Merge branch 'dev' into feat/dsc-rsa

circuits/circuits/dsc/dsc.circom

@@ -9,8 +9,8 @@ include "@zk-kit/binary-merkle-root.circom/src/binary-merkle-root.circom";
 include "../utils/passport/customHashers.circom";
 include "../utils/passport/signatureAlgorithm.circom";
 include "../utils/passport/signatureVerifier.circom";
-include "@zk-email/circuits/utils/bytes.circom";
-include "../utils/crypto/utils/WordToBytes.circom";
+include "@openpassport/zk-email-circuits/utils/bytes.circom";
+include "../utils/crypto/bitify/bytes.circom";
 
 template DSC(signatureAlgorithm, n_dsc, k_dsc, n_csca, k_csca, max_cert_bytes, maxPubkeyBytesLength, nLevels) {
 

circuits/circuits/tests/utils/ecdsa/test_brainpoolP512r1.circom

@@ -0,0 +1,13 @@
+pragma circom 2.1.9;
+
+include "../../../utils/crypto/signature/ecdsa/ecdsaVerifier.circom";
+
+template VerifyBrainpoolP384r1Sha384() {
+    signal input signature[2 * 8];
+    signal input pubKey[2 * 8];
+    signal input hashParsed[512];
+
+    EcdsaVerifier(29, 64, 8)(signature, pubKey, hashParsed);
+}
+
+component main = VerifyBrainpoolP384r1Sha384();

circuits/circuits/tests/utils/ecdsa/test_p256.circom

@@ -0,0 +1,13 @@
+pragma circom 2.1.9;
+
+include "../../../utils/crypto/signature/ecdsa/ecdsaVerifier.circom";
+
+template VerifyP256Sha256() {
+    signal input signature[2 * 4];
+    signal input pubKey[2 * 4];
+    signal input hashParsed[256];
+
+    EcdsaVerifier(8, 64, 4)(signature, pubKey, hashParsed);
+}
+
+component main = VerifyP256Sha256();

circuits/circuits/tests/utils/ecdsa/test_p384.circom

@@ -0,0 +1,13 @@
+pragma circom 2.1.9;
+
+include "../../../utils/crypto/signature/ecdsa/ecdsaVerifier.circom";
+
+template VerifyP384r1Sha384() {
+    signal input signature[2 * 6];
+    signal input pubKey[2 * 6];
+    signal input hashParsed[384];
+
+    EcdsaVerifier(9, 64, 6)(signature, pubKey, hashParsed);
+}
+
+component main = VerifyP384r1Sha384();

circuits/circuits/utils/crypto/bigInt/bigInt.circom

@@ -70,7 +70,7 @@ template BigMultModP(CHUNK_SIZE, CHUNK_NUMBER_GREATER, CHUNK_NUMBER_LESS, CHUNK_
         mult2.in1 <== modulus;
     }
 
-    component isZero = BigIntIsZero(CHUNK_SIZE, CHUNK_SIZE * 2 + log_ceil_dl(CHUNK_NUMBER_MODULUS + CHUNK_NUMBER_DIV - 1), CHUNK_NUMBER_BASE - 1);
+    component isZero = BigIntIsZero(CHUNK_SIZE, CHUNK_SIZE * 2 + log_ceil(CHUNK_NUMBER_MODULUS + CHUNK_NUMBER_DIV - 1), CHUNK_NUMBER_BASE - 1);
     for (var i = 0; i < CHUNK_NUMBER_MODULUS; i++) {
         isZero.in[i] <== mult.out[i] - mult2.out[i] - mod[i];
     }

circuits/circuits/utils/crypto/bigInt/bigIntFunc.circom

@@ -1,39 +1,7 @@
 pragma circom 2.1.6;
-
+include "circom-bigint/circuits/bigint_func.circom";
 include "./shouldUseKaratsuba.circom";
 
-function is_negative_dl(x) {
-    return x > 10944121435919637611123202872628637544274182200208017171849102093287904247808 ? 1 : 0;
-}
-
-function div_ceil_dl(m, n) {
-    var ret = 0;
-    if (m % n == 0) {
-        ret = m \ n;
-    } else {
-        ret = m \ n + 1;
-    }
-    return ret;
-}
-
-function log_ceil_dl(n) {
-    var n_temp = n;
-    for (var i = 0; i < 254; i++) {
-        if (n_temp == 0) {
-            return i;
-        }
-        n_temp = n_temp \ 2;
-    }
-    return 254;
-}
-
-function SplitFn_dl(in, n, m) {
-    return [in % (1 << n), (in \ (1 << n)) % (1 << m)];
-}
-
-function SplitThreeFn_dl(in, n, m, k) {
-    return [in % (1 << n), (in \ (1 << n)) % (1 << m), (in \ (1 << n + m)) % (1 << k)];
-}
 
 // in is an m bit number
 // split into ceil(m/n) n-bit registers
@@ -44,7 +12,7 @@ function splitOverflowedRegister_dl(m, n, in) {
         out[i] = 0;
     }
 
-    var nRegisters = div_ceil_dl(m, n);
+    var nRegisters = div_ceil(m, n);
     var running = in;
     for (var i = 0; i < nRegisters; i++) {
         out[i] = running % (1 << n);
@@ -74,7 +42,7 @@ function getProperRepresentation_dl(m, n, k, in) {
         for (var j = 0; j < 200; j++) {
             pieces[i][j] = 0;
         }
-        if (is_negative_dl(in[i]) == 1) {
+        if (isNegative(in[i]) == 1) {
             var negPieces[200] = splitOverflowedRegister_dl(m, n, - 1 * in[i]);
             for (var j = 0; j < ceilMN; j++) {
                 pieces[i][j] =  - 1 * negPieces[j];
@@ -108,7 +76,7 @@ function getProperRepresentation_dl(m, n, k, in) {
             }
         }
 
-        if (is_negative_dl(thisRegisterValue) == 1) {
+        if (isNegative(thisRegisterValue) == 1) {
             var thisRegisterAbs =  - 1 * thisRegisterValue;
             out[registerIdx] = (1 << n) - (thisRegisterAbs % (1 << n));
             carries[registerIdx] =  - 1 * (thisRegisterAbs >> n) - 1;
@@ -121,19 +89,6 @@ function getProperRepresentation_dl(m, n, k, in) {
     return out;
 }
 
-// 1 if true, 0 if false
-function long_gt_dl(n, k, a, b) {
-    for (var i = k - 1; i >= 0; i--) {
-        if (a[i] > b[i]) {
-            return 1;
-        }
-        if (a[i] < b[i]) {
-            return 0;
-        }
-    }
-    return 0;
-}
-
 // n bits per register
 // a has k registers
 // b has k registers
@@ -293,9 +248,9 @@ function short_div_norm_dl(n, k, a, b) {
     }
 
     var mult[200] = long_scalar_mult_dl(n, k, qhat, b);
-    if (long_gt_dl(n, k + 1, mult, a) == 1) {
+    if (long_gt(n, k + 1, mult, a) == 1) {
         mult = long_sub_dl(n, k + 1, mult, b);
-        if (long_gt_dl(n, k + 1, mult, a) == 1) {
+        if (long_gt(n, k + 1, mult, a) == 1) {
             return qhat - 2;
         } else {
             return qhat - 1;
@@ -352,20 +307,20 @@ function prod_dl(n, k, a, b) {
 
     var split[200][3];
     for (var i = 0; i < 2 * k - 1; i++) {
-        split[i] = SplitThreeFn_dl(prod_val[i], n, n, n);
+        split[i] = SplitThreeFn(prod_val[i], n, n, n);
     }
 
     var carry[200];
     carry[0] = 0;
     out[0] = split[0][0];
     if (2 * k - 1 > 1) {
-        var sumAndCarry[2] = SplitFn_dl(split[0][1] + split[1][0], n, n);
+        var sumAndCarry[2] = SplitFn(split[0][1] + split[1][0], n, n);
         out[1] = sumAndCarry[0];
         carry[1] = sumAndCarry[1];
     }
     if (2 * k - 1 > 2) {
         for (var i = 2; i < 2 * k - 1; i++) {
-            var sumAndCarry[2] = SplitFn_dl(split[i][0] + split[i - 1][1] + split[i - 2][2] + carry[i - 1], n, n);
+            var sumAndCarry[2] = SplitFn(split[i][0] + split[i - 1][1] + split[i - 2][2] + carry[i - 1], n, n);
             out[i] = sumAndCarry[0];
             carry[i] = sumAndCarry[1];
         }
@@ -465,7 +420,7 @@ function mod_inv_dl(n, k, a, p) {
 
 // a, b and out are all n bits k registers
 function long_sub_mod_p_dl(n, k, a, b, p){
-    var gt = long_gt_dl(n, k, a, b);
+    var gt = long_gt(n, k, a, b);
     var tmp[200];
     if (gt){
         tmp = long_sub_dl(n, k, a, b);
@@ -503,7 +458,7 @@ function long_add_dl(CHUNK_SIZE, CHUNK_NUMBER, A, B){
     var carry = 0;
     var sum[200];
     for (var i = 0; i < CHUNK_NUMBER; i++){
-        var sumAndCarry[2] = SplitFn_dl(A[i] + B[i] + carry, CHUNK_SIZE, CHUNK_SIZE);
+        var sumAndCarry[2] = SplitFn(A[i] + B[i] + carry, CHUNK_SIZE, CHUNK_SIZE);
         sum[i] = sumAndCarry[0];
         carry = sumAndCarry[1];
     }
@@ -513,7 +468,7 @@ function long_add_dl(CHUNK_SIZE, CHUNK_NUMBER, A, B){
 
 
 function long_sub_mod_dl(CHUNK_SIZE, CHUNK_NUMBER, A, B, P) {
-    if (long_gt_dl(CHUNK_SIZE, CHUNK_NUMBER, B, A) == 1){
+    if (long_gt(CHUNK_SIZE, CHUNK_NUMBER, B, A) == 1){
         return long_add_dl(CHUNK_SIZE, CHUNK_NUMBER, A, long_sub_dl(CHUNK_SIZE,CHUNK_NUMBER,P,B));
     } else {
         return long_sub_dl(CHUNK_SIZE, CHUNK_NUMBER, A, B);
@@ -630,7 +585,7 @@ function is_karatsuba_optimal_dl(a, b){
     return 0;
 }
 
-function is_negative_chunk_dl(x, n) {
+function isNegative_chunk_dl(x, n) {
     var x2 = x;
     for (var i = 0; i < n; i++){
         x2 = x2 \ 2;
@@ -649,7 +604,7 @@ function reduce_overflow_signed_dl(n, k, k2, max_n, in){
         clone[i] = in[i];
     }
     for (var i = 0; i < k2; i++){
-        if (is_negative_chunk_dl(clone[i], max_n) == 0){
+        if (isNegative_chunk_dl(clone[i], max_n) == 0){
             out[i] = clone[i] % 2 ** n;
             clone[i + 1] += clone[i] \ 2 ** n;
         } else {
@@ -674,7 +629,7 @@ function reduce_overflow_signed_dl(n, k, k2, max_n, in){
         }
 
         for (var i = 0; i < k2; i++){
-            if (is_negative_chunk_dl(clone[i], max_n) == 0){
+            if (isNegative_chunk_dl(clone[i], max_n) == 0){
                 out[i] = clone[i] % 2 ** n;
                 clone[i + 1] += clone[i] \ 2 ** n;
             } else {

circuits/circuits/utils/crypto/bitify/bytes.circom

@@ -0,0 +1,34 @@
+// NOTE: this circuit is unaudited and should not be used in production
+/// @title SplitBytesToWords
+/// @notice split an array of bytes into an array of words
+/// @notice useful for casting a message or modulus before RSA verification
+/// @param l: number of bytes in the input array
+/// @param n: number of bits in a word
+/// @param k: number of words
+/// @input in: array of bytes
+/// @output out: array of words
+template SplitBytesToWords (l,n,k) {
+    signal input in[l];
+    signal output out[k];
+
+    component num2bits[l];
+    for (var i = 0 ; i < l ; i++){
+        num2bits[i] = Num2Bits(8);
+        num2bits[i].in <== in[i];
+    }
+    component bits2num[k];
+    for (var i = 0 ; i < k ; i++){
+        bits2num[i] = Bits2Num(n);
+        for(var j = 0 ; j < n ; j++){
+            if(i*n + j >=  8 * l){
+                bits2num[i].in[j] <==  0;
+            }
+            else{
+                bits2num[i].in[j] <== num2bits[l - (( i * n + j) \ 8) - 1].out[ ((i * n + j) % 8)];
+            }
+        }
+    }
+    for( var i = 0 ; i< k ; i++){
+    out[i] <== bits2num[i].out;
+    }
+}

circuits/circuits/utils/crypto/hasher/sha2/sha224/sha224HashChunks.circom

@@ -3,7 +3,7 @@ pragma circom 2.0.0;
 include "../sha2Common.circom";
 include "../sha256/sha256Schedule.circom";
 include "../sha256/sha256Rounds.circom";
-include "@zk-email/circuits/utils/array.circom";
+include "@openpassport/zk-email-circuits/utils/array.circom";
 include "sha224InitialValue.circom";
 
 template Sha224HashChunks(MAX_BLOCKS) {

circuits/circuits/utils/crypto/hasher/sha2/sha384/sha384HashChunks.circom

@@ -3,7 +3,7 @@ pragma circom 2.0.0;
 include "../sha2Common.circom";
 include "../sha512/sha512Schedule.circom";
 include "../sha512/sha512Rounds.circom";
-include "@zk-email/circuits/utils/array.circom";
+include "@openpassport/zk-email-circuits/utils/array.circom";
 include "sha384InitialValue.circom";
 
 template Sha384HashChunks(MAX_BLOCKS) {

circuits/circuits/utils/crypto/hasher/sha2/sha512/sha512HashChunks.circom

@@ -3,7 +3,7 @@ pragma circom 2.0.0;
 include "../sha2Common.circom";
 include "sha512InitialValue.circom";
 include "sha512Schedule.circom";
-include "@zk-email/circuits/utils/array.circom";
+include "@openpassport/zk-email-circuits/utils/array.circom";
 include "sha512Rounds.circom";
 
 template Sha512HashChunks(MAX_BLOCKS) {