From 2b3554963e44d65aa2065b965c8e5bf779187ac4 Mon Sep 17 00:00:00 2001 From: dark64 Date: Wed, 4 Jan 2023 19:04:32 +0100 Subject: [PATCH 01/14] wip --- .../compress.zok} | 9 +- .../stdlib/ecc/babyjubjub/params.zok | 13 + .../ecc/babyjubjub/proofOfOwnership.zok | 21 ++ .../babyjubjub}/verifyEddsa.zok | 37 +- .../stdlib/ecc/babyjubjubParams.zok | 37 -- zokrates_stdlib/stdlib/ecc/edwards.zok | 61 +++ zokrates_stdlib/stdlib/ecc/edwardsAdd.zok | 20 - zokrates_stdlib/stdlib/ecc/edwardsNegate.zok | 9 - zokrates_stdlib/stdlib/ecc/edwardsOnCurve.zok | 17 - .../stdlib/ecc/edwardsOrderCheck.zok | 26 -- .../stdlib/ecc/edwardsScalarMult.zok | 26 -- zokrates_stdlib/stdlib/ecc/jubjub/params.zok | 13 + .../stdlib/ecc/proofOfOwnership.zok | 28 -- .../stdlib/hashes/pedersen/512bitBool.zok | 352 +++++++++--------- .../compress.json} | 2 +- .../tests/tests/ecc/babyjubjub/compress.zok | 9 + .../edwardsAdd.json} | 2 +- .../tests/tests/ecc/babyjubjub/edwardsAdd.zok | 27 ++ .../ecc/{ => babyjubjub}/edwardsOnCurve.json | 2 +- .../tests/ecc/babyjubjub/edwardsOnCurve.zok | 11 + .../{ => babyjubjub}/edwardsOrderCheck.json | 2 +- .../ecc/babyjubjub/edwardsOrderCheck.zok | 25 ++ .../{ => babyjubjub}/edwardsScalarMult.json | 2 +- .../{ => babyjubjub}/edwardsScalarMult.zok | 45 +-- .../{ => babyjubjub}/proofOfOwnership.json | 2 +- .../ecc/{ => babyjubjub}/proofOfOwnership.zok | 14 +- .../babyjubjub}/verifyEddsa.json | 2 +- .../babyjubjub}/verifyEddsa.zok | 7 +- .../tests/tests/ecc/edwardsAdd.zok | 36 -- .../tests/tests/ecc/edwardsCompress.zok | 19 - .../tests/tests/ecc/edwardsOnCurve.zok | 17 - .../tests/tests/ecc/edwardsOrderCheck.zok | 30 -- .../tests/tests/ecc/jubjub/edwardsAdd.json | 16 + .../tests/tests/ecc/jubjub/edwardsAdd.zok | 25 ++ .../tests/ecc/jubjub/edwardsOnCurve.json | 16 + .../tests/tests/ecc/jubjub/edwardsOnCurve.zok | 9 + .../tests/ecc/jubjub/edwardsOrderCheck.json | 16 + .../tests/ecc/jubjub/edwardsOrderCheck.zok | 23 ++ .../tests/ecc/jubjub/edwardsScalarMult.json | 16 + .../tests/ecc/jubjub/edwardsScalarMult.zok | 85 +++++ 40 files changed, 615 insertions(+), 514 deletions(-) rename zokrates_stdlib/stdlib/ecc/{edwardsCompress.zok => babyjubjub/compress.zok} (69%) create mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok create mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok rename zokrates_stdlib/stdlib/{signatures => ecc/babyjubjub}/verifyEddsa.zok (58%) delete mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjubParams.zok create mode 100644 zokrates_stdlib/stdlib/ecc/edwards.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/edwardsAdd.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/edwardsNegate.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/edwardsOnCurve.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/edwardsScalarMult.zok create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/params.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok rename zokrates_stdlib/tests/tests/ecc/{edwardsAdd.json => babyjubjub/compress.json} (74%) create mode 100644 zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok rename zokrates_stdlib/tests/tests/ecc/{edwardsCompress.json => babyjubjub/edwardsAdd.json} (73%) create mode 100644 zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok rename zokrates_stdlib/tests/tests/ecc/{ => babyjubjub}/edwardsOnCurve.json (72%) create mode 100644 zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok rename zokrates_stdlib/tests/tests/ecc/{ => babyjubjub}/edwardsOrderCheck.json (71%) create mode 100644 zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok rename zokrates_stdlib/tests/tests/ecc/{ => babyjubjub}/edwardsScalarMult.json (71%) rename zokrates_stdlib/tests/tests/ecc/{ => babyjubjub}/edwardsScalarMult.zok (92%) rename zokrates_stdlib/tests/tests/ecc/{ => babyjubjub}/proofOfOwnership.json (71%) rename zokrates_stdlib/tests/tests/ecc/{ => babyjubjub}/proofOfOwnership.zok (63%) rename zokrates_stdlib/tests/tests/{signatures => ecc/babyjubjub}/verifyEddsa.json (73%) rename zokrates_stdlib/tests/tests/{signatures => ecc/babyjubjub}/verifyEddsa.zok (81%) delete mode 100644 zokrates_stdlib/tests/tests/ecc/edwardsAdd.zok delete mode 100644 zokrates_stdlib/tests/tests/ecc/edwardsCompress.zok delete mode 100644 zokrates_stdlib/tests/tests/ecc/edwardsOnCurve.zok delete mode 100644 zokrates_stdlib/tests/tests/ecc/edwardsOrderCheck.zok create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.json create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.json create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.json create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.json create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok diff --git a/zokrates_stdlib/stdlib/ecc/edwardsCompress.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok similarity index 69% rename from zokrates_stdlib/stdlib/ecc/edwardsCompress.zok rename to zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok index 1959f5740..4351b36ac 100644 --- a/zokrates_stdlib/stdlib/ecc/edwardsCompress.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok @@ -1,13 +1,12 @@ import "utils/pack/bool/nonStrictUnpack256" as unpack256; -// Compress JubJub Curve Point to 256bit array using big endianness bit order -// Python reference code from pycrypto: +// Compress curve point to a 256-bit boolean array using the big-endian bit order +// Python code reference: // def compress(self): // x = self.x.n // y = self.y.n // return int.to_bytes(y | ((x & 1) << 255), 32, "big") - -def main(field[2] pt) -> bool[256] { +def main(field[2] pt) -> bool[256] { field x = pt[0]; field y = pt[1]; @@ -18,4 +17,4 @@ def main(field[2] pt) -> bool[256] { yBits[0] = sign; return yBits; -} +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok new file mode 100644 index 000000000..6dd695dd1 --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok @@ -0,0 +1,13 @@ +#pragma curve bn128 + +// The `a` coefficient of the twisted Edwards curve +const field EDWARDS_A = 168700; + +// The `d` coefficient of the twisted Edwards curve +const field EDWARDS_D = 168696; + +// The generator point +const field[2] G = [ + 16540640123574156134436876038791482806971768689494387082833631921987005038935, // Gx + 20819045374670962167435360035096875258406992893633759881276124905556507972311 // Gy +]; \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok new file mode 100644 index 000000000..53f09125c --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok @@ -0,0 +1,21 @@ +import "utils/pack/bool/nonStrictUnpack256" as unpack256; +from "./params" import EDWARDS_A, EDWARDS_D, G; +from "ecc/edwards" import scalarMul; + +/// Verifies match of a given public/private keypair. +/// +/// Checks if the following equation holds for the provided keypair: +/// pk = sk*G +/// where G is the chosen base point of the subgroup +/// and * denotes scalar multiplication in the subgroup +/// +/// Arguments: +/// pk: Curve point (public key) +/// sk: Private key +/// +/// Returns true for pk/sk being a valid keypair, false otherwise. +def main(field[2] pk, field sk) -> bool { + bool[256] sk_bits = unpack256(sk); + field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); + return (res[0] == pk[0] && res[1] == pk[1]); +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/signatures/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok similarity index 58% rename from zokrates_stdlib/stdlib/signatures/verifyEddsa.zok rename to zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok index e6e2f8069..bb8e5c785 100644 --- a/zokrates_stdlib/stdlib/signatures/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok @@ -1,12 +1,9 @@ import "hashes/sha256/1024bitPadded" as sha256; -import "ecc/edwardsScalarMult" as scalarMult; -import "ecc/edwardsAdd" as add; import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; import "utils/pack/u32/nonStrictUnpack256" as unpack256u; -import "ecc/edwardsOnCurve" as onCurve; -import "ecc/edwardsOrderCheck" as orderCheck; -from "ecc/babyjubjubParams" import BabyJubJubParams; -import "utils/casts/u32_8_to_bool_256"; +from "utils/casts" import cast; +from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; +from "./params" import EDWARDS_A, EDWARDS_D, G; /// Verifies an EdDSA Signature. /// @@ -23,29 +20,27 @@ import "utils/casts/u32_8_to_bool_256"; /// R: Curve point. Hidden version of the per-message nonce. /// S: Field element. Signature to be verified. /// A: Curve point. Public part of the key used to create S. -/// M0: 256bit array. First 256bits of the message used to create S . -/// M1: 256bit array. Trailing 256bits of the message used to create S . -/// context: Curve parameters used to create S. +/// M0: 256bit array. First 256bits of the message used to create S. +/// M1: 256bit array. Trailing 256bits of the message used to create S. /// /// Returns: /// Return true for S being a valid EdDSA Signature, false otherwise. -def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1, BabyJubJubParams context) -> bool { - field[2] G = [context.Gu, context.Gv]; - +def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { // Check if R is on curve and if it is not in a small subgroup. A is public input and can be checked offline - assert(onCurve(R, context)); // throws if R is not on curve - assert(orderCheck(R, context)); + assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve + assert(orderCheck(R, EDWARDS_A, EDWARDS_D)); u32[8] Rx = unpack256u(R[0]); u32[8] Ax = unpack256u(A[0]); - bool[256] hRAM = u32_8_to_bool_256(sha256(Rx, Ax, M0, M1)); + + u32[8] h = sha256(Rx, Ax, M0, M1); + bool[256] hRAM = cast(h); bool[256] sBits = unpack256bool(S); - field[2] lhs = scalarMult(sBits, G, context); + field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D); - field[2] AhRAM = scalarMult(hRAM, A, context); - field[2] rhs = add(R, AhRAM, context); + field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D); + field[2] rhs = add(R, AhRAM, EDWARDS_A, EDWARDS_D); - bool out = rhs[0] == lhs[0] && rhs[1] == lhs[1]; - return out; -} + return (rhs[0] == lhs[0] && rhs[1] == lhs[1]); +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjubParams.zok b/zokrates_stdlib/stdlib/ecc/babyjubjubParams.zok deleted file mode 100644 index 6718b833e..000000000 --- a/zokrates_stdlib/stdlib/ecc/babyjubjubParams.zok +++ /dev/null @@ -1,37 +0,0 @@ -#pragma curve bn128 - -// Parameters are based on: https://github.com/HarryR/ethsnarks/tree/9cdf0117c2e42c691e75b98979cb29b099eca998/src/jubjub -// Note: parameters will be updated soon to be more compatible with zCash's implementation - -struct BabyJubJubParams { - field JUBJUB_C; - field JUBJUB_A; - field JUBJUB_D; - field MONT_A; - field MONT_B; - field[2] INFINITY; - field Gu; - field Gv; -} - -const BabyJubJubParams BABYJUBJUB_PARAMS = BabyJubJubParams { - // Order of the curve for reference: 21888242871839275222246405745257275088614511777268538073601725287587578984328 - JUBJUB_C: 8, // Cofactor - JUBJUB_A: 168700, // Coefficient A - JUBJUB_D: 168696, // Coefficient D - - // Montgomery parameters - MONT_A: 168698, - MONT_B: 1, - - // Point at infinity - INFINITY: [0, 1], - - // Generator - Gu: 16540640123574156134436876038791482806971768689494387082833631921987005038935, - Gv: 20819045374670962167435360035096875258406992893633759881276124905556507972311 -}; - -def main() -> BabyJubJubParams { - return BABYJUBJUB_PARAMS; -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/edwards.zok b/zokrates_stdlib/stdlib/ecc/edwards.zok new file mode 100644 index 000000000..3cbf20e2d --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/edwards.zok @@ -0,0 +1,61 @@ +// Add two points on a twisted Edwards curve +// https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Addition_on_twisted_Edwards_curves +def add(field[2] pt1, field[2] pt2, field a, field d) -> field[2] { + field u1 = pt1[0]; + field v1 = pt1[1]; + field u2 = pt2[0]; + field v2 = pt2[1]; + + field u = (u1*v2 + v1*u2) / (1 + d*u1*u2*v1*v2); + field v = (v1*v2 - a*u1*u2) / (1 - d*u1*u2*v1*v2); + return [u, v]; +} + +// Check if a point is on a twisted Edwards curve +// See appendix 3.3.1 of Zcash protocol specification: +// https://github.com/zcash/zips/blob/master/protocol/protocol.pdf +def onCurve(field[2] pt, field a, field d) -> bool { + field uu = pt[0] * pt[0]; + field vv = pt[1] * pt[1]; + field uuvv = uu * vv; + + assert(a * uu + vv == 1 + d * uuvv); + return true; +} + +// Function that implements scalar multiplication for a fixed base point +// Reference: https://github.com/zcash-hackworks/sapling-crypto/blob/master/src/jubjub/fs.rs#L555 +def scalarMul(bool[N] exponent, field[2] pt, field a, field d) -> field[2] { + field[2] mut res = pt; + field[2] mut acc = [0, 1]; + + for u32 i in 0..N { + u32 j = N - i - 1; + field[2] candidate = add(acc, res, a, d); + acc = exponent[j] ? candidate : acc; + res = add(res, res, a, d); + } + + assert(onCurve(acc, a, d)); + return acc; +} + +// Negate a point on an Edwards curve +// Twisted Edwards Curves, BBJLP-2008, section 2 pg 2 +def negate(field[2] pt) -> field[2] { + field u = pt[0]; + field v = pt[1]; + return [-u, v]; +} + +// Verifies that the point is not one of the low-order points. +// If any of the points is multiplied by the cofactor, the resulting point will be infinity. +// Returns true if the point is not one of the low-order points, false otherwise. +// Cofactor is hard-coded to 8 for efficiency reasons +// Reference: https://github.com/zcash-hackworks/sapling-crypto/blob/master/src/jubjub/edwards.rs#L166 +def orderCheck(field[2] pt, field a, field d) -> bool { + field[2] mut res = add(pt, pt, a, d); // 2*pt + res = add(res, res, a, d); // 4*pt + res = add(res, res, a, d); // 8*pt + return !(res[0] == 0 && res[1] == 1); +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/edwardsAdd.zok b/zokrates_stdlib/stdlib/ecc/edwardsAdd.zok deleted file mode 100644 index 843f6f924..000000000 --- a/zokrates_stdlib/stdlib/ecc/edwardsAdd.zok +++ /dev/null @@ -1,20 +0,0 @@ -from "ecc/babyjubjubParams" import BabyJubJubParams; - -// Add two points on a twisted Edwards curve -// Curve parameters are defined with the last argument -// https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Addition_on_twisted_Edwards_curves -def main(field[2] pt1, field[2] pt2, BabyJubJubParams context) -> field[2] { - - field a = context.JUBJUB_A; - field d = context.JUBJUB_D; - - field u1 = pt1[0]; - field v1 = pt1[1]; - field u2 = pt2[0]; - field v2 = pt2[1]; - - field uOut = (u1*v2 + v1*u2) / (1 + d*u1*u2*v1*v2); - field vOut = (v1*v2 - a*u1*u2) / (1 - d*u1*u2*v1*v2); - - return [uOut, vOut]; -} diff --git a/zokrates_stdlib/stdlib/ecc/edwardsNegate.zok b/zokrates_stdlib/stdlib/ecc/edwardsNegate.zok deleted file mode 100644 index 62fcd1eb6..000000000 --- a/zokrates_stdlib/stdlib/ecc/edwardsNegate.zok +++ /dev/null @@ -1,9 +0,0 @@ -// Negate a point on an Edwards curve -// Curve parameters are defined with the last argument -// Twisted Edwards Curves, BBJLP-2008, section 2 pg 2 -def main(field[2] pt) -> field[2] { - field u = pt[0]; - field v = pt[1]; - - return [-u, v]; -} diff --git a/zokrates_stdlib/stdlib/ecc/edwardsOnCurve.zok b/zokrates_stdlib/stdlib/ecc/edwardsOnCurve.zok deleted file mode 100644 index d2d824014..000000000 --- a/zokrates_stdlib/stdlib/ecc/edwardsOnCurve.zok +++ /dev/null @@ -1,17 +0,0 @@ -from "ecc/babyjubjubParams" import BabyJubJubParams; - -// Check if a point is on a twisted Edwards curve -// Curve parameters are defined with the last argument -// See appendix 3.3.1 of Zcash protocol specification: -// https://github.com/zcash/zips/blob/master/protocol/protocol.pdf -def main(field[2] pt, BabyJubJubParams context) -> bool { - field a = context.JUBJUB_A; - field d = context.JUBJUB_D; - - field uu = pt[0] * pt[0]; - field vv = pt[1] * pt[1]; - field uuvv = uu * vv; - - assert(a * uu + vv == 1 + d * uuvv); - return true; -} diff --git a/zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.zok b/zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.zok deleted file mode 100644 index c6913126f..000000000 --- a/zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.zok +++ /dev/null @@ -1,26 +0,0 @@ -import "ecc/edwardsAdd" as add; -import "ecc/edwardsScalarMult" as multiply; -import "utils/pack/bool/nonStrictUnpack256" as unpack256; -from "ecc/babyjubjubParams" import BabyJubJubParams; - -// Verifies that the point is not one of the low-order points. -// If any of the points is multiplied by the cofactor, the resulting point -// will be infinity. -// Returns true if the point is not one of the low-order points, false otherwise. -// Curve parameters are defined with the last argument -// https://github.com/zcash-hackworks/sapling-crypto/blob/master/src/jubjub/edwards.rs#L166 -def main(field[2] pt, BabyJubJubParams context) -> bool { - field cofactor = context.JUBJUB_C; - assert(cofactor == 8); - - // Co-factor currently hard-coded to 8 for efficiency reasons - // See discussion here: https://github.com/Zokrates/ZoKrates/pull/301#discussion_r267203391 - // Generic code: - // bool[256] cofactorExponent = unpack256(cofactor); - // field[2] ptExp = multiply(cofactorExponent, pt, context); - field[2] mut ptExp = add(pt, pt, context); // 2*pt - ptExp = add(ptExp, ptExp, context); // 4*pt - ptExp = add(ptExp, ptExp, context); // 8*pt - - return !(ptExp[0] == 0 && ptExp[1] == 1); -} diff --git a/zokrates_stdlib/stdlib/ecc/edwardsScalarMult.zok b/zokrates_stdlib/stdlib/ecc/edwardsScalarMult.zok deleted file mode 100644 index 1d7dec693..000000000 --- a/zokrates_stdlib/stdlib/ecc/edwardsScalarMult.zok +++ /dev/null @@ -1,26 +0,0 @@ -import "ecc/edwardsAdd" as add; -import "ecc/edwardsOnCurve" as onCurve; -from "ecc/babyjubjubParams" import BabyJubJubParams; - -// Function that implements scalar multiplication for a fixed base point -// Curve parameters are defined with the last argument -// The exponent is hard-coded to a 256bit scalar, hence we allow wrapping around the group for certain -// curve parameters. -// Note that the exponent array is not check to be boolean in this gadget -// Reference: https://github.com/zcash-hackworks/sapling-crypto/blob/master/src/jubjub/fs.rs#L555 -def main(bool[256] exponent, field[2] pt, BabyJubJubParams context) -> field[2] { - field[2] infinity = context.INFINITY; - - field[2] mut doubledP = pt; - field[2] mut accumulatedP = infinity; - - for u32 i in 0..256 { - u32 j = 255 - i; - field[2] candidateP = add(accumulatedP, doubledP, context); - accumulatedP = exponent[j] ? candidateP : accumulatedP; - doubledP = add(doubledP, doubledP, context); - } - - assert(onCurve(accumulatedP, context)); - return accumulatedP; -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/params.zok b/zokrates_stdlib/stdlib/ecc/jubjub/params.zok new file mode 100644 index 000000000..c4273750f --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/params.zok @@ -0,0 +1,13 @@ +#pragma curve bls12_381 + +// The `a` coefficient of the twisted Edwards curve +const field EDWARDS_A = -1; + +// The `d` coefficient of the twisted Edwards curve (-10240/10241 mod p) +const field EDWARDS_D = 19257038036680949359750312669786877991949435402254120286184196891950884077233; + +// The generator point +const field[2] G = [ + 11076627216317271660298050606127911965867021807910416450833192264015104452986, // Gx + 44412834903739585386157632289020980010620626017712148233229312325549216099227 // Gy +]; \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok deleted file mode 100644 index 840457307..000000000 --- a/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok +++ /dev/null @@ -1,28 +0,0 @@ -import "ecc/edwardsAdd" as add; -import "ecc/edwardsScalarMult" as multiply; -import "utils/pack/bool/nonStrictUnpack256" as unpack256; -from "ecc/babyjubjubParams" import BabyJubJubParams; - -/// Verifies match of a given public/private keypair. -/// -/// Checks if the following equation holds for the provided keypair: -/// pk = sk*G -/// where G is the chosen base point of the subgroup -/// and * denotes scalar multiplication in the subgroup -/// -/// Arguments: -/// pk: Curve point. Public key. -/// sk: Field element. Private key. -/// context: Curve parameters (including generator G) used to create keypair. -/// -/// Returns: -/// Return true for pk/sk being a valid keypair, false otherwise. -def main(field[2] pk, field sk, BabyJubJubParams context) -> bool { - field[2] G = [context.Gu, context.Gv]; - - bool[256] skBits = unpack256(sk); - field[2] ptExp = multiply(skBits, G, context); - - bool out = ptExp[0] == pk[0] && ptExp[1] == pk[1]; - return out; -} diff --git a/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok b/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok index 0e5873e93..aa9a62afb 100644 --- a/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok +++ b/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok @@ -1,8 +1,8 @@ import "utils/multiplexer/lookup3bitSigned" as sel3s; import "utils/multiplexer/lookup2bit" as sel2; -import "ecc/edwardsAdd" as add; -import "ecc/edwardsCompress" as edwardsCompress; -from "ecc/babyjubjubParams" import BABYJUBJUB_PARAMS; +import "ecc/babyjubjub/compress"; +from "ecc/edwards" import add; +from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; // Code to export generators used in this example: // import bitstring @@ -21,694 +21,694 @@ def main(bool[512] inputs) -> bool[256] { false ]; - field[2] mut a = BABYJUBJUB_PARAMS.INFINITY; // Infinity + field[2] mut a = [0, 1]; // Infinity field mut cx = 0; field mut cy = 0; // Round 0 cx = sel3s([e[0], e[1], e[2]], [13418723823902222986275588345615650707197303761863176429873001977640541977977, 8366451672790208592553809639953117385619257483837439526516290319251622927412, 1785026334726838136757054176272745265857971873904476677125553010508875025629, 15763987975760561753692294837740043971877392788040801334205375164715487005236]); cy = sel2([e[0], e[1]], [15255921313433251341520743036334816584226787412845488772781699434149539664639, 10916775373885716961512013142444429405184550001421868906213743991404593770484, 18533662942827602783563125901366807026309605479742251601915445402562880550265, 12754584346112149619040942896930712185968371085994381911052593922432846916845]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 1 cx = sel3s([e[3], e[4], e[5]], [10096735692467598736728394557736034054031417419721869067082824451240861468728, 6979151010236415881632946866847657030447196774231162748523315765559549846746, 12137947022495312670974525048647679757468392619153927921382150023166867027471, 10624360821702266736197468438435445939719745367234393212061381062942588576905]); cy = sel2([e[3], e[4]], [16704592219657141368520262522286248296157931669321735564513068002743507745908, 11518684165372839249156788740134693928233608013641661856685773776747280808438, 21502372109496595498116676984635248026663470429940273577484250291841812814697, 17522620677401472201433112250371604936150385414760411280739362011041111141253]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 2 cx = sel3s([e[6], e[7], e[8]], [13312232735691933658355691628172862856002099081831058080743469900077389848112, 19327977014594608605244544461851908604127577374373936700152837514516831827340, 5965720943494263185596399776343244990255258211404706922145440547143467603204, 11103963817151340664968920805661885925719434417460707046799768750046118166436]); cy = sel2([e[6], e[7]], [13997829888819279202328839701908695991998552542771378089573544166678617234314, 13691878221338656794058835175667599549759724338245021721239544263931121101102, 706995887987748628352958611569702130644716818339521451078302067359882016752, 15519367213943391783104357888987456282196269996908068205680088855765566529720]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 3 cx = sel3s([e[9], e[10], e[11]], [3514614172108804338031132171140068954832144631243755202685348634084887116595, 21412073555057635706619028382831866089835908408883521913045888015461883281372, 471607086653490738521346129178778785664646799897580486044670851346383461743, 10847495464297569158944970563387929708762967645792327184202073895773051681481]); cy = sel2([e[9], e[10]], [15464894923367337880246198022819299804461472054752016232660084768002214822896, 12567819427817222147810760128898363854788230435988968217407844445582977743495, 12262870457786134457367539925912446664295463121045105711733382320777142547504, 18045012503832343228779780686530560760323693867512598336456499973983304678718]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 4 cx = sel3s([e[12], e[13], e[14]], [15118628380960917951049569119912548662747322287644759811263888312919249703276, 16598886614963769408191675395388471256601718506085533073063821434952573740600, 18985834203956331009360396769407075613873303527461874103999130837255502328872, 4433382535573345454766736182894234755024333432764634149565968221321851794725]); cy = sel2([e[12], e[13]], [20910093482714196883913434341954530700836700132902516503233669201436063149009, 1519565901492557479831267649363202289903292383838537677400586534724780525304, 10041416515147137792479948105907931790389702515927709045015890740481960188846, 14765380703378616132649352585549040264662795611639979047816682374423451525367]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 5 cx = sel3s([e[15], e[16], e[17]], [12047448614322625640496087488290723061283996543855169192549742347740217312911, 4511402808301687111378591744698422835937202088514472343139677982999770140261, 12163443309105839408816984443621255269615222157093914420088948521258519452383, 3481629181674207202258216324378273648482838926623855453371874690866818821960]); cy = sel2([e[15], e[16]], [16179347143471683729835238045770641754106645772730542840306059882771262928390, 1330606780692172668576026668607748751348574609524694619904517828208139587545, 21047796364446011793075955655871569603152857270194799075248022968227548164989, 19676582441619193608410544431560207171545714550092005317667230665261246116642]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 6 cx = sel3s([e[18], e[19], e[20]], [12701245173613054114260668542643518710151543759808175831262148773821226772548, 18376560769194320940844431278184909327980744436343482850507604422674089850707, 2108750731998522594975480214785919514173920126687735114472940765769183959289, 8345688345972355310911106597696772464487464098975129504776508629148304380440]); cy = sel2([e[18], e[19]], [6893882093554801220855651573375911275440312424798351852776449414399981870319, 10206179889544308860397247082680802082921236707029342452958684549094240474070, 20690576727949006946449925807058663187909753260538825130322359335830578756980, 934097825986417774187883244964416516816295235495828890679674782707274540176]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 7 cx = sel3s([e[21], e[22], e[23]], [2944698428855471170284815781705687753367479016293091716206788980482046638948, 13677149007138113141214051970478824544363893133343069459792025336510743485579, 8778584537362078914166751980528033062427878768812683022653464796527206882567, 14187573305341020255138644844606451353103636392771375201751096173736574567883]); cy = sel2([e[21], e[22]], [17360101552805013843890050881314712134389035043192466182420273655548320239406, 15585069751456986750767880753875189652981026069625633386060310449606941883984, 14103016602951516262329001181468262879087099584460171406752641724802127444882, 20246884593862204796710227582734862797721958090111806492549002716706329529389]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 8 cx = sel3s([e[24], e[25], e[26]], [14561966822440683665541629338358038450751192033904756806839710397580365916408, 9033289676904424897161301113716021195450524279682799709206671901182123388512, 3130553029765252517071677341132737863162584406047933071036994763690628383497, 478748220028687672909774713203680223481010996519205842697362525656305870550]); cy = sel2([e[24], e[25]], [2103279357051120614300268561700949519576521616178686690761693996681299230890, 20408096719725376095564479959189425244640061563902110565713028117867143533071, 10602190247054189080928144476332888853804880952034975460420247853133904008108, 8904086690633759655814572723164827369823592560037992353159979088242240507753]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 9 cx = sel3s([e[27], e[28], e[29]], [6226499033652114521979121779728984801913588832404495199289210905837818402723, 8038917508002636084872059181598756897599119789741848736002584943229165162988, 2277325821476302201179031013369476744187798789480148846137091219460796268467, 967514222774662330369300003456258491278184516505205753272628639669418183698]); cy = sel2([e[27], e[28]], [7443974969385276473096219793909172323973358085935860096061435962537700448286, 16080381380787087259419052592465179031841607813350912826860291224363330298665, 7197183980134554514649915487783920553359271769991651108349414168397349372685, 15259375744392791676426881929656094304768076565231411137199656518314416373020]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 10 cx = sel3s([e[30], e[31], e[32]], [7079401365241105225661961622760419818013463250349580158302569256283647306129, 14357098412862251375028337875874646262567035230486208703024315026944432279497, 12132744267560027693690759266151433597852816079588628241106105645480008053825, 16149669420758195925157542983134397690644755714433681232247094526660232442631]); cy = sel2([e[30], e[31]], [11050535702333135359874644130653446287886435768224627066379760227644857448025, 2102777351898195104147031754958199443749204333224032175429214522075012926330, 4445288497276728579279429434033072747592184765171167503126978668105350002482, 2895400734738526057690008272958539309751728639263619269043890651038357187575]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 11 cx = sel3s([e[33], e[34], e[35]], [20192636532359225751119979205906307972955330178954709766736232115035084682472, 804195338747219623697418198937917828717652612397835452095971237574002648345, 6394431494852440399081028203192653448308162012036135765292083934292810191518, 11939476767684237945975176292664687849983867031644620074465117021204214089848]); cy = sel2([e[33], e[34]], [17748517956264309916268005941322895780280007418421226047127160997826331847601, 19497513174101598882802026674952900838989414265369078336475842766531805130216, 5620469644231252504463650386222007834239202862082473485080174711171599148975, 5516661986429427386078472422851029350005420782971768428739820651749444868271]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 12 cx = sel3s([e[36], e[37], e[38]], [1324920405111324350836746707883938204858273081019435873511569172015916187999, 15384225309297147198449617653578330654472159141743407174794062987091000857662, 9920404264935487368096005007182799973436766546149561065368669780566156587060, 15254057056535397961799214335179813200885132815863068943475012547021698517077]); cy = sel2([e[36], e[37]], [16984705452766649815073644511059333480190120433850502120324063182300137456908, 18046160220855048074367913256918233739227589113215101142291000275961918974523, 13094718066881673586455686749880972268909309391825129019088029831712146780775, 17556146601257932451584708078305104848786797650062537873707738860847250565143]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 13 cx = sel3s([e[39], e[40], e[41]], [10184781845128697471817965179509651550812478664395958690225791623061609959495, 5456125639262884825452992858423500073570690895733609235845616173174729575569, 2442835875584110487966438996784695688123609547017380844898154175948468234967, 1507509649954376860384651590722437356078107662975164713418836301939281575419]); cy = sel2([e[39], e[40]], [12481681651435870984379558646813686612408709833154117210578901875084149402369, 11152008367598826226940260746556525580820232821082556208512958435351250898503, 7567915483885326926315083960846242855523572023844618551872662303018722806760, 20394803059296859730298132333424950360853695629226621934657959417500478188961]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 14 cx = sel3s([e[42], e[43], e[44]], [10680962982327504072121608021689834159178144997131600234373184928312768469752, 2399077467035346531560164705357209055497431901223015425246039711757880798964, 3423125451159866822107483111524543716819043967842944968651561023348340629866, 9942880027482137313328709914157120920632734642771778240985776643385937071731]); cy = sel2([e[42], e[43]], [4698845013673361363032641974440465619959991809676353365742268606915462346702, 16130578759626193985851427947711894136403468334125608062505774040115700327331, 15972516792261738383725187984065495328469263202118598475958253769706945995080, 7601042727654430423755752301100987459144576573414967660631298823059519301944]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 15 cx = sel3s([e[45], e[46], e[47]], [559099661340368706731458173062937049444139592208939239637572972395409815235, 1445905511768661496314996877214005625534188630127375321650145036638654136508, 12558069540132067621925302006222579198925455408763618011362743955646129467625, 19809789628385980249290251944250230372682953514057413790020001670501854917090]); cy = sel2([e[45], e[46]], [10744092763718531253355077100374662669098109929848484460119044326894952631009, 3973362040829593578154878010051739631231888449967620092704468180671355813892, 1362015208311760378785201188340495520529554642363760051915563618841646945115, 11588368620504227678083366267185871581602064602621931713732756924598104334083]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 16 cx = sel3s([e[48], e[49], e[50]], [1678013963086824122518234712588270403106471527976328603364788331772512526348, 19217446816753374280163957047166499363370322773252755452762764797217084855190, 18251775792701212313037978569776264038974809413837373677702565241405411946778, 7791054681559787609111187809686247485256130898718509173169053332755413410611]); cy = sel2([e[48], e[49]], [2187428842929094383038114367392650175780437811274194322303902357941058607339, 8626132368431980635626323475901790012728207722636477570331410763937692048466, 113795593186630447648084123083495614901087109757474270136294009546464903517, 3911253907085777766524239918145094862050185692851156691146764655435644911738]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 17 cx = sel3s([e[51], e[52], e[53]], [12873968423948310899392467568104977730716801401622261861937368089215309803500, 12347009456329688755313379291270351313162786795095345538842244121034639964166, 1453033777281838070082852447488517173632198407446735454517038916605079634444, 11282290315868048695472900994602235661536258445850718305682561140328404797725]); cy = sel2([e[51], e[52]], [8139007031385157566567411468459940290231498857090568363629902873306461631248, 9142412231629797319569179103935970351107774720462787670615972830568683805984, 12672100925996181868477785977558380430714799944709260345359951721012123501095, 16494953398584179618210238266126209360371451946684386111530845235540890038134]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 18 cx = sel3s([e[54], e[55], e[56]], [7778254495039611795685039895928787457435875136389165268120013630439201169232, 18978376692784498976711790251498129273567483356717340918869164950830208175147, 6786343960634025784864145941287160961224170404722122001422161703472545445301, 963142484718869013546386102939529863406065949253846087785240390647819147126]); cy = sel2([e[54], e[55]], [7284679595773642123118330714484999203099307921555787993734753019057231440983, 11863181578147413903879545253723831525079414688349285572164796614141056912840, 14506820856835670503131551890617399661938603609062325089041733284980790009293, 4347670008275218338032617206784753933320201662996772040726919225863771514568]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 19 cx = sel3s([e[57], e[58], e[59]], [3630756302007400417952089805331380555952289748859891438940570770932527475452, 4733072488758626584177720052077496914661792393101658203493985364120366268281, 4526910185101338883574479225992287789853409001566403159278561225375682298543, 4955992755917650287600423903671744997417781344631255784951922382765227784141]); cy = sel2([e[57], e[58]], [16596280733402230599955345374089507399680037832193751466748596443674569931646, 6390381659733151443695336725554471564240651107616043093647301732553182081233, 17125093365984505488419430885232358010204128822674623886572872558984812477756, 7907776458440631594337279500574606181494889317898652109149850067084027888619]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 20 cx = sel3s([e[60], e[61], e[62]], [13428507160783248146944378848829437095621758280249270905793449036777555016842, 10292076501843933688687976934900220205880058108224904881677407523508189156342, 766857404192368568735095124452313950539381046754211726072981073742394879383, 19929977262929097751573344897093024390473135465066154321364399543253519251540]); cy = sel2([e[60], e[61]], [16698341695430068847582701171147088836738454320587148532489385958997389524692, 15892936434362954902510964691481568586089663041057258511149661842770672240332, 7940515703899915602011570921990242082041971424425808524102519499134803569591, 6891504197906111172381550323513759741804319972496414093225387272302697012664]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 21 cx = sel3s([e[63], e[64], e[65]], [9001788585918405588944162583417858847457169702891113291878897002187678929577, 6471893763677472946002018028525448192731896031469219164732421705849786414080, 6872696243264239672878286181725922526028148800020555100207514569826971690256, 6457059076269833003010871598305386357557482703463879737255688784535353986402]); cy = sel2([e[63], e[64]], [2208441895306047741608356002988212098270630744976300198681224594148576837458, 18524825154497781981405149991295652940946623352876024366965123296382603920630, 4474085805150211658090190066955902897001661633303260299025041221776891523378, 7848328793479881488968680696062292137496770320699466501151951135248413225123]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 22 cx = sel3s([e[66], e[67], e[68]], [9370960127159127445266474449258070389736162441470427007490084241211557822341, 14965609177224099035387154934147530900281499783229343066828915253839198476726, 10228455969106022490302521106014422994204231909208186519000062372321621002715, 329501376630941941063220737355314017862421104304435198239389326959464907258]); cy = sel2([e[66], e[67]], [10405035931558887078762806053185283924863039263200495982754625705264574757491, 15502133231749593338314160389347860966662224717441686478526316588882854824409, 16159781620881884595657183508560936205420303661972673108699575582908291222745, 11627201183429653135859532750162240837549070563304757137644487859075461689878]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 23 cx = sel3s([e[69], e[70], e[71]], [9435538689621391149659891449161022313817917158768482063316123517911261629051, 20034929826130067090642639519998781717754864739607562909796887703087596572733, 2387945787036487514595261230908460627602020385539203589000341684029816345462, 14287010417915184144199881651073103018750205011354171060170509879133644433324]); cy = sel2([e[69], e[70]], [3766822724536031967241092846229703633913210151222385593884505545907921188272, 15647190524611689022349999926088308537492889236313676989549224633916679679521, 12082040904926878889054967598271733538467180307938292871588544645957948546982, 18694076414086475523793644660947803814318698157437774233969783951279622080580]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 24 cx = sel3s([e[72], e[73], e[74]], [5859172856191457066677368896012140820864205253768332100482413148381377691822, 4109040705512320821322629424016219907769924434419769556997996401827477205364, 20898133598840700569835017147086534068242670333567622549169818027799138688520, 2562111968303466794360830608662119102867266861457203102917042145665851057610]); cy = sel2([e[72], e[73]], [4836009713585714465496581912154882382453931120914721557804515434755336832208, 15143499611233432306382398214139440479742818510304232326049564749513747791130, 19356118393311375462052662305789820240618686111711161337705029468367145040988, 5688481852857742015073912476996667522213010914545901826896160233670889226775]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 25 cx = sel3s([e[75], e[76], e[77]], [4623242138639627730014370601705308411725596532862597538813607327046410321312, 20015154717710755506154819006635497782515667453025611627915382742560093423171, 3514612823502534944140986983282927838609295377065173960376131742886885892219, 20191997625806343264590099369325683216271615998169853765554784065039674586670]); cy = sel2([e[75], e[76]], [6538526769564699401600543915225940144078494544354769810309083421131300518775, 9118555176257537603156148628736012723504563452923782011591078402032233615522, 12815558970989336318868652718709831589595442899079588636818966291960853991023, 7703616604462929360855592091876031952747180200478430464323567906544600168109]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 26 cx = sel3s([e[78], e[79], e[80]], [7426207409769264985012540642921370782277366662985635838803842004294008785185, 5999778250617485918891782298009709493035045140093544961901833503446031905913, 14130927440165985043471103750344848991689715792245153118451423398655300689873, 3796482870456559450471870663226834834712024906775762338643689176551263991246]); cy = sel2([e[78], e[79]], [16458635168452867431186476181702908205218256620571557119181621733008943007186, 2408736441388526903801723805189252326923776373802231905332653169285504488507, 4539189593448662319023898529532785456602052593687554864880479361284144700884, 6490484418842862735983085938727562049587933870197049726191839108647357897041]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 27 cx = sel3s([e[81], e[82], e[83]], [9274793422641213328277630692090429447322754602554792362167389139799628719939, 18213562677024477140777501284013103092531757860081519011108723177266099803615, 5928914343334640962747136863911294731157726634392529232872962806197144988571, 17364692793332784962323580622297080260599290963212510860189969183095513710617]); cy = sel2([e[81], e[82]], [2125001664000799929029867649528637137680130729147235858348667725168119291610, 15787194912569598784093233335743719308944830093009287397433562464152875584662, 17778173794489364127449950674919162836220066518510591114146982109869842663244, 18328553264273479562530008673792097214292102347103296244385349755449098608225]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 28 cx = sel3s([e[84], e[85], e[86]], [13710259114758767844337497139752382122951774216678047790125818858626546865590, 3343610505090632166881693615831990684789904804852523835888323130512752436557, 11550335352408668215051239093872906070657140182660747433535878335227749182418, 21793892863650948729507322696305982607072336532791041097212359516991274087980]); cy = sel2([e[84], e[85]], [11846136982947366289908137269088548542970460276305965388699657623060915691485, 14439612735106182034303100596819001121085745615069593580210956482903072588413, 11243378354558219750264654469308879862376787156599458648274627817471028307109, 1416613801077957126034351583571856403044235139983509507026555602579721659100]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 29 cx = sel3s([e[87], e[88], e[89]], [16898533007964698268976570330413504736326631860509774315700399063143612293661, 19762411747110048388233897239023416141949331694011759548598869652948167421240, 11749964437081939283728905999710450041654325285452589389081577137553602604162, 16314155164640857713960417655857498051596153632474886680423284957133775223285]); cy = sel2([e[87], e[88]], [19301014021919583977567348438857464752913991729661145830439339193394619822674, 4081042960569737826610743202667127127506276066439423960421657857551695871422, 14520831020919654323745478654766278220911435521609622705053803095115677276928, 10347543397607839527923790122253286529883327940351684415635401368115385858121]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 30 cx = sel3s([e[90], e[91], e[92]], [184222443282411811008485293978090987184574946550463281113036487016967683795, 4323925196392247451702039714921386345420807454721539995370304513020371659426, 2346825777983317939724845287942565740027799801885272779028341294742495881964, 3497425097320782814346947506403058330145264032565372769682636446824270312453]); cy = sel2([e[90], e[91]], [13850322095814274715426304026104710047724256505475254494587134658322670671529, 11511819464672461161880080290029237185728360968222698390620899743097045452336, 8068296678016129536739401811575622149523917897086227154769231758295218255268, 10263809994502353117991909442849926729413925087877766198113026233378613424956]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 31 cx = sel3s([e[93], e[94], e[95]], [8995760760295995916308082490351740974639094331313720900267671545759667549796, 11019493928623991376174717464416885911906134873939034428175124701672655752839, 14017581177532816290320938368540191606560126820406006677979240977503063555845, 5992767544073504039822155308781253229334004182511050716159238341577147193720]); cy = sel2([e[93], e[94]], [19514976680591593876219573359164805119998241765130948583982557052811782267484, 16839145730766072636625126513480100227916490562760284965681235183731245254947, 1021292692554672699619028273609664837317397089685876358558294458673381089032, 19705834660126914988160966717581159186486910721909298688364547098333399879621]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 32 cx = sel3s([e[96], e[97], e[98]], [2527638437523893015660301196665088766965588386392795314680197258969354623363, 1138471124880305373267488994599338604626881130398552196301155187554578496993, 18796280357765998280755689911684961342287093510307513491082157499389652187596, 17845424627755166990290252831103404879406229534320972756944316138691932923261]); cy = sel2([e[96], e[97]], [19210721144465266426749734142673856566947869352583355496554030705736452071361, 14313930380744847001650971451811594041740544882894516063775993860263195402168, 21025107892840987725102949502655791789935181032924916608477285415225533245973, 3555509537083802658278452964512402851284368794121767087246797342866139363946]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 33 cx = sel3s([e[99], e[100], e[101]], [15846792621646742652974245065938230651829248095884295067743275618391603947137, 252268672903219503110064676037004166486655891926695090023400798499584132445, 19530459807361347014390846162868811023755147873522489974990781147946076957319, 6779173153401014221878658847395058091689669042378445736327791547741105926579]); cy = sel2([e[99], e[100]], [13124560942345768357314581178595700674622208923899518932907915338485045148127, 19427900801187548763760894641856199686412861734645157290016060446141874396762, 10578265528433465376709803300626505953445780532420709942597293441366167803051, 2814357683688249343045032287308948679662030207205739212100871663137250686972]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 34 cx = sel3s([e[102], e[103], e[104]], [9161164860624082016500689976633279187120278305601384250238486553068325633742, 3594465641083658357640727503005755820863340547313408576898849399984296404007, 19745546026637204577602881915206827000693868119693662890799396502208696901732, 18116250696909523241042661347132525872828324429923244627289119813508105665938]); cy = sel2([e[102], e[103]], [13685063021736046635507535227140671955502404587270095297507854657927533098685, 21481850865118949667886934355577641333398731968912180643307092533138863580900, 4539145198976864585367021826448478029652078179409326031693175016758410731544, 17461973876416788164599136875394849349337761082750935487057356278682772411162]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 35 cx = sel3s([e[105], e[106], e[107]], [13763732875937305178862849318112327966371606623409616602363024527079535241003, 7146728911382113235576196126361394323865045988036623175328726379662117800087, 13957018179677684863250069220406779871369347949049594304698838627334319400324, 2983130106134530061974606593769911479536904265326576922594002168086009867582]); cy = sel2([e[105], e[106]], [15902927258231569893737955890837667742457214947649307818302524420399149241212, 5394027336566373776896911094388660738090625577337970061356832815458464701108, 5175259754491075858870829756483758144360263281431531384832593797283930411109, 14151565798137996208654994826049340981954317623288904943712618832232605861595]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 36 cx = sel3s([e[108], e[109], e[110]], [3511208839914156996602850728297722115315702089624058744395068873552707949103, 17785314838779826411805999953134869098297432649970533754606824062794244465005, 19568380235187862245567915799143793188430865272594403468605211965296271194922, 8968217637384711708369798047935037549991275897411766158377778716106218907618]); cy = sel2([e[108], e[109]], [9113093883676083424918242033136578270322417571556449454840754893578163802387, 15195400406105586498427391734410887774383134313041084245786188708846588107061, 10391623490262978616498794103188417653962360594423044385370483010810406454393, 262198447430650388196958319338915798147458757989176286529479967365139093614]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 37 cx = sel3s([e[111], e[112], e[113]], [11522295231047132260758343744179190547608150890072723735296048871441325064339, 6417300850099046536319790332124930285535196168151466782463281196540309297983, 19137291956859275825926699344301804549568562573423342909926469403211747707345, 2774443339156228722046927543564067034026765236710736809480294993459012359549]); cy = sel2([e[111], e[112]], [10997633658189180813501132314065688584832302881630691645920837501861598079973, 11230602434226993956802641296087754248529927465162671110571036062223097035285, 62131588140380451567557177282839666875193860544849125919004473298285110712, 10450442472445392653150568721579575112681026302736591474982185692600259786523]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 38 cx = sel3s([e[114], e[115], e[116]], [13408931465122001423751414891302829165042502658140645208130973182525808774770, 12919550455861565687920656314018840423444710872112059576718885637461594199393, 8902156077182438987081535936092318477847851529427670854791439040325983142815, 10551142139308027026174282362670932774470751296642556552082094389923387853839]); cy = sel2([e[114], e[115]], [9267742985382681478817853200119409918969418222977519894367804134923874406267, 19027179442258820884726400809066833518658247567670360715860243154343698445860, 18038603127894002689531978859178109088479567097675385814346786297731217235404, 14150146649091182389991766732798336665028567292472735778013325601175132243538]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 39 cx = sel3s([e[117], e[118], e[119]], [6540890698262697218677202035403667770177820101154223149908034301445959517274, 435497241504544923461214042595209510655313029058197261483355541334388444061, 12972419969438465538309509757262343703702203355603454637962110103300326018994, 6669959829681253734882192282716498450739929798663147573799606668374867628160]); cy = sel2([e[117], e[118]], [2642034845320222085946302229307945658183260378358994660373441270519802248925, 14736341083198246245608013213787697485596965707560872888430876049025049794937, 4329454540840640926293454385395213780440355759242417354895666807552226740059, 13390807756542084619965526671660454489274096296730210772303889980314835989796]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 40 cx = sel3s([e[120], e[121], e[122]], [3375661072576892623715175468380800047905893262660913295358697027074087217513, 5069202507845220698620539676049456933089654255996130713693017872693588276345, 307360032529211257870367390878851528397463530836715039216723323169226021440, 98081915276387897864111573201930613825497393423677224354881280134376446888]); cy = sel2([e[120], e[121]], [8987539541637688797931012030256009083390767313291834963652110291129797020941, 17901947618091300697708370389296420066544823878914604900411880276648078042269, 10639219577401234864823685175468874052621402569992677814844863434253512890795, 13240331547980137691596357784155019878384406802888737259354896076218619627328]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 41 cx = sel3s([e[123], e[124], e[125]], [9662184175454991631880218147488300829920024817382740712599708905755708816803, 17771020629416708231961523003444615645037663660747267683766850455503462282265, 14494133870721701214401742677540032810309496543890589653927595534007509078658, 16561168866198605810694591274909829276030780262733890202994760647724957996711]); cy = sel2([e[123], e[124]], [16632142917625566129622048663670437511136716491293457317746859226945397089536, 18400270017828347077622860778898029123047396355399577145984944065126581795849, 8353334605287102455944569500604056116678191817084945684486328539838325378046, 12147075225903504606648888869906750158496142784038841529413244301117587609138]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 42 cx = sel3s([e[126], e[127], e[128]], [20252038718269174556829574777069549258100538764143309785207012647062643184902, 19438750079062162172414919070069193686275943617816957878302458952613247286975, 2739523700389893370248547110285910821118647890992955640060929464309561828074, 18986163209792052202203221314221453057559857704913672555327882100075093616752]); cy = sel2([e[126], e[127]], [1949203652074521007058676904301415827566224382778317340432698169556879788463, 4017921177690528677848183821427142247358574441895228503258380087834359360501, 10532220115833479369586881444322308530349489476356817032718755221032796227335, 20767633640647488765234831415684490207979213320475813611233243261000228414020]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 43 cx = sel3s([e[129], e[130], e[131]], [13929197264592281054662634434397205757522163835293158725199610804948038924930, 18983630674546465400919161958500748450652609469567091049588112148279229509416, 21298720061922244441608259922072286340766498728629540286898859613690667559954, 1255771444824172694387038994365972934222854858110644765629654650968093841237]); cy = sel2([e[129], e[130]], [20928589942441069163400310179733448745002695258624629275677130484867901611592, 20945151313192869288039616217247173168964585800167278953053768079971885757820, 13394130995265898710013904122336137332320804034657805114241934415456940879520, 8345380486550648681305351465341710151021284756322349929795845243989999089313]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 44 cx = sel3s([e[132], e[133], e[134]], [20820962511183569148336349677594457306122370638840390080208640481304634109972, 21271204223521868772910817161761075423625575552213963956907846089587689594662, 10733658208915381791180435538254458430504966830986768682084274021501716755708, 3213872100717631866873070659546947812880485326599459130685149408092349854866]); cy = sel2([e[132], e[133]], [18802948623154501291575097526503171935564067914914679326677986205652424463305, 18671196065143385675890877955428696189287618414074487330442057564568301653630, 17500512499632911097527623128158674292347613137609268450560746154383855656852, 10140717739675826292242942694935483711727546989965783109636404988746901047250]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 45 cx = sel3s([e[135], e[136], e[137]], [14908874845345243542374913242177817956756346686642792660468745914078612972964, 6494892024924675012540500602558430897039227451488331729419886431227425262471, 19660118982815103063271284609401904064050204952733042875484811495633642263876, 10404140614423982473417062438060653585074743419249328530274575800693260655367]); cy = sel2([e[135], e[136]], [5109688569541183345813508363367270401129385455666732942384933494548859595681, 6488452587861781859966899732568514074249818909310744177483425914897141192195, 19759144330570995637436877834773866770106917696169828968224667729682932948543, 19372158643071160860924236286390794017939077735118276297478085704446653404487]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 46 cx = sel3s([e[138], e[139], e[140]], [1154476465911192808082307928347900064111325728833428891094393674593800812900, 6647319020085089760145868568636007917712315513936955502164154733998378717177, 12584569464684026880899751873241162942166450853083376779447501714905643756083, 14243280142991602029691394563175478833697759877979687578140951697024930901167]); cy = sel2([e[138], e[139]], [6461899930945412323497751736369894620103555271239754245787726192367462376648, 11218209351589240489615573530963044202098579836550413344228327749253510456169, 20533060824796367399322624999408451192171574545415433951669661225068106752784, 11799997625790604641690313275280372066913716290701708574743226300595877165728]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 47 cx = sel3s([e[141], e[142], e[143]], [3106120971963814637086817095821216892657807437909030172048489357608690908664, 19983788499223635315597700897580134177379185544458724791602486120287361195709, 20011311503290782295958825256275853340402122848359336349363185226433870439371, 17061518479999755720537296647402074631690029621158571296727706119729187756044]); cy = sel2([e[141], e[142]], [11655780578227604806047758025034240629153798954712964172707380870816316797993, 622054523287271568164593718522127794491026889292924398674394690726823527200, 16135285950085594062254918487673085571627312978983012587993350339361155816604, 16823182833153464340537049615227906529068252572342151311965980898836651237386]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 48 cx = sel3s([e[144], e[145], e[146]], [20374356410965803131887119977813187747682102078262988894186807366145009893312, 16140790886679277390055909624981354111468382311692868339667095804914180995816, 5269708933005858910719244518715051229221686961187992215177561544872857207052, 17003669964193566226265890987693478032205879390270724431641892912757008513023]); cy = sel2([e[144], e[145]], [15298182760377768633156209223343487909782393543670382286190369588693664098885, 15694313374278606393252570906724471325000910752891934797182427274800382725179, 20211423855194801900153066955584657931131527051780164510917465106404910099513, 15455288363376670716062020330944532534047008363514636685826622499678373390425]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 49 cx = sel3s([e[147], e[148], e[149]], [14165004713755765453589527153323887724160944086658242248604905215519807263185, 301131970962481505862420187551701457358785403147894839379498410579773149817, 20703780629190814394908582715811669803434202446164042946560257906844612159868, 12367443634404793487462362639029662097550355799821945744713867599113535990920]); cy = sel2([e[147], e[148]], [20401715072789557220769413113920881979690352159560582443280493351937640089943, 9512744351810164617160144481900582699060463555523641782334998030336637339295, 19997026788203221539856525472799656962300551306251956395441891331721763269878, 4420107516401930587358239495168429945976230331917756712920657983670672632753]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 50 cx = sel3s([e[150], e[151], e[152]], [8103748105126096403620617531109165346111017883414253359146860083465308290054, 14803748343013980101691104453457628404765420707022107332787520877316491921572, 6553189032217952509828188229822974795796651131494012230703062173727191718256, 14488140647832162063035434131927730449663617866962750748399561354722976225897]); cy = sel2([e[150], e[151]], [6900602880532330473224374524196761198151861405485326291615150754345009304151, 1513115647408875522957756488493462370777248725072062752756727843920832160085, 14896301840535712091808125164986771300932651268478608922083726618785610993431, 18048817115801653510192862998462822947761670069362294686696577131702147477504]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 51 cx = sel3s([e[153], e[154], e[155]], [382543238316875203894587902417533689378617036331411163099475938996384971274, 9619454944964330535387495829359535093743583319913348616872361595592109685167, 6081261874729821958303230238004699407225832699063899155741932401034312247576, 3156137884201329913786702605630625537320273632812696416791152392474314037759]); cy = sel2([e[153], e[154]], [4793004393185972052681267640894832507973895495734257655931836941627180322533, 12524126851245821931846984936446041288760976334671736634358685272033969216980, 6277340058786227516467028124755004985063566609742747175031180490042372405740, 6981569030046806591634476164525159834865090256544287529201527685109358245562]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 52 cx = sel3s([e[156], e[157], e[158]], [7242980429824960501440666232145028986161691674990466362832703971174936796830, 8045674190780012690331364750465564303458553754280502177743436741257674712579, 11260599103741407968666669605286104777635431193927929500939820855376897097946, 18466264932289657017935069178634633780361979903681010210726608765753592098197]); cy = sel2([e[156], e[157]], [2313823382391584526084833833122921512331314230217820828722208559851046887792, 10089801374498501989652677350203014944991951797848003015280234323125565001040, 17328843896403558624774477961071623822106890748911687259696765820336743222251, 9096128104648798569037169791537313868030583174665566146242611146033775655076]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 53 cx = sel3s([e[159], e[160], e[161]], [14129501557712467097681133312480956681237794589418881140932742431414452181802, 14215253979300894109266393937905007744674886266134853669970409340633353105422, 5101954416353969027375336730301151965881345391948426977373049227857281866232, 14576353231486654843487902119173617652532372118230138091256904812874365465828]); cy = sel2([e[159], e[160]], [8967890713970048745032869372462848543847652746940083058618452105243173038725, 6265601060440963621915827684472693851147234848878380918293598569151688236174, 640827344679117882936589383352750227742240703205324868948399729377934123492, 9724475542168570127797711494687143027178927970205326782155651202256929792882]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 54 cx = sel3s([e[162], e[163], e[164]], [5456157947126010471455582105823966618048439614862840203794276433144936442303, 21043218890179638595653930578748044093798652379401035786184926212259053133276, 1927155268257451951778867733460386031395807546286255979317875653435797662494, 2742904689169248143495331827109449907113748836918731412006506067439664106654]); cy = sel2([e[162], e[163]], [9440520397717291873292501513394144011971438675685104804031688857727475979708, 4417998885632129975756353073742958617120204855631898102096412742879398656621, 21718244289007192530526626848367390261419399428442075984244560471039861817138, 8877177915758141474927139565405950662745390581859900899551672907102924557478]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 55 cx = sel3s([e[165], e[166], e[167]], [14850732473677774396477975866215714018387310838284937771253941847508860390570, 15346251439912975799100173523179670100616030950715800206631108275859894555954, 9806744113621004413976521475016417033548532640900224199389230684453784278689, 21096603979133316753091339975348990230540836494614368335651248862844085270520]); cy = sel2([e[165], e[166]], [11812452402407343928752680921354215607515699690942611270817873638995622443255, 6279013985783386608484242724725362666241553499782119548714289191679033556648, 19001277736410456807324578202368992701796359861619482537978016830870842626762, 14081519926521914451511625869848591232696520686473918498999632052868953710854]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 56 cx = sel3s([e[168], e[169], e[170]], [13157890071808158704354468737847471048810392369152727364639634059504126884874, 8008722424616547903294828680672771630855086822683412918399539174241338981774, 18594694810411494426945160098830123105355833500416479749049639533195702072502, 3003039638546974941710738006242011804553647552380262745534233703293489168909]); cy = sel2([e[168], e[169]], [893279927671356626449601197530638356692800493991878277093322197544680454846, 13710236865890222581902901564951693313216932700203676104342205227571583021557, 11991140728188265308988894689292592177761583244141205754043533415013439187396, 7408159576060936012801497750876509797959683640624248586584358220473720101773]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 57 cx = sel3s([e[171], e[172], e[173]], [20379496501734200220097501155104742700678033944324898621914782326376426827694, 5628902661740155176800052287728775683561775403751721906542502141173662773805, 6649334930850298644282280075473454376493217119135753313843458230202317946465, 13953386616146853105384995231337773651826685901371822028427880819484312577968]); cy = sel2([e[171], e[172]], [6312536910770269621417292581781438152243262819530627194840110225345012746549, 6128625960467547051042766267966540761259574034224991328868848127157477007514, 2178504154437332931470309748598630309367590073987406533802402874933913898875, 10049120191768569519993419401578117655266529530568527176008678950298967775522]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 58 cx = sel3s([e[174], e[175], e[176]], [14193197030749382932133736734505537242924559995077781886176225169837220402133, 2565010016572214675455233006763278152319972391059007175692722972374012019501, 20022269140157840221511080273245661956116845958170472382643581298431129105222, 15951592620529204477279907750991493798200861674998832536410750610279414881478]); cy = sel2([e[174], e[175]], [10015961841973388881391587018151977950817576225746650865142918877894543270446, 10962609190943341745700082387389939598903593214578149618076217369020441344245, 10875728650787073188338824979727792178460025858689164586811311106195554874546, 8704250736813220528338393230481759654328677814076110220308209376595986509914]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 59 cx = sel3s([e[177], e[178], e[179]], [21185904177969045625821216347084191287459806531017721293624058180265336503811, 1250611256248923800378335492392268625608584743125298517147184362502718557754, 4732901842829850758626640836087921620095030893254064254821493648172485065995, 4686012912505407137434711885457531064310116778761775095814150050521297721079]); cy = sel2([e[177], e[178]], [21681922300753515822840018285496181872470481450737464910861242457369823926925, 8250546098596619229605270054781796306579374634169772718113961166155976799791, 19064654253935902908485961089200674782438523882800790190859631804189001729500, 7893084863238812828005589178028293328994403260619345443806395973318698162130]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 60 cx = sel3s([e[180], e[181], e[182]], [14071560871369419892033259843192185467358801846474749773427241883409830032328, 9559459046618636497241065316366978002044190960713451216793292122894012900863, 13031319565545666906249801044337083380860313201803429372439840529717343742035, 20069400641162643493898109922008601219601618686364720341639616051841829074334]); cy = sel2([e[180], e[181]], [8710777380190521326883551341251426052007249230093350101154473409247609882825, 10439377650670164179707163339178975058403688089785136107598148495986084488509, 20130072726000251358667317961033491205160472226244307309389477611437739154303, 17216059825244204015919013637129845877195519789582013765405196142334767977705]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 61 cx = sel3s([e[183], e[184], e[185]], [20777314589605673759170070653370407645867665889025835324139659856710113131826, 17380793433135473426803899659206730936771330488910864786997506181753180852018, 9135535394443552083655851762956576299400389583070951313661035134759057889658, 19259342468126216922767538099314197508403261200862162612026099962268769453780]); cy = sel2([e[183], e[184]], [2644721599238941245572401477946144870669550581359063534170381908963477379532, 12369176861935895868206428376006904712013007036288222495431735574326142454609, 17367574625533031619575225680253098966157776114681359698904430545328078639283, 21794479452176520273231597892096817659539111123775968164861961429589103329517]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 62 cx = sel3s([e[186], e[187], e[188]], [11749872627669176692285695179399857264465143297451429569602068921530882657945, 31939593233430950996158270398727464286178387866161404769182205304632811436, 6016890150518491477122345305716423891405612103278736006824977752295838970965, 10857254852618093631105790010825256882158099527623146563961929227148379359444]); cy = sel2([e[186], e[187]], [2495745987765795949478491016197984302943511277003077751830848242972604164102, 6997914616631605853238336322733192620418492595988404136191499921296408710465, 6173428954671571373132804754825927617043378457799815000168451967196664752847, 9007836187082518685036356739793187792845982511088020304887245789556567564055]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 63 cx = sel3s([e[189], e[190], e[191]], [5139361255050232661773452561726452928115803730344567411456642256556217045338, 18849283619433745348738480276785423370734769795033289874458118507070173353564, 8448578350964247311518616492977206693278225803594287158372550008714482924618, 9689086950770336907190180706142608582993499523814136266854852845122214734392]); cy = sel2([e[189], e[190]], [14036051510959474100046039284978060652197630794277473374328558492372137493500, 16611708132761924749528167866816090876717761056993928787802780141779996313373, 830643686092782069152588625317289527987176650776268015346372712951408738404, 7124577892782407025863252010240336830171667706358033009166413008136074540762]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 64 cx = sel3s([e[192], e[193], e[194]], [7037199118537155369331275916815326054696699996573020862644806346516390510132, 15801832773874273151484928140234822912161499004629735400320792200594998558674, 20529919447890597649764739102616587236240564012012882223198985848792346137419, 15587579342628673804059001440002406839596944474602936992474297171186661645909]); cy = sel2([e[192], e[193]], [13107688056462500445700480209995877016295689081542565992250464593152667593220, 2950999836230463387014662253708191376901146777669866592618407913815214817829, 4910645882425237270468350930391794068554002250789220952036477599584216368730, 3842197005807929553563656299566067039385580918555124491435963737335985608367]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 65 cx = sel3s([e[195], e[196], e[197]], [5946112335249256697077095359378565725733629742750694340878812663903909175901, 19030634249222736450152769682445487635301904450722490014396919999971262563725, 20272077332559936653726679368964023857291782018546895109417787179027229259529, 4325773325239231432990045180370600024086140077952119719002873860984820794777]); cy = sel2([e[195], e[196]], [7559787099338642680034184654424868894988928943730034769673486129058256478240, 14955054800505659097184643689663447282484820948805633199847088945313706647256, 20527315092050743721874398127103128550881291654522271023332206474058940158292, 9254615232744118309709861811378827051213745889996697483998530345751148041402]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 66 cx = sel3s([e[198], e[199], e[200]], [41373522534463253583709483090344938032869463670116114182911184041610044395, 123058269904779894306385100149700584700988943576532400555257363214064615908, 2188259327903131136942811179577591848088244960706164332041753317001971084806, 5677272600001855408525885379297081872841669910685379249005421935936405438326]); cy = sel2([e[198], e[199]], [1812970364913777725848745565574644898635129603904027984751613694625700239455, 6325479481133126048154398075474627535983053143312386360869927669212098083218, 13018920334214076613442336156617958094802950850259563883918734414290288034687, 11007863126994999194753256186448493793850907406765917922947224071691321773988]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 67 cx = sel3s([e[201], e[202], e[203]], [19366353265983664793480214800587120487923062015491759603977854723148315579274, 13009712389497066149642205706505053720391552889715847781477674095579012684216, 7540090586243428109828867879678893096981460680323209865296583411528024312326, 16312880719251887899651071843693753472207446322138586240016038563189666076704]); cy = sel2([e[201], e[202]], [10425762558101863677692090103799691698591185440858290129753641015260969124568, 19889759528114345474077603906066211135049113446169104039752988610769598108616, 10189577411425365730046714422122931951193107064366232919940491025624263274830, 19402847860324611226251435664012558569374211845205502575728141649693622181131]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 68 cx = sel3s([e[204], e[205], e[206]], [15647575844595805283124278572298605369081553302159286302039104118434564547757, 11119588224460846619648329471078205852940427394545403397495758589586019867123, 11531502595396972280500527673404404955773795456604503116176223280757803701142, 8880302652736630728773712083983401143315564427649676162399333300472018402820]); cy = sel2([e[204], e[205]], [18121989769429113110431033241130632527148185431169035091659247063715924437727, 20873727571773157361636727287434618496229040659202161464546752313173048350714, 20691117161323169072636575178583071560333787206766658873639451682743014282486, 8341316767034979343476640425183870254531797329971610276320314018660072501097]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 69 cx = sel3s([e[207], e[208], e[209]], [15099126396506559307312697471585164108461593918632286769972271267945539855806, 19719992822745709208744805037389314455441129806628318848823336999297717461102, 2498623947360180463813005839687911187525292314091943320262937967401409761873, 6773513521666107580427042608663114222160509705880285715315137855519926605076]); cy = sel2([e[207], e[208]], [11185464183896587792324099270269738719144599552792757002841466742562118002961, 17962378754832909648632213279341274522205662106198070463591287770511029247082, 9572883626752796327156744085207279145562604122052196885537416403686418306743, 849739335033117039567862203783008236118271414428303942526044722712316390134]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 70 cx = sel3s([e[210], e[211], e[212]], [5586425841805464495367763159434170408121119147683098906675715851224959199555, 2275887592294698256371035540589451793263643729528648494997423042939590025265, 21623018362589173579186020601617142922337607155324626054728009524185014872882, 6470935377837087985284657580709150204914393986124872780110914178120147824883]); cy = sel2([e[210], e[211]], [18977748529759410811480134751116373952642146764796083016667926272252310801539, 15415054474257926323577643558627142211566179025425425674112343915385225979379, 10178696720359974033063364767044087765079200964723755314869211737985682962880, 2751262919149939488788372835165540688204591943865442185170575019042791606144]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 71 cx = sel3s([e[213], e[214], e[215]], [8067396068830332270789178613335432253659758303711969642714931687060160381303, 8639011650360344590794984878540401640139910601923862912593792315052343319076, 11233915498048422123675368878285943174009257862418242010192825609765986035356, 14474288438243449444797392475230229280689019808482654245523987676777400402951]); cy = sel2([e[213], e[214]], [1109389204114118726338211511183391561882818362713716952828416479757048480713, 20658495580821728113676289889282525822016081521980495256710356417074439523320, 5734616557338566574377893898300784804059511397655030429323489999855673254133, 7694030151585859685333610687574701561418848021817379115721565206849330185976]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 72 cx = sel3s([e[216], e[217], e[218]], [14694205333290671963708923368506587408024223912051732033761240288927263651380, 16846840700984603406007084554481852964137248522784508429412010549513323188912, 13176399412773372610094105377631574988462669519590170596472033646615482615262, 2687848140625094867763341291336975245615611233615607599401834736964978577349]); cy = sel2([e[216], e[217]], [9656049051507081163863869851380474393220762381365090138663873299937439711626, 16257833452680722743254377629669121273261457821544261762335781528496650481193, 6465537052899418297534883094198381748729828452125250541158965933076691478294, 709697610986733714785106299677092114124154955937070541190663241187641683175]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 73 cx = sel3s([e[219], e[220], e[221]], [12368397247649882906953915991250714931614715588424094368585746160811998953306, 18782888042679815293214947449937714827609414183597755427793821090364126288476, 14980906670860851104998617553690749074165805207013703141953243482569349981523, 6579728809126224271038924161669519472291072114357057900231021883849035745958]); cy = sel2([e[219], e[220]], [813793955589589118694666569995091571992486583635127942664119751723536369919, 7944299604444967298799338830762202580774561040186193713045849824532426689590, 10002642178009570948907228870686621440930898426698423035982221525801621370935, 8479337223317874954343670583381865510386888037444628897905418707487375421325]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 74 cx = sel3s([e[222], e[223], e[224]], [7187732531650016705045248947412886871494880941757180032721434029527647591174, 21429737681997573327768382790700665701419541321736653106996131182050077581533, 11836369351087123833634897021408898134248512107687639835461193259880629295891, 19132784475506243814038464623366364810380933540097619300595341694560215897043]); cy = sel2([e[222], e[223]], [7505964932526905326140236282846132917485872002527800757209057356562826370965, 7446191000078603169082551991705097881255381261806164450828019975914186121730, 20501368217451607884813098738754813918145802982055856468691458112065708320700, 12111360534733555932929570216465933882611889545473508372687771008732927246750]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 75 cx = sel3s([e[225], e[226], e[227]], [11880592453253678945312808709337779570677968939895786745513483795196121148239, 15885465855717299709344092447684246292163545547216436459368792952573638150871, 15785265541005027154032372858808930773051366971093462129449868653918773012805, 18569197812514885943202170611076608358219751234067371040250790526837986392838]); cy = sel2([e[225], e[226]], [19319714983097503154896952315362236888483358620825042533226116711980128027594, 16203396727641772481371087324762669694595077074099718953937599120235089562441, 8069072007055358551280258194912706575285364270109077890462380604843344248137, 14879918508369225877688675007526587407926006842700210091106836056129459129297]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 76 cx = sel3s([e[228], e[229], e[230]], [4665897628623235203637312232323957679483103295583092141578808282040205079719, 13624944208440724520944284383225072602905876122550187793344788447894380752405, 13240065107073736104958720757918020581159288509346627802839384665867212601652, 5404872141819776433203748684385984691445987755176034496638153799038857512389]); cy = sel2([e[228], e[229]], [20713846021060085908071105513304556412817630308151607438714049866357354550752, 12308156363070414998141304956459569678321247441462175945058420898750569812289, 7869135919638822130359819523186642202243136255410646018113662355856102696554, 18106721900555088660857020092432838491684499647468676099930405315728768226404]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 77 cx = sel3s([e[231], e[232], e[233]], [18212889377782903846034117170355855193339291343619773736161614903123505780500, 5724371935927035469891307360583032289870105083635885948626519084327837492412, 15018564556029978781532805643572668082137657619876811702006326742091833640503, 1980690392504623526106436839420486135508948878537486163191798777558809427629]); cy = sel2([e[231], e[232]], [14150007145691261709583376556777715716099818143565185837820917588114159379297, 20022624235079706615759218203483775626475427851084411515081825296526003331089, 3653600812499303949236693031235500821149221426419723829534939359247593779698, 17687818220966506140783793822520601258809092691114698078370817997514472088683]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 78 cx = sel3s([e[234], e[235], e[236]], [20014362392122060372382978901186124374461219393111624832280409989286374019151, 7678149165067745993890478281145655203076154350573466295728882151032664933813, 3225698435546178867794794576435022149554488042976954865856749306115721077662, 11309031064526492555710928277445241789558140050876975815061803061421298770441]); cy = sel2([e[234], e[235]], [3781524301363795687584984812832316590367643113392401377547409393858835211208, 14954378542264966404669454369751236758988379152056658083888298000396867621936, 1762346050163239223923110798598502612894079706374187891044283390513959164382, 4511820337785812086858556857918524260240820667203320876468844848816354037596]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 79 cx = sel3s([e[237], e[238], e[239]], [9734499467834650890192498500298459962067559704398257089549121433441674087115, 5215135617552133686060655322881340267001697536486897440412599806944209294580, 4188240743485809003397687109987123955188618656835900004447532212211334022150, 10646753846009034357734238656245532993332944314059322522045789305478499710981]); cy = sel2([e[237], e[238]], [4354361275489184569727883669567924050940590772506719250562939951242102459556, 11812679101253609883065116716426172392592451529279171373836703114919477018303, 15938685241828674681356945591247179905945286496762161102822537588243702016335, 2396399767043799129388585002615296373717040489521252489057941017313192676808]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 80 cx = sel3s([e[240], e[241], e[242]], [9547054830379311239093093214427099367592481292385809745992166194109928893132, 15809211758984123203744250589992081971737344928666499432318524828207451637502, 2317605133926452505125489082200124096354438531853199813212363802981648616781, 11720218057191867199121604823871387192503455956722025424220873115151171617846]); cy = sel2([e[240], e[241]], [13627319622459471863286677434492810110443625239619395014230589374758547978269, 1429116229161069264517866355097922507661063351137334983223517731193665190730, 8760550298269703331457356635709373772631633074463698514870757469189354319951, 1695059580774200437965405056230849147697820569205516838038543601601027611172]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 81 cx = sel3s([e[243], e[244], e[245]], [5462734684060346793723051717116621327144354637585189012464556861789633254735, 1574368603481037100592052661337337694471748163849816976465511323905498090898, 21017620690824743015216528248522045704369427405753453300912995325024062710748, 335774257251677761852834523904277348100779994383726453798657085528043830396]); cy = sel2([e[243], e[244]], [19956048369873968081515874523485925798105246605761695905870795560621002747577, 9838187823381646970305000918713399614038197140004128824046441620722100628627, 9761598443789947780667845618272433395258577614354457312915153694570906468084, 5678382193061301565104967410106463714669588791192144419019555111526838349597]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 82 cx = sel3s([e[246], e[247], e[248]], [14120934246971429747829618071104732571014495017644755746350410437296386191831, 6321525285327330824512104449106606616844709114576208465479970358050873874349, 9828948304711234867338016094087396323909457869737239406325931677882463208355, 18078003119304519959309175940845224181126936983821549690560235900824217790962]); cy = sel2([e[246], e[247]], [20946993100078048703890437478651577253995893117657499778417778292965813281806, 14356404021232332461217625395600664517715960389258731685389867303545696108853, 2810577432005044954032138045179699447584646279814848461184496089430514835598, 8767040452903340993130881597424027588451974218686780194782289690479045090015]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 83 cx = sel3s([e[249], e[250], e[251]], [10074124480658003038181060843544012751655263682971006047574974839001332519369, 12077899488247602319223956898393373607365192976733626340271805296106145121355, 16135938726601100366620437452815649119119591825429317780601932003124015669028, 8179818941824323394614877573129531443686047058703515433852568295536575458823]); cy = sel2([e[249], e[250]], [6742523042997173838799423244280133352249230789995302906545025471831316165384, 20571270140927253125417728386763981919687051926731085366043566448009069227191, 923263495309221023264076470401516657594260797987069910555955234338720881738, 10846387476002903807347429282866412191160400241233297902208546470305682775632]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 84 cx = sel3s([e[252], e[253], e[254]], [9734317150772506967195863825775613184177780587009303743393397724706924797808, 11208201130011695436334652728584169313726840614571295516236997046457697153324, 1222680486642983364052833343811429934453835860106899436901212790725638894713, 12019238493894483056724448289009076436822742112482573063847552596048227585627]); cy = sel2([e[252], e[253]], [21086552119896541186107689532205383551960199801453516689016972250104900583432, 3056767815025727154134820681013380076250249612276183869180162238277626532027, 8232281317297626211055636489579107493658454229617058760791605403582002142140, 14549672514437654184453326941604694948116368249587796119338038904533837120165]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 85 cx = sel3s([e[255], e[256], e[257]], [19897146034704593618377175099239959996606643851373776355482440566659528393713, 13567220274372260527197800746127305934893509881083589343644604005840555405371, 19175080795372179131749429828665039169211560827471558543841205575231867635965, 6917449549804522032498038894724900459329834531091410689621076525743611296938]); cy = sel2([e[255], e[256]], [12223657826278264815494051932052421695129917274617530304443478482578919678308, 8295548603728936503708692859047908287111164162226375098145740427985958712611, 6607229719664137890140258196376647042900642854569636028419328459816951119658, 14110421155257010376968111292134385106023449978845823063864491477811661996253]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 86 cx = sel3s([e[258], e[259], e[260]], [8185677100333640041421355126903921619342273914070568426300075868606141405021, 1670466886055998857358105826250955310011203741639197041742892893805477021056, 671638389102335040808130453738616724135371178235871000115155863725237535561, 15155007602444057841308084879571465766457754342497255444459746080732112337898]); cy = sel2([e[258], e[259]], [5730721122742653576294802609542803235749403433458024692842251665338778112357, 14898703166129675283863893661050084311561656604196737234704191900969087474133, 2459074141813559460216507737311533957327810551114696579502401763839835381335, 15516107503085209346875467061340145906150528515154791297494671889511125291207]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 87 cx = sel3s([e[261], e[262], e[263]], [13654034957145907815962106285631017905892861670471883127206658577251723739165, 8633158844589460452837721754446206625865140330878411953122575379370751622485, 10232722293127899126024059808155635562748968165573438955077544464410325913567, 15328263964181874734867171882863588382257876665732200627067485961683406281267]); cy = sel2([e[261], e[262]], [14648234277430895067547661111448501238234630914838612427562971477472564218927, 12394752068682518494797840832073763890437175762631359486643184011399642941695, 19427382571659868487644833684469199967640111942906298364811415181281091481616, 182598521940883711045871251162735110551301299145061787687905605212153955957]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 88 cx = sel3s([e[264], e[265], e[266]], [10625366736090949097208784405733508126867531010210504034282606844498242195460, 5745457912443473561064508106222759378152708028067817946740487826967842596074, 19720099885004155494384241598041924024056522066497340576395346816817691557959, 4411557748754390593675263772383003703921572549170163035845149756207936580167]); cy = sel2([e[264], e[265]], [14732913015624058203205922728424826465278063568996784510238321594483738024116, 8539999814473505400128567752428776172019356440581684960088711125461388816752, 8671134805346361443739204337860301475415660510460401138135319415884938499794, 12889649495366374604591900250806268552879620119403975808021738180701264567775]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 89 cx = sel3s([e[267], e[268], e[269]], [8424620995080153959855099087384460880708718787657472234234125992142104413784, 1213413054380708818479960383614577938132447492306231448400493113424770669073, 17993616645286674150803280096391639271887381916203322164869533675674274690369, 153030618728554031479557843767027262505356544554897273649773418701874030937]); cy = sel2([e[267], e[268]], [8774350273413061850499929377371854983526435316805379820854063460345613579740, 160874859222003480689240665151063301233791348742268400199413950144629148606, 3864981636983763871420661536128329698816776138190284810024785475130342429509, 8927799801878514388025533121285392339945739901708290822291826043102309328947]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 90 cx = sel3s([e[270], e[271], e[272]], [8559837035180670877234803295116293964077309001575836599087921933374799946149, 18335809791652365585369283816437201104065890639760635850904865621132150615442, 20223042693949477624057496950714682763488956308852238106089638364544757819336, 956531986282862630457073126978994765430652506058410664783115436243377137130]); cy = sel2([e[270], e[271]], [839500690449928047855071514156387100713350925422279056462945330783580827563, 16644736196961833445797352798716804869773621626799896168771841453493474463773, 604545836161644183235683876796430911898168138926947606928620724963455977159, 13372011982201734306725124438714782615028067496534473713140957917136368058903]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 91 cx = sel3s([e[273], e[274], e[275]], [2094128027031828157560092686172909842260483168819281235210539106189673022187, 14831470033363035728579660771199958641838096197597230010879786959469055433282, 14580113677826055589909107333827815551732916495147612562237413782243389891044, 21457439024195964947733246659608329461028391228550531897929776149059108022400]); cy = sel2([e[273], e[274]], [11349460624897126395359735030876451695289908168621129531254166231469594999395, 19428708736392770387243553726555356520800900418277262898221664159221843559913, 4432119977004888069457445133143529511285856348699582219607694824086497898807, 9160542608356323143471297830883618199584611885676024272763585312451903134897]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 92 cx = sel3s([e[276], e[277], e[278]], [4354759259287077683606602421630609654573093874872166313972356669642414450557, 13648951383939395268518611670175324834705441295145081802011558222046663990635, 14109063296906889436525684297777423342039664400074253643711178181120772454442, 7920829805332901764517739207944367186855755092397343817260945923718690867274]); cy = sel2([e[276], e[277]], [215179997319049227050677351252505122489806707992988193421803248841509506088, 15514289571504865101354424086151224801481680739860239328031576438563705370521, 5904618612526890474103927634405504783798865056645457180704237978103781216311, 5748211772814574948909294216861178264766343013494657271260147929020820008781]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 93 cx = sel3s([e[279], e[280], e[281]], [8507753630181199902479216321724505843375506218865451254864654248120523505482, 9450124212352501425016224885075456626937137054710829941179274211424392402188, 14617760695968479875555170000896560124384001439628509056518085157675385430999, 11259792651191057957240332532512267993084988584437199185342993378682410436972]); cy = sel2([e[279], e[280]], [10815868200773974736475276546832667321164179489094422703987813447328543028788, 270750089909256057588643640569447562301277634245971255743235422454022028456, 12525264811662854133497240150104162834870195408235601736200987821770575683753, 21492322023082787855062324449039977497952909569982074113097211015628539637105]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 94 cx = sel3s([e[282], e[283], e[284]], [13109291774440010508838814834344208104350382843329321595606001193219335478061, 18178081082215000330236621415683992037792438414607902561151998975591610672159, 1825689425393769600328701494994687539687903068590739461592021486333291661266, 7793684058500310840246186772109776829776364159558184911962167538064855177290]); cy = sel2([e[282], e[283]], [12538966751785809241486764416198217361134417700423840996157483469862141526006, 18918692038570377322252840249784989027502652471358614978414943590808682898821, 10739840318098234656669579810873413661071494114926975536918927404574756289141, 19177195314890990393062332918745346394029203576215723513167013054282705104509]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 95 cx = sel3s([e[285], e[286], e[287]], [10225920463059329189289679689043403756461771898061631555012236633674500607894, 19821058226025589223575559712382894896410588163797548720897159700660021786692, 4342530929634070742874132949165242936564090903607131574088848141363806195244, 5402483411262228419126012059406829285695506472234034454332016959299908934815]); cy = sel2([e[285], e[286]], [14845268720181506270843668435047795143673881800644972711347963164805203292028, 13672974733920510644893233723674603797496603310630434825704649796138313401676, 6411707949262855152252009198588056473458716851460397006471717726058983234993, 18779680229580121519443328584313676056219616039194596697158403462222387132381]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 96 cx = sel3s([e[288], e[289], e[290]], [4836760236524137019788853323648085337078365119204570171912328851849081302469, 17868028324749251162769441309905628927317218753130618155651317995445082462075, 1772933343466453031175704703581215603932939906355841484695391914536709138761, 3546600638749568273439745161679319484611182076185127936908592367054940973889]); cy = sel2([e[288], e[289]], [15727462261854339392836033936665994570356817309630572739663218192786419709049, 1337461376408438722980356088847283448049292537148264126525086899131501823829, 12238707625348281750296588592788256417660177170554983893114345282873428793086, 15525437884516977515442248737754366741726151193578138245479811700230576818338]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 97 cx = sel3s([e[291], e[292], e[293]], [20126221763126240993614454578144859888701958472483256034667342833856637405284, 19699064573618103786080175406330154847584332570598813466503995653274429215656, 5989506922601319310850294681562133253116809072854033597983216925515271522735, 1000911579713616921402553874631906432389325985380989857769833587362794312630]); cy = sel2([e[291], e[292]], [20063374408209966489810045113711694748195105838875731221209079272072900704065, 9194215440981146522641296536570335847038564333573070389731736048602585014353, 9856108459841119062384164372572927792749846793172495377480072007040372623532, 16456996545907573633695460898581306270452076960241899452978065386508672788709]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 98 cx = sel3s([e[294], e[295], e[296]], [335301756618437339439144029360964383534478515390448989496515998200065120560, 8900295787747118853873347685755889791679080209434225159052383890249026687118, 7128354610803275364524320321498051406687079176221803083268519268078181474486, 10587524605383993790235166395264599817111999691721750015186077104713345396025]); cy = sel2([e[294], e[295]], [5048381480643837407413881593434054866090196361251156389103862466064034755870, 5633507321470690754598569732643608340435754341640194463936636395149026354734, 14155759183302230320588700447409830028824433982845500795956824041195173925296, 8029144329154622500871732803176023714578210937344495829905950083327660868243]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 99 cx = sel3s([e[297], e[298], e[299]], [4778598962832696072676642978625204359871247189399816084941520023705687820799, 1041656446764385248839445285580789894072064765593570151992974139621577464190, 16604772736533716135897718386428759521995904068172209060160905451073360508438, 5434449975739162120230503825057718004673241312353068784008427484008820677975]); cy = sel2([e[297], e[298]], [6056883361340614567315212379835078890341975776819628834401238537031161511515, 12948572080347797369632667255105735306309789288527345335385584655912071062991, 2047203431451992701474247296709372094572802843600017662927813418631212656090, 4132565694324682855622172238297326586214736771195057409015171400249163749388]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 100 cx = sel3s([e[300], e[301], e[302]], [6916961985409927380628327393774423923434707859806165446564471158322143896430, 5992074540412063352415311056228455935293166060283849428112990098777744329018, 15928943908823412922424046027263578805013830577468518797177611363337136608209, 9165805262654590321870254579036281540959358923531526687992873621654142568029]); cy = sel2([e[300], e[301]], [19113997592137471372275504986229466743101683336744251847362311356790431849943, 14004712182695079610522706143578502649621084194457654873685315715331271860709, 19337382334092833222650792928980596008310896977712987991984497026496963328127, 19598147310295874176650103171586127283815601834965516057565002042355878900904]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 101 cx = sel3s([e[303], e[304], e[305]], [10948634109523663410073892096301229908363974454242026292710198013874268733721, 15429431087099938206375989354827088309373134102432374989679474148007045226404, 15424933350139202912640857850279200342934439164947473620816895024212952340734, 7249326591094430300092421476233168005480477057146500206388167575638063334006]); cy = sel2([e[303], e[304]], [13978844239437491612582517692269818179489578402023377256168376965218369369939, 2030861900932117628118671150363276958527364035939087076359289004302891739342, 15817916211331592751911789779171300716227893840209480318007078572691072662437, 11627409307299027242340485688430280907603952564355973323102745520536413654480]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 102 cx = sel3s([e[306], e[307], e[308]], [18995578047969205917336954191535061050094635635378379108624715348396977983189, 4225372875497776800681698864198574622710499387413704002947025943614195612470, 17351437921298308953512714184518159189123423974926314714485788395814969849744, 8648037604000808882689040136601171409077000943524268908332163815927078223586]); cy = sel2([e[306], e[307]], [13847262887662907650775044616657488013627923118617883909535158774246706595453, 16327475809001511779800793713087994795688106377254965385366798254360171531485, 9662682437808722890180813130657795806130406684446667889065062080930078837985, 2502962306844881519115529360019706751646009100590601561262014681428188719652]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 103 cx = sel3s([e[309], e[310], e[311]], [15920090333582846150341817050024564335649064112537068561935372152494077145209, 5605643430930274732542971456995927736808851585930096579266761796229766916419, 16417626123069839752924241752177228747744623168825833393208640134299321885615, 10047503027147056454952493773282171263110464519924564641292405110762258997532]); cy = sel2([e[309], e[310]], [17200096279975283058225939790642290750952306062383335630123644381672038262866, 9789126042032908977600199303915152601153926597218655498907321898754260478045, 8000890408406693601499028261723138327296400099255905955307073434675924377491, 4588804177243916206243160261751431868697632792491002746485364561078105548339]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 104 cx = sel3s([e[312], e[313], e[314]], [17405833224461846119127359023602459766899246377474167154738658246656617261320, 17497966949182265924717994126031328897613192226672854325764486326873236644838, 18112601253331073769860162727184645241197911130662557597456857637926799952771, 18917984642138666446882277898695258545411024830699319452174655151221791211048]); cy = sel2([e[312], e[313]], [2379006936139604897517171125029127132096844925377650383092744055973319489305, 12749848257678287712950295235536433677019860991481258729313170570275169590140, 19636804280533422414605179875456610832289030857729756765481423873607782896032, 1918232436869295272222782754406246415048195875894409329377075908962690232744]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 105 cx = sel3s([e[315], e[316], e[317]], [12917351824629483440622737030529674983967542988637720886395195031194160632079, 8841322465723154205678020011172362816775587975165151786897606627457187155545, 14002729598867581256643018976730132585331390790166577050573493502425421127182, 15268061642248917754819598857052007481406516866069427006418085798086854466171]); cy = sel2([e[315], e[316]], [16674117998706559220643814233136742237729068875288271911312504301619597199572, 15156988565931490695937923747057400310765196912391035444903438612244254494193, 10444568487973458741284119360757120950097746658650645740311119491238200646302, 385547467860345680569692008987772843718726855128251196487129380665836896693]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 106 cx = sel3s([e[318], e[319], e[320]], [11485514708661668839797104792911993330100465395538998907154500209956717209980, 2378564891356297882391172511058064121371341057541144541265151112602629407486, 15431113736930357829525054375951018432490410667610553241393471463868088483568, 15128200972190674116782495538728842150282218770763850888538540847691112710086]); cy = sel2([e[318], e[319]], [9353349283824572334689034791316525426505799181965760097150790472211583538470, 2565250682258865603262212838934596650511603775929760392607203509225620090349, 19046693709474252308020355261538860605259941620276924614654553264840108783324, 15978910116968143273641610096037639009526883121076925418594134134597880991636]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 107 cx = sel3s([e[321], e[322], e[323]], [12732753810746517185428320079630798046136898905138090354428070504022561261129, 14570979590504848605419638850092710612576634760731998010991154705829891960303, 7081876654999237785822068068775175823259789900038464857602167050792131983158, 11911397750859796885754857056361505572472692036239385315518934824432070976827]); cy = sel2([e[321], e[322]], [18703753174721947326863540292822225800192529767109903887849391280378615950879, 19613778040124100165889220227898498533129133505873538625549588791740345005884, 15039820717144729975607443780109118368904218216499993640810787891283371396202, 7893305471806697580362861198809218871446498187812275173987543199956558198521]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 108 cx = sel3s([e[324], e[325], e[326]], [4396441250850868966014141809834014631796411613521413364533261157108807304791, 16836648497150572549121598580118959226192434996387135129991940567405870268725, 19465159793724690099931261171165210166819967882352842855510624454147581274670, 18758053793437253746142721581116755417112792746753684636213054094477781477382]); cy = sel2([e[324], e[325]], [2981405188098805378415778407831807030725264692497108694734382487084076855210, 20469108288868835484927940943356623938045830438424196869633899618683134613519, 933161936100801959708943470285929527457537321589386575156679532348625637985, 269411351035529607018992916380602655161076148137839318392666564540836404599]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 109 cx = sel3s([e[327], e[328], e[329]], [18448980711993048271679830178954781281796619509660919482566515137849326949705, 19744948717433186245821639271216553763028577858032707139265783707853921912155, 19819689638742986969009459074952228930363474994050981268236002838584672060867, 16852310388498099768769862489306840010510354704163417110628769300551675410617]); cy = sel2([e[327], e[328]], [13538295481673593444396948705042001770075594914797407330259513771278632533788, 14779507856773747214980057665178562325159137267699293184545672938786460137545, 18422483889209125213732972603904783756680200857795267276573963126785961918198, 4225410028652447730956912638069668360808266049871102249949930413024208501463]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 110 cx = sel3s([e[330], e[331], e[332]], [8789386218557174287787274081526754120821582438440596481230009033085305168336, 19604730670978725971286378588091820043225493993475360080974783305559899794334, 5754400819903612415922678283536801620301085919072204701407326554289862247, 8133367062275595631112870441047385208403330263311352404563334748971640119238]); cy = sel2([e[330], e[331]], [14711352054903619189890311113670897561016852508413508359380114647296690234759, 15505081148609421707654891794900819606599284654426944331953154100271365747946, 10498745521808868190882616751430118808278388180031887838543438537592782154020, 14283723444930116423678497723705206282538086486601870839003576853131844860728]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 111 cx = sel3s([e[333], e[334], e[335]], [16410879947793378178852309134034691965068173351773904636443113803287073468165, 2459742793248426443467557681746013841012911230130900204552944771295773437965, 14148653292536659971692314351826075143664660164844520450779907656237062521024, 3823568337665129538914482600317854425115614575078537531810182911935066246893]); cy = sel2([e[333], e[334]], [13525280335627612179489028500357999227382280656020782481971742893960563718069, 13906986326008385599879221793305773429690045797230325194617940541283670975066, 17928827609489859058711914379940226888033289004797111427100202351646756410052, 7751873896780721346657011057490735623065509677587909473561532470621436328656]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 112 cx = sel3s([e[336], e[337], e[338]], [6360670162449266467030644276184864100593477111108480032796373772347480922189, 6238026479435781753480651584008291445457129357178771800497280501659229824509, 14372912505742790548866622516086728314858808340582492719789600777407852624706, 2504355035079143757819920622529907675398702401030398889002491033376003993290]); cy = sel2([e[336], e[337]], [14257529111287275777165336596087530152135443364949890695933859730727871380736, 362630247512640601958597579829458123399369864147591061426591055098065517091, 17799973102921706872164223253101644481160962872432375782799635148100439645882, 16292554915278539427322523921562887226516459098783274424269678044297404132797]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 113 cx = sel3s([e[339], e[340], e[341]], [10885915218940734071225780147170174316285574070557833147925199753671864395970, 16952199638513201931184233985077369412021694081253114169931799009969944845190, 6579022618957621849920927439620464464347948481098737101648586523931683396941, 8954730328909621308689740172956171586217761959578457105814991014419829084276]); cy = sel2([e[339], e[340]], [11029057981581926429073650712620964484769971154264787930046960173769123662678, 14057756519867963926667557918235357382317971790756175535573262066939972782226, 14508105580605381633693926053140229084417508695027158358695356916669309852365, 8985315555716651207654399675191261186115135312348808559060054412234307291987]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 114 cx = sel3s([e[342], e[343], e[344]], [9591625063099557813317657356201310094684652614430671855551305338577894715651, 21710627476302748728292369634413673464477226906421695181551559967392730749884, 10189696652015358480306279349674126142601586910844054141319090928400967920492, 14575448555178809619615329760249104735737622500547600222673171666044253032327]); cy = sel2([e[342], e[343]], [13661097518448111362501604180288489621905168345464166181035334250815558586292, 6541927678640542532346030316589325212935454830056081625698359290342280209696, 19655534040611331062875671654696954076416928174908705322979343601347718766841, 18893407984789248251370377180059349323487262100431967496838185583910928677618]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 115 cx = sel3s([e[345], e[346], e[347]], [18886312892727437565309004732784060353326028914324367568840970250261109059822, 4969806713830542782459289156960092729650598975239889678453184524343618399703, 16622981471374298426508813360547940582831388597832992696194782397307736766285, 17207217606628134149600916884515052475396230199786007830822049511835023327746]); cy = sel2([e[345], e[346]], [20097067895510901824034782908594630518461908899922907976633298936904395310483, 7549705567086856493177008201999701185795474113091244286639270279144087122600, 6359914741562734059777896085058461481450840152242223222499923214787802554266, 4523686415566243191697029234004097207393002925819292838991423859908963592134]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 116 cx = sel3s([e[348], e[349], e[350]], [9611980085915454916721710377398516249069657290776790665729578385653465657608, 2808629496317279665377941162907583528406102092075003683612652910715356989065, 5146801454146059628396374424703327885864890381251241815068083494646287896482, 9712822633793199870569132733680515369277288793857035023884821044404624931246]); cy = sel2([e[348], e[349]], [12531050708955702438977554896456788618229483698488185884652134859969233228127, 7759740123661798513430229604959580258805004199555419745903987161601748379417, 12676630374277918228347114736241248443643025357735194824989982902529942631987, 7957263793605029493947914798589160413665834659013858298537818906355583201202]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 117 cx = sel3s([e[351], e[352], e[353]], [1741783015222897367309800534949631760951606605798891132137371646304340462458, 15753951377666759323512681415584732767525844411650049393938120048851867306800, 11318371057965241278094291737048639440256637452901941620275041654781038395027, 9043834682180335510097190442699980857932890158044577184782692529141130240824]); cy = sel2([e[351], e[352]], [163811524362553669200342941603136686901966525127089114473510248213711571683, 20253563341205755839890642239029020576032044419644567576263861445077574198624, 1129293390247992239629138633531986375671761935795719290973869330578475352706, 12864200497534810115296604114235985076138506691530959360993894765742849428715]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 118 cx = sel3s([e[354], e[355], e[356]], [19845239752872171546325855177077796460784181475810291663797620022786920823647, 13524819092286579506826904337550390593582530067994137276480823345309729489925, 6812066149319989921217367650719188106577252681936159930531352608504453614106, 7222950523682776178187164591717978364824407709855563372464941677077475909161]); cy = sel2([e[354], e[355]], [10413380090476979012716640518612591288231919255093118763710930970879877622297, 13124406349881024599134718908760433545313158896610258373843772982921905937617, 10544285464977662192736078007137407440374594005235468167522962555324745898878, 4262511480267656654185538760448950673777806215660569720854482040852407424457]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 119 cx = sel3s([e[357], e[358], e[359]], [21840644145325684882015312401601386817913954005861480185552664536266852358123, 17245795366378478445622830709744244736981686761608208515847580487483274745119, 13807005991933596253278252430914713127227144098393113439031517565273756047729, 7508257045596568083350722191515656587852775770850324460219207057837744147846]); cy = sel2([e[357], e[358]], [8473655227220833354585864220301666825011510607427101884196854510787991763100, 12360766780968617496459580910362246207458173665456601955392871687431450155437, 16167977026195109940196928407142099851728373085986722415539043108707307260209, 198020065443013508235269047245522994471757343128188653900779810305583184096]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 120 cx = sel3s([e[360], e[361], e[362]], [408538855946993109150255210001390137328762855947155164309686603040268044308, 9956106896094805762100856187967638241058986877712947272175178827260922476691, 10413057148806203104120616811444687722773209463542545789320471445420824622479, 11902530720628689665925185225980720963660904880464037650526790156354563593259]); cy = sel2([e[360], e[361]], [1479997830732538227417547327573357263920837878818360220214252494202287418999, 14987839414386761194654231515173353164503075512219993482548242568337943854755, 21713504951370328462347781999791817908891510961297311340202728964936620298516, 20863127910126532592439656993995677084099363872120709138917554483343369113988]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 121 cx = sel3s([e[363], e[364], e[365]], [16909060815089078676939420644976457427406147473547024017569298235433420995548, 13780618743481311116310648367060473410410597997822855004264478650194424563904, 2732495529118703111995546569867225395498452112166729675036576016860030980932, 13122008905793271330592610678764878579485569855365858119720314545298458579129]); cy = sel2([e[363], e[364]], [9691045028169014905240668289132134803037917344396639164551352440947925851528, 3058069811496358922966440231506430818794592620746845318344939704361344313857, 5622098116652966523875299529800829301718212684029447361840034988407307855810, 7183269074283900923163991117263230892311528827769843151316519486217947924186]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 122 cx = sel3s([e[366], e[367], e[368]], [20571623498624005071141088211057092924213194074152586837454876463843418144025, 14097761035973961045955839030064191145683851652701331413184120292691554339371, 4700343263415821617058086844751479864993855871131720446111591033305616384725, 15018715227933376511503870740434993985805930984246159457731592079602230709953]); cy = sel2([e[366], e[367]], [16001479421972757821409642160488722706981473283972847385882762682377724905156, 16084059586346766494553050527349239192146155351545756557596881128274718933483, 15099192410657454417038148697642033151361229914558920712490911402249873000238, 6321931552493003117300598295325862984882362303961074819842172524617810976022]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 123 cx = sel3s([e[369], e[370], e[371]], [9888014007610840933022906589732806947017424423907994528302713554488676542739, 8913934326838155827928873892003131738033383847534784434581587200177151201442, 11175569252941365912268295578620074710236065357166442341964835896122343271089, 14897216243038767404517178131890350534529367853478353360851740975433826101343]); cy = sel2([e[369], e[370]], [15251452715683470293001422999667336542311051361914428663773647008481320118023, 13776813195393840721224885537714951191622587841642219673672717728440679190719, 109393055477786022036855578884727112792551641118563108378161158873180208830, 4672879465153093973501790898266208077997221906104002063988725461236876037213]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 124 cx = sel3s([e[372], e[373], e[374]], [11201877561392804928547433284377926158320532448010089457664943460838007583898, 14898313039936563609742185951856291683792301837166735453885728355621976660447, 271087861779394868518887048853047396941902217944929345703753181641065491942, 4441061173173027475223782298768839441149677456214218957851727123779445089634]); cy = sel2([e[372], e[373]], [17554707027223374526818340909253875671094356182527312776837442099008513816809, 20394478950504145529480516245504739970884923781915405632423034600555134724554, 16722605284146576015540826794584204150250626411625717127438407440061496436970, 18186321490023557384895834600063402151493085858585827781091438725428737294598]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 125 cx = sel3s([e[375], e[376], e[377]], [8041169655049264647027531522783115313651111026520000925526843693578880103225, 14515227610041424277087375692958559713914998916629738058046674629183188354305, 19607007966889476958718540412171510858381328905787578252786377727252482454742, 2784733087979918000560628875496578392394872735862389774966301201852627273440]); cy = sel2([e[375], e[376]], [16996116430274827689271070440218340032465717731948638724397047789367189212654, 1334527779675942376452476259926180292226498546209192760351592699867703388666, 2040984273885096997446285553479523685705477968103260410171803510149440153201, 1362381113387759937979242007199225976741286448134891397298462226220340605980]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 126 cx = sel3s([e[378], e[379], e[380]], [19334565048001467439446889504730002771044189757270166846813098304840682799995, 12950908278008251424596267965839781465537497199604011584300739900170800951940, 21595247577936157693500985718654956851081515776736906827009279412148715287229, 15215490137474227465600889880755209339274086672218612829479984354294020155457]); cy = sel2([e[378], e[379]], [11177666514768283886285136134046021748603781779508224469021361511080086667157, 19019917071840025176852012694579443932947880720292648245869222295962307004975, 4637723565271538497699679545822400204099231070875646671160251633445655525972, 17666228617432733285346663026898759021573050617000716798909504211448351974426]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 127 cx = sel3s([e[381], e[382], e[383]], [10764100134342681938975151936530775454161936697333679961141539476099641645903, 16887585392329741143712714812495679688982136908448490321095843300899468374984, 17732836192725467148065242235309558107289861496038148884513643994394428900356, 1445275363508375975763521380916891145219085429516411016928665376398954093593]); cy = sel2([e[381], e[382]], [19850691100864531393976360616243718992492409320965998539447518686463634627384, 11041690436464044133197365654525664032353519287590211059695239069687237542566, 12282683178748394297470306056106686277334235538468988533692942720363799093795, 21342615132598490749588725326967212830166119543678585183102318245731915882892]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 128 cx = sel3s([e[384], e[385], e[386]], [7984775939876417845202037337929702281039643807160799398396389954446436630245, 11385355274910748832054888360458973063107383418973550712148639893241354902280, 1459026779105998101465829026524789739182470402517704469029876736898952870477, 13412666792048974377925483462948441322790663427949756029941851541794367956141]); cy = sel2([e[384], e[385]], [11644088529951120466123058306783377782553679447618569394424538939634266570688, 3423766185322892807020818425845766412060736093511436910964946420904954554780, 4248997486365074893462023447486954255437098681775520477410894095041115503490, 13508520946233121439054409300327739993661203591041357972218149016790406863855]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 129 cx = sel3s([e[387], e[388], e[389]], [5565157198993964726485879908963280627890845525340341493437203971709365228330, 7321058630137598328136197614874359518495943608220094707772133348409941566403, 7424926497991627209495812948930411917848701932818206777924739403931504666904, 2952280234707044917845773867363672510563637804197143708410321227590096039398]); cy = sel2([e[387], e[388]], [16047978233091600592523116252839158499254716982332498268149527514947495047441, 3013461674923738179146278200182113922630443185951298626004001204030842783133, 21733406038088991240575501132398939052212396619770619197864537159847335678397, 9758173327391957613571828756022551933369392423107899686458119829785341358149]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 130 cx = sel3s([e[390], e[391], e[392]], [724617195994552100441707186007100945318061137735042194166321801565168264994, 21457482305994995060621698878673403410439584990848189791210666985898821778689, 12733018351677357535096192491479720026355634001914123270202692797811692793469, 17876157828650849091584102879830086520321631185862731111337702980715729860154]); cy = sel2([e[390], e[391]], [1941243639179655563586549731833523575056282199989602716546318426577162114198, 7186671745389328078718719957510862463188189283547797342924706384031236512232, 181655793349501388675021326982297619804658251127556562657041847324134931318, 17955220324559325573119985254939537965603633897040077737890918084344489169000]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 131 cx = sel3s([e[393], e[394], e[395]], [20917363825188238552045899784153496987535745925685770873105753565860443082365, 4540090524117153259059229343653410962125958868702729157110889632173091362337, 19931748170703315405614719529478161068009956569206884593254142678501117968416, 2400060542928241404744010463507020801241694851019173560965950546401444426082]); cy = sel2([e[393], e[394]], [1745736425002501661522536470728945366618822522645696668197436988525466413140, 3366347972505547411030140128225789817592493957844838153202867496815084725868, 13538672659394937012305631615026094764214309199641714104321427476435723762022, 5730310969197975636538358956003546448924042719236605822193245706535947879790]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 132 cx = sel3s([e[396], e[397], e[398]], [12673489410414637838905637938820402546181123854591818062100393889121109718668, 2399760455052989852989301770450241617652861646522026007293921167342274767344, 20212599267512455026947565441242728025855774594658042161574807775907652589242, 8096283485634551421043683037450718803162713602325821677928898619562706870069]); cy = sel2([e[396], e[397]], [2273218791680662828916671149332560291571458847138066661294611637128783792792, 8189321225342615133315741008578315746871762722980986965249683543300354337817, 15342161105292713352374449802912175534449400959133109035836260415735518836755, 18075013689729624974967362235212984989450911765049481574404064991547015443791]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 133 cx = sel3s([e[399], e[400], e[401]], [1596291013949010721288060595532569432608538778619836480784785471074053165112, 6808491683819461025655595089437806112418825101974851283793281398274802390485, 364241503925827187366795904611796342209607893955620582589568264631586955422, 16490550871285168246186419126591524969189857825357227166657318003550977024941]); cy = sel2([e[399], e[400]], [7862378404177401992071889396713852447802454946236648304807328682371781930090, 507291250759269099980701396020232970806066743976022636589996988193601483784, 10744127551738752560827414410584235701822856001225517338822143012287884858602, 18241779151498711099077315181629505156252250432591841498036131464452558240559]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 134 cx = sel3s([e[402], e[403], e[404]], [13383782376835328120051264492485947246229335501182593669024066132006083860995, 6829659109797487915393241205795046921708391483622784165963215585089039907693, 9316519590383340417002353253254231934003449806173856616162378794199227402893, 13002922510988749141229072125743986091046064285797312111247897533544865920246]); cy = sel2([e[402], e[403]], [1452388014885069534714863742557414467294079407912495717272255602231974271039, 5900502409092025397559171952410984687860230521181044855453255892660864354438, 10043095963739821148582141213281494171132379314509020019652213752752234376602, 9999295030621233000765070897582529515356078631699063530749343953422947829219]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 135 cx = sel3s([e[405], e[406], e[407]], [13165533527694513928104129943149460933916076941607396715443729707678633985673, 20294369464168299590806576821399517301857816000499415634107985306452722815938, 6067645363539607688922626118164207320418666861212948609146588413602170467017, 119932367132867885429975847232185792475931817114142487620518936723703313296]); cy = sel2([e[405], e[406]], [17238425515895072477563840544058923640858290538130746390995636765338905591675, 20628042696308823655110673878535950075986980894297665479048269813590306242580, 11749486899455580256560135562925052584441889327031335669536847121302580177052, 16957619631025354458723169845456497220362554006891490260455748609237426050971]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 136 cx = sel3s([e[408], e[409], e[410]], [7326992374695153334569399469397596928696501586886381702972942656080738560504, 4198555626333615585226486302590784054103224208504401294485393840072962221472, 18288510281806332963207620050180295922486954421289661405933207406160563376204, 19378648346334975363564386629109544268031565617795572270340255835354171953065]); cy = sel2([e[408], e[409]], [3441991977044037545935620478935168226411039028254665140927991316702138513190, 7980022316348851053079344973315144435710609854183180078433220232446348072790, 10703403289781310156812833248447222548151317595810496437901793212311982317063, 16301246072292511450557090225826608132244132307038997545230147196603338285964]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 137 cx = sel3s([e[411], e[412], e[413]], [4380971751033847027929691061398944531722909263311553031455521197665070771642, 1958998764514462202561805635784673640011091472752464180193064104296547581169, 16607632498550062722823535936950763735998138401664871177932105851574722673362, 18107842395238833528194122400147411460295339366691168281515267029707554163796]); cy = sel2([e[411], e[412]], [16794605741797752486161164743285493892529567663448780177764044251817860406839, 627364605348057780240790756195705309805910423716172983190978634837740895756, 15938340690702031578469687601244712133164105954943969813204470601233395408177, 1337728022058609756453976167140964506743665540101352471912041874198880786028]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 138 cx = sel3s([e[414], e[415], e[416]], [4325450975911066881724043517797022496124195434220888316197251865366294339361, 16239262892194658073042878979066943080253388067983326658313518038231343725333, 3224923392579231188607529005374853676842589239602348970956358059045513499844, 18711810040957806004127569353264972856236116117792057333129328498567653245337]); cy = sel2([e[414], e[415]], [18556589125306655880844231674670238467511897504977535323905816448582480367724, 14450907030938846250134541582271892920169763336845349109491176054829079021938, 5489164165718004081061600001298776199757130654902992957321875892970948684039, 3404126456231281994449938636645452663538090331489692208486381139765931389947]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 139 cx = sel3s([e[417], e[418], e[419]], [3049906494165633773067493912990013841965806179225048735919293547905816967010, 2425405604681482172566807394598240014734338608183001729881716084701331638207, 21560391195338031738549905898033672840916947395960523186297949490337780382461, 10640880946275949996544592530048605056441276931537882586193904453232482475238]); cy = sel2([e[417], e[418]], [1139270967545262231620743596254789040950691396231510347534297369410226811042, 20852287956575668107697863776884710196273757688539515338600627283890571581133, 17188605966302742252765339963794720668370341043552053263753117294010969693650, 19246586050423626713095252320183688353765457408019346352862271422811659317777]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 140 cx = sel3s([e[420], e[421], e[422]], [19942746034266536069392101170115851306620344112551007974939114086497358930858, 15726708481134151732276229872451366695420040201434018827381159241014716358033, 3452250047812572894016965388138239348795538732265416477858038566576272340399, 732825901760241932909222883465959257672029209130800755766287912812473135470]); cy = sel2([e[420], e[421]], [5234335526367392822375043936890479400588416815383747301372644960641216357795, 16682782393317738699538698600037172468451638588454521003611347304172554322239, 4800939729460682232720559307513657730880675292200605768084865538547688695396, 13002618796997179002671199181852958465089986403190513123030050511152310206971]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 141 cx = sel3s([e[423], e[424], e[425]], [4345203866646269633300579468877411954334981515932585752657225898484243906660, 18369957391582635573293322493321958485207102003892958136897534329158731684885, 20673831086732472000273127370905823039882723856850376643114084876980363716192, 2498213507326390169362081908041456736901489034606083564552630396661416090091]); cy = sel2([e[423], e[424]], [19711785928362785984568609948298550809737208754846854010480265206080190724688, 11436630733281926268922633177556600595162960771369546050376297927685306050908, 7773194831659524501769470153758921383337560398544153003929463015874290745463, 8133306555008250199402612262687855812899186562206213570420163947809045175265]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 142 cx = sel3s([e[426], e[427], e[428]], [13604959715661441436052939762464429298226713418171390314110026091418525209941, 771054573202666486644315008474869467749501529120937703475279735897998473318, 10650739155896636131407567213077995361727149157766675911133814003745320974607, 21082274336612203666519840927907859383019309974047946161440422017817660726149]); cy = sel2([e[426], e[427]], [9106634253925907822997376723908848470389744101982447244238790923479221740587, 7324910184007890101804849358851153077116609835592182327277588695666568522132, 9210749700131521931808418873690269098719063379384664590576822932928021903283, 12373345790154524492998539937744274645461345882077071841080883186883404184026]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 143 cx = sel3s([e[429], e[430], e[431]], [12272981972646946567553896730199881959247853499104488943992635249117595393209, 17484113948306348142106921779441669789323552473173221235726133380929727014173, 15117556748390824311921483809280404911428464810641842112990732230853500342878, 18738665459003240153367275566837691463796036422817751002779294781153509048410]); cy = sel2([e[429], e[430]], [12840198036955871442566173317906222816787870441489199428401326600711994709214, 13447048657087191261352674553209997835888060694120420289379298057286058954919, 11085124394828809185369563175800089294678889500629428639251047427113804175136, 20040932616180013985013159566209210337758333701488325181237556234029685365086]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 144 cx = sel3s([e[432], e[433], e[434]], [3005593847772820450050205074163314509976806377772621088836578637506564062913, 2910567614812792758847544159495544141576095133298651646543717734234356651464, 8630893570634023334653627900758492588201195084156991103796478188432785900122, 20068438612873289533893462991408376904784837411837844241529573433855826118434]); cy = sel2([e[432], e[433]], [17258587025904856892544250820556722922327972240440200527118380921147955645556, 9839944666562674042904466515196204595921896101136113309540898758440523509232, 382264312380680546118029507176039576064064377468124376294215202312670233326, 16859633470889096937094854459393230196320754799783499045789361347337904723211]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 145 cx = sel3s([e[435], e[436], e[437]], [21553262056684585969628674122764109775958361035991194009613252605155913211334, 15282636750399879299317591027894754559134990135454294656134105963760417995544, 4066930541781809252860144352581968840798983673586834922803928000950012716773, 17266825085778436273993504052249489036678132768169211810048007631121526004292]); cy = sel2([e[435], e[436]], [14469270633466381305852216281125837079646617198515099740000541993840798471084, 16980111987593030332881454298183054033228595894840772569146266548134494583283, 15118688184376333116924615779850360769477969453186921964192734694461085893102, 4748807943449256265621737370336238625547081211863390407052811770007138872316]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 146 cx = sel3s([e[438], e[439], e[440]], [11763347508086007810977359866267798246514404258245360557926263268200652076963, 8663905006927572311188991703236656874376542152827973004022578290253373528008, 2952845374549988741320721621283121797914244173004620545437372716814928986849, 17071883097921153691621062529879599274949735278299892231358334236565401545899]); cy = sel2([e[438], e[439]], [14706162498378202954074913829047629685039231677186626739445882650545999503202, 1719746349330736449674857345290037499267579249273019799523377364214790913723, 21616731410397798448193163892890526448374926979106286339849727909287686706845, 11446919769449393256780992769707214683226878212422736672766658759052425409242]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 147 cx = sel3s([e[441], e[442], e[443]], [4356994949172878276640972387865792898708144237321291982532719592191935134502, 9058912028451204788275313382642068418310841490274106696805181452416351257146, 15190160120915818686650557755704440198069036613617930484645880424887234233075, 9960154561010441532105561845082645172957096392270554555453954413006726871798]); cy = sel2([e[441], e[442]], [14574692378125259586817945291111936727424704391123959334117252195469092200764, 9224728228539828897416026999778106548490158473228676095012930511474594231477, 1760463507739730034367125481096536174852992494939001755761219582349351757169, 17340078450196530212205314520279311841731993777309479440929707007860057490354]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 148 cx = sel3s([e[444], e[445], e[446]], [21880820504467716634106664909402072165472960350877194774465177915127008092893, 11747606579643600398471099307152208653405848363842457205852065247815894902054, 19027263041564841350573847395951723454691080012198506245692747602145336686229, 5632682422077314837831565983660289273448221389165648008167925020530588300924]); cy = sel2([e[444], e[445]], [5182168744456816656485869911241149693404052223082761825064601932558781730740, 2685937932147288674316610675212322222716444961674715249218650895750571659552, 1912852125196207140975649985472776011293820313776376659814516409955251806791, 18263958114524880676274451483937610105571465623681831140376587635788141241088]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 149 cx = sel3s([e[447], e[448], e[449]], [8936781701927368370215210870827508937678765478808217533286287559934624784681, 5108431664028439851662340341125863641795570652264053957564019035084276122804, 12999653496005517730722186355139904948504508219343877303366358022761375044402, 19179622495081980573635923134343351242929014436693872859625873727501193848932]); cy = sel2([e[447], e[448]], [4623029543859886044767307470074323247069187031547412019261660683452990785239, 9857015684855568488276378660083416741199186578332924215590492662945432272825, 5242391447932956625671668911434466570194372869876929059550830464880164528131, 14646928672286452058469223988095085156895208600523868135204725017248298504143]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 150 cx = sel3s([e[450], e[451], e[452]], [7946459614521142644206204774850419894186577869297360917934350740375926112382, 11530085592691934773947896113217121596676226719554558175458752626759168307130, 12291215261278045612022495371137973264064622535432110273152233125306665396787, 4442266885858584741818610179233325487185053295954810407262511211378152048331]); cy = sel2([e[450], e[451]], [20393528966549387266343193152712146799161036298032725317477228673291507957942, 1831259860608244620805838343666664146008857962101286629882205237950513972028, 2581270768505724914793947599867596421087089340177029937008824731251155270286, 1824038414762784797700995677077189626495506231241155951144255369814082278582]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 151 cx = sel3s([e[453], e[454], e[455]], [16996326686259093178712301719114535464147004200933701699216923172711169217776, 10135668620867881915901635109225909232593721615476228193005378643989870282190, 12684696285143358527008494835928613367424428569071148860201922633463847362163, 19520340433574445384932755965450431313046400213079154403779893187900476007389]); cy = sel2([e[453], e[454]], [10879703765081907416589976314120373073533854885503210038919805342729980088501, 3042952377945780941440480619239495862925076770257741464841490662991367990723, 20568201167449878452522309826171296534890589395210499691162182782776592901489, 2515435614825363087293388949409937340469196878839891206929432371588941120828]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 152 cx = sel3s([e[456], e[457], e[458]], [5948355082391370971277814822201259570199411254972015395356071689733858457870, 14435295688288574008552320445654835668230448171821339773392204385711009673498, 4555707692840173328761632986080641237899354311390885658902712711385985152474, 21377793559898523325502642621273525075966615158530502938404139072744665720725]); cy = sel2([e[456], e[457]], [18781938632634665629392534748457372928296731257744451684662925940692495070899, 20870582266287640319635222130472633641883455183531701982867810507045631654099, 6255001622610081365809867580322152519018111820804890853975941295493185079617, 11444903546950465193484459453464362458126976218066241321940461471249831055834]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 153 cx = sel3s([e[459], e[460], e[461]], [4801783634053958699406131208260321653724147389806778300442394152288266622390, 13657947007455887667569605985083889328718870615545221619668723775205747840135, 177598511756923881728697053947837521554079408931967588956714727282062478754, 1374290142752108446259268973165307183295759382785138144661109763848127727476]); cy = sel2([e[459], e[460]], [10503832530625380631086165586158401732075983866290617431349835924922749109699, 8383317413774803586670187834721088561764237477263859389570115631886656905028, 2834233504802602126712103599378293010472650755759227696185340490923006971103, 17330582798076118742935459828744886802843487551551606246519220146369990307779]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 154 cx = sel3s([e[462], e[463], e[464]], [5093610893249308867168031458336741939196884648123926997975341654608609426830, 12248279767532955250746877738475030196514076889129781370472666862024900770669, 5043009492124624507652527263244758360087085758651362799261288863076362039187, 16591909200159417412409462652077399999824413751859530227695887196356321679228]); cy = sel2([e[462], e[463]], [10952612598118313917631759693602817846928839860096429550603703046117049639522, 2884939241145303979172401496138136665819626424676215132904685536232137032921, 21092145374321584925227081195844245213760374840107123770724422721835988876958, 5499840197627421265036310285493143039360364243394878011782966367266344217732]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 155 cx = sel3s([e[465], e[466], e[467]], [3794104339739491010449122661216407115137782001618163380131794160705537757426, 7514419529276933284458458535371966876401883528785013067210805765651582633130, 2534189532451386749189970776179117832798970009395742348348119108287813471216, 5610243014937776775874159841646817951854662385825951664842167532212856045068]); cy = sel2([e[465], e[466]], [12842968623255283384772731210441087433561383555541999360200972373794310794093, 10823437952973686303915120116380996262045441725571077692704581218749963605907, 21253964658659775229061107104903539871763760188604842330476347939642955209002, 1745535366815989039402026181267179197840739481539734000808670009580269211142]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 156 cx = sel3s([e[468], e[469], e[470]], [3459245219635302288341483992140272707638915493010622274381776793623419230591, 9849021255480129732487752167924340739614806540698786580158805033907788030853, 3255308487469886623287718398314898379309460957968181729113829918571419337145, 15359614079733122216507425018253600855203543497608695539122606260839625565617]); cy = sel2([e[468], e[469]], [17415928452277952995861857592997544802223350915817518744596816398543561612106, 9999856236606156376100952785476675300524456948913069129769906530665355058037, 17734497746752242925262857913765409819203458581088950917188119245918082092030, 6881580842463060802624074515204787264906621652045323766233447264566499944530]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 157 cx = sel3s([e[471], e[472], e[473]], [634964597278986129282215293208138156361395902716873910540311662219517773576, 310253852479958835592393232442887907344502522183801152945448588489452412569, 384881480274621505303330466062621612997526527075542749162723700081976881288, 11767445114097831765826464678890553621483551558949563523534328471079851963281]); cy = sel2([e[471], e[472]], [17203635141310737823252743409317633065422478971915442288649227045499339781109, 2545094457118912372548408336893899649182443951551613850781196845141738637170, 8609139198776064973664903858401535131314034007074283879284230416121615542308, 20092107484372320312567981037155807130829118997137612522175958096520972507336]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 158 cx = sel3s([e[474], e[475], e[476]], [20098437969178934435495041700635313630962028038875583770224318127835756299529, 311104306589906971684844795811359683864786473908061989245919427082915904714, 5007249687217418940511624233021226494914521342148545152148356064906320432035, 9785851145981523672688289938894315309424412779439726667571213830109657407900]); cy = sel2([e[474], e[475]], [877613904095171787446316454384924363436490179245069691113043218080238972652, 15255392602742007855606168874483544819258797919038984937824266131810915403967, 3482868076428758563707184390706074120455579821747810434457575250407348632455, 5737555899585712614112644175034540180519345050397396205967955592318835422324]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 159 cx = sel3s([e[477], e[478], e[479]], [17889638686175315317941901427709143202478522471798280927986774735210637820526, 4586587171981050785204495209615167868746399227792813638212786811256473778221, 1864752565757236746122736751796835904389046064841800598816325031089096557478, 13943403942544820674673437343502779310324858400636923221774342029216604251440]); cy = sel2([e[477], e[478]], [17728898667133884634264046347611298588924985692465583707491826367590591819161, 18365428070394378833051912713200271982753415548931989923757430748929339745094, 13355801165885814561827651110098104649674895992244923613944279081535896494292, 12718254346735593182641856097514926990330253814732909832265502852628068735026]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 160 cx = sel3s([e[480], e[481], e[482]], [17159516188699622404527134263356371503443962451842558111890221401200764258125, 19697000438877661546696672369476849653861527230741461549059757921200307256689, 8082602544025295110701438493605046299287009032703969632384937719700791606339, 5936552380580117855548116310401989958728171511356588061450350806482980900531]); cy = sel2([e[480], e[481]], [288697205606498046198642124865852628925547477970007319079115715396675917499, 11438994931015502912944770174743669059446783563412696311667974558402876489825, 2713576975757110627428489368530113978475830565467996635364633792472336700891, 20023822454992925006561366839036620580908513505208980493011483098957399405656]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 161 cx = sel3s([e[483], e[484], e[485]], [11476903323853344813827041345787850966667514952865946400953029235796901464022, 15662688482882450089332164944545567115920791913333567306810233998084574572841, 16165244090421658682362860955446523155721204004465368156540492359518946703685, 13233236504179066734589049314166320998745790229936719431495551951291164368688]); cy = sel2([e[483], e[484]], [21544495907681885621399294493301860022991247894450553860102494438499516461036, 15070356063300726246376329439697612629246560015487953180041607494107482212328, 10932308314438454016363769449242767120417784090441698745502660483728820506459, 15142440904746497443767345573381088273730091577283493618193631903901402378371]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 162 cx = sel3s([e[486], e[487], e[488]], [6740469135284996394159167279126920754449900660887428959259136317440159292867, 1951789672920637712186229138057234008172951294439716801691622239946406362446, 10614706090196653889949286489862565736131644495539213256761186995450585212820, 20219336380099606710973890974478494924791931389585459347005405927908068729651]); cy = sel2([e[486], e[487]], [12559437556228574824459283742977065667884462966124147526010574650373707978536, 11353250997656326728675199688614508617263787972463605193791786351817731868528, 9955679877407075213882986027032271351625902587325271136145291798547578901197, 7587664180577472344145946155058239620135123893989614056504418351234639990359]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 163 cx = sel3s([e[489], e[490], e[491]], [11683193590608313373089435698057644614965227085254736967478627707109364481009, 5373593679075319624506848608700634791297845735799356231319125589754901432010, 14330496678432059141319543266495924665988744049796260830269932610430618839231, 16147138941500612947680025577703299264094926996519490683694344514795650552030]); cy = sel2([e[489], e[490]], [14089407095672561058133609212857713657125336981293206062798215054918146117895, 5921405729554308485753035966317904019193857886291312338471036342984958996974, 14219166018565381341875979253176613205499868708487414627746489465729919459602, 9173206043848059861761039827886516664018988512989876666692360758637877840001]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 164 cx = sel3s([e[492], e[493], e[494]], [12391241461796318677666973225906912103063953603374991439355987755433936571792, 11342324255021537810533271600486943249554637261483201032733188357979300928906, 6762143596567875242093282841823575455167081327592834568853990326935018728741, 1729094316763263611553329689516612131095524285732807879509329720064037980971]); cy = sel2([e[492], e[493]], [6256323253756510425990684148198273229283967340029341825763386143854418092931, 608479563301898577121898469798459144789668559311173727644698121661161535370, 16118965412641868779259712849902459712114606105053804845952965420804403776265, 5207196556914412218334602277590189653542873808697180315162104560234636073976]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 165 cx = sel3s([e[495], e[496], e[497]], [12090834415198821488072985841187199896460619427268475889346428879276625683876, 20435352555053416469114817994605784220258558984767053371686545934216871498097, 7919766463107746640570694574991853522177141706128568812747727580994437010928, 18791819403195060520893758220974368558662433382958799315116210085990602330263]); cy = sel2([e[495], e[496]], [11186634643432676423242372187246648742599522445001126220151236883458565017089, 730264789631663387855933585769199256797088038637783970560657523730947722943, 9789319816975923274967045544277604801648452652703289939384714401867885689451, 20390569650377326057430918388837541684089995685084097630788684319064176189296]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 166 cx = sel3s([e[498], e[499], e[500]], [9073477014345643942359994649331122800736234440180113066690071117218958686221, 17848891043122277658033397684650904021333601784635518417727821688552518594475, 8394455238188958480130266174842497177830879983439478526032000789572056999540, 3969215253795918818810265899749520158876595254756141389552909935321879395990]); cy = sel2([e[498], e[499]], [15421230006761899572959376594938017439120427450367920423701622807634638005218, 691759570775251457416249989322179808019152722619656278259527490301863241777, 19687896560656750069557210923004770524699515901561346847457425701096560281307, 13013403796046695153969709190889488389508063704805702465177729278466953096077]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 167 cx = sel3s([e[501], e[502], e[503]], [17605212659450062681090282709904508607567301109002577655966314961623397498778, 20706453518066591671344075213608634140534260809172831962434708646209603184096, 20530641835252913976176823270868884490574732596806683216254892843407024651486, 19512520336574558609801187648395617364107060095538444150298099264798316486399]); cy = sel2([e[501], e[502]], [18088283300102077232647028354145534410326244238430555546504288886091850910025, 19624767204537830958950503358240075916787006780432673880401115874844576604739, 13389739174441700308398229420122777340874705736681526274430502297758537243393, 2768660518118504029156154123602101814256009402463064802144883490594220059578]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 168 cx = sel3s([e[504], e[505], e[506]], [3898901470837850662399020072718316987511815396623761376502150466549773974269, 20681259404330431411774484706350104535474957110888110413896201115382255532278, 12146860081497614316907871444885755439616687087776665508013517962132514932126, 10103366418676857183019670163194546750004223272088526675082633522057697832251]); cy = sel2([e[504], e[505]], [18552945270636575492780160887690665046683842994616480518496617903497833044944, 16280318807141467057522946128901953503954886894473765482004622686048871784896, 16511259671446150110679883995503700110523460228865394020432354340848786592304, 11820015885519382016829607197866756084707670961286078960070207041832708513141]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 169 cx = sel3s([e[507], e[508], e[509]], [6124403322044682705571649214069113177521499060664580284884665715951975035077, 3806547960677312456106393355578152447583324120952390972170284549005371006887, 12796416634735923176681417392847285391386920336707070519873332365264500996292, 18113312677912280033934533469627761267183403533244965210112870702471687667512]); cy = sel2([e[507], e[508]], [18191174947339798787646910619446409943766046946921136035021645191602921923040, 16559060177998758852323304784771936179434931576336411584121379336820727372618, 13858115732979799183025726471151602712224733686530960054365665740611187232029, 9933192519609817862698304326029579651414877338671776883175639003837130283966]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); // Round 170 cx = sel3s([e[510], e[511], e[512]], [3342564788366736273905106071612128667477972061160313630133110787799686301495, 13766193863701503939885263345152684798552605679140222504700163745347162493183, 18523279471468319520962369406962457727155204375043681943707151819380964978377, 8094164074569624021939357073285075790695279643883973800173037824312344195506]); cy = sel2([e[510], e[511]], [2329094643034533408459502544740928833981119919633412709248656884170940780093, 3216329736050668550647765981020076413548845117352735257893224753954595290363, 18710403072495673647060422294369054840513840567808020912157404388689648711093, 9785201456176703812798077455183487364035650707229293534561747881523562553649]); - a = add(a, [cx, cy], BABYJUBJUB_PARAMS); + a = add(a, [cx, cy], EDWARDS_A, EDWARDS_D); - return edwardsCompress(a); + return compress(a); } \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsAdd.json b/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.json similarity index 74% rename from zokrates_stdlib/tests/tests/ecc/edwardsAdd.json rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.json index 606cf381c..d22ae5433 100644 --- a/zokrates_stdlib/tests/tests/ecc/edwardsAdd.json +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.json @@ -1,5 +1,5 @@ { - "entry_point": "./tests/tests/ecc/edwardsAdd.zok", + "entry_point": "./tests/tests/ecc/babyjubjub/compress.zok", "curves": ["Bn128"], "tests": [ { diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok new file mode 100644 index 000000000..b74505d43 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok @@ -0,0 +1,9 @@ +import "ecc/babyjubjub/compress"; +from "ecc/babyjubjub/params" import G; + +// Code to create test cases: +// https://github.com/Zokrates/pycrypto +def main() { + bool[256] compressed = compress(G); + assert(compressed == [true, false, true, false, true, true, true, false, false, false, false, false, false, true, true, true, false, false, true, false, true, false, false, true, false, true, true, true, true, true, true, true, true, false, false, false, true, true, false, true, false, false, true, true, true, true, false, false, false, false, true, true, true, true, false, true, false, true, true, true, true, false, false, false, false, false, false, true, true, false, false, false, true, true, false, true, true, false, true, true, true, true, false, true, true, true, false, true, true, true, true, true, true, true, false, true, false, false, true, false, false, true, false, false, true, true, false, false, false, false, true, true, false, true, false, true, false, true, false, true, true, false, false, false, false, false, true, true, true, true, true, true, true, false, false, true, true, false, true, false, true, false, false, true, true, true, false, true, false, true, false, false, true, true, true, false, true, true, false, true, false, false, false, false, true, true, false, false, true, false, true, true, false, false, false, false, true, true, false, false, false, false, false, true, true, true, false, true, false, false, false, true, false, false, true, true, false, true, false, false, true, false, false, false, true, true, false, true, true, true, false, true, true, false, false, false, true, true, true, true, false, true, true, true, true, true, true, true, true, false, false, true, true, false, false, true, false, false, false, true, false, true, false, true, false, false, true, false, true, true, false, true, false, true, true, true]); +} \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsCompress.json b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.json similarity index 73% rename from zokrates_stdlib/tests/tests/ecc/edwardsCompress.json rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.json index a6d986972..fbe156141 100644 --- a/zokrates_stdlib/tests/tests/ecc/edwardsCompress.json +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.json @@ -1,5 +1,5 @@ { - "entry_point": "./tests/tests/ecc/edwardsCompress.zok", + "entry_point": "./tests/tests/ecc/babyjubjub/edwardsAdd.zok", "curves": ["Bn128"], "tests": [ { diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok new file mode 100644 index 000000000..d38391e2b --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok @@ -0,0 +1,27 @@ +from "ecc/edwards" import add, negate; +from "ecc/babyjubjub/params" import G, EDWARDS_A, EDWARDS_D; + +// Code to create test cases: +// https://github.com/Zokrates/pycrypto +def testDoubleViaAdd() -> bool { + field[2] out = add(G, G, EDWARDS_A, EDWARDS_D); + assert(out[0] == 17324563846726889236817837922625232543153115346355010501047597319863650987830); + assert(out[1] == 20022170825455209233733649024450576091402881793145646502279487074566492066831); + return true; +} + +def testIdentities() -> bool { + field[2] inf = [0, 1]; + assert(G == add(G, inf, EDWARDS_A, EDWARDS_D)); + + field[2] nG = negate(G); + field[2] nGaddG = add(G, nG, EDWARDS_A, EDWARDS_D); + + assert(inf == nGaddG); + return true; +} + +def main() { + assert(testDoubleViaAdd()); + assert(testIdentities()); +} diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsOnCurve.json b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.json similarity index 72% rename from zokrates_stdlib/tests/tests/ecc/edwardsOnCurve.json rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.json index 936ae4431..3c4c1aaa9 100644 --- a/zokrates_stdlib/tests/tests/ecc/edwardsOnCurve.json +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.json @@ -1,5 +1,5 @@ { - "entry_point": "./tests/tests/ecc/edwardsOnCurve.zok", + "entry_point": "./tests/tests/ecc/babyjubjub/edwardsOnCurve.zok", "curves": ["Bn128"], "tests": [ { diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok new file mode 100644 index 000000000..45b14bf8a --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok @@ -0,0 +1,11 @@ +from "ecc/edwards" import onCurve; +from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; + +// Code to create test cases: +// https://github.com/Zokrates/pycrypto +def main() { + field u = 17324563846726889236817837922625232543153115346355010501047597319863650987830; + field v = 20022170825455209233733649024450576091402881793145646502279487074566492066831; + + assert(onCurve([u, v], EDWARDS_A, EDWARDS_D)); // onCurve throws for false +} diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsOrderCheck.json b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.json similarity index 71% rename from zokrates_stdlib/tests/tests/ecc/edwardsOrderCheck.json rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.json index a22c24724..aeceacdee 100644 --- a/zokrates_stdlib/tests/tests/ecc/edwardsOrderCheck.json +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.json @@ -1,5 +1,5 @@ { - "entry_point": "./tests/tests/ecc/edwardsOrderCheck.zok", + "entry_point": "./tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok", "curves": ["Bn128"], "tests": [ { diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok new file mode 100644 index 000000000..6d44f2db2 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok @@ -0,0 +1,25 @@ +from "ecc/edwards" import orderCheck; +from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; + +// Code to create test cases: +// https://github.com/Zokrates/pycrypto +def testOrderCheckTrue() -> bool { + field u = 17324563846726889236817837922625232543153115346355010501047597319863650987830; + field v = 20022170825455209233733649024450576091402881793145646502279487074566492066831; + + assert(orderCheck([u, v], EDWARDS_A, EDWARDS_D)); + return true; +} + +def testOrderCheckFalse() -> bool { + field u = 4342719913949491028786768530115087822524712248835451589697801404893164183326; + field v = 4826523245007015323400664741523384119579596407052839571721035538011798951543; + + assert(!orderCheck([u, v], EDWARDS_A, EDWARDS_D)); + return true; +} + +def main() { + assert(testOrderCheckFalse()); + assert(testOrderCheckTrue()); +} \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsScalarMult.json b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.json similarity index 71% rename from zokrates_stdlib/tests/tests/ecc/edwardsScalarMult.json rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.json index 55857dde5..9ed53a6a9 100644 --- a/zokrates_stdlib/tests/tests/ecc/edwardsScalarMult.json +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.json @@ -1,5 +1,5 @@ { - "entry_point": "./tests/tests/ecc/edwardsScalarMult.zok", + "entry_point": "./tests/tests/ecc/babyjubjub/edwardsScalarMult.zok", "curves": ["Bn128"], "tests": [ { diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsScalarMult.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok similarity index 92% rename from zokrates_stdlib/tests/tests/ecc/edwardsScalarMult.zok rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok index 132729244..bcf1efdbb 100644 --- a/zokrates_stdlib/tests/tests/ecc/edwardsScalarMult.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok @@ -1,26 +1,22 @@ -from "ecc/babyjubjubParams" import BABYJUBJUB_PARAMS; -import "ecc/edwardsScalarMult" as mul; +from "ecc/edwards" import scalarMul as mul; +from "ecc/babyjubjub/params" import G, EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto def testCyclic() -> bool { - field[2] G = [BABYJUBJUB_PARAMS.Gu, BABYJUBJUB_PARAMS.Gv]; - // exp = JUBJUB_E + 1 bool[256] exp = [false, false, true, true, false, false, false, false, false, true, true, false, false, true, false, false, false, true, false, false, true, true, true, false, false, true, true, true, false, false, true, false, true, true, true, false, false, false, false, true, false, false, true, true, false, false, false, true, true, false, true, false, false, false, false, false, false, false, true, false, true, false, false, true, true, false, true, true, true, false, false, false, false, true, false, true, false, false, false, false, false, true, false, false, false, true, false, true, true, false, true, true, false, true, true, false, true, false, false, false, false, false, false, true, true, false, false, false, false, false, false, true, false, true, false, true, true, false, false, false, false, true, false, true, true, true, false, true, false, true, false, true, true, false, false, true, true, true, true, true, false, true, true, true, false, true, true, false, true, true, false, true, true, true, false, false, false, false, false, true, true, true, false, false, true, false, false, true, false, false, false, false, false, true, true, true, false, true, true, true, false, false, false, false, false, true, false, true, false, false, true, true, false, false, true, true, true, false, true, true, true, false, false, true, false, true, false, false, true, false, true, true, true, true, true, false, true, true, true, false, false, false, false, true, true, true, false, false, true, false, false, true, false, false, false, false, true, false, false, true, false, false, true, true, false, true, true, true, true, false, false, false, true, false, false, true]; - field[2] out = mul(exp, G, BABYJUBJUB_PARAMS); + field[2] out = mul(exp, G, EDWARDS_A, EDWARDS_D); assert(G == out); return true; } def testMul2() -> bool { - field[2] G = [BABYJUBJUB_PARAMS.Gu, BABYJUBJUB_PARAMS.Gv]; - // exp == 2 bool[256] exp = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false]; - field[2] out = mul(exp, G, BABYJUBJUB_PARAMS); + field[2] out = mul(exp, G, EDWARDS_A, EDWARDS_D); assert(out[0] == 17324563846726889236817837922625232543153115346355010501047597319863650987830); assert(out[1] == 20022170825455209233733649024450576091402881793145646502279487074566492066831); @@ -29,8 +25,6 @@ def testMul2() -> bool { } def testAssociativity() -> bool { - field[2] G = [BABYJUBJUB_PARAMS.Gu, BABYJUBJUB_PARAMS.Gv]; - // a = 1234 bool[256] a = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, false, true, true, false, true, false, false, true, false]; @@ -40,17 +34,17 @@ def testAssociativity() -> bool { // c = 7890 bool[256] c = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, true, true, true, false, true, true, false, true, false, false, true, false]; - field[2] Ga = mul(a, G, BABYJUBJUB_PARAMS); - field[2] Gab = mul(b, Ga, BABYJUBJUB_PARAMS); - field[2] Gabc = mul(c, Gab, BABYJUBJUB_PARAMS); + field[2] Ga = mul(a, G, EDWARDS_A, EDWARDS_D); + field[2] Gab = mul(b, Ga, EDWARDS_A, EDWARDS_D); + field[2] Gabc = mul(c, Gab, EDWARDS_A, EDWARDS_D); - field[2] Gb = mul(b, G, BABYJUBJUB_PARAMS); - field[2] Gbc = mul(c, Gb, BABYJUBJUB_PARAMS); - field[2] Gbca = mul(a, Gbc, BABYJUBJUB_PARAMS); + field[2] Gb = mul(b, G, EDWARDS_A, EDWARDS_D); + field[2] Gbc = mul(c, Gb, EDWARDS_A, EDWARDS_D); + field[2] Gbca = mul(a, Gbc, EDWARDS_A, EDWARDS_D); - field[2] Gc = mul(c, G, BABYJUBJUB_PARAMS); - field[2] Gca = mul(a, Gc, BABYJUBJUB_PARAMS); - field[2] Gcab = mul(b, Gca, BABYJUBJUB_PARAMS); + field[2] Gc = mul(c, G, EDWARDS_A, EDWARDS_D); + field[2] Gca = mul(a, Gc, EDWARDS_A, EDWARDS_D); + field[2] Gcab = mul(b, Gca, EDWARDS_A, EDWARDS_D); assert(Gabc == Gbca); assert(Gbca == Gcab); @@ -60,8 +54,6 @@ def testAssociativity() -> bool { } def testMultiplicative() -> bool { - field[2] G = [BABYJUBJUB_PARAMS.Gu, BABYJUBJUB_PARAMS.Gv]; - // a = 1234 bool[256] a = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, false, true, true, false, true, false, false, true, false]; // b = 5678 @@ -70,13 +62,13 @@ def testMultiplicative() -> bool { // ab = a*b = 7006652 bool[256] ab = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, true, false, true, false, true, false, true, true, true, false, true, false, false, true, true, false, true, true, true, true, false, false]; - field[2] Ga = mul(a, G, BABYJUBJUB_PARAMS); - field[2] Gb = mul(b, G, BABYJUBJUB_PARAMS); + field[2] Ga = mul(a, G, EDWARDS_A, EDWARDS_D); + field[2] Gb = mul(b, G, EDWARDS_A, EDWARDS_D); - field[2] Gab = mul(b, Ga, BABYJUBJUB_PARAMS); - field[2] Gba = mul(a, Gb, BABYJUBJUB_PARAMS); + field[2] Gab = mul(b, Ga, EDWARDS_A, EDWARDS_D); + field[2] Gba = mul(a, Gb, EDWARDS_A, EDWARDS_D); - field[2] Gmab = mul(ab, G, BABYJUBJUB_PARAMS); + field[2] Gmab = mul(ab, G, EDWARDS_A, EDWARDS_D); assert(Gab == Gba); assert(Gba == Gmab); @@ -90,5 +82,4 @@ def main() { assert(testCyclic()); assert(testAssociativity()); assert(testMultiplicative()); - return; } \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/proofOfOwnership.json b/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.json similarity index 71% rename from zokrates_stdlib/tests/tests/ecc/proofOfOwnership.json rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.json index d08778bfd..f94485bca 100644 --- a/zokrates_stdlib/tests/tests/ecc/proofOfOwnership.json +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.json @@ -1,5 +1,5 @@ { - "entry_point": "./tests/tests/ecc/proofOfOwnership.zok", + "entry_point": "./tests/tests/ecc/babyjubjub/proofOfOwnership.zok", "curves": ["Bn128"], "tests": [ { diff --git a/zokrates_stdlib/tests/tests/ecc/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok similarity index 63% rename from zokrates_stdlib/tests/tests/ecc/proofOfOwnership.zok rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok index 76ea81467..98c387bff 100644 --- a/zokrates_stdlib/tests/tests/ecc/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok @@ -1,23 +1,22 @@ -from "ecc/babyjubjubParams" import BABYJUBJUB_PARAMS; -import "ecc/proofOfOwnership" as proofOfOwnership; -import "ecc/edwardsScalarMult" as multiply; +import "ecc/babyjubjub/proofOfOwnership" as proofOfOwnership; +from "ecc/edwards" import scalarMul; // Code to create test cases: // https://github.com/Zokrates/pycrypto def testOwnershipTrue() -> bool { - field[2] Pk = [14897476871502190904409029696666322856887678969656209656241038339251270171395, 16668832459046858928951622951481252834155254151733002984053501254009901876174]; + field[2] pk = [14897476871502190904409029696666322856887678969656209656241038339251270171395, 16668832459046858928951622951481252834155254151733002984053501254009901876174]; field sk = 1997011358982923168928344992199991480689546837621580239342656433234255379025; - bool out = proofOfOwnership(Pk, sk, BABYJUBJUB_PARAMS); + bool out = proofOfOwnership(pk, sk); assert(out); return true; } def testOwnershipFalse() -> bool { - field[2] Pk = [16328093915569409528980874702678312730273137210288183490878184636452430630129, 9377227749598842756429258362864743065769435972445705966557343775367597326529]; + field[2] pk = [16328093915569409528980874702678312730273137210288183490878184636452430630129, 9377227749598842756429258362864743065769435972445705966557343775367597326529]; field sk = 1997011358982923168928344992199991480689546837621580239342656433234255379025; - bool out = proofOfOwnership(Pk, sk, BABYJUBJUB_PARAMS); + bool out = proofOfOwnership(pk, sk); assert(!out); return true; @@ -26,5 +25,4 @@ def testOwnershipFalse() -> bool { def main() { assert(testOwnershipTrue()); assert(testOwnershipFalse()); - return; } \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/signatures/verifyEddsa.json b/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.json similarity index 73% rename from zokrates_stdlib/tests/tests/signatures/verifyEddsa.json rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.json index bea9daf72..522c40956 100644 --- a/zokrates_stdlib/tests/tests/signatures/verifyEddsa.json +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.json @@ -1,5 +1,5 @@ { - "entry_point": "./tests/tests/signatures/verifyEddsa.zok", + "entry_point": "./tests/tests/ecc/babyjubjub/verifyEddsa.zok", "curves": ["Bn128"], "tests": [ { diff --git a/zokrates_stdlib/tests/tests/signatures/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok similarity index 81% rename from zokrates_stdlib/tests/tests/signatures/verifyEddsa.zok rename to zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok index 607bd2eee..e813aa133 100644 --- a/zokrates_stdlib/tests/tests/signatures/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok @@ -1,5 +1,4 @@ -import "signatures/verifyEddsa" as verifyEddsa; -from "ecc/babyjubjubParams" import BABYJUBJUB_PARAMS; +import "ecc/babyjubjub/verifyEddsa" as verifyEddsa; // Code to create test case: // https://github.com/Zokrates/pycrypto @@ -13,8 +12,6 @@ def main() { u32[8] M0 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; u32[8] M1 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]; - bool isVerified = verifyEddsa(R, S, A, M0, M1, BABYJUBJUB_PARAMS); + bool isVerified = verifyEddsa(R, S, A, M0, M1); assert(isVerified); - - return; } \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsAdd.zok b/zokrates_stdlib/tests/tests/ecc/edwardsAdd.zok deleted file mode 100644 index 17e97a329..000000000 --- a/zokrates_stdlib/tests/tests/ecc/edwardsAdd.zok +++ /dev/null @@ -1,36 +0,0 @@ -import "ecc/edwardsAdd" as add; -import "ecc/edwardsNegate" as neg; -from "ecc/babyjubjubParams" import BABYJUBJUB_PARAMS; - -// Code to create test cases: -// https://github.com/Zokrates/pycrypto -def testDoubleViaAdd() -> bool { - field[2] G = [BABYJUBJUB_PARAMS.Gu, BABYJUBJUB_PARAMS.Gv]; - - field[2] out = add(G, G, BABYJUBJUB_PARAMS); - - assert(out[0] == 17324563846726889236817837922625232543153115346355010501047597319863650987830); - assert(out[1] == 20022170825455209233733649024450576091402881793145646502279487074566492066831); - - return true; -} - -def testIdentities() -> bool { - field[2] G = [BABYJUBJUB_PARAMS.Gu, BABYJUBJUB_PARAMS.Gv]; - field[2] inf = BABYJUBJUB_PARAMS.INFINITY; - - assert(G == add(G, inf, BABYJUBJUB_PARAMS)); - - field[2] nG = neg(G); - field[2] nGaddG = add(G, nG, BABYJUBJUB_PARAMS); - - assert(inf == nGaddG); - - return true; -} - -def main() { - assert(testDoubleViaAdd()); - assert(testIdentities()); - return; -} diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsCompress.zok b/zokrates_stdlib/tests/tests/ecc/edwardsCompress.zok deleted file mode 100644 index 0a3a5df70..000000000 --- a/zokrates_stdlib/tests/tests/ecc/edwardsCompress.zok +++ /dev/null @@ -1,19 +0,0 @@ -import "ecc/edwardsCompress" as edwardsCompress; -from "ecc/babyjubjubParams" import BABYJUBJUB_PARAMS; - -// Code to create test cases: -// https://github.com/Zokrates/pycrypto -def testCompress() -> bool { - field Gu = BABYJUBJUB_PARAMS.Gu; - field Gv = BABYJUBJUB_PARAMS.Gv; - - bool[256] Gcompressed = edwardsCompress([Gu, Gv]); - - assert(Gcompressed == [true, false, true, false, true, true, true, false, false, false, false, false, false, true, true, true, false, false, true, false, true, false, false, true, false, true, true, true, true, true, true, true, true, false, false, false, true, true, false, true, false, false, true, true, true, true, false, false, false, false, true, true, true, true, false, true, false, true, true, true, true, false, false, false, false, false, false, true, true, false, false, false, true, true, false, true, true, false, true, true, true, true, false, true, true, true, false, true, true, true, true, true, true, true, false, true, false, false, true, false, false, true, false, false, true, true, false, false, false, false, true, true, false, true, false, true, false, true, false, true, true, false, false, false, false, false, true, true, true, true, true, true, true, false, false, true, true, false, true, false, true, false, false, true, true, true, false, true, false, true, false, false, true, true, true, false, true, true, false, true, false, false, false, false, true, true, false, false, true, false, true, true, false, false, false, false, true, true, false, false, false, false, false, true, true, true, false, true, false, false, false, true, false, false, true, true, false, true, false, false, true, false, false, false, true, true, false, true, true, true, false, true, true, false, false, false, true, true, true, true, false, true, true, true, true, true, true, true, true, false, false, true, true, false, false, true, false, false, false, true, false, true, false, true, false, false, true, false, true, true, false, true, false, true, true, true]); - return true; -} - -def main() { - assert(testCompress()); - return; -} \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsOnCurve.zok b/zokrates_stdlib/tests/tests/ecc/edwardsOnCurve.zok deleted file mode 100644 index 527dfe18f..000000000 --- a/zokrates_stdlib/tests/tests/ecc/edwardsOnCurve.zok +++ /dev/null @@ -1,17 +0,0 @@ -from "ecc/babyjubjubParams" import BABYJUBJUB_PARAMS; -import "ecc/edwardsOnCurve" as onCurve; - -// Code to create test cases: -// https://github.com/Zokrates/pycrypto -def testOnCurveTrue() -> bool { - field testU = 17324563846726889236817837922625232543153115346355010501047597319863650987830; - field testV = 20022170825455209233733649024450576091402881793145646502279487074566492066831; - - assert(onCurve([testU, testV], BABYJUBJUB_PARAMS)); - return true; -} - -def main() { - assert(testOnCurveTrue()); // onCurve throws for false - return; -} diff --git a/zokrates_stdlib/tests/tests/ecc/edwardsOrderCheck.zok b/zokrates_stdlib/tests/tests/ecc/edwardsOrderCheck.zok deleted file mode 100644 index 3ae977481..000000000 --- a/zokrates_stdlib/tests/tests/ecc/edwardsOrderCheck.zok +++ /dev/null @@ -1,30 +0,0 @@ -import "ecc/edwardsOrderCheck" as orderCheck; -from "ecc/babyjubjubParams" import BABYJUBJUB_PARAMS; - -// Code to create test cases: -// https://github.com/Zokrates/pycrypto -def testOrderCheckTrue() -> bool { - field testU = 17324563846726889236817837922625232543153115346355010501047597319863650987830; - field testV = 20022170825455209233733649024450576091402881793145646502279487074566492066831; - - bool out = orderCheck([testU, testV], BABYJUBJUB_PARAMS); - assert(out); - - return true; -} - -def testOrderCheckFalse() -> bool { - field testU = 4342719913949491028786768530115087822524712248835451589697801404893164183326; - field testV = 4826523245007015323400664741523384119579596407052839571721035538011798951543; - - bool out = orderCheck([testU, testV], BABYJUBJUB_PARAMS); - assert(!out); - - return true; -} - -def main() { - assert(testOrderCheckFalse()); - assert(testOrderCheckTrue()); - return; -} \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.json b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.json new file mode 100644 index 000000000..3591ddd08 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.json @@ -0,0 +1,16 @@ +{ + "entry_point": "./tests/tests/ecc/jubjub/edwardsAdd.zok", + "curves": ["Bls12_381"], + "tests": [ + { + "input": { + "values": [] + }, + "output": { + "Ok": { + "value": [] + } + } + } + ] +} diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok new file mode 100644 index 000000000..2d72da6dd --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok @@ -0,0 +1,25 @@ +from "ecc/edwards" import add, negate; +from "ecc/jubjub/params" import G, EDWARDS_A, EDWARDS_D; + +def testDoubleViaAdd() -> bool { + field[2] out = add(G, G, EDWARDS_A, EDWARDS_D); + assert(out[0] == 24354739613603689994794220961510120098878467021907233280927460034349391620123); + assert(out[1] == 29483318942286486402737115541242503910259255414069955254009289511391310837461); + return true; +} + +def testIdentities() -> bool { + field[2] inf = [0, 1]; + assert(G == add(G, inf, EDWARDS_A, EDWARDS_D)); + + field[2] nG = negate(G); + field[2] nGaddG = add(G, nG, EDWARDS_A, EDWARDS_D); + + assert(inf == nGaddG); + return true; +} + +def main() { + assert(testDoubleViaAdd()); + assert(testIdentities()); +} diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.json b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.json new file mode 100644 index 000000000..3f44fe2cd --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.json @@ -0,0 +1,16 @@ +{ + "entry_point": "./tests/tests/ecc/jubjub/edwardsOnCurve.zok", + "curves": ["Bls12_381"], + "tests": [ + { + "input": { + "values": [] + }, + "output": { + "Ok": { + "value": [] + } + } + } + ] +} diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok new file mode 100644 index 000000000..68e0b0be6 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok @@ -0,0 +1,9 @@ +from "ecc/edwards" import onCurve; +from "ecc/jubjub/params" import EDWARDS_A, EDWARDS_D; + +def main() { + field u = 11076627216317271660298050606127911965867021807910416450833192264015104452986; + field v = 44412834903739585386157632289020980010620626017712148233229312325549216099227; + + assert(onCurve([u, v], EDWARDS_A, EDWARDS_D)); +} \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.json b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.json new file mode 100644 index 000000000..a660aded4 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.json @@ -0,0 +1,16 @@ +{ + "entry_point": "./tests/tests/ecc/jubjub/edwardsOrderCheck.zok", + "curves": ["Bls12_381"], + "tests": [ + { + "input": { + "values": [] + }, + "output": { + "Ok": { + "value": [] + } + } + } + ] +} diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok new file mode 100644 index 000000000..93332d861 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok @@ -0,0 +1,23 @@ +from "ecc/edwards" import orderCheck; +from "ecc/jubjub/params" import EDWARDS_A, EDWARDS_D; + +def testOrderCheckTrue() -> bool { + field u = 11076627216317271660298050606127911965867021807910416450833192264015104452986; + field v = 44412834903739585386157632289020980010620626017712148233229312325549216099227; + + assert(orderCheck([u, v], EDWARDS_A, EDWARDS_D)); + return true; +} + +def testOrderCheckFalse() -> bool { + field u = 0; + field v = 52435875175126190479447740508185965837690552500527637822603658699938581184512; + + assert(!orderCheck([u, v], EDWARDS_A, EDWARDS_D)); + return true; +} + +def main() { + assert(testOrderCheckFalse()); + assert(testOrderCheckTrue()); +} \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.json b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.json new file mode 100644 index 000000000..6bbabb410 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.json @@ -0,0 +1,16 @@ +{ + "entry_point": "./tests/tests/ecc/jubjub/edwardsScalarMult.zok", + "curves": ["Bls12_381"], + "tests": [ + { + "input": { + "values": [] + }, + "output": { + "Ok": { + "value": [] + } + } + } + ] +} diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok new file mode 100644 index 000000000..348b0b977 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok @@ -0,0 +1,85 @@ +from "ecc/edwards" import scalarMul as mul; +from "ecc/jubjub/params" import G, EDWARDS_A, EDWARDS_D; + +/* +def testCyclic() -> bool { + // exp = JUBJUB_E + 1 + bool[256] exp = [false, false, true, true, false, false, false, false, false, true, true, false, false, true, false, false, false, true, false, false, true, true, true, false, false, true, true, true, false, false, true, false, true, true, true, false, false, false, false, true, false, false, true, true, false, false, false, true, true, false, true, false, false, false, false, false, false, false, true, false, true, false, false, true, true, false, true, true, true, false, false, false, false, true, false, true, false, false, false, false, false, true, false, false, false, true, false, true, true, false, true, true, false, true, true, false, true, false, false, false, false, false, false, true, true, false, false, false, false, false, false, true, false, true, false, true, true, false, false, false, false, true, false, true, true, true, false, true, false, true, false, true, true, false, false, true, true, true, true, true, false, true, true, true, false, true, true, false, true, true, false, true, true, true, false, false, false, false, false, true, true, true, false, false, true, false, false, true, false, false, false, false, false, true, true, true, false, true, true, true, false, false, false, false, false, true, false, true, false, false, true, true, false, false, true, true, true, false, true, true, true, false, false, true, false, true, false, false, true, false, true, true, true, true, true, false, true, true, true, false, false, false, false, true, true, true, false, false, true, false, false, true, false, false, false, false, true, false, false, true, false, false, true, true, false, true, true, true, true, false, false, false, true, false, false, true]; + + field[2] out = mul(exp, G, EDWARDS_A, EDWARDS_D); + assert(G == out); + + return true; +} +*/ + +def testMul2() -> bool { + // exp == 2 + bool[256] exp = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false]; + field[2] out = mul(exp, G, EDWARDS_A, EDWARDS_D); + + assert(out[0] == 24354739613603689994794220961510120098878467021907233280927460034349391620123); + assert(out[1] == 29483318942286486402737115541242503910259255414069955254009289511391310837461); + + return true; +} + +def testAssociativity() -> bool { + // a = 1234 + bool[256] a = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, false, true, true, false, true, false, false, true, false]; + + // b = 5678 + bool[256] b = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, true, true, false, false, false, true, false, true, true, true, false]; + + // c = 7890 + bool[256] c = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, true, true, true, false, true, true, false, true, false, false, true, false]; + + field[2] Ga = mul(a, G, EDWARDS_A, EDWARDS_D); + field[2] Gab = mul(b, Ga, EDWARDS_A, EDWARDS_D); + field[2] Gabc = mul(c, Gab, EDWARDS_A, EDWARDS_D); + + field[2] Gb = mul(b, G, EDWARDS_A, EDWARDS_D); + field[2] Gbc = mul(c, Gb, EDWARDS_A, EDWARDS_D); + field[2] Gbca = mul(a, Gbc, EDWARDS_A, EDWARDS_D); + + field[2] Gc = mul(c, G, EDWARDS_A, EDWARDS_D); + field[2] Gca = mul(a, Gc, EDWARDS_A, EDWARDS_D); + field[2] Gcab = mul(b, Gca, EDWARDS_A, EDWARDS_D); + + assert(Gabc == Gbca); + assert(Gbca == Gcab); + assert(Gabc == Gcab); + + return true; +} + +def testMultiplicative() -> bool { + // a = 1234 + bool[256] a = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, false, true, true, false, true, false, false, true, false]; + // b = 5678 + bool[256] b = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, true, true, false, false, false, true, false, true, true, true, false]; + + // ab = a*b = 7006652 + bool[256] ab = [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, true, false, true, false, true, false, true, true, true, false, true, false, false, true, true, false, true, true, true, true, false, false]; + + field[2] Ga = mul(a, G, EDWARDS_A, EDWARDS_D); + field[2] Gb = mul(b, G, EDWARDS_A, EDWARDS_D); + + field[2] Gab = mul(b, Ga, EDWARDS_A, EDWARDS_D); + field[2] Gba = mul(a, Gb, EDWARDS_A, EDWARDS_D); + + field[2] Gmab = mul(ab, G, EDWARDS_A, EDWARDS_D); + + assert(Gab == Gba); + assert(Gba == Gmab); + assert(Gab == Gmab); + + return true; +} + +def main() { + // assert(testCyclic()); + assert(testMul2()); + assert(testAssociativity()); + assert(testMultiplicative()); +} \ No newline at end of file From b3e7a6369e03994b5b1be2055b7208ccf7162605 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 21 Feb 2023 12:28:19 +0100 Subject: [PATCH 02/14] remove pragma macro from nonStrictUnpack256 --- zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok | 1 - 1 file changed, 1 deletion(-) diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok index c0f0b81c7..639450da1 100644 --- a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok @@ -1,4 +1,3 @@ -#pragma curve bn128 import "./unpack_unchecked"; From 98e91f915e58bc39cba2610b9a1e785caeea3bc5 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 21 Feb 2023 12:47:53 +0100 Subject: [PATCH 03/14] jubjub proofOfOwnership --- .../stdlib/ecc/jubjub/proofOfOwnership.zok | 24 ++++++++++++++++ .../tests/ecc/jubjub/proofOfOwnership.json | 16 +++++++++++ .../tests/ecc/jubjub/proofOfOwnership.zok | 28 +++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.json create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok new file mode 100644 index 000000000..2ddf218a8 --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok @@ -0,0 +1,24 @@ +import "../babyjubjub/compress" as compress; +from "./params" import EDWARDS_A, EDWARDS_D, G; +from "ecc/edwards" import scalarMul; + +/// Verifies match of a given public/private keypair. +/// +/// Checks if the following equation holds for the provided keypair: +/// pk = sk*G +/// where G is the chosen base point of the subgroup +/// and * denotes scalar multiplication in the subgroup +/// +/// Arguments: +/// pk: Curve point (public key) +/// sk: Private key +/// +/// Returns true for pk/sk being a valid keypair, false otherwise. +def main(field[2] pk, field[2] sk) -> bool { + // jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256 + bool[256] sk_bits = compress(sk); + field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); + assert(res[1] == pk[1]); + assert(res[0] == pk[0]); + return (res[0] == pk[0] && res[1] == pk[1]); +} \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.json b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.json new file mode 100644 index 000000000..f702e1da9 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.json @@ -0,0 +1,16 @@ +{ + "entry_point": "./tests/tests/ecc/jubjub/proofOfOwnership.zok", + "curves": ["Bls12_381"], + "tests": [ + { + "input": { + "values": [] + }, + "output": { + "Ok": { + "value": [] + } + } + } + ] +} diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok new file mode 100644 index 000000000..265a6e2da --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok @@ -0,0 +1,28 @@ +import "ecc/jubjub/proofOfOwnership" as proofOfOwnership; +from "ecc/edwards" import scalarMul; + +// Code to create test cases: +// https://github.com/Zokrates/pycrypto +def testOwnershipTrue() -> bool { + field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; + field[2] sk = [0, 24537266074035586913841246471742714563414767347802800698790739697702568093815]; + + bool out = proofOfOwnership(pk, sk); + log("x is {}", out); + assert(out); + return true; +} + +// def testOwnershipFalse() -> bool { +// field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; +// field sk = 10373199597469011642833447973814301035791960523127709637201278600637657954762; +// bool out = proofOfOwnership(pk, sk); + +// assert(!out); +// return true; +// } + +def main() { + assert(testOwnershipTrue()); + // assert(testOwnershipFalse()); +} \ No newline at end of file From ded2611731f4a6bb9d90ac705ffcea4b63d2730e Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 21 Feb 2023 13:46:47 +0100 Subject: [PATCH 04/14] jubjub: proofOfOwnership --- .../stdlib/ecc/jubjub/proofOfOwnership.zok | 2 -- .../tests/ecc/jubjub/proofOfOwnership.zok | 19 ++++++++++--------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok index 2ddf218a8..d584fb290 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok @@ -18,7 +18,5 @@ def main(field[2] pk, field[2] sk) -> bool { // jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256 bool[256] sk_bits = compress(sk); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); - assert(res[1] == pk[1]); - assert(res[0] == pk[0]); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok index 265a6e2da..7dc4e0548 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok @@ -8,21 +8,22 @@ def testOwnershipTrue() -> bool { field[2] sk = [0, 24537266074035586913841246471742714563414767347802800698790739697702568093815]; bool out = proofOfOwnership(pk, sk); - log("x is {}", out); + assert(out); return true; } -// def testOwnershipFalse() -> bool { -// field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; -// field sk = 10373199597469011642833447973814301035791960523127709637201278600637657954762; -// bool out = proofOfOwnership(pk, sk); +def testOwnershipFalse() -> bool { + field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; + field[2] sk = [1, 18475905664277789456729952520987977663429644364066130483020274925168451465560]; + + bool out = proofOfOwnership(pk, sk); -// assert(!out); -// return true; -// } + assert(!out); + return true; +} def main() { assert(testOwnershipTrue()); - // assert(testOwnershipFalse()); + assert(testOwnershipFalse()); } \ No newline at end of file From 8b6a19f04aa1774d077797dc6edfcfd75bac67cd Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Thu, 22 Jun 2023 23:39:07 +0200 Subject: [PATCH 05/14] remove unnecessary macros --- zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok | 1 - zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok | 2 -- 2 files changed, 3 deletions(-) diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok index c84ff0c29..c85e4f3e5 100644 --- a/zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok @@ -1,4 +1,3 @@ -#pragma curve bn128 import "./pack" as pack; diff --git a/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok index 37311a5cf..1661a1a51 100644 --- a/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok @@ -1,5 +1,3 @@ -#pragma curve bn128 - import "../bool/nonStrictUnpack256" as unpack; import "../../casts/bool_256_to_u32_8" as from_bits; From ae1f1361416bf9d23f1ebe2ff2648a55a74fab54 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Thu, 22 Jun 2023 23:40:15 +0200 Subject: [PATCH 06/14] jubjub signature verification --- .../stdlib/ecc/jubjub/verifyEddsa.zok | 46 +++++++++++++++++++ .../tests/tests/ecc/jubjub/verifyEddsa.json | 16 +++++++ .../tests/tests/ecc/jubjub/verifyEddsa.zok | 19 ++++++++ 3 files changed, 81 insertions(+) create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.json create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok new file mode 100644 index 000000000..bb8e5c785 --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok @@ -0,0 +1,46 @@ +import "hashes/sha256/1024bitPadded" as sha256; +import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; +import "utils/pack/u32/nonStrictUnpack256" as unpack256u; +from "utils/casts" import cast; +from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; +from "./params" import EDWARDS_A, EDWARDS_D, G; + +/// Verifies an EdDSA Signature. +/// +/// Checks the correctness of a given EdDSA Signature (R,S) for the provided +/// public key A and message (M0, M1). +/// This python repo provides the tooling for creating valid signatures: +/// https://github.com/Zokrates/pycrypto +/// +/// For more information see: +/// https://en.wikipedia.org/wiki/EdDSA +/// https://eprint.iacr.org/2015/677.pdf +/// +/// Arguments: +/// R: Curve point. Hidden version of the per-message nonce. +/// S: Field element. Signature to be verified. +/// A: Curve point. Public part of the key used to create S. +/// M0: 256bit array. First 256bits of the message used to create S. +/// M1: 256bit array. Trailing 256bits of the message used to create S. +/// +/// Returns: +/// Return true for S being a valid EdDSA Signature, false otherwise. +def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { + // Check if R is on curve and if it is not in a small subgroup. A is public input and can be checked offline + assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve + assert(orderCheck(R, EDWARDS_A, EDWARDS_D)); + + u32[8] Rx = unpack256u(R[0]); + u32[8] Ax = unpack256u(A[0]); + + u32[8] h = sha256(Rx, Ax, M0, M1); + bool[256] hRAM = cast(h); + + bool[256] sBits = unpack256bool(S); + field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D); + + field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D); + field[2] rhs = add(R, AhRAM, EDWARDS_A, EDWARDS_D); + + return (rhs[0] == lhs[0] && rhs[1] == lhs[1]); +} \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.json b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.json new file mode 100644 index 000000000..98b1e734d --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.json @@ -0,0 +1,16 @@ +{ + "entry_point": "./tests/tests/ecc/jubjub/verifyEddsa.zok", + "curves": ["Bls12_381"], + "tests": [ + { + "input": { + "values": [] + }, + "output": { + "Ok": { + "value": [] + } + } + } + ] +} diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok new file mode 100644 index 000000000..aebb79822 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok @@ -0,0 +1,19 @@ +import "ecc/jubjub/verifyEddsa" as verifyEddsa; +import "ecc/babyjubjub/compress" as compress; +import "utils/pack/bool/pack256" as pack256; + +// Code to create test case: +// https://github.com/Zokrates/pycrypto +def main() { + field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; + field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; + + // Public Key + field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; + + u32[8] M0 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + u32[8] M1 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]; + + bool isVerified = verifyEddsa(R, S, A, M0, M1); + assert(isVerified); +} \ No newline at end of file From f38f09c9cf49acd18646ca6ab962371a6dccc2ab Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 27 Jun 2023 14:43:01 +0200 Subject: [PATCH 07/14] valid signature verification for low values --- .../tests/tests/ecc/jubjub/verifyEddsa.zok | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok index aebb79822..3d82f075d 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok @@ -5,11 +5,18 @@ import "utils/pack/bool/pack256" as pack256; // Code to create test case: // https://github.com/Zokrates/pycrypto def main() { - field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; - field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; + + // TODO: Jubjub currently work only for keys <=254 bit long + // With the following keys should also work: + // field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; + // field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; + // field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; + + field[2] R = [22490636668646525942229915433486323453438020635284373216128437835524621360673, 12624871741136060820677763385435731993497076701049783026530291333628743153148]; + field S = 4726755026051608078555693269742820684994756545022776898606146042065180474766; // Public Key - field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; + field[2] A = [2448502067502868941604870117226902939301253140620644024854137332469457672501, 13461260963687082967268176292121237897132924185324950183385550823033303781608]; u32[8] M0 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; u32[8] M1 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]; From b4a349c11b93918aa9d2283a870833af24bb2907 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 27 Jun 2023 15:11:39 +0200 Subject: [PATCH 08/14] Revert "remove pragma macro from nonStrictUnpack256" This reverts commit a741f9e8f99731caac4446cbbd1dad2573ae4227. --- zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok | 1 + 1 file changed, 1 insertion(+) diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok index 639450da1..c0f0b81c7 100644 --- a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok @@ -1,3 +1,4 @@ +#pragma curve bn128 import "./unpack_unchecked"; From dc59cd5e572c62306d50a76345abff79a140504c Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 27 Jun 2023 16:43:07 +0200 Subject: [PATCH 09/14] jubjub proofOfOwnership and signature verification --- .../stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok | 11 +++++++++++ .../stdlib/ecc/jubjub/nonStrictUnpack256u32.zok | 9 +++++++++ .../stdlib/ecc/jubjub/proofOfOwnership.zok | 6 +++--- zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok | 4 ++-- .../tests/tests/ecc/jubjub/proofOfOwnership.zok | 4 ++-- .../tests/tests/ecc/jubjub/verifyEddsa.zok | 12 ++++-------- 6 files changed, 31 insertions(+), 15 deletions(-) create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok new file mode 100644 index 000000000..df8b6df49 --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok @@ -0,0 +1,11 @@ +#pragma curve bls12_381 + +import "utils/pack/bool/unpack_unchecked"; + +// Unpack a field element as 256 big-endian bits +// Note: uniqueness of the output is not guaranteed +// For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` +def main(field i) -> bool[256] { + bool[255] b = unpack_unchecked(i); + return [false, ...b]; +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok new file mode 100644 index 000000000..6ca34030e --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok @@ -0,0 +1,9 @@ +import "./nonStrictUnpack256u32" as unpack; +import "utils/casts/bool_256_to_u32_8" as from_bits; + +// Unpack a field element as a u32[8] (big-endian) +// Note: uniqueness of the output is not guaranteed +// For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` +def main(field i) -> u32[8] { + return from_bits(unpack(i)); +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok index d584fb290..2a2992c88 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok @@ -1,4 +1,4 @@ -import "../babyjubjub/compress" as compress; +import "./nonStrictUnpack256Bool" as unpack256bool; from "./params" import EDWARDS_A, EDWARDS_D, G; from "ecc/edwards" import scalarMul; @@ -14,9 +14,9 @@ from "ecc/edwards" import scalarMul; /// sk: Private key /// /// Returns true for pk/sk being a valid keypair, false otherwise. -def main(field[2] pk, field[2] sk) -> bool { +def main(field[2] pk, field sk) -> bool { // jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256 - bool[256] sk_bits = compress(sk); + bool[256] sk_bits = unpack256bool(sk); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok index bb8e5c785..df5c6cec9 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok @@ -1,8 +1,8 @@ import "hashes/sha256/1024bitPadded" as sha256; -import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; -import "utils/pack/u32/nonStrictUnpack256" as unpack256u; from "utils/casts" import cast; from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; +import "./nonStrictUnpack256Bool" as unpack256bool; +import "./nonStrictUnpack256u32" as unpack256u; from "./params" import EDWARDS_A, EDWARDS_D, G; /// Verifies an EdDSA Signature. diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok index 7dc4e0548..ab61865cc 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok @@ -5,7 +5,7 @@ from "ecc/edwards" import scalarMul; // https://github.com/Zokrates/pycrypto def testOwnershipTrue() -> bool { field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; - field[2] sk = [0, 24537266074035586913841246471742714563414767347802800698790739697702568093815]; + field sk = 24537266074035586913841246471742714563414767347802800698790739697702568093815; bool out = proofOfOwnership(pk, sk); @@ -15,7 +15,7 @@ def testOwnershipTrue() -> bool { def testOwnershipFalse() -> bool { field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; - field[2] sk = [1, 18475905664277789456729952520987977663429644364066130483020274925168451465560]; + field sk = 47423927973606838312622698773159954626747140530476271492884670927146733875544; bool out = proofOfOwnership(pk, sk); diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok index 3d82f075d..6cad9a899 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok @@ -8,15 +8,11 @@ def main() { // TODO: Jubjub currently work only for keys <=254 bit long // With the following keys should also work: - // field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; - // field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; - // field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; - - field[2] R = [22490636668646525942229915433486323453438020635284373216128437835524621360673, 12624871741136060820677763385435731993497076701049783026530291333628743153148]; - field S = 4726755026051608078555693269742820684994756545022776898606146042065180474766; - + field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; + field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; + // Public Key - field[2] A = [2448502067502868941604870117226902939301253140620644024854137332469457672501, 13461260963687082967268176292121237897132924185324950183385550823033303781608]; + field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; u32[8] M0 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; u32[8] M1 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]; From 5b5af49b42a2af4d0eccce71019dc14f48817002 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 4 Jul 2023 12:57:58 +0200 Subject: [PATCH 10/14] nunStrictUnpack256 refactor to support 255-bits fields from bls12_381 --- .../tests/tests/arrays/fun_spread.zok | 2 +- .../stdlib/ecc/babyjubjub/compress.zok | 4 +-- .../ecc/babyjubjub/proofOfOwnership.zok | 2 +- .../stdlib/ecc/babyjubjub/verifyEddsa.zok | 6 ++--- .../ecc/jubjub/nonStrictUnpack256Bool.zok | 11 -------- .../ecc/jubjub/nonStrictUnpack256u32.zok | 9 ------- .../stdlib/ecc/jubjub/proofOfOwnership.zok | 5 ++-- .../stdlib/ecc/jubjub/verifyEddsa.zok | 10 +++---- .../utils/pack/bool/nonStrictUnpack256.zok | 10 +++---- .../utils/pack/u32/nonStrictUnpack256.zok | 4 +-- .../tests/tests/ecc/jubjub/verifyEddsa.zok | 1 - .../utils/pack/bool/nonStrictUnpack256.json | 2 +- .../utils/pack/bool/nonStrictUnpack256.zok | 26 ++++++++++++++++--- .../utils/pack/u32/nonStrictUnpack256.json | 2 +- .../utils/pack/u32/nonStrictUnpack256.zok | 23 +++++++++++++--- zokrates_test/tests/out_of_range.rs | 2 +- 16 files changed, 65 insertions(+), 54 deletions(-) delete mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok diff --git a/zokrates_core_test/tests/tests/arrays/fun_spread.zok b/zokrates_core_test/tests/tests/arrays/fun_spread.zok index 7a2ccd905..861c05368 100644 --- a/zokrates_core_test/tests/tests/arrays/fun_spread.zok +++ b/zokrates_core_test/tests/tests/arrays/fun_spread.zok @@ -1,6 +1,6 @@ import "utils/pack/bool/nonStrictUnpack256.zok" as unpack256; def main(field[2] inputs) -> bool[512] { - bool[512] preimage512 = [...unpack256(inputs[0]), ...unpack256(inputs[1])]; + bool[512] preimage512 = [...unpack256(inputs[0], 254), ...unpack256(inputs[1], 254)]; return preimage512; } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok index 4351b36ac..9bcc819b5 100644 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok @@ -10,8 +10,8 @@ def main(field[2] pt) -> bool[256] { field x = pt[0]; field y = pt[1]; - bool[256] xBits = unpack256(x); - bool[256] mut yBits = unpack256(y); + bool[256] xBits = unpack256(x, 254); + bool[256] mut yBits = unpack256(y, 254); bool sign = xBits[255]; yBits[0] = sign; diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok index 53f09125c..a4546ce01 100644 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok @@ -15,7 +15,7 @@ from "ecc/edwards" import scalarMul; /// /// Returns true for pk/sk being a valid keypair, false otherwise. def main(field[2] pk, field sk) -> bool { - bool[256] sk_bits = unpack256(sk); + bool[256] sk_bits = unpack256(sk, 254); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok index bb8e5c785..ebfc07a00 100644 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok @@ -30,13 +30,13 @@ def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve assert(orderCheck(R, EDWARDS_A, EDWARDS_D)); - u32[8] Rx = unpack256u(R[0]); - u32[8] Ax = unpack256u(A[0]); + u32[8] Rx = unpack256u(R[0], 254); + u32[8] Ax = unpack256u(A[0], 254); u32[8] h = sha256(Rx, Ax, M0, M1); bool[256] hRAM = cast(h); - bool[256] sBits = unpack256bool(S); + bool[256] sBits = unpack256bool(S, 254); field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D); field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D); diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok deleted file mode 100644 index df8b6df49..000000000 --- a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok +++ /dev/null @@ -1,11 +0,0 @@ -#pragma curve bls12_381 - -import "utils/pack/bool/unpack_unchecked"; - -// Unpack a field element as 256 big-endian bits -// Note: uniqueness of the output is not guaranteed -// For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` -def main(field i) -> bool[256] { - bool[255] b = unpack_unchecked(i); - return [false, ...b]; -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok deleted file mode 100644 index 6ca34030e..000000000 --- a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok +++ /dev/null @@ -1,9 +0,0 @@ -import "./nonStrictUnpack256u32" as unpack; -import "utils/casts/bool_256_to_u32_8" as from_bits; - -// Unpack a field element as a u32[8] (big-endian) -// Note: uniqueness of the output is not guaranteed -// For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` -def main(field i) -> u32[8] { - return from_bits(unpack(i)); -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok index 2a2992c88..fef53a3d0 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok @@ -1,4 +1,4 @@ -import "./nonStrictUnpack256Bool" as unpack256bool; +import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; from "./params" import EDWARDS_A, EDWARDS_D, G; from "ecc/edwards" import scalarMul; @@ -15,8 +15,7 @@ from "ecc/edwards" import scalarMul; /// /// Returns true for pk/sk being a valid keypair, false otherwise. def main(field[2] pk, field sk) -> bool { - // jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256 - bool[256] sk_bits = unpack256bool(sk); + bool[256] sk_bits = unpack256bool(sk, 255); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok index df5c6cec9..3ed8b317c 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok @@ -1,8 +1,8 @@ import "hashes/sha256/1024bitPadded" as sha256; +import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; +import "utils/pack/u32/nonStrictUnpack256" as unpack256u; from "utils/casts" import cast; from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; -import "./nonStrictUnpack256Bool" as unpack256bool; -import "./nonStrictUnpack256u32" as unpack256u; from "./params" import EDWARDS_A, EDWARDS_D, G; /// Verifies an EdDSA Signature. @@ -30,13 +30,13 @@ def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve assert(orderCheck(R, EDWARDS_A, EDWARDS_D)); - u32[8] Rx = unpack256u(R[0]); - u32[8] Ax = unpack256u(A[0]); + u32[8] Rx = unpack256u(R[0], 255); + u32[8] Ax = unpack256u(A[0], 255); u32[8] h = sha256(Rx, Ax, M0, M1); bool[256] hRAM = cast(h); - bool[256] sBits = unpack256bool(S); + bool[256] sBits = unpack256bool(S, 255); field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D); field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D); diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok index c0f0b81c7..6ba5a8662 100644 --- a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok @@ -1,11 +1,11 @@ -#pragma curve bn128 - import "./unpack_unchecked"; // Unpack a field element as 256 big-endian bits // Note: uniqueness of the output is not guaranteed // For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` -def main(field i) -> bool[256] { - bool[254] b = unpack_unchecked(i); - return [false, false, ...b]; +def main(field i, u32 bit_size) -> bool[256] { + assert(bit_size == 254 || bit_size == 255); + u32 padding_size = 256 - bit_size; + bool[bit_size] b = unpack_unchecked(i); + return [...[false; padding_size], ...b]; } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok index 1661a1a51..3a3a70039 100644 --- a/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok @@ -4,6 +4,6 @@ import "../../casts/bool_256_to_u32_8" as from_bits; // Unpack a field element as a u32[8] (big-endian) // Note: uniqueness of the output is not guaranteed // For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` -def main(field i) -> u32[8] { - return from_bits(unpack(i)); +def main(field i, u32 bit_size) -> u32[8] { + return from_bits(unpack(i, bit_size)); } \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok index 6cad9a899..2438f6c65 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok @@ -1,5 +1,4 @@ import "ecc/jubjub/verifyEddsa" as verifyEddsa; -import "ecc/babyjubjub/compress" as compress; import "utils/pack/bool/pack256" as pack256; // Code to create test case: diff --git a/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.json b/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.json index dc6f88bd7..e7c734581 100644 --- a/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.json +++ b/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.json @@ -1,6 +1,6 @@ { "entry_point": "./tests/tests/utils/pack/bool/nonStrictUnpack256.zok", - "curves": ["Bn128"], + "curves": ["Bls12_381"], "tests": [ { "input": { diff --git a/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.zok index 9cd9694ad..8e8746b26 100644 --- a/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.zok @@ -1,26 +1,44 @@ import "utils/pack/bool/nonStrictUnpack256" as unpack256; def testFive() -> bool { - bool[256] b = unpack256(5); + bool[256] b = unpack256(5, 254); assert(b == [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, true]); + + bool[256] b = unpack256(5, 255); + assert(b == [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, true]); + return true; } def testZero() -> bool { - bool[256] b = unpack256(0); + bool[256] b = unpack256(0, 254); + assert(b == [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false]); + + bool[256] b = unpack256(0, 255); assert(b == [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false]); + return true; } def testLarge() -> bool { - bool[256] b = unpack256(14474011154664524427946373126085988481658748083205070504932198000989141204991); + bool[256] b = unpack256(14474011154664524427946373126085988481658748083205070504932198000989141204991, 254); assert(b == [false, false, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true]); + + bool[256] b = unpack256(28948022309329048855892746252171976963317496166410141009864396001978282409983, 255); + assert(b == [false, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true]); + return true; } def testMax() -> bool { - bool[256] b = unpack256(21888242871839275222246405745257275088548364400416034343698204186575808495616); + // bn128 + bool[256] b = unpack256(21888242871839275222246405745257275088548364400416034343698204186575808495616, 254); assert(b == [false, false, true, true, false, false, false, false, false, true, true, false, false, true, false, false, false, true, false, false, true, true, true, false, false, true, true, true, false, false, true, false, true, true, true, false, false, false, false, true, false, false, true, true, false, false, false, true, true, false, true, false, false, false, false, false, false, false, true, false, true, false, false, true, true, false, true, true, true, false, false, false, false, true, false, true, false, false, false, false, false, true, false, false, false, true, false, true, true, false, true, true, false, true, true, false, true, false, false, false, false, false, false, true, true, false, false, false, false, false, false, true, false, true, false, true, true, false, false, false, false, true, false, true, true, true, false, true, false, false, true, false, true, false, false, false, false, false, true, true, false, false, true, true, true, true, true, false, true, false, false, false, false, true, false, false, true, false, false, false, false, true, true, true, true, false, false, true, true, false, true, true, true, false, false, true, false, true, true, true, false, false, false, false, true, false, false, true, false, false, false, true, false, true, false, false, false, false, true, true, true, true, true, false, false, false, false, true, true, true, true, true, false, true, false, true, true, false, false, true, false, false, true, true, true, true, true, true, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false]); + + // bls12_381 + bool[256] b = unpack256(52435875175126190479447740508185965837690552500527637822603658699938581184512, 255); + assert(b == [false, true, true, true, false, false, true, true, true, true, true, false, true, true, false, true, true, false, true, false, false, true, true, true, false, true, false, true, false, false, true, true, false, false, true, false, true, false, false, true, true, false, false, true, true, true, false, true, false, true, true, true, true, true, false, true, false, true, false, false, true, false, false, false, false, false, true, true, false, false, true, true, false, false, true, true, true, false, false, true, true, true, false, true, true, false, false, false, false, false, false, false, true, false, false, false, false, false, false, false, true, false, false, true, true, false, true, false, false, false, false, true, true, true, false, true, true, false, false, false, false, false, false, false, false, true, false, true, false, true, false, true, false, false, true, true, true, false, true, true, true, true, false, true, true, false, true, false, false, true, false, false, false, false, false, false, false, false, true, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, false, false, true, false, true, true, false, true, true, true, true, true, true, true, true, true, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false]); + return true; } diff --git a/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.json b/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.json index 00815fc75..5a8dc41e3 100644 --- a/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.json +++ b/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.json @@ -1,6 +1,6 @@ { "entry_point": "./tests/tests/utils/pack/u32/nonStrictUnpack256.zok", - "curves": ["Bn128"], + "curves": ["Bls12_381"], "tests": [ { "input": { diff --git a/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.zok b/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.zok index 4a865fb6e..67be9afda 100644 --- a/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.zok +++ b/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.zok @@ -1,26 +1,41 @@ import "utils/pack/u32/nonStrictUnpack256" as unpack256; def testFive() -> bool { - u32[8] b = unpack256(5); + u32[8] b = unpack256(5, 254); assert(b == [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]); + + u32[8] b = unpack256(5, 255); + assert(b == [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]); + return true; } def testZero() -> bool { - u32[8] b = unpack256(0); + u32[8] b = unpack256(0, 254); + assert(b == [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]); + + u32[8] b = unpack256(0, 255); assert(b == [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]); return true; } def testLarge() -> bool { - u32[8] b = unpack256(14474011154664524427946373126085988481658748083205070504932198000989141204991); + u32[8] b = unpack256(14474011154664524427946373126085988481658748083205070504932198000989141204991, 254); assert(b == [0x1fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff]); + + u32[8] b = unpack256(28948022309329048855892746252171976963317496166410141009864396001978282409983, 255); + assert(b == [0x3fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff]); return true; } def testMax() -> bool { - u32[8] b = unpack256(21888242871839275222246405745257275088548364400416034343698204186575808495616); + // bn128 + u32[8] b = unpack256(21888242871839275222246405745257275088548364400416034343698204186575808495616, 254); assert(b == [0x30644e72, 0xe131a029, 0xb85045b6, 0x8181585d, 0x2833e848, 0x79b97091, 0x43e1f593, 0xf0000000]); + + // bls12_381 + u32[8] b = unpack256(52435875175126190479447740508185965837690552500527637822603658699938581184512, 255); + assert(b == [0x73eda753, 0x299d7d48, 0x3339d808, 0x09a1d805, 0x53bda402, 0xfffe5bfe, 0xffffffff, 0x00000000]); return true; } diff --git a/zokrates_test/tests/out_of_range.rs b/zokrates_test/tests/out_of_range.rs index ea2800252..730485ae7 100644 --- a/zokrates_test/tests/out_of_range.rs +++ b/zokrates_test/tests/out_of_range.rs @@ -133,7 +133,7 @@ fn unpack256_unchecked() { import "utils/pack/bool/nonStrictUnpack256"; def main(private field a) { - bool[256] bits = nonStrictUnpack256(a); + bool[256] bits = nonStrictUnpack256(a, 254); assert(bits[255]); return; } From 4fbc5c584e163ddaeb6da11c479051af42cdb75d Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 4 Jul 2023 13:44:04 +0200 Subject: [PATCH 11/14] stdlib ecc module refactor to facilitate the addition signatures from other curves --- zokrates_stdlib/stdlib/ecc/babyjubjub.zok | 46 +++++++++++++++++++ .../stdlib/ecc/babyjubjub/compress.zok | 20 -------- .../stdlib/ecc/babyjubjub/params.zok | 13 ------ .../stdlib/ecc/babyjubjub/verifyEddsa.zok | 46 ------------------- .../ecc/{jubjub/params.zok => jubjub.zok} | 20 +++++++- .../stdlib/ecc/jubjub/proofOfOwnership.zok | 21 --------- .../ecc/{babyjubjub => }/proofOfOwnership.zok | 5 +- .../stdlib/ecc/{jubjub => }/verifyEddsa.zok | 9 ++-- .../stdlib/hashes/pedersen/512bitBool.zok | 3 +- .../tests/tests/ecc/babyjubjub/compress.zok | 3 +- .../tests/tests/ecc/babyjubjub/edwardsAdd.zok | 2 +- .../tests/ecc/babyjubjub/edwardsOnCurve.zok | 2 +- .../ecc/babyjubjub/edwardsOrderCheck.zok | 2 +- .../ecc/babyjubjub/edwardsScalarMult.zok | 2 +- .../tests/ecc/babyjubjub/proofOfOwnership.zok | 4 +- .../tests/ecc/babyjubjub/verifyEddsa.zok | 2 +- .../tests/tests/ecc/jubjub/edwardsAdd.zok | 2 +- .../tests/tests/ecc/jubjub/edwardsOnCurve.zok | 2 +- .../tests/ecc/jubjub/edwardsOrderCheck.zok | 2 +- .../tests/ecc/jubjub/edwardsScalarMult.zok | 2 +- .../tests/ecc/jubjub/proofOfOwnership.zok | 4 +- .../tests/tests/ecc/jubjub/verifyEddsa.zok | 4 +- 22 files changed, 88 insertions(+), 128 deletions(-) create mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok rename zokrates_stdlib/stdlib/ecc/{jubjub/params.zok => jubjub.zok} (53%) delete mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok rename zokrates_stdlib/stdlib/ecc/{babyjubjub => }/proofOfOwnership.zok (80%) rename zokrates_stdlib/stdlib/ecc/{jubjub => }/verifyEddsa.zok (85%) diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub.zok new file mode 100644 index 000000000..2df5ec0f8 --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub.zok @@ -0,0 +1,46 @@ +#pragma curve bn128 + +import "./proofOfOwnership" as edwardsProofOfOwnership; +import "./verifyEddsa" as edwardsSignature; +import "utils/pack/bool/nonStrictUnpack256" as unpack256; + + +// The `a` coefficient of the twisted Edwards curve +const field EDWARDS_A = 168700; + +// The `d` coefficient of the twisted Edwards curve +const field EDWARDS_D = 168696; + +// The generator point +const field[2] G = [ + 16540640123574156134436876038791482806971768689494387082833631921987005038935, // Gx + 20819045374670962167435360035096875258406992893633759881276124905556507972311 // Gy +]; + +const u32 bit_size = 254; + + +def proofOfOwnership(field[2] pk, field sk) -> bool { + + return edwardsProofOfOwnership(pk, sk, G, EDWARDS_A, EDWARDS_D, bit_size); +} + + +def verifyEddsa(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { + + return edwardsSignature(R, S, A, M0, M1, G, EDWARDS_A, EDWARDS_D, bit_size); +} + + +def compress(field[2] pt) -> bool[256] { + field x = pt[0]; + field y = pt[1]; + + bool[256] xBits = unpack256(x, 254); + bool[256] mut yBits = unpack256(y, 254); + + bool sign = xBits[255]; + yBits[0] = sign; + + return yBits; +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok deleted file mode 100644 index 9bcc819b5..000000000 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok +++ /dev/null @@ -1,20 +0,0 @@ -import "utils/pack/bool/nonStrictUnpack256" as unpack256; - -// Compress curve point to a 256-bit boolean array using the big-endian bit order -// Python code reference: -// def compress(self): -// x = self.x.n -// y = self.y.n -// return int.to_bytes(y | ((x & 1) << 255), 32, "big") -def main(field[2] pt) -> bool[256] { - field x = pt[0]; - field y = pt[1]; - - bool[256] xBits = unpack256(x, 254); - bool[256] mut yBits = unpack256(y, 254); - - bool sign = xBits[255]; - yBits[0] = sign; - - return yBits; -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok deleted file mode 100644 index 6dd695dd1..000000000 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok +++ /dev/null @@ -1,13 +0,0 @@ -#pragma curve bn128 - -// The `a` coefficient of the twisted Edwards curve -const field EDWARDS_A = 168700; - -// The `d` coefficient of the twisted Edwards curve -const field EDWARDS_D = 168696; - -// The generator point -const field[2] G = [ - 16540640123574156134436876038791482806971768689494387082833631921987005038935, // Gx - 20819045374670962167435360035096875258406992893633759881276124905556507972311 // Gy -]; \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok deleted file mode 100644 index ebfc07a00..000000000 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok +++ /dev/null @@ -1,46 +0,0 @@ -import "hashes/sha256/1024bitPadded" as sha256; -import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; -import "utils/pack/u32/nonStrictUnpack256" as unpack256u; -from "utils/casts" import cast; -from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; -from "./params" import EDWARDS_A, EDWARDS_D, G; - -/// Verifies an EdDSA Signature. -/// -/// Checks the correctness of a given EdDSA Signature (R,S) for the provided -/// public key A and message (M0, M1). -/// This python repo provides the tooling for creating valid signatures: -/// https://github.com/Zokrates/pycrypto -/// -/// For more information see: -/// https://en.wikipedia.org/wiki/EdDSA -/// https://eprint.iacr.org/2015/677.pdf -/// -/// Arguments: -/// R: Curve point. Hidden version of the per-message nonce. -/// S: Field element. Signature to be verified. -/// A: Curve point. Public part of the key used to create S. -/// M0: 256bit array. First 256bits of the message used to create S. -/// M1: 256bit array. Trailing 256bits of the message used to create S. -/// -/// Returns: -/// Return true for S being a valid EdDSA Signature, false otherwise. -def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { - // Check if R is on curve and if it is not in a small subgroup. A is public input and can be checked offline - assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve - assert(orderCheck(R, EDWARDS_A, EDWARDS_D)); - - u32[8] Rx = unpack256u(R[0], 254); - u32[8] Ax = unpack256u(A[0], 254); - - u32[8] h = sha256(Rx, Ax, M0, M1); - bool[256] hRAM = cast(h); - - bool[256] sBits = unpack256bool(S, 254); - field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D); - - field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D); - field[2] rhs = add(R, AhRAM, EDWARDS_A, EDWARDS_D); - - return (rhs[0] == lhs[0] && rhs[1] == lhs[1]); -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/params.zok b/zokrates_stdlib/stdlib/ecc/jubjub.zok similarity index 53% rename from zokrates_stdlib/stdlib/ecc/jubjub/params.zok rename to zokrates_stdlib/stdlib/ecc/jubjub.zok index c4273750f..89eb6e9a0 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/params.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub.zok @@ -1,5 +1,9 @@ #pragma curve bls12_381 +import "./proofOfOwnership" as edwardsProofOfOwnership; +import "./verifyEddsa" as edwardsSignature; + + // The `a` coefficient of the twisted Edwards curve const field EDWARDS_A = -1; @@ -10,4 +14,18 @@ const field EDWARDS_D = 19257038036680949359750312669786877991949435402254120286 const field[2] G = [ 11076627216317271660298050606127911965867021807910416450833192264015104452986, // Gx 44412834903739585386157632289020980010620626017712148233229312325549216099227 // Gy -]; \ No newline at end of file +]; + +const u32 bit_size = 255; + + +def proofOfOwnership(field[2] pk, field sk) -> bool { + + return edwardsProofOfOwnership(pk, sk, G, EDWARDS_A, EDWARDS_D, bit_size); +} + + +def verifyEddsa(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { + + return edwardsSignature(R, S, A, M0, M1, G, EDWARDS_A, EDWARDS_D, bit_size); +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok deleted file mode 100644 index fef53a3d0..000000000 --- a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok +++ /dev/null @@ -1,21 +0,0 @@ -import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; -from "./params" import EDWARDS_A, EDWARDS_D, G; -from "ecc/edwards" import scalarMul; - -/// Verifies match of a given public/private keypair. -/// -/// Checks if the following equation holds for the provided keypair: -/// pk = sk*G -/// where G is the chosen base point of the subgroup -/// and * denotes scalar multiplication in the subgroup -/// -/// Arguments: -/// pk: Curve point (public key) -/// sk: Private key -/// -/// Returns true for pk/sk being a valid keypair, false otherwise. -def main(field[2] pk, field sk) -> bool { - bool[256] sk_bits = unpack256bool(sk, 255); - field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); - return (res[0] == pk[0] && res[1] == pk[1]); -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok similarity index 80% rename from zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok rename to zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok index a4546ce01..7642737e2 100644 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok @@ -1,5 +1,4 @@ import "utils/pack/bool/nonStrictUnpack256" as unpack256; -from "./params" import EDWARDS_A, EDWARDS_D, G; from "ecc/edwards" import scalarMul; /// Verifies match of a given public/private keypair. @@ -14,8 +13,8 @@ from "ecc/edwards" import scalarMul; /// sk: Private key /// /// Returns true for pk/sk being a valid keypair, false otherwise. -def main(field[2] pk, field sk) -> bool { - bool[256] sk_bits = unpack256(sk, 254); +def main(field[2] pk, field sk, field[2] G, field EDWARDS_A, field EDWARDS_D, u32 bit_size) -> bool { + bool[256] sk_bits = unpack256(sk, bit_size); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/verifyEddsa.zok similarity index 85% rename from zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok rename to zokrates_stdlib/stdlib/ecc/verifyEddsa.zok index 3ed8b317c..51103e745 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/verifyEddsa.zok @@ -3,7 +3,6 @@ import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; import "utils/pack/u32/nonStrictUnpack256" as unpack256u; from "utils/casts" import cast; from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; -from "./params" import EDWARDS_A, EDWARDS_D, G; /// Verifies an EdDSA Signature. /// @@ -25,18 +24,18 @@ from "./params" import EDWARDS_A, EDWARDS_D, G; /// /// Returns: /// Return true for S being a valid EdDSA Signature, false otherwise. -def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { +def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1, field[2] G, field EDWARDS_A, field EDWARDS_D, u32 bit_size) -> bool { // Check if R is on curve and if it is not in a small subgroup. A is public input and can be checked offline assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve assert(orderCheck(R, EDWARDS_A, EDWARDS_D)); - u32[8] Rx = unpack256u(R[0], 255); - u32[8] Ax = unpack256u(A[0], 255); + u32[8] Rx = unpack256u(R[0], bit_size); + u32[8] Ax = unpack256u(A[0], bit_size); u32[8] h = sha256(Rx, Ax, M0, M1); bool[256] hRAM = cast(h); - bool[256] sBits = unpack256bool(S, 255); + bool[256] sBits = unpack256bool(S, bit_size); field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D); field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D); diff --git a/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok b/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok index aa9a62afb..0e1786a0b 100644 --- a/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok +++ b/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok @@ -1,8 +1,7 @@ import "utils/multiplexer/lookup3bitSigned" as sel3s; import "utils/multiplexer/lookup2bit" as sel2; -import "ecc/babyjubjub/compress"; from "ecc/edwards" import add; -from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import EDWARDS_A, EDWARDS_D, compress; // Code to export generators used in this example: // import bitstring diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok index b74505d43..2f174fe4c 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok @@ -1,5 +1,4 @@ -import "ecc/babyjubjub/compress"; -from "ecc/babyjubjub/params" import G; +from "ecc/babyjubjub" import G, compress; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok index d38391e2b..802c63873 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import add, negate; -from "ecc/babyjubjub/params" import G, EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import G, EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok index 45b14bf8a..6be0b79d7 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import onCurve; -from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok index 6d44f2db2..bf16f0bf8 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import orderCheck; -from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok index bcf1efdbb..960acddfe 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import scalarMul as mul; -from "ecc/babyjubjub/params" import G, EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import G, EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok index 98c387bff..bacbdae21 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok @@ -1,5 +1,5 @@ -import "ecc/babyjubjub/proofOfOwnership" as proofOfOwnership; -from "ecc/edwards" import scalarMul; +from "ecc/babyjubjub" import proofOfOwnership; + // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok index e813aa133..ff86dc696 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok @@ -1,4 +1,4 @@ -import "ecc/babyjubjub/verifyEddsa" as verifyEddsa; +from "ecc/babyjubjub" import verifyEddsa; // Code to create test case: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok index 2d72da6dd..4306cfb55 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import add, negate; -from "ecc/jubjub/params" import G, EDWARDS_A, EDWARDS_D; +from "ecc/jubjub" import G, EDWARDS_A, EDWARDS_D; def testDoubleViaAdd() -> bool { field[2] out = add(G, G, EDWARDS_A, EDWARDS_D); diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok index 68e0b0be6..dda5bd262 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import onCurve; -from "ecc/jubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/jubjub" import EDWARDS_A, EDWARDS_D; def main() { field u = 11076627216317271660298050606127911965867021807910416450833192264015104452986; diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok index 93332d861..e6c10e323 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import orderCheck; -from "ecc/jubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/jubjub" import EDWARDS_A, EDWARDS_D; def testOrderCheckTrue() -> bool { field u = 11076627216317271660298050606127911965867021807910416450833192264015104452986; diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok index 348b0b977..64590c424 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import scalarMul as mul; -from "ecc/jubjub/params" import G, EDWARDS_A, EDWARDS_D; +from "ecc/jubjub" import G, EDWARDS_A, EDWARDS_D; /* def testCyclic() -> bool { diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok index ab61865cc..ea6b20e6a 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok @@ -1,5 +1,5 @@ -import "ecc/jubjub/proofOfOwnership" as proofOfOwnership; -from "ecc/edwards" import scalarMul; +from "ecc/jubjub" import proofOfOwnership; + // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok index 2438f6c65..ce07cdc51 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok @@ -1,5 +1,5 @@ -import "ecc/jubjub/verifyEddsa" as verifyEddsa; -import "utils/pack/bool/pack256" as pack256; +from "ecc/jubjub" import verifyEddsa; + // Code to create test case: // https://github.com/Zokrates/pycrypto From e391fe13237e27509663997629e3a0d0d13b2fc8 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Wed, 27 Sep 2023 14:10:08 +0200 Subject: [PATCH 12/14] review changes applied --- zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok index 6ba5a8662..070a865a9 100644 --- a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok @@ -4,7 +4,7 @@ import "./unpack_unchecked"; // Note: uniqueness of the output is not guaranteed // For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` def main(field i, u32 bit_size) -> bool[256] { - assert(bit_size == 254 || bit_size == 255); + assert(bit_size <= 256); u32 padding_size = 256 - bit_size; bool[bit_size] b = unpack_unchecked(i); return [...[false; padding_size], ...b]; From e84ff7ac697e9fc5595aef1f07e26f086d59ddbb Mon Sep 17 00:00:00 2001 From: dark64 Date: Wed, 4 Oct 2023 18:33:09 +0200 Subject: [PATCH 13/14] format, add changelog --- changelogs/unreleased/1333-dark64 | 1 + zokrates_stdlib/stdlib/ecc/babyjubjub.zok | 6 ------ zokrates_stdlib/stdlib/ecc/jubjub.zok | 5 ----- zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok | 4 ++++ zokrates_stdlib/stdlib/ecc/verifyEddsa.zok | 3 +++ 5 files changed, 8 insertions(+), 11 deletions(-) create mode 100644 changelogs/unreleased/1333-dark64 diff --git a/changelogs/unreleased/1333-dark64 b/changelogs/unreleased/1333-dark64 new file mode 100644 index 000000000..c7a870565 --- /dev/null +++ b/changelogs/unreleased/1333-dark64 @@ -0,0 +1 @@ +Add jubjub to stdlib (collab with @alvaro-alonso) \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub.zok index 2df5ec0f8..c7b97c3a6 100644 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub.zok @@ -4,7 +4,6 @@ import "./proofOfOwnership" as edwardsProofOfOwnership; import "./verifyEddsa" as edwardsSignature; import "utils/pack/bool/nonStrictUnpack256" as unpack256; - // The `a` coefficient of the twisted Edwards curve const field EDWARDS_A = 168700; @@ -19,19 +18,14 @@ const field[2] G = [ const u32 bit_size = 254; - def proofOfOwnership(field[2] pk, field sk) -> bool { - return edwardsProofOfOwnership(pk, sk, G, EDWARDS_A, EDWARDS_D, bit_size); } - def verifyEddsa(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { - return edwardsSignature(R, S, A, M0, M1, G, EDWARDS_A, EDWARDS_D, bit_size); } - def compress(field[2] pt) -> bool[256] { field x = pt[0]; field y = pt[1]; diff --git a/zokrates_stdlib/stdlib/ecc/jubjub.zok b/zokrates_stdlib/stdlib/ecc/jubjub.zok index 89eb6e9a0..54f5e7687 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub.zok @@ -3,7 +3,6 @@ import "./proofOfOwnership" as edwardsProofOfOwnership; import "./verifyEddsa" as edwardsSignature; - // The `a` coefficient of the twisted Edwards curve const field EDWARDS_A = -1; @@ -18,14 +17,10 @@ const field[2] G = [ const u32 bit_size = 255; - def proofOfOwnership(field[2] pk, field sk) -> bool { - return edwardsProofOfOwnership(pk, sk, G, EDWARDS_A, EDWARDS_D, bit_size); } - def verifyEddsa(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { - return edwardsSignature(R, S, A, M0, M1, G, EDWARDS_A, EDWARDS_D, bit_size); } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok index 7642737e2..54aa6b222 100644 --- a/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok @@ -11,6 +11,10 @@ from "ecc/edwards" import scalarMul; /// Arguments: /// pk: Curve point (public key) /// sk: Private key +/// G: Generator point +/// EDWARDS_A: Coefficient `a` of the twisted Edwards curve +/// EDWARDS_D: Coefficient `d` of the twisted Edwards curve +/// bit_size: Bit size of the twisted Edwards curve /// /// Returns true for pk/sk being a valid keypair, false otherwise. def main(field[2] pk, field sk, field[2] G, field EDWARDS_A, field EDWARDS_D, u32 bit_size) -> bool { diff --git a/zokrates_stdlib/stdlib/ecc/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/verifyEddsa.zok index 51103e745..75e88b4ea 100644 --- a/zokrates_stdlib/stdlib/ecc/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/verifyEddsa.zok @@ -21,6 +21,9 @@ from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; /// A: Curve point. Public part of the key used to create S. /// M0: 256bit array. First 256bits of the message used to create S. /// M1: 256bit array. Trailing 256bits of the message used to create S. +/// EDWARDS_A: Coefficient `a` of the twisted Edwards curve +/// EDWARDS_D: Coefficient `d` of the twisted Edwards curve +/// bit_size: Bit size of the twisted Edwards curve /// /// Returns: /// Return true for S being a valid EdDSA Signature, false otherwise. From 9366c099c17f6cabfc4a42df7d5ba4aaf9ed0aa3 Mon Sep 17 00:00:00 2001 From: dark64 Date: Wed, 4 Oct 2023 18:34:35 +0200 Subject: [PATCH 14/14] fix changelog number --- changelogs/unreleased/{1333-dark64 => 1259-dark64} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelogs/unreleased/{1333-dark64 => 1259-dark64} (100%) diff --git a/changelogs/unreleased/1333-dark64 b/changelogs/unreleased/1259-dark64 similarity index 100% rename from changelogs/unreleased/1333-dark64 rename to changelogs/unreleased/1259-dark64