test: standard circom tests

Cargo.toml

@@ -58,7 +58,6 @@ rayon = "1.8.1"
 thiserror = "1.0.59"
 tracing = { version = "0.1.40" }
 tracing-subscriber = "0.3"
-tracing-test = "0.2.4"
 tokio = { version = "1.34.0", features = [
     "rt",
     "rt-multi-thread",

circom-mpc-compiler/Cargo.toml

@@ -33,5 +33,3 @@ circom-types = { version = "0.1.0", path = "../circom-types" }
 collaborative-groth16 = { version = "0.1.0", path = "../collaborative-groth16" }
 mpc-core = { version = "0.1.0", path = "../mpc-core" }
 tracing.workspace = true
-# we want to test logging of other crates, so we disable the env filter
-tracing-test = { workspace = true, features = ["no-env-filter"] }

circom-mpc-compiler/src/lib.rs

@@ -533,14 +533,12 @@ impl<P: Pairing> CollaborativeCircomCompiler<P> {
         ))
     }
 }
-
 #[cfg(test)]
 mod tests {
     use ark_bn254::Bn254;
     use circom_types::groth16::witness::Witness;
     use collaborative_groth16::groth16::SharedWitness;
     use mpc_core::protocols::plain::PlainDriver;
-    use tracing_test::traced_test;
 
     use super::*;
     use std::{fs::File, str::FromStr};
@@ -550,9 +548,8 @@ mod tests {
         witness.public_inputs
     }
 
-    #[traced_test]
     #[test]
-    fn logs() {
+    fn mul2() {
         let file = "../test_vectors/circuits/multiplier2.circom";
         let builder = CompilerBuilder::<Bn254>::new(file.to_owned()).build();
         let is_witness = builder
@@ -573,9 +570,6 @@ mod tests {
                 ark_bn254::Fr::from_str("11").unwrap()
             ]
         );
-        assert!(logs_contain(
-            "This is a test to see whether the logging work:  33"
-        ));
     }
     #[test]
     fn mul16() {

test_vectors/circuits/libs/binsub.circom

@@ -0,0 +1,74 @@
+ /*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/*
+This component creates a binary substraction.
+
+
+Main Constraint:
+   (in[0][0]     * 2^0  +  in[0][1]     * 2^1  + ..... + in[0][n-1]    * 2^(n-1))  +
+ +  2^n
+ - (in[1][0]     * 2^0  +  in[1][1]     * 2^1  + ..... + in[1][n-1]    * 2^(n-1))
+ ===
+   out[0] * 2^0  + out[1] * 2^1 +   + out[n-1] *2^(n-1) + aux
+
+
+    out[0]     * (out[0] - 1) === 0
+    out[1]     * (out[0] - 1) === 0
+    .
+    .
+    .
+    out[n-1]   * (out[n-1] - 1) === 0
+    aux * (aux-1) == 0
+
+*/
+pragma circom 2.0.0;
+
+template BinSub(n) {
+    signal input in[2][n];
+    signal output out[n];
+
+    signal aux;
+
+    var lin = 2**n;
+    var lout = 0;
+
+    var i;
+
+    for (i=0; i<n; i++) {
+        lin = lin + in[0][i]*(2**i);
+        lin = lin - in[1][i]*(2**i);
+    }
+
+    for (i=0; i<n; i++) {
+        out[i] <-- (lin >> i) & 1;
+
+        // Ensure out is binary
+        out[i] * (out[i] - 1) === 0;
+
+        lout = lout + out[i]*(2**i);
+    }
+
+    aux <-- (lin >> n) & 1;
+    aux*(aux-1) === 0;
+    lout = lout + aux*(2**n);
+
+    // Ensure the sum;
+    lin === lout;
+}

test_vectors/circuits/libs/eddsa.circom

@@ -0,0 +1,139 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "compconstant.circom";
+include "pointbits.circom";
+include "pedersen.circom";
+include "escalarmulany.circom";
+include "escalarmulfix.circom";
+
+template EdDSAVerifier(n) {
+    signal input msg[n];
+
+    signal input A[256];
+    signal input R8[256];
+    signal input S[256];
+
+    signal Ax;
+    signal Ay;
+
+    signal R8x;
+    signal R8y;
+
+    var i;
+
+// Ensure S<Subgroup Order
+
+    component  compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
+
+    for (i=0; i<254; i++) {
+        S[i] ==> compConstant.in[i];
+    }
+    compConstant.out === 0;
+    S[254] === 0;
+    S[255] === 0;
+
+// Convert A to Field elements (And verify A)
+
+    component bits2pointA = Bits2Point_Strict();
+
+    for (i=0; i<256; i++) {
+        bits2pointA.in[i] <== A[i];
+    }
+    Ax <== bits2pointA.out[0];
+    Ay <== bits2pointA.out[1];
+
+// Convert R8 to Field elements (And verify R8)
+
+    component bits2pointR8 = Bits2Point_Strict();
+
+    for (i=0; i<256; i++) {
+        bits2pointR8.in[i] <== R8[i];
+    }
+    R8x <== bits2pointR8.out[0];
+    R8y <== bits2pointR8.out[1];
+
+// Calculate the h = H(R,A, msg)
+
+    component hash = Pedersen(512+n);
+
+    for (i=0; i<256; i++) {
+        hash.in[i] <== R8[i];
+        hash.in[256+i] <== A[i];
+    }
+    for (i=0; i<n; i++) {
+        hash.in[512+i] <== msg[i];
+    }
+
+    component point2bitsH = Point2Bits_Strict();
+    point2bitsH.in[0] <== hash.out[0];
+    point2bitsH.in[1] <== hash.out[1];
+
+// Calculate second part of the right side:  right2 = h*8*A
+
+    // Multiply by 8 by adding it 3 times.  This also ensure that the result is in
+    // the subgroup.
+    component dbl1 = BabyDbl();
+    dbl1.x <== Ax;
+    dbl1.y <== Ay;
+    component dbl2 = BabyDbl();
+    dbl2.x <== dbl1.xout;
+    dbl2.y <== dbl1.yout;
+    component dbl3 = BabyDbl();
+    dbl3.x <== dbl2.xout;
+    dbl3.y <== dbl2.yout;
+
+    // We check that A is not zero.
+    component isZero = IsZero();
+    isZero.in <== dbl3.x;
+    isZero.out === 0;
+
+    component mulAny = EscalarMulAny(256);
+    for (i=0; i<256; i++) {
+        mulAny.e[i] <== point2bitsH.out[i];
+    }
+    mulAny.p[0] <== dbl3.xout;
+    mulAny.p[1] <== dbl3.yout;
+
+
+// Compute the right side: right =  R8 + right2
+
+    component addRight = BabyAdd();
+    addRight.x1 <== R8x;
+    addRight.y1 <== R8y;
+    addRight.x2 <== mulAny.out[0];
+    addRight.y2 <== mulAny.out[1];
+
+// Calculate left side of equation left = S*B8
+
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+    component mulFix = EscalarMulFix(256, BASE8);
+    for (i=0; i<256; i++) {
+        mulFix.e[i] <== S[i];
+    }
+
+// Do the comparation left == right
+
+    mulFix.out[0] === addRight.xout;
+    mulFix.out[1] === addRight.yout;
+}

test_vectors/circuits/libs/eddsamimc.circom

@@ -0,0 +1,124 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "compconstant.circom";
+include "pointbits.circom";
+include "mimc.circom";
+include "bitify.circom";
+include "escalarmulany.circom";
+include "escalarmulfix.circom";
+
+template EdDSAMiMCVerifier() {
+    signal input enabled;
+    signal input Ax;
+    signal input Ay;
+
+    signal input S;
+    signal input R8x;
+    signal input R8y;
+
+    signal input M;
+
+    var i;
+
+// Ensure S<Subgroup Order
+
+    component snum2bits = Num2Bits(253);
+    snum2bits.in <== S;
+
+    component  compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
+
+    for (i=0; i<253; i++) {
+        snum2bits.out[i] ==> compConstant.in[i];
+    }
+    compConstant.in[253] <== 0;
+    compConstant.out === 0;
+
+// Calculate the h = H(R,A, msg)
+
+    component hash = MultiMiMC7(5, 91);
+    hash.in[0] <== R8x;
+    hash.in[1] <== R8y;
+    hash.in[2] <== Ax;
+    hash.in[3] <== Ay;
+    hash.in[4] <== M;
+    hash.k <== 0;
+
+    component h2bits = Num2Bits_strict();
+    h2bits.in <== hash.out;
+
+// Calculate second part of the right side:  right2 = h*8*A
+
+    // Multiply by 8 by adding it 3 times.  This also ensure that the result is in
+    // the subgroup.
+    component dbl1 = BabyDbl();
+    dbl1.x <== Ax;
+    dbl1.y <== Ay;
+    component dbl2 = BabyDbl();
+    dbl2.x <== dbl1.xout;
+    dbl2.y <== dbl1.yout;
+    component dbl3 = BabyDbl();
+    dbl3.x <== dbl2.xout;
+    dbl3.y <== dbl2.yout;
+
+    // We check that A is not zero.
+    component isZero = IsZero();
+    isZero.in <== dbl3.x;
+    isZero.out === 0;
+
+    component mulAny = EscalarMulAny(254);
+    for (i=0; i<254; i++) {
+        mulAny.e[i] <== h2bits.out[i];
+    }
+    mulAny.p[0] <== dbl3.xout;
+    mulAny.p[1] <== dbl3.yout;
+
+
+// Compute the right side: right =  R8 + right2
+
+    component addRight = BabyAdd();
+    addRight.x1 <== R8x;
+    addRight.y1 <== R8y;
+    addRight.x2 <== mulAny.out[0];
+    addRight.y2 <== mulAny.out[1];
+
+// Calculate left side of equation left = S*B8
+
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+    component mulFix = EscalarMulFix(253, BASE8);
+    for (i=0; i<253; i++) {
+        mulFix.e[i] <== snum2bits.out[i];
+    }
+
+// Do the comparation left == right if enabled;
+
+    component eqCheckX = ForceEqualIfEnabled();
+    eqCheckX.enabled <== enabled;
+    eqCheckX.in[0] <== mulFix.out[0];
+    eqCheckX.in[1] <== addRight.xout;
+
+    component eqCheckY = ForceEqualIfEnabled();
+    eqCheckY.enabled <== enabled;
+    eqCheckY.in[0] <== mulFix.out[1];
+    eqCheckY.in[1] <== addRight.yout;
+}