Merge pull request #13 from zkp-application/circom2.0

feat(upgrade circom2.0): Circom2.0

.gitmodules

@@ -1,6 +1,8 @@
 [submodule "circomlib"]
 	path = circomlib
 	url = https://github.com/iden3/circomlib.git
-[submodule "circom-bigint"]
-	path = circom-bigint
-	url = https://github.com/jacksoom/circom-bigint.git
+
+[submodule "circom-ecdsa"]
+	path = circom-ecdsa
+	url = https://github.com/agnxsh/circom-ecdsa.git
+	branch = 0xagnish/circom_tester-fix

README.md

@@ -1,25 +1,32 @@
 # circom-rsa-verify
-This repository contains an implementation of a Zero Knowledge Proof for RSA signature verify for the circom language.
-Currently supported pkcs1v15 + sha256 and exponent is 65537
+
+This repository contains an implementation of a Zero Knowledge Proof for RSA signature verify for the [Circom](https://docs.circom.io) language.
+Currently supported pkcs1v15 + sha256 and exponent is 65537. The Montgomery Exponentiation algorithm and Montgomery CIOS product is used to calculate large numbers  [Modular exponentiation](https://en.wikipedia.org/wiki/Modular_exponentiation)
+
 # Getting started
+
 Running circuits test cases
+
 ```sh
-git submodule update --init --recursive; npm install; npm test
+git submodule update --init --recursive; npm i; npm test
 ```
 
 ## Circuits Benchmark
+
 RSA verify: pkcs1v15/sha256/2048 bits key
-* Env: Mac mini (M1, 2020). 8 cores. 8 threads   
-* Memory consumption: 1.7G   
-* Time consumption: 150s   
-## The circom compiler
-
-This repository uses a modified version of the circom compiler found at
-[alex-ozdemir/circom](https://github.com/alex-ozdemir/circom).
-It includes a few extra features not found in the original:
-
-   * Clearer error printouts
-   * More comprehensive/informative treatment of `log` statements
-   * A new type `int` which enables bigints to be handled during witness
-      computations.
-   * `compute` blocks
+
+* Env: Mac mini (M1, 2020). 8 cores. 8 threads
+
+Circuit infomation
+
+* snarkJS: Curve: bn-128
+* snarkJS: # of Wires: 530676
+* snarkJS: # of Constraints: 536212
+* snarkJS: # of Private Inputs: 0
+* snarkJS: # of Public Inputs: 100
+* snarkJS: # of Labels: 583860
+* snarkJS: # of Outputs: 0
+
+## Ref
+
+2. [Arithmetic of Finite Fields](https://www.researchgate.net/publication/319538235_Arithmetic_of_Finite_Fields)

circuits/pow_mod.circom

@@ -1,10 +1,11 @@
-include "../circom-bigint/circomlib/circuits/bitify.circom"
-include "../circom-bigint/circuits/mult.circom"
+pragma circom 2.0.0;
+
+include "../circom-ecdsa/circuits/bigint.circom";
 // w = 32
 // base ** exp mod modulus
 // nb is the length of the input number
 // exp = 65537
-template PowerModv2(w, nb, e_bits) {
+template PowerMod(w, nb, e_bits) {
     signal input base[nb];
     signal input exp[nb];
     signal input modulus[nb];
@@ -14,10 +15,10 @@ template PowerModv2(w, nb, e_bits) {
 
     component muls[e_bits + 2];
     for (var i = 0; i < e_bits + 2; i++) {
-        muls[i] = MultiplierReducer(w, nb);
+        muls[i] = BigMultModP(w, nb);
         // modulus params
         for (var j = 0; j < nb; j++) {
-            muls[i].modulus[j] <== modulus[j];
+            muls[i].p[j] <== modulus[j];
         }
     }
 
@@ -38,8 +39,8 @@ template PowerModv2(w, nb, e_bits) {
                }
            } else {
                for(var j = 0; j < nb; j++) {
-                   muls[muls_index].a[j] <== muls[result_index].prod[j];
-                   muls[muls_index].b[j] <== muls[base_index].prod[j];
+                   muls[muls_index].a[j] <== muls[result_index].out[j];
+                   muls[muls_index].b[j] <== muls[base_index].out[j];
                }
            }
             result_index = muls_index;
@@ -53,17 +54,15 @@ template PowerModv2(w, nb, e_bits) {
              }
         } else {
              for (var j = 0; j < nb; j++) {
-                 muls[muls_index].a[j] <== muls[base_index].prod[j];
-                 muls[muls_index].b[j] <== muls[base_index].prod[j];
+                 muls[muls_index].a[j] <== muls[base_index].out[j];
+                 muls[muls_index].b[j] <== muls[base_index].out[j];
              }
         }
         base_index = muls_index;
         muls_index++;
     }
 
     for (var i = 0; i < nb; i++) {
-        out[i] <== muls[result_index].prod[i];
+        out[i] <== muls[result_index].out[i];
     }
 }
-
-

circuits/rsa_verify.circom

@@ -1,5 +1,22 @@
+pragma circom 2.0.0;
+
 include "./pow_mod.circom";
-include "../circom-bigint/circomlib/circuits/bitify.circom"
+
+template NumToBits(n) {
+    signal input in;
+    signal output out[n];
+    var lc1=0;
+
+    var e2=1;
+    for (var i = 0; i<n; i++) {
+        out[i] <-- (in >> i) & 1;
+        out[i] * (out[i] -1 ) === 0;
+        lc1 += out[i] * e2;
+        e2 = e2+e2;
+    }
+
+    lc1 === in;
+}
 
 // Pkcs1v15 + Sha256
 // exp 65537
@@ -11,7 +28,7 @@ template RsaVerifyPkcs1v15(w, nb, e_bits, hashLen) {
     signal input hashed[hashLen];
 
     // sign ** exp mod modulus
-    component pm = PowerModv2(w, nb, e_bits);
+    component pm = PowerMod(w, nb, e_bits);
     for (var i  = 0; i < nb; i++) {
         pm.base[i] <== sign[i];
         pm.exp[i] <== exp[i];
@@ -30,7 +47,7 @@ template RsaVerifyPkcs1v15(w, nb, e_bits, hashLen) {
     pm.out[4] === 217300885422736416;
     pm.out[5] === 938447882527703397;
     // // remain 24 bit
-    component num2bits_6 = Num2Bits(w);
+    component num2bits_6 = NumToBits(w);
     num2bits_6.in <== pm.out[6];
     var remainsBits[32] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 0];
     for (var i = 0; i < 32; i++) {
@@ -49,3 +66,4 @@ template RsaVerifyPkcs1v15(w, nb, e_bits, hashLen) {
     // 0b1111111111111111111111111111111111111111111111111
     pm.out[31] === 562949953421311;
 }
+