Barretenberg: src/barretenberg/stdlib/hash/blake2s/blake2s.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#include "blake_util.hpp"


#include "barretenberg/stdlib/hash/blake2s/blake2s.hpp"

#include "barretenberg/stdlib/primitives/plookup/plookup.hpp"


namespace bb::stdlib {


template <typename Builder> void Blake2s<Builder>::increment_counter(blake2s_state& S, const uint32_t inc)

{

    field_ct inc_scalar(static_cast<uint256_t>(inc));

    S.t[0] = S.t[0] + inc_scalar;

    // TODO: Secure!? Think so as inc is known at "compile" time as it's derived from the msg length.

    const bool to_inc = uint32_t(uint256_t(S.t[0].get_value())) < inc;

    S.t[1] = S.t[1] + (to_inc ? field_ct(1) : field_ct(0));

}


template <typename Builder> void Blake2s<Builder>::compress(blake2s_state& S, byte_array_ct const& in)

{

    using plookup::ColumnIdx;

    using namespace blake_util;

    field_ct m[BLAKE2S_STATE_SIZE];

    field_ct v[BLAKE2S_STATE_SIZE];


    for (size_t i = 0; i < BLAKE2S_STATE_SIZE; ++i) {

        m[i] = static_cast<field_ct>(in.slice(i * 4, 4).reverse());

    }


    for (size_t i = 0; i < 8; ++i) {

        v[i] = S.h[i];

    }


    v[8] = field_ct(uint256_t(blake2s_IV[0]));

    v[9] = field_ct(uint256_t(blake2s_IV[1]));

    v[10] = field_ct(uint256_t(blake2s_IV[2]));

    v[11] = field_ct(uint256_t(blake2s_IV[3]));


    // Use the lookup tables to perform XORs

    const auto lookup_1 =

        plookup_read<Builder>::get_lookup_accumulators(BLAKE_XOR, S.t[0], field_ct(uint256_t(blake2s_IV[4])), true);

    v[12] = lookup_1[ColumnIdx::C3][0];

    const auto lookup_2 =

        plookup_read<Builder>::get_lookup_accumulators(BLAKE_XOR, S.t[1], field_ct(uint256_t(blake2s_IV[5])), true);

    v[13] = lookup_2[ColumnIdx::C3][0];

    const auto lookup_3 =

        plookup_read<Builder>::get_lookup_accumulators(BLAKE_XOR, S.f[0], field_ct(uint256_t(blake2s_IV[6])), true);

    v[14] = lookup_3[ColumnIdx::C3][0];

    const auto lookup_4 =

        plookup_read<Builder>::get_lookup_accumulators(BLAKE_XOR, S.f[1], field_ct(uint256_t(blake2s_IV[7])), true);

    v[15] = lookup_4[ColumnIdx::C3][0];


    for (size_t idx = 0; idx < 10; idx++) {

        blake_util::round_fn(v, m, idx);

    }


    // At this point in the algorithm, the elements (v0, v1, v2, v3) and (v8, v9, v10, v11) in the state matrix 'v' can

    // be 'overflowed' i.e. contain values > 2^{32}. However we do NOT need to normalize them to be < 2^{32}, the

    // following `read_sequence_from_table` calls correctly constrain the output to be 32-bits

    for (size_t i = 0; i < 8; ++i) {

        const auto lookup_a = plookup_read<Builder>::get_lookup_accumulators(BLAKE_XOR, S.h[i], v[i], true);

        const auto lookup_b =

            plookup_read<Builder>::get_lookup_accumulators(BLAKE_XOR, lookup_a[ColumnIdx::C3][0], v[i + 8], true);

        S.h[i] = lookup_b[ColumnIdx::C3][0];

    }

}


template <typename Builder> void Blake2s<Builder>::blake2s(blake2s_state& S, byte_array_ct const& in)

{

    using plookup::ColumnIdx;

    using namespace blake_util;


    size_t offset = 0;

    size_t size = in.size();


    while (size > BLAKE2S_BLOCKBYTES) {

        increment_counter(S, BLAKE2S_BLOCKBYTES);

        compress(S, in.slice(offset, BLAKE2S_BLOCKBYTES));

        offset += BLAKE2S_BLOCKBYTES;

        size -= BLAKE2S_BLOCKBYTES;

    }


    // Set last block.

    S.f[0] = field_t<Builder>(uint256_t((uint32_t)-1));


    byte_array_ct final(in.get_context());

    final.write(in.slice(offset)).write(byte_array_ct(in.get_context(), BLAKE2S_BLOCKBYTES - size));

    increment_counter(S, static_cast<uint32_t>(size));

    compress(S, final);

}


template <typename Builder> byte_array<Builder> Blake2s<Builder>::hash(const byte_array_ct& input)

{

    blake2s_state S;


    for (size_t i = 0; i < 8; i++) {

        S.h[i] = field_ct(uint256_t(initial_H[i]));

    }


    blake2s(S, input);


    byte_array_ct result(input.get_context());

    for (auto h : S.h) {

        byte_array_ct v(h, 4);

        result.write(v.reverse());

    }

    return result;

}


template class Blake2s<UltraCircuitBuilder>;

template class Blake2s<MegaCircuitBuilder>;


} // namespace bb::stdlib

blake_util.hpp

bb::numeric::uint256_t
Definition uint256.hpp:32

bb::stdlib::Blake2s
Definition blake2s.hpp:16

bb::stdlib::Blake2s::compress
static void compress(blake2s_state &S, byte_array_ct const &in)
Definition blake2s.cpp:49

bb::stdlib::Blake2s::blake2s
static void blake2s(blake2s_state &S, byte_array_ct const &in)
Definition blake2s.cpp:98

bb::stdlib::Blake2s::hash
static byte_array_ct hash(const byte_array_ct &input)
Definition blake2s.cpp:122

bb::stdlib::Blake2s::increment_counter
static void increment_counter(blake2s_state &S, const uint32_t inc)
Definition blake2s.cpp:40

bb::stdlib::byte_array
Represents a dynamic array of bytes in-circuit.
Definition byte_array.hpp:28

bb::stdlib::byte_array::slice
byte_array slice(size_t offset) const
Slice bytes from the byte array starting at offset. Does not add any constraints.
Definition byte_array.cpp:278

bb::stdlib::byte_array::reverse
byte_array reverse() const
Reverse the bytes in the byte array.
Definition byte_array.cpp:301

bb::stdlib::byte_array::write
byte_array & write(byte_array const &other)
Appends the contents of another byte_array (other) to the end of this one.
Definition byte_array.cpp:256

bb::stdlib::byte_array::size
size_t size() const
Definition byte_array.hpp:74

bb::stdlib::byte_array::get_context
Builder * get_context() const
Definition byte_array.hpp:78

bb::stdlib::field_t< Builder >

bb::stdlib::field_t::get_value
bb::fr get_value() const
Given a := *this, compute its value given by a.v * a.mul + a.add.
Definition field.cpp:827

bb::stdlib::plookup_read
Definition plookup.hpp:17

blake2s
WASM_EXPORT void blake2s(uint8_t const *data, out_buf32 out)
Definition c_bind.cpp:13

offset
ssize_t offset
Definition engine.cpp:36

field_ct
stdlib::field_t< Builder > field_ct
Definition graph_description_blake2s.test.cpp:12

byte_array_ct
stdlib::byte_array< Builder > byte_array_ct
Definition graph_description_blake2s.test.cpp:14

bb::plookup::ColumnIdx
ColumnIdx
Definition types.hpp:403

bb::plookup::BLAKE_XOR
@ BLAKE_XOR
Definition types.hpp:128

bb::stdlib::blake_util::round_fn
void round_fn(field_t< Builder > state[BLAKE_STATE_SIZE], field_t< Builder > msg[BLAKE_STATE_SIZE], size_t round, const bool which_blake=false)
Definition blake_util.hpp:176

bb::stdlib
Definition graph_description_goblin.test.cpp:13

bb::compress
std::vector< uint8_t > compress(const std::vector< uint8_t > &input)
Definition private_execution_steps.cpp:8

bb::write
void write(B &buf, field2< base_field, Params > const &value)
Definition field2_declarations.hpp:155

plookup.hpp

blake2s.hpp

bb::stdlib::Blake2s::blake2s_state
Definition blake2s.hpp:30

bb::stdlib::Blake2s::blake2s_state::f
field_t< Builder > f[2]
Definition blake2s.hpp:33

bb::stdlib::Blake2s::blake2s_state::t
field_t< Builder > t[2]
Definition blake2s.hpp:32

bb::stdlib::Blake2s::blake2s_state::h
field_t< Builder > h[8]
Definition blake2s.hpp:31