Golf aes gcm fold #103
Golf aes gcm fold #103
Conversation
.github/workflows/circom.yml
Outdated
| cd circom-witnesscalc | ||
| cargo install --path . | ||
| echo $(which build-circuit) | ||
|
|
||
| - name: Build witness for aes-gcm | ||
| run: | | ||
| build-circuit circuits/aes-gcm/aes-gcm-fold.circom aes-gcm-fold.bin -l node_modules |
There was a problem hiding this comment.
nice this is super helpful for me to see
|
Latest push is removing generics from the ghash modes and commenting. Tomorrow i will remove the generic from the Constraints are about the same so wont update that here. |
|
Okay so i decided to rip out authentication after some back and forth with team. constraint count in now 133k |
|
Next things to do:
|
|
Okay so i have a test passing for a single block, need to test more blocks now |
|
Okay this should be good for review. Here is a quick summary of what I did here:
Throughout all of this i was pulling out things that were unused or redundant. I know this is a lot and there was a bit of scope creep but i am very happy that is went smoothly and was coordinated well with @Autoparallel. The current constraint count with these changes for aesgcmfold are: I do think it would be a good idea for us to have a multi block test for gctr so i did open an issue for it: #104. I am not sure where to find more test vectors. If really need be i can make some, byte by byte but that is likely not the best path here. |
0xJepsen
added
refactor 📦
| template AESGCMFOLD(bytesPerFold, totalBytes) { | ||
| // cannot fold outside chunk boundaries. | ||
| assert(bytesPerFold % 16 == 0); | ||
| assert(totalBytes % 16 == 0); | ||
| template AESGCMFOLD(INPUT_LEN) { | ||
| assert(INPUT_LEN % 16 == 0); | ||
|
|
||
| var DATA_BYTES = (INPUT_LEN * 2) + 5; |
| pragma circom 2.1.9; | ||
|
|
||
| include "ghash-foldable.circom"; | ||
| include "aes/cipher.circom"; |
There was a problem hiding this comment.
making note to self to annotate difference between files called foldable and fold suffix at module level comment next week
| template GhashStreamMode(l, ghashBlocks) { | ||
| signal input cipherText[l]; | ||
| signal output blocks[ghashBlocks*4*4]; | ||
|
|
||
| var blockIndex = 0; | ||
| // layout ciphertext (l*16 bytes) | ||
| for (var i=0; i<l; i++) { | ||
| blocks[blockIndex] <== cipherText[i]; | ||
| blockIndex += 1; | ||
| } | ||
|
|
||
| // pad remainder | ||
| for (var i=blockIndex; i<ghashBlocks*4*4; i++) { | ||
| blocks[i] <== 0x00; | ||
| } | ||
| } | ||
|
|
||
| template GhashEndMode(l, totalBlocks, ghashBlocks) { | ||
| signal input cipherText[l]; | ||
| signal output blocks[ghashBlocks*4*4]; | ||
|
|
||
| var blockIndex = 0; | ||
| // layout ciphertext (l*16 bytes) | ||
| for (var i=0; i<l; i++) { | ||
| blocks[blockIndex] <== cipherText[i]; | ||
| blockIndex += 1; | ||
| } | ||
|
|
||
| signal lengthData[8] <== [0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80]; | ||
| for (var i = 0; i<8; i++) { | ||
| blocks[blockIndex] <== lengthData[i]; | ||
| blockIndex += 1; | ||
| } | ||
|
|
||
| // length of blocks as a u64 (8 bytes) | ||
| var len = totalBlocks * 128; | ||
| for (var i=0; i<8; i++) { | ||
| var byte_value = 0; | ||
| var val = 1; | ||
| for (var j=0; j<8; j++) { | ||
| var bit = (len >> i*8+j) & 1; | ||
| byte_value += bit*val; | ||
| val = val+val; | ||
| } | ||
| // Insert in reversed (big endian) order. | ||
| blocks[blockIndex+7-i] <== byte_value; | ||
| } | ||
| blockIndex+=8; | ||
| // NOTE: Added this so all of blocks is written | ||
| for (var i = 0; i<16; i++) { | ||
| blocks[blockIndex] <== 0; | ||
| blockIndex += 1; | ||
| // extract the counter column wise. | ||
| for (var i = 0; i < 4; i++) { | ||
| counter[i] <== J0[i][3]; | ||
| } |
There was a problem hiding this comment.
you love to see a big chunk killed like this. Was this all just stuff we wrote while figuring things out but didn't use?
There was a problem hiding this comment.
No tracy wrote most of this, which i think was maybe not the best path forward.
| var blockCount = l\16; | ||
| if(l%16 > 0){ | ||
| blockCount = blockCount + 1; | ||
| } | ||
| var ghashblocks = 1 + blockCount + 1; // blocksize is 16 bytes |
There was a problem hiding this comment.
but the 1's are homoiconic
There was a problem hiding this comment.
haha, It took me a while to dissect why there was three of them
There was a problem hiding this comment.
yeah we decide to remove ghash entirely from this circuit. IT doesn't quite make sense to fold here since a since aes block does three ghash blocks that are not symmetric, which is where there was a bunch of strange ghash mode selector logic that gave us constraint bloat. I was talking a bit with @Autoparallel and i think we could fold ghash at a later step after we have all the cipher text because then we can do number of ciphertext blocks + 2 (as you see above) and fold that many ghash times, but then we will also need one gctr round on the result which is possible (see step 4-6 of nist spec). But it's pending that we will use at all for the test net at first.
| @@ -436,3 +314,107 @@ template Selector(n) { | |||
|
|
|||
| out <== sums[n]; | |||
| } | |||
|
|
|||
| // TODO(WJ 2024-10-24): shared across parser circuits should consolidate. | |||
|
|
||
| // Note: this is underconstrained, we need to constrain that index + n <= m | ||
| // Need to constrain that index + n <= m -- can't be an assertion, because uses a signal | ||
| // ------------------------- // | ||
|
|
||
| // Here, we get an array of ALL zeros, except at the `index` AND `index + n` | ||
| // beginning-------^^^^^ end---^^^^^^^^^ |
|
had a couple questions about some folding chunks you removed waylon. non blocking, good job |
|
Going to merge so we can start sheeping |
Planing on
Closes #93
Closes #102
current status