Golf aes gcm fold (#103)

* add witness calc to CI

* idiomatic CI nameing

* constraints: 801698, removed redunant parameters

* constraints: 801676, ghash modes?

* simplify a bit more

* CI Fix

* comments: tracing our ghash mode selectors

* mode logs

* removing unneeded generics and adding documentation

* remove unused test

* removed all auth from ghash

* figure fix

* compiling array builder

* accumulating all values

* witness calc works

* Update aes-gcm-fold.circom

* fix bug in WriteToIndex component

* squashing bugs 🐞

* squashing bugs 🐞

* tests passing for a single block

* remove misleading logs

* remove unused components

* fix CI

* cleanning up comments

* cleanning up comments

* bug in to blocks?

* passing non zero pr test

* test passing for two block case

* remove unused foldable ghash

* fix ci

.github/workflows/test.yml → .github/workflows/circom.yml

@@ -32,4 +32,21 @@ jobs:
         circom --version
 
     - name: Run tests
-      run: npm run test
+      run: npm run test
+
+    - name: Install Protocol Buffers
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y protobuf-compiler libprotobuf-dev
+
+    - name: Setup circom-witnesscalc
+      run: | 
+        cd .. && git clone https://github.com/iden3/circom-witnesscalc.git
+        cd circom-witnesscalc
+        cargo install --path .
+        echo $(which build-circuit)
+
+    - name: Build witness for aes-gcm
+      run: |
+        build-circuit circuits/aes-gcm-fold/aes-gcm-fold.circom aes-fold.bin -l node_modules
+        

.github/workflows/ci.yml → .github/workflows/rust.yml

@@ -26,17 +26,6 @@ jobs:
       - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}
       - run: rustup component add clippy
       - run: cargo clippy -- -Dwarnings
-  # test:
-  #   name: test project
-  #   runs-on: ubuntu-latest
-  #   strategy:
-  #     matrix:
-  #       toolchain:
-  #         - nightly
-  #   steps:
-  #     - uses: actions/checkout@v4
-  #     - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}
-  #     - run: cargo test --all-features --verbose
 
   fmt:
     name: fmt project

.gitignore

@@ -13,4 +13,7 @@ circuits/test/*.circom
 circuits/main/*
 ir_log/*
 log_input_signals.txt
-*.bin
+*.bin
+ghash_gmul.r1cs
+main.r1cs
+*.r1cs

circuits/aes-gcm-fold/aes-gcm-fold.circom

@@ -0,0 +1,5 @@
+pragma circom 2.1.9;
+
+include "../aes-gcm/aes-gcm-fold.circom";
+
+component main = AESGCMFOLD(16);

circuits/aes-gcm/aes-gcm-fold.circom

@@ -1,52 +1,66 @@
 pragma circom 2.1.9;
 
 include "./aes-gcm-foldable.circom";
+include "./utils.circom";
 
 // Compute AES-GCM 
-template AESGCMFOLD(bytesPerFold, totalBytes) {
-    // cannot fold outside chunk boundaries.
-    assert(bytesPerFold % 16 == 0);
-    assert(totalBytes % 16 == 0);
+template AESGCMFOLD(INPUT_LEN) {
+    assert(INPUT_LEN % 16 == 0);
+
+    var DATA_BYTES = (INPUT_LEN * 2) + 5;
 
     signal input key[16];
     signal input iv[12];
     signal input aad[16];
-    signal input plainText[bytesPerFold];
+    signal input plainText[16];
+
+    // step_in[0..INPUT_LEN] => accumulate plaintext blocks
+    // step_in[INPUT_LEN..INPUT_LEN*2]  => accumulate ciphertext blocks
+    // step_in[INPUT_LEN*2..INPUT_LEN*2+4]  => lastCounter
+    // step_in[INPUT_LEN*2+5]     => foldedBlocks // TODO(WJ 2024-10-24): technically not needed if can read 4 bytes as a 32 bit number
+    signal input step_in[DATA_BYTES]; 
+    signal output step_out[DATA_BYTES];
+    signal counter <== step_in[INPUT_LEN*2 + 4];
 
-    // Output from the last encryption step
-    // Always use last bytes for inputs which are not same size.
-    // step_in[0..4]  => lastCounter
-    // step_in[4..20] => lastTag
-    // step_in[20]    => foldedBlocks
-    signal input step_in[21]; 
+    // write new plain text block.
+    signal plainTextAccumulator[DATA_BYTES];    
+    component writeToIndex = WriteToIndex(DATA_BYTES, 16);
+    writeToIndex.array_to_write_to <== step_in;
+    writeToIndex.array_to_write_at_index <== plainText;
+    writeToIndex.index <== counter * 16;
+    writeToIndex.out ==> plainTextAccumulator;
 
-    // For now, attempt to support variable fold size. Potential fix at 16 in the future.
-    component aes = AESGCMFOLDABLE(bytesPerFold, totalBytes\16);
+    // folds one block
+    component aes = AESGCMFOLDABLE();
     aes.key       <== key;
     aes.iv        <== iv;
     aes.aad       <== aad;
     aes.plainText <== plainText;
 
-    // Fold inputs
     for(var i = 0; i < 4; i++) {
-        aes.lastCounter[i] <== step_in[i];
+        aes.lastCounter[i] <== step_in[INPUT_LEN*2 + i];
     }
-    for(var i = 0; i < 16; i++) {
-        aes.lastTag[i] <== step_in[4 + i];
-    }
-    // TODO:tracy range check, assertions, stuff.
-    aes.foldedBlocks <== step_in[20];
 
-    // Fold Outputs
-    signal output step_out[21];
-    for(var i = 0; i < 4; i++) {
-        step_out[i] <== aes.counter[i];
-    }
-    for(var i = 0; i < 16; i++) {
-        step_out[4 + i] <== aes.authTag[i];
-    }
-    step_out[20] <== step_in[20] + bytesPerFold \ 16;
+    // accumulate cipher text
+    signal cipherTextAccumulator[DATA_BYTES];
+    component writeCipherText = WriteToIndex(DATA_BYTES, 16);
+    writeCipherText.array_to_write_to <== plainTextAccumulator;
+    writeCipherText.array_to_write_at_index <== aes.cipherText;
+    writeCipherText.index <== INPUT_LEN + counter * 16;
+    writeCipherText.out ==> cipherTextAccumulator;
+
+    // get counter
+    signal counterAccumulator[DATA_BYTES];
+    component writeCounter = WriteToIndex(DATA_BYTES, 4);
+    writeCounter.array_to_write_to <== cipherTextAccumulator;
+    writeCounter.array_to_write_at_index <== aes.counter;
+    writeCounter.index <== INPUT_LEN*2;
+    writeCounter.out ==> counterAccumulator;
 
-    signal output authTag[16] <== aes.authTag;
-    signal output cipherText[bytesPerFold] <== aes.cipherText;
-}
+    // accumulate number of folded blocks
+    component writeNumberOfFoldedBlocks = WriteToIndex(DATA_BYTES, 1);
+    writeNumberOfFoldedBlocks.array_to_write_to <== counterAccumulator;
+    writeNumberOfFoldedBlocks.array_to_write_at_index <== [step_in[INPUT_LEN*2 + 4] + 1];
+    writeNumberOfFoldedBlocks.index <== INPUT_LEN*2 + 4;
+    writeNumberOfFoldedBlocks.out ==> step_out;
+}