Qortal/pirate-librustzcash
1
0
Fork 1
mirror of https://github.com/Qortal/pirate-librustzcash.git synced 2025-07-30 20:11:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #93 from defuse/qed-it-lrz

Browse Source 
Bring in QED-it Tests
This commit is contained in:
str4d
2019-10-08 13:47:36 +13:00
committed by GitHub
parent 212b6e67d0 39a73c8eda
commit 2399d9f3e3
10 changed files with 1481 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
zcash_proofs/src/circuit/ecc.rs
View File

@@ -1098,4 +1098,87 @@ mod test {
assert_eq!(cs.which_is_unsatisfied(), Some("addition/evaluate lambda"));
}
}
#[test]
fn test_assert_not_small_order() {
let params = &JubjubBls12::new();
let check_small_order_from_p = |p: edwards::Point<Bls12, _>, is_small_order| {
let mut cs = TestConstraintSystem::<Bls12>::new();
let p = EdwardsPoint::witness(&mut cs, Some(p), params).unwrap();
assert!(cs.is_satisfied());
assert!(p.assert_not_small_order(&mut cs, params).is_err() == is_small_order);
};
let check_small_order_from_strs = |x, y| {
//let (x,y) = (Fr::from_str("14080418777298869350588389379361252092475090129841789940098060767181937064268").unwrap(), Fr::from_str("4408371274642418797323679050836535851651768103477128764103246588657558662748").unwrap());
let (x, y) = (Fr::from_str(x).unwrap(), Fr::from_str(y).unwrap());
let p = edwards::Point::<Bls12, _>::get_for_y(y, false, params).unwrap();
assert_eq!(x, p.to_xy().0);
check_small_order_from_p(p, true);
};
// zero has low order
check_small_order_from_strs("0", "1");
// prime subgroup order
let prime_subgroup_order = Fs::from_str(
"6554484396890773809930967563523245729705921265872317281365359162392183254199",
)
.unwrap();
let largest_small_subgroup_order = Fs::from_str("8").unwrap();
let (zero_x, zero_y) = (Fr::from_str("0").unwrap(), Fr::from_str("1").unwrap());
// generator for jubjub
let (x, y) = (
Fr::from_str(
"11076627216317271660298050606127911965867021807910416450833192264015104452986",
)
.unwrap(),
Fr::from_str(
"44412834903739585386157632289020980010620626017712148233229312325549216099227",
)
.unwrap(),
);
let g = edwards::Point::<Bls12, _>::get_for_y(y, false, params).unwrap();
assert_eq!(x, g.to_xy().0);
check_small_order_from_p(g.clone(), false);
// generator for the prime subgroup
let g_prime = g.mul(largest_small_subgroup_order, params);
check_small_order_from_p(g_prime.clone(), false);
let mut prime_subgroup_order_minus_1 = prime_subgroup_order.clone();
prime_subgroup_order_minus_1.sub_assign(&Fs::from_str("1").unwrap());
let should_not_be_zero = g_prime.mul(prime_subgroup_order_minus_1, params);
assert_ne!(zero_x, should_not_be_zero.to_xy().0);
assert_ne!(zero_y, should_not_be_zero.to_xy().1);
let should_be_zero = should_not_be_zero.add(&g_prime, params);
assert_eq!(zero_x, should_be_zero.to_xy().0);
assert_eq!(zero_y, should_be_zero.to_xy().1);
// generator for the small order subgroup
let g_small = g.mul(prime_subgroup_order_minus_1, params);
let g_small = g_small.add(&g, params);
check_small_order_from_p(g_small.clone(), true);
// g_small does have order 8
let mut largest_small_subgroup_order_minus_1 = largest_small_subgroup_order.clone();
largest_small_subgroup_order_minus_1.sub_assign(&Fs::from_str("1").unwrap());
let should_not_be_zero = g_small.mul(largest_small_subgroup_order_minus_1, params);
assert_ne!(zero_x, should_not_be_zero.to_xy().0);
assert_ne!(zero_y, should_not_be_zero.to_xy().1);
let should_be_zero = should_not_be_zero.add(&g_small, params);
assert_eq!(zero_x, should_be_zero.to_xy().0);
assert_eq!(zero_y, should_be_zero.to_xy().1);
// take all the points from the script
// assert should be different than multiplying by cofactor, which is the solution
// is user input verified? https://github.com/zcash/librustzcash/blob/f5d2afb4eabac29b1b1cc860d66e45a5b48b4f88/src/rustzcash.rs#L299
}
}

146
zcash_proofs/src/circuit/pedersen_hash.rs
View File

@@ -116,6 +116,31 @@ mod test {
use rand_xorshift::XorShiftRng;
use zcash_primitives::pedersen_hash;
/// Predict the number of constraints of a Pedersen hash
fn ph_num_constraints(input_bits: usize) -> usize {
// Account for the 6 personalization bits.
let personalized_bits = 6 + input_bits;
// Constant booleans in the personalization and padding don't need lookup "precomp" constraints.
let precomputed_booleans = 2 + (personalized_bits % 3 == 1) as usize;
// Count chunks and segments with ceiling division
let chunks = (personalized_bits + 3 - 1) / 3;
let segments = (chunks + 63 - 1) / 63;
let all_but_last_segments = segments - 1;
let last_chunks = chunks - all_but_last_segments * 63;
// Constraints per operation
let lookup_chunk = 2;
let add_chunks = 3; // Montgomery addition
let convert_segment = 2; // Conversion to Edwards
let add_segments = 6; // Edwards addition
return (chunks) * lookup_chunk - precomputed_booleans
+ segments * convert_segment
+ all_but_last_segments * ((63 - 1) * add_chunks + add_segments)
+ (last_chunks - 1) * add_chunks;
}
#[test]
fn test_pedersen_hash_constraints() {
let mut rng = XorShiftRng::from_seed([
@@ -123,32 +148,56 @@ mod test {
0xbc, 0xe5,
]);
let params = &JubjubBls12::new();
let mut cs = TestConstraintSystem::<Bls12>::new();
let input: Vec<bool> = (0..(Fr::NUM_BITS * 2))
.map(|_| rng.next_u32() % 2 != 0)
.collect();
let leaves_len = 2 * 255;
let note_len = 64 + 256 + 256;
let input_bools: Vec<Boolean> = input
.iter()
.enumerate()
.map(|(i, b)| {
Boolean::from(
AllocatedBit::alloc(cs.namespace(|| format!("input {}", i)), Some(*b)).unwrap(),
)
})
.collect();
for &n_bits in [
0,
3 * 63 - 6,
3 * 63 - 6 + 1,
3 * 63 - 6 + 2,
leaves_len,
note_len,
]
.iter()
{
let mut cs = TestConstraintSystem::<Bls12>::new();
pedersen_hash(
cs.namespace(|| "pedersen hash"),
Personalization::NoteCommitment,
&input_bools,
params,
)
.unwrap();
let input: Vec<bool> = (0..n_bits).map(|_| rng.next_u32() % 2 != 0).collect();
assert!(cs.is_satisfied());
assert_eq!(cs.num_constraints(), 1377);
let input_bools: Vec<Boolean> = input
.iter()
.enumerate()
.map(|(i, b)| {
Boolean::from(
AllocatedBit::alloc(cs.namespace(|| format!("input {}", i)), Some(*b))
.unwrap(),
)
})
.collect();
pedersen_hash(
cs.namespace(|| "pedersen hash"),
Personalization::NoteCommitment,
&input_bools,
params,
)
.unwrap();
assert!(cs.is_satisfied());
let bitness_constraints = n_bits;
let ph_constraints = ph_num_constraints(n_bits);
assert_eq!(cs.num_constraints(), bitness_constraints + ph_constraints);
// The actual usages
if n_bits == leaves_len {
assert_eq!(cs.num_constraints(), leaves_len + 867)
};
if n_bits == note_len {
assert_eq!(cs.num_constraints(), note_len + 982)
};
}
}
#[test]
@@ -209,4 +258,57 @@ mod test {
}
}
}
#[test]
fn test_pedersen_hash_external_test_vectors() {
let mut rng = XorShiftRng::from_seed([
0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06,
0xbc, 0xe5,
]);
let params = &JubjubBls12::new();
let expected_xs = [
"28161926966428986673895580777285905189725480206811328272001879986576840909576",
"39669831794597628158501766225645040955899576179071014703006420393381978263045",
];
let expected_ys = [
"26869991781071974894722407757894142583682396277979904369818887810555917099932",
"2112827187110048608327330788910224944044097981650120385961435904443901436107",
];
for length in 300..302 {
let input: Vec<bool> = (0..length).map(|_| rng.next_u32() % 2 != 0).collect();
let mut cs = TestConstraintSystem::<Bls12>::new();
let input_bools: Vec<Boolean> = input
.iter()
.enumerate()
.map(|(i, b)| {
Boolean::from(
AllocatedBit::alloc(cs.namespace(|| format!("input {}", i)), Some(*b))
.unwrap(),
)
})
.collect();
let res = pedersen_hash(
cs.namespace(|| "pedersen hash"),
Personalization::MerkleTree(1),
&input_bools,
params,
)
.unwrap();
assert!(cs.is_satisfied());
assert_eq!(
res.get_x().get_value().unwrap(),
Fr::from_str(expected_xs[length - 300]).unwrap()
);
assert_eq!(
res.get_y().get_value().unwrap(),
Fr::from_str(expected_ys[length - 300]).unwrap()
);
}
}
}

184
zcash_proofs/src/circuit/sapling.rs
View File

@@ -684,6 +684,190 @@ fn test_input_circuit_with_bls12_381() {
}
}
#[test]
fn test_input_circuit_with_bls12_381_external_test_vectors() {
use bellman::gadgets::test::*;
use ff::{BitIterator, Field};
use pairing::bls12_381::*;
use rand_core::{RngCore, SeedableRng};
use rand_xorshift::XorShiftRng;
use zcash_primitives::{
jubjub::{edwards, fs, JubjubBls12},
pedersen_hash,
primitives::{Diversifier, Note, ProofGenerationKey},
};
let params = &JubjubBls12::new();
let rng = &mut XorShiftRng::from_seed([
0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc,
0xe5,
]);
let tree_depth = 32;
let expected_cm_xs = vec![
"43821661663052659750276289184181083197337192946256245809816728673021647664276",
"7220807656052227578299730541645543434083158611414003423211850718229633594616",
"13239753550660714843257636471668037031928211668773449453628093339627668081697",
"10900524635678389360790699587556574797582192824300145558807405770494079767974",
"1411013767457690636461779630023011774660680126764323588543800715293173598850",
"32334206652383066267661379202183359608706535021387905923603014648832344657662",
"20206750741605167608500278423400565295188703622528437817438897624149653579380",
"46716485782200334735478719487356079850582051575003452698983255860512578229998",
"31221372899739042781372142393132358519434268512685538373976981051223051220367",
"18269767207277008186871145355531741929166733260352590789136389380124992250945",
];
let expected_cm_ys = vec![
"27630722367128086497290371604583225252915685718989450292520883698391703910",
"23310648738313092772044712773481584369462075017189681529702825235349449805260",
"25709635353183537915646348052945798827495141780341329896098121888376871589480",
"10516315852014492141081718791576479298042117442649432716255936672048164184691",
"23970713991179488695004801139667700217127937225554773561645815034212389459772",
"3256052161046564597126736968199320852691566092694819239485673781545479548450",
"18887250722195819674378865377623103071236046274361890247643850134985809137409",
"36501156873031641173054592888886902104303750771545647842488588827138867116570",
"21927526310070011864833939629345235038589128172309792087590183778192091594775",
"32959334601512756708397683646222389414681003290313255304927423560477040775488",
];
for i in 0..10 {
let value_commitment = ValueCommitment {
value: i,
randomness: fs::Fs::from_str(&(1000 * (i + 1)).to_string()).unwrap(),
};
let nsk = fs::Fs::random(rng);
let ak = edwards::Point::rand(rng, params).mul_by_cofactor(params);
let proof_generation_key = ProofGenerationKey {
ak: ak.clone(),
nsk: nsk.clone(),
};
let viewing_key = proof_generation_key.to_viewing_key(params);
let payment_address;
loop {
let diversifier = {
let mut d = [0; 11];
rng.fill_bytes(&mut d);
Diversifier(d)
};
if let Some(p) = viewing_key.to_payment_address(diversifier, params) {
payment_address = p;
break;
}
}
let g_d = payment_address.diversifier().g_d(params).unwrap();
let commitment_randomness = fs::Fs::random(rng);
let auth_path = vec![Some((Fr::random(rng), rng.next_u32() % 2 != 0)); tree_depth];
let ar = fs::Fs::random(rng);
{
let rk = viewing_key.rk(ar, params).to_xy();
let expected_value_cm = value_commitment.cm(params).to_xy();
assert_eq!(
expected_value_cm.0,
Fr::from_str(&expected_cm_xs[i as usize]).unwrap()
);
assert_eq!(
expected_value_cm.1,
Fr::from_str(&expected_cm_ys[i as usize]).unwrap()
);
let note = Note {
value: value_commitment.value,
g_d: g_d.clone(),
pk_d: payment_address.pk_d().clone(),
r: commitment_randomness.clone(),
};
let mut position = 0u64;
let cm: Fr = note.cm(params);
let mut cur = cm.clone();
for (i, val) in auth_path.clone().into_iter().enumerate() {
let (uncle, b) = val.unwrap();
let mut lhs = cur;
let mut rhs = uncle;
if b {
::std::mem::swap(&mut lhs, &mut rhs);
}
let mut lhs: Vec<bool> = BitIterator::new(lhs.into_repr()).collect();
let mut rhs: Vec<bool> = BitIterator::new(rhs.into_repr()).collect();
lhs.reverse();
rhs.reverse();
cur = pedersen_hash::pedersen_hash::<Bls12, _>(
pedersen_hash::Personalization::MerkleTree(i),
lhs.into_iter()
.take(Fr::NUM_BITS as usize)
.chain(rhs.into_iter().take(Fr::NUM_BITS as usize)),
params,
)
.to_xy()
.0;
if b {
position |= 1 << i;
}
}
let expected_nf = note.nf(&viewing_key, position, params);
let expected_nf = multipack::bytes_to_bits_le(&expected_nf);
let expected_nf = multipack::compute_multipacking::<Bls12>(&expected_nf);
assert_eq!(expected_nf.len(), 2);
let mut cs = TestConstraintSystem::<Bls12>::new();
let instance = Spend {
params: params,
value_commitment: Some(value_commitment.clone()),
proof_generation_key: Some(proof_generation_key.clone()),
payment_address: Some(payment_address.clone()),
commitment_randomness: Some(commitment_randomness),
ar: Some(ar),
auth_path: auth_path.clone(),
anchor: Some(cur),
};
instance.synthesize(&mut cs).unwrap();
assert!(cs.is_satisfied());
assert_eq!(cs.num_constraints(), 98777);
assert_eq!(
cs.hash(),
"d37c738e83df5d9b0bb6495ac96abf21bcb2697477e2c15c2c7916ff7a3b6a89"
);
assert_eq!(cs.get("randomization of note commitment/x3/num"), cm);
assert_eq!(cs.num_inputs(), 8);
assert_eq!(cs.get_input(0, "ONE"), Fr::one());
assert_eq!(cs.get_input(1, "rk/x/input variable"), rk.0);
assert_eq!(cs.get_input(2, "rk/y/input variable"), rk.1);
assert_eq!(
cs.get_input(3, "value commitment/commitment point/x/input variable"),
expected_value_cm.0
);
assert_eq!(
cs.get_input(4, "value commitment/commitment point/y/input variable"),
expected_value_cm.1
);
assert_eq!(cs.get_input(5, "anchor/input variable"), cur);
assert_eq!(cs.get_input(6, "pack nullifier/input 0"), expected_nf[0]);
assert_eq!(cs.get_input(7, "pack nullifier/input 1"), expected_nf[1]);
}
}
}
#[test]
fn test_output_circuit_with_bls12_381() {
use bellman::gadgets::test::*;