├── .gitmodules ├── AUTHORS ├── CMakeLists.txt ├── LICENSE ├── README.md ├── contracts ├── MerkelTree.sol ├── Miximus.sol ├── Pairing.sol └── Verifier.sol ├── depends └── CMakeLists.txt ├── examples ├── deposit.py └── withdraw.py ├── snarkWrapper └── deploy.py ├── src ├── CMakeLists.txt ├── ZoKrates │ ├── wraplibsnark.cpp │ └── wraplibsnark.hpp ├── export.cpp ├── main.cpp ├── main.hpp └── sha256 │ └── sha256_ethereum.cpp ├── tests └── test.py └── zksnark_element └── vk.json /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "depends/libsnark"] 2 | path = depends/libsnark 3 | url = https://github.com/scipr-lab/libsnark.git 4 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | # This is the official list of Miximus authors for copyright purposes. 2 | 3 | barrywhitehat 4 | -------------------------------------------------------------------------------- /CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 2.8) 2 | 3 | project(libsnark-tutorial) 4 | 5 | set( 6 | CURVE 7 | "ALT_BN128" 8 | CACHE 9 | STRING 10 | "Default curve: one of ALT_BN128, BN128, EDWARDS, MNT4, MNT6" 11 | ) 12 | 13 | set( 14 | DEPENDS_DIR 15 | "${CMAKE_CURRENT_SOURCE_DIR}/depends" 16 | CACHE 17 | STRING 18 | "Optionally specify the dependency installation directory relative to the source directory (default: inside dependency folder)" 19 | ) 20 | 21 | set( 22 | OPT_FLAGS 23 | "" 24 | CACHE 25 | STRING 26 | "Override C++ compiler optimization flags" 27 | ) 28 | 29 | option( 30 | MULTICORE 31 | "Enable parallelized execution, using OpenMP" 32 | OFF 33 | ) 34 | 35 | option( 36 | WITH_PROCPS 37 | "Use procps for memory profiling" 38 | ON 39 | ) 40 | 41 | option( 42 | VERBOSE 43 | "Print internal messages" 44 | ON 45 | ) 46 | 47 | option( 48 | DEBUG 49 | "Enable debugging mode" 50 | OFF 51 | ) 52 | 53 | option( 54 | CPPDEBUG 55 | "Enable debugging of C++ STL (does not imply DEBUG)" 56 | ON 57 | ) 58 | 59 | if(CMAKE_COMPILER_IS_GNUCXX OR "${CMAKE_CXX_COMPILER_ID}" STREQUAL "Clang") 60 | # Common compilation flags and warning configuration 61 | set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -Wall -Wextra -Wfatal-errors -pthread") 62 | 63 | if("${MULTICORE}") 64 | set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fopenmp") 65 | endif() 66 | 67 | # Default optimizations flags (to override, use -DOPT_FLAGS=...) 68 | if("${OPT_FLAGS}" STREQUAL "") 69 | set(OPT_FLAGS "-ggdb3 -O2 -march=native -mtune=native") 70 | endif() 71 | endif() 72 | 73 | add_definitions(-DCURVE_${CURVE}) 74 | 75 | if(${CURVE} STREQUAL "BN128") 76 | add_definitions(-DBN_SUPPORT_SNARK=1) 77 | endif() 78 | 79 | if("${VERBOSE}") 80 | add_definitions(-DVERBOSE=1) 81 | endif() 82 | 83 | if("${MULTICORE}") 84 | add_definitions(-DMULTICORE=1) 85 | endif() 86 | 87 | 88 | add_definitions(-DDEBUG=1) 89 | add_compile_options(-fPIC) 90 | 91 | if("${CPPDEBUG}") 92 | add_definitions(-D_GLIBCXX_DEBUG -D_GLIBCXX_DEBUG_PEDANTIC) 93 | endif() 94 | 95 | set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${OPT_FLAGS}") 96 | 97 | include(FindPkgConfig) 98 | if("${WITH_PROCPS}") 99 | pkg_check_modules(PROCPS REQUIRED libprocps) 100 | else() 101 | add_definitions(-DNO_PROCPS) 102 | endif() 103 | 104 | include_directories(.) 105 | 106 | add_subdirectory(depends) 107 | add_subdirectory(src) 108 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Miximus 2 | Decentralized Ethereum Mixer 3 | 4 | [![Join the chat at https://gitter.im/barrywhitehat/miximus_eth](https://badges.gitter.im/barrywhitehat/miximus_eth.svg)](https://gitter.im/barrywhitehat/miximus_eth?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) 5 | 6 | 7 | ## How it works 8 | When someone sends 1 ether to the `deposit` function in miximus.sol they append single leaf 9 | to the merkle tree. 10 | 11 | Afterwards someone who has the secret key (sk) and `nullifier` of the leaf of the merkle tree is allowed to 12 | withdraw 1 ether. But instead of revealing the information to prove that they control it. They (using a zksnark) 13 | produce a proof that they know this information without revealing it. They also create a proof that their leaf 14 | is in the merkle tree. 15 | 16 | When they verify this proof they reveal the nullifier, but not the sk. So no one is able to tell which nullifier 17 | maps to which leaf. 18 | 19 | To prevent double spends the smart contract tracks the nullifiers and only allows a single withdrawal per nullifiers. 20 | 21 | 22 | ## build instructions: 23 | 24 | 25 | 26 | ### build libsnark gadget and getting the proving key 27 | get dependencies `git submodule update --init --recursive` 28 | `mkdir build` 29 | `cd build` 30 | `cmake .. && make` 31 | 32 | Finally you will need to download the ~400MB proving key from [here](https://github.com/barryWhiteHat/miximus/releases/download/untagged-5e043815d553302be2d2/rinkeby_vk_pk.tar.gz), unzip it and save it in the `./zksnark_element` directory. 33 | 34 | ### Running the tests 35 | Start your prefered ethereum node, `cd tests` and run `python3 test.py` This will 36 | 1. Generate verification keys, proving keys, This step takes a lot of ram and its likely your OS will kill it if you have a bunch of windows open. 37 | 2. deploy the contract 38 | 3. Deposit 32 ether in 1 ether chunks. 39 | 4. Withdraw the 32 eth so that an observer cannot tell which deposit it was based upon. 40 | 41 | ### Examples 42 | The examples are interactive and ask you for the addresses you want to send from and to. The contract is deployed on the Rinkeby test net. These 43 | scripts deposit and withdraw from that contract. 44 | `cd examples` 45 | deposit `python3 deposit.py` ether this will create a transaction from an account of your chosing to send 1 ether to the smart contract. It will create 46 | a files of the forum `%d.json` where `%d` is the merkel tree index of your commitment. 47 | 48 | `python3 withdraw.py` will ask you for a file `%d.json` it will call libsnark and generate a proof with proving key `../zksnark_elements/pk_rinkby.raw` 49 | `python3 withdraw.py` takes a long time to run so make sure that your `eth.accounts[0]` is unlocked by the time the transaction gets broadcast. otherwise 50 | it will drop to pdb debugger. 51 | 52 | ## Layer 2 transaction abstraction 53 | A major problem in the current system is who pays for the gas for the withdrawal. While the perfect solution to this is to allow the smart contract 54 | to pay for gas. This is not possible at the moment. There for we provide layer two transaction abstraction where a depositor can define a fee that 55 | gets paid to whoever pays the gas of a transaction. Future work should formalize a communication channel where people can 56 | advertise these transactions so that others can pay the gas for them and recive a reward. 57 | 58 | 59 | ## References 60 | This is very similar to [babyZoe](https://github.com/zcash-hackworks/babyzoe/) and its [backend](https://github.com/ebfull/hackishlibsnarkbindings/) 61 | Alessandro Chiesa's [Zero Cash](https://www.youtube.com/watch?v=84Vbj7-i9CI) talk is quite useful to help understand how this works. 62 | -------------------------------------------------------------------------------- /contracts/MerkelTree.sol: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | copyright 2018 to the Miximus Authors 4 | 5 | This file is part of Miximus. 6 | 7 | Miximus is free software: you can redistribute it and/or modify 8 | it under the terms of the GNU General Public License as published by 9 | the Free Software Foundation, either version 3 of the License, or 10 | (at your option) any later version. 11 | 12 | Miximus is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | GNU General Public License for more details. 16 | 17 | You should have received a copy of the GNU General Public License 18 | along with Miximus. If not, see . 19 | */ 20 | 21 | 22 | contract MerkelTree { 23 | mapping (bytes32 => bool) public serials; 24 | mapping (bytes32 => bool) public roots; 25 | uint public tree_depth = 29; 26 | uint public no_leaves = 536870912; 27 | struct Mtree { 28 | uint cur; 29 | bytes32[536870912][30] leaves2; 30 | } 31 | 32 | Mtree public MT; 33 | 34 | event leafAdded(uint index); 35 | 36 | //Merkletree.append(com) 37 | function insert(bytes32 com) internal returns (bool res) { 38 | require (MT.cur != no_leaves - 1); 39 | MT.leaves2[0][MT.cur] = com; 40 | updateTree(); 41 | leafAdded(MT.cur); 42 | MT.cur++; 43 | 44 | return true; 45 | } 46 | 47 | 48 | function getMerkelProof(uint index) constant returns (bytes32[29], uint[29]) { 49 | 50 | uint[29] memory address_bits; 51 | bytes32[29] memory merkelProof; 52 | 53 | for (uint i=0 ; i < tree_depth; i++) { 54 | address_bits[i] = index%2; 55 | if (index%2 == 0) { 56 | merkelProof[i] = getUniqueLeaf(MT.leaves2[i][index + 1],i); 57 | } 58 | else { 59 | merkelProof[i] = getUniqueLeaf(MT.leaves2[i][index - 1],i); 60 | } 61 | index = uint(index/2); 62 | } 63 | return(merkelProof, address_bits); 64 | } 65 | 66 | function getSha256(bytes32 input, bytes32 sk) constant returns ( bytes32) { 67 | return(sha256(input , sk)); 68 | } 69 | 70 | function getUniqueLeaf(bytes32 leaf, uint depth) returns (bytes32) { 71 | if (leaf == 0x0) { 72 | for (uint i=0;i. 18 | */ 19 | 20 | 21 | 22 | 23 | pragma solidity ^0.4.19; 24 | 25 | import "../contracts/MerkelTree.sol"; 26 | import "../contracts/Verifier.sol"; 27 | 28 | contract Miximus is MerkelTree { 29 | mapping (bytes32 => bool) roots; 30 | mapping (bytes32 => bool) nullifiers; 31 | event Withdraw (address); 32 | Verifier public zksnark_verify; 33 | function Miximus (address _zksnark_verify) { 34 | zksnark_verify = Verifier(_zksnark_verify); 35 | } 36 | 37 | function deposit (bytes32 leaf) payable { 38 | require(msg.value == 1 ether); 39 | insert(leaf); 40 | roots[padZero(getRoot())] = true; 41 | } 42 | 43 | function withdraw ( 44 | uint[2] a, 45 | uint[2] a_p, 46 | uint[2][2] b, 47 | uint[2] b_p, 48 | uint[2] c, 49 | uint[2] c_p, 50 | uint[2] h, 51 | uint[2] k, 52 | uint[] input 53 | ) returns (address) { 54 | address recipient = nullifierToAddress(reverse(bytes32(input[2]))); 55 | bytes32 root = padZero(reverse(bytes32(input[0]))); //)merge253bitWords(input[0], input[1]); 56 | 57 | bytes32 nullifier = padZero(reverse(bytes32(input[2]))); //)merge253bitWords(input[2], input[3]); 58 | 59 | require(roots[root]); 60 | require(!nullifiers[nullifier]); 61 | 62 | require(zksnark_verify.verifyTx(a,a_p,b,b_p,c,c_p,h,k,input)); 63 | nullifiers[nullifier] = true; 64 | 65 | uint fee = input[4]; 66 | require(fee < 1 ether); 67 | if (fee != 0 ) { 68 | msg.sender.transfer(fee); 69 | } 70 | 71 | recipient.transfer(1 ether - fee); 72 | 73 | Withdraw(recipient); 74 | return(recipient); 75 | } 76 | 77 | function isRoot(bytes32 root) constant returns(bool) { 78 | return(roots[root]); 79 | } 80 | 81 | function nullifierToAddress(bytes32 source) returns(address) { 82 | bytes20[2] memory y = [bytes20(0), 0]; 83 | assembly { 84 | mstore(y, source) 85 | mstore(add(y, 20), source) 86 | } 87 | //trace(source, y[0], y[1]); 88 | return(address(y[0])); 89 | } 90 | 91 | // libshark only allows 253 bit chunks in its output 92 | // to overcome this we merge the first 253 bits (left) with the remaining 3 bits 93 | // in the next variable (right) 94 | 95 | function merge253bitWords(uint left, uint right) returns(bytes32) { 96 | right = pad3bit(right); 97 | uint left_msb = uint(padZero(reverse(bytes32(left)))); 98 | uint left_lsb = uint(getZero(reverse(bytes32(left)))); 99 | right = right + left_lsb; 100 | uint res = left_msb + right; 101 | return(bytes32(res)); 102 | } 103 | 104 | 105 | // ensure that the 3 bits on the left is actually 3 bits. 106 | function pad3bit(uint input) constant returns(uint) { 107 | if (input == 0) 108 | return 0; 109 | if (input == 1) 110 | return 4; 111 | if (input == 2) 112 | return 4; 113 | if (input == 3) 114 | return 6; 115 | return(input); 116 | } 117 | 118 | function getZero(bytes32 x) returns(bytes32) { 119 | //0x1111111111111111111111113fdc3192693e28ff6aee95320075e4c26be03308 120 | return(x & 0x000000000000000000000000000000000000000000000000000000000000000F); 121 | } 122 | 123 | function padZero(bytes32 x) returns(bytes32) { 124 | //0x1111111111111111111111113fdc3192693e28ff6aee95320075e4c26be03308 125 | return(x & 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0); 126 | } 127 | 128 | function reverseByte(uint a) public pure returns (uint) { 129 | uint c = 0xf070b030d0509010e060a020c0408000; 130 | 131 | return (( c >> ((a & 0xF)*8)) & 0xF0) + 132 | (( c >> (((a >> 4)&0xF)*8) + 4) & 0xF); 133 | } 134 | //flip endinaness 135 | function reverse(bytes32 a) public pure returns(bytes32) { 136 | uint r; 137 | uint i; 138 | uint b; 139 | for (i=0; i<32; i++) { 140 | b = (uint(a) >> ((31-i)*8)) & 0xff; 141 | b = reverseByte(b); 142 | r += b << (i*8); 143 | } 144 | return bytes32(r); 145 | } 146 | 147 | } 148 | -------------------------------------------------------------------------------- /contracts/Pairing.sol: -------------------------------------------------------------------------------- 1 | /* 2 | copyright 2018 to the ZoKrates Authors 3 | */ 4 | 5 | 6 | 7 | 8 | library Pairing { 9 | struct G1Point { 10 | uint X; 11 | uint Y; 12 | } 13 | // Encoding of field elements is: X[0] * z + X[1] 14 | struct G2Point { 15 | uint[2] X; 16 | uint[2] Y; 17 | } 18 | /// @return the generator of G1 19 | function P1() internal returns (G1Point) { 20 | return G1Point(1, 2); 21 | } 22 | /// @return the generator of G2 23 | function P2() internal returns (G2Point) { 24 | return G2Point( 25 | [11559732032986387107991004021392285783925812861821192530917403151452391805634, 26 | 10857046999023057135944570762232829481370756359578518086990519993285655852781], 27 | [4082367875863433681332203403145435568316851327593401208105741076214120093531, 28 | 8495653923123431417604973247489272438418190587263600148770280649306958101930] 29 | ); 30 | } 31 | /// @return the negation of p, i.e. p.add(p.negate()) should be zero. 32 | function negate(G1Point p) internal returns (G1Point) { 33 | // The prime q in the base field F_q for G1 34 | uint q = 21888242871839275222246405745257275088696311157297823662689037894645226208583; 35 | if (p.X == 0 && p.Y == 0) 36 | return G1Point(0, 0); 37 | return G1Point(p.X, q - (p.Y % q)); 38 | } 39 | /// @return the sum of two points of G1 40 | function add(G1Point p1, G1Point p2) internal returns (G1Point r) { 41 | uint[4] memory input; 42 | input[0] = p1.X; 43 | input[1] = p1.Y; 44 | input[2] = p2.X; 45 | input[3] = p2.Y; 46 | bool success; 47 | assembly { 48 | success := call(sub(gas, 2000), 6, 0, input, 0xc0, r, 0x60) 49 | // Use "invalid" to make gas estimation work 50 | switch success case 0 { invalid } 51 | } 52 | require(success); 53 | } 54 | /// @return the product of a point on G1 and a scalar, i.e. 55 | /// p == p.mul(1) and p.add(p) == p.mul(2) for all points p. 56 | function mul(G1Point p, uint s) internal returns (G1Point r) { 57 | uint[3] memory input; 58 | input[0] = p.X; 59 | input[1] = p.Y; 60 | input[2] = s; 61 | bool success; 62 | assembly { 63 | success := call(sub(gas, 2000), 7, 0, input, 0x80, r, 0x60) 64 | // Use "invalid" to make gas estimation work 65 | switch success case 0 { invalid } 66 | } 67 | require (success); 68 | } 69 | /// @return the result of computing the pairing check 70 | /// e(p1[0], p2[0]) * .... * e(p1[n], p2[n]) == 1 71 | /// For example pairing([P1(), P1().negate()], [P2(), P2()]) should 72 | /// return true. 73 | function pairing(G1Point[] p1, G2Point[] p2) internal returns (bool) { 74 | require(p1.length == p2.length); 75 | uint elements = p1.length; 76 | uint inputSize = elements * 6; 77 | uint[] memory input = new uint[](inputSize); 78 | for (uint i = 0; i < elements; i++) 79 | { 80 | input[i * 6 + 0] = p1[i].X; 81 | input[i * 6 + 1] = p1[i].Y; 82 | input[i * 6 + 2] = p2[i].X[0]; 83 | input[i * 6 + 3] = p2[i].X[1]; 84 | input[i * 6 + 4] = p2[i].Y[0]; 85 | input[i * 6 + 5] = p2[i].Y[1]; 86 | } 87 | uint[1] memory out; 88 | bool success; 89 | assembly { 90 | success := call(sub(gas, 2000), 8, 0, add(input, 0x20), mul(inputSize, 0x20), out, 0x20) 91 | // Use "invalid" to make gas estimation work 92 | switch success case 0 { invalid } 93 | } 94 | require(success); 95 | return out[0] != 0; 96 | } 97 | /// Convenience method for a pairing check for two pairs. 98 | function pairingProd2(G1Point a1, G2Point a2, G1Point b1, G2Point b2) internal returns (bool) { 99 | G1Point[] memory p1 = new G1Point[](2); 100 | G2Point[] memory p2 = new G2Point[](2); 101 | p1[0] = a1; 102 | p1[1] = b1; 103 | p2[0] = a2; 104 | p2[1] = b2; 105 | return pairing(p1, p2); 106 | } 107 | /// Convenience method for a pairing check for three pairs. 108 | function pairingProd3( 109 | G1Point a1, G2Point a2, 110 | G1Point b1, G2Point b2, 111 | G1Point c1, G2Point c2 112 | ) internal returns (bool) { 113 | G1Point[] memory p1 = new G1Point[](3); 114 | G2Point[] memory p2 = new G2Point[](3); 115 | p1[0] = a1; 116 | p1[1] = b1; 117 | p1[2] = c1; 118 | p2[0] = a2; 119 | p2[1] = b2; 120 | p2[2] = c2; 121 | return pairing(p1, p2); 122 | } 123 | /// Convenience method for a pairing check for four pairs. 124 | function pairingProd4( 125 | G1Point a1, G2Point a2, 126 | G1Point b1, G2Point b2, 127 | G1Point c1, G2Point c2, 128 | G1Point d1, G2Point d2 129 | ) internal returns (bool) { 130 | G1Point[] memory p1 = new G1Point[](4); 131 | G2Point[] memory p2 = new G2Point[](4); 132 | p1[0] = a1; 133 | p1[1] = b1; 134 | p1[2] = c1; 135 | p1[3] = d1; 136 | p2[0] = a2; 137 | p2[1] = b2; 138 | p2[2] = c2; 139 | p2[3] = d2; 140 | return pairing(p1, p2); 141 | } 142 | } 143 | 144 | -------------------------------------------------------------------------------- /contracts/Verifier.sol: -------------------------------------------------------------------------------- 1 | /* 2 | copyright 2018 to the ZoKrates Authors 3 | */ 4 | 5 | 6 | 7 | 8 | pragma solidity ^0.4.19; 9 | 10 | import "../contracts/Pairing.sol"; 11 | 12 | contract Verifier { 13 | using Pairing for *; 14 | uint i = 0; //IC parameater add counter. 15 | struct VerifyingKey { 16 | Pairing.G2Point A; 17 | Pairing.G1Point B; 18 | Pairing.G2Point C; 19 | Pairing.G2Point gamma; 20 | Pairing.G1Point gammaBeta1; 21 | Pairing.G2Point gammaBeta2; 22 | Pairing.G2Point Z; 23 | Pairing.G1Point[] IC; 24 | } 25 | struct Proof { 26 | Pairing.G1Point A; 27 | Pairing.G1Point A_p; 28 | Pairing.G2Point B; 29 | Pairing.G1Point B_p; 30 | Pairing.G1Point C; 31 | Pairing.G1Point C_p; 32 | Pairing.G1Point K; 33 | Pairing.G1Point H; 34 | } 35 | VerifyingKey verifyKey; 36 | function Verifier (uint[2] A1, uint[2] A2, uint[2] B, uint[2] C1, uint[2] C2, 37 | uint[2] gamma1, uint[2] gamma2, uint[2] gammaBeta1, 38 | uint[2] gammaBeta2_1, uint[2] gammaBeta2_2, uint[2] Z1, uint[2] Z2, 39 | uint[] input) { 40 | verifyKey.A = Pairing.G2Point(A1,A2); 41 | verifyKey.B = Pairing.G1Point(B[0], B[1]); 42 | verifyKey.C = Pairing.G2Point(C1, C2); 43 | verifyKey.gamma = Pairing.G2Point(gamma1, gamma2); 44 | 45 | verifyKey.gammaBeta1 = Pairing.G1Point(gammaBeta1[0], gammaBeta1[1]); 46 | verifyKey.gammaBeta2 = Pairing.G2Point(gammaBeta2_1, gammaBeta2_2); 47 | verifyKey.Z = Pairing.G2Point(Z1,Z2); 48 | //addIC(input); 49 | //verifyKey.IC = new Pairing.G1Point[](1); 50 | //for (uint i = 0; i < input.length; i+=2) 51 | // verifyKey.IC.push(Pairing.G1Point(input[i], input[i+1])); 52 | // verifyKey.IC.push(Pairing.G1Point(input[i][0], input[i][1])); 53 | //verifyKey.IC.push(Pairing.G1Point(input[0], input[1])); 54 | 55 | while (verifyKey.IC.length != input.length/2) { 56 | verifyKey.IC.push(Pairing.G1Point(input[i], input[i+1])); 57 | i += 2; 58 | } 59 | 60 | } 61 | 62 | function getIC(uint i) returns(uint) { 63 | return(verifyKey.IC[i].X); 64 | } 65 | 66 | function getICLen () returns (uint) { 67 | return(verifyKey.IC.length); 68 | } 69 | 70 | function verify(uint[] input, Proof proof) internal returns (uint) { 71 | VerifyingKey memory vk = verifyKey; 72 | require(input.length + 1 == vk.IC.length); 73 | 74 | 75 | // Compute the linear combination vk_x 76 | Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0); 77 | for (uint i = 0; i < input.length; i++) 78 | vk_x = Pairing.add(vk_x, Pairing.mul(vk.IC[i + 1], input[i])); 79 | vk_x = Pairing.add(vk_x, vk.IC[0]); 80 | 81 | if (!Pairing.pairingProd2(proof.A, vk.A, Pairing.negate(proof.A_p), Pairing.P2())) return 1; 82 | if (!Pairing.pairingProd2(vk.B, proof.B, Pairing.negate(proof.B_p), Pairing.P2())) return 2; 83 | if (!Pairing.pairingProd2(proof.C, vk.C, Pairing.negate(proof.C_p), Pairing.P2())) return 3; 84 | if (!Pairing.pairingProd3( 85 | proof.K, vk.gamma, 86 | Pairing.negate(Pairing.add(vk_x, Pairing.add(proof.A, proof.C))), vk.gammaBeta2, 87 | Pairing.negate(vk.gammaBeta1), proof.B 88 | )) return 4; 89 | if (!Pairing.pairingProd3( 90 | Pairing.add(vk_x, proof.A), proof.B, 91 | Pairing.negate(proof.H), vk.Z, 92 | Pairing.negate(proof.C), Pairing.P2() 93 | )) return 5; 94 | return 0; 95 | } 96 | event Verified(string); 97 | function verifyTx( 98 | uint[2] a, 99 | uint[2] a_p, 100 | uint[2][2] b, 101 | uint[2] b_p, 102 | uint[2] c, 103 | uint[2] c_p, 104 | uint[2] h, 105 | uint[2] k, 106 | uint[] input 107 | ) returns (bool) { 108 | Proof memory proof; 109 | proof.A = Pairing.G1Point(a[0], a[1]); 110 | proof.A_p = Pairing.G1Point(a_p[0], a_p[1]); 111 | proof.B = Pairing.G2Point([b[0][0], b[0][1]], [b[1][0], b[1][1]]); 112 | proof.B_p = Pairing.G1Point(b_p[0], b_p[1]); 113 | proof.C = Pairing.G1Point(c[0], c[1]); 114 | proof.C_p = Pairing.G1Point(c_p[0], c_p[1]); 115 | proof.H = Pairing.G1Point(h[0], h[1]); 116 | proof.K = Pairing.G1Point(k[0], k[1]); 117 | uint[] memory inputValues = new uint[](input.length); 118 | for(uint i = 0; i < input.length; i++){ 119 | inputValues[i] = input[i]; 120 | } 121 | //uint res = verify(inputValues, proof); 122 | if (verify(inputValues, proof) == 0) { 123 | Verified("Transaction successfully verified."); 124 | return true; 125 | } else { 126 | return false; 127 | } 128 | //return(res); 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /depends/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(libsnark) -------------------------------------------------------------------------------- /examples/deposit.py: -------------------------------------------------------------------------------- 1 | ''' 2 | copyright 2018 to the Miximus Authors 3 | 4 | This file is part of Miximus. 5 | 6 | Miximus is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | 11 | Miximus is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with Miximus. If not, see . 18 | ''' 19 | 20 | 21 | import sys 22 | sys.path.insert(0, '../snarkWrapper') 23 | 24 | 25 | from deploy import * 26 | 27 | from web3.middleware import geth_poa_middleware 28 | w3.middleware_stack.inject(geth_poa_middleware, layer=0) 29 | 30 | if __name__ == "__main__": 31 | tree_depth = 29 32 | 33 | 34 | deployedAddress = "0xB586453a8e44c86E012958E48a0DeCED462BD16e" 35 | 36 | 37 | miximus_interface , verifier_interface = compile(tree_depth) 38 | 39 | miximus = w3.eth.contract(address=deployedAddress, abi=miximus_interface['abi'],ContractFactoryClass=ConciseContract) 40 | 41 | fee = 0 42 | depositAddress = Web3.toChecksumAddress(input("enter your deposit addrss, make sure it is unlocked \n")) 43 | withdrawAddress = Web3.toChecksumAddress(input("enter the address you want to ether to go to \n")) 44 | 45 | nullifier = genNullifier(withdrawAddress) 46 | sk = "0x" + genSalt(64) 47 | 48 | index = deposit(miximus, nullifier, sk, depositAddress) 49 | deposit = {"index":index , "nullifier":nullifier , "secretKey":sk} 50 | f = open("%d.json"%index, "w+") 51 | f.write(json.dumps(deposit, ensure_ascii=False)) 52 | f.close() 53 | 54 | 55 | 56 | print("Ether was deposited, file %s.json was created this contains information for miximus to withdraw your funds. Its important that you backup this file. \ 57 | anyone who can see this file will be able to deanonymize you. But they will not be able to steal your funds."% str(index)) 58 | 59 | 60 | -------------------------------------------------------------------------------- /examples/withdraw.py: -------------------------------------------------------------------------------- 1 | ''' 2 | copyright 2018 to the Miximus Authors 3 | 4 | This file is part of Miximus. 5 | 6 | Miximus is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | 11 | Miximus is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with Miximus. If not, see . 18 | ''' 19 | 20 | 21 | import sys 22 | sys.path.insert(0, '../snarkWrapper') 23 | 24 | from deploy import * 25 | 26 | 27 | from web3.middleware import geth_poa_middleware 28 | w3.middleware_stack.inject(geth_poa_middleware, layer=0) 29 | 30 | 31 | if __name__ == "__main__": 32 | tree_depth = 29 33 | 34 | pk_output = "../zksnark_element/pk_rinkby.raw" 35 | 36 | deployedAddress = "0xB586453a8e44c86E012958E48a0DeCED462BD16e" 37 | withdrawIndex = input("Enter the name of the deposit file you would like to use. Should be something like 0.json\n") 38 | 39 | miximus_interface , verifier_interface = compile(tree_depth) 40 | miximus = w3.eth.contract(address=deployedAddress, abi=miximus_interface['abi'],ContractFactoryClass=ConciseContract) 41 | 42 | 43 | with open(withdrawIndex) as json_data: 44 | commitment = json.load(json_data) 45 | 46 | nullifier = commitment["nullifier"] 47 | sk = commitment["secretKey"] 48 | i = commitment["index"] 49 | fee = 0 50 | 51 | pk = genWitness(miximus, nullifier, sk, i, tree_depth, fee, pk_output) 52 | 53 | try: 54 | withdraw(miximus, pk) 55 | except: 56 | pdb.set_trace() 57 | 58 | 59 | 60 | -------------------------------------------------------------------------------- /snarkWrapper/deploy.py: -------------------------------------------------------------------------------- 1 | ''' 2 | copyright 2018 to the Miximus Authors 3 | 4 | This file is part of Miximus. 5 | 6 | Miximus is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | 11 | Miximus is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with Miximus. If not, see . 18 | ''' 19 | 20 | 21 | import json 22 | import web3 23 | 24 | from web3 import Web3, HTTPProvider, TestRPCProvider 25 | from solc import compile_source, compile_standard 26 | from web3.contract import ConciseContract 27 | 28 | 29 | import pdb 30 | from solc import compile_source, compile_files, link_code 31 | from bitstring import BitArray 32 | import random 33 | 34 | from ctypes import cdll 35 | import ctypes as c 36 | 37 | tree_depth = 29 38 | lib = cdll.LoadLibrary('../build/src/libmiximus.so') 39 | #lib = cdll.LoadLibrary('../../test_merkel_tree/build/src/libmiximus.so') 40 | 41 | prove = lib.prove 42 | prove.restype = c.c_char_p; 43 | #prove.argtypes = [c.POINTER(c.POINTER(c.c_bool*256))] 44 | 45 | prove.argtypes = [((c.c_bool*256)*(tree_depth + 3)), c.c_int, ((c.c_bool*tree_depth)), c.c_int] 46 | genKeys = lib.genKeys 47 | genKeys.argtypes = [c.c_int, c.c_char_p, c.c_char_p] 48 | 49 | helloWorld = lib.helloWorld 50 | 51 | helloWorld.restype = c.c_char_p; 52 | helloWorld.argtypes = [c.c_char_p]; 53 | 54 | 55 | 56 | 57 | w3 = Web3(HTTPProvider("http://localhost:8545")); 58 | 59 | 60 | def hex2int(elements): 61 | ints = [] 62 | for el in elements: 63 | ints.append(int(el, 16)) 64 | return(ints) 65 | 66 | def compile(tree_depth): 67 | miximus = "../contracts/Miximus.sol" 68 | MerkelTree = "../contracts/MerkelTree.sol" 69 | Pairing = "../contracts/Pairing.sol" 70 | Verifier = "../contracts/Verifier.sol" 71 | 72 | compiled_sol = compile_files([Pairing, MerkelTree, Pairing, Verifier, miximus], allow_paths="./contracts") 73 | 74 | miximus_interface = compiled_sol[miximus + ':Miximus'] 75 | verifier_interface = compiled_sol[Verifier + ':Verifier'] 76 | 77 | return(miximus_interface, verifier_interface) 78 | 79 | 80 | def deploy(tree_depth, vk_dir): 81 | miximus_interface , verifier_interface = compile(tree_depth) 82 | with open(vk_dir) as json_data: 83 | vk = json.load(json_data) 84 | 85 | 86 | vk = [hex2int(vk["a"][0]), 87 | hex2int(vk["a"][1]), 88 | hex2int(vk["b"]), 89 | hex2int(vk["c"][0]), 90 | hex2int(vk["c"][1]), 91 | hex2int(vk["g"][0]), 92 | hex2int(vk["g"][1]), 93 | hex2int(vk["gb1"]), 94 | hex2int(vk["gb2"][0]), 95 | hex2int(vk["gb2"][1]), 96 | hex2int(vk["z"][0]), 97 | hex2int(vk["z"][1]), 98 | hex2int(sum(vk["IC"], [])) 99 | ] 100 | 101 | # Instantiate and deploy contract 102 | miximus = w3.eth.contract(abi=miximus_interface['abi'], bytecode=miximus_interface['bin']) 103 | verifier = w3.eth.contract(abi=verifier_interface['abi'], bytecode=verifier_interface['bin']) 104 | 105 | # Get transaction hash from deployed contract 106 | tx_hash = verifier.deploy(args=vk, transaction={'from': w3.eth.accounts[0], 'gas': 4000000}) 107 | # Get tx receipt to get contract address 108 | 109 | tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash, 10000) 110 | verifier_address = tx_receipt['contractAddress'] 111 | 112 | 113 | tx_hash = miximus.deploy(transaction={'from': w3.eth.accounts[0], 'gas': 4000000}, args=[verifier_address]) 114 | 115 | # Get tx receipt to get contract address 116 | tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash, 10000) 117 | miximus_address = tx_receipt['contractAddress'] 118 | 119 | # Contract instance in concise mode 120 | abi = miximus_interface['abi'] 121 | miximus = w3.eth.contract(address=miximus_address, abi=abi,ContractFactoryClass=ConciseContract) 122 | 123 | 124 | 125 | return(miximus) 126 | 127 | def deposit(miximus, nullifier, sk, depositAddress): 128 | #FFFF...FFFF is the salt 3fdc....03309 is the address that will recive the funds. 129 | 130 | leaf = miximus.getSha256(nullifier, sk) 131 | print ("leaf: " , w3.toHex(leaf)) 132 | print ("null: " , nullifier, "sk: " , sk) 133 | 134 | tx_hash = miximus.deposit( leaf, transact={'from': depositAddress, 'gas': 4000000, "value":w3.toWei(1, "ether")}) 135 | tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash, 10000) 136 | return(int(tx_receipt["logs"][0]["data"], 16)) 137 | 138 | def withdraw(miximus, pk): 139 | print( w3.eth.getBalance(miximus.address)) 140 | tx_hash = miximus.withdraw(pk["a"] , pk["a_p"], pk["b"], pk["b_p"] , pk["c"], pk["c_p"] , pk["h"] , pk["k"], pk["input"] , transact={'from': w3.eth.accounts[0], 'gas': 4000000}) 141 | tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash, 10000) 142 | 143 | print( w3.eth.getBalance(miximus.address)) 144 | 145 | def bytesToBinary(hexString): 146 | out = "" 147 | for i, byte in enumerate(hexString): 148 | out += bin(byte)[2:].rjust(8,"0") 149 | out = [int(x) for x in out] 150 | return((c.c_bool*256)(*out)) 151 | pk = "asdf" 152 | 153 | def genhelloWorld(pk_dir): 154 | pk = helloWorld(c.c_char_p(pk_dir.encode())) 155 | 156 | def genWitness(miximus, nullifier, sk, address, tree_depth, fee, pk_dir): 157 | 158 | path = [] 159 | address_bits = [] 160 | #tree = miximus.getTree() 161 | #tree_hex = [w3.toHex(x) for x in tree] 162 | root = miximus.getRoot() 163 | 164 | path1, address_bits1 = miximus.getMerkelProof(address, call={"gas":500000}) 165 | ''' 166 | for i in range (0 , tree_depth): 167 | address_bits.append(address%2) 168 | if ( address %2 == 0) : 169 | print (w3.toHex(tree[address + 1])) 170 | path.append(tree[address + 1]) 171 | print (path1[i] == tree[address + 1]) 172 | else: 173 | print (w3.toHex(tree[address - 1])) 174 | path.append(tree[address - 1]) 175 | print (path1[i] == tree[address - 1]) 176 | 177 | address = int(address/2) 178 | ''' 179 | print (address_bits1) 180 | y = [w3.toHex(x) for x in path1] 181 | print (y) 182 | path = [bytesToBinary(x) for x in path1] 183 | 184 | address_bits = address_bits1[::-1] 185 | 186 | path = path[::-1] 187 | 188 | path.append(bytesToBinary(w3.toBytes(hexstr=nullifier))) 189 | path.append(bytesToBinary(w3.toBytes(hexstr=sk))) 190 | path.append(bytesToBinary(root)) 191 | 192 | print ("address bits ", address_bits) 193 | 194 | path = ((c.c_bool*256)*(tree_depth + 3))(*path) 195 | address = 2#int("".join([str(int(x=="True")) for x in address_bits]), 2) 196 | address_bits = (c.c_bool*tree_depth)(*address_bits) 197 | 198 | print(address) 199 | print( w3.toHex(root)) 200 | 201 | pk = prove(path, address, address_bits, tree_depth, c.c_int(fee), c.c_char_p(pk_dir.encode())) 202 | 203 | 204 | 205 | pk = json.loads(pk.decode("utf-8")) 206 | pk["a"] = hex2int(pk["a"]) 207 | pk["a_p"] = hex2int(pk["a_p"]) 208 | pk["b"] = [hex2int(pk["b"][0]), hex2int(pk["b"][1])] 209 | pk["b_p"] = hex2int(pk["b_p"]) 210 | pk["c"] = hex2int(pk["c"]) 211 | pk["c_p"] = hex2int(pk["c_p"]) 212 | pk["h"] = hex2int(pk["h"]) 213 | pk["k"] = hex2int(pk["k"]) 214 | pk["input"] = hex2int(pk["input"]) 215 | 216 | return(pk) 217 | 218 | def genSalt(i): 219 | salt = [random.choice("0123456789abcdef0123456789ABCDEF") for x in range(0,i)] 220 | out = "".join(salt) 221 | return(out) 222 | 223 | def genNullifier(recvAddress): 224 | salt = genSalt(24) 225 | return(recvAddress + salt) 226 | -------------------------------------------------------------------------------- /src/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | include_directories(.) 2 | 3 | add_library( 4 | miximus 5 | SHARED 6 | main.cpp 7 | ) 8 | 9 | target_link_libraries( 10 | miximus 11 | snark 12 | ) 13 | 14 | 15 | set_property(TARGET miximus PROPERTY POSITION_INDEPENDENT_CODE ON) 16 | 17 | target_include_directories( 18 | miximus 19 | PUBLIC 20 | ${DEPENDS_DIR}/libsnark 21 | ${DEPENDS_DIR}/libsnark/depends/libff 22 | ${DEPENDS_DIR}/libsnark/depends/libfqfft 23 | ) 24 | -------------------------------------------------------------------------------- /src/ZoKrates/wraplibsnark.cpp: -------------------------------------------------------------------------------- 1 | /** 2 | * @file wraplibsnark.cpp 3 | * @author Jacob Eberhardt 5 | * @date 2017 6 | */ 7 | 8 | #include "wraplibsnark.hpp" 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | // contains definition of alt_bn128 ec public parameters 15 | //#include "libsnark/libsnark/algebra/curves/alt_bn128/alt_bn128_pp.hpp" 16 | #include "libff/algebra/curves/alt_bn128/alt_bn128_pp.hpp" 17 | // contains required interfaces and types (keypair, proof, generator, prover, verifier) 18 | #include 19 | 20 | typedef long integer_coeff_t; 21 | 22 | using namespace std; 23 | using namespace libsnark; 24 | 25 | // conversion byte[32] <-> libsnark bigint. 26 | libff::bigint libsnarkBigintFromBytes(const uint8_t* _x) 27 | { 28 | libff::bigint x; 29 | 30 | for (unsigned i = 0; i < 4; i++) { 31 | for (unsigned j = 0; j < 8; j++) { 32 | x.data[3 - i] |= uint64_t(_x[i * 8 + j]) << (8 * (7-j)); 33 | } 34 | } 35 | return x; 36 | } 37 | 38 | std::string HexStringFromLibsnarkBigint(libff::bigint _x){ 39 | uint8_t x[32]; 40 | for (unsigned i = 0; i < 4; i++) 41 | for (unsigned j = 0; j < 8; j++) 42 | x[i * 8 + j] = uint8_t(uint64_t(_x.data[3 - i]) >> (8 * (7 - j))); 43 | 44 | std::stringstream ss; 45 | ss << std::setfill('0'); 46 | for (unsigned i = 0; i<32; i++) { 47 | ss << std::hex << std::setw(2) << (int)x[i]; 48 | } 49 | 50 | std:string str = ss.str(); 51 | return str.erase(0, min(str.find_first_not_of('0'), str.size()-1)); 52 | } 53 | 54 | std::string outputPointG1AffineAsHex(libff::alt_bn128_G1 _p) 55 | { 56 | libff::alt_bn128_G1 aff = _p; 57 | aff.to_affine_coordinates(); 58 | return 59 | "\"0x" + 60 | HexStringFromLibsnarkBigint(aff.X.as_bigint()) + 61 | "\", \"0x" + 62 | HexStringFromLibsnarkBigint(aff.Y.as_bigint()) + 63 | "\""; 64 | } 65 | 66 | std::string outputPointG2AffineAsHex(libff::alt_bn128_G2 _p) 67 | { 68 | libff::alt_bn128_G2 aff = _p; 69 | aff.to_affine_coordinates(); 70 | return 71 | "[\"0x" + 72 | HexStringFromLibsnarkBigint(aff.X.c1.as_bigint()) + "\", \"0x" + 73 | HexStringFromLibsnarkBigint(aff.X.c0.as_bigint()) + "\"],\n [\"0x" + 74 | HexStringFromLibsnarkBigint(aff.Y.c1.as_bigint()) + "\", \"0x" + 75 | HexStringFromLibsnarkBigint(aff.Y.c0.as_bigint()) + "\"]"; 76 | } 77 | 78 | //takes input and puts it into constraint system 79 | r1cs_ppzksnark_constraint_system createConstraintSystem(const uint8_t* A, const uint8_t* B, const uint8_t* C, int constraints, int variables, int inputs) 80 | { 81 | r1cs_ppzksnark_constraint_system cs; 82 | cs.primary_input_size = inputs; 83 | cs.auxiliary_input_size = variables - inputs - 1; // ~one not included 84 | 85 | cout << "num variables: " << variables < lin_comb_A, lin_comb_B, lin_comb_C; 91 | 92 | for (int idx=0; idx value = libsnarkBigintFromBytes(A+row*variables*32 + idx*32); 94 | libff::alt_bn128_pp::init_public_params(); 95 | cout << "C entry " << idx << " in row " << row << ": " << value << endl; 96 | if (!value.is_zero()) { 97 | //cout << "A(" << idx << ", " << value << ")" << endl; 98 | //lin_comb_A.add_term(idx,value); 99 | //linear_term(0); 100 | } 101 | } 102 | for (int idx=0; idx value = libsnarkBigintFromBytes(B+row*variables*32 + idx*32); 104 | cout << "B entry " << idx << " in row " << row << ": " << value << endl; 105 | if (!value.is_zero()) { 106 | cout << "B(" << idx << ", " << value << ")" << endl; 107 | //lin_comb_B.add_term(idx, value); 108 | } 109 | } 110 | for (int idx=0; idx value = libsnarkBigintFromBytes(C+row*variables*32 + idx*32); 112 | // cout << "C entry " << idx << " in row " << row << ": " << value << endl; 113 | if (!value.is_zero()) { 114 | // cout << "C(" << idx << ", " << value << ")" << endl; 115 | //lin_comb_C.add_term(idx, value); 116 | } 117 | } 118 | //cs.add_constraint(r1cs_constraint(lin_comb_A, lin_comb_B, lin_comb_C)); 119 | } 120 | return cs; 121 | } 122 | 123 | // keypair generateKeypair(constraints) 124 | r1cs_ppzksnark_keypair generateKeypair(const r1cs_ppzksnark_constraint_system &cs){ 125 | // from r1cs_ppzksnark.hpp 126 | return r1cs_ppzksnark_generator(cs); 127 | } 128 | 129 | template 130 | void writeToFile(std::string path, T& obj) { 131 | std::stringstream ss; 132 | ss << obj; 133 | std::ofstream fh; 134 | fh.open(path, std::ios::binary); 135 | ss.rdbuf()->pubseekpos(0, std::ios_base::out); 136 | fh << ss.rdbuf(); 137 | fh.flush(); 138 | fh.close(); 139 | } 140 | 141 | template 142 | T loadFromFile(std::string path) { 143 | std::stringstream ss; 144 | std::ifstream fh(path, std::ios::binary); 145 | 146 | assert(fh.is_open()); 147 | 148 | ss << fh.rdbuf(); 149 | fh.close(); 150 | 151 | ss.rdbuf()->pubseekpos(0, std::ios_base::in); 152 | 153 | T obj; 154 | ss >> obj; 155 | 156 | return obj; 157 | } 158 | 159 | void serializeProvingKeyToFile(r1cs_ppzksnark_proving_key pk, const char* pk_path){ 160 | writeToFile(pk_path, pk); 161 | } 162 | 163 | r1cs_ppzksnark_proving_key deserializeProvingKeyFromFile(const char* pk_path){ 164 | return loadFromFile>(pk_path); 165 | } 166 | 167 | void serializeVerificationKeyToFile(r1cs_ppzksnark_verification_key vk, const char* vk_path){ 168 | std::stringstream ss; 169 | 170 | unsigned icLength = vk.encoded_IC_query.rest.indices.size() + 1; 171 | 172 | ss << "\t\tvk.A = " << outputPointG2AffineAsHex(vk.alphaA_g2) << endl; 173 | ss << "\t\tvk.B = " << outputPointG1AffineAsHex(vk.alphaB_g1) << endl; 174 | ss << "\t\tvk.C = " << outputPointG2AffineAsHex(vk.alphaC_g2) << endl; 175 | ss << "\t\tvk.gamma = " << outputPointG2AffineAsHex(vk.gamma_g2) << endl; 176 | ss << "\t\tvk.gammaBeta1 = " << outputPointG1AffineAsHex(vk.gamma_beta_g1) << endl; 177 | ss << "\t\tvk.gammaBeta2 = " << outputPointG2AffineAsHex(vk.gamma_beta_g2) << endl; 178 | ss << "\t\tvk.Z = " << outputPointG2AffineAsHex(vk.rC_Z_g2) << endl; 179 | ss << "\t\tvk.IC.len() = " << icLength << endl; 180 | ss << "\t\tvk.IC[0] = " << outputPointG1AffineAsHex(vk.encoded_IC_query.first) << endl; 181 | for (size_t i = 1; i < icLength; ++i) 182 | { 183 | auto vkICi = outputPointG1AffineAsHex(vk.encoded_IC_query.rest.values[i - 1]); 184 | ss << "\t\tvk.IC[" << i << "] = " << vkICi << endl; 185 | } 186 | 187 | std::ofstream fh; 188 | fh.open(vk_path, std::ios::binary); 189 | ss.rdbuf()->pubseekpos(0, std::ios_base::out); 190 | fh << ss.rdbuf(); 191 | fh.flush(); 192 | fh.close(); 193 | } 194 | 195 | // compliant with solidty verification example 196 | void exportVerificationKey(r1cs_ppzksnark_keypair keypair){ 197 | unsigned icLength = keypair.vk.encoded_IC_query.rest.indices.size() + 1; 198 | 199 | cout << "\tVerification key in Solidity compliant format:{" << endl; 200 | cout << "\t\tvk.A = Pairing.G2Point(" << outputPointG2AffineAsHex(keypair.vk.alphaA_g2) << ");" << endl; 201 | cout << "\t\tvk.B = Pairing.G1Point(" << outputPointG1AffineAsHex(keypair.vk.alphaB_g1) << ");" << endl; 202 | cout << "\t\tvk.C = Pairing.G2Point(" << outputPointG2AffineAsHex(keypair.vk.alphaC_g2) << ");" << endl; 203 | cout << "\t\tvk.gamma = Pairing.G2Point(" << outputPointG2AffineAsHex(keypair.vk.gamma_g2) << ");" << endl; 204 | cout << "\t\tvk.gammaBeta1 = Pairing.G1Point(" << outputPointG1AffineAsHex(keypair.vk.gamma_beta_g1) << ");" << endl; 205 | cout << "\t\tvk.gammaBeta2 = Pairing.G2Point(" << outputPointG2AffineAsHex(keypair.vk.gamma_beta_g2) << ");" << endl; 206 | cout << "\t\tvk.Z = Pairing.G2Point(" << outputPointG2AffineAsHex(keypair.vk.rC_Z_g2) << ");" << endl; 207 | cout << "\t\tvk.IC = new Pairing.G1Point[](" << icLength << ");" << endl; 208 | cout << "\t\tvk.IC[0] = Pairing.G1Point(" << outputPointG1AffineAsHex(keypair.vk.encoded_IC_query.first) << ");" << endl; 209 | for (size_t i = 1; i < icLength; ++i) 210 | { 211 | auto vkICi = outputPointG1AffineAsHex(keypair.vk.encoded_IC_query.rest.values[i - 1]); 212 | cout << "\t\tvk.IC[" << i << "] = Pairing.G1Point(" << vkICi << ");" << endl; 213 | } 214 | cout << "\t\t}" << endl; 215 | 216 | } 217 | 218 | // compliant with solidty verification example 219 | /* 220 | void exportInput(r1cs_primary_input input){ 221 | cout << "\tInput in Solidity compliant format:{" << endl; 222 | for (size_t i = 0; i < input.size(); ++i) 223 | { 224 | cout << "\t\tinput[" << i << "] = " << HexStringFromLibsnarkBigint(input[i].as_bigint()) << ";" << endl; 225 | } 226 | cout << "\t\t}" << endl; 227 | } */ 228 | 229 | 230 | void printProof(r1cs_ppzksnark_proof proof){ 231 | cout << "Proof:"<< endl; 232 | cout << "proof.A = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_A.g)<< ");" << endl; 233 | cout << "proof.A_p = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_A.h)<< ");" << endl; 234 | cout << "proof.B = Pairing.G2Point(" << outputPointG2AffineAsHex(proof.g_B.g)<< ");" << endl; 235 | cout << "proof.B_p = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_B.h)<<");" << endl; 236 | cout << "proof.C = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_C.g)<< ");" << endl; 237 | cout << "proof.C_p = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_C.h)<<");" << endl; 238 | cout << "proof.H = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_H)<<");"<< endl; 239 | cout << "proof.K = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_K)<<");"<< endl; 240 | } 241 | 242 | /*bool _setup(const uint8_t* A, const uint8_t* B, const uint8_t* C, int constraints, int variables, int inputs, const char* pk_path, const char* vk_path) 243 | { 244 | //libsnark::inhibit_profiling_info = true; 245 | //libsnark::inhibit_profiling_counters = true; 246 | 247 | //initialize curve parameters 248 | libff::alt_bn128_pp::init_public_params(); 249 | 250 | r1cs_constraint_system cs; 251 | cs = createConstraintSystem(A, B ,C , constraints, variables, inputs); 252 | 253 | assert(cs.num_variables() >= inputs); 254 | assert(cs.num_inputs() == inputs); 255 | assert(cs.num_constraints() == constraints); 256 | 257 | // create keypair 258 | r1cs_ppzksnark_keypair keypair = r1cs_ppzksnark_generator(cs); 259 | 260 | // Export vk and pk to files 261 | serializeProvingKeyToFile(keypair.pk, pk_path); 262 | serializeVerificationKeyToFile(keypair.vk, vk_path); 263 | 264 | // Print VerificationKey in Solidity compatible format 265 | exportVerificationKey(keypair); 266 | 267 | return true; 268 | }*/ 269 | /* 270 | bool _generate_proof(const char* pk_path, const uint8_t* public_inputs, int public_inputs_length, const uint8_t* private_inputs, int private_inputs_length) 271 | { 272 | // libsnark::inhibit_profiling_info = true; 273 | // libsnark::inhibit_profiling_counters = true; 274 | 275 | //initialize curve parameters 276 | libff::alt_bn128_pp::init_public_params(); 277 | r1cs_ppzksnark_proving_key pk = deserializeProvingKeyFromFile(pk_path); 278 | 279 | // assign variables based on witness values, excludes ~one 280 | r1cs_variable_assignment full_variable_assignment; 281 | for (int i = 1; i < public_inputs_length; i++) { 282 | full_variable_assignment.push_back(libff::alt_bn128_pp(libsnarkBigintFromBytes(public_inputs + i*32))); 283 | } 284 | for (int i = 0; i < private_inputs_length; i++) { 285 | full_variable_assignment.push_back((libsnarkBigintFromBytes(private_inputs + i*32))); 286 | } 287 | 288 | // split up variables into primary and auxiliary inputs. Does *NOT* include the constant 1 289 | // Public variables belong to primary input, private variables are auxiliary input. 290 | r1cs_primary_input primary_input(full_variable_assignment.begin(), full_variable_assignment.begin() + public_inputs_length-1); 291 | r1cs_primary_input auxiliary_input(full_variable_assignment.begin() + public_inputs_length-1, full_variable_assignment.end()); 292 | 293 | // for debugging 294 | // cout << "full variable assignment:"<< endl << full_variable_assignment; 295 | // cout << "primary input:"<< endl << primary_input; 296 | // cout << "auxiliary input:"<< endl << auxiliary_input; 297 | 298 | // Proof Generation 299 | r1cs_ppzksnark_proof proof = r1cs_ppzksnark_prover(pk, primary_input, auxiliary_input); 300 | 301 | // print proof 302 | printProof(proof); 303 | // TODO? print inputs 304 | 305 | return true; 306 | } */ 307 | -------------------------------------------------------------------------------- /src/ZoKrates/wraplibsnark.hpp: -------------------------------------------------------------------------------- 1 | /** 2 | * @file wraplibsnark.hpp 3 | * @author Jacob Eberhardt 5 | * @date 2017 6 | */ 7 | 8 | #ifdef __cplusplus 9 | extern "C" { 10 | #endif 11 | 12 | #include 13 | #include 14 | 15 | bool _setup(const uint8_t* A, 16 | const uint8_t* B, 17 | const uint8_t* C, 18 | int constraints, 19 | int variables, 20 | int inputs, 21 | const char* pk_path, 22 | const char* vk_path 23 | ); 24 | 25 | bool _generate_proof(const char* pk_path, 26 | const uint8_t* public_inputs, 27 | int public_inputs_length, 28 | const uint8_t* private_inputs, 29 | int private_inputs_length 30 | ); 31 | 32 | #ifdef __cplusplus 33 | } // extern "C" 34 | #endif 35 | -------------------------------------------------------------------------------- /src/export.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | copyright 2018 to the Miximus Authors 3 | 4 | This file is part of Miximus. 5 | 6 | Miximus is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | 11 | Miximus is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with Miximus. If not, see . 18 | */ 19 | 20 | 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | 28 | 29 | #include 30 | 31 | // ZoKrates 32 | #include 33 | 34 | 35 | 36 | 37 | 38 | 39 | //key gen 40 | #include "libff/algebra/curves/alt_bn128/alt_bn128_pp.hpp" //hold key 41 | #include "libff/algebra/curves/bn128/bn128_pp.hpp" //hold key 42 | #include 43 | #include 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | #include 52 | #include 53 | #include 54 | #include 55 | #include 56 | #include 57 | #include 58 | 59 | 60 | // tmp 61 | //#include 62 | #include 63 | #include 64 | 65 | using namespace libsnark; 66 | using namespace libff; 67 | 68 | 69 | template 70 | void constraint_to_json(linear_combination constraints, std::stringstream &ss) 71 | { 72 | ss << "{"; 73 | uint count = 0; 74 | for (const linear_term& lt : constraints.terms) 75 | { 76 | if (count != 0) { 77 | ss << ","; 78 | } 79 | if (lt.coeff != 0 && lt.coeff != 1) { 80 | ss << '"' << lt.index << '"' << ":" << "-1"; 81 | } 82 | else { 83 | ss << '"' << lt.index << '"' << ":" << lt.coeff; 84 | } 85 | count++; 86 | } 87 | ss << "}"; 88 | } 89 | 90 | template 91 | void array_to_json(protoboard pb, uint input_variables, std::string path) 92 | { 93 | 94 | std::stringstream ss; 95 | std::ofstream fh; 96 | fh.open(path, std::ios::binary); 97 | 98 | r1cs_variable_assignment values = pb.full_variable_assignment(); 99 | ss << "\n{\"TestVariables\":["; 100 | 101 | for (size_t i = 0; i < values.size(); ++i) 102 | { 103 | 104 | ss << values[i].as_bigint(); 105 | if (i < values.size() - 1) { ss << ",";} 106 | } 107 | 108 | ss << "]}\n"; 109 | ss.rdbuf()->pubseekpos(0, std::ios_base::out); 110 | 111 | fh << ss.rdbuf(); 112 | fh.flush(); 113 | fh.close(); 114 | } 115 | 116 | template 117 | void r1cs_to_json(protoboard pb, uint input_variables, std::string path) 118 | { 119 | // output inputs, right now need to compile with debug flag so that the `variable_annotations` 120 | // exists. Having trouble setting that up so will leave for now. 121 | r1cs_constraint_system constraints = pb.get_constraint_system(); 122 | std::stringstream ss; 123 | std::ofstream fh; 124 | fh.open(path, std::ios::binary); 125 | 126 | ss << "\n{\"variables\":["; 127 | 128 | for (size_t i = 0; i < input_variables + 1; ++i) 129 | { 130 | ss << '"' << constraints.variable_annotations[i].c_str() << '"'; 131 | if (i < input_variables ) { 132 | ss << ", "; 133 | } 134 | } 135 | ss << "],\n"; 136 | ss << "\"constraints\":["; 137 | 138 | for (size_t c = 0; c < constraints.num_constraints(); ++c) 139 | { 140 | ss << "[";// << "\"A\"="; 141 | constraint_to_json(constraints.constraints[c].a, ss); 142 | ss << ",";// << "\"B\"="; 143 | constraint_to_json(constraints.constraints[c].b, ss); 144 | ss << ",";// << "\"A\"=";; 145 | constraint_to_json(constraints.constraints[c].c, ss); 146 | if (c == constraints.num_constraints()-1 ) { 147 | ss << "]\n"; 148 | } else { 149 | ss << "],\n"; 150 | } 151 | } 152 | ss << "]}"; 153 | ss.rdbuf()->pubseekpos(0, std::ios_base::out); 154 | fh << ss.rdbuf(); 155 | fh.flush(); 156 | fh.close(); 157 | } 158 | 159 | template 160 | string proof_to_json(r1cs_ppzksnark_proof proof, r1cs_primary_input input) { 161 | std::cout << "proof.A = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_A.g)<< ");" << endl; 162 | std::cout << "proof.A_p = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_A.h)<< ");" << endl; 163 | std::cout << "proof.B = Pairing.G2Point(" << outputPointG2AffineAsHex(proof.g_B.g)<< ");" << endl; 164 | std::cout << "proof.B_p = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_B.h)<<");" << endl; 165 | std::cout << "proof.C = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_C.g)<< ");" << endl; 166 | std::cout << "proof.C_p = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_C.h)<<");" << endl; 167 | std::cout << "proof.H = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_H)<<");"<< endl; 168 | std::cout << "proof.K = Pairing.G1Point(" << outputPointG1AffineAsHex(proof.g_K)<<");"<< endl; 169 | 170 | 171 | std::string path = "../zksnark_element/proof.json"; 172 | std::stringstream ss; 173 | std::ofstream fh; 174 | fh.open(path, std::ios::binary); 175 | 176 | ss << "{\n"; 177 | ss << " \"a\" :[" << outputPointG1AffineAsHex(proof.g_A.g) << "],\n"; 178 | ss << " \"a_p\" :[" << outputPointG1AffineAsHex(proof.g_A.h)<< "],\n"; 179 | ss << " \"b\" :[" << outputPointG2AffineAsHex(proof.g_B.g)<< "],\n"; 180 | ss << " \"b_p\" :[" << outputPointG1AffineAsHex(proof.g_B.h)<< "],\n"; 181 | ss << " \"c\" :[" << outputPointG1AffineAsHex(proof.g_C.g)<< "],\n"; 182 | ss << " \"c_p\" :[" << outputPointG1AffineAsHex(proof.g_C.h)<< "],\n"; 183 | ss << " \"h\" :[" << outputPointG1AffineAsHex(proof.g_H)<< "],\n"; 184 | ss << " \"k\" :[" << outputPointG1AffineAsHex(proof.g_K)<< "],\n"; 185 | ss << " \"input\" :" << "["; //1 should always be the first variavle passed 186 | 187 | for (size_t i = 0; i < input.size(); ++i) 188 | { 189 | ss << "\"0x" << HexStringFromLibsnarkBigint(input[i].as_bigint()) << "\""; 190 | if ( i < input.size() - 1 ) { 191 | ss<< ", "; 192 | } 193 | } 194 | ss << "]\n"; 195 | 196 | /*ss << "\"IC\" :[" << outputPointG1AffineAsHex(keypair.vk.encoded_IC_query.first); 197 | 198 | for (size_t i = 1; i < icLength; ++i) 199 | { 200 | auto vkICi = outputPointG1AffineAsHex(keypair.vk.encoded_IC_query.rest.values[i - 1]); 201 | ss << "," << vkICi; 202 | } 203 | ss << "]"; */ 204 | 205 | ss << "}"; 206 | ss.rdbuf()->pubseekpos(0, std::ios_base::out); 207 | fh << ss.rdbuf(); 208 | fh.flush(); 209 | fh.close(); 210 | return(ss.str()); 211 | } 212 | 213 | void vk2json(r1cs_ppzksnark_keypair keypair, std::string path ) { 214 | 215 | std::stringstream ss; 216 | std::ofstream fh; 217 | fh.open(path, std::ios::binary); 218 | unsigned icLength = keypair.vk.encoded_IC_query.rest.indices.size() + 1; 219 | 220 | ss << "{\n"; 221 | ss << " \"a\" :[" << outputPointG2AffineAsHex(keypair.vk.alphaA_g2) << "],\n"; 222 | ss << " \"b\" :[" << outputPointG1AffineAsHex(keypair.vk.alphaB_g1) << "],\n"; 223 | ss << " \"c\" :[" << outputPointG2AffineAsHex(keypair.vk.alphaC_g2) << "],\n"; 224 | ss << " \"g\" :[" << outputPointG2AffineAsHex(keypair.vk.gamma_g2)<< "],\n"; 225 | ss << " \"gb1\" :[" << outputPointG1AffineAsHex(keypair.vk.gamma_beta_g1)<< "],\n"; 226 | ss << " \"gb2\" :[" << outputPointG2AffineAsHex(keypair.vk.gamma_beta_g2)<< "],\n"; 227 | ss << " \"z\" :[" << outputPointG2AffineAsHex(keypair.vk.rC_Z_g2)<< "],\n"; 228 | 229 | ss << "\"IC\" :[[" << outputPointG1AffineAsHex(keypair.vk.encoded_IC_query.first) << "]"; 230 | 231 | for (size_t i = 1; i < icLength; ++i) 232 | { 233 | auto vkICi = outputPointG1AffineAsHex(keypair.vk.encoded_IC_query.rest.values[i - 1]); 234 | ss << ",[" << vkICi << "]"; 235 | } 236 | ss << "]"; 237 | ss << "}"; 238 | ss.rdbuf()->pubseekpos(0, std::ios_base::out); 239 | fh << ss.rdbuf(); 240 | fh.flush(); 241 | fh.close(); 242 | } 243 | template 244 | //void dump_key(r1cs_constraint_system cs) 245 | char* dump_key(protoboard pb, std::string path) 246 | { 247 | 248 | r1cs_constraint_system constraints = pb.get_constraint_system(); 249 | std::stringstream ss; 250 | std::ofstream fh; 251 | fh.open(path, std::ios::binary); 252 | 253 | 254 | r1cs_ppzksnark_keypair keypair = generateKeypair(pb.get_constraint_system()); 255 | 256 | //save keys 257 | vk2json(keypair, "vk.json"); 258 | writeToFile("../zksnark_element/pk.raw", keypair.pk); 259 | writeToFile("../zksnark_element/vk.raw", keypair.vk); 260 | 261 | pb.primary_input(); 262 | pb.auxiliary_input(); 263 | 264 | r1cs_primary_input primary_input = pb.primary_input(); 265 | r1cs_auxiliary_input auxiliary_input = pb.auxiliary_input(); 266 | ss << "primaryinputs" << primary_input; 267 | ss << "aux input" << auxiliary_input; 268 | 269 | 270 | r1cs_ppzksnark_proof proof = r1cs_ppzksnark_prover(keypair.pk, primary_input, auxiliary_input); 271 | 272 | 273 | auto json = proof_to_json (proof, primary_input); 274 | 275 | ss.rdbuf()->pubseekpos(0, std::ios_base::out); 276 | fh << ss.rdbuf(); 277 | fh.flush(); 278 | fh.close(); 279 | 280 | auto result = new char[json.size()]; 281 | memcpy(result, json.c_str(), json.size() + 1); 282 | return result; 283 | 284 | 285 | } 286 | 287 | 288 | -------------------------------------------------------------------------------- /src/main.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | copyright 2018 to the Miximus Authors 3 | 4 | This file is part of Miximus. 5 | 6 | Miximus is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | 11 | Miximus is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with Miximus. If not, see . 18 | */ 19 | 20 | 21 | #include 22 | 23 | //hash 24 | //#include 25 | #include 26 | #include 27 | #include "main.hpp" 28 | //key gen 29 | #include "libff/algebra/curves/alt_bn128/alt_bn128_pp.hpp" //hold key 30 | 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | #include 37 | #include 38 | 39 | using namespace libsnark; 40 | using namespace libff; 41 | 42 | typedef sha256_ethereum HashT; 43 | 44 | // taken froim deploy.js 45 | // TODO: deal with leading zeros being removed in deploy.js 46 | 47 | /* 48 | libff::bit_vector tree17 = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 49 | 50 | 51 | libff::bit_vector tree9 = { 1 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,1 }; 52 | libff::bit_vector tree5 = { 1 ,1 ,0 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,1 }; 53 | libff::bit_vector tree3 = { 1 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,0 }; 54 | libff::bit_vector root = {0, 1 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,0}; 55 | libff::bit_vector nullifier = {0,0, 1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,0 }; 56 | libff::bit_vector secret = { 1 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,1 ,0 ,1 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,1 ,0 ,0 ,1 ,1 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,1 ,0 ,0 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,0 ,0 ,1 ,0 ,1 ,1 ,0 ,1 ,0 ,1 ,1 ,1 ,1 ,0 ,0 ,1 ,1 ,1 ,0 ,0 ,0 ,1 ,1 ,1 ,0 ,1 ,1 ,0 ,1 ,1 }; 57 | */ 58 | 59 | 60 | 61 | template 62 | class Miximus { 63 | public: 64 | 65 | const size_t digest_len = HashT::get_digest_len(); 66 | size_t tree_depth; 67 | protoboard pb; 68 | 69 | std::shared_ptr> unpacker; 70 | std::shared_ptr> unpacker1; 71 | 72 | //digest_variable root_digest(pb, digest_len, "root_digest"); 73 | std::shared_ptr> root_digest; 74 | //digest_variable cm(pb, digest_len, "cm_digest"); 75 | std::shared_ptr> cm; 76 | //digest_variable sk(pb, digest_len, "sk_digest"); 77 | std::shared_ptr> sk; 78 | //digest_variable leaf_digest(pb, digest_len, "leaf_digest"); 79 | std::shared_ptr> leaf_digest; 80 | 81 | std::shared_ptr cm_hash; 82 | 83 | 84 | std::shared_ptr> path_var; 85 | 86 | std::shared_ptr> ml; 87 | 88 | pb_variable_array address_bits_va; 89 | std::shared_ptr > input_variable; 90 | 91 | pb_variable ZERO; 92 | //we use layer 2 transaction abstration. 93 | //here the depositor denotes the fee in Wei 94 | pb_variable msgSenderFee; 95 | 96 | 97 | 98 | pb_variable_array packed_inputs; 99 | pb_variable_array unpacked_inputs; 100 | 101 | pb_variable_array packed_inputs1; 102 | pb_variable_array unpacked_inputs1; 103 | 104 | 105 | Miximus(int _tree_depth) { 106 | tree_depth = _tree_depth; 107 | 108 | packed_inputs.allocate(pb, 1 + 1, "packed"); 109 | packed_inputs1.allocate(pb, 1 + 1, "packed"); 110 | msgSenderFee.allocate(pb, "msgSenderFee"); 111 | ZERO.allocate(pb, "ZERO"); 112 | pb.val(ZERO) = 0; 113 | address_bits_va.allocate(pb, tree_depth, "address_bits"); 114 | 115 | cm.reset(new digest_variable(pb, 256, "cm")); 116 | root_digest.reset(new digest_variable(pb, 256, "root_digest")); 117 | sk.reset(new digest_variable(pb, 256, "sk")); 118 | leaf_digest.reset(new digest_variable(pb, 256, "leaf_digest")); 119 | 120 | //unpacked_inputs.insert(unpacked_inputs.end(), true ); 121 | unpacked_inputs.insert(unpacked_inputs.end(), root_digest->bits.begin(), root_digest->bits.end()); 122 | //unpacked_inputs.insert(unpacked_inputs.end(), cm->bits.begin(), cm->bits.end()); 123 | 124 | unpacker.reset(new multipacking_gadget( 125 | pb, 126 | unpacked_inputs, 127 | packed_inputs, 128 | FieldT::capacity(), 129 | "unpacker" 130 | )); 131 | 132 | unpacked_inputs1.insert(unpacked_inputs1.end(), cm->bits.begin(), cm->bits.end()); 133 | 134 | unpacker1.reset(new multipacking_gadget( 135 | pb, 136 | unpacked_inputs1, 137 | packed_inputs1, 138 | FieldT::capacity(), 139 | "unpacker" 140 | )); 141 | 142 | pb.set_input_sizes(4 + 1 ); 143 | 144 | input_variable.reset(new block_variable(pb, *cm, *sk, "input_variable")); 145 | 146 | cm_hash.reset(new sha256_ethereum( 147 | pb, SHA256_block_size, *input_variable, *leaf_digest, "cm_hash" 148 | )); 149 | //sha256_ethereum g(pb, SHA256_block_size, *input_variable, *leaf_digest, "g"); 150 | 151 | path_var.reset(new merkle_authentication_path_variable (pb, tree_depth, "path_var" )); 152 | 153 | //merkle_authentication_path_variable path_var(pb, tree_depth, "path_var"); 154 | 155 | ml.reset(new merkle_tree_check_read_gadget(pb, tree_depth, address_bits_va, *leaf_digest, *root_digest, *path_var, ONE, "ml")); 156 | //merkle_tree_check_read_gadget ml(pb, tree_depth, address_bits_va, *leaf_digest, *root_digest, path_var, ONE, "ml"); 157 | 158 | // generate constraints 159 | //root_digest.generate_r1cs_constraints(); 160 | unpacker->generate_r1cs_constraints(true); 161 | unpacker1->generate_r1cs_constraints(false); 162 | 163 | generate_r1cs_equals_const_constraint(pb, ZERO, FieldT::zero(), "ZERO"); 164 | cm_hash->generate_r1cs_constraints(true); 165 | path_var->generate_r1cs_constraints(); 166 | ml->generate_r1cs_constraints(); 167 | } 168 | 169 | void writeKeysToFile(char* pk , char* vk) { 170 | r1cs_constraint_system constraints = this->pb.get_constraint_system(); 171 | 172 | r1cs_ppzksnark_keypair keypair = generateKeypair(this->pb.get_constraint_system()); 173 | 174 | //save keys 175 | vk2json(keypair, vk); 176 | 177 | writeToFile(pk, keypair.pk); 178 | } 179 | 180 | char* prove(std::vector path, int address, libff::bit_vector address_bits , libff::bit_vector nullifier , libff::bit_vector secret , libff::bit_vector root, int fee, char* pk) { 181 | // generate witness 182 | //unpacker->generate_r1cs_constraints(false); 183 | //std::vector path(tree_depth); 184 | 185 | //libff::bit_vector address_bits; 186 | //size_t address = 0; // uint of address_bits 187 | //address_bits = {0,0,0,0}; // defines the ordering of hashing 188 | //path = {tree3,tree5,tree9, _tree17}; 189 | cm->generate_r1cs_witness(nullifier); 190 | root_digest->generate_r1cs_witness(root); 191 | sk->generate_r1cs_witness(secret); 192 | cm_hash->generate_r1cs_witness(); 193 | //leaf_digest->generate_r1cs_witness(leaf); 194 | address_bits_va.fill_with_bits(pb, address_bits); 195 | assert(address_bits_va.get_field_element_from_bits(pb).as_ulong() == address); 196 | pb.val(msgSenderFee) = fee; 197 | 198 | 199 | path_var->generate_r1cs_witness(address, path); 200 | ml->generate_r1cs_witness(); 201 | unpacker->generate_r1cs_witness_from_bits(); 202 | unpacker1->generate_r1cs_witness_from_bits(); 203 | 204 | // make sure that read checker didn't accidentally overwrite anything 205 | address_bits_va.fill_with_bits(pb, address_bits); 206 | unpacker->generate_r1cs_witness_from_bits(); 207 | 208 | root_digest->generate_r1cs_witness(root); 209 | 210 | 211 | r1cs_ppzksnark_keypair keypair; 212 | keypair.pk = loadFromFile> (pk); 213 | 214 | 215 | pb.primary_input(); 216 | pb.auxiliary_input(); 217 | 218 | r1cs_primary_input primary_input = pb.primary_input(); 219 | r1cs_auxiliary_input auxiliary_input = pb.auxiliary_input(); 220 | r1cs_ppzksnark_proof proof = r1cs_ppzksnark_prover(keypair.pk, primary_input, auxiliary_input); 221 | 222 | auto json = proof_to_json (proof, primary_input); 223 | 224 | auto result = new char[json.size()]; 225 | memcpy(result, json.c_str(), json.size() + 1); 226 | return result; 227 | } 228 | }; 229 | 230 | void genKeys(int tree_depth, char* pkOutput, char* vkOuput) { 231 | 232 | libff::alt_bn128_pp::init_public_params(); 233 | Miximus c (tree_depth); 234 | c.writeKeysToFile(pkOutput, vkOuput ); 235 | } 236 | 237 | void helloWorld( char* input) { 238 | 239 | std::cout << input << std::endl; 240 | 241 | } 242 | 243 | char* prove(bool _path[][256], int _address, bool _address_bits[], int tree_depth, int fee, char* pk) { 244 | 245 | libff::alt_bn128_pp::init_public_params(); 246 | libff::bit_vector init(0,256); 247 | libff::bit_vector _nullifier(0,256); 248 | libff::bit_vector _secret(0, 256); 249 | libff::bit_vector _root(0,256); 250 | libff::bit_vector address_bits; 251 | 252 | std::vector path(tree_depth); 253 | 254 | init.resize(256); 255 | 256 | path.resize(tree_depth); 257 | _nullifier.resize(256); 258 | _secret.resize(256); 259 | _root.resize(256); 260 | std::cout << "tree depth: " << tree_depth << std::endl; 261 | for (int i =tree_depth - 1; i>=0 ; i--) { 262 | path[i] = init; 263 | for (int j =0; j= 0; level--) 275 | { 276 | 277 | const bool computed_is_right = _address_bits[level]; 278 | 279 | address |= (computed_is_right ? 1ul << (tree_depth-1-level) : 0); 280 | address_bits.push_back(computed_is_right); 281 | } 282 | 283 | libff::alt_bn128_pp::init_public_params(); 284 | Miximus c(tree_depth); 285 | 286 | auto out = c.prove(path, address , address_bits, _nullifier, _secret, _root, fee, pk); 287 | return(out); 288 | } 289 | -------------------------------------------------------------------------------- /src/main.hpp: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | copyright 2018 to the Miximus Authors 4 | 5 | This file is part of Miximus. 6 | 7 | Miximus is free software: you can redistribute it and/or modify 8 | it under the terms of the GNU General Public License as published by 9 | the Free Software Foundation, either version 3 of the License, or 10 | (at your option) any later version. 11 | 12 | Miximus is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | GNU General Public License for more details. 16 | 17 | You should have received a copy of the GNU General Public License 18 | along with Miximus. If not, see . 19 | */ 20 | 21 | 22 | #ifdef __cplusplus 23 | extern "C" { 24 | #endif 25 | 26 | #include 27 | #include 28 | 29 | char* _sha256Constraints(); 30 | char* _sha256Witness(); 31 | char* prove(bool path[][256], int address, bool _address_bits[], int tree_depth, int fee, char* pk); 32 | void genKeys(int tree_depth, char* pkOutput, char* vkOuput ); 33 | 34 | void helloWorld( char* input); 35 | 36 | 37 | 38 | #ifdef __cplusplus 39 | } // extern "C" 40 | #endif 41 | -------------------------------------------------------------------------------- /src/sha256/sha256_ethereum.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | copyright 2018 to the Kobigurk 3 | https://github.com/kobigurk/sha256_ethereum 4 | MIT 5 | */ 6 | 7 | 8 | #include 9 | 10 | #include "libsnark/gadgetlib1/gadget.hpp" 11 | #include "libsnark/gadgetlib1/protoboard.hpp" 12 | #include "libff/common/default_types/ec_pp.hpp" 13 | #include "libsnark/reductions/r1cs_to_qap/r1cs_to_qap.hpp" 14 | 15 | 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | using namespace libsnark; 23 | using namespace libff; 24 | 25 | using std::vector; 26 | 27 | //typedef libff::Fr FieldT; 28 | typedef libff::Fr FieldT; 29 | 30 | pb_variable_array from_bits(std::vector bits, pb_variable& ZERO) { 31 | pb_variable_array acc; 32 | 33 | for (size_t i = 0; i < bits.size(); i++) { 34 | bool bit = bits[i]; 35 | acc.emplace_back(bit ? ONE : ZERO); 36 | } 37 | 38 | return acc; 39 | } 40 | 41 | class sha256_ethereum : gadget { 42 | private: 43 | std::shared_ptr> block1; 44 | std::shared_ptr> block2; 45 | std::shared_ptr> hasher1; 46 | std::shared_ptr> intermediate_hash; 47 | std::shared_ptr> hasher2; 48 | 49 | public: 50 | 51 | sha256_ethereum(protoboard &pb, 52 | const size_t block_length, 53 | const block_variable &input_block, 54 | const digest_variable &output, 55 | const std::string &annotation_prefix) : gadget(pb, "sha256_ethereum") { 56 | 57 | intermediate_hash.reset(new digest_variable(pb, 256, "intermediate")); 58 | pb_variable ZERO; 59 | 60 | ZERO.allocate(pb, "ZERO"); 61 | pb.val(ZERO) = 0; 62 | 63 | // final padding 64 | pb_variable_array length_padding = 65 | from_bits({ 66 | // padding 67 | 1,0,0,0,0,0,0,0, 68 | 0,0,0,0,0,0,0,0, 69 | 0,0,0,0,0,0,0,0, 70 | 0,0,0,0,0,0,0,0, 71 | 0,0,0,0,0,0,0,0, 72 | 0,0,0,0,0,0,0,0, 73 | 0,0,0,0,0,0,0,0, 74 | 0,0,0,0,0,0,0,0, 75 | 0,0,0,0,0,0,0,0, 76 | 0,0,0,0,0,0,0,0, 77 | 0,0,0,0,0,0,0,0, 78 | 0,0,0,0,0,0,0,0, 79 | 0,0,0,0,0,0,0,0, 80 | 0,0,0,0,0,0,0,0, 81 | 0,0,0,0,0,0,0,0, 82 | 0,0,0,0,0,0,0,0, 83 | 0,0,0,0,0,0,0,0, 84 | 0,0,0,0,0,0,0,0, 85 | 0,0,0,0,0,0,0,0, 86 | 0,0,0,0,0,0,0,0, 87 | 0,0,0,0,0,0,0,0, 88 | 0,0,0,0,0,0,0,0, 89 | 0,0,0,0,0,0,0,0, 90 | 0,0,0,0,0,0,0,0, 91 | 0,0,0,0,0,0,0,0, 92 | 0,0,0,0,0,0,0,0, 93 | 0,0,0,0,0,0,0,0, 94 | 0,0,0,0,0,0,0,0, 95 | 0,0,0,0,0,0,0,0, 96 | 0,0,0,0,0,0,0,0, 97 | 0,0,0,0,0,0,0,0, 98 | 0,0,0,0,0,0,0,0, 99 | 0,0,0,0,0,0,0,0, 100 | 0,0,0,0,0,0,0,0, 101 | 0,0,0,0,0,0,0,0, 102 | 0,0,0,0,0,0,0,0, 103 | 0,0,0,0,0,0,0,0, 104 | 0,0,0,0,0,0,0,0, 105 | 0,0,0,0,0,0,0,0, 106 | 0,0,0,0,0,0,0,0, 107 | 0,0,0,0,0,0,0,0, 108 | 0,0,0,0,0,0,0,0, 109 | 0,0,0,0,0,0,0,0, 110 | 0,0,0,0,0,0,0,0, 111 | 0,0,0,0,0,0,0,0, 112 | 0,0,0,0,0,0,0,0, 113 | 0,0,0,0,0,0,0,0, 114 | 0,0,0,0,0,0,0,0, 115 | 0,0,0,0,0,0,0,0, 116 | 0,0,0,0,0,0,0,0, 117 | 0,0,0,0,0,0,0,0, 118 | 0,0,0,0,0,0,0,0, 119 | 0,0,0,0,0,0,0,0, 120 | 0,0,0,0,0,0,0,0, 121 | 0,0,0,0,0,0,0,0, 122 | 0,0,0,0,0,0,0,0, 123 | 124 | // length of message (512 bits) 125 | 0,0,0,0,0,0,0,0, 126 | 0,0,0,0,0,0,0,0, 127 | 0,0,0,0,0,0,0,0, 128 | 0,0,0,0,0,0,0,0, 129 | 0,0,0,0,0,0,0,0, 130 | 0,0,0,0,0,0,0,0, 131 | 0,0,0,0,0,0,1,0, 132 | 0,0,0,0,0,0,0,0 133 | }, ZERO); 134 | 135 | /* block2.reset(new block_variable(pb, { 136 | length_padding 137 | }, "block2")); 138 | */ 139 | pb_linear_combination_array IV = SHA256_default_IV(pb); 140 | 141 | hasher1.reset(new sha256_compression_function_gadget( 142 | pb, 143 | IV, 144 | input_block.bits, 145 | *intermediate_hash, 146 | "hasher1")); 147 | 148 | pb_linear_combination_array IV2(intermediate_hash->bits); 149 | // std::cout << block2->bits; 150 | // std::cout << intermediate_hash; 151 | 152 | hasher2.reset(new sha256_compression_function_gadget( 153 | pb, 154 | IV2, 155 | length_padding, 156 | output, 157 | "hasher2")); 158 | 159 | } 160 | 161 | void generate_r1cs_constraints(const bool ensure_output_bitness) { 162 | libff::UNUSED(ensure_output_bitness); 163 | hasher1->generate_r1cs_constraints(); 164 | hasher2->generate_r1cs_constraints(); 165 | } 166 | 167 | void generate_r1cs_witness() { 168 | hasher1->generate_r1cs_witness(); 169 | hasher2->generate_r1cs_witness(); 170 | } 171 | 172 | static size_t get_digest_len() 173 | { 174 | return 256; 175 | } 176 | 177 | 178 | 179 | static libff::bit_vector get_hash(const libff::bit_vector &input) 180 | { 181 | 182 | protoboard pb; 183 | 184 | block_variable input_variable(pb, SHA256_block_size, "input"); 185 | digest_variable output_variable(pb, SHA256_digest_size, "output"); 186 | sha256_ethereum f(pb, SHA256_block_size, input_variable, output_variable, "f"); 187 | 188 | input_variable.generate_r1cs_witness(input); 189 | f.generate_r1cs_witness(); 190 | 191 | return output_variable.get_digest(); 192 | 193 | } 194 | 195 | 196 | static size_t expected_constraints(const bool ensure_output_bitness) 197 | { 198 | libff::UNUSED(ensure_output_bitness); 199 | return 54560; /* hardcoded for now */ 200 | } 201 | }; 202 | 203 | 204 | 205 | 206 | vector bit_list_to_ints(vector bit_list, const size_t wordsize) { 207 | vector res; 208 | size_t iterations = bit_list.size()/wordsize+1; 209 | for (size_t i = 0; i < iterations; ++i) { 210 | unsigned long current = 0; 211 | for (size_t j = 0; j < wordsize; ++j) { 212 | if (bit_list.size() == (i*wordsize+j)) break; 213 | current += (bit_list[i*wordsize+j] * (1ul<<(wordsize-1-j))); 214 | } 215 | res.push_back(current); 216 | } 217 | return res; 218 | } 219 | -------------------------------------------------------------------------------- /tests/test.py: -------------------------------------------------------------------------------- 1 | ''' 2 | copyright 2018 to the Miximus Authors 3 | 4 | This file is part of Miximus. 5 | 6 | Miximus is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | 11 | Miximus is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with Miximus. If not, see . 18 | ''' 19 | 20 | import sys 21 | sys.path.insert(0, '../snarkWrapper') 22 | 23 | 24 | from deploy import * 25 | 26 | if __name__ == "__main__": 27 | tree_depth = 29 28 | pk_output = "../zksnark_element/pk.raw" 29 | vk_output = "../zksnark_element/vk.json" 30 | 31 | genKeys(c.c_int(tree_depth), c.c_char_p(pk_output.encode()) , c.c_char_p(vk_output.encode())) 32 | 33 | 34 | miximus = deploy(tree_depth, vk_output) 35 | for j in range (0,16): 36 | 37 | nullifiers = [] 38 | sks = [] 39 | 40 | fee = 0 41 | 42 | for i in range(0,1): 43 | nullifiers.append(genNullifier(w3.eth.accounts[i%10])) 44 | sk = genSalt(64) 45 | sks.append("0x" + sk) 46 | 47 | for nullifier , sk in zip(nullifiers, sks): 48 | try: 49 | index = deposit(miximus, nullifier, sk, w3.eth.accounts[0]) 50 | except: 51 | pdb.set_trace() 52 | 53 | for i, (nullifier , sk) in enumerate(zip(nullifiers, sks)): 54 | 55 | pk = genWitness(miximus, nullifier, sk, i + j, tree_depth, fee, "../zksnark_element/pk.raw") 56 | withdraw(miximus, pk) 57 | 58 | 59 | 60 | -------------------------------------------------------------------------------- /zksnark_element/vk.json: -------------------------------------------------------------------------------- 1 | { 2 | "a" :[["0x77d0e2e7b73192ce90f517bd797897decec02cc3f7985d37d0f60ed68baf3d5", "0x1505cd1eda9abf7deb8b5fb46d6344bd030ba7790eae88d6f73a2d64642942fd"], 3 | ["0x4a8de8c6f48e602c2f0dcaa543c36c50923b420d3bc4f98a231fb1a55d3ed25", "0x168010e166f6b7df47c693f4371612ce672c154cd78b252f31a3219cc69ff564"]], 4 | "b" :["0x2005e1a4addeaddd7b1d8e29c5132294dbe9ed560df24771d6b678fb1eaacccf", "0x2b3a34fc43a689ed05f15fab69867c00fea091e7ce584245ad7cba3d95fc9dcf"], 5 | "c" :[["0x22733f867d9a6551da6d06007d30b0956586731aa09b84e7dc6fcff6a5b348a7", "0x1be8e2cddb9ea5155c9b0a06fcdefd964180efc817b2e9d3eefc2bedb1570547"], 6 | ["0x40d4c33d7bb26dfeb0a7addfc73904b0cda4533d1a524724e7e05f2c838ea23", "0x134f0d715947dcb5ad7a46747d2005b95a5407fb45e7e92e44ecd1dd0b75a2f0"]], 7 | "g" :[["0x1c330293dc072dd4296209b4b2bdea21b48b30a8f3375f8984b17c53d3d38a1d", "0x1ae84e7e2dabfb46dec2d17bb50eaef3d999f4dbe3bd019d21f751271f57459c"], 8 | ["0x128071b4a65b3e6243cb6ee16b879312d772a0179e238d4c431ed0c7cd2897db", "0x13af387a47387d5b09f5bc7406a9d6552fa23a5bad681bf79f5f2543124131bd"]], 9 | "gb1" :["0x1325e870a5ae45462df4688a644371640f6869e7e00d072ead211e1786f03173", "0x26e72b9018d4a5f1fbdf31982e9eb176bd6f30959a78afa296627b9a5dec0b10"], 10 | "gb2" :[["0x268b5f6f7305c4995f2256de9c5002d4727228dafa9fbf1ce3af087a6e8472a6", "0x16e485f9c16cba42f2bc44a6e2762c0e48717ef60d9ccb8737c2ab6a2c2d80e"], 11 | ["0x2fd21c46c072a7ffd1723de89cb0843fe760969808ddb7d7bc2ab8740811d70", "0x10debb2b79c2490bbadea64527f59770f36beefe7bc098aa1d04bafd8b04a2ac"]], 12 | "z" :[["0x17255e06f50fde448bf5afcd5f6ccdb0d24292bd3a9166a48f52f5adc40b71c5", "0x72fbebb64c52398c95627b9080504af1cea2616d039a86e8309c08bddcce4b"], 13 | ["0x2ead16c1cafd4aa667d3895b356033b1be9779a96f2a96783cc45def53124cb9", "0x1c5e73b18773a34281294dae349ef0d8f3ed17f724f01f69a7b57366459de1d8"]], 14 | "IC" :[["0x132f6be3fdd8c5abb6289bca37e9071c1f1b0e454f0c9d5723fc94a6e98075c", "0x1a5c921c21168be97c8e9d792d664f6f9ed5a69bcb365e9f1e6f3acbc7d1455c"],["0xf1183b1c357b7932bf85bb65793afe50bf613c1cdac2ab39c1a606c16fd8c83", "0x1c0eec18634d8e6e80bfd26a11b0feb77e86db33b65cf0e4ae62f7a18a67550"],["0x2e46a99089f24c110fa044ebcd65506ef6735a253e9084db2b2ad62fa98dd10c", "0x298a0143f9baa13512cf4bdf13d70a59d83e49fe35fcaf0e74c74654b9576817"],["0x2475a83849b140e4de427947e067c07bbd66a48f4bb705c85a867ce792844769", "0x1fa091b98c4eae6413a713fbf6233469d7b3925ef2d87e60ac1cec4c8c067dee"],["0x29984788643100b92d3eac7bc266362fdc5364a2e63901d9a5d309797a9b32b6", "0x2bf46e3430d487fd0ab3c9ccdf6df043f5a108c1043dd96c8a32cf67e321188c"],["0x4a78596c121f0bf7afa651319550f8773df8257fef041262960d294f8d97498", "0x16910d139f6ed2954cd31de37d8b7fc3637478efe072e4921dc94fec3a54e112"]]} --------------------------------------------------------------------------------