├── .gitignore ├── jigg ├── .eslintignore ├── .gitignore ├── src │ ├── jigg.js │ ├── parse │ │ ├── label.js │ │ ├── circuit.js │ │ └── parse.js │ ├── modules │ │ ├── circuit.js │ │ ├── gate.js │ │ └── label.js │ ├── util │ │ ├── hexutils.js │ │ └── crypto.js │ ├── comm │ │ ├── clientSocket.js │ │ ├── serverSocket.js │ │ └── ot.js │ ├── jiggServer.js │ ├── jiggClient.js │ ├── evaluate.js │ └── garble.js ├── demo │ ├── client │ │ ├── worker.js │ │ └── client.js │ ├── party.js │ ├── server.js │ └── client.html ├── jsdoc.conf.json ├── LICENSE ├── .eslintrc ├── jsdoc.layout.tmpl ├── package.json └── README.md ├── app ├── .eslintrc.json ├── public │ ├── favicon.ico │ └── circuits │ │ ├── job_matching.txt │ │ └── 32bit_add.txt ├── laconic │ ├── laconic_ot_bg.wasm │ ├── package.json │ ├── laconic_ot_bg.wasm.d.ts │ ├── laconic_ot.d.ts │ └── index.html ├── README.md ├── postcss.config.mjs ├── next.config.ts ├── pages │ ├── _app.tsx │ ├── _document.tsx │ ├── api │ │ └── hello.ts │ └── index.tsx ├── styles │ └── globals.css ├── tailwind.config.ts ├── tsconfig.json ├── .gitignore ├── package.json ├── LICENSE.md ├── utils │ └── jobMatchingUtils.ts ├── components │ ├── JobMatchingForm.tsx │ └── JobMatching.tsx └── test │ └── HIRING.md ├── laconic ├── pkg │ ├── laconic_ot_bg.wasm │ ├── package.json │ ├── laconic_ot_bg.wasm.d.ts │ ├── README.md │ ├── laconic_ot.d.ts │ └── index.html ├── .gitignore ├── src │ ├── lib.rs │ ├── kzg.rs │ ├── wasm_bindings.rs │ ├── kzg_types.rs │ ├── kzg_fk_open.rs │ ├── laconic_ot.rs │ └── kzg_utils.rs ├── Cargo.toml ├── LICENSE.md ├── table.py ├── README.md └── benches │ └── laconic_ot.rs ├── circuits ├── src │ ├── main.rs │ ├── demo.rs │ ├── hiring_original.rs │ └── hiring.rs ├── Cargo.toml ├── job_matching_two_input.txt ├── job_matching.txt └── Cargo.lock └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | target/ -------------------------------------------------------------------------------- /jigg/.eslintignore: -------------------------------------------------------------------------------- 1 | **/node_modules/ 2 | -------------------------------------------------------------------------------- /app/.eslintrc.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": ["next/core-web-vitals", "next/typescript"] 3 | } 4 | -------------------------------------------------------------------------------- /jigg/.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | .DS_Store 3 | node_modules 4 | package-lock.json 5 | circuits/gg 6 | -------------------------------------------------------------------------------- /app/public/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cursive-team/trinity-v0/HEAD/app/public/favicon.ico -------------------------------------------------------------------------------- /app/laconic/laconic_ot_bg.wasm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cursive-team/trinity-v0/HEAD/app/laconic/laconic_ot_bg.wasm -------------------------------------------------------------------------------- /laconic/pkg/laconic_ot_bg.wasm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cursive-team/trinity-v0/HEAD/laconic/pkg/laconic_ot_bg.wasm -------------------------------------------------------------------------------- /circuits/src/main.rs: -------------------------------------------------------------------------------- 1 | mod demo; 2 | mod hiring; 3 | mod hiring_original; 4 | 5 | fn main() { 6 | hiring::hiring(); 7 | } 8 | -------------------------------------------------------------------------------- /app/README.md: -------------------------------------------------------------------------------- 1 | # Trinity demo app 2 | 3 | Demoing trinity circuits in a Next.js app, a mix of fully local and half-server, half-client approaches. 4 | -------------------------------------------------------------------------------- /laconic/.gitignore: -------------------------------------------------------------------------------- 1 | */target 2 | **/*.rs.bk 3 | Cargo.lock 4 | notes.md 5 | scrap.rs 6 | kzg10.rs 7 | design.md 8 | refactor_notes 9 | *.out 10 | .DS_Store 11 | -------------------------------------------------------------------------------- /app/postcss.config.mjs: -------------------------------------------------------------------------------- 1 | /** @type {import('postcss-load-config').Config} */ 2 | const config = { 3 | plugins: { 4 | tailwindcss: {}, 5 | }, 6 | }; 7 | 8 | export default config; 9 | -------------------------------------------------------------------------------- /app/next.config.ts: -------------------------------------------------------------------------------- 1 | import type { NextConfig } from "next"; 2 | 3 | const nextConfig: NextConfig = { 4 | /* config options here */ 5 | reactStrictMode: true, 6 | }; 7 | 8 | export default nextConfig; 9 | -------------------------------------------------------------------------------- /app/pages/_app.tsx: -------------------------------------------------------------------------------- 1 | import "@/styles/globals.css"; 2 | import type { AppProps } from "next/app"; 3 | 4 | export default function App({ Component, pageProps }: AppProps) { 5 | return ; 6 | } 7 | -------------------------------------------------------------------------------- /jigg/src/jigg.js: -------------------------------------------------------------------------------- 1 | /** 2 | * Main module: exposes client and server API. This is the module that is exposed when 3 | * requiring jigg from node.js. 4 | * 5 | * @module JIGG 6 | */ 7 | 8 | const Agent = require("./jiggClient.js"); 9 | 10 | module.exports = Agent; 11 | -------------------------------------------------------------------------------- /circuits/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "circuits" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | [dependencies] 7 | boolify = { git = "https://github.com/voltrevo/boolify", rev = "e9707c0" } 8 | bristol-circuit = { git = "https://github.com/voltrevo/bristol-circuit", rev = "2a8b001" } 9 | -------------------------------------------------------------------------------- /app/laconic/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "laconic-ot", 3 | "version": "0.1.0", 4 | "license": "MIT", 5 | "files": [ 6 | "laconic_ot_bg.wasm", 7 | "laconic_ot.js", 8 | "laconic_ot.d.ts" 9 | ], 10 | "module": "laconic_ot.js", 11 | "types": "laconic_ot.d.ts", 12 | "sideEffects": false 13 | } -------------------------------------------------------------------------------- /app/styles/globals.css: -------------------------------------------------------------------------------- 1 | @tailwind base; 2 | @tailwind components; 3 | @tailwind utilities; 4 | 5 | :root { 6 | --background: #ffffff; 7 | --foreground: #171717; 8 | } 9 | 10 | body { 11 | color: var(--foreground); 12 | background: var(--background); 13 | font-family: Arial, Helvetica, sans-serif; 14 | } 15 | -------------------------------------------------------------------------------- /app/pages/_document.tsx: -------------------------------------------------------------------------------- 1 | import { Html, Head, Main, NextScript } from "next/document"; 2 | 3 | export default function Document() { 4 | return ( 5 | 6 | 7 | 8 |
9 | 10 | 11 | 12 | ); 13 | } 14 | -------------------------------------------------------------------------------- /laconic/pkg/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "laconic-ot", 3 | "version": "0.1.0", 4 | "license": "MIT", 5 | "files": [ 6 | "laconic_ot_bg.wasm", 7 | "laconic_ot.js", 8 | "laconic_ot.d.ts", 9 | "LICENSE.md" 10 | ], 11 | "module": "laconic_ot.js", 12 | "types": "laconic_ot.d.ts", 13 | "sideEffects": false 14 | } -------------------------------------------------------------------------------- /jigg/src/parse/label.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const Label = require('../modules/label.js'); 4 | 5 | const labelParser = function (labelStr) { 6 | const bytes = new Uint8Array(labelStr.length); 7 | for (let i = 0; i < labelStr.length; i++) { 8 | bytes[i] = labelStr.charCodeAt(i); 9 | } 10 | 11 | return new Label(bytes); 12 | }; 13 | 14 | module.exports = labelParser; -------------------------------------------------------------------------------- /app/pages/api/hello.ts: -------------------------------------------------------------------------------- 1 | // Next.js API route support: https://nextjs.org/docs/api-routes/introduction 2 | import type { NextApiRequest, NextApiResponse } from "next"; 3 | 4 | type Data = { 5 | name: string; 6 | }; 7 | 8 | export default function handler( 9 | req: NextApiRequest, 10 | res: NextApiResponse, 11 | ) { 12 | res.status(200).json({ name: "John Doe" }); 13 | } 14 | -------------------------------------------------------------------------------- /laconic/src/lib.rs: -------------------------------------------------------------------------------- 1 | mod kzg; 2 | mod kzg_fk_open; 3 | mod kzg_types; 4 | mod kzg_utils; 5 | mod laconic_ot; 6 | mod wasm_bindings; 7 | 8 | pub use kzg_types::CommitmentKey; 9 | pub use laconic_ot::*; 10 | pub use wasm_bindings::*; 11 | 12 | // Initialize panic hook for better error messages in WASM 13 | #[wasm_bindgen::prelude::wasm_bindgen(start)] 14 | pub fn start() { 15 | std::panic::set_hook(Box::new(console_error_panic_hook::hook)); 16 | } 17 | -------------------------------------------------------------------------------- /app/tailwind.config.ts: -------------------------------------------------------------------------------- 1 | import type { Config } from "tailwindcss"; 2 | 3 | export default { 4 | content: [ 5 | "./pages/**/*.{js,ts,jsx,tsx,mdx}", 6 | "./components/**/*.{js,ts,jsx,tsx,mdx}", 7 | "./app/**/*.{js,ts,jsx,tsx,mdx}", 8 | ], 9 | theme: { 10 | extend: { 11 | colors: { 12 | background: "var(--background)", 13 | foreground: "var(--foreground)", 14 | }, 15 | }, 16 | }, 17 | plugins: [], 18 | } satisfies Config; 19 | -------------------------------------------------------------------------------- /app/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "ES2017", 4 | "lib": ["dom", "dom.iterable", "esnext"], 5 | "allowJs": true, 6 | "skipLibCheck": true, 7 | "strict": true, 8 | "noEmit": true, 9 | "esModuleInterop": true, 10 | "module": "esnext", 11 | "moduleResolution": "bundler", 12 | "resolveJsonModule": true, 13 | "isolatedModules": true, 14 | "jsx": "preserve", 15 | "incremental": true, 16 | "paths": { 17 | "@/*": ["./*"] 18 | } 19 | }, 20 | "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx"], 21 | "exclude": ["node_modules"] 22 | } 23 | -------------------------------------------------------------------------------- /app/.gitignore: -------------------------------------------------------------------------------- 1 | # See https://help.github.com/articles/ignoring-files/ for more about ignoring files. 2 | 3 | # dependencies 4 | /node_modules 5 | /.pnp 6 | .pnp.* 7 | .yarn/* 8 | !.yarn/patches 9 | !.yarn/plugins 10 | !.yarn/releases 11 | !.yarn/versions 12 | 13 | # testing 14 | /coverage 15 | 16 | # next.js 17 | /.next/ 18 | /out/ 19 | 20 | # production 21 | /build 22 | 23 | # misc 24 | .DS_Store 25 | *.pem 26 | 27 | # debug 28 | npm-debug.log* 29 | yarn-debug.log* 30 | yarn-error.log* 31 | 32 | # env files (can opt-in for committing if needed) 33 | .env* 34 | 35 | # vercel 36 | .vercel 37 | 38 | # typescript 39 | *.tsbuildinfo 40 | next-env.d.ts 41 | -------------------------------------------------------------------------------- /jigg/demo/client/worker.js: -------------------------------------------------------------------------------- 1 | /* global JIGG importScripts */ 2 | importScripts('/dist/jigg.js'); 3 | 4 | onmessage = function (e) { 5 | const role = e.data.role; 6 | const circuit = e.data.circuit; 7 | const input = e.data.input; 8 | const base = e.data.base; 9 | 10 | const agent = new JIGG(role); 11 | agent.loadCircuit(circuit); 12 | agent.setInput(input, base); 13 | 14 | agent.addProgressListener(function (status, start, total, error) { 15 | postMessage({type: 'progress', args: [status, start, total, error]}); 16 | }); 17 | 18 | agent.getOutput(base).then(function (output) { 19 | postMessage({type: 'output', args: output}); 20 | }); 21 | 22 | agent.start(); 23 | }; -------------------------------------------------------------------------------- /app/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "app", 3 | "version": "0.1.0", 4 | "private": true, 5 | "scripts": { 6 | "dev": "next dev", 7 | "build": "next build", 8 | "start": "next start", 9 | "lint": "next lint" 10 | }, 11 | "dependencies": { 12 | "libsodium-wrappers-sumo": "^0.7.15", 13 | "next": "15.0.3", 14 | "react": "18", 15 | "react-dom": "18", 16 | "react-hook-form": "^7.53.2" 17 | }, 18 | "devDependencies": { 19 | "@types/node": "^20", 20 | "@types/react": "^18", 21 | "@types/react-dom": "^18", 22 | "eslint": "^8", 23 | "eslint-config-next": "15.0.3", 24 | "postcss": "^8", 25 | "tailwindcss": "^3.4.1", 26 | "typescript": "^5" 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /circuits/src/demo.rs: -------------------------------------------------------------------------------- 1 | use boolify::{generate_bristol, BoolWire, CircuitOutput, IdGenerator, ValueWire}; 2 | use bristol_circuit::BristolCircuit; 3 | 4 | pub fn demo() { 5 | let id_gen = IdGenerator::new_rc_refcell(); 6 | 7 | let a = ValueWire::new_input("a", 8, &id_gen); 8 | let b = ValueWire::new_input("b", 8, &id_gen); 9 | let c = ValueWire::mul(&a, &b); 10 | let d = ValueWire::less_than(&c, &ValueWire::new_const(123, &id_gen)); 11 | let outputs = vec![CircuitOutput::new("d", BoolWire::as_value(&d))]; 12 | 13 | let bristol_circuit = generate_bristol(&outputs); 14 | println!("gates: {}", bristol_circuit.gates.len()); 15 | let output = BristolCircuit::get_bristol_string(&bristol_circuit).unwrap(); 16 | std::fs::write("demo.txt", output).unwrap(); 17 | } 18 | -------------------------------------------------------------------------------- /jigg/src/modules/circuit.js: -------------------------------------------------------------------------------- 1 | // Describes both garbled and plain circuits 2 | 3 | 'use strict'; 4 | 5 | function Circuit(wiresCount, garblerInputSize, evaluatorInputSize, outputSize, labelSize) { 6 | this.wiresCount = wiresCount; 7 | this.garblerInputSize = garblerInputSize; 8 | this.evaluatorInputSize = evaluatorInputSize; 9 | this.outputSize = outputSize; 10 | this.labelSize = labelSize; 11 | 12 | this.gates = []; 13 | } 14 | 15 | Circuit.prototype.serialize = function () { 16 | const meta = JSON.stringify([ 17 | this.wiresCount, 18 | this.garblerInputSize, 19 | this.evaluatorInputSize, 20 | this.outputSize, 21 | this.labelSize, 22 | this.gates.length 23 | ]); 24 | 25 | const gates = this.gates.map(function (gate) { 26 | return gate.serialize(); 27 | }); 28 | gates.unshift(meta); 29 | 30 | return gates.join(''); 31 | }; 32 | 33 | module.exports = Circuit; -------------------------------------------------------------------------------- /laconic/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "laconic-ot" 3 | version = "0.1.0" 4 | edition = "2021" 5 | license = "MIT" 6 | 7 | [dependencies] 8 | ark-bls12-381 = "0.4.0" 9 | ark-ec = "0.4.2" 10 | ark-ff = "0.4.2" 11 | ark-poly = "0.4.2" 12 | ark-poly-commit = "0.4.0" 13 | ark-serialize = "0.4.2" 14 | ark-std = "0.4.0" 15 | rand = { version = "0.8.5", features = ["getrandom"] } 16 | getrandom = { version = "0.2", features = ["js"] } 17 | blake3 = "1.5" 18 | wasm-bindgen = "0.2" 19 | console_error_panic_hook = "0.1.7" 20 | serde = { version = "1.0", features = ["derive"] } 21 | serde_json = "1.0" 22 | 23 | [dev-dependencies] 24 | criterion = "0.5.1" 25 | 26 | [lib] 27 | crate-type = ["cdylib", "rlib"] 28 | 29 | [[bench]] 30 | name = "laconic_ot" 31 | harness = false 32 | 33 | [features] 34 | asm = ["ark-ff/asm"] 35 | parallel = ["ark-std/parallel", "ark-ff/parallel", "ark-poly/parallel"] 36 | print-trace = ["ark-std/print-trace"] 37 | -------------------------------------------------------------------------------- /jigg/src/util/hexutils.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const table16 = { 4 | 0: '0000', 1: '0001', 2: '0010', 3: '0011', 5 | 4: '0100', 5: '0101', 6: '0110', 7: '0111', 6 | 8: '1000', 9: '1001', A: '1010', B: '1011', 7 | C: '1100', D: '1101', E: '1110', F: '1111' 8 | }; 9 | function hex2bin(hex) { 10 | let bin = ''; 11 | for (let i = 0; i < hex.length; i++) { 12 | bin += table16[hex[i].toUpperCase()]; 13 | } 14 | return bin; 15 | } 16 | 17 | const table2 = { 18 | '0000': '0', '0001': '1', '0010': '2', '0011': '3', 19 | '0100': '4', '0101': '5', '0110': '6', '0111': '7', 20 | '1000': '8', '1001': '9', '1010': 'A', '1011': 'B', 21 | '1100': 'C', '1101': 'D', '1110': 'E', '1111': 'F' 22 | }; 23 | function bin2hex(bin) { 24 | let hex = ''; 25 | bin = (new Array((4-(bin.length%4))%4)).fill('0').join('') + bin; 26 | for (let i = 0; i < bin.length; i+=4) { 27 | hex += table2[bin.substr(i, 4)]; 28 | } 29 | return hex; 30 | } 31 | 32 | module.exports = { 33 | bin2hex: bin2hex, 34 | hex2bin: hex2bin 35 | }; 36 | -------------------------------------------------------------------------------- /jigg/jsdoc.conf.json: -------------------------------------------------------------------------------- 1 | { 2 | "plugins": ["plugins/markdown"], 3 | "recurseDepth": 10, 4 | "source": { 5 | "includePattern": ".+\\.js(doc|x)?$", 6 | "excludePattern": "(^|\\/|\\\\)_", 7 | "include": [ 8 | "./README.md" 9 | ] 10 | }, 11 | "sourceType": "module", 12 | "tags": { 13 | "allowUnknownTags": true, 14 | "dictionaries": ["jsdoc","closure"] 15 | }, 16 | "templates": { 17 | "cleverLinks": false, 18 | "useShortNamesInLinks": true, 19 | "monospaceLinks": false 20 | }, 21 | "opts": { 22 | "destination": "./docs/", 23 | "template": "node_modules/docdash" 24 | }, 25 | "docdash": { 26 | "collalpse": true, 27 | "search": true, 28 | "menu":{ 29 | "Github Repo":{ 30 | "href":"https://github.com/multiparty/jigg", 31 | "target":"_blank", 32 | "class":"menu-item", 33 | "id":"github_link" 34 | }, 35 | "Tutorial":{ 36 | "href":"tutorial.html", 37 | "class":"menu-item" 38 | } 39 | }, 40 | "meta": { 41 | "title": "JIGG Library Documentation" 42 | } 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /app/LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright © 2024 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the “Software”), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /jigg/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Wyatt Howe 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESSED OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /laconic/LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright © 2024 4 | 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the “Software”), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in 14 | all copies or substantial portions of the Software. 15 | 16 | THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 22 | THE SOFTWARE. 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Trinity 2 | 3 | Trinity is a new 2PC scheme, developed by Cursive. It combines ideas from a trio of cryptographic primitives: Garbled Circuits, KZG Witness Encryption, and PLONK. 4 | 5 | This is a v0 version that has the first end-to-end implementation of the core scheme involving Garbled Circuits & KZG WE. PLONK will be added in a future version; it requires significant refactoring and isn't necessary to build initial applications. 6 | 7 | The specific example used is a private hiring matcher. This is the same functionality that we previously built with Multi-Party FHE using [phantom-zone](https://github.com/gausslabs/phantom-zone), which you can find [here](https://github.com/RiverRuby/pz-hiring). 8 | 9 | ## Acknowledgements 10 | 11 | This repo uses code from a number of different projects: 12 | 13 | - `/circuits`: [Boolify](https://github.com/voltrevo/boolify) to write a hiring 2PC circuit in Bristol format 14 | - `/jigg`: [JIGG](https://github.com/multiparty/jigg) for JavaScript native Garbled Circuit generation & evaluation 15 | - `/laconic`: [research-we-kzg](https://github.com/rot256/research-we-kzg), the original paper implementation of KZG Witness Encryption 16 | -------------------------------------------------------------------------------- /jigg/.eslintrc: -------------------------------------------------------------------------------- 1 | { 2 | "root": true, 3 | "extends": "eslint:recommended", 4 | "rules": { 5 | "indent": [2, 2, { "SwitchCase": 1 }], 6 | "keyword-spacing": [2, { "before": true, "after": true }], 7 | "object-shorthand": [2, "consistent"], 8 | "no-unused-vars": [1, { "vars": "local", "args": "none" }], 9 | "quote-props": [1, "consistent-as-needed"], 10 | "eqeqeq": [2, "smart"], 11 | "brace-style": 2, 12 | "curly": 2, 13 | "no-trailing-spaces": 2, 14 | "space-before-function-paren": [ 15 | 2, 16 | { 17 | "anonymous": "always", 18 | "named": "never", 19 | "asyncArrow": "always" 20 | } 21 | ], 22 | "no-console": 0, 23 | "space-before-blocks": [2, "always"], 24 | "requirejs/no-invalid-define": 2, 25 | "requirejs/no-multiple-define": 2, 26 | "requirejs/no-named-define": 2, 27 | "requirejs/no-commonjs-wrapper": 2, 28 | "requirejs/no-object-define": 1 29 | }, 30 | "env": { 31 | "browser": true, 32 | "jquery": true, 33 | "node": true, 34 | "amd": true, 35 | "es6": true 36 | }, 37 | 38 | "parserOptions": { 39 | "ecmaVersion": 6 40 | }, 41 | "plugins": ["requirejs", "mocha"] 42 | } 43 | -------------------------------------------------------------------------------- /jigg/src/modules/gate.js: -------------------------------------------------------------------------------- 1 | // Describes both garbled and plain gates 2 | 3 | "use strict"; 4 | 5 | function Gate(id, operation, inputWires, outputWire, truthTable) { 6 | this.id = id; 7 | this.operation = operation; 8 | this.inputWires = inputWires; 9 | this.outputWire = outputWire; 10 | this.truthTable = truthTable; 11 | 12 | // INV is an alias for NOT 13 | if (this.operation === "INV") { 14 | this.operation = "NOT"; 15 | } 16 | } 17 | 18 | Gate.prototype.serialize = function () { 19 | let gateStr = []; 20 | 21 | if (this.operation === "AND") { 22 | gateStr.push("&"); 23 | } else if (this.operation === "LOR") { 24 | gateStr.push("|"); 25 | } else if (this.operation === "XOR") { 26 | gateStr.push("^"); 27 | } else if (this.operation === "NOT") { 28 | gateStr.push("!"); 29 | } 30 | 31 | gateStr.push(this.id); 32 | gateStr.push(JSON.stringify(this.inputWires)); 33 | gateStr.push(this.outputWire); 34 | 35 | if (this.operation === "AND" || this.operation === "LOR") { 36 | gateStr.push("-"); 37 | for (let i = 0; i < this.truthTable.length; i++) { 38 | gateStr.push(this.truthTable[i].serialize()); 39 | } 40 | } 41 | 42 | return gateStr.join(""); 43 | }; 44 | 45 | module.exports = Gate; 46 | -------------------------------------------------------------------------------- /jigg/jsdoc.layout.tmpl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | JSDoc: <?js= title ?> 6 | 7 | 8 | 9 | 12 | 13 | 14 | 15 | 16 | 17 | 18 |
19 | 20 |

21 | 22 | JIGG','') : content ?> 23 |
24 | 25 | 28 | 29 |
30 | 31 |
32 | Documentation generated by JSDoc on 33 |
34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /jigg/demo/party.js: -------------------------------------------------------------------------------- 1 | const JIGG = require('../src/jigg.js'); 2 | const fs = require('fs'); 3 | 4 | // Handle command line arguments. 5 | const port = process.argv[2]; 6 | const role = process.argv[3]; 7 | let input = process.argv[4]; 8 | let encoding = process.argv[5]; 9 | let circuitName = process.argv[6]; 10 | const debug = process.argv[7] !== 'false'; 11 | 12 | // default arguments. 13 | if (encoding == null) { 14 | encoding = 'number'; 15 | } 16 | if (circuitName == null) { 17 | circuitName = 'arith-add-32-bit-old.txt'; 18 | } 19 | 20 | // encoding 21 | if (encoding === 'number') { 22 | input = parseInt(input); 23 | } 24 | if (encoding === 'bits') { 25 | input = input.split('').map(Number); 26 | } 27 | 28 | // Read circuit 29 | const circuitPath = __dirname + '/../circuits/bristol/' + circuitName; 30 | const circuit = fs.readFileSync(circuitPath, 'utf8'); 31 | 32 | // Application code. 33 | const agent = new JIGG.Client(role, 'http://localhost:' + port, {debug: debug}); 34 | agent.loadCircuit(circuit); 35 | agent.setInput(input, encoding); 36 | 37 | agent.addProgressListener(function (status) { 38 | if (status === 'connected') { 39 | console.time('time'); 40 | } 41 | }); 42 | 43 | agent.getOutput(encoding).then(function (output) { 44 | if (debug) { 45 | console.timeEnd('time'); 46 | } 47 | 48 | console.log(output); 49 | agent.disconnect(); 50 | }); 51 | 52 | agent.start(); -------------------------------------------------------------------------------- /jigg/src/util/crypto.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const sodium = require('libsodium-wrappers-sumo'); 4 | const bytes = 16; 5 | 6 | function encrypt(a, b, t, m) { 7 | const a2 = a.double(); 8 | const b4 = b.quadruple(); 9 | const k = a2.xor(b4); 10 | return m.xor(k).xorBytes(randomOracle(k.bytes, t)); 11 | } 12 | 13 | function longToByteArray(long) { 14 | // we want to represent the input as a 24-bytes array 15 | let byteArray = new Uint8Array(sodium.crypto_secretbox_NONCEBYTES); 16 | 17 | for (let index = 0; index < byteArray.length; index++) { 18 | let byte = long & 0xff; 19 | byteArray [ index ] = byte; 20 | long = (long - byte) / 256 ; 21 | } 22 | 23 | return byteArray; 24 | } 25 | 26 | function randomOracle(m, t) { 27 | return sodium.crypto_secretbox_easy( 28 | m, 29 | longToByteArray(t), // Nonce 24 bytes because this sodium uses 192 bit blocks. 30 | sodium.from_hex('da5698be17b9b46962335799779fbeca8ce5d491c0d26243bafef9ea1837a9d8') // SHA(0). 31 | ).subarray(0, bytes+1); // Prune back to the correct number of bytes. 32 | } 33 | 34 | function encrypt_generic(plaintext, key, nonce) { 35 | return plaintext.xorBytes(key).xorBytes(randomOracle(key, nonce)); 36 | } 37 | 38 | module.exports = { 39 | encrypt: encrypt, // label encryption 40 | decrypt: encrypt, 41 | encrypt_generic: encrypt_generic, // OT 42 | decrypt_generic: encrypt_generic 43 | }; 44 | -------------------------------------------------------------------------------- /app/pages/index.tsx: -------------------------------------------------------------------------------- 1 | import { useEffect, useState } from "react"; 2 | import JobMatching, { GarbledData } from "../components/JobMatching"; 3 | import init, { WasmCommitmentKey } from "../laconic/laconic_ot.js"; 4 | 5 | export default function JobMatchingPage() { 6 | const [garblerText, setGarblerText] = useState(); 7 | const [commitment, setCommitment] = useState(); 8 | const [commitmentKey, setCommitmentKey] = useState(); 9 | 10 | useEffect(() => { 11 | init().then(() => { 12 | setCommitmentKey(WasmCommitmentKey.setup(30)); 13 | }); 14 | }, []); 15 | 16 | return ( 17 |
18 |
19 | {commitmentKey ? ( 20 | <> 21 | 27 | 33 | 34 | ) : ( 35 |

Loading...

36 | )} 37 |
38 |
39 | ); 40 | } 41 | -------------------------------------------------------------------------------- /app/laconic/laconic_ot_bg.wasm.d.ts: -------------------------------------------------------------------------------- 1 | /* tslint:disable */ 2 | /* eslint-disable */ 3 | export const memory: WebAssembly.Memory; 4 | export function __wbg_wasmcommitmentkey_free(a: number, b: number): void; 5 | export function __wbg_wasmreceiver_free(a: number, b: number): void; 6 | export function __wbg_wasmsender_free(a: number, b: number): void; 7 | export function __wbg_wasmmessage_free(a: number, b: number): void; 8 | export function wasmcommitmentkey_setup(a: number, b: number): void; 9 | export function wasmcommitmentkey_serialize(a: number, b: number): void; 10 | export function wasmcommitmentkey_deserialize(a: number, b: number, c: number): void; 11 | export function wasmreceiver_new(a: number, b: number, c: number): number; 12 | export function wasmreceiver_recv(a: number, b: number, c: number, d: number): void; 13 | export function wasmreceiver_commitment(a: number, b: number): void; 14 | export function wasmreceiver_deserialize(a: number, b: number, c: number): number; 15 | export function wasmreceiver_serialize(a: number, b: number): void; 16 | export function wasmsender_new(a: number, b: number, c: number, d: number): void; 17 | export function wasmsender_send(a: number, b: number, c: number, d: number, e: number, f: number, g: number): void; 18 | export function start(): void; 19 | export function __wbindgen_add_to_stack_pointer(a: number): number; 20 | export function __wbindgen_free(a: number, b: number, c: number): void; 21 | export function __wbindgen_malloc(a: number, b: number): number; 22 | export function __wbindgen_realloc(a: number, b: number, c: number, d: number): number; 23 | export function __wbindgen_exn_store(a: number): void; 24 | export function __wbindgen_start(): void; 25 | -------------------------------------------------------------------------------- /laconic/pkg/laconic_ot_bg.wasm.d.ts: -------------------------------------------------------------------------------- 1 | /* tslint:disable */ 2 | /* eslint-disable */ 3 | export const memory: WebAssembly.Memory; 4 | export function __wbg_wasmcommitmentkey_free(a: number, b: number): void; 5 | export function __wbg_wasmreceiver_free(a: number, b: number): void; 6 | export function __wbg_wasmsender_free(a: number, b: number): void; 7 | export function __wbg_wasmmessage_free(a: number, b: number): void; 8 | export function wasmcommitmentkey_setup(a: number, b: number): void; 9 | export function wasmcommitmentkey_serialize(a: number, b: number): void; 10 | export function wasmcommitmentkey_deserialize(a: number, b: number, c: number): void; 11 | export function wasmreceiver_new(a: number, b: number, c: number): number; 12 | export function wasmreceiver_recv(a: number, b: number, c: number, d: number): void; 13 | export function wasmreceiver_commitment(a: number, b: number): void; 14 | export function wasmreceiver_deserialize(a: number, b: number, c: number): number; 15 | export function wasmreceiver_serialize(a: number, b: number): void; 16 | export function wasmsender_new(a: number, b: number, c: number, d: number): void; 17 | export function wasmsender_send(a: number, b: number, c: number, d: number, e: number, f: number, g: number): void; 18 | export function start(): void; 19 | export function __wbindgen_add_to_stack_pointer(a: number): number; 20 | export function __wbindgen_free(a: number, b: number, c: number): void; 21 | export function __wbindgen_malloc(a: number, b: number): number; 22 | export function __wbindgen_realloc(a: number, b: number, c: number, d: number): number; 23 | export function __wbindgen_exn_store(a: number): void; 24 | export function __wbindgen_start(): void; 25 | -------------------------------------------------------------------------------- /jigg/src/comm/clientSocket.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const socketio = require('socket.io-client'); 4 | 5 | function ClientSocket(hostname, agent) { 6 | const self = this; 7 | 8 | this._nextId = 0; 9 | this.socket = socketio(hostname, {forceNew: true}); 10 | 11 | // mailbox and listeners 12 | this.listeners = {}; 13 | this.mailbox = {}; 14 | this.socket.on('receive', function (tag, msg) { 15 | if (self.listeners[tag] != null) { 16 | self.listeners[tag](msg); 17 | delete self.listeners[tag]; 18 | } else { 19 | self.mailbox[tag] = msg; 20 | } 21 | }); 22 | 23 | // handle error 24 | this.socket.on('error', function (error) { 25 | agent.progress('error', null, null, error); 26 | throw error; 27 | }); 28 | } 29 | 30 | ClientSocket.prototype.join = function (role) { 31 | this.socket.emit('join', role); 32 | }; 33 | 34 | ClientSocket.prototype.hear = function (tag, _id) { 35 | if (_id == null) { 36 | _id = this._nextId++; 37 | } 38 | 39 | const self = this; 40 | return new Promise(function (resolve) { 41 | self.on(tag + _id, resolve); 42 | }); 43 | }; 44 | 45 | ClientSocket.prototype.on = function (tag, callback) { 46 | if (this.mailbox[tag] != null) { 47 | callback(this.mailbox[tag]); 48 | delete this.mailbox[tag]; 49 | } else { 50 | this.listeners[tag] = callback; 51 | } 52 | }; 53 | 54 | ClientSocket.prototype.send = function (tag, msg, _id) { 55 | if (_id == null) { 56 | _id = this._nextId++; 57 | } 58 | 59 | this.socket.emit('send', tag + _id, msg); 60 | }; 61 | 62 | ClientSocket.prototype.nextId = function () { 63 | return this._nextId++; 64 | }; 65 | 66 | ClientSocket.prototype.disconnect = function () { 67 | this.socket.disconnect(); 68 | }; 69 | 70 | module.exports = ClientSocket; 71 | -------------------------------------------------------------------------------- /laconic/table.py: -------------------------------------------------------------------------------- 1 | import os 2 | import json 3 | import tabulate 4 | 5 | from fractions import Fraction 6 | 7 | PATH = "target/criterion" 8 | SIZES = list(range(3, 10)) 9 | SUB_DIRS = [ 10 | ("Hash (Time)", "laconic_ot_commit"), 11 | ("Send (Time)", "laconic_ot_send"), 12 | ("Recv (Time)", "laconic_ot_recv"), 13 | ] 14 | 15 | def fmt_time(ns): 16 | if ns < 1_000: 17 | return f"{ns:.2f} ns" 18 | 19 | if ns < 1_000_000: 20 | return f"{ns / 1_000:.2f} µs" 21 | 22 | ms = ns / 1_000_000 23 | 24 | if ms < 1_000: 25 | return f"{ms:.2f} ms" 26 | 27 | s = ms / 1_000 28 | 29 | if s < 60: 30 | return f"{s:.2f} s" 31 | 32 | m = s / 60 33 | s = s % 60 34 | 35 | return f"{m:.0f}:{round(s)} m" 36 | 37 | table = [] 38 | 39 | header = ["Database Size"] 40 | for (name, _) in SUB_DIRS: 41 | header.append(name) 42 | 43 | for size in SIZES: 44 | row = [] 45 | row.append(f"$2^{{{size}}}$") 46 | for (name, sub_dir) in SUB_DIRS: 47 | path = os.path.join(PATH, sub_dir, f"{size}", "new", "sample.json") 48 | data = json.loads(open(path, "r").read()) 49 | 50 | iters = data["iters"] 51 | times = data["times"] 52 | 53 | assert len(iters) == len(times) 54 | 55 | # compute average time 56 | total = 0 57 | for (iter, time) in zip(iters, times): 58 | total += Fraction(time) / iter 59 | 60 | # format time 61 | average_ns = total / len(iters) 62 | time = fmt_time(average_ns) 63 | print(f"{sub_dir} {size} {time}") 64 | row.append(time) 65 | table.append(row) 66 | 67 | print(tabulate.tabulate( 68 | table, 69 | headers=header, 70 | tablefmt="github", 71 | colalign=("center", "center", "center", "center"), 72 | stralign="center", 73 | )) 74 | -------------------------------------------------------------------------------- /app/utils/jobMatchingUtils.ts: -------------------------------------------------------------------------------- 1 | export const convertToBinary = (num: number, bits: number): string => { 2 | let binary = ""; 3 | for (let i = bits - 1; i >= 0; i--) { 4 | binary += num & (1 << i) ? "1" : "0"; 5 | } 6 | return binary; 7 | }; 8 | 9 | export const convertToVector = ( 10 | num: number, 11 | bits: number, 12 | isRecruiter: boolean 13 | ): string => { 14 | if (num > bits) { 15 | throw new Error("Number of ones cannot be greater than the number of bits"); 16 | } 17 | 18 | console.log(num, bits, isRecruiter); 19 | 20 | const vector = Array(bits).fill("0"); 21 | if (!isRecruiter) { 22 | for (let i = 0; i < num; i++) { 23 | vector[i] = "1"; 24 | } 25 | } else { 26 | for (let i = 0; i < bits - num + 1; i++) { 27 | vector[bits - 1 - i] = "1"; 28 | } 29 | } 30 | 31 | return vector.join(""); 32 | }; 33 | 34 | export const generateBinaryInput = (data: { 35 | isRecruiter: boolean; 36 | commitment: boolean; 37 | education: number; 38 | experience: number; 39 | interests: boolean[]; 40 | companyStage: boolean[]; 41 | salary: number; 42 | }): string => { 43 | console.log(data); 44 | const parts = [ 45 | data.isRecruiter ? "1" : "0", // Position bit (0) 46 | data.commitment ? "1" : "0", // Commitment bit (1) 47 | convertToVector(data.education, 4, data.isRecruiter), // Education bits (2-5) 48 | convertToVector(data.experience, 8, data.isRecruiter), // Experience bits (6-13) 49 | data.interests.map((i) => (i ? "1" : "0")).join(""), // Interest bits (14-17) 50 | data.companyStage.map((s) => (s ? "1" : "0")).join(""), // Company stage bits (18-21) 51 | convertToBinary(Math.min(data.salary, 255), 8), // Salary bits (22-29) 52 | ]; 53 | 54 | console.log(parts); 55 | console.log(parts.join("").length); 56 | 57 | return parts.join(""); 58 | }; 59 | -------------------------------------------------------------------------------- /jigg/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "jigg", 3 | "version": "1.0.1", 4 | "description": "JavaScript Implementation of Garbled Gates (two-party computation library for boolean circuits)", 5 | "main": "src/jigg.js", 6 | "dependencies": { 7 | "casm": "^0.2.2", 8 | "libsodium-wrappers-sumo": "^0.7.6", 9 | "socket.io": "^4.8.1" 10 | }, 11 | "devDependencies": { 12 | "browserify": "^16.5.0", 13 | "child_process": "^1.0.2", 14 | "docdash": "^1.1.1", 15 | "eslint": "^5.16.0", 16 | "eslint-plugin-mocha": "^6.2.2", 17 | "eslint-plugin-requirejs": "^4.0.0", 18 | "express": "^4.17.1", 19 | "jsdoc": "^4.0.4", 20 | "mocha": "^10.8.2", 21 | "neptune-notebook": "^1.3.1" 22 | }, 23 | "scripts": { 24 | "test": "mocha test/test.js --timeout 120000", 25 | "build": "browserify src/jiggClient.js --debug --s JIGG -o dist/jigg.js", 26 | "docs": "jsdoc -r src -c jsdoc.conf.json", 27 | "casm": "node node_modules/casm/casm.js", 28 | "lint": "eslint ./src/ ./demo/", 29 | "tutorial": "node tutorial/index.js" 30 | }, 31 | "repository": { 32 | "type": "git", 33 | "url": "git+https://github.com/multiparty/jigg.git" 34 | }, 35 | "keywords": [ 36 | "Garbled-Circuit", 37 | "2PC" 38 | ], 39 | "author": "Wyatt Howe", 40 | "contributors": [ 41 | { 42 | "name": "Kinan Dak Albab", 43 | "email": "babman@bu.edu", 44 | "url": "http://cs-people.bu.edu/babman/" 45 | }, 46 | { 47 | "name": "Andrei Lapets", 48 | "email": "a@lapets.io", 49 | "url": "https://lapets.io" 50 | } 51 | ], 52 | "license": "MIT", 53 | "bugs": { 54 | "url": "https://github.com/multiparty/jigg/issues" 55 | }, 56 | "legacy_homepage": "https://github.com/wyatt-howe/jigg#readme", 57 | "homepage": "https://github.com/multiparty/jigg#readme" 58 | } 59 | -------------------------------------------------------------------------------- /jigg/src/comm/serverSocket.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | function ServerSocket(jiggServer, agent) { 4 | this.id = '__SERVER__'; 5 | this._nextId = 0; 6 | 7 | // instances 8 | this.jiggServer = jiggServer; 9 | this.agent = agent; 10 | 11 | // mailbox and listeners 12 | this.listeners = {}; 13 | this.mailbox = {}; 14 | } 15 | 16 | ServerSocket.prototype.join = function (role) { 17 | this.jiggServer.join(this, role); 18 | }; 19 | 20 | ServerSocket.prototype.hear = function (tag, _id) { 21 | if (_id == null) { 22 | _id = this._nextId++; 23 | } 24 | 25 | const self = this; 26 | return new Promise(function (resolve) { 27 | self.on(tag + _id, resolve); 28 | }); 29 | }; 30 | 31 | ServerSocket.prototype.on = function (tag, callback) { 32 | if (this.mailbox[tag] != null) { 33 | callback(this.mailbox[tag]); 34 | delete this.mailbox[tag]; 35 | } else { 36 | this.listeners[tag] = callback; 37 | } 38 | }; 39 | 40 | ServerSocket.prototype.send = function (tag, msg, _id) { 41 | if (_id == null) { 42 | _id = this._nextId++; 43 | } 44 | 45 | this.jiggServer.send(this, tag + _id, msg); 46 | }; 47 | 48 | ServerSocket.prototype.nextId = function () { 49 | return this._nextId++; 50 | }; 51 | 52 | ServerSocket.prototype.disconnect = function () {}; 53 | 54 | // Specific to a Server Socket, to emulate the server side of the socket 55 | ServerSocket.prototype.emit = function (label, tag, msg) { 56 | if (label === 'error') { 57 | this.agent.progress('error', null, null, tag); 58 | return; 59 | } 60 | 61 | // label must be 'receive' 62 | if (this.listeners[tag] != null) { 63 | this.listeners[tag](msg); 64 | delete this.listeners[tag]; 65 | } else { 66 | this.mailbox[tag] = msg; 67 | } 68 | }; 69 | 70 | ServerSocket.prototype.disconnect = function () { 71 | this.listeners['disconnect'](); 72 | }; 73 | 74 | module.exports = ServerSocket; 75 | -------------------------------------------------------------------------------- /jigg/demo/server.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const fs = require('fs'); 4 | const express = require('express'); 5 | const http = require('http'); 6 | 7 | const app = express(); 8 | const httpServer = http.createServer(app); 9 | 10 | // Static routes 11 | app.get('/', (request, response) => response.sendFile(__dirname + '/client.html')); 12 | app.use('/client', express.static(__dirname + '/client/')); 13 | app.use('/dist', express.static(__dirname + '/../dist/')); 14 | app.use('/circuits', express.static(__dirname + '/../circuits/')); 15 | 16 | // Create new JIGG Server and run it (by running http) 17 | const JIGG = require('../src/jigg.js'); 18 | const server = new JIGG.Server(httpServer); 19 | 20 | const port = parseInt(process.argv[2]); 21 | httpServer.listen(port, function () { 22 | console.log('listening on *:', port); 23 | }); 24 | 25 | // Optional: in case the server is also a garbler or evaluator 26 | const role = process.argv[3]; 27 | if (role != null) { 28 | let input = process.argv[4]; 29 | let encoding = process.argv[5]; 30 | let circuitName = process.argv[6]; 31 | let debug = process.argv[7] !== 'false'; 32 | 33 | // default arguments. 34 | if (encoding == null) { 35 | encoding = 'number'; 36 | } 37 | if (circuitName == null) { 38 | circuitName = 'arith-add-32-bit-old.txt'; 39 | } 40 | 41 | // encoding 42 | if (encoding === 'number') { 43 | input = parseInt(input); 44 | } 45 | if (encoding === 'bits') { 46 | input = input.split('').map(Number); 47 | } 48 | 49 | // Read circuit 50 | const circuitPath = __dirname + '/../circuits/bristol/' + circuitName; 51 | const circuit = fs.readFileSync(circuitPath, 'utf8'); 52 | 53 | const agent = server.makeAgent(role, {debug: debug}); 54 | agent.loadCircuit(circuit); 55 | agent.setInput(input, encoding); 56 | agent.start(); 57 | 58 | agent.getOutput(encoding).then(function (output) { 59 | console.log(output); 60 | agent.socket.disconnect(); 61 | }); 62 | } -------------------------------------------------------------------------------- /jigg/src/comm/ot.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const sodium = require('libsodium-wrappers-sumo'); 4 | 5 | const crypto = require('../util/crypto.js'); 6 | const labelParser = require('../parse/label.js'); 7 | 8 | function OT(socket) { 9 | this.socket = socket; 10 | } 11 | 12 | OT.prototype.send = function (tag, m0, m1) { 13 | const self = this; 14 | const _id = this.socket.nextId(); 15 | 16 | const a = sodium.crypto_core_ristretto255_scalar_random(); 17 | const A = sodium.crypto_scalarmult_ristretto255_base(a); 18 | 19 | this.socket.send('A', Array.from(A), _id); 20 | this.socket.hear('B', _id).then(function (B) { 21 | B = Uint8Array.from(B); 22 | let k0 = sodium.crypto_scalarmult_ristretto255(a, B); 23 | let k1 = sodium.crypto_scalarmult_ristretto255(a, sodium.crypto_core_ristretto255_sub(B, A)); 24 | 25 | k0 = sodium.crypto_generichash(m0.bytes.length, k0); 26 | k1 = sodium.crypto_generichash(m1.bytes.length, k1); 27 | 28 | const e0 = crypto.encrypt_generic(m0, k0, 0); 29 | const e1 = crypto.encrypt_generic(m1, k1, 0); 30 | 31 | self.socket.send('e', [e0.serialize(), e1.serialize()], _id); 32 | }); 33 | }; 34 | 35 | OT.prototype.receive = function (tag, c) { 36 | const self = this; 37 | const _id = this.socket.nextId(); 38 | 39 | const b = sodium.crypto_core_ristretto255_scalar_random(); 40 | let B = sodium.crypto_scalarmult_ristretto255_base(b); 41 | 42 | return new Promise(function (resolve) { 43 | self.socket.hear('A', _id).then(function (A) { 44 | A = Uint8Array.from(A); 45 | if (c === 1) { 46 | B = sodium.crypto_core_ristretto255_add(A, B); 47 | } 48 | 49 | self.socket.send('B', Array.from(B), _id); 50 | self.socket.hear('e', _id).then(function (e) { 51 | e = labelParser(e[c]); 52 | 53 | let k = sodium.crypto_scalarmult_ristretto255(b, A); 54 | k = sodium.crypto_generichash(e.bytes.length, k); 55 | 56 | resolve(crypto.decrypt_generic(e, k, 0)); 57 | }); 58 | }); 59 | }); 60 | }; 61 | 62 | module.exports = OT; 63 | -------------------------------------------------------------------------------- /app/public/circuits/job_matching.txt: -------------------------------------------------------------------------------- 1 | 95 155 2 | 2 30 30 3 | 1 1 4 | 2 1 0 30 60 XOR 5 | 2 1 60 60 61 AND 6 | 2 1 61 0 62 AND 7 | 2 1 2 32 63 AND 8 | 2 1 3 33 64 AND 9 | 2 1 63 64 65 LOR 10 | 2 1 4 34 66 AND 11 | 2 1 65 66 67 LOR 12 | 2 1 5 35 68 AND 13 | 2 1 67 68 69 LOR 14 | 2 1 62 69 70 AND 15 | 2 1 6 36 71 AND 16 | 2 1 7 37 72 AND 17 | 2 1 71 72 73 LOR 18 | 2 1 8 38 74 AND 19 | 2 1 73 74 75 LOR 20 | 2 1 9 39 76 AND 21 | 2 1 75 76 77 LOR 22 | 2 1 10 40 78 AND 23 | 2 1 77 78 79 LOR 24 | 2 1 11 41 80 AND 25 | 2 1 79 80 81 LOR 26 | 2 1 12 42 82 AND 27 | 2 1 81 82 83 LOR 28 | 2 1 13 43 84 AND 29 | 2 1 83 84 85 LOR 30 | 2 1 70 85 86 AND 31 | 1 1 52 87 NOT 32 | 2 1 87 22 88 AND 33 | 2 1 52 22 89 XOR 34 | 1 1 89 90 NOT 35 | 1 1 53 91 NOT 36 | 2 1 91 23 92 AND 37 | 2 1 90 92 93 AND 38 | 2 1 88 93 94 LOR 39 | 2 1 53 23 95 XOR 40 | 1 1 95 96 NOT 41 | 2 1 96 90 97 AND 42 | 1 1 54 98 NOT 43 | 2 1 98 24 99 AND 44 | 2 1 54 24 100 XOR 45 | 1 1 100 101 NOT 46 | 1 1 55 102 NOT 47 | 2 1 102 25 103 AND 48 | 2 1 101 103 104 AND 49 | 2 1 99 104 105 LOR 50 | 2 1 97 105 106 AND 51 | 2 1 94 106 107 LOR 52 | 2 1 55 25 108 XOR 53 | 1 1 108 109 NOT 54 | 2 1 109 101 110 AND 55 | 2 1 110 97 111 AND 56 | 1 1 56 112 NOT 57 | 2 1 112 26 113 AND 58 | 2 1 56 26 114 XOR 59 | 1 1 114 115 NOT 60 | 1 1 57 116 NOT 61 | 2 1 116 27 117 AND 62 | 2 1 115 117 118 AND 63 | 2 1 113 118 119 LOR 64 | 2 1 57 27 120 XOR 65 | 1 1 120 121 NOT 66 | 2 1 121 115 122 AND 67 | 1 1 58 123 NOT 68 | 2 1 123 28 124 AND 69 | 2 1 58 28 125 XOR 70 | 1 1 125 126 NOT 71 | 1 1 59 127 NOT 72 | 2 1 127 29 128 AND 73 | 2 1 126 128 129 AND 74 | 2 1 124 129 130 LOR 75 | 2 1 122 130 131 AND 76 | 2 1 119 131 132 LOR 77 | 2 1 111 132 133 AND 78 | 2 1 107 133 134 LOR 79 | 2 1 86 134 135 AND 80 | 2 1 14 44 136 AND 81 | 2 1 15 45 137 AND 82 | 2 1 136 137 138 LOR 83 | 2 1 16 46 139 AND 84 | 2 1 138 139 140 LOR 85 | 2 1 17 47 141 AND 86 | 2 1 140 141 142 LOR 87 | 2 1 135 142 143 AND 88 | 2 1 18 48 144 AND 89 | 2 1 19 49 145 AND 90 | 2 1 144 145 146 LOR 91 | 2 1 20 50 147 AND 92 | 2 1 146 147 148 LOR 93 | 2 1 21 51 149 AND 94 | 2 1 148 149 150 LOR 95 | 2 1 143 150 151 AND 96 | 1 1 1 152 NOT 97 | 2 1 152 31 153 LOR 98 | 2 1 151 153 154 AND 99 | -------------------------------------------------------------------------------- /circuits/job_matching_two_input.txt: -------------------------------------------------------------------------------- 1 | 95 155 2 | 2 30 30 3 | 1 1 4 | 5 | 2 1 29 59 60 XOR 6 | 2 1 60 60 61 AND 7 | 2 1 61 29 62 AND 8 | 2 1 27 57 63 AND 9 | 2 1 26 56 64 AND 10 | 2 1 63 64 65 OR 11 | 2 1 25 55 66 AND 12 | 2 1 65 66 67 OR 13 | 2 1 24 54 68 AND 14 | 2 1 67 68 69 OR 15 | 2 1 62 69 70 AND 16 | 2 1 23 53 71 AND 17 | 2 1 22 52 72 AND 18 | 2 1 71 72 73 OR 19 | 2 1 21 51 74 AND 20 | 2 1 73 74 75 OR 21 | 2 1 20 50 76 AND 22 | 2 1 75 76 77 OR 23 | 2 1 19 49 78 AND 24 | 2 1 77 78 79 OR 25 | 2 1 18 48 80 AND 26 | 2 1 79 80 81 OR 27 | 2 1 17 47 82 AND 28 | 2 1 81 82 83 OR 29 | 2 1 16 46 84 AND 30 | 2 1 83 84 85 OR 31 | 2 1 70 85 86 AND 32 | 1 1 30 87 NOT 33 | 2 1 87 0 88 AND 34 | 2 1 30 0 89 XOR 35 | 1 1 89 90 NOT 36 | 1 1 31 91 NOT 37 | 2 1 91 1 92 AND 38 | 2 1 90 92 93 AND 39 | 2 1 88 93 94 OR 40 | 2 1 31 1 95 XOR 41 | 1 1 95 96 NOT 42 | 2 1 96 90 97 AND 43 | 1 1 32 98 NOT 44 | 2 1 98 2 99 AND 45 | 2 1 32 2 100 XOR 46 | 1 1 100 101 NOT 47 | 1 1 33 102 NOT 48 | 2 1 102 3 103 AND 49 | 2 1 101 103 104 AND 50 | 2 1 99 104 105 OR 51 | 2 1 97 105 106 AND 52 | 2 1 94 106 107 OR 53 | 2 1 33 3 108 XOR 54 | 1 1 108 109 NOT 55 | 2 1 109 101 110 AND 56 | 2 1 110 97 111 AND 57 | 1 1 34 112 NOT 58 | 2 1 112 4 113 AND 59 | 2 1 34 4 114 XOR 60 | 1 1 114 115 NOT 61 | 1 1 35 116 NOT 62 | 2 1 116 5 117 AND 63 | 2 1 115 117 118 AND 64 | 2 1 113 118 119 OR 65 | 2 1 35 5 120 XOR 66 | 1 1 120 121 NOT 67 | 2 1 121 115 122 AND 68 | 1 1 36 123 NOT 69 | 2 1 123 6 124 AND 70 | 2 1 36 6 125 XOR 71 | 1 1 125 126 NOT 72 | 1 1 37 127 NOT 73 | 2 1 127 7 128 AND 74 | 2 1 126 128 129 AND 75 | 2 1 124 129 130 OR 76 | 2 1 122 130 131 AND 77 | 2 1 119 131 132 OR 78 | 2 1 111 132 133 AND 79 | 2 1 107 133 134 OR 80 | 2 1 86 134 135 AND 81 | 2 1 15 45 136 AND 82 | 2 1 14 44 137 AND 83 | 2 1 136 137 138 OR 84 | 2 1 13 43 139 AND 85 | 2 1 138 139 140 OR 86 | 2 1 12 42 141 AND 87 | 2 1 140 141 142 OR 88 | 2 1 135 142 143 AND 89 | 2 1 11 41 144 AND 90 | 2 1 10 40 145 AND 91 | 2 1 144 145 146 OR 92 | 2 1 9 39 147 AND 93 | 2 1 146 147 148 OR 94 | 2 1 8 38 149 AND 95 | 2 1 148 149 150 OR 96 | 2 1 143 150 151 AND 97 | 1 1 28 152 NOT 98 | 2 1 152 58 153 OR 99 | 2 1 151 153 154 AND 100 | -------------------------------------------------------------------------------- /jigg/src/modules/label.js: -------------------------------------------------------------------------------- 1 | // Wrapper around Uint8Arrays 2 | 3 | "use strict"; 4 | 5 | function Label(bytes) { 6 | this.bytes = bytes; 7 | } 8 | 9 | Label.prototype.xor = function (label2) { 10 | return this.xorBytes(label2.bytes); 11 | }; 12 | 13 | Label.prototype.xorBytes = function (bytes2) { 14 | const bytes = this.bytes.slice(); 15 | 16 | for (let i = 0; i < bytes.length; i++) { 17 | bytes[i] = bytes[i] ^ bytes2[i]; 18 | } 19 | 20 | return new Label(bytes); 21 | }; 22 | 23 | Label.prototype.double = function () { 24 | const bytes = this.bytes.slice(); 25 | const leastbyte = bytes[0]; 26 | bytes.copyWithin(0, 1, 15); // Logical left shift by 1 byte 27 | bytes[14] = leastbyte; // Restore old least byte as new greatest (non-pointer) byte 28 | return new Label(bytes); 29 | }; 30 | 31 | Label.prototype.quadruple = function () { 32 | const bytes = this.bytes.slice(); 33 | const leastbytes = [bytes[0], bytes[1]]; 34 | bytes.copyWithin(0, 2, 15); // Logical left shift by 2 byte 35 | [bytes[13], bytes[14]] = leastbytes; // Restore old least two bytes as new greatest bytes 36 | return new Label(bytes); 37 | }; 38 | 39 | Label.prototype.getPoint = function () { 40 | return this.bytes[15] & 0x01; 41 | }; 42 | 43 | Label.prototype.setPoint = function (point) { 44 | if (point === 0) { 45 | this.bytes[15] = this.bytes[15] & 0xfe; 46 | } else { 47 | this.bytes[15] = this.bytes[15] | 0x01; 48 | } 49 | }; 50 | 51 | Label.prototype.equals = function (label2) { 52 | if (this.bytes.length !== label2.bytes.length) { 53 | return false; 54 | } 55 | 56 | for (let i = 0; i < this.bytes.length; i++) { 57 | if (this.bytes[i] !== label2.bytes[i]) { 58 | return false; 59 | } 60 | } 61 | 62 | return true; 63 | }; 64 | 65 | Label.prototype.isZero = function () { 66 | for (let i = 0; i < this.bytes.length; i++) { 67 | if (this.bytes[i] !== 0) { 68 | return false; 69 | } 70 | } 71 | 72 | return true; 73 | }; 74 | 75 | Label.prototype.serialize = function () { 76 | const arr = []; 77 | for (let i = 0; i < this.bytes.length; i++) { 78 | arr[i] = String.fromCharCode(this.bytes[i]); 79 | } 80 | 81 | return arr.join(""); 82 | }; 83 | 84 | module.exports = Label; 85 | -------------------------------------------------------------------------------- /circuits/job_matching.txt: -------------------------------------------------------------------------------- 1 | 95 155 2 | 46 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 8 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 8 3 | 1 1 4 | 5 | 2 1 0 30 60 XOR 6 | 2 1 60 60 61 AND 7 | 2 1 61 0 62 AND 8 | 2 1 2 32 63 AND 9 | 2 1 3 33 64 AND 10 | 2 1 63 64 65 OR 11 | 2 1 4 34 66 AND 12 | 2 1 65 66 67 OR 13 | 2 1 5 35 68 AND 14 | 2 1 67 68 69 OR 15 | 2 1 62 69 70 AND 16 | 2 1 6 36 71 AND 17 | 2 1 7 37 72 AND 18 | 2 1 71 72 73 OR 19 | 2 1 8 38 74 AND 20 | 2 1 73 74 75 OR 21 | 2 1 9 39 76 AND 22 | 2 1 75 76 77 OR 23 | 2 1 10 40 78 AND 24 | 2 1 77 78 79 OR 25 | 2 1 11 41 80 AND 26 | 2 1 79 80 81 OR 27 | 2 1 12 42 82 AND 28 | 2 1 81 82 83 OR 29 | 2 1 13 43 84 AND 30 | 2 1 83 84 85 OR 31 | 2 1 70 85 86 AND 32 | 1 1 52 87 NOT 33 | 2 1 87 22 88 AND 34 | 2 1 52 22 89 XOR 35 | 1 1 89 90 NOT 36 | 1 1 53 91 NOT 37 | 2 1 91 23 92 AND 38 | 2 1 90 92 93 AND 39 | 2 1 88 93 94 OR 40 | 2 1 53 23 95 XOR 41 | 1 1 95 96 NOT 42 | 2 1 96 90 97 AND 43 | 1 1 54 98 NOT 44 | 2 1 98 24 99 AND 45 | 2 1 54 24 100 XOR 46 | 1 1 100 101 NOT 47 | 1 1 55 102 NOT 48 | 2 1 102 25 103 AND 49 | 2 1 101 103 104 AND 50 | 2 1 99 104 105 OR 51 | 2 1 97 105 106 AND 52 | 2 1 94 106 107 OR 53 | 2 1 55 25 108 XOR 54 | 1 1 108 109 NOT 55 | 2 1 109 101 110 AND 56 | 2 1 110 97 111 AND 57 | 1 1 56 112 NOT 58 | 2 1 112 26 113 AND 59 | 2 1 56 26 114 XOR 60 | 1 1 114 115 NOT 61 | 1 1 57 116 NOT 62 | 2 1 116 27 117 AND 63 | 2 1 115 117 118 AND 64 | 2 1 113 118 119 OR 65 | 2 1 57 27 120 XOR 66 | 1 1 120 121 NOT 67 | 2 1 121 115 122 AND 68 | 1 1 58 123 NOT 69 | 2 1 123 28 124 AND 70 | 2 1 58 28 125 XOR 71 | 1 1 125 126 NOT 72 | 1 1 59 127 NOT 73 | 2 1 127 29 128 AND 74 | 2 1 126 128 129 AND 75 | 2 1 124 129 130 OR 76 | 2 1 122 130 131 AND 77 | 2 1 119 131 132 OR 78 | 2 1 111 132 133 AND 79 | 2 1 107 133 134 OR 80 | 2 1 86 134 135 AND 81 | 2 1 14 44 136 AND 82 | 2 1 15 45 137 AND 83 | 2 1 136 137 138 OR 84 | 2 1 16 46 139 AND 85 | 2 1 138 139 140 OR 86 | 2 1 17 47 141 AND 87 | 2 1 140 141 142 OR 88 | 2 1 135 142 143 AND 89 | 2 1 18 48 144 AND 90 | 2 1 19 49 145 AND 91 | 2 1 144 145 146 OR 92 | 2 1 20 50 147 AND 93 | 2 1 146 147 148 OR 94 | 2 1 21 51 149 AND 95 | 2 1 148 149 150 OR 96 | 2 1 143 150 151 AND 97 | 1 1 1 152 NOT 98 | 2 1 152 31 153 OR 99 | 2 1 151 153 154 AND 100 | -------------------------------------------------------------------------------- /jigg/demo/client/client.js: -------------------------------------------------------------------------------- 1 | /* global JIGG */ 2 | let timeStart; 3 | 4 | const getCircuit = function () { 5 | return $.ajax('/circuits/bristol/' + $('#circuit').val()); 6 | }; 7 | const countbits = function () { 8 | const input = $('#input').val(); 9 | const base = $('#base').val(); 10 | 11 | let count = input.length; 12 | if (base === 'hex') { 13 | count *= 4; 14 | } 15 | if (base === 'number') { 16 | count = Number(input).toString(2).length; 17 | } 18 | 19 | $('#bitsCount').text('Entered ' + count + ' bits'); 20 | }; 21 | 22 | const progress = function (status, start, total, error) { 23 | if (status === 'connected') { 24 | timeStart = new Date().getTime(); 25 | } 26 | if (status === 'error') { 27 | document.getElementById('results').innerHTML += '

' + error.toString() + '

'; 28 | console.log(error); 29 | return; 30 | } 31 | if (status === 'garbling' || status === 'evaluating') { 32 | document.getElementById('results').innerHTML += '

' + status + ': ' + start + '/' + total + '

'; 33 | return; 34 | } 35 | document.getElementById('results').innerHTML += '

' + status + '

'; 36 | }; 37 | const displayOutput = function (output) { 38 | const timeEnd = new Date().getTime(); 39 | const time = (timeEnd - timeStart) / 1000; 40 | 41 | const base = $('#base').val(); 42 | if (base === 'bits') { 43 | output = output.reverse().join(''); 44 | } 45 | document.getElementById('results').innerHTML += '

Results: ' + output + '     Took: ' + time + 'seconds

'; 46 | }; 47 | 48 | const start = function () { 49 | getCircuit().then(function (circuit) { 50 | const role = $('#partytype').val(); 51 | const base = $('#base').val(); 52 | 53 | let input = $('#input').val(); 54 | if (base === 'bits') { 55 | input = input.split('').map(Number).reverse(); 56 | } else if (base === 'number') { 57 | input = Number(input); 58 | } 59 | 60 | if (window.Worker) { 61 | const worker = new Worker('client/worker.js'); 62 | worker.postMessage({role: role, circuit: circuit, input: input, base: base}); 63 | worker.onmessage = function (e) { 64 | if (e.data.type === 'progress') { 65 | progress.apply(window, e.data.args); 66 | } else { 67 | displayOutput(e.data.args); 68 | } 69 | }; 70 | } else { 71 | const agent = new JIGG(role); 72 | agent.addProgressListener(progress); 73 | agent.loadCircuit(circuit); 74 | agent.setInput(input, base); 75 | agent.getOutput(base).then(displayOutput); 76 | agent.start(); 77 | } 78 | }); 79 | }; -------------------------------------------------------------------------------- /jigg/src/jiggServer.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const io = require('socket.io'); 4 | 5 | const JIGGClient = require('./jiggClient.js'); 6 | const ServerSocket = require('./comm/serverSocket.js'); 7 | 8 | /** 9 | * Create a new JIGG server. 10 | * @param {http} http - An HTTP server to be used to initialize a socket.io server. 11 | * @param {object} [options] - additional optional options including: 12 | * debug, which defaults to false. 13 | * @constructor 14 | * @alias Server 15 | */ 16 | function Server(http, options) { 17 | const self = this; 18 | 19 | if (options == null) { 20 | options = {}; 21 | } 22 | 23 | this.http = http; 24 | this.io = io(http); 25 | 26 | this.parties = { 27 | Garbler: null, 28 | Evaluator: null 29 | }; 30 | 31 | this.io.on('connection', function (socket) { 32 | socket.on('join', self.join.bind(self, socket)); 33 | socket.on('send', self.send.bind(self, socket)); 34 | }); 35 | 36 | this.log = function () {}; 37 | if (options.debug) { 38 | this.log = console.log.bind(console); 39 | } 40 | } 41 | 42 | Server.prototype.join = function (socket, role) { 43 | const self = this; 44 | 45 | this.log('join', role); 46 | if (role !== 'Garbler' && role !== 'Evaluator') { 47 | socket.emit('error', 'Invalid role!'); 48 | return; 49 | } 50 | 51 | if (this.parties[role] != null) { 52 | socket.emit('error', 'Role already taken!'); 53 | return; 54 | } 55 | 56 | this.parties[role] = socket; 57 | socket.on('disconnect', function () { 58 | self.parties[role] = null; 59 | }); 60 | 61 | if (this.parties['Garbler'] != null && this.parties['Evaluator'] != null) { 62 | this.log('Both parties connected'); 63 | this.parties['Garbler'].emit('receive', 'go0'); 64 | this.parties['Evaluator'].emit('receive', 'go0'); 65 | } 66 | }; 67 | 68 | Server.prototype.send = function (socket, tag, msg) { 69 | this.log('send', tag); 70 | let target = this.parties['Evaluator']; 71 | if (socket === this.parties['Evaluator']) { 72 | target = this.parties['Garbler']; 73 | } 74 | 75 | target.emit('receive', tag, msg); 76 | }; 77 | 78 | /** 79 | * Creates and returns a new JIGG Client Agent 80 | * This agent is wired into the server, to avoid unnecessary overheads. 81 | * @param {string} role - either 'Garbler' or 'Evaluator'. 82 | * @param {object} [options] - same format as the Client Agent constructor. 83 | * @return {Agent} the client Agent ready to use normally. 84 | */ 85 | Server.prototype.makeAgent = function (role, options) { 86 | options = Object.assign({}, options, {__Socket: ServerSocket}); 87 | return new JIGGClient(role, this, options); 88 | }; 89 | 90 | module.exports = Server; -------------------------------------------------------------------------------- /laconic/README.md: -------------------------------------------------------------------------------- 1 | # KZG Witness Encryption 2 | 3 | This is the implementation artifacts for the paper: 4 | 5 | [Extractable Witness Encryption for KZG Commitments and Efficient Laconic OT](https://eprint.iacr.org/2024/264) 6 | 7 | **Abstract:** 8 | We present a concretely efficient and simple extractable witness encryption scheme for KZG polynomial commitments. 9 | It allows to encrypt a message towards a triple $(\mathsf{com}, \alpha, \beta)$, where $\mathsf{com}$ is a KZG commitment for some polynomial $f(X)$. 10 | Anyone with an opening for the commitment attesting $f(\alpha) = \beta$ can decrypt, but without knowledge of a valid opening the message is computationally hidden. 11 | 12 | Our construction is simple and highly efficient. The ciphertext is only a single group element. 13 | Encryption and decryption both require a single pairing evaluation and a constant number of group operations. 14 | 15 | ## Laconic OT Performance 16 | 17 | Using our witness encryption scheme for KZG we construct a simple and highly efficient laconic OT protocol 18 | which significantly outperforms the state of the art in most important metrics. 19 | 20 | At 128-bits of security, the digest is a constant 48 bytes and the communication is just 256 bytes. 21 | 22 | Below are the running times on an Macbook Pro M3 Max for different operations and different database sizes: 23 | 24 | | Database Size | Hash (Time) | Send (Time) | Recv (Time) | 25 | |-----------------|---------------|---------------|---------------| 26 | | $2^{3}$ | 12.39 ms | 2.59 ms | 595.52 µs | 27 | | $2^{4}$ | 24.58 ms | 2.62 ms | 594.31 µs | 28 | | $2^{5}$ | 49.27 ms | 2.63 ms | 595.35 µs | 29 | | $2^{6}$ | 98.93 ms | 2.64 ms | 590.88 µs | 30 | | $2^{7}$ | 199.65 ms | 2.64 ms | 597.03 µs | 31 | | $2^{8}$ | 405.10 ms | 2.64 ms | 597.60 µs | 32 | | $2^{9}$ | 819.49 ms | 2.64 ms | 595.67 µs | 33 | | $2^{10}$ | 1.65 s | 2.65 ms | 596.54 µs | 34 | | $2^{11}$ | 2.90 s | 2.64 ms | 592.32 µs | 35 | | $2^{12}$ | 5.19 s | 2.65 ms | 592.85 µs | 36 | | $2^{13}$ | 10.08 s | 2.65 ms | 597.57 µs | 37 | | $2^{14}$ | 20.01 s | 2.65 ms | 592.74 µs | 38 | | $2^{15}$ | 40.76 s | 2.65 ms | 591.76 µs | 39 | | $2^{16}$ | 1:22 m | 2.65 ms | 592.44 µs | 40 | | $2^{17}$ | 3:48 m | 2.65 ms | 593.00 µs | 41 | | $2^{18}$ | 6:39 m | 2.64 ms | 592.98 µs | 42 | 43 | Where: 44 | 45 | - Hash: compute the digest of the database (containing the OT choice bits) 46 | - Send: OT send. 47 | - Recv: OT receive. 48 | 49 | ## Reproduction of The Results 50 | 51 | Benchmarks can be reproduced by simply running `cargo bench`. 52 | -------------------------------------------------------------------------------- /laconic/pkg/README.md: -------------------------------------------------------------------------------- 1 | # KZG Witness Encryption 2 | 3 | This is the implementation artifacts for the paper: 4 | 5 | [Extractable Witness Encryption for KZG Commitments and Efficient Laconic OT](https://eprint.iacr.org/2024/264) 6 | 7 | **Abstract:** 8 | We present a concretely efficient and simple extractable witness encryption scheme for KZG polynomial commitments. 9 | It allows to encrypt a message towards a triple $(\mathsf{com}, \alpha, \beta)$, where $\mathsf{com}$ is a KZG commitment for some polynomial $f(X)$. 10 | Anyone with an opening for the commitment attesting $f(\alpha) = \beta$ can decrypt, but without knowledge of a valid opening the message is computationally hidden. 11 | 12 | Our construction is simple and highly efficient. The ciphertext is only a single group element. 13 | Encryption and decryption both require a single pairing evaluation and a constant number of group operations. 14 | 15 | ## Laconic OT Performance 16 | 17 | Using our witness encryption scheme for KZG we construct a simple and highly efficient laconic OT protocol 18 | which significantly outperforms the state of the art in most important metrics. 19 | 20 | At 128-bits of security, the digest is a constant 48 bytes and the communication is just 256 bytes. 21 | 22 | Below are the running times on an Macbook Pro M3 Max for different operations and different database sizes: 23 | 24 | | Database Size | Hash (Time) | Send (Time) | Recv (Time) | 25 | |-----------------|---------------|---------------|---------------| 26 | | $2^{3}$ | 12.39 ms | 2.59 ms | 595.52 µs | 27 | | $2^{4}$ | 24.58 ms | 2.62 ms | 594.31 µs | 28 | | $2^{5}$ | 49.27 ms | 2.63 ms | 595.35 µs | 29 | | $2^{6}$ | 98.93 ms | 2.64 ms | 590.88 µs | 30 | | $2^{7}$ | 199.65 ms | 2.64 ms | 597.03 µs | 31 | | $2^{8}$ | 405.10 ms | 2.64 ms | 597.60 µs | 32 | | $2^{9}$ | 819.49 ms | 2.64 ms | 595.67 µs | 33 | | $2^{10}$ | 1.65 s | 2.65 ms | 596.54 µs | 34 | | $2^{11}$ | 2.90 s | 2.64 ms | 592.32 µs | 35 | | $2^{12}$ | 5.19 s | 2.65 ms | 592.85 µs | 36 | | $2^{13}$ | 10.08 s | 2.65 ms | 597.57 µs | 37 | | $2^{14}$ | 20.01 s | 2.65 ms | 592.74 µs | 38 | | $2^{15}$ | 40.76 s | 2.65 ms | 591.76 µs | 39 | | $2^{16}$ | 1:22 m | 2.65 ms | 592.44 µs | 40 | | $2^{17}$ | 3:48 m | 2.65 ms | 593.00 µs | 41 | | $2^{18}$ | 6:39 m | 2.64 ms | 592.98 µs | 42 | 43 | Where: 44 | 45 | - Hash: compute the digest of the database (containing the OT choice bits) 46 | - Send: OT send. 47 | - Recv: OT receive. 48 | 49 | ## Reproduction of The Results 50 | 51 | Benchmarks can be reproduced by simply running `cargo bench`. 52 | -------------------------------------------------------------------------------- /laconic/src/kzg.rs: -------------------------------------------------------------------------------- 1 | use ark_ec::pairing::Pairing; 2 | use ark_ec::CurveGroup; 3 | use ark_poly::EvaluationDomain; 4 | use ark_std::UniformRand; 5 | use ark_std::Zero; 6 | 7 | use std::ops::Mul; 8 | 9 | use crate::kzg_types::Commitment; 10 | use crate::kzg_types::Opening; 11 | use crate::kzg_types::State; 12 | use crate::kzg_utils::plain_kzg_com; 13 | use crate::kzg_utils::witness_evals_inside; 14 | use crate::{ 15 | kzg_fk_open::precompute_y, 16 | kzg_types::{CommitmentKey, VcKZG}, 17 | }; 18 | 19 | impl> VcKZG { 20 | pub fn setup( 21 | rng: &mut R, 22 | message_length: usize, 23 | ) -> Result, ()> { 24 | CommitmentKey::setup(rng, message_length) 25 | } 26 | 27 | pub fn commit( 28 | rng: &mut R, 29 | ck: &CommitmentKey, 30 | m: &Vec, 31 | ) -> (Commitment, State) { 32 | // evals[0..domain.size] will store evaluations of our polynomial 33 | // over our evaluation domain, namely 34 | // evals[i] = m[i] if m[i] is defined, 35 | // evals[i] = random if not 36 | // evals[domain.size()..2*domain.size()] will store evaluations of 37 | // the random masking polynomial used for hiding 38 | // we keep both evaluations in the same vector so that 39 | // we can easily do a single MSM later 40 | let dsize = ck.domain.size(); 41 | let mut evals = Vec::with_capacity(2 * dsize); 42 | for i in 0..m.len() { 43 | evals.push(m[i]); 44 | } 45 | for _ in m.len()..2 * ck.domain.size() { 46 | evals.push(E::ScalarField::rand(rng)); 47 | } 48 | 49 | // from our evaluations, we compute a standard KZG commitment 50 | let com_kzg = plain_kzg_com(ck, &evals); 51 | 52 | let state = State { 53 | evals, 54 | precomputed_v: None, 55 | }; 56 | let com = Commitment { com_kzg }; 57 | (com, state) 58 | } 59 | 60 | pub fn open(ck: &CommitmentKey, st: &State, i: u32) -> Result, ()> { 61 | if i as usize >= ck.message_length { 62 | return Err(()); 63 | } 64 | 65 | // compute v: the KZG opening, which is a KZG commitment 66 | // to the witness polynomial. Either we already have it 67 | // precomputed, or we compute it in evaluation form 68 | let v = if let Some(vs) = &st.precomputed_v { 69 | vs[i as usize].into_affine() 70 | } else { 71 | let deg = ck.domain.size(); 72 | let mut witn_evals = Vec::new(); 73 | witness_evals_inside::(&ck.domain, &st.evals, i as usize, &mut witn_evals); 74 | witness_evals_inside::( 75 | &ck.domain, 76 | &st.evals[deg..2 * deg], 77 | i as usize, 78 | &mut witn_evals, 79 | ); 80 | plain_kzg_com(&ck, &witn_evals) 81 | }; 82 | 83 | Ok(Opening { v }) 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /jigg/src/parse/circuit.js: -------------------------------------------------------------------------------- 1 | "use strict"; 2 | 3 | const Circuit = require("../modules/circuit.js"); 4 | const Gate = require("../modules/gate.js"); 5 | const Label = require("../modules/label.js"); 6 | 7 | const circuitParser = function (text) { 8 | const metaEnd = text.indexOf("]"); 9 | const meta = JSON.parse(text.substring(0, metaEnd + 1)); 10 | 11 | const circuit = new Circuit(meta[0], meta[1], meta[2], meta[3], meta[4]); 12 | let gatesCount = meta[5]; 13 | 14 | let i = metaEnd + 1; 15 | // parse one gate at a time 16 | while (i < text.length) { 17 | // console.log("gate", gatesCount); // DEBUGGING 18 | 19 | let operation, inputWires, outputWire, gateId, truthTable; 20 | 21 | // parse operation 22 | operation = text.charAt(i); 23 | if (operation === "&") { 24 | operation = "AND"; 25 | } else if (operation === "^") { 26 | operation = "XOR"; 27 | } else if (operation === "!") { 28 | operation = "NOT"; 29 | } else if (operation === "|") { 30 | operation = "LOR"; 31 | } 32 | 33 | // console.log("operation", operation); // DEBUGGING 34 | 35 | // parse gate Id 36 | i++; 37 | gateId = ""; 38 | while (text.charAt(i) !== "[") { 39 | // console.log("looking for [", i); // DEBUGGING 40 | 41 | gateId += text.charAt(i); 42 | i++; 43 | } 44 | gateId = parseInt(gateId); 45 | 46 | // parse input wires 47 | inputWires = ""; 48 | while (text.charAt(i) !== "]") { 49 | // console.log("looking for ]", i); // DEBUGGING 50 | 51 | inputWires += text.charAt(i); 52 | i++; 53 | } 54 | inputWires = JSON.parse(inputWires + "]"); 55 | 56 | // parse output wires 57 | i++; 58 | outputWire = ""; 59 | while ( 60 | text.charAt(i) !== "-" && 61 | text.charAt(i) !== "&" && 62 | text.charAt(i) !== "^" && 63 | text.charAt(i) !== "!" && 64 | text.charAt(i) !== "|" && 65 | i < text.length 66 | ) { 67 | // console.log("looking for op", i); // DEBUGGING 68 | outputWire += text.charAt(i); 69 | i++; 70 | } 71 | outputWire = parseInt(outputWire); 72 | 73 | // parse truth table if exists 74 | if (operation === "AND" || operation === "LOR") { 75 | i++; 76 | truthTable = []; 77 | // parse one label at a time 78 | for (let k = 0; k < 4; k++) { 79 | truthTable[k] = new Uint8Array(circuit.labelSize); 80 | for (let l = 0; l < circuit.labelSize; l++) { 81 | truthTable[k][l] = text.charCodeAt(i); 82 | i++; 83 | } 84 | truthTable[k] = new Label(truthTable[k]); 85 | } 86 | } 87 | 88 | // build gate and put it in circuit 89 | circuit.gates.push( 90 | new Gate(gateId, operation, inputWires, outputWire, truthTable) 91 | ); 92 | gatesCount--; 93 | } 94 | 95 | if (gatesCount !== 0) { 96 | console.log("problem parsing circuit!"); 97 | throw new Error("problem parsing circuit!"); 98 | } 99 | 100 | return circuit; 101 | }; 102 | 103 | module.exports = circuitParser; 104 | -------------------------------------------------------------------------------- /jigg/src/parse/parse.js: -------------------------------------------------------------------------------- 1 | // Parses bristol fashion text circuits into Circuit objects 2 | 3 | "use strict"; 4 | 5 | /* 6 | * Bristol fashion has the following format: 7 | * 8 | * ... 9 | * ... 10 | * ... ... 11 | * ... 12 | */ 13 | 14 | const Circuit = require("../modules/circuit.js"); 15 | const Gate = require("../modules/gate.js"); 16 | 17 | const RECOGNIZED_OPERATIONS = ["AND", "XOR", "INV", "NOT", "LOR"]; 18 | 19 | module.exports = function (text) { 20 | const rows = text 21 | .split("\n") 22 | .filter(function (line) { 23 | const tmp = line.trim(); 24 | return !(tmp.startsWith("#") || tmp.length === 0); 25 | }) 26 | .map(function (line) { 27 | if (line.indexOf("#") > -1) { 28 | line = line.substring(0, line.indexOf("#")).trim(); 29 | } 30 | 31 | return line.split(" ").map(function (token) { 32 | return token.trim(); 33 | }); 34 | }); 35 | 36 | // Begin parsing input/output meta data 37 | const wireCount = parseInt(rows[0][1]); 38 | const inputs = rows[1].slice(1); 39 | const outputs = rows[2].slice(1); 40 | 41 | // Sanity Checks 42 | if (rows[2][0] !== "1" || outputs.length !== 1) { 43 | throw new Error("Circuit has multiple outputs! Unsupported"); 44 | } 45 | if (rows[1][0] !== "2" || inputs.length !== 2) { 46 | throw new Error("Circuit does not have exactly 2 inputs! Unsupported"); 47 | } 48 | if (rows.length !== parseInt(rows[0][0]) + 3) { 49 | throw new Error( 50 | "Circuit has inconsistent number of lines compared to gates count" 51 | ); 52 | } 53 | 54 | // Create empty circuit object 55 | const circuit = new Circuit( 56 | wireCount, 57 | parseInt(inputs[0]), 58 | parseInt(inputs[1]), 59 | parseInt(outputs[0]) 60 | ); 61 | 62 | // Parse the individual gates 63 | for (let r = 3; r < rows.length; r++) { 64 | const tokens = rows[r]; 65 | 66 | const inputCount = parseInt(tokens[0]); 67 | const outputCount = parseInt(tokens[1]); 68 | const operation = tokens[tokens.length - 1]; 69 | 70 | if (RECOGNIZED_OPERATIONS.indexOf(operation) === -1) { 71 | throw new Error("Unrecognized gate: " + operation); 72 | } 73 | if (outputCount !== 1) { 74 | throw new Error("Gate " + r + " does not have exactly 1 output!"); 75 | } 76 | 77 | const output = parseInt(tokens[2 + inputCount]); 78 | const inputs = tokens.slice(2, 2 + inputCount).map(function (e) { 79 | return parseInt(e); 80 | }); 81 | const gate = new Gate(r - 3, operation, inputs, output); 82 | 83 | if ((operation === "INV" || operation === "NOT") && inputs.length !== 1) { 84 | throw new Error( 85 | operation + " Gate " + r + " does not have exactly 1 input!" 86 | ); 87 | } 88 | if ( 89 | (operation === "AND" || operation === "LOR" || operation === "XOR") && 90 | inputs.length !== 2 91 | ) { 92 | throw new Error("Gate " + r + " does not have exactly 2 inputs!"); 93 | } 94 | 95 | circuit.gates.push(gate); 96 | } 97 | 98 | return circuit; 99 | }; 100 | -------------------------------------------------------------------------------- /jigg/src/jiggClient.js: -------------------------------------------------------------------------------- 1 | /** 2 | * Simplified JIGG agent for garbling and evaluation 3 | */ 4 | "use strict"; 5 | 6 | const LABEL_SIZE = 16; // 16 bytes => 128 bits 7 | 8 | const garble = require("./garble.js"); 9 | const evaluate = require("./evaluate.js"); 10 | const circuitParser = require("./parse/parse.js"); 11 | const hexutils = require("./util/hexutils.js"); 12 | const sodium = require("libsodium-wrappers-sumo"); 13 | 14 | /** 15 | * Create a new JIGG agent with the given role. 16 | * @param {string} role - Agent role ('Garbler' or 'Evaluator') 17 | * @param {object} [options] - additional optional options including: 18 | *     labelSize: number, defaults to 16 bytes. 19 | */ 20 | function Agent(role, options) { 21 | if (options == null) { 22 | options = {}; 23 | } 24 | 25 | this.role = role; 26 | this.labelSize = options.labelSize == null ? LABEL_SIZE : options.labelSize; 27 | this.hexutils = hexutils; 28 | } 29 | 30 | /** 31 | * Loads the given circuit. 32 | * @param {string|Circuit} circuit - the circuit encoded as specified in encoding. 33 | * @param {string} [encoding='text'] - the encoding of the circuit 34 | */ 35 | Agent.prototype.loadCircuit = function (circuit, encoding) { 36 | if (encoding == null || encoding === "text") { 37 | this.circuit = circuitParser(circuit); 38 | } else { 39 | this.circuit = circuit; 40 | } 41 | }; 42 | 43 | /** 44 | * Sets the input of this party. 45 | * @param {number[]|number|string} input - the input to the circuit. 46 | * @param [encoding='bits'] - the encoding of the input 47 | */ 48 | Agent.prototype.setInput = function (input, encoding) { 49 | const size = 50 | this.role === "Garbler" 51 | ? this.circuit.garblerInputSize 52 | : this.circuit.evaluatorInputSize; 53 | 54 | if (encoding === "number") { 55 | this.input = input 56 | .toString(2) 57 | .split("") 58 | .map(function (bit) { 59 | return parseInt(bit); 60 | }) 61 | .reverse(); 62 | 63 | while (this.input.length < size) { 64 | this.input.push(0); 65 | } 66 | } 67 | 68 | if (encoding === "hex") { 69 | this.input = hexutils 70 | .hex2bin(input) 71 | .split("") 72 | .map(function (bit) { 73 | return parseInt(bit); 74 | }) 75 | .reverse(); 76 | 77 | while (this.input.length < size) { 78 | this.input.push(0); 79 | } 80 | } 81 | 82 | if (encoding === "bits" || encoding == null) { 83 | if (input.length !== size) { 84 | throw new Error("Input has wrong length"); 85 | } 86 | this.input = input.slice(); 87 | } 88 | }; 89 | 90 | /** 91 | * Generate garbled circuit and input labels 92 | * @returns {Object} Contains garbled circuit and input labels 93 | */ 94 | Agent.prototype.generateGarbling = function () { 95 | if (this.role !== "Garbler") { 96 | throw new Error("Only Garbler can generate garbling"); 97 | } 98 | return garble.generateGarbling(this); 99 | }; 100 | 101 | /** 102 | * Evaluate the circuit with given input labels 103 | * @param {Object} garbledData - The garbled circuit and input labels 104 | * @returns {number[]} The output bits 105 | */ 106 | Agent.prototype.evaluateCircuit = function ( 107 | serializedCircuit, 108 | garbledAssignment 109 | ) { 110 | if (this.role !== "Evaluator") { 111 | throw new Error("Only Evaluator can evaluate circuit"); 112 | } 113 | return evaluate.evaluateCircuit(this, serializedCircuit, garbledAssignment); 114 | }; 115 | 116 | module.exports = Agent; 117 | module.exports = Agent; 118 | -------------------------------------------------------------------------------- /circuits/Cargo.lock: -------------------------------------------------------------------------------- 1 | # This file is automatically @generated by Cargo. 2 | # It is not intended for manual editing. 3 | version = 3 4 | 5 | [[package]] 6 | name = "boolify" 7 | version = "0.1.0" 8 | source = "git+https://github.com/voltrevo/boolify?rev=e9707c0#e9707c0a7613e50dc375beec67e9367c30bc57f4" 9 | dependencies = [ 10 | "bristol-circuit", 11 | "serde", 12 | "serde_json", 13 | ] 14 | 15 | [[package]] 16 | name = "bristol-circuit" 17 | version = "0.1.0" 18 | source = "git+https://github.com/voltrevo/bristol-circuit?rev=2a8b001#2a8b001a80ffc0370c641ccc0ed5bf5c04aea9cc" 19 | dependencies = [ 20 | "serde", 21 | "serde_json", 22 | "thiserror", 23 | ] 24 | 25 | [[package]] 26 | name = "circuits" 27 | version = "0.1.0" 28 | dependencies = [ 29 | "boolify", 30 | "bristol-circuit", 31 | ] 32 | 33 | [[package]] 34 | name = "itoa" 35 | version = "1.0.11" 36 | source = "registry+https://github.com/rust-lang/crates.io-index" 37 | checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" 38 | 39 | [[package]] 40 | name = "memchr" 41 | version = "2.7.4" 42 | source = "registry+https://github.com/rust-lang/crates.io-index" 43 | checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" 44 | 45 | [[package]] 46 | name = "proc-macro2" 47 | version = "1.0.89" 48 | source = "registry+https://github.com/rust-lang/crates.io-index" 49 | checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" 50 | dependencies = [ 51 | "unicode-ident", 52 | ] 53 | 54 | [[package]] 55 | name = "quote" 56 | version = "1.0.37" 57 | source = "registry+https://github.com/rust-lang/crates.io-index" 58 | checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" 59 | dependencies = [ 60 | "proc-macro2", 61 | ] 62 | 63 | [[package]] 64 | name = "ryu" 65 | version = "1.0.18" 66 | source = "registry+https://github.com/rust-lang/crates.io-index" 67 | checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" 68 | 69 | [[package]] 70 | name = "serde" 71 | version = "1.0.214" 72 | source = "registry+https://github.com/rust-lang/crates.io-index" 73 | checksum = "f55c3193aca71c12ad7890f1785d2b73e1b9f63a0bbc353c08ef26fe03fc56b5" 74 | dependencies = [ 75 | "serde_derive", 76 | ] 77 | 78 | [[package]] 79 | name = "serde_derive" 80 | version = "1.0.214" 81 | source = "registry+https://github.com/rust-lang/crates.io-index" 82 | checksum = "de523f781f095e28fa605cdce0f8307e451cc0fd14e2eb4cd2e98a355b147766" 83 | dependencies = [ 84 | "proc-macro2", 85 | "quote", 86 | "syn", 87 | ] 88 | 89 | [[package]] 90 | name = "serde_json" 91 | version = "1.0.132" 92 | source = "registry+https://github.com/rust-lang/crates.io-index" 93 | checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" 94 | dependencies = [ 95 | "itoa", 96 | "memchr", 97 | "ryu", 98 | "serde", 99 | ] 100 | 101 | [[package]] 102 | name = "syn" 103 | version = "2.0.87" 104 | source = "registry+https://github.com/rust-lang/crates.io-index" 105 | checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" 106 | dependencies = [ 107 | "proc-macro2", 108 | "quote", 109 | "unicode-ident", 110 | ] 111 | 112 | [[package]] 113 | name = "thiserror" 114 | version = "1.0.68" 115 | source = "registry+https://github.com/rust-lang/crates.io-index" 116 | checksum = "02dd99dc800bbb97186339685293e1cc5d9df1f8fae2d0aecd9ff1c77efea892" 117 | dependencies = [ 118 | "thiserror-impl", 119 | ] 120 | 121 | [[package]] 122 | name = "thiserror-impl" 123 | version = "1.0.68" 124 | source = "registry+https://github.com/rust-lang/crates.io-index" 125 | checksum = "a7c61ec9a6f64d2793d8a45faba21efbe3ced62a886d44c36a009b2b519b4c7e" 126 | dependencies = [ 127 | "proc-macro2", 128 | "quote", 129 | "syn", 130 | ] 131 | 132 | [[package]] 133 | name = "unicode-ident" 134 | version = "1.0.13" 135 | source = "registry+https://github.com/rust-lang/crates.io-index" 136 | checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe" 137 | -------------------------------------------------------------------------------- /circuits/src/hiring_original.rs: -------------------------------------------------------------------------------- 1 | use std::{cell::RefCell, rc::Rc}; 2 | 3 | use boolify::{generate_bristol, BoolWire, CircuitOutput, IdGenerator, ValueWire}; 4 | use bristol_circuit::BristolCircuit; 5 | 6 | struct JobCriteria { 7 | position: ValueWire, 8 | commitment: ValueWire, 9 | education: Vec, 10 | experience: Vec, 11 | interests: Vec, 12 | company_stage: Vec, 13 | salary: ValueWire, 14 | } 15 | 16 | fn generate_job_criteria(prefix: &str, id_gen: &Rc>) -> JobCriteria { 17 | JobCriteria { 18 | position: ValueWire::new_input(&format!("{}_position", prefix), 1, id_gen), 19 | commitment: ValueWire::new_input(&format!("{}_commitment", prefix), 1, id_gen), 20 | education: (0..4) 21 | .map(|i| ValueWire::new_input(&format!("{}_education_{}", prefix, i), 1, id_gen)) 22 | .collect(), 23 | experience: (0..8) 24 | .map(|i| ValueWire::new_input(&format!("{}_experience_{}", prefix, i), 1, id_gen)) 25 | .collect(), 26 | interests: (0..4) 27 | .map(|i| ValueWire::new_input(&format!("{}_interests_{}", prefix, i), 1, id_gen)) 28 | .collect(), 29 | company_stage: (0..4) 30 | .map(|i| ValueWire::new_input(&format!("{}_company_stage_{}", prefix, i), 1, id_gen)) 31 | .collect(), 32 | salary: ValueWire::new_input(&format!("{}_salary", prefix), 8, id_gen), 33 | } 34 | } 35 | 36 | pub fn hiring() { 37 | let id_gen = IdGenerator::new_rc_refcell(); 38 | 39 | // Generate inputs for both parties using the new structure 40 | let a = generate_job_criteria("a", &id_gen); 41 | let b = generate_job_criteria("b", &id_gen); 42 | 43 | // Implement the matching logic 44 | let compatible_pos = ValueWire::bit_xor(&a.position, &b.position); 45 | let a_recruiter = a.position.clone(); 46 | 47 | // Education match (OR of ANDs) 48 | let mut education_match = ValueWire::bit_and(&a.education[0], &b.education[0]); 49 | for i in 1..4 { 50 | let match_i = ValueWire::bit_and(&a.education[i], &b.education[i]); 51 | education_match = ValueWire::bit_or(&education_match, &match_i); 52 | } 53 | 54 | // Experience match 55 | let mut experience_match = ValueWire::bit_and(&a.experience[0], &b.experience[0]); 56 | for i in 1..8 { 57 | let match_i = ValueWire::bit_and(&a.experience[i], &b.experience[i]); 58 | experience_match = ValueWire::bit_or(&experience_match, &match_i); 59 | } 60 | 61 | // Salary match 62 | let salary_match = BoolWire::as_value(&ValueWire::greater_than(&a.salary, &b.salary)); 63 | 64 | // Interest overlap 65 | let mut interest_overlap = ValueWire::bit_and(&a.interests[0], &b.interests[0]); 66 | for i in 1..4 { 67 | let match_i = ValueWire::bit_and(&a.interests[i], &b.interests[i]); 68 | interest_overlap = ValueWire::bit_or(&interest_overlap, &match_i); 69 | } 70 | 71 | // Company stage overlap 72 | let mut stage_overlap = ValueWire::bit_and(&a.company_stage[0], &b.company_stage[0]); 73 | for i in 1..4 { 74 | let match_i = ValueWire::bit_and(&a.company_stage[i], &b.company_stage[i]); 75 | stage_overlap = ValueWire::bit_or(&stage_overlap, &match_i); 76 | } 77 | 78 | // Commitment overlap (!a_commitment | b_commitment) 79 | let commitment_overlap = ValueWire::bit_or(&ValueWire::bit_not(&a.commitment), &b.commitment); 80 | 81 | // Final result 82 | let result = [ 83 | &compatible_pos, 84 | &a_recruiter, 85 | &education_match, 86 | &experience_match, 87 | &salary_match, 88 | &interest_overlap, 89 | &stage_overlap, 90 | &commitment_overlap, 91 | ] 92 | .iter() 93 | .fold(compatible_pos.clone(), |acc, &x| { 94 | ValueWire::bit_and(&acc, x) 95 | }); 96 | 97 | // Generate circuit 98 | let outputs = vec![CircuitOutput::new("match_result", result)]; 99 | let bristol_circuit = generate_bristol(&outputs); 100 | println!("Number of gates: {}", bristol_circuit.gates.len()); 101 | 102 | // Write to file 103 | let output = BristolCircuit::get_bristol_string(&bristol_circuit).unwrap(); 104 | std::fs::write("job_matching.txt", output).unwrap(); 105 | } 106 | -------------------------------------------------------------------------------- /app/laconic/laconic_ot.d.ts: -------------------------------------------------------------------------------- 1 | /* tslint:disable */ 2 | /* eslint-disable */ 3 | /** 4 | */ 5 | export function start(): void; 6 | /** 7 | */ 8 | export class WasmCommitmentKey { 9 | free(): void; 10 | /** 11 | * @param {number} message_length 12 | * @returns {WasmCommitmentKey} 13 | */ 14 | static setup(message_length: number): WasmCommitmentKey; 15 | /** 16 | * @returns {Uint8Array} 17 | */ 18 | serialize(): Uint8Array; 19 | /** 20 | * @param {Uint8Array} data 21 | * @returns {WasmCommitmentKey} 22 | */ 23 | static deserialize(data: Uint8Array): WasmCommitmentKey; 24 | } 25 | /** 26 | */ 27 | export class WasmMessage { 28 | free(): void; 29 | } 30 | /** 31 | */ 32 | export class WasmReceiver { 33 | free(): void; 34 | /** 35 | * @param {WasmCommitmentKey} ck 36 | * @param {Uint8Array} bits 37 | * @returns {WasmReceiver} 38 | */ 39 | static new(ck: WasmCommitmentKey, bits: Uint8Array): WasmReceiver; 40 | /** 41 | * @param {number} i 42 | * @param {WasmMessage} msg 43 | * @returns {Uint8Array} 44 | */ 45 | recv(i: number, msg: WasmMessage): Uint8Array; 46 | /** 47 | * @returns {Uint8Array} 48 | */ 49 | commitment(): Uint8Array; 50 | /** 51 | * @param {Uint8Array} data 52 | * @param {WasmCommitmentKey} ck 53 | * @returns {WasmReceiver} 54 | */ 55 | static deserialize(data: Uint8Array, ck: WasmCommitmentKey): WasmReceiver; 56 | /** 57 | * @returns {Uint8Array} 58 | */ 59 | serialize(): Uint8Array; 60 | } 61 | /** 62 | */ 63 | export class WasmSender { 64 | free(): void; 65 | /** 66 | * @param {WasmCommitmentKey} ck 67 | * @param {Uint8Array} commitment_bytes 68 | * @returns {WasmSender} 69 | */ 70 | static new(ck: WasmCommitmentKey, commitment_bytes: Uint8Array): WasmSender; 71 | /** 72 | * @param {number} i 73 | * @param {Uint8Array} m0 74 | * @param {Uint8Array} m1 75 | * @returns {WasmMessage} 76 | */ 77 | send(i: number, m0: Uint8Array, m1: Uint8Array): WasmMessage; 78 | } 79 | 80 | export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module; 81 | 82 | export interface InitOutput { 83 | readonly memory: WebAssembly.Memory; 84 | readonly __wbg_wasmcommitmentkey_free: (a: number, b: number) => void; 85 | readonly __wbg_wasmreceiver_free: (a: number, b: number) => void; 86 | readonly __wbg_wasmsender_free: (a: number, b: number) => void; 87 | readonly __wbg_wasmmessage_free: (a: number, b: number) => void; 88 | readonly wasmcommitmentkey_setup: (a: number, b: number) => void; 89 | readonly wasmcommitmentkey_serialize: (a: number, b: number) => void; 90 | readonly wasmcommitmentkey_deserialize: (a: number, b: number, c: number) => void; 91 | readonly wasmreceiver_new: (a: number, b: number, c: number) => number; 92 | readonly wasmreceiver_recv: (a: number, b: number, c: number, d: number) => void; 93 | readonly wasmreceiver_commitment: (a: number, b: number) => void; 94 | readonly wasmreceiver_deserialize: (a: number, b: number, c: number) => number; 95 | readonly wasmreceiver_serialize: (a: number, b: number) => void; 96 | readonly wasmsender_new: (a: number, b: number, c: number, d: number) => void; 97 | readonly wasmsender_send: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => void; 98 | readonly start: () => void; 99 | readonly __wbindgen_add_to_stack_pointer: (a: number) => number; 100 | readonly __wbindgen_free: (a: number, b: number, c: number) => void; 101 | readonly __wbindgen_malloc: (a: number, b: number) => number; 102 | readonly __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number; 103 | readonly __wbindgen_exn_store: (a: number) => void; 104 | readonly __wbindgen_start: () => void; 105 | } 106 | 107 | export type SyncInitInput = BufferSource | WebAssembly.Module; 108 | /** 109 | * Instantiates the given `module`, which can either be bytes or 110 | * a precompiled `WebAssembly.Module`. 111 | * 112 | * @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated. 113 | * 114 | * @returns {InitOutput} 115 | */ 116 | export function initSync(module: { module: SyncInitInput } | SyncInitInput): InitOutput; 117 | 118 | /** 119 | * If `module_or_path` is {RequestInfo} or {URL}, makes a request and 120 | * for everything else, calls `WebAssembly.instantiate` directly. 121 | * 122 | * @param {{ module_or_path: InitInput | Promise }} module_or_path - Passing `InitInput` directly is deprecated. 123 | * 124 | * @returns {Promise} 125 | */ 126 | export default function __wbg_init (module_or_path?: { module_or_path: InitInput | Promise } | InitInput | Promise): Promise; 127 | -------------------------------------------------------------------------------- /laconic/pkg/laconic_ot.d.ts: -------------------------------------------------------------------------------- 1 | /* tslint:disable */ 2 | /* eslint-disable */ 3 | /** 4 | */ 5 | export function start(): void; 6 | /** 7 | */ 8 | export class WasmCommitmentKey { 9 | free(): void; 10 | /** 11 | * @param {number} message_length 12 | * @returns {WasmCommitmentKey} 13 | */ 14 | static setup(message_length: number): WasmCommitmentKey; 15 | /** 16 | * @returns {Uint8Array} 17 | */ 18 | serialize(): Uint8Array; 19 | /** 20 | * @param {Uint8Array} data 21 | * @returns {WasmCommitmentKey} 22 | */ 23 | static deserialize(data: Uint8Array): WasmCommitmentKey; 24 | } 25 | /** 26 | */ 27 | export class WasmMessage { 28 | free(): void; 29 | } 30 | /** 31 | */ 32 | export class WasmReceiver { 33 | free(): void; 34 | /** 35 | * @param {WasmCommitmentKey} ck 36 | * @param {Uint8Array} bits 37 | * @returns {WasmReceiver} 38 | */ 39 | static new(ck: WasmCommitmentKey, bits: Uint8Array): WasmReceiver; 40 | /** 41 | * @param {number} i 42 | * @param {WasmMessage} msg 43 | * @returns {Uint8Array} 44 | */ 45 | recv(i: number, msg: WasmMessage): Uint8Array; 46 | /** 47 | * @returns {Uint8Array} 48 | */ 49 | commitment(): Uint8Array; 50 | /** 51 | * @param {Uint8Array} data 52 | * @param {WasmCommitmentKey} ck 53 | * @returns {WasmReceiver} 54 | */ 55 | static deserialize(data: Uint8Array, ck: WasmCommitmentKey): WasmReceiver; 56 | /** 57 | * @returns {Uint8Array} 58 | */ 59 | serialize(): Uint8Array; 60 | } 61 | /** 62 | */ 63 | export class WasmSender { 64 | free(): void; 65 | /** 66 | * @param {WasmCommitmentKey} ck 67 | * @param {Uint8Array} commitment_bytes 68 | * @returns {WasmSender} 69 | */ 70 | static new(ck: WasmCommitmentKey, commitment_bytes: Uint8Array): WasmSender; 71 | /** 72 | * @param {number} i 73 | * @param {Uint8Array} m0 74 | * @param {Uint8Array} m1 75 | * @returns {WasmMessage} 76 | */ 77 | send(i: number, m0: Uint8Array, m1: Uint8Array): WasmMessage; 78 | } 79 | 80 | export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module; 81 | 82 | export interface InitOutput { 83 | readonly memory: WebAssembly.Memory; 84 | readonly __wbg_wasmcommitmentkey_free: (a: number, b: number) => void; 85 | readonly __wbg_wasmreceiver_free: (a: number, b: number) => void; 86 | readonly __wbg_wasmsender_free: (a: number, b: number) => void; 87 | readonly __wbg_wasmmessage_free: (a: number, b: number) => void; 88 | readonly wasmcommitmentkey_setup: (a: number, b: number) => void; 89 | readonly wasmcommitmentkey_serialize: (a: number, b: number) => void; 90 | readonly wasmcommitmentkey_deserialize: (a: number, b: number, c: number) => void; 91 | readonly wasmreceiver_new: (a: number, b: number, c: number) => number; 92 | readonly wasmreceiver_recv: (a: number, b: number, c: number, d: number) => void; 93 | readonly wasmreceiver_commitment: (a: number, b: number) => void; 94 | readonly wasmreceiver_deserialize: (a: number, b: number, c: number) => number; 95 | readonly wasmreceiver_serialize: (a: number, b: number) => void; 96 | readonly wasmsender_new: (a: number, b: number, c: number, d: number) => void; 97 | readonly wasmsender_send: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => void; 98 | readonly start: () => void; 99 | readonly __wbindgen_add_to_stack_pointer: (a: number) => number; 100 | readonly __wbindgen_free: (a: number, b: number, c: number) => void; 101 | readonly __wbindgen_malloc: (a: number, b: number) => number; 102 | readonly __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number; 103 | readonly __wbindgen_exn_store: (a: number) => void; 104 | readonly __wbindgen_start: () => void; 105 | } 106 | 107 | export type SyncInitInput = BufferSource | WebAssembly.Module; 108 | /** 109 | * Instantiates the given `module`, which can either be bytes or 110 | * a precompiled `WebAssembly.Module`. 111 | * 112 | * @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated. 113 | * 114 | * @returns {InitOutput} 115 | */ 116 | export function initSync(module: { module: SyncInitInput } | SyncInitInput): InitOutput; 117 | 118 | /** 119 | * If `module_or_path` is {RequestInfo} or {URL}, makes a request and 120 | * for everything else, calls `WebAssembly.instantiate` directly. 121 | * 122 | * @param {{ module_or_path: InitInput | Promise }} module_or_path - Passing `InitInput` directly is deprecated. 123 | * 124 | * @returns {Promise} 125 | */ 126 | export default function __wbg_init (module_or_path?: { module_or_path: InitInput | Promise } | InitInput | Promise): Promise; 127 | -------------------------------------------------------------------------------- /laconic/benches/laconic_ot.rs: -------------------------------------------------------------------------------- 1 | use ark_bls12_381::{Bls12_381, Fr}; 2 | use ark_ec::{pairing::Pairing, Group}; 3 | use ark_poly::Radix2EvaluationDomain; 4 | use ark_std::rand::Rng; 5 | use ark_std::test_rng; 6 | use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion}; 7 | use laconic_ot::{CommitmentKey, LaconicOTRecv, LaconicOTSender}; 8 | 9 | const MIN_LOG_SIZE: usize = 3; 10 | const MAX_LOG_SIZE: usize = 10; 11 | 12 | fn laconic_ot_benchmarks(c: &mut Criterion) { 13 | let name = "laconic_ot"; 14 | 15 | let mut commit_benchmarks = c.benchmark_group(format!("{0}/commit", name)); 16 | commit_benchmarks.sample_size(10); 17 | for log_len in MIN_LOG_SIZE..=MAX_LOG_SIZE { 18 | commit_benchmarks.bench_with_input( 19 | BenchmarkId::from_parameter(log_len), 20 | &log_len, 21 | |b, _| { 22 | let rng = &mut test_rng(); 23 | let num = 1 << log_len; 24 | 25 | let mut bits = Vec::with_capacity(log_len); 26 | for _ in 0..num { 27 | bits.push(rng.gen_bool(0.5)); 28 | } 29 | 30 | b.iter(|| { 31 | let ck = 32 | CommitmentKey::>::setup(rng, num) 33 | .unwrap(); 34 | 35 | let _sender = LaconicOTRecv::new(&ck, &bits); 36 | }) 37 | }, 38 | ); 39 | } 40 | commit_benchmarks.finish(); 41 | 42 | let mut send_benchmarks = c.benchmark_group(format!("{0}/send_all", name)); 43 | for log_len in MIN_LOG_SIZE..=MAX_LOG_SIZE { 44 | let rng = &mut test_rng(); 45 | let num = 1 << log_len; 46 | 47 | let mut bits = Vec::with_capacity(log_len); 48 | for _ in 0..num { 49 | bits.push(rng.gen_bool(0.5)); 50 | } 51 | 52 | let ck = CommitmentKey::>::setup(rng, num).unwrap(); 53 | let recv = LaconicOTRecv::new(&ck, &bits); 54 | 55 | let m0 = [0u8; 32]; 56 | let m1 = [1u8; 32]; 57 | 58 | send_benchmarks.bench_with_input(BenchmarkId::from_parameter(log_len), &log_len, |b, _| { 59 | b.iter(|| { 60 | let sender = LaconicOTSender::new(&ck, recv.commitment()); 61 | // precompute pairing 62 | let l0 = recv.commitment(); 63 | let l1 = recv.commitment() - ck.u[0]; 64 | 65 | // m0, m1 66 | let com0 = Bls12_381::pairing(l0, ck.g2); 67 | let com1 = Bls12_381::pairing(l1, ck.g2); 68 | 69 | let mut com0_precomp = vec![(com0, -com0)]; 70 | let mut com1_precomp = vec![(com1, -com1)]; 71 | for _ in 1..381 { 72 | let com0_square = *com0_precomp.last().unwrap().0.clone().double_in_place(); 73 | let com1_square = *com1_precomp.last().unwrap().0.clone().double_in_place(); 74 | let com0_square_inv = *com0_precomp.last().unwrap().1.clone().double_in_place(); 75 | let com1_square_inv = *com1_precomp.last().unwrap().1.clone().double_in_place(); 76 | com0_precomp.push((com0_square, com0_square_inv)); 77 | com1_precomp.push((com1_square, com1_square_inv)); 78 | } 79 | 80 | for i in 0..num { 81 | let _msg = 82 | sender.send_precompute_naf(rng, i, m0, m1, &com0_precomp, &com1_precomp); 83 | } 84 | }) 85 | }); 86 | } 87 | send_benchmarks.finish(); 88 | 89 | let mut recv_benchmarks = c.benchmark_group(format!("{0}/recv_all", name)); 90 | 91 | for log_len in MIN_LOG_SIZE..=MAX_LOG_SIZE { 92 | let rng = &mut test_rng(); 93 | let num = 1 << log_len; 94 | 95 | let mut bits = Vec::with_capacity(log_len); 96 | for _ in 0..num { 97 | bits.push(rng.gen_bool(0.5)); 98 | } 99 | 100 | let ck = CommitmentKey::>::setup(rng, num).unwrap(); 101 | let recv = LaconicOTRecv::new(&ck, &bits); 102 | 103 | let m0 = [0u8; 32]; 104 | let m1 = [1u8; 32]; 105 | 106 | let sender = LaconicOTSender::new(&ck, recv.commitment()); 107 | 108 | // Simulate all sends 109 | let msgs: Vec<_> = (0..num).map(|i| sender.send(rng, i, m0, m1)).collect(); 110 | 111 | recv_benchmarks.bench_with_input(BenchmarkId::from_parameter(log_len), &log_len, |b, _| { 112 | b.iter(|| { 113 | for i in 0..num { 114 | let _res = recv.recv(i, msgs[i].clone()); 115 | } 116 | }) 117 | }); 118 | } 119 | } 120 | 121 | criterion_group! { 122 | name = laconic_ot; 123 | config = Criterion::default().sample_size(10); 124 | targets = laconic_ot_benchmarks, // ipa_benchmarks 125 | } 126 | criterion_main!(laconic_ot); 127 | -------------------------------------------------------------------------------- /circuits/src/hiring.rs: -------------------------------------------------------------------------------- 1 | use std::{cell::RefCell, rc::Rc}; 2 | 3 | use boolify::{generate_bristol, BoolWire, CircuitOutput, IdGenerator, ValueWire}; 4 | use bristol_circuit::BristolCircuit; 5 | 6 | const INPUT_SIZE: usize = 30; 7 | 8 | struct JobCriteria { 9 | position: ValueWire, 10 | commitment: ValueWire, 11 | education: Vec, 12 | experience: Vec, 13 | interests: Vec, 14 | company_stage: Vec, 15 | salary: ValueWire, 16 | } 17 | 18 | fn extract_bits(input: &ValueWire, start: usize, size: usize) -> Vec { 19 | input.bits[start..start + size] 20 | .iter() 21 | .map(|bit| BoolWire::as_value(bit)) 22 | .collect() 23 | } 24 | 25 | fn extract_multi_bit_value( 26 | input: &ValueWire, 27 | start: usize, 28 | size: usize, 29 | id_gen: &Rc>, 30 | ) -> ValueWire { 31 | // Create a new multi-bit input 32 | let mut result = ValueWire::new_input(&format!("temp_{}", start), size, id_gen); 33 | 34 | // Copy the bits from the input 35 | result.bits = input.bits[start..start + size].to_vec(); 36 | 37 | result 38 | } 39 | 40 | pub fn hiring() { 41 | let id_gen = IdGenerator::new_rc_refcell(); 42 | 43 | // Create just two input wires - one for each party 44 | let a_input = ValueWire::new_input("a", INPUT_SIZE, &id_gen); 45 | let b_input = ValueWire::new_input("b", INPUT_SIZE, &id_gen); 46 | 47 | // Extract individual bits from the input wires 48 | let a = JobCriteria { 49 | position: extract_bits(&a_input, 0, 1)[0].clone(), 50 | commitment: extract_bits(&a_input, 1, 1)[0].clone(), 51 | education: extract_bits(&a_input, 2, 4), 52 | experience: extract_bits(&a_input, 6, 8), 53 | interests: extract_bits(&a_input, 14, 4), 54 | company_stage: extract_bits(&a_input, 18, 4), 55 | salary: extract_multi_bit_value(&a_input, 22, 8, &id_gen), 56 | }; 57 | 58 | let b = JobCriteria { 59 | position: extract_bits(&b_input, 0, 1)[0].clone(), 60 | commitment: extract_bits(&b_input, 1, 1)[0].clone(), 61 | education: extract_bits(&b_input, 2, 4), 62 | experience: extract_bits(&b_input, 6, 8), 63 | interests: extract_bits(&b_input, 14, 4), 64 | company_stage: extract_bits(&b_input, 18, 4), 65 | salary: extract_multi_bit_value(&b_input, 22, 8, &id_gen), 66 | }; 67 | 68 | // Rest of the matching logic remains the same 69 | let compatible_pos = ValueWire::bit_xor(&a.position, &b.position); 70 | let a_recruiter = a.position.clone(); 71 | 72 | // Education match (OR of ANDs) 73 | let mut education_match = ValueWire::bit_and(&a.education[0], &b.education[0]); 74 | for i in 1..4 { 75 | let match_i = ValueWire::bit_and(&a.education[i], &b.education[i]); 76 | education_match = ValueWire::bit_or(&education_match, &match_i); 77 | } 78 | 79 | // Experience match 80 | let mut experience_match = ValueWire::bit_and(&a.experience[0], &b.experience[0]); 81 | for i in 1..8 { 82 | let match_i = ValueWire::bit_and(&a.experience[i], &b.experience[i]); 83 | experience_match = ValueWire::bit_or(&experience_match, &match_i); 84 | } 85 | 86 | // Interest overlap 87 | let mut interest_overlap = ValueWire::bit_and(&a.interests[0], &b.interests[0]); 88 | for i in 1..4 { 89 | let match_i = ValueWire::bit_and(&a.interests[i], &b.interests[i]); 90 | interest_overlap = ValueWire::bit_or(&interest_overlap, &match_i); 91 | } 92 | 93 | // Company stage overlap 94 | let mut stage_overlap = ValueWire::bit_and(&a.company_stage[0], &b.company_stage[0]); 95 | for i in 1..4 { 96 | let match_i = ValueWire::bit_and(&a.company_stage[i], &b.company_stage[i]); 97 | stage_overlap = ValueWire::bit_or(&stage_overlap, &match_i); 98 | } 99 | 100 | // Commitment overlap (!a_commitment | b_commitment) 101 | let commitment_overlap = ValueWire::bit_or(&ValueWire::bit_not(&a.commitment), &b.commitment); 102 | 103 | // Salary match (proper comparison) 104 | let salary_match = BoolWire::as_value(&ValueWire::greater_than(&a.salary, &b.salary)); 105 | 106 | // Final result 107 | let result = [ 108 | &compatible_pos, 109 | &a_recruiter, 110 | &education_match, 111 | &experience_match, 112 | &salary_match, 113 | &interest_overlap, 114 | &stage_overlap, 115 | &commitment_overlap, 116 | ] 117 | .iter() 118 | .fold(compatible_pos.clone(), |acc, &x| { 119 | ValueWire::bit_and(&acc, x) 120 | }); 121 | 122 | // Generate circuit 123 | let outputs = vec![CircuitOutput::new("match_result", result)]; 124 | let bristol_circuit = generate_bristol(&outputs); 125 | println!("Number of gates: {}", bristol_circuit.gates.len()); 126 | 127 | // Write to file 128 | let output = BristolCircuit::get_bristol_string(&bristol_circuit).unwrap(); 129 | std::fs::write("job_matching_two_input.txt", output).unwrap(); 130 | } 131 | -------------------------------------------------------------------------------- /jigg/demo/client.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Garbled Circuit JS 2PC 5 | 6 | 7 | 8 | 9 |

Garbled Circuits in JavaScript

10 |

Choose your circuit (Bristol Fashion MPC Circuits)

11 | 12 | 62 | 63 | 67 | 68 | 69 |
70 |

Enter a string to compute on and the maximum encryptions to run in parallel:

71 |   76 | 77 |
78 | 
Entered 0 bits

79 |
80 | 81 | 82 | 83 | 91 | 92 | -------------------------------------------------------------------------------- /jigg/src/evaluate.js: -------------------------------------------------------------------------------- 1 | "use strict"; 2 | 3 | const circuitParser = require("./parse/circuit.js"); 4 | const labelParser = require("./parse/label.js"); 5 | 6 | const crypto = require("./util/crypto.js"); 7 | 8 | const receiveInputLabels = function (agent, circuit) { 9 | const garblerInputSize = circuit.garblerInputSize; 10 | const evaluatorInputSize = circuit.evaluatorInputSize; 11 | 12 | // send garbler input labels 13 | const promises = []; 14 | for (let i = 0; i < garblerInputSize; i++) { 15 | promises.push(agent.socket.hear("wire" + i).then(labelParser)); 16 | } 17 | 18 | // Send the evaluator the first half of the input labels directly. 19 | for (let i = 0; i < evaluatorInputSize; i++) { 20 | const index = i + garblerInputSize; 21 | promises.push(agent.OT.receive("wire" + index, agent.input[i])); 22 | } 23 | 24 | return Promise.all(promises); 25 | }; 26 | 27 | const evaluateAnd = function (agent, garbledGate, garbledAssignment) { 28 | const in1 = garbledGate.inputWires[0]; 29 | const in2 = garbledGate.inputWires[1]; 30 | const out = garbledGate.outputWire; 31 | 32 | const label1 = garbledAssignment[in1]; 33 | const label2 = garbledAssignment[in2]; 34 | 35 | const point = 2 * label1.getPoint() + label2.getPoint(); 36 | const cipher = garbledGate.truthTable[point]; 37 | 38 | garbledAssignment[out] = crypto.decrypt( 39 | label1, 40 | label2, 41 | garbledGate.id, 42 | cipher 43 | ); 44 | }; 45 | 46 | const evaluateXor = function (agent, garbledGate, garbledAssignment) { 47 | const in1 = garbledGate.inputWires[0]; 48 | const in2 = garbledGate.inputWires[1]; 49 | const out = garbledGate.outputWire; 50 | 51 | garbledAssignment[out] = garbledAssignment[in1].xor(garbledAssignment[in2]); 52 | }; 53 | 54 | const evaluateNot = function (agent, garbledGate, garbledAssignment) { 55 | const in1 = garbledGate.inputWires[0]; 56 | const out = garbledGate.outputWire; 57 | 58 | garbledAssignment[out] = garbledAssignment[in1]; 59 | }; 60 | 61 | const run = function (agent) { 62 | // receive circuit 63 | agent.socket.hear("circuit").then(function (circuit) { 64 | // parse circuit 65 | circuit = circuitParser(circuit); 66 | 67 | agent.progress("OT"); 68 | 69 | // receiver garbled inputs and OT for evaluator inputs 70 | receiveInputLabels(agent, circuit).then(function (garbledAssignment) { 71 | // evaluate one gate at a time 72 | for (let i = 0; i < circuit.gates.length; i++) { 73 | if (i % 2500 === 0) { 74 | agent.progress("evaluating", i, circuit.gates.length); 75 | } 76 | 77 | const garbledGate = circuit.gates[i]; 78 | 79 | if (garbledGate.operation === "AND") { 80 | evaluateAnd(agent, garbledGate, garbledAssignment); 81 | } else if (garbledGate.operation === "LOR") { 82 | evaluateAnd(agent, garbledGate, garbledAssignment); 83 | } else if (garbledGate.operation === "XOR") { 84 | evaluateXor(agent, garbledGate, garbledAssignment); 85 | } else if ( 86 | garbledGate.operation === "NOT" || 87 | garbledGate.operation === "INV" 88 | ) { 89 | evaluateNot(agent, garbledGate, garbledAssignment); 90 | } else { 91 | throw new Error("Unrecognized gate: " + garbledGate.operation); 92 | } 93 | } 94 | agent.progress("evaluating", circuit.gates.length, circuit.gates.length); 95 | 96 | // send garbled output to garbler 97 | agent.progress("output"); 98 | const garbledOutput = garbledAssignment.slice( 99 | circuit.wiresCount - circuit.outputSize 100 | ); 101 | agent.socket.send( 102 | "output", 103 | garbledOutput.map(function (label) { 104 | return label.serialize(); 105 | }) 106 | ); 107 | 108 | // retrieve de-garbled output 109 | agent.socket.hear("output").then(function (bits) { 110 | agent._outputResolve(bits); 111 | }); 112 | }); 113 | }); 114 | }; 115 | 116 | module.exports = run; 117 | 118 | module.exports = { 119 | evaluateCircuit: function (agent, serializedCircuit, garbledAssignment) { 120 | const circuit = circuitParser(serializedCircuit); 121 | 122 | // Evaluate gates 123 | for (let i = 0; i < circuit.gates.length; i++) { 124 | const garbledGate = circuit.gates[i]; 125 | 126 | if (garbledGate.operation === "AND") { 127 | evaluateAnd(agent, garbledGate, garbledAssignment); 128 | } else if (garbledGate.operation === "LOR") { 129 | evaluateAnd(agent, garbledGate, garbledAssignment); 130 | } else if (garbledGate.operation === "XOR") { 131 | evaluateXor(agent, garbledGate, garbledAssignment); 132 | } else if ( 133 | garbledGate.operation === "NOT" || 134 | garbledGate.operation === "INV" 135 | ) { 136 | evaluateNot(agent, garbledGate, garbledAssignment); 137 | } 138 | } 139 | 140 | // Get output bits 141 | const garbledOutput = garbledAssignment.slice( 142 | circuit.wiresCount - circuit.outputSize 143 | ); 144 | return garbledOutput; 145 | }, 146 | }; 147 | -------------------------------------------------------------------------------- /laconic/pkg/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Laconic OT WASM Test 5 | 6 | 7 |

Laconic OT WASM Test

8 |
9 | 10 | 130 | 131 | 132 | -------------------------------------------------------------------------------- /app/laconic/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Laconic OT WASM Test 5 | 6 | 7 |

Laconic OT WASM Test

8 |
9 | 10 | 128 | 129 | 130 | -------------------------------------------------------------------------------- /jigg/README.md: -------------------------------------------------------------------------------- 1 | # JIGG 2 | 3 | JavaScript implementation of garbled gates and 2PC boolean circuit protocols. 4 | 5 | ## Requirements and Installation 6 | 7 | This library is implemented entirely in JavaScript. Running the server requires [Node.js](https://nodejs.org/en/), [npm](https://www.npmjs.com/) (both installed via `yum install nodejs npm` or `brew install npm` on macOS), [Socket.IO](https://socket.io/), and [libsodium](https://www.npmjs.com/package/libsodium). 8 | 9 | Run `npm` to install all JIGG dependencies: 10 | ```shell 11 | npm install 12 | ``` 13 | 14 | ## Project Layout 15 | 16 | ├─ circuits/ Circuit files 17 | │ ├─ macros/ Macro files to assemble circuits using [CASM](https://github.com/wyatt-howe/macro-circuit-assembler) 18 | │ └─ bristol/ Bristol format files 19 | ├─ demo/ Demo for client-server deployment scenario 20 | ├─ src/ Library modules implementing protocol steps for participants 21 | │ ├─ comm/ Communications modules (such as for OT) 22 | │ ├─ modules/ Data structure modules (such as circuits) 23 | │ └─ utils/ Other utility modules (such as cryptographic primitives) 24 | ├─ test/ End-to-end tests 25 | └─ tutorial/ Interactive tutorial on using JIGG 26 | 27 | ## Running The tutorial 28 | 29 | You can run the tutorial interactively on your local machine, after cloning JIGG, by using 30 | ```shell 31 | cd path/to/JIGG 32 | npm run tutorial 33 | ``` 34 | 35 | ## Running Demo Circuit Applications 36 | 37 | Start the communications server from server.js with the command below: 38 | ```shell 39 | node demo/server.js 40 | ``` 41 | 42 | ### As a Browser Party 43 | 44 | Parties can go to `http://localhost:/` in a web browser supporting JavaScript to begin communications. 45 | 46 | ### As a Node.js Party 47 | 48 | Connect a new party in Node.js by running: 49 | ```shell 50 | node demo/party.js 51 | # : Garbler or Evaluator 52 | # : string with no whitespaces 53 | # : bits, number, or hex 54 | # : must include file extension 55 | # demo will run bristol circuit found at 56 | # 'circuits/bristol/' 57 | ``` 58 | 59 | For example to join an AES-128 computation as the garbler, run: 60 | ```shell 61 | node demo/party.js 3000 Evaluator 00000000000000000000000000000000 hex aes-128-reverse.txt 62 | ``` 63 | 64 | ### Server + Garbler/Evaluator 65 | 66 | The server may also run as a garbler or evaluator. You can acheive this by running the server with 67 | the same arguments as a party: 68 | ```shell 69 | node demo/server.js 70 | ``` 71 | 72 | ## Demo Circuits 73 | We have a variety of circuits available under `circuits/bristol` mostly from this [page](https://homes.esat.kuleuven.be/~nsmart/MPC/). 74 | 75 | ### Circuit Format 76 | JIGG can parse a circuit in the standardized '[Bristol](https://homes.esat.kuleuven.be/~nsmart/MPC/) [Format](https://homes.esat.kuleuven.be/~nsmart/MPC/old-circuits.html)' which is supported by several compiled MPC libraries such as [SCALE-MAMBA](https://homes.esat.kuleuven.be/~nsmart/SCALE/). 77 | ```ada 78 | 4 8 79 | 2 2 2 80 | 1 3 81 | 2 1 0 1 4 AND 82 | 2 1 2 3 5 XOR 83 | 1 1 5 6 INV 84 | 2 1 4 6 7 AND 85 | ``` 86 | 87 | ### Circuit Assembler 88 | To create a new circuit, write a macro with existing circuits as its gates and run the [macro-circuit-assembler](https://github.com/wyatt-howe/macro-circuit-assembler/) with: 89 | 90 | ```shell 91 | npm run casm -- 92 | ``` 93 | 94 | For example, this macro assembles an AND circuit over 8 bits using 95 | existing 4 bit AND circuits: 96 | 97 | ``` 98 | npm run casm -- circuits/macros/and-8.casm circuits/and-8.txt 99 | ``` 100 | 101 | ## Running Tests 102 | 103 | All of the built-in test vectors can be verified in `npm test`. The tests will run a server automatically. These are end-to-end tests. 104 | 105 | ## Capabilities 106 | JIGG is designed for semi-honest parties (in either node or in the browser). We support point-and-permute, free-XOR, free single-input gates, and encryption from a random oracle (fixed-key XChaCha20). The half-AND optimization is compatible but not yet supported. The default label size is 128 bits and relies on JavaScript's Uint8Array class. The [`simple-labels`](https://github.com/wyatt-howe/jigg/tree/simple-labels) branch demonstrates dynamically-sized labels (that are 53 bits in length or less) without using arrays. Some potential improvements are listed in the to-do section. 107 | 108 | ## Contributing 109 | JIGG is fully functional as it is now, but there's still more to do (see the list below) before version 1. Pull requests are welcome for any improvement. The JIGG source is maintained with the help of [ESLint](https://eslint.org/) for style and the [included test suite](https://github.com/multiparty/jigg#legacy-end-to-end-tests) for stability. 110 | 111 | ### To Do 112 | - Half-AND gate optimization 113 | - Standardize JSON/serialized/compressed formats for inter-party messages compatible with [SIGG](https://github.com/multiparty/sigg) 114 | 115 | ## Information and Collaborators 116 | More information about this project, including collaborators and publications, can be found at [multiparty.org](https://multiparty.org/). 117 | -------------------------------------------------------------------------------- /laconic/src/wasm_bindings.rs: -------------------------------------------------------------------------------- 1 | use ark_bls12_381::{Bls12_381, Fr}; 2 | use ark_ec::pairing::Pairing; 3 | use ark_poly::Radix2EvaluationDomain; 4 | use ark_serialize::{CanonicalDeserialize, CanonicalSerialize}; 5 | use rand::{thread_rng, Rng}; 6 | use std::convert::TryInto; 7 | use wasm_bindgen::prelude::*; 8 | 9 | use crate::{CommitmentKey, LaconicOTRecv, LaconicOTSender, Msg, MSG_SIZE}; 10 | 11 | type Domain = Radix2EvaluationDomain; 12 | type E = Bls12_381; 13 | 14 | // Wrapper types for WASM 15 | #[wasm_bindgen] 16 | #[derive(Clone)] 17 | pub struct WasmCommitmentKey { 18 | commitment_key: CommitmentKey, 19 | } 20 | 21 | #[wasm_bindgen] 22 | pub struct WasmReceiver { 23 | receiver: LaconicOTRecv<'static, E, Domain>, 24 | } 25 | 26 | #[wasm_bindgen] 27 | pub struct WasmSender { 28 | sender: LaconicOTSender<'static, E, Domain>, 29 | } 30 | 31 | #[wasm_bindgen] 32 | pub struct WasmMessage { 33 | message: Msg, 34 | } 35 | 36 | // CommitmentKey implementations 37 | #[wasm_bindgen] 38 | impl WasmCommitmentKey { 39 | #[wasm_bindgen] 40 | pub fn setup(message_length: usize) -> Result { 41 | let mut rng = rand::thread_rng(); 42 | 43 | CommitmentKey::::setup(&mut rng, message_length) 44 | .map(|key| WasmCommitmentKey { 45 | commitment_key: key, 46 | }) 47 | .map_err(|_| JsError::new("Failed to setup commitment key").into()) 48 | } 49 | 50 | #[wasm_bindgen] 51 | pub fn serialize(&self) -> Vec { 52 | let mut bytes = Vec::new(); 53 | self.commitment_key 54 | .serialize_uncompressed(&mut bytes) 55 | .unwrap(); 56 | bytes 57 | } 58 | 59 | #[wasm_bindgen] 60 | pub fn deserialize(data: &[u8]) -> Result { 61 | CommitmentKey::::deserialize_uncompressed(data) 62 | .map(|key| WasmCommitmentKey { 63 | commitment_key: key, 64 | }) 65 | .map_err(|_| JsError::new("Failed to deserialize commitment key").into()) 66 | } 67 | } 68 | 69 | // Receiver implementations 70 | #[wasm_bindgen] 71 | impl WasmReceiver { 72 | #[wasm_bindgen] 73 | pub fn new(ck: &WasmCommitmentKey, bits: Vec) -> Self { 74 | let key = Box::leak(Box::new(ck.commitment_key.clone())); 75 | let bits: Vec = bits.into_iter().map(|b| b != 0).collect(); 76 | WasmReceiver { 77 | receiver: LaconicOTRecv::new(key, &bits), 78 | } 79 | } 80 | 81 | #[wasm_bindgen] 82 | pub fn recv(&self, i: usize, msg: &WasmMessage) -> Vec { 83 | self.receiver.recv(i, msg.message.clone()).to_vec() 84 | } 85 | 86 | #[wasm_bindgen] 87 | pub fn commitment(&self) -> Vec { 88 | let mut bytes = Vec::new(); 89 | self.receiver 90 | .commitment() 91 | .serialize_uncompressed(&mut bytes) 92 | .unwrap(); 93 | bytes 94 | } 95 | 96 | #[wasm_bindgen] 97 | pub fn deserialize(data: &[u8], ck: &WasmCommitmentKey) -> Self { 98 | let key = Box::leak(Box::new(ck.commitment_key.clone())); 99 | WasmReceiver { 100 | receiver: LaconicOTRecv::deserialize(data, key), 101 | } 102 | } 103 | 104 | #[wasm_bindgen] 105 | pub fn serialize(&self) -> Vec { 106 | self.receiver.serialize() 107 | } 108 | } 109 | 110 | // Sender implementations 111 | #[wasm_bindgen] 112 | impl WasmSender { 113 | #[wasm_bindgen] 114 | pub fn new(ck: &WasmCommitmentKey, commitment_bytes: &[u8]) -> Result { 115 | let commitment = ::G1::deserialize_uncompressed(commitment_bytes) 116 | .map_err(|_| JsError::new("Failed to deserialize commitment"))?; 117 | let key = Box::leak(Box::new(ck.commitment_key.clone())); 118 | Ok(WasmSender { 119 | sender: LaconicOTSender::new(key, commitment), 120 | }) 121 | } 122 | 123 | #[wasm_bindgen] 124 | pub fn send(&self, i: usize, m0: &[u8], m1: &[u8]) -> Result { 125 | let mut rng = rand::thread_rng(); 126 | 127 | let m0_array: [u8; MSG_SIZE] = m0 128 | .try_into() 129 | .map_err(|_| JsError::new(&format!("m0 must be {} bytes", MSG_SIZE)))?; 130 | let m1_array: [u8; MSG_SIZE] = m1 131 | .try_into() 132 | .map_err(|_| JsError::new(&format!("m1 must be {} bytes", MSG_SIZE)))?; 133 | 134 | let msg = self.sender.send(&mut rng, i, m0_array, m1_array); 135 | Ok(WasmMessage { message: msg }) 136 | } 137 | } 138 | 139 | #[cfg(test)] 140 | mod tests { 141 | use super::*; 142 | 143 | #[test] 144 | fn test_commitment_key_serialization() { 145 | // Create a new commitment key 146 | let ck = WasmCommitmentKey::setup(32).expect("Failed to setup commitment key"); 147 | 148 | // Serialize 149 | let serialized = ck.serialize(); 150 | 151 | // Deserialize 152 | let deserialized = WasmCommitmentKey::deserialize(&serialized) 153 | .expect("Failed to deserialize commitment key"); 154 | 155 | // Serialize again and compare bytes 156 | let serialized_again = deserialized.serialize(); 157 | assert_eq!( 158 | serialized, serialized_again, 159 | "Serialized bytes should match" 160 | ); 161 | } 162 | } 163 | -------------------------------------------------------------------------------- /app/components/JobMatchingForm.tsx: -------------------------------------------------------------------------------- 1 | import { useForm } from "react-hook-form"; 2 | import { generateBinaryInput } from "../utils/jobMatchingUtils"; 3 | 4 | interface JobMatchingFormProps { 5 | role: "Garbler" | "Evaluator"; 6 | onSubmit: (binaryInput: string) => void; 7 | disabled?: boolean; 8 | } 9 | 10 | export default function JobMatchingForm({ 11 | role, 12 | onSubmit, 13 | disabled, 14 | }: JobMatchingFormProps) { 15 | // Evaluator = Candidate, Garbler = Recruiter 16 | const { register, handleSubmit } = useForm({ 17 | defaultValues: { 18 | education: role === "Evaluator" ? 2 : 1, 19 | experience: role === "Evaluator" ? 5 : 1, 20 | interestZk: true, 21 | interestDefi: role === "Evaluator", 22 | interestConsumer: role === "Evaluator", 23 | interestInfra: role === "Evaluator", 24 | salary: role === "Evaluator" ? 10 : 100, 25 | stageGrant: true, 26 | stageSeed: role === "Evaluator", 27 | stageSeriesA: role === "Evaluator", 28 | stageSeriesB: role === "Evaluator", 29 | partTime: false, 30 | }, 31 | }); 32 | 33 | // eslint-disable-next-line @typescript-eslint/no-explicit-any 34 | const onSubmitForm = (data: any) => { 35 | const binaryInput = generateBinaryInput({ 36 | isRecruiter: role === "Garbler", 37 | commitment: data.partTime, 38 | education: parseInt(data.education), 39 | experience: parseInt(data.experience), 40 | interests: [ 41 | data.interestZk, 42 | data.interestDefi, 43 | data.interestConsumer, 44 | data.interestInfra, 45 | ], 46 | companyStage: [ 47 | data.stageGrant, 48 | data.stageSeed, 49 | data.stageSeriesA, 50 | data.stageSeriesB, 51 | ], 52 | salary: data.salary, 53 | }); 54 | 55 | onSubmit(binaryInput); 56 | }; 57 | 58 | return ( 59 |
60 |

61 | {role === "Garbler" ? "Recruiter Form" : "Candidate Form"} 62 |

63 | 64 | {/* Education */} 65 |
66 | 72 | 81 |
82 | 83 | {/* Experience */} 84 |
85 | 91 | 98 |
99 | 100 | {/* Interests or Job Preferences */} 101 |
102 | 105 |
106 | 109 | 112 | 115 | 119 |
120 |
121 | 122 | {/* Company Stage */} 123 |
124 | 125 |
126 | 129 | 132 | 135 | 138 |
139 |
140 | 141 | {/* Part Time */} 142 |
143 | 149 |
150 | 151 | {/* Salary */} 152 |
153 | 158 | 165 |
166 | 167 | 178 |
179 | ); 180 | } 181 | -------------------------------------------------------------------------------- /laconic/src/kzg_types.rs: -------------------------------------------------------------------------------- 1 | use ark_ec::pairing::Pairing; 2 | use ark_ec::CurveGroup; 3 | use ark_poly::EvaluationDomain; 4 | use ark_serialize::{CanonicalDeserialize, CanonicalSerialize}; 5 | use ark_std::UniformRand; 6 | use ark_std::Zero; 7 | use std::marker::PhantomData; 8 | use std::ops::Mul; 9 | 10 | use crate::kzg_fk_open::precompute_y; 11 | 12 | /// Simulation-Extractable vector commitment based on KZG 13 | pub struct VcKZG> { 14 | _e: PhantomData, 15 | _d: PhantomData, 16 | } 17 | 18 | #[derive(CanonicalSerialize, CanonicalDeserialize, Clone, PartialEq, Eq, Debug)] 19 | pub struct CommitmentKey> { 20 | /// length of messages to which we commit, 21 | /// This is called ell in the paper 22 | pub message_length: usize, 23 | 24 | /// evaluation domain that we use to represent vectors 25 | /// should support polynomials of degree deg >= ell+1 26 | pub domain: D, 27 | 28 | /// powers-of-alpha: u[i] = g1^{alpha^i} 29 | /// i should range from 0 to deg 30 | /// Note: u[0] = g1 31 | pub u: Vec, 32 | 33 | // /// lagrange version of u 34 | // /// u_lag[i] = g1^{l_i(alpha)}, where 35 | // /// l_i is the ith lagrange polynomial 36 | // /// i should range from 0 to deg 37 | // pub u_lag: Vec, 38 | /// same as u, but for the hiding part 39 | /// hat_u[i] = h1^{alpha^i} 40 | /// i should range from 0 to deg 41 | pub hat_u: Vec, 42 | 43 | /// lagrange version of u and hat_u 44 | /// Let l_i be the ith lagrange poly. Then: 45 | /// lag[i] = g1^{l_i(alpha)} 46 | /// lag[deg+i] = h1^{l_i(alpha)} 47 | /// for i in 0..deg 48 | pub lagranges: Vec, 49 | 50 | /// generator of G2 51 | pub g2: E::G2Affine, 52 | 53 | /// r = g2^{\alpha}, needed for verification 54 | pub r: E::G2Affine, 55 | 56 | /// precomputed denominators in the exponent 57 | /// all prepared for pairing 58 | /// namely, d[i] = g2^{alpha - zi}, 59 | /// where zi is the ith evaluation point 60 | /// i should range from 0 to deg 61 | pub d: Vec, 62 | 63 | /// y = DFT_{2d}(hat_s) for 64 | /// hat_s = [u[d-1],...,u[0], d+2 neutral elements] 65 | /// precomputed for use in the FK technique 66 | pub y: Vec, 67 | } 68 | 69 | #[derive(CanonicalSerialize)] 70 | pub struct Opening { 71 | /// commitment to witness polynomial g1^{psi(alpha)} 72 | pub v: E::G1Affine, 73 | } 74 | 75 | #[derive(CanonicalSerialize)] 76 | pub struct Commitment { 77 | pub com_kzg: E::G1Affine, 78 | } 79 | 80 | pub struct State { 81 | /// stores both the evaluations of the polynomial 82 | /// and the evaluations of the masking polynomial 83 | /// polynomial: 0..deg, masking: deg..2*deg 84 | pub evals: Vec, 85 | 86 | /// optionally stores precomputed KZG openings 87 | /// Note: this is only the group element part 88 | pub precomputed_v: Option>, 89 | } 90 | 91 | impl> CommitmentKey { 92 | pub fn setup( 93 | rng: &mut R, 94 | message_length: usize, 95 | ) -> Result, ()> { 96 | if message_length < 1 { 97 | return Err(()); 98 | } 99 | 100 | // generate an evaluation domain 101 | // should support polynomials to degree >= message_length + 1 102 | let domain = D::new(message_length); 103 | if domain.is_none() { 104 | return Err(()); 105 | } 106 | let domain = domain.unwrap(); 107 | 108 | // sample generators g1 and g2 109 | let g1 = E::G1::rand(rng); 110 | let g2 = E::G2::rand(rng); 111 | if g1.is_zero() || g2.is_zero() { 112 | return Err(()); 113 | } 114 | 115 | // sample hiding generator h 116 | let h = E::G1::rand(rng); 117 | 118 | // sample secret exponent alpha 119 | let alpha = E::ScalarField::rand(rng); 120 | 121 | // raise g1 to the powers of alpha --> u 122 | // raise h to the powers of alpha --> hat_u 123 | let deg = domain.size() - 1; 124 | let mut u: Vec = Vec::new(); 125 | let mut hat_u: Vec = Vec::new(); 126 | let mut curr_g = g1; 127 | let mut curr_h = h; 128 | u.push(curr_g.into_affine()); 129 | hat_u.push(curr_h.into_affine()); 130 | for _ in 1..=deg { 131 | curr_g = curr_g.mul(alpha); 132 | u.push(curr_g.into_affine()); 133 | curr_h = curr_h.mul(alpha); 134 | hat_u.push(curr_h.into_affine()); 135 | } 136 | 137 | // compute exponentiated lagrange coefficients 138 | // Note: If a standard powers-of-tau setup is used, 139 | // this can be publicly computed from u and hat_u 140 | let lf = domain.evaluate_all_lagrange_coefficients(alpha); 141 | let mut lagranges = Vec::with_capacity(2 * deg); 142 | for i in 0..=deg { 143 | lagranges.push(u[0].mul(lf[i]).into_affine()); 144 | } 145 | 146 | //compute r = g2^{alpha} 147 | let r = g2.mul(alpha).into_affine(); 148 | 149 | // compute all d[i] = g2^{alpha - zi} 150 | let mut d = Vec::new(); 151 | for i in 0..message_length { 152 | let z = domain.element(i); 153 | let exponent: E::ScalarField = alpha - z; 154 | d.push(g2.mul(exponent).into_affine()); 155 | } 156 | 157 | // precompute y and hat_y for FK algorithm 158 | let y = precompute_y::(&u, &domain); 159 | 160 | // assemble commitment key 161 | let g2 = g2.into_affine(); 162 | Ok(CommitmentKey { 163 | message_length, 164 | domain, 165 | u, 166 | hat_u, 167 | lagranges, 168 | g2, 169 | r, 170 | d, 171 | y, 172 | }) 173 | } 174 | } 175 | -------------------------------------------------------------------------------- /app/components/JobMatching.tsx: -------------------------------------------------------------------------------- 1 | "use client"; 2 | 3 | import { useState, useEffect } from "react"; 4 | import JIGG from "../../jigg/src/jiggClient.js"; 5 | import Label from "../../jigg/src/modules/label.js"; 6 | import JobMatchingForm from "./JobMatchingForm"; 7 | import init, { 8 | WasmCommitmentKey, 9 | WasmReceiver, 10 | WasmSender, 11 | WasmMessage, 12 | } from "../laconic/laconic_ot.js"; 13 | 14 | interface JobMatchingProps { 15 | role: "Garbler" | "Evaluator"; 16 | onGarbledDataChange?: (data: GarbledData) => void; 17 | onCommitmentChange?: (commitment: Uint8Array) => void; 18 | garbledData?: GarbledData; 19 | commitment?: Uint8Array; 20 | commitmentKey?: WasmCommitmentKey; 21 | } 22 | 23 | export interface GarbledData { 24 | circuit: string; 25 | garblerInputSize: number; 26 | evaluatorInputSize: number; 27 | garblerInputLabels?: Label[]; 28 | inputLabels?: Label[][]; 29 | evaluatorInputLabelEncryption?: WasmMessage[]; 30 | outputLabels?: Label[][]; 31 | R: Label; 32 | } 33 | 34 | export default function JobMatching({ 35 | role, 36 | onGarbledDataChange, 37 | onCommitmentChange, 38 | garbledData, 39 | commitment, 40 | commitmentKey, 41 | }: JobMatchingProps) { 42 | const [circuit, setCircuit] = useState(""); 43 | const [result, setResult] = useState(""); 44 | const [status, setStatus] = useState(""); 45 | const [serializedReceiver, setSerializedReceiver] = useState(); 46 | 47 | useEffect(() => { 48 | fetch("/circuits/job_matching.txt") 49 | .then((res) => res.text()) 50 | .then(setCircuit); 51 | }, []); 52 | 53 | const handleFormSubmit = async (binaryInput: string) => { 54 | try { 55 | if (!commitmentKey) { 56 | return; 57 | } 58 | 59 | const agent = new JIGG(role); 60 | agent.loadCircuit(circuit); 61 | 62 | const binaryArray = binaryInput 63 | .split("") 64 | .map(Number) 65 | .filter((bit) => bit === 0 || bit === 1); 66 | 67 | // sets up the oblivious transfer WASM 68 | await init(); 69 | 70 | if (role === "Evaluator" && !garbledData) { 71 | // Generate commitment for evaluator's input 72 | const binaryUint8Array = new Uint8Array(binaryArray); 73 | console.log("Type of commitmentKey:", typeof commitmentKey); 74 | console.log(commitmentKey); 75 | const receiver = WasmReceiver.new(commitmentKey, binaryUint8Array); 76 | const commitment = receiver.commitment(); 77 | setSerializedReceiver(receiver.serialize()); 78 | 79 | // Propagate commitment to garbler 80 | if (onCommitmentChange) { 81 | onCommitmentChange(commitment); 82 | } 83 | setStatus("Generated commitment"); 84 | } else if (role === "Garbler" && commitment) { 85 | // Garbler generates circuit and encrypts evaluator inputs 86 | const garbledData = agent.generateGarbling() as GarbledData; 87 | 88 | // Garbler gets his own inputs 89 | garbledData.garblerInputLabels = garbledData.inputLabels 90 | ?.slice(0, garbledData.garblerInputSize) 91 | .map((label, index) => label[binaryArray[index]]); 92 | 93 | // Generate witness encryptions of evaluator inputs 94 | const sender = WasmSender.new(commitmentKey, commitment); 95 | const evaluatorInputLabelEncryption = await Promise.all( 96 | Array.from( 97 | { length: garbledData.evaluatorInputSize }, 98 | async (_, i) => { 99 | const index = i + garbledData.garblerInputSize; 100 | 101 | if ( 102 | !garbledData.inputLabels?.[index] || 103 | !garbledData.inputLabels[index][0] || 104 | !garbledData.inputLabels[index][1] 105 | ) { 106 | throw new Error(`Missing input labels for index ${i}`); 107 | } 108 | 109 | const label0 = garbledData.inputLabels[index][0].bytes; 110 | const label1 = garbledData.inputLabels[index][1].bytes; 111 | 112 | if (!label0 || !label1) { 113 | throw new Error(`Missing bytes for input labels at index ${i}`); 114 | } 115 | 116 | const msg = await sender.send(i, label0, label1); 117 | return msg; 118 | } 119 | ) 120 | ); 121 | 122 | // Send evaluator encryptions to evaluator 123 | garbledData.evaluatorInputLabelEncryption = 124 | evaluatorInputLabelEncryption; 125 | 126 | if (onGarbledDataChange) { 127 | onGarbledDataChange(garbledData); 128 | } 129 | setStatus("Generated garbled circuit"); 130 | setResult(JSON.stringify(garbledData.outputLabels, null, 2)); 131 | } else if ( 132 | role === "Evaluator" && 133 | serializedReceiver && 134 | garbledData?.evaluatorInputLabelEncryption && 135 | garbledData?.garblerInputLabels 136 | ) { 137 | const receiver = WasmReceiver.deserialize( 138 | serializedReceiver, 139 | commitmentKey 140 | ); 141 | const evaluatorInputLabels = 142 | garbledData.evaluatorInputLabelEncryption.map( 143 | (msg, i) => new Label(receiver.recv(i, msg)) 144 | ); 145 | 146 | const evaluationResult = agent.evaluateCircuit(garbledData.circuit, [ 147 | ...garbledData.garblerInputLabels, 148 | ...evaluatorInputLabels, 149 | ]); 150 | 151 | setStatus("Evaluated garbled circuit"); 152 | setResult(JSON.stringify(evaluationResult, null, 2)); 153 | } 154 | } catch (error) { 155 | console.error(error); 156 | setStatus(`Error!`); 157 | } 158 | }; 159 | 160 | return ( 161 |
162 | 167 | 168 | {status && ( 169 |
170 |

Status:

171 |

{status}

172 |
173 | )} 174 | 175 | {result && ( 176 |
177 |

Result:

178 | 
{result}
179 |
180 | )} 181 |
182 | ); 183 | } 184 | -------------------------------------------------------------------------------- /jigg/src/garble.js: -------------------------------------------------------------------------------- 1 | "use strict"; 2 | 3 | const sodium = require("libsodium-wrappers-sumo"); 4 | 5 | const Label = require("./modules/label.js"); 6 | const Circuit = require("./modules/circuit.js"); 7 | const Gate = require("./modules/gate.js"); 8 | const crypto = require("./util/crypto.js"); 9 | 10 | const generateInputLabels = function (R, count, labelSize) { 11 | const garbledAssignment = []; 12 | for (let i = 0; i < count; i++) { 13 | const label = new Label(sodium.randombytes_buf(labelSize)); 14 | garbledAssignment[i] = [label, label.xor(R)]; 15 | } 16 | 17 | return garbledAssignment; 18 | }; 19 | 20 | const garbleAnd = function (agent, gate, R, garbledAssignment) { 21 | const in1 = gate.inputWires[0]; 22 | const in2 = gate.inputWires[1]; 23 | const out = gate.outputWire; 24 | 25 | const randomLabel = new Label(sodium.randombytes_buf(agent.labelSize)); 26 | garbledAssignment[out] = [randomLabel, randomLabel.xor(R)]; 27 | 28 | let values = [ 29 | crypto.encrypt( 30 | garbledAssignment[in1][0], 31 | garbledAssignment[in2][0], 32 | gate.id, 33 | garbledAssignment[out][0] 34 | ), 35 | crypto.encrypt( 36 | garbledAssignment[in1][0], 37 | garbledAssignment[in2][1], 38 | gate.id, 39 | garbledAssignment[out][0] 40 | ), 41 | crypto.encrypt( 42 | garbledAssignment[in1][1], 43 | garbledAssignment[in2][0], 44 | gate.id, 45 | garbledAssignment[out][0] 46 | ), 47 | crypto.encrypt( 48 | garbledAssignment[in1][1], 49 | garbledAssignment[in2][1], 50 | gate.id, 51 | garbledAssignment[out][1] 52 | ), 53 | ]; 54 | 55 | let points = [ 56 | 2 * garbledAssignment[in1][0].getPoint() + 57 | garbledAssignment[in2][0].getPoint(), 58 | 2 * garbledAssignment[in1][0].getPoint() + 59 | garbledAssignment[in2][1].getPoint(), 60 | 2 * garbledAssignment[in1][1].getPoint() + 61 | garbledAssignment[in2][0].getPoint(), 62 | 2 * garbledAssignment[in1][1].getPoint() + 63 | garbledAssignment[in2][1].getPoint(), 64 | ]; 65 | 66 | let truthTable = []; 67 | truthTable[points[0]] = values[0]; 68 | truthTable[points[1]] = values[1]; 69 | truthTable[points[2]] = values[2]; 70 | truthTable[points[3]] = values[3]; 71 | 72 | return new Gate(gate.id, "AND", gate.inputWires, gate.outputWire, truthTable); 73 | }; 74 | 75 | const garbleLor = function (agent, gate, R, garbledAssignment) { 76 | const in1 = gate.inputWires[0]; 77 | const in2 = gate.inputWires[1]; 78 | const out = gate.outputWire; 79 | 80 | const randomLabel = new Label(sodium.randombytes_buf(agent.labelSize)); 81 | garbledAssignment[out] = [randomLabel, randomLabel.xor(R)]; 82 | 83 | let values = [ 84 | crypto.encrypt( 85 | garbledAssignment[in1][0], 86 | garbledAssignment[in2][0], 87 | gate.id, 88 | garbledAssignment[out][0] 89 | ), 90 | crypto.encrypt( 91 | garbledAssignment[in1][0], 92 | garbledAssignment[in2][1], 93 | gate.id, 94 | garbledAssignment[out][1] 95 | ), 96 | crypto.encrypt( 97 | garbledAssignment[in1][1], 98 | garbledAssignment[in2][0], 99 | gate.id, 100 | garbledAssignment[out][1] 101 | ), 102 | crypto.encrypt( 103 | garbledAssignment[in1][1], 104 | garbledAssignment[in2][1], 105 | gate.id, 106 | garbledAssignment[out][1] 107 | ), 108 | ]; 109 | 110 | let points = [ 111 | 2 * garbledAssignment[in1][0].getPoint() + 112 | garbledAssignment[in2][0].getPoint(), 113 | 2 * garbledAssignment[in1][0].getPoint() + 114 | garbledAssignment[in2][1].getPoint(), 115 | 2 * garbledAssignment[in1][1].getPoint() + 116 | garbledAssignment[in2][0].getPoint(), 117 | 2 * garbledAssignment[in1][1].getPoint() + 118 | garbledAssignment[in2][1].getPoint(), 119 | ]; 120 | 121 | let truthTable = []; 122 | truthTable[points[0]] = values[0]; 123 | truthTable[points[1]] = values[1]; 124 | truthTable[points[2]] = values[2]; 125 | truthTable[points[3]] = values[3]; 126 | 127 | return new Gate(gate.id, "LOR", gate.inputWires, gate.outputWire, truthTable); 128 | }; 129 | 130 | const garbleXor = function (agent, gate, R, garbledAssignment) { 131 | const in1 = gate.inputWires[0]; 132 | const in2 = gate.inputWires[1]; 133 | const out = gate.outputWire; 134 | 135 | garbledAssignment[out] = [ 136 | garbledAssignment[in1][0].xor(garbledAssignment[in2][0]), 137 | garbledAssignment[in1][1].xor(garbledAssignment[in2][1]).xor(R), 138 | ]; 139 | 140 | return gate; 141 | }; 142 | 143 | const garbleNot = function (agent, gate, R, garbledAssignment) { 144 | const in1 = gate.inputWires[0]; 145 | const out = gate.outputWire; 146 | 147 | garbledAssignment[out] = [ 148 | garbledAssignment[in1][1], 149 | garbledAssignment[in1][0], 150 | ]; 151 | 152 | return gate; 153 | }; 154 | 155 | const degarbleOutput = function (agent, garbledAssignment, outputLabels) { 156 | const bits = []; 157 | for (let i = 0; i < agent.circuit.outputSize; i++) { 158 | const bitLabel = outputLabels[i]; 159 | const options = 160 | garbledAssignment[ 161 | agent.circuit.wiresCount - agent.circuit.outputSize + i 162 | ]; 163 | if (options[0].equals(bitLabel)) { 164 | bits.push(0); 165 | } else if (options[1].equals(bitLabel)) { 166 | bits.push(1); 167 | } else { 168 | agent.progress( 169 | "error", 170 | null, 171 | null, 172 | "output label unequal to either labels" 173 | ); 174 | agent.log("Output label " + i + " unequal to either labels!"); 175 | } 176 | } 177 | 178 | return bits; 179 | }; 180 | 181 | module.exports = { 182 | generateGarbling: (agent) => { 183 | const circuit = agent.circuit; 184 | const garbledCircuit = new Circuit( 185 | circuit.wiresCount, 186 | circuit.garblerInputSize, 187 | circuit.evaluatorInputSize, 188 | circuit.outputSize, 189 | agent.labelSize 190 | ); 191 | 192 | // Generate random offset 193 | const R = new Label(sodium.randombytes_buf(agent.labelSize)); 194 | R.setPoint(1); 195 | 196 | // Generate labels for input wires 197 | const garbledAssignment = generateInputLabels( 198 | R, 199 | circuit.evaluatorInputSize + circuit.garblerInputSize, 200 | agent.labelSize 201 | ); 202 | 203 | // Garble gates 204 | for (let i = 0; i < circuit.gates.length; i++) { 205 | let gate = circuit.gates[i]; 206 | 207 | if (gate.operation === "AND") { 208 | gate = garbleAnd(agent, gate, R, garbledAssignment); 209 | } else if (gate.operation === "LOR") { 210 | gate = garbleLor(agent, gate, R, garbledAssignment); 211 | } else if (gate.operation === "XOR") { 212 | gate = garbleXor(agent, gate, R, garbledAssignment); 213 | } else if (gate.operation === "NOT" || gate.operation === "INV") { 214 | gate = garbleNot(agent, gate, R, garbledAssignment); 215 | } 216 | 217 | garbledCircuit.gates.push(gate); 218 | } 219 | 220 | return { 221 | circuit: garbledCircuit.serialize(), 222 | garblerInputSize: circuit.garblerInputSize, 223 | evaluatorInputSize: circuit.evaluatorInputSize, 224 | inputLabels: garbledAssignment.slice( 225 | 0, 226 | circuit.garblerInputSize + circuit.evaluatorInputSize 227 | ), 228 | outputLabels: garbledAssignment.slice( 229 | circuit.wiresCount - circuit.outputSize, 230 | circuit.wiresCount 231 | ), 232 | R: R, 233 | }; 234 | }, 235 | degarbleOutput: degarbleOutput, 236 | }; 237 | -------------------------------------------------------------------------------- /app/public/circuits/32bit_add.txt: -------------------------------------------------------------------------------- 1 | 375 439 2 | 2 32 32 3 | 1 33 4 | 2 1 0 32 406 XOR 5 | 2 1 5 37 373 AND 6 | 2 1 4 36 336 AND 7 | 2 1 10 42 340 AND 8 | 2 1 14 46 366 AND 9 | 2 1 24 56 341 AND 10 | 2 1 8 40 342 AND 11 | 2 1 1 33 343 AND 12 | 2 1 7 39 348 AND 13 | 2 1 28 60 349 AND 14 | 2 1 19 51 350 AND 15 | 2 1 2 34 351 AND 16 | 2 1 30 62 364 AND 17 | 2 1 13 45 352 AND 18 | 2 1 18 50 353 AND 19 | 2 1 11 43 355 AND 20 | 2 1 3 35 356 AND 21 | 2 1 16 48 359 AND 22 | 2 1 31 63 357 AND 23 | 2 1 27 59 358 AND 24 | 2 1 15 47 360 AND 25 | 2 1 17 49 361 AND 26 | 2 1 9 41 363 AND 27 | 2 1 32 0 278 AND 28 | 2 1 29 61 362 AND 29 | 2 1 6 38 365 AND 30 | 2 1 25 57 354 AND 31 | 2 1 20 52 367 AND 32 | 2 1 22 54 331 AND 33 | 2 1 21 53 371 AND 34 | 2 1 12 44 372 AND 35 | 2 1 23 55 339 AND 36 | 2 1 26 58 368 AND 37 | 1 1 56 398 INV 38 | 1 1 3 314 INV 39 | 1 1 40 346 INV 40 | 1 1 62 378 INV 41 | 1 1 6 389 INV 42 | 1 1 28 401 INV 43 | 1 1 10 377 INV 44 | 1 1 13 391 INV 45 | 1 1 27 335 INV 46 | 1 1 7 387 INV 47 | 1 1 24 399 INV 48 | 1 1 54 327 INV 49 | 1 1 36 315 INV 50 | 1 1 52 332 INV 51 | 1 1 50 380 INV 52 | 1 1 57 404 INV 53 | 1 1 31 323 INV 54 | 1 1 55 317 INV 55 | 1 1 18 381 INV 56 | 1 1 60 400 INV 57 | 1 1 5 322 INV 58 | 1 1 14 395 INV 59 | 1 1 47 402 INV 60 | 1 1 8 347 INV 61 | 1 1 19 385 INV 62 | 1 1 53 374 INV 63 | 1 1 29 330 INV 64 | 1 1 1 382 INV 65 | 1 1 34 344 INV 66 | 1 1 20 333 INV 67 | 1 1 37 321 INV 68 | 1 1 45 390 INV 69 | 1 1 11 338 INV 70 | 1 1 42 376 INV 71 | 1 1 12 370 INV 72 | 1 1 38 388 INV 73 | 1 1 23 318 INV 74 | 1 1 41 392 INV 75 | 1 1 61 329 INV 76 | 1 1 15 403 INV 77 | 1 1 48 396 INV 78 | 1 1 26 320 INV 79 | 1 1 43 337 INV 80 | 1 1 59 334 INV 81 | 1 1 9 393 INV 82 | 1 1 58 319 INV 83 | 1 1 17 326 INV 84 | 1 1 44 369 INV 85 | 1 1 21 375 INV 86 | 1 1 49 325 INV 87 | 1 1 16 397 INV 88 | 1 1 25 405 INV 89 | 1 1 51 384 INV 90 | 1 1 4 316 INV 91 | 1 1 2 345 INV 92 | 1 1 39 386 INV 93 | 1 1 46 394 INV 94 | 1 1 35 313 INV 95 | 1 1 22 328 INV 96 | 1 1 63 324 INV 97 | 1 1 33 383 INV 98 | 1 1 30 379 INV 99 | 2 1 313 314 282 AND 100 | 2 1 315 316 283 AND 101 | 2 1 317 318 284 AND 102 | 2 1 319 320 299 AND 103 | 2 1 321 322 285 AND 104 | 2 1 323 324 286 AND 105 | 2 1 325 326 288 AND 106 | 2 1 327 328 289 AND 107 | 2 1 329 330 290 AND 108 | 1 1 331 130 INV 109 | 2 1 332 333 287 AND 110 | 2 1 334 335 292 AND 111 | 1 1 336 256 INV 112 | 2 1 337 338 293 AND 113 | 1 1 339 123 INV 114 | 1 1 340 214 INV 115 | 1 1 341 116 INV 116 | 1 1 342 228 INV 117 | 1 1 343 276 INV 118 | 2 1 344 345 310 AND 119 | 2 1 346 347 300 AND 120 | 1 1 348 235 INV 121 | 1 1 349 88 INV 122 | 1 1 350 151 INV 123 | 1 1 351 270 INV 124 | 1 1 352 193 INV 125 | 1 1 353 158 INV 126 | 1 1 354 109 INV 127 | 1 1 355 207 INV 128 | 1 1 356 263 INV 129 | 1 1 357 66 INV 130 | 1 1 358 95 INV 131 | 1 1 359 172 INV 132 | 1 1 360 179 INV 133 | 1 1 361 165 INV 134 | 1 1 362 81 INV 135 | 1 1 363 221 INV 136 | 1 1 364 74 INV 137 | 1 1 365 242 INV 138 | 1 1 366 186 INV 139 | 1 1 367 144 INV 140 | 1 1 368 102 INV 141 | 2 1 369 370 301 AND 142 | 1 1 371 137 INV 143 | 1 1 372 200 INV 144 | 1 1 373 249 INV 145 | 2 1 374 375 298 AND 146 | 2 1 376 377 296 AND 147 | 2 1 378 379 291 AND 148 | 2 1 380 381 297 AND 149 | 2 1 382 383 306 AND 150 | 2 1 384 385 294 AND 151 | 2 1 386 387 295 AND 152 | 2 1 388 389 302 AND 153 | 2 1 390 391 303 AND 154 | 2 1 392 393 304 AND 155 | 2 1 394 395 305 AND 156 | 2 1 396 397 307 AND 157 | 2 1 398 399 308 AND 158 | 2 1 400 401 309 AND 159 | 2 1 402 403 311 AND 160 | 2 1 404 405 312 AND 161 | 1 1 282 266 INV 162 | 1 1 283 259 INV 163 | 1 1 284 126 INV 164 | 1 1 285 252 INV 165 | 1 1 286 69 INV 166 | 1 1 287 147 INV 167 | 1 1 288 168 INV 168 | 1 1 289 133 INV 169 | 1 1 290 84 INV 170 | 1 1 291 77 INV 171 | 1 1 292 98 INV 172 | 1 1 293 210 INV 173 | 1 1 294 154 INV 174 | 1 1 295 238 INV 175 | 1 1 296 217 INV 176 | 1 1 297 161 INV 177 | 1 1 298 140 INV 178 | 1 1 299 105 INV 179 | 1 1 300 231 INV 180 | 1 1 301 203 INV 181 | 1 1 302 245 INV 182 | 1 1 303 196 INV 183 | 1 1 304 224 INV 184 | 1 1 305 189 INV 185 | 1 1 306 281 INV 186 | 1 1 307 175 INV 187 | 1 1 308 119 INV 188 | 1 1 309 91 INV 189 | 1 1 310 273 INV 190 | 1 1 311 182 INV 191 | 1 1 312 112 INV 192 | 2 1 281 276 277 AND 193 | 2 1 69 66 279 AND 194 | 2 1 281 278 280 AND 195 | 2 1 277 278 407 XOR 196 | 1 1 279 71 INV 197 | 1 1 280 275 INV 198 | 2 1 275 276 274 AND 199 | 1 1 274 271 INV 200 | 2 1 2 271 268 XOR 201 | 2 1 271 273 272 AND 202 | 2 1 34 268 408 XOR 203 | 1 1 272 269 INV 204 | 2 1 269 270 267 AND 205 | 1 1 267 264 INV 206 | 2 1 3 264 261 XOR 207 | 2 1 264 266 265 AND 208 | 2 1 35 261 409 XOR 209 | 1 1 265 262 INV 210 | 2 1 262 263 260 AND 211 | 1 1 260 257 INV 212 | 2 1 4 257 253 XOR 213 | 2 1 257 259 258 AND 214 | 2 1 36 253 410 XOR 215 | 1 1 258 255 INV 216 | 2 1 255 256 254 AND 217 | 1 1 254 250 INV 218 | 2 1 5 250 247 XOR 219 | 2 1 250 252 251 AND 220 | 2 1 37 247 411 XOR 221 | 1 1 251 248 INV 222 | 2 1 248 249 246 AND 223 | 1 1 246 243 INV 224 | 2 1 6 243 239 XOR 225 | 2 1 243 245 244 AND 226 | 2 1 38 239 412 XOR 227 | 1 1 244 241 INV 228 | 2 1 241 242 240 AND 229 | 1 1 240 236 INV 230 | 2 1 7 236 233 XOR 231 | 2 1 236 238 237 AND 232 | 2 1 39 233 413 XOR 233 | 1 1 237 234 INV 234 | 2 1 234 235 232 AND 235 | 1 1 232 229 INV 236 | 2 1 8 229 226 XOR 237 | 2 1 229 231 230 AND 238 | 2 1 40 226 414 XOR 239 | 1 1 230 227 INV 240 | 2 1 227 228 225 AND 241 | 1 1 225 222 INV 242 | 2 1 9 222 219 XOR 243 | 2 1 222 224 223 AND 244 | 2 1 41 219 415 XOR 245 | 1 1 223 220 INV 246 | 2 1 220 221 218 AND 247 | 1 1 218 215 INV 248 | 2 1 10 215 212 XOR 249 | 2 1 215 217 216 AND 250 | 2 1 42 212 416 XOR 251 | 1 1 216 213 INV 252 | 2 1 213 214 211 AND 253 | 1 1 211 208 INV 254 | 2 1 11 208 205 XOR 255 | 2 1 208 210 209 AND 256 | 2 1 43 205 417 XOR 257 | 1 1 209 206 INV 258 | 2 1 206 207 204 AND 259 | 1 1 204 201 INV 260 | 2 1 12 201 198 XOR 261 | 2 1 201 203 202 AND 262 | 2 1 44 198 418 XOR 263 | 1 1 202 199 INV 264 | 2 1 199 200 197 AND 265 | 1 1 197 195 INV 266 | 2 1 13 195 190 XOR 267 | 2 1 195 196 194 AND 268 | 2 1 45 190 419 XOR 269 | 1 1 194 192 INV 270 | 2 1 192 193 191 AND 271 | 1 1 191 187 INV 272 | 2 1 14 187 183 XOR 273 | 2 1 187 189 188 AND 274 | 2 1 46 183 420 XOR 275 | 1 1 188 185 INV 276 | 2 1 185 186 184 AND 277 | 1 1 184 180 INV 278 | 2 1 15 180 177 XOR 279 | 2 1 180 182 181 AND 280 | 2 1 47 177 421 XOR 281 | 1 1 181 178 INV 282 | 2 1 178 179 176 AND 283 | 1 1 176 173 INV 284 | 2 1 48 173 170 XOR 285 | 2 1 173 175 174 AND 286 | 2 1 16 170 422 XOR 287 | 1 1 174 171 INV 288 | 2 1 171 172 169 AND 289 | 1 1 169 166 INV 290 | 2 1 17 166 163 XOR 291 | 2 1 166 168 167 AND 292 | 2 1 49 163 423 XOR 293 | 1 1 167 164 INV 294 | 2 1 164 165 162 AND 295 | 1 1 162 159 INV 296 | 2 1 18 159 156 XOR 297 | 2 1 159 161 160 AND 298 | 2 1 50 156 424 XOR 299 | 1 1 160 157 INV 300 | 2 1 157 158 155 AND 301 | 1 1 155 152 INV 302 | 2 1 19 152 149 XOR 303 | 2 1 152 154 153 AND 304 | 2 1 51 149 425 XOR 305 | 1 1 153 150 INV 306 | 2 1 150 151 148 AND 307 | 1 1 148 145 INV 308 | 2 1 20 145 141 XOR 309 | 2 1 145 147 146 AND 310 | 2 1 52 141 426 XOR 311 | 1 1 146 143 INV 312 | 2 1 143 144 142 AND 313 | 1 1 142 138 INV 314 | 2 1 53 138 135 XOR 315 | 2 1 138 140 139 AND 316 | 2 1 21 135 427 XOR 317 | 1 1 139 136 INV 318 | 2 1 136 137 134 AND 319 | 1 1 134 132 INV 320 | 2 1 22 132 127 XOR 321 | 2 1 132 133 131 AND 322 | 2 1 54 127 428 XOR 323 | 1 1 131 129 INV 324 | 2 1 129 130 128 AND 325 | 1 1 128 124 INV 326 | 2 1 23 124 121 XOR 327 | 2 1 124 126 125 AND 328 | 2 1 55 121 429 XOR 329 | 1 1 125 122 INV 330 | 2 1 122 123 120 AND 331 | 1 1 120 117 INV 332 | 2 1 24 117 114 XOR 333 | 2 1 117 119 118 AND 334 | 2 1 56 114 430 XOR 335 | 1 1 118 115 INV 336 | 2 1 115 116 113 AND 337 | 1 1 113 110 INV 338 | 2 1 25 110 107 XOR 339 | 2 1 110 112 111 AND 340 | 2 1 57 107 431 XOR 341 | 1 1 111 108 INV 342 | 2 1 108 109 106 AND 343 | 1 1 106 103 INV 344 | 2 1 26 103 100 XOR 345 | 2 1 103 105 104 AND 346 | 2 1 58 100 432 XOR 347 | 1 1 104 101 INV 348 | 2 1 101 102 99 AND 349 | 1 1 99 96 INV 350 | 2 1 59 96 93 XOR 351 | 2 1 96 98 97 AND 352 | 2 1 27 93 433 XOR 353 | 1 1 97 94 INV 354 | 2 1 94 95 92 AND 355 | 1 1 92 89 INV 356 | 2 1 28 89 86 XOR 357 | 2 1 89 91 90 AND 358 | 2 1 60 86 434 XOR 359 | 1 1 90 87 INV 360 | 2 1 87 88 85 AND 361 | 1 1 85 83 INV 362 | 2 1 61 83 79 XOR 363 | 2 1 83 84 82 AND 364 | 2 1 29 79 435 XOR 365 | 1 1 82 80 INV 366 | 2 1 80 81 78 AND 367 | 1 1 78 76 INV 368 | 2 1 30 76 72 XOR 369 | 2 1 76 77 75 AND 370 | 2 1 62 72 436 XOR 371 | 1 1 75 73 INV 372 | 2 1 73 74 70 AND 373 | 2 1 70 71 437 XOR 374 | 1 1 70 68 INV 375 | 2 1 68 69 67 AND 376 | 1 1 67 65 INV 377 | 2 1 65 66 64 AND 378 | 1 1 64 438 INV -------------------------------------------------------------------------------- /laconic/src/kzg_fk_open.rs: -------------------------------------------------------------------------------- 1 | use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup}; 2 | use ark_poly::EvaluationDomain; 3 | use ark_std::Zero; 4 | use std::ops::Mul; 5 | 6 | use crate::kzg_types::{CommitmentKey, State}; 7 | 8 | // this module allows to compute all openings in a 9 | // fast amortized way following the FK technique: 10 | // https://eprint.iacr.org/2023/033.pdf 11 | 12 | /// Compute the vector y = DFT(hat_s) used for fast amortized 13 | /// computation of all KZG openings. It is independent of the 14 | /// committed vector and can therefore be computed once from 15 | /// the public parameters / commitment key 16 | pub fn precompute_y>( 17 | powers: &[E::G1Affine], 18 | domain: &D, 19 | ) -> Vec { 20 | // Preparation: We need to do FFTs of twice the size. 21 | // for that, we make use of a evaluation domain of twice the size 22 | // we also let d be the degree of f 23 | let d = domain.size() - 1; 24 | let domain2 = D::new(2 * domain.size()).unwrap(); 25 | // hat_s = [powers[d-1],...,powers[0], d+2 neutral elements] 26 | let mut hat_s = Vec::with_capacity(2 * d + 2); 27 | for i in (0..=d - 1).rev() { 28 | hat_s.push(powers[i].into_group()); 29 | } 30 | for _ in 0..d + 2 { 31 | hat_s.push(E::G1::zero()); 32 | } 33 | let y = domain2.fft(&hat_s); 34 | E::G1::normalize_batch(&y) 35 | } 36 | 37 | /// FK technique to compute openings in a *non-hiding* way 38 | /// evals contains the domain.size() many evaluations 39 | /// of the polynomial over the evaluation domain 40 | pub fn all_openings_single>( 41 | y: &[E::G1Affine], 42 | domain: &D, 43 | evals: &[E::ScalarField], 44 | ) -> Vec { 45 | // compute the base polynomial h 46 | let coeffs = domain.ifft(&evals); 47 | let mut h = base_poly::(y, domain, &coeffs); 48 | 49 | // evaluate h in the exponent using FFT 50 | // the evaluations are the openings 51 | domain.fft_in_place(&mut h); 52 | h 53 | } 54 | 55 | /// compute the polynomial h (in exponent) from the paper (see Proposition 1) 56 | /// The polynomial f is given by domain.size() many coefficients, and we have 57 | /// powers[i] = g1^{alpha^i} 58 | /// The ith KZG opening is h(domain.element(i)). Hence, one we have h, we can 59 | /// compute all openings efficiently using a single FFT in the exponent 60 | fn base_poly>( 61 | y: &[E::G1Affine], 62 | domain: &D, 63 | coeffs: &[E::ScalarField], 64 | ) -> Vec { 65 | // we follow the modifications as in the implementation of caulk 66 | // https://github.com/caulk-crypto/caulk/blob/main/src/dft.rs#L17 67 | 68 | // Preparation: We need to do FFTs of twice the size. 69 | // for that, we make use of a evaluation domain of twice the size 70 | // we also let d be the degree of f 71 | let d = domain.size() - 1; 72 | let domain2 = D::new(2 * domain.size()).unwrap(); 73 | 74 | // Step 1: y = DFT(hat_s) has already been precomputed 75 | // Step 2: v = DFT(hat_c), where 76 | 77 | // hat_c = [coeffs[d], d zeros, coeffs[d], coeffs[0],...,coeffs[d-1]] 78 | let mut hat_c = Vec::with_capacity(2 * d + 2); 79 | hat_c.push(coeffs[d]); 80 | for _ in 0..d { 81 | hat_c.push(E::ScalarField::zero()); 82 | } 83 | hat_c.push(coeffs[d]); 84 | for i in 0..d { 85 | hat_c.push(coeffs[i]); 86 | } 87 | 88 | // let v = domain2.fft(&hat_c); 89 | domain2.fft_in_place(&mut hat_c); 90 | let v = hat_c; 91 | 92 | // Step 3: u = comp.-wise prod. of y and v 93 | let mut u: Vec = Vec::with_capacity(2 * d); 94 | for i in 0..2 * d + 2 { 95 | u.push(y[i].mul(v[i])); 96 | } 97 | 98 | // Step 4: hat_h = iDFT(u) 99 | //let hat_h = domain2.ifft(&u); 100 | domain2.ifft_in_place(&mut u); 101 | let hat_h = u; 102 | let h = hat_h[0..d].to_vec(); 103 | h 104 | } 105 | 106 | #[cfg(test)] 107 | mod tests { 108 | 109 | use std::vec; 110 | 111 | use ark_bls12_381::Bls12_381; 112 | use ark_ec::pairing::Pairing; 113 | use ark_ec::{CurveGroup, VariableBaseMSM}; 114 | use ark_poly::univariate::DensePolynomial; 115 | use ark_poly::EvaluationDomain; 116 | use ark_poly::{DenseUVPolynomial, Radix2EvaluationDomain}; 117 | use ark_std::One; 118 | use ark_std::UniformRand; 119 | 120 | use crate::kzg_types::VcKZG; 121 | 122 | use super::{all_openings_single, base_poly}; 123 | 124 | type F = ::ScalarField; 125 | type D = Radix2EvaluationDomain; 126 | 127 | /// test function base_polynomial 128 | #[test] 129 | fn test_base_poly() { 130 | let mut rng = ark_std::rand::thread_rng(); 131 | let degree = 15; 132 | let runs = 10; 133 | 134 | // generate some parameters 135 | let ck = VcKZG::::setup(&mut rng, degree - 1).unwrap(); 136 | 137 | for _ in 0..runs { 138 | // sample random polynomial f and its evaluations 139 | let f = DensePolynomial::rand(ck.domain.size() - 1, &mut rng); 140 | // compute the expected coefficients of h 141 | // in the exponent (expensive version) 142 | let mut naive = Vec::new(); 143 | for i in 1..=degree { 144 | // according to paper: 145 | // h_i = f[d]u[d-i] + f[d-1]u[d-i-1] + ... + f[i+1]u[1] + f[i]u[0], 146 | // where u[j] = g1^{secret^j} and d = degree 147 | // note that this is an MSM of f[i..=d] and u[0..=d-i] 148 | let hi = <::G1 as VariableBaseMSM>::msm( 149 | &ck.u[0..=(degree - i)], 150 | &f.coeffs[i..=degree], 151 | ) 152 | .unwrap() 153 | .into_affine(); 154 | naive.push(hi); 155 | } 156 | // compute h using the function we want to test 157 | let h = base_poly::(&ck.y, &ck.domain, &f.coeffs); 158 | // check that they are indeed equal 159 | for i in 0..=degree - 1 { 160 | assert_eq!(naive[i], h[i].into_affine()); 161 | } 162 | } 163 | } 164 | 165 | /// test function all_openings_single 166 | #[test] 167 | fn test_all_openings_single() { 168 | let mut rng = ark_std::rand::thread_rng(); 169 | let degree = 15; 170 | let runs = 10; 171 | 172 | // generate some parameters 173 | let ck = VcKZG::::setup(&mut rng, degree - 1).unwrap(); 174 | 175 | for _ in 0..runs { 176 | // generate random polynomial and its evaluations 177 | let f = DensePolynomial::rand(ck.domain.size() - 1, &mut rng); 178 | let evals = ck.domain.fft(&f.coeffs); 179 | // precompute the openings naively using long division (very slow) 180 | let mut naive: Vec<::G1Affine> = Vec::new(); 181 | for i in 0..ck.domain.size() { 182 | // witness poly using long division 183 | let z = ck.domain.element(i); 184 | let fshift = &f - &DensePolynomial::from_coefficients_vec(vec![evals[i]]); 185 | let div = DensePolynomial::from_coefficients_vec(vec![-z, F::one()]); 186 | let witness_poly = &fshift / ÷ 187 | // commit to witness poly at alpha 188 | let c = <::G1 as VariableBaseMSM>::msm( 189 | &ck.u[0..ck.domain.size() - 1], 190 | &witness_poly.coeffs, 191 | ) 192 | .unwrap(); 193 | naive.push(c.into_affine()); 194 | } 195 | // precompute the openings using the function we want to test 196 | let fk: Vec<::G1> = 197 | all_openings_single::(&ck.y, &ck.domain, &evals); 198 | // compare the results 199 | for i in 0..ck.domain.size() { 200 | assert_eq!(naive[i], fk[i].into_affine()); 201 | } 202 | } 203 | } 204 | 205 | // test the public function all_openings 206 | #[test] 207 | fn test_all_openings() { 208 | let mut rng = ark_std::rand::thread_rng(); 209 | let degree = 15; 210 | let runs = 3; 211 | 212 | for _ in 0..runs { 213 | // generate some parameters 214 | let ck = VcKZG::::setup(&mut rng, degree - 1).unwrap(); 215 | 216 | // commit to something 217 | let m = (0..degree - 1).map(|_| F::rand(&mut rng)).collect(); 218 | let (_com, mut st) = VcKZG::::commit(&mut rng, &ck, &m); 219 | 220 | // compute all the openings freshly 221 | let mut openings = Vec::new(); 222 | for i in 0..ck.message_length { 223 | let op = VcKZG::::open(&ck, &st, i as u32).unwrap(); 224 | openings.push(op.v); 225 | } 226 | 227 | // check that all openings are the same 228 | let precomputed = st.precomputed_v.unwrap(); 229 | for i in 0..ck.message_length { 230 | assert_eq!(precomputed[i], openings[i]); 231 | } 232 | } 233 | } 234 | } 235 | -------------------------------------------------------------------------------- /app/test/HIRING.md: -------------------------------------------------------------------------------- 1 | # Test Case Inputs for `job_matching.txt` Circuit 2 | 3 | ## Bit Order 4 | 5 | Each party's input string consists of 30 bits, structured as follows: 6 | 7 | 1. **Bit 0:** Position (`1` bit) 8 | 2. **Bit 1:** Commitment (`1` bit) 9 | 3. **Bits 2-5:** Education (`4` bits) - `education[0]` (MSB) to `education[3]` (LSB) 10 | 4. **Bits 6-13:** Experience (`8` bits) - `experience[0]` (MSB) to `experience[7]` (LSB) 11 | 5. **Bits 14-17:** Interests (`4` bits) - `interests[0]` (MSB) to `interests[3]` (LSB) 12 | 6. **Bits 18-21:** Company Stage (`4` bits) - `company_stage[0]` (MSB) to `company_stage[3]` (LSB) 13 | 7. **Bits 22-29:** Salary (`8` bits) - `salary[0]` (MSB) to `salary[7]` (LSB) 14 | 15 | --- 16 | 17 | ## Test Case 1: Successful Match 18 | 19 | **Expected Output:** **True (1)** 20 | 21 | **Party A Input String (30 bits):** 22 | 23 | ``` 24 | 1 0 1000 00000001 0001 0100 00110010 25 | ``` 26 | 27 | **Combined as:** 28 | 29 | ``` 30 | 1 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 0 0 0 0 1 1 0 0 1 0 31 | ``` 32 | 33 | **Party A Input String (30 bits):** 34 | 35 | ``` 36 | 101000000000010001010001100010 37 | ``` 38 | 39 | **Party B Input String (30 bits):** 40 | 41 | ``` 42 | 0 0 1000 00000001 0001 0100 00101101 43 | ``` 44 | 45 | **Combined as:** 46 | 47 | ``` 48 | 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 0 0 0 0 1 0 1 1 0 1 49 | ``` 50 | 51 | **Party B Input String (30 bits):** 52 | 53 | ``` 54 | 0010000000000100010100010101101 55 | ``` 56 | 57 | (Note: Corrected to have 30 bits.) 58 | 59 | **Explanation:** 60 | 61 | - **Both input strings are exactly 30 bits long.** 62 | - All bits are correctly assigned based on the specified bit positions. 63 | - **All matching conditions are satisfied**, so the expected output is **True (1)**. 64 | 65 | --- 66 | 67 | ## Test Case 2: Salary Mismatch 68 | 69 | **Expected Output:** **False (0)** 70 | 71 | **Changes from Test Case 1:** 72 | 73 | - **Party B Salary:** `55` (Desires $55,000) 74 | - Salary in binary: `00110111` 75 | 76 | **Party B Input String (30 bits):** 77 | 78 | ``` 79 | 0 0 1000 00000001 0001 0100 00110111 80 | ``` 81 | 82 | **Combined as:** 83 | 84 | ``` 85 | 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 0 0 0 0 1 1 0 1 1 1 86 | ``` 87 | 88 | **Party B Input String (30 bits):** 89 | 90 | ``` 91 | 00100000000001000101000100110111 92 | ``` 93 | 94 | **Explanation:** 95 | 96 | - **Total bits:** 30 97 | - **Salary Bits (Bits 22-29):** `0 0 1 1 0 1 1 1` (Correctly represented) 98 | - **Salary Match Condition Fails**: Expected output is **False (0)**. 99 | 100 | --- 101 | 102 | ## Test Case 3: Education Mismatch 103 | 104 | **Expected Output:** **False (0)** 105 | 106 | **Changes from Test Case 1:** 107 | 108 | - **Party B Education:** `0100` (Associate's degree) 109 | 110 | **Party B Input String (30 bits):** 111 | 112 | ``` 113 | 0 0 0100 00000001 0001 0100 00101101 114 | ``` 115 | 116 | **Combined as:** 117 | 118 | ``` 119 | 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 0 0 0 0 1 0 1 1 0 1 120 | ``` 121 | 122 | **Party B Input String (30 bits):** 123 | 124 | ``` 125 | 0001000000000100010100010101101 126 | ``` 127 | 128 | **Explanation:** 129 | 130 | - **Total bits:** 30 131 | - **Education Bits (Bits 2-5):** `0 1 0 0` (Correct) 132 | - **Education Match Condition Fails**: Expected output is **False (0)**. 133 | 134 | --- 135 | 136 | ## Test Case 4: Commitment Mismatch 137 | 138 | **Expected Output:** **False (0)** 139 | 140 | **Changes from Test Case 1:** 141 | 142 | - **Party B Commitment:** `1` (Wants part-time) 143 | 144 | **Party B Input String (30 bits):** 145 | 146 | ``` 147 | 0 1 1000 00000001 0001 0100 00101101 148 | ``` 149 | 150 | **Combined as:** 151 | 152 | ``` 153 | 0 1 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 0 0 0 0 1 0 1 1 0 1 154 | ``` 155 | 156 | **Party B Input String (30 bits):** 157 | 158 | ``` 159 | 0110000000000100010100010101101 160 | ``` 161 | 162 | **Explanation:** 163 | 164 | - **Total bits:** 30 165 | - **Commitment Bit (Bit 1):** `1` (Correct) 166 | - **Commitment Overlap Condition Fails**: Expected output is **False (0)**. 167 | 168 | --- 169 | 170 | ## Test Case 5: Both Parties Are Candidates 171 | 172 | **Expected Output:** **False (0)** 173 | 174 | **Changes:** 175 | 176 | - **Party A Position:** `0` (Candidate) 177 | 178 | **Party A Input String (30 bits):** 179 | 180 | ``` 181 | 0 0 1000 00000001 0001 0100 00110010 182 | ``` 183 | 184 | **Combined as:** 185 | 186 | ``` 187 | 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 0 0 0 0 1 1 0 0 1 0 188 | ``` 189 | 190 | **Party A Input String (30 bits):** 191 | 192 | ``` 193 | 001000000000010001010001100010 194 | ``` 195 | 196 | **Explanation:** 197 | 198 | - **Total bits:** 30 199 | - **Position Bit (Bit 0):** `0` (Correct) 200 | - **Position Compatibility Condition Fails**: Expected output is **False (0)**. 201 | 202 | --- 203 | 204 | ## Test Case 6: Interest Mismatch 205 | 206 | **Expected Output:** **False (0)** 207 | 208 | **Changes from Test Case 1:** 209 | 210 | - **Party B Interests:** `0010` (Interest 1) 211 | 212 | **Party B Input String (30 bits):** 213 | 214 | ``` 215 | 0 0 1000 00000001 0010 0100 00101101 216 | ``` 217 | 218 | **Combined as:** 219 | 220 | ``` 221 | 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 1 0 1 1 0 1 222 | ``` 223 | 224 | **Party B Input String (30 bits):** 225 | 226 | ``` 227 | 0010000000000010010100010101101 228 | ``` 229 | 230 | **Explanation:** 231 | 232 | - **Total bits:** 30 233 | - **Interests Bits (Bits 14-17):** `0 0 1 0` (Correct) 234 | - **Interest Overlap Condition Fails**: Expected output is **False (0)**. 235 | 236 | --- 237 | 238 | ## Test Case 7: Company Stage Mismatch 239 | 240 | **Expected Output:** **False (0)** 241 | 242 | **Changes from Test Case 1:** 243 | 244 | - **Party B Company Stage:** `0010` (Stage 1) 245 | 246 | **Party B Input String (30 bits):** 247 | 248 | ``` 249 | 0 0 1000 00000001 0001 0010 00101101 250 | ``` 251 | 252 | **Combined as:** 253 | 254 | ``` 255 | 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 0 0 1 0 1 1 0 1 256 | ``` 257 | 258 | **Party B Input String (30 bits):** 259 | 260 | ``` 261 | 0010000000000100000100010101101 262 | ``` 263 | 264 | **Explanation:** 265 | 266 | - **Total bits:** 30 267 | - **Company Stage Bits (Bits 18-21):** `0 0 1 0` (Correct) 268 | - **Company Stage Overlap Fails**: Expected output is **False (0)**. 269 | 270 | --- 271 | 272 | ## Test Case 8: Experience Mismatch 273 | 274 | **Expected Output:** **False (0)** 275 | 276 | **Changes from Test Case 1:** 277 | 278 | - **Party B Experience:** `00010000` (Field 4) 279 | 280 | **Party B Input String (30 bits):** 281 | 282 | ``` 283 | 0 0 1000 00010000 0001 0100 00101101 284 | ``` 285 | 286 | **Combined as:** 287 | 288 | ``` 289 | 0 0 1 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 1 0 1 0 0 0 1 0 1 1 0 1 290 | ``` 291 | 292 | **Party B Input String (30 bits):** 293 | 294 | ``` 295 | 0010000010000000010100010101101 296 | ``` 297 | 298 | **Explanation:** 299 | 300 | - **Total bits:** 30 301 | - **Experience Bits (Bits 6-13):** `0 0 0 1 0 0 0 0` (Correct) 302 | - **Experience Match Condition Fails**: Expected output is **False (0)**. 303 | 304 | --- 305 | 306 | ## Test Case 9: Multiple Criteria Fail 307 | 308 | **Expected Output:** **False (0)** 309 | 310 | **Party B Inputs:** 311 | 312 | - **Position:** `0` (Candidate) 313 | - **Commitment:** `1` (Part-time) 314 | - **Education:** `0 1 0 0` (Associate's degree) 315 | - **Experience:** `0 0 0 1 0 0 0 0` (Field 4) 316 | - **Interests:** `0 1 0 0` (Interest 2) 317 | - **Company Stage:** `0 0 1 0` (Stage 1) 318 | - **Salary:** `60` (Desires $60,000) 319 | - Salary in binary: `00111100` 320 | 321 | **Party B Input String (30 bits):** 322 | 323 | ``` 324 | 0 1 0100 00010000 0100 0010 00111100 325 | ``` 326 | 327 | **Combined as:** 328 | 329 | ``` 330 | 0 1 0 1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 1 0 0 0 1 1 1 1 1 0 0 331 | ``` 332 | 333 | **Party B Input String (30 bits):** 334 | 335 | ``` 336 | 010100000100010001001001111100 337 | ``` 338 | 339 | (Note: Corrected to have 30 bits.) 340 | 341 | **Explanation:** 342 | 343 | - **Total bits:** 30 344 | - **Multiple Conditions Fail**: 345 | - **Commitment Mismatch** 346 | - **Education Mismatch** 347 | - **Experience Mismatch** 348 | - **Interest Mismatch** 349 | - **Company Stage Mismatch** 350 | - **Salary Mismatch** 351 | - Expected output is **False (0)**. 352 | 353 | --- 354 | 355 | ## Test Case 10: Candidate Is a Recruiter 356 | 357 | **Expected Output:** **False (0)** 358 | 359 | **Changes from Test Case 1:** 360 | 361 | - **Party B Position:** `1` (Recruiter) 362 | 363 | **Party B Input String (30 bits):** 364 | 365 | ``` 366 | 1 0 1000 00000001 0001 0100 00101101 367 | ``` 368 | 369 | **Combined as:** 370 | 371 | ``` 372 | 1 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 0 0 0 0 1 0 1 1 0 1 373 | ``` 374 | 375 | **Party B Input String (30 bits):** 376 | 377 | ``` 378 | 1010000000000100010100010101101 379 | ``` 380 | 381 | **Explanation:** 382 | 383 | - **Total bits:** 30 384 | - **Position Bit (Bit 0):** `1` (Correct) 385 | - **Position Compatibility Condition Fails**: Expected output is **False (0)**. 386 | 387 | --- 388 | 389 | # Notes and Corrections 390 | 391 | - **Leading Zeros:** In previous responses, some salary values might have missed leading zeros, causing the input strings to be less than 30 bits. I've corrected this by ensuring all 8 bits for salary are included with leading zeros where necessary. 392 | - **Input Strings Formatting:** I've restructured the input strings to clearly show the separation between different fields and to make counting bits easier. 393 | 394 | - **Consistency:** For each test case: 395 | 396 | - **Total Bits:** Verified that **each input string is exactly 30 bits long**. 397 | - **Bit Assignments:** Ensured that bits are assigned correctly according to the specified positions. 398 | - **Corrected Input Strings:** Adjusted any input strings that were previously missing bits or had incorrect bit counts. 399 | 400 | - **Combined Input Strings:** After combining the bits, I provided the input strings both as separated bits and as concatenated strings for clarity. 401 | -------------------------------------------------------------------------------- /laconic/src/laconic_ot.rs: -------------------------------------------------------------------------------- 1 | use std::sync::mpsc::Receiver; 2 | 3 | use crate::kzg_utils::plain_kzg_com; 4 | use crate::{kzg_fk_open::all_openings_single, kzg_types::CommitmentKey}; 5 | 6 | use ark_ec::pairing::{Pairing, PairingOutput}; 7 | use ark_ec::Group; 8 | use ark_ff::BigInteger; 9 | use ark_ff::CyclotomicMultSubgroup; 10 | use ark_ff::PrimeField; 11 | use ark_poly::{EvaluationDomain, Radix2EvaluationDomain}; 12 | use ark_serialize::{CanonicalDeserialize, CanonicalSerialize}; 13 | use ark_std::One; 14 | use ark_std::UniformRand; 15 | use ark_std::Zero; 16 | use rand::Rng; 17 | use serde::{Deserialize, Serialize}; 18 | use wasm_bindgen::prelude::*; 19 | 20 | pub const MSG_SIZE: usize = 16; 21 | 22 | #[derive(Clone, Copy, Debug)] 23 | pub struct Msg { 24 | h: [(E::G2Affine, [u8; MSG_SIZE]); 2], 25 | } 26 | 27 | pub struct LaconicOT> { 28 | ck: CommitmentKey, 29 | } 30 | 31 | #[derive(Serialize, Deserialize)] 32 | struct LaconicOTRecvData { 33 | qs: Vec>, 34 | com: Vec, 35 | bits: Vec, 36 | } 37 | 38 | pub struct LaconicOTRecv<'a, E: Pairing, D: EvaluationDomain> { 39 | ck: &'a CommitmentKey, 40 | qs: Vec, 41 | com: E::G1, 42 | bits: Vec, 43 | } 44 | 45 | pub struct LaconicOTSender<'a, E: Pairing, D: EvaluationDomain> { 46 | ck: &'a CommitmentKey, 47 | com: E::G1, 48 | } 49 | 50 | impl<'a, E: Pairing, D: EvaluationDomain> LaconicOTRecv<'a, E, D> { 51 | pub fn new(ck: &'a CommitmentKey, bits: &[bool]) -> Self { 52 | let mut elems: Vec<_> = bits 53 | .iter() 54 | .map(|b| { 55 | if *b { 56 | E::ScalarField::one() 57 | } else { 58 | E::ScalarField::zero() 59 | } 60 | }) 61 | .collect(); 62 | 63 | // pad with random elements 64 | assert!(elems.len() <= ck.domain.size()); 65 | elems.resize_with(ck.domain.size(), || { 66 | E::ScalarField::rand(&mut rand::thread_rng()) 67 | }); 68 | 69 | // compute commitment 70 | let com = plain_kzg_com(ck, &elems); 71 | 72 | // compute all openings 73 | let qs = all_openings_single::(&ck.y, &ck.domain, &elems); 74 | 75 | Self { 76 | ck, 77 | qs, 78 | com: com.into(), 79 | bits: bits.to_vec(), 80 | } 81 | } 82 | 83 | pub fn recv(&self, i: usize, msg: Msg) -> [u8; MSG_SIZE] { 84 | let j: usize = if self.bits[i] { 1 } else { 0 }; 85 | let h = msg.h[j].0; 86 | let c = msg.h[j].1; 87 | let m = E::pairing(self.qs[i], h); 88 | decrypt::(m.0, &c) 89 | } 90 | 91 | pub fn commitment(&self) -> E::G1 { 92 | self.com 93 | } 94 | 95 | pub fn serialize(&self) -> Vec { 96 | let data: LaconicOTRecvData = LaconicOTRecvData { 97 | qs: self 98 | .qs 99 | .iter() 100 | .map(|q| { 101 | let mut bytes = Vec::new(); 102 | q.serialize_uncompressed(&mut bytes).unwrap(); 103 | bytes 104 | }) 105 | .collect(), 106 | com: { 107 | let mut bytes = Vec::new(); 108 | self.com.serialize_uncompressed(&mut bytes).unwrap(); 109 | bytes 110 | }, 111 | bits: self.bits.clone(), 112 | }; 113 | serde_json::to_vec(&data).unwrap() 114 | } 115 | 116 | pub fn deserialize(data: &[u8], ck: &'a CommitmentKey) -> Self { 117 | let recv_data: LaconicOTRecvData = serde_json::from_slice(data).unwrap(); 118 | let qs = recv_data 119 | .qs 120 | .iter() 121 | .map(|q_bytes| { 122 | ::G1::deserialize_uncompressed(q_bytes.as_slice()) 123 | .expect("Failed to deserialize G1 point") 124 | }) 125 | .collect(); 126 | 127 | let com = ::G1::deserialize_uncompressed(recv_data.com.as_slice()) 128 | .expect("Failed to deserialize commitment"); 129 | 130 | LaconicOTRecv { 131 | ck, 132 | qs, 133 | com, 134 | bits: recv_data.bits, 135 | } 136 | } 137 | } 138 | 139 | fn encrypt(pad: E::TargetField, msg: &[u8; N]) -> [u8; N] { 140 | // hash the pad 141 | let mut hsh = blake3::Hasher::new(); 142 | pad.serialize_uncompressed(&mut hsh).unwrap(); 143 | 144 | // xor the message with the pad 145 | let mut xof = hsh.finalize_xof(); 146 | let mut res = [0u8; N]; 147 | xof.fill(&mut res); 148 | 149 | for i in 0..N { 150 | res[i] ^= msg[i]; 151 | } 152 | res 153 | } 154 | 155 | fn decrypt(pad: E::TargetField, ct: &[u8; N]) -> [u8; N] { 156 | encrypt::(pad, ct) 157 | } 158 | 159 | impl<'a, E: Pairing, D: EvaluationDomain> LaconicOTSender<'a, E, D> { 160 | pub fn new(ck: &'a CommitmentKey, com: E::G1) -> Self { 161 | Self { ck, com } 162 | } 163 | 164 | pub fn send_precompute_squares( 165 | &self, 166 | rng: &mut R, 167 | i: usize, 168 | m0: [u8; MSG_SIZE], 169 | m1: [u8; MSG_SIZE], 170 | com0_squares: &[PairingOutput], 171 | com1_squares: &[PairingOutput], 172 | ) -> Msg { 173 | let x = self.ck.domain.element(i); 174 | let r0 = E::ScalarField::rand(rng); 175 | let r1 = E::ScalarField::rand(rng); 176 | 177 | let g2 = self.ck.g2; 178 | let tau = self.ck.r; 179 | 180 | // Compute msk0 and msk1 using the precomputed squares 181 | let msk0 = self.scalar_mul_with_precomputed_squares(com0_squares, r0); 182 | let msk1 = self.scalar_mul_with_precomputed_squares(com1_squares, r1); 183 | 184 | // h0, h1 185 | let g2x = g2 * x; 186 | let cm: E::G2 = Into::::into(tau) - g2x; 187 | let h0: E::G2 = cm * r0; 188 | let h1: E::G2 = cm * r1; 189 | 190 | // encapsulate the messages 191 | Msg { 192 | h: [ 193 | (h0.into(), encrypt::(msk0.0, &m0)), 194 | (h1.into(), encrypt::(msk1.0, &m1)), 195 | ], 196 | } 197 | } 198 | 199 | pub fn send_precompute_naf( 200 | &self, 201 | rng: &mut R, 202 | i: usize, 203 | m0: [u8; MSG_SIZE], 204 | m1: [u8; MSG_SIZE], 205 | com0_precomp: &[(PairingOutput, PairingOutput)], 206 | com1_precomp: &[(PairingOutput, PairingOutput)], 207 | ) -> Msg { 208 | let x = self.ck.domain.element(i); 209 | let r0 = E::ScalarField::rand(rng); 210 | let r1 = E::ScalarField::rand(rng); 211 | 212 | let g2 = self.ck.g2; 213 | let tau = self.ck.r; 214 | 215 | // Compute msk0 and msk1 using the precomputed squares 216 | let msk0 = self.scalar_mul_with_precomputed_naf(com0_precomp, r0); 217 | let msk1 = self.scalar_mul_with_precomputed_naf(com1_precomp, r1); 218 | 219 | // h0, h1 220 | let g2x = g2 * x; 221 | let cm: E::G2 = Into::::into(tau) - g2x; 222 | let h0: E::G2 = cm * r0; 223 | let h1: E::G2 = cm * r1; 224 | 225 | // encapsulate the messages 226 | Msg { 227 | h: [ 228 | (h0.into(), encrypt::(msk0.0, &m0)), 229 | (h1.into(), encrypt::(msk1.0, &m1)), 230 | ], 231 | } 232 | } 233 | 234 | pub fn send_precompute_pairings( 235 | &self, 236 | rng: &mut R, 237 | i: usize, 238 | m0: [u8; MSG_SIZE], 239 | m1: [u8; MSG_SIZE], 240 | com0: PairingOutput, 241 | com1: PairingOutput, 242 | ) -> Msg { 243 | let x = self.ck.domain.element(i); 244 | let r0 = E::ScalarField::rand(rng); 245 | let r1 = E::ScalarField::rand(rng); 246 | 247 | let g2 = self.ck.g2; 248 | let tau = self.ck.r; 249 | 250 | // m0, m1 251 | let msk0 = com0 * r0; 252 | let msk1 = com1 * r1; 253 | 254 | // h0, h1 255 | let cm = Into::::into(tau) - g2 * x; 256 | let h0: E::G2 = cm * r0; 257 | let h1: E::G2 = cm * r1; 258 | 259 | // encapsulate the messages 260 | Msg { 261 | h: [ 262 | (h0.into(), encrypt::(msk0.0, &m0)), 263 | (h1.into(), encrypt::(msk1.0, &m1)), 264 | ], 265 | } 266 | } 267 | 268 | pub fn send( 269 | &self, 270 | rng: &mut R, 271 | i: usize, 272 | m0: [u8; MSG_SIZE], 273 | m1: [u8; MSG_SIZE], 274 | ) -> Msg { 275 | let x = self.ck.domain.element(i); 276 | let r0 = E::ScalarField::rand(rng); 277 | let r1 = E::ScalarField::rand(rng); 278 | 279 | let g1 = self.ck.u[0]; 280 | let g2 = self.ck.g2; 281 | let tau = self.ck.r; 282 | 283 | // y = 0/1 284 | let l0 = self.com * r0; // r * (c - [y]) 285 | let l1 = (self.com - g1) * r1; // r * (c - [y]) 286 | 287 | // m0, m1 288 | let msk0 = E::pairing(l0, self.ck.g2); 289 | let msk1 = E::pairing(l1, self.ck.g2); 290 | 291 | // h0, h1 292 | let cm = Into::::into(tau) - g2 * x; 293 | let h0: E::G2 = cm * r0; 294 | let h1: E::G2 = cm * r1; 295 | 296 | // encapsulate the messages 297 | Msg { 298 | h: [ 299 | (h0.into(), encrypt::(msk0.0, &m0)), 300 | (h1.into(), encrypt::(msk1.0, &m1)), 301 | ], 302 | } 303 | } 304 | 305 | fn scalar_mul_with_precomputed_squares( 306 | &self, 307 | precomp: &[PairingOutput], 308 | scalar: E::ScalarField, 309 | ) -> PairingOutput { 310 | let mut result = PairingOutput::::zero(); 311 | 312 | for (i, num) in scalar.into_bigint().to_bits_le().iter().enumerate() { 313 | if *num { 314 | result += precomp[i]; 315 | } 316 | } 317 | result 318 | } 319 | 320 | fn scalar_mul_with_precomputed_naf( 321 | &self, 322 | precomp: &[(PairingOutput, PairingOutput)], 323 | scalar: E::ScalarField, 324 | ) -> PairingOutput { 325 | let mut result = PairingOutput::::zero(); 326 | 327 | for (i, num) in scalar 328 | .into_bigint() 329 | .find_wnaf(2) 330 | .unwrap() 331 | .iter() 332 | .enumerate() 333 | { 334 | if *num == 1 { 335 | result += precomp[i].0; 336 | } else if *num == -1 { 337 | result += precomp[i].1; 338 | } 339 | } 340 | result 341 | } 342 | } 343 | 344 | #[test] 345 | fn test_laconic_ot() { 346 | use ark_bls12_381::{Bls12_381, Fr}; 347 | use ark_std::test_rng; 348 | 349 | let rng = &mut test_rng(); 350 | 351 | let degree = 4; 352 | let ck = CommitmentKey::>::setup(rng, degree).unwrap(); 353 | 354 | let receiver = LaconicOTRecv::new(&ck, &[false, true, false, true]); 355 | let sender = LaconicOTSender::new(&ck, receiver.commitment()); 356 | 357 | let m0 = [0u8; MSG_SIZE]; 358 | let m1 = [1u8; MSG_SIZE]; 359 | 360 | // precompute pairing 361 | let l0 = receiver.commitment(); 362 | let l1 = receiver.commitment() - sender.ck.u[0]; 363 | 364 | // m0, m1 365 | let com0 = Bls12_381::pairing(l0, receiver.ck.g2); 366 | let com1 = Bls12_381::pairing(l1, receiver.ck.g2); 367 | 368 | // test normal send 369 | let msg = sender.send(rng, 0, m0, m1); 370 | let res = receiver.recv(0, msg); 371 | assert_eq!(res, m0); 372 | 373 | // test without precomputation 374 | let msg = sender.send_precompute_pairings(rng, 1, m0, m1, com0, com1); 375 | let res = receiver.recv(1, msg); 376 | assert_eq!(res, m1); 377 | 378 | // precompute naf data 379 | let mut com0_precomp = vec![(com0, -com0)]; 380 | let mut com1_precomp = vec![(com1, -com1)]; 381 | let mut com0_squares = vec![com0]; 382 | let mut com1_squares = vec![com1]; 383 | for _ in 1..381 { 384 | let com0_square = *com0_precomp.last().unwrap().0.clone().double_in_place(); 385 | let com1_square = *com1_precomp.last().unwrap().0.clone().double_in_place(); 386 | let com0_square_inv = *com0_precomp.last().unwrap().1.clone().double_in_place(); 387 | let com1_square_inv = *com1_precomp.last().unwrap().1.clone().double_in_place(); 388 | com0_squares.push(com0_square); 389 | com1_squares.push(com1_square); 390 | com0_precomp.push((com0_square, com0_square_inv)); 391 | com1_precomp.push((com1_square, com1_square_inv)); 392 | } 393 | 394 | // test with precompute squares 395 | let msg = sender.send_precompute_squares(rng, 2, m0, m1, &com0_squares, &com1_squares); 396 | let res = receiver.recv(2, msg); 397 | assert_eq!(res, m0); 398 | 399 | // test with precompute naf 400 | let msg = sender.send_precompute_naf(rng, 3, m0, m1, &com0_precomp, &com1_precomp); 401 | let res = receiver.recv(3, msg); 402 | assert_eq!(res, m1); 403 | } 404 | 405 | #[test] 406 | fn test_serialize_deserialize() { 407 | use ark_bls12_381::{Bls12_381, Fr}; 408 | use ark_std::test_rng; 409 | 410 | let rng = &mut test_rng(); 411 | 412 | let degree = 4; 413 | let ck = CommitmentKey::>::setup(rng, degree).unwrap(); 414 | 415 | let receiver = LaconicOTRecv::new(&ck, &[false, true, false, true]); 416 | 417 | // Serialize the receiver 418 | let serialized = receiver.serialize(); 419 | 420 | // Deserialize the receiver 421 | let deserialized_receiver = LaconicOTRecv::deserialize(&serialized, &ck); 422 | 423 | // Check that the deserialized receiver matches the original 424 | assert_eq!(receiver.bits, deserialized_receiver.bits); 425 | assert_eq!(receiver.com, deserialized_receiver.com); 426 | assert_eq!(receiver.qs, deserialized_receiver.qs); 427 | } 428 | -------------------------------------------------------------------------------- /laconic/src/kzg_utils.rs: -------------------------------------------------------------------------------- 1 | use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup, VariableBaseMSM}; 2 | use ark_ff::{batch_inversion, Field}; 3 | use ark_poly::{EvaluationDomain, Polynomial}; 4 | use ark_serialize::CanonicalSerialize; 5 | use ark_std::{One, Zero}; 6 | use std::ops::Mul; 7 | 8 | use crate::kzg_types::{Commitment, CommitmentKey, Opening}; 9 | 10 | // This module contains helper functions for the Simulation Extractable KZG Vector commitment 11 | 12 | /// Standard KZG verification. Verifies that f(z) = y 13 | #[inline] 14 | pub fn plain_kzg_verify>( 15 | ck: &CommitmentKey, 16 | com_kzg: &E::G1Affine, 17 | z: E::ScalarField, 18 | y: E::ScalarField, 19 | tau: &Opening, 20 | ) -> bool { 21 | // check e(com*g1^{-y}*h^{-hat_y},g2) == e(v,r*g2^{-z}) 22 | let mut lhs_left = com_kzg.into_group(); 23 | lhs_left -= ck.u[0].mul(y); 24 | let rhs_right = ck.r.into_group() - ck.g2.mul(z); 25 | // Naive Implementation: 26 | // let lhs = E::pairing(lhs_left, ck.g2); 27 | // let rhs = E::pairing(tau.v, rhs_right); 28 | // lhs == rhs 29 | // We can do it slightly faster: 30 | let left = vec![E::G1Prepared::from(-lhs_left), E::G1Prepared::from(tau.v)]; 31 | let right = vec![E::G2Prepared::from(ck.g2), E::G2Prepared::from(rhs_right)]; 32 | let q = E::multi_pairing(left, right); 33 | q.is_zero() 34 | } 35 | 36 | /// Standard KZG verification. Verifies that f(z) = y, 37 | /// but assumes that z = domain.element(i) 38 | #[inline] 39 | pub fn plain_kzg_verify_inside>( 40 | ck: &CommitmentKey, 41 | i: usize, 42 | com_kzg: &E::G1Affine, 43 | y: E::ScalarField, 44 | tau: &Opening, 45 | ) -> bool { 46 | // check e(com*g1^{-y}*h^{-hat_y0},g2) == e(v0,r*g2^{-z0}) 47 | let mut lhs_left = com_kzg.into_group(); 48 | lhs_left -= ck.u[0].mul(y); 49 | // Naive Implementation: 50 | // let lhs = E::pairing(lhs_left, ck.g2); 51 | // let rhs = E::pairing(tau.v, ck.d[i]); 52 | // lhs == rhs 53 | // We can do it slightly faster: 54 | let left = vec![E::G1Prepared::from(-lhs_left), E::G1Prepared::from(tau.v)]; 55 | let right = vec![E::G2Prepared::from(ck.g2), E::G2Prepared::from(ck.d[i])]; 56 | let q = E::multi_pairing(left, right); 57 | q.is_zero() 58 | } 59 | 60 | /// Compute a KZG commitment for the given vector of evaluations 61 | #[inline] 62 | pub fn plain_kzg_com>( 63 | ck: &CommitmentKey, 64 | evals: &[E::ScalarField], 65 | ) -> E::G1Affine { 66 | assert_eq!(evals.len(), ck.lagranges.len()); 67 | let c = ::msm(&ck.lagranges, evals).unwrap(); 68 | c.into_affine() 69 | } 70 | 71 | /// Check if the given element is in the evaluation domain 72 | /// and if so, return the index of it. Otherwise, return None 73 | #[inline] 74 | pub fn find_in_domain>( 75 | domain: &D, 76 | z: E::ScalarField, 77 | ) -> Option { 78 | if domain.vanishing_polynomial().evaluate(&z) == E::ScalarField::zero() { 79 | // this should happen with negl prob. 80 | let mut y = None; 81 | for i in 0..domain.size() { 82 | if z == domain.element(i) { 83 | y = Some(i); 84 | } 85 | } 86 | y 87 | } else { 88 | None 89 | } 90 | } 91 | 92 | /// Compute the evaluation form of the KZG witness polynomial 93 | /// psi = (f - f(w_i)) / (X - w_i) when f is given in evaluation form 94 | /// Note: This assumes that w_i is the ith element of the domain 95 | /// The evaluation form is appended to the given vector witn_evals 96 | /// that is, the jth pushed element is psi(w_j) 97 | #[inline] 98 | pub fn witness_evals_inside>( 99 | domain: &D, 100 | evals: &[E::ScalarField], 101 | i: usize, 102 | witn_evals: &mut Vec, 103 | ) { 104 | // need that later for index calculation 105 | let oldsize = witn_evals.len(); 106 | 107 | // let x_j denote the elements of the evaluation domain 108 | // then for each j != i, we can compute the evaluation 109 | // as in witness_evals_outside, 110 | // namely, as (evals[j] - evals[i]) / (x_j-x_i) 111 | // for that, we first compute all 112 | // denominators we need using batch inversion 113 | let fxi = evals[i]; 114 | let xi = domain.element(i); 115 | let mut nums = Vec::new(); 116 | let mut denoms = Vec::new(); 117 | for j in 0..domain.size() { 118 | // f(x_j) - f(x_i) 119 | nums.push(evals[j] - fxi); 120 | // x_j-x_i 121 | denoms.push(domain.element(j) - xi); 122 | } 123 | // now, denoms[i] = 0. So let's set it to 1 124 | // to make batch inversion possible 125 | denoms[i] = E::ScalarField::one(); 126 | batch_inversion(&mut denoms); 127 | for j in 0..domain.size() { 128 | witn_evals.push(nums[j] * denoms[j]); 129 | } 130 | // now witn_evals is correctly computed for all j!=i. 131 | // whats left is to compute the ith evaluation properly 132 | // https://dankradfeist.de/ethereum/2021/06/18/pcs-multiproofs.html 133 | witn_evals[oldsize + i] = { 134 | let mut sum = E::ScalarField::zero(); 135 | for j in 0..domain.size() { 136 | if j == i { 137 | continue; 138 | } 139 | let mut term = nums[j] * (-denoms[j]); 140 | let d = domain.size(); 141 | let exponent = (j as isize) - (i as isize); 142 | let exponent = ((exponent + d as isize) as usize) % d; 143 | term *= domain.element(exponent); 144 | sum += term; 145 | } 146 | sum 147 | }; 148 | } 149 | 150 | /// computes the vector of all 1/(domain[i]-z) 151 | /// Assumes that z is not in domain 152 | #[inline] 153 | pub fn inv_diffs>( 154 | domain: &D, 155 | z: E::ScalarField, 156 | ) -> Vec { 157 | // we use batch inversion for the denominators 158 | let mut inv_diffs = Vec::with_capacity(domain.size()); 159 | for i in 0..domain.size() { 160 | inv_diffs.push(domain.element(i) - z); 161 | } 162 | batch_inversion(&mut inv_diffs); 163 | inv_diffs 164 | } 165 | 166 | /// Compute the evaluation form of the KZG witness polynomial 167 | /// Evaluation form will be pushed to the vector witn_evals 168 | /// ith pushed element is (f(domain[i]) - f(z)) / (domain[i] - z) 169 | /// where i ranges from 0 to domain.size() 170 | /// Assumes inv_diffs[i] = 1/(domain[i]-z) for i in 0..domain.size() 171 | #[inline] 172 | pub fn witness_evals_outside>( 173 | domain: &D, 174 | evals: &[E::ScalarField], 175 | fz: E::ScalarField, 176 | inv_diffs: &[E::ScalarField], 177 | witn_evals: &mut Vec, 178 | ) { 179 | // witn_evals[i] = (evals[i] - fz) / (domain[i]-z) 180 | for i in 0..domain.size() { 181 | let num = evals[i] - fz; 182 | witn_evals.push(num * inv_diffs[i]); 183 | } 184 | } 185 | 186 | /// Evaluate the polynomial given by the evaluations evals over domain at z 187 | /// Assumes that inv_diffs[i] = 1/(domain[i]-z) 188 | /// Note: This assumes that z is not in the evaluation domain 189 | #[inline] 190 | pub fn evaluate_outside>( 191 | domain: &D, 192 | evals: &[E::ScalarField], 193 | z: E::ScalarField, 194 | inv_diffs: &[E::ScalarField], 195 | ) -> E::ScalarField { 196 | // formula taken from https://dankradfeist.de/ethereum/2021/06/18/pcs-multiproofs.html 197 | // f(z) = {z^d-1}/d * sum_i (f_i * {w^i}/{z-w^i}), where d is the size of the domain 198 | let nom = domain.vanishing_polynomial().evaluate(&z); 199 | let factor = nom / domain.size_as_field_element(); 200 | let mut sum = E::ScalarField::zero(); 201 | for i in 0..domain.size() { 202 | let term = -domain.element(i) * inv_diffs[i]; 203 | sum += evals[i] * term; 204 | } 205 | factor * sum 206 | } 207 | 208 | #[cfg(test)] 209 | mod tests { 210 | use ark_bls12_381::Bls12_381; 211 | use ark_ec::pairing::Pairing; 212 | use ark_ec::CurveGroup; 213 | use ark_poly::univariate::DensePolynomial; 214 | use ark_poly::{DenseUVPolynomial, Radix2EvaluationDomain}; 215 | use ark_poly::{EvaluationDomain, Evaluations, Polynomial}; 216 | use ark_std::One; 217 | use ark_std::UniformRand; 218 | 219 | use super::{ 220 | evaluate_outside, find_in_domain, inv_diffs, witness_evals_inside, witness_evals_outside, 221 | }; 222 | 223 | type F = ::ScalarField; 224 | type D = Radix2EvaluationDomain; 225 | 226 | /// test function find_in_domain 227 | #[test] 228 | fn test_find_in_domain() { 229 | let mut rng = ark_std::rand::thread_rng(); 230 | let degree = 15; 231 | let domain = D::new(degree + 1).unwrap(); 232 | let runs = 20; 233 | for _ in 0..runs { 234 | // check that it returns None 235 | // for element outside of domain 236 | let z = domain.sample_element_outside_domain(&mut rng); 237 | assert!(find_in_domain::(&domain, z).is_none()); 238 | } 239 | // check that it returns the right 240 | // index for all elements in domain 241 | for i in 0..domain.size() { 242 | let fi = find_in_domain::(&domain, domain.element(i)); 243 | assert!(fi.is_some()); 244 | let j = fi.unwrap(); 245 | assert_eq!(i, j); 246 | } 247 | } 248 | 249 | /// test function witness_evals_inside 250 | #[test] 251 | fn test_witness_evals_inside() { 252 | let mut rng = ark_std::rand::thread_rng(); 253 | let degree = 15; 254 | let domain = D::new(degree + 1).unwrap(); 255 | let runs = 10; 256 | for _ in 0..runs { 257 | // sample a random polynomial 258 | let f = DensePolynomial::rand(domain.size() - 1, &mut rng); 259 | // evaluate the polynomial on the domain 260 | let evals = domain.fft(&f.coeffs); 261 | // test that witness_evals_inside works properly over the entire domain 262 | for i in 0..domain.size() { 263 | let z = domain.element(i); 264 | // compute the witness polynomial by long division 265 | let fshift = &f - &DensePolynomial::from_coefficients_vec(vec![evals[i]]); 266 | let div = DensePolynomial::from_coefficients_vec(vec![-z, F::one()]); 267 | let witness_poly = &fshift / ÷ 268 | let witn_evals_expected = domain.fft(&witness_poly.coeffs); 269 | // compare with what we get from our function 270 | let mut witn_evals = Vec::new(); 271 | witness_evals_inside::(&domain, &evals, i, &mut witn_evals); 272 | for i in 0..domain.size() { 273 | assert_eq!(witn_evals[i], witn_evals_expected[i]); 274 | } 275 | } 276 | } 277 | } 278 | 279 | /// test function inv_diffs 280 | #[test] 281 | fn test_inv_diffs() { 282 | let mut rng = ark_std::rand::thread_rng(); 283 | let degree = 15; 284 | let domain = D::new(degree + 1).unwrap(); 285 | let runs = 10; 286 | for _ in 0..runs { 287 | // sample an element outside the domain 288 | let z = domain.sample_element_outside_domain(&mut rng); 289 | // compute its inverse differences 290 | let inv_diffs = inv_diffs::(&domain, z); 291 | // check that each element is really the inverse 292 | for i in 0..domain.size() { 293 | let diff = domain.element(i) - z; 294 | let prod = diff * inv_diffs[i]; 295 | assert_eq!(prod, F::one()); 296 | } 297 | } 298 | } 299 | 300 | /// test function witness_evals_outside 301 | #[test] 302 | fn test_witness_evals_outside() { 303 | let mut rng = ark_std::rand::thread_rng(); 304 | let degree = 15; 305 | let domain = D::new(degree + 1).unwrap(); 306 | let runs = 10; 307 | for _ in 0..runs { 308 | // sample a random polynomial by sampling coefficients 309 | let f = DensePolynomial::rand(domain.size() - 1, &mut rng); 310 | // evaluate the polynomial on the domain 311 | let evals: Vec = domain.fft(&f.coeffs); 312 | // do a few tests with this polynomial 313 | for _ in 0..runs { 314 | // sample a random point outside the domain 315 | let z = domain.sample_element_outside_domain(&mut rng); 316 | let inv_diffs = inv_diffs::(&domain, z); 317 | let fz = f.evaluate(&z); 318 | let fshift = &f - &DensePolynomial::from_coefficients_vec(vec![fz]); 319 | // compute the witness polynomial by long division 320 | let div = DensePolynomial::from_coefficients_vec(vec![-z, F::one()]); 321 | let witness_poly = &fshift / ÷ 322 | let witn_evals_expected = domain.fft(&witness_poly.coeffs); 323 | // compare with what we get from our function 324 | let mut witn_evals = Vec::new(); 325 | witness_evals_outside::( 326 | &domain, 327 | &evals, 328 | fz, 329 | &inv_diffs, 330 | &mut witn_evals, 331 | ); 332 | for i in 0..domain.size() { 333 | assert_eq!(witn_evals[i], witn_evals_expected[i]); 334 | } 335 | } 336 | } 337 | } 338 | 339 | /// test function evaluate_outside 340 | #[test] 341 | fn test_evaluate_outside() { 342 | let mut rng = ark_std::rand::thread_rng(); 343 | let degree = 15; 344 | let domain = D::new(degree + 1).unwrap(); 345 | let runs = 20; 346 | for _ in 0..runs { 347 | // sample a random polynomial by sampling random evaluations 348 | let mut evals = Vec::new(); 349 | for _ in 0..domain.size() { 350 | evals.push(F::rand(&mut rng)); 351 | } 352 | let evals = Evaluations::from_vec_and_domain(evals, domain); 353 | let f = evals.interpolate_by_ref(); 354 | 355 | // sample a bunch of points and 356 | // evaluate the polynomial classically 357 | // and evaluate it using our function 358 | // result should then be the same 359 | // tests will most likely be outside of the domain 360 | for _ in 0..runs { 361 | let z = F::rand(&mut rng); 362 | let expected: F = f.evaluate(&z); 363 | let inv_diffs = inv_diffs::(&domain, z); 364 | let obtained: F = 365 | evaluate_outside::(&domain, &evals.evals, z, &inv_diffs); 366 | assert_eq!(obtained, expected); 367 | } 368 | } 369 | } 370 | } 371 | --------------------------------------------------------------------------------