├── gradle.properties ├── settings.gradle ├── gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── .gitignore ├── src ├── main │ └── kotlin │ │ └── com │ │ └── ing │ │ └── dlt │ │ └── zkkrypto │ │ ├── ecc │ │ ├── ZKHash.kt │ │ ├── EllipticCurvePoint.kt │ │ ├── EllipticCurve.kt │ │ ├── curves │ │ │ ├── BabyJubjub.kt │ │ │ ├── Jubjub.kt │ │ │ ├── AltBabyJubjub.kt │ │ │ └── TwistedEdwardsCurve.kt │ │ ├── poseidon │ │ │ └── PoseidonHash.kt │ │ ├── mimc │ │ │ └── Mimc7Hash.kt │ │ ├── arithmetic │ │ │ └── TwistedEdwardsArithmetic.kt │ │ └── pedersenhash │ │ │ ├── PedersenHash.kt │ │ │ └── Generators.kt │ │ └── util │ │ ├── Extensions.kt │ │ └── BitArray.kt └── test │ └── kotlin │ └── com │ └── ing │ └── dlt │ └── zkkrypto │ └── ecc │ ├── poseidon │ └── PoseidonHashTest.kt │ ├── mimc │ └── Mimc7HashTest.kt │ └── pedersenhash │ ├── PedersenHashTest.kt │ └── TestVectors.kt ├── .github └── workflows │ └── gradle.yml ├── README.md ├── gradlew └── LICENSE /gradle.properties: -------------------------------------------------------------------------------- 1 | kotlin.code.style=official -------------------------------------------------------------------------------- /settings.gradle: -------------------------------------------------------------------------------- 1 | rootProject.name = 'zkkrypto' 2 | 3 | -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ing-bank/zkkrypto/HEAD/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | gradlew.bat 2 | /.gradle 3 | 4 | /.idea 5 | *.iml 6 | 7 | /build 8 | 9 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 10 | hs_err_pid* 11 | 12 | local.properties -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionUrl=https\://services.gradle.org/distributions/gradle-6.1.1-bin.zip 4 | zipStoreBase=GRADLE_USER_HOME 5 | zipStorePath=wrapper/dists 6 | -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/ZKHash.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc 2 | 3 | interface ZKHash { 4 | 5 | /** 6 | * Hash size in bytes 7 | */ 8 | val hashLength: Int 9 | 10 | fun hash(msg: ByteArray): ByteArray 11 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/EllipticCurvePoint.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc 2 | 3 | import java.math.BigInteger 4 | 5 | data class EllipticCurvePoint(val x: BigInteger, val y: BigInteger, val curve: EllipticCurve) { 6 | 7 | fun add(other: EllipticCurvePoint): EllipticCurvePoint = curve.add(this, other) 8 | fun scalarMult(scalar: BigInteger): EllipticCurvePoint = curve.scalarMult(this, scalar) 9 | fun double(): EllipticCurvePoint = curve.double(this) 10 | fun isOnCurve(): Boolean = curve.isOnCurve(this) 11 | 12 | override fun toString(): String { 13 | return "EllipticCurvePoint(x=${x.toString(16)}, y=${y.toString(16)}" 14 | } 15 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/EllipticCurve.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc 2 | 3 | import java.math.BigInteger 4 | 5 | interface EllipticCurve { 6 | 7 | // group order 8 | val R: BigInteger 9 | 10 | // group generator 11 | val FrGenerator: BigInteger 12 | 13 | // order of prime subgroup 14 | val S: BigInteger 15 | 16 | // cofactor 17 | val cofactor: BigInteger 18 | 19 | // identity element 20 | val zero: EllipticCurvePoint 21 | 22 | fun add(a: EllipticCurvePoint, b: EllipticCurvePoint): EllipticCurvePoint 23 | fun scalarMult(p: EllipticCurvePoint, scalar: BigInteger): EllipticCurvePoint 24 | fun double(p: EllipticCurvePoint): EllipticCurvePoint 25 | fun isOnCurve(p: EllipticCurvePoint): Boolean 26 | fun getForY(y: BigInteger, sign: Boolean): EllipticCurvePoint? 27 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/curves/BabyJubjub.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.curves 2 | 3 | import com.ing.dlt.zkkrypto.ecc.EllipticCurvePoint 4 | import java.math.BigInteger 5 | 6 | object BabyJubjub : TwistedEdwardsCurve { 7 | 8 | override val R = BigInteger("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10) 9 | override val S = BigInteger("2736030358979909402780800718157159386076813972158567259200215660948447373041", 10) 10 | override val d: BigInteger = BigInteger.valueOf(168696) 11 | override val a: BigInteger = BigInteger.valueOf(168700) 12 | override val cofactor: BigInteger = BigInteger.valueOf(8) 13 | override val FrGenerator: BigInteger = BigInteger.valueOf(7) 14 | override val zero: EllipticCurvePoint = EllipticCurvePoint(BigInteger.ZERO, BigInteger.ONE, this) 15 | 16 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/curves/Jubjub.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.curves 2 | 3 | import com.ing.dlt.zkkrypto.ecc.EllipticCurvePoint 4 | import java.math.BigInteger 5 | 6 | object Jubjub : TwistedEdwardsCurve { 7 | 8 | override val R = BigInteger("73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001", 16) 9 | override val S = BigInteger("e7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7", 16) 10 | // d = -(10240/10241) 11 | override val d = BigInteger("2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1", 16) 12 | override val a: BigInteger = BigInteger.valueOf(-1) 13 | override val cofactor: BigInteger = BigInteger.valueOf(8) 14 | override val FrGenerator: BigInteger = BigInteger.valueOf(7) 15 | override val zero: EllipticCurvePoint = EllipticCurvePoint(BigInteger.ZERO, BigInteger.ONE, this) 16 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/curves/AltBabyJubjub.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.curves 2 | 3 | import com.ing.dlt.zkkrypto.ecc.EllipticCurvePoint 4 | import java.math.BigInteger 5 | 6 | object AltBabyJubjub : TwistedEdwardsCurve { 7 | 8 | override val R = BigInteger("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10) 9 | override val S = BigInteger("2736030358979909402780800718157159386076813972158567259200215660948447373041", 10) 10 | // d = -(168696/168700) 11 | override val d = BigInteger("12181644023421730124874158521699555681764249180949974110617291017600649128846", 10) 12 | override val a: BigInteger = BigInteger.valueOf(-1) 13 | override val cofactor: BigInteger = BigInteger.valueOf(8) 14 | override val FrGenerator: BigInteger = BigInteger.valueOf(7) 15 | override val zero: EllipticCurvePoint = EllipticCurvePoint(BigInteger.ZERO, BigInteger.ONE, this) 16 | } -------------------------------------------------------------------------------- /.github/workflows/gradle.yml: -------------------------------------------------------------------------------- 1 | # This workflow will build a Java project with Gradle 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle 3 | 4 | name: Build Master 5 | 6 | on: 7 | push: 8 | branches: [ master ] 9 | pull_request: 10 | branches: [ master ] 11 | 12 | jobs: 13 | build: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@v2 17 | 18 | - name: Set up JDK 1.8 19 | uses: actions/setup-java@v1 20 | with: 21 | java-version: 1.8 22 | 23 | - name: Cache Gradle packages 24 | uses: actions/cache@v1 25 | with: 26 | path: ~/.gradle/caches 27 | key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }} 28 | restore-keys: | 29 | ${{ runner.os }}-gradle- 30 | 31 | - name: Build with Gradle 32 | run: ./gradlew build --stacktrace --build-cache 33 | -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/curves/TwistedEdwardsCurve.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.curves 2 | 3 | import com.ing.dlt.zkkrypto.ecc.arithmetic.TwistedEdwardsArithmetic 4 | import com.ing.dlt.zkkrypto.ecc.EllipticCurve 5 | import com.ing.dlt.zkkrypto.ecc.EllipticCurvePoint 6 | import java.math.BigInteger 7 | 8 | /** 9 | * Simple curve that uses solely Twisted Edwards form arithmetics 10 | */ 11 | interface TwistedEdwardsCurve : EllipticCurve { 12 | 13 | val a: BigInteger 14 | val d: BigInteger 15 | 16 | override fun add(a: EllipticCurvePoint, b: EllipticCurvePoint): EllipticCurvePoint = TwistedEdwardsArithmetic.add(a, b) 17 | 18 | override fun scalarMult(p: EllipticCurvePoint, scalar: BigInteger): EllipticCurvePoint = TwistedEdwardsArithmetic.scalarMult(p, scalar) 19 | 20 | override fun double(p: EllipticCurvePoint): EllipticCurvePoint = TwistedEdwardsArithmetic.double(p) 21 | 22 | override fun isOnCurve(p: EllipticCurvePoint): Boolean = TwistedEdwardsArithmetic.isOnCurve(p) 23 | 24 | override fun getForY(y: BigInteger, sign: Boolean): EllipticCurvePoint? = TwistedEdwardsArithmetic.getForY(y, sign, this) 25 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ZKKrypto 2 | 3 | This repository contains cryptographic primitives mostly used in a ZKP context. The goal is to gather a library of ZKP-friendly crypto algorithms written in Kotlin (accessible in Java) in a single place to simplify research and development. 4 | 5 | Currently, following algorithms are implemented: 6 | 7 | - Pedersen hash 8 | - MiMC7 hash 9 | - Poseidon hash 10 | - Edwards curve arithmetic 11 | - Curves: Jubjub, BabyJubjub, AltBabyJubjub 12 | 13 | ### Getting started 14 | 15 | To use zkkrypto as Gradle dependency add Jitpack to the 'repositories' list. 16 | 17 | ``` 18 | repositories { 19 | ... 20 | maven { url 'https://jitpack.io' } 21 | ... 22 | } 23 | ``` 24 | Then you can use zkkrypto package in your dependencies: 25 | ``` 26 | dependencies { 27 | ... 28 | implementation "com.ing.dlt:zkkrypto:{VERSION}" 29 | ... 30 | } 31 | ``` 32 | Done! Now import chosen primitives and knock yourself out. 33 | 34 | ### Work in progress 35 | 36 | We are going to support this repo and to add new algorithms to it. So if you are interested in particular primitives - let us know. Push requests are highly appreciated as well. 37 | 38 | 39 | ### Disclamer 40 | 41 | Code is released under Apache license so feel free to use it wherever you want. 42 | 43 | Although please keep in mind that it comes with absolutely no warranty so before using it in production - please make sure you know what you are doing. 44 | 45 | ### Contacts 46 | 47 | For any questions either create an Issue or just poke somebody from our team directly. E.g.: 48 | 49 | [Alexey Koren](https://www.linkedin.com/in/alexeykoren/ "LinkedIn") 50 | -------------------------------------------------------------------------------- /src/test/kotlin/com/ing/dlt/zkkrypto/ecc/poseidon/PoseidonHashTest.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.poseidon 2 | 3 | import org.junit.jupiter.api.Assertions.assertEquals 4 | import org.junit.jupiter.api.Test 5 | import java.math.BigInteger 6 | 7 | /** 8 | * Tested to be compatible with Iden3 implementation 9 | */ 10 | class PoseidonHashTest { 11 | 12 | @Test 13 | fun testHashing() { 14 | val poseidon = PoseidonHash() 15 | 16 | val b0 = BigInteger.valueOf(0) 17 | val b1 = BigInteger.valueOf(1) 18 | val b2 = BigInteger.valueOf(2) 19 | val b3 = BigInteger.valueOf(3) 20 | val b4 = BigInteger.valueOf(4) 21 | val b5 = BigInteger.valueOf(5) 22 | val b6 = BigInteger.valueOf(6) 23 | 24 | var h = poseidon.hash(listOf(b1)) 25 | 26 | assertEquals("11043376183861534927536506085090418075369306574649619885724436265926427398571", h.toString(10)) 27 | 28 | h = poseidon.hash(listOf(b1, b2)) 29 | 30 | assertEquals("17117985411748610629288516079940078114952304104811071254131751175361957805920", h.toString(10)) 31 | 32 | h = poseidon.hash(listOf(b1, b2, b0, b0, b0)) 33 | 34 | assertEquals("3975478831357328722254985704342968745327876719981393787143845259590563829094", h.toString(10)) 35 | h = poseidon.hash(listOf(b1, b2, b0, b0, b0, b0)) 36 | 37 | assertEquals("19772360636270345724087386688434825760738403416279047262510528378903625000110", h.toString(10)) 38 | 39 | 40 | h = poseidon.hash(listOf(b3, b4, b0, b0, b0)) 41 | 42 | assertEquals("3181200837746671699652342497997860344148947482942465819251904554707352676086", h.toString(10)) 43 | h = poseidon.hash(listOf(b3, b4, b0, b0, b0, b0)) 44 | 45 | assertEquals("8386348873272147968934270337233829407378789978142456170950021426339096575008", h.toString(10)) 46 | 47 | 48 | h = poseidon.hash(listOf(b1, b2, b3, b4, b5, b6)) 49 | 50 | assertEquals("5202465217520500374834597824465244016759843635092906214933648999760272616044", h.toString(10)) 51 | } 52 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/util/Extensions.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.util 2 | 3 | import java.math.BigInteger 4 | 5 | fun Byte.asUnsigned() = this.toInt() and 0xFF 6 | 7 | /** Performs a bitwise AND operation between the two values. */ 8 | infix fun Byte.and(other: Byte): Byte = (this.toInt() and other.toInt()).toByte() 9 | 10 | /** Performs a bitwise OR operation between the two values. */ 11 | infix fun Byte.or(other: Byte): Byte = (this.toInt() or other.toInt()).toByte() 12 | 13 | fun BigInteger.sqrtMod(generator: BigInteger, modulus: BigInteger): BigInteger? { 14 | when { 15 | modulus % BigInteger.valueOf(16) == BigInteger.valueOf(1) -> { 16 | // Tonelli-Shank's algorithm for q mod 16 = 1 17 | // https://eprint.iacr.org/2012/685.pdf (page 12, algorithm 5) 18 | val a = this 19 | 20 | // PRECOMPUTATION 21 | 22 | // q - 1 = t * 2^S, where q is modulus 23 | val (t, s) = breakdownModulus(modulus) 24 | 25 | val ONE = BigInteger.ONE 26 | val TWO = BigInteger.valueOf(2) 27 | var z = generator.modPow(t, modulus) // Root of unity 28 | val exp1 = TWO.modPow(s - ONE, modulus) // 2 ^ (s - 1) 29 | 30 | // COMPUTATION 31 | var w = a.modPow((t - ONE) / TWO, modulus) 32 | val a0 = (w.pow(2) * a).modPow(exp1, modulus) 33 | 34 | if ((a0 + ONE) % modulus == BigInteger.ZERO) return null 35 | 36 | var v = s 37 | var x = (a * w) % modulus 38 | var b = (x * w) % modulus 39 | 40 | // TODO optimise performance 41 | while (b != ONE) { 42 | val k = findK(b, v, modulus) 43 | w = z.modPow(TWO.modPow(v - k - ONE, modulus), modulus) 44 | z = w.modPow(TWO, modulus) 45 | b = (b * z) % modulus 46 | x = (x * w) % modulus 47 | v = k 48 | } 49 | return x 50 | } 51 | else -> error("General case is not yet implemented") 52 | } 53 | } 54 | 55 | /** 56 | * Find least integer k ≥ 0 such that b^2^k == 1 57 | */ 58 | private fun findK(b: BigInteger, limit: BigInteger, modulus: BigInteger): BigInteger { 59 | var k = BigInteger.ZERO 60 | do { 61 | val b2k = b.modPow(BigInteger.valueOf(2).modPow(k, modulus), modulus) 62 | if(b2k == BigInteger.ONE) return k else k++ 63 | } while (k <= limit) 64 | error("K not found") 65 | } 66 | 67 | private fun breakdownModulus(q: BigInteger): Pair { 68 | val qMinus1 = q - BigInteger.ONE 69 | var s = 0 70 | 71 | while(!qMinus1.testBit(s)) { 72 | s++ 73 | } 74 | return qMinus1.shiftRight(s) to BigInteger.valueOf(s.toLong()) 75 | } -------------------------------------------------------------------------------- /src/test/kotlin/com/ing/dlt/zkkrypto/ecc/mimc/Mimc7HashTest.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.mimc 2 | 3 | import org.bouncycastle.jcajce.provider.digest.Keccak 4 | import org.bouncycastle.util.encoders.Hex 5 | import org.junit.jupiter.api.Assertions.assertEquals 6 | import org.junit.jupiter.api.Test 7 | import java.math.BigInteger 8 | 9 | /** 10 | * Tested to be compatible with Mimc-rs (https://github.com/arnaucube/mimc-rs) and, transitively, with Iden3 (https://github.com/iden3/go-iden3-crypto) 11 | */ 12 | class Mimc7HashTest { 13 | 14 | @Test 15 | fun testKeccak() { 16 | 17 | val sha3: Keccak.Digest256 = Keccak.Digest256() 18 | 19 | val seedHash = sha3.digest(Mimc7Hash.defaultSeed) 20 | 21 | assertEquals( 22 | Hex.toHexString(seedHash), 23 | "b6e489e6b37224a50bebfddbe7d89fa8fdcaa84304a70bd13f79b5d9f7951e9e" 24 | ) 25 | } 26 | 27 | @Test 28 | fun testConstantsGeneration() { 29 | 30 | val constants = Mimc7Hash.generateRoundConstants( 31 | r = BigInteger("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10) 32 | ) 33 | assertEquals( 34 | "20888961410941983456478427210666206549300505294776164667214940546594746570981", 35 | constants[1].toString(10) 36 | ) 37 | } 38 | 39 | @Test 40 | fun testBigIntegerHashing() { 41 | 42 | val b12 = BigInteger("12", 10) 43 | val b45 = BigInteger("45", 10) 44 | val b78 = BigInteger("78", 10) 45 | val b41 = BigInteger("41", 10) 46 | 47 | val mimc7 = Mimc7Hash() 48 | 49 | val ints1 = listOf(b12) 50 | val h1 = mimc7.hash(ints1) 51 | assertEquals( 52 | Hex.toHexString(h1), 53 | "237c92644dbddb86d8a259e0e923aaab65a93f1ec5758b8799988894ac0958fd" 54 | ) 55 | 56 | val ints2 = listOf(b78, b41) 57 | val h2 = mimc7.hash(ints2) 58 | assertEquals( 59 | Hex.toHexString(h2), 60 | "067f3202335ea256ae6e6aadcd2d5f7f4b06a00b2d1e0de903980d5ab552dc70" 61 | ) 62 | 63 | val ints3 = listOf(b12, b45) 64 | val h3 = mimc7.hash(ints3) 65 | assertEquals( 66 | Hex.toHexString(h3), 67 | "15ff7fe9793346a17c3150804bcb36d161c8662b110c50f55ccb7113948d8879" 68 | ) 69 | 70 | val ints4 = listOf(b12, b45, b78, b41) 71 | val h4 = mimc7.hash(ints4) 72 | assertEquals( 73 | Hex.toHexString(h4), 74 | "284bc1f34f335933a23a433b6ff3ee179d682cd5e5e2fcdd2d964afa85104beb" 75 | ) 76 | } 77 | 78 | @Test 79 | fun testBytesHashing() { 80 | 81 | val msg = "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." 82 | 83 | val mimc7 = Mimc7Hash() 84 | 85 | val h = mimc7.hash(msg.toByteArray()) 86 | assertEquals( 87 | BigInteger(h).toString(10), 88 | "16855787120419064316734350414336285711017110414939748784029922801367685456065" 89 | ) 90 | 91 | } 92 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/poseidon/PoseidonHash.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.poseidon 2 | 3 | import com.ing.dlt.zkkrypto.ecc.ZKHash 4 | import com.ing.dlt.zkkrypto.ecc.curves.BabyJubjub 5 | import com.ing.dlt.zkkrypto.ecc.poseidon.Constants.Companion.defaultRoundConstants 6 | import java.math.BigInteger 7 | import kotlin.math.min 8 | 9 | data class PoseidonHash( 10 | val r: BigInteger = BabyJubjub.R, 11 | val constants: Constants = defaultRoundConstants() 12 | ): ZKHash { 13 | 14 | /** 15 | * Hash size in bytes 16 | */ 17 | override val hashLength = r.bitLength() / 8 + if(r.bitLength() / 8 != 0) 1 else 0 18 | 19 | override fun hash(msg: ByteArray): ByteArray = hash(bytesToField(msg)).toByteArray() 20 | 21 | fun hash(msg: List): BigInteger { 22 | 23 | if (msg.isEmpty() || msg.size >= constants.numRoundsP.size - 1) 24 | throw Exception("Invalid inputs length: ${msg.size}, maximum allowed: ${constants.numRoundsP.size - 2}") 25 | 26 | msg.forEach { if(it >= r) throw Exception("Element {$it} is out of the field {$r}") } 27 | 28 | val t = msg.size + 1 29 | 30 | var state = msg.plus(BigInteger.ZERO).toMutableList() 31 | 32 | val nRoundsP = constants.numRoundsP[t-2] 33 | 34 | val lastRound = constants.numRoundsF + nRoundsP - 1 35 | 36 | for (round in 0 until constants.numRoundsF + nRoundsP) { 37 | 38 | // Add Round Key 39 | for (i in state.indices) { 40 | state[i] = state[i] + constants.c[t-2][round * t + i] 41 | } 42 | 43 | // S-Box 44 | if (round < constants.numRoundsF / 2 || round >= constants.numRoundsF / 2 + nRoundsP) { 45 | // Full round 46 | for (i in state.indices) { 47 | state[i] = sbox(state[i]) 48 | } 49 | } else { 50 | // Partial round 51 | state[0] = sbox(state[0]) 52 | } 53 | 54 | // If not last round: mix (via matrix multiplication) 55 | if (round != lastRound) { 56 | state = mix(state, constants.m[t-2]).toMutableList() 57 | } 58 | } 59 | 60 | return state[0] 61 | } 62 | 63 | private fun sbox(m: BigInteger): BigInteger { 64 | return m.modPow(BigInteger.valueOf(5), r) 65 | } 66 | 67 | private fun mix(state: List, matrix: List>): List { 68 | 69 | val newState: MutableList = MutableList(state.size) { BigInteger.ZERO } 70 | 71 | for (i in state.indices) { 72 | for (j in state.indices) { 73 | newState[i] = newState[i] + matrix[j][i] * state[j] 74 | } 75 | } 76 | return newState 77 | } 78 | 79 | private fun bytesToField(msg: ByteArray): List { 80 | /** 81 | * TODO 82 | * if we take n = hashLength then resulting integer can be bigger than R, 83 | * and we cannot take modulo because it will introduce collision attack. 84 | * Now performance suffers so we need to figure out optimal way. 85 | */ 86 | val n = hashLength - 1 87 | val ints = mutableListOf() 88 | 89 | for (i in msg.indices step n) { 90 | val int = BigInteger(1, msg.sliceArray(i until min(i+n, msg.size))) 91 | ints.add(int) 92 | } 93 | return ints 94 | } 95 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/mimc/Mimc7Hash.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.mimc 2 | 3 | import com.ing.dlt.zkkrypto.ecc.ZKHash 4 | import com.ing.dlt.zkkrypto.ecc.curves.BabyJubjub 5 | import org.bouncycastle.jcajce.provider.digest.Keccak 6 | import java.math.BigInteger 7 | import kotlin.math.min 8 | 9 | 10 | data class Mimc7Hash( 11 | val r: BigInteger = BabyJubjub.R, 12 | val numRounds: Int = defaultNumRounds, 13 | val roundConstants: List = generateRoundConstants(r = r, numRounds = numRounds) 14 | ): ZKHash { 15 | 16 | /** 17 | * Hash size in bytes 18 | */ 19 | override val hashLength = r.bitLength() / 8 + if(r.bitLength() / 8 != 0) 1 else 0 20 | 21 | override fun hash(msg: ByteArray): ByteArray = hash(bytesToField(msg)) 22 | 23 | fun hash(msg: List): ByteArray { 24 | 25 | // check if all elements are in field R 26 | msg.forEach { 27 | if( it > r) throw IllegalArgumentException("Element $it is not in field $r") 28 | } 29 | 30 | var result = BigInteger.ZERO 31 | 32 | msg.forEach { 33 | result = (result + it + hashElement(it, result)) % r 34 | } 35 | val bytes = result.toByteArray() 36 | return if(bytes.size == hashLength) 37 | bytes 38 | else 39 | ByteArray(hashLength - bytes.size).plus(bytes) 40 | } 41 | 42 | private fun hashElement(msg: BigInteger, key: BigInteger): BigInteger { 43 | var res: BigInteger = BigInteger.ZERO 44 | for (i in 0 until numRounds) { 45 | val t = if (i == 0) { 46 | msg + key 47 | } else { 48 | res + key + roundConstants[i] 49 | } 50 | 51 | val t2 = t * t 52 | val t4 = t2 * t2 53 | res = (t4 * t2 * t) % r 54 | } 55 | return (res + key) % r 56 | } 57 | 58 | private fun bytesToField(msg: ByteArray): List { 59 | 60 | // 31 seems to hardcoded and probably should depend on R but I use it like this for compatibility reason 61 | val n = 31 62 | val ints = mutableListOf() 63 | 64 | for (i in msg.indices step n) { 65 | // We revert array here because bytes are supposed to be little-endian unlike BigInteger 66 | val int = BigInteger(1, msg.sliceArray(i until min(i+n, msg.size)).reversedArray()) 67 | ints.add(int) 68 | } 69 | return ints 70 | } 71 | 72 | companion object { 73 | 74 | const val defaultNumRounds = 91 75 | val defaultSeed = "mimc".toByteArray() 76 | 77 | fun generateRoundConstants(seed: ByteArray = defaultSeed, numRounds: Int = defaultNumRounds, r: BigInteger): List { 78 | 79 | val constants = mutableListOf(BigInteger.ZERO) 80 | 81 | val keccak: Keccak.Digest256 = Keccak.Digest256() 82 | val digest = keccak.digest(seed) 83 | 84 | var c = BigInteger(1, digest) 85 | 86 | for (i in 0 until numRounds) { 87 | val bytes = dropSignBitIfNeeded(c.toByteArray()) 88 | c = BigInteger(1, keccak.digest(bytes)) 89 | constants.add(c % r) 90 | } 91 | return constants 92 | } 93 | 94 | private fun dropSignBitIfNeeded(bytes: ByteArray): ByteArray { 95 | return if (bytes[0] == 0.toByte()) { 96 | val res = ByteArray(bytes.size - 1) 97 | System.arraycopy(bytes, 1, res, 0, res.size) 98 | res 99 | } else bytes 100 | } 101 | } 102 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/util/BitArray.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.util 2 | 3 | import java.math.BigInteger 4 | 5 | /** 6 | * Bit array with underlying byte[] representation in big-endian bit order 7 | */ 8 | data class BitArray(val data: ByteArray, val size: Int = data.size * 8) { 9 | 10 | fun get(i: Int): BigInteger { 11 | return if(testBit(i)) BigInteger.ONE else BigInteger.ZERO 12 | } 13 | 14 | fun testBit(i: Int): Boolean { 15 | if(i >= size) throw ArrayIndexOutOfBoundsException(i) 16 | val byte: Int = i / 8 17 | val bit: Int = 7 - i % 8 18 | return data[byte].toInt().ushr(bit).and(1) > 0 19 | } 20 | 21 | fun withPadding(numBits: Int): BitArray { 22 | val newSize = size + numBits 23 | val byteLenDiff = wordLen(newSize) - data.size 24 | return BitArray(data.plus(ByteArray(byteLenDiff)), newSize) 25 | } 26 | 27 | override fun equals(other: Any?): Boolean { 28 | if (this === other) return true 29 | if (javaClass != other?.javaClass) return false 30 | 31 | other as BitArray 32 | 33 | if (!data.contentEquals(other.data)) return false 34 | if (size != other.size) return false 35 | 36 | return true 37 | } 38 | 39 | override fun hashCode(): Int { 40 | var result = data.contentHashCode() 41 | result = 31 * result + size 42 | return result 43 | } 44 | 45 | fun plus(other: BitArray): BitArray { 46 | return if(size % 8 != 0) { 47 | val newData = shift(other, this.size).data 48 | for (i in this.data.indices) newData[i] = newData[i] or data[i] 49 | BitArray(newData, this.size + other.size) 50 | } else { 51 | BitArray(data.plus(other.data), this.size + other.size) 52 | } 53 | } 54 | 55 | 56 | companion object { 57 | 58 | fun fromString(bitString: String) : BitArray { 59 | 60 | val byteLen = wordLen(bitString.length) 61 | val data = ByteArray(byteLen) 62 | 63 | var bitIndex = 7 64 | var byteIndex = 0 65 | 66 | bitString.forEach { char -> 67 | if(char == '1') { 68 | data[byteIndex] = (data[byteIndex] + 1.shl(bitIndex)).toByte() 69 | } else if(char != '0') throw IllegalArgumentException("Only binary strings are allowed") 70 | 71 | bitIndex-- 72 | if(bitIndex < 0) { 73 | byteIndex++ 74 | bitIndex = 7 75 | } 76 | } 77 | 78 | return BitArray(data, bitString.length) 79 | } 80 | 81 | private fun wordLen(bitLen: Int, wordLen: Int = 8): Int { 82 | return bitLen / wordLen + if(bitLen % wordLen == 0) 0 else 1 83 | } 84 | 85 | private fun shift(sourceBits: BitArray, bitCount: Int): BitArray { 86 | val shiftMod = bitCount % 8 87 | val offsetBytes = bitCount / 8 88 | val destBitSize = sourceBits.size + bitCount 89 | val byteSize = wordLen(destBitSize) 90 | val dest = ByteArray(byteSize) 91 | val carryMask = (0xFF ushr (8 - shiftMod)).toByte() 92 | val byteAdded = wordLen(sourceBits.size) != byteSize 93 | 94 | val source = sourceBits.data 95 | 96 | for (i in source.indices) { 97 | if(shiftMod == 0) { 98 | dest[offsetBytes + i] = source[i] 99 | } else { 100 | val sourceCarry = (source[i] and carryMask).asUnsigned() shl (8 - shiftMod) 101 | dest[offsetBytes + i] = dest[offsetBytes + i] or (source[i].asUnsigned() ushr shiftMod).toByte() 102 | if(!byteAdded && i == source.size - 1) { /* skip last carry if we don't add byte */ } else { 103 | dest[offsetBytes + i + 1] = dest[offsetBytes + i + 1] or sourceCarry.toByte() 104 | } 105 | } 106 | } 107 | return BitArray(dest, destBitSize) 108 | } 109 | 110 | } 111 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/arithmetic/TwistedEdwardsArithmetic.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.arithmetic 2 | 3 | import com.ing.dlt.zkkrypto.ecc.EllipticCurve 4 | import com.ing.dlt.zkkrypto.ecc.EllipticCurvePoint 5 | import com.ing.dlt.zkkrypto.ecc.curves.TwistedEdwardsCurve 6 | import com.ing.dlt.zkkrypto.util.sqrtMod 7 | import java.math.BigInteger 8 | 9 | object TwistedEdwardsArithmetic { 10 | 11 | fun add(a: EllipticCurvePoint, b: EllipticCurvePoint): EllipticCurvePoint { 12 | 13 | require(a.curve is TwistedEdwardsCurve) { "Elliptic curve must be Twisted Edwards Curve" } 14 | require(a.curve == b.curve) { "Points should be on the same curve, A's curve is ${a.curve}, B's curve is ${b.curve}" } 15 | 16 | // x = (pointA.x * pointB.y + pointA.y * pointB.x) / (1 + d * pointA.x * pointB.x * pointA.y * pointB.y) 17 | // y = (pointA.y * pointB.y - a * pointA.x * pointB.x) / (1 - d * pointA.x * pointB.x * pointA.y * pointB.y) 18 | 19 | val curve = a.curve 20 | 21 | val xNomTerm1 = a.x.multiply(b.y).mod(curve.R) 22 | val xNomTerm2 = a.y.multiply(b.x).mod(curve.R) 23 | val xNom = xNomTerm1.add(xNomTerm2) 24 | 25 | val yNomTerm1 = a.y.multiply(b.y).mod(curve.R) 26 | val yNomTerm2 = a.x.multiply(b.x).mod(curve.R).multiply(curve.a).mod(curve.R) 27 | val yNom = yNomTerm1.subtract(yNomTerm2) 28 | 29 | val denomCommonTerm = curve.d.multiply(a.x).mod(curve.R).multiply(a.y).mod(curve.R).multiply(b.x).mod(curve.R).multiply(b.y).mod(curve.R) 30 | 31 | val xDenomInversed = BigInteger.ONE.add(denomCommonTerm).modInverse(curve.R) 32 | val yDenomInversed = BigInteger.ONE.subtract(denomCommonTerm).modInverse(curve.R) 33 | 34 | val resultX = xNom.multiply(xDenomInversed).mod(curve.R) 35 | val resultY = yNom.multiply(yDenomInversed).mod(curve.R) 36 | 37 | return EllipticCurvePoint(resultX, resultY, curve) 38 | } 39 | 40 | fun scalarMult(p: EllipticCurvePoint, scalar: BigInteger): EllipticCurvePoint { 41 | 42 | // double & add 43 | 44 | val s = scalar.mod(p.curve.R) 45 | var doubling: EllipticCurvePoint = p.copy() 46 | var result: EllipticCurvePoint = p.curve.zero 47 | 48 | for( i in 0 until s.bitLength() ) { 49 | if (s.testBit(i)) { 50 | result = result.add(doubling) 51 | } 52 | doubling = doubling.double() 53 | } 54 | return result 55 | } 56 | 57 | fun double(p: EllipticCurvePoint): EllipticCurvePoint { 58 | return p.add(p) 59 | } 60 | 61 | fun isOnCurve(p: EllipticCurvePoint): Boolean { 62 | 63 | require(p.curve is TwistedEdwardsCurve) { "Elliptic curve must be Twisted Edwards Curve" } 64 | 65 | // a * x^2 + y^2 = 1 + d * x^2 * y^2 66 | val d = p.curve.d 67 | 68 | val x2 = p.x.multiply(p.x).mod(p.curve.R) 69 | val ax2 = x2.multiply(p.curve.a).mod(p.curve.R) 70 | val y2 = p.y.multiply(p.y).mod(p.curve.R) 71 | 72 | val dTimesX2Y2 = d.multiply(x2).multiply(y2).mod(p.curve.R) 73 | 74 | return y2.add(ax2).mod(p.curve.R) == BigInteger.ONE.add(dTimesX2Y2).mod(p.curve.R) 75 | } 76 | 77 | fun getForY(y: BigInteger, sign: Boolean, curve: EllipticCurve): EllipticCurvePoint? { 78 | 79 | require(curve is TwistedEdwardsCurve) { "Elliptic curve must be Twisted Edwards Curve" } 80 | 81 | if (y >= curve.R) return null 82 | 83 | // HERE it' different from jubjub 84 | // Given a y on the curve, x^2 = (y^2 - 1) / (dy^2 - a) 85 | // This is defined for all valid y-coordinates, 86 | // as dy^2 - a = 0 has no solution in Fr. 87 | 88 | val y2 = (y * y) % curve.R 89 | 90 | // (y^2 - 1) 91 | val numerator = y2 - BigInteger.ONE 92 | 93 | // (dy^2 - a) 94 | val denominator = (y2 * curve.d - curve.a) % curve.R 95 | 96 | val invDenominator = denominator.modInverse(curve.R) 97 | 98 | // (y^2 - 1) / (dy^2 - a) 99 | val right = (numerator * invDenominator) % curve.R 100 | 101 | var x = right.sqrtMod(curve.FrGenerator, curve.R) ?: return null 102 | 103 | if ((x.toByteArray().last() % 2 != 0) != sign) { 104 | x = curve.R - x 105 | } 106 | val point = EllipticCurvePoint(x, y, curve) 107 | 108 | return if (point.isOnCurve()) point else null 109 | } 110 | } -------------------------------------------------------------------------------- /gradlew: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | # 4 | # Copyright 2015 the original author or authors. 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # https://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 | 19 | ############################################################################## 20 | ## 21 | ## Gradle start up script for UN*X 22 | ## 23 | ############################################################################## 24 | 25 | # Attempt to set APP_HOME 26 | # Resolve links: $0 may be a link 27 | PRG="$0" 28 | # Need this for relative symlinks. 29 | while [ -h "$PRG" ] ; do 30 | ls=`ls -ld "$PRG"` 31 | link=`expr "$ls" : '.*-> \(.*\)$'` 32 | if expr "$link" : '/.*' > /dev/null; then 33 | PRG="$link" 34 | else 35 | PRG=`dirname "$PRG"`"/$link" 36 | fi 37 | done 38 | SAVED="`pwd`" 39 | cd "`dirname \"$PRG\"`/" >/dev/null 40 | APP_HOME="`pwd -P`" 41 | cd "$SAVED" >/dev/null 42 | 43 | APP_NAME="Gradle" 44 | APP_BASE_NAME=`basename "$0"` 45 | 46 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 47 | DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' 48 | 49 | # Use the maximum available, or set MAX_FD != -1 to use that value. 50 | MAX_FD="maximum" 51 | 52 | warn () { 53 | echo "$*" 54 | } 55 | 56 | die () { 57 | echo 58 | echo "$*" 59 | echo 60 | exit 1 61 | } 62 | 63 | # OS specific support (must be 'true' or 'false'). 64 | cygwin=false 65 | msys=false 66 | darwin=false 67 | nonstop=false 68 | case "`uname`" in 69 | CYGWIN* ) 70 | cygwin=true 71 | ;; 72 | Darwin* ) 73 | darwin=true 74 | ;; 75 | MINGW* ) 76 | msys=true 77 | ;; 78 | NONSTOP* ) 79 | nonstop=true 80 | ;; 81 | esac 82 | 83 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 84 | 85 | # Determine the Java command to use to start the JVM. 86 | if [ -n "$JAVA_HOME" ] ; then 87 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 88 | # IBM's JDK on AIX uses strange locations for the executables 89 | JAVACMD="$JAVA_HOME/jre/sh/java" 90 | else 91 | JAVACMD="$JAVA_HOME/bin/java" 92 | fi 93 | if [ ! -x "$JAVACMD" ] ; then 94 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 95 | 96 | Please set the JAVA_HOME variable in your environment to match the 97 | location of your Java installation." 98 | fi 99 | else 100 | JAVACMD="java" 101 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 102 | 103 | Please set the JAVA_HOME variable in your environment to match the 104 | location of your Java installation." 105 | fi 106 | 107 | # Increase the maximum file descriptors if we can. 108 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then 109 | MAX_FD_LIMIT=`ulimit -H -n` 110 | if [ $? -eq 0 ] ; then 111 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then 112 | MAX_FD="$MAX_FD_LIMIT" 113 | fi 114 | ulimit -n $MAX_FD 115 | if [ $? -ne 0 ] ; then 116 | warn "Could not set maximum file descriptor limit: $MAX_FD" 117 | fi 118 | else 119 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" 120 | fi 121 | fi 122 | 123 | # For Darwin, add options to specify how the application appears in the dock 124 | if $darwin; then 125 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" 126 | fi 127 | 128 | # For Cygwin or MSYS, switch paths to Windows format before running java 129 | if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then 130 | APP_HOME=`cygpath --path --mixed "$APP_HOME"` 131 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` 132 | JAVACMD=`cygpath --unix "$JAVACMD"` 133 | 134 | # We build the pattern for arguments to be converted via cygpath 135 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` 136 | SEP="" 137 | for dir in $ROOTDIRSRAW ; do 138 | ROOTDIRS="$ROOTDIRS$SEP$dir" 139 | SEP="|" 140 | done 141 | OURCYGPATTERN="(^($ROOTDIRS))" 142 | # Add a user-defined pattern to the cygpath arguments 143 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then 144 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" 145 | fi 146 | # Now convert the arguments - kludge to limit ourselves to /bin/sh 147 | i=0 148 | for arg in "$@" ; do 149 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` 150 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option 151 | 152 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition 153 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` 154 | else 155 | eval `echo args$i`="\"$arg\"" 156 | fi 157 | i=`expr $i + 1` 158 | done 159 | case $i in 160 | 0) set -- ;; 161 | 1) set -- "$args0" ;; 162 | 2) set -- "$args0" "$args1" ;; 163 | 3) set -- "$args0" "$args1" "$args2" ;; 164 | 4) set -- "$args0" "$args1" "$args2" "$args3" ;; 165 | 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; 166 | 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; 167 | 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; 168 | 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; 169 | 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; 170 | esac 171 | fi 172 | 173 | # Escape application args 174 | save () { 175 | for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done 176 | echo " " 177 | } 178 | APP_ARGS=`save "$@"` 179 | 180 | # Collect all arguments for the java command, following the shell quoting and substitution rules 181 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" 182 | 183 | exec "$JAVACMD" "$@" 184 | -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/pedersenhash/PedersenHash.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.pedersenhash 2 | 3 | import com.ing.dlt.zkkrypto.ecc.EllipticCurve 4 | import com.ing.dlt.zkkrypto.ecc.EllipticCurvePoint 5 | import com.ing.dlt.zkkrypto.ecc.ZKHash 6 | import com.ing.dlt.zkkrypto.ecc.curves.AltBabyJubjub 7 | import com.ing.dlt.zkkrypto.ecc.curves.Jubjub 8 | import com.ing.dlt.zkkrypto.util.BitArray 9 | import java.lang.IllegalStateException 10 | import java.math.BigInteger 11 | 12 | /** 13 | * Instance of Pedersen Hash. 14 | * Window size is dynamic by design but in practice it is only tested and works for classic 3-bits window 15 | */ 16 | data class PedersenHash( 17 | val window: Int = 3, 18 | val chunksPerGenerator: Int = 63, // ZCash default, Zinc uses 62 for AltJJ 19 | val curve: EllipticCurve, 20 | val generators: Generators = Generators.defaultForCurve(curve), 21 | val defaultSalt: BitArray? = null 22 | ): ZKHash { 23 | 24 | init { 25 | if(window != 3) throw IllegalStateException("Only supporting window size 3 at the moment") 26 | } 27 | 28 | private val chunkShift = window + 1 29 | private val windowMask = BigInteger.valueOf((1 shl window) - 1L) 30 | 31 | private val generatorsExpTable: ArrayList>> = buildExpTable() 32 | 33 | /** 34 | * Hash size in bytes 35 | */ 36 | override val hashLength = curve.S.toByteArray().size 37 | 38 | override fun hash(msg: ByteArray): ByteArray = hash(msg, salt = defaultSalt) 39 | 40 | fun hash(msg: ByteArray, salt: BitArray? = defaultSalt): ByteArray = hash(BitArray(msg), salt) 41 | 42 | fun hash(msg: BitArray, salt: BitArray? = defaultSalt): ByteArray { 43 | 44 | var hashPoint = curve.zero 45 | val salted = salted(msg, salt) 46 | 47 | if(salted.size > maxBitLength() && maxBitLength() > 0) throw IllegalArgumentException("Message is too long, length = ${salted.size}, limit = ${maxBitLength()}") 48 | 49 | val m = padded(salted) 50 | 51 | val numProducts = numProducts(m) 52 | 53 | for (productIndex in 0 until numProducts) { 54 | var product = product(m, productIndex) 55 | var tmp = curve.zero 56 | var chunkIndex = 0 57 | while (product != BigInteger.ZERO) { 58 | val powerIndex = product.and(windowMask).intValueExact() 59 | 60 | tmp = tmp.add(generatorsExpTable[productIndex][chunkIndex][powerIndex]) 61 | 62 | product = product shr window 63 | chunkIndex++ 64 | } 65 | 66 | hashPoint = hashPoint.add(tmp) 67 | } 68 | 69 | // we want constant size hashes so we add trailing zero bytes to the beginning 70 | val bytes = hashPoint.x.toByteArray() 71 | return if(bytes.size == hashLength) 72 | bytes 73 | else 74 | ByteArray(hashLength - bytes.size).plus(bytes) 75 | } 76 | 77 | // compute enc(m_j) as in the documentation 78 | private fun chunk(m: BitArray, productIndex: Int, chunkIndex: Int): Long { 79 | val lowestBitIndex = (productIndex * chunksPerGenerator + chunkIndex) * window 80 | 81 | var chunk = 1L 82 | for(i in 0 until window-1) { 83 | if(m.testBit(lowestBitIndex + i)) chunk += 1 shl i 84 | } 85 | 86 | if(m.testBit(lowestBitIndex + (window-1))) { 87 | // only works for ZCash 3-bits window now because iden3 4-bit algorithm uses different sign switch :shrug: 88 | chunk = -chunk 89 | } 90 | 91 | return chunk 92 | } 93 | 94 | private fun fieldNegate(element: BigInteger): BigInteger { 95 | return if(element >= BigInteger.ZERO) { 96 | element 97 | } else { 98 | curve.S + element 99 | } 100 | } 101 | 102 | // compute as in the documentation 103 | private fun product(msg: BitArray, i: Int): BigInteger { 104 | 105 | var product = BigInteger.ZERO 106 | 107 | for(j in 0 until numChunksInProduct(msg, i)) { 108 | val chunk = fieldNegate(BigInteger.valueOf(chunk(msg, i, j)).shiftLeft(chunkShift * j)) 109 | product += chunk 110 | } 111 | 112 | return product.mod(curve.S) 113 | } 114 | 115 | // chunksPerGenerator in most cases but variable for last product (it can be shorter) 116 | private fun numChunksInProduct(msg: BitArray, productIndex: Int): Int { 117 | 118 | val lastProduct = if(msg.size % productBitSize() == 0) msg.size / productBitSize() - 1 else msg.size / productBitSize() 119 | 120 | return if(productIndex == lastProduct) { 121 | if(msg.size % productBitSize() == 0) 122 | chunksPerGenerator 123 | else { 124 | msg.size % productBitSize() / window + if(msg.size % window == 0) 0 else 1 125 | } 126 | } else chunksPerGenerator 127 | } 128 | 129 | private fun productBitSize(): Int { 130 | return chunksPerGenerator * window 131 | } 132 | 133 | private fun maxBitLength(): Int { 134 | return generators.size * productBitSize() 135 | } 136 | 137 | private fun numProducts(m: BitArray) = m.size / productBitSize() + if(m.size % productBitSize() == 0) 0 else 1 138 | 139 | private fun salted(msg: BitArray, salt: BitArray?): BitArray { 140 | return salt?.plus(msg) ?: msg 141 | } 142 | 143 | private fun padded(m: BitArray): BitArray { 144 | return m.withPadding((window - m.size % window) % window) 145 | } 146 | 147 | private fun buildExpTable(): ArrayList>> { 148 | if(generators.size <= 0) error("Can only build exp table for limited amount of generators") 149 | 150 | val expTable = ArrayList>>(generators.size) 151 | val powers = 1 shl window 152 | val generatorsIter = generators.iterator() 153 | 154 | generatorsIter.forEach { generator -> 155 | var g = generator 156 | val tables = ArrayList>(chunksPerGenerator) 157 | for (i in 0..curve.S.bitLength() step window) { 158 | var base = curve.zero 159 | val table = ArrayList(powers) 160 | for (power in 0 until powers) { 161 | table.add(base) 162 | base = base.add(g) 163 | } 164 | tables.add(table) 165 | for (j in 0 until window) { 166 | g = g.double() 167 | } 168 | } 169 | expTable.add(tables) 170 | } 171 | return expTable 172 | } 173 | 174 | companion object { 175 | val zinc = PedersenHash( 176 | curve = AltBabyJubjub, 177 | chunksPerGenerator = 62, 178 | defaultSalt = BitArray.fromString("111111") 179 | ) 180 | 181 | fun zcash() = PedersenHash(curve = Jubjub, chunksPerGenerator = 63) 182 | } 183 | } 184 | 185 | -------------------------------------------------------------------------------- /src/test/kotlin/com/ing/dlt/zkkrypto/ecc/pedersenhash/PedersenHashTest.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.pedersenhash 2 | 3 | import com.ing.dlt.zkkrypto.ecc.curves.AltBabyJubjub 4 | import com.ing.dlt.zkkrypto.ecc.curves.Jubjub 5 | import com.ing.dlt.zkkrypto.util.BitArray 6 | import org.junit.jupiter.api.Assertions.assertArrayEquals 7 | import org.junit.jupiter.api.Assertions.assertEquals 8 | import org.junit.jupiter.api.Test 9 | import java.math.BigInteger 10 | import kotlin.random.Random 11 | 12 | internal class PedersenHashTest { 13 | 14 | @Test 15 | fun jubjub() { 16 | 17 | TestVectors.jubjub.forEach { vector -> 18 | 19 | val hash = BigInteger(PedersenHash.zcash().hash(vector.input_bits)) 20 | 21 | assertEquals(BigInteger(vector.hash_x, 16), hash) 22 | } 23 | } 24 | 25 | @Test 26 | fun altBabyJubjubStrings() { 27 | 28 | TestVectors.altBabyJubjub.forEach { vector -> 29 | 30 | val hash = BigInteger(PedersenHash(curve = AltBabyJubjub, chunksPerGenerator = 62) 31 | .hash(vector.input_bits)) 32 | 33 | assertEquals(BigInteger(vector.hash_x, 16), hash) 34 | } 35 | } 36 | 37 | @Test 38 | fun altBabyJubjubBytes() { 39 | 40 | TestVectors.altBabyJubjubBytes.forEach { vector -> 41 | 42 | val hash = BigInteger(PedersenHash.zinc.hash(vector.input_bits)) 43 | 44 | assertEquals(vector.hash_x, hash.toString(16)) 45 | } 46 | } 47 | 48 | @Test 49 | fun zincDefaultTest() { 50 | 51 | val vector = TestVectors.TestVector( 52 | personalization = TestVectors.Personalization.NoteCommitment, 53 | input_bits = BitArray.fromString("00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000101010"), 54 | hash_x = "d799568a2faaebce79310bbb84e454bf934e61f1879c8095ac7c0a45905d2d3", 55 | hash_y = "40d2992106b2c6e8c2f0b38e5238fbd9b46ef042d91011a5566044f2943ac65" 56 | ) 57 | 58 | val hash = BigInteger(PedersenHash.zinc.hash(vector.input_bits)) 59 | 60 | assertEquals(vector.hash_x, hash.toString(16)) 61 | } 62 | 63 | @Test 64 | fun zincGeneratorsTest() { 65 | 66 | val hardcoded = Generators.zincAltBabyJubjub().iterator() 67 | 68 | val calculated = PedersenHash.zinc.generators.iterator() 69 | 70 | for (i in 0..4) { 71 | val h = hardcoded.next() 72 | val c = calculated.next() 73 | require(h == c) { "Generated generators should be equal to pregenerated generators" } 74 | } 75 | 76 | for (i in 0..2) { 77 | require(calculated.iterator().hasNext()) 78 | val next = calculated.iterator().next() // shouldn't fail 79 | require(next.isOnCurve()) 80 | } 81 | } 82 | 83 | @Test 84 | fun constantSizeHash() { 85 | 86 | // PH(40) = 00116fbd117d117768ec0f977d857df3e278015d4ce9fd4d08bd6c153ebd1fa2 87 | // 48058 hashes to the point where X coordinate is only 31 byte long 88 | // so we check it was correctly padded with zero byte at zero position to be 32-bytes constant size 89 | 90 | val m = 40 91 | val hash = PedersenHash.zcash().hash(BitArray(m.toBigInteger().toByteArray())) 92 | assertEquals(0, hash[0]) 93 | assertEquals(32, hash.size) 94 | assertEquals("116fbd117d117768ec0f977d857df3e278015d4ce9fd4d08bd6c153ebd1fa2", BigInteger(hash).toString(16)) 95 | } 96 | 97 | 98 | @Test 99 | fun salt() { 100 | 101 | val full = Random.Default.nextBytes(ByteArray(10)) 102 | 103 | val expected = PedersenHash.zcash().hash(full) 104 | 105 | val msg = full.drop(4).toByteArray() 106 | val salt = full.dropLast(full.size - 4).toByteArray() 107 | 108 | val hash = PedersenHash(curve = Jubjub).hash(msg, BitArray(salt)) 109 | 110 | assertArrayEquals(expected, hash) 111 | } 112 | 113 | 114 | // @Test 115 | fun hashSingle() { 116 | 117 | val len = 1 118 | val ph = PedersenHash.zinc 119 | val f42 = "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000101010" 120 | val msg = BitArray.fromString(f42 + f42 + f42 + f42 + f42) 121 | val hash = ph.hash(msg) 122 | println(BigInteger(hash).toString(16)) 123 | } 124 | 125 | // @Test 126 | fun benchmarkGenerators() { 127 | 128 | // Total time (nanos): 16.701.578.307 ~ 16 seconds 129 | // Total time per generator (nanos): 521.924 ~ 0.5 milliseconds 130 | // 131 | // Will do for now but its clear how to optimize it further 132 | 133 | 134 | val calculated = PedersenHash.zinc.generators.iterator() 135 | 136 | val start = System.nanoTime() 137 | val numRuns = 4 * 8 * 1000 // ~ 1 MB 138 | for(i in 0..numRuns) { 139 | calculated.next() 140 | } 141 | val finish = System.nanoTime() 142 | println("Total time (nanos): ${finish - start}") 143 | println("Average time per generator (nanos): ${(finish - start) / numRuns}") 144 | } 145 | 146 | // @Test 147 | fun benchmarkLongHash() { 148 | 149 | val ph = PedersenHash.zinc 150 | 151 | // Generate generators 152 | val calculated = ph.generators.iterator() 153 | 154 | var start = System.nanoTime() 155 | var numRuns = 4 * 8 * 10 // ~ 10 KB 156 | for(i in 0..numRuns) { 157 | calculated.next() 158 | } 159 | var finish = System.nanoTime() 160 | println("Total time (nanos): ${finish - start}") 161 | println("Average time per generator (nanos): ${(finish - start) / numRuns}") 162 | 163 | 164 | // Hash 165 | val msg = Random.nextBytes(10000) 166 | 167 | start = System.nanoTime() 168 | numRuns = 1 169 | for(i in 0..numRuns) { 170 | ph.hash(msg) 171 | } 172 | finish = System.nanoTime() 173 | println("Average time per hash (nanos): ${(finish - start) / numRuns}") 174 | } 175 | 176 | // @Test 177 | fun benchmark() { 178 | // From https://github.com/zcash-hackworks/sapling-crypto/pull/79 : 179 | // 180 | // at first: 181 | // 182 | // test bench_pedersen_hash ... bench: 452,241 ns/iter (+/- 24,567) 183 | // 184 | // after wnaf: 185 | // 186 | // test bench_pedersen_hash ... bench: 276,877 ns/iter (+/- 7,185) 187 | // 188 | // after more optimal doubling (eyeroll at the variance): 189 | // 190 | // test bench_pedersen_hash ... bench: 279,210 ns/iter (+/- 7,150) 191 | // 192 | // after dedicated window tables: 193 | // 194 | // test bench_pedersen_hash ... bench: 37,373 ns/iter (+/- 2,020) 195 | // 196 | // ------------------------------------------------------------------------------------------------- 197 | // 198 | // My dev machine: 199 | // Total time per hash (nanos): 864,246 200 | // 201 | // Neither MM nor lookups nor any other optimizations are implemented 202 | // so looks like there is plenty of room for improvement yet its good enough at least for experimentation 203 | 204 | 205 | val start = System.nanoTime() 206 | val numRuns = 1000 207 | for(m in 1..numRuns) { 208 | PedersenHash(curve = Jubjub).hash(BitArray(m.toBigInteger().toByteArray())) 209 | } 210 | val finish = System.nanoTime() 211 | println("Total time (nanos): ${finish - start}") 212 | println("Average time per hash (nanos): ${(finish - start) / numRuns}") 213 | } 214 | } -------------------------------------------------------------------------------- /src/main/kotlin/com/ing/dlt/zkkrypto/ecc/pedersenhash/Generators.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.pedersenhash 2 | 3 | import com.ing.dlt.zkkrypto.ecc.EllipticCurve 4 | import com.ing.dlt.zkkrypto.ecc.EllipticCurvePoint 5 | import com.ing.dlt.zkkrypto.ecc.curves.AltBabyJubjub 6 | import com.ing.dlt.zkkrypto.ecc.curves.BabyJubjub 7 | import com.ing.dlt.zkkrypto.ecc.curves.Jubjub 8 | import org.bouncycastle.crypto.digests.Blake2sDigest 9 | import java.math.BigInteger 10 | import java.nio.ByteBuffer 11 | import kotlin.experimental.and 12 | 13 | 14 | class FixedSizeGenerators(private val points: List) : Generators() { 15 | override val size = points.size 16 | override fun iterator(): Iterator = points.iterator() 17 | } 18 | 19 | class EndlessGenerators(private val curve: EllipticCurve, private val personalization: ByteArray, limit: Int = 0) : Generators() { 20 | override val size = limit 21 | private val generators: MutableList = mutableListOf() 22 | 23 | @Synchronized private fun getGenerator(index: Int): EllipticCurvePoint { 24 | if(size != 0 && index >= size) error("Limit of generators amount is reached: $size") 25 | return if (generators.size > index) generators[index] else generateGenerators(index + 1) 26 | } 27 | 28 | 29 | @Synchronized private fun generateGenerators(newSize: Int): EllipticCurvePoint { 30 | while(generators.size < newSize) { 31 | val generator = generateGenerator(generators.size) 32 | generators.add(generator) 33 | } 34 | return generators.last() 35 | } 36 | 37 | private fun generateGenerator(segment: Int): EllipticCurvePoint { 38 | 39 | val tag = segment.bytes() 40 | for (i in 0..255) { 41 | tag[tag.size - 1] = i.toByte() 42 | val hash = getGroupHash(tag).reversed().toByteArray() 43 | val p: EllipticCurvePoint? = fromY(hash, curve) 44 | if(!generators.contains(p)) { 45 | val pm = p?.scalarMult(curve.cofactor) 46 | if (pm != null) return pm 47 | } else { 48 | // We can as well increase tag and continue but for now we fail to be consistent with Zinc approach 49 | error("Duplicate generator at segment $segment, tag $i: $p") 50 | } 51 | } 52 | error("Failed to generate generator for segment $segment") 53 | } 54 | 55 | private fun Int.bytes(): ByteArray { 56 | val leInt = ByteBuffer.allocate(4) // we reserve 1 extra byte for tag counter 57 | .putInt(this) 58 | .array().reversed() 59 | 60 | return leInt.plus(0).toByteArray() 61 | } 62 | 63 | private fun getGroupHash(tag: ByteArray): ByteArray { 64 | val blake = Blake2sDigest( 65 | null, 66 | 32, 67 | null, 68 | personalization 69 | ) 70 | blake.update(GH_FIRST_BLOCK, 0, GH_FIRST_BLOCK.size) 71 | blake.update(tag, 0, tag.size) 72 | 73 | val hash = ByteArray(32) 74 | blake.doFinal(hash, 0) 75 | return hash 76 | } 77 | 78 | fun fromY(y: ByteArray, curve: EllipticCurve): EllipticCurvePoint? { 79 | 80 | // Use top bit of this integer as a sign (parity) bit for X coordinate of the point on Twisted Edwards curve 81 | val xSign = (y[0] and 128.toByte()) != 0.toByte() 82 | 83 | y[0] = y[0] and 127 84 | 85 | return curve.getForY(BigInteger(1, y), xSign) 86 | } 87 | 88 | override fun iterator(): Iterator = GeneratorsIterator(this) 89 | 90 | companion object { 91 | 92 | /// First 64 bytes of the BLAKE2s input during group hash. 93 | /// This is chosen to be some random string that we couldn't have anticipated when we designed 94 | /// the algorithm, for rigidity purposes. 95 | /// We deliberately use an ASCII hex string of 32 bytes here. 96 | private val GH_FIRST_BLOCK = "096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0".toByteArray() 97 | } 98 | 99 | private class GeneratorsIterator(val source: EndlessGenerators): Iterator { 100 | 101 | private var index = 0 102 | 103 | override fun hasNext(): Boolean = if(source.size == 0) true else index < source.size 104 | 105 | override fun next(): EllipticCurvePoint = source.getGenerator(index++) 106 | } 107 | } 108 | 109 | sealed class Generators { 110 | 111 | abstract val size: Int 112 | abstract fun iterator(): Iterator 113 | 114 | companion object { 115 | 116 | /** 117 | * Constants from librustzcash test 118 | * They don't have it hardcoded but for now its easier to get them from runtime comparing to reimplementing group hash 119 | */ 120 | fun zcashLibrust(): Generators = FixedSizeGenerators( 121 | listOf( 122 | EllipticCurvePoint( 123 | BigInteger("73c016a42ded9578b5ea25de7ec0e3782f0c718f6f0fbadd194e42926f661b51", 16), 124 | BigInteger("289e87a2d3521b5779c9166b837edc5ef9472e8bc04e463277bfabd432243cca", 16), 125 | Jubjub 126 | ), 127 | EllipticCurvePoint( 128 | BigInteger("15a36d1f0f390d8852a35a8c1908dd87a361ee3fd48fdf77b9819dc82d90607e", 16), 129 | BigInteger("015d8c7f5b43fe33f7891142c001d9251f3abeeb98fad3e87b0dc53c4ebf1891", 16), 130 | Jubjub 131 | ), 132 | EllipticCurvePoint( 133 | BigInteger("664321a58246e2f6eb69ae39f5c84210bae8e5c46641ae5c76d6f7c2b67fc475", 16), 134 | BigInteger("362e1500d24eee9ee000a46c8e8ce8538bb22a7f1784b49880ed502c9793d457", 16), 135 | Jubjub 136 | ), 137 | EllipticCurvePoint( 138 | BigInteger("323a6548ce9d9876edc5f4a9cff29fd57d02d50e654b87f24c767804c1c4a2cc", 16), 139 | BigInteger("2f7ee40c4b56cad891070acbd8d947b75103afa1a11f6a8584714beca33570e9", 16), 140 | Jubjub 141 | ), 142 | EllipticCurvePoint( 143 | BigInteger("3bd2666000b5479689b64b4e03362796efd5931305f2f0bf46809430657f82d1", 16), 144 | BigInteger("494bc52103ab9d0a397832381406c9e5b3b9d8095859d14c99968299c3658aef", 16), 145 | Jubjub 146 | ), 147 | EllipticCurvePoint( 148 | BigInteger("63447b2ba31bb28ada049746d76d3ee51d9e5ca21135ff6fcb3c023258d32079", 16), 149 | BigInteger("64ec4689e8bfb6e564cdb1070a136a28a80200d2c66b13a7436082119f8d629a", 16), 150 | Jubjub 151 | ) 152 | ) 153 | ) 154 | 155 | 156 | /** 157 | * Generators from Zinc 158 | */ 159 | fun zincAltBabyJubjub(): Generators = FixedSizeGenerators( 160 | listOf( 161 | EllipticCurvePoint( 162 | BigInteger("184570ed4909a81b2793320a26e8f956be129e4eed381acf901718dff8802135", 16), 163 | BigInteger("1c3a9a830f61587101ef8cbbebf55063c1c6480e7e5a7441eac7f626d8f69a45", 16), 164 | AltBabyJubjub 165 | ), 166 | EllipticCurvePoint( 167 | BigInteger("0afc00ffa0065f5479f53575e86f6dcd0d88d7331eefd39df037eea2d6f031e4", 16), 168 | BigInteger("237a6734dd50e044b4f44027ee9e70fcd2e5724ded1d1c12b820a11afdc15c7a", 16), 169 | AltBabyJubjub 170 | ), 171 | EllipticCurvePoint( 172 | BigInteger("00fb62ad05ee0e615f935c5a83a870f389a5ea2baccf22ad731a4929e7a75b37", 16), 173 | BigInteger("00bc8b1c9d376ceeea2cf66a91b7e2ad20ab8cce38575ac13dbefe2be548f702", 16), 174 | AltBabyJubjub 175 | ), 176 | EllipticCurvePoint( 177 | BigInteger("0675544aa0a708b0c584833fdedda8d89be14c516e0a7ef3042f378cb01f6e48", 16), 178 | BigInteger("169025a530508ee4f1d34b73b4d32e008b97da2147f15af3c53f405cf44f89d4", 16), 179 | AltBabyJubjub 180 | ), 181 | EllipticCurvePoint( 182 | BigInteger("07350a0660a05014168047155c0a0647ea2720ecb182a6cb137b29f8a5cfd37f", 16), 183 | BigInteger("3004ad73b7abe27f17ec04b04b450955a4189dd012b4cf4b174af15bd412696a", 16), 184 | AltBabyJubjub 185 | ) 186 | ) 187 | ) 188 | 189 | /** 190 | * Constants from 191 | * https://github.com/matter-labs/pedersen_hash_standard 192 | */ 193 | fun zcashBlakePrecomputed(): Generators = FixedSizeGenerators( 194 | listOf( 195 | EllipticCurvePoint( 196 | BigInteger("184570ed4909a81b2793320a26e8f956be129e4eed381acf901718dff8802135", 16), 197 | BigInteger("1c3a9a830f61587101ef8cbbebf55063c1c6480e7e5a7441eac7f626d8f69a45", 16), 198 | Jubjub 199 | ), 200 | EllipticCurvePoint( 201 | BigInteger("0afc00ffa0065f5479f53575e86f6dcd0d88d7331eefd39df037eea2d6f031e4", 16), 202 | BigInteger("237a6734dd50e044b4f44027ee9e70fcd2e5724ded1d1c12b820a11afdc15c7a", 16), 203 | Jubjub 204 | ), 205 | EllipticCurvePoint( 206 | BigInteger("00fb62ad05ee0e615f935c5a83a870f389a5ea2baccf22ad731a4929e7a75b37", 16), 207 | BigInteger("00bc8b1c9d376ceeea2cf66a91b7e2ad20ab8cce38575ac13dbefe2be548f702", 16), 208 | Jubjub 209 | ), 210 | EllipticCurvePoint( 211 | BigInteger("0675544aa0a708b0c584833fdedda8d89be14c516e0a7ef3042f378cb01f6e48", 16), 212 | BigInteger("169025a530508ee4f1d34b73b4d32e008b97da2147f15af3c53f405cf44f89d4", 16), 213 | Jubjub 214 | ), 215 | EllipticCurvePoint( 216 | BigInteger("07350a0660a05014168047155c0a0647ea2720ecb182a6cb137b29f8a5cfd37f", 16), 217 | BigInteger("3004ad73b7abe27f17ec04b04b450955a4189dd012b4cf4b174af15bd412696a", 16), 218 | Jubjub 219 | ) 220 | ) 221 | ) 222 | 223 | fun zincAltBabyJubjubDynamicSize(): Generators = EndlessGenerators(AltBabyJubjub, "Zcash_PH".toByteArray(), 4 * 8 * 20) // ~20 Kb, should match custom generators count from our Zinc fork 224 | 225 | 226 | fun defaultForCurve(curve: EllipticCurve): Generators { 227 | return when (curve) { 228 | is Jubjub -> zcashLibrust() 229 | is BabyJubjub -> TODO() 230 | is AltBabyJubjub -> zincAltBabyJubjubDynamicSize() 231 | else -> throw IllegalArgumentException("Unknown curve: $curve") 232 | } 233 | 234 | } 235 | } 236 | } 237 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2019 ING Bank NV 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /src/test/kotlin/com/ing/dlt/zkkrypto/ecc/pedersenhash/TestVectors.kt: -------------------------------------------------------------------------------- 1 | package com.ing.dlt.zkkrypto.ecc.pedersenhash 2 | 3 | import com.ing.dlt.zkkrypto.util.BitArray 4 | 5 | object TestVectors { 6 | 7 | //! Test vectors from https://github.com/zcash-hackworks/zcash-test-vectors/blob/master/sapling_pedersen.py 8 | 9 | val jubjub = listOf( 10 | 11 | TestVector ( 12 | personalization = Personalization.NoteCommitment, 13 | input_bits = BitArray.fromString("111111"), 14 | hash_x = "06b1187c11ca4fb4383b2e0d0dbbde3ad3617338b5029187ec65a5eaed5e4d0b", 15 | hash_y = "3ce70f536652f0dea496393a1e55c4e08b9d55508e16d11e5db40d4810cbc982" 16 | ), 17 | TestVector( 18 | personalization = Personalization.NoteCommitment, 19 | input_bits = BitArray.fromString("1111110"), 20 | hash_x = "2fc3bc454c337f71d4f04f86304262fcbfc9ecd808716b92fc42cbe6827f7f1a", 21 | hash_y = "46d0d25bf1a654eedc6a9b1e5af398925113959feac31b7a2c036ff9b9ec0638" 22 | ), 23 | TestVector( 24 | personalization = Personalization.NoteCommitment, 25 | input_bits = BitArray.fromString("1111111"), 26 | hash_x = "4f8ce0e0a9e674b3ab9606a7d7aefba386e81583d81918127814cde41d209d97", 27 | hash_y = "312b5ab93b14c9b9af334fe1fe3c50fffb53fbd074fa40ca600febde7c97e346" 28 | ), 29 | TestVector( 30 | personalization = Personalization.NoteCommitment, 31 | input_bits = BitArray.fromString("111111100"), 32 | hash_x = "4f8ce0e0a9e674b3ab9606a7d7aefba386e81583d81918127814cde41d209d97", 33 | hash_y = "312b5ab93b14c9b9af334fe1fe3c50fffb53fbd074fa40ca600febde7c97e346" 34 | ), 35 | TestVector( 36 | personalization = Personalization.NoteCommitment, 37 | input_bits = BitArray.fromString("111111101101000010000011001000000010111010111010110000010111011101000100111001011011001000000011000000001101111111010011000111101000110010101101101101111101000001011101011110101000010000"), 38 | hash_x = "599ab788360ae8c6d5bb7618aec37056d6227408d857fdc394078a3d7afdfe0f", 39 | hash_y = "4320c373da670e28d168f4ffd72b43208e8c815f40841682c57a3ee1d005a527" 40 | ), 41 | TestVector( 42 | personalization = Personalization.NoteCommitment, 43 | input_bits = BitArray.fromString("1111111000001111011100011100" + 44 | "0010000100111010110100011010" + 45 | "0001000000101000101111101110" + 46 | "1011100100110100110111000011" + 47 | "1011001100101001011111111100" + 48 | "0010111010011111001010100110" + 49 | "100010100101010101000" 50 | ), 51 | hash_x = "2da510317620f5dfdce1f31db6019f947eedcf02ff2972cff597a5c3ad21f5dd", 52 | hash_y = "198789969c0c33e6c359b9da4a51771f4d50863f36beef90436944fe568399f2" 53 | ), 54 | TestVector( 55 | personalization = Personalization.NoteCommitment, 56 | input_bits = BitArray.fromString("1111111010001101000100010000" + 57 | "0011000001111100001110001110" + 58 | "1100111110010101000010110110" + 59 | "0111110100010101000011000000" + 60 | "0011100101100001100100100100" + 61 | "0000101101111101111011000110" + 62 | "0111100001011111000011"), 63 | hash_x = "601247c7e640992d193dfb51df6ed93446687a7f2bcd0e4a598e6feb1ef20c40", 64 | hash_y = "371931733b73e7b95c2cad55a6cebd15c83619f697c64283e54e5ef61442a743" 65 | ), 66 | TestVector( 67 | personalization = Personalization.NoteCommitment, 68 | input_bits = BitArray.fromString( 69 | "1111111100100100101000000110" + 70 | "0101111010110011100001100100" + 71 | "1110010011101110110100000111" + 72 | "0111110011111100011011001010" + 73 | "1110100000100111000101110001" + 74 | "1011100000110100000111101011" + 75 | "0001000011010101111100010101" + 76 | "1100100110001100110101100100" + 77 | "1111011110011100010100010010" + 78 | "0010000110000000010111011000" + 79 | "1000110110010000101001010010" + 80 | "1011011001011111000010001000" + 81 | "0000010101111001011110101110" + 82 | "1101011110100110001001101110" + 83 | "0000111001010100010011101111" + 84 | "1001000001000010110101010110" + 85 | "0011001011100100010001111101" + 86 | "0000111011111110111101000010" + 87 | "1001000110010001100100110101" + 88 | "0001011010001110100110010001" + 89 | "0000001011011010100010101011" + 90 | "1000100010000101100110101101" + 91 | "1110101001111000101111110101" + 92 | "0011111101011110110101010010" + 93 | "0010101100011111010100100010" + 94 | "1101000001001010010001101011" + 95 | "1100110100100000010000000111" 96 | ), 97 | hash_x = "314192ecb1f2d8806a8108704c875a25d9fb7e444f9f373919adedebe8f2ae27", 98 | hash_y = "6b12b32f1372ad574799dee9eb591d961b704bf611f55fcc71f7e82cd3330b74" 99 | ), 100 | TestVector( 101 | personalization = Personalization.NoteCommitment, 102 | input_bits = BitArray.fromString( 103 | "1111111100110101110101110010" + 104 | "0111010000000101010110000110" + 105 | "1111001110000110110010101101" + 106 | "1001001000100011101011001011" + 107 | "0000111101001010010100001001" + 108 | "0110001111001110011101011010" + 109 | "0110110001100110010111010110" + 110 | "0111100001011011010010011010" + 111 | "1011101110101100010101110101" + 112 | "1111011111000110110010000010" + 113 | "1000100001000100011011101100" + 114 | "1011111011000111111110001010" + 115 | "1100100011100110100011010101" + 116 | "1101100101011000111110101010" + 117 | "1111010101111100001011011001" + 118 | "1000011000000110010010001100" + 119 | "1100110001001101001001010001" + 120 | "0101000111101010100010111000" + 121 | "1111101010100101010101110010" + 122 | "0011111010101010000101101110" + 123 | "0101111011011000100000010001" + 124 | "0011011110100011001011011001" + 125 | "0111000101011011111000000101" + 126 | "0101101100010011111101010011" + 127 | "0100001101110101010000010100" + 128 | "1100110001000011101011000011" + 129 | "1101011111001010000101010111" + 130 | "0" 131 | ), 132 | hash_x = "0666c2bce7f362a2b807d212e9a577f116891a932affd7addec39fbf372c494e", 133 | hash_y = "6758bccfaf2e47c07756b96edea23aa8d10c33b38220bd1c411af612eeec18ab" 134 | ), 135 | TestVector( 136 | personalization = Personalization.NoteCommitment, 137 | input_bits = BitArray.fromString("1111111000000101100100100001" + 138 | "1001011101101000000100010110" + 139 | "0000110010111010111010011001" + 140 | "1101100001110011000000110011" + 141 | "0101001000001111100001100101" + 142 | "0000110011101001100010001100" + 143 | "1010001010010110010011101001" + 144 | "1101101011001111000011010000" + 145 | "1011100111110001011101100000" + 146 | "1000010111101101111011000000" + 147 | "0011010000000011000100110001" + 148 | "0001000100000000001011111111" + 149 | "0110000001000111110100000000" + 150 | "1011111101001111010100000101" + 151 | "1111101100001100010000011111" + 152 | "0100000110101011010010001011" + 153 | "0100100001001110011011011000" + 154 | "0100001111010111011011010110" + 155 | "0001011010010100110111111110" + 156 | "1100110010010111000011001000" + 157 | "0011101010000100010101110100" + 158 | "0100000110100001010101010111" + 159 | "0110101001001110100011011001" + 160 | "0001101011011101101101001101" + 161 | "1100010111100100110011011001" + 162 | "0110011101110101001111111110" + 163 | "1010001111101011101100011001" + 164 | "1110000000011101101111011011" + 165 | "1011101111001110111001111010" + 166 | "1001011010110100001011010010" + 167 | "1101000000100000001110011010" + 168 | "1111101011001100101111011110" + 169 | "0000001110001110110011010010" + 170 | "101010010101110110011" 171 | ), 172 | hash_x = "130afe02b99375484efb0998f5331d2178e1d00e803049bb0769099420624f5f", 173 | hash_y = "5e2fc6970554ffe358652aa7968ac4fcf3de0c830e6ea492e01a38fafb68cd71" 174 | ), 175 | TestVector( 176 | personalization = Personalization.NoteCommitment, 177 | input_bits = BitArray.fromString( 178 | "1111110110011010011011001110" + 179 | "1101101000110011110110100101" + 180 | "0111000010101110011000000100" + 181 | "1010101100010001001101000110" + 182 | "0101011111100101111011000100" + 183 | "1111001010100010000000011101" + 184 | "0010011111010101111011001001" + 185 | "0000111011010111000011001010" + 186 | "1001100010101010000101100100" + 187 | "0100010011100101000010101111" + 188 | "1011001100010000000010101100" + 189 | "1111100000001101100001000011" + 190 | "1000100100000110101000001100" + 191 | "0110101001100010101000100111" + 192 | "1101011010001001011110110101" + 193 | "1011000111011100000001101000" + 194 | "1011110111100110110101011111" + 195 | "0010100101011001001010000011" + 196 | "0100001010110001010100100101" + 197 | "1011001110001011010101011000" + 198 | "1000110000000011100011001011" + 199 | "1110010000101001011011100110" + 200 | "1000110001011101101110000000" + 201 | "1111100000000010111000001110" + 202 | "1110111100000111010110010100" + 203 | "0010111110011010000111001110" + 204 | "1101000010111100010101101001" + 205 | "0111001111000110111111000011" + 206 | "0100010010111000000101100100" + 207 | "1111100010111001101110101111" + 208 | "1100110110110111110000111000" + 209 | "1001110100010010100010011110" + 210 | "0100011011110000100111111011" + 211 | "1110000111011001110001" 212 | ), 213 | hash_x = "67914ebd539961b70f468fa23d4cb42133693a8ac57cd35a1e6369fe34fbedf7", 214 | hash_y = "44770870c0f0cfe59a10df95d6c21e6f1514a2f464b66377599438c126052d9f" 215 | ), 216 | TestVector( 217 | personalization = Personalization.MerkleTree_0, 218 | input_bits = BitArray.fromString("000000"), 219 | hash_x = "62454a957289b3930d10f3def0d512cfe0ef3de06421321221af3558de9d481d", 220 | hash_y = "0279f0aebfb66e53ff69fba16b6608dbf4319b944432f45c6e69a3dbd1f7b330" 221 | ), 222 | TestVector( 223 | personalization = Personalization.MerkleTree_0, 224 | input_bits = BitArray.fromString("0000000"), 225 | hash_x = "283c7880f35179e201161402d9c4556b255917dbbf0142ae60519787d36d4dea", 226 | hash_y = "648224408b4b83297cd0feb4cdc4eeb224237734931145432793bcd414228dc4" 227 | ), 228 | TestVector( 229 | personalization = Personalization.MerkleTree_0, 230 | input_bits = BitArray.fromString("0000001"), 231 | hash_x = "1f1086b287636a20063c9614db2de66bb7d49242e88060956a5e5845057f6f5d", 232 | hash_y = "6b1b395421dde74d53341caa9e01f39d7a3138efb9b57fc0381f98f4868df622" 233 | ), 234 | TestVector( 235 | personalization = Personalization.MerkleTree_0, 236 | input_bits = BitArray.fromString("000000100"), 237 | hash_x = "1f1086b287636a20063c9614db2de66bb7d49242e88060956a5e5845057f6f5d", 238 | hash_y = "6b1b395421dde74d53341caa9e01f39d7a3138efb9b57fc0381f98f4868df622" 239 | ), 240 | TestVector( 241 | personalization = Personalization.MerkleTree_0, 242 | input_bits = BitArray.fromString( 243 | "0000001101001110010010110111" + 244 | "0001111001101010111010111000" + 245 | "0100001001101001110011011001" + 246 | "1100111011101010001101101011" + 247 | "0011000101011101000110001110" + 248 | "1110000110110010101110101101" + 249 | "110111111001000110" 250 | ), 251 | hash_x = "20d2b1b0551efe511755d564f8da4f5bf285fd6051331fa5f129ad95b318f6cd", 252 | hash_y = "2834d96950de67ae80e85545f8333c6e14b5cf5be7325dac768f401e6edd9544" 253 | ), 254 | TestVector( 255 | personalization = Personalization.MerkleTree_0, 256 | input_bits = BitArray.fromString( 257 | "0000000010000110001100111101" + 258 | "1001011110011001110101101111" + 259 | "1110011110000000000110011100" + 260 | "0110111110010010110010101111" + 261 | "1101001011000101001100101010" + 262 | "0010011100011011011101110100" + 263 | "010111101111011010000" 264 | ), 265 | hash_x = "01f4850a0f40e07186fee1f0a276f52fb12cffe05c18eb2aa18170330a93c555", 266 | hash_y = "19b0807358e7c8cba9168815ec54c4cd76997c34c592607d172151c48d5377cb" 267 | ), 268 | TestVector( 269 | personalization = Personalization.MerkleTree_0, 270 | input_bits = BitArray.fromString( 271 | "0000001111100001011111111000" + 272 | "0101100011111111001110101001" + 273 | "0000101101111001010010111010" + 274 | "0111011111100111110010010101" + 275 | "0100101110100001101101111101" + 276 | "1001011111000110101011111101" + 277 | "0011010110101001101100" 278 | ), 279 | hash_x = "26dd81a3ffa37452c6a932d41eb4f2e0fedd531e9af8c2a7935b91dff653879d", 280 | hash_y = "2fc7aebb729ef5cabf0fb3f883bc2eb2603093850b0ec19c1a3c08b653e7f27f" 281 | ), 282 | TestVector( 283 | personalization = Personalization.MerkleTree_0, 284 | input_bits = BitArray.fromString( 285 | "0000000100011111100000000101" + 286 | "0110011100001110010001010010" + 287 | "1110010011000011010101010111" + 288 | "1001011111100000001110011101" + 289 | "0101010101010000001011100000" + 290 | "0110110000100111101010000101" + 291 | "1101001100111110110111110000" + 292 | "0011001111000001100101111110" + 293 | "1001001101011101001110100110" + 294 | "0111010100011010010110110001" + 295 | "0101011011011010100110100010" + 296 | "0101100000000100100010101011" + 297 | "0110001001101111100110010111" + 298 | "0000000011101111011100100000" + 299 | "0110111100000100010100101010" + 300 | "1000110010111010111001110100" + 301 | "0000100110110000111100000101" + 302 | "0000000011011101001010010101" + 303 | "0011101101000000101000111000" + 304 | "0100101011110101100100010011" + 305 | "0001101101010111100011111010" + 306 | "0011010011011100101011010110" + 307 | "1001001101001101100000011010" + 308 | "1010001000111010100100101011" + 309 | "0000100101000011110010110001" + 310 | "0101110110101101001101001111" + 311 | "1110001100111101101001011001" 312 | ), 313 | hash_x = "1111740552773b00aa6a2334575aa94102cfbd084290a430c90eb56d6db65b85", 314 | hash_y = "6560c44b11683c20030626f89456f78a53ae8a89f565956a98ffc554b48fbb1a" 315 | ), 316 | TestVector( 317 | personalization = Personalization.MerkleTree_0, 318 | input_bits = BitArray.fromString( 319 | "0000000010011010110111011010" + 320 | "1000010000001100101010101000" + 321 | "0100100010100101111000011111" + 322 | "0001001101011110010110010111" + 323 | "1100000100011110111110001000" + 324 | "0110111011100111010001001011" + 325 | "0100000100001101000110110100" + 326 | "0111101000101101011100010111" + 327 | "1101101011000111011010101111" + 328 | "1010010110100010101011000000" + 329 | "0000010010101101011011100001" + 330 | "0111111110111100001100100100" + 331 | "0001110000101000110101111100" + 332 | "1001000010101111001101010011" + 333 | "0110101000001010101110001100" + 334 | "0001101111000010011111110101" + 335 | "1110001000010100001000011011" + 336 | "0000101101111100100100101000" + 337 | "0111111101000010110111011001" + 338 | "1000010011011001010100111110" + 339 | "1100010110101110110011110101" + 340 | "1000011011100010111011010010" + 341 | "1010110001110111100001010110" + 342 | "1111011111110001000001100010" + 343 | "1000101100011101101001101101" + 344 | "1011010010101111011110001011" + 345 | "1110110100100110100000111100" + 346 | "0" 347 | ), 348 | hash_x = "429349ea9b5f8163bcda3014b3e15554df5173353fd73f315a49360c97265f68", 349 | hash_y = "188774bb6de41eba669be5d368942783f937acf2f418385fc5c78479b0a405ee" 350 | ), 351 | TestVector( 352 | personalization = Personalization.MerkleTree_0, 353 | input_bits = BitArray.fromString( 354 | "0000000010000011010000000001" + 355 | "0010111101001010101011011100" + 356 | "0001011111100011111110110011" + 357 | "0001101101010110010000101001" + 358 | "0010011010100011111010100001" + 359 | "1011011111100000101011010001" + 360 | "1011111001110011011000100100" + 361 | "0000000000010110000000100000" + 362 | "0100011111101010010011000111" + 363 | "0010111100111101111110010000" + 364 | "1011011011001100001111101001" + 365 | "1011111000100110000011101110" + 366 | "1110110010010110010001110110" + 367 | "1010001101101011100000110011" + 368 | "0110101110101001001001110000" + 369 | "0111101011101111101000000001" + 370 | "0010100100000100010001101011" + 371 | "0011001001110001010010001000" + 372 | "0011101101000001011100001111" + 373 | "0011101010111000111100100101" + 374 | "1110001100001001011000011101" + 375 | "1000110100110011010111000001" + 376 | "1111000101001001100001110001" + 377 | "0010001111011010010001010111" + 378 | "0101111011001100110010111111" + 379 | "0011001110110110001101110011" + 380 | "0001010011000010001001101111" + 381 | "0100110111011010111101001010" + 382 | "0110000110011101000011011111" + 383 | "0010010100011110110000010011" + 384 | "0001100001110111110000011001" + 385 | "0101110111110001101101101110" + 386 | "0111001100111000010010100000" + 387 | "001100010111100100110" 388 | ), 389 | hash_x = "00e827f3ed136f3c91c61c97ab9b7cca0ea53c20e47abb5e226ede297bdd5f37", 390 | hash_y = "315cc00a54972df6a19f650d3fab5f2ad0fb07397bacb6944568618f2aa76bf6" 391 | ), 392 | TestVector( 393 | personalization = Personalization.MerkleTree_0, 394 | input_bits = BitArray.fromString( 395 | "0000000011100101011100111111" + 396 | "0011011101000011101111001101" + 397 | "1010111010101010110011101110" + 398 | "0001111001100100110111100011" + 399 | "1000010101111101000100101010" + 400 | "0100011011010010110111111101" + 401 | "0100010111010111110001001000" + 402 | "1001000010101101001010101110" + 403 | "0110111001001111100011000101" + 404 | "0011110111011010111011100100" + 405 | "0010010001100111001010000110" + 406 | "1101100011100001101011101000" + 407 | "0000001010001000000101111010" + 408 | "1001001011001011001111100011" + 409 | "0001010010100100011010000000" + 410 | "0100110010001001001001001011" + 411 | "1111110100000000101100001001" + 412 | "1000000100101101001001001001" + 413 | "0110101011010100101010111110" + 414 | "1010010101000111010100010011" + 415 | "1001011101000111010110010011" + 416 | "0010011111010100011110111000" + 417 | "0100111000101001101100000010" + 418 | "1111111100010010111110000000" + 419 | "1011110000010100110100110111" + 420 | "1011011100101111001000011110" + 421 | "0011101010101010110011001010" + 422 | "0011101000011111101000100111" + 423 | "0000010010011110011101110001" + 424 | "0001001110110110001010111001" + 425 | "0111000100100001110100011110" + 426 | "1101101000000100111101111010" + 427 | "1000110011001110011000100111" + 428 | "1010100001000010101000" 429 | ), 430 | hash_x = "3ee50557c4aa9158c4bb9d5961208e6c62f55c73ad7c7695a0eba0bcb6d83d05", 431 | hash_y = "1b1a2be6e47688828aeadf2d37db298eac0c2736c2722b227871fdeeee29de33" 432 | ), 433 | TestVector( 434 | personalization = Personalization.MerkleTree_34, 435 | input_bits = BitArray.fromString("010001"), 436 | hash_x = "61f8e2cb8e945631677b450d5e5669bc6b5f2ec69b321ac550dbe74525d7ac9a", 437 | hash_y = "4e11951ab9c9400ee38a18bd98cdb9453f1f67141ee9d9bf0c1c157d4fb34f9a" 438 | ), 439 | TestVector( 440 | personalization = Personalization.MerkleTree_34, 441 | input_bits = BitArray.fromString("0100010"), 442 | hash_x = "27fa1e296c37dde8448483ce5485c2604d1d830e53812246299773a02ecd519c", 443 | hash_y = "08e499113675202cb42b4b681a31430814edebd72c5bb3bc3bfedf91fb0605df" 444 | ), 445 | TestVector( 446 | personalization = Personalization.MerkleTree_34, 447 | input_bits = BitArray.fromString("0100011"), 448 | hash_x = "52112dd7a4293d049bb011683244a0f957e6ba95e1d1cf2fb6654d449a6d3fbc", 449 | hash_y = "2ae14ecd81bb5b4489d2d64b5d2eb92a684087b28dd9a4950ecdb78c014e178c" 450 | ), 451 | TestVector( 452 | personalization = Personalization.MerkleTree_34, 453 | input_bits = BitArray.fromString("010001100"), 454 | hash_x = "52112dd7a4293d049bb011683244a0f957e6ba95e1d1cf2fb6654d449a6d3fbc", 455 | hash_y = "2ae14ecd81bb5b4489d2d64b5d2eb92a684087b28dd9a4950ecdb78c014e178c" 456 | ), 457 | TestVector( 458 | personalization = Personalization.MerkleTree_34, 459 | input_bits = BitArray.fromString( 460 | "0100010101010000100010000110" + 461 | "0011111100000100011010100101" + 462 | "1111011110010111001000101110" + 463 | "1000101110000001100100110100" + 464 | "0111111100101110110101110010" + 465 | "1011011010011010100011110010" + 466 | "001001110110000110" 467 | ), 468 | hash_x = "544a0b44c35dca64ee806d1af70b7c44134e5d86efed413947657ffd71adf9b2", 469 | hash_y = "5ddc5dbf12abbbc5561defd3782a32f450b3c398f52ff4629677e59e86e3ab31" 470 | ), 471 | TestVector( 472 | personalization = Personalization.MerkleTree_34, 473 | input_bits = BitArray.fromString( 474 | "0100011000110001011100010011" + 475 | "0010000000110010101100111101" + 476 | "0010011101101011011010111111" + 477 | "0111001110011011100101100100" + 478 | "0010111111010011110011110110" + 479 | "1110001011111110001100010011" + 480 | "100010111110000011101" 481 | ), 482 | hash_x = "6cb6490ccb0ca9ccd657146f58a7b800bc4fb2556ee37861227ee8fda724acfb", 483 | hash_y = "05c6fe100926f5cc441e54e72f024b6b12c907f2ec5680335057896411984c9f" 484 | ), 485 | TestVector( 486 | personalization = Personalization.MerkleTree_34, 487 | input_bits = BitArray.fromString( 488 | "0100010110011001111010111101" + 489 | "0110111001000101111010110011" + 490 | "0000000101100101100010000111" + 491 | "1001111010000101001010100100" + 492 | "0100101101101001001001000111" + 493 | "0000010010010011101010101001" + 494 | "0001101011100111010100" 495 | ), 496 | hash_x = "40901e2175cb7f06a00c676d54d90e59fd448f11cbbc5eb517f9fea74b795ce2", 497 | hash_y = "42d512891f91087310c9bc630c8d0ecc014596f884fd6df55dada8195ed726de" 498 | ), 499 | TestVector( 500 | personalization = Personalization.MerkleTree_34, 501 | input_bits = BitArray.fromString( 502 | "0100011100110011011001000110" + 503 | "0010100111110011100000100001" + 504 | "1111010001011001000000100100" + 505 | "1001111111011010000111010001" + 506 | "1111111001111111010001011000" + 507 | "1000000011001011110000001001" + 508 | "1000100111001100000100111100" + 509 | "0111011110010000101110101011" + 510 | "1110101000000000110001000010" + 511 | "0010101011010001010101010100" + 512 | "0111011000110011011101110001" + 513 | "1000010010001011110111111001" + 514 | "1110010100100110101111100110" + 515 | "1100011000010110110110110101" + 516 | "0111111010010111000110011100" + 517 | "1101000100011111110110001100" + 518 | "1010010100010101101010001000" + 519 | "1001101010110110111010000110" + 520 | "0111111101001100110101010011" + 521 | "1011010001100111010010110010" + 522 | "1001000101010100100010100100" + 523 | "1000001100010001100110100110" + 524 | "1110111000101000010011000110" + 525 | "1100001101101101001100001001" + 526 | "1001110011101000101101010100" + 527 | "0001001101101001001010111011" + 528 | "0111001000000111010101000101" 529 | ), 530 | hash_x = "66a433542419f1a086ed0663b0e8df2ece9a04065f147896976baba1a916b6dc", 531 | hash_y = "203bd3672522e1d3c86fa6b9f3b58f20199a4216adfd40982add13a856f6f3de" 532 | ), 533 | TestVector( 534 | personalization = Personalization.MerkleTree_34, 535 | input_bits = BitArray.fromString( 536 | "0100010010011000100001010011" + 537 | "1010111000010011000010000111" + 538 | "1101000000001010100001110111" + 539 | "1110011111010110001111011110" + 540 | "1101000101011001000101000101" + 541 | "0000010001001111110101101111" + 542 | "0110011100100001011101011100" + 543 | "1100011011110100110111111011" + 544 | "1101001111001001001011000001" + 545 | "1100011110111001100000100011" + 546 | "0001101001000101110001110000" + 547 | "0010001100010101101011110100" + 548 | "0111100000101010000100010100" + 549 | "1011110101010001011001100011" + 550 | "1000010010001011110110001101" + 551 | "1011100000001011010100010011" + 552 | "0010111100101100110101001000" + 553 | "1010101000100100101111010001" + 554 | "0100101110010000111011110000" + 555 | "0000111110101011100001101001" + 556 | "0110101011100001011001100010" + 557 | "0110011000110111000011111001" + 558 | "1011110110110100101011101001" + 559 | "1111101110000011011101110010" + 560 | "1000100101101011100011111100" + 561 | "1001110001101100000011000000" + 562 | "1011000101110111011001110000" + 563 | "1" 564 | ), 565 | hash_x = "119db3b38086c1a3c6c6f53c529ee62d9311d69c2d8aeeafa6e172e650d3afda", 566 | hash_y = "72287540be7d2b0f58f5c73eaa53c55bea6b79dd79873b4e47cc11787bb9a15d" 567 | ), 568 | TestVector( 569 | personalization = Personalization.MerkleTree_34, 570 | input_bits = BitArray.fromString( 571 | "0100010011000011011010110111" + 572 | "1101101100100110110011000101" + 573 | "1111101111100100010100111110" + 574 | "0011010001001000001000110010" + 575 | "1101000000000010100001110000" + 576 | "0100101010100101100101101010" + 577 | "0111101010010110011101010101" + 578 | "1010000011010011100111010110" + 579 | "1101110100100010110111101010" + 580 | "1011001100000001110110011111" + 581 | "0000000011011011110101000111" + 582 | "0101010101000101010110010100" + 583 | "1011001111101010001110010010" + 584 | "1000110001101000111010111000" + 585 | "1100101011001000000111100111" + 586 | "1000010001010011011100000110" + 587 | "0111110110111110000010011101" + 588 | "0000100000111110000010101011" + 589 | "0010001111010011100011011110" + 590 | "1011110001000011010010011000" + 591 | "1000000011100100011101010100" + 592 | "1000000100000001010010111111" + 593 | "0101000001011110010000100111" + 594 | "1011001000100010010110001010" + 595 | "0011100001111101000001001110" + 596 | "1000010100001000011111001110" + 597 | "1001101000011100001110110110" + 598 | "0111101001001010010001100110" + 599 | "0011000110110110100001001111" + 600 | "1011110011001110101110111111" + 601 | "0100000000110110011100011110" + 602 | "1000000010001010000000001010" + 603 | "0011110011011111100101110111" + 604 | "100010101111011111100" 605 | ), 606 | hash_x = "446efdcf89b70ba2b03427a0893008181d0fc4e76b84b1a500d7ee523c8e3666", 607 | hash_y = "125ee0048efb0372b92c3c15d51a7c5c77a712054cc4fdd0774563da46ec7289" 608 | ), 609 | TestVector( 610 | personalization = Personalization.MerkleTree_34, 611 | input_bits = BitArray.fromString( 612 | "0100010011101110010101111111" + 613 | "1000101000110100010110010111" + 614 | "0000101101110100100101101110" + 615 | "1100010001100000111011110100" + 616 | "1111000110101011111101011010" + 617 | "0011100101111111001111010111" + 618 | "0011000010011001011000110011" + 619 | "1111111110110011101100010110" + 620 | "0001000100110100100111100110" + 621 | "0101110011111101111110101110" + 622 | "1110011100000011011100111010" + 623 | "0100010011111101000100101100" + 624 | "0001100100100111001010011101" + 625 | "1000111011111011111101101111" + 626 | "0111101100011001000100100110" + 627 | "0000111111101011110001001110" + 628 | "0010110111010100011001000101" + 629 | "1101010001111110110001010011" + 630 | "1100110111001101011111001101" + 631 | "1011110101000110000101011010" + 632 | "0011101001101000001111010010" + 633 | "1111001010000000000110000011" + 634 | "1110000000101111000110011011" + 635 | "1011101100010011100111010011" + 636 | "1001001000010011100100010000" + 637 | "0110101001110100110110001101" + 638 | "0011001000101010000000100101" + 639 | "0010000011101100110000001100" + 640 | "1110010011011110110111111010" + 641 | "0100110101100001100110001101" + 642 | "0011111100011000011000010100" + 643 | "0000010000010010100110011101" + 644 | "1110111011100001000011010110" + 645 | "1001001001001111101101" 646 | ), 647 | hash_x = "72723bf0573bcb4b72d4184cfeb707d9556b7f705f56a4652707a36f2edf10f7", 648 | hash_y = "3a7f0999a6a1393bd49fc82302e7352e01176fbebb0192bf5e6ef39eb8c585ad" 649 | ), 650 | TestVector( 651 | personalization = Personalization.MerkleTree_27, 652 | input_bits = BitArray.fromString( 653 | "1101101101101101101101101101" + 654 | "1011011011011011011011011011" + 655 | "0110110110110110110110110110" + 656 | "1101101101101101101101101101" + 657 | "1011011011011011011011011011" + 658 | "0110110110110110110110110110" + 659 | "110110110110110110110" 660 | ), 661 | hash_x = "414f6ba05f6b92da1f9051950769e1083d05615def32b016ae424309828a11f4", 662 | hash_y = "471d2109656afcb96d0609b371b132b97efcf72c6051064dd19fdc004799bfa9" 663 | ), 664 | TestVector( 665 | personalization = Personalization.MerkleTree_36, 666 | input_bits = BitArray.fromString( 667 | "0010010010010010010010010010" + 668 | "0100100100100100100100100100" + 669 | "1001001001001001001001001001" + 670 | "0010010010010010010010010010" + 671 | "0100100100100100100100100100" + 672 | "1001001001001001001001001001" + 673 | "001001001001001001001" 674 | ), 675 | hash_x = "62d6fe1e373225a5695f3115aed8265c59e2d6275ceef6bbc53fde3fc6594024", 676 | hash_y = "407275be7d5a4c48204c8d83f5b211d09a2f285d4f0f87a928d4de9a6338e1d1" 677 | ), 678 | TestVector( 679 | personalization = Personalization.MerkleTree_0, 680 | input_bits = BitArray.fromString( 681 | "0000000000000000000000000000" + 682 | "0000000000000000000000000000" + 683 | "0000000000000000000000000000" + 684 | "0000000000000000000000000000" + 685 | "0000000000000000000000000000" + 686 | "0000000000000000000000000000" + 687 | "000000000000000000000" 688 | ), 689 | hash_x = "1116a934f26b57a2c9daa6f25ac9b1a8f9dacddba30f65433ac021bf39a6bfdd", 690 | hash_y = "407275be7d5a4c48204c8d83f5b211d09a2f285d4f0f87a928d4de9a6338e1d1" 691 | ), 692 | TestVector( 693 | personalization = Personalization.NoteCommitment, 694 | input_bits = BitArray.fromString( 695 | "1111111111111111111111111111" + 696 | "1111111111111111111111111111" + 697 | "1111111111111111111111111111" + 698 | "1111111111111111111111111111" + 699 | "1111111111111111111111111111" + 700 | "1111111111111111111111111111" + 701 | "111111111111111111111" 702 | ), 703 | hash_x = "329e3bb2ca31ea6e13a986730237f6fd16b842a510cbabe851bdbcf57d75ee0d", 704 | hash_y = "471d2109656afcb96d0609b371b132b97efcf72c6051064dd19fdc004799bfa9" 705 | ) 706 | ) 707 | 708 | // Test from Zinc, input is 42 + NoteCommitment 709 | 710 | val altBabyJubjub = listOf( 711 | 712 | TestVector ( 713 | personalization = Personalization.NoteCommitment, 714 | input_bits = BitArray.fromString("11111100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000101010"), 715 | hash_x = "d799568a2faaebce79310bbb84e454bf934e61f1879c8095ac7c0a45905d2d3", 716 | hash_y = "40d2992106b2c6e8c2f0b38e5238fbd9b46ef042d91011a5566044f2943ac65" 717 | ) 718 | ) 719 | 720 | 721 | val altBabyJubjubBytes = listOf( 722 | 723 | 724 | TestVector ( 725 | personalization = Personalization.NoteCommitment, 726 | input_bits = BitArray(arrayOf(2).map { it.toByte() }.toByteArray()), 727 | hash_x = "16eaafa8bf93f1f27186cb8771b852a9a3570830eb263c0c39523ab90674e6", 728 | hash_y = "b235463d147fc1042a120bdff0a35668ad1d9b8c265c48976086d8807abdfb6" 729 | ), 730 | 731 | TestVector ( 732 | personalization = Personalization.NoteCommitment, 733 | input_bits = BitArray(arrayOf(2, 2).map { it.toByte() }.toByteArray()), 734 | hash_x = "6273578ac58d3c2f79f2e1c295a5ed3a74a16f1e35661c7bc6592813201835d", 735 | hash_y = "187681a9397880994ca3584285e4dc7e9d0aa6fa42e0ff08b1dcb17dc8f3900e" 736 | ), 737 | 738 | TestVector ( 739 | personalization = Personalization.NoteCommitment, 740 | input_bits = BitArray(arrayOf(0, 0, 0, 2).map { it.toByte() }.toByteArray()), 741 | hash_x = "1ceb95bf288ae7358b559348b56fd36abf9326af4ffe64e2d2b6210c445344b0", 742 | hash_y = "159c5863b7f2ad2e3df3c3798625bf2c4a6f7046ea6053a856774e0502de7b2" 743 | ), 744 | 745 | TestVector ( 746 | personalization = Personalization.NoteCommitment, 747 | input_bits = BitArray(arrayOf(2, 2, 2, 2, 2, 2, 2, 2).map { it.toByte() }.toByteArray()), 748 | hash_x = "12a71044d9154787840999c1654d30f1a19422c09897c1511c67068b4f1ec557", 749 | hash_y = "6f45fb86387cbf7342be80e0b924420fb42d44c73781d1d07075bb8d9d5fbf9" 750 | ), 751 | 752 | TestVector ( 753 | personalization = Personalization.NoteCommitment, 754 | input_bits = BitArray(arrayOf(2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2).map { it.toByte() }.toByteArray()), 755 | hash_x = "1651027d8491db883b96a377b0cc885673415f012c2a5b92d3b146e369843257", 756 | hash_y = "16b09c34ed5232f658e4c38400bd7b6d0cb9396e10488d4a219d96914e2b438a" 757 | ), 758 | 759 | TestVector ( 760 | personalization = Personalization.NoteCommitment, 761 | input_bits = BitArray(arrayOf(2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2).map { it.toByte() }.toByteArray()), 762 | hash_x = "104058a28c52d2db3ddb540f03d2c0c798244daee3df59067a101f7679a69d9a", 763 | hash_y = "2d6c50a6937223a1f3dd7f90394809356e574f5158f9f6044a5bb4ea3aec81a8" 764 | ), 765 | 766 | TestVector ( 767 | personalization = Personalization.NoteCommitment, 768 | input_bits = BitArray(arrayOf(2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2).map { it.toByte() }.toByteArray()), 769 | hash_x = "1b483fbf06bf1a7f139ebed40ede666708616fadad90ab99a1475ab4dea7227", 770 | hash_y = "27a8660e4da972407d3156e2fd06de6ae0226459de30da24473e72b079ec836e" 771 | ) 772 | ) 773 | 774 | data class TestVector( 775 | /** 776 | * we store personalization info just in case although it is already joined into 'input_bits' 777 | */ 778 | val personalization: String, 779 | val input_bits: BitArray, 780 | val hash_x: String, 781 | val hash_y: String 782 | ) 783 | 784 | object Personalization { 785 | const val NONE = "" 786 | const val NoteCommitment = "111111" 787 | const val MerkleTree_0 = "" 788 | const val MerkleTree_34 = "" 789 | const val MerkleTree_36 = "" 790 | const val MerkleTree_27 = "" 791 | } 792 | } --------------------------------------------------------------------------------