Barretenberg
The ZK-SNARK library at the core of Aztec
bb::crypto Namespace Reference

Namespaces

namespace  merkle_tree
 

Classes

struct  blake2s_state__
 
struct  Blake2sHasher
 
struct  ecdsa_key_pair
 
struct  ecdsa_signature
 
class  FieldSponge
 Implements a cryptographic sponge over prime fields. Sponge construction follows the Duplex Sponge model (https://keccak.team/files/SpongeDuplex.pdf). Domain separation uses IV = (input_length << 64) per Section 4.2 of the Poseidon paper (https://eprint.iacr.org/2019/458.pdf). Permutation is Poseidon2 (https://eprint.iacr.org/2023/323.pdf). More...
 
class  generator_data
 class that stores precomputed generators used for Pedersen commitments and Pedersen hashes More...
 
struct  GeneratorContext
 
class  Keccak
 A wrapper class used to construct KeccakTranscript. More...
 
struct  KeccakHasher
 
class  pedersen_commitment_base
 Performs pedersen commitments! More...
 
class  pedersen_hash_base
 Performs pedersen hashes! More...
 
class  Poseidon2
 Native Poseidon2 hash function implementation. More...
 
struct  Poseidon2Bn254ScalarFieldParams
 
class  Poseidon2Permutation
 Applies the Poseidon2 permutation function from https://eprint.iacr.org/2023/323. More...
 
struct  Poseidon2QuadBn254Params
 
struct  schnorr_key_pair
 
struct  schnorr_signature
 
struct  Sha256Hasher
 
struct  WycherproofTest
 

Typedefs

typedef struct bb::crypto::blake2s_state__ blake2s_state
 
typedef struct blake2s_param__ blake2s_param
 
using WycherproofSecp256k1 = WycherproofTest< bb::curve::SECP256K1 >
 
using WycherproofSecp256r1 = WycherproofTest< bb::curve::SECP256R1 >
 
using pedersen_commitment = pedersen_commitment_base< curve::Grumpkin >
 
using pedersen_hash = pedersen_hash_base< curve::Grumpkin >
 
using Sha256Hash = std::array< uint8_t, 32 >
 

Enumerations

enum  blake2s_constant {
  BLAKE2S_BLOCKBYTES = 64 , BLAKE2S_OUTBYTES = 32 , BLAKE2S_KEYBYTES = 32 , BLAKE2S_SALTBYTES = 8 ,
  BLAKE2S_PERSONALBYTES = 8
}
 
enum  { BLAKE2_DUMMY_1 = 1 / (sizeof(blake2s_param) == BLAKE2S_OUTBYTES) }
 

Functions

void aes128_expand_key (const uint8_t *key, uint8_t *round_key)
 
void aes128_inverse_cipher (uint8_t *input, const uint8_t *round_key)
 
void aes128_cipher (uint8_t *state, const uint8_t *round_key)
 
void aes128_encrypt_buffer_cbc (uint8_t *buffer, uint8_t *iv, const uint8_t *key, const size_t length)
 
void aes128_decrypt_buffer_cbc (uint8_t *buffer, uint8_t *iv, const uint8_t *key, const size_t length)
 
int blake2s_init_param (blake2s_state *S, const blake2s_param *P)
 
int blake2s_init (blake2s_state *S, size_t outlen)
 
int blake2s_update (blake2s_state *S, const void *pin, size_t inlen)
 
int blake2s_final (blake2s_state *S, void *out, size_t outlen)
 
std::array< uint8_t, BLAKE2S_OUTBYTES > blake2s (std::vector< uint8_t > const &input)
 
 BLAKE2_PACKED (struct blake2s_param__ { uint8_t digest_length;uint8_t key_length;uint8_t fanout;uint8_t depth;uint32_t leaf_length;uint32_t node_offset;uint16_t xof_length;uint8_t node_depth;uint8_t inner_length;uint8_t salt[BLAKE2S_SALTBYTES];uint8_t personal[BLAKE2S_PERSONALBYTES];})
 
template<typename Hash , typename Fq , typename Fr , typename G1 >
ecdsa_signature ecdsa_construct_signature (const std::string &message, const ecdsa_key_pair< Fr, G1 > &account)
 Generate the ECDSA signature for the message using the provided account key pair and hash function.
 
template<typename Hash , typename Fq , typename Fr , typename G1 >
G1::affine_element ecdsa_recover_public_key (const std::string &message, const ecdsa_signature &sig)
 
template<typename Hash , typename Fq , typename Fr , typename G1 >
bool ecdsa_verify_signature (const std::string &message, const typename G1::affine_element &public_key, const ecdsa_signature &sig)
 
template<typename Hash , typename Fr >
Fr ecdsa_hash_message (const std::string &message)
 
 TEST (GeneratorContext, DeriveDefaultGenerators)
 
 TEST (GeneratorContext, GeneratorDataGetVariousCases)
 
void secure_erase_bytes (void *ptr, size_t size)
 
template<typename T , size_t N>
void secure_erase (std::array< T, N > &buffer)
 
template<typename T >
void secure_erase (std::vector< T > &buffer)
 
template<typename Hash , typename MessageContainer , typename KeyContainer >
std::array< uint8_t, Hash::OUTPUT_SIZE > hmac (const MessageContainer &message, const KeyContainer &key)
 Compute an HMAC given a secret key and a message, see https://datatracker.ietf.org/doc/html/rfc2104.
 
template<typename Hash , typename Fr , typename MessageContainer , typename KeyContainer >
requires (Hash::OUTPUT_SIZE == 32)
Fr deterministic_nonce_rfc6979 (const MessageContainer &message, const KeyContainer &key)
 Deterministic nonce derivation according to RFC 6979 (as referenced in FIPS 186-5, https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf, Section A.3.3)
 
 TEST (Pedersen, Commitment)
 
 TEST (Pedersen, CommitmentWithZero)
 
 TEST (Pedersen, CommitmentProf)
 
 TEST (Pedersen, GeneratorPrinter)
 
 TEST (Pedersen, DeriveLengthGenerator)
 
 TEST (Pedersen, Hash)
 
 TEST (Pedersen, HashWithIndex)
 
 TEST (Pedersen, Hash32Bytes)
 
 TEST (Pedersen, HashRejectsEmptyInput)
 
 TEST (Pedersen, HashBufferRejectsEmptyInput)
 
template<typename Fr , typename G1 >
bool schnorr_verify_signature (const typename G1::Fq &message_field, const typename G1::affine_element &public_key, const schnorr_signature &sig)
 
template<typename Fr , typename G1 >
schnorr_signature schnorr_construct_signature (const typename G1::Fq &message_field, const schnorr_key_pair< Fr, G1 > &account)
 
bool operator== (schnorr_signature const &lhs, schnorr_signature const &rhs)
 
std::ostream & operator<< (std::ostream &os, schnorr_signature const &sig)
 
template<typename B >
void read (B &it, schnorr_key_pair< grumpkin::fr, grumpkin::g1 > &keypair)
 
template<typename B >
void write (B &buf, schnorr_key_pair< grumpkin::fr, grumpkin::g1 > const &keypair)
 
void prepare_constants (std::array< uint32_t, 8 > &input)
 
std::array< uint32_t, 8 > sha256_block (const std::array< uint32_t, 8 > &h_init, const std::array< uint32_t, 16 > &input)
 SHA-256 compression function (FIPS 180-4 Section 6.2.2)
 
template<typename ByteContainer >
Sha256Hash sha256 (const ByteContainer &input)
 SHA-256 hash function (FIPS 180-4)
 
template Sha256Hash sha256< std::vector< uint8_t > > (const std::vector< uint8_t > &input)
 
template Sha256Hash sha256< std::array< uint8_t, 32 > > (const std::array< uint8_t, 32 > &input)
 
template Sha256Hash sha256< std::string > (const std::string &input)
 
template Sha256Hash sha256< std::span< uint8_t > > (const std::span< uint8_t > &input)
 
template Sha256Hash sha256< std::span< const uint8_t > > (const std::span< const uint8_t > &input)
 
template<typename T >
Sha256Hash sha256 (const T &input)
 
bool operator== (Sha256Hash const &lhs, std::vector< uint8_t > const &rhs)
 

Variables

constexpr uint64_t aes128_sparse_base = 9
 
const std::vector< WycherproofSecp256k1 > secp256k1_tests
 Test for Secp256k1 ECDSA signatures taken from the Wycherproof project.
 
const std::vector< WycherproofSecp256r1 > secp256r1_tests
 Test for Secp256r1 ECDSA signatures taken from the Wycherproof project.
 

Detailed Description

AES-128 Cipher

Implements the AES-128 block cipher, and buffer encryption using CBC (cipher-block chaining) mode

Based off of tiny-AES by @kokke : https://github.com/kokke/tiny-AES-c

Typedef Documentation

◆ blake2s_param

typedef struct blake2s_param__ bb::crypto::blake2s_param

Definition at line 69 of file blake2s.hpp.

◆ blake2s_state

◆ pedersen_commitment

◆ pedersen_hash

Definition at line 47 of file pedersen.hpp.

◆ Sha256Hash

using bb::crypto::Sha256Hash = std::array<uint8_t, 32>

Definition at line 17 of file sha256.hpp.

◆ WycherproofSecp256k1

◆ WycherproofSecp256r1

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
BLAKE2_DUMMY_1 

Definition at line 72 of file blake2s.hpp.

◆ blake2s_constant

Enumerator
BLAKE2S_BLOCKBYTES 
BLAKE2S_OUTBYTES 
BLAKE2S_KEYBYTES 
BLAKE2S_SALTBYTES 
BLAKE2S_PERSONALBYTES 

Definition at line 36 of file blake2s.hpp.

Function Documentation

◆ aes128_cipher()

void bb::crypto::aes128_cipher ( uint8_t *  state,
const uint8_t *  round_key 
)

Definition at line 218 of file aes128.cpp.

◆ aes128_decrypt_buffer_cbc()

void bb::crypto::aes128_decrypt_buffer_cbc ( uint8_t *  buffer,
uint8_t *  iv,
const uint8_t *  key,
const size_t  length 
)

Definition at line 257 of file aes128.cpp.

◆ aes128_encrypt_buffer_cbc()

void bb::crypto::aes128_encrypt_buffer_cbc ( uint8_t *  buffer,
uint8_t *  iv,
const uint8_t *  key,
const size_t  length 
)

Definition at line 234 of file aes128.cpp.

◆ aes128_expand_key()

void bb::crypto::aes128_expand_key ( const uint8_t *  key,
uint8_t *  round_key 
)

Definition at line 160 of file aes128.cpp.

◆ aes128_inverse_cipher()

void bb::crypto::aes128_inverse_cipher ( uint8_t *  input,
const uint8_t *  round_key 
)

Definition at line 202 of file aes128.cpp.

◆ BLAKE2_PACKED()

bb::crypto::BLAKE2_PACKED ( struct blake2s_param__ { uint8_t digest_length;uint8_t key_length;uint8_t fanout;uint8_t depth;uint32_t leaf_length;uint32_t node_offset;uint16_t xof_length;uint8_t node_depth;uint8_t inner_length;uint8_t salt[BLAKE2S_SALTBYTES];uint8_t personal[BLAKE2S_PERSONALBYTES];}  )

◆ blake2s()

std::array< uint8_t, BLAKE2S_OUTBYTES > bb::crypto::blake2s ( std::vector< uint8_t > const &  input)

Definition at line 232 of file blake2s.cpp.

◆ blake2s_final()

int bb::crypto::blake2s_final ( blake2s_state *  S,
void *  out,
size_t  outlen 
)

Definition at line 208 of file blake2s.cpp.

◆ blake2s_init()

int bb::crypto::blake2s_init ( blake2s_state *  S,
size_t  outlen 
)

Definition at line 93 of file blake2s.cpp.

◆ blake2s_init_param()

int bb::crypto::blake2s_init_param ( blake2s_state *  S,
const blake2s_param *  P 
)

Definition at line 77 of file blake2s.cpp.

◆ blake2s_update()

int bb::crypto::blake2s_update ( blake2s_state *  S,
const void *  pin,
size_t  inlen 
)

Definition at line 182 of file blake2s.cpp.

◆ deterministic_nonce_rfc6979()

template<typename Hash , typename Fr , typename MessageContainer , typename KeyContainer >
requires (Hash::OUTPUT_SIZE == 32)
Fr bb::crypto::deterministic_nonce_rfc6979 ( const MessageContainer &  message,
const KeyContainer &  key 
)

Deterministic nonce derivation according to RFC 6979 (as referenced in FIPS 186-5, https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf, Section A.3.3)

Template Parameters
Hash — the hash function being used
Fr — the field type
MessageContainer — a byte container (std::vector<uint8_t>, std::array<uint8_t, ...>, std::string)
KeyContainer — a byte container
Parameters
message — the input buffer used to derive the nonce
key — the key used to derive the nonce

Definition at line 122 of file hmac.hpp.

◆ ecdsa_construct_signature()

template<typename Hash , typename Fq , typename Fr , typename G1 >
ecdsa_signature bb::crypto::ecdsa_construct_signature ( const std::string &  message,
const ecdsa_key_pair< Fr, G1 > &  account 
)

Generate the ECDSA signature for the message using the provided account key pair and hash function.

Definition at line 19 of file ecdsa_impl.hpp.

◆ ecdsa_hash_message()

template<typename Hash , typename Fr >
Fr bb::crypto::ecdsa_hash_message ( const std::string &  message)

Definition at line 194 of file ecdsa_impl.hpp.

◆ ecdsa_recover_public_key()

template<typename Hash , typename Fq , typename Fr , typename G1 >
G1::affine_element bb::crypto::ecdsa_recover_public_key ( const std::string &  message,
const ecdsa_signature &  sig 
)

Definition at line 69 of file ecdsa_impl.hpp.

◆ ecdsa_verify_signature()

template<typename Hash , typename Fq , typename Fr , typename G1 >
bool bb::crypto::ecdsa_verify_signature ( const std::string &  message,
const typename G1::affine_element &  public_key,
const ecdsa_signature &  sig 
)

Definition at line 130 of file ecdsa_impl.hpp.

◆ hmac()

template<typename Hash , typename MessageContainer , typename KeyContainer >
std::array< uint8_t, Hash::OUTPUT_SIZE > bb::crypto::hmac ( const MessageContainer &  message,
const KeyContainer &  key 
)

Compute an HMAC given a secret key and a message, see https://datatracker.ietf.org/doc/html/rfc2104.

Template Parameters
Hash — the hasher being used
MessageContainer — a byte container (std::vector<uint8_t>, std::array<uint8_t, ...>, std::string)
KeyContainer — a byte container
Parameters
message — the message
key — the key
Returns
std::array<uint8_t, Hash::OUTPUT_SIZE> the HMAC output

Definition at line 49 of file hmac.hpp.

◆ operator<<()

std::ostream & bb::crypto::operator<< ( std::ostream &  os,
schnorr_signature const &  sig 
)
inline

Definition at line 43 of file schnorr.hpp.

◆ operator==() [1/2]

bool bb::crypto::operator== ( schnorr_signature const &  lhs,
schnorr_signature const &  rhs 
)
inline

Definition at line 38 of file schnorr.hpp.

◆ operator==() [2/2]

bool bb::crypto::operator== ( Sha256Hash const &  lhs,
std::vector< uint8_t > const &  rhs 
)
inline

Definition at line 24 of file sha256.hpp.

◆ prepare_constants()

void bb::crypto::prepare_constants ( std::array< uint32_t, 8 > &  input)

Definition at line 51 of file sha256.cpp.

◆ read()

template<typename B >
void bb::crypto::read ( B &  it,
schnorr_key_pair< grumpkin::fr, grumpkin::g1 > &  keypair 
)
inline

Definition at line 49 of file schnorr.hpp.

◆ schnorr_construct_signature()

template<typename Fr , typename G1 >
schnorr_signature bb::crypto::schnorr_construct_signature ( const typename G1::Fq &  message_field,
const schnorr_key_pair< Fr, G1 > &  account 
)

◆ schnorr_verify_signature()

template<typename Fr , typename G1 >
bool bb::crypto::schnorr_verify_signature ( const typename G1::Fq &  message_field,
const typename G1::affine_element &  public_key,
const schnorr_signature &  sig 
)

◆ secure_erase() [1/2]

template<typename T , size_t N>
void bb::crypto::secure_erase ( std::array< T, N > &  buffer)
inline

Definition at line 26 of file hmac.hpp.

◆ secure_erase() [2/2]

template<typename T >
void bb::crypto::secure_erase ( std::vector< T > &  buffer)
inline

Definition at line 31 of file hmac.hpp.

◆ secure_erase_bytes()

void bb::crypto::secure_erase_bytes ( void *  ptr,
size_t  size 
)
inline

Definition at line 18 of file hmac.hpp.

◆ sha256() [1/2]

template<typename ByteContainer >
Sha256Hash bb::crypto::sha256 ( const ByteContainer &  input)

SHA-256 hash function (FIPS 180-4)

Computes the SHA-256 hash of an arbitrary-length message. Handles padding (Section 5.1.1) and iterates the compression function.

Parameters
input — Message bytes to hash
Returns
256-bit hash as 32 bytes

Definition at line 150 of file sha256.cpp.

◆ sha256() [2/2]

template<typename T >
Sha256Hash bb::crypto::sha256 ( const T &  input)

◆ sha256< std::array< uint8_t, 32 > >()

template Sha256Hash bb::crypto::sha256< std::array< uint8_t, 32 > > ( const std::array< uint8_t, 32 > &  input)

◆ sha256< std::span< const uint8_t > >()

template Sha256Hash bb::crypto::sha256< std::span< const uint8_t > > ( const std::span< const uint8_t > &  input)

◆ sha256< std::span< uint8_t > >()

template Sha256Hash bb::crypto::sha256< std::span< uint8_t > > ( const std::span< uint8_t > &  input)

◆ sha256< std::string >()

template Sha256Hash bb::crypto::sha256< std::string > ( const std::string &  input)

◆ sha256< std::vector< uint8_t > >()

template Sha256Hash bb::crypto::sha256< std::vector< uint8_t > > ( const std::vector< uint8_t > &  input)

◆ sha256_block()

std::array< uint32_t, 8 > bb::crypto::sha256_block ( const std::array< uint32_t, 8 > &  h_init,
const std::array< uint32_t, 16 > &  input 
)

SHA-256 compression function (FIPS 180-4 Section 6.2.2)

Processes a single 512-bit (16-word) message block, updating the hash state. This is the core primitive exposed to ACIR via the Sha256Compression opcode.

Parameters
h_init — Previous hash state (or the initial constants for the first block)
input — 512-bit message block as 16 x 32-bit words (big-endian)
Returns
Updated 256-bit hash state as 8 x 32-bit words

Fill first 16 words with the message schedule

Extend the input data into the remaining 48 words

Initialize round variables with previous block output

Apply SHA-256 compression function to the message schedule

Add into previous block output and return

Definition at line 73 of file sha256.cpp.

◆ TEST() [1/12]

bb::crypto::TEST ( GeneratorContext  ,
DeriveDefaultGenerators   
)

Definition at line 8 of file generator_data.test.cpp.

◆ TEST() [2/12]

bb::crypto::TEST ( GeneratorContext  ,
GeneratorDataGetVariousCases   
)

Definition at line 50 of file generator_data.test.cpp.

◆ TEST() [3/12]

bb::crypto::TEST ( Pedersen  ,
Commitment   
)

Definition at line 10 of file pedersen.test.cpp.

◆ TEST() [4/12]

bb::crypto::TEST ( Pedersen  ,
CommitmentProf   
)

Definition at line 31 of file pedersen.test.cpp.

◆ TEST() [5/12]

bb::crypto::TEST ( Pedersen  ,
CommitmentWithZero   
)

Definition at line 20 of file pedersen.test.cpp.

◆ TEST() [6/12]

bb::crypto::TEST ( Pedersen  ,
DeriveLengthGenerator   
)

Definition at line 11 of file pedersen.test.cpp.

◆ TEST() [7/12]

bb::crypto::TEST ( Pedersen  ,
GeneratorPrinter   
)

Definition at line 44 of file pedersen.test.cpp.

◆ TEST() [8/12]

bb::crypto::TEST ( Pedersen  ,
Hash   
)

Definition at line 22 of file pedersen.test.cpp.

◆ TEST() [9/12]

bb::crypto::TEST ( Pedersen  ,
Hash32Bytes   
)

Definition at line 38 of file pedersen.test.cpp.

◆ TEST() [10/12]

bb::crypto::TEST ( Pedersen  ,
HashBufferRejectsEmptyInput   
)

Definition at line 79 of file pedersen.test.cpp.

◆ TEST() [11/12]

bb::crypto::TEST ( Pedersen  ,
HashRejectsEmptyInput   
)

Definition at line 68 of file pedersen.test.cpp.

◆ TEST() [12/12]

bb::crypto::TEST ( Pedersen  ,
HashWithIndex   
)

Definition at line 30 of file pedersen.test.cpp.

◆ write()

template<typename B >
void bb::crypto::write ( B &  buf,
schnorr_key_pair< grumpkin::fr, grumpkin::g1 > const &  keypair 
)
inline

Definition at line 55 of file schnorr.hpp.

Variable Documentation

◆ aes128_sparse_base

constexpr uint64_t bb::crypto::aes128_sparse_base = 9
constexpr

Definition at line 33 of file aes128.hpp.

◆ secp256k1_tests

const std::vector<WycherproofSecp256k1> bb::crypto::secp256k1_tests

Test for Secp256k1 ECDSA signatures taken from the Wycherproof project.

Definition at line 38 of file ecdsa_tests_data.hpp.

◆ secp256r1_tests

const std::vector<WycherproofSecp256r1> bb::crypto::secp256r1_tests

Test for Secp256r1 ECDSA signatures taken from the Wycherproof project.

Definition at line 94 of file ecdsa_tests_data.hpp.