search

iden3 / circomlib

Library of basic circuits for circom
623 stars 213 forks source link

Pedersen tool in `circomlibjs` doesn't match the pedersen in `circom` #77

Closed ZionDoki closed 2 years ago

ZionDoki commented 2 years ago

This is the version of the environment I am using:

Maybe I'm using the wrong method, the hash I generate with the pedersen tool in circomlibjs doesn't match the hash generated by pedersen in circom, so generating witness keeps failing.

This has been bothering me for a long time, I would like to ask for help, thank you very much!

circomlib: ^2.0.5
circomlibjs: ^0.1.7

I had some problems reproducing the Tornado Cash MerkleTree circom, So I first tested the pedersen hash circom and then ran into problems, here is the circom used for testing:

pragma circom 2.0.0;

include "../node_modules/circomlib/circuits/pedersen.circom";
include "../node_modules/circomlib/circuits/bitify.circom";

template CommitmentHasher() {
    signal input secret;
    signal input commitment;      // I change here `outpu => input` for test

    component hasher = Pedersen(248);
    component secretBits = Num2Bits(248);
    secretBits.in <== secret;

    for (var i = 0; i < 248; i++) {
        hasher.in[i] <== secretBits.out[i];
    }

    commitment === hasher.out[0];  // I change here `<== =>  ===` for test
}

This is the code I used to generate the test input.json file:


const crypto = require("crypto");
const { groth16 } = require("snarkjs");
const circomlibjs = require("circomlibjs");

/** Generate random buffer of specified byte length */
const rbuffer = (nbytes) => crypto.randomBytes(nbytes);

/** Compute pedersen hash */
async function pedersenHash(data) {
  let babyJub = await circomlibjs.buildBabyjub()
  let ph = await circomlibjs.buildPedersenHash()

  return babyJub.unpackPoint(ph.hash(data))[0];
}

function toBigIntLE(buf) {
  const reversed = Buffer.from(buf);
  reversed.reverse();
  const hex = reversed.toString("hex");
  if (hex.length === 0) {
    return BigInt(0);
  }
  return BigInt(`0x${hex}`);
}

const rbuf = utils.rbuffer(31);

// generate circom input as follow
const secret = utils.toBigIntLE(rbuf).toString();  
const commitment = await utils.pedersenHash(rbuf);
StrawberryChocolateFudge commented 2 years ago

I'm having similar problems!

crashpilot commented 2 years ago

Hey, I ran into similar issues.

After quite some debugging I found that the circomlibjs expects an uint8array as input and the circom circuit expects the bit format.

I use this function to format for instance an uint8 buffer to a bit representation:

function buffer2bits(buff) {
    const res = [];
    for (let i = 0; i < buff.length; i++) {
        for (let j = 0; j < 8; j++) {
            if ((buff[i] >> j) & 1) {
                res.push('1');
            } else {
                res.push('0');
            }
        }
    }
    return res;
}

Adapting accordingly fixed it for me.

ZionDoki commented 2 years ago

The problem occurs because there is a problem between the Buffer BigInt and the string format conversion required by the commitment.

In case someone encounters the same problem later, my previous solution is:

const ffjavascript = require("ffjavascript");
const stringifyBigInts = ffjavascript.utils.stringifyBigInts;
const F = new ffjavascript.ZqField(
  ffjavascript.Scalar.fromString(
    "21888242871839275222246405745257275088548364400416034343698204186575808495617"
  )
);

function createCommitment(secret) {
  return pedersenHash(secret)
}

let secret = crypto.randomBytes(31);                                         // generate random secret
const createdcommitment = createCommitment(secret);  
cm = stringifyBigInts(F.fromRprLEM(createdcommitment));      // commitment

with good regards, guys :>

TheBojda commented 1 year ago

@ZionDoki Is the complete code available anywhere?

I tried it with a super simple circuit:

pragma circom 2.0.0;

include "../node_modules/circomlib/circuits/pedersen.circom";

component main = Pedersen(248);

and a simple js code, but the result is always wrong:

pedersen = await buildPedersenHash();
const b = Buffer.alloc(31);
for (let i = 0; i < 31; i++) {
   b[i] = i + 1;
}
const pedersenHash = pedersen.hash(b)
const points = pedersen.babyJub.unpackPoint(pedersenHash)
console.log(points);

function buffer2bitArray(b) {
    const res = [];
    for (let i = 0; i < b.length; i++) {
        for (let j = 0; j < 8; j++) {
            res.push((b[i] >> (7 - j) & 1));
        }
    }
    return res;
}

const { proof, publicSignals } = await groth16.fullProve({ in: arrIn }, "./build/pedersen_test_js/pedersen_test.wasm", "./build/pedersen_test.zkey")
console.log(publicSignals)

The publicSignals[0] should be equal to points[0], but it is always different.

(btw, sha256 works lika a charm, but it's slow)