search

semaphore-protocol / semaphore

A zero-knowledge protocol for anonymous interactions.
https://semaphore.pse.dev
MIT License
879 stars 191 forks source link

Got unexpected results of blake2s #36

Closed KimiWu123 closed 4 years ago

KimiWu123 commented 4 years ago

Here is what I did, firstly, using the sample code in test/circuits/blake2s/blake2s.js. For the input 

1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
// value is 179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474110969959963482268385702277221395399966640087262359691628045276706960578432807926936308666529070259922820652728111753896392184596904358265409895975218053120

, got hash value, 0xc8a7a6e87d10557e3214979b2dda05b16a0e845a7367bcacb1890bfed50aaa97, as expected in the test case.

Secondly, using golang lib to generate blake2s hash and run the above example. The same input and got the same output.

Thirdly, change the input to 

1011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

// value is 134826985114673693079697889309176855021348273420672992955072560868299506854125722349531357991805652015840085409903545018244092326610812466869635572979605579875517990126052014383201666495088443110223991621670376603067169289992817087558458031031322260969085192981581537193909580699976975282056570813569162018816

the result hash of blake2s in my golang tool is 

0xe1988bb5bd57b4f5515a1d86b2dcc17fc48b7d481f9c1e688afac3b804f4abd8
or
102039915927513906082938535389439440797562814612940794478682210575787626900440

but the output of circom blake2s is 

0xc66d1d8b506ca588c04faa351282612f6776801b0ff8670782ac21d05aee2816
or
89750734256093910409842373137218358381311776910904108967787906358041386035222

I don't understand what's wrong. I run many cases, 256/512/1024 bits length input, just not matching the output of circom blake2s. I also used nodejs(lib blakejs) to calculate the hashes of blake2s and got the same result as golang version. Could you help check what happened? Stuck here for many days. Thanks.

kobigurk commented 4 years ago

Hi, sorry for the late response!

The inputs are bit representation of each byte, in a "little-endian" fashion - least significant bit first, most significant bit last.

There is currently a bug that makes the circuit work only for multiples of 512. It's fixed in a Semaphore version that we'll release soon.

To give an example of a hex to bits conversion, where we look at "little endian" bit decompositions of numbers: A = 0101 B = 1101 C = 0011 D = 1011

0xABCD -> 11010101 10110011

This will not work due to the bug, so you can test this input in Python 3:

import hashlib
hashlib.blake2s(b'\xFF'*64 + b'\x00'*64).digest().hex()

corresponds to 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

KimiWu123 commented 4 years ago

Great! looking forward to your fix. Many thanks!

kobigurk commented 4 years ago

@KimiWu123 Just to be clear, you can already use it if you want :) Just make sure your inputs are padded to be multiples of 512 bits.