dusk-safe 0.3.0

Sponge API for Field Elements
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//
// Copyright (c) DUSK NETWORK. All rights reserved.

use dusk_bls12_381::BlsScalar;
use dusk_safe::{Call, Error, Safe, Sponge};

const W: usize = 7;

#[derive(Default, Debug, Clone, Copy, PartialEq)]
struct Rotate();

impl Safe<BlsScalar, W> for Rotate {
    // rotate every item one item to the left, first item becomes last
    fn permute(&mut self, state: &mut [BlsScalar; W]) {
        let tmp = state[0];
        for i in 1..W {
            state[i - 1] = state[i];
        }
        state[W - 1] = tmp;
    }

    // Setting the tag to a constant zero here so that the sponge output
    // is predictable, this should *not* be done in production as it makes the
    // resulting hash vulnerable to collisions attacks.
    fn tag(&mut self, _input: &[u8]) -> BlsScalar {
        BlsScalar::zero()
    }

    fn add(&mut self, right: &BlsScalar, left: &BlsScalar) -> BlsScalar {
        right + left
    }
}

impl Rotate {
    pub fn new() -> Self {
        Self()
    }
}

#[test]
fn sponge() -> Result<(), Error> {
    // pick a domain-separator
    let domain_sep = 0;

    // build the io-pattern
    let iopattern = vec![
        Call::Absorb(6),
        Call::Squeeze(1),
        Call::Absorb(4),
        Call::Absorb(4),
        Call::Squeeze(3),
        Call::Squeeze(4),
    ];

    // start the sponge
    let mut sponge = Sponge::start(Rotate::new(), iopattern, domain_sep)?;

    // absorb the first 6 elements of [1, 2, 3, 8, 5, 6, 7]
    sponge.absorb(
        6,
        &[
            BlsScalar::from(1),
            BlsScalar::from(2),
            BlsScalar::from(3),
            BlsScalar::from(8),
            BlsScalar::from(5),
            BlsScalar::from(6),
            BlsScalar::from(7),
        ],
    )?;
    // memory after call to absorb:
    // state: [0, 1, 2, 3, 8, 5, 6]
    // output: []

    // call to squeeze triggers one permutation:
    sponge.squeeze(1)?;
    // memory after call to squeeze:
    // state: [1, 2, 3, 8, 5, 6, 0]
    // output: [2]

    // now we twice absorb 4 times the element `6`
    let input = [BlsScalar::from(6); 4];
    sponge.absorb(4, &input)?;
    sponge.absorb(4, &input)?;
    // state during these calls to absorb:
    // absorbing the first 6 elements: [1, 8. 9, 14, 11, 12, 6]
    // calling permutation:            [8. 9, 14, 11, 12, 6, 1]
    // absorbing the last 2 elements:  [8. 15, 20, 11, 12, 6, 1]
    // output: [2]

    // call to squeeze 3 elements triggers another permutation and adds 3
    // more elements to the output:
    sponge.squeeze(3)?;
    // memory after call to squeeze:
    // state: [15, 20, 11, 12, 6, 1, 8]
    // output: [2, 20, 11, 12]

    // call to squeeze 4 elements first squeezes 3 more elements from the state,
    // triggers a permutation and squeezes the last element:
    sponge.squeeze(4)?;
    // memory after squeezing 3 elements:
    // state: [15, 20, 11, 12, 6, 1, 8]
    // output: [2, 20, 11, 12, 6, 1, 8]
    // memory after permuting the state and squeezing one more element:
    // state: [20, 11, 12, 6, 1, 8, 15]
    // output: [2, 20, 11, 12, 6, 1, 8, 11]

    let output = sponge.finish()?;
    assert_eq!(
        output,
        vec![
            BlsScalar::from(2),
            BlsScalar::from(20),
            BlsScalar::from(11),
            BlsScalar::from(12),
            BlsScalar::from(6),
            BlsScalar::from(1),
            BlsScalar::from(8),
            BlsScalar::from(11),
        ]
    );

    Ok(())
}

#[test]
fn absorb_fails() -> Result<(), Error> {
    // pick a domain-separator
    let domain_sep = 0;

    // build the io-pattern
    let iopattern = vec![Call::Absorb(6), Call::Squeeze(1)];

    // start the sponge
    let input = [BlsScalar::one(); 10];
    let mut sponge = Sponge::start(Rotate::new(), iopattern, domain_sep)?;

    // input-slice smaller than len
    let error = sponge.clone().absorb(6, &input[..4]).unwrap_err();
    assert_eq!(error, Error::TooFewInputElements);

    // absorb len is not as io-pattern specifies
    let error = sponge.clone().absorb(4, &input[..4]).unwrap_err();
    assert_eq!(error, Error::IOPatternViolation);

    // unexpected call to squeeze
    let error = sponge.squeeze(1).unwrap_err();
    assert_eq!(error, Error::IOPatternViolation);

    Ok(())
}

#[test]
fn squeeze_fails() -> Result<(), Error> {
    // pick a domain-separator
    let domain_sep = 0;

    // build the io-pattern
    let iopattern = vec![Call::Absorb(6), Call::Squeeze(1)];

    // start the sponge
    let input = [BlsScalar::one(); 10];
    let mut sponge = Sponge::start(Rotate::new(), iopattern, domain_sep)?;

    // absorb 6 elements as specified by the io-pattern
    sponge.absorb(6, &input[..6])?;

    // squeeze 4 elements when io-pattern expects 1
    let error = sponge.clone().squeeze(4).unwrap_err();
    assert_eq!(error, Error::IOPatternViolation);

    // unexpected call to absorb when io-pattern expects squeeze
    let error = sponge.absorb(1, &input).unwrap_err();
    assert_eq!(error, Error::IOPatternViolation);

    Ok(())
}

#[test]
fn finish_fails() -> Result<(), Error> {
    // pick a domain-separator
    let domain_sep = 0;

    // build the io-pattern
    let iopattern = vec![
        Call::Absorb(6),
        Call::Squeeze(1),
        Call::Absorb(1),
        Call::Squeeze(1),
    ];
    // start the sponge
    let input = [BlsScalar::one(); 10];
    let mut sponge = Sponge::start(Rotate::new(), iopattern, domain_sep)?;

    // absorb 6 elements as specified by the io-pattern
    sponge.absorb(6, &input[..6])?;
    // squeeze 1 element as specified by the io-pattern
    sponge.squeeze(1)?;

    // try to finalize before the io-pattern is exhausted
    let error = sponge.clone().finish().unwrap_err();
    assert_eq!(error, Error::IOPatternViolation);

    // absorb 1 element as specified by the io-pattern
    sponge.absorb(1, &input)?;
    // squeeze 1 element as specified by the io-pattern
    sponge.squeeze(1)?;

    // absorption after io-pattern is exhausted should fail
    let error = sponge.absorb(1, &input).unwrap_err();
    assert_eq!(error, Error::IOPatternViolation);

    Ok(())
}