removed unused code (#97)

* removed dated comments and unused code

* opt notes

Author: 0xJepsen

circuits/aes-gcm/aes-gcm-fold.circom

@@ -34,7 +34,7 @@ template AESGCMFOLD(bytesPerFold, totalBytes) {
     for(var i = 0; i < 16; i++) {
         aes.lastTag[i] <== step_in[4 + i];
     }
-    // TODO: range check, assertions, stuff.
+    // TODO:tracy range check, assertions, stuff.
     aes.foldedBlocks <== step_in[20];
 
     // Fold Outputs

circuits/aes-gcm/aes-gcm.circom

@@ -38,13 +38,12 @@ template AESGCM(l) {
         zeroBlock.stream[i] <== 0;
     }
 
-    // Step 1: Let H = CIPHK(0128)
-    component cipherH = Cipher(); // 128-bit key -> 4 32-bit words -> 10 rounds
+    // Step 1: Let H = aes(key, zeroBlock)
+    component cipherH = Cipher();
     cipherH.key <== key;
     cipherH.block <== zeroBlock.blocks[0];
 
     // Step 2: Define a block, J0 with 96 bits of iv and 32 bits of 0s
-    // you can of the 96bits as a nonce and the 32 bits of 0s as an integer counter
     component J0builder = ToBlocks(16);
     for (var i = 0; i < 12; i++) {
         J0builder.stream[i] <== iv[i];
@@ -71,11 +70,8 @@ template AESGCM(l) {
     gctr.plainText <== plainText;
 
 
-    // Step 4: Let u and v
+    // Step 4: Let u and v (v is always zero with out key size and aad length)
     var u = 128 * (l \ 128) - l;
-    // when we handle dynamic aad lengths, we'll need to change this
-    var v = 0;
-
     var blockCount = l\16;
     if(l%16 > 0){
         blockCount = blockCount + 1;
@@ -110,7 +106,6 @@ template AESGCM(l) {
     ghashMessage[ghashblocks-1][0] <== [0x00, 0x00, 0x00, 0x00];
     ghashMessage[ghashblocks-1][1] <== [0x00, 0x00, 0x00, 0x80];
 
-    // TODO: constrain len to be u64 range.
     var len = blockCount * 128;
     for (var i=0; i<8; i++) {
         var byte_value = 0;
@@ -131,16 +126,7 @@ template AESGCM(l) {
     for (var i = 0 ; i<ghashblocks ; i++) {
         ghash.msg[i] <== ToStream(1, 16)([ghashMessage[i]]);
     }
-    // ghash.msg <== msgToStream.stream;
-    // In Steps 4 and 5, the AAD and the ciphertext are each appended with the minimum number of
-    // ‘0’ bits, possibly none, so that the bit lengths of the resulting strings are multiples of the block
-    // size. The concatenation of these strings is appended with the 64-bit representations of the
-    // lengths of the AAD and the ciphertext, and the GHASH function is applied to the result to
-    // produce a single output block.
-
-    // TODO: Check the endianness
-    // TODO: this is underconstrained too
-    // log("ghash bytes"); // BUG: Currently 0.
+
     signal bytes[16];
     signal tagBytes[16 * 8] <== BytesToBits(16)(ghash.tag);
     for(var i = 0; i < 16; i++) {
@@ -151,10 +137,8 @@ template AESGCM(l) {
             byteValue += tagBytes[bitIndex]*sum;
             sum = sum*sum;
         }
-        // log(byteValue);
         bytes[i] <== byteValue;
     }
-    // log("end ghash bytes");
 
     // Step 6: Let T = MSBt(GCTRK(J0, S))
     component gctrT = GCTR(16);

circuits/aes-gcm/aes/cipher.circom

@@ -9,8 +9,7 @@ include "transformations.circom";
 include "mix_columns.circom";
 
 // Cipher Process
-// nk: number of keys which can be 4, 6, 8
-// AES 128, 192, 256 have 10, 12, 14 rounds.
+// AES 128 keys have 10 rounds.
 // Input Block   Initial Round Key          Round Key             Final Round Key
 //     │                │                       │                       │
 //     ▼                ▼                       ▼                       ▼
@@ -31,16 +30,13 @@ include "mix_columns.circom";
 //                                                                 Ciphertext
 
 
-// @param nk: number of keys which can be 4, 6, 8
 // @inputs block: 4x4 matrix representing the input block
-// @inputs key: array of nk*4 bytes representing the key
+// @inputs key: array of 16 bytes representing the key
 // @outputs cipher: 4x4 matrix representing the output block
 template Cipher(){
         signal input block[4][4];
         signal input key[16];
         signal output cipher[4][4];
-
-        // var nr = Rounds(nk);
 
         component keyExpansion = KeyExpansion();
         keyExpansion.key <== key;
@@ -59,16 +55,21 @@ template Cipher(){
         }
 
         interBlock[0] <== addRoundKey[0].newState;
+        // for each round. 
         for (var i = 1; i < 10; i++) {
+                // SubBytes
                 subBytes[i-1] = SubBlock();
                 subBytes[i-1].state <== interBlock[i-1];
 
+                // ShiftRows
                 shiftRows[i-1] = ShiftRows();
                 shiftRows[i-1].state <== subBytes[i-1].newState;
 
+                // MixColumns
                 mixColumns[i-1] = MixColumns();
                 mixColumns[i-1].state <== shiftRows[i-1].newState;
 
+                // AddRoundKey
                 addRoundKey[i] = AddRoundKey();
                 addRoundKey[i].state <== mixColumns[i-1].out;
                  for (var j = 0; j < 4; j++) {
@@ -78,32 +79,19 @@ template Cipher(){
                 interBlock[i] <== addRoundKey[i].newState;
         }
 
+        // Final SubBytes
         subBytes[9] = SubBlock();
         subBytes[9].state <== interBlock[9];
 
         shiftRows[9] = ShiftRows();
         shiftRows[9].state <== subBytes[9].newState;
 
+        // Final AddRoundKey
         addRoundKey[10] = AddRoundKey();
         addRoundKey[10].state <== shiftRows[9].newState;
         for (var i = 0; i < 4; i++) {
                 addRoundKey[10].roundKey[i] <== keyExpansion.keyExpanded[i + (40)];
         }
 
         cipher <== addRoundKey[10].newState;
-}
-
-// @param nk: number of keys which can be 4, 6, 8
-// @returns number of rounds
-// AES 128, 192, 256 have 10, 12, 14 rounds.
-function Rounds (nk) {
-    if (nk == 4) {
-       return 10;
-    } else if (nk == 6) {
-        return 12;
-    } else {
-        return 14;
-    }
-}
-
-
+}

circuits/aes-gcm/aes/key_expansion.circom

@@ -106,9 +106,6 @@ template NextRound(){
         [0x36, 0x00, 0x00, 0x00]
     ];
     rcon.index <== round-1;
-
-    // var rcon[4] = rcons[round-1];
-
     component xorWord[4 + 1];
     xorWord[0] = XorWord();
     xorWord[0].bytes1 <== substituteWord[0].substituted;

circuits/aes-gcm/aes/tbox.circom

@@ -8,10 +8,8 @@ template TBox(index) {
     signal output out;
 
     if (index == 0) {
-        // tbox[0] =>> multiplication by 2
         out <== FieldMul2()(subindex);
     } else if (index == 1) {
-        // tbox[1] =>> multiplication by 3
         out <== FieldMul3()(subindex);
     }
 }

circuits/aes-gcm/aes/utils.circom

@@ -168,34 +168,4 @@ template AddCipher(){
             newState[i][j] <== xorbyte[i][j].out;
         }
     }
-}
-
-// converts iv to counter blocks
-// iv is 16 bytes
-// TODO: this is definitely underconstrained
-template GenerateCounterBlocks(n){
-        assert(n < 0xffffffff);
-        signal input iv[16];
-        signal output counterBlocks[n][4][4];
-
-        var ivr[16] = iv;
-
-        component toBlocks[n];
-
-        for (var i = 0; i < n; i++) {
-                toBlocks[i] = ToBlocks(16);
-                toBlocks[i].stream <-- ivr;
-                counterBlocks[i] <== toBlocks[i].blocks[0];
-                ivr[15] = (ivr[15] + 1)%256;
-                if (ivr[15] == 0){
-                        ivr[14] = (ivr[14] + 1)%256;
-                        if (ivr[14] == 0){
-                                ivr[13] = (ivr[13] + 1)%256;
-                                if (ivr[13] == 0){
-                                        ivr[12] = (ivr[12] + 1)%256;
-                                }
-                        }
-                }
-
-        }
 }

circuits/aes-gcm/gctr.circom

@@ -31,7 +31,6 @@ include "utils.circom";
 
 
 // We are opperating on 128 bit blocks represented as 16 bytes
-
 template GCTR(INPUT_LEN) {
     signal input key[16];
     signal input initialCounterBlock[4][4];
@@ -63,16 +62,15 @@ template GCTR(INPUT_LEN) {
     component inc32[nBlocks - 1];
     // For i = 2 to nBlocks, let CBi = inc32(CBi-1).
 
-    // TODO: Actually test me on a block larger than 16 bytes. 
     for (var i = 1; i < nBlocks; i++) {
         inc32[i - 1] = IncrementWord();
-        inc32[i - 1].in <== CounterBlocks[i - 1][3]; // idea: use the counterblock here directly so that we don't need to use this toCounterblock thing
+        inc32[i - 1].in <== CounterBlocks[i - 1][3];
 
         // copy the previous 12 bytes of the counter block
         for (var j = 0; j < 3; j++) {
             CounterBlocks[i][j] <== CounterBlocks[i - 1][j];
         }
-        // should write the last 4 bytes of the incremented word
+        // write the last 4 bytes of the incremented word
         CounterBlocks[i][3] <== inc32[i - 1].out;
     }
 
@@ -102,7 +100,6 @@ template GCTR(INPUT_LEN) {
     // Step 3: Handle the last block separately
     // Y* = X* ⊕ MSBlen(X*) (CIPH_K (CB_n*))
 
-    // TODO: When we only have one block, this double Cipher's. We shouldnnt do this when l % 16 == 0
     // encrypt the last counter block 
     aes[nBlocks] = Cipher();
     aes[nBlocks].key <== key;

circuits/aes-gcm/ghash-foldable.circom

@@ -10,11 +10,6 @@ include "ghash_gmul.circom";
 // Outputs:
 // - `tag` the authentication tag
 //
-// Computes:
-// Y_0 = 0^128
-// Y_{i+1} = (Y_i xor X_{i-1}) * H
-// output: Y_{n+1} where n is the number of blocks.
-// GHASH Process
 //
 //           X1                      X2          ...          XM 
 //           │                       │                        │ 

circuits/aes-gcm/ghash.circom

@@ -10,12 +10,6 @@ include "ghash_gmul.circom";
 // Outputs:
 // - `tag` the authentication tag
 //
-// Computes:
-// Y_0 = 0^128
-// Y_{i+1} = (Y_i xor X_{i-1}) * H
-// output: Y_{n+1} where n is the number of blocks.
-// GHASH Process
-//
 //           X1                      X2          ...          XM 
 //           │                       │                        │ 
 //           │                       ▼                        ▼   

circuits/aes-gcm/ghash_gmul.circom

@@ -47,7 +47,6 @@ template GhashMul() {
     signal bitsX[16*8];
     bitsX <== bytesToBits.out;
     for (var i = 0; i < 128; i++) {
-        // log("i*8 + j", i*8 + j);
         // z_i_update
         z_i_update[i] = Z_UPDATE(16);
         z_i_update[i].Z <== Z[i];