From 715c87cba413eb8a2c1ead10b7977d16933104ce Mon Sep 17 00:00:00 2001 From: iddo Date: Sun, 6 May 2018 12:31:05 +0300 Subject: [PATCH] confidential-input program of starkdpm --- .../LOCI_AES160hashchain.hpp | 0 .../LOCI_AES160hashchain_EvalPoly.cpp | 0 .../LOCI_AES160hashchain__GenWitness.cpp | 0 .../LOCI_AES160hashchain_constraints.cpp | 0 .../LOCI_AES160hashchain_instance.cpp | 0 .../LOCI_AES160hashchain_instance.hpp | 0 .../LOCI_AES160hashchain_witness.cpp | 0 ...onstraints_ACSPforLOCI_AES160HashChain.txt | 0 prevstarkdpm/main.cpp | 141 ++ ...constraints_parser_LOCI_AES160hashchain.py | 0 starkdpm/AES160hashcLOCI.hpp | 164 ++ starkdpm/AES160hashcLOCI_EvalPoly.cpp | 952 ++++++++ starkdpm/AES160hashcLOCI_GenWitness.cpp | 819 +++++++ starkdpm/AES160hashcLOCI_constraints.cpp | 271 +++ starkdpm/AES160hashcLOCI_instance.cpp | 58 + starkdpm/AES160hashcLOCI_instance.hpp | 31 + starkdpm/AES160hashcLOCI_witness.cpp | 46 + starkdpm/constraints_AES160hashcLOCI.txt | 2046 +++++++++++++++++ starkdpm/main.cpp | 123 +- .../row_constraints_parser_AES160LOCIhashc.py | 1139 +++++++++ 20 files changed, 5695 insertions(+), 95 deletions(-) rename {starkdpm => prevstarkdpm}/LOCI_AES160hashchain.hpp (100%) rename {starkdpm => prevstarkdpm}/LOCI_AES160hashchain_EvalPoly.cpp (100%) rename {starkdpm => prevstarkdpm}/LOCI_AES160hashchain__GenWitness.cpp (100%) rename {starkdpm => prevstarkdpm}/LOCI_AES160hashchain_constraints.cpp (100%) rename {starkdpm => prevstarkdpm}/LOCI_AES160hashchain_instance.cpp (100%) rename {starkdpm => prevstarkdpm}/LOCI_AES160hashchain_instance.hpp (100%) rename {starkdpm => prevstarkdpm}/LOCI_AES160hashchain_witness.cpp (100%) rename {starkdpm => prevstarkdpm}/constraints_ACSPforLOCI_AES160HashChain.txt (100%) create mode 100644 prevstarkdpm/main.cpp rename {starkdpm => prevstarkdpm}/row_constraints_parser_LOCI_AES160hashchain.py (100%) create mode 100644 starkdpm/AES160hashcLOCI.hpp create mode 100644 starkdpm/AES160hashcLOCI_EvalPoly.cpp create mode 100644 starkdpm/AES160hashcLOCI_GenWitness.cpp create mode 100644 starkdpm/AES160hashcLOCI_constraints.cpp create mode 100644 starkdpm/AES160hashcLOCI_instance.cpp create mode 100644 starkdpm/AES160hashcLOCI_instance.hpp create mode 100644 starkdpm/AES160hashcLOCI_witness.cpp create mode 100644 starkdpm/constraints_AES160hashcLOCI.txt create mode 100644 starkdpm/row_constraints_parser_AES160LOCIhashc.py diff --git a/starkdpm/LOCI_AES160hashchain.hpp b/prevstarkdpm/LOCI_AES160hashchain.hpp similarity index 100% rename from starkdpm/LOCI_AES160hashchain.hpp rename to prevstarkdpm/LOCI_AES160hashchain.hpp diff --git a/starkdpm/LOCI_AES160hashchain_EvalPoly.cpp b/prevstarkdpm/LOCI_AES160hashchain_EvalPoly.cpp similarity index 100% rename from starkdpm/LOCI_AES160hashchain_EvalPoly.cpp rename to prevstarkdpm/LOCI_AES160hashchain_EvalPoly.cpp diff --git a/starkdpm/LOCI_AES160hashchain__GenWitness.cpp b/prevstarkdpm/LOCI_AES160hashchain__GenWitness.cpp similarity index 100% rename from starkdpm/LOCI_AES160hashchain__GenWitness.cpp rename to prevstarkdpm/LOCI_AES160hashchain__GenWitness.cpp diff --git a/starkdpm/LOCI_AES160hashchain_constraints.cpp b/prevstarkdpm/LOCI_AES160hashchain_constraints.cpp similarity index 100% rename from starkdpm/LOCI_AES160hashchain_constraints.cpp rename to prevstarkdpm/LOCI_AES160hashchain_constraints.cpp diff --git a/starkdpm/LOCI_AES160hashchain_instance.cpp b/prevstarkdpm/LOCI_AES160hashchain_instance.cpp similarity index 100% rename from starkdpm/LOCI_AES160hashchain_instance.cpp rename to prevstarkdpm/LOCI_AES160hashchain_instance.cpp diff --git a/starkdpm/LOCI_AES160hashchain_instance.hpp b/prevstarkdpm/LOCI_AES160hashchain_instance.hpp similarity index 100% rename from starkdpm/LOCI_AES160hashchain_instance.hpp rename to prevstarkdpm/LOCI_AES160hashchain_instance.hpp diff --git a/starkdpm/LOCI_AES160hashchain_witness.cpp b/prevstarkdpm/LOCI_AES160hashchain_witness.cpp similarity index 100% rename from starkdpm/LOCI_AES160hashchain_witness.cpp rename to prevstarkdpm/LOCI_AES160hashchain_witness.cpp diff --git a/starkdpm/constraints_ACSPforLOCI_AES160HashChain.txt b/prevstarkdpm/constraints_ACSPforLOCI_AES160HashChain.txt similarity index 100% rename from starkdpm/constraints_ACSPforLOCI_AES160HashChain.txt rename to prevstarkdpm/constraints_ACSPforLOCI_AES160HashChain.txt diff --git a/prevstarkdpm/main.cpp b/prevstarkdpm/main.cpp new file mode 100644 index 0000000..6fc527f --- /dev/null +++ b/prevstarkdpm/main.cpp @@ -0,0 +1,141 @@ +#include +#include +#include +#include +#include +#include "LOCI_AES160hashchain.hpp" + +using namespace stark_dpm; +using namespace stark_dpm::ACSP_FOR_AES160LOCIhashchain; +using std::cout; +using std::endl; +using std::string; +using std::stoul; +using AES160LOCIhashchain::dpmpair_t; +using AES160LOCIhashchain::fingerprint_t; +using AES160LOCIhashchain::database_t; + +const string securityPrefix = "-s"; + + +void printHelp(const string exeName){ + cout<<"Usage:"<"< [" + securityPrefix + "]"<"<> hashC; + std::vector Result = AES160LOCIhashchain::genHashchain(hashC, db); + AES160LOCIhashchain::evalp::setParams(Result, Algebra::power(xFE(), params.length), fprint); + libstark::BairWitness bair_witness = buildBairWitness(params, hashC, fprint); + + libstark::Protocols::executeProtocol(bair_instance, bair_witness,securityParameter,false,false,true); +} + +dpmpair_t readPair(const string pairStr){ + std::regex regex{R"([.]+)"}; // split on period + std::sregex_token_iterator it{pairStr.begin(), pairStr.end(), regex, -1}; + std::vector words{it, {}}; + + if(words.size() != 2){ + cout<<"Each pair must contain 2 elements"< words{it, {}}; + + if(words.size() != 20){ + cout<<"Each line must contain 20 pairs"<(ifs)),std::istreambuf_iterator()); + + std::regex regex{R"([\n]+)"}; // split to lines + std::sregex_token_iterator it{content.begin(), content.end(), regex, -1}; + std::vector lines{it, {}}; + + database_t db(lines.size()); + + for(unsigned int i=0; i + +#define PRNMSG(str) do { std::cout << str << std::endl; } while( false ) +//#define DBGMSG(str) do { std::cout << str << std::endl; } while( false ) +#define DBGMSG(str) do { } while ( false ) + +#define EXTDIM 64 + +using namespace Algebra; + +namespace AES160hashcLOCI { + + //FieldElement eval(const std::vector& vars, const std::vector RootHash, const FieldElement values[][2], FieldElement lastPow); + FieldElement evalCPoly(const std::vector & vars, + const std::vector & RootHash, const FieldElement& gN); + + + class evalp + { + public: + static void setParams(const std::vector&, const FieldElement&, const int); + static FieldElement ep(const std::vector&); + private: + static std::vector rHash; + static FieldElement last_leaf_index; + }; + + const short NUMREGS = 81; + + namespace reg { + typedef enum RegType{ + + B00 = 0, B01, B02, B03, B04, + B10, B11, B12, B13, B14, + B20, B21, B22, B23, B24, + B30, B31, B32, B33, B34, + + K00, K01, K02, K03, K04, + K10, K11, K12, K13, K14, + K20, K21, K22, K23, K24, + K30, K31, K32, K33, K34, + + inv1, inv2, inv3, inv4, inv5, + W11, W12, W13, + W21, W22, W23, + W31, W32, W33, + W41, W42, W43, + W51, W52, W53, + + FLAG1, FLAG2, RC, invRC, + + A, B, C, STATE, + K, + MATCH, isSecondPhaseComparingLOCI, PartialMATCH, PHASE, + L1, L2, L3, L4, L5, L6, + ST2, ST3, + } RegType; + } + + typedef std::vector< std::vector > & witnessType; + short getDim(long long); + std::vector genHashchain(witnessType, int, int); + void genWitnessLOCIHashcAES160WithPadding(witnessType, const witnessType, int, const int); + + namespace consts { +#define zFE (mapIntegerToFieldElement(0, EXTDIM, 0)) + + const short ROUNDS = 10; + const FieldElement xFEinv = xFE().inverse(); + const FieldElement minus1 = mapIntegerToFieldElement(0, EXTDIM, 0xfffff); + const FieldElement oneTransformed = mapIntegerToFieldElement(0, EXTDIM, 0x1); + const FieldElement xFETransformed = mapIntegerToFieldElement(0, EXTDIM, 0x33CE8BEDDC8A656); + const FieldElement xFEAndOneTransformed = mapIntegerToFieldElement(0, EXTDIM, 0x33CE8BEDDC8A657); + const FieldElement B_Transformed = mapIntegerToFieldElement(0, EXTDIM, 0xFF6C97771E353011); + + + const FieldElement Rcon_round11 = xFETransformed *xFETransformed*xFETransformed*xFETransformed* + xFETransformed*xFETransformed*xFETransformed*xFETransformed*xFETransformed*xFETransformed;// + + const FieldElement xFE_4 = mapIntegerToFieldElement(0, EXTDIM, size_t(1) << 4); + const FieldElement xFE_8 = mapIntegerToFieldElement(0, EXTDIM, size_t(1) << 8); + const FieldElement xFE_minus4 = xFE_4.inverse(); + const FieldElement xFE_minus8 = xFE_minus4*xFE_minus4; + + const FieldElement Transformator[8] = { + + mapIntegerToFieldElement(0, EXTDIM, 0x1), + mapIntegerToFieldElement(0, EXTDIM, 0x33CE8BEDDC8A656), + mapIntegerToFieldElement(0, EXTDIM, 0x512620375ED2A108), + mapIntegerToFieldElement(0, EXTDIM, 0xC9E636090AAFC01), + + + mapIntegerToFieldElement(0, EXTDIM, 0xBA4F3CD82801769C), + mapIntegerToFieldElement(0, EXTDIM, 0xBA26E7904ADB4A47), + mapIntegerToFieldElement(0, EXTDIM, 0x467698598926DC01), + mapIntegerToFieldElement(0, EXTDIM, 0x4418AE808B28BDD0) + + }; + + /*const FieldElement Transformator[8] = { + mapIntegerToFieldElement(0, EXTDIM, 0x4418AE808B28BDD0), + mapIntegerToFieldElement(0, EXTDIM, 0x467698598926DC01), + mapIntegerToFieldElement(0, EXTDIM, 0xBA26E7904ADB4A47), + mapIntegerToFieldElement(0, EXTDIM, 0xBA4F3CD82801769C), + mapIntegerToFieldElement(0, EXTDIM, 0xC9E636090AAFC01), + mapIntegerToFieldElement(0, EXTDIM, 0x512620375ED2A108), + mapIntegerToFieldElement(0, EXTDIM, 0x33CE8BEDDC8A656), + mapIntegerToFieldElement(0, EXTDIM, 0x1) + };*/ + + const FieldElement MixColMat[4][4] = { + { xFETransformed, xFEAndOneTransformed, oneTransformed, oneTransformed }, + { oneTransformed, xFETransformed, xFEAndOneTransformed, oneTransformed }, + { oneTransformed, oneTransformed, xFETransformed, xFEAndOneTransformed }, + { xFEAndOneTransformed, oneTransformed, oneTransformed, xFETransformed } + }; + + const FieldElement invTransformator[14] = { + mapIntegerToFieldElement(0, EXTDIM, 0x1), + mapIntegerToFieldElement(0, EXTDIM, 0xFD), + mapIntegerToFieldElement(0, EXTDIM, 0x7F), + mapIntegerToFieldElement(0, EXTDIM, 0x4C), + mapIntegerToFieldElement(0, EXTDIM, 0x2A), + zFE, + mapIntegerToFieldElement(0, EXTDIM, 0xA3), + zFE, zFE, zFE, + mapIntegerToFieldElement(0, EXTDIM, 0x41), + zFE, zFE, + mapIntegerToFieldElement(0, EXTDIM, 0x48) + }; + + const FieldElement polyFromMatrix[8] = { + mapIntegerToFieldElement(0, EXTDIM, 0x512620375ED2A109), + mapIntegerToFieldElement(0, EXTDIM, 0xC9E636090AAFC00), + mapIntegerToFieldElement(0, EXTDIM, 0xE998EF1F07EA10A), + mapIntegerToFieldElement(0, EXTDIM, 0xEB00C7A71409EB4E), + mapIntegerToFieldElement(0, EXTDIM, 0x5321CDA63E06FC02), + mapIntegerToFieldElement(0, EXTDIM, 0x1), + mapIntegerToFieldElement(0, EXTDIM, 0x155755FFB7202002), + mapIntegerToFieldElement(0, EXTDIM, 0x1A9C05699898468E) + }; + } +} + +namespace stark_dpm{ + namespace ACSP_FOR_AES160hashcLOCI{ + typedef struct{ + long long length; + int seed; + std::vector head; + }AES160hashcLOCICommonParams; + + libstark::BairInstance buildBairInstance(const AES160hashcLOCICommonParams&); + libstark::BairWitness buildBairWitness(const AES160hashcLOCICommonParams&, const AES160hashcLOCI::witnessType&); + } +} + +#endif // __ACSP_FOR_AES160hashcLOCI_HPP__ diff --git a/starkdpm/AES160hashcLOCI_EvalPoly.cpp b/starkdpm/AES160hashcLOCI_EvalPoly.cpp new file mode 100644 index 0000000..46bfe65 --- /dev/null +++ b/starkdpm/AES160hashcLOCI_EvalPoly.cpp @@ -0,0 +1,952 @@ +#include "AES160hashcLOCI.hpp" + +#define RI(n) n +//#define RI(n) 0 +#define RN 643 + +using namespace Algebra; + +namespace AES160hashcLOCI{ + + FieldElement randCoeff[RN]; + //namespace { //anonymous namespace for polys and common vars + + + inline FieldElement evalCPolyAES160_SB_And_SR_FLAGS_ARE_00(const std::vector & vars, FieldElement results[]){ + FieldElement tval = vars[reg::FLAG1 + NUMREGS]; + tval += randCoeff[RI(0)] * (vars[reg::FLAG2 + NUMREGS] + one()); + tval += randCoeff[RI(1)] * (vars[reg::B10 + NUMREGS] + vars[reg::B10]); + tval += randCoeff[RI(2)] * (vars[reg::B11 + NUMREGS] + vars[reg::B11]); + tval += randCoeff[RI(3)] * (vars[reg::B12 + NUMREGS] + vars[reg::B12]); + tval += randCoeff[RI(4)] * (vars[reg::B13 + NUMREGS] + vars[reg::B13]); + tval += randCoeff[RI(5)] * (vars[reg::B14 + NUMREGS] + vars[reg::B14]); + tval += randCoeff[RI(6)] * (vars[reg::B20 + NUMREGS] + vars[reg::B20]); + tval += randCoeff[RI(7)] * (vars[reg::B21 + NUMREGS] + vars[reg::B21]); + tval += randCoeff[RI(8)] * (vars[reg::B22 + NUMREGS] + vars[reg::B22]); + tval += randCoeff[RI(9)] * (vars[reg::B23 + NUMREGS] + vars[reg::B23]); + tval += randCoeff[RI(10)] * (vars[reg::B24 + NUMREGS] + vars[reg::B24]); + tval += randCoeff[RI(11)] * (vars[reg::B30 + NUMREGS] + vars[reg::B30]); + tval += randCoeff[RI(12)] * (vars[reg::B31 + NUMREGS] + vars[reg::B31]); + tval += randCoeff[RI(13)] * (vars[reg::B32 + NUMREGS] + vars[reg::B32]); + tval += randCoeff[RI(14)] * (vars[reg::B33 + NUMREGS] + vars[reg::B33]); + tval += randCoeff[RI(15)] * (vars[reg::B34 + NUMREGS] + vars[reg::B34]); + + tval += randCoeff[RI(16)] * (vars[reg::B00] * vars[reg::inv1] + one())*(vars[reg::B00] + randCoeff[RI(17)] * vars[reg::inv1]); + tval += randCoeff[RI(18)] * ( + vars[reg::B00 + NUMREGS] + + results[0]); + + tval += randCoeff[RI(19)] * (vars[reg::B01] * vars[reg::inv2] + one())*(vars[reg::B01] + randCoeff[RI(20)] * vars[reg::inv2]); + tval += randCoeff[RI(21)] * ( + vars[reg::B01 + NUMREGS] + + results[1]); + + tval += randCoeff[RI(22)] * (vars[reg::B02] * vars[reg::inv3] + one())*(vars[reg::B02] + randCoeff[RI(23)] * vars[reg::inv3]); + tval += randCoeff[RI(24)] * ( + vars[reg::B02 + NUMREGS] + + results[2]); + + tval += randCoeff[RI(25)] * (vars[reg::B03] * vars[reg::inv4] + one())*(vars[reg::B03] + randCoeff[RI(26)] * vars[reg::inv4]); + tval += randCoeff[RI(27)] * ( + vars[reg::B03 + NUMREGS] + + results[3]); + + tval += randCoeff[RI(28)] * (vars[reg::B04] * vars[reg::inv5] + one())*(vars[reg::B04] + randCoeff[RI(29)] * vars[reg::inv5]); + tval += randCoeff[RI(30)] * ( + vars[reg::B04 + NUMREGS] + + results[4]); + + return tval; + } + inline FieldElement evalCPolyAES160_SB_And_SR_FLAGS_ARE_01(const std::vector & vars, FieldElement results[]){ + FieldElement tval = zero(); + tval += vars[reg::FLAG1 + NUMREGS] + one(); + tval += randCoeff[RI(31)] * (vars[reg::FLAG2 + NUMREGS] + zero()); + tval += randCoeff[RI(32)] * (vars[reg::B00 + NUMREGS] + vars[reg::B00]); + tval += randCoeff[RI(33)] * (vars[reg::B01 + NUMREGS] + vars[reg::B01]); + tval += randCoeff[RI(34)] * (vars[reg::B02 + NUMREGS] + vars[reg::B02]); + tval += randCoeff[RI(35)] * (vars[reg::B03 + NUMREGS] + vars[reg::B03]); + tval += randCoeff[RI(36)] * (vars[reg::B04 + NUMREGS] + vars[reg::B04]); + tval += randCoeff[RI(37)] * (vars[reg::B20 + NUMREGS] + vars[reg::B20]); + tval += randCoeff[RI(38)] * (vars[reg::B21 + NUMREGS] + vars[reg::B21]); + tval += randCoeff[RI(39)] * (vars[reg::B22 + NUMREGS] + vars[reg::B22]); + tval += randCoeff[RI(40)] * (vars[reg::B23 + NUMREGS] + vars[reg::B23]); + tval += randCoeff[RI(41)] * (vars[reg::B24 + NUMREGS] + vars[reg::B24]); + tval += randCoeff[RI(42)] * (vars[reg::B30 + NUMREGS] + vars[reg::B30]); + tval += randCoeff[RI(43)] * (vars[reg::B31 + NUMREGS] + vars[reg::B31]); + tval += randCoeff[RI(44)] * (vars[reg::B32 + NUMREGS] + vars[reg::B32]); + tval += randCoeff[RI(45)] * (vars[reg::B33 + NUMREGS] + vars[reg::B33]); + tval += randCoeff[RI(46)] * (vars[reg::B34 + NUMREGS] + vars[reg::B34]); + + tval += randCoeff[RI(47)] * (vars[reg::B10] * vars[reg::inv1] + one())*(vars[reg::B10] + randCoeff[RI(48)] * vars[reg::inv1]); + tval += randCoeff[RI(49)] * ( + vars[reg::B14 + NUMREGS] + + results[0]); + + tval += randCoeff[RI(50)] * (vars[reg::B11] * vars[reg::inv2] + one())*(vars[reg::B11] + randCoeff[RI(51)] * vars[reg::inv2]); + tval += randCoeff[RI(52)] * ( + vars[reg::B10 + NUMREGS] + + results[1]); + + tval += randCoeff[RI(53)] * (vars[reg::B12] * vars[reg::inv3] + one())*(vars[reg::B12] + randCoeff[RI(54)] * vars[reg::inv3]); + tval += randCoeff[RI(55)] * ( + vars[reg::B11 + NUMREGS] + + results[2]); + + tval += randCoeff[RI(56)] * (vars[reg::B13] * vars[reg::inv4] + one())*(vars[reg::B13] + randCoeff[RI(57)] * vars[reg::inv4]); + tval += randCoeff[RI(58)] * ( + vars[reg::B12 + NUMREGS] + + results[3]); + + tval += randCoeff[RI(59)] * (vars[reg::B14] * vars[reg::inv5] + one())*(vars[reg::B14] + randCoeff[RI(60)] * vars[reg::inv5]); + tval += randCoeff[RI(61)] * ( + vars[reg::B13 + NUMREGS] + + results[4]); + + return tval; + } + + inline FieldElement evalCPolyAES160_SB_And_SR_FLAGS_ARE_10(const std::vector & vars, FieldElement results[]){ + + FieldElement tval = vars[reg::FLAG1 + NUMREGS] + one(); + tval += randCoeff[RI(62)] * (vars[reg::FLAG2 + NUMREGS] + one()); + tval += randCoeff[RI(63)] * (vars[reg::B00 + NUMREGS] + vars[reg::B00]); + tval += randCoeff[RI(64)] * (vars[reg::B01 + NUMREGS] + vars[reg::B01]); + tval += randCoeff[RI(65)] * (vars[reg::B02 + NUMREGS] + vars[reg::B02]); + tval += randCoeff[RI(66)] * (vars[reg::B03 + NUMREGS] + vars[reg::B03]); + tval += randCoeff[RI(67)] * (vars[reg::B04 + NUMREGS] + vars[reg::B04]); + tval += randCoeff[RI(68)] * (vars[reg::B10 + NUMREGS] + vars[reg::B10]); + tval += randCoeff[RI(69)] * (vars[reg::B11 + NUMREGS] + vars[reg::B11]); + tval += randCoeff[RI(70)] * (vars[reg::B12 + NUMREGS] + vars[reg::B12]); + tval += randCoeff[RI(71)] * (vars[reg::B13 + NUMREGS] + vars[reg::B13]); + tval += randCoeff[RI(72)] * (vars[reg::B14 + NUMREGS] + vars[reg::B14]); + tval += randCoeff[RI(73)] * (vars[reg::B30 + NUMREGS] + vars[reg::B30]); + tval += randCoeff[RI(74)] * (vars[reg::B31 + NUMREGS] + vars[reg::B31]); + tval += randCoeff[RI(75)] * (vars[reg::B32 + NUMREGS] + vars[reg::B32]); + tval += randCoeff[RI(76)] * (vars[reg::B33 + NUMREGS] + vars[reg::B33]); + tval += randCoeff[RI(77)] * (vars[reg::B34 + NUMREGS] + vars[reg::B34]); + + + tval += randCoeff[RI(78)] * (vars[reg::B20] * vars[reg::inv1] + one())*(vars[reg::B20] + randCoeff[RI(79)] * vars[reg::inv1]); + tval += randCoeff[RI(80)] * ( + vars[reg::B23 + NUMREGS] + + results[0]); + + tval += randCoeff[RI(81)] * (vars[reg::B21] * vars[reg::inv2] + one())*(vars[reg::B21] + randCoeff[RI(82)] * vars[reg::inv2]); + tval += randCoeff[RI(83)] * ( + vars[reg::B24 + NUMREGS] + + results[1]); + + tval += randCoeff[RI(84)] * (vars[reg::B22] * vars[reg::inv3] + one())*(vars[reg::B22] + randCoeff[RI(85)] * vars[reg::inv3]); + tval += randCoeff[RI(86)] * ( + vars[reg::B20 + NUMREGS] + + results[2]); + + tval += randCoeff[RI(87)] * (vars[reg::B23] * vars[reg::inv4] + one())*(vars[reg::B23] + randCoeff[RI(88)] * vars[reg::inv4]); + tval += randCoeff[RI(89)] * ( + vars[reg::B21 + NUMREGS] + + results[3]); + + tval += randCoeff[RI(90)] * (vars[reg::B24] * vars[reg::inv5] + one())*(vars[reg::B24] + randCoeff[RI(91)] * vars[reg::inv5]); + tval += randCoeff[RI(92)] * ( + vars[reg::B22 + NUMREGS] + + results[4]); + return tval; + + } + + + inline FieldElement evalCPolyAES160_SB_And_SR_FLAGS_ARE_11(const std::vector & vars, FieldElement results[]){ + + FieldElement tval = vars[reg::FLAG1 + NUMREGS] + xFE(); + tval += randCoeff[RI(93)] * (vars[reg::B00 + NUMREGS] + vars[reg::B00]); + tval += randCoeff[RI(94)] * (vars[reg::B01 + NUMREGS] + vars[reg::B01]); + tval += randCoeff[RI(95)] * (vars[reg::B02 + NUMREGS] + vars[reg::B02]); + tval += randCoeff[RI(96)] * (vars[reg::B03 + NUMREGS] + vars[reg::B03]); + tval += randCoeff[RI(97)] * (vars[reg::B04 + NUMREGS] + vars[reg::B04]); + tval += randCoeff[RI(98)] * (vars[reg::B10 + NUMREGS] + vars[reg::B10]); + tval += randCoeff[RI(99)] * (vars[reg::B11 + NUMREGS] + vars[reg::B11]); + tval += randCoeff[RI(100)] * (vars[reg::B12 + NUMREGS] + vars[reg::B12]); + tval += randCoeff[RI(101)] * (vars[reg::B13 + NUMREGS] + vars[reg::B13]); + tval += randCoeff[RI(102)] * (vars[reg::B14 + NUMREGS] + vars[reg::B14]); + tval += randCoeff[RI(103)] * (vars[reg::B20 + NUMREGS] + vars[reg::B20]); + tval += randCoeff[RI(104)] * (vars[reg::B21 + NUMREGS] + vars[reg::B21]); + tval += randCoeff[RI(105)] * (vars[reg::B22 + NUMREGS] + vars[reg::B22]); + tval += randCoeff[RI(106)] * (vars[reg::B23 + NUMREGS] + vars[reg::B23]); + tval += randCoeff[RI(107)] * (vars[reg::B24 + NUMREGS] + vars[reg::B24]); + + + tval += randCoeff[RI(108)] * (vars[reg::B30] * vars[reg::inv1] + one())*(vars[reg::B30] + randCoeff[RI(109)] * vars[reg::inv1]); + tval += randCoeff[RI(110)] * ( + vars[reg::B32 + NUMREGS] + + results[0]); + + tval += randCoeff[RI(111)] * (vars[reg::B31] * vars[reg::inv2] + one())*(vars[reg::B31] + randCoeff[RI(112)] * vars[reg::inv2]); + tval += randCoeff[RI(113)] * ( + vars[reg::B33 + NUMREGS] + + results[1]); + + tval += randCoeff[RI(114)] * (vars[reg::B32] * vars[reg::inv3] + one())*(vars[reg::B32] + randCoeff[RI(115)] * vars[reg::inv3]); + tval += randCoeff[RI(116)] * ( + vars[reg::B34 + NUMREGS] + + results[2]); + + tval += randCoeff[RI(117)] * (vars[reg::B33] * vars[reg::inv4] + one())*(vars[reg::B33] + randCoeff[RI(118)] * vars[reg::inv4]); + tval += randCoeff[RI(119)] * ( + vars[reg::B30 + NUMREGS] + + results[3]); + + tval += randCoeff[RI(120)] * (vars[reg::B34] * vars[reg::inv5] + one())*(vars[reg::B34] + randCoeff[RI(121)] * vars[reg::inv5]); + tval += randCoeff[RI(122)] * ( + vars[reg::B31 + NUMREGS] + + results[4]); + + return tval; + + + + } + inline FieldElement evalCPolyAES160_SB_And_SR(const std::vector & vars, FieldElement results[], FieldElement PolyComputationInversePowers){ + FieldElement tval = vars[reg::STATE + NUMREGS] + one(); + tval += randCoeff[RI(123)] * (vars[reg::RC + NUMREGS] + vars[reg::RC]); + tval += randCoeff[RI(124)] * (vars[reg::K00 + NUMREGS] + vars[reg::K00]); + tval += randCoeff[RI(125)] * (vars[reg::K01 + NUMREGS] + vars[reg::K01]); + tval += randCoeff[RI(126)] * (vars[reg::K02 + NUMREGS] + vars[reg::K02]); + tval += randCoeff[RI(127)] * (vars[reg::K03 + NUMREGS] + vars[reg::K03]); + tval += randCoeff[RI(128)] * (vars[reg::K04 + NUMREGS] + vars[reg::K04]); + tval += randCoeff[RI(129)] * (vars[reg::K10 + NUMREGS] + vars[reg::K10]); + tval += randCoeff[RI(130)] * (vars[reg::K11 + NUMREGS] + vars[reg::K11]); + tval += randCoeff[RI(131)] * (vars[reg::K12 + NUMREGS] + vars[reg::K12]); + tval += randCoeff[RI(132)] * (vars[reg::K13 + NUMREGS] + vars[reg::K13]); + tval += randCoeff[RI(133)] * (vars[reg::K14 + NUMREGS] + vars[reg::K14]); + tval += randCoeff[RI(134)] * (vars[reg::K20 + NUMREGS] + vars[reg::K20]); + tval += randCoeff[RI(135)] * (vars[reg::K21 + NUMREGS] + vars[reg::K21]); + tval += randCoeff[RI(136)] * (vars[reg::K22 + NUMREGS] + vars[reg::K22]); + tval += randCoeff[RI(137)] * (vars[reg::K23 + NUMREGS] + vars[reg::K23]); + tval += randCoeff[RI(138)] * (vars[reg::K24 + NUMREGS] + vars[reg::K24]); + tval += randCoeff[RI(139)] * (vars[reg::K30 + NUMREGS] + vars[reg::K30]); + tval += randCoeff[RI(140)] * (vars[reg::K31 + NUMREGS] + vars[reg::K31]); + tval += randCoeff[RI(141)] * (vars[reg::K32 + NUMREGS] + vars[reg::K32]); + tval += randCoeff[RI(142)] * (vars[reg::K33 + NUMREGS] + vars[reg::K33]); + tval += randCoeff[RI(143)] * (vars[reg::K34 + NUMREGS] + vars[reg::K34]); + + + + + tval += randCoeff[RI(144)] * (vars[reg::FLAG1] + one()) *(vars[reg::FLAG2] + one()) * evalCPolyAES160_SB_And_SR_FLAGS_ARE_00(vars, results); + tval += randCoeff[RI(145)] * (vars[reg::FLAG1] + one()) *(vars[reg::FLAG2]) * evalCPolyAES160_SB_And_SR_FLAGS_ARE_01(vars, results); + tval += randCoeff[RI(146)] * (vars[reg::FLAG1]) *(vars[reg::FLAG2] + one()) * evalCPolyAES160_SB_And_SR_FLAGS_ARE_10(vars, results); + tval += randCoeff[RI(147)] * (vars[reg::FLAG1]) *(vars[reg::FLAG2]) * evalCPolyAES160_SB_And_SR_FLAGS_ARE_11(vars, results); + + return tval; + + + } + + inline FieldElement evalCPolyLastRound(const std::vector & vars, FieldElement K_next[][5], FieldElement lastStepConstraints){ + FieldElement tval = lastStepConstraints; + + tval += vars[reg::B00 + NUMREGS] + vars[reg::B00] + K_next[0][0]; + tval += randCoeff[RI(148)] * (vars[reg::B01 + NUMREGS] + vars[reg::B01] + K_next[0][1]); + tval += randCoeff[RI(149)] * (vars[reg::B02 + NUMREGS] + vars[reg::B02] + K_next[0][2]); + tval += randCoeff[RI(150)] * (vars[reg::B03 + NUMREGS] + vars[reg::B03] + K_next[0][3]); + tval += randCoeff[RI(151)] * (vars[reg::B04 + NUMREGS] + vars[reg::B04] + K_next[0][4]); + + tval += randCoeff[RI(152)] * (vars[reg::B10 + NUMREGS] + vars[reg::B10] + K_next[1][0]); + tval += randCoeff[RI(153)] * (vars[reg::B11 + NUMREGS] + vars[reg::B11] + K_next[1][1]); + tval += randCoeff[RI(154)] * (vars[reg::B12 + NUMREGS] + vars[reg::B12] + K_next[1][2]); + tval += randCoeff[RI(155)] * (vars[reg::B13 + NUMREGS] + vars[reg::B13] + K_next[1][3]); + tval += randCoeff[RI(156)] * (vars[reg::B14 + NUMREGS] + vars[reg::B14] + K_next[1][4]); + + tval += randCoeff[RI(157)] * (vars[reg::B20 + NUMREGS] + vars[reg::B20] + K_next[2][0]); + tval += randCoeff[RI(158)] * (vars[reg::B21 + NUMREGS] + vars[reg::B21] + K_next[2][1]); + tval += randCoeff[RI(159)] * (vars[reg::B22 + NUMREGS] + vars[reg::B22] + K_next[2][2]); + tval += randCoeff[RI(160)] * (vars[reg::B23 + NUMREGS] + vars[reg::B23] + K_next[2][3]); + tval += randCoeff[RI(161)] * (vars[reg::B24 + NUMREGS] + vars[reg::B24] + K_next[2][4]); + + tval += randCoeff[RI(162)] * (vars[reg::B30 + NUMREGS] + vars[reg::B30] + K_next[3][0]); + tval += randCoeff[RI(163)] * (vars[reg::B31 + NUMREGS] + vars[reg::B31] + K_next[3][1]); + tval += randCoeff[RI(164)] * (vars[reg::B32 + NUMREGS] + vars[reg::B32] + K_next[3][2]); + tval += randCoeff[RI(165)] * (vars[reg::B33 + NUMREGS] + vars[reg::B33] + K_next[3][3]); + tval += randCoeff[RI(166)] * (vars[reg::B34 + NUMREGS] + vars[reg::B34] + K_next[3][4]); + + return tval; + + } + inline FieldElement evalCPolyNonLastRound(const std::vector & vars, FieldElement K_next[][5]){ + FieldElement tval = vars[reg::RC + NUMREGS] + consts::xFETransformed*vars[reg::RC]; + tval += randCoeff[RI(167)] * (vars[reg::STATE + NUMREGS] + one()); + + + tval += randCoeff[RI(168)] * (vars[reg::K00 + NUMREGS] + K_next[0][0]); + tval += randCoeff[RI(169)] * (vars[reg::K01 + NUMREGS] + vars[reg::K00 + NUMREGS] + vars[reg::K01]); + tval += randCoeff[RI(170)] * (vars[reg::K02 + NUMREGS] + vars[reg::K01 + NUMREGS] + vars[reg::K02]); + tval += randCoeff[RI(171)] * (vars[reg::K03 + NUMREGS] + vars[reg::K02 + NUMREGS] + vars[reg::K03]); + tval += randCoeff[RI(172)] * (vars[reg::K04 + NUMREGS] + vars[reg::K03 + NUMREGS] + vars[reg::K04]); + + tval += randCoeff[RI(173)] * (vars[reg::K10 + NUMREGS] + K_next[1][0]); + tval += randCoeff[RI(174)] * (vars[reg::K11 + NUMREGS] + vars[reg::K10 + NUMREGS] + vars[reg::K11]); + tval += randCoeff[RI(175)] * (vars[reg::K12 + NUMREGS] + vars[reg::K11 + NUMREGS] + vars[reg::K12]); + tval += randCoeff[RI(176)] * (vars[reg::K13 + NUMREGS] + vars[reg::K12 + NUMREGS] + vars[reg::K13]); + tval += randCoeff[RI(177)] * (vars[reg::K14 + NUMREGS] + vars[reg::K13 + NUMREGS] + vars[reg::K14]); + + tval += randCoeff[RI(178)] * (vars[reg::K20 + NUMREGS] + K_next[2][0]); + tval += randCoeff[RI(179)] * (vars[reg::K21 + NUMREGS] + vars[reg::K20 + NUMREGS] + vars[reg::K21]); + tval += randCoeff[RI(180)] * (vars[reg::K22 + NUMREGS] + vars[reg::K21 + NUMREGS] + vars[reg::K22]); + tval += randCoeff[RI(181)] * (vars[reg::K23 + NUMREGS] + vars[reg::K22 + NUMREGS] + vars[reg::K23]); + tval += randCoeff[RI(182)] * (vars[reg::K24 + NUMREGS] + vars[reg::K23 + NUMREGS] + vars[reg::K24]); + + tval += randCoeff[RI(183)] * (vars[reg::K30 + NUMREGS] + K_next[3][0]); + tval += randCoeff[RI(184)] * (vars[reg::K31 + NUMREGS] + vars[reg::K30 + NUMREGS] + vars[reg::K31]); + tval += randCoeff[RI(185)] * (vars[reg::K32 + NUMREGS] + vars[reg::K31 + NUMREGS] + vars[reg::K32]); + tval += randCoeff[RI(186)] * (vars[reg::K33 + NUMREGS] + vars[reg::K32 + NUMREGS] + vars[reg::K33]); + tval += randCoeff[RI(187)] * (vars[reg::K34 + NUMREGS] + vars[reg::K33 + NUMREGS] + vars[reg::K34]); + + tval += randCoeff[RI(188)] * (vars[reg::B00 + NUMREGS] + + consts::MixColMat[0][0] * vars[reg::B00] + consts::MixColMat[0][1] * vars[reg::B10] + + consts::MixColMat[0][2] * vars[reg::B20] + consts::MixColMat[0][3] * vars[reg::B30] + vars[reg::K00 + NUMREGS]); + + + tval += randCoeff[RI(189)] * (vars[reg::B01 + NUMREGS] + + consts::MixColMat[0][0] * vars[reg::B01] + consts::MixColMat[0][1] * vars[reg::B11] + + consts::MixColMat[0][2] * vars[reg::B21] + consts::MixColMat[0][3] * vars[reg::B31] + vars[reg::K01 + NUMREGS]); + + tval += randCoeff[RI(190)] * (vars[reg::B02 + NUMREGS] + + consts::MixColMat[0][0] * vars[reg::B02] + consts::MixColMat[0][1] * vars[reg::B12] + + consts::MixColMat[0][2] * vars[reg::B22] + consts::MixColMat[0][3] * vars[reg::B32] + vars[reg::K02 + NUMREGS]); + + tval += randCoeff[RI(191)] * (vars[reg::B03 + NUMREGS] + + consts::MixColMat[0][0] * vars[reg::B03] + consts::MixColMat[0][1] * vars[reg::B13] + + consts::MixColMat[0][2] * vars[reg::B23] + consts::MixColMat[0][3] * vars[reg::B33] + vars[reg::K03 + NUMREGS]); + + tval += randCoeff[RI(192)] * (vars[reg::B04 + NUMREGS] + + consts::MixColMat[0][0] * vars[reg::B04] + consts::MixColMat[0][1] * vars[reg::B14] + + consts::MixColMat[0][2] * vars[reg::B24] + consts::MixColMat[0][3] * vars[reg::B34] + vars[reg::K04 + NUMREGS]); + + + + tval += randCoeff[RI(193)] * (vars[reg::B10 + NUMREGS] + + consts::MixColMat[1][0] * vars[reg::B00] + consts::MixColMat[1][1] * vars[reg::B10] + + consts::MixColMat[1][2] * vars[reg::B20] + consts::MixColMat[1][3] * vars[reg::B30] + vars[reg::K10 + NUMREGS]); + + tval += randCoeff[RI(194)] * (vars[reg::B11 + NUMREGS] + + consts::MixColMat[1][0] * vars[reg::B01] + consts::MixColMat[1][1] * vars[reg::B11] + + consts::MixColMat[1][2] * vars[reg::B21] + consts::MixColMat[1][3] * vars[reg::B31] + vars[reg::K11 + NUMREGS]); + + tval += randCoeff[RI(195)] * (vars[reg::B12 + NUMREGS] + + consts::MixColMat[1][0] * vars[reg::B02] + consts::MixColMat[1][1] * vars[reg::B12] + + consts::MixColMat[1][2] * vars[reg::B22] + consts::MixColMat[1][3] * vars[reg::B32] + vars[reg::K12 + NUMREGS]); + + tval += randCoeff[RI(196)] * (vars[reg::B13 + NUMREGS] + + consts::MixColMat[1][0] * vars[reg::B03] + consts::MixColMat[1][1] * vars[reg::B13] + + consts::MixColMat[1][2] * vars[reg::B23] + consts::MixColMat[1][3] * vars[reg::B33] + vars[reg::K13 + NUMREGS]); + + tval += randCoeff[RI(197)] * (vars[reg::B14 + NUMREGS] + + consts::MixColMat[1][0] * vars[reg::B04] + consts::MixColMat[1][1] * vars[reg::B14] + + consts::MixColMat[1][2] * vars[reg::B24] + consts::MixColMat[1][3] * vars[reg::B34] + vars[reg::K14 + NUMREGS]); + + + + tval += randCoeff[RI(198)] * (vars[reg::B20 + NUMREGS] + + consts::MixColMat[2][0] * vars[reg::B00] + consts::MixColMat[2][1] * vars[reg::B10] + + consts::MixColMat[2][2] * vars[reg::B20] + consts::MixColMat[2][3] * vars[reg::B30] + vars[reg::K20 + NUMREGS]); + + tval += randCoeff[RI(199)] * (vars[reg::B21 + NUMREGS] + + consts::MixColMat[2][0] * vars[reg::B01] + consts::MixColMat[2][1] * vars[reg::B11] + + consts::MixColMat[2][2] * vars[reg::B21] + consts::MixColMat[2][3] * vars[reg::B31] + vars[reg::K21 + NUMREGS]); + + tval += randCoeff[RI(200)] * (vars[reg::B22 + NUMREGS] + + consts::MixColMat[2][0] * vars[reg::B02] + consts::MixColMat[2][1] * vars[reg::B12] + + consts::MixColMat[2][2] * vars[reg::B22] + consts::MixColMat[2][3] * vars[reg::B32] + vars[reg::K22 + NUMREGS]); + + tval += randCoeff[RI(201)] * (vars[reg::B23 + NUMREGS] + + consts::MixColMat[2][0] * vars[reg::B03] + consts::MixColMat[2][1] * vars[reg::B13] + + consts::MixColMat[2][2] * vars[reg::B23] + consts::MixColMat[2][3] * vars[reg::B33] + vars[reg::K23 + NUMREGS]); + + tval += randCoeff[RI(202)] * (vars[reg::B24 + NUMREGS] + + consts::MixColMat[2][0] * vars[reg::B04] + consts::MixColMat[2][1] * vars[reg::B14] + + consts::MixColMat[2][2] * vars[reg::B24] + consts::MixColMat[2][3] * vars[reg::B34] + vars[reg::K24 + NUMREGS]); + + + + tval += randCoeff[RI(203)] * (vars[reg::B30 + NUMREGS] + + consts::MixColMat[3][0] * vars[reg::B00] + consts::MixColMat[3][1] * vars[reg::B10] + + consts::MixColMat[3][2] * vars[reg::B20] + consts::MixColMat[3][3] * vars[reg::B30] + vars[reg::K30 + NUMREGS]); + + tval += randCoeff[RI(204)] * (vars[reg::B31 + NUMREGS] + + consts::MixColMat[3][0] * vars[reg::B01] + consts::MixColMat[3][1] * vars[reg::B11] + + consts::MixColMat[3][2] * vars[reg::B21] + consts::MixColMat[3][3] * vars[reg::B31] + vars[reg::K31 + NUMREGS]); + + tval += randCoeff[RI(205)] * (vars[reg::B32 + NUMREGS] + + consts::MixColMat[3][0] * vars[reg::B02] + consts::MixColMat[3][1] * vars[reg::B12] + + consts::MixColMat[3][2] * vars[reg::B22] + consts::MixColMat[3][3] * vars[reg::B32] + vars[reg::K32 + NUMREGS]); + + tval += randCoeff[RI(206)] * (vars[reg::B33 + NUMREGS] + + consts::MixColMat[3][0] * vars[reg::B03] + consts::MixColMat[3][1] * vars[reg::B13] + + consts::MixColMat[3][2] * vars[reg::B23] + consts::MixColMat[3][3] * vars[reg::B33] + vars[reg::K33 + NUMREGS]); + + tval += randCoeff[RI(207)] * (vars[reg::B34 + NUMREGS] + + consts::MixColMat[3][0] * vars[reg::B04] + consts::MixColMat[3][1] * vars[reg::B14] + + consts::MixColMat[3][2] * vars[reg::B24] + consts::MixColMat[3][3] * vars[reg::B34] + vars[reg::K34 + NUMREGS]); + + return tval; + } + + inline FieldElement evalCPolyAES160_MC_And_ARK(const std::vector & vars, FieldElement results[], + FieldElement PolyComputationInversePowers, FieldElement lastStepConstraints){ + FieldElement tval = zero(); + + tval += vars[reg::FLAG1 + NUMREGS]; + tval += randCoeff[RI(208)] * (vars[reg::FLAG2 + NUMREGS]); + tval += randCoeff[RI(209)] * (vars[reg::K14] * vars[reg::inv1] + one())*(vars[reg::K14] + randCoeff[RI(210)] * vars[reg::inv1]); + tval += randCoeff[RI(211)] * (vars[reg::K24] * vars[reg::inv2] + one())*(vars[reg::K24] + randCoeff[RI(212)] * vars[reg::inv2]); + tval += randCoeff[RI(213)] * (vars[reg::K34] * vars[reg::inv3] + one())*(vars[reg::K34] + randCoeff[RI(214)] * vars[reg::inv3]); + tval += randCoeff[RI(215)] * (vars[reg::K04] * vars[reg::inv4] + one())*(vars[reg::K04] + randCoeff[RI(216)] * vars[reg::inv4]); + + FieldElement K_next[4][5]; + + K_next[0][0] = results[0] + vars[reg::K00] + vars[reg::RC]; + K_next[0][1] = K_next[0][0] + vars[reg::K01]; + K_next[0][2] = K_next[0][1] + vars[reg::K02]; + K_next[0][3] = K_next[0][2] + vars[reg::K03]; + K_next[0][4] = K_next[0][3] + vars[reg::K04]; + + K_next[1][0] = results[1] + vars[reg::K10]; + K_next[1][1] = K_next[1][0] + vars[reg::K11]; + K_next[1][2] = K_next[1][1] + vars[reg::K12]; + K_next[1][3] = K_next[1][2] + vars[reg::K13]; + K_next[1][4] = K_next[1][3] + vars[reg::K14]; + + K_next[2][0] = results[2] + vars[reg::K20]; + K_next[2][1] = K_next[2][0] + vars[reg::K21]; + K_next[2][2] = K_next[2][1] + vars[reg::K22]; + K_next[2][3] = K_next[2][2] + vars[reg::K23]; + K_next[2][4] = K_next[2][3] + vars[reg::K24]; + + K_next[3][0] = results[3] + vars[reg::K30]; + K_next[3][1] = K_next[3][0] + vars[reg::K31]; + K_next[3][2] = K_next[3][1] + vars[reg::K32]; + K_next[3][3] = K_next[3][2] + vars[reg::K33]; + K_next[3][4] = K_next[3][3] + vars[reg::K34]; + + tval += randCoeff[RI(217)] * (vars[reg::RC] + consts::Rcon_round11)*evalCPolyNonLastRound(vars, K_next); + tval += randCoeff[RI(218)] * (one() + (vars[reg::RC] + consts::Rcon_round11)*vars[reg::invRC])*evalCPolyLastRound(vars, K_next, lastStepConstraints); + return tval; + + } + inline FieldElement evalCPolyAES160_LoopBody(const std::vector & vars, FieldElement lastStepConstraints){ + + FieldElement results[5]; + + results[0] = + vars[reg::inv1] * consts::polyFromMatrix[0] + + vars[reg::inv1] * vars[reg::inv1] * consts::polyFromMatrix[1] + + vars[reg::W11] * consts::polyFromMatrix[2] + + vars[reg::W11] * vars[reg::W11] * consts::polyFromMatrix[3] + + vars[reg::W12] * consts::polyFromMatrix[4] + + vars[reg::W12] * vars[reg::W12] * consts::polyFromMatrix[5] + + vars[reg::W13] * consts::polyFromMatrix[6] + + vars[reg::W13] * vars[reg::W13] * consts::polyFromMatrix[7] + + consts::B_Transformed; + ; + results[1] = + vars[reg::inv2] * consts::polyFromMatrix[0] + + vars[reg::inv2] * vars[reg::inv2] * consts::polyFromMatrix[1] + + vars[reg::W21] * consts::polyFromMatrix[2] + + vars[reg::W21] * vars[reg::W21] * consts::polyFromMatrix[3] + + vars[reg::W22] * consts::polyFromMatrix[4] + + vars[reg::W22] * vars[reg::W22] * consts::polyFromMatrix[5] + + vars[reg::W23] * consts::polyFromMatrix[6] + + vars[reg::W23] * vars[reg::W23] * consts::polyFromMatrix[7] + + consts::B_Transformed; + ; + results[2] = + vars[reg::inv3] * consts::polyFromMatrix[0] + + vars[reg::inv3] * vars[reg::inv3] * consts::polyFromMatrix[1] + + vars[reg::W31] * consts::polyFromMatrix[2] + + vars[reg::W31] * vars[reg::W31] * consts::polyFromMatrix[3] + + vars[reg::W32] * consts::polyFromMatrix[4] + + vars[reg::W32] * vars[reg::W32] * consts::polyFromMatrix[5] + + vars[reg::W33] * consts::polyFromMatrix[6] + + vars[reg::W33] * vars[reg::W33] * consts::polyFromMatrix[7] + + consts::B_Transformed; + ; + results[3] = + vars[reg::inv4] * consts::polyFromMatrix[0] + + vars[reg::inv4] * vars[reg::inv4] * consts::polyFromMatrix[1] + + vars[reg::W41] * consts::polyFromMatrix[2] + + vars[reg::W41] * vars[reg::W41] * consts::polyFromMatrix[3] + + vars[reg::W42] * consts::polyFromMatrix[4] + + vars[reg::W42] * vars[reg::W42] * consts::polyFromMatrix[5] + + vars[reg::W43] * consts::polyFromMatrix[6] + + vars[reg::W43] * vars[reg::W43] * consts::polyFromMatrix[7] + + consts::B_Transformed; + ; + results[4] = + vars[reg::inv5] * consts::polyFromMatrix[0] + + vars[reg::inv5] * vars[reg::inv5] * consts::polyFromMatrix[1] + + vars[reg::W51] * consts::polyFromMatrix[2] + + vars[reg::W51] * vars[reg::W51] * consts::polyFromMatrix[3] + + vars[reg::W52] * consts::polyFromMatrix[4] + + vars[reg::W52] * vars[reg::W52] * consts::polyFromMatrix[5] + + vars[reg::W53] * consts::polyFromMatrix[6] + + vars[reg::W53] * vars[reg::W53] * consts::polyFromMatrix[7] + + consts::B_Transformed; + ; + + FieldElement PolyComputationInversePowers = vars[reg::W11] + vars[reg::inv1] * vars[reg::inv1] * vars[reg::inv1] * vars[reg::inv1]; + PolyComputationInversePowers += randCoeff[RI(219)] * (vars[reg::W12] + vars[reg::W11] * vars[reg::W11] * vars[reg::W11] * vars[reg::W11]); + PolyComputationInversePowers += randCoeff[RI(220)] * (vars[reg::W13] + vars[reg::W12] * vars[reg::W12] * vars[reg::W12] * vars[reg::W12]); + + PolyComputationInversePowers += randCoeff[RI(221)] * (vars[reg::W21] + vars[reg::inv2] * vars[reg::inv2] * vars[reg::inv2] * vars[reg::inv2]); + PolyComputationInversePowers += randCoeff[RI(222)] * (vars[reg::W22] + vars[reg::W21] * vars[reg::W21] * vars[reg::W21] * vars[reg::W21]); + PolyComputationInversePowers += randCoeff[RI(223)] * (vars[reg::W23] + vars[reg::W22] * vars[reg::W22] * vars[reg::W22] * vars[reg::W22]); + + PolyComputationInversePowers += randCoeff[RI(224)] * (vars[reg::W31] + vars[reg::inv3] * vars[reg::inv3] * vars[reg::inv3] * vars[reg::inv3]); + PolyComputationInversePowers += randCoeff[RI(225)] * (vars[reg::W32] + vars[reg::W31] * vars[reg::W31] * vars[reg::W31] * vars[reg::W31]); + PolyComputationInversePowers += randCoeff[RI(226)] * (vars[reg::W33] + vars[reg::W32] * vars[reg::W32] * vars[reg::W32] * vars[reg::W32]); + + PolyComputationInversePowers += randCoeff[RI(227)] * (vars[reg::W41] + vars[reg::inv4] * vars[reg::inv4] * vars[reg::inv4] * vars[reg::inv4]); + PolyComputationInversePowers += randCoeff[RI(228)] * (vars[reg::W42] + vars[reg::W41] * vars[reg::W41] * vars[reg::W41] * vars[reg::W41]); + PolyComputationInversePowers += randCoeff[RI(229)] * (vars[reg::W43] + vars[reg::W42] * vars[reg::W42] * vars[reg::W42] * vars[reg::W42]); + + PolyComputationInversePowers += randCoeff[RI(230)] * (vars[reg::W51] + vars[reg::inv5] * vars[reg::inv5] * vars[reg::inv5] * vars[reg::inv5]); + PolyComputationInversePowers += randCoeff[RI(231)] * (vars[reg::W52] + vars[reg::W51] * vars[reg::W51] * vars[reg::W51] * vars[reg::W51]); + PolyComputationInversePowers += randCoeff[RI(232)] * (vars[reg::W53] + vars[reg::W52] * vars[reg::W52] * vars[reg::W52] * vars[reg::W52]); + + + FieldElement tval = randCoeff[RI(233)] * PolyComputationInversePowers; + + tval += randCoeff[RI(234)] * (vars[reg::FLAG1] + xFE())*evalCPolyAES160_SB_And_SR(vars, results, PolyComputationInversePowers); + tval += randCoeff[RI(235)] * vars[reg::FLAG1] * (vars[reg::FLAG1] + one())*evalCPolyAES160_MC_And_ARK(vars, results, PolyComputationInversePowers, lastStepConstraints); + return tval; + } + + inline FieldElement evalCPolyST2isXX(const std::vector & vars){ + FieldElement tval = vars[reg::PHASE + NUMREGS] + one(); + tval += randCoeff[RI(236)] * (vars[reg::STATE + NUMREGS] + one()); + tval += randCoeff[RI(237)] * (vars[reg::FLAG1 + NUMREGS]); + tval += randCoeff[RI(238)] * (vars[reg::FLAG2 + NUMREGS]); + + FieldElement gval = vars[reg::isSecondPhaseComparingLOCI + NUMREGS]; + gval += randCoeff[RI(244)] * vars[reg::PartialMATCH + NUMREGS] * (vars[reg::PartialMATCH + NUMREGS] + one()) * (vars[reg::MATCH + NUMREGS] + xFE()); + gval += randCoeff[RI(245)] * vars[reg::MATCH] * (vars[reg::MATCH] + one()) * (vars[reg::MATCH + NUMREGS] + xFE()); + gval += randCoeff[RI(246)] * vars[reg::PartialMATCH + NUMREGS] * (vars[reg::PartialMATCH + NUMREGS] + xFE()) * (vars[reg::MATCH] + xFE()) * (vars[reg::MATCH + NUMREGS] + one()); + gval += randCoeff[RI(247)] * (vars[reg::PartialMATCH + NUMREGS] + one())* (vars[reg::PartialMATCH + NUMREGS] + xFE()) * (vars[reg::MATCH] + one()) * (vars[reg::MATCH] + xFE()) * vars[reg::MATCH + NUMREGS]; + + gval *= vars[reg::isSecondPhaseComparingLOCI]; + + gval += (vars[reg::isSecondPhaseComparingLOCI] + one()) * + ((vars[reg::isSecondPhaseComparingLOCI + NUMREGS] + one()) + randCoeff[RI(242)] * (vars[reg::MATCH + NUMREGS] + vars[reg::MATCH]) + randCoeff[RI(243)] * (vars[reg::PartialMATCH + NUMREGS] + vars[reg::PartialMATCH])); + + tval += randCoeff[RI(248)] * gval; + + for (int i = 0; i < 20; i++){ + tval += randCoeff[RI(249 + i)] * (vars[reg::B00 + i + NUMREGS] + vars[reg::B00 + i]); + } + + tval += randCoeff[RI(269)] * (vars[reg::A + NUMREGS] + vars[reg::B00] + + xFE()*(vars[reg::B10] + + xFE()*(vars[reg::B20] + + xFE()*(vars[reg::B30] + + xFE()*(vars[reg::B01] + + xFE()*(vars[reg::B11] + + xFE()*(vars[reg::B21] + + xFE()*(vars[reg::B31])))))))); + + tval += randCoeff[RI(270)] * (vars[reg::B + NUMREGS] + vars[reg::B02] + + xFE()*(vars[reg::B12] + + xFE()*(vars[reg::B22] + + xFE()*(vars[reg::B32] + + xFE()*(vars[reg::B03] + + xFE()*(vars[reg::B13] + + xFE()*(vars[reg::B23] + + xFE()*(vars[reg::B33])))))))); + + tval += randCoeff[RI(271)] * (vars[reg::C + NUMREGS] + vars[reg::B04] + + xFE()*(vars[reg::B14] + + xFE()*(vars[reg::B24] + + xFE()*(vars[reg::B34])))); + + gval = vars[reg::L1] + vars[reg::A + NUMREGS]; + gval += randCoeff[RI(272)] * (vars[reg::L2] + vars[reg::B + NUMREGS]); + gval += randCoeff[RI(273)] * (vars[reg::L3] + vars[reg::C + NUMREGS]); + gval += randCoeff[RI(274)] * (vars[reg::L4] + vars[reg::K00] + + xFE()*(vars[reg::K10] + + xFE()*(vars[reg::K20] + + xFE()*(vars[reg::K30] + + xFE()*(vars[reg::K01] + + xFE()*(vars[reg::K11] + + xFE()*(vars[reg::K21] + + xFE()*(vars[reg::K31])))))))); + gval += randCoeff[RI(275)] * (vars[reg::L5] + vars[reg::K02] + + xFE()*(vars[reg::K12] + + xFE()*(vars[reg::K22] + + xFE()*(vars[reg::K32] + + xFE()*(vars[reg::K03] + + xFE()*(vars[reg::K13] + + xFE()*(vars[reg::K23] + + xFE()*(vars[reg::K33])))))))); + gval += randCoeff[RI(276)] * (vars[reg::L6] + vars[reg::K04] + + xFE()*(vars[reg::K14] + + xFE()*(vars[reg::K24] + + xFE()*(vars[reg::K34])))); + + gval *= ((vars[reg::K] + one())*vars[reg::STATE] + one()); + + tval += randCoeff[RI(277)] * gval; + return vars[reg::ST3] * (vars[reg::ST2] + one() + xFE()) * tval; + } + + inline FieldElement evalCPolyST2is1(const std::vector & vars){ + FieldElement tval = vars[reg::PHASE + NUMREGS]; + tval += randCoeff[RI(278)] * (vars[reg::isSecondPhaseComparingLOCI + NUMREGS] + vars[reg::isSecondPhaseComparingLOCI]); + tval += randCoeff[RI(279)] * (vars[reg::ST2 + NUMREGS] + xFE()); + + for (int i = 0; i < 4; ++i) + for (int j = 0; j < 5; ++j) + tval += randCoeff[RI(280 + 5*i + j)] * (vars[reg::B00 + j + 5 * i] + power(vars[reg::B00 + j + 5 * i + NUMREGS], 4)); + tval += randCoeff[RI(300)] * (vars[reg::W11] + power(vars[reg::B00], 4)) + randCoeff[RI(301)] * (vars[reg::W12] + power(vars[reg::W11], 4)); + tval += randCoeff[RI(302)] * (vars[reg::B00 + NUMREGS] + power(vars[reg::W12], 4)); + tval += randCoeff[RI(303)] * (vars[reg::W13] + power(vars[reg::B01], 4)) + randCoeff[RI(304)] * (vars[reg::W21] + power(vars[reg::W13], 4)); + tval += randCoeff[RI(305)] * (vars[reg::B01 + NUMREGS] + power(vars[reg::W21], 4)); + tval += randCoeff[RI(306)] * (vars[reg::W22] + power(vars[reg::B10], 4)) + randCoeff[RI(307)] * (vars[reg::W23] + power(vars[reg::W22], 4)); + tval += randCoeff[RI(308)] * (vars[reg::B10 + NUMREGS] + power(vars[reg::W23], 4)); + tval += randCoeff[RI(309)] * (vars[reg::W31] + power(vars[reg::B11], 4)) + randCoeff[RI(310)] * (vars[reg::W32] + power(vars[reg::W31], 4)); + tval += randCoeff[RI(311)] * (vars[reg::B11 + NUMREGS] + power(vars[reg::W32], 4)); + tval += randCoeff[RI(312)] * (vars[reg::W33] + power(vars[reg::B20], 4)) + randCoeff[RI(313)] * (vars[reg::W41] + power(vars[reg::W33], 4)); + tval += randCoeff[RI(314)] * (vars[reg::B20 + NUMREGS] + power(vars[reg::W41], 4)); + tval += randCoeff[RI(315)] * (vars[reg::W42] + power(vars[reg::B21], 4)) + randCoeff[RI(316)] * (vars[reg::W43] + power(vars[reg::W42], 4)); + tval += randCoeff[RI(317)] * (vars[reg::B21 + NUMREGS] + power(vars[reg::W43], 4)); + tval += randCoeff[RI(318)] * (vars[reg::W51] + power(vars[reg::B30], 4)) + randCoeff[RI(319)] * (vars[reg::W52] + power(vars[reg::W51], 4)); + tval += randCoeff[RI(320)] * (vars[reg::B30 + NUMREGS] + power(vars[reg::W52], 4)); + tval += randCoeff[RI(321)] * (vars[reg::W53] + power(vars[reg::B31], 4)) + randCoeff[RI(322)] * (vars[reg::W11 + NUMREGS] + power(vars[reg::W53], 4)); + tval += randCoeff[RI(323)] * (vars[reg::B31 + NUMREGS] + power(vars[reg::W11 + NUMREGS], 4)); + tval += randCoeff[RI(324)] * (vars[reg::W12 + NUMREGS] + power(vars[reg::B02], 4)) + randCoeff[RI(325)] * (vars[reg::W13 + NUMREGS] + power(vars[reg::W12 + NUMREGS], 4)); + tval += randCoeff[RI(326)] * (vars[reg::B02 + NUMREGS] + power(vars[reg::W13 + NUMREGS], 4)); + tval += randCoeff[RI(327)] * (vars[reg::W21 + NUMREGS] + power(vars[reg::B03], 4)) + randCoeff[RI(328)] * (vars[reg::W22 + NUMREGS] + power(vars[reg::W21 + NUMREGS], 4)); + tval += randCoeff[RI(329)] * (vars[reg::B03 + NUMREGS] + power(vars[reg::W22 + NUMREGS], 4)); + tval += randCoeff[RI(330)] * (vars[reg::W23 + NUMREGS] + power(vars[reg::B12], 4)) + randCoeff[RI(331)] * (vars[reg::W31 + NUMREGS] + power(vars[reg::W23 + NUMREGS], 4)); + tval += randCoeff[RI(332)] * (vars[reg::B12 + NUMREGS] + power(vars[reg::W31 + NUMREGS], 4)); + tval += randCoeff[RI(333)] * (vars[reg::W32 + NUMREGS] + power(vars[reg::B13], 4)) + randCoeff[RI(334)] * (vars[reg::W33 + NUMREGS] + power(vars[reg::W32 + NUMREGS], 4)); + tval += randCoeff[RI(335)] * (vars[reg::B13 + NUMREGS] + power(vars[reg::W33 + NUMREGS], 4)); + tval += randCoeff[RI(336)] * (vars[reg::W41 + NUMREGS] + power(vars[reg::B22], 4)) + randCoeff[RI(337)] * (vars[reg::W42 + NUMREGS] + power(vars[reg::W41 + NUMREGS], 4)); + tval += randCoeff[RI(338)] * (vars[reg::B22 + NUMREGS] + power(vars[reg::W42 + NUMREGS], 4)); + tval += randCoeff[RI(339)] * (vars[reg::W43 + NUMREGS] + power(vars[reg::B23], 4)) + randCoeff[RI(340)] * (vars[reg::W51 + NUMREGS] + power(vars[reg::W43 + NUMREGS], 4)); + tval += randCoeff[RI(341)] * (vars[reg::B23 + NUMREGS] + power(vars[reg::W51 + NUMREGS], 4)); + tval += randCoeff[RI(342)] * (vars[reg::W52 + NUMREGS] + power(vars[reg::B32], 4)) + randCoeff[RI(343)] * (vars[reg::W53 + NUMREGS] + power(vars[reg::W52 + NUMREGS], 4)); + tval += randCoeff[RI(344)] * (vars[reg::B32 + NUMREGS] + power(vars[reg::W53 + NUMREGS], 4)); + tval += randCoeff[RI(345)] * (vars[reg::inv1] + power(vars[reg::B33], 4)) + randCoeff[RI(346)] * (vars[reg::inv2] + power(vars[reg::inv1], 4)); + tval += randCoeff[RI(347)] * (vars[reg::B33 + NUMREGS] + power(vars[reg::inv2], 4)); + tval += randCoeff[RI(348)] * (vars[reg::inv3] + power(vars[reg::B04], 4)) + randCoeff[RI(349)] * (vars[reg::inv4] + power(vars[reg::inv3], 4)); + tval += randCoeff[RI(350)] * (vars[reg::B04 + NUMREGS] + power(vars[reg::inv4], 4)); + tval += randCoeff[RI(351)] * (vars[reg::inv5] + power(vars[reg::B14], 4)) + randCoeff[RI(352)] * (vars[reg::inv1 + NUMREGS] + power(vars[reg::inv5], 4)); + tval += randCoeff[RI(353)] * (vars[reg::B14 + NUMREGS] + power(vars[reg::inv1 + NUMREGS], 4)); + tval += randCoeff[RI(354)] * (vars[reg::inv2 + NUMREGS] + power(vars[reg::B24], 4)) + randCoeff[RI(355)] * (vars[reg::inv3 + NUMREGS] + power(vars[reg::inv2 + NUMREGS], 4)); + tval += randCoeff[RI(356)] * (vars[reg::B24 + NUMREGS] + power(vars[reg::inv3 + NUMREGS], 4)); + tval += randCoeff[RI(357)] * (vars[reg::inv4 + NUMREGS] + power(vars[reg::B34], 4)) + randCoeff[RI(358)] * (vars[reg::inv5 + NUMREGS] + power(vars[reg::inv4 + NUMREGS], 4)); + tval += randCoeff[RI(359)] * (vars[reg::B34 + NUMREGS] + power(vars[reg::inv5 + NUMREGS], 4)); + + FieldElement gval = (vars[reg::L4] + vars[reg::B00 + NUMREGS] + + xFE()*(vars[reg::B10 + NUMREGS] + + xFE()*(vars[reg::B20 + NUMREGS] + + xFE()*(vars[reg::B30 + NUMREGS] + + xFE()*(vars[reg::B01 + NUMREGS] + + xFE()*(vars[reg::B11 + NUMREGS] + + xFE()*(vars[reg::B21 + NUMREGS] + + xFE()*(vars[reg::B31 + NUMREGS])))))))); + gval += randCoeff[RI(360)] * (vars[reg::L5] + vars[reg::B02 + NUMREGS] + + xFE()*(vars[reg::B12 + NUMREGS] + + xFE()*(vars[reg::B22 + NUMREGS] + + xFE()*(vars[reg::B32 + NUMREGS] + + xFE()*(vars[reg::B03 + NUMREGS] + + xFE()*(vars[reg::B13 + NUMREGS] + + xFE()*(vars[reg::B23 + NUMREGS] + + xFE()*(vars[reg::B33 + NUMREGS])))))))); + gval += randCoeff[RI(361)] * (vars[reg::L6] + vars[reg::B04 + NUMREGS] + + xFE()*(vars[reg::B14 + NUMREGS] + + xFE()*(vars[reg::B24 + NUMREGS] + + xFE()*(vars[reg::B34 + NUMREGS])))); + gval *= vars[reg::isSecondPhaseComparingLOCI]; + FieldElement hval = (vars[reg::L1] + vars[reg::B00 + NUMREGS] + + xFE()*(vars[reg::B10 + NUMREGS] + + xFE()*(vars[reg::B20 + NUMREGS] + + xFE()*(vars[reg::B30 + NUMREGS] + + xFE()*(vars[reg::B01 + NUMREGS] + + xFE()*(vars[reg::B11 + NUMREGS] + + xFE()*(vars[reg::B21 + NUMREGS] + + xFE()*(vars[reg::B31 + NUMREGS])))))))); + hval += randCoeff[RI(362)] * (vars[reg::L2] + vars[reg::B02 + NUMREGS] + + xFE()*(vars[reg::B12 + NUMREGS] + + xFE()*(vars[reg::B22 + NUMREGS] + + xFE()*(vars[reg::B32 + NUMREGS] + + xFE()*(vars[reg::B03 + NUMREGS] + + xFE()*(vars[reg::B13 + NUMREGS] + + xFE()*(vars[reg::B23 + NUMREGS] + + xFE()*(vars[reg::B33 + NUMREGS])))))))); + hval += randCoeff[RI(363)] * (vars[reg::L3] + vars[reg::B04 + NUMREGS] + + xFE()*(vars[reg::B14 + NUMREGS] + + xFE()*(vars[reg::B24 + NUMREGS] + + xFE()*(vars[reg::B34 + NUMREGS])))); + hval *= (vars[reg::isSecondPhaseComparingLOCI] + one()); + tval += randCoeff[RI(364)] * (gval + hval); + return (vars[reg::PHASE] + one()) * (vars[reg::ST2] + xFE()) * (vars[reg::ST2] + one() + xFE()) * (vars[reg::ST2] + xFE() * xFE()) * tval; + } + + inline FieldElement evalCPolyST2isX(const std::vector & vars){ + FieldElement tval = vars[reg::PHASE + NUMREGS]; + tval += randCoeff[RI(365)] * (vars[reg::isSecondPhaseComparingLOCI + NUMREGS] + vars[reg::isSecondPhaseComparingLOCI]); + tval += randCoeff[RI(366)] * (vars[reg::ST2 + NUMREGS] + one() + xFE()); + for (int i = 0; i < 20; i++) + tval += randCoeff[RI(367 + i)] * (vars[reg::B00 + i + NUMREGS] + vars[reg::B00 + i]); + tval *= (vars[reg::ST2] + one()) * (vars[reg::ST2] + one() + xFE()) * (vars[reg::ST2] + xFE()*xFE()); + return tval; + } + + inline FieldElement evalCPolyST2is1XCompareLOCI(const std::vector & vars){ + FieldElement tval = vars[reg::PHASE + NUMREGS]; + tval += randCoeff[RI(387)] * (vars[reg::ST2 + NUMREGS] + xFE()*xFE()); + tval += randCoeff[RI(388)] * (vars[reg::isSecondPhaseComparingLOCI + NUMREGS] + vars[reg::isSecondPhaseComparingLOCI]); + tval += randCoeff[RI(389)] * (vars[reg::isSecondPhaseComparingLOCI] + one()) * (vars[reg::PartialMATCH] + xFE()); + const int rounds = 10; + for (int i = 0, nextFlagIndex = reg::PartialMATCH, AUX_REGRegIndex, lastFlagIndex; i < rounds; i++){ + int firstPartOfPairIndex = reg::B00 + NUMREGS + i; + int secondPartOfPairIndex = reg::B20 + NUMREGS + i; + lastFlagIndex = nextFlagIndex; + if (i < 8) { + nextFlagIndex = reg::FLAG1 + i; + } + else { + nextFlagIndex = (8 == i ? (reg::RC + NUMREGS) : (reg::PartialMATCH + NUMREGS)); + } + if (i < 5) { + AUX_REGRegIndex = reg::inv1 + 4 * i + NUMREGS; + } + else { + AUX_REGRegIndex = reg::inv1 + 4 * (i - 5); + } + //PRNMSG("regIndex = " << AUX_REGRegIndex); + //PRNMSG("firstPartIndex = " << firstPartOfPairIndex); + //PRNMSG("secondPartIndex = " << secondPartOfPairIndex); + //PRNMSG("lastFlagIndex = " << lastFlagIndex); + //PRNMSG("nextFlagIndex = " << nextFlagIndex); + + FieldElement tmp = (vars[firstPartOfPairIndex] + vars[firstPartOfPairIndex - NUMREGS]) * (vars[firstPartOfPairIndex] + vars[secondPartOfPairIndex - NUMREGS]); + //FieldElement tmp = (vars[firstPartOfPairIndex] + values[i + secondCompareLoci * rounds][0]) * (vars[firstPartOfPairIndex] + values[i + secondCompareLoci * rounds][1]); + tval += randCoeff[RI(390 + i)] * tmp*(vars[secondPartOfPairIndex] + vars[firstPartOfPairIndex - NUMREGS])*(vars[secondPartOfPairIndex] + vars[secondPartOfPairIndex - NUMREGS])*(vars[nextFlagIndex]); + tval += randCoeff[RI(400 + i)] * tmp*((vars[secondPartOfPairIndex] + vars[firstPartOfPairIndex - NUMREGS])*vars[AUX_REGRegIndex + 2] + one())*vars[lastFlagIndex] * (vars[nextFlagIndex] + one()); + tval += randCoeff[RI(410 + i)] * tmp*((vars[secondPartOfPairIndex] + vars[secondPartOfPairIndex - NUMREGS])*vars[AUX_REGRegIndex + 3] + one())*vars[lastFlagIndex] * (vars[nextFlagIndex] + one()); + tmp = (vars[secondPartOfPairIndex] + vars[firstPartOfPairIndex - NUMREGS])*(vars[secondPartOfPairIndex] + vars[secondPartOfPairIndex - NUMREGS]); + tval += randCoeff[RI(420 + i)] * ((vars[firstPartOfPairIndex] + vars[firstPartOfPairIndex - NUMREGS])*vars[AUX_REGRegIndex + 0] + one())*tmp*vars[lastFlagIndex] * (vars[nextFlagIndex] + one()); + tval += randCoeff[RI(430 + i)] * ((vars[firstPartOfPairIndex] + vars[secondPartOfPairIndex - NUMREGS])*vars[AUX_REGRegIndex + 1] + one())*tmp* vars[lastFlagIndex] * (vars[nextFlagIndex] + one()); + + tval += randCoeff[RI(440 + i)] * ((vars[firstPartOfPairIndex] + vars[secondPartOfPairIndex - NUMREGS])*vars[AUX_REGRegIndex + 1] + one())*((vars[secondPartOfPairIndex] + vars[firstPartOfPairIndex - NUMREGS])*vars[AUX_REGRegIndex + 2] + one())* (vars[nextFlagIndex] + vars[lastFlagIndex]); + tval += randCoeff[RI(450 + i)] * ((vars[firstPartOfPairIndex] + vars[firstPartOfPairIndex - NUMREGS])*vars[AUX_REGRegIndex + 0] + one())*((vars[secondPartOfPairIndex] + vars[secondPartOfPairIndex - NUMREGS])*vars[AUX_REGRegIndex + 3] + one())*(vars[nextFlagIndex] + vars[lastFlagIndex]); + tval += randCoeff[RI(460 + i)] * (vars[lastFlagIndex] + one())*(vars[lastFlagIndex] + xFE())*vars[nextFlagIndex]; + } + tval *= vars[reg::ST3] * (vars[reg::ST2] + xFE()*xFE()); + return tval; + } + + inline FieldElement evalCPolyStateIsX_FLAGS_ARE_11_lastStep(const std::vector & vars, const std::vector & RootHash){ + FieldElement tval = zero(); + for (int i = 0; i < 20; i++){ + tval += randCoeff[RI(470 + i)] * (vars[reg::B00 + i] + RootHash[i] ); + } + + tval += randCoeff[RI(490)] * (vars[reg::PHASE + NUMREGS] + one()); + tval += randCoeff[RI(491)] * (vars[reg::STATE + NUMREGS] + xFE()); + tval += randCoeff[RI(492)] * (vars[reg::FLAG1 + NUMREGS] + one()); + tval += randCoeff[RI(493)] * (vars[reg::FLAG2 + NUMREGS] + one()); + tval += randCoeff[RI(494)] * (vars[reg::K + NUMREGS] + vars[reg::K]); + + return tval; + } + + inline FieldElement evalCPolyStateIsX_FLAGS_ARE_11(const std::vector & vars, const std::vector & RootHash, const FieldElement& gN){ + FieldElement tval = vars[reg::PHASE + NUMREGS]; + for (int i = 0; i < 20; i++){ + tval += randCoeff[RI(495)] * (vars[reg::K00 + i + NUMREGS] + vars[reg::B00 + i]); + } + tval *= (vars[reg::K] + one()); + tval += randCoeff[RI(515)] * (vars[reg::K + NUMREGS] + vars[reg::K] * xFE()); + + tval = (xFE()*vars[reg::K] + gN) * tval; + tval += ((xFE()*vars[reg::K] + gN) * vars[reg::A] + one()) * evalCPolyStateIsX_FLAGS_ARE_11_lastStep(vars, RootHash); + return tval; + } + + + inline FieldElement evalCPolyStateIsX_FLAGS_ARE_00(const std::vector & vars){ + FieldElement tval = vars[reg::FLAG1 + NUMREGS]; + tval += randCoeff[RI(516)] * (vars[reg::FLAG2 + NUMREGS] + one()); + tval += randCoeff[RI(517)] * (vars[reg::B + NUMREGS] + vars[reg::B]); + tval += randCoeff[RI(518)] * (vars[reg::C + NUMREGS] + vars[reg::C]); + tval += randCoeff[RI(519)] * (vars[reg::A + NUMREGS] + vars[reg::K00 + 4 * 8] + xFE()*vars[reg::K00 + 4 * 9]); + reg::RegType regs[8] = { reg::K00, reg::K04, reg::K13, reg::K22, reg::K31, reg::inv1, reg::inv5, reg::W21}; + + FieldElement gval = zero(); + for (int i = 7; i >= 0; i--){ + gval = xFE()*gval + vars[regs[i]]; + } + tval += randCoeff[RI(520)] * (vars[reg::A] + gval); + + tval += randCoeff[RI(521)] * (vars[reg::B00 + NUMREGS] + vars[reg::B00] + vars[reg::K00]); + tval += randCoeff[RI(522)] * (vars[reg::B10 + NUMREGS] + vars[reg::B10] + vars[reg::K04]); + tval += randCoeff[RI(523)] * (vars[reg::B20 + NUMREGS] + vars[reg::B20] + vars[reg::K13]); + tval += randCoeff[RI(524)] * (vars[reg::B30 + NUMREGS] + vars[reg::B30] + vars[reg::K22]); + + tval += randCoeff[RI(525)] * (vars[reg::B01 + NUMREGS] + vars[reg::B01] + vars[reg::K31]); + tval += randCoeff[RI(526)] * (vars[reg::B11 + NUMREGS] + vars[reg::B11] + vars[reg::inv1]); + tval += randCoeff[RI(527)] * (vars[reg::B21 + NUMREGS] + vars[reg::B21] + vars[reg::inv5]); + tval += randCoeff[RI(528)] * (vars[reg::B31 + NUMREGS] + vars[reg::B31] + vars[reg::W21]); + + tval += randCoeff[RI(529)] * (vars[reg::B04 + NUMREGS] + vars[reg::B04] + vars[reg::W32]); + tval += randCoeff[RI(530)] * (vars[reg::B14 + NUMREGS] + vars[reg::B14] + vars[reg::W43]); + // + tval += randCoeff[RI(531)] * (vars[reg::B02 + NUMREGS] + vars[reg::B02]); + tval += randCoeff[RI(532)] * (vars[reg::B12 + NUMREGS] + vars[reg::B12]); + tval += randCoeff[RI(533)] * (vars[reg::B22 + NUMREGS] + vars[reg::B22]); + tval += randCoeff[RI(534)] * (vars[reg::B32 + NUMREGS] + vars[reg::B32]); + + tval += randCoeff[RI(535)] * (vars[reg::B03 + NUMREGS] + vars[reg::B03]); + tval += randCoeff[RI(536)] * (vars[reg::B13 + NUMREGS] + vars[reg::B13]); + tval += randCoeff[RI(537)] * (vars[reg::B23 + NUMREGS] + vars[reg::B23]); + tval += randCoeff[RI(538)] * (vars[reg::B33 + NUMREGS] + vars[reg::B33]); + + tval += randCoeff[RI(539)] * (vars[reg::B24 + NUMREGS] + vars[reg::B24]); + tval += randCoeff[RI(540)] * (vars[reg::B34 + NUMREGS] + vars[reg::B34]); + + + return tval; + + } + + inline FieldElement evalCPolyStateIsX_FLAGS_ARE_01(const std::vector & vars){ + FieldElement tval = vars[reg::FLAG1 + NUMREGS] + one(); + tval += randCoeff[RI(541)] * (vars[reg::FLAG2 + NUMREGS] + one()); + tval += randCoeff[RI(542)] * (vars[reg::A] + vars[reg::C] + xFE()*xFE()*(vars[reg::K00 + 4 * 8] + xFE()*vars[reg::K00 + 4 * 9])); + + reg::RegType regs[8] = { reg::K00, reg::K04, reg::K13, reg::K22, reg::K31, reg::inv1, reg::inv5, reg::W21 }; + + FieldElement gval = zero(); + for (int i = 7; i >= 0; i--){ + gval = xFE()*gval + vars[regs[i]]; + } + tval += randCoeff[RI(543)] * (vars[reg::B] + gval); + + tval += randCoeff[RI(544)] * (vars[reg::B02 + NUMREGS] + vars[reg::B02] + vars[reg::K00]); + tval += randCoeff[RI(545)] * (vars[reg::B12 + NUMREGS] + vars[reg::B12] + vars[reg::K04]); + tval += randCoeff[RI(546)] * (vars[reg::B22 + NUMREGS] + vars[reg::B22] + vars[reg::K13]); + tval += randCoeff[RI(547)] * (vars[reg::B32 + NUMREGS] + vars[reg::B32] + vars[reg::K22]); + + tval += randCoeff[RI(548)] * (vars[reg::B03 + NUMREGS] + vars[reg::B03] + vars[reg::K31]); + tval += randCoeff[RI(549)] * (vars[reg::B13 + NUMREGS] + vars[reg::B13] + vars[reg::inv1]); + tval += randCoeff[RI(550)] * (vars[reg::B23 + NUMREGS] + vars[reg::B23] + vars[reg::inv5]); + tval += randCoeff[RI(551)] * (vars[reg::B33 + NUMREGS] + vars[reg::B33] + vars[reg::W21]); + + tval += randCoeff[RI(552)] * (vars[reg::B24 + NUMREGS] + vars[reg::B24] + vars[reg::W32]); + tval += randCoeff[RI(553)] * (vars[reg::B34 + NUMREGS] + vars[reg::B34] + vars[reg::W43]); + + tval += randCoeff[RI(554)] * (vars[reg::B00 + NUMREGS] + vars[reg::B00]); + tval += randCoeff[RI(555)] * (vars[reg::B10 + NUMREGS] + vars[reg::B10]); + tval += randCoeff[RI(556)] * (vars[reg::B20 + NUMREGS] + vars[reg::B20]); + tval += randCoeff[RI(557)] * (vars[reg::B30 + NUMREGS] + vars[reg::B30]); + + tval += randCoeff[RI(558)] * (vars[reg::B01 + NUMREGS] + vars[reg::B01]); + tval += randCoeff[RI(559)] * (vars[reg::B11 + NUMREGS] + vars[reg::B11]); + tval += randCoeff[RI(560)] * (vars[reg::B21 + NUMREGS] + vars[reg::B21]); + tval += randCoeff[RI(561)] * (vars[reg::B31 + NUMREGS] + vars[reg::B31]); + + tval += randCoeff[RI(562)] * (vars[reg::B04 + NUMREGS] + vars[reg::B04]); + tval += randCoeff[RI(563)] * (vars[reg::B14 + NUMREGS] + vars[reg::B14]); + + return tval; + + } + + inline FieldElement evalCPolyStateIsX_FLAGS_ARE_0_(const std::vector & vars){ + FieldElement tval = vars[reg::STATE + NUMREGS] + xFE(); + tval += randCoeff[RI(564)] * (vars[reg::K + NUMREGS] + vars[reg::K]); + + for (int i = 0; i < 10; i++){ + tval += randCoeff[RI(565 + i)] * (vars[reg::K00 + 4 * i + 1] + power(vars[reg::K00 + 4 * i], 4)); + tval += randCoeff[RI(575 + i)] * (vars[reg::K00 + 4 * i + 2] + power(vars[reg::K00 + 4 * i + 1], 4)); + tval += randCoeff[RI(585 + i)] * (vars[reg::K00 + 4 * i + 3] + power(vars[reg::K00 + 4 * i + 2], 4)); + tval += randCoeff[RI(595 + i)] * (vars[reg::K00 + 4 * i] + power(vars[reg::K00 + 4 * i + 3], 4)); // for field x elment in group which size 2^n, pow(x, n) = x + } + + + return tval; + } + inline FieldElement evalCPolyStateIsX(const std::vector & vars, FieldElement lastStepConstraints, const std::vector & RootHash, FieldElement gN){ + FieldElement tval = (vars[reg::FLAG1] + one()) * evalCPolyStateIsX_FLAGS_ARE_0_(vars); + tval += randCoeff[RI(605)] * (vars[reg::FLAG1] + one()) * (vars[reg::FLAG2] + one()) * evalCPolyStateIsX_FLAGS_ARE_00(vars); + tval += randCoeff[RI(606)] * (vars[reg::FLAG1] + one()) * vars[reg::FLAG2] * evalCPolyStateIsX_FLAGS_ARE_01(vars); + tval += randCoeff[RI(607)] * vars[reg::FLAG1] * vars[reg::FLAG2] * evalCPolyStateIsX_FLAGS_ARE_11(vars, RootHash, gN); + + return tval; //TODO: remove some rand coeffs + } + + FieldElement evalCPoly(const std::vector & vars, + const std::vector & RootHash, const FieldElement& gN){ +#if 0 + for (int i = 0; i < RN; i++){ + randCoeff[i] = one(); + } +#endif + FieldElement lastStepConstraintsOfAes160 = (vars[reg::STATE + NUMREGS] + xFE()); + + FieldElement tval = vars[reg::A + NUMREGS] + vars[reg::A]; + tval += randCoeff[RI(608)]*(vars[reg::B + NUMREGS] + vars[reg::B]); + tval += randCoeff[RI(609)]*(vars[reg::C + NUMREGS] + vars[reg::C]); + tval += randCoeff[RI(610)] * (vars[reg::K + NUMREGS] + vars[reg::K]); + tval += randCoeff[RI(611)] * (vars[reg::PHASE + NUMREGS] + vars[reg::PHASE]); + + tval = (vars[reg::STATE] + xFE()) * (tval + randCoeff[RI(612)] * evalCPolyAES160_LoopBody(vars, lastStepConstraintsOfAes160)); + tval += (vars[reg::STATE] + one()) * evalCPolyStateIsX(vars, zero(), RootHash, gN); + tval += randCoeff[RI(613)] * (vars[reg::ST2 + NUMREGS] + one()); + tval += randCoeff[RI(614)] * (vars[reg::isSecondPhaseComparingLOCI + NUMREGS] + vars[reg::isSecondPhaseComparingLOCI]); + tval *= vars[reg::PHASE]; + + FieldElement gval = zero(); + for (int i = 0; i < 20; i++){ + gval += randCoeff[RI(615 + i)] * (vars[reg::K00 + i + NUMREGS] + vars[reg::K00 + i]); + } + tval += (vars[reg::PHASE] + one()) * gval; + + gval = evalCPolyST2is1(vars); + gval += evalCPolyST2isX(vars); + gval += evalCPolyST2is1XCompareLOCI(vars); + gval += evalCPolyST2isXX(vars); + + tval = randCoeff[RI(635)] * tval + randCoeff[RI(636)] * gval; + tval += randCoeff[RI(637)] * (vars[reg::L1 + NUMREGS] + vars[reg::L1]); + tval += randCoeff[RI(638)] * (vars[reg::L2 + NUMREGS] + vars[reg::L2]); + tval += randCoeff[RI(639)] * (vars[reg::L3 + NUMREGS] + vars[reg::L3]); + tval += randCoeff[RI(640)] * (vars[reg::L4 + NUMREGS] + vars[reg::L4]); + tval += randCoeff[RI(641)] * (vars[reg::L5 + NUMREGS] + vars[reg::L5]); + tval += randCoeff[RI(642)] * (vars[reg::L6 + NUMREGS] + vars[reg::L6]); + tval += vars[reg::ST3] + (vars[reg::ST2] + one()) * (vars[reg::ST2] + xFE()); + return tval; + } + + + std::vector evalp::rHash = std::vector(20); + FieldElement evalp::last_leaf_index; + void evalp::setParams(const std::vector& rootHash, const FieldElement& last_leaf_index, const int prngseed) { + Algebra::rng.seed(prngseed); + evalp::last_leaf_index = last_leaf_index; + for (int i = 0; i < 20; i++) + rHash[i] = rootHash[reg::B00 + i]; + for (int i = 0; i < RN; ++i) + randCoeff[i] = Algebra::generateRandom(); + } + FieldElement evalp::ep(const std::vector& vars) { + return evalCPoly(vars, evalp::rHash, evalp::last_leaf_index); + } + +#if 0 +#include "pyeval_AES160LOCIhashc.cpp" +#endif +} //namespace diff --git a/starkdpm/AES160hashcLOCI_GenWitness.cpp b/starkdpm/AES160hashcLOCI_GenWitness.cpp new file mode 100644 index 0000000..2e30776 --- /dev/null +++ b/starkdpm/AES160hashcLOCI_GenWitness.cpp @@ -0,0 +1,819 @@ +//#include +#include "AES160hashcLOCI.hpp" +//#include + +//#define DBGwitness +#define CYCLES 62 +#define LOCIseed 123 + +using namespace Algebra; + +namespace AES160hashcLOCI { + +#ifndef DBGwitness +#define DBGGET(a,b,c) (a)[(b)][(c)] +#else + std::set> dbgSet; + inline FieldElement& DBGGET(witnessType a, size_t row, int column) { + std::pair tmp = std::pair(row, column); + dbgSet.insert(tmp); + return a[row][column]; + } +#endif + + void isZeroDigitCompute(witnessType arr, size_t t, FieldElement NUM, reg::RegType BIT, reg::RegType W, int digit) { + if ((size_t(1) << digit) & mapFieldElementToInteger(0, EXTDIM, NUM)) { + DBGGET(arr, t, BIT) = one(); + DBGGET(arr, t, W) = extractBit(mapIntegerToFieldElement(0, EXTDIM, size_t(1) << digit)*arr[t][BIT] + NUM, digit); + } + else { + DBGGET(arr, t, BIT) = zero(); + DBGGET(arr, t, W) = extractBit(NUM, digit); + } + } + void SaveRegisters(witnessType arr, size_t t){ + for (int i = 0; i < NUMREGS; i++){ + DBGGET(arr, t + 1, i) = arr[t][i]; + } + } + + + void SubBytesAUX_REG2(witnessType arr, size_t t, int x, size_t resT, int y, int z, int u, int v, int w){ + DBGGET(arr, t, y) = (arr[t][x] != zero()) ? arr[t][x].inverse() : zero(); + FieldElement a = arr[t][y]; + FieldElement b = a*a; + DBGGET(arr, t, u) = b*b;//inv^4 + + a = arr[t][u]; + b = a*a; + DBGGET(arr, t, v) = b*b;//inv^16 + + a = arr[t][v]; + b = a*a; + DBGGET(arr, t, w) = b*b;//inv^64 + + DBGGET(arr, resT, z) = consts::polyFromMatrix[0] * arr[t][y] + consts::polyFromMatrix[1] * arr[t][y] * arr[t][y] + + consts::polyFromMatrix[2] * arr[t][u] + consts::polyFromMatrix[3] * arr[t][u] * arr[t][u] + + consts::polyFromMatrix[4] * arr[t][v] + consts::polyFromMatrix[5] * arr[t][v] * arr[t][v] + + consts::polyFromMatrix[6] * arr[t][w] + consts::polyFromMatrix[7] * arr[t][w] * arr[t][w] + consts::B_Transformed; + + //std::cout << "--------- check: ---------- x = " << x << arr[t + 1][z] << std::endl; + + } + + void SubBytesAUX_REGMethodA(witnessType arr, size_t t, reg::RegType regs[], size_t resT, reg::RegType res[], int size){ + reg::RegType W = reg::W11; + for (int i = 0; i < size; i++){ + SubBytesAUX_REG2(arr, t, regs[i], resT, (reg::RegType((int)reg::inv1 + i)), + res[i], W + i * 3, W + i * 3 + 1, W + i * 3 + 2); + } + } + + void MixColumns(witnessType arr, size_t t){ + DBGGET(arr, t + 1, reg::B00) = consts::MixColMat[0][0] * arr[t][reg::B00] + consts::MixColMat[0][1] * arr[t][reg::B10] + + consts::MixColMat[0][2] * arr[t][reg::B20] + consts::MixColMat[0][3] * arr[t][reg::B30]; + + DBGGET(arr, t + 1, reg::B01) = consts::MixColMat[0][0] * arr[t][reg::B01] + consts::MixColMat[0][1] * arr[t][reg::B11] + + consts::MixColMat[0][2] * arr[t][reg::B21] + consts::MixColMat[0][3] * arr[t][reg::B31]; + + DBGGET(arr, t + 1, reg::B02) = consts::MixColMat[0][0] * arr[t][reg::B02] + consts::MixColMat[0][1] * arr[t][reg::B12] + + consts::MixColMat[0][2] * arr[t][reg::B22] + consts::MixColMat[0][3] * arr[t][reg::B32]; + + DBGGET(arr, t + 1, reg::B03) = consts::MixColMat[0][0] * arr[t][reg::B03] + consts::MixColMat[0][1] * arr[t][reg::B13] + + consts::MixColMat[0][2] * arr[t][reg::B23] + consts::MixColMat[0][3] * arr[t][reg::B33]; + + DBGGET(arr, t + 1, reg::B04) = consts::MixColMat[0][0] * arr[t][reg::B04] + consts::MixColMat[0][1] * arr[t][reg::B14] + + consts::MixColMat[0][2] * arr[t][reg::B24] + consts::MixColMat[0][3] * arr[t][reg::B34]; + + + + DBGGET(arr, t + 1, reg::B10) = consts::MixColMat[1][0] * arr[t][reg::B00] + consts::MixColMat[1][1] * arr[t][reg::B10] + + consts::MixColMat[1][2] * arr[t][reg::B20] + consts::MixColMat[1][3] * arr[t][reg::B30]; + + DBGGET(arr, t + 1, reg::B11) = consts::MixColMat[1][0] * arr[t][reg::B01] + consts::MixColMat[1][1] * arr[t][reg::B11] + + consts::MixColMat[1][2] * arr[t][reg::B21] + consts::MixColMat[1][3] * arr[t][reg::B31]; + + DBGGET(arr, t + 1, reg::B12) = consts::MixColMat[1][0] * arr[t][reg::B02] + consts::MixColMat[1][1] * arr[t][reg::B12] + + consts::MixColMat[1][2] * arr[t][reg::B22] + consts::MixColMat[1][3] * arr[t][reg::B32]; + + DBGGET(arr, t + 1, reg::B13) = consts::MixColMat[1][0] * arr[t][reg::B03] + consts::MixColMat[1][1] * arr[t][reg::B13] + + consts::MixColMat[1][2] * arr[t][reg::B23] + consts::MixColMat[1][3] * arr[t][reg::B33]; + + DBGGET(arr, t + 1, reg::B14) = consts::MixColMat[1][0] * arr[t][reg::B04] + consts::MixColMat[1][1] * arr[t][reg::B14] + + consts::MixColMat[1][2] * arr[t][reg::B24] + consts::MixColMat[1][3] * arr[t][reg::B34]; + + + DBGGET(arr, t + 1, reg::B20) = consts::MixColMat[2][0] * arr[t][reg::B00] + consts::MixColMat[2][1] * arr[t][reg::B10] + + consts::MixColMat[2][2] * arr[t][reg::B20] + consts::MixColMat[2][3] * arr[t][reg::B30]; + + DBGGET(arr, t + 1, reg::B21) = consts::MixColMat[2][0] * arr[t][reg::B01] + consts::MixColMat[2][1] * arr[t][reg::B11] + + consts::MixColMat[2][2] * arr[t][reg::B21] + consts::MixColMat[2][3] * arr[t][reg::B31]; + + DBGGET(arr, t + 1, reg::B22) = consts::MixColMat[2][0] * arr[t][reg::B02] + consts::MixColMat[2][1] * arr[t][reg::B12] + + consts::MixColMat[2][2] * arr[t][reg::B22] + consts::MixColMat[2][3] * arr[t][reg::B32]; + + DBGGET(arr, t + 1, reg::B23) = consts::MixColMat[2][0] * arr[t][reg::B03] + consts::MixColMat[2][1] * arr[t][reg::B13] + + consts::MixColMat[2][2] * arr[t][reg::B23] + consts::MixColMat[2][3] * arr[t][reg::B33]; + + DBGGET(arr, t + 1, reg::B24) = consts::MixColMat[2][0] * arr[t][reg::B04] + consts::MixColMat[2][1] * arr[t][reg::B14] + + consts::MixColMat[2][2] * arr[t][reg::B24] + consts::MixColMat[2][3] * arr[t][reg::B34]; + + + DBGGET(arr, t + 1, reg::B30) = consts::MixColMat[3][0] * arr[t][reg::B00] + consts::MixColMat[3][1] * arr[t][reg::B10] + + consts::MixColMat[3][2] * arr[t][reg::B20] + consts::MixColMat[3][3] * arr[t][reg::B30]; + + DBGGET(arr, t + 1, reg::B31) = consts::MixColMat[3][0] * arr[t][reg::B01] + consts::MixColMat[3][1] * arr[t][reg::B11] + + consts::MixColMat[3][2] * arr[t][reg::B21] + consts::MixColMat[3][3] * arr[t][reg::B31]; + + DBGGET(arr, t + 1, reg::B32) = consts::MixColMat[3][0] * arr[t][reg::B02] + consts::MixColMat[3][1] * arr[t][reg::B12] + + consts::MixColMat[3][2] * arr[t][reg::B22] + consts::MixColMat[3][3] * arr[t][reg::B32]; + + DBGGET(arr, t + 1, reg::B33) = consts::MixColMat[3][0] * arr[t][reg::B03] + consts::MixColMat[3][1] * arr[t][reg::B13] + + consts::MixColMat[3][2] * arr[t][reg::B23] + consts::MixColMat[3][3] * arr[t][reg::B33]; + + DBGGET(arr, t + 1, reg::B34) = consts::MixColMat[3][0] * arr[t][reg::B04] + consts::MixColMat[3][1] * arr[t][reg::B14] + + consts::MixColMat[3][2] * arr[t][reg::B24] + consts::MixColMat[3][3] * arr[t][reg::B34]; + + } + + + size_t loopBody(witnessType arr, size_t t, bool isLastRound = false){ + SaveRegisters(arr, t); + if (arr[t][reg::FLAG1] == zero() && arr[t][reg::FLAG2] == zero()){ + if (arr[t][reg::RC] + consts::Rcon_round11 != zero()){ + DBGGET(arr, t, reg::invRC) = DBGGET(arr, t + 1, reg::invRC) = (arr[t][reg::RC] + consts::Rcon_round11).inverse(); + } + reg::RegType regs[8] = { reg::B00, reg::B01, reg::B02, reg::B03, reg::B04 }; + reg::RegType res[8] = { reg::B00, reg::B01, reg::B02, reg::B03, reg::B04 }; + + SubBytesAUX_REGMethodA(arr, t, regs, t + 1, res, 5); + DBGGET(arr, t + 1, reg::FLAG2) = one(); + } + else if (arr[t][reg::FLAG1] == zero() && arr[t][reg::FLAG2] == one()){ + + reg::RegType regs[8] = { reg::B10, reg::B11, reg::B12, reg::B13, reg::B14 }; + reg::RegType res[8] = { reg::B14, reg::B10, reg::B11, reg::B12, reg::B13 }; + SubBytesAUX_REGMethodA(arr, t, regs, t + 1, res, 5); + DBGGET(arr, t + 1, reg::FLAG1) = one(); + DBGGET(arr, t + 1, reg::FLAG2) = zero(); + DBGMSG("t = " << t << ": -----inv4: " << arr[t][reg::inv4] << "\nB13: " << arr[t][reg::B13] << std::endl); + + } + else if (arr[t][reg::FLAG1] == one() && arr[t][reg::FLAG2] == zero()){ + reg::RegType regs[8] = { reg::B20, reg::B21, reg::B22, reg::B23, reg::B24 }; + reg::RegType res[8] = { reg::B23, reg::B24, reg::B20, reg::B21, reg::B22 }; + SubBytesAUX_REGMethodA(arr, t, regs, t + 1, res, 5); + DBGGET(arr, t + 1, reg::FLAG2) = one(); + + } + else if (arr[t][reg::FLAG1] == one() && arr[t][reg::FLAG2] == one()){ + reg::RegType regs[8] = { reg::B30, reg::B31, reg::B32, reg::B33, reg::B34 }; + reg::RegType res[8] = { reg::B32, reg::B33, reg::B34, reg::B30, reg::B31 }; + SubBytesAUX_REGMethodA(arr, t, regs, t + 1, res, 5); + DBGGET(arr, t + 1, reg::FLAG1) = xFE(); + + DBGGET(arr, t + 1, reg::FLAG2) = zero(); + } + else if (arr[t][reg::FLAG1] == xFE()){ + DBGGET(arr, t + 1, reg::FLAG2) = zero(); + DBGGET(arr, t + 1, reg::invRC) = zero(); + + if (!isLastRound)//do it with RC + { + DBGGET(arr, t + 1, reg::RC) = arr[t][reg::RC] * consts::xFETransformed; + MixColumns(arr, t); + //DBGGET(arr, t + 1, reg::RC) = arr[t][reg::RC] * consts::xFETransformed; + } + //arr[t][reg::K13] = zero(); + reg::RegType regs[] = { reg::K14, reg::K24, reg::K34, reg::K04 }; + reg::RegType res[] = { reg::W51, reg::W52, reg::W53, reg::inv5 }; + + SubBytesAUX_REGMethodA(arr, t, regs, t, res, 4); + + DBGGET(arr, t + 1, reg::K00) = arr[t][reg::W51] + arr[t][reg::K00] + arr[t][reg::RC]; + DBGGET(arr, t + 1, reg::K10) = arr[t][reg::W52] + arr[t][reg::K10]; + DBGGET(arr, t + 1, reg::K20) = arr[t][reg::W53] + arr[t][reg::K20]; + DBGGET(arr, t + 1, reg::K30) = arr[t][reg::inv5] + arr[t][reg::K30]; + + DBGGET(arr, t + 1, reg::K01) = arr[t + 1][reg::K00] + arr[t][reg::K01]; + DBGGET(arr, t + 1, reg::K11) = arr[t + 1][reg::K10] + arr[t][reg::K11]; + DBGGET(arr, t + 1, reg::K21) = arr[t + 1][reg::K20] + arr[t][reg::K21]; + DBGGET(arr, t + 1, reg::K31) = arr[t + 1][reg::K30] + arr[t][reg::K31]; + + DBGGET(arr, t + 1, reg::K02) = arr[t + 1][reg::K01] + arr[t][reg::K02]; + DBGGET(arr, t + 1, reg::K12) = arr[t + 1][reg::K11] + arr[t][reg::K12]; + DBGGET(arr, t + 1, reg::K22) = arr[t + 1][reg::K21] + arr[t][reg::K22]; + DBGGET(arr, t + 1, reg::K32) = arr[t + 1][reg::K31] + arr[t][reg::K32]; + + DBGGET(arr, t + 1, reg::K03) = arr[t + 1][reg::K02] + arr[t][reg::K03]; + DBGGET(arr, t + 1, reg::K13) = arr[t + 1][reg::K12] + arr[t][reg::K13]; + DBGGET(arr, t + 1, reg::K23) = arr[t + 1][reg::K22] + arr[t][reg::K23]; + DBGGET(arr, t + 1, reg::K33) = arr[t + 1][reg::K32] + arr[t][reg::K33]; + + DBGGET(arr, t + 1, reg::K04) = arr[t + 1][reg::K03] + arr[t][reg::K04]; + DBGGET(arr, t + 1, reg::K14) = arr[t + 1][reg::K13] + arr[t][reg::K14]; + DBGGET(arr, t + 1, reg::K24) = arr[t + 1][reg::K23] + arr[t][reg::K24]; + DBGGET(arr, t + 1, reg::K34) = arr[t + 1][reg::K33] + arr[t][reg::K34]; + + for (int w = 0; w < 20; w++){ + DBGGET(arr, t + 1, reg::B00 + w) = arr[t + 1][reg::B00 + w] + arr[t + 1][(reg::K00 + w)]; + + } + + DBGGET(arr, t, reg::W51) = zero(); + DBGGET(arr, t, reg::W52) = zero(); + DBGGET(arr, t, reg::W53) = zero(); + DBGGET(arr, t, reg::inv5) = zero(); + + if (isLastRound) + { + DBGGET(arr, t + 1, reg::FLAG2) = zero(); + DBGGET(arr, t + 1, reg::invRC) = one(); + //DBGGET(arr, t + 1, reg::RC) = zero(); + //DBGGET(arr, t + 1, reg::STATE) = xFE(); + } + else{ + DBGGET(arr, t + 1, reg::FLAG1) = DBGGET(arr, t + 1, reg::FLAG2) = zero(); + + } + } + else { + DBGMSG("ERROR: need satisfy one condition"); + } + + return t + 1; + } + + size_t genWitnessAES160(witnessType arr, size_t t){ + DBGMSG("tppppp = " << t << ": flag1 = " << arr[t][reg::FLAG1]); + DBGMSG("tppppp = " << t << ": flag2 = " << arr[t][reg::FLAG2]); + while (arr[t][reg::RC] != consts::Rcon_round11) + { + t = loopBody(arr, t); + + } + + + t = loopBody(arr, t, true); + t = loopBody(arr, t, true); + t = loopBody(arr, t, true); + t = loopBody(arr, t, true); + + t = loopBody(arr, t, true); + DBGMSG("t......... = " << t << ": res1 = " << arr[t][reg::K20]); + return t; + + } + + + size_t computeAES160(witnessType arr){ + FieldElement RC = one(); + std::vector arr2(20); + for (int i = 0; i < 20; i++){ + arr2[i] = arr[0][reg::B00 + i]; + } + size_t t = 0; + for (RC = one(); RC != consts::Rcon_round11*consts::xFETransformed; RC *= consts::xFETransformed){ + + reg::RegType regs[8] = { reg::B00, reg::B01, reg::B02, reg::B03, reg::B04 }; + reg::RegType res[8] = { reg::B00, reg::B01, reg::B02, reg::B03, reg::B04 }; + SubBytesAUX_REGMethodA(arr, t, regs, t + 1, res, 5); + + reg::RegType regs2[8] = { reg::B10, reg::B11, reg::B12, reg::B13, reg::B14 }; + reg::RegType res2[8] = { reg::B14, reg::B10, reg::B11, reg::B12, reg::B13 }; + SubBytesAUX_REGMethodA(arr, t, regs2, t + 1, res2, 5); + + reg::RegType regs3[8] = { reg::B20, reg::B21, reg::B22, reg::B23, reg::B24 }; + reg::RegType res3[8] = { reg::B23, reg::B24, reg::B20, reg::B21, reg::B22 }; + SubBytesAUX_REGMethodA(arr, t, regs3, t + 1, res3, 5); + + reg::RegType regs4[8] = { reg::B30, reg::B31, reg::B32, reg::B33, reg::B34 }; + reg::RegType res4[8] = { reg::B32, reg::B33, reg::B34, reg::B30, reg::B31 }; + SubBytesAUX_REGMethodA(arr, t, regs4, t + 1, res4, 5); + + for (int i = 0; i < 20; i++){ + arr[t][reg::B00 + i] = arr[t + 1][reg::B00 + i]; + } + + if (RC != consts::Rcon_round11)//do it with RC + { + MixColumns(arr, t); + //DBGGET(arr, t + 1, reg::RC) = arr[t][reg::RC] * consts::xFETransformed; + } + //arr[t][reg::K13] = zero(); + reg::RegType regs5[] = { reg::K14, reg::K24, reg::K34, reg::K04 }; + reg::RegType res5[] = { reg::W51, reg::W52, reg::W53, reg::inv5 }; + + SubBytesAUX_REGMethodA(arr, t, regs5, t, res5, 4); + + DBGGET(arr, t + 1, reg::K00) = arr[t][reg::W51] + arr[t][reg::K00] + RC; + DBGGET(arr, t + 1, reg::K10) = arr[t][reg::W52] + arr[t][reg::K10]; + DBGGET(arr, t + 1, reg::K20) = arr[t][reg::W53] + arr[t][reg::K20]; + DBGGET(arr, t + 1, reg::K30) = arr[t][reg::inv5] + arr[t][reg::K30]; + + DBGGET(arr, t + 1, reg::K01) = arr[t + 1][reg::K00] + arr[t][reg::K01]; + DBGGET(arr, t + 1, reg::K11) = arr[t + 1][reg::K10] + arr[t][reg::K11]; + DBGGET(arr, t + 1, reg::K21) = arr[t + 1][reg::K20] + arr[t][reg::K21]; + DBGGET(arr, t + 1, reg::K31) = arr[t + 1][reg::K30] + arr[t][reg::K31]; + + DBGGET(arr, t + 1, reg::K02) = arr[t + 1][reg::K01] + arr[t][reg::K02]; + DBGGET(arr, t + 1, reg::K12) = arr[t + 1][reg::K11] + arr[t][reg::K12]; + DBGGET(arr, t + 1, reg::K22) = arr[t + 1][reg::K21] + arr[t][reg::K22]; + DBGGET(arr, t + 1, reg::K32) = arr[t + 1][reg::K31] + arr[t][reg::K32]; + + DBGGET(arr, t + 1, reg::K03) = arr[t + 1][reg::K02] + arr[t][reg::K03]; + DBGGET(arr, t + 1, reg::K13) = arr[t + 1][reg::K12] + arr[t][reg::K13]; + DBGGET(arr, t + 1, reg::K23) = arr[t + 1][reg::K22] + arr[t][reg::K23]; + DBGGET(arr, t + 1, reg::K33) = arr[t + 1][reg::K32] + arr[t][reg::K33]; + + DBGGET(arr, t + 1, reg::K04) = arr[t + 1][reg::K03] + arr[t][reg::K04]; + DBGGET(arr, t + 1, reg::K14) = arr[t + 1][reg::K13] + arr[t][reg::K14]; + DBGGET(arr, t + 1, reg::K24) = arr[t + 1][reg::K23] + arr[t][reg::K24]; + DBGGET(arr, t + 1, reg::K34) = arr[t + 1][reg::K33] + arr[t][reg::K34]; + + for (int w = 0; w < 20; w++){ + DBGGET(arr, t + 1, reg::B00 + w) = arr[t + 1][reg::B00 + w] + arr[t + 1][(reg::K00 + w)]; + + } + t++; + } + for (int i = 0; i < 20; i++) + arr[t][reg::B00 + i] += arr2[i]; + return t; + } + + + size_t genWitnessHashByAES160(witnessType arr, size_t t, size_t stepOfCollapsing){ + DBGGET(arr, t, reg::RC) = one(); + DBGGET(arr, t, reg::STATE) = one(); + DBGGET(arr, t, reg::FLAG1) = zero(); + DBGGET(arr, t, reg::FLAG2) = zero(); + stepOfCollapsing = t; + DBGMSG("PLAESEPPPPPPPPPPPPPPPPp!\n\nt = " << t << ": A = " << arr[t][reg::A] << std::endl << std::endl); + t = genWitnessAES160(arr, t); + SaveRegisters(arr, t); + DBGGET(arr, t, reg::STATE) = xFE(); + DBGGET(arr, t, reg::FLAG1) = zero(); + DBGGET(arr, t, reg::FLAG2) = zero(); + reg::RegType regs[10] = { reg::B00, reg::B10, reg::B20, reg::B30, reg::B01, reg::B11, reg::B21, reg::B31, reg::B04, reg::B14 }; + //DBGGET(arr, t, reg::invRC) = one(); + + + for (int i = 0; i < 10; i++){ + //TODO: it is problem because I use K_ij without justification. no need to fix it in the generate witness, + //need to verify computing K-ij of last round of aes160 in the constraints polynomial without connection to K-ij registers. + DBGGET(arr, t + 1, regs[i]) = arr[t][regs[i]] + arr[stepOfCollapsing][regs[i]]; + DBGGET(arr, t, reg::K00 + 4 * i) = arr[stepOfCollapsing][regs[i]]; + DBGGET(arr, t, reg::K00 + 4 * i + 1) = power(arr[t][reg::K00 + 4 * i], 4); + DBGGET(arr, t, reg::K00 + 4 * i + 2) = power(arr[t][reg::K00 + 4 * i + 1], 4); + DBGGET(arr, t, reg::K00 + 4 * i + 3) = power(arr[t][reg::K00 + 4 * i + 2], 4); + } + DBGGET(arr, t + 1, reg::A) = arr[stepOfCollapsing][reg::B04] + xFE()*arr[stepOfCollapsing][reg::B14]; + + t++; + + SaveRegisters(arr, t); + + DBGGET(arr, t, reg::STATE) = xFE(); + DBGGET(arr, t, reg::FLAG1) = zero(); + DBGGET(arr, t, reg::FLAG2) = one(); + + reg::RegType regs2[10] = { reg::B02, reg::B12, reg::B22, reg::B32, reg::B03, reg::B13, reg::B23, reg::B33, reg::B24, reg::B34 }; + for (int i = 0; i < 10; i++){ + //TODO: it is problem because I use K_ij without justification. no need to fix it in the generate witness, + //need to verify computing K-ij of last round of aes160 in the constraints polynomial without connection to K-ij registers. + DBGGET(arr, t + 1, regs2[i]) = arr[t][regs2[i]] + arr[stepOfCollapsing][regs2[i]]; + DBGGET(arr, t, reg::K00 + 4 * i) = arr[stepOfCollapsing][regs2[i]]; + DBGGET(arr, t, reg::K00 + 4 * i + 1) = power(arr[t][reg::K00 + 4 * i], 4); + DBGGET(arr, t, reg::K00 + 4 * i + 2) = power(arr[t][reg::K00 + 4 * i + 1], 4); + DBGGET(arr, t, reg::K00 + 4 * i + 3) = power(arr[t][reg::K00 + 4 * i + 2], 4); + } + // iddo: unlike reg::A above? + return t + 1; + } + + void genWitnessHashST2EQ1(witnessType arr, size_t t){ + DBGGET(arr, t, reg::ST2) = one(); + DBGGET(arr, t, reg::ST3) = (one() + arr[t][reg::ST2])*(xFE() + arr[t][reg::ST2]); + + for (int i = 0; i < 4; ++i) + for (int j = 0; j < 5; ++j) + DBGGET(arr, t, reg::B00 + j + 5 * i) = power(arr[t + 1][reg::B00 + j + 5 * i], 4); + + DBGGET(arr, t, reg::W11) = power(arr[t][reg::B00], 4); DBGGET(arr, t, reg::W12) = power(arr[t][reg::W11], 4); + DBGGET(arr, t, reg::W13) = power(arr[t][reg::B01], 4); DBGGET(arr, t, reg::W21) = power(arr[t][reg::W13], 4); + DBGGET(arr, t, reg::W22) = power(arr[t][reg::B10], 4); DBGGET(arr, t, reg::W23) = power(arr[t][reg::W22], 4); + DBGGET(arr, t, reg::W31) = power(arr[t][reg::B11], 4); DBGGET(arr, t, reg::W32) = power(arr[t][reg::W31], 4); + DBGGET(arr, t, reg::W33) = power(arr[t][reg::B20], 4); DBGGET(arr, t, reg::W41) = power(arr[t][reg::W33], 4); + DBGGET(arr, t, reg::W42) = power(arr[t][reg::B21], 4); DBGGET(arr, t, reg::W43) = power(arr[t][reg::W42], 4); + DBGGET(arr, t, reg::W51) = power(arr[t][reg::B30], 4); DBGGET(arr, t, reg::W52) = power(arr[t][reg::W51], 4); + DBGGET(arr, t, reg::W53) = power(arr[t][reg::B31], 4); DBGGET(arr, t + 1, reg::W11) = power(arr[t][reg::W53], 4); + DBGGET(arr, t + 1, reg::W12) = power(arr[t][reg::B02], 4); DBGGET(arr, t + 1, reg::W13) = power(arr[t + 1][reg::W12], 4); + DBGGET(arr, t + 1, reg::W21) = power(arr[t][reg::B03], 4); DBGGET(arr, t + 1, reg::W22) = power(arr[t + 1][reg::W21], 4); + DBGGET(arr, t + 1, reg::W23) = power(arr[t][reg::B12], 4); DBGGET(arr, t + 1, reg::W31) = power(arr[t + 1][reg::W23], 4); + DBGGET(arr, t + 1, reg::W32) = power(arr[t][reg::B13], 4); DBGGET(arr, t + 1, reg::W33) = power(arr[t + 1][reg::W32], 4); + DBGGET(arr, t + 1, reg::W41) = power(arr[t][reg::B22], 4); DBGGET(arr, t + 1, reg::W42) = power(arr[t + 1][reg::W41], 4); + DBGGET(arr, t + 1, reg::W43) = power(arr[t][reg::B23], 4); DBGGET(arr, t + 1, reg::W51) = power(arr[t + 1][reg::W43], 4); + DBGGET(arr, t + 1, reg::W52) = power(arr[t][reg::B32], 4); DBGGET(arr, t + 1, reg::W53) = power(arr[t + 1][reg::W52], 4); + DBGGET(arr, t, reg::inv1) = power(arr[t][reg::B33], 4); DBGGET(arr, t, reg::inv2) = power(arr[t][reg::inv1], 4); + DBGGET(arr, t, reg::inv3) = power(arr[t][reg::B04], 4); DBGGET(arr, t, reg::inv4) = power(arr[t][reg::inv3], 4); + DBGGET(arr, t, reg::inv5) = power(arr[t][reg::B04 + 5], 4); DBGGET(arr, t + 1, reg::inv1) = power(arr[t][reg::inv5], 4); + DBGGET(arr, t + 1, reg::inv2) = power(arr[t][reg::B04 + 5 + 5], 4); DBGGET(arr, t + 1, reg::inv3) = power(arr[t + 1][reg::inv2], 4); + DBGGET(arr, t + 1, reg::inv4) = power(arr[t][reg::B04 + 5 + 5 + 5], 4); DBGGET(arr, t + 1, reg::inv5) = power(arr[t + 1][reg::inv4], 4); + } + + void genWitnessHashST2EQ1X(witnessType arr, size_t t, FieldElement& lastFlag){ + DBGGET(arr, t, reg::ST2) = one() + xFE(); + DBGGET(arr, t, reg::ST3) = (one() + arr[t][reg::ST2])*(xFE() + arr[t][reg::ST2]); + + for (int i = 0, tt, AUX_REGRegIndex, ttt, nextFlagIndex; i < 10; i++) + { + if (i < 8) { //TODO: less branching via consecutive registers order + nextFlagIndex = reg::FLAG1 + i; + ttt = t; + } + else { + nextFlagIndex = (8 == i ? reg::RC : reg::PartialMATCH); + ttt = t + 1; + } + if (i < 5) { + AUX_REGRegIndex = reg::inv1 + 4 * i; + tt = t + 1; + } + else { + AUX_REGRegIndex = reg::inv1 + 4 * (i - 5); + tt = t; + } + DBGMSG("lastFlag = " << lastFlag); + FieldElement tmp = arr[t + 1][reg::B00 + i] + arr[t][reg::B00 + i]; + //DBGMSG("tmp = " << tmp); + DBGGET(arr, tt, AUX_REGRegIndex) = (tmp == zero()) ? zero() : tmp.inverse(); + tmp = arr[t + 1][reg::B00 + i] + arr[t][reg::B20 + i];; + //DBGMSG("tmp = " << tmp); + DBGGET(arr, tt, AUX_REGRegIndex + 1) = (tmp == zero()) ? zero() : tmp.inverse(); + tmp = arr[t + 1][reg::B20 + i] + arr[t][reg::B00 + i];; + //DBGMSG("tmp = " << tmp); + DBGGET(arr, tt, AUX_REGRegIndex + 2) = (tmp == zero()) ? zero() : tmp.inverse(); + tmp = arr[t + 1][reg::B20 + i] + arr[t][reg::B20 + i];; + //DBGMSG("tmp = " << tmp); + DBGGET(arr, tt, AUX_REGRegIndex + 3) = (tmp == zero()) ? zero() : tmp.inverse(); + + if (lastFlag == zero()){ + DBGGET(arr, ttt, nextFlagIndex) = zero(); + } + else if (arr[tt][AUX_REGRegIndex] == zero()){ + if (arr[tt][AUX_REGRegIndex + 3] == zero()){ + DBGGET(arr, ttt, nextFlagIndex) = lastFlag; + DBGMSG("t = " << ttt << ": reg enum = " << nextFlagIndex); + + } + else{ + if (lastFlag != zero()){ + DBGGET(arr, ttt, nextFlagIndex) = one(); + } + } + } + else if (arr[tt][AUX_REGRegIndex + 1] == zero()){ + if (arr[tt][AUX_REGRegIndex + 2] == zero()){ + DBGGET(arr, ttt, nextFlagIndex) = lastFlag; + DBGMSG("t = " << ttt << ": reg enum = " << nextFlagIndex); + + } + else{ + if (lastFlag != zero()){ + DBGGET(arr, ttt, nextFlagIndex) = one(); + } + } + } + else { + if (arr[tt][AUX_REGRegIndex + 2] == zero() || arr[tt][AUX_REGRegIndex + 3] == zero()){ + if (lastFlag != zero()){ + DBGGET(arr, ttt, nextFlagIndex) = one(); + } + } + else{ + DBGGET(arr, ttt, nextFlagIndex) = zero(); + } + } + DBGMSG("nextFlag" << arr[ttt][nextFlagIndex]); + lastFlag = arr[ttt][nextFlagIndex]; + } + } + + void genWitnessHashST2EQXX(witnessType arr, size_t t){ + DBGGET(arr, t, reg::ST2) = xFE()*xFE(); + DBGGET(arr, t, reg::ST3) = (one() + arr[t][reg::ST2])*(xFE() + arr[t][reg::ST2]); + DBGGET(arr, t + 1, reg::isSecondPhaseComparingLOCI) = arr[t][reg::isSecondPhaseComparingLOCI] + one(); + DBGGET(arr, t + 1, reg::A) = (arr[t + 1][reg::B00] + + xFE()*(arr[t + 1][reg::B10] + + xFE()*(arr[t + 1][reg::B20] + + xFE()*(arr[t + 1][reg::B30] + + xFE()*(arr[t + 1][reg::B01] + + xFE()*(arr[t + 1][reg::B11] + + xFE()*(arr[t + 1][reg::B21] + + xFE()*(arr[t + 1][reg::B31])))))))); + + DBGGET(arr, t + 1, reg::B) = (arr[t + 1][reg::B02] + + xFE()*(arr[t + 1][reg::B12] + + xFE()*(arr[t + 1][reg::B22] + + xFE()*(arr[t + 1][reg::B32] + + xFE()*(arr[t + 1][reg::B03] + + xFE()*(arr[t + 1][reg::B13] + + xFE()*(arr[t + 1][reg::B23] + + xFE()*(arr[t + 1][reg::B33])))))))); + + DBGGET(arr, t + 1, reg::C) = (arr[t + 1][reg::B04] + + xFE()*(arr[t + 1][reg::B14] + + xFE()*(arr[t + 1][reg::B24] + + xFE()*(arr[t + 1][reg::B34])))); + DBGGET(arr, t, reg::STATE) = (arr[t][reg::K]+one()).inverse(); + } + + std::vector genHashchain(witnessType HashChain, int len, int prngseed){ + HashChain.resize(len); + for (auto &i : HashChain) i.resize(20); + + Algebra::rng.seed(prngseed+1); + + for (int k = 0; k < len; k++){ + for (int i = 0; i < 20; i++){ + int randval = Algebra::rng() & 255; + HashChain[k][i] = (255 == randval) ? Algebra::zero() : power(consts::xFETransformed, randval); + } + } + std::vector< std::vector > myArr2(12, std::vector(NUMREGS)); + size_t t = 0; + for (int j = 0; j < 20; j++){ + myArr2[0][reg::B00 + j] = zero(); + myArr2[0][reg::K00 + j] = zero(); + } + + for (int k = 0; k < len; k++){ + + for (int j = 0; j < 20; j++){ + myArr2[0][reg::K00 + j] = myArr2[t][reg::B00 + j]; + myArr2[0][reg::B00 + j] = HashChain[k][j]; + } + t = computeAES160(myArr2); + + DBGMSG(k); + } + + return myArr2[t]; + } + inline FieldElement max(FieldElement a, FieldElement b){ + if (mapFieldElementToInteger(0, EXTDIM, a) >= mapFieldElementToInteger(0, EXTDIM, b)){ + return a; + } + return b; + } + + size_t genWitness(witnessType arr, const witnessType HashChain, const int N, const FieldElement LOCI_input[][2]){ + size_t t = 0; + for (int i = 0; i < NUMREGS; i++){ + DBGGET(arr, t, i) = zero(); + } + + FieldElement lastStep = power(xFE(), N+1); + DBGGET(arr, t, reg::K) = one(); + int counter = 0; + + //confidential input + DBGGET(arr, t, reg::PHASE) = zero(); + DBGGET(arr, t, reg::ST2) = xFE()*xFE(); + DBGGET(arr, t, reg::ST3) = (one() + arr[t][reg::ST2])*(xFE() + arr[t][reg::ST2]); + for (int j = 0; j < 20; j++){ + arr[t][reg::B00 + j] = LOCI_input[j][0]; + arr[t][reg::K00 + j] = LOCI_input[j][1]; + } + for (int i = 0; i < 2; ++i) + for (int j = 0; j < 3; ++j) { + if (j < 2) + for (int k = 0; k < 4; ++k) + arr[t][reg::L1 + j + 3 * i] = xFE()*arr[t][reg::L1 + j + 3 * i] + LOCI_input[16 + 2*j - 5*k][i]; + for (int k = 0; k < 4; ++k) + arr[t][reg::L1 + j + 3 * i] = xFE()*arr[t][reg::L1 + j + 3 * i] + LOCI_input[15 + 2 * j - 5 * k][i]; + } + arr[t][reg::A] = arr[t][reg::L1]; + arr[t][reg::B] = arr[t][reg::L2]; + arr[t][reg::C] = arr[t][reg::L3]; + SaveRegisters(arr, t); + DBGGET(arr, t, reg::isSecondPhaseComparingLOCI) = one(); + t++; + DBGGET(arr, t, reg::PHASE) = one(); + DBGGET(arr, t, reg::STATE) = one(); + DBGGET(arr, t, reg::isSecondPhaseComparingLOCI) = zero(); + DBGGET(arr, t, reg::ST2) = one(); + DBGGET(arr, t, reg::ST3) = (one() + arr[t][reg::ST2])*(xFE() + arr[t][reg::ST2]); + t = genWitnessHashByAES160(arr, t, t); + SaveRegisters(arr, t); + for (int i = 0; i < 20; i++){ + arr[t + 1][reg::K00 + i] = zero(); + } + DBGGET(arr, t, reg::STATE) = xFE(); + DBGGET(arr, t, reg::FLAG1) = DBGGET(arr, t, reg::FLAG2) = one(); + DBGGET(arr, t, reg::A) = (lastStep + xFE()).inverse(); + t++; + DBGGET(arr, t, reg::K) = xFE(); + //end confidential input + + while (1) { + int secondCompareLoci = 0; + + FieldElement lastFlag = xFE(); + if (arr[t][reg::isSecondPhaseComparingLOCI] == one()){ + secondCompareLoci = 1; + lastFlag = arr[t][reg::PartialMATCH]; + } + FieldElement SaveLastFlagBeforeLOCI = lastFlag; + + DBGGET(arr, t, reg::PHASE) = zero(); + SaveRegisters(arr, t); + for (int j = 0; j < 20; j++) + DBGGET(arr, t + 1, reg::B00 + j) = LOCI_input[j][secondCompareLoci]; + genWitnessHashST2EQ1(arr, t); + t++; + SaveRegisters(arr, t); + DBGGET(arr, t, reg::ST2) = xFE(); + DBGGET(arr, t, reg::ST3) = (one() + arr[t][reg::ST2])*(xFE() + arr[t][reg::ST2]); + t++; + SaveRegisters(arr, t); + for (int i = 0; i < 20; i++) + DBGGET(arr, t + 1, reg::B00 + i) = HashChain[counter][i]; + genWitnessHashST2EQ1X(arr, t, lastFlag); + DBGGET(arr, t, reg::PartialMATCH) = SaveLastFlagBeforeLOCI; + t++; + SaveRegisters(arr, t); + genWitnessHashST2EQXX(arr, t); + if (secondCompareLoci){ + DBGGET(arr, t + 1, reg::MATCH) = max(arr[t][reg::MATCH], arr[t + 1][reg::PartialMATCH]); + } + t++; + DBGGET(arr, t, reg::PHASE) = DBGGET(arr, t, reg::STATE) = one(); + DBGGET(arr, t, reg::FLAG1) = DBGGET(arr, t, reg::FLAG2) = zero(); + SaveRegisters(arr, t); + t = genWitnessHashByAES160(arr, t, t); + SaveRegisters(arr, t); + for (int i = 0; i < 20; i++){ + arr[t + 1][reg::K00 + i] = arr[t][reg::B00 + i]; + } + DBGGET(arr, t, reg::STATE) = xFE(); + DBGGET(arr, t, reg::FLAG1) = one(); + DBGGET(arr, t, reg::FLAG2) = one(); + + if (lastStep + xFE()*arr[t][reg::K] != zero()){ + DBGGET(arr, t, reg::A) = (lastStep + xFE()*arr[t][reg::K]).inverse(); + DBGGET(arr, t + 1, reg::K) = xFE()*arr[t][reg::K]; + } + else{ + break; + } + t++; + counter++; + } + + + return t + 1; + } + + inline void pairsPRNG(FieldElement LOCIpairs[][2], const int prngseed){ + Algebra::rng.seed(prngseed); + for (int i = 0; i < 20; i++){ + unsigned long long rfull = Algebra::rng(); + unsigned int rbits = rfull & 255; + LOCIpairs[i][0] = (255 == rbits) ? Algebra::zero() : power(consts::xFETransformed, rbits); + rbits = (rfull >> 8) & 255; + LOCIpairs[i][1] = (255 == rbits) ? Algebra::zero() : power(consts::xFETransformed, rbits); + } + } + + void genWitnessLOCIHashcAES160WithPadding(witnessType arr, const witnessType HashChain, const int LEN, const int prngseed){ + FieldElement LOCI_pairs[20][2]; + + pairsPRNG(LOCI_pairs, prngseed); + size_t t = genWitness(arr, HashChain, LEN, LOCI_pairs); + DBGMSG("t = " << t << std::endl); + DBGGET(arr, t, reg::PHASE) = one(); + DBGGET(arr, t, reg::STATE) = xFE(); + DBGGET(arr, t, reg::FLAG1) = one(); + DBGGET(arr, t, reg::FLAG2) = one(); + for (; t < arr.size() - 1; t++){ + SaveRegisters(arr, t); + for (int i = 0; i < 20; i++){ + arr[t][reg::K00 + i] = zero(); + arr[t][reg::inv1 + i] = one(); + arr[t + 1][reg::B00 + i] = arr[t][reg::B00 + i]; + } + DBGGET(arr, t + 1, reg::PHASE) = one(); + DBGGET(arr, t + 1, reg::STATE) = xFE(); + DBGGET(arr, t + 1, reg::FLAG1) = one(); + DBGGET(arr, t + 1, reg::FLAG2) = one(); + DBGGET(arr, t + 1, reg::K) = arr[t][reg::K]; + } + } + short getDim(long long len){ + return ceil(Infrastructure::Log2((long long)CYCLES * (len + 1) -2)); + } + +#if 0 + TEST(ACSPWitnessChecker, AES160LOCIh) { + using namespace std; + + vector rr = Configuration::getInstance().getRandomArgs(); + int len = 5; + if (1 == rr.size()) + len = stoi(rr[0]); + + vector< vector > HashChain; + + vector Result = genHashchain(HashChain, len, LOCIseed); + + //size_t steps = CYCLES * (len + 1) - 2; + size_t total_t = pow(2, getDim(len)); + + vector< vector > myArr(total_t, vector(NUMREGS)); + + genWitnessLOCIHashcAES160WithPadding(myArr, HashChain, len, LOCIseed); + + vector RootHash(20); + for (int i = 0; i < 20; i++){ + RootHash[i] = Result[reg::B00 + i]; + } + + vector vvals(2 * NUMREGS); +#if 0 + Algebra::rng.seed(126); + for (int j = 0; j < 9; ++j){ + for (int u = 0; u < vvals.size(); u++) + vvals[u] = Algebra::generateRandom(); + + FieldElement polyVal = eval(vvals, RootHash, NULL, power(xFE(), len)); + FieldElement polyCVal = evalCPoly(vvals, RootHash, power(xFE(), len)); + + //std::cout << "polyPVal: " << polyVal << std::endl; + //std::cout << "polyCVal: " << polyCVal << std::endl; + + std::cout << "polyDiff: " << polyVal + polyCVal << std::endl; + } + return; +#endif + clock_t measureTime = clock(); + for (int i = 0; i < total_t - 1; ++i) { + + auto v = vvals.begin(); + for (auto &k : myArr[i]) + *(v++) = k; + for (auto &k : myArr[i + 1]) + *(v++) = k; + + + //FieldElement polyVal = eval(vvals, RootHash, NULL, power(xFE(), len+1)); + FieldElement polyVal = evalCPoly(vvals, RootHash, power(xFE(), len+1)); + if (polyVal != zero()){ + cout << std::hex; + const char* regtxt[] = {"B00", "B01", "B02", "B03", "B04", + "B10", "B11", "B12", "B13", "B14", + "B20", "B21", "B22", "B23", "B24", + "B30", "B31", "B32", "B33", "B34", + + "K00", "K01", "K02", "K03", "K04", + "K10", "K11", "K12", "K13", "K14", + "K20", "K21", "K22", "K23", "K24", + "K30", "K31", "K32", "K33", "K34", + + "inv1", "inv2", "inv3", "inv4", "inv5", + "W11", "W12", "W13", + "W21", "W22", "W23", + "W31", "W32", "W33", + "W41", "W42", "W43", + "W51", "W52", "W53", + + "FLAG1", "FLAG2", "RC", "invRC", + + "A", "B", "C", "STATE", + "K", + "MATCH", "isSecondPhaseComparingLOCI", "PartialMATCH", "PHASE", + "L1", "L2", "L3", "L4", "L5", "L6", + "ST2", "ST3"}; + for (int j = 0; j < NUMREGS; j++){ + PRNMSG(regtxt[j] << ": " /*<< mapFieldElementToInteger(0, 64, myArr[i-1][j]) << " , "*/ << mapFieldElementToInteger(0, 64, myArr[i][j]) << " , " << mapFieldElementToInteger(0, 64, myArr[i + 1][j])); + } + cout << dec << "i =" << i << std::endl; + return; + } + } + measureTime = clock() - measureTime; + std::cout << "eval() time: " << (measureTime / ((double)CLOCKS_PER_SEC)) << std::endl; + +#ifdef DBGwitness + for (size_t i = 0; i < total_t; ++i) + for (int j = 0; j < NUMREGS; ++j) { + std::pair tmp = std::pair(i, j); + if (dbgSet.find(tmp) == dbgSet.end()) + cout << "missing: " << i << "," << j << endl; + } +#endif + + } +#endif +} //namespace diff --git a/starkdpm/AES160hashcLOCI_constraints.cpp b/starkdpm/AES160hashcLOCI_constraints.cpp new file mode 100644 index 0000000..dfa155c --- /dev/null +++ b/starkdpm/AES160hashcLOCI_constraints.cpp @@ -0,0 +1,271 @@ + + #include "AES160hashcLOCI_instance.hpp" + #include + #include "languages/Bair/BairInstance.hpp" + #include "languages/Bair/BairWitness.hpp" + + + #define ttgenRand (Algebra::one()) + //#define ttgenRand (generateRandom()) + + using Algebra::FieldElement; + using Algebra::PolynomialInterface; + using Algebra::PolynomialDegree; + using Algebra::degreeOfProduct; + using Algebra::one; + using Algebra::generateRandom; + + namespace stark_dpm{ + namespace ACSP_FOR_AES160hashcLOCI{ + + namespace { //anonymous namespace for polys and common vars + using Algebra::mapIntegerToFieldElement; + + class polyAES160hashcLOCI_class : public PolynomialInterface{ + public: + polyAES160hashcLOCI_class() {}; + + Algebra::FieldElement eval(const std::vector& x)const{ + return AES160hashcLOCI::evalp::ep(x); + } + + bool isEffectiveInput(const size_t varId)const{ + switch(varId) + { + case AES160hashcLOCI::NUMREGS + AES160hashcLOCI::reg::ST3: return false; + case AES160hashcLOCI::NUMREGS + AES160hashcLOCI::reg::invRC: return false; + default: return true; + } + } + + Algebra::PolynomialDegree getDegreeBound(const std::vector& inputDegrees)const{ + + //std::vector inputDegrees(inputDegrees_.size(), PolynomialDegree(1)); + + struct ttdeg{ + long long deg_; + ttdeg(const PolynomialDegree& d):deg_(PolynomialDegree::integral_t(d)){}; + ttdeg(const long long& d):deg_(d){}; + + ttdeg operator*(const ttdeg& d)const{ + return degreeOfProduct(PolynomialDegree(deg_),PolynomialDegree(d.deg_)); + } + + ttdeg operator+(const ttdeg& d)const{ + return std::max(deg_,d.deg_); + } + }; + + const ttdeg K00 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K00]); + const ttdeg K01 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K01]); + const ttdeg K02 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K02]); + const ttdeg K03 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K03]); + const ttdeg K04 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K04]); + const ttdeg K10 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K10]); + const ttdeg K11 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K11]); + const ttdeg K12 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K12]); + const ttdeg K13 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K13]); + const ttdeg K14 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K14]); + const ttdeg K20 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K20]); + const ttdeg K21 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K21]); + const ttdeg K22 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K22]); + const ttdeg K23 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K23]); + const ttdeg K24 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K24]); + const ttdeg K30 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K30]); + const ttdeg K31 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K31]); + const ttdeg K32 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K32]); + const ttdeg K33 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K33]); + const ttdeg K34 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K34]); + + const ttdeg B00 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B00]); + const ttdeg B01 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B01]); + const ttdeg B02 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B02]); + const ttdeg B03 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B03]); + const ttdeg B04 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B04]); + const ttdeg B10 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B10]); + const ttdeg B11 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B11]); + const ttdeg B12 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B12]); + const ttdeg B13 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B13]); + const ttdeg B14 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B14]); + const ttdeg B20 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B20]); + const ttdeg B21 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B21]); + const ttdeg B22 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B22]); + const ttdeg B23 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B23]); + const ttdeg B24 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B24]); + const ttdeg B30 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B30]); + const ttdeg B31 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B31]); + const ttdeg B32 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B32]); + const ttdeg B33 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B33]); + const ttdeg B34 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B34]); + + const ttdeg W11 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W11]); + const ttdeg W12 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W12]); + const ttdeg W13 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W13]); + const ttdeg W21 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W21]); + const ttdeg W22 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W22]); + const ttdeg W23 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W23]); + const ttdeg W31 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W31]); + const ttdeg W32 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W32]); + const ttdeg W33 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W33]); + const ttdeg W41 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W41]); + const ttdeg W42 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W42]); + const ttdeg W43 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W43]); + const ttdeg W51 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W51]); + const ttdeg W52 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W52]); + const ttdeg W53 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W53]); + + const ttdeg inv1 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv1]); + const ttdeg inv2 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv2]); + const ttdeg inv3 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv3]); + const ttdeg inv4 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv4]); + const ttdeg inv5 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv5]); + + const ttdeg STATE = ttdeg(inputDegrees[AES160hashcLOCI::reg::STATE]); + const ttdeg PHASE = ttdeg(inputDegrees[AES160hashcLOCI::reg::PHASE]); + const ttdeg MATCH = ttdeg(inputDegrees[AES160hashcLOCI::reg::MATCH]); + const ttdeg ST2 = ttdeg(inputDegrees[AES160hashcLOCI::reg::ST2]); + const ttdeg ST3 = ttdeg(inputDegrees[AES160hashcLOCI::reg::ST3]); + const ttdeg L1 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L1]); + const ttdeg L2 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L2]); + const ttdeg L3 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L3]); + const ttdeg L4 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L4]); + const ttdeg L5 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L5]); + const ttdeg L6 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L6]); + const ttdeg PartialMATCH = ttdeg(inputDegrees[AES160hashcLOCI::reg::PartialMATCH]); + const ttdeg isSecondPhaseComparingLOCI = ttdeg(inputDegrees[AES160hashcLOCI::reg::isSecondPhaseComparingLOCI]); + const ttdeg FLAG1 = ttdeg(inputDegrees[AES160hashcLOCI::reg::FLAG1]); + const ttdeg FLAG2 = ttdeg(inputDegrees[AES160hashcLOCI::reg::FLAG2]); + const ttdeg RC = ttdeg(inputDegrees[AES160hashcLOCI::reg::RC]); + const ttdeg A = ttdeg(inputDegrees[AES160hashcLOCI::reg::A]); + const ttdeg B = ttdeg(inputDegrees[AES160hashcLOCI::reg::B]); + const ttdeg C = ttdeg(inputDegrees[AES160hashcLOCI::reg::C]); + const ttdeg K = ttdeg(inputDegrees[AES160hashcLOCI::reg::K]); + const ttdeg invRC = ttdeg(inputDegrees[AES160hashcLOCI::reg::invRC]); + + const ttdeg K00_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K00 + AES160hashcLOCI::NUMREGS]); + const ttdeg K01_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K01 + AES160hashcLOCI::NUMREGS]); + const ttdeg K02_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K02 + AES160hashcLOCI::NUMREGS]); + const ttdeg K03_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K03 + AES160hashcLOCI::NUMREGS]); + const ttdeg K04_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K04 + AES160hashcLOCI::NUMREGS]); + const ttdeg K10_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K10 + AES160hashcLOCI::NUMREGS]); + const ttdeg K11_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K11 + AES160hashcLOCI::NUMREGS]); + const ttdeg K12_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K12 + AES160hashcLOCI::NUMREGS]); + const ttdeg K13_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K13 + AES160hashcLOCI::NUMREGS]); + const ttdeg K14_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K14 + AES160hashcLOCI::NUMREGS]); + const ttdeg K20_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K20 + AES160hashcLOCI::NUMREGS]); + const ttdeg K21_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K21 + AES160hashcLOCI::NUMREGS]); + const ttdeg K22_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K22 + AES160hashcLOCI::NUMREGS]); + const ttdeg K23_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K23 + AES160hashcLOCI::NUMREGS]); + const ttdeg K24_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K24 + AES160hashcLOCI::NUMREGS]); + const ttdeg K30_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K30 + AES160hashcLOCI::NUMREGS]); + const ttdeg K31_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K31 + AES160hashcLOCI::NUMREGS]); + const ttdeg K32_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K32 + AES160hashcLOCI::NUMREGS]); + const ttdeg K33_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K33 + AES160hashcLOCI::NUMREGS]); + const ttdeg K34_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K34 + AES160hashcLOCI::NUMREGS]); + + const ttdeg B00_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B00 + AES160hashcLOCI::NUMREGS]); + const ttdeg B01_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B01 + AES160hashcLOCI::NUMREGS]); + const ttdeg B02_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B02 + AES160hashcLOCI::NUMREGS]); + const ttdeg B03_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B03 + AES160hashcLOCI::NUMREGS]); + const ttdeg B04_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B04 + AES160hashcLOCI::NUMREGS]); + const ttdeg B10_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B10 + AES160hashcLOCI::NUMREGS]); + const ttdeg B11_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B11 + AES160hashcLOCI::NUMREGS]); + const ttdeg B12_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B12 + AES160hashcLOCI::NUMREGS]); + const ttdeg B13_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B13 + AES160hashcLOCI::NUMREGS]); + const ttdeg B14_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B14 + AES160hashcLOCI::NUMREGS]); + const ttdeg B20_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B20 + AES160hashcLOCI::NUMREGS]); + const ttdeg B21_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B21 + AES160hashcLOCI::NUMREGS]); + const ttdeg B22_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B22 + AES160hashcLOCI::NUMREGS]); + const ttdeg B23_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B23 + AES160hashcLOCI::NUMREGS]); + const ttdeg B24_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B24 + AES160hashcLOCI::NUMREGS]); + const ttdeg B30_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B30 + AES160hashcLOCI::NUMREGS]); + const ttdeg B31_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B31 + AES160hashcLOCI::NUMREGS]); + const ttdeg B32_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B32 + AES160hashcLOCI::NUMREGS]); + const ttdeg B33_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B33 + AES160hashcLOCI::NUMREGS]); + const ttdeg B34_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B34 + AES160hashcLOCI::NUMREGS]); + + const ttdeg W11_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W11 + AES160hashcLOCI::NUMREGS]); + const ttdeg W12_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W12 + AES160hashcLOCI::NUMREGS]); + const ttdeg W13_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W13 + AES160hashcLOCI::NUMREGS]); + const ttdeg W21_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W21 + AES160hashcLOCI::NUMREGS]); + const ttdeg W22_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W22 + AES160hashcLOCI::NUMREGS]); + const ttdeg W23_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W23 + AES160hashcLOCI::NUMREGS]); + const ttdeg W31_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W31 + AES160hashcLOCI::NUMREGS]); + const ttdeg W32_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W32 + AES160hashcLOCI::NUMREGS]); + const ttdeg W33_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W33 + AES160hashcLOCI::NUMREGS]); + const ttdeg W41_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W41 + AES160hashcLOCI::NUMREGS]); + const ttdeg W42_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W42 + AES160hashcLOCI::NUMREGS]); + const ttdeg W43_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W43 + AES160hashcLOCI::NUMREGS]); + const ttdeg W51_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W51 + AES160hashcLOCI::NUMREGS]); + const ttdeg W52_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W52 + AES160hashcLOCI::NUMREGS]); + const ttdeg W53_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W53 + AES160hashcLOCI::NUMREGS]); + + const ttdeg inv1_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv1 + AES160hashcLOCI::NUMREGS]); + const ttdeg inv2_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv2 + AES160hashcLOCI::NUMREGS]); + const ttdeg inv3_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv3 + AES160hashcLOCI::NUMREGS]); + const ttdeg inv4_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv4 + AES160hashcLOCI::NUMREGS]); + const ttdeg inv5_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv5 + AES160hashcLOCI::NUMREGS]); + + const ttdeg STATE_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::STATE + AES160hashcLOCI::NUMREGS]); + const ttdeg PHASE_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::PHASE + AES160hashcLOCI::NUMREGS]); + const ttdeg MATCH_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::MATCH + AES160hashcLOCI::NUMREGS]); + const ttdeg ST2_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::ST2 + AES160hashcLOCI::NUMREGS]); + //const ttdeg ST3_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::ST3 + AES160hashcLOCI::NUMREGS]); + const ttdeg L1_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L1 + AES160hashcLOCI::NUMREGS]); + const ttdeg L2_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L2 + AES160hashcLOCI::NUMREGS]); + const ttdeg L3_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L3 + AES160hashcLOCI::NUMREGS]); + const ttdeg L4_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L4 + AES160hashcLOCI::NUMREGS]); + const ttdeg L5_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L5 + AES160hashcLOCI::NUMREGS]); + const ttdeg L6_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L6 + AES160hashcLOCI::NUMREGS]); + const ttdeg PartialMATCH_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::PartialMATCH + AES160hashcLOCI::NUMREGS]); + const ttdeg isSecondPhaseComparingLOCI_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::isSecondPhaseComparingLOCI + AES160hashcLOCI::NUMREGS]); + const ttdeg FLAG1_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::FLAG1 + AES160hashcLOCI::NUMREGS]); + const ttdeg FLAG2_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::FLAG2 + AES160hashcLOCI::NUMREGS]); + const ttdeg RC_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::RC + AES160hashcLOCI::NUMREGS]); + const ttdeg A_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::A + AES160hashcLOCI::NUMREGS]); + const ttdeg B_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B + AES160hashcLOCI::NUMREGS]); + const ttdeg C_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::C + AES160hashcLOCI::NUMREGS]); + const ttdeg K_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K + AES160hashcLOCI::NUMREGS]); + //const ttdeg invRC_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::invRC + AES160hashcLOCI::NUMREGS]); + + const ttdeg resTmp = ((ST3+(ST2)*(ST2))+(L1_next+L1)+(L2_next+L2)+(L3_next+L3)+(L4_next+L4)+(L5_next+L5)+(L6_next+L6)+((PHASE)*((K00_next+K00)+(K01_next+K01)+(K02_next+K02)+(K03_next+K03)+(K04_next+K04)+(K10_next+K10)+(K11_next+K11)+(K12_next+K12)+(K13_next+K13)+(K14_next+K14)+(K20_next+K20)+(K21_next+K21)+(K22_next+K22)+(K23_next+K23)+(K24_next+K24)+(K30_next+K30)+(K31_next+K31)+(K32_next+K32)+(K33_next+K33)+(K34_next+K34))+PHASE*((ST2_next)+(isSecondPhaseComparingLOCI_next+isSecondPhaseComparingLOCI)+((STATE)*((A_next+A)+(B_next+B)+(C_next+C)+(K_next+K)+(PHASE_next+PHASE)+(W11+inv1*inv1*inv1*inv1)+(W12+W11*W11*W11*W11)+(W13+W12*W12*W12*W12)+(W21+inv2*inv2*inv2*inv2)+(W22+W21*W21*W21*W21)+(W23+W22*W22*W22*W22)+(W31+inv3*inv3*inv3*inv3)+(W32+W31*W31*W31*W31)+(W33+W32*W32*W32*W32)+(W41+inv4*inv4*inv4*inv4)+(W42+W41*W41*W41*W41)+(W43+W42*W42*W42*W42)+(W51+inv5*inv5*inv5*inv5)+(W52+W51*W51*W51*W51)+(W53+W52*W52*W52*W52)+((FLAG1)*((STATE_next)+(RC_next+RC)+(K00_next+K00)+(K01_next+K01)+(K02_next+K02)+(K03_next+K03)+(K04_next+K04)+(K10_next+K10)+(K11_next+K11)+(K12_next+K12)+(K13_next+K13)+(K14_next+K14)+(K20_next+K20)+(K21_next+K21)+(K22_next+K22)+(K23_next+K23)+(K24_next+K24)+(K30_next+K30)+(K31_next+K31)+(K32_next+K32)+(K33_next+K33)+(K34_next+K34)+(FLAG1)*(FLAG2)*(FLAG1_next+(FLAG2_next)+(B10_next+B10)+(B11_next+B11)+(B12_next+B12)+(B13_next+B13)+(B14_next+B14)+(B20_next+B20)+(B21_next+B21)+(B22_next+B22)+(B23_next+B23)+(B24_next+B24)+(B30_next+B30)+(B31_next+B31)+(B32_next+B32)+(B33_next+B33)+(B34_next+B34)+(inv1*B00)*(B00+inv1)+(B00_next+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13)+(inv2*B01)*(B01+inv2)+(B01_next+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23)+(inv3*B02)*(B02+inv3)+(B02_next+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33)+(inv4*B03)*(B03+inv4)+(B03_next+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43)+(inv5*B04)*(B04+inv5)+(B04_next+inv5+inv5*inv5+W51+W51*W51+W52+W52*W52+W53+W53*W53))+(FLAG1)*FLAG2*((FLAG1_next)+FLAG2_next+(B00_next+B00)+(B01_next+B01)+(B02_next+B02)+(B03_next+B03)+(B04_next+B04)+(B20_next+B20)+(B21_next+B21)+(B22_next+B22)+(B23_next+B23)+(B24_next+B24)+(B30_next+B30)+(B31_next+B31)+(B32_next+B32)+(B33_next+B33)+(B34_next+B34)+(inv1*B10)*(B10+inv1)+(B14_next+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13)+(inv2*B11)*(B11+inv2)+(B10_next+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23)+(inv3*B12)*(B12+inv3)+(B11_next+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33)+(inv4*B13)*(B13+inv4)+(B12_next+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43)+(inv5*B14)*(B14+inv5)+(B13_next+inv5+inv5*inv5+W51+W51*W51+W52+W52*W52+W53+W53*W53))+FLAG1*(FLAG2)*((FLAG1_next)+(FLAG2_next)+(B00_next+B00)+(B01_next+B01)+(B02_next+B02)+(B03_next+B03)+(B04_next+B04)+(B10_next+B10)+(B11_next+B11)+(B12_next+B12)+(B13_next+B13)+(B14_next+B14)+(B30_next+B30)+(B31_next+B31)+(B32_next+B32)+(B33_next+B33)+(B34_next+B34)+(inv1*B20)*(B20+inv1)+(B23_next+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13)+(inv2*B21)*(B21+inv2)+(B24_next+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23)+(inv3*B22)*(B22+inv3)+(B20_next+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33)+(inv4*B23)*(B23+inv4)+(B21_next+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43)+(inv5*B24)*(B24+inv5)+(B22_next+inv5+inv5*inv5+W51+W51*W51+W52+W52*W52+W53+W53*W53))+FLAG1*FLAG2*((FLAG1_next)+(B00_next+B00)+(B01_next+B01)+(B02_next+B02)+(B03_next+B03)+(B04_next+B04)+(B10_next+B10)+(B11_next+B11)+(B12_next+B12)+(B13_next+B13)+(B14_next+B14)+(B20_next+B20)+(B21_next+B21)+(B22_next+B22)+(B23_next+B23)+(B24_next+B24)+(inv1*B30)*(B30+inv1)+(B32_next+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13)+(inv2*B31)*(B31+inv2)+(B33_next+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23)+(inv3*B32)*(B32+inv3)+(B34_next+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33)+(inv4*B33)*(B33+inv4)+(B30_next+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43)+(inv5*B34)*(B34+inv5)+(B31_next+inv5+inv5*inv5+W51+W51*W51+W52+W52*W52+W53+W53*W53)))+FLAG1*(FLAG1)*(FLAG1_next+(FLAG2_next)+(inv1*K14)*(K14+inv1)+(inv2*K24)*(K24+inv2)+(inv3*K34)*(K34+inv3)+(inv4*K04)*(K04+inv4)+(RC)*((RC_next+RC)+(STATE_next)+(K00_next+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13+K00+RC)+(K10_next+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23+K10)+(K20_next+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33+K20)+(K30_next+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43+K30)+(K01_next+K00_next+K01)+(K11_next+K10_next+K11)+(K21_next+K20_next+K21)+(K31_next+K30_next+K31)+(K02_next+K01_next+K02)+(K12_next+K11_next+K12)+(K22_next+K21_next+K22)+(K32_next+K31_next+K32)+(K03_next+K02_next+K03)+(K13_next+K12_next+K13)+(K23_next+K22_next+K23)+(K33_next+K32_next+K33)+(K04_next+K03_next+K04)+(K14_next+K13_next+K14)+(K24_next+K23_next+K24)+(K34_next+K33_next+K34)+(B00_next+B00+B10+B20+B30+K00_next)+(B01_next+B01+B11+B21+B31+K01_next)+(B02_next+B02+B12+B22+B32+K02_next)+(B03_next+B03+B13+B23+B33+K03_next)+(B04_next+B04+B14+B24+B34+K04_next)+(B10_next+B00+B10+B20+B30+K10_next)+(B11_next+B01+B11+B21+B31+K11_next)+(B12_next+B02+B12+B22+B32+K12_next)+(B13_next+B03+B13+B23+B33+K13_next)+(B14_next+B04+B14+B24+B34+K14_next)+(B20_next+B00+B10+B20+B30+K20_next)+(B21_next+B01+B11+B21+B31+K21_next)+(B22_next+B02+B12+B22+B32+K22_next)+(B23_next+B03+B13+B23+B33+K23_next)+(B24_next+B04+B14+B24+B34+K24_next)+(B30_next+B00+B10+B20+B30+K30_next)+(B31_next+B01+B11+B21+B31+K31_next)+(B32_next+B02+B12+B22+B32+K32_next)+(B33_next+B03+B13+B23+B33+K33_next)+(B34_next+B04+B14+B24+B34+K34_next))+((RC)*invRC)*((STATE_next)+(B00_next+B00+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13+K00+RC)+(B10_next+B10+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23+K10)+(B20_next+B20+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33+K20)+(B30_next+B30+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43+K30)+(B01_next+B01+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13+K00+RC+K01)+(B11_next+B11+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23+K10+K11)+(B21_next+B21+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33+K20+K21)+(B31_next+B31+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43+K30+K31)+(B02_next+B02+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13+K00+RC+K01+K02)+(B12_next+B12+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23+K10+K11+K12)+(B22_next+B22+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33+K20+K21+K22)+(B32_next+B32+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43+K30+K31+K32)+(B03_next+B03+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13+K00+RC+K01+K02+K03)+(B13_next+B13+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23+K10+K11+K12+K13)+(B23_next+B23+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33+K20+K21+K22+K23)+(B33_next+B33+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43+K30+K31+K32+K33)+(B04_next+B04+inv1+inv1*inv1+W11+W11*W11+W12+W12*W12+W13+W13*W13+K00+RC+K01+K02+K03+K04)+(B14_next+B14+inv2+inv2*inv2+W21+W21*W21+W22+W22*W22+W23+W23*W23+K10+K11+K12+K13+K14)+(B24_next+B24+inv3+inv3*inv3+W31+W31*W31+W32+W32*W32+W33+W33*W33+K20+K21+K22+K23+K24)+(B34_next+B34+inv4+inv4*inv4+W41+W41*W41+W42+W42*W42+W43+W43*W43+K30+K31+K32+K33+K34)))))+(STATE)*((FLAG1)*((K_next+K)+(STATE_next)+(K01+K00*K00*K00*K00)+(K02+K01*K01*K01*K01)+(K03+K02*K02*K02*K02)+(K00+K03*K03*K03*K03)+(K10+K04*K04*K04*K04)+(K11+K10*K10*K10*K10)+(K12+K11*K11*K11*K11)+(K04+K12*K12*K12*K12)+(K14+K13*K13*K13*K13)+(K20+K14*K14*K14*K14)+(K21+K20*K20*K20*K20)+(K13+K21*K21*K21*K21)+(K23+K22*K22*K22*K22)+(K24+K23*K23*K23*K23)+(K30+K24*K24*K24*K24)+(K22+K30*K30*K30*K30)+(K32+K31*K31*K31*K31)+(K33+K32*K32*K32*K32)+(K34+K33*K33*K33*K33)+(K31+K34*K34*K34*K34)+(inv2+inv1*inv1*inv1*inv1)+(inv3+inv2*inv2*inv2*inv2)+(inv4+inv3*inv3*inv3*inv3)+(inv1+inv4*inv4*inv4*inv4)+(W11+inv5*inv5*inv5*inv5)+(W12+W11*W11*W11*W11)+(W13+W12*W12*W12*W12)+(inv5+W13*W13*W13*W13)+(W22+W21*W21*W21*W21)+(W23+W22*W22*W22*W22)+(W31+W23*W23*W23*W23)+(W21+W31*W31*W31*W31)+(W33+W32*W32*W32*W32)+(W41+W33*W33*W33*W33)+(W42+W41*W41*W41*W41)+(W32+W42*W42*W42*W42)+(W51+W43*W43*W43*W43)+(W52+W51*W51*W51*W51)+(W53+W52*W52*W52*W52)+(W43+W53*W53*W53*W53)+((FLAG2)*((B_next+B)+(C_next+C)+FLAG1_next+(FLAG2_next)+(A_next+W32+W43)+(A+K00+(K04+(K13+(K22+(K31+(inv1+(inv5+(W21))))))))+(B00_next+B00+K00)+(B10_next+B10+K04)+(B20_next+B20+K13)+(B30_next+B30+K22)+(B01_next+B01+K31)+(B11_next+B11+inv1)+(B21_next+B21+inv5)+(B31_next+B31+W21)+(B04_next+B04+W32)+(B14_next+B14+W43)+(B02_next+B02)+(B12_next+B12)+(B22_next+B22)+(B32_next+B32)+(B03_next+B03)+(B13_next+B13)+(B23_next+B23)+(B33_next+B33)+(B24_next+B24)+(B34_next+B34))+FLAG2*((FLAG1_next)+(FLAG2_next)+(C+A+(W32+W43))+(B+K00+(K04+(K13+(K22+(K31+(inv1+(inv5+(W21))))))))+(B02_next+B02+K00)+(B12_next+B12+K04)+(B22_next+B22+K13)+(B32_next+B32+K22)+(B03_next+B03+K31)+(B13_next+B13+inv1)+(B23_next+B23+inv5)+(B33_next+B33+W21)+(B24_next+B24+W32)+(B34_next+B34+W43)+(B00_next+B00)+(B10_next+B10)+(B20_next+B20)+(B30_next+B30)+(B01_next+B01)+(B11_next+B11)+(B21_next+B21)+(B31_next+B31)+(B04_next+B04)+(B14_next+B14))))+FLAG1*(FLAG2*((K)*((K_next+K)+((K)*(PHASE_next+(K00_next+B00)+(K01_next+B01)+(K02_next+B02)+(K03_next+B03)+(K04_next+B04)+(K10_next+B10)+(K11_next+B11)+(K12_next+B12)+(K13_next+B13)+(K14_next+B14)+(K20_next+B20)+(K21_next+B21)+(K22_next+B22)+(K23_next+B23)+(K24_next+B24)+(K30_next+B30)+(K31_next+B31)+(K32_next+B32)+(K33_next+B33)+(K34_next+B34))))+((K)*A)*((PHASE_next)+(K_next+K)+(STATE_next)+(FLAG1_next)+(FLAG2_next)+B00+B01+B02+B03+B04+B10+B11+B12+B13+B14+B20+B21+B22+B23+B24+B30+B31+B32+B33+B34)))))))+((PHASE)*(ST2)*(ST2)*(ST2)*(PHASE_next+(ST2_next)+(isSecondPhaseComparingLOCI_next+isSecondPhaseComparingLOCI)+(B00+B00_next*B00_next*B00_next*B00_next)+(W11+B00*B00*B00*B00)+(W12+W11*W11*W11*W11)+(B00_next+W12*W12*W12*W12)+(B01+B01_next*B01_next*B01_next*B01_next)+(W13+B01*B01*B01*B01)+(W21+W13*W13*W13*W13)+(B01_next+W21*W21*W21*W21)+(B10+B10_next*B10_next*B10_next*B10_next)+(W22+B10*B10*B10*B10)+(W23+W22*W22*W22*W22)+(B10_next+W23*W23*W23*W23)+(B11+B11_next*B11_next*B11_next*B11_next)+(W31+B11*B11*B11*B11)+(W32+W31*W31*W31*W31)+(B11_next+W32*W32*W32*W32)+(B20+B20_next*B20_next*B20_next*B20_next)+(W33+B20*B20*B20*B20)+(W41+W33*W33*W33*W33)+(B20_next+W41*W41*W41*W41)+(B21+B21_next*B21_next*B21_next*B21_next)+(W42+B21*B21*B21*B21)+(W43+W42*W42*W42*W42)+(B21_next+W43*W43*W43*W43)+(B30+B30_next*B30_next*B30_next*B30_next)+(W51+B30*B30*B30*B30)+(W52+W51*W51*W51*W51)+(B30_next+W52*W52*W52*W52)+(B31+B31_next*B31_next*B31_next*B31_next)+(W53+B31*B31*B31*B31)+(W11_next+W53*W53*W53*W53)+(B31_next+W11_next*W11_next*W11_next*W11_next)+(B02+B02_next*B02_next*B02_next*B02_next)+(W12_next+B02*B02*B02*B02)+(W13_next+W12_next*W12_next*W12_next*W12_next)+(B02_next+W13_next*W13_next*W13_next*W13_next)+(B03+B03_next*B03_next*B03_next*B03_next)+(W21_next+B03*B03*B03*B03)+(W22_next+W21_next*W21_next*W21_next*W21_next)+(B03_next+W22_next*W22_next*W22_next*W22_next)+(B12+B12_next*B12_next*B12_next*B12_next)+(W23_next+B12*B12*B12*B12)+(W31_next+W23_next*W23_next*W23_next*W23_next)+(B12_next+W31_next*W31_next*W31_next*W31_next)+(B13+B13_next*B13_next*B13_next*B13_next)+(W32_next+B13*B13*B13*B13)+(W33_next+W32_next*W32_next*W32_next*W32_next)+(B13_next+W33_next*W33_next*W33_next*W33_next)+(B22+B22_next*B22_next*B22_next*B22_next)+(W41_next+B22*B22*B22*B22)+(W42_next+W41_next*W41_next*W41_next*W41_next)+(B22_next+W42_next*W42_next*W42_next*W42_next)+(B23+B23_next*B23_next*B23_next*B23_next)+(W43_next+B23*B23*B23*B23)+(W51_next+W43_next*W43_next*W43_next*W43_next)+(B23_next+W51_next*W51_next*W51_next*W51_next)+(B32+B32_next*B32_next*B32_next*B32_next)+(W52_next+B32*B32*B32*B32)+(W53_next+W52_next*W52_next*W52_next*W52_next)+(B32_next+W53_next*W53_next*W53_next*W53_next)+(B33+B33_next*B33_next*B33_next*B33_next)+(inv1+B33*B33*B33*B33)+(inv2+inv1*inv1*inv1*inv1)+(B33_next+inv2*inv2*inv2*inv2)+(B04+B04_next*B04_next*B04_next*B04_next)+(inv3+B04*B04*B04*B04)+(inv4+inv3*inv3*inv3*inv3)+(B04_next+inv4*inv4*inv4*inv4)+(B14+B14_next*B14_next*B14_next*B14_next)+(inv5+B14*B14*B14*B14)+(inv1_next+inv5*inv5*inv5*inv5)+(B14_next+inv1_next*inv1_next*inv1_next*inv1_next)+(B24+B24_next*B24_next*B24_next*B24_next)+(inv2_next+B24*B24*B24*B24)+(inv3_next+inv2_next*inv2_next*inv2_next*inv2_next)+(B24_next+inv3_next*inv3_next*inv3_next*inv3_next)+(B34+B34_next*B34_next*B34_next*B34_next)+(inv4_next+B34*B34*B34*B34)+(inv5_next+inv4_next*inv4_next*inv4_next*inv4_next)+(B34_next+inv5_next*inv5_next*inv5_next*inv5_next)+(isSecondPhaseComparingLOCI*((L4+B00_next+(B10_next+(B20_next+(B30_next+(B01_next+(B11_next+(B21_next+(B31_next))))))))+(L5+B02_next+(B12_next+(B22_next+(B32_next+(B03_next+(B13_next+(B23_next+(B33_next))))))))+(L6+B04_next+(B14_next+(B24_next+(B34_next)))))+(isSecondPhaseComparingLOCI)*((L1+B00_next+(B10_next+(B20_next+(B30_next+(B01_next+(B11_next+(B21_next+(B31_next))))))))+(L2+B02_next+(B12_next+(B22_next+(B32_next+(B03_next+(B13_next+(B23_next+(B33_next))))))))+(L3+B04_next+(B14_next+(B24_next+(B34_next)))))))+(ST2)*(ST2)*(ST2)*(PHASE_next+(isSecondPhaseComparingLOCI_next+isSecondPhaseComparingLOCI)+(ST2_next)+(B00_next+B00)+(B01_next+B01)+(B02_next+B02)+(B03_next+B03)+(B04_next+B04)+(B10_next+B10)+(B11_next+B11)+(B12_next+B12)+(B13_next+B13)+(B14_next+B14)+(B20_next+B20)+(B21_next+B21)+(B22_next+B22)+(B23_next+B23)+(B24_next+B24)+(B30_next+B30)+(B31_next+B31)+(B32_next+B32)+(B33_next+B33)+(B34_next+B34))+ST3*(ST2)*(PHASE_next+(ST2_next)+(isSecondPhaseComparingLOCI_next+isSecondPhaseComparingLOCI)+(isSecondPhaseComparingLOCI)*(PartialMATCH)+(B00_next+B00)*(B00_next+B20)*((B20_next+B00)*(B20_next+B20)*FLAG1+PartialMATCH*(FLAG1)*(((B20_next+B00)*inv3_next)+((B20_next+B20)*inv4_next)))+(B20_next+B00)*(B20_next+B20)*(PartialMATCH*(FLAG1)*(((B00_next+B00)*inv1_next)+((B00_next+B20)*inv2_next)))+((B00_next+B20)*inv2_next)*((B20_next+B00)*inv3_next)*(FLAG1+PartialMATCH)+((B00_next+B00)*inv1_next)*((B20_next+B20)*inv4_next)*(FLAG1+PartialMATCH)+(PartialMATCH)*(PartialMATCH)*FLAG1+(B01_next+B01)*(B01_next+B21)*((B21_next+B01)*(B21_next+B21)*FLAG2+FLAG1*(FLAG2)*(((B21_next+B01)*W12_next)+((B21_next+B21)*W13_next)))+(B21_next+B01)*(B21_next+B21)*(FLAG1*(FLAG2)*(((B01_next+B01)*inv5_next)+((B01_next+B21)*W11_next)))+((B01_next+B21)*W11_next)*((B21_next+B01)*W12_next)*(FLAG2+FLAG1)+((B01_next+B01)*inv5_next)*((B21_next+B21)*W13_next)*(FLAG2+FLAG1)+(FLAG1)*(FLAG1)*FLAG2+(B02_next+B02)*(B02_next+B22)*((B22_next+B02)*(B22_next+B22)*RC+FLAG2*(RC)*(((B22_next+B02)*W23_next)+((B22_next+B22)*W31_next)))+(B22_next+B02)*(B22_next+B22)*(FLAG2*(RC)*(((B02_next+B02)*W21_next)+((B02_next+B22)*W22_next)))+((B02_next+B22)*W22_next)*((B22_next+B02)*W23_next)*(RC+FLAG2)+((B02_next+B02)*W21_next)*((B22_next+B22)*W31_next)*(RC+FLAG2)+(FLAG2)*(FLAG2)*RC+(B03_next+B03)*(B03_next+B23)*((B23_next+B03)*(B23_next+B23)*invRC+RC*(invRC)*(((B23_next+B03)*W41_next)+((B23_next+B23)*W42_next)))+(B23_next+B03)*(B23_next+B23)*(RC*(invRC)*(((B03_next+B03)*W32_next)+((B03_next+B23)*W33_next)))+((B03_next+B23)*W33_next)*((B23_next+B03)*W41_next)*(invRC+RC)+((B03_next+B03)*W32_next)*((B23_next+B23)*W42_next)*(invRC+RC)+(RC)*(RC)*invRC+(B04_next+B04)*(B04_next+B24)*((B24_next+B04)*(B24_next+B24)*A+invRC*(A)*(((B24_next+B04)*W52_next)+((B24_next+B24)*W53_next)))+(B24_next+B04)*(B24_next+B24)*(invRC*(A)*(((B04_next+B04)*W43_next)+((B04_next+B24)*W51_next)))+((B04_next+B24)*W51_next)*((B24_next+B04)*W52_next)*(A+invRC)+((B04_next+B04)*W43_next)*((B24_next+B24)*W53_next)*(A+invRC)+(invRC)*(invRC)*A+(B10_next+B10)*(B10_next+B30)*((B30_next+B10)*(B30_next+B30)*B+A*(B)*(((B30_next+B10)*inv3)+((B30_next+B30)*inv4)))+(B30_next+B10)*(B30_next+B30)*(A*(B)*(((B10_next+B10)*inv1)+((B10_next+B30)*inv2)))+((B10_next+B30)*inv2)*((B30_next+B10)*inv3)*(B+A)+((B10_next+B10)*inv1)*((B30_next+B30)*inv4)*(B+A)+(A)*(A)*B+(B11_next+B11)*(B11_next+B31)*((B31_next+B11)*(B31_next+B31)*C+B*(C)*(((B31_next+B11)*W12)+((B31_next+B31)*W13)))+(B31_next+B11)*(B31_next+B31)*(B*(C)*(((B11_next+B11)*inv5)+((B11_next+B31)*W11)))+((B11_next+B31)*W11)*((B31_next+B11)*W12)*(C+B)+((B11_next+B11)*inv5)*((B31_next+B31)*W13)*(C+B)+(B)*(B)*C+(B12_next+B12)*(B12_next+B32)*((B32_next+B12)*(B32_next+B32)*STATE+C*(STATE)*(((B32_next+B12)*W23)+((B32_next+B32)*W31)))+(B32_next+B12)*(B32_next+B32)*(C*(STATE)*(((B12_next+B12)*W21)+((B12_next+B32)*W22)))+((B12_next+B32)*W22)*((B32_next+B12)*W23)*(STATE+C)+((B12_next+B12)*W21)*((B32_next+B32)*W31)*(STATE+C)+(C)*(C)*STATE+(B13_next+B13)*(B13_next+B33)*((B33_next+B13)*(B33_next+B33)*RC_next+STATE*(RC_next)*(((B33_next+B13)*W41)+((B33_next+B33)*W42)))+(B33_next+B13)*(B33_next+B33)*(STATE*(RC_next)*(((B13_next+B13)*W32)+((B13_next+B33)*W33)))+((B13_next+B33)*W33)*((B33_next+B13)*W41)*(RC_next+STATE)+((B13_next+B13)*W32)*((B33_next+B33)*W42)*(RC_next+STATE)+(STATE)*(STATE)*RC_next+(B14_next+B14)*(B14_next+B34)*((B34_next+B14)*(B34_next+B34)*PartialMATCH_next+RC_next*(PartialMATCH_next)*(((B34_next+B14)*W52)+((B34_next+B34)*W53)))+(B34_next+B14)*(B34_next+B34)*(RC_next*(PartialMATCH_next)*(((B14_next+B14)*W43)+((B14_next+B34)*W51)))+((B14_next+B34)*W51)*((B34_next+B14)*W52)*(PartialMATCH_next+RC_next)+((B14_next+B14)*W43)*((B34_next+B34)*W53)*(PartialMATCH_next+RC_next)+(RC_next)*(RC_next)*PartialMATCH_next)+ST3*(ST2)*((PHASE_next)+(STATE_next)+FLAG1_next+FLAG2_next+(isSecondPhaseComparingLOCI*(isSecondPhaseComparingLOCI_next+PartialMATCH_next*(PartialMATCH_next)*(MATCH_next)+MATCH*(MATCH)*(MATCH_next)+PartialMATCH_next*(PartialMATCH_next)*(MATCH)*(MATCH_next)+(PartialMATCH_next)*(PartialMATCH_next)*(MATCH)*(MATCH)*MATCH_next)+(isSecondPhaseComparingLOCI)*((isSecondPhaseComparingLOCI_next)+(MATCH_next+MATCH)+(PartialMATCH_next+PartialMATCH)))+(B00_next+B00)+(B01_next+B01)+(B02_next+B02)+(B03_next+B03)+(B04_next+B04)+(B10_next+B10)+(B11_next+B11)+(B12_next+B12)+(B13_next+B13)+(B14_next+B14)+(B20_next+B20)+(B21_next+B21)+(B22_next+B22)+(B23_next+B23)+(B24_next+B24)+(B30_next+B30)+(B31_next+B31)+(B32_next+B32)+(B33_next+B33)+(B34_next+B34)+(A_next+B00+(B10+(B20+(B30+(B01+(B11+(B21+(B31))))))))+(B_next+B02+(B12+(B22+(B32+(B03+(B13+(B23+(B33))))))))+(C_next+B04+(B14+(B24+(B34))))+((K)*STATE)*((L1+A_next)+(L2+B_next)+(L3+C_next)+(L4+K00+(K10+(K20+(K30+(K01+(K11+(K21+(K31))))))))+(L5+K02+(K12+(K22+(K32+(K03+(K13+(K23+(K33))))))))+(L6+K04+(K14+(K24+(K34)))))))); + + //std::cout << "TMP!!degreeBound()=" << resTmp.deg_ << std::endl; + return PolynomialDegree(resTmp.deg_); + } + + + std::unique_ptr clone()const{ + return std::unique_ptr(new polyAES160hashcLOCI_class); + } + + size_t numVars()const{ + return AES160hashcLOCI::NUMREGS; + } + + }; + + } //anonymous namespace for polys + + AES160hashcLOCI_CS::AES160hashcLOCI_CS(){ + polys_.push_back(polyPtr_t(new polyAES160hashcLOCI_class())); + + } + + AES160hashcLOCI_CS* AES160hashcLOCI_CS::clone() const{ + return new AES160hashcLOCI_CS(); + } + + using std::vector; + vector AES160hashcLOCI_CS::eval(const vector& assignment) const{ + vector res; + for(const auto& p: polys_){ + res.push_back(p->eval(assignment)); + } + + return res; + } + + } // ACSP_FOR_AES160hashcLOCI namespace + } // stark_dpm namespace + diff --git a/starkdpm/AES160hashcLOCI_instance.cpp b/starkdpm/AES160hashcLOCI_instance.cpp new file mode 100644 index 0000000..79e5e06 --- /dev/null +++ b/starkdpm/AES160hashcLOCI_instance.cpp @@ -0,0 +1,58 @@ +#include "AES160hashcLOCI_instance.hpp" + +namespace stark_dpm{ +namespace ACSP_FOR_AES160hashcLOCI{ + +namespace{ + +using std::vector; + +class empty_CS : public libstark::ConstraintSys{ + public: + + /// the amount of inputs each polynomial expects + size_t numVars() const{ return 2 * AES160hashcLOCI::NUMREGS; } + size_t numMappings() const{return polys.size();} + empty_CS* clone() const{return new empty_CS();} + + /// the constraint polynomials + virtual const polySet_t& constraints() const{return polys;} + vector eval(const vector& assignment) const{ + vector res; + for(const auto& p : polys){ + res.push_back(p->eval(assignment)); + } + + return res; + } + +private: + polySet_t polys; +}; +} + +libstark::BairInstance buildBairInstance(const AES160hashcLOCICommonParams& params){ + using Algebra::FieldElement; + using Algebra::zero; + using Algebra::mapIntegerToFieldElement; + using libstark::BairInstance; + + const size_t vectorsLen = AES160hashcLOCI::NUMREGS; + const short domainSizeIndicator = AES160hashcLOCI::getDim(params.length); + BairInstance::constraintsPtr_t constraints_assignment(new AES160hashcLOCI_CS()); + BairInstance::constraintsPtr_t constraints_permutation(new empty_CS()); + + BairInstance::boundaryConstraints_t boundary; + boundary[BairInstance::point_t(0, AES160hashcLOCI::reg::PHASE)] = Algebra::zero(); + boundary[BairInstance::point_t(0, AES160hashcLOCI::reg::ST2)] = Algebra::xFE()*Algebra::xFE(); + boundary[BairInstance::point_t(0, AES160hashcLOCI::reg::MATCH)] = Algebra::zero(); + const unsigned long lastTimestamp = (1UL<(AES160hashcLOCI::NUMREGS, zero())); +} + +} // namespace ACSP_FOR_AES160hashcLOCI +} // namespace stark_dpm diff --git a/starkdpm/AES160hashcLOCI_instance.hpp b/starkdpm/AES160hashcLOCI_instance.hpp new file mode 100644 index 0000000..0659446 --- /dev/null +++ b/starkdpm/AES160hashcLOCI_instance.hpp @@ -0,0 +1,31 @@ +#ifndef __ACSP_FOR_AES160hashcLOCI_INSTANCE_HPP__ +#define __ACSP_FOR_AES160hashcLOCI_INSTANCE_HPP__ + +#include "AES160hashcLOCI.hpp" +#include "languages/Bair/ConstraintsSys.hpp" + +namespace stark_dpm{ +namespace ACSP_FOR_AES160hashcLOCI{ + + class AES160hashcLOCI_CS : public libstark::ConstraintSys{ + public: + AES160hashcLOCI_CS(); + + /// the amount of inputs each polynomial expects + size_t numVars() const{return 2*AES160hashcLOCI::NUMREGS;} + size_t numMappings() const{return polys_.size();} + + AES160hashcLOCI_CS* clone() const; + + /// the constraint polynomials + const polySet_t& constraints() const{return polys_;} + std::vector eval(const std::vector& assignment) const; + + private: + polySet_t polys_; +}; + +} // namespace ACSP_FOR_AES160hashcLOCI +} // namespace stark_dpm + +#endif // __ACSP_FOR_AES160hashcLOCI_INSTANCE_HPP__ diff --git a/starkdpm/AES160hashcLOCI_witness.cpp b/starkdpm/AES160hashcLOCI_witness.cpp new file mode 100644 index 0000000..a042629 --- /dev/null +++ b/starkdpm/AES160hashcLOCI_witness.cpp @@ -0,0 +1,46 @@ +#include "AES160hashcLOCI_instance.hpp" +#include "common/Utils/ErrorHandling.hpp" + +namespace stark_dpm{ +namespace ACSP_FOR_AES160hashcLOCI{ + +using std::vector; +using Algebra::FieldElement; +using namespace AES160hashcLOCI; + +namespace{ + class idPermutation : public libstark::BairWitness::permutation_t{ + public: + size_t getElementByIndex(index_t index)const{ + return index; + } + }; + + class coloringClass : public libstark::BairWitness::assignment_t{ + private: + std::vector coloring_; + public: + coloringClass(const AES160hashcLOCICommonParams& commonParams, const witnessType hashC): + coloring_((size_t(1) << AES160hashcLOCI::getDim(commonParams.length))-1, vector(AES160hashcLOCI::NUMREGS)) + { + AES160hashcLOCI::genWitnessLOCIHashcAES160WithPadding(coloring_, hashC, commonParams.length, commonParams.seed); + //std::cout << "done " << coloring_[0][AES160hashchain::reg::STATE] << std::endl; + } + + libstark::BairWitness::color_t getElementByIndex(index_t index)const{ + _COMMON_ASSERT(index < coloring_.size(),"index of color out of range"); + return coloring_[index]; + } + }; +} + +libstark::BairWitness buildBairWitness(const AES160hashcLOCICommonParams& commonParams, const witnessType hashC){ + using libstark::BairWitness; + BairWitness::permutation_ptr perm(new idPermutation()); + BairWitness::assignment_ptr assignment(new coloringClass(commonParams, hashC)); + + return BairWitness(std::move(assignment), std::move(perm)); +} + +} // namespace ACSP_FOR_AES160hashcLOCI +} // namespace stark_dpm diff --git a/starkdpm/constraints_AES160hashcLOCI.txt b/starkdpm/constraints_AES160hashcLOCI.txt new file mode 100644 index 0000000..8e41a72 --- /dev/null +++ b/starkdpm/constraints_AES160hashcLOCI.txt @@ -0,0 +1,2046 @@ +(ST3 + (ST2 + 1)*(ST2 + X)) +& +(L1_next + L1) +& +(L2_next + L2) +& +(L3_next + L3) +& +(L4_next + L4) +& +(L5_next + L5) +& +(L6_next + L6) +& +( +(PHASE + 1)* +( + (K00_next + K00) + & + (K01_next + K01) + & + (K02_next + K02) + & + (K03_next + K03) + & + (K04_next + K04) + & + (K10_next + K10) + & + (K11_next + K11) + & + (K12_next + K12) + & + (K13_next + K13) + & + (K14_next + K14) + & + (K20_next + K20) + & + (K21_next + K21) + & + (K22_next + K22) + & + (K23_next + K23) + & + (K24_next + K24) + & + (K30_next + K30) + & + (K31_next + K31) + & + (K32_next + K32) + & + (K33_next + K33) + & + (K34_next + K34) +) ++ +PHASE* +( + (ST2_next + 1) + & + (isSecondPhaseComparingLOCI_next + isSecondPhaseComparingLOCI) + & + ( + (STATE + X)* + ( + (A_next + A) + & + (B_next + B) + & + (C_next + C) + & + (K_next + K) + & + (PHASE_next + PHASE) + & + (W11 + inv1*inv1*inv1*inv1) + & + (W12 + W11*W11*W11*W11) + & + (W13 + W12*W12*W12*W12) + & + (W21 + inv2*inv2*inv2*inv2) + & + (W22 + W21*W21*W21*W21) + & + (W23 + W22*W22*W22*W22) + & + (W31 + inv3*inv3*inv3*inv3) + & + (W32 + W31*W31*W31*W31) + & + (W33 + W32*W32*W32*W32) + & + (W41 + inv4*inv4*inv4*inv4) + & + (W42 + W41*W41*W41*W41) + & + (W43 + W42*W42*W42*W42) + & + (W51 + inv5*inv5*inv5*inv5) + & + (W52 + W51*W51*W51*W51) + & + (W53 + W52*W52*W52*W52) + & + ( + (FLAG1 + X)* + ( + (STATE_next + 1) + & + (RC_next + RC) + & + (K00_next + K00) + & + (K01_next + K01) + & + (K02_next + K02) + & + (K03_next + K03) + & + (K04_next + K04) + & + (K10_next + K10) + & + (K11_next + K11) + & + (K12_next + K12) + & + (K13_next + K13) + & + (K14_next + K14) + & + (K20_next + K20) + & + (K21_next + K21) + & + (K22_next + K22) + & + (K23_next + K23) + & + (K24_next + K24) + & + (K30_next + K30) + & + (K31_next + K31) + & + (K32_next + K32) + & + (K33_next + K33) + & + (K34_next + K34) + & + (FLAG1 + 1)*(FLAG2 + 1)* + ( + FLAG1_next + & + (FLAG2_next + 1) + & + (B10_next + B10) + & + (B11_next + B11) + & + (B12_next + B12) + & + (B13_next + B13) + & + (B14_next + B14) + & + (B20_next + B20) + & + (B21_next + B21) + & + (B22_next + B22) + & + (B23_next + B23) + & + (B24_next + B24) + & + (B30_next + B30) + & + (B31_next + B31) + & + (B32_next + B32) + & + (B33_next + B33) + & + (B34_next + B34) + & + (inv1*B00 + 1)*(B00 & inv1) + & + (B00_next + + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv2*B01 + 1)*(B01 & inv2) + & + (B01_next + + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv3*B02 + 1)*(B02 & inv3) + & + (B02_next + + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv4*B03 + 1)*(B03 & inv4) + & + (B03_next + + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv5*B04 + 1)*(B04 & inv5) + & + (B04_next + + inv5 * polyFromMatrix_0 + + inv5 * inv5 * polyFromMatrix_1 + + W51 * polyFromMatrix_2 + + W51 * W51 * polyFromMatrix_3 + + W52 * polyFromMatrix_4 + + W52 * W52 * polyFromMatrix_5 + + W53 * polyFromMatrix_6 + + W53 * W53 * polyFromMatrix_7 + + B_Transformed + ) + ) + & + (FLAG1 + 1)*FLAG2* + ( + (FLAG1_next + 1) + & + FLAG2_next + & + (B00_next + B00) + & + (B01_next + B01) + & + (B02_next + B02) + & + (B03_next + B03) + & + (B04_next + B04) + & + (B20_next + B20) + & + (B21_next + B21) + & + (B22_next + B22) + & + (B23_next + B23) + & + (B24_next + B24) + & + (B30_next + B30) + & + (B31_next + B31) + & + (B32_next + B32) + & + (B33_next + B33) + & + (B34_next + B34) + & + (inv1*B10 + 1)*(B10 & inv1) + & + (B14_next + + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv2*B11 + 1)*(B11 & inv2) + & + (B10_next + + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv3*B12 + 1)*(B12 & inv3) + & + (B11_next + + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv4*B13 + 1)*(B13 & inv4) + & + (B12_next + + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv5*B14 + 1)*(B14 & inv5) + & + (B13_next + + inv5 * polyFromMatrix_0 + + inv5 * inv5 * polyFromMatrix_1 + + W51 * polyFromMatrix_2 + + W51 * W51 * polyFromMatrix_3 + + W52 * polyFromMatrix_4 + + W52 * W52 * polyFromMatrix_5 + + W53 * polyFromMatrix_6 + + W53 * W53 * polyFromMatrix_7 + + B_Transformed + ) + ) + & + FLAG1*(FLAG2 + 1)* + ( + (FLAG1_next + 1) + & + (FLAG2_next + 1) + & + (B00_next + B00) + & + (B01_next + B01) + & + (B02_next + B02) + & + (B03_next + B03) + & + (B04_next + B04) + & + (B10_next + B10) + & + (B11_next + B11) + & + (B12_next + B12) + & + (B13_next + B13) + & + (B14_next + B14) + & + (B30_next + B30) + & + (B31_next + B31) + & + (B32_next + B32) + & + (B33_next + B33) + & + (B34_next + B34) + & + (inv1*B20 + 1)*(B20 & inv1) + & + (B23_next + + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv2*B21 + 1)*(B21 & inv2) + & + (B24_next + + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv3*B22 + 1)*(B22 & inv3) + & + (B20_next + + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv4*B23 + 1)*(B23 & inv4) + & + (B21_next + + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv5*B24 + 1)*(B24 & inv5) + & + (B22_next + + inv5 * polyFromMatrix_0 + + inv5 * inv5 * polyFromMatrix_1 + + W51 * polyFromMatrix_2 + + W51 * W51 * polyFromMatrix_3 + + W52 * polyFromMatrix_4 + + W52 * W52 * polyFromMatrix_5 + + W53 * polyFromMatrix_6 + + W53 * W53 * polyFromMatrix_7 + + B_Transformed + ) + ) + + & + FLAG1*FLAG2* + ( + (FLAG1_next + X) + & + (B00_next + B00) + & + (B01_next + B01) + & + (B02_next + B02) + & + (B03_next + B03) + & + (B04_next + B04) + & + (B10_next + B10) + & + (B11_next + B11) + & + (B12_next + B12) + & + (B13_next + B13) + & + (B14_next + B14) + & + (B20_next + B20) + & + (B21_next + B21) + & + (B22_next + B22) + & + (B23_next + B23) + & + (B24_next + B24) + & + (inv1*B30 + 1)*(B30 & inv1) + & + (B32_next + + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv2*B31 + 1)*(B31 & inv2) + & + (B33_next + + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv3*B32 + 1)*(B32 & inv3) + & + (B34_next + + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv4*B33 + 1)*(B33 & inv4) + & + (B30_next + + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + ) + & + (inv5*B34 + 1)*(B34 & inv5) + & + (B31_next + + inv5 * polyFromMatrix_0 + + inv5 * inv5 * polyFromMatrix_1 + + W51 * polyFromMatrix_2 + + W51 * W51 * polyFromMatrix_3 + + W52 * polyFromMatrix_4 + + W52 * W52 * polyFromMatrix_5 + + W53 * polyFromMatrix_6 + + W53 * W53 * polyFromMatrix_7 + + B_Transformed + ) + ) + ) + + + FLAG1*(FLAG1 + 1)* + ( + FLAG1_next + & + (FLAG2_next) + & + (inv1*K14 + 1)*(K14 & inv1) + & + (inv2*K24 + 1)*(K24 & inv2) + & + (inv3*K34 + 1)*(K34 & inv3) + & + (inv4*K04 + 1)*(K04 & inv4) + & + (RC + Rcon_round11)* + ( + (RC_next + xFETransformed*RC) + & + (STATE_next + 1) + & + (K00_next + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + K00 + RC + ) + & + (K10_next + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + K10 + ) + & + (K20_next + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + K20 + ) + & + (K30_next + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + K30 + ) + & + (K01_next + K00_next + K01) + & + (K11_next + K10_next + K11) + & + (K21_next + K20_next + K21) + & + (K31_next + K30_next + K31) + & + (K02_next + K01_next + K02) + & + (K12_next + K11_next + K12) + & + (K22_next + K21_next + K22) + & + (K32_next + K31_next + K32) + & + (K03_next + K02_next + K03) + & + (K13_next + K12_next + K13) + & + (K23_next + K22_next + K23) + & + (K33_next + K32_next + K33) + & + (K04_next + K03_next + K04) + & + (K14_next + K13_next + K14) + & + (K24_next + K23_next + K24) + & + (K34_next + K33_next + K34) + & + (B00_next + + MixColMat_0_0 * B00 + MixColMat_0_1 * B10 + + MixColMat_0_2 * B20 + MixColMat_0_3 * B30 + K00_next + ) + & + (B01_next + + MixColMat_0_0 * B01 + MixColMat_0_1 * B11 + + MixColMat_0_2 * B21 + MixColMat_0_3 * B31 + K01_next + ) + & + (B02_next + + MixColMat_0_0 * B02 + MixColMat_0_1 * B12 + + MixColMat_0_2 * B22 + MixColMat_0_3 * B32 + K02_next + ) + & + (B03_next + + MixColMat_0_0 * B03 + MixColMat_0_1 * B13 + + MixColMat_0_2 * B23 + MixColMat_0_3 * B33 + K03_next + ) + & + (B04_next + + MixColMat_0_0 * B04 + MixColMat_0_1 * B14 + + MixColMat_0_2 * B24 + MixColMat_0_3 * B34 + K04_next + ) + & + (B10_next + + MixColMat_1_0 * B00 + MixColMat_1_1 * B10 + + MixColMat_1_2 * B20 + MixColMat_1_3 * B30 + K10_next + ) + & + (B11_next + + MixColMat_1_0 * B01 + MixColMat_1_1 * B11 + + MixColMat_1_2 * B21 + MixColMat_1_3 * B31 + K11_next + ) + & + (B12_next + + MixColMat_1_0 * B02 + MixColMat_1_1 * B12 + + MixColMat_1_2 * B22 + MixColMat_1_3 * B32 + K12_next + ) + & + (B13_next + + MixColMat_1_0 * B03 + MixColMat_1_1 * B13 + + MixColMat_1_2 * B23 + MixColMat_1_3 * B33 + K13_next + ) + & + (B14_next + + MixColMat_1_0 * B04 + MixColMat_1_1 * B14 + + MixColMat_1_2 * B24 + MixColMat_1_3 * B34 + K14_next + ) + & + (B20_next + + MixColMat_2_0 * B00 + MixColMat_2_1 * B10 + + MixColMat_2_2 * B20 + MixColMat_2_3 * B30 + K20_next + ) + & + (B21_next + + MixColMat_2_0 * B01 + MixColMat_2_1 * B11 + + MixColMat_2_2 * B21 + MixColMat_2_3 * B31 + K21_next + ) + & + (B22_next + + MixColMat_2_0 * B02 + MixColMat_2_1 * B12 + + MixColMat_2_2 * B22 + MixColMat_2_3 * B32 + K22_next + ) + & + (B23_next + + MixColMat_2_0 * B03 + MixColMat_2_1 * B13 + + MixColMat_2_2 * B23 + MixColMat_2_3 * B33 + K23_next + ) + & + (B24_next + + MixColMat_2_0 * B04 + MixColMat_2_1 * B14 + + MixColMat_2_2 * B24 + MixColMat_2_3 * B34 + K24_next + ) + & + (B30_next + + MixColMat_3_0 * B00 + MixColMat_3_1 * B10 + + MixColMat_3_2 * B20 + MixColMat_3_3 * B30 + K30_next + ) + & + (B31_next + + MixColMat_3_0 * B01 + MixColMat_3_1 * B11 + + MixColMat_3_2 * B21 + MixColMat_3_3 * B31 + K31_next + ) + & + (B32_next + + MixColMat_3_0 * B02 + MixColMat_3_1 * B12 + + MixColMat_3_2 * B22 + MixColMat_3_3 * B32 + K32_next + ) + & + (B33_next + + MixColMat_3_0 * B03 + MixColMat_3_1 * B13 + + MixColMat_3_2 * B23 + MixColMat_3_3 * B33 + K33_next + ) + & + (B34_next + + MixColMat_3_0 * B04 + MixColMat_3_1 * B14 + + MixColMat_3_2 * B24 + MixColMat_3_3 * B34 + K34_next + ) + ) + + + (1 + (RC + Rcon_round11)*invRC)* + ( + (STATE_next + X) + & + (B00_next + B00 + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + K00 + RC + ) + & + (B10_next + B10 + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + K10 + ) + & + (B20_next + B20 + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + K20 + ) + & + (B30_next + B30 + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + K30 + ) + & + (B01_next + B01 + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + K00 + RC + K01 + ) + & + (B11_next + B11 + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + K10 + K11 + ) + & + (B21_next + B21 + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + K20 + K21 + ) + & + (B31_next + B31 + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + K30 + K31 + ) + & + (B02_next + B02 + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + K00 + RC + K01 + K02 + ) + & + (B12_next + B12 + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + K10 + K11 + K12 + ) + & + (B22_next + B22 + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + K20 + K21 + K22 + ) + & + (B32_next + B32 + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + K30 + K31 + K32 + ) + & + (B03_next + B03 + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + K00 + RC + K01 + K02 + K03 + ) + & + (B13_next + B13 + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + K10 + K11 + K12 + K13 + ) + & + (B23_next + B23 + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + K20 + K21 + K22 + K23 + ) + & + (B33_next + B33 + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + K30 + K31 + K32 + K33 + ) + & + (B04_next + B04 + inv1 * polyFromMatrix_0 + + inv1 * inv1 * polyFromMatrix_1 + + W11 * polyFromMatrix_2 + + W11 * W11 * polyFromMatrix_3 + + W12 * polyFromMatrix_4 + + W12 * W12 * polyFromMatrix_5 + + W13 * polyFromMatrix_6 + + W13 * W13 * polyFromMatrix_7 + + B_Transformed + K00 + RC + K01 + K02 + K03 + K04 + ) + & + (B14_next + B14 + inv2 * polyFromMatrix_0 + + inv2 * inv2 * polyFromMatrix_1 + + W21 * polyFromMatrix_2 + + W21 * W21 * polyFromMatrix_3 + + W22 * polyFromMatrix_4 + + W22 * W22 * polyFromMatrix_5 + + W23 * polyFromMatrix_6 + + W23 * W23 * polyFromMatrix_7 + + B_Transformed + K10 + K11 + K12 + K13 + K14 + ) + & + (B24_next + B24 + inv3 * polyFromMatrix_0 + + inv3 * inv3 * polyFromMatrix_1 + + W31 * polyFromMatrix_2 + + W31 * W31 * polyFromMatrix_3 + + W32 * polyFromMatrix_4 + + W32 * W32 * polyFromMatrix_5 + + W33 * polyFromMatrix_6 + + W33 * W33 * polyFromMatrix_7 + + B_Transformed + K20 + K21 + K22 + K23 + K24 + ) + & + (B34_next + B34 + inv4 * polyFromMatrix_0 + + inv4 * inv4 * polyFromMatrix_1 + + W41 * polyFromMatrix_2 + + W41 * W41 * polyFromMatrix_3 + + W42 * polyFromMatrix_4 + + W42 * W42 * polyFromMatrix_5 + + W43 * polyFromMatrix_6 + + W43 * W43 * polyFromMatrix_7 + + B_Transformed + K30 + K31 + K32 + K33 + K34 + ) + ) + ) + ) + ) + + + (STATE + 1)* + ( + (FLAG1 + 1) * + ( + (K_next + K) + & + (STATE_next + X) + & + (K01 + K00*K00*K00*K00) + & + (K02 + K01*K01*K01*K01) + & + (K03 + K02*K02*K02*K02) + & + (K00 + K03*K03*K03*K03) + & + (K10 + K04*K04*K04*K04) + & + (K11 + K10*K10*K10*K10) + & + (K12 + K11*K11*K11*K11) + & + (K04 + K12*K12*K12*K12) + & + (K14 + K13*K13*K13*K13) + & + (K20 + K14*K14*K14*K14) + & + (K21 + K20*K20*K20*K20) + & + (K13 + K21*K21*K21*K21) + & + (K23 + K22*K22*K22*K22) + & + (K24 + K23*K23*K23*K23) + & + (K30 + K24*K24*K24*K24) + & + (K22 + K30*K30*K30*K30) + & + (K32 + K31*K31*K31*K31) + & + (K33 + K32*K32*K32*K32) + & + (K34 + K33*K33*K33*K33) + & + (K31 + K34*K34*K34*K34) + & + (inv2 + inv1*inv1*inv1*inv1) + & + (inv3 + inv2*inv2*inv2*inv2) + & + (inv4 + inv3*inv3*inv3*inv3) + & + (inv1 + inv4*inv4*inv4*inv4) + & + (W11 + inv5*inv5*inv5*inv5) + & + (W12 + W11*W11*W11*W11) + & + (W13 + W12*W12*W12*W12) + & + (inv5 + W13*W13*W13*W13) + & + (W22 + W21*W21*W21*W21) + & + (W23 + W22*W22*W22*W22) + & + (W31 + W23*W23*W23*W23) + & + (W21 + W31*W31*W31*W31) + & + (W33 + W32*W32*W32*W32) + & + (W41 + W33*W33*W33*W33) + & + (W42 + W41*W41*W41*W41) + & + (W32 + W42*W42*W42*W42) + & + (W51 + W43*W43*W43*W43) + & + (W52 + W51*W51*W51*W51) + & + (W53 + W52*W52*W52*W52) + & + (W43 + W53*W53*W53*W53) + & + ( + (FLAG2 + 1)* + ( + (B_next + B) + & + (C_next + C) + & + FLAG1_next + & + (FLAG2_next + 1) + & + (A_next + W32 + X*W43) + & + (A + K00 + + X * (K04 + + X * (K13 + + X * (K22 + + X * (K31 + + X * (inv1 + + X * (inv5 + + X * (W21 + ))))))) + ) + & + (B00_next + B00 + K00) + & + (B10_next + B10 + K04) + & + (B20_next + B20 + K13) + & + (B30_next + B30 + K22) + & + (B01_next + B01 + K31) + & + (B11_next + B11 + inv1) + & + (B21_next + B21 + inv5) + & + (B31_next + B31 + W21) + & + (B04_next + B04 + W32) + & + (B14_next + B14 + W43) + & + (B02_next + B02) + & + (B12_next + B12) + & + (B22_next + B22) + & + (B32_next + B32) + & + (B03_next + B03) + & + (B13_next + B13) + & + (B23_next + B23) + & + (B33_next + B33) + & + (B24_next + B24) + & + (B34_next + B34) + + ) + + + FLAG2* + ( + (FLAG1_next + 1) + & + (FLAG2_next + 1) + & + (C + A + X*X*(W32 + X*W43)) + & + (B + K00 + + X * (K04 + + X * (K13 + + X * (K22 + + X * (K31 + + X * (inv1 + + X * (inv5 + + X * (W21 + ))))))) + ) + & + (B02_next + B02 + K00) + & + (B12_next + B12 + K04) + & + (B22_next + B22 + K13) + & + (B32_next + B32 + K22) + & + (B03_next + B03 + K31) + & + (B13_next + B13 + inv1) + & + (B23_next + B23 + inv5) + & + (B33_next + B33 + W21) + & + (B24_next + B24 + W32) + & + (B34_next + B34 + W43) + & + (B00_next + B00) + & + (B10_next + B10) + & + (B20_next + B20) + & + (B30_next + B30) + & + (B01_next + B01) + & + (B11_next + B11) + & + (B21_next + B21) + & + (B31_next + B31) + & + (B04_next + B04) + & + (B14_next + B14) + ) + ) + ) + + + FLAG1 * + ( + FLAG2* + ( + (X*K + last_pow)* + ( + (K_next + K*X) + & + ( + (K + 1)* + ( + PHASE_next + & + (K00_next + B00) + & + (K01_next + B01) + & + (K02_next + B02) + & + (K03_next + B03) + & + (K04_next + B04) + & + (K10_next + B10) + & + (K11_next + B11) + & + (K12_next + B12) + & + (K13_next + B13) + & + (K14_next + B14) + & + (K20_next + B20) + & + (K21_next + B21) + & + (K22_next + B22) + & + (K23_next + B23) + & + (K24_next + B24) + & + (K30_next + B30) + & + (K31_next + B31) + & + (K32_next + B32) + & + (K33_next + B33) + & + (K34_next + B34) + ) + ) + ) + + + ((X*K + last_pow)*A + 1)* + ( + (PHASE_next + 1) + & + (K_next + K) + & + (STATE_next + X) + & + (FLAG1_next + 1) + & + (FLAG2_next + 1) + & + B00 + ROOT_HASH_00 + & + B01 + ROOT_HASH_01 + & + B02 + ROOT_HASH_02 + & + B03 + ROOT_HASH_03 + & + B04 + ROOT_HASH_04 + & + B10 + ROOT_HASH_05 + & + B11 + ROOT_HASH_06 + & + B12 + ROOT_HASH_07 + & + B13 + ROOT_HASH_08 + & + B14 + ROOT_HASH_09 + & + B20 + ROOT_HASH_10 + & + B21 + ROOT_HASH_11 + & + B22 + ROOT_HASH_12 + & + B23 + ROOT_HASH_13 + & + B24 + ROOT_HASH_14 + & + B30 + ROOT_HASH_15 + & + B31 + ROOT_HASH_16 + & + B32 + ROOT_HASH_17 + & + B33 + ROOT_HASH_18 + & + B34 + ROOT_HASH_19 + ) + ) + + ) + ) + ) +) +) +& +( +(PHASE + 1)*(ST2 + X)*(ST2 + 1+X)*(ST2 + X*X)* +( + PHASE_next + & + (ST2_next + X) + & + (isSecondPhaseComparingLOCI_next + isSecondPhaseComparingLOCI) + & + (B00 + B00_next*B00_next*B00_next*B00_next) + & + (W11 + B00*B00*B00*B00) + & + (W12 + W11*W11*W11*W11) + & + (B00_next + W12*W12*W12*W12) + & + (B01 + B01_next*B01_next*B01_next*B01_next) + & + (W13 + B01*B01*B01*B01) + & + (W21 + W13*W13*W13*W13) + & + (B01_next + W21*W21*W21*W21) + & + (B10 + B10_next*B10_next*B10_next*B10_next) + & + (W22 + B10*B10*B10*B10) + & + (W23 + W22*W22*W22*W22) + & + (B10_next + W23*W23*W23*W23) + & + (B11 + B11_next*B11_next*B11_next*B11_next) + & + (W31 + B11*B11*B11*B11) + & + (W32 + W31*W31*W31*W31) + & + (B11_next + W32*W32*W32*W32) + & + (B20 + B20_next*B20_next*B20_next*B20_next) + & + (W33 + B20*B20*B20*B20) + & + (W41 + W33*W33*W33*W33) + & + (B20_next + W41*W41*W41*W41) + & + (B21 + B21_next*B21_next*B21_next*B21_next) + & + (W42 + B21*B21*B21*B21) + & + (W43 + W42*W42*W42*W42) + & + (B21_next + W43*W43*W43*W43) + & + (B30 + B30_next*B30_next*B30_next*B30_next) + & + (W51 + B30*B30*B30*B30) + & + (W52 + W51*W51*W51*W51) + & + (B30_next + W52*W52*W52*W52) + & + (B31 + B31_next*B31_next*B31_next*B31_next) + & + (W53 + B31*B31*B31*B31) + & + (W11_next + W53*W53*W53*W53) + & + (B31_next + W11_next*W11_next*W11_next*W11_next) + & + (B02 + B02_next*B02_next*B02_next*B02_next) + & + (W12_next + B02*B02*B02*B02) + & + (W13_next + W12_next*W12_next*W12_next*W12_next) + & + (B02_next + W13_next*W13_next*W13_next*W13_next) + & + (B03 + B03_next*B03_next*B03_next*B03_next) + & + (W21_next + B03*B03*B03*B03) + & + (W22_next + W21_next*W21_next*W21_next*W21_next) + & + (B03_next + W22_next*W22_next*W22_next*W22_next) + & + (B12 + B12_next*B12_next*B12_next*B12_next) + & + (W23_next + B12*B12*B12*B12) + & + (W31_next + W23_next*W23_next*W23_next*W23_next) + & + (B12_next + W31_next*W31_next*W31_next*W31_next) + & + (B13 + B13_next*B13_next*B13_next*B13_next) + & + (W32_next + B13*B13*B13*B13) + & + (W33_next + W32_next*W32_next*W32_next*W32_next) + & + (B13_next + W33_next*W33_next*W33_next*W33_next) + & + (B22 + B22_next*B22_next*B22_next*B22_next) + & + (W41_next + B22*B22*B22*B22) + & + (W42_next + W41_next*W41_next*W41_next*W41_next) + & + (B22_next + W42_next*W42_next*W42_next*W42_next) + & + (B23 + B23_next*B23_next*B23_next*B23_next) + & + (W43_next + B23*B23*B23*B23) + & + (W51_next + W43_next*W43_next*W43_next*W43_next) + & + (B23_next + W51_next*W51_next*W51_next*W51_next) + & + (B32 + B32_next*B32_next*B32_next*B32_next) + & + (W52_next + B32*B32*B32*B32) + & + (W53_next + W52_next*W52_next*W52_next*W52_next) + & + (B32_next + W53_next*W53_next*W53_next*W53_next) + & + (B33 + B33_next*B33_next*B33_next*B33_next) + & + (inv1 + B33*B33*B33*B33) + & + (inv2 + inv1*inv1*inv1*inv1) + & + (B33_next + inv2*inv2*inv2*inv2) + & + (B04 + B04_next*B04_next*B04_next*B04_next) + & + (inv3 + B04*B04*B04*B04) + & + (inv4 + inv3*inv3*inv3*inv3) + & + (B04_next + inv4*inv4*inv4*inv4) + & + (B14 + B14_next*B14_next*B14_next*B14_next) + & + (inv5 + B14*B14*B14*B14) + & + (inv1_next + inv5*inv5*inv5*inv5) + & + (B14_next + inv1_next*inv1_next*inv1_next*inv1_next) + & + (B24 + B24_next*B24_next*B24_next*B24_next) + & + (inv2_next + B24*B24*B24*B24) + & + (inv3_next + inv2_next*inv2_next*inv2_next*inv2_next) + & + (B24_next + inv3_next*inv3_next*inv3_next*inv3_next) + & + (B34 + B34_next*B34_next*B34_next*B34_next) + & + (inv4_next + B34*B34*B34*B34) + & + (inv5_next + inv4_next*inv4_next*inv4_next*inv4_next) + & + (B34_next + inv5_next*inv5_next*inv5_next*inv5_next) + & + ( + isSecondPhaseComparingLOCI* + ( + (L4 + B00_next + + X * (B10_next + + X * (B20_next + + X * (B30_next + + X * (B01_next + + X * (B11_next + + X * (B21_next + + X * (B31_next + )))))))) + & + (L5 + B02_next + + X * (B12_next + + X * (B22_next + + X * (B32_next + + X * (B03_next + + X * (B13_next + + X * (B23_next + + X * (B33_next + )))))))) + & + (L6 + B04_next + + X * (B14_next + + X * (B24_next + + X * (B34_next + )))) + ) + + (isSecondPhaseComparingLOCI + 1)* + ( + (L1 + B00_next + + X * (B10_next + + X * (B20_next + + X * (B30_next + + X * (B01_next + + X * (B11_next + + X * (B21_next + + X * (B31_next + )))))))) + & + (L2 + B02_next + + X * (B12_next + + X * (B22_next + + X * (B32_next + + X * (B03_next + + X * (B13_next + + X * (B23_next + + X * (B33_next + )))))))) + & + (L3 + B04_next + + X * (B14_next + + X * (B24_next + + X * (B34_next + )))) + ) + ) +) ++ +(ST2 + 1)*(ST2 + 1+X)*(ST2 + X*X)* +( + PHASE_next + & + (isSecondPhaseComparingLOCI_next + isSecondPhaseComparingLOCI) + & + (ST2_next + 1+X) + & + (B00_next + B00) + & + (B01_next + B01) + & + (B02_next + B02) + & + (B03_next + B03) + & + (B04_next + B04) + & + (B10_next + B10) + & + (B11_next + B11) + & + (B12_next + B12) + & + (B13_next + B13) + & + (B14_next + B14) + & + (B20_next + B20) + & + (B21_next + B21) + & + (B22_next + B22) + & + (B23_next + B23) + & + (B24_next + B24) + & + (B30_next + B30) + & + (B31_next + B31) + & + (B32_next + B32) + & + (B33_next + B33) + & + (B34_next + B34) +) ++ +ST3*(ST2 + X*X)* +( + PHASE_next + & + (ST2_next + X*X) + & + (isSecondPhaseComparingLOCI_next + isSecondPhaseComparingLOCI) + & + (isSecondPhaseComparingLOCI + 1)*(PartialMATCH + X) + & + (B00_next + B00)*(B00_next + B20)* + ( + (B20_next + B00)*(B20_next + B20)*FLAG1 + & + PartialMATCH*(FLAG1 + 1)* + ( + ((B20_next + B00)*inv3_next + 1) + & + ((B20_next + B20)*inv4_next + 1) + ) + ) + & + (B20_next + B00)*(B20_next + B20)* + ( + PartialMATCH*(FLAG1 + 1)* + ( + ((B00_next + B00)*inv1_next + 1) + & + ((B00_next + B20)*inv2_next + 1) + ) + ) + & + ((B00_next + B20)*inv2_next + 1)*((B20_next + B00)*inv3_next + 1)*(FLAG1 + PartialMATCH) + & + ((B00_next + B00)*inv1_next + 1)*((B20_next + B20)*inv4_next + 1)*(FLAG1 + PartialMATCH) + & + (PartialMATCH + 1)*(PartialMATCH + X)*FLAG1 + & + (B01_next + B01)*(B01_next + B21)* + ( + (B21_next + B01)*(B21_next + B21)*FLAG2 + & + FLAG1*(FLAG2 + 1)* + ( + ((B21_next + B01)*W12_next + 1) + & + ((B21_next + B21)*W13_next + 1) + ) + ) + & + (B21_next + B01)*(B21_next + B21)* + ( + FLAG1*(FLAG2 + 1)* + ( + ((B01_next + B01)*inv5_next + 1) + & + ((B01_next + B21)*W11_next + 1) + ) + ) + & + ((B01_next + B21)*W11_next + 1)*((B21_next + B01)*W12_next + 1)*(FLAG2 + FLAG1) + & + ((B01_next + B01)*inv5_next + 1)*((B21_next + B21)*W13_next + 1)*(FLAG2 + FLAG1) + & + (FLAG1 + 1)*(FLAG1 + X)*FLAG2 + & + (B02_next + B02)*(B02_next + B22)* + ( + (B22_next + B02)*(B22_next + B22)*RC + & + FLAG2*(RC + 1)* + ( + ((B22_next + B02)*W23_next + 1) + & + ((B22_next + B22)*W31_next + 1) + ) + ) + & + (B22_next + B02)*(B22_next + B22)* + ( + FLAG2*(RC + 1)* + ( + ((B02_next + B02)*W21_next + 1) + & + ((B02_next + B22)*W22_next + 1) + ) + ) + & + ((B02_next + B22)*W22_next + 1)*((B22_next + B02)*W23_next + 1)*(RC + FLAG2) + & + ((B02_next + B02)*W21_next + 1)*((B22_next + B22)*W31_next + 1)*(RC + FLAG2) + & + (FLAG2 + 1)*(FLAG2 + X)*RC + & + (B03_next + B03)*(B03_next + B23)* + ( + (B23_next + B03)*(B23_next + B23)*invRC + & + RC*(invRC + 1)* + ( + ((B23_next + B03)*W41_next + 1) + & + ((B23_next + B23)*W42_next + 1) + ) + ) + & + (B23_next + B03)*(B23_next + B23)* + ( + RC*(invRC + 1)* + ( + ((B03_next + B03)*W32_next + 1) + & + ((B03_next + B23)*W33_next + 1) + ) + ) + & + ((B03_next + B23)*W33_next + 1)*((B23_next + B03)*W41_next + 1)*(invRC + RC) + & + ((B03_next + B03)*W32_next + 1)*((B23_next + B23)*W42_next + 1)*(invRC + RC) + & + (RC + 1)*(RC + X)*invRC + & + (B04_next + B04)*(B04_next + B24)* + ( + (B24_next + B04)*(B24_next + B24)*A + & + invRC*(A + 1)* + ( + ((B24_next + B04)*W52_next + 1) + & + ((B24_next + B24)*W53_next + 1) + ) + ) + & + (B24_next + B04)*(B24_next + B24)* + ( + invRC*(A + 1)* + ( + ((B04_next + B04)*W43_next + 1) + & + ((B04_next + B24)*W51_next + 1) + ) + ) + & + ((B04_next + B24)*W51_next + 1)*((B24_next + B04)*W52_next + 1)*(A + invRC) + & + ((B04_next + B04)*W43_next + 1)*((B24_next + B24)*W53_next + 1)*(A + invRC) + & + (invRC + 1)*(invRC + X)*A + & + (B10_next + B10)*(B10_next + B30)* + ( + (B30_next + B10)*(B30_next + B30)*B + & + A*(B + 1)* + ( + ((B30_next + B10)*inv3 + 1) + & + ((B30_next + B30)*inv4 + 1) + ) + ) + & + (B30_next + B10)*(B30_next + B30)* + ( + A*(B + 1)* + ( + ((B10_next + B10)*inv1 + 1) + & + ((B10_next + B30)*inv2 + 1) + ) + ) + & + ((B10_next + B30)*inv2 + 1)*((B30_next + B10)*inv3 + 1)*(B + A) + & + ((B10_next + B10)*inv1 + 1)*((B30_next + B30)*inv4 + 1)*(B + A) + & + (A + 1)*(A + X)*B + & + (B11_next + B11)*(B11_next + B31)* + ( + (B31_next + B11)*(B31_next + B31)*C + & + B*(C + 1)* + ( + ((B31_next + B11)*W12 + 1) + & + ((B31_next + B31)*W13 + 1) + ) + ) + & + (B31_next + B11)*(B31_next + B31)* + ( + B*(C + 1)* + ( + ((B11_next + B11)*inv5 + 1) + & + ((B11_next + B31)*W11 + 1) + ) + ) + & + ((B11_next + B31)*W11 + 1)*((B31_next + B11)*W12 + 1)*(C + B) + & + ((B11_next + B11)*inv5 + 1)*((B31_next + B31)*W13 + 1)*(C + B) + & + (B + 1)*(B + X)*C + & + (B12_next + B12)*(B12_next + B32)* + ( + (B32_next + B12)*(B32_next + B32)*STATE + & + C*(STATE + 1)* + ( + ((B32_next + B12)*W23 + 1) + & + ((B32_next + B32)*W31 + 1) + ) + ) + & + (B32_next + B12)*(B32_next + B32)* + ( + C*(STATE + 1)* + ( + ((B12_next + B12)*W21 + 1) + & + ((B12_next + B32)*W22 + 1) + ) + ) + & + ((B12_next + B32)*W22 + 1)*((B32_next + B12)*W23 + 1)*(STATE + C) + & + ((B12_next + B12)*W21 + 1)*((B32_next + B32)*W31 + 1)*(STATE + C) + & + (C + 1)*(C + X)*STATE + & + (B13_next + B13)*(B13_next + B33)* + ( + (B33_next + B13)*(B33_next + B33)*RC_next + & + STATE*(RC_next + 1)* + ( + ((B33_next + B13)*W41 + 1) + & + ((B33_next + B33)*W42 + 1) + ) + ) + & + (B33_next + B13)*(B33_next + B33)* + ( + STATE*(RC_next + 1)* + ( + ((B13_next + B13)*W32 + 1) + & + ((B13_next + B33)*W33 + 1) + ) + ) + & + ((B13_next + B33)*W33 + 1)*((B33_next + B13)*W41 + 1)*(RC_next + STATE) + & + ((B13_next + B13)*W32 + 1)*((B33_next + B33)*W42 + 1)*(RC_next + STATE) + & + (STATE + 1)*(STATE + X)*RC_next + & + (B14_next + B14)*(B14_next + B34)* + ( + (B34_next + B14)*(B34_next + B34)*PartialMATCH_next + & + RC_next*(PartialMATCH_next + 1)* + ( + ((B34_next + B14)*W52 + 1) + & + ((B34_next + B34)*W53 + 1) + ) + ) + & + (B34_next + B14)*(B34_next + B34)* + ( + RC_next*(PartialMATCH_next + 1)* + ( + ((B14_next + B14)*W43 + 1) + & + ((B14_next + B34)*W51 + 1) + ) + ) + & + ((B14_next + B34)*W51 + 1)*((B34_next + B14)*W52 + 1)*(PartialMATCH_next + RC_next) + & + ((B14_next + B14)*W43 + 1)*((B34_next + B34)*W53 + 1)*(PartialMATCH_next + RC_next) + & + (RC_next + 1)*(RC_next + X)*PartialMATCH_next +) ++ +ST3*(ST2 + 1+X)* +( + (PHASE_next + 1) + & + (STATE_next + 1) + & + FLAG1_next + & + FLAG2_next + & + ( + isSecondPhaseComparingLOCI* + ( + isSecondPhaseComparingLOCI_next + & + PartialMATCH_next*(PartialMATCH_next + 1)*(MATCH_next + X) + & + MATCH*(MATCH + 1)*(MATCH_next + X) + & + PartialMATCH_next*(PartialMATCH_next + X)*(MATCH + X)*(MATCH_next + 1) + & + (PartialMATCH_next + 1)*(PartialMATCH_next + X)*(MATCH + 1)*(MATCH + X)*MATCH_next + ) + + (isSecondPhaseComparingLOCI + 1)* + ( + (isSecondPhaseComparingLOCI_next +1) + & + (MATCH_next + MATCH) + & + (PartialMATCH_next + PartialMATCH) + ) + ) + & + (B00_next + B00) + & + (B01_next + B01) + & + (B02_next + B02) + & + (B03_next + B03) + & + (B04_next + B04) + & + (B10_next + B10) + & + (B11_next + B11) + & + (B12_next + B12) + & + (B13_next + B13) + & + (B14_next + B14) + & + (B20_next + B20) + & + (B21_next + B21) + & + (B22_next + B22) + & + (B23_next + B23) + & + (B24_next + B24) + & + (B30_next + B30) + & + (B31_next + B31) + & + (B32_next + B32) + & + (B33_next + B33) + & + (B34_next + B34) + & + (A_next + B00 + + X * (B10 + + X * (B20 + + X * (B30 + + X * (B01 + + X * (B11 + + X * (B21 + + X * (B31 + ))))))) + ) + & + (B_next + B02 + + X * (B12 + + X * (B22 + + X * (B32 + + X * (B03 + + X * (B13 + + X * (B23 + + X * (B33 + ))))))) + ) + & + (C_next + B04 + + X * (B14 + + X * (B24 + + X * (B34 + ))) + ) + & + ((K + 1)*STATE + 1)* //store Li at start for all the next cycles + ( + (L1 + A_next) + & + (L2 + B_next) + & + (L3 + C_next) + & + (L4 + K00 + + X * (K10 + + X * (K20 + + X * (K30 + + X * (K01 + + X * (K11 + + X * (K21 + + X * (K31 + )))))))) + & + (L5 + K02 + + X * (K12 + + X * (K22 + + X * (K32 + + X * (K03 + + X * (K13 + + X * (K23 + + X * (K33 + )))))))) + & + (L6 + K04 + + X * (K14 + + X * (K24 + + X * (K34 + )))) + ) +) +) diff --git a/starkdpm/main.cpp b/starkdpm/main.cpp index 6fc527f..9f7085d 100644 --- a/starkdpm/main.cpp +++ b/starkdpm/main.cpp @@ -1,121 +1,56 @@ #include -#include #include -#include #include -#include "LOCI_AES160hashchain.hpp" +#include "AES160hashcLOCI.hpp" using namespace stark_dpm; -using namespace stark_dpm::ACSP_FOR_AES160LOCIhashchain; +using namespace stark_dpm::ACSP_FOR_AES160hashcLOCI; using std::cout; using std::endl; using std::string; using std::stoul; -using AES160LOCIhashchain::dpmpair_t; -using AES160LOCIhashchain::fingerprint_t; -using AES160LOCIhashchain::database_t; const string securityPrefix = "-s"; - -void printHelp(const string exeName){ - cout<<"Usage:"<"< [" + securityPrefix + "]"<"<> hashC; - std::vector Result = AES160LOCIhashchain::genHashchain(hashC, db); - AES160LOCIhashchain::evalp::setParams(Result, Algebra::power(xFE(), params.length), fprint); - libstark::BairWitness bair_witness = buildBairWitness(params, hashC, fprint); - - libstark::Protocols::executeProtocol(bair_instance, bair_witness,securityParameter,false,false,true); -} - -dpmpair_t readPair(const string pairStr){ - std::regex regex{R"([.]+)"}; // split on period - std::sregex_token_iterator it{pairStr.begin(), pairStr.end(), regex, -1}; - std::vector words{it, {}}; - - if(words.size() != 2){ - cout<<"Each pair must contain 2 elements"<> hashC; + std::vector Result = AES160hashcLOCI::genHashchain(hashC, params.length, params.seed); + AES160hashcLOCI::evalp::setParams(Result, Algebra::power(xFE(), 1 + params.length), params.seed); + libstark::BairWitness bair_witness = buildBairWitness(params, hashC); - return res; + libstark::Protocols::executeProtocol(bair_instance, bair_witness,securityParameter,false,false,true); } -fingerprint_t readEntry(const string line){ - std::regex regex{R"([\s]+)"}; // split on space - std::sregex_token_iterator it{line.begin(), line.end(), regex, -1}; - std::vector words{it, {}}; - - if(words.size() != 20){ - cout<<"Each line must contain 20 pairs"<= 2) { + length = std::stoll(argv[1]); } - return fprint; -} - -database_t readDatabaseFromFile(const string filename){ - std::ifstream ifs(filename); - std::string content((std::istreambuf_iterator(ifs)),std::istreambuf_iterator()); - - std::regex regex{R"([\n]+)"}; // split to lines - std::sregex_token_iterator it{content.begin(), content.end(), regex, -1}; - std::vector lines{it, {}}; - - database_t db(lines.size()); - - for(unsigned int i=0; i= 3) { + seed = std::stoi(argv[2]); } - - return db; -} - -int main(int argc, char *argv[]) { - if(argc < 3){ - printHelp(argv[0]); - return 0; + if (argc >= 4) { + const std::string inp(argv[3]); + const std::string verOnly("verifier_only"); + measureVerifierOnly = !verOnly.compare(inp); } - database_t db = readDatabaseFromFile(argv[1]); - fingerprint_t fprint; - { - database_t tmp = readDatabaseFromFile(argv[2]); - if(tmp.size() <1){ - cout<<"bad format of fingerprint file, at least one fingerprint expected"<= 0): + if(s[i] == '(') : counter+=1 + if(s[i] == ')') : counter-=1 + i+=1 + return s[:i-1] + +def str_cartesizn_prod(l1,l2): + lres = [] + for s1 in l1: + if len(s1) == 0 or s1[-1] == '*' or s1[-1] == "+": + for s2 in l2: + lres += [s1+"("+s2+")"] + else: + lres += [s1] + return lres + +def parse_constraints(constraints_str): + res = [""] + i = 0 + while (i < len(constraints_str)): + + if (constraints_str[i] == '(') : + clauses_content = get_clauses_content(constraints_str[i+1:]) + i+= 1+len(clauses_content) + clauses_res = parse_constraints(clauses_content) + res = str_cartesizn_prod(res,clauses_res) + + elif (constraints_str[i] == '&'): + res += [""] + + else: + res[-1] += constraints_str[i] + + i+=1 + + return res + + +def get_polys_from_constraints(constraints_str): + return parse_constraints(constraints_str.replace('\n','').replace(' ','')) + +def get_poly_degree_bound_cpp(poly_str): + poly_str_fixed = poly_str.replace("X^minus1","xxdeg") + + poly_str_fixed = poly_str_fixed.replace("converted","") + poly_str_fixed = poly_str_fixed.replace("X^10","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^11","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^12","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^13","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^14","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^15","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^16","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^17","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^18","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^19","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^20","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^21","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^22","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^23","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^24","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^25","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^26","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^27","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^28","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^29","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^30","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^31","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^32","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^33","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^34","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^35","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^36","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^37","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^38","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^39","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^40","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^41","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^42","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^43","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^44","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^45","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^46","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^47","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^48","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^2","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^3","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^4","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^5","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^6","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^7","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^8","xxdeg") + poly_str_fixed = poly_str_fixed.replace("X^9","xxdeg") + #poly_str_fixed = re.compile("(?& inputDegrees)const{ + + //std::vector inputDegrees(inputDegrees_.size(), PolynomialDegree(1)); + + struct ttdeg{ + long long deg_; + ttdeg(const PolynomialDegree& d):deg_(PolynomialDegree::integral_t(d)){}; + ttdeg(const long long& d):deg_(d){}; + + ttdeg operator*(const ttdeg& d)const{ + return degreeOfProduct(PolynomialDegree(deg_),PolynomialDegree(d.deg_)); + } + + ttdeg operator+(const ttdeg& d)const{ + return std::max(deg_,d.deg_); + } + }; + + const ttdeg K00 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K00]); + const ttdeg K01 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K01]); + const ttdeg K02 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K02]); + const ttdeg K03 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K03]); + const ttdeg K04 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K04]); + const ttdeg K10 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K10]); + const ttdeg K11 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K11]); + const ttdeg K12 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K12]); + const ttdeg K13 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K13]); + const ttdeg K14 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K14]); + const ttdeg K20 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K20]); + const ttdeg K21 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K21]); + const ttdeg K22 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K22]); + const ttdeg K23 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K23]); + const ttdeg K24 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K24]); + const ttdeg K30 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K30]); + const ttdeg K31 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K31]); + const ttdeg K32 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K32]); + const ttdeg K33 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K33]); + const ttdeg K34 = ttdeg(inputDegrees[AES160hashcLOCI::reg::K34]); + + const ttdeg B00 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B00]); + const ttdeg B01 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B01]); + const ttdeg B02 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B02]); + const ttdeg B03 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B03]); + const ttdeg B04 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B04]); + const ttdeg B10 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B10]); + const ttdeg B11 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B11]); + const ttdeg B12 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B12]); + const ttdeg B13 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B13]); + const ttdeg B14 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B14]); + const ttdeg B20 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B20]); + const ttdeg B21 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B21]); + const ttdeg B22 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B22]); + const ttdeg B23 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B23]); + const ttdeg B24 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B24]); + const ttdeg B30 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B30]); + const ttdeg B31 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B31]); + const ttdeg B32 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B32]); + const ttdeg B33 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B33]); + const ttdeg B34 = ttdeg(inputDegrees[AES160hashcLOCI::reg::B34]); + + const ttdeg W11 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W11]); + const ttdeg W12 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W12]); + const ttdeg W13 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W13]); + const ttdeg W21 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W21]); + const ttdeg W22 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W22]); + const ttdeg W23 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W23]); + const ttdeg W31 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W31]); + const ttdeg W32 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W32]); + const ttdeg W33 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W33]); + const ttdeg W41 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W41]); + const ttdeg W42 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W42]); + const ttdeg W43 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W43]); + const ttdeg W51 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W51]); + const ttdeg W52 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W52]); + const ttdeg W53 = ttdeg(inputDegrees[AES160hashcLOCI::reg::W53]); + + const ttdeg inv1 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv1]); + const ttdeg inv2 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv2]); + const ttdeg inv3 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv3]); + const ttdeg inv4 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv4]); + const ttdeg inv5 = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv5]); + + const ttdeg STATE = ttdeg(inputDegrees[AES160hashcLOCI::reg::STATE]); + const ttdeg PHASE = ttdeg(inputDegrees[AES160hashcLOCI::reg::PHASE]); + const ttdeg MATCH = ttdeg(inputDegrees[AES160hashcLOCI::reg::MATCH]); + const ttdeg ST2 = ttdeg(inputDegrees[AES160hashcLOCI::reg::ST2]); + const ttdeg ST3 = ttdeg(inputDegrees[AES160hashcLOCI::reg::ST3]); + const ttdeg L1 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L1]); + const ttdeg L2 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L2]); + const ttdeg L3 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L3]); + const ttdeg L4 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L4]); + const ttdeg L5 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L5]); + const ttdeg L6 = ttdeg(inputDegrees[AES160hashcLOCI::reg::L6]); + const ttdeg PartialMATCH = ttdeg(inputDegrees[AES160hashcLOCI::reg::PartialMATCH]); + const ttdeg isSecondPhaseComparingLOCI = ttdeg(inputDegrees[AES160hashcLOCI::reg::isSecondPhaseComparingLOCI]); + const ttdeg FLAG1 = ttdeg(inputDegrees[AES160hashcLOCI::reg::FLAG1]); + const ttdeg FLAG2 = ttdeg(inputDegrees[AES160hashcLOCI::reg::FLAG2]); + const ttdeg RC = ttdeg(inputDegrees[AES160hashcLOCI::reg::RC]); + const ttdeg A = ttdeg(inputDegrees[AES160hashcLOCI::reg::A]); + const ttdeg B = ttdeg(inputDegrees[AES160hashcLOCI::reg::B]); + const ttdeg C = ttdeg(inputDegrees[AES160hashcLOCI::reg::C]); + const ttdeg K = ttdeg(inputDegrees[AES160hashcLOCI::reg::K]); + const ttdeg invRC = ttdeg(inputDegrees[AES160hashcLOCI::reg::invRC]); + + const ttdeg K00_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K00 + AES160hashcLOCI::NUMREGS]); + const ttdeg K01_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K01 + AES160hashcLOCI::NUMREGS]); + const ttdeg K02_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K02 + AES160hashcLOCI::NUMREGS]); + const ttdeg K03_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K03 + AES160hashcLOCI::NUMREGS]); + const ttdeg K04_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K04 + AES160hashcLOCI::NUMREGS]); + const ttdeg K10_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K10 + AES160hashcLOCI::NUMREGS]); + const ttdeg K11_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K11 + AES160hashcLOCI::NUMREGS]); + const ttdeg K12_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K12 + AES160hashcLOCI::NUMREGS]); + const ttdeg K13_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K13 + AES160hashcLOCI::NUMREGS]); + const ttdeg K14_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K14 + AES160hashcLOCI::NUMREGS]); + const ttdeg K20_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K20 + AES160hashcLOCI::NUMREGS]); + const ttdeg K21_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K21 + AES160hashcLOCI::NUMREGS]); + const ttdeg K22_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K22 + AES160hashcLOCI::NUMREGS]); + const ttdeg K23_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K23 + AES160hashcLOCI::NUMREGS]); + const ttdeg K24_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K24 + AES160hashcLOCI::NUMREGS]); + const ttdeg K30_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K30 + AES160hashcLOCI::NUMREGS]); + const ttdeg K31_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K31 + AES160hashcLOCI::NUMREGS]); + const ttdeg K32_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K32 + AES160hashcLOCI::NUMREGS]); + const ttdeg K33_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K33 + AES160hashcLOCI::NUMREGS]); + const ttdeg K34_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K34 + AES160hashcLOCI::NUMREGS]); + + const ttdeg B00_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B00 + AES160hashcLOCI::NUMREGS]); + const ttdeg B01_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B01 + AES160hashcLOCI::NUMREGS]); + const ttdeg B02_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B02 + AES160hashcLOCI::NUMREGS]); + const ttdeg B03_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B03 + AES160hashcLOCI::NUMREGS]); + const ttdeg B04_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B04 + AES160hashcLOCI::NUMREGS]); + const ttdeg B10_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B10 + AES160hashcLOCI::NUMREGS]); + const ttdeg B11_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B11 + AES160hashcLOCI::NUMREGS]); + const ttdeg B12_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B12 + AES160hashcLOCI::NUMREGS]); + const ttdeg B13_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B13 + AES160hashcLOCI::NUMREGS]); + const ttdeg B14_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B14 + AES160hashcLOCI::NUMREGS]); + const ttdeg B20_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B20 + AES160hashcLOCI::NUMREGS]); + const ttdeg B21_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B21 + AES160hashcLOCI::NUMREGS]); + const ttdeg B22_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B22 + AES160hashcLOCI::NUMREGS]); + const ttdeg B23_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B23 + AES160hashcLOCI::NUMREGS]); + const ttdeg B24_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B24 + AES160hashcLOCI::NUMREGS]); + const ttdeg B30_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B30 + AES160hashcLOCI::NUMREGS]); + const ttdeg B31_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B31 + AES160hashcLOCI::NUMREGS]); + const ttdeg B32_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B32 + AES160hashcLOCI::NUMREGS]); + const ttdeg B33_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B33 + AES160hashcLOCI::NUMREGS]); + const ttdeg B34_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B34 + AES160hashcLOCI::NUMREGS]); + + const ttdeg W11_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W11 + AES160hashcLOCI::NUMREGS]); + const ttdeg W12_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W12 + AES160hashcLOCI::NUMREGS]); + const ttdeg W13_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W13 + AES160hashcLOCI::NUMREGS]); + const ttdeg W21_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W21 + AES160hashcLOCI::NUMREGS]); + const ttdeg W22_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W22 + AES160hashcLOCI::NUMREGS]); + const ttdeg W23_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W23 + AES160hashcLOCI::NUMREGS]); + const ttdeg W31_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W31 + AES160hashcLOCI::NUMREGS]); + const ttdeg W32_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W32 + AES160hashcLOCI::NUMREGS]); + const ttdeg W33_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W33 + AES160hashcLOCI::NUMREGS]); + const ttdeg W41_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W41 + AES160hashcLOCI::NUMREGS]); + const ttdeg W42_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W42 + AES160hashcLOCI::NUMREGS]); + const ttdeg W43_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W43 + AES160hashcLOCI::NUMREGS]); + const ttdeg W51_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W51 + AES160hashcLOCI::NUMREGS]); + const ttdeg W52_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W52 + AES160hashcLOCI::NUMREGS]); + const ttdeg W53_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::W53 + AES160hashcLOCI::NUMREGS]); + + const ttdeg inv1_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv1 + AES160hashcLOCI::NUMREGS]); + const ttdeg inv2_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv2 + AES160hashcLOCI::NUMREGS]); + const ttdeg inv3_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv3 + AES160hashcLOCI::NUMREGS]); + const ttdeg inv4_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv4 + AES160hashcLOCI::NUMREGS]); + const ttdeg inv5_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::inv5 + AES160hashcLOCI::NUMREGS]); + + const ttdeg STATE_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::STATE + AES160hashcLOCI::NUMREGS]); + const ttdeg PHASE_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::PHASE + AES160hashcLOCI::NUMREGS]); + const ttdeg MATCH_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::MATCH + AES160hashcLOCI::NUMREGS]); + const ttdeg ST2_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::ST2 + AES160hashcLOCI::NUMREGS]); + const ttdeg ST3_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::ST3 + AES160hashcLOCI::NUMREGS]); + const ttdeg L1_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L1 + AES160hashcLOCI::NUMREGS]); + const ttdeg L2_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L2 + AES160hashcLOCI::NUMREGS]); + const ttdeg L3_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L3 + AES160hashcLOCI::NUMREGS]); + const ttdeg L4_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L4 + AES160hashcLOCI::NUMREGS]); + const ttdeg L5_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L5 + AES160hashcLOCI::NUMREGS]); + const ttdeg L6_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::L6 + AES160hashcLOCI::NUMREGS]); + const ttdeg PartialMATCH_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::PartialMATCH + AES160hashcLOCI::NUMREGS]); + const ttdeg isSecondPhaseComparingLOCI_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::isSecondPhaseComparingLOCI + AES160hashcLOCI::NUMREGS]); + const ttdeg FLAG1_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::FLAG1 + AES160hashcLOCI::NUMREGS]); + const ttdeg FLAG2_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::FLAG2 + AES160hashcLOCI::NUMREGS]); + const ttdeg RC_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::RC + AES160hashcLOCI::NUMREGS]); + const ttdeg A_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::A + AES160hashcLOCI::NUMREGS]); + const ttdeg B_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::B + AES160hashcLOCI::NUMREGS]); + const ttdeg C_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::C + AES160hashcLOCI::NUMREGS]); + const ttdeg K_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::K + AES160hashcLOCI::NUMREGS]); + const ttdeg invRC_next = ttdeg(inputDegrees[AES160hashcLOCI::reg::invRC + AES160hashcLOCI::NUMREGS]); + + const ttdeg resTmp = """ + poly_str_fixed + """; + //std::cout << "TMP!!degreeBound()=" << resTmp.deg_ << std::endl; + return PolynomialDegree(resTmp.deg_); + } + """ + + return res_cpp + +def poly_to_cpp_is_used_var(poly_str): + + poly_str_fixed = re.compile("randomElements.vals\[\d*\]\*").sub("",poly_str) + poly_str_fixed = poly_str_fixed.replace("X^minus1","") + poly_str_fixed = poly_str_fixed.replace("alpha_inv_lsb","") + poly_str_fixed = poly_str_fixed.replace("X^10","") + poly_str_fixed = poly_str_fixed.replace("X^11","") + poly_str_fixed = poly_str_fixed.replace("X^12","") + poly_str_fixed = poly_str_fixed.replace("X^13","") + poly_str_fixed = poly_str_fixed.replace("X^14","") + poly_str_fixed = poly_str_fixed.replace("X^15","") + poly_str_fixed = poly_str_fixed.replace("X^16","") + poly_str_fixed = poly_str_fixed.replace("X^17","") + poly_str_fixed = poly_str_fixed.replace("X^18","") + poly_str_fixed = poly_str_fixed.replace("X^19","") + poly_str_fixed = poly_str_fixed.replace("X^20","") + poly_str_fixed = poly_str_fixed.replace("X^21","") + poly_str_fixed = poly_str_fixed.replace("X^22","") + poly_str_fixed = poly_str_fixed.replace("X^23","") + poly_str_fixed = poly_str_fixed.replace("X^24","") + poly_str_fixed = poly_str_fixed.replace("X^25","") + poly_str_fixed = poly_str_fixed.replace("X^26","") + poly_str_fixed = poly_str_fixed.replace("X^27","") + poly_str_fixed = poly_str_fixed.replace("X^28","") + poly_str_fixed = poly_str_fixed.replace("X^29","") + poly_str_fixed = poly_str_fixed.replace("X^30","") + poly_str_fixed = poly_str_fixed.replace("X^31","") + poly_str_fixed = poly_str_fixed.replace("X^32","") + poly_str_fixed = poly_str_fixed.replace("X^33","") + poly_str_fixed = poly_str_fixed.replace("X^34","") + poly_str_fixed = poly_str_fixed.replace("X^35","") + poly_str_fixed = poly_str_fixed.replace("X^36","") + poly_str_fixed = poly_str_fixed.replace("X^37","") + poly_str_fixed = poly_str_fixed.replace("X^38","") + poly_str_fixed = poly_str_fixed.replace("X^39","") + poly_str_fixed = poly_str_fixed.replace("X^40","") + poly_str_fixed = poly_str_fixed.replace("X^41","") + poly_str_fixed = poly_str_fixed.replace("X^42","") + poly_str_fixed = poly_str_fixed.replace("X^43","") + poly_str_fixed = poly_str_fixed.replace("X^44","") + poly_str_fixed = poly_str_fixed.replace("X^45","") + poly_str_fixed = poly_str_fixed.replace("X^46","") + poly_str_fixed = poly_str_fixed.replace("X^47","") + poly_str_fixed = poly_str_fixed.replace("X^48","") + poly_str_fixed = poly_str_fixed.replace("X^2","") + poly_str_fixed = poly_str_fixed.replace("X^3","") + poly_str_fixed = poly_str_fixed.replace("X^4","") + poly_str_fixed = poly_str_fixed.replace("X^5","") + poly_str_fixed = poly_str_fixed.replace("X^6","") + poly_str_fixed = poly_str_fixed.replace("X^7","") + poly_str_fixed = poly_str_fixed.replace("X^8","") + poly_str_fixed = poly_str_fixed.replace("X^9","") + + #poly_str_fixed = poly_str_fixed.replace("X","") + #poly_str_fixed = re.compile("(?]", poly_str_fixed) + poly_str_fixed = re.sub("polyFromMatrix_(\d{1,2})", "polyFromMatrix[\g<1>]", poly_str_fixed) + poly_str_fixed = re.sub("Transformator_(\d{1,2})", "Transformator[\g<1>]", poly_str_fixed) + poly_str_fixed = re.sub("ROOT_HASH_1(\d{1,2})", "RootHash[1\g<1>]", poly_str_fixed) + poly_str_fixed = re.sub("ROOT_HASH_0(\d{1,2})", "RootHash[\g<1>]", poly_str_fixed) + poly_str_fixed = re.sub("MixColMat_(\d{1,2})_(\d{1,2})", "MixColMat[\g<1>][\g<2>]", poly_str_fixed) + poly_str_fixed = re.sub("values_0(\d{1,2})_(\d{1,2})", "values[\g<1>][\g<2>]", poly_str_fixed) + poly_str_fixed = re.sub("values_1(\d{1,2})_(\d{1,2})", "values[1\g<1>][\g<2>]", poly_str_fixed) + + + poly_str_fixed = re.compile("(?& x, const std::vector RootHash, + const FieldElement values[][2], FieldElement last_pow)const{ + + const FieldElement& K00 = x[AES160hashcLOCI::reg::K00]; + const FieldElement& K01 = x[AES160hashcLOCI::reg::K01]; + const FieldElement& K02 = x[AES160hashcLOCI::reg::K02]; + const FieldElement& K03 = x[AES160hashcLOCI::reg::K03]; + const FieldElement& K04 = x[AES160hashcLOCI::reg::K04]; + const FieldElement& K10 = x[AES160hashcLOCI::reg::K10]; + const FieldElement& K11 = x[AES160hashcLOCI::reg::K11]; + const FieldElement& K12 = x[AES160hashcLOCI::reg::K12]; + const FieldElement& K13 = x[AES160hashcLOCI::reg::K13]; + const FieldElement& K14 = x[AES160hashcLOCI::reg::K14]; + const FieldElement& K20 = x[AES160hashcLOCI::reg::K20]; + const FieldElement& K21 = x[AES160hashcLOCI::reg::K21]; + const FieldElement& K22 = x[AES160hashcLOCI::reg::K22]; + const FieldElement& K23 = x[AES160hashcLOCI::reg::K23]; + const FieldElement& K24 = x[AES160hashcLOCI::reg::K24]; + const FieldElement& K30 = x[AES160hashcLOCI::reg::K30]; + const FieldElement& K31 = x[AES160hashcLOCI::reg::K31]; + const FieldElement& K32 = x[AES160hashcLOCI::reg::K32]; + const FieldElement& K33 = x[AES160hashcLOCI::reg::K33]; + const FieldElement& K34 = x[AES160hashcLOCI::reg::K34]; + + const FieldElement& B00 = x[AES160hashcLOCI::reg::B00]; + const FieldElement& B01 = x[AES160hashcLOCI::reg::B01]; + const FieldElement& B02 = x[AES160hashcLOCI::reg::B02]; + const FieldElement& B03 = x[AES160hashcLOCI::reg::B03]; + const FieldElement& B04 = x[AES160hashcLOCI::reg::B04]; + const FieldElement& B10 = x[AES160hashcLOCI::reg::B10]; + const FieldElement& B11 = x[AES160hashcLOCI::reg::B11]; + const FieldElement& B12 = x[AES160hashcLOCI::reg::B12]; + const FieldElement& B13 = x[AES160hashcLOCI::reg::B13]; + const FieldElement& B14 = x[AES160hashcLOCI::reg::B14]; + const FieldElement& B20 = x[AES160hashcLOCI::reg::B20]; + const FieldElement& B21 = x[AES160hashcLOCI::reg::B21]; + const FieldElement& B22 = x[AES160hashcLOCI::reg::B22]; + const FieldElement& B23 = x[AES160hashcLOCI::reg::B23]; + const FieldElement& B24 = x[AES160hashcLOCI::reg::B24]; + const FieldElement& B30 = x[AES160hashcLOCI::reg::B30]; + const FieldElement& B31 = x[AES160hashcLOCI::reg::B31]; + const FieldElement& B32 = x[AES160hashcLOCI::reg::B32]; + const FieldElement& B33 = x[AES160hashcLOCI::reg::B33]; + const FieldElement& B34 = x[AES160hashcLOCI::reg::B34]; + + const FieldElement& W11 = x[AES160hashcLOCI::reg::W11]; + const FieldElement& W12 = x[AES160hashcLOCI::reg::W12]; + const FieldElement& W13 = x[AES160hashcLOCI::reg::W13]; + const FieldElement& W21 = x[AES160hashcLOCI::reg::W21]; + const FieldElement& W22 = x[AES160hashcLOCI::reg::W22]; + const FieldElement& W23 = x[AES160hashcLOCI::reg::W23]; + const FieldElement& W31 = x[AES160hashcLOCI::reg::W31]; + const FieldElement& W32 = x[AES160hashcLOCI::reg::W32]; + const FieldElement& W33 = x[AES160hashcLOCI::reg::W33]; + const FieldElement& W41 = x[AES160hashcLOCI::reg::W41]; + const FieldElement& W42 = x[AES160hashcLOCI::reg::W42]; + const FieldElement& W43 = x[AES160hashcLOCI::reg::W43]; + const FieldElement& W51 = x[AES160hashcLOCI::reg::W51]; + const FieldElement& W52 = x[AES160hashcLOCI::reg::W52]; + const FieldElement& W53 = x[AES160hashcLOCI::reg::W53]; + + const FieldElement& inv1 = x[AES160hashcLOCI::reg::inv1]; + const FieldElement& inv2 = x[AES160hashcLOCI::reg::inv2]; + const FieldElement& inv3 = x[AES160hashcLOCI::reg::inv3]; + const FieldElement& inv4 = x[AES160hashcLOCI::reg::inv4]; + const FieldElement& inv5 = x[AES160hashcLOCI::reg::inv5]; + + const FieldElement& STATE = x[AES160hashcLOCI::reg::STATE]; + const FieldElement& PHASE = x[AES160hashcLOCI::reg::PHASE]; + const FieldElement& MATCH = x[AES160hashcLOCI::reg::MATCH]; + const FieldElement& ST2 = x[AES160hashcLOCI::reg::ST2]; + const FieldElement& ST3 = x[AES160hashcLOCI::reg::ST3]; + const FieldElement& L1 = x[AES160hashcLOCI::reg::L1]; + const FieldElement& L2 = x[AES160hashcLOCI::reg::L2]; + const FieldElement& L3 = x[AES160hashcLOCI::reg::L3]; + const FieldElement& L4 = x[AES160hashcLOCI::reg::L4]; + const FieldElement& L5 = x[AES160hashcLOCI::reg::L5]; + const FieldElement& L6 = x[AES160hashcLOCI::reg::L6]; + const FieldElement& PartialMATCH = x[AES160hashcLOCI::reg::PartialMATCH]; + const FieldElement& isSecondPhaseComparingLOCI = x[AES160hashcLOCI::reg::isSecondPhaseComparingLOCI]; + const FieldElement& FLAG1 = x[AES160hashcLOCI::reg::FLAG1]; + const FieldElement& FLAG2 = x[AES160hashcLOCI::reg::FLAG2]; + const FieldElement& RC = x[AES160hashcLOCI::reg::RC]; + const FieldElement& A = x[AES160hashcLOCI::reg::A]; + const FieldElement& B = x[AES160hashcLOCI::reg::B]; + const FieldElement& C = x[AES160hashcLOCI::reg::C]; + const FieldElement& K = x[AES160hashcLOCI::reg::K]; + const FieldElement& invRC = x[AES160hashcLOCI::reg::invRC]; + + const FieldElement& K00_next = x[AES160hashcLOCI::reg::K00 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K01_next = x[AES160hashcLOCI::reg::K01 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K02_next = x[AES160hashcLOCI::reg::K02 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K03_next = x[AES160hashcLOCI::reg::K03 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K04_next = x[AES160hashcLOCI::reg::K04 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K10_next = x[AES160hashcLOCI::reg::K10 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K11_next = x[AES160hashcLOCI::reg::K11 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K12_next = x[AES160hashcLOCI::reg::K12 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K13_next = x[AES160hashcLOCI::reg::K13 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K14_next = x[AES160hashcLOCI::reg::K14 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K20_next = x[AES160hashcLOCI::reg::K20 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K21_next = x[AES160hashcLOCI::reg::K21 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K22_next = x[AES160hashcLOCI::reg::K22 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K23_next = x[AES160hashcLOCI::reg::K23 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K24_next = x[AES160hashcLOCI::reg::K24 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K30_next = x[AES160hashcLOCI::reg::K30 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K31_next = x[AES160hashcLOCI::reg::K31 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K32_next = x[AES160hashcLOCI::reg::K32 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K33_next = x[AES160hashcLOCI::reg::K33 + AES160hashcLOCI::NUMREGS]; + const FieldElement& K34_next = x[AES160hashcLOCI::reg::K34 + AES160hashcLOCI::NUMREGS]; + + const FieldElement& B00_next = x[AES160hashcLOCI::reg::B00 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B01_next = x[AES160hashcLOCI::reg::B01 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B02_next = x[AES160hashcLOCI::reg::B02 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B03_next = x[AES160hashcLOCI::reg::B03 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B04_next = x[AES160hashcLOCI::reg::B04 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B10_next = x[AES160hashcLOCI::reg::B10 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B11_next = x[AES160hashcLOCI::reg::B11 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B12_next = x[AES160hashcLOCI::reg::B12 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B13_next = x[AES160hashcLOCI::reg::B13 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B14_next = x[AES160hashcLOCI::reg::B14 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B20_next = x[AES160hashcLOCI::reg::B20 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B21_next = x[AES160hashcLOCI::reg::B21 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B22_next = x[AES160hashcLOCI::reg::B22 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B23_next = x[AES160hashcLOCI::reg::B23 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B24_next = x[AES160hashcLOCI::reg::B24 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B30_next = x[AES160hashcLOCI::reg::B30 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B31_next = x[AES160hashcLOCI::reg::B31 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B32_next = x[AES160hashcLOCI::reg::B32 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B33_next = x[AES160hashcLOCI::reg::B33 + AES160hashcLOCI::NUMREGS]; + const FieldElement& B34_next = x[AES160hashcLOCI::reg::B34 + AES160hashcLOCI::NUMREGS]; + + const FieldElement& W11_next = x[AES160hashcLOCI::reg::W11 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W12_next = x[AES160hashcLOCI::reg::W12 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W13_next = x[AES160hashcLOCI::reg::W13 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W21_next = x[AES160hashcLOCI::reg::W21 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W22_next = x[AES160hashcLOCI::reg::W22 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W23_next = x[AES160hashcLOCI::reg::W23 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W31_next = x[AES160hashcLOCI::reg::W31 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W32_next = x[AES160hashcLOCI::reg::W32 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W33_next = x[AES160hashcLOCI::reg::W33 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W41_next = x[AES160hashcLOCI::reg::W41 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W42_next = x[AES160hashcLOCI::reg::W42 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W43_next = x[AES160hashcLOCI::reg::W43 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W51_next = x[AES160hashcLOCI::reg::W51 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W52_next = x[AES160hashcLOCI::reg::W52 + AES160hashcLOCI::NUMREGS]; + const FieldElement& W53_next = x[AES160hashcLOCI::reg::W53 + AES160hashcLOCI::NUMREGS]; + + const FieldElement& inv1_next = x[AES160hashcLOCI::reg::inv1 + AES160hashcLOCI::NUMREGS]; + const FieldElement& inv2_next = x[AES160hashcLOCI::reg::inv2 + AES160hashcLOCI::NUMREGS]; + const FieldElement& inv3_next = x[AES160hashcLOCI::reg::inv3 + AES160hashcLOCI::NUMREGS]; + const FieldElement& inv4_next = x[AES160hashcLOCI::reg::inv4 + AES160hashcLOCI::NUMREGS]; + const FieldElement& inv5_next = x[AES160hashcLOCI::reg::inv5 + AES160hashcLOCI::NUMREGS]; + + const FieldElement& STATE_next = x[AES160hashcLOCI::reg::STATE + AES160hashcLOCI::NUMREGS]; + const FieldElement& PHASE_next = x[AES160hashcLOCI::reg::PHASE + AES160hashcLOCI::NUMREGS]; + const FieldElement& MATCH_next = x[AES160hashcLOCI::reg::MATCH + AES160hashcLOCI::NUMREGS]; + const FieldElement& ST2_next = x[AES160hashcLOCI::reg::ST2 + AES160hashcLOCI::NUMREGS]; + const FieldElement& ST3_next = x[AES160hashcLOCI::reg::ST3 + AES160hashcLOCI::NUMREGS]; + const FieldElement& L1_next = x[AES160hashcLOCI::reg::L1 + AES160hashcLOCI::NUMREGS]; + const FieldElement& L2_next = x[AES160hashcLOCI::reg::L2 + AES160hashcLOCI::NUMREGS]; + const FieldElement& L3_next = x[AES160hashcLOCI::reg::L3 + AES160hashcLOCI::NUMREGS]; + const FieldElement& L4_next = x[AES160hashcLOCI::reg::L4 + AES160hashcLOCI::NUMREGS]; + const FieldElement& L5_next = x[AES160hashcLOCI::reg::L5 + AES160hashcLOCI::NUMREGS]; + const FieldElement& L6_next = x[AES160hashcLOCI::reg::L6 + AES160hashcLOCI::NUMREGS]; + const FieldElement& PartialMATCH_next = x[AES160hashcLOCI::reg::PartialMATCH + AES160hashcLOCI::NUMREGS]; + const FieldElement& isSecondPhaseComparingLOCI_next = x[AES160hashcLOCI::reg::isSecondPhaseComparingLOCI + AES160hashcLOCI::NUMREGS]; + const FieldElement& FLAG1_next = x[AES160hashcLOCI::reg::FLAG1 + AES160hashcLOCI::NUMREGS]; + const FieldElement& FLAG2_next = x[AES160hashcLOCI::reg::FLAG2 + AES160hashcLOCI::NUMREGS]; + const FieldElement& RC_next = x[AES160hashcLOCI::reg::RC + AES160hashcLOCI::NUMREGS]; + const FieldElement& A_next = x[AES160hashcLOCI::reg::A + AES160hashcLOCI::NUMREGS]; + const FieldElement& B_next = x[AES160hashcLOCI::reg::B + AES160hashcLOCI::NUMREGS]; + const FieldElement& C_next = x[AES160hashcLOCI::reg::C + AES160hashcLOCI::NUMREGS]; + const FieldElement& K_next = x[AES160hashcLOCI::reg::K + AES160hashcLOCI::NUMREGS]; + const FieldElement& invRC_next = x[AES160hashcLOCI::reg::invRC + AES160hashcLOCI::NUMREGS]; + + FieldElement tval = """ + poly_str_fixed + """ + return tval; + } + """ + + return cpp_eval_func + + +def poly_to_cpp_class(poly_str,class_name): +# """ + poly_to_cpp_is_used_var(poly_str) + """ + classContent = "class " + class_name + """ : public PolynomialInterface{ + public: + """ + class_name + "() {};" + """ + """ + poly_to_cpp_eval(poly_str) + """ + """ + poly_to_cpp_is_used_var(poly_str) + """ + """ + get_poly_degree_bound_cpp(poly_str) + """ + + std::unique_ptr clone()const{ + return std::unique_ptr(new """+class_name+"""); + } + + }; + """ + + return classContent + + +def create_cpp_file_withInteractivness(row_file_path): + + with open (row_file_path, "r") as row_file: + row_str = re.sub(re.compile("//.*?\n" ) ,"" , row_file.read()) #delete c++ style comments + row_str = row_str.replace(' + 0','').replace('\n','').replace(' ','').replace('\t','').replace('&','+') #last for no rand_coeffs + + polys = get_polys_from_constraints(row_str) + + theFile = """ + #include "AES160hashcLOCI_instance.hpp" + #include + #include "languages/BREX/BrexInstance.hpp" + #include "languages/BREX/BrexWitness.hpp" + + + #define ttgenRand (Algebra::one()) + //#define ttgenRand (generateRandom()) + + using Algebra::FieldElement; + using Algebra::PolynomialInterface; + using Algebra::PolynomialDegree; + using Algebra::degreeOfProduct; + using Algebra::one; + using Algebra::generateRandom; + + namespace PCP_Project{ + namespace ACSP_FOR_AES160hashcLOCI{ + + namespace { //anonymous namespace for polys and common vars + using Algebra::mapIntegerToFieldElement; + using AES160hashcLOCI::consts::polyFromMatrix; + using AES160hashcLOCI::consts::MixColMat; + using AES160hashcLOCI::consts::Transformator; + using AES160hashcLOCI::consts::minus1; + using AES160hashcLOCI::consts::B_Transformed; + using AES160hashcLOCI::consts::xFETransformed; + using AES160hashcLOCI::consts::Rcon_round11; + + const FieldElement ONE = mapIntegerToFieldElement(0,1,1); + const FieldElement X = mapIntegerToFieldElement(1,1,1); + + const FieldElement X_aes02 =mapIntegerToFieldElement(2,1,1); + const FieldElement X_aes03 =mapIntegerToFieldElement(3,1,1); + const FieldElement X_aes04 =mapIntegerToFieldElement(4,1,1); + const FieldElement X_aes05 =mapIntegerToFieldElement(5,1,1); + const FieldElement X_aes06 =mapIntegerToFieldElement(6,1,1); + const FieldElement X_aes07 =mapIntegerToFieldElement(7,1,1); + const FieldElement X_aes08 =mapIntegerToFieldElement(8,1,1); + const FieldElement X_aes09 =mapIntegerToFieldElement(9,1,1); + const FieldElement X_aes10 =mapIntegerToFieldElement(10,1,1); + const FieldElement X_aes11 =mapIntegerToFieldElement(11,1,1); + const FieldElement X_aes12 =mapIntegerToFieldElement(12,1,1); + const FieldElement X_aes13 =mapIntegerToFieldElement(13,1,1); + const FieldElement X_aes14 =mapIntegerToFieldElement(14,1,1); + const FieldElement X_aes15 =mapIntegerToFieldElement(15,1,1); + const FieldElement X_aes16 =mapIntegerToFieldElement(16,1,1); + const FieldElement X_aes17 =mapIntegerToFieldElement(17,1,1); + const FieldElement X_aes18 =mapIntegerToFieldElement(18,1,1); + const FieldElement X_aes19 =mapIntegerToFieldElement(19,1,1); + const FieldElement X_aes20 =mapIntegerToFieldElement(20,1,1); + const FieldElement X_aes21 =mapIntegerToFieldElement(21,1,1); + const FieldElement X_aes22 =mapIntegerToFieldElement(22,1,1); + const FieldElement X_aes23 =mapIntegerToFieldElement(23,1,1); + const FieldElement X_aes24 =mapIntegerToFieldElement(24,1,1); + const FieldElement X_aes25 =mapIntegerToFieldElement(25,1,1); + const FieldElement X_aes26 =mapIntegerToFieldElement(26,1,1); + const FieldElement X_aes27 =mapIntegerToFieldElement(27,1,1); + const FieldElement X_aes28 =mapIntegerToFieldElement(28,1,1); + const FieldElement X_aes29 =mapIntegerToFieldElement(29,1,1); + const FieldElement X_aes30 =mapIntegerToFieldElement(30,1,1); + const FieldElement X_aes31 =mapIntegerToFieldElement(31,1,1); + const FieldElement X_aes32 =mapIntegerToFieldElement(32,1,1); + const FieldElement X_aes33 =mapIntegerToFieldElement(33,1,1); + const FieldElement X_aes34 =mapIntegerToFieldElement(34,1,1); + const FieldElement X_aes35 =mapIntegerToFieldElement(35,1,1); + const FieldElement X_aes36 =mapIntegerToFieldElement(36,1,1); + const FieldElement X_aes37 =mapIntegerToFieldElement(37,1,1); + const FieldElement X_aes38 =mapIntegerToFieldElement(38,1,1); + const FieldElement X_aes39 =mapIntegerToFieldElement(39,1,1); + const FieldElement X_aes40 =mapIntegerToFieldElement(40,1,1); + const FieldElement X_aes41 =mapIntegerToFieldElement(41,1,1); + const FieldElement X_aes42 =mapIntegerToFieldElement(42,1,1); + const FieldElement X_aes43 =mapIntegerToFieldElement(43,1,1); + const FieldElement X_aes44 =mapIntegerToFieldElement(44,1,1); + const FieldElement X_aes45 =mapIntegerToFieldElement(45,1,1); + const FieldElement X_aes46 =mapIntegerToFieldElement(46,1,1); + const FieldElement X_aes47 =mapIntegerToFieldElement(47,1,1); + const FieldElement X_aes48 =mapIntegerToFieldElement(48,1,1); + + class randomElements_t{ + public: + FieldElement vals[""" + str(len(polys)) + """]; + randomElements_t(){ + Algebra::rng.seed(123); + """ + + + + thePoly="" + polyId = 0 + isFirst = True + for p in polys: + theFile += "vals[%d] = ttgenRand;\n"%polyId + if(not isFirst): + thePoly+="tval += " + isFirst = False + thePoly += "randomElements.vals[%d]*(%s);\n"%(polyId,p) + polyId += 1 + + theFile += """} + }randomElements; + """ + theFile += poly_to_cpp_class(thePoly,"polyAES160hashcLOCI_class") + "\n" + + theFile += """ } //anonymous namespace for polys + + AES160hashcLOCI_CS::AES160hashcLOCI_CS(){ + """ + + theFile += "polys_.insert(polyPtr_t(new polyAES160hashcLOCI_class()));\n" + + theFile += """ + } + + } // ACSP_FOR_AES160hashcLOCI namespace + } // PCP_Project namespace + """ + + return theFile + + + +if __name__ == "__main__": + print(create_cpp_file_withInteractivness("constraints_AES160hashcLOCI.txt"))