Add Semaphore

Author: jadnohra

.claude/settings.local.json

@@ -0,0 +1,15 @@
+{
+  "permissions": {
+    "allow": [
+      "Read(/Users/jad_irred/Downloads/**)",
+      "Bash(cargo build:*)",
+      "Bash(cargo test:*)",
+      "Bash(mkdir:*)",
+      "Bash(grep:*)",
+      "Bash(RUST_BACKTRACE=1 cargo test -p binius-frontend test_semaphore_keccak_single_member --release)",
+      "Bash(cargo run:*)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

crates/examples/Cargo.toml

@@ -23,6 +23,7 @@ rand.workspace = true
 base64.workspace = true
 jwt-simple.workspace = true
 sha2.workspace = true
+hex = "0.4"
 
 [dev-dependencies]
 criterion.workspace = true
@@ -47,3 +48,7 @@ path = "examples/prover.rs"
 [[example]]
 name = "verifier"
 path = "examples/verifier.rs"
+
+[[example]]
+name = "semaphore"
+path = "examples/semaphore.rs"

crates/examples/examples/semaphore.rs

@@ -0,0 +1,10 @@
+use anyhow::Result;
+use binius_examples::{Cli, circuits::semaphore::SemaphoreExample};
+
+fn main() -> Result<()> {
+    let _tracing_guard = tracing_profile::init_tracing()?;
+
+    Cli::<SemaphoreExample>::new("semaphore")
+        .about("Anonymous group membership proofs with nullifiers - supports both Keccak and ECDSA variants")
+        .run()
+}

crates/examples/src/circuits/mod.rs

@@ -1,5 +1,6 @@
 pub mod ethsign;
 pub mod keccak;
+pub mod semaphore;
 pub mod sha256;
 pub mod sha512;
 pub mod zklogin;

crates/examples/src/circuits/semaphore.rs

@@ -0,0 +1,242 @@
+use anyhow::{Result, ensure};
+use binius_frontend::{
+    circuits::{
+        semaphore::{Identity, MerkleTree, SemaphoreProofKeccak},
+        semaphore_ecdsa::{SemaphoreProofECDSA, circuit::IdentityECDSA},
+    },
+    compiler::{CircuitBuilder, circuit::WitnessFiller},
+};
+use clap::Args;
+
+use crate::ExampleCircuit;
+
+/// Semaphore anonymous group membership proof example
+pub struct SemaphoreExample {
+    circuit_type: CircuitType,
+    tree_height: usize,
+    message_len_bytes: usize, 
+    scope_len_bytes: usize,
+}
+
+enum CircuitType {
+    Keccak(SemaphoreProofKeccak),
+    ECDSA(SemaphoreProofECDSA),
+}
+
+#[derive(Args, Debug, Clone)]
+pub struct Params {
+    /// Use ECDSA key derivation (Ethereum-compatible) instead of basic Keccak
+    #[arg(long)]
+    pub use_ecdsa: bool,
+    
+    /// Height of the Merkle tree (determines max group size = 2^height)
+    #[arg(long, default_value_t = 2)]
+    pub tree_height: usize,
+    
+    /// Maximum message length in bytes
+    #[arg(long, default_value_t = 32)]
+    pub message_len_bytes: usize,
+    
+    /// Maximum scope length in bytes  
+    #[arg(long, default_value_t = 24)]
+    pub scope_len_bytes: usize,
+}
+
+#[derive(Args, Debug, Clone)]
+pub struct Instance {
+    /// Number of group members to create
+    #[arg(long, default_value_t = 4)]
+    pub group_size: usize,
+    
+    /// Index of the member generating the proof (0-based)
+    #[arg(long, default_value_t = 1)]
+    pub prover_index: usize,
+    
+    /// Message to include in the proof
+    #[arg(long, default_value = "I vote YES on proposal #42")]
+    pub message: String,
+    
+    /// Scope for this signal (prevents double-signaling within scope)
+    #[arg(long, default_value = "dao_vote_2024_q1")]
+    pub scope: String,
+    
+}
+
+impl ExampleCircuit for SemaphoreExample {
+    type Params = Params;
+    type Instance = Instance;
+    
+    fn build(params: Params, builder: &mut CircuitBuilder) -> Result<Self> {
+        ensure!(params.tree_height > 0, "Tree height must be > 0");
+        ensure!(params.message_len_bytes > 0, "Message length must be > 0");
+        ensure!(params.scope_len_bytes > 0, "Scope length must be > 0");
+        
+        let circuit_type = if params.use_ecdsa {
+            CircuitType::ECDSA(SemaphoreProofECDSA::new(
+                builder,
+                params.tree_height,
+                params.message_len_bytes,
+                params.scope_len_bytes,
+            ))
+        } else {
+            CircuitType::Keccak(SemaphoreProofKeccak::new(
+                builder,
+                params.tree_height, 
+                params.message_len_bytes,
+                params.scope_len_bytes,
+            ))
+        };
+        
+        Ok(Self {
+            circuit_type,
+            tree_height: params.tree_height,
+            message_len_bytes: params.message_len_bytes,
+            scope_len_bytes: params.scope_len_bytes,
+        })
+    }
+    
+    fn populate_witness(&self, instance: Instance, witness: &mut WitnessFiller) -> Result<()> {
+        
+        // Validate inputs
+        ensure!(instance.group_size > 0, "Group size must be > 0");
+        ensure!(instance.prover_index < instance.group_size, "Prover index must be < group size");
+        ensure!(instance.group_size <= (1 << self.tree_height), "Group size exceeds tree capacity");
+        ensure!(instance.message.len() <= self.message_len_bytes, "Message too long");
+        ensure!(instance.scope.len() <= self.scope_len_bytes, "Scope too long");
+        
+        // Let the standard tracing system handle all output like other examples
+        
+        match &self.circuit_type {
+            CircuitType::Keccak(circuit) => {
+                self.populate_keccak_witness(circuit, &instance, witness)
+            }
+            CircuitType::ECDSA(circuit) => {
+                self.populate_ecdsa_witness(circuit, &instance, witness)
+            }
+        }?;
+        
+        // Tracing system handles timing automatically
+        
+        Ok(())
+    }
+}
+
+impl SemaphoreExample {
+    fn populate_keccak_witness(
+        &self, 
+        circuit: &SemaphoreProofKeccak,
+        instance: &Instance,
+        witness: &mut WitnessFiller
+    ) -> Result<()> {
+        // Create group members
+        let mut identities = Vec::new();
+        for i in 0..instance.group_size {
+            let trapdoor = [((i + 1) as u8); 32];
+            let nullifier = [((i + 100) as u8); 32];
+            identities.push(Identity::new(trapdoor, nullifier));
+        }
+        
+        // Build Merkle tree
+        let mut tree = MerkleTree::new(self.tree_height);
+        for identity in &identities {
+            tree.add_leaf(identity.commitment());
+        }
+        
+        // Get proof for the prover
+        let prover_identity = &identities[instance.prover_index];
+        let merkle_proof = tree.proof(instance.prover_index);
+        
+        // Generate nullifier (computed but not displayed like other examples)
+        
+        // Populate witness
+        circuit.populate_witness(
+            witness,
+            prover_identity,
+            &merkle_proof,
+            instance.message.as_bytes(),
+            instance.scope.as_bytes(),
+        );
+        
+        Ok(())
+    }
+    
+    fn populate_ecdsa_witness(
+        &self,
+        circuit: &SemaphoreProofECDSA, 
+        instance: &Instance,
+        witness: &mut WitnessFiller
+    ) -> Result<()> {
+        // Create ECDSA identities 
+        let mut identities = Vec::new();
+        for i in 0..instance.group_size {
+            let secret_scalar = [((i + 42) as u8); 32];
+            identities.push(IdentityECDSA::new(secret_scalar));
+        }
+        
+        // Build Merkle tree
+        let mut tree = MerkleTree::new(self.tree_height);
+        for identity in &identities {
+            tree.add_leaf(identity.commitment());
+        }
+        
+        // Get proof for the prover
+        let prover_identity = &identities[instance.prover_index];
+        let merkle_proof = tree.proof(instance.prover_index);
+        
+        // Generate nullifier (computed but not displayed like other examples)
+        
+        // Populate witness
+        circuit.populate_witness(
+            witness,
+            prover_identity,
+            &merkle_proof,
+            instance.message.as_bytes(),
+            instance.scope.as_bytes(),
+        );
+        
+        Ok(())
+    }
+}
+
+/// Helper function to show comparison between variants (used by CLI)
+pub fn show_comparison() -> Result<()> {
+    println!("\n╔══════════════════════════════════════════════╗");
+    println!("║              Variant Comparison               ║");
+    println!("╚══════════════════════════════════════════════╝\n");
+    
+    // Build both circuits to get constraint counts
+    let keccak_builder = CircuitBuilder::new();
+    let _keccak_circuit = SemaphoreProofKeccak::new(&keccak_builder, 2, 32, 24);
+    let keccak_compiled = keccak_builder.build();
+    let keccak_cs = keccak_compiled.constraint_system();
+    let keccak_total = keccak_cs.and_constraints.len() + keccak_cs.mul_constraints.len();
+    
+    let ecdsa_builder = CircuitBuilder::new();
+    let _ecdsa_circuit = SemaphoreProofECDSA::new(&ecdsa_builder, 2, 32, 24);
+    let ecdsa_compiled = ecdsa_builder.build();
+    let ecdsa_cs = ecdsa_compiled.constraint_system();
+    let ecdsa_total = ecdsa_cs.and_constraints.len() + ecdsa_cs.mul_constraints.len();
+    
+    println!("┌─────────────────────┬────────────┬────────────┬─────────────────────┐");
+    println!("│ Version             │ Constraints│ AND        │ MUL                 │");
+    println!("├─────────────────────┼────────────┼────────────┼─────────────────────┤");
+    println!("│ Keccak-only         │ {:>10} │ {:>10} │ {:>19} │", 
+             keccak_total, keccak_cs.and_constraints.len(), keccak_cs.mul_constraints.len());
+    println!("│ ECDSA + Keccak      │ {:>10} │ {:>10} │ {:>19} │", 
+             ecdsa_total, ecdsa_cs.and_constraints.len(), ecdsa_cs.mul_constraints.len());
+    println!("│ Future Poseidon     │      ~5000 │      ~4999 │                   1 │");
+    println!("└─────────────────────┴────────────┴────────────┴─────────────────────┘");
+    
+    println!("\nUse Cases:");
+    println!("• Keccak-only: Efficient anonymous voting, private group membership");
+    println!("• ECDSA+Keccak: Ethereum wallet integration, existing key infrastructure");
+    println!("• Poseidon (future): On-chain verification, minimal proof sizes");
+    
+    println!("\nKey Features:");
+    println!("✓ Anonymous group membership proofs");
+    println!("✓ Nullifiers prevent double-signaling within scope");
+    println!("✓ Different scopes allow separate voting contexts");
+    println!("✓ Zero-knowledge: proves membership without revealing identity");
+    
+    Ok(())
+}

crates/frontend/src/circuits/keccak/mod.rs

@@ -14,6 +14,9 @@ pub const N_WORDS_PER_STATE: usize = 25;
 pub const RATE_BYTES: usize = 136;
 pub const N_WORDS_PER_BLOCK: usize = RATE_BYTES / 8;
 
+// Semantic constants for hash output sizes
+pub const KECCAK256_OUTPUT_BYTES: usize = N_WORDS_PER_DIGEST * 8;
+
 /// Keccak-256 circuit that can handle variable-length inputs up to a specified maximum length.
 ///
 /// # Arguments
@@ -49,6 +52,10 @@ impl Keccak {
 		message: Vec<Wire>,
 	) -> Self {
 		let max_len_bytes = message.len() << 3;
+		
+		assert!(!message.is_empty(), "Keccak message wires cannot be empty");
+		assert!(max_len_bytes > 0, "Keccak max message length must be > 0, got {} bytes from {} wires", max_len_bytes, message.len());
+		
 		// number of blocks needed for the maximum sized message
 		let n_blocks = (max_len_bytes + 1).div_ceil(RATE_BYTES);
 
@@ -236,11 +243,11 @@ impl Keccak {
 	/// * w - The witness filler to populate
 	/// * message_bytes - The input message as a byte slice
 	pub fn populate_message(&self, w: &mut WitnessFiller<'_>, message_bytes: &[u8]) {
+		let max_capacity = self.max_len_bytes();
 		assert!(
-			message_bytes.len() <= self.max_len_bytes(),
-			"Message length {} exceeds maximum {}",
-			message_bytes.len(),
-			self.max_len_bytes()
+			message_bytes.len() <= max_capacity,
+			"Message length {} exceeds maximum capacity {} (allocated {} wires × 8 = {} bytes)",
+			message_bytes.len(), max_capacity, self.message.len(), self.message.len() * 8
 		);
 
 		// populate message words from input bytes

crates/frontend/src/circuits/mod.rs

@@ -15,6 +15,8 @@ pub mod multiplexer;
 pub mod popcount;
 pub mod rs256;
 pub mod secp256k1;
+pub mod semaphore;
+pub mod semaphore_ecdsa;
 pub mod sha256;
 pub mod sha512;
 pub mod skein512;