Add Semaphore

Author: jadnohra

crates/examples/Cargo.toml

@@ -24,6 +24,8 @@ base64.workspace = true
 blake2.workspace = true
 jwt-simple.workspace = true
 sha2.workspace = true
+hex = "0.4"
+k256 = { workspace = true, features = ["arithmetic"] }
 
 [dev-dependencies]
 criterion.workspace = true
@@ -52,3 +54,7 @@ path = "examples/prover.rs"
 [[example]]
 name = "verifier"
 path = "examples/verifier.rs"
+
+[[example]]
+name = "padding_validation_test"
+path = "examples/padding_validation_test.rs"

crates/examples/examples/semaphore_ecdsa.rs

@@ -0,0 +1,10 @@
+use anyhow::Result;
+use binius_examples::{Cli, circuits::semaphore_ecdsa::SemaphoreExample};
+
+fn main() -> Result<()> {
+    let _tracing_guard = tracing_profile::init_tracing()?;
+
+    Cli::<SemaphoreExample>::new("semaphore_ecdsa")
+        .about("Anonymous group membership proofs with nullifiers using ECDSA key derivation")
+        .run()
+}

crates/examples/snapshots/semaphore_ecdsa.snap

@@ -0,0 +1,11 @@
+semaphore_ecdsa circuit
+--
+Number of gates: 475686
+Number of evaluation instructions: 563535
+Number of AND constraints: 609289
+Number of MUL constraints: 48536
+Length of value vec: 1048576
+  Constants: 72
+  Inout: 11
+  Witness: 97
+  Internal: 887101

crates/examples/src/circuits/mod.rs

@@ -1,6 +1,7 @@
 pub mod blake2s;
 pub mod ethsign;
 pub mod keccak;
+pub mod semaphore_ecdsa;
 pub mod sha256;
 pub mod sha512;
 pub mod zklogin;

crates/examples/src/circuits/semaphore_ecdsa.rs

@@ -0,0 +1,135 @@
+use anyhow::{Result, ensure};
+use binius_frontend::{
+    circuits::semaphore_ecdsa::{
+        SemaphoreProofECDSA, 
+        circuit::IdentityECDSA,
+        MerkleTree,
+    },
+    compiler::{CircuitBuilder, circuit::WitnessFiller},
+};
+use clap::Args;
+
+use crate::ExampleCircuit;
+
+/// Semaphore anonymous group membership proof with ECDSA key derivation
+pub struct SemaphoreExample {
+    circuit: SemaphoreProofECDSA,
+    tree_height: usize,
+    message_len_bytes: usize, 
+    scope_len_bytes: usize,
+}
+
+#[derive(Args, Debug, Clone)]
+pub struct Params {
+    /// Height of the Merkle tree (determines max group size = 2^height)
+    #[arg(long, default_value_t = 2)]
+    pub tree_height: usize,
+    
+    /// Maximum message length in bytes
+    #[arg(long, default_value_t = 32)]
+    pub message_len_bytes: usize,
+    
+    /// Maximum scope length in bytes  
+    #[arg(long, default_value_t = 24)]
+    pub scope_len_bytes: usize,
+}
+
+#[derive(Args, Debug, Clone)]
+pub struct Instance {
+    /// Number of group members to create
+    #[arg(long, default_value_t = 4)]
+    pub group_size: usize,
+    
+    /// Index of the member generating the proof (0-based)
+    #[arg(long, default_value_t = 1)]
+    pub prover_index: usize,
+    
+    /// Message to include in the proof
+    #[arg(long, default_value = "I vote YES on proposal #42")]
+    pub message: String,
+    
+    /// Scope for this signal (prevents double-signaling within scope)
+    #[arg(long, default_value = "dao_vote_2024_q1")]
+    pub scope: String,
+}
+
+impl ExampleCircuit for SemaphoreExample {
+    type Params = Params;
+    type Instance = Instance;
+    
+    fn build(params: Params, builder: &mut CircuitBuilder) -> Result<Self> {
+        ensure!(params.tree_height > 0, "Tree height must be > 0");
+        ensure!(params.message_len_bytes > 0, "Message length must be > 0");
+        ensure!(params.scope_len_bytes > 0, "Scope length must be > 0");
+        
+        let circuit = SemaphoreProofECDSA::new(
+            builder,
+            params.tree_height,
+            params.message_len_bytes,
+            params.scope_len_bytes,
+        );
+        
+        Ok(Self {
+            circuit,
+            tree_height: params.tree_height,
+            message_len_bytes: params.message_len_bytes,
+            scope_len_bytes: params.scope_len_bytes,
+        })
+    }
+    
+    fn populate_witness(&self, instance: Instance, witness: &mut WitnessFiller) -> Result<()> {
+        // Validate inputs
+        ensure!(instance.group_size > 0, "Group size must be > 0");
+        ensure!(instance.prover_index < instance.group_size, "Prover index must be < group size");
+        ensure!(instance.group_size <= (1 << self.tree_height), "Group size exceeds tree capacity");
+        ensure!(instance.message.len() <= self.message_len_bytes, "Message too long");
+        ensure!(instance.scope.len() <= self.scope_len_bytes, "Scope too long");
+        
+        // Create ECDSA identities 
+        let mut identities = Vec::new();
+        for i in 0..instance.group_size {
+            let secret_scalar = [((i + 42) as u8); 32];
+            identities.push(IdentityECDSA::new(secret_scalar));
+        }
+        
+        // Build Merkle tree
+        let mut tree = MerkleTree::new(self.tree_height);
+        for identity in &identities {
+            tree.add_leaf(identity.commitment());
+        }
+        
+        // Get proof for the prover
+        let prover_identity = &identities[instance.prover_index];
+        let merkle_proof = tree.proof(instance.prover_index);
+        
+        // Populate witness
+        self.circuit.populate_witness(
+            witness,
+            prover_identity,
+            &merkle_proof,
+            instance.message.as_bytes(),
+            instance.scope.as_bytes(),
+        );
+        
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use binius_frontend::circuits::semaphore_ecdsa::circuit::IdentityECDSA;
+
+    #[test]
+    fn test_examples_crate_identity_commitment() {
+        // Test the same computation from the examples crate
+        let secret_scalar = [0x2b; 32];
+        println!("Examples crate - Testing secret_scalar: {:02x?}", secret_scalar);
+        
+        let identity = IdentityECDSA::new(secret_scalar);
+        let commitment = identity.commitment();
+        println!("Examples crate - Direct commitment result: {:02x?}", commitment);
+        
+        // Let's see if this matches what the frontend crate produces
+    }
+}

crates/frontend/Cargo.toml

@@ -19,6 +19,7 @@ serde_json.workspace = true
 sha2.workspace = true
 sha3.workspace = true
 smallvec.workspace = true
+k256 = { workspace = true, features = ["arithmetic"] }
 
 [dev-dependencies]
 base64 = { workspace = true }

crates/frontend/src/circuits/ecdsa/scalar_mul.rs

@@ -345,7 +345,7 @@ mod tests {
 	use binius_core::word::Word;
 	use k256::{
 		ProjectivePoint, Scalar, U256,
-		elliptic_curve::{ops::MulByGenerator, scalar::FromUintUnchecked, sec1::ToEncodedPoint},
+		elliptic_curve::{ops::MulByGenerator, scalar::FromUintUnchecked, sec1::ToEncodedPoint, PrimeField},
 	};
 	use rand::prelude::*;
 
@@ -403,6 +403,48 @@ mod tests {
 		assert_eq!(w[result.is_point_at_infinity], Word::ZERO);
 	}
 
+	#[test]
+	fn test_scalar_mul_naive_256bit() {
+		// Test with full 256-bit scalar to ensure production compatibility
+		let builder = CircuitBuilder::new();
+		let curve = Secp256k1::new(&builder);
+		
+		// Use a 256-bit test scalar
+		let scalar_bytes = [0x2b; 32];
+		let scalar_value = num_bigint::BigUint::from_bytes_le(&scalar_bytes);
+		
+		// Use k256 to compute expected result
+		let mut scalar_be = scalar_bytes;
+		scalar_be.reverse();
+		let k256_scalar = Scalar::from_repr(scalar_be.into()).unwrap();
+		let k256_point = ProjectivePoint::mul_by_generator(&k256_scalar).to_affine();
+		
+		// Extract expected coordinates
+		let point_bytes = k256_point.to_encoded_point(false).to_bytes();
+		let x_coord = num_bigint::BigUint::from_bytes_be(&point_bytes[1..33]);
+		let y_coord = num_bigint::BigUint::from_bytes_be(&point_bytes[33..65]);
+		
+		// Create circuit scalar
+		let scalar = BigUint::new_constant(&builder, &scalar_value);
+		let expected_x = BigUint::new_constant(&builder, &x_coord);
+		let expected_y = BigUint::new_constant(&builder, &y_coord);
+		
+		let generator = Secp256k1Affine::generator(&builder);
+		
+		// Test with full 256 bits
+		let result = scalar_mul_naive(&builder, &curve, 256, &scalar, generator);
+		
+		// Verify result matches k256
+		assert_eq(&builder, "result_x_256bit", &result.x, &expected_x);
+		assert_eq(&builder, "result_y_256bit", &result.y, &expected_y);
+		
+		// Build and verify circuit
+		let cs = builder.build();
+		let mut w = cs.new_witness_filler();
+		assert!(cs.populate_wire_witness(&mut w).is_ok());
+		assert_eq!(w[result.is_point_at_infinity], Word::ZERO);
+	}
+
 	#[test]
 	fn test_scalar_mul_with_endomorphism() {
 		let builder = CircuitBuilder::new();

crates/frontend/src/circuits/keccak/mod.rs

@@ -14,6 +14,9 @@ pub const N_WORDS_PER_STATE: usize = 25;
 pub const RATE_BYTES: usize = 136;
 pub const N_WORDS_PER_BLOCK: usize = RATE_BYTES / 8;
 
+// Semantic constants for hash output sizes
+pub const KECCAK256_OUTPUT_BYTES: usize = N_WORDS_PER_DIGEST * 8;
+
 /// Keccak-256 circuit that can handle variable-length inputs up to a specified maximum length.
 ///
 /// # Arguments
@@ -49,6 +52,10 @@ impl Keccak {
 		message: Vec<Wire>,
 	) -> Self {
 		let max_len_bytes = message.len() << 3;
+		
+		assert!(!message.is_empty(), "Keccak message wires cannot be empty");
+		assert!(max_len_bytes > 0, "Keccak max message length must be > 0, got {} bytes from {} wires", max_len_bytes, message.len());
+		
 		// number of blocks needed for the maximum sized message
 		let n_blocks = (max_len_bytes + 1).div_ceil(RATE_BYTES);
 
@@ -236,11 +243,11 @@ impl Keccak {
 	/// * w - The witness filler to populate
 	/// * message_bytes - The input message as a byte slice
 	pub fn populate_message(&self, w: &mut WitnessFiller<'_>, message_bytes: &[u8]) {
+		let max_capacity = self.max_len_bytes();
 		assert!(
-			message_bytes.len() <= self.max_len_bytes(),
-			"Message length {} exceeds maximum {}",
-			message_bytes.len(),
-			self.max_len_bytes()
+			message_bytes.len() <= max_capacity,
+			"Message length {} exceeds maximum capacity {} (allocated {} wires × 8 = {} bytes)",
+			message_bytes.len(), max_capacity, self.message.len(), self.message.len() * 8
 		);
 
 		// populate message words from input bytes

crates/frontend/src/circuits/mod.rs

@@ -17,6 +17,7 @@ pub mod popcount;
 pub mod ripemd;
 pub mod rs256;
 pub mod secp256k1;
+pub mod semaphore_ecdsa;
 pub mod sha256;
 pub mod sha512;
 pub mod skein512;