github.com/consensys/gnark-crypto@v0.14.0/internal/generator/crypto/hash/mimc/template/mimc.go.tmpl

import (
	"errors"
	"hash"

	"math/big"
	"github.com/consensys/gnark-crypto/ecc/{{ .Name }}/fr"
	"golang.org/x/crypto/sha3"
	"sync"
)

const (
{{ if eq .Name "bn254" }}
	mimcNbRounds = 110
{{- else if eq .Name "bls12-381"}}
	mimcNbRounds = 111
{{- else if eq .Name "bls12-377"}}
	mimcNbRounds = 62
{{- else if or (eq .Name "bls12-378") (eq .Name "bls24-315")}}
	mimcNbRounds = 109
{{- else if eq .Name "bls24-317"}}
	mimcNbRounds = 91
{{- else if eq .Name "bw6-633"}}
	mimcNbRounds = 136
{{- else if or (eq .Name "bw6-761") (eq .Name "bw6-756")}}
	mimcNbRounds = 163
{{- end}}
	seed = "seed" 		 // seed to derive the constants
	BlockSize = fr.Bytes // BlockSize size that mimc consumes
)

// Params constants for the mimc hash function
var (
	mimcConstants [mimcNbRounds]fr.Element
	once sync.Once
)



// digest represents the partial evaluation of the checksum
// along with the params of the mimc function
type digest struct {
	h      fr.Element
	data   []fr.Element // data to hash
	byteOrder fr.ByteOrder
}

// GetConstants exposed to be used in gnark
func GetConstants() []big.Int {
	once.Do(initConstants) // init constants
	res := make([]big.Int, mimcNbRounds)
	for i := 0; i < mimcNbRounds; i++ {
		mimcConstants[i].BigInt(&res[i])
	}
	return res
}

// NewMiMC returns a MiMCImpl object, pure-go reference implementation
func NewMiMC(opts ...Option) hash.Hash {
	d := new(digest)
	d.Reset()
	cfg := mimcOptions(opts...)
	d.byteOrder = cfg.byteOrder
	return d
}

// Reset resets the Hash to its initial state.
func (d *digest) Reset() {
	d.data = d.data[:0]
	d.h = fr.Element{0, 0, 0, 0}
}

// Sum appends the current hash to b and returns the resulting slice.
// It does not change the underlying hash state.
func (d *digest) Sum(b []byte) []byte {
	buffer := d.checksum()
	d.data = nil // flush the data already hashed
	hash := buffer.Bytes()
	b = append(b, hash[:]...)
	return b
}

// BlockSize returns the hash's underlying block size.
// The Write method must be able to accept any amount
// of data, but it may operate more efficiently if all writes
// are a multiple of the block size.
func (d *digest) Size() int {
	return BlockSize
}

// BlockSize returns the number of bytes Sum will return.
func (d *digest) BlockSize() int {
	return BlockSize
}

// Write (via the embedded io.Writer interface) adds more data to the running hash.
//
// Each []byte block of size BlockSize represents a big endian fr.Element.
//
// If len(p) is not a multiple of BlockSize and any of the []byte in p represent an integer
// larger than fr.Modulus, this function returns an error.
//
// To hash arbitrary data ([]byte not representing canonical field elements) use fr.Hash first
func (d *digest) Write(p []byte) (int, error) {
	// we usually expect multiple of block size. But sometimes we hash short
	// values (FS transcript). Instead of forcing to hash to field, we left-pad the
	// input here.
	if len(p) > 0 && len(p) < BlockSize {
		pp := make([]byte,BlockSize)
		copy(pp[len(pp)-len(p):], p)
		p = pp
	}

	var start int
	for start = 0; start < len(p); start += BlockSize {
		if elem, err := d.byteOrder.Element((*[BlockSize]byte)(p[start:start+BlockSize])); err == nil {
			d.data = append(d.data, elem)
		} else {
			return 0, err
		}
	}

	if start != len(p) {
		return 0, errors.New("invalid input length: must represent a list of field elements, expects a []byte of len m*BlockSize")
	}
	return len(p), nil
}

// Hash hash using Miyaguchi-Preneel:
// https://en.wikipedia.org/wiki/One-way_compression_function
// The XOR operation is replaced by field addition, data is in Montgomery form
func (d *digest) checksum() fr.Element {
	// Write guarantees len(data) % BlockSize == 0

	// TODO @ThomasPiellard shouldn't Sum() returns an error if there is no data?
	// TODO: @Tabaie, @Thomas Piellard Now sure what to make of this
	/*if len(d.data) == 0 {
		d.data = make([]byte, BlockSize)
	}*/

	for i := range d.data {
		r := d.encrypt(d.data[i])
		d.h.Add(&r, &d.h).Add(&d.h, &d.data[i])
	}

	return d.h
}


{{ if eq .Name "bls12-377" }}
// plain execution of a mimc run
// m: message
// k: encryption key
func (d *digest) encrypt(m fr.Element) fr.Element {
	once.Do(initConstants) // init constants

	var tmp fr.Element
	for i:=0; i < mimcNbRounds; i++ {
		// m = (m+k+c)^**17
		tmp.Add(&m, &d.h).Add(&tmp, &mimcConstants[i])
		m.Square(&tmp).
			Square(&m).
			Square(&m).
			Square(&m).
			Mul(&m, &tmp)
	}
	m.Add(&m, &d.h)
	return m
}
{{ else if eq .Name "bls24-317" }}
// plain execution of a mimc run
// m: message
// k: encryption key
func (d *digest) encrypt(m fr.Element) fr.Element {
	once.Do(initConstants) // init constants

	var tmp1, tmp2 fr.Element
	for i := 0; i < mimcNbRounds; i++ {
		// m = (m+k+c)^7
		tmp1.Add(&m, &d.h).Add(&tmp1, &mimcConstants[i])
		tmp2.Square(&tmp1)
		m.Square(&tmp2).
			Mul(&m, &tmp2).
			Mul(&m, &tmp1)
	}

	m.Add(&m, &d.h)
	return m
}
{{ else }}
// plain execution of a mimc run
// m: message
// k: encryption key
func (d *digest) encrypt(m fr.Element) fr.Element {
	once.Do(initConstants) // init constants

	var tmp fr.Element
	for i := 0; i < mimcNbRounds; i++ {
		// m = (m+k+c)^5
		tmp.Add(&m, &d.h).Add(&tmp, &mimcConstants[i])
		m.Square(&tmp).
			Square(&m).
			Mul(&m, &tmp)
	}
	m.Add(&m, &d.h)
	return m
}
{{end}}

// Sum computes the mimc hash of msg from seed
func Sum(msg []byte) ([]byte, error) {
	var d digest
	if _, err := d.Write(msg); err != nil {
		return nil, err
	}
	h := d.checksum()
	bytes := h.Bytes()
	return bytes[:], nil
}


func initConstants() {
	bseed := ([]byte)(seed)

	hash := sha3.NewLegacyKeccak256()
	_, _ = hash.Write(bseed)
	rnd := hash.Sum(nil) // pre hash before use
	hash.Reset()
	_, _ = hash.Write(rnd)

	for i := 0; i < mimcNbRounds; i++ {
		rnd = hash.Sum(nil)
		mimcConstants[i].SetBytes(rnd)
		hash.Reset()
		_, _ = hash.Write(rnd)
	}
}

// WriteString writes a string that doesn't necessarily consist of field elements
func (d *digest) WriteString(rawBytes []byte) error {
	if elems, err := fr.Hash(rawBytes, []byte("string:"), 1); err != nil {
		return err
	} else {
		d.data = append(d.data, elems[0])
	}
	return nil
}