init

n-for-1-auth · Apr 6, 2021 · cab0973 · cab0973
1 parent 55de94f
commit cab0973
Show file tree

Hide file tree

Showing 60 changed files with 6,980,307 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.DS_Store
+.idea
diff --git a/README.md b/README.md
@@ -1,2 +1,27 @@
-# circuits
-A collection of Bristol format circuit files
+# N-for-1 Auth's collection of circuits
+
+When we develop N-for-1 Auth ([ePrint 2021/342](https://eprint.iacr.org/2021/342)), many circuit files that we need were unavailable. 
+
+This repository contains the circuits that we synthesize or assemble using existing works.
+
+## Methods
+
+To synthesize circuits, we leverage the DFF library from [TinyGarble](https://github.com/esonghori/TinyGarble) and scripts from [SCALE-MAMBA](https://github.com/KULeuven-COSIC/SCALE-MAMBA/tree/master/Circuits). The synthesizing is done with the Synopsys tools thanks to UC Berkeley's subscription.
+
+To assemble circuits, we use base circuits from [Nigel Smart](https://homes.esat.kuleuven.be/~nsmart/MPC/) and [Matteo Campanelli](https://github.com/matteocam/sha256-circuit). We want to highlight the latter's SHA256 circuit: [Steven Goldfeder](http://stevengoldfeder.com/) discovered that previous methods to synthesize SHA256 circuits are suboptimal, and special tricks are needed to force the synthesizer to use a simple adder.
+The assembly is done using [EMP-toolkit](https://github.com/emp-toolkit/emp-tool), which has a powerful plaintext engine for making circuit files.
+
+## Summary
+
+A collection of Bristol format circuit files related to TLS-in-SMPC.
+
+- **[\[key-derivation\]](./key-derivation):** Circuits for key derivation in TLS
+- **[\[aes\]](./aes):** Circuits for AES 
+- **[\[gcm\]](./gcm):** Circuits for computing GCM power shares
+- **[\[sha256\]](./sha256):** Circuits for multi-block SHA256  
+- **[\[generator\]](./generator):** Program that assembles these circuits
+
+## Regulatory issue
+This repository is not subject to the U.S. Export Administration Regulation (EAR) because it is publicly available; notifications to U.S. Bureau of Industry and Security (BIS) and National Security Agency (NSA) have been sent.
+
+For more information about this regulatory issue, see [this post](https://www.eff.org/deeplinks/2019/08/us-export-controls-and-published-encryption-source-code-explained) by Electronic Frontier Foundation (EFF).
diff --git a/aes/README.md b/aes/README.md
@@ -0,0 +1,40 @@
+# AES circuits
+
+This directory contains a full AES circuit (same as the one commonly available) and a version of AES where the key schedule is separate.
+
+| Filename    | Description | Number of AND gates |
+| ----------- | ----------- | ----------- |
+| aes128_full.txt  | Full AES circuit | 6400 |
+| aes128_key_schedule.txt  | Part of AES circuit: Key scheduling | 1280 |
+| aes128.txt  | Part of AES circuit: Post key-scheduling       | 5120 |
+
+## Syntax
+
+### aes128_full.txt
+
+- **Alice's Input:** 256 bits. 
+  * First 128 bits belong to the key. 
+  * Second 128 bits belong to the plaintext.
+  * Remark: this differs from the well-known `AES-non-expanded.txt` circuit.
+- **Output:** 128 bits. 
+
+### aes128_key_schedule.txt
+
+- **Alice's Input:** 128 bits, the key.
+- **Output:** 1408 bits, 11 round keys for 10 rounds-AES.
+
+### aes128.txt
+
+- **Alice's Input:** 1408 bits, the round keys.
+- **Bob's Input:** 128 bits, the plaintext.
+- **Output:** 128 bits.
+
+## Synthesis 
+
+The subdirectory [synthesis](./synthesis) provides more information on how these circuits are made. 
+
+## Warning: Endianness and byte-ordering
+
+When integrating the circuits with some other protocols (e.g., TLS-in-SMPC), we often need to rematch the endianness and byte-ordering. We did not have a magical way to do this (but seems to be highly possible). 
+
+We recommend, nevertheless, to match the endianness and byte-ordering by trying different inputs, from all-zero to completely random. This method has helped us match the representation with wolfssl.