Merge branch 'master' into topic/rewrite

README.md

@@ -212,6 +212,15 @@ The MPCL runtime defines the following builtin functions:
      - [ ] local variables in for-loop unrolling
    - [ ] Compound init values must be zero-padded to full size
 
+## Circuit Optimization
+
+Optimizations from [stevengoldfeder.com](http://stevengoldfeder.com/projects/circuits/sha2circuit.html):
+
+| File            | No. ANDs        | No. XORs | No. INVs |         |
+| :-------------- | :-------------- | -------: | -------: | ------: |
+| Our circuit     | sha256Final.txt | 22,272   | 91,780   | 2,194   |
+| Bristol circuit | sha-256.txt     | 90,825   | 42,029   | 103,258 |
+
 # Benchmarks and tests
 
 Please, see the [benchmarks.md](benchmarks.md) file for information

compiler/ast/builtin.go

@@ -1,5 +1,5 @@
 //
-// Copyright (c) 2019-2023 Markku Rossi
+// Copyright (c) 2019-2024 Markku Rossi
 //
 // All rights reserved.
 //
@@ -47,6 +47,10 @@ var builtins = map[string]Builtin{
 	"native": {
 		SSA: nativeSSA,
 	},
+	"panic": {
+		SSA:  panicSSA,
+		Eval: panicEval,
+	},
 	"size": {
 		SSA:  sizeSSA,
 		Eval: sizeEval,
@@ -403,6 +407,69 @@ func nativeCircuit(name string, block *ssa.Block, ctx *Codegen,
 	return block, result, nil
 }
 
+func panicSSA(block *ssa.Block, ctx *Codegen, gen *ssa.Generator,
+	args []ssa.Value, loc utils.Point) (*ssa.Block, []ssa.Value, error) {
+
+	var arr []string
+	for _, arg := range args {
+		var str string
+		if arg.Const {
+			str = fmt.Sprintf("%v", arg.ConstValue)
+		} else {
+			str = arg.String()
+		}
+		arr = append(arr, str)
+	}
+
+	return nil, nil, ctx.Errorf(loc, "panic: %v", panicMessage(arr))
+}
+
+func panicEval(args []AST, env *Env, ctx *Codegen, gen *ssa.Generator,
+	loc utils.Point) (ssa.Value, bool, error) {
+
+	var arr []string
+	for _, arg := range args {
+		arr = append(arr, arg.String())
+	}
+
+	return ssa.Undefined, false, ctx.Errorf(loc, "panic: %v", panicMessage(arr))
+}
+
+func panicMessage(args []string) string {
+	if len(args) == 0 {
+		return ""
+	}
+	format := args[0]
+	args = args[1:]
+
+	var result string
+
+	for i := 0; i < len(format); i++ {
+		if format[i] != '%' || i+1 >= len(format) {
+			result += string(format[i])
+			continue
+		}
+		i++
+		if len(args) == 0 {
+			result += fmt.Sprintf("%%!%c(MISSING)", format[i])
+			continue
+		}
+		switch format[i] {
+		case 'v':
+			result += args[0]
+		default:
+			result += fmt.Sprintf("%%!%c(%v)", format[i], args[0])
+		}
+		args = args[1:]
+	}
+
+	for _, arg := range args {
+		result += " " + arg
+	}
+
+	return result
+}
+
 func sizeSSA(block *ssa.Block, ctx *Codegen, gen *ssa.Generator,
 	args []ssa.Value, loc utils.Point) (*ssa.Block, []ssa.Value, error) {
 

pkg/README.md

@@ -2,7 +2,7 @@
 
 ## SCALE-MAMBA Software
 
-The following circuit files are from the [SCALE-MAMBA Software](https://homes.esat.kuleuven.be/~nsmart/SCALE/):
+The following circuit files are from the [SCALE-MAMBA Software](https://github.com/KULeuven-COSIC/SCALE-MAMBA):
 
  - [crypto/aes/aes_128.circ](crypto/aes/aes_128.circ)
  - [crypto/aes/aes_192.circ](crypto/aes/aes_192.circ)
@@ -16,24 +16,30 @@ The following circuit files are from the [SCALE-MAMBA Software](https://homes.es
 
 The SCALE-MAMBA license is as follows:
 
-> This software incorporates components from the original SPDZ system, as well as various
-> extensions. It's  copyright therefore rests with the following two institutions:
->
-> Copyright (c) 2017, The University of Bristol, Senate House, Tyndall Avenue, Bristol, BS8 1TH, United Kingdom.
-> Copyright (c) 2020, COSIC-KU Leuven, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium.
->
-> All rights reserved
->
-> Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
->
-> 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
->
-> 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
->
-> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
->
->
-> Any use of the software for commercial purposes should be reported to the nigel.smart@kuleuven.be
-> This is for impact and usage monitoring purposes only.
->
-> Enquiries about further applications and development opportunities are welcome. Please contact nigel.smart@kuleuven.be
+```
+This software incorporates components from the original SPDZ system from the University
+of Bristol, as well as various extensions. The scasm assembler and wasca system for
+compiling Rust programs is a co-development between KU Leuven and Cosmian
+
+ The copyright therefore rests with the following three institutions:
+
+Copyright (c) 2017, The University of Bristol, Senate House, Tyndall Avenue, Bristol, BS8 1TH, United Kingdom.
+Copyright (c) 2021, imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium.
+Copyright (c) 2021, Copyright (c) 2021, Cosmian Tech SAS, 53-55 rue La Boétie, Paris, France.
+
+All rights reserved
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+It would be helpful if any use of the software for commercial purposes is reported to the nigel.smart@kuleuven.be
+This is for impact and usage monitoring purposes only.
+
+Enquiries about further applications and development opportunities are welcome. Please contact nigel.smart@kuleuven.be
+```

pkg/builtin.mpcl

@@ -1,12 +1,12 @@
 // -*- go -*-
 //
-// Copyright (c) 2020-2023 Markku Rossi
+// Copyright (c) 2020-2024 Markku Rossi
 //
 // All rights reserved.
 //
 
-// Package builtin defines MPCL builtin functions and types. This
-// package is always imported and the functions and types can be used
+// Package builtin defines MPCL built-in functions and types. This
+// package is always imported, and the functions and types can be used
 // in all programs.
 package builtin
 
@@ -43,9 +43,9 @@ func floorPow2(v int) int {}
 //	String: the number of bytes in the string
 func len(v Type) int32 {}
 
-// The native built-in function loads native circuit from the named
-// file. The circuit must be located in the same directory as the
-// calling MPCL script. The native built-in function supports the
+// The native built-in function loads the native circuit from the
+// named file. The circuit must be located in the same directory as
+// the calling MPCL program. The native built-in function supports the
 // following circuit formats:
 //
 //	.circ   Bristol circuit format
@@ -55,3 +55,21 @@ func native(name string) []Type {}
 // The size built-in function returns the size of the argument value
 // in bits. The argument value can be of any type.
 func size(v Type) int32 {}
+
+// The panic built-in function terminates the compilation with an
+// error message. The first argument is used as a format string, and
+// the remaining arguments are positional arguments for the formatted
+// message. Any extra arguments are appended to the result string,
+// separated by a space character. The panic built-in function is a
+// compile-time call. If any of the live execution paths contains a
+// panic call, it will be triggered during the compilation phase and
+// terminate the compilation. The panic function is usually used in
+// parametrized functions to assert pre-conditions:
+//
+//	func CryptBlocks(data []byte) []byte {
+//	    if len(data)%blockSize != 0 {
+//	        panic("input not full blocks")
+//	    }
+//	    ...
+//	}
+func panic(args any) {}

pkg/crypto/cipher/cts/cts.mpcl

@@ -0,0 +1,129 @@
+// -*- go -*-
+//
+// Copyright (c) 2024 Markku Rossi
+//
+// All rights reserved.
+//
+
+// Package cts implements the ciphertext stealing (CTS) mode of
+// operation for block ciphers. The implementation uses the CTS-3
+// (Kerberos) variant for formatting the cipher text.
+package cts
+
+import (
+	"crypto/aes"
+)
+
+// EncryptAES128 encrypts the data in AES-CTS mode. The key specifies
+// the AES encryption key and iv is a random initialization vector.
+func EncryptAES128(key [16]byte, iv [aes.BlockSize]byte, data []byte) []byte {
+	numBlocks := len(data) / aes.BlockSize
+	tail := len(data) % aes.BlockSize
+
+	if tail != 0 {
+		numBlocks++
+	} else {
+		tail = aes.BlockSize
+	}
+	if numBlocks < 2 {
+		panic("cts.EncryptAES128: input must be at least 2 block")
+	}
+	var block [aes.BlockSize]byte
+	block = memcpy(block, 0, iv, 0)
+
+	var plain [aes.BlockSize]byte
+	var cipher [len(data)]byte
+
+	// Standard CBC for the first numBlocks-1 blocks.
+	for i := 0; i < numBlocks-1; i++ {
+		plain = memcpy(plain, 0, data, i*aes.BlockSize)
+		for j := 0; j < aes.BlockSize; j++ {
+			plain[j] ^= block[j]
+		}
+		block = aes.EncryptBlock(key, plain)
+		if i < numBlocks-2 {
+			// Store standard CBC output block.
+			cipher = memcpy(cipher, i*aes.BlockSize, block, 0)
+		} else {
+			// Store last ciphertext block.
+			cipher = memcpy(cipher, (numBlocks-1)*aes.BlockSize, block, 0)
+		}
+	}
+
+	// Create last input block.
+	plain = memcpy(plain, 0, data, (numBlocks-1)*aes.BlockSize)
+	for i := tail; i < aes.BlockSize; i++ {
+		plain[i] = 0
+	}
+	for j := 0; j < aes.BlockSize; j++ {
+		plain[j] ^= block[j]
+	}
+	block = aes.EncryptBlock(key, plain)
+	cipher = memcpy(cipher, (numBlocks-2)*aes.BlockSize, block, 0)
+
+	return cipher
+}
+
+// DecryptAES128 decrypts the data that is encrypted in AES-CTS
+// mode. The key specifies the AES encryption key and iv is the random
+// initialization vector used in encryption.
+func DecryptAES128(key [16]byte, iv [aes.BlockSize]byte, data []byte) []byte {
+	numBlocks := len(data) / aes.BlockSize
+	tail := len(data) % aes.BlockSize
+
+	if tail != 0 {
+		numBlocks++
+	} else {
+		tail = aes.BlockSize
+	}
+
+	if numBlocks < 2 {
+		panic("cts.DecryptAES128: input must be at least 2 blocks")
+	}
+	var block [aes.BlockSize]byte
+	var cipher [aes.BlockSize]byte
+	var tmp2 [aes.BlockSize]byte
+	var plain [len(data)]byte
+
+	// Standard CBC for the first numBlocks-2 blocks.
+	for i := 0; i < numBlocks-2; i++ {
+		cipher = memcpy(cipher, 0, data, i*aes.Blocks)
+		block = aes.DecryptBlock(key, cipher)
+		for j := 0; j < aes.BlockSize; j++ {
+			block[j] ^= iv[j]
+		}
+		plain = memcpy(plain, i*aes.BlockSize, block, 0)
+		iv = memcpy(iv, 0, cipher, 0)
+	}
+
+	// Decrypt second-to-last cipher block.
+	cipher = memcpy(cipher, 0, data, (numBlocks-2)*aes.BlockSize)
+	tmp := aes.DecryptBlock(key, cipher)
+
+	// Create padded last cipher block.
+	tmp2 = memcpy(tmp2, 0, data, (numBlocks-1)*aes.BlockSize)
+	tmp2 = memcpy(tmp2, tail, tmp, tail)
+
+	// Decrypt second-to-last block.
+	block = aes.DecryptBlock(key, tmp2)
+	for j := 0; j < aes.BlockSize; j++ {
+		block[j] ^= iv[j]
+	}
+	plain = memcpy(plain, (numBlocks-2)*aes.BlockSize, block, 0)
+	iv = memcpy(iv, 0, tmp2, 0)
+
+	// Finalize last block.
+	for j := 0; j < aes.BlockSize; j++ {
+		tmp[j] ^= iv[j]
+	}
+	plain = memcpy(plain, (numBlocks-1)*aes.BlockSize, tmp, 0)
+
+	return plain
+}
+
+func memcpy(dst []byte, dstOfs int, src []byte, srcOfs int) []byte {
+	for i := 0; srcOfs+i < len(src) && dstOfs+i < len(dst); i++ {
+		dst[dstOfs+i] = src[srcOfs+i]
+	}
+	return dst
+}

testsuite/crypto/cipher/cts/aes128_cts_dec.mpcl

@@ -0,0 +1,19 @@
+// -*- go -*-
+
+package main
+
+import (
+	"crypto/cipher/cts"
+)
+
+// @Hex
+// @LSB
+// @Test 0xc6353568f2bf8cb4d8a580362da7ff7f97 _ = 0x4920776f756c64206c696b652074686520
+func main(data []byte, e []byte) []byte {
+	key := []byte{
+		0x63, 0x68, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x20,
+		0x74, 0x65, 0x72, 0x69, 0x79, 0x61, 0x6b, 0x69,
+	}
+	var iv [16]byte
+	return cts.DecryptAES128(key, iv, data)
+}

testsuite/crypto/cipher/cts/aes128_cts_enc.mpcl

@@ -0,0 +1,19 @@
+// -*- go -*-
+
+package main
+
+import (
+	"crypto/cipher/cts"
+)
+
+// @Hex
+// @LSB
+// @Test 0x4920776f756c64206c696b652074686520 _ = 0xc6353568f2bf8cb4d8a580362da7ff7f97
+func main(data []byte, e []byte) []byte {
+	key := []byte{
+		0x63, 0x68, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x20,
+		0x74, 0x65, 0x72, 0x69, 0x79, 0x61, 0x6b, 0x69,
+	}
+	var iv [16]byte
+	return cts.EncryptAES128(key, iv, data)
+}