@@ -2,90 +2,93 @@ pragma circom 2.1.8;
22
33include " ./hmac/circuits/hmac.circom"
44
5- // ss : secret length
6- // is : info length
5+ // s : salt length
6+ // i : info length
77// k : key length
88// m : number of keys to extract
99// n : key length
1010template HKDFSha256 (s,i,k,m,n ){
11- signal input secret [s];
11+ signal input salt [s];
1212 signal input info[i];
1313 signal input key[k];
1414
15- component hmac = HmacSha256(s, k);
1615 signal output out[m][n];
1716
18- hmac.message <== secret;
19- hmac.key <== key;
17+ component extract = Extract(s, k);
18+ extract.salt <== salt;
19+ extract.key <== key;
2020
21- component extract = Extract (i, 32 , m, n);
22- extract .info <== info;
23- extract .key <== hmac.hmac ;
21+ component expand = Expand (i, 32 , m, n);
22+ expand .info <== info;
23+ expand .key <== extract.out ;
2424
25- out <== extract .out;
25+ out <== expand .out;
2626}
2727
28- // n : message length
28+ // s : salt length
2929// k : key length
3030// out : 32 bytes from sha256 hmac
31- template Expand ( n ,k
32- signal input secret[n ];
31+ template Extract ( s ,k
32+ signal input salt[s ];
3333 signal input key[k];
3434
35- component hmac = HmacSha256(n, k );
35+ component hmac = HmacSha256(k,s );
3636 signal output out[32 ];
3737
38- hmac.message <== secret ;
39- hmac.key <== key ;
38+ hmac.message <== key ;
39+ hmac.key <== salt ;
4040
4141 out <== hmac.hmac;
4242}
4343
44- // n : message length
44+ // i : info length
4545// k : key length
4646// m : number of keys to extract
47- // s : key length
48- template Extract ( n ,k,m,s
49- signal input info[n ];
47+ // n : key length
48+ template Expand ( i ,k,m,n
49+ signal input info[i ];
5050 signal input key[k];
5151
52- var size = 32 + n + 1 ; // 32 bytes for hmac, n bytes for info, 1 byte for counter
52+ var size = 32 + i + 1 ; // 32 bytes for hmac, i bytes for info, 1 byte for counter
5353
5454 // hash size is 32 bytes
55- var rounds = (m* s )\(32 );
56- rounds = (rounds * 32 ) < (m* s ) ? rounds + 1 : rounds;
55+ var rounds = (m* n )\(32 );
56+ rounds = (rounds * 32 ) < (m* n ) ? rounds + 1 : rounds;
5757
5858
5959 component hmac[rounds];
6060
6161 signal expandedKeys [rounds][32 ];
62- signal output out[m][s ];
62+ signal output out[m][n ];
6363
64- hmac[0 ] = HmacSha256(1 , k);
65- hmac[0 ].message[0 ] <== 1 ; // here counter is byte(1)
66- hmac[0 ].key <== key;
64+ hmac[0 ] = HmacSha256(i+ 1 ,k);
65+ hmac[0 ].key <== key;
66+ for (var j = 0 ; j < i; j++ ){
67+ hmac[0 ].message[j] <== info[j];
68+ }
69+ hmac[0 ].message[i] <== 1 ; // here counter is byte(1)
6770 expandedKeys[0 ] <== hmac[0 ].hmac;
6871
6972 var counter = 2 ; // counter is byte(2)
7073
71- for (var i = 1 ; i < rounds; i ++ ){
72- hmac[i ] = HmacSha256(size, k);
73- for (var j = 0 ; j < 32 ; j ++ ){
74- hmac[i ].message[j ] <== expandedKeys[i - 1 ][j ];
74+ for (var j = 1 ; j < rounds; j ++ ){
75+ hmac[j ] = HmacSha256(size, k);
76+ for (var o = 0 ; o < 32 ; o ++ ){
77+ hmac[j ].message[o ] <== expandedKeys[j - 1 ][o ];
7578 }
76- for (var j = 0 ; j < n; j ++ ){
77- hmac[i ].message[32 + j ] <== info[j ];
79+ for (var o = 0 ; o < i; o ++ ){
80+ hmac[j ].message[32 + o ] <== info[o ];
7881 }
79- hmac[i ].message[32 + n ] <== counter;
80- hmac[i ].key <== key;
81- expandedKeys[i ] <== hmac[i ].hmac;
82+ hmac[j ].message[32 + i ] <== counter;
83+ hmac[j ].key <== key;
84+ expandedKeys[j ] <== hmac[j ].hmac;
8285 counter = counter + 1 ;
8386 }
8487
8588 var byteIndex = 0 ;
86- for (var i = 0 ; i < m; i ++ ) {
87- for (var j = 0 ; j < s; j ++ ) {
88- out[i][j ] <== expandedKeys[byteIndex \ 32 ][byteIndex % 32 ];
89+ for (var j = 0 ; j < m; j ++ ) {
90+ for (var o = 0 ; o < n; o ++ ) {
91+ out[j][o ] <== expandedKeys[byteIndex \ 32 ][byteIndex % 32 ];
8992 byteIndex++ ;
9093 }
9194 }
0 commit comments