The main idea is to prove z_n = H(H(...~H(H(H(z_0))))), where n is the number of Keccak256 hashes (H) that we compute. Proving this in a 'normal' R1CS circuit for a large n would be too costly, but with folding we can manage to prove it in a reasonable time span.

For more info about Sonobe, check out Sonobe's docs.

Usage

sha_chain.rs (arkworks circuit)

Proves a chain of SHA256 hashes, using the arkworks/sha256 circuit, with Nova+CycleFold.

cargo test --release sha_chain -- --nocapture

keccak_chain.rs (circom circuit)

Proves a chain of keccak256 hashes, using the vocdoni/keccak256-circom circuit, with Nova+CycleFold.

Assuming rust and circom have been installed:

./compile-circuit.sh
cargo test --release keccak_chain -- --nocapture

Note: the Circom variant currently has a bit of extra overhead since at each folding step it uses Circom witness generation to obtain the witness and then it imports it into the arkworks constraint system.

Repo structure

the Circom circuit (that defines the keccak-chain) to be folded is defined at ./circuit/keccak-chain.circom
the logic to fold the circuit using Sonobe is defined at src/{sha_chain, keccak_chain}.rs