You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

46 lines
2.9 KiB

8 months ago
7 months ago
7 months ago
8 months ago
7 months ago
8 months ago
7 months ago
  1. # hash-chain-sonobe
  2. Repo showcasing usage of [Sonobe](https://github.com/privacy-scaling-explorations/sonobe) with [Arkworks](https://github.com/arkworks-rs) and [Circom](https://github.com/iden3/circom) circuits.
  3. The main idea is to prove $z_n = H(H(...~H(H(H(z_0)))))$, where $n$ is the number of Keccak256 hashes ($H$) that we compute. Proving this in a 'normal' R1CS circuit for a large $n$ would be too costly, but with folding we can manage to prove it in a reasonable time span.
  4. For more info about Sonobe, check out [Sonobe's docs](https://privacy-scaling-explorations.github.io/sonobe-docs).
  5. <p align="center">
  6. <img src="https://privacy-scaling-explorations.github.io/sonobe-docs/imgs/folding-main-idea-diagram.png" style="width:70%;" />
  7. </p>
  8. ### Usage
  9. ### poseidon_chain.rs (arkworks circuit)
  10. Proves a chain of Poseidon hashes, using the [arkworks/poseidon](https://github.com/arkworks-rs/crypto-primitives/blob/main/crypto-primitives/src/sponge/poseidon/constraints.rs) circuit, with [Nova](https://eprint.iacr.org/2021/370.pdf)+[CycleFold](https://eprint.iacr.org/2023/1192.pdf).
  11. - `cargo test --release poseidon_chain -- --nocapture`
  12. ### sha_chain_offchain.rs (arkworks circuit)
  13. Proves a chain of SHA256 hashes, using the [arkworks/sha256](https://github.com/arkworks-rs/crypto-primitives/blob/main/crypto-primitives/src/crh/sha256/constraints.rs) circuit, with [Nova](https://eprint.iacr.org/2021/370.pdf)+[CycleFold](https://eprint.iacr.org/2023/1192.pdf).
  14. - `cargo test --release sha_chain_offchain -- --nocapture`
  15. ### keccak_chain.rs (circom circuit)
  16. Proves a chain of keccak256 hashes, using the [vocdoni/keccak256-circom](https://github.com/vocdoni/keccak256-circom) circuit, with [Nova](https://eprint.iacr.org/2021/370.pdf)+[CycleFold](https://eprint.iacr.org/2023/1192.pdf).
  17. Assuming rust and circom have been installed:
  18. - `./compile-circuit.sh`
  19. - `cargo test --release keccak_chain -- --nocapture`
  20. Note: the Circom variant currently has a bit of extra overhead since at each folding step it uses Circom witness generation to obtain the witness and then it imports it into the arkworks constraint system.
  21. ### Repo structure
  22. - the Circom circuit (that defines the keccak-chain) to be folded is defined at [./circuit/keccak-chain.circom](https://github.com/arnaucube/hash-chain-sonobe/blob/main/circuit/keccak-chain.circom)
  23. - the logic to fold the circuit using Sonobe is defined at [src/{poseidon_chain, sha_chain_{offchain, onchain}, keccak_chain}.rs](https://github.com/arnaucube/hash-chain-sonobe/blob/main/src)
  24. ## Other
  25. Additionally there is the `src/naive_approach_{poseidon,sha}_chain.rs` file, which mimics the amount of hashes computed by the `src/{poseidon,sha}_chain.rs` file, but instead of folding it does it by building a big circuit that does all the hashes at once, as we would do before folding existed.
  26. To run it:
  27. - `cargo test --release naive_approach_sha_chain -- --nocapture`
  28. - `cargo test --release naive_approach_poseidon_chain -- --nocapture`