Add bn254 support and expose poseidon/poseidon2 host functions #1667
leighmcculloch merged 17 commits into main from
Conversation
### What
This is the same PR as #1613, but onto `p25-preview` branch instead of `master`, so that it doesn't interfere with any potential p24 patch work. All comments have been addressed in the original PR.

---------
Co-authored-by: Siddharth Suresh <siddharth@stellar.org>
Co-authored-by: Leigh <351529+leighmcculloch@users.noreply.github.com>

### What
Implements Poseidon, Poseidon2:
- two new hash functions under `Crypto` which perform Poseidon/Poseidon2 hashing. Underneath they wrap the permutation host function call with a sponge implementation
- provide reference parameters for Poseidon/Poseidon2 for bn254
- results match both circom (for Poseidon) and noir (for Poseidon2) with test cases
- also expose the two permutation host functions in `CryptoHazmat`, to support custom sponge implementations / parameter sets.

### Why
[TODO: Why this change is being made. Include any context required to understand the why.]

### Known limitations
For Poseidon, only `hash2` (t=3, hashing two inputs into one output) is supported for now. Only BN254 is supported for now. To add support for the rest, we need to generate and import those parameters, which will be done in a followup.
Marked as draft because we need to fix the tests.
Implement `Neg` trait for `G1Affine`. This is useful for verifying Groth16 proofs.

### What
- Introduce an `Fq` newtype wrapping `BytesN<FP_SERIALIZED_SIZE>` as the BN254 base field element
- Implement `Neg` for `Fq`
- Implement `Neg` for `G1Affine` by:

### Why
- We need this operation to make cheaper groth16 verification on the bn254 curve. BLS has implemented this feature as well.

### Known limitations
- Negation is implemented only for G1Affine; G2Affine and other types (e.g. projective representations) do not yet have Neg implementations.

---------
Co-authored-by: Siddharth Suresh <siddharth@stellar.org>

### What
Merge main into v25-preview

---------
Co-authored-by: Leigh <351529+leighmcculloch@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

### What
This is just #1644 with cleaner history.

---------
Co-authored-by: Nando Vieira <me@fnando.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

### What
Update typenames and add the contracttype mapping.

Co-authored-by: Leigh <351529+leighmcculloch@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Can we name the title of this PR, and its description, with the crypto features being merged, so that the git history on main captures what features are being introduced? We can probably lift details from the PRs that were merged into the v25 branch. The final commit is written using the PR title and description.
@leighmcculloch yeah, let's merge that one first, since it contains a few additions/improvements to the Poseidon(2).
@jayz22 Could we add more constants to the Poseidon config? With the current parameters (T = 3 and the constants) in poseidon_params, hashing is limited to just two inputs. Supporting more inputs would be much more useful. EDIT: I just saw that you have an open PR with T=4, can we add a few more? :) Happy to review the PR if needed
@teddav thanks for your interest in trying the Poseidon! Also to point out, there is no hard rule between the number of inputs and the internal state size. I.e. you can use a sponge with internal t=4 and a hash input length of 100; internally the sponge alternates between absorb and permute until the entire input is consumed. I.e. you can do the following
…1663)

## Summary
This PR provides comprehensive Poseidon and Poseidon2 hash function implementations for both BN254 and BLS12-381 curves, with extensive parameter coverage and test validation against external reference implementations.

## Changes

### Convenience Hash Methods
- Added poseidon_hash<N>() - matches https://github.com/iden3/circomlib/blob/35e54ea21da3e8762557234298dbb553c175ea8d/circuits/poseidon.circom
- Added poseidon2_hash<N>() - matches https://github.com/noir-lang/noir/blob/abfee1f54b20984172ba23482f4af160395cfba5/noir_stdlib/src/hash/poseidon2.nr

### Poseidon Parameters (poseidon_params.rs)
- BN254: MDS matrix and round constants for t=2, t=3, t=4 (validated against circomlib)
- BLS12-381: MDS matrix and round constants for t=2, t=3, t=4 (validated against reference Sage script and [poseidon-bls12381-circom](https://github.com/jmagan/poseidon-bls12381-circom))

### Poseidon2 Parameters (poseidon2_params.rs)
- BN254: Diagonal matrix (MAT_DIAG) and round constants for t=2, t=3, t=4
- BLS12-381: Diagonal matrix and round constants for t=2, t=3, t=4
- Parameters generated using reference Sage script and validated against reference test vectors (generated by the script)

### Sponge Implementations
- PoseidonSponge and Poseidon2Sponge with configurable parameters via PoseidonConfig and Poseidon2Config
- Proper capacity/rate handling matching reference implementations

### Test Coverage
- Poseidon (BN254) - hash_n validated against circomlib
- Poseidon (BLS12-381) - hash_n validated against poseidon-bls12381-circom
- Poseidon2 (BN254) - hash validated against barretenberg, permutation validated against reference test vectors
- Poseidon2 (BLS12-381) - permutation validated against reference test vectors
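The sponge mechanics that the reply above describes (a t=4 internal state hashing 100 inputs by alternating absorb and permute) and the capacity/rate handling listed in the commit message, as an added example that is not code from the SDK or from any PR on this page. The permutation here is a stand-in mixing step, not Poseidon or Poseidon2; the prime 2^61 - 1 is a constructed toy field, not the BN254 scalar field; and `Sponge`, `sponge_hash` and `toy_permutation` are names chosen for this example. Only the sponge structure (capacity lane, rate lanes, permute when the rate is full, final permute before reading the digest) carries over to the real hashes.

```rust
// Added example: a sponge over a toy prime field with state width `t`,
// capacity 1 and rate t-1. The internal width bounds how many elements are
// absorbed per permutation, not how many elements can be hashed in total.

// ASSUMPTION: constructed toy prime (2^61 - 1), not BN254's field.
const P: u64 = (1u64 << 61) - 1;

fn add(a: u64, b: u64) -> u64 {
    ((a as u128 + b as u128) % (P as u128)) as u64
}

fn mul(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % (P as u128)) as u64
}

/// ASSUMPTION: stand-in permutation (an x^5 S-box on every lane followed by a
/// dense linear mix), NOT Poseidon/Poseidon2. The sponge below is agnostic to
/// which permutation fills this slot.
fn toy_permutation(state: &mut [u64]) {
    for x in state.iter_mut() {
        let x2 = mul(*x, *x);
        let x4 = mul(x2, x2);
        *x = mul(x4, *x);
    }
    let old = state.to_vec();
    for (i, lane) in state.iter_mut().enumerate() {
        let mut acc = 0u64;
        for (j, &v) in old.iter().enumerate() {
            acc = add(acc, mul(v, (i + j + 1) as u64));
        }
        *lane = acc;
    }
}

/// Lane 0 is the capacity: seeded with a domain tag and never written by
/// input. Lanes 1..t are the rate, where input is added.
pub struct Sponge {
    state: Vec<u64>,
    rate: usize,
    pos: usize, // index of the next free rate lane
}

impl Sponge {
    pub fn new(t: usize, domain_tag: u64) -> Self {
        assert!(t >= 2, "need at least one rate lane");
        let mut state = vec![0u64; t];
        state[0] = domain_tag % P;
        Sponge { state, rate: t - 1, pos: 0 }
    }

    /// Absorb any number of field elements, permuting whenever the rate
    /// lanes are full. Returns the number of permutations run, which is the
    /// cost that the choice of `t` actually controls.
    pub fn absorb(&mut self, input: &[u64]) -> usize {
        let mut permutations = 0;
        for &x in input {
            if self.pos == self.rate {
                toy_permutation(&mut self.state);
                permutations += 1;
                self.pos = 0;
            }
            let lane = 1 + self.pos;
            self.state[lane] = add(self.state[lane], x % P);
            self.pos += 1;
        }
        permutations
    }

    /// Final permutation, then read the first rate lane as the digest.
    pub fn squeeze(&mut self) -> u64 {
        toy_permutation(&mut self.state);
        self.pos = 0;
        self.state[1]
    }
}

/// One-shot hash with state width `t`; the input length is used as the
/// domain tag (an assumption of this example, not a reference convention).
pub fn sponge_hash(t: usize, input: &[u64]) -> u64 {
    let mut s = Sponge::new(t, input.len() as u64);
    s.absorb(input);
    s.squeeze()
}

fn main() {
    // Constructed input: 100 elements through a t=4 (rate 3) sponge.
    let input: Vec<u64> = (1..=100).collect();
    let mut s = Sponge::new(4, input.len() as u64);
    let perms = s.absorb(&input);
    println!("t=4, 100 inputs: {} permutations during absorb", perms);
    println!("digest = {}", s.squeeze());
    println!("t=3 digest of the same input = {}", sponge_hash(3, &input));
}
```

With t=4 the 100-element input costs 33 permutations during absorb plus one in squeeze; with t=3 it costs 49 plus one. That is the trade-off a wider state buys: fewer permutation calls per input element, at the price of a larger parameter set, which is why the parameters for t=2, t=3 and t=4 are shipped separately.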
I thought all the changes in this PR were already reviewed on other PRs before merging to the v25-preview, but upon review of the PRs, not all of them were reviewed or approved.
I took a look through and noted a few minor things, comments inline. cc @jayz22
Can folks from the core team who are familiar with the crypto being added please do a full review? cc @stellar/contract-committers
The changes should ideally be reviewed by someone who wasn't the author. The authors were @jayz22 @Oghma @sisuresh. But @sisuresh's changes were all reviewed, so the reviewer just needs to be someone other than @jayz22 @Oghma.
### What
Remove Poseidon, Poseidon2 code from the sdk.

### Why
To prepare for migrating this into a separate repo, for independent review/audit/release cadence from the regular sdk.

### What
- Add `crypto/bn254.rs` with Bn254 point and field types, and expose related host operations.
- `Neg` trait for `G1Affine` (Feature/bn254 neg trait #1630)
- Poseidon/Poseidon2 permutation host functions in `CryptoHazmat`, gated by the "hazmat-crypto" feature

### Why
Expose new crypto functions for protocol 25

### Known limitations
Only the raw host function exposure for Poseidon/Poseidon2 has been added in this PR. The more elaborate setup for sponge, parameters, hash function wrappers will be done in a separate repo here