Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Poseidon circuit #21

Closed
sinui0 opened this issue Apr 24, 2022 · 4 comments
Closed

Poseidon circuit #21

sinui0 opened this issue Apr 24, 2022 · 4 comments
Labels
enhancement New feature or request research

Comments

@sinui0
Copy link
Member

sinui0 commented Apr 24, 2022

Regarding our recent discussion to produce SNARK-friendly hashes of the query and response data using 2PC, we'll need to produce the boolean circuits for Poseidon.
@sinui0 sinui0 added enhancement New feature or request research labels Apr 24, 2022
@themighty1
Copy link
Member

Just to recap. We have a garbling scheme BMR16 already implemented in Rust here https://github.com/GaloisInc/swanky/tree/master/fancy-garbling
This scheme's has very attractive properties in terms of bandwidth cost:

  • free addition
  • free multiplication by a constant
  • constant cost of exponentiation by a public exponent regardless of the size of the exponent.

We are looking for a snark-friendly hash which fits all those criteria.
It seems by looking at the source code of https://github.com/iden3/go-iden3-crypto/blob/master/poseidon/poseidon.go that Poseidon is a perfect fit because
it does not multiply two variables but only multiplies by a constant.

@themighty1
Copy link
Member

themighty1 commented Apr 25, 2022
edited
Loading

in the BMR16 paper Figure 3 (p.16) shows that for 64-bit numbers exponentiation-by-constant gate costs 365*16=~5KB.

Usually in zksnarks we deal with 256-bit numbers, so we can extrapolate that it will cost ~30KB to exponentiate a 256-bit number.

Edit: Poseidon hashes 16 field elements (of 31 bytes each), not 16 bytes. Fixed numbers accordingly.

It takes 204 exponentiations to hash 16*31=496 bytes of data with vanilla Poseidon. That's gonna cost us (204 * 30) / 496 * 16 = ~200KB of bandwidth per 16 bytes of plaintext. Not ideal but a starting reference point.

@themighty1
Copy link
Member

themighty1 commented Apr 25, 2022
edited
Loading

Oh, just realized that have some kind of "golden poseidon". It operates on 64-bit fields (i guess that's the new field from plonky2).
It does 118 exponentiations to process 8 Field elements, so it will cost us (356 * 16 * 118) / (8 * 8) * 16 =~168KB per 16 bytes of plaintext.

@sinui0
Copy link
Member Author

sinui0 commented Jun 9, 2022

Closing this issue as we determined that Poseidon can't viably be computed with a boolean circuit, and the BMR16 scheme does not support constant cost exponentiation by a prime.

We're instead pursuing another technique to generate Poseidon commitments using a combination of garbled circuits and SNARK

@sinui0 sinui0 closed this as completed Jun 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request research
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@themighty1 @sinui0