-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PR for Merkle-friendly 32-byte Pedersen hash functions #2
Comments
I just discovered *edit: scratch that, that would defeat the purpose of getting better performance with Pedersen hashses. Back to the drawing board... |
Pedersen needs to go to window3. |
fix: makes mimcsponge act like the paper description
…ping update-docs+remove-escaping
Hi Jordi,
Would you be interested in a pull request to add new circuits and JS code for the following features?
All the code is here: https://github.com/weijiekoh/snarschain
PedersenHash
circuitEncodePedersenPoint
circuitEncodePedersenPoint
circuitx
andy
(32-byte bigInts)x
, but its most significant 8 bits are the 8 most significant bits ofy
.JoinHashes
circuitleft
andright
left
concatenated with the 128 LSBs ofright
PedersenHashDouble
circuitleft
andright
, a 32-byte bigInt eachout[2]
: the x- and y-outputs of a Pedersen circuitEncodePedersenPoint
circuitThese circuits achieve two goals:
Have an easy-to-use Pedersen hash circuit which outputs 32 bytes. Since the Pedersen hash function outputs a point on the BabyJub curve, which is symmetrical across the y-axis, the only relevant data is the x-value and the sign of the y-value. However, the
babyJub.packPoint()
function will cause an integer overflow within circom, so the next best option is to return 32 bytes consisting of the most significant 8 bits of y and the least significant 248 bits of x.Have an easy-to-use Pedersen hash circuit which can be plugged in to a Merkle tree validator circuit. Since it needs to hash two 32-byte values, it takes 16 bytes from each input and then pipes them into the Pedersen single-input hash circuit described above.
I'm curious about what you think. If you like the idea, I'm happy to package what I've written as a PR to
circomlib
and submit that. I'm also keen to improveEncodePedersenPoint
andJoinHashes
if they are incorrect or insecure.Thanks!
The text was updated successfully, but these errors were encountered: