Poseidon primitive #41
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
str4d
commented
Mar 11, 2021
Codecov Report
@@ Coverage Diff @@
## main #41 +/- ##
===========================================
+ Coverage 46.66% 76.36% +29.70%
===========================================
Files 5 9 +4
Lines 75 347 +272
===========================================
+ Hits 35 265 +230
- Misses 40 82 +42
Continue to review full report at Codecov.
|
daira
reviewed
Mar 14, 2021
str4d
commented
Mar 15, 2021
str4d
force-pushed
the
poseidon-primitive
branch
from
ccbe17e to
43b521d
Compare
|
Rebased on #40. |
These are generated using v1.1 of the reference implementation.
We don't currently require SboxType::Inv, so let's simplify for now.
Poseidon specifications are now all concrete, and only generation of constants at runtime requires an instance of the specification.
We reuse this type for the per-round round constants, and rows of the MDS, to provide some type-level same-length guarantees. Once we can use const generics, these will all be replaced by [F; Spec::ARITY].
This removes the need for specifying the rate at runtime, and removes the remaining heap allocations from Duplex::absorb and Duplex::squeeze.
I'm using range loops explicitly to make certain logic clearer.
Domain separation is implemented as specified in the Poseidon paper. We only require constant-input-length hashing.
For Orchard, we want a Poseidon instance with a width of 3 field elements and an output of one field element. The Poseidon instances defined in the Poseidon paper have their output size equal to their capacity size; with a capacity of 1 and pallas::Base as the field, Poseidon-128 has the corresponding security level. We do deviate from the paper's instance by adding a single partial round, which makes the circuit easier to implement in Halo 2.
We now hard-code the Poseidon round constants and MDS for the Poseidon specification used for Orchard nullifiers, as produced by the reference implementation, and test that our constant generation can recreate them.
To match the paper more closely (arity specifically refers to Merkle tree instantiations).
str4d
force-pushed
the
poseidon-primitive
branch
from
43b521d to
1ceb603
Compare
ebfull
approved these changes
Mar 22, 2021
| } | ||
| } | ||
|
|
||
| // $ sage generate_parameters_grain.sage 1 0 255 3 8 58 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001 |
There was a problem hiding this comment.
I did not check these constants.
therealyingtong
approved these changes
Mar 25, 2021
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Orchard specification defines
PoseidonHashin the simplest way as 𝑓([𝑥, 𝑦, 265])[0], but this PR implements the duplex sponge explicitly to make the sponge construction clear.This PR includes the following specification for Poseidon-128:
Closes #37.