Closed lightning-li closed 1 year ago
In the circuit, you truncate and pack A1..A4 into one element A1(64)||A2(64)||A3(64)||A4(64) why not write 4 elements into hash instead?
In the circuit, you truncate and pack A1..A4 into one element A1(64)||A2(64)||A3(64)||A4(64) why not write 4 elements into hash instead?
There are many elements needed to be hashed, I want to reduce the number of constraints in circuit, and the overhead for verifier (L1 smart contract) to generate the same hash
Hi, so I think the solution to the issue is to decompose the []byte
slice buffer in the "real" (=non snark) version of mimc in base p (so the slice is interpreted as a number a0 + a1*r + a2*r^2 + .. + an*r^n
where r is the size of the snark field), and use as blocks the digits ai
. The r-basis decomposition ensures there is a one-to-one correspondence between sequences of blocks and byte slices.
Currently the implementation in gnark-crypto does not do that, but rather decomposes the []byte
slice as blocks of size 256bits for instance for bn254. It's a security bug as a matter of fact, I raised the corresponding issue in gnark-crypto.
MIMC is based on finite field, Suppose there is a uint256 number a, and the fr.Element modulus is q, then this equation will hold: MIMC(a) = MIMC(a + q). I want to use MIMC function in circuit:
This test passed, it shows that if prover provide verifier
FooConstraint {A1: 3486998266802970666, A2: 13281191951274694750, A3: 2896914383306846354, A4: 4891460686036598786}
, verifier use mimc calculate this hash, use it as circuit public input, the circuit verify can pass.What should I do to make sure that verifier is convinced by the fact prover use
FooConstraint {A1: 1, A2: 1, A3: 1, A4: 1}
notFooConstraint {A1: 3486998266802970666, A2: 13281191951274694750, A3: 2896914383306846354, A4: 4891460686036598786}
in circuit? One way I can think of is changeCollectDataFromFoo
toAnd Verifier use the same way to calculate mimc hash. Is this a recommend way? Is there a better way?