Commitment Gadget Design

[stechu]

Commitment Gadget Design

Goal

Make a commitment gadget library based on ark-plonk.

Initial Design

We still need those features:

• A two-to-one hash:

  • candidate 1: Poseidon Hash (Used as Leaf Hash, or arity-2/ arity-4 hash)
  • candidate 2: Reimforcement-Concrete

• Two commitment schemes

  1. take a single scalar as input, output a group element
  2. take a bitarray as input, output a scalar

• Commitment Scheme using API like this (native and constraints)

  trait Commitment{
  type Input;      //i.e. bitarray, a single scalar
  type Output;     //i.e. a single scalar, or a group element
  type CommitKey;
  type VerifyKey;
  type Proof;
  type Parameters;
  
  fn setup(...);
  fn commit<R: Rng>(parameters: &Parameters, ck: &CommitKey, input: &Input, rng: &mut R) -> Output;
  fn open(parameters: &Parameters,ck: &CommitKey, input: &Input, output: &Output) -> Proof;
  fn verify(parameters: &Parameters, vk: VerifyKey, input: &Input, output: &Output, proof: &Proof) -> bool;
  }

• Choice Merkle Tree Leaf Hash that matches the output of Manta's commitment

trait LeafHash{
    type Input; 
    type Output;

    fn setup(...);
    fn evaluate(input: &Input) -> Output;
}

Questions:

• Can we design the trait that fits both native and constraints?

[bhgomes]

We don't need partial commitments yet, so we should restrict ourselves to commit only, and remove the Rng requirement, replacing it with an associated type.

trait CommitmentScheme {
    type Parameters;
    type Input: ?Sized;
    type Randomness: ?Sized;
    type Output;

    fn commit(
        parameters: &Self::Parameters,
        input: &Self::Input,
        randomness: &Self::Randomness
    ) -> Self::Output;
}

[mathcrypto]

I would say candidate 2 Reinforcement-Concrete is a good choice since it was designed to support Plookup based on KZG commitments but it's also a fairly new design and there isn't cryptanalysis research done to verify if it's secure.

[LukePearson1]

@stechu I would have liked for this issue and others concerning gadgets, in be a new repo; a gadgets repo. I would like this issue to be discussed in its own thread.

[EDGDrummond]

The authors of reinforced concrete claim that its design uses more analysed and battle-tested design principles than was previously possible in zk hash functions. So there is that in favour of it, but as @mathcrypto said, its overall design has still had very limited cryptanalysis.