weijiekoh
commented
5 years ago I just discovered sha256compression.circom! I will try to use that instead of the naive concatenation method described above.
*edit: scratch that, that would defeat the purpose of getting better performance with Pedersen hashses. Back to the drawing board...
jbaylina
Hi Jordi,
Would you be interested in a pull request to add new circuits and JS code for the following features?
All the code is here: https://github.com/weijiekoh/snarschain
PedersenHashcircuitEncodePedersenPointcircuitEncodePedersenPointcircuitxandy(32-byte bigInts)x, but its most significant 8 bits are the 8 most significant bits ofy.JoinHashescircuitleftandrightleftconcatenated with the 128 LSBs ofrightPedersenHashDoublecircuitleftandright, a 32-byte bigInt eachout[2]: the x- and y-outputs of a Pedersen circuitEncodePedersenPointcircuitThese circuits achieve two goals:
Have an easy-to-use Pedersen hash circuit which outputs 32 bytes. Since the Pedersen hash function outputs a point on the BabyJub curve, which is symmetrical across the y-axis, the only relevant data is the x-value and the sign of the y-value. However, the
babyJub.packPoint()function will cause an integer overflow within circom, so the next best option is to return 32 bytes consisting of the most significant 8 bits of y and the least significant 248 bits of x.Have an easy-to-use Pedersen hash circuit which can be plugged in to a Merkle tree validator circuit. Since it needs to hash two 32-byte values, it takes 16 bytes from each input and then pipes them into the Pedersen single-input hash circuit described above.
I'm curious about what you think. If you like the idea, I'm happy to package what I've written as a PR to
circomliband submit that. I'm also keen to improveEncodePedersenPointandJoinHashesif they are incorrect or insecure.Thanks!