privacy-scaling-explorations / zk-kit.rust

A monorepo of reusable crates for zero-knowledge technologies.
https://privacy-scaling-explorations.github.io/zk-kit.rust/
MIT License

Create a crate for EdDSA Poseidon (BabyJubjub curve) #9

Open cedoor opened 3 months ago

cedoor commented 3 months ago

Describe the package you'd like

ZK-Kit already provides a package to generate EdDSA keys that uses Poseidon hashes and is based on the BabyJubjub elliptic curve. The Rust crate should be compatible with the JS version.

Possible dependencies:

It is worth checking whether an implementation in Rust already exists.

cedoor commented 3 months ago

Hey @arnaucube, may I know if you're still maintaining babyjubjub-rs and poseidon-rs?

Might you be interested in including them in the ZK-Kit package set? You would remain the author ofc.

For context. ZK-Kit is a collective effort of PSE devs that aims to provide a set of reusable libraries in a context where standards on code quality, documentation, test coverage, and audits are guaranteed.

arnaucube commented 3 months ago

Hi, sure, they are both compatible with circomlib's version (also with circomlibjs's version). And if useful, there also exist compatible implementations of both Poseidon & BabyJubJub's EdDSA in Go in the https://github.com/iden3/go-iden3-crypto repo.

If useful, there is also another merkletree implementation in Go that is compatible with circomlib's sparsemerkletree version, with the main feature (apart from full compatibility) that it parallelizes by CPUs so it goes faster than the js one (eg. 2m09s vs 0.436s adding 10k leaves): https://github.com/vocdoni/arbo .

Regarding being maintained, the mentioned repos are not actively being developed since they reached the desired features, but if there are future fixes to potential bugs they will be taken care of.

kilic commented 3 months ago

Another way might be just using arkworks backend as in here https://github.com/kilic/arkeddsa/ both for poseidon and jubjub

cedoor commented 3 months ago

@kilic interesting. Is Poseidon compatible with the Iden3 version?

kilic commented 3 months ago

> @kilic interesting. Is Poseidon compatible with the Iden3 version?

Not as it is in kilic/arkeddsa but so close

1. We should give the matching config params
2. Circom takes the 0th element of the state as output and arkworks skips the 0th element. However, in arkworks the sponge state is public, so the 0th element is accessible and then it becomes circom compatible, as it is done here

arnaucube commented 3 months ago

oh right! Agree with @kilic ^^, if you can do it with arkworks it would be much better than depending on the initially mentioned libs: fewer dependencies to maintain, and more compatible with other projects (in the arkworks ecosystem).

cedoor commented 2 months ago

Thank you guys 🙏🏽 I'll leave this issue open for anyone who wants to implement it and follow your suggestions.

1010adigupta commented 2 months ago

@cedoor I would like to take this up

cedoor commented 2 months ago

@1010adigupta Sure, I'll assign this issue to you then :)

sripwoud commented 1 month ago

@1010adigupta Are you still working on this? (If not we may assign it to someone else)

1010adigupta commented 1 month ago

> @1010adigupta Are you still working on this? (If not we may assign it to someone else)

yes, you may assign it to someone else, got busy with some other stuff

ozgurarmanc commented 1 month ago

@cedoor @sripwoud Can I get this issue?

cedoor commented 1 month ago

Hey @ozgurarmanc, ofc 👍🏽

Some-of-the-things commented 3 weeks ago

I can take a crack at picking this one up if you'd like...

cedoor commented 2 weeks ago

@Some-of-the-things ofc, I'll assign it to you 👍🏽

alv-around commented 2 weeks ago

I had a look at it last week, and here are my two cents:

> @kilic interesting. Is Poseidon compatible with the Iden3 version?
>
> Not as it is in kilic/arkeddsa but so close
>
> 1. We should give the matching config params
> 2. Circom takes the 0th element of the state as output and arkworks skips the 0th element. However, in arkworks the [sponge state](https://github.com/arkworks-rs/crypto-primitives/blob/6b195553444650fb37663ee1919c9fd885f5dbd9/crypto-primitives/src/sponge/poseidon/mod.rs#L54) is public, so the 0th element is accessible and then it becomes circom compatible, as it is done [here](https://github.com/privacy-scaling-explorations/sonobe/blob/edadcdd520b8cf657cfa5c679dd09c6579759b0c/folding-schemes/src/transcript/poseidon.rs#L136)

Actually, the main compatibility problem with kilic/arkeddsa is not the Poseidon hash, but rather the Blake digest circom uses for the signatures. blake-hash, which is also used in babyjubjub-rs, depends on digest v0.9 while arkeddsa expects v0.10. The traits change quite a bit between these two versions.

I went on and tried to update the blake-hash dependencies here, but I did not manage to test this yet. Using babyjubjub-rs for the time being could be an easy win.