EVM Friendly Transcript #328

Closed
sragss opened this issue Apr 25, 2024 · 8 comments

Comments

@sragss
Collaborator

sragss commented Apr 25, 2024

One of the quickest routes to on-chain verification is to switch the commitment scheme to Zeromorph then verify those proofs directly on-chain. Currently our Fiat-Shamir transcript uses the Merlin library which depends on the Strobe RNG. We'll want to swap this to Keccak to support cheaper EVM verification using the Keccak precompiles.

The Honk on-chain verifier has an example of the transcript written in solidity.

Steps:

  1. Make the transcript generic over the hash function
  2. Support keccak and poseidon2
  3. Reduce count and size of domain separators (in Merlin these are referred to as 'labels')
  4. Integration test for parity with EVM version
@MatteoMer
Contributor

I'd be happy to work on that!

To make sure I understand correctly, the idea is to completely remove Merlin and write Jolt's own implementation of the transcript?

Also, I'm not sure I understand exactly the 3rd step, do you mean reducing the number of append_message calls in the code?

I think I'll just work to be 1/1 with the EVM version 😄

@Maddiaa0

Maddiaa0 commented Apr 30, 2024

Looking into Merlin it appears that it is already using keccak as its hash function? (based on https://github.com/dalek-cryptography/merlin/blob/53535f32e6d6de421372d67f56176af0c0f55fd7/src/strobe.rs#L97)

@sragss
Collaborator Author

sragss commented Apr 30, 2024

That would be great @MatteoMer!

Good point @Maddiaa0 – new step 1 would be to determine if RustCrypto/sponges keccak::f1600(...) (used by Merlin) is the same as the EVM's Keccak256 and determine the additional augmentations done by Merlin.

We'd like to append the same values to transcript in Rust and EVM and then sample the same bytes of randomness.

If we can do this and keep Merlin, great. If not, let's write our own.
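As an added illustration for the steps listed in the issue body and for the f1600-versus-Keccak256 question in the comment above (this is not Jolt's code and not Merlin's), a self-contained Rust sketch. Keccak-f[1600] is the bare 1600-bit permutation that Merlin's STROBE drives; the EVM's keccak256 is the sponge built on that permutation with a 1088-bit rate and the original Keccak padding (0x01 domain byte, 0x80 terminator; SHA3-256 differs only in using 0x06), so the two are not interchangeable. The transcript below makes every state update a single keccak256 over a byte-exact preimage, which a Solidity verifier can replay as keccak256(abi.encodePacked(state, label, bytes)). The transcript layout, the fixed 8-byte labels and the 4-byte big-endian round counter are assumptions made for this example.

```rust
// Added example, not Jolt's or Merlin's code. Layout, labels and counter width are assumptions.
const RHO: [u32; 24] = [1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14,
                        27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44];
const PI: [usize; 24] = [10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,
                         15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1];
const RC: [u64; 24] = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000,
    0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008a, 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
    0x000000008000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800a, 0x800000008000000a,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
];

/// Keccak-f[1600]: the bare permutation (what Merlin's STROBE calls directly).
pub fn keccak_f1600(a: &mut [u64; 25]) {
    for &rc in RC.iter() {
        let mut c = [0u64; 5]; // theta
        for x in 0..5 { c[x] = a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20]; }
        for x in 0..5 {
            let d = c[(x + 4) % 5] ^ c[(x + 1) % 5].rotate_left(1);
            for y in 0..5 { a[x + 5 * y] ^= d; }
        }
        let mut last = a[1]; // rho + pi
        for i in 0..24 {
            let t = a[PI[i]];
            a[PI[i]] = last.rotate_left(RHO[i]);
            last = t;
        }
        for y in 0..5 { // chi
            let row = [a[5 * y], a[5 * y + 1], a[5 * y + 2], a[5 * y + 3], a[5 * y + 4]];
            for x in 0..5 { a[5 * y + x] = row[x] ^ (!row[(x + 1) % 5] & row[(x + 2) % 5]); }
        }
        a[0] ^= rc; // iota
    }
}

const RATE: usize = 136; // (1600 - 2*256) / 8 bytes of rate for a 256-bit digest

fn absorb(st: &mut [u64; 25], block: &[u8]) {
    for i in 0..RATE / 8 {
        let mut lane = [0u8; 8];
        lane.copy_from_slice(&block[8 * i..8 * i + 8]);
        st[i] ^= u64::from_le_bytes(lane); // lanes are little-endian u64s
    }
    keccak_f1600(st);
}

/// EVM keccak256: sponge over f1600, rate 1088, original Keccak pad10*1
/// (0x01 ... 0x80). NIST SHA3-256 uses 0x06 instead of 0x01 and so differs.
pub fn keccak256(data: &[u8]) -> [u8; 32] {
    let mut st = [0u64; 25];
    let mut chunks = data.chunks_exact(RATE);
    for block in &mut chunks { absorb(&mut st, block); }
    let rem = chunks.remainder();
    let mut last = [0u8; RATE];
    last[..rem.len()].copy_from_slice(rem);
    last[rem.len()] ^= 0x01;
    last[RATE - 1] ^= 0x80;
    absorb(&mut st, &last);
    let mut out = [0u8; 32];
    for (i, lane) in st[..4].iter().enumerate() { out[8 * i..8 * i + 8].copy_from_slice(&lane.to_le_bytes()); }
    out
}

/// Transcript whose state is always one 32-byte digest. Each update is
/// state' = keccak256(state || label || bytes); with a fixed-width label the
/// Solidity side can rebuild the identical preimage with abi.encodePacked.
pub struct KeccakTranscript { state: [u8; 32], n_rounds: u32 }

impl KeccakTranscript {
    pub fn new(domain: &[u8]) -> Self { Self { state: keccak256(domain), n_rounds: 0 } }
    pub fn append(&mut self, label: [u8; 8], bytes: &[u8]) {
        let mut pre = Vec::with_capacity(40 + bytes.len());
        pre.extend_from_slice(&self.state);
        pre.extend_from_slice(&label);
        pre.extend_from_slice(bytes);
        self.state = keccak256(&pre);
    }
    /// Squeeze 32 challenge bytes. The round counter (4 big-endian bytes, as a
    /// uint32 packs on the EVM) keeps successive challenges distinct.
    pub fn challenge(&mut self) -> [u8; 32] {
        let mut pre = Vec::with_capacity(36);
        pre.extend_from_slice(&self.state);
        pre.extend_from_slice(&self.n_rounds.to_be_bytes());
        self.n_rounds += 1;
        self.state = keccak256(&pre);
        self.state
    }
}

pub fn hex(b: &[u8]) -> String { b.iter().map(|x| format!("{:02x}", x)).collect() }

fn main() {
    let mut t = KeccakTranscript::new(b"jolt-demo"); // constructed sample input
    t.append(*b"commit  ", &[0x11; 32]);
    println!("challenge = 0x{}", hex(&t.challenge()));
}
```

The challenge is returned as raw 32 bytes; reducing it into the scalar field is a separate choice, and the Rust and Solidity sides must agree on that reduction as well, not only on the preimage bytes.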

@MatteoMer
Contributor

Haven't taken the time to dive in and determine whether both keccak implementations are the same yet (will do soon)

But came across this recently: https://github.com/arkworks-rs/nimue (a hash-agnostic Fiat-Shamir library), and while I don't think it's ready for use yet, I think it's interesting to put it here, since in the original ticket you were talking about being generic

@PatStiles
Contributor

@moodlezoup Interested in taking this on!

@aleph-v
Collaborator

aleph-v commented Jun 25, 2024

I just added changes relevant to this in #402 and will be following up with the onchain transcript with integration tests.

@PatStiles
Contributor

Hey @aleph-v Is your plan to finish the on chain verifier?

@aleph-v
Collaborator

aleph-v commented Jul 29, 2024

Hi @PatStiles, with respect to this issue, it should be closed when #419 is merged. Some key components remain in the on-chain verifier which I may not be able to finish, and I will create issues for those.
