
feat: use truncated sha256 hashes in protocol circuits (wip) #3839

Conversation

dan-aztec
Contributor

@dan-aztec dan-aztec commented Jan 4, 2024

Confirmed by cryptography research that this is OK to do!

Reduces the hash values to a single Field (previously used two 254-bit Field elements, as U128s, to maintain the full 256-bit value).

Applies to:
- Encrypted Logs Hash
- Unencrypted Logs Hash
- L1 to L2 Messages Hash
- CallDataHash

In Noir, this uses hash::sha256_truncate_to_field, which was added to TypeScript as Sha256TruncateToField. This is in contrast to doing division by the field modulus to reduce to a single field value, which Fr.FromBufferReduce does.

This reduces our security from 128 bits to 126 bits, which should still be enough.

This also requires changes on Decoder.sol to mirror the logic: switch the nested sha256 of logs to use sha256ToField; however, this does the prime-modulus reduction instead of the "2 128-bit numbers" approach of Noir/TS.

@dan-aztec dan-aztec linked an issue Jan 4, 2024 that may be closed by this pull request
@dan-aztec dan-aztec changed the title feat: truncate hashes to field in protocol circuits feat: truncate hashes to field in protocol circuits (wip) Jan 4, 2024
Contributor

github-actions bot commented Jan 4, 2024

Changes to circuit sizes

Generated at commit: 102b9a53455c86f1bfbb5fbc920acac6cb095b94, compared to commit: a935ca3abb55b126a4eb8d2fe58d6929e6102221

🧾 Summary (100% most significant diffs)

| Program | ACIR opcodes (+/-) | % | Circuit size (+/-) | % |
|---|---|---|---|---|
| private_kernel_ordering | -2 ✅ | -0.00% | -4 ✅ | -0.00% |
| rollup_base | -208 ✅ | -0.07% | -2,788 ✅ | -0.17% |
| private_kernel_init_simulated | -2 ✅ | -0.24% | -4 ✅ | -0.24% |
| private_kernel_inner_simulated | -2 ✅ | -0.24% | -4 ✅ | -0.24% |
| public_kernel_private_previous_simulated | -2 ✅ | -0.24% | -4 ✅ | -0.24% |
| public_kernel_public_previous_simulated | -2 ✅ | -0.24% | -4 ✅ | -0.24% |
| private_kernel_ordering_simulated | -2 ✅ | -0.41% | -4 ✅ | -0.41% |
| private_kernel_inner | -292 ✅ | -0.19% | -4,365 ✅ | -0.58% |
| public_kernel_private_previous | -149 ✅ | -0.18% | -2,632 ✅ | -0.63% |
| public_kernel_public_previous | -149 ✅ | -0.18% | -2,632 ✅ | -0.63% |
| private_kernel_init | -292 ✅ | -0.61% | -3,746 ✅ | -0.98% |
| rollup_base_simulated | 0 ➖ | 0.00% | -1 ✅ | -2.86% |
| rollup_root | -288 ✅ | -13.97% | -4,768 ✅ | -4.59% |
| rollup_merge | -144 ✅ | -34.78% | -4,432 ✅ | -9.76% |

Full diff report 👇
| Program | ACIR opcodes (+/-) | % | Circuit size (+/-) | % |
|---|---|---|---|---|
| private_kernel_ordering | 290,211 (-2) | -0.00% | 888,218 (-4) | -0.00% |
| rollup_base | 293,818 (-208) | -0.07% | 1,667,708 (-2,788) | -0.17% |
| private_kernel_init_simulated | 825 (-2) | -0.24% | 1,653 (-4) | -0.24% |
| private_kernel_inner_simulated | 825 (-2) | -0.24% | 1,653 (-4) | -0.24% |
| public_kernel_private_previous_simulated | 825 (-2) | -0.24% | 1,653 (-4) | -0.24% |
| public_kernel_public_previous_simulated | 825 (-2) | -0.24% | 1,653 (-4) | -0.24% |
| private_kernel_ordering_simulated | 489 (-2) | -0.41% | 981 (-4) | -0.41% |
| private_kernel_inner | 149,909 (-292) | -0.19% | 748,245 (-4,365) | -0.58% |
| public_kernel_private_previous | 80,727 (-149) | -0.18% | 413,885 (-2,632) | -0.63% |
| public_kernel_public_previous | 80,719 (-149) | -0.18% | 413,877 (-2,632) | -0.63% |
| private_kernel_init | 47,637 (-292) | -0.61% | 378,611 (-3,746) | -0.98% |
| rollup_base_simulated | 1 (0) | 0.00% | 34 (-1) | -2.86% |
| rollup_root | 1,774 (-288) | -13.97% | 99,124 (-4,768) | -4.59% |
| rollup_merge | 270 (-144) | -34.78% | 40,983 (-4,432) | -9.76% |

@dan-aztec dan-aztec changed the title feat: truncate hashes to field in protocol circuits (wip) feat: use modulus remainder of hashes protocol circuits (wip) Jan 5, 2024
@@ -326,8 +323,12 @@ describe('sequencer/solo_block_builder', () => {

processedTx.data.end.newL2ToL1Msgs = makeTuple(MAX_NEW_L2_TO_L1_MSGS_PER_TX, fr, seed + 0x300);
processedTx.data.end.newContracts = [makeNewContractData(seed + 0x1000)];
processedTx.data.end.encryptedLogsHash = to2Fields(L2Block.computeKernelLogsHash(processedTx.encryptedLogs));
processedTx.data.end.unencryptedLogsHash = to2Fields(L2Block.computeKernelLogsHash(processedTx.unencryptedLogs));
processedTx.data.end.encryptedLogsHash = Fr.fromBufferReduce(
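Review bot: the last visible line switches encryptedLogsHash to Fr.fromBufferReduce (modulus-remainder reduction), while the PR description says the TypeScript side was given Sha256TruncateToField and the circuits truncate; a truncated digest and a mod-r reduced digest of the same SHA-256 output differ in general, so this fixture should apply the same reduction the circuits and Decoder.sol apply or the hashes it builds will not equal what the circuits compute. The hunk is cut off after `fromBufferReduce(`, so the argument is not visible, and only the encryptedLogsHash replacement is shown although the unencryptedLogsHash line two lines above is also removed; confirm both fields get the identical treatment.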
Contributor Author


fromBufferReduce also does the modulus-remainder style reduction to the prime field.

dan-aztec and others added 12 commits January 5, 2024 17:25
@dan-aztec dan-aztec changed the title feat: use modulus remainder of hashes protocol circuits (wip) feat: use modulus remainder of hashes in protocol circuits (wip) Jan 6, 2024
dan-aztec and others added 6 commits January 6, 2024 01:13
@dan-aztec dan-aztec changed the title feat: use modulus remainder of hashes in protocol circuits (wip) feat: use truncated sha256 hashes in protocol circuits (wip) Jan 8, 2024
dan-aztec and others added 8 commits January 8, 2024 16:43
@ludamad ludamad closed this Aug 22, 2024
@ludamad ludamad deleted the dan/truncate-sha-256-instead-of-splitting-into-two-fr-fields branch August 22, 2024 15:19
Successfully merging this pull request may close these issues.

Truncate sha-256 instead of splitting output into two Fr fields