#fields #framework #derive #zk-snarks #interfacing #integer #fawkes-crypto

macro ff-uint_derive

Library for building and interfacing with fixed-sized integers and finite fields

10 releases

0.2.4 Mar 10, 2022
0.2.2 Jan 23, 2022
0.2.0 Nov 22, 2021
0.1.7 Jul 28, 2021
0.1.1 Sep 23, 2020

#8 in #integers

Download history 40/week @ 2024-07-29 34/week @ 2024-08-05 35/week @ 2024-08-12 23/week @ 2024-08-19 55/week @ 2024-08-26 16/week @ 2024-09-02 19/week @ 2024-09-09 11/week @ 2024-09-16 41/week @ 2024-09-23 11/week @ 2024-09-30 10/week @ 2024-10-07 20/week @ 2024-10-14 6/week @ 2024-10-21 45/week @ 2024-10-28 16/week @ 2024-11-04 2/week @ 2024-11-11

73 downloads per month
Used in 10 crates (via ff-uint)

MIT/Apache

34KB
764 lines

Fawkes-Crypto - zkSNARKs framework

Abstract

Fawkes-Crypto is a lightweight framework for building circuits in bellman, using groth16 proving system and BN254 curve.

The framework is targeted to use best practices for circuit building from circom and sapling-crypto.

Final fields and circuit math are wrapped and operators are implemented, so, in most cases if you want to type a+b, you can do it.

Example

Here is an example, how Merkle tree implementation is working. Also you may check the rollup here.

#[derive(Clone, Signal)]
#[Value="MerkleProof<CS::F, L>"]
pub struct CMerkleProof<'a, CS: ConstraintSystem, const L: usize> {
    pub sibling: SizedVec<CNum<'a, CS>, L>,
    pub path: SizedVec<CBool<'a, CS>, L>
}


pub fn c_poseidon_merkle_proof_root<'a, CS: ConstraintSystem, const L: usize>(
    leaf:  &CNum<'a, CS>, 
    proof: &CMerkleProof<'a, CS, L>,
    params: &PoseidonParams<CS::F>
) -> CNum<'a, CS> {
    let mut root = leaf.clone();
    for (p, s) in proof.path.iter().zip(proof.sibling.iter()) {
        let first = s.switch(p, &root); 
        let second = &root + s - &first;
        root = c_poseidon( [first, second].as_ref(), params);
    }
    root
}

Signal is a sparse linear combination of inputs, based on ordered linked list, so we perform arithmetics with Signal with U(N) complexity. With Signal bellman will allocate additional inputs only when you really need it (for example, in the case when you multiply two nonconstant Signal). If you perform multiplication with constant or zero Signal, no additional inputs will be allocated.

Benchmarks

Circuit Constraints Per bit
poseidon hash (4, 8, 54) 255 0.33
jubjub oncurve+subgroup check 19
ecmul_const 254 bits 513 2.02
ecmul 254 bits 2296 9.04
poseidon merkle proof 32 7328
poseidon eddsa 3860
rollup 1024 txs, 2^32 set 35695616

At i9-9900K rollup is proved for 628 seconds.

Source code of the rollup is available at https://github.com/snjax/fawkes-rollup.

Circuit improvements

  • We are using indeterministic subgroup checks, performing most part of computations as witness-only and perform cofactor multiplication at the circuit.
  • ecmul and ecmul_cost operations are working assuming that the base point is in the subgroup. This allows us to use Montgomery (0, 0) point as adder initial state. Then the adder never reaches zero point and subgroup point, because (0, 0) is not in subgroup and we can use cheap montgomery_add circuit safely.
  • improved compconstant circuit. The same PR into circomlib available here

See more as ethresear.ch here.

Authors

Igor Gulamov

Disclaimer

Fawkes-Crypto is audited, but experimental and provided as is, use at your own risk.

License

Fawkes-Crypto is available under Apache License 2.0 license or MIT as your choice.

Dependencies

~2.5MB
~57K SLoC