Poseidon hash #114
Poseidon hash #114
Conversation
GhostOfGauss
added
T-feature
GhostOfGauss
requested review from
bhgomes,
davidnevadoc,
tsunrise and
LukePearson1
|
Is this PR ready for review @GhostOfGauss? If so, please convert from draft. |
|
No, not ready yet |
plonk-hashing/src/lib.rs
Outdated
| #[macro_use] | ||
| pub extern crate ark_std; |
There was a problem hiding this comment.
We should not depend on ark_std and use the core and alloc libraries instead.
There was a problem hiding this comment.
The ark_ff::vec should be removed in favor of alloc::vec. It's just a re-export.
| } | ||
| } | ||
|
|
||
| trait HashFunction<const WIDTH: usize, COM = ()> { |
There was a problem hiding this comment.
This should be arity, not width since the notion of "width" is a poseidon-only thing.
There was a problem hiding this comment.
Agreed, but see comment below regarding const generic expressions
| // The input ought to have size ARITY, but const generic expressions aren't | ||
| // allowed yet | ||
| fn hash(&self, input: &[Self::Input], compiler: &mut COM) -> Self::Output; |
There was a problem hiding this comment.
We can use const-generics. See this example: https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=cc008c861ad5c5455d1ca26622284a4b.
There was a problem hiding this comment.
But can we use const-generic expressions? The issue I was referring to is that as you said above, HashFunction trait should have the generic ARITY but within PoseidonSpec we need to arrays whose size is ARITY + 1. That produces "error: generic parameters may not be used in const operations" with the suggestion to "use #![feature(generic_const_exprs)] to allow generic const expressions"
There was a problem hiding this comment.
The notion of width is internal to Poseidon, so the way it's represented in memory is an implementation detail, not something that is exposed to the interface. Using arrays would be nice but since the feature is unstable, the other options are to use a Vec for the state vector (of length ARITY + 1) or to separate the state into two parts like this:
type State = (F, [F; ARITY]);In either case, the input to the hash function is of the form [F; ARITY], the rest of the state is not part of the interface.
NB: In my implementation in manta-rs I use Vec for simplicity but for the production circuit I'm going to try and use State as above.
There was a problem hiding this comment.
Just a side note, this poseidon implementation use WIDTH (ARITY + 1) instead of ARITY. We can change it to ARITY once generic_const_exprs is stable.
@bhgomes I guess we have to use slice instead of const generics? because
- as @GhostOfGauss said, cannot evaluate
WIDTH - 1at compile time - compiler will probably optimize the overhead out?
There was a problem hiding this comment.
@tsunrise To make it equivalent to the array case in terms of efficiency, we only need to keep all the data on the stack, so we can use something like (F, [F; ARITY]) as the state vector. This also preserves the input memory format since the state enters the algorithm in these two parts anyway, so copy elision will remove some overhead here that you would have if you had to copy everything into a [F; ARITY + 1] which is more nontrivial to optimize. Maybe the Rust optimizer is very good but I wouldn't rely on optimizations that are not explicitly based on the language semantics like ownership and moving.
| type NepArity = generic_array::typenum::U2; | ||
|
|
||
| let (nep_consts, ark_consts) = | ||
| collect_neptune_constants::<NepArity>(Strength::Standard); |
There was a problem hiding this comment.
collect_neptune_constants is missing, as well as neptune dev_dependencies? Nice to have these tests.
There was a problem hiding this comment.
This code is from plonk_prototype repo and we temporarily used neptune library as a reference to check the correctness of our code.
Anyway, we should not even import neptune library here. We need to hardcoded tests.
There was a problem hiding this comment.
You mean hardcoded test vectors. Sounds good.
There was a problem hiding this comment.
Those hardcoded test vectors are now here: https://github.com/Manta-Network/Plonk-Prototype/blob/d2e25aae7ad4526791f4543cebf1e4df5fbf14ac/src/poseidon/poseidon_ref.rs#L380-L415. Those test vectors come from my modified variants of the original sage script. @GhostOfGauss You can add this test here remove any dependency on Neptune
| }); | ||
| let plonk_hash = poseidon_circuit.output_hash(&mut c); | ||
|
|
||
| c.check_circuit_satisfied(); |
There was a problem hiding this comment.
check_circuit_satisfied requires #[cfg(feature = "trace")]
| constants: PoseidonConstants<S::ParameterField>, | ||
| ) -> Self { | ||
| let mut elements = S::zeros(c); | ||
| elements[0] = S::alloc(c, constants.domain_tag); |
There was a problem hiding this comment.
This loads constants.domain_tag into a witness variable using c.add_input, but how do we constrain the witness to correspond to the actual constants?
There was a problem hiding this comment.
Good point... a naive way is that for the input phase we can just use an zero_var for element[0] and keep track of domain tag, and then we can handle this in the first round of add_round_constants and s-box.
LukePearson1
requested review from
lopeetall
and removed request for
lopeetall
| @@ -0,0 +1,473 @@ | |||
| //! Library independent specification for field trait. | |||
There was a problem hiding this comment.
I don't think this file is needed here
| // The input ought to have size ARITY, but const generic expressions aren't | ||
| // allowed yet | ||
| fn hash(&self, input: &[Self::Input], compiler: &mut COM) -> Self::Output; |
There was a problem hiding this comment.
Just a side note, this poseidon implementation use WIDTH (ARITY + 1) instead of ARITY. We can change it to ARITY once generic_const_exprs is stable.
@bhgomes I guess we have to use slice instead of const generics? because
- as @GhostOfGauss said, cannot evaluate
WIDTH - 1at compile time - compiler will probably optimize the overhead out?
| constants: PoseidonConstants<S::ParameterField>, | ||
| ) -> Self { | ||
| let mut elements = S::zeros(c); | ||
| elements[0] = S::alloc(c, constants.domain_tag); |
There was a problem hiding this comment.
Good point... a naive way is that for the input phase we can just use an zero_var for element[0] and keep track of domain tag, and then we can handle this in the first round of add_round_constants and s-box.
| ) | ||
| } | ||
|
|
||
| #[test] |
There was a problem hiding this comment.
we do not need to test on r1cs.
(Indeed, we should remove everything related r1cs here. It's not relevant. )
| conversion::cast_field, | ||
| neptune_hyper_parameter::collect_neptune_constants, | ||
| }; | ||
| use neptune::{ |
There was a problem hiding this comment.
We should use some hardcoded test instead of relying on neptune library.
| type NepArity = generic_array::typenum::U2; | ||
|
|
||
| let (nep_consts, ark_consts) = | ||
| collect_neptune_constants::<NepArity>(Strength::Standard); |
There was a problem hiding this comment.
This code is from plonk_prototype repo and we temporarily used neptune library as a reference to check the correctness of our code.
Anyway, we should not even import neptune library here. We need to hardcoded tests.
| match field { | ||
| 1 => { | ||
| for _ in 0..num_constants { | ||
| while { |
There was a problem hiding this comment.
use F::from_le_bytes_mod_order instead of while loop here. See https://github.com/arkworks-rs/sponge/blob/51d6fc9aac1fa69f44a04839202b5de828584ed8/src/poseidon/grain_lfsr.rs#L135
|
@GhostOfGauss The round constant generation code in Manta's plonk prototype repo was incorrect, and I fixed that so it now passes the hardcoded tests. When you have some time can you sync those changes here? |
| impl<F: PrimeField> PoseidonConstants<F> { | ||
| /// Generate all constants needed for poseidon hash of specified | ||
| /// width. Note that WIDTH = ARITY + 1 | ||
| pub fn generate<const WIDTH: usize>() -> Self { |
There was a problem hiding this comment.
Would it make sense to declare WIDTH as a constant to the structure rather than the function? This way we ensure that the poseidon trait and the constants used are initialised for the same width.
| if !last_round { | ||
| let needed = *const_offset + to_take; | ||
| assert!( | ||
| needed <= constants.compressed_round_constants.len(), |
There was a problem hiding this comment.
This overflow could happen in any round, not only the last, right? Might be missing some check performed on the number of constants though. But maybe bounding the constants with the Width (as suggested in a different comment) might help in avoiding these type of overflows.
| /// A `SparseMatrix` is specifically one of the form of M''. | ||
| /// This means its first row and column are each dense, and the interior matrix | ||
| /// (minor to the element in both the row and column) is the identity. | ||
| /// We will pluralize this compact structure `sparse_matrixes` to distinguish |
There was a problem hiding this comment.
Naming could be confusing. What about sparse_factorized instead of sparse_matrixes?
| // | ||
| // // First row is dense. | ||
| let tmp = Self::muli(c, &state[0], &matrix.v_rest[j - 1]); | ||
| *val = Self::add(c, val, &tmp); |
There was a problem hiding this comment.
might be missing important points of how constraints are built, but would it be possible to merge both additions into one? First one is after all an addition of zero
*val = Self::add(c, state[j], &tmp);
There was a problem hiding this comment.
Yes, you are right. I've updated the code in the prototype repo here. I believe those changes will soon be synced to this PR.
| /// `w_hat` is the first column of the M'' matrix. It will be directly | ||
| /// multiplied (scalar product) with a row of state elements. | ||
| pub w_hat: Vec<F>, | ||
| /// `v_rest` contains all but the first (already included in `w_hat`). |
There was a problem hiding this comment.
| /// `v_rest` contains all but the first (already included in `w_hat`). | |
| /// `v_rest` contains the first row except for the first value (already included in `w_hat`). |
| pub m_hat: Matrix<F>, | ||
| pub m_hat_inv: Matrix<F>, | ||
| pub m_prime: Matrix<F>, | ||
| pub m_double_prime: Matrix<F>, |
There was a problem hiding this comment.
can't this one be defined as sparse?
| fn output_hash( | ||
| c: &mut COM, | ||
| elements: &[Self::Field; WIDTH], | ||
| constants: &PoseidonConstants<Self::ParameterField>, |
There was a problem hiding this comment.
Could we consider adding an index for the output element here? Or maybe some understanding on why the 2nd element is selected and not the 1st (0-indexed element).
This PR adds our first hash function--the optimized Poseidon hash, complete with parameter generation written in Rust. Credit goes to @tsunrise and @BoyuanFeng for writing this. The contents of this PR is adapted from their implementation here. (See also this spec) The biggest change is the addition of a
HashFunctiontrait and making hashing stateless.Some work remains, but I'm opening this draft to start collecting feedback. What remains is documentation and testing.
Feedback is needed on the overall interface with hash functions. The
HashFunctiontrait is a starting point for discussion. This topic was opened in Issue #109 and discussion should continue there.This will close #104