    Alex Gluchowski
    @gluk64
    I tested a parallelized version on a powerful AWS instance, managed to get 40,000 hashes per second
    what project are you working on?
    oh, I'm sorry again
    Drew Stone
    @drewstone
    huh
    and Edgeware
    Alex Gluchowski
    @gluk64
    it's not 1000 hashes, it was 1000 Merkle tree updates
    24 hashes per update
    you get an idea
    Drew Stone
    @drewstone
    lol yep
    Alex Gluchowski
    @gluk64
    what is Edgeware?
    Drew Stone
    @drewstone
    But specifically, I'm trying to implement this circuit in a substrate runtime
    to do anonymous voting initially
    If it seems worthwhile, then it would be good to add sapling_crypto types into the codec that substrate uses, but still doing the exploration phase
    Alex Gluchowski
    @gluk64
    this is cool!
    thanks!
    do you know of any implementations of signatures of knowledge using similar tools?
    Alex Gluchowski
    @gluk64
    have you seen the work of @barryWhitehat?
    Drew Stone
    @drewstone
    Yea, most of the ideas are derived from miximus
    Drew Stone
    @drewstone
    I probably should have realised but in its current state bellman can't be integrated into substrate due to std dependence. Does it sound correct that adding no_std support would start at ff?
    Alexander
    @shamatar
    Do you need just the verification in a substrate?
    Drew Stone
    @drewstone
    And baby_pedersen_hashing for building merkle trees.
    Drew Stone
    @drewstone
    I could potentially suffice with just verification by switching over to blake2 in the circuit, since that is supported in the runtime
    Drew Stone
    @drewstone
    With SONIC as your proof system, is it correct to think you can use the same CRS for circuits of growing depth, since I can update it on the fly?
    For example, in bellman with groth16/Jubjub256 to generate the parameters I have to pass in a mock circuit that has the same depth as what a real instance has. I'm curious if in the SONIC case, I can use a CRS over a depth 1 merkle tree for merkle trees of arbitrary depth if I'm building them on the fly
    Alexander
    @shamatar
    Hm, never tried to mock Groth16 this way, because your final proving key depends on the R1CS -> QAP. SONIC allows a universal CRS for circuits up to some size. Unfortunately an old CRS cannot be extended; the only option is to generate a fresh one
    Osuke
    @osuketh
    Hi all. I'm working on zkp stuff for substrate. I use the bellman for SNARKs and you can send confidential payment on Substrate here.
    https://github.com/LayerXcom/zero-chain
    The code might be helpful for @drewstone
    Drew Stone
    @drewstone
    nice!
    Osuke
    @osuketh
    Hey. Is the Sonic implementation available now? I intend to use Sonic in the Edcon hackathon.
    Drew Stone
    @drewstone
    This may be a silly question, but if I'm writing a snark that operates on [u8; 32] and verifies blake2s hashes, how do I separate which inputs are public and private? I can't find the API that is similar to inputize or alloc for other types.
    Drew Stone
    @drewstone
    Similarly is there a way to coerce [u8; 32] into field points of BN256? I suppose I can cast as strings and so on and so forth.
    Alexander
    @shamatar
    You can try to start from https://github.com/matter-labs/pairing/blob/d2c8b93fe96073344d45a6fe6d3bc6998712cb6c/src/tests/curve.rs#L444 as an example, and compressed/uncompressed points should implement std::io::Read and Write
    Hash functions are defined over the Boolean type, so first you somehow feed those Booleans into the circuit, and then calculate a hash. If you want to supply the preimage to the circuit you can use the multipack module https://github.com/matter-labs/sapling-crypto/blob/master/src/circuit/multipack.rs or manually assemble it from field elements
    Johann Eid
    @JohannEid
    Hey guys. I had some questions about the architecture you guys are building. Currently, if I understand correctly, you plan to have a plasma chain on which users can transact, then use ZK to generate a proof of validity for the generated block of transactions. However, how do you plan to implement privacy in your system? Do you have any idea how you could successfully implement privacy while still allowing for exits on the plasma chain?
    Alexander
    @shamatar
    Hello Johann. We would like to implement privacy, but at the moment it's not feasible due to limitations in the number of constraints on the BN256 curve and the lack of curves that support recursion. Also, without a lot of research, true privacy would most likely force us to use the UTXO model instead of accounts, and we don't like this UX tradeoff
    Johann Eid
    @JohannEid
    Thanks a lot for the answer Alexander, duly noted.
    Johann Eid
    @JohannEid
    Could the storage problems posed by a UTXO model be solved by using something like an IPFS storage solution?
    Alexander
    @shamatar
    My expectation is that storage of the UTXO set will be a smaller burden than proving costs for validators. But as you have pointed out, "storage" is a problem that should be tackled. Take for example the current situation with Ethereum state inflation and proposals for storage rent. Over time, models should evolve to users having responsibility over their share of state/UTXO set/general data
    Drew Stone
    @drewstone
    Apologies if this isn't the right place to ask debug questions. I'm using blake2s from circuit/blake2 as
    let mut hash = blake2s(cs.namespace(|| "blake hash 0"), &preimage, SUBSTRATE_BLAKE2_PERSONALIZATION).unwrap();
    and am getting no result (all none types in the Vec<Boolean>).
    It seems that blake2s begins to parse the input correctly, but fails somewhere in the execution. For clarity, preimage is a 512 sized Vec<Boolean> that is well-formed from the looks of it. Any ideas?
    Alexander
    @shamatar
    Values are not evaluated unless you use TestConstraintSystem (kind of lazy evaluation); it's normal behavior
    The reason for it is that values are not used for constraints and proving key generation, and you cannot use any value for it by mistake
    Drew Stone
    @drewstone
    How might one pass in a personalization vector to match the blake2 RFC 7693, which doesn't use one?
    I would like to get the blake2s circuit to match a blake2b on 32 byte outputs
    Ah, potentially it's just to pass in this:
              IV[i] = floor(2**w * frac(sqrt(prime(i+1)))), where prime(i)
              is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 )
              and sqrt(x) is the square root of x.
    Drew Stone
    @drewstone
    Can anyone confirm whether blake2s is equal to blake2b, though? I'm seeing there may be extra permutation rounds.