Add keccak transcript

[grandchildrice]

issue

#14

what i do

• Add Keccak Transcript using 2 libraries (tiny-keccak and SHA3)
  • impl minimal functions
  • impl fn get_challenge_nbits()
  • impl KeccakTranscriptVar
• Test it on Pedersen Circuit
• Measure the performance
• Decide which to use

comments

• I didn't impl fn get_challenge_nbits() and KeccakTranscriptVar because they are currently not called by anywhere. Please let me know if we should include this scope on this PR.
• After deciding which library to use, delete the rest and then we can merge it.

how to review

$ cargo test

[arnaucube]

Thanks for contribuiting ^^

I don't have much time now (currently OOO), but leaving some comments as a first high level pass.

Also, thanks a lot for providing the two versions (tiny_keccak & sha3 libs). I don't have strong opinions on which one to use and haven't checked what other projects are using (having Ethereum's EVM compatibility in mind), but probably @CPerezz & @han0110 have more thoughts on this.
Again, thanks for this PR!

[grandchildrice]

Hi @arnaucube Thanks for your feedbacks! I outdated all of your feedbacks right now.

[han0110]

Should we re-initialize the sponge here? I saw other impls just drops the inputs after absorbing them.

See:

• https://github.com/AztecProtocol/barretenberg/blob/9de42a37415f8a3f1bd7de3ec460b1b299dd15fa/sol/src/ultra/BaseUltraVerifier.sol
• https://github.com/matter-labs/solidity_plonk_verifier/blob/f6eea6bde11321d3104b20d100e9b6051102a2a2/bellman_vk_codegen/template.sol#L264

[grandchildrice]

@han0110 Thanks for pointing out!

You mean we don't need to call absorb() (or update()) after squeeze() here, right?

I just checked, and it seems that since finalize() on tiny-keccak/SHA3 does not update the original sponge, thus we no need to call absorb() afterwards as you mentioned.

I have pushed a fix and new tests which can make sure that. ✅ 0685d37

[han0110]

hmm not really, I mean we should re-initialize self.sponge after we've called finalize, otherwise next time we call get_challenge it's equal to hashing all the previous thing again, for evm verifier it seems inefficient.

so it would look like:

         let mut output = [0u8; 32];
-        self.sponge.clone().finalize(&mut output);
+        std::mem::replace(&mut self.sponge, Keccak::v256()).finalize(&mut output);
         self.sponge.update(&[output[0]]);

[arnaucube]

@CPerezz @han0110 what are your thoughts between going with tiny-keccak or sha3?

[CPerezz]

Also @arnaucube. I don't have any preferences. The only thing that I'd make sure we address is checking exactly what to use here. If Sha2_256 or Sha3_256 or Shake256.

Aside from that, some nits that require addressing.

[CPerezz]

Suggested change

	phantom: PhantomData<C>,
	_marker: PhantomData<C>,

This is how usually PhantomData is set inside of structs in rust.

[CPerezz]

Suggested change

	phantom: PhantomData,
	_marker: PhantomData,

[CPerezz]

If we're going to drop the config, why getting it as a parameter in first place?

[arnaucube]

This comes from the Transcript trait, which in cases like Poseidon needs the config. For Keccak is not used, but needed in the function signature to fit with the Transcript trait, so happy with the most rust-style approach.

What I see that is done in other similar arkworks cases is for example:

• in Poseidon's CRH evaluate method:
  https://github.com/arkworks-rs/crypto-primitives/tree/1e4f16cddba8d18f4eb219fa33ac25b2c852f198/src/crh/poseidon/mod.rs#L28
• in Sha256 CRH evaluate method:
  https://github.com/arkworks-rs/crypto-primitives/tree/1e4f16cddba8d18f4eb219fa33ac25b2c852f198/src/crh/sha256/mod.rs#L34

In our case for this Keccak256, we could do something like is done in the last link of sha256, something like:

Suggested change

	fn new(config: &Self::TranscriptConfig) -> Self {
	let _ = config;
	fn new(_config: &Self::TranscriptConfig) -> Self {

[CPerezz]

We need to make sure that the point is encoded as [bytes_x, bytes_y].flatten() format. If we're doing any size-optimizations like just storing one coordinate and the sign of the other, simulating the transcript inside of a SNARK (if we needed it at any point) wouldn't work.

[arnaucube]

Regarding simulating the transcript inside a SNARK, I currently think (=I might be wrong) that we will not need it for the Keccak transcript as mentioned in this comment, since the keccak transcript is intended to be used only in non-circuit cases (eg. in Nova's main transcript), but not in-circuit (eg. HyperNova's SumCheck transcript, where we would use for example Poseidon's Transcript to later reproduce it in-circuit) (more details in the original comment itself).

[CPerezz]

This should be addressed.

[CPerezz]

Suggested change

	phantom: PhantomData<C>,
	_marker: PhantomData<C>,

[CPerezz]

Suggested change

	phantom: PhantomData,
	_marker: PhantomData,

[CPerezz]

ditto as with keccak.

[CPerezz]

ditto as with keccak

[CPerezz]

Suggested change

	/// WARNING the method poseidon_test_config is for tests only
	/// WARNING the method `sha3_256_test_config` is for tests only

Use sha3 or whatever is decided at the end. But this is definitely not Poseidon.

[CPerezz]

Hey @0xvon how is this going? Can we help you with anything?