zkevm-circuits

sha256 circuit

Open Brechtpd opened this issue 3 years ago • 6 comments

Adds a sha256 circuit with the same lookup interface as the keccak circuit.

  • Requires 72 rows/sha256 permutation (64 bytes absorbed per permutation)
  • Uses ~130 columns
  • Would be a bit faster when making the circuit x4 wider (and then of course also using x4 fewer rows)
  • Current expression degree is 4, should be possible to lower this to 3 after the no-zk halo2 is usable
  • Is around 4x faster than keccak for same length inputs (keccak absorbs ~2x the amount of data per permutation so sha256 needs ~2x the number of permutations to process a similar amount of data)

Brechtpd, Sep 09 '22 03:09
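The row cost implied by the figures in the issue above, worked out per input length as an added example (not code from the issue or from the zkevm-circuits repository). The function names are hypothetical, the padding rules and the 136-byte Keccak-256 rate come from the hash specifications, and the model ignores any rows the proving system reserves.

```rust
// Added example: row budgeting from the figures quoted in the issue.
// From the issue: 72 rows per sha256 permutation, 64 bytes absorbed each.
// From the hash specs: SHA-256 padding and the Keccak-256 rate of 136 bytes.
const SHA256_BLOCK_BYTES: u64 = 64;
const SHA256_ROWS_PER_PERMUTATION: u64 = 72;
const KECCAK256_RATE_BYTES: u64 = 136;

/// Compression-function calls for a `len`-byte message. Padding appends
/// 0x80, zero bytes and an 8-byte length, so at least 9 extra bytes.
pub fn sha256_permutations(len: u64) -> u64 {
    (len + 9 + SHA256_BLOCK_BYTES - 1) / SHA256_BLOCK_BYTES
}

/// Keccak-f calls for Keccak-256: pad10*1 always adds at least one byte,
/// so an input that exactly fills the rate still costs one more call.
pub fn keccak256_permutations(len: u64) -> u64 {
    len / KECCAK256_RATE_BYTES + 1
}

/// Rows needed to hash every input in a batch (hypothetical helper).
pub fn sha256_rows(input_lens: &[u64]) -> u64 {
    input_lens
        .iter()
        .map(|&len| sha256_permutations(len) * SHA256_ROWS_PER_PERMUTATION)
        .sum()
}

/// Smallest k with 2^k >= rows. Assumption: a lower bound only, since
/// rows reserved by the proving system are not counted here.
pub fn min_k(rows: u64) -> u32 {
    rows.max(1).next_power_of_two().trailing_zeros()
}

fn main() {
    // Constructed sample lengths; 55 and 56 straddle the padding boundary.
    for len in [0u64, 55, 56, 64, 1_000, 100_000] {
        let (s, k) = (sha256_permutations(len), keccak256_permutations(len));
        println!("{len:>7} bytes: sha256 {s:>5} perms ({} rows), keccak {k:>4} perms",
                 s * SHA256_ROWS_PER_PERMUTATION);
    }
    let rows = sha256_rows(&[100_000]);
    println!("100000 bytes -> {rows} rows, needs k >= {}", min_k(rows));
}
```

For long inputs the permutation ratio settles near 136/64, which is the "~2x" in the issue; for short inputs the 9 bytes of padding dominate, so a 56-byte input already costs two permutations.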

Ooh, nice! I would love to see this adapted to implement the Sha256Instructions trait from halo2_gadgets, as then circuit developers would have a very easy time switching between our 10-column chip and this ~130-column one.

str4d, Sep 14 '22 14:09

Hey @Brechtpd I'm adding the challenge API to all three keccak implementations we currently have in https://github.com/privacy-scaling-explorations/zkevm-circuits/pull/925. I hope this does not collide with that (Otherwise, I'll code it with features or an option or whatever).

Please ping me to review it! Since I reviewed the last 3, I guess I'd be a bit faster!

Thanks for working on this!!!! :smile:

CPerezz, Nov 23 '22 18:11

I don't think there will be any conflict with the keccak implementations, and will update the code conforming to #925 if it's decided this implementation will be used for the sha256 precompile (or if useful regardless of that to e.g. compare between different implementations). :)

Brechtpd, Nov 23 '22 21:11

> this implementation will be used for the sha256 precompile (or if useful regardless of that to e.g. compare between different implementations). :)

That's nice!! Thanks a lot!! I'd also consider the 4 options and stick to only 1 or 2. Otherwise we need to maintain a lot more code. WDYT?

CPerezz, Nov 24 '22 08:11

What do you mean 4 options? I think for sha256 there's only like 2 I guess (this one or the halo2 one). Or are you talking about keccak?

Brechtpd, Nov 24 '22 17:11

> What do you mean 4 options? I think for sha256 there's only like 2 I guess (this one or the halo2 one). Or are you talking about keccak?

Indeed mate.. My brain classified SHA256 and keccak as the same thing xD

Apologies, we already discussed the 3 different keccak implementations privately. :pray:

CPerezz, Nov 24 '22 18:11