feat: replace rolling-hash transcript with Spongefish Fiat-Shamir #15
shreyas-londhe wants to merge 1 commit into a16z:main from
Conversation
moodlezoup left a comment
did a quick skim, just one question
src/backends/arkworks/domain.rs (outdated)

```rust
ds = FieldDomainSeparator::<Fq12>::add_scalars(ds, 2, "vmv-gt");
ds = GroupDomainSeparator::<G1Projective>::add_points(ds, 1, "vmv-g1");

if zk {
```
is there a reason to use a zk: bool instead of cfg gates, like we do elsewhere?
`zk: bool` is correct and can't be replaced with `#[cfg(feature = "zk")]`. The reason is that the `zk` feature flag controls whether ZK code exists (e.g., ZK mode type, sigma proof functions), but `zk: bool` on the domain separator controls which DS variant is used for a given proof.
When `--all-features` is enabled, both Transparent and ZK modes coexist — transparent proofs need a DS without ZK absorbs, and ZK proofs need one with them. A compile-time gate would force all proofs to include ZK elements when the feature is on, breaking transparent proofs.
Replace the custom Blake2b rolling-hash transcript with spongefish's duplex-sponge construction. Proofs are now opaque NARG byte strings instead of serialized Proof structs.

Key changes:
- Add CheckedProverState/CheckedVerifierState with InteractionPattern enforcement for compile-time protocol structure validation
- Declare reusable sub-patterns (sigma1, sigma2, reduce round, scalar product) composed via scoped nesting for diagnostic paths
- Domain separator binds (sigma, zk) into sponge instance
- Remove Proof struct, blake2b transcript, ark_proof, VMVMessage
- Add check_eof() to all tests, benches, and examples
- Use macros to reduce spongefish codec boilerplate
- Pin spongefish to commit 45df37a7 on fork

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

This PR has been superseded by #17, which includes a cleaner commit history and all the same changes.
Summary
Migrates Dory's Fiat-Shamir transcript from a custom Blake2b rolling-hash implementation to Spongefish 0.2.0-alpha's NARG transcript model.
Why: The old transcript required maintaining a separate `DoryProof` struct for serialization alongside the hash-based Fiat-Shamir state. Spongefish unifies these — the proof is the transcript. This eliminates an entire class of bugs where proof data could be absorbed into the hash in a different order than it appears in the serialized proof, and gives us domain separation for free via Spongefish's `DomainSeparator`.

What changed:
- Proofs are opaque NARG byte strings (`Vec<u8>`) instead of a typed `DoryProof` struct. Prover writes to `ProverState`, verifier reads from `VerifierState`.
- `dory_domain_separator(sigma, zk)` dynamically builds the protocol's domain separator, declaring every absorb/squeeze operation upfront.
- `check_proof_length(proof_bytes, sigma, zk)` enables anti-malleability — callers reject proofs with unexpected length since Spongefish silently ignores trailing bytes.
- `ProverTranscript` (infallible absorb/squeeze) and `VerifierTranscript` (fallible read/squeeze).
- Removed `DoryProof`, `ArkDoryProof`, `Blake2bTranscript`, `Sigma1Proof`, `Sigma2Proof` structs.
- Removed `bincode`, `serde` dependencies; replaced `blake2`/`digest` with `spongefish`.
- accessible.

Test plan
- `cargo nextest run --all-features --release`
- `check_proof_length` in `basic_e2e`, `homomorphic`, `homomorphic_mixed_sizes`, `non_square`, `zk_e2e`, `zk_statistical`
- `cargo clippy`, `cargo fmt`, `cargo doc` all clean
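The three design points raised in this thread, the `zk: bool` selecting a domain-separator variant at runtime (moodlezoup's question and the reply), the proof being nothing but the transcript bytes, and `check_proof_length` rejecting trailing bytes the verifier would otherwise ignore, as one added, self-contained Rust illustration. This is not the PR's or Dory's code and does not call the spongefish API: `toy_domain_separator`, `Transcript`, `prove`, `verify` and `check_proof_length` are hypothetical names, the absorb and squeeze sizes are made up, and the "sponge" is std's SipHash standing in for a real duplex sponge, so the challenges it produces are not cryptographically meaningful.

```rust
// Added example, not the PR's code: a toy NARG transcript (proof == transcript bytes), a runtime
// (sigma, zk) domain separator, and the proof-length check the PR description motivates.
// The sponge is a non-cryptographic std SipHash stand-in; no real spongefish API is used.
use std::{collections::hash_map::DefaultHasher, hash::Hasher};

/// One declared step: prover message of n bytes (absorb) or verifier challenge of n bytes (squeeze).
#[derive(Clone, Copy, Debug, PartialEq)]
enum Op { Absorb(usize), Squeeze(usize) }

/// Domain separator: a tag plus the complete absorb/squeeze pattern, fixed before any message.
struct DomainSeparator { tag: String, ops: Vec<Op> }

/// Hypothetical stand-in for the PR's dory_domain_separator(sigma, zk). The pattern, and so the
/// expected proof length, depends on `zk` at runtime, which a compile-time cfg gate cannot express.
fn toy_domain_separator(sigma: usize, zk: bool) -> DomainSeparator {
    let mut ops = Vec::new();
    for _ in 0..sigma {
        ops.push(Op::Absorb(32)); ops.push(Op::Squeeze(16)); // round commitment, round challenge
        if zk { ops.push(Op::Absorb(32)); }                  // blinding commitment, ZK mode only
    }
    ops.push(Op::Absorb(32)); // final opening
    DomainSeparator { tag: format!("toy-dory/sigma={}/zk={}", sigma, zk), ops }
}

/// Pattern-checked transcript over a toy sponge `h`. The prover appends to `narg`; the verifier
/// reads `proof` at `cursor`. Both sides must follow `ops` exactly, one step per call.
struct Transcript<'a> { h: DefaultHasher, squeezed: u64, ops: Vec<Op>, pos: usize, narg: Vec<u8>, proof: &'a [u8], cursor: usize }

impl<'a> Transcript<'a> {
    fn new(ds: &DomainSeparator, proof: &'a [u8]) -> Self {
        let mut h = DefaultHasher::new();
        h.write(ds.tag.as_bytes()); // the tag binds (sigma, zk) into every later challenge
        Transcript { h, squeezed: 0, ops: ds.ops.clone(), pos: 0, narg: Vec::new(), proof, cursor: 0 }
    }
    /// Every absorb/squeeze must match the next declared op, otherwise the protocol code is wrong.
    fn expect(&mut self, want: Op) -> Result<(), String> {
        let got = self.ops.get(self.pos).copied();
        if got != Some(want) { return Err(format!("step {}: declared {:?}, got {:?}", self.pos, got, want)); }
        self.pos += 1;
        Ok(())
    }
    fn absorb(&mut self, bytes: &[u8]) {
        self.h.write_usize(bytes.len()); // length-prefix so absorbs cannot be re-split
        self.h.write(bytes);
    }
    /// Prover: absorb and append in one step, so hash order can never differ from proof order.
    fn add_bytes(&mut self, bytes: &[u8]) -> Result<(), String> {
        self.expect(Op::Absorb(bytes.len()))?;
        self.absorb(bytes);
        self.narg.extend_from_slice(bytes);
        Ok(())
    }
    /// Verifier: read exactly the next declared bytes from the proof and absorb them.
    fn next_bytes(&mut self, n: usize) -> Result<&'a [u8], String> {
        self.expect(Op::Absorb(n))?;
        let chunk = self.proof.get(self.cursor..self.cursor + n).ok_or("proof too short")?;
        self.cursor += n;
        self.absorb(chunk);
        Ok(chunk)
    }
    /// Both sides: squeeze n challenge bytes from the current state, then advance it.
    fn challenge(&mut self, n: usize) -> Result<Vec<u8>, String> {
        self.expect(Op::Squeeze(n))?;
        let (h, ctr) = (&self.h, self.squeezed);
        let mut out: Vec<u8> = (0..(n + 7) / 8)
            .flat_map(|i| { let mut b = h.clone(); b.write_u64(ctr + i as u64); b.finish().to_le_bytes() })
            .collect();
        out.truncate(n);
        self.squeezed += 1;
        self.h.write_u64(self.squeezed);
        Ok(out)
    }
}

/// Prover for the toy protocol; returns the opaque NARG byte string.
fn prove(sigma: usize, zk: bool, seed: u8) -> Result<Vec<u8>, String> {
    let ds = toy_domain_separator(sigma, zk);
    let mut t = Transcript::new(&ds, &[]);
    for round in 0..sigma as u8 {
        t.add_bytes(&[seed.wrapping_add(round); 32])?; // stands in for a real group element
        t.challenge(16)?;                              // a real prover folds this into the next round
        if zk { t.add_bytes(&[0xAA; 32])?; }
    }
    t.add_bytes(&[seed; 32])?;
    Ok(t.narg)
}

/// Verifier: replays the pattern and returns the re-derived challenges. Like spongefish, it reads
/// exactly the declared bytes and ignores anything after them.
fn verify(proof: &[u8], sigma: usize, zk: bool) -> Result<Vec<Vec<u8>>, String> {
    let ds = toy_domain_separator(sigma, zk);
    let mut t = Transcript::new(&ds, proof);
    let mut challenges = Vec::new();
    for _ in 0..sigma {
        t.next_bytes(32)?;
        challenges.push(t.challenge(16)?);
        if zk { t.next_bytes(32)?; }
    }
    t.next_bytes(32)?;
    Ok(challenges)
}

/// Anti-malleability guard from the PR description: the exact NARG length is the sum of the
/// declared absorbs, and anything longer must be rejected because trailing bytes are ignored.
fn check_proof_length(proof: &[u8], sigma: usize, zk: bool) -> bool {
    let declared: usize = toy_domain_separator(sigma, zk).ops.iter()
        .map(|op| if let Op::Absorb(n) = op { *n } else { 0 }).sum();
    proof.len() == declared
}
```

`prove(2, false, 7)` yields a 96-byte proof that `verify(&proof, 2, false)` accepts. Appending a byte to it still verifies, because the verifier stops reading after the last declared absorb, but `check_proof_length` rejects it; the same 96 bytes fail outright against the `zk = true` pattern, which declares 160 bytes, and a ZK proof produces different challenges from a transparent one even for identical messages because the tag is absorbed first. A prover that tries to absorb a message of the wrong size gets a pattern-violation error from `expect` before anything is written, which is the runtime analogue of the `CheckedProverState` enforcement the commit message describes.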