|
|
@ -11784,6 +11784,7 @@ $\ValueCommit{}$ can be implemented in: |
|
|
|
for a total cost of $?$ constraints. |
|
|
|
|
|
|
|
|
|
|
|
\introsection |
|
|
|
\subsubsection{BLAKE2s hashes} \label{cctblake2s} |
|
|
|
|
|
|
|
\introlist |
|
|
@ -11830,7 +11831,7 @@ The Initialization Vector is defined as: |
|
|
|
&\hexint{510E527F} &\hexint{9B05688C} &\hexint{1F83D9AB} &\hexint{5BE0CD19}\,] \\ |
|
|
|
\end{tabular} |
|
|
|
|
|
|
|
\vspace{2ex} |
|
|
|
\vspace{10ex} |
|
|
|
\intropart |
|
|
|
The full hash function applied to an $8$-byte personalization string and a single |
|
|
|
$64$-byte block, in sequential mode with $32$-byte output, can be expressed as follows. |
|
|
@ -11840,7 +11841,7 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol |
|
|
|
\begin{formulae} |
|
|
|
\item let $\BlakeParamBlock \typecolon \byteseq{32} = [32, 0, 1, 1] \bconcat\, \zerobytes{20} \bconcat p$ |
|
|
|
\item let $[\,t_0, t_1, f_0, f_1\,] \typecolon \typeexp{\binaryrange{32}}{4} = [\,0, 0, 0, \hexint{FFFFFFFF}, 0\,]$ |
|
|
|
\item \vspace{-2ex} |
|
|
|
\item \vspace{-3ex} |
|
|
|
\item let $h \typecolon \typeexp{\binaryrange{32}}{8} = |
|
|
|
\listcomp{\LEOStoIPOf{32}{\BlakeParamBlock_{\barerange{4 \mult i}{4 \mult i\,+\,3}}} \xor \BlakeIV_i \for i \from 0 \upto 7}$ |
|
|
|
\item let $v \typecolon \typeexp{\binaryrange{32}}{16} = |
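Review bot: The unchanged line `\item let $[\,t_0, t_1, f_0, f_1\,] \typecolon \typeexp{\binaryrange{32}}{4} = [\,0, 0, 0, \hexint{FFFFFFFF}, 0\,]$` binds four names, typed as a length-4 sequence, to a list of five values. The text therefore does not determine whether $f_0$ is $0$ or `\hexint{FFFFFFFF}`. These words go straight into $v$ (`f_0 \xor \BlakeIV_6, f_1 \xor \BlakeIV_7` in the following hunk), so two implementations that resolve the mismatch differently would compute different digests for the same input. The right-hand side needs exactly four entries; which one is spurious cannot be decided from this page and should be checked against the BLAKE2 specification (RFC 7693) and the circuit implementation. The `formulae` environment opens in this hunk and closes in the next one.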
|
|
@ -11848,23 +11849,24 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol |
|
|
|
t_0 \xor \BlakeIV_4, t_1 \xor \BlakeIV_5, f_0 \xor \BlakeIV_6, f_1 \xor \BlakeIV_7\,]$ |
|
|
|
\item let $m \typecolon \typeexp{\binaryrange{32}}{16} = |
|
|
|
\listcomp{\LEOStoIPOf{32}{x_{\barerange{4 \mult i}{4 \mult i\,+\,3}}} \for i \from 0 \upto 15}$ |
|
|
|
\vspace{2ex} |
|
|
|
\vspace{1ex} |
|
|
|
\item for $r$ from $0$ up to $9$: |
|
|
|
\vspace{-1ex} |
|
|
|
\vspace{-2ex} |
|
|
|
\item \begin{tabular}{@{\tab set\;}T@{}T@{}T@{}U@{}T@{}T@{}T@{}T@{}T@{}U@{}U} |
|
|
|
(v_{ 0}, &v_{ 4}, &v_{ 8}, &v_{12}&) := G(v_{ 0}, &v_{ 4}, &v_{ 8}, &v_{12}, &m_{\sigma_{r, 0}}, &m_{\sigma_{r, 1}}&) \\ |
|
|
|
(v_{ 1}, &v_{ 5}, &v_{ 9}, &v_{13}&) := G(v_{ 1}, &v_{ 5}, &v_{ 9}, &v_{13}, &m_{\sigma_{r, 2}}, &m_{\sigma_{r, 3}}&) \\ |
|
|
|
(v_{ 2}, &v_{ 6}, &v_{10}, &v_{14}&) := G(v_{ 2}, &v_{ 6}, &v_{10}, &v_{14}, &m_{\sigma_{r, 4}}, &m_{\sigma_{r, 5}}&) \\ |
|
|
|
(v_{ 3}, &v_{ 7}, &v_{11}, &v_{15}&) := G(v_{ 3}, &v_{ 7}, &v_{11}, &v_{15}, &m_{\sigma_{r, 6}}, &m_{\sigma_{r, 7}}&) \\[2ex] |
|
|
|
(v_{ 3}, &v_{ 7}, &v_{11}, &v_{15}&) := G(v_{ 3}, &v_{ 7}, &v_{11}, &v_{15}, &m_{\sigma_{r, 6}}, &m_{\sigma_{r, 7}}&) \\[1ex] |
|
|
|
(v_{ 0}, &v_{ 5}, &v_{10}, &v_{15}&) := G(v_{ 0}, &v_{ 5}, &v_{10}, &v_{15}, &m_{\sigma_{r, 8}}, &m_{\sigma_{r, 9}}&) \\ |
|
|
|
(v_{ 1}, &v_{ 6}, &v_{11}, &v_{12}&) := G(v_{ 1}, &v_{ 6}, &v_{11}, &v_{12}, &m_{\sigma_{r,10}}, &m_{\sigma_{r,11}}&) \\ |
|
|
|
(v_{ 2}, &v_{ 7}, &v_{ 8}, &v_{13}&) := G(v_{ 2}, &v_{ 7}, &v_{ 8}, &v_{13}, &m_{\sigma_{r,12}}, &m_{\sigma_{r,13}}&) \\ |
|
|
|
(v_{ 3}, &v_{ 4}, &v_{ 9}, &v_{14}&) := G(v_{ 3}, &v_{ 4}, &v_{ 9}, &v_{14}, &m_{\sigma_{r,14}}, &m_{\sigma_{r,15}}&) \\ |
|
|
|
\end{tabular} |
|
|
|
\item |
|
|
|
\item \vspace{-1ex} |
|
|
|
\item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$ |
|
|
|
\end{formulae} |
|
|
|
|
|
|
|
\vspace{-1ex} |
|
|
|
In practice the message and output will be expressed as bit sequences. In the \Sapling |
|
|
|
circuit, the personalization string will be constant for each use. |
|
|
|
|
|
|
@ -11887,7 +11889,7 @@ The equality checks are batched; as many sets of $33$ or $34$ boolean variables |
|
|
|
will fit in a $\GF{\ParamS{r}}$ field element are equated together using one constraint. |
|
|
|
This allows $7$ such checks per constraint. |
|
|
|
|
|
|
|
\vspace{2ex} |
|
|
|
\vspace{1ex} |
|
|
|
\introlist |
|
|
|
Each $G$ evaluation requires $262$ constraints: |
|
|
|
\begin{itemize} |
|
|
@ -11899,6 +11901,7 @@ Each $G$ evaluation requires $262$ constraints: |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
\vspace{-1ex} |
|
|
|
The overall cost is $21262$ constraints: |
|
|
|
\begin{itemize} |
|
|
|
\item $10 \mult 8 \mult 262 = 20960$ constraints for $80$ $G$ evaluations, excluding |
|
|
|