impl skyscraper

2026-01-02 13:53:09 +00:00 · 2025-01-28 14:12:59 +01:00 · 2025-01-28 14:12:59 +01:00 · 88a662f034
commit 88a662f034
parent 0db2f80df0
7 changed files with 241 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 .DS_Store
+.idea
 Cargo.lock
 /target
 /tmp
--- a/README.md
+++ b/README.md
@ -9,6 +9,7 @@ Hash functions implemented:

 - [x] Poseidon2
 - [x] Griffin
+- [x] skyscraper

 We plan to integrate this into Plonky2, to allow an efficient BN254 recursive wrapper.
 For this we need some custom features: For example when computing the Fiat-Shamir
--- a/src/hash.rs
+++ b/src/hash.rs
@ -3,7 +3,7 @@ use ark_ff::prelude::{Zero};
 use ark_bn254::Fr as F;

 use crate::state::*;
-use crate::poseidon2;
+use crate::{poseidon2, skyscraper};
 use crate::griffin;

 //------------------------------------------------------------------------------
--- a/src/lib.rs
+++ b/src/lib.rs
@ -7,3 +7,4 @@ pub mod hash;
 pub mod poseidon2;
 pub mod griffin;
 pub mod sponge;
+pub mod skyscraper;
--- a/src/skyscraper/constants.rs
+++ b/src/skyscraper/constants.rs
@ -0,0 +1,90 @@
+use std::str::FromStr;
+use lazy_static::lazy_static;
+use ark_bn254::Fr as F;
+use ark_ff::BigInteger256;
+
+
+/// enum for deciding which function (Square or Bar) to apply
+#[derive(Clone, Copy, Debug)]
+pub enum FunctionBlock {
+    Square,
+    Bar,
+}
+
+/// round schedule
+pub static RF1: [FunctionBlock; 10] = [
+    FunctionBlock::Square, FunctionBlock::Square,
+    FunctionBlock::Bar,    FunctionBlock::Bar,
+    FunctionBlock::Square, FunctionBlock::Square,
+    FunctionBlock::Bar,    FunctionBlock::Bar,
+    FunctionBlock::Square, FunctionBlock::Square,
+];
+
+/// round constants - same as in:
+/// https://extgit.isec.tugraz.at/krypto/zkfriendlyhashzoo/-/blob/master/plain_impls/src/skyscraper/skyscraper_instances.rs?ref_type=heads
+static RC_STR: [&str; 24] = [
+    "17829420340877239108687448009732280677191990375576158938221412342251481978692",
+    "27740342931201890067831390843279536630457710544396725670188095857896839417202",
+    "17048088173265532689680903955395019356591870902241717143279822196003888806966",
+    "109512792282736997633398631034649037613028427788284511060520396554381700616124",
+    "23518768991468467328187394347260979305359711922005254253047385842741274989784",
+    "95360373645575887695357714105933674592754581048282220961740831584356266637451",
+    "57106046715138585370392400429108362862843547132381623658436718362793140581845",
+    "16971509144034029782226530622087626979814683266929655790026304723118124142299",
+    "8608910393531852188108777530736778805001620473682472554749734455948859886057",
+    "54566392379700209585884878067585451869449334062644668287971552334629853792764",
+    "18708129585851494907644197977764586873688181219062643217509404046560774277231",
+    "52159802752268413629255578890890486811485406260370834838036769779232029980820",
+    "98108525134123848500172941527936985409086875223276518679938863940387852105202",
+    "105831033594660236721345339515389948186304708551041643590872398526195732523291",
+    "53084450331558915295247017186532447841918727727492403087452333633170905880952",
+    "78730946611419899835403512890231154575719512053287438310527615801825503526967",
+    "62089842541186043938517187437087053794210809382724083686360536771123796704819",
+    "32303085017979849099049635709265581104054174293154472699090841350494692332148",
+    "19361794324495443451354916303398190341881571975219162871160427826227778850994",
+    "65021267664773559966759214868166670507376995901124257419858229816098767301789",
+    "94847021352352647235478120180321422709509900436733319635143815989658015262598",
+    "51591271359432809566841356156562526830388219805637947403945613063492005256674",
+    "44534956566050763472510245910556224585100739093572801527559057220740673520964",
+    "84085239597197409225577945757724209425761279846653606664394225962327262179862",
+];
+
+/// same as above but in raw representation (just for checking consistency)
+static RC_STR_RAW: [&str; 24] = [
+    "17829420340877239108687448009732280677191990375576158938221412342251481978692",
+    "5852100059362614845584985098022261541909346143980691326489891671321030921585",
+    "17048088173265532689680903955395019356591870902241717143279822196003888806966",
+    "71577923540621522166602308362662170286605786204339342029375621502658138039",
+    "1630526119629192105940988602003704216811347521589219909349181656165466494167",
+    "7807402158218786806372091124904574238561123446618083586948014838053032654983",
+    "13329560971460034925899588938593812685746818331549554971040309989641523590611",
+    "16971509144034029782226530622087626979814683266929655790026304723118124142299",
+    "8608910393531852188108777530736778805001620473682472554749734455948859886057",
+    "10789906636021659141392066577070901692352605261812599600575143961478236801530",
+    "18708129585851494907644197977764586873688181219062643217509404046560774277231",
+    "8383317008589863184762767400375936634388677459538766150640361406080412989586",
+    "10555553646766747611187318546907885054893417621612381305146047194084618122734",
+    "18278062107303135832359716534360847832111250949377506216079581779892498540823",
+    "9307964587880364850754205696017897664821998926660334400055925260019288889718",
+    "13066217995902074168664295654459329310074418852039335279433003242098078040116",
+    "18313356797507493494024375946572503617114080581892014998964128397972179713585",
+    "10414842146140573876803229964008306015505809892738438355392637163918883836531",
+    "19361794324495443451354916303398190341881571975219162871160427826227778850994",
+    "21244781921095009522266403377652120330280267100292188732461821442947150310555",
+    "7294049864995546346492497199292322355316442835069182260350999243354781280130",
+    "7814785615754259122348544666047976653291491004805878716549204690340388265440",
+    "758470822372213028017434420041674408004010292740732840162648847589056529730",
+    "18420510981679583558838728521952384160116186645405503633299613402599836693011",
+];
+
+lazy_static! {
+    pub static ref RC: Vec<F> = RC_STR
+        .iter()
+        .map(|s| F::new_unchecked(BigInteger256::from_str(s).unwrap()))
+        .collect();
+
+    pub static ref RC_RAW: Vec<F> = RC_STR_RAW
+        .iter()
+        .map(|s| F::new_unchecked(BigInteger256::from_str(s).unwrap()))
+        .collect();
+}
--- a/src/skyscraper/mod.rs
+++ b/src/skyscraper/mod.rs
@ -0,0 +1,2 @@
+pub mod permutation;
+mod constants;
--- a/src/skyscraper/permutation.rs
+++ b/src/skyscraper/permutation.rs
@ -0,0 +1,145 @@
+use ark_bn254::{Fr as F};
+use ark_ff::{BigInteger256, Field, One, PrimeField};
+use core::str::FromStr;
+use crate::skyscraper::constants::{FunctionBlock, RF1, RC, RC_RAW};
+
+pub fn bars_inplace_mont(x: &mut F) {
+    // x → two 128‐bit chunks.
+    let bi = x.0;
+    let limbs = bi.0;
+    let mut data = [0u128; 2];
+    data[0] = (limbs[0] as u128) | ((limbs[1] as u128) << 64);
+    data[1] = (limbs[2] as u128) | ((limbs[3] as u128) << 64);
+
+    let t_function = |value: u128|  {
+        let t1 = ((value & 0x80808080808080808080808080808080) >> 7) | ((value & 0x7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F) << 1); //circular left rot by 1
+        let t2 = ((value & 0xC0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0) >> 6) | ((value & 0x3F3F3F3F3F3F3F3F3F3F3F3F3F3F3F3F) << 2); //circular left rot by 2
+        let t3 = ((value & 0xE0E0E0E0E0E0E0E0E0E0E0E0E0E0E0E0) >> 5) | ((value & 0x1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F) << 3); //circular left rot by 3
+        let tmp = (!t1 & t2 & t3) ^ value;
+        ((tmp & 0x80808080808080808080808080808080) >> 7) | ((tmp & 0x7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F) << 1) // Final left rot by 1
+    };
+
+    // T‐function to each chunk.
+    let tmp_lo = t_function(data[1]);
+    let tmp_hi = t_function(data[0]);
+    data[0] = tmp_lo;
+    data[1] = tmp_hi;
+
+    // reduce
+    reduce_small::<F>(&mut data);
+
+    // put back into x
+    let (lo, hi) = (data[0], data[1]);
+    let mut out = BigInteger256::new([0, 0, 0, 0]);
+    out.0[0] = (lo & 0xFFFFFFFFFFFFFFFF) as u64;
+    out.0[1] = (lo >> 64) as u64;
+    out.0[2] = (hi & 0xFFFFFFFFFFFFFFFF) as u64;
+    out.0[3] = (hi >> 64) as u64;
+
+    *x = F::new_unchecked(out)
+}
+
+// same reduction strategy as in the zkfriendlyhashzoo
+fn reduce_small<F: PrimeField>(lhs: &mut [u128; 2]) {
+    let p = F::characteristic(); // same as Modulus
+    let pa = p.as_ref();
+    // prime in two 128‐bit limbs
+    let mut prime = [0u128; 2];
+    prime[0] = (pa[0] as u128) | ((pa[1] as u128) << 64);
+    prime[1] = (pa[2] as u128) | ((pa[3] as u128) << 64);
+
+    loop {
+        for idx in (0..2).rev() {
+            if lhs[idx] < prime[idx] {
+                return;
+            }
+            if lhs[idx] > prime[idx] {
+                sub_full(lhs, &prime);
+                break;
+            }
+            if idx == 0 && lhs[idx] == prime[idx] {
+                lhs[0] = 0;
+                lhs[1] = 0;
+                return;
+            }
+        }
+    }
+}
+
+pub fn sub_full(lhs: &mut [u128], rhs: &[u128]) {
+    let mut overflow: bool;
+    let mut overflow_part: u128;
+    (lhs[0], overflow) = lhs[0].overflowing_sub(rhs[0]);
+    overflow_part = if overflow {1} else {0};
+
+    for index in 1..rhs.len(){
+        (lhs[index], overflow) = lhs[index].overflowing_sub(overflow_part);
+        overflow_part = if overflow {1} else {0};
+        (lhs[index], overflow) = lhs[index].overflowing_sub(rhs[index]);
+        incr(&mut overflow_part, overflow);
+    }
+}
+#[inline(always)]
+pub fn incr(left: &mut u128, right: bool){
+    if right {
+        *left += 1;
+    }
+}
+
+
+fn square_inplace(x: &mut F) {
+    *x *= *x;
+}
+
+pub fn permute(input: [F; 2]) -> [F; 2] {
+    let mut current_state = input;
+    let mut left  = current_state[0];
+    let mut right = current_state[1];
+
+    for (i, &fun) in RF1.iter().enumerate() {
+        // s‐box on `left`
+        match fun {
+            FunctionBlock::Square => square_inplace(&mut left),
+            FunctionBlock::Bar => bars_inplace_mont(&mut left),
+        }
+
+        if i > 0 && i < (RF1.len() - 1) {
+            right += RC_RAW[i - 1];
+        }
+
+        // combine
+        left += right;
+
+        // the feistel rotation
+        right = current_state[0];
+        current_state[0] = left;
+    }
+    current_state[1] = right;
+    current_state
+}
+
+pub fn compress(x: F, y: F) -> F {
+    let p_out = permute([x, y]);
+    let out = x + p_out[0];
+    out
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_k_permutation() {
+        let init = [F::from(1234u64), F::from(5678u64)];
+        let init_mont = [F::new_unchecked(init[0].into_bigint()), F::new_unchecked(init[1].into_bigint())];
+        let out = permute(init_mont);
+        println!("Permutation on (1234,5678) => ({},{})", out[0].0, out[1].0);
+        let expected = [
+            BigInteger256::from_str("10398388528337208913702213361515546865573572771332206462397283188708690721181").unwrap(),
+            BigInteger256::from_str("21827939006013637437091304277086947125806852726479468249428384625000968262245").unwrap()
+        ];
+
+        assert_eq!(out[0].0, expected[0]);
+        assert_eq!(out[1].0, expected[1]);
+    }
+}