Hash Function Decision

Question

Hash Function Decision

Closed this issue 7 months ago · 4 comments

We're settling on using merkle-trees for in several places (e.g., see #150 and #166) but we haven't settled on the hash function. This matters because, unfortunately, the EVM.

So, I'm going to suggest keccak256 to be EVM friendly, even though we don't use it anywhere else. Otherwise validating merkle-trees could get a bit expensive.

That is, unless someone has a suggestion for a different snark-friendly hash function? But I'm not aware of an efficient snark-friendly hash function.

Answer 1 · 2024-05-01T00:01:40.000Z

blake2b (or even blake3) might be a better option for snarks, I would have to look into keccak256 padding rules to check if it has the same issue as SHA2/3 where hashing 64bytes requires two invocations of compression function due to padding rules.

blake2/3 has precompile in EVM land AFAIK

Answer 2 · 2024-05-01T00:26:22.000Z

If we were hashing a single large object, sha256 would be fine. But... the EVM charges 700 gas per call to the SHA2 precompile.

On the other hand, there's a KECCAK256 opcode that costs 30 gas plus 6 gas per word. So, validating a Keccak merkle-tree is much cheaper.

Answer 3 · 2024-05-06T19:52:46.000Z

Note: it looks like CometBLS uses MiMC for zk compatibility. IMO, this won't matter until we create a snark-friendly power table as we're planning on doing all of our hashing outside of snarks anyways.

Answer 4 · 2024-05-14T03:35:52.000Z

We're using keccak256 for the merkle-trees.