use near mds matrix and change alpha to 17 (#19)

* use near mds matrix * security check script
o1-labs · Jan 19, 2020 · 72f621b · 72f621b
1 parent adf5c3b
commit 72f621b
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 46 deletions.
diff --git a/oracle/src/bn_382/fp.rs b/oracle/src/bn_382/fp.rs
@@ -5,21 +5,7 @@ use std::str::FromStr;
 
 pub fn params() -> ArithmeticSpongeParams<Fp> {
     ArithmeticSpongeParams {
-        mds:
-            vec![ vec![
-                  Fp::from_str("4926718831512540855203478495979679874185641835428705237807701341316303469093728860979847281433445543762468419547411").unwrap()
-                , Fp::from_str("4453596550915421838691584449484083455887331059810907256950733279540412430443020452528503585415545381600691692720802").unwrap()
-                , Fp::from_str("1809585458879543727351605930307281128231661313471183867681242998028598391382436278589655704222701087043779610899776").unwrap()
-                ]
-            , vec![ Fp::from_str("3780881913608981191949291171826187563049531728010823449829977324390598960444713739971716972221840264885560113043153").unwrap()
-                , Fp::from_str("2776232227357305515637478180339794495756715372405744816056109665788926102619439001152349187314657683550310562099867").unwrap()
-                , Fp::from_str("5103043266714397927073209822516498302262227174566336138856687248083295588845596823903140201767618523431001452833199").unwrap()
-                ]
-            , vec![ Fp::from_str("2159355678817062797712812554732125404698639502388517586006300841333631216487588790808135492514630783259920881851018").unwrap()
-                , Fp::from_str("3193464442349738376799117666463048091278737759406985595335727474699041234966227606028409475413066859111860974240541").unwrap()
-                , Fp::from_str("3068849848776138129466484826306219095394321880438971409892892215677003762666783452446184790715435684915272918256552").unwrap()
-                ] ]
-        , round_constants:
+        round_constants:
       vec![ vec![ Fp::from_str("78119860594733808983474265082430117124674905785489385612351809573030163625517").unwrap()
           , Fp::from_str("41917899842730241418346215913324270532073353586134123463219061327941260175271").unwrap()
           , Fp::from_str("74594641694171623328644944059182600919855574964222988275913344198970402906473").unwrap()

diff --git a/oracle/src/bn_382/fq.rs b/oracle/src/bn_382/fq.rs
@@ -5,20 +5,6 @@ use std::str::FromStr;
 
 pub fn params() -> ArithmeticSpongeParams<Fq> {
     ArithmeticSpongeParams {
-        mds:
-      vec![ vec![ Fq::from_str("2663538809597650435844500745640128112500797729229320076136089551791530014683740176469459837095745057420024990698304").unwrap()
-          , Fq::from_str("3372673220977743741609068262704292488957271565700673274891426149291073445433316668667874458522247135736401556339737").unwrap()
-          , Fq::from_str("4702399048364054789745695060954166226249916683594965873315202085308155435886379283955080194729213218481069112754347").unwrap()
-         ]
-       , vec![ Fq::from_str("2215778453553447259216822687321394545528815439827126692759606056122905656424424554076355712016973336681821219494537").unwrap()
-          , Fq::from_str("1284753801167450198664971157009572170099813485759371112881157467066929464161583508786486164543283350228782139803094").unwrap()
-          , Fq::from_str("1136441139974396511543268992916724168911879411721635269198331720240499757381302440272659128030869203409955304203115").unwrap()
-         ]
-       , vec![ Fq::from_str("5295202322853619951220986804473857321275810243906349721146315070442772012272591642930885737122084843222525444659152").unwrap()
-          , Fq::from_str("2585574180998322214773500417577043354533137309395421285678021891228333612974808568921533701659765694493897008321886").unwrap()
-          , Fq::from_str("4327637570022845964174929847928171567054668769686956705326721990617716210727017530524703225454617877992054172811917").unwrap()
-         ] ]
-            ,
         round_constants:
       vec![ vec![ Fq::from_str("78119860594733808983474265082430117124674905785489385612351809573030163625517").unwrap()
           , Fq::from_str("41917899842730241418346215913324270532073353586134123463219061327941260175271").unwrap()

diff --git a/oracle/src/poseidon.rs b/oracle/src/poseidon.rs
@@ -10,7 +10,7 @@ It implements Poseidon Hash Function primitive
 use algebra::Field;
 
 pub const ROUNDS_FULL: usize = 8;
-pub const ROUNDS_PARTIAL: usize = 55;
+pub const ROUNDS_PARTIAL: usize = 30;
 const HALF_ROUNDS_FULL: usize = ROUNDS_FULL / 2;
 pub const SPONGE_CAPACITY: usize = 1;
 pub const SPONGE_RATE: usize = 2;
@@ -22,25 +22,25 @@ pub trait Sponge<Input, Digest> {
     fn squeeze(&mut self, params: &Self::Params) -> Digest;
 }
 
-// x^5
+// x^17
 fn sbox<F: Field>(x: F) -> F {
     let mut res = x;
     res.square_in_place(); //x^2
     res.square_in_place(); //x^4
-    res.mul_assign(&x);
+    res.square_in_place(); //x^8
+    res.square_in_place(); //x^16
+    res.mul_assign(&x); // x^17
     res
 }
 
-fn apply_matrix<F: Field>(mat: &Vec<Vec<F>>, v: &Vec<F>) -> Vec<F> {
-    mat.iter()
-        .map(|row| {
-            let mut res = F::zero();
-            for (i, r) in row.iter().enumerate() {
-                res += &v[i].mul(r);
-            }
-            res
-        })
-        .collect()
+/*
+Apply the matrix
+[[1, 0, 1],
+ [1, 1, 0],
+ [0, 1, 1]]
+ */
+fn apply_near_mds_matrix<F: Field>(v: &Vec<F>) -> Vec<F> {
+    vec![v[0] + &v[2], v[0] + &v[1], v[1] + &v[2]]
 }
 
 enum SpongeState {
@@ -51,7 +51,6 @@ enum SpongeState {
 #[derive(Clone)]
 pub struct ArithmeticSpongeParams<F: Field> {
     pub round_constants: Vec<Vec<F>>,
-    pub mds: Vec<Vec<F>>,
 }
 
 pub struct ArithmeticSponge<F: Field> {
@@ -69,7 +68,7 @@ impl<F: Field> ArithmeticSponge<F> {
             for i in 0..self.state.len() {
                 self.state[i] = sbox(self.state[i]);
             }
-            let new_state = apply_matrix(&params.mds, &self.state);
+            let new_state = apply_near_mds_matrix(&self.state);
             for i in 0..new_state.len() {
                 self.state[i] = new_state[i];
             }
@@ -83,7 +82,7 @@ impl<F: Field> ArithmeticSponge<F> {
                 self.state[i].add_assign(&x);
             }
             self.state[0] = sbox(self.state[0]);
-            let new_state = apply_matrix(&params.mds, &self.state);
+            let new_state = apply_near_mds_matrix(&self.state);
             for i in 0..new_state.len() {
                 self.state[i] = new_state[i];
             }
@@ -99,7 +98,7 @@ impl<F: Field> ArithmeticSponge<F> {
             for i in 0..self.state.len() {
                 self.state[i] = sbox(self.state[i]);
             }
-            let new_state = apply_matrix(&params.mds, &self.state);
+            let new_state = apply_near_mds_matrix(&self.state);
             for i in 0..new_state.len() {
                 self.state[i] = new_state[i];
             }

diff --git a/sponge_cost.sage b/sponge_cost.sage
@@ -0,0 +1,25 @@
+import math
+
+def grobner_complexity(state_size, alpha, rounds_full, rounds_partial):
+    num_vars = (state_size - 1) * rounds_full + rounds_partial
+    num_equations = num_vars
+    d_reg = (1 + num_equations * (alpha - 1)) // 2
+    return math.log(binomial(num_vars + d_reg, d_reg) ** 2, 2)
+
+security = 128
+
+def interpolation_rounds_lower_bound(state_size, alpha):
+    return 1 + security * math.log(2, alpha) + math.log(state_size, alpha)
+
+rounds_full = 8
+rounds_partial = 30
+
+# security margin
+rounds_full = int(rounds_full / 1.25)
+rounds_partial = int(rounds_partial / 1.075)
+
+state_size = 3 # the state size
+alpha = 17
+
+assert (rounds_full + rounds_partial >= interpolation_rounds_lower_bound(state_size, alpha))
+assert (security <= grobner_complexity(state_size, alpha, rounds_full, rounds_partial))