L.Anemoi
Helper functions for the Anemoi Hash defined over the scalar field of the BLS12-381 curve.
val anemoi_round :
kx:Csir.Scalar.t ->
ky:Csir.Scalar.t ->
(scalar repr * scalar repr) ->
(scalar * scalar) repr t
anemoi_round ~kx ~ky (x0, y0)
returns (x1, y1)
, the result of applying an Anemoi round (parametrized by kx
and ky
) to the 2-registers state (x0, y0)
.
In particular, x1 = u + kx + 7 * (v + ky)
and y1 = 7 * (u + kx) + 50 * (v + ky)
where (u, v) = S-BOX(x0, y0)
defined as: u := t + beta * (y0 - t^(1/5))^2 + delta
and v := y0 - t^(1/5)
where t := x0 - beta * y0^2 - gamma
and beta
, gamma
, delta
are system parameters.
val anemoi_double_round :
kx1:Csir.Scalar.t ->
ky1:Csir.Scalar.t ->
kx2:Csir.Scalar.t ->
ky2:Csir.Scalar.t ->
(scalar repr * scalar repr) ->
(scalar * scalar) repr t
anemoi_double_round ~kx1 ~ky1 ~kx2 ~ky2 (x0, y0)
returns (x2, y2)
, the result of applying two Anemoi rounds.
In particular, it is equivalent to anemoi_round ~kx:kx2 ~ky:ky2 (anemoi_round ~kx:kx1 ~ky:ky1 (x0, y0))
, but models the necessary constraints with 5 PlonK rows instead of 8.
(Note that anemoi_round
requires 4 PlonK rows.)
val anemoi_custom :
kx1:Csir.Scalar.t ->
ky1:Csir.Scalar.t ->
kx2:Csir.Scalar.t ->
ky2:Csir.Scalar.t ->
(scalar repr * scalar repr) ->
(scalar * scalar) repr t
anemoi_custom ~kx1 ~ky1 ~kx2 ~ky2 (x0, y0)
returns (x2, y2)
, the result of applying two Anemoi rounds.
In particular, it is equivalent to anemoi_round ~kx:kx2 ~ky:ky2 (anemoi_round ~kx:kx1 ~ky:ky1 (x0, y0))
, but models the necessary constraints with 2 Plonk rows.
This is possible thanks to our custom gate for Anemoi double rounds.
See Lib_plonk
.Hash_gates. Furthermore, the second row is "compatible" with the one after if another Anemoi round follows this one. (Our optimizer would combine such rows in that case).