(WIP) docs: add detail documentation around Summa MST implementation #4
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Analayize Summa's Merkle Sum Tree
Circuit
Summa have halo2 circuit to verify Merkle Sum Tree's inclusion proof. To understand circuit, we will go through how does composed chips enable constraint for proper value of cells in circuit.
MstInclusionCircuit
is composed with 3 chips : 1) MerkleSumTreeChip, 2) PoseidonChip, 3) RangeCheckChipMerkleSumTreeChip
bool constraint:
vec![s * swap_bit.clone() * (Expression::Constant(Fp::from(1)) - swap_bit)]
,swap_bit * ( 1- swap_bit ) = 0 as a constraint (= swap_bit should be 0 or 1)
swap constraint:
vec![swap_constraint_1, swap_constraint_2]
(element_r_cur.clone() - element_l_cur.clone()) * swap_bit.clone() + element_l_cur.clone() = element_l_next
element_r_next = (element_l_cur - element_r_cur)*swap_bit + element_r_cur
sum constraint:
s * (left_balance + right_balance - computed_sum)
with N elements (N is currencies)< Assign Region >
sum nodes balances per currency
current_balance
element_balance
sum of balances
PoseidonChip :
This chip used
halo2_gadgets::poseidon::Pow5Config
to construct table.poseidon_entry_chip
(Poseidon chip used to hash leaf node)poseidon_middle_chip
(Poseidon chip used to hash middle node)The definition below is from comment in Summa code.
S
: The specification for the Poseidon hash function,WIDTH
: The width of the Poseidon permutation,RATE
: The rate of the Poseidon permutation, typically WIDTH - 1.L
: The length of the input array to the Poseidon hash function.N_CURRENCIES
: The number of currencies for which the solvency is verified.RangeCheckChip :
lookup_enable_selector * diff, u8_range
synthesize
H(username, balance[0], balance[1], ..., balance[N_ASSETS - 1])
format asH
using poseidon hash.In this code base, what poseidon entry chip compute
Poseiodn(username, balance[0], balance[1], ..., balance[N_ASSETS - 1])
and expose the result as public input ( Instance column ).Summa's Merkle Sum Tree Implementation
Summa's implementation of the Merkle Sum Tree is designed for higher efficiency and addresses the vulnerabilities found in the Original Merkle Sum Tree, as described in a particular paper. It includes zkProofs for verifying tree integrity without revealing user details and an efficient approach for hashing in the middle nodes.
Middle Node Hash Comparison
H(LeftChild.hash, LeftChild.balance[0], LeftChild.balance[1], ..., LeftChild.balance[N_ASSETS], RightChild.hash, RightChild.balance[0], RightChild.balance[1], ..., RightChild.balance[N_ASSETS])
H(LeftChild.balance[0] + RightChild.balance[0], LeftChild.balance[1] + RightChild.balance[1], ..., LeftChild.balance[N_ASSETS - 1] + RightChild.balance[N_ASSETS - 1], LeftChild.hash, RightChild.hash)
2 * (1 + N_ASSETS)
N_ASSETS + 2
Broken Merkel Sum Tree is a solution about Original Merkle Sum Tree’s vulnerability from this paper. As means, it have zkProof for verify tree’s integrity without revealing detail info about user(solution 2) and implemented middle node’s hash in hash(vl || vr || || h(l) || h(r)) this format (solution 1). However in terms of efficiency, Summa takes a unique approach to hash.
Compared to the original middle node hash described on paper as Broken Merkle Tree, for shorter hashing and cost for building the tree, building the zk proof of inclusion, Summa’s middle node hash formula is designed differently in this PR.
Summa's MST Implementation Details
Leaf Node
H(username, balance[0], balance[1], ..., balance[N_ASSETS - 1])
balance[0], balance[1], ..., balance[N_ASSETS - 1]
Middle Node
H(LeftChild.balance[0] + RightChild.balance[0], LeftChild.balance[1] + RightChild.balance[1], ..., LeftChild.balance[N_ASSETS - 1] + RightChild.balance[N_ASSETS - 1], LeftChild.hash, RightChild.hash)
LeftChild.balance[0] + RightChild.balance[0], LeftChild.balance[1] + RightChild.balance[1], ..., LeftChild.balance[N_ASSETS - 1] + RightChild.balance[N_ASSETS - 1]