Add BLS12-381 Poseidon, Jubjub-in-circuit support#1
Merged
Conversation
The BN254-over-BLS hybrid previously used by BLS12-381 Poseidon callers was non-interoperable with any published BLS12-381 Poseidon implementation, making third-party verification of ZeroJ-produced hashes impossible. ADR-0015 replaces the hybrid with paper-canonical BLS12-381 Poseidon (t=3, alpha=5, RF=8, RP=57) while preserving BN254 circomlib compatibility for existing callers. Changes: - PoseidonGrainLFSR: pure-Java port of the hadeshash Sage parameter generator, byte-verified against iden3/circomlibjs BN254 constants. - PoseidonParams record + codegen-produced BN254/BLS12-381 t=3 presets. - Poseidon / PoseidonN / SignalPoseidon gadgets parameterized on PoseidonParams; back-compat no-param overloads default to BN254. - PoseidonHash standalone BigInteger permutation for off-circuit use. - CircuitAPI.requireField + CircuitBuilder compile/witness-time guard: converts field-vs-curve mismatches from silent non-canonical-hash footguns into thrown exceptions. - PoseidonCacheVersion: SHA-256-derived marker that auto-wipes stale SRS/R1CS/Merkle caches when Poseidon parameters change. - SageMath reference implementation committed under src/test/resources/ poseidon-sage/ with Docker-pinned golden output. Test asserts Java fixtures byte-match the Sage-produced paper-spec reference. - PoseidonConstants marked @deprecated; retained as BN254 facade. Evidence: 92 tests pass including LFSR byte-match vs circomlibjs, in-circuit == off-circuit self-consistency over 100 random inputs per preset, Sage golden-file match for Poseidon_BLS12_381(0,0)/(1,2)/(123,456), field-guard rejections, cache-version wipe behavior. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds the twisted-Edwards Jubjub curve embedded in the BLS12-381 scalar field, with both off-circuit primitives (curve arithmetic, EdDSA, Pedersen) and in-circuit gadgets (Jubjub doubling/addition, EdDSA verify with kModL/kQuotient witness reduction, Pedersen commitment). Tests cover round-trip signing/verification both off- and in-circuit. Also gitignores .playwright-mcp/ used by browser MCP runs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds standards-compatible Poseidon constants for t=5 (4-input hash) on BLS12-381 alongside the existing t=2/3/4. Bundles the reference Sage script (generate_parameters_grain.sage.py) so the constants can be regenerated and audited. Minor LFSR + codegen tweaks support t=5. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Captures the design for selective-disclosure-friendly credential circuits (rich multi-field VC, EdDSA-Jubjub issuer signature, predicate-per-circuit pattern) underpinning the selective-disclosure usecase. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
satran004
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds standards-compatible Poseidon for BLS12-381, in-circuit Jubjub/EdDSA/Pedersen primitives, and three ADRs scoping the next round of zk-credential work.
Changes