Cryptographic Primitives

1. Baby Jubjub Elliptic Curve

Baby Jubjub is a twisted Edwards elliptic curve specifically designed for efficient zero-knowledge proof systems. It operates over the prime field Fr of the BN254 curve, making it highly compatible with zk-SNARK circuits and the Ethereum ecosystem.

Baby Jubjub is defined by the twisted Edwards equation:

ax² + y² = 1 + dx²y²

Where:

  • Prime field: p = 21888242871839275222246405745257275088548364400416034343698204186575808495617

Curve parameters:

  • a = 168700

  • d = 168696

For more details, see circomlib implementation.
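As an added worked example (not code from the Hinkal docs or from circomlib), the following Python implements the twisted Edwards group law for the curve above together with the two checks a verifier should apply to any externally supplied point: that it satisfies the curve equation and that it lies in the prime-order subgroup. The constants p, a and d are those stated on this page; the base point Base8 and the subgroup order are taken from circomlib's babyjub.circom (EIP-2494) and are assumptions of the example, as is the constructed point (0, p-1), an on-curve point of order 2 that the subgroup check rejects.

```python
# Baby Jubjub twisted Edwards arithmetic over the BN254 scalar field Fr.
# Added illustration; not code from the Hinkal docs or from circomlib.
# p, a, d are the values given on the page. BASE8 and SUBGROUP_ORDER are
# taken from circomlib's babyjub.circom (EIP-2494) and are assumptions here.

P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A = 168700
D = 168696

# Base8: generator of the prime-order subgroup (circomlib / EIP-2494).
BASE8 = (
    5299619240641551281634865583518297030282874472190772894086521144482721001553,
    16950150798460657717958625567821834550301663161624707787222815936182638968203,
)
# Order l of the prime-order subgroup; the full curve group has order 8 * l.
SUBGROUP_ORDER = 2736030358979909402780800718157159386076813972158567259200215660948447373041
COFACTOR = 8

IDENTITY = (0, 1)  # neutral element of a twisted Edwards curve


def is_on_curve(pt):
    """Check a*x^2 + y^2 == 1 + d*x^2*y^2 (mod p) for pt = (x, y)."""
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    lhs = (A * x * x + y * y) % P
    rhs = (1 + D * x * x * y * y) % P
    return lhs == rhs


def add(p1, p2):
    """Unified twisted Edwards addition law; the same formula also doubles."""
    x1, y1 = p1
    x2, y2 = p2
    x1y2 = x1 * y2 % P
    y1x2 = y1 * x2 % P
    t = D * x1y2 * y1x2 % P  # d * x1 * x2 * y1 * y2
    x3 = (x1y2 + y1x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)


def scalar_mul(k, pt):
    """Left-to-right double-and-add computing [k]pt."""
    result = IDENTITY
    addend = pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def in_prime_subgroup(pt):
    """Defensive check: on the curve AND [l]pt == O (rejects low-order components)."""
    return is_on_curve(pt) and scalar_mul(SUBGROUP_ORDER, pt) == IDENTITY


def demo():
    # Constructed private scalar; the public key is [sk]Base8, as in BabyJub EdDSA.
    sk = 123456789
    pk = scalar_mul(sk, BASE8)
    low_order = (0, P - 1)  # constructed: on-curve point of order 2, outside the subgroup
    return {
        "pk_on_curve": is_on_curve(pk),
        "pk_in_subgroup": in_prime_subgroup(pk),
        "low_order_on_curve": is_on_curve(low_order),
        "low_order_in_subgroup": in_prime_subgroup(low_order),
    }


if __name__ == "__main__":
    print(demo())
```

Because the cofactor is 8, a point can satisfy the curve equation and still carry a low-order component; anything that derives keys or nullifiers from a caller-supplied point should run `in_prime_subgroup` (or clear the cofactor) rather than `is_on_curve` alone.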

2. Poseidon Hash Function

Poseidon is a cryptographic hash function specifically designed for zero-knowledge proof systems. It provides significant efficiency improvements over traditional hash functions like SHA-256 when used in arithmetic circuits.

Poseidon operates directly over prime fields, eliminating the need for expensive bit operations in zk-SNARK circuits:

  • Field Operations: Uses only addition and multiplication in Fr

  • No Bit Manipulation: Avoids costly binary operations

  • Constraint Efficiency: Requires significantly fewer R1CS constraints than bit-oriented hashes such as SHA-256

Parameters for BN254 Field

  • Field Prime: Same as Baby Jubjub (p = 21888242871839275222246405745257275088548364400416034343698204186575808495617)

Round Function

Each Poseidon round consists of three operations:

  1. AddRoundConstants: state[i] = state[i] + roundConstant[i]

  2. SubWords (S-box): state[i] = state[i]^5 (applied to every state element in full rounds and to a single element in partial rounds)

  3. MixLayer: Linear transformation using MDS matrix

For more details, see circomlib parameters of Poseidon.
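To make the round structure concrete, here is an added Python model of the Poseidon permutation in the layout circomlib uses for two inputs: state width t = 3, 8 full rounds around 57 partial rounds, a capacity element initialised to 0, and the digest read from state[0]. It is not Hinkal's or circomlib's code, and its round constants and MDS matrix are constructed here (SHA-256-derived constants and a Cauchy matrix), so its digests do not match circomlib's Poseidon; only the AddRoundConstants / S-box / MixLayer structure is faithful.

```python
# Structural model of the Poseidon permutation over the BN254 scalar field.
# Added illustration; not Hinkal's or circomlib's code. The round constants
# and the MDS matrix below are CONSTRUCTED for this example, so outputs do
# not match circomlib's Poseidon. Only the round structure is faithful.
import hashlib

P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

T = 3     # state width: 2 inputs + 1 capacity element
R_F = 8   # full rounds: S-box on every state element (4 before, 4 after the partial rounds)
R_P = 57  # partial rounds: S-box on state[0] only (the count used for t = 3)


def toy_round_constants(count, seed=b"toy-poseidon-ark"):
    """Constructed, deterministic round constants. NOT the circomlib constants."""
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        out.append(int.from_bytes(h, "big") % P)
    return out


def toy_mds(t):
    """Cauchy matrix M[i][j] = 1/(x_i + y_j) with distinct x, y: MDS, but not circomlib's."""
    xs = list(range(t))
    ys = list(range(t, 2 * t))
    return [[pow(xs[i] + ys[j], -1, P) for j in range(t)] for i in range(t)]


ARK = toy_round_constants(T * (R_F + R_P))
MDS = toy_mds(T)


def add_round_constants(state, rnd):
    """Step 1: state[i] += roundConstant[rnd * T + i]."""
    return [(s + ARK[rnd * T + i]) % P for i, s in enumerate(state)]


def sbox(x):
    """Step 2: x -> x^5. A bijection on Fr because gcd(5, p - 1) = 1."""
    return pow(x, 5, P)


def inv_sbox(y):
    """Inverse S-box, used only to check that x^5 really is a permutation."""
    return pow(y, pow(5, -1, P - 1), P)


def mix(state):
    """Step 3: state <- MDS * state (matrix-vector product over Fr)."""
    return [sum(MDS[i][j] * state[j] for j in range(T)) % P for i in range(T)]


def permutation(state):
    """Full Poseidon permutation: R_F/2 full, R_P partial, R_F/2 full rounds."""
    assert len(state) == T
    state = [s % P for s in state]
    half_f = R_F // 2
    for rnd in range(R_F + R_P):
        state = add_round_constants(state, rnd)
        if half_f <= rnd < half_f + R_P:
            state[0] = sbox(state[0])            # partial round: one S-box
        else:
            state = [sbox(s) for s in state]     # full round: S-box on all words
        state = mix(state)
    return state


def toy_poseidon_hash(inputs):
    """Hash two field elements: capacity 0, inputs in state[1..], digest = state[0]."""
    if len(inputs) != T - 1:
        raise ValueError("this toy instance takes exactly %d inputs" % (T - 1))
    state = [0] + [x % P for x in inputs]
    return permutation(state)[0]


if __name__ == "__main__":
    print(hex(toy_poseidon_hash([1, 2])))
```

Every operation above is a field addition or multiplication, which is exactly why the round function maps to few R1CS constraints: an S-box costs three multiplication constraints (x², x⁴, x⁵) and the MDS step is a linear combination, which is free in R1CS. In a real deployment the constants come from circomlib's poseidon_constants and must not be substituted.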

3. zk-SNARK (Groth16)

Hinkal’s privacy logic is expressed as Circom circuits compiled to R1CS and proven with Groth16 over the BN254 field. Groth16 provides constant-size proofs and fast on-chain verification, making it a practical choice for Ethereum.

Arithmetization

  • Field: Fr of BN254 (same prime p as above).

  • Model: Rank-1 Constraint System (R1CS).

  • Libs: Circom 2.x with circomlib primitives (BabyJubjub ops, Poseidon hash, Merkle path gadgets).

Trusted Setup (two-phase; Phase 1 from Polygon)

  • Phase 1 (universal “Powers of Tau”): We reuse Polygon Hermez’s first-stage trusted setup as the universal CRS (Common Reference String). This stage is circuit-agnostic and need not be rerun when circuits change.

  • Phase 2 (circuit-specific): Starting from the Phase-1 CRS, we run a per-circuit setup to derive the proving key (pk) and verifying key (vk). Any circuit change requires redoing Phase 2 only; the on-chain verifier uses the fixed vk.
