Hi,
Soon, the Cardano blockchain will fork to give it low level BLS12-381 bindings to verify in its smart-contract language (Plutus) pairing-based crypto protocols. In light of this, I would love to connect the Circom + SnarkJS ecosystem to Cardano. To explore this viability, I already did some integration work and managed to fork SnarkJS so that the fiat shamir argument matches how Cardano needs to verify this.
To be more specific, I changed the hash function to use blake2b-224 (which directly maps into the bls scalar field for convenience), this is cost wise/gas wise also cheaper to run than Keccak onchain. Besides that, the low-level bindings of the BLS ops in Plutus, only allow a smart contract to retrieve points in their compressed form. This means that I had to change the transcript to not use x and y in the base field, but the compressed version, where we encode y in the leading bits of x.
This together allowed to make an initial POC implementation of a smart contract that runs Plonk (via Circom + snarkJS) on one of the testnet of Cardano (SanchoNet), where these BLS bindings are already present.
I would love to help, of course :)
Hi,
Soon, the Cardano blockchain will fork to give it low level BLS12-381 bindings to verify in its smart-contract language (Plutus) pairing-based crypto protocols. In light of this, I would love to connect the Circom + SnarkJS ecosystem to Cardano. To explore this viability, I already did some integration work and managed to fork SnarkJS so that the fiat shamir argument matches how Cardano needs to verify this.
To be more specific, I changed the hash function to use blake2b-224 (which directly maps into the bls scalar field for convenience), this is cost wise/gas wise also cheaper to run than Keccak onchain. Besides that, the low-level bindings of the BLS ops in Plutus, only allow a smart contract to retrieve points in their compressed form. This means that I had to change the transcript to not use x and y in the base field, but the compressed version, where we encode y in the leading bits of x.
This together allowed to make an initial POC implementation of a smart contract that runs Plonk (via Circom + snarkJS) on one of the testnet of Cardano (SanchoNet), where these BLS bindings are already present.
I would love to help, of course :)