Circuit Design - SnapDeals (Lightweight CC Sector Updates)

Design goals

There are two major pathways we use when designing the circuit

  • challenge generation and hash computation inside
  • or outside.

We investigate feasibility of doing both challenge generation as well as computing hashes used as randomness during LSU, inside the circuit.

Challenge Generation

Challenge generation is a process in which we are aiming to generate a number of challenges .

The and is sector size nodes. The Result of Poseidon-128 is split into 31 bit chunks (discarding 7 high bits) forming eight challenges, which then are taken .

Based on input from ZCash team, Poseidon can be used as PRG for challenge generation. Using it in this manner would mean using Poseidon-128 in 2-ary variant, costing ~311 constraints, plus additional 256 constrains for binary decomposition (binary decomposition constraints may already be included in the cost of inclusion proofs).

This results in 0.85M additional constraints.

One Poseidon, Multiple challenges

The Poseidon-128 outputs Fr field element which after decomposition results in 254.x bits of randomness. Our biggest requires 31 bits of randomness. This means that we could use one Poseidon-128 evaluation to generate 8 challenges. It would reduce cost of challenge generation by factor of 8 as the binary decomposition can be shared as well.

Randomness Generation

We are settling on number of per sector (but want to keep some flexibility in final circuit), this gives us two options, we can either compute all H ฯ values and use lookup to access ฯ from these computed values; or we can compute ฯ for each challenge and not use the fact that only H ฯ computations need to be done.

The latter option is promising as 512-ary lookup of dynamic values will cost at least 512 constraints. (please verify)

As both and are powers of two the computation can be easily performed using bit shift by selecting bits from decomposed .

This results in ~312 constraints for generation (no decomposition, it is used as Fr).

This results in additional 0.6M constraints when compared with accepting as public input.


Overall in circuit challenge and randomness generation increases circuit size by ~1.4M constraints which is 14% of estimated size of the circuit. Given that it decreases the number of public inputs by 4400, or 99.9%, the 14% increased proving cost will be well worth the reduction of verification cost.


The ~311 constraints for Poseidon is taken from here.

Domain separation to be applied for both uses of Poseidon by means of Poseidon DST in Capacity field.

The Circuit

Single sector per circuit.

Circuit needs to fulfill following roles:

  • Challenge Generation
  • Verifying Inclusion Proofs:
    • NewCommR
    • OldCommR
    • Data Commitment
  • Verifying Encoding
    • Generating


- sector size in nodes

- number of encoding hashes

- number of challenges

Public inputs

  • OldCommR - CommR of existing CC sector
  • NewCommR - CommR of the sector after being updated with deals
  • CommD - Data commitment for data which is being updated into the sector
  • SectorID - not sure it needs to be a public input, on the actors side we have clear mapping of SectorID to OldCommR.
  • hSelect - one-hot encoding (bit-vector of 6 values, with only one bit set) of

Private inputs

  • CommC
  • CommRLast
  • SectorID
  • for each
    • vanilla proofs
    • , , - old replica at , data at , new replica at


The circuit consists of 2200 independent challenges to be verified.

One part of circuit that may be shared is proving the openings of NewCommR and OldCommR to arrive at NewCommRLast and OldCommRLast.

For :

  • Challenge Generation:
  • Consists of one 2-ary Poseidon Hash and binary decomposition, binary decomposition allows to take the .

For each following sub-circuit is created:

  • Generation:
  • The can be constructed from binary decomposition of .

    To increase flexibility of the circuit at minimal cost we are suggesting ability to adjust value based on public input.

    This can be easily done in circuit by having 5 computations of (one for each value), which are just linear combinations of decomposed bits, and then selecting them based on the one-hot encoding of hSelect public input.

    If we do shared circuit for 32GB and 64GB, the condition or flag will need to feed into this circuit.

  • Inclusion proofs:
    • is opening of OldCommR at position
    • is opening of NewCommR at position
    • is opening of CommD at position
  • Encoding Check: computed in .