SNARK Primitives
Hash functions, Merkle trees, and other ZK building blocks
Writing Circuits
🟢 Recommended 🟡 Usable with caution 🔴 Not recommended
Hash Functions
| Name | Type | Use Case | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|---|
| Poseidon | Permutation | Merkle Tree, Commitment, PRF | โ | 🟢 | Circom, Arkworks, Halo2 | SNARK-native, fast in R1CS/PLONK |
| MiMC | Feistel-like | Merkle Tree, PRF | โ | 🟢 | Circom, Arkworks | Minimal constraints per round |
| Rescue | Sponge | Hash, PRF | โ | 🟡 | Halo2, Winterfell | Algebraic structure, STARK-friendly |
| Pedersen | EC-based | Commitment | ⚠️ Partial | 🟡 | Circom, Sapling, Arkworks | Curve-dependent |
| SHA2/SHA3 | Standard | Compatibility with EVM systems | โ | 🔴 | Circom | Very high cost in R1CS |
🌲 Merkle Tree Primitives
| Variant | Hash Used | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|
| Poseidon MT | Poseidon | โ | 🟢 | Circom, Noir | Fully SNARK-native |
| MiMC MT | MiMC | โ | 🟢 | Circom | Lightweight and efficient |
| Pedersen MT | Pedersen | ⚠️ Moderate | 🟡 | Sapling | Legacy zkApp use |
| SHA MT | SHA2/SHA3 | โ | 🔴 | Circom | Expensive in constraint count |
🧾 Commitment Schemes
| Scheme | Binding | Hiding | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|---|
| Pedersen | โ | โ | โ | 🟢 | Circom, Arkworks | Fast, curve-based |
| Poseidon-based | โ | โ | โ | 🟢 | Noir, Halo2 | Fully arithmetized |
| KZG Commitment | โ | โ | ⚠️ Limited | 🟡 | PLONK (zkEVMs) | Trusted setup required |
Polynomial-Related Primitives
| Primitive | Use Case | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|
| FFT | Polynomial commitment | โ | 🟢 | PLONK, STARK systems | Core of modern SNARKs |
| Lagrange Interp. | Witness construction | โ | 🟢 | Internal | Used in identity checks |
| Kate Commitment | Openings for poly evals | โ | 🟡 | PLONK, zkEVM | Pairing-based, used in KZG |
🔣 Bit-level Encodings
| Primitive | Use Case | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|
| Bit Decomposition | Range proofs, logic | โ | 🟢 | Circom, Halo2 | Common, but costly |
| Field Packing | Efficient encoding | โ | 🟢 | Circom, Arkworks | Reduce input size |
Application Mapping Quick Guide
| Application | Recommended Primitive(s) | Notes |
|---|---|---|
| Efficient Merkle Tree | Poseidon, MiMC | Avoid SHA-based in ZK |
| Privacy-preserving commitment | Pedersen, Poseidon-based | Group or native |
| Range / logic constraints | Bit Decomposition | Optimize with custom gadgets |
| Public compatibility (EVM) | SHA2, Keccak256 | Only if EVM compatibility needed |
| Polynomial-based proving system | FFT, KZG, Lagrange Interp. | Backbone of PLONK/STARK |
Hash To Curve (Sha256 + Secp256k1)
| Component | Non-Linear Constraints | Linear Constraints |
|---|---|---|
| hash_to_field | 288,787 | 15,572 |
| map_to_curve | 147,600 | 5,202 |
| hash_to_curve | 586,502 | 26,091 |
Description
hash_to_curve(msg)

- Input: msg, an arbitrary-length byte string.
- Output: P, a point in the secp256k1 curve.

Steps:

1. u = hash_to_field(msg)
2. Q0 = map_to_curve(u[0])
3. Q1 = map_to_curve(u[1])
4. R = iso_map(Q0) + iso_map(Q1)
5. return P
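
Step 1 of the procedure above, written out in Python as an added example (not code from the original page or from any circuit library). It assumes the procedure follows RFC 9380's expand_message_xmd with SHA-256; the DST value and the `sha256_compressions` helper are constructed for illustration. The helper counts the SHA-256 compression calls that step performs, the operation the hash table above rates as very costly in R1CS.

```python
import hashlib

# secp256k1 base-field prime; L = ceil((256 + 128) / 8) bytes per field element
P = 2**256 - 2**32 - 977
L = 48
# Constructed domain-separation tag for this example (assumption, not from the page)
DST = b"EXAMPLE-V01-with-secp256k1_XMD:SHA-256_SSWU_RO_"

def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """RFC 9380 expand_message_xmd with SHA-256 (output 32 bytes, block 64 bytes)."""
    ell = -(-len_in_bytes // 32)  # ceil division
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("requested length or DST too long")
    dst_prime = dst + bytes([len(dst)])
    # Z_pad (one zero block) || msg || I2OSP(len, 2) || 0x00 || DST_prime
    msg_prime = bytes(64) + msg + len_in_bytes.to_bytes(2, "big") + b"\x00" + dst_prime
    b0 = hashlib.sha256(msg_prime).digest()
    blocks = [hashlib.sha256(b0 + b"\x01" + dst_prime).digest()]
    for i in range(2, ell + 1):
        mixed = bytes(x ^ y for x, y in zip(b0, blocks[-1]))
        blocks.append(hashlib.sha256(mixed + bytes([i]) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]

def hash_to_field(msg: bytes, dst: bytes = DST, count: int = 2) -> list[int]:
    """Step 1 of hash_to_curve: derive `count` elements of GF(P) from msg."""
    uniform = expand_message_xmd(msg, dst, count * L)
    # Each element reduces a 48-byte chunk mod P, keeping the bias negligible
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % P for i in range(count)]

def sha256_compressions(msg_len: int, dst: bytes = DST, count: int = 2) -> int:
    """Number of SHA-256 compression-function calls hash_to_field performs."""
    def n_blocks(n: int) -> int:  # data + 0x80 byte + 8-byte length, padded to 64
        return (n + 9 + 63) // 64
    ell = -(-(count * L) // 32)
    dst_prime_len = len(dst) + 1
    first = n_blocks(64 + msg_len + 3 + dst_prime_len)   # b_0 over msg_prime
    rest = ell * n_blocks(32 + 1 + dst_prime_len)        # b_1 .. b_ell
    return first + rest

if __name__ == "__main__":
    u = hash_to_field(b"abc")
    print([hex(x) for x in u], sha256_compressions(3))
```
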
Legend
- Use Case: Main application scenarios
- ZK-Friendly: Designed for low constraints
- Recommend: Developer priority recommendation
- Implementations: Frameworks with mature implementations (Circom, Arkworks, Noir, Halo2, etc.)