SNARK Primitives
Hash functions, Merkle trees, and other ZK building blocks
Writing Circuits
🟢 Recommended 🟡 Usable with caution 🔴 Not recommended
🔐 Hash Functions
| Name | Type | Use Case | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|---|
| Poseidon | Permutation | Merkle Tree, Commitment, PRF | ✅ | 🟢 | Circom, Arkworks, Halo2 | SNARK-native, fast in R1CS/PLONK |
| MiMC | Feistel-like | Merkle Tree, PRF | ✅ | 🟢 | Circom, Arkworks | Minimal constraints per round |
| Rescue | Sponge | Hash, PRF | ✅ | 🟡 | Halo2, Winterfell | Algebraic structure, STARK-friendly |
| Pedersen | EC-based | Commitment | ⚠️ Partial | 🟡 | Circom, Sapling, Arkworks | Curve-dependent |
| SHA2/SHA3 | Standard | Compatibility with EVM systems | ❌ | 🔴 | Circom | Very high cost in R1CS |
🌲 Merkle Tree Primitives
| Variant | Hash Used | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|
| Poseidon MT | Poseidon | ✅ | 🟢 | Circom, Noir | Fully SNARK-native |
| MiMC MT | MiMC | ✅ | 🟢 | Circom | Lightweight and efficient |
| Pedersen MT | Pedersen | ⚠️ Moderate | 🟡 | Sapling | Legacy zkApp use |
| SHA MT | SHA2/SHA3 | ❌ | 🔴 | Circom | Expensive in constraint count |
🧾 Commitment Schemes
| Scheme | Binding | Hiding | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|---|
| Pedersen | ✅ | ✅ | ✅ | 🟢 | Circom, Arkworks | Fast, curve-based |
| Poseidon-based | ✅ | ✅ | ✅ | 🟢 | Noir, Halo2 | Fully arithmetized |
| KZG Commitment | ✅ | ❌ | ⚠️ Limited | 🟡 | PLONK (zkEVMs) | Trusted setup required |
📐 Polynomial-Related Primitives
| Primitive | Use Case | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|
| FFT | Polynomial commitment | ✅ | 🟢 | PLONK, STARK systems | Core of modern SNARKs |
| Lagrange Interp. | Witness construction | ✅ | 🟢 | Internal | Used in identity checks |
| Kate Commitment | Openings for poly evals | ✅ | 🟡 | PLONK, zkEVM | Pairing-based, used in KZG |
🔣 Bit-level Encodings
| Primitive | Use Case | ZK-Friendly | Recommend | Implementations | Notes |
|---|---|---|---|---|---|
| Bit Decomposition | Range proofs, logic | ✅ | 🟢 | Circom, Halo2 | Common, but costly |
| Field Packing | Efficient encoding | ✅ | 🟢 | Circom, Arkworks | Reduce input size |
🔗 Application Mapping Quick Guide
| Application | Recommended Primitive(s) | Notes |
|---|---|---|
| Efficient Merkle Tree | Poseidon, MiMC | Avoid SHA-based in ZK |
| Privacy-preserving commitment | Pedersen, Poseidon-based | Group or native |
| Range / logic constraints | Bit Decomposition | Optimize with custom gadgets |
| Public compatibility (EVM) | SHA2, Keccak256 | Only if EVM compatibility needed |
| Polynomial-based proving system | FFT, KZG, Lagrange Interp. | Backbone of PLONK/STARK |
📊 Hash To Curve (Sha256 + Secp256k1)
| Component | Non-Linear Constraints | Linear Constraints |
|---|---|---|
| hash_to_field | 288,787 | 15,572 |
| map_to_curve | 147,600 | 5,202 |
| hash_to_curve | 586,502 | 26,091 |
Description
hash_to_curve(msg)

- Input: msg, an arbitrary-length byte string.
- Output: P, a point in the secp256k1 curve.

Steps:

1. u = hash_to_field(msg)
2. Q0 = map_to_curve(u[0])
3. Q1 = map_to_curve(u[1])
4. R = iso_map(Q0) + iso_map(Q1)
5. return P
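An out-of-circuit reference for step 1, added here as an example and not taken from the page or any listed implementation. It assumes hash_to_field is the RFC 9380 construction (expand_message_xmd over SHA-256, two field elements of 48 bytes each); the domain separation tag is constructed, and the block counter is an added helper that tallies the SHA-256 compression calls a circuit would have to arithmetize.

```python
import hashlib

P = 2**256 - 2**32 - 977   # secp256k1 base field prime
L = 48                     # ceil((256 + 128) / 8) bytes per field element
B = 32                     # SHA-256 output size in bytes
S = 64                     # SHA-256 input block size in bytes
DST = b"EXAMPLE-DST-secp256k1_XMD:SHA-256_SSWU_RO_"  # constructed tag (assumption)

def sha256_blocks(n):
    """Compression-function calls SHA-256 makes for an n-byte input."""
    return (n + 9 + S - 1) // S   # 1 pad byte + 8 length bytes, rounded up

def expand_message_xmd(msg, dst, out_len):
    """Return (uniform_bytes, compression_calls) for the XMD expander."""
    ell = -(-out_len // B)
    if ell > 255 or out_len > 65535 or len(dst) > 255:
        raise ValueError("parameters out of range")
    dst_prime = dst + bytes([len(dst)])
    msg_prime = bytes(S) + msg + out_len.to_bytes(2, "big") + b"\x00" + dst_prime
    blocks = sha256_blocks(len(msg_prime))
    b0 = hashlib.sha256(msg_prime).digest()
    bi = hashlib.sha256(b0 + b"\x01" + dst_prime).digest()
    blocks += sha256_blocks(B + 1 + len(dst_prime))
    out = bi
    for i in range(2, ell + 1):
        # Each later block chains on b0 XOR the previous block.
        mixed = bytes(x ^ y for x, y in zip(b0, bi))
        bi = hashlib.sha256(mixed + bytes([i]) + dst_prime).digest()
        blocks += sha256_blocks(B + 1 + len(dst_prime))
        out += bi
    return out[:out_len], blocks

def hash_to_field(msg, count=2, dst=DST):
    """Return ([u0, u1, ...], compression_calls) with each u in [0, P)."""
    uniform, blocks = expand_message_xmd(msg, dst, count * L)
    u = [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % P
         for i in range(count)]
    return u, blocks

if __name__ == "__main__":
    u, blocks = hash_to_field(b"abc")   # constructed sample message
    print([hex(x) for x in u], "SHA-256 compression calls:", blocks)
```

Witness values produced by a circuit's hash_to_field can be compared against this output when both use the same tag and message.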
📎 Legend
- Use Case: Main application scenarios
- ZK-Friendly: Designed for low constraints
- Recommend: Developer priority recommendation
- Implementations: Frameworks with mature implementations (Circom, Arkworks, Noir, Halo2, etc.)