Skip to main content

Sha256 Support

· 3 min read
Andrew Morris
Andrew Morris
Team Lead

You can now use Sha256 in Summon and import other Bristol circuits. 🎉

Importing Circuits

This is part of a broader feature to translate any Bristol circuit into Summon. You can now do that like this:

# in the summon repo
cargo run --bin bristol_to_summon -- -i sha256.txt -o sha256.ts

The Bristol circuit used defines the core of Sha256 which takes a 512-bit block and a 256-bit state and outputs a new 256-bit state. In Summon we can take that a step further by implementing the static padding and block splitting so that we can simply provide the complete Sha256 function rather than just the core mechanism.

Why

Adding this enables MPC use cases that need verified data. Our current vanilla demos allow you to input anything you like. With a hash function like Sha256, we can ensure that inputs correspond to hashes:

if (!bitsEqual(hash(input), knownHash)) {
  throw new Error('failed hash check');
}

To make this a little more concrete, suppose input is provided by Alice. Bob knows hash(input), but input is Alice’s secret. Enforcing hash(input) effectively enforces input itself - it’s computationally infeasible for Alice to find evilInput such that hash(evilInput) == hash(input), so Alice has no choice but to provide her genuine input if she wants to participate in an MPC protocol that contains this check.

This is particularly useful for signed data. Signature algorithms are typically structured as sign(hash(input)), rather than simply sign(input) (and hash is very often Sha256). This means Bob can learn that hash(input) represents a correctly signed hash without learning input itself, which means we don’t need to do the signature algorithm inside MPC. In short, we verify the signature outside MPC, then verify the hash inside MPC, which is great for both simplicity and efficiency.

Performance

In-browser 2PC calculation of sha256('summon') was achieved in 2.4s. The chart below shows how this grows with more parties.

Sha256 Performance

Note:

  • This measures a single sha256. If you need a sha256 for each party (eg to verify the inputs of all parties), you'll need to (roughly) multiply these results by the number of parties.
  • Each party is running in a web worker. Better results should be possible by running each party on a separate device, especially for large party sizes.
  • This local test has negligible latency. Adjust by adding about 20x your ping time (a flat cost that does not grow with parties or gates).

Fun Fact

Prior to this change, in the bytecode that Summon uses internally, addresses were 16-bit. Sha256 broke that, because it produced bytecodes that were longer than 2^16 bytes (64KiB) for the first time. Summon bytecode now uses 32-bit addresses.

Join Us!

Thanks for building privacy‑preserving magic with us! 🪄

MPC Framework
Made by PSE with support from the Ethereum Foundation