You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The encryption flow is quite difficult to follow due to the passing of lambdas and wanting to do either constrained or unconstrained encryption. Something that is not obvious is that even when doing unconstrained encryption, we're still constraining the computation of the ovpk_hash.
I was originally puzzled by this, as I imagined these constraints would be dropped since ovpk_hash is not used for any constrained computation, but it actually is: we do the encryption using the app-siloed ovsk, which requires a kernel request:
let ovsk_app:Field = context.request_ovsk_app(ovpk.hash());let(encrypted_log, log_hash) = inner_compute(...,ovsk_app);// This is unconstrained
The hashing itself is not that expensive, but the combination of hash plus siloing request does result in multiple hundred extra gates. It'd be good to make it so that we only constrain the request of the app-siloed secret key if we're also doing constrained encryption - there's no point in doing this for the unconstrained case.
Doing this might be sort of tricky, since we can't just pass the context mutable reference to the function pointer, as mutable references are not allowed to cross the constrained -> unconstrained boundary. Perhaps we could have emit_with_keys receive the ovsk and either constrain it or not by encode_and_encrypt_note and encode_and_encrypt_note_unconstrained.
The text was updated successfully, but these errors were encountered:
nventuro
changed the title
Don't constraint hashing public keys for unconstrained encryption
Don't constrain hashing public keys for unconstrained encryption
Aug 9, 2024
The encryption flow is quite difficult to follow due to the passing of lambdas and wanting to do either constrained or unconstrained encryption. Something that is not obvious is that even when doing unconstrained encryption, we're still constraining the computation of the
ovpk_hash
.I was originally puzzled by this, as I imagined these constraints would be dropped since
ovpk_hash
is not used for any constrained computation, but it actually is: we do the encryption using the app-siloedovsk
, which requires a kernel request:The hashing itself is not that expensive, but the combination of hash plus siloing request does result in multiple hundred extra gates. It'd be good to make it so that we only constrain the request of the app-siloed secret key if we're also doing constrained encryption - there's no point in doing this for the unconstrained case.
Doing this might be sort of tricky, since we can't just pass the context mutable reference to the function pointer, as mutable references are not allowed to cross the constrained -> unconstrained boundary. Perhaps we could have
emit_with_keys
receive theovsk
and either constrain it or not byencode_and_encrypt_note
andencode_and_encrypt_note_unconstrained
.The text was updated successfully, but these errors were encountered: