Supporting variants of SHA2

CHANGELOG.md

@@ -17,6 +17,10 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased](https://github.com/o1-labs/o1js/compare/b857516...HEAD)
 
+### Added
+
+- Gadgets for 224, 384 and 512 bit variants of SHA2 https://github.com/o1-labs/o1js/pull/1957
+
 ## [2.2.0](https://github.com/o1-labs/o1js/compare/e1bac02...b857516) - 2024-12-10
 
 ### Added

src/examples/zkapps/hashing/hash.ts

@@ -24,19 +24,19 @@ export class HashStorage extends SmartContract {
     this.commitment.set(initialCommitment);
   }
 
-  @method async SHA256(xs: Bytes32) {
+  @method async SHA3_256(xs: Bytes32) {
     const shaHash = Hash.SHA3_256.hash(xs);
     const commitment = Hash.hash(shaHash.toFields());
     this.commitment.set(commitment);
   }
 
-  @method async SHA384(xs: Bytes32) {
+  @method async SHA3_384(xs: Bytes32) {
     const shaHash = Hash.SHA3_384.hash(xs);
     const commitment = Hash.hash(shaHash.toFields());
     this.commitment.set(commitment);
   }
 
-  @method async SHA512(xs: Bytes32) {
+  @method async SHA3_512(xs: Bytes32) {
     const shaHash = Hash.SHA3_512.hash(xs);
     const commitment = Hash.hash(shaHash.toFields());
     this.commitment.set(commitment);

src/examples/zkapps/hashing/run.ts

@@ -35,27 +35,27 @@ const initialState =
 let currentState;
 console.log('Initial State', initialState);
 
-console.log(`Updating commitment from ${initialState} using SHA256 ...`);
+console.log(`Updating commitment from ${initialState} using SHA3-256 ...`);
 txn = await Mina.transaction(feePayer, async () => {
-  await contract.SHA256(hashData);
+  await contract.SHA3_256(hashData);
 });
 await txn.prove();
 await txn.sign([feePayer.key]).send();
 currentState = Mina.getAccount(contractAccount).zkapp?.appState?.[0].toString();
 console.log(`Current state successfully updated to ${currentState}`);
 
-console.log(`Updating commitment from ${initialState} using SHA384 ...`);
+console.log(`Updating commitment from ${initialState} using SHA3-384 ...`);
 txn = await Mina.transaction(feePayer, async () => {
-  await contract.SHA384(hashData);
+  await contract.SHA3_384(hashData);
 });
 await txn.prove();
 await txn.sign([feePayer.key]).send();
 currentState = Mina.getAccount(contractAccount).zkapp?.appState?.[0].toString();
 console.log(`Current state successfully updated to ${currentState}`);
 
-console.log(`Updating commitment from ${initialState} using SHA512 ...`);
+console.log(`Updating commitment from ${initialState} using SHA3-512 ...`);
 txn = await Mina.transaction(feePayer, async () => {
-  await contract.SHA512(hashData);
+  await contract.SHA3_512(hashData);
 });
 await txn.prove();
 await txn.sign([feePayer.key]).send();

src/lib/provable/crypto/hash.ts

@@ -49,6 +49,19 @@ const Hash = {
     hash: Gadgets.SHA256.hash,
   },
 
+  /**
+   * The SHA2 hash function with an output length of 224 | 256 | 384 | 512 bits.
+   */
+    SHA2: {
+      /**
+       * Hashes the given bytes using SHA2.
+       *
+       * This is an alias for `Gadgets.SHA2.hash(length,bytes)`.\
+       * See {@link Gadgets.SHA2.hash} for details and usage examples.
+       */
+      hash: Gadgets.SHA2.hash,
+    },
+
   /**
    * The SHA3 hash function with an output length of 256 bits.
    */

src/lib/provable/gadgets/gadgets.ts

@@ -29,6 +29,7 @@ import {
   Sum as ForeignFieldSum,
 } from './foreign-field.js';
 import { divMod32, addMod32, divMod64, addMod64 } from './arithmetic.js';
+import { SHA2 } from './sha2.js';
 import { SHA256 } from './sha256.js';
 import { BLAKE2B } from './blake2b.js';
 import { rangeCheck3x12 } from './lookup.js';
@@ -439,7 +440,7 @@ const Gadgets = {
    * Bitwise AND gadget on {@link Field} elements. Equivalent to the [bitwise AND `&` operator in JavaScript](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Bitwise_AND).
    * The AND gate works by comparing two bits and returning `1` if both bits are `1`, and `0` otherwise.
    *
-   * It can be checked by a double generic gate that verifies the following relationship between the values 
+   * It can be checked by a double generic gate that verifies the following relationship between the values
    * below (in the process it also invokes the {@link Gadgets.xor} gadget which will create additional constraints depending on `length`).
    *
    * The generic gate verifies:\
@@ -452,7 +453,7 @@ const Gadgets = {
    * You can find more details about the implementation in the [Mina book](https://o1-labs.github.io/proof-systems/specs/kimchi.html?highlight=gates#and)
    *
    * The `length` parameter lets you define how many bits should be compared. `length` is rounded
-   * to the nearest multiple of 16, `paddedLength = ceil(length / 16) * 16`, and both input values 
+   * to the nearest multiple of 16, `paddedLength = ceil(length / 16) * 16`, and both input values
    * are constrained to fit into `paddedLength` bits. The output is guaranteed to have at most `paddedLength` bits as well.
    *
    * **Note:** Specifying a larger `length` parameter adds additional constraints.
@@ -476,8 +477,8 @@ const Gadgets = {
    * Bitwise OR gadget on {@link Field} elements. Equivalent to the [bitwise OR `|` operator in JavaScript](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Bitwise_OR).
    * The OR gate works by comparing two bits and returning `1` if at least one bit is `1`, and `0` otherwise.
    *
-   * The `length` parameter lets you define how many bits should be compared. `length` is rounded 
-   * to the nearest multiple of 16, `paddedLength = ceil(length / 16) * 16`, and both input values 
+   * The `length` parameter lets you define how many bits should be compared. `length` is rounded
+   * to the nearest multiple of 16, `paddedLength = ceil(length / 16) * 16`, and both input values
    * are constrained to fit into `paddedLength` bits. The output is guaranteed to have at most `paddedLength` bits as well.
    *
    * **Note:** Specifying a larger `length` parameter adds additional constraints.
@@ -973,6 +974,27 @@ const Gadgets = {
    */
   SHA256: SHA256,
 
+  /**
+   * Implementation of the [SHA2 hash function.](https://en.wikipedia.org/wiki/SHA-2) Hash function
+   * with 224 | 256 | 384 | 512 bit output.
+   *
+   * Applies the SHA2 hash function to a list of byte-sized elements.
+   *
+   * The function accepts {@link Bytes} as the input message, which is a type that represents a static-length list of byte-sized field elements (range-checked using {@link Gadgets.rangeCheck8}).
+   * Alternatively, you can pass plain `number[]`, `bigint[]` or `Uint8Array` to perform a hash outside provable code.
+   *
+   * Produces an output of {@link Bytes} that conforms to the chosen bit length.
+   *
+   * @param length - 224 | 256 | 384 | 512 representing the length of the hash.
+   * @param data - {@link Bytes} representing the message to hash.
+   *
+   * ```ts
+   * let preimage = Bytes.fromString("hello world");
+   * let digest = Gadgets.SHA2.hash(512, preimage);
+   * ```
+   *   */
+  SHA2: SHA2,
+
   /**
    * Implementation of the [BLAKE2b hash function.](https://en.wikipedia.org/wiki/BLAKE_(hash_function)#BLAKE2) Hash function with arbitrary length output.
    *