You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

168 lines
6.4 KiB

Add solidity groth16, kzg10 and final decider verifiers in a dedicated workspace (#70) * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * Update FoldingSchemes trait, fit Nova+CycleFold - update lib.rs's `FoldingScheme` trait interface - fit Nova+CycleFold into the `FoldingScheme` trait - refactor `src/nova/*` * chore: add serialization assets for testing Now we include an `assets` folder with a serialized proof & vk for tests * Add `examples` dir, with Nova's `FoldingScheme` example * polishing * expose poseidon_test_config outside tests * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * feat: templating kzg working * chore: add emv and revm * feat: start evm file * chore: add ark-poly-commit * chore: move `commitment` to `folding-schemes` * chore: update `.gitignore` to ignore generated contracts * chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces * refactor: update template with no lib * feat: add evm deploy code, compile and create kzg verifier * chore: update `Cargo.toml` to have `folding-schemes` available with verifiers * feat: start kzg prove and verify with sol * chore: compute crs from kzg prover * feat: evm kzg verification passing * tmp * change: Swap order of G2 coordinates within the template * Update way to serialize proof with correct order * chore: update `Cargo.toml` * chore: add revm * chore: add `save_solidity` * refactor: verifiers in dedicated mod * refactor: have dedicated `utils` module * chore: expose modules * chore: update verifier for kzg * chore: rename templates * fix: look for binary using also name of contract * refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key * chore: template renaming * fix: switch circuit for circuit that simply adds * feat: generates test data on the fly * feat: update to latest groth16 verifier * refactor: rename folder, update `.gitignore` * chore: update `Cargo.toml` * chore: update templates extension to indicate that they are templates * chore: rename templates, both files and structs * fix: template inheritance working * feat: template spdx and pragma statements * feat: decider verifier compiles, update test for kzg10 and groth16 templates * feat: parameterize which size of the crs should be stored on the contract * chore: add comment on how the groth16 and kzg10 proofs will be linked together * chore: cargo clippy run * chore: cargo clippy tests * chore: cargo fmt * refactor: remove unused lifetime parameter * chore: end merge * chore: move examples to `folding-schemes` workspace * get latest main changes * fix: temp fix clippy warnings, will remove lints once not used in tests only * fix: cargo clippy lint added on `code_size` * fix: update path to test circuit and add step for installing solc * chore: remove `save_solidity` steps * fix: the borrowed expression implements the required traits * chore: update `Cargo.toml` * chore: remove extra `[patch.crates-io]` * fix: update to patch at the workspace level and add comment explaining this * refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing * refactor: expose modules and remove `dead_code` calls * chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments * chore: be clearer on attributions on `kzg10` --------- Co-authored-by: CPerezz <c.perezbaro@gmail.com> Co-authored-by: arnaucube <root@arnaucube.com>
9 months ago
Add CLI interface for verifier contract generation (#74) * add: solidity-verifier workspace member * chore: Update toolchain to 1.74 * feat: Add basic clap cli interface for solidity verifier This includes a cli parser that serves as a way to the user to generate the desired Solidity contracts. * chore: Expose SoldityVerifier template struct * feat: Finish first working version * change: Modify some settings * fix: Fix rebase conflicts * chore: Leave resolver 2 for workspace * chore: Rename KZG+G16 template Now the template refers to Nova + Cyclefold and has a Warning attached to it * fixup * chore: Rename to NovaCyclefoldDecider the template * chore: Change constructors to `new` instead of `from` * add: ProtocolData trait helper This trait helps to treat the serialized data required by the Template as a single element while still allowing a flexible usage. This is specially interesting as allows the cli to operate considering a single path of input data where all the data for the selected protocol co-exists. Reducing the amount of parsing and arguments the user needs to pass to the cli. * chore: Create `From` impls formally Previously we had functions called `from` which had nothing to do with the trait `From`. This addresses this issue and fixes it. Now both `new` and `from` are avaliable. But `from` follows the `From` trait. * add: Support G16, KZG and Nova+Cyclefold in cli This adds a `render` fn for `Protocol` which makes it easier to add new protocols to the CLI as is mainly based in the `ProtocolData` impl behind the scenes of the selected protocol. Aside from that, this commit reworks some minor parts of the CLI config as shorteners for commands or adding `pragma` as an optional parameter. * chore: Adapt `main.rs` to new cli changes As seen, this allows to have a much easier `main.rs` which doesn't have to do any `match` over the selected protocol. * chore: Make solidity helper fns `cfg(test)` * chore: Rework folding-schemes-solidity structure * chore: Remove g1_crs_batch_points_len from KZGData * add: Serde tests for all template targets * tmp: Add NovaCyclefold testing * add: HeaderInclusion template When we use templates that are composed by others (as happens with `NovaCyclefold` one) we sadly see that the License and the `pragma` attributes are rendered once per sub-template. This generic structure solves this issue by being actually the only item rendered which has a sub-template the template we indeed want to render at the end. * chore: Add tests for NovaCyclefold contract This also includes small changes to the lib architecture such as adding constants for GPL3_SDPX_IDENTIFIER or move the default pragma versions used to `mod.rs` * chore: Update g16 to use HeaderInclusion template rendering Now the `ProtocolData` impl falls back to the usage of `HeaderInclusion` it is easier to handle complex templates like `NovaCyclefold`. * add: Small builder-pattern to construct HeaderInclusion Templates As mentioned in previous commits, the idea is that the header is set on an automatic wrapper template applied to the one that we actually want to render. This builder pattern makes it less complex to do such a thing. Specially avoiding unidiomatic `From` implementations. * remove: sdpx & pragma from KZG template Those are externalized and handled by HeaderInclusion template utility * chore: Update templates to use HeaderInclusion builder * chore: Update tests to use HeaderInclusion builderPattern * remove: fixed pragma version in novacyclefold template * chore: Accept Into<Template> in builder * tmp: Only KZG return passes. Fix Groth * fix: Prevent `revert` from paniking for negative tests * feat: Merge G16 and KZG contract results in NovaCyclefold * chore: Add assets for quicker/easier testing Now instead of generating the protocoldata & proofs on each test, we just deserialize * fix: Address clippy & warnings * fix: Spelling to prevent PR farmers LOL * chore: Add about and long_about to CLI tool * add: README.md * chore: Revert asset-based testing approach * remove: Assets folder * fix: Rebase issues * fix: use &mut for Reader * fix: rebase error with Contract name * chore: Reduce tests LOC with setup fn * chore: Set MIT license indentifier for CLI & KZG * chore: Add extra usage example * chore: Update novacyclefold contract comments on soundess * chore: Typo * chore: Allow type complexity clippy for setup fn * chore: Address Pierre's comments * chore: Rename workspace members - folding-schemes-solidity -> soliity-verifiers
8 months ago
Add solidity groth16, kzg10 and final decider verifiers in a dedicated workspace (#70) * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * Update FoldingSchemes trait, fit Nova+CycleFold - update lib.rs's `FoldingScheme` trait interface - fit Nova+CycleFold into the `FoldingScheme` trait - refactor `src/nova/*` * chore: add serialization assets for testing Now we include an `assets` folder with a serialized proof & vk for tests * Add `examples` dir, with Nova's `FoldingScheme` example * polishing * expose poseidon_test_config outside tests * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * feat: templating kzg working * chore: add emv and revm * feat: start evm file * chore: add ark-poly-commit * chore: move `commitment` to `folding-schemes` * chore: update `.gitignore` to ignore generated contracts * chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces * refactor: update template with no lib * feat: add evm deploy code, compile and create kzg verifier * chore: update `Cargo.toml` to have `folding-schemes` available with verifiers * feat: start kzg prove and verify with sol * chore: compute crs from kzg prover * feat: evm kzg verification passing * tmp * change: Swap order of G2 coordinates within the template * Update way to serialize proof with correct order * chore: update `Cargo.toml` * chore: add revm * chore: add `save_solidity` * refactor: verifiers in dedicated mod * refactor: have dedicated `utils` module * chore: expose modules * chore: update verifier for kzg * chore: rename templates * fix: look for binary using also name of contract * refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key * chore: template renaming * fix: switch circuit for circuit that simply adds * feat: generates test data on the fly * feat: update to latest groth16 verifier * refactor: rename folder, update `.gitignore` * chore: update `Cargo.toml` * chore: update templates extension to indicate that they are templates * chore: rename templates, both files and structs * fix: template inheritance working * feat: template spdx and pragma statements * feat: decider verifier compiles, update test for kzg10 and groth16 templates * feat: parameterize which size of the crs should be stored on the contract * chore: add comment on how the groth16 and kzg10 proofs will be linked together * chore: cargo clippy run * chore: cargo clippy tests * chore: cargo fmt * refactor: remove unused lifetime parameter * chore: end merge * chore: move examples to `folding-schemes` workspace * get latest main changes * fix: temp fix clippy warnings, will remove lints once not used in tests only * fix: cargo clippy lint added on `code_size` * fix: update path to test circuit and add step for installing solc * chore: remove `save_solidity` steps * fix: the borrowed expression implements the required traits * chore: update `Cargo.toml` * chore: remove extra `[patch.crates-io]` * fix: update to patch at the workspace level and add comment explaining this * refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing * refactor: expose modules and remove `dead_code` calls * chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments * chore: be clearer on attributions on `kzg10` --------- Co-authored-by: CPerezz <c.perezbaro@gmail.com> Co-authored-by: arnaucube <root@arnaucube.com>
9 months ago
  1. /*
  2. Copyright 2021 0KIMS association.
  3. * `solidity-verifiers` added comment
  4. This file is a template built out of [snarkJS](https://github.com/iden3/snarkjs) groth16 verifier.
  5. See the original ejs template [here](https://github.com/iden3/snarkjs/blob/master/templates/verifier_groth16.sol.ejs)
  6. *
  7. snarkJS is a free software: you can redistribute it and/or modify it
  8. under the terms of the GNU General Public License as published by
  9. the Free Software Foundation, either version 3 of the License, or
  10. (at your option) any later version.
  11. snarkJS is distributed in the hope that it will be useful, but WITHOUT
  12. ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  13. or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
  14. License for more details.
  15. You should have received a copy of the GNU General Public License
  16. along with snarkJS. If not, see <https://www.gnu.org/licenses/>.
  17. */
  18. contract Groth16Verifier {
  19. // Scalar field size
  20. uint256 constant r = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
  21. // Base field size
  22. uint256 constant q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
  23. // Verification Key data
  24. uint256 constant alphax = {{ vkey_alpha_g1.0[0] }};
  25. uint256 constant alphay = {{ vkey_alpha_g1.0[1] }};
  26. uint256 constant betax1 = {{ vkey_beta_g2.0[0][1] }};
  27. uint256 constant betax2 = {{ vkey_beta_g2.0[0][0] }};
  28. uint256 constant betay1 = {{ vkey_beta_g2.0[1][1] }};
  29. uint256 constant betay2 = {{ vkey_beta_g2.0[1][0] }};
  30. uint256 constant gammax1 = {{ vkey_gamma_g2.0[0][1] }};
  31. uint256 constant gammax2 = {{ vkey_gamma_g2.0[0][0] }};
  32. uint256 constant gammay1 = {{ vkey_gamma_g2.0[1][1] }};
  33. uint256 constant gammay2 = {{ vkey_gamma_g2.0[1][0] }};
  34. uint256 constant deltax1 = {{ vkey_delta_g2.0[0][1] }};
  35. uint256 constant deltax2 = {{ vkey_delta_g2.0[0][0] }};
  36. uint256 constant deltay1 = {{ vkey_delta_g2.0[1][1] }};
  37. uint256 constant deltay2 = {{ vkey_delta_g2.0[1][0] }};
  38. {% for (i, point) in gamma_abc_g1.iter().enumerate() %}
  39. uint256 constant IC{{i}}x = {{ point.0[0] }};
  40. uint256 constant IC{{i}}y = {{ point.0[1] }};
  41. {% endfor %}
  42. // Memory data
  43. uint16 constant pVk = 0;
  44. uint16 constant pPairing = 128;
  45. uint16 constant pLastMem = 896;
  46. function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[{{ gamma_abc_len - 1 }}] calldata _pubSignals) public view returns (bool) {
  47. assembly {
  48. function checkField(v) {
  49. if iszero(lt(v, q)) {
  50. mstore(0, 0)
  51. return(0, 0x20)
  52. }
  53. }
  54. // G1 function to multiply a G1 value(x,y) to value in an address
  55. function g1_mulAccC(pR, x, y, s) {
  56. let success
  57. let mIn := mload(0x40)
  58. mstore(mIn, x)
  59. mstore(add(mIn, 32), y)
  60. mstore(add(mIn, 64), s)
  61. success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
  62. if iszero(success) {
  63. mstore(0, 0)
  64. return(0, 0x20)
  65. }
  66. mstore(add(mIn, 64), mload(pR))
  67. mstore(add(mIn, 96), mload(add(pR, 32)))
  68. success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
  69. if iszero(success) {
  70. mstore(0, 0)
  71. return(0, 0x20)
  72. }
  73. }
  74. function checkPairing(pA, pB, pC, pubSignals, pMem) -> isOk {
  75. let _pPairing := add(pMem, pPairing)
  76. let _pVk := add(pMem, pVk)
  77. mstore(_pVk, IC0x)
  78. mstore(add(_pVk, 32), IC0y)
  79. // Compute the linear combination vk_x
  80. {% for (i, _) in gamma_abc_g1.iter().enumerate() %}
  81. {% if loop.first -%}
  82. {%- else -%}
  83. g1_mulAccC(_pVk, IC{{i}}x, IC{{i}}y, calldataload(add(pubSignals, {{(i-1)*32}})))
  84. {%- endif -%}
  85. {% endfor %}
  86. // -A
  87. mstore(_pPairing, calldataload(pA))
  88. mstore(add(_pPairing, 32), mod(sub(q, calldataload(add(pA, 32))), q))
  89. // B
  90. mstore(add(_pPairing, 64), calldataload(pB))
  91. mstore(add(_pPairing, 96), calldataload(add(pB, 32)))
  92. mstore(add(_pPairing, 128), calldataload(add(pB, 64)))
  93. mstore(add(_pPairing, 160), calldataload(add(pB, 96)))
  94. // alpha1
  95. mstore(add(_pPairing, 192), alphax)
  96. mstore(add(_pPairing, 224), alphay)
  97. // beta2
  98. mstore(add(_pPairing, 256), betax1)
  99. mstore(add(_pPairing, 288), betax2)
  100. mstore(add(_pPairing, 320), betay1)
  101. mstore(add(_pPairing, 352), betay2)
  102. // vk_x
  103. mstore(add(_pPairing, 384), mload(add(pMem, pVk)))
  104. mstore(add(_pPairing, 416), mload(add(pMem, add(pVk, 32))))
  105. // gamma2
  106. mstore(add(_pPairing, 448), gammax1)
  107. mstore(add(_pPairing, 480), gammax2)
  108. mstore(add(_pPairing, 512), gammay1)
  109. mstore(add(_pPairing, 544), gammay2)
  110. // C
  111. mstore(add(_pPairing, 576), calldataload(pC))
  112. mstore(add(_pPairing, 608), calldataload(add(pC, 32)))
  113. // delta2
  114. mstore(add(_pPairing, 640), deltax1)
  115. mstore(add(_pPairing, 672), deltax2)
  116. mstore(add(_pPairing, 704), deltay1)
  117. mstore(add(_pPairing, 736), deltay2)
  118. let success := staticcall(sub(gas(), 2000), 8, _pPairing, 768, _pPairing, 0x20)
  119. isOk := and(success, mload(_pPairing))
  120. }
  121. let pMem := mload(0x40)
  122. mstore(0x40, add(pMem, pLastMem))
  123. // Validate that all evaluations ∈ F
  124. {% for (i, _) in gamma_abc_g1.iter().enumerate() %}
  125. checkField(calldataload(add(_pubSignals, {{i*32}})))
  126. {% endfor %}
  127. // Validate all evaluations
  128. let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)
  129. mstore(0, isValid)
  130. return(0, 0x20)
  131. }
  132. }
  133. }