[refactor] remove pi agg circuit; integrated into proof agg circuit

Author: zhenfeizhang

aggregator/src/batch.rs

@@ -1,19 +1,85 @@
-use eth_types::H256;
+//! This module implements related functions that aggregates public inputs of many chunks into a
+//! single one.
+//!
+//! # Spec
+//!
+//! A chunk is a list of continuous blocks. It consists of 4 hashes:
+//! - state root before this chunk
+//! - state root after this chunk
+//! - the withdraw root of this chunk
+//! - the data hash of this chunk
+//! Those 4 hashes are obtained from the caller.
+//!
+//! A chunk's public input hash is then derived from the above 4 attributes via
+//!
+//! - chunk_pi_hash   := keccak(chain_id || prev_state_root || post_state_root || withdraw_root ||
+//!   chunk_data_hash)
+//!
+//! A batch is a list of continuous chunks. It consists of 2 hashes
+//!
+//! - batch_data_hash := keccak(chunk_0.data_hash || ... || chunk_k-1.data_hash)
+//!
+//! - batch_pi_hash   := keccak(chain_id || chunk_0.prev_state_root || chunk_k-1.post_state_root ||
+//!   chunk_k-1.withdraw_root || batch_data_hash)
+//!
+//! Note that chain_id is used for all public input hashes. But not for any data hashes.
+//!
+//! # Circuit
+//!
+//! A BatchHashCircuit asserts that the batch is well-formed.
+//!
+//! ## Public Input
+//! The public inputs of the circuit (32 Field elements) is constructed as
+//! - batch_pi_hash: 32 Field elements
+//!
+//! ## Constraints
+//! The circuit attests the following statements:
+//!
+//! 1. all hashes are computed correctly
+//! 2. the relations between hash preimages and digests are satisfied
+//!     - batch_data_hash is part of the input to compute batch_pi_hash
+//!     - batch_pi_hash used same roots as chunk_pi_hash
+//!     - same data_hash is used to compute batch_data_hash and chunk_pi_hash for all chunks
+//!     - chunks are continuous: they are linked via the state roots
+//!     - all hashes uses a same chain_id
+//! 3. the batch_pi_hash matches the circuit's public input (32 field elements) above
+
+use eth_types::{Field, H256};
 use ethers_core::utils::keccak256;
 
 use super::chunk::ChunkHash;
 
 #[derive(Default, Debug, Clone)]
 /// A batch is a set of continuous chunks.
 /// A BatchHash consists of 2 hashes.
+/// - batch_data_hash := keccak(chunk_0.data_hash || ... || chunk_k-1.data_hash)
+/// - batch_pi_hash   := keccak(chain_id || chunk_0.prev_state_root || chunk_k-1.post_state_root ||
+///   chunk_k-1.withdraw_root || batch_data_hash)
 pub struct BatchHash {
+    pub(crate) chain_id: u64,
+    pub(crate) chunks: Vec<ChunkHash>,
     pub(crate) data_hash: H256,
     pub(crate) public_input_hash: H256,
 }
 
 impl BatchHash {
+    /// Sample a batch hash circuit from random (for testing)
+    #[cfg(test)]
+    pub(crate) fn mock_batch_hash_circuit<R: rand::RngCore>(r: &mut R, size: usize) -> Self {
+        let mut chunks = (0..size)
+            .map(|_| ChunkHash::mock_chunk_hash(r))
+            .collect::<Vec<_>>();
+        for i in 0..size - 1 {
+            chunks[i + 1].prev_state_root = chunks[i].post_state_root;
+        }
+
+        Self::construct(&chunks)
+    }
+
     /// Build Batch hash from a list of chunks
     pub(crate) fn construct(chunk_hashes: &[ChunkHash]) -> Self {
+        assert!(!chunk_hashes.is_empty(), "input chunk slice is empty");
+
         // sanity: the chunks are continuous
         for i in 0..chunk_hashes.len() - 1 {
             assert_eq!(
@@ -50,8 +116,82 @@ impl BatchHash {
         let public_input_hash = keccak256(preimage);
 
         Self {
+            chain_id: chunk_hashes[0].chain_id,
+            chunks: chunk_hashes.to_vec(),
             data_hash: data_hash.into(),
             public_input_hash: public_input_hash.into(),
         }
     }
+
+    /// Extract all the hash inputs that will ever be used
+    /// orders:
+    /// - batch_public_input_hash
+    /// - batch_data_hash_preimage
+    /// - chunk\[i\].piHash for i in \[0, k)
+    pub(crate) fn extract_hash_preimages(&self) -> Vec<Vec<u8>> {
+        let mut res = vec![];
+
+        // batchPiHash =
+        //  keccak(
+        //      chain_id ||
+        //      chunk[0].prev_state_root ||
+        //      chunk[k-1].post_state_root ||
+        //      chunk[k-1].withdraw_root ||
+        //      batch_data_hash )
+        let batch_public_input_hash_preimage = [
+            self.chain_id.to_le_bytes().as_ref(),
+            self.chunks[0].prev_state_root.as_bytes(),
+            self.chunks.last().unwrap().post_state_root.as_bytes(),
+            self.chunks.last().unwrap().withdraw_root.as_bytes(),
+            self.data_hash.as_bytes(),
+        ]
+        .concat();
+        res.push(batch_public_input_hash_preimage);
+
+        // batchDataHash = keccak(chunk[0].dataHash || ... || chunk[k-1].dataHash)
+        let batch_data_hash_preimage = self
+            .chunks
+            .iter()
+            .flat_map(|x| x.data_hash.as_bytes().iter())
+            .cloned()
+            .collect();
+        res.push(batch_data_hash_preimage);
+
+        // compute piHash for each chunk for i in [0..k)
+        // chunk[i].piHash =
+        // keccak(
+        //        chain id ||
+        //        chunk[i].prevStateRoot || chunk[i].postStateRoot || chunk[i].withdrawRoot ||
+        //        chunk[i].datahash)
+        for chunk in self.chunks.iter() {
+            let chunk_pi_hash_preimage = [
+                self.chain_id.to_le_bytes().as_ref(),
+                chunk.prev_state_root.as_bytes(),
+                chunk.post_state_root.as_bytes(),
+                chunk.withdraw_root.as_bytes(),
+                chunk.data_hash.as_bytes(),
+            ]
+            .concat();
+            res.push(chunk_pi_hash_preimage)
+        }
+
+        res
+    }
+
+    fn num_instance(&self) -> Vec<usize> {
+        // 12 elements from the accumulators
+        // 32 elements from batch_data_hash_digest
+        vec![44]
+    }
+
+    /// Compute the public inputs for this circuit
+    /// which is the public_input_hash
+    pub(crate) fn instances<F: Field>(&self) -> Vec<Vec<F>> {
+        vec![self
+            .public_input_hash
+            .as_bytes()
+            .iter()
+            .map(|&x| F::from(x as u64))
+            .collect()]
+    }
 }

aggregator/src/proof_aggregation.rs

@@ -4,10 +4,35 @@ mod circuit;
 mod circuit_ext;
 /// Config for aggregation circuit
 mod config;
-/// public input aggregation
-mod public_input_aggregation;
 
 pub use circuit::AggregationCircuit;
 pub use config::AggregationConfig;
 
-pub(crate) use public_input_aggregation::*;
+// TODO(ZZ): update to the right degree
+pub(crate) const LOG_DEGREE: u32 = 19;
+
+// ================================
+// indices for hash bytes
+// ================================
+//
+// the preimages are arranged as
+// - chain_id:          8 bytes
+// - prev_state_root    32 bytes
+// - post_state_root    32 bytes
+// - withdraw_root      32 bytes
+// - chunk_data_hash    32 bytes
+//
+// A chain_id is u64 and uses 8 bytes
+pub(crate) const CHAIN_ID_LEN: usize = 8;
+pub(crate) const PREV_STATE_ROOT_INDEX: usize = 8;
+pub(crate) const POST_STATE_ROOT_INDEX: usize = 40;
+pub(crate) const WITHDRAW_ROOT_INDEX: usize = 72;
+pub(crate) const CHUNK_DATA_HASH_INDEX: usize = 104;
+
+// Each round requires (NUM_ROUNDS+1) * DEFAULT_KECCAK_ROWS = 300 rows.
+// This library is hard coded for this parameter.
+// Modifying the following parameters may result into bugs.
+// Adopted from keccak circuit
+pub(crate) const DEFAULT_KECCAK_ROWS: usize = 12;
+// Adopted from keccak circuit
+pub(crate) const NUM_ROUNDS: usize = 24;

aggregator/src/proof_aggregation/circuit.rs

@@ -27,7 +27,7 @@ use crate::{
     core::{assign_batch_hashes, extract_accumulators_and_proof},
     param::{ConfigParams, BITS, LIMBS},
     proof_aggregation::config::AggregationConfig,
-    BatchHashCircuit, ChunkHash, CHAIN_ID_LEN, POST_STATE_ROOT_INDEX, PREV_STATE_ROOT_INDEX,
+    BatchHash, ChunkHash, CHAIN_ID_LEN, POST_STATE_ROOT_INDEX, PREV_STATE_ROOT_INDEX,
     WITHDRAW_ROOT_INDEX,
 };
 
@@ -43,7 +43,7 @@ pub struct AggregationCircuit {
     // accumulation scheme proof, private input
     pub(crate) as_proof: Value<Vec<u8>>,
     // batch hash circuit for which the snarks are generated
-    pub(crate) batch_hash_circuit: BatchHashCircuit<Fr>,
+    pub(crate) batch_hash: BatchHash,
 }
 
 impl AggregationCircuit {
@@ -98,8 +98,8 @@ impl AggregationCircuit {
             .concat();
 
         // extract the pi aggregation circuit's instances
-        let batch_hash_circuit = BatchHashCircuit::construct(chunk_hashes);
-        let pi_aggregation_instances = &batch_hash_circuit.instances()[0];
+        let batch_hash = BatchHash::construct(chunk_hashes);
+        let pi_aggregation_instances = &batch_hash.instances()[0];
 
         let flattened_instances: Vec<Fr> = [
             acc_instances.as_slice(),
@@ -117,7 +117,7 @@ impl AggregationCircuit {
             snarks: snarks.iter().cloned().map_into().collect(),
             flattened_instances,
             as_proof: Value::known(as_proof),
-            batch_hash_circuit,
+            batch_hash,
         }
     }
 
@@ -177,7 +177,7 @@ impl Circuit<Fr> for AggregationCircuit {
         //   circuit
 
         // ==============================================
-        // Step 1: aggregation circuit
+        // Step 1: snark aggregation circuit
         // ==============================================
         let mut accumulator_instances: Vec<AssignedValue<Fr>> = vec![];
         let mut snark_inputs: Vec<AssignedValue<Fr>> = vec![];
@@ -253,7 +253,7 @@ impl Circuit<Fr> for AggregationCircuit {
         let challenges = challenge.values(&layouter);
 
         let timer = start_timer!(|| ("extract hash").to_string());
-        let preimages = self.batch_hash_circuit.extract_hash_preimages();
+        let preimages = self.batch_hash.extract_hash_preimages();
         end_timer!(timer);
 
         let timer = start_timer!(|| ("load aux table").to_string());
@@ -330,51 +330,21 @@ impl Circuit<Fr> for AggregationCircuit {
         )?;
 
         // ====================================================
-        // Last step: Constraint the hash data matches the raw public input
+        // Last step: Constraint the hash data matches the public input
         // ====================================================
         let acc_len = 12;
         {
-            for i in 0..32 {
-                // first_chunk_prev_state_root
-                layouter.constrain_instance(
-                    hash_input_cells[2][PREV_STATE_ROOT_INDEX + i].cell(),
-                    config.instance,
-                    i + acc_len,
-                )?;
-                // last_chunk_post_state_root
-                layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[POST_STATE_ROOT_INDEX + i].cell(),
-                    config.instance,
-                    i + 32 + acc_len,
-                )?;
-                // last_chunk_withdraw_root
-                layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[WITHDRAW_ROOT_INDEX + i].cell(),
-                    config.instance,
-                    i + 64 + acc_len,
-                )?;
-            }
             // batch_public_input_hash
             for i in 0..4 {
                 for j in 0..8 {
                     // digest in circuit has a different endianness
-                    // 96 is the byte position for batch data hash
                     layouter.constrain_instance(
                         hash_output_cells[0][(3 - i) * 8 + j].cell(),
                         config.instance,
-                        i * 8 + j + 96 + acc_len,
+                        i * 8 + j + acc_len,
                     )?;
                 }
             }
-            // last 8 inputs are the chain id
-            // chain_id is put at last here
-            for i in 0..CHAIN_ID_LEN {
-                layouter.constrain_instance(
-                    hash_input_cells[0][i].cell(),
-                    config.instance,
-                    128 + acc_len + i,
-                )?;
-            }
         }
 
         end_timer!(witness_time);

aggregator/src/proof_aggregation/circuit_ext.rs

@@ -7,10 +7,8 @@ impl CircuitExt<Fr> for AggregationCircuit {
     fn num_instance(&self) -> Vec<usize> {
         // accumulator [..lhs, ..rhs]
         let acc_len = 4 * LIMBS;
-        // public input
-        let public_input_agg_instance_len = self.batch_hash_circuit.num_instance()[0];
-
-        vec![public_input_agg_instance_len + acc_len]
+        // 32 elements for batch's public_input_hash
+        vec![acc_len + 32]
     }
 
     fn instances(&self) -> Vec<Vec<Fr>> {

aggregator/src/proof_aggregation/config.rs

@@ -29,13 +29,7 @@ pub struct AggregationConfig {
     pub keccak_circuit_config: KeccakCircuitConfig<Fr>,
     /// Instance for public input; stores
     /// - accumulator from aggregation (12 elements)
-    /// - aggregated public inputs (136 elements):
-    ///     chunk\[0\].prev_state_root ||
-    ///     chunk\[k-1\].post_state_root ||
-    ///     chunk\[k-1\].withdraw_root ||
-    ///     batch_data_hash ||
-    ///     chain_id
-    /// chain_id is put at last here for instance
+    /// - batch_public_input_hash (32 elements)
     pub instance: Column<Instance>,
 }