[fix] chain id u32 -> u64

Author: zhenfeizhang

aggregator/README.md

@@ -49,7 +49,7 @@ It also performs public input aggregation, i.e., reducing the `64k` public eleme
     - last_chunk_post_state_root: 32 Field elements
     - last_chunk_withdraw_root: 32 Field elements
     - batch_public_input_hash: 32 Field elements
-    - chain_id: 4 Field elements
+    - chain_id: 8 Field elements
 
 In addition, it attests that, for chunks indexed from `0` to `k-1`,
 - batch_data_hash := keccak(chunk_0.data_hash || ... || chunk_k-1.data_hash) where chunk_i.data_hash is a public input to the i-th batch snark circuit

aggregator/src/chunk.rs

@@ -12,7 +12,7 @@ use ethers_core::utils::keccak256;
 /// - the data hash of this chunk
 pub struct ChunkHash {
     /// Chain identifier
-    pub(crate) chain_id: u32,
+    pub(crate) chain_id: u64,
     /// state root before this chunk
     pub(crate) prev_state_root: H256,
     /// state root after this chunk

aggregator/src/core.rs

@@ -27,7 +27,7 @@ use zkevm_circuits::{
 
 use crate::{
     util::{assert_equal, capacity, get_indices},
-    LOG_DEGREE,
+    CHAIN_ID_LEN, LOG_DEGREE,
 };
 
 /// Input the hash input bytes,
@@ -127,12 +127,12 @@ pub(crate) fn assign_batch_hashes<F: Field>(
                 for j in 0..8 {
                     // sanity check
                     assert_equal(
-                        &hash_input_cells[0][i * 8 + j + 100],
+                        &hash_input_cells[0][i * 8 + j + 96 + CHAIN_ID_LEN],
                         &hash_output_cells[1][(3 - i) * 8 + j],
                     );
                     region.constrain_equal(
                         // preimage and digest has different endianness
-                        hash_input_cells[0][i * 8 + j + 100].cell(),
+                        hash_input_cells[0][i * 8 + j + 96 + CHAIN_ID_LEN].cell(),
                         hash_output_cells[1][(3 - i) * 8 + j].cell(),
                     )?;
                 }
@@ -158,29 +158,32 @@ pub(crate) fn assign_batch_hashes<F: Field>(
             for i in 0..32 {
                 // 2.2.1 chunk[0].prev_state_root
                 // sanity check
-                assert_equal(&hash_input_cells[0][i + 4], &hash_input_cells[2][i + 4]);
+                assert_equal(
+                    &hash_input_cells[0][i + CHAIN_ID_LEN],
+                    &hash_input_cells[2][i + CHAIN_ID_LEN],
+                );
                 region.constrain_equal(
-                    hash_input_cells[0][i + 4].cell(),
-                    hash_input_cells[2][i + 4].cell(),
+                    hash_input_cells[0][i + CHAIN_ID_LEN].cell(),
+                    hash_input_cells[2][i + CHAIN_ID_LEN].cell(),
                 )?;
                 // 2.2.2 chunk[k-1].post_state_root
                 // sanity check
                 assert_equal(
-                    &hash_input_cells[0][i + 36],
-                    &hash_input_cells[hash_num - 1][i + 36],
+                    &hash_input_cells[0][i + CHAIN_ID_LEN + 32],
+                    &hash_input_cells[hash_num - 1][i + CHAIN_ID_LEN + 32],
                 );
                 region.constrain_equal(
-                    hash_input_cells[0][i + 36].cell(),
-                    hash_input_cells[hash_num - 1][i + 36].cell(),
+                    hash_input_cells[0][i + CHAIN_ID_LEN + 32].cell(),
+                    hash_input_cells[hash_num - 1][i + CHAIN_ID_LEN + 32].cell(),
                 )?;
                 // 2.2.3 chunk[k-1].withdraw_root
                 assert_equal(
-                    &hash_input_cells[0][i + 68],
-                    &hash_input_cells[hash_num - 1][i + 68],
+                    &hash_input_cells[0][i + CHAIN_ID_LEN + 64],
+                    &hash_input_cells[hash_num - 1][i + CHAIN_ID_LEN + 64],
                 );
                 region.constrain_equal(
-                    hash_input_cells[0][i + 68].cell(),
-                    hash_input_cells[hash_num - 1][i + 68].cell(),
+                    hash_input_cells[0][i + CHAIN_ID_LEN + 64].cell(),
+                    hash_input_cells[hash_num - 1][i + CHAIN_ID_LEN + 64].cell(),
                 )?;
             }
 
@@ -198,8 +201,11 @@ pub(crate) fn assign_batch_hashes<F: Field>(
             for (i, chunk) in hash_input_cells[1].chunks(32).enumerate().take(num_chunks) {
                 for (j, cell) in chunk.iter().enumerate() {
                     // sanity check
-                    assert_equal(cell, &hash_input_cells[2 + i][j + 100]);
-                    region.constrain_equal(cell.cell(), hash_input_cells[2 + i][j + 100].cell())?;
+                    assert_equal(cell, &hash_input_cells[2 + i][j + CHAIN_ID_LEN + 96]);
+                    region.constrain_equal(
+                        cell.cell(),
+                        hash_input_cells[2 + i][j + CHAIN_ID_LEN + 96].cell(),
+                    )?;
                 }
             }
 
@@ -208,21 +214,21 @@ pub(crate) fn assign_batch_hashes<F: Field>(
                 for j in 0..32 {
                     // sanity check
                     assert_equal(
-                        &hash_input_cells[i + 3][4 + j],
-                        &hash_input_cells[i + 2][36 + j],
+                        &hash_input_cells[i + 3][CHAIN_ID_LEN + j],
+                        &hash_input_cells[i + 2][CHAIN_ID_LEN + 32 + j],
                     );
                     region.constrain_equal(
                         // chunk[i+1].prevStateRoot
-                        hash_input_cells[i + 3][4 + j].cell(),
+                        hash_input_cells[i + 3][CHAIN_ID_LEN + j].cell(),
                         // chunk[i].postStateRoot
-                        hash_input_cells[i + 2][36 + j].cell(),
+                        hash_input_cells[i + 2][CHAIN_ID_LEN + 32 + j].cell(),
                     )?;
                 }
             }
 
             // 2.5 assert hashes use a same chain id
             for i in 0..num_chunks {
-                for j in 0..4 {
+                for j in 0..CHAIN_ID_LEN {
                     // sanity check
                     assert_equal(&hash_input_cells[0][j], &hash_input_cells[i + 2][j]);
                     region.constrain_equal(

aggregator/src/proof_aggregation/circuit.rs

@@ -27,7 +27,7 @@ use crate::{
     core::{assign_batch_hashes, extract_accumulators_and_proof},
     param::{ConfigParams, BITS, LIMBS},
     proof_aggregation::config::AggregationConfig,
-    BatchHashCircuit, ChunkHash,
+    BatchHashCircuit, ChunkHash, CHAIN_ID_LEN,
 };
 
 /// Aggregation circuit that does not re-expose any public inputs from aggregated snarks
@@ -329,19 +329,19 @@ impl Circuit<Fr> for AggregationCircuit {
             for i in 0..32 {
                 // first_chunk_prev_state_root
                 layouter.constrain_instance(
-                    hash_input_cells[2][4 + i].cell(),
+                    hash_input_cells[2][CHAIN_ID_LEN + i].cell(),
                     config.instance,
                     i + acc_len,
                 )?;
                 // last_chunk_post_state_root
                 layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[36 + i].cell(),
+                    hash_input_cells.last().unwrap()[CHAIN_ID_LEN + 32 + i].cell(),
                     config.instance,
                     i + 32 + acc_len,
                 )?;
                 // last_chunk_withdraw_root
                 layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[68 + i].cell(),
+                    hash_input_cells.last().unwrap()[CHAIN_ID_LEN + 64 + i].cell(),
                     config.instance,
                     i + 64 + acc_len,
                 )?;
@@ -357,8 +357,8 @@ impl Circuit<Fr> for AggregationCircuit {
                     )?;
                 }
             }
-            // last 4 inputs are the chain id
-            for i in 0..4 {
+            // last 8 inputs are the chain id
+            for i in 0..CHAIN_ID_LEN {
                 layouter.constrain_instance(
                     hash_input_cells[0][i].cell(),
                     config.instance,

aggregator/src/proof_aggregation/config.rs

@@ -29,7 +29,7 @@ pub struct AggregationConfig {
     pub keccak_circuit_config: KeccakCircuitConfig<Fr>,
     /// Instance for public input; stores
     /// - accumulator from aggregation (12 elements)
-    /// - aggregated public inputs (132 elements):
+    /// - aggregated public inputs (136 elements):
     ///     chain_id ||
     ///     chunk\[0\].prev_state_root ||
     ///     chunk\[k-1\].post_state_root ||

aggregator/src/proof_aggregation/public_input_aggregation.rs

@@ -34,7 +34,7 @@
 //! - last_chunk_post_state_root: 32 Field elements
 //! - last_chunk_withdraw_root: 32 Field elements
 //! - batch_public_input_hash: 32 Field elements
-//! - chain_id: 4 Field elements
+//! - chain_id: 8 Field elements
 //!
 //! ## Constraints
 //! The circuit attests the following statements:
@@ -66,6 +66,9 @@ pub use config::{BatchCircuitConfig, BatchCircuitConfigArgs};
 // TODO(ZZ): update to the right degree
 pub(crate) const LOG_DEGREE: u32 = 19;
 
+// A chain_id is u64 and uses 8 bytes
+pub(crate) const CHAIN_ID_LEN: usize = 8;
+
 // Each round requires (NUM_ROUNDS+1) * DEFAULT_KECCAK_ROWS = 300 rows.
 // This library is hard coded for this parameter.
 // Modifying the following parameters may result into bugs.

aggregator/src/proof_aggregation/public_input_aggregation/circuit.rs

@@ -9,7 +9,7 @@ use halo2_proofs::{
 
 use zkevm_circuits::util::{Challenges, SubCircuitConfig};
 
-use crate::{core::assign_batch_hashes, BatchHash, ChunkHash};
+use crate::{core::assign_batch_hashes, BatchHash, ChunkHash, CHAIN_ID_LEN};
 
 use super::config::{BatchCircuitConfig, BatchCircuitConfigArgs};
 
@@ -19,7 +19,7 @@ use super::config::{BatchCircuitConfig, BatchCircuitConfigArgs};
 /// generate the circuit.
 #[derive(Clone, Debug, Default)]
 pub struct BatchHashCircuit<F: Field> {
-    pub(crate) chain_id: u32,
+    pub(crate) chain_id: u64,
     pub(crate) chunks: Vec<ChunkHash>,
     pub(crate) batch: BatchHash,
     _phantom: PhantomData<F>,
@@ -28,7 +28,7 @@ pub struct BatchHashCircuit<F: Field> {
 /// Public input to a batch circuit.
 /// In raw format. I.e., before converting to field elements.
 pub struct BatchHashCircuitPublicInput {
-    pub(crate) chain_id: u32,
+    pub(crate) chain_id: u64,
     pub(crate) first_chunk_prev_state_root: H256,
     pub(crate) last_chunk_post_state_root: H256,
     pub(crate) last_chunk_withdraw_root: H256,
@@ -184,19 +184,19 @@ impl<F: Field> Circuit<F> for BatchHashCircuit<F> {
             for i in 0..32 {
                 // first_chunk_prev_state_root
                 layouter.constrain_instance(
-                    hash_input_cells[2][4 + i].cell(),
+                    hash_input_cells[2][CHAIN_ID_LEN + i].cell(),
                     config.hash_digest_column,
                     i,
                 )?;
                 // last_chunk_post_state_root
                 layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[36 + i].cell(),
+                    hash_input_cells.last().unwrap()[CHAIN_ID_LEN + 32 + i].cell(),
                     config.hash_digest_column,
                     i + 32,
                 )?;
                 // last_chunk_withdraw_root
                 layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[68 + i].cell(),
+                    hash_input_cells.last().unwrap()[CHAIN_ID_LEN + 64 + i].cell(),
                     config.hash_digest_column,
                     i + 64,
                 )?;
@@ -212,8 +212,8 @@ impl<F: Field> Circuit<F> for BatchHashCircuit<F> {
                     )?;
                 }
             }
-            // last 4 inputs are the chain id
-            for i in 0..4 {
+            // last 8 inputs are the chain id
+            for i in 0..CHAIN_ID_LEN {
                 layouter.constrain_instance(
                     hash_input_cells[0][i].cell(),
                     config.hash_digest_column,

aggregator/src/proof_aggregation/public_input_aggregation/circuit_ext.rs

@@ -5,7 +5,7 @@ use crate::BatchHashCircuit;
 
 impl<F: Field> CircuitExt<F> for BatchHashCircuit<F> {
     fn num_instance(&self) -> Vec<usize> {
-        vec![132]
+        vec![136]
     }
 
     /// Compute the public inputs for this circuit.

aggregator/src/tests/mock_chunk/circuit_ext.rs

@@ -1,22 +1,27 @@
 use halo2_proofs::halo2curves::bn256::Fr;
 use snark_verifier_sdk::CircuitExt;
 
+use crate::CHAIN_ID_LEN;
+
 use super::MockChunkCircuit;
 
 impl CircuitExt<Fr> for MockChunkCircuit {
     /// 64 elements from digest
     fn num_instance(&self) -> Vec<usize> {
-        vec![64]
+        vec![64 + CHAIN_ID_LEN]
     }
 
     /// return vec![data hash | public input hash]
     fn instances(&self) -> Vec<Vec<Fr>> {
-        vec![self
+        vec![
+            self.chain_id.to_le_bytes().iter().zip(
+            
+            self
             .chunk
             .data_hash
             .as_bytes()
             .iter()
-            .chain(self.chunk.public_input_hash().as_bytes().iter())
+            .chain(self.chunk.public_input_hash().as_bytes().iter()))
             .map(|&x| Fr::from(x as u64))
             .collect()]
     }

aggregator/src/util.rs

@@ -31,7 +31,9 @@ pub(crate) fn get_indices(preimages: &[Vec<u8>]) -> (Vec<usize>, Vec<usize>) {
 
     for preimage in preimages.iter() {
         let num_rounds = 1 + preimage.len() / 136;
-        for (i, round) in preimage.chunks(136).enumerate() {
+        let mut preimage_padded = preimage.clone();
+        preimage_padded.resize(136 * num_rounds, 0);
+        for (i, round) in preimage_padded.chunks(136).enumerate() {
             // indices for preimages
             for (j, _chunk) in round.chunks(8).into_iter().enumerate() {
                 for k in 0..8 {