wip

Author: zhenfeizhang

Diff for: aggregator/Cargo.toml

@@ -14,6 +14,7 @@ ark-std = "0.4.0"
 env_logger = "0.10.0"
 ethers-core = "0.17.0"
 log = "0.4"
+itertools = "0.10.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 rand = "0.8"
@@ -31,5 +32,5 @@ halo2-base = { git = "https://github.com/scroll-tech/halo2-lib", branch = "halo2
 
 
 [features]
-default = []
-# default = [ "ark-std/print-trace" ]
+# default = []
+default = [ "ark-std/print-trace" ]

Diff for: aggregator/configs/compression_wide.config

@@ -1 +1 @@
-{"strategy":"Simple","degree":21,"num_advice":[25],"num_lookup_advice":[1],"num_fixed":1,"lookup_bits":20,"limb_bits":88,"num_limbs":3}
+{"strategy":"Simple","degree":21,"num_advice":[10],"num_lookup_advice":[1],"num_fixed":1,"lookup_bits":20,"limb_bits":88,"num_limbs":3}

Diff for: aggregator/src/lib.rs

@@ -4,6 +4,8 @@ mod chunk;
 // This module implements `Batch` related data types.
 // A batch is a list of chunk.
 mod batch;
+/// Parameters for compression circuit
+pub(crate) mod param;
 /// proof aggregation
 mod proof_aggregation;
 /// proof compression

Diff for: aggregator/src/proof_compression/param.rs renamed to aggregator/src/param.rs

@@ -4,8 +4,8 @@ pub(crate) const LIMBS: usize = 3;
 pub(crate) const BITS: usize = 88;
 
 #[derive(serde::Serialize, serde::Deserialize, Clone, Debug)]
-/// Parameters for aggregation circuit configs.
-pub struct CompressionConfigParams {
+/// Parameters for aggregation circuit and compression circuit configs.
+pub struct ConfigParams {
     pub strategy: FpStrategy,
     pub degree: u32,
     pub num_advice: Vec<usize>,

Diff for: aggregator/src/proof_aggregation.rs

@@ -3,4 +3,5 @@ mod circuit;
 /// public input aggregation
 mod public_input_aggregation;
 
+pub use circuit::AggregationCircuit;
 pub use public_input_aggregation::*;

Diff for: aggregator/src/proof_aggregation/circuit.rs

@@ -1,13 +1,27 @@
 use halo2_proofs::{
     circuit::Value,
-    halo2curves::bn256::{Bn256, Fr, G1Affine},
-    poly::kzg::commitment::ParamsKZG,
+    halo2curves::bn256::{Bn256, Fq, Fr, G1Affine},
+    poly::{commitment::ParamsProver, kzg::commitment::ParamsKZG},
 };
+use itertools::Itertools;
 use rand::Rng;
-use snark_verifier::pcs::kzg::KzgSuccinctVerifyingKey;
-use snark_verifier_sdk::{Snark, SnarkWitness};
+use snark_verifier::{
+    pcs::{
+        kzg::{Bdfg21, Kzg, KzgAccumulator, KzgAs, KzgSuccinctVerifyingKey},
+        AccumulationSchemeProver,
+    },
+    util::arithmetic::fe_to_limbs,
+    verifier::PlonkVerifier,
+};
+use snark_verifier_sdk::{
+    halo2::{aggregation::Shplonk, PoseidonTranscript, POSEIDON_SPEC},
+    NativeLoader, Snark, SnarkWitness,
+};
 
-use crate::{BatchHashCircuit, ChunkHash};
+use crate::{
+    param::{BITS, LIMBS},
+    BatchHashCircuit, ChunkHash,
+};
 
 /// Aggregation circuit that does not re-expose any public inputs from aggregated snarks
 #[derive(Clone)]
@@ -56,6 +70,69 @@ impl AggregationCircuit {
                 });
         }
 
-        todo!()
+        let svk = params.get_g()[0].into();
+
+        // TODO: this is all redundant calculation to get the public output
+        // Halo2 should just be able to expose public output to instance column directly
+        let mut transcript_read =
+            PoseidonTranscript::<NativeLoader, &[u8]>::from_spec(&[], POSEIDON_SPEC.clone());
+        let accumulators = snarks
+            .iter()
+            .flat_map(|snark| {
+                transcript_read.new_stream(snark.proof.as_slice());
+                let proof = Shplonk::read_proof(
+                    &svk,
+                    &snark.protocol,
+                    &snark.instances,
+                    &mut transcript_read,
+                );
+                Shplonk::succinct_verify(&svk, &snark.protocol, &snark.instances, &proof)
+            })
+            .collect::<Vec<_>>();
+
+        let (accumulator, as_proof) = {
+            let mut transcript_write = PoseidonTranscript::<NativeLoader, Vec<u8>>::from_spec(
+                vec![],
+                POSEIDON_SPEC.clone(),
+            );
+            // We always use SHPLONK for accumulation scheme when aggregating proofs
+            let accumulator = KzgAs::<Kzg<Bn256, Bdfg21>>::create_proof::<
+                PoseidonTranscript<NativeLoader, Vec<u8>>,
+                _,
+            >(
+                &Default::default(),
+                &accumulators,
+                &mut transcript_write,
+                rng,
+            )
+            .unwrap();
+            (accumulator, transcript_write.finalize())
+        };
+
+        let KzgAccumulator::<G1Affine, NativeLoader> { lhs, rhs } = accumulator;
+        let acc_instances = [lhs.x, lhs.y, rhs.x, rhs.y]
+            .map(fe_to_limbs::<Fq, Fr, LIMBS, BITS>)
+            .concat();
+        let snark_instance = snarks.iter().flat_map(|snark| {
+            snark
+                .instances
+                .iter()
+                .flat_map(|instance| instance.iter().skip(12))
+        });
+        let flattened_instances = acc_instances
+            .iter()
+            .chain(snark_instance)
+            .cloned()
+            .collect();
+
+        let batch_hash_circuit = BatchHashCircuit::construct(chunk_hashes);
+
+        Self {
+            svk,
+            snarks: snarks.into_iter().cloned().map_into().collect(),
+            flattened_instances,
+            as_proof: Value::known(as_proof),
+            batch_hash_circuit,
+        }
     }
 }

Diff for: aggregator/src/proof_compression.rs

@@ -9,8 +9,5 @@ mod circuit;
 mod circuit_ext;
 /// Config for compression circuit
 mod config;
-/// Parameters for compression circuit
-mod param;
 
 pub use circuit::CompressionCircuit;
-pub use param::CompressionConfigParams;

Diff for: aggregator/src/proof_compression/circuit.rs

@@ -32,9 +32,9 @@ use snark_verifier_sdk::{
     NativeLoader, Snark, SnarkWitness,
 };
 
-use crate::proof_compression::param::{BITS, LIMBS};
+use crate::param::{ConfigParams, BITS, LIMBS};
 
-use super::{config::CompressionConfig, param::CompressionConfigParams};
+use super::config::CompressionConfig;
 
 /// Input a proof, this compression circuit generates a new proof that may have smaller size.
 ///
@@ -79,7 +79,7 @@ impl Circuit<Fr> for CompressionCircuit {
     fn configure(meta: &mut ConstraintSystem<Fr>) -> Self::Config {
         let path = std::env::var("VERIFY_CONFIG")
             .unwrap_or_else(|_| "configs/verify_circuit.config".to_owned());
-        let params: CompressionConfigParams = serde_json::from_reader(
+        let params: ConfigParams = serde_json::from_reader(
             File::open(path.as_str()).unwrap_or_else(|_| panic!("{path:?} does not exist")),
         )
         .unwrap();

Diff for: aggregator/src/proof_compression/circuit_ext.rs

@@ -3,7 +3,7 @@
 use halo2_proofs::{halo2curves::bn256::Fr, plonk::Selector};
 use snark_verifier_sdk::CircuitExt;
 
-use crate::proof_compression::param::LIMBS;
+use crate::param::LIMBS;
 
 use super::circuit::CompressionCircuit;
 

Diff for: aggregator/src/proof_compression/config.rs

@@ -9,9 +9,7 @@ use halo2_proofs::{
 };
 use snark_verifier::loader::halo2::halo2_ecc::fields::fp::FpConfig;
 
-use crate::proof_compression::param::{BITS, LIMBS};
-
-use super::param::CompressionConfigParams;
+use crate::param::{ConfigParams, BITS, LIMBS};
 
 #[derive(Clone, Debug)]
 /// Configurations for compression circuit
@@ -25,7 +23,7 @@ pub struct CompressionConfig {
 
 impl CompressionConfig {
     /// Build a configuration from parameters.
-    pub fn configure(meta: &mut ConstraintSystem<Fr>, params: CompressionConfigParams) -> Self {
+    pub fn configure(meta: &mut ConstraintSystem<Fr>, params: ConfigParams) -> Self {
         assert!(
             params.limb_bits == BITS && params.num_limbs == LIMBS,
             "For now we fix limb_bits = {}, otherwise change code",

Diff for: aggregator/src/tests/mock_chunk.rs

@@ -1,6 +1,11 @@
-use ark_std::test_rng;
+use ark_std::{test_rng, start_timer, end_timer};
+use halo2_base::utils::fs::gen_srs;
 use halo2_proofs::{dev::MockProver, halo2curves::bn256::Fr};
 use snark_verifier_sdk::CircuitExt;
+use snark_verifier_sdk::{
+    gen_pk,
+    halo2::{gen_snark_shplonk, verify_snark_shplonk},
+};
 
 use crate::{ChunkHash, LOG_DEGREE};
 
@@ -11,7 +16,7 @@ mod config;
 #[derive(Debug, Default, Clone, Copy)]
 /// A mock chunk circuit
 pub struct MockChunkCircuit {
-    chunk: ChunkHash,
+    pub(crate) chunk: ChunkHash,
 }
 
 #[test]
@@ -20,10 +25,27 @@ fn test_mock_chunk_prover() {
 
     let mut rng = test_rng();
 
+    let param = gen_srs(LOG_DEGREE);
     let circuit = MockChunkCircuit::random(&mut rng);
     let instance = circuit.instances();
 
     let mock_prover = MockProver::<Fr>::run(LOG_DEGREE, &circuit, instance).unwrap();
 
-    mock_prover.assert_satisfied_par()
+    mock_prover.assert_satisfied_par();
+
+    let timer = start_timer!(|| format!("key generation for k = {}", LOG_DEGREE));
+    let pk = gen_pk(&param, &circuit, None);
+    end_timer!(timer);
+
+    let timer = start_timer!(|| "proving");
+    let snark = gen_snark_shplonk(&param, &pk, circuit, &mut rng, None::<String>);
+    end_timer!(timer);
+
+    let timer = start_timer!(|| "verifying");
+    assert!(verify_snark_shplonk::<MockChunkCircuit>(
+        &param,
+        snark,
+        pk.get_vk()
+    ));
+    end_timer!(timer);
 }

Diff for: aggregator/src/tests/proof_aggregation.rs

@@ -1,31 +1,89 @@
+use std::{fs, path::Path, process};
+
+use ark_std::test_rng;
 use eth_types::H256;
-use halo2_proofs::halo2curves::bn256::Fr;
+use halo2_base::utils::fs::gen_srs;
+use halo2_proofs::{halo2curves::bn256::Fr, poly::commitment::Params};
+use itertools::Itertools;
+use snark_verifier_sdk::{
+    gen_pk,
+    halo2::{gen_snark_shplonk, verify_snark_shplonk},
+};
 
-use crate::{BatchHash, ChunkHash};
+use crate::{AggregationCircuit, BatchHash, ChunkHash};
 
-#[derive(Clone, Debug, Default)]
-// A test circuit that constraints
-// pi = keccak( chain id || prev state root || post state root
-//                       ||   withdraw root || data hash )
-pub(crate) struct TestCircuit {
-    chunk_hashes: Vec<ChunkHash>,
-    batch_hash: BatchHash,
-}
+use super::mock_chunk::MockChunkCircuit;
+
+const CHUNKS_PER_BATCH: usize = 4;
+
+#[test]
+fn test_aggregation_circuit() {
+    env_logger::init();
+
+    let dir = format!("data/{}", process::id());
+    let path = Path::new(dir.as_str());
+    fs::create_dir(path).unwrap();
+
+    let k0 = 19;
+    let k1 = 22;
+    let layer_1_params = gen_srs(k1);
+
+    let mut rng = test_rng();
+    let chunks = (0..CHUNKS_PER_BATCH)
+        .map(|_| ChunkHash::mock_chunk_hash(&mut rng))
+        .collect_vec();
 
-// impl TestCircuit {
-//     fn random<R: rand::RngCore>(r: &mut R, num_chunks: usize) -> Self {
-//         let chunk_hashes = (0..num_chunks)
-//             .map(|_| ChunkHash::mock_chunk_hash(r))
-//             .collect::<Vec<_>>();
-//         let batch_hash = BatchHash::construct(chunk_hashes.as_ref());
-
-//         Self {
-//             chunk_hashes,
-//             batch_hash,
-//         }
-//     }
-
-//     fn instances(&self) -> Vec<Vec<Fr>> {
-//         self.batch_hash.data_hash
-//     }
-// }
+    // build layer 0 snarks
+    let layer_0_snarks = {
+        let layer_0_params = {
+            let mut params = layer_1_params.clone();
+            params.downsize(k0);
+            params
+        };
+
+        let circuits = chunks
+            .iter()
+            .map(|&chunk| MockChunkCircuit { chunk })
+            .collect_vec();
+        log::trace!("finished layer 0 pk generation for circuit");
+        let layer_0_pk = gen_pk(
+            &layer_0_params,
+            &circuits[0],
+            Some(&path.join(Path::new("layer_0.pkey"))),
+        );
+        log::trace!("finished layer 0 pk generation for circuit");
+
+        let layer_0_snarks = circuits
+            .iter()
+            .enumerate()
+            .map(|(i, circuit)| {
+                gen_snark_shplonk(
+                    &layer_0_params,
+                    &layer_0_pk,
+                    circuit.clone(),
+                    &mut rng,
+                    Some(&path.join(Path::new(format!("layer_0_{}.snark", i).as_str()))),
+                )
+            })
+            .collect_vec();
+        log::trace!("finished layer 0 snark generation for circuit");
+
+        // sanity checks
+        layer_0_snarks.iter().for_each(|snark| {
+            assert!(verify_snark_shplonk::<MockChunkCircuit>(
+                &layer_0_params,
+                snark.clone(),
+                layer_0_pk.get_vk()
+            ))
+        });
+        log::trace!("finished layer 0 snark verification");
+
+        layer_0_snarks
+    };
+
+    // build layer 1 the aggregation circuit
+    {
+        let aggregation_circuit =
+            AggregationCircuit::new(&layer_1_params, &layer_0_snarks, rng, &chunks);
+    }
+}

Diff for: aggregator/src/tests/proof_compression.rs

@@ -137,7 +137,7 @@ fn test_proof_compression() {
     fs::create_dir(path).unwrap();
 
     let k0 = 19;
-    let k1 = 21;
+    let k1 = 22;
 
     let mut rng = test_rng();
     let layer_1_params = gen_srs(k1);
@@ -167,7 +167,7 @@ fn test_proof_compression() {
         );
         log::trace!("finished layer 0 snark generation for circuit");
 
-        assert!(verify_snark_shplonk::<TestCircuit>(
+        assert!(verify_snark_shplonk::<MockChunkCircuit>(
             &layer_0_params,
             layer_0_snark.clone(),
             layer_0_pk.get_vk()