[feat] parameterize hard coded constants

Author: zhenfeizhang

aggregator/src/core.rs

@@ -27,7 +27,8 @@ use zkevm_circuits::{
 
 use crate::{
     util::{assert_equal, capacity, get_indices},
-    CHAIN_ID_LEN, LOG_DEGREE,
+    CHAIN_ID_LEN, CHUNK_DATA_HASH_INDEX, LOG_DEGREE, POST_STATE_ROOT_INDEX, PREV_STATE_ROOT_INDEX,
+    WITHDRAW_ROOT_INDEX,
 };
 
 /// Input the hash input bytes,
@@ -50,18 +51,18 @@ pub(crate) fn assign_batch_hashes<F: Field>(
     let num_rows = 1 << LOG_DEGREE;
 
     let timer = start_timer!(|| ("multi keccak").to_string());
-    // wenqing: preimages consists of the following parts
+    // preimages consists of the following parts
     // (1) batchPiHash preimage =
     //      (chain_id ||
     //      chunk[0].prev_state_root ||
     //      chunk[k-1].post_state_root ||
     //      chunk[k-1].withdraw_root ||
     //      batch_data_hash)
-    // (2) batchDataHash preimage = 
+    // (2) batchDataHash preimage =
     //      (chunk[0].dataHash || ... || chunk[k-1].dataHash)
     // (3) chunk[i].piHash preimage =
     //      (chain id ||
-    //      chunk[i].prevStateRoot || chunk[i].postStateRoot || 
+    //      chunk[i].prevStateRoot || chunk[i].postStateRoot ||
     //      chunk[i].withdrawRoot || chunk[i].datahash)
     // each part of the preimage is mapped to image by Keccak256
     let witness = multi_keccak(preimages, challenges, capacity(num_rows))?;
@@ -98,12 +99,12 @@ pub(crate) fn assign_batch_hashes<F: Field>(
                 let row = config.set_row(&mut region, offset, keccak_row)?;
 
                 if cur_preimage_index.is_some() && *cur_preimage_index.unwrap() == offset {
-                    // wenqing: 7-th column is Keccak input in Keccak circuit
+                    // 7-th column is Keccak input in Keccak circuit
                     current_hash_input_cells.push(row[6].clone());
                     cur_preimage_index = preimage_indices_iter.next();
                 }
                 if cur_digest_index.is_some() && *cur_digest_index.unwrap() == offset {
-                    // wenqing: last column is Keccak output in Keccak circuit
+                    // last column is Keccak output in Keccak circuit
                     current_hash_output_cells.push(row.last().unwrap().clone());
                     cur_digest_index = digest_indices_iter.next();
                 }
@@ -142,14 +143,14 @@ pub(crate) fn assign_batch_hashes<F: Field>(
             for i in 0..4 {
                 for j in 0..8 {
                     // sanity check
-                    // wenqing: 96 + CHAIN_ID_LEN is the byte position for batch_data_hash
+                    // CHUNK_DATA_HASH_INDEX is the byte position for batch_data_hash
                     assert_equal(
-                        &hash_input_cells[0][i * 8 + j + 96 + CHAIN_ID_LEN],
+                        &hash_input_cells[0][i * 8 + j + CHUNK_DATA_HASH_INDEX],
                         &hash_output_cells[1][(3 - i) * 8 + j],
                     );
                     region.constrain_equal(
                         // preimage and digest has different endianness
-                        hash_input_cells[0][i * 8 + j + 96 + CHAIN_ID_LEN].cell(),
+                        hash_input_cells[0][i * 8 + j + CHUNK_DATA_HASH_INDEX].cell(),
                         hash_output_cells[1][(3 - i) * 8 + j].cell(),
                     )?;
                 }
@@ -172,39 +173,39 @@ pub(crate) fn assign_batch_hashes<F: Field>(
             //        chunk[i].postStateRoot ||
             //        chunk[i].withdrawRoot  ||
             //        chunk[i].datahash)
-            // wenqing: CHAIN_ID_LEN, 
-            //          CHAIN_ID_LEN+32, 
-            //          CHAIN_ID_LEN+64 used below are byte positions for 
-            //          prev_state_root, post_state_root, withdraw_root
+            //
+            // PREV_STATE_ROOT_INDEX, POST_STATE_ROOT_INDEX, WITHDRAW_ROOT_INDEX
+            // used below are byte positions for
+            // prev_state_root, post_state_root, withdraw_root
             for i in 0..32 {
                 // 2.2.1 chunk[0].prev_state_root
                 // sanity check
                 assert_equal(
-                    &hash_input_cells[0][i + CHAIN_ID_LEN],
-                    &hash_input_cells[2][i + CHAIN_ID_LEN],
+                    &hash_input_cells[0][i + PREV_STATE_ROOT_INDEX],
+                    &hash_input_cells[2][i + PREV_STATE_ROOT_INDEX],
                 );
                 region.constrain_equal(
-                    hash_input_cells[0][i + CHAIN_ID_LEN].cell(),
-                    hash_input_cells[2][i + CHAIN_ID_LEN].cell(),
+                    hash_input_cells[0][i + PREV_STATE_ROOT_INDEX].cell(),
+                    hash_input_cells[2][i + PREV_STATE_ROOT_INDEX].cell(),
                 )?;
                 // 2.2.2 chunk[k-1].post_state_root
                 // sanity check
                 assert_equal(
-                    &hash_input_cells[0][i + CHAIN_ID_LEN + 32],
-                    &hash_input_cells[hash_num - 1][i + CHAIN_ID_LEN + 32],
+                    &hash_input_cells[0][i + POST_STATE_ROOT_INDEX],
+                    &hash_input_cells[hash_num - 1][i + POST_STATE_ROOT_INDEX],
                 );
                 region.constrain_equal(
-                    hash_input_cells[0][i + CHAIN_ID_LEN + 32].cell(),
-                    hash_input_cells[hash_num - 1][i + CHAIN_ID_LEN + 32].cell(),
+                    hash_input_cells[0][i + POST_STATE_ROOT_INDEX].cell(),
+                    hash_input_cells[hash_num - 1][i + POST_STATE_ROOT_INDEX].cell(),
                 )?;
                 // 2.2.3 chunk[k-1].withdraw_root
                 assert_equal(
-                    &hash_input_cells[0][i + CHAIN_ID_LEN + 64],
-                    &hash_input_cells[hash_num - 1][i + CHAIN_ID_LEN + 64],
+                    &hash_input_cells[0][i + WITHDRAW_ROOT_INDEX],
+                    &hash_input_cells[hash_num - 1][i + WITHDRAW_ROOT_INDEX],
                 );
                 region.constrain_equal(
-                    hash_input_cells[0][i + CHAIN_ID_LEN + 64].cell(),
-                    hash_input_cells[hash_num - 1][i + CHAIN_ID_LEN + 64].cell(),
+                    hash_input_cells[0][i + WITHDRAW_ROOT_INDEX].cell(),
+                    hash_input_cells[hash_num - 1][i + WITHDRAW_ROOT_INDEX].cell(),
                 )?;
             }
 
@@ -222,10 +223,10 @@ pub(crate) fn assign_batch_hashes<F: Field>(
             for (i, chunk) in hash_input_cells[1].chunks(32).enumerate().take(num_chunks) {
                 for (j, cell) in chunk.iter().enumerate() {
                     // sanity check
-                    assert_equal(cell, &hash_input_cells[2 + i][j + CHAIN_ID_LEN + 96]);
+                    assert_equal(cell, &hash_input_cells[2 + i][j + CHUNK_DATA_HASH_INDEX]);
                     region.constrain_equal(
                         cell.cell(),
-                        hash_input_cells[2 + i][j + CHAIN_ID_LEN + 96].cell(),
+                        hash_input_cells[2 + i][j + CHUNK_DATA_HASH_INDEX].cell(),
                     )?;
                 }
             }
@@ -235,14 +236,14 @@ pub(crate) fn assign_batch_hashes<F: Field>(
                 for j in 0..32 {
                     // sanity check
                     assert_equal(
-                        &hash_input_cells[i + 3][CHAIN_ID_LEN + j],
-                        &hash_input_cells[i + 2][CHAIN_ID_LEN + 32 + j],
+                        &hash_input_cells[i + 3][PREV_STATE_ROOT_INDEX + j],
+                        &hash_input_cells[i + 2][POST_STATE_ROOT_INDEX + j],
                     );
                     region.constrain_equal(
                         // chunk[i+1].prevStateRoot
-                        hash_input_cells[i + 3][CHAIN_ID_LEN + j].cell(),
+                        hash_input_cells[i + 3][PREV_STATE_ROOT_INDEX + j].cell(),
                         // chunk[i].postStateRoot
-                        hash_input_cells[i + 2][CHAIN_ID_LEN + 32 + j].cell(),
+                        hash_input_cells[i + 2][POST_STATE_ROOT_INDEX + j].cell(),
                     )?;
                 }
             }
@@ -292,7 +293,7 @@ pub(crate) fn extract_accumulators_and_proof(
                 &snark.instances,
                 &mut transcript_read,
             );
-            // wenqing: each accumulator has (lhs, rhs) based on Shplonk
+            // each accumulator has (lhs, rhs) based on Shplonk
             // lhs and rhs are EC points
             Shplonk::succinct_verify(&svk, &snark.protocol, &snark.instances, &proof)
         })
@@ -302,7 +303,7 @@ pub(crate) fn extract_accumulators_and_proof(
         PoseidonTranscript::<NativeLoader, Vec<u8>>::from_spec(vec![], POSEIDON_SPEC.clone());
     // We always use SHPLONK for accumulation scheme when aggregating proofs
     let accumulator =
-        // wenqing: core step
+        // core step
         // KzgAs does KZG accumulation scheme based on given accumulators and random number (for adding blinding)
         // accumulated ec_pt = ec_pt_1 * 1 + ec_pt_2 * r + ... + ec_pt_n * r^{n-1}
         // ec_pt can be lhs and rhs

aggregator/src/proof_aggregation/circuit.rs

@@ -27,7 +27,8 @@ use crate::{
     core::{assign_batch_hashes, extract_accumulators_and_proof},
     param::{ConfigParams, BITS, LIMBS},
     proof_aggregation::config::AggregationConfig,
-    BatchHashCircuit, ChunkHash, CHAIN_ID_LEN,
+    BatchHashCircuit, ChunkHash, CHAIN_ID_LEN, POST_STATE_ROOT_INDEX, PREV_STATE_ROOT_INDEX,
+    WITHDRAW_ROOT_INDEX,
 };
 
 /// Aggregation circuit that does not re-expose any public inputs from aggregated snarks
@@ -68,7 +69,7 @@ impl AggregationCircuit {
             let snark_hash_bytes = &snark.instances[0];
 
             for i in 0..32 {
-                // wenqing: for each snark, 
+                // for each snark,
                 //  first 12 elements are accumulator
                 //  next 32 elements are data hash (44=12+32)
                 //  next 32 elements are public_input_hash
@@ -88,7 +89,7 @@ impl AggregationCircuit {
         // extract the accumulators and proofs
         let svk = params.get_g()[0].into();
 
-        // wenqing: this aggregates MULTIPLE snarks 
+        // this aggregates MULTIPLE snarks
         //  (instead of ONE as in proof compression)
         let (accumulator, as_proof) = extract_accumulators_and_proof(params, snarks, rng);
         let KzgAccumulator::<G1Affine, NativeLoader> { lhs, rhs } = accumulator;
@@ -336,19 +337,19 @@ impl Circuit<Fr> for AggregationCircuit {
             for i in 0..32 {
                 // first_chunk_prev_state_root
                 layouter.constrain_instance(
-                    hash_input_cells[2][CHAIN_ID_LEN + i].cell(),
+                    hash_input_cells[2][PREV_STATE_ROOT_INDEX + i].cell(),
                     config.instance,
                     i + acc_len,
                 )?;
                 // last_chunk_post_state_root
                 layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[CHAIN_ID_LEN + 32 + i].cell(),
+                    hash_input_cells.last().unwrap()[POST_STATE_ROOT_INDEX + i].cell(),
                     config.instance,
                     i + 32 + acc_len,
                 )?;
                 // last_chunk_withdraw_root
                 layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[CHAIN_ID_LEN + 64 + i].cell(),
+                    hash_input_cells.last().unwrap()[WITHDRAW_ROOT_INDEX + i].cell(),
                     config.instance,
                     i + 64 + acc_len,
                 )?;
@@ -357,7 +358,7 @@ impl Circuit<Fr> for AggregationCircuit {
             for i in 0..4 {
                 for j in 0..8 {
                     // digest in circuit has a different endianness
-                    // wenqing: 96 is the byte position for batch data hash
+                    // 96 is the byte position for batch data hash
                     layouter.constrain_instance(
                         hash_output_cells[0][(3 - i) * 8 + j].cell(),
                         config.instance,
@@ -366,7 +367,7 @@ impl Circuit<Fr> for AggregationCircuit {
                 }
             }
             // last 8 inputs are the chain id
-            // wenqing: chain_id is put at last here
+            // chain_id is put at last here
             for i in 0..CHAIN_ID_LEN {
                 layouter.constrain_instance(
                     hash_input_cells[0][i].cell(),

aggregator/src/proof_aggregation/config.rs

@@ -35,7 +35,7 @@ pub struct AggregationConfig {
     ///     chunk\[k-1\].withdraw_root ||
     ///     batch_data_hash ||
     ///     chain_id
-    /// wenqing: chain_id is put at last here for instance
+    /// chain_id is put at last here for instance
     pub instance: Column<Instance>,
 }
 

aggregator/src/proof_aggregation/public_input_aggregation.rs

@@ -66,8 +66,22 @@ pub use config::{BatchCircuitConfig, BatchCircuitConfigArgs};
 // TODO(ZZ): update to the right degree
 pub(crate) const LOG_DEGREE: u32 = 19;
 
+// ================================
+// indices for hash bytes
+//
+// the preimages are arranged as
+// - chain_id:          8 bytes
+// - prev_state_root    32 bytes
+// - post_state_root    32 bytes
+// - withdraw_root      32 bytes
+// - chunk_data_hash    32 bytes
+//
 // A chain_id is u64 and uses 8 bytes
 pub(crate) const CHAIN_ID_LEN: usize = 8;
+pub(crate) const PREV_STATE_ROOT_INDEX: usize = 8;
+pub(crate) const POST_STATE_ROOT_INDEX: usize = 40;
+pub(crate) const WITHDRAW_ROOT_INDEX: usize = 72;
+pub(crate) const CHUNK_DATA_HASH_INDEX: usize = 104;
 
 // Each round requires (NUM_ROUNDS+1) * DEFAULT_KECCAK_ROWS = 300 rows.
 // This library is hard coded for this parameter.

aggregator/src/proof_aggregation/public_input_aggregation/circuit.rs

@@ -9,7 +9,10 @@ use halo2_proofs::{
 
 use zkevm_circuits::util::{Challenges, SubCircuitConfig};
 
-use crate::{core::assign_batch_hashes, BatchHash, ChunkHash, CHAIN_ID_LEN};
+use crate::{
+    core::assign_batch_hashes, BatchHash, ChunkHash, CHAIN_ID_LEN, POST_STATE_ROOT_INDEX,
+    PREV_STATE_ROOT_INDEX, WITHDRAW_ROOT_INDEX,
+};
 
 use super::config::{BatchCircuitConfig, BatchCircuitConfigArgs};
 
@@ -184,19 +187,19 @@ impl<F: Field> Circuit<F> for BatchHashCircuit<F> {
             for i in 0..32 {
                 // first_chunk_prev_state_root
                 layouter.constrain_instance(
-                    hash_input_cells[2][CHAIN_ID_LEN + i].cell(),
+                    hash_input_cells[2][PREV_STATE_ROOT_INDEX + i].cell(),
                     config.hash_digest_column,
                     i,
                 )?;
                 // last_chunk_post_state_root
                 layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[CHAIN_ID_LEN + 32 + i].cell(),
+                    hash_input_cells.last().unwrap()[POST_STATE_ROOT_INDEX + i].cell(),
                     config.hash_digest_column,
                     i + 32,
                 )?;
                 // last_chunk_withdraw_root
                 layouter.constrain_instance(
-                    hash_input_cells.last().unwrap()[CHAIN_ID_LEN + 64 + i].cell(),
+                    hash_input_cells.last().unwrap()[WITHDRAW_ROOT_INDEX + i].cell(),
                     config.hash_digest_column,
                     i + 64,
                 )?;

aggregator/src/proof_compression/circuit.rs

@@ -84,7 +84,7 @@ impl Circuit<Fr> for CompressionCircuit {
         )
         .unwrap();
 
-        // wenqing: circuit configuration is built from config with given num columns etc
+        // circuit configuration is built from config with given num columns etc
         // can be wide or thin circuit
         Self::Config::configure(meta, params)
     }
@@ -168,9 +168,9 @@ impl CompressionCircuit {
     ) -> Self {
         let svk = params.get_g()[0].into();
 
-        // wenqing: for the proof compression, only ONE snark is under accumulation
+        // for the proof compression, only ONE snark is under accumulation
         // it is turned into an accumulator via KzgAs accumulation scheme
-        // in case not first time: 
+        // in case not first time:
         // (old_accumulator, public inputs) -> (new_accumulator, public inputs)
         let (accumulator, as_proof) = extract_accumulators_and_proof(params, &[snark.clone()], rng);
 

aggregator/src/util.rs

@@ -30,11 +30,11 @@ pub(crate) fn get_indices(preimages: &[Vec<u8>]) -> (Vec<usize>, Vec<usize>) {
     let mut round_ctr = 0;
 
     for preimage in preimages.iter() {
-        // wenqing: 136 = 17 * 8 is the size in bits of each 
+        //  136 = 17 * 8 is the size in bits of each
         //  input chunk that can be processed by Keccak circuit using absorb
         //  each chunk of size 136 needs 300 Keccak circuit rows to prove
         //  which consists of 12 Keccak rows for each of 24 + 1 Keccak cicuit rounds
-        //  digest only happens at the end of the last input chunk with 
+        //  digest only happens at the end of the last input chunk with
         //  4 Keccak circuit rounds, so 48 Keccak rows, and 300 - 48 = 256
         let num_rounds = 1 + preimage.len() / 136;
         let mut preimage_padded = preimage.clone();