[refactor] pi aggregation circuit

Author: zhenfeizhang

.gitignore

@@ -6,4 +6,5 @@
 *.log
 *.json
 *.sh
-*.txt
+*.txt
+*.srs

Cargo.lock

@@ -11,7 +11,8 @@ members = [
     "eth-types",
     "external-tracer",
     "mock",
-    "testool"
+    "testool",
+    "aggregator"
 ]
 
 [patch."https://github.com/privacy-scaling-explorations/halo2.git"]

Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "aggregator"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+eth-types = { path = "../eth-types" }
+zkevm-circuits = { path = "../zkevm-circuits" }
+ethers-core = "0.17.0"
+rand = "0.8"
+ark-std = "0.4.0"
+log = "0.4"
+env_logger = "0.10.0"
+
+halo2_proofs = { git = "https://github.com/privacy-scaling-explorations/halo2.git", tag = "v2023_02_02" }
+snark-verifier-sdk =  { git = "https://github.com/scroll-tech/snark-verifier", branch = "halo2-ecc-snark-verifier-0323" }
+
+[dev-dependencies]
+halo2-base = { git = "https://github.com/scroll-tech/halo2-lib", branch = "halo2-ecc-snark-verifier-0323", default-features=false, features=["halo2-pse","display"] }
+snark-verifier =  { git = "https://github.com/scroll-tech/snark-verifier", branch = "halo2-ecc-snark-verifier-0323" }
+
+
+[features]
+default = []
+# default = [ "ark-std/print-trace" ]

aggregator/Cargo.toml

@@ -0,0 +1,6 @@
+/// public input aggregation
+mod public_input_aggregation;
+/// utilities
+mod util;
+
+pub use public_input_aggregation::*;

aggregator/src/lib.rs

@@ -0,0 +1,86 @@
+//! This module implements circuits that aggregates public inputs of many chunks into a single
+//! one.
+//!
+//! # Spec
+//!
+//! A chunk is a list of continuous blocks. It consists of 4 hashes:
+//! - state root before this chunk
+//! - state root after this chunk
+//! - the withdraw root of this chunk
+//! - the data hash of this chunk
+//! Those 4 hashes are obtained from the caller.
+//!
+//! A chunk's public input hash is then derived from the above 4 attributes via
+//! - chunk_pi_hash   := keccak(chain_id    || prev_state_root || post_state_root || withdraw_root
+//!   || chunk_data_hash)
+//!
+//! A batch is a list of continuous chunks. It consists of 2 hashes
+//! - batch_data_hash := keccak(chunk_0.data_hash      || ...                        ||
+//!   chunk_k-1.data_hash)
+//!
+//! - batch_pi_hash   := keccak(chain_id               ||   chunk_0.prev_state_root    ||
+//!   chunk_k-1.post_state_root  || chunk_k-1.withdraw_root    || batch_data_hash)
+//!
+//! Note that chain_id is used for all public input hashes. But not for any data hashes.
+//!
+//! # Circuit
+//!
+//! A BatchHashCircuit asserts that the batch is well-formed.
+//!
+//! ## Public Input
+//! The public inputs of the circuit (132 Field elements) is constructed as
+//! - first_chunk_prev_state_root: 32 Field elements
+//! - last_chunk_post_state_root: 32 Field elements
+//! - last_chunk_withdraw_root: 32 Field elements
+//! - batch_public_input_hash: 32 Field elements
+//! - chain_id: 4 Field elements
+//!
+//! ## Constraints
+//! The circuit attests the following statements:
+//!
+//! 1. all hashes are computed correctly
+//! 2. the relations between hash preimages and digests are satisfied
+//!     - batch_data_hash is part of the input to compute batch_pi_hash
+//!     - batch_pi_hash used same roots as chunk_pi_hash
+//!     - same data_hash is used to compute batch_data_hash and chunk_pi_hash for all chunks
+//!     - chunks are continuous: they are linked via the state roots
+//!     - all hashes uses a same chain_id
+//! 3. the hash data matches the circuit's public input (132 field elements) above
+//!
+//! # Example
+//!
+//! See tests::test_pi_aggregation_circuit
+
+// This module implements `Chunk` related data types.
+// A chunk is a list of blocks.
+mod chunk;
+// This module implements `Batch` related data types.
+// A batch is a list of chunk.
+mod batch;
+// Circuit implementation of `BatchHashCircuit`.
+mod circuit;
+// SubCircuit implementation of `BatchHashCircuit`.
+mod sub_circuit;
+// CircuitExt implementation of `BatchHashCircuit`.
+mod circuit_ext;
+// Circuit and SubCircuit configurations
+mod config;
+
+pub use batch::BatchHash;
+pub use chunk::ChunkHash;
+pub use circuit::{BatchHashCircuit, BatchHashCircuitPublicInput};
+pub use config::{BatchCircuitConfig, BatchCircuitConfigArgs};
+
+// TODO(ZZ): update to the right degree
+pub(crate) const LOG_DEGREE: u32 = 19;
+
+// Each round requires (NUM_ROUNDS+1) * DEFAULT_KECCAK_ROWS = 300 rows.
+// This library is hard coded for this parameter.
+// Modifying the following parameters may result into bugs.
+// Adopted from keccak circuit
+pub(crate) const DEFAULT_KECCAK_ROWS: usize = 12;
+// Adopted from keccak circuit
+pub(crate) const NUM_ROUNDS: usize = 24;
+
+#[cfg(test)]
+mod tests;

aggregator/src/public_input_aggregation.rs

@@ -0,0 +1,57 @@
+use eth_types::H256;
+use ethers_core::utils::keccak256;
+
+use super::chunk::ChunkHash;
+
+#[derive(Default, Debug, Clone)]
+/// A batch is a set of continuous chunks.
+/// A BatchHash consists of 2 hashes.
+pub struct BatchHash {
+    pub(crate) data_hash: H256,
+    pub(crate) public_input_hash: H256,
+}
+
+impl BatchHash {
+    /// Build Batch hash from a list of chunks
+    pub(crate) fn construct(chunk_hashes: &[ChunkHash]) -> Self {
+        // sanity: the chunks are continuous
+        for i in 0..chunk_hashes.len() - 1 {
+            assert_eq!(
+                chunk_hashes[i].post_state_root,
+                chunk_hashes[i + 1].prev_state_root,
+            );
+            assert_eq!(chunk_hashes[i].chain_id, chunk_hashes[i + 1].chain_id,)
+        }
+
+        // batch's data hash is build as
+        //  keccak( chunk[0].data_hash || ... || chunk[k-1].data_hash)
+        let preimage = chunk_hashes
+            .iter()
+            .flat_map(|chunk_hash| chunk_hash.data_hash.0.iter())
+            .cloned()
+            .collect::<Vec<_>>();
+        let data_hash = keccak256(preimage);
+
+        // public input hash is build as
+        //  keccak(
+        //      chain_id ||
+        //      chunk[0].prev_state_root ||
+        //      chunk[k-1].post_state_root ||
+        //      chunk[k-1].withdraw_root ||
+        //      batch_data_hash )
+        let preimage = [
+            chunk_hashes[0].chain_id.to_le_bytes().as_ref(),
+            chunk_hashes[0].prev_state_root.as_bytes(),
+            chunk_hashes.last().unwrap().post_state_root.as_bytes(),
+            chunk_hashes.last().unwrap().withdraw_root.as_bytes(),
+            data_hash.as_slice(),
+        ]
+        .concat();
+        let public_input_hash = keccak256(preimage);
+
+        Self {
+            data_hash: data_hash.into(),
+            public_input_hash: public_input_hash.into(),
+        }
+    }
+}

aggregator/src/public_input_aggregation/batch.rs

@@ -0,0 +1,60 @@
+//! This module implements `Chunk` related data types.
+//! A chunk is a list of blocks.
+use eth_types::H256;
+use ethers_core::utils::keccak256;
+
+#[derive(Default, Debug, Clone)]
+/// A chunk is a set of continuous blocks.
+/// A ChunkHash consists of 4 hashes, representing the changes incurred by this chunk of blocks:
+/// - state root before this chunk
+/// - state root after this chunk
+/// - the withdraw root of this chunk
+/// - the data hash of this chunk
+pub struct ChunkHash {
+    /// Chain identifier
+    pub(crate) chain_id: u32,
+    /// state root before this chunk
+    pub(crate) prev_state_root: H256,
+    /// state root after this chunk
+    pub(crate) post_state_root: H256,
+    /// the withdraw root of this chunk
+    pub(crate) withdraw_root: H256,
+    /// the data hash of this chunk
+    pub(crate) data_hash: H256,
+}
+
+impl ChunkHash {
+    /// Sample a chunk hash from random (for testing)
+    #[cfg(test)]
+    pub(crate) fn mock_chunk_hash<R: rand::RngCore>(r: &mut R) -> Self {
+        let mut prev_state_root = [0u8; 32];
+        r.fill_bytes(&mut prev_state_root);
+        let mut post_state_root = [0u8; 32];
+        r.fill_bytes(&mut post_state_root);
+        let mut withdraw_root = [0u8; 32];
+        r.fill_bytes(&mut withdraw_root);
+        let mut data_hash = [0u8; 32];
+        r.fill_bytes(&mut data_hash);
+        Self {
+            chain_id: 0,
+            prev_state_root: prev_state_root.into(),
+            post_state_root: post_state_root.into(),
+            withdraw_root: withdraw_root.into(),
+            data_hash: data_hash.into(),
+        }
+    }
+
+    /// Public input hash for a given chunk is defined as
+    ///  keccak( chain id || prev state root || post state root || withdraw root || data hash )
+    pub fn public_input_hash(&self) -> H256 {
+        let preimage = [
+            self.chain_id.to_le_bytes().as_ref(),
+            self.prev_state_root.as_bytes(),
+            self.post_state_root.as_bytes(),
+            self.withdraw_root.as_bytes(),
+            self.data_hash.as_bytes(),
+        ]
+        .concat();
+        keccak256::<&[u8]>(preimage.as_ref()).into()
+    }
+}