chore(gnark-key-parser): parse pedersen commitment

Signed-off-by: aeryz <[email protected]>

Author: aeryz

lib/cometbls-groth16-verifier/Cargo.toml

@@ -10,7 +10,7 @@ version      = "0.1.0"
 workspace = true
 
 [package.metadata.crane]
-include = ["lib/cometbls-groth16-verifier/verifying_key.bin"]
+test-include = ["lib/cometbls-groth16-verifier/verifying_key.bin"]
 
 [dependencies]
 ark-ff       = { version = "0.4.2", default-features = false }
@@ -27,9 +27,5 @@ default = []
 std     = []
 
 [build-dependencies]
-byteorder        = { version = "1.4", default-features = false }
 gnark-key-parser = { workspace = true }
-hex-literal      = { workspace = true }
 substrate-bn     = { version = "0.6", default-features = false }
-
-unionlabs = { workspace = true }

lib/cometbls-groth16-verifier/build.rs

@@ -1,41 +1,16 @@
-use std::{env, fs, marker::PhantomData, path::Path};
+use std::{env, fs, path::Path};
 
-use byteorder::BigEndian;
 use gnark_key_parser::VerifyingKey;
-use hex_literal::hex;
 use substrate_bn::{AffineG1, AffineG2};
-use unionlabs::ByteArrayExt;
 
 pub const FQ_SIZE: usize = 32;
 pub const G1_SIZE: usize = 2 * FQ_SIZE;
 pub const G2_SIZE: usize = 2 * G1_SIZE;
 
-pub struct G2Affine<FromOrder>(PhantomData<FromOrder>, substrate_bn::AffineG2);
-
-impl<FromOrder> G2Affine<FromOrder> {
-    fn parse(buf: [u8; G2_SIZE]) -> Self {
-        G2Affine(
-            PhantomData,
-            substrate_bn::AffineG2::new(
-                substrate_bn::Fq2::new(
-                    substrate_bn::Fq::from_slice(&buf.array_slice::<FQ_SIZE, FQ_SIZE>()).unwrap(),
-                    substrate_bn::Fq::from_slice(&buf.array_slice::<0, FQ_SIZE>()).unwrap(),
-                ),
-                substrate_bn::Fq2::new(
-                    substrate_bn::Fq::from_slice(
-                        &buf.array_slice::<{ G1_SIZE + FQ_SIZE }, FQ_SIZE>(),
-                    )
-                    .unwrap(),
-                    substrate_bn::Fq::from_slice(&buf.array_slice::<G1_SIZE, FQ_SIZE>()).unwrap(),
-                ),
-            )
-            .unwrap(),
-        )
-    }
-}
-
 fn parse_verifying_key(buf: &[u8]) -> String {
-    let parsed_key = VerifyingKey::parse(buf).unwrap();
+    let (n_read, parsed_key) = VerifyingKey::parse(buf).unwrap();
+    // we expect the verifying key to be fully parsed
+    assert_eq!(n_read, buf.len());
     let [alpha_g1_x0, alpha_g1_x1, alpha_g1_y0, alpha_g1_y1] =
         unsafe { std::mem::transmute::<AffineG1, [u128; 4]>(parsed_key.alpha_g1) };
     let [beta_g2_x00, beta_g2_x01, beta_g2_x10, beta_g2_x11, beta_g2_y00, beta_g2_y01, beta_g2_y10, beta_g2_y11] =
@@ -44,6 +19,11 @@ fn parse_verifying_key(buf: &[u8]) -> String {
         unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.gamma_g2) };
     let [delta_g2_x00, delta_g2_x01, delta_g2_x10, delta_g2_x11, delta_g2_y00, delta_g2_y01, delta_g2_y10, delta_g2_y11] =
         unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.delta_g2) };
+    let [pedersen_g_x00, pedersen_g_x01, pedersen_g_x10, pedersen_g_x11, pedersen_g_y00, pedersen_g_y01, pedersen_g_y10, pedersen_g_y11] =
+        unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.commitment_key.g) };
+    let [pedersen_g_root_sigma_neg_x00, pedersen_g_root_sigma_neg_x01, pedersen_g_root_sigma_neg_x10, pedersen_g_root_sigma_neg_x11, pedersen_g_root_sigma_neg_y00, pedersen_g_root_sigma_neg_y01, pedersen_g_root_sigma_neg_y10, pedersen_g_root_sigma_neg_y11] = unsafe {
+        std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.commitment_key.g_root_sigma_neg)
+    };
 
     let gamma_abc_size = parsed_key.gamma_abc_g1.len();
     let s: String = parsed_key
@@ -66,37 +46,19 @@ fn parse_verifying_key(buf: &[u8]) -> String {
             pub const BETA_G2: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{beta_g2_x00}, {beta_g2_x01}, {beta_g2_x10}, {beta_g2_x11}, {beta_g2_y00}, {beta_g2_y01}, {beta_g2_y10}, {beta_g2_y11}]) }};
             pub const GAMMA_G2: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{gamma_g2_x00}, {gamma_g2_x01}, {gamma_g2_x10}, {gamma_g2_x11}, {gamma_g2_y00}, {gamma_g2_y01}, {gamma_g2_y10}, {gamma_g2_y11}]) }};
             pub const DELTA_G2: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{delta_g2_x00}, {delta_g2_x01}, {delta_g2_x10}, {delta_g2_x11}, {delta_g2_y00}, {delta_g2_y01}, {delta_g2_y10}, {delta_g2_y11}]) }};
+            pub const PEDERSEN_G: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{pedersen_g_x00}, {pedersen_g_x01}, {pedersen_g_x10}, {pedersen_g_x11}, {pedersen_g_y00}, {pedersen_g_y01}, {pedersen_g_y10}, {pedersen_g_y11}]) }};
+            pub const PEDERSEN_G_ROOT_SIGMA_NEG: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{pedersen_g_root_sigma_neg_x00}, {pedersen_g_root_sigma_neg_x01}, {pedersen_g_root_sigma_neg_x10}, {pedersen_g_root_sigma_neg_x11}, {pedersen_g_root_sigma_neg_y00}, {pedersen_g_root_sigma_neg_y01}, {pedersen_g_root_sigma_neg_y10}, {pedersen_g_root_sigma_neg_y11}]) }};
             pub const GAMMA_ABC_G1: [substrate_bn::AffineG1; {gamma_abc_size}] = [{s}];
         "#
     )
 }
 
-fn pedersen_commitment_key() -> String {
-    let g_raw = hex!("257DF6F8132CB0037F7DFDF1A29B04C1FF92BA082EDA513996BA2BFA9FBD198713F0D8D8879885CA567EF99298C30C397E6FBA584658F4127713A814C06DE55A1660EBCC60C7A3AC560EFCEA5993F528EE13685D3A39694ACD74FE67C80D798A15E80642C58DB4DBE0A87F92CE3C65E962F231278353783A691FD64078BA7F34");
-    let g_root_sigma_neg_raw = hex!("2FBFE141A7555CF7E3E86B092660B81CFB68A025AD817E45CEC0B0F2E2CA636802A104DF1C015F2307FA2859627098CDF9FDB521D61D323943343A12304E5BAF27DA3F93ECF3BFD0B3A3354AE2162A6C230C0E539B6D9F82C0826E2B006A59222C0838551CB9E5CF67DB57DE7E2250BB97807F6687F135A6EB910359BA7BDB8D");
-    let G2Affine(_, g) = G2Affine::<BigEndian>::parse(g_raw);
-    let G2Affine(_, g_root_sigma_neg) = G2Affine::<BigEndian>::parse(g_root_sigma_neg_raw);
-    let [g_g2_x00, g_g2_x01, g_g2_x10, g_g2_x11, g_g2_y00, g_g2_y01, g_g2_y10, g_g2_y11] =
-        unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(g) };
-    let [g_root_sigma_neg_g2_x00, g_root_sigma_neg_g2_x01, g_root_sigma_neg_g2_x10, g_root_sigma_neg_g2_x11, g_root_sigma_neg_g2_y00, g_root_sigma_neg_g2_y01, g_root_sigma_neg_g2_y10, g_root_sigma_neg_g2_y11] =
-        unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(g_root_sigma_neg) };
-    format!(
-        r#"
-            pub const PEDERSEN_G: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{g_g2_x00}, {g_g2_x01}, {g_g2_x10}, {g_g2_x11}, {g_g2_y00}, {g_g2_y01}, {g_g2_y10}, {g_g2_y11}]) }};
-            pub const PEDERSEN_G_ROOT_SIGMA_NEG: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{g_root_sigma_neg_g2_x00}, {g_root_sigma_neg_g2_x01}, {g_root_sigma_neg_g2_x10}, {g_root_sigma_neg_g2_x11}, {g_root_sigma_neg_g2_y00}, {g_root_sigma_neg_g2_y01}, {g_root_sigma_neg_g2_y10}, {g_root_sigma_neg_g2_y11}]) }};
-        "#,
-    )
-}
-
 fn main() {
     println!("cargo:rerun-if-changed=verifying_key.bin");
     let out_dir = env::var_os("OUT_DIR").unwrap();
     let dest_path = Path::new(&out_dir).join("constants.rs");
 
     let data = include_bytes!("./verifying_key.bin");
     let verifying_key = parse_verifying_key(data.as_slice());
-
-    let pedersen_commitment = pedersen_commitment_key();
-
-    fs::write(dest_path, format!("{verifying_key}\n{pedersen_commitment}")).unwrap();
+    fs::write(dest_path, format!("{verifying_key}")).unwrap();
 }

lib/gnark-key-parser/src/lib.rs

@@ -6,6 +6,11 @@ use substrate_bn::{
 
 mod error;
 
+pub struct PedersenVerifyingKey {
+    pub g: AffineG2,
+    pub g_root_sigma_neg: AffineG2,
+}
+
 /// A verification key in the Groth16 SNARK.
 pub struct VerifyingKey {
     /// The `alpha * G`, where `G` is the generator of `E::G1`.
@@ -18,6 +23,8 @@ pub struct VerifyingKey {
     pub delta_g2: substrate_bn::AffineG2,
     /// The `gamma^{-1} * (beta * a_i + alpha * b_i + c_i) * H`, where `H` is the generator of `E::G1`.
     pub gamma_abc_g1: Vec<AffineG1>,
+    pub public_and_commitment_committed: Vec<Vec<u64>>,
+    pub commitment_key: PedersenVerifyingKey,
 }
 
 const MASK: u8 = 0b11 << 6;
@@ -33,32 +40,72 @@ const G2_AFFINE_COMPRESSED_SIZE: usize = 32 * 2;
 const G2_AFFINE_UNCOMPRESSED_SIZE: usize = G2_AFFINE_COMPRESSED_SIZE * 2;
 
 impl VerifyingKey {
-    pub fn parse(buf: &[u8]) -> Result<Self, Error> {
+    pub fn parse(buf: &[u8]) -> Result<(usize, Self), Error> {
         let mut cursor = 0;
-        let (n_bytes, alpha_g1) = parse_affine_g1(&buf[..]).unwrap();
+        let (n_bytes, alpha_g1) = parse_affine_g1(&buf[..])?;
+        cursor += n_bytes;
+        let (n_bytes, _g1_beta) = parse_affine_g1(&buf[cursor..])?;
+        cursor += n_bytes;
+        let (n_bytes, beta_g2) = parse_affine_g2(&buf[cursor..])?;
+        cursor += n_bytes;
+        let (n_bytes, gamma_g2) = parse_affine_g2(&buf[cursor..])?;
+        cursor += n_bytes;
+        let (n_bytes, _g1_delta) = parse_affine_g1(&buf[cursor..])?;
         cursor += n_bytes;
-        let (n_bytes, _g1_beta) = parse_affine_g1(&buf[cursor..]).unwrap();
+        let (n_bytes, delta_g2) = parse_affine_g2(&buf[cursor..])?;
         cursor += n_bytes;
-        let (n_bytes, beta_g2) = parse_affine_g2(&buf[cursor..]).unwrap();
+        let (n_bytes, gamma_abc_g1) = parse_affine_g1_array(&buf[cursor..])?;
         cursor += n_bytes;
-        let (n_bytes, gamma_g2) = parse_affine_g2(&buf[cursor..]).unwrap();
+        let (n_bytes, public_and_commitment_committed) = parse_uint64_slice_slice(&buf[cursor..])?;
         cursor += n_bytes;
-        let (n_bytes, _g1_delta) = parse_affine_g1(&buf[cursor..]).unwrap();
+        let (n_bytes, g) = parse_affine_g2(&buf[cursor..])?;
         cursor += n_bytes;
-        let (n_bytes, delta_g2) = parse_affine_g2(&buf[cursor..]).unwrap();
+        let (n_bytes, g_root_sigma_neg) = parse_affine_g2(&buf[cursor..])?;
         cursor += n_bytes;
-        let (_, gamma_abc_g1) = parse_affine_g1_array(&buf[cursor..]).unwrap();
-
-        Ok(Self {
-            alpha_g1,
-            beta_g2,
-            gamma_g2,
-            delta_g2,
-            gamma_abc_g1,
-        })
+
+        Ok((
+            cursor,
+            Self {
+                alpha_g1,
+                beta_g2,
+                gamma_g2,
+                delta_g2,
+                gamma_abc_g1,
+                public_and_commitment_committed,
+                commitment_key: PedersenVerifyingKey {
+                    g,
+                    g_root_sigma_neg,
+                },
+            },
+        ))
     }
 }
 
+pub fn parse_uint64_slice(buf: &[u8]) -> Result<(usize, Vec<u64>), Error> {
+    let size = u32::from_be_bytes((&buf[0..4]).try_into().expect("impossible"));
+    let mut items = Vec::new();
+    let mut cursor = 4;
+    for _ in 0..size {
+        items.push(u64::from_be_bytes(
+            (&buf[cursor..cursor + 8]).try_into().expect("impossible"),
+        ));
+        cursor += 8;
+    }
+    Ok((cursor, items))
+}
+
+pub fn parse_uint64_slice_slice(buf: &[u8]) -> Result<(usize, Vec<Vec<u64>>), Error> {
+    let size = u32::from_be_bytes((&buf[0..4]).try_into().expect("impossible"));
+    let mut items = Vec::new();
+    let mut cursor = 4;
+    for _ in 0..size {
+        let (cur_read, value) = parse_uint64_slice(&buf[cursor..])?;
+        cursor += cur_read;
+        items.push(value);
+    }
+    Ok((cursor, items))
+}
+
 pub fn parse_affine_g1_array(buf: &[u8]) -> Result<(usize, Vec<AffineG1>), Error> {
     let size = u32::from_be_bytes((&buf[0..4]).try_into().expect("impossible"));
     let mut g1s = Vec::new();
@@ -263,6 +310,31 @@ mod tests {
     }
 
     pub fn universal_vk() -> VerifyingKey {
+        const PEDERSEN_G: substrate_bn::AffineG2 = unsafe {
+            core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([
+                11811635544135052229933151055424244648,
+                38109979931269619311736752979166931278,
+                90391742616114872771404285750669801592,
+                52127860733344004379550038853653983369,
+                94283382067525625571866539274932825678,
+                46211394867610833270624710233881181494,
+                152610685216587622477368049102478160737,
+                13810267963617699865883949649491963230,
+            ])
+        };
+        const PEDERSEN_G_ROOT_SIGMA_NEG: substrate_bn::AffineG2 = unsafe {
+            core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([
+                72813077000167954255887915103454700534,
+                12589073809616840933661747092291565935,
+                337926906408442213219854203224585082877,
+                59919365646951351584569269731816365136,
+                12528477130055848686709301753705522532,
+                49609059301297358295345786701940661278,
+                57099380008375147203174978222963579184,
+                6628981065425146778130938788258647964,
+            ])
+        };
+
         VerifyingKey {
             alpha_g1: make_g1(
                 BigInt!(
@@ -340,16 +412,24 @@ mod tests {
                 ),
                 ),
             ],
+            public_and_commitment_committed: Vec::new(),
+            commitment_key: PedersenVerifyingKey {
+                g: PEDERSEN_G,
+                g_root_sigma_neg: PEDERSEN_G_ROOT_SIGMA_NEG,
+            },
         }
     }
+
     #[test]
     fn it_works() {
         // vk.bin
         let file = hex::decode("8967072901cc7ab63357f1ddc4196c7c1feda50540d8026d7f6f0167c118a899d923def15f75234f2a6d53b566a2528441e98050b38803673e9179b834fc39a499355fd270b7601d5d88408b7e9e53d260512e2180cd260017dc941f2fc96d65153f0344c6bf2d8a891b979bc61d39a98fb11155fcd57418f30ea018ea842874a0e76be91a3148e2f8ef644222b3ce5b939a73bd2e0a40814f7f92a79c483acf2216bbe0c289e07936b4d9653b91521a24c570c808fa46dfd12ec4429e71b61999fcfb245459d63a4923b8f8c488d1e6af7ca358867b88eb0cdefe896c221f09e95e4c18d1e0475de4549b2547611d8301e1afff1047a6f5a288c9314af0b9fc05d403c8c91820a385a72c18d6a4962cef41a3ab93daa7ed289b1e95db4d04eb00000003e71843e52743864f4bb67ce94a2ce8fe82c8f61042c4c1ced8531d94305392818b0dbe71f4d60e02e9160ec2b015cae3a09cbe4f437226e2c02e1a5e5d124bcac29e93d5f47c0c7671350398ed8c40f5bc5c2f5b00363c7e2eb18a91a1c490c70000000100000000a57df6f8132cb0037f7dfdf1a29b04c1ff92ba082eda513996ba2bfa9fbd198713f0d8d8879885ca567ef99298c30c397e6fba584658f4127713a814c06de55aefbfe141a7555cf7e3e86b092660b81cfb68a025ad817e45cec0b0f2e2ca636802a104df1c015f2307fa2859627098cdf9fdb521d61d323943343a12304e5baf").unwrap();
 
         let verifying_key = universal_vk();
 
-        let parsed_key = VerifyingKey::parse(&file[..]).unwrap();
+        let (n_read, parsed_key) = VerifyingKey::parse(&file[..]).unwrap();
+
+        assert_eq!(n_read, file.len());
 
         assert_eq!(verifying_key.alpha_g1, parsed_key.alpha_g1);
         assert_eq!(verifying_key.beta_g2.x(), parsed_key.beta_g2.x());
@@ -359,5 +439,21 @@ mod tests {
         assert_eq!(verifying_key.delta_g2.x(), parsed_key.delta_g2.x());
         assert_eq!(verifying_key.delta_g2.y(), parsed_key.delta_g2.y());
         assert_eq!(verifying_key.gamma_abc_g1, parsed_key.gamma_abc_g1);
+        assert_eq!(
+            verifying_key.commitment_key.g.x(),
+            parsed_key.commitment_key.g.x()
+        );
+        assert_eq!(
+            verifying_key.commitment_key.g.y(),
+            parsed_key.commitment_key.g.y()
+        );
+        assert_eq!(
+            verifying_key.commitment_key.g_root_sigma_neg.x(),
+            parsed_key.commitment_key.g_root_sigma_neg.x()
+        );
+        assert_eq!(
+            verifying_key.commitment_key.g_root_sigma_neg.y(),
+            parsed_key.commitment_key.g_root_sigma_neg.y()
+        );
     }
 }