feat: introduce gnark-key-parser (#1770)

closes #1769 
closes #1378

Author: aeryz

Cargo.lock

@@ -23,6 +23,7 @@ members = [
   "lib/chain-utils",
   "lib/cometbls-groth16-verifier",
   "lib/ethereum-verifier",
+  "lib/gnark-key-parser",
   "lib/ics-008-wasm-client",
   "lib/ics23",
   "lib/macros",
@@ -43,6 +44,7 @@ members = [
   "lib/unionlabs",
   "lib/voyager-message",
   "lib/zktrie-rs",
+  "lib/gnark-key-parser",
 
   "light-clients/cometbls-light-client",
   "light-clients/ethereum-light-client",
@@ -79,6 +81,7 @@ chain-utils               = { path = "lib/chain-utils", default-features = false
 cometbls-groth16-verifier = { path = "lib/cometbls-groth16-verifier", default-features = false }
 contracts                 = { path = "generated/rust/contracts", default-features = false }
 ethereum-verifier         = { path = "lib/ethereum-verifier", default-features = false }
+gnark-key-parser          = { path = "lib/gnark-key-parser", default-features = false }
 ics008-wasm-client        = { path = "lib/ics-008-wasm-client", default-features = false }
 ics23                     = { path = "lib/ics23", default-features = false }
 macros                    = { path = "lib/macros", default-features = false }

Cargo.toml

@@ -9,6 +9,9 @@ version      = "0.1.0"
 [lints]
 workspace = true
 
+[package.metadata.crane]
+test-include = ["lib/cometbls-groth16-verifier/verifying_key.bin"]
+
 [dependencies]
 ark-ff       = { version = "0.4.2", default-features = false }
 byteorder    = { version = "1.4", default-features = false }
@@ -22,3 +25,7 @@ unionlabs    = { workspace = true }
 [features]
 default = []
 std     = []
+
+[build-dependencies]
+gnark-key-parser = { workspace = true }
+substrate-bn     = { version = "0.6", default-features = false }

lib/cometbls-groth16-verifier/Cargo.toml

@@ -0,0 +1,64 @@
+use std::{env, fs, path::Path};
+
+use gnark_key_parser::VerifyingKey;
+use substrate_bn::{AffineG1, AffineG2};
+
+pub const FQ_SIZE: usize = 32;
+pub const G1_SIZE: usize = 2 * FQ_SIZE;
+pub const G2_SIZE: usize = 2 * G1_SIZE;
+
+fn parse_verifying_key(buf: &[u8]) -> String {
+    let (n_read, parsed_key) = VerifyingKey::parse(buf).unwrap();
+    // we expect the verifying key to be fully parsed
+    assert_eq!(n_read, buf.len());
+    let [alpha_g1_x0, alpha_g1_x1, alpha_g1_y0, alpha_g1_y1] =
+        unsafe { std::mem::transmute::<AffineG1, [u128; 4]>(parsed_key.alpha_g1) };
+    let [beta_g2_x00, beta_g2_x01, beta_g2_x10, beta_g2_x11, beta_g2_y00, beta_g2_y01, beta_g2_y10, beta_g2_y11] =
+        unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.beta_g2) };
+    let [gamma_g2_x00, gamma_g2_x01, gamma_g2_x10, gamma_g2_x11, gamma_g2_y00, gamma_g2_y01, gamma_g2_y10, gamma_g2_y11] =
+        unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.gamma_g2) };
+    let [delta_g2_x00, delta_g2_x01, delta_g2_x10, delta_g2_x11, delta_g2_y00, delta_g2_y01, delta_g2_y10, delta_g2_y11] =
+        unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.delta_g2) };
+    let [pedersen_g_x00, pedersen_g_x01, pedersen_g_x10, pedersen_g_x11, pedersen_g_y00, pedersen_g_y01, pedersen_g_y10, pedersen_g_y11] =
+        unsafe { std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.commitment_key.g) };
+    let [pedersen_g_root_sigma_neg_x00, pedersen_g_root_sigma_neg_x01, pedersen_g_root_sigma_neg_x10, pedersen_g_root_sigma_neg_x11, pedersen_g_root_sigma_neg_y00, pedersen_g_root_sigma_neg_y01, pedersen_g_root_sigma_neg_y10, pedersen_g_root_sigma_neg_y11] = unsafe {
+        std::mem::transmute::<AffineG2, [u128; 8]>(parsed_key.commitment_key.g_root_sigma_neg)
+    };
+
+    let gamma_abc_size = parsed_key.gamma_abc_g1.len();
+    let s: String = parsed_key
+        .gamma_abc_g1
+        .into_iter()
+        .map(|g1| {
+            let [g1_x0, g1_x1, g1_y0, g1_y1] =
+                unsafe { std::mem::transmute::<AffineG1, [u128; 4]>(g1) };
+            format!(
+                r#"unsafe {{ core::mem::transmute::<[u128; 4], substrate_bn::AffineG1>
+                        ([{g1_x0}, {g1_x1}, {g1_y0}, {g1_y1}]) }},
+            "#
+            )
+        })
+        .collect();
+
+    format!(
+        r#"
+            pub const ALPHA_G1: substrate_bn::AffineG1 = unsafe {{ core::mem::transmute::<[u128; 4], substrate_bn::AffineG1>([{alpha_g1_x0}, {alpha_g1_x1}, {alpha_g1_y0}, {alpha_g1_y1}]) }};
+            pub const BETA_G2: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{beta_g2_x00}, {beta_g2_x01}, {beta_g2_x10}, {beta_g2_x11}, {beta_g2_y00}, {beta_g2_y01}, {beta_g2_y10}, {beta_g2_y11}]) }};
+            pub const GAMMA_G2: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{gamma_g2_x00}, {gamma_g2_x01}, {gamma_g2_x10}, {gamma_g2_x11}, {gamma_g2_y00}, {gamma_g2_y01}, {gamma_g2_y10}, {gamma_g2_y11}]) }};
+            pub const DELTA_G2: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{delta_g2_x00}, {delta_g2_x01}, {delta_g2_x10}, {delta_g2_x11}, {delta_g2_y00}, {delta_g2_y01}, {delta_g2_y10}, {delta_g2_y11}]) }};
+            pub const PEDERSEN_G: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{pedersen_g_x00}, {pedersen_g_x01}, {pedersen_g_x10}, {pedersen_g_x11}, {pedersen_g_y00}, {pedersen_g_y01}, {pedersen_g_y10}, {pedersen_g_y11}]) }};
+            pub const PEDERSEN_G_ROOT_SIGMA_NEG: substrate_bn::AffineG2 = unsafe {{ core::mem::transmute::<[u128; 8], substrate_bn::AffineG2>([{pedersen_g_root_sigma_neg_x00}, {pedersen_g_root_sigma_neg_x01}, {pedersen_g_root_sigma_neg_x10}, {pedersen_g_root_sigma_neg_x11}, {pedersen_g_root_sigma_neg_y00}, {pedersen_g_root_sigma_neg_y01}, {pedersen_g_root_sigma_neg_y10}, {pedersen_g_root_sigma_neg_y11}]) }};
+            pub const GAMMA_ABC_G1: [substrate_bn::AffineG1; {gamma_abc_size}] = [{s}];
+        "#
+    )
+}
+
+fn main() {
+    println!("cargo:rerun-if-changed=verifying_key.bin");
+    let out_dir = env::var_os("OUT_DIR").unwrap();
+    let dest_path = Path::new(&out_dir).join("constants.rs");
+
+    let data = include_bytes!("./verifying_key.bin");
+    let verifying_key = parse_verifying_key(data.as_slice());
+    fs::write(dest_path, format!("{verifying_key}")).unwrap();
+}

lib/cometbls-groth16-verifier/build.rs

@@ -0,0 +1,3 @@
+#![allow(clippy::unreadable_literal)]
+
+include!(concat!(env!("OUT_DIR"), "/constants.rs"));

lib/cometbls-groth16-verifier/src/constants.rs

@@ -5,8 +5,9 @@ extern crate alloc;
 use alloc::vec::Vec;
 use core::marker::PhantomData;
 
-use ark_ff::{vec, BigInt};
+use ark_ff::vec;
 use byteorder::{BigEndian, ByteOrder};
+use constants::*;
 use hex_literal::hex;
 use sha2::Sha256;
 use sha3::Digest;
@@ -15,6 +16,8 @@ use unionlabs::{
     hash::H256, ibc::lightclients::cometbls::light_header::LightHeader, uint::U256, ByteArrayExt,
 };
 
+mod constants;
+
 pub const NB_PUBLIC_INPUTS: usize = 2;
 
 pub const HMAC_O: &[u8] = &hex!("1F333139281E100F5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C");
@@ -26,103 +29,7 @@ pub const PRIME_R_MINUS_ONE: U256 = U256::from_limbs([
     3486998266802970665,
 ]);
 
-fn make_g1(x: BigInt<4>, y: BigInt<4>) -> substrate_bn::AffineG1 {
-    substrate_bn::AffineG1::new(
-        substrate_bn::Fq::from_u256(x.0.into()).unwrap(),
-        substrate_bn::Fq::from_u256(y.0.into()).unwrap(),
-    )
-    .unwrap()
-}
-
-fn make_g2(x0: BigInt<4>, x1: BigInt<4>, y0: BigInt<4>, y1: BigInt<4>) -> substrate_bn::AffineG2 {
-    substrate_bn::AffineG2::new(
-        substrate_bn::Fq2::new(
-            substrate_bn::Fq::from_u256(x0.0.into()).unwrap(),
-            substrate_bn::Fq::from_u256(x1.0.into()).unwrap(),
-        ),
-        substrate_bn::Fq2::new(
-            substrate_bn::Fq::from_u256(y0.0.into()).unwrap(),
-            substrate_bn::Fq::from_u256(y1.0.into()).unwrap(),
-        ),
-    )
-    .unwrap()
-}
-
-// TODO: this should be computed at compile time
-pub fn pedersen_commitment_key() -> (substrate_bn::AffineG2, substrate_bn::AffineG2) {
-    let g_raw = hex!("257DF6F8132CB0037F7DFDF1A29B04C1FF92BA082EDA513996BA2BFA9FBD198713F0D8D8879885CA567EF99298C30C397E6FBA584658F4127713A814C06DE55A1660EBCC60C7A3AC560EFCEA5993F528EE13685D3A39694ACD74FE67C80D798A15E80642C58DB4DBE0A87F92CE3C65E962F231278353783A691FD64078BA7F34");
-    let g_root_sigma_neg_raw = hex!("2FBFE141A7555CF7E3E86B092660B81CFB68A025AD817E45CEC0B0F2E2CA636802A104DF1C015F2307FA2859627098CDF9FDB521D61D323943343A12304E5BAF27DA3F93ECF3BFD0B3A3354AE2162A6C230C0E539B6D9F82C0826E2B006A59222C0838551CB9E5CF67DB57DE7E2250BB97807F6687F135A6EB910359BA7BDB8D");
-    let G2Affine(_, g) = G2Affine::<BigEndian>::try_from(g_raw).expect("impossible");
-    let G2Affine(_, g_root_sigma_neg) =
-        G2Affine::<BigEndian>::try_from(g_root_sigma_neg_raw).expect("impossible");
-    (g, g_root_sigma_neg)
-}
-
-// TODO: this should be computed at compile time
-pub fn universal_vk() -> VerifyingKey {
-    VerifyingKey {
-        alpha_g1: make_g1(
-            BigInt!("4252850302693242182654534639730627324742305503909561446344356971523664816281"),
-            BigInt!("3971530409048238023625806606514600982127202826003358538821613170737831313919"),
-        ),
-        beta_g2: make_g2(
-            BigInt!("9609903744775525881338738176064678545439912439219033822736570321349357348980"),
-            BigInt!(
-                "11402125448377072234752634956069960846261435348550776006069399216352815312229"
-            ),
-            BigInt!("3876014193556985028076276590285094449745398487447250532380698384573245200038"),
-            BigInt!("6131692356384648492800758325058748831519318785594820705365176509549681793745"),
-        ),
-        gamma_g2: make_g2(
-            BigInt!(
-                "15418804173338388766896385877623893969695670309009587476846726795628238714393"
-            ),
-            BigInt!(
-                "14882897597913405382982164467298010752166363844685258881581520272046793702095"
-            ),
-            BigInt!("4166025151148225057462107057100265181139888889391061071239248954005945470477"),
-            BigInt!("206728492847877950288262169260916452585500374823256459470367014125967964118"),
-        ),
-        delta_g2: make_g2(
-            BigInt!("2636161939055419322743684458857549714230849256995406138405588958157843793131"),
-            BigInt!(
-                "18711435617866698040659011365354165232283248284733617156044102129651710736892"
-            ),
-            BigInt!(
-                "19240355865528042255113556794397480864884450537537107687508383548050491695680"
-            ),
-            BigInt!(
-                "12249371269602120664445362627662636389936048209522657338249293583990077475589"
-            ),
-        ),
-        gamma_abc_g1: vec![
-            make_g1(
-                BigInt!(
-                    "17683074019270049519594214298171697666582975915064153618004061598086681825921"
-                ),
-                BigInt!(
-                    "16826145467743906176166100307225491106961753217491843100452871479833450456070"
-                ),
-            ),
-            make_g1(
-                BigInt!(
-                    "4999724750322169039879775285047941133298355297928988655266615607529011563466"
-                ),
-                BigInt!(
-                    "8614448667589143428827059805500251818303043966026074735628377626634208993292"
-                ),
-            ),
-            make_g1(
-                BigInt!(
-                    "1184807858330365651919114999096473332175166887333719856514157833289677967559"
-                ),
-                BigInt!(
-                    "20327610427697660249999185524229068956160879388632193295649998184224119517657"
-                ),
-            ),
-        ],
-    }
-}
+const _: () = assert!(GAMMA_ABC_G1.len() == NB_PUBLIC_INPUTS + 1);
 
 fn hmac_keccak(message: &[u8]) -> [u8; 32] {
     sha3::Keccak256::new()
@@ -169,7 +76,6 @@ fn hash_commitment(proof_commitment: &substrate_bn::AffineG1) -> Result<U256, Er
 pub const FQ_SIZE: usize = 32;
 pub const G1_SIZE: usize = 2 * FQ_SIZE;
 pub const G2_SIZE: usize = 2 * G1_SIZE;
-pub const COMMITMENT_HASH_SIZE: usize = 32;
 
 pub struct G1Affine<FromOrder: ByteOrder>(PhantomData<FromOrder>, substrate_bn::AffineG1);
 pub type G1AffineBE = G1Affine<BigEndian>;
@@ -303,14 +209,12 @@ pub fn verify_zkp(
     header: &LightHeader,
     zkp: impl Into<Vec<u8>>,
 ) -> Result<(), Error> {
-    let (g, g_root_sigma_neg) = pedersen_commitment_key();
     verify_generic_zkp_2(
-        universal_vk(),
         chain_id,
         trusted_validators_hash,
         header,
-        g,
-        g_root_sigma_neg,
+        PEDERSEN_G,
+        PEDERSEN_G_ROOT_SIGMA_NEG,
         ZKP::try_from(zkp.into().as_ref())?,
     )
 }
@@ -329,7 +233,6 @@ fn g1_to_bytes(g1_point: &G1) -> Result<[u8; 64], Error> {
 }
 
 fn verify_generic_zkp_2(
-    vk: VerifyingKey,
     chain_id: &str,
     trusted_validators_hash: H256,
     header: &LightHeader,
@@ -341,9 +244,6 @@ fn verify_generic_zkp_2(
         return Err(Error::InvalidChainId);
     }
     // Constant + public inputs
-    if vk.gamma_abc_g1.len() != NB_PUBLIC_INPUTS + 1 {
-        return Err(Error::InvalidVerifyingKey);
-    }
     let decode_scalar = move |x: U256| -> Result<substrate_bn::Fr, Error> {
         substrate_bn::Fr::new(x.0 .0.into()).ok_or(Error::InvalidPublicInput)
     };
@@ -388,22 +288,11 @@ fn verify_generic_zkp_2(
         decode_scalar(U256::from_be_bytes(inputs_hash))?,
         decode_scalar(commitment_hash)?,
     ];
-    let initial_point = substrate_bn::G1::from(
-        vk.gamma_abc_g1
-            .first()
-            .copied()
-            .ok_or(Error::InvalidVerifyingKey)?,
-    ) + zkp.proof_commitment.into();
+    let initial_point = substrate_bn::G1::from(GAMMA_ABC_G1[0]) + zkp.proof_commitment.into();
     let public_inputs_msm = public_inputs
         .into_iter()
-        .zip(
-            vk.gamma_abc_g1
-                .into_iter()
-                .skip(1)
-                .map(substrate_bn::G1::from),
-        )
+        .zip(GAMMA_ABC_G1.into_iter().skip(1).map(substrate_bn::G1::from))
         .fold(initial_point, |s, (w_i, gamma_l_i)| s + gamma_l_i * w_i);
-    // TODO: the verifying key transformation, pedersen key decoding and this negations should all be done at compile time
 
     let proof_a: G1 = zkp.proof.a.into();
     let proof_c: G1 = zkp.proof.c.into();
@@ -429,12 +318,9 @@ fn verify_generic_zkp_2(
 
     let result = substrate_bn::pairing_batch(&[
         (proof_a * r1, zkp.proof.b.into()),
-        (public_inputs_msm * r1, -substrate_bn::G2::from(vk.gamma_g2)),
-        (proof_c * r1, -substrate_bn::G2::from(vk.delta_g2)),
-        (
-            G1::from(vk.alpha_g1) * r1,
-            -substrate_bn::G2::from(vk.beta_g2),
-        ),
+        (public_inputs_msm * r1, -substrate_bn::G2::from(GAMMA_G2)),
+        (proof_c * r1, -substrate_bn::G2::from(DELTA_G2)),
+        (G1::from(ALPHA_G1) * r1, -substrate_bn::G2::from(BETA_G2)),
         // Verify pedersen proof of knowledge
         (pc * r2, g.into()),
         (pok * r2, g_root_sigma_neg.into()),

lib/cometbls-groth16-verifier/src/lib.rs

@@ -0,0 +1,17 @@
+[package]
+edition.workspace      = true
+license-file.workspace = true
+name                   = "gnark-key-parser"
+repository.workspace   = true
+version                = "0.1.0"
+
+[dependencies]
+arith        = "0.2.3"
+ark-ff       = { version = "0.4.2", default-features = false }
+base64       = { workspace = true, features = ["alloc"] }
+hex          = { workspace = true, features = ["alloc"] }
+substrate-bn = { version = "0.6", default-features = false }
+thiserror    = { workspace = true, default-features = false }
+
+[lints]
+workspace = true