jf_plonk/transcript/solidity.rs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184
// Copyright (c) 2022 Espresso Systems (espressosys.com)
// This file is part of the Jellyfish library.
// You should have received a copy of the MIT License
// along with the Jellyfish library. If not, see <https://mit-license.org/>.
//! This module implements solidity transcript.
use super::PlonkTranscript;
use crate::{
constants::KECCAK256_STATE_SIZE, errors::PlonkError, proof_system::structs::VerifyingKey,
};
use ark_ec::{
pairing::Pairing,
short_weierstrass::{Affine, SWCurveConfig},
AffineRepr,
};
use ark_ff::{BigInteger, PrimeField};
use ark_std::vec::Vec;
use jf_pcs::prelude::Commitment;
use jf_utils::to_bytes;
use sha3::{Digest, Keccak256};
/// Transcript with `keccak256` hash function.
///
/// We append new elements to the transcript vector,
/// and when a challenge is generated, the state is updated and transcript is
/// emptied.
///
/// 1. state = hash(state | transcript)
/// 2. transcript = Vec::new()
/// 3. challenge = bytes_to_field(state)
pub struct SolidityTranscript {
pub(crate) state: [u8; KECCAK256_STATE_SIZE],
pub(crate) transcript: Vec<u8>,
}
impl<F: PrimeField> PlonkTranscript<F> for SolidityTranscript {
/// Create a new plonk transcript. `label` is omitted for efficiency.
fn new(_label: &'static [u8]) -> Self {
SolidityTranscript {
state: [0u8; KECCAK256_STATE_SIZE],
transcript: Vec::new(),
}
}
/// Append the message to the transcript. `_label` is omitted for
/// efficiency.
fn append_message(&mut self, _label: &'static [u8], msg: &[u8]) -> Result<(), PlonkError> {
// We remove the labels for better efficiency
self.transcript.extend_from_slice(msg);
Ok(())
}
// override default implementation since we want to use BigEndian serialization
fn append_commitment<E, P>(
&mut self,
label: &'static [u8],
comm: &Commitment<E>,
) -> Result<(), PlonkError>
where
E: Pairing<BaseField = F, G1Affine = Affine<P>>,
P: SWCurveConfig<BaseField = F>,
{
let zero = F::zero();
let (x, y) = if comm.0.is_zero() {
// this is solidity precompile representation of Points of Infinity
(&zero, &zero)
} else {
comm.0.xy().unwrap()
};
<Self as PlonkTranscript<F>>::append_message(
self,
label,
&[x.into_bigint().to_bytes_be(), y.into_bigint().to_bytes_be()].concat(),
)
}
// override default implementation since we want to use BigEndian serialization
fn append_field_elem<E>(
&mut self,
label: &'static [u8],
challenge: &E::ScalarField,
) -> Result<(), PlonkError>
where
E: Pairing<BaseField = F>,
{
<Self as PlonkTranscript<F>>::append_message(
self,
label,
&challenge.into_bigint().to_bytes_be(),
)
}
fn append_vk_and_pub_input<E, P>(
&mut self,
vk: &VerifyingKey<E>,
pub_input: &[E::ScalarField],
) -> Result<(), PlonkError>
where
E: Pairing<BaseField = F, G1Affine = Affine<P>>,
E::ScalarField: PrimeField,
P: SWCurveConfig<BaseField = F>,
{
<Self as PlonkTranscript<F>>::append_message(
self,
b"field size in bits",
E::ScalarField::MODULUS_BIT_SIZE.to_be_bytes().as_ref(),
)?;
<Self as PlonkTranscript<F>>::append_message(
self,
b"domain size",
vk.domain_size.to_be_bytes().as_ref(),
)?;
<Self as PlonkTranscript<F>>::append_message(
self,
b"input size",
vk.num_inputs.to_be_bytes().as_ref(),
)?;
// in EVM, memory word size is 32 bytes, the first 3 fields put onto the
// transcript occupies 4+8+8=20 bytes, thus to align with the memory
// boundray, we pad with 12 bytes of zeros.
<Self as PlonkTranscript<F>>::append_message(
self,
b"EVM word alignment padding",
&[0u8; 12],
)?;
// include [x]_2 G2 point from SRS
// all G1 points from SRS are implicit reflected in committed polys
//
// Since this is a fixed value, we don't need solidity-efficient serialization,
// we simply append the `to_bytes!()` which uses compressed, little-endian form
// instead of other proof-dependent field like number of public inputs or
// concrete polynomial commitments which uses uncompressed, big-endian
// form.
<Self as PlonkTranscript<F>>::append_message(
self,
b"SRS G2 element",
&to_bytes!(&vk.open_key.powers_of_h[1])?,
)?;
self.append_field_elems::<E>(b"wire subsets separators", &vk.k)?;
self.append_commitments(b"selector commitments", &vk.selector_comms)?;
self.append_commitments(b"sigma commitments", &vk.sigma_comms)?;
self.append_field_elems::<E>(b"public input", pub_input)
}
fn get_challenge<E>(&mut self, _label: &'static [u8]) -> Result<E::ScalarField, PlonkError>
where
E: Pairing<BaseField = F>,
E::ScalarField: PrimeField,
{
// 1. state = hash(state | transcript)
let mut hasher = Keccak256::new();
hasher.update(self.state);
hasher.update(&self.transcript);
let buf = hasher.finalize();
self.state.copy_from_slice(&buf);
// 2. transcript = Vec::new()
self.transcript = Vec::new();
// 3. challenge = bytes_to_field(state)
Ok(E::ScalarField::from_be_bytes_mod_order(&buf))
}
}
#[test]
fn test_solidity_keccak() {
use hex::FromHex;
use sha3::{Digest, Keccak256};
let message = "the quick brown fox jumps over the lazy dog".as_bytes();
let mut hasher = Keccak256::new();
hasher.update(message);
let output = hasher.finalize();
// test example result yanked from smart contract execution
assert_eq!(
output[..],
<[u8; 32]>::from_hex("865bf05cca7ba26fb8051e8366c6d19e21cadeebe3ee6bfa462b5c72275414ec")
.unwrap()
);
}