Merge branch 'main' into ce/merge-main

axiom-crypto · Jan 26, 2024 · 8280ae8 · 8280ae8
2 parents 8cdbf54 + 2fe813b
commit 8280ae8
Show file tree

Hide file tree

Showing 28 changed files with 1,693 additions and 74 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -40,6 +40,7 @@ jobs:
         working-directory: "hashes/zkevm"
         run: |
           cargo test packed_multi_keccak_prover::k_14
+          cargo test bit_sha256_prover::k_10
           cargo t test_vanilla_keccak_kat_vectors
 
   lint:

diff --git a/.gitignore b/.gitignore
@@ -20,6 +20,7 @@ Cargo.lock
 /halo2_ecc/src/bn254/data/
 /halo2_ecc/src/secp256k1/data/
 
-/halo2_ecc/params/
-/halo2_ecc/results/
-/halo2_base/params/
+**/params/*
+**/params/
+
+**/.DS_Store
diff --git a/Cargo.toml b/Cargo.toml
@@ -39,3 +39,7 @@ debug = true
 [patch."https://github.com/axiom-crypto/halo2-lib.git"]
 halo2-base = { path = "../halo2-lib/halo2-base" }
 halo2-ecc = { path = "../halo2-lib/halo2-ecc" }
+
+[patch.crates-io]
+halo2-base = { path = "../halo2-lib/halo2-base" }
+halo2-ecc = { path = "../halo2-lib/halo2-ecc" }
diff --git a/README.md b/README.md
@@ -21,11 +21,36 @@ git clone https://github.com/axiom-crypto/halo2-lib.git
 cd halo2-lib
 ```
 
+## Projects built with `halo2-lib`
+
+- [Axiom](https://github.com/axiom-crypto/axiom-eth) -- Prove facts about Ethereum on-chain data via aggregate block header, account, and storage proofs.
+- [Proof of Email](https://github.com/zkemail/) -- Prove facts about emails with the same trust assumption as the email domain.
+  - [halo2-regex](https://github.com/zkemail/halo2-regex)
+  - [halo2-zk-email](https://github.com/zkemail/halo2-zk-email)
+  - [halo2-base64](https://github.com/zkemail/halo2-base64)
+  - [halo2-rsa](https://github.com/zkemail/halo2-rsa/tree/feat/new_bigint)
+- [halo2-fri-gadget](https://github.com/maxgillett/halo2-fri-gadget) -- FRI verifier in halo2.
+- [eth-voice-recovery](https://github.com/SoraSuegami/voice_recovery_circuit) -- Verify the voice recovery process.
+- [zkEVM signature verification circuit](https://github.com/scroll-tech/zkevm-circuits/tree/develop/zkevm-circuits/src/sig_circuit.rs)
+- [zkEVM tx-circuit](https://github.com/scroll-tech/zkevm-circuits/tree/develop/zkevm-circuits/src/tx_circuit)
+- [webauthn-halo2](https://github.com/zkwebauthn/webauthn-halo2) -- Proving and verifying WebAuthn with halo2.
+- [Fixed Point Arithmetic](https://github.com/DCMMC/halo2-scaffold/tree/main/src/gadget) -- Fixed point arithmetic library in halo2.
+- [Spectre](https://github.com/ChainSafe/Spectre) -- Verifying Beacon chain headers via Altair lightclient protocol
+- [halo2-nn-wasm](https://github.com/metavind/halo2-nn-wasm) -- Neural network in halo2 for WASM.
+- [halo2-cairo](https://github.com/odyssey2077/halo2-cairo) -- Prove Cairo program execution in halo2.
+- [indexed-merkle-tree](https://github.com/aerius-labs/indexed-merkle-tree-halo2) -- Indexed Merkle Tree operations in halo2.
+- [zkCert](https://github.com/zkCert/halo2-zkcert) -- Verify a chain of x509 certificates in halo2.
+- [zk-dcap-verifier](https://github.com/CliqueOfficial/zk-dcap-verifier) -- On-chain DCAP attestation verification.
+- [polymon_gan](https://github.com/Modulus-Labs/polymon_gan) -- Prover for the Polymon GAN network.
+- [MynaWallet](https://github.com/MynaWallet/monorepo/tree/develop/packages/halo2-circuits) -- Verifies RSA signatures signed by Myna Card (Japan's ID Card).
+- [zk-face-circuit](https://github.com/team-byof/zk-face-circuit) -- Face Wallet Verification system for Ethereum wallets.
+- [halo2-lib-secp256r1](https://github.com/CliqueOfficial/halo2-lib-secp256r1)
+
 ## halo2-base
 
 This crate provides an additional API for writing circuits in Halo 2 using our [simple vertical gate](https://docs.axiom.xyz/zero-knowledge-proofs/getting-started-with-halo2#halo2-lib). It also provides basic functions built using this API. The provided methods can be found in [`GateInstructions`](https://axiom-crypto.github.io/halo2-lib/halo2_base/gates/trait.GateInstructions.html) and [`RangeInstructions`](https://axiom-crypto.github.io/halo2-lib/halo2_base/gates/trait.RangeInstructions.html). The latter are operations that require using a lookup table for range checks.
 
-- Read the [Rust docs](https://axiom-crypto.github.io/halo2-lib/halo2_base/index.html) for this crate.
+- Read the [Rust docs](https://docs.rs/halo2-base/0.4.1/halo2_base/) for this crate.
 - To get started with Halo 2 and to learn how to build using the `halo2-base` API, see the [Getting Started](https://docs.axiom.xyz/zero-knowledge-proofs/getting-started-with-halo2) guide.
 
 To run some basic tests, run the following command:
@@ -277,20 +302,3 @@ cargo test --release --no-default-features --features "halo2-axiom, mimalloc" --
 | 19  | 20         | 3                 | 1         | 32.6s               |
 | 20  | 11         | 2                 | 1         | 41.3s               |
 | 21  | 6          | 1                 | 1         | 51.9s               |
-
-## Projects built with `halo2-lib`
-
-- [Axiom](https://github.com/axiom-crypto/axiom-eth) -- Prove facts about Ethereum on-chain data via aggregate block header, account, and storage proofs.
-- [Proof of Email](https://github.com/zkemail/) -- Prove facts about emails with the same trust assumption as the email domain.
-  - [halo2-regex](https://github.com/zkemail/halo2-regex)
-  - [halo2-zk-email](https://github.com/zkemail/halo2-zk-email)
-  - [halo2-base64](https://github.com/zkemail/halo2-base64)
-  - [halo2-rsa](https://github.com/zkemail/halo2-rsa/tree/feat/new_bigint)
-- [halo2-fri-gadget](https://github.com/maxgillett/halo2-fri-gadget) -- FRI verifier in halo2.
-- [eth-voice-recovery](https://github.com/SoraSuegami/voice_recovery_circuit)
-  <<<<<<< HEAD
-- # [zkevm signature verification circuit](https://github.com/scroll-tech/zkevm-circuits/tree/develop/zkevm-circuits/src/sig_circuit.rs)
-- [zkevm tx-circuit](https://github.com/scroll-tech/zkevm-circuits/tree/develop/zkevm-circuits/src/tx_circuit)
-  > > > > > > > release-0.4.1-rc
-- [webauthn-halo2](https://github.com/zkwebauthn/webauthn-halo2) -- Proving and verifying WebAuthn with halo2.
-- [Fixed Point Arithmetic](https://github.com/DCMMC/halo2-scaffold/tree/main/src/gadget) -- Fixed point arithmetic library in halo2.
diff --git a/halo2-base/Cargo.toml b/halo2-base/Cargo.toml
@@ -1,7 +1,13 @@
 [package]
 name = "halo2-base"
 version = "0.4.1"
+authors = ["Intrinsic Technologies"]
+license = "MIT"
 edition = "2021"
+repository = "https://github.com/axiom-crypto/halo2-lib"
+readme = "README.md"
+description = "Embedded domain specific language (eDSL) for writing circuits with the [`halo2`](https://github.com/axiom-crypto/halo2) API. It simplifies circuit programming to declaring constraints over a single advice and selector column and provides built-in circuit tuning and support for multi-threaded witness generation."
+rust-version = "1.73.0"
 
 [dependencies]
 itertools = "0.11"
@@ -20,7 +26,7 @@ ark-std = { version = "0.3.0", features = ["print-trace"], optional = true }
 # Use Axiom's custom halo2 monorepo for faster proving when feature = "halo2-axiom" is on
 halo2_proofs_axiom = { version = "0.4", package = "halo2-axiom", optional = true }
 # Use PSE halo2 and halo2curves for compatibility when feature = "halo2-pse" is on
-halo2_proofs = { git = "https://github.com/privacy-scaling-explorations/halo2.git", rev = "7a21656", optional = true }
+halo2_proofs = { git = "https://github.com/privacy-scaling-explorations/halo2.git", tag = "v0.3.0", features = ["circuit-params", "derive_serde"], optional = true }
 
 # This is Scroll's audited poseidon circuit. We only use it for the Native Poseidon spec. We do not use the halo2 circuit at all (and it wouldn't even work because the halo2_proofs tag is not compatbile).
 # We forked it to upgrade to ff v0.13 and removed the circuit module
@@ -53,7 +59,7 @@ mimalloc = { version = "=0.1", default-features = false, optional = true }
 [features]
 default = ["halo2-axiom", "display", "test-utils"]
 asm = ["halo2_proofs_axiom?/asm"]
-dev-graph = ["halo2_proofs/dev-graph", "plotters"] # only works with halo2-pse for now
+dev-graph = ["halo2_proofs?/dev-graph", "plotters"] # only works with halo2-pse for now
 halo2-pse = ["halo2_proofs/circuit-params"]
 halo2-axiom = ["halo2_proofs_axiom"]
 display = []

diff --git a/halo2-base/src/utils/halo2.rs b/halo2-base/src/utils/halo2.rs
@@ -3,11 +3,15 @@ use std::collections::hash_map::Entry;
 use crate::ff::Field;
 use crate::halo2_proofs::{
     circuit::{AssignedCell, Cell, Region, Value},
+    halo2curves::bn256::Bn256,
     plonk::{Advice, Assigned, Circuit, Column, Fixed},
+    poly::kzg::commitment::ParamsKZG,
 };
 use crate::virtual_region::copy_constraints::{CopyConstraintManager, EXTERNAL_CELL_TYPE_ID};
 use crate::AssignedValue;
 
+pub use keygen::ProvingKeyGenerator;
+
 /// Raw (physical) assigned cell in Plonkish arithmetization.
 #[cfg(feature = "halo2-axiom")]
 pub type Halo2AssignedCell<'v, F> = AssignedCell<&'v Assigned<F>, F>;
@@ -136,17 +140,11 @@ pub trait KeygenCircuitIntent<F: Field> {
     ) -> Self::Pinning;
 }
 
-use halo2_proofs_axiom::halo2curves::bn256::Bn256;
-use halo2_proofs_axiom::poly::kzg::commitment::ParamsKZG;
-pub use keygen::ProvingKeyGenerator;
-
 mod keygen {
-    use halo2_proofs_axiom::poly::commitment::Params;
-
     use crate::halo2_proofs::{
         halo2curves::bn256::{Bn256, Fr, G1Affine},
         plonk::{self, ProvingKey},
-        poly::kzg::commitment::ParamsKZG,
+        poly::{commitment::Params, kzg::commitment::ParamsKZG},
     };
 
     use super::KeygenCircuitIntent;

diff --git a/halo2-ecc/Cargo.toml b/halo2-ecc/Cargo.toml
@@ -1,10 +1,16 @@
 [package]
 name = "halo2-ecc"
 version = "0.4.1"
+authors = ["Intrinsic Technologies"]
+license = "MIT"
 edition = "2021"
+repository = "https://github.com/axiom-crypto/halo2-lib"
+readme = "../README.md"
+description = "In-circuit elliptic curve library for halo2."
+rust-version = "1.73.0"
 
 [dependencies]
-itertools = "0.10"
+itertools = "0.11"
 num-bigint = { version = "0.4", features = ["rand"] }
 num-integer = "0.1"
 num-traits = "0.2"
@@ -16,7 +22,7 @@ serde_json = "1.0"
 rayon = "1.8"
 test-case = "3.1.0"
 
-halo2-base = { path = "../halo2-base", default-features = false }
+halo2-base = { version = "=0.4.1", path = "../halo2-base", default-features = false }
 
 # plotting circuit layout
 plotters = { version = "0.3.0", optional = true }
@@ -26,7 +32,7 @@ ark-std = { version = "0.3.0", features = ["print-trace"] }
 pprof = { version = "0.13", features = ["criterion", "flamegraph"] }
 criterion = "0.5.1"
 criterion-macro = "0.4"
-halo2-base = { path = "../halo2-base", default-features = false, features = ["test-utils"] }
+halo2-base = { version = "=0.4.1", path = "../halo2-base", default-features = false, features = ["test-utils"] }
 test-log = "0.2.12"
 env_logger = "0.10.0"
 

diff --git a/hashes/zkevm/Cargo.toml b/hashes/zkevm/Cargo.toml
@@ -1,8 +1,13 @@
 [package]
 name = "zkevm-hashes"
-version = "0.1.4"
-edition = "2021"
+version = "0.2.1"
+authors = ["Privacy Scaling Explorations Team", "Taiko Labs", "Intrinsic Technologies"]
 license = "MIT OR Apache-2.0"
+edition = "2021"
+repository = "https://github.com/axiom-crypto/halo2-lib"
+readme = "README.md"
+description = "Library of ZK gadgets for hash functions in halo2. This is Axiom's modification of the circuits in the zkEVM project."
+rust-version = "1.73.0"
 
 [dependencies]
 array-init = "2.0.0"
@@ -12,13 +17,15 @@ itertools = "0.11"
 lazy_static = "1.4"
 log = "0.4"
 num-bigint = { version = "0.4" }
-halo2-base = { path = "../../halo2-base", default-features = false, features = ["test-utils"] }
+halo2-base = { version = "=0.4.1", path = "../../halo2-base", default-features = false, features = ["test-utils"] }
 serde = { version = "1.0", features = ["derive"] }
 rayon = "1.8"
 sha3 = "0.10.8"
 # always included but without features to use Native poseidon and get CircuitExt trait
-snark-verifier-sdk = { git = "https://github.com/axiom-crypto/snark-verifier.git", branch = "release-0.1.7-rc", default-features = false }
+# snark-verifier-sdk = { version = "=0.1.7", default-features = false }
+snark-verifier-sdk = { version = "=0.1.7", git = "https://github.com/axiom-crypto/snark-verifier.git", tag = "v0.1.7-git", default-features = false }
 getset = "0.1.2"
+type-map = "0.5.0"
 
 [dev-dependencies]
 ethers-signers = "2.0.8"
@@ -29,12 +36,13 @@ rand_core = "0.6.4"
 rand_xorshift = "0.3"
 env_logger = "0.10"
 test-case = "3.1.0"
+sha2 = "0.10.7"
 
 [features]
 default = ["halo2-axiom", "display"]
 display = ["snark-verifier-sdk/display"]
-halo2-pse = ["halo2-base/halo2-pse"]
-halo2-axiom = ["halo2-base/halo2-axiom"]
+halo2-pse = ["halo2-base/halo2-pse", "snark-verifier-sdk/halo2-pse"]
+halo2-axiom = ["halo2-base/halo2-axiom", "snark-verifier-sdk/halo2-axiom"]
 jemallocator = ["halo2-base/jemallocator"]
 mimalloc = ["halo2-base/mimalloc"]
 asm = ["halo2-base/asm"]
diff --git a/hashes/zkevm/README.md b/hashes/zkevm/README.md
@@ -0,0 +1,9 @@
+# zkEVM Hashes
+
+## Keccak
+
+See [readme](./src/keccak/README.md).
+
+## SHA-256
+
+See [readme](./src/sha256/README.md).
diff --git a/hashes/zkevm/src/keccak/component/circuit/shard.rs b/hashes/zkevm/src/keccak/component/circuit/shard.rs
@@ -7,6 +7,7 @@ use crate::{
                 get_words_to_witness_multipliers, num_poseidon_absorb_per_keccak_f,
                 num_word_per_witness,
             },
+            get_poseidon_spec,
             output::{
                 calculate_circuit_outputs_commit, dummy_circuit_output,
                 multi_inputs_to_circuit_outputs, KeccakCircuitOutput,
@@ -31,10 +32,7 @@ use halo2_base::{
         circuit::{Layouter, SimpleFloorPlanner},
         plonk::{Circuit, ConstraintSystem, Error},
     },
-    poseidon::hasher::{
-        spec::OptimizedPoseidonSpec, PoseidonCompactChunkInput, PoseidonCompactOutput,
-        PoseidonHasher,
-    },
+    poseidon::hasher::{PoseidonCompactChunkInput, PoseidonCompactOutput, PoseidonHasher},
     safe_types::{SafeBool, SafeTypeChip},
     virtual_region::copy_constraints::SharedCopyConstraintManager,
     AssignedValue, Context,
@@ -405,11 +403,7 @@ impl<F: Field> KeccakComponentShardCircuit<F> {
 
 pub(crate) fn create_hasher<F: Field>() -> PoseidonHasher<F, POSEIDON_T, POSEIDON_RATE> {
     // Construct in-circuit Poseidon hasher.
-    let spec = OptimizedPoseidonSpec::<F, POSEIDON_T, POSEIDON_RATE>::new::<
-        POSEIDON_R_F,
-        POSEIDON_R_P,
-        POSEIDON_SECURE_MDS,
-    >();
+    let spec = get_poseidon_spec();
     PoseidonHasher::<F, POSEIDON_T, POSEIDON_RATE>::new(spec)
 }
 

diff --git a/hashes/zkevm/src/keccak/component/encode.rs b/hashes/zkevm/src/keccak/component/encode.rs
@@ -8,14 +8,13 @@ use halo2_base::{
 };
 use itertools::Itertools;
 use num_bigint::BigUint;
-use snark_verifier_sdk::{snark_verifier, NativeLoader};
 
 use crate::{
     keccak::vanilla::{keccak_packed_multi::get_num_keccak_f, param::*},
     util::eth_types::Field,
 };
 
-use super::param::*;
+use super::{create_native_poseidon_sponge, param::*};
 
 // TODO: Abstract this module into a trait for all component circuits.
 
@@ -26,12 +25,7 @@ use super::param::*;
 pub fn encode_native_input<F: Field>(bytes: &[u8]) -> F {
     let witnesses_per_keccak_f = pack_native_input(bytes);
     // Absorb witnesses keccak_f by keccak_f.
-    let mut native_poseidon_sponge =
-        snark_verifier::util::hash::Poseidon::<F, F, POSEIDON_T, POSEIDON_RATE>::new::<
-            POSEIDON_R_F,
-            POSEIDON_R_P,
-            POSEIDON_SECURE_MDS,
-        >(&NativeLoader);
+    let mut native_poseidon_sponge = create_native_poseidon_sponge();
     for witnesses in witnesses_per_keccak_f {
         for absorbing in witnesses.chunks(POSEIDON_RATE) {
             // To avoid absorbing witnesses crossing keccak_fs together, pad 0s to make sure absorb.len() == RATE.

diff --git a/hashes/zkevm/src/keccak/component/mod.rs b/hashes/zkevm/src/keccak/component/mod.rs
@@ -1,3 +1,14 @@
+use std::sync::RwLock;
+
+use halo2_base::poseidon::hasher::spec::OptimizedPoseidonSpec;
+use lazy_static::lazy_static;
+use snark_verifier_sdk::{snark_verifier, NativeLoader};
+use type_map::concurrent::TypeMap;
+
+use crate::util::eth_types::Field;
+
+use self::param::{POSEIDON_RATE, POSEIDON_R_F, POSEIDON_R_P, POSEIDON_SECURE_MDS, POSEIDON_T};
+
 /// Module of Keccak component circuit(s).
 pub mod circuit;
 /// Module of encoding raw inputs to component circuit lookup keys.
@@ -10,3 +21,37 @@ pub mod output;
 pub mod param;
 #[cfg(test)]
 mod tests;
+
+lazy_static! {
+    static ref POSEIDON_SPEC_CACHE: RwLock<TypeMap> = Default::default();
+}
+
+pub(crate) fn get_poseidon_spec<F: Field>() -> OptimizedPoseidonSpec<F, POSEIDON_T, POSEIDON_RATE> {
+    let spec = POSEIDON_SPEC_CACHE
+        .read()
+        .unwrap_or_else(|e| e.into_inner())
+        .get::<OptimizedPoseidonSpec<F, POSEIDON_T, POSEIDON_RATE>>()
+        .cloned();
+    if let Some(spec) = spec {
+        return spec;
+    }
+    let spec = {
+        let mut to_write = POSEIDON_SPEC_CACHE.write().unwrap_or_else(|e| e.into_inner());
+        let spec = OptimizedPoseidonSpec::<F, POSEIDON_T, POSEIDON_RATE>::new::<
+            POSEIDON_R_F,
+            POSEIDON_R_P,
+            POSEIDON_SECURE_MDS,
+        >();
+        to_write.insert(spec.clone());
+        spec
+    };
+    spec
+}
+
+pub(crate) fn create_native_poseidon_sponge<F: Field>(
+) -> snark_verifier::util::hash::Poseidon<F, F, POSEIDON_T, POSEIDON_RATE> {
+    snark_verifier::util::hash::Poseidon::<F, F, POSEIDON_T, POSEIDON_RATE>::from_spec(
+        &NativeLoader,
+        get_poseidon_spec(),
+    )
+}