axiom-eth 0.4.0

This crate is the main library for building ZK circuits that prove data about the Ethereum virtual machine (EVM).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470

use ethers_core::types::Chain;
use getset::Getters;
use halo2_base::{
    gates::{flex_gate::threads::parallelize_core, GateChip, RangeChip},
    safe_types::{SafeAddress, SafeBytes32, SafeTypeChip},
    AssignedValue, Context,
};
use itertools::Itertools;

use crate::{
    block_header::{EthBlockHeaderChip, EthBlockHeaderTrace, EthBlockHeaderWitness},
    keccak::KeccakChip,
    mpt::{MPTChip, MPTProof, MPTProofWitness},
    rlc::{
        chip::RlcChip,
        circuit::builder::{RlcCircuitBuilder, RlcContextPair},
        types::RlcTrace,
        FIRST_PHASE,
    },
    rlp::{
        types::{RlpArrayWitness, RlpFieldWitness},
        RlpChip,
    },
    utils::{bytes_be_to_u128, uint_to_bytes_be, AssignedH256},
    Field,
};

pub mod circuit;
#[cfg(all(test, feature = "providers"))]
mod tests;

/*
| Account State Field     | Max bytes   |
|-------------------------|-------------|
| nonce                   | ≤8          |
| balance                 | ≤12         |
| storageRoot             | 32          |
| codeHash                | 32          |

account nonce is uint64 by https://eips.ethereum.org/EIPS/eip-2681
*/
pub const NUM_ACCOUNT_STATE_FIELDS: usize = 4;
pub const ACCOUNT_STATE_FIELDS_MAX_BYTES: [usize; NUM_ACCOUNT_STATE_FIELDS] = [8, 12, 32, 32];
#[allow(dead_code)]
pub const ACCOUNT_STATE_FIELD_IS_VAR_LEN: [bool; NUM_ACCOUNT_STATE_FIELDS] =
    [true, true, false, false];
pub(crate) const ACCOUNT_PROOF_VALUE_MAX_BYTE_LEN: usize = 90;
pub(crate) const STORAGE_PROOF_VALUE_MAX_BYTE_LEN: usize = 33;
#[allow(dead_code)]
pub(crate) const STORAGE_PROOF_KEY_MAX_BYTE_LEN: usize = 32;

/// Stores Account rlcs to be used in later functions. Is returned by `parse_account_proof_phase1`.
#[derive(Clone, Debug)]
pub struct EthAccountTrace<F: Field> {
    pub nonce_trace: RlcTrace<F>,
    pub balance_trace: RlcTrace<F>,
    pub storage_root_trace: RlcTrace<F>,
    pub code_hash_trace: RlcTrace<F>,
}

/// Stores Account information to be used in later functions. Is returned by `parse_account_proof_phase0`.
#[derive(Clone, Debug, Getters)]
pub struct EthAccountWitness<F: Field> {
    pub address: SafeAddress<F>,
    #[getset(get = "pub")]
    pub(crate) array_witness: RlpArrayWitness<F>,
    #[getset(get = "pub")]
    pub(crate) mpt_witness: MPTProofWitness<F>,
}

impl<F: Field> EthAccountWitness<F> {
    pub fn get_nonce(&self) -> &RlpFieldWitness<F> {
        &self.array_witness.field_witness[0]
    }
    pub fn get_balance(&self) -> &RlpFieldWitness<F> {
        &self.array_witness.field_witness[1]
    }
    pub fn get_storage_root(&self) -> &RlpFieldWitness<F> {
        &self.array_witness.field_witness[2]
    }
    pub fn get_code_hash(&self) -> &RlpFieldWitness<F> {
        &self.array_witness.field_witness[3]
    }
}

/// Stores the rlc of a value in a storage slot. Is returned by `parse_storage_proof_phase1`.
#[derive(Clone, Debug)]
pub struct EthStorageTrace<F: Field> {
    pub value_trace: RlcTrace<F>,
}

/// Stores storage slot information as well as a proof of inclusion to be verified in parse_storage_phase1. Is returned
/// by `parse_storage_phase0`.
#[derive(Clone, Debug, Getters)]
pub struct EthStorageWitness<F: Field> {
    pub slot: SafeBytes32<F>,
    #[getset(get = "pub")]
    pub(crate) value_witness: RlpFieldWitness<F>,
    #[getset(get = "pub")]
    pub(crate) mpt_witness: MPTProofWitness<F>,
}

///  Stores the rlcs for an account in a block, and the rlcs of slots in the account. Is returned by `parse_eip1186_proofs_from_block_phase1`.
#[derive(Clone, Debug)]
pub struct EthBlockAccountStorageTrace<F: Field> {
    pub block_trace: EthBlockHeaderTrace<F>,
    pub acct_trace: EthAccountTrace<F>,
    pub storage_trace: Vec<EthStorageTrace<F>>,
}

///  Stores a block, an account, and multiple storage witnesses. Is returned by `parse_eip1186_proofs_from_block_phase0`.
#[derive(Clone, Debug)]
pub struct EthBlockAccountStorageWitness<F: Field> {
    pub block_witness: EthBlockHeaderWitness<F>,
    pub acct_witness: EthAccountWitness<F>,
    pub storage_witness: Vec<EthStorageWitness<F>>,
}

/// Returns public instances from `parse_eip1186_proofs_from_block_phase0`.
#[derive(Clone, Debug)]
pub struct EIP1186ResponseDigest<F: Field> {
    pub block_hash: AssignedH256<F>,
    pub block_number: AssignedValue<F>,
    pub address: AssignedValue<F>,
    // the value U256 is interpreted as H256 (padded with 0s on left)
    /// Pairs of (slot, value) where value is a left padded with 0s to fixed width 32 bytes
    pub slots_values: Vec<(AssignedH256<F>, AssignedH256<F>)>,
    pub address_is_empty: AssignedValue<F>,
    pub slot_is_empty: Vec<AssignedValue<F>>,
}

/// Chip to prove correctness of account and storage proofs
pub struct EthStorageChip<'chip, F: Field> {
    pub mpt: &'chip MPTChip<'chip, F>,
    /// The network to use for block header decoding. Must be provided if using functions that prove into block header (as opposed to state / storage root)
    pub network: Option<Chain>,
}

impl<'chip, F: Field> EthStorageChip<'chip, F> {
    pub fn new(mpt: &'chip MPTChip<'chip, F>, network: Option<Chain>) -> Self {
        Self { mpt, network }
    }

    pub fn gate(&self) -> &GateChip<F> {
        self.mpt.gate()
    }

    pub fn range(&self) -> &RangeChip<F> {
        self.mpt.range()
    }

    pub fn rlc(&self) -> &RlcChip<F> {
        self.mpt.rlc()
    }

    pub fn rlp(&self) -> RlpChip<F> {
        self.mpt.rlp()
    }

    pub fn keccak(&self) -> &KeccakChip<F> {
        self.mpt.keccak()
    }
    /// Does inclusion/exclusion proof of `key = keccak(addr)` into an alleged MPT state trie. Alleged means the proof is with respect to an alleged stateRoot.
    /// RLP decodes the ethereumAccount.
    ///
    /// There is one global state trie, and it is updated every time a client processes a block. In it, a path is always: keccak256(ethereumAddress) and a value is always: rlp(ethereumAccount). More specifically an ethereum account is a 4 item array of [nonce,balance,storageRoot,codeHash].
    ///
    /// Does input validation of `proof` (e.g., checking witnesses are bytes).
    pub fn parse_account_proof_phase0(
        &self,
        ctx: &mut Context<F>,
        address: SafeAddress<F>,
        proof: MPTProof<F>,
    ) -> EthAccountWitness<F> {
        assert_eq!(32, proof.key_bytes.len());

        // check key is keccak(addr)
        let hash_query = self.keccak().keccak_fixed_len(ctx, address.as_ref().to_vec());
        let hash_addr = hash_query.output_bytes.as_ref();

        for (byte, key) in hash_addr.iter().zip_eq(proof.key_bytes.iter()) {
            ctx.constrain_equal(byte, key);
        }

        // parse value RLP([nonce, balance, storage_root, code_hash])
        let array_witness = self.rlp().decompose_rlp_array_phase0(
            ctx,
            proof.value_bytes.clone(),
            &ACCOUNT_STATE_FIELDS_MAX_BYTES,
            false,
        );
        // Check MPT inclusion for:
        // keccak(addr) => RLP([nonce, balance, storage_root, code_hash])
        let mpt_witness = self.mpt.parse_mpt_inclusion_phase0(ctx, proof);

        EthAccountWitness { address, array_witness, mpt_witness }
    }

    /// SecondPhase of account proof parsing.
    pub fn parse_account_proof_phase1(
        &self,
        (ctx_gate, ctx_rlc): RlcContextPair<F>,
        witness: EthAccountWitness<F>,
    ) -> EthAccountTrace<F> {
        // Comments below just to log what load_rlc_cache calls are done in the internal functions:
        // load_rlc_cache bit_length(2*mpt_witness.key_byte_len)
        self.mpt.parse_mpt_inclusion_phase1((ctx_gate, ctx_rlc), witness.mpt_witness);
        // load rlc_cache bit_length(array_witness.rlp_array.len())
        let array_trace: [_; 4] = self
            .rlp()
            .decompose_rlp_array_phase1((ctx_gate, ctx_rlc), witness.array_witness, false)
            .field_trace
            .try_into()
            .unwrap();
        let [nonce_trace, balance_trace, storage_root_trace, code_hash_trace] =
            array_trace.map(|trace| trace.field_trace);
        EthAccountTrace { nonce_trace, balance_trace, storage_root_trace, code_hash_trace }
    }

    /// Does multiple calls to [`parse_account_proof_phase0`] in parallel.
    pub fn parse_account_proofs_phase0(
        &self,
        builder: &mut RlcCircuitBuilder<F>,
        addr_proofs: Vec<(SafeAddress<F>, MPTProof<F>)>,
    ) -> Vec<EthAccountWitness<F>> {
        parallelize_core(builder.base.pool(0), addr_proofs, |ctx, (addr, proof)| {
            self.parse_account_proof_phase0(ctx, addr, proof)
        })
    }

    /// SecondPhase of account proofs parsing.
    pub fn parse_account_proofs_phase1(
        &self,
        builder: &mut RlcCircuitBuilder<F>,
        acct_witness: Vec<EthAccountWitness<F>>,
    ) -> Vec<EthAccountTrace<F>> {
        // rlc cache is loaded globally when `builder` was constructed; no longer done here to avoid concurrency issues
        builder.parallelize_phase1(acct_witness, |(ctx_gate, ctx_rlc), witness| {
            self.parse_account_proof_phase1((ctx_gate, ctx_rlc), witness)
        })
    }

    /// Does inclusion/exclusion proof of `keccak(slot)` into an alleged MPT storage trie. Alleged means the proof is with respect to an alleged storageRoot.
    ///
    /// storageRoot: A 256-bit hash of the root node of a Merkle Patricia tree that encodes the storage contents of the account (a mapping between 256-bit integer values), encoded into the trie as a mapping from the Keccak 256-bit hash of the 256-bit integer keys to the RLP-encoded 256-bit integer values. The hash is formally denoted σ[a]_s.
    ///
    /// Will do input validation on `proof` (e.g., checking witnesses are bytes).
    pub fn parse_storage_proof_phase0(
        &self,
        ctx: &mut Context<F>,
        slot: SafeBytes32<F>,
        proof: MPTProof<F>,
    ) -> EthStorageWitness<F> {
        assert_eq!(32, proof.key_bytes.len());

        // check key is keccak(slot)
        let hash_query = self.keccak().keccak_fixed_len(ctx, slot.as_ref().to_vec());
        let hash_bytes = hash_query.output_bytes.as_ref();

        for (hash, key) in hash_bytes.iter().zip_eq(proof.key_bytes.iter()) {
            ctx.constrain_equal(hash, key);
        }

        // parse slot value
        let value_witness =
            self.rlp().decompose_rlp_field_phase0(ctx, proof.value_bytes.clone(), 32);
        // check MPT inclusion
        let mpt_witness = self.mpt.parse_mpt_inclusion_phase0(ctx, proof);
        EthStorageWitness { slot, value_witness, mpt_witness }
    }

    /// SecondPhase of storage proof parsing.
    pub fn parse_storage_proof_phase1(
        &self,
        (ctx_gate, ctx_rlc): RlcContextPair<F>,
        witness: EthStorageWitness<F>,
    ) -> EthStorageTrace<F> {
        // Comments below just to log what load_rlc_cache calls are done in the internal functions:
        // load_rlc_cache bit_length(2*mpt_witness.key_byte_len)
        self.mpt.parse_mpt_inclusion_phase1((ctx_gate, ctx_rlc), witness.mpt_witness);
        // load rlc_cache bit_length(value_witness.rlp_field.len())
        let value_trace =
            self.rlp().decompose_rlp_field_phase1((ctx_gate, ctx_rlc), witness.value_witness);
        let value_trace = value_trace.field_trace;
        debug_assert_eq!(value_trace.max_len, 32);
        EthStorageTrace { value_trace }
    }

    /// Does multiple calls to [`parse_storage_proof_phase0`] in parallel.
    pub fn parse_storage_proofs_phase0(
        &self,
        builder: &mut RlcCircuitBuilder<F>,
        slot_proofs: Vec<(SafeBytes32<F>, MPTProof<F>)>,
    ) -> Vec<EthStorageWitness<F>> {
        parallelize_core(builder.base.pool(0), slot_proofs, |ctx, (slot, proof)| {
            self.parse_storage_proof_phase0(ctx, slot, proof)
        })
    }

    /// SecondPhase of account proofs parsing.
    pub fn parse_storage_proofs_phase1(
        &self,
        builder: &mut RlcCircuitBuilder<F>,
        storage_witness: Vec<EthStorageWitness<F>>,
    ) -> Vec<EthStorageTrace<F>> {
        // rlc cache is loaded globally when `builder` was constructed; no longer done here to avoid concurrency issues
        builder.parallelize_phase1(storage_witness, |(ctx_gate, ctx_rlc), witness| {
            self.parse_storage_proof_phase1((ctx_gate, ctx_rlc), witness)
        })
    }

    /// Does inclusion/exclusion proof of `key = keccak(addr)` into an alleged MPT state trie. Alleged means the proof is with respect to an alleged stateRoot.
    ///
    /// RLP decodes the ethereumAccount, which in particular gives the storageRoot.
    ///
    /// Does (multiple) inclusion/exclusion proof of `keccak(slot)` into the MPT storage trie with root storageRoot.
    pub fn parse_eip1186_proofs_phase0(
        &self,
        builder: &mut RlcCircuitBuilder<F>,
        addr: SafeAddress<F>,
        acct_pf: MPTProof<F>,
        storage_pfs: Vec<(SafeBytes32<F>, MPTProof<F>)>, // (slot_bytes, storage_proof)
    ) -> (EthAccountWitness<F>, Vec<EthStorageWitness<F>>) {
        // TODO: spawn separate thread for account proof; just need to get storage_root first somehow
        let ctx = builder.base.main(FIRST_PHASE);
        let acct_trace = self.parse_account_proof_phase0(ctx, addr, acct_pf);
        // ctx dropped
        let storage_root = &acct_trace.get_storage_root().field_cells;
        let storage_trace =
            parallelize_core(builder.base.pool(0), storage_pfs, |ctx, (slot, storage_pf)| {
                let witness = self.parse_storage_proof_phase0(ctx, slot, storage_pf);
                // check MPT root is storage_root
                for (pf_byte, byte) in
                    witness.mpt_witness.root_hash_bytes.iter().zip_eq(storage_root.iter())
                {
                    ctx.constrain_equal(pf_byte, byte);
                }
                witness
            });
        (acct_trace, storage_trace)
    }

    /// SecondPhase of `parse_eip1186_proofs_phase0`
    pub fn parse_eip1186_proofs_phase1(
        &self,
        builder: &mut RlcCircuitBuilder<F>,
        (acct_witness, storage_witness): (EthAccountWitness<F>, Vec<EthStorageWitness<F>>),
    ) -> (EthAccountTrace<F>, Vec<EthStorageTrace<F>>) {
        let (ctx_gate, ctx_rlc) = builder.rlc_ctx_pair();
        let acct_trace = self.parse_account_proof_phase1((ctx_gate, ctx_rlc), acct_witness);
        let storage_trace = self.parse_storage_proofs_phase1(builder, storage_witness);

        (acct_trace, storage_trace)
    }

    /// Proves (multiple) storage proofs into storageRoot, prove account proof of storageRoot into stateRoot, and proves stateRoot is an RLP decoded block header.
    /// Computes the block hash by hashing the RLP encoded block header.
    /// In other words, proves block, account, storage with respect to an alleged block hash.
    // inputs have H256 represented in (hi,lo) format as two u128s
    // block number and slot values can be derived from the final trace output
    pub fn parse_eip1186_proofs_from_block_phase0(
        &self,
        builder: &mut RlcCircuitBuilder<F>,
        input: EthBlockStorageInputAssigned<F>,
    ) -> (EthBlockAccountStorageWitness<F>, EIP1186ResponseDigest<F>) {
        let ctx = builder.base.main(FIRST_PHASE);
        let address = input.storage.address;
        let block_header = input.block_header;
        let block_witness = {
            let block_header_chip =
                EthBlockHeaderChip::new_from_network(self.rlp(), self.network.unwrap());
            block_header_chip.decompose_block_header_phase0(ctx, self.keccak(), &block_header)
        };

        let state_root = &block_witness.get_state_root().field_cells;
        let block_hash_hi_lo = block_witness.get_block_hash_hi_lo();

        // compute block number from big-endian bytes
        let block_number = block_witness.get_number_value(ctx, self.gate());

        // verify account + storage proof
        let addr_bytes = uint_to_bytes_be(ctx, self.range(), &address, 20);
        let (slots, storage_pfs): (Vec<_>, Vec<_>) = input
            .storage
            .storage_pfs
            .into_iter()
            .map(|(slot, storage_pf)| {
                let slot_bytes =
                    slot.iter().map(|u128| uint_to_bytes_be(ctx, self.range(), u128, 16)).concat();
                (slot, (slot_bytes.try_into().unwrap(), storage_pf))
            })
            .unzip();
        // drop ctx
        let (acct_witness, storage_witness) = self.parse_eip1186_proofs_phase0(
            builder,
            addr_bytes.try_into().unwrap(),
            input.storage.acct_pf,
            storage_pfs,
        );

        let ctx = builder.base.main(FIRST_PHASE);
        // check MPT root of acct_witness is state root
        for (pf_byte, byte) in
            acct_witness.mpt_witness.root_hash_bytes.iter().zip_eq(state_root.iter())
        {
            ctx.constrain_equal(pf_byte, byte);
        }

        let slots_values = slots
            .into_iter()
            .zip(storage_witness.iter())
            .map(|(slot, witness)| {
                // get value as U256 from RLP decoding, convert to H256, then to hi-lo
                let value_bytes = witness.value_witness.field_cells.clone();
                let value_bytes_len = witness.value_witness.field_len;
                let var_bytes =
                    SafeTypeChip::unsafe_to_var_len_bytes_vec(value_bytes, value_bytes_len, 32);
                let value_bytes = var_bytes.left_pad_to_fixed(ctx, self.gate());
                let value: [_; 2] =
                    bytes_be_to_u128(ctx, self.gate(), value_bytes.bytes()).try_into().unwrap();
                (slot, value)
            })
            .collect_vec();
        let digest = EIP1186ResponseDigest {
            block_hash: block_hash_hi_lo,
            block_number,
            address,
            slots_values,
            address_is_empty: acct_witness.mpt_witness.slot_is_empty,
            slot_is_empty: storage_witness
                .iter()
                .map(|witness| witness.mpt_witness.slot_is_empty)
                .collect_vec(),
        };
        (EthBlockAccountStorageWitness { block_witness, acct_witness, storage_witness }, digest)
    }

    pub fn parse_eip1186_proofs_from_block_phase1(
        &self,
        builder: &mut RlcCircuitBuilder<F>,
        witness: EthBlockAccountStorageWitness<F>,
    ) -> EthBlockAccountStorageTrace<F> {
        let block_trace = {
            let block_header_chip =
                EthBlockHeaderChip::new_from_network(self.rlp(), self.network.unwrap());
            block_header_chip
                .decompose_block_header_phase1(builder.rlc_ctx_pair(), witness.block_witness)
        };
        let (acct_trace, storage_trace) = self
            .parse_eip1186_proofs_phase1(builder, (witness.acct_witness, witness.storage_witness));
        EthBlockAccountStorageTrace { block_trace, acct_trace, storage_trace }
    }
}

/// Account and storage proof inputs in compressed form
#[derive(Clone, Debug)]
pub struct EthStorageInputAssigned<F: Field> {
    pub address: AssignedValue<F>, // U160
    pub acct_pf: MPTProof<F>,
    pub storage_pfs: Vec<(AssignedH256<F>, MPTProof<F>)>, // (slot, proof) where slot is H256 as (u128, u128)
}

#[derive(Clone, Debug)]
pub struct EthBlockStorageInputAssigned<F: Field> {
    // block_hash: AssignedH256<F>, // H256 as (u128, u128)
    /// The RLP encoded block header for the block that alleged contains the stateRoot from `storage`.
    pub block_header: Vec<AssignedValue<F>>,
    /// Account proof and (multiple) storage proofs, with respect to an alleged stateRoot.
    pub storage: EthStorageInputAssigned<F>,
}