samaharam 0.2.0

Scalable heterogeneous zero-knowledge proof aggregation for EVM chains
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339

//! Proof data structure with TypeState.

use std::marker::PhantomData;

use super::state::{Batched, Pending, ProofState, Verified};
use crate::error::Error;
use crate::registry::VkId;
use crate::traits::PairingEngine;

/// A zero-knowledge proof with compile-time state tracking.
///
/// The type parameter `S` tracks the proof's lifecycle state:
/// - `Pending`: Just created, needs verification
/// - `Verified`: Verified against VK, can be submitted
/// - `Batched`: In aggregation queue
/// - `Aggregated`: Final aggregated proof
///
/// # Example
///
/// ```rust,ignore
/// let pending = Proof::<Bn254, Pending>::new(data, inputs, vk_id);
/// let verified = pending.verify(&registry)?; // Pending -> Verified
/// let batched = verified.submit();           // Verified -> Batched
/// ```
#[derive(Debug)]
pub struct Proof<E: PairingEngine, S: ProofState> {
    /// Raw proof data (serialized proof bytes)
    data: Vec<u8>,

    /// Public inputs for this proof
    public_inputs: Vec<E::Fr>,

    /// ID of the verification key used for this proof
    vk_id: VkId,

    /// Zero-sized state marker
    _state: PhantomData<S>,
}

impl<E: PairingEngine, S: ProofState> Proof<E, S> {
    /// Get the verification key ID for this proof.
    pub fn vk_id(&self) -> VkId {
        self.vk_id
    }

    /// Get the public inputs for this proof.
    pub fn public_inputs(&self) -> &[E::Fr] {
        &self.public_inputs
    }

    /// Get the raw proof data.
    pub fn data(&self) -> &[u8] {
        &self.data
    }
}

impl<E: PairingEngine> Proof<E, Pending> {
    /// Create a new pending proof.
    ///
    /// # Arguments
    ///
    /// * `data` - Serialized proof bytes
    /// * `public_inputs` - Public inputs for verification
    /// * `vk_id` - ID of the registered verification key
    pub fn new(data: Vec<u8>, public_inputs: Vec<E::Fr>, vk_id: VkId) -> Self {
        Self {
            data,
            public_inputs,
            vk_id,
            _state: PhantomData,
        }
    }

    /// Verify this proof against its registered VK.
    ///
    /// Transitions the proof from `Pending` to `Verified` state.
    ///
    /// # Verification Steps
    ///
    /// 1. Checks that the VK exists in the registry
    /// 2. Validates public input count against VK limits
    /// 3. Deserializes proof data into PlonkProof
    /// 4. Runs cryptographic verification via PlonkVerifier
    ///
    /// # Errors
    ///
    /// - `Error::UnknownVk` if the VK is not registered
    /// - `Error::PublicInputMismatch` if input count exceeds limit
    /// - `Error::VerificationFailed` if proof is invalid or cryptographic check fails
    pub fn verify(
        self,
        registry: &crate::registry::VkRegistry<E>,
    ) -> Result<Proof<E, Verified>, Error> {
        use crate::crypto::{PlonkProof, PlonkVerifier};

        // 1. Check VK exists in registry
        let registered_vk = registry.require(self.vk_id)?;

        // 2. Validate public input count
        if self.public_inputs.len() > registered_vk.vk.num_public_inputs {
            return Err(Error::PublicInputMismatch {
                expected: registered_vk.vk.num_public_inputs,
                got: self.public_inputs.len(),
            });
        }

        // 3. Validate proof data is non-empty
        if self.data.is_empty() {
            return Err(Error::VerificationFailed("empty proof data".into()));
        }

        // 4. Deserialize proof
        let plonk_proof = PlonkProof::<E>::from_bytes(&self.data).map_err(|e| {
            Error::VerificationFailed(format!("proof deserialization failed: {}", e))
        })?;

        // 5. Cryptographic verification via PlonkVerifier
        let verifier = PlonkVerifier::new(registered_vk.vk.clone());
        let is_valid = verifier
            .verify(&plonk_proof, &self.public_inputs)
            .map_err(|e| Error::VerificationFailed(format!("verification error: {}", e)))?;

        if !is_valid {
            return Err(Error::VerificationFailed("pairing check failed".into()));
        }

        // 6. Transition to Verified state
        Ok(Proof {
            data: self.data,
            public_inputs: self.public_inputs,
            vk_id: self.vk_id,
            _state: PhantomData,
        })
    }
}

impl<E: PairingEngine> Proof<E, Verified> {
    /// Create a verified proof directly (for testing/internal use).
    ///
    /// # Safety
    ///
    /// This bypasses verification - only use for testing.
    #[allow(dead_code)]
    pub(crate) fn new_verified(data: Vec<u8>, public_inputs: Vec<E::Fr>, vk_id: VkId) -> Self {
        Self {
            data,
            public_inputs,
            vk_id,
            _state: PhantomData,
        }
    }

    /// Submit this verified proof for aggregation.
    ///
    /// Transitions the proof from `Verified` to `Batched` state.
    pub fn submit(self) -> Proof<E, Batched> {
        Proof {
            data: self.data,
            public_inputs: self.public_inputs,
            vk_id: self.vk_id,
            _state: PhantomData,
        }
    }
}

impl<E: PairingEngine> Proof<E, super::state::Aggregated> {
    /// Create a new aggregated proof.
    pub(crate) fn new_aggregated(data: Vec<u8>, public_inputs: Vec<E::Fr>) -> Self {
        Self {
            data,
            public_inputs,
            vk_id: VkId::new(0), // Aggregated proofs don't have a single VK
            _state: PhantomData,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::backend::bn254::Bn254;
    use crate::crypto::VerificationKey;
    use crate::registry::VkRegistry;
    use group::{Curve, Group};
    use halo2curves::bn256::{Fr, G1, G2};
    use rand::rngs::OsRng;

    fn mock_vk(num_public_inputs: usize) -> VerificationKey<Bn254> {
        VerificationKey {
            num_public_inputs,
            domain_size: 1024,
            selector_commitments: vec![
                G1::random(OsRng).to_affine(),
                G1::random(OsRng).to_affine(),
            ],
            permutation_commitments: vec![G1::random(OsRng).to_affine()],
            x_g2: G2::random(OsRng).to_affine(),
            g2_generator: G2::generator().to_affine(),
        }
    }

    /// Generate valid mock proof data that passes PlonkProof::from_bytes
    fn mock_proof_data() -> Vec<u8> {
        use crate::crypto::{PlonkProof, ProofEvaluations};
        use ff::Field;

        let proof = PlonkProof::<Bn254> {
            wire_commitments: [
                G1::random(OsRng).to_affine(),
                G1::random(OsRng).to_affine(),
                G1::random(OsRng).to_affine(),
            ],
            z_commitment: G1::random(OsRng).to_affine(),
            t_commitments: vec![
                G1::random(OsRng).to_affine(),
                G1::random(OsRng).to_affine(),
                G1::random(OsRng).to_affine(),
            ],
            opening_proof: G1::random(OsRng).to_affine(),
            shifted_opening_proof: G1::random(OsRng).to_affine(),
            evaluations: ProofEvaluations {
                a_eval: Fr::random(OsRng),
                b_eval: Fr::random(OsRng),
                c_eval: Fr::random(OsRng),
                s1_eval: Fr::random(OsRng),
                s2_eval: Fr::random(OsRng),
                z_shifted_eval: Fr::random(OsRng),
            },
        };

        proof.to_bytes()
    }

    #[test]
    fn proof_is_generic_over_state() {
        // This is a compile-time check that Proof<E, S> works with different states
        fn _accepts_pending<E: PairingEngine>(_: &Proof<E, Pending>) {}
        fn _accepts_verified<E: PairingEngine>(_: &Proof<E, Verified>) {}
        fn _accepts_batched<E: PairingEngine>(_: &Proof<E, Batched>) {}

        // The following would fail to compile (good!):
        // fn mixed<E: PairingEngine>(p: Proof<E, Pending>) { _accepts_verified(&p); }
    }

    #[test]
    fn state_transitions_consume_proof() {
        // This documents that verify() and submit() take ownership
        // preventing double-submission or re-verification
        fn _verify_consumes<E: PairingEngine>(p: Proof<E, Pending>) {
            // p.verify(registry) consumes p
            // p would not be usable after this
            let _ = p;
        }

        fn _submit_consumes<E: PairingEngine>(p: Proof<E, Verified>) {
            // p.submit() consumes p
            let _ = p;
        }
    }

    #[test]
    fn verify_rejects_unknown_vk() {
        let registry = VkRegistry::<Bn254>::new();
        // Note: VkId(999) is not registered
        let proof =
            Proof::<Bn254, Pending>::new(mock_proof_data(), vec![Fr::from(1u64)], VkId::new(999));

        let result = proof.verify(&registry);
        assert!(matches!(result, Err(Error::UnknownVk(_))));
    }

    #[test]
    fn verify_rejects_too_many_public_inputs() {
        let registry = VkRegistry::<Bn254>::new();
        let vk_id = registry.register("test", mock_vk(2)); // max 2 inputs

        let proof = Proof::<Bn254, Pending>::new(
            mock_proof_data(),
            vec![Fr::from(1u64), Fr::from(2u64), Fr::from(3u64)], // 3 inputs
            vk_id,
        );

        let result = proof.verify(&registry);
        assert!(matches!(
            result,
            Err(Error::PublicInputMismatch {
                expected: 2,
                got: 3
            })
        ));
    }

    #[test]
    fn verify_rejects_empty_proof() {
        let registry = VkRegistry::<Bn254>::new();
        let vk_id = registry.register("test", mock_vk(5));

        let proof = Proof::<Bn254, Pending>::new(
            vec![], // Empty proof data
            vec![Fr::from(1u64)],
            vk_id,
        );

        let result = proof.verify(&registry);
        assert!(matches!(result, Err(Error::VerificationFailed(_))));
    }

    #[test]
    fn verify_accepts_valid_proof() {
        let registry = VkRegistry::<Bn254>::new();
        // VK num_public_inputs must match the actual inputs provided
        let vk_id = registry.register("test", mock_vk(2)); // exactly 2 inputs

        let proof = Proof::<Bn254, Pending>::new(
            mock_proof_data(),                    // Valid proof data
            vec![Fr::from(1u64), Fr::from(2u64)], // 2 inputs matching VK
            vk_id,
        );

        let verified = proof.verify(&registry).expect("should verify");
        assert_eq!(verified.vk_id(), vk_id);
        assert_eq!(verified.public_inputs().len(), 2);
    }

    #[test]
    fn verify_allows_exact_max_public_inputs() {
        let registry = VkRegistry::<Bn254>::new();
        let vk_id = registry.register("test", mock_vk(3)); // max 3 inputs

        let proof = Proof::<Bn254, Pending>::new(
            mock_proof_data(),
            vec![Fr::from(1u64), Fr::from(2u64), Fr::from(3u64)], // Exactly 3
            vk_id,
        );

        let result = proof.verify(&registry);
        assert!(result.is_ok()); // Should succeed with exact count
    }
}