risc0_aggregation/
lib.rs

// Copyright 2025 RISC Zero, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#![deny(rustdoc::broken_intra_doc_links)]
#![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]

extern crate alloc;

use alloc::vec::Vec;
use core::borrow::Borrow;

use alloy_primitives::{uint, Keccak256, U256};
use risc0_zkvm::{
    sha::{Digest, DIGEST_BYTES},
    ReceiptClaim,
};
use serde::{Deserialize, Serialize};

#[cfg(feature = "verify")]
mod receipt;

#[cfg(feature = "verify")]
pub use receipt::{
    EncodingError, RecursionVerifierParamters, SetInclusionReceipt,
    SetInclusionReceiptVerifierParameters,
    VerificationError,
    /* TODO(#353)
    SET_BUILDER_ELF, SET_BUILDER_ID, SET_BUILDER_PATH,
    */
};

// The struct below is written in Solidity syntax; the `sol!` macro generates the matching Rust
// type from it.
alloy_sol_types::sol! {
    /// Seal of the SetInclusionReceipt.
    #[sol(all_derives)]
    struct Seal {
        /// Merkle path to the leaf, as an array of 32-byte values.
        bytes32[] path;
        /// Root seal, carried as an opaque byte string.
        // NOTE(review): presumably the seal that attests to the Merkle root itself; confirm in
        // the `receipt` module, which is not part of this file.
        bytes root_seal;
    }
}

/// Input of the aggregation set builder guest.
///
/// Bundles the builder state carried over from the previous run, the new claims to add, and the
/// flag selecting whether this run finalizes the set.
// NOTE(review): the field docs imply that a non-initial `state` must be verified by the guest
// before it is extended. That check is not in this file; confirm it in the guest program, since
// this type derives `Deserialize` and is populated from outside the guest.
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct GuestInput {
    /// State of the incremental set building process. On first run, this will be the initial
    /// state, which does not require verification (it is trivially true that an empty set contains
    /// no false claims). On subsequent runs, it will be set to the state written to the journal by
    /// the last run of the set builder guest.
    pub state: GuestState,
    /// Vector of claims to be verified and added to the set of verified claims committed to by the
    /// [MerkleMountainRange].
    pub claims: Vec<ReceiptClaim>,
    /// Whether or not to finalize the Merkle mountain range at the end of guest execution.
    ///
    /// A finalized [MerkleMountainRange] cannot have additional leaves added, but is guaranteed to
    /// be a single root. The [MerkleMountainRange] should be finalized to obtain the root for use
    /// with the Solidity set verifier contract.
    pub finalize: bool,
}

/// State of the incremental set building process, as passed into the set builder guest and
/// written back to its journal.
///
/// Pairs the image ID of the set builder with the [MerkleMountainRange] built so far.
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct GuestState {
    /// Image ID of the set builder itself.
    ///
    /// Passed as input since a guest cannot contain its own image ID. All successive calls to the
    /// set builder must use the same image ID, which is propagated to the journal as part of the
    /// guest output.
    pub self_image_id: Digest,
    /// Merkle mountain range representing the state of the iterative tree building process at the
    /// end of guest execution.
    pub mmr: MerkleMountainRange,
}

impl GuestState {
    /// Builds the starting state of the set builder: the given image ID paired with an empty
    /// [MerkleMountainRange].
    pub fn initial(self_image_id: impl Into<Digest>) -> Self {
        let self_image_id = self_image_id.into();
        let mmr = MerkleMountainRange::empty();
        Self { self_image_id, mmr }
    }

    /// Reports whether this is the initial state, i.e. the Merkle mountain range holds no claims.
    pub fn is_initial(&self) -> bool {
        let Self { mmr, .. } = self;
        mmr.is_empty()
    }

    /// Serializes the [GuestState] in the form committed to the journal.
    ///
    /// The output is the image ID bytes followed by the specialized encoding produced by
    /// [MerkleMountainRange::encode].
    pub fn encode(&self) -> Vec<u8> {
        let mut encoded = self.self_image_id.as_bytes().to_vec();
        encoded.extend_from_slice(&self.mmr.encode());
        encoded
    }

    /// Parses a [GuestState] from its journal form. Inverse of [GuestState::encode]; the
    /// remainder after the image ID is handed to [MerkleMountainRange::decode].
    ///
    /// # Errors
    ///
    /// Returns [DecodingError::UnexpectedEnd] when the input is too short to hold the image ID,
    /// and forwards any error from decoding the Merkle mountain range.
    pub fn decode(bytes: impl AsRef<[u8]>) -> Result<Self, DecodingError> {
        let input = bytes.as_ref();
        // The leading U256::BYTES bytes carry the image ID.
        let Some((image_id_bytes, mmr_bytes)) = input.split_at_checked(U256::BYTES) else {
            return Err(DecodingError::UnexpectedEnd);
        };
        // The slice has a fixed, already-checked length; the unwrap assumes that length matches
        // what the `Digest` conversion expects.
        let self_image_id = Digest::try_from(image_id_bytes).unwrap();
        let mmr = MerkleMountainRange::decode(mmr_bytes)?;
        Ok(Self { self_image_id, mmr })
    }

    /// Turns this [GuestState] into a [GuestInput] carrying the given claims and `finalize`
    /// flag. When run with the guest, the claims will be accumulated into the Merkle mountain
    /// range, which is finalized at the end if `finalize` is `true`.
    ///
    /// # Errors
    ///
    /// Returns [Error::FinalizedError] if the [MerkleMountainRange] of this state is already
    /// finalized, as no more claims may be added and the guest would reject this input.
    pub fn into_input(
        self,
        claims: Vec<ReceiptClaim>,
        finalize: bool,
    ) -> Result<GuestInput, Error> {
        match self.mmr.is_finalized() {
            true => Err(Error::FinalizedError),
            false => Ok(GuestInput {
                state: self,
                claims,
                finalize,
            }),
        }
    }
}

/// Incrementally constructable Merkle mountain range.
///
/// Each entry in the list is a pair of (digest, max-depth), where max-depth tracks an upper bound
/// on the size of the subtree for which the digest is the root. The largest subtree is at index 0,
/// the smallest at index len - 1.
///
/// Note that the max size of the internal vec of digests (peaks) is equal to log_2 n where n is
/// the number of leaves in the tree.
// NOTE(review): `Deserialize` is derived, so a deserialized value is not checked against the
// ordering invariant described above, which `push_peak` treats as unreachable when violated.
// Confirm that values arriving from an untrusted source are validated before they are extended
// (the `decode` method, by contrast, always produces peaks in decreasing max-depth order).
#[derive(Debug, Clone, Serialize, Deserialize)]
#[cfg_attr(test, derive(PartialEq, Eq))]
pub struct MerkleMountainRange(Vec<Peak>);

/// One entry of a [MerkleMountainRange]: the root digest of a Merkle subtree together with an
/// upper bound on that subtree's depth.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[cfg_attr(test, derive(PartialEq, Eq))]
struct Peak {
    /// Digest for the root of the Merkle subtree committed to by this peak.
    digest: Digest,
    /// An upper bound on the depth of the subtree rooted at this peak.
    ///
    /// It is expressed as the total height of the subtree - 1, such that a peak with a single node
    /// (i.e. a leaf) has a max_depth value of 0.
    ///
    /// A finalized [MerkleMountainRange] will have a single peak with max-depth set to `0xff`.
    max_depth: u8,
}

/// Errors returned when building, finalizing or decoding a [MerkleMountainRange].
#[derive(Debug, thiserror::Error)]
#[non_exhaustive]
pub enum Error {
    /// The Merkle mountain range is already finalized, so nothing more can be added to it.
    #[error("Merkle mountain range is finalized")]
    FinalizedError,
    /// The Merkle mountain range has no peaks, so there is no root to finalize.
    #[error("Merkle mountain range is empty")]
    EmptyError,
    /// Decoding failed; wraps the underlying `DecodingError` (converted via `From`).
    #[error("decoding error: {0}")]
    DecodingError(#[from] DecodingError),
}

/// Errors returned by the `decode` functions for the specialized journal encoding.
#[derive(Debug, thiserror::Error)]
#[non_exhaustive]
pub enum DecodingError {
    /// The leading bitmap is larger than `1 << 255`, i.e. the top bit is set together with at
    /// least one other bit.
    #[error("invalid bitmap")]
    InvalidBitmap,
    /// The input ended before a fixed-size field (image ID, bitmap or a peak digest) was
    /// complete.
    #[error("unexpected end of byte stream")]
    UnexpectedEnd,
    /// Bytes were left over after every peak announced by the bitmap had been read.
    #[error("trailing bytes")]
    TrailingBytes,
}

impl MerkleMountainRange {
    /// Creates a Merkle mountain range with no peaks.
    pub fn empty() -> Self {
        MerkleMountainRange(Vec::new())
    }

    /// Creates a [MerkleMountainRange] that is already finalized, with `root` as its single
    /// peak.
    pub fn new_finalized(root: Digest) -> Self {
        let finalized_peak = Peak {
            max_depth: u8::MAX,
            digest: root,
        };
        Self(vec![finalized_peak])
    }

    /// Appends a new leaf to the Merkle mountain range.
    ///
    /// # Errors
    ///
    /// Returns [Error::FinalizedError] if the range is already finalized.
    pub fn push(&mut self, leaf: Digest) -> Result<(), Error> {
        let leaf_peak = Peak {
            digest: leaf,
            max_depth: 0,
        };
        self.push_peak(leaf_peak)
    }

    /// Adds `new_peak` at the tail, merging it with the current tail peak for as long as both
    /// have the same max-depth.
    fn push_peak(&mut self, new_peak: Peak) -> Result<(), Error> {
        let mut pending = new_peak;
        loop {
            // A first peak with max-depth 255 marks the range as finalized, and nothing may be
            // added to it. In practice this state is only produced by `finalize`, because
            // reaching that depth by pushing leaves is computationally infeasible; an MMR that
            // did reach it would simply count as finalized.
            if self.is_finalized() {
                return Err(Error::FinalizedError);
            }

            // An empty range takes the peak as is.
            let Some(tail_depth) = self.0.last().map(|peak| peak.max_depth) else {
                self.0.push(pending);
                return Ok(());
            };

            // A larger tail subtree stays in place and the new subtree goes after it.
            if tail_depth > pending.max_depth {
                self.0.push(pending);
                return Ok(());
            }

            // A smaller tail subtree would break the largest-to-smallest ordering.
            if tail_depth != pending.max_depth {
                unreachable!("violation of ordering invariant in Merkle mountain range builder")
            }

            // Equal sizes: merge the two subtrees and try again with the combined peak.
            // Will never panic, since the tail peak was just observed.
            let tail = self.0.pop().unwrap();
            pending = Peak {
                digest: commutative_keccak256(&tail.digest, &pending.digest),
                max_depth: tail.max_depth.checked_add(1).expect(
                    "violation of invariant on the finalization of the Merkle mountain range",
                ),
            };
        }
    }

    /// Finalizes the [MerkleMountainRange] by folding all peaks into a single root. A finalized
    /// commitment accepts no further nodes.
    ///
    /// # Errors
    ///
    /// Returns [Error::EmptyError] if there are no peaks to combine.
    pub fn finalize(&mut self) -> Result<(), Error> {
        // Walk from the smallest subtree to the largest, hashing each peak into the running
        // root.
        let mut smallest_first = self.0.iter().rev();
        let Some(smallest) = smallest_first.next() else {
            return Err(Error::EmptyError);
        };
        let root = smallest_first.fold(smallest.digest, |acc, peak| {
            commutative_keccak256(&acc, &peak.digest)
        });

        // Replace all peaks by one peak carrying the finalized marker depth.
        self.0.clear();
        self.0.push(Peak {
            digest: root,
            max_depth: u8::MAX,
        });
        Ok(())
    }

    /// Finalizes the [MerkleMountainRange] and returns the root, or returns `None` if the
    /// [MerkleMountainRange] is empty.
    pub fn finalized_root(mut self) -> Option<Digest> {
        if self.is_empty() {
            return None;
        }
        // finalize should only fail if the MMR is empty, which was ruled out above.
        self.finalize().unwrap();
        Some(self.0[0].digest)
    }

    /// Reports whether the [MerkleMountainRange] is finalized. A finalized
    /// [MerkleMountainRange] accepts no further nodes.
    pub fn is_finalized(&self) -> bool {
        // The finalized marker is a first peak whose max-depth is 255. In practice this state
        // is only produced by `finalize`, because reaching that depth by pushing leaves is
        // computationally infeasible.
        matches!(self.0.first(), Some(peak) if peak.max_depth == u8::MAX)
    }

    /// Reports whether the [MerkleMountainRange] has no peaks.
    pub fn is_empty(&self) -> bool {
        let Self(peaks) = self;
        peaks.is_empty()
    }

    /// Produces the compact journal encoding of the [MerkleMountainRange].
    ///
    /// The encoding is designed to be efficient for use in the EVM, and to make it possible to
    /// construct the journal encoding of a finalized [MerkleMountainRange] given only the
    /// finalized root. It consists of a big-endian 256-bit bitmap of the max-depth values
    /// present, followed by the peak digests in stored order.
    pub fn encode(&self) -> Vec<u8> {
        // One bit per max-depth value present. For a finalized range the bitmap is therefore
        // exactly 1 << 255.
        let mut bitmap = U256::ZERO;
        for peak in &self.0 {
            bitmap.set_bit(usize::from(peak.max_depth), true);
        }
        // Digests in stored order, i.e. from greatest to least max-depth.
        let digests: Vec<Digest> = self.0.iter().map(|peak| peak.digest).collect();

        let header = bitmap.to_be_bytes::<{ U256::BYTES }>();
        let mut encoded: Vec<u8> = Vec::new();
        encoded.extend_from_slice(&header);
        encoded.extend_from_slice(bytemuck::cast_slice(&digests));
        encoded
    }

    /// Parses the specialized journal encoding. See [MerkleMountainRange::encode].
    ///
    /// Peaks are rebuilt by scanning the bitmap from bit 255 down to bit 0, so the result always
    /// lists peaks in decreasing max-depth order.
    ///
    /// # Errors
    ///
    /// Returns [DecodingError::UnexpectedEnd] if the bitmap or any announced digest is cut
    /// short, [DecodingError::InvalidBitmap] if the bitmap exceeds `1 << 255`, and
    /// [DecodingError::TrailingBytes] if input remains after the last announced digest.
    pub fn decode(bytes: impl AsRef<[u8]>) -> Result<Self, DecodingError> {
        let input = bytes.as_ref();
        // The leading 32 bytes are the bitmap.
        let Some((bitmap_bytes, mut rest)) = input.split_at_checked(U256::BYTES) else {
            return Err(DecodingError::UnexpectedEnd);
        };
        let bitmap = U256::from_be_slice(bitmap_bytes);
        // The top bit means "finalized", which allows no other peak, so any value above 2^255
        // is invalid.
        if bitmap > uint!(1_U256 << u8::MAX) {
            return Err(DecodingError::InvalidBitmap);
        }

        // Every set bit announces one digest; the bit position is the peak's max-depth.
        let mut peaks = Vec::<Peak>::with_capacity(bitmap.count_ones());
        let announced_depths = (0..=u8::MAX)
            .rev()
            .filter(|&depth| bitmap.bit(usize::from(depth)));
        for max_depth in announced_depths {
            let Some((digest_bytes, tail)) = rest.split_at_checked(DIGEST_BYTES) else {
                return Err(DecodingError::UnexpectedEnd);
            };
            rest = tail;
            peaks.push(Peak {
                digest: Digest::try_from(digest_bytes).unwrap(),
                max_depth,
            });
        }

        // Rejecting leftovers means the input length must match the bitmap exactly.
        if !rest.is_empty() {
            return Err(DecodingError::TrailingBytes);
        }

        Ok(Self(peaks))
    }
}

impl<D: Borrow<Digest>> Extend<D> for MerkleMountainRange {
    /// Pushes every digest yielded by `leaves` onto the [MerkleMountainRange] as a leaf.
    ///
    /// # Panics
    ///
    /// Panics if a push fails, i.e. if the [MerkleMountainRange] is finalized.
    fn extend<T: IntoIterator<Item = D>>(&mut self, leaves: T) {
        leaves.into_iter().for_each(|leaf| {
            let digest = *Borrow::<Digest>::borrow(&leaf);
            self.push(digest)
                .expect("attempted to extend a finalized MerkleMountainRange");
        });
    }
}

impl<D: Borrow<Digest>> FromIterator<D> for MerkleMountainRange {
    /// Builds a [MerkleMountainRange] by pushing each digest from `leaves` onto an empty range.
    fn from_iter<T: IntoIterator<Item = D>>(leaves: T) -> Self {
        let mut built = MerkleMountainRange::empty();
        Extend::extend(&mut built, leaves);
        built
    }
}

/// Computes the Merkle root of the tree whose leaves are the given digests.
///
/// # Panics
///
/// Panics if `leaves` is empty.
pub fn merkle_root(leaves: &[Digest]) -> Digest {
    if leaves.is_empty() {
        panic!("digest list is empty, cannot compute Merkle root");
    }
    let mmr: MerkleMountainRange = leaves.iter().collect();
    // A non-empty range always has a finalized root.
    mmr.finalized_root().unwrap()
}

// TODO(victor) Should these be gathered under a struct and impl rather than left as discrete
// functions?
/// Computes the Merkle path that proves inclusion of the leaf at `index` in the tree built from
/// `leaves`. The path holds sibling digests ordered from the leaf upwards; the leaf itself and
/// the root are not part of it.
///
/// # Panics
///
/// Panics if `index` is out of bounds.
pub fn merkle_path(leaves: &[Digest], index: usize) -> Vec<Digest> {
    assert!(
        index < leaves.len(),
        "no leaf with index {index} in tree of size {}",
        leaves.len()
    );

    // Siblings are collected from the root downwards and reversed at the end. A single-leaf
    // tree never enters the loop and so yields an empty path.
    let mut siblings = Vec::new();
    let mut subtree = leaves;
    let mut position = index;

    while subtree.len() > 1 {
        // The left half is the largest power of two strictly below the subtree size.
        let split = subtree.len().next_power_of_two() / 2;
        let (left, right) = subtree.split_at(split);

        // Record the root of the half we leave behind and descend into the other one.
        let (sibling, next_subtree, next_position) = if position < split {
            (right, left, position)
        } else {
            (left, right, position - split)
        };
        siblings.push(merkle_root(sibling));
        subtree = next_subtree;
        position = next_position;
    }

    siblings.reverse();
    siblings
}

/// Computes the root implied by `path` when it starts from the given leaf value.
///
/// NOTE: This function only hashes; it verifies nothing. Any leaf and path produce some digest,
/// so the result must be checked to be the root of some committed Merkle tree.
pub fn merkle_path_root(
    leaf: &Digest,
    path: impl IntoIterator<Item = impl Borrow<Digest>>,
) -> Digest {
    let mut node = *leaf;
    for sibling in path {
        node = commutative_keccak256(&node, sibling.borrow());
    }
    node
}

/// Computes the Keccak-256 hash of two [Digest] values after sorting them by their bytes, so the
/// result does not depend on argument order.
// NOTE(review): the hash input is just the two digests, with no tag separating internal nodes
// from leaves. Confirm that the calling protocol keeps leaf digests distinct from node hashes.
fn commutative_keccak256(a: &Digest, b: &Digest) -> Digest {
    // The smaller digest (byte-wise) is hashed first; on a tie both are equal anyway.
    let (first, second) = if a.as_bytes() < b.as_bytes() {
        (a, b)
    } else {
        (b, a)
    };
    let mut hasher = Keccak256::new();
    hasher.update(first.as_bytes());
    hasher.update(second.as_bytes());
    hasher.finalize().0.into()
}

#[cfg(test)]
mod tests {
    use super::*;
    use hex::FromHex;

    /// Asserts that `merkle_root` over `digests` equals `expected_root`.
    fn assert_merkle_root(digests: &[Digest], expected_root: Digest) {
        assert_eq!(merkle_root(digests), expected_root);
    }

    /// Produces `count` digests filled with random bytes.
    fn random_digests(count: usize) -> Vec<Digest> {
        core::iter::repeat_with(|| rand::random::<[u8; 32]>().into())
            .take(count)
            .collect()
    }

    /// Three copies of one fixed leaf must hash to a known, pre-computed root.
    #[test]
    fn test_root_manual() {
        let leaf =
            Digest::from_hex("6a428060b5d51f04583182f2ff1b565f9db661da12ee7bdc003e9ab6d5d91ba9")
                .unwrap();
        let digests = vec![leaf; 3];

        let expected =
            Digest::from_hex("e004c72e4cb697fa97669508df099edbc053309343772a25e56412fc7db8ebef")
                .unwrap();
        assert_merkle_root(&digests, expected);
    }

    /// Checks the tree shape for one, three and four leaves against hand-built hashes.
    #[test]
    fn test_merkle_root() {
        // Leaves 0, 1, 2, ... where leaf k consists of 32 bytes of value k.
        let leaves = |count: u8| -> Vec<Digest> {
            (0..count).map(|byte| Digest::from([byte; 32])).collect()
        };

        // A single leaf is its own root.
        let one = leaves(1);
        assert_merkle_root(&one, one[0]);

        // Three leaves: the first two are paired, then joined with the third.
        let three = leaves(3);
        let left = commutative_keccak256(&three[0], &three[1]);
        assert_merkle_root(&three, commutative_keccak256(&left, &three[2]));

        // Four leaves: a balanced tree of two pairs.
        let four = leaves(4);
        let left = commutative_keccak256(&four[0], &four[1]);
        let right = commutative_keccak256(&four[2], &four[3]);
        assert_merkle_root(&four, commutative_keccak256(&left, &right));
    }

    /// Every path produced by `merkle_path` must lead back to the root from `merkle_root`.
    #[test]
    fn test_consistency() {
        for length in 1..=128 {
            let digests = random_digests(length);
            let root = merkle_root(&digests);

            for (i, leaf) in digests.iter().enumerate() {
                let path = merkle_path(&digests, i);
                assert_eq!(merkle_path_root(leaf, &path), root);
            }
        }
    }

    /// Encoding and then decoding a range must reproduce it, including the empty range.
    #[test]
    fn test_encode_decode() {
        for length in 0..=128 {
            let mmr = MerkleMountainRange::from_iter(random_digests(length));
            let decoded = MerkleMountainRange::decode(mmr.encode()).unwrap();

            assert_eq!(mmr, decoded);
        }
    }
}