Proof compression circuit

.gitignore

@@ -5,4 +5,6 @@
 .idea
 *.log
 *.json
-*.sh
+*.sh
+*.txt
+*.srs

Cargo.toml

@@ -11,7 +11,8 @@ members = [
     "eth-types",
     "external-tracer",
     "mock",
-    "testool"
+    "testool",
+    "aggregator"
 ]
 
 [patch.crates-io]

aggregator/Cargo.toml

@@ -0,0 +1,29 @@
+[package]
+name = "aggregator"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+eth-types = { path = "../eth-types" }
+zkevm-circuits = { path = "../zkevm-circuits" }
+
+
+ark-std = "0.3.0"
+env_logger = "0.10.0"
+ethers-core = "0.17.0"
+log = "0.4"
+itertools = "0.10.3"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+rand = "0.8"
+
+halo2_proofs = { git = "https://github.com/privacy-scaling-explorations/halo2.git", tag = "v2023_02_02" }
+snark-verifier = { git = "https://github.com/scroll-tech/snark-verifier", branch = "develop" }
+snark-verifier-sdk = { git = "https://github.com/scroll-tech/snark-verifier", branch = "develop", default-features=false, features = ["loader_halo2", "loader_evm", "halo2-pse"] }
+
+
+[features]
+default = []
+print-trace = [ "ark-std/print-trace" ]

aggregator/README.md

@@ -0,0 +1,59 @@
+Proof Aggregation
+-----
+
+![Architecture](./figures/architecture.png)
+
+This repo does proof aggregations for zkEVM proofs.
+
+## zkEVM circuit
+A zkEVM circuits generates a ZK proof for a chunk of blocks. It takes 64 field elements as its public input, consist of 
+- chunk's data hash digest: each byte is encoded in an Fr element
+- chunk's public input hash digest: each byte is encoded in an Fr element
+The total size for a public input is 64 bytes, encoded in 64 Fr element
+
+For the ease of testing, this repo implements a `MockCircuit` which hash same public input APIs as a zkEVM circuit. 
+
+## First compression circuit
+The first compression circuit takes in a fresh snark proof and generates a new (potentially small) snark proof. 
+The public inputs to the new snark proof consists of 
+- 12 elements from the accumulators
+    - an accumulator consists of 2 G1 elements, which are the left and right inputs to the pairing
+    - this is treated as 4 Fq elements, each decomposed into 3 limbs and encoded in Fr  
+- 64 elements from previous snark
+    - re-expose the same public inputs as the original snark
+
+The first compression circuit is configured [wide config file](./configs/compression_wide.config).
+
+## Second compression circuit
+
+The second compression circuit takes in a compressed snark proof and generates a new (potentially small) snark proof. 
+The public inputs to the new snark proof consists of 
+- 12 elements from the accumulators
+    - an accumulator consists of 2 G1 elements, which are the left and right inputs to the pairing
+    - this is treated as 4 Fq elements, each decomposed into 3 limbs and encoded in Fr  
+    - accumulator from the previous snark is accumulated into the current accumulator
+- 64 elements from previous snark
+    - skipping the first 12 elements which are previous accumulator, as they are already accumulated
+    - re-expose the rest 64 field elements as the public inputs 
+
+The second compression circuit is configured [thin config file](./configs/compression_thin.config).
+
+## Aggregation circuit
+An aggregation circuit takes in a batch of `k` proofs, each for a chunk of blocks. 
+It generates a single proof asserting the validity of all the proofs. 
+
+It also performs public input aggregation, i.e., reducing the `64k` public elements  into a fixed number of `144` elements:
+- 12 elements from accumulators, which accumulates all the previous `k` accumulators from each snark
+- 132 elements from the hashes
+    - first_chunk_prev_state_root: 32 Field elements
+    - last_chunk_post_state_root: 32 Field elements
+    - last_chunk_withdraw_root: 32 Field elements
+    - batch_public_input_hash: 32 Field elements
+    - chain_id: 8 Field elements
+
+In addition, it attests that, for chunks indexed from `0` to `k-1`,
+- batch_data_hash := keccak(chunk_0.data_hash || ... || chunk_k-1.data_hash) where chunk_i.data_hash is a public input to the i-th batch snark circuit
+- chunk_pi_hash := keccak(chain_id || prev_state_root || post_state_root || withdraw_root || chunk_data_hash) where chunk_data_hash is a public input to the i-th batch snark circuit
+- and the related field matches public input
+
+See [public input aggregation](./src/proof_aggregation/public_input_aggregation.rs) for the details of public input aggregation.

aggregator/configs/compression_thin.config

@@ -0,0 +1 @@
+{"strategy":"Simple","degree":26,"num_advice":[1],"num_lookup_advice":[1],"num_fixed":1,"lookup_bits":20,"limb_bits":88,"num_limbs":3}

aggregator/configs/compression_wide.config

@@ -0,0 +1 @@
+{"strategy":"Simple","degree":22,"num_advice":[8],"num_lookup_advice":[1],"num_fixed":1,"lookup_bits":20,"limb_bits":88,"num_limbs":3}

aggregator/src/chunk.rs

@@ -0,0 +1,66 @@
+//! This module implements `Chunk` related data types.
+//! A chunk is a list of blocks.
+use eth_types::H256;
+use ethers_core::utils::keccak256;
+
+#[derive(Default, Debug, Clone, Copy)]
+/// A chunk is a set of continuous blocks.
+/// A ChunkHash consists of 4 hashes, representing the changes incurred by this chunk of blocks:
+/// - state root before this chunk
+/// - state root after this chunk
+/// - the withdraw root of this chunk
+/// - the data hash of this chunk
+pub struct ChunkHash {
+    /// Chain identifier
+    pub(crate) chain_id: u64,
+    /// state root before this chunk
+    pub(crate) prev_state_root: H256,
+    /// state root after this chunk
+    pub(crate) post_state_root: H256,
+    /// the withdraw root of this chunk
+    pub(crate) withdraw_root: H256,
+    /// the data hash of this chunk
+    pub(crate) data_hash: H256,
+}
+
+impl ChunkHash {
+    /// Sample a chunk hash from random (for testing)
+    #[cfg(test)]
+    pub(crate) fn mock_chunk_hash<R: rand::RngCore>(r: &mut R) -> Self {
+        let mut prev_state_root = [0u8; 32];
+        r.fill_bytes(&mut prev_state_root);
+        let mut post_state_root = [0u8; 32];
+        r.fill_bytes(&mut post_state_root);
+        let mut withdraw_root = [0u8; 32];
+        r.fill_bytes(&mut withdraw_root);
+        let mut data_hash = [0u8; 32];
+        r.fill_bytes(&mut data_hash);
+        Self {
+            chain_id: 0,
+            prev_state_root: prev_state_root.into(),
+            post_state_root: post_state_root.into(),
+            withdraw_root: withdraw_root.into(),
+            data_hash: data_hash.into(),
+        }
+    }
+
+    /// Public input hash for a given chunk is defined as
+    ///  keccak( chain id || prev state root || post state root || withdraw root || data hash )
+    pub fn public_input_hash(&self) -> H256 {
+        let preimage = self.extract_hash_preimage();
+        keccak256::<&[u8]>(preimage.as_ref()).into()
+    }
+
+    /// Extract the preimage for the hash
+    ///  chain id || prev state root || post state root || withdraw root || data hash
+    pub fn extract_hash_preimage(&self) -> Vec<u8> {
+        [
+            self.chain_id.to_be_bytes().as_ref(),
+            self.prev_state_root.as_bytes(),
+            self.post_state_root.as_bytes(),
+            self.withdraw_root.as_bytes(),
+            self.data_hash.as_bytes(),
+        ]
+        .concat()
+    }
+}

aggregator/src/compression.rs

@@ -0,0 +1,14 @@
+//! Input a proof, a compression circuit generates a new proof that may have smaller size.
+//!
+//! It re-exposes same public inputs from the input snark.
+//! All this circuit does is to reduce the proof size.
+
+/// Circuit implementation of compression circuit.
+mod circuit;
+/// CircuitExt implementation of compression circuit.
+mod circuit_ext;
+/// Config for compression circuit
+mod config;
+
+pub use circuit::CompressionCircuit;
+pub use config::CompressionConfig;