feat(zkey): generate proving keys on release

2026-01-02 13:13:08 +00:00 · 2025-10-30 15:22:19 +04:00 · 2025-10-30 15:22:19 +04:00 · 75977670eb
commit 75977670eb
parent f469ae0f72
2 changed files with 170 additions and 0 deletions
--- a/.github/workflows/build-circuits.yml
+++ b/.github/workflows/build-circuits.yml
@ -40,6 +40,118 @@ jobs:
          echo "tag=$TAG" >> $GITHUB_OUTPUT
          echo "version=$VERSION" >> $GITHUB_OUTPUT

+  generate-proving-keys:
+    name: Generate Proving Keys
+    runs-on: ubuntu-latest
+    needs:
+      - setup
+    env:
+      VERSION: ${{ needs.setup.outputs.version }}
+      PTAU_URL: "https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_21.ptau"
+      PTAU_FILE: "powersOfTau28_hez_final_21.ptau"
+    steps:
+      - name: Install Rust Toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@fb51252c7ba57d633bc668f941da052e410add48
+        with:
+          toolchain: stable
+          cache: false
+
+      - name: Install Circom
+        run: |
+          git clone https://github.com/iden3/circom.git
+          cd circom
+          RUSTFLAGS="-A dead_code" cargo build --release
+          RUSTFLAGS="-A dead_code" cargo install --path circom
+          circom --version
+
+      - name: Checkout
+        uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+
+      - name: Initialise Submodules
+        run: git submodule update --init --recursive
+
+      - name: Setup Node.js
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
+        with:
+          node-version: '20'
+
+      - name: Install snarkjs
+        run: npm install -g snarkjs@latest
+
+      - name: Cache Powers of Tau
+        id: cache-ptau
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
+        with:
+          path: ${{ env.PTAU_FILE }}
+          key: ptau-${{ env.PTAU_FILE }}
+
+      - name: Download Powers of Tau
+        if: steps.cache-ptau.outputs.cache-hit != 'true'
+        run: |
+          echo "Downloading Powers of Tau file (this may take a while, ~3GB)..."
+          curl -L -o "${{ env.PTAU_FILE }}" "${{ env.PTAU_URL }}"
+          echo "Download complete."
+
+      - name: Generate PoL Proving Key
+        run: |
+          cd mantle
+          circom --r1cs --wasm pol.circom
+          snarkjs groth16 setup pol.r1cs ../${{ env.PTAU_FILE }} pol.zkey
+          mkdir -p pol-${{ env.VERSION }}
+          mv pol.zkey pol-${{ env.VERSION }}/
+          tar -czf pol-${{ env.VERSION }}.zkey.tar.gz pol-${{ env.VERSION }}
+
+      - name: Generate PoQ Proving Key
+        run: |
+          cd blend
+          circom --r1cs --wasm poq.circom
+          snarkjs groth16 setup poq.r1cs ../${{ env.PTAU_FILE }} poq.zkey
+          mkdir -p poq-${{ env.VERSION }}
+          mv poq.zkey poq-${{ env.VERSION }}/
+          tar -czf poq-${{ env.VERSION }}.zkey.tar.gz poq-${{ env.VERSION }}
+
+      - name: Generate ZKSign Proving Key
+        run: |
+          cd mantle
+          circom --r1cs --wasm signature.circom
+          snarkjs groth16 setup signature.r1cs ../${{ env.PTAU_FILE }} zksign.zkey
+          mkdir -p zksign-${{ env.VERSION }}
+          mv zksign.zkey zksign-${{ env.VERSION }}/
+          tar -czf zksign-${{ env.VERSION }}.zkey.tar.gz zksign-${{ env.VERSION }}
+
+      - name: Generate PoC Proving Key
+        run: |
+          cd mantle
+          circom --r1cs --wasm poc.circom
+          snarkjs groth16 setup poc.r1cs ../${{ env.PTAU_FILE }} poc.zkey
+          mkdir -p poc-${{ env.VERSION }}
+          mv poc.zkey poc-${{ env.VERSION }}/
+          tar -czf poc-${{ env.VERSION }}.zkey.tar.gz poc-${{ env.VERSION }}
+
+      - name: Upload PoL Proving Key
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: pol-${{ env.VERSION }}.zkey.tar.gz
+          path: mantle/pol-${{ env.VERSION }}.zkey.tar.gz
+
+      - name: Upload PoQ Proving Key
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: poq-${{ env.VERSION }}.zkey.tar.gz
+          path: blend/poq-${{ env.VERSION }}.zkey.tar.gz
+
+      - name: Upload ZKSign Proving Key
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: zksign-${{ env.VERSION }}.zkey.tar.gz
+          path: mantle/zksign-${{ env.VERSION }}.zkey.tar.gz
+
+      - name: Upload PoC Proving Key
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: poc-${{ env.VERSION }}.zkey.tar.gz
+          path: mantle/poc-${{ env.VERSION }}.zkey.tar.gz
+
  build-linux:
    name: Build Linux Binaries (Native)
    runs-on: ubuntu-latest
@ -461,6 +573,7 @@ jobs:
    runs-on: ubuntu-latest
    needs:
      - setup
+      - generate-proving-keys
      - build-linux
      - build-windows
      - build-macos
@ -535,3 +648,36 @@ jobs:
          asset_path: ${{ env.ARTIFACT_NAME }}
          asset_name: ${{ env.ARTIFACT_NAME }}
          asset_content_type: application/octet-stream
+
+  upload-zkey-artifacts:
+    name: Upload Proving Key Artifacts to Release
+    runs-on: ubuntu-latest
+    needs:
+      - setup
+      - publish-release
+    strategy:
+      fail-fast: false
+      matrix:
+        circuit:
+          - pol
+          - poq
+          - zksign
+          - poc
+    env:
+      UPLOAD_URL: ${{ needs.publish-release.outputs.upload_url }}
+      ARTIFACT_NAME: ${{ matrix.circuit }}-${{ needs.setup.outputs.version }}.zkey.tar.gz
+    steps:
+      - name: Download Proving Key Artifact
+        uses: actions/download-artifact@448e3f862ab3ef47aa50ff917776823c9946035b
+        with:
+          name: ${{ env.ARTIFACT_NAME }}
+
+      - name: Upload Proving Key to Release
+        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ env.UPLOAD_URL }}
+          asset_path: ${{ env.ARTIFACT_NAME }}
+          asset_name: ${{ env.ARTIFACT_NAME }}
+          asset_content_type: application/octet-stream
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -10,6 +10,30 @@ To trigger a release build:

 > Currently, releases published this way are marked as **Draft** and **Pre-Release** to ensure that the changelog and pre-release steps are manually reviewed first.

+### Generated Artifacts
+
+Each release includes the following artifacts:
+
+#### Platform-Specific Binaries
+
+For each supported platform (Linux x86_64, macOS aarch64, Windows x86_64):
+
+- **Prover binaries** (`prover-{version}-{os}-{arch}.tar.gz`)
+  Rapidsnark prover binaries for generating zk-SNARK proofs
+
+- **Verifier binaries** (`verifier-{version}-{os}-{arch}.tar.gz`)
+  Rapidsnark verifier binaries for verifying zk-SNARK proofs
+
+- **Witness generators** (`{circuit}-{version}-{os}-{arch}.tar.gz`)
+  Compiled C++ witness generator binaries for each circuit (PoL, PoQ, ZKSign, PoC)
+
+#### Platform-Independent Proving Keys
+
+- **Proving keys** (`{circuit}-{version}.zkey.tar.gz`)
+  Groth16 proving keys (.zkey files) for each circuit, required for generating proofs
+
+These proving keys are generated using the Hermez Powers of Tau ceremony (`powersOfTau28_hez_final_21.ptau`), which supports circuits with up to 2^21 (~2M) constraints. The keys are platform-independent and can be used with any compatible prover implementation.
+
 ### Example

 ```bash