feat(semaphore): Import protocol, circuit, build

From semaphore-rs.
2025-01-13 07:44:42 +00:00 · 2022-06-01 14:53:50 +01:00 · 2022-06-01 14:53:50 +01:00 · d9b5c9a371
commit d9b5c9a371
parent 04e3e3a7eb
3 changed files with 483 additions and 0 deletions
--- a/semaphore/build.rs
+++ b/semaphore/build.rs
@ -0,0 +1,111 @@
+// Adapted from semaphore-rs/build.rs
+use color_eyre::eyre::{eyre, Result};
+use std::{
+    path::{Component, Path, PathBuf},
+    process::Command,
+};
+
+const ZKEY_FILE: &str = "./vendor/semaphore/build/snark/semaphore_final.zkey";
+const WASM_FILE: &str = "./vendor/semaphore/build/snark/semaphore.wasm";
+
+// See <https://internals.rust-lang.org/t/path-to-lexical-absolute/14940>
+fn absolute(path: &str) -> Result<PathBuf> {
+    let path = Path::new(path);
+    let mut absolute = if path.is_absolute() {
+        PathBuf::new()
+    } else {
+        std::env::current_dir()?
+    };
+    for component in path.components() {
+        match component {
+            Component::CurDir => {}
+            Component::ParentDir => {
+                absolute.pop();
+            }
+            component => absolute.push(component.as_os_str()),
+        }
+    }
+    Ok(absolute)
+}
+
+fn build_circuit() -> Result<()> {
+    println!("cargo:rerun-if-changed=./vendor/semaphore");
+    let run = |cmd: &[&str]| -> Result<()> {
+        // TODO: Use ExitCode::exit_ok() when stable.
+        Command::new(cmd[0])
+            .args(cmd[1..].iter())
+            .current_dir("./vendor/semaphore")
+            .status()?
+            .success()
+            .then(|| ())
+            .ok_or(eyre!("procees returned failure"))?;
+        Ok(())
+    };
+
+    // Compute absolute paths
+    let zkey_file = absolute(ZKEY_FILE)?;
+    let wasm_file = absolute(WASM_FILE)?;
+
+    // Build circuits if not exists
+    // TODO: This does not rebuild if the semaphore submodule is changed.
+    // NOTE: This requires npm / nodejs to be installed.
+    if !(zkey_file.exists() && wasm_file.exists()) {
+        run(&["npm", "install"])?;
+        run(&["npm", "exec", "ts-node", "./scripts/compile-circuits.ts"])?;
+    }
+    assert!(zkey_file.exists());
+    assert!(wasm_file.exists());
+
+    // Export generated paths
+    println!("cargo:rustc-env=BUILD_RS_ZKEY_FILE={}", zkey_file.display());
+    println!("cargo:rustc-env=BUILD_RS_WASM_FILE={}", wasm_file.display());
+
+    Ok(())
+}
+
+#[cfg(feature = "dylib")]
+fn build_dylib() -> Result<()> {
+    use enumset::enum_set;
+    use std::{env, str::FromStr};
+    use wasmer::{Module, Store, Target, Triple};
+    use wasmer_compiler_cranelift::Cranelift;
+    use wasmer_engine_dylib::Dylib;
+
+    let wasm_file = absolute(WASM_FILE)?;
+    assert!(wasm_file.exists());
+
+    let out_dir = env::var("OUT_DIR")?;
+    let out_dir = Path::new(&out_dir).to_path_buf();
+    let dylib_file = out_dir.join("semaphore.dylib");
+    println!(
+        "cargo:rustc-env=CIRCUIT_WASM_DYLIB={}",
+        dylib_file.display()
+    );
+
+    if dylib_file.exists() {
+        return Ok(());
+    }
+
+    // Create a WASM engine for the target that can compile
+    let triple = Triple::from_str(&env::var("TARGET")?).map_err(|e| eyre!(e))?;
+    let cpu_features = enum_set!();
+    let target = Target::new(triple, cpu_features);
+    let compiler_config = Cranelift::default();
+    let engine = Dylib::new(compiler_config).target(target).engine();
+
+    // Compile the WASM module
+    let store = Store::new(&engine);
+    let module = Module::from_file(&store, &wasm_file)?;
+    module.serialize_to_file(&dylib_file)?;
+    assert!(dylib_file.exists());
+    println!("cargo:warning=Circuit dylib is in {}", dylib_file.display());
+
+    Ok(())
+}
+
+fn main() -> Result<()> {
+    build_circuit()?;
+    #[cfg(feature = "dylib")]
+    build_dylib()?;
+    Ok(())
+}
--- a/semaphore/src/circuit.rs
+++ b/semaphore/src/circuit.rs
@ -0,0 +1,79 @@
+// Adapted from semaphore-rs/src/circuit.rs
+use ark_bn254::{Bn254, Fr};
+use ark_circom::{read_zkey, WitnessCalculator};
+use ark_groth16::ProvingKey;
+use ark_relations::r1cs::ConstraintMatrices;
+use core::include_bytes;
+use once_cell::sync::{Lazy, OnceCell};
+use std::{io::Cursor, sync::Mutex};
+use wasmer::{Module, Store};
+
+#[cfg(feature = "dylib")]
+use std::{env, path::Path};
+#[cfg(feature = "dylib")]
+use wasmer::Dylib;
+
+const ZKEY_BYTES: &[u8] = include_bytes!(env!("BUILD_RS_ZKEY_FILE"));
+
+#[cfg(not(feature = "dylib"))]
+const WASM: &[u8] = include_bytes!(env!("BUILD_RS_WASM_FILE"));
+
+static ZKEY: Lazy<(ProvingKey<Bn254>, ConstraintMatrices<Fr>)> = Lazy::new(|| {
+    let mut reader = Cursor::new(ZKEY_BYTES);
+    read_zkey(&mut reader).expect("zkey should be valid")
+});
+
+static WITNESS_CALCULATOR: OnceCell<Mutex<WitnessCalculator>> = OnceCell::new();
+
+/// Initialize the library.
+#[cfg(feature = "dylib")]
+pub fn initialize(dylib_path: &Path) {
+    WITNESS_CALCULATOR
+        .set(from_dylib(dylib_path))
+        .expect("Failed to initialize witness calculator");
+
+    // Force init of ZKEY
+    Lazy::force(&ZKEY);
+}
+
+#[cfg(feature = "dylib")]
+fn from_dylib(path: &Path) -> Mutex<WitnessCalculator> {
+    let store = Store::new(&Dylib::headless().engine());
+    // The module must be exported using [`Module::serialize`].
+    let module = unsafe {
+        Module::deserialize_from_file(&store, path).expect("Failed to load wasm dylib module")
+    };
+    let result =
+        WitnessCalculator::from_module(module).expect("Failed to create witness calculator");
+    Mutex::new(result)
+}
+
+#[must_use]
+pub fn zkey() -> &'static (ProvingKey<Bn254>, ConstraintMatrices<Fr>) {
+    &*ZKEY
+}
+
+#[cfg(feature = "dylib")]
+#[must_use]
+pub fn witness_calculator() -> &'static Mutex<WitnessCalculator> {
+    WITNESS_CALCULATOR.get_or_init(|| {
+        let path = env::var("CIRCUIT_WASM_DYLIB").expect(
+            "Semaphore-rs is not initialized. The library needs to be initialized before use when \
+             build with the `cdylib` feature. You can initialize by calling `initialize` or \
+             seting the `CIRCUIT_WASM_DYLIB` environment variable.",
+        );
+        from_dylib(Path::new(&path))
+    })
+}
+
+#[cfg(not(feature = "dylib"))]
+#[must_use]
+pub fn witness_calculator() -> &'static Mutex<WitnessCalculator> {
+    WITNESS_CALCULATOR.get_or_init(|| {
+        let store = Store::default();
+        let module = Module::from_binary(&store, WASM).expect("wasm should be valid");
+        let result =
+            WitnessCalculator::from_module(module).expect("Failed to create witness calculator");
+        Mutex::new(result)
+    })
+}
--- a/semaphore/src/protocol.rs
+++ b/semaphore/src/protocol.rs
@ -0,0 +1,293 @@
+// Adapted from semaphore-rs/src/protocol.rs
+// For illustration purposes only as an example protocol
+
+// Private module
+use crate::{
+    circuit::{witness_calculator, zkey}
+};
+
+use semaphore::{
+    identity::Identity,
+    merkle_tree::{self, Branch},
+    poseidon_hash,
+    poseidon_tree::PoseidonHash,
+    Field,
+};
+use ark_bn254::{Bn254, Parameters};
+use ark_circom::CircomReduction;
+use ark_ec::bn::Bn;
+use ark_groth16::{
+    create_proof_with_reduction_and_matrices, prepare_verifying_key, Proof as ArkProof,
+};
+use ark_relations::r1cs::SynthesisError;
+use ark_std::UniformRand;
+use color_eyre::Result;
+use primitive_types::U256;
+use rand::{thread_rng, Rng};
+use serde::{Deserialize, Serialize};
+use std::time::Instant;
+use thiserror::Error;
+
+// Matches the private G1Tup type in ark-circom.
+pub type G1 = (U256, U256);
+
+// Matches the private G2Tup type in ark-circom.
+pub type G2 = ([U256; 2], [U256; 2]);
+
+/// Wrap a proof object so we have serde support
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub struct Proof(G1, G2, G1);
+
+impl From<ArkProof<Bn<Parameters>>> for Proof {
+    fn from(proof: ArkProof<Bn<Parameters>>) -> Self {
+        let proof = ark_circom::ethereum::Proof::from(proof);
+        let (a, b, c) = proof.as_tuple();
+        Self(a, b, c)
+    }
+}
+
+impl From<Proof> for ArkProof<Bn<Parameters>> {
+    fn from(proof: Proof) -> Self {
+        let eth_proof = ark_circom::ethereum::Proof {
+            a: ark_circom::ethereum::G1 {
+                x: proof.0 .0,
+                y: proof.0 .1,
+            },
+            #[rustfmt::skip] // Rustfmt inserts some confusing spaces
+            b: ark_circom::ethereum::G2 {
+                // The order of coefficients is flipped.
+                x: [proof.1.0[1], proof.1.0[0]],
+                y: [proof.1.1[1], proof.1.1[0]],
+            },
+            c: ark_circom::ethereum::G1 {
+                x: proof.2 .0,
+                y: proof.2 .1,
+            },
+        };
+        eth_proof.into()
+    }
+}
+
+/// Helper to merkle proof into a bigint vector
+/// TODO: we should create a From trait for this
+fn merkle_proof_to_vec(proof: &merkle_tree::Proof<PoseidonHash>) -> Vec<Field> {
+    proof
+        .0
+        .iter()
+        .map(|x| match x {
+            Branch::Left(value) | Branch::Right(value) => *value,
+        })
+        .collect()
+}
+
+/// Generates the nullifier hash
+#[must_use]
+pub fn generate_nullifier_hash(identity: &Identity, external_nullifier: Field) -> Field {
+    poseidon_hash(&[external_nullifier, identity.nullifier])
+}
+
+#[derive(Error, Debug)]
+pub enum ProofError {
+    #[error("Error reading circuit key: {0}")]
+    CircuitKeyError(#[from] std::io::Error),
+    #[error("Error producing witness: {0}")]
+    WitnessError(color_eyre::Report),
+    #[error("Error producing proof: {0}")]
+    SynthesisError(#[from] SynthesisError),
+}
+
+/// Generates a semaphore proof
+///
+/// # Errors
+///
+/// Returns a [`ProofError`] if proving fails.
+pub fn generate_proof(
+    identity: &Identity,
+    merkle_proof: &merkle_tree::Proof<PoseidonHash>,
+    external_nullifier_hash: Field,
+    signal_hash: Field,
+) -> Result<Proof, ProofError> {
+    generate_proof_rng(
+        identity,
+        merkle_proof,
+        external_nullifier_hash,
+        signal_hash,
+        &mut thread_rng(),
+    )
+}
+
+/// Generates a semaphore proof from entropy
+///
+/// # Errors
+///
+/// Returns a [`ProofError`] if proving fails.
+pub fn generate_proof_rng(
+    identity: &Identity,
+    merkle_proof: &merkle_tree::Proof<PoseidonHash>,
+    external_nullifier_hash: Field,
+    signal_hash: Field,
+    rng: &mut impl Rng,
+) -> Result<Proof, ProofError> {
+    generate_proof_rs(
+        identity,
+        merkle_proof,
+        external_nullifier_hash,
+        signal_hash,
+        ark_bn254::Fr::rand(rng),
+        ark_bn254::Fr::rand(rng),
+    )
+}
+
+fn generate_proof_rs(
+    identity: &Identity,
+    merkle_proof: &merkle_tree::Proof<PoseidonHash>,
+    external_nullifier_hash: Field,
+    signal_hash: Field,
+    r: ark_bn254::Fr,
+    s: ark_bn254::Fr,
+) -> Result<Proof, ProofError> {
+    let inputs = [
+        ("identityNullifier", vec![identity.nullifier]),
+        ("identityTrapdoor", vec![identity.trapdoor]),
+        ("treePathIndices", merkle_proof.path_index()),
+        ("treeSiblings", merkle_proof_to_vec(merkle_proof)),
+        ("externalNullifier", vec![external_nullifier_hash]),
+        ("signalHash", vec![signal_hash]),
+    ];
+    let inputs = inputs.into_iter().map(|(name, values)| {
+        (
+            name.to_string(),
+            values.iter().copied().map(Into::into).collect::<Vec<_>>(),
+        )
+    });
+
+    let now = Instant::now();
+
+    let full_assignment = witness_calculator()
+        .lock()
+        .expect("witness_calculator mutex should not get poisoned")
+        .calculate_witness_element::<Bn254, _>(inputs, false)
+        .map_err(ProofError::WitnessError)?;
+
+    println!("witness generation took: {:.2?}", now.elapsed());
+
+    let now = Instant::now();
+    let zkey = zkey();
+    let ark_proof = create_proof_with_reduction_and_matrices::<_, CircomReduction>(
+        &zkey.0,
+        r,
+        s,
+        &zkey.1,
+        zkey.1.num_instance_variables,
+        zkey.1.num_constraints,
+        full_assignment.as_slice(),
+    )?;
+    let proof = ark_proof.into();
+    println!("proof generation took: {:.2?}", now.elapsed());
+
+    Ok(proof)
+}
+
+/// Verifies a given semaphore proof
+///
+/// # Errors
+///
+/// Returns a [`ProofError`] if verifying fails. Verification failure does not
+/// necessarily mean the proof is incorrect.
+pub fn verify_proof(
+    root: Field,
+    nullifier_hash: Field,
+    signal_hash: Field,
+    external_nullifier_hash: Field,
+    proof: &Proof,
+) -> Result<bool, ProofError> {
+    let zkey = zkey();
+    let pvk = prepare_verifying_key(&zkey.0.vk);
+
+    let public_inputs = [
+        root.into(),
+        nullifier_hash.into(),
+        signal_hash.into(),
+        external_nullifier_hash.into(),
+    ];
+    let ark_proof = (*proof).into();
+    let result = ark_groth16::verify_proof(&pvk, &ark_proof, &public_inputs[..])?;
+    Ok(result)
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use semaphore::{hash_to_field, poseidon_tree::PoseidonTree};
+    use rand::SeedableRng as _;
+    use rand_chacha::ChaChaRng;
+    use serde_json::json;
+
+    fn arb_proof(seed: u64) -> Proof {
+        // Deterministic randomness for testing
+        let mut rng = ChaChaRng::seed_from_u64(seed);
+
+        // generate identity
+        let seed: [u8; 16] = rng.gen();
+        let id = Identity::from_seed(&seed);
+
+        // generate merkle tree
+        let leaf = Field::from(0);
+        let mut tree = PoseidonTree::new(21, leaf);
+        tree.set(0, id.commitment());
+
+        let merkle_proof = tree.proof(0).expect("proof should exist");
+
+        let external_nullifier: [u8; 16] = rng.gen();
+        let external_nullifier_hash = hash_to_field(&external_nullifier);
+
+        let signal: [u8; 16] = rng.gen();
+        let signal_hash = hash_to_field(&signal);
+
+        generate_proof_rng(
+            &id,
+            &merkle_proof,
+            external_nullifier_hash,
+            signal_hash,
+            &mut rng,
+        )
+        .unwrap()
+    }
+
+    #[test]
+    fn test_proof_cast_roundtrip() {
+        let proof = arb_proof(123);
+        let ark_proof: ArkProof<Bn<Parameters>> = proof.into();
+        let result: Proof = ark_proof.into();
+        assert_eq!(proof, result);
+    }
+
+    #[test]
+    fn test_proof_serialize() {
+        let proof = arb_proof(456);
+        let json = serde_json::to_value(&proof).unwrap();
+        assert_eq!(
+            json,
+            json!([
+                [
+                    "0x249ae469686987ee9368da60dd177a8c42891c02f5760e955e590c79d55cfab2",
+                    "0xf22e25870f49388459d388afb24dcf6ec11bb2d4def1e2ec26d6e42f373aad8"
+                ],
+                [
+                    [
+                        "0x17bd25dbd7436c30ea5b8a3a47aadf11ed646c4b25cc14a84ff8cbe0252ff1f8",
+                        "0x1c140668c56688367416534d57b4a14e5a825efdd5e121a6a2099f6dc4cd277b"
+                    ],
+                    [
+                        "0x26a8524759d969ea0682a092cf7a551697d81962d6c998f543f81e52d83e05e1",
+                        "0x273eb3f796fd1807b9df9c6d769d983e3dabdc61677b75d48bb7691303b2c8dd"
+                    ]
+                ],
+                [
+                    "0x62715c53a0eb4c46dbb5f73f1fd7449b9c63d37c1ece65debc39b472065a90f",
+                    "0x114f7becc66f1cd7a8b01c89db8233622372fc0b6fc037c4313bca41e2377fd9"
+                ]
+            ])
+        );
+    }
+}