SSZ Multiproof

eth-types/Cargo.toml

@@ -16,7 +16,8 @@ halo2curves.workspace = true
 ethereum-types.workspace = true
 regex = "1.5.4"
 lazy_static = "1.4"
-subtle = "2.4"
+subtle = "2.5"
+num = "0.4"
 num-bigint.workspace = true
 strum_macros = "0.24"
 strum = "0.24"

eth-types/src/spec.rs

@@ -20,6 +20,10 @@ pub trait Spec: 'static + Sized + Copy + Default + Debug {
     const EXECUTION_STATE_ROOT_DEPTH: usize;
     const FINALIZED_HEADER_INDEX: usize;
     const FINALIZED_HEADER_DEPTH: usize;
+
+    const HEADER_SLOT_INDEX: usize = 8;
+    const HEADER_STATE_ROOT_INDEX: usize = 11;
+    const HEADER_BODY_ROOT_INDEX: usize = 12;
 }
 
 #[derive(Copy, Clone, PartialEq, Eq, Debug, Default)]

lightclient-circuits/src/committee_update_circuit.rs

@@ -5,7 +5,7 @@
 use crate::{
     gadget::crypto::{HashInstructions, Sha256ChipWide, ShaBitGateManager, ShaCircuitBuilder},
     poseidon::{g1_array_poseidon, poseidon_committee_commitment_from_compressed},
-    ssz_merkle::{ssz_merkleize_chunks, verify_merkle_proof},
+    ssz_merkle::{ssz_merkleize_chunks, verify_merkle_multiproof, verify_merkle_proof},
     util::{bytes_be_to_u128, AppCircuit, CommonGateManager, Eth2ConfigPinning, IntoWitness},
     witness::{self, HashInput, HashInputChunk},
     Eth2CircuitBuilder,
@@ -86,16 +86,24 @@ impl<S: Spec, F: Field> CommitteeUpdateCircuit<S, F> {
             .iter()
             .map(|v| builder.main().load_witness(F::from(*v as u64)))
             .collect_vec();
-        let finalized_header_root = ssz_merkleize_chunks(
+        let finalized_header_root = args
+            .finalized_header
+            .tree_hash_root()
+            .0
+            .iter()
+            .map(|v| builder.main().load_witness(F::from(*v as u64)))
+            .collect_vec();
+
+        verify_merkle_multiproof(
             builder,
             &sha256_chip,
-            [
-                args.finalized_header.slot.as_u64().into_witness(),
-                args.finalized_header.proposer_index.into_witness(),
-                args.finalized_header.parent_root.as_ref().into_witness(),
-                finalized_state_root.clone().into(),
-                args.finalized_header.body_root.as_ref().into_witness(),
-            ],
+            args.finalized_header_multiproof
+                .iter()
+                .map(|w| w.clone().into_witness()),
+            [finalized_state_root.clone().into()],
+            &finalized_header_root,
+            [S::HEADER_STATE_ROOT_INDEX],
+            args.finalized_header_helper_indices.clone(),
         )?;
 
         // Verify that the sync committee root is in the finalized state root

lightclient-circuits/src/ssz_merkle.rs

@@ -2,6 +2,8 @@
 // Code: https://github.com/ChainSafe/Spectre
 // SPDX-License-Identifier: LGPL-3.0-only
 
+use std::collections::HashMap;
+
 use crate::{
     gadget::crypto::HashInstructions,
     util::IntoConstant,
@@ -111,6 +113,60 @@ pub fn verify_merkle_proof<F: Field, CircuitBuilder: CommonCircuitBuilder<F>>(
     Ok(())
 }
 
+// Implements following https://github.com/ethereum/consensus-specs/blob/dev/ssz/merkle-proofs.md#merkle-multiproofs
+pub fn verify_merkle_multiproof<F: Field, CircuitBuilder: CommonCircuitBuilder<F>>(
+    builder: &mut CircuitBuilder,
+    hasher: &impl HashInstructions<F, CircuitBuilder = CircuitBuilder>,
+    branch: impl IntoIterator<Item = HashInputChunk<QuantumCell<F>>>,
+    leaves: impl IntoIterator<Item = HashInputChunk<QuantumCell<F>>>,
+    root: &[AssignedValue<F>],
+    gindices: impl IntoIterator<Item = usize>,
+    helper_indices: impl IntoIterator<Item = usize>,
+) -> Result<(), Error> {
+    let mut objects: HashMap<usize, _> = gindices
+        .into_iter()
+        .zip(leaves)
+        .chain(helper_indices.into_iter().zip(branch))
+        .collect();
+    let mut keys = objects.keys().copied().collect_vec();
+    keys.sort_by(|a, b| b.cmp(a));
+
+    let mut pos = 0;
+    while pos < keys.len() {
+        let k = keys[pos];
+        // if the sibling exists AND the parent does NOT, we hash
+        if objects.contains_key(&k)
+            && objects.contains_key(&(k ^ 1))
+            && !objects.contains_key(&(k / 2))
+        {
+            let left = objects[&((k | 1) ^ 1)].clone();
+            let right = objects[&(k | 1)].clone();
+            let computed_hash = hasher
+                .digest(builder, HashInput::TwoToOne(left, right))?
+                .into();
+            objects.insert(k / 2, computed_hash);
+            keys.push(k / 2);
+        }
+        pos += 1;
+    }
+
+    let computed_root = objects
+        .get(&1)
+        .unwrap()
+        .clone()
+        .into_iter()
+        .map(|b| match b {
+            QuantumCell::Existing(av) => av,
+            _ => unreachable!(),
+        });
+
+    computed_root.zip(root.iter()).for_each(|(a, b)| {
+        builder.main().constrain_equal(&a, b);
+    });
+
+    Ok(())
+}
+
 lazy_static! {
     // Calculates padding Merkle notes for the 2 first levels of the Merkle tree.
     // Used to pad the input to a power of two. Only 2 levels are precomputed because the number of not even inputs is limited.

lightclient-circuits/src/sync_step_circuit.rs

@@ -11,7 +11,7 @@ use crate::{
         to_bytes_le,
     },
     poseidon::{g1_array_poseidon, poseidon_committee_commitment_from_uncompressed},
-    ssz_merkle::{ssz_merkleize_chunks, verify_merkle_proof},
+    ssz_merkle::{verify_merkle_multiproof, verify_merkle_proof},
     util::{AppCircuit, Eth2ConfigPinning, IntoWitness},
     witness::{self, HashInput, HashInputChunk, SyncStepArgs},
     Eth2CircuitBuilder,
@@ -109,7 +109,6 @@ impl<S: Spec, F: Field> StepCircuit<S, F> {
             y_signs_packed,
         )?;
 
-        // Compute attested header root
         let attested_slot_bytes: HashInputChunk<_> =
             args.attested_header.slot.as_u64().into_witness();
         let attested_header_state_root = args
@@ -119,19 +118,29 @@ impl<S: Spec, F: Field> StepCircuit<S, F> {
             .iter()
             .map(|v| builder.main().load_witness(F::from(*v as u64)))
             .collect_vec();
-        let attested_header_root = ssz_merkleize_chunks(
+        let attested_header_root = args
+            .attested_header
+            .tree_hash_root()
+            .0
+            .iter()
+            .map(|v| builder.main().load_witness(F::from(*v as u64)))
+            .collect_vec();
+
+        verify_merkle_multiproof(
             builder,
             &sha256_chip,
+            args.attested_header_multiproof
+                .iter()
+                .map(|w| w.clone().into_witness()),
             [
                 attested_slot_bytes.clone(),
-                args.attested_header.proposer_index.into_witness(),
-                args.attested_header.parent_root.as_ref().into_witness(),
                 attested_header_state_root.clone().into(),
-                args.attested_header.body_root.as_ref().into_witness(),
             ],
+            &attested_header_root,
+            [S::HEADER_SLOT_INDEX, S::HEADER_STATE_ROOT_INDEX],
+            args.attested_header_helper_indices.clone(),
         )?;
 
-        // Compute finalized header root
         let finalized_block_body_root = args
             .finalized_header
             .body_root
@@ -141,16 +150,28 @@ impl<S: Spec, F: Field> StepCircuit<S, F> {
             .collect_vec();
         let finalized_slot_bytes: HashInputChunk<_> =
             args.finalized_header.slot.as_u64().into_witness();
-        let finalized_header_root = ssz_merkleize_chunks(
+
+        let finalized_header_root = args
+            .finalized_header
+            .tree_hash_root()
+            .0
+            .iter()
+            .map(|v| builder.main().load_witness(F::from(*v as u64)))
+            .collect_vec();
+
+        verify_merkle_multiproof(
             builder,
             &sha256_chip,
+            args.finalized_header_multiproof
+                .iter()
+                .map(|w| w.clone().into_witness()),
             [
                 finalized_slot_bytes.clone(),
-                args.finalized_header.proposer_index.into_witness(),
-                args.finalized_header.parent_root.as_ref().into_witness(),
-                args.finalized_header.state_root.as_ref().into_witness(),
                 finalized_block_body_root.clone().into(),
             ],
+            &finalized_header_root,
+            [S::HEADER_SLOT_INDEX, S::HEADER_BODY_ROOT_INDEX],
+            args.finalized_header_helper_indices.clone(),
         )?;
 
         let signing_root = sha256_chip.digest(

lightclient-circuits/src/witness/multiproof.rs

@@ -1,9 +1,10 @@
 // TODO: A lot if not all/most of this code is copy pasta from: https://github.com/ralexstokes/ssz-rs/pull/118 which is mostly implemented w.r.t. the spec
 // TODO: Remove this once the above PR lands in ssz-rs
 
-use ethereum_types::Hash256;
+use ethereum_types::{BeaconBlockHeader, Hash256};
 use sha2::{Digest, Sha256};
 use std::collections::{HashMap, HashSet};
+use tree_hash::TreeHash;
 
 pub type GeneralizedIndex = usize;
 
@@ -187,3 +188,31 @@ pub fn create_multiproof(
         .map(|i| merkle_tree[i])
         .collect()
 }
+
+/// Returns nodes representing the leaves a BeaconBlockHeader in merkleized representation.
+pub fn block_header_to_leaves(header: &BeaconBlockHeader) -> [Hash256; 5] {
+    [
+        header.slot.tree_hash_root(),
+        header.proposer_index.tree_hash_root(),
+        header.parent_root.tree_hash_root(),
+        header.state_root.tree_hash_root(),
+        header.body_root.tree_hash_root(),
+    ]
+}
+
+pub fn beacon_header_multiproof_and_helper_indices(
+    header: &BeaconBlockHeader,
+    gindices: &[usize],
+) -> (Vec<Vec<u8>>, Vec<usize>) {
+    let header_leaves = block_header_to_leaves(header);
+    let merkle_tree = merkle_tree(&header_leaves);
+    let helper_indices = get_helper_indices(gindices);
+    let proof = helper_indices
+        .iter()
+        .copied()
+        .map(|i| merkle_tree[i])
+        .map(|n| n.as_ref().to_vec())
+        .collect::<Vec<_>>();
+    assert_eq!(proof.len(), helper_indices.len());
+    (proof, helper_indices)
+}

lightclient-circuits/src/witness/rotation.rs

@@ -9,6 +9,8 @@ use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
 use std::{iter, marker::PhantomData};
 
+use crate::witness::beacon_header_multiproof_and_helper_indices;
+
 /// Input datum for the `CommitteeUpdateCircuit` to map next sync committee SSZ root in the finalized state root to the corresponding Poseidon commitment to the public keys.
 ///
 /// Assumes that public keys are BLS12-381 points on G1; `sync_committee_branch` is exactly `S::SYNC_COMMITTEE_PUBKEYS_DEPTH` hashes in lenght.
@@ -20,6 +22,8 @@ pub struct CommitteeUpdateArgs<S: Spec> {
 
     pub sync_committee_branch: Vec<Vec<u8>>,
 
+    pub finalized_header_multiproof: Vec<Vec<u8>>,
+    pub finalized_header_helper_indices: Vec<usize>,
     #[serde(skip)]
     pub _spec: PhantomData<S>,
 }
@@ -63,13 +67,20 @@ impl<S: Spec> Default for CommitteeUpdateArgs<S> {
         let mut finalized_header = BeaconBlockHeader::empty();
         finalized_header.state_root = state_root.into();
 
+        let (finalized_header_multiproof, finalized_header_helper_indices) =
+            beacon_header_multiproof_and_helper_indices(
+                &mut finalized_header.clone(),
+                &[S::HEADER_STATE_ROOT_INDEX],
+            );
         Self {
             pubkeys_compressed: iter::repeat(dummy_x_bytes)
                 .take(S::SYNC_COMMITTEE_SIZE)
                 .collect_vec(),
             sync_committee_branch,
             finalized_header,
             _spec: PhantomData,
+            finalized_header_multiproof,
+            finalized_header_helper_indices,
         }
     }
 }

lightclient-circuits/src/witness/step.rs

@@ -14,6 +14,8 @@ use serde::{Deserialize, Serialize};
 use std::marker::PhantomData;
 use tree_hash::TreeHash;
 
+use crate::witness::beacon_header_multiproof_and_helper_indices;
+
 use super::mock_root;
 
 /// Input datum for the `StepCircuit` to verify `attested_header` singed by the lightclient sync committee,
@@ -42,6 +44,11 @@ pub struct SyncStepArgs<S: Spec> {
 
     pub domain: [u8; 32],
 
+    pub attested_header_multiproof: Vec<Vec<u8>>,
+    pub attested_header_helper_indices: Vec<usize>,
+    pub finalized_header_multiproof: Vec<Vec<u8>>,
+    pub finalized_header_helper_indices: Vec<usize>,
+
     #[serde(skip)]
     pub _spec: PhantomData<S>,
 }
@@ -109,6 +116,19 @@ impl<S: Spec> Default for SyncStepArgs<S> {
             })
             .collect_vec();
 
+        // Proof length is 3
+        let (attested_header_multiproof, attested_header_helper_indices) =
+            beacon_header_multiproof_and_helper_indices(
+                &mut attested_header.clone(),
+                &[S::HEADER_SLOT_INDEX, S::HEADER_STATE_ROOT_INDEX],
+            );
+        // Proof length is 4
+        let (finalized_header_multiproof, finalized_header_helper_indices) =
+            beacon_header_multiproof_and_helper_indices(
+                &mut finalized_header.clone(),
+                &[S::HEADER_SLOT_INDEX, S::HEADER_BODY_ROOT_INDEX],
+            );
+
         Self {
             signature_compressed,
             pubkeys_uncompressed,
@@ -120,6 +140,11 @@ impl<S: Spec> Default for SyncStepArgs<S> {
             execution_payload_branch: execution_branch,
             execution_payload_root: execution_root,
             _spec: PhantomData,
+
+            attested_header_multiproof,
+            attested_header_helper_indices,
+            finalized_header_multiproof,
+            finalized_header_helper_indices,
         }
     }
 }

preprocessor/src/lib.rs

@@ -129,6 +129,8 @@ mod tests {
             .message;
         let slot = block.slot;
         let period = slot / (32 * 256);
+        const ROTATE_CONFIG_PATH: &str = "../lightclient-circuits/config/committee_update_20.json";
+        const STEP_CONFIG_PATH: &str = "../lightclient-circuits/config/sync_step_20.json";
 
         println!(
             "Fetching light client update at current Slot: {} at Period: {}",
@@ -198,11 +200,8 @@ mod tests {
         finalized_sync_committee_branch.insert(0, c.sync_committee_branch[0].clone());
         finalized_sync_committee_branch[1].clone_from(&c.sync_committee_branch[1]);
         c.sync_committee_branch = finalized_sync_committee_branch;
-        // Replaces the attested header with step circuits finalized header
-        c.finalized_header = s.finalized_header.clone();
 
         let params: ParamsKZG<Bn256> = gen_srs(K);
-
         let circuit = StepCircuit::<Testnet, Fr>::create_circuit(
             CircuitBuilderStage::Mock,
             None,
@@ -214,9 +213,7 @@ mod tests {
         let prover = MockProver::<Fr>::run(K, &circuit, circuit.instances()).unwrap();
         prover.assert_satisfied();
 
-        const CONFIG_PATH: &str = "../lightclient-circuits/config/committee_update_testnet.json";
-
-        let pinning = Eth2ConfigPinning::from_path(CONFIG_PATH);
+        let pinning = Eth2ConfigPinning::from_path(ROTATE_CONFIG_PATH);
         let circuit = CommitteeUpdateCircuit::<Testnet, Fr>::create_circuit(
             CircuitBuilderStage::Mock,
             Some(pinning),