ChainSafe · ec2 · Jan 18, 2024 · Jan 18, 2024 · Jan 18, 2024 · Jan 18, 2024
diff --git a/eth-types/src/spec.rs b/eth-types/src/spec.rs
@@ -20,6 +20,10 @@ pub trait Spec: 'static + Sized + Copy + Default + Debug {
     const FINALIZED_HEADER_DEPTH: usize;
     const BYTES_PER_LOGS_BLOOM: usize = 256;
     const MAX_EXTRA_DATA_BYTES: usize = 32;
+
+    const HEADER_SLOT_INDEX: usize = 8;
+    const HEADER_STATE_ROOT_INDEX: usize = 11;
+    const HEADER_BODY_ROOT_INDEX: usize = 12;
 }
 
 #[derive(Copy, Clone, PartialEq, Eq, Debug, Default)]

diff --git a/lightclient-circuits/src/committee_update_circuit.rs b/lightclient-circuits/src/committee_update_circuit.rs
@@ -5,7 +5,7 @@
 use crate::{
     gadget::crypto::{HashInstructions, Sha256ChipWide, ShaBitGateManager, ShaCircuitBuilder},
     poseidon::{fq_array_poseidon, poseidon_hash_fq_array},
-    ssz_merkle::{ssz_merkleize_chunks, verify_merkle_proof},
+    ssz_merkle::{ssz_merkleize_chunks, verify_merkle_multiproof, verify_merkle_proof},
     sync_step_circuit::clear_3_bits,
     util::{AppCircuit, CommonGateManager, Eth2ConfigPinning, IntoWitness},
     witness::{self, HashInput, HashInputChunk},
@@ -30,7 +30,6 @@ use halo2curves::bls12_381;
 use itertools::Itertools;
 use ssz_rs::{Merkleized, Vector};
 use std::{env::var, iter, marker::PhantomData, vec};
-
 /// `CommitteeUpdateCircuit` maps next sync committee SSZ root in the finalized state root to the corresponding Poseidon commitment to the public keys.
 ///
 /// Assumes that public keys are BLS12-381 points on G1; `sync_committee_branch` is exactly `S::SYNC_COMMITTEE_PUBKEYS_DEPTH` hashes in lenght.
@@ -84,16 +83,26 @@ impl<S: Spec, F: Field> CommitteeUpdateCircuit<S, F> {
             .iter()
             .map(|v| builder.main().load_witness(F::from(*v as u64)))
             .collect_vec();
-        let finalized_header_root = ssz_merkleize_chunks(
+        let finalized_header_root = args
+            .finalized_header
+            .clone()
+            .hash_tree_root()
+            .map_err(|_| Error::Synthesis)?
+            .as_ref()
+            .iter()
+            .map(|v| builder.main().load_witness(F::from(*v as u64)))
+            .collect_vec();
+
+        verify_merkle_multiproof(
             builder,
             &sha256_chip,
-            [
-                args.finalized_header.slot.into_witness(),
-                args.finalized_header.proposer_index.into_witness(),
-                args.finalized_header.parent_root.as_ref().into_witness(),
-                finalized_state_root.clone().into(),
-                args.finalized_header.body_root.as_ref().into_witness(),
-            ],
+            args.finalized_header_multiproof
+                .iter()
+                .map(|w| w.clone().into_witness()),
+            vec![finalized_state_root.clone().into()],
+            &finalized_header_root,
+            [S::HEADER_STATE_ROOT_INDEX],
+            args.finalized_header_helper_indices.clone(),
         )?;
 
         // Verify that the sync committee root is in the finalized state root

diff --git a/lightclient-circuits/src/ssz_merkle.rs b/lightclient-circuits/src/ssz_merkle.rs
@@ -2,6 +2,8 @@
 // Code: https://github.com/ChainSafe/Spectre
 // SPDX-License-Identifier: LGPL-3.0-only
 
+use std::collections::HashMap;
+
 use crate::{
     gadget::crypto::HashInstructions,
     util::IntoConstant,
@@ -94,6 +96,61 @@ pub fn verify_merkle_proof<F: Field, CircuitBuilder: CommonCircuitBuilder<F>>(
     Ok(())
 }
 
+// Implemented following https://github.com/ethereum/consensus-specs/blob/dev/ssz/merkle-proofs.md#merkle-multiproofs
+pub fn verify_merkle_multiproof<F: Field, CircuitBuilder: CommonCircuitBuilder<F>>(
+    builder: &mut CircuitBuilder,
+    hasher: &impl HashInstructions<F, CircuitBuilder = CircuitBuilder>,
+    branch: impl IntoIterator<Item = HashInputChunk<QuantumCell<F>>>,
+    leaves: impl IntoIterator<Item = HashInputChunk<QuantumCell<F>>>,
+    root: &[AssignedValue<F>],
+    gindices: impl IntoIterator<Item = usize>,
+    helper_indices: impl IntoIterator<Item = usize>,
+) -> Result<(), Error> {
+    let mut objects: HashMap<usize, _> = gindices
+        .into_iter()
+        .zip(leaves)
+        .chain(helper_indices.into_iter().zip(branch))
+        .collect();
+    let mut keys = objects.keys().copied().collect_vec();
+    keys.sort_by(|a, b| b.cmp(a));
+
+    let mut pos = 0;
+    while pos < keys.len() {
+        let k = keys[pos];
+        // if the sibling exists AND the parent does NOT, we hash
+        if objects.contains_key(&k)
+            && objects.contains_key(&(k ^ 1))
+            && !objects.contains_key(&(k / 2))
+        {
+            let left = objects[&((k | 1) ^ 1)].clone();
+            let right = objects[&(k | 1)].clone();
+            let computed_hash = hasher
+                .digest(builder, HashInput::TwoToOne(left, right))?
+                .into();
+            objects.insert(k / 2, computed_hash);
+            keys.push(k / 2);
+        }
+        pos += 1;
+    }
+
+    let computed_root = objects
+        .get(&1)
+        .unwrap()
+        .clone()
+        .into_iter()
+        .map(|b| match b {
+            QuantumCell::Existing(av) => av,
+            _ => unreachable!(),
+        });
+
+    computed_root.zip(root.iter()).for_each(|(a, b)| {
+        builder.main().constrain_equal(&a, b);
+    });
+
+    // Ok(())
+    Ok(())
+}
+
 pub const ZERO_HASHES: [[u8; 32]; 2] = [
     [0; 32],
     [

diff --git a/lightclient-circuits/src/sync_step_circuit.rs b/lightclient-circuits/src/sync_step_circuit.rs
@@ -11,7 +11,7 @@ use crate::{
         to_bytes_le,
     },
     poseidon::{fq_array_poseidon, poseidon_hash_fq_array},
-    ssz_merkle::{ssz_merkleize_chunks, verify_merkle_proof},
+    ssz_merkle::{verify_merkle_multiproof, verify_merkle_proof},
     util::{AppCircuit, Eth2ConfigPinning, IntoWitness},
     witness::{self, HashInput, HashInputChunk, SyncStepArgs},
     Eth2CircuitBuilder,
@@ -106,7 +106,6 @@ impl<S: Spec, F: Field> StepCircuit<S, F> {
             assigned_affines.iter().map(|p| &p.x),
         )?;
 
-        // Compute attested header root
         let attested_slot_bytes: HashInputChunk<_> = args.attested_header.slot.into_witness();
         let attested_header_state_root = args
             .attested_header
@@ -115,19 +114,31 @@ impl<S: Spec, F: Field> StepCircuit<S, F> {
             .iter()
             .map(|v| builder.main().load_witness(F::from(*v as u64)))
             .collect_vec();
-        let attested_header_root = ssz_merkleize_chunks(
+        let attested_header_root = args
+            .attested_header
+            .clone()
+            .hash_tree_root()
+            .map_err(|_| Error::Synthesis)?
+            .as_ref()
+            .iter()
+            .map(|v| builder.main().load_witness(F::from(*v as u64)))
+            .collect_vec();
+
+        verify_merkle_multiproof(
             builder,
             &sha256_chip,
-            [
+            args.attested_header_multiproof
+                .iter()
+                .map(|w| w.clone().into_witness()),
+            vec![
                 attested_slot_bytes.clone(),
-                args.attested_header.proposer_index.into_witness(),
-                args.attested_header.parent_root.as_ref().into_witness(),
                 attested_header_state_root.clone().into(),
-                args.attested_header.body_root.as_ref().into_witness(),
             ],
+            &attested_header_root,
+            [S::HEADER_SLOT_INDEX, S::HEADER_STATE_ROOT_INDEX],
+            args.attested_header_helper_indices.clone(),
         )?;
 
-        // Compute finalized header root
         let finalized_block_body_root = args
             .finalized_header
             .body_root
@@ -136,16 +147,30 @@ impl<S: Spec, F: Field> StepCircuit<S, F> {
             .map(|&b| builder.main().load_witness(F::from(b as u64)))
             .collect_vec();
         let finalized_slot_bytes: HashInputChunk<_> = args.finalized_header.slot.into_witness();
-        let finalized_header_root = ssz_merkleize_chunks(
+
+        let finalized_header_root = args
+            .finalized_header
+            .clone()
+            .hash_tree_root()
+            .map_err(|_| Error::Synthesis)?
+            .as_ref()
+            .iter()
+            .map(|v| builder.main().load_witness(F::from(*v as u64)))
+            .collect_vec();
+
+        verify_merkle_multiproof(
             builder,
             &sha256_chip,
-            [
+            args.finalized_header_multiproof
+                .iter()
+                .map(|w| w.clone().into_witness()),
+            vec![
                 finalized_slot_bytes.clone(),
-                args.finalized_header.proposer_index.into_witness(),
-                args.finalized_header.parent_root.as_ref().into_witness(),
-                args.finalized_header.state_root.as_ref().into_witness(),
                 finalized_block_body_root.clone().into(),
             ],
+            &finalized_header_root,
+            [S::HEADER_SLOT_INDEX, S::HEADER_BODY_ROOT_INDEX],
+            args.finalized_header_helper_indices.clone(),
         )?;
 
         let signing_root = sha256_chip.digest(

diff --git a/lightclient-circuits/src/witness/multiproof.rs b/lightclient-circuits/src/witness/multiproof.rs
@@ -1,8 +1,9 @@
 // TODO: A lot if not all/most of this code is copy pasta from: https://github.com/ralexstokes/ssz-rs/pull/118 which is mostly implemented w.r.t. the spec
 // TODO: Remove this once the above PR lands in ssz-rs
 
+use ethereum_consensus_types::BeaconBlockHeader;
 use sha2::{Digest, Sha256};
-use ssz_rs::Node;
+use ssz_rs::{MerkleizationError, Merkleized, Node};
 use std::collections::{HashMap, HashSet};
 
 pub type GeneralizedIndex = usize;
@@ -149,9 +150,7 @@ pub fn calculate_multi_merkle_root(
             hasher.update(left_input.as_ref());
             hasher.update(right_input.as_ref());
 
-            let parent = objects
-                .entry(parent_index)
-                .or_default();
+            let parent = objects.entry(parent_index).or_default();
             parent.as_mut().copy_from_slice(&hasher.finalize_reset());
             keys.push(parent_index);
         }
@@ -186,3 +185,32 @@ pub fn create_multiproof(merkle_tree: &[Node], indices_to_prove: &[GeneralizedIn
         .map(|i| merkle_tree[i])
         .collect()
 }
+
+/// Returns nodes representing the leaves a BeaconBlockHeader in merkleized representation.
+pub fn block_header_to_leaves(
+    header: &mut BeaconBlockHeader,
+) -> Result<[Node; 5], MerkleizationError> {
+    Ok([
+        header.slot.hash_tree_root()?,
+        header.proposer_index.hash_tree_root()?,
+        header.parent_root.hash_tree_root()?,
+        header.state_root.hash_tree_root()?,
+        header.body_root.hash_tree_root()?,
+    ])
+}
+
+pub fn beacon_header_multiproof_and_helper_indices(
+    header: &mut BeaconBlockHeader,
+    gindices: &[usize],
+) -> (Vec<Node>, Vec<usize>) {
+    let header_leaves = block_header_to_leaves(header).unwrap();
+    let merkle_tree = merkle_tree(&header_leaves);
+    let helper_indices = get_helper_indices(gindices);
+    let proof = helper_indices
+        .iter()
+        .copied()
+        .map(|i| merkle_tree[i])
+        .collect::<Vec<_>>();
+    assert_eq!(proof.len(), helper_indices.len());
+    (proof, helper_indices)
+}
diff --git a/lightclient-circuits/src/witness/rotation.rs b/lightclient-circuits/src/witness/rotation.rs
@@ -9,6 +9,8 @@ use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
 use std::{iter, marker::PhantomData};
 
+use crate::witness::beacon_header_multiproof_and_helper_indices;
+
 /// Input datum for the `CommitteeUpdateCircuit` to map next sync committee SSZ root in the finalized state root to the corresponding Poseidon commitment to the public keys.
 ///
 /// Assumes that public keys are BLS12-381 points on G1; `sync_committee_branch` is exactly `S::SYNC_COMMITTEE_PUBKEYS_DEPTH` hashes in lenght.
@@ -20,6 +22,8 @@ pub struct CommitteeUpdateArgs<S: Spec> {
 
     pub sync_committee_branch: Vec<Vec<u8>>,
 
+    pub finalized_header_multiproof: Vec<Vec<u8>>,
+    pub finalized_header_helper_indices: Vec<usize>,
     #[serde(skip)]
     pub _spec: PhantomData<S>,
 }
@@ -59,17 +63,29 @@ impl<S: Spec> Default for CommitteeUpdateArgs<S> {
             &sync_committee_branch,
             S::SYNC_COMMITTEE_PUBKEYS_ROOT_INDEX,
         );
+        let finalized_header = BeaconBlockHeader {
+            state_root: state_root.as_slice().try_into().unwrap(),
+            ..Default::default()
+        };
+
+        let (finalized_header_multiproof, finalized_header_helper_indices) =
+            beacon_header_multiproof_and_helper_indices(
+                &mut finalized_header.clone(),
+                &[S::HEADER_STATE_ROOT_INDEX],
+            );
 
         Self {
             pubkeys_compressed: iter::repeat(dummy_x_bytes)
                 .take(S::SYNC_COMMITTEE_SIZE)
                 .collect_vec(),
             sync_committee_branch,
-            finalized_header: BeaconBlockHeader {
-                state_root: state_root.as_slice().try_into().unwrap(),
-                ..Default::default()
-            },
+            finalized_header,
             _spec: PhantomData,
+            finalized_header_multiproof: finalized_header_multiproof
+                .into_iter()
+                .map(|n| n.as_ref().to_vec())
+                .collect_vec(),
+            finalized_header_helper_indices,
         }
     }
 }

diff --git a/lightclient-circuits/src/witness/step.rs b/lightclient-circuits/src/witness/step.rs
@@ -15,6 +15,8 @@ use std::iter;
 use std::marker::PhantomData;
 use std::ops::Deref;
 
+use crate::witness::beacon_header_multiproof_and_helper_indices;
+
 use super::mock_root;
 
 /// Input datum for the `StepCircuit` to verify `attested_header` singed by the lightclient sync committee,
@@ -43,6 +45,11 @@ pub struct SyncStepArgs<S: Spec> {
 
     pub domain: [u8; 32],
 
+    pub attested_header_multiproof: Vec<Vec<u8>>,
+    pub attested_header_helper_indices: Vec<usize>,
+    pub finalized_header_multiproof: Vec<Vec<u8>>,
+    pub finalized_header_helper_indices: Vec<usize>,
+
     #[serde(skip)]
     pub _spec: PhantomData<S>,
 }
@@ -105,6 +112,19 @@ impl<S: Spec> Default for SyncStepArgs<S> {
             .to_uncompressed_be()
             .to_vec();
 
+        // Proof length is 3
+        let (attested_header_multiproof, attested_header_helper_indices) =
+            beacon_header_multiproof_and_helper_indices(
+                &mut attested_header.clone(),
+                &[S::HEADER_SLOT_INDEX, S::HEADER_STATE_ROOT_INDEX],
+            );
+        // Proof length is 4
+        let (finalized_header_multiproof, finalized_header_helper_indices) =
+            beacon_header_multiproof_and_helper_indices(
+                &mut finalized_header.clone(),
+                &[S::HEADER_SLOT_INDEX, S::HEADER_BODY_ROOT_INDEX],
+            );
+
         Self {
             signature_compressed,
             pubkeys_uncompressed: iter::repeat(pubkey_uncompressed)
@@ -118,6 +138,17 @@ impl<S: Spec> Default for SyncStepArgs<S> {
             execution_payload_branch: execution_branch,
             execution_payload_root: execution_root,
             _spec: PhantomData,
+
+            attested_header_multiproof: attested_header_multiproof
+                .into_iter()
+                .map(|n| n.as_ref().to_vec())
+                .collect_vec(),
+            attested_header_helper_indices,
+            finalized_header_multiproof: finalized_header_multiproof
+                .into_iter()
+                .map(|n| n.as_ref().to_vec())
+                .collect_vec(),
+            finalized_header_helper_indices,
         }
     }
 }

diff --git a/preprocessor/Cargo.toml b/preprocessor/Cargo.toml
@@ -29,6 +29,7 @@ itertools.workspace = true
 serde_json.workspace = true
 serde.workspace = true
 ethereum-consensus-types.workspace = true
+sha2.workspace = true
 # local
 eth-types.workspace = true
 lightclient-circuits.workspace = true