generated from arkworks-rs/template
-
Notifications
You must be signed in to change notification settings - Fork 83
/
constraints.rs
190 lines (154 loc) · 7.33 KB
/
constraints.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
use crate::common::*;
use crate::{Root, SimplePath};
use ark_crypto_primitives::crh::{TwoToOneCRH, TwoToOneCRHGadget, CRH};
use ark_crypto_primitives::merkle_tree::constraints::PathVar;
use ark_r1cs_std::prelude::*;
use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, SynthesisError};
// (You don't need to worry about what's going on in the next two type definitions,
// just know that these are types that you can use.)
/// The R1CS equivalent of the the Merkle tree root.
pub type RootVar = <TwoToOneHashGadget as TwoToOneCRHGadget<TwoToOneHash, ConstraintF>>::OutputVar;
/// The R1CS equivalent of the the Merkle tree path.
pub type SimplePathVar =
PathVar<crate::MerkleConfig, LeafHashGadget, TwoToOneHashGadget, ConstraintF>;
////////////////////////////////////////////////////////////////////////////////
pub struct MerkleTreeVerification {
// These are constants that will be embedded into the circuit
pub leaf_crh_params: <LeafHash as CRH>::Parameters,
pub two_to_one_crh_params: <TwoToOneHash as TwoToOneCRH>::Parameters,
// These are the public inputs to the circuit.
pub root: Root,
pub leaf: u8,
// This is the private witness to the circuit.
pub authentication_path: Option<SimplePath>,
}
impl ConstraintSynthesizer<ConstraintF> for MerkleTreeVerification {
fn generate_constraints(
self,
cs: ConstraintSystemRef<ConstraintF>,
) -> Result<(), SynthesisError> {
// First, we allocate the public inputs
let root = RootVar::new_input(ark_relations::ns!(cs, "root_var"), || Ok(&self.root))?;
let leaf = UInt8::new_input(ark_relations::ns!(cs, "leaf_var"), || Ok(&self.leaf))?;
// Then, we allocate the public parameters as constants:
let leaf_crh_params = LeafHashParamsVar::new_constant(cs.clone(), &self.leaf_crh_params)?;
let two_to_one_crh_params =
TwoToOneHashParamsVar::new_constant(cs.clone(), &self.two_to_one_crh_params)?;
// Finally, we allocate our path as a private witness variable:
let path = SimplePathVar::new_witness(ark_relations::ns!(cs, "path_var"), || {
Ok(self.authentication_path.as_ref().unwrap())
})?;
let leaf_bytes = vec![leaf; 1];
// Now, we have to check membership. How do we do that?
// Hint: look at https://github.com/arkworks-rs/crypto-primitives/blob/6be606259eab0aec010015e2cfd45e4f134cd9bf/src/merkle_tree/constraints.rs#L135
// TODO: FILL IN THE BLANK!
// let is_member = XYZ
//
// is_member.enforce_equal(&Boolean::TRUE)?;
Ok(())
}
}
// Run this test via `cargo test --release test_merkle_tree`.
#[test]
fn merkle_tree_constraints_correctness() {
use ark_relations::r1cs::{ConstraintLayer, ConstraintSystem, TracingMode};
use tracing_subscriber::layer::SubscriberExt;
// Let's set up an RNG for use within tests. Note that this is *not* safe
// for any production use.
let mut rng = ark_std::test_rng();
// First, let's sample the public parameters for the hash functions:
let leaf_crh_params = <LeafHash as CRH>::setup(&mut rng).unwrap();
let two_to_one_crh_params = <TwoToOneHash as TwoToOneCRH>::setup(&mut rng).unwrap();
// Next, let's construct our tree.
// This follows the API in https://github.com/arkworks-rs/crypto-primitives/blob/6be606259eab0aec010015e2cfd45e4f134cd9bf/src/merkle_tree/mod.rs#L156
let tree = crate::SimpleMerkleTree::new(
&leaf_crh_params,
&two_to_one_crh_params,
&[1u8, 2u8, 3u8, 10u8, 9u8, 17u8, 70u8, 45u8], // the i-th entry is the i-th leaf.
)
.unwrap();
// Now, let's try to generate a membership proof for the 5th item, i.e. 9.
let proof = tree.generate_proof(4).unwrap(); // we're 0-indexing!
// This should be a proof for the membership of a leaf with value 9. Let's check that!
// First, let's get the root we want to verify against:
let root = tree.root();
let circuit = MerkleTreeVerification {
// constants
leaf_crh_params,
two_to_one_crh_params,
// public inputs
root,
leaf: 9u8,
// witness
authentication_path: Some(proof),
};
// First, some boilerplat that helps with debugging
let mut layer = ConstraintLayer::default();
layer.mode = TracingMode::OnlyConstraints;
let subscriber = tracing_subscriber::Registry::default().with(layer);
let _guard = tracing::subscriber::set_default(subscriber);
// Next, let's make the circuit!
let cs = ConstraintSystem::new_ref();
circuit.generate_constraints(cs.clone()).unwrap();
// Let's check whether the constraint system is satisfied
let is_satisfied = cs.is_satisfied().unwrap();
if !is_satisfied {
// If it isn't, find out the offending constraint.
println!("{:?}", cs.which_is_unsatisfied());
}
assert!(is_satisfied);
}
// Run this test via `cargo test --release test_merkle_tree_constraints_soundness`.
// This tests that a given invalid authentication path will fail.
#[test]
fn merkle_tree_constraints_soundness() {
use ark_relations::r1cs::{ConstraintLayer, ConstraintSystem, TracingMode};
use tracing_subscriber::layer::SubscriberExt;
// Let's set up an RNG for use within tests. Note that this is *not* safe
// for any production use.
let mut rng = ark_std::test_rng();
// First, let's sample the public parameters for the hash functions:
let leaf_crh_params = <LeafHash as CRH>::setup(&mut rng).unwrap();
let two_to_one_crh_params = <TwoToOneHash as TwoToOneCRH>::setup(&mut rng).unwrap();
// Next, let's construct our tree.
// This follows the API in https://github.com/arkworks-rs/crypto-primitives/blob/6be606259eab0aec010015e2cfd45e4f134cd9bf/src/merkle_tree/mod.rs#L156
let tree = crate::SimpleMerkleTree::new(
&leaf_crh_params,
&two_to_one_crh_params,
&[1u8, 2u8, 3u8, 10u8, 9u8, 17u8, 70u8, 45u8], // the i-th entry is the i-th leaf.
)
.unwrap();
// We just mutate the first leaf
let second_tree = crate::SimpleMerkleTree::new(
&leaf_crh_params,
&two_to_one_crh_params,
&[4u8, 2u8, 3u8, 10u8, 9u8, 17u8, 70u8, 45u8], // the i-th entry is the i-th leaf.
)
.unwrap();
// Now, let's try to generate a membership proof for the 5th item, i.e. 9.
let proof = tree.generate_proof(4).unwrap(); // we're 0-indexing!
// But, let's get the root we want to verify against:
let wrong_root = second_tree.root();
let circuit = MerkleTreeVerification {
// constants
leaf_crh_params,
two_to_one_crh_params,
// public inputs
root: wrong_root,
leaf: 9u8,
// witness
authentication_path: Some(proof),
};
// First, some boilerplate that helps with debugging
let mut layer = ConstraintLayer::default();
layer.mode = TracingMode::OnlyConstraints;
let subscriber = tracing_subscriber::Registry::default().with(layer);
let _guard = tracing::subscriber::set_default(subscriber);
// Next, let's make the constraint system!
let cs = ConstraintSystem::new_ref();
circuit.generate_constraints(cs.clone()).unwrap();
// Let's check whether the constraint system is satisfied
let is_satisfied = cs.is_satisfied().unwrap();
// We expect this to fail!
assert!(!is_satisfied);
}