diff --git a/contracts/foundry.toml b/contracts/foundry.toml index a2d58d9c9..20fc3c426 100644 --- a/contracts/foundry.toml +++ b/contracts/foundry.toml @@ -4,4 +4,11 @@ out = "out" libs = ["lib"] fs_permissions = [{ access = "read-write", path = "./"}] +[fmt] +line_length = 100 +tab_width = 4 +func_attrs_with_params_multiline = true +ignore = ["lib/**"] + + # See more config options https://github.com/foundry-rs/foundry/tree/master/config \ No newline at end of file diff --git a/contracts/script/deploy/FunctionGateway.s.sol b/contracts/script/deploy/FunctionGateway.s.sol index ea81fcf17..6eb02eb80 100644 --- a/contracts/script/deploy/FunctionGateway.s.sol +++ b/contracts/script/deploy/FunctionGateway.s.sol @@ -9,7 +9,9 @@ import {Strings} from "@openzeppelin/contracts/utils/Strings.sol"; contract DeployFunctionGateway is BaseScript { function run() external broadcaster { - console.log("Deploying FunctionGateway contract on chain %s", Strings.toString(block.chainid)); + console.log( + "Deploying FunctionGateway contract on chain %s", Strings.toString(block.chainid) + ); // Check inputs uint256 SCALAR = envUint256("SCALAR"); @@ -23,7 +25,8 @@ contract DeployFunctionGateway is BaseScript { FunctionGateway gatewayImpl = new FunctionGateway{salt: CREATE2_SALT}(); FunctionGateway gateway; if (!UPGRADE) { - gateway = FunctionGateway(address(new Proxy{salt: CREATE2_SALT}(address(gatewayImpl), ""))); + gateway = + FunctionGateway(address(new Proxy{salt: CREATE2_SALT}(address(gatewayImpl), ""))); gateway.initialize(SCALAR, SUCCINCT_FEE_VAULT, TIMELOCK, GUARDIAN); } else { gateway = FunctionGateway(envAddress("FUNCTION_GATEWAY", block.chainid)); diff --git a/contracts/script/deploy/Guardian.s.sol b/contracts/script/deploy/Guardian.s.sol index 749d7f305..916bc34bf 100644 --- a/contracts/script/deploy/Guardian.s.sol +++ b/contracts/script/deploy/Guardian.s.sol @@ -10,7 +10,9 @@ import {Strings} from "@openzeppelin/contracts/utils/Strings.sol"; // "Guardian" refers to a Gnosis Safe proxy. contract DeployGuardian is BaseScript { function run() external broadcaster { - console.log("Deploying Guardian (Safe) contract on chain %s", Strings.toString(block.chainid)); + console.log( + "Deploying Guardian (Safe) contract on chain %s", Strings.toString(block.chainid) + ); // Check inputs @@ -48,6 +50,12 @@ contract DeployGuardian is BaseScript { address(0) ); - return Safe(payable(_safeFactory.createProxyWithNonce(address(_safeSingleton), initializer, uint256(_salt)))); + return Safe( + payable( + _safeFactory.createProxyWithNonce( + address(_safeSingleton), initializer, uint256(_salt) + ) + ) + ); } } diff --git a/contracts/script/deploy/StorageOracle.s.sol b/contracts/script/deploy/StorageOracle.s.sol index 7eac391ee..d54dbcd80 100644 --- a/contracts/script/deploy/StorageOracle.s.sol +++ b/contracts/script/deploy/StorageOracle.s.sol @@ -23,7 +23,8 @@ contract DeployStorageOracle is BaseScript { StorageOracle gatewayImpl = new StorageOracle{salt: CREATE2_SALT}(); StorageOracle gateway; if (!UPGRADE) { - gateway = StorageOracle(address(new Proxy{salt: CREATE2_SALT}(address(gatewayImpl), ""))); + gateway = + StorageOracle(address(new Proxy{salt: CREATE2_SALT}(address(gatewayImpl), ""))); gateway.initialize(FUNCTION_GATEWAY, FUNCTION_ID, TIMELOCK, GUARDIAN); } else { gateway = StorageOracle(envAddress("STORAGE_ORACLE", block.chainid)); diff --git a/contracts/script/deploy/StorageVerifier.sol b/contracts/script/deploy/StorageVerifier.sol index d08bd066a..c1c243481 100644 --- a/contracts/script/deploy/StorageVerifier.sol +++ b/contracts/script/deploy/StorageVerifier.sol @@ -9,7 +9,9 @@ import {IFunctionRegistry} from "src/interfaces/IFunctionRegistry.sol"; contract DeployStorageVerifier is BaseScript { function run() external broadcaster { - console.log("Deploying StorageVerifier contract on chain %s", Strings.toString(block.chainid)); + console.log( + "Deploying StorageVerifier contract on chain %s", Strings.toString(block.chainid) + ); // Check inputs address FUNCTION_GATEWAY = envAddress("FUNCTION_GATEWAY", block.chainid); @@ -17,7 +19,8 @@ contract DeployStorageVerifier is BaseScript { // Deploy contract StorageVerifier verifier = new StorageVerifier{salt: CREATE2_SALT}(); - bytes32 functionId = IFunctionRegistry(FUNCTION_GATEWAY).registerFunction(address(verifier), "storage"); + bytes32 functionId = + IFunctionRegistry(FUNCTION_GATEWAY).registerFunction(address(verifier), "storage"); console.log("FunctionId:"); console.logBytes32(functionId); diff --git a/contracts/script/deploy/SuccinctFeeVault.s.sol b/contracts/script/deploy/SuccinctFeeVault.s.sol index 37a175e30..f09657fd9 100644 --- a/contracts/script/deploy/SuccinctFeeVault.s.sol +++ b/contracts/script/deploy/SuccinctFeeVault.s.sol @@ -8,7 +8,9 @@ import {Strings} from "@openzeppelin/contracts/utils/Strings.sol"; contract DeploySuccinctFeeVault is BaseScript { function run() external broadcaster { - console.log("Deploying SuccinctFeeVault contract on chain %s", Strings.toString(block.chainid)); + console.log( + "Deploying SuccinctFeeVault contract on chain %s", Strings.toString(block.chainid) + ); // Check inputs bytes32 CREATE2_SALT = envBytes32("CREATE2_SALT"); diff --git a/contracts/script/misc/Base.s.sol b/contracts/script/misc/Base.s.sol index 89f6a4ecd..56f810144 100644 --- a/contracts/script/misc/Base.s.sol +++ b/contracts/script/misc/Base.s.sol @@ -76,7 +76,10 @@ abstract contract BaseScript is Script { return value; } - function envUint32s(string memory name, string memory delimiter) internal returns (uint32[] memory) { + function envUint32s(string memory name, string memory delimiter) + internal + returns (uint32[] memory) + { uint256[] memory values = new uint256[](0); values = vm.envOr(name, delimiter, values); if (values.length == 0) { @@ -167,9 +170,12 @@ abstract contract BaseScript is Script { console.log(string.concat(string.concat(addrVar, "="), Strings.toHexString(value))); } - function writeEnvAddresses(string memory file, string memory name, address[] memory values, string memory delimiter) - internal - { + function writeEnvAddresses( + string memory file, + string memory name, + address[] memory values, + string memory delimiter + ) internal { string memory addrVar = string.concat(name, "_", Strings.toString(block.chainid)); string memory line = string.concat(addrVar, "="); string memory addrs; @@ -243,7 +249,11 @@ abstract contract BaseScript is Script { return _b; } - function buildSignaturesFromArray(bytes[] memory _signatures) internal pure returns (bytes memory) { + function buildSignaturesFromArray(bytes[] memory _signatures) + internal + pure + returns (bytes memory) + { bytes memory signatures; for (uint256 i = 0; i < _signatures.length; i++) { signatures = bytes.concat(signatures, bytes(_signatures[i])); diff --git a/contracts/script/misc/Upgrade.s.sol b/contracts/script/misc/Upgrade.s.sol index 8d223127e..9ac4af967 100644 --- a/contracts/script/misc/Upgrade.s.sol +++ b/contracts/script/misc/Upgrade.s.sol @@ -15,7 +15,10 @@ import {Strings} from "@openzeppelin/contracts/utils/Strings.sol"; // ); // contract UpgradeSignSchedule is BaseScript { - function run(address PROXY, address IMPL) external returns (address signer, bytes memory signature) { + function run(address PROXY, address IMPL) + external + returns (address signer, bytes memory signature) + { // Check inputs address TIMELOCK = envAddress("TIMELOCK", block.chainid); address GUARDIAN = envAddress("GUARDIAN", block.chainid); @@ -36,9 +39,12 @@ contract UpgradeSignSchedule is BaseScript { bytes[] memory payloads = new bytes[](1); payloads[0] = abi.encodeWithSelector(IProxy.upgradeTo.selector, IMPL); - bytes32 id = ITimelock(TIMELOCK).hashOperationBatch(targets, values, payloads, 0, CREATE2_SALT); + bytes32 id = + ITimelock(TIMELOCK).hashOperationBatch(targets, values, payloads, 0, CREATE2_SALT); if (ITimelock(TIMELOCK).isOperation(id)) { - revert("operation already exists in Timelock, change CREATE2_SALT to schedule a new one"); + revert( + "operation already exists in Timelock, change CREATE2_SALT to schedule a new one" + ); } scheduleBatchData = abi.encodeWithSelector( @@ -82,7 +88,11 @@ contract UpgradeSignSchedule is BaseScript { // After enough signatures have been collected, a call to Safe.execTransaction(..., signatures) is // made which schedules the call on the Timelock. contract UpgradeSendSchedule is BaseScript { - function run(address PROXY, address IMPL, bytes memory _signatures) external broadcaster returns (bool success) { + function run(address PROXY, address IMPL, bytes memory _signatures) + external + broadcaster + returns (bool success) + { // Check inputs address TIMELOCK = envAddress("TIMELOCK", block.chainid); address GUARDIAN = envAddress("GUARDIAN", block.chainid); @@ -103,9 +113,12 @@ contract UpgradeSendSchedule is BaseScript { bytes[] memory payloads = new bytes[](1); payloads[0] = abi.encodeWithSelector(IProxy.upgradeTo.selector, IMPL); - bytes32 id = ITimelock(TIMELOCK).hashOperationBatch(targets, values, payloads, 0, CREATE2_SALT); + bytes32 id = + ITimelock(TIMELOCK).hashOperationBatch(targets, values, payloads, 0, CREATE2_SALT); if (ITimelock(TIMELOCK).isOperation(id)) { - revert("operation already exists in Timelock, change CREATE2_SALT to schedule a new one"); + revert( + "operation already exists in Timelock, change CREATE2_SALT to schedule a new one" + ); } scheduleBatchData = abi.encodeWithSelector( @@ -122,7 +135,9 @@ contract UpgradeSendSchedule is BaseScript { { if (ISafe(GUARDIAN).getThreshold() * 65 > _signatures.length) { console.log( - "not enough signatures, need %d have %d", ISafe(GUARDIAN).getThreshold(), _signatures.length / 65 + "not enough signatures, need %d have %d", + ISafe(GUARDIAN).getThreshold(), + _signatures.length / 65 ); return false; } @@ -147,7 +162,10 @@ contract UpgradeSendSchedule is BaseScript { // After MINIMUM_DELAY has passed, the call to Timelock.execute() can be made. contract UpgradeSignExecute is BaseScript { - function run(address PROXY, address IMPL) external returns (address signer, bytes memory signature) { + function run(address PROXY, address IMPL) + external + returns (address signer, bytes memory signature) + { // Check inputs address TIMELOCK = envAddress("TIMELOCK", block.chainid); address GUARDIAN = envAddress("GUARDIAN", block.chainid); @@ -168,7 +186,8 @@ contract UpgradeSignExecute is BaseScript { bytes[] memory payloads = new bytes[](1); payloads[0] = abi.encodeWithSelector(IProxy.upgradeTo.selector, IMPL); - bytes32 id = ITimelock(TIMELOCK).hashOperationBatch(targets, values, payloads, 0, CREATE2_SALT); + bytes32 id = + ITimelock(TIMELOCK).hashOperationBatch(targets, values, payloads, 0, CREATE2_SALT); if (ITimelock(TIMELOCK).isOperationDone(id)) { console.log("operation already executed in Timelock"); return (address(0), ""); @@ -212,7 +231,11 @@ contract UpgradeSignExecute is BaseScript { } contract UpgradeSendExecute is BaseScript { - function run(address PROXY, address IMPL, bytes memory _signatures) external broadcaster returns (bool success) { + function run(address PROXY, address IMPL, bytes memory _signatures) + external + broadcaster + returns (bool success) + { // Check inputs address TIMELOCK = envAddress("TIMELOCK", block.chainid); address GUARDIAN = envAddress("GUARDIAN", block.chainid); @@ -233,7 +256,8 @@ contract UpgradeSendExecute is BaseScript { bytes[] memory payloads = new bytes[](1); payloads[0] = abi.encodeWithSelector(IProxy.upgradeTo.selector, IMPL); - bytes32 id = ITimelock(TIMELOCK).hashOperationBatch(targets, values, payloads, 0, CREATE2_SALT); + bytes32 id = + ITimelock(TIMELOCK).hashOperationBatch(targets, values, payloads, 0, CREATE2_SALT); if (ITimelock(TIMELOCK).isOperationDone(id)) { console.log("operation already executed in Timelock"); return true; @@ -253,7 +277,9 @@ contract UpgradeSendExecute is BaseScript { { if (ISafe(GUARDIAN).getThreshold() * 65 > _signatures.length) { console.log( - "not enough signatures, need %d have %d", ISafe(GUARDIAN).getThreshold(), _signatures.length / 65 + "not enough signatures, need %d have %d", + ISafe(GUARDIAN).getThreshold(), + _signatures.length / 65 ); return false; } @@ -338,7 +364,11 @@ interface ISafe { event RemovedOwner(address owner); event SafeReceived(address indexed sender, uint256 value); event SafeSetup( - address indexed initiator, address[] owners, uint256 threshold, address initializer, address fallbackHandler + address indexed initiator, + address[] owners, + uint256 threshold, + address initializer, + address fallbackHandler ); event SignMsg(bytes32 indexed msgHash); @@ -347,10 +377,15 @@ interface ISafe { function approveHash(bytes32 hashToApprove) external; function approvedHashes(address, bytes32) external view returns (uint256); function changeThreshold(uint256 _threshold) external; - function checkNSignatures(bytes32 dataHash, bytes memory data, bytes memory signatures, uint256 requiredSignatures) + function checkNSignatures( + bytes32 dataHash, + bytes memory data, + bytes memory signatures, + uint256 requiredSignatures + ) external view; + function checkSignatures(bytes32 dataHash, bytes memory data, bytes memory signatures) external view; - function checkSignatures(bytes32 dataHash, bytes memory data, bytes memory signatures) external view; function disableModule(address prevModule, address module) external; function domainSeparator() external view returns (bytes32); function enableModule(address module) external; @@ -378,12 +413,18 @@ interface ISafe { address refundReceiver, bytes memory signatures ) external payable returns (bool success); - function execTransactionFromModule(address to, uint256 value, bytes memory data, Enum.Operation operation) - external - returns (bool success); - function execTransactionFromModuleReturnData(address to, uint256 value, bytes memory data, Enum.Operation operation) - external - returns (bool success, bytes memory returnData); + function execTransactionFromModule( + address to, + uint256 value, + bytes memory data, + Enum.Operation operation + ) external returns (bool success); + function execTransactionFromModuleReturnData( + address to, + uint256 value, + bytes memory data, + Enum.Operation operation + ) external returns (bool success, bytes memory returnData); function getChainId() external view returns (uint256); function getModulesPaginated(address start, uint256 pageSize) external diff --git a/contracts/src/FunctionGateway.sol b/contracts/src/FunctionGateway.sol index cb8163980..09a51c06b 100644 --- a/contracts/src/FunctionGateway.sol +++ b/contracts/src/FunctionGateway.sol @@ -37,12 +37,14 @@ contract FunctionGateway is IFunctionGateway, FunctionRegistry, TimelockedUpgrad __TimelockedUpgradeable_init(_timelock, _guardian); } - function request(bytes32 _functionId, bytes memory _input, bytes4 _callbackSelector, bytes memory _context) - external - payable - returns (bytes32) - { - return request(_functionId, _input, _callbackSelector, _context, DEFAULT_GAS_LIMIT, tx.origin); + function request( + bytes32 _functionId, + bytes memory _input, + bytes4 _callbackSelector, + bytes memory _context + ) external payable returns (bytes32) { + return + request(_functionId, _input, _callbackSelector, _context, DEFAULT_GAS_LIMIT, tx.origin); } /// @dev Requests for a proof to be generated by the marketplace. @@ -158,12 +160,23 @@ contract FunctionGateway is IFunctionGateway, FunctionRegistry, TimelockedUpgrad // Verify the aggregate proof. address aggregationVerifier = verifiers[AGGREGATION_FUNCTION_ID]; - if (!IFunctionVerifier(aggregationVerifier).verify(_inputsRoot, _outputsRoot, _aggregateProof)) { - revert InvalidProof(address(aggregationVerifier), _inputsRoot, _outputsRoot, _aggregateProof); + if ( + !IFunctionVerifier(aggregationVerifier).verify( + _inputsRoot, _outputsRoot, _aggregateProof + ) + ) { + revert InvalidProof( + address(aggregationVerifier), _inputsRoot, _outputsRoot, _aggregateProof + ); } emit ProofBatchFulfilled( - _requestIds, _aggregateProof, _inputsRoot, _outputHashes, _outputsRoot, _verificationKeyRoot + _requestIds, + _aggregateProof, + _inputsRoot, + _outputHashes, + _outputsRoot, + _verificationKeyRoot ); } @@ -190,7 +203,8 @@ contract FunctionGateway is IFunctionGateway, FunctionRegistry, TimelockedUpgrad r.callbackFulfilled = true; // Call the callback. - (bool status,) = r.callbackAddress.call(abi.encodeWithSelector(r.callbackSelector, _output, _context)); + (bool status,) = + r.callbackAddress.call(abi.encodeWithSelector(r.callbackSelector, _output, _context)); if (!status) { revert CallbackFailed(r.callbackAddress, r.callbackSelector); } @@ -221,10 +235,12 @@ contract FunctionGateway is IFunctionGateway, FunctionRegistry, TimelockedUpgrad /// @dev Calculates the feeAmount for the request, sends the feeAmount to the FeeVault, and /// sends the excess amount as a refund to the refundAccount. - function _handlePayment(uint256 _gasLimit, address _refundAccount, address _senderAccount, uint256 _value) - private - returns (uint256 feeAmount) - { + function _handlePayment( + uint256 _gasLimit, + address _refundAccount, + address _senderAccount, + uint256 _value + ) private returns (uint256 feeAmount) { feeAmount = calculateFeeAmount(_gasLimit); if (_value < feeAmount) { revert InsufficientFeeAmount(feeAmount, _value); diff --git a/contracts/src/FunctionRegistry.sol b/contracts/src/FunctionRegistry.sol index 17d0221b9..bfe91ad81 100644 --- a/contracts/src/FunctionRegistry.sol +++ b/contracts/src/FunctionRegistry.sol @@ -13,7 +13,10 @@ contract FunctionRegistry is IFunctionRegistry { /// @notice Registers a function, using a pre-deployed verifier. /// @param _verifier The address of the verifier. /// @param _name The name of the function to be registered. - function registerFunction(address _verifier, string memory _name) external returns (bytes32 functionId) { + function registerFunction(address _verifier, string memory _name) + external + returns (bytes32 functionId) + { functionId = getFunctionId(msg.sender, _name); if (address(verifiers[functionId]) != address(0)) { revert FunctionAlreadyRegistered(functionId); // should call update instead @@ -49,7 +52,10 @@ contract FunctionRegistry is IFunctionRegistry { /// @notice Updates the function, using a pre-deployed verifier. /// @param _verifier The address of the verifier. /// @param _name The name of the function to be updated. - function updateFunction(address _verifier, string memory _name) external returns (bytes32 functionId) { + function updateFunction(address _verifier, string memory _name) + external + returns (bytes32 functionId) + { functionId = getFunctionId(msg.sender, _name); if (msg.sender != verifierOwners[functionId]) { revert NotFunctionOwner(msg.sender, verifierOwners[functionId]); @@ -82,11 +88,18 @@ contract FunctionRegistry is IFunctionRegistry { /// @notice Returns the functionId for a given owner and function name. /// @param _owner The owner of the function (sender of registerFunction). /// @param _name The name of the function. - function getFunctionId(address _owner, string memory _name) public pure returns (bytes32 functionId) { + function getFunctionId(address _owner, string memory _name) + public + pure + returns (bytes32 functionId) + { functionId = keccak256(abi.encode(_owner, _name)); } - function _deploy(bytes memory _bytecode, bytes32 _salt) internal returns (address deployedAddr) { + function _deploy(bytes memory _bytecode, bytes32 _salt) + internal + returns (address deployedAddr) + { if (_bytecode.length == 0) revert EmptyBytecode(); assembly { diff --git a/contracts/src/examples/storage/NounsOwnership.sol b/contracts/src/examples/storage/NounsOwnership.sol index ac22511bd..f15abce5b 100644 --- a/contracts/src/examples/storage/NounsOwnership.sol +++ b/contracts/src/examples/storage/NounsOwnership.sol @@ -28,14 +28,16 @@ contract NounsOwnership { /// @param _tokenId The token Id of the noun to check ownership of. function ownerOf(uint256 _tokenId) external view returns (address owner) { - (bytes32 value,) = - StorageOracle(STORAGE_ORACLE).slots(NOUNS_ADDRESS, uint256(keccak256(abi.encode(_tokenId, OWNERS_SLOT)))); + (bytes32 value,) = StorageOracle(STORAGE_ORACLE).slots( + NOUNS_ADDRESS, uint256(keccak256(abi.encode(_tokenId, OWNERS_SLOT))) + ); return address(uint160(uint256(value))); } /// @param _tokenId The token Id of the noun to last updated block of. function lastUpdatedBlock(uint256 _tokenId) external view returns (uint256 blockNumber) { - (, blockNumber) = - StorageOracle(STORAGE_ORACLE).slots(NOUNS_ADDRESS, uint256(keccak256(abi.encode(_tokenId, OWNERS_SLOT)))); + (, blockNumber) = StorageOracle(STORAGE_ORACLE).slots( + NOUNS_ADDRESS, uint256(keccak256(abi.encode(_tokenId, OWNERS_SLOT))) + ); } } diff --git a/contracts/src/examples/storage/StorageOracle.sol b/contracts/src/examples/storage/StorageOracle.sol index 4855e12ff..0e0e659b8 100644 --- a/contracts/src/examples/storage/StorageOracle.sol +++ b/contracts/src/examples/storage/StorageOracle.sol @@ -21,14 +21,22 @@ contract StorageOracle is TimelockedUpgradeable { } /// @dev https://community.optimism.io/docs/developers/build/differences/#opcode-differences - L1BlockPrecompile public constant L1_BLOCK = L1BlockPrecompile(0x4200000000000000000000000000000000000015); + L1BlockPrecompile public constant L1_BLOCK = + L1BlockPrecompile(0x4200000000000000000000000000000000000015); address public gateway; bytes32 public functionId; /// @notice Mapping for L1 account -> storage slot number -> storage slot value. mapping(address => mapping(uint256 => StorageSlot)) public slots; - event SlotRequested(uint256 indexed blockNumber, bytes32 indexed blockHash, address indexed account, uint256 slot); - event SlotUpdated(uint256 indexed blockNumber, address indexed account, uint256 slot, bytes32 value); + event SlotRequested( + uint256 indexed blockNumber, + bytes32 indexed blockHash, + address indexed account, + uint256 slot + ); + event SlotUpdated( + uint256 indexed blockNumber, address indexed account, uint256 slot, bytes32 value + ); error InvalidL1BlockHash(); error InvalidL1BlockNumber(); @@ -47,7 +55,11 @@ contract StorageOracle is TimelockedUpgradeable { } /// @notice Request a storage slot value for a given account on L1. - function requestStorageSlot(address _account, uint256 _slot) external payable returns (bytes32 requestId) { + function requestStorageSlot(address _account, uint256 _slot) + external + payable + returns (bytes32 requestId) + { bytes32 blockHash = L1_BLOCK.hash(); if (blockHash == bytes32(0)) { revert InvalidL1BlockHash(); @@ -74,7 +86,8 @@ contract StorageOracle is TimelockedUpgradeable { } bytes32 slotValue = abi.decode(_output, (bytes32)); - (uint256 blockNumber, address account, uint256 slot) = abi.decode(_context, (uint256, address, uint256)); + (uint256 blockNumber, address account, uint256 slot) = + abi.decode(_context, (uint256, address, uint256)); if (blockNumber <= slots[account][slot].blockNumber) { revert OutdatedBlockNumber(blockNumber, slots[account][slot].blockNumber); } diff --git a/contracts/src/examples/storage/StorageVerifier.sol b/contracts/src/examples/storage/StorageVerifier.sol index a7d126e07..6d5ed6709 100644 --- a/contracts/src/examples/storage/StorageVerifier.sol +++ b/contracts/src/examples/storage/StorageVerifier.sol @@ -2,7 +2,8 @@ pragma solidity ^0.8.16; library Pairing { - uint256 constant PRIME_Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583; + uint256 constant PRIME_Q = + 21888242871839275222246405745257275088696311157297823662689037894645226208583; struct G1Point { uint256 X; @@ -140,7 +141,8 @@ library Pairing { // solium-disable-next-line security/no-inline-assembly assembly { - success := staticcall(sub(gas(), 2000), 8, add(input, 0x20), mul(inputSize, 0x20), out, 0x20) + success := + staticcall(sub(gas(), 2000), 8, add(input, 0x20), mul(inputSize, 0x20), out, 0x20) // Use "invalid" to make gas estimation work switch success case 0 { invalid() } @@ -155,8 +157,10 @@ library Pairing { contract Verifier { using Pairing for *; - uint256 constant SNARK_SCALAR_FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617; - uint256 constant PRIME_Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583; + uint256 constant SNARK_SCALAR_FIELD = + 21888242871839275222246405745257275088548364400416034343698204186575808495617; + uint256 constant PRIME_Q = + 21888242871839275222246405745257275088696311157297823662689037894645226208583; struct VerifyingKey { Pairing.G1Point alfa1; @@ -234,11 +238,12 @@ contract Verifier { * @returns Whether the proof is valid given the hardcoded verifying key * above and the public inputs */ - function verifyProof(uint256[2] memory a, uint256[2][2] memory b, uint256[2] memory c, uint256[65] memory input) - public - view - returns (bool r) - { + function verifyProof( + uint256[2] memory a, + uint256[2][2] memory b, + uint256[2] memory c, + uint256[65] memory input + ) public view returns (bool r) { Proof memory proof; proof.A = Pairing.G1Point(a[0], a[1]); proof.B = Pairing.G2Point([b[0][0], b[0][1]], [b[1][0], b[1][1]]); @@ -278,282 +283,425 @@ contract Verifier { // temporary point to avoid extra allocations in accumulate Pairing.G1Point memory q = Pairing.G1Point(0, 0); - vk_x.X = uint256(7654151173307285122173887557943556592926627323803440265411428835933171698030); // vk.K[0].X - vk_x.Y = uint256(1267569108851906122418933906145913022663962383604792269197553633453069852082); // vk.K[0].Y + vk_x.X = + uint256(7654151173307285122173887557943556592926627323803440265411428835933171698030); // vk.K[0].X + vk_x.Y = + uint256(1267569108851906122418933906145913022663962383604792269197553633453069852082); // vk.K[0].Y mul_input[0] = uint256(0); // vk.K[1].X mul_input[1] = uint256(0); // vk.K[1].Y mul_input[2] = input[0]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[1] * input[0] - mul_input[0] = uint256(10855663286981623084541363489660102193206622537607772833968317321581433303751); // vk.K[2].X - mul_input[1] = uint256(12156643609098206979852635788280459246023978138921482912702542075055217047953); // vk.K[2].Y + mul_input[0] = + uint256(10855663286981623084541363489660102193206622537607772833968317321581433303751); // vk.K[2].X + mul_input[1] = + uint256(12156643609098206979852635788280459246023978138921482912702542075055217047953); // vk.K[2].Y mul_input[2] = input[1]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[2] * input[1] - mul_input[0] = uint256(379076147614366186237852555128877932752707022181195558773951575810360280983); // vk.K[3].X - mul_input[1] = uint256(20275768584033756898412813982387176725473685447816316945827890314022804466668); // vk.K[3].Y + mul_input[0] = + uint256(379076147614366186237852555128877932752707022181195558773951575810360280983); // vk.K[3].X + mul_input[1] = + uint256(20275768584033756898412813982387176725473685447816316945827890314022804466668); // vk.K[3].Y mul_input[2] = input[2]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[3] * input[2] - mul_input[0] = uint256(2030788471383854807393572254897579868967448362247501984749898450508158620589); // vk.K[4].X - mul_input[1] = uint256(16007079715104718539427533809679786172137912244729461946995485300671697674877); // vk.K[4].Y + mul_input[0] = + uint256(2030788471383854807393572254897579868967448362247501984749898450508158620589); // vk.K[4].X + mul_input[1] = + uint256(16007079715104718539427533809679786172137912244729461946995485300671697674877); // vk.K[4].Y mul_input[2] = input[3]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[4] * input[3] - mul_input[0] = uint256(3659729532935328078600286048545654261948161883356705951517335433023302604447); // vk.K[5].X - mul_input[1] = uint256(6719541045159043658238314026173320015187154961043383047031507241065433979987); // vk.K[5].Y + mul_input[0] = + uint256(3659729532935328078600286048545654261948161883356705951517335433023302604447); // vk.K[5].X + mul_input[1] = + uint256(6719541045159043658238314026173320015187154961043383047031507241065433979987); // vk.K[5].Y mul_input[2] = input[4]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[5] * input[4] - mul_input[0] = uint256(9023351031242744707107208505085543026451788790872710445827418724631815295840); // vk.K[6].X - mul_input[1] = uint256(2498974708525416644646883774124922731192136194723500432208844468584751225497); // vk.K[6].Y + mul_input[0] = + uint256(9023351031242744707107208505085543026451788790872710445827418724631815295840); // vk.K[6].X + mul_input[1] = + uint256(2498974708525416644646883774124922731192136194723500432208844468584751225497); // vk.K[6].Y mul_input[2] = input[5]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[6] * input[5] - mul_input[0] = uint256(11760246946898200849775229670108235157754487907263669813035215235872743186597); // vk.K[7].X - mul_input[1] = uint256(5382428339030687870768870582444025050484374185231261099126636032475175446148); // vk.K[7].Y + mul_input[0] = + uint256(11760246946898200849775229670108235157754487907263669813035215235872743186597); // vk.K[7].X + mul_input[1] = + uint256(5382428339030687870768870582444025050484374185231261099126636032475175446148); // vk.K[7].Y mul_input[2] = input[6]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[7] * input[6] - mul_input[0] = uint256(332103316032981202977921170491728275515984536882295042122024740487031669015); // vk.K[8].X - mul_input[1] = uint256(484223038059012831998672398465994235268759953393977542517196949254233028660); // vk.K[8].Y + mul_input[0] = + uint256(332103316032981202977921170491728275515984536882295042122024740487031669015); // vk.K[8].X + mul_input[1] = + uint256(484223038059012831998672398465994235268759953393977542517196949254233028660); // vk.K[8].Y mul_input[2] = input[7]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[8] * input[7] - mul_input[0] = uint256(5344906529970141689021459145557374163117422738842071706750631467728871290394); // vk.K[9].X - mul_input[1] = uint256(7731978403516757842874921595990408683343135883653940410950541995815224341199); // vk.K[9].Y + mul_input[0] = + uint256(5344906529970141689021459145557374163117422738842071706750631467728871290394); // vk.K[9].X + mul_input[1] = + uint256(7731978403516757842874921595990408683343135883653940410950541995815224341199); // vk.K[9].Y mul_input[2] = input[8]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[9] * input[8] - mul_input[0] = uint256(10362237886978658404784044741070389359500890596626548033780244659029433510363); // vk.K[10].X - mul_input[1] = uint256(6285629694982155865291087094189363562595967452963101197020929967022416193184); // vk.K[10].Y + mul_input[0] = + uint256(10362237886978658404784044741070389359500890596626548033780244659029433510363); // vk.K[10].X + mul_input[1] = + uint256(6285629694982155865291087094189363562595967452963101197020929967022416193184); // vk.K[10].Y mul_input[2] = input[9]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[10] * input[9] - mul_input[0] = uint256(1936826942872850266674041622347967683160440267203145838962497651901744863132); // vk.K[11].X - mul_input[1] = uint256(2489418929250071077827953016163896767277738430716133365272418875838627300251); // vk.K[11].Y + mul_input[0] = + uint256(1936826942872850266674041622347967683160440267203145838962497651901744863132); // vk.K[11].X + mul_input[1] = + uint256(2489418929250071077827953016163896767277738430716133365272418875838627300251); // vk.K[11].Y mul_input[2] = input[10]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[11] * input[10] - mul_input[0] = uint256(12779474367520445587507333272472534286610205070395166091355451386189619020759); // vk.K[12].X - mul_input[1] = uint256(16098399295897998668449640624417961627391582297976508801357763570695142130577); // vk.K[12].Y + mul_input[0] = + uint256(12779474367520445587507333272472534286610205070395166091355451386189619020759); // vk.K[12].X + mul_input[1] = + uint256(16098399295897998668449640624417961627391582297976508801357763570695142130577); // vk.K[12].Y mul_input[2] = input[11]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[12] * input[11] - mul_input[0] = uint256(443172960809137696796573525061835890990476988281640266727036593096513946387); // vk.K[13].X - mul_input[1] = uint256(20448435027686077373503601710307109999095366634908587134616976911597013705326); // vk.K[13].Y + mul_input[0] = + uint256(443172960809137696796573525061835890990476988281640266727036593096513946387); // vk.K[13].X + mul_input[1] = + uint256(20448435027686077373503601710307109999095366634908587134616976911597013705326); // vk.K[13].Y mul_input[2] = input[12]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[13] * input[12] - mul_input[0] = uint256(4420010271881666237419507746577855992446973907995876983937642148718830707448); // vk.K[14].X - mul_input[1] = uint256(14540506650087850032683132977210992280987068520451687156325445797696065869484); // vk.K[14].Y + mul_input[0] = + uint256(4420010271881666237419507746577855992446973907995876983937642148718830707448); // vk.K[14].X + mul_input[1] = + uint256(14540506650087850032683132977210992280987068520451687156325445797696065869484); // vk.K[14].Y mul_input[2] = input[13]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[14] * input[13] - mul_input[0] = uint256(19641835005247180332480402296715294035949028476829642551362696889499513656838); // vk.K[15].X - mul_input[1] = uint256(4812315591576788861668368040515410531600872313469076363556584755378733696050); // vk.K[15].Y + mul_input[0] = + uint256(19641835005247180332480402296715294035949028476829642551362696889499513656838); // vk.K[15].X + mul_input[1] = + uint256(4812315591576788861668368040515410531600872313469076363556584755378733696050); // vk.K[15].Y mul_input[2] = input[14]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[15] * input[14] - mul_input[0] = uint256(12640577748972357982630117727971303258087585863699713717297881582503076631360); // vk.K[16].X - mul_input[1] = uint256(13065923353823232570476651439967308146274765135151428476341066795511706991767); // vk.K[16].Y + mul_input[0] = + uint256(12640577748972357982630117727971303258087585863699713717297881582503076631360); // vk.K[16].X + mul_input[1] = + uint256(13065923353823232570476651439967308146274765135151428476341066795511706991767); // vk.K[16].Y mul_input[2] = input[15]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[16] * input[15] - mul_input[0] = uint256(13572128760084308415140083506753360673600577607804820189016855697861704739224); // vk.K[17].X - mul_input[1] = uint256(8442833044896943902431485896013816816589701482716364853929712353957738745885); // vk.K[17].Y + mul_input[0] = + uint256(13572128760084308415140083506753360673600577607804820189016855697861704739224); // vk.K[17].X + mul_input[1] = + uint256(8442833044896943902431485896013816816589701482716364853929712353957738745885); // vk.K[17].Y mul_input[2] = input[16]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[17] * input[16] - mul_input[0] = uint256(12782767107221283109044396047775873882831103174902550450883267206197174805868); // vk.K[18].X - mul_input[1] = uint256(21725909149821822419863341739266801796457530684451541722014143306092290491812); // vk.K[18].Y + mul_input[0] = + uint256(12782767107221283109044396047775873882831103174902550450883267206197174805868); // vk.K[18].X + mul_input[1] = + uint256(21725909149821822419863341739266801796457530684451541722014143306092290491812); // vk.K[18].Y mul_input[2] = input[17]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[18] * input[17] - mul_input[0] = uint256(11078573045918050069962548128864339547899985435179862834648073403084209835710); // vk.K[19].X - mul_input[1] = uint256(12399059488837415085805609005448464807782897587253414030053853866684873097988); // vk.K[19].Y + mul_input[0] = + uint256(11078573045918050069962548128864339547899985435179862834648073403084209835710); // vk.K[19].X + mul_input[1] = + uint256(12399059488837415085805609005448464807782897587253414030053853866684873097988); // vk.K[19].Y mul_input[2] = input[18]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[19] * input[18] - mul_input[0] = uint256(10315226201173711467954752250803493769599555861590514433803248756358327104145); // vk.K[20].X - mul_input[1] = uint256(2856544295114544565653429320946926740804556743379163983013096592795845303539); // vk.K[20].Y + mul_input[0] = + uint256(10315226201173711467954752250803493769599555861590514433803248756358327104145); // vk.K[20].X + mul_input[1] = + uint256(2856544295114544565653429320946926740804556743379163983013096592795845303539); // vk.K[20].Y mul_input[2] = input[19]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[20] * input[19] - mul_input[0] = uint256(9354895592827270566590945984304896833859741287021261458869270672256004059535); // vk.K[21].X - mul_input[1] = uint256(15011309793775328188185572246572377707679615478035837762242785740323839285319); // vk.K[21].Y + mul_input[0] = + uint256(9354895592827270566590945984304896833859741287021261458869270672256004059535); // vk.K[21].X + mul_input[1] = + uint256(15011309793775328188185572246572377707679615478035837762242785740323839285319); // vk.K[21].Y mul_input[2] = input[20]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[21] * input[20] - mul_input[0] = uint256(13313466138074340718734302586098076097388950008677954748589938155741454888448); // vk.K[22].X - mul_input[1] = uint256(12353745256729266438311891904289828780910344800526689870927542307621168813347); // vk.K[22].Y + mul_input[0] = + uint256(13313466138074340718734302586098076097388950008677954748589938155741454888448); // vk.K[22].X + mul_input[1] = + uint256(12353745256729266438311891904289828780910344800526689870927542307621168813347); // vk.K[22].Y mul_input[2] = input[21]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[22] * input[21] - mul_input[0] = uint256(15190018048332196524754887079224540675648717818816895400470708784186351975840); // vk.K[23].X - mul_input[1] = uint256(10147458378909811594952055908189722911538701320475523176144463017748535907490); // vk.K[23].Y + mul_input[0] = + uint256(15190018048332196524754887079224540675648717818816895400470708784186351975840); // vk.K[23].X + mul_input[1] = + uint256(10147458378909811594952055908189722911538701320475523176144463017748535907490); // vk.K[23].Y mul_input[2] = input[22]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[23] * input[22] - mul_input[0] = uint256(234614104392190853693722220259832416753154027782029485053737056100888951760); // vk.K[24].X - mul_input[1] = uint256(4128702334020980420987327656543100690673142825029758802716705558844651759585); // vk.K[24].Y + mul_input[0] = + uint256(234614104392190853693722220259832416753154027782029485053737056100888951760); // vk.K[24].X + mul_input[1] = + uint256(4128702334020980420987327656543100690673142825029758802716705558844651759585); // vk.K[24].Y mul_input[2] = input[23]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[24] * input[23] - mul_input[0] = uint256(6931986590268588882910380631925893379786131874131718051994417017802935487518); // vk.K[25].X - mul_input[1] = uint256(6553771184053803320674257601817296516132168924473495362665037590748879926835); // vk.K[25].Y + mul_input[0] = + uint256(6931986590268588882910380631925893379786131874131718051994417017802935487518); // vk.K[25].X + mul_input[1] = + uint256(6553771184053803320674257601817296516132168924473495362665037590748879926835); // vk.K[25].Y mul_input[2] = input[24]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[25] * input[24] - mul_input[0] = uint256(8007641449250544351042554455733868623978825618215306263257441983965247015306); // vk.K[26].X - mul_input[1] = uint256(6989427805525814667453773033842061928861369548889935848958642430130423311990); // vk.K[26].Y + mul_input[0] = + uint256(8007641449250544351042554455733868623978825618215306263257441983965247015306); // vk.K[26].X + mul_input[1] = + uint256(6989427805525814667453773033842061928861369548889935848958642430130423311990); // vk.K[26].Y mul_input[2] = input[25]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[26] * input[25] - mul_input[0] = uint256(14741810725607764328249036718716826447801414725797362707614991969593535198061); // vk.K[27].X - mul_input[1] = uint256(16924891809278267680585602860764437386367597260415854373705866086335127810942); // vk.K[27].Y + mul_input[0] = + uint256(14741810725607764328249036718716826447801414725797362707614991969593535198061); // vk.K[27].X + mul_input[1] = + uint256(16924891809278267680585602860764437386367597260415854373705866086335127810942); // vk.K[27].Y mul_input[2] = input[26]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[27] * input[26] - mul_input[0] = uint256(19606675076775461784511771066572876373775296642178524644407593031446474991396); // vk.K[28].X - mul_input[1] = uint256(8606522840804950948717310490003731381536956837776527018324136881608861581571); // vk.K[28].Y + mul_input[0] = + uint256(19606675076775461784511771066572876373775296642178524644407593031446474991396); // vk.K[28].X + mul_input[1] = + uint256(8606522840804950948717310490003731381536956837776527018324136881608861581571); // vk.K[28].Y mul_input[2] = input[27]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[28] * input[27] - mul_input[0] = uint256(3378778428452374523256569312957451002365689609349537175414837663286905789890); // vk.K[29].X - mul_input[1] = uint256(3398091315042692109385568436973712260471414367803233969505626729524803304405); // vk.K[29].Y + mul_input[0] = + uint256(3378778428452374523256569312957451002365689609349537175414837663286905789890); // vk.K[29].X + mul_input[1] = + uint256(3398091315042692109385568436973712260471414367803233969505626729524803304405); // vk.K[29].Y mul_input[2] = input[28]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[29] * input[28] - mul_input[0] = uint256(8552650451497299813794466582330968619836679761737303659681933318167757098631); // vk.K[30].X - mul_input[1] = uint256(4217931479579097251137035220978681356363760563375323313336646382986482561900); // vk.K[30].Y + mul_input[0] = + uint256(8552650451497299813794466582330968619836679761737303659681933318167757098631); // vk.K[30].X + mul_input[1] = + uint256(4217931479579097251137035220978681356363760563375323313336646382986482561900); // vk.K[30].Y mul_input[2] = input[29]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[30] * input[29] - mul_input[0] = uint256(17389761499517884028227459747393901628845657128749005600031578978917606598569); // vk.K[31].X - mul_input[1] = uint256(10555185012236734284382729900325079069840722015806083080596709578503001010042); // vk.K[31].Y + mul_input[0] = + uint256(17389761499517884028227459747393901628845657128749005600031578978917606598569); // vk.K[31].X + mul_input[1] = + uint256(10555185012236734284382729900325079069840722015806083080596709578503001010042); // vk.K[31].Y mul_input[2] = input[30]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[31] * input[30] - mul_input[0] = uint256(20522064923903915435529181641985382408182131990229432495749925727116732333618); // vk.K[32].X - mul_input[1] = uint256(9262127328114327567334564923775981849508792353488856435505031509658876768785); // vk.K[32].Y + mul_input[0] = + uint256(20522064923903915435529181641985382408182131990229432495749925727116732333618); // vk.K[32].X + mul_input[1] = + uint256(9262127328114327567334564923775981849508792353488856435505031509658876768785); // vk.K[32].Y mul_input[2] = input[31]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[32] * input[31] mul_input[0] = uint256(0); // vk.K[33].X mul_input[1] = uint256(0); // vk.K[33].Y mul_input[2] = input[32]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[33] * input[32] - mul_input[0] = uint256(19805515723576526151865962480176526559600946331940416602919435733744559178939); // vk.K[34].X - mul_input[1] = uint256(14436323825307532673910662135739037295632234829812967405189138584329725932226); // vk.K[34].Y + mul_input[0] = + uint256(19805515723576526151865962480176526559600946331940416602919435733744559178939); // vk.K[34].X + mul_input[1] = + uint256(14436323825307532673910662135739037295632234829812967405189138584329725932226); // vk.K[34].Y mul_input[2] = input[33]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[34] * input[33] - mul_input[0] = uint256(19769937692070903973717952756328400818768446873200827647850618096003799853020); // vk.K[35].X - mul_input[1] = uint256(21577770339510253918286877921192503157062550953375939162858739967204290523211); // vk.K[35].Y + mul_input[0] = + uint256(19769937692070903973717952756328400818768446873200827647850618096003799853020); // vk.K[35].X + mul_input[1] = + uint256(21577770339510253918286877921192503157062550953375939162858739967204290523211); // vk.K[35].Y mul_input[2] = input[34]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[35] * input[34] - mul_input[0] = uint256(21463274337361306731827127358497242847186037166889108461214045419815817218996); // vk.K[36].X - mul_input[1] = uint256(19499490089855815631318730286338300201490444832730925605965665171488963647858); // vk.K[36].Y + mul_input[0] = + uint256(21463274337361306731827127358497242847186037166889108461214045419815817218996); // vk.K[36].X + mul_input[1] = + uint256(19499490089855815631318730286338300201490444832730925605965665171488963647858); // vk.K[36].Y mul_input[2] = input[35]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[36] * input[35] - mul_input[0] = uint256(12057739572080112380123927889780603267198763016607327963671783717329310186493); // vk.K[37].X - mul_input[1] = uint256(7303684643153206320562424737389940301747294453769658376891530120300287091977); // vk.K[37].Y + mul_input[0] = + uint256(12057739572080112380123927889780603267198763016607327963671783717329310186493); // vk.K[37].X + mul_input[1] = + uint256(7303684643153206320562424737389940301747294453769658376891530120300287091977); // vk.K[37].Y mul_input[2] = input[36]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[37] * input[36] - mul_input[0] = uint256(17217188987453618497424883038450136632316646488983452367886954124919864036693); // vk.K[38].X - mul_input[1] = uint256(21375339730127974465467984229113021398656189521351737743163893047555883800246); // vk.K[38].Y + mul_input[0] = + uint256(17217188987453618497424883038450136632316646488983452367886954124919864036693); // vk.K[38].X + mul_input[1] = + uint256(21375339730127974465467984229113021398656189521351737743163893047555883800246); // vk.K[38].Y mul_input[2] = input[37]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[38] * input[37] - mul_input[0] = uint256(18787439887787093780339026828453522129057912122177599159715079795672616250109); // vk.K[39].X - mul_input[1] = uint256(17851621594125688853191944994514545725947854063365545119007748240805316325955); // vk.K[39].Y + mul_input[0] = + uint256(18787439887787093780339026828453522129057912122177599159715079795672616250109); // vk.K[39].X + mul_input[1] = + uint256(17851621594125688853191944994514545725947854063365545119007748240805316325955); // vk.K[39].Y mul_input[2] = input[38]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[39] * input[38] - mul_input[0] = uint256(15022035693900431687276953568986992848817580330708047655879922986997313472221); // vk.K[40].X - mul_input[1] = uint256(20284983706070006505302341041678459987145987163750240764970385624811896664406); // vk.K[40].Y + mul_input[0] = + uint256(15022035693900431687276953568986992848817580330708047655879922986997313472221); // vk.K[40].X + mul_input[1] = + uint256(20284983706070006505302341041678459987145987163750240764970385624811896664406); // vk.K[40].Y mul_input[2] = input[39]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[40] * input[39] - mul_input[0] = uint256(17682250282074192986606512022644465366834162256038110695035322304798987194845); // vk.K[41].X - mul_input[1] = uint256(17735039760536327883984565482595346927072649564075439600588336978864313757679); // vk.K[41].Y + mul_input[0] = + uint256(17682250282074192986606512022644465366834162256038110695035322304798987194845); // vk.K[41].X + mul_input[1] = + uint256(17735039760536327883984565482595346927072649564075439600588336978864313757679); // vk.K[41].Y mul_input[2] = input[40]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[41] * input[40] - mul_input[0] = uint256(20899706779328863341678425647248526006380374041381805254108969921590054971843); // vk.K[42].X - mul_input[1] = uint256(9208903989072050237486846027857559959173926655646571064322647318415126307423); // vk.K[42].Y + mul_input[0] = + uint256(20899706779328863341678425647248526006380374041381805254108969921590054971843); // vk.K[42].X + mul_input[1] = + uint256(9208903989072050237486846027857559959173926655646571064322647318415126307423); // vk.K[42].Y mul_input[2] = input[41]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[42] * input[41] - mul_input[0] = uint256(8094119844233180842261868250217351476703160601947508218059277542084472590858); // vk.K[43].X - mul_input[1] = uint256(3931401739387971212950794367903322610453707604654345792724304050982429234275); // vk.K[43].Y + mul_input[0] = + uint256(8094119844233180842261868250217351476703160601947508218059277542084472590858); // vk.K[43].X + mul_input[1] = + uint256(3931401739387971212950794367903322610453707604654345792724304050982429234275); // vk.K[43].Y mul_input[2] = input[42]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[43] * input[42] - mul_input[0] = uint256(1316264156504633102498105591347442946770583029642110683067801761935109545631); // vk.K[44].X - mul_input[1] = uint256(6410737200033529651526204670194859866494250065115817937275936426766906855619); // vk.K[44].Y + mul_input[0] = + uint256(1316264156504633102498105591347442946770583029642110683067801761935109545631); // vk.K[44].X + mul_input[1] = + uint256(6410737200033529651526204670194859866494250065115817937275936426766906855619); // vk.K[44].Y mul_input[2] = input[43]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[44] * input[43] - mul_input[0] = uint256(8804621950111225410125455844142464146394958064668792060504877361795418468316); // vk.K[45].X - mul_input[1] = uint256(8580620024820260438211068784935002090479952452161813928224108672526860866015); // vk.K[45].Y + mul_input[0] = + uint256(8804621950111225410125455844142464146394958064668792060504877361795418468316); // vk.K[45].X + mul_input[1] = + uint256(8580620024820260438211068784935002090479952452161813928224108672526860866015); // vk.K[45].Y mul_input[2] = input[44]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[45] * input[44] - mul_input[0] = uint256(7112295527738970285127563356966652173102917507489227391418611658263599307482); // vk.K[46].X - mul_input[1] = uint256(17275281338238142402668320571083598275071996182405634500711023887464421538127); // vk.K[46].Y + mul_input[0] = + uint256(7112295527738970285127563356966652173102917507489227391418611658263599307482); // vk.K[46].X + mul_input[1] = + uint256(17275281338238142402668320571083598275071996182405634500711023887464421538127); // vk.K[46].Y mul_input[2] = input[45]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[46] * input[45] - mul_input[0] = uint256(5240121977703409724976930147474666123582523807199050824430926013248898323413); // vk.K[47].X - mul_input[1] = uint256(9235777244560018425574571644168716210830462792585067951593424650639702291943); // vk.K[47].Y + mul_input[0] = + uint256(5240121977703409724976930147474666123582523807199050824430926013248898323413); // vk.K[47].X + mul_input[1] = + uint256(9235777244560018425574571644168716210830462792585067951593424650639702291943); // vk.K[47].Y mul_input[2] = input[46]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[47] * input[46] - mul_input[0] = uint256(16709515988692486378095964497727607992954421154155836143184835325120234108282); // vk.K[48].X - mul_input[1] = uint256(4318821262168551260213596218763477445736619275692986821452072174624316039747); // vk.K[48].Y + mul_input[0] = + uint256(16709515988692486378095964497727607992954421154155836143184835325120234108282); // vk.K[48].X + mul_input[1] = + uint256(4318821262168551260213596218763477445736619275692986821452072174624316039747); // vk.K[48].Y mul_input[2] = input[47]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[48] * input[47] - mul_input[0] = uint256(4635653803757786734812939730130448826232706399998169438201812455241736781365); // vk.K[49].X - mul_input[1] = uint256(10620534372183167886846599595246470641725726870973800884133180230395135737336); // vk.K[49].Y + mul_input[0] = + uint256(4635653803757786734812939730130448826232706399998169438201812455241736781365); // vk.K[49].X + mul_input[1] = + uint256(10620534372183167886846599595246470641725726870973800884133180230395135737336); // vk.K[49].Y mul_input[2] = input[48]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[49] * input[48] - mul_input[0] = uint256(21882091146466759727378676055635488784699217830186438786659067805274266463217); // vk.K[50].X - mul_input[1] = uint256(18598242203333244012781528775935406341731159877256787836648474120945984728668); // vk.K[50].Y + mul_input[0] = + uint256(21882091146466759727378676055635488784699217830186438786659067805274266463217); // vk.K[50].X + mul_input[1] = + uint256(18598242203333244012781528775935406341731159877256787836648474120945984728668); // vk.K[50].Y mul_input[2] = input[49]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[50] * input[49] - mul_input[0] = uint256(4981598058944746539451200624832095463060756413653505740624778630043872771559); // vk.K[51].X - mul_input[1] = uint256(15417437381372953121848338347341631007478788246258161716837437944605430967710); // vk.K[51].Y + mul_input[0] = + uint256(4981598058944746539451200624832095463060756413653505740624778630043872771559); // vk.K[51].X + mul_input[1] = + uint256(15417437381372953121848338347341631007478788246258161716837437944605430967710); // vk.K[51].Y mul_input[2] = input[50]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[51] * input[50] - mul_input[0] = uint256(16449857651479430087361783294716085780818735843608843357258053633847274952841); // vk.K[52].X - mul_input[1] = uint256(15723174467364037738901289426375812656268714827433964282590968293223190370878); // vk.K[52].Y + mul_input[0] = + uint256(16449857651479430087361783294716085780818735843608843357258053633847274952841); // vk.K[52].X + mul_input[1] = + uint256(15723174467364037738901289426375812656268714827433964282590968293223190370878); // vk.K[52].Y mul_input[2] = input[51]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[52] * input[51] - mul_input[0] = uint256(20648916574105536651189253176665249822733862047163598918925707075866654074662); // vk.K[53].X - mul_input[1] = uint256(21287059011152424060114653424447126287308325233923052797964482922876748269568); // vk.K[53].Y + mul_input[0] = + uint256(20648916574105536651189253176665249822733862047163598918925707075866654074662); // vk.K[53].X + mul_input[1] = + uint256(21287059011152424060114653424447126287308325233923052797964482922876748269568); // vk.K[53].Y mul_input[2] = input[52]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[53] * input[52] - mul_input[0] = uint256(18585476542396457205150744199897004875593607482225637447845157197513269605578); // vk.K[54].X - mul_input[1] = uint256(3417167586405724706465908229613681922657557710181148039128574753784005202656); // vk.K[54].Y + mul_input[0] = + uint256(18585476542396457205150744199897004875593607482225637447845157197513269605578); // vk.K[54].X + mul_input[1] = + uint256(3417167586405724706465908229613681922657557710181148039128574753784005202656); // vk.K[54].Y mul_input[2] = input[53]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[54] * input[53] - mul_input[0] = uint256(4511397141251924031887085372482825080786918659993462057314369239464754481694); // vk.K[55].X - mul_input[1] = uint256(21717095464432043238756681501430279756357661473638833021102155654431510563342); // vk.K[55].Y + mul_input[0] = + uint256(4511397141251924031887085372482825080786918659993462057314369239464754481694); // vk.K[55].X + mul_input[1] = + uint256(21717095464432043238756681501430279756357661473638833021102155654431510563342); // vk.K[55].Y mul_input[2] = input[54]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[55] * input[54] - mul_input[0] = uint256(9212519189230801322001536903365645225220584836288401322046467666908189548807); // vk.K[56].X - mul_input[1] = uint256(19744538517056645677142028979018732961431154170994932788904230767809445689768); // vk.K[56].Y + mul_input[0] = + uint256(9212519189230801322001536903365645225220584836288401322046467666908189548807); // vk.K[56].X + mul_input[1] = + uint256(19744538517056645677142028979018732961431154170994932788904230767809445689768); // vk.K[56].Y mul_input[2] = input[55]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[56] * input[55] - mul_input[0] = uint256(12289453430414039567836724210064005227666479474586979621733298761776796474516); // vk.K[57].X - mul_input[1] = uint256(12989757651650597082755681430685414608745195391709803644101621833221841663099); // vk.K[57].Y + mul_input[0] = + uint256(12289453430414039567836724210064005227666479474586979621733298761776796474516); // vk.K[57].X + mul_input[1] = + uint256(12989757651650597082755681430685414608745195391709803644101621833221841663099); // vk.K[57].Y mul_input[2] = input[56]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[57] * input[56] - mul_input[0] = uint256(2369478084041109780531328278734355652837607008951232860940114157378030098765); // vk.K[58].X - mul_input[1] = uint256(6119868655329830957213547984204983011004726394242293527463828569451316899897); // vk.K[58].Y + mul_input[0] = + uint256(2369478084041109780531328278734355652837607008951232860940114157378030098765); // vk.K[58].X + mul_input[1] = + uint256(6119868655329830957213547984204983011004726394242293527463828569451316899897); // vk.K[58].Y mul_input[2] = input[57]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[58] * input[57] - mul_input[0] = uint256(17989837724212112366551871898291137740340429905303785911117451851352882896345); // vk.K[59].X - mul_input[1] = uint256(17949950156855941131881511270898739855917513493341349952799783132793577741533); // vk.K[59].Y + mul_input[0] = + uint256(17989837724212112366551871898291137740340429905303785911117451851352882896345); // vk.K[59].X + mul_input[1] = + uint256(17949950156855941131881511270898739855917513493341349952799783132793577741533); // vk.K[59].Y mul_input[2] = input[58]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[59] * input[58] - mul_input[0] = uint256(7262439193785268583033241221853354235600977055409379173808433414317405448832); // vk.K[60].X - mul_input[1] = uint256(12203906070920291015993347316731095119713139475700145895368333405554307230470); // vk.K[60].Y + mul_input[0] = + uint256(7262439193785268583033241221853354235600977055409379173808433414317405448832); // vk.K[60].X + mul_input[1] = + uint256(12203906070920291015993347316731095119713139475700145895368333405554307230470); // vk.K[60].Y mul_input[2] = input[59]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[60] * input[59] - mul_input[0] = uint256(1162813742019157110963043810774081780095578126075902578179759093147701028966); // vk.K[61].X - mul_input[1] = uint256(6196461946796674808960015791266782945323722628464646545853640633136894953642); // vk.K[61].Y + mul_input[0] = + uint256(1162813742019157110963043810774081780095578126075902578179759093147701028966); // vk.K[61].X + mul_input[1] = + uint256(6196461946796674808960015791266782945323722628464646545853640633136894953642); // vk.K[61].Y mul_input[2] = input[60]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[61] * input[60] - mul_input[0] = uint256(8734960838152226512446036029393702945097778032815532218825582662229148105809); // vk.K[62].X - mul_input[1] = uint256(14156597841489472902105242066512520003665698393998522446948180722237464995747); // vk.K[62].Y + mul_input[0] = + uint256(8734960838152226512446036029393702945097778032815532218825582662229148105809); // vk.K[62].X + mul_input[1] = + uint256(14156597841489472902105242066512520003665698393998522446948180722237464995747); // vk.K[62].Y mul_input[2] = input[61]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[62] * input[61] - mul_input[0] = uint256(4584525156462878436907385844466134332162203762915420480339839395820190826598); // vk.K[63].X - mul_input[1] = uint256(20896772351738173920864818723101902251047201025669140610634794223821078661262); // vk.K[63].Y + mul_input[0] = + uint256(4584525156462878436907385844466134332162203762915420480339839395820190826598); // vk.K[63].X + mul_input[1] = + uint256(20896772351738173920864818723101902251047201025669140610634794223821078661262); // vk.K[63].Y mul_input[2] = input[62]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[63] * input[62] - mul_input[0] = uint256(15548856620589266889065140246191848830841596843403455464590867915077143726220); // vk.K[64].X - mul_input[1] = uint256(19703685940179675295187023238588296384286868782044376229887047852708735602340); // vk.K[64].Y + mul_input[0] = + uint256(15548856620589266889065140246191848830841596843403455464590867915077143726220); // vk.K[64].X + mul_input[1] = + uint256(19703685940179675295187023238588296384286868782044376229887047852708735602340); // vk.K[64].Y mul_input[2] = input[63]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[64] * input[63] - mul_input[0] = uint256(6512240350257283986195670322307359040229223793918266787712417443520969192740); // vk.K[65].X - mul_input[1] = uint256(17883424236536710893435059391856918208546300448278439854180388920157605103236); // vk.K[65].Y + mul_input[0] = + uint256(6512240350257283986195670322307359040229223793918266787712417443520969192740); // vk.K[65].X + mul_input[1] = + uint256(17883424236536710893435059391856918208546300448278439854180388920157605103236); // vk.K[65].Y mul_input[2] = input[64]; accumulate(mul_input, q, add_input, vk_x); // vk_x += vk.K[65] * input[64] - return - Pairing.pairing(Pairing.negate(proof.A), proof.B, vk.alfa1, vk.beta2, vk_x, vk.gamma2, proof.C, vk.delta2); + return Pairing.pairing( + Pairing.negate(proof.A), + proof.B, + vk.alfa1, + vk.beta2, + vk_x, + vk.gamma2, + proof.C, + vk.delta2 + ); } } interface IFunctionVerifier { - function verify(bytes32 _inputHash, bytes32 _outputHash, bytes memory _proof) external view returns (bool); + function verify(bytes32 _inputHash, bytes32 _outputHash, bytes memory _proof) + external + view + returns (bool); function verificationKeyHash() external pure returns (bytes32); } contract StorageVerifier is IFunctionVerifier, Verifier { - function verify(bytes32 _inputHash, bytes32 _outputHash, bytes memory _proof) external pure returns (bool) { + function verify(bytes32 _inputHash, bytes32 _outputHash, bytes memory _proof) + external + pure + returns (bool) + { (uint256[2] memory a, uint256[2][2] memory b, uint256[2] memory c) = abi.decode(_proof, (uint256[2], uint256[2][2], uint256[2])); diff --git a/contracts/src/interfaces/IFunctionGateway.sol b/contracts/src/interfaces/IFunctionGateway.sol index 81209fe0f..3d8b861dd 100644 --- a/contracts/src/interfaces/IFunctionGateway.sol +++ b/contracts/src/interfaces/IFunctionGateway.sol @@ -58,10 +58,12 @@ interface IFunctionGateway is IFunctionGatewayEvents, IFunctionGatewayErrors { view returns (bytes32, bytes32, bytes32, bytes32, address, bytes4, bool, bool); - function request(bytes32 functionId, bytes memory input, bytes4 callbackSelector, bytes memory context) - external - payable - returns (bytes32); + function request( + bytes32 functionId, + bytes memory input, + bytes4 callbackSelector, + bytes memory context + ) external payable returns (bytes32); function request( bytes32 functionId, diff --git a/contracts/src/interfaces/IFunctionRegistry.sol b/contracts/src/interfaces/IFunctionRegistry.sol index 1797f7261..697886040 100644 --- a/contracts/src/interfaces/IFunctionRegistry.sol +++ b/contracts/src/interfaces/IFunctionRegistry.sol @@ -2,10 +2,14 @@ pragma solidity >=0.5.0; interface IFunctionRegistryEvents { - event FunctionRegistered(bytes32 indexed functionId, address verifier, string name, address owner); + event FunctionRegistered( + bytes32 indexed functionId, address verifier, string name, address owner + ); event FunctionVerifierUpdated(bytes32 indexed functionId, address verifier); event FunctionOwnerUpdated(bytes32 indexed functionId, address owner); - event Deployed(bytes32 indexed bytecodeHash, bytes32 indexed salt, address indexed deployedAddress); + event Deployed( + bytes32 indexed bytecodeHash, bytes32 indexed salt, address indexed deployedAddress + ); } interface IFunctionRegistryErrors { @@ -19,13 +23,20 @@ interface IFunctionRegistryErrors { interface IFunctionRegistry is IFunctionRegistryEvents, IFunctionRegistryErrors { function verifiers(bytes32 functionId) external view returns (address verifier); function verifierOwners(bytes32 functionId) external view returns (address owner); - function registerFunction(address verifier, string memory name) external returns (bytes32 functionId); + function registerFunction(address verifier, string memory name) + external + returns (bytes32 functionId); function deployAndRegisterFunction(bytes memory bytecode, string memory name) external returns (bytes32 functionId, address verifier); - function updateFunction(address verifier, string memory name) external returns (bytes32 functionId); + function updateFunction(address verifier, string memory name) + external + returns (bytes32 functionId); function deployAndUpdateFunction(bytes memory bytecode, string memory _name) external returns (bytes32 functionId, address verifier); - function getFunctionId(address owner, string memory name) external pure returns (bytes32 functionId); + function getFunctionId(address owner, string memory name) + external + pure + returns (bytes32 functionId); } diff --git a/contracts/src/interfaces/IFunctionVerifier.sol b/contracts/src/interfaces/IFunctionVerifier.sol index 1c5817c9d..7b8652557 100644 --- a/contracts/src/interfaces/IFunctionVerifier.sol +++ b/contracts/src/interfaces/IFunctionVerifier.sol @@ -2,7 +2,9 @@ pragma solidity >=0.5.0; interface IFunctionVerifier { - function verify(bytes32 inputHash, bytes32 outputHash, bytes memory proof) external returns (bool); + function verify(bytes32 inputHash, bytes32 outputHash, bytes memory proof) + external + returns (bool); function verificationKeyHash() external view returns (bytes32); } diff --git a/contracts/src/libraries/OutputReader.sol b/contracts/src/libraries/OutputReader.sol index 48cc7efe6..f52c57bc6 100644 --- a/contracts/src/libraries/OutputReader.sol +++ b/contracts/src/libraries/OutputReader.sol @@ -1,7 +1,11 @@ pragma solidity ^0.8.16; library OutputReader { - function readUint256(bytes memory _output, uint256 _offset) internal pure returns (uint256, uint256) { + function readUint256(bytes memory _output, uint256 _offset) + internal + pure + returns (uint256, uint256) + { uint256 value; assembly { value := mload(add(add(_output, 0x20), _offset)) @@ -9,7 +13,11 @@ library OutputReader { return (_offset + 32, value); } - function readUint128(bytes memory _output, uint256 _offset) internal pure returns (uint256, uint128) { + function readUint128(bytes memory _output, uint256 _offset) + internal + pure + returns (uint256, uint128) + { uint128 value; assembly { value := mload(add(add(_output, 0x10), _offset)) @@ -17,7 +25,11 @@ library OutputReader { return (_offset + 16, value); } - function readUint64(bytes memory _output, uint256 _offset) internal pure returns (uint256, uint64) { + function readUint64(bytes memory _output, uint256 _offset) + internal + pure + returns (uint256, uint64) + { uint64 value; assembly { value := mload(add(add(_output, 0x08), _offset)) @@ -25,7 +37,11 @@ library OutputReader { return (_offset + 8, value); } - function readUint32(bytes memory _output, uint256 _offset) internal pure returns (uint256, uint32) { + function readUint32(bytes memory _output, uint256 _offset) + internal + pure + returns (uint256, uint32) + { uint32 value; assembly { value := mload(add(add(_output, 0x04), _offset)) diff --git a/contracts/src/mocks/MockFunctionGateway.sol b/contracts/src/mocks/MockFunctionGateway.sol index f79098190..d4566037d 100644 --- a/contracts/src/mocks/MockFunctionGateway.sol +++ b/contracts/src/mocks/MockFunctionGateway.sol @@ -29,12 +29,14 @@ contract MockFunctionGateway is IFunctionGateway { requests[_requestId] = _request; } - function request(bytes32 _functionId, bytes memory _input, bytes4 _callbackSelector, bytes memory _context) - external - payable - returns (bytes32) - { - return request(_functionId, _input, _callbackSelector, _context, DEFAULT_GAS_LIMIT, tx.origin); + function request( + bytes32 _functionId, + bytes memory _input, + bytes4 _callbackSelector, + bytes memory _context + ) external payable returns (bytes32) { + return + request(_functionId, _input, _callbackSelector, _context, DEFAULT_GAS_LIMIT, tx.origin); } function request( @@ -61,7 +63,15 @@ contract MockFunctionGateway is IFunctionGateway { bytes32 requestId = keccak256(abi.encode(nonce, r)); requests[requestId] = r; - emit ProofRequested(nonce, _functionId, requestId, _input, _context, _gasLimit, calculateFeeAmount(_gasLimit)); + emit ProofRequested( + nonce, + _functionId, + requestId, + _input, + _context, + _gasLimit, + calculateFeeAmount(_gasLimit) + ); nonce++; // If fixture has been pre-loaded, automatically fulfill and callback. @@ -71,7 +81,8 @@ contract MockFunctionGateway is IFunctionGateway { r.proofFulfilled = true; r.callbackFulfilled = true; - (bool status,) = msg.sender.call(abi.encodeWithSelector(_callbackSelector, output, _context)); + (bool status,) = + msg.sender.call(abi.encodeWithSelector(_callbackSelector, output, _context)); if (!status) { revert CallbackFailed(msg.sender, _callbackSelector); } @@ -104,7 +115,12 @@ contract MockFunctionGateway is IFunctionGateway { } emit ProofBatchFulfilled( - _requestIds, _aggregateProof, _inputsRoot, _outputHashes, _outputsRoot, _verificationKeyRoot + _requestIds, + _aggregateProof, + _inputsRoot, + _outputHashes, + _outputsRoot, + _verificationKeyRoot ); } @@ -112,7 +128,8 @@ contract MockFunctionGateway is IFunctionGateway { FunctionRequest storage r = requests[_requestId]; r.callbackFulfilled = true; - (bool status,) = r.callbackAddress.call(abi.encodeWithSelector(r.callbackSelector, _output, _context)); + (bool status,) = + r.callbackAddress.call(abi.encodeWithSelector(r.callbackSelector, _output, _context)); if (!status) { revert CallbackFailed(r.callbackAddress, r.callbackSelector); } diff --git a/contracts/src/upgrades/Timelock.sol b/contracts/src/upgrades/Timelock.sol index 817c733ad..a505b37c6 100644 --- a/contracts/src/upgrades/Timelock.sol +++ b/contracts/src/upgrades/Timelock.sol @@ -10,7 +10,10 @@ contract Timelock is TimelockController { /// @param _proposers accounts to be granted proposer and canceller roles /// @param _executors accounts to be granted executor role /// @param _admin optional account to be granted admin role; disable with zero address - constructor(uint256 _minDelay, address[] memory _proposers, address[] memory _executors, address _admin) - TimelockController(_minDelay, _proposers, _executors, _admin) - {} + constructor( + uint256 _minDelay, + address[] memory _proposers, + address[] memory _executors, + address _admin + ) TimelockController(_minDelay, _proposers, _executors, _admin) {} } diff --git a/contracts/src/upgrades/TimelockedUpgradeable.sol b/contracts/src/upgrades/TimelockedUpgradeable.sol index db7e1dfef..c01bbf030 100644 --- a/contracts/src/upgrades/TimelockedUpgradeable.sol +++ b/contracts/src/upgrades/TimelockedUpgradeable.sol @@ -4,12 +4,18 @@ pragma solidity ^0.8.16; import {Versioned} from "src/upgrades/Versioned.sol"; import {Initializable} from "@openzeppelin-upgradeable/contracts/proxy/utils/Initializable.sol"; import {UUPSUpgradeable} from "@openzeppelin-upgradeable/contracts/proxy/utils/UUPSUpgradeable.sol"; -import {AccessControlUpgradeable} from "@openzeppelin-upgradeable/contracts/access/AccessControlUpgradeable.sol"; +import {AccessControlUpgradeable} from + "@openzeppelin-upgradeable/contracts/access/AccessControlUpgradeable.sol"; /// @title TimelockedUpgradeable /// @notice A base contract that has modifiers to specify that certain functions are only callable /// by a sender with a timelock or guardian role. -abstract contract TimelockedUpgradeable is Versioned, Initializable, UUPSUpgradeable, AccessControlUpgradeable { +abstract contract TimelockedUpgradeable is + Versioned, + Initializable, + UUPSUpgradeable, + AccessControlUpgradeable +{ /// @notice A random constant used to identify addresses with the permission of a 'timelock'. /// @dev Should be set to a 'timelock' contract, which may only execute calls after being /// for a certain amount of time. @@ -43,7 +49,10 @@ abstract contract TimelockedUpgradeable is Versioned, Initializable, UUPSUpgrade /// @notice Initializes the contract. /// @dev The DEFAULT_ADMIN_ROLE needs to be set but should be unused. - function __TimelockedUpgradeable_init(address _timelock, address _guardian) internal onlyInitializing { + function __TimelockedUpgradeable_init(address _timelock, address _guardian) + internal + onlyInitializing + { __AccessControl_init(); __UUPSUpgradeable_init(); _grantRole(DEFAULT_ADMIN_ROLE, _timelock); diff --git a/contracts/test/FunctionGateway.t.sol b/contracts/test/FunctionGateway.t.sol index ff8cc8363..3ff5dfb6e 100644 --- a/contracts/test/FunctionGateway.t.sol +++ b/contracts/test/FunctionGateway.t.sol @@ -53,8 +53,9 @@ contract FunctionGatewayTest is Test, IFunctionGatewayEvents, IFunctionGatewayEr FunctionGateway(gateway).initialize(DEFAULT_SCALAR, feeVault, timelock, guardian); vm.prank(sender); - (FUNCTION_ID, verifier) = - IFunctionRegistry(gateway).deployAndRegisterFunction(type(TestFunctionVerifier).creationCode, FUNCTION_NAME); + (FUNCTION_ID, verifier) = IFunctionRegistry(gateway).deployAndRegisterFunction( + type(TestFunctionVerifier).creationCode, FUNCTION_NAME + ); expectedRequest = FunctionRequest({ functionId: FUNCTION_ID, @@ -66,7 +67,8 @@ contract FunctionGatewayTest is Test, IFunctionGatewayEvents, IFunctionGatewayEr proofFulfilled: false, callbackFulfilled: false }); - EXPECTED_REQUEST_ID = keccak256(abi.encode(FunctionGateway(gateway).nonce(), expectedRequest)); + EXPECTED_REQUEST_ID = + keccak256(abi.encode(FunctionGateway(gateway).nonce(), expectedRequest)); vm.deal(sender, DEFAULT_FEE); vm.deal(consumer, DEFAULT_FEE); @@ -162,7 +164,9 @@ contract FunctionGatewayTest is Test, IFunctionGatewayEvents, IFunctionGatewayEr 0 ); vm.prank(consumer); - bytes32 requestId = FunctionGateway(gateway).request(FUNCTION_ID, REQUEST, CALLBACK_SELECTOR, CALLBACK_CONTEXT); + bytes32 requestId = FunctionGateway(gateway).request( + FUNCTION_ID, REQUEST, CALLBACK_SELECTOR, CALLBACK_CONTEXT + ); assertEq(EXPECTED_REQUEST_ID, requestId); ( @@ -281,7 +285,9 @@ contract FunctionGatewayTest is Test, IFunctionGatewayEvents, IFunctionGatewayEr // Callback // inner error: vm.expectRevert(abi.encodeWithSelector(CallbackAlreadyFulfilled.selector, requestId)); vm.expectRevert( - abi.encodeWithSelector(CallbackFailed.selector, consumer, AttackConsumer.handleRequest.selector) + abi.encodeWithSelector( + CallbackFailed.selector, consumer, AttackConsumer.handleRequest.selector + ) ); FunctionGateway(gateway).callback(requestId, REQUEST_OUTPUT, CALLBACK_CONTEXT); } diff --git a/contracts/test/NounsOwnership.t.sol b/contracts/test/NounsOwnership.t.sol index 2c730609f..e98fa2b85 100644 --- a/contracts/test/NounsOwnership.t.sol +++ b/contracts/test/NounsOwnership.t.sol @@ -9,7 +9,9 @@ import {StorageOracle} from "../src/examples/storage/StorageOracle.sol"; import {NounsOwnership} from "../src/examples/storage/NounsOwnership.sol"; import {FunctionGateway} from "../src/FunctionGateway.sol"; -import {IFunctionGatewayEvents, IFunctionGatewayErrors} from "../src/interfaces/IFunctionGateway.sol"; +import { + IFunctionGatewayEvents, IFunctionGatewayErrors +} from "../src/interfaces/IFunctionGateway.sol"; import {MockFunctionGateway} from "../src/mocks/MockFunctionGateway.sol"; import {Proxy} from "src/upgrades/Proxy.sol"; @@ -21,8 +23,15 @@ contract TestError is IFunctionGatewayErrors { } contract TestEvents is IFunctionGatewayEvents { - event SlotRequested(uint256 indexed blockNumber, bytes32 indexed blockHash, address indexed account, uint256 slot); - event SlotUpdated(uint256 indexed blockNumber, address indexed account, uint256 slot, bytes32 value); + event SlotRequested( + uint256 indexed blockNumber, + bytes32 indexed blockHash, + address indexed account, + uint256 slot + ); + event SlotUpdated( + uint256 indexed blockNumber, address indexed account, uint256 slot, bytes32 value + ); } contract NounsOwnershipTest is Test, TestError, TestEvents { @@ -75,8 +84,16 @@ contract NounsOwnershipTest is Test, TestError, TestEvents { function test_ClaimOwnership() public onlyWithFork { bytes32 requestId = NounsOwnership(nounsOwnership).claimOwnership(NOUN_NUMBER); - (bytes32 functionId,,,, address callbackAddress,, bool proofFulfilled, bool callbackFulfilled) = - FunctionGateway(gateway).requests(requestId); + ( + bytes32 functionId, + , + , + , + address callbackAddress, + , + bool proofFulfilled, + bool callbackFulfilled + ) = FunctionGateway(gateway).requests(requestId); assertEq(FUNCTION_ID, functionId); assertEq(storageOracle, callbackAddress); assertEq(false, proofFulfilled); diff --git a/contracts/test/TestUtils.sol b/contracts/test/TestUtils.sol index ee9e5a223..56e0c75d0 100644 --- a/contracts/test/TestUtils.sol +++ b/contracts/test/TestUtils.sol @@ -12,7 +12,9 @@ library TestFuncLib { bytes4 _callbackSelector, bytes memory _context ) internal returns (bytes32) { - return FunctionGateway(_gateway).request{value: msg.value}(_functionId, _input, _callbackSelector, _context); + return FunctionGateway(_gateway).request{value: msg.value}( + _functionId, _input, _callbackSelector, _context + ); } function decode(bytes memory _output) internal pure returns (bool) { @@ -74,7 +76,9 @@ contract AttackConsumer { return TestFuncLib.request(_gateway, _functionId, _input, _callbackSelector, _context); } - function setCallbackParams(bytes32 _requestId, bytes memory _output, bytes memory _proof) external { + function setCallbackParams(bytes32 _requestId, bytes memory _output, bytes memory _proof) + external + { requestId = _requestId; output = _output; context = _proof; diff --git a/contracts/test/verifiers/VerifierGroth16.sol b/contracts/test/verifiers/VerifierGroth16.sol index 090737fa9..15497b876 100644 --- a/contracts/test/verifiers/VerifierGroth16.sol +++ b/contracts/test/verifiers/VerifierGroth16.sol @@ -42,45 +42,71 @@ contract Verifier { // Fp2 elements are encoded in the public interface as this became convention. // Constants in Fp - uint256 constant FRACTION_1_2_FP = 0x183227397098d014dc2822db40c0ac2ecbc0b548b438e5469e10460b6c3e7ea4; - uint256 constant FRACTION_27_82_FP = 0x2b149d40ceb8aaae81be18991be06ac3b5b4c5e559dbefa33267e6dc24a138e5; - uint256 constant FRACTION_3_82_FP = 0x2fcd3ac2a640a154eb23960892a85a68f031ca0c8344b23a577dcf1052b9e775; + uint256 constant FRACTION_1_2_FP = + 0x183227397098d014dc2822db40c0ac2ecbc0b548b438e5469e10460b6c3e7ea4; + uint256 constant FRACTION_27_82_FP = + 0x2b149d40ceb8aaae81be18991be06ac3b5b4c5e559dbefa33267e6dc24a138e5; + uint256 constant FRACTION_3_82_FP = + 0x2fcd3ac2a640a154eb23960892a85a68f031ca0c8344b23a577dcf1052b9e775; // Exponents for inversions and square roots mod P - uint256 constant EXP_INVERSE_FP = 0x30644E72E131A029B85045B68181585D97816A916871CA8D3C208C16D87CFD45; // P - 2 + uint256 constant EXP_INVERSE_FP = + 0x30644E72E131A029B85045B68181585D97816A916871CA8D3C208C16D87CFD45; // P - 2 uint256 constant EXP_SQRT_FP = 0xC19139CB84C680A6E14116DA060561765E05AA45A1C72A34F082305B61F3F52; // (P + 1) / 4; // Groth16 alpha point in G1 - uint256 constant ALPHA_X = 7191762284594917313270496592699838670300366763721693826840778095402675094099; - uint256 constant ALPHA_Y = 6689610893311981980012512757431514205505629932471635369619398835507016194527; + uint256 constant ALPHA_X = + 7191762284594917313270496592699838670300366763721693826840778095402675094099; + uint256 constant ALPHA_Y = + 6689610893311981980012512757431514205505629932471635369619398835507016194527; // Groth16 beta point in G2 in powers of i - uint256 constant BETA_NEG_X_0 = 7432452678743287780054266289251424001011104290831611692995936218496470956063; - uint256 constant BETA_NEG_X_1 = 18123316610154995907808360091102759307721691062115296648800005454085039978508; - uint256 constant BETA_NEG_Y_0 = 18138532004479061933338819808622872726696102711363422031504092384344649063398; - uint256 constant BETA_NEG_Y_1 = 2412875426524353066896726063783429656211160668758409430460678375636563964693; + uint256 constant BETA_NEG_X_0 = + 7432452678743287780054266289251424001011104290831611692995936218496470956063; + uint256 constant BETA_NEG_X_1 = + 18123316610154995907808360091102759307721691062115296648800005454085039978508; + uint256 constant BETA_NEG_Y_0 = + 18138532004479061933338819808622872726696102711363422031504092384344649063398; + uint256 constant BETA_NEG_Y_1 = + 2412875426524353066896726063783429656211160668758409430460678375636563964693; // Groth16 gamma point in G2 in powers of i - uint256 constant GAMMA_NEG_X_0 = 6893515703761821986376000525040572547627853830347199552209266009657314034231; - uint256 constant GAMMA_NEG_X_1 = 13088418089195761311598988154835674871172676391774493268269386894888204467124; - uint256 constant GAMMA_NEG_Y_0 = 4055497322553729028803820319745081587647721281335855423485384512564338231939; - uint256 constant GAMMA_NEG_Y_1 = 1475219735743682528161090238412236128189870848900950781740983983032426148838; + uint256 constant GAMMA_NEG_X_0 = + 6893515703761821986376000525040572547627853830347199552209266009657314034231; + uint256 constant GAMMA_NEG_X_1 = + 13088418089195761311598988154835674871172676391774493268269386894888204467124; + uint256 constant GAMMA_NEG_Y_0 = + 4055497322553729028803820319745081587647721281335855423485384512564338231939; + uint256 constant GAMMA_NEG_Y_1 = + 1475219735743682528161090238412236128189870848900950781740983983032426148838; // Groth16 delta point in G2 in powers of i - uint256 constant DELTA_NEG_X_0 = 14326929548255454246493212463309102825668430415529859396786379753149606771079; - uint256 constant DELTA_NEG_X_1 = 11689887026907063767739334201310677037034639292694336927611599804586372010862; - uint256 constant DELTA_NEG_Y_0 = 6963136076764944144911980872134653691940342598753462391967541377010513219479; - uint256 constant DELTA_NEG_Y_1 = 16676898437550420220509490368384039920586642507726789429103906256057524588684; + uint256 constant DELTA_NEG_X_0 = + 14326929548255454246493212463309102825668430415529859396786379753149606771079; + uint256 constant DELTA_NEG_X_1 = + 11689887026907063767739334201310677037034639292694336927611599804586372010862; + uint256 constant DELTA_NEG_Y_0 = + 6963136076764944144911980872134653691940342598753462391967541377010513219479; + uint256 constant DELTA_NEG_Y_1 = + 16676898437550420220509490368384039920586642507726789429103906256057524588684; // Constant and public input points - uint256 constant CONSTANT_X = 2337299022666095870965334581031411636062112822363653072649960945881372178017; - uint256 constant CONSTANT_Y = 13136969239754770688407119288423504407937297704319142769424711501043567132597; - uint256 constant PUB_0_X = 19099476937402324909194208209825562307852182662517509743676497897260504732512; - uint256 constant PUB_0_Y = 20028922012528722057705529708286855480436546445192813910535158033962012218781; - uint256 constant PUB_1_X = 19099476937402324909194208209825562307852182662517509743676497897260504732512; - uint256 constant PUB_1_Y = 20028922012528722057705529708286855480436546445192813910535158033962012218781; - uint256 constant PUB_2_X = 11889244704813280517243848650354300010539043696492425502144908554150056345696; - uint256 constant PUB_2_Y = 15675168965315997779710315205375571650649075586308976753989000299217918262148; + uint256 constant CONSTANT_X = + 2337299022666095870965334581031411636062112822363653072649960945881372178017; + uint256 constant CONSTANT_Y = + 13136969239754770688407119288423504407937297704319142769424711501043567132597; + uint256 constant PUB_0_X = + 19099476937402324909194208209825562307852182662517509743676497897260504732512; + uint256 constant PUB_0_Y = + 20028922012528722057705529708286855480436546445192813910535158033962012218781; + uint256 constant PUB_1_X = + 19099476937402324909194208209825562307852182662517509743676497897260504732512; + uint256 constant PUB_1_Y = + 20028922012528722057705529708286855480436546445192813910535158033962012218781; + uint256 constant PUB_2_X = + 11889244704813280517243848650354300010539043696492425502144908554150056345696; + uint256 constant PUB_2_Y = + 15675168965315997779710315205375571650649075586308976753989000299217918262148; /// Negation in Fp. /// @notice Returns a number x such that a + x = 0 in Fp. @@ -172,7 +198,11 @@ contract Verifier { /// @param hint A hint which of two possible signs to pick in the equation. /// @return x0 The real part of the square root. /// @return x1 The imaginary part of the square root. - function sqrt_Fp2(uint256 a0, uint256 a1, bool hint) internal view returns (uint256 x0, uint256 x1) { + function sqrt_Fp2(uint256 a0, uint256 a1, bool hint) + internal + view + returns (uint256 x0, uint256 x1) + { // If this square root reverts there is no solution in Fp2. uint256 d = sqrt_Fp(addmod(mulmod(a0, a0, P), mulmod(a1, a1, P), P)); if (hint) { @@ -184,7 +214,10 @@ contract Verifier { // Check result to make sure we found a root. // Note: this also fails if a0 or a1 is not reduced. - if (a0 != addmod(mulmod(x0, x0, P), negate(mulmod(x1, x1, P)), P) || a1 != mulmod(2, mulmod(x0, x1, P), P)) { + if ( + a0 != addmod(mulmod(x0, x0, P), negate(mulmod(x1, x1, P)), P) + || a1 != mulmod(2, mulmod(x0, x1, P), P) + ) { revert ProofInvalid(); } } @@ -362,7 +395,11 @@ contract Verifier { /// @param input The public inputs. These are elements of the scalar field Fr. /// @return x The X coordinate of the resulting G1 point. /// @return y The Y coordinate of the resulting G1 point. - function publicInputMSM(uint256[3] calldata input) internal view returns (uint256 x, uint256 y) { + function publicInputMSM(uint256[3] calldata input) + internal + view + returns (uint256 x, uint256 y) + { // Note: The ECMUL precompile does not reject unreduced values, so we check this. // Note: Unrolling this loop does not cost much extra in code-size, the bulk of the // code-size is in the PUB_ constants. @@ -415,7 +452,11 @@ contract Verifier { /// verifyProof. I.e. Groth16 points (A, B, C) encoded as in EIP-197. /// @return compressed The compressed proof. Elements are in the same order as for /// verifyCompressedProof. I.e. points (A, B, C) in compressed format. - function compressProof(uint256[8] calldata proof) public view returns (uint256[4] memory compressed) { + function compressProof(uint256[8] calldata proof) + public + view + returns (uint256[4] memory compressed) + { compressed[0] = compress_g1(proof[0], proof[1]); (compressed[2], compressed[1]) = compress_g2(proof[3], proof[2], proof[5], proof[4]); compressed[3] = compress_g1(proof[6], proof[7]); @@ -430,9 +471,13 @@ contract Verifier { /// matching the output of compressProof. /// @param input the public input field elements in the scalar field Fr. /// Elements must be reduced. - function verifyCompressedProof(uint256[4] calldata compressedProof, uint256[3] calldata input) public view { + function verifyCompressedProof(uint256[4] calldata compressedProof, uint256[3] calldata input) + public + view + { (uint256 Ax, uint256 Ay) = decompress_g1(compressedProof[0]); - (uint256 Bx0, uint256 Bx1, uint256 By0, uint256 By1) = decompress_g2(compressedProof[2], compressedProof[1]); + (uint256 Bx0, uint256 Bx1, uint256 By0, uint256 By1) = + decompress_g2(compressedProof[2], compressedProof[1]); (uint256 Cx, uint256 Cy) = decompress_g1(compressedProof[3]); (uint256 Lx, uint256 Ly) = publicInputMSM(input); diff --git a/contracts/test/verifiers/VerifierPlonk.sol b/contracts/test/verifiers/VerifierPlonk.sol index b3851d848..75d7ca7ee 100644 --- a/contracts/test/verifiers/VerifierPlonk.sol +++ b/contracts/test/verifiers/VerifierPlonk.sol @@ -19,20 +19,26 @@ pragma solidity ^0.8.19; contract PlonkVerifier { - uint256 private constant r_mod = 21888242871839275222246405745257275088548364400416034343698204186575808495617; - uint256 private constant p_mod = 21888242871839275222246405745257275088696311157297823662689037894645226208583; + uint256 private constant r_mod = + 21888242871839275222246405745257275088548364400416034343698204186575808495617; + uint256 private constant p_mod = + 21888242871839275222246405745257275088696311157297823662689037894645226208583; uint256 private constant g2_srs_0_x_0 = 11559732032986387107991004021392285783925812861821192530917403151452391805634; uint256 private constant g2_srs_0_x_1 = 10857046999023057135944570762232829481370756359578518086990519993285655852781; - uint256 private constant g2_srs_0_y_0 = 4082367875863433681332203403145435568316851327593401208105741076214120093531; - uint256 private constant g2_srs_0_y_1 = 8495653923123431417604973247489272438418190587263600148770280649306958101930; + uint256 private constant g2_srs_0_y_0 = + 4082367875863433681332203403145435568316851327593401208105741076214120093531; + uint256 private constant g2_srs_0_y_1 = + 8495653923123431417604973247489272438418190587263600148770280649306958101930; uint256 private constant g2_srs_1_x_0 = 14184380469316848647399916994526908634873673556047703492928820707587405857357; - uint256 private constant g2_srs_1_x_1 = 482275098823665719974591155934619915930048247564089153862907740325982636821; - uint256 private constant g2_srs_1_y_0 = 9081740555712312681676101658142837412124700599863904881497360479980542967997; + uint256 private constant g2_srs_1_x_1 = + 482275098823665719974591155934619915930048247564089153862907740325982636821; + uint256 private constant g2_srs_1_y_0 = + 9081740555712312681676101658142837412124700599863904881497360479980542967997; uint256 private constant g2_srs_1_y_1 = 10788505562695957146517509586265372291431743735546853483226752798469396098331; @@ -40,26 +46,39 @@ contract PlonkVerifier { uint256 private constant vk_domain_size = 8; uint256 private constant vk_inv_domain_size = 19152212512859365819465605027100115702479818850364030050735928663253832433665; - uint256 private constant vk_omega = 19540430494807482326159819597004422086093766032135589407132600596362845576832; - uint256 private constant vk_ql_com_x = 21146737814662248939271101735192940543382366687977110484636304065631052234661; - uint256 private constant vk_ql_com_y = 17244895415666211266680412689420596204100592899763916548999226920673373295795; - uint256 private constant vk_qr_com_x = 12034157544991483751879070773917816837151424951659313593179465195961958636762; - uint256 private constant vk_qr_com_y = 21128964842635530241689801368183970178962786540029862999283336804588522584697; + uint256 private constant vk_omega = + 19540430494807482326159819597004422086093766032135589407132600596362845576832; + uint256 private constant vk_ql_com_x = + 21146737814662248939271101735192940543382366687977110484636304065631052234661; + uint256 private constant vk_ql_com_y = + 17244895415666211266680412689420596204100592899763916548999226920673373295795; + uint256 private constant vk_qr_com_x = + 12034157544991483751879070773917816837151424951659313593179465195961958636762; + uint256 private constant vk_qr_com_y = + 21128964842635530241689801368183970178962786540029862999283336804588522584697; uint256 private constant vk_qm_com_x = 0; uint256 private constant vk_qm_com_y = 0; - uint256 private constant vk_qo_com_x = 9690145773039397511522502225033489318603819532491614216035810227753062202328; - uint256 private constant vk_qo_com_y = 13758061819365328413779269411839899429431070095046925263255802702279536261884; + uint256 private constant vk_qo_com_x = + 9690145773039397511522502225033489318603819532491614216035810227753062202328; + uint256 private constant vk_qo_com_y = + 13758061819365328413779269411839899429431070095046925263255802702279536261884; uint256 private constant vk_qk_com_x = 0; uint256 private constant vk_qk_com_y = 0; - uint256 private constant vk_s1_com_x = 17182197487722945203768515568014680528614078471464176366870022784845400646403; - uint256 private constant vk_s1_com_y = 20906636482132349356265024019355776966766221689385434048938253293206541987941; + uint256 private constant vk_s1_com_x = + 17182197487722945203768515568014680528614078471464176366870022784845400646403; + uint256 private constant vk_s1_com_y = + 20906636482132349356265024019355776966766221689385434048938253293206541987941; - uint256 private constant vk_s2_com_x = 2847633030445395915601715055583454986756161565327551832016327694440474004530; - uint256 private constant vk_s2_com_y = 19207431948149911445928003407925263528194340126876487591340310230428671229550; + uint256 private constant vk_s2_com_x = + 2847633030445395915601715055583454986756161565327551832016327694440474004530; + uint256 private constant vk_s2_com_y = + 19207431948149911445928003407925263528194340126876487591340310230428671229550; - uint256 private constant vk_s3_com_x = 19086081295379119079520891096686420879294280039419717609102045282826926824183; - uint256 private constant vk_s3_com_y = 6844673266018017607568220197100655211356735831371287938772913139123642785933; + uint256 private constant vk_s3_com_x = + 19086081295379119079520891096686420879294280039419717609102045282826926824183; + uint256 private constant vk_s3_com_y = + 6844673266018017607568220197100655211356735831371287938772913139123642785933; uint256 private constant vk_coset_shift = 5; @@ -151,9 +170,14 @@ contract PlonkVerifier { uint256 private constant state_last_mem = 0x220; // -------- errors - uint256 private constant error_string_id = 0x08c379a000000000000000000000000000000000000000000000000000000000; // selector for function Error(string) - - function Verify(bytes calldata proof, uint256[] calldata public_inputs) public view returns (bool success) { + uint256 private constant error_string_id = + 0x08c379a000000000000000000000000000000000000000000000000000000000; // selector for function Error(string) + + function Verify(bytes calldata proof, uint256[] calldata public_inputs) + public + view + returns (bool success) + { assembly { let mem := mload(0x40) let freeMem := add(mem, state_last_mem) @@ -165,14 +189,16 @@ contract PlonkVerifier { // compute the challenges let prev_challenge_non_reduced - prev_challenge_non_reduced := derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) + prev_challenge_non_reduced := + derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) prev_challenge_non_reduced := derive_beta(prev_challenge_non_reduced) prev_challenge_non_reduced := derive_alpha(proof.offset, prev_challenge_non_reduced) derive_zeta(proof.offset, prev_challenge_non_reduced) // evaluation of Z=Xⁿ-1 at ζ, we save this value let zeta := mload(add(mem, state_zeta)) - let zeta_power_n_minus_one := addmod(pow(zeta, vk_domain_size, freeMem), sub(r_mod, 1), r_mod) + let zeta_power_n_minus_one := + addmod(pow(zeta, vk_domain_size, freeMem), sub(r_mod, 1), r_mod) mstore(add(mem, state_zeta_power_n_minus_one), zeta_power_n_minus_one) // public inputs contribution @@ -349,7 +375,8 @@ contract PlonkVerifier { // wire commitment commit api let _proof := add(aproof, proof_openings_selector_commit_api_at_zeta) _proof := add(_proof, mul(vk_nb_commitments_commit_api, 0x20)) - let size_wire_commitments_commit_api_in_bytes := mul(vk_nb_commitments_commit_api, 0x40) + let size_wire_commitments_commit_api_in_bytes := + mul(vk_nb_commitments_commit_api, 0x40) calldatacopy(_mPtr, _proof, size_wire_commitments_commit_api_in_bytes) _mPtr := add(_mPtr, size_wire_commitments_commit_api_in_bytes) @@ -520,21 +547,31 @@ contract PlonkVerifier { let folded_quotients := mPtr mPtr := add(folded_quotients, 0x40) mstore(folded_quotients, calldataload(add(aproof, proof_batch_opening_at_zeta_x))) - mstore(add(folded_quotients, 0x20), calldataload(add(aproof, proof_batch_opening_at_zeta_y))) - point_acc_mul_calldata(folded_quotients, add(aproof, proof_opening_at_zeta_omega_x), random, mPtr) + mstore( + add(folded_quotients, 0x20), + calldataload(add(aproof, proof_batch_opening_at_zeta_y)) + ) + point_acc_mul_calldata( + folded_quotients, add(aproof, proof_opening_at_zeta_omega_x), random, mPtr + ) let folded_digests := add(state, state_folded_digests_x) - point_acc_mul_calldata(folded_digests, add(aproof, proof_grand_product_commitment_x), random, mPtr) + point_acc_mul_calldata( + folded_digests, add(aproof, proof_grand_product_commitment_x), random, mPtr + ) let folded_evals := add(state, state_folded_claimed_values) - fr_acc_mul_calldata(folded_evals, add(aproof, proof_grand_product_at_zeta_omega), random) + fr_acc_mul_calldata( + folded_evals, add(aproof, proof_grand_product_at_zeta_omega), random + ) let folded_evals_commit := mPtr mPtr := add(folded_evals_commit, 0x40) mstore(folded_evals_commit, 1) mstore(add(folded_evals_commit, 0x20), 2) mstore(add(folded_evals_commit, 0x40), mload(folded_evals)) - let check_staticcall := staticcall(gas(), 7, folded_evals_commit, 0x60, folded_evals_commit, 0x40) + let check_staticcall := + staticcall(gas(), 7, folded_evals_commit, 0x60, folded_evals_commit, 0x40) if eq(check_staticcall, 0) { error_verify() } let folded_evals_commit_y := add(folded_evals_commit, 0x20) @@ -552,7 +589,10 @@ contract PlonkVerifier { let zeta_omega := mulmod(mload(add(state, state_zeta)), vk_omega, r_mod) random := mulmod(random, zeta_omega, r_mod) point_acc_mul_calldata( - folded_points_quotients, add(aproof, proof_opening_at_zeta_omega_x), random, mPtr + folded_points_quotients, + add(aproof, proof_opening_at_zeta_omega_x), + random, + mPtr ) point_add(folded_digests, folded_digests, folded_points_quotients, mPtr) @@ -611,36 +651,78 @@ contract PlonkVerifier { calldataload(add(aproof, proof_quotient_polynomial_at_zeta)) ) - point_acc_mul(add(state, state_folded_digests_x), add(mPtr, 0x80), acc_gamma, mPtrOffset) + point_acc_mul( + add(state, state_folded_digests_x), add(mPtr, 0x80), acc_gamma, mPtrOffset + ) fr_acc_mul_calldata( - add(state, state_folded_claimed_values), add(aproof, proof_linearised_polynomial_at_zeta), acc_gamma + add(state, state_folded_claimed_values), + add(aproof, proof_linearised_polynomial_at_zeta), + acc_gamma ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, r_mod) - point_acc_mul(add(state, state_folded_digests_x), add(mPtr, 0xc0), acc_gamma, mPtrOffset) - fr_acc_mul_calldata(add(state, state_folded_claimed_values), add(aproof, proof_l_at_zeta), acc_gamma) + point_acc_mul( + add(state, state_folded_digests_x), add(mPtr, 0xc0), acc_gamma, mPtrOffset + ) + fr_acc_mul_calldata( + add(state, state_folded_claimed_values), add(aproof, proof_l_at_zeta), acc_gamma + ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, r_mod) - point_acc_mul(add(state, state_folded_digests_x), add(mPtr, 0x100), acc_gamma, add(mPtr, offset)) - fr_acc_mul_calldata(add(state, state_folded_claimed_values), add(aproof, proof_r_at_zeta), acc_gamma) + point_acc_mul( + add(state, state_folded_digests_x), + add(mPtr, 0x100), + acc_gamma, + add(mPtr, offset) + ) + fr_acc_mul_calldata( + add(state, state_folded_claimed_values), add(aproof, proof_r_at_zeta), acc_gamma + ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, r_mod) - point_acc_mul(add(state, state_folded_digests_x), add(mPtr, 0x140), acc_gamma, add(mPtr, offset)) - fr_acc_mul_calldata(add(state, state_folded_claimed_values), add(aproof, proof_o_at_zeta), acc_gamma) + point_acc_mul( + add(state, state_folded_digests_x), + add(mPtr, 0x140), + acc_gamma, + add(mPtr, offset) + ) + fr_acc_mul_calldata( + add(state, state_folded_claimed_values), add(aproof, proof_o_at_zeta), acc_gamma + ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, r_mod) - point_acc_mul(add(state, state_folded_digests_x), add(mPtr, 0x180), acc_gamma, add(mPtr, offset)) - fr_acc_mul_calldata(add(state, state_folded_claimed_values), add(aproof, proof_s1_at_zeta), acc_gamma) + point_acc_mul( + add(state, state_folded_digests_x), + add(mPtr, 0x180), + acc_gamma, + add(mPtr, offset) + ) + fr_acc_mul_calldata( + add(state, state_folded_claimed_values), + add(aproof, proof_s1_at_zeta), + acc_gamma + ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, r_mod) - point_acc_mul(add(state, state_folded_digests_x), add(mPtr, 0x1c0), acc_gamma, add(mPtr, offset)) - fr_acc_mul_calldata(add(state, state_folded_claimed_values), add(aproof, proof_s2_at_zeta), acc_gamma) + point_acc_mul( + add(state, state_folded_digests_x), + add(mPtr, 0x1c0), + acc_gamma, + add(mPtr, offset) + ) + fr_acc_mul_calldata( + add(state, state_folded_claimed_values), + add(aproof, proof_s2_at_zeta), + acc_gamma + ) let poscaz := add(aproof, proof_openings_selector_commit_api_at_zeta) let opca := add(mPtr, 0x200) // offset_proof_commits_api for { let i := 0 } lt(i, vk_nb_commitments_commit_api) { i := add(i, 1) } { acc_gamma := mulmod(acc_gamma, l_gamma_kzg, r_mod) - point_acc_mul(add(state, state_folded_digests_x), opca, acc_gamma, add(mPtr, offset)) + point_acc_mul( + add(state, state_folded_digests_x), opca, acc_gamma, add(mPtr, offset) + ) fr_acc_mul_calldata(add(state, state_folded_claimed_values), poscaz, acc_gamma) poscaz := add(poscaz, 0x20) opca := add(opca, 0x40) @@ -679,8 +761,13 @@ contract PlonkVerifier { let offset := 0x200 - mstore(add(mPtr, offset), calldataload(add(aproof, proof_quotient_polynomial_at_zeta))) - mstore(add(mPtr, add(offset, 0x20)), calldataload(add(aproof, proof_linearised_polynomial_at_zeta))) + mstore( + add(mPtr, offset), calldataload(add(aproof, proof_quotient_polynomial_at_zeta)) + ) + mstore( + add(mPtr, add(offset, 0x20)), + calldataload(add(aproof, proof_linearised_polynomial_at_zeta)) + ) mstore(add(mPtr, add(offset, 0x40)), calldataload(add(aproof, proof_l_at_zeta))) mstore(add(mPtr, add(offset, 0x60)), calldataload(add(aproof, proof_r_at_zeta))) mstore(add(mPtr, add(offset, 0x80)), calldataload(add(aproof, proof_o_at_zeta))) @@ -691,7 +778,14 @@ contract PlonkVerifier { let size_input := add(0x16, mul(vk_nb_commitments_commit_api, 3)) // number of 32bytes elmts = 0x16 (zeta+2*7+7 for the digests+openings) + 2*vk_nb_commitments_commit_api (for the commitments of the selectors) + vk_nb_commitments_commit_api (for the openings of the selectors) size_input := add(0x5, mul(size_input, 0x20)) // size in bytes: 15*32 bytes + 5 bytes for gamma let check_staticcall := - staticcall(gas(), 0x2, add(mPtr, start_input), size_input, add(state, state_gamma_kzg), 0x20) + staticcall( + gas(), + 0x2, + add(mPtr, start_input), + size_input, + add(state, state_gamma_kzg), + 0x20 + ) if eq(check_staticcall, 0) { error_verify() } mstore(add(state, state_gamma_kzg), mod(mload(add(state, state_gamma_kzg)), r_mod)) } @@ -719,7 +813,11 @@ contract PlonkVerifier { ) let rl := - mulmod(calldataload(add(aproof, proof_l_at_zeta)), calldataload(add(aproof, proof_r_at_zeta)), r_mod) + mulmod( + calldataload(add(aproof, proof_l_at_zeta)), + calldataload(add(aproof, proof_r_at_zeta)), + r_mod + ) mstore(mPtr, vk_qm_com_x) mstore(add(mPtr, 0x20), vk_qm_com_y) point_acc_mul(add(state, state_linearised_polynomial_x), mPtr, rl, add(mPtr, 0x40)) @@ -744,7 +842,13 @@ contract PlonkVerifier { let commits_api_at_zeta := add(aproof, proof_openings_selector_commit_api_at_zeta) let commits_api := - add(aproof, add(proof_openings_selector_commit_api_at_zeta, mul(vk_nb_commitments_commit_api, 0x20))) + add( + aproof, + add( + proof_openings_selector_commit_api_at_zeta, + mul(vk_nb_commitments_commit_api, 0x20) + ) + ) for { let i := 0 } lt(i, vk_nb_commitments_commit_api) { i := add(i, 1) } { mstore(mPtr, calldataload(commits_api)) mstore(add(mPtr, 0x20), calldataload(add(commits_api, 0x20))) @@ -781,7 +885,8 @@ contract PlonkVerifier { let l_zeta := mload(add(state, state_zeta)) let l_alpha := mload(add(state, state_alpha)) - let u := mulmod(calldataload(add(aproof, proof_grand_product_at_zeta_omega)), l_beta, r_mod) + let u := + mulmod(calldataload(add(aproof, proof_grand_product_at_zeta_omega)), l_beta, r_mod) let v := mulmod(l_beta, calldataload(add(aproof, proof_s1_at_zeta)), r_mod) v := addmod(v, calldataload(add(aproof, proof_l_at_zeta)), r_mod) v := addmod(v, l_gamma, r_mod) @@ -827,13 +932,29 @@ contract PlonkVerifier { let n_plus_two := add(vk_domain_size, 2) let mPtr := add(mload(0x40), state_last_mem) let zeta_power_n_plus_two := pow(mload(add(state, state_zeta)), n_plus_two, mPtr) - point_mul_calldata(add(state, state_folded_h_x), add(aproof, proof_h_2_x), zeta_power_n_plus_two, mPtr) + point_mul_calldata( + add(state, state_folded_h_x), + add(aproof, proof_h_2_x), + zeta_power_n_plus_two, + mPtr + ) point_add_calldata( - add(state, state_folded_h_x), add(state, state_folded_h_x), add(aproof, proof_h_1_x), mPtr + add(state, state_folded_h_x), + add(state, state_folded_h_x), + add(aproof, proof_h_1_x), + mPtr + ) + point_mul( + add(state, state_folded_h_x), + add(state, state_folded_h_x), + zeta_power_n_plus_two, + mPtr ) - point_mul(add(state, state_folded_h_x), add(state, state_folded_h_x), zeta_power_n_plus_two, mPtr) point_add_calldata( - add(state, state_folded_h_x), add(state, state_folded_h_x), add(aproof, proof_h_0_x), mPtr + add(state, state_folded_h_x), + add(state, state_folded_h_x), + add(aproof, proof_h_0_x), + mPtr ) } @@ -847,26 +968,54 @@ contract PlonkVerifier { // (l(ζ)+β*s1(ζ)+γ) let s1 := add(mload(0x40), state_last_mem) - mstore(s1, mulmod(calldataload(add(aproof, proof_s1_at_zeta)), mload(add(state, state_beta)), r_mod)) + mstore( + s1, + mulmod( + calldataload(add(aproof, proof_s1_at_zeta)), + mload(add(state, state_beta)), + r_mod + ) + ) mstore(s1, addmod(mload(s1), mload(add(state, state_gamma)), r_mod)) mstore(s1, addmod(mload(s1), calldataload(add(aproof, proof_l_at_zeta)), r_mod)) // (r(ζ)+β*s2(ζ)+γ) let s2 := add(s1, 0x20) - mstore(s2, mulmod(calldataload(add(aproof, proof_s2_at_zeta)), mload(add(state, state_beta)), r_mod)) + mstore( + s2, + mulmod( + calldataload(add(aproof, proof_s2_at_zeta)), + mload(add(state, state_beta)), + r_mod + ) + ) mstore(s2, addmod(mload(s2), mload(add(state, state_gamma)), r_mod)) mstore(s2, addmod(mload(s2), calldataload(add(aproof, proof_r_at_zeta)), r_mod)) // _s2 := mload(s2) // (o(ζ)+γ) let o := add(s1, 0x40) - mstore(o, addmod(calldataload(add(aproof, proof_o_at_zeta)), mload(add(state, state_gamma)), r_mod)) + mstore( + o, + addmod( + calldataload(add(aproof, proof_o_at_zeta)), + mload(add(state, state_gamma)), + r_mod + ) + ) // α*(Z(μζ))*(l(ζ)+β*s1(ζ)+γ)*(r(ζ)+β*s2(ζ)+γ)*(o(ζ)+γ) mstore(s1, mulmod(mload(s1), mload(s2), r_mod)) mstore(s1, mulmod(mload(s1), mload(o), r_mod)) mstore(s1, mulmod(mload(s1), mload(add(state, state_alpha)), r_mod)) - mstore(s1, mulmod(mload(s1), calldataload(add(aproof, proof_grand_product_at_zeta_omega)), r_mod)) + mstore( + s1, + mulmod( + mload(s1), + calldataload(add(aproof, proof_grand_product_at_zeta_omega)), + r_mod + ) + ) let computed_quotient := add(s1, 0x60) @@ -883,7 +1032,9 @@ contract PlonkVerifier { mstore( computed_quotient, addmod( - mload(computed_quotient), sub(r_mod, mload(add(state, state_alpha_square_lagrange_0))), r_mod + mload(computed_quotient), + sub(r_mod, mload(add(state, state_alpha_square_lagrange_0))), + r_mod ) ) mstore( diff --git a/contracts/test/verifiers/VerifierPlonkRangeCheck.sol b/contracts/test/verifiers/VerifierPlonkRangeCheck.sol index 61eb03f83..e2848eb92 100644 --- a/contracts/test/verifiers/VerifierPlonkRangeCheck.sol +++ b/contracts/test/verifiers/VerifierPlonkRangeCheck.sol @@ -19,17 +19,22 @@ pragma solidity ^0.8.19; contract PlonkVerifier { - uint256 private constant R_MOD = 21888242871839275222246405745257275088548364400416034343698204186575808495617; - uint256 private constant P_MOD = 21888242871839275222246405745257275088696311157297823662689037894645226208583; + uint256 private constant R_MOD = + 21888242871839275222246405745257275088548364400416034343698204186575808495617; + uint256 private constant P_MOD = + 21888242871839275222246405745257275088696311157297823662689037894645226208583; uint256 private constant G2_SRS_0_X_0 = 11559732032986387107991004021392285783925812861821192530917403151452391805634; uint256 private constant G2_SRS_0_X_1 = 10857046999023057135944570762232829481370756359578518086990519993285655852781; - uint256 private constant G2_SRS_0_Y_0 = 4082367875863433681332203403145435568316851327593401208105741076214120093531; - uint256 private constant G2_SRS_0_Y_1 = 8495653923123431417604973247489272438418190587263600148770280649306958101930; + uint256 private constant G2_SRS_0_Y_0 = + 4082367875863433681332203403145435568316851327593401208105741076214120093531; + uint256 private constant G2_SRS_0_Y_1 = + 8495653923123431417604973247489272438418190587263600148770280649306958101930; - uint256 private constant G2_SRS_1_X_0 = 7814172549830033238223606142675268636058600480250623615512765003821404917357; + uint256 private constant G2_SRS_1_X_0 = + 7814172549830033238223606142675268636058600480250623615512765003821404917357; uint256 private constant G2_SRS_1_X_1 = 13645852243604263853237508664752124496968745818264599716927438924652849501499; uint256 private constant G2_SRS_1_Y_0 = @@ -45,31 +50,50 @@ contract PlonkVerifier { uint256 private constant VK_DOMAIN_SIZE = 64; uint256 private constant VK_INV_DOMAIN_SIZE = 21546239076966786546898805655487630165289796206659533807077919746160561487873; - uint256 private constant VK_OMEGA = 9088801421649573101014283686030284801466796108869023335878462724291607593530; - uint256 private constant VK_QL_COM_X = 10398584435073889797632122505093129513546316083460155042201669609474507761393; - uint256 private constant VK_QL_COM_Y = 11330777933755117102961799810839691375686334590014561389258521851457877230369; - uint256 private constant VK_QR_COM_X = 4890069554988477196605704578982437675387725852092351667744598097766173864387; - uint256 private constant VK_QR_COM_Y = 19349603681767160646759566177297921942938550747056136456536680869640643726362; - uint256 private constant VK_QM_COM_X = 15102395100711249652702189888971210884726661069253717232051424256238336296154; - uint256 private constant VK_QM_COM_Y = 8429507290274846664135226417545857237016221800833374220037179018375269797509; - uint256 private constant VK_QO_COM_X = 8308944175243810613431144809106337373933253400523298809621497139697227011081; - uint256 private constant VK_QO_COM_Y = 15017491915531595518283812274044246345396629679070431756435244459826623666365; - uint256 private constant VK_QK_COM_X = 3633008490673505938984875516723788205584619065077429967414171095484684355226; - uint256 private constant VK_QK_COM_Y = 5924043858531262811057741401548398852576813068998609832283300183984594490265; - - uint256 private constant VK_S1_COM_X = 1831950617253311161965086323296612321621431881366015012145754662717020653254; - uint256 private constant VK_S1_COM_Y = 12552778567595986457625193226638552613143112724414943417872328062638651381509; - - uint256 private constant VK_S2_COM_X = 9282332095318458810329272575154746196077473337194803812097690515423473875292; - uint256 private constant VK_S2_COM_Y = 4132295717165950971373345207419370482187113718476938372487185645861198998345; - - uint256 private constant VK_S3_COM_X = 5528050128912291205450410066466372880115605758861985145700038793768988564158; - uint256 private constant VK_S3_COM_Y = 5265831924970622321828286611341299461171200084467948717918107531865540077415; + uint256 private constant VK_OMEGA = + 9088801421649573101014283686030284801466796108869023335878462724291607593530; + uint256 private constant VK_QL_COM_X = + 10398584435073889797632122505093129513546316083460155042201669609474507761393; + uint256 private constant VK_QL_COM_Y = + 11330777933755117102961799810839691375686334590014561389258521851457877230369; + uint256 private constant VK_QR_COM_X = + 4890069554988477196605704578982437675387725852092351667744598097766173864387; + uint256 private constant VK_QR_COM_Y = + 19349603681767160646759566177297921942938550747056136456536680869640643726362; + uint256 private constant VK_QM_COM_X = + 15102395100711249652702189888971210884726661069253717232051424256238336296154; + uint256 private constant VK_QM_COM_Y = + 8429507290274846664135226417545857237016221800833374220037179018375269797509; + uint256 private constant VK_QO_COM_X = + 8308944175243810613431144809106337373933253400523298809621497139697227011081; + uint256 private constant VK_QO_COM_Y = + 15017491915531595518283812274044246345396629679070431756435244459826623666365; + uint256 private constant VK_QK_COM_X = + 3633008490673505938984875516723788205584619065077429967414171095484684355226; + uint256 private constant VK_QK_COM_Y = + 5924043858531262811057741401548398852576813068998609832283300183984594490265; + + uint256 private constant VK_S1_COM_X = + 1831950617253311161965086323296612321621431881366015012145754662717020653254; + uint256 private constant VK_S1_COM_Y = + 12552778567595986457625193226638552613143112724414943417872328062638651381509; + + uint256 private constant VK_S2_COM_X = + 9282332095318458810329272575154746196077473337194803812097690515423473875292; + uint256 private constant VK_S2_COM_Y = + 4132295717165950971373345207419370482187113718476938372487185645861198998345; + + uint256 private constant VK_S3_COM_X = + 5528050128912291205450410066466372880115605758861985145700038793768988564158; + uint256 private constant VK_S3_COM_Y = + 5265831924970622321828286611341299461171200084467948717918107531865540077415; uint256 private constant VK_COSET_SHIFT = 5; - uint256 private constant VK_QCP_0_X = 21793598771508025947887671914700122097813101646208783481283278104736097325441; - uint256 private constant VK_QCP_0_Y = 19261568386046758090660517995286593584435610364418601346457053212061975687679; + uint256 private constant VK_QCP_0_X = + 21793598771508025947887671914700122097813101646208783481283278104736097325441; + uint256 private constant VK_QCP_0_Y = + 19261568386046758090660517995286593584435610364418601346457053212061975687679; uint256 private constant VK_INDEX_COMMIT_API0 = 14; uint256 private constant VK_NB_CUSTOM_GATES = 1; @@ -160,7 +184,8 @@ contract PlonkVerifier { uint256 private constant STATE_LAST_MEM = 0x220; // -------- errors - uint256 private constant ERROR_STRING_ID = 0x08c379a000000000000000000000000000000000000000000000000000000000; // selector for function Error(string) + uint256 private constant ERROR_STRING_ID = + 0x08c379a000000000000000000000000000000000000000000000000000000000; // selector for function Error(string) // -------- utils (for hash_fr) uint256 private constant HASH_FR_BB = 340282366920938463463374607431768211456; // 2**128 @@ -176,7 +201,11 @@ contract PlonkVerifier { /// @param proof serialised plonk proof (using gnark's MarshalSolidity) /// @param public_inputs (must be reduced) /// @return success true if the proof passes false otherwise - function Verify(bytes calldata proof, uint256[] calldata public_inputs) public view returns (bool success) { + function Verify(bytes calldata proof, uint256[] calldata public_inputs) + public + view + returns (bool success) + { assembly { let mem := mload(0x40) let freeMem := add(mem, STATE_LAST_MEM) @@ -189,14 +218,16 @@ contract PlonkVerifier { // compute the challenges let prev_challenge_non_reduced - prev_challenge_non_reduced := derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) + prev_challenge_non_reduced := + derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) prev_challenge_non_reduced := derive_beta(prev_challenge_non_reduced) prev_challenge_non_reduced := derive_alpha(proof.offset, prev_challenge_non_reduced) derive_zeta(proof.offset, prev_challenge_non_reduced) // evaluation of Z=Xⁿ-1 at ζ, we save this value let zeta := mload(add(mem, STATE_ZETA)) - let zeta_power_n_minus_one := addmod(pow(zeta, VK_DOMAIN_SIZE, freeMem), sub(R_MOD, 1), R_MOD) + let zeta_power_n_minus_one := + addmod(pow(zeta, VK_DOMAIN_SIZE, freeMem), sub(R_MOD, 1), R_MOD) mstore(add(mem, STATE_ZETA_POWER_N_MINUS_ONE), zeta_power_n_minus_one) // public inputs contribution @@ -600,7 +631,10 @@ contract PlonkVerifier { let h_fr, ith_lagrange h_fr := hash_fr(calldataload(p), calldataload(add(p, 0x20)), mPtr) - ith_lagrange := compute_ith_lagrange_at_z(z, zpnmo, add(nb_public_inputs, VK_INDEX_COMMIT_API0), mPtr) + ith_lagrange := + compute_ith_lagrange_at_z( + z, zpnmo, add(nb_public_inputs, VK_INDEX_COMMIT_API0), mPtr + ) pi_commit := addmod(pi_commit, mulmod(h_fr, ith_lagrange, R_MOD), R_MOD) p := add(p, 0x40) } @@ -769,21 +803,31 @@ contract PlonkVerifier { let folded_quotients := mPtr mPtr := add(folded_quotients, 0x40) mstore(folded_quotients, calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X))) - mstore(add(folded_quotients, 0x20), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_Y))) - point_acc_mul_calldata(folded_quotients, add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), random, mPtr) + mstore( + add(folded_quotients, 0x20), + calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_Y)) + ) + point_acc_mul_calldata( + folded_quotients, add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), random, mPtr + ) let folded_digests := add(state, STATE_FOLDED_DIGESTS_X) - point_acc_mul_calldata(folded_digests, add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X), random, mPtr) + point_acc_mul_calldata( + folded_digests, add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X), random, mPtr + ) let folded_evals := add(state, STATE_FOLDED_CLAIMED_VALUES) - fr_acc_mul_calldata(folded_evals, add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA), random) + fr_acc_mul_calldata( + folded_evals, add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA), random + ) let folded_evals_commit := mPtr mPtr := add(folded_evals_commit, 0x40) mstore(folded_evals_commit, G1_SRS_X) mstore(add(folded_evals_commit, 0x20), G1_SRS_Y) mstore(add(folded_evals_commit, 0x40), mload(folded_evals)) - let check_staticcall := staticcall(gas(), 7, folded_evals_commit, 0x60, folded_evals_commit, 0x40) + let check_staticcall := + staticcall(gas(), 7, folded_evals_commit, 0x60, folded_evals_commit, 0x40) if iszero(check_staticcall) { error_verify() } let folded_evals_commit_y := add(folded_evals_commit, 0x20) @@ -801,7 +845,10 @@ contract PlonkVerifier { let zeta_omega := mulmod(mload(add(state, STATE_ZETA)), VK_OMEGA, R_MOD) random := mulmod(random, zeta_omega, R_MOD) point_acc_mul_calldata( - folded_points_quotients, add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), random, mPtr + folded_points_quotients, + add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), + random, + mPtr ) point_add(folded_digests, folded_digests, folded_points_quotients, mPtr) @@ -861,34 +908,58 @@ contract PlonkVerifier { calldataload(add(aproof, PROOF_QUOTIENT_POLYNOMIAL_AT_ZETA)) ) - point_acc_mul(state_folded_digests, add(state, STATE_LINEARISED_POLYNOMIAL_X), acc_gamma, mPtr) + point_acc_mul( + state_folded_digests, add(state, STATE_LINEARISED_POLYNOMIAL_X), acc_gamma, mPtr + ) fr_acc_mul_calldata( - add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_LINEARISED_POLYNOMIAL_AT_ZETA), acc_gamma + add(state, STATE_FOLDED_CLAIMED_VALUES), + add(aproof, PROOF_LINEARISED_POLYNOMIAL_AT_ZETA), + acc_gamma ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - point_acc_mul_calldata(add(state, STATE_FOLDED_DIGESTS_X), add(aproof, PROOF_L_COM_X), acc_gamma, mPtr) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_L_AT_ZETA), acc_gamma) + point_acc_mul_calldata( + add(state, STATE_FOLDED_DIGESTS_X), add(aproof, PROOF_L_COM_X), acc_gamma, mPtr + ) + fr_acc_mul_calldata( + add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_L_AT_ZETA), acc_gamma + ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - point_acc_mul_calldata(state_folded_digests, add(aproof, PROOF_R_COM_X), acc_gamma, mPtr) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_R_AT_ZETA), acc_gamma) + point_acc_mul_calldata( + state_folded_digests, add(aproof, PROOF_R_COM_X), acc_gamma, mPtr + ) + fr_acc_mul_calldata( + add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_R_AT_ZETA), acc_gamma + ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - point_acc_mul_calldata(state_folded_digests, add(aproof, PROOF_O_COM_X), acc_gamma, mPtr) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_O_AT_ZETA), acc_gamma) + point_acc_mul_calldata( + state_folded_digests, add(aproof, PROOF_O_COM_X), acc_gamma, mPtr + ) + fr_acc_mul_calldata( + add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_O_AT_ZETA), acc_gamma + ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) mstore(mPtr, VK_S1_COM_X) mstore(mPtr20, VK_S1_COM_Y) point_acc_mul(state_folded_digests, mPtr, acc_gamma, mPtr40) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S1_AT_ZETA), acc_gamma) + fr_acc_mul_calldata( + add(state, STATE_FOLDED_CLAIMED_VALUES), + add(aproof, PROOF_S1_AT_ZETA), + acc_gamma + ) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) mstore(mPtr, VK_S2_COM_X) mstore(mPtr20, VK_S2_COM_Y) point_acc_mul(state_folded_digests, mPtr, acc_gamma, mPtr40) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S2_AT_ZETA), acc_gamma) + fr_acc_mul_calldata( + add(state, STATE_FOLDED_CLAIMED_VALUES), + add(aproof, PROOF_S2_AT_ZETA), + acc_gamma + ) let poscaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) @@ -937,8 +1008,13 @@ contract PlonkVerifier { mstore(add(mPtr, add(offset, 0x20)), VK_QCP_0_Y) offset := add(offset, 0x40) - mstore(add(mPtr, offset), calldataload(add(aproof, PROOF_QUOTIENT_POLYNOMIAL_AT_ZETA))) - mstore(add(mPtr, add(offset, 0x20)), calldataload(add(aproof, PROOF_LINEARISED_POLYNOMIAL_AT_ZETA))) + mstore( + add(mPtr, offset), calldataload(add(aproof, PROOF_QUOTIENT_POLYNOMIAL_AT_ZETA)) + ) + mstore( + add(mPtr, add(offset, 0x20)), + calldataload(add(aproof, PROOF_LINEARISED_POLYNOMIAL_AT_ZETA)) + ) mstore(add(mPtr, add(offset, 0x40)), calldataload(add(aproof, PROOF_L_AT_ZETA))) mstore(add(mPtr, add(offset, 0x60)), calldataload(add(aproof, PROOF_R_AT_ZETA))) mstore(add(mPtr, add(offset, 0x80)), calldataload(add(aproof, PROOF_O_AT_ZETA))) @@ -960,7 +1036,14 @@ contract PlonkVerifier { let size_input := add(0x17, mul(VK_NB_CUSTOM_GATES, 3)) // number of 32bytes elmts = 0x17 (zeta+2*7+7 for the digests+openings) + 2*VK_NB_CUSTOM_GATES (for the commitments of the selectors) + VK_NB_CUSTOM_GATES (for the openings of the selectors) size_input := add(0x5, mul(size_input, 0x20)) // size in bytes: 15*32 bytes + 5 bytes for gamma let check_staticcall := - staticcall(gas(), 0x2, add(mPtr, start_input), size_input, add(state, STATE_GAMMA_KZG), 0x20) + staticcall( + gas(), + 0x2, + add(mPtr, start_input), + size_input, + add(state, STATE_GAMMA_KZG), + 0x20 + ) if iszero(check_staticcall) { error_verify() } mstore(add(state, STATE_GAMMA_KZG), mod(mload(add(state, STATE_GAMMA_KZG)), R_MOD)) } @@ -988,7 +1071,11 @@ contract PlonkVerifier { ) let rl := - mulmod(calldataload(add(aproof, PROOF_L_AT_ZETA)), calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + mulmod( + calldataload(add(aproof, PROOF_L_AT_ZETA)), + calldataload(add(aproof, PROOF_R_AT_ZETA)), + R_MOD + ) mstore(mPtr, VK_QM_COM_X) mstore(add(mPtr, 0x20), VK_QM_COM_Y) point_acc_mul(add(state, STATE_LINEARISED_POLYNOMIAL_X), mPtr, rl, add(mPtr, 0x40)) @@ -1050,7 +1137,8 @@ contract PlonkVerifier { let l_zeta := mload(add(state, STATE_ZETA)) let l_alpha := mload(add(state, STATE_ALPHA)) - let u := mulmod(calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), l_beta, R_MOD) + let u := + mulmod(calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), l_beta, R_MOD) let v := mulmod(l_beta, calldataload(add(aproof, PROOF_S1_AT_ZETA)), R_MOD) v := addmod(v, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) v := addmod(v, l_gamma, R_MOD) @@ -1097,13 +1185,29 @@ contract PlonkVerifier { let n_plus_two := add(VK_DOMAIN_SIZE, 2) let mPtr := add(mload(0x40), STATE_LAST_MEM) let zeta_power_n_plus_two := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) - point_mul_calldata(add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_2_X), zeta_power_n_plus_two, mPtr) + point_mul_calldata( + add(state, STATE_FOLDED_H_X), + add(aproof, PROOF_H_2_X), + zeta_power_n_plus_two, + mPtr + ) point_add_calldata( - add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_1_X), mPtr + add(state, STATE_FOLDED_H_X), + add(state, STATE_FOLDED_H_X), + add(aproof, PROOF_H_1_X), + mPtr + ) + point_mul( + add(state, STATE_FOLDED_H_X), + add(state, STATE_FOLDED_H_X), + zeta_power_n_plus_two, + mPtr ) - point_mul(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), zeta_power_n_plus_two, mPtr) point_add_calldata( - add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_0_X), mPtr + add(state, STATE_FOLDED_H_X), + add(state, STATE_FOLDED_H_X), + add(aproof, PROOF_H_0_X), + mPtr ) } @@ -1118,26 +1222,54 @@ contract PlonkVerifier { // (l(ζ)+β*s1(ζ)+γ) let s1 := add(mload(0x40), STATE_LAST_MEM) - mstore(s1, mulmod(calldataload(add(aproof, PROOF_S1_AT_ZETA)), mload(add(state, STATE_BETA)), R_MOD)) + mstore( + s1, + mulmod( + calldataload(add(aproof, PROOF_S1_AT_ZETA)), + mload(add(state, STATE_BETA)), + R_MOD + ) + ) mstore(s1, addmod(mload(s1), mload(add(state, STATE_GAMMA)), R_MOD)) mstore(s1, addmod(mload(s1), calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD)) // (r(ζ)+β*s2(ζ)+γ) let s2 := add(s1, 0x20) - mstore(s2, mulmod(calldataload(add(aproof, PROOF_S2_AT_ZETA)), mload(add(state, STATE_BETA)), R_MOD)) + mstore( + s2, + mulmod( + calldataload(add(aproof, PROOF_S2_AT_ZETA)), + mload(add(state, STATE_BETA)), + R_MOD + ) + ) mstore(s2, addmod(mload(s2), mload(add(state, STATE_GAMMA)), R_MOD)) mstore(s2, addmod(mload(s2), calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD)) // _s2 := mload(s2) // (o(ζ)+γ) let o := add(s1, 0x40) - mstore(o, addmod(calldataload(add(aproof, PROOF_O_AT_ZETA)), mload(add(state, STATE_GAMMA)), R_MOD)) + mstore( + o, + addmod( + calldataload(add(aproof, PROOF_O_AT_ZETA)), + mload(add(state, STATE_GAMMA)), + R_MOD + ) + ) // α*(Z(μζ))*(l(ζ)+β*s1(ζ)+γ)*(r(ζ)+β*s2(ζ)+γ)*(o(ζ)+γ) mstore(s1, mulmod(mload(s1), mload(s2), R_MOD)) mstore(s1, mulmod(mload(s1), mload(o), R_MOD)) mstore(s1, mulmod(mload(s1), mload(add(state, STATE_ALPHA)), R_MOD)) - mstore(s1, mulmod(mload(s1), calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), R_MOD)) + mstore( + s1, + mulmod( + mload(s1), + calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), + R_MOD + ) + ) let computed_quotient := add(s1, 0x60) @@ -1154,7 +1286,9 @@ contract PlonkVerifier { mstore( computed_quotient, addmod( - mload(computed_quotient), sub(R_MOD, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0))), R_MOD + mload(computed_quotient), + sub(R_MOD, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0))), + R_MOD ) ) mstore(