Key verification

aggregator_server/aggregator_server.cpp

@@ -5,7 +5,8 @@
 // Read the zecale config, include the appropriate pairing selector and define
 // the corresponding pairing parameters type.
 
-#include "libzecale/circuits/aggregator_circuit_wrapper.hpp"
+#include "libzecale/circuits/aggregator_circuit.hpp"
+#include "libzecale/circuits/null_hash_gadget.hpp"
 #include "libzecale/core/application_pool.hpp"
 #include "libzecale/serialization/proto_utils.hpp"
 #include "zecale_config.h"
@@ -19,7 +20,6 @@
 #include <grpcpp/server_context.h>
 #include <iostream>
 #include <libsnark/common/data_structures/merkle_tree.hpp>
-#include <libzeth/circuits/circuit_types.hpp>
 #include <libzeth/core/utils.hpp>
 #include <libzeth/serialization/proto_utils.hpp>
 #include <libzeth/serialization/r1cs_serialization.hpp>
@@ -51,28 +51,29 @@ using npp = libzecale::other_curve<wpp>;
 #if defined(ZECALE_SNARK_PGHR13)
 #include <libzecale/circuits/pghr13_verifier/pghr13_verifier_parameters.hpp>
 #include <libzeth/snarks/pghr13/pghr13_api_handler.hpp>
-using wverifier = libzecale::pghr13_verifier_parameters<wpp>;
+using wsnark = libzeth::pghr13_snark<wpp>;
 using wapi_handler = libzeth::pghr13_api_handler<wpp>;
-using nsnark = libzeth::pghr13_snark<npp>;
+using nverifier = libzecale::pghr13_verifier_parameters<wpp>;
 using napi_handler = libzeth::pghr13_api_handler<npp>;
 #elif defined(ZECALE_SNARK_GROTH16)
 #include <libzecale/circuits/groth16_verifier/groth16_verifier_parameters.hpp>
 #include <libzeth/snarks/groth16/groth16_api_handler.hpp>
-using wverifier = libzecale::groth16_verifier_parameters<wpp>;
+using wsnark = libzeth::groth16_snark<wpp>;
 using wapi_handler = libzeth::groth16_api_handler<wpp>;
-using nsnark = libzeth::groth16_snark<npp>;
+using nverifier = libzecale::groth16_verifier_parameters<wpp>;
 using napi_handler = libzeth::groth16_api_handler<npp>;
 #else
 #error "ZECALE_SNARK_* variable not set to supported ZK snark"
 #endif
 
-using wsnark = typename wverifier::snark;
+using nsnark = typename nverifier::snark;
+using hash = libzecale::null_hash_gadget<libff::Fr<wpp>>;
 
 static const size_t batch_size = 2;
 static const size_t num_inputs_per_nested_proof = 1;
 
-using aggregator_circuit_wrapper = libzecale::
-    aggregator_circuit_wrapper<npp, wpp, nsnark, wverifier, batch_size>;
+using aggregator_circuit =
+    libzecale::aggregator_circuit<wpp, wsnark, nverifier, hash, batch_size>;
 
 /// The aggregator_server class inherits from the Aggregator service defined in
 /// the proto files, and provides an implementation of the service.
@@ -82,17 +83,17 @@ class aggregator_server final : public zecale_proto::Aggregator::Service
     using application_pool =
         libzecale::application_pool<npp, nsnark, batch_size>;
 
-    aggregator_circuit_wrapper aggregator;
+    aggregator_circuit &aggregator;
 
     // The keypair is the result of the setup for the aggregation circuit
-    wsnark::keypair keypair;
+    const wsnark::keypair &keypair;
 
     // The nested verification key is the vk used to verify the nested proofs
     std::map<std::string, application_pool *> application_pools;
 
 public:
     explicit aggregator_server(
-        aggregator_circuit_wrapper &aggregator, const wsnark::keypair &keypair)
+        aggregator_circuit &aggregator, const wsnark::keypair &keypair)
         : aggregator(aggregator), keypair(keypair)
     {
     }
@@ -183,12 +184,17 @@ class aggregator_server final : public zecale_proto::Aggregator::Service
             application_pool *const app_pool =
                 application_pools.at(transaction->application_name());
 
-            // Add the application to the list of applications supported by
-            // the server.
+            // Sanity-check the transaction (number of inputs).
             const libzecale::transaction_to_aggregate<npp, nsnark> tx =
                 libzecale::
                     transaction_to_aggregate_from_proto<npp, napi_handler>(
                         *transaction);
+            if (tx.extended_proof().get_primary_inputs().size() !=
+                num_inputs_per_nested_proof) {
+                throw std::invalid_argument("invalid number of inputs");
+            }
+
+            // Add the proof to the pool for the named application.
             app_pool->add_tx(tx);
 
             std::cout << "[DEBUG] Registered tx with ext proof:\n";
@@ -238,10 +244,11 @@ class aggregator_server final : public zecale_proto::Aggregator::Service
             std::array<const libzeth::extended_proof<npp, nsnark> *, batch_size>
                 nested_proofs;
             for (size_t i = 0; i < batch_size; ++i) {
+                nested_proofs[i] = &batch[i].extended_proof();
+
                 std::cout << "[DEBUG] got tx " << std::to_string(i)
                           << " with ext proof:\n";
-                batch[i].extended_proof().write_json(std::cout);
-                nested_proofs[i] = &batch[i].extended_proof();
+                nested_proofs[i]->write_json(std::cout);
             }
 
             // Retrieve the nested verification key for this application.
@@ -310,8 +317,7 @@ void display_server_start_message()
 }
 
 static void RunServer(
-    aggregator_circuit_wrapper &aggregator,
-    const typename wsnark::keypair &keypair)
+    aggregator_circuit &aggregator, const typename wsnark::keypair &keypair)
 {
     // Listen for incoming connections on 0.0.0.0:50052
     // TODO: Move this in a config file
@@ -401,9 +407,8 @@ int main(int argc, char **argv)
     npp::init_public_params();
     wpp::init_public_params();
 
-    libzecale::
-        aggregator_circuit_wrapper<npp, wpp, nsnark, wverifier, batch_size>
-            aggregator(num_inputs_per_nested_proof);
+    libzecale::aggregator_circuit<wpp, wsnark, nverifier, hash, batch_size>
+        aggregator(num_inputs_per_nested_proof);
     wsnark::keypair keypair = [&keypair_file, &aggregator]() {
         if (!keypair_file.empty()) {
 #ifdef ZKSNARK_GROTH16

libzecale/circuits/aggregator_circuit.hpp

@@ -0,0 +1,121 @@
+// Copyright (c) 2015-2020 Clearmatics Technologies Ltd
+//
+// SPDX-License-Identifier: LGPL-3.0+
+
+#ifndef __ZECALE_CORE_AGGREGATOR_CIRCUIT_HPP__
+#define __ZECALE_CORE_AGGREGATOR_CIRCUIT_HPP__
+
+#include "libzecale/circuits/aggregator_gadget.hpp"
+#include "libzecale/circuits/pairing/pairing_params.hpp"
+#include "libzecale/circuits/verification_key_hash_gadget.hpp"
+
+#include <libzeth/core/extended_proof.hpp>
+
+using namespace libzeth;
+
+namespace libzecale
+{
+
+/// Creates a circuit for creating a wrapping proof aggregating a batch of
+/// nested proofs. Inputs are allocated as follows:
+///
+///   <hash of nested verification key>
+///   <input[1,1]>
+///   ...
+///   <input[1,M]>
+///   <result[1]>
+///   ...
+///   ...
+///   ...
+///   <input[N,1]>
+///   ...
+///   <input[N,M]>
+///   <result[N]>
+///
+/// where:
+///   N = NumProofs,
+///   M = num_inputs_per_nested_proof,
+///   input[i,j] = j-th input to i-th proof,
+///   result[i] = result of i-th proof verification)
+template<
+    typename wppT,
+    typename wsnarkT,
+    typename nverifierT,
+    typename hashT,
+    size_t NumProofs>
+class aggregator_circuit
+{
+private:
+    using npp = other_curve<wppT>;
+    using nsnark = typename nverifierT::snark;
+    using verification_key_variable_gadget =
+        typename nverifierT::verification_key_variable_gadget;
+    using proof_variable_gadget = typename nverifierT::proof_variable_gadget;
+
+    const size_t _num_inputs_per_nested_proof;
+
+    libsnark::protoboard<libff::Fr<wppT>> _pb;
+
+    /// (Primary) Variable holding the hash of the verification key for nested
+    /// proofs. Verified against the actual verification key values, by the
+    /// _nested_vk_hash_gadget.
+    libsnark::pb_variable<libff::Fr<wppT>> _nested_vk_hash;
+
+    /// (Primary) The nested primary inputs lie in the scalar field
+    /// `libff::Fr<nppT>`, and must be represented as elements of
+    /// `libff::Fr<wppT>` for use in the wrapper proof.
+    std::array<libsnark::pb_variable_array<libff::Fr<wppT>>, NumProofs>
+        _nested_primary_inputs;
+
+    /// (Primary) The array of the results of the verifiers. 1 meaning that the
+    /// nested proof is valid, 0 meaning it may not be valid.
+    std::array<libsnark::pb_variable<libff::Fr<wppT>>, NumProofs>
+        _nested_proof_results;
+
+    /// (Auxiliary) Verification key used to verify the nested proofs. Consists
+    /// of group elements of `nppT`, which again, can be represented using
+    /// elements in `libff::Fr<wppT>`.
+    std::shared_ptr<verification_key_variable_gadget> _nested_vk;
+
+    /// (Auxiliary) The nested proofs (defined over `nppT`) to verify. As above,
+    /// these are verified by virtue of the fact that the base field for nppT is
+    /// the scalar field of wppT. These gadgets handle take a witness in the
+    /// form of a proof with group elements from nppT and represent them as
+    /// variables in the wppT scalar field.
+    /// (Variables are expected to be auxiliary inputs).
+    std::array<std::shared_ptr<proof_variable_gadget>, NumProofs>
+        _nested_proofs;
+
+    /// Gadget to check the hash of the nested verification key.
+    std::shared_ptr<verification_key_hash_gadget<wppT, nverifierT, hashT>>
+        _nested_vk_hash_gadget;
+
+    /// Gadget to aggregate proofs.
+    std::shared_ptr<aggregator_gadget<wppT, nverifierT, NumProofs>>
+        _aggregator_gadget;
+
+public:
+    explicit aggregator_circuit(const size_t inputs_per_nested_proof);
+
+    aggregator_circuit(const aggregator_circuit &other) = delete;
+    const aggregator_circuit &operator=(const aggregator_circuit &other) =
+        delete;
+
+    typename wsnarkT::keypair generate_trusted_setup() const;
+
+    const libsnark::protoboard<libff::Fr<wppT>> &get_constraint_system() const;
+
+    /// Generate a proof and returns an extended proof
+    extended_proof<wppT, wsnarkT> prove(
+        const typename nsnark::verification_key &nested_vk,
+        const std::array<
+            const libzeth::extended_proof<npp, nsnark> *,
+            NumProofs> &extended_proofs,
+        const typename wsnarkT::proving_key &aggregator_proving_key);
+};
+
+} // namespace libzecale
+
+#include "aggregator_circuit.tcc"
+
+#endif // __ZECALE_CORE_AGGREGATOR_CIRCUIT_HPP__