feat: enable verifying compressed gnark groth16 proof (#2454)

Author: PayneJoe

crates/test-artifacts/build.rs

@@ -31,15 +31,23 @@ fn main() -> Result<()> {
     build_program_with_args(
         "../verifier/guest-verify-programs",
         BuildArgs {
-            binaries: vec!["groth16_verify".to_string(), "plonk_verify".to_string()],
+            binaries: vec![
+                "groth16_verify".to_string(),
+                "groth16_verify_compressed".to_string(),
+                "plonk_verify".to_string(),
+            ],
             ..Default::default()
         },
     );
 
     build_program_with_args(
         "../verifier/guest-verify-programs",
         BuildArgs {
-            binaries: vec!["groth16_verify_blake3".to_string(), "plonk_verify_blake3".to_string()],
+            binaries: vec![
+                "groth16_verify_blake3".to_string(),
+                "groth16_verify_compressed_blake3".to_string(),
+                "plonk_verify_blake3".to_string(),
+            ],
             features: vec!["blake3".to_string()],
             ..Default::default()
         },

crates/test-artifacts/src/lib.rs

@@ -88,6 +88,10 @@ pub const GROTH16_ELF: &[u8] = include_elf!("groth16_verify");
 
 pub const GROTH16_BLAKE3_ELF: &[u8] = include_elf!("groth16_verify_blake3");
 
+pub const GROTH16_COMPRESSED_ELF: &[u8] = include_elf!("groth16_verify_compressed");
+
+pub const GROTH16_COMPRESSED_BLAKE3_ELF: &[u8] = include_elf!("groth16_verify_compressed_blake3");
+
 pub const PLONK_ELF: &[u8] = include_elf!("plonk_verify");
 
 pub const PLONK_BLAKE3_ELF: &[u8] = include_elf!("plonk_verify_blake3");

crates/verifier/guest-verify-programs/Cargo.toml

@@ -13,6 +13,15 @@ name = "groth16_verify_blake3"
 path = "src/groth16_verify.rs"
 required-features = ["blake3"]
 
+[[bin]]
+name = "groth16_verify_compressed"
+path = "src/groth16_verify_compressed.rs"
+
+[[bin]]
+name = "groth16_verify_compressed_blake3"
+path = "src/groth16_verify_compressed.rs"
+required-features = ["blake3"]
+
 [[bin]]
 name = "plonk_verify"
 path = "src/plonk_verify.rs"
@@ -27,4 +36,4 @@ sp1-zkvm = { path = "../../zkvm/entrypoint" }
 sp1-verifier = { path = "../" }
 
 [features]
-blake3 = ["sp1-zkvm/blake3"]
+blake3 = ["sp1-zkvm/blake3"]

crates/verifier/guest-verify-programs/src/groth16_verify_compressed.rs

@@ -0,0 +1,17 @@
+#![no_main]
+sp1_zkvm::entrypoint!(main);
+
+use sp1_verifier::Groth16Verifier;
+
+fn main() {
+    // Read the proof, public values, and vkey hash from the input stream.
+    let proof = sp1_zkvm::io::read_vec();
+    let sp1_public_values = sp1_zkvm::io::read_vec();
+    let sp1_vkey_hash: String = sp1_zkvm::io::read();
+
+    // Verify the plonk proof.
+    let groth16_vk = *sp1_verifier::GROTH16_VK_BYTES;
+    let result =
+        Groth16Verifier::verify_compressed(&proof, &sp1_public_values, &sp1_vkey_hash, groth16_vk)
+            .unwrap();
+}

crates/verifier/src/constants.rs

@@ -10,6 +10,7 @@ pub(crate) const COMPRESSED_INFINITY: u8 = 0b01 << 6;
 
 pub(crate) const VK_HASH_PREFIX_LENGTH: usize = 4;
 pub(crate) const GROTH16_PROOF_LENGTH: usize = 256;
+pub(crate) const COMPRESSED_GROTH16_PROOF_LENGTH: usize = 128;
 pub(crate) const PLONK_CLAIMED_VALUES_COUNT: usize = 5;
 pub(crate) const PLONK_CLAIMED_VALUES_OFFSET: usize = 384;
 pub(crate) const PLONK_Z_SHIFTED_OPENING_VALUE_OFFSET: usize = 96;

crates/verifier/src/converter.rs

@@ -7,6 +7,43 @@ use crate::{
     error::Error,
 };
 
+/// Compresse an G1 point to a buffer.
+///
+/// This is a reveresed function against `unchecked_compressed_x_to_g1_point`, return the compressed
+/// G1 point which hardcoded the sign flag of y coordinate.
+pub(crate) fn compress_g1_point_to_x(g1: &AffineG1) -> Result<[u8; 32], Error> {
+    let mut x_bytes = [0u8; 32];
+    g1.x().to_big_endian(&mut x_bytes).map_err(Error::Field)?;
+
+    if g1.y() > -g1.y() {
+        x_bytes[0] |= CompressedPointFlag::Negative as u8;
+    } else {
+        x_bytes[0] = (x_bytes[0] & !MASK) | (CompressedPointFlag::Positive as u8);
+    }
+
+    Ok(x_bytes)
+}
+
+/// Compresse an G2 point to a buffer.
+///
+/// This is a reveresed function against `unchecked_compressed_x_to_g1_point`, return the compressed
+/// G2 point which hardcoded the sign flag of y coordinate.
+pub(crate) fn compress_g2_point_to_x(g2: &AffineG2) -> Result<[u8; 64], Error> {
+    let mut x_bytes = [0u8; 64];
+    let x1 = Fq::from_u256(g2.x().0.imaginary().0).map_err(Error::Field)?;
+    let x0 = Fq::from_u256(g2.x().0.real().0).map_err(Error::Field)?;
+    x1.to_big_endian(&mut x_bytes[..32]).map_err(Error::Field)?;
+    x0.to_big_endian(&mut x_bytes[32..64]).map_err(Error::Field)?;
+
+    if g2.y().0 > -g2.y().0 {
+        x_bytes[0] |= CompressedPointFlag::Negative as u8;
+    } else {
+        x_bytes[0] = (x_bytes[0] & !MASK) | (CompressedPointFlag::Positive as u8);
+    }
+
+    Ok(x_bytes)
+}
+
 /// Deserializes an Fq element from a buffer.
 ///
 /// If this Fq element is part of a compressed point, the flag that indicates the sign of the
@@ -70,6 +107,16 @@ pub(crate) fn uncompressed_bytes_to_g1_point(buf: &[u8]) -> Result<AffineG1, Err
     AffineG1::new(x, y).map_err(Error::Group)
 }
 
+/// Converts an AffineG1 point to an uncompressed byte array.
+///
+/// The uncompressed byte array is represented as two fq elements.
+pub(crate) fn g1_point_to_uncompressed_bytes(point: &AffineG1) -> Result<[u8; 64], Error> {
+    let mut buffer = [0u8; 64];
+    point.x().to_big_endian(&mut buffer[..32]).map_err(Error::Field)?;
+    point.y().to_big_endian(&mut buffer[32..]).map_err(Error::Field)?;
+    Ok(buffer)
+}
+
 /// Converts a compressed G2 point to an AffineG2 point.
 ///
 /// Asserts that the compressed point is represented as a single fq2 element: the x coordinate
@@ -120,3 +167,28 @@ pub(crate) fn uncompressed_bytes_to_g2_point(buf: &[u8]) -> Result<AffineG2, Err
 
     AffineG2::new(x, y).map_err(Error::Group)
 }
+
+/// Converts an AffineG2 point to an uncompressed byte array.
+///
+/// The uncompressed byte array is represented as two fq2 elements.
+pub(crate) fn g2_point_to_uncompressed_bytes(point: &AffineG2) -> Result<[u8; 128], Error> {
+    let mut buffer = [0u8; 128];
+    Fq::from_u256(point.x().0.imaginary().0)
+        .unwrap()
+        .to_big_endian(&mut buffer[..32])
+        .map_err(Error::Field)?;
+    Fq::from_u256(point.x().0.real().0)
+        .unwrap()
+        .to_big_endian(&mut buffer[32..64])
+        .map_err(Error::Field)?;
+    Fq::from_u256(point.y().0.imaginary().0)
+        .unwrap()
+        .to_big_endian(&mut buffer[64..96])
+        .map_err(Error::Field)?;
+    Fq::from_u256(point.y().0.real().0)
+        .unwrap()
+        .to_big_endian(&mut buffer[96..128])
+        .map_err(Error::Field)?;
+
+    Ok(buffer)
+}

crates/verifier/src/groth16/converter.rs

@@ -1,17 +1,59 @@
 use alloc::vec::Vec;
 
 use crate::{
-    constants::GROTH16_PROOF_LENGTH,
+    constants::{COMPRESSED_GROTH16_PROOF_LENGTH, GROTH16_PROOF_LENGTH},
     converter::{
-        unchecked_compressed_x_to_g1_point, unchecked_compressed_x_to_g2_point,
-        uncompressed_bytes_to_g1_point, uncompressed_bytes_to_g2_point,
+        compress_g1_point_to_x, compress_g2_point_to_x, g1_point_to_uncompressed_bytes,
+        g2_point_to_uncompressed_bytes, unchecked_compressed_x_to_g1_point,
+        unchecked_compressed_x_to_g2_point, uncompressed_bytes_to_g1_point,
+        uncompressed_bytes_to_g2_point,
     },
     error::Error,
     groth16::{Groth16G1, Groth16G2, Groth16Proof, Groth16VerifyingKey},
 };
 
 use super::error::Groth16Error;
 
+/// Compress the Groth16 proof from a byte slice to a compressed byte slice.
+///
+/// The compressed byte slice is represented as 2 compressed g1 points, and one compressed g2 point,
+/// as outputted from Gnark.
+pub fn compress_groth16_proof_from_bytes(
+    buf: &[u8],
+) -> Result<[u8; COMPRESSED_GROTH16_PROOF_LENGTH], Groth16Error> {
+    if buf.len() < GROTH16_PROOF_LENGTH {
+        return Err(Groth16Error::GeneralError(Error::InvalidData));
+    }
+
+    let proof = load_groth16_proof_from_bytes(buf)?;
+    let mut buffer = [0u8; COMPRESSED_GROTH16_PROOF_LENGTH];
+    buffer[..32].copy_from_slice(&compress_g1_point_to_x(&proof.ar)?);
+    buffer[32..96].copy_from_slice(&compress_g2_point_to_x(&proof.bs)?);
+    buffer[96..128].copy_from_slice(&compress_g1_point_to_x(&proof.krs)?);
+
+    Ok(buffer)
+}
+
+/// Decompress the Groth16 proof from a compressed byte slice to a byte slice.
+///
+/// The byte slice is represented as 2 uncompressed g1 points, and one uncompressed g2 point,
+/// as outputted from Gnark.
+pub fn decompress_groth16_proof_from_bytes(
+    buf: &[u8],
+) -> Result<[u8; GROTH16_PROOF_LENGTH], Groth16Error> {
+    if buf.len() < COMPRESSED_GROTH16_PROOF_LENGTH {
+        return Err(Groth16Error::GeneralError(Error::InvalidData));
+    }
+
+    let proof = load_compressed_groth16_proof_from_bytes(buf)?;
+    let mut buffer = [0u8; GROTH16_PROOF_LENGTH];
+    buffer[..64].copy_from_slice(&g1_point_to_uncompressed_bytes(&proof.ar)?);
+    buffer[64..192].copy_from_slice(&g2_point_to_uncompressed_bytes(&proof.bs)?);
+    buffer[192..256].copy_from_slice(&g1_point_to_uncompressed_bytes(&proof.krs)?);
+
+    Ok(buffer)
+}
+
 /// Load the Groth16 proof from the given byte slice.
 ///
 /// The byte slice is represented as 2 uncompressed g1 points, and one uncompressed g2 point,
@@ -36,7 +78,7 @@ pub(crate) fn load_groth16_proof_from_bytes(buffer: &[u8]) -> Result<Groth16Proo
 pub(crate) fn load_compressed_groth16_proof_from_bytes(
     buffer: &[u8],
 ) -> Result<Groth16Proof, Groth16Error> {
-    if buffer.len() < GROTH16_PROOF_LENGTH / 2 {
+    if buffer.len() < COMPRESSED_GROTH16_PROOF_LENGTH {
         return Err(Groth16Error::GeneralError(Error::InvalidData));
     }
     let (ar, bs, krs) = (

crates/verifier/src/groth16/mod.rs

@@ -1,4 +1,4 @@
-mod converter;
+pub mod converter;
 pub mod error;
 mod verify;
 
@@ -126,6 +126,72 @@ impl Groth16Verifier {
         verify_groth16_algebraic(&groth16_vk, &proof, &public_inputs)
     }
 
+    /// Verifies an SP1 compressed Groth16 proof, as generated by the SP1 SDK.
+    ///
+    /// # Arguments
+    ///
+    /// * `proof` - The proof bytes.
+    /// * `public_inputs` - The SP1 public inputs.
+    /// * `sp1_vkey_hash` - The SP1 vkey hash. This is generated in the following manner:
+    ///
+    /// ```ignore
+    /// use sp1_sdk::ProverClient;
+    /// let client = ProverClient::new();
+    /// let (pk, vk) = client.setup(ELF);
+    /// let sp1_vkey_hash = vk.bytes32();
+    /// ```
+    /// * `groth16_vk` - The Groth16 verifying key bytes. Usually this will be the
+    ///   [`static@crate::GROTH16_VK_BYTES`] constant, which is the Groth16 verifying key for the
+    ///   current SP1 version.
+    ///
+    /// # Returns
+    ///
+    /// A success [`Result`] if verification succeeds, or a [`Groth16Error`] if verification fails.
+    pub fn verify_compressed(
+        proof: &[u8],
+        sp1_public_inputs: &[u8],
+        sp1_vkey_hash: &str,
+        groth16_vk: &[u8],
+    ) -> Result<(), Groth16Error> {
+        if proof.len() < VK_HASH_PREFIX_LENGTH {
+            return Err(Groth16Error::GeneralError(Error::InvalidData));
+        }
+
+        // Hash the vk and get the first 4 bytes.
+        let groth16_vk_hash: [u8; 4] = Sha256::digest(groth16_vk)[..VK_HASH_PREFIX_LENGTH]
+            .try_into()
+            .map_err(|_| Groth16Error::GeneralError(Error::InvalidData))?;
+
+        // Check to make sure that this proof was generated by the groth16 proving key corresponding
+        // to the given groth16_vk.
+        //
+        // SP1 prepends the raw Groth16 proof with the first 4 bytes of the groth16 vkey to
+        // facilitate this check.
+        if groth16_vk_hash != proof[..VK_HASH_PREFIX_LENGTH] {
+            return Err(Groth16Error::Groth16VkeyHashMismatch);
+        }
+
+        let sp1_vkey_hash = decode_sp1_vkey_hash(sp1_vkey_hash)?;
+
+        // It is computationally infeasible to find two distinct inputs, one processed with
+        // SHA256 and the other with Blake3, that yield the same hash value.
+        if Self::verify_compressed_gnark_proof(
+            &proof[VK_HASH_PREFIX_LENGTH..],
+            &[sp1_vkey_hash, hash_public_inputs(sp1_public_inputs)],
+            groth16_vk,
+        )
+        .is_ok()
+        {
+            return Ok(());
+        }
+
+        Self::verify_compressed_gnark_proof(
+            &proof[VK_HASH_PREFIX_LENGTH..],
+            &[sp1_vkey_hash, hash_public_inputs_with_fn(sp1_public_inputs, blake3_hash)],
+            groth16_vk,
+        )
+    }
+
     /// Verifies a compressed Gnark Groth16 proof using raw byte inputs.
     ///
     /// WARNING: if you're verifying an SP1 proof, you should use [`verify`] instead.

crates/verifier/src/lib.rs

@@ -28,7 +28,7 @@ mod error;
 mod utils;
 pub use utils::*;
 
-pub use groth16::{error::Groth16Error, Groth16Verifier};
+pub use groth16::{converter::*, error::Groth16Error, Groth16Verifier};
 mod groth16;
 
 #[cfg(feature = "ark")]