feat(gateway-contracts): implement coprocessor contexts

Author: melanciani

.github/workflows/gateway-contracts-upgrade-tests.yml

@@ -33,10 +33,7 @@ jobs:
   sc-upgrade:
     name: gateway-contracts-upgrade-tests/sc-upgrade (bpr)
     needs: check-changes
-    # if: ${{ needs.check-changes.outputs.changes-gw-contracts == 'true' }}
-    # TODO: Re-enable the upgrade tests once fhevm 0.9 is released
-    # See https://github.com/zama-ai/fhevm-internal/issues/439
-    if: false
+    if: ${{ needs.check-changes.outputs.changes-gw-contracts == 'true' }}
     permissions:
       contents: 'read' # Required to checkout repository code
       checks: 'write' # Required to create GitHub checks for test results
@@ -48,7 +45,7 @@ jobs:
         with:
           # This version should be updated whenever we release new contract versions or
           # touch a contract upgrade path.
-          ref: v0.8.0-6
+          ref: v0.9.0
           path: previous-fhevm
           persist-credentials: 'false'
 

gateway-contracts/.env.example

@@ -55,24 +55,30 @@ KMS_SIGNER_ADDRESS_3="0xDb216ECeC4cEd51CdfD9609b6Ce7653aB04f6cAd" # accounts[10]
 KMS_NODE_IP_ADDRESS_3="127.0.0.4" # (string)
 KMS_NODE_STORAGE_URL_3="s3://kms-bucket-4" # (string)
 
+# Coprocessor feature set
+COPROCESSORS_FEATURE_SET="1" # (uint256)
+
 # Coprocessors
 # The number of coprocessors must be lower or equal to the number of coprocessors' metadata defined below
 NUM_COPROCESSORS="3" # (number)
 
 # Coprocessor 1
+COPROCESSOR_NAME_0="Coprocessor 1" # (string)
 COPROCESSOR_TX_SENDER_ADDRESS_0="0x6518D50aDc9036Df37119eA465a8159E34417E2E" # accounts[11] (address)
 COPROCESSOR_SIGNER_ADDRESS_0="0xa5eE8292dA52d8234248709F3E217ffEBA5E8312" # accounts[12] (address)
-COPROCESSOR_S3_BUCKET_URL_0="s3://coprocessor-bucket-1" # (string)
+COPROCESSOR_STORAGE_URL_0="s3://coprocessor-bucket-1" # (string)
 
 # Coprocessor 2
+COPROCESSOR_NAME_1="Coprocessor 2" # (string)
 COPROCESSOR_TX_SENDER_ADDRESS_1="0xCFbF539CB91c92ace0343c5B0487149Ad0b82078" # accounts[13] (address)
 COPROCESSOR_SIGNER_ADDRESS_1="0xA951F315d5FD35Cac111dFB5250DF231FB8eF905" # accounts[14] (address)
-COPROCESSOR_S3_BUCKET_URL_1="s3://coprocessor-bucket-2" # (string)
+COPROCESSOR_STORAGE_URL_1="s3://coprocessor-bucket-2" # (string)
 
 # Coprocessor 3
+COPROCESSOR_NAME_2="Coprocessor 3" # (string)
 COPROCESSOR_TX_SENDER_ADDRESS_2="0x3C0033584da3A0f61AA5C7bde50eAF3642875a21" # accounts[15] (address)
 COPROCESSOR_SIGNER_ADDRESS_2="0x420AF5A5BBfAd922aE5a501d9a8Bf70a55F52E03" # accounts[16] (address)
-COPROCESSOR_S3_BUCKET_URL_2="s3://coprocessor-bucket-3" # (string)
+COPROCESSOR_STORAGE_URL_2="s3://coprocessor-bucket-3" # (string)
 
 # Custodians
 # The number of custodians must be lower or equal to the number of custodians' metadata defined below

gateway-contracts/contracts/CiphertextCommits.sol

@@ -1,20 +1,33 @@
 // SPDX-License-Identifier: BSD-3-Clause-Clear
 pragma solidity ^0.8.24;
-import { gatewayConfigAddress, kmsGenerationAddress } from "../addresses/GatewayAddresses.sol";
+import {
+    gatewayConfigAddress,
+    kmsGenerationAddress,
+    coprocessorContextsAddress
+} from "../addresses/GatewayAddresses.sol";
 import { Strings } from "@openzeppelin/contracts/utils/Strings.sol";
 import { ICiphertextCommits } from "./interfaces/ICiphertextCommits.sol";
 import { IGatewayConfig } from "./interfaces/IGatewayConfig.sol";
 import { IKMSGeneration } from "./interfaces/IKMSGeneration.sol";
+import { ICoprocessorContexts } from "./interfaces/ICoprocessorContexts.sol";
 import { UUPSUpgradeableEmptyProxy } from "./shared/UUPSUpgradeableEmptyProxy.sol";
 import { GatewayConfigChecks } from "./shared/GatewayConfigChecks.sol";
 import { GatewayOwnable } from "./shared/GatewayOwnable.sol";
 import { CiphertextMaterial, SnsCiphertextMaterial } from "./shared/Structs.sol";
+import { ContextStatus } from "./shared/Enums.sol";
+import { ContextChecks } from "./shared/ContextChecks.sol";
 
 /**
  * @title CiphertextCommits smart contract
  * @notice See {ICiphertextCommits}.
  */
-contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, GatewayOwnable, GatewayConfigChecks {
+contract CiphertextCommits is
+    ICiphertextCommits,
+    UUPSUpgradeableEmptyProxy,
+    GatewayOwnable,
+    GatewayConfigChecks,
+    ContextChecks
+{
     /**
      * @notice The address of the GatewayConfig contract, used for fetching information about coprocessors.
      */
@@ -25,14 +38,17 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
      */
     IKMSGeneration private constant KMS_GENERATION = IKMSGeneration(kmsGenerationAddress);
 
+    /// @notice The address of the CoprocessorContexts contract, used for fetching information about coprocessors.
+    ICoprocessorContexts private constant COPROCESSOR_CONTEXTS = ICoprocessorContexts(coprocessorContextsAddress);
+
     /**
      * @dev The following constants are used for versioning the contract. They are made private
      * in order to force derived contracts to consider a different version. Note that
      * they can still define their own private constants with the same name.
      */
     string private constant CONTRACT_NAME = "CiphertextCommits";
     uint256 private constant MAJOR_VERSION = 0;
-    uint256 private constant MINOR_VERSION = 1;
+    uint256 private constant MINOR_VERSION = 2;
     uint256 private constant PATCH_VERSION = 0;
 
     /**
@@ -41,7 +57,7 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
      * This constant does not represent the number of time a specific contract have been upgraded,
      * as a contract deployed from version VX will have a REINITIALIZER_VERSION > 2.
      */
-    uint64 private constant REINITIALIZER_VERSION = 2;
+    uint64 private constant REINITIALIZER_VERSION = 3;
 
     /**
      * @notice The contract's variable storage struct (@dev see ERC-7201)
@@ -75,6 +91,11 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
             alreadyAddedCoprocessorTxSenders;
         /// @notice The coprocessor transaction senders involved in a consensus for a ciphertext material addition.
         mapping(bytes32 addCiphertextHash => address[] coprocessorTxSenderAddresses) coprocessorTxSenderAddresses;
+        // ----------------------------------------------------------------------------------------------
+        // Coprocessor context state variables:
+        // ----------------------------------------------------------------------------------------------
+        /// @notice The coprocessor context ID associated to the add ciphertext
+        mapping(bytes32 addCiphertextHash => uint256 contextId) addCiphertextContextId;
     }
 
     /**
@@ -99,34 +120,54 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
 
     /**
      * @notice Re-initializes the contract from V1.
-     * @dev Define a `reinitializeVX` function once the contract needs to be upgraded.
      */
     /// @custom:oz-upgrades-unsafe-allow missing-initializer-call
     /// @custom:oz-upgrades-validate-as-initializer
-    // function reinitializeV2() public virtual reinitializer(REINITIALIZER_VERSION) {}
+    function reinitializeV2() public virtual reinitializer(REINITIALIZER_VERSION) {}
 
-    /**
-     * @notice See {ICiphertextCommits-addCiphertextMaterial}.
-     */
+    /// @notice See {ICiphertextCommits-addCiphertextMaterial}.
     function addCiphertextMaterial(
         bytes32 ctHandle,
         uint256 keyId,
         bytes32 ciphertextDigest,
         bytes32 snsCiphertextDigest
-    ) external virtual onlyCoprocessorTxSender onlyHandleFromRegisteredHostChain(ctHandle) {
+    ) external virtual onlyHandleFromRegisteredHostChain(ctHandle) refreshCoprocessorContextStatuses {
+        // The addCiphertextHash is the hash of all received input arguments which means that multiple
+        // Coprocessors can only have a consensus on a ciphertext material with the same information.
+        // This hash is used to differentiate different calls to the function, in particular when
+        // tracking the consensus on the received ciphertext material.
+        // Note that chainId is not included in the hash because it is already contained in the ctHandle.
+        bytes32 addCiphertextHash = keccak256(abi.encode(ctHandle, keyId, ciphertextDigest, snsCiphertextDigest));
+
         CiphertextCommitsStorage storage $ = _getCiphertextCommitsStorage();
 
+        // Get the context ID from the input verification context ID mapping
+        // This ID may be 0 (invalid) if this is the first addCiphertextMaterial call for this
+        // addCiphertextHash (see right below)
+        uint256 contextId = $.addCiphertextContextId[addCiphertextHash];
+
+        // If the context ID is null, get the active coprocessor context's ID and associate it to
+        // this ciphertext material addition
+        if (contextId == 0) {
+            contextId = COPROCESSOR_CONTEXTS.getActiveCoprocessorContextId();
+            $.addCiphertextContextId[addCiphertextHash] = contextId;
+
+            // Else, that means a coprocessor already started to add the ciphertext material
+            // and we need to check that the context is active or suspended
+            // If it is not, that means the context is no longer valid for this operation and we revert
+        } else if (!COPROCESSOR_CONTEXTS.isCoprocessorContextActiveOrSuspended(contextId)) {
+            ContextStatus contextStatus = COPROCESSOR_CONTEXTS.getCoprocessorContextStatus(contextId);
+            revert InvalidCoprocessorContextAddCiphertext(ctHandle, contextId, contextStatus);
+        }
+
+        // Only accept coprocessor transaction senders from the same context
+        _checkIsCoprocessorTxSenderFromContext(contextId, msg.sender);
+
         // Check if the coprocessor transaction sender has already added the ciphertext handle.
         if ($.alreadyAddedCoprocessorTxSenders[ctHandle][msg.sender]) {
             revert CoprocessorAlreadyAdded(ctHandle, msg.sender);
         }
 
-        // The addCiphertextHash is the hash of all received input arguments which means that multiple
-        // Coprocessors can only have a consensus on a ciphertext material with the same information.
-        // This hash is used to differentiate different calls to the function, in particular when
-        // tracking the consensus on the received ciphertext material.
-        // Note that chainId is not included in the hash because it is already contained in the ctHandle.
-        bytes32 addCiphertextHash = keccak256(abi.encode(ctHandle, keyId, ciphertextDigest, snsCiphertextDigest));
         $.addCiphertextHashCounters[addCiphertextHash]++;
 
         // It is ok to only the handle can be considered here as a handle should only be added once
@@ -143,9 +184,10 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
 
         // Send the event if and only if the consensus is reached in the current response call.
         // This means a "late" response will not be reverted, just ignored and no event will be emitted
+        // Besides, consensus only considers the coprocessors of the same context
         if (
             !$.isCiphertextMaterialAdded[ctHandle] &&
-            _isConsensusReached($.addCiphertextHashCounters[addCiphertextHash])
+            _isConsensusReached(contextId, $.addCiphertextHashCounters[addCiphertextHash])
         ) {
             $.ciphertextDigests[ctHandle] = ciphertextDigest;
             $.snsCiphertextDigests[ctHandle] = snsCiphertextDigest;
@@ -159,12 +201,7 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
             // by only knowing the handle, since a consensus can only happen once per handle
             $.ctHandleConsensusHash[ctHandle] = addCiphertextHash;
 
-            emit AddCiphertextMaterial(
-                ctHandle,
-                ciphertextDigest,
-                snsCiphertextDigest,
-                $.coprocessorTxSenderAddresses[addCiphertextHash]
-            );
+            emit AddCiphertextMaterial(ctHandle, ciphertextDigest, snsCiphertextDigest, contextId);
         }
     }
 
@@ -191,16 +228,10 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
                 revert CiphertextMaterialNotFound(ctHandles[i]);
             }
 
-            // Get the unique hash associated to the handle and use it to get the list of coprocessor
-            // transaction sender address that were involved in the consensus
-            bytes32 addCiphertextHash = $.ctHandleConsensusHash[ctHandles[i]];
-            address[] memory coprocessorTxSenderAddresses = $.coprocessorTxSenderAddresses[addCiphertextHash];
-
             ctMaterials[i] = CiphertextMaterial(
                 ctHandles[i],
                 $.keyIds[ctHandles[i]],
-                $.ciphertextDigests[ctHandles[i]],
-                coprocessorTxSenderAddresses
+                $.ciphertextDigests[ctHandles[i]]
             );
         }
 
@@ -222,29 +253,21 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
                 revert CiphertextMaterialNotFound(ctHandles[i]);
             }
 
-            // Get the unique hash associated to the handle and use it to get the list of coprocessor
-            // transaction sender address that were involved in the consensus
-            bytes32 addCiphertextHash = $.ctHandleConsensusHash[ctHandles[i]];
-            address[] memory coprocessorTxSenderAddresses = $.coprocessorTxSenderAddresses[addCiphertextHash];
-
             snsCtMaterials[i] = SnsCiphertextMaterial(
                 ctHandles[i],
                 $.keyIds[ctHandles[i]],
-                $.snsCiphertextDigests[ctHandles[i]],
-                coprocessorTxSenderAddresses
+                $.snsCiphertextDigests[ctHandles[i]]
             );
         }
 
         return snsCtMaterials;
     }
 
     /**
-     * @notice See {ICiphertextCommits-getAddCiphertextMaterialConsensusTxSenders}.
+     * @notice See {ICiphertextCommits-getConsensusTxSenders}.
      * The list remains empty until the consensus is reached.
      */
-    function getAddCiphertextMaterialConsensusTxSenders(
-        bytes32 ctHandle
-    ) external view virtual returns (address[] memory) {
+    function getConsensusTxSenders(bytes32 ctHandle) external view virtual returns (address[] memory) {
         CiphertextCommitsStorage storage $ = _getCiphertextCommitsStorage();
 
         // Get the unique hash associated to the handle in order to retrieve the list of transaction
@@ -255,6 +278,54 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
         return $.coprocessorTxSenderAddresses[addCiphertextHash];
     }
 
+    /**
+     * @notice See {ICiphertextCommits-getConsensusStorageUrls}.
+     */
+    function getConsensusStorageUrls(bytes32[] calldata ctHandles) external view virtual returns (string[][] memory) {
+        CiphertextCommitsStorage storage $ = _getCiphertextCommitsStorage();
+        string[][] memory consensusStorageUrls = new string[][](ctHandles.length);
+
+        for (uint256 i = 0; i < ctHandles.length; i++) {
+            // Check that the consensus has been reached
+            if (!isCiphertextMaterialAdded(ctHandles[i])) {
+                revert CiphertextMaterialNotFound(ctHandles[i]);
+            }
+
+            // Get the unique hash associated to the handle in order to retrieve the list of transaction
+            // sender address that participated in the consensus
+            // This digest is null (0x0) for version V1.
+            bytes32 addCiphertextHash = $.ctHandleConsensusHash[ctHandles[i]];
+
+            // Get the transaction sender addresses and the context ID associated to the consensus
+            // If the consensus has been reached but the hash is 0x0, it means that the handle has been
+            // added in V1: the handle was used to retrieve the list of transaction sender addresses
+            // instead of the hash, under the first context (`contextId=1`).
+            // We therefore consider this in order to be backward compatible.
+            // DEPRECATED: to remove in next state reset
+            // See https://github.com/zama-ai/fhevm-internal/issues/471
+            address[] memory coprocessorTxSenderAddresses;
+            uint256 contextId;
+            if (addCiphertextHash == bytes32(0)) {
+                coprocessorTxSenderAddresses = $.coprocessorTxSenderAddresses[ctHandles[i]];
+                contextId = 1;
+            } else {
+                coprocessorTxSenderAddresses = $.coprocessorTxSenderAddresses[addCiphertextHash];
+                contextId = $.addCiphertextContextId[addCiphertextHash];
+            }
+
+            // Get the list of storage URLs associated to the transaction sender addresses
+            string[] memory coprocessorStorageUrls = new string[](coprocessorTxSenderAddresses.length);
+            for (uint256 j = 0; j < coprocessorTxSenderAddresses.length; j++) {
+                coprocessorStorageUrls[j] = COPROCESSOR_CONTEXTS
+                    .getCoprocessorFromContext(contextId, coprocessorTxSenderAddresses[j])
+                    .storageUrl;
+            }
+            consensusStorageUrls[i] = coprocessorStorageUrls;
+        }
+
+        return consensusStorageUrls;
+    }
+
     /**
      * @notice See {ICiphertextCommits-getVersion}.
      */
@@ -280,12 +351,13 @@ contract CiphertextCommits is ICiphertextCommits, UUPSUpgradeableEmptyProxy, Gat
     function _authorizeUpgrade(address _newImplementation) internal virtual override onlyGatewayOwner {}
 
     /**
-     * @notice Checks if the consensus is reached among the Coprocessors.
+     * @notice Checks if the consensus is reached among the coprocessors from the same context.
+     * @param contextId The coprocessor context ID
      * @param coprocessorCounter The number of coprocessors that agreed
      * @return Whether the consensus is reached
      */
-    function _isConsensusReached(uint256 coprocessorCounter) internal view virtual returns (bool) {
-        uint256 consensusThreshold = GATEWAY_CONFIG.getCoprocessorMajorityThreshold();
+    function _isConsensusReached(uint256 contextId, uint256 coprocessorCounter) internal view virtual returns (bool) {
+        uint256 consensusThreshold = COPROCESSOR_CONTEXTS.getCoprocessorMajorityThresholdFromContext(contextId);
         return coprocessorCounter >= consensusThreshold;
     }