merge main

.github/workflows/build-and-test.yml

@@ -2,8 +2,8 @@ name: Build and Test
 on: push
 
 env:
-  RUST_VERSION: 1.70.0
-  NIGHTLY_VERSION: nightly-2023-05-31
+  RUST_VERSION: 1.76.0
+  NIGHTLY_VERSION: nightly-2024-02-04
   CARGO_VET_VERSION: 0.7.0
   CARGO_VET_REPO: https://github.com/mozilla/cargo-vet
 

Cargo.toml

@@ -4,7 +4,8 @@ version = "0.1.0"
 edition = "2021"
 authors = [
     "Remco Bloemen <[email protected]>",
-    "Philipp Sippl <[email protected]>"]
+    "Philipp Sippl <[email protected]>",
+]
 homepage = "https://github.com/worldcoin/semaphore-rs"
 repository = "https://github.com/worldcoin/semaphore-rs"
 description = "Rust support library for Semaphore"
@@ -20,9 +21,18 @@ members = ["crates/*"]
 default = []
 bench = ["criterion", "proptest"]
 dylib = ["wasmer/dylib", "wasmer-engine-dylib", "wasmer-compiler-cranelift"]
-depth_16 = ["semaphore-depth-config/depth_16", "semaphore-depth-macros/depth_16"]
-depth_20 = ["semaphore-depth-config/depth_20", "semaphore-depth-macros/depth_20"]
-depth_30 = ["semaphore-depth-config/depth_30", "semaphore-depth-macros/depth_30"]
+depth_16 = [
+    "semaphore-depth-config/depth_16",
+    "semaphore-depth-macros/depth_16",
+]
+depth_20 = [
+    "semaphore-depth-config/depth_20",
+    "semaphore-depth-macros/depth_20",
+]
+depth_30 = [
+    "semaphore-depth-config/depth_30",
+    "semaphore-depth-macros/depth_30",
+]
 
 [[bench]]
 name = "criterion"
@@ -32,12 +42,23 @@ required-features = ["bench", "proptest"]
 
 [dependencies]
 ark-bn254 = { version = "0.3.0" }
-ark-circom = { git = "https://github.com/gakonst/ark-circom", rev = "a93c8b0", features = ["circom-2"] }
-ark-ec = { version = "0.3.0", default-features = false, features = ["parallel"] }
-ark-ff = { version = "0.3.0", default-features = false, features = ["parallel", "asm"] }
-ark-groth16 = { git = "https://github.com/arkworks-rs/groth16", rev = "765817f", features = ["parallel"] }
+ark-circom = { git = "https://github.com/gakonst/ark-circom", rev = "a93c8b0", features = [
+    "circom-2",
+] }
+ark-ec = { version = "0.3.0", default-features = false, features = [
+    "parallel",
+] }
+ark-ff = { version = "0.3.0", default-features = false, features = [
+    "parallel",
+    "asm",
+] }
+ark-groth16 = { git = "https://github.com/arkworks-rs/groth16", rev = "765817f", features = [
+    "parallel",
+] }
 ark-relations = { version = "0.3.0", default-features = false }
-ark-std = { version = "0.3.0", default-features = false, features = ["parallel"] }
+ark-std = { version = "0.3.0", default-features = false, features = [
+    "parallel",
+] }
 color-eyre = "0.6"
 criterion = { version = "0.3", optional = true, features = ["async_tokio"] }
 hex = "0.4.0"
@@ -47,7 +68,12 @@ once_cell = "1.8"
 proptest = { version = "1.0", optional = true }
 rand = "0.8.4"
 rayon = "1.5.1"
-ruint = { git = "https://github.com/recmo/uint.git", rev = "1b14a406ec64e7e084c7e8116e349bc1a598e339", features = ["serde", "num-bigint", "ark-ff", "bytemuck"] }
+ruint = { version = "=1.11.0", features = [
+    "serde",
+    "num-bigint",
+    "ark-ff",
+    "bytemuck",
+] }
 semaphore-depth-config = { path = "crates/semaphore-depth-config" }
 serde = "1.0"
 sha2 = "0.10.1"

build.rs

@@ -90,7 +90,7 @@ fn build_circuit(depth: usize) -> Result<()> {
 #[cfg(feature = "dylib")]
 fn build_dylib(depth: usize) -> Result<()> {
     use color_eyre::eyre::eyre;
-    use enumset::enum_set;
+    use enumset::{enum_set, EnumSet};
     use std::{env, str::FromStr};
     use wasmer::{Module, Store, Target, Triple};
     use wasmer_compiler_cranelift::Cranelift;

crates/semaphore-depth-macros/src/lib.rs

@@ -101,8 +101,8 @@ impl VisitMut for IdentReplacer {
                 }
             }
             syn::Expr::Macro(mcr) => {
-                let Ok(mut args) =  mcr.mac.parse_body::<MacroArgs>() else {
-                     return;
+                let Ok(mut args) = mcr.mac.parse_body::<MacroArgs>() else {
+                    return;
                 };
                 for arg in &mut args.args {
                     self.visit_expr_mut(arg);

mit-license.md

@@ -1,6 +1,6 @@
 # The MIT License (MIT)
 
-Copyright © 2021 Worldcoin
+Copyright © 2021-2023 Worldcoin Foundation
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

src/lazy_merkle_tree.rs

@@ -1136,7 +1136,7 @@ impl<H: Hasher> MmapMutWrapper<H> {
         };
 
         file.set_len(file_size).expect("cannot set file size");
-        if file.write_all(&buf).is_err() {
+        if file.write_all(buf).is_err() {
             return Err(DenseMMapError::FileCannotWriteBytes);
         }
 

src/lib.rs

@@ -35,6 +35,7 @@ mod test {
         hash_to_field,
         identity::Identity,
         poseidon_tree::LazyPoseidonTree,
+        protocol,
         protocol::{generate_nullifier_hash, generate_proof, verify_proof},
         Field,
     };
@@ -90,6 +91,36 @@ mod test {
             assert!(success);
         }
     }
+
+    #[test_all_depths]
+    fn test_auth_flow(depth: usize) {
+        let mut secret = *b"oh so secret";
+        let id = Identity::from_secret(&mut secret[..], None);
+        let signal_hash = hash_to_field(b"signal");
+        let external_nullifier_hash = hash_to_field(b"appId");
+        let nullifier_hash = generate_nullifier_hash(&id, external_nullifier_hash);
+        let id_commitment = id.commitment();
+
+        let proof = protocol::authentication::generate_proof(
+            depth,
+            &id,
+            external_nullifier_hash,
+            signal_hash,
+        )
+        .unwrap();
+
+        let success = protocol::authentication::verify_proof(
+            depth,
+            id_commitment,
+            nullifier_hash,
+            signal_hash,
+            external_nullifier_hash,
+            &proof,
+        )
+        .unwrap();
+        assert!(success);
+    }
+
     #[test_all_depths]
     fn test_single(depth: usize) {
         // Note that rust will still run tests in parallel
@@ -114,15 +145,19 @@ mod test {
 #[cfg(feature = "bench")]
 pub mod bench {
     use crate::{
-        hash_to_field, identity::Identity, poseidon_tree::LazyPoseidonTree,
-        protocol::generate_proof, Field,
+        hash_to_field,
+        identity::Identity,
+        poseidon_tree::LazyPoseidonTree,
+        protocol::{generate_proof, generate_witness},
+        Field,
     };
     use criterion::Criterion;
     use semaphore_depth_config::get_supported_depths;
 
     pub fn group(criterion: &mut Criterion) {
         for depth in get_supported_depths() {
             bench_proof(criterion, *depth);
+            bench_witness(criterion, *depth);
         }
         crate::lazy_merkle_tree::bench::group(criterion);
     }
@@ -147,4 +182,25 @@ pub mod bench {
             });
         });
     }
+
+    fn bench_witness(criterion: &mut Criterion, depth: usize) {
+        let leaf = Field::from(0);
+
+        // Create tree
+        let mut hello = *b"hello";
+        let id = Identity::from_secret(&mut hello, None);
+        let mut tree = LazyPoseidonTree::new(depth, leaf).derived();
+        tree = tree.update(0, &id.commitment());
+        let merkle_proof = tree.proof(0);
+
+        // change signal and external_nullifier here
+        let signal_hash = hash_to_field(b"xxx");
+        let external_nullifier_hash = hash_to_field(b"appId");
+
+        criterion.bench_function(&format!("witness_{depth}"), move |b| {
+            b.iter(|| {
+                generate_witness(&id, &merkle_proof, external_nullifier_hash, signal_hash).unwrap();
+            });
+        });
+    }
 }

src/merkle_tree.rs

@@ -47,7 +47,8 @@ pub enum Branch<H: Hasher> {
 }
 
 /// Merkle proof path, bottom to top.
-#[derive(Clone, PartialEq, Eq, Serialize)]
+#[derive(Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(bound(deserialize = "H::Hash: Deserialize<'de>",))]
 pub struct Proof<H: Hasher>(pub Vec<Branch<H>>);
 
 /// For a given node index, return the parent node index

src/protocol/authentication.rs

@@ -0,0 +1,39 @@
+use crate::{
+    identity::Identity,
+    poseidon_tree::LazyPoseidonTree,
+    protocol::{Proof, ProofError},
+    Field,
+};
+
+pub fn generate_proof(
+    depth: usize,
+    identity: &Identity,
+    ext_nullifier_hash: Field,
+    signal_hash: Field,
+) -> Result<Proof, ProofError> {
+    let merkle_proof = LazyPoseidonTree::new(depth, Field::from(0))
+        .update(0, &identity.commitment())
+        .proof(0);
+    return super::generate_proof(identity, &merkle_proof, ext_nullifier_hash, signal_hash);
+}
+
+pub fn verify_proof(
+    depth: usize,
+    id_commitment: Field,
+    nullifier_hash: Field,
+    signal_hash: Field,
+    ext_nullifier_hash: Field,
+    proof: &Proof,
+) -> Result<bool, ProofError> {
+    let root = LazyPoseidonTree::new(depth, Field::from(0))
+        .update(0, &id_commitment)
+        .root();
+    return super::verify_proof(
+        root,
+        nullifier_hash,
+        signal_hash,
+        ext_nullifier_hash,
+        proof,
+        depth,
+    );
+}

src/protocol.rs → src/protocol/mod.rs

@@ -6,9 +6,10 @@ use crate::{
     poseidon_tree::PoseidonHash,
     Field,
 };
-use ark_bn254::{Bn254, Parameters};
+use ark_bn254::{Bn254, FrParameters, Parameters};
 use ark_circom::CircomReduction;
 use ark_ec::bn::Bn;
+use ark_ff::Fp256;
 use ark_groth16::{
     create_proof_with_reduction_and_matrices, prepare_verifying_key, Proof as ArkProof,
 };
@@ -18,9 +19,10 @@ use color_eyre::Result;
 use ethers_core::types::U256;
 use rand::{thread_rng, Rng};
 use serde::{Deserialize, Serialize};
-use std::time::Instant;
 use thiserror::Error;
 
+pub mod authentication;
+
 // Matches the private G1Tup type in ark-circom.
 pub type G1 = (U256, U256);
 
@@ -141,6 +143,31 @@ fn generate_proof_rs(
     r: ark_bn254::Fr,
     s: ark_bn254::Fr,
 ) -> Result<Proof, ProofError> {
+    let depth = merkle_proof.0.len();
+    let full_assignment =
+        generate_witness(identity, merkle_proof, external_nullifier_hash, signal_hash)?;
+
+    let zkey = zkey(depth);
+    let ark_proof = create_proof_with_reduction_and_matrices::<_, CircomReduction>(
+        &zkey.0,
+        r,
+        s,
+        &zkey.1,
+        zkey.1.num_instance_variables,
+        zkey.1.num_constraints,
+        full_assignment.as_slice(),
+    )?;
+    let proof = ark_proof.into();
+
+    Ok(proof)
+}
+
+pub fn generate_witness(
+    identity: &Identity,
+    merkle_proof: &merkle_tree::Proof<PoseidonHash>,
+    external_nullifier_hash: Field,
+    signal_hash: Field,
+) -> Result<Vec<Fp256<FrParameters>>, ProofError> {
     let depth = merkle_proof.0.len();
     let inputs = [
         ("identityNullifier", vec![identity.nullifier]),
@@ -157,31 +184,11 @@ fn generate_proof_rs(
         )
     });
 
-    let now = Instant::now();
-
-    let full_assignment = witness_calculator(depth)
+    witness_calculator(depth)
         .lock()
         .expect("witness_calculator mutex should not get poisoned")
         .calculate_witness_element::<Bn254, _>(inputs, false)
-        .map_err(ProofError::WitnessError)?;
-
-    println!("witness generation took: {:.2?}", now.elapsed());
-
-    let now = Instant::now();
-    let zkey = zkey(depth);
-    let ark_proof = create_proof_with_reduction_and_matrices::<_, CircomReduction>(
-        &zkey.0,
-        r,
-        s,
-        &zkey.1,
-        zkey.1.num_instance_variables,
-        zkey.1.num_constraints,
-        full_assignment.as_slice(),
-    )?;
-    let proof = ark_proof.into();
-    println!("proof generation took: {:.2?}", now.elapsed());
-
-    Ok(proof)
+        .map_err(ProofError::WitnessError)
 }
 
 /// Verifies a given semaphore proof