mithril_risc0: RISC0 host-converter support on top of 2617.0 #2

Open
Sbcdn wants to merge 1 commit into main from mithril_risc0_2617

@Sbcdn Sbcdn commented Jun 2, 2026

Collaborator

Summary

Refresh of the fork patches needed by downstream RISC0 zkVM verifier consumers (e.g. mithril-dwarf) on top of upstream Mithril distribution 2617.0. Three patch groups, all additive — no behaviour change to upstream Mithril clients that don't enable the new APIs.

1. Build / dependency pins for RISC0 compatibility

  • mithril-common/Cargo.toml: pin ed25519-dalek to =2.1.1. The RISC0 curve25519-dalek precompile fork is tagged on the 2.1.x line; 2.2.0 isn't supported yet.
  • mithril-common/Cargo.toml: pin fixed to =1.29.0. fixed 1.30+ requires rustc 1.93, ahead of what the RISC0 toolchain ships.
  • mithril-stm/Cargo.toml: pin blst to =0.3.15. Matches the version downstream consumers rely on for their BLS identity-point rejection behaviour pin.

2. API exposure for custom serializer / deserializer consumers

Downstream zkVM verifiers maintain their own zero-copy wire format and need to construct, inspect, and round-trip the 2617.0 type hierarchy from arbitrary byte input. Surfaces the constructors and borrowing getters that are currently pub(crate):

  • MerkleTreeBatchCommitment::new + nr_leaves()
  • MerkleBatchPath::values() + indices() (needed because 2617.0 switched to_bytes() to CBOR; consumers that maintain the legacy raw layout need direct field access)
  • ConcatenationProof::new + signatures()
  • SingleSignatureForConcatenation::new + sigma() + indexes() (plus crate-level visibility on the type)
  • SingleSignature::new + concatenation_signature()
  • AggregateVerificationKeyForConcatenation::new + get_mt_commitment()
  • Crate-root re-exports for the membership-commitment and proof-system types

3. Defensive bounds check

AggregateVerificationKeyForConcatenation::from_bytes_legacy previously sliced &bytes[size - 8..] without bounds-checking, causing a panic on inputs shorter than 8 bytes instead of returning SerializationError. Now checked_sub guarded.

Diff footprint

12 files, +126 / −21. None of this changes serialization or verification behaviour for existing upstream consumers — every change is either an additive pub constructor / getter, a tightened version pin in a non-public Cargo manifest, or a defensive bounds check.

Test plan

  • cargo build --release -p mithril-stm and -p mithril-common clean
  • cargo build --release -p mithril-stm --features benchmark-internals,num-integer-backend clean
  • cargo build --release -p mithril-client --features num-integer-backend,rustls clean
  • Downstream consumer (mithril-dwarf) builds against this rev with its full equivalence harness green (12/12 equivalence tests, 7/7 intentional-divergence pins, 8/8 src/ unit tests)

Downstream

Notes

This branch supersedes the older mithril_risc0 branch which targeted Mithril 2537.0. Once this lands, that branch can be archived.

Three patch groups, all needed for downstream RISC0 zkVM verifier
consumers (e.g. mithril-dwarf) to construct, inspect, and serialize
the new 2617.0 type hierarchy from their custom wire format.

## Build / dependency pins for RISC0 compatibility

* mithril-common/Cargo.toml: pin ed25519-dalek to =2.1.1 (RISC0's
  curve25519-dalek precompile fork is tagged on the 2.1.x line; 2.2.0
  is not yet supported by the precompile).
* mithril-common/Cargo.toml: pin fixed to =1.29.0 (fixed 1.30+ requires
  rustc 1.93, ahead of what the RISC0 toolchain ships).
* mithril-stm/Cargo.toml: pin blst to =0.3.15 (matches the blst
  version downstream consumers rely on for their BLS identity-point
  rejection behaviour pin; 0.3.16 tightens identity rejection which
  would break that pin's contract).

## API exposure for custom serializer / deserializer consumers

mithril-stm/src/lib.rs:
* Re-export MerkleBatchPath, MerkleTreeBatchCommitment,
  MerkleTreeConcatenationLeaf, MerkleTreeLeaf so downstream consumers
  don't have to reach into private modules.
* Re-export ConcatenationProof and SingleSignatureForConcatenation
  from the proof_system layer (both were previously pub(crate)).
* Gate `pub use hash::poseidon::MidnightPoseidonDigest` on
  `all(feature = "benchmark-internals", feature = "future_snark")`;
  the previous gate on `benchmark-internals` alone failed to compile
  when `future_snark` was off because `mod hash` is gated on
  `future_snark`.

mithril-stm/src/membership_commitment/merkle_tree/commitment.rs:
* Promote `MerkleTreeBatchCommitment::new` from `pub(crate)` to `pub`.
* Add `pub fn nr_leaves(&self) -> usize` getter.

mithril-stm/src/membership_commitment/merkle_tree/path.rs:
* Add `pub fn values(&self) -> &[Vec<u8>]` and
  `pub fn indices(&self) -> &[usize]` getters on `MerkleBatchPath`.
  Needed because 2617.0 switched `to_bytes()` to CBOR with a version
  prefix, but downstream consumers maintain the legacy raw byte
  layout in their wire format and need direct access to the
  components to emit it.

mithril-stm/src/proof_system/concatenation/aggregate_key.rs:
* Add `pub fn new(mt_commitment, total_stake)` constructor and
  `pub fn get_mt_commitment(&self) -> &MerkleTreeBatchCommitment<...>`
  borrowing getter on `AggregateVerificationKeyForConcatenation`.

mithril-stm/src/proof_system/concatenation/proof.rs:
* Add `pub fn new(signatures, batch_proof)` constructor and
  `pub fn signatures(&self) -> &[SingleSignatureWithRegisteredParty]`
  borrowing getter on `ConcatenationProof`.

mithril-stm/src/proof_system/concatenation/single_signature.rs:
* Promote `SingleSignatureForConcatenation` from `pub(crate)` to `pub`.
* Promote its `new(sigma, indexes)` constructor from `pub(crate)` to
  `pub` and add `sigma()` / `indexes()` borrowing getters.

mithril-stm/src/proof_system/concatenation/mod.rs:
mithril-stm/src/proof_system/mod.rs:
* Re-export `SingleSignatureForConcatenation` publicly at both module
  layers (was `pub(crate)`).

mithril-stm/src/protocol/single_signature/signature.rs:
* Add `pub fn new(concatenation_signature, signer_index, ...)`
  constructor and `pub fn concatenation_signature(&self) -> &...`
  borrowing getter on `SingleSignature`.

## Defensive bounds check on legacy AVK decoder

mithril-stm/src/proof_system/concatenation/aggregate_key.rs:
* `AggregateVerificationKeyForConcatenation::from_bytes_legacy`
  previously sliced `&bytes[size - 8..]` without bounds-checking, so
  inputs shorter than 8 bytes caused an out-of-range slice panic
  instead of returning the proper SerializationError. Now bounds-
  checked via `checked_sub` so malformed input returns
  `MerkleTreeError::SerializationError` and the caller can handle it.
  Surfaces when upstream's `verify_aggregate_verification_key_chaining`
  calls `try_from(&str)` on a NextAvk string that fails to decode
  cleanly (e.g. during round-trip-canonicalisation testing).
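
The short-input failure described for `from_bytes_legacy`, shown as the unchecked and `checked_sub` forms side by side. This is an added example, not code from the PR or from mithril-stm: the layout (payload followed by an 8-byte big-endian stake), `LegacyKey`, `DecodeError` and the function names are assumptions made for illustration.

```rust
// Added example: layout and names are assumptions, not mithril-stm's own types.
use std::panic;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    SerializationError, // stand-in for MerkleTreeError::SerializationError
}

#[derive(Debug, PartialEq)]
pub struct LegacyKey {
    pub commitment: Vec<u8>,
    pub total_stake: u64,
}

/// "Before" shape: `size - 8` overflows (debug) or wraps into an
/// out-of-range slice start (release) when fewer than 8 bytes arrive.
pub fn decode_unchecked(bytes: &[u8]) -> Result<LegacyKey, DecodeError> {
    let size = bytes.len();
    let mut stake = [0u8; 8];
    stake.copy_from_slice(&bytes[size - 8..]);
    Ok(LegacyKey {
        commitment: bytes[..size - 8].to_vec(),
        total_stake: u64::from_be_bytes(stake),
    })
}

/// "After" shape: `checked_sub` turns the short-input case into an error.
pub fn decode_checked(bytes: &[u8]) -> Result<LegacyKey, DecodeError> {
    let split = bytes
        .len()
        .checked_sub(8)
        .ok_or(DecodeError::SerializationError)?;
    let (commitment, tail) = bytes.split_at(split); // tail is exactly 8 bytes
    let mut stake = [0u8; 8];
    stake.copy_from_slice(tail);
    Ok(LegacyKey {
        commitment: commitment.to_vec(),
        total_stake: u64::from_be_bytes(stake),
    })
}

/// True when the closure panics instead of returning.
pub fn panics<F: FnOnce() -> R + panic::UnwindSafe, R>(f: F) -> bool {
    panic::catch_unwind(f).is_err()
}

fn main() {
    let short = [0xAAu8; 5]; // constructed malformed input, shorter than 8 bytes
    println!("checked: {:?}", decode_checked(&short));
    println!("unchecked panics: {}", panics(|| decode_unchecked(&short)));
}
```

A decoder that panics on attacker-supplied bytes aborts the calling thread or process, while the checked form lets the caller reject the input through its normal error path.
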
Comment on lines +35 to +39
pub fn new(
concatenation_signature: SingleSignatureForConcatenation,
signer_index: SignerIndex,
#[cfg(feature = "future_snark")] snark_signature: Option<SingleSignatureForSnark>,
) -> Self {
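
Review bot: The `#[cfg(feature = "future_snark")]` attribute on the `snark_signature` parameter makes the arity of this public `new` depend on a Cargo feature. Cargo unifies features across the dependency graph, so a downstream crate written against the two-argument form stops compiling as soon as any other dependency enables `future_snark` on mithril-stm. Consider keeping the public signature identical in both configurations, for example a two-argument `new` plus a separate feature-gated constructor or setter for the SNARK signature.
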
github-actions Bot commented Jun 2, 2026


Test Results

     5 files  ± 0     206 suites  ±0   55m 5s ⏱️ - 3h 47m 42s
 3 065 tests  - 54   3 065 ✅  - 54  0 💤 ±0  0 ❌ ±0 
10 473 runs   - 57  10 473 ✅  - 57  0 💤 ±0  0 ❌ ±0 

Results for commit 7e787de. ± Comparison against base commit 443ace0.

This pull request removes 54 tests.
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::index_out_of_bounds
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::index_too_large_for_circuit_range
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::indices_not_increasing
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::leaf_merkle_path_mismatch
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::leaf_swap_keep_merkle_path
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::leaf_wrong_verification_key
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::merkle_path_corrupt_sibling
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::merkle_path_flip_position
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::merkle_path_length_long
mithril-stm ‑ circuits::halo2::tests::golden::cases::negative::slow::merkle_path_length_short
…
