From ba7db5d456e1cc13a3d4695ddfe00f1547738198 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lucas=20Men=C3=A9ndez?= <hi@lucasmenendez.me>
Date: Thu, 14 Nov 2024 17:35:38 +0100
Subject: [PATCH] initial version (does not work)

---
 arbo/mimc_bls12_377/gnark.pprof            | Bin 0 -> 6079 bytes
 arbo/mimc_bls12_377/verifier.go            |  74 ++++++++++++
 arbo/mimc_bls12_377/verifier_test.go       | 134 +++++++++++++++++++++
 arbo/poseidon_bn254/gnark.pprof            | Bin 0 -> 4157 bytes
 arbo/{ => poseidon_bn254}/verifier.go      |   2 +-
 arbo/{ => poseidon_bn254}/verifier_test.go |   0
 go.mod                                     |   3 +
 7 files changed, 212 insertions(+), 1 deletion(-)
 create mode 100644 arbo/mimc_bls12_377/gnark.pprof
 create mode 100644 arbo/mimc_bls12_377/verifier.go
 create mode 100644 arbo/mimc_bls12_377/verifier_test.go
 create mode 100644 arbo/poseidon_bn254/gnark.pprof
 rename arbo/{ => poseidon_bn254}/verifier.go (97%)
 rename arbo/{ => poseidon_bn254}/verifier_test.go (100%)

diff --git a/arbo/mimc_bls12_377/gnark.pprof b/arbo/mimc_bls12_377/gnark.pprof
new file mode 100644
index 0000000000000000000000000000000000000000..37a6e0a182f65f057745427dfcfbc143bc97b9a2
GIT binary patch
literal 6079
zcmeI0YfMvD0LRg(u%T1OlsQCLmZ$^)5doo)8kdNamjhR%NKtu?0#|vJw%Tf#kKr1I
zRB%AsIp{7>u<}+)twPEKEXbqOs%=H&QQKM`?WKj5j?5VQL6&`8((~cmoAW;>x#xH8
zJ?EF}aLvl%pJG&q(tzkB!-E+{eOYhl5Unz1G7BT88d^yhFM_AH&5`6gpEm^tmo>RR
zxxD*!W+^H}@p5bpx#WS^`U2=Tw(Sd*<;=QV>qkjHzDdloljW;z=t;r^x^!~Z=jS3z
zX`+iu0_cS-a}ENFF`6M~(RK2>!XMq~`4%YU5Ag*am?Rae-=((kl4hX;A9pHkq&BKC
zkzeYG`ENHO2KjI!aj9d-c4JAu-*MMwFJ?l@h-;dJRIgKHmJ}36){LiQCJ?oP3jRG_
zNXy-**cYjL(%%92SgmzfSF>JvpX)~&)mhpblXX|y=)h-&k9B?5rpK<j<*;IW;oyZQ
z8&^yZIv$*|TrqXr<f#5+#dMR^riE22rdDgL{^gn1tp16(;!um#s}8|ePA^)Rr~96c
zd3E2DSiYKHW)m3ZZ`TBdd8;ykVcwZdV3-dg6By=m*93-HGd{pDYsLo_X3a2RVPVz`
z6B=gCFo9v#3=<e;%`kys)(jIE|4Yr-ddP^#^x@pO?h;eOU|@Q2h#=hZzcz;nCu$Ey
zb__a88_Yll^@<W{;Vvu&s-@IB+@A&Fq5cRQ0-QtnQnTkM$XOJs`xy@5#9~l5<=}AD
z&DhuE;m7joLPMMrP$_7qm5P9gUJsmqT_P!}Cj!-rkp)9Y+Mp<3kCYsltZ^p6xcivJ
z+%h*Ib6hpqOHR>U(aoMihhapq7#zZO7Uf$O(;b2LWic{E*OnWc)tdG~TD7Y_+6AaY
zqQjyfP*(>aBkxnZ2N`d8aJNaaIu#uz7fB~o@DkzR;g(`B>)!SB38xqzyfUS^?N@O4
zHqv&ELWBFU3uh7fv2xt4uZhf}!Ehu-@En9K&mM`Y7Ee_+m3u}rl^#?|iU=i7)u8-g
z!k%YxDkU_@u5M0gO{E|kz-Zg&{aN9NC}wk%6Il^17rkjqgigpa77@D`0!0clrmio(
zzjYQ`?mg0A#Bh$sV7&;{8siPDD|@63UDr@Mw1CpQ#X}kL8!63&+0h*6(o%#$FdBcN
z@6Wt}TqGp#>|V+pA)UoG!P>J4VEX`9qY<LzX!+y(4Cs`*y?EP}p|T3u8Pa~XgzL+3
z-@_LAw$2B@qIqik{9-~>a1u}g1n-3LPQEaXLdiK;V-EI!NXaj7>Kfmb01*6cO620-
zLc1DIw+rlwIc^#Gl7imTC@2TIl9$o?mF-yFD<MZ22&g1E0JcFuQ2R(>xy^*J!}Egv
za-p4qoW7wZ?{Lvsk(j0yrWYh8V7+j0`*#GxWm0W<SZrSlo}DKWOFF-e<yoG;N{h`t
z8r(Y&e@>p0-KEdFjRc8%adAht8v5M}&Oh$FNQXb%sC(&7oTkIODhfwtVy{+U(eP1V
zc=Pmt&B70*Qtd=Ni_d5CrX_@-?$@D4<yz?Ez89sx1knFrtq17}{!W%6B!FEZn)-b=
zAy1|ZR1FMsjWdS$eVoX*8!qz#wUURUkp!Zx8>!ljG|zw4mwZA^f^K?4x`pXaCGtAm
z!#TVA`YJdat{q=G2^uHjmNqXQ^C9V#SO~iy_4&r1p4JC2+1@$<S-2o})8>oqDOiHF
zkfh&YSbHFYz`Kjr&i!={ZJ(v>AP8_${UBX+tG*U5Lrqc#VBRdOR4P@H#)7`P76CW(
z0Ij~K34`2R{jRwj-S_TPHJ8xgpcu`SKP{;&4+-cL@x`2_=mK3f!7;`U>Z{V9x#RH+
zKShE9L+`3mw{u&upaGyy*SEtAiXtNSsng{~8@Q}<W-JU3ptkF)4(!g^u^8wONC-1H
RTUZ#4k5XSk(!F0={0)3bxF7%k

literal 0
HcmV?d00001

diff --git a/arbo/mimc_bls12_377/verifier.go b/arbo/mimc_bls12_377/verifier.go
new file mode 100644
index 0000000..068c0e3
--- /dev/null
+++ b/arbo/mimc_bls12_377/verifier.go
@@ -0,0 +1,74 @@
+package arbo
+
+import (
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/std/hash/mimc"
+)
+
+// prevLevel function calculates the previous level of the merkle tree given the
+// current leaf, the current path bit of the leaf, the validity of the sibling
+// and the sibling itself.
+func prevLevel(api frontend.API, leaf, ipath, valid, sibling frontend.Variable) (frontend.Variable, error) {
+	// l, r = path == 1 ? sibling, current : current, sibling
+	l, r := api.Select(ipath, sibling, leaf), api.Select(ipath, leaf, sibling)
+	// intermediateLeafKey = H(l | r)
+	hash, err := mimc.NewMiMC(api)
+	if err != nil {
+		return 0, err
+	}
+	hash.Write(l, r)
+	intermediateLeafKey := hash.Sum()
+	// newCurrent = valid == 1 ? current : intermediateLeafKey
+	return api.Select(valid, intermediateLeafKey, leaf), nil
+}
+
+// strictCmp function compares a and b and returns:
+//
+//	1 a != b
+//	0 a == b
+func strictCmp(api frontend.API, a, b frontend.Variable) frontend.Variable {
+	return api.Select(api.IsZero(api.Sub(a, b)), 0, 1)
+}
+
+// isValid function returns 1 if the the sibling provided is a valid sibling or
+// 0 otherwise. To check if the sibling is valid, its leaf value and it must be
+// different from the previous leaf value and the previous sibling.
+func isValid(api frontend.API, sibling, prevSibling, leaf, prevLeaf frontend.Variable) frontend.Variable {
+	cmp1, cmp2 := strictCmp(api, leaf, prevLeaf), strictCmp(api, sibling, prevSibling)
+	return api.Select(api.Or(cmp1, cmp2), 1, 0)
+}
+
+// CheckProof receives the parameters of a proof of Arbo to recalculate the
+// root with them and compare it with the provided one, verifiying the proof.
+func CheckProof(api frontend.API, key, value, root frontend.Variable, siblings []frontend.Variable) error {
+	// calculate the path from the provided key to decide which leaf is the
+	// correct one in every level of the tree
+	path := api.ToBinary(key, len(siblings))
+	// calculate the value leaf to start with it to rebuild the tree
+	//   leafValue = H(key | value | 1)
+	hash, err := mimc.NewMiMC(api)
+	if err != nil {
+		return err
+	}
+	hash.Write(key, value, 1)
+	leafValue := hash.Sum()
+	api.Println("[gnark] leafKey", key)
+	api.Println("[gnark] leafValue", leafValue)
+	// calculate the root and compare it with the provided one
+	prevLeaf := leafValue
+	currentLeaf := leafValue
+	prevSibling := frontend.Variable(0)
+	for i := len(siblings) - 1; i >= 0; i-- {
+		// check if the sibling is valid
+		valid := isValid(api, siblings[i], prevSibling, currentLeaf, prevLeaf)
+		prevLeaf = currentLeaf
+		prevSibling = siblings[i]
+		// compute the next leaf value
+		currentLeaf, err = prevLevel(api, currentLeaf, path[i], valid, siblings[i])
+		if err != nil {
+			return err
+		}
+	}
+	api.AssertIsEqual(currentLeaf, root)
+	return nil
+}
diff --git a/arbo/mimc_bls12_377/verifier_test.go b/arbo/mimc_bls12_377/verifier_test.go
new file mode 100644
index 0000000..9f0ecd2
--- /dev/null
+++ b/arbo/mimc_bls12_377/verifier_test.go
@@ -0,0 +1,134 @@
+package arbo
+
+import (
+	"fmt"
+	"log"
+	"math/big"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/consensys/gnark-crypto/ecc"
+	"github.com/consensys/gnark/backend"
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/frontend/cs/r1cs"
+	"github.com/consensys/gnark/profile"
+	"github.com/consensys/gnark/test"
+	arbotree "github.com/vocdoni/arbo"
+	"go.vocdoni.io/dvote/db"
+	"go.vocdoni.io/dvote/db/pebbledb"
+	"go.vocdoni.io/dvote/tree/arbo"
+	"go.vocdoni.io/dvote/util"
+)
+
+type testVerifierCircuit struct {
+	Root     frontend.Variable
+	Key      frontend.Variable
+	Value    frontend.Variable
+	Siblings [160]frontend.Variable
+}
+
+func (circuit *testVerifierCircuit) Define(api frontend.API) error {
+	return CheckProof(api, circuit.Key, circuit.Value, circuit.Root, circuit.Siblings[:])
+}
+
+func TestVerifier(t *testing.T) {
+	p := profile.Start()
+	now := time.Now()
+	_, _ = frontend.Compile(ecc.BLS12_377.ScalarField(), r1cs.NewBuilder, &testVerifierCircuit{})
+	fmt.Println("elapsed", time.Since(now))
+	p.Stop()
+	fmt.Println("constrains", p.NbConstraints())
+
+	assert := test.NewAssert(t)
+
+	// inputs := successInputs(t, 10)
+	inputs, err := generateCensusProof(10, util.RandomBytes(20), big.NewInt(10).Bytes())
+	if err != nil {
+		t.Fatal(err)
+	}
+	// binputs, _ := json.MarshalIndent(inputs, "  ", "  ")
+	// fmt.Println("inputs", string(binputs))
+	assert.SolvingSucceeded(&testVerifierCircuit{}, &inputs, test.WithCurves(ecc.BLS12_377), test.WithBackends(backend.GROTH16))
+}
+
+var baseField, _ = new(big.Int).SetString("25825498262808887005865186224201665565126143020923472090132963926938185026661", 10)
+
+// BigToFF function returns the finite field representation of the big.Int
+// provided. It uses Euclidean Modulus and the BN254 curve scalar field to
+// represent the provided number.
+func BigToFF(iv *big.Int) *big.Int {
+	z := big.NewInt(0)
+	if c := iv.Cmp(baseField); c == 0 {
+		return z
+	} else if c != 1 && iv.Cmp(z) != -1 {
+		return iv
+	}
+	return z.Mod(iv, baseField)
+}
+
+func generateCensusProof(n int, k, v []byte) (testVerifierCircuit, error) {
+	dir := os.TempDir()
+	defer func() {
+		_ = os.RemoveAll(dir)
+	}()
+	database, err := pebbledb.New(db.Options{Path: dir})
+	if err != nil {
+		return testVerifierCircuit{}, err
+	}
+	tree, err := arbotree.NewTree(arbotree.Config{
+		Database:     database,
+		MaxLevels:    160,
+		HashFunction: arbotree.HashFunctionMiMC_BLS12_377,
+	})
+	if err != nil {
+		return testVerifierCircuit{}, err
+	}
+	k = BigToFF(new(big.Int).SetBytes(k)).Bytes()
+	// add the first key-value pair
+	if err = tree.Add(k, v); err != nil {
+		return testVerifierCircuit{}, err
+	}
+	h := tree.HashFunction()
+	r, _ := h.Hash(k, v, []byte{1})
+	log.Println("[go] leafKey", new(big.Int).SetBytes(k))
+	log.Println("[go] leafValue", new(big.Int).SetBytes(r))
+	// add random addresses
+	for i := 1; i < n; i++ {
+		rk := BigToFF(new(big.Int).SetBytes(util.RandomBytes(20))).Bytes()
+		rv := new(big.Int).SetBytes(util.RandomBytes(8)).Bytes()
+		if err = tree.Add(rk, rv); err != nil {
+			return testVerifierCircuit{}, err
+		}
+	}
+	// generate the proof
+	_, _, siblings, exist, err := tree.GenProof(k)
+	if err != nil {
+		return testVerifierCircuit{}, err
+	}
+	if !exist {
+		return testVerifierCircuit{}, fmt.Errorf("error building the merkle tree: key not found")
+	}
+	unpackedSiblings, err := arbo.UnpackSiblings(arbo.HashFunctionPoseidon, siblings)
+	if err != nil {
+		return testVerifierCircuit{}, err
+	}
+	paddedSiblings := [160]frontend.Variable{}
+	for i := 0; i < 160; i++ {
+		if i < len(unpackedSiblings) {
+			paddedSiblings[i] = arbo.BytesLEToBigInt(unpackedSiblings[i])
+		} else {
+			paddedSiblings[i] = big.NewInt(0)
+		}
+	}
+	root, err := tree.Root()
+	if err != nil {
+		return testVerifierCircuit{}, err
+	}
+	return testVerifierCircuit{
+		Root:     root,
+		Key:      k,
+		Value:    new(big.Int).SetBytes(v),
+		Siblings: paddedSiblings,
+	}, nil
+}
diff --git a/arbo/poseidon_bn254/gnark.pprof b/arbo/poseidon_bn254/gnark.pprof
new file mode 100644
index 0000000000000000000000000000000000000000..528d18950545ed0257022d115d851a7cbd7d3f85
GIT binary patch
literal 4157
zcmeI0Yg1EK6o&0+MO!qT0R@Zpd~n24!9xKBnqbBoj>UquBjN>)+5)zMfdGb(khG<e
zu?$H&TmniGryxvA5jDjKCzsMFr$I=-RJkT8#DGA^#RL+PoSXtbpuZsd)0(}XnRm^a
zz1O>D0~H(AtS-zrlul~M&Ooe1QOSG9J|iQ?g;h<t<8WA0bBAc>PiakC228)StsAZB
z3jF$DAX4Al7|M^-ANdIUHkut*b~tYGy<taL@mlfQF+ysc%O$$6DED^S<Kb)WXa`|9
znW5`Hcy=y1mz2v-#}}2{XH4aYrvAF|ZqVKfkMpd~UvdbY!{Y>D=R$9%EkzlWs?_w>
zFYT+V*pp=#PxsXJE&g~mo-*bykMx&&Wc#?OeZ8IVlcpH%nU%o9B<<fn1WDd#CiMCj
z*+|FLAujSTzIfhM1zwYSdn#KHo+1CL&3HLbwq&3DYxbz9<U8J1L1#v0k5a6L2lJ;N
zl?>*78C-rTxIFVBH+5xuBQ5_rwWckjkPE$YzWFfr$~jvj;&&iw{ZOEye{S+f!^Ks;
zv^CuJko4`%fbguzbt~yb{+?COEnRz};o`>uyH}A*`<{u7Ar~jtRn*6IuMqyNXQwiC
zYXWws^*!0RB6=yUKMHiOuZ!!x9GbjJ$iJzjj>P`?WaHN8{O?zY;8bDXGwEBQ$@lAS
z2CUZM{;kZ6#Z8g<-#=Z}S`~WXOGWOhitn!YUXZV^_`0pngM4=AvqRtL^#23pVnmN(
zq+e~A7iva34xWXJy1>jfpt{3UC9VDfz0)x36@!LC;)gA8YiU>+<K%ixs_fKD_rgOh
zI`pfwI(iwI(atBukKuYpOo`B^Gk$l&Wse?+`=N!9Od$k@XqfkwqgDvKt&v5r+wF6i
zt?sc7X>|d5NBmr4Op2F@4Gh_-z2OEK_?3v@y__$8Odrriu*aV1bs(Eti!je^2SE<@
zFitw!&MnZ$HoHE*XD=g5X>FhZM(<pBt({HUwpTFgMiV=`evk#*Lk#C+8C@nI2>5&9
zu6Tr0JyZ*MrqyU7RRV!QFqTHgDj6pq!3CvZv9%P}L8w=$ZkKct(qAXda9f_0hLI8&
zrb==F6=9~0Pt6<3h{F+?Z6W?c6s572{2Lx0jt_zFHkkIa&g0vSwNbB?n^d6ekv2W}
zIzEV!6tB+3f%6x%5r!Pctff~;p(KTA@`{V7+)C4^#q~V*diy3wNBvS%-Dc{^%chpx
zr4<Z=Dbrn|@>s5k?pU<M);iz;bjtGb%|AtEe+pM88Ae}PG={HX8tJj9fNJLrzMQaM
zVG!_j+jppr&9T(1V@RV2I5DkP@MZ>EM4UvKZHy+m&OvPYlpdiXyUJ>mD~y(jS5Dqw
z<%pYQlbnY|K(a}*O{E=i%a`Z`y!VQ?yRd{r&x>(2!c}?|pw;3Vv^t2;@4VtQ&@t0s
zx3L0MWvLtW)<GUBU-Dvw0;^Y`M1)IT35(@tbL$(IPpmqlj%Ok|Crw^-hKIH@`NU$o
zMB>ot+!+gWw;wK4@IkoXN>suvvxdi3YWUk#4t5K0g1tElVr#MTGen|P$i)72+R*j`
zuZFCLWaPOUB{BT|-4%kTZ{oLtg;$q;C*Ee{MFJe@1b=tNl-|!{NTUC&I?y9PX92yM
z<)7j`L_n2h;xy?Wb%@8a3;ifU>wFQw+z&7g9PmuG2xsiV!DD+wr7;QO=!9FIH_hf9
zN+~^$P-^bZAv4JYY7E~D^j%AF$h@gmj#<?#1gCJDHzTS7H+qbN{SjoI)L<_FOp8MV
zpRs!yWyRgGi~STL{ib<A{WJj7TIL{!O2zTICb}hqILHD#fV76^3KFJ}(;9U&<$3S}
z+Pq?H6z*`V5rnchRRue6iA2{H#)rDR+Z@QEW|HT!Rr!=p-Y-vaTIKFW9ArNYUL%`k
zC=7ZeMz_PN0+nHBdxK|ycnhNwZnGJd2BHwb0emMa092tY1kf@gUDkKKyAoh^O@OYx
zj~M?rw$oOFu?5rH_~Y5`S2VXG$Bs^W(il;##2F6a=wTr$^f-~>RHV4Nb3Cs(2&c!9
b;jChmwD{?k%*%fT7*@UI+^+*~ZCLXkf|<hE

literal 0
HcmV?d00001

diff --git a/arbo/verifier.go b/arbo/poseidon_bn254/verifier.go
similarity index 97%
rename from arbo/verifier.go
rename to arbo/poseidon_bn254/verifier.go
index 3ffe3f8..df47060 100644
--- a/arbo/verifier.go
+++ b/arbo/poseidon_bn254/verifier.go
@@ -41,7 +41,7 @@ func isValid(api frontend.API, sibling, prevSibling, leaf, prevLeaf frontend.Var
 func CheckProof(api frontend.API, key, value, root frontend.Variable, siblings []frontend.Variable) error {
 	// calculate the path from the provided key to decide which leaf is the
 	// correct one in every level of the tree
-	path := api.ToBinary(key, api.Compiler().FieldBitLen())
+	path := api.ToBinary(key, len(siblings))
 	// calculate the value leaf to start with it to rebuild the tree
 	//   leafValue = H(key | value | 1)
 	leafValue, err := poseidon.Hash(api, key, value, 1)
diff --git a/arbo/verifier_test.go b/arbo/poseidon_bn254/verifier_test.go
similarity index 100%
rename from arbo/verifier_test.go
rename to arbo/poseidon_bn254/verifier_test.go
diff --git a/go.mod b/go.mod
index 3349c52..6636e79 100644
--- a/go.mod
+++ b/go.mod
@@ -2,10 +2,13 @@ module github.com/vocdoni/gnark-crypto-primitives
 
 go 1.23.2
 
+replace github.com/vocdoni/arbo => ../arbo
+
 require (
 	github.com/consensys/gnark v0.11.0
 	github.com/consensys/gnark-crypto v0.14.0
 	github.com/iden3/go-iden3-crypto v0.0.17
+	github.com/vocdoni/arbo v0.0.0-20241114123238-8b237b4e83fa
 	github.com/vocdoni/vocdoni-z-sandbox v0.0.0-20241113074257-1a711ad38a6b
 	go.vocdoni.io/dvote v1.10.2-0.20241024102542-c1ce6d744bc5
 )