update RStarM compiling

Author: 0xmovses

protocol-units/dispute/src/Dispute.sol

@@ -5,20 +5,31 @@ import {Output, OutputLib, Receipt, ReceiptClaim, ReceiptClaimLib, IRiscZeroVeri
 import {Groth16Verifier} from "./groth16/Groth16Verifier.sol";
 import {SafeCast} from "openzeppelin-contracts/contracts/utils/math/SafeCast.sol";
 
-contract Dispute is IRiscZeroVerifier, Groth16Verifier {
+/// @notice A Groth16 seal over the claimed receipt claim.
+struct Seal {
+    uint256[2] a;
+    uint256[2][2] b;
+    uint256[2] c;
+}
+
+contract RStarM is IRiscZeroVerifier, Groth16Verifier {
+    using ReceiptClaimLib for ReceiptClaim;
+    using OutputLib for Output;
+    using SafeCast for uint256;
+
     struct Validator {
         bool isRegistered;
         uint256 stake;
     }
 
     struct OptimisticCommitment {
-        bytes blockHash;
+        bytes32 blockHash;
         bytes stateCommitment; // The state commitment associated with the block
         uint256 validatorCount; // Number of validators who have submitted this commitment
     }
 
     struct Dispute {
-        bytes blockHash;
+        bytes32 blockHash;
         uint256 timestamp;
         DisputeState state;
     }
@@ -45,17 +56,27 @@ contract Dispute is IRiscZeroVerifier, Groth16Verifier {
     uint256 public p; // Time to run the zero-knowledge proof
     uint256 public m; // Minimum number of validators required to accept a block
 
+    /// @notice Control ID hash for the identity_p254 predicate decomposed by `splitDigest`.
+    /// @dev This value controls what set of recursion programs, and therefore what version of the
+    /// zkVM circuit, will be accepted by this contract. Each instance of this verifier contract
+    /// will accept a single release of the RISC Zero circuits.
+    ///
+    /// New releases of RISC Zero's zkVM require updating these values. These values can be
+    /// obtained by running `cargo run --bin bonsai-ethereum-contracts -F control-id`
+    uint256 public immutable CONTROL_ID_0;
+    uint256 public immutable CONTROL_ID_1;
+
     mapping(address => Validator) public validators;
-    mapping(bytes => Dispute) public disputes;
+    mapping(bytes32 => Dispute) public disputes;
     mapping(bytes32 => Proof) public verifiedProofs; // Maps blockHash to Proof
     mapping(bytes32 => OptimisticCommitment) public optimisticCommitments; // Maps blockHash to OptimisticCommitment
 
     IRiscZeroVerifier public verifier;
 
     event ValidatorRegistered(address indexed validator, uint256 stake);
     event ValidatorDeregistered(address indexed validator);
-    event DisputeSubmitted(bytes indexed disputeHash, bytes blockHash, address indexed submitter);
-    event DisputeResolved(bytes indexed disputeHash, DisputeState state);
+    event DisputeSubmitted(bytes32 indexed disputeHash, bytes32 blockHash, address indexed submitter);
+    event DisputeResolved(bytes32 indexed disputeHash, DisputeState state);
     event ProofSubmitted(bytes32 indexed blockHash, bool isValid);
     event ProofVerified(bytes32 indexed blockHash, bool isValid);
     event BlockAccepted(bytes32 indexed blockHash);
@@ -86,14 +107,16 @@ contract Dispute is IRiscZeroVerifier, Groth16Verifier {
         emit ValidatorDeregistered(msg.sender);
     }
 
-    function submitDispute(bytes calldata blockHash) external {
-        bytes memory disputeHash = abi.encodePacked(blockHash, msg.sender, block.timestamp);
+    // We probably want to use bytes calldata here to reduce gas but going with bytes32 for now as we 
+    // need it elsewhere.
+    function submitDispute(bytes32 blockHash) external {
+        bytes32 disputeHash = keccak256(abi.encodePacked(blockHash, msg.sender, block.timestamp));
         require(disputes[disputeHash].timestamp == 0, "Dispute already submitted");
         disputes[disputeHash] = Dispute(blockHash, block.timestamp, DisputeState.SUBMITTED);
         emit DisputeSubmitted(disputeHash, blockHash, msg.sender);
     }
 
-    function resolveDispute(bytes calldata disputeHash, DisputeState state) external {
+    function resolveDispute(bytes32 disputeHash, DisputeState state) external {
         require(state > DisputeState.SUBMITTED && state <= DisputeState.UNVERIFIABLE, "Invalid state transition");
         Dispute storage dispute = disputes[disputeHash];
         require(dispute.timestamp != 0, "Dispute not found");
@@ -102,17 +125,53 @@ contract Dispute is IRiscZeroVerifier, Groth16Verifier {
         emit DisputeResolved(disputeHash, state);
     }
 
-    function submitProof(bytes32 blockHash, Receipt calldata receipt, bytes32[] calldata publicInputs) external {
+    // removed publicInputs from the function signature as I don't think we need it. 
+    function submitProof(bytes32 blockHash, Receipt calldata receipt) external {
         require(!verifiedProofs[blockHash].exists, "Proof already submitted for this block");
         bool isValid = verifier.verify_integrity(receipt);
         verifiedProofs[blockHash] = Proof(blockHash, isValid, true);
         emit ProofSubmitted(blockHash, isValid);
     }
 
-    // Additional checks or logic could be implemented here based on the application's needs
-    function verifyProof(bytes32 blockHash) external view returns (bool isValid, bool exists) {
-        require(verifiedProofs[blockHash].exists, "Proof not found");
-        return (verifiedProofs[blockHash].isValid, verifiedProofs[blockHash].exists);
+    /// @notice splits a digest into two 128-bit words to use as public signal inputs.
+    /// @dev RISC Zero's Circom verifier circuit takes each of two hash digests in two 128-bit
+    /// chunks. These values can be derived from the digest by splitting the digest in half and
+    /// then reversing the bytes of each.
+    function splitDigest(bytes32 digest) internal pure returns (uint256, uint256) {
+        uint256 reversed = reverseByteOrderUint256(uint256(digest));
+        return (uint256(uint128(uint256(reversed))), uint256(reversed >> 128));
+    }
+
+    function verify(bytes calldata seal, bytes32 imageId, bytes32 postStateDigest, bytes32 journalDigest)
+        public
+        view
+        returns (bool)
+    {
+        //require(verifiedProofs[blockHash].exists, "Proof not found");
+        Receipt memory receipt = Receipt(
+            seal,
+            ReceiptClaim(
+                imageId,
+                postStateDigest,
+                ExitCode(SystemExitCode.Halted, 0),
+                bytes32(0),
+                Output(journalDigest, bytes32(0)).digest()
+            )
+        );
+        return grothVerify(receipt);
+    }
+
+    function grothVerify(Receipt memory receipt) public view returns (bool) {
+        (uint256 claim0, uint256 claim1) = splitDigest(receipt.claim.digest());
+        Seal memory seal = abi.decode(receipt.seal, (Seal));
+        return this.verifyProof(seal.a, seal.b, seal.c, [CONTROL_ID_0, CONTROL_ID_1, claim0, claim1]);
+    }
+
+    // The camel case here is not standard solidity practice. But we use it because its the implemntation of the interface.
+    function verify_integrity(Receipt memory receipt) public view returns (bool) {
+        (uint256 claim0, uint256 claim1) = splitDigest(receipt.claim.digest());
+        Seal memory seal = abi.decode(receipt.seal, (Seal));
+        return this.verifyProof(seal.a, seal.b, seal.c, [CONTROL_ID_0, CONTROL_ID_1, claim0, claim1]);
     }
 
     function submitOptimisticCommitment(bytes32 blockHash, bytes calldata stateCommitment) external {
@@ -134,4 +193,31 @@ contract Dispute is IRiscZeroVerifier, Groth16Verifier {
             emit BlockAccepted(blockHash);
         }
     }
+
+    /// @notice reverse the byte order of the uint256 value.
+    /// @dev Soldity uses a big-endian ABI encoding. Reversing the byte order before encoding
+    /// ensure that the encoded value will be little-endian.
+    /// Written by k06a. https://ethereum.stackexchange.com/a/83627
+    function reverseByteOrderUint256(uint256 input) public pure returns (uint256 v) {
+        v = input;
+
+        // swap bytes
+        v = ((v & 0xFF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00) >> 8)
+            | ((v & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) << 8);
+
+        // swap 2-byte long pairs
+        v = ((v & 0xFFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000) >> 16)
+            | ((v & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) << 16);
+
+        // swap 4-byte long pairs
+        v = ((v & 0xFFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000) >> 32)
+            | ((v & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) << 32);
+
+        // swap 8-byte long pairs
+        v = ((v & 0xFFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF0000000000000000) >> 64)
+            | ((v & 0x0000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF) << 64);
+
+        // swap 16-byte long pairs
+        v = (v >> 128) | (v << 128);
+    }
 }

protocol-units/dispute/src/RiscZeroCheats.sol

@@ -37,28 +37,25 @@ contract Groth16Verifier {
     uint256 constant gammax2 = 10857046999023057135944570762232829481370756359578518086990519993285655852781;
     uint256 constant gammay1 = 4082367875863433681332203403145435568316851327593401208105741076214120093531;
     uint256 constant gammay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
-    uint256 constant deltax1 = 17459137677540232029121579111806194201335604911445641118023073971023969565095;
-    uint256 constant deltax2 = 16850927772192893321067430466725055468022063819919435552018169508037555801891;
-    uint256 constant deltay1 = 16440269342816906375775882524040730637133399248560416660251195197654028701204;
-    uint256 constant deltay2 = 20318668496029522144912607185068507665315850570859328375503723843595483973858;
+    uint256 constant deltax1 = 18518940221910320856687047018635785128750837022059566906616608708313475199865;
+    uint256 constant deltax2 = 9492326610711013918333865133991413442330971822743127449106067493230447878125;
+    uint256 constant deltay1 = 19483644759748826533215810634368877792922012485854314246298395665859158607201;
+    uint256 constant deltay2 = 21375251776817431660251933179512026180139877181625068362970095925425149918084;
 
-    uint256 constant IC0x = 8446592859352799428420270221449902464741693648963397251242447530457567083492;
-    uint256 constant IC0y = 1064796367193003797175961162477173481551615790032213185848276823815288302804;
+    uint256 constant IC0x = 5283414572476013565779278723585415063371186194506872223482170607932178811733;
+    uint256 constant IC0y = 18704069070102836155408936676819275373965966640372164023392964533091458933020;
 
-    uint256 constant IC1x = 3179835575189816632597428042194253779818690147323192973511715175294048485951;
-    uint256 constant IC1y = 20895841676865356752879376687052266198216014795822152491318012491767775979074;
+    uint256 constant IC1x = 4204832149120840018317309580010992142700029278901617154852760187580780425598;
+    uint256 constant IC1y = 12454324579480242399557363837918019584959512625719173397955145140913291575910;
 
-    uint256 constant IC2x = 5332723250224941161709478398807683311971555792614491788690328996478511465287;
-    uint256 constant IC2y = 21199491073419440416471372042641226693637837098357067793586556692319371762571;
+    uint256 constant IC2x = 14956117485756386823219519866025248834283088288522682527835557402788427995664;
+    uint256 constant IC2y = 6968527870554016879785099818512699922114301060378071349626144898778340839382;
 
-    uint256 constant IC3x = 12457994489566736295787256452575216703923664299075106359829199968023158780583;
-    uint256 constant IC3y = 19706766271952591897761291684837117091856807401404423804318744964752784280790;
+    uint256 constant IC3x = 6512168907754184210144919576616764035747139382744482291187821746087116094329;
+    uint256 constant IC3y = 17156131719875889332084290091263207055049222677188492681713268727972722760739;
 
-    uint256 constant IC4x = 19617808913178163826953378459323299110911217259216006187355745713323154132237;
-    uint256 constant IC4y = 21663537384585072695701846972542344484111393047775983928357046779215877070466;
-
-    uint256 constant IC5x = 6834578911681792552110317589222010969491336870276623105249474534788043166867;
-    uint256 constant IC5y = 15060583660288623605191393599883223885678013570733629274538391874953353488393;
+    uint256 constant IC4x = 5195346330747727606774560791771406703229046454464300598774280139349802276261;
+    uint256 constant IC4y = 16279160127031959334335024858510026085227931356896384961436876214395869945425;
 
     // Memory data
     uint16 constant pVk = 0;
@@ -70,7 +67,7 @@ contract Groth16Verifier {
         uint256[2] calldata _pA,
         uint256[2][2] calldata _pB,
         uint256[2] calldata _pC,
-        uint256[5] calldata _pubSignals
+        uint256[4] calldata _pubSignals
     ) public view returns (bool) {
         assembly {
             function checkField(v) {
@@ -123,8 +120,6 @@ contract Groth16Verifier {
 
                 g1_mulAccC(_pVk, IC4x, IC4y, calldataload(add(pubSignals, 96)))
 
-                g1_mulAccC(_pVk, IC5x, IC5y, calldataload(add(pubSignals, 128)))
-
                 // -A
                 mstore(_pPairing, calldataload(pA))
                 mstore(add(_pPairing, 32), mod(sub(q, calldataload(add(pA, 32))), q))
@@ -185,13 +180,11 @@ contract Groth16Verifier {
 
             checkField(calldataload(add(_pubSignals, 128)))
 
-            checkField(calldataload(add(_pubSignals, 160)))
-
             // Validate all evaluations
             let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)
 
             mstore(0, isValid)
             return(0, 0x20)
         }
     }
-}
+}