Network
All
MEGA Testnet
Solana
Movement
Base
Arbitrum One
Zora
Celo
Ethereum
Xai
World Chain
Rari
Forma
Mode
Palm Testnet
Palm
Aptos
coming soon
Celestia
coming soon
Eclipse
coming soon
Metal L2
coming soon
Xai Testnet
coming soon
Astria Devnet
coming soon
LUKSO
coming soon
Arbitrum Nova
coming soon
Astria
coming soon
Polygon ZKEVM
coming soon
Optimism
coming soon
zkSync Era
coming soon
Binance Smart Chain
coming soon
Polygon
coming soon
Mantle
coming soon
账户
0xa7...530b
0xa7...530B
$500
此合同的源代码已经过验证!
合同元数据
编译器
0.8.13+commit.abaa5c0e
语言
Solidity
合同源代码
文件 1 的 16:BlockHashMessenger.sol
/// SPDX-License-Identifier: UNLICENSED
/// (c) Theori, Inc. 2022
/// All rights reserved
pragma solidity >=0.8.0;
import "./lib/MerkleTree.sol";
import "./interfaces/IReliquary.sol";
import "./interfaces/IProxyBlockHistory.sol";
/**
* @title BlockHashMessenger
* @author Theori, Inc.
* @notice Sends a block hash verified by the L1 BlockHistory and sends them to
* a ProxyBlockHistory. This contract is abstract so different message
* passing logic can be impelemented for each L2 / side chain.
*/
abstract contract BlockHashMessenger {
IReliquary public immutable reliquary;
address public immutable blockHistory;
constructor(IReliquary _reliquary, address _blockHistory) {
reliquary = _reliquary;
blockHistory = _blockHistory;
}
function _sendMessage(
address destination,
bytes calldata params,
bytes memory message
) internal virtual;
function sendBlockHash(
address destination,
bytes calldata params,
uint256 number,
bytes32 blockHash,
bytes calldata proof
) external payable {
require(
reliquary.validBlockHash(blockHistory, blockHash, number, proof),
"Invalid block hash"
);
_sendMessage(
destination,
params,
abi.encodeWithSelector(IProxyBlockHistory.importTrustedHash.selector, number, blockHash)
);
}
}
合同源代码
文件 2 的 16:Facts.sol
/// SPDX-License-Identifier: UNLICENSED
/// (c) Theori, Inc. 2022
/// All rights reserved
pragma solidity >=0.8.12;
type FactSignature is bytes32;
struct Fact {
address account;
FactSignature sig;
bytes data;
}
library Facts {
uint8 internal constant NO_FEE = 0;
function toFactSignature(uint8 cls, bytes memory data) internal pure returns (FactSignature) {
return FactSignature.wrap(bytes32((uint256(keccak256(data)) << 8) | cls));
}
function toFactClass(FactSignature factSig) internal pure returns (uint8) {
return uint8(uint256(FactSignature.unwrap(factSig)));
}
}
合同源代码
文件 3 的 16:IAllowList.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
interface IAllowList {
/*//////////////////////////////////////////////////////////////
EVENTS
//////////////////////////////////////////////////////////////*/
/// @notice Access mode of target contract is changed
event UpdateAccessMode(address indexed target, AccessMode previousMode, AccessMode newMode);
/// @notice Permission to call is changed
event UpdateCallPermission(address indexed caller, address indexed target, bytes4 indexed functionSig, bool status);
/// @notice Type of access to a specific contract includes three different modes
/// @param Closed No one has access to the contract
/// @param SpecialAccessOnly Any address with granted special access can interact with a contract (see `hasSpecialAccessToCall`)
/// @param Public Everyone can interact with a contract
enum AccessMode {
Closed,
SpecialAccessOnly,
Public
}
/// @dev A struct that contains deposit limit data of a token
/// @param depositLimitation Whether any deposit limitation is placed or not
/// @param depositCap The maximum amount that can be deposited.
struct Deposit {
bool depositLimitation;
uint256 depositCap;
}
/*//////////////////////////////////////////////////////////////
GETTERS
//////////////////////////////////////////////////////////////*/
function getAccessMode(address _target) external view returns (AccessMode);
function hasSpecialAccessToCall(
address _caller,
address _target,
bytes4 _functionSig
) external view returns (bool);
function canCall(
address _caller,
address _target,
bytes4 _functionSig
) external view returns (bool);
function getTokenDepositLimitData(address _l1Token) external view returns (Deposit memory);
/*//////////////////////////////////////////////////////////////
ALLOW LIST LOGIC
//////////////////////////////////////////////////////////////*/
function setBatchAccessMode(address[] calldata _targets, AccessMode[] calldata _accessMode) external;
function setAccessMode(address _target, AccessMode _accessMode) external;
function setBatchPermissionToCall(
address[] calldata _callers,
address[] calldata _targets,
bytes4[] calldata _functionSigs,
bool[] calldata _enables
) external;
function setPermissionToCall(
address _caller,
address _target,
bytes4 _functionSig,
bool _enable
) external;
/*//////////////////////////////////////////////////////////////
DEPOSIT LIMIT LOGIC
//////////////////////////////////////////////////////////////*/
function setDepositLimit(
address _l1Token,
bool _depositLimitation,
uint256 _depositCap
) external;
}
合同源代码
文件 4 的 16:IBlockHistory.sol
/// SPDX-License-Identifier: UNLICENSED
/// (c) Theori, Inc. 2022
/// All rights reserved
pragma solidity >=0.8.0;
/**
* @title Block history provider
* @author Theori, Inc.
* @notice IBlockHistory provides a way to verify a blockhash
*/
interface IBlockHistory {
/**
* @notice Determine if the given hash corresponds to the given block
* @param hash the hash if the block in question
* @param num the number of the block in question
* @param proof any witness data required to prove the block hash is
* correct (such as a Merkle or SNARK proof)
* @return boolean indicating if the block hash can be verified correct
*/
function validBlockHash(
bytes32 hash,
uint256 num,
bytes calldata proof
) external view returns (bool);
}
合同源代码
文件 5 的 16:IMailbox.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import {L2Log, L2Message} from "../Storage.sol";
/// @dev The enum that represents the transaction execution status
/// @param Failure The transaction execution failed
/// @param Success The transaction execution succeeded
enum TxStatus {
Failure,
Success
}
interface IMailbox {
/// @dev Structure that includes all fields of the L2 transaction
/// @dev The hash of this structure is the "canonical L2 transaction hash" and can be used as a unique identifier of a tx
/// @param txType The tx type number, depending on which the L2 transaction can be interpreted differently
/// @param from The sender's address. `uint256` type for possible address format changes and maintaining backward compatibility
/// @param to The recipient's address. `uint256` type for possible address format changes and maintaining backward compatibility
/// @param gasLimit The L2 gas limit for L2 transaction. Analog to the `gasLimit` on an L1 transactions
/// @param gasPerPubdataByteLimit Maximum number of L2 gas that will cost one byte of pubdata (every piece of data that will be stored on L1 as calldata)
/// @param maxFeePerGas The absolute maximum sender willing to pay per unit of L2 gas to get the transaction included in a block. Analog to the EIP-1559 `maxFeePerGas` on an L1 transactions
/// @param maxPriorityFeePerGas The additional fee that is paid directly to the validator to incentivize them to include the transaction in a block. Analog to the EIP-1559 `maxPriorityFeePerGas` on an L1 transactions
/// @param paymaster The address of the EIP-4337 paymaster, that will pay fees for the transaction. `uint256` type for possible address format changes and maintaining backward compatibility
/// @param nonce The nonce of the transaction. For L1->L2 transactions it is the priority operation Id.
/// @param value The value to pass with the transaction
/// @param reserved The fixed-length fields for usage in a future extension of transaction formats
/// @param data The calldata that is transmitted for the transaction call
/// @param signature An abstract set of bytes that are used for transaction authorization
/// @param factoryDeps The set of L2 bytecode hashes whose preimages were shown on L1
/// @param paymasterInput The arbitrary-length data that is used as a calldata to the paymaster pre-call
/// @param reservedDynamic The arbitrary-length field for usage in a future extension of transaction formats
struct L2CanonicalTransaction {
uint256 txType;
uint256 from;
uint256 to;
uint256 gasLimit;
uint256 gasPerPubdataByteLimit;
uint256 maxFeePerGas;
uint256 maxPriorityFeePerGas;
uint256 paymaster;
uint256 nonce;
uint256 value;
// In the future, we might want to add some
// new fields to the struct. The `txData` struct
// is to be passed to account and any changes to its structure
// would mean a breaking change to these accounts. To prevent this,
// we should keep some fields as "reserved".
// It is also recommended that their length is fixed, since
// it would allow easier proof integration (in case we will need
// some special circuit for preprocessing transactions).
uint256[4] reserved;
bytes data;
bytes signature;
uint256[] factoryDeps;
bytes paymasterInput;
// Reserved dynamic type for the future use-case. Using it should be avoided,
// But it is still here, just in case we want to enable some additional functionality.
bytes reservedDynamic;
}
/// @dev Internal structure that contains the parameters for the writePriorityOp
/// internal function.
/// @param sender The sender's address.
/// @param txId The id of the priority transaction.
/// @param l2Value The msg.value of the L2 transaction.
/// @param contractAddressL2 The address of the contract on L2 to call.
/// @param expirationTimestamp The timestamp by which the priority operation must be processed by the operator.
/// @param l2GasLimit The limit of the L2 gas for the L2 transaction
/// @param l2GasPricePerPubdata The price for a single pubdata byte in L2 gas.
/// @param valueToMint The amount of ether that should be minted on L2 as the result of this transaction.
/// @param refundRecipient The recipient of the refund for the transaction on L2. If the transaction fails, then
/// this address will receive the `l2Value`.
struct WritePriorityOpParams {
address sender;
uint256 txId;
uint256 l2Value;
address contractAddressL2;
uint64 expirationTimestamp;
uint256 l2GasLimit;
uint256 l2GasPrice;
uint256 l2GasPricePerPubdata;
uint256 valueToMint;
address refundRecipient;
}
function proveL2MessageInclusion(
uint256 _blockNumber,
uint256 _index,
L2Message calldata _message,
bytes32[] calldata _proof
) external view returns (bool);
function proveL2LogInclusion(
uint256 _blockNumber,
uint256 _index,
L2Log memory _log,
bytes32[] calldata _proof
) external view returns (bool);
function proveL1ToL2TransactionStatus(
bytes32 _l2TxHash,
uint256 _l2BlockNumber,
uint256 _l2MessageIndex,
uint16 _l2TxNumberInBlock,
bytes32[] calldata _merkleProof,
TxStatus _status
) external view returns (bool);
function finalizeEthWithdrawal(
uint256 _l2BlockNumber,
uint256 _l2MessageIndex,
uint16 _l2TxNumberInBlock,
bytes calldata _message,
bytes32[] calldata _merkleProof
) external;
function requestL2Transaction(
address _contractL2,
uint256 _l2Value,
bytes calldata _calldata,
uint256 _l2GasLimit,
uint256 _l2GasPerPubdataByteLimit,
bytes[] calldata _factoryDeps,
address _refundRecipient
) external payable returns (bytes32 canonicalTxHash);
function l2TransactionBaseCost(
uint256 _gasPrice,
uint256 _l2GasLimit,
uint256 _l2GasPerPubdataByteLimit
) external view returns (uint256);
/// @notice New priority request event. Emitted when a request is placed into the priority queue
/// @param txId Serial number of the priority operation
/// @param txHash keccak256 hash of encoded transaction representation
/// @param expirationTimestamp Timestamp up to which priority request should be processed
/// @param transaction The whole transaction structure that is requested to be executed on L2
/// @param factoryDeps An array of bytecodes that were shown in the L1 public data. Will be marked as known bytecodes in L2
event NewPriorityRequest(
uint256 txId,
bytes32 txHash,
uint64 expirationTimestamp,
L2CanonicalTransaction transaction,
bytes[] factoryDeps
);
/// @notice Emitted when the withdrawal is finalized on L1 and funds are released.
/// @param to The address to which the funds were sent
/// @param amount The amount of funds that were sent
event EthWithdrawalFinalized(address indexed to, uint256 amount);
}
合同源代码
文件 6 的 16:IProxyBlockHistory.sol
/// SPDX-License-Identifier: UNLICENSED
/// (c) Theori, Inc. 2022
/// All rights reserved
pragma solidity >=0.8.0;
import "./IBlockHistory.sol";
/**
* @title Block history provider
* @author Theori, Inc.
* @notice IBlockHistory provides a way to verify a blockhash
*/
interface IProxyBlockHistory is IBlockHistory {
/**
* @notice Import a trusted block hash from the messenger
* @param number the block number to import
* @param hash the block hash
*/
function importTrustedHash(uint256 number, bytes32 hash) external;
}
合同源代码
文件 7 的 16:IReliquary.sol
/// SPDX-License-Identifier: UNLICENSED
/// (c) Theori, Inc. 2022
/// All rights reserved
pragma solidity >=0.8.12;
import "../lib/Facts.sol";
interface IReliquary {
event NewProver(address prover, uint64 version);
event PendingProverAdded(address prover, uint64 version, uint64 timestamp);
event ProverRevoked(address prover, uint64 version);
event RoleAdminChanged(
bytes32 indexed role,
bytes32 indexed previousAdminRole,
bytes32 indexed newAdminRole
);
event RoleGranted(bytes32 indexed role, address indexed account, address indexed sender);
event RoleRevoked(bytes32 indexed role, address indexed account, address indexed sender);
struct ProverInfo {
uint64 version;
FeeInfo feeInfo;
bool revoked;
}
enum FeeFlags {
FeeNone,
FeeNative,
FeeCredits,
FeeExternalDelegate,
FeeExternalToken
}
struct FeeInfo {
uint8 flags;
uint16 feeCredits;
// feeWei = feeWeiMantissa * pow(10, feeWeiExponent)
uint8 feeWeiMantissa;
uint8 feeWeiExponent;
uint32 feeExternalId;
}
function ADD_PROVER_ROLE() external view returns (bytes32);
function CREDITS_ROLE() external view returns (bytes32);
function DEFAULT_ADMIN_ROLE() external view returns (bytes32);
function DELAY() external view returns (uint64);
function GOVERNANCE_ROLE() external view returns (bytes32);
function SUBSCRIPTION_ROLE() external view returns (bytes32);
function activateProver(address prover) external;
function addCredits(address user, uint192 amount) external;
function addProver(address prover, uint64 version) external;
function addSubscriber(address user, uint64 ts) external;
function assertValidBlockHash(
address verifier,
bytes32 hash,
uint256 num,
bytes memory proof
) external payable;
function assertValidBlockHashFromProver(
address verifier,
bytes32 hash,
uint256 num,
bytes memory proof
) external view;
function checkProveFactFee(address sender) external payable;
function checkProver(ProverInfo memory prover) external pure;
function credits(address user) external view returns (uint192);
function debugValidBlockHash(
address verifier,
bytes32 hash,
uint256 num,
bytes memory proof
) external view returns (bool);
function debugVerifyFact(address account, FactSignature factSig)
external
view
returns (
bool exists,
uint64 version,
bytes memory data
);
function factFees(uint8)
external
view
returns (
uint8 flags,
uint16 feeCredits,
uint8 feeWeiMantissa,
uint8 feeWeiExponent,
uint32 feeExternalId
);
function feeAccounts(address)
external
view
returns (uint64 subscriberUntilTime, uint192 credits);
function feeExternals(uint256) external view returns (address);
function getFact(address account, FactSignature factSig)
external
view
returns (
bool exists,
uint64 version,
bytes memory data
);
function getProveFactNativeFee(address prover) external view returns (uint256);
function getProveFactTokenFee(address prover) external view returns (uint256);
function getRoleAdmin(bytes32 role) external view returns (bytes32);
function getVerifyFactNativeFee(FactSignature factSig) external view returns (uint256);
function getVerifyFactTokenFee(FactSignature factSig) external view returns (uint256);
function grantRole(bytes32 role, address account) external;
function hasRole(bytes32 role, address account) external view returns (bool);
function initialized() external view returns (bool);
function isSubscriber(address user) external view returns (bool);
function pendingProvers(address) external view returns (uint64 timestamp, uint64 version);
function provers(address) external view returns (ProverInfo memory);
function removeCredits(address user, uint192 amount) external;
function removeSubscriber(address user) external;
function renounceRole(bytes32 role, address account) external;
function resetFact(address account, FactSignature factSig) external;
function revokeProver(address prover) external;
function revokeRole(bytes32 role, address account) external;
function setCredits(address user, uint192 amount) external;
function setFact(
address account,
FactSignature factSig,
bytes memory data
) external;
function setFactFee(
uint8 cls,
FeeInfo memory feeInfo,
address feeExternal
) external;
function setInitialized() external;
function setProverFee(
address prover,
FeeInfo memory feeInfo,
address feeExternal
) external;
function setValidBlockFee(FeeInfo memory feeInfo, address feeExternal) external;
function supportsInterface(bytes4 interfaceId) external view returns (bool);
function validBlockHash(
address verifier,
bytes32 hash,
uint256 num,
bytes memory proof
) external payable returns (bool);
function validBlockHashFromProver(
address verifier,
bytes32 hash,
uint256 num,
bytes memory proof
) external view returns (bool);
function verifyBlockFeeInfo()
external
view
returns (
uint8 flags,
uint16 feeCredits,
uint8 feeWeiMantissa,
uint8 feeWeiExponent,
uint32 feeExternalId
);
function verifyFact(address account, FactSignature factSig)
external
payable
returns (
bool exists,
uint64 version,
bytes memory data
);
function verifyFactNoFee(address account, FactSignature factSig)
external
view
returns (
bool exists,
uint64 version,
bytes memory data
);
function verifyFactVersion(address account, FactSignature factSig)
external
payable
returns (bool exists, uint64 version);
function verifyFactVersionNoFee(address account, FactSignature factSig)
external
view
returns (bool exists, uint64 version);
function versions(uint64) external view returns (address);
function withdrawFees(address token, address dest) external;
}
合同源代码
文件 8 的 16:MerkleTree.sol
/// SPDX-License-Identifier: UNLICENSED
/// (c) Theori, Inc. 2022
/// All rights reserved
pragma solidity >=0.8.0;
/**
* @title Merkle Tree
* @author Theori, Inc.
* @notice Gas optimized SHA256 Merkle tree code.
*/
library MerkleTree {
/**
* @notice performs one merkle combination of two node hashes
*/
function combine(bytes32 left, bytes32 right) internal view returns (bytes32 result) {
assembly {
mstore(0, left)
mstore(0x20, right)
// compute sha256
if iszero(staticcall(gas(), 0x2, 0x0, 0x40, 0x0, 0x20)) {
revert(0, 0)
}
result := mload(0)
}
}
/**
* @notice computes a SHA256 merkle root of the provided hashes, in place
* @param temp the mutable array of hashes
* @return the merkle root hash
*/
function computeRoot(bytes32[] memory temp) internal view returns (bytes32) {
uint256 count = temp.length;
assembly {
// repeat until we arrive at one root hash
for {
} gt(count, 1) {
} {
let dataElementLocation := add(temp, 0x20)
let hashElementLocation := add(temp, 0x20)
for {
let i := 0
} lt(i, count) {
i := add(i, 2)
} {
if iszero(
staticcall(gas(), 0x2, hashElementLocation, 0x40, dataElementLocation, 0x20)
) {
revert(0, 0)
}
dataElementLocation := add(dataElementLocation, 0x20)
hashElementLocation := add(hashElementLocation, 0x40)
}
count := shr(1, count)
}
}
return temp[0];
}
/**
* @notice compute the root of the merkle tree according to the proof
* @param index the index of the node to check
* @param leaf the leaf to check
* @param proofHashes the proof, i.e. the sequence of siblings from the
* node to root
*/
function proofRoot(
uint256 index,
bytes32 leaf,
bytes32[] calldata proofHashes
) internal view returns (bytes32 result) {
assembly {
result := leaf
let start := proofHashes.offset
let end := add(start, mul(proofHashes.length, 0x20))
for {
let ptr := start
} lt(ptr, end) {
ptr := add(ptr, 0x20)
} {
let proofHash := calldataload(ptr)
// use scratch space (0x0 - 0x40) for hash input
switch and(index, 1)
case 0 {
mstore(0x0, result)
mstore(0x20, proofHash)
}
case 1 {
mstore(0x0, proofHash)
mstore(0x20, result)
}
// compute sha256
if iszero(staticcall(gas(), 0x2, 0x0, 0x40, 0x0, 0x20)) {
revert(0, 0)
}
result := mload(0x0)
index := shr(1, index)
}
}
require(index == 0, "invalid index for proof");
}
/**
* @notice compute the root of the merkle tree containing the given leaf
* at index 0 and default values for all other leaves
* @param depth the depth of the tree
* @param leaf the non-default leaf
* @param defaultLeaf the default leaf for all other positions
*/
function rootWithDefault(
uint256 depth,
bytes32 leaf,
bytes32 defaultLeaf
) internal view returns (bytes32 result) {
assembly {
result := leaf
// the default value will live at 0x20 and be updated each iteration
mstore(0x20, defaultLeaf)
for { } depth { depth := sub(depth, 1) } {
// compute sha256 of result || default
mstore(0x0, result)
if iszero(staticcall(gas(), 0x2, 0x0, 0x40, 0x0, 0x20)) {
revert(0, 0)
}
result := mload(0x0)
if iszero(depth) {
break
}
// compute sha256 of default || default
mstore(0x0, mload(0x20))
if iszero(staticcall(gas(), 0x2, 0x0, 0x40, 0x20, 0x20)) {
revert(0, 0)
}
}
}
}
/**
* @notice check if a hash is in the merkle tree for rootHash
* @param rootHash the merkle root
* @param index the index of the node to check
* @param hash the hash to check
* @param proofHashes the proof, i.e. the sequence of siblings from the
* node to root
*/
function validProof(
bytes32 rootHash,
uint256 index,
bytes32 hash,
bytes32[] calldata proofHashes
) internal view returns (bool result) {
return rootHash == proofRoot(index, hash, proofHashes);
}
}
合同源代码
文件 9 的 16:PairingsBn254.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
library PairingsBn254 {
uint256 constant q_mod = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
uint256 constant r_mod = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
uint256 constant bn254_b_coeff = 3;
struct G1Point {
uint256 X;
uint256 Y;
}
struct Fr {
uint256 value;
}
function new_fr(uint256 fr) internal pure returns (Fr memory) {
require(fr < r_mod);
return Fr({value: fr});
}
function copy(Fr memory self) internal pure returns (Fr memory n) {
n.value = self.value;
}
function assign(Fr memory self, Fr memory other) internal pure {
self.value = other.value;
}
function inverse(Fr memory fr) internal view returns (Fr memory) {
require(fr.value != 0);
return pow(fr, r_mod - 2);
}
function add_assign(Fr memory self, Fr memory other) internal pure {
self.value = addmod(self.value, other.value, r_mod);
}
function sub_assign(Fr memory self, Fr memory other) internal pure {
self.value = addmod(self.value, r_mod - other.value, r_mod);
}
function mul_assign(Fr memory self, Fr memory other) internal pure {
self.value = mulmod(self.value, other.value, r_mod);
}
function pow(Fr memory self, uint256 power) internal view returns (Fr memory) {
uint256[6] memory input = [32, 32, 32, self.value, power, r_mod];
uint256[1] memory result;
bool success;
assembly {
success := staticcall(gas(), 0x05, input, 0xc0, result, 0x20)
}
require(success);
return Fr({value: result[0]});
}
// Encoding of field elements is: X[0] * z + X[1]
struct G2Point {
uint256[2] X;
uint256[2] Y;
}
function P1() internal pure returns (G1Point memory) {
return G1Point(1, 2);
}
function new_g1(uint256 x, uint256 y) internal pure returns (G1Point memory) {
return G1Point(x, y);
}
// function new_g1_checked(uint256 x, uint256 y) internal pure returns (G1Point memory) {
function new_g1_checked(uint256 x, uint256 y) internal pure returns (G1Point memory) {
if (x == 0 && y == 0) {
// point of infinity is (0,0)
return G1Point(x, y);
}
// check encoding
require(x < q_mod, "x axis isn't valid");
require(y < q_mod, "y axis isn't valid");
// check on curve
uint256 lhs = mulmod(y, y, q_mod); // y^2
uint256 rhs = mulmod(x, x, q_mod); // x^2
rhs = mulmod(rhs, x, q_mod); // x^3
rhs = addmod(rhs, bn254_b_coeff, q_mod); // x^3 + b
require(lhs == rhs, "is not on curve");
return G1Point(x, y);
}
function new_g2(uint256[2] memory x, uint256[2] memory y) internal pure returns (G2Point memory) {
return G2Point(x, y);
}
function copy_g1(G1Point memory self) internal pure returns (G1Point memory result) {
result.X = self.X;
result.Y = self.Y;
}
function P2() internal pure returns (G2Point memory) {
// for some reason ethereum expects to have c1*v + c0 form
return
G2Point(
[
0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2,
0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed
],
[
0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b,
0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa
]
);
}
function negate(G1Point memory self) internal pure {
// The prime q in the base field F_q for G1
if (self.Y == 0) {
require(self.X == 0);
return;
}
self.Y = q_mod - self.Y;
}
function point_add(G1Point memory p1, G1Point memory p2) internal view returns (G1Point memory r) {
point_add_into_dest(p1, p2, r);
return r;
}
function point_add_assign(G1Point memory p1, G1Point memory p2) internal view {
point_add_into_dest(p1, p2, p1);
}
function point_add_into_dest(
G1Point memory p1,
G1Point memory p2,
G1Point memory dest
) internal view {
if (p2.X == 0 && p2.Y == 0) {
// we add zero, nothing happens
dest.X = p1.X;
dest.Y = p1.Y;
return;
} else if (p1.X == 0 && p1.Y == 0) {
// we add into zero, and we add non-zero point
dest.X = p2.X;
dest.Y = p2.Y;
return;
} else {
uint256[4] memory input;
input[0] = p1.X;
input[1] = p1.Y;
input[2] = p2.X;
input[3] = p2.Y;
bool success;
assembly {
success := staticcall(gas(), 6, input, 0x80, dest, 0x40)
}
require(success);
}
}
function point_sub_assign(G1Point memory p1, G1Point memory p2) internal view {
point_sub_into_dest(p1, p2, p1);
}
function point_sub_into_dest(
G1Point memory p1,
G1Point memory p2,
G1Point memory dest
) internal view {
if (p2.X == 0 && p2.Y == 0) {
// we subtracted zero, nothing happens
dest.X = p1.X;
dest.Y = p1.Y;
return;
} else if (p1.X == 0 && p1.Y == 0) {
// we subtract from zero, and we subtract non-zero point
dest.X = p2.X;
dest.Y = q_mod - p2.Y;
return;
} else {
uint256[4] memory input;
input[0] = p1.X;
input[1] = p1.Y;
input[2] = p2.X;
input[3] = q_mod - p2.Y;
bool success = false;
assembly {
success := staticcall(gas(), 6, input, 0x80, dest, 0x40)
}
require(success);
}
}
function point_mul(G1Point memory p, Fr memory s) internal view returns (G1Point memory r) {
// https://eips.ethereum.org/EIPS/eip-197
// Elliptic curve points are encoded as a Jacobian pair (X, Y) where the point at infinity is encoded as (0, 0)
if (p.X == 0 && p.Y == 1) {
p.Y = 0;
}
point_mul_into_dest(p, s, r);
return r;
}
function point_mul_assign(G1Point memory p, Fr memory s) internal view {
point_mul_into_dest(p, s, p);
}
function point_mul_into_dest(
G1Point memory p,
Fr memory s,
G1Point memory dest
) internal view {
uint256[3] memory input;
input[0] = p.X;
input[1] = p.Y;
input[2] = s.value;
bool success;
assembly {
success := staticcall(gas(), 7, input, 0x60, dest, 0x40)
}
require(success);
}
function pairing(G1Point[] memory p1, G2Point[] memory p2) internal view returns (bool) {
require(p1.length == p2.length);
uint256 elements = p1.length;
uint256 inputSize = elements * 6;
uint256[] memory input = new uint256[](inputSize);
for (uint256 i = 0; i < elements; ) {
input[i * 6 + 0] = p1[i].X;
input[i * 6 + 1] = p1[i].Y;
input[i * 6 + 2] = p2[i].X[0];
input[i * 6 + 3] = p2[i].X[1];
input[i * 6 + 4] = p2[i].Y[0];
input[i * 6 + 5] = p2[i].Y[1];
unchecked {
++i;
}
}
uint256[1] memory out;
bool success;
assembly {
success := staticcall(gas(), 8, add(input, 0x20), mul(inputSize, 0x20), out, 0x20)
}
require(success);
return out[0] != 0;
}
/// Convenience method for a pairing check for two pairs.
function pairingProd2(
G1Point memory a1,
G2Point memory a2,
G1Point memory b1,
G2Point memory b2
) internal view returns (bool) {
G1Point[] memory p1 = new G1Point[](2);
G2Point[] memory p2 = new G2Point[](2);
p1[0] = a1;
p1[1] = b1;
p2[0] = a2;
p2[1] = b2;
return pairing(p1, p2);
}
}
合同源代码
文件 10 的 16:Plonk4VerifierWithAccessToDNext.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "./libraries/PairingsBn254.sol";
import "./libraries/TranscriptLib.sol";
import "../common/libraries/UncheckedMath.sol";
uint256 constant STATE_WIDTH = 4;
uint256 constant NUM_G2_ELS = 2;
struct VerificationKey {
uint256 domain_size;
uint256 num_inputs;
PairingsBn254.Fr omega;
PairingsBn254.G1Point[2] gate_selectors_commitments;
PairingsBn254.G1Point[8] gate_setup_commitments;
PairingsBn254.G1Point[STATE_WIDTH] permutation_commitments;
PairingsBn254.G1Point lookup_selector_commitment;
PairingsBn254.G1Point[4] lookup_tables_commitments;
PairingsBn254.G1Point lookup_table_type_commitment;
PairingsBn254.Fr[STATE_WIDTH - 1] non_residues;
PairingsBn254.G2Point[NUM_G2_ELS] g2_elements;
}
contract Plonk4VerifierWithAccessToDNext {
using PairingsBn254 for PairingsBn254.G1Point;
using PairingsBn254 for PairingsBn254.G2Point;
using PairingsBn254 for PairingsBn254.Fr;
using TranscriptLib for TranscriptLib.Transcript;
using UncheckedMath for uint256;
struct Proof {
uint256[] input_values;
// commitments
PairingsBn254.G1Point[STATE_WIDTH] state_polys_commitments;
PairingsBn254.G1Point copy_permutation_grand_product_commitment;
PairingsBn254.G1Point[STATE_WIDTH] quotient_poly_parts_commitments;
// openings
PairingsBn254.Fr[STATE_WIDTH] state_polys_openings_at_z;
PairingsBn254.Fr[1] state_polys_openings_at_z_omega;
PairingsBn254.Fr[1] gate_selectors_openings_at_z;
PairingsBn254.Fr[STATE_WIDTH - 1] copy_permutation_polys_openings_at_z;
PairingsBn254.Fr copy_permutation_grand_product_opening_at_z_omega;
PairingsBn254.Fr quotient_poly_opening_at_z;
PairingsBn254.Fr linearization_poly_opening_at_z;
// lookup commitments
PairingsBn254.G1Point lookup_s_poly_commitment;
PairingsBn254.G1Point lookup_grand_product_commitment;
// lookup openings
PairingsBn254.Fr lookup_s_poly_opening_at_z_omega;
PairingsBn254.Fr lookup_grand_product_opening_at_z_omega;
PairingsBn254.Fr lookup_t_poly_opening_at_z;
PairingsBn254.Fr lookup_t_poly_opening_at_z_omega;
PairingsBn254.Fr lookup_selector_poly_opening_at_z;
PairingsBn254.Fr lookup_table_type_poly_opening_at_z;
PairingsBn254.G1Point opening_proof_at_z;
PairingsBn254.G1Point opening_proof_at_z_omega;
}
struct PartialVerifierState {
PairingsBn254.Fr zero;
PairingsBn254.Fr alpha;
PairingsBn254.Fr beta;
PairingsBn254.Fr gamma;
PairingsBn254.Fr[9] alpha_values;
PairingsBn254.Fr eta;
PairingsBn254.Fr beta_lookup;
PairingsBn254.Fr gamma_lookup;
PairingsBn254.Fr beta_plus_one;
PairingsBn254.Fr beta_gamma;
PairingsBn254.Fr v;
PairingsBn254.Fr u;
PairingsBn254.Fr z;
PairingsBn254.Fr z_omega;
PairingsBn254.Fr z_minus_last_omega;
PairingsBn254.Fr l_0_at_z;
PairingsBn254.Fr l_n_minus_one_at_z;
PairingsBn254.Fr t;
PairingsBn254.G1Point tp;
}
function evaluate_l0_at_point(uint256 domain_size, PairingsBn254.Fr memory at)
internal
view
returns (PairingsBn254.Fr memory num)
{
PairingsBn254.Fr memory one = PairingsBn254.new_fr(1);
PairingsBn254.Fr memory size_fe = PairingsBn254.new_fr(domain_size);
PairingsBn254.Fr memory den = at.copy();
den.sub_assign(one);
den.mul_assign(size_fe);
den = den.inverse();
num = at.pow(domain_size);
num.sub_assign(one);
num.mul_assign(den);
}
function evaluate_lagrange_poly_out_of_domain(
uint256 poly_num,
uint256 domain_size,
PairingsBn254.Fr memory omega,
PairingsBn254.Fr memory at
) internal view returns (PairingsBn254.Fr memory res) {
// (omega^i / N) / (X - omega^i) * (X^N - 1)
require(poly_num < domain_size);
PairingsBn254.Fr memory one = PairingsBn254.new_fr(1);
PairingsBn254.Fr memory omega_power = omega.pow(poly_num);
res = at.pow(domain_size);
res.sub_assign(one);
require(res.value != 0); // Vanishing polynomial can not be zero at point `at`
res.mul_assign(omega_power);
PairingsBn254.Fr memory den = PairingsBn254.copy(at);
den.sub_assign(omega_power);
den.mul_assign(PairingsBn254.new_fr(domain_size));
den = den.inverse();
res.mul_assign(den);
}
function evaluate_vanishing(uint256 domain_size, PairingsBn254.Fr memory at)
internal
view
returns (PairingsBn254.Fr memory res)
{
res = at.pow(domain_size);
res.sub_assign(PairingsBn254.new_fr(1));
}
function initialize_transcript(Proof memory proof, VerificationKey memory vk)
internal
pure
returns (PartialVerifierState memory state)
{
TranscriptLib.Transcript memory transcript = TranscriptLib.new_transcript();
for (uint256 i = 0; i < vk.num_inputs; i = i.uncheckedInc()) {
transcript.update_with_u256(proof.input_values[i]);
}
for (uint256 i = 0; i < STATE_WIDTH; i = i.uncheckedInc()) {
transcript.update_with_g1(proof.state_polys_commitments[i]);
}
state.eta = transcript.get_challenge();
transcript.update_with_g1(proof.lookup_s_poly_commitment);
state.beta = transcript.get_challenge();
state.gamma = transcript.get_challenge();
transcript.update_with_g1(proof.copy_permutation_grand_product_commitment);
state.beta_lookup = transcript.get_challenge();
state.gamma_lookup = transcript.get_challenge();
transcript.update_with_g1(proof.lookup_grand_product_commitment);
state.alpha = transcript.get_challenge();
for (uint256 i = 0; i < proof.quotient_poly_parts_commitments.length; i = i.uncheckedInc()) {
transcript.update_with_g1(proof.quotient_poly_parts_commitments[i]);
}
state.z = transcript.get_challenge();
transcript.update_with_fr(proof.quotient_poly_opening_at_z);
for (uint256 i = 0; i < proof.state_polys_openings_at_z.length; i = i.uncheckedInc()) {
transcript.update_with_fr(proof.state_polys_openings_at_z[i]);
}
for (uint256 i = 0; i < proof.state_polys_openings_at_z_omega.length; i = i.uncheckedInc()) {
transcript.update_with_fr(proof.state_polys_openings_at_z_omega[i]);
}
for (uint256 i = 0; i < proof.gate_selectors_openings_at_z.length; i = i.uncheckedInc()) {
transcript.update_with_fr(proof.gate_selectors_openings_at_z[i]);
}
for (uint256 i = 0; i < proof.copy_permutation_polys_openings_at_z.length; i = i.uncheckedInc()) {
transcript.update_with_fr(proof.copy_permutation_polys_openings_at_z[i]);
}
state.z_omega = state.z.copy();
state.z_omega.mul_assign(vk.omega);
transcript.update_with_fr(proof.copy_permutation_grand_product_opening_at_z_omega);
transcript.update_with_fr(proof.lookup_t_poly_opening_at_z);
transcript.update_with_fr(proof.lookup_selector_poly_opening_at_z);
transcript.update_with_fr(proof.lookup_table_type_poly_opening_at_z);
transcript.update_with_fr(proof.lookup_s_poly_opening_at_z_omega);
transcript.update_with_fr(proof.lookup_grand_product_opening_at_z_omega);
transcript.update_with_fr(proof.lookup_t_poly_opening_at_z_omega);
transcript.update_with_fr(proof.linearization_poly_opening_at_z);
state.v = transcript.get_challenge();
transcript.update_with_g1(proof.opening_proof_at_z);
transcript.update_with_g1(proof.opening_proof_at_z_omega);
state.u = transcript.get_challenge();
}
// compute some powers of challenge alpha([alpha^1, .. alpha^8])
function compute_powers_of_alpha(PartialVerifierState memory state) public pure {
require(state.alpha.value != 0);
state.alpha_values[0] = PairingsBn254.new_fr(1);
state.alpha_values[1] = state.alpha.copy();
PairingsBn254.Fr memory current_alpha = state.alpha.copy();
for (uint256 i = 2; i < state.alpha_values.length; i = i.uncheckedInc()) {
current_alpha.mul_assign(state.alpha);
state.alpha_values[i] = current_alpha.copy();
}
}
function verify(Proof memory proof, VerificationKey memory vk) internal view returns (bool) {
// we initialize all challenges beforehand, we can draw each challenge in its own place
PartialVerifierState memory state = initialize_transcript(proof, vk);
if (verify_quotient_evaluation(vk, proof, state) == false) {
return false;
}
require(proof.state_polys_openings_at_z_omega.length == 1);
PairingsBn254.G1Point memory quotient_result = proof.quotient_poly_parts_commitments[0].copy_g1();
{
// block scope
PairingsBn254.Fr memory z_in_domain_size = state.z.pow(vk.domain_size);
PairingsBn254.Fr memory current_z = z_in_domain_size.copy();
PairingsBn254.G1Point memory tp;
// start from i =1
for (uint256 i = 1; i < proof.quotient_poly_parts_commitments.length; i = i.uncheckedInc()) {
tp = proof.quotient_poly_parts_commitments[i].copy_g1();
tp.point_mul_assign(current_z);
quotient_result.point_add_assign(tp);
current_z.mul_assign(z_in_domain_size);
}
}
Queries memory queries = prepare_queries(vk, proof, state);
queries.commitments_at_z[0] = quotient_result;
queries.values_at_z[0] = proof.quotient_poly_opening_at_z;
queries.commitments_at_z[1] = aggregated_linearization_commitment(vk, proof, state);
queries.values_at_z[1] = proof.linearization_poly_opening_at_z;
require(queries.commitments_at_z.length == queries.values_at_z.length);
PairingsBn254.G1Point memory aggregated_commitment_at_z = queries.commitments_at_z[0];
PairingsBn254.Fr memory aggregated_opening_at_z = queries.values_at_z[0];
PairingsBn254.Fr memory aggregation_challenge = PairingsBn254.new_fr(1);
PairingsBn254.G1Point memory scaled;
for (uint256 i = 1; i < queries.commitments_at_z.length; i = i.uncheckedInc()) {
aggregation_challenge.mul_assign(state.v);
scaled = queries.commitments_at_z[i].point_mul(aggregation_challenge);
aggregated_commitment_at_z.point_add_assign(scaled);
state.t = queries.values_at_z[i];
state.t.mul_assign(aggregation_challenge);
aggregated_opening_at_z.add_assign(state.t);
}
aggregation_challenge.mul_assign(state.v);
PairingsBn254.G1Point memory aggregated_commitment_at_z_omega = queries.commitments_at_z_omega[0].point_mul(
aggregation_challenge
);
PairingsBn254.Fr memory aggregated_opening_at_z_omega = queries.values_at_z_omega[0];
aggregated_opening_at_z_omega.mul_assign(aggregation_challenge);
for (uint256 i = 1; i < queries.commitments_at_z_omega.length; i = i.uncheckedInc()) {
aggregation_challenge.mul_assign(state.v);
scaled = queries.commitments_at_z_omega[i].point_mul(aggregation_challenge);
aggregated_commitment_at_z_omega.point_add_assign(scaled);
state.t = queries.values_at_z_omega[i];
state.t.mul_assign(aggregation_challenge);
aggregated_opening_at_z_omega.add_assign(state.t);
}
return
final_pairing(
vk.g2_elements,
proof,
state,
aggregated_commitment_at_z,
aggregated_commitment_at_z_omega,
aggregated_opening_at_z,
aggregated_opening_at_z_omega
);
}
function verify_quotient_evaluation(
VerificationKey memory vk,
Proof memory proof,
PartialVerifierState memory state
) internal view returns (bool) {
uint256[] memory lagrange_poly_numbers = new uint256[](vk.num_inputs);
for (uint256 i = 0; i < lagrange_poly_numbers.length; i = i.uncheckedInc()) {
lagrange_poly_numbers[i] = i;
}
require(vk.num_inputs > 0);
PairingsBn254.Fr memory inputs_term = PairingsBn254.new_fr(0);
for (uint256 i = 0; i < vk.num_inputs; i = i.uncheckedInc()) {
state.t = evaluate_lagrange_poly_out_of_domain(i, vk.domain_size, vk.omega, state.z);
state.t.mul_assign(PairingsBn254.new_fr(proof.input_values[i]));
inputs_term.add_assign(state.t);
}
inputs_term.mul_assign(proof.gate_selectors_openings_at_z[0]);
PairingsBn254.Fr memory result = proof.linearization_poly_opening_at_z.copy();
result.add_assign(inputs_term);
// compute powers of alpha
compute_powers_of_alpha(state);
PairingsBn254.Fr memory factor = state.alpha_values[4].copy();
factor.mul_assign(proof.copy_permutation_grand_product_opening_at_z_omega);
// - alpha_0 * (a + perm(z) * beta + gamma)*()*(d + gamma) * z(z*omega)
require(proof.copy_permutation_polys_openings_at_z.length == STATE_WIDTH - 1);
PairingsBn254.Fr memory t; // TMP;
for (uint256 i = 0; i < proof.copy_permutation_polys_openings_at_z.length; i = i.uncheckedInc()) {
t = proof.copy_permutation_polys_openings_at_z[i].copy();
t.mul_assign(state.beta);
t.add_assign(proof.state_polys_openings_at_z[i]);
t.add_assign(state.gamma);
factor.mul_assign(t);
}
t = proof.state_polys_openings_at_z[3].copy();
t.add_assign(state.gamma);
factor.mul_assign(t);
result.sub_assign(factor);
// - L_0(z) * alpha_1
PairingsBn254.Fr memory l_0_at_z = evaluate_l0_at_point(vk.domain_size, state.z);
l_0_at_z.mul_assign(state.alpha_values[4 + 1]);
result.sub_assign(l_0_at_z);
PairingsBn254.Fr memory lookup_quotient_contrib = lookup_quotient_contribution(vk, proof, state);
result.add_assign(lookup_quotient_contrib);
PairingsBn254.Fr memory lhs = proof.quotient_poly_opening_at_z.copy();
lhs.mul_assign(evaluate_vanishing(vk.domain_size, state.z));
return lhs.value == result.value;
}
function lookup_quotient_contribution(
VerificationKey memory vk,
Proof memory proof,
PartialVerifierState memory state
) internal view returns (PairingsBn254.Fr memory result) {
PairingsBn254.Fr memory t;
PairingsBn254.Fr memory one = PairingsBn254.new_fr(1);
state.beta_plus_one = state.beta_lookup.copy();
state.beta_plus_one.add_assign(one);
state.beta_gamma = state.beta_plus_one.copy();
state.beta_gamma.mul_assign(state.gamma_lookup);
// (s'*beta + gamma)*(zw')*alpha
t = proof.lookup_s_poly_opening_at_z_omega.copy();
t.mul_assign(state.beta_lookup);
t.add_assign(state.beta_gamma);
t.mul_assign(proof.lookup_grand_product_opening_at_z_omega);
t.mul_assign(state.alpha_values[6]);
// (z - omega^{n-1}) for this part
PairingsBn254.Fr memory last_omega = vk.omega.pow(vk.domain_size - 1);
state.z_minus_last_omega = state.z.copy();
state.z_minus_last_omega.sub_assign(last_omega);
t.mul_assign(state.z_minus_last_omega);
result.add_assign(t);
// - alpha_1 * L_{0}(z)
state.l_0_at_z = evaluate_lagrange_poly_out_of_domain(0, vk.domain_size, vk.omega, state.z);
t = state.l_0_at_z.copy();
t.mul_assign(state.alpha_values[6 + 1]);
result.sub_assign(t);
// - alpha_2 * beta_gamma_powered L_{n-1}(z)
PairingsBn254.Fr memory beta_gamma_powered = state.beta_gamma.pow(vk.domain_size - 1);
state.l_n_minus_one_at_z = evaluate_lagrange_poly_out_of_domain(
vk.domain_size - 1,
vk.domain_size,
vk.omega,
state.z
);
t = state.l_n_minus_one_at_z.copy();
t.mul_assign(beta_gamma_powered);
t.mul_assign(state.alpha_values[6 + 2]);
result.sub_assign(t);
}
function aggregated_linearization_commitment(
VerificationKey memory vk,
Proof memory proof,
PartialVerifierState memory state
) internal view returns (PairingsBn254.G1Point memory result) {
// qMain*(Q_a * A + Q_b * B + Q_c * C + Q_d * D + Q_m * A*B + Q_const + Q_dNext * D_next)
result = PairingsBn254.new_g1(0, 0);
// Q_a * A
PairingsBn254.G1Point memory scaled = vk.gate_setup_commitments[0].point_mul(
proof.state_polys_openings_at_z[0]
);
result.point_add_assign(scaled);
// Q_b * B
scaled = vk.gate_setup_commitments[1].point_mul(proof.state_polys_openings_at_z[1]);
result.point_add_assign(scaled);
// Q_c * C
scaled = vk.gate_setup_commitments[2].point_mul(proof.state_polys_openings_at_z[2]);
result.point_add_assign(scaled);
// Q_d * D
scaled = vk.gate_setup_commitments[3].point_mul(proof.state_polys_openings_at_z[3]);
result.point_add_assign(scaled);
// Q_m* A*B or Q_ab*A*B
PairingsBn254.Fr memory t = proof.state_polys_openings_at_z[0].copy();
t.mul_assign(proof.state_polys_openings_at_z[1]);
scaled = vk.gate_setup_commitments[4].point_mul(t);
result.point_add_assign(scaled);
// Q_AC* A*C
t = proof.state_polys_openings_at_z[0].copy();
t.mul_assign(proof.state_polys_openings_at_z[2]);
scaled = vk.gate_setup_commitments[5].point_mul(t);
result.point_add_assign(scaled);
// Q_const
result.point_add_assign(vk.gate_setup_commitments[6]);
// Q_dNext * D_next
scaled = vk.gate_setup_commitments[7].point_mul(proof.state_polys_openings_at_z_omega[0]);
result.point_add_assign(scaled);
result.point_mul_assign(proof.gate_selectors_openings_at_z[0]);
PairingsBn254.G1Point
memory rescue_custom_gate_linearization_contrib = rescue_custom_gate_linearization_contribution(
vk,
proof,
state
);
result.point_add_assign(rescue_custom_gate_linearization_contrib);
require(vk.non_residues.length == STATE_WIDTH - 1);
PairingsBn254.Fr memory one = PairingsBn254.new_fr(1);
PairingsBn254.Fr memory factor = state.alpha_values[4].copy();
for (uint256 i = 0; i < proof.state_polys_openings_at_z.length; ) {
t = state.z.copy();
if (i == 0) {
t.mul_assign(one);
} else {
t.mul_assign(vk.non_residues[i - 1]);
}
t.mul_assign(state.beta);
t.add_assign(state.gamma);
t.add_assign(proof.state_polys_openings_at_z[i]);
factor.mul_assign(t);
unchecked {
++i;
}
}
scaled = proof.copy_permutation_grand_product_commitment.point_mul(factor);
result.point_add_assign(scaled);
// - (a(z) + beta*perm_a + gamma)*()*()*z(z*omega) * beta * perm_d(X)
factor = state.alpha_values[4].copy();
factor.mul_assign(state.beta);
factor.mul_assign(proof.copy_permutation_grand_product_opening_at_z_omega);
for (uint256 i = 0; i < STATE_WIDTH - 1; i = i.uncheckedInc()) {
t = proof.copy_permutation_polys_openings_at_z[i].copy();
t.mul_assign(state.beta);
t.add_assign(state.gamma);
t.add_assign(proof.state_polys_openings_at_z[i]);
factor.mul_assign(t);
}
scaled = vk.permutation_commitments[3].point_mul(factor);
result.point_sub_assign(scaled);
// + L_0(z) * Z(x)
state.l_0_at_z = evaluate_lagrange_poly_out_of_domain(0, vk.domain_size, vk.omega, state.z);
require(state.l_0_at_z.value != 0);
factor = state.l_0_at_z.copy();
factor.mul_assign(state.alpha_values[4 + 1]);
scaled = proof.copy_permutation_grand_product_commitment.point_mul(factor);
result.point_add_assign(scaled);
PairingsBn254.G1Point memory lookup_linearization_contrib = lookup_linearization_contribution(proof, state);
result.point_add_assign(lookup_linearization_contrib);
}
function rescue_custom_gate_linearization_contribution(
VerificationKey memory vk,
Proof memory proof,
PartialVerifierState memory state
) public view returns (PairingsBn254.G1Point memory result) {
PairingsBn254.Fr memory t;
PairingsBn254.Fr memory intermediate_result;
// a^2 - b = 0
t = proof.state_polys_openings_at_z[0].copy();
t.mul_assign(t);
t.sub_assign(proof.state_polys_openings_at_z[1]);
// t.mul_assign(challenge1);
t.mul_assign(state.alpha_values[1]);
intermediate_result.add_assign(t);
// b^2 - c = 0
t = proof.state_polys_openings_at_z[1].copy();
t.mul_assign(t);
t.sub_assign(proof.state_polys_openings_at_z[2]);
t.mul_assign(state.alpha_values[1 + 1]);
intermediate_result.add_assign(t);
// c*a - d = 0;
t = proof.state_polys_openings_at_z[2].copy();
t.mul_assign(proof.state_polys_openings_at_z[0]);
t.sub_assign(proof.state_polys_openings_at_z[3]);
t.mul_assign(state.alpha_values[1 + 2]);
intermediate_result.add_assign(t);
result = vk.gate_selectors_commitments[1].point_mul(intermediate_result);
}
function lookup_linearization_contribution(Proof memory proof, PartialVerifierState memory state)
internal
view
returns (PairingsBn254.G1Point memory result)
{
PairingsBn254.Fr memory zero = PairingsBn254.new_fr(0);
PairingsBn254.Fr memory t;
PairingsBn254.Fr memory factor;
// s(x) from the Z(x*omega)*(\gamma*(1 + \beta) + s(x) + \beta * s(x*omega)))
factor = proof.lookup_grand_product_opening_at_z_omega.copy();
factor.mul_assign(state.alpha_values[6]);
factor.mul_assign(state.z_minus_last_omega);
PairingsBn254.G1Point memory scaled = proof.lookup_s_poly_commitment.point_mul(factor);
result.point_add_assign(scaled);
// Z(x) from - alpha_0 * Z(x) * (\beta + 1) * (\gamma + f(x)) * (\gamma(1 + \beta) + t(x) + \beta * t(x*omega))
// + alpha_1 * Z(x) * L_{0}(z) + alpha_2 * Z(x) * L_{n-1}(z)
// accumulate coefficient
factor = proof.lookup_t_poly_opening_at_z_omega.copy();
factor.mul_assign(state.beta_lookup);
factor.add_assign(proof.lookup_t_poly_opening_at_z);
factor.add_assign(state.beta_gamma);
// (\gamma + f(x))
PairingsBn254.Fr memory f_reconstructed;
PairingsBn254.Fr memory current = PairingsBn254.new_fr(1);
PairingsBn254.Fr memory tmp0;
for (uint256 i = 0; i < STATE_WIDTH - 1; i = i.uncheckedInc()) {
tmp0 = proof.state_polys_openings_at_z[i].copy();
tmp0.mul_assign(current);
f_reconstructed.add_assign(tmp0);
current.mul_assign(state.eta);
}
// add type of table
t = proof.lookup_table_type_poly_opening_at_z.copy();
t.mul_assign(current);
f_reconstructed.add_assign(t);
f_reconstructed.mul_assign(proof.lookup_selector_poly_opening_at_z);
f_reconstructed.add_assign(state.gamma_lookup);
// end of (\gamma + f(x)) part
factor.mul_assign(f_reconstructed);
factor.mul_assign(state.beta_plus_one);
t = zero.copy();
t.sub_assign(factor);
factor = t;
factor.mul_assign(state.alpha_values[6]);
// Multiply by (z - omega^{n-1})
factor.mul_assign(state.z_minus_last_omega);
// L_{0}(z) in front of Z(x)
t = state.l_0_at_z.copy();
t.mul_assign(state.alpha_values[6 + 1]);
factor.add_assign(t);
// L_{n-1}(z) in front of Z(x)
t = state.l_n_minus_one_at_z.copy();
t.mul_assign(state.alpha_values[6 + 2]);
factor.add_assign(t);
scaled = proof.lookup_grand_product_commitment.point_mul(factor);
result.point_add_assign(scaled);
}
struct Queries {
PairingsBn254.G1Point[13] commitments_at_z;
PairingsBn254.Fr[13] values_at_z;
PairingsBn254.G1Point[6] commitments_at_z_omega;
PairingsBn254.Fr[6] values_at_z_omega;
}
function prepare_queries(
VerificationKey memory vk,
Proof memory proof,
PartialVerifierState memory state
) public view returns (Queries memory queries) {
// we set first two items in calee side so start idx from 2
uint256 idx = 2;
for (uint256 i = 0; i < STATE_WIDTH; i = i.uncheckedInc()) {
queries.commitments_at_z[idx] = proof.state_polys_commitments[i];
queries.values_at_z[idx] = proof.state_polys_openings_at_z[i];
idx = idx.uncheckedInc();
}
require(proof.gate_selectors_openings_at_z.length == 1);
queries.commitments_at_z[idx] = vk.gate_selectors_commitments[0];
queries.values_at_z[idx] = proof.gate_selectors_openings_at_z[0];
idx = idx.uncheckedInc();
for (uint256 i = 0; i < STATE_WIDTH - 1; i = i.uncheckedInc()) {
queries.commitments_at_z[idx] = vk.permutation_commitments[i];
queries.values_at_z[idx] = proof.copy_permutation_polys_openings_at_z[i];
idx = idx.uncheckedInc();
}
queries.commitments_at_z_omega[0] = proof.copy_permutation_grand_product_commitment;
queries.commitments_at_z_omega[1] = proof.state_polys_commitments[STATE_WIDTH - 1];
queries.values_at_z_omega[0] = proof.copy_permutation_grand_product_opening_at_z_omega;
queries.values_at_z_omega[1] = proof.state_polys_openings_at_z_omega[0];
PairingsBn254.G1Point memory lookup_t_poly_commitment_aggregated = vk.lookup_tables_commitments[0];
PairingsBn254.Fr memory current_eta = state.eta.copy();
for (uint256 i = 1; i < vk.lookup_tables_commitments.length; i = i.uncheckedInc()) {
state.tp = vk.lookup_tables_commitments[i].point_mul(current_eta);
lookup_t_poly_commitment_aggregated.point_add_assign(state.tp);
current_eta.mul_assign(state.eta);
}
queries.commitments_at_z[idx] = lookup_t_poly_commitment_aggregated;
queries.values_at_z[idx] = proof.lookup_t_poly_opening_at_z;
idx = idx.uncheckedInc();
queries.commitments_at_z[idx] = vk.lookup_selector_commitment;
queries.values_at_z[idx] = proof.lookup_selector_poly_opening_at_z;
idx = idx.uncheckedInc();
queries.commitments_at_z[idx] = vk.lookup_table_type_commitment;
queries.values_at_z[idx] = proof.lookup_table_type_poly_opening_at_z;
queries.commitments_at_z_omega[2] = proof.lookup_s_poly_commitment;
queries.values_at_z_omega[2] = proof.lookup_s_poly_opening_at_z_omega;
queries.commitments_at_z_omega[3] = proof.lookup_grand_product_commitment;
queries.values_at_z_omega[3] = proof.lookup_grand_product_opening_at_z_omega;
queries.commitments_at_z_omega[4] = lookup_t_poly_commitment_aggregated;
queries.values_at_z_omega[4] = proof.lookup_t_poly_opening_at_z_omega;
}
function final_pairing(
// VerificationKey memory vk,
PairingsBn254.G2Point[NUM_G2_ELS] memory g2_elements,
Proof memory proof,
PartialVerifierState memory state,
PairingsBn254.G1Point memory aggregated_commitment_at_z,
PairingsBn254.G1Point memory aggregated_commitment_at_z_omega,
PairingsBn254.Fr memory aggregated_opening_at_z,
PairingsBn254.Fr memory aggregated_opening_at_z_omega
) internal view returns (bool) {
// q(x) = f(x) - f(z) / (x - z)
// q(x) * (x-z) = f(x) - f(z)
// f(x)
PairingsBn254.G1Point memory pair_with_generator = aggregated_commitment_at_z.copy_g1();
aggregated_commitment_at_z_omega.point_mul_assign(state.u);
pair_with_generator.point_add_assign(aggregated_commitment_at_z_omega);
// - f(z)*g
PairingsBn254.Fr memory aggregated_value = aggregated_opening_at_z_omega.copy();
aggregated_value.mul_assign(state.u);
aggregated_value.add_assign(aggregated_opening_at_z);
PairingsBn254.G1Point memory tp = PairingsBn254.P1().point_mul(aggregated_value);
pair_with_generator.point_sub_assign(tp);
// +z * q(x)
tp = proof.opening_proof_at_z.point_mul(state.z);
PairingsBn254.Fr memory t = state.z_omega.copy();
t.mul_assign(state.u);
PairingsBn254.G1Point memory t1 = proof.opening_proof_at_z_omega.point_mul(t);
tp.point_add_assign(t1);
pair_with_generator.point_add_assign(tp);
// rhs
PairingsBn254.G1Point memory pair_with_x = proof.opening_proof_at_z_omega.point_mul(state.u);
pair_with_x.point_add_assign(proof.opening_proof_at_z);
pair_with_x.negate();
// Pairing precompile expects points to be in a `i*x[1] + x[0]` form instead of `x[0] + i*x[1]`
// so we handle it in code generation step
PairingsBn254.G2Point memory first_g2 = g2_elements[0];
PairingsBn254.G2Point memory second_g2 = g2_elements[1];
return PairingsBn254.pairingProd2(pair_with_generator, first_g2, pair_with_x, second_g2);
}
}
合同源代码
文件 11 的 16:PriorityQueue.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
/// @notice The structure that contains meta information of the L2 transaction that was requested from L1
/// @dev The weird size of fields was selected specifically to minimize the structure storage size
/// @param canonicalTxHash Hashed L2 transaction data that is needed to process it
/// @param expirationTimestamp Expiration timestamp for this request (must be satisfied before)
/// @param layer2Tip Additional payment to the validator as an incentive to perform the operation
struct PriorityOperation {
bytes32 canonicalTxHash;
uint64 expirationTimestamp;
uint192 layer2Tip;
}
/// @author Matter Labs
/// @dev The library provides the API to interact with the priority queue container
/// @dev Order of processing operations from queue - FIFO (Fist in - first out)
library PriorityQueue {
using PriorityQueue for Queue;
/// @notice Container that stores priority operations
/// @param data The inner mapping that saves priority operation by its index
/// @param head The pointer to the first unprocessed priority operation, equal to the tail if the queue is empty
/// @param tail The pointer to the free slot
struct Queue {
mapping(uint256 => PriorityOperation) data;
uint256 tail;
uint256 head;
}
/// @notice Returns zero if and only if no operations were processed from the queue
/// @return Index of the oldest priority operation that wasn't processed yet
function getFirstUnprocessedPriorityTx(Queue storage _queue) internal view returns (uint256) {
return _queue.head;
}
/// @return The total number of priority operations that were added to the priority queue, including all processed ones
function getTotalPriorityTxs(Queue storage _queue) internal view returns (uint256) {
return _queue.tail;
}
/// @return The total number of unprocessed priority operations in a priority queue
function getSize(Queue storage _queue) internal view returns (uint256) {
return uint256(_queue.tail - _queue.head);
}
/// @return Whether the priority queue contains no operations
function isEmpty(Queue storage _queue) internal view returns (bool) {
return _queue.tail == _queue.head;
}
/// @notice Add the priority operation to the end of the priority queue
function pushBack(Queue storage _queue, PriorityOperation memory _operation) internal {
// Save value into the stack to avoid double reading from the storage
uint256 tail = _queue.tail;
_queue.data[tail] = _operation;
_queue.tail = tail + 1;
}
/// @return The first unprocessed priority operation from the queue
function front(Queue storage _queue) internal view returns (PriorityOperation memory) {
require(!_queue.isEmpty(), "D"); // priority queue is empty
return _queue.data[_queue.head];
}
/// @notice Remove the first unprocessed priority operation from the queue
/// @return priorityOperation that was popped from the priority queue
function popFront(Queue storage _queue) internal returns (PriorityOperation memory priorityOperation) {
require(!_queue.isEmpty(), "s"); // priority queue is empty
// Save value into the stack to avoid double reading from the storage
uint256 head = _queue.head;
priorityOperation = _queue.data[head];
delete _queue.data[head];
_queue.head = head + 1;
}
}
合同源代码
文件 12 的 16:Storage.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "./Verifier.sol";
import "../common/interfaces/IAllowList.sol";
import "./libraries/PriorityQueue.sol";
/// @notice Indicates whether an upgrade is initiated and if yes what type
/// @param None Upgrade is NOT initiated
/// @param Transparent Fully transparent upgrade is initiated, upgrade data is publicly known
/// @param Shadow Shadow upgrade is initiated, upgrade data is hidden
enum UpgradeState {
None,
Transparent,
Shadow
}
/// @dev Logically separated part of the storage structure, which is responsible for everything related to proxy upgrades and diamond cuts
/// @param proposedUpgradeHash The hash of the current upgrade proposal, zero if there is no active proposal
/// @param state Indicates whether an upgrade is initiated and if yes what type
/// @param securityCouncil Address which has the permission to approve instant upgrades (expected to be a Gnosis multisig)
/// @param approvedBySecurityCouncil Indicates whether the security council has approved the upgrade
/// @param proposedUpgradeTimestamp The timestamp when the upgrade was proposed, zero if there are no active proposals
/// @param currentProposalId The serial number of proposed upgrades, increments when proposing a new one
struct UpgradeStorage {
bytes32 proposedUpgradeHash;
UpgradeState state;
address securityCouncil;
bool approvedBySecurityCouncil;
uint40 proposedUpgradeTimestamp;
uint40 currentProposalId;
}
/// @dev The log passed from L2
/// @param l2ShardId The shard identifier, 0 - rollup, 1 - porter. All other values are not used but are reserved for the future
/// @param isService A boolean flag that is part of the log along with `key`, `value`, and `sender` address.
/// This field is required formally but does not have any special meaning.
/// @param txNumberInBlock The L2 transaction number in a block, in which the log was sent
/// @param sender The L2 address which sent the log
/// @param key The 32 bytes of information that was sent in the log
/// @param value The 32 bytes of information that was sent in the log
// Both `key` and `value` are arbitrary 32-bytes selected by the log sender
struct L2Log {
uint8 l2ShardId;
bool isService;
uint16 txNumberInBlock;
address sender;
bytes32 key;
bytes32 value;
}
/// @dev An arbitrary length message passed from L2
/// @notice Under the hood it is `L2Log` sent from the special system L2 contract
/// @param txNumberInBlock The L2 transaction number in a block, in which the message was sent
/// @param sender The address of the L2 account from which the message was passed
/// @param data An arbitrary length message
struct L2Message {
uint16 txNumberInBlock;
address sender;
bytes data;
}
/// @notice Part of the configuration parameters of ZKP circuits
struct VerifierParams {
bytes32 recursionNodeLevelVkHash;
bytes32 recursionLeafLevelVkHash;
bytes32 recursionCircuitsSetVksHash;
}
/// @dev storing all storage variables for zkSync facets
/// NOTE: It is used in a proxy, so it is possible to add new variables to the end
/// NOTE: but NOT to modify already existing variables or change their order
/// NOTE: DiamondCutStorage is unused, but it must remain a member of AppStorage to not have storage collision
/// NOTE: instead UpgradeStorage is used that is appended to the end of the AppStorage struct
struct AppStorage {
/// @dev Storage of variables needed for deprecated diamond cut facet
uint256[7] __DEPRECATED_diamondCutStorage;
/// @notice Address which will exercise governance over the network i.e. change validator set, conduct upgrades
address governor;
/// @notice Address that the governor proposed as one that will replace it
address pendingGovernor;
/// @notice List of permitted validators
mapping(address => bool) validators;
/// @dev Verifier contract. Used to verify aggregated proof for blocks
Verifier verifier;
/// @notice Total number of executed blocks i.e. blocks[totalBlocksExecuted] points at the latest executed block (block 0 is genesis)
uint256 totalBlocksExecuted;
/// @notice Total number of proved blocks i.e. blocks[totalBlocksProved] points at the latest proved block
uint256 totalBlocksVerified;
/// @notice Total number of committed blocks i.e. blocks[totalBlocksCommitted] points at the latest committed block
uint256 totalBlocksCommitted;
/// @dev Stored hashed StoredBlock for block number
mapping(uint256 => bytes32) storedBlockHashes;
/// @dev Stored root hashes of L2 -> L1 logs
mapping(uint256 => bytes32) l2LogsRootHashes;
/// @dev Container that stores transactions requested from L1
PriorityQueue.Queue priorityQueue;
/// @dev The smart contract that manages the list with permission to call contract functions
IAllowList allowList;
/// @notice Part of the configuration parameters of ZKP circuits. Used as an input for the verifier smart contract
VerifierParams verifierParams;
/// @notice Bytecode hash of bootloader program.
/// @dev Used as an input to zkp-circuit.
bytes32 l2BootloaderBytecodeHash;
/// @notice Bytecode hash of default account (bytecode for EOA).
/// @dev Used as an input to zkp-circuit.
bytes32 l2DefaultAccountBytecodeHash;
/// @dev Indicates that the porter may be touched on L2 transactions.
/// @dev Used as an input to zkp-circuit.
bool zkPorterIsAvailable;
/// @dev The maximum number of the L2 gas that a user can request for L1 -> L2 transactions
/// @dev This is the maximum number of L2 gas that is available for the "body" of the transaction, i.e.
/// without overhead for proving the block.
uint256 priorityTxMaxGasLimit;
/// @dev Storage of variables needed for upgrade facet
UpgradeStorage upgrades;
/// @dev A mapping L2 block number => message number => flag.
/// @dev The L2 -> L1 log is sent for every withdrawal, so this mapping is serving as
/// a flag to indicate that the message was already processed.
/// @dev Used to indicate that eth withdrawal was already processed
mapping(uint256 => mapping(uint256 => bool)) isEthWithdrawalFinalized;
/// @dev The most recent withdrawal time and amount reset
uint256 __DEPRECATED_lastWithdrawalLimitReset;
/// @dev The accumulated withdrawn amount during the withdrawal limit window
uint256 __DEPRECATED_withdrawnAmountInWindow;
/// @dev A mapping user address => the total deposited amount by the user
mapping(address => uint256) totalDepositedAmountPerUser;
}
合同源代码
文件 13 的 16:TranscriptLib.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "./PairingsBn254.sol";
library TranscriptLib {
// flip 0xe000000000000000000000000000000000000000000000000000000000000000;
uint256 constant FR_MASK = 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;
uint32 constant DST_0 = 0;
uint32 constant DST_1 = 1;
uint32 constant DST_CHALLENGE = 2;
struct Transcript {
bytes32 state_0;
bytes32 state_1;
uint32 challenge_counter;
}
function new_transcript() internal pure returns (Transcript memory t) {
t.state_0 = bytes32(0);
t.state_1 = bytes32(0);
t.challenge_counter = 0;
}
function update_with_u256(Transcript memory self, uint256 value) internal pure {
bytes32 old_state_0 = self.state_0;
self.state_0 = keccak256(abi.encodePacked(DST_0, old_state_0, self.state_1, value));
self.state_1 = keccak256(abi.encodePacked(DST_1, old_state_0, self.state_1, value));
}
function update_with_fr(Transcript memory self, PairingsBn254.Fr memory value) internal pure {
update_with_u256(self, value.value);
}
function update_with_g1(Transcript memory self, PairingsBn254.G1Point memory p) internal pure {
update_with_u256(self, p.X);
update_with_u256(self, p.Y);
}
function get_challenge(Transcript memory self) internal pure returns (PairingsBn254.Fr memory challenge) {
bytes32 query = keccak256(abi.encodePacked(DST_CHALLENGE, self.state_0, self.state_1, self.challenge_counter));
self.challenge_counter += 1;
challenge = PairingsBn254.Fr({value: uint256(query) & FR_MASK});
}
}
合同源代码
文件 14 的 16:UncheckedMath.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
library UncheckedMath {
function uncheckedInc(uint256 _number) internal pure returns (uint256) {
unchecked {
return _number + 1;
}
}
function uncheckedAdd(uint256 _lhs, uint256 _rhs) internal pure returns (uint256) {
unchecked {
return _lhs + _rhs;
}
}
}
合同源代码
文件 15 的 16:Verifier.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "./Plonk4VerifierWithAccessToDNext.sol";
import "../common/libraries/UncheckedMath.sol";
contract Verifier is Plonk4VerifierWithAccessToDNext {
using UncheckedMath for uint256;
function get_verification_key() public pure returns (VerificationKey memory vk) {
vk.num_inputs = 1;
vk.domain_size = 67108864;
vk.omega = PairingsBn254.new_fr(0x1dba8b5bdd64ef6ce29a9039aca3c0e524395c43b9227b96c75090cc6cc7ec97);
// coefficients
vk.gate_setup_commitments[0] = PairingsBn254.new_g1(
0x08fa9d6f0dd6ac1cbeb94ae20fe7a23df05cb1095df66fb561190e615a4037ef,
0x196dcc8692fe322d21375920559944c12ba7b1ba8b732344cf4ba2e3aa0fc8b4
);
vk.gate_setup_commitments[1] = PairingsBn254.new_g1(
0x0074aaf5d97bd57551311a8b3e4aa7840bc55896502020b2f43ad6a98d81a443,
0x2d275a3ad153dc9d89ebb9c9b6a0afd2dde82470554e9738d905c328fbb4c8bc
);
vk.gate_setup_commitments[2] = PairingsBn254.new_g1(
0x287f1975a9aeaef5d2bb0767b5ef538f76e82f7da01c0cb6db8c6f920818ec4f,
0x2fff6f53594129f794a7731d963d27e72f385c5c6d8e08829e6f66a9d29a12ea
);
vk.gate_setup_commitments[3] = PairingsBn254.new_g1(
0x038809fa3d4b7320d43e023454194f0a7878baa7e73a295d2d105260f1c34cbc,
0x25418b1105cf45b2a3da6c349bab1d9caaf145eaf24d1e8fb92c11654c000781
);
vk.gate_setup_commitments[4] = PairingsBn254.new_g1(
0x0561cafd527ac3f0bc550db77d87cd1c63938f7ec051e62ebf84a5bbe07f9840,
0x28f87201b4cbe19f1517a1c29ca6d6cb074502ccfed4c31c8931c6992c3eea43
);
vk.gate_setup_commitments[5] = PairingsBn254.new_g1(
0x27e0af572bac6e36d31c33808cb44c0ef8ceee5e2850e916fb01f3747db72491,
0x1da20087ba61c59366b21e31e4ac6889d357cf11bf16b94d875f94f41525c427
);
vk.gate_setup_commitments[6] = PairingsBn254.new_g1(
0x2c2bcafea8f93d07f96874f470985a8d272c09c8ed49373f36497ee80bd8da17,
0x299276cf6dca1a7e3780f6276c5d067403f6e024e83e0cc1ab4c5f7252b7f653
);
vk.gate_setup_commitments[7] = PairingsBn254.new_g1(
0x0ba9d4a53e050da25b8410045b634f1ca065ff74acd35bab1a72bf1f20047ef3,
0x1f1eefc8b0507a08f852f554bd7abcbd506e52de390ca127477a678d212abfe5
);
// gate selectors
vk.gate_selectors_commitments[0] = PairingsBn254.new_g1(
0x1c6b68d9920620012d85a4850dad9bd6d03ae8bbc7a08b827199e85dba1ef2b1,
0x0f6380560d1b585628ed259289cec19d3a7c70c60e66bbfebfcb70c8c312d91e
);
vk.gate_selectors_commitments[1] = PairingsBn254.new_g1(
0x0dfead780e5067181aae631ff734a33fca302773472997daca58ba49dbd20dcc,
0x00f13fa6e356f525d2fd1c533acf2858c0d2b9f0a9b3180f94e1543929c75073
);
// permutation
vk.permutation_commitments[0] = PairingsBn254.new_g1(
0x1df0747c787934650d99c5696f9273088ad07ec3e0825c9d39685a9b9978ebed,
0x2ace2a277becbc69af4e89518eb50960a733d9d71354845ea43d2e65c8e0e4cb
);
vk.permutation_commitments[1] = PairingsBn254.new_g1(
0x06598c8236a5f5045cd7444dc87f3e1f66f99bf01251e13be4dc0ab1f7f1af4b,
0x14ca234fe9b3bb1e5517fc60d6b90f8ad44b0899a2d4f71a64c9640b3142ce8b
);
vk.permutation_commitments[2] = PairingsBn254.new_g1(
0x01889e2c684caefde60471748f4259196ecf4209a735ccdf7b1816f05bafa50a,
0x092d287a080bfe2fd40ad392ff290e462cd0e347b8fd9d05b90af234ce77a11b
);
vk.permutation_commitments[3] = PairingsBn254.new_g1(
0x0dd98eeb5bc12c221da969398b67750a8774dbdd37a78da52367f9fc0e566d5c,
0x06750ceb40c9fb87fc424df9599340938b7552b759914a90cb0e41d3915c945b
);
// lookup table commitments
vk.lookup_selector_commitment = PairingsBn254.new_g1(
0x2f491c662ae53ceb358f57a868dc00b89befa853bd9a449127ea2d46820995bd,
0x231fe6538634ff8b6fa21ca248fb15e7f43d82eb0bfa705490d24ddb3e3cad77
);
vk.lookup_tables_commitments[0] = PairingsBn254.new_g1(
0x0ebe0de4a2f39df3b903da484c1641ffdffb77ff87ce4f9508c548659eb22d3c,
0x12a3209440242d5662729558f1017ed9dcc08fe49a99554dd45f5f15da5e4e0b
);
vk.lookup_tables_commitments[1] = PairingsBn254.new_g1(
0x1b7d54f8065ca63bed0bfbb9280a1011b886d07e0c0a26a66ecc96af68c53bf9,
0x2c51121fff5b8f58c302f03c74e0cb176ae5a1d1730dec4696eb9cce3fe284ca
);
vk.lookup_tables_commitments[2] = PairingsBn254.new_g1(
0x0138733c5faa9db6d4b8df9748081e38405999e511fb22d40f77cf3aef293c44,
0x269bee1c1ac28053238f7fe789f1ea2e481742d6d16ae78ed81e87c254af0765
);
vk.lookup_tables_commitments[3] = PairingsBn254.new_g1(
0x1b1be7279d59445065a95f01f16686adfa798ec4f1e6845ffcec9b837e88372e,
0x057c90cb96d8259238ed86b05f629efd55f472a721efeeb56926e979433e6c0e
);
vk.lookup_table_type_commitment = PairingsBn254.new_g1(
0x12cd873a6f18a4a590a846d9ebf61565197edf457efd26bc408eb61b72f37b59,
0x19890cbdac892682e7a5910ca6c238c082130e1c71f33d0c9c901153377770d1
);
// non residues
vk.non_residues[0] = PairingsBn254.new_fr(0x0000000000000000000000000000000000000000000000000000000000000005);
vk.non_residues[1] = PairingsBn254.new_fr(0x0000000000000000000000000000000000000000000000000000000000000007);
vk.non_residues[2] = PairingsBn254.new_fr(0x000000000000000000000000000000000000000000000000000000000000000a);
// g2 elements
vk.g2_elements[0] = PairingsBn254.new_g2(
[
0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2,
0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed
],
[
0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b,
0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa
]
);
vk.g2_elements[1] = PairingsBn254.new_g2(
[
0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1,
0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0
],
[
0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4,
0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55
]
);
}
function deserialize_proof(uint256[] calldata public_inputs, uint256[] calldata serialized_proof)
internal
pure
returns (Proof memory proof)
{
require(serialized_proof.length == 44);
proof.input_values = new uint256[](public_inputs.length);
for (uint256 i = 0; i < public_inputs.length; i = i.uncheckedInc()) {
proof.input_values[i] = public_inputs[i];
}
uint256 j;
for (uint256 i = 0; i < STATE_WIDTH; i = i.uncheckedInc()) {
proof.state_polys_commitments[i] = PairingsBn254.new_g1_checked(
serialized_proof[j],
serialized_proof[j.uncheckedInc()]
);
j = j.uncheckedAdd(2);
}
proof.copy_permutation_grand_product_commitment = PairingsBn254.new_g1_checked(
serialized_proof[j],
serialized_proof[j.uncheckedInc()]
);
j = j.uncheckedAdd(2);
proof.lookup_s_poly_commitment = PairingsBn254.new_g1_checked(
serialized_proof[j],
serialized_proof[j.uncheckedInc()]
);
j = j.uncheckedAdd(2);
proof.lookup_grand_product_commitment = PairingsBn254.new_g1_checked(
serialized_proof[j],
serialized_proof[j.uncheckedInc()]
);
j = j.uncheckedAdd(2);
for (uint256 i = 0; i < proof.quotient_poly_parts_commitments.length; i = i.uncheckedInc()) {
proof.quotient_poly_parts_commitments[i] = PairingsBn254.new_g1_checked(
serialized_proof[j],
serialized_proof[j.uncheckedInc()]
);
j = j.uncheckedAdd(2);
}
for (uint256 i = 0; i < proof.state_polys_openings_at_z.length; i = i.uncheckedInc()) {
proof.state_polys_openings_at_z[i] = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
}
for (uint256 i = 0; i < proof.state_polys_openings_at_z_omega.length; i = i.uncheckedInc()) {
proof.state_polys_openings_at_z_omega[i] = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
}
for (uint256 i = 0; i < proof.gate_selectors_openings_at_z.length; i = i.uncheckedInc()) {
proof.gate_selectors_openings_at_z[i] = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
}
for (uint256 i = 0; i < proof.copy_permutation_polys_openings_at_z.length; i = i.uncheckedInc()) {
proof.copy_permutation_polys_openings_at_z[i] = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
}
proof.copy_permutation_grand_product_opening_at_z_omega = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.lookup_s_poly_opening_at_z_omega = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.lookup_grand_product_opening_at_z_omega = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.lookup_t_poly_opening_at_z = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.lookup_t_poly_opening_at_z_omega = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.lookup_selector_poly_opening_at_z = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.lookup_table_type_poly_opening_at_z = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.quotient_poly_opening_at_z = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.linearization_poly_opening_at_z = PairingsBn254.new_fr(serialized_proof[j]);
j = j.uncheckedInc();
proof.opening_proof_at_z = PairingsBn254.new_g1_checked(
serialized_proof[j],
serialized_proof[j.uncheckedInc()]
);
j = j.uncheckedAdd(2);
proof.opening_proof_at_z_omega = PairingsBn254.new_g1_checked(
serialized_proof[j],
serialized_proof[j.uncheckedInc()]
);
}
function verify_serialized_proof(uint256[] calldata public_inputs, uint256[] calldata serialized_proof)
public
view
returns (bool)
{
VerificationKey memory vk = get_verification_key();
require(vk.num_inputs == public_inputs.length);
Proof memory proof = deserialize_proof(public_inputs, serialized_proof);
return verify(proof, vk);
}
}
合同源代码
文件 16 的 16:ZkSyncBlockHashMessenger.sol
/// SPDX-License-Identifier: UNLICENSED
/// (c) Theori, Inc. 2022
/// All rights reserved
pragma solidity ^0.8.0;
import "@matterlabs/zksync-contracts/l1/contracts/zksync/interfaces/IMailbox.sol";
import "./interfaces/IReliquary.sol";
import "./BlockHashMessenger.sol";
/**
* @title ZkSyncBlockHashMessenger
* @author Theori, Inc.
* @notice The L1 messenger contract to send block hashes to zkSync.
*/
contract ZkSyncBlockHashMessenger is BlockHashMessenger {
address public immutable zkSync;
constructor(
IReliquary _reliquary,
address _blockHistory,
address _zkSync
) BlockHashMessenger(_reliquary, _blockHistory) {
zkSync = _zkSync;
}
function _sendMessage(
address destination,
bytes calldata params,
bytes memory data
) internal override {
(uint256 l2GasLimit, uint256 l2GasPerPubdataByteLimit) = abi.decode(
params,
(uint256, uint256)
);
IMailbox(zkSync).requestL2Transaction{value: msg.value}(
destination,
0,
data,
l2GasLimit,
l2GasPerPubdataByteLimit,
new bytes[](0),
msg.sender
);
}
}
设置
{
"compilationTarget": {
"contracts/ZkSyncBlockHashMessenger.sol": "ZkSyncBlockHashMessenger"
},
"evmVersion": "london",
"libraries": {},
"metadata": {
"bytecodeHash": "ipfs",
"useLiteralContent": true
},
"optimizer": {
"enabled": true,
"runs": 1000
},
"remappings": []
}ABI
[{"inputs":[{"internalType":"contract IReliquary","name":"_reliquary","type":"address"},{"internalType":"address","name":"_blockHistory","type":"address"},{"internalType":"address","name":"_zkSync","type":"address"}],"stateMutability":"nonpayable","type":"constructor"},{"inputs":[],"name":"blockHistory","outputs":[{"internalType":"address","name":"","type":"address"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"reliquary","outputs":[{"internalType":"contract IReliquary","name":"","type":"address"}],"stateMutability":"view","type":"function"},{"inputs":[{"internalType":"address","name":"destination","type":"address"},{"internalType":"bytes","name":"params","type":"bytes"},{"internalType":"uint256","name":"number","type":"uint256"},{"internalType":"bytes32","name":"blockHash","type":"bytes32"},{"internalType":"bytes","name":"proof","type":"bytes"}],"name":"sendBlockHash","outputs":[],"stateMutability":"payable","type":"function"},{"inputs":[],"name":"zkSync","outputs":[{"internalType":"address","name":"","type":"address"}],"stateMutability":"view","type":"function"}]