Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(rln): trustless root onchain #36

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 16 additions & 15 deletions .gas-snapshot
Original file line number Diff line number Diff line change
@@ -1,17 +1,18 @@
RlnTest:test__Constants() (gas: 8619)
RlnTest:test__InvalidRegistration__DuplicateCommitment(uint256) (runs: 1000, μ: 144113, ~: 144113)
RlnTest:test__InvalidRegistration__FullSet() (gas: 1433224)
RlnTest:test__InvalidRegistration__InsufficientDeposit(uint256) (runs: 1000, μ: 17440, ~: 17440)
RlnTest:test__InvalidRegistration__InvalidIdCommitment(uint256) (runs: 1000, μ: 17053, ~: 17058)
RlnTest:test__InvalidRegistration__InvalidUserMessageLimit() (gas: 17055)
RlnTest:test__InvalidRegistration__MaxUserMessageLimit() (gas: 17203)
RlnTest:test__InvalidSlash__InvalidProof() (gas: 1081919)
RlnTest:test__InvalidSlash__MemberNotRegistered(uint256) (runs: 1000, μ: 32521, ~: 32521)
RlnTest:test__InvalidSlash__NoStake(uint256,address) (runs: 1000, μ: 319630, ~: 319682)
RlnTest:test__InvalidSlash__ToRlnAddress() (gas: 151034)
RlnTest:test__InvalidSlash__ToZeroAddress() (gas: 150939)
RlnTest:test__InvalidWithdraw__InsufficientContractBalance() (gas: 145224)
RlnTest:test__InvalidRegistration__DuplicateCommitment(uint256) (runs: 1000, μ: 144283, ~: 144283)
RlnTest:test__InvalidRegistration__FullSet() (gas: 1576547)
RlnTest:test__InvalidRegistration__InsufficientDeposit(uint256) (runs: 1000, μ: 17525, ~: 17525)
RlnTest:test__InvalidRegistration__InvalidIdCommitment(uint256) (runs: 1000, μ: 17098, ~: 17103)
RlnTest:test__InvalidRegistration__InvalidUserMessageLimit() (gas: 17100)
RlnTest:test__InvalidRegistration__MaxUserMessageLimit() (gas: 17248)
RlnTest:test__InvalidSlash__InvalidProof() (gas: 1224746)
RlnTest:test__InvalidSlash__MemberNotRegistered(uint256) (runs: 1000, μ: 30343, ~: 30343)
RlnTest:test__InvalidSlash__NoStake(uint256,address) (runs: 1000, μ: 319487, ~: 319492)
RlnTest:test__InvalidSlash__ToRlnAddress() (gas: 151119)
RlnTest:test__InvalidSlash__ToZeroAddress() (gas: 151024)
RlnTest:test__InvalidWithdraw__InsufficientContractBalance() (gas: 145148)
RlnTest:test__InvalidWithdraw__InsufficientWithdrawalBalance() (gas: 10538)
RlnTest:test__ValidRegistration(uint256) (runs: 1000, μ: 135760, ~: 135760)
RlnTest:test__ValidSlash(uint256,address) (runs: 1000, μ: 203402, ~: 203412)
RlnTest:test__ValidWithdraw(address) (runs: 1000, μ: 202120, ~: 202108)
RlnTest:test__ValidRegistration(uint256) (runs: 1000, μ: 135845, ~: 135845)
RlnTest:test__ValidSlash(uint256,address) (runs: 1000, μ: 203289, ~: 203298)
RlnTest:test__ValidWithdraw(address) (runs: 1000, μ: 202042, ~: 202032)
RlnTest:test__root() (gas: 8171348)
54 changes: 45 additions & 9 deletions deployments/11155111/latest.json

Large diffs are not rendered by default.

125 changes: 125 additions & 0 deletions src/BinaryIMTMemory.sol
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import { PoseidonT3 } from "poseidon-solidity/PoseidonT3.sol";

// stripped down version of
// solhint-disable-next-line max-line-length
// https://github.com/privacy-scaling-explorations/zk-kit/blob/718a5c2fa0f6cd577cee3fd08373609ac985d3bb/packages/imt.sol/contracts/internal/InternalBinaryIMT.sol
// that allows getting the root of the rln tree without expensive storage reads/writes
struct BinaryIMTMemoryData {
uint256 root; // Root hash of the tree.
uint256 numberOfLeaves; // Number of leaves of the tree.
uint256 depth; // Depth of the tree.
}

/// @title In memory Incremental binary Merkle tree Root calculator
/// @dev This helper library allows to calculate the root hash of the tree without using storage
library BinaryIMTMemory {
uint8 public constant MAX_DEPTH = 20;
uint256 public constant SNARK_SCALAR_FIELD =
21_888_242_871_839_275_222_246_405_745_257_275_088_548_364_400_416_034_343_698_204_186_575_808_495_617;

uint256 public constant Z_0 = 0;
uint256 public constant Z_1 =
14_744_269_619_966_411_208_579_211_824_598_458_697_587_494_354_926_760_081_771_325_075_741_142_829_156;
uint256 public constant Z_2 =
7_423_237_065_226_347_324_353_380_772_367_382_631_490_014_989_348_495_481_811_164_164_159_255_474_657;
uint256 public constant Z_3 =
11_286_972_368_698_509_976_183_087_595_462_810_875_513_684_078_608_517_520_839_298_933_882_497_716_792;
uint256 public constant Z_4 =
3_607_627_140_608_796_879_659_380_071_776_844_901_612_302_623_152_076_817_094_415_224_584_923_813_162;
uint256 public constant Z_5 =
19_712_377_064_642_672_829_441_595_136_074_946_683_621_277_828_620_209_496_774_504_837_737_984_048_981;
uint256 public constant Z_6 =
20_775_607_673_010_627_194_014_556_968_476_266_066_927_294_572_720_319_469_184_847_051_418_138_353_016;
uint256 public constant Z_7 =
3_396_914_609_616_007_258_851_405_644_437_304_192_397_291_162_432_396_347_162_513_310_381_425_243_293;
uint256 public constant Z_8 =
21_551_820_661_461_729_022_865_262_380_882_070_649_935_529_853_313_286_572_328_683_688_269_863_701_601;
uint256 public constant Z_9 =
6_573_136_701_248_752_079_028_194_407_151_022_595_060_682_063_033_565_181_951_145_966_236_778_420_039;
uint256 public constant Z_10 =
12_413_880_268_183_407_374_852_357_075_976_609_371_175_688_755_676_981_206_018_884_971_008_854_919_922;
uint256 public constant Z_11 =
14_271_763_308_400_718_165_336_499_097_156_975_241_954_733_520_325_982_997_864_342_600_795_471_836_726;
uint256 public constant Z_12 =
20_066_985_985_293_572_387_227_381_049_700_832_219_069_292_839_614_107_140_851_619_262_827_735_677_018;
uint256 public constant Z_13 =
9_394_776_414_966_240_069_580_838_672_673_694_685_292_165_040_808_226_440_647_796_406_499_139_370_960;
uint256 public constant Z_14 =
11_331_146_992_410_411_304_059_858_900_317_123_658_895_005_918_277_453_009_197_229_807_340_014_528_524;
uint256 public constant Z_15 =
15_819_538_789_928_229_930_262_697_811_477_882_737_253_464_456_578_333_862_691_129_291_651_619_515_538;
uint256 public constant Z_16 =
19_217_088_683_336_594_659_449_020_493_828_377_907_203_207_941_212_636_669_271_704_950_158_751_593_251;
uint256 public constant Z_17 =
21_035_245_323_335_827_719_745_544_373_081_896_983_162_834_604_456_827_698_288_649_288_827_293_579_666;
uint256 public constant Z_18 =
6_939_770_416_153_240_137_322_503_476_966_641_397_417_391_950_902_474_480_970_945_462_551_409_848_591;
uint256 public constant Z_19 =
10_941_962_436_777_715_901_943_463_195_175_331_263_348_098_796_018_438_960_955_633_645_115_732_864_202;
uint256 public constant Z_20 =
15_019_797_232_609_675_441_998_260_052_101_280_400_536_945_603_062_888_308_240_081_994_073_687_793_470;

// solhint-disable-next-line code-complexity
function defaultZero(uint256 index) public pure returns (uint256) {
if (index == 0) return Z_0;
if (index == 1) return Z_1;
if (index == 2) return Z_2;
if (index == 3) return Z_3;
if (index == 4) return Z_4;
if (index == 5) return Z_5;
if (index == 6) return Z_6;
if (index == 7) return Z_7;
if (index == 8) return Z_8;
if (index == 9) return Z_9;
if (index == 10) return Z_10;
if (index == 11) return Z_11;
if (index == 12) return Z_12;
if (index == 13) return Z_13;
if (index == 14) return Z_14;
if (index == 15) return Z_15;
if (index == 16) return Z_16;
if (index == 17) return Z_17;
if (index == 18) return Z_18;
if (index == 19) return Z_19;
if (index == 20) return Z_20;
revert("IncrementalBinaryTree: defaultZero bad index");

Check warning on line 88 in src/BinaryIMTMemory.sol

View workflow job for this annotation

GitHub Actions / lint

Error message for revert is too long

Check warning on line 88 in src/BinaryIMTMemory.sol

View check run for this annotation

Codecov / codecov/patch

src/BinaryIMTMemory.sol#L88

Added line #L88 was not covered by tests
}

/// @dev Computes the root of the tree given the leaves.
/// @param self: Tree data.
/// @param leaves: Leaves in the tree
function calcRoot(
Copy link

@alrevuelta alrevuelta Feb 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this taken from somewhere? can we add unit tests?

does it work for eg 10.000 memberships? even view functions have limits so I suspect with a high amount of leaves.length this wont work, since too many hashes to do.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is a test for 20 memberships as well as the gas snapshot has been committed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've linked the original implementation before modifying it to not use storage

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this function is not meant to be called by other contracts, and will only be resolved at the node level through eth_call's

BinaryIMTMemoryData memory self,
uint256 depth,
uint256[] memory leaves
)
public
pure
returns (uint256)
{
uint256[2][] memory lastSubtrees = new uint256[2][](depth);

for (uint8 j = 0; j < leaves.length; j++) {
uint256 index = self.numberOfLeaves;
uint256 hash = leaves[j];
for (uint8 i = 0; i < depth;) {
if (index & 1 == 0) {
lastSubtrees[i] = [hash, defaultZero(i)];
} else {
lastSubtrees[i][1] = hash;
}
hash = PoseidonT3.hash(lastSubtrees[i]);
index >>= 1;
unchecked {
++i;
}
}
self.root = hash;
self.numberOfLeaves += 1;
}
return self.root;
}
}
14 changes: 14 additions & 0 deletions src/RlnBase.sol
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@
pragma solidity ^0.8.19;

import { IVerifier } from "./IVerifier.sol";
import { BinaryIMTMemory, BinaryIMTMemoryData } from "./BinaryIMTMemory.sol";
import { PoseidonT3 } from "poseidon-solidity/PoseidonT3.sol";
import "forge-std/console2.sol";

Check warning on line 8 in src/RlnBase.sol

View workflow job for this annotation

GitHub Actions / lint

global import of path forge-std/console2.sol is not allowed. Specify names to import individually or bind all exports of the module into a name (import "path" as Name)

/// The tree is full
error FullTree();
Expand Down Expand Up @@ -51,23 +54,23 @@
21_888_242_871_839_275_222_246_405_745_257_275_088_548_364_400_416_034_343_698_204_186_575_808_495_617;

/// @notice The max message limit per epoch
uint256 public immutable MAX_MESSAGE_LIMIT;

Check warning on line 57 in src/RlnBase.sol

View workflow job for this annotation

GitHub Actions / lint

Variable name must be in mixedCase

/// @notice The deposit amount required to register as a member
uint256 public immutable MEMBERSHIP_DEPOSIT;

Check warning on line 60 in src/RlnBase.sol

View workflow job for this annotation

GitHub Actions / lint

Variable name must be in mixedCase

/// @notice The depth of the merkle tree
uint256 public immutable DEPTH;

Check warning on line 63 in src/RlnBase.sol

View workflow job for this annotation

GitHub Actions / lint

Variable name must be in mixedCase

/// @notice The size of the merkle tree, i.e 2^depth
uint256 public immutable SET_SIZE;

Check warning on line 66 in src/RlnBase.sol

View workflow job for this annotation

GitHub Actions / lint

Variable name must be in mixedCase

/// @notice The index of the next member to be registered
uint256 public idCommitmentIndex = 0;

/// @notice The amount of eth staked by each member
/// maps from idCommitment to the amount staked
mapping(uint256 => uint256) public stakedAmounts;

Check warning on line 73 in src/RlnBase.sol

View workflow job for this annotation

GitHub Actions / lint

Main key parameter in mapping stakedAmounts is not named

/// @notice The membership status of each member
/// maps from idCommitment to their index in the set
Expand Down Expand Up @@ -278,4 +281,15 @@
}
return commitments;
}

function root() public view returns (uint256) {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

related to https://github.com/vacp2p/rln-contract/pull/36/files#r1500330402

does this work with hundred or thousand of leafs? calcRoot has to do tons of hashes.

even view functions have limits so I suspect with a high amount of leaves.length this wont work, since too many hashes to do.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can test

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if it's above 500M gas then it will be rejected by popular rpc providers, otherwise it's okay.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

500M seems too high.

https://community.infura.io/t/gas-limit-on-eth-call/1115
Says: 19 981 536

https://docs.infura.io/api/networks/ethereum/json-rpc-methods/eth_estimategas

To prevent abuse of the API, the gas parameter in this eth_estimateGas method and in eth_call is capped at 10x (1000%) the current block gas limit. You can recreate this behavior in your local test environment (besu, geth, or other client) via the rpc.gascap command-line option.

and from geth 50 000 000

From geth
--rpc.gascap value (default: 50000000)

How many leafs do we need to hit this limit?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

@rymnc rymnc Feb 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

caps out at 255 leaves (100M gas) (127 leaves @ 50M gas), not ideal, but perhaps we can split the computation and make the calcRoot function accept an array of prefilled nodes of the tree, and make multiple rpc calls to calcRoot like pagination

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ow yeap quite small tree which makes it not practical. It could be interesting to do so, but perhaps with that it loses the purpose. I mean, with this a client has to keep calling back and forth, downloading the leafs, keeping some local state, which is error prone and makes me wonder if its practical. Of course its more gas efficient than the LazyIMT approach, so we should asses what matters more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

applications which will have smaller trees can probably use this - and have the benefits that this approach brings. will think of another approach how we can consume less gas and make the least amount of rpc calls.

BinaryIMTMemoryData memory imtData;
uint256[] memory leaves = new uint256[](idCommitmentIndex);
for (uint256 i = 0; i < idCommitmentIndex; i++) {
uint256 idCommitment = indexToCommitment[i];
uint256 userMessageLimit = userMessageLimits[idCommitment];
leaves[i] = PoseidonT3.hash([idCommitment, userMessageLimit]);
}
return BinaryIMTMemory.calcRoot(imtData, DEPTH, leaves);
}
}
56 changes: 56 additions & 0 deletions test/Rln.t.sol
Original file line number Diff line number Diff line change
Expand Up @@ -218,4 +218,60 @@ contract RlnTest is Test {
rln.withdraw();
assertEq(rln.withdrawalBalance(to), 0);
}

function test__root() public {
uint256[] memory idCommitments = new uint256[](20);
idCommitments[0] =
20_247_267_680_401_005_346_274_578_821_543_189_710_026_653_465_287_274_953_093_311_729_853_323_564_993;
idCommitments[1] =
17_156_989_550_607_148_435_222_849_763_909_493_047_059_958_780_520_493_064_916_232_951_463_175_150_232;
idCommitments[2] =
19_407_226_803_745_267_103_608_182_642_384_012_885_199_367_851_532_943_079_325_397_211_138_049_136_059;
idCommitments[3] =
10_843_159_696_774_792_948_443_591_344_995_886_877_305_260_668_485_645_797_849_607_534_704_262_422_614;
idCommitments[4] =
15_752_850_412_139_811_972_088_845_441_337_097_950_281_706_419_552_473_737_567_891_612_825_963_973_284;
idCommitments[5] =
4_519_863_328_057_168_189_298_631_669_175_527_040_337_788_759_018_171_546_425_601_895_038_423_288_676;
idCommitments[6] =
20_627_603_771_378_896_374_342_882_478_326_393_493_797_675_723_581_644_707_860_442_401_185_847_711_606;
idCommitments[7] =
15_154_129_217_924_019_401_315_002_167_199_740_344_372_362_483_772_641_456_490_923_254_762_406_760_783;
idCommitments[8] =
3_015_981_008_465_776_671_380_535_237_073_859_585_910_422_946_858_408_575_400_681_261_858_382_907_193;
idCommitments[9] =
224_054_746_800_950_089_703_161_552_547_065_908_637_798_421_998_793_333_020_881_640_418_719_302_913;
idCommitments[10] =
11_312_879_727_214_499_351_626_352_295_289_579_557_712_856_071_583_396_259_776_980_542_429_783_930_998;
idCommitments[11] =
12_465_380_480_462_031_386_424_255_751_937_172_435_855_917_781_265_550_857_371_960_580_299_590_023_804;
idCommitments[12] =
10_532_759_670_323_423_548_160_832_454_733_716_332_118_269_972_426_626_732_736_793_882_239_669_630_595;
idCommitments[13] =
5_363_974_916_211_877_996_441_994_123_101_828_809_420_707_174_378_417_661_497_477_404_431_739_760_929;
idCommitments[14] =
16_136_233_734_969_897_677_998_619_926_295_968_066_529_681_582_940_418_030_166_845_477_723_796_227_875;
idCommitments[15] =
19_482_780_886_140_959_996_233_254_660_604_422_414_723_443_061_405_603_031_287_446_813_590_162_051_267;
idCommitments[16] =
10_229_567_829_413_302_626_314_791_721_752_882_914_790_767_942_876_437_744_444_365_366_344_582_485_888;
idCommitments[17] =
13_243_196_170_549_739_682_068_942_953_623_914_146_349_583_225_049_284_668_843_899_390_874_999_176_721;
idCommitments[18] =
10_860_831_981_296_153_559_626_134_370_426_776_811_139_720_916_552_827_925_568_614_682_099_174_768_128;
idCommitments[19] =
18_217_334_211_520_937_958_971_536_517_166_530_749_184_547_628_672_204_353_760_850_739_130_586_503_124;

vm.pauseGasMetering();
for (uint256 i = 0; i < idCommitments.length; i++) {
// default 1 message limit
rln.register{ value: MEMBERSHIP_DEPOSIT }(idCommitments[i], 1);
}
vm.resumeGasMetering();

assertEq(
rln.root(),
11_878_758_533_199_576_052_254_314_452_742_479_731_463_159_441_555_548_457_402_116_093_772_672_905_513
);
}
}
Loading