feat(core): Plonky2 proofs onchain verification (part 1)

[ekovalev]

Overview

This is the first part of a bigger change (#4393 ) in order to break down the original PR into several more or less independent and tractable parts.

The ultimate goal is to provide a framework for zk-related apps on top of (currently) Vara blockchain. Specifically, it supports on-chain verification of Plonky2 proofs for arbitrary circuits. This would require speeding up of computationally greedy tasks in order to ensure any verify operation fits in a single block.

The big picture looks like so:

                            +-------------------------------------------------------------------------+
                            |                                                          WASM           |
+------------+              |   +---------------------------+                ( Gear programs realm )  |
|            |     proof    |   |   Application Contract    |                                         |
|   Prover   | -------------|-> |                           |                                         |
|            |              |   |  (verifier_circuit_data)  |                                         |
+------------+              |   +---------------------------+                                         |
                            |                 |                                                       |
                            |                 | concatenate( verifier_circuit_data, proof )           |
                            |                 v                                                       |
                            |   +---------------------------+                                         |
                            |   |     Verifier Contract     |                                         |
                            |   |                           |         +---------------------------+   |
                            |   |     plonky2::verify()     |         |   GoldilocksField  impl   |   |
                            |   |       |                   |         |                           |   |
                            |   |       +- GF::poseidon() --+-------> |    Poseidon::permute()    |   |
                            |   +---------------------------+         +-------------|-------------+   |
                            +-------------------------------------------------------|-----------------+
                                                                                    | syscall
                                                                                    v
                                                                      +---------------------------+
                                                                      |        Vara runtime       |
                                                                      |                           |
                                                                      |   gr_poseidon_permute()   |
                                                                      +-------------|-------------+
                                                                                    | host call
                                                                                    v
                                                                      +---------------------------+
                                                                      |           Client          |
                                                                      |                           |
                                                                      |  permute primitives impl  |
                                                                      +---------------------------+

Most of the workflow happens in the user-space. We define a set of contracts with (potentially) well-known addresses:

• an Application contract contains the main app logic, and, therefore, stores the circuit-specific data; every proof sent to it for verification is prepended with the encoded circuit data;
• the Verifier contract (can be a single instance for the entire chain) wraps the original Plonky2 code for proofs verification; however, the underlying primitives (GoldilocksField) are custom-implemented in such a way that heavy operations are offloaded to the host (through a chain of a syscall->host call).

The runtime part includes a syscall implementation to export heavy computing outside of WASM environment, as well as a runtime-interface to proxy a call to the host.

On the host we only maintain a self-sustained set of primitives (independent of the Plonky implementation) that ensure a client will always be able to carry out the Poseidon permute operation without requiring additional dependencies.

Changes


This PR only concerns the runtime part and the “user-space” part for the sake of keeping the PR size under control:

• A syscall for Poseidon permutation computation;
• Example verifier contract with a custom GoldilocksField implementation to plug into the out-of-the-box plonky2 verifier;
• Runtime tests.

The host call is replaced with a mock - the actual host call comes in a separate PR.

[mertwole]

Generally, LGTM

[mertwole]

Maybe input.map(...)? I'm sure that it will be no-op in the compiled code but will not require unsafe

[ekovalev]

Clearly, unsafe is safe in this case.
If we replace type transmutation with a map, some overhead will definitely be there (at least in terms of the code size): compare. And in a contract the size is crucial.

Not sure if it has any runtime impact, but definitely this doesn't make anything better, in my opinion.