From d672a9de6f25416ba8a0a75e41e784e664603f90 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 14 Dec 2025 17:19:24 +0000 Subject: [PATCH 1/4] Initial plan From acfcc38c9395a2d5b0a462f7d73ed4ba3e06d6f1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 14 Dec 2025 17:22:20 +0000 Subject: [PATCH 2/4] Replace placeholder with comprehensive Groth16 state circuit documentation Co-authored-by: Steake <530040+Steake@users.noreply.github.com> --- docs/issue-45.md | 94 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 91 insertions(+), 3 deletions(-) diff --git a/docs/issue-45.md b/docs/issue-45.md index ad48be7..32e8e66 100644 --- a/docs/issue-45.md +++ b/docs/issue-45.md @@ -1,5 +1,93 @@ -# Issue 45 +# Issue 45: Groth16 State Circuit Constraints -Work in progress by Emulated Coder. +## Background -Ref: #45 \ No newline at end of file +Groth16 is a widely used zk-SNARK proving system that requires careful circuit design to ensure correctness, security, and efficiency. In our project, the state circuit is responsible for enforcing the validity of state transitions within the zero-knowledge proof. Proper constraints must be implemented to guarantee that only valid transitions are provable. + +## Problem Statement + +The BitCell system requires robust zero-knowledge proof circuits to ensure privacy and integrity of state transitions. Groth16 state circuit constraints are essential for: +- Verifying Merkle tree state transitions +- Ensuring nullifier uniqueness to prevent double-spending +- Validating commitment derivation for new state elements +- Maintaining consistency between old and new state roots + +## Current Implementation Status + +✅ **IMPLEMENTED** - The Groth16 state circuit constraints are fully implemented in `crates/bitcell-zkp/src/state_constraints.rs`. + +### Key Components + +1. **StateCircuit** - Main state transition circuit with R1CS constraints for: + - Merkle tree path verification for old state root + - Nullifier derivation from leaf values + - Commitment computation for new leaf values + - Merkle tree path verification for new state root + +2. **NullifierCircuit** - Nullifier set membership verification circuit: + - Verifies whether a nullifier exists in the nullifier set + - Uses Merkle tree membership proofs + - Prevents double-spending attacks + +3. **Constraint Implementation**: + - Merkle tree depth: 32 levels + - Uses arkworks library for R1CS constraint synthesis + - Compatible with Groth16 proving system on BN254 curve + - Implements proper public/private input separation + +4. **Hash Functions**: + - Simplified hash functions for proof-of-concept + - Note: Production deployment should use Poseidon or other SNARK-friendly hash functions + +### Technical Specifications + +- **Proving System**: Groth16 (via arkworks-rs) +- **Curve**: BN254 (Bn254) +- **Field**: Fr (scalar field of BN254) +- **Merkle Tree Depth**: 32 +- **Public Inputs**: + - StateCircuit: old_root, new_root, nullifier, commitment + - NullifierCircuit: nullifier, set_root, is_member + +### Implementation Details + +The circuits enforce the following constraints: + +**StateCircuit Constraints:** +1. `computed_old_root == old_root` - Verifies the old Merkle tree state +2. `H(leaf) == nullifier` - Ensures proper nullifier derivation +3. `H(new_leaf) == commitment` - Validates new commitment +4. `computed_new_root == new_root` - Verifies the new Merkle tree state + +**NullifierCircuit Constraints:** +1. `(computed_root == set_root) == is_member` - Membership verification + +### API Methods + +Both circuits provide: +- `setup()` - Generate proving and verifying keys +- `prove(&self, pk)` - Generate a proof for the circuit instance +- `verify(vk, proof, public_inputs)` - Verify a proof +- `public_inputs(&self)` - Extract public inputs vector + +## Testing + +The implementation includes comprehensive tests: +- Constraint satisfiability tests +- End-to-end proof generation and verification +- Merkle tree computation verification + +## Future Improvements + +- [ ] Replace simplified hash functions with Poseidon hash +- [ ] Add range check constraints for enhanced security +- [ ] Optimize constraint count for faster proving +- [ ] Add batch verification support +- [ ] Implement circuit-specific optimizations + +## References + +- [Groth16 Paper](https://eprint.iacr.org/2016/260.pdf) +- [Arkworks Documentation](https://arkworks.rs/) +- Implementation: `crates/bitcell-zkp/src/state_constraints.rs` +- [GitHub Issue #45](https://github.com/Steake/BitCell/issues/45) \ No newline at end of file From 531888c1185a34fe51c23527ac1040d569c87420 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 14 Dec 2025 17:23:25 +0000 Subject: [PATCH 3/4] Fix documentation issues from code review Co-authored-by: Steake <530040+Steake@users.noreply.github.com> --- docs/issue-45.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/issue-45.md b/docs/issue-45.md index 32e8e66..5f4f36c 100644 --- a/docs/issue-45.md +++ b/docs/issue-45.md @@ -41,7 +41,7 @@ The BitCell system requires robust zero-knowledge proof circuits to ensure priva ### Technical Specifications -- **Proving System**: Groth16 (via arkworks-rs) +- **Proving System**: Groth16 (via arkworks) - **Curve**: BN254 (Bn254) - **Field**: Fr (scalar field of BN254) - **Merkle Tree Depth**: 32 @@ -60,7 +60,7 @@ The circuits enforce the following constraints: 4. `computed_new_root == new_root` - Verifies the new Merkle tree state **NullifierCircuit Constraints:** -1. `(computed_root == set_root) == is_member` - Membership verification +1. `computed_root.is_eq(set_root) == is_member` - Verifies that the Merkle root equality check result matches the membership flag ### API Methods @@ -88,6 +88,6 @@ The implementation includes comprehensive tests: ## References - [Groth16 Paper](https://eprint.iacr.org/2016/260.pdf) -- [Arkworks Documentation](https://arkworks.rs/) +- [Arkworks Groth16 Documentation](https://docs.rs/ark-groth16/) - Implementation: `crates/bitcell-zkp/src/state_constraints.rs` - [GitHub Issue #45](https://github.com/Steake/BitCell/issues/45) \ No newline at end of file From eb5448a82d2c93297c91a217d628023c423c6796 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 14 Dec 2025 17:24:46 +0000 Subject: [PATCH 4/4] Improve constraint descriptions for accuracy Co-authored-by: Steake <530040+Steake@users.noreply.github.com> --- docs/issue-45.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/issue-45.md b/docs/issue-45.md index 5f4f36c..2a822c2 100644 --- a/docs/issue-45.md +++ b/docs/issue-45.md @@ -55,12 +55,12 @@ The circuits enforce the following constraints: **StateCircuit Constraints:** 1. `computed_old_root == old_root` - Verifies the old Merkle tree state -2. `H(leaf) == nullifier` - Ensures proper nullifier derivation -3. `H(new_leaf) == commitment` - Validates new commitment +2. `H(leaf) == nullifier` - Validates that the nullifier is correctly derived from the leaf value +3. `H(new_leaf) == commitment` - Validates that the commitment is correctly derived from the new leaf value 4. `computed_new_root == new_root` - Verifies the new Merkle tree state **NullifierCircuit Constraints:** -1. `computed_root.is_eq(set_root) == is_member` - Verifies that the Merkle root equality check result matches the membership flag +1. The circuit enforces that `roots_equal == is_member`, where `roots_equal` is the boolean result of checking if the computed Merkle root matches the set root. This ensures that membership verification is correct: if `is_member` is true, the roots must match, and if false, they must differ. ### API Methods