From dc549478b7a48539b988d1cd97e6609c56bcab0d Mon Sep 17 00:00:00 2001 From: kanthub <564080210@qq.com> Date: Thu, 4 Dec 2025 23:29:17 +0800 Subject: [PATCH 1/2] add policy router --- src/core/AgeVerifier.sol | 558 ++++++++++++++++++++++++++++ src/core/KYCPolicyRouter.sol | 91 +++++ src/core/KYCPolicyRouterStorage.sol | 24 ++ src/interfaces/IOracleKYCPod.sol | 22 ++ src/interfaces/IPolicyRouter.sol | 6 + src/interfaces/IVerifier.sol | 6 + 6 files changed, 707 insertions(+) create mode 100644 src/core/AgeVerifier.sol create mode 100644 src/core/KYCPolicyRouter.sol create mode 100644 src/core/KYCPolicyRouterStorage.sol create mode 100644 src/interfaces/IOracleKYCPod.sol create mode 100644 src/interfaces/IPolicyRouter.sol create mode 100644 src/interfaces/IVerifier.sol diff --git a/src/core/AgeVerifier.sol b/src/core/AgeVerifier.sol new file mode 100644 index 0000000..2cbfa6a --- /dev/null +++ b/src/core/AgeVerifier.sol @@ -0,0 +1,558 @@ + +// SPDX-License-Identifier: MIT + +pragma solidity ^0.8.0; + +/// @title Groth16 verifier template. +/// @author Remco Bloemen +/// @notice Supports verifying Groth16 proofs. Proofs can be in uncompressed +/// (256 bytes) and compressed (128 bytes) format. A view function is provided +/// to compress proofs. +/// @notice See for further explanation. +contract Verifier { + + /// Some of the provided public input values are larger than the field modulus. + /// @dev Public input elements are not automatically reduced, as this is can be + /// a dangerous source of bugs. + error PublicInputNotInField(); + + /// The proof is invalid. + /// @dev This can mean that provided Groth16 proof points are not on their + /// curves, that pairing equation fails, or that the proof is not for the + /// provided public input. + error ProofInvalid(); + + // Addresses of precompiles + uint256 constant PRECOMPILE_MODEXP = 0x05; + uint256 constant PRECOMPILE_ADD = 0x06; + uint256 constant PRECOMPILE_MUL = 0x07; + uint256 constant PRECOMPILE_VERIFY = 0x08; + + // Base field Fp order P and scalar field Fr order R. + // For BN254 these are computed as follows: + // t = 4965661367192848881 + // P = 36⋅t⁴ + 36⋅t³ + 24⋅t² + 6⋅t + 1 + // R = 36⋅t⁴ + 36⋅t³ + 18⋅t² + 6⋅t + 1 + uint256 constant P = 0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47; + uint256 constant R = 0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001; + + // Extension field Fp2 = Fp[i] / (i² + 1) + // Note: This is the complex extension field of Fp with i² = -1. + // Values in Fp2 are represented as a pair of Fp elements (a₀, a₁) as a₀ + a₁⋅i. + // Note: The order of Fp2 elements is *opposite* that of the pairing contract, which + // expects Fp2 elements in order (a₁, a₀). This is also the order in which + // Fp2 elements are encoded in the public interface as this became convention. + + // Constants in Fp + uint256 constant FRACTION_1_2_FP = 0x183227397098d014dc2822db40c0ac2ecbc0b548b438e5469e10460b6c3e7ea4; + uint256 constant FRACTION_27_82_FP = 0x2b149d40ceb8aaae81be18991be06ac3b5b4c5e559dbefa33267e6dc24a138e5; + uint256 constant FRACTION_3_82_FP = 0x2fcd3ac2a640a154eb23960892a85a68f031ca0c8344b23a577dcf1052b9e775; + + // Exponents for inversions and square roots mod P + uint256 constant EXP_INVERSE_FP = 0x30644E72E131A029B85045B68181585D97816A916871CA8D3C208C16D87CFD45; // P - 2 + uint256 constant EXP_SQRT_FP = 0xC19139CB84C680A6E14116DA060561765E05AA45A1C72A34F082305B61F3F52; // (P + 1) / 4; + + // Groth16 alpha point in G1 + uint256 constant ALPHA_X = 12315601846733473496803853198652790375673584909617555354523919394629851109001; + uint256 constant ALPHA_Y = 936255689790077807672541190314066083014420543580386604191676843717243332603; + + // Groth16 beta point in G2 in powers of i + uint256 constant BETA_NEG_X_0 = 17918906900121633039182321175153388148893136083830972089386615295141627463139; + uint256 constant BETA_NEG_X_1 = 16908984494295375232911262663676353933428618117172892998592796326112101532461; + uint256 constant BETA_NEG_Y_0 = 21285888857490310678378688378178069921459989223711424262645417257147615662316; + uint256 constant BETA_NEG_Y_1 = 5169562458875882005299136885046636569198799446266638500025684179815640106313; + + // Groth16 gamma point in G2 in powers of i + uint256 constant GAMMA_NEG_X_0 = 17665094498514892935552860781421290494973194193178152672879283587964313607642; + uint256 constant GAMMA_NEG_X_1 = 21679973654500672343789041303904038180644471416701873909469583020707728112634; + uint256 constant GAMMA_NEG_Y_0 = 17769016423707383400093745979659455869780611871883702940691541248703779742825; + uint256 constant GAMMA_NEG_Y_1 = 16131075161033938281997584018760155377607329985245982732381767213848354868551; + + // Groth16 delta point in G2 in powers of i + uint256 constant DELTA_NEG_X_0 = 6530841045976275737270085700563305388637020165772373397991462099980585574858; + uint256 constant DELTA_NEG_X_1 = 9366685160590517683191576588696469634769350722898038435997892410378040296271; + uint256 constant DELTA_NEG_Y_0 = 9727744619077905788035079778528940769182142617396049461177158637438430898363; + uint256 constant DELTA_NEG_Y_1 = 18017840902822858305342192080577550822003982585343449238034621738270194653380; + + // Constant and public input points + uint256 constant CONSTANT_X = 4545991169193665866250943347446334193630990083241913229354588596552700728204; + uint256 constant CONSTANT_Y = 1095491432137214958999461505112945752452346883056723117986902186773829173686; + uint256 constant PUB_0_X = 3863898214721944658809334279347561777723895687680657503635350578049126848267; + uint256 constant PUB_0_Y = 9566913821536250928468588046076291157382037271664698616622161981344584452410; + uint256 constant PUB_1_X = 7527888804953712673224969116648621988569560044129848730048486388470325105371; + uint256 constant PUB_1_Y = 5815065138941460064030266566173563112668017145158949144162417449178195134097; + uint256 constant PUB_2_X = 20108840330079693105617169897744526677430250332561394146867522538159316653358; + uint256 constant PUB_2_Y = 20189276730545103007469244518242712901246088645094147727047742132921642864030; + uint256 constant PUB_3_X = 21290759822956721357271033545312066040027692397096569476478988470839414437207; + uint256 constant PUB_3_Y = 14800571931590144458166352733996314870483824573919794610357068494691284881805; + + /// Negation in Fp. + /// @notice Returns a number x such that a + x = 0 in Fp. + /// @notice The input does not need to be reduced. + /// @param a the base + /// @return x the result + function negate(uint256 a) internal pure returns (uint256 x) { + unchecked { + x = (P - (a % P)) % P; // Modulo is cheaper than branching + } + } + + /// Exponentiation in Fp. + /// @notice Returns a number x such that a ^ e = x in Fp. + /// @notice The input does not need to be reduced. + /// @param a the base + /// @param e the exponent + /// @return x the result + function exp(uint256 a, uint256 e) internal view returns (uint256 x) { + bool success; + assembly ("memory-safe") { + let f := mload(0x40) + mstore(f, 0x20) + mstore(add(f, 0x20), 0x20) + mstore(add(f, 0x40), 0x20) + mstore(add(f, 0x60), a) + mstore(add(f, 0x80), e) + mstore(add(f, 0xa0), P) + success := staticcall(gas(), PRECOMPILE_MODEXP, f, 0xc0, f, 0x20) + x := mload(f) + } + if (!success) { + // Exponentiation failed. + // Should not happen. + revert ProofInvalid(); + } + } + + /// Invertsion in Fp. + /// @notice Returns a number x such that a * x = 1 in Fp. + /// @notice The input does not need to be reduced. + /// @notice Reverts with ProofInvalid() if the inverse does not exist + /// @param a the input + /// @return x the solution + function invert_Fp(uint256 a) internal view returns (uint256 x) { + x = exp(a, EXP_INVERSE_FP); + if (mulmod(a, x, P) != 1) { + // Inverse does not exist. + // Can only happen during G2 point decompression. + revert ProofInvalid(); + } + } + + /// Square root in Fp. + /// @notice Returns a number x such that x * x = a in Fp. + /// @notice Will revert with InvalidProof() if the input is not a square + /// or not reduced. + /// @param a the square + /// @return x the solution + function sqrt_Fp(uint256 a) internal view returns (uint256 x) { + x = exp(a, EXP_SQRT_FP); + if (mulmod(x, x, P) != a) { + // Square root does not exist or a is not reduced. + // Happens when G1 point is not on curve. + revert ProofInvalid(); + } + } + + /// Square test in Fp. + /// @notice Returns whether a number x exists such that x * x = a in Fp. + /// @notice Will revert with InvalidProof() if the input is not a square + /// or not reduced. + /// @param a the square + /// @return x the solution + function isSquare_Fp(uint256 a) internal view returns (bool) { + uint256 x = exp(a, EXP_SQRT_FP); + return mulmod(x, x, P) == a; + } + + /// Square root in Fp2. + /// @notice Fp2 is the complex extension Fp[i]/(i^2 + 1). The input is + /// a0 + a1 ⋅ i and the result is x0 + x1 ⋅ i. + /// @notice Will revert with InvalidProof() if + /// * the input is not a square, + /// * the hint is incorrect, or + /// * the input coefficients are not reduced. + /// @param a0 The real part of the input. + /// @param a1 The imaginary part of the input. + /// @param hint A hint which of two possible signs to pick in the equation. + /// @return x0 The real part of the square root. + /// @return x1 The imaginary part of the square root. + function sqrt_Fp2(uint256 a0, uint256 a1, bool hint) internal view returns (uint256 x0, uint256 x1) { + // If this square root reverts there is no solution in Fp2. + uint256 d = sqrt_Fp(addmod(mulmod(a0, a0, P), mulmod(a1, a1, P), P)); + if (hint) { + d = negate(d); + } + // If this square root reverts there is no solution in Fp2. + x0 = sqrt_Fp(mulmod(addmod(a0, d, P), FRACTION_1_2_FP, P)); + x1 = mulmod(a1, invert_Fp(mulmod(x0, 2, P)), P); + + // Check result to make sure we found a root. + // Note: this also fails if a0 or a1 is not reduced. + if (a0 != addmod(mulmod(x0, x0, P), negate(mulmod(x1, x1, P)), P) + || a1 != mulmod(2, mulmod(x0, x1, P), P)) { + revert ProofInvalid(); + } + } + + /// Compress a G1 point. + /// @notice Reverts with InvalidProof if the coordinates are not reduced + /// or if the point is not on the curve. + /// @notice The point at infinity is encoded as (0,0) and compressed to 0. + /// @param x The X coordinate in Fp. + /// @param y The Y coordinate in Fp. + /// @return c The compresed point (x with one signal bit). + function compress_g1(uint256 x, uint256 y) internal view returns (uint256 c) { + if (x >= P || y >= P) { + // G1 point not in field. + revert ProofInvalid(); + } + if (x == 0 && y == 0) { + // Point at infinity + return 0; + } + + // Note: sqrt_Fp reverts if there is no solution, i.e. the x coordinate is invalid. + uint256 y_pos = sqrt_Fp(addmod(mulmod(mulmod(x, x, P), x, P), 3, P)); + if (y == y_pos) { + return (x << 1) | 0; + } else if (y == negate(y_pos)) { + return (x << 1) | 1; + } else { + // G1 point not on curve. + revert ProofInvalid(); + } + } + + /// Decompress a G1 point. + /// @notice Reverts with InvalidProof if the input does not represent a valid point. + /// @notice The point at infinity is encoded as (0,0) and compressed to 0. + /// @param c The compresed point (x with one signal bit). + /// @return x The X coordinate in Fp. + /// @return y The Y coordinate in Fp. + function decompress_g1(uint256 c) internal view returns (uint256 x, uint256 y) { + // Note that X = 0 is not on the curve since 0³ + 3 = 3 is not a square. + // so we can use it to represent the point at infinity. + if (c == 0) { + // Point at infinity as encoded in EIP196 and EIP197. + return (0, 0); + } + bool negate_point = c & 1 == 1; + x = c >> 1; + if (x >= P) { + // G1 x coordinate not in field. + revert ProofInvalid(); + } + + // Note: (x³ + 3) is irreducible in Fp, so it can not be zero and therefore + // y can not be zero. + // Note: sqrt_Fp reverts if there is no solution, i.e. the point is not on the curve. + y = sqrt_Fp(addmod(mulmod(mulmod(x, x, P), x, P), 3, P)); + if (negate_point) { + y = negate(y); + } + } + + /// Compress a G2 point. + /// @notice Reverts with InvalidProof if the coefficients are not reduced + /// or if the point is not on the curve. + /// @notice The G2 curve is defined over the complex extension Fp[i]/(i^2 + 1) + /// with coordinates (x0 + x1 ⋅ i, y0 + y1 ⋅ i). + /// @notice The point at infinity is encoded as (0,0,0,0) and compressed to (0,0). + /// @param x0 The real part of the X coordinate. + /// @param x1 The imaginary poart of the X coordinate. + /// @param y0 The real part of the Y coordinate. + /// @param y1 The imaginary part of the Y coordinate. + /// @return c0 The first half of the compresed point (x0 with two signal bits). + /// @return c1 The second half of the compressed point (x1 unmodified). + function compress_g2(uint256 x0, uint256 x1, uint256 y0, uint256 y1) + internal view returns (uint256 c0, uint256 c1) { + if (x0 >= P || x1 >= P || y0 >= P || y1 >= P) { + // G2 point not in field. + revert ProofInvalid(); + } + if ((x0 | x1 | y0 | y1) == 0) { + // Point at infinity + return (0, 0); + } + + // Compute y^2 + // Note: shadowing variables and scoping to avoid stack-to-deep. + uint256 y0_pos; + uint256 y1_pos; + { + uint256 n3ab = mulmod(mulmod(x0, x1, P), P-3, P); + uint256 a_3 = mulmod(mulmod(x0, x0, P), x0, P); + uint256 b_3 = mulmod(mulmod(x1, x1, P), x1, P); + y0_pos = addmod(FRACTION_27_82_FP, addmod(a_3, mulmod(n3ab, x1, P), P), P); + y1_pos = negate(addmod(FRACTION_3_82_FP, addmod(b_3, mulmod(n3ab, x0, P), P), P)); + } + + // Determine hint bit + // If this sqrt fails the x coordinate is not on the curve. + bool hint; + { + uint256 d = sqrt_Fp(addmod(mulmod(y0_pos, y0_pos, P), mulmod(y1_pos, y1_pos, P), P)); + hint = !isSquare_Fp(mulmod(addmod(y0_pos, d, P), FRACTION_1_2_FP, P)); + } + + // Recover y + (y0_pos, y1_pos) = sqrt_Fp2(y0_pos, y1_pos, hint); + if (y0 == y0_pos && y1 == y1_pos) { + c0 = (x0 << 2) | (hint ? 2 : 0) | 0; + c1 = x1; + } else if (y0 == negate(y0_pos) && y1 == negate(y1_pos)) { + c0 = (x0 << 2) | (hint ? 2 : 0) | 1; + c1 = x1; + } else { + // G1 point not on curve. + revert ProofInvalid(); + } + } + + /// Decompress a G2 point. + /// @notice Reverts with InvalidProof if the input does not represent a valid point. + /// @notice The G2 curve is defined over the complex extension Fp[i]/(i^2 + 1) + /// with coordinates (x0 + x1 ⋅ i, y0 + y1 ⋅ i). + /// @notice The point at infinity is encoded as (0,0,0,0) and compressed to (0,0). + /// @param c0 The first half of the compresed point (x0 with two signal bits). + /// @param c1 The second half of the compressed point (x1 unmodified). + /// @return x0 The real part of the X coordinate. + /// @return x1 The imaginary poart of the X coordinate. + /// @return y0 The real part of the Y coordinate. + /// @return y1 The imaginary part of the Y coordinate. + function decompress_g2(uint256 c0, uint256 c1) + internal view returns (uint256 x0, uint256 x1, uint256 y0, uint256 y1) { + // Note that X = (0, 0) is not on the curve since 0³ + 3/(9 + i) is not a square. + // so we can use it to represent the point at infinity. + if (c0 == 0 && c1 == 0) { + // Point at infinity as encoded in EIP197. + return (0, 0, 0, 0); + } + bool negate_point = c0 & 1 == 1; + bool hint = c0 & 2 == 2; + x0 = c0 >> 2; + x1 = c1; + if (x0 >= P || x1 >= P) { + // G2 x0 or x1 coefficient not in field. + revert ProofInvalid(); + } + + uint256 n3ab = mulmod(mulmod(x0, x1, P), P-3, P); + uint256 a_3 = mulmod(mulmod(x0, x0, P), x0, P); + uint256 b_3 = mulmod(mulmod(x1, x1, P), x1, P); + + y0 = addmod(FRACTION_27_82_FP, addmod(a_3, mulmod(n3ab, x1, P), P), P); + y1 = negate(addmod(FRACTION_3_82_FP, addmod(b_3, mulmod(n3ab, x0, P), P), P)); + + // Note: sqrt_Fp2 reverts if there is no solution, i.e. the point is not on the curve. + // Note: (X³ + 3/(9 + i)) is irreducible in Fp2, so y can not be zero. + // But y0 or y1 may still independently be zero. + (y0, y1) = sqrt_Fp2(y0, y1, hint); + if (negate_point) { + y0 = negate(y0); + y1 = negate(y1); + } + } + + /// Compute the public input linear combination. + /// @notice Reverts with PublicInputNotInField if the input is not in the field. + /// @notice Computes the multi-scalar-multiplication of the public input + /// elements and the verification key including the constant term. + /// @param input The public inputs. These are elements of the scalar field Fr. + /// @return x The X coordinate of the resulting G1 point. + /// @return y The Y coordinate of the resulting G1 point. + function publicInputMSM(uint256[4] calldata input) + internal view returns (uint256 x, uint256 y) { + // Note: The ECMUL precompile does not reject unreduced values, so we check this. + // Note: Unrolling this loop does not cost much extra in code-size, the bulk of the + // code-size is in the PUB_ constants. + // ECMUL has input (x, y, scalar) and output (x', y'). + // ECADD has input (x1, y1, x2, y2) and output (x', y'). + // We reduce commitments(if any) with constants as the first point argument to ECADD. + // We call them such that ecmul output is already in the second point + // argument to ECADD so we can have a tight loop. + bool success = true; + assembly ("memory-safe") { + let f := mload(0x40) + let g := add(f, 0x40) + let s + mstore(f, CONSTANT_X) + mstore(add(f, 0x20), CONSTANT_Y) + mstore(g, PUB_0_X) + mstore(add(g, 0x20), PUB_0_Y) + s := calldataload(input) + mstore(add(g, 0x40), s) + success := and(success, lt(s, R)) + success := and(success, staticcall(gas(), PRECOMPILE_MUL, g, 0x60, g, 0x40)) + success := and(success, staticcall(gas(), PRECOMPILE_ADD, f, 0x80, f, 0x40)) + mstore(g, PUB_1_X) + mstore(add(g, 0x20), PUB_1_Y) + s := calldataload(add(input, 32)) + mstore(add(g, 0x40), s) + success := and(success, lt(s, R)) + success := and(success, staticcall(gas(), PRECOMPILE_MUL, g, 0x60, g, 0x40)) + success := and(success, staticcall(gas(), PRECOMPILE_ADD, f, 0x80, f, 0x40)) + mstore(g, PUB_2_X) + mstore(add(g, 0x20), PUB_2_Y) + s := calldataload(add(input, 64)) + mstore(add(g, 0x40), s) + success := and(success, lt(s, R)) + success := and(success, staticcall(gas(), PRECOMPILE_MUL, g, 0x60, g, 0x40)) + success := and(success, staticcall(gas(), PRECOMPILE_ADD, f, 0x80, f, 0x40)) + mstore(g, PUB_3_X) + mstore(add(g, 0x20), PUB_3_Y) + s := calldataload(add(input, 96)) + mstore(add(g, 0x40), s) + success := and(success, lt(s, R)) + success := and(success, staticcall(gas(), PRECOMPILE_MUL, g, 0x60, g, 0x40)) + success := and(success, staticcall(gas(), PRECOMPILE_ADD, f, 0x80, f, 0x40)) + + x := mload(f) + y := mload(add(f, 0x20)) + } + if (!success) { + // Either Public input not in field, or verification key invalid. + // We assume the contract is correctly generated, so the verification key is valid. + revert PublicInputNotInField(); + } + } + + /// Compress a proof. + /// @notice Will revert with InvalidProof if the curve points are invalid, + /// but does not verify the proof itself. + /// @param proof The uncompressed Groth16 proof. Elements are in the same order as for + /// verifyProof. I.e. Groth16 points (A, B, C) encoded as in EIP-197. + /// @return compressed The compressed proof. Elements are in the same order as for + /// verifyCompressedProof. I.e. points (A, B, C) in compressed format. + function compressProof(uint256[8] calldata proof) + public view returns (uint256[4] memory compressed) { + compressed[0] = compress_g1(proof[0], proof[1]); + (compressed[2], compressed[1]) = compress_g2(proof[3], proof[2], proof[5], proof[4]); + compressed[3] = compress_g1(proof[6], proof[7]); + } + + /// Verify a Groth16 proof with compressed points. + /// @notice Reverts with InvalidProof if the proof is invalid or + /// with PublicInputNotInField the public input is not reduced. + /// @notice There is no return value. If the function does not revert, the + /// proof was successfully verified. + /// @param compressedProof the points (A, B, C) in compressed format + /// matching the output of compressProof. + /// @param input the public input field elements in the scalar field Fr. + /// Elements must be reduced. + function verifyCompressedProof( + uint256[4] calldata compressedProof, + uint256[4] calldata input + ) public view { + uint256[24] memory pairings; + + { + (uint256 Ax, uint256 Ay) = decompress_g1(compressedProof[0]); + (uint256 Bx0, uint256 Bx1, uint256 By0, uint256 By1) = decompress_g2(compressedProof[2], compressedProof[1]); + (uint256 Cx, uint256 Cy) = decompress_g1(compressedProof[3]); + (uint256 Lx, uint256 Ly) = publicInputMSM(input); + + // Verify the pairing + // Note: The precompile expects the F2 coefficients in big-endian order. + // Note: The pairing precompile rejects unreduced values, so we won't check that here. + // e(A, B) + pairings[ 0] = Ax; + pairings[ 1] = Ay; + pairings[ 2] = Bx1; + pairings[ 3] = Bx0; + pairings[ 4] = By1; + pairings[ 5] = By0; + // e(C, -δ) + pairings[ 6] = Cx; + pairings[ 7] = Cy; + pairings[ 8] = DELTA_NEG_X_1; + pairings[ 9] = DELTA_NEG_X_0; + pairings[10] = DELTA_NEG_Y_1; + pairings[11] = DELTA_NEG_Y_0; + // e(α, -β) + pairings[12] = ALPHA_X; + pairings[13] = ALPHA_Y; + pairings[14] = BETA_NEG_X_1; + pairings[15] = BETA_NEG_X_0; + pairings[16] = BETA_NEG_Y_1; + pairings[17] = BETA_NEG_Y_0; + // e(L_pub, -γ) + pairings[18] = Lx; + pairings[19] = Ly; + pairings[20] = GAMMA_NEG_X_1; + pairings[21] = GAMMA_NEG_X_0; + pairings[22] = GAMMA_NEG_Y_1; + pairings[23] = GAMMA_NEG_Y_0; + + // Check pairing equation. + bool success; + uint256[1] memory output; + assembly ("memory-safe") { + success := staticcall(gas(), PRECOMPILE_VERIFY, pairings, 0x300, output, 0x20) + } + if (!success || output[0] != 1) { + // Either proof or verification key invalid. + // We assume the contract is correctly generated, so the verification key is valid. + revert ProofInvalid(); + } + } + } + + /// Verify an uncompressed Groth16 proof. + /// @notice Reverts with InvalidProof if the proof is invalid or + /// with PublicInputNotInField the public input is not reduced. + /// @notice There is no return value. If the function does not revert, the + /// proof was successfully verified. + /// @param proof the points (A, B, C) in EIP-197 format matching the output + /// of compressProof. + /// @param input the public input field elements in the scalar field Fr. + /// Elements must be reduced. + function verifyProof( + uint256[8] calldata proof, + uint256[4] calldata input + ) public view { + (uint256 x, uint256 y) = publicInputMSM(input); + + // Note: The precompile expects the F2 coefficients in big-endian order. + // Note: The pairing precompile rejects unreduced values, so we won't check that here. + bool success; + assembly ("memory-safe") { + let f := mload(0x40) // Free memory pointer. + + // Copy points (A, B, C) to memory. They are already in correct encoding. + // This is pairing e(A, B) and G1 of e(C, -δ). + calldatacopy(f, proof, 0x100) + + // Complete e(C, -δ) and write e(α, -β), e(L_pub, -γ) to memory. + // OPT: This could be better done using a single codecopy, but + // Solidity (unlike standalone Yul) doesn't provide a way to + // to do this. + mstore(add(f, 0x100), DELTA_NEG_X_1) + mstore(add(f, 0x120), DELTA_NEG_X_0) + mstore(add(f, 0x140), DELTA_NEG_Y_1) + mstore(add(f, 0x160), DELTA_NEG_Y_0) + mstore(add(f, 0x180), ALPHA_X) + mstore(add(f, 0x1a0), ALPHA_Y) + mstore(add(f, 0x1c0), BETA_NEG_X_1) + mstore(add(f, 0x1e0), BETA_NEG_X_0) + mstore(add(f, 0x200), BETA_NEG_Y_1) + mstore(add(f, 0x220), BETA_NEG_Y_0) + mstore(add(f, 0x240), x) + mstore(add(f, 0x260), y) + mstore(add(f, 0x280), GAMMA_NEG_X_1) + mstore(add(f, 0x2a0), GAMMA_NEG_X_0) + mstore(add(f, 0x2c0), GAMMA_NEG_Y_1) + mstore(add(f, 0x2e0), GAMMA_NEG_Y_0) + + // Check pairing equation. + success := staticcall(gas(), PRECOMPILE_VERIFY, f, 0x300, f, 0x20) + // Also check returned value (both are either 1 or 0). + success := and(success, mload(f)) + } + if (!success) { + // Either proof or verification key invalid. + // We assume the contract is correctly generated, so the verification key is valid. + revert ProofInvalid(); + } + } +} diff --git a/src/core/KYCPolicyRouter.sol b/src/core/KYCPolicyRouter.sol new file mode 100644 index 0000000..a086c64 --- /dev/null +++ b/src/core/KYCPolicyRouter.sol @@ -0,0 +1,91 @@ +// SPDX-License-Identifier: MIT +pragma solidity ^0.8.20; + +import "../interfaces/IOracleKYCPod.sol"; +import "../interfaces/IVerifier.sol"; + +import "@openzeppelin-upgrades/contracts/proxy/utils/Initializable.sol"; +import "@openzeppelin-upgrades/contracts/access/OwnableUpgradeable.sol"; +import "../libraries/BN254.sol"; +import "./KYCPolicyRouterStorage.sol"; + +/// @title KYCPolicyRouter +/// @notice Upper-layer design, Layer 3: zkID Policy Verifier & Oracle Router +/// - Route to the corresponding Oracle KYC Pod based on different policyId +/// - Call OracleSigVerifier.verify() to verify BLS signatures +/// - (Reserved) Call zk proof verifier to verify zero-knowledge proofs +contract KYCPolicyRouter is Initializable, OwnableUpgradeable, KYCPolicyRouterStorage { + // ============================ Functions ============================== + + /// @notice Initialize the contract + function initialize(address _initialOwner) public initializer { + __Ownable_init(_initialOwner); + } + + /// @dev Set zkVerifier; different verifiers can be used for different policies, + /// such as checking age, nationality, etc. + /// @dev Can also be set to address(0) to skip zk proof verification + /// @param description Verifier description, e.g. "age_over_18" + /// @param _verifier Verifier contract address + function setZkVerifier(string memory description, address _verifier) external onlyOwner { + zkVerifiers[description] = IVerifier(_verifier); + } + + /// @dev Set zkVerifier threshold + /// @param description Verifier description, e.g. "age_over_18" + /// @param threshold Threshold value for the verifier + function setZkThreshold(string memory description, uint256 threshold) external onlyOwner { + zkThresholds[description] = threshold; + } + + /// @dev Bind an Oracle KYC Pod to a specific policy + /// @dev Also acts as registration for the Oracle KYC Pod + /// @param policyId Business policy ID + /// @param kycPod Oracle KYC Pod contract address + function setPolicykycPod(uint256 policyId, address kycPod) external onlyOwner { + policyToKycPod[policyId] = IOracleKYCPod(kycPod); + } + + /// @dev Update the latest version number of a specific policy + /// @param policyId Business policy ID + /// @param version Latest version + function setLatestPolicyVersion(uint256 policyId, uint256 version) external onlyOwner { + latestPolicyVersion[policyId] = version; + } + + // =============== Verification Logic =============== + + /// @notice Full pipeline for BLS + ZK verification + /// @param policyId Business policy ID + /// @param version Policy version + /// @param proof zk proof (placeholder) + function verifyAll(uint256 policyId, uint256 version, uint256[8] calldata proof, string memory zkVerifierDescription) external returns (bool) { + // 1. Find the corresponding Oracle KYC Pod by policyId + require(version == latestPolicyVersion[policyId], "PolicyRouter: policy version mismatch"); // Must match the Oracle's latest version + IOracleKYCPod kycPod = policyToKycPod[policyId]; + require(address(kycPod) != address(0), "PolicyRouter: kycPod not set"); + + // 2. First perform Oracle KYC verification + require(kycPod.isVerified(msg.sender), "PolicyRouter: user not verified"); + uint256 commitment = kycPod.getCommitment(msg.sender); + + // 3. Verify zk proof (requires zk proof to pass) + IVerifier zkVerifier = zkVerifiers[zkVerifierDescription]; + uint256 threshold = zkThresholds[zkVerifierDescription]; + require(address(zkVerifier) != address(0), "PolicyRouter: zk verifier not set"); + + _verify(zkVerifier, proof, policyId, version, commitment, threshold); + emit Verified(policyId, version, zkVerifierDescription, address(zkVerifier), msg.sender); + return true; + } + + function _verify(IVerifier zkVerifier, uint256[8] calldata proof, uint256 policyId, uint256 version, uint256 commitment, uint256 threshold) internal view { + uint256[4] memory pubInputs; + pubInputs[0] = policyId; + pubInputs[1] = version; + pubInputs[2] = commitment; + pubInputs[3] = threshold; + + require(zkVerifier.verifyProof(proof, pubInputs), "PolicyRouter: zk proof invalid"); + } +} diff --git a/src/core/KYCPolicyRouterStorage.sol b/src/core/KYCPolicyRouterStorage.sol new file mode 100644 index 0000000..4ac7f30 --- /dev/null +++ b/src/core/KYCPolicyRouterStorage.sol @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: MIT +pragma solidity ^0.8.20; + +import "./interfaces/IOracleKYCPod.sol"; +import "./interfaces/IVerifier.sol"; + +contract KYCPolicyRouterStorage { + // ============================ Events =============================== + event Verified(uint256 policyId, uint256 version, string zkVerifierDescription, address indexed zkVerifier, address indexed verifierCaller); + + // ============================ Storage ================================ + + /// @dev policyId => BLS KYC Pod address + mapping(uint256 => IOracleKYCPod) public policyToKycPod; + /// @dev policyId => latest version number + mapping(uint256 => uint256) public latestPolicyVersion; + /// @dev zk proof verifier address (optional, to be integrated later) + mapping(string => IVerifier) public zkVerifiers; + + /// @dev zk proof verifier threshold + mapping(string => uint256) public zkThresholds; + + uint256[50] private __gap; +} diff --git a/src/interfaces/IOracleKYCPod.sol b/src/interfaces/IOracleKYCPod.sol new file mode 100644 index 0000000..09d4060 --- /dev/null +++ b/src/interfaces/IOracleKYCPod.sol @@ -0,0 +1,22 @@ +// SPDX-License-Identifier: MIT +pragma solidity ^0.8.20; + +interface IOracleKYCPod { + struct Record { + uint256 commitment; // Poseidon(m, did, policy_id, version) + bool verified; // Whether verification has succeeded + } + + event KYCRecorded(address indexed user, uint256 commitment); + + /// @notice Record the KYC verification result (callable only by the manager contract) + function recordVerification(address user, bool isVerified, uint256 commitment) external; + + /// @notice Check whether a given DID has been verified + function isVerified(address user) external view returns (bool); + + /// @notice Query the full record + function getRecord(address user) external view returns (Record memory); + + function getCommitment(address user) external view returns (uint256); +} diff --git a/src/interfaces/IPolicyRouter.sol b/src/interfaces/IPolicyRouter.sol new file mode 100644 index 0000000..7e4267b --- /dev/null +++ b/src/interfaces/IPolicyRouter.sol @@ -0,0 +1,6 @@ +// SPDX-License-Identifier: MIT +pragma solidity ^0.8.20; + +interface IPolicyRouter { + function verifyAll(uint256 policyId, uint256 version, bytes calldata P, bytes calldata sigma, bytes calldata proof, uint256[] calldata pubInputs) external view returns (bool); +} diff --git a/src/interfaces/IVerifier.sol b/src/interfaces/IVerifier.sol new file mode 100644 index 0000000..1ec426d --- /dev/null +++ b/src/interfaces/IVerifier.sol @@ -0,0 +1,6 @@ +// SPDX-License-Identifier: MIT +pragma solidity ^0.8.20; + +interface IVerifier { + function verifyProof(uint256[8] calldata proof, uint256[4] calldata pubInputs) external view returns (bool); +} From dbe479015b6f5633d4407f0f3987bc90173bea9f Mon Sep 17 00:00:00 2001 From: kanthub <564080210@qq.com> Date: Fri, 5 Dec 2025 18:50:27 +0800 Subject: [PATCH 2/2] fix interface --- src/core/KYCPolicyRouterStorage.sol | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/core/KYCPolicyRouterStorage.sol b/src/core/KYCPolicyRouterStorage.sol index 4ac7f30..069de9c 100644 --- a/src/core/KYCPolicyRouterStorage.sol +++ b/src/core/KYCPolicyRouterStorage.sol @@ -1,8 +1,8 @@ // SPDX-License-Identifier: MIT pragma solidity ^0.8.20; -import "./interfaces/IOracleKYCPod.sol"; -import "./interfaces/IVerifier.sol"; +import "../interfaces/IOracleKYCPod.sol"; +import "../interfaces/IVerifier.sol"; contract KYCPolicyRouterStorage { // ============================ Events ===============================