domain-separation when initializing Fiat Shamir

Author: TomWambsgans

Cargo.lock

@@ -16,9 +16,6 @@ utils.workspace = true
 xmss.workspace = true
 rand.workspace = true
 
-
-
-
 tracing.workspace = true
 air.workspace = true
 sub_protocols.workspace = true
@@ -28,4 +25,5 @@ backend.workspace = true
 itertools.workspace = true
 
 [dev-dependencies]
-xmss.workspace = true
+xmss.workspace = true
+rec_aggregation.workspace = true

crates/lean_prover/Cargo.toml

@@ -24,6 +24,10 @@ pub const WHIR_INITIAL_FOLDING_FACTOR: usize = 7;
 pub const WHIR_SUBSEQUENT_FOLDING_FACTOR: usize = 5;
 pub const RS_DOMAIN_INITIAL_REDUCTION_FACTOR: usize = 5;
 
+pub const SNARK_DOMAIN_SEP: [F; 8] = F::new_array([
+    1315460930, 529218348, 108777370, 1613857347, 1651741419, 1909799493, 1515625756, 1569520942,
+]);
+
 pub fn default_whir_config(starting_log_inv_rate: usize) -> WhirConfigBuilder {
     WhirConfigBuilder {
         folding_factor: FoldingFactor::new(WHIR_INITIAL_FOLDING_FACTOR, WHIR_SUBSEQUENT_FOLDING_FACTOR),
@@ -39,3 +43,38 @@ pub fn default_whir_config(starting_log_inv_rate: usize) -> WhirConfigBuilder {
         starting_log_inv_rate,
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use backend::default_koalabear_poseidon2_16;
+    use backend::{PrimeCharacteristicRing, hash_slice};
+    use lean_vm::F;
+    use rec_aggregation::{get_aggregation_bytecode, init_aggregation_bytecode};
+    use utils::poseidon16_compress_pair;
+
+    use crate::SNARK_DOMAIN_SEP;
+
+    #[test]
+    fn verify_snark_domain_sep() {
+        init_aggregation_bytecode();
+        let recursion_bytecode_hash = get_aggregation_bytecode().hash;
+        let name_fe = "leanMultisig-0.6.0"
+            .as_bytes()
+            .iter()
+            .map(|b| F::from_u8(*b))
+            .collect::<Vec<_>>();
+        let mut prefix_free_name_fe = vec![F::ZERO; 8];
+        let len = name_fe.len();
+        prefix_free_name_fe.extend(name_fe);
+        while prefix_free_name_fe.len() % 8 != 7 {
+            prefix_free_name_fe.push(F::ZERO);
+        }
+        prefix_free_name_fe.push(F::from_u64(len as u64));
+        let comp = default_koalabear_poseidon2_16();
+        let name_hash = hash_slice::<_, _, _, 8, 8>(&comp, &prefix_free_name_fe);
+
+        let expected_domain_sep = poseidon16_compress_pair(&name_hash, &recursion_bytecode_hash);
+
+        assert_eq!(expected_domain_sep, SNARK_DOMAIN_SEP);
+    }
+}

crates/lean_prover/src/lib.rs

@@ -41,7 +41,7 @@ pub fn prove_execution(
     }
     let mut prover_state = build_prover_state();
     prover_state.observe_scalars(public_input);
-    prover_state.observe_scalars(&bytecode.hash);
+    prover_state.observe_scalars(&poseidon16_compress_pair(&bytecode.hash, &SNARK_DOMAIN_SEP));
     prover_state.add_base_scalars(
         &[
             vec![whir_config.starting_log_inv_rate, log2_strict_usize(memory.len())],

crates/lean_prover/src/prove_execution.rs

@@ -19,7 +19,7 @@ pub fn verify_execution(
 ) -> Result<(ProofVerificationDetails, RawProof<F>), ProofError> {
     let mut verifier_state = VerifierState::<EF, _>::new(proof, get_poseidon16().clone())?;
     verifier_state.observe_scalars(public_input);
-    verifier_state.observe_scalars(&bytecode.hash);
+    verifier_state.observe_scalars(&poseidon16_compress_pair(&bytecode.hash, &SNARK_DOMAIN_SEP));
     let dims = verifier_state
         .next_base_scalars_vec(2 + N_TABLES)?
         .into_iter()

crates/lean_prover/src/verify_execution.rs

@@ -47,7 +47,7 @@ def recursion(inner_public_memory, proof_transcript, bytecode_value_hint):
 
     inner_pub_input = inner_public_memory + NONRESERVED_PROGRAM_INPUT_START
     fs = fs_observe(fs, inner_pub_input, PUB_INPUT_SIZE)  # observe public input
-    fs = fs_observe(fs, inner_pub_input + BYTECODE_HASH_OFFSET, DIGEST_LEN)  # observe bytecode hash
+    fs = fs_observe(fs, inner_pub_input + BYTECODE_HASH_OFFSET, DIGEST_LEN)  # observe hash(bytecode hash, domain sep)
 
     # table dims
     debug_assert(N_TABLES + 1 < DIGEST_LEN)

crates/rec_aggregation/recursion.py

@@ -17,7 +17,7 @@ use crate::{MERKLE_LEVELS_PER_CHUNK_FOR_SLOT, N_MERKLE_CHUNKS_FOR_SLOT};
 
 static BYTECODE: OnceLock<Bytecode> = OnceLock::new();
 
-pub(crate) fn get_aggregation_bytecode() -> &'static Bytecode {
+pub fn get_aggregation_bytecode() -> &'static Bytecode {
     BYTECODE
         .get()
         .unwrap_or_else(|| panic!("call init_aggregation_bytecode() first"))

crates/rec_aggregation/src/compilation.rs

@@ -1,5 +1,6 @@
 #![cfg_attr(not(test), allow(unused_crate_dependencies))]
 use backend::*;
+use lean_prover::SNARK_DOMAIN_SEP;
 use lean_prover::prove_execution::prove_execution;
 use lean_prover::verify_execution::ProofVerificationDetails;
 use lean_prover::verify_execution::verify_execution;
@@ -14,10 +15,10 @@ use xmss::{
 use serde::{Deserialize, Serialize};
 use std::collections::HashSet;
 
-use crate::compilation::get_aggregation_bytecode;
+pub use crate::compilation::{get_aggregation_bytecode, init_aggregation_bytecode};
 
 pub mod benchmark;
-pub mod compilation;
+mod compilation;
 
 const MERKLE_LEVELS_PER_CHUNK_FOR_SLOT: usize = 4;
 const N_MERKLE_CHUNKS_FOR_SLOT: usize = LOG_LIFETIME / MERKLE_LEVELS_PER_CHUNK_FOR_SLOT;
@@ -73,7 +74,7 @@ fn build_non_reserved_public_input(
     pi.push(slot_hi);
     pi.extend(compute_merkle_chunks_for_slot(slot));
     pi.extend_from_slice(bytecode_claim_output);
-    pi.extend_from_slice(bytecode_hash);
+    pi.extend_from_slice(&poseidon16_compress_pair(bytecode_hash, &SNARK_DOMAIN_SEP));
     pi
 }
 
@@ -411,7 +412,7 @@ pub fn hash_bytecode_claims(claims: &[Evaluation<EF>]) -> [F; DIGEST_LEN] {
         data.resize(data.len().next_multiple_of(DIGEST_LEN), F::ZERO);
 
         let claim_hash = poseidon_compress_slice(&data, false);
-        running_hash = poseidon16_compress_pair(running_hash, claim_hash);
+        running_hash = poseidon16_compress_pair(&running_hash, &claim_hash);
     }
     running_hash
 }

crates/rec_aggregation/src/lib.rs

@@ -31,10 +31,10 @@ pub fn poseidon16_compress(input: [KoalaBear; 16]) -> [KoalaBear; 8] {
     get_poseidon16().compress(input)[0..8].try_into().unwrap()
 }
 
-pub fn poseidon16_compress_pair(left: [KoalaBear; 8], right: [KoalaBear; 8]) -> [KoalaBear; 8] {
+pub fn poseidon16_compress_pair(left: &[KoalaBear; 8], right: &[KoalaBear; 8]) -> [KoalaBear; 8] {
     let mut input = [KoalaBear::default(); 16];
-    input[..8].copy_from_slice(&left);
-    input[8..].copy_from_slice(&right);
+    input[..8].copy_from_slice(left);
+    input[8..].copy_from_slice(right);
     poseidon16_compress(input)
 }
 

crates/utils/src/poseidon2.rs

@@ -109,7 +109,7 @@ impl WotsPublicKey {
 }
 
 pub fn iterate_hash(a: &Digest, n: usize) -> Digest {
-    (0..n).fold(*a, |acc, _| poseidon16_compress_pair(acc, Default::default()))
+    (0..n).fold(*a, |acc, _| poseidon16_compress_pair(&acc, &Default::default()))
 }
 
 pub fn iterate_hash_with_poseidon_trace(