Proper mocks

Add the `--mock` CLI parameter to appropriate commands.
Add the `mock` field to `NormalizedSpell`.

When verifying with `--mock`, both mock and non-mock spells are considered "correct". Without `--mock`, only non-mock spells are correct.

Mock proofs are real Groth16 proofs over BLS12-381 generated with a dummy circuit.

Author: imikushin

Cargo.lock

@@ -16,6 +16,14 @@ license = "MIT"
 
 [dependencies]
 anyhow = { workspace = true }
+ark-bls12-381 = { workspace = true }
+ark-ec = { workspace = true }
+ark-ff = { workspace = true }
+ark-groth16 = { workspace = true }
+ark-relations = { workspace = true }
+ark-serialize = { workspace = true }
+ark-snark = { workspace = true }
+ark-std = { workspace = true }
 axum = { version = "0.8.4", features = ["http2"] }
 axum-macros = { version = "0.5.0" }
 bincode = { version = "1.3.3" }
@@ -70,6 +78,14 @@ resolver = "3"
 
 [workspace.dependencies]
 anyhow = { version = "1.0.98" }
+ark-bls12-381 = { version = "0.5.0" }
+ark-ec = { version = "0.5.0" }
+ark-ff = { version = "0.5.0" }
+ark-groth16 = { version = "0.5.0" }
+ark-relations = { version = "0.5.0" }
+ark-serialize = { version = "0.5.0" }
+ark-snark = { version = "0.5.0" }
+ark-std = { version = "0.5.0" }
 bitcoin = { version = "0.32.6" }
 ciborium = { version = "0.2.2" }
 ciborium-io = { version = "0.2.2" }

Cargo.toml

@@ -9,6 +9,11 @@ license.workspace = true
 
 [dependencies]
 anyhow = { workspace = true }
+ark-bls12-381 = { workspace = true }
+ark-ff = { workspace = true }
+ark-groth16 = { workspace = true }
+ark-serialize = { workspace = true }
+ark-snark = { workspace = true }
 bitcoin = { workspace = true, features = ["serde"] }
 charms-app-runner = { path = "../charms-app-runner", version = "0.8.0" }
 charms-data = { path = "../charms-data", version = "0.8.0" }

charms-client/Cargo.toml

@@ -0,0 +1,23 @@
+use anyhow::anyhow;
+use ark_bls12_381::Bls12_381;
+use ark_ff::ToConstraintField;
+use ark_groth16::{Groth16, Proof, VerifyingKey, prepare_verifying_key};
+use ark_serialize::CanonicalDeserialize;
+use ark_snark::SNARK;
+use sha2::{Digest, Sha256};
+
+pub fn verify_groth16_proof(
+    proof: &[u8],
+    public_inputs: &[u8],
+    vk_bytes: &[u8],
+) -> anyhow::Result<()> {
+    let vk = VerifyingKey::deserialize_compressed(vk_bytes)
+        .map_err(|e| anyhow!("Failed to deserialize verifying key: {}", e))?;
+    let pvk = prepare_verifying_key::<Bls12_381>(&vk);
+    let proof = Proof::deserialize_compressed(proof)?;
+    let field_elements = Sha256::digest(public_inputs)
+        .to_field_elements()
+        .expect("non-empty vector");
+    Groth16::<Bls12_381>::verify_with_processed_vk(&pvk, &[field_elements[0]], &proof)?;
+    Ok(())
+}

charms-client/src/ark.rs

@@ -1,15 +1,14 @@
-use crate::{tx::EnchantedTx, NormalizedSpell, Proof};
+use crate::{NormalizedSpell, Proof, tx, tx::EnchantedTx};
 use anyhow::{anyhow, bail, ensure};
 use bitcoin::{
+    TxIn,
     consensus::encode::{deserialize_hex, serialize_hex},
     hashes::Hash,
     opcodes::all::{OP_ENDIF, OP_IF},
     script::{Instruction, PushBytes},
-    TxIn,
 };
-use charms_data::{util, TxId, UtxoId};
+use charms_data::{TxId, UtxoId, util};
 use serde::{Deserialize, Serialize};
-use sp1_verifier::Groth16Verifier;
 
 #[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
 pub struct BitcoinTx(pub bitcoin::Transaction);
@@ -22,7 +21,11 @@ impl BitcoinTx {
 }
 
 impl EnchantedTx for BitcoinTx {
-    fn extract_and_verify_spell(&self, spell_vk: &str) -> anyhow::Result<NormalizedSpell> {
+    fn extract_and_verify_spell(
+        &self,
+        spell_vk: &str,
+        mock: bool,
+    ) -> anyhow::Result<NormalizedSpell> {
         let tx = &self.0;
 
         let Some((spell_tx_in, tx_ins)) = tx.input.split_last() else {
@@ -31,26 +34,25 @@ impl EnchantedTx for BitcoinTx {
 
         let (spell, proof) = parse_spell_and_proof(spell_tx_in)?;
 
+        if !mock {
+            ensure!(!spell.mock, "spell is a mock, but we are not in mock mode");
+        }
         ensure!(
-            &spell.tx.ins.is_none(),
+            spell.tx.ins.is_none(),
             "spell must inherit inputs from the enchanted tx"
         );
         ensure!(
-            &spell.tx.outs.len() <= &tx.output.len(),
+            spell.tx.outs.len() <= tx.output.len(),
             "spell tx outs mismatch"
         );
 
         let spell = spell_with_ins(spell, tx_ins);
 
-        let (spell_vk, groth16_vk) = crate::tx::vks(spell.version, spell_vk)?;
+        let spell_vk = tx::spell_vk(spell.version, spell_vk, spell.mock)?;
+
+        let public_values = tx::to_serialized_pv(spell.version, &(spell_vk, &spell));
 
-        Groth16Verifier::verify(
-            &proof,
-            crate::tx::to_sp1_pv(spell.version, &(spell_vk, &spell)).as_slice(),
-            spell_vk,
-            groth16_vk,
-        )
-        .map_err(|e| anyhow!("could not verify spell proof: {}", e))?;
+        tx::verify_snark_proof(&proof, &public_values, spell_vk, spell.version, spell.mock)?;
 
         Ok(spell)
     }

charms-client/src/bitcoin_tx.rs

@@ -1,14 +1,12 @@
-use crate::{tx::EnchantedTx, NormalizedSpell, Proof};
+use crate::{NormalizedSpell, Proof, tx, tx::EnchantedTx};
 use anyhow::{anyhow, ensure};
-use charms_data::{util, TxId, UtxoId};
+use charms_data::{TxId, UtxoId, util};
 use cml_chain::{
+    Deserialize, Serialize, SetTransactionInput,
     crypto::TransactionHash,
     plutus::PlutusData,
     transaction::{ConwayFormatTxOut, DatumOption, Transaction, TransactionOutput},
-    Deserialize, Serialize, SetTransactionInput,
 };
-use sp1_verifier::Groth16Verifier;
-
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub struct CardanoTx(pub Transaction);
 
@@ -31,7 +29,11 @@ impl CardanoTx {
 }
 
 impl EnchantedTx for CardanoTx {
-    fn extract_and_verify_spell(&self, spell_vk: &str) -> anyhow::Result<NormalizedSpell> {
+    fn extract_and_verify_spell(
+        &self,
+        spell_vk: &str,
+        mock: bool,
+    ) -> anyhow::Result<NormalizedSpell> {
         let tx = &self.0;
 
         let inputs = &tx.body.inputs;
@@ -60,6 +62,9 @@ impl EnchantedTx for CardanoTx {
         let (spell, proof): (NormalizedSpell, Proof) = util::read(spell_data.as_slice())
             .map_err(|e| anyhow!("could not parse spell and proof: {}", e))?;
 
+        if !mock {
+            ensure!(!spell.mock, "spell is a mock, but we are not in mock mode");
+        }
         ensure!(
             &spell.tx.ins.is_none(),
             "spell must inherit inputs from the enchanted tx"
@@ -71,15 +76,11 @@ impl EnchantedTx for CardanoTx {
 
         let spell = spell_with_ins(spell, inputs);
 
-        let (spell_vk, groth16_vk) = crate::tx::vks(spell.version, spell_vk)?;
+        let spell_vk = tx::spell_vk(spell.version, spell_vk, spell.mock)?;
+
+        let public_values = tx::to_serialized_pv(spell.version, &(spell_vk, &spell));
 
-        Groth16Verifier::verify(
-            &proof,
-            crate::tx::to_sp1_pv(spell.version, &(spell_vk, &spell)).as_slice(),
-            spell_vk,
-            groth16_vk,
-        )
-        .map_err(|e| anyhow!("could not verify spell proof: {}", e))?;
+        tx::verify_snark_proof(&proof, &public_values, spell_vk, spell.version, spell.mock)?;
 
         Ok(spell)
     }

charms-client/src/cardano_tx.rs

@@ -6,6 +6,7 @@ use std::collections::{BTreeMap, BTreeSet};
 
 pub use charms_app_runner::{AppProverInput, AppProverOutput};
 
+pub mod ark;
 pub mod bitcoin_tx;
 pub mod cardano_tx;
 pub mod tx;
@@ -14,6 +15,8 @@ pub const APP_VK: [u32; 8] = [
     773139792, 1871461666, 1172442063, 346922495, 1779450904, 263758648, 121652725, 113479979,
 ];
 
+pub const MOCK_SPELL_VK: &str = "7c38e8639a2eac0074cee920982b92376513e8940f4a7ca6859f17a728af5b0e";
+
 /// Verification key for version `0` of the protocol implemented by `charms-spell-checker` binary.
 pub const V0_SPELL_VK: &str = "0x00e9398ac819e6dd281f81db3ada3fe5159c3cc40222b5ddb0e7584ed2327c5d";
 /// Verification key for version `1` of the protocol implemented by `charms-spell-checker` binary.
@@ -84,7 +87,7 @@ impl NormalizedTransaction {
 }
 
 /// Proof of spell correctness.
-pub type Proof = Box<[u8]>;
+pub type Proof = Vec<u8>;
 
 /// Normalized representation of a spell.
 /// Can be committed as public input.
@@ -96,6 +99,9 @@ pub struct NormalizedSpell {
     pub tx: NormalizedTransaction,
     /// Maps all `App`s in the transaction to (potentially empty) public input data.
     pub app_public_inputs: BTreeMap<App, Data>,
+    /// Is this a mock spell?
+    #[serde(skip_serializing_if = "std::ops::Not::not", default)]
+    pub mock: bool,
 }
 
 pub fn utxo_id_hash(utxo_id: &UtxoId) -> B32 {
@@ -108,6 +114,7 @@ pub fn utxo_id_hash(utxo_id: &UtxoId) -> B32 {
 pub fn prev_spells(
     prev_txs: &Vec<Tx>,
     spell_vk: &str,
+    mock: bool,
 ) -> BTreeMap<TxId, (Option<NormalizedSpell>, usize)> {
     prev_txs
         .iter()
@@ -116,7 +123,7 @@ pub fn prev_spells(
             (
                 tx_id,
                 (
-                    extract_and_verify_spell(spell_vk, tx)
+                    extract_and_verify_spell(spell_vk, tx, mock)
                         .map_err(|e| {
                             tracing::info!("no correct spell in tx {}: {}", tx_id, e);
                         })

charms-client/src/lib.rs

@@ -1,17 +1,23 @@
 use crate::{
-    CURRENT_VERSION, NormalizedSpell, V0, V0_SPELL_VK, V1, V1_SPELL_VK, V2, V2_SPELL_VK, V3,
-    V3_SPELL_VK, V4, V4_SPELL_VK, V5, V5_SPELL_VK, bitcoin_tx::BitcoinTx, cardano_tx::CardanoTx,
+    CURRENT_VERSION, MOCK_SPELL_VK, NormalizedSpell, V0, V0_SPELL_VK, V1, V1_SPELL_VK, V2,
+    V2_SPELL_VK, V3, V3_SPELL_VK, V4, V4_SPELL_VK, V5, V5_SPELL_VK, ark, bitcoin_tx::BitcoinTx,
+    cardano_tx::CardanoTx,
 };
-use anyhow::bail;
+use anyhow::{anyhow, bail};
 use charms_data::{TxId, util};
 use enum_dispatch::enum_dispatch;
 use serde::{Deserialize, Serialize};
 use serde_with::{IfIsHumanReadable, serde_as};
 use sp1_primitives::io::SP1PublicValues;
+use sp1_verifier::Groth16Verifier;
 
 #[enum_dispatch]
 pub trait EnchantedTx {
-    fn extract_and_verify_spell(&self, spell_vk: &str) -> anyhow::Result<NormalizedSpell>;
+    fn extract_and_verify_spell(
+        &self,
+        spell_vk: &str,
+        mock: bool,
+    ) -> anyhow::Result<NormalizedSpell>;
     fn tx_outs_len(&self) -> usize;
     fn tx_id(&self) -> TxId;
     fn hex(&self) -> String;
@@ -65,23 +71,48 @@ impl Tx {
 /// Extract a [`NormalizedSpell`] from a transaction and verify it.
 /// Incorrect spells are rejected.
 #[tracing::instrument(level = "debug", skip_all)]
-pub fn extract_and_verify_spell(spell_vk: &str, tx: &Tx) -> anyhow::Result<NormalizedSpell> {
-    tx.extract_and_verify_spell(spell_vk)
+pub fn extract_and_verify_spell(
+    spell_vk: &str,
+    tx: &Tx,
+    mock: bool,
+) -> anyhow::Result<NormalizedSpell> {
+    tx.extract_and_verify_spell(spell_vk, mock)
 }
 
-pub fn vks(spell_version: u32, spell_vk: &str) -> anyhow::Result<(&str, &[u8])> {
+pub fn spell_vk(spell_version: u32, spell_vk: &str, mock: bool) -> anyhow::Result<&str> {
+    if mock {
+        return Ok(MOCK_SPELL_VK);
+    }
     match spell_version {
-        CURRENT_VERSION => Ok((spell_vk, CURRENT_GROTH16_VK_BYTES)),
-        V5 => Ok((V5_SPELL_VK, V5_GROTH16_VK_BYTES)),
-        V4 => Ok((V4_SPELL_VK, V4_GROTH16_VK_BYTES)),
-        V3 => Ok((V3_SPELL_VK, V3_GROTH16_VK_BYTES)),
-        V2 => Ok((V2_SPELL_VK, V2_GROTH16_VK_BYTES)),
-        V1 => Ok((V1_SPELL_VK, V1_GROTH16_VK_BYTES)),
-        V0 => Ok((V0_SPELL_VK, V0_GROTH16_VK_BYTES)),
+        CURRENT_VERSION => Ok(spell_vk),
+        V5 => Ok(V5_SPELL_VK),
+        V4 => Ok(V4_SPELL_VK),
+        V3 => Ok(V3_SPELL_VK),
+        V2 => Ok(V2_SPELL_VK),
+        V1 => Ok(V1_SPELL_VK),
+        V0 => Ok(V0_SPELL_VK),
         _ => bail!("unsupported spell version: {}", spell_version),
     }
 }
 
+pub fn groth16_vk(spell_version: u32, mock: bool) -> anyhow::Result<&'static [u8]> {
+    if mock {
+        return Ok(MOCK_GROTH16_VK_BYTES);
+    }
+    match spell_version {
+        CURRENT_VERSION => Ok(CURRENT_GROTH16_VK_BYTES),
+        V5 => Ok(V5_GROTH16_VK_BYTES),
+        V4 => Ok(V4_GROTH16_VK_BYTES),
+        V3 => Ok(V3_GROTH16_VK_BYTES),
+        V2 => Ok(V2_GROTH16_VK_BYTES),
+        V1 => Ok(V1_GROTH16_VK_BYTES),
+        V0 => Ok(V0_GROTH16_VK_BYTES),
+        _ => bail!("unsupported spell version: {}", spell_version),
+    }
+}
+
+pub const MOCK_GROTH16_VK_BYTES: &'static [u8] = include_bytes!("../vk/mock/mock-groth16-vk.bin");
+
 pub const V0_GROTH16_VK_BYTES: &'static [u8] = include_bytes!("../vk/v0/groth16_vk.bin");
 pub const V1_GROTH16_VK_BYTES: &'static [u8] = include_bytes!("../vk/v1/groth16_vk.bin");
 pub const V2_GROTH16_VK_BYTES: &'static [u8] = V1_GROTH16_VK_BYTES;
@@ -91,21 +122,36 @@ pub const V5_GROTH16_VK_BYTES: &'static [u8] = V4_GROTH16_VK_BYTES;
 pub const V6_GROTH16_VK_BYTES: &'static [u8] = V5_GROTH16_VK_BYTES;
 pub const CURRENT_GROTH16_VK_BYTES: &'static [u8] = V6_GROTH16_VK_BYTES;
 
-pub fn to_sp1_pv<T: Serialize>(spell_version: u32, t: &T) -> SP1PublicValues {
-    let mut pv = SP1PublicValues::new();
+pub fn to_serialized_pv<T: Serialize>(spell_version: u32, t: &T) -> Vec<u8> {
     match spell_version {
         CURRENT_VERSION | V5 | V4 | V3 | V2 | V1 => {
             // we commit to CBOR-encoded tuple `(spell_vk, n_spell)`
-            pv.write_slice(util::write(t).unwrap().as_slice());
+            util::write(t).unwrap()
         }
         V0 => {
             // we used to commit to the tuple `(spell_vk, n_spell)`, which was serialized internally
             // by SP1
+            let mut pv = SP1PublicValues::new();
             pv.write(t);
+            pv.to_vec()
         }
         _ => unreachable!(),
     }
-    pv
+}
+
+pub fn verify_snark_proof(
+    proof: &[u8],
+    public_inputs: &[u8],
+    vk_hash: &str,
+    spell_version: u32,
+    mock: bool,
+) -> anyhow::Result<()> {
+    let groth16_vk = groth16_vk(spell_version, mock)?;
+    match mock {
+        false => Groth16Verifier::verify(proof, public_inputs, vk_hash, groth16_vk)
+            .map_err(|e| anyhow!("could not verify spell proof: {}", e)),
+        true => ark::verify_groth16_proof(proof, public_inputs, groth16_vk),
+    }
 }
 
 #[cfg(test)]