SMT proof verification (#149)

* Add proof verification for SMT

* refactor and add on-chain siblings trimming

* refactor and bump the patch version

Author: mllwchrry

contracts/libs/data-structures/SparseMerkleTree.sol

@@ -55,6 +55,8 @@ pragma solidity ^0.8.21;
  *
  * SparseMerkleTree.Proof memory proof = uintTree.getProof(100);
  *
+ * uintTree.verifyProof(proof);
+ *
  * uintTree.getNodeByKey(100);
  *
  * uintTree.remove(100);
@@ -177,6 +179,18 @@ library SparseMerkleTree {
         return _proof(tree._tree, bytes32(key_));
     }
 
+    /**
+     * @notice The function to verify the proof for inclusion or exclusion of a node in the SMT.
+     * Complexity is O(log(n)), where n is the max depth of the tree.
+     *
+     * @param tree self.
+     * @param proof_ The SMT proof struct.
+     * @return True if the proof is valid, false otherwise.
+     */
+    function verifyProof(UintSMT storage tree, Proof memory proof_) internal view returns (bool) {
+        return _verifyProof(tree._tree, proof_);
+    }
+
     /**
      * @notice The function to get the root of the Merkle tree.
      * Complexity is O(1).
@@ -347,6 +361,21 @@ library SparseMerkleTree {
         return _proof(tree._tree, key_);
     }
 
+    /**
+     * @notice The function to verify the proof for inclusion or exclusion of a node in the SMT.
+     * Complexity is O(log(n)), where n is the max depth of the tree.
+     *
+     * @param tree self.
+     * @param proof_ The SMT proof struct.
+     * @return True if the proof is valid, false otherwise.
+     */
+    function verifyProof(
+        Bytes32SMT storage tree,
+        Proof memory proof_
+    ) internal view returns (bool) {
+        return _verifyProof(tree._tree, proof_);
+    }
+
     /**
      * @notice The function to get the root of the Merkle tree.
      * Complexity is O(1).
@@ -523,6 +552,21 @@ library SparseMerkleTree {
         return _proof(tree._tree, key_);
     }
 
+    /**
+     * @notice The function to verify the proof for inclusion or exclusion of a node in the SMT.
+     * Complexity is O(log(n)), where n is the max depth of the tree.
+     *
+     * @param tree self.
+     * @param proof_ The SMT proof struct.
+     * @return True if the proof is valid, false otherwise.
+     */
+    function verifyProof(
+        AddressSMT storage tree,
+        Proof memory proof_
+    ) internal view returns (bool) {
+        return _verifyProof(tree._tree, proof_);
+    }
+
     /**
      * @notice The function to get the root of the Merkle tree.
      * Complexity is O(1).
@@ -988,12 +1032,10 @@ library SparseMerkleTree {
      * non-empty nodes and is not intended for external use.
      */
     function _getNodeHash(SMT storage tree, Node memory node_) private view returns (bytes32) {
-        function(bytes32, bytes32) view returns (bytes32) hash2_ = tree.isCustomHasherSet
-            ? tree.hash2
-            : _hash2;
-        function(bytes32, bytes32, bytes32) view returns (bytes32) hash3_ = tree.isCustomHasherSet
-            ? tree.hash3
-            : _hash3;
+        (
+            function(bytes32, bytes32) view returns (bytes32) hash2_,
+            function(bytes32, bytes32, bytes32) view returns (bytes32) hash3_
+        ) = _getHashFunctions(tree);
 
         if (node_.nodeType == NodeType.LEAF) {
             return hash3_(node_.key, node_.value, bytes32(uint256(1)));
@@ -1054,6 +1096,66 @@ library SparseMerkleTree {
         return proof_;
     }
 
+    /**
+     * @dev Computes the root by hashing up the path from the leaf or aux leaf of the proof.
+     * The `tree` argument is used only to access its configured hash functions.
+     * If no custom hash functions are configured, default hashing implementations are used instead.
+     */
+    function _verifyProof(SMT storage tree, Proof memory proof_) private view returns (bool) {
+        // invalid exclusion proof
+        if (!proof_.existence && proof_.auxExistence && proof_.key == proof_.auxKey) {
+            return false;
+        }
+
+        (
+            function(bytes32, bytes32) view returns (bytes32) hash2_,
+            function(bytes32, bytes32, bytes32) view returns (bytes32) hash3_
+        ) = _getHashFunctions(tree);
+
+        bytes32 computedHash_;
+
+        if (proof_.existence) {
+            computedHash_ = hash3_(proof_.key, proof_.value, bytes32(uint256(1)));
+        } else if (proof_.auxExistence) {
+            computedHash_ = hash3_(proof_.auxKey, proof_.auxValue, bytes32(uint256(1)));
+        } else {
+            computedHash_ = bytes32(0);
+        }
+
+        uint256 pathIndex_ = uint256(proof_.key);
+        uint256 depth_ = proof_.siblings.length;
+
+        while (depth_ > 0 && proof_.siblings[depth_ - 1] == bytes32(0)) {
+            --depth_;
+        }
+
+        for (uint256 i = depth_; i > 0; --i) {
+            uint256 sIndex_ = i - 1;
+
+            if ((pathIndex_ >> sIndex_) & 1 == 1) {
+                computedHash_ = hash2_(proof_.siblings[sIndex_], computedHash_);
+            } else {
+                computedHash_ = hash2_(computedHash_, proof_.siblings[sIndex_]);
+            }
+        }
+
+        return computedHash_ == proof_.root;
+    }
+
+    function _getHashFunctions(
+        SMT storage tree
+    )
+        private
+        view
+        returns (
+            function(bytes32, bytes32) view returns (bytes32) hash2_,
+            function(bytes32, bytes32, bytes32) view returns (bytes32) hash3_
+        )
+    {
+        hash2_ = tree.isCustomHasherSet ? tree.hash2 : _hash2;
+        hash3_ = tree.isCustomHasherSet ? tree.hash3 : _hash3;
+    }
+
     function _hash2(bytes32 a_, bytes32 b_) private pure returns (bytes32 result_) {
         assembly {
             mstore(0, a_)

contracts/mock/libs/data-structures/SparseMerkleTreeMock.sol

@@ -103,6 +103,22 @@ contract SparseMerkleTreeMock {
         return _addressTree.getProof(key_);
     }
 
+    function verifyUintProof(SparseMerkleTree.Proof memory proof_) external view returns (bool) {
+        return _uintTree.verifyProof(proof_);
+    }
+
+    function verifyBytes32Proof(
+        SparseMerkleTree.Proof memory proof_
+    ) external view returns (bool) {
+        return _bytes32Tree.verifyProof(proof_);
+    }
+
+    function verifyAddressProof(
+        SparseMerkleTree.Proof memory proof_
+    ) external view returns (bool) {
+        return _addressTree.verifyProof(proof_);
+    }
+
     function getUintRoot() external view returns (bytes32) {
         return _uintTree.getRoot();
     }

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@solarity/solidity-lib",
-  "version": "3.1.1",
+  "version": "3.1.2",
   "license": "MIT",
   "author": "Distributed Lab",
   "readme": "README.md",

package.json

@@ -410,6 +410,65 @@ describe("SparseMerkleTree", () => {
 
       expect((await merkleTree.getUintNodeByKey(5n)).nodeType).to.be.equal(0);
     });
+
+    it("should handle proof verification correctly", async () => {
+      const treeSize = 20;
+
+      const keys: string[] = new Array(treeSize);
+
+      for (let i = 1; i <= treeSize; i++) {
+        const value = BigInt(toBeHex(ethers.hexlify(ethers.randomBytes(28)), 32));
+        const key = poseidonHash(toBeHex(`0x` + value.toString(16), 32));
+
+        keys[i - 1] = key;
+
+        await merkleTree.addUint(key, value);
+
+        await localMerkleTree.add(BigInt(key), BigInt(value));
+      }
+
+      const randomNum = Math.floor(Math.random() * (treeSize - 1));
+      const randomKey = keys[randomNum];
+
+      const inclusionProof = JSON.parse(JSON.stringify(await merkleTree.getUintProof(randomKey)));
+
+      expect(await merkleTree.verifyUintProof(inclusionProof)).to.be.true;
+
+      inclusionProof[0] = inclusionProof[3];
+      expect(await merkleTree.verifyUintProof(inclusionProof)).to.be.false;
+
+      await merkleTree.removeUint(randomKey);
+
+      let exclusionProof = JSON.parse(JSON.stringify(await merkleTree.getUintProof(randomKey)));
+
+      expect(await merkleTree.verifyUintProof(exclusionProof)).to.be.true;
+
+      exclusionProof[0] = exclusionProof[3];
+      expect(await merkleTree.verifyUintProof(exclusionProof)).to.be.false;
+
+      const [root, siblings, , , value, , , auxValue] = exclusionProof;
+
+      const invalidExclusionProof = {
+        root,
+        siblings,
+        key: randomKey,
+        value,
+        existence: false,
+        auxKey: randomKey,
+        auxValue,
+        auxExistence: true,
+      };
+
+      expect(await merkleTree.verifyUintProof(invalidExclusionProof)).to.be.false;
+
+      do {
+        const outOfRangeKey = toBeHex(ethers.hexlify(ethers.randomBytes(28)), 32);
+
+        exclusionProof = JSON.parse(JSON.stringify(await merkleTree.getUintProof(outOfRangeKey)));
+      } while (exclusionProof[2] || exclusionProof[5]);
+
+      expect(await merkleTree.verifyUintProof(exclusionProof)).to.be.true;
+    });
   });
 
   describe("Bytes32 SMT", () => {
@@ -525,6 +584,39 @@ describe("SparseMerkleTree", () => {
         expect(await verifyProof(await localMerkleTree.root(), onchainProof, BigInt(key), BigInt(value))).to.be.true;
       }
     });
+
+    it("should handle proof verification correctly", async () => {
+      const treeSize = 20;
+
+      const keys: string[] = new Array(treeSize);
+
+      for (let i = 1; i <= treeSize; i++) {
+        const value = toBeHex(ethers.hexlify(ethers.randomBytes(28)), 32);
+        const key = poseidonHash(value);
+
+        keys[i - 1] = key;
+
+        await merkleTree.addBytes32(key, value);
+      }
+
+      const randomKey = keys[Math.floor(Math.random() * (treeSize - 1))];
+
+      const inclusionProof = JSON.parse(JSON.stringify(await merkleTree.getBytes32Proof(randomKey)));
+
+      expect(await merkleTree.verifyBytes32Proof(inclusionProof)).to.be.true;
+
+      inclusionProof[0] = inclusionProof[3];
+      expect(await merkleTree.verifyBytes32Proof(inclusionProof)).to.be.false;
+
+      await merkleTree.removeBytes32(randomKey);
+
+      const exclusionProof = JSON.parse(JSON.stringify(await merkleTree.getBytes32Proof(randomKey)));
+
+      expect(await merkleTree.verifyBytes32Proof(exclusionProof)).to.be.true;
+
+      exclusionProof[0] = exclusionProof[3];
+      expect(await merkleTree.verifyBytes32Proof(exclusionProof)).to.be.false;
+    });
   });
 
   describe("Address SMT", () => {
@@ -640,5 +732,38 @@ describe("SparseMerkleTree", () => {
         expect(await verifyProof(await localMerkleTree.root(), onchainProof, BigInt(key), BigInt(value))).to.be.true;
       }
     });
+
+    it("should handle proof verification correctly", async () => {
+      const treeSize = 20;
+
+      const keys: string[] = new Array(treeSize);
+
+      for (let i = 1; i <= treeSize; i++) {
+        const value = toBeHex(BigInt(await USER1.getAddress()) + BigInt(i));
+        const key = poseidonHash(value);
+
+        keys[i - 1] = key;
+
+        await merkleTree.addAddress(key, value);
+      }
+
+      const randomKey = keys[Math.floor(Math.random() * (treeSize - 1))];
+
+      const inclusionProof = JSON.parse(JSON.stringify(await merkleTree.getAddressProof(randomKey)));
+
+      expect(await merkleTree.verifyAddressProof(inclusionProof)).to.be.true;
+
+      inclusionProof[0] = inclusionProof[3];
+      expect(await merkleTree.verifyAddressProof(inclusionProof)).to.be.false;
+
+      await merkleTree.removeAddress(randomKey);
+
+      const exclusionProof = JSON.parse(JSON.stringify(await merkleTree.getAddressProof(randomKey)));
+
+      expect(await merkleTree.verifyAddressProof(exclusionProof)).to.be.true;
+
+      exclusionProof[0] = exclusionProof[3];
+      expect(await merkleTree.verifyAddressProof(exclusionProof)).to.be.false;
+    });
   });
 });