[Protocol3] Switch hash function from MiMC/e7r91 to Poseidon (#256)

* [Protocol3] Swtiched to Poseidon for Merkle tree hashes

* [Protocol3] Arbitrary n-ary Merkle tree

* [Protocol3] Updated ethsnarks

* [Protocol3] Use poseidon in eddsa signatures

* [Protocol3] Updated ethsnarks

* [Protocol3] Added EVM implementation of poseidon

* [Protocol3] Fixed failing tests

* [Protocol3] Fixed verifyProof on python SparseMerkleTree implementation

* Update ExchangeBalances.sol

* Update ExchangeBalances.sol

* Update PoseidonContract.sol

* Update ExchangeWithdrawals.sol

* Update IExchange.sol

* Update IExchange.sol

* Update ExchangeAccounts.sol

* [Protocol3] Use constant for genesis Merkle root

* [Protocol3] Cleaned up EdDSA code

* removed circuit_service building code

Author: Brechtpd

.gitmodules

@@ -1,3 +1,4 @@
 [submodule "packages/loopring_v3/ethsnarks"]
 	path = packages/loopring_v3/ethsnarks
 	url = https://github.com/HarryR/ethsnarks
+	branch = master

packages/loopring_v3/ABI/version30/IExchange.abi

@@ -7,6 +7,4 @@ set(circuit_src_folder "../../../../protocol3-circuits/")
 add_executable(dex_circuit "${circuit_src_folder}/main.cpp")
 target_link_libraries(dex_circuit ethsnarks_jubjub)
 
-add_library(circuit_service SHARED "${circuit_src_folder}/service.cpp")
-target_link_libraries(circuit_service ethsnarks_jubjub)
 

packages/loopring_v3/circuit/CMakeLists.txt

@@ -241,8 +241,8 @@ contract IExchange
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] calldata accountMerkleProof,
-        uint256[8]  calldata balanceMerkleProof
+        uint256[30] calldata accountMerkleProof,
+        uint256[12] calldata balanceMerkleProof
         )
         external
         pure
@@ -344,7 +344,7 @@ contract IExchange
     /// @param  amount The amount of LRC that needs to be withdrawn
     function withdrawProtocolFeeStake(
         address recipient,
-        uint amount
+        uint    amount
         )
         external;
 
@@ -523,7 +523,7 @@ contract IExchange
     /// @param blockIdx The 0-based index of the block to be verified with the given proof
     /// @param proof The ZK proof
     function verifyBlock(
-        uint blockIdx,
+        uint       blockIdx,
         uint256[8] calldata proof
         )
         external;
@@ -771,8 +771,8 @@ contract IExchange
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] calldata accountMerkleProof,
-        uint256[8]  calldata balanceMerkleProof
+        uint256[30] calldata accountMerkleProof,
+        uint256[12] calldata balanceMerkleProof
         )
         external;
 
@@ -806,8 +806,8 @@ contract IExchange
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] calldata accountMerkleProof,
-        uint256[8]  calldata balanceMerkleProof
+        uint256[30] calldata accountMerkleProof,
+        uint256[12] calldata balanceMerkleProof
         )
         external;
 

packages/loopring_v3/contracts/iface/IExchange.sol

@@ -194,8 +194,8 @@ contract Exchange is IExchange, Claimable, ReentrancyGuard
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] calldata accountPath,
-        uint256[8] calldata balancePath
+        uint256[30] calldata accountPath,
+        uint256[12] calldata balancePath
         )
         external
         pure
@@ -600,8 +600,8 @@ contract Exchange is IExchange, Claimable, ReentrancyGuard
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] calldata accountPath,
-        uint256[8] calldata balancePath
+        uint256[30] calldata accountPath,
+        uint256[12] calldata balancePath
         )
         external
         nonReentrant
@@ -628,8 +628,8 @@ contract Exchange is IExchange, Claimable, ReentrancyGuard
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] calldata accountPath,
-        uint256[8] calldata balancePath
+        uint256[30] calldata accountPath,
+        uint256[12] calldata balancePath
         )
         external
         nonReentrant

packages/loopring_v3/contracts/impl/Exchange.sol

@@ -166,8 +166,8 @@ library ExchangeAccounts
         uint32 nonce,
         uint96 balance,
         uint256 tradeHistoryRoot,
-        uint256[20] memory accountMerkleProof,
-        uint256[8]  memory balanceMerkleProof
+        uint256[30] memory accountMerkleProof,
+        uint256[12] memory balanceMerkleProof
         )
         public
         view

packages/loopring_v3/contracts/impl/libexchange/ExchangeAccounts.sol

@@ -17,8 +17,7 @@
 pragma solidity 0.5.7;
 
 import "../../lib/MathUint.sol";
-
-import "../../thirdparty/MiMC.sol";
+import "../../lib/Poseidon.sol";
 
 
 /// @title ExchangeBalances.
@@ -37,8 +36,8 @@ library ExchangeBalances
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] memory accountMerkleProof,
-        uint256[8]  memory balanceMerkleProof
+        uint256[30] memory accountMerkleProof,
+        uint256[12] memory balanceMerkleProof
         )
         public
         pure
@@ -67,8 +66,8 @@ library ExchangeBalances
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] memory accountMerkleProof,
-        uint256[8]  memory balanceMerkleProof
+        uint256[30] memory accountMerkleProof,
+        uint256[12] memory balanceMerkleProof
         )
         public
         pure
@@ -96,29 +95,45 @@ library ExchangeBalances
         uint16 tokenID,
         uint   balance,
         uint   tradeHistoryRoot,
-        uint256[8] memory balanceMerkleProof
+        uint256[12] memory balanceMerkleProof
         )
         internal
         pure
         returns (uint256)
     {
-        uint256[29] memory salts;
-        getMerkleTreeHashingSalts(salts);
-
-        uint256[] memory balanceLeafElements = new uint256[](2);
-        balanceLeafElements[0] = balance;
-        balanceLeafElements[1] = tradeHistoryRoot;
-        uint256 balanceItem = MiMC.Hash(balanceLeafElements, 1);
-
-        // Calculate merkle root of balances tree
+        uint256 balanceItem = hashImpl(balance, tradeHistoryRoot, 0, 0);
         uint _id = tokenID;
-        for (uint depth = 0; depth < 8; depth++) {
-            if (_id & 1 == 1) {
-                balanceItem = hashImpl(balanceMerkleProof[depth], balanceItem, salts[depth]);
-            } else {
-                balanceItem = hashImpl(balanceItem, balanceMerkleProof[depth], salts[depth]);
+        for (uint depth = 0; depth < 4; depth++) {
+            if (_id & 3 == 0) {
+                balanceItem = hashImpl(
+                    balanceItem,
+                    balanceMerkleProof[depth * 3],
+                    balanceMerkleProof[depth * 3 + 1],
+                    balanceMerkleProof[depth * 3 + 2]
+                );
+            } else if (_id & 3 == 1) {
+                balanceItem = hashImpl(
+                    balanceMerkleProof[depth * 3],
+                    balanceItem,
+                    balanceMerkleProof[depth * 3 + 1],
+                    balanceMerkleProof[depth * 3 + 2]
+                );
+            } else if (_id & 3 == 2) {
+                balanceItem = hashImpl(
+                    balanceMerkleProof[depth * 3],
+                    balanceMerkleProof[depth * 3 + 1],
+                    balanceItem,
+                    balanceMerkleProof[depth * 3 + 2]
+                );
+            } else if (_id & 3 == 3) {
+                balanceItem = hashImpl(
+                    balanceMerkleProof[depth * 3],
+                    balanceMerkleProof[depth * 3 + 1],
+                    balanceMerkleProof[depth * 3 + 2],
+                    balanceItem
+                );
             }
-            _id = _id / 2;
+            _id = _id >> 2;
         }
         return balanceItem;
     }
@@ -129,89 +144,59 @@ library ExchangeBalances
         uint256 pubKeyY,
         uint256 nonce,
         uint256 balancesRoot,
-        uint256[20] memory accountMerkleProof
+        uint256[30] memory accountMerkleProof
         )
         internal
         pure
         returns (uint256)
     {
-        uint256[29] memory salts;
-        getMerkleTreeHashingSalts(salts);
-
-        uint256[] memory accountLeafElements = new uint256[](4);
-        accountLeafElements[0] = pubKeyX;
-        accountLeafElements[1] = pubKeyY;
-        accountLeafElements[2] = nonce;
-        accountLeafElements[3] = balancesRoot;
-        uint256 accountItem = MiMC.Hash(accountLeafElements, 1);
-
+        uint256 accountItem = hashImpl(pubKeyX, pubKeyY, nonce, balancesRoot);
         uint _id = accountID;
-        for (uint depth = 0; depth < 20; depth++) {
-            if (_id & 1 == 1) {
-                accountItem = hashImpl(accountMerkleProof[depth], accountItem, salts[depth]);
-            } else {
-                accountItem = hashImpl(accountItem, accountMerkleProof[depth], salts[depth]);
+        for (uint depth = 0; depth < 10; depth++) {
+            if (_id & 3 == 0) {
+                accountItem = hashImpl(
+                    accountItem,
+                    accountMerkleProof[depth * 3],
+                    accountMerkleProof[depth * 3 + 1],
+                    accountMerkleProof[depth * 3 + 2]
+                );
+            } else if (_id & 3 == 1) {
+                accountItem = hashImpl(
+                    accountMerkleProof[depth * 3],
+                    accountItem,
+                    accountMerkleProof[depth * 3 + 1],
+                    accountMerkleProof[depth * 3 + 2]
+                );
+            } else if (_id & 3 == 2) {
+                accountItem = hashImpl(
+                    accountMerkleProof[depth * 3],
+                    accountMerkleProof[depth * 3 + 1],
+                    accountItem,
+                    accountMerkleProof[depth * 3 + 2]
+                );
+            } else if (_id & 3 == 3) {
+                accountItem = hashImpl(
+                    accountMerkleProof[depth * 3],
+                    accountMerkleProof[depth * 3 + 1],
+                    accountMerkleProof[depth * 3 + 2],
+                    accountItem
+                );
             }
-            _id = _id / 2;
+            _id = _id >> 2;
         }
         return accountItem;
     }
 
-    function hashImpl (
-        uint256 left,
-        uint256 right,
-        uint256 IV
+    function hashImpl(
+        uint256 t0,
+        uint256 t1,
+        uint256 t2,
+        uint256 t3
         )
         internal
         pure
         returns (uint256)
     {
-        uint256[] memory x = new uint256[](2);
-        x[0] = left;
-        x[1] = right;
-
-        return MiMC.Hash(x, IV);
-    }
-
-    function getMerkleTreeHashingSalts (
-        uint256[29] memory salts
-        )
-        public
-        pure
-    {
-        // Actually only up to 20 items in the list will be used in 3.0. We keep more in case
-        // we will change the depth of the Merkle tree in the future.
-
-        // When we calculate the tree hashes, the leaf nodes will use salts[0] as the hashing
-        // salt, the parent nodes of the leafs will use salts[1], ...
-        salts[0] = 149674538925118052205057075966660054952481571156186698930522557832224430770;
-        salts[1] = 9670701465464311903249220692483401938888498641874948577387207195814981706974;
-        salts[2] = 18318710344500308168304415114839554107298291987930233567781901093928276468271;
-        salts[3] = 6597209388525824933845812104623007130464197923269180086306970975123437805179;
-        salts[4] = 21720956803147356712695575768577036859892220417043839172295094119877855004262;
-        salts[5] = 10330261616520855230513677034606076056972336573153777401182178891807369896722;
-        salts[6] = 17466547730316258748333298168566143799241073466140136663575045164199607937939;
-        salts[7] = 18881017304615283094648494495339883533502299318365959655029893746755475886610;
-        salts[8] = 21580915712563378725413940003372103925756594604076607277692074507345076595494;
-        salts[9] = 12316305934357579015754723412431647910012873427291630993042374701002287130550;
-        salts[10] = 18905410889238873726515380969411495891004493295170115920825550288019118582494;
-        salts[11] = 12819107342879320352602391015489840916114959026915005817918724958237245903353;
-        salts[12] = 8245796392944118634696709403074300923517437202166861682117022548371601758802;
-        salts[13] = 16953062784314687781686527153155644849196472783922227794465158787843281909585;
-        salts[14] = 19346880451250915556764413197424554385509847473349107460608536657852472800734;
-        salts[15] = 14486794857958402714787584825989957493343996287314210390323617462452254101347;
-        salts[16] = 11127491343750635061768291849689189917973916562037173191089384809465548650641;
-        salts[17] = 12217916643258751952878742936579902345100885664187835381214622522318889050675;
-        salts[18] = 722025110834410790007814375535296040832778338853544117497481480537806506496;
-        salts[19] = 15115624438829798766134408951193645901537753720219896384705782209102859383951;
-        salts[20] = 11495230981884427516908372448237146604382590904456048258839160861769955046544;
-        salts[21] = 16867999085723044773810250829569850875786210932876177117428755424200948460050;
-        salts[22] = 1884116508014449609846749684134533293456072152192763829918284704109129550542;
-        salts[23] = 14643335163846663204197941112945447472862168442334003800621296569318670799451;
-        salts[24] = 1933387276732345916104540506251808516402995586485132246682941535467305930334;
-        salts[25] = 7286414555941977227951257572976885370489143210539802284740420664558593616067;
-        salts[26] = 16932161189449419608528042274282099409408565503929504242784173714823499212410;
-        salts[27] = 16562533130736679030886586765487416082772837813468081467237161865787494093536;
-        salts[28] = 6037428193077828806710267464232314380014232668931818917272972397574634037180;
+        return Poseidon.hash_t5f6p52(t0, t1, t2, t3, 0);
     }
-}
+}

packages/loopring_v3/contracts/impl/libexchange/ExchangeBalances.sol

@@ -161,6 +161,9 @@ library ExchangeData
         uint96 amount;
     }
 
+    function GENESIS_MERKLE_ROOT() internal pure returns (bytes32) {
+        return 0x2b4827daf74c0ab30deb68b1c337dec40579bb3ff45ce9478288e1a2b83a3a01;
+    }
     function MAX_PROOF_GENERATION_TIME_IN_SECONDS() internal pure returns (uint32) { return 1 hours; }
     function MAX_GAP_BETWEEN_FINALIZED_AND_VERIFIED_BLOCKS() internal pure returns (uint32) { return 2500; }
     function MAX_OPEN_DEPOSIT_REQUESTS() internal pure returns (uint16) { return 1024; }

packages/loopring_v3/contracts/impl/libexchange/ExchangeData.sol

@@ -58,7 +58,7 @@ library ExchangeGenesis
         S.lrcAddress = loopring.lrcAddress();
 
         ExchangeData.Block memory genesisBlock = ExchangeData.Block(
-            0x06ea7e01611a784ff676387ee0a6f58933eb184d8a2ff765608488e7e8da76d3,
+            ExchangeData.GENESIS_MERKLE_ROOT(),
             0x0,
             ExchangeData.BlockState.VERIFIED,
             ExchangeData.BlockType(0),

packages/loopring_v3/contracts/impl/libexchange/ExchangeGenesis.sol

@@ -161,8 +161,8 @@ library ExchangeWithdrawals
         uint32  nonce,
         uint96  balance,
         uint256 tradeHistoryRoot,
-        uint256[20] memory accountMerkleProof,
-        uint256[8]  memory balanceMerkleProof
+        uint256[30] memory accountMerkleProof,
+        uint256[12] memory balanceMerkleProof
         )
         public
     {