[Protocol3] Batched proof verification (#283)

* [Protocol3] Added batched proof verification (of the same circuit)

* [Protocol3] Batched proof testing + improvements to BlockVerifier

* [Protocol3] Test fixes for BlockVerifier changes

* [Protocol3] Fixed tests

* [Protocol3] Added basic BlockVerifier tests

* [Protocol3] Added more tests for proof verification in BlockVerifier

* Update .soliumignore

* [Protocol3] Make BatchVerifier return true/false instead of throwing

* [Protocol3] Removed unused solium exceptions

* [Protocol3] Added some verifyBlocks tests + some docs fixes

* [Protocol3] Rollback formatting changes

* [Protocol3] More rollbacks of formatting changes

* [Protocol3] Rolled back more formatting

* Update .soliumignore

* Update Exchange.sol

* Update BlockVerifier.sol

Author: Brechtpd

packages/loopring_v3/.soliumignore

@@ -1,5 +1,3 @@
 node_modules
 contracts/Migrations.sol
-contracts/thirdparty/MiMC.sol
-contracts/thirdparty/MerkleTree.sol
-contracts/thirdparty/Proxy.sol
+contracts/thirdparty

packages/loopring_v3/ABI/version30/IBlockVerifier.abi

@@ -1 +1 @@
-[{"constant":false,"inputs":[{"name":"blockType","type":"uint8"},{"name":"onchainDataAvailability","type":"bool"},{"name":"blockSize","type":"uint16"},{"name":"blockVersion","type":"uint8"},{"name":"vk","type":"uint256[18]"}],"name":"setVerifyingKey","outputs":[],"payable":false,"stateMutability":"nonpayable","type":"function"},{"constant":true,"inputs":[{"name":"blockType","type":"uint8"},{"name":"onchainDataAvailability","type":"bool"},{"name":"blockSize","type":"uint16"},{"name":"blockVersion","type":"uint8"},{"name":"publicDataHash","type":"bytes32"},{"name":"proof","type":"uint256[8]"}],"name":"verifyProof","outputs":[{"name":"","type":"bool"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs":[{"name":"blockType","type":"uint8"},{"name":"onchainDataAvailability","type":"bool"},{"name":"blockSize","type":"uint16"},{"name":"blockVersion","type":"uint8"}],"name":"canVerify","outputs":[{"name":"","type":"bool"}],"payable":false,"stateMutability":"view","type":"function"}]
+[{"constant":true,"inputs":[{"name":"blockType","type":"uint8"},{"name":"onchainDataAvailability","type":"bool"},{"name":"blockSize","type":"uint16"},{"name":"blockVersion","type":"uint8"},{"name":"publicInputs","type":"uint256[]"},{"name":"proofs","type":"uint256[]"}],"name":"verifyProofs","outputs":[{"name":"","type":"bool"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs":[{"name":"blockType","type":"uint8"},{"name":"onchainDataAvailability","type":"bool"},{"name":"blockSize","type":"uint16"},{"name":"blockVersion","type":"uint8"}],"name":"isCircuitEnabled","outputs":[{"name":"","type":"bool"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs":[{"name":"blockType","type":"uint8"},{"name":"onchainDataAvailability","type":"bool"},{"name":"blockSize","type":"uint16"},{"name":"blockVersion","type":"uint8"}],"name":"isCircuitRegistered","outputs":[{"name":"","type":"bool"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":false,"inputs":[{"name":"blockType","type":"uint8"},{"name":"onchainDataAvailability","type":"bool"},{"name":"blockSize","type":"uint16"},{"name":"blockVersion","type":"uint8"},{"name":"vk","type":"uint256[18]"}],"name":"registerCircuit","outputs":[],"payable":false,"stateMutability":"nonpayable","type":"function"},{"constant":false,"inputs":[{"name":"blockType","type":"uint8"},{"name":"onchainDataAvailability","type":"bool"},{"name":"blockSize","type":"uint16"},{"name":"blockVersion","type":"uint8"}],"name":"disableCircuit","outputs":[],"payable":false,"stateMutability":"nonpayable","type":"function"},{"anonymous":false,"inputs":[{"indexed":false,"name":"blockType","type":"uint8"},{"indexed":false,"name":"onchainDataAvailability","type":"bool"},{"indexed":false,"name":"blockSize","type":"uint16"},{"indexed":false,"name":"blockVersion","type":"uint8"}],"name":"CircuitRegistered","type":"event"},{"anonymous":false,"inputs":[{"indexed":false,"name":"blockType","type":"uint8"},{"indexed":false,"name":"onchainDataAvailability","type":"bool"},{"indexed":false,"name":"blockSize","type":"uint16"},{"indexed":false,"name":"blockVersion","type":"uint8"}],"name":"CircuitDisabled","type":"event"}]

packages/loopring_v3/ABI/version30/IExchange.abi

@@ -21,15 +21,35 @@ pragma solidity 0.5.7;
 /// @author Brecht Devos - <[email protected]>
 contract IBlockVerifier
 {
-    /// @dev Sets or updates the verifying key for the given block type
-    ///      and permutation.
+    // -- Events --
+
+    event CircuitRegistered(
+        uint8  blockType,
+        bool   onchainDataAvailability,
+        uint16 blockSize,
+        uint8  blockVersion
+    );
+
+    event CircuitDisabled(
+        uint8  blockType,
+        bool   onchainDataAvailability,
+        uint16 blockSize,
+        uint8  blockVersion
+    );
+
+    // -- Public functions --
+
+    /// @dev Sets the verifying key for the specified circuit.
+    ///      Every block permutation needs its own circuit and thus its own set of
+    ///      verification keys. Only a limited number of block sizes per block
+    ///      type are supported.
     /// @param blockType The type of the block See @BlockType
     /// @param onchainDataAvailability True if the block expects onchain
     ///        data availability data as public input, false otherwise
     /// @param blockSize The number of requests handled in the block
     /// @param blockVersion The block version (i.e. which circuit version needs to be used)
     /// @param vk The verification key
-    function setVerifyingKey(
+    function registerCircuit(
         uint8  blockType,
         bool   onchainDataAvailability,
         uint16 blockSize,
@@ -38,47 +58,76 @@ contract IBlockVerifier
         )
         external;
 
-    /// @dev Checks if a block with the given parameters can be verified.
-    ///      Every block permutation needs its own circuit and thus its own set of
-    ///      verification keys. Only a limited number of blocks sizes per block
-    ///      type are supported.
+    /// @dev Disables the use of the specified circuit.
+    ///      This will stop NEW blocks from using the given circuit, blocks that were already committed
+    ///      can still be verified.
     /// @param blockType The type of the block See @BlockType
     /// @param onchainDataAvailability True if the block expects onchain
     ///        data availability data as public input, false otherwise
     /// @param blockSize The number of requests handled in the block
     /// @param blockVersion The block version (i.e. which circuit version needs to be used)
-    /// @return True if the block can be verified, false otherwise
-    function canVerify(
+    function disableCircuit(
         uint8  blockType,
         bool   onchainDataAvailability,
         uint16 blockSize,
         uint8  blockVersion
         )
-        external
-        view
-        returns (bool);
+        external;
 
-    /// @dev Verifies a block with the given public data and proof.
+    /// @dev Verify blocks with the given public data and proofs.
     ///      Verifying a block makes sure all requests handled in the block
     ///      are correctly handled by the operator.
     /// @param blockType The type of block See @BlockType
     /// @param onchainDataAvailability True if the block expects onchain
     ///        data availability data as public input, false otherwise
     /// @param blockSize The number of requests handled in the block
     /// @param blockVersion The block version (i.e. which circuit version needs to be used)
-    /// @param publicDataHash The hash of all the public data
-    /// @param proof The ZK proof that the block is correct
+    /// @param publicInputs The hash of all the public data of the blocks
+    /// @param proofs The ZK proofs proving that the blocks are correct
     /// @return True if the block is valid, false otherwise
-    function verifyProof(
+    function verifyProofs(
         uint8   blockType,
         bool    onchainDataAvailability,
         uint16  blockSize,
         uint8   blockVersion,
-        bytes32 publicDataHash,
-        uint256[8] calldata proof
+        uint256[] calldata publicInputs,
+        uint256[] calldata proofs
         )
         external
         view
         returns (bool);
 
+    /// @dev Checks if a circuit with the specified parameters is registered.
+    /// @param blockType The type of the block See @BlockType
+    /// @param onchainDataAvailability True if the block expects onchain
+    ///        data availability data as public input, false otherwise
+    /// @param blockSize The number of requests handled in the block
+    /// @param blockVersion The block version (i.e. which circuit version needs to be used)
+    /// @return True if the circuit is registered, false otherwise
+    function isCircuitRegistered(
+        uint8  blockType,
+        bool   onchainDataAvailability,
+        uint16 blockSize,
+        uint8  blockVersion
+        )
+        external
+        view
+        returns (bool);
+
+    /// @dev Checks if a circuit can still be used to commit new blocks.
+    /// @param blockType The type of the block See @BlockType
+    /// @param onchainDataAvailability True if the block expects onchain
+    ///        data availability data as public input, false otherwise
+    /// @param blockSize The number of requests handled in the block
+    /// @param blockVersion The block version (i.e. which circuit version needs to be used)
+    /// @return True if the circuit is enabled, false otherwise
+    function isCircuitEnabled(
+        uint8  blockType,
+        bool   onchainDataAvailability,
+        uint16 blockSize,
+        uint8  blockVersion
+        )
+        external
+        view
+        returns (bool);
 }

packages/loopring_v3/contracts/iface/IBlockVerifier.sol

@@ -514,17 +514,20 @@ contract IExchange
         )
         external;
 
-    /// @dev Submit a ZK proof onchain to verify a previously committed block. Submitting an
+    /// @dev Submits ZK proofs onchain to verify previously committed blocks. Submitting an
     ///      invalid proof will not change the state of the exchange. Note that proofs can
     ///      be submitted in a different order than the blocks themselves.
     ///
-    ///      This method can be called by anyone with a valid proof.
+    ///      Multiple blocks can be verified at once (in any order) IF they use the same circuit.
+    ///      This function will throw if blocks using different circuits need to be verified.
     ///
-    /// @param blockIdx The 0-based index of the block to be verified with the given proof
-    /// @param proof The ZK proof
-    function verifyBlock(
-        uint       blockIdx,
-        uint256[8] calldata proof
+    ///      This method can only be called by the operator.
+    ///
+    /// @param blockIndices The 0-based index of the blocks to be verified with the given proofs
+    /// @param proofs The ZK proof for all blockIndices (proofs.length % 8 == 0).
+    function verifyBlocks(
+        uint[]    calldata blockIndices,
+        uint256[] calldata proofs
         )
         external;
 

packages/loopring_v3/contracts/iface/IExchange.sol

@@ -23,15 +23,23 @@ import "../lib/Claimable.sol";
 import "../impl/libexchange/ExchangeData.sol";
 
 import "../thirdparty/Verifier.sol";
+import "../thirdparty/BatchVerifier.sol";
 
 
 /// @title An Implementation of IBlockVerifier.
 /// @author Brecht Devos - <[email protected]>
 contract BlockVerifier is IBlockVerifier, Claimable
 {
-    mapping (bool => mapping (uint8 => mapping (uint16 => mapping (uint8 => uint256[18])))) verificationKeys;
+    struct Circuit
+    {
+        bool registered;
+        bool enabled;
+        uint256[18] verificationKey;
+    }
+
+    mapping (bool => mapping (uint8 => mapping (uint16 => mapping (uint8 => Circuit)))) public circuits;
 
-    function setVerifyingKey(
+    function registerCircuit(
         uint8  blockType,
         bool   onchainDataAvailability,
         uint16 blockSize,
@@ -41,54 +49,110 @@ contract BlockVerifier is IBlockVerifier, Claimable
         external
         onlyOwner
     {
-        // While vk[0] could be 0, we don't allow it so we can use this to easily check
-        // if the verification key is set
-        require(vk[0] != 0, "INVALID_DATA");
         bool dataAvailability = needsDataAvailability(blockType, onchainDataAvailability);
         require(dataAvailability == onchainDataAvailability, "NO_DATA_AVAILABILITY_NEEDED");
+        Circuit storage circuit = circuits[onchainDataAvailability][blockType][blockSize][blockVersion];
+        require(circuit.registered == false, "ALREADY_REGISTERED");
+
         for (uint i = 0; i < 18; i++) {
-            verificationKeys[onchainDataAvailability][blockType][blockSize][blockVersion][i] = vk[i];
+            circuit.verificationKey[i] = vk[i];
         }
+        circuit.registered = true;
+        circuit.enabled = true;
+
+        emit CircuitRegistered(
+            blockType,
+            onchainDataAvailability, 
+            blockSize,
+            blockVersion
+        );
     }
 
-    function canVerify(
+    function disableCircuit(
         uint8  blockType,
         bool   onchainDataAvailability,
         uint16 blockSize,
         uint8  blockVersion
         )
         external
-        view
-        returns (bool)
+        onlyOwner
     {
-        bool dataAvailability = needsDataAvailability(blockType, onchainDataAvailability);
-        return verificationKeys[dataAvailability][blockType][blockSize][blockVersion][0] != 0;
+        Circuit storage circuit = circuits[onchainDataAvailability][blockType][blockSize][blockVersion];
+        require(circuit.registered == true, "NOT_REGISTERED");
+        require(circuit.enabled == true, "ALREADY_DISABLED");
+
+        circuit.enabled = false;
+
+        emit CircuitDisabled(
+            blockType,
+            onchainDataAvailability,
+            blockSize,
+            blockVersion
+        );
     }
 
-    function verifyProof(
+    function verifyProofs(
         uint8   blockType,
         bool    onchainDataAvailability,
         uint16  blockSize,
         uint8   blockVersion,
-        bytes32 publicDataHash,
-        uint256[8] calldata proof
+        uint256[] calldata publicInputs,
+        uint256[] calldata proofs
         )
         external
         view
         returns (bool)
     {
         bool dataAvailability = needsDataAvailability(blockType, onchainDataAvailability);
-        uint256[18] storage vk = verificationKeys[dataAvailability][blockType][blockSize][blockVersion];
+        Circuit storage circuit = circuits[dataAvailability][blockType][blockSize][blockVersion];
+        require(circuit.registered == true, "NOT_REGISTERED");
 
+        uint256[18] storage vk = circuit.verificationKey;
         uint256[14] memory _vk = [
             vk[0], vk[1], vk[2], vk[3], vk[4], vk[5], vk[6],
             vk[7], vk[8], vk[9], vk[10], vk[11], vk[12], vk[13]
         ];
         uint256[4] memory _vk_gammaABC = [vk[14], vk[15], vk[16], vk[17]];
-        // Maybe we should strip the highest bits of the hash so we don't have any overflow (uint256/prime field)
-        uint256[1] memory publicInputs = [uint256(publicDataHash)];
 
-        return Verifier.Verify(_vk, _vk_gammaABC, proof, publicInputs);
+        if (publicInputs.length == 1) {
+            return Verifier.Verify(_vk, _vk_gammaABC, proofs, publicInputs);
+        } else {
+            return BatchVerifier.BatchVerify(
+                _vk,
+                _vk_gammaABC,
+                proofs,
+                publicInputs,
+                publicInputs.length
+            );
+        }
+    }
+
+    function isCircuitRegistered(
+        uint8  blockType,
+        bool   onchainDataAvailability,
+        uint16 blockSize,
+        uint8  blockVersion
+        )
+        external
+        view
+        returns (bool)
+    {
+        bool dataAvailability = needsDataAvailability(blockType, onchainDataAvailability);
+        return circuits[dataAvailability][blockType][blockSize][blockVersion].registered;
+    }
+
+    function isCircuitEnabled(
+        uint8  blockType,
+        bool   onchainDataAvailability,
+        uint16 blockSize,
+        uint8  blockVersion
+        )
+        external
+        view
+        returns (bool)
+    {
+        bool dataAvailability = needsDataAvailability(blockType, onchainDataAvailability);
+        return circuits[dataAvailability][blockType][blockSize][blockVersion].enabled;
     }
 
     function needsDataAvailability(

packages/loopring_v3/contracts/impl/BlockVerifier.sol

@@ -430,15 +430,15 @@ contract Exchange is IExchange, Claimable, ReentrancyGuard
         state.commitBlock(blockType, blockSize, blockVersion, decompressed, offchainData);
     }
 
-    function verifyBlock(
-        uint blockIdx,
-        uint256[8] calldata proof
+    function verifyBlocks(
+        uint[] calldata blockIndices,
+        uint[] calldata proofs
         )
         external
         nonReentrant
         onlyOperator
     {
-        state.verifyBlock(blockIdx, proof);
+        state.verifyBlocks(blockIndices, proofs);
     }
 
     function revertBlock(