OpenZeppelin
diff --git a/‎contracts/mocks/account/AccountZKEmailMock.sol
Lines changed: 3 additions & 3 deletions b/‎contracts/mocks/account/AccountZKEmailMock.sol
Lines changed: 3 additions & 3 deletions
diff --git a/‎contracts/mocks/import.sol
Lines changed: 5 additions & 1 deletion b/‎contracts/mocks/import.sol
Lines changed: 5 additions & 1 deletion
diff --git a/‎contracts/mocks/utils/cryptography/ZKEmailGroth16VerifierMock.sol
Lines changed: 24 additions & 0 deletions b/‎contracts/mocks/utils/cryptography/ZKEmailGroth16VerifierMock.sol
Lines changed: 24 additions & 0 deletions
diff --git a/‎contracts/mocks/utils/cryptography/ZKEmailVerifierMock.sol
Lines changed: 0 additions & 16 deletions b/‎contracts/mocks/utils/cryptography/ZKEmailVerifierMock.sol
Lines changed: 0 additions & 16 deletions
diff --git a/‎contracts/utils/cryptography/ZKEmailUtils.sol
Lines changed: 105 additions & 12 deletions b/‎contracts/utils/cryptography/ZKEmailUtils.sol
Lines changed: 105 additions & 12 deletions
diff --git a/‎contracts/utils/cryptography/signers/SignerZKEmail.sol
Lines changed: 10 additions & 10 deletions b/‎contracts/utils/cryptography/signers/SignerZKEmail.sol
Lines changed: 10 additions & 10 deletions
diff --git a/‎contracts/utils/cryptography/verifiers/ERC7913ZKEmailVerifier.sol
Lines changed: 10 additions & 8 deletions b/‎contracts/utils/cryptography/verifiers/ERC7913ZKEmailVerifier.sol
Lines changed: 10 additions & 8 deletions
@@ -9,18 +9,18 @@ import {ERC721Holder} from "@openzeppelin/contracts/token/ERC721/utils/ERC721Hol
 import {ERC1155Holder} from "@openzeppelin/contracts/token/ERC1155/utils/ERC1155Holder.sol";
 import {SignerZKEmail} from "../../utils/cryptography/signers/SignerZKEmail.sol";
 import {IDKIMRegistry} from "@zk-email/contracts/DKIMRegistry.sol";
-import {IVerifier} from "@zk-email/email-tx-builder/src/interfaces/IVerifier.sol";
+import {IGroth16Verifier} from "@zk-email/email-tx-builder/src/interfaces/IGroth16Verifier.sol";
 
 contract AccountZKEmailMock is Account, SignerZKEmail, ERC7739, ERC7821, ERC721Holder, ERC1155Holder {
     constructor(
         bytes32 accountSalt_,
         IDKIMRegistry registry_,
-        IVerifier verifier_,
+        IGroth16Verifier groth16Verifier_,
         uint256 templateId_
     ) EIP712("AccountZKEmailMock", "1") {
         _setAccountSalt(accountSalt_);
         _setDKIMRegistry(registry_);
-        _setVerifier(verifier_);
+        _setVerifier(groth16Verifier_);
         _setTemplateId(templateId_);
     }
 
 
@@ -7,7 +7,11 @@ import {UpgradeableBeacon} from "@openzeppelin/contracts/proxy/beacon/Upgradeabl
 import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
 import {ERC721Enumerable} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol";
 import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
-import {AccountECDSAMock, AccountERC7579Mock} from "@openzeppelin/contracts/mocks/account/AccountMock.sol";
+import {
+    AccountECDSAMock,
+    AccountERC7579Mock,
+    AccountERC7913Mock
+} from "@openzeppelin/contracts/mocks/account/AccountMock.sol";
 import {ERC1271WalletMock} from "@openzeppelin/contracts/mocks/ERC1271WalletMock.sol";
 import {CallReceiverMock} from "@openzeppelin/contracts/mocks/CallReceiverMock.sol";
 import {ERC7913P256Verifier} from "@openzeppelin/contracts/utils/cryptography/verifiers/ERC7913P256Verifier.sol";
 
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.20;
+
+import {IGroth16Verifier} from "@zk-email/email-tx-builder/src/interfaces/IGroth16Verifier.sol";
+
+contract ZKEmailGroth16VerifierMock is IGroth16Verifier {
+    function verifyProof(
+        uint[2] calldata _pA,
+        uint[2][2] calldata _pB,
+        uint[2] calldata _pC,
+        uint[34] calldata /* _pubSignals */
+    ) public pure returns (bool) {
+        return
+            _pA[0] == 1 &&
+            _pA[1] == 2 &&
+            _pB[0][0] == 3 &&
+            _pB[0][1] == 4 &&
+            _pB[1][0] == 5 &&
+            _pB[1][1] == 6 &&
+            _pC[0] == 7 &&
+            _pC[1] == 8;
+    }
+}
@@ -5,12 +5,12 @@ pragma solidity ^0.8.24;
 import {Bytes} from "@openzeppelin/contracts/utils/Bytes.sol";
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
 import {IDKIMRegistry} from "@zk-email/contracts/DKIMRegistry.sol";
-import {IVerifier} from "@zk-email/email-tx-builder/src/interfaces/IVerifier.sol";
+import {IGroth16Verifier} from "@zk-email/email-tx-builder/src/interfaces/IGroth16Verifier.sol";
 import {EmailAuthMsg} from "@zk-email/email-tx-builder/src/interfaces/IEmailTypes.sol";
 import {CommandUtils} from "@zk-email/email-tx-builder/src/libraries/CommandUtils.sol";
 
 /**
- * @dev Library for https://docs.zk.email[ZKEmail] signature validation utilities.
+ * @dev Library for https://docs.zk.email[ZKEmail] Groth16 proof validation utilities.
  *
  * ZKEmail is a protocol that enables email-based authentication and authorization for smart contracts
  * using zero-knowledge proofs. It allows users to prove ownership of an email address without revealing
@@ -23,20 +23,29 @@ import {CommandUtils} from "@zk-email/email-tx-builder/src/libraries/CommandUtil
  * * A https://docs.zk.email/email-tx-builder/architecture/command-templates[command template] validation
  * mechanism to ensure the email command matches the expected format and parameters.
  * * A https://docs.zk.email/architecture/zk-proofs#how-zk-email-uses-zero-knowledge-proofs[zero-knowledge proof] verification
- * mechanism to ensure the email was actually sent and received without revealing its contents. Defined by an `IVerifier` interface.
+ * mechanism to ensure the email was actually sent and received without revealing its contents. Defined by an `IGroth16Verifier` interface.
  */
 library ZKEmailUtils {
     using CommandUtils for bytes[];
     using Bytes for bytes;
     using Strings for string;
 
+    uint256 public constant DOMAIN_FIELDS = 9;
+    uint256 public constant DOMAIN_BYTES = 255;
+    uint256 public constant COMMAND_FIELDS = 20;
+    uint256 public constant COMMAND_BYTES = 605;
+
+    /// @dev The base field size for BN254 elliptic curve used in Groth16 proofs.
+    uint256 constant Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
+
     /// @dev Enumeration of possible email proof validation errors.
     enum EmailProofError {
         NoError,
         DKIMPublicKeyHash, // The DKIM public key hash verification fails
         MaskedCommandLength, // The masked command length exceeds the maximum
         SkippedCommandPrefixSize, // The skipped command prefix size is invalid
         MismatchedCommand, // The command does not match the proof command
+        InvalidFieldPoint, // The Groth16 field point is invalid
         EmailProof // The email proof verification fails
     }
 
@@ -52,12 +61,12 @@ library ZKEmailUtils {
     function isValidZKEmail(
         EmailAuthMsg memory emailAuthMsg,
         IDKIMRegistry dkimregistry,
-        IVerifier verifier
+        IGroth16Verifier groth16Verifier
     ) internal view returns (EmailProofError) {
         string[] memory signHashTemplate = new string[](2);
         signHashTemplate[0] = "signHash";
         signHashTemplate[1] = CommandUtils.UINT_MATCHER; // UINT_MATCHER is always lowercase
-        return isValidZKEmail(emailAuthMsg, dkimregistry, verifier, signHashTemplate, Case.LOWERCASE);
+        return isValidZKEmail(emailAuthMsg, dkimregistry, groth16Verifier, signHashTemplate, Case.LOWERCASE);
     }
 
     /**
@@ -73,10 +82,10 @@ library ZKEmailUtils {
     function isValidZKEmail(
         EmailAuthMsg memory emailAuthMsg,
         IDKIMRegistry dkimregistry,
-        IVerifier verifier,
+        IGroth16Verifier groth16Verifier,
         string[] memory template
     ) internal view returns (EmailProofError) {
-        return isValidZKEmail(emailAuthMsg, dkimregistry, verifier, template, Case.ANY);
+        return isValidZKEmail(emailAuthMsg, dkimregistry, groth16Verifier, template, Case.ANY);
     }
 
     /**
@@ -87,23 +96,42 @@ library ZKEmailUtils {
     function isValidZKEmail(
         EmailAuthMsg memory emailAuthMsg,
         IDKIMRegistry dkimregistry,
-        IVerifier verifier,
+        IGroth16Verifier groth16Verifier,
         string[] memory template,
         Case stringCase
     ) internal view returns (EmailProofError) {
-        if (emailAuthMsg.skippedCommandPrefix >= verifier.commandBytes()) {
+        if (emailAuthMsg.skippedCommandPrefix >= COMMAND_BYTES) {
             return EmailProofError.SkippedCommandPrefixSize;
-        } else if (bytes(emailAuthMsg.proof.maskedCommand).length > verifier.commandBytes()) {
+        } else if (bytes(emailAuthMsg.proof.maskedCommand).length > COMMAND_BYTES) {
             return EmailProofError.MaskedCommandLength;
         } else if (!_commandMatch(emailAuthMsg, template, stringCase)) {
             return EmailProofError.MismatchedCommand;
         } else if (
             !dkimregistry.isDKIMPublicKeyHashValid(emailAuthMsg.proof.domainName, emailAuthMsg.proof.publicKeyHash)
         ) {
             return EmailProofError.DKIMPublicKeyHash;
-        } else {
-            return verifier.verifyEmailProof(emailAuthMsg.proof) ? EmailProofError.NoError : EmailProofError.EmailProof;
         }
+        (uint256[2] memory pA, uint256[2][2] memory pB, uint256[2] memory pC) = abi.decode(
+            emailAuthMsg.proof.proof,
+            (uint256[2], uint256[2][2], uint256[2])
+        );
+
+        uint256 q = Q - 1; // upper bound of the field elements
+        if (
+            pA[0] > q ||
+            pA[1] > q ||
+            pB[0][0] > q ||
+            pB[0][1] > q ||
+            pB[1][0] > q ||
+            pB[1][1] > q ||
+            pC[0] > q ||
+            pC[1] > q
+        ) return EmailProofError.InvalidFieldPoint;
+
+        return
+            groth16Verifier.verifyProof(pA, pB, pC, toPubSignals(emailAuthMsg))
+                ? EmailProofError.NoError
+                : EmailProofError.EmailProof;
     }
 
     /// @dev Compares the command in the email authentication message with the expected command.
@@ -123,4 +151,69 @@ library ZKEmailUtils {
             commandParams.computeExpectedCommand(template, uint8(Case.UPPERCASE)).equal(command) ||
             commandParams.computeExpectedCommand(template, uint8(Case.CHECKSUM)).equal(command);
     }
+
+    /**
+     * @dev Builds the expected public signals array for the Groth16 verifier from the given EmailAuthMsg.
+     *
+     * Packs the domain, public key hash, email nullifier, timestamp, masked command, account salt, and isCodeExist fields
+     * into a uint256 array in the order expected by the verifier circuit.
+     */
+    function toPubSignals(
+        EmailAuthMsg memory emailAuthMsg
+    ) internal pure returns (uint256[DOMAIN_FIELDS + COMMAND_FIELDS + 5] memory pubSignals) {
+        uint256[] memory stringFields;
+
+        stringFields = _packBytes2Fields(bytes(emailAuthMsg.proof.domainName), DOMAIN_BYTES);
+        for (uint256 i = 0; i < DOMAIN_FIELDS; i++) {
+            pubSignals[i] = stringFields[i];
+        }
+
+        pubSignals[DOMAIN_FIELDS] = uint256(emailAuthMsg.proof.publicKeyHash);
+        pubSignals[DOMAIN_FIELDS + 1] = uint256(emailAuthMsg.proof.emailNullifier);
+        pubSignals[DOMAIN_FIELDS + 2] = uint256(emailAuthMsg.proof.timestamp);
+
+        stringFields = _packBytes2Fields(bytes(emailAuthMsg.proof.maskedCommand), COMMAND_BYTES);
+        for (uint256 i = 0; i < COMMAND_FIELDS; i++) {
+            pubSignals[DOMAIN_FIELDS + 3 + i] = stringFields[i];
+        }
+
+        pubSignals[DOMAIN_FIELDS + 3 + COMMAND_FIELDS] = uint256(emailAuthMsg.proof.accountSalt);
+        pubSignals[DOMAIN_FIELDS + 3 + COMMAND_FIELDS + 1] = emailAuthMsg.proof.isCodeExist ? 1 : 0;
+
+        return pubSignals;
+    }
+
+    /**
+     * @dev Packs a bytes array into an array of uint256 fields, each field representing up to 31 bytes.
+     * If the input is shorter than the padded size, the remaining bytes are zero-padded.
+     */
+    function _packBytes2Fields(bytes memory _bytes, uint256 _paddedSize) private pure returns (uint256[] memory) {
+        uint256 remain = _paddedSize % 31;
+        uint256 numFields = (_paddedSize - remain) / 31;
+        if (remain > 0) {
+            numFields += 1;
+        }
+        uint256[] memory fields = new uint[](numFields);
+        uint256 idx = 0;
+        uint256 byteVal = 0;
+        for (uint256 i = 0; i < numFields; i++) {
+            for (uint256 j = 0; j < 31; j++) {
+                idx = i * 31 + j;
+                if (idx >= _paddedSize) {
+                    break;
+                }
+                if (idx >= _bytes.length) {
+                    byteVal = 0;
+                } else {
+                    byteVal = uint256(uint8(_bytes[idx]));
+                }
+                if (j == 0) {
+                    fields[i] = byteVal;
+                } else {
+                    fields[i] += (byteVal << (8 * j));
+                }
+            }
+        }
+        return fields;
+    }
 }
@@ -3,7 +3,7 @@
 pragma solidity ^0.8.24;
 
 import {IDKIMRegistry} from "@zk-email/contracts/DKIMRegistry.sol";
-import {IVerifier} from "@zk-email/email-tx-builder/src/interfaces/IVerifier.sol";
+import {IGroth16Verifier} from "@zk-email/email-tx-builder/src/interfaces/IGroth16Verifier.sol";
 import {EmailAuthMsg} from "@zk-email/email-tx-builder/src/interfaces/IEmailTypes.sol";
 import {AbstractSigner} from "@openzeppelin/contracts/utils/cryptography/signers/AbstractSigner.sol";
 import {ZKEmailUtils} from "../ZKEmailUtils.sol";
@@ -22,7 +22,7 @@ import {ZKEmailUtils} from "../ZKEmailUtils.sol";
  *
  * * {accountSalt} - A unique identifier derived from the user's email address and account code.
  * * {DKIMRegistry} - An instance of the DKIM registry contract for domain verification.
- * * {verifier} - An instance of the Verifier contract for zero-knowledge proof validation.
+ * * {verifier} - An instance of the Groth16Verifier contract for zero-knowledge proof validation.
  * * {templateId} - The template ID of the sign hash command, defining the expected format.
  *
  * Example of usage:
@@ -32,13 +32,13 @@ import {ZKEmailUtils} from "../ZKEmailUtils.sol";
  *   function initialize(
  *       bytes32 accountSalt,
  *       IDKIMRegistry registry,
- *       IVerifier verifier,
+ *       IGroth16Verifier groth16Verifier,
  *       uint256 templateId
  *   ) public initializer {
  *       // Will revert if the signer is already initialized
  *       _setAccountSalt(accountSalt);
  *       _setDKIMRegistry(registry);
- *       _setVerifier(verifier);
+ *       _setGroth16Verifier(groth16Verifier);
  *       _setTemplateId(templateId);
  *   }
  * }
@@ -53,7 +53,7 @@ abstract contract SignerZKEmail is AbstractSigner {
 
     bytes32 private _accountSalt;
     IDKIMRegistry private _registry;
-    IVerifier private _verifier;
+    IGroth16Verifier private _groth16Verifier;
     uint256 private _templateId;
 
     /// @dev Proof verification error.
@@ -87,11 +87,11 @@ abstract contract SignerZKEmail is AbstractSigner {
     }
 
     /**
-     * @dev An instance of the Verifier contract.
+     * @dev An instance of the Groth16Verifier contract.
      * See https://docs.zk.email/architecture/zk-proofs#how-zk-email-uses-zero-knowledge-proofs[ZK Proofs].
      */
-    function verifier() public view virtual returns (IVerifier) {
-        return _verifier;
+    function verifier() public view virtual returns (IGroth16Verifier) {
+        return _groth16Verifier;
     }
 
     /// @dev The command template of the sign hash command.
@@ -110,8 +110,8 @@ abstract contract SignerZKEmail is AbstractSigner {
     }
 
     /// @dev Set the {verifier} contract address.
-    function _setVerifier(IVerifier verifier_) internal virtual {
-        _verifier = verifier_;
+    function _setVerifier(IGroth16Verifier verifier_) internal virtual {
+        _groth16Verifier = verifier_;
     }
 
     /// @dev Set the command's {templateId}.
 
@@ -3,7 +3,7 @@
 pragma solidity ^0.8.24;
 
 import {IDKIMRegistry} from "@zk-email/contracts/DKIMRegistry.sol";
-import {IVerifier} from "@zk-email/email-tx-builder/src/interfaces/IVerifier.sol";
+import {IGroth16Verifier} from "@zk-email/email-tx-builder/src/interfaces/IGroth16Verifier.sol";
 import {EmailAuthMsg} from "@zk-email/email-tx-builder/src/interfaces/IEmailTypes.sol";
 import {IERC7913SignatureVerifier} from "@openzeppelin/contracts/interfaces/IERC7913.sol";
 import {ZKEmailUtils} from "../ZKEmailUtils.sol";
@@ -25,7 +25,7 @@ import {ZKEmailUtils} from "../ZKEmailUtils.sol";
  *   function _decodeKey(bytes calldata key) internal view override returns (
  *       IDKIMRegistry registry,
  *       bytes32 accountSalt,
- *       IVerifier verifier,
+ *       IGroth16Verifier verifier,
  *       uint256 templateId
  *   ) {
  *       (registry, accountSalt, verifier, templateId) = super._decodeKey(key);
@@ -35,17 +35,17 @@ import {ZKEmailUtils} from "../ZKEmailUtils.sol";
  *   }
  * ```
  */
-abstract contract ERC7913ZKEmailVerifier is IERC7913SignatureVerifier {
+contract ERC7913ZKEmailVerifier is IERC7913SignatureVerifier {
     using ZKEmailUtils for EmailAuthMsg;
 
     /**
      * @dev Verifies a zero-knowledge proof of an email signature validated by a {DKIMRegistry} contract.
      *
-     * The key format is ABI-encoded (IDKIMRegistry, bytes32, IVerifier, uint256) where:
+     * The key format is ABI-encoded (IDKIMRegistry, bytes32, IGroth16Verifier, uint256) where:
      *
      * * IDKIMRegistry: The registry contract that validates DKIM public key hashes
      * * bytes32: The account salt that uniquely identifies the user's email address
-     * * IVerifier: The verifier contract instance for ZK proof verification.
+     * * IGroth16Verifier: The verifier contract instance for ZK proof verification.
      * * uint256: The template ID for the command
      *
      * See {_decodeKey} for the key encoding format.
@@ -77,7 +77,9 @@ abstract contract ERC7913ZKEmailVerifier is IERC7913SignatureVerifier {
         bytes32 hash,
         bytes calldata signature
     ) public view virtual override returns (bytes4) {
-        (IDKIMRegistry registry_, bytes32 accountSalt_, IVerifier verifier_, uint256 templateId_) = _decodeKey(key);
+        (IDKIMRegistry registry_, bytes32 accountSalt_, IGroth16Verifier verifier_, uint256 templateId_) = _decodeKey(
+            key
+        );
         EmailAuthMsg memory emailAuthMsg = abi.decode(signature, (EmailAuthMsg));
 
         return
@@ -102,8 +104,8 @@ abstract contract ERC7913ZKEmailVerifier is IERC7913SignatureVerifier {
         internal
         view
         virtual
-        returns (IDKIMRegistry registry, bytes32 accountSalt, IVerifier verifier, uint256 templateId)
+        returns (IDKIMRegistry registry, bytes32 accountSalt, IGroth16Verifier verifier, uint256 templateId)
     {
-        return abi.decode(key, (IDKIMRegistry, bytes32, IVerifier, uint256));
+        return abi.decode(key, (IDKIMRegistry, bytes32, IGroth16Verifier, uint256));
     }
 }