Merge pull request #11 from distributed-lab/proof_extension

Proof extension

Author: Arvolear

README.md

@@ -38,13 +38,61 @@ The list parameters to be passed:
 5. `minConfirmationsCount` - Number of required mainchain confirmation for the block to have.
 
 > [!TIP]
-> Please check out [this test case](./test/SPVContract.test.ts#L223) for more integration information.
+> Please check out [this test case](./test/SPVGateway.test.ts#L223) for more integration information.
 
 ## Permissionlessness
 
-In order for the gateway to be truly permissionless, the contract's bootstrapping needs to be permissionless as well. We are working on a "proof-of-bitcoin" ZK proof to initialize the gateway in a trustless manner.
+In order for the gateway to be truly permissionless, the contract's initialization needs to be permissionless as well. Alongside the regular `SPVGateway`, the repository hosts a `HistoricalSPVGateway` contract, that uses a "proof-of-bitcoin" ZK proof for its initialization. This enables verification of historical Bitcoin blocks and transactions otherwise too expensive to include. Since syncing up the gateway from Bitcoin's genesis would cost ~100 ETH on the mainnet.
 
-This will enable verification of historical Bitcoin transactions otherwise too expensive to include. Syncing up the gateway from Bitcoin's genesis would cost ~100 ETH on the mainnet.
+# HistoricalSPVGateway
+
+`HistoricalSPVGateway` is an extension of the basic `SPVGateway` contract. It uses "proof-of-bitcoin" ZK proof that compresses the entire Bitcoin block history into a single Merkle root to be used during the contract's initialization. This root can then used to verify the "historical" existence of some blocks and transactions.
+
+> [!IMPORTANT]
+> Currently, the "proof-of-bitcoin" ZK proof is generated to the first *912384* Bitcoin blocks. The circuits source code can be found [here](https://github.com/distributed-lab/bitcoin-prover).
+
+## Building the History Merkle Tree
+
+In order to prove the historical block existence, you need to pass the corresponding Merkle path to a smart contract. For that, the entire historical Merkle tree needs to be built:
+
+1. Fetch all block hashes from the genesis block up to the height of `provedBlocksCount - 1`.
+2. Split these blocks into *1024-block* chunks.
+3. Create Level1 Merkle trees for each chunk.
+4. Create an array containing all the Level1 tree roots.
+5. Pad the array from the previous step with zeros for its length to reach the next power of 2.
+6. Create a Level2 Merkle tree, using the array from the previous step as the tree's values.
+
+> [!NOTE]
+> For the Level1 Merkle tree use `SHA256("leaf1" | blockHash)` and `SHA256("node1" | left | right)` for hashing leaves and nodes. And for the Level2 Merkle tree, `SHA256("leaf2" | level1MerkleRoot)` and `SHA256("node2" | left | right)` respectively.
+
+## Verifying History Bitcoin Blocks Inclusion
+
+To verify the existence of a historical Bitcoin block, call the `checkHistoryBlockInclusion` function.
+
+This function requires a `HistoryBlockInclusionProofData` struct as a parameter, which contains the following fields:
+
+1. `level1MerkleProof` - Level1 Merkle path for the block hash being checked.
+2. `level2MerkleProof` - Level2 Merkle path for the Level1 Merkle root (which is calculated from the `level1MerkleProof`)
+3. `blockHash` - Block hash to be checked.
+4. `blockHeight` - Block height of the passed block hash.
+
+> [!TIP]
+> Please check out [this test cases](./test/HistoricalSPVGateway.test.ts#L181) for more integration information.
+
+## Verifying History Bitcoin Tx Inclusion
+
+In order to verify the tx existence in the proven Bitcoin history, the `checkHistoryTxInclusion` function needs to be called. 
+
+The list of parameters to be passed:
+
+1. `merkleProof` - Merkle path for a given transaction to be checked. The Merkle path can either be built locally or by calling `gettxoutproof` on a Bitcoin node.
+2. `blockHeaderRaw` - Raw block header of the block to check the transaction's inclusion against.
+3. `txId` - Tx hash (Merkle leaf) to be checked.
+4. `txIndex` - The Merkle "direction bits" to decide on left or right hashing order.
+5. `blockInclusionProofData` - The proof data for the historical block hash inclusion.
+
+> [!TIP]
+> Please check out [this test case](./test/HistoricalSPVGateway.test.ts#L309) for more integration information.
 
 # Disclaimer
 

contracts/HistoricalSPVGateway.sol

@@ -0,0 +1,119 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import {BlockHeader} from "@solarity/solidity-lib/libs/bitcoin/BlockHeader.sol";
+import {TxMerkleProof} from "@solarity/solidity-lib/libs/bitcoin/TxMerkleProof.sol";
+import {EndianConverter} from "@solarity/solidity-lib/libs/utils/EndianConverter.sol";
+
+import {TargetsHelper} from "./libs/TargetsHelper.sol";
+import {BlockHistory} from "./libs/BlockHistory.sol";
+
+import {IHistoricalSPVGateway} from "./interfaces/IHistoricalSPVGateway.sol";
+
+import {SPVGateway} from "./SPVGateway.sol";
+
+contract HistoricalSPVGateway is IHistoricalSPVGateway, SPVGateway {
+    using BlockHeader for bytes;
+    using TargetsHelper for bytes32;
+    using EndianConverter for bytes32;
+    using BlockHistory for bytes32[];
+
+    bytes32 public constant HISTORICAL_SPV_GATEWAY_STORAGE_SLOT =
+        keccak256("spv.gateway.historical.spv.gateway.storage");
+
+    struct HistoricalSPVGatewayStorage {
+        uint256 historyBlocksCount;
+        bytes32 historyBlocksTreeRoot;
+    }
+
+    function _getHistoricalSPVGatewayStorage()
+        private
+        pure
+        returns (HistoricalSPVGatewayStorage storage _hspvs)
+    {
+        bytes32 slot_ = HISTORICAL_SPV_GATEWAY_STORAGE_SLOT;
+
+        assembly {
+            _hspvs.slot := slot_
+        }
+    }
+
+    function __HistoricalSPVGateway_init(
+        bytes calldata blockHeaderRaw_,
+        uint64 blockHeight_,
+        uint256 cumulativeWork_,
+        bytes32 historyBlocksTreeRoot_,
+        BlockHistory.HistoryProofData calldata proofData_
+    ) external initializer {
+        (BlockHeader.HeaderData memory blockHeader_, bytes32 blockHash_) = _parseBlockHeaderRaw(
+            blockHeaderRaw_
+        );
+
+        BlockHistory.verifyHistoryProof(
+            historyBlocksTreeRoot_,
+            blockHash_,
+            blockHeight_,
+            cumulativeWork_,
+            proofData_
+        );
+
+        _initialize(blockHeader_, blockHash_, blockHeight_, cumulativeWork_);
+
+        _getHistoricalSPVGatewayStorage().historyBlocksCount = blockHeight_;
+        _getHistoricalSPVGatewayStorage().historyBlocksTreeRoot = historyBlocksTreeRoot_;
+    }
+
+    /// @inheritdoc IHistoricalSPVGateway
+    function checkHistoryTxInclusion(
+        bytes32[] calldata merkleProof_,
+        bytes calldata blockHeaderRaw_,
+        bytes32 txId_,
+        uint256 txIndex_,
+        HistoryBlockInclusionProofData calldata blockInclusionProofData_
+    ) external view returns (bool) {
+        (BlockHeader.HeaderData memory blockHeader_, bytes32 blockHash_) = blockHeaderRaw_
+            .parseBlockHeader(true);
+
+        require(
+            blockHash_ == blockInclusionProofData_.blockHash,
+            DifferentBlockHashes(blockHash_, blockInclusionProofData_.blockHash)
+        );
+
+        require(
+            checkHistoryBlockInclusion(blockInclusionProofData_),
+            BlockHashNotInHistory(blockHash_)
+        );
+
+        bytes32 leRoot_ = blockHeader_.merkleRoot.bytes32BEtoLE();
+
+        return TxMerkleProof.verify(merkleProof_, leRoot_, txId_, txIndex_);
+    }
+
+    /// @inheritdoc IHistoricalSPVGateway
+    function checkHistoryBlockInclusion(
+        HistoryBlockInclusionProofData calldata inclusionProofData_
+    ) public view returns (bool) {
+        bytes32 level1Root_ = inclusionProofData_.level1MerkleProof.processLevel1Proof(
+            inclusionProofData_.blockHash,
+            inclusionProofData_.blockHeight
+        );
+
+        return
+            inclusionProofData_.level2MerkleProof.verifyLevel2Proof(
+                getHistoryBlocksTreeRoot(),
+                level1Root_,
+                BlockHistory.getChunkNumber(getHistoryBlocksCount()),
+                BlockHistory.getChunkNumber(inclusionProofData_.blockHeight)
+            );
+    }
+
+    /// @inheritdoc IHistoricalSPVGateway
+    function getHistoryBlocksCount() public view returns (uint256) {
+        return _getHistoricalSPVGatewayStorage().historyBlocksCount;
+    }
+
+    /// @inheritdoc IHistoricalSPVGateway
+    function getHistoryBlocksTreeRoot() public view returns (bytes32) {
+        return _getHistoricalSPVGatewayStorage().historyBlocksTreeRoot;
+    }
+}

contracts/SPVGateway.sol

@@ -51,9 +51,7 @@ contract SPVGateway is ISPVGateway, Initializable {
         });
         bytes32 genesisBlockHash_ = 0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f;
 
-        _addBlock(genesisBlockHeader_, genesisBlockHash_, 0);
-
-        emit MainchainHeadUpdated(0, genesisBlockHash_);
+        _initialize(genesisBlockHeader_, genesisBlockHash_, 0, 0);
     }
 
     function __SPVGateway_init(
@@ -65,15 +63,7 @@ contract SPVGateway is ISPVGateway, Initializable {
             blockHeaderRaw_
         );
 
-        require(
-            blockHeight_ == 0 || TargetsHelper.isTargetAdjustmentBlock(blockHeight_),
-            InvalidInitialBlockHeight(blockHeight_)
-        );
-
-        _addBlock(blockHeader_, blockHash_, blockHeight_);
-        _getSPVGatewayStorage().lastEpochCumulativeWork = cumulativeWork_;
-
-        emit MainchainHeadUpdated(blockHeight_, blockHash_);
+        _initialize(blockHeader_, blockHash_, blockHeight_, cumulativeWork_);
     }
 
     function _getSPVGatewayStorage() private pure returns (SPVGatewayStorage storage _spvs) {
@@ -248,6 +238,31 @@ contract SPVGateway is ISPVGateway, Initializable {
         return getBlockHash(getBlockHeight(blockHash_)) == blockHash_;
     }
 
+    function _initialize(
+        BlockHeader.HeaderData memory blockHeader_,
+        bytes32 blockHash_,
+        uint64 blockHeight_,
+        uint256 cumulativeWork_
+    ) internal onlyInitializing {
+        _addBlock(blockHeader_, blockHash_, blockHeight_);
+
+        if (blockHeight_ > 0) {
+            uint256 lastEpochCumulativeWork_ = cumulativeWork_;
+
+            if (!TargetsHelper.isTargetAdjustmentBlock(blockHeight_)) {
+                bytes32 target_ = TargetsHelper.bitsToTarget(blockHeader_.bits);
+
+                lastEpochCumulativeWork_ -= target_.countCumulativeWork(
+                    TargetsHelper.getEpochBlockNumber(blockHeight_) + 1
+                );
+            }
+
+            _getSPVGatewayStorage().lastEpochCumulativeWork = lastEpochCumulativeWork_;
+        }
+
+        emit MainchainHeadUpdated(blockHeight_, blockHash_);
+    }
+
     function _addBlock(
         BlockHeader.HeaderData memory blockHeader_,
         bytes32 blockHash_,

contracts/interfaces/IHistoricalSPVGateway.sol

@@ -0,0 +1,78 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import {ISPVGateway} from "./ISPVGateway.sol";
+
+/**
+ * @title IHistoricalSPVGateway
+ * @notice An interface for the Historical SPV Gateway that extends ISPVGateway.
+ *
+ * This contract allows for the trustless initialization of the gateway using a "proof-of-bitcoin" ZK proof.
+ * It also includes functions to verify the inclusion of historical blocks and transactions using Merkle proofs.
+ */
+interface IHistoricalSPVGateway is ISPVGateway {
+    /**
+     * @notice Data structure for block inclusion proof in history.
+     * @param level1MerkleProof Merkle proof for the first level of the history tree.
+     * @param level2MerkleProof Merkle proof for the second level of the history tree.
+     * @param blockHash Hash of the block being proved.
+     * @param blockHeight Height of the block in the Bitcoin blockchain.
+     */
+    struct HistoryBlockInclusionProofData {
+        bytes32[] level1MerkleProof;
+        bytes32[] level2MerkleProof;
+        bytes32 blockHash;
+        uint256 blockHeight;
+    }
+
+    /**
+     * @notice Error thrown when block header hash and inclusion proof hash differ.
+     * @param blockHeaderHash Hash of the block header.
+     * @param inclusionProofHash Hash from the inclusion proof.
+     */
+    error DifferentBlockHashes(bytes32 blockHeaderHash, bytes32 inclusionProofHash);
+
+    /**
+     * @notice Error thrown when a block hash is not found in the history.
+     * @param blockHash Hash of the block not found in history.
+     */
+    error BlockHashNotInHistory(bytes32 blockHash);
+
+    /**
+     * @notice Checks whether a transaction is included in a historical block.
+     * @param merkleProof_ Merkle proof for transaction inclusion.
+     * @param blockHeaderRaw_ Raw block header data.
+     * @param txId_ Transaction ID to verify.
+     * @param txIndex_ Index of the transaction in the block.
+     * @param blockInclusionProofData_ Proof data for block inclusion in history.
+     * @return Returns true if the transaction is included in the historical block, false - otherwise.
+     */
+    function checkHistoryTxInclusion(
+        bytes32[] calldata merkleProof_,
+        bytes calldata blockHeaderRaw_,
+        bytes32 txId_,
+        uint256 txIndex_,
+        HistoryBlockInclusionProofData calldata blockInclusionProofData_
+    ) external view returns (bool);
+
+    /**
+     * @notice Checks whether a block is included in the historical blocks tree.
+     * @param inclusionProofData_ Proof data for block inclusion in history.
+     * @return Returns true if the block is included in the historical blocks tree, false - otherwise.
+     */
+    function checkHistoryBlockInclusion(
+        HistoryBlockInclusionProofData calldata inclusionProofData_
+    ) external view returns (bool);
+
+    /**
+     * @notice Gets the total number of historical blocks stored.
+     * @return Returns the number of historical blocks.
+     */
+    function getHistoryBlocksCount() external view returns (uint256);
+
+    /**
+     * @notice Gets the root of the historical blocks tree.
+     * @return Returns the root hash of the historical blocks tree.
+     */
+    function getHistoryBlocksTreeRoot() external view returns (bytes32);
+}

contracts/interfaces/IHistoryProofVerifier.sol

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+/**
+ * @title IHistoryProofVerifier
+ * @notice An interface for verifying a historical proof using a ZK-SNARK.
+ */
+interface IHistoryProofVerifier {
+    /**
+     * @notice Verifies a ZK-SNARK proof against a set of public inputs.
+     * @param proof_ The serialized ZK-SNARK proof.
+     * @param publicInputs_ An array of public inputs required for proof verification.
+     * @return A boolean value indicating whether the proof is valid (true) or not (false).
+     */
+    function verify(
+        bytes calldata proof_,
+        bytes32[] calldata publicInputs_
+    ) external view returns (bool);
+}