Merge pull request #2171 from o1-labs/boray/vk-validation

Add Verification Key Validation To Localblockchain

Author: boray

CHANGELOG.md

@@ -42,7 +42,11 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ### Added
 
-- Added bitwise operation methods (xor, not, and, or) to `UInt8` class. https://github.com/o1-labs/o1js/pull/2144$0
+- Added bitwise operation methods (xor, not, and, or) to `UInt8` class. https://github.com/o1-labs/o1js/pull/2144
+
+### Changed
+
+- Added verification key validity checks to `LocalBlockchain`. https://github.com/o1-labs/o1js/pull/2171
 
 ## [2.4.0](https://github.com/o1-labs/o1js/compare/fb625f...6ff7f8470a) - 2025-04-01
 

src/examples/zkapps/zkapp-self-update.ts

@@ -59,7 +59,30 @@ Provable.log('original verification key', fooVerificationKey);
 
 const { verificationKey: barVerificationKey } = await Bar.compile();
 
+try {
+  const invalidVerificationKey = new VerificationKey({
+    data: fooVerificationKey!.data,
+    hash: barVerificationKey.hash,
+  });
+
+  const tx2x = await Mina.transaction(deployer, async () => {
+    // VK with mismatched hash and data should throw
+    await contract.replaceVerificationKey(invalidVerificationKey);
+  });
+  await tx2x.prove();
+  await tx2x.sign([deployer.key]).send();
+} catch (error: any) {
+  if (
+    error.message.includes('The verification key hash is not consistent with the provided data')
+  ) {
+    console.log('correctly threw on invalid verification key');
+  } else {
+    throw error;
+  }
+}
+
 const tx2 = await Mina.transaction(deployer, async () => {
+  // This call will work because the vk is valid
   await contract.replaceVerificationKey(barVerificationKey);
 });
 await tx2.prove();

src/lib/mina/v1/transaction-validation.ts

@@ -21,6 +21,7 @@ import { Types, TypesBigint } from '../../../bindings/mina-transaction/v1/types.
 import type { NetworkId } from '../../../mina-signer/src/types.js';
 import type { Account } from './account.js';
 import type { NetworkValue } from './precondition.js';
+import { VerificationKey } from '../../proof-system/verification-key.js';
 
 export {
   reportGetAccountError,
@@ -242,8 +243,13 @@ async function verifyAccountUpdate(
         publicOutput: [],
       };
 
-      let verificationKey = account.zkapp?.verificationKey?.data;
-      assert(verificationKey !== undefined, 'Account does not have a verification key');
+      let verificationKeyRaw = account.zkapp?.verificationKey;
+      assert(verificationKeyRaw !== undefined, 'Account does not have a verification key');
+      let verificationKey = verificationKeyRaw.data;
+
+      const isVkValid = await VerificationKey.checkValidity(verificationKeyRaw);
+      if (!isVkValid)
+        throw Error(`The verification key hash is not consistent with the provided data`);
 
       isValidProof = await verify(proof, verificationKey);
       if (!isValidProof) {
@@ -305,6 +311,13 @@ async function verifyAccountUpdate(
     }
   });
 
+  if (accountUpdate.update.verificationKey.isSome.toBoolean()) {
+    const isVkValid = await VerificationKey.checkValidity(
+      accountUpdate.update.verificationKey.value
+    );
+    if (!isVkValid)
+      throw Error(`The verification key hash is not consistent with the provided data`);
+  }
   // checks the sequence events (which result in an updated sequence state)
   if (accountUpdate.body.actions.data.length > 0) {
     let p = permissionForUpdate('actions');

src/lib/proof-system/verification-key.ts

@@ -1,7 +1,9 @@
 import { initializeBindings, Pickles } from '../../snarky.js';
+import { synchronousRunners } from '../provable/core/provable-context.js';
 import { provable } from '../provable/types/provable-derivers.js';
 import { Struct } from '../provable/types/struct.js';
 import { Field } from '../provable/wrapped.js';
+import { inCircuitVkHash } from './zkprogram.js';
 
 export { VerificationKey };
 
@@ -26,6 +28,21 @@ class VerificationKey extends Struct({
       hash: Field(RAW_VERIFICATION_KEY.hash),
     });
   }
+
+  static async checkValidity(key: VerificationKey): Promise<boolean> {
+    try {
+      let { runAndCheckSync } = await synchronousRunners();
+
+      runAndCheckSync(() => {
+        let vk = Pickles.sideLoaded.vkToCircuit(() => key.data);
+        let inCircuitHash = inCircuitVkHash(vk);
+        inCircuitHash.assertEquals(key.hash);
+      });
+      return true;
+    } catch {
+      return false;
+    }
+  }
 }
 
 const RAW_VERIFICATION_KEY = {

src/lib/proof-system/verification-key.unit-test.ts

@@ -1,9 +1,22 @@
 import { assert } from 'console';
 import { VerificationKey } from './verification-key.js';
+import { Field } from '../provable/wrapped.js';
 
 console.log('verification key consistency check (generated and cached)');
 let generated = await VerificationKey.dummy();
 let cached = VerificationKey.dummySync();
 
 assert(generated.data === cached.data, 'data equals');
 assert(generated.hash.equals(cached.hash).toBoolean(), 'hash equals');
+
+let vkIsValid = await VerificationKey.checkValidity(generated);
+assert(vkIsValid, 'valid verification key is being rejected as invalid');
+
+const invalidVerificationKey = new VerificationKey({
+    data: generated.data,
+    hash: Field.random(),
+  });
+
+
+let vkIsNotValid = await VerificationKey.checkValidity(invalidVerificationKey);
+assert(vkIsNotValid === false, 'invalid verification key is being accepted as valid');

src/lib/proof-system/zkprogram.ts

@@ -60,6 +60,7 @@ export {
   TupleToInstances,
   PrivateInput,
   Proof,
+  inCircuitVkHash,
 };
 
 type Undefined = undefined;