Initial commit

Co-authored-by: Hadrien Charlanes <[email protected]>
Co-authored-by: Gabin <[email protected]>
Co-authored-by: CharlsCharls <[email protected]>

.eslintignore

@@ -0,0 +1,10 @@
+node_modules
+cache
+artifacts
+types/**
+lib
+hydra-s1.wasm
+hydra-s1.zkey
+HydraS1Verifier.sol
+build
+hydra-s1_verification_key.json

.eslintrc.json

@@ -0,0 +1,21 @@
+{
+    "env": {
+        "browser": true,
+        "node": true,
+        "es2022": true
+    },
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/recommended"
+    ],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+        "ecmaVersion": "latest",
+        "sourceType": "module"
+    },
+    "plugins": [
+        "@typescript-eslint"
+    ],
+    "rules": {
+    }
+}

.github/workflows/push.yml

@@ -0,0 +1,29 @@
+name: On Push
+on:
+  push:
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    if: github.ref != 'refs/heads/main'
+    name: Test
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup Node
+        uses: actions/setup-node@v2
+        with:
+          node-version: "16.x"
+      - name: Setup Rust
+        uses: ATiltedTree/setup-rust@v1
+        with:
+          rust-version: stable
+      - run: yarn install --frozen-lockfile
+      - name: Install circom
+        run: git clone https://github.com/iden3/circom.git
+      - run: cd circom && cargo build --release
+      - run: cd circom && cargo install --path circom
+      - run: yarn compile-circuits
+      - run: yarn generate-contract
+      - run: yarn compile-contracts
+      - run: cd package && yarn
+      - run: cd package && yarn build
+      - run: yarn test

.gitignore

@@ -0,0 +1,17 @@
+.vscode
+.DS_Store
+
+node_modules
+cache
+artifacts
+types
+deployments
+
+package-lock.json
+
+lib
+
+#hydra-s1.wasm
+#hydra-s1.zkey
+
+build

.husky/.gitignore

@@ -0,0 +1 @@
+_

.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx lint-staged

.npmrc

@@ -0,0 +1 @@
+engine-strict = true

.prettierignore

@@ -0,0 +1,10 @@
+node_modules
+cache
+artifacts
+types/**
+lib
+hydra-s1.wasm
+hydra-s1.zkey
+HydraS1Verifier.sol
+build
+hydra-s1_verification_key.json

.releaserc.yml

@@ -0,0 +1,3 @@
+{
+  "branches": ["main"]
+}

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Sismo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,88 @@
+<br />
+<div align="center">
+  <img src="https://static.sismo.io/readme/top-main.png" alt="Logo" width="150" height="150" style="borderRadius: 20px">
+
+  <h3 align="center">
+    Hydra-S1 ZKPS
+  </h3>
+
+  <p align="center">
+    Hydra-S1 Zero-Knowledge Proving Scheme
+  </p>
+
+  <p align="center">
+    Made by <a href="https://www.docs.sismo.io/" target="_blank">Sismo</a>
+  </p>
+
+  <p align="center">
+    <a href="https://discord.gg/sismo" target="_blank">
+        <img src="https://img.shields.io/badge/Discord-7289DA?style=for-the-badge&logo=discord&logoColor=white"/>
+    </a>
+    <a href="https://twitter.com/sismo_eth" target="_blank">
+        <img src="https://img.shields.io/badge/Twitter-1DA1F2?style=for-the-badge&logo=twitter&logoColor=white"/>
+    </a>
+  </p>
+  <a href="https://www.sismo.io/" target="_blank"></a>
+</div>
+
+
+Hydra-S1 is a Zero-Knowledge Proving Scheme used by [Hydra S1 attesters](https://github.com/sismo-core/sismo-protocol/tree/main/contracts/attesters/hydra-s1) of the Sismo Protocol.
+
+Hydra-S1 generates ZK Proofs from a merkle tree storing groups of accounts with values (e.g group of ENS DAO voters where the account value is the number of votes). 
+
+Hydra-S1 enables users to prove from these groups: 
+- Ownerships: They own two accounts, a source account and a destination account. (via Hydra Delegate Proof of Ownership)
+- Account inclusion: Their source account is part of a group (e.g group ENS DAO voters)
+- Account value: Their source account holds a specific value (e.g number of votes in the group of ENS DAO voters) 
+- Ticket Generation: They computed a ticket (a.k.a nullifierHash) from a ticket identifier (a.k.a externalNullifier). The ticket is deterministically generated from their source account and the ticket identifier. It can be stored by proof verifiers to only accept one ZK Proof per account per ticket identifier
+
+Please make sure to read our documentation:
+-  [Hydra-S1 general documentation](https://hydra-s1.docs.sismo.io)
+-  [Registry Tree](https://registry-tree.docs.sismo.io) The custom merkle tree which stores the groups of accounts.
+- [Hydra Proof of Ownership](https://hydra.docs.sismo.io) via the [Commitment Mapper](https://commitment-mapper.docs.sismo.io)
+
+## Circuits and Package
+
+Hydra-S1 Proving Scheme was developed using [circom](https://github.com/iden3/circom) and [snarkjs](https://github.com/iden3/snarkjs). This repo contains the circuits.
+
+It outputs an off-chain prover and verifiers (both on-chain and off-chain).
+
+Theses implementations of prover and verifiers are in the [@sismo-core/hydra-s1](./package) npm package.
+
+```sh
+$ yarn add @sismo-core/hydra-s1
+```
+
+## Installation
+
+- Install [Circom2](https://docs.circom.io/getting-started/installation/) (rust version)
+- Build
+
+```sh
+$ yarn build
+```
+
+## Test
+
+```sh
+$ yarn test 
+$ test:circuits
+$ test:verifier-js
+$ test:verifier-contract
+$ test:prover-js
+```
+
+## License
+
+Distributed under the MIT License.
+
+## Contribute
+
+Please, feel free to open issues, PRs or simply provide feedback!
+
+## Contact
+
+Prefer [Discord](https://discord.gg/sismo) or [Twitter](https://twitter.com/sismo_eth)
+
+<br/>
+<img src="https://static.sismo.io/readme/bottom-main.png" alt="bottom" width="100%" >

circuits/common/verify-hydra-commitment.circom

@@ -0,0 +1,38 @@
+pragma circom 2.0.0;
+
+include "../../node_modules/circomlib/circuits/eddsaposeidon.circom";
+include "../../node_modules/circomlib/circuits/poseidon.circom";
+
+
+// This template verify a Hydra Delegated Proof Of Ownership
+// For more informations about Delegated Proof Of Ownership
+// See the Commitment Mapper https://commitment-mapper.docs.sismo.io 
+template VerifyHydraCommitment() {
+  signal input address; 
+  signal input secret;
+
+  signal input commitmentMapperPubKey[2];
+  signal input commitmentReceipt[3];
+
+  // Verify that the user have the right commitment secret
+  // This is a Proof Of Commitment Ownership
+  component commitment = Poseidon(1);
+  commitment.inputs[0] <== secret;
+
+  // Re-create the commitment mapping between the address and 
+  // the commitment
+  component message = Poseidon(2);
+  message.inputs[0] <== address;
+  message.inputs[1] <== commitment.out;
+
+  // Verify the Hydra commitment receipt
+  // of the given commitmentMapperPubKey
+  component eddsa = EdDSAPoseidonVerifier();
+  eddsa.enabled <== 1;
+  eddsa.Ax <== commitmentMapperPubKey[0];
+  eddsa.Ay <== commitmentMapperPubKey[1];
+  eddsa.R8x <== commitmentReceipt[0];
+  eddsa.R8y <== commitmentReceipt[1];
+  eddsa.S <== commitmentReceipt[2];
+  eddsa.M <== message.out;
+}

circuits/common/verify-merkle-path.circom

@@ -0,0 +1,48 @@
+// Highly inspired from tornado cash https://github.com/tornadocash/tornado-core/tree/master/circuits
+pragma circom 2.0.0;
+
+include "../../node_modules/circomlib/circuits/poseidon.circom";
+include "../../node_modules/circomlib/circuits/bitify.circom";
+include "../../node_modules/circomlib/circuits/comparators.circom";
+
+// if s == 0 returns [in[0], in[1]]
+// if s == 1 returns [in[1], in[0]]
+template PositionSwitcher() {
+    signal input in[2];
+    signal input s;
+    signal output out[2];
+
+    s * (1 - s) === 0;
+    out[0] <== (in[1] - in[0])*s + in[0];
+    out[1] <== (in[0] - in[1])*s + in[1];
+}
+
+
+// Verifies that merkle path is correct for given merkle root and a leaf
+// pathIndices input is an array of 0/1 selectors telling whether given 
+// pathElement is on the left or right side of merkle path
+template VerifyMerklePath(levels) {
+    signal input leaf;
+    signal input root;
+    signal input pathElements[levels];
+    signal input pathIndices[levels];
+
+    component selectors[levels];
+    component hashers[levels];
+
+    signal computedPath[levels];
+
+    for (var i = 0; i < levels; i++) {
+        selectors[i] = PositionSwitcher();
+        selectors[i].in[0] <== i == 0 ? leaf : computedPath[i - 1];
+        selectors[i].in[1] <== pathElements[i];
+        selectors[i].s <== pathIndices[i];
+
+        hashers[i] = Poseidon(2);
+        hashers[i].inputs[0] <== selectors[i].out[0];
+        hashers[i].inputs[1] <== selectors[i].out[1];
+        computedPath[i] <== hashers[i].out;
+    }
+
+    root === computedPath[levels - 1];
+}