Semaphore V4

[cedoor]

Description

This PR updates the Semaphore codebase based on the findings from the analysis and research period described in the research repository.

The only supported tree depth is 10 at the moment. Another PR (based on issue #482) will be created to support a tree depth range from 1 to 32.

This is not the final version of the PR. The tasks that will follow are listed below. However, an initial review is necessary before proceeding.

ZK circuits

• The identity trapdoor and identity nullifier have been replaced with a single value, the private key, from which an EdDSA public key is derived. The Poseidon hash of the public key is the new identity commitment.
• Some input and output names in the circuits have been changed.
  • External Nullifier → Scope
  • SignalHash → Message
  • NullifierHash → Nullifier
  • Siblings → Tree Siblings
  • Path Indices → Tree Indices
• The new circuit uses Anonymous Components to make the code clearer and more concise (24 lines of code without comments, rather than 90).
• The circuit used to calculate the Merkle tree root is now part of an external package (@zk-kit/circuits - BinaryMerkleRoot) and supports dynamic depths.
• Circomkit has been used for tests and scripts
• The new circuit will be published on NPM (@semaphore-protocol/circuit)

JS libraries

• The core Semaphore libraries have been updated to support the new LeanIMT data structure and the new V4 circuits.
• The identity library now supports the generation of public/private keys using EdDSA and Baby Jubjub, as well as signatures.
• The group and proof libraries have been greatly simplified.
• The proof library now automatically downloads wasm/zkey artifacts on browsers and also on NodeJS.
• JS tests have been moved outside the src folder. A new tests folder has been created for them.
• @semaphore-protocol/heyauthn tests have been updated to support the new core libraries
• @semaphore-protocol/hardhat has been updated to support the new contracts

Solidity contracts

• The contracts have been updated with the new LeanIMT.
• SemaphoreGroups.sol has been adapted to the new data structure, which does not require zero nodes and has a static depth.
• SemaphoreGroups.sol now also manages access to functions (group admins).
• The verifier has been updated with the latest version of the template provided by SnarkJS.
• The VerifiedProof event now includes all the parameters of the proof, allowing anyone to verify the proof off-chain (Add private proof values to the VerifiedProof event #328).

Related Issue

Closes #357

Does this introduce a breaking change?

• Yes
• No

Other information

Next tasks

Before merging this PR to the main branch it is necessary to work on other tasks, which will be merged to this branch first.

• Use merkleTreeSize instead fo merkleTreeDepth #530
• Switch to new NodeJS LTS #531
• Update Licenses for 2024 #532
• Fix ISemaphore typo for custom error #533
• Explore OpenZeppelin Defender 2.0 for Semaphore V4 contracts #486
• Add references to EdDSA and Poseidon in the README #534
• Remove Goerli from the supported networks #352
• Create fake zk artifacts for all tree depths (from 1 to 12) #482
• Add a function to verify proof without storing any nullifier #329
• Deploy Semaphore V4 contracts #485
• Integrate new LeanIMT function to insert many leaves in V4 contracts #521
• Update variable names related to merkle proof parameters in the V4 circuit #522
• Update Solidity pragma version and Hardhat in Semaphore V4 #524
• Update subgraph according to Semaphore V4 changes #543
• Update @semaphore-protocol/data according to Semphore V4 changes #544
• Update CLI packages according to Semphore V4 changes #545

[openzeppelin-code]

Semaphore V4

Generated at commit: 0dbf5f64dadad9c5968950f384a4a8aeab098431

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	0 0 0 4 14 18
Dependencies	Critical High Medium Low Note Total	0 0 0 0 0 0

---

For more details view the full report in OpenZeppelin Code Inspector

[vplasencia]

Issues regarding the Merkle Tree circuit:

1. When the parent of an element is itself.
   • Example: tree with members 1, 2, 3, 4, 5 and the index 4 which is the element 5.
   • This issue is related to this other issue: Generating the path indices for the merkle proof (https://github.com/semaphore-protocol/semaphore/blob/feat/semaphore-v4/packages/proof/src/generate-proof.ts#L46-L52).
     • The path indices and siblings are not correct for the circuit.
2. When the depth of the circuit is the same as the MAX_DEPTH.
   • To solve this we could add something like this code before out <== root; at the end.

     var a = IsEqual()([depth, MAX_DEPTH]);
     
     roots[MAX_DEPTH] <== a * nodes[MAX_DEPTH];
     
     root += roots[MAX_DEPTH];

     And the roots signal should be signal roots[MAX_DEPTH + 1];

[cedoor]

Issues regarding the Merkle Tree circuit:

1. When the parent of an element is itself.

What happens exactly? Could you add a test for it, or share the code you used here?

2. When the depth of the circuit is the same as the MAX_DEPTH.

Good catch! I feel like this should be done here: https://github.com/privacy-scaling-explorations/zk-kit/blob/main/packages/circuits/circom/binary-merkle-root.circom. What do you think?

[vplasencia]

@cedoor Yes, sure, I will create an example of test for it. Some changes should be in the zk-kit package and others in the semaphore proof package. For 2, yes, all the changes are in zk-kit.

[vplasencia]

1. When the parent of an element is itself.

Actually, this issue is related to variable naming in the Merkle Tree circuit because the name depth works for the IMT but not for the LeanIMT.

A test case could be to use the leaves:

BigInt(1), BigInt(2), BigInt(3), BigInt(4), BigInt(5)

And generate the merkle proof of the position 4.

Replace this part (https://github.com/privacy-scaling-explorations/zk-kit/blob/main/packages/circuits/tests/binary-merkle-root.test.ts#L12-L20) with this:

    const leaf = BigInt(5)

    for (let i = 1; i < 6; i += 1) {
        tree.insert(BigInt(i))
    }

    const { siblings, index } = tree.generateProof(4)

With that, the test will not pass.

To pass the test, we can add const siblingsLength = siblings.length here:

    const indices: number[] = []
    const siblingsLength = siblings.length

    for (let i = 0; i < MAX_DEPTH; i += 1) {
        indices.push((index >> i) & 1)

        if (siblings[i] === undefined) {
            siblings[i] = BigInt(0)
        }
    }

And update the input:

    const INPUT = {
        leaf,
        depth: siblingsLength,
        indices,
        siblings
    }

To solve this issue, I think that it is better to change the name of the variable depth here and use another to refer to the siblings' length.

[cedoor]

@vplasencia

Actually, this issue is related to variable naming in the Merkle Tree circuit because the name depth works for the IMT but not for the LeanIMT

The LeanIMT works a bit differently compared to the old IMT. The Merkle proof could contain a different index and number of siblings due to the tree properties. I'm not sure if the variable name should be something different than depth, as in most cases it is the actual tree depth, and the circuit also supports the IMT in theory.

The @semaphore-protocol/proof package uses the sibling list length anyway, which is the actual depth in most cases:

semaphore/packages/proof/src/generate-proof.ts

Line 31 in 406bbc4

const merkleProofLength = merkleProof.siblings.length

It could be different when the leaf is on the right side of the tree.

Proposal:

https://github.com/privacy-scaling-explorations/zk-kit/blob/main/packages/circuits/circom/binary-merkle-root.circom could still use depth, as it's not necessary related to the LeanIMT.

Semaphore could use other names, like treeProofLength, treeProofIndices and treeProofSiblings.

[vplasencia]

@cedoor

Regarding this:
#480 (comment)

I like this proposal 👍.

[0xjei]

Outstanding job 🥇 - Thank you @cedoor.

Left some comments and minor nits around.

[vplasencia]

Great work! ✨