fix: allow to use blake3 to hash PV (#2236)

Author: leruaa

.github/workflows/pr.yml

@@ -152,15 +152,6 @@ jobs:
           RUSTFLAGS: -Copt-level=3 -Coverflow-checks=y -Cdebuginfo=0 -C target-cpu=native
           RUST_BACKTRACE: 1
 
-      - name: Run cargo test with Blake3 PV hashing
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
-          args: --release --package sp1-verifier -F blake3
-        env:
-          RUSTFLAGS: -Copt-level=3 -Coverflow-checks=y -Cdebuginfo=0 -C target-cpu=native
-          RUST_BACKTRACE: 1
-
   lint:
     name: Formatting & Clippy
     runs-on: [runs-on, runner=16cpu-linux-x64, disk=large, "run-id=${{ github.run_id }}"]

Cargo.lock

@@ -103,7 +103,7 @@ serde = "1.0.204"
 serde_json = "1.0.132"
 tracing = "0.1.40"
 tracing-subscriber = "0.3.18"
-blake3 = "1.6.1"
+blake3 = { version = "1.6.1", default-features = false }
 
 [workspace.metadata.typos]
 default.extend-ignore-re = [

Cargo.toml

@@ -11,6 +11,8 @@ categories = { workspace = true }
 
 [dependencies]
 bincode = "1.3.3"
+blake3 = { workspace = true }
+cfg-if = "1.0.0"
 hex = "0.4.3"
 lazy_static = "1.5.0"
 num-bigint = { version = "0.4.6", default-features = false }

crates/primitives/Cargo.toml

@@ -52,24 +52,34 @@ impl SP1PublicValues {
         self.buffer.write_slice(slice);
     }
 
-    /// Hash the public values.
+    /// Hash the public values using SHA256.
     pub fn hash(&self) -> Vec<u8> {
-        let mut hasher = Sha256::new();
-        hasher.update(self.buffer.data.as_slice());
-        hasher.finalize().to_vec()
+        sha256_hash(self.buffer.data.as_slice())
     }
 
-    /// Hash the public values, mask the top 3 bits and return a BigUint. Matches the implementation
-    /// of `hashPublicValues` in the Solidity verifier.
+    /// Hash the public values using Blake3.
+    pub fn blake3_hash(&self) -> Vec<u8> {
+        blake3_hash(self.buffer.data.as_slice())
+    }
+
+    /// Hash the public values using SHA256, mask the top 3 bits and return a BigUint.
+    /// Matches the implementation of `hashPublicValues` in the Solidity verifier.
     ///
     /// ```solidity
     /// sha256(publicValues) & bytes32(uint256((1 << 253) - 1));
     /// ```
     pub fn hash_bn254(&self) -> BigUint {
+        self.hash_bn254_with_fn(sha256_hash)
+    }
+
+    /// Hash the public values using the provided `hasher` function, mask the top 3 bits and
+    /// return a BigUint.
+    pub fn hash_bn254_with_fn<F>(&self, hasher: F) -> BigUint
+    where
+        F: Fn(&[u8]) -> Vec<u8>,
+    {
         // Hash the public values.
-        let mut hasher = Sha256::new();
-        hasher.update(self.buffer.data.as_slice());
-        let mut hash = hasher.finalize();
+        let mut hash = hasher(self.buffer.data.as_slice());
 
         // Mask the top 3 bits.
         hash[0] &= 0b00011111;
@@ -85,6 +95,18 @@ impl AsRef<[u8]> for SP1PublicValues {
     }
 }
 
+/// Hash the input using SHA256.
+pub fn sha256_hash(input: &[u8]) -> Vec<u8> {
+    let mut hasher = Sha256::new();
+    hasher.update(input);
+    hasher.finalize().to_vec()
+}
+
+/// Hash the input using Blake3.
+pub fn blake3_hash(input: &[u8]) -> Vec<u8> {
+    blake3::hash(input).as_bytes().to_vec()
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -103,4 +125,19 @@ mod tests {
 
         assert_eq!(hash, expected_hash_biguint);
     }
+
+    #[test]
+    fn test_hash_public_values_blake3() {
+        let test_hex = "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef";
+        let test_bytes = hex::decode(test_hex).unwrap();
+
+        let mut public_values = SP1PublicValues::new();
+        public_values.write_slice(&test_bytes);
+        let hash = public_values.hash_bn254_with_fn(blake3_hash);
+
+        let expected_hash = "1639647ab9e42519f0cbdcf343033482b018c0c1ed48f8367f32381c60913447";
+        let expected_hash_biguint = BigUint::from_bytes_be(&hex::decode(expected_hash).unwrap());
+
+        assert_eq!(hash, expected_hash_biguint);
+    }
 }

crates/primitives/src/io.rs

@@ -6,7 +6,10 @@ use p3_baby_bear::BabyBear;
 use p3_field::{AbstractField, PrimeField};
 use sp1_core_executor::{subproof::SubproofVerifier, SP1ReduceProof};
 use sp1_core_machine::cpu::MAX_CPU_LOG_DEGREE;
-use sp1_primitives::{consts::WORD_SIZE, io::SP1PublicValues};
+use sp1_primitives::{
+    consts::WORD_SIZE,
+    io::{blake3_hash, SP1PublicValues},
+};
 
 use sp1_recursion_circuit::machine::RootPublicValues;
 use sp1_recursion_core::{air::RecursionPublicValues, stark::BabyBearPoseidon2Outer};
@@ -448,10 +451,7 @@ pub fn verify_plonk_bn254_public_inputs(
         return Err(PlonkVerificationError::InvalidVerificationKey.into());
     }
 
-    let public_values_hash = public_values.hash_bn254();
-    if public_values_hash != expected_public_values_hash {
-        return Err(PlonkVerificationError::InvalidPublicValues.into());
-    }
+    verify_public_values(public_values, expected_public_values_hash)?;
 
     Ok(())
 }
@@ -471,9 +471,32 @@ pub fn verify_groth16_bn254_public_inputs(
         return Err(Groth16VerificationError::InvalidVerificationKey.into());
     }
 
-    let public_values_hash = public_values.hash_bn254();
-    if public_values_hash != expected_public_values_hash {
-        return Err(Groth16VerificationError::InvalidPublicValues.into());
+    verify_public_values(public_values, expected_public_values_hash)?;
+
+    Ok(())
+}
+
+/// In SP1, a proof's public values can either be hashed with SHA2 or Blake3. In SP1 V4, there is no
+/// metadata attached to the proof about which hasher function was used for public values hashing.
+/// Instead, when verifying the proof, the public values are hashed with SHA2 and Blake3, and
+/// if either matches the `expected_public_values_hash`, the verification is successful.
+///
+/// The security for this verification in SP1 V4 derives from the fact that both SHA2 and Blake3 are
+/// designed to be collision resistant. It is computationally infeasible to find an input i1 for
+/// SHA256 and an input i2 for Blake3 that the same hash value. Doing so would require breaking both
+/// algorithms simultaneously.
+fn verify_public_values(
+    public_values: &SP1PublicValues,
+    expected_public_values_hash: BigUint,
+) -> Result<()> {
+    // First, check if the public values are hashed with SHA256. If that fails, attempt hashing with
+    // Blake3. If neither match, return an error.
+    let sha256_public_values_hash = public_values.hash_bn254();
+    if sha256_public_values_hash != expected_public_values_hash {
+        let blake3_public_values_hash = public_values.hash_bn254_with_fn(blake3_hash);
+        if blake3_public_values_hash != expected_public_values_hash {
+            return Err(Groth16VerificationError::InvalidPublicValues.into());
+        }
     }
 
     Ok(())

crates/prover/src/verify.rs

@@ -85,6 +85,15 @@ pub enum SP1VerificationError {
     Other(anyhow::Error),
 }
 
+/// In SP1, a proof's public values can either be hashed with SHA2 or Blake3. In SP1 V4, there is no
+/// metadata attached to the proof about which hasher function was used for public values hashing.
+/// Instead, when verifying the proof, the public values are hashed with SHA2 and Blake3, and
+/// if either matches the `expected_public_values_hash`, the verification is successful.
+///
+/// The security for this verification in SP1 V4 derives from the fact that both SHA2 and Blake3 are
+/// designed to be collision resistant. It is computationally infeasible to find an input i1 for
+/// SHA256 and an input i2 for Blake3 that the same hash value. Doing so would require breaking both
+/// algorithms simultaneously.
 pub(crate) fn verify_proof<C: SP1ProverComponents>(
     prover: &SP1Prover<C>,
     version: &str,
@@ -109,10 +118,12 @@ pub(crate) fn verify_proof<C: SP1ProverComponents>(
                 .collect_vec();
 
             // Make sure the committed value digest matches the public values hash.
-            for (a, b) in committed_value_digest_bytes.iter().zip_eq(bundle.public_values.hash()) {
-                if *a != b {
-                    return Err(SP1VerificationError::InvalidPublicValues);
-                }
+            // It is computationally infeasible to find two distinct inputs, one processed with
+            // SHA256 and the other with Blake3, that yield the same hash value.
+            if committed_value_digest_bytes != bundle.public_values.hash() &&
+                committed_value_digest_bytes != bundle.public_values.blake3_hash()
+            {
+                return Err(SP1VerificationError::InvalidPublicValues);
             }
 
             // Verify the core proof.
@@ -132,10 +143,12 @@ pub(crate) fn verify_proof<C: SP1ProverComponents>(
                 .collect_vec();
 
             // Make sure the committed value digest matches the public values hash.
-            for (a, b) in committed_value_digest_bytes.iter().zip_eq(bundle.public_values.hash()) {
-                if *a != b {
-                    return Err(SP1VerificationError::InvalidPublicValues);
-                }
+            // It is computationally infeasible to find two distinct inputs, one processed with
+            // SHA256 and the other with Blake3, that yield the same hash value.
+            if committed_value_digest_bytes != bundle.public_values.hash() &&
+                committed_value_digest_bytes != bundle.public_values.blake3_hash()
+            {
+                return Err(SP1VerificationError::InvalidPublicValues);
             }
 
             prover.verify_compressed(proof, vkey).map_err(SP1VerificationError::Recursion)

crates/sdk/src/prover.rs

@@ -15,7 +15,7 @@ sha2 = { version = "0.10.8", default-features = false }
 thiserror = { version = "2", default-features = false }
 hex = { version = "0.4.3", default-features = false, features = ["alloc"] }
 lazy_static = { version = "1.5.0", default-features = false }
-blake3 = { workspace = true, optional = true }
+blake3 = { workspace = true }
 cfg-if = "1.0.0"
 
 # arkworks
@@ -32,12 +32,12 @@ num-bigint = "0.4.6"
 num-traits = "0.2.19"
 cfg-if = "1.0.0"
 serial_test = "3.2.0"
+rstest = "0.25.0"
 
 [features]
 default = ["std"]
 std = ["thiserror/std"]
 ark = ["ark-bn254", "ark-serialize", "ark-ff", "ark-groth16", "ark-ec"]
-blake3 = ["dep:blake3"]
 
 [lints]
 workspace = true