Add groth16 verification for zkid transaction signatures

[heliuchuan]

Description

This adds the ability to verify groth16 proofs as an option to authenticate transactions. This builds on #11681 and implements the privacy-preserving path based on Groth16 ZKPs.

SignedGroth16Zkp

pub struct SignedGroth16Zkp {
    pub proof: Groth16Zkp,
    /// The signature of the proof signed by the private key of the `ephemeral_pubkey`.
    pub non_malleability_signature: EphemeralSignature,
}

pub struct Groth16Zkp {
    a: G1Bytes,
    b: G2Bytes,
    c: G1Bytes,
}

pub struct G1Bytes(pub(crate) [u8; G1_PROJECTIVE_COMPRESSED_NUM_BYTES]);

pub struct G2Bytes(
    #[serde(with = "BigArray")] pub(crate) [u8; G2_PROJECTIVE_COMPRESSED_NUM_BYTES],
);

Signature size

Groth16Zkp.a -> 32 bytes
Groth16Zkp.b -> 64 bytes
Groth16Zkp.c -> 32 bytes
Groth16Zkp = ~ 128 bytes

SignedGroth16Zkp.proof -> 128 bytes
SignedGroth16Zkp.non_malleability_signature -> 66 bytes (when Ed25519 is used, schemes in the future could differ)
SignedGroth16Zkp = ~ 194 bytes

ZkIdSignature.sig -> 1 bytes (enum) + ~ 194 bytes
ZkIdSignature.jwt_header -> ~ 100 bytes
ZkIdSignature.exp_timestamp_secs -> 8 bytes (u64)
ZkIdSignature.ephemeral_pubkey -> 34 bytes (when Ed25519 is used but up to 93 bytes)
ZkIdSignature.ephemeral_signature -> 66 bytes (when Ed25519 is used, schemes in the future could differ)
ZkIdSignature= ~ 403 bytes

ZkIdPublicKey.iss -> ~27 bytes (google)
ZkIdPublicKey.idc -> ~32 byte
ZkIdPublicKey= ~ 59 bytes

Total Size Estimate
Total for ZkId Groth16 Authenticator = ~462

Signature verification

To verify an SignedGroth16Zkp with a ZkIdSignature, the following checks must pass

1. The SignedGroth16Zkp.non_malleability_signature must be verified with the ZkIdSignature.ephemeral_pubkey to be the valid signature for SignedGroth16Zkp.proof
2. Check that ZkIdSignature.exp_timestamp_secs < now (the current time on-chain at validation time)
3. Fetch the JWK associated with ZkIdSignature.jwt_header and construct the public_inputs_hash from the JWK, ZkIdSignature, and ZkIdPublicKey. Verify that SignedGroth16Zkp.proof is a valid proof with the public_inputs_hash and corresponding verification key.

Todos after circuit finalization

• Update claim max length constants when finalized
• add recovery field

Test Plan

Smoke tested and unit tested

[trunk-io]

⏱️ 57h 15m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
windows-build	13h 54m	🟩 🟩 🟩 🟩 🟩 (+45 more)
rust-unit-tests	13h 21m	⬜ 🟥 ⬜ ⬜ 🟩 (+45 more)
rust-lints	4h 25m	⬜ 🟩 ⬜ 🟩 🟩 (+45 more)
run-tests-main-branch	3h 26m	⬜ 🟩 🟩 🟩 🟩 (+45 more)
rust-smoke-tests	3h 22m	⬜ 🟩 ⬜ ⬜ 🟩 (+5 more)
check	2h 54m	⬜ 🟩 ⬜ 🟩 🟩 (+45 more)
execution-performance / single-node-performance	2h 44m	🟩 🟩 🟩 🟩 🟩 (+4 more)
rust-move-unit-coverage	2h 15m	🟩 🟥 ⬜ ⬜ 🟩 (+1 more)
general-lints	1h 57m	🟩 🟩 ⬜ 🟩 🟩 (+45 more)
check-dynamic-deps	1h 49m	🟩 🟩 🟩 🟩 🟩 (+45 more)
rust-images / rust-all	1h 43m	🟩 🟩 ⬜ 🟩 🟩 (+4 more)
rust-move-tests	1h 18m	🟩 🟩 ⬜ ⬜ 🟩 (+1 more)
forge-e2e-test / forge	1h 17m	🟩 ⬜ 🟩 ⬜ 🟩 (+3 more)
forge-compat-test / forge	1h 11m	🟩 ⬜ 🟩 ⬜ 🟩 (+3 more)
cli-e2e-tests / run-cli-tests	43m	🟩 ⬜ 🟩 ⬜ 🟩 (+3 more)
semgrep/ci	18m	🟩 🟩 🟩 🟩 🟩 (+44 more)
file_change_determinator	8m	🟩 🟩 🟩 🟩 🟩 (+45 more)
file_change_determinator	8m	🟩 🟩 🟩 🟩 🟩 (+43 more)
node-api-compatibility-tests / node-api-compatibility-tests	7m	🟩 🟩 🟩 ⬜ 🟩 (+3 more)
permission-check	2m	🟩 🟩 🟩 🟩 🟩 (+42 more)
permission-check	2m	🟩 🟩 🟩 🟩 🟩 (+42 more)
permission-check	2m	🟩 🟩 🟩 🟩 🟩 (+43 more)
permission-check	2m	🟩 🟩 🟩 🟩 🟩 (+43 more)
file_change_determinator	2m	🟩 🟩 🟩 🟩 🟩 (+4 more)
execution-performance / file_change_determinator	2m	🟩 🟩 🟩 🟩 🟩 (+4 more)
execution-performance / parallel-execution-performance	44s	🟩 🟩 🟩 🟩 🟩
execution-performance / sequential-execution-performance	40s	🟩 🟩 🟩 🟩 🟩
determine-docker-build-metadata	26s	🟩 🟩 🟩 🟩 🟩 (+4 more)
permission-check	23s	🟩 🟩 🟩 🟩 🟩 (+4 more)

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[mstraka100]

Some minor comments, LGTM overall. Should probably be reviewed by someone more involved with the JWK consensus work

[codecov]

Codecov Report

Attention: 286 lines in your changes are missing coverage. Please review.

Comparison is base (10bf671) 71.3% compared to head (040488c) 71.2%.
Report is 8 commits behind head on main.

❗ Current head 040488c differs from pull request most recent head 4e7faa6. Consider uploading reports for the commit 4e7faa6 to get more accurate results

Files	Patch %	Lines
types/src/bn254_circom.rs	0.0%	172 Missing ⚠️
types/src/zkid.rs	0.0%	42 Missing ⚠️
aptos-move/aptos-vm/src/zkid_validation.rs	10.2%	35 Missing ⚠️
types/src/jwks/rsa.rs	0.0%	16 Missing ⚠️
aptos-move/aptos-vm/src/aptos_vm.rs	52.6%	9 Missing ⚠️
types/src/on_chain_config/aptos_features.rs	0.0%	6 Missing ⚠️
crates/aptos-crypto/src/poseidon_bn254.rs	0.0%	4 Missing ⚠️
types/src/transaction/authenticator.rs	0.0%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             main   #11772     +/-   ##
=========================================
- Coverage    71.3%    71.2%   -0.1%     
=========================================
  Files         792      794      +2     
  Lines      182415   182760    +345     
=========================================
+ Hits       130076   130212    +136     
- Misses      52339    52548    +209     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

✅ Forge suite compat success on aptos-node-v1.8.3 ==> 4e7faa6432d815b722e554b814017e53462d3852

Compatibility test results for aptos-node-v1.8.3 ==> 4e7faa6432d815b722e554b814017e53462d3852 (PR)
1. Check liveness of validators at old version: aptos-node-v1.8.3
compatibility::simple-validator-upgrade::liveness-check : committed: 4876 txn/s, latency: 6697 ms, (p50: 6800 ms, p90: 10200 ms, p99: 12300 ms), latency samples: 180420
2. Upgrading first Validator to new version: 4e7faa6432d815b722e554b814017e53462d3852
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 1779 txn/s, latency: 16007 ms, (p50: 19000 ms, p90: 22100 ms, p99: 22600 ms), latency samples: 92520
3. Upgrading rest of first batch to new version: 4e7faa6432d815b722e554b814017e53462d3852
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 1783 txn/s, latency: 16145 ms, (p50: 18900 ms, p90: 22200 ms, p99: 22400 ms), latency samples: 92760
4. upgrading second batch to new version: 4e7faa6432d815b722e554b814017e53462d3852
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 3552 txn/s, latency: 8821 ms, (p50: 9900 ms, p90: 12600 ms, p99: 13200 ms), latency samples: 142100
5. check swarm health
Compatibility test for aptos-node-v1.8.3 ==> 4e7faa6432d815b722e554b814017e53462d3852 passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite realistic_env_max_load success on 4e7faa6432d815b722e554b814017e53462d3852

two traffics test: inner traffic : committed: 7858 txn/s, latency: 4886 ms, (p50: 4500 ms, p90: 6000 ms, p99: 13200 ms), latency samples: 3395000
two traffics test : committed: 100 txn/s, latency: 2092 ms, (p50: 2000 ms, p90: 2200 ms, p99: 5600 ms), latency samples: 1880
Latency breakdown for phase 0: ["QsBatchToPos: max: 0.223, avg: 0.201", "QsPosToProposal: max: 0.133, avg: 0.121", "ConsensusProposalToOrdered: max: 0.541, avg: 0.513", "ConsensusOrderedToCommit: max: 0.452, avg: 0.432", "ConsensusProposalToCommit: max: 0.971, avg: 0.945"]
Max round gap was 2 [limit 4] at version 3452845. Max no progress secs was 7.936493 [limit 15] at version 1177955.
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Test runner output
• Test run is land-blocking