fix(stark-prover): replace 128-bit XOR accumulator with 256-bit BLAKE3 leaf dual accumulator (Phase 4a+4b)#56
Merged
Conversation
- Rename pq_hints → address_registry in ShellStateDb; clearer semantics - Add register_pq_address(), resolve_address(), clear_address_registry(), address_registry_snapshot() methods - Remove pq_addr_map field from TxExecutionResult; eliminates HashMap clone duplication on every commit path - Refactor commit_pqvm_state to take &mut ShellStateDb<S> directly; uses address_registry for correct PQ address resolution - Add commit_pqvm_state_raw(result, world_state, chain_store, registry) for block_producer's dual-commit pattern (evm + persistent WorldState) - Extract do_commit_state() core logic shared by both commit variants - block_producer snapshots registry before first commit and uses raw variant for the persistent WorldState mirror - All 236 pqvm tests pass (including 3 AA integration tests) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…3 leaf dual accumulator
- air.rs: 4-column trace (acc_lo, acc_hi, leaf_lo, leaf_hi), 2 degree-3
transition constraints, 4 boundary assertions, SigBatchPublicInputs now
carries batch_root_lo/hi split
- prover.rs: SigBatchEntry.to_leaf_bytes() = BLAKE3(msg_hash || pk_hash),
to_field_elements() splits 32-byte leaf into (lo, hi) f128 pair,
compute_batch_root() returns [u8; 32], build_trace() dual accumulator,
verify_sig_batch() skips empty proof_bytes (commitment-only)
- proof.rs: batch_root_bytes [u8; 16] -> [u8; 32], version 1 -> 2,
commitment_only() + has_proof() constructors
- Cargo.toml: add blake3 = { workspace = true }
- block_producer.rs: compute batch root synchronously before block signing,
embed SigBatchProof::commitment_only() in header.sig_aggregate_proof
- block_importer.rs: skip full STARK verify for commitment-only proofs;
accept them with debug log (full proof arrives via ProofAmendment)
- system_rewards.rs / mod.rs: extract lo-half [0..16] for L2 aggregation
inputs (SettledL1Input.batch_root: u128 unchanged); fix test fixtures
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR upgrades the STARK signature batch commitment from a 128-bit XOR-fold accumulator to a 256-bit dual-channel BLAKE3 accumulator (Phase 4a), and embeds the commitment-only batch root directly in the block header before signing so it is covered by the proposer seal (Phase 4b). A separate refactor moves PQ address resolution out of TxExecutionResult.pq_addr_map into a ShellStateDb.address_registry snapshot, and introduces a commit_pqvm_state_raw variant for committing to a second WorldState.
Changes:
- STARK AIR / prover / proof: 4-column trace
[acc_lo, acc_hi, leaf_lo, leaf_hi]with two degree-3 transitions, BLAKE3 leaves, 32-bytebatch_root_bytes, version bump 1→2, andcommitment_only()/has_proof()helpers. - Block producer embeds
SigBatchProof::commitment_only(...)in the header before signing; block importer accepts commitment-only payloads and defers full STARK verification toProofAmendmentarrival. - PQVM commit path is refactored:
commit_pqvm_state(&result, &mut state_db)for in-place commits,commit_pqvm_state_raw(..., ®istry)for a second target (node's persistentWorldState).
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| crates/stark-prover/Cargo.toml | Adds blake3 workspace dep for the new leaf hash. |
| crates/stark-prover/src/air.rs | Dual-accumulator AIR: 4 cols, 2 degree-3 transitions, 4 boundary assertions; lo/hi public inputs. |
| crates/stark-prover/src/proof.rs | batch_root_bytes becomes [u8;32]; version → 2; commitment_only() and has_proof() constructors. |
| crates/stark-prover/src/prover.rs | BLAKE3 leaves, dual-channel trace, 32-byte compute_batch_root, commitment-only rejected in verify_sig_batch. |
| crates/node/src/node/block_producer.rs | Synchronously computes batch root, embeds commitment-only proof in header before signing; snapshots address registry across dual commits. |
| crates/node/src/node/block_importer.rs | Skips full STARK verification for commitment-only payloads; updated to new commit_pqvm_state signature. |
| crates/node/src/node/system_rewards.rs | Extracts lo-half (bytes[0..16]) from 32-byte root for u128-based L2 recursive circuit. |
| crates/node/src/node/mod.rs | Re-exports commit_pqvm_state_raw, SigBatchProof, compute_batch_root; test fixtures updated to 32-byte roots. |
| crates/pqvm/src/lib.rs | Re-exports commit_pqvm_state_raw. |
| crates/pqvm/src/executor.rs | Removes pq_addr_map from TxExecutionResult; introduces do_commit_state core helper plus commit_pqvm_state / commit_pqvm_state_raw. |
| crates/pqvm/src/state_db.rs | Renames pq_hints/hint_pq_address to address_registry/register_pq_address; adds resolve_address and address_registry_snapshot. |
| crates/pqvm/tests/common/mod.rs | Updates to new commit_pqvm_state signature. |
| crates/pqvm/tests/integration.rs | Updates to new commit_pqvm_state signature and address-registry naming. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Aligns the STARK signature batch commitment with WP §STARK — replaces the 128-bit XOR-fold accumulator with a 256-bit dual-channel BLAKE3 accumulator, and wires the batch-root commitment directly into the block header (proof-carrier).
Changes
Phase 4a — STARK accumulator upgrade
air.rs: 4-column trace[acc_lo, acc_hi, leaf_lo, leaf_hi], 2 degree-3 transition constraints, 4 boundary assertions;SigBatchPublicInputs.batch_root_lo/hisplitprover.rs:SigBatchEntry.to_leaf_bytes()=BLAKE3(msg_hash ‖ pk_hash);to_field_elements()splits 32-byte leaf into(lo, hi)f128 pair; dual-channelbuild_trace();compute_batch_root()returns[u8; 32];verify_sig_batch()returns error for commitment-only proofsproof.rs:batch_root_bytes [u8; 16] → [u8; 32], version 1 → 2;commitment_only()+has_proof()constructorsCargo.toml:blake3 = { workspace = true }Phase 4b — Proof carrier (header field population)
block_producer.rs: synchronously compute batch root before signing; embedSigBatchProof::commitment_only(batch_root, n)inheader.sig_aggregate_proofso it is covered by the block hash and proposer sealblock_importer.rs: skip full STARK verification for commitment-only proofs; log debug and continue — full STARK proof arrives viaProofAmendmentCompatibility fixes
system_rewards.rs/mod.rs: extract lo-half[0..16]from 32-byte batch_root_bytes forSettledL1Input.batch_root: u128feeding the L2 recursive circuit (unchanged interface)Test results
White paper alignment
sig_aggregate_proof— ✅ProofAmendment, not inline — ✅