hypercall_state_commitment/

mmr.rs

use ckb_merkle_mountain_range::{
    MMRStoreReadOps, MMRStoreWriteOps, Merge, Result as MmrResult, MMR,
};
use sha3::{Digest, Keccak256};
use std::cell::RefCell;
use std::collections::HashMap;
use std::sync::RwLock;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct MmrHash(pub [u8; 32]);

pub struct Keccak256Merge;

impl Merge for Keccak256Merge {
    type Item = MmrHash;

    fn merge(left: &MmrHash, right: &MmrHash) -> MmrResult<MmrHash> {
        let mut h = Keccak256::new();
        h.update([0x01]); // domain tag: internal node
        h.update(left.0);
        h.update(right.0);
        Ok(MmrHash(h.finalize().into()))
    }
}

/// In-memory MMR store backed by a HashMap.
pub struct MemoryMmrStore {
    pub data: RwLock<HashMap<u64, MmrHash>>,
}

impl Default for MemoryMmrStore {
    fn default() -> Self {
        Self {
            data: RwLock::new(HashMap::new()),
        }
    }
}

impl MMRStoreReadOps<MmrHash> for &MemoryMmrStore {
    fn get_elem(&self, pos: u64) -> MmrResult<Option<MmrHash>> {
        Ok(self.data.read().unwrap().get(&pos).cloned())
    }
}

impl MMRStoreWriteOps<MmrHash> for &MemoryMmrStore {
    fn append(&mut self, pos: u64, elems: Vec<MmrHash>) -> MmrResult<()> {
        let mut data = self.data.write().unwrap();
        for (i, elem) in elems.into_iter().enumerate() {
            let p = pos + i as u64;
            debug_assert!(
                !data.contains_key(&p),
                "MMR append overwrites existing position {p}"
            );
            data.insert(p, elem);
        }
        Ok(())
    }
}

/// Metadata needed to resume an MMR at the exact append position.
pub trait MmrMetadataStore {
    fn load_mmr_size(&self) -> anyhow::Result<u64>;
}

pub trait SupportedMmrStore: MmrMetadataStore {}

pub trait PrepareMmrStore: SupportedMmrStore {
    fn prepare_append_many_from(
        size: u64,
        store: &Self,
        data: &[[u8; 32]],
    ) -> anyhow::Result<PreparedMmrAppend>;
}

impl MmrMetadataStore for MemoryMmrStore {
    fn load_mmr_size(&self) -> anyhow::Result<u64> {
        Ok(0)
    }
}

impl SupportedMmrStore for MemoryMmrStore {}

impl PrepareMmrStore for MemoryMmrStore {
    fn prepare_append_many_from(
        size: u64,
        store: &Self,
        data: &[[u8; 32]],
    ) -> anyhow::Result<PreparedMmrAppend> {
        prepare_append_many_with_store(size, store, data)
    }
}

pub(crate) fn prepare_append_many_with_store<S>(
    size: u64,
    store: &S,
    data: &[[u8; 32]],
) -> anyhow::Result<PreparedMmrAppend>
where
    for<'a> &'a S: MMRStoreReadOps<MmrHash>,
    for<'a> &'a StagedMmrStore<'a, S>: MMRStoreReadOps<MmrHash> + MMRStoreWriteOps<MmrHash>,
{
    if data.is_empty() {
        let root = if size == 0 {
            MmrHash([0u8; 32])
        } else {
            let mmr = MMR::<MmrHash, Keccak256Merge, _>::new(size, store);
            mmr.get_root().expect("MMR root should exist")
        };
        return Ok(PreparedMmrAppend {
            start_pos: size,
            elems: Vec::new(),
            next_size: size,
            root,
        });
    }

    let staged = StagedMmrStore::new(store);
    let mut mmr = MMR::<MmrHash, Keccak256Merge, _>::new(size, &staged);
    for item in data {
        mmr.push(hash_mmr_leaf(item))
            .expect("MMR push should not fail");
    }
    mmr.commit().expect("MMR commit should not fail");
    let next_size = mmr.mmr_size();
    let root = mmr.get_root().expect("MMR root should exist");
    let writes = staged.flattened_writes()?;
    let start_pos = writes.first().map(|(pos, _)| *pos).unwrap_or(size);
    let elems = writes.into_iter().map(|(_, elem)| elem).collect();

    Ok(PreparedMmrAppend {
        start_pos,
        elems,
        next_size,
        root,
    })
}

/// Self-contained MMR that owns its store.
///
/// Wraps the ckb MMR with its backing store so callers don't have to
/// manage store lifetimes. Exposes append + peaks_hash. Runtime code can
/// provide a durable store; tests default to the in-memory store.
pub struct HypercallMmr<S = MemoryMmrStore> {
    store: S,
    size: u64,
}

#[derive(Clone, Debug)]
pub struct PreparedMmrAppend {
    start_pos: u64,
    elems: Vec<MmrHash>,
    next_size: u64,
    root: MmrHash,
}

impl PreparedMmrAppend {
    pub fn root(&self) -> MmrHash {
        self.root.clone()
    }

    pub fn is_empty(&self) -> bool {
        self.elems.is_empty()
    }
}

pub(crate) struct StagedMmrStore<'a, S> {
    pub(crate) base: &'a S,
    pub(crate) writes: RefCell<Vec<(u64, Vec<MmrHash>)>>,
}

impl<'a, S> StagedMmrStore<'a, S> {
    fn new(base: &'a S) -> Self {
        Self {
            base,
            writes: RefCell::new(Vec::new()),
        }
    }

    fn flattened_writes(&self) -> MmrResult<Vec<(u64, MmrHash)>> {
        let mut out = Vec::new();
        for (start, elems) in self.writes.borrow().iter() {
            for (index, elem) in elems.iter().enumerate() {
                out.push((start + index as u64, elem.clone()));
            }
        }
        Ok(out)
    }
}

macro_rules! impl_staged_mmr_read {
    ($store:ty) => {
        impl MMRStoreReadOps<MmrHash> for &StagedMmrStore<'_, $store> {
            fn get_elem(&self, pos: u64) -> MmrResult<Option<MmrHash>> {
                for (start, elems) in self.writes.borrow().iter().rev() {
                    if pos >= *start {
                        let index = (pos - *start) as usize;
                        if let Some(elem) = elems.get(index) {
                            return Ok(Some(elem.clone()));
                        }
                    }
                }
                self.base.get_elem(pos)
            }
        }
    };
}

impl_staged_mmr_read!(MemoryMmrStore);

impl<S> MMRStoreWriteOps<MmrHash> for &StagedMmrStore<'_, S> {
    fn append(&mut self, pos: u64, elems: Vec<MmrHash>) -> MmrResult<()> {
        self.writes.borrow_mut().push((pos, elems));
        Ok(())
    }
}

impl HypercallMmr<MemoryMmrStore> {
    pub fn new() -> Self {
        Self {
            store: MemoryMmrStore::default(),
            size: 0,
        }
    }
}

impl<S> HypercallMmr<S>
where
    S: PrepareMmrStore,
    for<'a> &'a S: MMRStoreReadOps<MmrHash> + MMRStoreWriteOps<MmrHash>,
{
    pub fn from_store(store: S) -> anyhow::Result<Self> {
        let size = store.load_mmr_size()?;
        Ok(Self { store, size })
    }

    /// Append a raw 32-byte hash as a leaf.
    pub fn append(&mut self, data: [u8; 32]) -> anyhow::Result<()> {
        let prepared = self.prepare_append_many(std::slice::from_ref(&data))?;
        self.apply_prepared_append(prepared)?;
        Ok(())
    }

    pub fn prepare_append_many(&self, data: &[[u8; 32]]) -> anyhow::Result<PreparedMmrAppend> {
        S::prepare_append_many_from(self.size, &self.store, data)
    }

    pub fn apply_prepared_append(&mut self, prepared: PreparedMmrAppend) -> anyhow::Result<()> {
        if prepared.is_empty() {
            self.size = prepared.next_size;
            return Ok(());
        }

        let mut store = &self.store;
        store
            .append(prepared.start_pos, prepared.elems)
            .map_err(|error| anyhow::anyhow!("failed to apply prepared MMR append: {error:?}"))?;
        self.size = prepared.next_size;
        Ok(())
    }

    /// Get the peaks hash (root commitment).
    ///
    /// Returns a zero hash if the MMR is empty.
    pub fn peaks_hash(&self) -> MmrHash {
        if self.size == 0 {
            return MmrHash([0u8; 32]);
        }
        let mmr = MMR::<MmrHash, Keccak256Merge, _>::new(self.size, &self.store);
        mmr.get_root().expect("MMR root should exist")
    }

    pub fn size(&self) -> u64 {
        self.size
    }
}

impl Default for HypercallMmr {
    fn default() -> Self {
        Self::new()
    }
}

/// Hash arbitrary data into an MMR leaf with domain separation.
/// Domain tag 0x00 for leaves, 0x01 for internal nodes (in Merge).
/// This prevents second-preimage attacks where a leaf hash could be
/// mistaken for an internal node hash.
pub fn hash_mmr_leaf(data: &[u8]) -> MmrHash {
    let mut h = Keccak256::new();
    h.update([0x00]); // domain tag: leaf
    h.update(data);
    MmrHash(h.finalize().into())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn append_and_get_root() {
        let store = MemoryMmrStore::default();
        let mut mmr = MMR::<MmrHash, Keccak256Merge, _>::new(0, &store);

        let leaf = hash_mmr_leaf(b"command-1");
        mmr.push(leaf.clone()).expect("push should succeed");
        mmr.commit().expect("commit should succeed");

        let root = mmr.get_root().expect("root should exist");
        assert_eq!(root, leaf, "single-element MMR root equals the leaf");
    }

    #[test]
    fn root_changes_on_append() {
        let store = MemoryMmrStore::default();
        let mut mmr = MMR::<MmrHash, Keccak256Merge, _>::new(0, &store);

        mmr.push(hash_mmr_leaf(b"cmd-1")).unwrap();
        mmr.commit().unwrap();
        let root1 = mmr.get_root().unwrap();

        mmr.push(hash_mmr_leaf(b"cmd-2")).unwrap();
        mmr.commit().unwrap();
        let root2 = mmr.get_root().unwrap();

        assert_ne!(root1, root2);
    }

    #[test]
    fn inclusion_proof_verifies() {
        let store = MemoryMmrStore::default();
        let mut mmr = MMR::<MmrHash, Keccak256Merge, _>::new(0, &store);

        let positions: Vec<u64> = (0..5)
            .map(|i| {
                let pos = mmr
                    .push(hash_mmr_leaf(format!("cmd-{}", i).as_bytes()))
                    .unwrap();
                pos
            })
            .collect();
        mmr.commit().unwrap();

        let root = mmr.get_root().unwrap();
        let _mmr_size = mmr.mmr_size();

        for &pos in &positions {
            let proof = mmr.gen_proof(vec![pos]).unwrap();
            let leaf = store.data.read().unwrap().get(&pos).cloned().unwrap();
            assert!(
                proof.verify(root.clone(), vec![(pos, leaf)]).unwrap(),
                "proof for position {} should verify",
                pos
            );
        }
    }

    #[test]
    fn deterministic_roots() {
        let store_a = MemoryMmrStore::default();
        let store_b = MemoryMmrStore::default();
        let mut mmr_a = MMR::<MmrHash, Keccak256Merge, _>::new(0, &store_a);
        let mut mmr_b = MMR::<MmrHash, Keccak256Merge, _>::new(0, &store_b);

        for i in 0..10 {
            let leaf = hash_mmr_leaf(format!("command-{}", i).as_bytes());
            mmr_a.push(leaf.clone()).unwrap();
            mmr_b.push(leaf).unwrap();
        }
        mmr_a.commit().unwrap();
        mmr_b.commit().unwrap();

        assert_eq!(
            mmr_a.get_root().unwrap(),
            mmr_b.get_root().unwrap(),
            "same inputs should produce same root"
        );
    }

    #[test]
    fn many_appends() {
        let store = MemoryMmrStore::default();
        let mut mmr = MMR::<MmrHash, Keccak256Merge, _>::new(0, &store);

        for i in 0..1000 {
            mmr.push(hash_mmr_leaf(format!("{}", i).as_bytes()))
                .unwrap();
        }
        mmr.commit().unwrap();

        let root = mmr.get_root().unwrap();
        assert_ne!(root.0, [0u8; 32]);
    }
}