Submission and verification
Once you have registered your application's verifying key(s) you are ready to submit application proofs to NEBRA UPA. In this section you will learn how to submit and verify proofs using our SDK.
Steps to submit and verify proofs
Proofs are submitted to UPA on-chain by calling the submit
function in the NEBRA UPA contract.
Each submission can contain one or more proofs. For convenience and type-safety, we recommend that you use our SDK to submit proofs instead of calling this function directly.
Step 1: Export proof data
SnarkJS
Let proofData
be the output of snarkjs' fullProve
function, i.e.
You may save the json serialization of proofData
into a file snarkjs_proof.json
if you intend to submit the proof with the upa
tool. You can generate a UPA-compatible proof data file with the following command
Alternatively, if you want to submit via the typescript sdk, you can easily extract the UPA-compatible proof and inputs from proofData
:
Gnark
You can modify your gnark circuit code to export the proof and the inputs as follows:
If you intend to submit the proof with the upa
tool, you may generate a UPA-compatible proof data file with the following command
Alternatively, if you want to submit via the typescript sdk, you can convert the gnark proofs and inputs to the UPA-compatible format as follows
where gnarkProof
and gnarkInputs
can be obtained from the gnark_proof.json
and gnark_inputs.json
files, respectively. For example
Note on gnark proofs
For gnark proofs with a Pedersen commitment point, the UPA only supports those which have been generated with keccak256
as the hash to field function. In other words, you must run the prover with the following options:
Note gnark
's default is the hash function RFC9380, which is not currently supported by NEBRA's UPA.
Step 2: Prepare proof data
Each proof is submitted along with its corresponding Circuit Id and public inputs as a CircuitIdProofsAndInputs
, defined as the following type in the application
module of the sdk.
Prepare an array CircuitIdProofsAndInputs[]
of the proofs you will submit.
Alternatively, proofs may be submitted alongside a verifying key instead of a circuit Id, as an array of AppVkProofInputs
:
Step 3: Submit proofs
Option A: Off-chain submission
Before sending an off-chain submission, you need to deposit ether to the off-chain aggregator's deposit contract. You can make a deposit using the command
Then prepare a JSON file containing an array of AppVkProofInputs
objects. Note that for off-chain submissions, you must submit a verifying key along with the proofs, not a circuit Id.
To submit a proof(s) file named proof.upa.json
, run the following command
If the aggregator agrees to aggregate your submission, then this command outputs a signed response from the aggregator, which you may use to refund the aggregation fee if your submission has not been aggregated by a certain expiration block. (See the command upa off-chain refund-fee
)
Otherwise, the aggregator rejects your submission then it will respond with an error message.
Option B: On-chain submission
Using your UpaClient
(see setup), submit your array CircuitIdProofsAndInputs[]
.
Be sure to keep the returned submissionHandle
as it contains information used by your application contract to check whether the proof has been verified by NEBRA UPA. It contains a Submission
object that stores the proof Ids for each submitted proof and a submission Id for the entire submission. See Single and multi-proof submissions for more details.
Fee estimation (optional)
NEBRA UPA charges a nominal fee for each proof submission. Your UpaClient
can estimate this fee.
This fee amount value
can then be passed as a PayableOverrides
option into upaClient.submitProofs
. If no value
is specified then the fee is computed automatically.
Proof submission via the upa
tool
upa
tool If you have a json file with UPA-compatible proof data such as proof.upa.json
generated in the previous step.
First, you need to create a file with the circuitId, the proof and the inputs. You can do that e.g. using jq
:
where cid
is the actual value of the circuit Id computed at vk registration time.
To submit the proof(s), run the following command
The option --proof-ids-file
produces an output file with the proof id(s). In the case of multi-proof submissions, the option--submission-file
saves the submission data to a file.
If more convenient, it is also possible to submit a file with the verifying key (instead of the circuitId), the proof and the inputs. You can generate such a file with the following command:
and then submit the file as before
Step 4: Wait for proofs to be verified on NEBRA UPA
Using your submission's submissionId
, wait for NEBRA UPA to verify your submission by awaiting waitForSubmissionVerified
.
Once your submission has been verified, you can send a request to your application contract with inputs corresponding to your submission. This request uses the same inputs as before, but you will no longer need to pass in a proof when using NEBRA UPA. Your application contract will use NEBRA UPA to check the verification status of these inputs before executing the request.
Step 5: Application contract checks verification status
Your app smart contract will call isProofVerified
from the NEBRA UPA contracts to check whether a proof has been verified or not.
For single-proof submissions, your smart contract calls isProofVerified
as follows.
For multi-proof submissions, your application contract will also need to provide a ProofReference
to identify a specific proof in the submission (see Proof references).
If you used our typescript SDK for a multi-proof submission, your SubmissionHandle
can compute this proof reference which can then be passed to your application contract as part of your request.
What is a Proof Id?
Verifying a Proof Id directly
The IUpaVerifier
interface contract also provides the following variations of isProofVerified
:
In some cases, computing the proof Id internally in the application contract and calling isProofVerified
with that proof Id instead of the circuit Id and the public inputs will translate into further gas savings. In that case, we provide the following library function to call from your application contract internally:
We recommend application developers to always measure the gas costs of both variants before choosing an implementation.
Single and multi-proof submissions
A submission's proofs are either all accepted if all of them are valid, or they are all rejected if any proof is invalid.
An aggregated batch can contain proofs from different submissions.
A submission may span multiple batches.
Proof references
Atomic verification of multi-proof submissions
In the case of multi-proof submissions, you can save even more gas at verification time by calling isSubmissionVerified
instead of repeated calls to isProofVerified
. The IUpaVerifier
interfaces provides the following functions
which attests to whether every proof in a submission has been verified or not.
As with isProofVerified
, we provide the following variant which only takes a submission Id
and the following UpaLib
library functions to compute the submission Id in your application contract:
Last updated