Docker reproducible builds, more VE content (#34)

nuke-web3 · web-flow · commit 3c499a268e7e · 2025-06-23T18:05:12.000-06:00
* fix #28 - add talk on VE * docker reproducible builds * shitty workaround for sp1 tooling :-(
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,11 +22,10 @@ sp1-zkvm = "5.0"
 sp1-sdk = "5.0"
 sp1-build = "5.0"
 chacha20 = "0.9"
-jsonrpsee = { version = "0.24", features = ["macros", "server", "http-client"] }
+jsonrpsee = { version = "0.25", features = ["macros", "server", "http-client"] }
 serde = { version = "1.0", default-features = false, features = ["derive"] }
 serde_json = "1.0"
 tokio = { version = "1", features = ["full"] }
-tonic = { version = "0.12", default-features = false }
 celestia-types = "0.11"
 dotenv = "0.15"
 hyper-rustls = "0.27.6"
@@ -48,3 +47,6 @@ rustls-pemfile = "2.2"
 [patch.crates-io]
 # TODO: update to 5.0?
 sha2 = { git = "https://github.com/sp1-patches/RustCrypto-hashes", tag = "patch-sha2-0.10.8-sp1-4.0.0" }
+
+[workspace.features]
+reproducible-elf = ["service/reproducible-elf"]
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,12 @@
 #  Base with Rust, Go, CUDA, SP1, and cargo-chef
-FROM nvidia/cuda:12.8.1-devel-ubuntu24.04 AS base-dev
+FROM nvidia/cuda:12.9.1-devel-ubuntu24.04 AS base-dev
 
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive \
   apt-get install --no-install-recommends -y \
   clang libclang-dev docker.io curl tar build-essential pkg-config git ca-certificates gnupg2 \
   && rm -rf /var/lib/apt/lists/*
  
-ENV GO_VERSION=1.22.0
+ENV GO_VERSION=1.24.4
 ENV GO_URL="https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
 RUN curl -L --proto '=https' --tlsv1.2 -sSf ${GO_URL} -o go.tar.gz && \
     mkdir -p /opt/go && \
@@ -49,17 +49,18 @@ RUN --mount=type=cache,id=target_cache,target=/app/target \
 COPY . .
 
 # Build SP1 ELF to be proven (with optimizations)
+# TODO: need to use `cargo prove --docker` for repoducible builds?
 RUN --mount=type=cache,id=target_cache,target=/app/target \
-  /root/.sp1/bin/cargo-prove prove build -p chacha-program
-
+  RUSTFLAGS="-Copt-level=3 -Clto=fat -Ccodegen-units=1 -Cdebuginfo=1 -Cembed-bitcode=yes" /root/.sp1/bin/cargo-prove prove build -p chacha-program
 # Build the final binary
+# NOTE: default feature is to use --docker ELF
 RUN --mount=type=cache,id=target_cache,target=/app/target \
-  cargo build --release && \
+  cargo build --release --no-default-features && \
   strip /app/target/release/pda-proxy && \
   cp target/release/pda-proxy /app/pda-proxy # pop out of cache
 
 ####################################################################################################
-FROM nvidia/cuda:12.8.1-base-ubuntu24.04 AS runtime
+FROM nvidia/cuda:12.9.1-base-ubuntu24.04 AS runtime
 
 # SP1 CUDA support needs Docker-in-Docker to run `moongate-server` prover service
 # Internally run on localhost:3000
diff --git a/doc/verifiable_encryption.md b/doc/verifiable_encryption.md
@@ -1,5 +1,21 @@
 # Verifiable Encryption
 
+<figure align="center">
+  <iframe
+    width="560"
+    height="315"
+    src="https://www.youtube.com/embed/6P7yWZ4Cshs?si=RzSswRKxYD-gFa7T"
+    title="YouTube video player"
+    frameborder="0"
+    allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share"
+    referrerpolicy="strict-origin-when-cross-origin"
+    allowfullscreen>
+  </iframe>
+  <figcaption>
+     May 2025 overview talk - <a href="https://hackmd.io/@Nuke/SyHBUsdWlg">Slides here</a>
+  </figcaption>
+</figure>
+
 ### _A New Primitive Empowering Private Data Availability_
 
 > “Don’t trust. Verify.”
@@ -64,7 +80,7 @@ In a world where chain data is globally replicated and indexed, **encryption at
 
 - **PDA as a database** for collaborative dApps with fine-grained access control.
 - **Private rollups** with programmable cryptography, enabling [obfuscated state](https://0xparc.org/blog/programmable-cryptography-1).
-- **Private bridging and escrow** sending verifibly correctm but private messages around web2 and/or web3 apps.
+- **Private bridging and escrow** sending verifiably correct but private messages around web2 and/or web3 apps.
 - **Drop-in support** for existing DA users via a [proxy service](../README.md), simplifying migration to PDA.
 
 ### _Trustless Data Markets_
@@ -76,7 +92,7 @@ Here is a [diagram inspired by them](https://docs.google.com/presentation/d/1qq1
 
 ```mermaid
 flowchart LR
-    Data["Data to be Sold"] --> zkVM_Algo["zkVM(tranform media)"]
+    Data["Data to be Sold"] --> zkVM_Algo["zkVM(transform media)"]
     zkVM_Algo -- "proven data transform w/ VE anchor" --> Contract["Marketplace on <dApp chain>"]
     Data -- "VE data" --> Celestia["Celestia"]
     Celestia -- "header" --> Blobstream["Blobstream on <dApp chain>"]
@@ -85,7 +101,7 @@ flowchart LR
 
 ### _Verifiable Private Backups_
 
-> NOTE: Celestia does _not_ guarantee that data will be avalible forever!
+> NOTE: Celestia does _not_ guarantee that data will be available forever!
 > See [the docs on retrievability](https://docs.celestia.org/learn/retrievability#data-retrievability-and-pruning-in-celestia-node) for the latest safe assumptions to use.
 
 With PDA, sensitive data can be publicly published in encrypted form, with **predefined methods for recovery** - without revealing its contents.
diff --git a/example.env b/example.env
@@ -60,7 +60,9 @@ PDA_PORT=26657
 # IMPORTANT: the prover programs *embed the ELF* into their own bin,
 # so this vat is only for development & compilation
 # NOTE: MUST USE FULL PATH, used in scripts, so relative will fail.
-ZK_PROGRAM_ELF_PATH=
+ZK_PROGRAM_ELF_PATH=/full/path/to/target/elf-compilation/release/riscv32im-succinct-zkvm-elf/release/chacha-program
+# See https://docs.succinct.xyz/docs/sp1/writing-programs/compiling#production-builds
+ZK_PROGRAM_REPRODUCIBLE_ELF_PATH=/full/path/to/target/elf-compilation/docker/riscv32im-succinct-zkvm-elf/release/chacha-program
 
 # 'mock' for generating mock proofs locally, 'cpu', 'cuda', or 'network'
 SP1_PROVER=cuda
diff --git a/justfile b/justfile
@@ -30,7 +30,8 @@ initial-config-installs:
     @just sp1 initial-config-installs
 
 _pre-build:
-    @just sp1 build-elf
+    # ALWAYS build with docker
+    @just sp1 build-elf-reproducible
 
 _pre-run:
     echo "just pre-run TODO"
@@ -50,7 +51,7 @@ run-debug *FLAGS: _pre-build _pre-run
 
 # Build docker image & tag
 docker-build:
-    docker build --build-arg BUILDKIT_INLINE_CACHE=1 --tag "$DOCKER_CONTAINER_NAME" --progress=plain .
+    DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 --tag "$DOCKER_CONTAINER_NAME" --progress=plain .
 
 # Save docker image to a tar.gz
 docker-save:
diff --git a/service/Cargo.toml b/service/Cargo.toml
@@ -10,7 +10,6 @@ serde_json.workspace = true
 celestia-types.workspace = true
 jsonrpsee.workspace = true
 tokio.workspace = true
-tonic.workspace = true
 hyper = { workspace = true, features = ["http1", "server"] }
 hyper-util = { workspace = true, features = ["tokio"] }
 http-body-util.workspace = true
@@ -27,3 +26,8 @@ rustls.workspace = true
 tokio-rustls.workspace = true
 rustls-pemfile.workspace = true
 hyper-rustls.workspace = true
+
+[features]
+default = ["reproducible-elf"]
+
+reproducible-elf = []
diff --git a/service/src/internal/runner.rs b/service/src/internal/runner.rs
@@ -12,9 +12,17 @@ use std::sync::Arc;
 use tokio::sync::{OnceCell, mpsc};
 
 /// Hardcoded ELF binary for the crate `program-keccak-inclusion`
-static CHACHA_ELF: &[u8] = include_bytes!(
+/// For reproducible builds, you need `cargo prove --docker`
+#[cfg(feature = "reproducible-elf")]
+pub const CHACHA_ELF: &[u8] = include_bytes!(
+    "../../../target/elf-compilation/docker/riscv32im-succinct-zkvm-elf/release/chacha-program"
+);
+
+#[cfg(not(feature = "reproducible-elf"))]
+pub const CHACHA_ELF: &[u8] = include_bytes!(
     "../../../target/elf-compilation/riscv32im-succinct-zkvm-elf/release/chacha-program"
 );
+
 /// Hardcoded ID for the crate `program-keccak-inclusion`
 static CHACHA_ID: OnceCell<SuccNetProgramId> = OnceCell::const_new();
 
diff --git a/zkVM/common/Cargo.toml b/zkVM/common/Cargo.toml
@@ -11,5 +11,6 @@ rand = { workspace = true, default-features = false, optional = true, features =
 sha2 = { workspace = true, optional = true }
 
 [features]
-default = ["std"]
+default = ["std", "reproducible-elf"]
 std = ["rand/os_rng", "sha2"]
+reproducible-elf = []
diff --git a/zkVM/common/src/lib.rs b/zkVM/common/src/lib.rs
@@ -1,5 +1,14 @@
 // Include the binary input file
-pub const INPUT_BYTES: &[u8] = include_bytes!("../../static/proof_input_example.bin");
+/// For reproducible builds, you need `cargo prove --docker`
+#[cfg(feature = "reproducible-elf")]
+pub const CHACHA_ELF: &[u8] = include_bytes!(
+    "../../../target/elf-compilation/docker/riscv32im-succinct-zkvm-elf/release/chacha-program"
+);
+
+#[cfg(not(feature = "reproducible-elf"))]
+pub const CHACHA_ELF: &[u8] = include_bytes!(
+    "../../../target/elf-compilation/riscv32im-succinct-zkvm-elf/release/chacha-program"
+);
 
 use chacha20::ChaCha20;
 use chacha20::cipher::{KeyIvInit, StreamCipher};
diff --git a/zkVM/sp1/Cargo.toml b/zkVM/sp1/Cargo.toml
@@ -31,3 +31,8 @@ opt-level = 3
 lto = "fat"
 codegen-units = 1
 debug = 1
+
+[features]
+default = ["reproducible-elf"]
+
+reproducible-elf = []
diff --git a/zkVM/sp1/justfile b/zkVM/sp1/justfile
@@ -43,9 +43,27 @@ build-elf:
         echo -e "Can't find ELF at \`$ZK_PROGRAM_ELF_PATH\`.\nAttempting to build it..."; \
         RUSTFLAGS="-Copt-level=3 -Clto=fat -Ccodegen-units=1 -Cdebuginfo=1 -Cembed-bitcode=yes" cargo prove build -p chacha-program; \
     else \
-        echo "✅ ELF Exists, skipping SP1 build"; \
+        echo "✅ RELEASE - ELF Exists, skipping SP1 build"; \
     fi
 
+
+# Build only the zkVM ELF program using sp1 docker (bitwise identical ELFs)
+build-elf-reproducible:
+    if ! {{ path_exists(cargo-prove-path) }}; then \
+        echo -e "⛔ Missing zkVM Compiler.\nRun \`just initial-config-installs\` to prepare your environment"; \
+        exit 1; \
+    fi; \
+    source {{ env-settings }}; \
+    if [ ! -f "$ZK_PROGRAM_REPRODUCIBLE_ELF_PATH" ]; then \
+        echo -e "Can't find ELF at \`$ZK_PROGRAM_REPRODUCIBLE_ELF_PATH\`.\nAttempting to build it..."; \
+        RUSTFLAGS="-Copt-level=3 -Clto=fat -Ccodegen-units=1 -Cdebuginfo=1 -Cembed-bitcode=yes" \
+        echo -r "\n******\nNOTE: the first run will download an sp1 docker image ~5GB\ncheck network usage if you are not seeing any progress on this step...\n"; \
+        RUSTFLAGS="-Copt-level=3 -Clto=fat -Ccodegen-units=1 -Cdebuginfo=1 -Cembed-bitcode=yes" cargo prove build --docker -p chacha-program; \
+    else \
+        echo "✅ REPRODUCIBLE - ELF Exists, skipping SP1 build"; \
+    fi
+
+
 # Run the proxy in release mode with debug logs
 run-release *FLAGS: build-elf
     RUST_LOG=pda_proxy=debug cargo r -r -- {{ FLAGS }}
diff --git a/zkVM/sp1/src/bin/cli.rs b/zkVM/sp1/src/bin/cli.rs
@@ -1,12 +1,21 @@
 use clap::Parser;
 use hex::FromHex;
 use sha2::{Digest, Sha256};
-use sp1_sdk::{ProverClient, SP1Stdin, include_elf};
+use sp1_sdk::{ProverClient, SP1Stdin};
 
 use zkvm_common::{KEY_LEN, NONCE_LEN, chacha, std_only::ZkvmOutput};
 
 /// The ELF (executable and linkable format) file for the Succinct RISC-V zkVM.
-pub const CHACHA_ELF: &[u8] = include_elf!("chacha-program");
+/// For reproducible builds, you need `cargo prove --docker`
+#[cfg(feature = "reproducible-elf")]
+pub const CHACHA_ELF: &[u8] = include_bytes!(
+    "../../../../target/elf-compilation/docker/riscv32im-succinct-zkvm-elf/release/chacha-program"
+);
+
+#[cfg(not(feature = "reproducible-elf"))]
+pub const CHACHA_ELF: &[u8] = include_bytes!(
+    "../../../../target/elf-compilation/riscv32im-succinct-zkvm-elf/release/chacha-program"
+);
 
 /// The arguments for the command.
 #[derive(Parser, Debug)]
@@ -56,8 +65,8 @@ fn main() {
     stdin.write_slice(&input_nonce);
 
     // TODO: replace example bytes with service interface
-    let input_plaintext: &[u8] = zkvm_common::INPUT_BYTES;
-    stdin.write_slice(input_plaintext);
+    const INPUT_BYTES: &[u8] = include_bytes!("../../../static/proof_input_example.bin");
+    stdin.write_slice(INPUT_BYTES);
 
     let client = ProverClient::from_env();
     if args.execute {
@@ -73,7 +82,7 @@ fn main() {
             ZkvmOutput::from_bytes(output_buffer.as_slice()).expect("Failed to parse header");
 
         // Check against the input
-        let input_plaintext_digest = Sha256::digest(input_plaintext);
+        let input_plaintext_digest = Sha256::digest(INPUT_BYTES);
         println!(
             "Input -> plaintext hash: 0x{}",
             zkvm_common::std_only::bytes_to_hex(&input_plaintext_digest)
@@ -86,7 +95,7 @@ fn main() {
         let mut output_plaintext = output.ciphertext.to_owned();
         chacha(&input_key, &output.nonce, &mut output_plaintext);
 
-        assert_eq!(output_plaintext, input_plaintext);
+        assert_eq!(output_plaintext, INPUT_BYTES);
         println!("Decryption of zkVM ciphertext matches input!");
         let input_key_hash = Sha256::digest(input_key);
         assert_eq!(input_key_hash.as_slice(), output.privkey_hash);
diff --git a/zkVM/sp1/src/bin/vkey.rs b/zkVM/sp1/src/bin/vkey.rs
@@ -1,7 +1,16 @@
-use sp1_sdk::{HashableKey, Prover, ProverClient, include_elf};
+use sp1_sdk::{HashableKey, Prover, ProverClient};
 
 /// The ELF (executable and linkable format) file for the Succinct RISC-V zkVM.
-pub const CHACHA_ELF: &[u8] = include_elf!("chacha-program");
+/// For reproducible builds, you need `cargo prove --docker`
+#[cfg(feature = "reproducible-elf")]
+pub const CHACHA_ELF: &[u8] = include_bytes!(
+    "../../../../target/elf-compilation/docker/riscv32im-succinct-zkvm-elf/release/chacha-program"
+);
+
+#[cfg(not(feature = "reproducible-elf"))]
+pub const CHACHA_ELF: &[u8] = include_bytes!(
+    "../../../../target/elf-compilation/riscv32im-succinct-zkvm-elf/release/chacha-program"
+);
 
 fn main() {
     let prover = ProverClient::builder().cpu().build();
