feat(rln): proof generation and verification with on-chain merkle proof/root

[adklempner]

Problem / Description

The RLN contracts and zerokit libraries have been updated to work in a stateless manner, where maintaining a local merkle tree of memberships is no longer necessary; instead, the smart contracts provide a function for getting the latest root of the on-chain tree along with a proof for a given identity commitment in that tree.

The RLN package needs to be updated to use this functionality for generating and verifying RLN proofs in the browser.

Solution

• Update zerokit WASM dependencies
• Update library functions used to call the WASM functions (assumes most inputs have been serialized to bytes)
• Add static membership keystore and root/proof for testing (based on actual membership registered in deployed contract)
• Test to generate and validate RLN proof using above membership

Notes

• Depends on feat(rln)!: generate contract types, migrate from ethers to viem #2705
• Resolves feat: generate proofs from roots without merkle tree #1919
• This PR does not guarantee that the generated proofs work with nwaku, nor does it implement the RLN encoder/decoder

---

Checklist

• Code changes are covered by unit tests.
• Code changes are covered by e2e tests, if applicable.
• Dogfooding has been performed, if feasible.
• A test version has been published, if required.
• All CI checks pass successfully.

[github-actions]

size-limit report 📦

Path	Size	Loading time (3g)	Running time (snapdragon)	Total time
Waku node	96.24 KB (0%)	2 s (0%)	1.4 s (+62.59% 🔺)	3.3 s
Waku Simple Light Node	147.6 KB (0%)	3 s (0%)	648 ms (-55.89% 🔽)	3.6 s
ECIES encryption	22.62 KB (0%)	453 ms (0%)	550 ms (+96.94% 🔺)	1.1 s
Symmetric encryption	22 KB (0%)	440 ms (0%)	288 ms (-25.3% 🔽)	728 ms
DNS discovery	52.17 KB (0%)	1.1 s (0%)	580 ms (-11.3% 🔽)	1.7 s
Peer Exchange discovery	52.91 KB (0%)	1.1 s (0%)	433 ms (-14.48% 🔽)	1.5 s
Peer Cache Discovery	46.64 KB (0%)	933 ms (0%)	651 ms (+52.27% 🔺)	1.6 s
Privacy preserving protocols	77.31 KB (0%)	1.6 s (0%)	1.1 s (+46.71% 🔺)	2.6 s
Waku Filter	79.82 KB (0%)	1.6 s (0%)	1.2 s (+40.24% 🔺)	2.8 s
Waku LightPush	77.97 KB (0%)	1.6 s (0%)	1.2 s (+9.4% 🔺)	2.7 s
History retrieval protocols	83.74 KB (0%)	1.7 s (0%)	1.6 s (+52.63% 🔺)	3.2 s
Deterministic Message Hashing	28.98 KB (0%)	580 ms (0%)	548 ms (-17.37% 🔽)	1.2 s

[weboko]

nit: remove this duplication as there is literally the same function below

[weboko]

question: how fast does it load?

[adklempner]

I tried adding benchmarks and it logged 0.00 ms for both init functions. However, this is likely because of how karma prepares the bundles for each test. If the corresponding wasm files are not already loaded and need to be fetched, then this would probably take longer.

[weboko]

how fast it works in the browser? karma won't show accurate numbers

[Copilot]

Pull request overview

This PR implements stateless RLN proof generation and verification using on-chain Merkle proofs, eliminating the need to maintain a local Merkle tree. The implementation updates the zerokit WASM dependencies and adds comprehensive functionality for generating and verifying RLN proofs directly in the browser using smart contract-provided roots and proofs.

Key Changes:

• Added generateRLNProof() and verifyRLNProof() methods to the Zerokit class for proof generation and verification
• Implemented Merkle tree utilities for root reconstruction and path direction extraction from on-chain proofs
• Updated hash utilities to use new zerokit-rln-wasm-utils package with simplified APIs
• Fixed BigInt serialization in Keystore to handle JSON conversion properly

Reviewed changes

Copilot reviewed 11 out of 14 changed files in this pull request and generated 14 comments.

Show a summary per file

File	Description
packages/rln/src/zerokit.ts	Adds core proof generation/verification methods with witness serialization and external nullifier calculation
packages/rln/src/utils/merkle.ts	New Merkle tree utilities for root reconstruction, rate commitment calculation, and path direction extraction
packages/rln/src/utils/hash.ts	Updates hash functions to use new zerokit-rln-wasm-utils package
packages/rln/src/utils/bytes.ts	Adds fromBigInt() method for converting BigInt to byte arrays with configurable endianness
packages/rln/src/utils/epoch.ts	Simplifies epoch encoding using BytesUtils.writeUIntLE
packages/rln/src/proof.spec.ts	Integration test validating end-to-end proof generation and verification with real keystore data
packages/rln/src/zerokit.browser.spec.ts	Browser test for seeded identity credential generation consistency
packages/rln/src/utils/test_keystore.ts	Static test data with membership keystore and on-chain Merkle proof/root
packages/rln/src/rln.ts	Initializes new zerokit-rln-wasm-utils package
packages/rln/src/keystore/keystore.ts	Fixes BigInt JSON serialization with custom replacer function
packages/rln/karma.conf.cjs	Adds WASM file configuration for zerokit-rln-wasm-utils
packages/rln/package.json	Adds zerokit-rln-wasm-utils dependency, removes unused @waku/interfaces
packages/rln/.mocharc.cjs	Minor formatting fix (trailing newline)
package-lock.json	Updates dependencies including viem, @wagmi/cli, and adds zerokit-rln-wasm-utils

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Missing validation for value parameter. The function should validate that the BigInt value fits within 32 bytes (i.e., value < 2n ** 256n). If a larger value is provided, the function will silently truncate it by only taking the lower 32 bytes, which could lead to incorrect results without any indication of error.

[adklempner]

removed this, we now have an equivalent function with proper checks in bytesutils

[Copilot]

Variable name shadowing: the parameter name proof in the map callback shadows the outer variable merkleProof being mapped. This is confusing and could lead to errors. Consider renaming to: merkleProof.map((element) => BytesUtils.fromBigInt(element, 32, "little"))

Suggested change

	merkleProof.map((proof) => BytesUtils.fromBigInt(proof, 32, "little")),
	merkleProof.map((element) => BytesUtils.fromBigInt(element, 32, "little")),

[Copilot]

Missing validation for x parameter. The function should validate that x.length === 32 since it represents a SHA-256 hash output. Incorrect length could lead to malformed witness data.

Suggested change

	): Promise<Uint8Array> {
	): Promise<Uint8Array> {
	if (x.length !== 32) {
	throw new Error("x must be a 32-byte SHA-256 hash");
	}

[adklempner]

we don't use x outside of this function, so i'm moving the generation of x from the input into here

[Copilot]

Missing validation for epoch parameter. The function should validate that epoch.length === 32 to ensure it represents a properly formatted epoch value. Incorrect length could lead to invalid external nullifier calculation.

Suggested change

	): Promise<Uint8Array> {
	): Promise<Uint8Array> {
	if (!(epoch instanceof Uint8Array) || epoch.length !== 32) {
	throw new Error("epoch must be a 32-byte Uint8Array");
	}

[adklempner]

this was added

[Copilot]

Error messages "invalid epoch" and "invalid id secret hash" are not descriptive enough. They should specify the expected length. Consider: "Epoch must be 32 bytes, got ${epoch.length}" and "ID secret hash must be 32 bytes, got ${idSecretHash.length}"

Suggested change

	if (epoch.length !== 32) throw new Error("invalid epoch");
	if (idSecretHash.length !== 32) throw new Error("invalid id secret hash");
	if (epoch.length !== 32) throw new Error(`Epoch must be 32 bytes, got ${epoch.length}`);
	if (idSecretHash.length !== 32) throw new Error(`ID secret hash must be 32 bytes, got ${idSecretHash.length}`);

[Copilot]

Pull request overview

Copilot reviewed 11 out of 14 changed files in this pull request and generated 13 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Missing JSDoc documentation for the serializeWitness method. This public method performs complex serialization and should include documentation explaining the purpose, the format of each parameter, and what the returned Uint8Array represents.

[Copilot]

The index parameter is validated but never used in the function. While identityPathIndex contains path direction bits derived from the index, the raw index parameter itself serves no purpose in the proof generation. Consider removing this parameter or adding a comment explaining why it's validated but not used.

[Copilot]

Missing input validation for pathElements and identityPathIndex arrays. The function should validate that pathElements has length equal to MERKLE_TREE_DEPTH (20), that each element is 32 bytes, and that identityPathIndex has the same length with each element being 1 byte. Without these checks, incorrect inputs could lead to silent failures or incorrect proofs.

[Copilot]

Missing validation for the roots array parameter. The function should validate that the roots array is not empty and that each root is 32 bytes. An empty roots array or incorrectly sized roots could lead to verification failures or unexpected behavior.

[Copilot]

Missing test coverage for verifyRLNProof method. While the integration test verifies a successful proof verification, there should be unit tests for edge cases like invalid proof format, empty roots array, incorrect signal length, and invalid proofs that should fail verification.

[Copilot]

Missing documentation for the return value format. The method returns a Uint8Array representing the RLN proof, but the documentation doesn't specify the structure or format of this proof data, which would be helpful for users of this API to understand what they're receiving.

[Copilot]

Missing test coverage for serializeWitness method. This is a public method that performs critical serialization for proof generation and should have unit tests to verify correct serialization of all input parameters, including edge cases like empty arrays or maximum-length inputs.

[Copilot]

Missing test coverage for error handling in generateRLNProof. The function has multiple validation checks that throw errors, but there are no tests verifying that these error conditions are properly handled (e.g., invalid epoch length, invalid ID secret hash length, negative index, out-of-range rate limit).

[Copilot]

Missing JSDoc documentation for the verifyRLNProof method. This is a public API method that should include documentation explaining the parameters (especially the format/encoding requirements for signalLength, signal, proof, and roots) and what the boolean return value indicates.

[weboko]

nit: as copilot pointed out - unit tests would be nice

[weboko]

or better yet to use some lib for it

[adklempner]

updated to use viem util for the main logic

[weboko]

nit: to keep compatible with JS definitions it should be writeUintLE instead of writeUIntLE

[weboko]

what is the difference between hash and posseidonHash?

also I'd keep poseidonHash as it is, poseidon is kind of too generic

[adklempner]

hash is sha256, poseidon is poseidon

poseidonHash is how it's used outside of this file, need to import as poseidon to avoid naming conflicts

[weboko]

question: why it is this hardcoded string?

[adklempner]

this is the default rln identifier used in messaging-nim (and thus TWN)

[weboko]

rule of thumb - if you use some comment in code - then code is not explicit enough

Suggested change

	messageId: number // number of message sent by the user in this epoch
	messageNumberId: number

[weboko]

nit: public should be before private methods

[weboko]

lgtm except comment that I left + please, add unit tests for src/utils as you added some code easily testable