From 35fdd66f134ed9a6f2ca9674d12d8d067905a89b Mon Sep 17 00:00:00 2001
From: Vu Vo <vu.voth@gmail.com>
Date: Mon, 9 Jan 2023 23:42:05 +0800
Subject: [PATCH] wip

---
 semaphore/halo2-semaphore/Cargo.lock          |  19 +-
 semaphore/halo2-semaphore/Cargo.toml          |  11 +-
 .../src/circuit/merkle_tree.rs                |  49 +-
 .../halo2-semaphore/src/verifier/aggregate.rs | 513 ++++++++++++++++++
 semaphore/halo2-semaphore/src/verifier/mod.rs |  27 +-
 .../halo2-semaphore/src/verifier/snark.rs     |   2 +-
 6 files changed, 565 insertions(+), 56 deletions(-)
 create mode 100644 semaphore/halo2-semaphore/src/verifier/aggregate.rs

diff --git a/semaphore/halo2-semaphore/Cargo.lock b/semaphore/halo2-semaphore/Cargo.lock
index 006cdc5..1d60be4 100644
--- a/semaphore/halo2-semaphore/Cargo.lock
+++ b/semaphore/halo2-semaphore/Cargo.lock
@@ -508,10 +508,10 @@ dependencies = [
 [[package]]
 name = "ecc"
 version = "0.1.0"
-source = "git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip#52841ecf6069718c2485ae99a67d9fcf65969fc1"
+source = "git+https://github.com/privacy-scaling-explorations/halo2wrong#5bf79a81b61d2ef1c876250e1d505187fd364e64"
 dependencies = [
  "group",
- "integer 0.1.0 (git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip)",
+ "integer 0.1.0 (git+https://github.com/privacy-scaling-explorations/halo2wrong)",
  "num-bigint",
  "num-integer",
  "num-traits",
@@ -683,6 +683,7 @@ dependencies = [
 name = "halo2-semaphore"
 version = "0.1.0"
 dependencies = [
+ "ecc 0.1.0 (git+https://github.com/privacy-scaling-explorations/halo2wrong?tag=v2022_10_22)",
  "halo2_gadgets",
  "halo2_proofs 0.2.0 (git+https://github.com/privacy-scaling-explorations/halo2.git?tag=v2022_10_22)",
  "halo2curves",
@@ -774,7 +775,7 @@ dependencies = [
 [[package]]
 name = "halo2wrong"
 version = "0.1.0"
-source = "git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip#52841ecf6069718c2485ae99a67d9fcf65969fc1"
+source = "git+https://github.com/privacy-scaling-explorations/halo2wrong#5bf79a81b61d2ef1c876250e1d505187fd364e64"
 dependencies = [
  "group",
  "halo2_proofs 0.2.0 (git+https://github.com/privacy-scaling-explorations/halo2.git?tag=v2022_10_22)",
@@ -898,10 +899,10 @@ dependencies = [
 [[package]]
 name = "integer"
 version = "0.1.0"
-source = "git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip#52841ecf6069718c2485ae99a67d9fcf65969fc1"
+source = "git+https://github.com/privacy-scaling-explorations/halo2wrong#5bf79a81b61d2ef1c876250e1d505187fd364e64"
 dependencies = [
  "group",
- "maingate 0.1.0 (git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip)",
+ "maingate 0.1.0 (git+https://github.com/privacy-scaling-explorations/halo2wrong)",
  "num-bigint",
  "num-integer",
  "num-traits",
@@ -1002,10 +1003,10 @@ dependencies = [
 [[package]]
 name = "maingate"
 version = "0.1.0"
-source = "git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip#52841ecf6069718c2485ae99a67d9fcf65969fc1"
+source = "git+https://github.com/privacy-scaling-explorations/halo2wrong#5bf79a81b61d2ef1c876250e1d505187fd364e64"
 dependencies = [
  "group",
- "halo2wrong 0.1.0 (git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip)",
+ "halo2wrong 0.1.0 (git+https://github.com/privacy-scaling-explorations/halo2wrong)",
  "num-bigint",
  "num-integer",
  "num-traits",
@@ -1792,9 +1793,9 @@ dependencies = [
 [[package]]
 name = "transcript"
 version = "0.1.0"
-source = "git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip#52841ecf6069718c2485ae99a67d9fcf65969fc1"
+source = "git+https://github.com/privacy-scaling-explorations/halo2wrong#5bf79a81b61d2ef1c876250e1d505187fd364e64"
 dependencies = [
- "ecc 0.1.0 (git+https://github.com/vuvoth/halo2wrong?branch=export-hasher-chip)",
+ "ecc 0.1.0 (git+https://github.com/privacy-scaling-explorations/halo2wrong)",
  "group",
  "poseidon",
  "subtle",
diff --git a/semaphore/halo2-semaphore/Cargo.toml b/semaphore/halo2-semaphore/Cargo.toml
index b385594..e68c5c2 100644
--- a/semaphore/halo2-semaphore/Cargo.toml
+++ b/semaphore/halo2-semaphore/Cargo.toml
@@ -8,13 +8,16 @@ edition = "2021"
 [dependencies]
 halo2_proofs = { git = "https://github.com/privacy-scaling-explorations/halo2.git", features = ["dev-graph"], tag = "v2022_10_22"}
 halo2_gadgets = { git = "https://github.com/privacy-scaling-explorations/halo2.git"}
-halo2curves = { git = 'https://github.com/privacy-scaling-explorations/halo2curves', tag = '0.3.0' }
-snark-verifier = {git = 'https://github.com/privacy-scaling-explorations/snark-verifier'}
+halo2_curves = { git = "https://github.com/privacy-scaling-explorations/halo2curves", tag = "0.3.0", package = "halo2curves" }
+snark-verifier = {git = 'https://github.com/privacy-scaling-explorations/snark-verifier',features = ["loader_evm", "loader_halo2", "system_halo2"]}
 # halo2wrong = {git = 'https://github.com/vuvoth/halo2wrong.git', features = ["dev-graph"]}
-transcript = {git = 'https://github.com/vuvoth/halo2wrong', branch = 'export-hasher-chip'}
+halo2_wrong_ecc = { git = "https://github.com/privacy-scaling-explorations/halo2wrong", tag = "v2022_10_22", package = "ecc", optional = true }
+transcript = {git = 'https://github.com/privacy-scaling-explorations/halo2wrong'}
 poseidon = {git = 'https://github.com/privacy-scaling-explorations/poseidon.git', tag = "v2022_10_22"}
 rand_core = { version = "0.6", default-features = false }
 plotters = { version = "0.3.0" }
 rand = "0.8"
 
-itertools = "0.10.3"
\ No newline at end of file
+itertools = "0.10.3"
+
+[features]
diff --git a/semaphore/halo2-semaphore/src/circuit/merkle_tree.rs b/semaphore/halo2-semaphore/src/circuit/merkle_tree.rs
index 698c7fe..67b3d17 100644
--- a/semaphore/halo2-semaphore/src/circuit/merkle_tree.rs
+++ b/semaphore/halo2-semaphore/src/circuit/merkle_tree.rs
@@ -1,4 +1,4 @@
-use halo2curves::FieldExt;
+use halo2_curves::{FieldExt, bn256::Fr};
 use poseidon::Spec;
 use transcript::{
     halo2::{
@@ -73,31 +73,40 @@ impl<F: FieldExt> Circuit<F> for MerkleTreeCircuit<F> {
     }
 }
 
+pub fn gen_merkle_circuit_data(n: u64) -> MerkleTreeCircuit<Fr>{
+    let mut leaf = Fr::from(123);
+    let mut merkle_proof = Vec::new();
+    let mut hasher = poseidon::Poseidon::<Fr, 3, 2>::new(8, 57);
+
+    for value in 0..n {
+        hasher.update(&[leaf, Fr::from(value)]);
+        leaf = hasher.squeeze();
+        merkle_proof.push(Fr::from(value));
+    }
+
+    let circuit = MerkleTreeCircuit {
+        leaf_node: Value::known(Fr::from(123)),
+        merkle_path: (0..5).map(|_| Value::known(Fr::from(1))).collect(),
+        hash_root: leaf,
+        merkle_proof: merkle_proof.iter().map(|v| Value::known(*v)).collect(),
+    };
+    circuit
+}
+
 #[cfg(test)]
-mod tests {
-    use halo2curves::bn256::Fr;
+pub mod tests {
+    use halo2_curves::{bn256::Fr, FieldExt};
     use transcript::{halo2::circuit::Value, maingate::mock_prover_verify};
 
-    use super::MerkleTreeCircuit;
+    use crate::circuit::merkle_tree::gen_merkle_circuit_data;
+
+
+   
 
     #[test]
     fn test_circuit() {
-        let mut leaf = Fr::from(123);
-        let mut merkle_proof = Vec::new();
-        let mut hasher = poseidon::Poseidon::<Fr, 3, 2>::new(8, 57);
-
-        for value in 0..5 {
-            hasher.update(&[leaf, Fr::from(value)]);
-            leaf = hasher.squeeze();
-            merkle_proof.push(Fr::from(value));
-        }
-
-        let circuit = MerkleTreeCircuit {
-            leaf_node: Value::known(Fr::from(123)),
-            merkle_path: (0..5).map(|_| Value::known(Fr::from(1))).collect(),
-            hash_root: leaf,
-            merkle_proof: merkle_proof.iter().map(|v| Value::known(*v)).collect(),
-        };
+        
+        let circuit = gen_merkle_circuit_data(5); 
 
         // use plotters::prelude::*;
         // let root = BitMapBackend::new("./target/semaphore.png", (1024, 768)).into_drawing_area();
diff --git a/semaphore/halo2-semaphore/src/verifier/aggregate.rs b/semaphore/halo2-semaphore/src/verifier/aggregate.rs
new file mode 100644
index 0000000..ea7b1d3
--- /dev/null
+++ b/semaphore/halo2-semaphore/src/verifier/aggregate.rs
@@ -0,0 +1,513 @@
+use halo2_curves::bn256::{Bn256, Fq, Fr, G1Affine};
+use halo2_proofs::{
+    dev::MockProver,
+    plonk::{create_proof, keygen_pk, keygen_vk, verify_proof, Circuit, ProvingKey, VerifyingKey},
+    poly::{
+        commitment::{Params, ParamsProver},
+        kzg::{
+            commitment::{KZGCommitmentScheme, ParamsKZG},
+            multiopen::{ProverGWC, VerifierGWC},
+            strategy::AccumulatorStrategy,
+        },
+        VerificationStrategy,
+    },
+    transcript::{EncodedChallenge, TranscriptReadBuffer, TranscriptWriterBuffer},
+};
+use itertools::Itertools;
+use rand::rngs::OsRng;
+use snark_verifier::{
+    loader::{
+        evm::{self, encode_calldata, Address, EvmLoader, ExecutorBuilder},
+        native::NativeLoader,
+    },
+    pcs::kzg::{Gwc19, KzgAs, LimbsEncoding},
+    system::halo2::{compile, transcript::evm::EvmTranscript, Config},
+    verifier::{self, SnarkVerifier},
+};
+use std::{io::Cursor, rc::Rc};
+
+use crate::circuit::merkle_tree::gen_merkle_circuit_data;
+
+const LIMBS: usize = 4;
+const BITS: usize = 68;
+
+type As = KzgAs<Bn256, Gwc19>;
+type PlonkSuccinctVerifier = verifier::plonk::PlonkSuccinctVerifier<As, LimbsEncoding<LIMBS, BITS>>;
+type PlonkVerifier = verifier::plonk::PlonkVerifier<As, LimbsEncoding<LIMBS, BITS>>;
+
+mod aggregation {
+    use super::{As, PlonkSuccinctVerifier, BITS, LIMBS};
+    use halo2_curves::bn256::{Bn256, Fq, Fr, G1Affine};
+    use halo2_proofs::{
+        circuit::{Layouter, SimpleFloorPlanner, Value},
+        plonk::{self, Circuit, ConstraintSystem, Error},
+        poly::{commitment::ParamsProver, kzg::commitment::ParamsKZG},
+    };
+    use halo2_wrong_ecc::{
+        integer::rns::Rns,
+        maingate::{
+            MainGate, MainGateConfig, MainGateInstructions, RangeChip, RangeConfig,
+            RangeInstructions, RegionCtx,
+        },
+        EccConfig,
+    };
+    use itertools::Itertools;
+    use rand::rngs::OsRng;
+    use snark_verifier::{
+        loader::{self, halo2::halo2_wrong_ecc, native::NativeLoader},
+        pcs::{
+            kzg::{KzgAccumulator, KzgSuccinctVerifyingKey, LimbsEncodingInstructions},
+            AccumulationScheme, AccumulationSchemeProver,
+        },
+        system,
+        util::arithmetic::{fe_to_limbs, FieldExt},
+        verifier::{plonk::PlonkProtocol, SnarkVerifier},
+    };
+    use std::rc::Rc;
+
+    const T: usize = 5;
+    const RATE: usize = 4;
+    const R_F: usize = 8;
+    const R_P: usize = 60;
+
+    type Svk = KzgSuccinctVerifyingKey<G1Affine>;
+    type BaseFieldEccChip = halo2_wrong_ecc::BaseFieldEccChip<G1Affine, LIMBS, BITS>;
+    type Halo2Loader<'a> = loader::halo2::Halo2Loader<'a, G1Affine, BaseFieldEccChip>;
+    pub type PoseidonTranscript<L, S> =
+        system::halo2::transcript::halo2::PoseidonTranscript<G1Affine, L, S, T, RATE, R_F, R_P>;
+
+    pub struct Snark {
+        protocol: PlonkProtocol<G1Affine>,
+        instances: Vec<Vec<Fr>>,
+        proof: Vec<u8>,
+    }
+
+    impl Snark {
+        pub fn new(
+            protocol: PlonkProtocol<G1Affine>,
+            instances: Vec<Vec<Fr>>,
+            proof: Vec<u8>,
+        ) -> Self {
+            Self {
+                protocol,
+                instances,
+                proof,
+            }
+        }
+    }
+
+    impl From<Snark> for SnarkWitness {
+        fn from(snark: Snark) -> Self {
+            Self {
+                protocol: snark.protocol,
+                instances: snark
+                    .instances
+                    .into_iter()
+                    .map(|instances| instances.into_iter().map(Value::known).collect_vec())
+                    .collect(),
+                proof: Value::known(snark.proof),
+            }
+        }
+    }
+
+    #[derive(Clone)]
+    pub struct SnarkWitness {
+        protocol: PlonkProtocol<G1Affine>,
+        instances: Vec<Vec<Value<Fr>>>,
+        proof: Value<Vec<u8>>,
+    }
+
+    impl SnarkWitness {
+        fn without_witnesses(&self) -> Self {
+            SnarkWitness {
+                protocol: self.protocol.clone(),
+                instances: self
+                    .instances
+                    .iter()
+                    .map(|instances| vec![Value::unknown(); instances.len()])
+                    .collect(),
+                proof: Value::unknown(),
+            }
+        }
+
+        fn proof(&self) -> Value<&[u8]> {
+            self.proof.as_ref().map(Vec::as_slice)
+        }
+    }
+
+    pub fn aggregate<'a>(
+        svk: &Svk,
+        loader: &Rc<Halo2Loader<'a>>,
+        snarks: &[SnarkWitness],
+        as_proof: Value<&'_ [u8]>,
+    ) -> KzgAccumulator<G1Affine, Rc<Halo2Loader<'a>>> {
+        let assign_instances = |instances: &[Vec<Value<Fr>>]| {
+            instances
+                .iter()
+                .map(|instances| {
+                    instances
+                        .iter()
+                        .map(|instance| loader.assign_scalar(*instance))
+                        .collect_vec()
+                })
+                .collect_vec()
+        };
+
+        let accumulators = snarks
+            .iter()
+            .flat_map(|snark| {
+                let protocol = snark.protocol.loaded(loader);
+                let instances = assign_instances(&snark.instances);
+                let mut transcript =
+                    PoseidonTranscript::<Rc<Halo2Loader>, _>::new(loader, snark.proof());
+                let proof =
+                    PlonkSuccinctVerifier::read_proof(svk, &protocol, &instances, &mut transcript)
+                        .unwrap();
+                PlonkSuccinctVerifier::verify(svk, &protocol, &instances, &proof).unwrap()
+            })
+            .collect_vec();
+
+        let acccumulator = {
+            let mut transcript = PoseidonTranscript::<Rc<Halo2Loader>, _>::new(loader, as_proof);
+            let proof =
+                As::read_proof(&Default::default(), &accumulators, &mut transcript).unwrap();
+            As::verify(&Default::default(), &accumulators, &proof).unwrap()
+        };
+
+        acccumulator
+    }
+
+    #[derive(Clone)]
+    pub struct AggregationConfig {
+        main_gate_config: MainGateConfig,
+        range_config: RangeConfig,
+    }
+
+    impl AggregationConfig {
+        pub fn configure<F: FieldExt>(
+            meta: &mut ConstraintSystem<F>,
+            composition_bits: Vec<usize>,
+            overflow_bits: Vec<usize>,
+        ) -> Self {
+            let main_gate_config = MainGate::<F>::configure(meta);
+            let range_config =
+                RangeChip::<F>::configure(meta, &main_gate_config, composition_bits, overflow_bits);
+            AggregationConfig {
+                main_gate_config,
+                range_config,
+            }
+        }
+
+        pub fn main_gate(&self) -> MainGate<Fr> {
+            MainGate::new(self.main_gate_config.clone())
+        }
+
+        pub fn range_chip(&self) -> RangeChip<Fr> {
+            RangeChip::new(self.range_config.clone())
+        }
+
+        pub fn ecc_chip(&self) -> BaseFieldEccChip {
+            BaseFieldEccChip::new(EccConfig::new(
+                self.range_config.clone(),
+                self.main_gate_config.clone(),
+            ))
+        }
+    }
+
+    #[derive(Clone)]
+    pub struct AggregationCircuit {
+        svk: Svk,
+        snarks: Vec<SnarkWitness>,
+        instances: Vec<Fr>,
+        as_proof: Value<Vec<u8>>,
+    }
+
+    impl AggregationCircuit {
+        pub fn new(params: &ParamsKZG<Bn256>, snarks: impl IntoIterator<Item = Snark>) -> Self {
+            let svk = params.get_g()[0].into();
+            let snarks = snarks.into_iter().collect_vec();
+
+            let accumulators = snarks
+                .iter()
+                .flat_map(|snark| {
+                    let mut transcript =
+                        PoseidonTranscript::<NativeLoader, _>::new(snark.proof.as_slice());
+                    let proof = PlonkSuccinctVerifier::read_proof(
+                        &svk,
+                        &snark.protocol,
+                        &snark.instances,
+                        &mut transcript,
+                    )
+                    .unwrap();
+                    PlonkSuccinctVerifier::verify(&svk, &snark.protocol, &snark.instances, &proof)
+                        .unwrap()
+                })
+                .collect_vec();
+
+            let (accumulator, as_proof) = {
+                let mut transcript = PoseidonTranscript::<NativeLoader, _>::new(Vec::new());
+                let accumulator =
+                    As::create_proof(&Default::default(), &accumulators, &mut transcript, OsRng)
+                        .unwrap();
+                (accumulator, transcript.finalize())
+            };
+
+            let KzgAccumulator { lhs, rhs } = accumulator;
+            let instances = [lhs.x, lhs.y, rhs.x, rhs.y]
+                .map(fe_to_limbs::<_, _, LIMBS, BITS>)
+                .concat();
+
+            Self {
+                svk,
+                snarks: snarks.into_iter().map_into().collect(),
+                instances,
+                as_proof: Value::known(as_proof),
+            }
+        }
+
+        pub fn accumulator_indices() -> Vec<(usize, usize)> {
+            (0..4 * LIMBS * 3).map(|idx| (0, idx)).collect()
+        }
+
+        pub fn num_instance() -> Vec<usize> {
+            vec![4 * LIMBS * 3]
+        }
+
+        pub fn instances(&self) -> Vec<Vec<Fr>> {
+            vec![self.instances.clone()]
+        }
+
+        pub fn as_proof(&self) -> Value<&[u8]> {
+            self.as_proof.as_ref().map(Vec::as_slice)
+        }
+    }
+
+    impl Circuit<Fr> for AggregationCircuit {
+        type Config = AggregationConfig;
+        type FloorPlanner = SimpleFloorPlanner;
+
+        fn without_witnesses(&self) -> Self {
+            Self {
+                svk: self.svk,
+                snarks: self
+                    .snarks
+                    .iter()
+                    .map(SnarkWitness::without_witnesses)
+                    .collect(),
+                instances: Vec::new(),
+                as_proof: Value::unknown(),
+            }
+        }
+
+        fn configure(meta: &mut plonk::ConstraintSystem<Fr>) -> Self::Config {
+            AggregationConfig::configure(
+                meta,
+                vec![BITS / LIMBS],
+                Rns::<Fq, Fr, LIMBS, BITS>::construct().overflow_lengths(),
+            )
+        }
+
+        fn synthesize(
+            &self,
+            config: Self::Config,
+            mut layouter: impl Layouter<Fr>,
+        ) -> Result<(), plonk::Error> {
+            let main_gate = config.main_gate();
+            let range_chip = config.range_chip();
+
+            range_chip.load_table(&mut layouter)?;
+
+            let accumulator_limbs = layouter.assign_region(
+                || "",
+                |region| {
+                    let ctx = RegionCtx::new(region, 0);
+
+                    let ecc_chip = config.ecc_chip();
+                    let loader = Halo2Loader::new(ecc_chip, ctx);
+                    let accumulator = aggregate(&self.svk, &loader, &self.snarks, self.as_proof());
+
+                    let accumulator_limbs = [accumulator.lhs, accumulator.rhs]
+                        .iter()
+                        .map(|ec_point| {
+                            loader.ecc_chip().assign_ec_point_to_limbs(
+                                &mut loader.ctx_mut(),
+                                ec_point.assigned(),
+                            )
+                        })
+                        .collect::<Result<Vec<_>, Error>>()?
+                        .into_iter()
+                        .flatten();
+
+                    Ok(accumulator_limbs)
+                },
+            )?;
+
+            for (row, limb) in accumulator_limbs.enumerate() {
+                main_gate.expose_public(layouter.namespace(|| ""), limb, row)?;
+            }
+
+            Ok(())
+        }
+    }
+}
+
+fn gen_srs(k: u32) -> ParamsKZG<Bn256> {
+    ParamsKZG::<Bn256>::read_or_create_srs(k, OsRng)
+}
+
+fn gen_pk<C: Circuit<Fr>>(params: &ParamsKZG<Bn256>, circuit: &C) -> ProvingKey<G1Affine> {
+    let vk = keygen_vk(params, circuit).unwrap();
+    keygen_pk(params, vk, circuit).unwrap()
+}
+
+fn gen_proof<
+    C: Circuit<Fr>,
+    E: EncodedChallenge<G1Affine>,
+    TR: TranscriptReadBuffer<Cursor<Vec<u8>>, G1Affine, E>,
+    TW: TranscriptWriterBuffer<Vec<u8>, G1Affine, E>,
+>(
+    params: &ParamsKZG<Bn256>,
+    pk: &ProvingKey<G1Affine>,
+    circuit: C,
+    instances: Vec<Vec<Fr>>,
+) -> Vec<u8> {
+    MockProver::run(params.k(), &circuit, instances.clone())
+        .unwrap()
+        .assert_satisfied();
+
+    let instances = instances
+        .iter()
+        .map(|instances| instances.as_slice())
+        .collect_vec();
+    let proof = {
+        let mut transcript = TW::init(Vec::new());
+        create_proof::<KZGCommitmentScheme<Bn256>, ProverGWC<_>, _, _, TW, _>(
+            params,
+            pk,
+            &[circuit],
+            &[instances.as_slice()],
+            OsRng,
+            &mut transcript,
+        )
+        .unwrap();
+        transcript.finalize()
+    };
+
+    let accept = {
+        let mut transcript = TR::init(Cursor::new(proof.clone()));
+        VerificationStrategy::<_, VerifierGWC<_>>::finalize(
+            verify_proof::<_, VerifierGWC<_>, _, TR, _>(
+                params.verifier_params(),
+                pk.get_vk(),
+                AccumulatorStrategy::new(params.verifier_params()),
+                &[instances.as_slice()],
+                &mut transcript,
+            )
+            .unwrap(),
+        )
+    };
+    assert!(accept);
+
+    proof
+}
+
+fn gen_application_snark(params: &ParamsKZG<Bn256>) -> aggregation::Snark {
+    let circuit = gen_merkle_circuit_data(4);
+    let pk = gen_pk(params, &circuit);
+    let instances = vec![vec![circuit.hash_root]];
+
+    let protocol = compile(
+        params,
+        pk.get_vk(),
+        Config::kzg().with_num_instance(vec![1]),
+    );
+
+    let proof = gen_proof::<
+        _,
+        _,
+        aggregation::PoseidonTranscript<NativeLoader, _>,
+        aggregation::PoseidonTranscript<NativeLoader, _>,
+    >(params, &pk, circuit.clone(), instances.clone());
+    aggregation::Snark::new(protocol, instances, proof)
+}
+
+fn gen_aggregation_evm_verifier(
+    params: &ParamsKZG<Bn256>,
+    vk: &VerifyingKey<G1Affine>,
+    num_instance: Vec<usize>,
+    accumulator_indices: Vec<(usize, usize)>,
+) -> Vec<u8> {
+    let protocol = compile(
+        params,
+        vk,
+        Config::kzg()
+            .with_num_instance(num_instance.clone())
+            .with_accumulator_indices(Some(accumulator_indices)),
+    );
+    let vk = (params.get_g()[0], params.g2(), params.s_g2()).into();
+
+    let loader = EvmLoader::new::<Fq, Fr>();
+    let protocol = protocol.loaded(&loader);
+    let mut transcript = EvmTranscript::<_, Rc<EvmLoader>, _, _>::new(&loader);
+
+    let instances = transcript.load_instances(num_instance);
+    let proof = PlonkVerifier::read_proof(&vk, &protocol, &instances, &mut transcript).unwrap();
+    PlonkVerifier::verify(&vk, &protocol, &instances, &proof).unwrap();
+
+    evm::compile_yul(&loader.yul_code())
+}
+
+fn evm_verify(deployment_code: Vec<u8>, instances: Vec<Vec<Fr>>, proof: Vec<u8>) {
+    let calldata = encode_calldata(&instances, &proof);
+    let success = {
+        let mut evm = ExecutorBuilder::default()
+            .with_gas_limit(u64::MAX.into())
+            .build();
+
+        let caller = Address::from_low_u64_be(0xfe);
+        let verifier = evm
+            .deploy(caller, deployment_code.into(), 0.into())
+            .address
+            .unwrap();
+        let result = evm.call_raw(caller, verifier, calldata.into(), 0.into());
+
+        dbg!(result.gas_used);
+
+        !result.reverted
+    };
+    assert!(success);
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_aggragate() {
+        let params = gen_srs(22);
+        let params_app = {
+            let mut params = params.clone();
+            params.downsize(15);
+            params
+        };
+
+        let snarks = [(); 3].map(|_| gen_application_snark(&params_app));
+        let agg_circuit = aggregation::AggregationCircuit::new(&params, snarks);
+        let pk = gen_pk(&params, &agg_circuit);
+        let deployment_code = gen_aggregation_evm_verifier(
+            &params,
+            pk.get_vk(),
+            aggregation::AggregationCircuit::num_instance(),
+            aggregation::AggregationCircuit::accumulator_indices(),
+        );
+
+        let proof = gen_proof::<
+            _,
+            _,
+            EvmTranscript<G1Affine, _, _, _>,
+            EvmTranscript<G1Affine, _, _, _>,
+        >(&params, &pk, agg_circuit.clone(), agg_circuit.instances());
+        evm_verify(deployment_code, agg_circuit.instances(), proof);
+        assert!(true)
+    }
+}
diff --git a/semaphore/halo2-semaphore/src/verifier/mod.rs b/semaphore/halo2-semaphore/src/verifier/mod.rs
index 390d412..a55c609 100644
--- a/semaphore/halo2-semaphore/src/verifier/mod.rs
+++ b/semaphore/halo2-semaphore/src/verifier/mod.rs
@@ -1,38 +1,21 @@
 
 mod snark;
-
+mod aggregate;
 
 #[cfg(test)]
 mod tests {
     use std::vec;
 
     use halo2_proofs::{circuit::Value};
-    use halo2curves::bn256::Fr;
+    use halo2_curves::bn256::Fr;
 
-    use crate::circuit::merkle_tree::MerkleTreeCircuit;
+    use crate::circuit::merkle_tree::{MerkleTreeCircuit, gen_merkle_circuit_data};
 
     use super::snark::*;
 
-
     #[test]
-    fn test_snark_verifier() {
-        let mut leaf = Fr::from(123);
-        let mut merkle_proof = Vec::new();
-        let mut hasher = poseidon::Poseidon::<Fr, 3, 2>::new(8, 57);
-
-        for value in 0..5 {
-            hasher.update(&[leaf, Fr::from(value)]);
-            leaf = hasher.squeeze();
-            merkle_proof.push(Fr::from(value));
-        }
-
-        let my_circuit = MerkleTreeCircuit {
-            leaf_node: Value::known(Fr::from(123)),
-            merkle_path: (0..5).map(|_| Value::known(Fr::from(1))).collect(),
-            hash_root: leaf,
-            merkle_proof: merkle_proof.iter().map(|v| Value::known(*v)).collect(),
-        };
-
+    fn test_snark_verifier() {    
+        let my_circuit = gen_merkle_circuit_data(5);
 
         let params =MyProver::gen_srs(14);
         
diff --git a/semaphore/halo2-semaphore/src/verifier/snark.rs b/semaphore/halo2-semaphore/src/verifier/snark.rs
index 854ded7..4823a55 100644
--- a/semaphore/halo2-semaphore/src/verifier/snark.rs
+++ b/semaphore/halo2-semaphore/src/verifier/snark.rs
@@ -14,7 +14,7 @@ use halo2_proofs::{
     },
     transcript::{TranscriptReadBuffer, TranscriptWriterBuffer},
 };
-use halo2curves::bn256::{Bn256, Fq, Fr, G1Affine};
+use halo2_curves::bn256::{Bn256, Fq, Fr, G1Affine};
 use itertools::Itertools;
 
 use rand::{rngs::OsRng};