[zk-token-sdk] add range-proof proof instruction

[samkim-crypto]

Problem

The zk-token-proof program does not yet have an instruction that can verify range proof on a Pedersen commitment.

Summary of Changes

Add VerifyRangeProof64 instruction. This instruction can be used to prove that a committed value is in a certain range.

The verification for these instruction was benched in the devserver and CU units were computed assuming that 1 CU should take roughly 33ns (as per #25464 (comment)).

Fixes #

[codecov]

Codecov Report

Merging #31788 (8669c33) into master (e396a10) will increase coverage by 0.0%.
The diff coverage is 66.6%.

@@           Coverage Diff           @@
##           master   #31788   +/-   ##
=======================================
  Coverage    81.8%    81.9%           
=======================================
  Files         737      738    +1     
  Lines      205994   206036   +42     
=======================================
+ Hits       168699   168746   +47     
+ Misses      37295    37290    -5     

[mvines]

105_066 CUs is pretty exact. Where did this come from?
I guess more generally does it make sense to have such precise values (ie, like 2,619 for VerifyPubkeyValidity) instead of a more round number like 105_000? These are basically just rough estimates anyway?

[samkim-crypto]

Sorry I forgot to write it in the pr description. So the data verification was benchmarked on my solana devserver and the time was divided the time by 33ns (https://discordapp.com/channels/428295358100013066/977244255212937306/1027500524901253140). I was hoping to include the benchmark code on a subsequent pr. These are approximate, so they don't have to be precise.

Do you think it makes sense to round each instruction costs to a clean number? It probably makes sense to do it in a separate PR for the rest of the instructions.

[mvines]

The very specific numbers to me convey more than a rough approximation, but practically I guess it doesn't matter much. Definitely a separate PR if we want to change them. My main argument for doing so would be for easy of future communication: 100k or even 105k is much easier to discuss than 105,066.

[samkim-crypto]

Okay, I will update the numbers in a follow-up PR and perhaps also add bench code in that PR as well.

[mvines]

I'd prefer an instruction name that is more specific to the actual operation it's performing, which I think if I understood the comment at the top of range_proof.rs might look more like:

Suggested change

	ProofInstruction::VerifyRangeProof64,
	ProofInstruction::VerifyPedersenCommitmentHoldsExactU64Value,

[samkim-crypto]

Yes, that is exactly what the range proof is certifying. If we do go this route though, then we would want to change the names for the other instructions as well for consistency, but the compact names for many of the instructions are not clear (#31793 (comment) and also token-2022 specific instructions like Transfer and Withdraw).

What do you think about naming it VerifyRangeProofBitLength64 to be a little more specific and then perhaps moving the proof descriptions on top of the instruction submodules like range_proof.rs directly to zk_token_proof_instruction.rs on top of each instruction?

[CriesofCarrots]

Unless there's something fundamentally different between BitLength64 and U64 that I'm missing, my preference would be for VerifyRangeProofU64.

[samkim-crypto]

Yes, let's make it VerifyRangeProofU64 to make it short and simple!

[mvines]

This is common for all the other instructions, but I think it'd be helpful to also say that the "The proof context account" is expected to be allocated to the expected data size and assigned to the proof program before invoking this instruction

[samkim-crypto]

Yes, you are right. I'll include that remark in the instruction description.

[mvines]

Regarding the instruction renaming to something like VerifyRangeProofBitLength64: I feel like we could maybe deal with in comments, here, instead actually. Currently one needs to dig through the header of zk-token-sdk/src/instruction/range_proof.rs to figure out exactly what this instruction is doing. But this comment block here is going to be the first place anybody who wants to understand what the instruction is goes to. So if we boost up the docs inline here (the other docs are fine too!), then that would also mostly solve my comment (likewise for the instructions being added in the other PR)

[CriesofCarrots]

Yeah, I like the idea of flashing this out some.

[samkim-crypto]

Great, I will move the instruction descriptions to zk_token_proof_instruction.rs.

[CriesofCarrots]

Unless there's something fundamentally different between BitLength64 and U64 that I'm missing, my preference would be for VerifyRangeProofU64.

[CriesofCarrots]

Yeah, I like the idea of flashing this out some.

[CriesofCarrots]

Would it be possible to use u64::BITS instead of adding this new constant?

[samkim-crypto]

Oh, I never knew/used u64::BITS before. I think it will work!

[CriesofCarrots]

r+ nits

[CriesofCarrots]

lgtm