From 0509fbddc205db690a5433e20b7e99d6b20b3940 Mon Sep 17 00:00:00 2001
From: moana
Date: Tue, 6 Aug 2024 11:28:58 +0200
Subject: [PATCH] circuits: Re-do `TxCircuit` construction

Resolves #229
---
 circuits/CHANGELOG.md | 16 ++
 circuits/src/lib.rs | 372 ++++++++++++++++++++++++++++-
 circuits/src/transaction.rs | 436 ----------------------------------
 circuits/tests/transaction.rs | 203 +++++++++-------
 4 files changed, 498 insertions(+), 529 deletions(-)

diff --git a/circuits/CHANGELOG.md b/circuits/CHANGELOG.md
index 45a7580..a52c71d 100644
--- a/circuits/CHANGELOG.md
+++ b/circuits/CHANGELOG.md
@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Removed
+
+- Delete `TxInputNoteWitness` struct [#229]
+- Delete `TxCircuit::new` constructor [#229]
+- Delete `TxOutputNote::new` constructor [#229]
+
+### Changed
+
+- Make all `TxCircuit` fields public [#229]
+- Make all `TxOutputNote` fields public [#229]
+- Move `sender_blinder` field from `TxCircuit` to `TxOutputNote` [#229]
+- Move `TxCircuit` from `transaction` module to root module [#229]
+- Rename `TxInputNote` to `InputNoteInfo` [#229]
+- Rename `TxOutputNote` to `OutputNoteInfo` [#229]
+
 ## [0.2.1] - 2024-07-03
 
 ### Changed
@@ -55,6 +70,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Update `poseidon-merkle` to v0.6 [#179]
 
+[#229]: https://github.com/dusk-network/phoenix/issues/229
 [#214]: https://github.com/dusk-network/phoenix/issues/214
 [#201]: https://github.com/dusk-network/phoenix/issues/201
 [#197]: https://github.com/dusk-network/phoenix/issues/197
diff --git a/circuits/src/lib.rs b/circuits/src/lib.rs
index 3a662e7..ef10d69 100644
--- a/circuits/src/lib.rs
+++ b/circuits/src/lib.rs
@@ -13,8 +13,374 @@ mod encryption; mod sender_enc; -/// Transaction structs, and circuit -pub mod transaction; - /// ElGamal asymmetric cipher pub use encryption::elgamal; + +use dusk_jubjub::{JubJubAffine, JubJubScalar, GENERATOR, GENERATOR_NUMS}; +use dusk_plonk::prelude::*; +use dusk_poseidon::{Domain, HashGadget}; +use jubjub_schnorr::{gadgets, Signature as SchnorrSignature, SignatureDouble}; +use poseidon_merkle::{zk::opening_gadget, Item, Opening, Tree}; + +use phoenix_core::{Note, PublicKey, SecretKey, OUTPUT_NOTES}; + +extern crate alloc; +use alloc::vec::Vec; + +/// Declaration of the transaction circuit calling the [`gadget`]. +#[derive(Debug)] +pub struct TxCircuit { + /// All information needed in relation to the transaction input-notes + pub input_notes_info: [InputNoteInfo; I], + /// All information needed in relation to the transaction output-notes + pub output_notes_info: [OutputNoteInfo; OUTPUT_NOTES], + /// The hash of the transaction-payload + pub payload_hash: BlsScalar, + /// The root of the tree of notes corresponding to the input-note openings + pub root: BlsScalar, + /// The deposit of the transaction, is zero if there is no deposit + pub deposit: u64, + /// The maximum fee that the transaction may spend + pub max_fee: u64, + /// The public key of the sender used for the sender-encryption + pub sender_pk: PublicKey, + /// The signature of the payload-hash signed with sk.a and sk.b + pub signatures: (SchnorrSignature, SchnorrSignature), +} + +impl Circuit for TxCircuit { + /// Transaction gadget proving the following properties in ZK for a generic + /// `I` input-notes and [`OUTPUT_NOTES`] output-notes: + /// + /// 1. Membership: every input-note is included in the Merkle tree of notes. + /// 2. Ownership: the sender holds the note secret key for every input-note. + /// 3. Nullification: the nullifier is calculated correctly. + /// 4. Minting: the value commitment for every input-note is computed + /// correctly. + /// 5. 
Balance integrity: the sum of the values of all input-notes is equal + /// to the sum of the values of all output-notes + the gas fee + /// + a deposit, where a deposit refers to funds being transferred to a + /// contract. + /// 6. Sender-data: Verify that the sender was encrypted correctly for each + /// output-note. + /// + /// The circuit has the following public inputs: + /// - `payload_hash` + /// - `root` + /// - `[nullifier; I]` + /// - `[output_value_commitment; 2]` + /// - `max_fee` + /// - `deposit` + /// - `(npk_out_0, npk_out_1)` + /// - `(enc_A_npk_out_0, enc_B_npk_out_0)` + /// - `(enc_A_npk_out_1, enc_B_npk_out_1)` + fn circuit(&self, composer: &mut Composer) -> Result<(), Error> { + // Make the payload hash a public input of the circuit + let payload_hash = composer.append_public(self.payload_hash); + + // Append the root as public input + let root_pi = composer.append_public(self.root); + + let mut input_notes_sum = Composer::ZERO; + + // Check membership, ownership and nullification of all input notes + for input_note_info in &self.input_notes_info { + let ( + note_pk, + note_pk_p, + note_type, + pos, + value, + value_blinder, + nullifier, + signature_u, + signature_r, + signature_r_p, + ) = input_note_info.append_to_circuit(composer); + + // Verify: 2. Ownership + gadgets::verify_signature_double( + composer, + signature_u, + signature_r, + signature_r_p, + note_pk, + note_pk_p, + payload_hash, + )?; + + // Verify: 3. 
Nullification + let computed_nullifier = HashGadget::digest( + composer, + Domain::Other, + &[*note_pk_p.x(), *note_pk_p.y(), pos], + )[0]; + composer.assert_equal(computed_nullifier, nullifier); + + // Perform a range check ([0, 2^64 - 1]) on the value of the note + composer.component_range::<32>(value); + + // Sum up all the input note values + let constraint = Constraint::new() + .left(1) + .a(input_notes_sum) + .right(1) + .b(value); + input_notes_sum = composer.gate_add(constraint); + + // Commit to the value of the note + let pc_1 = composer.component_mul_generator(value, GENERATOR)?; + let pc_2 = composer + .component_mul_generator(value_blinder, GENERATOR_NUMS)?; + let value_commitment = composer.component_add_point(pc_1, pc_2); + + // Compute the note hash + let note_hash = HashGadget::digest( + composer, + Domain::Other, + &[ + note_type, + *value_commitment.x(), + *value_commitment.y(), + *note_pk.x(), + *note_pk.y(), + pos, + ], + )[0]; + + // Verify: 1. Membership + let root = opening_gadget( + composer, + &input_note_info.merkle_opening, + note_hash, + ); + composer.assert_equal(root, root_pi); + } + + let mut tx_output_sum = Composer::ZERO; + + // Commit to all output notes + for output_note_info in &self.output_notes_info { + // Append the witnesses to the circuit + let value = composer.append_witness(output_note_info.value); + // Append the value-commitment as public input + let expected_value_commitment = + composer.append_public_point(output_note_info.value_commitment); + let value_blinder = + composer.append_witness(output_note_info.value_blinder); + + // Perform a range check ([0, 2^64 - 1]) on the value of the note + composer.component_range::<32>(value); + + // Sum up all the output note values + let constraint = + Constraint::new().left(1).a(tx_output_sum).right(1).b(value); + tx_output_sum = composer.gate_add(constraint); + + // Commit to the value of the note + let pc_1 = composer.component_mul_generator(value, GENERATOR)?; + let pc_2 = 
composer + .component_mul_generator(value_blinder, GENERATOR_NUMS)?; + let computed_value_commitment = + composer.component_add_point(pc_1, pc_2); + + // Verify: 4. Minting + composer.assert_equal_point( + expected_value_commitment, + computed_value_commitment, + ); + } + + // Append max_fee and deposit as public inputs + let max_fee = composer.append_public(self.max_fee); + let deposit = composer.append_public(self.deposit); + + // Add the deposit and the max fee to the sum of the output-values + let constraint = Constraint::new() + .left(1) + .a(tx_output_sum) + .right(1) + .b(max_fee) + .fourth(1) + .d(deposit); + tx_output_sum = composer.gate_add(constraint); + + // Verify: 5. Balance integrity + composer.assert_equal(input_notes_sum, tx_output_sum); + + // Verify: 6. Sender-data + // appends as public input the note-pk of both output-noes: + // `(npk_out_0, npk_out_1)` + // and the encryption of the sender-pk.A and sender-pk.B, + // encrypted first with the note-pk of one output note: + // `(enc_A_npk_out_0, enc_B_npk_out_0) + // and then with the note-pk of the other note: + // `(enc_A_npk_out_1, enc_B_npk_out_1) + sender_enc::gadget( + composer, + self.sender_pk, + self.signatures, + [ + self.output_notes_info[0].note_pk, + self.output_notes_info[1].note_pk, + ], + [ + self.output_notes_info[0].sender_blinder, + self.output_notes_info[1].sender_blinder, + ], + self.output_notes_info[0].sender_enc, + self.output_notes_info[1].sender_enc, + payload_hash, + )?; + + Ok(()) + } +} + +impl Default for TxCircuit { + fn default() -> Self { + let sk = + SecretKey::new(JubJubScalar::default(), JubJubScalar::default()); + + let mut tree = Tree::<(), H>::new(); + let payload_hash = BlsScalar::default(); + + let mut input_notes_info = Vec::new(); + let note = Note::empty(); + let item = Item { + hash: note.hash(), + data: (), + }; + tree.insert(*note.pos(), item); + + for _ in 0..I { + let merkle_opening = tree.opening(*note.pos()).expect("Tree read."); + 
input_notes_info.push(InputNoteInfo { + merkle_opening, + note: note.clone(), + note_pk_p: JubJubAffine::default(), + value: 0u64, + value_blinder: JubJubScalar::default(), + nullifier: BlsScalar::default(), + signature: SignatureDouble::default(), + }); + } + + let output_note_info_0 = OutputNoteInfo { + value: 0, + value_commitment: JubJubAffine::default(), + value_blinder: JubJubScalar::default(), + note_pk: JubJubAffine::default(), + sender_enc: [(JubJubAffine::default(), JubJubAffine::default()); 2], + sender_blinder: [JubJubScalar::default(), JubJubScalar::default()], + }; + let output_note_info_1 = output_note_info_0.clone(); + + let output_notes_info = [output_note_info_0, output_note_info_1]; + + let root = BlsScalar::default(); + let deposit = u64::default(); + let max_fee = u64::default(); + + let signatures = + (SchnorrSignature::default(), SchnorrSignature::default()); + + Self { + input_notes_info: input_notes_info.try_into().unwrap(), + output_notes_info, + payload_hash, + root, + deposit, + max_fee, + sender_pk: PublicKey::from(&sk), + signatures, + } + } +} + +/// Struct holding all information needed by the transfer circuit regarding the +/// transaction input-notes. 
+#[derive(Debug, Clone)] +pub struct InputNoteInfo { + /// the merkle opening for the note + pub merkle_opening: Opening<(), H>, + /// the input note + pub note: Note, + /// the note-public-key prime + pub note_pk_p: JubJubAffine, + /// the value associated to the note + pub value: u64, + /// the value blinder used to obfuscate the value + pub value_blinder: JubJubScalar, + /// the nullifier used to spend the note + pub nullifier: BlsScalar, + /// the signature of the payload-hash, signed with the note-sk + pub signature: SignatureDouble, +} + +impl InputNoteInfo { + fn append_to_circuit( + &self, + composer: &mut Composer, + ) -> ( + WitnessPoint, + WitnessPoint, + Witness, + Witness, + Witness, + Witness, + Witness, + Witness, + WitnessPoint, + WitnessPoint, + ) { + // Append the nullifier as public-input + let nullifier = composer.append_public(self.nullifier); + + let note_pk = composer + .append_point(*self.note.stealth_address().note_pk().as_ref()); + let note_pk_p = composer.append_point(self.note_pk_p); + + let note_type = composer + .append_witness(BlsScalar::from(self.note.note_type() as u64)); + let pos = composer.append_witness(BlsScalar::from(*self.note.pos())); + + let value = composer.append_witness(self.value); + let value_blinder = composer.append_witness(self.value_blinder); + + let signature_u = composer.append_witness(*self.signature.u()); + let signature_r = composer.append_point(self.signature.R()); + let signature_r_p = composer.append_point(self.signature.R_prime()); + + ( + note_pk, + note_pk_p, + note_type, + pos, + value, + value_blinder, + nullifier, + signature_u, + signature_r, + signature_r_p, + ) + } +} + +/// Struct holding all information needed by the transfer circuit regarding the +/// transaction output-notes. 
+#[derive(Debug, Clone)] +pub struct OutputNoteInfo { + /// The value of the note + pub value: u64, + /// The value-commitment of the note + pub value_commitment: JubJubAffine, + /// The blinder used to calculate the value commitment + pub value_blinder: JubJubScalar, + /// the public key of the note + pub note_pk: JubJubAffine, + /// The encrypted sender information of the note + pub sender_enc: [(JubJubAffine, JubJubAffine); 2], + /// The blinder used to encrypt the sender + pub sender_blinder: [JubJubScalar; 2], +} diff --git a/circuits/src/transaction.rs b/circuits/src/transaction.rs index 5842a7e..7dafdf4 100644 --- a/circuits/src/transaction.rs +++ b/circuits/src/transaction.rs 
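Review bot: `InputNoteInfo::append_to_circuit` now hands back ten positional values, six of them consecutive `Witness`es (`note_type`, `pos`, `value`, `value_blinder`, `nullifier`, `signature_u`), so a transposition at the destructuring site in `circuit` — say `value` and `value_blinder` — still type-checks and silently changes which witness is range-checked, summed and committed; the removed `WitnessTxInputNote` struct gave these names, and a private struct with named fields (sketch below, with `circuit` then reading `w.value`, `w.nullifier`, … from the returned value) restores that protection. The method also has no doc comment; a `///` line stating that `nullifier` is appended as a public input while everything else is a private witness would help, since that split is the circuit's security boundary. Separately, the crate-root doc `/// Declaration of the transaction circuit calling the [`gadget`].` links `gadget`, which is not in scope at the root (the gadget lives in the private `sender_enc` module), so rustdoc will probably report an unresolved link; `[`sender_enc::gadget`]` or plain text fixes it. Since `TxCircuit::new` and the input-note constructor are deleted, the field docs on `InputNoteInfo` are now the only place that says how a caller must derive `note_pk_p`, `nullifier` and `signature`, so those `///` comments should spell out that they are computed from the note's secret key and the same `payload_hash` the circuit receives.
```rust
/// Witnesses of one input-note after they have been appended to `composer`.
struct InputNoteWitnesses {
    note_pk: WitnessPoint,
    note_pk_p: WitnessPoint,
    note_type: Witness,
    pos: Witness,
    value: Witness,
    value_blinder: Witness,
    nullifier: Witness,
    signature_u: Witness,
    signature_r: WitnessPoint,
    signature_r_p: WitnessPoint,
}

    fn append_to_circuit(&self, composer: &mut Composer) -> InputNoteWitnesses {
        // … unchanged: append_public / append_point / append_witness calls …
        InputNoteWitnesses {
            note_pk,
            note_pk_p,
            note_type,
            pos,
            value,
            value_blinder,
            nullifier,
            signature_u,
            signature_r,
            signature_r_p,
        }
    }
```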
@@ -3,439 +3,3 @@ // file, You can obtain one at http://mozilla.org/MPL/2.0/. // // Copyright (c) DUSK NETWORK. All rights reserved. - -use dusk_jubjub::{ - JubJubAffine, JubJubScalar, GENERATOR, GENERATOR_NUMS, - GENERATOR_NUMS_EXTENDED, -}; -use dusk_plonk::prelude::*; -use dusk_poseidon::{Domain, Hash, HashGadget}; -use jubjub_schnorr::{gadgets, Signature as SchnorrSignature, SignatureDouble}; -use poseidon_merkle::{zk::opening_gadget, Item, Opening, Tree}; - -use rand::rngs::StdRng; -use rand::{CryptoRng, RngCore, SeedableRng}; - -extern crate alloc; -use alloc::vec::Vec; - -use phoenix_core::{ - Error as PhoenixError, Note, PublicKey, SecretKey, ViewKey, OUTPUT_NOTES, -}; - -use crate::sender_enc; - -/// Struct representing a note willing to be spent, in a way -/// suitable for being introduced in the transfer circuit -#[derive(Debug, Clone)] -pub struct TxInputNote { - /// the merkle opening for the note - pub merkle_opening: Opening<(), H>, - /// the input note - pub note: Note, - /// the note-public-key prime - pub note_pk_p: JubJubAffine, - /// the value associated to the note - pub value: u64, - /// the value blinder used to obfuscate the value - pub value_blinder: JubJubScalar, - /// the nullifier used to spend the note - pub nullifier: BlsScalar, - /// the signature of the payload-hash - pub signature: SignatureDouble, -} - -#[derive(Debug, Clone)] -struct WitnessTxInputNote { - note_pk: WitnessPoint, - note_pk_p: WitnessPoint, - note_type: Witness, - pos: Witness, - value: Witness, - value_blinder: Witness, - nullifier: Witness, - signature_u: Witness, - signature_r: WitnessPoint, - signature_r_p: WitnessPoint, -} - -impl TxInputNote { - /// Create a tx input note - pub fn new( - rng: &mut (impl RngCore + CryptoRng), - note: &Note, - merkle_opening: poseidon_merkle::Opening<(), H>, - sk: &SecretKey, - payload_hash: BlsScalar, - ) -> Result, PhoenixError> { - let note_sk = sk.gen_note_sk(note.stealth_address()); - let note_pk_p = - 
JubJubAffine::from(GENERATOR_NUMS_EXTENDED * note_sk.as_ref()); - - let vk = ViewKey::from(sk); - let value = note.value(Some(&vk))?; - let value_blinder = note.value_blinder(Some(&vk))?; - - let nullifier = Hash::digest( - Domain::Other, - &[note_pk_p.get_u(), note_pk_p.get_v(), (*note.pos()).into()], - )[0]; - - let signature = note_sk.sign_double(rng, payload_hash); - - Ok(crate::transaction::TxInputNote { - merkle_opening, - note: note.clone(), - note_pk_p, - value, - value_blinder, - nullifier, - signature, - }) - } - - fn append_to_circuit(&self, composer: &mut Composer) -> WitnessTxInputNote { - let nullifier = composer.append_public(self.nullifier); - - let note_pk = composer - .append_point(*self.note.stealth_address().note_pk().as_ref()); - let note_pk_p = composer.append_point(self.note_pk_p); - - let note_type = composer - .append_witness(BlsScalar::from(self.note.note_type() as u64)); - let pos = composer.append_witness(BlsScalar::from(*self.note.pos())); - - let value = composer.append_witness(self.value); - let value_blinder = composer.append_witness(self.value_blinder); - - let signature_u = composer.append_witness(*self.signature.u()); - let signature_r = composer.append_point(self.signature.R()); - let signature_r_p = composer.append_point(self.signature.R_prime()); - - WitnessTxInputNote { - note_pk, - note_pk_p, - - note_type, - pos, - value, - value_blinder, - - nullifier, - - signature_u, - signature_r, - signature_r_p, - } - } -} - -/// Struct representing a note willing to be created, in a way -/// suitable for being introduced in the transfer circuit -#[derive(Debug, Clone)] -pub struct TxOutputNote { - value: u64, - value_commitment: JubJubAffine, - value_blinder: JubJubScalar, - note_pk: JubJubAffine, - sender_enc: [(JubJubAffine, JubJubAffine); 2], -} - -impl TxOutputNote { - /// Create a new `TxOutputNote`. 
- pub fn new( - value: u64, - value_commitment: JubJubAffine, - value_blinder: JubJubScalar, - note_pk: JubJubAffine, - sender_enc: [(JubJubAffine, JubJubAffine); 2], - ) -> Self { - Self { - value, - value_commitment, - value_blinder, - note_pk, - sender_enc, - } - } -} - -/// Declaration of the transaction circuit calling the [`gadget`]. -#[derive(Debug)] -pub struct TxCircuit { - tx_input_notes: [TxInputNote; I], - tx_output_notes: [TxOutputNote; OUTPUT_NOTES], - payload_hash: BlsScalar, - root: BlsScalar, - deposit: u64, - max_fee: u64, - sender_pk: PublicKey, - signatures: (SchnorrSignature, SchnorrSignature), - sender_blinder: [[JubJubScalar; 2]; OUTPUT_NOTES], -} - -impl Default for TxCircuit { - fn default() -> Self { - let sk = - SecretKey::new(JubJubScalar::default(), JubJubScalar::default()); - - let mut tree = Tree::<(), H>::new(); - let payload_hash = BlsScalar::default(); - - let mut tx_input_notes = Vec::new(); - let note = Note::empty(); - let item = Item { - hash: note.hash(), - data: (), - }; - tree.insert(*note.pos(), item); - - for _ in 0..I { - let merkle_opening = tree.opening(*note.pos()).expect("Tree read."); - let tx_input_note = TxInputNote::new( - &mut StdRng::seed_from_u64(0xb001), - ¬e, - merkle_opening, - &sk, - payload_hash, - ) - .expect("Note created properly."); - - tx_input_notes.push(tx_input_note); - } - - let tx_output_note_1 = TxOutputNote { - value: 0, - value_commitment: JubJubAffine::default(), - value_blinder: JubJubScalar::default(), - note_pk: JubJubAffine::default(), - sender_enc: [(JubJubAffine::default(), JubJubAffine::default()); 2], - }; - let tx_output_note_2 = tx_output_note_1.clone(); - - let tx_output_notes = [tx_output_note_1, tx_output_note_2]; - - let root = BlsScalar::default(); - let deposit = u64::default(); - let max_fee = u64::default(); - - let signatures = - (SchnorrSignature::default(), SchnorrSignature::default()); - let sender_blinder = - [[JubJubScalar::default(), JubJubScalar::default()]; 
OUTPUT_NOTES]; - - Self { - tx_input_notes: tx_input_notes.try_into().unwrap(), - tx_output_notes, - payload_hash, - root, - deposit, - max_fee, - sender_pk: PublicKey::from(&sk), - signatures, - sender_blinder, - } - } -} - -impl TxCircuit { - /// Create a new transfer circuit - pub fn new( - tx_input_notes: [TxInputNote; I], - tx_output_notes: [TxOutputNote; OUTPUT_NOTES], - payload_hash: BlsScalar, - root: BlsScalar, - deposit: u64, - max_fee: u64, - sender_pk: PublicKey, - signatures: (SchnorrSignature, SchnorrSignature), - sender_blinder: [[JubJubScalar; 2]; OUTPUT_NOTES], - ) -> Self { - Self { - tx_input_notes, - tx_output_notes, - payload_hash, - root, - deposit, - max_fee, - sender_pk, - signatures, - sender_blinder, - } - } -} - -impl Circuit for TxCircuit { - /// Transaction gadget proving the following properties in ZK for a generic - /// `I` [`TxInputNote`] and [`OUTPUT_NOTES`] [`TxOutputNote`]: - /// - /// 1. Membership: every [`TxInputNote`] is included in the Merkle tree of - /// notes. - /// 2. Ownership: the sender holds the note secret key for every - /// [`TxInputNote`]. - /// 3. Nullification: the nullifier is calculated correctly. - /// 4. Minting: the value commitment for every [`TxOutputNote`] is computed - /// correctly. - /// 5. Balance integrity: the sum of the values of all [`TxInputNote`] is - /// equal to the sum of the values of all [`TxOutputNote`] + the gas fee - /// + a deposit, where a deposit refers to funds being transfered to a - /// contract. - /// 6. Sender-data: Verify that the sender was encrypted correctly. 
- /// - /// The circuit has the following public inputs: - /// - `payload_hash` - /// - `root` - /// - `[nullifier; I]` - /// - `[output_value_commitment; 2]` - /// - `max_fee` - /// - `deposit` - /// - `(npk_0, npk_1)` - /// - `(enc_A_npk_0, enc_B_npk_0)` - /// - `(enc_A_npk_1, enc_B_npk_1)` - fn circuit(&self, composer: &mut Composer) -> Result<(), Error> { - // Make the payload hash a public input of the circuit - let payload_hash = composer.append_public(self.payload_hash); - - // Append the root as public input - let root_pi = composer.append_public(self.root); - - let mut tx_input_notes_sum = Composer::ZERO; - - // Check membership, ownership and nullification of all input notes - for tx_input_note in &self.tx_input_notes { - let w_tx_input_note = tx_input_note.append_to_circuit(composer); - - // Verify: 2. Ownership - gadgets::verify_signature_double( - composer, - w_tx_input_note.signature_u, - w_tx_input_note.signature_r, - w_tx_input_note.signature_r_p, - w_tx_input_note.note_pk, - w_tx_input_note.note_pk_p, - payload_hash, - )?; - - // Verify: 3. 
Nullification - let nullifier = HashGadget::digest( - composer, - Domain::Other, - &[ - *w_tx_input_note.note_pk_p.x(), - *w_tx_input_note.note_pk_p.y(), - w_tx_input_note.pos, - ], - )[0]; - composer.assert_equal(nullifier, w_tx_input_note.nullifier); - - // Perform a range check ([0, 2^64 - 1]) on the value of the note - composer.component_range::<32>(w_tx_input_note.value); - - // Sum up all the tx input note values - let constraint = Constraint::new() - .left(1) - .a(tx_input_notes_sum) - .right(1) - .b(w_tx_input_note.value); - tx_input_notes_sum = composer.gate_add(constraint); - - // Commit to the value of the note - let pc_1 = composer - .component_mul_generator(w_tx_input_note.value, GENERATOR)?; - let pc_2 = composer.component_mul_generator( - w_tx_input_note.value_blinder, - GENERATOR_NUMS, - )?; - let value_commitment = composer.component_add_point(pc_1, pc_2); - - // Compute the note hash - let note_hash = HashGadget::digest( - composer, - Domain::Other, - &[ - w_tx_input_note.note_type, - *value_commitment.x(), - *value_commitment.y(), - *w_tx_input_note.note_pk.x(), - *w_tx_input_note.note_pk.y(), - w_tx_input_note.pos, - ], - )[0]; - - // Verify: 1. 
Membership - let root = opening_gadget( - composer, - &tx_input_note.merkle_opening, - note_hash, - ); - composer.assert_equal(root, root_pi); - } - - let mut tx_output_sum = Composer::ZERO; - - // Commit to all tx output notes - for tx_output_note in &self.tx_output_notes { - // Append the witnesses to the circuit - let value = composer.append_witness(tx_output_note.value); - let expected_value_commitment = - composer.append_public_point(tx_output_note.value_commitment); - let value_blinder = - composer.append_witness(tx_output_note.value_blinder); - - // Perform a range check ([0, 2^64 - 1]) on the value OF THE NOTE - composer.component_range::<32>(value); - - // Sum up all the tx output note values - let constraint = - Constraint::new().left(1).a(tx_output_sum).right(1).b(value); - tx_output_sum = composer.gate_add(constraint); - - // Commit to the value of the note - let pc_1 = composer.component_mul_generator(value, GENERATOR)?; - let pc_2 = composer - .component_mul_generator(value_blinder, GENERATOR_NUMS)?; - let computed_value_commitment = - composer.component_add_point(pc_1, pc_2); - - // Verify: 4. Minting - composer.assert_equal_point( - expected_value_commitment, - computed_value_commitment, - ); - } - - // Append max_fee and deposit as public inputs - let max_fee = composer.append_public(self.max_fee); - let deposit = composer.append_public(self.deposit); - - // Add the deposit and the max fee to the sum of the output-values - let constraint = Constraint::new() - .left(1) - .a(tx_output_sum) - .right(1) - .b(max_fee) - .fourth(1) - .d(deposit); - tx_output_sum = composer.gate_add(constraint); - - // Verify: 5. Balance integrity - composer.assert_equal(tx_input_notes_sum, tx_output_sum); - - // Verify: 6. 
Sender-data - sender_enc::gadget( - composer, - self.sender_pk, - self.signatures, - [ - self.tx_output_notes[0].note_pk, - self.tx_output_notes[1].note_pk, - ], - self.sender_blinder, - self.tx_output_notes[0].sender_enc, - self.tx_output_notes[1].sender_enc, - payload_hash, - )?; - - Ok(()) - } -} diff --git a/circuits/tests/transaction.rs b/circuits/tests/transaction.rs index c2a16a0..b93ac9f 100644 --- a/circuits/tests/transaction.rs +++ b/circuits/tests/transaction.rs @@ -8,7 +8,7 @@ use rand::rngs::StdRng; use rand::SeedableRng; use rand::{CryptoRng, RngCore}; -use dusk_jubjub::JubJubScalar; +use dusk_jubjub::{JubJubAffine, JubJubScalar, GENERATOR_NUMS_EXTENDED}; use dusk_plonk::prelude::*; use ff::Field; use jubjub_schnorr::{ @@ -16,9 +16,10 @@ use jubjub_schnorr::{ }; use poseidon_merkle::{Item, Tree}; -use phoenix_circuits::transaction::{TxCircuit, TxInputNote, TxOutputNote}; +use phoenix_circuits::{InputNoteInfo, OutputNoteInfo, TxCircuit}; use phoenix_core::{ - elgamal, value_commitment, Note, PublicKey, SecretKey, OUTPUT_NOTES, + elgamal, value_commitment, Note, PublicKey, SecretKey, ViewKey, + OUTPUT_NOTES, }; #[macro_use] @@ -30,7 +31,7 @@ const HEIGHT: usize = 17; struct TestingParameters { pp: PublicParameters, - tx_input_notes: [TxInputNote; 4], + input_notes_info: Vec>, payload_hash: BlsScalar, root: BlsScalar, deposit: u64, @@ -56,7 +57,7 @@ lazy_static! { let payload_hash = BlsScalar::from(1234u64); // create and insert into the tree 4 testing tx input notes - let tx_input_notes = create_test_tx_input_notes::<4>( + let input_notes_info = create_test_input_notes_information( &mut rng, &mut tree, &sender_sk, @@ -100,7 +101,7 @@ lazy_static! { TestingParameters { pp, - tx_input_notes, + input_notes_info, payload_hash, root, deposit, 
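Review bot: `TestingParameters::input_notes_info` becomes a `Vec` where it was a fixed-size array of four, so the `TP.input_notes_info[3]` accesses in the `_4_2` test turn into a runtime panic rather than a compile-time guarantee if the helper ever produces fewer notes. Keeping the array in the type, `input_notes_info: [InputNoteInfo<HEIGHT>; 4],` and ending the helper with `input_notes_info.try_into().expect("helper produces exactly 4 notes")` preserves the length check at compile time for the indexing sites. The other hunks sharing this line are import and rename changes only.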
@@ -139,16 +140,20 @@ fn create_and_insert_test_note( note } -fn create_test_tx_input_notes( +fn create_test_input_notes_information( rng: &mut (impl RngCore + CryptoRng), tree: &mut Tree<(), HEIGHT>, sender_sk: &SecretKey, payload_hash: BlsScalar, -) -> [TxInputNote; I] { +) -> Vec> { let sender_pk = PublicKey::from(sender_sk); + let sender_vk = ViewKey::from(sender_sk); + let total_inputs = 4; + // we first need to crate all the notes and insert them into the tree before + // we can fetch their openings let mut notes = Vec::new(); - for i in 0..I { + for i in 0..total_inputs { notes.push(create_and_insert_test_note( rng, tree, 
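Review bot: `let total_inputs = 4;` hard-codes the note count that the tests also rely on through `TP.input_notes_info[3]` and the `_4_2` test name, with nothing tying the two together; a module-level `const TOTAL_INPUTS: usize = 4;` used in both places would make the coupling explicit. The added comment has a typo, `crate` for `create`: `// we first need to create all the notes and insert them into the tree before`. `create_test_input_notes_information` continues into the next hunk.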
@@ -158,30 +163,42 @@ fn create_test_tx_input_notes( )); } - let mut input_notes = Vec::new(); - for i in 0..I { - let merkle_opening = tree.opening(*notes[i].pos()).expect("Tree read."); - let input_note = TxInputNote::new( - rng, - ¬es[i], + let mut input_notes_info = Vec::new(); + for note in notes.into_iter() { + let note_sk = sender_sk.gen_note_sk(note.stealth_address()); + let merkle_opening = tree + .opening(*note.pos()) + .expect("There should be a note at the given position"); + let note_pk_p = + JubJubAffine::from(GENERATOR_NUMS_EXTENDED * note_sk.as_ref()); + let value = note + .value(Some(&sender_vk)) + .expect("sender_sk should own the note"); + let value_blinder = note + .value_blinder(Some(&sender_vk)) + .expect("sender_sk should own the note"); + let nullifier = note.gen_nullifier(&sender_sk); + let signature = note_sk.sign_double(rng, payload_hash); + input_notes_info.push(InputNoteInfo { merkle_opening, - sender_sk, - payload_hash, - ) - .expect("Note created properly."); - - input_notes.push(input_note); + note, + note_pk_p, + value, + value_blinder, + nullifier, + signature, + }); } - input_notes.try_into().unwrap() + input_notes_info } -fn create_tx_output_note( +fn create_output_note_information( rng: &mut (impl RngCore + CryptoRng), value: u64, note_pk: JubJubAffine, sender_blinder: [JubJubScalar; 2], -) -> TxOutputNote { +) -> OutputNoteInfo { let value_blinder = JubJubScalar::random(&mut *rng); let value_commitment = value_commitment(value, value_blinder); @@ -196,13 +213,14 @@ fn create_tx_output_note( let sender_enc_a = (sender_enc_a.0.into(), sender_enc_a.1.into()); let sender_enc_b = (sender_enc_b.0.into(), sender_enc_b.1.into()); - TxOutputNote::new( + OutputNoteInfo { value, value_commitment, value_blinder, note_pk, - [sender_enc_a, sender_enc_b], - ) + sender_enc: [sender_enc_a, sender_enc_b], + sender_blinder, + } } #[test] 
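Review bot: `note.gen_nullifier(&sender_sk)` borrows a value that is already `&SecretKey`, so if `gen_nullifier` takes `&SecretKey` this passes `&&SecretKey` and relies on deref coercion; `note.gen_nullifier(sender_sk)` is what clippy's `needless_borrow` would suggest, and likewise `for note in notes.into_iter()` can be `for note in notes`. The nullifier is now produced by `gen_nullifier` while `note_pk_p` is derived by hand from `note_sk`; that is fine as long as both agree with the in-circuit Poseidon hash over `(note_pk_p.x, note_pk_p.y, pos)`, which the proving tests exercise, but a one-line comment saying so, `// gen_nullifier must match the Poseidon digest computed in TxCircuit::circuit`, would save the next reader a lookup. The second hunk on this line, `create_output_note_information`, only switches to a struct literal.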
@@ -213,17 +231,17 @@ fn test_transfer_circuit_1_2() { Compiler::compile::>(&TP.pp, LABEL) .expect("failed to compile circuit"); - let input_notes = [TP.tx_input_notes[0].clone()]; + let input_notes_info = [TP.input_notes_info[0].clone()]; // create 2 testing tx output notes - let tx_output_notes = [ - create_tx_output_note( + let output_notes_info = [ + create_output_note_information( &mut rng, 10, TP.output_npk[0], TP.sender_blinder[0], ), - create_tx_output_note( + create_output_note_information( &mut rng, 5, TP.output_npk[1], @@ -234,17 +252,16 @@ fn test_transfer_circuit_1_2() { let (proof, public_inputs) = prover .prove( &mut rng, - &TxCircuit::new( - input_notes, - tx_output_notes, - TP.payload_hash, - TP.root, - TP.deposit, - TP.max_fee, - TP.sender_pk, - TP.signatures, - [TP.sender_blinder[0], TP.sender_blinder[1]], - ), + &TxCircuit { + input_notes_info, + output_notes_info, + payload_hash: TP.payload_hash, + root: TP.root, + deposit: TP.deposit, + max_fee: TP.max_fee, + sender_pk: TP.sender_pk, + signatures: TP.signatures, + }, ) .expect("failed to prove"); @@ -261,18 +278,20 @@ fn test_transfer_circuit_2_2() { Compiler::compile::>(&TP.pp, LABEL) .expect("failed to compile circuit"); - let input_notes = - [TP.tx_input_notes[0].clone(), TP.tx_input_notes[1].clone()]; + let input_notes_info = [ + TP.input_notes_info[0].clone(), + TP.input_notes_info[1].clone(), + ]; // create 2 testing tx output notes - let tx_output_notes = [ - create_tx_output_note( + let output_notes_info = [ + create_output_note_information( &mut rng, 35, TP.output_npk[0], TP.sender_blinder[0], ), - create_tx_output_note( + create_output_note_information( &mut rng, 5, TP.output_npk[1], 
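Review bot: The same eight-field `TxCircuit { … }` literal is spelled out in this hunk and again in `test_transfer_circuit_2_2`, `_3_2` and `_4_2`; a small test helper that takes the input and output arrays and fills the remaining fields from `TP` (below) leaves one place to update when `TxCircuit` gains a field. All four tests exercise only the accepting path; now that the constructors are gone a caller can build `TxCircuit` with a mismatched `nullifier` or `value`, so one negative test asserting that such an instance fails to prove would pin the constraint system's behaviour rather than just the happy path.
```rust
fn test_circuit<const I: usize>(
    input_notes_info: [InputNoteInfo<HEIGHT>; I],
    output_notes_info: [OutputNoteInfo; OUTPUT_NOTES],
) -> TxCircuit<HEIGHT, I> {
    TxCircuit {
        input_notes_info,
        output_notes_info,
        payload_hash: TP.payload_hash,
        root: TP.root,
        deposit: TP.deposit,
        max_fee: TP.max_fee,
        sender_pk: TP.sender_pk,
        signatures: TP.signatures,
    }
}
```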
@@ -283,17 +302,16 @@ fn test_transfer_circuit_2_2() { let (proof, public_inputs) = prover .prove( &mut rng, - &TxCircuit::new( - input_notes, - tx_output_notes, - TP.payload_hash, - TP.root, - TP.deposit, - TP.max_fee, - TP.sender_pk, - TP.signatures, - [TP.sender_blinder[0], TP.sender_blinder[1]], - ), + &TxCircuit { + input_notes_info, + output_notes_info, + payload_hash: TP.payload_hash, + root: TP.root, + deposit: TP.deposit, + max_fee: TP.max_fee, + sender_pk: TP.sender_pk, + signatures: TP.signatures, + }, ) .expect("failed to prove"); @@ -310,21 +328,21 @@ fn test_transfer_circuit_3_2() { Compiler::compile::>(&TP.pp, LABEL) .expect("failed to compile circuit"); - let input_notes = [ - TP.tx_input_notes[0].clone(), - TP.tx_input_notes[1].clone(), - TP.tx_input_notes[2].clone(), + let input_notes_info = [ + TP.input_notes_info[0].clone(), + TP.input_notes_info[1].clone(), + TP.input_notes_info[2].clone(), ]; // create 2 testing tx output notes - let tx_output_notes = [ - create_tx_output_note( + let output_notes_info = [ + create_output_note_information( &mut rng, 35, TP.output_npk[0], TP.sender_blinder[0], ), - create_tx_output_note( + create_output_note_information( &mut rng, 30, TP.output_npk[1], @@ -335,17 +353,16 @@ fn test_transfer_circuit_3_2() { let (proof, public_inputs) = prover .prove( &mut rng, - &TxCircuit::new( - input_notes, - tx_output_notes, - TP.payload_hash, - TP.root, - TP.deposit, - TP.max_fee, - TP.sender_pk, - TP.signatures, - [TP.sender_blinder[0], TP.sender_blinder[1]], - ), + &TxCircuit { + input_notes_info, + output_notes_info, + payload_hash: TP.payload_hash, + root: TP.root, + deposit: TP.deposit, + max_fee: TP.max_fee, + sender_pk: TP.sender_pk, + signatures: TP.signatures, + }, ) .expect("failed to prove"); 
@@ -362,15 +379,22 @@ fn test_transfer_circuit_4_2() { Compiler::compile::>(&TP.pp, LABEL) .expect("failed to compile circuit"); + let input_notes_info = [ + TP.input_notes_info[0].clone(), + TP.input_notes_info[1].clone(), + TP.input_notes_info[2].clone(), + TP.input_notes_info[3].clone(), + ]; + // create 2 testing tx output notes - let tx_output_notes = [ - create_tx_output_note( + let output_notes_info = [ + create_output_note_information( &mut rng, 60, TP.output_npk[0], TP.sender_blinder[0], ), - create_tx_output_note( + create_output_note_information( &mut rng, 30, TP.output_npk[1], @@ -381,17 +405,16 @@ fn test_transfer_circuit_4_2() { let (proof, public_inputs) = prover .prove( &mut rng, - &TxCircuit::new( - TP.tx_input_notes.clone(), - tx_output_notes, - TP.payload_hash, - TP.root, - TP.deposit, - TP.max_fee, - TP.sender_pk, - TP.signatures, - [TP.sender_blinder[0], TP.sender_blinder[1]], - ), + &TxCircuit { + input_notes_info, + output_notes_info, + payload_hash: TP.payload_hash, + root: TP.root, + deposit: TP.deposit, + max_fee: TP.max_fee, + sender_pk: TP.sender_pk, + signatures: TP.signatures, + }, ) .expect("failed to prove");