cl: nullifier proof -> input proof; add death_cm to input proof

cl/cl/src/lib.rs

@@ -12,7 +12,7 @@ pub mod partial_tx;
 pub use balance::{Balance, BalanceWitness};
 pub use bundle::{Bundle, BundleWitness};
 pub use input::{Input, InputWitness};
-pub use note::{NoteCommitment, NoteWitness};
+pub use note::{DeathCommitment, NoteCommitment, NoteWitness};
 pub use nullifier::{Nullifier, NullifierCommitment, NullifierNonce, NullifierSecret};
 pub use output::{Output, OutputWitness};
 pub use partial_tx::{PartialTx, PartialTxWitness, PtxRoot};

cl/cl/src/note.rs

@@ -7,6 +7,17 @@ use crate::{
     nullifier::{NullifierCommitment, NullifierNonce},
 };
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
+pub struct DeathCommitment([u8; 32]);
+pub fn death_commitment(death_constraint: &[u8]) -> DeathCommitment {
+    let mut hasher = Sha256::new();
+    hasher.update(b"NOMOS_CL_DEATH_COMMIT");
+    hasher.update(death_constraint);
+    let death_cm: [u8; 32] = hasher.finalize().into();
+
+    DeathCommitment(death_cm)
+}
+
 #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
 pub struct NoteCommitment([u8; 32]);
 
@@ -65,6 +76,10 @@ impl NoteWitness {
     pub fn balance(&self) -> Balance {
         self.balance.commit()
     }
+
+    pub fn death_commitment(&self) -> DeathCommitment {
+        death_commitment(&self.death_constraint)
+    }
 }
 
 #[cfg(test)]

cl/ledger/src/input.rs

@@ -1,36 +1,33 @@
-use proof_statements::nullifier::{NullifierPrivate, NullifierPublic};
+use proof_statements::input::{InputPrivate, InputPublic};
 
 use crate::error::Result;
 
 const MAX_NOTE_COMMS: usize = 2usize.pow(8);
 
 #[derive(Debug, Clone)]
-pub struct InputNullifierProof {
+pub struct InputProof {
     receipt: risc0_zkvm::Receipt,
 }
 
-impl InputNullifierProof {
-    pub fn public(&self) -> Result<NullifierPublic> {
+impl InputProof {
+    pub fn public(&self) -> Result<InputPublic> {
         Ok(self.receipt.journal.decode()?)
     }
 
-    pub fn verify(&self, expected_public_inputs: NullifierPublic) -> bool {
+    pub fn verify(&self, expected_public_inputs: &InputPublic) -> bool {
         let Ok(public_inputs) = self.public() else {
             return false;
         };
 
-        public_inputs == expected_public_inputs
-            && self
-                .receipt
-                .verify(nomos_cl_risc0_proofs::NULLIFIER_ID)
-                .is_ok()
+        &public_inputs == expected_public_inputs
+            && self.receipt.verify(nomos_cl_risc0_proofs::INPUT_ID).is_ok()
     }
 }
 
 pub fn prove_input_nullifier(
     input: &cl::InputWitness,
     note_commitments: &[cl::NoteCommitment],
-) -> InputNullifierProof {
+) -> InputProof {
     let output = input.to_output_witness();
     let cm_leaves = note_commitment_leaves(note_commitments);
     let output_cm = output.commit_note();
@@ -40,7 +37,7 @@ pub fn prove_input_nullifier(
         .unwrap();
     let cm_path = cl::merkle::path(cm_leaves, cm_idx);
 
-    let secrets = NullifierPrivate {
+    let secrets = InputPrivate {
         nf_sk: input.nf_sk,
         output,
         cm_path,
@@ -62,7 +59,7 @@ pub fn prove_input_nullifier(
     // This struct contains the receipt along with statistics about execution of the guest
     let opts = risc0_zkvm::ProverOpts::succinct();
     let prove_info = prover
-        .prove_with_opts(env, nomos_cl_risc0_proofs::NULLIFIER_ELF, &opts)
+        .prove_with_opts(env, nomos_cl_risc0_proofs::INPUT_ELF, &opts)
         .unwrap();
 
     println!(
@@ -72,7 +69,7 @@ pub fn prove_input_nullifier(
     );
     // extract the receipt.
     let receipt = prove_info.receipt;
-    InputNullifierProof { receipt }
+    InputProof { receipt }
 }
 
 fn note_commitment_leaves(note_commitments: &[cl::NoteCommitment]) -> [[u8; 32]; MAX_NOTE_COMMS] {
@@ -83,10 +80,9 @@ fn note_commitment_leaves(note_commitments: &[cl::NoteCommitment]) -> [[u8; 32];
 
 #[cfg(test)]
 mod test {
-    use proof_statements::nullifier::NullifierPublic;
     use rand::thread_rng;
 
-    use super::{note_commitment_leaves, prove_input_nullifier};
+    use super::*;
 
     #[test]
     fn test_input_nullifier_prover() {
@@ -105,22 +101,35 @@ mod test {
 
         let proof = prove_input_nullifier(&input, &notes);
 
-        let expected_public_inputs = NullifierPublic {
+        let expected_public_inputs = InputPublic {
             cm_root: cl::merkle::root(note_commitment_leaves(&notes)),
             nf: input.commit().nullifier,
+            death_cm: cl::note::death_commitment(&[]),
         };
 
-        assert!(proof.verify(expected_public_inputs));
+        assert!(proof.verify(&expected_public_inputs));
 
-        let wrong_public_inputs = NullifierPublic {
-            cm_root: cl::merkle::root(note_commitment_leaves(&notes)),
-            nf: cl::Nullifier::new(
-                cl::NullifierSecret::random(&mut rng),
-                cl::NullifierNonce::random(&mut rng),
-            ),
-        };
+        let wrong_public_inputs = [
+            InputPublic {
+                cm_root: cl::merkle::root([cl::merkle::leaf(b"bad_root")]),
+                ..expected_public_inputs.clone()
+            },
+            InputPublic {
+                nf: cl::Nullifier::new(
+                    cl::NullifierSecret::random(&mut rng),
+                    cl::NullifierNonce::random(&mut rng),
+                ),
+                ..expected_public_inputs.clone()
+            },
+            InputPublic {
+                death_cm: cl::note::death_commitment(b"wrong death vk"),
+                ..expected_public_inputs
+            },
+        ];
 
-        assert!(!proof.verify(wrong_public_inputs));
+        for wrong_input in wrong_public_inputs {
+            assert!(!proof.verify(&wrong_input));
+        }
     }
 
     // ----- The following tests still need to be built. -----

cl/proof_statements/src/input.rs

@@ -1,21 +1,22 @@
 use serde::{Deserialize, Serialize};
 
-/// for public input `nf` (nullifier) and `root_cm` (root of merkle tree over commitment set).
+/// for public inputs `nf` (nullifier), `root_cm` (root of merkle tree over commitment set) and `death_cm` (commitment to death constraint).
 /// the prover has knowledge of `output = (note, nf_pk, nonce)`, `nf` and `path` s.t. that the following constraints hold
 /// 0. nf_pk = hash(nf_sk)
 /// 1. nf = hash(nonce||nf_sk)
 /// 2. note_cm = output_commitment(output)
 /// 3. verify_merkle_path(note_cm, root, path)
+/// 4. death_cm = death_commitment(note.death_constraint)
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-pub struct NullifierPublic {
+pub struct InputPublic {
     pub cm_root: [u8; 32],
     pub nf: cl::Nullifier,
-    // TODO: we need a way to link this statement to a particular input. i.e. prove that the nullifier is actually derived from the input note.
+    pub death_cm: cl::DeathCommitment,
 }
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-pub struct NullifierPrivate {
+pub struct InputPrivate {
     pub nf_sk: cl::NullifierSecret,
     pub output: cl::OutputWitness,
     pub cm_path: Vec<cl::merkle::PathNode>,

cl/proof_statements/src/lib.rs

@@ -1 +1 @@
-pub mod nullifier;
+pub mod input;

cl/risc0_proofs/Cargo.toml

@@ -7,5 +7,5 @@ edition = "2021"
 risc0-build = { version = "1.0" }
 
 [package.metadata.risc0]
-methods = ["nullifier"]
+methods = ["input"]
 

cl/risc0_proofs/input/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "nullifier"
+name = "input"
 version = "0.1.0"
 edition = "2021"
 

cl/risc0_proofs/input/src/main.rs

@@ -0,0 +1,24 @@
+/// Input Proof
+use cl::merkle;
+use cl::nullifier::Nullifier;
+use proof_statements::input::{InputPrivate, InputPublic};
+use risc0_zkvm::guest::env;
+
+fn main() {
+    let secret: InputPrivate = env::read();
+    assert_eq!(secret.output.nf_pk, secret.nf_sk.commit());
+
+    let cm_out = secret.output.commit_note();
+    let cm_leaf = merkle::leaf(cm_out.as_bytes());
+    let cm_root = merkle::path_root(cm_leaf, &secret.cm_path);
+
+    let nf = Nullifier::new(secret.nf_sk, secret.output.nonce);
+
+    let death_cm = secret.output.note.death_commitment();
+
+    env::commit(&InputPublic {
+        cm_root,
+        nf,
+        death_cm,
+    });
+}

cl/risc0_proofs/nullifier/src/main.rs

@@ -1,28 +0,0 @@
-/// Nullifier Proof
-///
-/// Our goal: prove the nullifier nf was derived from a note that had previously been committed to.
-///
-/// More formally, nullifier statement says:
-/// for public input `nf` (nullifier) and `root_cm` (root of merkle tree over commitment set).
-/// the prover has knowledge of `output = (note, nf_pk, nonce)`, `nf` and `path` s.t. that the following constraints hold
-/// 0. nf_pk = hash(nf_sk)
-/// 1. nf = hash(nonce||nf_sk)
-/// 2. note_cm = output_commitment(output)
-/// 3. verify_merkle_path(note_cm, root, path)
-use cl::merkle;
-use cl::nullifier::Nullifier;
-use proof_statements::nullifier::{NullifierPrivate, NullifierPublic};
-use risc0_zkvm::guest::env;
-
-fn main() {
-    let secret: NullifierPrivate = env::read();
-    assert_eq!(secret.output.nf_pk, secret.nf_sk.commit());
-
-    let cm_out = secret.output.commit_note();
-    let cm_leaf = merkle::leaf(cm_out.as_bytes());
-    let cm_root = merkle::path_root(cm_leaf, &secret.cm_path);
-
-    let nf = Nullifier::new(secret.nf_sk, secret.output.nonce);
-
-    env::commit(&NullifierPublic { cm_root, nf });
-}