2025-12-24 22:58:33 +03:00
|
|
|
use std::{
|
2026-01-14 00:52:09 +03:00
|
|
|
collections::{HashMap, HashSet, VecDeque, hash_map::Entry},
|
2025-12-24 22:58:33 +03:00
|
|
|
convert::Infallible,
|
|
|
|
|
};
|
2025-10-03 18:31:56 -03:00
|
|
|
|
2025-08-18 07:39:41 -03:00
|
|
|
use nssa_core::{
|
2026-05-07 16:54:57 +02:00
|
|
|
InputAccountIdentity, NullifierPublicKey, PrivacyPreservingCircuitInput,
|
|
|
|
|
account::{Account, AccountId, AccountWithMetadata},
|
2025-12-24 22:58:33 +03:00
|
|
|
program::{
|
2026-03-28 03:13:46 -03:00
|
|
|
AccountPostState, BlockValidityWindow, ChainedCall, Claim, DEFAULT_PROGRAM_ID,
|
2026-04-17 15:36:20 +02:00
|
|
|
MAX_NUMBER_CHAINED_CALLS, PdaSeed, ProgramId, ProgramOutput, TimestampValidityWindow,
|
refactor: unify PDA AccountId construction via AccountId::for_{public,private}_pda
Addresses the following review comment:
- "I think this should be a constructor `AccountId::for_private_pda`.
Consider also removing the existing `impl From<(ProgramId, Seed)> for
AccountId` for public pdas in favor of a `AccountId::for_public_pda`
to have a unified way of constructing pdas"
I replaced `impl From<(&ProgramId, &PdaSeed)> for AccountId` with
`AccountId::for_public_pda(program_id: &ProgramId, seed: &PdaSeed) ->
Self` and replaced the free function `private_pda_account_id(...)`
with `AccountId::for_private_pda(program_id: &ProgramId, seed:
&PdaSeed, npk: &NullifierPublicKey) -> Self`. Both live in an inherent
`impl AccountId` block in nssa/core/src/program.rs next to the PDA
derivation logic. Migrated all call sites across nssa/core,
nssa/src/state.rs, nssa/src/validated_state_diff.rs,
program_methods/guest/src/bin/privacy_preserving_circuit.rs,
programs/amm/core, programs/associated_token_account/core, the example
tail-call binary, and the ATA tutorial doc. Test function names that
referenced the old free function were also renamed
(private_pda_account_id_* to for_private_pda_*).
2026-04-21 12:35:19 +02:00
|
|
|
validate_execution,
|
2025-12-24 22:58:33 +03:00
|
|
|
},
|
2025-08-18 07:39:41 -03:00
|
|
|
};
|
2025-11-28 18:41:12 -05:00
|
|
|
use risc0_zkvm::{guest::env, serde::to_vec};
|
2025-08-18 07:39:41 -03:00
|
|
|
|
2026-05-07 16:54:57 +02:00
|
|
|
mod output;
|
2026-04-24 17:04:40 -03:00
|
|
|
|
2026-01-17 03:31:50 +03:00
|
|
|
/// State of the involved accounts before and after program execution.
|
2025-12-24 22:58:33 +03:00
|
|
|
struct ExecutionState {
|
|
|
|
|
pre_states: Vec<AccountWithMetadata>,
|
|
|
|
|
post_states: HashMap<AccountId, Account>,
|
2026-03-28 03:13:46 -03:00
|
|
|
block_validity_window: BlockValidityWindow,
|
|
|
|
|
timestamp_validity_window: TimestampValidityWindow,
|
2026-04-30 15:44:51 +02:00
|
|
|
/// Positions (in `pre_states`) of private-PDA accounts whose supplied npk has been bound
|
|
|
|
|
/// to their `AccountId` via a proven `AccountId::for_private_pda(program_id, seed, npk)`
|
refactor: unify PDA AccountId construction via AccountId::for_{public,private}_pda
Addresses the following review comment:
- "I think this should be a constructor `AccountId::for_private_pda`.
Consider also removing the existing `impl From<(ProgramId, Seed)> for
AccountId` for public pdas in favor of a `AccountId::for_public_pda`
to have a unified way of constructing pdas"
I replaced `impl From<(&ProgramId, &PdaSeed)> for AccountId` with
`AccountId::for_public_pda(program_id: &ProgramId, seed: &PdaSeed) ->
Self` and replaced the free function `private_pda_account_id(...)`
with `AccountId::for_private_pda(program_id: &ProgramId, seed:
&PdaSeed, npk: &NullifierPublicKey) -> Self`. Both live in an inherent
`impl AccountId` block in nssa/core/src/program.rs next to the PDA
derivation logic. Migrated all call sites across nssa/core,
nssa/src/state.rs, nssa/src/validated_state_diff.rs,
program_methods/guest/src/bin/privacy_preserving_circuit.rs,
programs/amm/core, programs/associated_token_account/core, the example
tail-call binary, and the ATA tutorial doc. Test function names that
referenced the old free function were also renamed
(private_pda_account_id_* to for_private_pda_*).
2026-04-21 12:35:19 +02:00
|
|
|
/// check.
|
refactor: rename mask3 to private_pda in tests and circuit
Addresses the following review comments:
- "I'd rename all mask_3 references in test names and variables to a
private pda wording. If in the future we change the mask number for
the private pda, this naming will silently get outdated."
I renamed all tests and the local variable mask3_account to
private_pda_account.
- "Let's use more descriptive names. `mask3` is not very meaningful."
I renamed all `mask3` into `private_pda`. Panic messages and .expect
strings updated to match. Doc comments that factually describe the
encoding (e.g. "mask-3 account" meaning "an account whose visibility
mask is 3") are left as-is since they are accurate and remain stable
until the mask value itself changes.
- "..._panics" to "..._fails"
Covered above. The tests assert Err(CircuitProvingError), so
execute_and_prove returns an Err, the test process itself never
panics.
- "we can return `Some((*seed, true, caller))` to avoid having to unwrap
the `caller_program_id` again in line 290"
I changed matched_caller_seed from Option<(PdaSeed, bool)> to
Option<(PdaSeed, bool, ProgramId)>, return the `caller` captured by
the enclosing and_then from each match arm, and dropped the .expect
at the consumer site. Bundled with the rename since both touch the
same branch and a single guest ELF rebuild covers them.
2026-04-21 01:43:57 +02:00
|
|
|
/// Two proof paths populate this set: a `Claim::Pda(seed)` in a program's `post_state` on
|
|
|
|
|
/// that `pre_state`, or a caller's `ChainedCall.pda_seeds` entry matching that `pre_state`
|
|
|
|
|
/// under the private derivation. Binding is an idempotent property, not an event: the same
|
|
|
|
|
/// position can legitimately be bound through both paths in the same tx (e.g. a program
|
|
|
|
|
/// claims a private PDA and then delegates it to a callee), and the set uses `contains`,
|
2026-04-30 15:44:51 +02:00
|
|
|
/// not `assert!(insert)`. After the main loop, every private-PDA position must appear in
|
|
|
|
|
/// this set; otherwise the npk is unbound and the circuit rejects.
|
refactor: rename mask3 to private_pda in tests and circuit
Addresses the following review comments:
- "I'd rename all mask_3 references in test names and variables to a
private pda wording. If in the future we change the mask number for
the private pda, this naming will silently get outdated."
I renamed all tests and the local variable mask3_account to
private_pda_account.
- "Let's use more descriptive names. `mask3` is not very meaningful."
I renamed all `mask3` into `private_pda`. Panic messages and .expect
strings updated to match. Doc comments that factually describe the
encoding (e.g. "mask-3 account" meaning "an account whose visibility
mask is 3") are left as-is since they are accurate and remain stable
until the mask value itself changes.
- "..._panics" to "..._fails"
Covered above. The tests assert Err(CircuitProvingError), so
execute_and_prove returns an Err, the test process itself never
panics.
- "we can return `Some((*seed, true, caller))` to avoid having to unwrap
the `caller_program_id` again in line 290"
I changed matched_caller_seed from Option<(PdaSeed, bool)> to
Option<(PdaSeed, bool, ProgramId)>, return the `caller` captured by
the enclosing and_then from each match arm, and dropped the .expect
at the consumer site. Bundled with the rename since both touch the
same branch and a single guest ELF rebuild covers them.
2026-04-21 01:43:57 +02:00
|
|
|
private_pda_bound_positions: HashSet<usize>,
|
2026-04-17 15:36:20 +02:00
|
|
|
/// Across the whole transaction, each `(program_id, seed)` pair may resolve to at most one
|
docs: split miscoupled private-PDA test docs and clean phrasing
Addresses the following review comments:
- "Isn't two_mask_3_claims_under_same_seed_are_rejected already checking
that there's a mechanism protecting against this exploit scenario?"
The doc block at nssa/src/state.rs:2488-2504 mixes three paragraphs,
one about reuse, one TODO about wallet side input, one exploit pin,
all attached to two_mask_3_claims_under_same_seed_are_rejected. The
reuse test below it had no doc at all. I split as follows: the
exploit-pin paragraph stays on two_mask_3_claims_..., the reuse
paragraph moves to a fresh docstring on
mask_3_reuse_across_txs_currently_unsupported.
- "I don't understand this. I think this should fail because ... the
input pre_state which is marked with is_authorized=true will make
things fail."
The reuse test's new docstring cites the actual reject site, the
post-loop private_pda_bound_positions assertion in
privacy_preserving_circuit.rs:185-192. At top level the Entry::Vacant
arm accepts is_authorized=true unconditionally, the rejection comes
from the bound-positions check firing because noop emits no Claim::Pda
and there is no caller ChainedCall.pda_seeds.
- "let's dont have this TODO as part of the doc"
The block is moved out into regular // comments immediately above
mask_3_reuse_across_txs_currently_unsupported.
- "let's not add implementation details to docs"
In caller_pda_seeds_authorize_mask_3_private_pda_for_callee's
docstring, I dropped the parenthetical "(Occupied branch)" and the
trailing sentence about which validate_and_sync_states code path gets
exercised.
- "what does \`Claim::Pda(seed)\` / \`pda_seeds\` mean?"
I rewrote the pda_family_binding docstring at
privacy_preserving_circuit.rs:33-39: replaced the ambiguous
"Claim::PrivatePda and ChainedCall's private seeds into plain
Claim::Pda(seed) / pda_seeds" phrase with "a Claim::Pda(seed) in a
program's post_state or a caller's ChainedCall.pda_seeds entry".
- Suggestion on nssa/src/validated_state_diff.rs:226 rewriting
"The public-execution path only sees mask-0 accounts" to
"The public-execution path only sees public accounts".
Applied: "The public-execution path only sees public accounts".
- Clarification requested on the private_pda_bound_positions field:
I expanded the docstring at privacy_preserving_circuit.rs:26-31 to
state that binding is an idempotent property, not an event, and to
enumerate the two proof paths that populate it (a Claim::Pda on a
mask-3 pre_state, or a caller's pda_seeds matching under the private
derivation).
2026-04-21 00:37:06 +02:00
|
|
|
/// `AccountId`. A seed under a program can derive a family of accounts, one public PDA and
|
|
|
|
|
/// one private PDA per distinct npk. Without this check, a single `pda_seeds: [S]` entry in
|
|
|
|
|
/// a chained call could authorize multiple family members at once (different npks under the
|
|
|
|
|
/// same seed) and let a callee mix balances across them. Every claim and every
|
|
|
|
|
/// caller-authorization resolution is recorded here, either as a new `(program, seed)` →
|
|
|
|
|
/// `AccountId` entry or as an equality check against the existing one, making the rule: one
|
|
|
|
|
/// `(program, seed)` → one account per tx.
|
2026-04-17 15:36:20 +02:00
|
|
|
pda_family_binding: HashMap<(ProgramId, PdaSeed), AccountId>,
|
2026-04-30 15:44:51 +02:00
|
|
|
/// Map from a private-PDA `pre_state`'s position in `account_identities` to the npk that
|
|
|
|
|
/// variant supplies for that position. Populated once in `derive_from_outputs` by walking
|
|
|
|
|
/// `account_identities` and consulting `npk_if_private_pda`. Used later by the claim and
|
2026-04-28 17:50:28 +02:00
|
|
|
/// caller-seeds authorization paths to verify
|
|
|
|
|
/// `AccountId::for_private_pda(program_id, seed, npk) == pre_state.account_id`.
|
2026-04-22 15:55:35 +02:00
|
|
|
private_pda_npk_by_position: HashMap<usize, NullifierPublicKey>,
|
2025-12-24 22:58:33 +03:00
|
|
|
}
|
2025-11-18 01:38:47 -03:00
|
|
|
|
2025-12-24 22:58:33 +03:00
|
|
|
impl ExecutionState {
|
|
|
|
|
/// Validate program outputs and derive the overall execution state.
|
2026-03-27 21:43:28 +03:00
|
|
|
pub fn derive_from_outputs(
|
2026-04-30 15:44:51 +02:00
|
|
|
account_identities: &[InputAccountIdentity],
|
2026-03-27 21:43:28 +03:00
|
|
|
program_id: ProgramId,
|
|
|
|
|
program_outputs: Vec<ProgramOutput>,
|
|
|
|
|
) -> Self {
|
2026-04-30 15:44:51 +02:00
|
|
|
// Build position → npk map for private-PDA pre_states, indexed by position in
|
|
|
|
|
// `account_identities`. The vec is documented as 1:1 with the program's pre_state order,
|
|
|
|
|
// so position here matches `pre_state_position` used downstream in
|
|
|
|
|
// `validate_and_sync_states`.
|
2026-04-22 15:55:35 +02:00
|
|
|
let mut private_pda_npk_by_position: HashMap<usize, NullifierPublicKey> = HashMap::new();
|
2026-04-30 15:44:51 +02:00
|
|
|
for (pos, account_identity) in account_identities.iter().enumerate() {
|
|
|
|
|
if let Some(npk) = account_identity.npk_if_private_pda() {
|
2026-04-28 17:50:28 +02:00
|
|
|
private_pda_npk_by_position.insert(pos, npk);
|
2026-04-22 15:55:35 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-28 01:13:48 -03:00
|
|
|
let block_valid_from = program_outputs
|
2026-03-19 16:07:20 -03:00
|
|
|
.iter()
|
2026-03-28 01:13:48 -03:00
|
|
|
.filter_map(|output| output.block_validity_window.start())
|
2026-03-19 16:07:20 -03:00
|
|
|
.max();
|
2026-03-28 01:13:48 -03:00
|
|
|
let block_valid_until = program_outputs
|
2026-03-19 16:07:20 -03:00
|
|
|
.iter()
|
2026-03-28 01:13:48 -03:00
|
|
|
.filter_map(|output| output.block_validity_window.end())
|
2026-03-19 16:07:20 -03:00
|
|
|
.min();
|
2026-03-28 01:13:48 -03:00
|
|
|
let ts_valid_from = program_outputs
|
2026-03-24 10:24:05 +01:00
|
|
|
.iter()
|
2026-03-28 01:13:48 -03:00
|
|
|
.filter_map(|output| output.timestamp_validity_window.start())
|
2026-03-24 10:24:05 +01:00
|
|
|
.max();
|
2026-03-28 01:13:48 -03:00
|
|
|
let ts_valid_until = program_outputs
|
2026-03-24 10:24:05 +01:00
|
|
|
.iter()
|
2026-03-28 01:13:48 -03:00
|
|
|
.filter_map(|output| output.timestamp_validity_window.end())
|
2026-03-24 10:24:05 +01:00
|
|
|
.min();
|
2026-03-19 16:07:20 -03:00
|
|
|
|
2026-03-28 03:13:46 -03:00
|
|
|
let block_validity_window: BlockValidityWindow = (block_valid_from, block_valid_until)
|
2026-03-24 11:49:15 +01:00
|
|
|
.try_into()
|
|
|
|
|
.expect(
|
2026-03-28 01:13:48 -03:00
|
|
|
"There should be non empty intersection in the program output block validity windows",
|
2026-03-24 11:49:15 +01:00
|
|
|
);
|
2026-03-28 03:13:46 -03:00
|
|
|
let timestamp_validity_window: TimestampValidityWindow =
|
2026-03-28 01:13:48 -03:00
|
|
|
(ts_valid_from, ts_valid_until)
|
|
|
|
|
.try_into()
|
|
|
|
|
.expect(
|
|
|
|
|
"There should be non empty intersection in the program output timestamp validity windows",
|
|
|
|
|
);
|
2026-03-20 13:16:52 -03:00
|
|
|
|
2026-03-19 16:07:20 -03:00
|
|
|
let mut execution_state = Self {
|
|
|
|
|
pre_states: Vec::new(),
|
|
|
|
|
post_states: HashMap::new(),
|
2026-03-28 01:13:48 -03:00
|
|
|
block_validity_window,
|
|
|
|
|
timestamp_validity_window,
|
refactor: rename mask3 to private_pda in tests and circuit
Addresses the following review comments:
- "I'd rename all mask_3 references in test names and variables to a
private pda wording. If in the future we change the mask number for
the private pda, this naming will silently get outdated."
I renamed all tests and the local variable mask3_account to
private_pda_account.
- "Let's use more descriptive names. `mask3` is not very meaningful."
I renamed all `mask3` into `private_pda`. Panic messages and .expect
strings updated to match. Doc comments that factually describe the
encoding (e.g. "mask-3 account" meaning "an account whose visibility
mask is 3") are left as-is since they are accurate and remain stable
until the mask value itself changes.
- "..._panics" to "..._fails"
Covered above. The tests assert Err(CircuitProvingError), so
execute_and_prove returns an Err, the test process itself never
panics.
- "we can return `Some((*seed, true, caller))` to avoid having to unwrap
the `caller_program_id` again in line 290"
I changed matched_caller_seed from Option<(PdaSeed, bool)> to
Option<(PdaSeed, bool, ProgramId)>, return the `caller` captured by
the enclosing and_then from each match arm, and dropped the .expect
at the consumer site. Bundled with the rename since both touch the
same branch and a single guest ELF rebuild covers them.
2026-04-21 01:43:57 +02:00
|
|
|
private_pda_bound_positions: HashSet::new(),
|
2026-04-17 15:36:20 +02:00
|
|
|
pda_family_binding: HashMap::new(),
|
2026-04-22 15:55:35 +02:00
|
|
|
private_pda_npk_by_position,
|
2026-03-19 16:07:20 -03:00
|
|
|
};
|
|
|
|
|
|
2025-12-24 22:58:33 +03:00
|
|
|
let Some(first_output) = program_outputs.first() else {
|
2026-01-14 00:52:09 +03:00
|
|
|
panic!("No program outputs provided");
|
2025-12-24 22:58:33 +03:00
|
|
|
};
|
2025-11-26 17:37:22 -03:00
|
|
|
|
2025-12-24 22:58:33 +03:00
|
|
|
let initial_call = ChainedCall {
|
|
|
|
|
program_id,
|
|
|
|
|
instruction_data: first_output.instruction_data.clone(),
|
|
|
|
|
pre_states: first_output.pre_states.clone(),
|
|
|
|
|
pda_seeds: Vec::new(),
|
|
|
|
|
};
|
2026-01-14 00:52:09 +03:00
|
|
|
let mut chained_calls = VecDeque::from_iter([(initial_call, None)]);
|
2025-12-09 22:27:38 -03:00
|
|
|
|
2025-12-24 22:58:33 +03:00
|
|
|
let mut program_outputs_iter = program_outputs.into_iter();
|
|
|
|
|
let mut chain_calls_counter = 0;
|
2026-01-17 03:31:50 +03:00
|
|
|
|
2026-01-14 00:52:09 +03:00
|
|
|
while let Some((chained_call, caller_program_id)) = chained_calls.pop_front() {
|
2025-12-24 22:58:33 +03:00
|
|
|
assert!(
|
|
|
|
|
chain_calls_counter <= MAX_NUMBER_CHAINED_CALLS,
|
|
|
|
|
"Max chained calls depth is exceeded"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let Some(program_output) = program_outputs_iter.next() else {
|
|
|
|
|
panic!("Insufficient program outputs for chained calls");
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Check that instruction data in chained call is the instruction data in program output
|
|
|
|
|
assert_eq!(
|
|
|
|
|
chained_call.instruction_data, program_output.instruction_data,
|
|
|
|
|
"Mismatched instruction data between chained call and program output"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Check that `program_output` is consistent with the execution of the corresponding
|
|
|
|
|
// program.
|
|
|
|
|
let program_output_words =
|
|
|
|
|
&to_vec(&program_output).expect("program_output must be serializable");
|
|
|
|
|
env::verify(chained_call.program_id, program_output_words).unwrap_or_else(
|
|
|
|
|
|_: Infallible| unreachable!("Infallible error is never constructed"),
|
|
|
|
|
);
|
|
|
|
|
|
2026-04-02 00:39:36 +02:00
|
|
|
// Verify that the program output's self_program_id matches the expected program ID.
|
|
|
|
|
// This ensures the proof commits to which program produced the output.
|
|
|
|
|
assert_eq!(
|
|
|
|
|
program_output.self_program_id, chained_call.program_id,
|
2026-04-02 19:32:21 +02:00
|
|
|
"Program output self_program_id does not match chained call program_id"
|
2026-04-02 00:39:36 +02:00
|
|
|
);
|
|
|
|
|
|
2026-04-07 19:03:06 +02:00
|
|
|
// Verify that the program output's caller_program_id matches the actual caller.
|
|
|
|
|
// This prevents a malicious user from privately executing an internal function
|
|
|
|
|
// by spoofing caller_program_id (e.g. passing caller_program_id = self_program_id
|
|
|
|
|
// to bypass access control checks).
|
|
|
|
|
assert_eq!(
|
|
|
|
|
program_output.caller_program_id, caller_program_id,
|
|
|
|
|
"Program output caller_program_id does not match actual caller"
|
|
|
|
|
);
|
|
|
|
|
|
2025-12-24 22:58:33 +03:00
|
|
|
// Check that the program is well behaved.
|
|
|
|
|
// See the # Programs section for the definition of the `validate_execution` method.
|
2026-04-07 00:03:01 +03:00
|
|
|
let validated_execution = validate_execution(
|
2025-12-24 22:58:33 +03:00
|
|
|
&program_output.pre_states,
|
|
|
|
|
&program_output.post_states,
|
|
|
|
|
chained_call.program_id,
|
|
|
|
|
);
|
2026-04-07 00:03:01 +03:00
|
|
|
if let Err(err) = validated_execution {
|
|
|
|
|
panic!(
|
|
|
|
|
"Invalid program behavior in program {:?}: {err}",
|
|
|
|
|
chained_call.program_id
|
|
|
|
|
);
|
|
|
|
|
}
|
2025-12-24 22:58:33 +03:00
|
|
|
|
|
|
|
|
for next_call in program_output.chained_calls.iter().rev() {
|
2026-01-14 00:52:09 +03:00
|
|
|
chained_calls.push_front((next_call.clone(), Some(chained_call.program_id)));
|
2025-12-24 22:58:33 +03:00
|
|
|
}
|
2025-11-18 01:38:47 -03:00
|
|
|
|
2026-01-14 00:52:09 +03:00
|
|
|
execution_state.validate_and_sync_states(
|
2026-04-30 15:44:51 +02:00
|
|
|
account_identities,
|
2026-01-14 00:52:09 +03:00
|
|
|
chained_call.program_id,
|
2026-04-17 07:29:40 +02:00
|
|
|
caller_program_id,
|
|
|
|
|
&chained_call.pda_seeds,
|
2026-01-14 00:52:09 +03:00
|
|
|
program_output.pre_states,
|
|
|
|
|
program_output.post_states,
|
|
|
|
|
);
|
2026-03-04 18:42:33 +03:00
|
|
|
chain_calls_counter = chain_calls_counter.checked_add(1).expect(
|
|
|
|
|
"Chain calls counter should not overflow as it checked before incrementing",
|
|
|
|
|
);
|
2025-11-18 01:38:47 -03:00
|
|
|
}
|
2025-12-10 23:06:35 -03:00
|
|
|
|
2025-12-24 22:58:33 +03:00
|
|
|
assert!(
|
|
|
|
|
program_outputs_iter.next().is_none(),
|
|
|
|
|
"Inner call without a chained call found",
|
|
|
|
|
);
|
2025-11-18 01:38:47 -03:00
|
|
|
|
2026-04-28 17:50:28 +02:00
|
|
|
// Every private-PDA pre_state must have had its npk bound to its account_id, either via
|
|
|
|
|
// a `Claim::Pda(seed)` in some program's post_state or via a caller's `pda_seeds`
|
|
|
|
|
// matching the private derivation. An unbound private-PDA pre_state has no
|
|
|
|
|
// cryptographic link between the supplied npk and the account_id, and must be rejected.
|
2026-04-30 15:44:51 +02:00
|
|
|
for (pos, account_identity) in account_identities.iter().enumerate() {
|
|
|
|
|
if account_identity.is_private_pda() {
|
2026-04-17 07:29:40 +02:00
|
|
|
assert!(
|
refactor: rename mask3 to private_pda in tests and circuit
Addresses the following review comments:
- "I'd rename all mask_3 references in test names and variables to a
private pda wording. If in the future we change the mask number for
the private pda, this naming will silently get outdated."
I renamed all tests and the local variable mask3_account to
private_pda_account.
- "Let's use more descriptive names. `mask3` is not very meaningful."
I renamed all `mask3` into `private_pda`. Panic messages and .expect
strings updated to match. Doc comments that factually describe the
encoding (e.g. "mask-3 account" meaning "an account whose visibility
mask is 3") are left as-is since they are accurate and remain stable
until the mask value itself changes.
- "..._panics" to "..._fails"
Covered above. The tests assert Err(CircuitProvingError), so
execute_and_prove returns an Err, the test process itself never
panics.
- "we can return `Some((*seed, true, caller))` to avoid having to unwrap
the `caller_program_id` again in line 290"
I changed matched_caller_seed from Option<(PdaSeed, bool)> to
Option<(PdaSeed, bool, ProgramId)>, return the `caller` captured by
the enclosing and_then from each match arm, and dropped the .expect
at the consumer site. Bundled with the rename since both touch the
same branch and a single guest ELF rebuild covers them.
2026-04-21 01:43:57 +02:00
|
|
|
execution_state.private_pda_bound_positions.contains(&pos),
|
|
|
|
|
"private PDA pre_state at position {pos} has no proven (seed, npk) binding via Claim::Pda or caller pda_seeds"
|
2026-04-17 07:29:40 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-17 03:31:50 +03:00
|
|
|
// Check that all modified uninitialized accounts were claimed
|
|
|
|
|
for (account_id, post) in execution_state
|
|
|
|
|
.pre_states
|
|
|
|
|
.iter()
|
|
|
|
|
.filter(|a| a.account.program_owner == DEFAULT_PROGRAM_ID)
|
|
|
|
|
.map(|a| {
|
|
|
|
|
let post = execution_state
|
|
|
|
|
.post_states
|
|
|
|
|
.get(&a.account_id)
|
|
|
|
|
.expect("Post state must exist for pre state");
|
|
|
|
|
(a, post)
|
|
|
|
|
})
|
|
|
|
|
.filter(|(pre_default, post)| pre_default.account != **post)
|
|
|
|
|
.map(|(pre, post)| (pre.account_id, post))
|
|
|
|
|
{
|
|
|
|
|
assert_ne!(
|
|
|
|
|
post.program_owner, DEFAULT_PROGRAM_ID,
|
2026-03-27 21:43:28 +03:00
|
|
|
"Account {account_id} was modified but not claimed"
|
2026-01-17 03:31:50 +03:00
|
|
|
);
|
2025-11-07 20:42:00 -03:00
|
|
|
}
|
|
|
|
|
|
2025-12-24 22:58:33 +03:00
|
|
|
execution_state
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-14 00:52:09 +03:00
|
|
|
/// Validate program pre and post states and populate the execution state.
|
|
|
|
|
fn validate_and_sync_states(
|
|
|
|
|
&mut self,
|
2026-04-30 15:44:51 +02:00
|
|
|
account_identities: &[InputAccountIdentity],
|
2026-01-14 00:52:09 +03:00
|
|
|
program_id: ProgramId,
|
2026-04-17 07:29:40 +02:00
|
|
|
caller_program_id: Option<ProgramId>,
|
2026-04-17 15:36:20 +02:00
|
|
|
caller_pda_seeds: &[PdaSeed],
|
2026-01-14 00:52:09 +03:00
|
|
|
pre_states: Vec<AccountWithMetadata>,
|
|
|
|
|
post_states: Vec<AccountPostState>,
|
|
|
|
|
) {
|
|
|
|
|
for (pre, mut post) in pre_states.into_iter().zip(post_states) {
|
2025-12-24 22:58:33 +03:00
|
|
|
let pre_account_id = pre.account_id;
|
2026-03-27 21:43:28 +03:00
|
|
|
let pre_is_authorized = pre.is_authorized;
|
2026-01-14 00:52:09 +03:00
|
|
|
let post_states_entry = self.post_states.entry(pre.account_id);
|
|
|
|
|
match &post_states_entry {
|
|
|
|
|
Entry::Occupied(occupied) => {
|
2026-03-27 21:43:28 +03:00
|
|
|
#[expect(
|
|
|
|
|
clippy::shadow_unrelated,
|
|
|
|
|
reason = "Shadowing is intentional to use all fields"
|
|
|
|
|
)]
|
|
|
|
|
let AccountWithMetadata {
|
|
|
|
|
account: pre_account,
|
|
|
|
|
account_id: pre_account_id,
|
|
|
|
|
is_authorized: pre_is_authorized,
|
|
|
|
|
} = pre;
|
|
|
|
|
|
2026-01-14 00:52:09 +03:00
|
|
|
// Ensure that new pre state is the same as known post state
|
|
|
|
|
assert_eq!(
|
|
|
|
|
occupied.get(),
|
2026-03-27 21:43:28 +03:00
|
|
|
&pre_account,
|
|
|
|
|
"Inconsistent pre state for account {pre_account_id}",
|
2026-01-14 00:52:09 +03:00
|
|
|
);
|
|
|
|
|
|
2026-04-17 07:29:40 +02:00
|
|
|
let (previous_is_authorized, pre_state_position) = self
|
2026-01-14 00:52:09 +03:00
|
|
|
.pre_states
|
|
|
|
|
.iter()
|
2026-04-17 07:29:40 +02:00
|
|
|
.enumerate()
|
|
|
|
|
.find(|(_, acc)| acc.account_id == pre_account_id)
|
2026-03-03 23:21:08 +03:00
|
|
|
.map_or_else(
|
|
|
|
|
|| panic!(
|
2026-03-27 21:43:28 +03:00
|
|
|
"Pre state must exist in execution state for account {pre_account_id}",
|
2026-03-03 23:21:08 +03:00
|
|
|
),
|
2026-04-17 07:29:40 +02:00
|
|
|
|(pos, acc)| (acc.is_authorized, pos)
|
2026-03-03 23:21:08 +03:00
|
|
|
);
|
2026-01-14 00:52:09 +03:00
|
|
|
|
2026-04-22 15:55:35 +02:00
|
|
|
let is_authorized = resolve_authorization_and_record_bindings(
|
|
|
|
|
&mut self.pda_family_binding,
|
|
|
|
|
&mut self.private_pda_bound_positions,
|
|
|
|
|
&self.private_pda_npk_by_position,
|
|
|
|
|
pre_account_id,
|
|
|
|
|
pre_state_position,
|
|
|
|
|
caller_program_id,
|
|
|
|
|
caller_pda_seeds,
|
|
|
|
|
previous_is_authorized,
|
|
|
|
|
);
|
2026-01-14 00:52:09 +03:00
|
|
|
|
|
|
|
|
assert_eq!(
|
2026-03-27 21:43:28 +03:00
|
|
|
pre_is_authorized, is_authorized,
|
|
|
|
|
"Inconsistent authorization for account {pre_account_id}",
|
2026-01-14 00:52:09 +03:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
Entry::Vacant(_) => {
|
2026-03-27 21:43:28 +03:00
|
|
|
// Pre state for the initial call
|
2026-01-14 00:52:09 +03:00
|
|
|
self.pre_states.push(pre);
|
|
|
|
|
}
|
2025-11-07 20:42:00 -03:00
|
|
|
}
|
|
|
|
|
|
2026-03-27 21:43:28 +03:00
|
|
|
if let Some(claim) = post.required_claim() {
|
2025-12-24 22:58:33 +03:00
|
|
|
// The invoked program can only claim accounts with default program id.
|
2026-03-27 21:43:28 +03:00
|
|
|
assert_eq!(
|
|
|
|
|
post.account().program_owner,
|
|
|
|
|
DEFAULT_PROGRAM_ID,
|
|
|
|
|
"Cannot claim an initialized account {pre_account_id}"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let pre_state_position = self
|
|
|
|
|
.pre_states
|
|
|
|
|
.iter()
|
|
|
|
|
.position(|acc| acc.account_id == pre_account_id)
|
|
|
|
|
.expect("Pre state must exist at this point");
|
|
|
|
|
|
2026-04-30 15:44:51 +02:00
|
|
|
let account_identity = &account_identities[pre_state_position];
|
|
|
|
|
if account_identity.is_public() {
|
2026-04-28 17:50:28 +02:00
|
|
|
match claim {
|
2026-03-27 21:43:28 +03:00
|
|
|
Claim::Authorized => {
|
|
|
|
|
// Note: no need to check authorized pdas because we have already
|
|
|
|
|
// checked consistency of authorization above.
|
|
|
|
|
assert!(
|
|
|
|
|
pre_is_authorized,
|
|
|
|
|
"Cannot claim unauthorized account {pre_account_id}"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
Claim::Pda(seed) => {
|
refactor: unify PDA AccountId construction via AccountId::for_{public,private}_pda
Addresses the following review comment:
- "I think this should be a constructor `AccountId::for_private_pda`.
Consider also removing the existing `impl From<(ProgramId, Seed)> for
AccountId` for public pdas in favor of a `AccountId::for_public_pda`
to have a unified way of constructing pdas"
I replaced `impl From<(&ProgramId, &PdaSeed)> for AccountId` with
`AccountId::for_public_pda(program_id: &ProgramId, seed: &PdaSeed) ->
Self` and replaced the free function `private_pda_account_id(...)`
with `AccountId::for_private_pda(program_id: &ProgramId, seed:
&PdaSeed, npk: &NullifierPublicKey) -> Self`. Both live in an inherent
`impl AccountId` block in nssa/core/src/program.rs next to the PDA
derivation logic. Migrated all call sites across nssa/core,
nssa/src/state.rs, nssa/src/validated_state_diff.rs,
program_methods/guest/src/bin/privacy_preserving_circuit.rs,
programs/amm/core, programs/associated_token_account/core, the example
tail-call binary, and the ATA tutorial doc. Test function names that
referenced the old free function were also renamed
(private_pda_account_id_* to for_private_pda_*).
2026-04-21 12:35:19 +02:00
|
|
|
let pda = AccountId::for_public_pda(&program_id, &seed);
|
2026-03-27 21:43:28 +03:00
|
|
|
assert_eq!(
|
|
|
|
|
pre_account_id, pda,
|
|
|
|
|
"Invalid PDA claim for account {pre_account_id} which does not match derived PDA {pda}"
|
|
|
|
|
);
|
2026-04-17 15:36:20 +02:00
|
|
|
assert_family_binding(
|
|
|
|
|
&mut self.pda_family_binding,
|
|
|
|
|
program_id,
|
|
|
|
|
seed,
|
|
|
|
|
pre_account_id,
|
|
|
|
|
);
|
2026-03-27 21:43:28 +03:00
|
|
|
}
|
2026-04-28 17:50:28 +02:00
|
|
|
}
|
2026-04-30 15:44:51 +02:00
|
|
|
} else if account_identity.is_private_pda() {
|
2026-04-28 17:50:28 +02:00
|
|
|
match claim {
|
|
|
|
|
Claim::Authorized => {
|
|
|
|
|
assert!(
|
|
|
|
|
pre_is_authorized,
|
|
|
|
|
"Cannot claim unauthorized private PDA {pre_account_id}"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
Claim::Pda(seed) => {
|
|
|
|
|
let npk = self
|
2026-04-22 15:55:35 +02:00
|
|
|
.private_pda_npk_by_position
|
|
|
|
|
.get(&pre_state_position)
|
2026-04-29 08:54:19 +02:00
|
|
|
.expect(
|
|
|
|
|
"private PDA pre_state must have an npk in the position map",
|
|
|
|
|
);
|
2026-04-28 17:50:28 +02:00
|
|
|
let pda = AccountId::for_private_pda(&program_id, &seed, npk);
|
|
|
|
|
assert_eq!(
|
|
|
|
|
pre_account_id, pda,
|
|
|
|
|
"Invalid private PDA claim for account {pre_account_id}"
|
|
|
|
|
);
|
|
|
|
|
self.private_pda_bound_positions.insert(pre_state_position);
|
|
|
|
|
assert_family_binding(
|
|
|
|
|
&mut self.pda_family_binding,
|
|
|
|
|
program_id,
|
|
|
|
|
seed,
|
|
|
|
|
pre_account_id,
|
|
|
|
|
);
|
2026-04-15 13:57:09 +02:00
|
|
|
}
|
2026-04-22 15:55:35 +02:00
|
|
|
}
|
2026-04-28 17:50:28 +02:00
|
|
|
} else {
|
2026-04-30 15:44:51 +02:00
|
|
|
// Standalone private accounts: don't enforce the claim semantics.
|
2026-04-28 17:50:28 +02:00
|
|
|
// Unauthorized private claiming is intentionally allowed since operating
|
|
|
|
|
// these accounts requires the npk/nsk keypair anyway.
|
2025-11-18 01:38:47 -03:00
|
|
|
}
|
2026-03-27 21:43:28 +03:00
|
|
|
|
|
|
|
|
post.account_mut().program_owner = program_id;
|
2025-11-07 20:42:00 -03:00
|
|
|
}
|
|
|
|
|
|
2026-01-14 00:52:09 +03:00
|
|
|
post_states_entry.insert_entry(post.into_account());
|
2025-12-24 22:58:33 +03:00
|
|
|
}
|
2025-09-02 12:38:31 -03:00
|
|
|
}
|
2025-08-18 07:39:41 -03:00
|
|
|
|
2026-05-07 16:54:57 +02:00
|
|
|
/// Consume self and yield the validity windows alongside an iterator over pre and post
|
|
|
|
|
/// states of each account involved in the execution. Returning the windows here keeps the
|
|
|
|
|
/// fields module-private rather than forcing them visible to downstream consumers.
|
|
|
|
|
pub fn into_parts(
|
2025-12-24 22:58:33 +03:00
|
|
|
mut self,
|
2026-05-07 16:54:57 +02:00
|
|
|
) -> (
|
|
|
|
|
BlockValidityWindow,
|
|
|
|
|
TimestampValidityWindow,
|
|
|
|
|
impl ExactSizeIterator<Item = (AccountWithMetadata, Account)>,
|
|
|
|
|
) {
|
|
|
|
|
let block_validity_window = self.block_validity_window;
|
|
|
|
|
let timestamp_validity_window = self.timestamp_validity_window;
|
|
|
|
|
let states_iter = self.pre_states.into_iter().map(move |pre| {
|
2025-12-24 22:58:33 +03:00
|
|
|
let post = self
|
|
|
|
|
.post_states
|
|
|
|
|
.remove(&pre.account_id)
|
|
|
|
|
.expect("Account from pre states should exist in state diff");
|
|
|
|
|
(pre, post)
|
2026-05-07 16:54:57 +02:00
|
|
|
});
|
|
|
|
|
(block_validity_window, timestamp_validity_window, states_iter)
|
2025-08-19 10:39:47 -03:00
|
|
|
}
|
2025-12-24 22:58:33 +03:00
|
|
|
}
|
|
|
|
|
|
2026-04-17 15:36:20 +02:00
|
|
|
/// Record or re-verify the `(program_id, seed) → account_id` family binding for the
|
|
|
|
|
/// transaction. Any claim or caller-seed authorization that resolves a `pre_state` under
|
|
|
|
|
/// `(program_id, seed)` must agree with every prior resolution of the same pair; otherwise a
|
|
|
|
|
/// single `pda_seeds: [seed]` entry could authorize multiple private-PDA family members at
|
|
|
|
|
/// once (different npks under the same seed) and let a callee mix balances across them. Free
|
|
|
|
|
/// function so callers can pass `&mut self.pda_family_binding` without holding a borrow on
|
|
|
|
|
/// the surrounding struct's other fields.
|
|
|
|
|
fn assert_family_binding(
|
|
|
|
|
bindings: &mut HashMap<(ProgramId, PdaSeed), AccountId>,
|
|
|
|
|
program_id: ProgramId,
|
|
|
|
|
seed: PdaSeed,
|
|
|
|
|
account_id: AccountId,
|
|
|
|
|
) {
|
|
|
|
|
match bindings.entry((program_id, seed)) {
|
|
|
|
|
Entry::Vacant(e) => {
|
|
|
|
|
e.insert(account_id);
|
|
|
|
|
}
|
|
|
|
|
Entry::Occupied(e) => {
|
|
|
|
|
assert_eq!(
|
|
|
|
|
*e.get(),
|
|
|
|
|
account_id,
|
|
|
|
|
"Two different accounts resolved under the same (program, seed) in one transaction: existing {}, new {account_id}",
|
|
|
|
|
e.get()
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-04-22 15:55:35 +02:00
|
|
|
/// Resolve the authorization state of a `pre_state` seen again in a chained call and record
|
|
|
|
|
/// any resulting bindings. Returns `true` if the `pre_state` is authorized through either a
|
|
|
|
|
/// previously-seen authorization or a matching caller seed (under the public or private
|
|
|
|
|
/// derivation). When a caller seed matches, also records the `(caller, seed) → account_id`
|
|
|
|
|
/// family binding and, for the private form, marks the position in
|
|
|
|
|
/// `private_pda_bound_positions`. Only reachable when `caller_program_id.is_some()`,
|
|
|
|
|
/// top-level flows have no caller-emitted seeds, so binding at top level must come from the
|
|
|
|
|
/// claim path. Free function so callers can pass individual `&mut self.*` field borrows
|
|
|
|
|
/// without holding a borrow on the surrounding struct's other fields.
|
|
|
|
|
#[expect(
|
|
|
|
|
clippy::too_many_arguments,
|
|
|
|
|
reason = "breaking out a context struct does not buy us anything here"
|
|
|
|
|
)]
|
|
|
|
|
fn resolve_authorization_and_record_bindings(
|
|
|
|
|
pda_family_binding: &mut HashMap<(ProgramId, PdaSeed), AccountId>,
|
|
|
|
|
private_pda_bound_positions: &mut HashSet<usize>,
|
|
|
|
|
private_pda_npk_by_position: &HashMap<usize, NullifierPublicKey>,
|
|
|
|
|
pre_account_id: AccountId,
|
|
|
|
|
pre_state_position: usize,
|
|
|
|
|
caller_program_id: Option<ProgramId>,
|
|
|
|
|
caller_pda_seeds: &[PdaSeed],
|
|
|
|
|
previous_is_authorized: bool,
|
|
|
|
|
) -> bool {
|
|
|
|
|
let matched_caller_seed: Option<(PdaSeed, bool, ProgramId)> =
|
|
|
|
|
caller_program_id.and_then(|caller| {
|
|
|
|
|
caller_pda_seeds.iter().find_map(|seed| {
|
|
|
|
|
if AccountId::for_public_pda(&caller, seed) == pre_account_id {
|
|
|
|
|
return Some((*seed, false, caller));
|
|
|
|
|
}
|
|
|
|
|
if let Some(npk) = private_pda_npk_by_position.get(&pre_state_position)
|
|
|
|
|
&& AccountId::for_private_pda(&caller, seed, npk) == pre_account_id
|
|
|
|
|
{
|
|
|
|
|
return Some((*seed, true, caller));
|
|
|
|
|
}
|
|
|
|
|
None
|
|
|
|
|
})
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if let Some((seed, is_private_form, caller)) = matched_caller_seed {
|
|
|
|
|
assert_family_binding(pda_family_binding, caller, seed, pre_account_id);
|
|
|
|
|
if is_private_form {
|
|
|
|
|
private_pda_bound_positions.insert(pre_state_position);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
previous_is_authorized || matched_caller_seed.is_some()
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-04 18:42:33 +03:00
|
|
|
fn main() {
|
|
|
|
|
let PrivacyPreservingCircuitInput {
|
|
|
|
|
program_outputs,
|
2026-04-30 15:44:51 +02:00
|
|
|
account_identities,
|
2026-03-04 18:42:33 +03:00
|
|
|
program_id,
|
|
|
|
|
} = env::read();
|
|
|
|
|
|
2026-04-28 17:50:28 +02:00
|
|
|
let execution_state =
|
2026-04-30 15:44:51 +02:00
|
|
|
ExecutionState::derive_from_outputs(&account_identities, program_id, program_outputs);
|
2026-03-04 18:42:33 +03:00
|
|
|
|
2026-05-07 16:54:57 +02:00
|
|
|
let output = output::compute_circuit_output(execution_state, &account_identities);
|
2026-03-04 18:42:33 +03:00
|
|
|
|
|
|
|
|
env::commit(&output);
|
2025-10-03 18:31:56 -03:00
|
|
|
}
|