2025-11-22 17:48:29 -03:00
|
|
|
use std::collections::HashMap;
|
2025-10-03 18:31:56 -03:00
|
|
|
|
2025-08-18 07:39:41 -03:00
|
|
|
use nssa_core::{
|
2025-11-07 20:42:00 -03:00
|
|
|
Commitment, CommitmentSetDigest, DUMMY_COMMITMENT_HASH, EncryptionScheme, Nullifier,
|
|
|
|
|
NullifierPublicKey, PrivacyPreservingCircuitInput, PrivacyPreservingCircuitOutput,
|
2025-09-19 12:23:11 -03:00
|
|
|
account::{Account, AccountId, AccountWithMetadata},
|
|
|
|
|
compute_digest_for_path,
|
|
|
|
|
encryption::Ciphertext,
|
2025-11-18 01:38:47 -03:00
|
|
|
program::{DEFAULT_PROGRAM_ID, MAX_NUMBER_CHAINED_CALLS, validate_execution},
|
2025-08-18 07:39:41 -03:00
|
|
|
};
|
2025-11-28 18:41:12 -05:00
|
|
|
use risc0_zkvm::{guest::env, serde::to_vec};
|
2025-08-18 07:39:41 -03:00
|
|
|
|
|
|
|
|
fn main() {
|
|
|
|
|
let PrivacyPreservingCircuitInput {
|
2025-11-06 19:35:47 -03:00
|
|
|
program_outputs,
|
2025-08-18 07:39:41 -03:00
|
|
|
visibility_mask,
|
2025-08-18 18:18:16 -03:00
|
|
|
private_account_nonces,
|
|
|
|
|
private_account_keys,
|
2025-11-14 01:28:34 -03:00
|
|
|
private_account_nsks,
|
|
|
|
|
private_account_membership_proofs,
|
2025-11-07 20:42:00 -03:00
|
|
|
mut program_id,
|
2025-08-18 07:39:41 -03:00
|
|
|
} = env::read();
|
|
|
|
|
|
2025-11-07 20:42:00 -03:00
|
|
|
let mut pre_states: Vec<AccountWithMetadata> = Vec::new();
|
|
|
|
|
let mut state_diff: HashMap<AccountId, Account> = HashMap::new();
|
2025-11-06 19:35:47 -03:00
|
|
|
|
2025-11-18 01:38:47 -03:00
|
|
|
let num_calls = program_outputs.len();
|
|
|
|
|
if num_calls > MAX_NUMBER_CHAINED_CALLS {
|
2025-11-25 14:20:56 -03:00
|
|
|
panic!("Max chained calls depth is exceeded");
|
2025-11-18 01:38:47 -03:00
|
|
|
}
|
|
|
|
|
|
2025-12-09 22:27:38 -03:00
|
|
|
let Some(last_program_call) = program_outputs.last() else {
|
|
|
|
|
panic!("Program outputs is empty")
|
|
|
|
|
};
|
2025-08-18 07:39:41 -03:00
|
|
|
|
2025-12-09 22:27:38 -03:00
|
|
|
if !last_program_call.chained_calls.is_empty() {
|
2025-11-18 01:38:47 -03:00
|
|
|
panic!("Call stack is incomplete");
|
|
|
|
|
}
|
|
|
|
|
|
2025-11-26 17:37:22 -03:00
|
|
|
for window in program_outputs.windows(2) {
|
|
|
|
|
let caller = &window[0];
|
|
|
|
|
let callee = &window[1];
|
|
|
|
|
|
2025-12-09 22:27:38 -03:00
|
|
|
if caller.chained_calls.len() > 1 {
|
|
|
|
|
panic!("Privacy Multi-chained calls are not supported yet");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TODO: Modify when multi-chain calls are supported in the circuit
|
2025-12-10 23:06:35 -03:00
|
|
|
let Some(caller_chained_call) = &caller.chained_calls.first() else {
|
2025-11-18 01:38:47 -03:00
|
|
|
panic!("Expected chained call");
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Check that instruction data in caller is the instruction data in callee
|
2025-12-10 23:06:35 -03:00
|
|
|
if caller_chained_call.instruction_data != callee.instruction_data {
|
2025-11-18 01:38:47 -03:00
|
|
|
panic!("Invalid instruction data");
|
|
|
|
|
}
|
2025-12-10 23:06:35 -03:00
|
|
|
|
|
|
|
|
// Check that account pre_states in caller are the ones in calle
|
|
|
|
|
if caller_chained_call.pre_states != callee.pre_states {
|
|
|
|
|
panic!("Invalid pre states");
|
|
|
|
|
}
|
2025-11-18 01:38:47 -03:00
|
|
|
}
|
|
|
|
|
|
2025-11-20 01:40:05 -03:00
|
|
|
for (i, program_output) in program_outputs.iter().enumerate() {
|
2025-11-18 01:38:47 -03:00
|
|
|
let mut program_output = program_output.clone();
|
2025-08-18 07:39:41 -03:00
|
|
|
|
2025-11-14 01:28:34 -03:00
|
|
|
// Check that `program_output` is consistent with the execution of the corresponding
|
|
|
|
|
// program.
|
2025-11-25 15:15:14 -03:00
|
|
|
let program_output_words =
|
|
|
|
|
&to_vec(&program_output).expect("program_output must be serializable");
|
|
|
|
|
env::verify(program_id, program_output_words)
|
|
|
|
|
.expect("program output must match the program's execution");
|
2025-08-18 07:39:41 -03:00
|
|
|
|
2025-11-07 20:42:00 -03:00
|
|
|
// Check that the program is well behaved.
|
|
|
|
|
// See the # Programs section for the definition of the `validate_execution` method.
|
|
|
|
|
if !validate_execution(
|
|
|
|
|
&program_output.pre_states,
|
|
|
|
|
&program_output.post_states,
|
|
|
|
|
program_id,
|
|
|
|
|
) {
|
|
|
|
|
panic!("Bad behaved program");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The invoked program claims the accounts with default program id.
|
2025-12-09 22:27:38 -03:00
|
|
|
for post in program_output
|
|
|
|
|
.post_states
|
|
|
|
|
.iter_mut()
|
|
|
|
|
.filter(|post| post.requires_claim())
|
|
|
|
|
{
|
|
|
|
|
// The invoked program can only claim accounts with default program id.
|
|
|
|
|
if post.account().program_owner == DEFAULT_PROGRAM_ID {
|
|
|
|
|
post.account_mut().program_owner = program_id;
|
|
|
|
|
} else {
|
|
|
|
|
panic!("Cannot claim an initialized account")
|
2025-11-07 20:42:00 -03:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (pre, post) in program_output
|
|
|
|
|
.pre_states
|
|
|
|
|
.iter()
|
|
|
|
|
.zip(&program_output.post_states)
|
|
|
|
|
{
|
2025-11-18 01:38:47 -03:00
|
|
|
if let Some(account_pre) = state_diff.get(&pre.account_id) {
|
|
|
|
|
if account_pre != &pre.account {
|
|
|
|
|
panic!("Invalid input");
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2025-11-07 20:42:00 -03:00
|
|
|
pre_states.push(pre.clone());
|
|
|
|
|
}
|
2025-12-09 22:27:38 -03:00
|
|
|
state_diff.insert(pre.account_id.clone(), post.account().clone());
|
2025-11-07 20:42:00 -03:00
|
|
|
}
|
|
|
|
|
|
2025-12-09 22:27:38 -03:00
|
|
|
// TODO: Modify when multi-chain calls are supported in the circuit
|
|
|
|
|
if let Some(next_chained_call) = &program_output.chained_calls.first() {
|
2025-11-07 20:42:00 -03:00
|
|
|
program_id = next_chained_call.program_id;
|
2025-11-20 01:40:05 -03:00
|
|
|
} else if i != program_outputs.len() - 1 {
|
|
|
|
|
panic!("Inner call without a chained call found")
|
2025-11-07 20:42:00 -03:00
|
|
|
};
|
2025-09-02 12:38:31 -03:00
|
|
|
}
|
2025-08-18 07:39:41 -03:00
|
|
|
|
|
|
|
|
let n_accounts = pre_states.len();
|
2025-08-19 10:39:47 -03:00
|
|
|
if visibility_mask.len() != n_accounts {
|
2025-09-02 12:56:01 -03:00
|
|
|
panic!("Invalid visibility mask length");
|
2025-08-19 10:39:47 -03:00
|
|
|
}
|
2025-08-18 07:39:41 -03:00
|
|
|
|
|
|
|
|
// These lists will be the public outputs of this circuit
|
|
|
|
|
// and will be populated next.
|
|
|
|
|
let mut public_pre_states: Vec<AccountWithMetadata> = Vec::new();
|
|
|
|
|
let mut public_post_states: Vec<Account> = Vec::new();
|
2025-08-25 14:51:46 -03:00
|
|
|
let mut ciphertexts: Vec<Ciphertext> = Vec::new();
|
2025-08-18 07:39:41 -03:00
|
|
|
let mut new_commitments: Vec<Commitment> = Vec::new();
|
2025-08-25 09:22:59 -03:00
|
|
|
let mut new_nullifiers: Vec<(Nullifier, CommitmentSetDigest)> = Vec::new();
|
2025-08-18 07:39:41 -03:00
|
|
|
|
2025-08-19 10:39:47 -03:00
|
|
|
let mut private_nonces_iter = private_account_nonces.iter();
|
|
|
|
|
let mut private_keys_iter = private_account_keys.iter();
|
2025-11-14 01:28:34 -03:00
|
|
|
let mut private_nsks_iter = private_account_nsks.iter();
|
|
|
|
|
let mut private_membership_proofs_iter = private_account_membership_proofs.iter();
|
2025-08-19 10:39:47 -03:00
|
|
|
|
2025-08-22 14:59:57 -03:00
|
|
|
let mut output_index = 0;
|
2025-08-18 07:39:41 -03:00
|
|
|
for i in 0..n_accounts {
|
2025-08-19 10:39:47 -03:00
|
|
|
match visibility_mask[i] {
|
|
|
|
|
0 => {
|
2025-08-22 18:49:46 -03:00
|
|
|
// Public account
|
|
|
|
|
public_pre_states.push(pre_states[i].clone());
|
|
|
|
|
|
2025-11-18 00:04:53 -03:00
|
|
|
let mut post = state_diff.get(&pre_states[i].account_id).unwrap().clone();
|
2025-12-11 08:59:28 -05:00
|
|
|
|
2025-08-22 14:59:57 -03:00
|
|
|
if post.program_owner == DEFAULT_PROGRAM_ID {
|
|
|
|
|
// Claim account
|
|
|
|
|
post.program_owner = program_id;
|
|
|
|
|
}
|
|
|
|
|
public_post_states.push(post);
|
2025-08-18 07:39:41 -03:00
|
|
|
}
|
2025-08-19 10:39:47 -03:00
|
|
|
1 | 2 => {
|
|
|
|
|
let new_nonce = private_nonces_iter.next().expect("Missing private nonce");
|
2025-08-27 18:02:10 -03:00
|
|
|
let (npk, shared_secret) = private_keys_iter.next().expect("Missing keys");
|
2025-08-19 10:39:47 -03:00
|
|
|
|
2025-09-12 09:18:40 -03:00
|
|
|
if AccountId::from(npk) != pre_states[i].account_id {
|
|
|
|
|
panic!("AccountId mismatch");
|
2025-09-10 18:56:34 -03:00
|
|
|
}
|
|
|
|
|
|
2025-08-19 10:39:47 -03:00
|
|
|
if visibility_mask[i] == 1 {
|
|
|
|
|
// Private account with authentication
|
2025-11-14 01:28:34 -03:00
|
|
|
let nsk = private_nsks_iter.next().expect("Missing nsk");
|
|
|
|
|
|
2025-08-27 18:23:56 -03:00
|
|
|
// Verify the nullifier public key
|
2025-08-27 18:02:10 -03:00
|
|
|
let expected_npk = NullifierPublicKey::from(nsk);
|
|
|
|
|
if &expected_npk != npk {
|
|
|
|
|
panic!("Nullifier public key mismatch");
|
2025-08-19 10:39:47 -03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check pre_state authorization
|
|
|
|
|
if !pre_states[i].is_authorized {
|
|
|
|
|
panic!("Pre-state not authorized");
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-12 16:53:30 +03:00
|
|
|
let membership_proof_opt = private_membership_proofs_iter
|
|
|
|
|
.next()
|
|
|
|
|
.expect("Missing membership proof");
|
|
|
|
|
let (nullifier, set_digest) = membership_proof_opt
|
|
|
|
|
.as_ref()
|
|
|
|
|
.map(|membership_proof| {
|
|
|
|
|
// Compute commitment set digest associated with provided auth path
|
|
|
|
|
let commitment_pre = Commitment::new(npk, &pre_states[i].account);
|
|
|
|
|
let set_digest =
|
|
|
|
|
compute_digest_for_path(&commitment_pre, membership_proof);
|
|
|
|
|
|
|
|
|
|
// Compute update nullifier
|
|
|
|
|
let nullifier = Nullifier::for_account_update(&commitment_pre, nsk);
|
|
|
|
|
(nullifier, set_digest)
|
|
|
|
|
})
|
|
|
|
|
.unwrap_or_else(|| {
|
|
|
|
|
if pre_states[i].account != Account::default() {
|
|
|
|
|
panic!("Found new private account with non default values.");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Compute initialization nullifier
|
|
|
|
|
let nullifier = Nullifier::for_account_initialization(npk);
|
|
|
|
|
(nullifier, DUMMY_COMMITMENT_HASH)
|
|
|
|
|
});
|
2025-08-25 09:22:59 -03:00
|
|
|
new_nullifiers.push((nullifier, set_digest));
|
2025-08-19 10:39:47 -03:00
|
|
|
} else {
|
2025-12-12 16:53:30 +03:00
|
|
|
// Private account without authentication
|
2025-08-19 12:52:52 -03:00
|
|
|
if pre_states[i].account != Account::default() {
|
|
|
|
|
panic!("Found new private account with non default values.");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if pre_states[i].is_authorized {
|
|
|
|
|
panic!("Found new private account marked as authorized.");
|
2025-08-19 10:39:47 -03:00
|
|
|
}
|
2025-10-03 20:44:29 -03:00
|
|
|
|
2025-12-12 16:53:30 +03:00
|
|
|
let membership_proof_opt = private_membership_proofs_iter
|
|
|
|
|
.next()
|
|
|
|
|
.expect("Missing membership proof");
|
|
|
|
|
assert!(
|
|
|
|
|
membership_proof_opt.is_none(),
|
|
|
|
|
"Membership proof must be None for unauthorized accounts"
|
|
|
|
|
);
|
2025-10-03 20:44:29 -03:00
|
|
|
let nullifier = Nullifier::for_account_initialization(npk);
|
|
|
|
|
new_nullifiers.push((nullifier, DUMMY_COMMITMENT_HASH));
|
2025-08-19 10:39:47 -03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update post-state with new nonce
|
2025-11-18 00:04:53 -03:00
|
|
|
let mut post_with_updated_values =
|
|
|
|
|
state_diff.get(&pre_states[i].account_id).unwrap().clone();
|
2025-08-21 14:32:57 -03:00
|
|
|
post_with_updated_values.nonce = *new_nonce;
|
|
|
|
|
|
|
|
|
|
if post_with_updated_values.program_owner == DEFAULT_PROGRAM_ID {
|
2025-08-21 15:52:35 -03:00
|
|
|
// Claim account
|
2025-08-21 14:32:57 -03:00
|
|
|
post_with_updated_values.program_owner = program_id;
|
|
|
|
|
}
|
2025-08-19 10:39:47 -03:00
|
|
|
|
2025-08-21 15:52:35 -03:00
|
|
|
// Compute commitment
|
2025-08-27 18:02:10 -03:00
|
|
|
let commitment_post = Commitment::new(npk, &post_with_updated_values);
|
2025-08-19 10:39:47 -03:00
|
|
|
|
|
|
|
|
// Encrypt and push post state
|
2025-08-26 14:53:02 -03:00
|
|
|
let encrypted_account = EncryptionScheme::encrypt(
|
2025-08-22 14:59:57 -03:00
|
|
|
&post_with_updated_values,
|
2025-08-25 14:51:46 -03:00
|
|
|
shared_secret,
|
2025-08-26 14:14:08 -03:00
|
|
|
&commitment_post,
|
2025-08-22 14:59:57 -03:00
|
|
|
output_index,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
new_commitments.push(commitment_post);
|
2025-08-25 14:51:46 -03:00
|
|
|
ciphertexts.push(encrypted_account);
|
2025-08-22 14:59:57 -03:00
|
|
|
output_index += 1;
|
2025-08-19 10:39:47 -03:00
|
|
|
}
|
|
|
|
|
_ => panic!("Invalid visibility mask value"),
|
2025-08-18 07:39:41 -03:00
|
|
|
}
|
|
|
|
|
}
|
2025-10-03 18:31:56 -03:00
|
|
|
|
2025-08-19 12:52:52 -03:00
|
|
|
if private_nonces_iter.next().is_some() {
|
2025-11-14 01:28:34 -03:00
|
|
|
panic!("Too many nonces");
|
2025-08-19 12:52:52 -03:00
|
|
|
}
|
2025-10-03 18:31:56 -03:00
|
|
|
|
2025-08-19 12:52:52 -03:00
|
|
|
if private_keys_iter.next().is_some() {
|
2025-11-14 01:28:34 -03:00
|
|
|
panic!("Too many private account keys");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if private_nsks_iter.next().is_some() {
|
|
|
|
|
panic!("Too many private account authentication keys");
|
2025-08-19 12:52:52 -03:00
|
|
|
}
|
|
|
|
|
|
2025-11-14 01:28:34 -03:00
|
|
|
if private_membership_proofs_iter.next().is_some() {
|
|
|
|
|
panic!("Too many private account membership proofs");
|
2025-08-19 12:52:52 -03:00
|
|
|
}
|
|
|
|
|
|
2025-08-18 07:39:41 -03:00
|
|
|
let output = PrivacyPreservingCircuitOutput {
|
|
|
|
|
public_pre_states,
|
|
|
|
|
public_post_states,
|
2025-08-25 14:51:46 -03:00
|
|
|
ciphertexts,
|
2025-08-18 07:39:41 -03:00
|
|
|
new_commitments,
|
|
|
|
|
new_nullifiers,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
env::commit(&output);
|
2025-10-03 18:31:56 -03:00
|
|
|
}
|
