mirror of
https://github.com/logos-co/nomos-pocs.git
synced 2025-01-11 18:04:22 +00:00
commit
5547b739c5
4
.gitmodules
vendored
4
.gitmodules
vendored
@ -1,3 +1,3 @@
|
||||
[submodule "proof_of_leadership/circom/circomlib"]
|
||||
path = proof_of_leadership/circom/circomlib
|
||||
[submodule "circomlib"]
|
||||
path = circom_circuits/circomlib
|
||||
url = https://github.com/iden3/circomlib.git
|
||||
|
197
circom_circuits/Jubjub/escalarmulanyJubjub.circom
Normal file
197
circom_circuits/Jubjub/escalarmulanyJubjub.circom
Normal file
@ -0,0 +1,197 @@
|
||||
/*
|
||||
Copyright 2018 0KIMS association.
|
||||
|
||||
This file is part of circom (Zero Knowledge Circuit Compiler).
|
||||
|
||||
circom is a free software: you can redistribute it and/or modify it
|
||||
under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
circom is distributed in the hope that it will be useful, but WITHOUT
|
||||
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
|
||||
License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
||||
*/
|
||||
pragma circom 2.0.0;
|
||||
|
||||
include "montgomeryJubjub.circom";
|
||||
include "jubjub.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/comparators.circom";
|
||||
|
||||
template Multiplexor2() {
|
||||
signal input sel;
|
||||
signal input in[2][2];
|
||||
signal output out[2];
|
||||
|
||||
out[0] <== (in[1][0] - in[0][0])*sel + in[0][0];
|
||||
out[1] <== (in[1][1] - in[0][1])*sel + in[0][1];
|
||||
}
|
||||
|
||||
template BitElementMulAny() {
|
||||
signal input sel;
|
||||
signal input dblIn[2];
|
||||
signal input addIn[2];
|
||||
signal output dblOut[2];
|
||||
signal output addOut[2];
|
||||
|
||||
component doubler = MontgomeryDouble();
|
||||
component adder = MontgomeryAdd();
|
||||
component selector = Multiplexor2();
|
||||
|
||||
|
||||
sel ==> selector.sel;
|
||||
|
||||
dblIn[0] ==> doubler.in[0];
|
||||
dblIn[1] ==> doubler.in[1];
|
||||
doubler.out[0] ==> adder.in1[0];
|
||||
doubler.out[1] ==> adder.in1[1];
|
||||
addIn[0] ==> adder.in2[0];
|
||||
addIn[1] ==> adder.in2[1];
|
||||
addIn[0] ==> selector.in[0][0];
|
||||
addIn[1] ==> selector.in[0][1];
|
||||
adder.out[0] ==> selector.in[1][0];
|
||||
adder.out[1] ==> selector.in[1][1];
|
||||
|
||||
doubler.out[0] ==> dblOut[0];
|
||||
doubler.out[1] ==> dblOut[1];
|
||||
selector.out[0] ==> addOut[0];
|
||||
selector.out[1] ==> addOut[1];
|
||||
}
|
||||
|
||||
// p is montgomery point
|
||||
// n must be <= 248
|
||||
// returns out in twisted edwards
|
||||
// Double is in montgomery to be linked;
|
||||
|
||||
template SegmentMulAny(n) {
|
||||
signal input e[n];
|
||||
signal input p[2];
|
||||
signal output out[2];
|
||||
signal output dbl[2];
|
||||
|
||||
component bits[n-1];
|
||||
|
||||
component e2m = Edwards2Montgomery();
|
||||
|
||||
p[0] ==> e2m.in[0];
|
||||
p[1] ==> e2m.in[1];
|
||||
|
||||
var i;
|
||||
|
||||
bits[0] = BitElementMulAny();
|
||||
e2m.out[0] ==> bits[0].dblIn[0];
|
||||
e2m.out[1] ==> bits[0].dblIn[1];
|
||||
e2m.out[0] ==> bits[0].addIn[0];
|
||||
e2m.out[1] ==> bits[0].addIn[1];
|
||||
e[1] ==> bits[0].sel;
|
||||
|
||||
for (i=1; i<n-1; i++) {
|
||||
bits[i] = BitElementMulAny();
|
||||
|
||||
bits[i-1].dblOut[0] ==> bits[i].dblIn[0];
|
||||
bits[i-1].dblOut[1] ==> bits[i].dblIn[1];
|
||||
bits[i-1].addOut[0] ==> bits[i].addIn[0];
|
||||
bits[i-1].addOut[1] ==> bits[i].addIn[1];
|
||||
e[i+1] ==> bits[i].sel;
|
||||
}
|
||||
|
||||
bits[n-2].dblOut[0] ==> dbl[0];
|
||||
bits[n-2].dblOut[1] ==> dbl[1];
|
||||
|
||||
component m2e = Montgomery2Edwards();
|
||||
|
||||
bits[n-2].addOut[0] ==> m2e.in[0];
|
||||
bits[n-2].addOut[1] ==> m2e.in[1];
|
||||
|
||||
component eadder = JubjubAdd();
|
||||
|
||||
m2e.out[0] ==> eadder.x1;
|
||||
m2e.out[1] ==> eadder.y1;
|
||||
-p[0] ==> eadder.x2;
|
||||
p[1] ==> eadder.y2;
|
||||
|
||||
component lastSel = Multiplexor2();
|
||||
|
||||
e[0] ==> lastSel.sel;
|
||||
eadder.xout ==> lastSel.in[0][0];
|
||||
eadder.yout ==> lastSel.in[0][1];
|
||||
m2e.out[0] ==> lastSel.in[1][0];
|
||||
m2e.out[1] ==> lastSel.in[1][1];
|
||||
|
||||
lastSel.out[0] ==> out[0];
|
||||
lastSel.out[1] ==> out[1];
|
||||
}
|
||||
|
||||
// This function assumes that p is in the subgroup and it is different to 0
|
||||
|
||||
template EscalarMulAny(n) {
|
||||
signal input e[n]; // Input in binary format
|
||||
signal input p[2]; // Point (Twisted format)
|
||||
signal output out[2]; // Point (Twisted format)
|
||||
|
||||
var nsegments = (n-1)\148 +1;
|
||||
var nlastsegment = n - (nsegments-1)*148;
|
||||
|
||||
component segments[nsegments];
|
||||
component doublers[nsegments-1];
|
||||
component m2e[nsegments-1];
|
||||
component adders[nsegments-1];
|
||||
component zeropoint = IsZero();
|
||||
zeropoint.in <== p[0];
|
||||
|
||||
var s;
|
||||
var i;
|
||||
var nseg;
|
||||
|
||||
for (s=0; s<nsegments; s++) {
|
||||
|
||||
nseg = (s < nsegments-1) ? 148 : nlastsegment;
|
||||
|
||||
segments[s] = SegmentMulAny(nseg);
|
||||
|
||||
for (i=0; i<nseg; i++) {
|
||||
e[s*148+i] ==> segments[s].e[i];
|
||||
}
|
||||
|
||||
if (s==0) {
|
||||
// force G8 point if input point is zero
|
||||
segments[s].p[0] <== p[0] + (0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b - p[0])*zeropoint.out;
|
||||
segments[s].p[1] <== p[1] + (0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa - p[1])*zeropoint.out;
|
||||
} else {
|
||||
doublers[s-1] = MontgomeryDouble();
|
||||
m2e[s-1] = Montgomery2Edwards();
|
||||
adders[s-1] = JubjubAdd();
|
||||
|
||||
segments[s-1].dbl[0] ==> doublers[s-1].in[0];
|
||||
segments[s-1].dbl[1] ==> doublers[s-1].in[1];
|
||||
|
||||
doublers[s-1].out[0] ==> m2e[s-1].in[0];
|
||||
doublers[s-1].out[1] ==> m2e[s-1].in[1];
|
||||
|
||||
m2e[s-1].out[0] ==> segments[s].p[0];
|
||||
m2e[s-1].out[1] ==> segments[s].p[1];
|
||||
|
||||
if (s==1) {
|
||||
segments[s-1].out[0] ==> adders[s-1].x1;
|
||||
segments[s-1].out[1] ==> adders[s-1].y1;
|
||||
} else {
|
||||
adders[s-2].xout ==> adders[s-1].x1;
|
||||
adders[s-2].yout ==> adders[s-1].y1;
|
||||
}
|
||||
segments[s].out[0] ==> adders[s-1].x2;
|
||||
segments[s].out[1] ==> adders[s-1].y2;
|
||||
}
|
||||
}
|
||||
|
||||
if (nsegments == 1) {
|
||||
segments[0].out[0]*(1-zeropoint.out) ==> out[0];
|
||||
segments[0].out[1]+(1-segments[0].out[1])*zeropoint.out ==> out[1];
|
||||
} else {
|
||||
adders[nsegments-2].xout*(1-zeropoint.out) ==> out[0];
|
||||
adders[nsegments-2].yout+(1-adders[nsegments-2].yout)*zeropoint.out ==> out[1];
|
||||
}
|
||||
}
|
63
circom_circuits/Jubjub/jubjub.circom
Normal file
63
circom_circuits/Jubjub/jubjub.circom
Normal file
@ -0,0 +1,63 @@
|
||||
/*
|
||||
Copyright 2018 0KIMS association.
|
||||
|
||||
This file is part of circom (Zero Knowledge Circuit Compiler).
|
||||
|
||||
circom is a free software: you can redistribute it and/or modify it
|
||||
under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
circom is distributed in the hope that it will be useful, but WITHOUT
|
||||
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
|
||||
License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
||||
*/
|
||||
pragma circom 2.1.9;
|
||||
|
||||
template JubjubAdd() {
|
||||
signal input x1;
|
||||
signal input y1;
|
||||
signal input x2;
|
||||
signal input y2;
|
||||
signal output xout;
|
||||
signal output yout;
|
||||
|
||||
signal beta;
|
||||
signal gamma;
|
||||
signal delta;
|
||||
signal tau;
|
||||
|
||||
var a = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000;
|
||||
var d = 0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1;
|
||||
|
||||
beta <== x1*y2;
|
||||
gamma <== y1*x2;
|
||||
delta <== (-a*x1+y1)*(x2 + y2);
|
||||
tau <== beta * gamma;
|
||||
|
||||
xout <-- (beta + gamma) / (1+ d*tau);
|
||||
(1+ d*tau) * xout === (beta + gamma);
|
||||
|
||||
yout <-- (delta + a*beta - gamma) / (1-d*tau);
|
||||
(1-d*tau)*yout === (delta + a*beta - gamma);
|
||||
}
|
||||
|
||||
template JubjubDbl() {
|
||||
signal input x;
|
||||
signal input y;
|
||||
signal output xout;
|
||||
signal output yout;
|
||||
|
||||
component adder = JubjubAdd();
|
||||
adder.x1 <== x;
|
||||
adder.y1 <== y;
|
||||
adder.x2 <== x;
|
||||
adder.y2 <== y;
|
||||
|
||||
adder.xout ==> xout;
|
||||
adder.yout ==> yout;
|
||||
}
|
142
circom_circuits/Jubjub/montgomeryJubjub.circom
Normal file
142
circom_circuits/Jubjub/montgomeryJubjub.circom
Normal file
@ -0,0 +1,142 @@
|
||||
/*
|
||||
Copyright 2018 0KIMS association.
|
||||
|
||||
This file is part of circom (Zero Knowledge Circuit Compiler).
|
||||
|
||||
circom is a free software: you can redistribute it and/or modify it
|
||||
under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
circom is distributed in the hope that it will be useful, but WITHOUT
|
||||
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
|
||||
License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
/*
|
||||
Source: https://en.wikipedia.org/wiki/Montgomery_curve
|
||||
|
||||
1 + y 1 + y
|
||||
[u, v] = [ ------- , ---------- ]
|
||||
1 - y (1 - y)x
|
||||
|
||||
*/
|
||||
pragma circom 2.0.0;
|
||||
|
||||
template Edwards2Montgomery() {
|
||||
signal input in[2];
|
||||
signal output out[2];
|
||||
|
||||
out[0] <-- (1 + in[1]) / (1 - in[1]);
|
||||
out[1] <-- out[0] / in[0];
|
||||
|
||||
|
||||
out[0] * (1-in[1]) === (1 + in[1]);
|
||||
out[1] * in[0] === out[0];
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
u u - 1
|
||||
[x, y] = [ ---, ------- ]
|
||||
v u + 1
|
||||
|
||||
*/
|
||||
template Montgomery2Edwards() {
|
||||
signal input in[2];
|
||||
signal output out[2];
|
||||
|
||||
out[0] <-- in[0] / in[1];
|
||||
out[1] <-- (in[0] - 1) / (in[0] + 1);
|
||||
|
||||
out[0] * in[1] === in[0];
|
||||
out[1] * (in[0] + 1) === in[0] - 1;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
x2 - x1
|
||||
lamda = ---------
|
||||
y2 - y1
|
||||
|
||||
x3 + A + x1 + x2
|
||||
x3 = B * lamda^2 - A - x1 -x2 => lamda^2 = ------------------
|
||||
B
|
||||
|
||||
y3 = (2*x1 + x2 + A)*lamda - B*lamda^3 - y1 =>
|
||||
|
||||
|
||||
=> y3 = lamda * ( 2*x1 + x2 + A - x3 - A - x1 - x2) - y1 =>
|
||||
|
||||
=> y3 = lamda * ( x1 - x3 ) - y1
|
||||
|
||||
----------
|
||||
|
||||
y2 - y1
|
||||
lamda = ---------
|
||||
x2 - x1
|
||||
|
||||
x3 = B * lamda^2 - A - x1 -x2
|
||||
|
||||
y3 = lamda * ( x1 - x3 ) - y1
|
||||
|
||||
*/
|
||||
|
||||
template MontgomeryAdd() {
|
||||
signal input in1[2];
|
||||
signal input in2[2];
|
||||
signal output out[2];
|
||||
|
||||
var a = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000;
|
||||
var d = 0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1;
|
||||
|
||||
var A = (2 * (a + d)) / (a - d);
|
||||
var B = 4 / (a - d);
|
||||
|
||||
signal lamda;
|
||||
|
||||
lamda <-- (in2[1] - in1[1]) / (in2[0] - in1[0]);
|
||||
lamda * (in2[0] - in1[0]) === (in2[1] - in1[1]);
|
||||
|
||||
out[0] <== B*lamda*lamda - A - in1[0] -in2[0];
|
||||
out[1] <== lamda * (in1[0] - out[0]) - in1[1];
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
x1_2 = x1*x1
|
||||
|
||||
3*x1_2 + 2*A*x1 + 1
|
||||
lamda = ---------------------
|
||||
2*B*y1
|
||||
|
||||
x3 = B * lamda^2 - A - x1 -x1
|
||||
|
||||
y3 = lamda * ( x1 - x3 ) - y1
|
||||
|
||||
*/
|
||||
template MontgomeryDouble() {
|
||||
signal input in[2];
|
||||
signal output out[2];
|
||||
|
||||
var a = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000;
|
||||
var d = 0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1;
|
||||
|
||||
var A = (2 * (a + d)) / (a - d);
|
||||
var B = 4 / (a - d);
|
||||
|
||||
signal lamda;
|
||||
signal x1_2;
|
||||
|
||||
x1_2 <== in[0] * in[0];
|
||||
|
||||
lamda <-- (3*x1_2 + 2*A*in[0] + 1 ) / (2*B*in[1]);
|
||||
lamda * (2*B*in[1]) === (3*x1_2 + 2*A*in[0] + 1 );
|
||||
|
||||
out[0] <== B*lamda*lamda - A - 2*in[0];
|
||||
out[1] <== lamda * (in[0] - out[0]) - in[1];
|
||||
}
|
@ -1,10 +1,10 @@
|
||||
//test
|
||||
pragma circom 2.1.9;
|
||||
|
||||
include "anemoi/anemoi_2_to_1_Jubjub.circom";
|
||||
include "anemoi/anemoi_4_to_1_Jubjub.circom";
|
||||
include "anemoi/anemoi_16_to_1_Jubjub.circom";
|
||||
include "../../circomlib-master/circuits/bitify.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_2_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_4_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_16_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/bitify.circom";
|
||||
|
||||
template BLSLessThan(n) {
|
||||
assert(n <= 253);
|
||||
@ -158,7 +158,7 @@ template nullifier_computer(){
|
||||
nullifier <== hash.out;
|
||||
}
|
||||
|
||||
template commitment_computer(){
|
||||
template commitment_computer(){ // TODO: ensure all field are hash
|
||||
signal input note_nonce;
|
||||
signal input nullifier_public_key;
|
||||
signal input value;
|
||||
|
@ -1,11 +1,11 @@
|
||||
//test
|
||||
pragma circom 2.1.9;
|
||||
|
||||
include "anemoi/anemoi_2_to_1_Jubjub.circom";
|
||||
include "anemoi/anemoi_4_to_1_Jubjub.circom";
|
||||
include "anemoi/anemoi_16_to_1_Jubjub.circom";
|
||||
include "../../circomlib-master/circuits/bitify.circom";
|
||||
include "../../circomlib-master/circuits/sha256/sha256.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_2_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_4_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_16_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/bitify.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/sha256/sha256.circom";
|
||||
|
||||
template BLSLessThan(n) {
|
||||
assert(n <= 253);
|
||||
@ -174,7 +174,7 @@ template nullifier_computer(){
|
||||
nullifier <== hash.out;
|
||||
}
|
||||
|
||||
template commitment_computer(){
|
||||
template commitment_computer(){ // TODO: ensure all field are hash
|
||||
signal input note_nonce;
|
||||
signal input nullifier_public_key;
|
||||
signal input value;
|
||||
|
@ -1,10 +1,10 @@
|
||||
//test
|
||||
pragma circom 2.1.9;
|
||||
|
||||
include "poseidon/poseidon_2_to_1_Jubjub.circom";
|
||||
include "poseidon/poseidon_4_to_1_Jubjub.circom";
|
||||
include "poseidon/poseidon_16_to_1_Jubjub.circom";
|
||||
include "../../circomlib-master/circuits/bitify.circom";
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_2_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_4_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_16_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/bitify.circom";
|
||||
|
||||
template BLSLessThan(n) {
|
||||
assert(n <= 253);
|
||||
@ -158,7 +158,7 @@ template nullifier_computer(){
|
||||
nullifier <== hash.out;
|
||||
}
|
||||
|
||||
template commitment_computer(){
|
||||
template commitment_computer(){ // TODO: ensure all field are hash
|
||||
signal input note_nonce;
|
||||
signal input nullifier_public_key;
|
||||
signal input value;
|
||||
|
@ -1,11 +1,11 @@
|
||||
//test
|
||||
pragma circom 2.1.9;
|
||||
|
||||
include "poseidon/poseidon_2_to_1_Jubjub.circom";
|
||||
include "poseidon/poseidon_4_to_1_Jubjub.circom";
|
||||
include "poseidon/poseidon_16_to_1_Jubjub.circom";
|
||||
include "../../circomlib-master/circuits/bitify.circom";
|
||||
include "../../circomlib-master/circuits/sha256/sha256.circom";
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_2_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_4_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_16_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/bitify.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/sha256/sha256.circom";
|
||||
|
||||
template BLSLessThan(n) {
|
||||
assert(n <= 253);
|
||||
@ -175,7 +175,7 @@ template nullifier_computer(){
|
||||
nullifier <== hash.out;
|
||||
}
|
||||
|
||||
template commitment_computer(){
|
||||
template commitment_computer(){ // TODO: ensure all field are hash
|
||||
signal input note_nonce;
|
||||
signal input nullifier_public_key;
|
||||
signal input value;
|
||||
|
@ -1,8 +1,8 @@
|
||||
//test
|
||||
pragma circom 2.1.9;
|
||||
|
||||
include "../../circomlib-master/circuits/sha256/sha256.circom";
|
||||
include "../../circomlib-master/circuits/bitify.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/sha256/sha256.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/bitify.circom";
|
||||
|
||||
template BLSLessThan(n) {
|
||||
assert(n <= 253);
|
||||
@ -236,7 +236,7 @@ template nullifier_computer(){
|
||||
}
|
||||
}
|
||||
|
||||
template commitment_computer(){
|
||||
template commitment_computer(){ // TODO: ensure all field are hash
|
||||
signal input note_nonce[256];
|
||||
signal input nullifier_public_key[256];
|
||||
signal input v[256];
|
||||
|
@ -0,0 +1,6 @@
|
||||
{
|
||||
"cells": [],
|
||||
"metadata": {},
|
||||
"nbformat": 4,
|
||||
"nbformat_minor": 5
|
||||
}
|
1383
proof_of_validator/circom/generate_inputs.py
Executable file
1383
proof_of_validator/circom/generate_inputs.py
Executable file
File diff suppressed because it is too large
Load Diff
209
proof_of_validator/circom/validator_Caulk.circom
Normal file
209
proof_of_validator/circom/validator_Caulk.circom
Normal file
@ -0,0 +1,209 @@
|
||||
//test
|
||||
pragma circom 2.1.9;
|
||||
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_2_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_4_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_16_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/bitify.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/comparators.circom";
|
||||
include "../../circom_circuits/Jubjub/escalarmulanyJubjub.circom";
|
||||
include "../../circom_circuits/Jubjub/jubjub.circom";
|
||||
|
||||
template BLSLessThan(n) {
|
||||
assert(n <= 253);
|
||||
signal input in[2];
|
||||
signal output out;
|
||||
|
||||
component n2b = Num2Bits(n+1);
|
||||
|
||||
n2b.in <== in[0]+ (1<<n) - in[1];
|
||||
|
||||
out <== 1-n2b.out[n];
|
||||
}
|
||||
|
||||
template BLSNum2Bits_strict() {
|
||||
signal input in;
|
||||
signal output out[255];
|
||||
|
||||
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); // -1 - 2**254 (p-1 without its first bit)
|
||||
component n2b = Num2Bits(255);
|
||||
in ==> n2b.in;
|
||||
|
||||
for (var i=0; i<255; i++) {
|
||||
n2b.out[i] ==> out[i];
|
||||
if(i != 0){
|
||||
n2b.out[i] ==> check_range.in[i-1];
|
||||
}
|
||||
}
|
||||
|
||||
check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255
|
||||
}
|
||||
|
||||
template check_bits(n){
|
||||
signal input bits[n];
|
||||
for(var i=0; i<n; i++){
|
||||
bits[i] * (1-bits[i]) === 0;
|
||||
}
|
||||
}
|
||||
|
||||
template commitment_computer(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_public_key;
|
||||
signal input value;
|
||||
signal input constraints;
|
||||
signal input unit;
|
||||
signal input state;
|
||||
signal output commitment;
|
||||
|
||||
component hash = hash_16_to_1();
|
||||
|
||||
//The b"coin-commitment" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 516297089516239580383111224192495220;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_public_key;
|
||||
hash.in[3] <== value;
|
||||
hash.in[4] <== constraints;
|
||||
hash.in[5] <== unit;
|
||||
hash.in[6] <== state;
|
||||
for(var i=7; i<16; i++){
|
||||
hash.in[i] <== 0;
|
||||
}
|
||||
|
||||
commitment <== hash.out;
|
||||
}
|
||||
|
||||
template nonce_updater(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_secret_key;
|
||||
signal output updated_nonce;
|
||||
|
||||
component hash = hash_4_to_1();
|
||||
|
||||
//The b"coin-evolve" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 120209783668687835891529317;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_secret_key;
|
||||
hash.in[3] <== 0;
|
||||
|
||||
updated_nonce <== hash.out;
|
||||
}
|
||||
|
||||
template nullifier_computer(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_secret_key;
|
||||
signal input value;
|
||||
signal output nullifier;
|
||||
|
||||
component hash = hash_4_to_1();
|
||||
|
||||
//The b"coin-nullifier" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 2016785505923014207119328528655730;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_secret_key;
|
||||
hash.in[3] <== value;
|
||||
|
||||
nullifier <== hash.out;
|
||||
}
|
||||
|
||||
template membership_checker(){
|
||||
signal input note_commitment;
|
||||
signal input pedersen_randomness;
|
||||
signal input pedersen_commitment[2];
|
||||
signal input h_curve_point[2];
|
||||
|
||||
component note_commitment_bitifier = Num2Bits(255);
|
||||
component pedersen_randomness_bitifier = BLSNum2Bits_strict();
|
||||
note_commitment_bitifier.in <== note_commitment;
|
||||
pedersen_randomness_bitifier.in <== pedersen_randomness;
|
||||
|
||||
// A is note_cm * G and B is r * H
|
||||
component A = EscalarMulAny(255);
|
||||
component B = EscalarMulAny(255);
|
||||
|
||||
A.p[0] <== 0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b;
|
||||
A.p[1] <== 0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa;
|
||||
B.p[0] <== h_curve_point[0];
|
||||
B.p[1] <== h_curve_point[1];
|
||||
for(var i =0; i<255; i++){
|
||||
A.e[i] <== note_commitment_bitifier.out[i];
|
||||
B.e[i] <== pedersen_randomness_bitifier.out[i];
|
||||
}
|
||||
|
||||
component pedersen = JubjubAdd();
|
||||
pedersen.x1 <== A.out[0];
|
||||
pedersen.y1 <== A.out[1];
|
||||
pedersen.x2 <== B.out[0];
|
||||
pedersen.y2 <== B.out[1];
|
||||
|
||||
pedersen.xout === pedersen_commitment[0];
|
||||
pedersen.yout === pedersen_commitment[1];
|
||||
|
||||
}
|
||||
|
||||
template caulk_proof_of_validator(minimum_stake){ //TODO: put minimum_stake in the input to change it dynamically
|
||||
signal input pedersen_commitment[2];
|
||||
signal input h_curve_point[2];
|
||||
|
||||
// Note variables
|
||||
signal input constraints; // Every note field represented as F_p elements for now (constraints are represented by their Merkle root)
|
||||
signal input value; // 0 if no more notes needed
|
||||
signal input unit;
|
||||
signal input state; // This field hold the identity of the owner (its public key or ID) and is revealed
|
||||
signal input note_nonce;
|
||||
signal input nullifier_secret_key;
|
||||
|
||||
signal input pedersen_randomness;
|
||||
|
||||
signal output nullifiers;
|
||||
signal output updated_commiments;
|
||||
|
||||
// Compute the note commitments
|
||||
component note_committer = commitment_computer();
|
||||
note_committer.note_nonce <== note_nonce;
|
||||
note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
|
||||
note_committer.value <== value;
|
||||
note_committer.constraints <== constraints;
|
||||
note_committer.unit <== unit;
|
||||
note_committer.state <== state;
|
||||
|
||||
// Check the commitments membership
|
||||
component membership_checker = membership_checker();
|
||||
membership_checker.note_commitment <== note_committer.commitment;
|
||||
membership_checker.pedersen_randomness <== pedersen_randomness;
|
||||
membership_checker.pedersen_commitment[0] <== pedersen_commitment[0];
|
||||
membership_checker.pedersen_commitment[1] <== pedersen_commitment[1];
|
||||
membership_checker.h_curve_point[0] <== h_curve_point[0];
|
||||
membership_checker.h_curve_point[1] <== h_curve_point[1];
|
||||
|
||||
// Check that the value exceed the minimum stake
|
||||
component isLess = BLSLessThan(253);
|
||||
isLess.in[0] <== minimum_stake;
|
||||
isLess.in[1] <== value;
|
||||
isLess.out === 1;
|
||||
|
||||
// Compute the note nullifiers
|
||||
component nullifier_computer = nullifier_computer();
|
||||
nullifier_computer.note_nonce <== note_nonce;
|
||||
nullifier_computer.nullifier_secret_key <== nullifier_secret_key;
|
||||
nullifier_computer.value <== value;
|
||||
nullifiers <== nullifier_computer.nullifier;
|
||||
|
||||
// Compute the evolved nonces
|
||||
component nonce_updater = nonce_updater();
|
||||
nonce_updater.note_nonce <== note_nonce;
|
||||
nonce_updater.nullifier_secret_key <== nullifier_secret_key;
|
||||
|
||||
// Compute the new note commitments
|
||||
component updated_note_committer = commitment_computer();
|
||||
updated_note_committer.note_nonce <== nonce_updater.updated_nonce;
|
||||
updated_note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
|
||||
updated_note_committer.value <== value;
|
||||
updated_note_committer.constraints <== constraints;
|
||||
updated_note_committer.unit <== unit;
|
||||
updated_note_committer.state <== state;
|
||||
updated_commiments <== updated_note_committer.commitment;
|
||||
|
||||
}
|
||||
|
||||
|
||||
component main {public [state,pedersen_commitment,h_curve_point]} = caulk_proof_of_validator(10000);
|
226
proof_of_validator/circom/validator_anemoi.circom
Normal file
226
proof_of_validator/circom/validator_anemoi.circom
Normal file
@ -0,0 +1,226 @@
|
||||
//test
|
||||
pragma circom 2.1.9;
|
||||
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_2_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_4_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/anemoi/anemoi_16_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/bitify.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/comparators.circom";
|
||||
|
||||
template BLSLessThan(n) {
|
||||
assert(n <= 253);
|
||||
signal input in[2];
|
||||
signal output out;
|
||||
|
||||
component n2b = Num2Bits(n+1);
|
||||
|
||||
n2b.in <== in[0]+ (1<<n) - in[1];
|
||||
|
||||
out <== 1-n2b.out[n];
|
||||
}
|
||||
|
||||
template check_bits(n){
|
||||
signal input bits[n];
|
||||
for(var i=0; i<n; i++){
|
||||
bits[i] * (1-bits[i]) === 0;
|
||||
}
|
||||
}
|
||||
|
||||
template commitment_computer(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_public_key;
|
||||
signal input value;
|
||||
signal input constraints;
|
||||
signal input unit;
|
||||
signal input state;
|
||||
signal output commitment;
|
||||
|
||||
component hash = hash_16_to_1();
|
||||
|
||||
//The b"coin-commitment" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 516297089516239580383111224192495220;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_public_key;
|
||||
hash.in[3] <== value;
|
||||
hash.in[4] <== constraints;
|
||||
hash.in[5] <== unit;
|
||||
hash.in[6] <== state;
|
||||
for(var i=7; i<16; i++){
|
||||
hash.in[i] <== 0;
|
||||
}
|
||||
|
||||
commitment <== hash.out;
|
||||
}
|
||||
|
||||
template nonce_updater(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_secret_key;
|
||||
signal output updated_nonce;
|
||||
|
||||
component hash = hash_4_to_1();
|
||||
|
||||
//The b"coin-evolve" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 120209783668687835891529317;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_secret_key;
|
||||
hash.in[3] <== 0;
|
||||
|
||||
updated_nonce <== hash.out;
|
||||
}
|
||||
|
||||
template nullifier_computer(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_secret_key;
|
||||
signal input value;
|
||||
signal output nullifier;
|
||||
|
||||
component hash = hash_4_to_1();
|
||||
|
||||
//The b"coin-nullifier" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 2016785505923014207119328528655730;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_secret_key;
|
||||
hash.in[3] <== value;
|
||||
|
||||
nullifier <== hash.out;
|
||||
}
|
||||
|
||||
template membership_checker(){
|
||||
signal input leaf; //The note commitment
|
||||
signal input root; //The root of the Merkle Tree (of depth 32)
|
||||
signal input index[32]; //Position of the note commitment in bits in big endian
|
||||
signal input node[32]; //Complementary hashes
|
||||
signal input is_null; //If is_null is 1 we don't check the membership (any value of node and index will be correct)
|
||||
|
||||
component hash[32];
|
||||
|
||||
for(var i=0; i<32; i++){
|
||||
hash[i] = hash_2_to_1();
|
||||
}
|
||||
|
||||
hash[0].in[0] <== leaf - index[31] * (leaf - node[0]);
|
||||
hash[0].in[1] <== node[0] - index[31] * (node[0] - leaf);
|
||||
|
||||
for(var i=1; i<32; i++){
|
||||
hash[i].in[0] <== hash[i-1].out - index[31-i] * (hash[i-1].out - node[i]);
|
||||
hash[i].in[1] <== node[i] - index[31-i] * (node[i] - hash[i-1].out);
|
||||
}
|
||||
|
||||
root === hash[31].out * (1 - is_null);
|
||||
|
||||
}
|
||||
|
||||
template anemoi_proof_of_validator(max_notes){
|
||||
signal input commitments_root;
|
||||
signal input minimum_stake;
|
||||
|
||||
// Note variables
|
||||
signal input constraints[max_notes]; // Every note field represented as F_p elements for now (constraints are represented by their Merkle root)
|
||||
signal input value[max_notes]; // 0 if no more notes needed
|
||||
signal input unit[max_notes];
|
||||
signal input state[max_notes]; // This field hold the identity of the owner (its public key or ID)
|
||||
signal input note_nonce[max_notes];
|
||||
signal input nullifier_secret_key[max_notes];
|
||||
signal input index[max_notes][32]; //Position of the note commitment in bits in big endian
|
||||
signal input nodes[max_notes][32]; //Merkle proof of the commitment
|
||||
|
||||
signal output identity;
|
||||
signal output nullifiers[max_notes];
|
||||
signal output updated_commiments[max_notes];
|
||||
|
||||
|
||||
// Check that index inputs are indeed bits
|
||||
component bit_checker[max_notes];
|
||||
for(var i=0; i<max_notes; i++){
|
||||
bit_checker[i] = check_bits(32);
|
||||
for(var j=0; j<32; j++){
|
||||
bit_checker[i].bits[j] <== index[i][j];
|
||||
}
|
||||
}
|
||||
|
||||
// Compute the note commitments
|
||||
component note_committer[max_notes];
|
||||
for(var i=0; i<max_notes; i++){
|
||||
note_committer[i] = commitment_computer();
|
||||
note_committer[i].note_nonce <== note_nonce[i];
|
||||
note_committer[i].nullifier_public_key <== nullifier_secret_key[i]; // TODO: reflect the nullifier public key computation later when defined
|
||||
note_committer[i].value <== value[i];
|
||||
note_committer[i].constraints <== constraints[i];
|
||||
note_committer[i].unit <== unit[i];
|
||||
note_committer[i].state <== state[i];
|
||||
}
|
||||
|
||||
//check the identity between the notes
|
||||
identity <== state[0]; // The first note must not be null
|
||||
component is_null[max_notes];
|
||||
is_null[0] = IsZero();
|
||||
is_null[0].in <== value[0];
|
||||
is_null[0].out === 0;
|
||||
signal intermediate[max_notes-1];
|
||||
for(var i=1; i<max_notes; i++){
|
||||
is_null[i] = IsZero();
|
||||
is_null[i].in <== value[i];
|
||||
intermediate[i-1] <== identity * (1 - is_null[i].out);
|
||||
intermediate[i-1] === state[i] * (1 - is_null[i].out);
|
||||
}
|
||||
|
||||
// Check the commitments membership
|
||||
component membership_checker[max_notes];
|
||||
for(var i=0; i<max_notes; i++){
|
||||
membership_checker[i] = membership_checker();
|
||||
membership_checker[i].leaf <== note_committer[i].commitment;
|
||||
membership_checker[i].root <== commitments_root * (1- is_null[i].out); // Set the root at 0 is note is null
|
||||
membership_checker[i].is_null <== is_null[i].out;
|
||||
for(var j =0; j<32; j++){
|
||||
membership_checker[i].index[j] <== index[i][j];
|
||||
membership_checker[i].node[j] <== nodes[i][j];
|
||||
}
|
||||
}
|
||||
|
||||
// Check that the value exceed the minimum stake
|
||||
signal sum[max_notes-1];
|
||||
sum[0] <== value[0] + value[1];
|
||||
for(var i = 1; i<max_notes-1; i++){
|
||||
sum[i] <== sum[i-1] + value[i+1];
|
||||
}
|
||||
component isLess = BLSLessThan(253);
|
||||
isLess.in[0] <== minimum_stake;
|
||||
isLess.in[1] <== sum[max_notes-2];
|
||||
isLess.out === 1;
|
||||
|
||||
|
||||
// Compute the note nullifiers
|
||||
component nullifier_computer[max_notes];
|
||||
for(var i=0; i<max_notes; i++){
|
||||
nullifier_computer[i] = nullifier_computer();
|
||||
nullifier_computer[i].note_nonce <== note_nonce[i];
|
||||
nullifier_computer[i].nullifier_secret_key <== nullifier_secret_key[i];
|
||||
nullifier_computer[i].value <== value[i];
|
||||
nullifiers[i] <== nullifier_computer[i].nullifier;
|
||||
}
|
||||
|
||||
// Compute the evolved nonces
|
||||
component nonce_updater[max_notes];
|
||||
for(var i=0; i<max_notes; i++) {
|
||||
nonce_updater[i] = nonce_updater();
|
||||
nonce_updater[i].note_nonce <== note_nonce[i];
|
||||
nonce_updater[i].nullifier_secret_key <== nullifier_secret_key[i];
|
||||
}
|
||||
|
||||
|
||||
// Compute the new note commitments
|
||||
component updated_note_committer[max_notes];
|
||||
for(var i=0; i<max_notes; i++) {
|
||||
updated_note_committer[i] = commitment_computer();
|
||||
updated_note_committer[i].note_nonce <== nonce_updater[i].updated_nonce;
|
||||
updated_note_committer[i].nullifier_public_key <== nullifier_secret_key[i]; // TODO: reflect the nullifier public key computation later when defined
|
||||
updated_note_committer[i].value <== value[i];
|
||||
updated_note_committer[i].constraints <== constraints[i];
|
||||
updated_note_committer[i].unit <== unit[i];
|
||||
updated_note_committer[i].state <== state[i];
|
||||
updated_commiments[i] <== updated_note_committer[i].commitment;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
component main {public [commitments_root, minimum_stake]} = anemoi_proof_of_validator(50);
|
227
proof_of_validator/circom/validator_poseidon.circom
Normal file
227
proof_of_validator/circom/validator_poseidon.circom
Normal file
@ -0,0 +1,227 @@
|
||||
//test
|
||||
pragma circom 2.1.9;
|
||||
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_2_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_4_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/hash/poseidon/poseidon_16_to_1_Jubjub.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/bitify.circom";
|
||||
include "../../circom_circuits/circomlib/circuits/comparators.circom";
|
||||
|
||||
template BLSLessThan(n) {
|
||||
assert(n <= 253);
|
||||
signal input in[2];
|
||||
signal output out;
|
||||
|
||||
component n2b = Num2Bits(n+1);
|
||||
|
||||
n2b.in <== in[0]+ (1<<n) - in[1];
|
||||
|
||||
out <== 1-n2b.out[n];
|
||||
}
|
||||
|
||||
template check_bits(n){
|
||||
signal input bits[n];
|
||||
for(var i=0; i<n; i++){
|
||||
bits[i] * (1-bits[i]) === 0;
|
||||
}
|
||||
}
|
||||
|
||||
template commitment_computer(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_public_key;
|
||||
signal input value;
|
||||
signal input constraints;
|
||||
signal input unit;
|
||||
signal input state;
|
||||
signal output commitment;
|
||||
|
||||
component hash = hash_16_to_1();
|
||||
|
||||
//The b"coin-commitment" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 516297089516239580383111224192495220;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_public_key;
|
||||
hash.in[3] <== value;
|
||||
hash.in[4] <== constraints;
|
||||
hash.in[5] <== unit;
|
||||
hash.in[6] <== state;
|
||||
for(var i=7; i<16; i++){
|
||||
hash.in[i] <== 0;
|
||||
}
|
||||
|
||||
commitment <== hash.out;
|
||||
}
|
||||
|
||||
template nullifier_computer(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_secret_key;
|
||||
signal input value;
|
||||
signal output nullifier;
|
||||
|
||||
component hash = hash_4_to_1();
|
||||
|
||||
//The b"coin-nullifier" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 2016785505923014207119328528655730;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_secret_key;
|
||||
hash.in[3] <== value;
|
||||
|
||||
nullifier <== hash.out;
|
||||
}
|
||||
|
||||
template nonce_updater(){
|
||||
signal input note_nonce;
|
||||
signal input nullifier_secret_key;
|
||||
signal output updated_nonce;
|
||||
|
||||
component hash = hash_4_to_1();
|
||||
|
||||
//The b"coin-evolve" Tag converted in F_p element (from bits with big endian order)
|
||||
hash.in[0] <== 120209783668687835891529317;
|
||||
hash.in[1] <== note_nonce;
|
||||
hash.in[2] <== nullifier_secret_key;
|
||||
hash.in[3] <== 0;
|
||||
|
||||
updated_nonce <== hash.out;
|
||||
}
|
||||
|
||||
template membership_checker(){
|
||||
signal input leaf; //The note commitment
|
||||
signal input root; //The root of the Merkle Tree (of depth 32)
|
||||
signal input index[32]; //Position of the note commitment in bits in big endian
|
||||
signal input node[32]; //Complementary hashes
|
||||
signal input is_null; //If is_null is 1 we don't check the membership (any value of node and index will be correct)
|
||||
|
||||
component hash[32];
|
||||
|
||||
for(var i=0; i<32; i++){
|
||||
hash[i] = hash_2_to_1();
|
||||
}
|
||||
|
||||
hash[0].in[0] <== leaf - index[31] * (leaf - node[0]);
|
||||
hash[0].in[1] <== node[0] - index[31] * (node[0] - leaf);
|
||||
|
||||
for(var i=1; i<32; i++){
|
||||
hash[i].in[0] <== hash[i-1].out - index[31-i] * (hash[i-1].out - node[i]);
|
||||
hash[i].in[1] <== node[i] - index[31-i] * (node[i] - hash[i-1].out);
|
||||
}
|
||||
|
||||
root === hash[31].out * (1 - is_null);
|
||||
|
||||
}
|
||||
|
||||
template poseidon_proof_of_validator(max_notes){
|
||||
signal input commitments_root;
|
||||
signal input minimum_stake;
|
||||
|
||||
// Note variables
|
||||
signal input constraints[max_notes]; // Every note field represented as F_p elements for now (constraints are represented by their Merkle root)
|
||||
signal input value[max_notes]; // 0 if no more notes needed
|
||||
signal input unit[max_notes];
|
||||
signal input state[max_notes]; // This field hold the identity of the owner (its public key or ID)
|
||||
signal input note_nonce[max_notes];
|
||||
signal input nullifier_secret_key[max_notes];
|
||||
signal input index[max_notes][32]; //Position of the note commitment in bits in big endian
|
||||
signal input nodes[max_notes][32]; //Merkle proof of the commitment
|
||||
|
||||
signal output identity;
|
||||
signal output nullifiers[max_notes];
|
||||
signal output updated_commiments[max_notes];
|
||||
|
||||
|
||||
// Check that index inputs are indeed bits
|
||||
component bit_checker[max_notes];
|
||||
for(var i=0; i<max_notes; i++){
|
||||
bit_checker[i] = check_bits(32);
|
||||
for(var j=0; j<32; j++){
|
||||
bit_checker[i].bits[j] <== index[i][j];
|
||||
}
|
||||
}
|
||||
|
||||
// Compute the note commitments
|
||||
component note_committer[max_notes];
|
||||
for(var i=0; i<max_notes; i++){
|
||||
note_committer[i] = commitment_computer();
|
||||
note_committer[i].note_nonce <== note_nonce[i];
|
||||
note_committer[i].nullifier_public_key <== nullifier_secret_key[i]; // TODO: reflect the nullifier public key computation later when defined
|
||||
note_committer[i].value <== value[i];
|
||||
note_committer[i].constraints <== constraints[i];
|
||||
note_committer[i].unit <== unit[i];
|
||||
note_committer[i].state <== state[i];
|
||||
}
|
||||
|
||||
//check the identity between the notes
|
||||
identity <== state[0]; // The first note must not be null
|
||||
component is_null[max_notes];
|
||||
is_null[0] = IsZero();
|
||||
is_null[0].in <== value[0];
|
||||
is_null[0].out === 0;
|
||||
signal intermediate[max_notes-1];
|
||||
for(var i=1; i<max_notes; i++){
|
||||
is_null[i] = IsZero();
|
||||
is_null[i].in <== value[i];
|
||||
intermediate[i-1] <== identity * (1 - is_null[i].out);
|
||||
intermediate[i-1] === state[i] * (1 - is_null[i].out);
|
||||
}
|
||||
|
||||
// Check the commitments membership
|
||||
component membership_checker[max_notes];
|
||||
for(var i=0; i<max_notes; i++){
|
||||
membership_checker[i] = membership_checker();
|
||||
membership_checker[i].leaf <== note_committer[i].commitment;
|
||||
membership_checker[i].root <== commitments_root * (1- is_null[i].out); // Set the root at 0 is note is null
|
||||
membership_checker[i].is_null <== is_null[i].out;
|
||||
for(var j =0; j<32; j++){
|
||||
membership_checker[i].index[j] <== index[i][j];
|
||||
membership_checker[i].node[j] <== nodes[i][j];
|
||||
}
|
||||
}
|
||||
|
||||
// Check that the value exceed the minimum stake
|
||||
signal sum[max_notes-1];
|
||||
sum[0] <== value[0] + value[1];
|
||||
for(var i = 1; i<max_notes-1; i++){
|
||||
sum[i] <== sum[i-1] + value[i+1];
|
||||
}
|
||||
component isLess = BLSLessThan(253);
|
||||
isLess.in[0] <== minimum_stake;
|
||||
isLess.in[1] <== sum[max_notes-2];
|
||||
isLess.out === 1;
|
||||
|
||||
|
||||
// Compute the note nullifiers
|
||||
component nullifier_computer[max_notes];
|
||||
for(var i=0; i<max_notes; i++){
|
||||
nullifier_computer[i] = nullifier_computer();
|
||||
nullifier_computer[i].note_nonce <== note_nonce[i];
|
||||
nullifier_computer[i].nullifier_secret_key <== nullifier_secret_key[i];
|
||||
nullifier_computer[i].value <== value[i];
|
||||
nullifiers[i] <== nullifier_computer[i].nullifier;
|
||||
}
|
||||
|
||||
// Compute the evolved nonces
|
||||
component nonce_updater[max_notes];
|
||||
for(var i=0; i<max_notes; i++) {
|
||||
nonce_updater[i] = nonce_updater();
|
||||
nonce_updater[i].note_nonce <== note_nonce[i];
|
||||
nonce_updater[i].nullifier_secret_key <== nullifier_secret_key[i];
|
||||
}
|
||||
|
||||
|
||||
// Compute the new note commitments
|
||||
component updated_note_committer[max_notes];
|
||||
for(var i=0; i<max_notes; i++) {
|
||||
updated_note_committer[i] = commitment_computer();
|
||||
updated_note_committer[i].note_nonce <== nonce_updater[i].updated_nonce;
|
||||
updated_note_committer[i].nullifier_public_key <== nullifier_secret_key[i]; // TODO: reflect the nullifier public key computation later when defined
|
||||
updated_note_committer[i].value <== value[i];
|
||||
updated_note_committer[i].constraints <== constraints[i];
|
||||
updated_note_committer[i].unit <== unit[i];
|
||||
updated_note_committer[i].state <== state[i];
|
||||
updated_commiments[i] <== updated_note_committer[i].commitment;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
component main {public [commitments_root, minimum_stake]} = poseidon_proof_of_validator(50);
|
Loading…
x
Reference in New Issue
Block a user