nomos-pocs/proof_of_leadership/circom/leadership_poseidon_sha.circom

318 lines
9.7 KiB
Plaintext

//test
pragma circom 2.1.9;
include "../../circom_circuits/hash/poseidon/poseidon_2_to_1_Jubjub.circom";
include "../../circom_circuits/hash/poseidon/poseidon_4_to_1_Jubjub.circom";
include "../../circom_circuits/hash/poseidon/poseidon_16_to_1_Jubjub.circom";
include "../../circom_circuits/circomlib/circuits/bitify.circom";
include "../../circom_circuits/circomlib/circuits/sha256/sha256.circom";
template BLSLessThan(n) {
assert(n <= 253);
signal input in[2];
signal output out;
component n2b = Num2Bits(n+1);
n2b.in <== in[0]+ (1<<n) - in[1];
out <== 1-n2b.out[n];
}
template BLSNum2Bits_strict() {
signal input in;
signal output out[255];
// Ensure that out is lower than p
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); // -1 - 2**254 (p-1 without its first bit)
component n2b = Num2Bits(255);
in ==> n2b.in;
for (var i=0; i<255; i++) {
n2b.out[i] ==> out[i];
if(i != 0){
n2b.out[i] ==> check_range.in[i-1];
}
}
check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255
}
template BLSBits2Num_strict() {
signal input in[255];
signal output out;
//ensure that in is not greater than p
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528);
component b2n = Bits2Num(255);
for (var i=0; i<255; i++) {
in[i] ==> b2n.in[i];
if(i != 0){
in[i] ==> check_range.in[i-1];
}
}
check_range.out * in[0] === 0;
b2n.out ==> out;
}
template check_bits(n){
signal input bits[n];
for(var i=0; i<n; i++){
bits[i] * (1-bits[i]) === 0;
}
}
template check_lottery(){
signal input epoch_nonce;
signal input slot_number;
signal input t0;
signal input t1; // The precomputed threshold values
signal input constraints;
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
component hash = Sha256(2336);
component bitifier[9];
for(var i=0; i<9; i++){
bitifier[i] = BLSNum2Bits_strict();
}
bitifier[0].in <== epoch_nonce;
bitifier[1].in <== slot_number;
bitifier[2].in <== constraints;
bitifier[3].in <== value;
bitifier[4].in <== unit;
bitifier[5].in <== state;
bitifier[6].in <== note_nonce;
bitifier[7].in <== nullifier_secret_key;
bitifier[8].in <== randomness;
//The b"lead" Tag in bits with big endian order
hash.in[0] <== 0;
hash.in[1] <== 1;
hash.in[2] <== 1;
hash.in[3] <== 0;
hash.in[4] <== 1;
hash.in[5] <== 1;
hash.in[6] <== 0;
hash.in[7] <== 0;
hash.in[8] <== 0;
hash.in[9] <== 1;
hash.in[10] <== 1;
hash.in[11] <== 0;
hash.in[12] <== 0;
hash.in[13] <== 1;
hash.in[14] <== 0;
hash.in[15] <== 1;
hash.in[16] <== 0;
hash.in[17] <== 1;
hash.in[18] <== 1;
hash.in[19] <== 0;
hash.in[20] <== 0;
hash.in[21] <== 0;
hash.in[22] <== 0;
hash.in[23] <== 1;
hash.in[24] <== 0;
hash.in[25] <== 1;
hash.in[26] <== 1;
hash.in[27] <== 0;
hash.in[28] <== 0;
hash.in[29] <== 1;
hash.in[30] <== 0;
hash.in[31] <== 0;
for(var i=0; i<256; i++){
for(var j=0; j<9; j++){
if(i != 0){
hash.in[32+256*j+i] <== bitifier[j].out[255-i];
} else {
hash.in[32+256*j] <== 0;
}
}
}
component intifier = Bits2Num(253); //Because if the scalar field is 255 bits, we support every number of 254 bits (not all of 255) and we can only compare numbers of 253 bits since we need 1 bit for sign.
for(var i=0; i<253; i++){
intifier.in[i] <== hash.out[253-i];
}
// Compute the threshold
signal intermediate_value;
signal threshold;
intermediate_value <== t0 + t1 * value;
threshold <== intermediate_value * value;
// Ensure that the ticket is winning
component isLess2 = BLSLessThan(253);
isLess2.in[0] <== intifier.out;
isLess2.in[1] <== threshold;
//isLess2.out === 1;
}
template nullifier_computer(){
signal input note_nonce;
signal input nullifier_secret_key;
signal input value;
signal output nullifier;
component hash = hash_4_to_1();
//The b"coin-nullifier" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 2016785505923014207119328528655730;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== value;
nullifier <== hash.out;
}
template commitment_computer(){ // TODO: ensure all field are hash
signal input note_nonce;
signal input nullifier_public_key;
signal input value;
signal output commitment;
component hash = hash_4_to_1();
//The b"coin-commitment" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 516297089516239580383111224192495220;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_public_key;
hash.in[3] <== value;
commitment <== hash.out;
}
template nonce_updater(){
signal input note_nonce;
signal input nullifier_secret_key;
signal output updated_nonce;
component hash = hash_4_to_1();
//The b"coin-evolve" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 120209783668687835891529317;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== 0;
updated_nonce <== hash.out;
}
template membership_checker(){
signal input leaf; //The note commitment
signal input root; //The root of the Merkle Tree (of depth 32)
signal input index[32]; //Position of the note commitment in bits in big endian
signal input node[32]; //Complementary hashes
component hash[32];
for(var i=0; i<32; i++){
hash[i] = hash_2_to_1();
}
hash[0].in[0] <== leaf - index[31] * (leaf - node[0]);
hash[0].in[1] <== node[0] - index[31] * (node[0] - leaf);
for(var i=1; i<32; i++){
hash[i].in[0] <== hash[i-1].out - index[31-i] * (hash[i-1].out - node[i]);
hash[i].in[1] <== node[i] - index[31-i] * (node[i] - hash[i-1].out);
}
//root === hash[31].out;
}
template poseidon_sha_proof_of_leadership(){
signal input epoch_nonce; //F_p (BLS12-381 scalar field)
signal input slot_number; //F_p (BLS12-381 scalar field)
signal input t0; // Precomputed threshold elements in F_p
signal input t1;
signal input commitments_root;
// Note variables
signal input constraints; // Every note field represented as F_p elements for now (constraints are represented by their Merkle root)
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
signal input index[32]; //Position of the note commitment in bits in big endian
signal input nodes[32]; //Merkle proof of the commitment
signal output nullifier;
signal output updated_commiment;
// Check that index inputs are indeed bits
component bit_checker = check_bits(32);
for(var i=0; i<32; i++){
bit_checker.bits[i] <== index[i];
}
// Check that r < threshold
component lottery_checker = check_lottery();
lottery_checker.epoch_nonce <== epoch_nonce;
lottery_checker.slot_number <== slot_number;
lottery_checker.t0 <== t0;
lottery_checker.t1 <== t1;
lottery_checker.constraints <== constraints;
lottery_checker.value <== value;
lottery_checker.unit <== unit;
lottery_checker.state <== state;
lottery_checker.note_nonce <== note_nonce;
lottery_checker.nullifier_secret_key <== nullifier_secret_key;
lottery_checker.randomness <== randomness;
// Compute the note commitment
component note_committer = commitment_computer();
note_committer.note_nonce <== note_nonce;
note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
note_committer.value <== value;
// Check the commitment membership
component membership_checker = membership_checker();
membership_checker.leaf <== note_committer.commitment;
membership_checker.root <== commitments_root;
for(var i =0; i<32; i++){
membership_checker.index[i] <== index[i];
membership_checker.node[i] <== nodes[i];
}
// Compute the note nullifier
component nullifier_computer = nullifier_computer();
nullifier_computer.note_nonce <== note_nonce;
nullifier_computer.nullifier_secret_key <== nullifier_secret_key;
nullifier_computer.value <== value;
nullifier <== nullifier_computer.nullifier;
// Compute the evolved nonce
component nonce_updater = nonce_updater();
nonce_updater.note_nonce <== note_nonce;
nonce_updater.nullifier_secret_key <== nullifier_secret_key;
// Compute the new note commitment
component updated_note_committer = commitment_computer();
updated_note_committer.note_nonce <== nonce_updater.updated_nonce;
updated_note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
updated_note_committer.value <== value;
updated_commiment <== updated_note_committer.commitment;
}
component main {public [epoch_nonce, slot_number, t0, t1, commitments_root]} = poseidon_sha_proof_of_leadership();