Refactor circom files to maximize re-use

Signed-off-by: Jim Zhang <[email protected]>
hyperledger-labs · Jul 31, 2024 · 537bce6 · 537bce6
1 parent 4639313
commit 537bce6
Show file tree

Hide file tree

Showing 61 changed files with 665,483 additions and 651,039 deletions.
diff --git a/solidity/contracts/lib/verifier_anon_enc_nullifier.sol b/solidity/contracts/lib/verifier_anon_enc_nullifier.sol
@@ -43,8 +43,8 @@ contract Groth16Verifier_AnonEncNullifier {
     uint256 constant deltay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
 
 
-    uint256 constant IC0x = 1132180179491441538738452273651946883461412832203743112811118844473379442028;
-    uint256 constant IC0y = 5390783026485963433523207720053244289587838204839623860596474298081543088585;
+    uint256 constant IC0x = 4568570755632788643394533153911199637393845847987729293464981238980340214701;
+    uint256 constant IC0y = 15128319276870423050909157626275409799208340368213199411576816383311184129195;
 
     uint256 constant IC1x = 9479671548635182258434953602646699552143280379254562789430654117067623065154;
     uint256 constant IC1y = 4513875910577591187417669244456597493215594361393034699197432847781635817944;
@@ -58,23 +58,23 @@ contract Groth16Verifier_AnonEncNullifier {
     uint256 constant IC4x = 8045706817285648122335493621835686579889910526627484670178299244569350873337;
     uint256 constant IC4y = 14703212748037329834343212171120394526601085625912333793516662767512116840031;
 
-    uint256 constant IC5x = 17557824284863559227631182945646272910505435334053056722808626217521393289128;
-    uint256 constant IC5y = 16307615047799173365519895850598694329138770383868524034358007080013608669085;
+    uint256 constant IC5x = 12289213637181054892282624823702301699573523320936692431552214952203040411410;
+    uint256 constant IC5y = 16455438753606683924006591564176938596063251993144033301210430323087499194482;
 
-    uint256 constant IC6x = 5415585987138244191813990034208825389253432804629600554497141813191469438492;
-    uint256 constant IC6y = 17755870055831490788712008393346742047905432267237159229825629073030204324527;
+    uint256 constant IC6x = 14303047076752096755721879884111868337074094864491631063458708071696569838284;
+    uint256 constant IC6y = 5911949370715042191384217137312039273992455050421022652157649670332806294542;
 
-    uint256 constant IC7x = 8677981225322796966854381897381189421248711504209293881165286829150524884164;
-    uint256 constant IC7y = 12816796872832476519349268616267285968398279397067849918595558738184610770874;
+    uint256 constant IC7x = 15841884851029529902011697322996410384031024289464678913047883869169350568208;
+    uint256 constant IC7y = 21520807340471527261351700326658280597567437458476043915147723227393128763810;
 
     uint256 constant IC8x = 15740540576184573386354609430256689221677491143833514512062380094508866796269;
     uint256 constant IC8y = 2340484610103666557078136629597674107756904443534921271417989072923691667449;
 
     uint256 constant IC9x = 3726988392811514450533313378412430039053796082573590843909105394276411441536;
     uint256 constant IC9y = 7347033125306979340056255923745117502907380131073815888051201665421460725544;
 
-    uint256 constant IC10x = 6619094542081504921297870625144079235409984730673107107299279901988791810356;
-    uint256 constant IC10y = 10549347737329626943980590291223696927409993218357923512265036708353601601743;
+    uint256 constant IC10x = 4371277742931522011055134703913097482787808225431324421232573076499659150767;
+    uint256 constant IC10y = 11516411764009653445050545510250621675398241508987088025760029722333645258716;
 
 
     // Memory data

diff --git a/solidity/contracts/lib/verifier_anon_nullifier.sol b/solidity/contracts/lib/verifier_anon_nullifier.sol
@@ -43,23 +43,23 @@ contract Groth16Verifier_AnonNullifier {
     uint256 constant deltay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
 
 
-    uint256 constant IC0x = 7831194482890201907912813708954693484499937202778946556314791150355497052838;
-    uint256 constant IC0y = 17214367048578530654688121231520081865319465732684236954806278278486355045687;
+    uint256 constant IC0x = 5484373638915608486871020804166539520782909040345505335019959652136228862082;
+    uint256 constant IC0y = 16138277411069907720477228076440687453311854575356818231417756272310801661588;
 
     uint256 constant IC1x = 657611904883114148980717005767820105315776575523580933462233892133390721686;
     uint256 constant IC1y = 3690011531716382218745803104163270083920150842903711282044842015835943598950;
 
     uint256 constant IC2x = 13247301284400305330080530887135251465329343308345822132754291671475418335661;
     uint256 constant IC2y = 6878027108417593313264947615215679812389458074470859941986417727720332868266;
 
-    uint256 constant IC3x = 4393308877038816112044751113703161046884042023529143670482606285253407357318;
-    uint256 constant IC3y = 10861402902194208967056892862272521752290820790123718158389295013478034329376;
+    uint256 constant IC3x = 12122806794972194128212202542170444918567562037253242662728390689220136089417;
+    uint256 constant IC3y = 9885901744875470674355026551458972605308247499314156850898233682886130241050;
 
-    uint256 constant IC4x = 20567726645522252344842011251254616164566067019107949894642154009522868698126;
-    uint256 constant IC4y = 13058332362792856027058697122630683468388748189437006630731046361022666962675;
+    uint256 constant IC4x = 14497189114754949587485834175427788983830001040470111882678218991459557006481;
+    uint256 constant IC4y = 20830021231156123029529082857782030827870844726616623033674403796120242993032;
 
-    uint256 constant IC5x = 11519149396981714918708162608439765519813165816162067214356117934500928163278;
-    uint256 constant IC5y = 4896357293383145162082835572689841388496488666220683242957098534343617845489;
+    uint256 constant IC5x = 15185920369074896375657194229340428184369591270326493422044278017722304487940;
+    uint256 constant IC5y = 19431411716277310851795675028059565579151437630225658811235304233499648067653;
 
     uint256 constant IC6x = 13045447923950887968308059891638935794209679677588887793771333234932902547512;
     uint256 constant IC6y = 1960124371120172285328335936511540489447355418368729402128803121783956301995;

diff --git a/solidity/contracts/lib/verifier_check_nullifier_value.sol b/solidity/contracts/lib/verifier_check_nullifier_value.sol
@@ -43,8 +43,8 @@ contract Groth16Verifier_CheckNullifierValue {
     uint256 constant deltay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
 
 
-    uint256 constant IC0x = 15492418976489076016744712039228991049119912955688524102804299454656267186009;
-    uint256 constant IC0y = 6683516575201125125993199841635988477061644803076780133772345536623987263585;
+    uint256 constant IC0x = 17689341276400528038881094913477316584601794141371778409863013039635850173207;
+    uint256 constant IC0y = 2558369427026425384949906416503547088831210779110621106606440952169504206690;
 
     uint256 constant IC1x = 20388809982110581159758837462045964857853052490510219178487821131497955197485;
     uint256 constant IC1y = 11559017693629947025935312317037014128873998602028720842466005215803981949488;
@@ -55,14 +55,14 @@ contract Groth16Verifier_CheckNullifierValue {
     uint256 constant IC3x = 9101308846546712061385480237991349242785040605257963609786960558441532043575;
     uint256 constant IC3y = 20162065319211808084372980649366363483528315362920428034950134764348551061576;
 
-    uint256 constant IC4x = 1862728518597969644991754874217991793768978626842292905952230489753317456943;
-    uint256 constant IC4y = 13827959089691652056820043159766605451401208772931308660944601538220427688001;
+    uint256 constant IC4x = 18501642606042950780794159845742882415192620379623303973226676116663683279831;
+    uint256 constant IC4y = 4035817123127101809036107026908494398248571792522913686551956478049624862954;
 
-    uint256 constant IC5x = 12595562902478113608580909807915007505100194716952840137066159851175855515947;
-    uint256 constant IC5y = 20219788329832744328203670585885257301041964037877146487338583938337874848685;
+    uint256 constant IC5x = 9901268858925160759276937645092909569288103654642798134621446572955859297610;
+    uint256 constant IC5y = 17808153853093791337220101848650791727823424169638249340100930096702897113053;
 
-    uint256 constant IC6x = 15493536898701008011127294879458488796153705332302588952751125522877852961647;
-    uint256 constant IC6y = 1788009749667942434387844456635362080454534277559959103723491751055982698041;
+    uint256 constant IC6x = 9156914356337812564179538349866550161346357705322438631065343069946111924902;
+    uint256 constant IC6y = 16282373888516307308471083478224742458495059270728361213537123807614765466293;
 
     uint256 constant IC7x = 2534369505154061360258866279946256857360053453543228810913826185688221321445;
     uint256 constant IC7y = 15777401174389130350272102012636311458122823507269563590772434670217407958669;

diff --git a/solidity/contracts/lib/verifier_nf_anon_nullifier.sol b/solidity/contracts/lib/verifier_nf_anon_nullifier.sol
@@ -43,14 +43,14 @@ contract Groth16Verifier_NFAnonNullifier {
     uint256 constant deltay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
 
 
-    uint256 constant IC0x = 16298217177298853136975263265087622535694857065890081137859588777856259450521;
-    uint256 constant IC0y = 16369221670251381878267929713507307612705301219879321756086546304423142981642;
+    uint256 constant IC0x = 17063916472897219906499013602609563773459699022961611964268189063314041965585;
+    uint256 constant IC0y = 7113914571678201962802800890880199872761004856366564528043813710380448639160;
 
     uint256 constant IC1x = 15394462220807272608052136227081282223595149712428374547831710534920733043919;
     uint256 constant IC1y = 19327226410606568245065707523771012300596341916719815049742062724996282552116;
 
-    uint256 constant IC2x = 7537065727208370519587176072529046541955614088903122341221970362151100973958;
-    uint256 constant IC2y = 3493434488408099877526106182878738719245353917107316371966229877467010284715;
+    uint256 constant IC2x = 2979059918714837991520229486044942728645953928301289793610170432062103873029;
+    uint256 constant IC2y = 6487742855150925877601255115745638440865210203580556432863401660227192993190;
 
     uint256 constant IC3x = 21134802089204916535108610615539521390582570772406201504265803749640245800209;
     uint256 constant IC3y = 5760026545779218525110347831373198179812011736302341060824625698975753169974;

diff --git a/solidity/test/lib/registry.ts b/solidity/test/lib/registry.ts
@@ -131,7 +131,7 @@ describe('Registry tests', function () {
     const inputObj = {
       root,
       merkleProof,
-      keys: [senderKeyHash, receiverKeyHash],
+      leafNodeIndexes: [senderKeyHash, receiverKeyHash],
     };
     const witness = await circuit.calculateWTNSBin(
       inputObj,

diff --git a/solidity/test/zeto_nf_anon.ts b/solidity/test/zeto_nf_anon.ts
@@ -138,7 +138,6 @@ async function prepareProof(circuit: any, provingKey: any, signer: User, input:
       tokenUris: [hashTokenUri(input.uri)],
       inputCommitments: [inputCommitment],
       inputSalts: [inputSalt],
-      inputOwnerPublicKey: signer.babyJubPublicKey as [BigNumberish, BigNumberish],
       outputCommitments: [outputCommitment],
       outputSalts: [output.salt],
       outputOwnerPublicKeys: [outputOwnerPublicKey],

diff --git a/zkp/circuits/anon.circom b/zkp/circuits/anon.circom
@@ -15,9 +15,9 @@
 // limitations under the License.
 pragma circom 2.1.4;
 
-include "./lib/check-hashes-sum.circom";
-include "./lib/ecdh.circom";
-include "./lib/encrypt.circom";
+include "./lib/check-positive.circom";
+include "./lib/check-hashes.circom";
+include "./lib/check-sum.circom";
 include "./node_modules/circomlib/circuits/babyjub.circom";
 
 // This version of the circuit performs the following operations:
@@ -40,23 +40,35 @@ template Zeto(nInputs, nOutputs) {
   // for the sender's private key. This step demonstrates
   // the sender really owns the private key for the input
   // UTXOs
-  var senderPublicKey[2];
+  var inputOwnerPublicKey[2];
   component pub = BabyPbk();
   pub.in <== senderPrivateKey;
-  senderPublicKey[0] = pub.Ax;
-  senderPublicKey[1] = pub.Ay;
-
-  component checkHashesSum = CheckHashesAndSum(nInputs, nOutputs);
-  checkHashesSum.inputCommitments <== inputCommitments;
-  checkHashesSum.inputValues <== inputValues;
-  checkHashesSum.inputSalts <== inputSalts;
-  checkHashesSum.inputOwnerPublicKey <== senderPublicKey;
-  checkHashesSum.outputCommitments <== outputCommitments;
-  checkHashesSum.outputValues <== outputValues;
-  checkHashesSum.outputSalts <== outputSalts;
-  checkHashesSum.outputOwnerPublicKeys <== outputOwnerPublicKeys;
-  // assert successful output
-  checkHashesSum.out === 1;
+  inputOwnerPublicKey[0] = pub.Ax;
+  inputOwnerPublicKey[1] = pub.Ay;
+  var inputOwnerPublicKeys[nInputs][2];
+  for (var i = 0; i < nInputs; i++) {
+    inputOwnerPublicKeys[i][0] = inputOwnerPublicKey[0];
+    inputOwnerPublicKeys[i][1] = inputOwnerPublicKey[1];
+  }
+
+  component checkPositives = CheckPositive(nOutputs);
+  checkPositives.outputValues <== outputValues;
+
+  component checkInputHashes = CheckHashes(nInputs);
+  checkInputHashes.commitments <== inputCommitments;
+  checkInputHashes.values <== inputValues;
+  checkInputHashes.salts <== inputSalts;
+  checkInputHashes.ownerPublicKeys <== inputOwnerPublicKeys;
+
+  component checkOutputHashes = CheckHashes(nOutputs);
+  checkOutputHashes.commitments <== outputCommitments;
+  checkOutputHashes.values <== outputValues;
+  checkOutputHashes.salts <== outputSalts;
+  checkOutputHashes.ownerPublicKeys <== outputOwnerPublicKeys;
+
+  component checkSum = CheckSum(nInputs, nOutputs);
+  checkSum.inputValues <== inputValues;
+  checkSum.outputValues <== outputValues;
 }
 
 component main { public [ inputCommitments, outputCommitments ] } = Zeto(2, 2);
diff --git a/zkp/circuits/anon_enc.circom b/zkp/circuits/anon_enc.circom
@@ -15,7 +15,9 @@
 // limitations under the License.
 pragma circom 2.1.4;
 
-include "./lib/check-hashes-sum.circom";
+include "./lib/check-positive.circom";
+include "./lib/check-hashes.circom";
+include "./lib/check-sum.circom";
 include "./lib/ecdh.circom";
 include "./lib/encrypt.circom";
 include "./node_modules/circomlib/circuits/babyjub.circom";
@@ -44,23 +46,35 @@ template Zeto(nInputs, nOutputs) {
   // for the sender's private key. This step demonstrates
   // the sender really owns the private key for the input
   // UTXOs
-  var senderPublicKey[2];
+  var inputOwnerPublicKey[2];
   component pub = BabyPbk();
   pub.in <== senderPrivateKey;
-  senderPublicKey[0] = pub.Ax;
-  senderPublicKey[1] = pub.Ay;
+  inputOwnerPublicKey[0] = pub.Ax;
+  inputOwnerPublicKey[1] = pub.Ay;
+  var inputOwnerPublicKeys[nInputs][2];
+  for (var i = 0; i < nInputs; i++) {
+    inputOwnerPublicKeys[i][0] = inputOwnerPublicKey[0];
+    inputOwnerPublicKeys[i][1] = inputOwnerPublicKey[1];
+  }
 
-  component checkHashesSum = CheckHashesAndSum(nInputs, nOutputs);
-  checkHashesSum.inputCommitments <== inputCommitments;
-  checkHashesSum.inputValues <== inputValues;
-  checkHashesSum.inputSalts <== inputSalts;
-  checkHashesSum.inputOwnerPublicKey <== senderPublicKey;
-  checkHashesSum.outputCommitments <== outputCommitments;
-  checkHashesSum.outputValues <== outputValues;
-  checkHashesSum.outputSalts <== outputSalts;
-  checkHashesSum.outputOwnerPublicKeys <== outputOwnerPublicKeys;
-  // assert successful output
-  checkHashesSum.out === 1;
+  component checkPositives = CheckPositive(nOutputs);
+  checkPositives.outputValues <== outputValues;
+
+  component checkInputHashes = CheckHashes(nInputs);
+  checkInputHashes.commitments <== inputCommitments;
+  checkInputHashes.values <== inputValues;
+  checkInputHashes.salts <== inputSalts;
+  checkInputHashes.ownerPublicKeys <== inputOwnerPublicKeys;
+
+  component checkOutputHashes = CheckHashes(nOutputs);
+  checkOutputHashes.commitments <== outputCommitments;
+  checkOutputHashes.values <== outputValues;
+  checkOutputHashes.salts <== outputSalts;
+  checkOutputHashes.ownerPublicKeys <== outputOwnerPublicKeys;
+
+  component checkSum = CheckSum(nInputs, nOutputs);
+  checkSum.inputValues <== inputValues;
+  checkSum.outputValues <== outputValues;
 
   // generate shared secret
   var sharedSecret[2];

diff --git a/zkp/circuits/anon_enc_nullifier.circom b/zkp/circuits/anon_enc_nullifier.circom
@@ -15,7 +15,11 @@
 // limitations under the License.
 pragma circom 2.1.4;
 
-include "./lib/check-nullifier-hashes-sum.circom";
+include "./lib/check-positive.circom";
+include "./lib/check-hashes.circom";
+include "./lib/check-sum.circom";
+include "./lib/check-nullifiers.circom";
+include "./lib/check-smt-proof.circom";
 include "./lib/ecdh.circom";
 include "./lib/encrypt.circom";
 include "./node_modules/circomlib/circuits/babyjub.circom";
@@ -46,21 +50,55 @@ template Zeto(nInputs, nOutputs, nSMTLevels) {
 
   signal output cipherText[2];
 
-  component checkHashesSum = CheckNullifierHashesAndSum(nInputs, nOutputs, nSMTLevels);
-  checkHashesSum.nullifiers <== nullifiers;
-  checkHashesSum.inputCommitments <== inputCommitments;
-  checkHashesSum.inputValues <== inputValues;
-  checkHashesSum.inputSalts <== inputSalts;
-  checkHashesSum.inputOwnerPrivateKey <== inputOwnerPrivateKey;
-  checkHashesSum.root <== root;
-  checkHashesSum.merkleProof <== merkleProof;
-  checkHashesSum.enabled <== enabled;
-  checkHashesSum.outputCommitments <== outputCommitments;
-  checkHashesSum.outputValues <== outputValues;
-  checkHashesSum.outputSalts <== outputSalts;
-  checkHashesSum.outputOwnerPublicKeys <== outputOwnerPublicKeys;
-  // assert successful output
-  checkHashesSum.out === 1;
+  // derive the sender's public key from the secret input
+  // for the sender's private key. This step demonstrates
+  // the sender really owns the private key for the input
+  // UTXOs
+  var inputOwnerPublicKey[2];
+  component pub = BabyPbk();
+  pub.in <== inputOwnerPrivateKey;
+  inputOwnerPublicKey[0] = pub.Ax;
+  inputOwnerPublicKey[1] = pub.Ay;
+  var inputOwnerPublicKeys[nInputs][2];
+  for (var i = 0; i < nInputs; i++) {
+    inputOwnerPublicKeys[i][0] = inputOwnerPublicKey[0];
+    inputOwnerPublicKeys[i][1] = inputOwnerPublicKey[1];
+  }
+
+  component checkPositives = CheckPositive(nOutputs);
+  checkPositives.outputValues <== outputValues;
+
+  component checkInputHashes = CheckHashes(nInputs);
+  checkInputHashes.commitments <== inputCommitments;
+  checkInputHashes.values <== inputValues;
+  checkInputHashes.salts <== inputSalts;
+  checkInputHashes.ownerPublicKeys <== inputOwnerPublicKeys;
+
+  component checkOutputHashes = CheckHashes(nOutputs);
+  checkOutputHashes.commitments <== outputCommitments;
+  checkOutputHashes.values <== outputValues;
+  checkOutputHashes.salts <== outputSalts;
+  checkOutputHashes.ownerPublicKeys <== outputOwnerPublicKeys;
+
+  component checkNullifiers = CheckNullifiers(nInputs);
+  checkNullifiers.nullifiers <== nullifiers;
+  checkNullifiers.values <== inputValues;
+  checkNullifiers.salts <== inputSalts;
+  checkNullifiers.ownerPrivateKey <== inputOwnerPrivateKey;
+
+  component checkSum = CheckSum(nInputs, nOutputs);
+  checkSum.inputValues <== inputValues;
+  checkSum.outputValues <== outputValues;
+
+  // With the above steps, we demonstrated that the nullifiers
+  // are securely bound to the input commitments. Now we need to
+  // demonstrate that the input commitments belong to the Sparse
+  // Merkle Tree with the root `root`.
+  component checkSMTProof = CheckSMTProof(nInputs, nSMTLevels);
+  checkSMTProof.root <== root;
+  checkSMTProof.merkleProof <== merkleProof;
+  checkSMTProof.enabled <== enabled;
+  checkSMTProof.leafNodeIndexes <== inputCommitments;
 
   // generate shared secret
   var sharedSecret[2];