Zeth - Zerocash on Ethereum  0.8
Reference implementation of the Zeth protocol by Clearmatics
note.hpp
1 #ifndef __ZETH_CIRCUITS_NOTE_HPP__
2 #define __ZETH_CIRCUITS_NOTE_HPP__
3 
4 // DISCLAIMER:
5 // Content Taken and adapted from Zcash
6 // https://github.com/zcash/zcash/blob/master/src/zcash/circuit/note.tcc
7 
12 #include "libzeth/core/bits.hpp"
13 #include "libzeth/core/note.hpp"
14 
15 namespace libzeth
16 {
17 
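/// Base gadget holding the circuit variables shared by input and output
/// notes: the note value and the trapdoor `r`.
///
/// NOTE(review): the rendered listing dropped the line declaring
/// generate_r1cs_constraints(); it is restored here from the signature shown
/// in the page's member index.
template<typename FieldT> class note_gadget : public libsnark::gadget<FieldT>
{
public:
    /// Binary value of the note (64 bits).
    // Each entry of a pb_variable_array is a field element; reading it as a
    // bit is only sound if booleanness is constrained somewhere.
    // NOTE(review): that constraint is not visible in this header - confirm.
    libsnark::pb_variable_array<FieldT> value;
    /// Trapdoor r of the note (256 bits).
    libsnark::pb_variable_array<FieldT> r;

    /// @param pb Protoboard this gadget is attached to.
    /// @param annotation_prefix Label for this gadget; defaults to
    ///        "note_gadget".
    explicit note_gadget(
        libsnark::protoboard<FieldT> &pb,
        const std::string &annotation_prefix = "note_gadget");

    /// Generates the R1CS constraints of this gadget.
    // NOTE(review): which checks are emitted is defined outside this header;
    // presumably booleanness of `value` and `r` - confirm in the definition.
    void generate_r1cs_constraints();

    /// Generates the R1CS witness for this gadget from a concrete note.
    /// @param note Note supplying the witness values.
    void generate_r1cs_witness(const zeth_note &note);
};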
35 
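/// Gadget for a note that is spent (an input note). Per the comments on its
/// members, it ties together the derivation of a_pk from a_sk, the note
/// commitment, the nullifier, and membership of the commitment in the Merkle
/// tree of root `rt`.
///
/// @tparam FieldT Field over which the circuit variables are defined.
/// @tparam HashT Hash parameter passed to the commitment and PRF gadgets.
/// @tparam HashTreeT Hash parameter passed to the Merkle path authenticator.
/// @tparam TreeDepth Depth parameter of the address bits (bits_addr).
///
/// NOTE(review): the rendered listing dropped the constructor-name line and
/// the lines declaring generate_r1cs_constraints() / generate_r1cs_witness();
/// they are restored here from the signatures in the page's member index.
/// Specifiers that index does not show (e.g. `explicit`) cannot be recovered.
template<typename FieldT, typename HashT, typename HashTreeT, size_t TreeDepth>
class input_note_gadget : public note_gadget<FieldT>
{
private:
    /// Output of a PRF (digest_variable).
    std::shared_ptr<libsnark::digest_variable<FieldT>> a_pk;
    /// Nullifier seed (256 bits).
    libsnark::pb_variable_array<FieldT> rho;

    /// Commitment gadget for the input note.
    std::shared_ptr<COMM_cm_gadget<FieldT, HashT>> commit_to_inputs_cm;
    /// Note commitment, output of the COMMIT gadget.
    libsnark::pb_variable<FieldT> commitment;

    /// Bit that decides whether the commitment (leaf) has to be found in the
    /// Merkle tree. Needed to support dummy notes of value 0.
    // NOTE(review): the membership check is only meaningful if this bit is
    // constrained so that it cannot be 0 for a note of non-zero value. That
    // constraint is not visible in this header - confirm in the definition.
    libsnark::pb_variable<FieldT> value_enforce;
    /// Address of the commitment in the tree.
    libsnark::pb_variable_array<FieldT> address_bits_va;
    /// Authentication path: all the intermediary hash siblings from the leaf
    /// to the root.
    std::shared_ptr<libsnark::pb_variable_array<FieldT>> auth_path;
    /// Gadget computing the Merkle root from a commitment and Merkle path,
    /// and checking that it equals the expected (i.e. current) Merkle root
    /// when value_enforce = 1.
    std::shared_ptr<merkle_path_authenticator<FieldT, HashTreeT>>
        check_membership;

    /// Makes sure that a_pk is computed correctly from a_sk.
    std::shared_ptr<PRF_addr_a_pk_gadget<FieldT, HashT>> spend_authority;
    /// Makes sure that the nullifiers are computed correctly from rho and
    /// a_sk.
    std::shared_ptr<PRF_nf_gadget<FieldT, HashT>> expose_nullifiers;

    /// Nullifier of the input note.
    std::shared_ptr<libsnark::digest_variable<FieldT>> nullifier;

public:
    /// @param pb Protoboard this gadget is attached to.
    /// @param ZERO Circuit variable named ZERO.
    ///        NOTE(review): presumably constrained to 0 by the caller -
    ///        confirm.
    /// @param a_sk Digest variable from which a_pk and the nullifier are
    ///        derived (see spend_authority and expose_nullifiers).
    /// @param nullifier Input note nullifier.
    /// @param rt Current Merkle root.
    /// @param annotation_prefix Label for this gadget; defaults to
    ///        "input_note_gadget".
    input_note_gadget(
        libsnark::protoboard<FieldT> &pb,
        const libsnark::pb_variable<FieldT> &ZERO,
        std::shared_ptr<libsnark::digest_variable<FieldT>> a_sk,
        // Input note Nullifier
        std::shared_ptr<libsnark::digest_variable<FieldT>> nullifier,
        // Current Merkle root
        const libsnark::pb_variable<FieldT> &rt,
        const std::string &annotation_prefix = "input_note_gadget");

    /// Generates the R1CS constraints of this gadget:
    ///  - check the booleanness of rho;
    ///  - check that a_pk, nf and cm are correctly computed;
    ///  - check that cm is in the Merkle tree of root rt.
    void generate_r1cs_constraints();

    /// Generates the R1CS witness for this gadget.
    /// @param merkle_path Merkle path of the note commitment, as field
    ///        elements.
    /// @param address_bits Address of the commitment in the tree, as
    ///        TreeDepth bits.
    /// @param note Note supplying the witness values.
    void generate_r1cs_witness(
        const std::vector<FieldT> &merkle_path,
        const bits_addr<TreeDepth> &address_bits,
        const zeth_note &note);
};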
95 
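/// Commit to the output notes of the Joinsplit.
///
/// @tparam FieldT Field over which the circuit variables are defined.
/// @tparam HashT Hash parameter passed to the commitment gadget.
///
/// NOTE(review): the rendered listing dropped the constructor-name line and
/// the line declaring generate_r1cs_constraints(); they are restored here
/// from the signatures in the page's member index. Specifiers that index does
/// not show (e.g. `explicit`) cannot be recovered.
template<typename FieldT, typename HashT>
class output_note_gadget : public note_gadget<FieldT>
{
private:
    /// a_pk of the output note, as a digest variable.
    std::shared_ptr<libsnark::digest_variable<FieldT>> a_pk;
    /// Commitment gadget for the output note.
    std::shared_ptr<COMM_cm_gadget<FieldT, HashT>> commit_to_outputs_cm;

public:
    /// @param pb Protoboard this gadget is attached to.
    /// @param rho Digest variable holding rho for the output note.
    /// @param commitment Circuit variable for the note commitment (cm).
    /// @param annotation_prefix Label for this gadget; defaults to
    ///        "output_note_gadget".
    output_note_gadget(
        libsnark::protoboard<FieldT> &pb,
        std::shared_ptr<libsnark::digest_variable<FieldT>> rho,
        const libsnark::pb_variable<FieldT> &commitment,
        const std::string &annotation_prefix = "output_note_gadget");

    /// Generates the R1CS constraints of this gadget:
    ///  - check the booleanness of a_pk;
    ///  - check that cm is correctly computed.
    void generate_r1cs_constraints();

    /// Generates the R1CS witness for this gadget from a concrete note.
    /// @param note Note supplying the witness values.
    void generate_r1cs_witness(const zeth_note &note);
};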
117 
118 } // namespace libzeth
119 
121 
122 #endif // __ZETH_CIRCUITS_NOTE_HPP__
libzeth::output_note_gadget::generate_r1cs_witness
void generate_r1cs_witness(const zeth_note &note)
libzeth::note_gadget::value
libsnark::pb_variable_array< FieldT > value
Definition: note.hpp:25
note.tcc
libzeth
Definition: binary_operation.hpp:15
libzeth::note_gadget::r
libsnark::pb_variable_array< FieldT > r
Definition: note.hpp:27
prf.hpp
libzeth::input_note_gadget::generate_r1cs_witness
void generate_r1cs_witness(const std::vector< FieldT > &merkle_path, const bits_addr< TreeDepth > &address_bits, const zeth_note &note)
libzeth::bits< TreeDepth >
note.hpp
merkle_path_authenticator.hpp
libzeth::input_note_gadget
Definition: note.hpp:41
circuit_utils.hpp
libzeth::output_note_gadget::output_note_gadget
output_note_gadget(libsnark::protoboard< FieldT > &pb, std::shared_ptr< libsnark::digest_variable< FieldT >> rho, const libsnark::pb_variable< FieldT > &commitment, const std::string &annotation_prefix="output_note_gadget")
libzeth::note_gadget::generate_r1cs_constraints
void generate_r1cs_constraints()
libzeth::note_gadget::note_gadget
note_gadget(libsnark::protoboard< FieldT > &pb, const std::string &annotation_prefix="note_gadget")
libzeth::input_note_gadget::input_note_gadget
input_note_gadget(libsnark::protoboard< FieldT > &pb, const libsnark::pb_variable< FieldT > &ZERO, std::shared_ptr< libsnark::digest_variable< FieldT >> a_sk, std::shared_ptr< libsnark::digest_variable< FieldT >> nullifier, const libsnark::pb_variable< FieldT > &rt, const std::string &annotation_prefix="input_note_gadget")
commitment.hpp
libzeth::note_gadget
Definition: note.hpp:21
libzeth::input_note_gadget::generate_r1cs_constraints
void generate_r1cs_constraints()
libzeth::zeth_note
Definition: note.hpp:15
libzeth::output_note_gadget
Commit to the output notes of the Joinsplit.
Definition: note.hpp:98
bits.hpp
libzeth::note_gadget::generate_r1cs_witness
void generate_r1cs_witness(const zeth_note &note)
libzeth::output_note_gadget::generate_r1cs_constraints
void generate_r1cs_constraints()