|
| 1 | +pragma circom 2.0.0; |
| 2 | + |
| 3 | +include "../../node_modules/circomlib/circuits/poseidon.circom"; |
| 4 | +include "../set/membership.circom"; |
| 5 | +include "../merkle-tree/merkleForest.circom"; |
| 6 | +include "./keypair.circom"; |
| 7 | + |
| 8 | +/* |
| 9 | +UTXO structure: |
| 10 | +{ |
| 11 | + chainID, // destination chain identifier |
| 12 | + amount, |
| 13 | + pubkey, |
| 14 | + blinding, // random number |
| 15 | +} |
| 16 | +
|
| 17 | +commitment = hash(chainID, amount, pubKey, blinding) |
| 18 | +nullifier = hash(commitment, merklePath, sign(privKey, commitment, merklePath)) |
| 19 | +*/ |
| 20 | + |
| 21 | +// Universal JoinSplit transaction with nIns inputs and 2 outputs (2-2 & 16-2) |
| 22 | +template TransactionForest(forestLevels, subtreeLevels, nIns, nOuts, zeroLeaf, length) { |
| 23 | + // extAmount = external amount used for deposits and withdrawals |
| 24 | + // correct extAmount range is enforced on the smart contract |
| 25 | + // publicAmount = extAmount - fee |
| 26 | + signal input publicAmount; |
| 27 | + signal input extDataHash; // arbitrary |
| 28 | + |
| 29 | + // data for transaction inputs |
| 30 | + signal input inputNullifier[nIns]; |
| 31 | + signal input inAmount[nIns]; |
| 32 | + signal input inPrivateKey[nIns]; |
| 33 | + signal input inBlinding[nIns]; |
| 34 | + signal input subtreePathIndices[nIns]; |
| 35 | + signal input subtreePathElements[nIns][subtreeLevels]; |
| 36 | + signal input forestPathIndices[nIns]; |
| 37 | + signal input forestPathElements[nIns][forestLevels]; |
| 38 | + |
| 39 | + // data for transaction outputs |
| 40 | + signal input outputCommitment[nOuts]; |
| 41 | + signal input outChainID[nOuts]; |
| 42 | + signal input outAmount[nOuts]; |
| 43 | + signal input outPubkey[nOuts]; |
| 44 | + signal input outBlinding[nOuts]; |
| 45 | + |
| 46 | + // roots for interoperability, one-of-many merkle membership proof |
| 47 | + signal input chainID; |
| 48 | + signal input roots[length]; |
| 49 | + |
| 50 | + component inKeypair[nIns]; |
| 51 | + component inSignature[nIns]; |
| 52 | + component inCommitmentHasher[nIns]; |
| 53 | + component inNullifierHasher[nIns]; |
| 54 | + component inTree[nIns]; |
| 55 | + component inCheckRoot[nIns]; |
| 56 | + var sumIns = 0; |
| 57 | + |
| 58 | + // verify correctness of transaction inputs |
| 59 | + for (var tx = 0; tx < nIns; tx++) { |
| 60 | + inKeypair[tx] = Keypair(); |
| 61 | + inKeypair[tx].privateKey <== inPrivateKey[tx]; |
| 62 | + |
| 63 | + inCommitmentHasher[tx] = Poseidon(4); |
| 64 | + inCommitmentHasher[tx].inputs[0] <== chainID; |
| 65 | + inCommitmentHasher[tx].inputs[1] <== inAmount[tx]; |
| 66 | + inCommitmentHasher[tx].inputs[2] <== inKeypair[tx].publicKey; |
| 67 | + inCommitmentHasher[tx].inputs[3] <== inBlinding[tx]; |
| 68 | + |
| 69 | + inSignature[tx] = Signature(); |
| 70 | + inSignature[tx].privateKey <== inPrivateKey[tx]; |
| 71 | + inSignature[tx].commitment <== inCommitmentHasher[tx].out; |
| 72 | + inSignature[tx].merklePath <== subtreePathIndices[tx]; |
| 73 | + |
| 74 | + inNullifierHasher[tx] = Poseidon(3); |
| 75 | + inNullifierHasher[tx].inputs[0] <== inCommitmentHasher[tx].out; |
| 76 | + inNullifierHasher[tx].inputs[1] <== subtreePathIndices[tx]; |
| 77 | + inNullifierHasher[tx].inputs[2] <== inSignature[tx].out; |
| 78 | + inNullifierHasher[tx].out === inputNullifier[tx]; |
| 79 | + |
| 80 | + inTree[tx] = MerkleForest(forestLevels, subtreeLevels, length); |
| 81 | + inTree[tx].leaf <== inCommitmentHasher[tx].out; |
| 82 | + inTree[tx].subtreePathIndices <== subtreePathIndices[tx]; |
| 83 | + inTree[tx].pathIndices <== forestPathIndices[tx]; |
| 84 | + |
| 85 | + // add the roots and diffs signals to the bridge circuit |
| 86 | + for (var i = 0; i < length; i++) { |
| 87 | + inTree[tx].roots[i] <== roots[i]; |
| 88 | + } |
| 89 | + |
| 90 | + inTree[tx].isEnabled <== inAmount[tx]; |
| 91 | + for (var i = 0; i < subtreeLevels; i++) { |
| 92 | + inTree[tx].subtreePathElements[i] <== subtreePathElements[tx][i]; |
| 93 | + } |
| 94 | + for (var i = 0; i < forestLevels; i++) { |
| 95 | + inTree[tx].pathElements[i] <== forestPathElements[tx][i]; |
| 96 | + } |
| 97 | + |
| 98 | + // We don't need to range check input amounts, since all inputs are valid UTXOs that |
| 99 | + // were already checked as outputs in the previous transaction (or zero amount UTXOs that don't |
| 100 | + // need to be checked either). |
| 101 | + sumIns += inAmount[tx]; |
| 102 | + } |
| 103 | + |
| 104 | + component outCommitmentHasher[nOuts]; |
| 105 | + component outAmountCheck[nOuts]; |
| 106 | + var sumOuts = 0; |
| 107 | + |
| 108 | + // verify correctness of transaction outputs |
| 109 | + for (var tx = 0; tx < nOuts; tx++) { |
| 110 | + outCommitmentHasher[tx] = Poseidon(4); |
| 111 | + outCommitmentHasher[tx].inputs[0] <== outChainID[tx]; |
| 112 | + outCommitmentHasher[tx].inputs[1] <== outAmount[tx]; |
| 113 | + outCommitmentHasher[tx].inputs[2] <== outPubkey[tx]; |
| 114 | + outCommitmentHasher[tx].inputs[3] <== outBlinding[tx]; |
| 115 | + outCommitmentHasher[tx].out === outputCommitment[tx]; |
| 116 | + |
| 117 | + // Check that amount fits into 248 bits to prevent overflow |
| 118 | + outAmountCheck[tx] = Num2Bits(248); |
| 119 | + outAmountCheck[tx].in <== outAmount[tx]; |
| 120 | + |
| 121 | + sumOuts += outAmount[tx]; |
| 122 | + } |
| 123 | + |
| 124 | + // check that there are no same nullifiers among all inputs |
| 125 | + component sameNullifiers[nIns * (nIns - 1) / 2]; |
| 126 | + var index = 0; |
| 127 | + for (var i = 0; i < nIns - 1; i++) { |
| 128 | + for (var j = i + 1; j < nIns; j++) { |
| 129 | + sameNullifiers[index] = IsEqual(); |
| 130 | + sameNullifiers[index].in[0] <== inputNullifier[i]; |
| 131 | + sameNullifiers[index].in[1] <== inputNullifier[j]; |
| 132 | + sameNullifiers[index].out === 0; |
| 133 | + index++; |
| 134 | + } |
| 135 | + } |
| 136 | + |
| 137 | + // verify amount invariant |
| 138 | + sumIns + publicAmount === sumOuts; |
| 139 | + |
| 140 | + // optional safety constraint to make sure extDataHash cannot be changed |
| 141 | + signal extDataSquare; |
| 142 | + extDataSquare <== extDataHash * extDataHash; |
| 143 | +} |
0 commit comments