Adds VAnchorForest (#212)

Author: semaraugusto

circuits/merkle-tree/merkleForest.circom

@@ -0,0 +1,68 @@
+pragma circom 2.0.0;
+
+include "../../node_modules/circomlib/circuits/bitify.circom";
+include "../../node_modules/circomlib/circuits/poseidon.circom";
+include "../../node_modules/circomlib/circuits/switcher.circom";
+include "../set/membership_if_enabled.circom";
+
+
+// Verifies that merkle proof is correct for given merkle root and a leaf
+// pathIndices bits is an array of 0/1 selectors telling whether given pathElement is on the left or right side of merkle path
+template GetMerkleRoot(levels) {
+    signal input leaf;
+    signal input pathElements[levels];
+    signal input pathIndices;
+    signal output root;
+
+    component switcher[levels];
+    component hasher[levels];
+
+    component indexBits = Num2Bits(levels);
+    indexBits.in <== pathIndices;
+
+    for (var i = 0; i < levels; i++) {
+        switcher[i] = Switcher();
+        switcher[i].L <== i == 0 ? leaf : hasher[i - 1].out;
+        switcher[i].R <== pathElements[i];
+        switcher[i].sel <== indexBits.out[i];
+
+        hasher[i] = Poseidon(2);
+        hasher[i].inputs[0] <== switcher[i].outL;
+        hasher[i].inputs[1] <== switcher[i].outR;
+    }
+
+    // verify that the resultant hash (computed merkle root)
+    // is in the set of roots
+    root <== hasher[levels - 1].out;
+}
+
+template MerkleForest(groupLevels, subtreeLevels, length) {
+    signal input leaf;
+    signal input pathElements[groupLevels];
+    signal input pathIndices;
+    signal input subtreePathElements[subtreeLevels];
+    signal input subtreePathIndices;
+    signal input roots[length];
+    signal input isEnabled;
+
+    component getSubtreeMerkleRoot = GetMerkleRoot(subtreeLevels);
+    getSubtreeMerkleRoot.leaf <== leaf;
+    getSubtreeMerkleRoot.pathIndices <== subtreePathIndices;
+    for (var i = 0; i < subtreeLevels; i++) {
+        getSubtreeMerkleRoot.pathElements[i] <== subtreePathElements[i];
+    }
+    component getMerkleRoot = GetMerkleRoot(groupLevels);
+    getMerkleRoot.leaf <== getSubtreeMerkleRoot.root;
+    getMerkleRoot.pathIndices <== pathIndices;
+    for (var i = 0; i < groupLevels; i++) {
+        getMerkleRoot.pathElements[i] <== pathElements[i];
+    }
+
+    component set = ForceSetMembershipIfEnabled(length);
+    set.enabled <== isEnabled;
+    for (var i = 0; i < length; i++) {
+        set.set[i] <== roots[i];
+    }
+    set.element <== getMerkleRoot.root;
+}
+

circuits/test/vanchor_forest_16_2.circom

@@ -0,0 +1,7 @@
+pragma circom 2.0.0;  
+
+include "../vanchor/transactionForest.circom";
+
+// zeroLeaf = Poseidon(zero, zero)
+// default `zero` value is keccak256("tornado") % FIELD_SIZE = 21663839004416932945382355908790599225266501822907911457504978515578255421292
+component main {public [publicAmount, extDataHash, inputNullifier, outputCommitment, chainID, roots]} = TransactionForest(5, 30, 16, 2, 11850551329423159860688778991827824730037759162201783566284850822760196767874, 2);

circuits/test/vanchor_forest_16_8.circom

@@ -0,0 +1,7 @@
+pragma circom 2.0.0;  
+
+include "../vanchor/transactionForest.circom";
+
+// zeroLeaf = Poseidon(zero, zero)
+// default `zero` value is keccak256("tornado") % FIELD_SIZE = 21663839004416932945382355908790599225266501822907911457504978515578255421292
+component main {public [publicAmount, extDataHash, inputNullifier, outputCommitment, chainID, roots]} = TransactionForest(5, 30, 16, 2, 11850551329423159860688778991827824730037759162201783566284850822760196767874, 8);

circuits/test/vanchor_forest_2_2.circom

@@ -0,0 +1,7 @@
+pragma circom 2.0.0;  
+
+include "../vanchor/transactionForest.circom";
+
+// zeroLeaf = Poseidon(zero, zero)
+// default `zero` value is keccak256("tornado") % FIELD_SIZE = 21663839004416932945382355908790599225266501822907911457504978515578255421292
+component main {public [publicAmount, extDataHash, inputNullifier, outputCommitment, chainID, roots]} = TransactionForest(5, 30, 2, 2, 11850551329423159860688778991827824730037759162201783566284850822760196767874, 2);

circuits/test/vanchor_forest_2_8.circom

@@ -0,0 +1,7 @@
+pragma circom 2.0.0;  
+
+include "../vanchor/transactionForest.circom";
+
+// zeroLeaf = Poseidon(zero, zero)
+// default `zero` value is keccak256("tornado") % FIELD_SIZE = 21663839004416932945382355908790599225266501822907911457504978515578255421292
+component main {public [publicAmount, extDataHash, inputNullifier, outputCommitment, chainID, roots]} = TransactionForest(5, 30, 2, 2, 11850551329423159860688778991827824730037759162201783566284850822760196767874, 8);

circuits/vanchor/transactionForest.circom

@@ -0,0 +1,143 @@
+pragma circom 2.0.0;
+
+include "../../node_modules/circomlib/circuits/poseidon.circom";
+include "../set/membership.circom";
+include "../merkle-tree/merkleForest.circom";
+include "./keypair.circom";
+
+/*
+UTXO structure:
+{
+    chainID, // destination chain identifier
+    amount,
+    pubkey,
+    blinding, // random number
+}
+
+commitment = hash(chainID, amount, pubKey, blinding)
+nullifier = hash(commitment, merklePath, sign(privKey, commitment, merklePath))
+*/
+
+// Universal JoinSplit transaction with nIns inputs and 2 outputs (2-2 & 16-2)
+template TransactionForest(forestLevels, subtreeLevels, nIns, nOuts, zeroLeaf, length) {
+    // extAmount = external amount used for deposits and withdrawals
+    // correct extAmount range is enforced on the smart contract
+    // publicAmount = extAmount - fee
+    signal input publicAmount;
+    signal input extDataHash; // arbitrary
+
+    // data for transaction inputs
+    signal input inputNullifier[nIns];
+    signal input inAmount[nIns];
+    signal input inPrivateKey[nIns];
+    signal input inBlinding[nIns];
+    signal input subtreePathIndices[nIns];
+    signal input subtreePathElements[nIns][subtreeLevels];
+    signal input forestPathIndices[nIns];
+    signal input forestPathElements[nIns][forestLevels];
+
+    // data for transaction outputs
+    signal input outputCommitment[nOuts];
+    signal input outChainID[nOuts];
+    signal input outAmount[nOuts];
+    signal input outPubkey[nOuts];
+    signal input outBlinding[nOuts];
+
+    // roots for interoperability, one-of-many merkle membership proof
+    signal input chainID;
+    signal input roots[length];
+
+    component inKeypair[nIns];
+    component inSignature[nIns];
+    component inCommitmentHasher[nIns];
+    component inNullifierHasher[nIns];
+    component inTree[nIns];
+    component inCheckRoot[nIns];
+    var sumIns = 0;
+
+    // verify correctness of transaction inputs
+    for (var tx = 0; tx < nIns; tx++) {
+        inKeypair[tx] = Keypair();
+        inKeypair[tx].privateKey <== inPrivateKey[tx];
+
+        inCommitmentHasher[tx] = Poseidon(4);
+        inCommitmentHasher[tx].inputs[0] <== chainID;
+        inCommitmentHasher[tx].inputs[1] <== inAmount[tx];
+        inCommitmentHasher[tx].inputs[2] <== inKeypair[tx].publicKey;
+        inCommitmentHasher[tx].inputs[3] <== inBlinding[tx];
+
+        inSignature[tx] = Signature();
+        inSignature[tx].privateKey <== inPrivateKey[tx];
+        inSignature[tx].commitment <== inCommitmentHasher[tx].out;
+        inSignature[tx].merklePath <== subtreePathIndices[tx];
+
+        inNullifierHasher[tx] = Poseidon(3);
+        inNullifierHasher[tx].inputs[0] <== inCommitmentHasher[tx].out;
+        inNullifierHasher[tx].inputs[1] <== subtreePathIndices[tx];
+        inNullifierHasher[tx].inputs[2] <== inSignature[tx].out;
+        inNullifierHasher[tx].out === inputNullifier[tx];
+
+        inTree[tx] = MerkleForest(forestLevels, subtreeLevels, length);
+        inTree[tx].leaf <== inCommitmentHasher[tx].out;
+        inTree[tx].subtreePathIndices <== subtreePathIndices[tx];
+        inTree[tx].pathIndices <== forestPathIndices[tx];
+
+        // add the roots and diffs signals to the bridge circuit
+        for (var i = 0; i < length; i++) {
+            inTree[tx].roots[i] <== roots[i];
+        }
+
+        inTree[tx].isEnabled <== inAmount[tx];
+        for (var i = 0; i < subtreeLevels; i++) {
+            inTree[tx].subtreePathElements[i] <== subtreePathElements[tx][i];
+        }
+        for (var i = 0; i < forestLevels; i++) {
+            inTree[tx].pathElements[i] <== forestPathElements[tx][i];
+        }
+
+        // We don't need to range check input amounts, since all inputs are valid UTXOs that
+        // were already checked as outputs in the previous transaction (or zero amount UTXOs that don't
+        // need to be checked either).
+        sumIns += inAmount[tx];
+    }
+
+    component outCommitmentHasher[nOuts];
+    component outAmountCheck[nOuts];
+    var sumOuts = 0;
+
+    // verify correctness of transaction outputs
+    for (var tx = 0; tx < nOuts; tx++) {
+        outCommitmentHasher[tx] = Poseidon(4);
+        outCommitmentHasher[tx].inputs[0] <== outChainID[tx];
+        outCommitmentHasher[tx].inputs[1] <== outAmount[tx];
+        outCommitmentHasher[tx].inputs[2] <== outPubkey[tx];
+        outCommitmentHasher[tx].inputs[3] <== outBlinding[tx];
+        outCommitmentHasher[tx].out === outputCommitment[tx];
+
+        // Check that amount fits into 248 bits to prevent overflow
+        outAmountCheck[tx] = Num2Bits(248);
+        outAmountCheck[tx].in <== outAmount[tx];
+
+        sumOuts += outAmount[tx];
+    }
+
+    // check that there are no same nullifiers among all inputs
+    component sameNullifiers[nIns * (nIns - 1) / 2];
+    var index = 0;
+    for (var i = 0; i < nIns - 1; i++) {
+      for (var j = i + 1; j < nIns; j++) {
+          sameNullifiers[index] = IsEqual();
+          sameNullifiers[index].in[0] <== inputNullifier[i];
+          sameNullifiers[index].in[1] <== inputNullifier[j];
+          sameNullifiers[index].out === 0;
+          index++;
+      }
+    }
+
+    // verify amount invariant
+    sumIns + publicAmount === sumOuts;
+
+    // optional safety constraint to make sure extDataHash cannot be changed
+    signal extDataSquare;
+    extDataSquare <== extDataHash * extDataHash;
+}

packages/anchors/src/IdentityVAnchor.ts

@@ -502,7 +502,6 @@ export class IdentityVAnchor implements IAnchor {
     };
   }
 
-  // TODO parameterize this better
   public generatePublicInputs(
     proof: any,
     byte_calldata: any,