proof/tx.zk created

proof/lead.zk

@@ -22,13 +22,13 @@ Base c1_rho,
 Scalar c1_opening,
 Base value,
 Scalar c2_opening,
-Scalar rho_mu,
-Scalar y_mu,
+Scalar rho_opening,
+Scalar y_opening,
 Base sigam1,
 Base sigma2
 }
 
-Circuit "Lead" {
+circuit "Lead" {
 # coin (1) pk
 pk = poseidon_hash(PREFIX_PK, c1_sk_root, c1_tau, ZERO);
 constrain_instance(pk);
@@ -66,7 +66,7 @@ constrain_instance(sn);
 seed = poseidon_hash(PREFIX_SEED, c1_sk_root, c1_rho, ZERO);
 # y
 y_v = ec_mul_short(seed, VALUE_COMMIT_VALUE);
-y_r = ec_mul(y_mu, VALUE_COMMIT_RANDOM);
+y_r = ec_mul(y_opening, VALUE_COMMIT_RANDOM);
 y = ec_add(y_v, y_r);
 y_x = ec_get_x(y);
 y_y = ec_get_y(y);
@@ -74,7 +74,7 @@ constrain_instance(y_x);
 constrain_instance(y_y);
 # rho
 rho_v = ec_mul_short(seed, VALUE_COMMIT_VALUE);
-rho_r = ec_mul(rho_mu, VALUE_COMMIT_RANDOM);
+rho_r = ec_mul(rho_opening, VALUE_COMMIT_RANDOM);
 rho = ec_add(rho_v, rho_r);
 rho_x = ec_get_x(rho);
 rho_y = ec_get_y(rho);

proof/tx.zk

@@ -0,0 +1,116 @@
+constant "tx" {
+EcFixedPointShort VALUE_COMMIT_VALUE,
+EcFixedPoint VALUE_COMMIT_RANDOM,
+EcFixedPointBase NULLIFIER_K,
+Base PREFIX_CM,
+Base PREFIX_PK,
+Base PREFIX_EVL,
+BASE PREFIX_SEED,
+Base ONE,
+Base ZERO,
+}
+
+contract "tx" {
+Base root,
+Base c1_root_sk,
+Base c1_sk,
+Base c1_sk_path,
+Base c1_sk_pos,
+Base c1_rho,
+Scalar c1_opening,
+Base c1_value,
+MerklePath c1_cm_path,
+Uint32 c1_cm_pos,
+Base c1_sn,
+
+Base c2_root_sk,
+Base c2_sk,
+MerklePath c2_sk_path,
+Uint32 c2_sk_pos,
+Base c2_rho,
+Scalar c2_opening,
+Base c2_value,
+MerklePath c2_cm_path,
+Uint32 c2_cm_pos,
+Base c2_sn,
+
+Base c3_pk,
+Base c3_rho,
+Scalar c3_opening,
+Base c3_value,
+EcPoint c3_cm,
+
+Base c4_pk,
+Base c4_rho,
+Scalar c4_opening,
+Base c4_value,
+EcPoint c4_cm,
+}
+
+circuit "tx {
+# coin (1) pk/public key
+c1_pk = poseidon_hash(PREFIX_PK, c1_root_sk);
+constrain_instance(c1_pk);
+# coin (2) pk/public key
+c2_pk = poseidon_hash(PREFIX_PK, c2_root_sk);
+constrain_instance(c2_pk);
+# coin (1) cm/commitment
+c1_cm_msg = poseidon_hash(PREFIX_CM, c1_pk, c1_value, c1_rho);
+c1_cm_v = ec_mul_short(c1_cm_msg, VALUE_COMMIT_VALUE);
+c1_cm_r = ec_mul(c1_opening, VALUE_COMMIT_RANDOM);
+c1_cm = ec_add(c1_cm_v, c1_cm_r);
+c1_cm_x = ec_get_x(c1_cm);
+c1_cm_y = ec_get_y(c1_cm);
+c1_cm_hash = poseidon_hash(c1_cm_x, c1_cm_y);
+constrain_instance(c1_cm_x);
+constrain_instance(c1_cm_y);
+# coin (2) cm/commitment
+c2_cm_msg = poseidon_hash(PREFIX_CM, c2_pk, c2_value, c2_rho);
+c2_cm_v = ec_mul_short(c2_cm_msg, VALUE_COMMIT_VALUE);
+c2_cm_r = ec_mul(c2_opening, VALUE_COMMIT_RANDOM);
+c2_cm = ec_add(c2_cm_v, c2_cm_r);
+c2_cm_x = ec_get_x(c2_cm);
+c2_cm_y = ec_get_y(c2_cm);
+c2_cm_hash = poseidon_hash(c2_cm_x, c2_cm_y);
+constrain_instance(c2_cm_x);
+constrain_instance(c2_cm_y);
+# coin (3) cm/commitment
+c3_cm_msg = poseidon_hash(PREFIX_CM, c3_pk, c3_value, c3_rho);
+c3_cm_v = ec_mul_short(c3_cm_msg, VALUE_COMMIT_VALUE);
+c3_cm_r = ec_mul(c3_opening, VALUE_COMMIT_RANDOM);
+c3_cm = ec_add(c3_cm_v, c3_cm_r);
+c3_cm_x = ec_get_x(c3_cm);
+constrain_instance(c3_cm_x);
+c3_cm_y = ec_get_y(c3_cm);
+constrain_instance(c3_cm_y);
+# coin (4) cm/commitment
+c4_cm_msg = poseidon_hash(PREFIX_CM, c4_pk, c4_value, c4_rho);
+c4_cm_v = ec_mul_short(c4_cm_msg, VALUE_COMMIT_VALUE);
+c4_cm_r = ec_mul(c4_opening, VALUE_COMMIT_RANDOM);
+c4_cm = ec_add(c4_cm_v, c4_cm_r);
+c4_cm_x = ec_get_x(c4_cm);
+constrain_instance(c4_cm_x);
+c4_cm_y = ec_get_y(c4_cm);
+constrain_instance(c4_cm_y);
+v1v2 = base_add(c1_value, c2_value);
+v2v3 = base_add(v3_value, v4_value);
+constrain_equal(v1v2, v2v3);
+# root of path to coin1 commitment at given position
+c1_root = merkle_root(c1_cm_pos, c1_cm_path, c1_cm_hash);
+constrain_instance(c1_root);
+# root of path to coin2n commitment at given position
+c2_root = merkle_root(c2_cm_pos, c2_cm_path, c2_cm_hash);
+constrain_instance(c2_root);
+# root of path to coin(1) sk at given position
+c1_sk_root = merkle_root_c1_sk_pos, c1_sk_path, c1_sk);
+constrain_instance(c1_sk_root);
+# root of path to coin(2) sk at given position
+c2_sk_root = merkle_root_c2_sk_pos, c2_sk_path, c2_sk);
+constrain_instance(c2_sk_root);
+# coin (1) sn/nullifier
+c1_sn = PRF(PREFIX_SN, c1_root_sk, c1_rho, ZERO);
+constrain_instance(c1_sn);
+# coin (2) sn/nullifier
+c2_sn = PRF(PREFIX_SN, c1_root_sk, c2_rho, ZERO);
+constrain_instance(c2_sn);
+}