move out old schemas

proofs/old/sapling.prf

@@ -0,0 +1,175 @@
+# You will need this repo:
+# https://github.com/zcash/librustzcash/
+# Then compare this code to the file:
+# librustzcash/zcash_proofs/src/circuit/sapling.rs
+
+# What is the LC stuff?
+# Difference between AllocatedNum and Num
+# Why BlsScalar vs JJScalar?
+const:
+    G_VCV: Point
+    G_VCR: Point
+    G_SPEND: Point
+    G_PROOF: Point
+    G_NOTE_COMMIT_R: Point
+    G_NULL: Point
+
+    CRH_IVK: Blake2sPersonalization
+    NOTE_COMMIT: PedersenPersonalization
+    MERKLE: list<PedersenPersonalization>
+    PRF_NF: Blake2sPersonalization
+
+def value_commit(value: u64, randomness: Scalar) -> (Point, list<bool>):
+    let value_bits: list<bool> = value as list<bool>
+    let value: Point = value * G_VCV
+
+    let rcv: list<bool> = randomness as list<bool>
+    let rcv: Point = rcv * G_VCR
+
+    let cv: Point = value + rcv
+    return cv, value_bits
+
+# The parameters to this function are the same as in:
+#   struct Spend
+def input_burn(
+    value: u64,                 # ValueCommitment.value
+    randomness: Scalar,         # ValueCommitment.randomness
+
+    ak: Point,                  # from ProofGenerationKey
+    ar: Scalar,
+
+    nsk: Scalar,                # from ProofGenerationKey
+
+    g_d: Point,                 # Computed from payment_address
+
+    commitment_randomness: Scalar,
+
+    auth_path: list<(Scalar, bool)>,
+
+    anchor: Scalar
+) -> (Point, Point, Point, list<bool>):
+    let ak = witness(ak)
+    ak.assert_not_small_order()
+
+    let ar: list<bool> = ar as list<bool>
+    let ar: Point = ar * G_SPEND
+
+    let rk: Point = ak + ar
+
+    let nsk: list<bool> = nsk as list<bool>
+    let nk: Point = nsk * G_PROOF
+
+    let mut ivk_preimage: list<bool> = []
+    # Must be list<bool> as well
+    ivk_preimage.extend(ak.repr())
+
+    let mut nf_preimage: list<bool> = []
+    let nk_repr: list<bool> = nk.repr()
+    ivk_preimage.extend(nk_repr)
+    nf_preimage.extend(nk_repr)
+
+    assert len(ivk_preimage) == 512
+    assert len(nf_preimage) == 256
+
+    let mut ivk: list<bool> = blake2s(ivk_preimage, CRH_IVK)
+    ivk.truncate(Scalar::CAPACITY)
+
+    let g_d: Point = witness g_d
+    g_d.assert_not_small_order()
+
+    let pk_d: Point = ivk * g_d
+
+    let mut note_contents: list<bool> = []
+
+    let (cv: Point, value_bits: list<bool>) = value_commit(value, randomness)
+
+    let mut value_num: Num = Num.zero()
+    let mut coeff: Scalar = Scalar.one()
+    for bit in value_bits:
+        value_num = value_num.add_bool_with_coeff(bit, coeff)
+        coeff = coeff.double()
+    # Is this equivalent?
+    let value_num = value_bits as Num
+
+    note_contents.extend(value_bits)
+    note_contents.extend(g_d)
+    note_contents.extend(pk_d)
+
+    assert len(note_contents) == 64 + 256 + 256
+
+    let mut cm: Point = pedersen_hash(NOTE_COMMIT, note_contents)
+    let rcm: list<bool> = commitment_randomness as list<bool>
+    let rcm: Point = rcm * G_NOTE_COMMIT_R
+    cm += rcm
+
+    let mut position_bits: list<bool> = []
+    let mut cur: Scalar = cm.u
+
+    for i, (node, is_right) in enumerate(auth_path):
+        position_bits.push(is_right)
+
+        let node: EncryptedNum = EncryptedNum.from(node)
+        print(node)
+        let (left: list<bool>, right: list<bool>) = Num.swap_if(is_right, cur, node)
+
+        let mut preimage: list<bool> = []
+        preimage.extend(left)
+        preimage.extend(right)
+
+        cur = pedersen_hash(MERKLE_TREE[i], preimage).u
+
+    let rt: Point = EncryptedNum.from(anchor)
+
+    enforce (cur - rt) * value_num == 0
+
+    let position: Point = position_bits * G_NULL
+    let rho: Point = cm + position
+
+    nf_preimage.extend(rho)
+    assert len(nf_preimage) == 512
+    let nf: list<bool> = blake2s(nf_preimage, PRF_NF)
+
+    return (rk, cv, rt, nf)
+
+def output_mint(
+    value: u64,
+    randomness: Scalar,
+
+    g_d: Point,
+
+    esk: Scalar,
+    pk_d: Point,
+
+    commitment_randomness: Scalar
+) -> (Point, Point, Scalar):
+    let (cv: Point, value_bits: list<bool>) = value_commit(value, randomness)
+
+    let mut note_contents: list<bool> = []
+    note_contents.extend(value_bits)
+
+    let g_d: Point = witness g_d
+    assert is_not_small_order(g_d)
+
+    let esk: list<bool> = esk as list<bool>
+    let epk: Point = esk * g_d
+
+    let v_contents: list<bool> = pk_d.v as list<bool>
+
+    let sign_bit: bool = pk_d.u.is_odd() as bool
+
+    note_contents.extend(v_contents)
+    note_contents.push(sign_bit)
+
+    assert len(note_contents) == 64 + 256 + 256
+
+    let mut cm: Point = pedersen_hash(NOTE_COMMIT, note_contents)
+
+    let rcm: list<bool> = commitment_randomness as list<bool>
+    let rcm: Point = rcm * G_NOTE_COMMIT_R
+
+    cm += rcm
+
+    let cmu: Scalar = cm.u
+
+    return (cv, epk, cmu)
+

proofs/sapling.prf

@@ -1,175 +1,120 @@
-# You will need this repo:
-# https://github.com/zcash/librustzcash/
-# Then compare this code to the file:
-# librustzcash/zcash_proofs/src/circuit/sapling.rs
-
-# What is the LC stuff?
-# Difference between AllocatedNum and Num
-# Why BlsScalar vs JJScalar?
+# :set syntax=sapvi
+# :source ../scripts/sapvi.vim
 const:
-    G_VCV: Point
-    G_VCR: Point
-    G_SPEND: Point
-    G_PROOF: Point
-    G_NOTE_COMMIT_R: Point
-    G_NULL: Point
+    G_VCV: SubgroupPoint
+    G_VCR: SubgroupPoint
+    G_SPEND: SubgroupPoint
+    G_PROOF: SubgroupPoint
+    G_NOTE_COMMIT_R: SubgroupPoint
+    G_NULL: SubgroupPoint
 
     CRH_IVK: Blake2sPersonalization
     NOTE_COMMIT: PedersenPersonalization
     MERKLE: list<PedersenPersonalization>
     PRF_NF: Blake2sPersonalization
 
-def value_commit(value: u64, randomness: Scalar) -> (Point, list<bool>):
-    let value_bits: list<bool> = value as list<bool>
-    let value: Point = value * G_VCV
-
-    let rcv: list<bool> = randomness as list<bool>
-    let rcv: Point = rcv * G_VCR
-
-    let cv: Point = value + rcv
-    return cv, value_bits
-
-# The parameters to this function are the same as in:
-#   struct Spend
-def input_burn(
-    value: u64,                 # ValueCommitment.value
-    randomness: Scalar,         # ValueCommitment.randomness
-
-    ak: Point,                  # from ProofGenerationKey
-    ar: Scalar,
-
-    nsk: Scalar,                # from ProofGenerationKey
-
-    g_d: Point,                 # Computed from payment_address
-
-    commitment_randomness: Scalar,
-
-    auth_path: list<(Scalar, bool)>,
-
+contract input_spend(
+    value: U64 -> BinaryNumber
+    randomness: Fr -> BinaryNumber
+    ak: Point
+    ar: Fr -> BinaryNumber
+    nsk: Fr -> BinaryNumber
+    g_d: Point
+    commitment_randomness: Fr -> BinaryNumber
+    auth_path: [(Scalar, Bool)]
     anchor: Scalar
-) -> (Point, Point, Point, list<bool>):
-    let ak = witness(ak)
-    ak.assert_not_small_order()
+) -> (Point, Point, Scalar, BinaryNumber):
+    let rk: Point = ak + ar * G_SPEND
+    emit rk
 
-    let ar: list<bool> = ar as list<bool>
-    let ar: Point = ar * G_SPEND
-
-    let rk: Point = ak + ar
-
-    let nsk: list<bool> = nsk as list<bool>
     let nk: Point = nsk * G_PROOF
 
-    let mut ivk_preimage: list<bool> = []
-    # Must be list<bool> as well
-    ivk_preimage.extend(ak.repr())
+    let mut ivk_preimage: BinaryNumber = []
+    ivk_preimage.put(ak)
 
-    let mut nf_preimage: list<bool> = []
-    let nk_repr: list<bool> = nk.repr()
-    ivk_preimage.extend(nk_repr)
-    nf_preimage.extend(nk_repr)
+    let mut nf_preimage: BinaryNumber = []
 
-    assert len(ivk_preimage) == 512
-    assert len(nf_preimage) == 256
+    ivk_preimage.put(nk)
+    nf_preimage.put(nk)
 
-    let mut ivk: list<bool> = blake2s(ivk_preimage, CRH_IVK)
-    ivk.truncate(Scalar::CAPACITY)
-
-    let g_d: Point = witness g_d
-    g_d.assert_not_small_order()
+    assert ivk_preimage.len() == 512
+    assert nf_preimage.len() == 256
 
+    let mut ivk = blake2s(ivk_preimage, CRH_IVK)
+    ivk.truncate(JUBJUB_FR_CAPACITY)
+    # This will error if ivk.len() != 256
+    #let ivk: Fr = ivk as Fr
     let pk_d: Point = ivk * g_d
 
-    let mut note_contents: list<bool> = []
+    let cv: Point = value * G_VCV + rcv * G_VCR
+    emit cv
 
-    let (cv: Point, value_bits: list<bool>) = value_commit(value, randomness)
+    let mut note_contents: BinaryNumber = []
+    note_contents.put(value)
+    note_contents.put(g_d)
+    note_contents.put(p_k)
+    assert note_contents.len() == 64 + 256 + 256
 
-    let mut value_num: Num = Num.zero()
-    let mut coeff: Scalar = Scalar.one()
-    for bit in value_bits:
-        value_num = value_num.add_bool_with_coeff(bit, coeff)
-        coeff = coeff.double()
-    # Is this equivalent?
-    let value_num = value_bits as Num
+    let mut cm = pedersen_hash(note_contents, NOTE_COMMIT)
+    cm += commitment_randomness * G_NOTE_COMMIT_R
 
-    note_contents.extend(value_bits)
-    note_contents.extend(g_d)
-    note_contents.extend(pk_d)
-
-    assert len(note_contents) == 64 + 256 + 256
-
-    let mut cm: Point = pedersen_hash(NOTE_COMMIT, note_contents)
-    let rcm: list<bool> = commitment_randomness as list<bool>
-    let rcm: Point = rcm * G_NOTE_COMMIT_R
-    cm += rcm
-
-    let mut position_bits: list<bool> = []
+    let mut position = []
     let mut cur: Scalar = cm.u
 
-    for i, (node, is_right) in enumerate(auth_path):
-        position_bits.push(is_right)
+    for i in range(auth_path.size()):
+        let (node: Scalar, is_right: Bool) = auth_path[i]
 
-        let node: EncryptedNum = EncryptedNum.from(node)
-        print(node)
-        let (left: list<bool>, right: list<bool>) = Num.swap_if(is_right, cur, node)
+        position.push(is_right)
 
-        let mut preimage: list<bool> = []
-        preimage.extend(left)
-        preimage.extend(right)
+        # Scalar -> AllocatedNum
+        let (left: Scalar, right: Scalar) = swap_if(is_right, cur, node)
+
+        let mut preimage: BinaryNumber = []
+        preimage.put(left)
+        preimage.put(right)
 
         cur = pedersen_hash(MERKLE_TREE[i], preimage).u
 
-    let rt: Point = EncryptedNum.from(anchor)
+    enforce cur == rt
+    emit rt
 
-    enforce (cur - rt) * value_num == 0
+    let rho: Point = rho + position * G_NULL
 
-    let position: Point = position_bits * G_NULL
-    let rho: Point = cm + position
+    nf_preimage.put(rho)
+    assert nf_preimage.len() == 512
 
-    nf_preimage.extend(rho)
-    assert len(nf_preimage) == 512
-    let nf: list<bool> = blake2s(nf_preimage, PRF_NF)
+    let nf: BinaryNumber = blake2s(nf_preimage, PRF_NF)
+    emit nf
 
-    return (rk, cv, rt, nf)
-
-def output_mint(
-    value: u64,
-    randomness: Scalar,
-
-    g_d: Point,
-
-    esk: Scalar,
-    pk_d: Point,
-
-    commitment_randomness: Scalar
+contract output_mint(
+    value: U64 -> BinaryNumber
+    randomness: Fr -> BinaryNumber
+    g_d: Point
+    esk: Fr -> BinaryNumber
+    pk_d: Point
+    commitment_randomness: Fr -> BinaryNumber
 ) -> (Point, Point, Scalar):
-    let (cv: Point, value_bits: list<bool>) = value_commit(value, randomness)
+    let cv: Point = value * G_VCV + rcv * G_VCR
+    emit cv
 
-    let mut note_contents: list<bool> = []
-    note_contents.extend(value_bits)
+    let mut note_contents: Binary = []
+    note_contents.put(value)
 
-    let g_d: Point = witness g_d
-    assert is_not_small_order(g_d)
-
-    let esk: list<bool> = esk as list<bool>
     let epk: Point = esk * g_d
+    emit epk
 
-    let v_contents: list<bool> = pk_d.v as list<bool>
+    let v_contents: Scalar = pk_d.v
+    let sign_bit: Bool = pk_d.u.is_odd()
 
-    let sign_bit: bool = pk_d.u.is_odd() as bool
-
-    note_contents.extend(v_contents)
-    note_contents.push(sign_bit)
+    note_contents.put(v_contents)
+    note_contents.put(sign_bit)
 
     assert len(note_contents) == 64 + 256 + 256
 
-    let mut cm: Point = pedersen_hash(NOTE_COMMIT, note_contents)
-
-    let rcm: list<bool> = commitment_randomness as list<bool>
-    let rcm: Point = rcm * G_NOTE_COMMIT_R
-
+    let mut cm: Point = pedersen_hash(note_contents, NOTE_COMMIT)
+    let rcm: Point = commitment_randomness * G_NOTE_COMMIT_R
     cm += rcm
 
     let cmu: Scalar = cm.u
-
-    return (cv, epk, cmu)
+    emit cmu
 

proofs/sapling.pseudocode

@@ -1,120 +0,0 @@
-# :set syntax=sapvi
-# :source ../scripts/sapvi.vim
-const:
-    G_VCV: SubgroupPoint
-    G_VCR: SubgroupPoint
-    G_SPEND: SubgroupPoint
-    G_PROOF: SubgroupPoint
-    G_NOTE_COMMIT_R: SubgroupPoint
-    G_NULL: SubgroupPoint
-
-    CRH_IVK: Blake2sPersonalization
-    NOTE_COMMIT: PedersenPersonalization
-    MERKLE: list<PedersenPersonalization>
-    PRF_NF: Blake2sPersonalization
-
-contract input_spend(
-    value: U64 -> BinaryNumber
-    randomness: Fr -> BinaryNumber
-    ak: Point
-    ar: Fr -> BinaryNumber
-    nsk: Fr -> BinaryNumber
-    g_d: Point
-    commitment_randomness: Fr -> BinaryNumber
-    auth_path: [(Scalar, Bool)]
-    anchor: Scalar
-) -> (Point, Point, Scalar, BinaryNumber):
-    let rk: Point = ak + ar * G_SPEND
-    emit rk
-
-    let nk: Point = nsk * G_PROOF
-
-    let mut ivk_preimage: BinaryNumber = []
-    ivk_preimage.put(ak)
-
-    let mut nf_preimage: BinaryNumber = []
-
-    ivk_preimage.put(nk)
-    nf_preimage.put(nk)
-
-    assert ivk_preimage.len() == 512
-    assert nf_preimage.len() == 256
-
-    let mut ivk = blake2s(ivk_preimage, CRH_IVK)
-    ivk.truncate(JUBJUB_FR_CAPACITY)
-    # This will error if ivk.len() != 256
-    #let ivk: Fr = ivk as Fr
-    let pk_d: Point = ivk * g_d
-
-    let cv: Point = value * G_VCV + rcv * G_VCR
-    emit cv
-
-    let mut note_contents: BinaryNumber = []
-    note_contents.put(value)
-    note_contents.put(g_d)
-    note_contents.put(p_k)
-    assert note_contents.len() == 64 + 256 + 256
-
-    let mut cm = pedersen_hash(note_contents, NOTE_COMMIT)
-    cm += commitment_randomness * G_NOTE_COMMIT_R
-
-    let mut position = []
-    let mut cur: Scalar = cm.u
-
-    for i in range(auth_path.size()):
-        let (node: Scalar, is_right: Bool) = auth_path[i]
-
-        position.push(is_right)
-
-        # Scalar -> AllocatedNum
-        let (left: Scalar, right: Scalar) = swap_if(is_right, cur, node)
-
-        let mut preimage: BinaryNumber = []
-        preimage.put(left)
-        preimage.put(right)
-
-        cur = pedersen_hash(MERKLE_TREE[i], preimage).u
-
-    enforce cur == rt
-    emit rt
-
-    let rho: Point = rho + position * G_NULL
-
-    nf_preimage.put(rho)
-    assert nf_preimage.len() == 512
-
-    let nf: BinaryNumber = blake2s(nf_preimage, PRF_NF)
-    emit nf
-
-contract output_mint(
-    value: U64 -> BinaryNumber
-    randomness: Fr -> BinaryNumber
-    g_d: Point
-    esk: Fr -> BinaryNumber
-    pk_d: Point
-    commitment_randomness: Fr -> BinaryNumber
-) -> (Point, Point, Scalar):
-    let cv: Point = value * G_VCV + rcv * G_VCR
-    emit cv
-
-    let mut note_contents: Binary = []
-    note_contents.put(value)
-
-    let epk: Point = esk * g_d
-    emit epk
-
-    let v_contents: Scalar = pk_d.v
-    let sign_bit: Bool = pk_d.u.is_odd()
-
-    note_contents.put(v_contents)
-    note_contents.put(sign_bit)
-
-    assert len(note_contents) == 64 + 256 + 256
-
-    let mut cm: Point = pedersen_hash(note_contents, NOTE_COMMIT)
-    let rcm: Point = commitment_randomness * G_NOTE_COMMIT_R
-    cm += rcm
-
-    let cmu: Scalar = cm.u
-    emit cmu
-