diff --git a/Makefile b/Makefile index 09feefc5b..9b2d58abb 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ PREFIX = /usr/local CARGO = cargo # Binaries to be built -BINS = drk darkfid gatewayd zkas +BINS = zkas drk darkfid gatewayd # Common dependencies which should force the binaries to be rebuilt BINDEPS = \ @@ -40,8 +40,8 @@ test-tx: $(CARGO) run --release --features=node --example tx test-vm: zkas - ./zkas proofs/mint.zk - ./zkas proofs/burn.zk + ./zkas proof/mint.zk + ./zkas proof/burn.zk $(CARGO) run --release --features=cli,zkvm --example vm2 clean: diff --git a/book/src/zkas/examples/sapling.md b/book/src/zkas/examples/sapling.md index 53d4a13b0..a7e7fc94e 100644 --- a/book/src/zkas/examples/sapling.md +++ b/book/src/zkas/examples/sapling.md @@ -11,7 +11,7 @@ $C$, and we use the burn proof to spend a previously minted _coin_. ## Mint proof ``` -{{#include ../../../../proofs/mint.zk}} +{{#include ../../../../proof/mint.zk}} ``` As you can see, the `Mint` proof basically consists of three @@ -120,7 +120,7 @@ let public_inputs = vec![ ## Burn ``` -{{#include ../../../../proofs/burn.zk}} +{{#include ../../../../proof/burn.zk}} ``` The `Burn` proof consists of operations similar to the `Mint` proof, diff --git a/book/src/zkas/examples/voting.md b/book/src/zkas/examples/voting.md index 78703fc8e..4b1ba84fd 100644 --- a/book/src/zkas/examples/voting.md +++ b/book/src/zkas/examples/voting.md @@ -15,7 +15,7 @@ with its voter's key on the database, so votes wouldn't be secret. ## Vote proof ``` -{{#include ../../../../proofs/voting.zk}} +{{#include ../../../../proof/voting.zk}} ``` Our proof consists of four main operation. First we are hashing the diff --git a/proof/burn.zk b/proof/burn.zk index 5826271af..c7e4487aa 100644 --- a/proof/burn.zk +++ b/proof/burn.zk @@ -1,56 +1,66 @@ -# :set syntax=zk -# :source scripts/zk.vim -constant EcFixedPoint VALUE_COMMIT_VALUE -constant EcFixedPoint VALUE_COMMIT_RANDOM -constant EcFixedPoint SPEND_AUTH_G - -contract Burn { - Base secret - Base serial - MerklePath path - Base leaf - - Base value - Base asset - Scalar value_blind - Scalar asset_blind - Scalar sig_secret +constant "Burn" { + EcFixedPoint VALUE_COMMIT_VALUE, + EcFixedPoint VALUE_COMMIT_RANDOM, + EcFixedPoint NULLIFIER_K, } -circuit Burn { - # nullifier = Hash(secret, serial) - poseidon_hash nullifier secret serial - constrain_instance nullifier - - # root = calculate_root(path, leaf) - calculate_merkle_root root path leaf - constrain_instance root - - # value_commit = PedersenCommit(value, value_blind); - ec_mul_short vcv value VALUE_COMMIT_VALUE - ec_mul vcr value_blind VALUE_COMMIT_RANDOM - ec_add value_commit vcv vcr - ec_get_x x value_commit - ec_get_y y value_commit - constrain_instance x - constrain_instance y - - # asset_commit = PedersenCommit(asset, asset_blind); - ec_mul_short acv asset VALUE_COMMIT_VALUE - ec_mul acr asset_blind VALUE_COMMIT_RANDOM - ec_add asset_commit acv acr - ec_get_x x asset_commit - ec_get_y y asset_commit - constrain_instance x - constrain_instance y - - # spend_auth_public = sig_secret * SPEND_AUTH_G - ec_mul spend_auth_public sig_secret SPEND_AUTH_G - ec_get_x sx spend_auth_public - ec_get_y sy spend_auth_public - constrain_instance sx - constrain_instance sy - - # return (nullifier, root, value_commit, value_blind); +contract "Burn" { + Base secret, + Base serial, + Base value, + Base token, + Base coin_blind, + Scalar value_blind, + Scalar token_blind, + Uint32 leaf_pos, + MerklePath path, + Base signature_secret, } +circuit "Burn" { + # Poseidon hash of the nullifier + nullifier = poseidon_hash(secret, serial); + constrain_instance(nullifier); + + # Pedersen commitment for coin's value + vcv = ec_mul_short(value, VALUE_COMMIT_VALUE); + vcr = ec_mul(value_blind, VALUE_COMMIT_RANDOM); + value_commit = ec_add(vcv, vcr); + # Since value_commit is a curve point, we fetch its coordinates + # and constrain them: + value_commit_x = ec_get_x(value_commit); + value_commit_y = ec_get_y(value_commit); + constrain_instance(value_commit_x); + constrain_instance(value_commit_y); + + # Pedersen commitment for coin's token ID + tcv = ec_mul_short(token, VALUE_COMMIT_VALUE); + tcr = ec_mul(token_blind, VALUE_COMMIT_RANDOM); + token_commit = ec_add(tcv, tcr); + # Since token_commit is also a curve point, we'll do the same + # coordinate dance: + token_commit_x = ec_get_x(token_commit); + token_commit_y = ec_get_y(token_commit); + constrain_instance(token_commit_x); + constrain_instance(token_commit_y); + + # Coin hash + pub = ec_mul_base(secret, NULLIFIER_K); + pub_x = ec_get_x(pub); + pub_y = ec_get_y(pub); + C = poseidon_hash(pub_x, pub_y, value, token, serial, coin_blind); + + # Merkle root + root = calculate_merkle_root(leaf_pos, path, C); + constrain_instance(root); + + # Finally, we derive a public key for the signature and + # constrain its coordinates: + signature_public = ec_mul_base(signature_secret, NULLIFIER_K); + signature_x = ec_get_x(signature_public); + signature_y = ec_get_y(signature_public); + constrain_instance(signature_x); + constrain_instance(signature_y); + + # At this point we've enforced all of our public inputs. +} diff --git a/proof/mint.zk b/proof/mint.zk index 58a4c70db..4c25f47f3 100644 --- a/proof/mint.zk +++ b/proof/mint.zk @@ -1,46 +1,45 @@ -# :set syntax=zk -# :source scripts/zk.vim -constant EcFixedPoint VALUE_COMMIT_VALUE -constant EcFixedPoint VALUE_COMMIT_RANDOM - -contract Mint { - Base pub_x - Base pub_y - Base value - Base asset - Base serial - Base coin_blind - Scalar value_blind - Scalar asset_blind +constant "Mint" { + EcFixedPoint VALUE_COMMIT_VALUE, + EcFixedPoint VALUE_COMMIT_RANDOM, } -circuit Mint { - # coin = Hash(pub_x, pub_y, value, asset, serial, coin_blind); - poseidon_hash C1 pub_x pub_y - poseidon_hash C2 value asset - poseidon_hash C3 serial coin_blind - add C12 C1 C2 - add C C12 C3 - constrain_instance C - - # value_commit = PedersenCommit(value, value_blind); - ec_mul_short vcv value VALUE_COMMIT_VALUE - ec_mul vcr value_blind VALUE_COMMIT_RANDOM - ec_add value_commit vcv vcr - ec_get_x x value_commit - ec_get_y y value_commit - constrain_instance x - constrain_instance y - - # asset_commit = PedersenCommit(asset, asset_blind); - ec_mul_short acv asset VALUE_COMMIT_VALUE - ec_mul acr asset_blind VALUE_COMMIT_RANDOM - ec_add asset_commit acv acr - ec_get_x x asset_commit - ec_get_y y asset_commit - constrain_instance x - constrain_instance y - - # return (coin, value_commit, asset_commit); +contract "Mint" { + Base pub_x, + Base pub_y, + Base value, + Base token, + Base serial, + Base coin_blind, + Scalar value_blind, + Scalar token_blind, } +circuit "Mint" { + # Poseidon hash of the coin + C = poseidon_hash(pub_x, pub_y, value, token, serial, coin_blind); + constrain_instance(C); + + # Pedersen commitment for coin's value + vcv = ec_mul_short(value, VALUE_COMMIT_VALUE); + vcr = ec_mul(value_blind, VALUE_COMMIT_RANDOM); + value_commit = ec_add(vcv, vcr); + # Since the value commit is a curve point, we fetch its coordinates + # and constrain them: + value_commit_x = ec_get_x(value_commit); + value_commit_y = ec_get_y(value_commit); + constrain_instance(value_commit_x); + constrain_instance(value_commit_y); + + # Pedersen commitment for coin's token ID + tcv = ec_mul_short(token, VALUE_COMMIT_VALUE); + tcr = ec_mul(token_blind, VALUE_COMMIT_RANDOM); + token_commit = ec_add(tcv, tcr); + # Since token_commit is also a curve point, we'll do the same + # coordinate dance: + token_commit_x = ec_get_x(token_commit); + token_commit_y = ec_get_y(token_commit); + constrain_instance(token_commit_x); + constrain_instance(token_commit_y); + + # At this point we've enforced all of our public inputs. +} diff --git a/proofs/voting.zk b/proof/voting.zk similarity index 100% rename from proofs/voting.zk rename to proof/voting.zk diff --git a/proofs/burn.zk b/proofs/burn.zk deleted file mode 100644 index c7e4487aa..000000000 --- a/proofs/burn.zk +++ /dev/null @@ -1,66 +0,0 @@ -constant "Burn" { - EcFixedPoint VALUE_COMMIT_VALUE, - EcFixedPoint VALUE_COMMIT_RANDOM, - EcFixedPoint NULLIFIER_K, -} - -contract "Burn" { - Base secret, - Base serial, - Base value, - Base token, - Base coin_blind, - Scalar value_blind, - Scalar token_blind, - Uint32 leaf_pos, - MerklePath path, - Base signature_secret, -} - -circuit "Burn" { - # Poseidon hash of the nullifier - nullifier = poseidon_hash(secret, serial); - constrain_instance(nullifier); - - # Pedersen commitment for coin's value - vcv = ec_mul_short(value, VALUE_COMMIT_VALUE); - vcr = ec_mul(value_blind, VALUE_COMMIT_RANDOM); - value_commit = ec_add(vcv, vcr); - # Since value_commit is a curve point, we fetch its coordinates - # and constrain them: - value_commit_x = ec_get_x(value_commit); - value_commit_y = ec_get_y(value_commit); - constrain_instance(value_commit_x); - constrain_instance(value_commit_y); - - # Pedersen commitment for coin's token ID - tcv = ec_mul_short(token, VALUE_COMMIT_VALUE); - tcr = ec_mul(token_blind, VALUE_COMMIT_RANDOM); - token_commit = ec_add(tcv, tcr); - # Since token_commit is also a curve point, we'll do the same - # coordinate dance: - token_commit_x = ec_get_x(token_commit); - token_commit_y = ec_get_y(token_commit); - constrain_instance(token_commit_x); - constrain_instance(token_commit_y); - - # Coin hash - pub = ec_mul_base(secret, NULLIFIER_K); - pub_x = ec_get_x(pub); - pub_y = ec_get_y(pub); - C = poseidon_hash(pub_x, pub_y, value, token, serial, coin_blind); - - # Merkle root - root = calculate_merkle_root(leaf_pos, path, C); - constrain_instance(root); - - # Finally, we derive a public key for the signature and - # constrain its coordinates: - signature_public = ec_mul_base(signature_secret, NULLIFIER_K); - signature_x = ec_get_x(signature_public); - signature_y = ec_get_y(signature_public); - constrain_instance(signature_x); - constrain_instance(signature_y); - - # At this point we've enforced all of our public inputs. -} diff --git a/proofs/mint.zk b/proofs/mint.zk deleted file mode 100644 index 4c25f47f3..000000000 --- a/proofs/mint.zk +++ /dev/null @@ -1,45 +0,0 @@ -constant "Mint" { - EcFixedPoint VALUE_COMMIT_VALUE, - EcFixedPoint VALUE_COMMIT_RANDOM, -} - -contract "Mint" { - Base pub_x, - Base pub_y, - Base value, - Base token, - Base serial, - Base coin_blind, - Scalar value_blind, - Scalar token_blind, -} - -circuit "Mint" { - # Poseidon hash of the coin - C = poseidon_hash(pub_x, pub_y, value, token, serial, coin_blind); - constrain_instance(C); - - # Pedersen commitment for coin's value - vcv = ec_mul_short(value, VALUE_COMMIT_VALUE); - vcr = ec_mul(value_blind, VALUE_COMMIT_RANDOM); - value_commit = ec_add(vcv, vcr); - # Since the value commit is a curve point, we fetch its coordinates - # and constrain them: - value_commit_x = ec_get_x(value_commit); - value_commit_y = ec_get_y(value_commit); - constrain_instance(value_commit_x); - constrain_instance(value_commit_y); - - # Pedersen commitment for coin's token ID - tcv = ec_mul_short(token, VALUE_COMMIT_VALUE); - tcr = ec_mul(token_blind, VALUE_COMMIT_RANDOM); - token_commit = ec_add(tcv, tcr); - # Since token_commit is also a curve point, we'll do the same - # coordinate dance: - token_commit_x = ec_get_x(token_commit); - token_commit_y = ec_get_y(token_commit); - constrain_instance(token_commit_x); - constrain_instance(token_commit_y); - - # At this point we've enforced all of our public inputs. -} diff --git a/proofs/poseidonhash.zk b/proofs/poseidonhash.zk deleted file mode 100644 index 5a90cd9b8..000000000 --- a/proofs/poseidonhash.zk +++ /dev/null @@ -1,15 +0,0 @@ -constant "Poseidon" { - EcFixedPoint VALUE_COMMIT_VALUE, - EcFixedPoint VALUE_COMMIT_RANDOM, -} - -contract "Poseidon" { - Base foo, - Base bar, -} - -circuit "Poseidon" { - # Poseidon hash of the coin - C = poseidon_hash(foo, bar); - constrain_instance(C); -}