github/darkfi
1
1
Fork 0
mirror of https://github.com/darkrenaissance/darkfi.git synced 2026-01-09 22:57:59 -05:00
Code Issues Packages Projects Releases Wiki Activity

lead circuit in zkas

Browse Source
This commit is contained in:
mohab metwally
2022-11-17 17:41:24 +02:00
parent 3049839993
commit b94c3e3413
4 changed files with 181 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
proof/lead.zk Normal file
View File

@@ -0,0 +1,90 @@
constant "Lead" {
EcFixedPointShort VALUE_COMMIT_VALUE,
EcFixedPoint VALUE_COMMIT_RANDOM,
EcFixedPointBase NULLIFIER_K,
Base PREFIX_CM,
Base PREFIX_PK,
Base PREFIX_EVL,
BASE PREFIX_SEED,
Base ONE,
Base ZERO,
}
contract "Lead" {
MerklePath c1_cm_path,
Uint32 c1_cm_pos,
Unit32 c1_sk_pos,
Base c1_sk,
Base c1_sk_root,
MerklePath c1_sk_path,
Base c1_tau,
Base c1_rho,
Scalar c1_opening,
Base value,
Scalar c2_opening,
Scalar rho_mu,
Scalar y_mu,
Base sigam1,
Base sigma2
}
Circuit "Lead" {
# coin (1) pk
pk = poseidon_hash(PREFIX_PK, c1_sk_root, c1_tau, ZERO);
constrain_instance(pk);
# coin (2) rho/nonce
c2_rho = poseidon_hash(PREFIX_EVL, c1_sk_root, c1_rho, ZERO);
constrain_instance(c2_rho);
# coin (1) cm/commitment
c1_cm_msg = poseidon_hash(PREFIX_CM, pk, value, c1_rho);
c1_cm_v = ec_mul_short(c1_cm_msg, VALUE_COMMIT_VALUE);
c1_cm_r = ec_mul(c1_opening, VALUE_COMMIT_RANDOM);
c1_cm = ec_add(c1_cm_v, c1_cm_r);
c1_cm_x = ec_get_x(c1_cm);
c1_cm_y = ec_get_y(c1_cm);
constrain_instance(c1_cm_x);
constrain_instance(c1_cm_y);
# coin (2) cm/commitment
c2_cm_msg = poseidon_hash(PREFIX_CM, pk, value, c2_rho);
c2_cm_v = ec_mul_short(c2_cm_msg, VALUE_COMMIT_VALUE);
c2_cm_r = ec_mul(c2_opening, VALUE_COMMIT_RANDOM);
c2_cm = ec_add(c2_cm_v, c2_cm_r);
c2_cm_x = ec_get_x(c2_cm);
c2_cm_y = ec_get_y(c2_cm);
constrain_instance(c2_cm_x);
constrain_instance(c2_cm_y);
# root of path to burnt coin commitment at given pos
root = merkle_root(c1_cm_pos, c1_cm_path, c1_cm);
constrain_instance(root);
# root of path at c1_sk_pos
root_sk = merkle_root(c1_sk_pos, c1_sk_path, c1_sk);
constrain_instance(root_sk);
# coin (1) sn/nullifier
sn = poseidon_hash(PREFIX_SN, c1_sk_root, c1_rho, ZERO);
constrain_instance(sn);
# lottery seed
seed = poseidon_hash(PREFIX_SEED, c1_sk_root, c1_rho, ZERO);
# y
y_v = ec_mul_short(seed, VALUE_COMMIT_VALUE);
y_r = ec_mul(y_mu, VALUE_COMMIT_RANDOM);
y = ec_add(y_v, y_r);
y_x = ec_get_x(y);
y_y = ec_get_y(y);
constrain_instance(y_x);
constrain_instance(y_y);
# rho
rho_v = ec_mul_short(seed, VALUE_COMMIT_VALUE);
rho_r = ec_mul(rho_mu, VALUE_COMMIT_RANDOM);
rho = ec_add(rho_v, rho_r);
rho_x = ec_get_x(rho);
rho_y = ec_get_y(rho);
constrain_instance(rho_x);
constrain_instance(rho_y);
# target
term1 = base_mul(sigma1, value);
term2_1 = base_mul(sigam2, value);
term2 = base_mul(term_2_1, value);
target = base_add(term1, term2);
# lottery
less_than(y, target)
}

25
src/consensus/leadcoin.rs
View File

@@ -239,20 +239,29 @@ impl LeadCoin {
let pubkey = PublicKey::from_secret(self.secret_key); let pubkey = PublicKey::from_secret(self.secret_key);
let (pub_x, pub_y) = pubkey.xy(); let (pub_x, pub_y) = pubkey.xy();
let c2_cm = self.coin2_commitment.coordinates().unwrap();
vec![self.nonce_cm, pub_x, pub_y, y] // rho
}
/// Try to create a ZK proof of consensus leadership
pub fn create_lead_proof(&self, pk: &ProvingKey) -> Result<Proof> {
// Initialize circuit with witnesses // Initialize circuit with witnesses
let lottery_msg_input = [self.coin1_sk_root.inner(), self.nonce]; let lottery_msg_input = [self.coin1_sk_root.inner(), self.nonce];
let lottery_msg = poseidon_hash(lottery_msg_input); let lottery_msg = poseidon_hash(lottery_msg_input);
let rho = pedersen_commitment_base(lottery_msg, mod_r_p(self.rho_mu)); let rho = pedersen_commitment_base(lottery_msg, mod_r_p(self.rho_mu));
let rho_coord = rho.coordinates().unwrap();
vec![
self.coin1_commitment_root.inner(),
self.sn,
*c2_cm.x(), *c2_cm.y(),
*rho_coord.x(), *rho_coord.y(),
self.nonce_cm,
pub_x, pub_y,
y
]
}
/// Try to create a ZK proof of consensus leadership
pub fn create_lead_proof(&self, pk: &ProvingKey) -> Result<Proof> {
let circuit = LeadContract { let circuit = LeadContract {
coin1_commit_merkle_path: Value::known(self.coin1_commitment_merkle_path), coin1_commit_merkle_path: Value::known(self.coin1_commitment_merkle_path),
coin1_commit_root: Value::known(self.coin1_commitment_root.inner()),
coin1_commit_leaf_pos: Value::known(self.idx), coin1_commit_leaf_pos: Value::known(self.idx),
coin1_sk: Value::known(self.secret_key.inner()), coin1_sk: Value::known(self.secret_key.inner()),
coin1_sk_root: Value::known(self.coin1_sk_root.inner()), coin1_sk_root: Value::known(self.coin1_sk_root.inner()),
@@ -260,7 +269,6 @@ impl LeadCoin {
coin1_timestamp: Value::known(self.tau), coin1_timestamp: Value::known(self.tau),
coin1_nonce: Value::known(self.nonce), coin1_nonce: Value::known(self.nonce),
coin1_blind: Value::known(self.coin1_blind), coin1_blind: Value::known(self.coin1_blind),
coin1_serial: Value::known(self.sn),
coin1_value: Value::known(pallas::Base::from(self.value)), coin1_value: Value::known(pallas::Base::from(self.value)),
coin2_blind: Value::known(self.coin2_blind), coin2_blind: Value::known(self.coin2_blind),
coin2_commit: Value::known(self.coin2_commitment), coin2_commit: Value::known(self.coin2_commitment),
@@ -268,7 +276,6 @@ impl LeadCoin {
y_mu: Value::known(mod_r_p(self.y_mu)), y_mu: Value::known(mod_r_p(self.y_mu)),
sigma1: Value::known(self.sigma1), sigma1: Value::known(self.sigma1),
sigma2: Value::known(self.sigma2), sigma2: Value::known(self.sigma2),
rho: Value::known(rho),
}; };
Ok(Proof::create(pk, &[circuit], &self.public_inputs(), &mut OsRng)?) Ok(Proof::create(pk, &[circuit], &self.public_inputs(), &mut OsRng)?)

2
src/consensus/mod.rs
View File

@@ -53,3 +53,5 @@ pub mod utils;
/// Wallet functions /// Wallet functions
pub mod wallet; pub mod wallet;
pub mod ouroboros;

96
src/zk/circuit/lead_contract.rs
View File

@@ -61,14 +61,26 @@ use crate::zk::{
}; };
use log::info; use log::info;
/// public input offset for lead coin 1 commitment root.
const LEADCOIN_COIN1_COMMIT_ROOT_OFFSET: usize = 0;
/// public input offset for lead coin 1 nullifier.
const LEADCOIN_COIN1_NULLIFIER_ROOT_OFFSET: usize = 1;
/// public input offset for coin2 commitment x coordinate.
const LEADCOIN_COIN2_COMMITMENT_X_OFFSET: usize = 2;
/// public input offset for coin2 commitment y coordinate.
const LEADCOIN_COIN2_COMMITMENT_Y_OFFSET: usize = 3;
/// public input offset for rho commitment x coordinate.
const LEADCOIN_RHO_COMMITMENT_X_OFFSET: usize = 4;
/// public input offset for rho commitment y coordinate.
const LEADCOIN_RHO_COMMITMENT_Y_OFFSET: usize = 5;
/// Public input offset for the lead coin C2 nonce /// Public input offset for the lead coin C2 nonce
const LEADCOIN_C2_NONCE_OFFSET: usize = 0; const LEADCOIN_C2_NONCE_OFFSET: usize = 6;
/// Public input offset for lead coin public key X coordinate /// Public input offset for lead coin public key X coordinate
const LEADCOIN_PK_X_OFFSET: usize = 1; const LEADCOIN_PK_X_OFFSET: usize = 7;
/// Public input offset for lead coin public key Y coordinate /// Public input offset for lead coin public key Y coordinate
const LEADCOIN_PK_Y_OFFSET: usize = 2; const LEADCOIN_PK_Y_OFFSET: usize = 8;
/// Public input offset for the lottery target lhs /// Public input offset for the lottery target lhs
const LEADCOIN_Y_BASE_OFFSET: usize = 3; const LEADCOIN_Y_BASE_OFFSET: usize = 9;
/// Derivation prefix for the nullifier PRF /// Derivation prefix for the nullifier PRF
const PRF_NULLIFIER_PREFIX: u64 = 0; const PRF_NULLIFIER_PREFIX: u64 = 0;
@@ -124,8 +136,6 @@ impl LeadConfig {
pub struct LeadContract { pub struct LeadContract {
/// Merkle path to the commitment for `coin_1` /// Merkle path to the commitment for `coin_1`
pub coin1_commit_merkle_path: Value<[MerkleNode; MERKLE_DEPTH_ORCHARD]>, pub coin1_commit_merkle_path: Value<[MerkleNode; MERKLE_DEPTH_ORCHARD]>,
/// Merkle root to the commitment of `coin_1` in the Merkle tree of commitments
pub coin1_commit_root: Value<pallas::Base>,
/// `coin_1` leaf position in the Merkle tree of coin commitments /// `coin_1` leaf position in the Merkle tree of coin commitments
pub coin1_commit_leaf_pos: Value<u32>, pub coin1_commit_leaf_pos: Value<u32>,
/// `coin_1` secret key. /// `coin_1` secret key.
@@ -143,14 +153,10 @@ pub struct LeadContract {
pub coin1_nonce: Value<pallas::Base>, pub coin1_nonce: Value<pallas::Base>,
/// Blinding factor for the commitment of `coin_1` /// Blinding factor for the commitment of `coin_1`
pub coin1_blind: Value<pallas::Scalar>, pub coin1_blind: Value<pallas::Scalar>,
/// Serial number for `coin_1`
pub coin1_serial: Value<pallas::Base>,
/// Value of `coin_1` /// Value of `coin_1`
pub coin1_value: Value<pallas::Base>, pub coin1_value: Value<pallas::Base>,
/// Blinding factor for the commitment of `coin_2` /// Blinding factor for the commitment of `coin_2`
pub coin2_blind: Value<pallas::Scalar>, pub coin2_blind: Value<pallas::Scalar>,
/// `coin_2` pedersen commitment point
pub coin2_commit: Value<pallas::Point>,
/// Random value derived from `eta` used for constraining `rho` /// Random value derived from `eta` used for constraining `rho`
pub rho_mu: Value<pallas::Scalar>, pub rho_mu: Value<pallas::Scalar>,
/// Random value derived from `eta` used for calculating `y`. /// Random value derived from `eta` used for calculating `y`.
@@ -161,8 +167,6 @@ pub struct LeadContract {
pub sigma1: Value<pallas::Base>, pub sigma1: Value<pallas::Base>,
/// Second coefficient in 2-term T (target function) approximation /// Second coefficient in 2-term T (target function) approximation
pub sigma2: Value<pallas::Base>, pub sigma2: Value<pallas::Base>,
/// Constrained nonce `rho`.
pub rho: Value<pallas::Point>,
} }
impl Circuit<pallas::Base> for LeadContract { impl Circuit<pallas::Base> for LeadContract {
@@ -339,11 +343,13 @@ impl Circuit<pallas::Base> for LeadContract {
.coin1_commit_merkle_path .coin1_commit_merkle_path
.map(|typed_path| gen_const_array(|i| typed_path[i].inner())); .map(|typed_path| gen_const_array(|i| typed_path[i].inner()));
/*
let coin1_commit_root = assign_free_advice( let coin1_commit_root = assign_free_advice(
layouter.namespace(|| "witness coin_commitment_root"), layouter.namespace(|| "witness coin_commitment_root"),
config.advices[8], config.advices[8],
self.coin1_commit_root, self.coin1_commit_root,
)?; )?;
*/
let coin1_sk = assign_free_advice( let coin1_sk = assign_free_advice(
layouter.namespace(|| "witness coin1_sk"), layouter.namespace(|| "witness coin1_sk"),
@@ -378,11 +384,13 @@ impl Circuit<pallas::Base> for LeadContract {
self.coin1_blind, self.coin1_blind,
)?; )?;
/*
let coin1_serial = assign_free_advice( let coin1_serial = assign_free_advice(
layouter.namespace(|| "witness coin1_serial"), layouter.namespace(|| "witness coin1_serial"),
config.advices[8], config.advices[8],
self.coin1_serial, self.coin1_serial,
)?; )?;
*/
let coin1_value = assign_free_advice( let coin1_value = assign_free_advice(
layouter.namespace(|| "witness coin1_value"), layouter.namespace(|| "witness coin1_value"),
@@ -396,11 +404,13 @@ impl Circuit<pallas::Base> for LeadContract {
self.coin2_blind, self.coin2_blind,
)?; )?;
/*
let coin2_commit = NonIdentityPoint::new( let coin2_commit = NonIdentityPoint::new(
ecc_chip.clone(), ecc_chip.clone(),
layouter.namespace(|| "witness coin2_commit"), layouter.namespace(|| "witness coin2_commit"),
self.coin2_commit.as_ref().map(|cm| cm.to_affine()), self.coin2_commit.as_ref().map(|cm| cm.to_affine()),
)?; )?;
*/
let rho_mu = ScalarFixed::new( let rho_mu = ScalarFixed::new(
ecc_chip.clone(), ecc_chip.clone(),
@@ -423,11 +433,13 @@ impl Circuit<pallas::Base> for LeadContract {
self.sigma2, self.sigma2,
)?; )?;
/*
let rho = NonIdentityPoint::new( let rho = NonIdentityPoint::new(
ecc_chip.clone(), ecc_chip.clone(),
layouter.namespace(|| "witness rho"), layouter.namespace(|| "witness rho"),
self.rho.as_ref().map(|cm| cm.to_affine()), self.rho.as_ref().map(|cm| cm.to_affine()),
)?; )?;
*/
let zero = assign_free_advice( let zero = assign_free_advice(
layouter.namespace(|| "witness constant zero"), layouter.namespace(|| "witness constant zero"),
@@ -670,33 +682,71 @@ impl Circuit<pallas::Base> for LeadContract {
// Constrain derived `sn_commit` to be equal to witnessed `coin1_serial`. // Constrain derived `sn_commit` to be equal to witnessed `coin1_serial`.
info!("coin1 cm root LHS: {:?}", coin1_cm_root.value()); info!("coin1 cm root LHS: {:?}", coin1_cm_root.value());
/*
info!("coin1 cm root RHS: {:?}", coin1_commit_root.value()); info!("coin1 cm root RHS: {:?}", coin1_commit_root.value());
layouter.assign_region( layouter.assign_region(
|| "coin1_cm_root equality", || "coin1_cm_root equality",
|mut region| region.constrain_equal(coin1_cm_root.cell(), coin1_commit_root.cell()), |mut region| region.constrain_equal(coin1_cm_root.cell(), coin1_commit_root.cell()),
)?;
*/
layouter.constrain_instance(
coin1_cm_root.cell(),
config.primary,
LEADCOIN_COIN1_COMMIT_ROOT_OFFSET,
)?; )?;
info!("coin1 serial commit LHS: {:?}", sn_commit.value()); info!("coin1 serial commit LHS: {:?}", sn_commit.value());
/*
info!("coin1 serial commit RHS: {:?}", coin1_serial.value()); info!("coin1 serial commit RHS: {:?}", coin1_serial.value());
layouter.assign_region( layouter.assign_region(
|| "sn_commit equality", || "sn_commit equality",
|mut region| region.constrain_equal(sn_commit.cell(), coin1_serial.cell()), |mut region| region.constrain_equal(sn_commit.cell(), coin1_serial.cell()),
)?;
*/
layouter.constrain_instance(
sn_commit.cell(),
config.primary,
LEADCOIN_COIN1_NULLIFIER_ROOT_OFFSET,
)?; )?;
info!("coin2_commit LHS: x {:?}", coin2_commitment.inner().x()); info!("coin2_commit LHS: x {:?}", coin2_commitment.inner().x());
info!("coin2_commit LHS: y {:?}", coin2_commitment.inner().y()); info!("coin2_commit LHS: y {:?}", coin2_commitment.inner().y());
// Constrain equality between witnessed and derived commitment
/*
info!("coin2_commit RHS: x {:?}", coin2_commit.inner().x()); info!("coin2_commit RHS: x {:?}", coin2_commit.inner().x());
info!("coin2_commit RHS: y {:?}", coin2_commit.inner().y()); info!("coin2_commit RHS: y {:?}", coin2_commit.inner().y());
// Constrain equality between witnessed and derived commitment
coin2_commitment coin2_commitment
.constrain_equal(layouter.namespace(|| "coin2_commit equality"), &coin2_commit)?; .constrain_equal(layouter.namespace(|| "coin2_commit equality"), &coin2_commit)?;
*/
layouter.constrain_instance(
coin2_commitment.inner().x().cell(),
config.primary,
LEADCOIN_COIN2_COMMITMENT_X_OFFSET,
)?;
layouter.constrain_instance(
coin2_commitment.inner().y().cell(),
config.primary,
LEADCOIN_COIN2_COMMITMENT_Y_OFFSET,
)?;
info!("rho commit LHS: x {:?}", rho_commit.inner().x()); info!("rho commit LHS: x {:?}", rho_commit.inner().x());
info!("rho commit LHS: y {:?}", rho_commit.inner().y()); info!("rho commit LHS: y {:?}", rho_commit.inner().y());
// Constrain derived rho_commit to witnessed rho
/*
info!("rho commit RHS: x {:?}", rho.inner().x()); info!("rho commit RHS: x {:?}", rho.inner().x());
info!("rho commit RHS: y {:?}", rho.inner().y()); info!("rho commit RHS: y {:?}", rho.inner().y());
// Constrain derived rho_commit to witnessed rho
rho_commit.constrain_equal(layouter.namespace(|| "rho equality"), &rho)?; rho_commit.constrain_equal(layouter.namespace(|| "rho equality"), &rho)?;
*/
layouter.constrain_instance(
rho_commit.inner().x().cell(),
config.primary,
LEADCOIN_RHO_COMMITMENT_X_OFFSET,
)?;
layouter.constrain_instance(
rho_commit.inner().y().cell(),
config.primary,
LEADCOIN_RHO_COMMITMENT_Y_OFFSET,
)?;
info!("coin pk: x {:?}", coin_pk.inner().x()); info!("coin pk: x {:?}", coin_pk.inner().x());
info!("coin pk: y {:?}", coin_pk.inner().y()); info!("coin pk: y {:?}", coin_pk.inner().y());
// Constrain coin's public key coordinates with public inputs // Constrain coin's public key coordinates with public inputs