diff --git a/proof/lead.zk b/proof/lead.zk index 66cc21132..5ffc6dde5 100644 --- a/proof/lead.zk +++ b/proof/lead.zk @@ -34,60 +34,60 @@ circuit "Lead" { pk = poseidon_hash(PREFIX_PK, c1_sk_root, c1_tau, ZERO); constrain_instance(pk); # coin (2) rho/nonce - #c2_rho = poseidon_hash(PREFIX_EVL, c1_sk_root, c1_rho, ZERO); - #constrain_instance(c2_rho); + c2_rho = poseidon_hash(PREFIX_EVL, c1_sk_root, c1_rho, ZERO); + constrain_instance(c2_rho); # coin (1) cm/commitment - #c1_cm_msg = poseidon_hash(PREFIX_CM, pk, value, c1_rho); - #c1_cm_v = ec_mul_short(c1_cm_msg, VALUE_COMMIT_VALUE); - #c1_cm_r = ec_mul(c1_opening, VALUE_COMMIT_RANDOM); - #c1_cm = ec_add(c1_cm_v, c1_cm_r); - #c1_cm_x = ec_get_x(c1_cm); - #c1_cm_y = ec_get_y(c1_cm); - #c1_cm_hash = poseidon_hash(c1_cm_x, c1_cm_y); - #constrain_instance(c1_cm_x); - #constrain_instance(c1_cm_y); + c1_cm_msg = poseidon_hash(PREFIX_CM, pk, value, c1_rho); + c1_cm_v = ec_mul_base(c1_cm_msg, NULLIFIER_K); + c1_cm_r = ec_mul(c1_opening, VALUE_COMMIT_RANDOM); + c1_cm = ec_add(c1_cm_v, c1_cm_r); + c1_cm_x = ec_get_x(c1_cm); + c1_cm_y = ec_get_y(c1_cm); + c1_cm_hash = poseidon_hash(c1_cm_x, c1_cm_y); + constrain_instance(c1_cm_x); + constrain_instance(c1_cm_y); # coin (2) cm/commitment - #c2_cm_msg = poseidon_hash(PREFIX_CM, pk, value, c2_rho); - #c2_cm_v = ec_mul_short(c2_cm_msg, VALUE_COMMIT_VALUE); - #c2_cm_r = ec_mul(c2_opening, VALUE_COMMIT_RANDOM); - #c2_cm = ec_add(c2_cm_v, c2_cm_r); - #c2_cm_x = ec_get_x(c2_cm); - #c2_cm_y = ec_get_y(c2_cm); - #constrain_instance(c2_cm_x); - #constrain_instance(c2_cm_y); + c2_cm_msg = poseidon_hash(PREFIX_CM, pk, value, c2_rho); + c2_cm_v = ec_mul_base(c2_cm_msg, NULLIFIER_K); + c2_cm_r = ec_mul(c2_opening, VALUE_COMMIT_RANDOM); + c2_cm = ec_add(c2_cm_v, c2_cm_r); + c2_cm_x = ec_get_x(c2_cm); + c2_cm_y = ec_get_y(c2_cm); + constrain_instance(c2_cm_x); + constrain_instance(c2_cm_y); # root of path to burnt coin commitment at given pos - #root = merkle_root(c1_cm_pos, c1_cm_path, c1_cm_hash); - #constrain_instance(root); + root = merkle_root(c1_cm_pos, c1_cm_path, c1_cm_hash); + constrain_instance(root); # root of path at c1_sk_pos - #root_sk = merkle_root(c1_sk_pos, c1_sk_path, c1_sk); - #constrain_instance(root_sk); + root_sk = merkle_root(c1_sk_pos, c1_sk_path, c1_sk); + constrain_instance(root_sk); # coin (1) sn/nullifier - #sn = poseidon_hash(PREFIX_SN, c1_sk_root, c1_rho, ZERO); - #constrain_instance(sn); + sn = poseidon_hash(PREFIX_SN, c1_sk_root, c1_rho, ZERO); + constrain_instance(sn); # lottery seed - #seed = poseidon_hash(PREFIX_SEED, c1_sk_root, c1_rho, ZERO); + seed = poseidon_hash(PREFIX_SEED, c1_sk_root, c1_rho, ZERO); # y - #y_v = ec_mul_short(seed, VALUE_COMMIT_VALUE); - #y_r = ec_mul(y_opening, VALUE_COMMIT_RANDOM); - #y = ec_add(y_v, y_r); - #y_x = ec_get_x(y); - #y_y = ec_get_y(y); - #y_hash = poseidon_hash(y_x, y_y); - #constrain_instance(y_x); - #constrain_instance(y_y); + y_v = ec_mul_base(seed, NULLIFIER_K); + y_r = ec_mul(y_opening, VALUE_COMMIT_RANDOM); + y = ec_add(y_v, y_r); + y_x = ec_get_x(y); + y_y = ec_get_y(y); + y_hash = poseidon_hash(y_x, y_y); + constrain_instance(y_x); + constrain_instance(y_y); # rho - #rho_v = ec_mul_short(seed, VALUE_COMMIT_VALUE); - #rho_r = ec_mul(rho_opening, VALUE_COMMIT_RANDOM); - #rho = ec_add(rho_v, rho_r); - #rho_x = ec_get_x(rho); - #rho_y = ec_get_y(rho); - #constrain_instance(rho_x); - #constrain_instance(rho_y); + rho_v = ec_mul_base(seed, NULLIFIER_K); + rho_r = ec_mul(rho_opening, VALUE_COMMIT_RANDOM); + rho = ec_add(rho_v, rho_r); + rho_x = ec_get_x(rho); + rho_y = ec_get_y(rho); + constrain_instance(rho_x); + constrain_instance(rho_y); # target - #term1 = base_mul(sigma1, value); - #term2_1 = base_mul(sigma2, value); - #term2 = base_mul(term2_1, value); - #target = base_add(term1, term2); - # lottery - #less_than(y_hash, target); + term1 = base_mul(sigma1, value); + term2_1 = base_mul(sigma2, value); + term2 = base_mul(term2_1, value); + target = base_add(term1, term2); + #lottery + less_than(y_hash, target); } diff --git a/src/consensus/leadcoin.rs b/src/consensus/leadcoin.rs index 5aca51498..5acf68455 100644 --- a/src/consensus/leadcoin.rs +++ b/src/consensus/leadcoin.rs @@ -151,76 +151,69 @@ impl LeadCoin { // Merkle tree of coin commitments coin_commitment_tree: &mut BridgeTree, ) -> Self { + let zero = pallas::Base::zero(); + let one = pallas::Base::one(); + let prefix_evl = pallas::Base::from(2); + let prefix_seed = pallas::Base::from(3); + let prefix_cm = pallas::Base::from(4); + let prefix_pk = pallas::Base::from(5); + let prefix_sn = pallas::Base::from(6); // Generate random blinding values for commitments: let coin1_blind = pallas::Scalar::random(&mut OsRng); let coin2_blind = pallas::Scalar::random(&mut OsRng); - - // Derive a public key from the secret key - let public_key = PublicKey::from_secret(secret_key); - let (coin_pk_x, coin_pk_y) = public_key.xy(); - debug!("coin_pk[{}] x: {:?}", slot_index, coin_pk_x); - debug!("coin_pk[{}] y: {:?}", slot_index, coin_pk_y); - - // Derive a nullifier - let sn_msg = [ - pallas::Base::from(seed), + let tau = pallas::Base::from(slot_index as u64); + // pk + let pk_msg = [prefix_pk, coin1_sk_root.inner(), tau, zero]; + let pk = poseidon_hash(pk_msg); + // Derive the nonce for coin2 + let coin2_nonce_msg = [ + prefix_evl, coin1_sk_root.inner(), - pallas::Base::zero(), - pallas::Base::one(), + pallas::Base::from(seed), + zero, ]; - let c_sn = poseidon_hash(sn_msg); - + let coin2_seed = poseidon_hash(coin2_nonce_msg); + debug!("coin2_seed[{}]: {:?}", slot_index, coin2_seed); // Derive input for the commitment of coin1 let coin1_commit_msg = [ - pallas::Base::from(PRF_NULLIFIER_PREFIX), - coin_pk_x, - coin_pk_y, + prefix_cm, + pk, pallas::Base::from(value), pallas::Base::from(seed), - pallas::Base::one(), ]; - let coin1_commit_v = poseidon_hash(coin1_commit_msg); - // Create commitment to coin1 + let coin1_commit_v = poseidon_hash(coin1_commit_msg); let coin1_commitment = pedersen_commitment_base(coin1_commit_v, coin1_blind); // Hash its coordinates to get a base field element let c1_cm_coords = coin1_commitment.to_affine().coordinates().unwrap(); let c1_base_msg = [*c1_cm_coords.x(), *c1_cm_coords.y()]; let coin1_commitment_base = poseidon_hash(c1_base_msg); - // Append the element to the Merkle tree coin_commitment_tree.append(&MerkleNode::from(coin1_commitment_base)); let leaf_pos = coin_commitment_tree.witness().unwrap(); let coin1_commitment_root = coin_commitment_tree.root(0).unwrap(); let coin1_commitment_merkle_path = coin_commitment_tree.authentication_path(leaf_pos, &coin1_commitment_root).unwrap(); - - // Derive the nonce for coin2 - let coin2_nonce_msg = [ - pallas::Base::from(seed), - coin1_sk_root.inner(), - pallas::Base::one(), - pallas::Base::one(), - ]; - let coin2_seed = poseidon_hash(coin2_nonce_msg); - debug!("coin2_seed[{}]: {:?}", slot_index, coin2_seed); - // Derive input for the commitment of coin2 let coin2_commit_msg = [ - pallas::Base::from(PRF_NULLIFIER_PREFIX), - coin_pk_x, - coin_pk_y, + prefix_cm, + pk, pallas::Base::from(value), - coin2_seed, - pallas::Base::one(), + pallas::Base::from(coin2_seed), ]; let coin2_commit_v = poseidon_hash(coin2_commit_msg); - // Create commitment to coin2 let coin2_commitment = pedersen_commitment_base(coin2_commit_v, coin2_blind); - // Derive election seeds let (y_mu, rho_mu) = Self::election_seeds(eta, pallas::Base::from(slot_index as u64)); + // Derive a nullifier + let sn_msg = [ + prefix_sn, + coin1_sk_root.inner(), + pallas::Base::from(seed), + zero + ]; + let c_sn = poseidon_hash(sn_msg); // Return the object Self { @@ -231,7 +224,7 @@ impl LeadCoin { idx: u32::try_from(usize::from(leaf_pos)).unwrap(), sl: pallas::Base::from(slot_index as u64), // Assume tau is sl for simplicity - tau: pallas::Base::from(slot_index as u64), + tau: tau, nonce: pallas::Base::from(seed), nonce_cm: coin2_seed, sn: c_sn, @@ -270,10 +263,11 @@ impl LeadCoin { /// Create a vector of `pallas::Base` elements from the `LeadCoin` to be /// used as public inputs for the ZK proof. pub fn public_inputs(&self) -> Vec { - let prefix_evl = pallas::Base::from(2); - let prefix_pk = pallas::Base::from(4); - let prefix_pk = pallas::Base::from(5); let zero = pallas::Base::zero(); + let prefix_evl = pallas::Base::from(2); + let prefix_seed = pallas::Base::from(3); + let prefix_pk = pallas::Base::from(5); + // pk let pk_msg = [prefix_pk, self.coin1_sk_root.inner(), self.tau, zero]; let pk = poseidon_hash(pk_msg); @@ -284,7 +278,7 @@ impl LeadCoin { let c1_cm = self.coin1_commitment.to_affine().coordinates().unwrap(); let c2_cm = self.coin2_commitment.to_affine().coordinates().unwrap(); // lottery seed - let seed_msg = [self.coin1_sk_root.inner(), self.nonce]; + let seed_msg = [prefix_seed, self.coin1_sk_root.inner(), self.nonce, zero]; let seed = poseidon_hash(seed_msg); // y let y = pedersen_commitment_base(seed, mod_r_p(self.y_mu)); @@ -294,18 +288,18 @@ impl LeadCoin { let rho_coord = rho.to_affine().coordinates().unwrap(); vec![ pk, - //c2_rho, - //*c1_cm.x(), - //*c1_cm.y(), - //*c2_cm.x(), - //*c2_cm.y(), - //self.coin1_commitment_root.inner(), - //self.coin1_sk_root.inner(), - //self.sn, - //*y_coords.x(), - //*y_coords.y(), - //*rho_coord.x(), - //*rho_coord.y(), + c2_rho, + *c1_cm.x(), + *c1_cm.y(), + *c2_cm.x(), + *c2_cm.y(), + self.coin1_commitment_root.inner(), + self.coin1_sk_root.inner(), + self.sn, + *y_coords.x(), + *y_coords.y(), + *rho_coord.x(), + *rho_coord.y(), ] } diff --git a/src/zk/vm.rs b/src/zk/vm.rs index e78c8f0f7..e3d05f2b5 100644 --- a/src/zk/vm.rs +++ b/src/zk/vm.rs @@ -730,7 +730,7 @@ impl Circuit for ZkCircuit { a, b, 0, - true, + false, )?; }