blockworks-foundation
/
solana
mirror of https://github.com/blockworks-foundation/solana.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[zk-token-sdk] Add aggregate range proof instructions (#31793) 

* add aggregate range proof instructions data

* add aggregate range proof instruction

* update proof program processor for aggregate range proof instructions

* cargo fmt

* Update zk-token-sdk/src/instruction/aggregate_range_proof/aggregate_range_proof_256.rs

Co-authored-by: mvines <mvines@gmail.com>

* add remark in instruction description that context state account must be pre-allocated

* use `u64::BITS` and `u128::BITS`

* add proof description in `zk_token_proof_instruction.rs`

* rename instruction names to `VerifyBatchedRangeProofU{N}`

* rename module names from `aggregate` to `batched`

* add `tokio::test` that was lost in rebase

---------

Co-authored-by: mvines <mvines@gmail.com>
This commit is contained in:
samkim-crypto 2023-05-27 05:46:11 +09:00 committed by GitHub
parent d4baddf8e8
commit ad4d1e5ff2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 1008 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
programs/zk-token-proof-tests/tests/process_transaction.rs
View File

@ -21,7 +21,7 @@ use {
std::mem::size_of,
};
const VERIFY_INSTRUCTION_TYPES: [ProofInstruction; 7] = [
const VERIFY_INSTRUCTION_TYPES: [ProofInstruction; 10] = [
ProofInstruction::VerifyZeroBalance,
ProofInstruction::VerifyWithdraw,
ProofInstruction::VerifyCiphertextCiphertextEquality,
@ -29,6 +29,9 @@ const VERIFY_INSTRUCTION_TYPES: [ProofInstruction; 7] = [
ProofInstruction::VerifyTransferWithFee,
ProofInstruction::VerifyPubkeyValidity,
ProofInstruction::VerifyRangeProofU64,
ProofInstruction::VerifyBatchedRangeProofU64,
ProofInstruction::VerifyBatchedRangeProofU128,
ProofInstruction::VerifyBatchedRangeProofU256,
];
#[tokio::test]
@ -367,6 +370,154 @@ async fn test_range_proof_u64() {
.await;
}
#[tokio::test]
async fn test_batched_range_proof_u64() {
let amount_1 = 23_u64;
let amount_2 = 24_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let success_proof_data = BatchedRangeProofU64Data::new(
vec![&commitment_1, &commitment_2],
vec![amount_1, amount_2],
vec![32, 32],
vec![&opening_1, &opening_2],
)
.unwrap();
let incorrect_opening = PedersenOpening::new_rand();
let fail_proof_data = BatchedRangeProofU64Data::new(
vec![&commitment_1, &commitment_2],
vec![amount_1, amount_2],
vec![32, 32],
vec![&opening_1, &incorrect_opening],
)
.unwrap();
test_verify_proof_without_context(
ProofInstruction::VerifyBatchedRangeProofU64,
&success_proof_data,
&fail_proof_data,
)
.await;
test_verify_proof_with_context(
ProofInstruction::VerifyBatchedRangeProofU64,
size_of::<ProofContextState<BatchedRangeProofContext>>(),
&success_proof_data,
&fail_proof_data,
)
.await;
test_close_context_state(
ProofInstruction::VerifyBatchedRangeProofU64,
size_of::<ProofContextState<BatchedRangeProofContext>>(),
&success_proof_data,
)
.await;
}
#[tokio::test]
async fn test_batched_range_proof_u128() {
let amount_1 = 23_u64;
let amount_2 = 24_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let success_proof_data = BatchedRangeProofU128Data::new(
vec![&commitment_1, &commitment_2],
vec![amount_1, amount_2],
vec![64, 64],
vec![&opening_1, &opening_2],
)
.unwrap();
let incorrect_opening = PedersenOpening::new_rand();
let fail_proof_data = BatchedRangeProofU128Data::new(
vec![&commitment_1, &commitment_2],
vec![amount_1, amount_2],
vec![64, 64],
vec![&opening_1, &incorrect_opening],
)
.unwrap();
test_verify_proof_without_context(
ProofInstruction::VerifyBatchedRangeProofU128,
&success_proof_data,
&fail_proof_data,
)
.await;
test_verify_proof_with_context(
ProofInstruction::VerifyBatchedRangeProofU128,
size_of::<ProofContextState<BatchedRangeProofContext>>(),
&success_proof_data,
&fail_proof_data,
)
.await;
test_close_context_state(
ProofInstruction::VerifyBatchedRangeProofU128,
size_of::<ProofContextState<BatchedRangeProofContext>>(),
&success_proof_data,
)
.await;
}
#[tokio::test]
async fn test_batched_range_proof_u256() {
let amount_1 = 23_u64;
let amount_2 = 24_u64;
let amount_3 = 25_u64;
let amount_4 = 26_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let (commitment_3, opening_3) = Pedersen::new(amount_3);
let (commitment_4, opening_4) = Pedersen::new(amount_4);
let success_proof_data = BatchedRangeProofU256Data::new(
vec![&commitment_1, &commitment_2, &commitment_3, &commitment_4],
vec![amount_1, amount_2, amount_3, amount_4],
vec![64, 64, 64, 64],
vec![&opening_1, &opening_2, &opening_3, &opening_4],
)
.unwrap();
let incorrect_opening = PedersenOpening::new_rand();
let fail_proof_data = BatchedRangeProofU256Data::new(
vec![&commitment_1, &commitment_2, &commitment_3, &commitment_4],
vec![amount_1, amount_2, amount_3, amount_4],
vec![64, 64, 64, 64],
vec![&opening_1, &opening_2, &opening_3, &incorrect_opening],
)
.unwrap();
test_verify_proof_without_context(
ProofInstruction::VerifyBatchedRangeProofU256,
&success_proof_data,
&fail_proof_data,
)
.await;
test_verify_proof_with_context(
ProofInstruction::VerifyBatchedRangeProofU256,
size_of::<ProofContextState<BatchedRangeProofContext>>(),
&success_proof_data,
&fail_proof_data,
)
.await;
test_close_context_state(
ProofInstruction::VerifyBatchedRangeProofU256,
size_of::<ProofContextState<BatchedRangeProofContext>>(),
&success_proof_data,
)
.await;
}
async fn test_verify_proof_without_context<T, U>(
proof_instruction: ProofInstruction,
success_proof_data: &T,

33
programs/zk-token-proof/src/lib.rs
View File

@ -201,5 +201,38 @@ declare_process_instruction!(process_instruction, 0, |invoke_context| {
ic_msg!(invoke_context, "VerifyRangeProof");
process_verify_proof::<RangeProofU64Data, RangeProofContext>(invoke_context)
}
ProofInstruction::VerifyBatchedRangeProofU64 => {
if native_programs_consume_cu {
invoke_context
.consume_checked(111_478)
.map_err(|_| InstructionError::ComputationalBudgetExceeded)?;
}
ic_msg!(invoke_context, "VerifyBatchedRangeProof64");
process_verify_proof::<BatchedRangeProofU64Data, BatchedRangeProofContext>(
invoke_context,
)
}
ProofInstruction::VerifyBatchedRangeProofU128 => {
if native_programs_consume_cu {
invoke_context
.consume_checked(204_512)
.map_err(|_| InstructionError::ComputationalBudgetExceeded)?;
}
ic_msg!(invoke_context, "VerifyBatchedRangeProof128");
process_verify_proof::<BatchedRangeProofU128Data, BatchedRangeProofContext>(
invoke_context,
)
}
ProofInstruction::VerifyBatchedRangeProofU256 => {
if native_programs_consume_cu {
invoke_context
.consume_checked(368_000)
.map_err(|_| InstructionError::ComputationalBudgetExceeded)?;
}
ic_msg!(invoke_context, "VerifyBatchedRangeProof256");
process_verify_proof::<BatchedRangeProofU256Data, BatchedRangeProofContext>(
invoke_context,
)
}
}
});

188
zk-token-sdk/src/instruction/batched_range_proof/batched_range_proof_u128.rs Normal file
View File

@ -0,0 +1,188 @@
//! The 128-bit batched range proof instruction.
#[cfg(not(target_os = "solana"))]
use {
crate::{
encryption::pedersen::{PedersenCommitment, PedersenOpening},
errors::ProofError,
range_proof::RangeProof,
},
std::convert::TryInto,
};
use {
crate::{
instruction::{batched_range_proof::BatchedRangeProofContext, ProofType, ZkProofData},
zk_token_elgamal::pod,
},
bytemuck::{Pod, Zeroable},
};
/// The instruction data that is needed for the
/// `ProofInstruction::VerifyBatchedRangeProof128` instruction.
///
/// It includes the cryptographic proof as well as the context data information needed to verify
/// the proof.
#[derive(Clone, Copy, Pod, Zeroable)]
#[repr(C)]
pub struct BatchedRangeProofU128Data {
/// The context data for a batched range proof
pub context: BatchedRangeProofContext,
/// The batched range proof
pub proof: pod::RangeProof128,
}
#[cfg(not(target_os = "solana"))]
impl BatchedRangeProofU128Data {
pub fn new(
commitments: Vec<&PedersenCommitment>,
amounts: Vec<u64>,
bit_lengths: Vec<usize>,
openings: Vec<&PedersenOpening>,
) -> Result<Self, ProofError> {
// the sum of the bit lengths must be 64
let batched_bit_length = bit_lengths
.iter()
.try_fold(0_usize, |acc, &x| acc.checked_add(x))
.ok_or(ProofError::Generation)?;
// `u64::BITS` is 128, which fits in a single byte and should not overflow to `usize` for
// an overwhelming number of platforms. However, to be extra cautious, use `try_from` and
// `unwrap` here. A simple case `u128::BITS as usize` can silently overflow.
let expected_bit_length = usize::try_from(u128::BITS).unwrap();
if batched_bit_length != expected_bit_length {
return Err(ProofError::Generation);
}
let context =
BatchedRangeProofContext::new(&commitments, &amounts, &bit_lengths, &openings)?;
let mut transcript = context.new_transcript();
let proof = RangeProof::new(amounts, bit_lengths, openings, &mut transcript).try_into()?;
Ok(Self { context, proof })
}
}
impl ZkProofData<BatchedRangeProofContext> for BatchedRangeProofU128Data {
const PROOF_TYPE: ProofType = ProofType::BatchedRangeProofU128;
fn context_data(&self) -> &BatchedRangeProofContext {
&self.context
}
#[cfg(not(target_os = "solana"))]
fn verify_proof(&self) -> Result<(), ProofError> {
let (commitments, bit_lengths) = self.context.try_into()?;
let mut transcript = self.context_data().new_transcript();
let proof: RangeProof = self.proof.try_into()?;
proof
.verify(commitments.iter().collect(), bit_lengths, &mut transcript)
.map_err(|e| e.into())
}
}
#[cfg(test)]
mod test {
use {
super::*,
crate::{
encryption::pedersen::Pedersen,
errors::{ProofType, ProofVerificationError},
},
};
#[test]
fn test_batched_range_proof_u128_instruction_correctness() {
let amount_1 = 65535_u64;
let amount_2 = 77_u64;
let amount_3 = 99_u64;
let amount_4 = 99_u64;
let amount_5 = 11_u64;
let amount_6 = 33_u64;
let amount_7 = 99_u64;
let amount_8 = 99_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let (commitment_3, opening_3) = Pedersen::new(amount_3);
let (commitment_4, opening_4) = Pedersen::new(amount_4);
let (commitment_5, opening_5) = Pedersen::new(amount_5);
let (commitment_6, opening_6) = Pedersen::new(amount_6);
let (commitment_7, opening_7) = Pedersen::new(amount_7);
let (commitment_8, opening_8) = Pedersen::new(amount_8);
let proof_data = BatchedRangeProofU128Data::new(
vec![
&commitment_1,
&commitment_2,
&commitment_3,
&commitment_4,
&commitment_5,
&commitment_6,
&commitment_7,
&commitment_8,
],
vec![
amount_1, amount_2, amount_3, amount_4, amount_5, amount_6, amount_7, amount_8,
],
vec![16, 16, 16, 16, 16, 16, 16, 16],
vec![
&opening_1, &opening_2, &opening_3, &opening_4, &opening_5, &opening_6, &opening_7,
&opening_8,
],
)
.unwrap();
assert!(proof_data.verify_proof().is_ok());
let amount_1 = 65536_u64; // not representable as an 8-bit number
let amount_2 = 77_u64;
let amount_3 = 99_u64;
let amount_4 = 99_u64;
let amount_5 = 11_u64;
let amount_6 = 33_u64;
let amount_7 = 99_u64;
let amount_8 = 99_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let (commitment_3, opening_3) = Pedersen::new(amount_3);
let (commitment_4, opening_4) = Pedersen::new(amount_4);
let (commitment_5, opening_5) = Pedersen::new(amount_5);
let (commitment_6, opening_6) = Pedersen::new(amount_6);
let (commitment_7, opening_7) = Pedersen::new(amount_7);
let (commitment_8, opening_8) = Pedersen::new(amount_8);
let proof_data = BatchedRangeProofU128Data::new(
vec![
&commitment_1,
&commitment_2,
&commitment_3,
&commitment_4,
&commitment_5,
&commitment_6,
&commitment_7,
&commitment_8,
],
vec![
amount_1, amount_2, amount_3, amount_4, amount_5, amount_6, amount_7, amount_8,
],
vec![16, 16, 16, 16, 16, 16, 16, 16],
vec![
&opening_1, &opening_2, &opening_3, &opening_4, &opening_5, &opening_6, &opening_7,
&opening_8,
],
)
.unwrap();
assert_eq!(
proof_data.verify_proof().unwrap_err(),
ProofError::VerificationError(
ProofType::RangeProof,
ProofVerificationError::AlgebraicRelation
),
);
}
}

186
zk-token-sdk/src/instruction/batched_range_proof/batched_range_proof_u256.rs Normal file
View File

@ -0,0 +1,186 @@
//! The 256-bit batched range proof instruction.
#[cfg(not(target_os = "solana"))]
use {
crate::{
encryption::pedersen::{PedersenCommitment, PedersenOpening},
errors::ProofError,
range_proof::RangeProof,
},
std::convert::TryInto,
};
use {
crate::{
instruction::{batched_range_proof::BatchedRangeProofContext, ProofType, ZkProofData},
zk_token_elgamal::pod,
},
bytemuck::{Pod, Zeroable},
};
#[cfg(not(target_os = "solana"))]
const BATCHED_RANGE_PROOF_U256_BIT_LENGTH: usize = 256;
/// The instruction data that is needed for the
/// `ProofInstruction::BatchedRangeProofU256Data` instruction.
///
/// It includes the cryptographic proof as well as the context data information needed to verify
/// the proof.
#[derive(Clone, Copy, Pod, Zeroable)]
#[repr(C)]
pub struct BatchedRangeProofU256Data {
/// The context data for a batched range proof
pub context: BatchedRangeProofContext,
/// The batched range proof
pub proof: pod::RangeProof256,
}
#[cfg(not(target_os = "solana"))]
impl BatchedRangeProofU256Data {
pub fn new(
commitments: Vec<&PedersenCommitment>,
amounts: Vec<u64>,
bit_lengths: Vec<usize>,
openings: Vec<&PedersenOpening>,
) -> Result<Self, ProofError> {
// the sum of the bit lengths must be 64
let batched_bit_length = bit_lengths
.iter()
.try_fold(0_usize, |acc, &x| acc.checked_add(x))
.ok_or(ProofError::Generation)?;
if batched_bit_length != BATCHED_RANGE_PROOF_U256_BIT_LENGTH {
return Err(ProofError::Generation);
}
let context =
BatchedRangeProofContext::new(&commitments, &amounts, &bit_lengths, &openings)?;
let mut transcript = context.new_transcript();
let proof = RangeProof::new(amounts, bit_lengths, openings, &mut transcript).try_into()?;
Ok(Self { context, proof })
}
}
impl ZkProofData<BatchedRangeProofContext> for BatchedRangeProofU256Data {
const PROOF_TYPE: ProofType = ProofType::BatchedRangeProofU256;
fn context_data(&self) -> &BatchedRangeProofContext {
&self.context
}
#[cfg(not(target_os = "solana"))]
fn verify_proof(&self) -> Result<(), ProofError> {
let (commitments, bit_lengths) = self.context.try_into()?;
let mut transcript = self.context_data().new_transcript();
let proof: RangeProof = self.proof.try_into()?;
proof
.verify(commitments.iter().collect(), bit_lengths, &mut transcript)
.map_err(|e| e.into())
}
}
#[cfg(test)]
mod test {
use {
super::*,
crate::{
encryption::pedersen::Pedersen,
errors::{ProofType, ProofVerificationError},
},
};
#[test]
fn test_batched_range_proof_256_instruction_correctness() {
let amount_1 = 4294967295_u64;
let amount_2 = 77_u64;
let amount_3 = 99_u64;
let amount_4 = 99_u64;
let amount_5 = 11_u64;
let amount_6 = 33_u64;
let amount_7 = 99_u64;
let amount_8 = 99_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let (commitment_3, opening_3) = Pedersen::new(amount_3);
let (commitment_4, opening_4) = Pedersen::new(amount_4);
let (commitment_5, opening_5) = Pedersen::new(amount_5);
let (commitment_6, opening_6) = Pedersen::new(amount_6);
let (commitment_7, opening_7) = Pedersen::new(amount_7);
let (commitment_8, opening_8) = Pedersen::new(amount_8);
let proof_data = BatchedRangeProofU256Data::new(
vec![
&commitment_1,
&commitment_2,
&commitment_3,
&commitment_4,
&commitment_5,
&commitment_6,
&commitment_7,
&commitment_8,
],
vec![
amount_1, amount_2, amount_3, amount_4, amount_5, amount_6, amount_7, amount_8,
],
vec![32, 32, 32, 32, 32, 32, 32, 32],
vec![
&opening_1, &opening_2, &opening_3, &opening_4, &opening_5, &opening_6, &opening_7,
&opening_8,
],
)
.unwrap();
assert!(proof_data.verify_proof().is_ok());
let amount_1 = 4294967296_u64; // not representable as an 8-bit number
let amount_2 = 77_u64;
let amount_3 = 99_u64;
let amount_4 = 99_u64;
let amount_5 = 11_u64;
let amount_6 = 33_u64;
let amount_7 = 99_u64;
let amount_8 = 99_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let (commitment_3, opening_3) = Pedersen::new(amount_3);
let (commitment_4, opening_4) = Pedersen::new(amount_4);
let (commitment_5, opening_5) = Pedersen::new(amount_5);
let (commitment_6, opening_6) = Pedersen::new(amount_6);
let (commitment_7, opening_7) = Pedersen::new(amount_7);
let (commitment_8, opening_8) = Pedersen::new(amount_8);
let proof_data = BatchedRangeProofU256Data::new(
vec![
&commitment_1,
&commitment_2,
&commitment_3,
&commitment_4,
&commitment_5,
&commitment_6,
&commitment_7,
&commitment_8,
],
vec![
amount_1, amount_2, amount_3, amount_4, amount_5, amount_6, amount_7, amount_8,
],
vec![32, 32, 32, 32, 32, 32, 32, 32],
vec![
&opening_1, &opening_2, &opening_3, &opening_4, &opening_5, &opening_6, &opening_7,
&opening_8,
],
)
.unwrap();
assert_eq!(
proof_data.verify_proof().unwrap_err(),
ProofError::VerificationError(
ProofType::RangeProof,
ProofVerificationError::AlgebraicRelation
),
);
}
}

188
zk-token-sdk/src/instruction/batched_range_proof/batched_range_proof_u64.rs Normal file
View File

@ -0,0 +1,188 @@
//! The 64-bit batched range proof instruction.
#[cfg(not(target_os = "solana"))]
use {
crate::{
encryption::pedersen::{PedersenCommitment, PedersenOpening},
errors::ProofError,
range_proof::RangeProof,
},
std::convert::TryInto,
};
use {
crate::{
instruction::{batched_range_proof::BatchedRangeProofContext, ProofType, ZkProofData},
zk_token_elgamal::pod,
},
bytemuck::{Pod, Zeroable},
};
/// The instruction data that is needed for the
/// `ProofInstruction::VerifyBatchedRangeProof64` instruction.
///
/// It includes the cryptographic proof as well as the context data information needed to verify
/// the proof.
#[derive(Clone, Copy, Pod, Zeroable)]
#[repr(C)]
pub struct BatchedRangeProofU64Data {
/// The context data for a batched range proof
pub context: BatchedRangeProofContext,
/// The batched range proof
pub proof: pod::RangeProof64,
}
#[cfg(not(target_os = "solana"))]
impl BatchedRangeProofU64Data {
pub fn new(
commitments: Vec<&PedersenCommitment>,
amounts: Vec<u64>,
bit_lengths: Vec<usize>,
openings: Vec<&PedersenOpening>,
) -> Result<Self, ProofError> {
// the sum of the bit lengths must be 64
let batched_bit_length = bit_lengths
.iter()
.try_fold(0_usize, |acc, &x| acc.checked_add(x))
.ok_or(ProofError::Generation)?;
// `u64::BITS` is 64, which fits in a single byte and should not overflow to `usize` for an
// overwhelming number of platforms. However, to be extra cautious, use `try_from` and
// `unwrap` here. A simple case `u64::BITS as usize` can silently overflow.
let expected_bit_length = usize::try_from(u64::BITS).unwrap();
if batched_bit_length != expected_bit_length {
return Err(ProofError::Generation);
}
let context =
BatchedRangeProofContext::new(&commitments, &amounts, &bit_lengths, &openings)?;
let mut transcript = context.new_transcript();
let proof = RangeProof::new(amounts, bit_lengths, openings, &mut transcript).try_into()?;
Ok(Self { context, proof })
}
}
impl ZkProofData<BatchedRangeProofContext> for BatchedRangeProofU64Data {
const PROOF_TYPE: ProofType = ProofType::BatchedRangeProofU64;
fn context_data(&self) -> &BatchedRangeProofContext {
&self.context
}
#[cfg(not(target_os = "solana"))]
fn verify_proof(&self) -> Result<(), ProofError> {
let (commitments, bit_lengths) = self.context.try_into()?;
let mut transcript = self.context_data().new_transcript();
let proof: RangeProof = self.proof.try_into()?;
proof
.verify(commitments.iter().collect(), bit_lengths, &mut transcript)
.map_err(|e| e.into())
}
}
#[cfg(test)]
mod test {
use {
super::*,
crate::{
encryption::pedersen::Pedersen,
errors::{ProofType, ProofVerificationError},
},
};
#[test]
fn test_batched_range_proof_u64_instruction_correctness() {
let amount_1 = 255_u64;
let amount_2 = 77_u64;
let amount_3 = 99_u64;
let amount_4 = 99_u64;
let amount_5 = 11_u64;
let amount_6 = 33_u64;
let amount_7 = 99_u64;
let amount_8 = 99_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let (commitment_3, opening_3) = Pedersen::new(amount_3);
let (commitment_4, opening_4) = Pedersen::new(amount_4);
let (commitment_5, opening_5) = Pedersen::new(amount_5);
let (commitment_6, opening_6) = Pedersen::new(amount_6);
let (commitment_7, opening_7) = Pedersen::new(amount_7);
let (commitment_8, opening_8) = Pedersen::new(amount_8);
let proof_data = BatchedRangeProofU64Data::new(
vec![
&commitment_1,
&commitment_2,
&commitment_3,
&commitment_4,
&commitment_5,
&commitment_6,
&commitment_7,
&commitment_8,
],
vec![
amount_1, amount_2, amount_3, amount_4, amount_5, amount_6, amount_7, amount_8,
],
vec![8, 8, 8, 8, 8, 8, 8, 8],
vec![
&opening_1, &opening_2, &opening_3, &opening_4, &opening_5, &opening_6, &opening_7,
&opening_8,
],
)
.unwrap();
assert!(proof_data.verify_proof().is_ok());
let amount_1 = 256_u64; // not representable as an 8-bit number
let amount_2 = 77_u64;
let amount_3 = 99_u64;
let amount_4 = 99_u64;
let amount_5 = 11_u64;
let amount_6 = 33_u64;
let amount_7 = 99_u64;
let amount_8 = 99_u64;
let (commitment_1, opening_1) = Pedersen::new(amount_1);
let (commitment_2, opening_2) = Pedersen::new(amount_2);
let (commitment_3, opening_3) = Pedersen::new(amount_3);
let (commitment_4, opening_4) = Pedersen::new(amount_4);
let (commitment_5, opening_5) = Pedersen::new(amount_5);
let (commitment_6, opening_6) = Pedersen::new(amount_6);
let (commitment_7, opening_7) = Pedersen::new(amount_7);
let (commitment_8, opening_8) = Pedersen::new(amount_8);
let proof_data = BatchedRangeProofU64Data::new(
vec![
&commitment_1,
&commitment_2,
&commitment_3,
&commitment_4,
&commitment_5,
&commitment_6,
&commitment_7,
&commitment_8,
],
vec![
amount_1, amount_2, amount_3, amount_4, amount_5, amount_6, amount_7, amount_8,
],
vec![8, 8, 8, 8, 8, 8, 8, 8],
vec![
&opening_1, &opening_2, &opening_3, &opening_4, &opening_5, &opening_6, &opening_7,
&opening_8,
],
)
.unwrap();
assert_eq!(
proof_data.verify_proof().unwrap_err(),
ProofError::VerificationError(
ProofType::RangeProof,
ProofVerificationError::AlgebraicRelation
),
);
}
}

121
zk-token-sdk/src/instruction/batched_range_proof/mod.rs Normal file
View File

@ -0,0 +1,121 @@
//! The batched range proof instructions.
//!
//! A batched range proof is defined with respect to a sequence of commitments `[C_1, ..., C_N]`
//! and bit-lengths `[n_1, ..., n_N]`. It certifies that each `C_i` is a commitment to a number of
//! bit-length `n_i`.
//!
//! There are three batched range proof instructions: `VerifyBatchedRangeProof64`,
//! `VerifyBatchedRangeProof128`, and `VerifyBatchedRangeProof256`. The value `N` in
//! `VerifyBatchedRangeProof{N}` specifies the sum of the bit-lengths that the proof is certifying
//! for a sequence of commitments.
//!
//! For example to generate a batched range proof on a sequence of commitments `[C_1, C_2, C_3]` on
//! a sequence of bit-lengths `[32, 32, 64]`, one must use `VerifyBatchedRangeProof128` as 128 is
//! the sum of all bit-lengths.
//!
//! The maximum number of commitments is fixed at 8. Each bit-length in `[n_1, ..., n_N]` must be a
//! power-of-two positive integer less than 256.
pub mod batched_range_proof_u128;
pub mod batched_range_proof_u256;
pub mod batched_range_proof_u64;
use {
crate::zk_token_elgamal::pod,
bytemuck::{Pod, Zeroable},
};
#[cfg(not(target_os = "solana"))]
use {
crate::{
encryption::pedersen::{PedersenCommitment, PedersenOpening},
errors::ProofError,
},
bytemuck::bytes_of,
curve25519_dalek::traits::IsIdentity,
merlin::Transcript,
std::convert::TryInto,
};
const MAX_COMMITMENTS: usize = 8;
/// The context data needed to verify a range-proof for a Pedersen committed value.
///
/// The context data is shared by all `VerifyBatchedRangeProof{N}` instructions.
#[derive(Clone, Copy, Pod, Zeroable)]
#[repr(C)]
pub struct BatchedRangeProofContext {
pub commitments: [pod::PedersenCommitment; MAX_COMMITMENTS],
pub bit_lengths: [u8; MAX_COMMITMENTS],
}
#[allow(non_snake_case)]
#[cfg(not(target_os = "solana"))]
impl BatchedRangeProofContext {
fn new_transcript(&self) -> Transcript {
let mut transcript = Transcript::new(b"BatchedRangeProof");
transcript.append_message(b"commitments", bytes_of(&self.commitments));
transcript.append_message(b"bit-legnths", bytes_of(&self.bit_lengths));
transcript
}
fn new(
commitments: &Vec<&PedersenCommitment>,
amounts: &Vec<u64>,
bit_lengths: &Vec<usize>,
openings: &Vec<&PedersenOpening>,
) -> Result<Self, ProofError> {
// the number of commitments is capped at 8
let num_commitments = commitments.len();
if num_commitments > MAX_COMMITMENTS
|| num_commitments != amounts.len()
|| num_commitments != bit_lengths.len()
|| num_commitments != openings.len()
{
return Err(ProofError::Generation);
}
let mut pod_commitments = [pod::PedersenCommitment::zeroed(); MAX_COMMITMENTS];
for (i, commitment) in commitments.iter().enumerate() {
// all-zero commitment is invalid
if commitment.get_point().is_identity() {
return Err(ProofError::Generation);
}
pod_commitments[i] = pod::PedersenCommitment(commitment.to_bytes());
}
let mut pod_bit_lengths = [0; MAX_COMMITMENTS];
for (i, bit_length) in bit_lengths.iter().enumerate() {
pod_bit_lengths[i] = (*bit_length)
.try_into()
.map_err(|_| ProofError::Generation)?;
}
Ok(BatchedRangeProofContext {
commitments: pod_commitments,
bit_lengths: pod_bit_lengths,
})
}
}
#[cfg(not(target_os = "solana"))]
impl TryInto<(Vec<PedersenCommitment>, Vec<usize>)> for BatchedRangeProofContext {
type Error = ProofError;
fn try_into(self) -> Result<(Vec<PedersenCommitment>, Vec<usize>), Self::Error> {
let commitments = self
.commitments
.into_iter()
.take_while(|commitment| *commitment != pod::PedersenCommitment::zeroed())
.map(|commitment| commitment.try_into())
.collect::<Result<Vec<PedersenCommitment>, _>>()?;
let bit_lengths: Vec<_> = self
.bit_lengths
.into_iter()
.take(commitments.len())
.map(|bit_length| bit_length as usize)
.collect();
Ok((commitments, bit_lengths))
}
}

9
zk-token-sdk/src/instruction/mod.rs
View File

@ -1,3 +1,4 @@
pub mod batched_range_proof;
pub mod ctxt_ctxt_equality;
pub mod pubkey_validity;
pub mod range_proof;
@ -19,6 +20,11 @@ use {
curve25519_dalek::scalar::Scalar,
};
pub use {
batched_range_proof::{
batched_range_proof_u128::BatchedRangeProofU128Data,
batched_range_proof_u256::BatchedRangeProofU256Data,
batched_range_proof_u64::BatchedRangeProofU64Data, BatchedRangeProofContext,
},
bytemuck::Pod,
ctxt_ctxt_equality::{
CiphertextCiphertextEqualityProofContext, CiphertextCiphertextEqualityProofData,
@ -43,6 +49,9 @@ pub enum ProofType {
TransferWithFee,
PubkeyValidity,
RangeProofU64,
BatchedRangeProofU64,
BatchedRangeProofU128,
BatchedRangeProofU256,
}
pub trait ZkProofData<T: Pod> {

137
zk-token-sdk/src/zk_token_proof_instruction.rs
View File

@ -27,7 +27,10 @@ pub enum ProofInstruction {
/// Verify a zero-balance proof.
///
/// This instruction can be configured to optionally create a proof context state account.
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<ZeroBalanceProofContext>` and assigned to the ZkToken proof program
/// prior to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
@ -45,7 +48,10 @@ pub enum ProofInstruction {
/// Verify a withdraw zero-knowledge proof.
///
/// This instruction can be configured to optionally create a proof context state account.
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<WithdrawProofContext>` and assigned to the ZkToken proof program prior
/// to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
@ -63,7 +69,10 @@ pub enum ProofInstruction {
/// Verify a ciphertext-ciphertext equality proof.
///
/// This instruction can be configured to optionally create a proof context state account.
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<CiphertextCiphertextEqualityProofContext>` and assigned to the ZkToken
/// proof program prior to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
@ -81,7 +90,10 @@ pub enum ProofInstruction {
/// Verify a transfer zero-knowledge proof.
///
/// This instruction can be configured to optionally create a proof context state account.
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<TransferProofContext>` and assigned to the ZkToken proof program prior
/// to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
@ -99,7 +111,10 @@ pub enum ProofInstruction {
/// Verify a transfer with fee zero-knowledge proof.
///
/// This instruction can be configured to optionally create a proof context state account.
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<TransferWithFeeProofContext>` and assigned to the ZkToken proof program
/// prior to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
@ -117,7 +132,10 @@ pub enum ProofInstruction {
/// Verify a pubkey validity zero-knowledge proof.
///
/// This instruction can be configured to optionally create a proof context state account.
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<PubkeyValidityProofContext>` and assigned to the ZkToken proof program
/// prior to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
@ -156,6 +174,87 @@ pub enum ProofInstruction {
/// `RangeProofU64Data`
///
VerifyRangeProofU64,
/// Verify a 64-bit batched range proof.
///
/// A batched range proof is defined with respect to a sequence of Pedersen commitments `[C_1,
/// ..., C_N]` and bit-lengths `[n_1, ..., n_N]`. It certifies that each commitment `C_i` is a
/// commitment to a positive number of bit-length `n_i`. Batch verifying range proofs is more
/// efficient than verifying independent range proofs on commitments `C_1, ..., C_N`
/// separately.
///
/// The bit-length of a batched range proof specifies the sum of the individual bit-lengths
/// `n_1, ..., n_N`. For example, this instruction can be used to certify that two commitments
/// `C_1` and `C_2` each hold positive 32-bit numbers.
///
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<BatchedRangeProofContext>` and assigned to the ZkToken proof program
/// prior to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
/// * Creating a proof context account
/// 0. `[writable]` The proof context account
/// 1. `[]` The proof context account owner
///
/// * Otherwise
/// None
///
/// Data expected by this instruction:
/// `BatchedRangeProof64Data`
///
VerifyBatchedRangeProofU64,
/// Verify 128-bit batched range proof.
///
/// The bit-length of a batched range proof specifies the sum of the individual bit-lengths
/// `n_1, ..., n_N`. For example, this instruction can be used to certify that two commitments
/// `C_1` and `C_2` each hold positive 64-bit numbers.
///
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<BatchedRangeProofContext>` and assigned to the ZkToken proof program
/// prior to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
/// * Creating a proof context account
/// 0. `[writable]` The proof context account
/// 1. `[]` The proof context account owner
///
/// * Otherwise
/// None
///
/// Data expected by this instruction:
/// `BatchedRangeProof128Data`
///
VerifyBatchedRangeProofU128,
/// Verify 256-bit batched range proof.
///
/// The bit-length of a batched range proof specifies the sum of the individual bit-lengths
/// `n_1, ..., n_N`. For example, this instruction can be used to certify that four commitments
/// `[C_1, C_2, C_3, C_4]` each hold positive 64-bit numbers.
///
/// This instruction can be configured to optionally initialize a proof context state account.
/// If creating a context state account, an account must be pre-allocated to the exact size of
/// `ProofContextState<BatchedRangeProofContext>` and assigned to the ZkToken proof program
/// prior to the execution of this instruction.
///
/// Accounts expected by this instruction:
///
/// * Creating a proof context account
/// 0. `[writable]` The proof context account
/// 1. `[]` The proof context account owner
///
/// * Otherwise
/// None
///
/// Data expected by this instruction:
/// `BatchedRangeProof256Data`
///
VerifyBatchedRangeProofU256,
}
/// Pubkeys associated with a context state account to be used as parameters to functions.
@ -242,6 +341,32 @@ pub fn verify_range_proof_u64(
ProofInstruction::VerifyRangeProofU64.encode_verify_proof(context_state_info, proof_data)
}
/// Create a `VerifyBatchedRangeProofU64` instruction.
pub fn verify_batched_verify_range_proof_u64(
context_state_info: Option<ContextStateInfo>,
proof_data: &BatchedRangeProofU64Data,
) -> Instruction {
ProofInstruction::VerifyBatchedRangeProofU64.encode_verify_proof(context_state_info, proof_data)
}
/// Create a `VerifyBatchedRangeProofU128` instruction.
pub fn verify_batched_verify_range_proof_u128(
context_state_info: Option<ContextStateInfo>,
proof_data: &BatchedRangeProofU128Data,
) -> Instruction {
ProofInstruction::VerifyBatchedRangeProofU128
.encode_verify_proof(context_state_info, proof_data)
}
/// Create a `VerifyBatchedRangeProofU256` instruction.
pub fn verify_batched_verify_range_proof_u256(
context_state_info: Option<ContextStateInfo>,
proof_data: &BatchedRangeProofU256Data,
) -> Instruction {
ProofInstruction::VerifyBatchedRangeProofU256
.encode_verify_proof(context_state_info, proof_data)
}
impl ProofInstruction {
pub fn encode_verify_proof<T, U>(
&self,