Simplify witness for Spend statement.
This commit is contained in:
parent
3fbbd933cf
commit
512a394b30
|
@ -30,7 +30,9 @@ use jubjub::{
|
||||||
use constants;
|
use constants;
|
||||||
|
|
||||||
use primitives::{
|
use primitives::{
|
||||||
ValueCommitment
|
ValueCommitment,
|
||||||
|
ProofGenerationKey,
|
||||||
|
PaymentAddress
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -113,21 +115,14 @@ pub struct Spend<'a, E: JubjubEngine> {
|
||||||
/// Pedersen commitment to the value being spent
|
/// Pedersen commitment to the value being spent
|
||||||
pub value_commitment: Option<ValueCommitment<E>>,
|
pub value_commitment: Option<ValueCommitment<E>>,
|
||||||
|
|
||||||
/// Key which allows the proof to be constructed
|
/// Key required to construct proofs for spending notes
|
||||||
/// as defense-in-depth against a flaw in the
|
/// for a particular spending key
|
||||||
/// protocol that would otherwise be exploitable
|
pub proof_generation_key: Option<ProofGenerationKey<E>>,
|
||||||
/// by a holder of a viewing key.
|
|
||||||
pub rsk: Option<E::Fs>,
|
|
||||||
|
|
||||||
/// The public key that will be re-randomized for
|
/// The payment address associated with the note
|
||||||
/// use as a nullifier and signing key for the
|
pub payment_address: Option<PaymentAddress<E>>,
|
||||||
/// transaction.
|
|
||||||
pub ak: Option<edwards::Point<E, PrimeOrder>>,
|
|
||||||
|
|
||||||
/// The diversified base used to compute pk_d.
|
/// The randomness of the note commitment
|
||||||
pub g_d: Option<edwards::Point<E, PrimeOrder>>,
|
|
||||||
|
|
||||||
/// The randomness used to hide the note commitment data
|
|
||||||
pub commitment_randomness: Option<E::Fs>,
|
pub commitment_randomness: Option<E::Fs>,
|
||||||
|
|
||||||
/// The authentication path of the commitment in the tree
|
/// The authentication path of the commitment in the tree
|
||||||
|
@ -149,7 +144,7 @@ impl<'a, E: JubjubEngine> Circuit<E> for Spend<'a, E> {
|
||||||
// Witness rsk as bits
|
// Witness rsk as bits
|
||||||
let rsk = boolean::field_into_boolean_vec_le(
|
let rsk = boolean::field_into_boolean_vec_le(
|
||||||
cs.namespace(|| "rsk"),
|
cs.namespace(|| "rsk"),
|
||||||
self.rsk
|
self.proof_generation_key.as_ref().map(|k| k.rsk.clone())
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
// NB: We don't ensure that the bit representation of rsk
|
// NB: We don't ensure that the bit representation of rsk
|
||||||
|
@ -169,7 +164,7 @@ impl<'a, E: JubjubEngine> Circuit<E> for Spend<'a, E> {
|
||||||
// Prover witnesses ak (ensures that it's on the curve)
|
// Prover witnesses ak (ensures that it's on the curve)
|
||||||
let ak = ecc::EdwardsPoint::witness(
|
let ak = ecc::EdwardsPoint::witness(
|
||||||
cs.namespace(|| "ak"),
|
cs.namespace(|| "ak"),
|
||||||
self.ak,
|
self.proof_generation_key.as_ref().map(|k| k.ak.clone()),
|
||||||
self.params
|
self.params
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
|
@ -226,11 +221,20 @@ impl<'a, E: JubjubEngine> Circuit<E> for Spend<'a, E> {
|
||||||
// already guaranteed this.
|
// already guaranteed this.
|
||||||
// TODO: We might as well just perform the
|
// TODO: We might as well just perform the
|
||||||
// check again here, since it's not expensive.
|
// check again here, since it's not expensive.
|
||||||
let g_d = ecc::EdwardsPoint::witness(
|
let g_d = {
|
||||||
|
// This binding is to avoid a weird edge case in Rust's
|
||||||
|
// ownership/borrowing rules. self is partially moved
|
||||||
|
// above, but the closure for and_then will have to
|
||||||
|
// move self (or a reference to self) to reference
|
||||||
|
// self.params, so we have to copy self.params here.
|
||||||
|
let params = self.params;
|
||||||
|
|
||||||
|
ecc::EdwardsPoint::witness(
|
||||||
cs.namespace(|| "witness g_d"),
|
cs.namespace(|| "witness g_d"),
|
||||||
self.g_d,
|
self.payment_address.as_ref().and_then(|a| a.g_d(params)),
|
||||||
self.params
|
self.params
|
||||||
)?;
|
)?
|
||||||
|
};
|
||||||
|
|
||||||
// Compute pk_d = g_d^ivk
|
// Compute pk_d = g_d^ivk
|
||||||
let pk_d = g_d.mul(
|
let pk_d = g_d.mul(
|
||||||
|
@ -614,9 +618,8 @@ fn test_input_circuit_with_bls12_381() {
|
||||||
let instance = Spend {
|
let instance = Spend {
|
||||||
params: params,
|
params: params,
|
||||||
value_commitment: Some(value_commitment.clone()),
|
value_commitment: Some(value_commitment.clone()),
|
||||||
rsk: Some(rsk),
|
proof_generation_key: Some(proof_generation_key.clone()),
|
||||||
ak: Some(ak),
|
payment_address: Some(payment_address.clone()),
|
||||||
g_d: Some(g_d.clone()),
|
|
||||||
commitment_randomness: Some(commitment_randomness),
|
commitment_randomness: Some(commitment_randomness),
|
||||||
auth_path: auth_path.clone()
|
auth_path: auth_path.clone()
|
||||||
};
|
};
|
||||||
|
|
|
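Review bot: In the `witness g_d` hunk, `self.payment_address.as_ref().and_then(|a| a.g_d(params))` folds two different situations into one `None`: the prover not supplying a witness (the parameter-generation/verification case) and the prover supplying an address whose diversifier does not hash to a valid point, which presumably is what `g_d` returning `Option` signals. Before this change the caller had to resolve `g_d` itself, so an invalid diversifier could not reach the circuit; now it surfaces only as a missing-assignment error from `ecc::EdwardsPoint::witness` at proving time, indistinguishable from a forgotten witness. I would add, above the `and_then`, `// NB: an address whose diversifier yields no valid g_d witnesses None here, which is indistinguishable from "not proving"; callers must validate the address before building a Spend.` and consider having the call site check `payment_address.g_d(params).is_some()` up front. Separately, the struct-field hunk drops the old rationale for why `rsk` is witnessed (defense in depth against a viewing-key holder) without carrying it over to the `proof_generation_key` doc comment; that sentence is worth keeping on the new field. The enclosing `synthesize` body starts and ends outside these hunks.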
@ -49,6 +49,7 @@ impl<E: JubjubEngine> ValueCommitment<E> {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(Clone)]
|
||||||
pub struct ProofGenerationKey<E: JubjubEngine> {
|
pub struct ProofGenerationKey<E: JubjubEngine> {
|
||||||
pub ak: edwards::Point<E, PrimeOrder>,
|
pub ak: edwards::Point<E, PrimeOrder>,
|
||||||
pub rsk: E::Fs
|
pub rsk: E::Fs
|
||||||
|
@ -119,11 +120,22 @@ impl Diversifier {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(Clone)]
|
||||||
pub struct PaymentAddress<E: JubjubEngine> {
|
pub struct PaymentAddress<E: JubjubEngine> {
|
||||||
pub pk_d: edwards::Point<E, PrimeOrder>,
|
pub pk_d: edwards::Point<E, PrimeOrder>,
|
||||||
pub diversifier: Diversifier
|
pub diversifier: Diversifier
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl<E: JubjubEngine> PaymentAddress<E> {
|
||||||
|
pub fn g_d(
|
||||||
|
&self,
|
||||||
|
params: &E::Params
|
||||||
|
) -> Option<edwards::Point<E, PrimeOrder>>
|
||||||
|
{
|
||||||
|
self.diversifier.g_d(params)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub struct Note<E: JubjubEngine> {
|
pub struct Note<E: JubjubEngine> {
|
||||||
/// The value of the note
|
/// The value of the note
|
||||||
pub value: u64,
|
pub value: u64,
|
||||||
|
|
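Review bot: The new `PaymentAddress::g_d` has no doc comment, and because it returns `Option` the meaning of `None` is the one thing a caller needs to know. I would add above `pub fn g_d(` the lines `/// The diversified base g_d for this address, computed from its diversifier.` and `/// Returns None when the diversifier does not map to a valid group element; such an address cannot be used to build a proof.` — the second sentence is inferred from `Diversifier::g_d` being `Option`-valued, which is outside the hunk, so confirm against that implementation. It is also worth noting on the struct that `pk_d` and `diversifier` are public and nothing here ties them together, so a `PaymentAddress` built by hand can carry a `pk_d` unrelated to its diversifier; the circuit recomputes `pk_d = g_d^ivk`, which presumably catches this at proving time, but a one-line comment saying so would save the next reader the search.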