include "../node_modules/circomlib/circuits/bitify.circom"; include "../node_modules/circomlib/circuits/pedersen.circom"; include "merkleTree.circom"; // computes Pedersen(nullifier + secret) template CommitmentHasher() { signal private input nullifier; signal private input secret; signal output commitment; signal output nullifierHash; component commitmentHasher = Pedersen(496); component nullifierHasher = Pedersen(248); component nullifierBits = Num2Bits(248); component secretBits = Num2Bits(248); nullifierBits.in <== nullifier; secretBits.in <== secret; for (var i = 0; i < 248; i++) { nullifierHasher.in[i] <== nullifierBits.out[i]; commitmentHasher.in[i] <== nullifierBits.out[i]; commitmentHasher.in[i + 248] <== secretBits.out[i]; } commitment <== commitmentHasher.out[0]; nullifierHash <== nullifierHasher.out[0]; } // Verifies that commitment that corresponds to given secret and nullifier is included in the merkle tree of deposits template Withdraw(levels, rounds) { signal input root; signal input nullifierHash; signal input receiver; // not taking part in any computations signal input fee; // not taking part in any computations signal private input nullifier; signal private input secret; signal private input pathElements[levels]; signal private input pathIndex[levels]; component hasher = CommitmentHasher(); hasher.nullifier <== nullifier; hasher.secret <== secret; nullifierHash === hasher.nullifierHash; component tree = MerkleTree(levels, rounds); tree.leaf <== hasher.commitment; tree.root <== root; for (var i = 0; i < levels; i++) { tree.pathElements[i] <== pathElements[i]; tree.pathIndex[i] <== pathIndex[i]; } // Add hidden signals to make sure that tampering with receiver or fee will invalidate the snark proof // Most likely it is not required, but it's better to stay on the safe side and it only takes 2 constraints // Squares are used to prevent optimizer from removing those constraints signal receiverSquare; signal feeSquare; receiverSquare <== receiver * receiver; feeSquare <== fee * fee; } component main = Withdraw(16, 220);