tornado-nova/circuits/transaction.circom

126 lines
4.3 KiB
Plaintext
Raw Normal View History

include "../node_modules/circomlib/circuits/poseidon.circom";
include "./merkleProof.circom"
2021-10-17 13:05:01 +02:00
include "./keypair.circom"
2020-04-08 11:41:12 +02:00
/*
Utxo structure:
{
amount,
pubkey,
2021-10-30 21:14:47 +02:00
blinding, // random number
2020-04-08 11:41:12 +02:00
}
2021-10-30 21:14:47 +02:00
commitment = hash(amount, pubKey, blinding)
2021-11-01 16:14:03 +01:00
nullifier = hash(commitment, merklePath, sign(merklePath, privKey))
2020-04-08 11:41:12 +02:00
*/
// Universal JoinSplit transaction with nIns inputs and 2 outputs
2021-06-09 12:58:57 +02:00
template Transaction(levels, nIns, nOuts, zeroLeaf) {
2020-04-08 11:41:12 +02:00
signal input root;
// extAmount = external amount used for deposits and withdrawals
2020-04-08 11:41:12 +02:00
// correct extAmount range is enforced on the smart contract
2021-08-19 09:58:29 +02:00
// publicAmount = extAmount - fee
signal input publicAmount;
2021-06-07 12:12:15 +02:00
signal input extDataHash;
2020-04-08 11:41:12 +02:00
2021-06-09 12:58:57 +02:00
// data for transaction inputs
2021-06-16 13:01:29 +02:00
signal input inputNullifier[nIns];
2021-06-09 12:58:57 +02:00
signal private input inAmount[nIns];
signal private input inPrivateKey[nIns];
2021-10-30 21:14:47 +02:00
signal private input inBlinding[nIns];
2021-06-09 12:58:57 +02:00
signal private input inPathIndices[nIns];
signal private input inPathElements[nIns][levels];
// data for transaction outputs
2021-06-16 13:01:29 +02:00
signal input outputCommitment[nOuts];
2021-06-09 12:58:57 +02:00
signal private input outAmount[nOuts];
signal private input outPubkey[nOuts];
2021-10-30 21:14:47 +02:00
signal private input outBlinding[nOuts];
2020-04-08 11:41:12 +02:00
2021-06-09 12:58:57 +02:00
component inKeypair[nIns];
2021-10-30 21:35:35 +02:00
component inSignature[nIns];
2021-06-09 12:58:57 +02:00
component inUtxoHasher[nIns];
component nullifierHasher[nIns];
component tree[nIns];
component checkRoot[nIns];
var sumIns = 0;
2020-04-09 11:04:06 +02:00
2020-04-08 11:41:12 +02:00
// verify correctness of transaction inputs
2021-06-09 12:58:57 +02:00
for (var tx = 0; tx < nIns; tx++) {
inKeypair[tx] = Keypair();
inKeypair[tx].privateKey <== inPrivateKey[tx];
inUtxoHasher[tx] = Poseidon(3);
inUtxoHasher[tx].inputs[0] <== inAmount[tx];
2021-10-30 21:14:47 +02:00
inUtxoHasher[tx].inputs[1] <== inKeypair[tx].publicKey;
inUtxoHasher[tx].inputs[2] <== inBlinding[tx];
2020-04-08 11:41:12 +02:00
2021-10-30 21:35:35 +02:00
inSignature[tx] = Signature();
inSignature[tx].privateKey <== inPrivateKey[tx];
inSignature[tx].merklePath <== inPathIndices[tx];
nullifierHasher[tx] = Poseidon(3);
nullifierHasher[tx].inputs[0] <== inUtxoHasher[tx].out;
nullifierHasher[tx].inputs[1] <== inPathIndices[tx];
2021-10-30 21:35:35 +02:00
nullifierHasher[tx].inputs[2] <== inSignature[tx].out;
nullifierHasher[tx].out === inputNullifier[tx];
2020-04-08 11:41:12 +02:00
tree[tx] = MerkleProof(levels);
tree[tx].leaf <== inUtxoHasher[tx].out;
2020-04-08 11:41:12 +02:00
tree[tx].pathIndices <== inPathIndices[tx];
for (var i = 0; i < levels; i++) {
tree[tx].pathElements[i] <== inPathElements[tx][i];
}
2020-04-09 11:04:06 +02:00
2020-04-08 11:41:12 +02:00
// check merkle proof only if amount is non-zero
checkRoot[tx] = ForceEqualIfEnabled();
checkRoot[tx].in[0] <== root;
checkRoot[tx].in[1] <== tree[tx].root;
checkRoot[tx].enabled <== inAmount[tx];
2021-10-30 21:14:47 +02:00
// We don't need to range check input amounts, since all inputs are valid UTXOs that
// were already checked as outputs in the previous transaction (or zero amount UTXOs that don't
2021-08-25 12:20:48 +02:00
// need to be checked either).
2021-06-09 12:58:57 +02:00
sumIns += inAmount[tx];
2020-04-08 11:41:12 +02:00
}
2021-06-09 12:58:57 +02:00
component outUtxoHasher[nOuts];
component outAmountCheck[nOuts];
var sumOuts = 0;
2020-04-08 11:41:12 +02:00
// verify correctness of transaction outputs
2021-06-09 12:58:57 +02:00
for (var tx = 0; tx < nOuts; tx++) {
outUtxoHasher[tx] = Poseidon(3);
outUtxoHasher[tx].inputs[0] <== outAmount[tx];
2021-10-30 21:14:47 +02:00
outUtxoHasher[tx].inputs[1] <== outPubkey[tx];
outUtxoHasher[tx].inputs[2] <== outBlinding[tx];
outUtxoHasher[tx].out === outputCommitment[tx];
2020-04-08 11:41:12 +02:00
// Check that amount fits into 248 bits to prevent overflow
outAmountCheck[tx] = Num2Bits(248);
outAmountCheck[tx].in <== outAmount[tx];
2021-06-09 12:58:57 +02:00
sumOuts += outAmount[tx];
2020-04-08 11:41:12 +02:00
}
// check that there are no same nullifiers among all inputs
component sameNullifiers[nIns * (nIns - 1) / 2];
var index = 0;
for (var i = 0; i < nIns - 1; i++) {
for (var j = i + 1; j < nIns; j++) {
sameNullifiers[index] = IsEqual();
sameNullifiers[index].in[0] <== inputNullifier[i];
sameNullifiers[index].in[1] <== inputNullifier[j];
sameNullifiers[index].out === 0;
index++;
}
}
2020-04-08 11:41:12 +02:00
// verify amount invariant
2021-08-16 21:17:07 +02:00
sumIns + publicAmount === sumOuts;
2020-04-08 11:41:12 +02:00
2021-09-26 18:14:05 +02:00
// optional safety constraint to make sure extDataHash cannot be changed
2021-08-19 18:20:02 +02:00
signal extDataSquare <== extDataHash * extDataHash;
2020-04-08 11:41:12 +02:00
}