include "./merkleTree.circom" include "./treeUpdater.circom" include "./utils.circom" /* Utxo structure: { amount, blinding, // random number pubkey, } commitment = hash(amount, blinding, pubKey) nullifier = hash(commitment, privKey, merklePath) */ // Universal JoinSplit transaction with 2 inputs and 2 outputs template Transaction(levels, zeroLeaf) { signal input root; signal input newRoot; signal input inputNullifier[2]; signal input outputCommitment[2]; // external amount used for deposits and withdrawals // correct extAmount range is enforced on the smart contract signal input extAmount; signal input fee; signal input extDataHash; // data for 2 transaction inputs signal private input inAmount[2]; signal private input inBlinding[2]; signal private input inPrivateKey[2]; signal private input inPathIndices[2]; signal private input inPathElements[2][levels]; // data for 2 transaction outputs signal private input outAmount[2]; signal private input outBlinding[2]; signal private input outPubkey[2]; signal private input outPathIndices; signal private input outPathElements[levels - 1]; component inUtxoHasher[2]; component inKeypair[2]; component outUtxoHasher[2]; component nullifierHasher[2]; component checkRoot[2] component tree[2]; component inAmountCheck[2]; component outAmountCheck[2]; // verify correctness of transaction inputs for (var tx = 0; tx < 2; tx++) { inKeypair[tx] = Keypair(); inKeypair[tx].privateKey <== inPrivateKey[tx]; inUtxoHasher[tx] = TransactionHasher(); inUtxoHasher[tx].amount <== inAmount[tx]; inUtxoHasher[tx].blinding <== inBlinding[tx]; inUtxoHasher[tx].publicKey <== inKeypair[tx].publicKey; nullifierHasher[tx] = NullifierHasher(); nullifierHasher[tx].commitment <== inUtxoHasher[tx].commitment; nullifierHasher[tx].merklePath <== inPathIndices[tx]; nullifierHasher[tx].privateKey <== inPrivateKey[tx]; nullifierHasher[tx].nullifier === inputNullifier[tx]; tree[tx] = MerkleTree(levels); tree[tx].leaf <== inUtxoHasher[tx].commitment; tree[tx].pathIndices <== inPathIndices[tx]; for (var i = 0; i < levels; i++) { tree[tx].pathElements[i] <== inPathElements[tx][i]; } // check merkle proof only if amount is non-zero checkRoot[tx] = ForceEqualIfEnabled(); checkRoot[tx].in[0] <== root; checkRoot[tx].in[1] <== tree[tx].root; checkRoot[tx].enabled <== inAmount[tx]; // Check that amount fits into 248 bits to prevent overflow inAmountCheck[tx] = Num2Bits(248); inAmountCheck[tx].in <== inAmount[tx]; } // verify correctness of transaction outputs for (var tx = 0; tx < 2; tx++) { outUtxoHasher[tx] = TransactionHasher(); outUtxoHasher[tx].amount <== outAmount[tx]; outUtxoHasher[tx].blinding <== outBlinding[tx]; outUtxoHasher[tx].publicKey <== outPubkey[tx]; outUtxoHasher[tx].commitment === outputCommitment[tx]; // Check that amount fits into 248 bits to prevent overflow outAmountCheck[tx] = Num2Bits(248); outAmountCheck[tx].in <== outAmount[tx]; } // Check that fee fits into 248 bits to prevent overflow component feeCheck = Num2Bits(248); <== fee; component sameNullifiers = IsEqual();[0] <== inputNullifier[0];[1] <== inputNullifier[1]; sameNullifiers.out === 0; // verify amount invariant inAmount[0] + inAmount[1] + extAmount === outAmount[0] + outAmount[1] + fee; // Check merkle tree update with inserted transaction outputs component treeUpdater = TreeUpdater(levels, zeroLeaf); treeUpdater.oldRoot <== root; treeUpdater.newRoot <== newRoot; treeUpdater.leaf[0] <== outputCommitment[0]; treeUpdater.leaf[1] <== outputCommitment[1]; treeUpdater.pathIndices <== outPathIndices; for (var i = 0; i < levels - 1; i++) { treeUpdater.pathElements[i] <== outPathElements[i]; } } // zeroLeaf = Poseidon(zero, zero) // default `zero` value is keccak256("tornado") % FIELD_SIZE = 21663839004416932945382355908790599225266501822907911457504978515578255421292 component main = Transaction(5, 11850551329423159860688778991827824730037759162201783566284850822760196767874);