arcis-compiler 0.9.4

A framework for writing secure multi-party computation (MPC) circuits to be executed on the Arcium network.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

//! Arcis implementation of <https://github.com/solana-program/zk-elgamal-proof/blob/main/zk-sdk/src/zk_elgamal_proof_program/proof_data/batched_range_proof/mod.rs>

use crate::{
    core::{
        circuits::boolean::{boolean_value::BooleanValue, byte::Byte},
        global_value::{curve_value::CurveValue, value::FieldValue},
    },
    utils::{
        field::ScalarField,
        zkp::{
            pedersen::{PedersenCommitment, PedersenOpening},
            transcript::Transcript,
        },
    },
};
use zk_elgamal_proof::encryption::PEDERSEN_COMMITMENT_LEN;

// same as zk_elgamal_proof_program::proof_data::batched_range_proof::MAX_COMMITMENTS,
// but currently not public
const MAX_COMMITMENTS: usize = 8;

pub const BATCHED_RANGE_PROOF_CONTEXT_LEN: usize =
    MAX_COMMITMENTS * PEDERSEN_COMMITMENT_LEN + MAX_COMMITMENTS;

/// A bit length in a batched range proof must be at most 64.
pub const MAX_SINGLE_BIT_LENGTH: usize = 64;

/// The context data needed to verify a range-proof for a Pedersen committed value.
///
/// The context data is shared by all `VerifyBatchedRangeProof{N}` instructions.
#[derive(Clone, Copy)]
pub struct BatchedRangeProofContext {
    pub commitments: [PedersenCommitment; MAX_COMMITMENTS],
    pub bit_lengths: [u8; MAX_COMMITMENTS],
}

impl BatchedRangeProofContext {
    pub(crate) fn new_transcript(&self) -> Transcript<BooleanValue> {
        let mut transcript = Transcript::new(b"batched-range-proof-instruction");
        transcript.append_message(
            b"commitments",
            &self
                .commitments
                .iter()
                .flat_map(|commitment| commitment.get_point().compress().to_bytes().to_vec())
                .collect::<Vec<Byte<BooleanValue>>>(),
        );
        transcript.append_message(
            b"bit-lengths",
            &self
                .bit_lengths
                .iter()
                .copied()
                .map(Byte::from)
                .collect::<Vec<Byte<BooleanValue>>>(),
        );
        transcript
    }

    // TODO: the nodes must check that none of commitments is the identity
    pub(crate) fn new(
        commitments: &[&PedersenCommitment],
        amounts: &[FieldValue<ScalarField>],
        bit_lengths: &[usize],
        openings: &[&PedersenOpening],
    ) -> Self {
        // the number of commitments is capped at 8
        let num_commitments = commitments.len();
        assert!(
            num_commitments <= MAX_COMMITMENTS
                && num_commitments == amounts.len()
                && num_commitments == bit_lengths.len()
                && num_commitments == openings.len()
        );

        let mut all_commitments = [PedersenCommitment::new(CurveValue::default()); MAX_COMMITMENTS];
        all_commitments[0..commitments.len()].copy_from_slice(
            &commitments
                .iter()
                .map(|&commitment| *commitment)
                .collect::<Vec<PedersenCommitment>>(),
        );

        let mut all_bit_lengths = [0; MAX_COMMITMENTS];
        all_bit_lengths[..bit_lengths.len()]
            .copy_from_slice(&bit_lengths.iter().map(|&b| b as u8).collect::<Vec<u8>>());

        BatchedRangeProofContext {
            commitments: all_commitments,
            bit_lengths: all_bit_lengths,
        }
    }

    pub fn to_bytes(&self) -> [Byte<BooleanValue>; BATCHED_RANGE_PROOF_CONTEXT_LEN] {
        let mut bytes = [Byte::<BooleanValue>::from(0); BATCHED_RANGE_PROOF_CONTEXT_LEN];
        bytes[..MAX_COMMITMENTS * PEDERSEN_COMMITMENT_LEN].copy_from_slice(
            &self
                .commitments
                .iter()
                .flat_map(|commitment| commitment.get_point().compress().to_bytes().to_vec())
                .collect::<Vec<Byte<BooleanValue>>>(),
        );
        bytes[MAX_COMMITMENTS * PEDERSEN_COMMITMENT_LEN..].copy_from_slice(
            &self
                .bit_lengths
                .iter()
                .copied()
                .map(Byte::from)
                .collect::<Vec<Byte<BooleanValue>>>(),
        );
        bytes
    }
}