kontor-crypto 0.1.1

Kontor Proof-of-Retrievability system for decentralized storage
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245

//! Circuit witness generation functionality.
//!
//! This module contains all the logic for creating properly structured
//! circuit witnesses for both real files and padding.

use super::types::{Challenge, FieldElement, PreparedFile};
use crate::{
    circuit::{CircuitWitness, FileProofWitness},
    commitment::{domain_tags, poseidon_hash_tagged},
    config, get_padded_proof_for_leaf,
    ledger::FileLedger,
    NovaPoRError, Result,
};
use ff::Field;
use std::collections::BTreeMap;
use tracing::{debug, debug_span};

/// Generates a properly structured CircuitWitness with guaranteed padding.
///
/// This is the SINGLE SOURCE OF TRUTH for creating circuit witness data.
/// It ensures that the witness structure is always correct, with exactly
/// the required number of witnesses (real files + padding to next power of two).
///
/// ## Guarantees
///
/// - Returns exactly `next_power_of_two(num_files)` witnesses
/// - Real file witnesses come first, followed by padding witnesses
/// - All padding witnesses have `actual_depth: 0`
/// - The structure is uniform and suitable for Nova's folding requirements
///
/// ## Special Cases
///
/// - Single-file proofs (aggregated_tree_depth == 0): Returns 1 witness
/// - Multi-file proofs: Returns next_power_of_two(num_files) witnesses
///
/// # Arguments
///
/// * `sorted_challenges` - Challenges sorted by file hash for deterministic ordering
/// * `files` - Map of file hashes to PreparedFile data (None for dummy witnesses)
/// * `ledger` - Optional file ledger containing the aggregated tree
/// * `params` - The public parameters
/// * `current_state` - The current state in the hash chain
/// * `aggregated_tree_depth` - Depth of the aggregated tree (0 for single-file)
/// * `step_num` - The current step number (for debugging)
///
/// # Returns
///
/// Returns a tuple of (CircuitWitness, new_state) where:
/// - `CircuitWitness` is the properly structured witness data
/// - `new_state` is the updated state after processing all files
#[allow(clippy::too_many_arguments)]
pub fn generate_circuit_witness(
    sorted_challenges: &[&Challenge],
    files: Option<&BTreeMap<String, &PreparedFile>>,
    ledger: &FileLedger,
    file_tree_depth: usize,     // Shape depth for uniform structure
    max_supported_depth: usize, // Maximum actual depth supported
    current_state: FieldElement,
    aggregated_tree_depth: usize,
    step_num: usize,
    precomputed_ledger_indices: &[usize], // Pass precomputed indices to ensure consistency
) -> Result<(CircuitWitness<FieldElement>, FieldElement)> {
    let _span = debug_span!(
        "generate_circuit_witness",
        step_num,
        num_challenges = sorted_challenges.len(),
        has_files = files.is_some()
    )
    .entered();

    let mut file_witnesses = Vec::new();
    let mut local_state = current_state;

    debug!("generate_circuit_witness - Step {}:", step_num);
    debug!("  - Input state: {:?}", current_state);
    debug!("  - Processing {} challenges", sorted_challenges.len());
    debug!("  - Aggregated tree depth: {}", aggregated_tree_depth);

    // Process real file challenges
    if let Some(files) = files {
        for (file_idx, challenge) in sorted_challenges.iter().enumerate() {
            let file = files.get(&challenge.file_metadata.file_id).ok_or_else(|| {
                NovaPoRError::InvalidInput(format!(
                    "File {} not found",
                    challenge.file_metadata.file_id
                ))
            })?;

            let (witness, new_state) = create_single_file_witness(
                challenge,
                file,
                file_idx,
                local_state,
                file_tree_depth,
                aggregated_tree_depth,
                ledger,
                precomputed_ledger_indices,
            )?;

            file_witnesses.push(witness);
            local_state = new_state;
        }
    } else {
        // Dummy witnesses for parameter generation
        // Create "worst-case" dummy witnesses with varied depths
        let num_dummies = sorted_challenges.len().max(1);
        for i in 0..num_dummies {
            let mut dummy_witness = create_padding_witness(file_tree_depth, aggregated_tree_depth);
            // Alternate between max depth and 0 for robustness testing
            if i == 0 {
                dummy_witness.actual_depth = max_supported_depth;
            }
            file_witnesses.push(dummy_witness);
        }
    }

    // Count real files as the original number of challenges (before padding)
    // Note: Minimal depth files (depth 1 with erasure (1,1)) are still real files
    let num_real_files = if let Some(_files) = files {
        sorted_challenges.len() // All challenges represent real files
    } else {
        // For parameter generation, count dummy witnesses with depth > 0
        file_witnesses.iter().filter(|w| w.actual_depth > 0).count()
    };

    // Determine target witness count based on exact shape
    // For exact shape, we use derive_shape to get the right count
    let (target_witness_count, _) =
        config::derive_shape(sorted_challenges.len(), max_supported_depth);

    // Pad with null witnesses to reach target count
    while file_witnesses.len() < target_witness_count {
        file_witnesses.push(create_padding_witness(
            file_tree_depth,
            aggregated_tree_depth,
        ));
    }

    // Ensure we have exactly the expected number of witnesses
    assert_eq!(
        file_witnesses.len(),
        target_witness_count,
        "CircuitWitness must have exactly {} witnesses, got {}",
        target_witness_count,
        file_witnesses.len()
    );

    debug!("generate_circuit_witness complete:");
    debug!("  - Real files: {}", num_real_files);
    debug!("  - Total witnesses: {}", file_witnesses.len());
    debug!("  - Output state: {:?}", local_state);

    // Create the CircuitWitness with guaranteed structure
    let circuit_witness = CircuitWitness {
        witnesses: file_witnesses,
        num_real_files,
    };

    Ok((circuit_witness, local_state))
}

/// Create a witness for a single file challenge.
#[allow(clippy::too_many_arguments)]
fn create_single_file_witness(
    challenge: &Challenge,
    file: &PreparedFile,
    file_idx: usize,
    current_state: FieldElement,
    file_tree_depth: usize,
    aggregated_tree_depth: usize,
    ledger: &FileLedger,
    precomputed_ledger_indices: &[usize],
) -> Result<(FileProofWitness<FieldElement>, FieldElement)> {
    let file_depth = file.tree.layers.len() - 1;

    // Calculate leaf index with proper domain separation
    let challenge_hash =
        poseidon_hash_tagged(domain_tags::challenge(), challenge.seed, current_state);
    let hash = if aggregated_tree_depth > 0 {
        // Multi-file: use domain-separated hash to combine challenge with file_idx
        poseidon_hash_tagged(
            domain_tags::challenge_per_file(),
            challenge_hash,
            FieldElement::from(file_idx as u64),
        )
    } else {
        // Single-file: use challenge directly
        challenge_hash
    };
    let leaf_index = crate::utils::derive_index_unbiased(hash, 1usize << file_depth);

    // Get proof padded to MAX depth for circuit uniformity
    let merkle_proof = get_padded_proof_for_leaf(&file.tree, leaf_index, file_tree_depth)?;

    // Get aggregation proof for this file
    let agg_proof = if aggregated_tree_depth > 0 {
        // Multi-file case: get actual aggregation proof
        ledger
            .get_aggregation_proof(&challenge.file_metadata.file_id)
            .ok_or_else(|| NovaPoRError::InvalidInput("File not found in ledger".to_string()))?
    } else {
        // Single-file case: empty aggregation proof
        crate::merkle::CircuitMerkleProof {
            leaf: FieldElement::ZERO,
            siblings: vec![],
            path_indices: vec![],
        }
    };

    // Use precomputed ledger index
    let ledger_index = precomputed_ledger_indices[file_idx];

    let witness = FileProofWitness {
        leaf: merkle_proof.leaf,
        file_siblings: merkle_proof.siblings,
        file_root: challenge.file_metadata.root,
        actual_depth: file_depth,
        agg_siblings: agg_proof.siblings,
        ledger_index,
    };

    // Update state for next file with domain separation
    let new_state = poseidon_hash_tagged(
        domain_tags::state_update(),
        current_state,
        merkle_proof.leaf,
    );

    Ok((witness, new_state))
}

/// Create a padding witness for circuit uniformity.
fn create_padding_witness(
    file_tree_depth: usize,
    aggregated_tree_depth: usize,
) -> FileProofWitness<FieldElement> {
    FileProofWitness {
        leaf: FieldElement::ZERO,
        file_siblings: vec![FieldElement::ZERO; file_tree_depth],
        file_root: FieldElement::ZERO,
        actual_depth: 0, // Padding witnesses have no depth
        agg_siblings: vec![FieldElement::ZERO; aggregated_tree_depth],
        ledger_index: 0,
    }
}