kontor-crypto 0.1.3

Kontor Proof-of-Retrievability system for decentralized storage
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

//! Merkle path verification gadgets for circuits.
//!
//! This module provides gated Merkle path verification for both file trees
//! and aggregation trees within the Nova circuit.

use ff::PrimeField;
use ff::PrimeFieldBits;
use nova_snark::frontend::{
    gadgets::{boolean::Boolean, num::AllocatedNum},
    ConstraintSystem, SynthesisError,
};

use super::poseidon::poseidon_hash_tagged_gadget;
use super::select::conditional_select;
use crate::poseidon::domain_tags;

/// Generic Merkle path verification with gating support for uniform circuit structure.
/// This unified function handles both file tree and aggregation tree verification.
///
/// # Arguments
/// * `namespace_prefix` - Prefix for constraint namespaces ("merkle" or "agg_merkle")
/// * `is_active_flags` - Optional flags for gating (None creates always-active flags)
/// * `max_depth` - Maximum depth to process for uniform circuit structure
pub fn verify_gated_merkle_path<F: PrimeField + PrimeFieldBits, CS: ConstraintSystem<F>>(
    mut cs: CS,
    leaf: &AllocatedNum<F>,
    siblings: &[AllocatedNum<F>],
    path_indices: &[Boolean],
    is_active_flags: Option<&[Boolean]>,
    max_depth: usize,
    namespace_prefix: &str,
) -> Result<AllocatedNum<F>, SynthesisError> {
    let mut current_hash = leaf.clone();

    // Process exactly max_depth levels for uniform structure
    for i in 0..max_depth {
        let mut step_cs = cs.namespace(|| format!("{}_step_{}", namespace_prefix, i));

        // Get the activity flag for this level
        // If is_active_flags is None, all levels are active (for aggregation)
        // If is_active_flags is Some, use the provided flags (for file trees)
        let is_active = if let Some(flags) = is_active_flags {
            // File tree case: use provided gating flags with fallback
            flags.get(i).cloned().unwrap_or(Boolean::constant(false))
        } else {
            // Aggregation tree case: all levels within depth are active
            Boolean::constant(i < max_depth)
        };

        // Get sibling and path bit (use dummy values if needed)
        let sibling = if i < siblings.len() {
            siblings[i].clone()
        } else {
            // Allocate dummy sibling for padding
            AllocatedNum::alloc(step_cs.namespace(|| "dummy_sibling"), || Ok(F::ZERO))?
        };

        let path_bit = if i < path_indices.len() {
            path_indices[i].clone()
        } else {
            // Dummy path bit
            Boolean::constant(false)
        };

        // Compute hash for this level
        let left = conditional_select(
            step_cs.namespace(|| "select_left"),
            &path_bit,
            &current_hash,
            &sibling,
        )?;
        let right = conditional_select(
            step_cs.namespace(|| "select_right"),
            &path_bit,
            &sibling,
            &current_hash,
        )?;

        // Use domain-separated hashing for Merkle nodes
        let level_hash = poseidon_hash_tagged_gadget(
            step_cs.namespace(|| "hash_nodes"),
            domain_tags::node(),
            &left,
            &right,
        )?;

        // Conditionally update current_hash based on is_active
        // If active: current_hash = level_hash (update with new hash)
        // If inactive: current_hash = current_hash (keep unchanged)
        current_hash = conditional_select(
            step_cs.namespace(|| "select_output"),
            &is_active,
            &current_hash, // if_false: when inactive, keep current
            &level_hash,   // if_true: when active, use new hash
        )?;
    }

    Ok(current_hash)
}

/// File tree Merkle path verification with gating support.
/// This is a wrapper around the generic verification function.
pub fn verify_merkle_path_gated<F: PrimeField + PrimeFieldBits, CS: ConstraintSystem<F>>(
    cs: CS,
    leaf: &AllocatedNum<F>,
    siblings: &[AllocatedNum<F>],
    path_indices: &[Boolean],
    is_active_flags: Option<&[Boolean]>,
    max_depth: usize,
) -> Result<AllocatedNum<F>, SynthesisError> {
    verify_gated_merkle_path(
        cs,
        leaf,
        siblings,
        path_indices,
        is_active_flags,
        max_depth,
        "merkle",
    )
}

/// Aggregation tree Merkle path verification with uniform structure.
/// This is a wrapper around the generic verification function.
pub fn verify_aggregation_path_gated<F: PrimeField + PrimeFieldBits, CS: ConstraintSystem<F>>(
    cs: CS,
    leaf: &AllocatedNum<F>,
    siblings: &[AllocatedNum<F>],
    path_indices: &[Boolean],
    depth: usize,
) -> Result<AllocatedNum<F>, SynthesisError> {
    verify_gated_merkle_path(
        cs,
        leaf,
        siblings,
        path_indices,
        None, // No gating flags - all levels within depth are active
        depth,
        "agg_merkle",
    )
}