r14-circuit 0.1.0

Transfer circuit (Groth16/BLS12-381) for Root14
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269

pub mod merkle_gadget;
pub mod poseidon_gadget;
pub mod transfer;

use ark_bls12_381::{Bls12_381, Fr};
use ark_groth16::{Groth16, PreparedVerifyingKey, ProvingKey, VerifyingKey};
use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystem};
use ark_snark::SNARK;
use ark_std::rand::{CryptoRng, RngCore};
use r14_types::{MerklePath, Note};

pub use transfer::TransferCircuit;

/// Public inputs for a transfer proof
pub struct PublicInputs {
    pub old_root: Fr,
    pub nullifier: Fr,
    pub out_commitment_0: Fr,
    pub out_commitment_1: Fr,
}

impl PublicInputs {
    pub fn to_vec(&self) -> Vec<Fr> {
        vec![self.old_root, self.nullifier, self.out_commitment_0, self.out_commitment_1]
    }
}

/// Run Groth16 trusted setup for the transfer circuit
pub fn setup<R: RngCore + CryptoRng>(rng: &mut R) -> (ProvingKey<Bls12_381>, VerifyingKey<Bls12_381>) {
    let circuit = TransferCircuit::empty();
    Groth16::<Bls12_381>::circuit_specific_setup(circuit, rng).expect("setup failed")
}

/// Generate a Groth16 proof for a private transfer
pub fn prove<R: RngCore + CryptoRng>(
    pk: &ProvingKey<Bls12_381>,
    secret_key: Fr,
    consumed_note: Note,
    merkle_path: MerklePath,
    created_notes: [Note; 2],
    rng: &mut R,
) -> (ark_groth16::Proof<Bls12_381>, PublicInputs) {
    // Compute public inputs natively
    let cm = r14_poseidon::commitment(&consumed_note);

    let mut current = cm;
    for i in 0..merkle_path.siblings.len() {
        if merkle_path.indices[i] {
            current = r14_poseidon::hash2(merkle_path.siblings[i], current);
        } else {
            current = r14_poseidon::hash2(current, merkle_path.siblings[i]);
        }
    }
    let old_root = current;

    let nullifier = r14_poseidon::poseidon_hash(&[secret_key, consumed_note.nonce]);
    let out_cm_0 = r14_poseidon::commitment(&created_notes[0]);
    let out_cm_1 = r14_poseidon::commitment(&created_notes[1]);

    let circuit = TransferCircuit {
        secret_key: Some(secret_key),
        consumed_note: Some(consumed_note),
        merkle_path: Some(merkle_path),
        created_notes: Some(created_notes),
    };

    let proof = Groth16::<Bls12_381>::prove(pk, circuit, rng).expect("proving failed");

    let public_inputs = PublicInputs {
        old_root,
        nullifier,
        out_commitment_0: out_cm_0,
        out_commitment_1: out_cm_1,
    };

    (proof, public_inputs)
}

/// Verify a proof off-chain
pub fn verify_offchain(
    vk: &VerifyingKey<Bls12_381>,
    proof: &ark_groth16::Proof<Bls12_381>,
    public_inputs: &PublicInputs,
) -> bool {
    let pvk = PreparedVerifyingKey::from(vk.clone());
    Groth16::<Bls12_381>::verify_with_processed_vk(&pvk, &public_inputs.to_vec(), proof)
        .unwrap_or(false)
}

/// Count constraints in the transfer circuit
pub fn constraint_count() -> usize {
    let cs = ConstraintSystem::<Fr>::new_ref();
    cs.set_optimization_goal(ark_relations::r1cs::OptimizationGoal::Constraints);
    cs.set_mode(ark_relations::r1cs::SynthesisMode::Setup);
    let circuit = TransferCircuit::empty();
    circuit.generate_constraints(cs.clone()).expect("constraint generation failed");
    cs.num_constraints()
}

#[cfg(test)]
mod tests {
    use super::*;
    use ark_ff::UniformRand;
    use ark_relations::r1cs::ConstraintSynthesizer;
    use ark_std::rand::{rngs::StdRng, SeedableRng};
    use r14_types::{MerklePath, Note, SecretKey, MERKLE_DEPTH};

    fn test_rng() -> StdRng {
        StdRng::seed_from_u64(42)
    }

    fn build_dummy_merkle_path(rng: &mut impl RngCore) -> MerklePath {
        let siblings: Vec<Fr> = (0..MERKLE_DEPTH).map(|_| Fr::rand(rng)).collect();
        let indices: Vec<bool> = (0..MERKLE_DEPTH).map(|i| i % 2 == 0).collect();
        MerklePath { siblings, indices }
    }

    fn test_scenario(rng: &mut impl RngCore) -> (Fr, Note, MerklePath, [Note; 2]) {
        let sk = SecretKey::random(rng);
        let owner = r14_poseidon::owner_hash(&sk);
        let consumed = Note::new(1000, 1, owner.0, rng);
        let path = build_dummy_merkle_path(rng);

        let recipient_sk = SecretKey::random(rng);
        let recipient_owner = r14_poseidon::owner_hash(&recipient_sk);
        let note_0 = Note::new(700, 1, recipient_owner.0, rng);
        let note_1 = Note::new(300, 1, owner.0, rng); // change back to sender

        (sk.0, consumed, path, [note_0, note_1])
    }

    #[test]
    fn test_valid_transfer() {
        let mut rng = test_rng();
        let (sk, consumed, path, created) = test_scenario(&mut rng);

        let (pk, vk) = setup(&mut rng);
        let (proof, pi) = prove(&pk, sk, consumed, path, created, &mut rng);
        assert!(verify_offchain(&vk, &proof, &pi));
    }

    #[test]
    fn test_wrong_secret_key() {
        let mut rng = test_rng();
        let (_, consumed, path, created) = test_scenario(&mut rng);
        let wrong_sk = Fr::rand(&mut rng); // wrong key

        let circuit = TransferCircuit {
            secret_key: Some(wrong_sk),
            consumed_note: Some(consumed),
            merkle_path: Some(path),
            created_notes: Some(created),
        };

        let cs = ConstraintSystem::<Fr>::new_ref();
        circuit.generate_constraints(cs.clone()).unwrap();
        assert!(!cs.is_satisfied().unwrap(), "should fail: wrong secret key");
    }

    #[test]
    fn test_wrong_merkle_path() {
        let mut rng = test_rng();
        let (sk, consumed, mut path, created) = test_scenario(&mut rng);
        // Corrupt one sibling
        path.siblings[0] = Fr::rand(&mut rng);

        // The circuit will compute a different root than what gets set as public input
        // We need to test at the proof level — the circuit itself always computes consistently
        // So instead: use prove() which computes root from the bad path, then tamper the root
        let (pk, vk) = setup(&mut rng);
        let (proof, mut pi) = prove(&pk, sk, consumed, path, created, &mut rng);
        // Tamper with root to simulate inclusion failure
        pi.old_root = Fr::rand(&mut rng);
        assert!(!verify_offchain(&vk, &proof, &pi), "should fail: wrong root");
    }

    #[test]
    fn test_value_mismatch() {
        let mut rng = test_rng();
        let sk = SecretKey::random(&mut rng);
        let owner = r14_poseidon::owner_hash(&sk);
        let consumed = Note::new(1000, 1, owner.0, &mut rng);
        let path = build_dummy_merkle_path(&mut rng);

        let recipient_sk = SecretKey::random(&mut rng);
        let recipient_owner = r14_poseidon::owner_hash(&recipient_sk);
        // Values don't sum to 1000
        let note_0 = Note::new(600, 1, recipient_owner.0, &mut rng);
        let note_1 = Note::new(300, 1, owner.0, &mut rng);

        let circuit = TransferCircuit {
            secret_key: Some(sk.0),
            consumed_note: Some(consumed),
            merkle_path: Some(path),
            created_notes: Some([note_0, note_1]),
        };

        let cs = ConstraintSystem::<Fr>::new_ref();
        circuit.generate_constraints(cs.clone()).unwrap();
        assert!(!cs.is_satisfied().unwrap(), "should fail: value mismatch");
    }

    #[test]
    fn test_constraint_count() {
        let count = constraint_count();
        println!("Transfer circuit constraint count: {}", count);
        assert!(count < 20_000, "constraint count {} exceeds 20K limit", count);
        assert!(count > 1_000, "constraint count {} suspiciously low", count);
    }

    #[test]
    fn test_serialization_roundtrip() {
        let mut rng = test_rng();
        let (sk, consumed, path, created) = test_scenario(&mut rng);

        let (pk, vk) = setup(&mut rng);
        let (proof, pi) = prove(&pk, sk, consumed, path, created, &mut rng);

        let svk = r14_sdk::serialize::serialize_vk_for_soroban(&vk);
        let (sp, spi) = r14_sdk::serialize::serialize_proof_for_soroban(&proof, &pi.to_vec());

        // IC length = 5 (1 constant + 4 public inputs)
        assert_eq!(svk.ic.len(), 5, "IC length should be 5 for 4 public inputs");

        // G1 = 96 bytes = 192 hex chars
        assert_eq!(svk.alpha_g1.len(), 192);
        assert_eq!(sp.a.len(), 192);
        assert_eq!(sp.c.len(), 192);
        for ic in &svk.ic {
            assert_eq!(ic.len(), 192);
        }

        // G2 = 192 bytes = 384 hex chars
        assert_eq!(svk.beta_g2.len(), 384);
        assert_eq!(sp.b.len(), 384);

        // Fr = 32 bytes = 64 hex chars
        assert_eq!(spi.len(), 4);
        for pi_hex in &spi {
            assert_eq!(pi_hex.len(), 64);
        }
    }

    #[test]
    fn test_app_tag_mismatch() {
        let mut rng = test_rng();
        let sk = SecretKey::random(&mut rng);
        let owner = r14_poseidon::owner_hash(&sk);
        let consumed = Note::new(1000, 1, owner.0, &mut rng);
        let path = build_dummy_merkle_path(&mut rng);

        let recipient_sk = SecretKey::random(&mut rng);
        let recipient_owner = r14_poseidon::owner_hash(&recipient_sk);
        // app_tag mismatch: consumed=1, created=2
        let note_0 = Note::new(700, 2, recipient_owner.0, &mut rng);
        let note_1 = Note::new(300, 1, owner.0, &mut rng);

        let circuit = TransferCircuit {
            secret_key: Some(sk.0),
            consumed_note: Some(consumed),
            merkle_path: Some(path),
            created_notes: Some([note_0, note_1]),
        };

        let cs = ConstraintSystem::<Fr>::new_ref();
        circuit.generate_constraints(cs.clone()).unwrap();
        assert!(!cs.is_satisfied().unwrap(), "should fail: app tag mismatch");
    }
}