world-id-primitives 0.9.0

Contains the raw base primitives (without implementations) for the World ID Protocol.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383

use std::{fmt::Display, ops::Deref, str::FromStr};

use ark_babyjubjub::Fq;
use ruint::aliases::U256;
use serde::{Deserialize, Deserializer, Serialize, Serializer, de::Error as _};

use crate::{FieldElement, PrimitiveError};

/// A nullifier is a unique, one-time identifier derived from (user, rpId, action) that lets RPs detect
/// duplicate actions without learning who the user is. Used with the contract's `verify()` function.
///
/// Internally, this is a thin wrapper to identify explicitly a single _nullifier_. This wrapper is
/// used to expose explicit canonical serialization which is critical for uniqueness.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct Nullifier {
    /// The `FieldElement` representing the nullifier.
    pub inner: FieldElement,
}

impl Nullifier {
    const PREFIX: &str = "nil_";
    const ENCODING_LENGTH: usize = 64;

    /// Initializes a new [`Nullifier`] from a [`FieldElement`]
    pub const fn new(nullifier: FieldElement) -> Self {
        Self { inner: nullifier }
    }

    /// Outputs the nullifier as a number. This is the **recommended way of enforcing nullifier uniqueness**.
    ///
    /// Store this number directly to enforce uniqueness.
    pub fn as_number(&self) -> U256 {
        self.inner.into()
    }

    /// Serializes a nullifier in a canonical string representation.
    ///
    /// It is generally safe to do uniqueness on nullifiers treating them as strings if you always serialize
    /// them with this method. However, storing nullifiers as numbers instead is recommended.
    ///
    /// # Warning
    /// Using a canonical representation is particularly important for nullifiers. Otherwise, different strings
    /// may actually represent the same field elements, which could result in a compromise of uniqueness.
    ///
    /// # Details
    /// In particular, this method adds an explicit prefix, serializes the field element to a 32-byte hex padded
    /// string with only lowercase characters.
    pub fn to_canonical_string(&self) -> String {
        let value = self
            .inner
            .to_string()
            .trim_start_matches("0x")
            .to_lowercase();
        // len is safe because for all the hex charset, each uses 1 byte
        format!(
            "{}{}{value}",
            Self::PREFIX,
            "0".repeat(Self::ENCODING_LENGTH - value.len())
        )
    }

    /// Deserializes a nullifier from a canonical string representation. In particular,
    /// this method will enforce all the required rules to ensure the value was canonically serialized.
    ///
    /// For example, the following string representations are equivalently the same field element: `0xa`, `0xA`, `0x0A`,
    /// this method will ensure a single representation exists for each field element.
    ///
    /// # Errors
    /// Will return an error if any of the encoding conditions failed (e.g. invalid characters, invalid length, etc.)
    pub fn from_canonical_string(nullifier: String) -> Result<Self, PrimitiveError> {
        let nullifier = nullifier.strip_prefix(Self::PREFIX).ok_or_else(|| {
            PrimitiveError::Deserialization(format!(
                "nullifier must start with the {}",
                Self::PREFIX
            ))
        })?;

        if nullifier
            .chars()
            .any(|c| !c.is_ascii_hexdigit() || c.is_ascii_uppercase())
        {
            return Err(PrimitiveError::Deserialization(
                "nullifier has invalid characters. only lowercase hex characters allowed."
                    .to_string(),
            ));
        }

        if nullifier.len() != Self::ENCODING_LENGTH {
            return Err(PrimitiveError::Deserialization(format!(
                "nullifier does not have the right length. length: {}",
                nullifier.len()
            )));
        }

        let nullifier = FieldElement::from_str(nullifier)?;

        Ok(Self { inner: nullifier })
    }
}

impl Serialize for Nullifier {
    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
    where
        S: Serializer,
    {
        if serializer.is_human_readable() {
            serializer.serialize_str(&self.to_canonical_string())
        } else {
            // `to_be_bytes()` is guaranteed to return 32 bytes
            serializer.serialize_bytes(&self.inner.to_be_bytes())
        }
    }
}

impl<'de> Deserialize<'de> for Nullifier {
    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
    where
        D: Deserializer<'de>,
    {
        if deserializer.is_human_readable() {
            let value = String::deserialize(deserializer)?;
            Self::from_canonical_string(value).map_err(|e| D::Error::custom(e.to_string()))
        } else {
            let bytes = Vec::deserialize(deserializer)?;
            let bytes: [u8; 32] = bytes
                .try_into()
                .map_err(|_| D::Error::custom("expected 32 bytes"))?;
            let nullifier = FieldElement::from_be_bytes(&bytes)
                .map_err(|_| D::Error::custom("invalid field element"))?;
            Ok(Self { inner: nullifier })
        }
    }
}

impl Display for Nullifier {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        self.to_canonical_string().fmt(f)
    }
}

impl From<Nullifier> for FieldElement {
    fn from(value: Nullifier) -> Self {
        value.inner
    }
}

impl From<FieldElement> for Nullifier {
    fn from(value: FieldElement) -> Self {
        Self { inner: value }
    }
}

impl From<Fq> for Nullifier {
    fn from(value: Fq) -> Self {
        Self {
            inner: FieldElement::from(value),
        }
    }
}

impl From<Nullifier> for U256 {
    fn from(value: Nullifier) -> Self {
        value.as_number()
    }
}

impl Deref for Nullifier {
    type Target = FieldElement;
    fn deref(&self) -> &Self::Target {
        &self.inner
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use ruint::uint;

    fn nil(value: u64) -> Nullifier {
        Nullifier::new(FieldElement::from(value))
    }

    #[test]
    fn canonical_string_roundtrip() {
        let nullifier = nil(42);
        let canonical = nullifier.to_canonical_string();
        let recovered = Nullifier::from_canonical_string(canonical.clone()).unwrap();
        assert_eq!(nullifier, recovered);

        let to_string_representation = nullifier.to_string();
        assert_eq!(to_string_representation, canonical);
    }

    #[test]
    fn canonical_string_roundtrip_zero() {
        let nullifier = nil(0);
        let canonical = nullifier.to_canonical_string();
        assert_eq!(
            canonical,
            "nil_0000000000000000000000000000000000000000000000000000000000000000"
        );
        let recovered = Nullifier::from_canonical_string(canonical).unwrap();
        assert_eq!(nullifier, recovered);
    }

    #[test]
    fn canonical_string_roundtrip_large_value() {
        let fe = FieldElement::try_from(uint!(
            0x11d223ce7b91ac212f42cf50f0a3439ae3fcdba4ea32acb7f194d1051ed324c2_U256
        ))
        .unwrap();
        let nullifier = Nullifier::new(fe);
        let canonical = nullifier.to_canonical_string();
        assert_eq!(
            canonical,
            "nil_11d223ce7b91ac212f42cf50f0a3439ae3fcdba4ea32acb7f194d1051ed324c2"
        );
        let recovered = Nullifier::from_canonical_string(canonical).unwrap();
        assert_eq!(nullifier, recovered);
    }

    #[test]
    fn canonical_string_is_lowercase_and_zero_padded() {
        let canonical = nil(0xff).to_canonical_string();
        let hex_part = canonical.strip_prefix("nil_").unwrap();
        assert!(
            hex_part
                .chars()
                .all(|c| c.is_ascii_digit() || matches!(c, 'a'..='f'))
        );
        assert_eq!(hex_part.len(), 64);
        assert!(
            hex_part.starts_with("000000000000000000000000000000000000000000000000000000000000")
        );
        assert!(hex_part.ends_with("ff"));
    }

    #[test]
    fn rejects_missing_prefix() {
        let s = "0000000000000000000000000000000000000000000000000000000000000001";
        let err = Nullifier::from_canonical_string(s.to_string()).unwrap_err();
        assert_eq!(
            err.to_string(),
            "Deserialization error: nullifier must start with the nil_".to_string()
        );
    }

    #[test]
    fn rejects_wrong_prefix() {
        let s = "nul_0000000000000000000000000000000000000000000000000000000000000001";
        let err = Nullifier::from_canonical_string(s.to_string()).unwrap_err();
        assert_eq!(
            err.to_string(),
            "Deserialization error: nullifier must start with the nil_".to_string()
        );
    }

    #[test]
    fn rejects_uppercase_hex() {
        let s = "nil_000000000000000000000000000000000000000000000000000000000000000A";
        let err = Nullifier::from_canonical_string(s.to_string()).unwrap_err();
        assert_eq!(
            err.to_string(),
            "Deserialization error: nullifier has invalid characters. only lowercase hex characters allowed.".to_string()
        );
    }

    #[test]
    fn rejects_mixed_case() {
        let s = "nil_000000000000000000000000000000000000000000000000000000000000aAbB";
        let err = Nullifier::from_canonical_string(s.to_string()).unwrap_err();
        assert_eq!(
            err.to_string(),
            "Deserialization error: nullifier has invalid characters. only lowercase hex characters allowed.".to_string()
        );
    }

    #[test]
    fn rejects_unpadded_short() {
        // Valid field element but not zero-padded to 64 chars
        let s = "nil_a";
        let err = Nullifier::from_canonical_string(s.to_string()).unwrap_err();
        assert_eq!(
            err.to_string(),
            "Deserialization error: nullifier does not have the right length. length: 1"
                .to_string()
        );
    }

    #[test]
    fn rejects_too_long() {
        let s = "nil_00000000000000000000000000000000000000000000000000000000000000001";
        assert!(Nullifier::from_canonical_string(s.to_string()).is_err());
    }

    #[test]
    fn rejects_non_hex_characters() {
        let s = "nil_000000000000000000000000000000000000000000000000000000000000gggg";
        assert!(Nullifier::from_canonical_string(s.to_string()).is_err());
    }

    #[test]
    fn rejects_0x_prefix_inside_canonical() {
        let s = "nil_0x0000000000000000000000000000000000000000000000000000000000000a";
        assert!(Nullifier::from_canonical_string(s.to_string()).is_err());
    }

    #[test]
    fn non_canonical_representations_of_same_value_rejected() {
        // All of these represent field element 10, but only the canonical form is accepted.
        let non_canonical = [
            "nil_000000000000000000000000000000000000000000000000000000000000000A", // uppercase
            "nil_a",                                                                // unpadded
            "nil_0a", // partially padded
            "nil_0A", // uppercase + unpadded
            "nil_00000000000000000000000000000000000000000000000000000000000000a", // 63 chars
            "nil_0000000000000000000000000000000000000000000000000000000000000000a", // 65 chars
        ];

        for s in non_canonical {
            assert!(
                Nullifier::from_canonical_string(s.to_string()).is_err(),
                "should reject non-canonical: {s}"
            );
        }
    }

    #[test]
    fn as_number_returns_inner_u256() {
        let nullifier = nil(12345);
        assert_eq!(nullifier.as_number(), U256::from(12345));
    }

    #[test]
    fn json_roundtrip() {
        let nullifier = nil(42);
        let json = serde_json::to_string(&nullifier).unwrap();
        let recovered: Nullifier = serde_json::from_str(&json).unwrap();
        assert_eq!(nullifier, recovered);
    }

    #[test]
    fn json_uses_canonical_format() {
        let nullifier = nil(255);
        let json = serde_json::to_string(&nullifier).unwrap();
        let expected = format!("\"{}\"", nullifier.to_canonical_string());
        assert_eq!(json, expected);
    }

    #[test]
    fn json_rejects_non_canonical_input() {
        // Valid field element, but uppercase hex
        let json = "\"nil_000000000000000000000000000000000000000000000000000000000000000A\"";
        assert!(serde_json::from_str::<Nullifier>(json).is_err());

        // Valid field element, but no prefix
        let json = "\"0000000000000000000000000000000000000000000000000000000000000001\"";
        assert!(serde_json::from_str::<Nullifier>(json).is_err());
    }

    #[test]
    fn cbor_roundtrip() {
        let nullifier = nil(42);
        let mut buf = Vec::new();
        ciborium::into_writer(&nullifier, &mut buf).unwrap();
        let recovered: Nullifier = ciborium::from_reader(&buf[..]).unwrap();
        assert_eq!(nullifier, recovered);
    }

    #[test]
    fn json_and_cbor_decode_to_same_value() {
        let nullifier = nil(999);

        let json = serde_json::to_string(&nullifier).unwrap();
        let from_json: Nullifier = serde_json::from_str(&json).unwrap();

        let mut cbor_buf = Vec::new();
        ciborium::into_writer(&nullifier, &mut cbor_buf).unwrap();
        let from_cbor: Nullifier = ciborium::from_reader(&cbor_buf[..]).unwrap();

        assert_eq!(from_json, from_cbor);
    }
}