Line data    Source code

       1             : #ifndef HEADER_fd_zksdk_batched_range_proofs_h
       2             : #define HEADER_fd_zksdk_batched_range_proofs_h
       3             : 
       4             : #include "../../../../fd_flamenco_base.h"
       5             : 
       6             : struct __attribute__((packed)) fd_zksdk_range_proof_u64_proof {
       7             :   fd_rangeproofs_range_proof_t range_proof;
       8             :   fd_rangeproofs_ipp_vecs_t    ipp_lr_vec[ 6 ]; // log(bit_length) points
       9             :   uchar                        ipp_a[ 32 ];     // scalar
      10             :   uchar                        ipp_b[ 32 ];     // scalar
      11             : };
      12             : typedef struct fd_zksdk_range_proof_u64_proof fd_zksdk_range_proof_u64_proof_t;
      13             : 
      14             : struct __attribute__((packed)) fd_zksdk_range_proof_u128_proof {
      15             :   fd_rangeproofs_range_proof_t range_proof;
      16             :   fd_rangeproofs_ipp_vecs_t    ipp_lr_vec[ 7 ]; // log(bit_length) points
      17             :   uchar                        ipp_a[ 32 ];     // scalar
      18             :   uchar                        ipp_b[ 32 ];     // scalar
      19             : };
      20             : typedef struct fd_zksdk_range_proof_u128_proof fd_zksdk_range_proof_u128_proof_t;
      21             : 
      22             : struct __attribute__((packed)) fd_zksdk_range_proof_u256_proof {
      23             :   fd_rangeproofs_range_proof_t range_proof;
      24             :   fd_rangeproofs_ipp_vecs_t    ipp_lr_vec[ 8 ]; // log(bit_length) points
      25             :   uchar                        ipp_a[ 32 ];     // scalar
      26             :   uchar                        ipp_b[ 32 ];     // scalar
      27             : };
      28             : typedef struct fd_zksdk_range_proof_u256_proof fd_zksdk_range_proof_u256_proof_t;
      29             : 
      30        1551 : #define FD_ZKSDK_MAX_COMMITMENTS FD_RANGEPROOFS_MAX_COMMITMENTS
      31             : struct __attribute__((packed)) fd_zksdk_batched_range_proof_context {
      32             :   uchar commitments[ FD_ZKSDK_MAX_COMMITMENTS * 32 ]; // points
      33             :   uchar bit_lengths[ FD_ZKSDK_MAX_COMMITMENTS ];
      34             : };
      35             : typedef struct fd_zksdk_batched_range_proof_context fd_zksdk_batched_range_proof_context_t;
      36             : 
      37             : static inline void
      38             : batched_range_proof_transcript_init( fd_zksdk_transcript_t *                        transcript,
      39         141 :                                      fd_zksdk_batched_range_proof_context_t const * context) {
      40         141 :   fd_zksdk_transcript_init( transcript, FD_TRANSCRIPT_LITERAL("batched-range-proof-instruction") );
      41         141 :   fd_merlin_transcript_append_message( transcript, FD_TRANSCRIPT_LITERAL("commitments"), context->commitments, FD_ZKSDK_MAX_COMMITMENTS * 32 );
      42         141 :   fd_merlin_transcript_append_message( transcript, FD_TRANSCRIPT_LITERAL("bit-lengths"), context->bit_lengths, FD_ZKSDK_MAX_COMMITMENTS );
      43         141 : }
      44             : 
      45             : /* batched_range_proof_init_and_validate implements verify_proof() for range proofs:
      46             :    https://github.com/anza-xyz/agave/blob/v2.0.1/zk-sdk/src/zk_elgamal_proof_program/proof_data/batched_range_proof/batched_range_proof_u64.rs#L82
      47             :    It validates context, initializes the transcript, and returns the length of
      48             :    commitments / bit_lenghts, i.e. the size of the batch in the batch proof, aka m.
      49             :    For compatibility with Agave, this is the critical rule:
      50             :    https://github.com/anza-xyz/agave/blob/v2.0.1/zk-sdk/src/zk_elgamal_proof_program/proof_data/batched_range_proof/mod.rs#L112
      51             :    i.e., the length is determined by the first all-zero commitment.
      52             :    Note that Agave is decompressing points while parsing the context, we don't do
      53             :    that here but at the very beginning of the ZKP verify, e.g. fd_zksdk_verify_proof_range_u128(). */
      54             : static inline int
      55             : batched_range_proof_init_and_validate( uchar *                                        len,
      56             :                                        fd_zksdk_batched_range_proof_context_t const * context,
      57         141 :                                        fd_zksdk_transcript_t *                        transcript ) {
      58             : 
      59         141 :   uchar i = 0;
      60        1269 :   for( ; i < FD_ZKSDK_MAX_COMMITMENTS; i++ ) {
      61        1128 :     if( fd_memeq( &context->commitments[ i*32 ], fd_ristretto255_compressed_zero, 32 ) ) {
      62           0 :       break;
      63           0 :     }
      64        1128 :   }
      65         141 :   *len = i;
      66             : 
      67             :   //TODO: https://github.com/anza-xyz/agave/blob/v2.0.1/zk-sdk/src/zk_elgamal_proof_program/proof_data/batched_range_proof/batched_range_proof_u64.rs#L87
      68             : 
      69         141 :   batched_range_proof_transcript_init( transcript, context );
      70         141 :   return FD_EXECUTOR_INSTR_SUCCESS;
      71         141 : }
      72             : 
      73             : #endif /* HEADER_fd_zksdk_batched_range_proofs_h */