Merge pull request #50 from webb-tools/akilesh-tornPoolCircuits

Joinsplit - Pool circuits and contracts

Author: drewstone

.github/workflows/node.js.yml

@@ -26,6 +26,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'yarn'
+      - run: git submodule update --init --recursive
       - run: yarn install --production=false
       - run: yarn compile
       - run: yarn build:hashers

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "protocol-solidity-fixtures"]
+	path = protocol-solidity-fixtures
+	url = https://github.com/webb-tools/protocol-solidity-fixtures

circuits/bridge/manyMerkleTree.circom

@@ -1,30 +1,7 @@
 pragma circom 2.0.0;
 
 include "../poseidon/hasher.circom";
-
-// Set membership gadget is handled with a multiplicative trick.
-//
-// For a given set of elements, a prover first computes the difference between
-// each element in the set and the element they are proving knowledge of. We
-// constrain this operation accordingly. We then multiply all differences and constrain
-// this value by zero. If the prover actually knows an element in the set then for that
-// element, it must hold that the difference is 0. Therefore, the product of 0 and
-// anything else should be 0. The prove can't lie by adding a zero into the diffs set
-// because we constrain those to match all elements in the set respectively.
-template SetMembership(length) {
-  signal input element;
-  signal input set[length];
-  signal input diffs[length];
-
-  signal product[length + 1];
-  product[0] <== element;
-  for (var i = 0; i < length; i++) {
-    set[i] === diffs[i] + element;
-    product[i + 1] <== product[i] * diffs[i];
-  }
-
-  product[length] === 0;
-}
+include "../set/membership.circom";
 
 // if s == 0 returns [in[0], in[1]]
 // if s == 1 returns [in[1], in[0]]

circuits/semaphore/semaphore-base.circom

@@ -2,6 +2,7 @@ pragma circom 2.0.0;
 
 include "../../node_modules/circomlib/circuits/poseidon.circom";
 include "../../node_modules/circomlib/circuits/babyjub.circom";
+include "../set/membership.circom";
 include "./tree.circom";
 
 
@@ -41,30 +42,6 @@ template CalculateNullifierHash() {
     out <== hasher.out;
 }
 
-// Set membership gadget is handled with a multiplicative trick.
-//
-// For a given set of elements, a prover first computes the difference between
-// each element in the set and the element they are proving knowledge of. We
-// constrain this operation accordingly. We then multiply all differences and constrain
-// this value by zero. If the prover actually knows an element in the set then for that
-// element, it must hold that the difference is 0. Therefore, the product of 0 and
-// anything else should be 0. The prove can't lie by adding a zero into the diffs set
-// because we constrain those to match all elements in the set respectively.
-template SetMembership(length) {
-  signal input element;
-  signal input set[length];
-  signal input diffs[length];
-
-  signal product[length + 1];
-  product[0] <== element;
-  for (var i = 0; i < length; i++) {
-    set[i] === diffs[i] + element;
-    product[i + 1] <== product[i] * diffs[i];
-  }
-
-  product[length] === 0;
-}
-
 // n_levels must be < 32
 template Semaphore(n_levels, length) {
 

circuits/set/membership.circom

@@ -2,27 +2,26 @@ pragma circom 2.0.0;
 
 include "../../node_modules/circomlib/circuits/comparators.circom";
 
+// Set membership gadget is handled with a multiplicative trick.
+//
+// For a given set of elements, a prover first computes the difference between
+// each element in the set and the element they are proving knowledge of. We
+// constrain this operation accordingly. We then multiply all differences and constrain
+// this value by zero. If the prover actually knows an element in the set then for that
+// element, it must hold that the difference is 0. Therefore, the product of 0 and
+// anything else should be 0. The prove can't lie by adding a zero into the diffs set
+// because we constrain those to match all elements in the set respectively.
 template SetMembership(length) {
-    signal input element;
-    signal input set[length];
-
-    signal product[length + 1];
-    product[0] <== 1;
-
-    component isEqualChecker[length];
-    component isZeroChecker[length];
-
-    for(var i = 0; i < length; i++) {
-     isEqualChecker[i] = IsEqual();
-     isZeroChecker[i] = IsZero();
-
-     isEqualChecker[i].in[0] <== element;
-     isEqualChecker[i].in[1] <== set[i];
-
-     isZeroChecker[i].in <== isEqualChecker[i].out;
-
-     product[i + 1] <== product[i] * isZeroChecker[i].out;
-    }
-
-    product[length] === 0;
-}
+  signal input element;
+  signal input set[length];
+  signal input diffs[length];
+
+  signal product[length + 1];
+  product[0] <== element;
+  for (var i = 0; i < length; i++) {
+    set[i] === diffs[i] + element;
+    product[i + 1] <== product[i] * diffs[i];
+  }
+
+  product[length] === 0;
+}

circuits/set/membership_if_enabled.circom

@@ -0,0 +1,30 @@
+pragma circom 2.0.0;
+
+include "../../node_modules/circomlib/circuits/comparators.circom";
+
+// Set membership gadget is handled with a multiplicative trick.
+//
+// For a given set of elements, a prover first computes the difference between
+// each element in the set and the element they are proving knowledge of. We
+// constrain this operation accordingly. We then multiply all differences and constrain
+// this value by zero. If the prover actually knows an element in the set then for that
+// element, it must hold that the difference is 0. Therefore, the product of 0 and
+// anything else should be 0. The prove can't lie by adding a zero into the diffs set
+// because we constrain those to match all elements in the set respectively.
+template ForceSetMembershipIfEnabled(length) {
+  signal input element;
+  signal input set[length];
+  signal input diffs[length];
+  signal input enabled;
+
+  signal product[length + 1];
+  
+  product[0] <== element;
+  
+  for (var i = 0; i < length; i++) { 
+    (set[i] - diffs[i] - element) * enabled === 0;
+    product[i + 1] <== product[i] * diffs[i];
+  }
+
+  product[length]*enabled === 0;
+}

circuits/set/membership_wo_diffs.circom

@@ -0,0 +1,28 @@
+pragma circom 2.0.0;
+
+include "../../node_modules/circomlib/circuits/comparators.circom";
+
+template SetMembership(length) {
+    signal input element;
+    signal input set[length];
+
+    signal product[length + 1];
+    product[0] <== 1;
+
+    component isEqualChecker[length];
+    component isZeroChecker[length];
+
+    for(var i = 0; i < length; i++) {
+     isEqualChecker[i] = IsEqual();
+     isZeroChecker[i] = IsZero();
+
+     isEqualChecker[i].in[0] <== element;
+     isEqualChecker[i].in[1] <== set[i];
+
+     isZeroChecker[i].in <== isEqualChecker[i].out;
+
+     product[i + 1] <== product[i] * isZeroChecker[i].out;
+    }
+
+    product[length] === 0;
+}

circuits/test/poseidon4_test.circom

@@ -0,0 +1,21 @@
+pragma circom 2.0.0;
+
+include "../../node_modules/circomlib/circuits/poseidon.circom";
+
+template Poseidon4Gadget() {
+    signal input outChainID;
+    signal input outAmount;
+    signal input outPubkey;
+    signal input outBlinding;
+    signal input outputCommitment;
+
+    component outUtxoHasher = Poseidon(4);
+    outUtxoHasher.inputs[0] <== outChainID;
+    outUtxoHasher.inputs[1] <== outAmount;
+    outUtxoHasher.inputs[2] <== outPubkey;
+    outUtxoHasher.inputs[3] <== outBlinding;
+    outUtxoHasher.out === outputCommitment;
+}
+
+component main {public [outputCommitment]} = Poseidon4Gadget();
+

circuits/test/poseidon_bridge_2.circom

@@ -3,5 +3,5 @@ pragma circom 2.0.0;
 include "../bridge/withdraw.circom";
 
 component main {public [nullifierHash, recipient, relayer, fee, 
-    refund, chainID, roots, refreshCommitment]} = Withdraw(30, 2);
+    refund, refreshCommitment, chainID, roots]} = Withdraw(30, 2);
 

circuits/test/poseidon_bridge_3.circom

@@ -3,4 +3,4 @@ pragma circom 2.0.0;
 include "../bridge/withdraw.circom";
 
 component main {public [nullifierHash, recipient, relayer, fee, 
-    refund, chainID, roots, refreshCommitment]} = Withdraw(30, 3);
+    refund, refreshCommitment, chainID, roots]} = Withdraw(30, 3);