feat(confidential): Noir revoke_operator circuit#732
Merged
Conversation
Replaces the per-plaintext encrypt_auditor_tx / encrypt_auditor_bal
helpers with the per-channel Poseidon2 sponge described in design doc
v0.5 -> v0.6 (Section 2.5, Section 8.1). One absorb of
(delta_channel, S.x, sigma) is followed by N squeezes from the same
permutation; rate=3 lets every current call serve all squeezes without
a second permutation. AUDITOR_TX and AUDITOR_BALANCE domain tags are
dropped in favour of AUDITOR_SENDER (delta_aud_s) and AUDITOR_RECIPIENT
(delta_aud_r) at the same numeric slots (10, 11).
Adds the sponge_squeeze_2 gadget for nargo info accounting and pins
the new sponge outputs in testdata/sponge_squeeze_{1,2}.json. The
constraints baseline gains one row; no existing primitive's output
changed.
Implements the spend-side block of the Withdraw circuit from design doc Section 7.5: owner key ownership (W1), wrapper-bound viewing key (W2), spendable balance opening (W3), range validity on v, a, and v - a (W4), deterministic randomness for the new commitment (W5), the refreshed spendable commitment (W6), and the encrypted balance scalar (W7). The auditor block (W_a1-W_a5, K_aud_s + r_e + R_e + b_tilde_aud_s) lands in a follow-up commit so this one stays focused on balance conservation and key ownership; once that lands the public input signature grows from 10 to the design doc's frozen 15 fields. Tests reuse the lib's pinned (sk, wrap, sigma, v, r) fixtures so any drift in commit / vk_from_sk / encrypt_balance / derive_spend_r is caught by `withdraw_fixtures_match_lib` before the rest of the harness runs. Negative coverage: under-funded withdrawal (W4), v or a out of range, wrong sk (W1), wrong balance opening (W3), wrong wrap (W2/W6/W7 chain), tampered b_tilde (W7), tampered C_spend' (W6). VK extraction script and constraints baseline updated.
Adds the sender-auditor visibility block to the Withdraw circuit
(design doc Section 7.5, Section 8.1): the ephemeral key R_e = r_e * H
(W_a1), the sender-auditor ECDH shared secret S_{a,s} = r_e * K_{aud,s}
(W_a2), the single-squeeze sender-channel sponge mask m_b (W_a3), the
sender-auditor balance checkpoint ciphertext b_tilde_aud_s = (v - a) +
m_b (W_a4), and the r_e != 0 non-collapse constraint (W_a5).
The public input signature grows from 10 to the design-doc-frozen 15
fields, in canonical order (C_spend, Y, wrap, K_aud_s, a, C_spend',
sigma, b_tilde, R_e, b_tilde_aud_s). K_aud_s carries an explicit
on-curve + non-identity check at the entrypoint because the verifier
doesn't check curve membership and an off-curve K_aud_s would break the
soundness of W_a2 (Section 10.8).
`encrypt_auditor_sender_balance` lands in the lib as the canonical
W_a3+W_a4 composition; the same helper covers RevokeOperator V_a3/V_a5
and SetOperator S_a3/S_a5 when those circuits land. Pinned via testdata
and a lib round-trip test that ties it back to sponge_squeeze_1.
Auditor-side negative coverage: r_e = 0 (W_a5), wrong r_e (W_a1),
off-curve K_aud_s, identity K_aud_s, valid-but-wrong K_aud_s, tampered
b_tilde_aud_s (W_a4). Closes the under-funded-withdrawal + tampered-
ciphertext criteria from issue #705.
VK extracted via `bash scripts/extract_vks.sh` after the Withdraw circuit landed in the workspace. Same UltraHonk universal-SRS pipeline as the register VK -- no new trusted-setup contribution required. The committed JSON is the integration contract with the on-chain verifier (#701); CI re-runs the extraction script and diffs against this copy.
Aligns W4 with design doc §7.5 / §2.6 / §3.4: the value domain is the SEP-41 non-negative i128 range [0, 2^127), not [0, 2^128). The circuit now uses Noir stdlib's `Field::assert_max_bit_size::<127>()` directly (the 127-bit decomposition spelled out in §2.6) instead of the lib's u128-cast helper. Doc comments for W4 and the public-input table for `a` are restated against the tighter bound and reference §3.4 for the entrypoint-level `a >= 0` check. Test boundaries retarget to 2^127 (the smallest value W4 must reject), not 2^128. Withdraw VK regenerated; constraint count drops from 130 to 92 ACIR opcodes (stdlib's assert_max_bit_size is cheaper than the u128 round-trip). The lib's `assert_range_128` primitive is now unused by Withdraw but stays in place for backwards compat -- a separate cleanup can remove it once no callers reference it.
The test previously fired W3 (commit(v_huge, R) != stale C_SPEND) before W4 ever ran, so the range check was never the load-bearing assertion. Recompute C_spend from v_huge so W3 passes and the very first W4 line (v.assert_max_bit_size::<127>()) becomes the failing constraint. rejects_a_out_of_range already isolates W4 (V is unchanged, W3 passes, W4 hits a.assert_max_bit_size::<127>() on a_huge = 2^127) so it is left as-is.
The design doc added delta_addr = 1 (§2.7), shifting every other tag up by one. Realign the lib constants, re-pin all Poseidon-derived fixtures and testdata, regenerate VKs, and fix a stale W_a5 label in the withdraw test (now W8).
Implements the RevokeOperator circuit from design doc Section 7.9: owner key ownership (V1), wrapper-bound viewing key (V2), delegation viewing key derivation (V3), opening of the on-chain allowance commitment with r_a bound to (dvk_i, sigma_a) (V4, mirrors O3), spendable balance opening (V5), range validity on v_s, v_a, and v_s + v_a (V9), new spendable commitment folding the reclaimed allowance back in (V6/V7), encrypted balance scalar (V8), non-zero ephemeral scalar (V10), and the owner-auditor channel block (V_a1-V_a5) with the two-squeeze sponge over delta_aud_s emitting both the reclaimed amount and the post-reclaim balance checkpoint (Section 8.5). The v_s + v_a sum range check is the soundness-critical line of defense against a field overflow that would let the owner mint tokens on the reclaim path; `rejects_v_sum_overflow` pins v_s = 2^127 - 1 and v_a = 1 so the individual range checks pass and the sum check is the sole guard. Tests reuse the lib's pinned (sk, wrap, sigma, sigma_a, op_i, v_s, r_s, v_a, r_e) fixtures so drift in commit / dvk_from_vk_op / derive_allow_r / sponge_squeeze_2 is caught by `revoke_operator_fixtures_match_lib` before the rest of the harness runs. Negative coverage spans every constraint (see test docstrings for the constraint-to-test mapping). Closes #709.
VK extracted via `bash scripts/extract_vks.sh` after the RevokeOperator circuit landed in the workspace. Same UltraHonk universal-SRS pipeline as the register and withdraw VKs -- no new trusted-setup contribution required. The committed JSON is the integration contract with the on-chain verifier (#701); CI re-runs the extraction script and diffs against this copy.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #732 +/- ##
=======================================
Coverage 96.71% 96.71%
=======================================
Files 67 67
Lines 6798 6798
=======================================
Hits 6575 6575
Misses 223 223 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
121 ACIR opcodes (vs withdraw's 92): the extra ~29 rows come from the delegation viewing key derivation (V3), the allowance commitment opening (V4), the second sponge squeeze for the post-reclaim balance checkpoint (V_a5), and the v_s + v_a sum range check (V9).
Contributor
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughA new Noir circuit named ChangesRevokeOperator Circuit
🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly Related PRs
Suggested Reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
…oke-operator-circuit # Conflicts: # packages/tokens/src/confidential/circuits/Nargo.toml # packages/tokens/src/confidential/circuits/constraints.baseline # packages/tokens/src/confidential/circuits/scripts/extract_vks.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements the RevokeOperator Noir circuit from design doc §7.9, closing issue #709. The circuit lets an owner reclaim a previously-allowed amount
v_afrom an operator's allowance commitmentC_aback into the owner's spendable commitmentC_spend, proves ownership of the spending key, opens both commitments, range-checks the reclaim and the resulting balance, and produces the owner-auditor visibility block (δ_aud_schannel with the two-squeeze sponge masking both the reclaimed amount and the post-reclaim balance checkpoint per §8.5).Commits
r_abound to(dvk_i, σ_a)(V4, mirrors O3), spendable balance opening (V5), range validity onv_s,v_a, andv_s + v_a(V9), new spendable commitment folding the reclaimed allowance back in (V6/V7), encrypted balance scalar (V8), non-zero ephemeral scalar (V10), and the owner-auditor channel block (V_a1–V_a5) with the two-squeeze sponge overδ_aud_semitting both the reclaimed amount and the post-reclaim balance checkpoint (§8.5).vks/revoke_operator.vk.jsonextracted viascripts/extract_vks.sh; the script now iterates overregister,withdraw, andrevoke_operator.Soundness-critical guard
The
v_s + v_arange check in V9 is the line of defense against a field overflow that would let the owner mint tokens on the reclaim path;rejects_v_sum_overflowpinsv_s = 2^127 - 1andv_a = 1so the individual range checks pass and the sum check is the sole guard.Acceptance criteria
v_s + v_aoverflow path isolated byrejects_v_sum_overflowrevoke_operator_fixtures_match_libto catch drift incommit/dvk_from_vk_op/derive_allow_r/sponge_squeeze_2before the rest of the harness runsTest plan
nargo test— revoke_operator + register + withdraw + lib all passcargo check --package stellar-tokens— Rust side unaffectedLC_ALL=C nargo info | grep '^|' | LC_ALL=C sortmatchesconstraints.baselinebash scripts/extract_vks.shregeneratesvks/register.vk.jsonandvks/withdraw.vk.jsonbyte-identical and producesvks/revoke_operator.vk.jsonCloses #709.
Summary by CodeRabbit
New Features
Tests
Chores