Protocol 3.5 implementation (#36)

* Changes for mcl support

* Extra info printing

* Added server mode + misc optimizations

* Changes for optimizations

* Reserve the necessary number of sha256 hashers for deposits/withdrawals

* Multi-threading fix for gcc

* Fixed problem with swapping between different sized buffers

* Fixed cli docs for pk_alt2mcl

* Initial commit protocol 3.5

* Remove label functionality

* Increased max number of tokens to 1024

* Re-enable parallel witness calculation of transfers in circuits

* Removed debug prints

Author: Brechtpd

Circuits/DepositCircuit.h

@@ -19,6 +19,8 @@ class DepositGadget : public GadgetT
 {
 public:
 
+    const Constants& constants;
+
     // User state
     BalanceGadget balanceBefore;
     AccountGadget accountBefore;
@@ -40,12 +42,14 @@ class DepositGadget : public GadgetT
 
     DepositGadget(
         ProtoboardT& pb,
-        const Constants& constants,
+        const Constants& _constants,
         const VariableT& root,
         const std::string& prefix
     ) :
         GadgetT(pb, prefix),
 
+        constants(_constants),
+
         // User state
         balanceBefore(pb, FMT(prefix, ".balanceBefore")),
         accountBefore(pb, FMT(prefix, ".accountBefore")),
@@ -117,11 +121,11 @@ class DepositGadget : public GadgetT
         updateAccount.generate_r1cs_constraints();
     }
 
-    const std::vector<VariableArrayT> getOnchainData(const Constants& constants) const
+    const std::vector<VariableArrayT> getOnchainData() const
     {
-        return {constants.padding_0000, accountID.bits,
+        return {accountID.bits,
                 publicKeyX.bits, publicKeyY.bits,
-                tokenID.bits,
+                VariableArrayT(6, constants.zero), tokenID.bits,
                 amount.bits};
     }
 
@@ -197,7 +201,7 @@ class DepositCircuit : public Circuit
             deposits.back().generate_r1cs_constraints();
 
             // Hash data from deposit
-            std::vector<VariableArrayT> depositData = deposits.back().getOnchainData(constants);
+            std::vector<VariableArrayT> depositData = deposits.back().getOnchainData();
             std::vector<VariableArrayT> hashBits;
             hashBits.push_back(reverse((j == 0) ? depositBlockHashStart.bits : hashers.back().result().bits));
             hashBits.insert(hashBits.end(), depositData.begin(), depositData.end());

Circuits/InternalTransferCircuit.h

@@ -19,6 +19,8 @@ class InternalTransferGadget : public GadgetT
 {
 public:
 
+    const Constants& constants;
+
     // User From state
     BalanceGadget balanceFBefore_From;
     BalanceGadget balanceTBefore_From;
@@ -36,7 +38,16 @@ class InternalTransferGadget : public GadgetT
     DualVariableGadget amount;
     DualVariableGadget feeTokenID;
     DualVariableGadget fee;
-    VariableT label;
+    DualVariableGadget type;
+
+    // Signature
+    Poseidon_gadget_T<9, 1, 6, 53, 8, 1> hash;
+    SignatureVerifier signatureVerifier;
+
+    // Type
+    NotGadget signatureInvalid;
+    UnsafeAddGadget numConditionalTransfersAfter;
+    RequireEqualGadget type_eq_signatureInvalid;
 
     // User To account check
     RequireNotZeroGadget publicKeyX_notZero;
@@ -68,21 +79,20 @@ class InternalTransferGadget : public GadgetT
     // Update Operator
     UpdateBalanceGadget updateBalanceF_O;
 
-    // Signature
-    Poseidon_gadget_T<10, 1, 6, 53, 9, 1> hash;
-    SignatureVerifier signatureVerifier;
-
     InternalTransferGadget(
         ProtoboardT &pb,
         const jubjub::Params& params,
-        const Constants& constants,
+        const Constants& _constants,
         const VariableT& accountsMerkleRoot,
         const VariableT& operatorBalancesRoot,
         const VariableT& blockExchangeID,
+        const VariableT& numConditionalTransfersBefore,
         const std::string &prefix
     ) :
         GadgetT(pb, prefix),
 
+        constants(_constants),
+
         // User From state
         balanceFBefore_From(pb, FMT(prefix, "balanceFBefore_From")),
         balanceTBefore_From(pb, FMT(prefix, "balanceTBefore_From")),
@@ -100,7 +110,16 @@ class InternalTransferGadget : public GadgetT
         amount(pb, NUM_BITS_AMOUNT, FMT(prefix, ".amount")),
         feeTokenID(pb, NUM_BITS_TOKEN, FMT(prefix, ".feeTokenID")),
         fee(pb, NUM_BITS_AMOUNT, FMT(prefix, ".fee")),
-        label(make_variable(pb, FMT(prefix, ".label"))),
+        type(pb, NUM_BITS_TYPE, FMT(prefix, ".type")),
+
+        // Signature
+        hash(pb, var_array({blockExchangeID, accountID_From.packed, accountID_To.packed, tokenID.packed, amount.packed, feeTokenID.packed, fee.packed, accountBefore_From.nonce}), FMT(this->annotation_prefix, ".hash")),
+        signatureVerifier(pb, params, constants, accountBefore_From.publicKey, hash.result(), FMT(prefix, ".signatureVerifier"), false),
+
+        // Type
+        signatureInvalid(pb, signatureVerifier.result(), ".signatureInvalid"),
+        numConditionalTransfersAfter(pb, numConditionalTransfersBefore, signatureInvalid.result(), ".numConditionalTransfersAfter"),
+        type_eq_signatureInvalid(pb, type.packed, signatureInvalid.result(), ".type_eq_signatureInvalid"),
 
         // User To account check
         publicKeyX_notZero(pb, accountBefore_To.publicKey.x, FMT(prefix, ".publicKeyX_notZero")),
@@ -117,8 +136,8 @@ class InternalTransferGadget : public GadgetT
         // Transfer from From to To
         transferPayment(pb, NUM_BITS_AMOUNT, balanceTBefore_From.balance, balanceTBefore_To.balance, fAmount.value(), FMT(prefix, ".transferPayment")),
 
-        // Increase the nonce of From by 1
-        nonce_From_after(pb, accountBefore_From.nonce, constants.one, NUM_BITS_NONCE, FMT(prefix, ".nonce_From_after")),
+        // Increase the nonce of From by 1 (unless it's a conditional transfer)
+        nonce_From_after(pb, accountBefore_From.nonce, signatureVerifier.result(), NUM_BITS_NONCE, FMT(prefix, ".nonce_From_after")),
 
         // Update User From
         updateBalanceF_From(pb, accountBefore_From.balancesRoot, feeTokenID.bits,
@@ -148,11 +167,7 @@ class InternalTransferGadget : public GadgetT
         updateBalanceF_O(pb, operatorBalancesRoot, feeTokenID.bits,
                          {balanceBefore_O.balance, balanceBefore_O.tradingHistory},
                          {feePayment.Y, balanceBefore_O.tradingHistory},
-                         FMT(prefix, ".updateBalanceF_O")),
-
-        // Signature
-        hash(pb, var_array({blockExchangeID, accountID_From.packed, accountID_To.packed, tokenID.packed, amount.packed, feeTokenID.packed, fee.packed, label, accountBefore_From.nonce}), FMT(this->annotation_prefix, ".hash")),
-        signatureVerifier(pb, params, accountBefore_From.publicKey, hash.result(), FMT(prefix, ".signatureVerifier"))
+                         FMT(prefix, ".updateBalanceF_O"))
     {
 
     }
@@ -176,7 +191,16 @@ class InternalTransferGadget : public GadgetT
         amount.generate_r1cs_witness(pb, transfer.amount);
         feeTokenID.generate_r1cs_witness(pb, transfer.balanceUpdateF_From.tokenID);
         fee.generate_r1cs_witness(pb, transfer.fee);
-        pb.val(label) = transfer.label;
+        type.generate_r1cs_witness(pb, transfer.type);
+
+        // Signature
+        hash.generate_r1cs_witness();
+        signatureVerifier.generate_r1cs_witness(transfer.signature);
+
+        // Type
+        signatureInvalid.generate_r1cs_witness();
+        pb.val(numConditionalTransfersAfter.sum) = transfer.numConditionalTransfersAfter;
+        type_eq_signatureInvalid.generate_r1cs_witness();
 
         // User To account check
         publicKeyX_notZero.generate_r1cs_witness();
@@ -207,10 +231,6 @@ class InternalTransferGadget : public GadgetT
 
         // Update Operator
         updateBalanceF_O.generate_r1cs_witness(transfer.balanceUpdateF_O.proof);
-
-        // Signature
-        hash.generate_r1cs_witness();
-        signatureVerifier.generate_r1cs_witness(transfer.signature);
     }
 
     void generate_r1cs_constraints()
@@ -222,7 +242,16 @@ class InternalTransferGadget : public GadgetT
         amount.generate_r1cs_constraints(true);
         feeTokenID.generate_r1cs_constraints(true);
         fee.generate_r1cs_constraints(true);
-        // label has no limit
+        type.generate_r1cs_constraints(true);
+
+        // Signature
+        hash.generate_r1cs_constraints();
+        signatureVerifier.generate_r1cs_constraints();
+
+        // Type
+        signatureInvalid.generate_r1cs_constraints();
+        numConditionalTransfersAfter.generate_r1cs_constraints();
+        type_eq_signatureInvalid.generate_r1cs_constraints();
 
         // User To account check
         publicKeyX_notZero.generate_r1cs_constraints();
@@ -254,19 +283,16 @@ class InternalTransferGadget : public GadgetT
 
         // Update Operator
         updateBalanceF_O.generate_r1cs_constraints();
-
-        // Signature
-        hash.generate_r1cs_constraints();
-        signatureVerifier.generate_r1cs_constraints();
     }
 
     const std::vector<VariableArrayT> getPublicData() const
     {
-        return {accountID_From.bits,
+        return {type.bits,
+                accountID_From.bits,
                 accountID_To.bits,
-                tokenID.bits,
+                VariableArrayT(2, constants.zero), tokenID.bits,
+                VariableArrayT(2, constants.zero), feeTokenID.bits,
                 fAmount.bits(),
-                feeTokenID.bits,
                 fFee.bits()};
     }
 
@@ -279,6 +305,11 @@ class InternalTransferGadget : public GadgetT
     {
         return updateBalanceF_O.result();
     }
+
+    const VariableT& getNewNumConditionalTransfers() const
+    {
+        return numConditionalTransfersAfter.result();
+    }
 };
 
 class InternalTransferCircuit : public Circuit
@@ -295,6 +326,7 @@ class InternalTransferCircuit : public Circuit
     DualVariableGadget exchangeID;
     DualVariableGadget merkleRootBefore;
     DualVariableGadget merkleRootAfter;
+    std::unique_ptr<libsnark::dual_variable_gadget<FieldT>> numConditionalTransfers;
     DualVariableGadget operatorAccountID;
 
     // Operator account check
@@ -308,10 +340,6 @@ class InternalTransferCircuit : public Circuit
     // Update Operator
     std::unique_ptr<UpdateAccountGadget> updateAccount_O;
 
-    // Labels
-    std::vector<VariableT> labels;
-    std::unique_ptr<LabelHasher> labelHasher;
-
     InternalTransferCircuit(ProtoboardT &pb, const std::string &prefix)
         : Circuit(pb, prefix),
 
@@ -362,9 +390,9 @@ class InternalTransferCircuit : public Circuit
                 transAccountsRoot,
                 transOperatorBalancesRoot,
                 exchangeID.packed,
+                (j == 0) ? constants.zero : transfers.back().getNewNumConditionalTransfers(),
                 std::string("transfer_") + std::to_string(j));
             transfers.back().generate_r1cs_constraints();
-            labels.push_back(transfers.back().label);
         }
 
         // Update Operator
@@ -374,18 +402,19 @@ class InternalTransferCircuit : public Circuit
             FMT(annotation_prefix, ".updateAccount_O")));
         updateAccount_O->generate_r1cs_constraints();
 
-        // Labels
-        labelHasher.reset(new LabelHasher(pb, constants, labels, FMT(annotation_prefix, ".labelHash")));
-        labelHasher->generate_r1cs_constraints();
+        // Num conditional transfers
+        numConditionalTransfers.reset(new libsnark::dual_variable_gadget<FieldT>(
+            pb, transfers.back().getNewNumConditionalTransfers(), 32, ".numConditionalTransfers")
+        );
+        numConditionalTransfers->generate_r1cs_constraints(true);
 
         // Public data
         publicData.add(exchangeID.bits);
         publicData.add(merkleRootBefore.bits);
         publicData.add(merkleRootAfter.bits);
-        publicData.add(labelHasher->result()->bits);
+        publicData.add(numConditionalTransfers->bits);
         if (onchainDataAvailability)
         {
-            publicData.add(constants.padding_0000);
             publicData.add(operatorAccountID.bits);
             for (const InternalTransferGadget& transfer : transfers)
             {
@@ -426,8 +455,8 @@ class InternalTransferCircuit : public Circuit
         // Update operator
         updateAccount_O->generate_r1cs_witness(block.accountUpdate_O.proof);
 
-        // Labels
-        labelHasher->generate_r1cs_witness();
+        // Num conditional transfers
+        numConditionalTransfers->generate_r1cs_witness_from_packed();
 
         // Public data
         publicData.generate_r1cs_witness();