
  1. // Package common contains all the common data structures used by the
  2. // hermez-node. zk.go contains the zkSNARK inputs used to generate the proof.
  3. //nolint:deadcode,structcheck,unused
  4. package common
  5. import (
  6. "encoding/json"
  7. "math/big"
  8. "github.com/hermeznetwork/hermez-node/log"
  9. "github.com/mitchellh/mapstructure"
  10. )
// Circuit parameters.
//
// These named types only label the circuit dimensions that the ZKInputs field
// comments refer to (len: [nTx], [maxFeeTx], [nLevels + 1]). NewZKInputs takes
// parameters named nTx, maxFeeTx and nLevels of type int, which shadow these
// types inside that function.

// nTx is the absolute maximum of L1 or L2 transactions allowed.
type nTx uint32

// nLevels is the merkle tree depth.
type nLevels uint32

// maxL1Tx is the absolute maximum of L1 transactions allowed.
type maxL1Tx uint32

// maxFeeTx is the absolute maximum of fee transactions allowed.
type maxFeeTx uint32
// ZKInputs represents the inputs that will be used to generate the zkSNARK
// proof.
//
// Every value is held as a *big.Int (or a slice/array of them). The trailing
// comment on each field gives the intended value type and, for slices, the
// expected length in terms of the circuit parameters nTx, maxFeeTx and
// nLevels. The `json` tag is the key under which MarshalJSON emits the field.
//
// NOTE(review): the widths in the trailing comments (uint16, max 40 bits, ...)
// are annotations only. The fields are arbitrary-precision *big.Int, so
// nothing in this struct rejects an out-of-range value; confirm that range
// checks happen where the inputs are filled or inside the circuit.
type ZKInputs struct {
	//
	// General
	//

	// inputs for final `hashGlobalInputs`

	// OldLastIdx is the last index assigned to an account
	OldLastIdx *big.Int `json:"oldLastIdx"` // uint64 (max nLevels bits)
	// OldStateRoot is the current state merkle tree root
	OldStateRoot *big.Int `json:"oldStateRoot"` // Hash
	// GlobalChainID is the blockchain ID (0 for Ethereum mainnet). This value
	// can be obtained from the smart contract.
	GlobalChainID *big.Int `json:"globalChainID"` // uint16
	// FeeIdxs is an array of merkle tree indexes where the coordinator will
	// receive the accumulated fees
	FeeIdxs []*big.Int `json:"feeIdxs"` // uint64 (max nLevels bits), len: [maxFeeTx]

	// accumulate fees

	// FeePlanTokens contains all the tokenIDs for which the fees are being
	// accumulated
	FeePlanTokens []*big.Int `json:"feePlanTokens"` // uint32 (max 32 bits), len: [maxFeeTx]

	//
	// Txs (L1&L2)
	//

	// transaction L1-L2

	// TxCompressedData
	TxCompressedData []*big.Int `json:"txCompressedData"` // big.Int (max 251 bits), len: [nTx]
	// TxCompressedDataV2, only used in L2Txs, in L1Txs is set to 0
	TxCompressedDataV2 []*big.Int `json:"txCompressedDataV2"` // big.Int (max 193 bits), len: [nTx]
	// FromIdx
	FromIdx []*big.Int `json:"fromIdx"` // uint64 (max nLevels bits), len: [nTx]
	// AuxFromIdx is the Idx of the newly created account, which is the
	// consequence of a L1CreateAccountTx
	AuxFromIdx []*big.Int `json:"auxFromIdx"` // uint64 (max nLevels bits), len: [nTx]
	// ToIdx
	ToIdx []*big.Int `json:"toIdx"` // uint64 (max nLevels bits), len: [nTx]
	// AuxToIdx is the Idx of the Tx that has 'toIdx==0'; it is the coordinator
	// who will find which Idx corresponds to the 'toBJJAy' or 'toEthAddr'
	AuxToIdx []*big.Int `json:"auxToIdx"` // uint64 (max nLevels bits), len: [nTx]
	// ToBJJAy
	ToBJJAy []*big.Int `json:"toBjjAy"` // big.Int, len: [nTx]
	// ToEthAddr
	ToEthAddr []*big.Int `json:"toEthAddr"` // ethCommon.Address, len: [nTx]
	// OnChain determines if the tx is L1 (1/true) or L2 (0/false)
	OnChain []*big.Int `json:"onChain"` // bool, len: [nTx]

	//
	// Txs/L1Txs
	//

	// NewAccount is a boolean (0/1) flag, set 'true' when the L1 tx creates a
	// new account (fromIdx==0)
	NewAccount []*big.Int `json:"newAccount"` // bool, len: [nTx]
	// LoadAmountF encoded as float16
	LoadAmountF []*big.Int `json:"loadAmountF"` // uint16, len: [nTx]
	// FromEthAddr
	FromEthAddr []*big.Int `json:"fromEthAddr"` // ethCommon.Address, len: [nTx]
	// FromBJJCompressed is boolean encoded: each of the 256 entries per tx is
	// a *big.Int holding one boolean value
	FromBJJCompressed [][256]*big.Int `json:"fromBjjCompressed"` // bool array, len: [nTx][256]

	//
	// Txs/L2Txs
	//

	// RqOffset is the relative position of the transaction to be linked. Used
	// to perform atomic transactions.
	RqOffset []*big.Int `json:"rqOffset"` // uint8 (max 3 bits), len: [nTx]

	// transaction L2 request data

	// RqTxCompressedDataV2
	// NOTE(review): annotated as max 251 bits while TxCompressedDataV2 is
	// annotated as max 193 bits; confirm which bound applies here.
	RqTxCompressedDataV2 []*big.Int `json:"rqTxCompressedDataV2"` // big.Int (max 251 bits), len: [nTx]
	// RqToEthAddr
	RqToEthAddr []*big.Int `json:"rqToEthAddr"` // ethCommon.Address, len: [nTx]
	// RqToBJJAy
	RqToBJJAy []*big.Int `json:"rqToBjjAy"` // big.Int, len: [nTx]

	// transaction L2 signature

	// S
	S []*big.Int `json:"s"` // big.Int, len: [nTx]
	// R8x
	R8x []*big.Int `json:"r8x"` // big.Int, len: [nTx]
	// R8y
	R8y []*big.Int `json:"r8y"` // big.Int, len: [nTx]

	//
	// State MerkleTree Leafs transitions
	//

	// state 1, value of the sender (from) account leaf
	TokenID1 []*big.Int `json:"tokenID1"` // uint32, len: [nTx]
	Nonce1 []*big.Int `json:"nonce1"` // uint64 (max 40 bits), len: [nTx]
	Sign1 []*big.Int `json:"sign1"` // bool, len: [nTx]
	Ay1 []*big.Int `json:"ay1"` // big.Int, len: [nTx]
	Balance1 []*big.Int `json:"balance1"` // big.Int (max 192 bits), len: [nTx]
	EthAddr1 []*big.Int `json:"ethAddr1"` // ethCommon.Address, len: [nTx]
	Siblings1 [][]*big.Int `json:"siblings1"` // big.Int, len: [nTx][nLevels + 1]
	// Required for inserts and deletes, values of the CircomProcessorProof
	// (smt insert proof)
	IsOld0_1 []*big.Int `json:"isOld0_1"` // bool, len: [nTx]
	OldKey1 []*big.Int `json:"oldKey1"` // uint64 (max 40 bits), len: [nTx]
	OldValue1 []*big.Int `json:"oldValue1"` // Hash, len: [nTx]

	// state 2, value of the receiver (to) account leaf
	// if Tx is an Exit, state 2 is used for the Exit Merkle Proof
	TokenID2 []*big.Int `json:"tokenID2"` // uint32, len: [nTx]
	Nonce2 []*big.Int `json:"nonce2"` // uint64 (max 40 bits), len: [nTx]
	Sign2 []*big.Int `json:"sign2"` // bool, len: [nTx]
	Ay2 []*big.Int `json:"ay2"` // big.Int, len: [nTx]
	Balance2 []*big.Int `json:"balance2"` // big.Int (max 192 bits), len: [nTx]
	EthAddr2 []*big.Int `json:"ethAddr2"` // ethCommon.Address, len: [nTx]
	Siblings2 [][]*big.Int `json:"siblings2"` // big.Int, len: [nTx][nLevels + 1]
	// NewExit determines if an exit transaction has to create a new leaf in
	// the exit tree
	NewExit []*big.Int `json:"newExit"` // bool, len: [nTx]
	// Required for inserts and deletes, values of the CircomProcessorProof
	// (smt insert proof)
	IsOld0_2 []*big.Int `json:"isOld0_2"` // bool, len: [nTx]
	OldKey2 []*big.Int `json:"oldKey2"` // uint64 (max 40 bits), len: [nTx]
	OldValue2 []*big.Int `json:"oldValue2"` // Hash, len: [nTx]

	// state 3, value of the account leaf receiver of the Fees
	// fee tx
	// State fees
	TokenID3 []*big.Int `json:"tokenID3"` // uint32, len: [maxFeeTx]
	Nonce3 []*big.Int `json:"nonce3"` // uint64 (max 40 bits), len: [maxFeeTx]
	Sign3 []*big.Int `json:"sign3"` // bool, len: [maxFeeTx]
	Ay3 []*big.Int `json:"ay3"` // big.Int, len: [maxFeeTx]
	Balance3 []*big.Int `json:"balance3"` // big.Int (max 192 bits), len: [maxFeeTx]
	EthAddr3 []*big.Int `json:"ethAddr3"` // ethCommon.Address, len: [maxFeeTx]
	Siblings3 [][]*big.Int `json:"siblings3"` // Hash, len: [maxFeeTx][nLevels + 1]

	//
	// Intermediate States
	//

	// Intermediate States to parallelize witness computation
	// Note: the Intermediate States (IS) of the last transaction do not
	// exist. Meaning that transaction 3 (4th) will fill the parameters
	// FromIdx[3] and ISOnChain[3], but the last transaction (nTx-1) will fill
	// FromIdx[nTx-1] but will not fill ISOnChain. That's why the IS have a
	// length of nTx-1, while the other parameters have a length of nTx.
	// The last transaction does not need an intermediate state since its
	// output will not be used.
	//
	// The Go field names use the "IS" prefix while the JSON keys use "im".

	// decode-tx

	// ISOnChain indicates if tx is L1 (true) or L2 (false)
	ISOnChain []*big.Int `json:"imOnChain"` // bool, len: [nTx - 1]
	// ISOutIdx is the current account index for each Tx
	ISOutIdx []*big.Int `json:"imOutIdx"` // uint64 (max nLevels bits), len: [nTx - 1]

	// rollup-tx

	// ISStateRoot is the root at the moment of the Tx: the state root value
	// once the Tx is processed into the state tree
	ISStateRoot []*big.Int `json:"imStateRoot"` // Hash, len: [nTx - 1]
	// ISExitRoot is the root at the moment of the Tx: the value once the Tx is
	// processed into the exit tree
	ISExitRoot []*big.Int `json:"imExitRoot"` // Hash, len: [nTx - 1]
	// ISAccFeeOut holds the accumulated fees once the Tx is processed
	ISAccFeeOut [][]*big.Int `json:"imAccFeeOut"` // big.Int, len: [nTx - 1][maxFeeTx]

	// fee-tx

	// ISStateRootFee is the root at the moment of the Tx: the state root value
	// once the Tx is processed into the state tree
	ISStateRootFee []*big.Int `json:"imStateRootFee"` // Hash, len: [maxFeeTx - 1]
	// ISInitStateRootFee is the state root once all L1-L2 tx are processed
	// (before computing the fees-tx)
	ISInitStateRootFee *big.Int `json:"imInitStateRootFee"` // Hash
	// ISFinalAccFee holds the final accumulated fees (before computing the
	// fees-tx)
	ISFinalAccFee []*big.Int `json:"imFinalAccFee"` // big.Int, len: [maxFeeTx - 1]
}
// bigIntsToStrings converts a *big.Int, or one of the slice/array shapes of
// *big.Int used by ZKInputs, into a decimal string or a (nested)
// []interface{} of decimal strings. Containers are handled by recursing into
// each element.
//
// A nil *big.Int does not panic: (*big.Int).String returns the literal
// "<nil>" for it, and that string is what ends up in the result. A value of
// any other type is reported with log.Warnf and mapped to nil; the caller
// receives no error for it.
func bigIntsToStrings(v interface{}) interface{} {
	switch val := v.(type) {
	case *big.Int:
		return val.String()
	case []*big.Int:
		out := make([]interface{}, 0, len(val))
		for _, elem := range val {
			out = append(out, bigIntsToStrings(elem))
		}
		return out
	case [256]*big.Int:
		out := make([]interface{}, 0, len(val))
		for _, elem := range val {
			out = append(out, bigIntsToStrings(elem))
		}
		return out
	case [][]*big.Int:
		out := make([]interface{}, 0, len(val))
		for _, row := range val {
			out = append(out, bigIntsToStrings(row))
		}
		return out
	case [][256]*big.Int:
		out := make([]interface{}, 0, len(val))
		for _, row := range val {
			out = append(out, bigIntsToStrings(row))
		}
		return out
	default:
		// Unknown shape: warn and hand back nil rather than guessing.
		log.Warnf("bigIntsToStrings unexpected type: %T\n", v)
		return nil
	}
}
// MarshalJSON implements the json marshaler for ZKInputs. The struct is first
// decoded into a map keyed by each field's `json` tag, every value is then
// replaced by its bigIntsToStrings form, and the resulting map is marshaled.
//
// NOTE(review): bigIntsToStrings returns nil for a value type it does not
// recognise, which json.Marshal writes as null, and no error is returned here.
// Consider failing the marshal in that case so that an incomplete input set
// is never handed to proof generation.
func (z ZKInputs) MarshalJSON() ([]byte, error) {
	var fields map[string]interface{}
	cfg := &mapstructure.DecoderConfig{
		TagName: "json", // reuse the json tags as map keys
		Result:  &fields,
	}
	decoder, err := mapstructure.NewDecoder(cfg)
	if err != nil {
		return nil, err
	}
	if err := decoder.Decode(z); err != nil {
		return nil, err
	}
	// Overwriting existing keys while ranging over the map is safe in Go.
	for name := range fields {
		fields[name] = bigIntsToStrings(fields[name])
	}
	return json.Marshal(fields)
}
// NewZKInputs returns a pointer to a ZKInputs in which every *big.Int, at
// every nesting level, is allocated and set to 0. The slice lengths follow
// the circuit parameters: nTx transactions, maxFeeTx fee transactions and
// nLevels+1 siblings per merkle proof.
//
// The intermediate-state slices have length nTx-1 and maxFeeTx-1, so the
// underlying make calls panic if nTx < 1 or maxFeeTx < 1 (and likewise if
// nLevels < -1). The parameter names shadow the package-level types nTx,
// maxFeeTx and nLevels inside this function.
func NewZKInputs(nTx, maxFeeTx, nLevels int) *ZKInputs {
	nIS := nTx - 1         // intermediate states exist for all but the last tx
	nFeeIS := maxFeeTx - 1 // same for the fee transactions
	nSiblings := nLevels + 1

	// table allocates rows slices, each holding cols zero-valued big.Ints.
	table := func(rows, cols int) [][]*big.Int {
		t := make([][]*big.Int, rows)
		for r := range t {
			t[r] = newSlice(cols)
		}
		return t
	}

	inputs := &ZKInputs{
		// General
		OldLastIdx:    big.NewInt(0),
		OldStateRoot:  big.NewInt(0),
		GlobalChainID: big.NewInt(0),
		FeeIdxs:       newSlice(maxFeeTx),
		FeePlanTokens: newSlice(maxFeeTx),

		// Txs
		TxCompressedData:   newSlice(nTx),
		TxCompressedDataV2: newSlice(nTx),
		FromIdx:            newSlice(nTx),
		AuxFromIdx:         newSlice(nTx),
		ToIdx:              newSlice(nTx),
		AuxToIdx:           newSlice(nTx),
		ToBJJAy:            newSlice(nTx),
		ToEthAddr:          newSlice(nTx),
		OnChain:            newSlice(nTx),
		NewAccount:         newSlice(nTx),

		// L1
		LoadAmountF:       newSlice(nTx),
		FromEthAddr:       newSlice(nTx),
		FromBJJCompressed: make([][256]*big.Int, nTx),

		// L2
		RqOffset:             newSlice(nTx),
		RqTxCompressedDataV2: newSlice(nTx),
		RqToEthAddr:          newSlice(nTx),
		RqToBJJAy:            newSlice(nTx),
		S:                    newSlice(nTx),
		R8x:                  newSlice(nTx),
		R8y:                  newSlice(nTx),

		// State MerkleTree Leafs transitions: sender leaf
		TokenID1:  newSlice(nTx),
		Nonce1:    newSlice(nTx),
		Sign1:     newSlice(nTx),
		Ay1:       newSlice(nTx),
		Balance1:  newSlice(nTx),
		EthAddr1:  newSlice(nTx),
		Siblings1: table(nTx, nSiblings),
		IsOld0_1:  newSlice(nTx),
		OldKey1:   newSlice(nTx),
		OldValue1: newSlice(nTx),

		// receiver leaf
		TokenID2:  newSlice(nTx),
		Nonce2:    newSlice(nTx),
		Sign2:     newSlice(nTx),
		Ay2:       newSlice(nTx),
		Balance2:  newSlice(nTx),
		EthAddr2:  newSlice(nTx),
		Siblings2: table(nTx, nSiblings),
		NewExit:   newSlice(nTx),
		IsOld0_2:  newSlice(nTx),
		OldKey2:   newSlice(nTx),
		OldValue2: newSlice(nTx),

		// fee receiver leaf
		TokenID3:  newSlice(maxFeeTx),
		Nonce3:    newSlice(maxFeeTx),
		Sign3:     newSlice(maxFeeTx),
		Ay3:       newSlice(maxFeeTx),
		Balance3:  newSlice(maxFeeTx),
		EthAddr3:  newSlice(maxFeeTx),
		Siblings3: table(maxFeeTx, nSiblings),

		// Intermediate States
		ISOnChain:          newSlice(nIS),
		ISOutIdx:           newSlice(nIS),
		ISStateRoot:        newSlice(nIS),
		ISExitRoot:         newSlice(nIS),
		ISAccFeeOut:        table(nIS, maxFeeTx),
		ISStateRootFee:     newSlice(nFeeIS),
		ISInitStateRootFee: big.NewInt(0),
		ISFinalAccFee:      newSlice(nFeeIS),
	}

	// The rows are fixed-size arrays, so newSlice cannot be used for them;
	// fill each of the 256 entries in place.
	for i := range inputs.FromBJJCompressed {
		for j := range inputs.FromBJJCompressed[i] {
			inputs.FromBJJCompressed[i][j] = big.NewInt(0)
		}
	}
	return inputs
}
// newSlice returns a []*big.Int of length n in which every element is a
// freshly allocated big.Int with value 0.
//
// It is used to initialize the *big.Int slices of ZKInputs. Because every
// element starts at 0, a transaction that does not use a given parameter can
// leave it untouched, and the ZKInputs later used to generate the zkSNARK
// proof contain no 'nil'/'null' values. A negative n makes the underlying
// make call panic.
func newSlice(n int) []*big.Int {
	zeros := make([]*big.Int, n)
	for idx := range zeros {
		// One allocation per element, so entries never alias each other.
		zeros[idx] = big.NewInt(0)
	}
	return zeros
}