forked from tokamak-network/zk-ERC20
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathzk-circuit.code
44 lines (34 loc) · 1.99 KB
/
zk-circuit.code
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
import "hashes/sha256/512bitPacked.code" as sha256packed
// https://zokrates.github.io/sha256example.html#computing-a-hash-using-zokrates
// A field value can only hold 254 bits due to the size of the underlying prime field used by zokrates. Therefore, 256 bit values need to be passed as 2 params of 128 bit values.
// https://zokrates.github.io/concepts/stdlib.html?highlight=sha256#sha256packed
// At the time of writing sha256packed takes 4 field elements as inputs, unpacks each of them to 128 bits (big endian), concatenates them and applies sha256. It then returns two field elements, each representing 128 bits of the result.
// Public inputs
// onh0 + onh1: Hash of the note (secret note)
// nn1h0 + nn1h1: Hash of the new note 1
// nn2h0 + nn1h1: Hash of the new note 2
// Private inputs
// ona + onb: secret key of the sender
// onc + ond: (256 bits) representing the value of the note to be spent
// nn1a + nn1b: public key of the receiver
// nn1c + nn1d: the value of the note to be sent
// nn2c + nn2d: leftover change
def main(field onh0, field onh1, private field ona, private field onb, private field onc, private field ond, field nn1h0, field nn1h1, private field nn1a, private field nn1b, private field nn1c, private field nn1d, field nn2h0, field nn2h1, private field nn2c, private field nn2d) -> (field):
// get public key corresponding to private key
// too complex to implement for the hackathon :p - so sending in the public key instead
field pka = ona
field pkb = onb
// old note
h = sha256packed([pka, pkb, onc, ond])
h[0] == onh0 // verify with public input (hash of the note)
h[1] == onh1
// new note 1 that goes to pkreciever
h = sha256packed([nn1a, nn1b, nn1c, nn1d])
h[0] == nn1h0
h[1] == nn1h1
// new note (left over change) that goes back to sender (pk)
h = sha256packed([pka, pkb, nn2c, nn2d])
h[0] == nn2h0
h[1] == nn2h1
ond == nn1d + nn2d // assuming the values fit in 128 bit nums - hence onc, nn1c, nn2c are 0
return 1