Confidential mint burn extension: Token program changes

libraries/pod/src/optional_keys.rs

@@ -162,6 +162,14 @@ impl From<OptionalNonZeroElGamalPubkey> for Option<PodElGamalPubkey> {
         }
     }
 }
+impl OptionalNonZeroElGamalPubkey {
+    pub fn is_none(&self) -> bool {
+        self.0 == PodElGamalPubkey::default()
+    }
+    pub fn is_some(&self) -> bool {
+        self.0 != PodElGamalPubkey::default()
+    }
+}
 
 #[cfg(feature = "serde-traits")]
 impl Serialize for OptionalNonZeroElGamalPubkey {

token/cli/src/command.rs

@@ -73,7 +73,14 @@ use {
     },
     spl_token_group_interface::state::TokenGroup,
     spl_token_metadata_interface::state::{Field, TokenMetadata},
-    std::{collections::HashMap, fmt::Display, process::exit, rc::Rc, str::FromStr, sync::Arc},
+    std::{
+        collections::HashMap,
+        fmt::Display,
+        process::exit,
+        rc::Rc,
+        str::{self, FromStr},
+        sync::Arc,
+    },
 };
 
 fn print_error_and_exit<T, E: Display>(e: E) -> T {

token/client/src/token.rs

@@ -36,6 +36,7 @@ use {
                     ApplyPendingBalanceAccountInfo, EmptyAccountAccountInfo, TransferAccountInfo,
                     WithdrawAccountInfo,
                 },
+                instruction::{ProofContextState, ZkProofData},
                 ConfidentialTransferAccount, DecryptableBalance,
             },
             confidential_transfer_fee::{
@@ -57,8 +58,6 @@ use {
             zk_elgamal_proof_program::{
                 self,
                 instruction::{close_context_state, ContextStateInfo},
-                proof_data::*,
-                state::ProofContextState,
             },
         },
         state::{Account, AccountState, Mint, Multisig},
@@ -111,6 +110,7 @@ pub enum TokenError {
     #[error("decimals specified, but incorrect")]
     InvalidDecimals,
 }
+
 impl PartialEq for TokenError {
     fn eq(&self, other: &Self) -> bool {
         match (self, other) {

token/confidential-transfer/proof-extraction/src/encryption.rs

@@ -51,6 +51,36 @@ impl PodFeeCiphertext {
 #[repr(C)]
 pub struct PodBurnAmountCiphertext(pub(crate) PodGroupedElGamalCiphertext3Handles);
 
+impl PodBurnAmountCiphertext {
+    pub fn extract_commitment(&self) -> PodPedersenCommitment {
+        self.0.extract_commitment()
+    }
+
+    pub fn try_extract_ciphertext(
+        &self,
+        index: usize,
+    ) -> Result<PodElGamalCiphertext, TokenProofExtractionError> {
+        self.0
+            .try_extract_ciphertext(index)
+            .map_err(|_| TokenProofExtractionError::CiphertextExtraction)
+    }
+}
+
 #[derive(Clone, Copy, Debug, Eq, PartialEq)]
 #[repr(C)]
 pub struct PodMintAmountCiphertext(pub(crate) PodGroupedElGamalCiphertext3Handles);
+
+impl PodMintAmountCiphertext {
+    pub fn extract_commitment(&self) -> PodPedersenCommitment {
+        self.0.extract_commitment()
+    }
+
+    pub fn try_extract_ciphertext(
+        &self,
+        index: usize,
+    ) -> Result<PodElGamalCiphertext, TokenProofExtractionError> {
+        self.0
+            .try_extract_ciphertext(index)
+            .map_err(|_| TokenProofExtractionError::CiphertextExtraction)
+    }
+}

token/confidential-transfer/proof-generation/src/errors.rs

@@ -10,4 +10,6 @@ pub enum TokenProofGenerationError {
     IllegalAmountBitLength,
     #[error("fee calculation failed")]
     FeeCalculation,
+    #[error("supply decryption failed")]
+    SupplyDecryption,
 }

token/confidential-transfer/proof-generation/src/lib.rs

@@ -10,6 +10,7 @@ pub mod burn;
 pub mod encryption;
 pub mod errors;
 pub mod mint;
+pub mod supply;
 pub mod transfer;
 pub mod transfer_with_fee;
 pub mod withdraw;

token/confidential-transfer/proof-generation/src/mint.rs

@@ -8,6 +8,7 @@ use {
             auth_encryption::{AeCiphertext, AeKey},
             elgamal::{ElGamalCiphertext, ElGamalKeypair, ElGamalPubkey},
             pedersen::Pedersen,
+            pod::auth_encryption::PodAeCiphertext,
         },
         zk_elgamal_proof_program::proof_data::{
             BatchedGroupedCiphertext3HandlesValidityProofData, BatchedRangeProofU128Data,
@@ -27,6 +28,7 @@ pub struct MintProofData {
     pub equality_proof_data: CiphertextCommitmentEqualityProofData,
     pub ciphertext_validity_proof_data: BatchedGroupedCiphertext3HandlesValidityProofData,
     pub range_proof_data: BatchedRangeProofU128Data,
+    pub new_decryptable_supply: AeCiphertext,
 }
 
 pub fn mint_split_proof_data(
@@ -77,13 +79,34 @@ pub fn mint_split_proof_data(
         )
         .ok_or(TokenProofGenerationError::IllegalAmountBitLength)?;
 
-    // decrypt the current supply
-    let current_supply = current_decryptable_supply
-        .decrypt(supply_aes_key)
-        .ok_or(TokenProofGenerationError::IllegalAmountBitLength)?;
+    // fresh mints are initialized with a zeroed decryptable_supply
+    // TODO: don't clone here once AeCiphertext implement Copy in the zk-sdk
+    let pod_decryptable_supply: PodAeCiphertext = current_decryptable_supply.clone().into();
+    let current_decyptable_supply = if pod_decryptable_supply != PodAeCiphertext::default() {
+        // decrypt the current supply
+        current_decryptable_supply
+            .decrypt(supply_aes_key)
+            .ok_or(TokenProofGenerationError::IllegalAmountBitLength)?
+    } else {
+        0
+    };
+
+    // get the difference between the supply ciphertext and the decryptable supply
+    // explanation see https://github.com/solana-labs/solana-program-library/pull/6881#issuecomment-2385579058
+    let decryptable_supply_ciphertext = supply_elgamal_keypair
+        .pubkey()
+        .encrypt(current_decyptable_supply);
+    #[allow(clippy::arithmetic_side_effects)]
+    let ct_decryptable_to_current_diff = decryptable_supply_ciphertext - current_supply_ciphertext;
+    let decryptable_to_current_diff = supply_elgamal_keypair
+        .secret()
+        .decrypt_u32(&ct_decryptable_to_current_diff)
+        .ok_or(TokenProofGenerationError::SupplyDecryption)?;
 
     // compute the new supply
-    let new_supply = current_supply
+    let new_supply = current_decyptable_supply
+        .checked_sub(decryptable_to_current_diff)
+        .ok_or(TokenProofGenerationError::IllegalAmountBitLength)?
         .checked_add(mint_amount)
         .ok_or(TokenProofGenerationError::IllegalAmountBitLength)?;
 
@@ -142,5 +165,6 @@ pub fn mint_split_proof_data(
         equality_proof_data,
         ciphertext_validity_proof_data,
         range_proof_data,
+        new_decryptable_supply: supply_aes_key.encrypt(new_supply),
     })
 }

token/confidential-transfer/proof-generation/src/supply.rs

@@ -0,0 +1,31 @@
+use {
+    crate::errors::TokenProofGenerationError,
+    solana_zk_sdk::{
+        encryption::{
+            elgamal::{ElGamalCiphertext, ElGamalKeypair},
+            pedersen::PedersenOpening,
+        },
+        zk_elgamal_proof_program::proof_data::CiphertextCiphertextEqualityProofData,
+    },
+};
+
+pub fn supply_elgamal_pubkey_rotation_proof(
+    current_supply: u64,
+    supply_elgamal_keypair: &ElGamalKeypair,
+    new_supply_elgamal_keypair: &ElGamalKeypair,
+    current_supply_ciphertext: ElGamalCiphertext,
+) -> Result<CiphertextCiphertextEqualityProofData, TokenProofGenerationError> {
+    let new_supply_opening = PedersenOpening::new_rand();
+    let new_supply_ciphertext = new_supply_elgamal_keypair
+        .pubkey()
+        .encrypt_with(current_supply, &new_supply_opening);
+
+    Ok(CiphertextCiphertextEqualityProofData::new(
+        supply_elgamal_keypair,
+        new_supply_elgamal_keypair.pubkey(),
+        &current_supply_ciphertext,
+        &new_supply_ciphertext,
+        &new_supply_opening,
+        current_supply,
+    )?)
+}

token/confidential-transfer/proof-tests/tests/proof_test.rs

@@ -223,6 +223,7 @@ fn test_mint_validity(mint_amount: u64, supply: u64) {
         equality_proof_data,
         ciphertext_validity_proof_data,
         range_proof_data,
+        new_decryptable_supply: _,
     } = mint_split_proof_data(
         &supply_ciphertext,
         &decryptable_supply,

token/program-2022/src/error.rs

@@ -258,6 +258,14 @@ pub enum TokenError {
     /// Fee calculation failed
     #[error("Fee calculation failed")]
     FeeCalculation,
+
+    //65
+    /// Withdraw / Deposit not allowed for confidential-mint-burn
+    #[error("When the confidential-mint-burn extension is enabled, mints are only allowed into the confidential balance. Likewise conversions confidential token balance to normal balance and vice versa are illegal.")]
+    IllegalMintBurnConversion,
+    /// Undecryptable supply when trying to generate confidential-mint proofs
+    #[error("Could not decrypt difference between current supply and decryptable supply when generating mint proofs")]
+    SupplyDecryption,
 }
 impl From<TokenError> for ProgramError {
     fn from(e: TokenError) -> Self {
@@ -445,6 +453,12 @@ impl PrintProgramError for TokenError {
             TokenError::FeeCalculation => {
                 msg!("Transfer fee calculation failed")
             }
+            TokenError::IllegalMintBurnConversion => {
+                msg!("Conversions from normal to confidential token balance and vice versa are illegal if the confidential-mint-burn extension is enabled")
+            }
+            TokenError::SupplyDecryption => {
+                msg!("Could not decrypt difference between current supply and decryptable supply when generating mint proofs")
+            }
         }
     }
 }
@@ -457,6 +471,7 @@ impl From<TokenProofGenerationError> for TokenError {
             TokenProofGenerationError::NotEnoughFunds => TokenError::InsufficientFunds,
             TokenProofGenerationError::IllegalAmountBitLength => TokenError::IllegalBitLength,
             TokenProofGenerationError::FeeCalculation => TokenError::FeeCalculation,
+            TokenProofGenerationError::SupplyDecryption => TokenError::SupplyDecryption,
         }
     }
 }