Barretenberg: src/barretenberg/vm2/simulation/gadgets/address_derivation.cpp Source File

#include "barretenberg/vm2/simulation/gadgets/address_derivation.hpp"


#include <cassert>


#include "barretenberg/aztec/aztec_constants.hpp"

#include "barretenberg/vm2/common/field.hpp"

#include "barretenberg/vm2/simulation/lib/contract_crypto.hpp"


namespace bb::avm2::simulation {


void AddressDerivation::assert_derivation(const AztecAddress& address, const ContractInstance& instance)

{

    // Check if we've already derived this address.

    if (cached_derivations.contains(address)) {

        // Note: it is likely safe to skip this recalculation, but if we do, then a mismatch will throw in the

        // non-cache case and return in the cache case for the same input. No events are emitted either way, so

        // circuit and tracegen behave the same. The below exists just to unify simulation behaviour (#21374).

        BB_ASSERT_EQ(address, simulation::compute_contract_address(instance), "Address derivation mismatch");

        // Already processed this address - cache hit, don't emit event.

        return;

    }


    // First time seeing this address - do the actual derivation.

    // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[SALTED_INITIALIZATION_HASH_POSEIDON2_i] in

    // address_derivation.pil.

    FF salted_initialization_hash = poseidon2.hash({ DOM_SEP__SALTED_INITIALIZATION_HASH,

                                                     instance.salt,

                                                     instance.initialization_hash,

                                                     instance.deployer,

                                                     instance.immutables_hash });


    // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[PARTIAL_ADDRESS_POSEIDON2] in

    // address_derivation.pil.

    FF partial_address =

        poseidon2.hash({ DOM_SEP__PARTIAL_ADDRESS, instance.original_contract_class_id, salted_initialization_hash });


    // incoming_viewing_key_hash is the only single-key hash computed in-circuit (see #[IVPK_M_HASH_POSEIDON2]).

    FF incoming_viewing_key_hash = poseidon2.hash({ DOM_SEP__SINGLE_PUBLIC_KEY_HASH,

                                                    instance.public_keys.incoming_viewing_key.x,

                                                    instance.public_keys.incoming_viewing_key.y });


    // public_keys_hash combines the six single-key hashes (see #[PUBLIC_KEYS_HASH_POSEIDON2_0..2]).

    FF public_keys_hash = poseidon2.hash({ DOM_SEP__PUBLIC_KEYS_HASH,

                                           instance.public_keys.nullifier_key_hash,

                                           incoming_viewing_key_hash,

                                           instance.public_keys.outgoing_viewing_key_hash,

                                           instance.public_keys.tagging_key_hash,

                                           instance.public_keys.message_signing_key_hash,

                                           instance.public_keys.fallback_key_hash });


    // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[PREADDRESS_POSEIDON2] in address_derivation.pil.

    FF preaddress = poseidon2.hash({ DOM_SEP__CONTRACT_ADDRESS_V2, public_keys_hash, partial_address });


    // Note: the below ecc calls assume points are on the curve. We know preaddress_public_key is (by definition),

    // but it may be possible that incoming_viewing_key is not.

    // The circuit enforces that the point is on the curve to meet ecc's precondition and we replicate this here.

    BB_ASSERT(instance.public_keys.incoming_viewing_key.on_curve(),

              "Incoming viewing key is not on the curve when asserting contract address derivation");


    // Emits ScalarMulEvent and EccAddEvents, see #[PREADDRESS_SCALAR_MUL] in address_derivation.pil.

    EmbeddedCurvePoint preaddress_public_key = ecc.scalar_mul(EmbeddedCurvePoint::one(), preaddress);

    // Emits EccAddEvent, see #[ADDRESS_ECADD] in address_derivation.pil.

    EmbeddedCurvePoint address_point = ecc.add(preaddress_public_key, instance.public_keys.incoming_viewing_key);


    // This will throw an unexpected exception if it fails. If we have reached this point,

    // the contract instance retrieval should have enforced this.

    BB_ASSERT_EQ(address, address_point.x(), "Address derivation mismatch");


    // Cache this derivation so we don't repeat it

    cached_derivations.insert(address);


    // Emits AddressDerivationEvent.

    events.emit({

        .address = address,

        .instance = instance,

        .salted_initialization_hash = salted_initialization_hash,

        .partial_address = partial_address,

        .incoming_viewing_key_hash = incoming_viewing_key_hash,

        .public_keys_hash = public_keys_hash,

        .preaddress = preaddress,

        .preaddress_public_key = preaddress_public_key,

        .address_point = address_point,

    });

}


} // namespace bb::avm2::simulation

BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83

instance
std::shared_ptr< Napi::ThreadSafeFunction > instance
Definition avm_simulate_napi.cpp:128

aztec_constants.hpp

DOM_SEP__SALTED_INITIALIZATION_HASH
#define DOM_SEP__SALTED_INITIALIZATION_HASH
Definition aztec_constants.hpp:270

DOM_SEP__SINGLE_PUBLIC_KEY_HASH
#define DOM_SEP__SINGLE_PUBLIC_KEY_HASH
Definition aztec_constants.hpp:272

DOM_SEP__CONTRACT_ADDRESS_V2
#define DOM_SEP__CONTRACT_ADDRESS_V2
Definition aztec_constants.hpp:274

DOM_SEP__PARTIAL_ADDRESS
#define DOM_SEP__PARTIAL_ADDRESS
Definition aztec_constants.hpp:273

DOM_SEP__PUBLIC_KEYS_HASH
#define DOM_SEP__PUBLIC_KEYS_HASH
Definition aztec_constants.hpp:271

bb::avm2::StandardAffinePoint< AvmFlavorSettings::EmbeddedCurve::AffineElement >

bb::avm2::StandardAffinePoint::x
constexpr const BaseField & x() const noexcept
Definition standard_affine_point.hpp:78

bb::avm2::StandardAffinePoint< AvmFlavorSettings::EmbeddedCurve::AffineElement >::one
static const StandardAffinePoint & one()
Definition standard_affine_point.hpp:88

bb::avm2::ecc
Definition ecc.hpp:34

bb::avm2::simulation::AddressDerivation::cached_derivations
unordered_flat_set< AztecAddress > cached_derivations
Definition address_derivation.hpp:31

bb::avm2::simulation::AddressDerivation::assert_derivation
void assert_derivation(const AztecAddress &address, const ContractInstance &instance) override
Verifies a contract instance's address derivation and emits an AddressDerivationEvent....
Definition address_derivation.cpp:34

bb::avm2::simulation::AddressDerivation::events
EventEmitterInterface< AddressDerivationEvent > & events
Definition address_derivation.hpp:26

bb::crypto::Poseidon2< crypto::Poseidon2Bn254ScalarFieldParams >

bb::crypto::Poseidon2::hash
static FF hash(const std::vector< FF > &input)
Hashes a vector of field elements.

AddressRefMutationOptions::address
@ address

contract_crypto.hpp

bb::avm2::simulation
AVM range check gadget for witness generation.
Definition address_derivation_event.hpp:6

bb::avm2::simulation::compute_contract_address
FF compute_contract_address(const ContractInstance &contract_instance)
Definition contract_crypto.cpp:94

bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10

bb::avm2::AztecAddress
FF AztecAddress
Definition aztec_types.hpp:16

address_derivation.hpp

bb::avm2::ContractInstance
Definition aztec_types.hpp:125

field.hpp