AztecProtocol
diff --git a/‎docs/docs-developers/docs/aztec-nr/framework-description/authentication_witnesses.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/docs-developers/docs/aztec-nr/framework-description/authentication_witnesses.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/examples/contracts/example_uniswap/src/main.nr‎
Lines changed: 3 additions & 3 deletions b/‎docs/examples/contracts/example_uniswap/src/main.nr‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/authwit/account.nr‎
Lines changed: 1 addition & 1 deletion b/‎noir-projects/aztec-nr/aztec/src/authwit/account.nr‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎noir-projects/aztec-nr/aztec/src/authwit/auth.nr‎
Lines changed: 0 additions & 423 deletions b/‎noir-projects/aztec-nr/aztec/src/authwit/auth.nr‎
Lines changed: 0 additions & 423 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/authwit/common.nr‎
Lines changed: 183 additions & 0 deletions b/‎noir-projects/aztec-nr/aztec/src/authwit/common.nr‎
Lines changed: 183 additions & 0 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/authwit/mod.nr‎
Lines changed: 3 additions & 1 deletion b/‎noir-projects/aztec-nr/aztec/src/authwit/mod.nr‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎noir-projects/aztec-nr/aztec/src/authwit/private.nr‎
Lines changed: 117 additions & 0 deletions b/‎noir-projects/aztec-nr/aztec/src/authwit/private.nr‎
Lines changed: 117 additions & 0 deletions
@@ -21,7 +21,7 @@ The `aztec` library includes authwit functionality. Import the necessary compone
 
 ```rust
 use aztec::{
-    authwit::auth::{compute_authwit_message_hash_from_call, set_authorized},
+    authwit::{common::compute_authwit_message_hash_from_call, public::set_authorized},
     macros::functions::authorize_once,
 };
 ```
 
@@ -9,9 +9,9 @@ use aztec::macros::aztec;
 #[aztec]
 pub contract ExampleUniswap {
     use aztec::{
-        authwit::auth::{
-            assert_current_call_valid_authwit_public, compute_authwit_message_hash_from_call,
-            set_authorized,
+        authwit::{
+            common::compute_authwit_message_hash_from_call,
+            public::{assert_current_call_valid_authwit_public, set_authorized},
         },
         macros::{functions::{external, initializer, only_self}, storage::storage},
         protocol::{
 
@@ -2,7 +2,7 @@ use crate::context::PrivateContext;
 
 use crate::protocol::{constants::DOM_SEP__TX_NULLIFIER, hash::poseidon2_hash_with_separator, traits::Hash};
 
-use crate::authwit::auth::{compute_authwit_message_hash, IS_VALID_SELECTOR};
+use crate::authwit::common::{compute_authwit_message_hash, IS_VALID_SELECTOR};
 use crate::authwit::entrypoint::app::AppPayload;
 
 pub struct AccountActions<Context> {
 
@@ -0,0 +1,183 @@
+use crate::{
+    authwit::{authorization_interface::AuthorizationInterface, AuthorizationSelector},
+    hash::hash_args,
+    macros::authorization::authorization,
+    oracle::{execution_cache::load, offchain_effect::emit_offchain_effect},
+};
+use crate::protocol::{
+    abis::function_selector::FunctionSelector,
+    address::AztecAddress,
+    constants::{DOM_SEP__AUTHWIT_INNER, DOM_SEP__AUTHWIT_NULLIFIER, DOM_SEP__AUTHWIT_OUTER},
+    hash::poseidon2_hash_with_separator,
+    traits::{Serialize, ToField},
+};
+
+/// Authentication witness helper library
+///
+/// Authentication Witness is a scheme for authenticating actions on Aztec, so users can allow third-parties (e.g.
+/// protocols or other users) to execute an action on their behalf.
+///
+/// This library provides helper functions to manage such witnesses. The authentication witness, is some "witness"
+/// (data) that authenticates a `message_hash`. The simplest example of an authentication witness, is a signature. The
+/// signature is the "evidence", that the signer has seen the message, agrees with it, and has allowed it. It does not
+/// need to be a signature. It could be any kind of "proof" that the message is allowed. Another proof could be knowing
+/// some kind of secret, or having some kind of "token" that allows the message.
+///
+/// The `message_hash` is a hash of the following structure: hash(consumer, chain_id, version, inner_hash)
+/// - consumer: the address of the contract that is "consuming" the message,
+/// - chain_id: the chain id of the chain that the message is being consumed on,
+/// - version: the version of the chain that the message is being consumed on,
+/// - inner_hash: the hash of the "inner" message that is being consumed, this is the "actual" message or action.
+///
+/// While the `inner_hash` could be anything, such as showing you signed a specific message, it will often be a hash of
+/// the "action" to approve, along with who made the call. As part of this library, we provide a few helper functions
+/// to deal with such messages.
+///
+/// For example, we provide helper function that is used for checking that the message is an encoding of the current
+/// call. This can be used to let some contract "allow" another contract to act on its behalf, as long as it can show
+/// that it is acting on behalf of the contract.
+///
+/// If we take a case of allowing a contract to transfer tokens on behalf of an account, the `inner_hash` can be
+/// derived as: inner_hash = hash(caller, "transfer", hash(to, amount))
+///
+/// Where the `caller` would be the address of the contract that is trying to transfer the tokens, and `to` and
+/// `amount` the arguments for the transfer.
+///
+/// Note that we have both a `caller` and a `consumer`, the `consumer` will be the contract that is consuming the
+/// message, in the case of the transfer, it would be the `Token` contract itself, while the caller, will be the actor
+/// that is allowed to transfer the tokens.
+///
+/// The authentication mechanism works differently in public and private contexts. In private, we recall that
+/// everything is executed on the user's device, so we can use `oracles` to "ask" the user (not contract) for
+/// information. In public we cannot do this, since it is executed by the sequencer (someone else). Therefore we can
+/// instead use a "registry" to store the messages that we have approved. See `authwit::private` and `authwit::public`
+/// for the corresponding flow-specific helpers; the symbols defined here are address-independent crypto utilities
+/// shared by both paths.
+///
+/// --- FAQ ---
+/// Q:   Why are we using a success flag of `poseidon2_hash_bytes("IS_VALID()")` instead of just returning a boolean?
+/// A:   We want to make sure that we don't accidentally return `true` if there is a collision in the function
+/// selector. By returning a hash of `IS_VALID()`, it becomes very unlikely that there is both a collision and we
+/// return a success flag.
+///
+/// Q:   Why are we using static calls?
+/// A:   We are using static calls to ensure that the account contract cannot re-enter. If it was a normal call, it
+/// could make a new call and do a re-entry attack. Using a static ensures that it cannot update any state.
+///
+/// Q:   Would it not be cheaper to use a nullifier instead of updating state in public?
+/// A:   At a quick glance, a public state update + nullifier is 96 bytes, but two state updates are 128, so it would
+/// be cheaper to use a nullifier, if this is the way it would always be done. However, if both the approval and the
+/// consumption is done in the same transaction, then we will be able to squash the updates (only final tx state diff
+/// is posted to DA), and now it is cheaper.
+///
+/// Q:   Why is the chain id and the version part of the message hash?
+/// A:   The chain id and the version is part of the message hash to ensure that the message is only valid on a
+/// specific chain to avoid a case where the same message could be used across multiple chains.
+
+pub global IS_VALID_SELECTOR: Field = 0x47dacd73; // 4 last bytes of
+// poseidon2_hash_bytes("IS_VALID()")
+
+/// A struct that represents a contract call the user can authorize. It's associated identifier is generated by
+/// serializing and hashing it. The user is expected to sign this hash to signal the contract call can be performed on
+/// their behalf
+#[authorization]
+pub struct CallAuthorization {
+    pub msg_sender: AztecAddress,
+    pub selector: FunctionSelector,
+    pub args_hash: Field,
+}
+
+/// A struct that represents a request to authorize a call, which is used to emit an offchain effect so the user/wallet
+/// can understand what they are being asked to sign. It is generated from a CallAuthorization by adding metadata to
+/// it, such as the selector for the authorization, the inner hash, and the actual arguments that are being passed to
+/// the function call.
+#[derive(Serialize)]
+pub struct CallAuthorizationRequest {
+    pub selector: AuthorizationSelector,
+    pub inner_hash: Field,
+    pub on_behalf_of: AztecAddress,
+    pub msg_sender: AztecAddress,
+    pub fn_selector: FunctionSelector,
+    pub args_hash: Field,
+}
+
+pub(crate) unconstrained fn emit_authorization_as_offchain_effect<let N: u32>(
+    authorization: CallAuthorization,
+    inner_hash: Field,
+    on_behalf_of: AztecAddress,
+) {
+    let args: [Field; N] = load(authorization.args_hash);
+    let authorization_request = CallAuthorizationRequest {
+        selector: authorization.get_authorization_selector(),
+        inner_hash: inner_hash,
+        on_behalf_of: on_behalf_of,
+        msg_sender: authorization.msg_sender,
+        fn_selector: authorization.selector,
+        args_hash: authorization.args_hash,
+    };
+    emit_offchain_effect(authorization_request.serialize().concat(args))
+}
+
+/// Compute the `message_hash` from a function call to be used by an authentication witness
+///
+/// Useful for when you need a non-account contract to approve during execution. For example if you need a contract to
+/// make a call to nested contract, e.g., contract A wants to exit token T to L1 using bridge B, so it needs to allow B
+/// to transfer T on its behalf.
+///
+/// @param caller The address of the contract that is calling the function, in the example above, this would be B
+/// @param consumer The address of the contract that is consuming the message, in the example above, this would be T
+/// @param chain_id The chain id of the chain that the message is being consumed on @param version The version of the
+/// chain that the message is being consumed on @param selector The function selector of the function that is being
+/// called @param args The arguments of the function that is being called
+pub fn compute_authwit_message_hash_from_call<let N: u32>(
+    caller: AztecAddress,
+    consumer: AztecAddress,
+    chain_id: Field,
+    version: Field,
+    selector: FunctionSelector,
+    args: [Field; N],
+) -> Field {
+    let args_hash = hash_args(args);
+    let inner_hash = compute_inner_authwit_hash([caller.to_field(), selector.to_field(), args_hash]);
+    compute_authwit_message_hash(consumer, chain_id, version, inner_hash)
+}
+
+/// Computes the `inner_hash` of the authentication witness
+///
+/// This is used internally, but also useful in cases where you want to compute the `inner_hash` for a specific message
+/// that is not necessarily a call, but just some "bytes" or text.
+///
+/// @param args The arguments to hash
+pub fn compute_inner_authwit_hash<let N: u32>(args: [Field; N]) -> Field {
+    poseidon2_hash_with_separator(args, DOM_SEP__AUTHWIT_INNER)
+}
+
+/// Computes the `authwit_nullifier` for a specific `on_behalf_of` and `inner_hash`
+///
+/// Using the `on_behalf_of` and the `inner_hash` to ensure that the nullifier is siloed for a specific `on_behalf_of`.
+///
+/// @param on_behalf_of The address that has authorized the `inner_hash` @param inner_hash The hash of the message to
+/// authorize
+pub fn compute_authwit_nullifier(on_behalf_of: AztecAddress, inner_hash: Field) -> Field {
+    poseidon2_hash_with_separator(
+        [on_behalf_of.to_field(), inner_hash],
+        DOM_SEP__AUTHWIT_NULLIFIER,
+    )
+}
+
+/// Computes the `message_hash` for the authentication witness
+///
+/// @param consumer The address of the contract that is consuming the message @param chain_id The chain id of the chain
+/// that the message is being consumed on @param version The version of the chain that the message is being consumed on
+/// @param inner_hash The hash of the "inner" message that is being consumed
+pub fn compute_authwit_message_hash(
+    consumer: AztecAddress,
+    chain_id: Field,
+    version: Field,
+    inner_hash: Field,
+) -> Field {
+    poseidon2_hash_with_separator(
+        [consumer.to_field(), chain_id, version, inner_hash],
+        DOM_SEP__AUTHWIT_OUTER,
+    )
+}
@@ -4,5 +4,7 @@ pub mod account;
 pub mod authorization_interface;
 mod authorization_selector;
 pub use authorization_selector::AuthorizationSelector;
-pub mod auth;
+pub mod common;
+pub mod private;
+pub mod public;
 pub mod entrypoint;
@@ -0,0 +1,117 @@
+use crate::{
+    authwit::common::{
+        CallAuthorization, compute_authwit_nullifier, compute_inner_authwit_hash, emit_authorization_as_offchain_effect,
+        IS_VALID_SELECTOR,
+    },
+    context::PrivateContext,
+};
+use crate::protocol::{abis::function_selector::FunctionSelector, address::AztecAddress, traits::Serialize};
+
+/// Private-flow authwit helpers.
+///
+/// Say that a user `Alice` wants to deposit some tokens into a DeFi protocol (say a DEX). `Alice` would make a
+/// `deposit` transaction, that she is executing using her account contract. The account would call the `DeFi`
+/// contract to execute `deposit`, which would try to pull funds from the `Token` contract. Since the `DeFi` contract
+/// is trying to pull funds from an account that is not its own, it needs to convince the `Token` contract that it is
+/// allowed to do so.
+///
+/// This is where the authentication witness comes in. The `Token` contract computes a `message_hash` from the
+/// `transfer` call, and then asks `Alice Account` contract to verify that the `DeFi` contract is allowed to execute
+/// that call.
+///
+/// `Alice Account` contract can then ask `Alice` if she wants to allow the `DeFi` contract to pull funds from her
+/// account. If she does, she will sign the `message_hash` and return the signature to the `Alice Account` which will
+/// validate it and return success to the `Token` contract which will then allow the `DeFi` contract to pull funds
+/// from `Alice`.
+///
+/// To ensure that the same "approval" cannot be used multiple times, we also compute a `nullifier` for the
+/// authentication witness, and emit it from the `Token` contract (consumer).
+///
+/// Note that we can do this flow as we are in private where we can do oracle calls out from contracts.
+///
+///  Person          Contract              Contract               Contract
+///  Alice          Alice Account          Token                   DeFi
+///   |                  |                  |                      |
+///   | Defi.deposit(Token, 1000)           |                      |
+///   |----------------->|                  |                      |
+///   |                  | deposit(Token, 1000)                    |
+///   |                  |---------------------------------------->|
+///   |                  |                  |                      |
+///   |                  |                  | transfer(Alice, Defi, 1000)
+///   |                  |                  |<---------------------|
+///   |                  |                  |                      |
+///   |                  | Check if Defi may call transfer(Alice, Defi, 1000)
+///   |                  |<-----------------|                      |
+///   |                  |                  |                      |
+///   | Please give me AuthWit for DeFi     |                      |
+///   | calling transfer(Alice, Defi, 1000) |                      |
+///   |<-----------------|                  |                      |
+///   |                  |                  |                      |
+///   |                  |                  |                      |
+///   | AuthWit for transfer(Alice, Defi, 1000)                    |
+///   |----------------->|                  |                      |
+///   |                  | AuthWit validity |                      |
+///   |                  |----------------->|                      |
+///   |                  |                  |                      |
+///   |                  |       throw if invalid AuthWit          |
+///   |                  |                  |                      |
+///   |                  |       emit AuthWit nullifier            |
+///   |                  |                  |                      |
+///   |                  |       transfer(Alice, Defi, 1000)       |
+///   |                  |                  |                      |
+///   |                  |                  |                      |
+///   |                  |                  | success              |
+///   |                  |                  |--------------------->|
+///   |                  |                  |                      |
+///   |                  |                  |                      |
+///   |                  |                  |           deposit(Token, 1000)
+///   |                  |                  |                      |
+
+/// Assert that `on_behalf_of` has authorized the current call with a valid authentication witness
+///
+/// Compute the `inner_hash` using the `msg_sender`, `selector` and `args_hash` and then make a call out to the
+/// `on_behalf_of` contract to verify that the `inner_hash` is valid.
+///
+/// Additionally, this function emits the identifying information of the call as an offchain effect so PXE can rely the
+/// information to the user/wallet in a readable way. To that effect, it is generic over N, where N is the number of
+/// arguments the authorized functions takes. This is used to load the arguments from the execution cache. This
+/// function is intended to be called via a macro, which will use the turbofish operator to specify the number of
+/// arguments.
+///
+/// @param on_behalf_of The address that has allegedly authorized the current call
+pub fn assert_current_call_valid_authwit<let N: u32>(context: &mut PrivateContext, on_behalf_of: AztecAddress) {
+    let args_hash: Field = context.get_args_hash();
+
+    let authorization =
+        CallAuthorization { msg_sender: context.maybe_msg_sender().unwrap(), selector: context.selector(), args_hash };
+    let inner_hash = compute_inner_authwit_hash(authorization.serialize());
+    // Safety: Offchain effects are by definition unconstrained. They are emitted via an oracle which we don't use for
+    // anything besides its side effects, therefore this is safe to call.
+    unsafe { emit_authorization_as_offchain_effect::<N>(authorization, inner_hash, on_behalf_of) };
+
+    assert_inner_hash_valid_authwit(context, on_behalf_of, inner_hash);
+}
+
+/// Assert that a specific `inner_hash` is valid for the `on_behalf_of` address
+///
+/// Used as an internal function for `assert_current_call_valid_authwit` and can be used as a standalone function when
+/// the `inner_hash` is from a different source, e.g., say a block of text etc.
+///
+/// @param on_behalf_of The address that has allegedly authorized the current call @param inner_hash The hash of the
+/// message to authorize
+pub fn assert_inner_hash_valid_authwit(context: &mut PrivateContext, on_behalf_of: AztecAddress, inner_hash: Field) {
+    // We perform a static call here and not a standard one to ensure that the account contract cannot re-enter.
+    let result: Field = context
+        .static_call_private_function(
+            on_behalf_of,
+            comptime { FunctionSelector::from_signature("verify_private_authwit(Field)") },
+            [inner_hash],
+        )
+        .get_preimage();
+    assert(result == IS_VALID_SELECTOR, "Message not authorized by account");
+    // Compute the nullifier, similar computation to the outer hash, but without the chain_id and version. Those should
+    // already be handled in the verification, so we just need something to nullify, that allows the same inner_hash
+    // for multiple actors.
+    let nullifier = compute_authwit_nullifier(on_behalf_of, inner_hash);
+    context.push_nullifier(nullifier);
+}