initial integration into private msg delivery flow and tests for constrained tags

Author: vezenovm

noir-projects/aztec-nr/aztec/src/event/event_message.nr

@@ -61,6 +61,7 @@ where
             Option::none(),
             recipient,
             delivery_mode,
+            Option::none(),
         );
     }
 }

noir-projects/aztec-nr/aztec/src/messages/delivery/constrained_delivery.nr

@@ -7,8 +7,8 @@ use crate::oracle::{call_utility_function::call_utility_function, notes::get_nex
 use crate::protocol::{
     abis::function_selector::FunctionSelector,
     address::AztecAddress,
-    constants::DOM_SEP__CONSTRAINED_MSG_NULLIFIER,
-    hash::poseidon2_hash_with_separator,
+    constants::{DOM_SEP__CONSTRAINED_MSG_LOG_TAG, DOM_SEP__CONSTRAINED_MSG_NULLIFIER},
+    hash::{compute_log_tag, poseidon2_hash, poseidon2_hash_with_separator},
     traits::{Deserialize, ToField},
 };
 
@@ -32,7 +32,8 @@ use crate::protocol::{
 ///      note.
 ///    - `index > 0`: asserts the prior nullifier
 ///      `poseidon2_hash_with_separator([sender, recipient, secret, index - 1], DOM_SEP__CONSTRAINED_MSG_NULLIFIER)`
-///      exists via [`compute_nullifier_existence_request`](crate::nullifier::utils::compute_nullifier_existence_request).
+///      exists via
+/// [`compute_nullifier_existence_request`](crate::nullifier::utils::compute_nullifier_existence_request).
 ///      The chain transitively constrains back to the index-0 `validate_handshake`. The caller is expected
 ///      to emit the matching nullifier alongside each constrained send so subsequent calls can prove the
 ///      chain.
@@ -47,9 +48,7 @@ pub fn calculate_secret_and_index(
     // Safety: the returned `Option<Field>` is untrusted and is constrained below before being returned to the
     // caller, either by performing a new handshake or by constraining the prior handshake's existence.
     let maybe_secret: Option<Field> = unsafe {
-        let selector = comptime {
-            FunctionSelector::from_signature("get_app_siloed_secret((Field),(Field),(Field))")
-        };
+        let selector = comptime { FunctionSelector::from_signature("get_app_siloed_secret((Field),(Field),(Field))") };
         let returns = call_utility_function(
             registry,
             selector,
@@ -86,23 +85,51 @@ pub fn calculate_secret_and_index(
         let index = unsafe { get_next_constrained_tagging_index(secret) };
 
         if index == 0 {
-            let selector = comptime {
-                FunctionSelector::from_signature("validate_handshake((Field),(Field),Field)")
-            };
-            let _ = context.call_private_function(
-                registry,
-                selector,
-                [sender.to_field(), recipient.to_field(), secret],
-            );
+            let selector = comptime { FunctionSelector::from_signature("validate_handshake((Field),(Field),Field)") };
+            let _ =
+                context.call_private_function(registry, selector, [sender.to_field(), recipient.to_field(), secret]);
         } else {
             let prev_nullifier = poseidon2_hash_with_separator(
                 [sender.to_field(), recipient.to_field(), secret, (index - 1) as Field],
                 DOM_SEP__CONSTRAINED_MSG_NULLIFIER,
             );
-            // TODO(F-670): exercise the index > 0 path end-to-end once send_constrained_msg emits nullifiers.
             context.assert_nullifier_exists(compute_nullifier_existence_request(prev_nullifier, caller));
         }
 
         (secret, index)
     }
 }
+
+/// Computes the constrained-delivery discovery log tag for an `(app_siloed_secret, index)` pair.
+///
+/// Collapses the secret and index into a single raw tag and domain-separates it with
+/// `DOM_SEP__CONSTRAINED_MSG_LOG_TAG`. This mirrors the recipient-side derivation in the PXE (`siloedTagFor`): the
+/// recipient recomputes the same tag to discover the message, and the protocol silos the emitted log's first field by
+/// the emitting contract address, completing the match.
+pub fn compute_constrained_log_tag(app_siloed_secret: Field, index: u32) -> Field {
+    compute_log_tag(poseidon2_hash([app_siloed_secret, index as Field]), DOM_SEP__CONSTRAINED_MSG_LOG_TAG)
+}
+
+/// Emits the per-send chain nullifier for a constrained message and returns its discovery log tag.
+///
+/// Used by [`crate::messages::delivery::do_private_message_delivery`] on the constrained-delivery path. It wraps
+/// [`calculate_secret_and_index`] to resolve the `(app_siloed_secret, index)` pair, then:
+/// 1. Emits the chain nullifier. A subsequent send at `index + 1` proves this nullifier exists, transitively constraining
+///    the chain back to the `index == 0` handshake validation in [`calculate_secret_and_index`].
+/// 2. Returns the log tag. The recipient recomputes the same tag from the handshake secret to discover the message.
+pub(crate) fn emit_nullifier_and_compute_constrained_tag(
+    context: &mut PrivateContext,
+    registry: AztecAddress,
+    sender: AztecAddress,
+    recipient: AztecAddress,
+) -> Field {
+    let (secret, index) = calculate_secret_and_index(context, registry, sender, recipient);
+
+    let nullifier = poseidon2_hash_with_separator(
+        [sender.to_field(), recipient.to_field(), secret, index as Field],
+        DOM_SEP__CONSTRAINED_MSG_NULLIFIER,
+    );
+    context.push_nullifier_unsafe(nullifier);
+
+    compute_constrained_log_tag(secret, index)
+}

noir-projects/aztec-nr/aztec/src/messages/delivery/mod.nr

@@ -46,19 +46,36 @@ impl MessageDelivery {
     }
 }
 
+/// Handshake inputs that opt a message delivery into constrained tagging.
+///
+/// Pass `Some` to [`do_private_message_delivery`] alongside [`MessageDelivery::onchain_constrained`] to derive
+/// the log tag from a handshake-registry secret and emit the per-send chain nullifier (see
+/// [`crate::messages::delivery::constrained_delivery`]). Pass `None` for the wallet-driven unconstrained tag.
+pub struct ConstrainedDelivery {
+    /// Handshake registry to resolve the app-siloed shared secret from.
+    pub registry: AztecAddress,
+    /// Account the message is sent on behalf of, bound into both the secret/index resolution and the chain nullifier.
+    pub sender: AztecAddress,
+}
+
 /// Performs private delivery of a message to `recipient` according to `delivery_mode`.
 ///
 /// The message is encoded into plaintext and then encrypted for `recipient`. This function takes a _function_ that
 /// returns the plaintext instead of taking the plaintext directly in order to not waste constraints encoding the
 /// message in scenarios where the plaintext will be encrypted with unconstrained encryption.
 ///
 /// `maybe_note_hash_counter` is only relevant for on-chain delivery modes (i.e. via protocol logs): if a newly created
-/// note hash's side effect counter is passed, then the log will be squashed alongside the note should its nullifier be
-/// emitted in the current transaction. This is typically only used for note messages: since the note will not actually
-/// be created, there is no point in delivering the message.
+/// note hash's side effect counter is passed and constrained tagging is not requested, then the log will be squashed
+/// alongside the note should its nullifier be emitted in the current transaction. Constrained-tagged logs are not tied
+/// to note squashing because recipient discovery scans those tags sequentially.
 ///
 /// `delivery_mode` must be a [`MessageDelivery`] value.
 ///
+/// `maybe_constrained_delivery` opts into constrained tagging: when `Some` (only valid with
+/// [`MessageDelivery::onchain_constrained`]) the log tag is derived from a handshake-registry secret and a chain
+/// nullifier is emitted. When `None` the wallet-driven unconstrained tag is used. Its some-ness must be a
+/// compile-time constant.
+///
 /// ## Privacy
 ///
 /// The emitted log always has the same length regardless of `MESSAGE_PLAINTEXT_LEN`, because all message ciphertexts
@@ -69,17 +86,25 @@ pub fn do_private_message_delivery<Env, let MESSAGE_PLAINTEXT_LEN: u32>(
     maybe_note_hash_counter: Option<u32>,
     recipient: AztecAddress,
     delivery_mode: MessageDelivery,
+    maybe_constrained_delivery: Option<ConstrainedDelivery>,
 ) {
     // This function relies on `delivery_mode` being a constant in order to reduce circuit constraints when
     // unconstrained usage is requested. If `delivery_mode` were a runtime value the compiler would be unable to
     // perform dead-code elimination.
     assert_constant(delivery_mode);
 
-    // The following maps out the 3 dimensions across which we configure message delivery.
+    // The following maps out the dimensions across which we configure message delivery.
     let constrained_encryption = delivery_mode == MessageDelivery::onchain_constrained();
     let deliver_as_offchain_message = delivery_mode == MessageDelivery::offchain();
-    // TODO(#14565): Add constrained tagging
-    let _constrained_tagging = delivery_mode == MessageDelivery::onchain_constrained();
+
+    // Constrained tagging is opt-in via `maybe_constrained_delivery`. Its some-ness must be a compile-time constant.
+    assert_constant(maybe_constrained_delivery.is_some());
+    let constrained_tagging = maybe_constrained_delivery.is_some();
+    if constrained_tagging {
+        // Constrained tagging requires the constrained encryption that `ONCHAIN_CONSTRAINED` selects, otherwise the
+        // sender could pair a correct tag with forge-able (unconstrained) ciphertext.
+        assert(constrained_encryption, "constrained tagging requires ONCHAIN_CONSTRAINED delivery");
+    }
 
     let contract_address = context.this_address();
 
@@ -91,20 +116,33 @@ pub fn do_private_message_delivery<Env, let MESSAGE_PLAINTEXT_LEN: u32>(
     if deliver_as_offchain_message {
         deliver_offchain_message(ciphertext, recipient);
     } else {
-        // TODO(#14565): constrained tagging is not yet implemented. Both modes currently use the unconstrained
-        // domain separator because the discovery tag always comes from an oracle. Once constrained tagging lands,
-        // this should branch on `constrained_tagging` to select the appropriate separator.
-        let discovery_tag = compute_discovery_tag(recipient);
-        let log_tag = compute_log_tag(discovery_tag, DOM_SEP__UNCONSTRAINED_MSG_LOG_TAG);
+        let log_tag = if constrained_tagging {
+            let delivery_info = maybe_constrained_delivery.unwrap_unchecked();
+            constrained_delivery::emit_nullifier_and_compute_constrained_tag(
+                context,
+                delivery_info.registry,
+                delivery_info.sender,
+                recipient,
+            )
+        } else {
+            // TODO(#14565): Thread constrained tagging through high-level note/event delivery APIs so that
+            // `ONCHAIN_CONSTRAINED` callers supply handshake info instead of taking this fallback.
+            // `ONCHAIN_UNCONSTRAINED` deliveries are expected to derive the wallet-driven tag here.
+            let discovery_tag = compute_discovery_tag(recipient);
+            compute_log_tag(discovery_tag, DOM_SEP__UNCONSTRAINED_MSG_LOG_TAG)
+        };
 
         // We forbid this value not being constant to avoid predicating the context calls below, which might result in
         // the context's arrays having unknown compile time write indices and hence dramatically increasing constraints
         // when accessing them. In practice this restriction is not a problem as we always know at compile time whether
         // we're emitting a note or non-note message.
         assert_constant(maybe_note_hash_counter.is_some());
 
+        // TODO(F-664): Add e2e coverage for constrained note delivery through kernel squashing and recipient sync.
+        let squashable_note_log = maybe_note_hash_counter.is_some() & !constrained_tagging;
+
         let log = BoundedVec::from_array(ciphertext);
-        if maybe_note_hash_counter.is_some() {
+        if squashable_note_log {
             // We associate the log with the note's side effect counter, so that if the note ends up being squashed in
             // the current transaction, the log will be removed as well.
             context.emit_raw_note_log_unsafe(log_tag, log, maybe_note_hash_counter.unwrap());

noir-projects/aztec-nr/aztec/src/messages/message_delivery.nr

@@ -1,6 +1,7 @@
 //! Compatibility wrapper for the legacy `messages::message_delivery` path.
 
 pub use crate::messages::delivery::{
+    ConstrainedDelivery,
     MessageDelivery,
     do_private_message_delivery,
 };

noir-projects/aztec-nr/aztec/src/note/note_message.nr

@@ -84,6 +84,7 @@ where
             Option::some(self.new_note.note_hash_counter),
             recipient,
             delivery_mode,
+            Option::none(),
         );
     }
 

noir-projects/aztec-nr/uint-note/src/uint_note.nr

@@ -125,6 +125,7 @@ impl UintNote {
             Option::none(),
             recipient,
             MessageDelivery::onchain_unconstrained(),
+            Option::none(),
         );
 
         let partial_note = PartialUintNote { commitment };

noir-projects/noir-contracts/contracts/app/nft_contract/src/types/nft_note.nr

@@ -121,6 +121,7 @@ impl NFTNote {
             Option::none(),
             recipient,
             MessageDelivery::onchain_unconstrained(),
+            Option::none(),
         );
 
         let partial_note = PartialNFTNote { commitment };

noir-projects/noir-contracts/contracts/test/constrained_delivery_test_contract/src/main.nr

@@ -1,4 +1,4 @@
-//! Thin wrapper around the `calculate_secret_and_index` helper for TXE tests.
+//! Thin wrappers around the constrained-delivery helpers for TXE tests.
 use aztec::macros::aztec;
 
 mod test;
@@ -7,7 +7,12 @@ mod test;
 pub contract ConstrainedDeliveryTest {
     use aztec::{
         macros::functions::external,
-        messages::delivery::constrained_delivery::calculate_secret_and_index,
+        messages::delivery::{
+            constrained_delivery::{calculate_secret_and_index, compute_constrained_log_tag},
+            ConstrainedDelivery,
+            do_private_message_delivery,
+            MessageDelivery,
+        },
         oracle::notes::get_next_constrained_tagging_index,
         protocol::address::AztecAddress,
     };
@@ -34,4 +39,29 @@ pub contract ConstrainedDeliveryTest {
         let second_index = unsafe { get_next_constrained_tagging_index(secret) };
         (secret, first_index, second_index)
     }
+
+    /// Delivers a constrained message to `recipient`: resolves `(secret, index)`, emits the chain nullifier, and
+    /// emits the encrypted log under the constrained tag. Routes through `do_private_message_delivery` with
+    /// `MessageDelivery::onchain_constrained()` and the opt-in constrained-delivery info.
+    #[external("private")]
+    fn emit(registry: AztecAddress, sender: AztecAddress, recipient: AztecAddress) {
+        let payload: [Field; 3] = [1, 2, 3];
+        do_private_message_delivery(
+            self.context,
+            || payload,
+            Option::none(),
+            recipient,
+            MessageDelivery::onchain_constrained(),
+            Option::some(ConstrainedDelivery { registry, sender }),
+        );
+    }
+
+    /// Test-only: emits a log under the constrained tag for `(secret, index)` WITHOUT the chain nullifier. This
+    /// advances the PXE's per-secret index (the recipient discovers the log by tag) while deliberately leaving the
+    /// nullifier chain broken, which drives the negative `index > 0` test.
+    #[external("private")]
+    fn emit_constrained_log_without_nullifier(secret: Field, index: u32) {
+        let log_tag = compute_constrained_log_tag(secret, index);
+        self.context.emit_private_log_unsafe(log_tag, BoundedVec::from_array([secret]));
+    }
 }

noir-projects/noir-contracts/contracts/test/constrained_delivery_test_contract/src/test.nr

@@ -1,13 +1,9 @@
-//! Tests for `calculate_secret_and_index`.
+//! Tests for the constrained-delivery sender helpers.
 //!
-//! TODO(F-670): Coverage here is limited to the bootstrap branch and the `Some(secret)` branch with `index == 0` (which
-//! constrains via `HandshakeRegistry::validate_handshake`). The `index > 0` branch of the helper is reachable
-//! only after the per-secret index has been advanced in the PXE, which requires a tx to land a private log
-//! tagged with `compute_log_tag(poseidon2_hash([secret, index]), DOM_SEP__CONSTRAINED_MSG_LOG_TAG)` AND emit
-//! the chained constrained-message nullifier. Both are produced by the forthcoming `emit_constrained_message`
-//! helper, so positive and negative `index > 0` tests live with that helper. Add
-//! `advances_index_above_zero_when_prior_message_was_emitted` and
-//! `fails_at_index_above_zero_without_prior_nullifier` alongside `emit_constrained_message`.
+//! `calculate_and_return` exercises `calculate_secret_and_index` directly; `emit` exercises the full delivery path
+//! (`do_private_message_delivery` with `ONCHAIN_CONSTRAINED`), which emits the chain nullifier and a
+//! constrained-tagged log. The `index > 0` branch of `calculate_secret_and_index` is reachable only once a
+//! constrained log has advanced the PXE's per-secret index, so the two `index > 0` tests land such a log first.
 use crate::ConstrainedDeliveryTest;
 
 use aztec::{protocol::address::AztecAddress, test::helpers::test_environment::{CallPrivateOptions, TestEnvironment}};
@@ -138,3 +134,56 @@ unconstrained fn distinct_pairs_have_independent_indexes() {
     assert_eq(index_b, 0);
     assert(secret_a != secret_b, "different recipients should yield distinct siloed secrets");
 }
+
+// After a constrained `emit` lands a tagged log and the chain nullifier in a block, the per-secret index advances in
+// the PXE. The next resolution takes the `index > 0` branch, which proves the prior (now settled) nullifier exists
+// via `compute_nullifier_existence_request`, and returns index 1.
+#[test]
+unconstrained fn advances_index_above_zero_when_prior_message_was_emitted() {
+    let (env, registry_address, test_address, sender, recipient) = setup();
+    let test_contract = ConstrainedDeliveryTest::at(test_address);
+
+    // tx1: bootstraps the handshake (index 0), emits the chain nullifier and the constrained log.
+    env.call_private_opts(
+        sender,
+        helper_options(registry_address),
+        test_contract.emit(registry_address, sender, recipient),
+    );
+
+    // tx2: the emitted log advanced the per-secret index, so resolution returns index 1 and proves the now-settled
+    // predecessor nullifier.
+    let (_secret, index) = env.call_private_opts(
+        sender,
+        helper_options(registry_address),
+        test_contract.calculate_and_return(registry_address, sender, recipient),
+    );
+
+    assert_eq(index, 1);
+}
+
+// Without a prior chain nullifier the `index > 0` branch cannot prove its predecessor. We advance the per-secret
+// index by landing a constrained-tagged log at index 0 without the nullifier, then a resolution at an index above 0
+// fails because a preceding nullifier is neither pending nor settled.
+#[test(should_fail_with = "reading an unknown nullifier")]
+unconstrained fn fails_at_index_above_zero_without_prior_nullifier() {
+    let (env, registry_address, test_address, sender, recipient) = setup();
+    let test_contract = ConstrainedDeliveryTest::at(test_address);
+    let registry = HandshakeRegistry::at(registry_address);
+
+    // Establish a handshake so resolution takes the `Some(secret)` branch. This emits no constrained nullifier.
+    let _ = env.call_private(sender, registry.non_interactive_handshake(sender, recipient));
+    let secret = env.execute_utility(registry.get_app_siloed_secret(sender, recipient, test_address)).expect(
+        f"handshake should be siloed for the test contract",
+    );
+
+    // Advance the per-secret index above 0 by landing a constrained-tagged log at index 0, deliberately skipping the
+    // chain nullifier.
+    env.call_private(sender, test_contract.emit_constrained_log_without_nullifier(secret, 0));
+
+    // Resolution now takes the `index > 0` branch and fails: the predecessor nullifier was never emitted.
+    let _ = env.call_private_opts(
+        sender,
+        helper_options(registry_address),
+        test_contract.calculate_and_return(registry_address, sender, recipient),
+    );
+}

noir-projects/noir-contracts/contracts/test/custom_message_contract/src/main.nr

@@ -163,6 +163,7 @@ contract CustomMessage {
             Option::none(),
             recipient,
             MessageDelivery::onchain_unconstrained(),
+            Option::none(),
         );
 
         // Part 1: randomness (message_id) and remaining event fields
@@ -177,6 +178,7 @@ contract CustomMessage {
             Option::none(),
             recipient,
             MessageDelivery::onchain_unconstrained(),
+            Option::none(),
         );
     }
 }