@@ -9,7 +9,7 @@ include "../scalar_mul.pil";
99 * during contract instance retrieval (contract_instance_retrieval.pil) in our execution flow.
1010 * The address is defined by the following flow, where the hash function H() is Poseidon2, and G1
1111 * is the Grumpkin curve's generator point:
12- * 1. salted_init_hash = H(DOM_SEP__PARTIAL_ADDRESS , salt, init_hash, deployer_addr)
12+ * 1. salted_init_hash = H(DOM_SEP__SALTED_INITIALIZATION_HASH , salt, init_hash, deployer_addr)
1313 * 2. partial_address = H(DOM_SEP__PARTIAL_ADDRESS, class_id, salted_init_hash)
1414 * 3. public_keys_hash = H(DOM_SEP__PUBLIC_KEYS_HASH,
1515 * nullifier_key_x, nullifier_key_y, nullifier_key_is_infinity,
@@ -24,10 +24,6 @@ include "../scalar_mul.pil";
2424 * curve. See the 'Hash Computations', 'Elliptic Curve Operations', and 'INTERACTIONS' sections
2525 * for details on how we enforce each step. This process follows Noir's AztecAddress::compute().
2626 *
27- * Note: DOM_SEP__PARTIAL_ADDRESS is reused for both the salted initialization hash and the partial
28- * address computations (steps 1 and 2). This cannot lead to a collision since the preimages are of
29- * different lengths, hence will have different IV values. Unfortunately, why this is the case is not
30- * documented in the protocol.
3127 *
3228 * PRECONDITIONS: The correctness of the preimage members is not constrained here and must be
3329 * enforced by the calling circuits. Like class_id_derivation, this trace can be seen
@@ -121,7 +117,7 @@ namespace address_derivation;
121117 ///////////////////////////////
122118 //
123119 // This trace constrains the result of four Poseidon2 hashes:
124- // 1. salted_init_hash = H(DOM_SEP__PARTIAL_ADDRESS , salt, init_hash, deployer_addr)
120+ // 1. salted_init_hash = H(DOM_SEP__SALTED_INITIALIZATION_HASH , salt, init_hash, deployer_addr)
125121 // 2. partial_address = H(DOM_SEP__PARTIAL_ADDRESS, class_id, salted_init_hash)
126122 // 3. public_keys_hash = H(DOM_SEP__PUBLIC_KEYS_HASH,
127123 // nullifier_key_x, nullifier_key_y, 0,
@@ -140,6 +136,8 @@ namespace address_derivation;
140136 sel * (const_four - 4) = 0;
141137 pol commit const_thirteen;
142138 sel * (const_thirteen - 13) = 0;
139+ pol commit salted_init_hash_domain_separator;
140+ sel * (salted_init_hash_domain_separator - constants.DOM_SEP__SALTED_INITIALIZATION_HASH) = 0;
143141 pol commit partial_address_domain_separator;
144142 sel * (partial_address_domain_separator - constants.DOM_SEP__PARTIAL_ADDRESS) = 0;
145143 pol commit public_keys_hash_domain_separator;
@@ -151,14 +149,14 @@ namespace address_derivation;
151149 pol commit salted_init_hash;
152150
153151 // Since Poseidon2 processes inputs in chunks of 3, we need 2 permutation rounds to cover our 4 inputs:
154- // salted_init_hash = H(DOM_SEP__PARTIAL_ADDRESS , salt, init_hash, deployer_addr)
155- // Round 1 (start, input_len=4): (DOM_SEP__PARTIAL_ADDRESS , salt, init_hash)
152+ // salted_init_hash = H(DOM_SEP__SALTED_INITIALIZATION_HASH , salt, init_hash, deployer_addr)
153+ // Round 1 (start, input_len=4): (DOM_SEP__SALTED_INITIALIZATION_HASH , salt, init_hash)
156154 // Round 2 (end): (deployer_addr, 0, 0)
157155
158156 // Enforces the first round of salted_init_hash. Note that we must lookup poseidon2_hash.input_len == 4
159157 // here since it is constrained in the poseidon trace on the start row.
160158 #[SALTED_INITIALIZATION_HASH_POSEIDON2_0]
161- sel { partial_address_domain_separator , salt, init_hash, salted_init_hash, const_four }
159+ sel { salted_init_hash_domain_separator , salt, init_hash, salted_init_hash, const_four }
162160 in poseidon2_hash.start { poseidon2_hash.input_0, poseidon2_hash.input_1, poseidon2_hash.input_2, poseidon2_hash.output, poseidon2_hash.input_len };
163161
164162 // Enforces the second and final round of salted_init_hash. Note that we must enforce the padded values are zero here.
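Review bot: The round-1 lookup on the new line 159–160 pins the separator only through `salted_init_hash_domain_separator`, which is in turn fixed to `constants.DOM_SEP__SALTED_INITIALIZATION_HASH` by the `sel`-gated constraint added in the earlier hunk; that is sound because the lookup is gated by the same `sel`, but nothing in this trace checks that the constant equals the separator Noir's `AztecAddress::compute()` uses (the header comment cites it as the reference), so a mismatch would make the circuit prove a different address than the protocol derives. I would record that dependency where the column is constrained, e.g. `// Must match the DOM_SEP__SALTED_INITIALIZATION_HASH used by Noir's AztecAddress::compute(); a divergence here silently changes every derived address.`, and back it with a cross-check test against the reference constant rather than relying on review. Since the two separators are now distinct, the deleted note's preimage-length argument is no longer needed, but one sentence saying that steps 1 and 2 use different separators by design would stop a future reader from re-merging them. Minor style point: the tuple on line 159 keeps the stray space before the comma (`salted_init_hash_domain_separator , salt`) that the old line had. The second-round lookup that the trailing comment describes lies outside this hunk, so I have not reviewed its zero-padding checks.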