chore: backport handshake registry contract (#22854) to v4-next (#23063)

Cherry-picks #22854 (`feat(aztec-nr): Initial handshake registry
contract with non interactive handshake function`) to
`backport-to-v4-next-staging`.

## Conflict resolution

The only conflict was in
`noir-projects/noir-protocol-circuits/crates/types/src/constants_tests.nr`.
`next` has accumulated a number of new merkle/partial-note dom seps
(`DOM_SEP__MERKLE_HASH`, `DOM_SEP__NULLIFIER_MERKLE`,
`DOM_SEP__PARTIAL_NOTE_COMMITMENT`, `DOM_SEP__PUBLIC_DATA_MERKLE`) that
don't exist on `v4-next`, so the upstream version of this file imports
symbols that aren't defined here.

Resolution: drop the imports/assertions for those non-existent
constants, but keep the two new ones added by this PR
(`DOM_SEP__HANDSHAKE_SECRET_HASH`,
`DOM_SEP__NON_INTERACTIVE_HANDSHAKE_LOG_TAG`). `HashedValueTester` sized
`<58, 51>` = v4-next baseline `<56, 49>` plus the two new dom seps.

Validated:
- Imports list matches the symbols actually referenced inside
`hashed_values_match_derived` (no orphan imports / no missing imports).
- Assertion counts inside the test match the tester generics: `48`
`assert_dom_sep_matches_derived` + `3`
`assert_blob_prefixes_match_derived` = 51 u32 values; plus `1`
protocol-circuit value + `6` aztec-nr values = 58 total field values.
- All aztec-nr APIs the new contract uses (`derive_ecdh_shared_secret`,
`generate_positive_ephemeral_key_pair`, `set_sender_for_tags`,
`compute_log_tag`, `MessageDelivery.ONCHAIN_UNCONSTRAINED`, `Owned`,
`emit_private_log_vec_unsafe`, `to_address_point`,
`compute_siloed_private_log_first_field`,
`poseidon2_hash_with_separator`) exist on `v4-next` — the contract uses
the `aztec::protocol` re-export of `protocol_types`.

## Commit structure

Per the backport convention, history is preserved as:
1. Cherry-pick with conflicts (markers in tree, recorded in history).
2. Conflict resolution commit (this PR's tip).

No separate build-fixes commit was needed — the conflict was
metadata-only.

## Build verification

The container does not ship a prebuilt `nargo`, and Docker is
unavailable, so `noir-contracts/bootstrap.sh` cannot run locally.
Relying on CI for end-to-end build validation.

Original PR: #22854

ClaudeBox log: https://claudebox.work/s/096af9ddd4f770c8?run=4

Author: vezenovm

noir-projects/noir-contracts/Nargo.toml

@@ -26,6 +26,7 @@ members = [
     "contracts/app/simple_token_contract",
     "contracts/fees/fpc_contract",
     "contracts/fees/sponsored_fpc_contract",
+    "contracts/message_discovery/handshake_registry_contract",
     "contracts/protocol/auth_registry_contract",
     "contracts/protocol/contract_class_registry_contract",
     "contracts/protocol/contract_instance_registry_contract",

noir-projects/noir-contracts/contracts/message_discovery/handshake_registry_contract/Nargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "handshake_registry_contract"
+authors = [""]
+compiler_version = ">=0.25.0"
+type = "contract"
+
+[dependencies]
+aztec = { path = "../../../../aztec-nr/aztec" }

noir-projects/noir-contracts/contracts/message_discovery/handshake_registry_contract/src/handshake_note.nr

@@ -0,0 +1,43 @@
+use aztec::{
+    macros::notes::note,
+    protocol::{
+        address::AztecAddress,
+        constants::DOM_SEP__HANDSHAKE_SECRET_HASH,
+        hash::poseidon2_hash_with_separator,
+        point::Point,
+        traits::{Deserialize, Packable, Serialize},
+    },
+};
+
+/// A record of a handshake established by the note's owner (the sender).
+///
+/// Stored in [`crate::HandshakeRegistry`]'s `handshakes` set. Holds the **hash** of the master shared secret.
+/// A contract that wants to use this handshake will later prove the note's existence and
+/// use the kernel key-validation mechanism to derive its own app-siloed secret from the master, so
+/// the master is never exposed to dependent contracts.
+#[derive(Deserialize, Eq, Packable, Serialize)]
+#[note]
+pub struct HandshakeNote {
+    /// Hash of the master shared secret: `poseidon2_hash_with_separator([S.x, S.y], DOM_SEP__HANDSHAKE_SECRET_HASH)`
+    /// over the raw ECDH point `S = eph_sk * recipient_address_point`.
+    pub secret_hash: Field,
+    /// Stored so contracts can constrain the kind of handshake they accept (e.g. an app may want to require interactive
+    /// handshakes only).
+    pub handshake_type: u8,
+    /// The recipient this handshake authorizes. Part of the note preimage so a contract proving note
+    /// existence can bind the proof to the intended recipient.
+    pub recipient: AztecAddress,
+}
+
+impl HandshakeNote {
+    pub fn new(shared_secret: Point, handshake_type: u8, recipient: AztecAddress) -> Self {
+        Self {
+            secret_hash: poseidon2_hash_with_separator(
+                [shared_secret.x, shared_secret.y],
+                DOM_SEP__HANDSHAKE_SECRET_HASH,
+            ),
+            handshake_type,
+            recipient,
+        }
+    }
+}

noir-projects/noir-contracts/contracts/message_discovery/handshake_registry_contract/src/main.nr

@@ -0,0 +1,111 @@
+use aztec::macros::aztec;
+mod handshake_note;
+mod test;
+
+/// Handshake type identifier for non-interactive handshakes (sender-generated random shared secret, no recipient
+/// signature). See [`HandshakeRegistry::non_interactive_handshake`].
+pub(crate) global NON_INTERACTIVE_HANDSHAKE: u8 = 1;
+
+/// Registry for the constrained-delivery shared-secret handshake protocol.
+///
+/// The registry's job is to establish a master shared secret between a sender and a recipient, and to store a
+/// per-sender note recording that the handshake happened. A contract that later wants to use this
+/// handshake retrieves the note via the [`HandshakeRegistry::get_handshake`] utility, asserts it exists in the
+/// registry,
+/// and uses the kernel key-validation mechanism to derive its own app-siloed shared secret from the master hash stored
+/// in the note.
+///
+/// Currently only implements the non-interactive flow (see [`HandshakeRegistry::non_interactive_handshake`]).
+#[aztec]
+pub contract HandshakeRegistry {
+    use crate::handshake_note::HandshakeNote;
+    use crate::NON_INTERACTIVE_HANDSHAKE;
+    use aztec::{
+        keys::{ecdh_shared_secret::derive_ecdh_shared_secret, ephemeral::generate_positive_ephemeral_key_pair},
+        macros::{functions::external, storage::storage},
+        messages::message_delivery::MessageDelivery,
+        note::note_viewer_options::NoteViewerOptions,
+        oracle::notes::set_sender_for_tags,
+        protocol::{
+            address::AztecAddress, constants::DOM_SEP__NON_INTERACTIVE_HANDSHAKE_LOG_TAG, hash::compute_log_tag,
+            traits::ToField,
+        },
+        state_vars::{Owned, PrivateSet},
+    };
+
+    #[storage]
+    struct Storage<Context> {
+        /// Per-sender set of [`HandshakeNote`]s. The sender is chosen by the caller and is unconstrained throughout the
+        /// constrained-delivery protocol.
+        handshakes: Owned<PrivateSet<HandshakeNote, Context>, Context>,
+    }
+
+    /// Performs a non-interactive handshake from `sender` to `recipient`.
+    ///
+    /// Generates a fresh ephemeral key pair `(eph_sk, eph_pk)`, computes the raw ECDH shared secret point
+    /// `S = eph_sk * recipient_address_point`, and produces two effects:
+    ///
+    /// 1. Inserts a [`HandshakeNote`] owned by `sender`.
+    /// 2. Emits a 1-field private log under a recipient-keyed tag with payload `[eph_pk.x]`. The recipient
+    ///    discovers handshakes addressed to them by scanning their tag and recovers the master shared secret
+    ///    from `eph_pk` via their own ECDH (`recipient_isk * eph_pk`). `eph_pk.y` is fixed positive by the
+    ///    [`generate_positive_ephemeral_key_pair`] convention, so only `eph_pk.x` is transmitted.
+    ///
+    /// # Panics
+    /// If `recipient` is not a valid curve point. There are no upstream side effects in this call frame to
+    /// protect, and a fallback would insert a permanent note recording a handshake with an invalid recipient,
+    /// polluting registry state.
+    #[external("private")]
+    fn non_interactive_handshake(sender: AztecAddress, recipient: AztecAddress) {
+        let recipient_point = recipient.to_address_point().expect(f"recipient address is not on the curve");
+
+        let (eph_sk, eph_pk) = generate_positive_ephemeral_key_pair();
+        let s_raw = derive_ecdh_shared_secret(eph_sk, recipient_point.inner);
+
+        let note = HandshakeNote::new(s_raw, NON_INTERACTIVE_HANDSHAKE, recipient);
+
+        // Safety: The sender for tags is only used to compute unconstrained shared secrets for emitting logs, so it
+        // is safe to set from a constrained context.
+        unsafe { set_sender_for_tags(sender) };
+        // Delivery is `ONCHAIN_UNCONSTRAINED`. The recipient is not involved in this note's delivery. They
+        // discover the handshake via the recipient-keyed log emitted below, not via the sender's note.
+        // We use onchain unconstrained delivery rather than `OFFCHAIN` so the note is
+        // discoverable via normal PXE sync.
+        self.storage.handshakes.at(sender).insert(note).deliver(MessageDelivery.ONCHAIN_UNCONSTRAINED);
+
+        let log_tag = compute_log_tag(
+            recipient.to_field(),
+            DOM_SEP__NON_INTERACTIVE_HANDSHAKE_LOG_TAG,
+        );
+        self.context.emit_private_log_vec_unsafe(log_tag, BoundedVec::from_array([eph_pk.x]));
+    }
+
+    /// Returns the most recently inserted [`HandshakeNote`] held for `sender` matching
+    /// `(recipient, handshake_type)`, or `None` if no such note exists.
+    ///
+    /// Returning the latest (rather than the first) lets a sender re-initiate by issuing a fresh handshake; e.g.
+    /// if the previous secret was leaked.
+    ///
+    /// This is the discovery surface a contract uses to obtain a note hint before asserting existence
+    /// of the note at this registry's address.
+    #[external("utility")]
+    unconstrained fn get_handshake(
+        sender: AztecAddress,
+        recipient: AztecAddress,
+        handshake_type: u8,
+    ) -> Option<HandshakeNote> {
+        // We pull all notes for `sender` and filter (recipient, handshake_type) below, walking from the end so the
+        // first hit is the most recently inserted match.
+        let notes = self.storage.handshakes.at(sender).view_notes(NoteViewerOptions::new());
+        let mut found = Option::none();
+        let len = notes.len();
+        for i in 0..len {
+            let note = notes.get(len - 1 - i);
+            if (note.recipient == recipient) & (note.handshake_type == handshake_type) {
+                found = Option::some(note);
+                break;
+            }
+        }
+        found
+    }
+}