initial integration into private msg delivery flow and tests for constrained tags

Author: vezenovm

noir-projects/aztec-nr/aztec/src/event/event_message.nr

@@ -58,6 +58,7 @@ where
             Option::none(),
             recipient,
             delivery_mode,
+            Option::none(),
         );
     }
 }

noir-projects/aztec-nr/aztec/src/macros/aztec.nr

@@ -157,8 +157,11 @@ pub comptime fn aztec(m: Module, args: [AztecConfig]) -> Quoted {
         Option::none()
     };
 
-    let sync_state_fn_and_abi_export =
-        generate_sync_state(process_custom_message_option, offchain_inbox_sync_option, custom_sync_handler);
+    let sync_state_fn_and_abi_export = generate_sync_state(
+        process_custom_message_option,
+        offchain_inbox_sync_option,
+        custom_sync_handler,
+    );
 
     if m.functions().any(|f| f.name() == quote { offchain_receive }) {
         panic(

noir-projects/aztec-nr/aztec/src/messages/delivery/constrained_delivery.nr

@@ -7,8 +7,8 @@ use crate::oracle::{call_utility_function::call_utility_function, notes::get_nex
 use crate::protocol::{
     abis::function_selector::FunctionSelector,
     address::AztecAddress,
-    constants::DOM_SEP__CONSTRAINED_MSG_NULLIFIER,
-    hash::poseidon2_hash_with_separator,
+    constants::{DOM_SEP__CONSTRAINED_MSG_LOG_TAG, DOM_SEP__CONSTRAINED_MSG_NULLIFIER},
+    hash::{compute_log_tag, poseidon2_hash, poseidon2_hash_with_separator},
     traits::{Deserialize, ToField},
 };
 
@@ -32,7 +32,8 @@ use crate::protocol::{
 ///      note.
 ///    - `index > 0`: asserts the prior nullifier
 ///      `poseidon2_hash_with_separator([sender, recipient, secret, index - 1], DOM_SEP__CONSTRAINED_MSG_NULLIFIER)`
-///      exists via [`compute_nullifier_existence_request`](crate::nullifier::utils::compute_nullifier_existence_request).
+///      exists via
+/// [`compute_nullifier_existence_request`](crate::nullifier::utils::compute_nullifier_existence_request).
 ///      The chain transitively constrains back to the index-0 `validate_handshake`. The caller is expected
 ///      to emit the matching nullifier alongside each constrained send so subsequent calls can prove the
 ///      chain.
@@ -47,9 +48,7 @@ pub fn calculate_secret_and_index(
     // Safety: the returned `Option<Field>` is untrusted and is constrained below before being returned to the
     // caller, either by performing a new handshake or by constraining the prior handshake's existence.
     let maybe_secret: Option<Field> = unsafe {
-        let selector = comptime {
-            FunctionSelector::from_signature("get_app_siloed_secret((Field),(Field),(Field))")
-        };
+        let selector = comptime { FunctionSelector::from_signature("get_app_siloed_secret((Field),(Field),(Field))") };
         let returns = call_utility_function(
             registry,
             selector,
@@ -64,12 +63,9 @@ pub fn calculate_secret_and_index(
         // `validate_handshake` is needed.
         // TODO(F-660): dispatch to `perform_handshake(sender, recipient, handshake_type)` once interactive
         // handshakes are supported.
-        let selector = comptime {
-            FunctionSelector::from_signature("non_interactive_handshake((Field),(Field))")
-        };
-        let secret: Field = context
-            .call_private_function(registry, selector, [sender.to_field(), recipient.to_field()])
-            .get_preimage();
+        let selector = comptime { FunctionSelector::from_signature("non_interactive_handshake((Field),(Field))") };
+        let secret: Field =
+            context.call_private_function(registry, selector, [sender.to_field(), recipient.to_field()]).get_preimage();
         (secret, 0)
     } else {
         let secret = maybe_secret.unwrap_unchecked();
@@ -79,23 +75,51 @@ pub fn calculate_secret_and_index(
         let index = unsafe { get_next_constrained_index(secret) };
 
         if index == 0 {
-            let selector = comptime {
-                FunctionSelector::from_signature("validate_handshake((Field),(Field),Field)")
-            };
-            let _ = context.call_private_function(
-                registry,
-                selector,
-                [sender.to_field(), recipient.to_field(), secret],
-            );
+            let selector = comptime { FunctionSelector::from_signature("validate_handshake((Field),(Field),Field)") };
+            let _ =
+                context.call_private_function(registry, selector, [sender.to_field(), recipient.to_field(), secret]);
         } else {
             let prev_nullifier = poseidon2_hash_with_separator(
                 [sender.to_field(), recipient.to_field(), secret, (index - 1) as Field],
                 DOM_SEP__CONSTRAINED_MSG_NULLIFIER,
             );
-            // TODO(F-670): exercise the index > 0 path end-to-end once send_constrained_msg emits nullifiers.
             context.assert_nullifier_exists(compute_nullifier_existence_request(prev_nullifier, caller));
         }
 
         (secret, index)
     }
 }
+
+/// Computes the constrained-delivery discovery log tag for an `(app_siloed_secret, index)` pair.
+///
+/// Collapses the secret and index into a single raw tag and domain-separates it with
+/// `DOM_SEP__CONSTRAINED_MSG_LOG_TAG`. This mirrors the recipient-side derivation in the PXE (`siloedTagFor`): the
+/// recipient recomputes the same tag to discover the message, and the protocol silos the emitted log's first field by
+/// the emitting contract address, completing the match.
+pub fn compute_constrained_log_tag(app_siloed_secret: Field, index: u32) -> Field {
+    compute_log_tag(poseidon2_hash([app_siloed_secret, index as Field]), DOM_SEP__CONSTRAINED_MSG_LOG_TAG)
+}
+
+/// Emits the per-send chain nullifier for a constrained message and returns its discovery log tag.
+///
+/// Used by [`crate::messages::delivery::do_private_message_delivery`] on the constrained-delivery path. It wraps
+/// [`calculate_secret_and_index`] to resolve the `(app_siloed_secret, index)` pair, then:
+/// 1. Emits the chain nullifier. A subsequent send at `index + 1` proves this nullifier exists, transitively constraining
+///    the chain back to the `index == 0` handshake validation in [`calculate_secret_and_index`].
+/// 2. Returns the log tag. The recipient recomputes the same tag from the handshake secret to discover the message.
+pub(crate) fn emit_nullifier_and_compute_constrained_tag(
+    context: &mut PrivateContext,
+    registry: AztecAddress,
+    sender: AztecAddress,
+    recipient: AztecAddress,
+) -> Field {
+    let (secret, index) = calculate_secret_and_index(context, registry, sender, recipient);
+
+    let nullifier = poseidon2_hash_with_separator(
+        [sender.to_field(), recipient.to_field(), secret, index as Field],
+        DOM_SEP__CONSTRAINED_MSG_NULLIFIER,
+    );
+    context.push_nullifier_unsafe(nullifier);
+
+    compute_constrained_log_tag(secret, index)
+}

noir-projects/aztec-nr/aztec/src/messages/delivery/mod.nr

@@ -182,19 +182,36 @@ pub struct MessageDeliveryEnum {
 pub global MessageDelivery: MessageDeliveryEnum =
     MessageDeliveryEnum { OFFCHAIN: 1, ONCHAIN_UNCONSTRAINED: 2, ONCHAIN_CONSTRAINED: 3 };
 
+/// Handshake inputs that opt a message delivery into constrained tagging.
+///
+/// Pass `Some` to [`do_private_message_delivery`] alongside [`MessageDeliveryEnum::ONCHAIN_CONSTRAINED`] to derive
+/// the log tag from a handshake-registry secret and emit the per-send chain nullifier (see
+/// [`crate::messages::delivery::constrained_delivery`]). Pass `None` for the wallet-driven unconstrained tag.
+pub struct ConstrainedDelivery {
+    /// Handshake registry to resolve the app-siloed shared secret from.
+    pub registry: AztecAddress,
+    /// Account the message is sent on behalf of, bound into both the secret/index resolution and the chain nullifier.
+    pub sender: AztecAddress,
+}
+
 /// Performs private delivery of a message to `recipient` according to `delivery_mode`.
 ///
 /// The message is encoded into plaintext and then encrypted for `recipient`. This function takes a _function_ that
 /// returns the plaintext instead of taking the plaintext directly in order to not waste constraints encoding the
 /// message in scenarios where the plaintext will be encrypted with unconstrained encryption.
 ///
 /// `maybe_note_hash_counter` is only relevant for on-chain delivery modes (i.e. via protocol logs): if a newly created
-/// note hash's side effect counter is passed, then the log will be squashed alongside the note should its nullifier be
-/// emitted in the current transaction. This is typically only used for note messages: since the note will not actually
-/// be created, there is no point in delivering the message.
+/// note hash's side effect counter is passed and constrained tagging is not requested, then the log will be squashed
+/// alongside the note should its nullifier be emitted in the current transaction. Constrained-tagged logs are not tied
+/// to note squashing because recipient discovery scans those tags sequentially.
 ///
 /// `delivery_mode` must be one of [`MessageDeliveryEnum`].
 ///
+/// `maybe_constrained_delivery` opts into constrained tagging: when `Some` (only valid with
+/// [`MessageDeliveryEnum::ONCHAIN_CONSTRAINED`]) the log tag is derived from a handshake-registry secret and a chain
+/// nullifier is emitted. When `None` the wallet-driven unconstrained tag is used. Its some-ness must be a
+/// compile-time constant.
+///
 /// ## Privacy
 ///
 /// The emitted log always has the same length regardless of `MESSAGE_PLAINTEXT_LEN`, because all message ciphertexts
@@ -205,17 +222,25 @@ pub fn do_private_message_delivery<Env, let MESSAGE_PLAINTEXT_LEN: u32>(
     maybe_note_hash_counter: Option<u32>,
     recipient: AztecAddress,
     delivery_mode: u8,
+    maybe_constrained_delivery: Option<ConstrainedDelivery>,
 ) {
     // This function relies on `delivery_mode` being a constant in order to reduce circuit constraints when
     // unconstrained usage is requested. If `delivery_mode` were a runtime value the compiler would be unable to
     // perform dead-code elimination.
     assert_constant(delivery_mode);
 
-    // The following maps out the 3 dimensions across which we configure message delivery.
+    // The following maps out the dimensions across which we configure message delivery.
     let constrained_encryption = delivery_mode == MessageDelivery.ONCHAIN_CONSTRAINED;
     let deliver_as_offchain_message = delivery_mode == MessageDelivery.OFFCHAIN;
-    // TODO(#14565): Add constrained tagging
-    let _constrained_tagging = delivery_mode == MessageDelivery.ONCHAIN_CONSTRAINED;
+
+    // Constrained tagging is opt-in via `maybe_constrained_delivery`. Its some-ness must be a compile-time constant.
+    assert_constant(maybe_constrained_delivery.is_some());
+    let constrained_tagging = maybe_constrained_delivery.is_some();
+    if constrained_tagging {
+        // Constrained tagging requires the constrained encryption that `ONCHAIN_CONSTRAINED` selects, otherwise the
+        // sender could pair a correct tag with forge-able (unconstrained) ciphertext.
+        assert(constrained_encryption, "constrained tagging requires ONCHAIN_CONSTRAINED delivery");
+    }
 
     let contract_address = context.this_address();
 
@@ -227,20 +252,33 @@ pub fn do_private_message_delivery<Env, let MESSAGE_PLAINTEXT_LEN: u32>(
     if deliver_as_offchain_message {
         deliver_offchain_message(ciphertext, recipient);
     } else {
-        // TODO(#14565): constrained tagging is not yet implemented. Both modes currently use the unconstrained
-        // domain separator because the discovery tag always comes from an oracle. Once constrained tagging lands,
-        // this should branch on `constrained_tagging` to select the appropriate separator.
-        let discovery_tag = compute_discovery_tag(recipient);
-        let log_tag = compute_log_tag(discovery_tag, DOM_SEP__UNCONSTRAINED_MSG_LOG_TAG);
+        let log_tag = if constrained_tagging {
+            let delivery_info = maybe_constrained_delivery.unwrap_unchecked();
+            constrained_delivery::emit_nullifier_and_compute_constrained_tag(
+                context,
+                delivery_info.registry,
+                delivery_info.sender,
+                recipient,
+            )
+        } else {
+            // TODO(#14565): Thread constrained tagging through high-level note/event delivery APIs so that
+            // `ONCHAIN_CONSTRAINED` callers supply handshake info instead of taking this fallback.
+            // `ONCHAIN_UNCONSTRAINED` deliveries are expected to derive the wallet-driven tag here.
+            let discovery_tag = compute_discovery_tag(recipient);
+            compute_log_tag(discovery_tag, DOM_SEP__UNCONSTRAINED_MSG_LOG_TAG)
+        };
 
         // We forbid this value not being constant to avoid predicating the context calls below, which might result in
         // the context's arrays having unknown compile time write indices and hence dramatically increasing constraints
         // when accessing them. In practice this restriction is not a problem as we always know at compile time whether
         // we're emitting a note or non-note message.
         assert_constant(maybe_note_hash_counter.is_some());
 
+        // TODO(F-664): Add e2e coverage for constrained note delivery through kernel squashing and recipient sync.
+        let squashable_note_log = maybe_note_hash_counter.is_some() & !constrained_tagging;
+
         let log = BoundedVec::from_array(ciphertext);
-        if maybe_note_hash_counter.is_some() {
+        if squashable_note_log {
             // We associate the log with the note's side effect counter, so that if the note ends up being squashed in
             // the current transaction, the log will be removed as well.
             context.emit_raw_note_log_unsafe(log_tag, log, maybe_note_hash_counter.unwrap());

noir-projects/aztec-nr/aztec/src/messages/discovery/mod.nr

@@ -112,13 +112,12 @@ pub type CustomMessageHandler = unconstrained fn(
 /// this handler instead of [`do_sync_state`]. It receives all of the same parameters, so it can run custom logic
 /// (e.g. fetching and decrypting custom logs) before, after, or instead of calling [`do_sync_state`].
 pub type CustomSyncHandler = unconstrained fn(
-    /* contract_address */ AztecAddress,
-    /* compute_note_hash */ ComputeNoteHash,
-    /* compute_note_nullifier */ ComputeNoteNullifier,
-    /* process_custom_message */ Option<CustomMessageHandler>,
-    /* offchain_inbox_sync */ Option<OffchainInboxSync>,
-    /* scope */ AztecAddress,
-);
+/* contract_address */AztecAddress,
+/* compute_note_hash */ ComputeNoteHash,
+/* compute_note_nullifier */ ComputeNoteNullifier,
+/* process_custom_message */ Option<CustomMessageHandler>,
+/* offchain_inbox_sync */ Option<OffchainInboxSync>,
+/* scope */ AztecAddress);
 
 /// Synchronizes the contract's private state with the network.
 ///

noir-projects/aztec-nr/aztec/src/messages/discovery/partial_notes.nr

@@ -108,10 +108,7 @@ pub(crate) unconstrained fn fetch_and_process_partial_note_completion_logs(
             // searching for this tagged log when performing message discovery in the future until we either find it or
             // the entry is somehow removed from the array.
         } else {
-            assert(
-                num_logs == 1,
-                f"Expected at most 1 completion log per partial note, got {num_logs}",
-            );
+            assert(num_logs == 1, f"Expected at most 1 completion log per partial note, got {num_logs}");
 
             aztecnr_debug_log_format!("Completion log found for partial note with tag {}")([
                 pending_partial_note.note_completion_log_tag,

noir-projects/aztec-nr/aztec/src/messages/message_delivery.nr

@@ -1,7 +1,5 @@
 //! Compatibility wrapper for the legacy `messages::message_delivery` path.
 
 pub use crate::messages::delivery::{
-    MessageDelivery,
-    MessageDeliveryEnum,
-    do_private_message_delivery,
+    ConstrainedDelivery, do_private_message_delivery, MessageDelivery, MessageDeliveryEnum,
 };

noir-projects/aztec-nr/aztec/src/messages/processing/log_retrieval_request.nr

@@ -6,8 +6,7 @@ pub(crate) struct LogSourceEnum {
     pub PUBLIC_AND_PRIVATE: Field,
 }
 
-pub(crate) global LogSource: LogSourceEnum =
-    LogSourceEnum { PRIVATE: 0, PUBLIC: 1, PUBLIC_AND_PRIVATE: 2 };
+pub(crate) global LogSource: LogSourceEnum = LogSourceEnum { PRIVATE: 0, PUBLIC: 1, PUBLIC_AND_PRIVATE: 2 };
 
 /// A request for the `bulk_retrieve_logs` oracle to fetch all logs matching a tag.
 #[derive(Serialize)]

noir-projects/aztec-nr/aztec/src/messages/processing/mod.nr

@@ -19,10 +19,7 @@ use crate::{
         discovery::partial_notes::DeliveredPendingPartialNote,
         encoding::MESSAGE_CIPHERTEXT_LEN,
         logs::{event::MAX_EVENT_SERIALIZED_LEN, note::MAX_NOTE_PACKED_LEN},
-        processing::{
-            log_retrieval_request::LogRetrievalRequest,
-            log_retrieval_response::LogRetrievalResponse,
-        },
+        processing::{log_retrieval_request::LogRetrievalRequest, log_retrieval_response::LogRetrievalResponse},
     },
     oracle::message_processing,
 };

noir-projects/aztec-nr/aztec/src/note/note_message.nr

@@ -81,6 +81,7 @@ where
             Option::some(self.new_note.note_hash_counter),
             recipient,
             delivery_mode,
+            Option::none(),
         );
     }