fix: salted initialization hash separator (#22632)

Copied from #20969

-------------------------

When writing an address spec I noticed the same domain separator is
being used in two places when deriving an address.

This PR introduces DOM_SEP__SALTED_INITIALIZATION_HASH to replace the
incorrect usage of DOM_SEP__PARTIAL_ADDRESS.

Author: AztecBot

barretenberg/cpp/pil/vm2/bytecode/address_derivation.pil

@@ -9,7 +9,7 @@ include "../scalar_mul.pil";
  * during contract instance retrieval (contract_instance_retrieval.pil) in our execution flow.
  * The address is defined by the following flow, where the hash function H() is Poseidon2, and G1
  * is the Grumpkin curve's generator point:
- *   1. salted_init_hash  = H(DOM_SEP__PARTIAL_ADDRESS, salt, init_hash, deployer_addr)
+ *   1. salted_init_hash  = H(DOM_SEP__SALTED_INITIALIZATION_HASH, salt, init_hash, deployer_addr)
  *   2. partial_address   = H(DOM_SEP__PARTIAL_ADDRESS, class_id, salted_init_hash)
  *   3. public_keys_hash  = H(DOM_SEP__PUBLIC_KEYS_HASH,
  *                             nullifier_key_x, nullifier_key_y, nullifier_key_is_infinity,
@@ -24,10 +24,6 @@ include "../scalar_mul.pil";
  * curve. See the 'Hash Computations', 'Elliptic Curve Operations', and 'INTERACTIONS' sections
  * for details on how we enforce each step. This process follows Noir's AztecAddress::compute().
  *
- * Note: DOM_SEP__PARTIAL_ADDRESS is reused for both the salted initialization hash and the partial
- * address computations (steps 1 and 2). This cannot lead to a collision since the preimages are of
- * different lengths, hence will have different IV values. Unfortunately, why this is the case is not
- * documented in the protocol.
  *
  * PRECONDITIONS: The correctness of the preimage members is not constrained here and must be
  *               enforced by the calling circuits. Like class_id_derivation, this trace can be seen
@@ -121,7 +117,7 @@ namespace address_derivation;
     ///////////////////////////////
     //
     // This trace constrains the result of four Poseidon2 hashes:
-    //   1. salted_init_hash  = H(DOM_SEP__PARTIAL_ADDRESS, salt, init_hash, deployer_addr)
+    //   1. salted_init_hash  = H(DOM_SEP__SALTED_INITIALIZATION_HASH, salt, init_hash, deployer_addr)
     //   2. partial_address   = H(DOM_SEP__PARTIAL_ADDRESS, class_id, salted_init_hash)
     //   3. public_keys_hash  = H(DOM_SEP__PUBLIC_KEYS_HASH,
     //                             nullifier_key_x, nullifier_key_y, 0,
@@ -140,6 +136,8 @@ namespace address_derivation;
     sel * (const_four - 4) = 0;
     pol commit const_thirteen;
     sel * (const_thirteen - 13) = 0;
+    pol commit salted_init_hash_domain_separator;
+    sel * (salted_init_hash_domain_separator - constants.DOM_SEP__SALTED_INITIALIZATION_HASH) = 0;
     pol commit partial_address_domain_separator;
     sel * (partial_address_domain_separator - constants.DOM_SEP__PARTIAL_ADDRESS) = 0;
     pol commit public_keys_hash_domain_separator;
@@ -151,14 +149,14 @@ namespace address_derivation;
     pol commit salted_init_hash;
 
     // Since Poseidon2 processes inputs in chunks of 3, we need 2 permutation rounds to cover our 4 inputs:
-    //  salted_init_hash = H(DOM_SEP__PARTIAL_ADDRESS, salt, init_hash, deployer_addr)
-    //   Round 1 (start, input_len=4): (DOM_SEP__PARTIAL_ADDRESS, salt, init_hash)
+    //  salted_init_hash = H(DOM_SEP__SALTED_INITIALIZATION_HASH, salt, init_hash, deployer_addr)
+    //   Round 1 (start, input_len=4): (DOM_SEP__SALTED_INITIALIZATION_HASH, salt, init_hash)
     //   Round 2 (end):                (deployer_addr, 0, 0)
 
     // Enforces the first round of salted_init_hash. Note that we must lookup poseidon2_hash.input_len == 4
     // here since it is constrained in the poseidon trace on the start row.
     #[SALTED_INITIALIZATION_HASH_POSEIDON2_0]
-    sel { partial_address_domain_separator, salt, init_hash, salted_init_hash, const_four }
+    sel { salted_init_hash_domain_separator, salt, init_hash, salted_init_hash, const_four }
     in poseidon2_hash.start { poseidon2_hash.input_0, poseidon2_hash.input_1, poseidon2_hash.input_2, poseidon2_hash.output, poseidon2_hash.input_len };
 
     // Enforces the second and final round of salted_init_hash. Note that we must enforce the padded values are zero here.

barretenberg/cpp/pil/vm2/constants_gen.pil

@@ -178,6 +178,7 @@ namespace constants;
     pol DOM_SEP__RETRIEVED_BYTECODES_MERKLE = 2789215184;
     pol DOM_SEP__PUBLIC_BYTECODE = 260313585;
     pol DOM_SEP__CONTRACT_CLASS_ID = 3923495515;
+    pol DOM_SEP__SALTED_INITIALIZATION_HASH = 2763052992;
     pol DOM_SEP__PUBLIC_KEYS_HASH = 777457226;
     pol DOM_SEP__PARTIAL_ADDRESS = 2103633018;
     pol DOM_SEP__CONTRACT_ADDRESS_V1 = 1788365517;

barretenberg/cpp/src/barretenberg/aztec/aztec_constants.hpp

@@ -270,6 +270,7 @@
 #define DOM_SEP__RETRIEVED_BYTECODES_MERKLE 2789215184UL
 #define DOM_SEP__PUBLIC_BYTECODE 260313585UL
 #define DOM_SEP__CONTRACT_CLASS_ID 3923495515UL
+#define DOM_SEP__SALTED_INITIALIZATION_HASH 2763052992UL
 #define DOM_SEP__PUBLIC_KEYS_HASH 777457226UL
 #define DOM_SEP__PARTIAL_ADDRESS 2103633018UL
 #define DOM_SEP__CONTRACT_ADDRESS_V1 1788365517UL

barretenberg/cpp/src/barretenberg/vm2/constraining/relations/address_derivation.test.cpp

@@ -72,8 +72,8 @@ TEST(AddressDerivationConstrainingTest, Basic)
 
     auto instance = testing::random_contract_instance();
 
-    FF salted_initialization_hash =
-        poseidon2::hash({ DOM_SEP__PARTIAL_ADDRESS, instance.salt, instance.initialization_hash, instance.deployer });
+    FF salted_initialization_hash = poseidon2::hash(
+        { DOM_SEP__SALTED_INITIALIZATION_HASH, instance.salt, instance.initialization_hash, instance.deployer });
 
     FF partial_address =
         poseidon2::hash({ DOM_SEP__PARTIAL_ADDRESS, instance.original_contract_class_id, salted_initialization_hash });
@@ -225,8 +225,8 @@ TEST(AddressDerivationConstrainingTest, NegativeIVKNotOnCurve)
     // Mutate ivk to a point not on the curve.
     instance.public_keys.incoming_viewing_key = AffinePoint(1, 2);
 
-    FF salted_initialization_hash =
-        poseidon2::hash({ DOM_SEP__PARTIAL_ADDRESS, instance.salt, instance.initialization_hash, instance.deployer });
+    FF salted_initialization_hash = poseidon2::hash(
+        { DOM_SEP__SALTED_INITIALIZATION_HASH, instance.salt, instance.initialization_hash, instance.deployer });
 
     FF partial_address =
         poseidon2::hash({ DOM_SEP__PARTIAL_ADDRESS, instance.original_contract_class_id, salted_initialization_hash });

barretenberg/cpp/src/barretenberg/vm2/generated/columns.hpp

@@ -141,10 +141,10 @@ namespace bb::avm2 {
 
 struct AvmFlavorVariables {
     static constexpr size_t NUM_PRECOMPUTED_ENTITIES = 122;
-    static constexpr size_t NUM_WITNESS_ENTITIES = 2957;
+    static constexpr size_t NUM_WITNESS_ENTITIES = 2958;
     static constexpr size_t NUM_SHIFTED_ENTITIES = 364;
-    static constexpr size_t NUM_WIRES = 2513;
-    static constexpr size_t NUM_ALL_ENTITIES = 3443;
+    static constexpr size_t NUM_WIRES = 2514;
+    static constexpr size_t NUM_ALL_ENTITIES = 3444;
 
     // Need to be templated for recursive verifier
     template <typename FF_>

barretenberg/cpp/src/barretenberg/vm2/generated/flavor_variables.hpp

@@ -14,7 +14,7 @@ template <typename FF_> class address_derivationImpl {
   public:
     using FF = FF_;
 
-    static constexpr std::array<size_t, 11> SUBRELATION_PARTIAL_LENGTHS = { 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5 };
+    static constexpr std::array<size_t, 12> SUBRELATION_PARTIAL_LENGTHS = { 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5 };
 
     template <typename AllEntities> inline static bool skip(const AllEntities& in)
     {
@@ -35,7 +35,7 @@ template <typename FF> class address_derivation : public Relation<address_deriva
     static constexpr const std::string_view NAME = "address_derivation";
 
     // Subrelation indices constants, to be used in tests.
-    static constexpr size_t SR_IVK_ON_CURVE_CHECK = 10;
+    static constexpr size_t SR_IVK_ON_CURVE_CHECK = 11;
 
     static std::string get_subrelation_label(size_t index)
     {

barretenberg/cpp/src/barretenberg/vm2/generated/relations/address_derivation.hpp

@@ -18,6 +18,7 @@ void address_derivationImpl<FF_>::accumulate(ContainerOverSubrelations& evals,
     const auto constants_GRUMPKIN_ONE_X = FF(1);
     const auto constants_GRUMPKIN_ONE_Y =
         FF(uint256_t{ 9457493854555940652UL, 3253583849847263892UL, 14921373847124204899UL, 2UL });
+    const auto constants_DOM_SEP__SALTED_INITIALIZATION_HASH = FF(2763052992UL);
     const auto constants_DOM_SEP__PUBLIC_KEYS_HASH = FF(777457226);
     const auto constants_DOM_SEP__PARTIAL_ADDRESS = FF(2103633018);
     const auto constants_DOM_SEP__CONTRACT_ADDRESS_V1 = FF(1788365517);
@@ -60,42 +61,49 @@ void address_derivationImpl<FF_>::accumulate(ContainerOverSubrelations& evals,
     {
         using View = typename std::tuple_element_t<5, ContainerOverSubrelations>::View;
         auto tmp = static_cast<View>(in.get(C::address_derivation_sel)) *
-                   (static_cast<View>(in.get(C::address_derivation_partial_address_domain_separator)) -
-                    CView(constants_DOM_SEP__PARTIAL_ADDRESS));
+                   (static_cast<View>(in.get(C::address_derivation_salted_init_hash_domain_separator)) -
+                    CView(constants_DOM_SEP__SALTED_INITIALIZATION_HASH));
         std::get<5>(evals) += (tmp * scaling_factor);
     }
     {
         using View = typename std::tuple_element_t<6, ContainerOverSubrelations>::View;
         auto tmp = static_cast<View>(in.get(C::address_derivation_sel)) *
-                   (static_cast<View>(in.get(C::address_derivation_public_keys_hash_domain_separator)) -
-                    CView(constants_DOM_SEP__PUBLIC_KEYS_HASH));
+                   (static_cast<View>(in.get(C::address_derivation_partial_address_domain_separator)) -
+                    CView(constants_DOM_SEP__PARTIAL_ADDRESS));
         std::get<6>(evals) += (tmp * scaling_factor);
     }
     {
         using View = typename std::tuple_element_t<7, ContainerOverSubrelations>::View;
         auto tmp = static_cast<View>(in.get(C::address_derivation_sel)) *
-                   (static_cast<View>(in.get(C::address_derivation_preaddress_domain_separator)) -
-                    CView(constants_DOM_SEP__CONTRACT_ADDRESS_V1));
+                   (static_cast<View>(in.get(C::address_derivation_public_keys_hash_domain_separator)) -
+                    CView(constants_DOM_SEP__PUBLIC_KEYS_HASH));
         std::get<7>(evals) += (tmp * scaling_factor);
     }
     {
         using View = typename std::tuple_element_t<8, ContainerOverSubrelations>::View;
         auto tmp = static_cast<View>(in.get(C::address_derivation_sel)) *
-                   (static_cast<View>(in.get(C::address_derivation_g1_x)) - CView(constants_GRUMPKIN_ONE_X));
+                   (static_cast<View>(in.get(C::address_derivation_preaddress_domain_separator)) -
+                    CView(constants_DOM_SEP__CONTRACT_ADDRESS_V1));
         std::get<8>(evals) += (tmp * scaling_factor);
     }
     {
         using View = typename std::tuple_element_t<9, ContainerOverSubrelations>::View;
         auto tmp = static_cast<View>(in.get(C::address_derivation_sel)) *
-                   (static_cast<View>(in.get(C::address_derivation_g1_y)) - CView(constants_GRUMPKIN_ONE_Y));
+                   (static_cast<View>(in.get(C::address_derivation_g1_x)) - CView(constants_GRUMPKIN_ONE_X));
         std::get<9>(evals) += (tmp * scaling_factor);
     }
-    { // IVK_ON_CURVE_CHECK
+    {
         using View = typename std::tuple_element_t<10, ContainerOverSubrelations>::View;
         auto tmp = static_cast<View>(in.get(C::address_derivation_sel)) *
-                   (CView(address_derivation_Y2) - (CView(address_derivation_X3) - FF(17)));
+                   (static_cast<View>(in.get(C::address_derivation_g1_y)) - CView(constants_GRUMPKIN_ONE_Y));
         std::get<10>(evals) += (tmp * scaling_factor);
     }
+    { // IVK_ON_CURVE_CHECK
+        using View = typename std::tuple_element_t<11, ContainerOverSubrelations>::View;
+        auto tmp = static_cast<View>(in.get(C::address_derivation_sel)) *
+                   (CView(address_derivation_Y2) - (CView(address_derivation_X3) - FF(17)));
+        std::get<11>(evals) += (tmp * scaling_factor);
+    }
 }
 
 } // namespace bb::avm2

barretenberg/cpp/src/barretenberg/vm2/generated/relations/address_derivation_impl.hpp

@@ -22,7 +22,7 @@ struct lookup_address_derivation_salted_initialization_hash_poseidon2_0_settings
     static constexpr Column COUNTS = Column::lookup_address_derivation_salted_initialization_hash_poseidon2_0_counts;
     static constexpr Column INVERSES = Column::lookup_address_derivation_salted_initialization_hash_poseidon2_0_inv;
     static constexpr std::array<ColumnAndShifts, LOOKUP_TUPLE_SIZE> SRC_COLUMNS = {
-        ColumnAndShifts::address_derivation_partial_address_domain_separator,
+        ColumnAndShifts::address_derivation_salted_init_hash_domain_separator,
         ColumnAndShifts::address_derivation_salt,
         ColumnAndShifts::address_derivation_init_hash,
         ColumnAndShifts::address_derivation_salted_init_hash,

barretenberg/cpp/src/barretenberg/vm2/generated/relations/lookups_address_derivation.hpp

@@ -15,7 +15,7 @@ namespace bb::avm2::simulation {
  * If the address has already been derived, an event has already been emitted and we skip
  * repeating the computation and emission. Otherwise, we compute the address from the instance
  * members using the poseidon2, scalar_mul, and ecc traces, which is given as:
- *   1. salted_init_hash  = Poseidon2(DOM_SEP__PARTIAL_ADDRESS, salt, init_hash, deployer_addr)
+ *   1. salted_init_hash  = Poseidon2(DOM_SEP__SALTED_INITIALIZATION_HASH, salt, init_hash, deployer_addr)
  *   2. partial_address   = Poseidon2(DOM_SEP__PARTIAL_ADDRESS, class_id, salted_init_hash)
  *   3. public_keys_hash  = Poseidon2(DOM_SEP__PUBLIC_KEYS_HASH, [...public_keys.to_fields()])
  *   4. preaddress        = Poseidon2(DOM_SEP__CONTRACT_ADDRESS_V1, public_keys_hash, partial_address)
@@ -44,8 +44,8 @@ void AddressDerivation::assert_derivation(const AztecAddress& address, const Con
     // First time seeing this address - do the actual derivation.
     // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[SALTED_INITIALIZATION_HASH_POSEIDON2_i] in
     // address_derivation.pil.
-    FF salted_initialization_hash =
-        poseidon2.hash({ DOM_SEP__PARTIAL_ADDRESS, instance.salt, instance.initialization_hash, instance.deployer });
+    FF salted_initialization_hash = poseidon2.hash(
+        { DOM_SEP__SALTED_INITIALIZATION_HASH, instance.salt, instance.initialization_hash, instance.deployer });
     // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[PARTIAL_ADDRESS_POSEIDON2] in
     // address_derivation.pil.
     FF partial_address =