Add nonce to tx

osuketh · osuketh · commit 553e7e0f0b38 · 2019-08-10T23:11:40.000+09:00
diff --git a/core/primitives/src/g_epoch.rs b/core/primitives/src/g_epoch.rs
@@ -10,7 +10,7 @@ use pairing::bls12_381::Bls12;
 use pairing::io;
 use parity_codec::{Encode, Decode, Input};
 use byteorder::{ByteOrder, LittleEndian};
-use std::convert::TryFrom;
+use core::convert::TryFrom;
 
 const SIZE: usize = 32;
 const GEPOCH_PERSONALIZATION: &[u8; 8] = b"zcgepoch";
diff --git a/core/primitives/src/nonce.rs b/core/primitives/src/nonce.rs
@@ -8,7 +8,7 @@ use pairing::bls12_381::Bls12;
 use jubjub::curve::{edwards, PrimeOrder, Unknown};
 use pairing::io;
 use parity_codec::{Encode, Decode, Input};
-use std::convert::TryFrom;
+use core::convert::TryFrom;
 
 const SIZE: usize = 32;
 
diff --git a/core/proofs/src/circuit/transfer.rs b/core/proofs/src/circuit/transfer.rs
@@ -378,7 +378,8 @@ impl<'a, E: JubjubEngine> Circuit<E> for Transfer<'a, E> {
                 params
             )?;
 
-            nonce.inputize(cs.namespace(|| "nonce"))?;
+            g_epoch.inputize(cs.namespace(|| "inputize g_epoch"))?;
+            nonce.inputize(cs.namespace(|| "inputize nonce"))?;
         }
 
         Ok(())
@@ -436,6 +437,7 @@ mod tests {
 
         let rvk = proof_gen_key.into_rvk(alpha, params).0.into_xy();
         let g_epoch = edwards::Point::rand(rng, params).mul_by_cofactor(params);
+        let g_epoch_xy = g_epoch.into_xy();
         let nonce = g_epoch.mul(dec_key.0, params).into_xy();
 
         let mut cs = TestConstraintSystem::<Bls12>::new();
@@ -457,10 +459,10 @@ mod tests {
         instance.synthesize(&mut cs).unwrap();
 
         assert!(cs.is_satisfied());
-        assert_eq!(cs.num_constraints(), 25051);
-        assert_eq!(cs.hash(), "d429836034d9816ffd3e157e5de055450c00ad6027e1cb0b8ecb06e390a60adc");
+        assert_eq!(cs.num_constraints(), 25053);
+        assert_eq!(cs.hash(), "fabd4cb7d2ebbdb643eefe54b21a4c2d802544ea860c485a14532b2cd1194b4f");
 
-        assert_eq!(cs.num_inputs(), 21);
+        assert_eq!(cs.num_inputs(), 23);
         assert_eq!(cs.get_input(0, "ONE"), Fr::one());
         assert_eq!(cs.get_input(1, "inputize enc_key_sender/x/input variable"), address_sender_xy.0);
         assert_eq!(cs.get_input(2, "inputize enc_key_sender/y/input variable"), address_sender_xy.1);
@@ -480,8 +482,10 @@ mod tests {
         assert_eq!(cs.get_input(16, "inputize pointr/y/input variable"), c_bal_right.1);
         assert_eq!(cs.get_input(17, "rvk/x/input variable"), rvk.0);
         assert_eq!(cs.get_input(18, "rvk/y/input variable"), rvk.1);
-        assert_eq!(cs.get_input(19, "nonce/x/input variable"), nonce.0);
-        assert_eq!(cs.get_input(20, "nonce/y/input variable"), nonce.1);
+        assert_eq!(cs.get_input(19, "inputize g_epoch/x/input variable"), g_epoch_xy.0);
+        assert_eq!(cs.get_input(20, "inputize g_epoch/y/input variable"), g_epoch_xy.1);
+        assert_eq!(cs.get_input(21, "inputize nonce/x/input variable"), nonce.0);
+        assert_eq!(cs.get_input(22, "inputize nonce/y/input variable"), nonce.1);
     }
 
     #[test]
diff --git a/core/proofs/src/prover.rs b/core/proofs/src/prover.rs
@@ -128,6 +128,7 @@ pub struct ConfidentialProof<E: JubjubEngine> {
     pub enc_keys: MultiEncKeys<E>,
     pub multi_ciphertexts: MultiCiphertexts<E>,
     pub cipher_balance: Ciphertext<E>,
+    pub nonce: edwards::Point<E, PrimeOrder>,
 }
 
 impl<E: JubjubEngine> ConfidentialProof<E> {
@@ -157,6 +158,7 @@ impl<E: JubjubEngine> ConfidentialProof<E> {
                 FixedGenerators::NoteCommitmentRandomness,
                 params,
         );
+        let nonce = g_epoch.mul(dec_key_sender.0, params);
 
         let instance = Transfer {
             params: params,
@@ -175,7 +177,7 @@ impl<E: JubjubEngine> ConfidentialProof<E> {
         // Crate proof
         let proof = create_random_proof(instance, proving_key, rng)?;
 
-        let mut public_input = [E::Fr::zero(); 18];
+        let mut public_input = [E::Fr::zero(); 22];
         let p_g = FixedGenerators::NoteCommitmentRandomness;
 
         let cipher_sender = Ciphertext::encrypt(
@@ -244,8 +246,18 @@ impl<E: JubjubEngine> ConfidentialProof<E> {
         }
         {
             let (x, y) = rvk.0.into_xy();
-            public_input[12] = x;
-            public_input[13] = y;
+            public_input[16] = x;
+            public_input[17] = y;
+        }
+        {
+            let (x, y) = g_epoch.into_xy();
+            public_input[18] = x;
+            public_input[19] = y;
+        }
+        {
+            let (x, y) = nonce.into_xy();
+            public_input[20] = x;
+            public_input[21] = y;
         }
 
         // This verification is just an error handling, not validate if it returns `true`,
@@ -261,6 +273,7 @@ impl<E: JubjubEngine> ConfidentialProof<E> {
             enc_keys: MultiEncKeys::new_for_confidential(enc_keys.recipient.clone()),
             multi_ciphertexts: MultiCiphertexts::new_for_confidential(cipher_sender, cipher_recipient, cipher_fee),
             cipher_balance: cipher_balance.clone(),
+            nonce,
         };
 
         Ok(proof)
diff --git a/core/proofs/src/transaction.rs b/core/proofs/src/transaction.rs
@@ -24,6 +24,7 @@ pub struct Transaction{
 	pub rsk: [u8; 32],                   // 32 bytes
 	pub rvk: [u8; 32],                   // 32 bytes
 	pub enc_balance: [u8; 64],           // 32 bytes
+	pub nonce: [u8; 32],
 }
 
 impl Transaction {
@@ -64,6 +65,8 @@ impl Transaction {
 			&PARAMS,
 		).expect("Should not be faild to generate a proof.");
 
+		// TODO: Creating bridge_convert traits between std and no_std.
+
 		// Generate the re-randomized sign key
 		let mut rsk_bytes = [0u8; 32];
 		spending_key
@@ -118,6 +121,12 @@ impl Transaction {
 			.write(&mut enc_balance[..])
 			.map_err(|_| io::Error::InvalidData)?;
 
+		let mut nonce = [0u8; 32];
+		proof_output
+			.nonce
+			.write(&mut nonce[..])
+			.map_err(|_| io::Error::InvalidData)?;
+
 		let tx = Transaction {
 			proof: proof_bytes,
 			rvk: rvk_bytes,
@@ -128,6 +137,7 @@ impl Transaction {
 			rsk: rsk_bytes,
 			enc_fee,
 			enc_balance,
+			nonce,
 		};
 
 		Ok(tx)
diff --git a/modules/encrypted-balances/src/lib.rs b/modules/encrypted-balances/src/lib.rs
@@ -4,16 +4,15 @@
 use support::{decl_module, decl_storage, decl_event, StorageValue, StorageMap, dispatch::Result, Parameter};
 use rstd::prelude::*;
 use rstd::result;
+use rstd::convert::TryFrom;
 use bellman_verifier::verify_proof;
 use pairing::{
-    bls12_381::{
-        Bls12,
-        Fr,
-    },
+    bls12_381::{Bls12,Fr},
     Field,
 };
 use runtime_primitives::traits::{Member, Zero, MaybeSerializeDebug, As};
 use jubjub::redjubjub::PublicKey;
+use jubjub::curve::{edwards, PrimeOrder};
 use zprimitives::{
     EncKey, Proof, PreparedVk, ElgamalCiphertext,
     SigVk, Nonce, GEpoch,
@@ -29,6 +28,8 @@ pub trait Trait: system::Trait {
 
     /// The units in which we record encrypted balances.
     type EncryptedBalance: ElgamalCiphertext + Parameter + Member + Default + MaybeSerializeDebug + Codec;
+
+    type Nonce: TryFrom<edwards::Point<Bls12, PrimeOrder>> + Parameter + Member + Default + MaybeSerializeDebug + Codec;
 }
 
 pub struct TypedParams {
@@ -56,7 +57,8 @@ decl_module! {
             address_recipient: EncKey,
             amount_sender: T::EncryptedBalance,
             amount_recipient: T::EncryptedBalance,
-            fee_sender: T::EncryptedBalance
+            fee_sender: T::EncryptedBalance,
+            nonce: T::Nonce
         ) -> Result {
 			let rvk = ensure_signed(origin)?;
 
@@ -86,6 +88,9 @@ decl_module! {
             let typed_balance_recipient = Self::rollover(&address_recipient)
                 .map_err(|_| "Invalid ciphertext of recipient balance.")?;
 
+            // Veridate the provided nonce isn't included in the nonce pool.
+            assert!(Self::nonce_pool().contains(&nonce));
+
             // Verify the zk proof
             if !Self::validate_proof(
                     &typed.zkproof,
@@ -99,7 +104,10 @@ decl_module! {
                 )? {
                     Self::deposit_event(RawEvent::InvalidZkProof());
                     return Err("Invalid zkproof");
-                }
+            }
+
+            // Add a nonce into the nonce pool
+            Self::nonce_pool().push(nonce);
 
             // Subtracting transferred amount and fee from the sender's encrypted balances.
             // This function causes a storage mutation.
@@ -157,7 +165,7 @@ decl_storage! {
 
         /// A nonce pool. All nonces are erasured at the time of starting each epochs.
         // Consider chainging Vec to BtreeMap
-        pub NoncePool get(nonce_pool): Vec<Nonce>;
+        pub NoncePool get(nonce_pool): Vec<T::Nonce>;
     }
 }
 
diff --git a/zface/src/transaction/commands.rs b/zface/src/transaction/commands.rs
@@ -15,7 +15,7 @@ use zjubjub::{
     redjubjub::PrivateKey as zPrivateKey
     };
 use zpairing::{bls12_381::Bls12 as zBls12, PrimeField as zPrimeField, PrimeFieldRepr as zPrimeFieldRepr};
-use zprimitives::{PARAMS as ZPARAMS, Proof, Ciphertext as zCiphertext, EncKey, SigVerificationKey, RedjubjubSignature, SigVk};
+use zprimitives::{PARAMS as ZPARAMS, Proof, Ciphertext as zCiphertext, EncKey, SigVerificationKey, RedjubjubSignature, SigVk, Nonce};
 use zerochain_runtime::{UncheckedExtrinsic, Call, EncryptedBalancesCall, EncryptedAssetsCall};
 use runtime_primitives::generic::Era;
 use parity_codec::{Compact, Encode, Decode};
