penumbra_shielded_pool/
convert.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
use anyhow::{anyhow, Result};
use ark_ff::ToConstraintField;
use ark_groth16::{
    r1cs_to_qap::LibsnarkReduction, Groth16, PreparedVerifyingKey, Proof, ProvingKey,
};
use ark_relations::r1cs;
use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
use ark_snark::SNARK;
use base64::prelude::*;
use decaf377::{Bls12_377, Fq, Fr};
use penumbra_asset::{
    asset::{self, AssetIdVar},
    balance::{self, commitment::BalanceCommitmentVar, BalanceVar},
    Balance, Value, ValueVar, STAKING_TOKEN_ASSET_ID,
};
use penumbra_num::{
    fixpoint::{U128x128, U128x128Var},
    Amount, AmountVar,
};
use penumbra_proof_params::{DummyWitness, VerifyingKeyExt, GROTH16_PROOF_LENGTH_BYTES};

/// The public input for a [`ConvertProof`].
#[derive(Clone, Debug)]
pub struct ConvertProofPublic {
    /// The source asset being consumed.
    pub from: asset::Id,
    /// The destination asset being produced.
    pub to: asset::Id,
    /// The exchange rate: how many units of `to` we get for each unit of `from`.
    pub rate: U128x128,
    /// A commitment to the balance of this transaction: what assets were consumed and produced.
    pub balance_commitment: balance::Commitment,
}

/// The private input for a [`ConvertProof`].
#[derive(Clone, Debug)]
pub struct ConvertProofPrivate {
    /// The private amount of the source asset we're converting.
    pub amount: Amount,
    /// The blinding we used to create the public commitment.
    pub balance_blinding: Fr,
}

#[cfg(test)]
fn check_satisfaction(public: &ConvertProofPublic, private: &ConvertProofPrivate) -> Result<()> {
    let consumed = Value {
        amount: private.amount,
        asset_id: public.from,
    };
    let produced = Value {
        amount: public.rate.apply_to_amount(&private.amount)?,
        asset_id: public.to,
    };
    let balance: Balance = Balance::from(produced) - consumed;
    let commitment = balance.commit(private.balance_blinding);
    if commitment != public.balance_commitment {
        anyhow::bail!("balance commitment did not match public input");
    }
    Ok(())
}

#[cfg(test)]
fn check_circuit_satisfaction(
    public: ConvertProofPublic,
    private: ConvertProofPrivate,
) -> Result<()> {
    use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystem};

    let cs = ConstraintSystem::new_ref();
    let circuit = ConvertCircuit::new(public, private);
    cs.set_optimization_goal(r1cs::OptimizationGoal::Constraints);
    // For why this is ok, see `generate_test_parameters`.
    circuit
        .generate_constraints(cs.clone())
        .expect("can generate constraints from circuit");
    cs.finalize();
    if !cs.is_satisfied()? {
        anyhow::bail!("constraints are not satisfied");
    }
    Ok(())
}

/// A circuit that converts a private amount of one asset into another, by some rate.
#[derive(Clone, Debug)]
pub struct ConvertCircuit {
    /// The amount of the source token being converted.
    amount: Amount,
    /// A randomizer for the commitment.
    balance_blinding: Fr,
    /// The source asset.
    from: asset::Id,
    /// The target asset
    to: asset::Id,
    /// The conversion rate from source to target.
    rate: U128x128,
    /// A commitment to a balance of `-amount[from] + (rate * amount)[to]`.
    balance_commitment: balance::Commitment,
}

impl ConvertCircuit {
    fn new(
        ConvertProofPublic {
            from,
            to,
            rate,
            balance_commitment,
        }: ConvertProofPublic,
        ConvertProofPrivate {
            amount,
            balance_blinding,
        }: ConvertProofPrivate,
    ) -> Self {
        Self {
            amount,
            balance_blinding,
            balance_commitment,
            from,
            to,
            rate,
        }
    }
}

impl r1cs::ConstraintSynthesizer<Fq> for ConvertCircuit {
    fn generate_constraints(self, cs: r1cs::ConstraintSystemRef<Fq>) -> r1cs::Result<()> {
        use ark_r1cs_std::prelude::*;

        // Witnesses
        let amount_var = AmountVar::new_witness(cs.clone(), || Ok(self.amount))?;
        let balance_blinding_var = {
            let balance_blinding_arr: [u8; 32] = self.balance_blinding.to_bytes();
            UInt8::new_witness_vec(cs.clone(), &balance_blinding_arr)?
        };

        // Public Inputs
        let from = AssetIdVar::new_input(cs.clone(), || Ok(self.from))?;
        let to = AssetIdVar::new_input(cs.clone(), || Ok(self.to))?;
        let rate = U128x128Var::new_input(cs.clone(), || Ok(self.rate))?;
        let balance_commitment =
            BalanceCommitmentVar::new_input(cs.clone(), || Ok(self.balance_commitment))?;

        // Constraints
        let expected_balance = {
            let taken = BalanceVar::from_negative_value_var(ValueVar {
                amount: amount_var.clone(),
                asset_id: from,
            });

            let produced = BalanceVar::from_positive_value_var(ValueVar {
                amount: rate.apply_to_amount(amount_var)?,
                asset_id: to,
            });

            taken + produced
        };
        let expected_commitment = expected_balance.commit(balance_blinding_var)?;
        expected_commitment.enforce_equal(&balance_commitment)?;

        Ok(())
    }
}

impl DummyWitness for ConvertCircuit {
    fn with_dummy_witness() -> Self {
        let amount = Amount::from(1u64);
        let balance_blinding = Fr::from(1u64);
        let from = *STAKING_TOKEN_ASSET_ID;
        let to = *STAKING_TOKEN_ASSET_ID;
        let rate = U128x128::from(1u64);
        let balance = Balance::from(Value {
            asset_id: to,
            amount,
        }) - Balance::from(Value {
            asset_id: from,
            amount,
        });
        let balance_commitment = balance.commit(balance_blinding);
        Self {
            amount,
            balance_blinding,
            from,
            to,
            rate,
            balance_commitment,
        }
    }
}

/// A proof that one asset was correctly converted into another.
///
/// This checks that: `COMMITMENT = COMMIT(-amount[FROM] + (RATE * amount)[TO])`,
/// where `amount` is private, and other variables are public.
#[derive(Clone, Debug)]
pub struct ConvertProof([u8; GROTH16_PROOF_LENGTH_BYTES]);

impl ConvertProof {
    /// Generate a [`ConvertProof`]
    pub fn prove(
        blinding_r: Fq,
        blinding_s: Fq,
        pk: &ProvingKey<Bls12_377>,
        public: ConvertProofPublic,
        private: ConvertProofPrivate,
    ) -> Result<Self> {
        let circuit = ConvertCircuit::new(public, private);
        let proof = Groth16::<Bls12_377, LibsnarkReduction>::create_proof_with_reduction(
            circuit, pk, blinding_r, blinding_s,
        )?;
        let mut proof_bytes = [0u8; GROTH16_PROOF_LENGTH_BYTES];
        Proof::serialize_compressed(&proof, &mut proof_bytes[..]).expect("can serialize Proof");
        Ok(Self(proof_bytes))
    }

    #[tracing::instrument(level="debug", skip(self, vk), fields(self = ?BASE64_STANDARD.encode(&self.0), vk = ?vk.debug_id()))]
    pub fn verify(
        &self,
        vk: &PreparedVerifyingKey<Bls12_377>,
        public: ConvertProofPublic,
    ) -> Result<()> {
        let proof = Proof::deserialize_compressed_unchecked(&self.0[..]).map_err(|e| anyhow!(e))?;

        let mut public_inputs = Vec::new();
        public_inputs.extend(
            public
                .from
                .to_field_elements()
                .ok_or_else(|| anyhow!("could not convert `from` asset ID to field elements"))?,
        );
        public_inputs.extend(
            public
                .to
                .to_field_elements()
                .ok_or_else(|| anyhow!("could not convert `to` asset ID to field elements"))?,
        );
        public_inputs.extend(
            public
                .rate
                .to_field_elements()
                .ok_or_else(|| anyhow!("could not convert exchange rate to field elements"))?,
        );
        public_inputs.extend(
            public
                .balance_commitment
                .0
                .to_field_elements()
                .ok_or_else(|| anyhow!("could not convert balance commitment to field elements"))?,
        );

        tracing::trace!(?public_inputs);
        let start = std::time::Instant::now();
        let proof_result = Groth16::<Bls12_377, LibsnarkReduction>::verify_with_processed_vk(
            vk,
            public_inputs.as_slice(),
            &proof,
        )?;
        tracing::debug!(?proof_result, elapsed = ?start.elapsed());
        proof_result
            .then_some(())
            .ok_or_else(|| anyhow!("undelegate claim proof did not verify"))
    }

    pub fn to_vec(&self) -> Vec<u8> {
        self.0.to_vec()
    }
}

impl TryFrom<&[u8]> for ConvertProof {
    type Error = anyhow::Error;

    fn try_from(value: &[u8]) -> Result<Self> {
        Ok(Self(value.try_into()?))
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use proptest::prelude::*;

    prop_compose! {
        fn arb_valid_convert_statement(balance_blinding: Fr)(amount in any::<u64>(), from_asset_id64 in any::<u64>(), to_asset_id64 in any::<u64>(), rate in any::<(u64, u128)>()) -> (ConvertProofPublic, ConvertProofPrivate) {
            let rate = U128x128::ratio(u128::from(rate.0), rate.1).expect("the bounds will make this not overflow");
            let from = asset::Id(Fq::from(from_asset_id64));
            let to = asset::Id(Fq::from(to_asset_id64));
            let amount = Amount::from(amount);
            let balance = Balance::from(Value { asset_id: to, amount: rate.apply_to_amount(&amount).expect("the bounds will make this not overflow")}) - Value {asset_id: from, amount};
            let public = ConvertProofPublic { from, to, rate, balance_commitment: balance.commit(balance_blinding) };
            let private = ConvertProofPrivate { amount, balance_blinding };
            (public, private)
        }
    }

    proptest! {
        #[test]
        fn convert_proof_happy_path((public, private) in arb_valid_convert_statement(Fr::from(1u64))) {
            assert!(check_satisfaction(&public, &private).is_ok());
            assert!(check_circuit_satisfaction(public, private).is_ok());
        }
    }

    fn nonzero_u128() -> impl Strategy<Value = u128> {
        prop::num::u128::ANY.prop_filter("nonzero", |x| *x != 0)
    }

    fn nonzero_u64() -> impl Strategy<Value = u64> {
        prop::num::u64::ANY.prop_filter("nonzero", |x| *x != 0)
    }

    prop_compose! {
        // The circuit should be unsatisfiable if the rate used by the prover is incorrect.
        // We generate a random rate, filtering out non-zero denominators to avoid division by zero.
        // This is the "true" rate.
        // Next, we add a (u64) random value to the true rate, and the prover generates the balance
        // using this incorrect rate.
        fn arb_invalid_convert_statement_wrong_rate(balance_blinding: Fr)(amount in any::<u64>(), from_asset_id64 in any::<u64>(), to_asset_id64 in any::<u64>(), rate_num in nonzero_u64(), rate_denom in nonzero_u128(), random_rate_num in nonzero_u64()) -> (ConvertProofPublic, ConvertProofPrivate) {
            let rate = U128x128::ratio(u128::from(rate_num), rate_denom).expect("the bounds will make this not overflow");
            let incorrect_rate = rate.checked_add(&U128x128::ratio(random_rate_num, 1u64).expect("should not overflow")).expect("should not overflow");
            let from = asset::Id(Fq::from(from_asset_id64));
            let to = asset::Id(Fq::from(to_asset_id64));
            let amount = Amount::from(amount);
            let balance = Balance::from(Value { asset_id: to, amount: incorrect_rate.apply_to_amount(&amount).expect("the bounds will make this not overflow")}) - Value {asset_id: from, amount};
            let public = ConvertProofPublic { from, to, rate, balance_commitment: balance.commit(balance_blinding) };
            let private = ConvertProofPrivate { amount, balance_blinding };
            (public, private)
        }
    }

    proptest! {
        #[test]
        fn convert_proof_invalid_convert_statement_wrong_rate((public, private) in arb_invalid_convert_statement_wrong_rate(Fr::from(1u64))) {
            assert!(check_satisfaction(&public, &private).is_err());
            assert!(check_circuit_satisfaction(public, private).is_err());
        }
    }
}