Barretenberg: src/barretenberg/vm2/simulation/gadgets/address_derivation.cpp Source File

#include "barretenberg/vm2/simulation/gadgets/address_derivation.hpp"


#include <cassert>


#include "barretenberg/aztec/aztec_constants.hpp"

#include "barretenberg/vm2/common/field.hpp"

#include "barretenberg/vm2/simulation/lib/contract_crypto.hpp"


namespace bb::avm2::simulation {


void AddressDerivation::assert_derivation(const AztecAddress& address, const ContractInstance& instance)

{

    // Check if we've already derived this address.

    if (cached_derivations.contains(address)) {

        // Note: it is likely safe to skip this recalculation, but if we do, then a mismatch will throw in the

        // non-cache case and return in the cache case for the same input. No events are emitted either way, so

        // circuit and tracegen behave the same. The below exists just to unify simulation behaviour (#21374).

        BB_ASSERT_EQ(address, simulation::compute_contract_address(instance), "Address derivation mismatch");

        // Already processed this address - cache hit, don't emit event.

        return;

    }


    // First time seeing this address - do the actual derivation.

    // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[SALTED_INITIALIZATION_HASH_POSEIDON2_i] in

    // address_derivation.pil.

    FF salted_initialization_hash = poseidon2.hash(

        { DOM_SEP__SALTED_INITIALIZATION_HASH, instance.salt, instance.initialization_hash, instance.deployer });

    // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[PARTIAL_ADDRESS_POSEIDON2] in

    // address_derivation.pil.

    FF partial_address =

        poseidon2.hash({ DOM_SEP__PARTIAL_ADDRESS, instance.original_contract_class_id, salted_initialization_hash });


    std::vector<FF> public_keys_hash_fields = instance.public_keys.to_fields();

    std::vector<FF> public_key_hash_vec{ DOM_SEP__PUBLIC_KEYS_HASH };

    for (size_t i = 0; i < public_keys_hash_fields.size(); i += 2) {

        // Public key x coordinate.

        public_key_hash_vec.push_back(public_keys_hash_fields[i]);

        // Public key y coordinate.

        public_key_hash_vec.push_back(public_keys_hash_fields[i + 1]);

        // TODO(#7529): Public key is_infinity will be removed from address preimage, assuming false.

        public_key_hash_vec.push_back(FF::zero());

    }

    // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[PUBLIC_KEYS_HASH_POSEIDON2_i] in

    // address_derivation.pil.

    FF public_keys_hash = poseidon2.hash(public_key_hash_vec);

    // Emits Poseidon2HashEvents and Poseidon2PermutationEvents, see #[PREADDRESS_POSEIDON2] in address_derivation.pil.

    FF preaddress = poseidon2.hash({ DOM_SEP__CONTRACT_ADDRESS_V1, public_keys_hash, partial_address });


    // Note: the below ecc calls assume points are on the curve. We know preaddress_public_key is (by definition),

    // but it may be possible that incoming_viewing_key is not.

    // The circuit enforces that the point is on the curve to meet ecc's precondition and we replicate this here.

    BB_ASSERT(instance.public_keys.incoming_viewing_key.on_curve(),

              "Incoming viewing key is not on the curve when asserting contract address derivation");


    // Emits ScalarMulEvent and EccAddEvents, see #[PREADDRESS_SCALAR_MUL] in address_derivation.pil.

    EmbeddedCurvePoint preaddress_public_key = ecc.scalar_mul(EmbeddedCurvePoint::one(), preaddress);

    // Emits EccAddEvent, see #[ADDRESS_ECADD] in address_derivation.pil.

    EmbeddedCurvePoint address_point = ecc.add(preaddress_public_key, instance.public_keys.incoming_viewing_key);


    // This will throw an unexpected exception if it fails. If we have reached this point,

    // the contract instance retrieval should have enforced this.

    BB_ASSERT_EQ(address, address_point.x(), "Address derivation mismatch");


    // Cache this derivation so we don't repeat it

    cached_derivations.insert(address);


    // Emits AddressDerivationEvent.

    events.emit({

        .address = address,

        .instance = instance,

        .salted_initialization_hash = salted_initialization_hash,

        .partial_address = partial_address,

        .public_keys_hash = public_keys_hash,

        .preaddress = preaddress,

        .preaddress_public_key = preaddress_public_key,

        .address_point = address_point,

    });

}


} // namespace bb::avm2::simulation

BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83

aztec_constants.hpp

DOM_SEP__SALTED_INITIALIZATION_HASH
#define DOM_SEP__SALTED_INITIALIZATION_HASH
Definition aztec_constants.hpp:273

DOM_SEP__PARTIAL_ADDRESS
#define DOM_SEP__PARTIAL_ADDRESS
Definition aztec_constants.hpp:275

DOM_SEP__PUBLIC_KEYS_HASH
#define DOM_SEP__PUBLIC_KEYS_HASH
Definition aztec_constants.hpp:274

DOM_SEP__CONTRACT_ADDRESS_V1
#define DOM_SEP__CONTRACT_ADDRESS_V1
Definition aztec_constants.hpp:276

bb::avm2::StandardAffinePoint< AvmFlavorSettings::EmbeddedCurve::AffineElement >

bb::avm2::StandardAffinePoint::x
constexpr const BaseField & x() const noexcept
Definition standard_affine_point.hpp:79

bb::avm2::StandardAffinePoint< AvmFlavorSettings::EmbeddedCurve::AffineElement >::one
static const StandardAffinePoint & one()
Definition standard_affine_point.hpp:89

bb::avm2::ecc
Definition ecc.hpp:34

bb::avm2::simulation::AddressDerivation::cached_derivations
unordered_flat_set< AztecAddress > cached_derivations
Definition address_derivation.hpp:31

bb::avm2::simulation::AddressDerivation::assert_derivation
void assert_derivation(const AztecAddress &address, const ContractInstance &instance) override
Verifies a contract instance's address derivation and emits an AddressDerivationEvent....
Definition address_derivation.cpp:32

bb::avm2::simulation::AddressDerivation::events
EventEmitterInterface< AddressDerivationEvent > & events
Definition address_derivation.hpp:26

bb::crypto::Poseidon2< crypto::Poseidon2Bn254ScalarFieldParams >

bb::crypto::Poseidon2::hash
static FF hash(const std::vector< FF > &input)
Hashes a vector of field elements.

bb::group_elements::affine_element::on_curve
constexpr bool on_curve() const noexcept
Definition affine_element_impl.hpp:122

AddressRefMutationOptions::address
@ address

contract_crypto.hpp

bb::avm2::simulation
AVM range check gadget for witness generation.
Definition address_derivation_event.hpp:6

bb::avm2::simulation::compute_contract_address
FF compute_contract_address(const ContractInstance &contract_instance)
Definition contract_crypto.cpp:93

bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10

bb::avm2::AztecAddress
FF AztecAddress
Definition aztec_types.hpp:16

address_derivation.hpp

bb::avm2::ContractInstance
Definition aztec_types.hpp:116

bb::avm2::ContractInstance::initialization_hash
FF initialization_hash
Definition aztec_types.hpp:121

bb::avm2::ContractInstance::deployer
AztecAddress deployer
Definition aztec_types.hpp:118

bb::avm2::ContractInstance::public_keys
PublicKeys public_keys
Definition aztec_types.hpp:122

bb::avm2::ContractInstance::original_contract_class_id
ContractClassId original_contract_class_id
Definition aztec_types.hpp:120

bb::avm2::ContractInstance::salt
FF salt
Definition aztec_types.hpp:117

bb::avm2::PublicKeys::incoming_viewing_key
AffinePoint incoming_viewing_key
Definition aztec_types.hpp:89

bb::avm2::PublicKeys::to_fields
std::vector< FF > to_fields() const
Definition aztec_types.hpp:93

bb::field< bb::Bn254FrParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:277

field.hpp