From 78e526fd2c49dc4091d54c5548a704436d1f5977 Mon Sep 17 00:00:00 2001 From: benesjan Date: Fri, 26 Jul 2024 14:18:10 +0000 Subject: [PATCH] refactor:TokenWithRefunds optimizations --- .../src/types/token_note.nr | 63 ++++++------------- 1 file changed, 19 insertions(+), 44 deletions(-) diff --git a/noir-projects/noir-contracts/contracts/token_with_refunds_contract/src/types/token_note.nr b/noir-projects/noir-contracts/contracts/token_with_refunds_contract/src/types/token_note.nr index 951caecdce9f..c5251008c0f3 100644 --- a/noir-projects/noir-contracts/contracts/token_with_refunds_contract/src/types/token_note.nr +++ b/noir-projects/noir-contracts/contracts/token_with_refunds_contract/src/types/token_note.nr @@ -1,12 +1,11 @@ use dep::aztec::{ generators::{Ga1 as G_amt, Ga2 as G_npk, Ga3 as G_rnd}, - prelude::{AztecAddress, NoteHeader, NoteInterface, PrivateContext}, + prelude::{NoteHeader, NoteInterface, PrivateContext}, protocol_types::{constants::GENERATOR_INDEX__NOTE_NULLIFIER, point::Point, scalar::Scalar, hash::poseidon2_hash}, note::utils::compute_note_hash_for_consumption, oracle::unsafe_rand::unsafe_rand, keys::getters::get_nsk_app, note::note_getter_options::PropertySelector }; -use dep::std::field::bn254::decompose; -use dep::std::embedded_curve_ops::multi_scalar_mul; +use dep::std::{embedded_curve_ops::multi_scalar_mul, hash::from_field_unsafe}; trait OwnedNote { fn new(amount: U128, owner_npk_m_hash: Field) -> Self; @@ -72,8 +71,9 @@ impl NoteInterface for TokenNote { fn compute_note_hiding_point(self) -> Point { - let (npk_lo, npk_hi) = decompose(self.npk_m_hash); - let (random_lo, random_hi) = decompose(self.randomness); + // We use the unsafe version because the multi_scalar_mul will constrain the scalars. + let npk_m_hash_scalar = from_field_unsafe(self.npk_m_hash); + let randomness_scalar = from_field_unsafe(self.randomness); // We compute the note hiding point as `G_amt * amount + G_npk * npk_m_hash + G_rnd * randomness` instead // of using pedersen or poseidon2 because it allows us to privately add and subtract from amount in public // by leveraging homomorphism. @@ -83,14 +83,8 @@ impl NoteInterface for TokenNote { lo: self.amount.to_integer(), hi: 0 }, - Scalar { - lo: npk_lo, - hi: npk_hi - }, - Scalar { - lo: random_lo, - hi: random_hi, - }] + npk_m_hash_scalar, + randomness_scalar] ) } } @@ -208,45 +202,28 @@ impl PrivatelyRefundable for TokenNote { fn generate_refund_points(fee_payer_npk_m_hash: Field, user_npk_m_hash: Field, funded_amount: Field, user_randomness: Field, fee_payer_randomness: Field) -> (Point, Point) { // 1. To be able to multiply generators with randomness and npk_m_hash using barretneberg's (BB) blackbox // function we first need to convert the fields to high and low limbs. - // TODO(#7606): replace decompose with from_field_unsafe - let (fee_payer_randomness_lo, fee_payer_randomness_hi) = decompose(fee_payer_randomness); - let (fee_payer_npk_m_hash_lo, fee_payer_npk_m_hash_hi) = decompose(fee_payer_npk_m_hash); + // We use the unsafe version because the multi_scalar_mul will constrain the scalars. + let fee_payer_randomness_scalar = from_field_unsafe(fee_payer_randomness); + let fee_payer_npk_m_hash_scalar = from_field_unsafe(fee_payer_npk_m_hash); // 2. Now that we have correct representationsn of fee payer and randomness we can compute // `G_npk * fee_payer_npk + G_rnd * randomness`. let incomplete_fee_payer_point = multi_scalar_mul( [G_npk, G_rnd], - [Scalar { - lo: fee_payer_npk_m_hash_lo, - hi: fee_payer_npk_m_hash_hi - }, - Scalar { - lo: fee_payer_randomness_lo, - hi: fee_payer_randomness_hi - }] + [fee_payer_npk_m_hash_scalar, fee_payer_randomness_scalar] ); // 3. We do the necessary conversion for values relevant for the sponsored user point. - let (user_randomness_lo, user_randomness_hi) = decompose(user_randomness); + // We use the unsafe version because the multi_scalar_mul will constrain the scalars. + let funded_amount_scalar = from_field_unsafe(funded_amount); // TODO(#7324), TODO(#7323): using npk_m_hash here is vulnerable in 2 ways described in the linked issues. - let (user_npk_lo, user_npk_hi) = decompose(user_npk_m_hash); - let (funded_amount_lo, funded_amount_hi) = decompose(funded_amount); + let user_npk_m_hash_scalar = from_field_unsafe(user_npk_m_hash); + let user_randomness_scalar = from_field_unsafe(user_randomness); // 4. We compute `G_amt * funded_amount + G_npk * user_npk_m_hash + G_rnd * randomness`. let incomplete_user_point = multi_scalar_mul( [G_amt, G_npk, G_rnd], - [Scalar { - lo: funded_amount_lo, - hi: funded_amount_hi - }, - Scalar { - lo: user_npk_lo, - hi: user_npk_hi - }, - Scalar { - lo: user_randomness_lo, - hi: user_randomness_hi - }] + [funded_amount_scalar, user_npk_m_hash_scalar, user_randomness_scalar] ); // 5. At last we return the points. @@ -255,15 +232,13 @@ impl PrivatelyRefundable for TokenNote { fn complete_refund(incomplete_fee_payer_point: Point, incomplete_user_point: Point, transaction_fee: Field) -> (Point, Point) { // 1. We convert the transaction fee to high and low limbs to be able to use BB API. - let (transaction_fee_lo, transaction_fee_hi) = decompose(transaction_fee); + // We use the unsafe version because the multi_scalar_mul will constrain the scalars. + let transaction_fee_scalar = from_field_unsafe(transaction_fee); // 2. We compute the fee point as `G_amt * transaction_fee` let fee_point = multi_scalar_mul( [G_amt], - [Scalar { - lo: transaction_fee_lo, - hi: transaction_fee_hi, - }] + [transaction_fee_scalar] ); // 3. Now we leverage homomorphism to privately add the fee to fee payer point and subtract it from