Use the CRYPTO 2023 version of Anemoi (#313)

* push

* test

---------

Co-authored-by: confuseSUN <778398626@qq.com>

accumulators/src/merkle_tree.rs

@@ -9,15 +9,15 @@ use noah_crypto::anemoi_jive::{AnemoiJive, AnemoiJive254, ANEMOI_JIVE_BN254_SALT
 use storage::db::MerkleDB;
 use storage::store::{ImmutablePrefixedStore, PrefixedStore, Stated, Store};
 
-// 3^0 + 3^1 + 3^2 + ... 3^30 < 2^64 (u64 can include all leaf & ancestor)
-// store max num is 3^30 = 205891132094649 (max uid = 3^30 - 1)
+// 3^0 + 3^1 + 3^2 + ... 3^25 < 2^64 (u64 can include all leaf & ancestor)
+// store max num is 3^25 = 847288609443 (max uid = 3^25 - 1)
 // sid   max num is 2^64 = 18446744073709551616 (max uid = 2^64 - 1)
 
 /// default merkle tree depth.
-pub const TREE_DEPTH: usize = 30;
+pub const TREE_DEPTH: usize = 25;
 
-// 102945566047324 = 3^0 + 3^1 + 3^2 + ... 3^29, if change TREE_DEPTH, MUST update.
-const LEAF_START: u64 = 102945566047324;
+// 423644304721 = 3^0 + 3^1 + 3^2 + ... 3^24, if change TREE_DEPTH, MUST update.
+const LEAF_START: u64 = 423644304721;
 
 const KEY_PAD: [u8; 4] = [0, 0, 0, 0];
 const ROOT_KEY: [u8; 12] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
@@ -821,16 +821,11 @@ mod tests {
             TreePath::Middle,
             TreePath::Middle,
             TreePath::Left,
-            TreePath::Middle,
-            TreePath::Left,
-            TreePath::Left,
             TreePath::Left,
-            TreePath::Left,
-            TreePath::Right,
         ];
         assert_eq!(tmp_path, tmp_right);
 
-        let last_keys = get_path_keys(3u64.pow(30) - 1);
+        let last_keys = get_path_keys(3u64.pow(25) - 1);
         let mut last_sum = 0u64;
         for (i, (key, path)) in last_keys.iter().rev().enumerate() {
             last_sum += 3u64.pow(i as u32);

algebra/src/baby_jubjub/fr.rs

@@ -251,4 +251,9 @@ impl Scalar for BabyJubjubScalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }

algebra/src/bls12_381/fq.rs

@@ -290,4 +290,9 @@ impl Scalar for BLSFq {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }

algebra/src/bls12_381/fr.rs

@@ -303,6 +303,11 @@ impl Scalar for BLSScalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }
 
 impl Domain for BLSScalar {

algebra/src/bn254/fq.rs

@@ -287,4 +287,9 @@ impl Scalar for BN254Fq {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }

algebra/src/bn254/fr.rs

@@ -303,6 +303,11 @@ impl Scalar for BN254Scalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }
 
 impl Domain for BN254Scalar {

algebra/src/ed25519/fr.rs

@@ -253,6 +253,11 @@ impl Scalar for Ed25519Scalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }
 
 impl Ed25519Scalar {

algebra/src/jubjub/fr.rs

@@ -251,4 +251,9 @@ impl Scalar for JubjubScalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }

algebra/src/ristretto/mod.rs

@@ -288,6 +288,11 @@ impl Scalar for RistrettoScalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        *self + self
+    }
 }
 
 impl RistrettoScalar {

algebra/src/secp256k1/fr.rs

@@ -303,6 +303,11 @@ impl Scalar for SECP256K1Scalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }
 
 impl SECP256K1Scalar {

algebra/src/secq256k1/fr.rs

@@ -276,6 +276,11 @@ impl Scalar for SECQ256K1Scalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }
 
 impl SECQ256K1Scalar {

algebra/src/traits.rs

@@ -85,6 +85,9 @@ pub trait Scalar:
     /// Return the square of the field element
     fn square(&self) -> Self;
 
+    /// Return the double of the field element
+    fn double(&self) -> Self;
+
     /// Return the square root.
     fn sqrt(&self) -> Option<Self>;
 

algebra/src/zorro/fq.rs

@@ -251,4 +251,9 @@ impl Scalar for ZorroFq {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }

algebra/src/zorro/fr.rs

@@ -281,4 +281,9 @@ impl Scalar for ZorroScalar {
             None
         }
     }
+
+    #[inline]
+    fn double(&self) -> Self {
+        Self(self.0.double())
+    }
 }

api/benches/merkle_tree.rs

@@ -129,8 +129,8 @@ pub fn compute_merkle_root_variables_2_20(
     cs: &mut TurboPlonkCS,
     elem: AccElemVars,
     path_vars: &MerklePathVars,
-    leaf_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
-    traces: &Vec<JiveTrace<BN254Scalar, 2, 12>>,
+    leaf_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
+    traces: &Vec<JiveTrace<BN254Scalar, 2, 14>>,
 ) -> VarIndex {
     let (uid, commitment) = (elem.uid, elem.commitment);
 

api/src/anon_xfr/abar_to_abar.rs

@@ -67,11 +67,11 @@ pub struct AXfrPreNote {
     /// Witness.
     pub witness: AXfrWitness,
     /// The traces of the input commitments.
-    pub input_commitments_traces: Vec<AnemoiVLHTrace<BN254Scalar, 2, 12>>,
+    pub input_commitments_traces: Vec<AnemoiVLHTrace<BN254Scalar, 2, 14>>,
     /// The traces of the output commitments.
-    pub output_commitments_traces: Vec<AnemoiVLHTrace<BN254Scalar, 2, 12>>,
+    pub output_commitments_traces: Vec<AnemoiVLHTrace<BN254Scalar, 2, 14>>,
     /// The traces of the nullifiers.
-    pub nullifiers_traces: Vec<AnemoiVLHTrace<BN254Scalar, 2, 12>>,
+    pub nullifiers_traces: Vec<AnemoiVLHTrace<BN254Scalar, 2, 14>>,
     /// Input key pair.
     pub input_keypair: KeyPair,
 }
@@ -177,7 +177,7 @@ pub fn init_anon_xfr_note(
         .map(|output| output.owner_memo.clone().ok_or(NoahError::ParameterError))
         .collect();
 
-    let output_commitments_traces: Vec<AnemoiVLHTrace<BN254Scalar, 2, 12>> = outputs
+    let output_commitments_traces: Vec<AnemoiVLHTrace<BN254Scalar, 2, 14>> = outputs
         .iter()
         .map(|output| {
             let (_, commitment_trace) = commit(
@@ -430,9 +430,9 @@ pub(crate) fn prove_xfr<R: CryptoRng + RngCore>(
     rng: &mut R,
     params: &ProverParams,
     secret_inputs: &AXfrWitness,
-    nullifiers_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 12>],
-    input_commitments_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 12>],
-    output_commitments_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 12>],
+    nullifiers_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 14>],
+    input_commitments_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 14>],
+    output_commitments_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 14>],
     folding_witness: &AXfrAddressFoldingWitness,
 ) -> Result<AXfrPlonkPf> {
     let mut transcript = Transcript::new(ANON_XFR_PLONK_PROOF_TRANSCRIPT);
@@ -627,9 +627,9 @@ impl AXfrPubInputs {
 pub(crate) fn build_multi_xfr_cs(
     witness: &AXfrWitness,
     fee_type: BN254Scalar,
-    nullifiers_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 12>],
-    input_commitments_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 12>],
-    output_commitments_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 12>],
+    nullifiers_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 14>],
+    input_commitments_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 14>],
+    output_commitments_traces: &[AnemoiVLHTrace<BN254Scalar, 2, 14>],
     folding_witness: &AXfrAddressFoldingWitness,
 ) -> (TurboPlonkCS, usize) {
     assert_ne!(witness.payers_witnesses.len(), 0);
@@ -2182,8 +2182,8 @@ mod tests {
         )
         .unwrap();
 
-        let mut nullifiers_traces = Vec::<AnemoiVLHTrace<BN254Scalar, 2, 12>>::new();
-        let mut input_commitments_traces = Vec::<AnemoiVLHTrace<BN254Scalar, 2, 12>>::new();
+        let mut nullifiers_traces = Vec::<AnemoiVLHTrace<BN254Scalar, 2, 14>>::new();
+        let mut input_commitments_traces = Vec::<AnemoiVLHTrace<BN254Scalar, 2, 14>>::new();
         for payer_witness in secret_inputs.payers_witnesses.iter() {
             let (_, nullifier_trace) = nullify(
                 &payer_witness.secret_key.clone().into_keypair(),
@@ -2204,7 +2204,7 @@ mod tests {
             input_commitments_traces.push(input_commitment_trace);
         }
 
-        let mut output_commitments_traces = Vec::<AnemoiVLHTrace<BN254Scalar, 2, 12>>::new();
+        let mut output_commitments_traces = Vec::<AnemoiVLHTrace<BN254Scalar, 2, 14>>::new();
         for payee_witness in secret_inputs.payees_witnesses.iter() {
             let (_, output_commitment_trace) = commit(
                 &payee_witness.public_key,

api/src/anon_xfr/abar_to_ar.rs

@@ -61,9 +61,9 @@ pub struct AbarToArPreNote {
     /// Witness.
     pub witness: PayerWitness,
     /// The trace of the input commitment.
-    pub input_commitment_trace: AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    pub input_commitment_trace: AnemoiVLHTrace<BN254Scalar, 2, 14>,
     /// The trace of the nullifier.
-    pub nullifier_trace: AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    pub nullifier_trace: AnemoiVLHTrace<BN254Scalar, 2, 14>,
     /// Input key pair.
     pub input_keypair: KeyPair,
 }
@@ -339,8 +339,8 @@ fn prove_abar_to_ar<R: CryptoRng + RngCore>(
     rng: &mut R,
     params: &ProverParams,
     payers_witness: &PayerWitness,
-    nullifier_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
-    input_commitment_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    nullifier_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
+    input_commitment_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
     folding_witness: &AXfrAddressFoldingWitness,
 ) -> Result<AXfrPlonkPf> {
     let mut transcript = Transcript::new(ABAR_TO_AR_PLONK_PROOF_TRANSCRIPT);
@@ -367,8 +367,8 @@ fn prove_abar_to_ar<R: CryptoRng + RngCore>(
 /// Construct the anonymous-to-transparent constraint system.
 pub fn build_abar_to_ar_cs(
     payer_witness: &PayerWitness,
-    nullifier_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
-    input_commitment_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    nullifier_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
+    input_commitment_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
     folding_witness: &AXfrAddressFoldingWitness,
 ) -> (TurboPlonkCS, usize) {
     let mut cs = TurboCS::new();

api/src/anon_xfr/abar_to_bar.rs

@@ -69,9 +69,9 @@ pub struct AbarToBarPreNote {
     /// Witness.
     pub witness: PayerWitness,
     /// The trace of the input commitment.
-    pub input_commitment_trace: AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    pub input_commitment_trace: AnemoiVLHTrace<BN254Scalar, 2, 14>,
     /// The trace of the nullifier.
-    pub nullifier_trace: AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    pub nullifier_trace: AnemoiVLHTrace<BN254Scalar, 2, 14>,
     /// Input key pair.
     pub input_keypair: KeyPair,
     /// Inspection data in the delegated Schnorr proof on Ristretto.
@@ -536,8 +536,8 @@ fn prove_abar_to_bar<R: CryptoRng + RngCore>(
     rng: &mut R,
     params: &ProverParams,
     payers_witness: &PayerWitness,
-    nullifier_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
-    input_commitment_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    nullifier_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
+    input_commitment_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
     proof: &DSProof<BN254Scalar, RistrettoScalar, RistrettoPoint>,
     inspection: &DSInspection<BN254Scalar, RistrettoScalar, RistrettoPoint>,
     beta: &RistrettoScalar,
@@ -572,8 +572,8 @@ fn prove_abar_to_bar<R: CryptoRng + RngCore>(
 /// Construct the anonymous-to-confidential constraint system.
 pub fn build_abar_to_bar_cs(
     payer_witness: &PayerWitness,
-    nullifier_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
-    input_commitment_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    nullifier_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
+    input_commitment_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
     proof: &DSProof<BN254Scalar, RistrettoScalar, RistrettoPoint>,
     inspection: &DSInspection<BN254Scalar, RistrettoScalar, RistrettoPoint>,
     beta: &RistrettoScalar,

api/src/anon_xfr/ar_to_abar.rs

@@ -188,7 +188,7 @@ pub fn verify_ar_to_abar_body(params: &VerifierParams, body: &ArToAbarBody) -> R
 /// Construct the transparent-to-anonymous constraint system.
 pub fn build_ar_to_abar_cs(
     payee_data: PayeeWitness,
-    output_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    output_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
 ) -> (TurboPlonkCS, usize) {
     let mut cs = TurboCS::new();
     cs.load_anemoi_jive_parameters::<AnemoiJive254>();

api/src/anon_xfr/bar_to_abar.rs

@@ -302,7 +302,7 @@ pub(crate) fn prove_bar_to_abar_cs<R: CryptoRng + RngCore>(
     inspection: &DSInspection<BN254Scalar, RistrettoScalar, RistrettoPoint>,
     beta: &RistrettoScalar,
     lambda: &RistrettoScalar,
-    comm_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    comm_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
 ) -> Result<AXfrPlonkPf> {
     let mut transcript = Transcript::new(BAR_TO_ABAR_PLONK_PROOF_TRANSCRIPT);
     let (mut cs, _) = build_bar_to_abar_cs(
@@ -385,7 +385,7 @@ pub(crate) fn build_bar_to_abar_cs(
     non_zk_state: &DSInspection<BN254Scalar, RistrettoScalar, RistrettoPoint>,
     beta: &RistrettoScalar,
     lambda: &RistrettoScalar,
-    comm_trace: &AnemoiVLHTrace<BN254Scalar, 2, 12>,
+    comm_trace: &AnemoiVLHTrace<BN254Scalar, 2, 14>,
 ) -> (TurboPlonkCS, usize) {
     let mut cs = TurboCS::new();
     cs.load_anemoi_jive_parameters::<AnemoiJive254>();