Merge pull request #110 from iden3/feature/optimization-after-archive

Nullifier & ProofType changes. Archive old circuits. Optimizations

archive_circuits_V2/test/offchain/credentialAtomicQueryMTPOffChain.test.ts

@@ -17,7 +17,6 @@ describe("Test credentialAtomicQueryMTPOffChain.circom", function () {
       {
         output: path.join(__dirname, "circuits", "build"),
         recompile: true,
-        reduceConstraints: false,
       },
     );
 

archive_circuits_V2/test/offchain/credentialAtomicQuerySigOffChain.test.ts

@@ -17,7 +17,6 @@ describe("Test credentialAtomicQuerySigOffChain.circom", function () {
             {
                 output: path.join(__dirname, "circuits", "build"),
                 recompile: true,
-                reduceConstraints: false,
             },
         );
 

archive_circuits_V2/test/onchain/credentialAtomicQueryMTPOnChain.test.ts

@@ -15,9 +15,8 @@ describe("Test On Chain credentialAtomicQueryMTPOnChain.circom", function () {
         circuit = await wasm(
             path.join(__dirname, "../../circuits/", "credentialAtomicQueryMTPV2OnChain.circom"),
             {
-                // output: path.join(__dirname, "circuits", "build"),
-                // recompile: true,
-                // reduceConstraints: false,
+                output: path.join(__dirname, "circuits", "build"),
+                recompile: true,
             },
         );
 

archive_circuits_V2/test/onchain/credentialAtomicQuerySigOnChain.test.ts

@@ -14,7 +14,6 @@ describe("On Chain: Test credentialAtomicQuerySigOnChain.circom", function () {
             {
                 output: path.join(__dirname, "circuits", "build"),
                 recompile: true,
-                reduceConstraints: false,
             },
         );
 

archive_circuits_V2/test/sybil/sybil.test.ts

@@ -21,7 +21,6 @@ describe("sybilTestMTP.circom:", async function() {
             {
                 output: path.join(__dirname, "../circuits", "build/sybil"),
                 recompile: true,
-                reduceConstraints: false,
             },
         );
     });
@@ -74,7 +73,6 @@ describe("sybilTestSig.circom:", async function() {
             {
                 output: path.join(__dirname, "../circuits", "build/sybilSig"),
                 recompile: true,
-                reduceConstraints: false,
             },
         );
     });

circuits/auth/authV2.circom

@@ -48,10 +48,21 @@ template AuthV2(IdOwnershipLevels, onChainLevels) {
     // unless nonce == 0, in which case userID will be assigned with userGenesisID
     signal output userID;
 
+    /////////////////////////////////////////////////////////////////
+    // FIXME: `===` without multiplications gives 0 constraints!!!
+    // because compiler removes all linear constraints during optimization pass
+    // ForceEqualIfEnabled(1, [x, y]) gives 0 too, so we need to do a workaround:
+    // calculate signal with value 1 and pass it to ForceEqualIfEnabled as an enabled signal
+    /////////////////////////////////////////////////////////////////
+    signal tmp <== IsZero()(genesisID);
+    signal tmp2 <== NOT()(tmp);
+    signal zero <== IsEqual()([tmp, tmp2]);
+    signal one <== IsZero()(zero);
+    zero * one === 0;
+
     checkAuthV2(IdOwnershipLevels, onChainLevels)(
-        1,
+        one,
         genesisID,
-        profileNonce,
         state,
         claimsTreeRoot,
         revTreeRoot,
@@ -81,9 +92,6 @@ template checkAuthV2(IdOwnershipLevels, onChainLevels) {
     signal input enabled;
 
     signal input genesisID;
-    // random number, which should be stored by user
-    // if there is a need to generate the same userID (ProfileID) output for different proofs
-    signal input profileNonce;
 
     // user state
     signal input state;

circuits/credentialAtomicQueryV3.circom

@@ -3,11 +3,12 @@ pragma circom 2.1.1;
 include "offchain/credentialAtomicQueryV3OffChain.circom";
 
 /*
- public signals:
+ public output signals:
  userID - user profile id
  merklized - `1` if claim is merklized
- issuerAuthState // for sig
- issuerClaimIdenState // for mtp
+ issuerState - equals to issuerAuthState for sig, and to issuerClaimIdenState for mtp
+ nullifier - sybil resistant user identifier for session id
+ linkID - linked proof identifier
 */
 component main{public [requestID,
                        issuerID,
@@ -20,7 +21,7 @@ component main{public [requestID,
                        value,
                        timestamp, 
                        isRevocationChecked,
-                       issuerClaimIdenState, // MTP specific
                        proofType,
-                       verifierID
+                       verifierID,
+                       verifierSessionID
                        ]} = credentialAtomicQueryV3OffChain(40, 32, 64);

circuits/credentialAtomicQueryV3OnChain.circom

@@ -2,14 +2,22 @@ pragma circom 2.1.1;
 
 include "./onchain/credentialAtomicQueryV3OnChain.circom";
 
+/*
+ public output signals:
+ userID - user profile id
+ merklized - `1` if claim is merklized
+ issuerState - equals to issuerAuthState for sig, and to issuerClaimIdenState for mtp
+ nullifier - sybil resistant user identifier for session id
+ linkID - linked proof identifier
+*/
 component main{public [requestID,
                        issuerID,
-                       issuerClaimIdenState,
                        issuerClaimNonRevState,
                        timestamp,
                        isRevocationChecked,
                        challenge,
                        gistRoot,
                        proofType,
-                       verifierID
+                       verifierID,
+                       verifierSessionID
                        ]} = credentialAtomicQueryV3OnChain(40, 32, 64, 40, 64);

circuits/lib/idOwnership.circom

@@ -49,5 +49,5 @@ template IdOwnership(nLevels) {
         challengeSignatureS
     );
 
-    checkIdenStateMatchesRoots()(1, userClaimsTreeRoot, userRevTreeRoot, userRootsTreeRoot, userState);
+    checkIdenStateMatchesRoots()(enabled, userClaimsTreeRoot, userRevTreeRoot, userRootsTreeRoot, userState);
 }

circuits/lib/linked/linkId.circom

@@ -1,20 +1,17 @@
 pragma circom 2.1.5;
 
 include "../../../node_modules/circomlib/circuits/poseidon.circom";
-include "../utils/claimUtils.circom";
+include "../../../node_modules/circomlib/circuits/comparators.circom";
 
 template LinkID() {
-    signal input claim[8];
+    signal input claimHash;
     signal input linkNonce;
 
     signal output out;
 
     signal isNonceZero <== IsZero()(linkNonce);
 
-    component claimHash = getClaimHash();
-    claimHash.claim <== claim;
-
-    signal linkID <== Poseidon(2)([claimHash.hash, linkNonce]);
+    signal linkID <== Poseidon(2)([claimHash, linkNonce]);
 
     out <== Mux1()(
         [linkID, 0],

circuits/lib/query/comparators.circom

@@ -21,7 +21,7 @@ template IN (valueArraySize){
         }
 
         // Greater than
-        component gt = GreaterThan(252);
+        component gt = GreaterThan(16);
         gt.in[0] <== count[valueArraySize];
         gt.in[1] <== 0;
 
@@ -47,15 +47,12 @@ template LessThan254() {
         h1.in[i-252] <== n1b.out[i];
     }
 
-    component hiBitLt = LessThan(4);
+    component hiBitLt = LessThan(2);
     hiBitLt.in[0] <== h0.out;
     hiBitLt.in[1] <== h1.out;
     component hiBitEq = IsEqual();
     hiBitEq.in[0] <== h0.out;
     hiBitEq.in[1] <== h1.out;
-    component hiBitGt = GreaterThan(4);
-    hiBitGt.in[0] <== h0.out;
-    hiBitGt.in[1] <== h1.out;
 
     // number for lower 252 bits
     component n0  = Bits2Num(252);
@@ -69,7 +66,7 @@ template LessThan254() {
     lt.in[0] <== n0.out;
     lt.in[1] <== n1.out;
 
-    out <== (hiBitEq.out * lt.out) + (hiBitLt.out * 1) + (hiBitGt.out * 0);
+    out <== (hiBitEq.out * lt.out) + (hiBitLt.out * 1);
 }
 
 template GreaterThan254() {

circuits/lib/query/modifiers.circom

@@ -7,7 +7,6 @@ include "../../../node_modules/circomlib/circuits/mux4.circom";
 /*
     Modifier/computation operators:
       16 - selective disclosure (16 = 10000 binary)
-      17 - nullify (17 = 10001 binary)
 */
 
 // modifierValidatorOutputSelector validates modifier operation and selects output value
@@ -25,8 +24,7 @@ template modifierValidatorOutputSelector() {
     modifierOpValid.s <== [opBits[0], opBits[1], opBits[2], opBits[3]];
     modifierOpValid.c <== [
         1, // valid operator: 16 - selective disclosure (16-16 = index 0)
-        1, // valid operator: 17 - nullify (17-16 = index 1)
-        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
     ];
 
     ForceEqualIfEnabled()(

circuits/lib/query/nullify.circom

@@ -1,26 +1,30 @@
 pragma circom 2.1.1;
 
 include "../../../node_modules/circomlib/circuits/comparators.circom";
-include "../../../node_modules/circomlib/circuits/mux2.circom";
+include "../../../node_modules/circomlib/circuits/gates.circom";
+include "../../../node_modules/circomlib/circuits/mux1.circom";
 include "../../../node_modules/circomlib/circuits/poseidon.circom";
 
 template Nullify() {
     signal input genesisID;
     signal input claimSubjectProfileNonce;
     signal input claimSchema;
-    signal input fieldValue;
     signal input verifierID;
-    signal input crs;
+    signal input verifierSessionID;
 
     signal output nullifier;
 
     signal isZeroNonce <== IsZero()(claimSubjectProfileNonce);
     signal isZeroVerifierID <== IsZero()(verifierID);
+    signal isZeroVerifierSessionID <== IsZero()(verifierSessionID);
 
-    signal hash <== Poseidon(6)([genesisID, claimSubjectProfileNonce, claimSchema, fieldValue, verifierID, crs]);
+    signal hash <== Poseidon(5)([genesisID, claimSubjectProfileNonce, claimSchema, verifierID, verifierSessionID]);
 
-    nullifier <== Mux2()(
-        [hash, 0, 0, 0],
-        [isZeroNonce, isZeroVerifierID]
+    signal isZero1 <== OR()(isZeroNonce, isZeroVerifierID);
+    signal isZero2 <== OR()(isZero1, isZeroVerifierSessionID);
+
+    nullifier <== Mux1()(
+        [hash, 0],
+        isZero2
     );
 }

circuits/lib/query/query.circom

@@ -21,7 +21,6 @@ include "comparators.circom";
       9 - between
     Modifier/computation operators:
       16 - selective disclosure (16 = 10000 binary)
-      17 - nullify (17 = 10001 binary)
 */
 
 // Query template works only with Query operators (0-15), for the rest returns 0

circuits/lib/stateTransition.circom

@@ -36,6 +36,10 @@ template StateTransition(IdOwnershipLevels) {
     signal input newRevTreeRoot;
     signal input newRootsTreeRoot;
 
+    signal zero <== IsZero()(userID); // comparing to zero something that can't be zero to get zero as an output
+    signal one <== 1 - zero;
+    zero * one === 0;
+
     signal cutId <== cutId()(userID);
 
     signal cutState <== cutState()(oldUserState);
@@ -48,17 +52,17 @@ template StateTransition(IdOwnershipLevels) {
 
     // check newUserState is not zero
     signal stateIsNotZero <== IsZero()(newUserState);
-    stateIsNotZero === 0;
+    ForceEqualIfEnabled()(one, [stateIsNotZero, 0]);
 
     // old & new state checks
     signal oldNewNotEqual <== IsEqual()([oldUserState, newUserState]);
-    oldNewNotEqual === 0;
+    ForceEqualIfEnabled()(one, [oldNewNotEqual, 0]);
 
     // check userID ownership by correct signature of a hash of old state and new state
     signal challenge <== Poseidon(2)([oldUserState, newUserState]);
 
     IdOwnership(IdOwnershipLevels)(
-        1,
+        one,
         oldUserState,
         claimsTreeRoot,
         authClaimMtp,
@@ -75,8 +79,11 @@ template StateTransition(IdOwnershipLevels) {
         signatureS
     );
 
+    signal authClaimHi, authClaimHv;
+	(authClaimHi, authClaimHv) <== getClaimHiHv()(authClaim);
+
     // check auth claim exists in newClaimsTreeRoot and newUserState
-    checkClaimExists(IdOwnershipLevels)(1, authClaim, newAuthClaimMtp, newClaimsTreeRoot);
+    checkClaimExists(IdOwnershipLevels)(one, authClaimHi, authClaimHv, newAuthClaimMtp, newClaimsTreeRoot);
 
-    checkIdenStateMatchesRoots()(1, newClaimsTreeRoot, newRevTreeRoot, newRootsTreeRoot, newUserState);
+    checkIdenStateMatchesRoots()(one, newClaimsTreeRoot, newRevTreeRoot, newRootsTreeRoot, newUserState);
 }