statetransition

package
v0.0.7 Latest
Warning

This package is not in the latest version of its module.

Published: May 4, 2026 License: AGPL-3.0 Imports: 29 Imported by: 0

Documentation


Constants

This section is empty.

Variables

Artifacts contains the circuit artifacts for the state transition circuit, which includes the proving and verification keys.

HashFn is the hash function used in the circuit. It should be equivalent to the hash function used in the state package (state.HashFn).

Functions

func BallotIndex added in v0.0.2

func BallotIndex(api frontend.API, voterIndex frontend.Variable) frontend.Variable

BallotIndex returns a BallotIndex in the lower half of the 64-bit space, between BallotMin and BallotMax.

BallotIndex = BallotMin + voterIndex

func Compile added in v0.0.2

func Compile(aggregatorCCS constraint.ConstraintSystem, aggregatorVK groth16.VerifyingKey) (constraint.ConstraintSystem, error)

Compile compiles the StateTransition circuit definition from the inner aggregator CCS and verifying key.

func DummyCSPProof

func DummyCSPProof() csp.CSPProof

DummyCSPProof function returns a dummy CSP public key and signature to fill the vote verifier inputs when the census origin is not CSP.

func DummyMerkleProof

func DummyMerkleProof() imt.MerkleProof

DummyMerkleProof function returns a dummy Merkle proof to fill the vote verifier inputs when the census origin is not MerkleTreeXXX.

func GenerateAssignment added in v0.0.4

func GenerateAssignment(
	o *state.State,
	censusRoot *types.BigInt,
	censusProofs CensusProofs,
	kSeed *types.BigInt,
) (*StateTransitionCircuit, *PublicInputs, error)

GenerateAssignment builds the circuit assignment for the state transition circuit from the given state object. It populates the assignment structure with the necessary data, including the root hash before and after the transition, the process information, the votes, and the results. It also returns the public inputs in their original format.

Types

type CensusProofs

type CensusProofs struct {
	MerkleProofs [params.VotesPerBatch]imt.MerkleProof
	CSPProofs    [params.VotesPerBatch]csp.CSPProof
}

CensusProofs struct contains the Merkle proofs and CSP proofs for the voters of the ballots in the batch. They can be Merkle tree proofs or CSP proofs, depending on the census origin.

type ProcessProofs

type ProcessProofs struct {
	ID            merkleproof.MerkleProof
	CensusOrigin  merkleproof.MerkleProof
	BallotMode    merkleproof.MerkleProof
	EncryptionKey merkleproof.MerkleProof
}

ProcessProofs struct contains the Merkle proofs for the process: one each for the ID, CensusOrigin, BallotMode and EncryptionKey.

type PublicInputs

type PublicInputs struct {
	RootHashBefore        *big.Int
	RootHashAfter         *big.Int
	VotersCount           *big.Int
	OverwrittenVotesCount *big.Int
	CensusRoot            *big.Int
	BlobCommitmentLimbs   [3]*big.Int
}

PublicInputs contains all the public inputs for the state transition circuit in their original format (not Gnark format). This is useful for tests and for creating the storage.StateTransitionBatchProofInputs.

type Results

type Results struct {
	OldResults circuits.Ballot
	NewResults circuits.Ballot
}

Results struct contains the ballot struct for the net results before and after the aggregation.

type ResultsProofs

type ResultsProofs struct {
	Results merkleproof.MerkleTransition
}

ResultsProofs struct contains the Merkle transition proof for the results.

type StateTransitionCircuit

type StateTransitionCircuit struct {
	// Public inputs
	RootHashBefore        frontend.Variable `gnark:",public"`
	RootHashAfter         frontend.Variable `gnark:",public"`
	VotersCount           frontend.Variable `gnark:",public"`
	OverwrittenVotesCount frontend.Variable `gnark:",public"`

	// Census root
	CensusRoot frontend.Variable `gnark:",public"`
	// Private census inclusion proofs
	CensusProofs CensusProofs

	// KZG commitment to the blob (as 3 x 16-byte limbs)
	BlobCommitmentLimbs [3]frontend.Variable `gnark:",public"`

	// Private KZG proof and evaluation result (verified in-circuit)
	BlobProofLimbs        [3]frontend.Variable
	BlobEvaluationResultY emulated.Element[emulated.BLS12381Fr]

	// Private data inputs
	Process       circuits.Process[frontend.Variable]
	Votes         [params.VotesPerBatch]Vote
	Results       Results
	ReencryptionK frontend.Variable

	// Private merkle proofs inputs
	ProcessProofs ProcessProofs
	VotesProofs   VotesProofs
	ResultsProofs ResultsProofs

	// Private recursive proof inputs
	AggregatorProof groth16.Proof[sw_bw6761.G1Affine, sw_bw6761.G2Affine]
	AggregatorVK    groth16.VerifyingKey[sw_bw6761.G1Affine, sw_bw6761.G2Affine, sw_bw6761.GTEl] `gnark:"-"`
}

func (StateTransitionCircuit) CalculateAggregatorWitness

func (c StateTransitionCircuit) CalculateAggregatorWitness(api frontend.API, isRealVote []frontend.Variable) (groth16.Witness[sw_bw6761.ScalarField], error)

CalculateAggregatorWitness calculates the witness for the Aggregator proof. The Aggregator witness is the hash of the public inputs of the proof of each vote that it aggregates. The public inputs of the proof of each vote are composed of the hash of the public-private inputs of the proof, which is an emulated.Element[sw_bn254.ScalarField]. To calculate the witness we need to calculate each hash of the public inputs of the proof of each vote (this can be done using native Poseidon because this circuit should work in the bn254 curve). But the witness should be an emulated element of the bw6761 curve that contains the hash as an emulated element of the bn254 curve. So we need to transform the hash, first to an emulated element of the bn254 curve, and then to an emulated element of the bw6761 curve.

func (StateTransitionCircuit) Define

func (circuit StateTransitionCircuit) Define(api frontend.API) error

Define declares the circuit's constraints.

func (StateTransitionCircuit) VerifyAggregatorProof

func (circuit StateTransitionCircuit) VerifyAggregatorProof(api frontend.API, isRealVote []frontend.Variable)

VerifyAggregatorProof verifies the Aggregator proof using the witness calculated by the CalculateAggregatorWitness function. It uses the groth16 verifier to verify the proof. The proof is verified using the AggregatorVK, which is the verification key of the Aggregator proof.

func (StateTransitionCircuit) VerifyBallots

func (circuit StateTransitionCircuit) VerifyBallots(api frontend.API)

VerifyBallots sums the ballots using homomorphic encryption and checks that the count of all ballots is equal to VotersCount and that the count of overwritten ballots is equal to OverwrittenVotesCount. It uses the Ballot structure to sum the ballots.

func (StateTransitionCircuit) VerifyBlobs

func (circuit StateTransitionCircuit) VerifyBlobs(api frontend.API)

VerifyBlobs builds the blob from the state transition data and verifies its KZG commitment using the provided evaluation point and result.

func (StateTransitionCircuit) VerifyCSPCensusProofs

func (c StateTransitionCircuit) VerifyCSPCensusProofs(api frontend.API, isRealVote []frontend.Variable)

VerifyCSPCensusProofs verifies the CSP proofs of the votes in the batch. It verifies the CSP proof of each vote using its IsValid function, but the result is only asserted if the census origin is CSP and the vote is real.

func (StateTransitionCircuit) VerifyIsValidCensusOrigin added in v0.0.4

func (circuit StateTransitionCircuit) VerifyIsValidCensusOrigin(api frontend.API)

VerifyIsValidCensusOrigin asserts that the census origin is one of the variants currently supported by the circuit.

func (StateTransitionCircuit) VerifyLeafHashes

func (circuit StateTransitionCircuit) VerifyLeafHashes(api frontend.API, hFn utils.Hasher)

VerifyLeafHashes verifies that the leaf hashes of the process, votes and results are correct, that is, that they are equal to the leaf hashes of the proofs. It uses the VerifyLeafHash function of the MerkleProof structure to verify the leaf hashes.

func (StateTransitionCircuit) VerifyMerkleCensusProofs

func (c StateTransitionCircuit) VerifyMerkleCensusProofs(api frontend.API, isRealVote []frontend.Variable)

VerifyMerkleCensusProofs verifies the Merkle proofs of the votes in the batch. It verifies the Merkle proof of each vote using its Verify function and that the leaf is correct, but the result is only asserted if the census origin is MerkleTree and the vote is real.

func (StateTransitionCircuit) VerifyMerkleTransitionKeys added in v0.0.4

func (circuit StateTransitionCircuit) VerifyMerkleTransitionKeys(api frontend.API)

VerifyMerkleTransitionKeys asserts that the merkle transition keys are bound to the canonical state keys or namespaces.

func (StateTransitionCircuit) VerifyMerkleTransitions

func (circuit StateTransitionCircuit) VerifyMerkleTransitions(api frontend.API, isRealVote []frontend.Variable)

VerifyMerkleTransitions enforces that each MerkleTransition is of the expected type:

  • Ballot transitions must be INSERT or UPDATE
  • VoteID transitions must be INSERT
  • Results transition must be UPDATE
  • all dummy slots must be NOOP

func (StateTransitionCircuit) VerifyProcessProofKeys added in v0.0.4

func (circuit StateTransitionCircuit) VerifyProcessProofKeys(api frontend.API)

VerifyProcessProofKeys asserts that the process proofs are bound to the canonical state keys for each process parameter.

func (StateTransitionCircuit) VerifyProcessProofs added in v0.0.4

func (circuit StateTransitionCircuit) VerifyProcessProofs(api frontend.API, hFn utils.Hasher)

VerifyProcessProofs verifies that the ProcessID, CensusOrigin, BallotMode and EncryptionKey belong to the RootHashBefore. It uses the MerkleProof structure to verify the proofs. The proofs are verified using the Verify function of the MerkleProof structure.

func (StateTransitionCircuit) VerifyReencryptedVotes

func (circuit StateTransitionCircuit) VerifyReencryptedVotes(api frontend.API, isRealVote []frontend.Variable)

VerifyReencryptedVotes reencrypts the votes using the reencryptionK and checks if the result is equal to the reencrypted ballot provided as input. To reencrypt the votes, it adds the encrypted zero ballot to the original ballot. The encrypted zero uses the reencryptionK as the randomness.
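
The re-encryption check described above, as an added example that is not the package's code. It assumes exponential ElGamal over a small constructed multiplicative group in place of the circuit's own ballot encryption; all names and parameters are hypothetical.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy group (constructed): order-1019 subgroup of Z_2039* generated by 4.
var p, g = big.NewInt(2039), big.NewInt(4)

// Cipher is an exponential-ElGamal ciphertext (g^r, g^m * pub^r).
type Cipher struct{ C1, C2 *big.Int }

func pow(b *big.Int, e int64) *big.Int { return new(big.Int).Exp(b, big.NewInt(e), p) }
func mul(a, b *big.Int) *big.Int       { return new(big.Int).Mod(new(big.Int).Mul(a, b), p) }

func encrypt(pub *big.Int, m, r int64) Cipher {
	return Cipher{pow(g, r), mul(pow(g, m), pow(pub, r))}
}

// add is the homomorphic sum: the plaintexts and the randomness both add up.
func add(a, b Cipher) Cipher { return Cipher{mul(a.C1, b.C1), mul(a.C2, b.C2)} }

// reencrypt adds an encryption of zero that uses k as its randomness.
func reencrypt(pub *big.Int, c Cipher, k int64) Cipher { return add(c, encrypt(pub, 0, k)) }

// verifyReencrypted recomputes the re-encryption and compares it with the claim.
func verifyReencrypted(pub *big.Int, orig, claimed Cipher, k int64) bool {
	want := reencrypt(pub, orig, k)
	return want.C1.Cmp(claimed.C1) == 0 && want.C2.Cmp(claimed.C2) == 0
}

// decrypt recovers a small plaintext by searching g^m == C2 / C1^priv.
func decrypt(priv int64, c Cipher, limit int64) int64 {
	gm := mul(c.C2, new(big.Int).ModInverse(pow(c.C1, priv), p))
	for m := int64(0); m <= limit; m++ {
		if pow(g, m).Cmp(gm) == 0 {
			return m
		}
	}
	return -1
}

func main() {
	pub := pow(g, 77) // constructed key pair, private key 77
	c := encrypt(pub, 3, 123)
	rc := reencrypt(pub, c, 456)
	fmt.Println(decrypt(77, rc, 10), verifyReencrypted(pub, c, rc, 456), verifyReencrypted(pub, c, rc, 457))
}
```

The re-encrypted ciphertext differs from the original but decrypts to the same value, and the check only passes for the k that was actually used.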

func (StateTransitionCircuit) VerifyRootTransition added in v0.0.2

func (circuit StateTransitionCircuit) VerifyRootTransition(api frontend.API, hFn utils.Hasher)

VerifyRootTransition verifies that the chain of tree transitions is valid. The order of the transitions is fundamental to achieve the final root hash.

func (StateTransitionCircuit) VoteMask

VoteMask returns the latch-based mask for real votes. It computes a mask where the i-th element is 1 if the vote is real and 0 otherwise. It uses latch logic to avoid expensive comparisons inside the loops.
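
A plain-Go model of the latch mask and of the transition-type rules listed under VerifyMerkleTransitions, as an added example that is not the package's code. The Slot layout, the function names and the link between UPDATE ballot transitions and the overwritten count are assumptions made for illustration.

```go
package main

import "fmt"

type Op int // Merkle transition type, named as in the list above

const (
	NOOP Op = iota
	INSERT
	UPDATE
)

type Slot struct{ Ballot, VoteID Op } // hypothetical per-vote record

// latchMask returns 1 for slots below votersCount and 0 from there on.
func latchMask(votersCount, slots int) []int {
	mask, latch := make([]int, slots), 1
	for i := range mask {
		if i == votersCount { // in-circuit: latch *= 1 - IsZero(votersCount - i)
			latch = 0
		}
		mask[i] = latch
	}
	return mask
}

// checkBatch applies the transition-type rules to every slot of a batch.
// Assumption: an UPDATE ballot transition is what counts as an overwritten vote.
func checkBatch(votersCount, overwritten int, slots []Slot, results Op) error {
	updates := 0
	for i, isReal := range latchMask(votersCount, len(slots)) {
		s := slots[i]
		realOK := (s.Ballot == INSERT || s.Ballot == UPDATE) && s.VoteID == INSERT
		dummyOK := s.Ballot == NOOP && s.VoteID == NOOP
		if (isReal == 1 && !realOK) || (isReal == 0 && !dummyOK) {
			return fmt.Errorf("slot %d: transition type not allowed (real=%d)", i, isReal)
		}
		if s.Ballot == UPDATE {
			updates++
		}
	}
	if results != UPDATE || votersCount > len(slots) || updates != overwritten {
		return fmt.Errorf("results or counts inconsistent: %d updates, %d claimed", updates, overwritten)
	}
	return nil
}

// sample is a constructed batch: two real votes (one overwrite), two dummy slots.
var sample = []Slot{{INSERT, INSERT}, {UPDATE, INSERT}, {NOOP, NOOP}, {NOOP, NOOP}}
func main() { fmt.Println(latchMask(2, len(sample)), checkBatch(2, 1, sample, UPDATE)) }
```

Each slot costs one equality test because the latch carries the "past the last real vote" state forward, and a dummy slot that carries anything other than NOOP is rejected rather than silently applied.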

type Vote

type Vote struct {
	circuits.Vote[frontend.Variable]
	BallotIndex       frontend.Variable
	ReencryptedBallot circuits.Ballot
	OverwrittenBallot circuits.Ballot
}

Vote struct contains the circuits.Vote struct and the overwritten ballot.

func (Vote) OverwrittenBallotLeafValues added in v0.0.7

func (v Vote) OverwrittenBallotLeafValues() []frontend.Variable

OverwrittenBallotLeafValues returns the values stored in the overwritten ballot leaf.

func (Vote) ReencryptedBallotLeafValues added in v0.0.7

func (v Vote) ReencryptedBallotLeafValues() []frontend.Variable

ReencryptedBallotLeafValues returns the values stored in the new ballot leaf.

type VotesProofs

VotesProofs struct contains the Merkle transition proofs for the ballots and voteIDs.
