@aztec/stdlib 3.0.0-nightly.20251013 → 3.0.0-nightly.20251015

package/src/logs/directional_app_tagging_secret.ts

@@ -0,0 +1,78 @@
+import { Grumpkin, poseidon2Hash } from '@aztec/foundation/crypto';
+import { type Fq, Fr, type Point } from '@aztec/foundation/fields';
+
+import { z } from 'zod';
+
+import type { AztecAddress } from '../aztec-address/index.js';
+import type { CompleteAddress } from '../contract/complete_address.js';
+import { computeAddressSecret, computePreaddress } from '../keys/derivation.js';
+
+/**
+ * Directional application tagging secret used for log tagging.
+ *
+ * "Directional" because the derived secret is bound to the recipient
+ * address: A→B differs from B→A even with the same participants and app.
+ *
+ * Note: It's a bit unfortunate that this type resides in `stdlib` as the rest of the tagging functionality resides
+ * in `pxe/src/tagging`. We need to use this type in `IndexedTaggingSecret` that in turn is used by other types
+ * in stdlib hence there doesn't seem to be a good way around this.
+ */
+export class DirectionalAppTaggingSecret {
+  private constructor(public readonly value: Fr) {}
+
+  /**
+   * Derives shared tagging secret and from that, the app address and recipient derives the directional app tagging
+   * secret.
+   *
+   * @param localAddress - The complete address of entity A in the shared tagging secret derivation scheme
+   * @param localIvsk - The incoming viewing secret key of entity A
+   * @param externalAddress - The address of entity B in the shared tagging secret derivation scheme
+   * @param app - Contract address to silo the secret to
+   * @param recipient - Recipient of the log. Defines the "direction of the secret".
+   * @returns The secret that can be used along with an index to compute a tag to be included in a log.
+   */
+  static async compute(
+    localAddress: CompleteAddress,
+    localIvsk: Fq,
+    externalAddress: AztecAddress,
+    app: AztecAddress,
+    recipient: AztecAddress,
+  ): Promise<DirectionalAppTaggingSecret> {
+    const taggingSecretPoint = await computeSharedTaggingSecret(localAddress, localIvsk, externalAddress);
+    const appTaggingSecret = await poseidon2Hash([taggingSecretPoint.x, taggingSecretPoint.y, app]);
+    const directionalAppTaggingSecret = await poseidon2Hash([appTaggingSecret, recipient]);
+
+    return new DirectionalAppTaggingSecret(directionalAppTaggingSecret);
+  }
+
+  toString(): string {
+    return this.value.toString();
+  }
+
+  static fromString(str: string): DirectionalAppTaggingSecret {
+    return new DirectionalAppTaggingSecret(Fr.fromString(str));
+  }
+}
+
+// Returns shared tagging secret computed with Diffie-Hellman key exchange.
+async function computeSharedTaggingSecret(
+  localAddress: CompleteAddress,
+  localIvsk: Fq,
+  externalAddress: AztecAddress,
+): Promise<Point> {
+  const knownPreaddress = await computePreaddress(await localAddress.publicKeys.hash(), localAddress.partialAddress);
+  // TODO: #8970 - Computation of address point from x coordinate might fail
+  const externalAddressPoint = await externalAddress.toAddressPoint();
+  const curve = new Grumpkin();
+  // Given A (local complete address) -> B (external address) and h == preaddress
+  // Compute shared secret as S = (h_A + local_ivsk_A) * Addr_Point_B
+
+  // Beware! h_a + local_ivsk_a (also known as the address secret) can lead to an address point with a negative
+  // y-coordinate, since there's two possible candidates computeAddressSecret takes care of selecting the one that
+  // leads to a positive y-coordinate, which is the only valid address point
+  return curve.mul(externalAddressPoint, await computeAddressSecret(knownPreaddress, localIvsk));
+}
+
+export const DirectionalAppTaggingSecretSchema = z.object({
+  value: Fr.schema,
+});

package/src/logs/index.ts

@@ -1,4 +1,5 @@
 export * from './log_with_tx_data.js';
+export * from './directional_app_tagging_secret.js';
 export * from './indexed_tagging_secret.js';
 export * from './contract_class_log.js';
 export * from './public_log.js';

package/src/logs/indexed_tagging_secret.ts

@@ -1,48 +1,25 @@
-import { poseidon2Hash } from '@aztec/foundation/crypto';
-import { Fr } from '@aztec/foundation/fields';
+import { schemas } from '@aztec/foundation/schemas';
 
-import type { AztecAddress } from '../aztec-address/index.js';
+import { z } from 'zod';
 
-export class IndexedTaggingSecret {
-  constructor(
-    public appTaggingSecret: Fr,
-    public index: number,
-  ) {
-    if (index < 0) {
-      throw new Error('IndexedTaggingSecret index out of bounds');
-    }
-  }
+import {
+  type DirectionalAppTaggingSecret,
+  DirectionalAppTaggingSecretSchema,
+} from './directional_app_tagging_secret.js';
 
-  toFields(): Fr[] {
-    return [this.appTaggingSecret, new Fr(this.index)];
-  }
+/**
+ * Represents a preimage of a private log tag (see `Tag` in `pxe/src/tagging`).
+ *
+ * Note: It's a bit unfortunate that this type resides in `stdlib` as the rest of the tagging functionality resides
+ * in `pxe/src/tagging`. But this type is used by other types in stdlib hence there doesn't seem to be a good way
+ * around this.
+ */
+export type IndexedTaggingSecret = {
+  secret: DirectionalAppTaggingSecret;
+  index: number;
+};
 
-  static fromFields(serialized: Fr[]) {
-    return new this(serialized[0], serialized[1].toNumber());
-  }
-
-  /**
-   * Computes the tag based on the app tagging secret, recipient and index.
-   * @dev By including the recipient we achieve "directionality" of the tag (when sending a note in the other
-   * direction, the tag will be different).
-   * @param recipient The recipient of the note
-   * @returns The tag.
-   */
-  computeTag(recipient: AztecAddress) {
-    return poseidon2Hash([this.appTaggingSecret, recipient, this.index]);
-  }
-
-  /**
-   * Computes the siloed tag.
-   * @dev We do this second layer of siloing (one was already done as the tagging secret is app-siloed) because kernels
-   * do that to protect against contract impersonation attacks. This extra layer of siloing in kernels ensures that
-   * a malicious contract cannot emit a note with a tag corresponding to another contract.
-   * @param recipient The recipient of the note
-   * @param app The app address
-   * @returns The siloed tag.
-   */
-  async computeSiloedTag(recipient: AztecAddress, app: AztecAddress) {
-    const tag = await this.computeTag(recipient);
-    return poseidon2Hash([app, tag]);
-  }
-}
+export const IndexedTaggingSecretSchema = z.object({
+  secret: DirectionalAppTaggingSecretSchema,
+  index: schemas.Integer,
+});

package/src/noir/index.ts

@@ -64,6 +64,8 @@ interface NoirFunctionEntry {
 export interface NoirCompiledContract {
   /** The name of the contract. */
   name: string;
+  /** Is the contract's public bytecode transpiled? */
+  transpiled?: boolean;
   /** The functions of the contract. */
   functions: NoirFunctionEntry[];
   /** The events of the contract */

package/src/rollup/checkpoint_rollup_public_inputs.ts

@@ -118,6 +118,10 @@ export class FeeRecipient {
     return serializeToFields(...FeeRecipient.getFields(this));
   }
 
+  static empty() {
+    return new FeeRecipient(EthAddress.ZERO, Fr.ZERO);
+  }
+
   isEmpty() {
     return this.value.isZero() && this.recipient.isZero();
   }

package/src/tests/factories.ts

@@ -88,6 +88,7 @@ import {
   computeContractClassId,
   computePublicBytecodeCommitment,
 } from '../contract/index.js';
+import { computeEffectiveGasFees } from '../fees/transaction_fee.js';
 import { Gas, GasFees, GasSettings, type GasUsed } from '../gas/index.js';
 import { computeCalldataHash } from '../hash/hash.js';
 import type { MerkleTreeReadOperations } from '../interfaces/merkle_tree_operations.js';
@@ -1544,6 +1545,8 @@ export async function makeBloatedProcessedTx({
   newL1ToL2Snapshot = AppendOnlyTreeSnapshot.empty(),
   feePayer,
   feePaymentPublicDataWrite,
+  // The default gasUsed is the tx overhead.
+  gasUsed = Gas.from({ daGas: FIXED_DA_GAS, l2Gas: FIXED_L2_GAS }),
   privateOnly = false,
 }: {
   seed?: number;
@@ -1558,6 +1561,7 @@ export async function makeBloatedProcessedTx({
   protocolContracts?: ProtocolContracts;
   feePayer?: AztecAddress;
   feePaymentPublicDataWrite?: PublicDataWrite;
+  gasUsed?: Gas;
   privateOnly?: boolean;
 } = {}) {
   seed *= 0x1000; // Avoid clashing with the previous mock values if seed only increases by 1.
@@ -1573,22 +1577,21 @@ export async function makeBloatedProcessedTx({
   txConstantData.protocolContractsHash = await protocolContracts.hash();
 
   const tx = !privateOnly
-    ? await mockTx(seed, { feePayer })
+    ? await mockTx(seed, { feePayer, gasUsed })
     : await mockTx(seed, {
         numberOfNonRevertiblePublicCallRequests: 0,
         numberOfRevertiblePublicCallRequests: 0,
         feePayer,
+        gasUsed,
       });
   tx.data.constants = txConstantData;
 
-  // No side effects were created in mockTx. The default gasUsed is the tx overhead.
-  tx.data.gasUsed = Gas.from({ daGas: FIXED_DA_GAS, l2Gas: FIXED_L2_GAS });
+  const transactionFee = tx.data.gasUsed.computeFee(globalVariables.gasFees);
 
   if (privateOnly) {
     const data = makePrivateToRollupAccumulatedData(seed + 0x1000);
     clearContractClassLogs(data);
 
-    const transactionFee = tx.data.gasUsed.computeFee(globalVariables.gasFees);
     feePaymentPublicDataWrite ??= new PublicDataWrite(Fr.random(), Fr.random());
 
     tx.data.forRollup!.end = data;
@@ -1612,6 +1615,7 @@ export async function makeBloatedProcessedTx({
     avmOutput.protocolContracts = protocolContracts;
     avmOutput.startTreeSnapshots.l1ToL2MessageTree = newL1ToL2Snapshot;
     avmOutput.endTreeSnapshots.l1ToL2MessageTree = newL1ToL2Snapshot;
+    avmOutput.effectiveGasFees = computeEffectiveGasFees(globalVariables.gasFees, gasSettings);
     // Assign data from private.
     avmOutput.globalVariables = globalVariables;
     avmOutput.startGasUsed = tx.data.gasUsed;
@@ -1654,6 +1658,9 @@ export async function makeBloatedProcessedTx({
     );
     avmOutput.accumulatedDataArrayLengths = avmOutput.accumulatedData.getArrayLengths();
     avmOutput.gasSettings = gasSettings;
+    // Note: The fee is computed from the tx's gas used, which only includes the gas used in private. But this shouldn't
+    // be a problem for the tests.
+    avmOutput.transactionFee = transactionFee;
 
     const avmCircuitInputs = await makeAvmCircuitInputs(seed + 0x3000, { publicInputs: avmOutput });
     avmCircuitInputs.hints.startingTreeRoots.l1ToL2MessageTree = newL1ToL2Snapshot;

package/src/tests/mocks.ts

@@ -14,6 +14,7 @@ import { computeContractAddressFromInstance } from '../contract/contract_address
 import { getContractClassFromArtifact } from '../contract/contract_class.js';
 import { SerializableContractInstance } from '../contract/contract_instance.js';
 import type { ContractInstanceWithAddress } from '../contract/index.js';
+import { Gas } from '../gas/gas.js';
 import { GasFees } from '../gas/gas_fees.js';
 import { GasSettings } from '../gas/gas_settings.js';
 import { Nullifier } from '../kernel/nullifier.js';
@@ -84,6 +85,7 @@ export const mockTx = async (
     feePayer,
     clientIvcProof = ClientIvcProof.random(),
     maxPriorityFeesPerGas,
+    gasUsed = Gas.empty(),
     chainId = Fr.ZERO,
     version = Fr.ZERO,
     vkTreeRoot = Fr.ZERO,
@@ -97,6 +99,7 @@ export const mockTx = async (
     feePayer?: AztecAddress;
     clientIvcProof?: ClientIvcProof;
     maxPriorityFeesPerGas?: GasFees;
+    gasUsed?: Gas;
     chainId?: Fr;
     version?: Fr;
     vkTreeRoot?: Fr;
@@ -115,6 +118,7 @@ export const mockTx = async (
     maxPriorityFeesPerGas,
   });
   data.feePayer = feePayer ?? (await AztecAddress.random());
+  data.gasUsed = gasUsed;
   data.constants.txContext.chainId = chainId;
   data.constants.txContext.version = version;
   data.constants.vkTreeRoot = vkTreeRoot;
@@ -184,6 +188,7 @@ const emptyPrivateCallExecutionResult = () =>
     [],
     [],
     [],
+    [],
   );
 
 const emptyPrivateExecutionResult = () => new PrivateExecutionResult(emptyPrivateCallExecutionResult(), Fr.zero(), []);

package/src/tx/private_execution_result.ts

@@ -10,6 +10,7 @@ import { PrivateCircuitPublicInputs } from '../kernel/private_circuit_public_inp
 import type { IsEmpty } from '../kernel/utils/interfaces.js';
 import { sortByCounter } from '../kernel/utils/order_and_comparison.js';
 import { ContractClassLog, ContractClassLogFields } from '../logs/contract_class_log.js';
+import { type IndexedTaggingSecret, IndexedTaggingSecretSchema } from '../logs/indexed_tagging_secret.js';
 import { Note } from '../note/note.js';
 import { type ZodFor, mapSchema, schemas } from '../schemas/index.js';
 import type { UInt32 } from '../types/index.js';
@@ -135,6 +136,8 @@ export class PrivateCallExecutionResult {
     public returnValues: Fr[],
     /** The offchain effects emitted during execution of this function call via the `emit_offchain_effect` oracle. */
     public offchainEffects: { data: Fr[] }[],
+    /** The tagging indexes incremented by this execution along with the directional app tagging secrets. */
+    public indexedTaggingSecrets: IndexedTaggingSecret[],
     /** The nested executions. */
     public nestedExecutionResults: PrivateCallExecutionResult[],
     /**
@@ -158,6 +161,7 @@ export class PrivateCallExecutionResult {
         noteHashNullifierCounterMap: mapSchema(z.coerce.number(), z.number()),
         returnValues: z.array(schemas.Fr),
         offchainEffects: z.array(z.object({ data: z.array(schemas.Fr) })),
+        indexedTaggingSecrets: z.array(IndexedTaggingSecretSchema),
         nestedExecutionResults: z.array(z.lazy(() => PrivateCallExecutionResult.schema)),
         contractClassLogs: z.array(CountedContractClassLog.schema),
       })
@@ -175,6 +179,7 @@ export class PrivateCallExecutionResult {
       fields.noteHashNullifierCounterMap,
       fields.returnValues,
       fields.offchainEffects,
+      fields.indexedTaggingSecrets,
       fields.nestedExecutionResults,
       fields.contractClassLogs,
     );
@@ -195,6 +200,7 @@ export class PrivateCallExecutionResult {
           data: [Fr.random()],
         },
       ],
+      [],
       await timesParallel(nested, () => PrivateCallExecutionResult.random(0)),
       [new CountedContractClassLog(await ContractClassLog.random(), randomInt(10))],
     );