@aztec/stdlib 5.0.0-nightly.20260521 → 5.0.0-nightly.20260522

package/src/keys/public_keys.ts

@@ -1,12 +1,9 @@
 import {
   DEFAULT_IVPK_M_X,
   DEFAULT_IVPK_M_Y,
-  DEFAULT_NPK_M_X,
-  DEFAULT_NPK_M_Y,
-  DEFAULT_OVPK_M_X,
-  DEFAULT_OVPK_M_Y,
-  DEFAULT_TPK_M_X,
-  DEFAULT_TPK_M_Y,
+  DEFAULT_NPK_M_HASH,
+  DEFAULT_OVPK_M_HASH,
+  DEFAULT_TPK_M_HASH,
   DomainSeparator,
 } from '@aztec/constants';
 import { poseidon2HashWithSeparator } from '@aztec/foundation/crypto/poseidon';
@@ -19,189 +16,175 @@ import type { FieldsOf } from '@aztec/foundation/types';
 
 import { z } from 'zod';
 
-import type { PublicKey } from './public_key.js';
+import { type PublicKey, hashPublicKey } from './public_key.js';
 
+/**
+ * A non-owner's view of an account's master public keys.
+ *
+ * Only `ivpkM` is exposed as a point (since address derivation needs the curve
+ * point in-circuit); the other three keys are exposed as their `hashPublicKey` digests.
+ */
 export class PublicKeys {
   public constructor(
-    /** Master nullifier public key */
-    public masterNullifierPublicKey: PublicKey,
+    /** Hash of the master nullifier public key */
+    public npkMHash: Fr,
     /** Master incoming viewing public key */
-    public masterIncomingViewingPublicKey: PublicKey,
-    /** Master outgoing viewing public key */
-    public masterOutgoingViewingPublicKey: PublicKey,
-    /** Master tagging viewing public key */
-    public masterTaggingPublicKey: PublicKey,
+    public ivpkM: PublicKey,
+    /** Hash of the master outgoing viewing public key */
+    public ovpkMHash: Fr,
+    /** Hash of the master tagging public key */
+    public tpkMHash: Fr,
   ) {}
 
   static get schema() {
     return z
       .object({
-        masterNullifierPublicKey: schemas.Point,
-        masterIncomingViewingPublicKey: schemas.Point,
-        masterOutgoingViewingPublicKey: schemas.Point,
-        masterTaggingPublicKey: schemas.Point,
+        npkMHash: schemas.Fr,
+        ivpkM: schemas.Point,
+        ovpkMHash: schemas.Fr,
+        tpkMHash: schemas.Fr,
       })
       .transform(PublicKeys.from);
   }
 
   static from(fields: FieldsOf<PublicKeys>) {
-    return new PublicKeys(
-      fields.masterNullifierPublicKey,
-      fields.masterIncomingViewingPublicKey,
-      fields.masterOutgoingViewingPublicKey,
-      fields.masterTaggingPublicKey,
-    );
+    return new PublicKeys(fields.npkMHash, fields.ivpkM, fields.ovpkMHash, fields.tpkMHash);
   }
 
   /**
    * Creates a PublicKeys from a plain object without Zod validation.
-   * This method is optimized for performance and skips validation, making it suitable
-   * for deserializing trusted data (e.g., from C++ via MessagePack).
-   * @param obj - Plain object containing PublicKeys fields
-   * @returns A PublicKeys instance
+   * Suitable for deserializing trusted data (e.g., from C++ via MessagePack).
    */
   static fromPlainObject(obj: any): PublicKeys {
     if (obj instanceof PublicKeys) {
       return obj;
     }
     return new PublicKeys(
-      Point.fromPlainObject(obj.masterNullifierPublicKey),
-      Point.fromPlainObject(obj.masterIncomingViewingPublicKey),
-      Point.fromPlainObject(obj.masterOutgoingViewingPublicKey),
-      Point.fromPlainObject(obj.masterTaggingPublicKey),
+      Fr.fromPlainObject(obj.npkMHash),
+      Point.fromPlainObject(obj.ivpkM),
+      Fr.fromPlainObject(obj.ovpkMHash),
+      Fr.fromPlainObject(obj.tpkMHash),
     );
   }
 
-  hash() {
-    return this.isEmpty()
-      ? Fr.ZERO
-      : poseidon2HashWithSeparator(
-          [
-            this.masterNullifierPublicKey,
-            this.masterIncomingViewingPublicKey,
-            this.masterOutgoingViewingPublicKey,
-            this.masterTaggingPublicKey,
-          ],
-          DomainSeparator.PUBLIC_KEYS_HASH,
-        );
+  async hash() {
+    if (this.isEmpty()) {
+      return Fr.ZERO;
+    }
+    // Mirror Noir's `PublicKeys::hash`: hash the four single-key digests under
+    // DOM_SEP__PUBLIC_KEYS_HASH. `ivpk_m` must be reduced to its single-key digest first
+    // (Poseidon2 over [x, y]); passing the Point directly would inadvertently include
+    // `is_infinite` and produce a different value.
+    const ivpkMHash = await hashPublicKey(this.ivpkM);
+    return poseidon2HashWithSeparator(
+      [this.npkMHash, ivpkMHash, this.ovpkMHash, this.tpkMHash],
+      DomainSeparator.PUBLIC_KEYS_HASH,
+    );
   }
 
   isEmpty() {
-    return (
-      this.masterNullifierPublicKey.isZero() &&
-      this.masterIncomingViewingPublicKey.isZero() &&
-      this.masterOutgoingViewingPublicKey.isZero() &&
-      this.masterTaggingPublicKey.isZero()
-    );
+    return this.npkMHash.isZero() && this.ivpkM.isZero() && this.ovpkMHash.isZero() && this.tpkMHash.isZero();
   }
 
   static default(): PublicKeys {
+    // Precomputed `hash_public_key(Point { DEFAULT_*_X, DEFAULT_*_Y, false })` for npk/ovpk/tpk.
+    // Sourced from constants.gen.ts (originally defined in
+    // noir-protocol-circuits/crates/types/src/constants.nr); a self-test in public_keys.nr
+    // (`default_hashes_match_default_points`) catches drift between the *_HASH constants and
+    // the underlying X/Y points.
     return new PublicKeys(
-      new Point(new Fr(DEFAULT_NPK_M_X), new Fr(DEFAULT_NPK_M_Y), false),
+      new Fr(DEFAULT_NPK_M_HASH),
       new Point(new Fr(DEFAULT_IVPK_M_X), new Fr(DEFAULT_IVPK_M_Y), false),
-      new Point(new Fr(DEFAULT_OVPK_M_X), new Fr(DEFAULT_OVPK_M_Y), false),
-      new Point(new Fr(DEFAULT_TPK_M_X), new Fr(DEFAULT_TPK_M_Y), false),
+      new Fr(DEFAULT_OVPK_M_HASH),
+      new Fr(DEFAULT_TPK_M_HASH),
     );
   }
 
   static async random(): Promise<PublicKeys> {
-    return new PublicKeys(await Point.random(), await Point.random(), await Point.random(), await Point.random());
+    const npkM = await Point.random();
+    const ovpkM = await Point.random();
+    const tpkM = await Point.random();
+    return new PublicKeys(
+      await hashPublicKey(npkM),
+      await Point.random(),
+      await hashPublicKey(ovpkM),
+      await hashPublicKey(tpkM),
+    );
   }
 
-  /**
-   * Determines if this PublicKeys instance is equal to the given PublicKeys instance.
-   * Equality is based on the content of their respective buffers.
-   *
-   * @param other - The PublicKeys instance to compare against.
-   * @returns True if the buffers of both instances are equal, false otherwise.
-   */
   equals(other: PublicKeys): boolean {
     return (
-      this.masterNullifierPublicKey.equals(other.masterNullifierPublicKey) &&
-      this.masterIncomingViewingPublicKey.equals(other.masterIncomingViewingPublicKey) &&
-      this.masterOutgoingViewingPublicKey.equals(other.masterOutgoingViewingPublicKey) &&
-      this.masterTaggingPublicKey.equals(other.masterTaggingPublicKey)
+      this.npkMHash.equals(other.npkMHash) &&
+      this.ivpkM.equals(other.ivpkM) &&
+      this.ovpkMHash.equals(other.ovpkMHash) &&
+      this.tpkMHash.equals(other.tpkMHash)
     );
   }
 
-  /**
-   * Converts the PublicKeys instance into a Buffer.
-   * This method should be used when encoding the address for storage, transmission or serialization purposes.
-   *
-   * @returns A Buffer representation of the PublicKeys instance.
-   */
   toBuffer(): Buffer {
-    return serializeToBuffer([
-      this.masterNullifierPublicKey,
-      this.masterIncomingViewingPublicKey,
-      this.masterOutgoingViewingPublicKey,
-      this.masterTaggingPublicKey,
-    ]);
+    return serializeToBuffer([this.npkMHash, this.ivpkM, this.ovpkMHash, this.tpkMHash]);
   }
 
-  /**
-   * Creates an PublicKeys instance from a given buffer or BufferReader.
-   * If the input is a Buffer, it wraps it in a BufferReader before processing.
-   * Throws an error if the input length is not equal to the expected size.
-   *
-   * @param buffer - The input buffer or BufferReader containing the address data.
-   * @returns - A new PublicKeys instance with the extracted address data.
-   */
   static fromBuffer(buffer: Buffer | BufferReader): PublicKeys {
     const reader = BufferReader.asReader(buffer);
-    const masterNullifierPublicKey = reader.readObject(Point);
-    const masterIncomingViewingPublicKey = reader.readObject(Point);
-    const masterOutgoingViewingPublicKey = reader.readObject(Point);
-    const masterTaggingPublicKey = reader.readObject(Point);
-    return new PublicKeys(
-      masterNullifierPublicKey,
-      masterIncomingViewingPublicKey,
-      masterOutgoingViewingPublicKey,
-      masterTaggingPublicKey,
-    );
+    const npkMHash = Fr.fromBuffer(reader);
+    const ivpkM = reader.readObject(Point);
+    const ovpkMHash = Fr.fromBuffer(reader);
+    const tpkMHash = Fr.fromBuffer(reader);
+    return new PublicKeys(npkMHash, ivpkM, ovpkMHash, tpkMHash);
   }
 
   toNoirStruct() {
-    // We need to use lowercase identifiers as those are what the noir interface expects
-
+    // We need to use lowercase identifiers as those are what the noir interface expects.
+    /* eslint-disable camelcase */
     return {
-      // TODO(#6337): Directly dump account.publicKeys here
-      /* eslint-disable camelcase */
-      npk_m: this.masterNullifierPublicKey.toWrappedNoirStruct(),
-      ivpk_m: this.masterIncomingViewingPublicKey.toWrappedNoirStruct(),
-      ovpk_m: this.masterOutgoingViewingPublicKey.toWrappedNoirStruct(),
-      tpk_m: this.masterTaggingPublicKey.toWrappedNoirStruct(),
-      /* eslint-enable camelcase */
+      npk_m_hash: this.npkMHash,
+      ivpk_m: this.ivpkM.toWrappedNoirStruct(),
+      ovpk_m_hash: this.ovpkMHash,
+      tpk_m_hash: this.tpkMHash,
     };
+    /* eslint-enable camelcase */
   }
 
   /**
-   * Serializes the payload to an array of fields
-   * @returns The fields of the payload
+   * Wire-format fields matching Noir's struct flattening of `PublicKeys`:
+   * `[npk_m_hash, ivpk_m.x, ivpk_m.y, ivpk_m.is_infinite, ovpk_m_hash, tpk_m_hash]` (6 fields).
+   *
+   * The `is_infinite` slot is `0` for `ivpkM` produced by `deriveKeys` (fixed-base scalar
+   * multiplication on Grumpkin cannot reach infinity for a non-zero scalar, and Poseidon-derived
+   * scalars are non-zero with cryptographically negligible exception). External flows that
+   * import pre-derived keys are responsible for maintaining this invariant (see the AZIP-8
+   * migration note "Security note (PXE side)"). The slot stays on the wire because the Noir
+   * struct's `Point` still carries the flag. AZIP-8's "drop `is_infinite`" goal applies to the
+   * address-derivation hash (via `hash_public_key`, computed elsewhere), not to the
+   * contract-call args wire.
+   * TODO(F-553): drop the `is_infinite` slot once `Point` no longer carries the flag.
    */
   toFields(): Fr[] {
     return [
-      ...this.masterNullifierPublicKey.toFields(),
-      ...this.masterIncomingViewingPublicKey.toFields(),
-      ...this.masterOutgoingViewingPublicKey.toFields(),
-      ...this.masterTaggingPublicKey.toFields(),
+      this.npkMHash,
+      this.ivpkM.x,
+      this.ivpkM.y,
+      new Fr(this.ivpkM.isInfinite ? 1 : 0),
+      this.ovpkMHash,
+      this.tpkMHash,
     ];
   }
 
-  // TOOD: This is used in foundation/src/abi/encoder. This is probably non-optimal but I did not want
-  // to spend too much time on the encoder now. It probably needs a refactor.
+  // Used in foundation/src/abi/encoder. Probably non-optimal but the encoder needs a refactor.
   encodeToNoir(): Fr[] {
     return this.toFields();
   }
 
   static fromFields(fields: Fr[] | FieldReader): PublicKeys {
     const reader = FieldReader.asReader(fields);
-    return new PublicKeys(
-      reader.readObject(Point),
-      reader.readObject(Point),
-      reader.readObject(Point),
-      reader.readObject(Point),
-    );
+    const npkMHash = reader.readField();
+    const ivpkMX = reader.readField();
+    const ivpkMY = reader.readField();
+    const ivpkMIsInfinite = reader.readBoolean();
+    const ovpkMHash = reader.readField();
+    const tpkMHash = reader.readField();
+    return new PublicKeys(npkMHash, new Point(ivpkMX, ivpkMY, ivpkMIsInfinite), ovpkMHash, tpkMHash);
   }
 
   toString() {

package/src/tests/factories.ts

@@ -123,7 +123,7 @@ import {
   PublicCallRequest,
   PublicCallRequestArrayLengths,
 } from '../kernel/public_call_request.js';
-import { PublicKeys, computeAddress } from '../keys/index.js';
+import { PublicKeys, computeAddress, hashPublicKey } from '../keys/index.js';
 import { ExtendedDirectionalAppTaggingSecret } from '../logs/extended_directional_app_tagging_secret.js';
 import { ContractClassLog, ContractClassLogFields } from '../logs/index.js';
 import { PrivateLog } from '../logs/private_log.js';
@@ -252,7 +252,7 @@ function makeScopedReadRequest(n: number): ScopedReadRequest {
  * @returns A KeyValidationRequest.
  */
 function makeKeyValidationRequests(seed: number): KeyValidationRequest {
-  return new KeyValidationRequest(makePoint(seed), fr(seed + 2));
+  return new KeyValidationRequest(fr(seed), fr(seed + 2));
 }
 
 /**
@@ -1220,8 +1220,13 @@ export async function makeMapAsync<T>(size: number, fn: (i: number) => Promise<[
 
 export async function makePublicKeys(seed = 0): Promise<PublicKeys> {
   const f = (offset: number) => Grumpkin.mul(Grumpkin.generator, new Fq(seed + offset));
-
-  return new PublicKeys(await f(0), await f(1), await f(2), await f(3));
+  const ivpkM = await f(1);
+  return new PublicKeys(
+    await hashPublicKey(await f(0)),
+    ivpkM,
+    await hashPublicKey(await f(2)),
+    await hashPublicKey(await f(3)),
+  );
 }
 
 export async function makeContractInstanceFromClassId(
@@ -1230,6 +1235,7 @@ export async function makeContractInstanceFromClassId(
   overrides?: {
     deployer?: AztecAddress;
     initializationHash?: Fr;
+    immutablesHash?: Fr;
     publicKeys?: PublicKeys;
     currentClassId?: Fr;
   },
@@ -1238,21 +1244,24 @@ export async function makeContractInstanceFromClassId(
   const initializationHash = overrides?.initializationHash ?? new Fr(seed + 1);
   const deployer = overrides?.deployer ?? new AztecAddress(new Fr(seed + 2));
   const publicKeys = overrides?.publicKeys ?? (await makePublicKeys(seed + 3));
+  const immutablesHash = overrides?.immutablesHash ?? new Fr(seed + 4);
 
   const partialAddress = await computePartialAddress({
     originalContractClassId: classId,
     salt,
     initializationHash,
+    immutablesHash,
     deployer,
   });
   const address = await computeAddress(publicKeys, partialAddress);
   return new SerializableContractInstance({
-    version: 1,
+    version: 2,
     salt,
     deployer,
     currentContractClassId: overrides?.currentClassId ?? classId,
     originalContractClassId: classId,
     initializationHash,
+    immutablesHash,
     publicKeys,
   }).withAddress(address);
 }
@@ -1430,11 +1439,12 @@ export function makeAvmContractInstanceHint(seed = 0): AvmContractInstanceHint {
     new Fr(seed + 0x4),
     new Fr(seed + 0x5),
     new Fr(seed + 0x6),
+    new Fr(seed + 0x7),
     new PublicKeys(
-      new Point(new Fr(seed + 0x7), new Fr(seed + 0x8), false),
+      new Fr(seed + 0x7),
       new Point(new Fr(seed + 0x9), new Fr(seed + 0x10), false),
-      new Point(new Fr(seed + 0x11), new Fr(seed + 0x12), false),
-      new Point(new Fr(seed + 0x13), new Fr(seed + 0x14), false),
+      new Fr(seed + 0x11),
+      new Fr(seed + 0x13),
     ),
   );
 }