starkshield 1.0.0

package/circomlib/circuits/smt/smtprocessor.circom

@@ -0,0 +1,261 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/***************************************************************************************************
+
+SMTProcessor: Sparse Merkle Tree processor is a component to verify an insert/update/delete elements
+into the Sparse Merkle tree.
+
+
+Insert to an empty leaf
+=======================
+
+  STATE                 OLD STATE                                       NEW STATE
+  =====                 =========                                       =========
+
+                         oldRoot                                          newRoot
+                            ▲                                               ▲
+                            │                                               │
+          ┌───────┐     ┏━━━┻━━━┓                         ┌───────┐     ┏━━━┻━━━┓
+   top    │Sibling├────▶┃ Hash  ┃◀─┐                      │Sibling├────▶┃ Hash  ┃◀─┐
+          └───────┘     ┗━━━━━━━┛  │                      └───────┘     ┗━━━━━━━┛  │
+                                   │                                               │
+                                   │                                               │
+                               ┏━━━┻━━━┓   ┌───────┐                           ┏━━━┻━━━┓   ┌───────┐
+   top                  ┌─────▶┃ Hash  ┃◀──┤Sibling│                    ┌─────▶┃ Hash  ┃◀──┤Sibling│
+                        │      ┗━━━━━━━┛   └───────┘                    │      ┗━━━━━━━┛   └───────┘
+                        │                                               │
+                        │                                               │
+        ┌───────┐   ┏━━━┻━━━┓                           ┌───────┐   ┏━━━┻━━━┓
+   top  │Sibling├──▶┃ Hash  ┃◀─────┐                    │Sibling├──▶┃ Hash  ┃◀─────┐
+        └───────┘   ┗━━━━━━━┛      │                    └───────┘   ┗━━━━━━━┛      │
+                                   │                                               │
+                                   │                                               │
+                              ┌────┴────┐                                     ┌────┴────┐
+  old0                        │    0    │                                     │New1Leaf │
+                              └─────────┘                                     └─────────┘
+
+
+                     ┏━━━━━━━┓                                      ┏━━━━━━━┓
+   na                ┃ Hash  ┃                                      ┃ Hash  ┃
+                     ┗━━━━━━━┛                                      ┗━━━━━━━┛
+
+
+                     ┏━━━━━━━┓                                      ┏━━━━━━━┓
+   na                ┃ Hash  ┃                                      ┃ Hash  ┃
+                     ┗━━━━━━━┛                                      ┗━━━━━━━┛
+
+
+
+Insert to a used leaf.
+=====================
+
+  STATE                 OLD STATE                                       NEW STATE
+  =====                 =========                                       =========
+
+
+                         oldRoot                                          newRoot
+                            ▲                                               ▲
+                            │                                               │
+          ┌───────┐     ┏━━━┻━━━┓                         ┌───────┐     ┏━━━┻━━━┓
+   top    │Sibling├────▶┃ Hash  ┃◀─┐                      │Sibling├────▶┃ Hash  ┃◀─┐
+          └───────┘     ┗━━━━━━━┛  │                      └───────┘     ┗━━━━━━━┛  │
+                                   │                                               │
+                                   │                                               │
+                               ┏━━━┻━━━┓   ┌───────┐                           ┏━━━┻━━━┓   ┌───────┐
+   top                  ┌─────▶┃ Hash  ┃◀──┤Sibling│                    ┌─────▶┃ Hash  ┃◀──┤Sibling│
+                        │      ┗━━━━━━━┛   └───────┘                    │      ┗━━━━━━━┛   └───────┘
+                        │                                               │
+                        │                                               │
+        ┌───────┐   ┏━━━┻━━━┓                           ┌───────┐   ┏━━━┻━━━┓
+   top  │Sibling├──▶┃ Hash  ┃◀─────┐                    │Sibling├──▶┃ Hash  ┃◀─────┐
+        └───────┘   ┗━━━━━━━┛      │                    └───────┘   ┗━━━━━━━┛      │
+                                   │                                               │
+                                   │                                               │
+                              ┌────┴────┐                                      ┏━━━┻━━━┓   ┌───────┐
+   bot                        │Old1Leaf │                               ┌─────▶┃ Hash  ┃◀──┼─  0   │
+                              └─────────┘                               │      ┗━━━━━━━┛   └───────┘
+                                                                        │
+                                                                        │
+                     ┏━━━━━━━┓                          ┌───────┐   ┏━━━┻━━━┓
+   bot               ┃ Hash  ┃                          │   0  ─┼──▶┃ Hash  ┃◀─────┐
+                     ┗━━━━━━━┛                          └───────┘   ┗━━━━━━━┛      │
+                                                                                   │
+                                                                                   │
+                     ┏━━━━━━━┓                                                 ┏━━━┻━━━┓   ┌───────┐
+   bot               ┃ Hash  ┃                                          ┌─────▶┃ Hash  ┃◀──│   0   │
+                     ┗━━━━━━━┛                                          │      ┗━━━━━━━┛   └───────┘
+                                                                        │
+                                                                        │
+                     ┏━━━━━━━┓                        ┌─────────┐   ┏━━━┻━━━┓   ┌─────────┐
+  new1               ┃ Hash  ┃                        │Old1Leaf ├──▶┃ Hash  ┃◀──│New1Leaf │
+                     ┗━━━━━━━┛                        └─────────┘   ┗━━━━━━━┛   └─────────┘
+
+
+                     ┏━━━━━━━┓                                      ┏━━━━━━━┓
+   na                ┃ Hash  ┃                                      ┃ Hash  ┃
+                     ┗━━━━━━━┛                                      ┗━━━━━━━┛
+
+
+                     ┏━━━━━━━┓                                      ┏━━━━━━━┓
+   na                ┃ Hash  ┃                                      ┃ Hash  ┃
+                     ┗━━━━━━━┛                                      ┗━━━━━━━┛
+
+
+Fnction
+fnc[0]  fnc[1]
+0       0             NOP
+0       1             UPDATE
+1       0             INSERT
+1       1             DELETE
+
+
+***************************************************************************************************/
+pragma circom 2.0.0;
+
+include "../gates.circom";
+include "../bitify.circom";
+include "../comparators.circom";
+include "../switcher.circom";
+include "smtlevins.circom";
+include "smtprocessorlevel.circom";
+include "smtprocessorsm.circom";
+include "smthash_poseidon.circom";
+
+template SMTProcessor(nLevels) {
+    signal input oldRoot;
+    signal output newRoot;
+    signal input siblings[nLevels];
+    signal input oldKey;
+    signal input oldValue;
+    signal input isOld0;
+    signal input newKey;
+    signal input newValue;
+    signal input fnc[2];
+
+    signal enabled;
+
+    var i;
+
+    enabled <== fnc[0] + fnc[1] - fnc[0]*fnc[1];
+
+    component hash1Old = SMTHash1();
+    hash1Old.key <== oldKey;
+    hash1Old.value <== oldValue;
+
+    component hash1New = SMTHash1();
+    hash1New.key <== newKey;
+    hash1New.value <== newValue;
+
+    component n2bOld = Num2Bits_strict();
+    component n2bNew = Num2Bits_strict();
+
+    n2bOld.in <== oldKey;
+    n2bNew.in <== newKey;
+
+    component smtLevIns = SMTLevIns(nLevels);
+    for (i=0; i<nLevels; i++) smtLevIns.siblings[i] <== siblings[i];
+    smtLevIns.enabled <== enabled;
+
+    component xors[nLevels];
+    for (i=0; i<nLevels; i++) {
+        xors[i] = XOR();
+        xors[i].a <== n2bOld.out[i];
+        xors[i].b <== n2bNew.out[i];
+    }
+
+    component sm[nLevels];
+    for (i=0; i<nLevels; i++) {
+        sm[i] = SMTProcessorSM();
+        if (i==0) {
+            sm[i].prev_top <== enabled;
+            sm[i].prev_old0 <== 0;
+            sm[i].prev_bot <== 0;
+            sm[i].prev_new1 <== 0;
+            sm[i].prev_na <== 1-enabled;
+            sm[i].prev_upd <== 0;
+        } else {
+            sm[i].prev_top <== sm[i-1].st_top;
+            sm[i].prev_old0 <== sm[i-1].st_old0;
+            sm[i].prev_bot <== sm[i-1].st_bot;
+            sm[i].prev_new1 <== sm[i-1].st_new1;
+            sm[i].prev_na <== sm[i-1].st_na;
+            sm[i].prev_upd <== sm[i-1].st_upd;
+        }
+        sm[i].is0 <== isOld0;
+        sm[i].xor <== xors[i].out;
+        sm[i].fnc[0] <== fnc[0];
+        sm[i].fnc[1] <== fnc[1];
+        sm[i].levIns <== smtLevIns.levIns[i];
+    }
+    sm[nLevels-1].st_na + sm[nLevels-1].st_new1 + sm[nLevels-1].st_old0 +sm[nLevels-1].st_upd === 1;
+
+    component levels[nLevels];
+    for (i=nLevels-1; i != -1; i--) {
+        levels[i] = SMTProcessorLevel();
+
+        levels[i].st_top <== sm[i].st_top;
+        levels[i].st_old0 <== sm[i].st_old0;
+        levels[i].st_bot <== sm[i].st_bot;
+        levels[i].st_new1 <== sm[i].st_new1;
+        levels[i].st_na <== sm[i].st_na;
+        levels[i].st_upd <== sm[i].st_upd;
+
+        levels[i].sibling <== siblings[i];
+        levels[i].old1leaf <== hash1Old.out;
+        levels[i].new1leaf <== hash1New.out;
+
+        levels[i].newlrbit <== n2bNew.out[i];
+        if (i==nLevels-1) {
+            levels[i].oldChild <== 0;
+            levels[i].newChild <== 0;
+        } else {
+            levels[i].oldChild <== levels[i+1].oldRoot;
+            levels[i].newChild <== levels[i+1].newRoot;
+        }
+    }
+
+    component topSwitcher = Switcher();
+
+    topSwitcher.sel <== fnc[0]*fnc[1];
+    topSwitcher.L <== levels[0].oldRoot;
+    topSwitcher.R <== levels[0].newRoot;
+
+    component checkOldInput = ForceEqualIfEnabled();
+    checkOldInput.enabled <== enabled;
+    checkOldInput.in[0] <== oldRoot;
+    checkOldInput.in[1] <== topSwitcher.outL;
+
+    newRoot <== enabled * (topSwitcher.outR - oldRoot) + oldRoot;
+
+//    topSwitcher.outL === oldRoot*enabled;
+//    topSwitcher.outR === newRoot*enabled;
+
+    // Ckeck keys are equal if updating
+    component areKeyEquals = IsEqual();
+    areKeyEquals.in[0] <== oldKey;
+    areKeyEquals.in[1] <== newKey;
+
+    component keysOk = MultiAND(3);
+    keysOk.in[0] <== 1-fnc[0];
+    keysOk.in[1] <== fnc[1];
+    keysOk.in[2] <== 1-areKeyEquals.out;
+
+    keysOk.out === 0;
+}

package/circomlib/circuits/smt/smtprocessorlevel.circom

@@ -0,0 +1,95 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/******
+
+SMTProcessorLevel
+
+This circuit has 2 hash
+
+Outputs according to the state.
+
+State        oldRoot                    newRoot
+=====        =======                    =======
+top          H'(oldChild, sibling)       H'(newChild, sibling)
+old0         0                           new1leaf
+bot          old1leaf                    H'(newChild, 0)
+new1         old1leaf                    H'(new1leaf, old1leaf)
+na           0                           0
+
+upd          old1leaf                    new1leaf
+
+H' is the Hash function with the inputs shifted acordingly.
+
+*****/
+pragma circom 2.0.0;
+
+
+template SMTProcessorLevel() {
+    signal input st_top;
+    signal input st_old0;
+    signal input st_bot;
+    signal input st_new1;
+    signal input st_na;
+    signal input st_upd;
+
+    signal output oldRoot;
+    signal output newRoot;
+    signal input sibling;
+    signal input old1leaf;
+    signal input new1leaf;
+    signal input newlrbit;
+    signal input oldChild;
+    signal input newChild;
+
+    signal aux[4];
+
+    component oldProofHash = SMTHash2();
+    component newProofHash = SMTHash2();
+
+    component oldSwitcher = Switcher();
+    component newSwitcher = Switcher();
+
+    // Old side
+
+    oldSwitcher.L <== oldChild;
+    oldSwitcher.R <== sibling;
+
+    oldSwitcher.sel <== newlrbit;
+    oldProofHash.L <== oldSwitcher.outL;
+    oldProofHash.R <== oldSwitcher.outR;
+
+    aux[0] <== old1leaf * (st_bot + st_new1 + st_upd);
+    oldRoot <== aux[0] +  oldProofHash.out * st_top;
+
+    // New side
+
+    aux[1] <== newChild * ( st_top + st_bot);
+    newSwitcher.L <== aux[1] + new1leaf*st_new1;
+
+    aux[2] <== sibling*st_top;
+    newSwitcher.R <== aux[2] + old1leaf*st_new1;
+
+    newSwitcher.sel <== newlrbit;
+    newProofHash.L <== newSwitcher.outL;
+    newProofHash.R <== newSwitcher.outR;
+
+    aux[3] <== newProofHash.out * (st_top + st_bot + st_new1);
+    newRoot <==  aux[3] + new1leaf * (st_old0 + st_upd);
+}

package/circomlib/circuits/smt/smtprocessorsm.circom

@@ -0,0 +1,165 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/***************************************************************************************************
+Each level on a SMTProcessor has a state.
+
+The state of the level depends on the state of te botom level and on `xor` and
+`is0` signals.
+
+`isOldLev` 1 when is the level where oldLeaf is.
+
+`xor` signal is 0 if the index bit at the current level is the same in the old
+and the new index, and 1 if it is different.
+
+`is0` signal, is 1 if we are inserting/deleting in an empty leaf and 0 if we
+are inserting/deleting in a leaf that contains an element.
+
+The states are:
+
+top: While the index bits of the old and new insex in the top level is the same, whe are in the top state.
+old0: When the we reach insert level,  we go to old0 state
+if `is0`=1.
+btn: Once in insert level and `is0` =0 we go to btn or new1 level if xor=1
+new1: This level is reached when xor=1. Here is where we insert/delete the hash of the
+old and the new trees with just one element.
+na: Not appliable.  After processing it, we go to the na level.
+
+
+Fnction
+fnc[0]  fnc[1]
+0       0             NOP
+0       1             UPDATE
+1       0             INSERT
+1       1             DELETE
+
+
+                                                ###########
+                                               #           #
+                ┌────────────────────────────▶#    upd      #─────────────────────┐
+                │                              ##         ##                      │
+                │                                #########                        │
+      levIns=1  │                                                                 │
+      fnc[0]=0  │                                                                 │  any
+                │                                                                 │
+                │                                                                 │
+                │                                                                 │
+                │                                ###########                      │
+                │        levIns=1               #           #                     │
+   levIns=0     │         is0=1  ┌────────────▶#    old0     #────────┐           │     any
+   ┌─────┐      │        fnc[0]=1│              ##         ##         │           │   ┌──────┐
+   │     │      │                │                #########           │ any       │   │      │
+   │     ▼      │                │                                    │           ▼   ▼      │
+   │    ###########              │                                    │          ########### │
+   │   #           # ────────────┘                                    └────────▶#           #│
+   └──#    top      #                                                          #    na       #
+       ##         ## ───────────────────┐ levIns=1                          ┌──▶##         ##
+         #########                      │  is0=0                            │     #########
+             │                          │ fnc[0]=1                          │
+             │                          │  xor=1             ###########    │ any
+             │                          └──────────────────▶#           #   │
+             │                                             #    new1     #──┘
+             │                                              ##         ##
+             └────────────────────────────────┐               #########
+                  levIns=1                    │                   ▲
+                   is0=0                      │             ┌─────┘
+                  fnc[0]=1                    │  ###########│  xor=1
+                   xor=0                      │ #           #
+                                              ▼#    btn      #
+                                                ##         ##
+                                                  #########◀───────┐
+                                                      │            │
+                                                      │            │
+                                                      └────────────┘
+                                                          xor=0
+
+***************************************************************************************************/
+pragma circom 2.0.0;
+
+template SMTProcessorSM() {
+  signal input xor;
+  signal input is0;
+  signal input levIns;
+  signal input fnc[2];
+
+  signal input prev_top;
+  signal input prev_old0;
+  signal input prev_bot;
+  signal input prev_new1;
+  signal input prev_na;
+  signal input prev_upd;
+
+  signal output st_top;
+  signal output st_old0;
+  signal output st_bot;
+  signal output st_new1;
+  signal output st_na;
+  signal output st_upd;
+
+  signal aux1;
+  signal aux2;
+
+  aux1 <==                  prev_top * levIns;
+  aux2 <== aux1*fnc[0];  // prev_top * levIns * fnc[0]
+
+  // st_top = prev_top*(1-levIns)
+  //    = + prev_top
+  //      - prev_top * levIns            = aux1
+
+  st_top <== prev_top - aux1;
+
+  // st_old0 = prev_top * levIns * is0 * fnc[0]
+  //      = + prev_top * levIns * is0 * fnc[0]            = aux2 * is0
+
+  st_old0 <== aux2 * is0;  // prev_top * levIns * is0 * fnc[0]
+
+  // st_new1 = prev_top * levIns * (1-is0)*fnc[0] * xor   +  prev_bot*xor =
+  //    = + prev_top * levIns *       fnc[0] * xor     = aux2     * xor
+  //      - prev_top * levIns * is0 * fnc[0] * xor     = st_old0  * xor
+  //      + prev_bot *                         xor     = prev_bot * xor
+
+  st_new1 <== (aux2 - st_old0 + prev_bot)*xor;
+
+
+  // st_bot = prev_top * levIns * (1-is0)*fnc[0] * (1-xor) + prev_bot*(1-xor);
+  //    = + prev_top * levIns *       fnc[0]
+  //      - prev_top * levIns * is0 * fnc[0]
+  //      - prev_top * levIns *       fnc[0] * xor
+  //      + prev_top * levIns * is0 * fnc[0] * xor
+  //      + prev_bot
+  //      - prev_bot *                         xor
+
+  st_bot <== (1-xor) * (aux2 - st_old0 + prev_bot);
+
+
+  // st_upd = prev_top * (1-fnc[0]) *levIns;
+  //    = + prev_top * levIns
+  //      - prev_top * levIns * fnc[0]
+
+  st_upd <== aux1 - aux2;
+
+  // st_na = prev_new1 + prev_old0 + prev_na + prev_upd;
+  //    = + prev_new1
+  //      + prev_old0
+  //      + prev_na
+  //      + prev_upd
+
+  st_na <== prev_new1 + prev_old0 + prev_na + prev_upd;
+
+}

package/circomlib/circuits/smt/smtverifier.circom

@@ -0,0 +1,138 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/*
+
+SMTVerifier is a component to verify inclusion/exclusion of an element in the tree
+
+
+fnc:  0 -> VERIFY INCLUSION
+      1 -> VERIFY NOT INCLUSION
+
+ */
+ pragma circom 2.0.0;
+
+
+include "../gates.circom";
+include "../bitify.circom";
+include "../comparators.circom";
+include "../switcher.circom";
+include "smtlevins.circom";
+include "smtverifierlevel.circom";
+include "smtverifiersm.circom";
+include "smthash_poseidon.circom";
+
+template SMTVerifier(nLevels) {
+    signal input enabled;
+    signal input root;
+    signal input siblings[nLevels];
+    signal input oldKey;
+    signal input oldValue;
+    signal input isOld0;
+    signal input key;
+    signal input value;
+    signal input fnc;
+
+    var i;
+
+    component hash1Old = SMTHash1();
+    hash1Old.key <== oldKey;
+    hash1Old.value <== oldValue;
+
+    component hash1New = SMTHash1();
+    hash1New.key <== key;
+    hash1New.value <== value;
+
+    component n2bOld = Num2Bits_strict();
+    component n2bNew = Num2Bits_strict();
+
+    n2bOld.in <== oldKey;
+    n2bNew.in <== key;
+
+    component smtLevIns = SMTLevIns(nLevels);
+    for (i=0; i<nLevels; i++) smtLevIns.siblings[i] <== siblings[i];
+    smtLevIns.enabled <== enabled;
+
+    component sm[nLevels];
+    for (i=0; i<nLevels; i++) {
+        sm[i] = SMTVerifierSM();
+        if (i==0) {
+            sm[i].prev_top <== enabled;
+            sm[i].prev_i0 <== 0;
+            sm[i].prev_inew <== 0;
+            sm[i].prev_iold <== 0;
+            sm[i].prev_na <== 1-enabled;
+        } else {
+            sm[i].prev_top <== sm[i-1].st_top;
+            sm[i].prev_i0 <== sm[i-1].st_i0;
+            sm[i].prev_inew <== sm[i-1].st_inew;
+            sm[i].prev_iold <== sm[i-1].st_iold;
+            sm[i].prev_na <== sm[i-1].st_na;
+        }
+        sm[i].is0 <== isOld0;
+        sm[i].fnc <== fnc;
+        sm[i].levIns <== smtLevIns.levIns[i];
+    }
+    sm[nLevels-1].st_na + sm[nLevels-1].st_iold + sm[nLevels-1].st_inew + sm[nLevels-1].st_i0 === 1;
+
+    component levels[nLevels];
+    for (i=nLevels-1; i != -1; i--) {
+        levels[i] = SMTVerifierLevel();
+
+        levels[i].st_top <== sm[i].st_top;
+        levels[i].st_i0 <== sm[i].st_i0;
+        levels[i].st_inew <== sm[i].st_inew;
+        levels[i].st_iold <== sm[i].st_iold;
+        levels[i].st_na <== sm[i].st_na;
+
+        levels[i].sibling <== siblings[i];
+        levels[i].old1leaf <== hash1Old.out;
+        levels[i].new1leaf <== hash1New.out;
+
+        levels[i].lrbit <== n2bNew.out[i];
+        if (i==nLevels-1) {
+            levels[i].child <== 0;
+        } else {
+            levels[i].child <== levels[i+1].root;
+        }
+    }
+
+
+    // Check that if checking for non inclussuin and isOld0==0 then key!=old
+    component areKeyEquals = IsEqual();
+    areKeyEquals.in[0] <== oldKey;
+    areKeyEquals.in[1] <== key;
+
+    component keysOk = MultiAND(4);
+    keysOk.in[0] <== fnc;
+    keysOk.in[1] <== 1-isOld0;
+    keysOk.in[2] <== areKeyEquals.out;
+    keysOk.in[3] <== enabled;
+
+    keysOk.out === 0;
+
+    // Check the root
+    component checkRoot = ForceEqualIfEnabled();
+    checkRoot.enabled <== enabled;
+    checkRoot.in[0] <== levels[0].root;
+    checkRoot.in[1] <== root;
+
+    // levels[0].root === root;
+
+}