Increase the size of the deposit output to 2 for better tracking-resistance

Signed-off-by: Jim Zhang <[email protected]>

Author: jimthematrix

solidity/contracts/lib/verifier_check_hashes_value.sol

@@ -43,14 +43,17 @@ contract Groth16Verifier_CheckHashesValue {
     uint256 constant deltay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
 
 
-    uint256 constant IC0x = 7451946452627654831087368244416850811848640051585835431774006564787696394579;
-    uint256 constant IC0y = 3335938186741695161920937664249081252546904250712465973121885140080729804559;
+    uint256 constant IC0x = 17792762022125287046321768098607171320071618631211367966788587488825455404458;
+    uint256 constant IC0y = 11155528019403985287117957011181683282276980330791900414761420530701336492839;
 
-    uint256 constant IC1x = 4825167184845404163337490360685409593368334234867416547655377178016060612776;
-    uint256 constant IC1y = 20216917433859335199329194148245717058149862581677751710529776924054717858789;
+    uint256 constant IC1x = 6717605603646218844646921196814073522173739325926307699116887265970061883098;
+    uint256 constant IC1y = 516153472147520123255754218210841627924243470206670179828454953236590121912;
 
-    uint256 constant IC2x = 15958914812085923571729409913935907268381565403173614269925036163982984629903;
-    uint256 constant IC2y = 12537821265017874170836131082487633026846634600904134063136842002739226714069;
+    uint256 constant IC2x = 8087731838810758210112265887449747110390409349987938026778639089761261395232;
+    uint256 constant IC2y = 19857276812072296411781253738593366602790857251698964067504889225833057563826;
+    
+    uint256 constant IC3x = 473105502461913999202734899658281137764286492931790885921074401072316990093;
+    uint256 constant IC3y = 19795449967604900309902005580999588375004713323386672270649013487860620808493;
 
 
     // Memory data
@@ -59,7 +62,7 @@ contract Groth16Verifier_CheckHashesValue {
 
     uint16 constant pLastMem = 896;
 
-    function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[2] calldata _pubSignals) public view returns (bool) {
+    function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[3] calldata _pubSignals) public view returns (bool) {
         assembly {
             function checkField(v) {
                 if iszero(lt(v, r)) {
@@ -107,6 +110,8 @@ contract Groth16Verifier_CheckHashesValue {
 
                 g1_mulAccC(_pVk, IC2x, IC2y, calldataload(add(pubSignals, 32)))
 
+                g1_mulAccC(_pVk, IC3x, IC3y, calldataload(add(pubSignals, 64)))
+                
 
                 // -A
                 mstore(_pPairing, calldataload(pA))
@@ -166,6 +171,8 @@ contract Groth16Verifier_CheckHashesValue {
 
             checkField(calldataload(add(_pubSignals, 64)))
 
+            checkField(calldataload(add(_pubSignals, 96)))
+            
 
             // Validate all evaluations
             let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)

solidity/contracts/lib/zeto_fungible.sol

@@ -45,15 +45,16 @@ abstract contract ZetoFungible is OwnableUpgradeable {
 
     function _deposit(
         uint256 amount,
-        uint256 utxo,
+        uint256[] memory outputs,
         Commonlib.Proof calldata proof
     ) public virtual {
         // verifies that the output UTXOs match the claimed value
         // to be deposited
         // construct the public inputs
-        uint256[2] memory publicInputs;
+        uint256[3] memory publicInputs;
         publicInputs[0] = amount;
-        publicInputs[1] = utxo;
+        publicInputs[1] = outputs[0];
+        publicInputs[2] = outputs[1];
 
         // Check the proof
         require(

solidity/contracts/zeto_anon.sol

@@ -170,14 +170,12 @@ contract Zeto_Anon is IZeto, ZetoBase, ZetoFungibleWithdraw, UUPSUpgradeable {
 
     function deposit(
         uint256 amount,
-        uint256 utxo,
+        uint256[] memory outputs,
         Commonlib.Proof calldata proof,
         bytes calldata data
     ) public {
-        _deposit(amount, utxo, proof);
-        uint256[] memory utxos = new uint256[](1);
-        utxos[0] = utxo;
-        _mint(utxos, data);
+        _deposit(amount, outputs, proof);
+        _mint(outputs, data);
     }
 
     function withdraw(

solidity/contracts/zeto_anon_enc.sol

@@ -208,14 +208,12 @@ contract Zeto_AnonEnc is
 
     function deposit(
         uint256 amount,
-        uint256 utxo,
+        uint256[] memory outputs,
         Commonlib.Proof calldata proof,
         bytes calldata data
     ) public {
-        _deposit(amount, utxo, proof);
-        uint256[] memory utxos = new uint256[](1);
-        utxos[0] = utxo;
-        _mint(utxos, data);
+        _deposit(amount, outputs, proof);
+        _mint(outputs, data);
     }
 
     function withdraw(

solidity/contracts/zeto_anon_enc_nullifier.sol

@@ -223,14 +223,12 @@ contract Zeto_AnonEncNullifier is
 
     function deposit(
         uint256 amount,
-        uint256 utxo,
+        uint256[] memory outputs,
         Commonlib.Proof calldata proof,
         bytes calldata data
     ) public {
-        _deposit(amount, utxo, proof);
-        uint256[] memory utxos = new uint256[](1);
-        utxos[0] = utxo;
-        _mint(utxos, data);
+        _deposit(amount, outputs, proof);
+        _mint(outputs, data);
     }
 
     function withdraw(

solidity/contracts/zeto_anon_enc_nullifier_kyc.sol

@@ -238,14 +238,12 @@ contract Zeto_AnonEncNullifierKyc is
     // Therefore, token circulation from & to parties that are not in the KYC list is prevented
     function deposit(
         uint256 amount,
-        uint256 utxo,
+        uint256[] memory outputs,
         Commonlib.Proof calldata proof,
         bytes calldata data
     ) public {
-        _deposit(amount, utxo, proof);
-        uint256[] memory utxos = new uint256[](1);
-        utxos[0] = utxo;
-        _mint(utxos, data);
+        _deposit(amount, outputs, proof);
+        _mint(outputs, data);
     }
 
     function withdraw(

solidity/contracts/zeto_anon_enc_nullifier_non_repudiation.sol

@@ -274,14 +274,12 @@ contract Zeto_AnonEncNullifierNonRepudiation is
 
     function deposit(
         uint256 amount,
-        uint256 utxo,
+        uint256[] memory outputs,
         Commonlib.Proof calldata proof,
         bytes calldata data
     ) public {
-        _deposit(amount, utxo, proof);
-        uint256[] memory utxos = new uint256[](1);
-        utxos[0] = utxo;
-        _mint(utxos, data);
+        _deposit(amount, outputs, proof);
+        _mint(outputs, data);
     }
 
     function withdraw(

solidity/contracts/zeto_anon_nullifier.sol

@@ -192,14 +192,12 @@ contract Zeto_AnonNullifier is
 
     function deposit(
         uint256 amount,
-        uint256 utxo,
+        uint256[] memory outputs,
         Commonlib.Proof calldata proof,
         bytes calldata data
     ) public {
-        _deposit(amount, utxo, proof);
-        uint256[] memory utxos = new uint256[](1);
-        utxos[0] = utxo;
-        _mint(utxos, data);
+        _deposit(amount, outputs, proof);
+        _mint(outputs, data);
     }
 
     function withdraw(

solidity/contracts/zeto_anon_nullifier_kyc.sol

@@ -202,14 +202,12 @@ contract Zeto_AnonNullifierKyc is
 
     function deposit(
         uint256 amount,
-        uint256 utxo,
+        uint256[] memory outputs,
         Commonlib.Proof calldata proof,
         bytes calldata data
     ) public {
-        _deposit(amount, utxo, proof);
-        uint256[] memory utxos = new uint256[](1);
-        utxos[0] = utxo;
-        _mint(utxos, data);
+        _deposit(amount, outputs, proof);
+        _mint(outputs, data);
     }
 
     function withdraw(

solidity/test/utils.ts

@@ -42,17 +42,27 @@ export function loadProvingKeys(type: string) {
   };
 }
 
-export async function prepareDepositProof(signer: User, output: UTXO) {
-  const outputCommitments: [BigNumberish] = [output.hash] as [BigNumberish];
-  const outputValues = [BigInt(output.value || 0n)];
-  const outputOwnerPublicKeys: [[BigNumberish, BigNumberish]] = [
-    signer.babyJubPublicKey,
-  ] as [[BigNumberish, BigNumberish]];
+export async function prepareDepositProof(signer: User, outputs: [UTXO, UTXO]) {
+  const outputCommitments: [BigNumberish, BigNumberish] = [
+    outputs[0].hash,
+    outputs[1].hash,
+  ] as [BigNumberish, BigNumberish];
+  const outputValues = [
+    BigInt(outputs[0].value || 0n),
+    BigInt(outputs[1].value || 0n),
+  ];
+  const outputOwnerPublicKeys: [
+    [BigNumberish, BigNumberish],
+    [BigNumberish, BigNumberish],
+  ] = [signer.babyJubPublicKey, signer.babyJubPublicKey] as [
+    [BigNumberish, BigNumberish],
+    [BigNumberish, BigNumberish],
+  ];
 
   const inputObj = {
     outputCommitments,
     outputValues,
-    outputSalts: [output.salt],
+    outputSalts: [outputs[0].salt, outputs[1].salt],
     outputOwnerPublicKeys,
   };
 

solidity/test/zeto_anon.ts

@@ -170,13 +170,14 @@ describe("Zeto based fungible token with anonymity without encryption or nullifi
     await tx1.wait();
 
     utxo100 = newUTXO(100, Alice);
+    const utxo0 = newUTXO(0, Alice);
     const { outputCommitments, encodedProof } = await prepareDepositProof(
       Alice,
-      utxo100,
+      [utxo100, utxo0],
     );
     const tx2 = await zeto
       .connect(Alice.signer)
-      .deposit(100, outputCommitments[0], encodedProof, "0x");
+      .deposit(100, outputCommitments, encodedProof, "0x");
     await tx2.wait();
   });
 

solidity/test/zeto_anon_enc.ts

@@ -191,13 +191,14 @@ describe("Zeto based fungible token with anonymity and encryption", function ()
     await tx1.wait();
 
     utxo100 = newUTXO(100, Alice);
+    const utxo0 = newUTXO(0, Alice);
     const { outputCommitments, encodedProof } = await prepareDepositProof(
       Alice,
-      utxo100,
+      [utxo100, utxo0],
     );
     const tx2 = await zeto
       .connect(Alice.signer)
-      .deposit(100, outputCommitments[0], encodedProof, "0x");
+      .deposit(100, outputCommitments, encodedProof, "0x");
     await tx2.wait();
   });
 

solidity/test/zeto_anon_enc_nullifier.ts

@@ -275,17 +275,20 @@ describe("Zeto based fungible token with anonymity using nullifiers and encrypti
     await tx1.wait();
 
     utxo100 = newUTXO(100, Alice);
+    const utxo0 = newUTXO(0, Alice);
     const { outputCommitments, encodedProof } = await prepareDepositProof(
       Alice,
-      utxo100,
+      [utxo100, utxo0],
     );
     const tx2 = await zeto
       .connect(Alice.signer)
-      .deposit(100, outputCommitments[0], encodedProof, "0x");
+      .deposit(100, outputCommitments, encodedProof, "0x");
     await tx2.wait();
 
     await smtAlice.add(utxo100.hash, utxo100.hash);
+    await smtAlice.add(utxo0.hash, utxo0.hash);
     await smtBob.add(utxo100.hash, utxo100.hash);
+    await smtBob.add(utxo0.hash, utxo0.hash);
   });
 
   it("mint to Alice and transfer UTXOs honestly to Bob should succeed", async function () {

solidity/test/zeto_anon_enc_nullifier_kyc.ts

@@ -61,6 +61,7 @@ describe("Zeto based fungible token with anonymity using nullifiers and encrypti
   let erc20: any;
   let zeto: any;
   let utxo100: UTXO;
+  let utxo0: UTXO;
   let utxo1: UTXO;
   let utxo2: UTXO;
   let utxo3: UTXO;
@@ -336,17 +337,20 @@ describe("Zeto based fungible token with anonymity using nullifiers and encrypti
     await tx1.wait();
 
     utxo100 = newUTXO(100, Alice);
+    utxo0 = newUTXO(0, Alice);
     const { outputCommitments, encodedProof } = await prepareDepositProof(
       Alice,
-      utxo100,
+      [utxo100, utxo0],
     );
     const tx2 = await zeto
       .connect(Alice.signer)
-      .deposit(100, outputCommitments[0], encodedProof, "0x");
+      .deposit(100, outputCommitments, encodedProof, "0x");
     await tx2.wait();
 
     await smtAlice.add(utxo100.hash, utxo100.hash);
+    await smtAlice.add(utxo0.hash, utxo0.hash);
     await smtBob.add(utxo100.hash, utxo100.hash);
+    await smtBob.add(utxo0.hash, utxo0.hash);
   });
 
   it("mint to Alice and transfer UTXOs honestly to Bob should succeed", async function () {
@@ -576,6 +580,7 @@ describe("Zeto based fungible token with anonymity using nullifiers and encrypti
 
   describe("unregistered user cases", function () {
     let unregisteredUtxo100: UTXO;
+    let unregisteredUtxo0: UTXO;
 
     it("deposit by an unregistered user should succeed", async function () {
       const tx = await erc20
@@ -588,24 +593,28 @@ describe("Zeto based fungible token with anonymity using nullifiers and encrypti
       await tx1.wait();
 
       unregisteredUtxo100 = newUTXO(100, unregistered);
+      unregisteredUtxo0 = newUTXO(0, unregistered);
       const { outputCommitments, encodedProof } = await prepareDepositProof(
         unregistered,
-        unregisteredUtxo100,
+        [unregisteredUtxo100, unregisteredUtxo0],
       );
       const tx2 = await zeto
         .connect(unregistered.signer)
-        .deposit(100, outputCommitments[0], encodedProof, "0x");
+        .deposit(100, outputCommitments, encodedProof, "0x");
       await tx2.wait();
 
       // Alice tracks the UTXO inside the SMT
       await smtAlice.add(unregisteredUtxo100.hash, unregisteredUtxo100.hash);
+      await smtAlice.add(unregisteredUtxo0.hash, unregisteredUtxo0.hash);
       // Bob also locally tracks the UTXOs inside the SMT
       await smtBob.add(unregisteredUtxo100.hash, unregisteredUtxo100.hash);
+      await smtBob.add(unregisteredUtxo0.hash, unregisteredUtxo0.hash);
     });
 
     it("transfer from an unregistered user should fail", async function () {
       // catch up the local SMT for the unregistered user
       await smtUnregistered.add(utxo100.hash, utxo100.hash);
+      await smtUnregistered.add(utxo0.hash, utxo0.hash);
       await smtUnregistered.add(utxo1.hash, utxo1.hash);
       await smtUnregistered.add(utxo2.hash, utxo2.hash);
       await smtUnregistered.add(_utxo3.hash, _utxo3.hash);
@@ -620,6 +629,7 @@ describe("Zeto based fungible token with anonymity using nullifiers and encrypti
         unregisteredUtxo100.hash,
         unregisteredUtxo100.hash,
       );
+      await smtUnregistered.add(unregisteredUtxo0.hash, unregisteredUtxo0.hash);
       const utxosRoot = await smtUnregistered.root();
 
       const nullifier = newNullifier(unregisteredUtxo100, unregistered);

solidity/test/zeto_anon_enc_nullifier_non_repudiation.ts

@@ -59,6 +59,7 @@ describe("Zeto based fungible token with anonymity using nullifiers and encrypti
   let erc20: any;
   let zeto: any;
   let utxo100: UTXO;
+  let utxo0: UTXO;
   let utxo1: UTXO;
   let utxo2: UTXO;
   let utxo3: UTXO;
@@ -330,17 +331,20 @@ describe("Zeto based fungible token with anonymity using nullifiers and encrypti
     await tx1.wait();
 
     utxo100 = newUTXO(100, Alice);
+    utxo0 = newUTXO(0, Alice);
     const { outputCommitments, encodedProof } = await prepareDepositProof(
       Alice,
-      utxo100,
+      [utxo100, utxo0],
     );
     const tx2 = await zeto
       .connect(Alice.signer)
-      .deposit(100, outputCommitments[0], encodedProof, "0x");
+      .deposit(100, outputCommitments, encodedProof, "0x");
     await tx2.wait();
 
     await smtAlice.add(utxo100.hash, utxo100.hash);
+    await smtAlice.add(utxo0.hash, utxo0.hash);
     await smtBob.add(utxo100.hash, utxo100.hash);
+    await smtBob.add(utxo0.hash, utxo0.hash);
   });
 
   it("mint to Alice and transfer UTXOs honestly to Bob should succeed and verifiable by the regulator", async function () {