Skip to content

Commit

Permalink
feat: initial authwit cancellation support
Browse files Browse the repository at this point in the history
  • Loading branch information
LHerskind committed Feb 27, 2024
1 parent 20e8f60 commit dac5e5c
Show file tree
Hide file tree
Showing 22 changed files with 391 additions and 142 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -70,13 +70,13 @@ As part of `AuthWit` we are assuming that the `on_behalf_of` implements the priv

```rust
#[aztec(private)]
fn is_valid(message_hash: Field) -> Field;
fn spend_private_authwit(inner_hash: Field) -> Field;

#[aztec(public)]
fn is_valid_public(message_hash: Field) -> Field;
fn spend_public_authwit(inner_hash: Field) -> Field;
```

Both return the value `0xe86ab4ff` (`is_valid` selector) for a successful authentication, and `0x00000000` for a failed authentication. You might be wondering why we are expecting the return value to be a selector instead of a boolean. This is mainly to account for a case of selector collisions where the same selector is used for different functions, and we don't want an account to mistakenly allow a different function to be called on its behalf - it is hard to return the selector by mistake, but you might have other functions returning a bool.
Both return the value `0xabf64ad4` (`IS_VALID` selector) for a successful authentication, and `0x00000000` for a failed authentication. You might be wondering why we are expecting the return value to be a selector instead of a boolean. This is mainly to account for a case of selector collisions where the same selector is used for different functions, and we don't want an account to mistakenly allow a different function to be called on its behalf - it is hard to return the selector by mistake, but you might have other functions returning a bool.

## The `AuthWit` library.

Expand All @@ -102,11 +102,10 @@ As you can see above, this function takes a `caller` and a `request`. The `reque

For private calls where we allow execution on behalf of others, we generally want to check if the current call is authenticated by `on_behalf_of`. To easily do so, we can use the `assert_current_call_valid_authwit` which fetches information from the current context without us needing to provide much beyond the `on_behalf_of`.

This function computes the message hash, and then forwards the call to the more generic `assert_valid_authwit`. This validating function will then:

- make a call to `on_behalf_of` to validate that the call is authenticated
- emit a nullifier for the action to prevent replay attacks
- throw if the action is not authenticated by `on_behalf_of`
This function will then make a to `on_behalf_of` to execute the `spend_private_authwit` function which validates that the call is authenticated.
The `on_behalf_of` should assert that we are indeed authenticated and then emit a nullifier when we are spending the authwit to prevent replay attacks.
If the return value is not as expected, we throw an error.
This is to cover the case where the `on_behalf_of` might implemented some function with the same selector as the `spend_private_authwit` that could be used to authenticate unintentionally.

#### Example

Expand Down Expand Up @@ -176,7 +175,7 @@ In the snippet below, this is done as a separate contract call, but can also be

We have cases where we need a non-wallet contract to approve an action to be executed by another contract. One of the cases could be when making more complex defi where funds are passed along. When doing so, we need the intermediate contracts to support approving of actions on their behalf.

To support this, we must implement the `is_valid_public` function as seen in the snippet below.
To support this, we must implement the `spend_public_authwit` function as seen in the snippet below.

#include_code authwit_uniswap_get /noir-projects/noir-contracts/contracts/uniswap_contract/src/main.nr rust

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ E.g. you don't want a user to subscribe once they have subscribed already. Or yo

Emit a nullifier in your function. By adding this nullifier into the tree, you prevent another nullifier from being added again. This is also why in authwit, we emit a nullifier, to prevent someone from reusing their approval.

#include_code assert_valid_authwit_public /noir-projects/aztec-nr/authwit/src/auth.nr rust
#include_code spend_private_authwit /noir-projects/aztec-nr/authwit/src/account.nr rust

Note be careful to ensure that the nullifier is not deterministic and that no one could do a preimage analysis attack. More in [the anti pattern section on deterministic nullifiers](#deterministic-nullifiers)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ Next, paste this function:

#include_code authwit_uniswap_get noir-projects/noir-contracts/contracts/uniswap_contract/src/main.nr rust

In this function, the token contract calls the Uniswap contract to check if Uniswap has indeed done the approval. The token contract expects a `is_valid()` function to exit for private approvals and `is_valid_public()` for public approvals. If the action is indeed approved, it expects that the contract would return the function selector for `is_valid()`  in both cases. The Aztec.nr library exposes this constant for ease of use. The token contract also emits a nullifier for this message so that this approval (with the nonce) can’t be used again.
In this function, the token contract calls the Uniswap contract to check if Uniswap has indeed done the approval. The token contract expects a `spend_private_authwit()` function to exit for private approvals and `spend_public_authwit()` for public approvals. If the action is indeed approved, it expects that the contract would return the function selector for `IS_VALID()`  in both cases. The Aztec.nr library exposes this constant for ease of use. The token contract also emits a nullifier for this message so that this approval (with the nonce) can’t be used again.

This is similar to the [Authwit flow](../../contracts/resources/common_patterns/authwit.md).

Expand Down
35 changes: 23 additions & 12 deletions noir-projects/aztec-nr/authwit/src/account.nr
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
use dep::aztec::context::{PrivateContext, PublicContext, Context};
use dep::aztec::state_vars::{Map, PublicMutable};
use dep::aztec::protocol_types::{address::AztecAddress, abis::function_selector::FunctionSelector, hash::{pedersen_hash}};

use crate::entrypoint::{app::AppPayload, fee::FeePayload};
use crate::auth::IS_VALID_SELECTOR;
use crate::auth::{IS_VALID_SELECTOR, compute_outer_authwit_hash};

struct AccountActions {
context: Context,
Expand Down Expand Up @@ -69,21 +70,31 @@ impl AccountActions {
}
// docs:end:entrypoint

pub fn is_valid(self, message_hash: Field) -> Field {
// docs:start:spend_private_authwit
pub fn spend_private_authwit(self, inner_hash: Field) -> Field {
let context = self.context.private.unwrap();
let message_hash = compute_outer_authwit_hash(context.msg_sender(), inner_hash);
let valid_fn = self.is_valid_impl;
if (valid_fn(self.context.private.unwrap(), message_hash)) {
IS_VALID_SELECTOR
} else {
0
}
assert(valid_fn(context, message_hash) == true, "Message not authorized by account");
context.push_new_nullifier(message_hash, 0);
IS_VALID_SELECTOR
}
// docs:end:spend_private_authwit

pub fn is_valid_public(self, message_hash: Field) -> Field {
let value = self.approved_action.at(message_hash).read();
if (value) { IS_VALID_SELECTOR } else { 0 }
// docs:start:spend_public_authwit
pub fn spend_public_authwit(self, inner_hash: Field) -> Field {
let context = self.context.public.unwrap();
let message_hash = compute_outer_authwit_hash(context.msg_sender(), inner_hash);
let is_valid = self.approved_action.at(message_hash).read();
assert(is_valid == true, "Message not authorized by account");
context.push_new_nullifier(message_hash, 0);
IS_VALID_SELECTOR
}
// docs:end:spend_public_authwit

pub fn internal_set_is_valid_storage(self, message_hash: Field, value: bool) {
self.approved_action.at(message_hash).write(value);
// docs:start:approve_public_authwit
pub fn approve_public_authwit(self, message_hash: Field) {
self.approved_action.at(message_hash).write(true);
}
// docs:end:approve_public_authwit
}
82 changes: 30 additions & 52 deletions noir-projects/aztec-nr/authwit/src/auth.nr
Original file line number Diff line number Diff line change
@@ -1,78 +1,56 @@
use dep::aztec::protocol_types::{
abis::function_selector::FunctionSelector, address::AztecAddress,
constants::{GENERATOR_INDEX__AUTHWIT}, hash::{hash_args, pedersen_hash}
constants::{GENERATOR_INDEX__AUTHWIT_INNER, GENERATOR_INDEX__AUTHWIT_OUTER},
hash::{hash_args, pedersen_hash}
};
use dep::aztec::context::{PrivateContext, PublicContext, Context};

global IS_VALID_SELECTOR = 0xe86ab4ff;
global IS_VALID_PUBLIC_SELECTOR = 0xf3661153;

// @todo #2676 Should use different generator than the payload to limit probability of collisions.

// docs:start:assert_valid_authwit
// Assert that `on_behalf_of` have authorized `message_hash` with a valid authentication witness
pub fn assert_valid_authwit(
context: &mut PrivateContext,
on_behalf_of: AztecAddress,
message_hash: Field
) {
let is_valid_selector = FunctionSelector::from_field(IS_VALID_SELECTOR);
let result = context.call_private_function(on_behalf_of, is_valid_selector, [message_hash])[0];
context.push_new_nullifier(message_hash, 0);
assert(result == IS_VALID_SELECTOR, "Message not authorized by account");
}
// docs:end:assert_valid_authwit
global IS_VALID_SELECTOR = 0xabf64ad4; // 4 first bytes of keccak256("IS_VALID()")

// docs:start:assert_current_call_valid_authwit
// Assert that `on_behalf_of` have authorized the current call with a valid authentication witness
pub fn assert_current_call_valid_authwit(context: &mut PrivateContext, on_behalf_of: AztecAddress) {
// message_hash = H(caller, contract_this, selector, args_hash)
let message_hash = pedersen_hash(
[
context.msg_sender().to_field(), context.this_address().to_field(), context.selector().to_field(), context.args_hash
],
GENERATOR_INDEX__AUTHWIT
let function_selector = FunctionSelector::from_signature("spend_private_authwit(Field)");
let inner_hash = pedersen_hash(
[context.msg_sender().to_field(), context.selector().to_field(), context.args_hash],
GENERATOR_INDEX__AUTHWIT_INNER
);
assert_valid_authwit(context, on_behalf_of, message_hash);
}
// docs:end:assert_current_call_valid_authwit

// docs:start:assert_valid_authwit_public
// Assert that `on_behalf_of` have authorized `message_hash` in a public context
pub fn assert_valid_authwit_public(context: &mut PublicContext, on_behalf_of: AztecAddress, message_hash: Field) {
let is_valid_public_selector = FunctionSelector::from_field(IS_VALID_PUBLIC_SELECTOR);
let result = context.call_public_function(on_behalf_of, is_valid_public_selector, [message_hash])[0];
context.push_new_nullifier(message_hash, 0);
let result = context.call_private_function(on_behalf_of, function_selector, [inner_hash])[0];
assert(result == IS_VALID_SELECTOR, "Message not authorized by account");
}
// docs:end:assert_valid_authwit_public
// docs:end:assert_current_call_valid_authwit

// docs:start:assert_current_call_valid_authwit_public
// Assert that `on_behalf_of` have authorized the current call in a public context
pub fn assert_current_call_valid_authwit_public(context: &mut PublicContext, on_behalf_of: AztecAddress) {
// message_hash = H(caller, contract_this, selector, args_hash)
let message_hash = pedersen_hash(
[
context.msg_sender().to_field(), context.this_address().to_field(), context.selector().to_field(), context.args_hash
],
GENERATOR_INDEX__AUTHWIT
let function_selector = FunctionSelector::from_signature("spend_public_authwit(Field)");
let inner_hash = pedersen_hash(
[context.msg_sender().to_field(), context.selector().to_field(), context.args_hash],
GENERATOR_INDEX__AUTHWIT_INNER
);
assert_valid_authwit_public(context, on_behalf_of, message_hash);
let result = context.call_public_function(on_behalf_of, function_selector, [inner_hash])[0];
assert(result == IS_VALID_SELECTOR, "Message not authorized by account");
}
// docs:end:assert_current_call_valid_authwit_public

// docs:start:compute_authwit_message_hash
// Compute the message hash to be used by an authentication witness
pub fn compute_authwit_message_hash<N>(
caller: AztecAddress,
target: AztecAddress,
selector: FunctionSelector,
args: [Field; N]
) -> Field {
pub fn compute_call_authwit_hash<N>(caller: AztecAddress, consumer: AztecAddress, selector: FunctionSelector, args: [Field; N]) -> Field {
let args_hash = hash_args(args);
pedersen_hash(
[caller.to_field(), target.to_field(), selector.to_field(), args_hash],
GENERATOR_INDEX__AUTHWIT
compute_outer_authwit_hash(
consumer,
compute_inner_authwit_hash([caller.to_field(), selector.to_field(), args_hash])
)
}
// docs:end:compute_authwit_message_hash

pub fn compute_inner_authwit_hash<N>(args: [Field; N]) -> Field {
pedersen_hash(args, GENERATOR_INDEX__AUTHWIT_OUTER)
}

pub fn compute_outer_authwit_hash(consumer: AztecAddress, msg_hash: Field) -> Field {
pedersen_hash(
[consumer.to_field(), msg_hash],
GENERATOR_INDEX__AUTHWIT_OUTER
)
}
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,16 @@ contract DocsExample {
);
}

#[aztec(private)]
fn spend_private_authwit(inner_hash: Field) -> Field {
1
}

#[aztec(public)]
fn spend_public_authwit(inner_hash: Field) -> Field {
1
}

#[aztec(public)]
internal fn update_leader(account: AztecAddress, points: u8) {
let new_leader = Leader { account, points };
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ mod ecdsa_public_key_note;
// Account contract that uses ECDSA signatures for authentication on the same curve as Ethereum.
// The signing key is stored in an immutable private note and should be different from the signing key.
contract EcdsaAccount {
use dep::aztec::protocol_types::{abis::call_context::CallContext, address::AztecAddress};
use dep::aztec::protocol_types::{abis::{call_context::CallContext, function_selector::FunctionSelector}, address::AztecAddress};
use dep::std;
use dep::std::option::Option;
use dep::aztec::{
Expand Down Expand Up @@ -40,39 +40,44 @@ contract EcdsaAccount {
}

#[aztec(private)]
fn is_valid(message_hash: Field) -> Field {
fn spend_private_authwit(inner_hash: Field) -> Field {
let actions = AccountActions::private(&mut context, ACCOUNT_ACTIONS_STORAGE_SLOT, is_valid_impl);
actions.is_valid(message_hash)
actions.spend_private_authwit(inner_hash)
}

#[aztec(public)]
fn is_valid_public(message_hash: Field) -> Field {
fn spend_public_authwit(inner_hash: Field) -> Field {
let actions = AccountActions::public(&mut context, ACCOUNT_ACTIONS_STORAGE_SLOT, is_valid_impl);
actions.is_valid_public(message_hash)
actions.spend_public_authwit(inner_hash)
}

#[aztec(private)]
internal fn cancel_authwit(outer_hash: Field) {
context.push_new_nullifier(outer_hash, 0);
}

#[aztec(public)]
internal fn set_is_valid_storage(message_hash: Field, value: bool) {
internal fn approve_public_authwit(outer_hash: Field) {
let actions = AccountActions::public(&mut context, ACCOUNT_ACTIONS_STORAGE_SLOT, is_valid_impl);
actions.internal_set_is_valid_storage(message_hash, value)
actions.approve_public_authwit(outer_hash)
}

#[contract_library_method]
fn is_valid_impl(context: &mut PrivateContext, message_field: Field) -> pub bool {
fn is_valid_impl(context: &mut PrivateContext, outer_hash: Field) -> bool {
// Load public key from storage
let storage = Storage::init(Context::private(context));
let public_key = storage.public_key.get_note();

// Load auth witness
let witness: [Field; 64] = get_auth_witness(message_field);
let witness: [Field; 64] = get_auth_witness(outer_hash);
let mut signature: [u8; 64] = [0; 64];
for i in 0..64 {
signature[i] = witness[i] as u8;
}

// Verify payload signature using Ethereum's signing scheme
// Note that noir expects the hash of the message/challenge as input to the ECDSA verification.
let hashed_message: [u8; 32] = std::hash::sha256(message_field.to_be_bytes(32));
let hashed_message: [u8; 32] = std::hash::sha256(outer_hash.to_be_bytes(32));
let verification = std::ecdsa_secp256k1::verify_signature(public_key.x, public_key.y, signature, hashed_message);
assert(verification == true);

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ contract SchnorrAccount {
use dep::std;
use dep::std::option::Option;

use dep::aztec::protocol_types::address::AztecAddress;
use dep::aztec::protocol_types::{address::AztecAddress, abis::function_selector::FunctionSelector};

use dep::aztec::{
context::{PrivateContext, Context}, note::{note_header::NoteHeader, utils as note_utils},
Expand Down Expand Up @@ -45,33 +45,38 @@ contract SchnorrAccount {
}

#[aztec(private)]
fn is_valid(message_hash: Field) -> Field {
fn spend_private_authwit(inner_hash: Field) -> Field {
let actions = AccountActions::private(&mut context, ACCOUNT_ACTIONS_STORAGE_SLOT, is_valid_impl);
actions.is_valid(message_hash)
actions.spend_private_authwit(inner_hash)
}

#[aztec(public)]
fn is_valid_public(message_hash: Field) -> Field {
fn spend_public_authwit(inner_hash: Field) -> Field {
let actions = AccountActions::public(&mut context, ACCOUNT_ACTIONS_STORAGE_SLOT, is_valid_impl);
actions.is_valid_public(message_hash)
actions.spend_public_authwit(inner_hash)
}

#[aztec(private)]
internal fn cancel_authwit(outer_hash: Field) {
context.push_new_nullifier(outer_hash, 0);
}

#[aztec(public)]
internal fn set_is_valid_storage(message_hash: Field, value: bool) {
internal fn approve_public_authwit(outer_hash: Field) {
let actions = AccountActions::public(&mut context, ACCOUNT_ACTIONS_STORAGE_SLOT, is_valid_impl);
actions.internal_set_is_valid_storage(message_hash, value)
actions.approve_public_authwit(outer_hash)
}

#[contract_library_method]
fn is_valid_impl(context: &mut PrivateContext, message_hash: Field) -> pub bool {
fn is_valid_impl(context: &mut PrivateContext, outer_hash: Field) -> bool {
// docs:start:entrypoint
// Load public key from storage
let storage = Storage::init(Context::private(context));
// docs:start:get_note
let public_key = storage.signing_public_key.get_note();
// docs:end:get_note
// Load auth witness
let witness: [Field; 64] = get_auth_witness(message_hash);
let witness: [Field; 64] = get_auth_witness(outer_hash);
let mut signature: [u8; 64] = [0; 64];
for i in 0..64 {
signature[i] = witness[i] as u8;
Expand All @@ -82,7 +87,7 @@ contract SchnorrAccount {
public_key.x,
public_key.y,
signature,
message_hash.to_be_bytes(32)
outer_hash.to_be_bytes(32)
);
assert(verification == true);
// docs:end:entrypoint
Expand Down
Loading

0 comments on commit dac5e5c

Please sign in to comment.