feat: log decryption in Noir

[benesjan]

Fixes #10723
Fixes #11634

[benesjan]

Sneaked this unrelated change in. I needed it to orient myself in the structure of the log and AI is perfect for generating these code docs.

[benesjan]

Sneaked this unrelated change in. I needed it to orient myself in the structure of the log and AI is perfect for generating these code docs.

[benesjan]

Same as in the event.nr above - this fixes privacy leak.

[benesjan]

When I had the ephPk input defined only as "ephPk: ACVMField[]" then ephPk was only 1 Field instead of 3. Does the reviewer if it's really necessary to list the components directly here? It's ugly.

[nventuro]

I'm not sure I follow. It's a struct with 3 values so it gets converted to three acvm fields no?

[benesjan]

If I put there ephPk: ACVField[] instead of the 3 components I got just one field.

[benesjan]

When I directly returned Point from the oracle, I got an error with num destination slots. I see that there is not other case that returns a multi-field struct from oracle and e.g. ingetIndexedTaggingSecretAsSender we also return an array of fields and then deserialize. Is it really just unsupported? I would expect Noir to manage to map the struct fields. Is this just a tech debt.

[iAmMichaelConnor]

BoundedVec is an example of a multi-field struct that is being returned by the decryption oracle.

pub struct BoundedVec<T, let MaxLen: u32> {
    storage: [T; MaxLen],
    len: u32,
}

[nventuro]

Yes, this is the same as the decrypt oracle

[benesjan]

Good point. Will investigate what did I do wrong here. Thanks

[benesjan]

Did this change here and in the note.nr because when decrypting we use be_bytes_32_to_fields. And those 2 functions are guaranteed to match.

[benesjan]

The encrypt_log function originally didn't exist but I separated it from compute_log because that is against what I wanted to unit test my decryption functionality.

[benesjan]

I return fields here instead of bytes. This is because that is the natural representation and I think it makes sense to convert it to bytes before calling the aes function.

[iAmMichaelConnor]

I left it as bytes, because we should be packing the note_type_id into much less than a field. Plus, this function is compute_note_plaintext_for_this_strategy and this strategy is specifically for AES, so bytes is the natural output.

[nventuro]

We eventually need to settle on what standard format aztec-nr uses for logs once it considers non-AES flows. In my mind the only sane choice is a field array (since that is what noir deals with, that is what the logs are, and that is the only thing that has no overhead), so this is more beginning to nudge things in that direction. Ultimately the note type id will share the field with some other values, likely in what is today the 'combined type id'.

[benesjan]

This is new here. As for the event I now use this method to have a guraanteed match between encryption and decryption.

[benesjan]

Nuked this function because it was used in a test that was no longer viable to have because of no longer having decryption in Typescript and it was also unnecessary. Will describe details in the test.

[benesjan]

TxScopedL2Log now represents the log as fields and not as a buffer. I did this change because Fields are the natural representation and it results in less conversions in the code.

[nventuro]

Was not able to go through the entire thing yet, leaving some preliminary comments

[nventuro]

Can't we get rid of this entire directory?

[benesjan]

We cannot because there is still l1_event_payload that uses this stuff.

I was thinking about this and I think we should prioritize moving the event decryption to Noir as well once this PR is merged because I currently have it all loaded in my brain and it would allows us to finally purge a lot of this code.

It would require modifying the process_log function such that it stores the logs in capsules and then exposing some event getter on the relevant contracts so it would be quite a bit of work though.

[nventuro]

Is this the first oracle that returns a boundedvec?

[benesjan]

Yes

[nventuro]

I'm not sure I follow. It's a struct with 3 values so it gets converted to three acvm fields no?

[nventuro]

cc @Thunkar

[benesjan]

• feat: log decryption in Noir #12596 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[iAmMichaelConnor]

I've left some comments :)

[iAmMichaelConnor]

I'm surprised git hasn't figured out that this file is a git mv of a file. It's showing as a deleted file, then a new file. How did you move around the files? VScode usually correctly does a git mv.
It's very hard to compare the diff as a result.

[benesjan]

I pointed out in the code where I did changes. Sorry the diff is 💩 but feel like I have an excuse here since I could not really separate this into a different PR because of the branch situation being tricky when I started the PR.

[iAmMichaelConnor]

This probably shouldn't live here; oracle files should focus on the oracle funtionality. A util which makes use of an oracle should live elsewhere.

Re the function name: it's not returning a max byte size, it'll return a value which is this byte size. random_bytes might be clearer?

[benesjan]

Good point. Moved it in 0298842

[benesjan]

Nuked the function in 65377a1 and I just use get_random_bytes there instead.

[iAmMichaelConnor]

BoundedVec is an example of a multi-field struct that is being returned by the decryption oracle.

pub struct BoundedVec<T, let MaxLen: u32> {
    storage: [T; MaxLen],
    len: u32,
}

[iAmMichaelConnor]

We should probably rename the point_from_x_coord to point_from_x_coord_unsafe. It's only being used in tests.

[nventuro]

Why is it unsafe?

[benesjan]

It's not unsafe per se but the the name is bad because you cannot recover a point just from x_coordinate. You can however recover a point corresponding to an address just from x_coordinate.

So I guess it would be better to instead just rename it to address_point_from_x_coord. Will take a note to do this in a separate PR.

[iAmMichaelConnor]

I left it as bytes, because we should be packing the note_type_id into much less than a field. Plus, this function is compute_note_plaintext_for_this_strategy and this strategy is specifically for AES, so bytes is the natural output.

[iAmMichaelConnor]

Why was this function extracted into its own file?
One of my goals when I refactored encryption was for everything to be in one long, flattened file, so that it was easier to see the whole unravelled log assembly process, whilst we did all our other refactoring. Please can we revert this particular change?
The encrypt_log function that's been extracted has a name which isn't descriptive of what the function does: it computes a log (so should live in this compute_log function) (Or actually, it assembles a log, so maybe compute_log should be renamed to assemble_log). A "log" can't be encrypted; a plaintext can be encrypted. And the extracted encrypt_log function also computes a header and encrypts that and then concatenates data according to this log assembly strategy.

[benesjan]

I needed to unit test it against the decryption functionality and during decryption we don't spit out a note but a log plaintext (see process_log function). This is not decided yet but the process_log contract function will most likely process event logs as well and there we will need 1 decryption functionality shared between events and notes. For this reason changing the process_log function to not destructure the log plaintext there seemed like a bad direction to go down.

Agree that the name could be improved but I think it can probably wait for when we handle the events.

[iAmMichaelConnor]

I mentioned in another comment that the encrypted_log fn shouldn't be extracted from the compute_log function.
This function does the process in reverse, so it doesn't just "decrypt" it also decodes the various components of the log. process_log might be a better name (because it's literally processing the log according to this log assembly/disassembly strategy).

[nventuro]

I'm not sure we'd be able to keep that model, given that we'll need to agree on some common encoding that all schemes must follow (or else abstract both encryption and encoding). Given that, the primitive being 'encrypt/decrypt' a field array makes sense (i.e. potato encoding).

[benesjan]

As Mike pointed out, we should keep oracle folder for oracles. For this reason I moved this function to utils/random.nr (didn't do any changes to it).

[nventuro]

Why is it unsafe?

[nventuro]

Is it working correctly now?

[benesjan]

It does not. But felt like it's not a scope of this PR to rework that so I just put there this warning that it's fucked up.

[nventuro]

Please create a tracking issue or address it then

[nventuro]

I'm not sure we'd be able to keep that model, given that we'll need to agree on some common encoding that all schemes must follow (or else abstract both encryption and encoding). Given that, the primitive being 'encrypt/decrypt' a field array makes sense (i.e. potato encoding).