AztecProtocol · LeilaWang · Jan 16, 2023 · Jan 10, 2023 · Jan 10, 2023 · Jan 10, 2023
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ RUN git clone -b release/10.x --depth 1 https://github.com/llvm/llvm-project.git
 Run the bootstrap script. (The bootstrap script will build both the native and wasm versions of barretenberg)
 
 ```
+cd cpp
 ./bootstrap.sh
 ```
 

diff --git a/cpp/src/aztec/rollup/constants.hpp b/cpp/src/aztec/rollup/constants.hpp
@@ -34,8 +34,8 @@ is_circuit_change_expected to zero and change the modified circuit gate counts a
 constexpr bool is_circuit_change_expected = 0;
 /* The below constants are only used for regression testing; to identify accidental changes to circuit
  constraints. They need to be changed when there is a circuit change. */
-constexpr uint32_t ACCOUNT = 23958;
-constexpr uint32_t JOIN_SPLIT = 64000;
+constexpr uint32_t ACCOUNT = 23967;
+constexpr uint32_t JOIN_SPLIT = 64043;
 constexpr uint32_t CLAIM = 22684;
 constexpr uint32_t ROLLUP = 1173221;
 constexpr uint32_t ROOT_ROLLUP = 5481327;
@@ -57,13 +57,13 @@ namespace circuit_vk_hash {
 /* These below constants are only used for regression testing; to identify accidental changes to circuit
  constraints. They need to be changed when there is a circuit change. Note that they are written in the reverse order
  to comply with the from_buffer<>() method. */
-constexpr auto ACCOUNT = uint256_t(0x78ebf096ab73e440, 0xaa1dc7c26a125f6e, 0x488a97e465b96964, 0xf9d3e501b89bf466);
-constexpr auto JOIN_SPLIT = uint256_t(0x5e67a4a4503ebf25, 0xb3c070c061e76d1a, 0xb18c6c6a5bcad5fb, 0xe0d5f46cafb33ecf);
+constexpr auto ACCOUNT = uint256_t(0xcd6d70c733eaf823, 0x6505d3402817ad3d, 0xbf9e2b6a262589cf, 0xafcc546b55cc45e3);
+constexpr auto JOIN_SPLIT = uint256_t(0x7f154a0f7899ffe5, 0xb131200661bf1911, 0x9a0c8cd44c9c087b, 0x1038d50b67f8a5b3);
 constexpr auto CLAIM = uint256_t(0x878301ebba40ab60, 0x931466762c62d661, 0x40aad71ec3496905, 0x9f47aaa109759d0a);
-constexpr auto ROLLUP = uint256_t(0x160731cc44173fdc, 0x6a6d55e46bf198bd, 0x9ce1d4608ae26fb0, 0x865ced5c16cb6152);
-constexpr auto ROOT_ROLLUP = uint256_t(0xd77e82eae9e6efc7, 0x2b5ddf767012a4cf, 0x8b5982bb3d64616f, 0x20b515f5a9c78048);
+constexpr auto ROLLUP = uint256_t(0x10909f6022cbe853, 0x05540f4a6cdd597a, 0x89b7c29dfbfc50e2, 0xa3a335eed6b774d6);
+constexpr auto ROOT_ROLLUP = uint256_t(0x4d135bb2a2aa9ac1, 0xadf2e42748b53e53, 0x501463f9b3207d2b, 0xa0d8b0d4053698ba);
 constexpr auto ROOT_VERIFIER =
-    uint256_t(0x8e8313d6015ca626, 0x62ccf70b81c4e099, 0x33bee0072a20f36a, 0x44bd24daa009cd59);
+    uint256_t(0x85521cebe5e98f46, 0x02141f667a54d17e, 0xd8d43be20eea9560, 0xade9412d8afbb6b9);
 }; // namespace circuit_vk_hash
 
 namespace ProofIds {

diff --git a/cpp/src/aztec/rollup/proofs/account/account.cpp b/cpp/src/aztec/rollup/proofs/account/account.cpp
@@ -105,7 +105,8 @@ void account_circuit(Composer& composer, account_tx const& tx)
                                               nullifier_1,
                                               nullifier_2 };
         const byte_array_ct message = pedersen::compress(to_compress);
-        stdlib::schnorr::verify_signature(message, signer, signature);
+        const bool_ct verified = stdlib::schnorr::verify_signature(message, signer, signature);
+        verified.assert_equal(true, "verify signature failed");
         if (composer.failed && !composerAlreadyFailed) {
             // only assign this error if an error hasn't already been assigned.
             composer.err = "verify signature failed";

diff --git a/cpp/src/aztec/rollup/proofs/join_split/join_split.test.cpp b/cpp/src/aztec/rollup/proofs/join_split/join_split.test.cpp
diff --git a/cpp/src/aztec/rollup/proofs/join_split/join_split_circuit.cpp b/cpp/src/aztec/rollup/proofs/join_split/join_split_circuit.cpp
@@ -254,17 +254,28 @@ join_split_outputs join_split_circuit_component(join_split_inputs const& inputs)
     // A: By passing a signature to the circuit, the 'signing private key' doesn't need to be passed to the proof
     // construction software. This is useful for multisigs, offline signing, etc., so that the proof construction
     // software (or machine) doesn't have access to the signing private key.
-    verify_signature(inputs.public_value.value,
-                     inputs.public_owner,
-                     public_asset_id.value,
-                     output_note_1_commitment,
-                     output_note_2.commitment,
-                     nullifier1,
-                     nullifier2,
-                     signer,
-                     inputs.backward_link,
-                     inputs.allow_chain,
-                     inputs.signature);
+    const bool_ct verified = verify_signature(inputs.public_value.value,
+                                              inputs.public_owner,
+                                              public_asset_id.value,
+                                              output_note_1_commitment,
+                                              output_note_2.commitment,
+                                              nullifier1,
+                                              nullifier2,
+                                              signer,
+                                              inputs.backward_link,
+                                              inputs.allow_chain,
+                                              inputs.signature);
+    // is_same_owner: we rely on input_note_1.owner == input_note_2.owner being checked already
+    const bool_ct is_same_owner =
+        input_note_1.owner == output_note_1.owner && input_note_2.owner == output_note_2.owner;
+    const bool_ct is_same_amount = total_in_value == total_out_value;
+    // is_merge_send: 
+    //   if true, we can elide our signature as this is a same-owner, same-amount send
+    //   where one of the output notes has value 0
+    //   Caveat: A signature of all 0's will still fail basic checks
+    const bool_ct is_merge_send =
+        is_send && (output_note_1_value == 0 || output_note_2_value == 0) && is_same_owner && is_same_amount;
+    (verified || is_merge_send).assert_equal(true, "verify signature failed");
 
     return { nullifier1,      nullifier2, output_note_1_commitment, output_note_2.commitment,
              public_asset_id, tx_fee,     bridge_call_data,         defi_deposit_value };

diff --git a/cpp/src/aztec/rollup/proofs/join_split/verify_signature.hpp b/cpp/src/aztec/rollup/proofs/join_split/verify_signature.hpp
@@ -7,24 +7,24 @@ namespace join_split {
 
 using namespace notes;
 
-inline void verify_signature(field_ct const& public_value,
-                             field_ct const& public_owner,
-                             field_ct const& public_asset_id,
-                             field_ct const& output_note1_commitment,
-                             field_ct const& output_note2_commitment,
-                             field_ct const& nullifier1,
-                             field_ct const& nullifier2,
-                             point_ct const& owner_pub_key,
-                             field_ct const& backward_link,
-                             field_ct const& allow_chain,
-                             schnorr::signature_bits const& signature)
+inline bool_ct verify_signature(field_ct const& public_value,
+                                field_ct const& public_owner,
+                                field_ct const& public_asset_id,
+                                field_ct const& output_note1_commitment,
+                                field_ct const& output_note2_commitment,
+                                field_ct const& nullifier1,
+                                field_ct const& nullifier2,
+                                point_ct const& owner_pub_key,
+                                field_ct const& backward_link,
+                                field_ct const& allow_chain,
+                                schnorr::signature_bits const& signature)
 {
     std::vector<field_ct> to_compress = {
         public_value, public_owner,  public_asset_id, output_note1_commitment, output_note2_commitment, nullifier1,
         nullifier2,   backward_link, allow_chain,
     };
     byte_array_ct message = pedersen::compress(to_compress);
-    verify_signature(message, owner_pub_key, signature);
+    return verify_signature(message, owner_pub_key, signature);
 }
 
 } // namespace join_split

diff --git a/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.cpp b/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.cpp
@@ -271,7 +271,7 @@ point<C> variable_base_mul(const point<C>& pub_key, const point<C>& current_accu
  * @details TurboPlonk: ~10850 gates (~4k for variable_base_mul, ~6k for blake2s) for a string of length < 32.
  */
 template <typename C>
-void verify_signature(const byte_array<C>& message, const point<C>& pub_key, const signature_bits<C>& sig)
+bool_t<C> verify_signature(const byte_array<C>& message, const point<C>& pub_key, const signature_bits<C>& sig)
 {
     // Compute [s]g, where s = (s_lo, s_hi) and g = G1::one.
     point<C> R_1 = group<C>::fixed_base_scalar_mul(sig.s_lo, sig.s_hi);
@@ -292,11 +292,10 @@ void verify_signature(const byte_array<C>& message, const point<C>& pub_key, con
     // compute  e' = hash(([s]g + [e]pub).x | message)
     byte_array<C> output = blake2s(hash_input);
 
-    // verify that e' == e
     field_t<C> output_hi(output.slice(0, 16));
     field_t<C> output_lo(output.slice(16, 16));
-    output_lo.assert_equal(sig.e_lo, "verify signature failed");
-    output_hi.assert_equal(sig.e_hi, "verify signature failed");
+    // check that e' == e
+    return output_lo == sig.e_lo && output_hi == sig.e_hi;
 }
 
 template wnaf_record<waffle::TurboComposer> convert_field_into_wnaf<waffle::TurboComposer>(
@@ -311,14 +310,15 @@ template point<waffle::TurboComposer> variable_base_mul<waffle::TurboComposer>(
     const point<waffle::TurboComposer>&,
     const wnaf_record<waffle::TurboComposer>&);
 
-template void verify_signature<waffle::TurboComposer>(const byte_array<waffle::TurboComposer>&,
-                                                      const point<waffle::TurboComposer>&,
-                                                      const signature_bits<waffle::TurboComposer>&);
+template bool_t<waffle::TurboComposer> verify_signature<waffle::TurboComposer>(
+    const byte_array<waffle::TurboComposer>&,
+    const point<waffle::TurboComposer>&,
+    const signature_bits<waffle::TurboComposer>&);
 
 template signature_bits<waffle::TurboComposer> convert_signature<waffle::TurboComposer>(
     waffle::TurboComposer*, const crypto::schnorr::signature&);
 template signature_bits<waffle::PlookupComposer> convert_signature<waffle::PlookupComposer>(
     waffle::PlookupComposer*, const crypto::schnorr::signature&);
 } // namespace schnorr
 } // namespace stdlib
-} // namespace plonk
+} // namespace plonk
diff --git a/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.hpp b/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.hpp
@@ -33,7 +33,7 @@ point<C> variable_base_mul(const point<C>& pub_key, const field_t<C>& low_bits,
 template <typename C> signature_bits<C> convert_signature(C* context, const crypto::schnorr::signature& sig);
 
 template <typename C>
-void verify_signature(const byte_array<C>& message, const point<C>& pub_key, const signature_bits<C>& sig);
+bool_t<C> verify_signature(const byte_array<C>& message, const point<C>& pub_key, const signature_bits<C>& sig);
 
 extern template point<waffle::TurboComposer> variable_base_mul<waffle::TurboComposer>(
     const point<waffle::TurboComposer>&,
@@ -47,12 +47,14 @@ extern template point<waffle::TurboComposer> variable_base_mul(const point<waffl
 extern template wnaf_record<waffle::TurboComposer> convert_field_into_wnaf<waffle::TurboComposer>(
     waffle::TurboComposer* context, const field_t<waffle::TurboComposer>& limb);
 
-extern template void verify_signature<waffle::TurboComposer>(const byte_array<waffle::TurboComposer>&,
-                                                             const point<waffle::TurboComposer>&,
-                                                             const signature_bits<waffle::TurboComposer>&);
-extern template void verify_signature<waffle::PlookupComposer>(const byte_array<waffle::PlookupComposer>&,
-                                                               const point<waffle::PlookupComposer>&,
-                                                               const signature_bits<waffle::PlookupComposer>&);
+extern template bool_t<waffle::TurboComposer> verify_signature<waffle::TurboComposer>(
+    const byte_array<waffle::TurboComposer>&,
+    const point<waffle::TurboComposer>&,
+    const signature_bits<waffle::TurboComposer>&);
+extern template bool_t<waffle::PlookupComposer> verify_signature<waffle::PlookupComposer>(
+    const byte_array<waffle::PlookupComposer>&,
+    const point<waffle::PlookupComposer>&,
+    const signature_bits<waffle::PlookupComposer>&);
 
 extern template signature_bits<waffle::TurboComposer> convert_signature<waffle::TurboComposer>(
     waffle::TurboComposer*, const crypto::schnorr::signature&);

diff --git a/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.test.cpp b/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.test.cpp
@@ -224,7 +224,8 @@ TEST(stdlib_schnorr, verify_signature)
         point_ct pub_key{ witness_ct(&composer, account.public_key.x), witness_ct(&composer, account.public_key.y) };
         stdlib::schnorr::signature_bits sig = stdlib::schnorr::convert_signature(&composer, signature);
         byte_array_ct message(&composer, message_string);
-        stdlib::schnorr::verify_signature(message, pub_key, sig);
+        bool_ct result_ct = stdlib::schnorr::verify_signature(message, pub_key, sig);
+        result_ct.assert_equal(true, "verify signature failed");
 
         Prover prover = composer.create_prover();
         printf("composer gates = %zu\n", composer.get_num_gates());
@@ -268,7 +269,8 @@ TEST(stdlib_schnorr, verify_signature_failure)
     point_ct pub_key2_ct{ witness_ct(&composer, account2.public_key.x), witness_ct(&composer, account2.public_key.y) };
     stdlib::schnorr::signature_bits sig = stdlib::schnorr::convert_signature(&composer, signature);
     byte_array_ct message(&composer, message_string);
-    stdlib::schnorr::verify_signature(message, pub_key2_ct, sig);
+    bool_ct result_ct = stdlib::schnorr::verify_signature(message, pub_key2_ct, sig);
+    result_ct.assert_equal(true, "verify signature failed");
 
     Prover prover = composer.create_prover();
-Original file line number
+Diff line change
@@ Expand Up @@
     Run the bootstrap script. (The bootstrap script will build both the native and wasm versions of barretenberg)
     ```
+    cd cpp
     ./bootstrap.sh
     ```
@@ Expand Down @@