darkfi_dao_contract/client/
vote.rs

1/* This file is part of DarkFi (https://dark.fi)
2 *
3 * Copyright (C) 2020-2025 Dyne.org foundation
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU Affero General Public License as
7 * published by the Free Software Foundation, either version 3 of the
8 * License, or (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 * GNU Affero General Public License for more details.
14 *
15 * You should have received a copy of the GNU Affero General Public License
16 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
17 */
18
19use darkfi_money_contract::model::CoinAttributes;
20use darkfi_sdk::{
21    bridgetree,
22    bridgetree::Hashable,
23    crypto::{
24        note::ElGamalEncryptedNote,
25        pasta_prelude::*,
26        pedersen_commitment_u64, poseidon_hash,
27        smt::{PoseidonFp, SparseMerkleTree, StorageAdapter, SMT_FP_DEPTH},
28        util::fv_mod_fp_unsafe,
29        Blind, MerkleNode, PublicKey, SecretKey,
30    },
31    pasta::pallas,
32};
33use log::debug;
34use rand::rngs::OsRng;
35
36use darkfi::{
37    zk::{halo2::Value, Proof, ProvingKey, Witness, ZkCircuit},
38    zkas::ZkBinary,
39    ClientFailed, Result,
40};
41
42use crate::{
43    error::DaoError,
44    model::{Dao, DaoProposal, DaoVoteParams, DaoVoteParamsInput, VecAuthCallCommit},
45};
46
47pub struct DaoVoteInput {
48    pub secret: SecretKey,
49    pub note: darkfi_money_contract::client::MoneyNote,
50    pub leaf_position: bridgetree::Position,
51    pub merkle_path: Vec<MerkleNode>,
52    pub signature_secret: SecretKey,
53}
54
55// Inside ZK proof, check proposal is correct.
56pub struct DaoVoteCall<'a, T: StorageAdapter<Value = pallas::Base>> {
57    pub money_null_smt:
58        &'a SparseMerkleTree<'a, SMT_FP_DEPTH, { SMT_FP_DEPTH + 1 }, pallas::Base, PoseidonFp, T>,
59    pub inputs: Vec<DaoVoteInput>,
60    pub vote_option: bool,
61    pub proposal: DaoProposal,
62    pub dao: Dao,
63    pub current_blockwindow: u64,
64}
65
66impl<T: StorageAdapter<Value = pallas::Base>> DaoVoteCall<'_, T> {
67    pub fn make(
68        self,
69        burn_zkbin: &ZkBinary,
70        burn_pk: &ProvingKey,
71        main_zkbin: &ZkBinary,
72        main_pk: &ProvingKey,
73    ) -> Result<(DaoVoteParams, Vec<Proof>)> {
74        debug!(target: "contract::dao::client::vote", "make()");
75
76        if self.dao.to_bulla() != self.proposal.dao_bulla {
77            return Err(ClientFailed::VerifyError(DaoError::InvalidCalls.to_string()).into())
78        }
79        let proposal_bulla = self.proposal.to_bulla();
80
81        let mut proofs = vec![];
82
83        let gov_token_blind = pallas::Base::random(&mut OsRng);
84
85        let mut inputs = vec![];
86        let mut all_vote_value = 0;
87        let mut all_vote_blind = pallas::Scalar::from(0);
88
89        let last_input_idx = self.inputs.len() - 1;
90        for (i, input) in self.inputs.into_iter().enumerate() {
91            // Last input
92            // Choose a blinding factor that can be converted to pallas::Base exactly.
93            // We need this so we can verifiably encrypt the sum of input blinds
94            // in the next section.
95            // TODO: make a generalized widget for this, and also picking blinds in money::transfer()
96            let mut value_blind = pallas::Scalar::random(&mut OsRng);
97
98            if i == last_input_idx {
99                // It's near zero chance it ever loops at all.
100                // P(random 𝔽ᵥ ∉ 𝔽ₚ) = (q - p)/q = 2.99 × 10⁻⁵¹
101                loop {
102                    let av_blind = fv_mod_fp_unsafe(all_vote_blind + value_blind);
103
104                    if av_blind.is_none().into() {
105                        value_blind = pallas::Scalar::random(&mut OsRng);
106                        continue
107                    }
108
109                    break
110                }
111            }
112
113            all_vote_value += input.note.value;
114            all_vote_blind += value_blind;
115
116            let signature_public = PublicKey::from_secret(input.signature_secret);
117
118            // Note from the previous output
119            let note = input.note;
120            let leaf_pos: u64 = input.leaf_position.into();
121
122            let public_key = PublicKey::from_secret(input.secret);
123            let coin = CoinAttributes {
124                public_key,
125                value: note.value,
126                token_id: note.token_id,
127                spend_hook: note.spend_hook,
128                user_data: note.user_data,
129                blind: note.coin_blind,
130            }
131            .to_coin();
132            let nullifier = poseidon_hash([input.secret.inner(), coin.inner()]);
133
134            let smt_null_root = self.money_null_smt.root();
135            let smt_null_path = self.money_null_smt.prove_membership(&nullifier);
136            if !smt_null_path.verify(&smt_null_root, &pallas::Base::ZERO, &nullifier) {
137                return Err(
138                    ClientFailed::VerifyError(DaoError::InvalidInputMerkleRoot.to_string()).into()
139                )
140            }
141
142            let prover_witnesses = vec![
143                Witness::Base(Value::known(input.secret.inner())),
144                Witness::Base(Value::known(pallas::Base::from(note.value))),
145                Witness::Base(Value::known(note.token_id.inner())),
146                Witness::Base(Value::known(pallas::Base::ZERO)),
147                Witness::Base(Value::known(pallas::Base::ZERO)),
148                Witness::Base(Value::known(note.coin_blind.inner())),
149                Witness::Base(Value::known(proposal_bulla.inner())),
150                Witness::Scalar(Value::known(value_blind)),
151                Witness::Base(Value::known(gov_token_blind)),
152                Witness::Uint32(Value::known(leaf_pos.try_into().unwrap())),
153                Witness::MerklePath(Value::known(input.merkle_path.clone().try_into().unwrap())),
154                Witness::SparseMerklePath(Value::known(smt_null_path.path)),
155                Witness::Base(Value::known(input.signature_secret.inner())),
156            ];
157
158            let merkle_root = {
159                let position: u64 = input.leaf_position.into();
160                let mut current = MerkleNode::from(coin.inner());
161                for (level, sibling) in input.merkle_path.iter().enumerate() {
162                    let level = level as u8;
163                    current = if position & (1 << level) == 0 {
164                        MerkleNode::combine(level.into(), &current, sibling)
165                    } else {
166                        MerkleNode::combine(level.into(), sibling, &current)
167                    };
168                }
169                current
170            };
171
172            let token_commit = poseidon_hash([note.token_id.inner(), gov_token_blind]);
173            if note.token_id != self.dao.gov_token_id {
174                return Err(ClientFailed::InvalidTokenId(note.token_id.to_string()).into())
175            }
176
177            let vote_commit = pedersen_commitment_u64(note.value, Blind(value_blind));
178            let vote_commit_coords = vote_commit.to_affine().coordinates().unwrap();
179
180            let (sig_x, sig_y) = signature_public.xy();
181
182            let vote_nullifier =
183                poseidon_hash([nullifier, input.secret.inner(), proposal_bulla.inner()]);
184
185            let public_inputs = vec![
186                smt_null_root,
187                proposal_bulla.inner(),
188                vote_nullifier,
189                *vote_commit_coords.x(),
190                *vote_commit_coords.y(),
191                token_commit,
192                merkle_root.inner(),
193                sig_x,
194                sig_y,
195            ];
196
197            //darkfi::zk::export_witness_json("proof/witness/vote-input.json", &prover_witnesses, &public_inputs);
198            let circuit = ZkCircuit::new(prover_witnesses, burn_zkbin);
199            debug!(target: "contract::dao::client::vote", "input_proof Proof::create()");
200            let input_proof = Proof::create(burn_pk, &[circuit], &public_inputs, &mut OsRng)?;
201            proofs.push(input_proof);
202
203            let input = DaoVoteParamsInput {
204                vote_commit,
205                vote_nullifier: vote_nullifier.into(),
206                signature_public,
207            };
208            inputs.push(input);
209        }
210
211        let token_commit = poseidon_hash([self.dao.gov_token_id.inner(), gov_token_blind]);
212
213        let dao_proposer_limit = pallas::Base::from(self.dao.proposer_limit);
214        let dao_quorum = pallas::Base::from(self.dao.quorum);
215        let dao_early_exec_quorum = pallas::Base::from(self.dao.early_exec_quorum);
216        let dao_approval_ratio_quot = pallas::Base::from(self.dao.approval_ratio_quot);
217        let dao_approval_ratio_base = pallas::Base::from(self.dao.approval_ratio_base);
218        let (dao_notes_pub_x, dao_notes_pub_y) = self.dao.notes_public_key.xy();
219        let (dao_proposer_pub_x, dao_proposer_pub_y) = self.dao.proposer_public_key.xy();
220        let (dao_proposals_pub_x, dao_proposals_pub_y) = self.dao.proposals_public_key.xy();
221        let dao_votes_public_key = self.dao.votes_public_key.inner();
222        let (dao_exec_pub_x, dao_exec_pub_y) = self.dao.exec_public_key.xy();
223        let (dao_early_exec_pub_x, dao_early_exec_pub_y) = self.dao.early_exec_public_key.xy();
224
225        let vote_option = self.vote_option as u64;
226        if vote_option != 0 && vote_option != 1 {
227            return Err(ClientFailed::VerifyError(DaoError::VoteInputsEmpty.to_string()).into())
228        }
229
230        // Create a random blind b ∈ 𝔽ᵥ, such that b ∈ 𝔽ₚ
231        let yes_vote_blind = loop {
232            let blind = pallas::Scalar::random(&mut OsRng);
233            if fv_mod_fp_unsafe(blind).is_some().into() {
234                break blind
235            }
236        };
237        let yes_vote_commit =
238            pedersen_commitment_u64(vote_option * all_vote_value, Blind(yes_vote_blind));
239        let yes_vote_commit_coords = yes_vote_commit.to_affine().coordinates().unwrap();
240
241        let all_vote_commit = pedersen_commitment_u64(all_vote_value, Blind(all_vote_blind));
242        if all_vote_commit != inputs.iter().map(|i| i.vote_commit).sum() {
243            return Err(ClientFailed::VerifyError(DaoError::VoteCommitMismatch.to_string()).into())
244        }
245        let all_vote_commit_coords = all_vote_commit.to_affine().coordinates().unwrap();
246
247        // Convert blinds to 𝔽ₚ, which should work fine since we selected them
248        // to be convertable.
249        let yes_vote_blind = Blind(fv_mod_fp_unsafe(yes_vote_blind).unwrap());
250        let all_vote_blind = Blind(fv_mod_fp_unsafe(all_vote_blind).unwrap());
251
252        let vote_option = pallas::Base::from(vote_option);
253        let all_vote_value_fp = pallas::Base::from(all_vote_value);
254        let ephem_secret = SecretKey::random(&mut OsRng);
255        let ephem_pubkey = PublicKey::from_secret(ephem_secret);
256        let (ephem_x, ephem_y) = ephem_pubkey.xy();
257
258        let current_blockwindow = pallas::Base::from(self.current_blockwindow);
259
260        let prover_witnesses = vec![
261            // Proposal params
262            Witness::Base(Value::known(self.proposal.auth_calls.commit())),
263            Witness::Base(Value::known(pallas::Base::from(self.proposal.creation_blockwindow))),
264            Witness::Base(Value::known(pallas::Base::from(self.proposal.duration_blockwindows))),
265            Witness::Base(Value::known(self.proposal.user_data)),
266            Witness::Base(Value::known(self.proposal.blind.inner())),
267            // DAO params
268            Witness::Base(Value::known(dao_proposer_limit)),
269            Witness::Base(Value::known(dao_quorum)),
270            Witness::Base(Value::known(dao_early_exec_quorum)),
271            Witness::Base(Value::known(dao_approval_ratio_quot)),
272            Witness::Base(Value::known(dao_approval_ratio_base)),
273            Witness::Base(Value::known(self.dao.gov_token_id.inner())),
274            Witness::Base(Value::known(dao_notes_pub_x)),
275            Witness::Base(Value::known(dao_notes_pub_y)),
276            Witness::Base(Value::known(dao_proposer_pub_x)),
277            Witness::Base(Value::known(dao_proposer_pub_y)),
278            Witness::Base(Value::known(dao_proposals_pub_x)),
279            Witness::Base(Value::known(dao_proposals_pub_y)),
280            Witness::EcNiPoint(Value::known(dao_votes_public_key)),
281            Witness::Base(Value::known(dao_exec_pub_x)),
282            Witness::Base(Value::known(dao_exec_pub_y)),
283            Witness::Base(Value::known(dao_early_exec_pub_x)),
284            Witness::Base(Value::known(dao_early_exec_pub_y)),
285            Witness::Base(Value::known(self.dao.bulla_blind.inner())),
286            // Vote
287            Witness::Base(Value::known(vote_option)),
288            Witness::Base(Value::known(yes_vote_blind.inner())),
289            // Total number of gov tokens allocated
290            Witness::Base(Value::known(all_vote_value_fp)),
291            Witness::Base(Value::known(all_vote_blind.inner())),
292            // Gov token
293            Witness::Base(Value::known(gov_token_blind)),
294            // Time checks
295            Witness::Base(Value::known(current_blockwindow)),
296            // verifiable encryption
297            Witness::Base(Value::known(ephem_secret.inner())),
298        ];
299
300        let note = [vote_option, yes_vote_blind.inner(), all_vote_value_fp, all_vote_blind.inner()];
301        let enc_note =
302            ElGamalEncryptedNote::encrypt_unsafe(note, &ephem_secret, &self.dao.votes_public_key)?;
303
304        let public_inputs = vec![
305            token_commit,
306            proposal_bulla.inner(),
307            *yes_vote_commit_coords.x(),
308            *yes_vote_commit_coords.y(),
309            *all_vote_commit_coords.x(),
310            *all_vote_commit_coords.y(),
311            current_blockwindow,
312            ephem_x,
313            ephem_y,
314            enc_note.encrypted_values[0],
315            enc_note.encrypted_values[1],
316            enc_note.encrypted_values[2],
317            enc_note.encrypted_values[3],
318        ];
319
320        //darkfi::zk::export_witness_json("proof/witness/vote-main.json", &prover_witnesses, &public_inputs);
321        let circuit = ZkCircuit::new(prover_witnesses, main_zkbin);
322
323        debug!(target: "contract::dao::client::vote", "main_proof = Proof::create()");
324        let main_proof = Proof::create(main_pk, &[circuit], &public_inputs, &mut OsRng)?;
325        proofs.push(main_proof);
326
327        let params =
328            DaoVoteParams { token_commit, proposal_bulla, yes_vote_commit, note: enc_note, inputs };
329
330        Ok((params, proofs))
331    }
332}