Merge pull request #1 from 10d9e/10d9e/discrete-erc20-wrapper

added DiscreteBridge to enable bridging between regular ERC20s and Di…

Author: 10d9e

.gitignore

@@ -147,4 +147,6 @@ node_modules
 # Hardhat Ignition default folder for deployments against a local node
 ignition/deployments/chain-31337
 
-.vscode
+.vscode
+
+ignition/deployments

bun.lock

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.24;
 
-import "../Paillier.sol";
+import "./Paillier.sol";
 
 // Secp256k1Ciphertext struct
 struct Secp256k1Ciphertext {
@@ -81,6 +81,10 @@ contract DiscreteERC20 {
         totalSupply = _initialSupply;
     }
 
+    function getBalance(address account) external view returns (Ciphertext memory) {
+        return balanceOf[account];
+    }
+
     /// @notice Emits an event to request the balance of the sender
     function requestBalance() external {
         emit RequestBalance(msg.sender);
@@ -113,6 +117,30 @@ contract DiscreteERC20 {
         return true;
     }
 
+    /// @notice Transfers encrypted tokens to a specified address
+    /// @param recipient The address to receive the tokens
+    /// @param amount The amount of tokens to transfer, represented as encrypted data
+    /// @return success A boolean value indicating success of the transfer
+    function transfer_proxy(
+        address sender,
+        address recipient,
+        Ciphertext calldata amount
+    ) external returns (bool success) {
+        require(
+            keccak256(abi.encodePacked(balanceOf[sender].value)) != keccak256(bytes("")),
+            "DiscreteERC20: transfer from the zero address"
+        );
+
+        if (keccak256(abi.encodePacked(balanceOf[recipient].value)) == keccak256(bytes(""))) {
+            balanceOf[recipient] = amount;
+        } else {
+            balanceOf[recipient] = this._add(balanceOf[recipient], amount);
+        }
+        balanceOf[sender] = this._sub(balanceOf[sender], amount);
+        emit Transfer(sender, recipient, amount);
+        return true;
+    }
+
     /// @dev Internal function to mint new encrypted tokens
     /// @param to The address to receive the newly minted tokens
     /// @param amount The amount of tokens to mint, represented as encrypted data

contracts/examples/DiscreteERC20.sol contracts/DiscreteERC20.sol

@@ -0,0 +1,114 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.24;
+
+import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import "./DiscreteERC20.sol";
+import "./Paillier.sol";
+import "./PaillierProofVerifier.sol";
+
+/// @title DiscreteERC20Bridge
+/// @dev Wraps a standard ERC20 token, enabling encrypted transactions through the DiscreteERC20 contract.
+contract DiscreteERC20Bridge {
+    IERC20 public immutable underlyingToken;
+    DiscreteERC20 public discreteToken;
+    Paillier private immutable paillier;
+    PublicKey public publicKey;
+    Groth16Verifier public verifier; // zk-SNARK verifier contract
+
+    /// @notice Event emitted when a user deposits ERC20 tokens to mint encrypted tokens.
+    event Deposit(address indexed user, uint256 amount, Ciphertext encryptedAmount);
+
+    /// @notice Event emitted when a user withdraws by burning encrypted tokens.
+    event Withdraw(address indexed user, uint256 amount);
+
+    /// @notice Event emitted when a user transfers encrypted tokens.
+    event TransferEncrypted(address indexed from, address indexed to, Ciphertext amount);
+
+    /// @param _underlyingToken Address of the standard ERC20 token.
+    /// @param _discreteToken Address of the DiscreteERC20 contract.
+    /// @param _paillier Address of the Paillier contract.
+    /// @param _publicKey Public key for Paillier encryption.
+    constructor(
+        address _underlyingToken,
+        address _discreteToken,
+        address _paillier,
+        PublicKey memory _publicKey,
+        address _verifier
+    ) {
+        underlyingToken = IERC20(_underlyingToken);
+        discreteToken = DiscreteERC20(_discreteToken);
+        paillier = Paillier(_paillier);
+        publicKey = _publicKey;
+        verifier = Groth16Verifier(_verifier);
+    }
+
+    function verifyProof(
+        uint256[2] calldata /* a */,
+        uint256[2][2] calldata /*b */,
+        uint256[2] calldata /*c */,
+        uint256[3] calldata /*input */
+    ) public pure returns (bool) {
+        // todo: integrate verifier
+        return true;
+        // return verifier.verifyProof(a, b, c, input);
+    }
+
+    /// @notice Deposit ERC20 tokens and mint encrypted tokens.
+    /// @param amount The amount of ERC20 tokens to deposit.
+    function deposit(uint256 amount) external {
+        require(amount > 0, "Cannot deposit zero tokens");
+        require(underlyingToken.transferFrom(msg.sender, address(this), amount), "Transfer failed");
+
+        bytes memory randomValue = _generateRandomValue();
+        BigNumber memory encryptedAmount = paillier.encrypt(amount, randomValue, publicKey);
+        Ciphertext memory ciphertext = Ciphertext(encryptedAmount.val);
+
+        discreteToken.mint(msg.sender, ciphertext);
+        emit Deposit(msg.sender, amount, ciphertext);
+    }
+
+    /// @notice Transfer encrypted tokens between users.
+    /// @param to The recipient address.
+    /// @param encryptedAmount The encrypted amount to transfer.
+    function transferEncrypted(address to, Ciphertext calldata encryptedAmount) external {
+        discreteToken.transfer_proxy(msg.sender, to, encryptedAmount);
+        emit TransferEncrypted(msg.sender, to, encryptedAmount);
+    }
+
+    /// @notice Withdraw ERC20 tokens by burning encrypted tokens.
+    /// @param amount The amount to withdraw.
+    function withdraw(
+        uint256 amount,
+        uint256[2] calldata pok_a,
+        uint256[2][2] calldata pok_b,
+        uint256[2] calldata pok_c,
+        uint256[3] calldata pok_input
+    ) external {
+        require(verifyProof(pok_a, pok_b, pok_c, pok_input), "zk-pok invalid");
+        require(amount > 0, "Invalid amount");
+        require(underlyingToken.transfer(msg.sender, amount), "Transfer failed");
+
+        bytes memory randomValue = _generateRandomValue();
+        BigNumber memory encryptedAmount = paillier.encrypt(amount, randomValue, publicKey);
+        Ciphertext memory ciphertext = Ciphertext(encryptedAmount.val);
+        discreteToken.burn(msg.sender, ciphertext);
+
+        //discreteToken.burn(msg.sender, discreteToken.getBalance(msg.sender));
+        emit Withdraw(msg.sender, amount);
+    }
+
+    /// @dev Generates a random value for encryption.
+    function _generateRandomValue() internal view returns (bytes memory) {
+        return abi.encodePacked(block.timestamp, msg.sender);
+    }
+
+    /// @dev Converts a BigNumber to uint256.
+    function _bigNumberToUint256(BigNumber memory bn) internal pure returns (uint256) {
+        return abi.decode(bn.val, (uint256));
+    }
+
+    /// @dev Returns the private key (mocked, should be handled off-chain).
+    function _getPrivateKey() internal pure returns (PrivateKey memory) {
+        return PrivateKey("", "");
+    }
+}

contracts/DiscreteERC20Bridge.sol

@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.24;
+
+import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+
+contract ERC20Mock is ERC20 {
+    constructor(string memory name, string memory symbol, uint8 decimals) ERC20(name, symbol) {
+        _mint(msg.sender, 1_000_000 * (10 ** uint256(decimals))); // Mint initial supply
+    }
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}

contracts/ERC20Mock.sol

@@ -0,0 +1,182 @@
+// SPDX-License-Identifier: GPL-3.0
+/*
+    Copyright 2021 0KIMS association.
+
+    This file is generated with [snarkJS](https://github.com/iden3/snarkjs).
+
+    snarkJS is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    snarkJS is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with snarkJS. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+pragma solidity >=0.7.0 <0.9.0;
+
+contract Groth16Verifier {
+    // Scalar field size
+    uint256 constant r    = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
+    // Base field size
+    uint256 constant q   = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
+
+    // Verification Key data
+    uint256 constant alphax  = 5626737339165458973589599457621328529733563392239816845745153285393308563504;
+    uint256 constant alphay  = 16230467856761692471715032392328021447033402595640524796664100872627369680070;
+    uint256 constant betax1  = 4144428083991626285342649939274849449280404441912827482121791540345299786531;
+    uint256 constant betax2  = 6325433196787304365631895536258959371015671431667950220195827813497107168985;
+    uint256 constant betay1  = 10936661144817015255674518731163444456215109280399110754173599934895271139411;
+    uint256 constant betay2  = 19889497587240439239166766822075868131117808253130075878786112720929398512804;
+    uint256 constant gammax1 = 11559732032986387107991004021392285783925812861821192530917403151452391805634;
+    uint256 constant gammax2 = 10857046999023057135944570762232829481370756359578518086990519993285655852781;
+    uint256 constant gammay1 = 4082367875863433681332203403145435568316851327593401208105741076214120093531;
+    uint256 constant gammay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
+    uint256 constant deltax1 = 17295485814694150123783000481296321702245813170311037729305904660722399839036;
+    uint256 constant deltax2 = 9953038103920179753358196237980982556490877057040907085330335881158104037356;
+    uint256 constant deltay1 = 6539691989876630411606817978414648636843419931042291769251371916370543524601;
+    uint256 constant deltay2 = 13144314962000242455271345157960851628353417380470981436942002942254462986698;
+
+    
+    uint256 constant IC0x = 18387697014443789242231700969179111271118402915177266877757196673698635297519;
+    uint256 constant IC0y = 12436236940538570506589398884575585672721049376613458579755675085941516075140;
+    
+    uint256 constant IC1x = 4524932351881239948215022805183121776177868798590915616981221083576167527145;
+    uint256 constant IC1y = 15587504486709804185620332672789255104510724034018287661184516721901064633674;
+    
+    uint256 constant IC2x = 14439831487577900683535901946347940295203534376602237241423095901557646925805;
+    uint256 constant IC2y = 10717629512118312536692599889074200105443234230892842440615136924549793591272;
+    
+    uint256 constant IC3x = 10024533475695360204705392683236727525700242453221038868275481275771880537493;
+    uint256 constant IC3y = 4765705996809486869329645343856463186100886171625349210938486327289623735490;
+    
+ 
+    // Memory data
+    uint16 constant pVk = 0;
+    uint16 constant pPairing = 128;
+
+    uint16 constant pLastMem = 896;
+
+    function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[3] calldata _pubSignals) public view returns (bool) {
+        assembly {
+            function checkField(v) {
+                if iszero(lt(v, r)) {
+                    mstore(0, 0)
+                    return(0, 0x20)
+                }
+            }
+            
+            // G1 function to multiply a G1 value(x,y) to value in an address
+            function g1_mulAccC(pR, x, y, s) {
+                let success
+                let mIn := mload(0x40)
+                mstore(mIn, x)
+                mstore(add(mIn, 32), y)
+                mstore(add(mIn, 64), s)
+
+                success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
+
+                if iszero(success) {
+                    mstore(0, 0)
+                    return(0, 0x20)
+                }
+
+                mstore(add(mIn, 64), mload(pR))
+                mstore(add(mIn, 96), mload(add(pR, 32)))
+
+                success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
+
+                if iszero(success) {
+                    mstore(0, 0)
+                    return(0, 0x20)
+                }
+            }
+
+            function checkPairing(pA, pB, pC, pubSignals, pMem) -> isOk {
+                let _pPairing := add(pMem, pPairing)
+                let _pVk := add(pMem, pVk)
+
+                mstore(_pVk, IC0x)
+                mstore(add(_pVk, 32), IC0y)
+
+                // Compute the linear combination vk_x
+                
+                g1_mulAccC(_pVk, IC1x, IC1y, calldataload(add(pubSignals, 0)))
+                
+                g1_mulAccC(_pVk, IC2x, IC2y, calldataload(add(pubSignals, 32)))
+                
+                g1_mulAccC(_pVk, IC3x, IC3y, calldataload(add(pubSignals, 64)))
+                
+
+                // -A
+                mstore(_pPairing, calldataload(pA))
+                mstore(add(_pPairing, 32), mod(sub(q, calldataload(add(pA, 32))), q))
+
+                // B
+                mstore(add(_pPairing, 64), calldataload(pB))
+                mstore(add(_pPairing, 96), calldataload(add(pB, 32)))
+                mstore(add(_pPairing, 128), calldataload(add(pB, 64)))
+                mstore(add(_pPairing, 160), calldataload(add(pB, 96)))
+
+                // alpha1
+                mstore(add(_pPairing, 192), alphax)
+                mstore(add(_pPairing, 224), alphay)
+
+                // beta2
+                mstore(add(_pPairing, 256), betax1)
+                mstore(add(_pPairing, 288), betax2)
+                mstore(add(_pPairing, 320), betay1)
+                mstore(add(_pPairing, 352), betay2)
+
+                // vk_x
+                mstore(add(_pPairing, 384), mload(add(pMem, pVk)))
+                mstore(add(_pPairing, 416), mload(add(pMem, add(pVk, 32))))
+
+
+                // gamma2
+                mstore(add(_pPairing, 448), gammax1)
+                mstore(add(_pPairing, 480), gammax2)
+                mstore(add(_pPairing, 512), gammay1)
+                mstore(add(_pPairing, 544), gammay2)
+
+                // C
+                mstore(add(_pPairing, 576), calldataload(pC))
+                mstore(add(_pPairing, 608), calldataload(add(pC, 32)))
+
+                // delta2
+                mstore(add(_pPairing, 640), deltax1)
+                mstore(add(_pPairing, 672), deltax2)
+                mstore(add(_pPairing, 704), deltay1)
+                mstore(add(_pPairing, 736), deltay2)
+
+
+                let success := staticcall(sub(gas(), 2000), 8, _pPairing, 768, _pPairing, 0x20)
+
+                isOk := and(success, mload(_pPairing))
+            }
+
+            let pMem := mload(0x40)
+            mstore(0x40, add(pMem, pLastMem))
+
+            // Validate that all evaluations ∈ F
+            
+            checkField(calldataload(add(_pubSignals, 0)))
+            
+            checkField(calldataload(add(_pubSignals, 32)))
+            
+            checkField(calldataload(add(_pubSignals, 64)))
+            
+
+            // Validate all evaluations
+            let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)
+
+            mstore(0, isValid)
+             return(0, 0x20)
+         }
+     }
+ }

contracts/PaillierProofVerifier.sol

@@ -2,6 +2,8 @@ import '@nomicfoundation/hardhat-ethers';
 import '@nomicfoundation/hardhat-toolbox';
 import { HardhatUserConfig } from 'hardhat/config';
 
+//import 'hardhat-circom';
+
 require('@nomicfoundation/hardhat-chai-matchers');
 
 const mnemonic: string =
@@ -16,7 +18,14 @@ const config: HardhatUserConfig = {
         mnemonic,
         path: "m/44'/60'/0'/0",
       },
+      gasPrice: 1000000000,
     },
+    // for testnet
+    //'sepolia': {
+    //  url: 'https://sepolia.base.org',
+    //  accounts: [process.env.WALLET_KEY as string],
+    //gasPrice: 1000000000,
+    //},
   },
 };
 export default config;