Skip to content

Instantly share code, notes, and snippets.

@devfans

devfans/tsp_auth.md

Last active April 8, 2025 07:27
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save devfans/f59a075ca1efd7ffca493af20b72b592 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save devfans/f59a075ca1efd7ffca493af20b72b592 to your computer and use it in GitHub Desktop.
Download ZIP
tsp_auth
Raw
tsp_auth.md

State Reference

reference nothing

Still availabe when account state is updated

reference group

  • slot: group

Only availabe if the group slot is same as the current one.

example: group(tokens) : 9 proofs with group(tokens) :8, 7, etc will be revoked

reference group and tag

  • slot: group (value 1: unavailable, 0: available)
  • slot: tag (value 1: unavailable, 0: available) tag = hash(callee_account, callee_args, callee_updates_digest)

Only available when if the group slot and the tag slot are marked as available, so it's revokable by a group or singlely.

Replay Prevention

Nonce on target account

// nonce increment
let (nonce_slot, nonce) = Self::slot(builder, targets.from.elements.to_vec());
let nonce_incre = builder.into_inner().constant_biguint(&BigUint::one());
let (nonce, nonce_success) = Self::safe_add(builder, &nonce, &nonce_incre);

Auth Verify

  • check authorizor state meet?
  • check proof is valid?
  • check proof_vk and authorizor address meet?
  • check sign_target is meet? sign_target = hash(callee_account, callee_command, callee_updates_digest)
fn auth_verify(&self, condition: BoolTarget, author: HashOutTarget, command: HashOutTarget, digest: Vec<Target>, builder: &mut Builder) -> BoolTarget {
    let targets = self.targets.as_ref().unwrap();
    assert!(targets.auth_proof.public_inputs.len() == 16);
    let sign_target: Vec<Target> = targets.auth_proof.public_inputs[12..16].to_vec();
    let auth_root: Vec<Target> = targets.auth_proof.public_inputs[4..8].to_vec();
    let signer = builder.hash_vk(&targets.auth_vk);
    let success_0 = builder.equal(&signer, &author.elements);

    let addr = builder.whoami();
    let digest  = builder.hash(&[addr, command.elements.to_vec(), digest].concat());
    let success_1 = builder.equal(&digest, &sign_target);
    let root = builder.sroot();
    let success_2 = builder.equal(&auth_root, &root);
    let success = builder.into_inner().and(success_0, success_1);
    let success = builder.into_inner().and(success, success_2);
    let success = builder.into_inner().and(success, condition);
    let common = PlaceholderProjectNamePlaceholderVerifierOnlyCircuitData::common();
    builder.into_inner().conditionally_verify_proof_or_dummy::<PoseidonGoldilocksConfig>(success, &targets.auth_proof, &targets.auth_vk, common).unwrap();
    success
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment