hyperledger-labs
diff --git a/‎doc-site/docs/images/pqc-dark-100px.png
15.1 KB b/‎doc-site/docs/images/pqc-dark-100px.png
15.1 KB
diff --git a/‎doc-site/docs/implementations/anon_nullifier_qurrency.md
Lines changed: 6 additions & 6 deletions b/‎doc-site/docs/implementations/anon_nullifier_qurrency.md
Lines changed: 6 additions & 6 deletions
diff --git a/‎solidity/contracts/lib/interfaces/izeto.sol
Lines changed: 6 additions & 0 deletions b/‎solidity/contracts/lib/interfaces/izeto.sol
Lines changed: 6 additions & 0 deletions
diff --git a/‎solidity/contracts/lib/interfaces/izeto_initializable.sol
Lines changed: 3 additions & 1 deletion b/‎solidity/contracts/lib/interfaces/izeto_initializable.sol
Lines changed: 3 additions & 1 deletion
diff --git a/‎solidity/contracts/lib/zeto_base.sol
Lines changed: 56 additions & 39 deletions b/‎solidity/contracts/lib/zeto_base.sol
Lines changed: 56 additions & 39 deletions
diff --git a/‎solidity/contracts/lib/zeto_fungible_burn.sol
Lines changed: 86 additions & 0 deletions b/‎solidity/contracts/lib/zeto_fungible_burn.sol
Lines changed: 86 additions & 0 deletions
@@ -4,7 +4,7 @@
 | ------------------ | ------------------ | ------------------ | --- | --------------- | ------------------- |
 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -   | -               | 2,066,430           |
 
-![pqc](../images/pqc-dark.png)
+![pqc](../images/pqc-dark-100px.png)
 
 This implementation builds on top of the `anon_nullifiers` to add post-quantum cryptography inside the circuit to encrypt sensitive information for a designated authority, such as a regulator, for auditing purposes.
 
@@ -13,15 +13,15 @@ To implement post-quantum secure encryption, these circuits use the public key e
 The encryption is performed in the follow step, according to the ML-KEM scheme:
 
 - An AES-256 encryption key is generated for the transaction. This key is used only for this transaction
-  - AES-256 is a quantum-secure block cipher.
+    - AES-256 is a quantum-secure block cipher.
 - The secrets meant for the auditing authority are encrypted with this key, and sent as part of the transaction payload
 - The key is passed into the circuit as a private input and encrypted inside the circuit under the ML-KEM scheme, using the auditing authority's public key
-  - The public key is statically programmed into the circuit. This is to avoid making it a signal which would be very inefficient due to the large size of the public key (1184 bytes)
-  - <span style="color:red">IMPORTANT:</span> This means for a real world deployment, the deployer MUST update the circuit with the auditing authority's public key and re-compile the circuit
+    - The public key is statically programmed into the circuit. This is to avoid making it a signal which would be very inefficient due to the large size of the public key (1184 bytes)
+    - <span style="color:red">IMPORTANT:</span> This means for a real world deployment, the deployer MUST update the circuit with the auditing authority's public key and re-compile the circuit
 - The ciphertext is extracted from the circuit's witness array and sent as a part of the transaction payload
 - The circuit also calculates the SHA256 hash of the ciphertext to use as a public input, instead of using the ciphertext itself as a public input
-  - This is an optimization step. The ciphertext is a large array of 768 numbers (of value 0 or 1), to represent the 768-bit ciphertext, which would make proof verification more expensive
-  - The SHA256 hashing algorithm is picked to make verification inside EVM more efficient, due to the native sha256 support via EVM precompiles.
+    - This is an optimization step. The ciphertext is a large array of 768 numbers (of value 0 or 1), to represent the 768-bit ciphertext, which would make proof verification more expensive
+    - The SHA256 hashing algorithm is picked to make verification inside EVM more efficient, due to the native sha256 support via EVM precompiles.
 - The authority can then use the private key to decrypt the ciphertext to recover the AES encryption key, then use the recovered key to decrypt the AES ciphertext to recover the secrets
 
 The statements in the proof include:
 
@@ -25,6 +25,12 @@ interface IZeto {
     error UTXOAlreadySpent(uint256 utxo);
 
     event UTXOMint(uint256[] outputs, address indexed submitter, bytes data);
+    event UTXOBurn(
+        uint256[] inputs,
+        uint256 output,
+        address indexed submitter,
+        bytes data
+    );
     event UTXOTransfer(
         uint256[] inputs,
         uint256[] outputs,
 
@@ -20,10 +20,12 @@ interface IZetoInitializable {
         address verifier;
         address depositVerifier;
         address withdrawVerifier;
+        address lockVerifier;
+        address burnVerifier;
         address batchVerifier;
         address batchWithdrawVerifier;
-        address lockVerifier;
         address batchLockVerifier;
+        address batchBurnVerifier;
     }
 
     function initialize(
 
@@ -68,10 +68,18 @@ abstract contract ZetoBase is IZeto, IZetoLockable, ZetoCommon {
         for (uint256 i = 0; i < lockedOutputs.length; i++) {
             allOutputs[outputs.length + i] = lockedOutputs[i];
         }
-        // sort the inputs and outputs to detect duplicates
-        uint256[] memory sortedInputs = sortCommitments(inputs);
-        uint256[] memory sortedOutputs = sortCommitments(allOutputs);
+        validateInputs(inputs, inputsLocked);
+        validateOutputs(allOutputs);
+
+        return true;
+    }
 
+    function validateInputs(
+        uint256[] memory inputs,
+        bool inputsLocked
+    ) internal view {
+        // sort the inputs to detect duplicates
+        uint256[] memory sortedInputs = sortCommitments(inputs);
         // Check the inputs are all unspent
         for (uint256 i = 0; i < sortedInputs.length; ++i) {
             if (sortedInputs[i] == 0) {
@@ -111,6 +119,11 @@ abstract contract ZetoBase is IZeto, IZetoLockable, ZetoCommon {
                 );
             }
         }
+    }
+
+    function validateOutputs(uint256[] memory outputs) internal view {
+        // sort the outputs to detect duplicates
+        uint256[] memory sortedOutputs = sortCommitments(outputs);
 
         // Check for duplicate outputs
         for (uint256 i = 0; i < sortedOutputs.length; ++i) {
@@ -137,51 +150,47 @@ abstract contract ZetoBase is IZeto, IZetoLockable, ZetoCommon {
                 revert UTXOAlreadyOwned(outputs[i]);
             }
         }
-
-        // check the locked outputs are all new - looking in the locked and unlocked UTXOs
-        for (uint256 i = 0; i < lockedOutputs.length; ++i) {
-            if (
-                _lockedUtxos[lockedOutputs[i]] == UTXOStatus.SPENT ||
-                _utxos[lockedOutputs[i]] == UTXOStatus.SPENT
-            ) {
-                revert UTXOAlreadySpent(lockedOutputs[i]);
-            } else if (
-                _lockedUtxos[lockedOutputs[i]] == UTXOStatus.UNSPENT ||
-                _utxos[lockedOutputs[i]] == UTXOStatus.UNSPENT
-            ) {
-                revert UTXOAlreadyOwned(lockedOutputs[i]);
-            }
-        }
-        return true;
     }
 
     function processInputsAndOutputs(
         uint256[] memory inputs,
         uint256[] memory outputs,
         uint256[] memory lockedOutputs,
         bool inputsLocked
+    ) internal {
+        processInputs(inputs, inputsLocked);
+        processOutputs(outputs);
+        processLockedOutputs(lockedOutputs);
+    }
+
+    function processInputs(
+        uint256[] memory inputs,
+        bool inputsLocked
     ) internal {
         mapping(uint256 => UTXOStatus) storage utxos = inputsLocked
             ? _lockedUtxos
             : _utxos;
-        // accept the transaction to consume the input UTXOs and produce new UTXOs
+        // consume the input UTXOs
         for (uint256 i = 0; i < inputs.length; ++i) {
-            if (inputs[i] == 0) {
-                continue;
+            if (inputs[i] != 0) {
+                utxos[inputs[i]] = UTXOStatus.SPENT;
             }
-            utxos[inputs[i]] = UTXOStatus.SPENT;
         }
+    }
+
+    function processOutputs(uint256[] memory outputs) internal {
         for (uint256 i = 0; i < outputs.length; ++i) {
-            if (outputs[i] == 0) {
-                continue;
+            if (outputs[i] != 0) {
+                _utxos[outputs[i]] = UTXOStatus.UNSPENT;
             }
-            _utxos[outputs[i]] = UTXOStatus.UNSPENT;
         }
+    }
+
+    function processLockedOutputs(uint256[] memory lockedOutputs) internal {
         for (uint256 i = 0; i < lockedOutputs.length; ++i) {
-            if (lockedOutputs[i] == 0) {
-                continue;
+            if (lockedOutputs[i] != 0) {
+                _lockedUtxos[lockedOutputs[i]] = UTXOStatus.UNSPENT;
             }
-            _lockedUtxos[lockedOutputs[i]] = UTXOStatus.UNSPENT;
         }
     }
 
@@ -191,18 +200,26 @@ abstract contract ZetoBase is IZeto, IZetoLockable, ZetoCommon {
         uint256[] memory utxos,
         bytes calldata data
     ) internal virtual {
-        for (uint256 i = 0; i < utxos.length; ++i) {
-            uint256 utxo = utxos[i];
-            if (_utxos[utxo] == UTXOStatus.UNSPENT) {
-                revert UTXOAlreadyOwned(utxo);
-            } else if (_utxos[utxo] == UTXOStatus.SPENT) {
-                revert UTXOAlreadySpent(utxo);
-            }
-
-            _utxos[utxo] = UTXOStatus.UNSPENT;
-        }
+        validateOutputs(utxos);
+        processOutputs(utxos);
         emit UTXOMint(utxos, msg.sender, data);
     }
+
+    // The caller function must perform the proof verification
+    function _burn(
+        uint256[] memory inputs,
+        uint256 output,
+        bytes calldata data
+    ) internal virtual {
+        validateInputs(inputs, false);
+        uint256[] memory outputStates = new uint256[](1);
+        outputStates[0] = output;
+        validateOutputs(outputStates);
+        processInputs(inputs, false);
+        processOutputs(outputStates);
+        emit UTXOBurn(inputs, output, msg.sender, data);
+    }
+
     // Locks the UTXOs so that they can only be spent by submitting the appropriate
     // proof from the Eth account designated as the "delegate". This function
     // should be called by a participant, to designate an escrow contract as the delegate,
 
@@ -0,0 +1,86 @@
+// Copyright © 2025 Kaleido, Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+pragma solidity ^0.8.27;
+
+import {Groth16Verifier_Burn} from "../verifiers/verifier_burn.sol";
+import {Groth16Verifier_BurnBatch} from "../verifiers/verifier_burn_batch.sol";
+import {ZetoBase} from "./zeto_base.sol";
+import {Commonlib} from "./common.sol";
+
+uint256 constant BURN_INPUT_SIZE = 3;
+uint256 constant BATCH_BURN_INPUT_SIZE = 11;
+
+/// @title A feature implementation of a Zeto fungible token burn contract
+/// @author Kaleido, Inc.
+/// @dev Can be added to a Zeto fungible token contract to allow for burning of tokens.
+abstract contract ZetoFungibleBurnable is ZetoBase {
+    Groth16Verifier_Burn internal _burnVerifier;
+    Groth16Verifier_BurnBatch internal _batchBurnVerifier;
+
+    function __ZetoFungibleBurnable_init(
+        Groth16Verifier_Burn burnVerifier,
+        Groth16Verifier_BurnBatch batchBurnVerifier
+    ) public onlyInitializing {
+        _burnVerifier = burnVerifier;
+        _batchBurnVerifier = batchBurnVerifier;
+    }
+
+    function burn(
+        uint256[] memory inputs,
+        uint256 output,
+        Commonlib.Proof calldata proof,
+        bytes calldata data
+    ) public virtual {
+        // Check the proof
+        if (inputs.length > 2) {
+            // construct the public inputs for verifier
+            uint256[BATCH_BURN_INPUT_SIZE] memory fixedSizeInputs;
+            for (uint256 i = 0; i < inputs.length; i++) {
+                fixedSizeInputs[i] = inputs[i];
+            }
+            fixedSizeInputs[BATCH_BURN_INPUT_SIZE - 1] = output;
+            // Check the proof
+            require(
+                _batchBurnVerifier.verifyProof(
+                    proof.pA,
+                    proof.pB,
+                    proof.pC,
+                    fixedSizeInputs
+                ),
+                "Invalid proof"
+            );
+        } else {
+            // construct the public inputs for verifier
+            uint256[BURN_INPUT_SIZE] memory fixedSizeInputs;
+            for (uint256 i = 0; i < inputs.length; i++) {
+                fixedSizeInputs[i] = inputs[i];
+            }
+            fixedSizeInputs[BURN_INPUT_SIZE - 1] = output;
+            // Check the proof
+            require(
+                _burnVerifier.verifyProof(
+                    proof.pA,
+                    proof.pB,
+                    proof.pC,
+                    fixedSizeInputs
+                ),
+                "Invalid proof"
+            );
+        }
+
+        _burn(inputs, output, data);
+    }
+}