Shielded AccessControl

[emnul]

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation Update (if none of the other choices apply)

Closes #88

This pull request introduces a Shielded AccessControl module. Roles are stored as MerkleTree commitments to avoid disclosing information regarding the roles an account may have. Role commitments are created with using the following hashing scheme SHA256 ( SHA256(PublicKey | roleIdentifier | nonce) | index ) where index is the index of the role commitment in the MerkleTree. We track this using a mapping from a role commitment to an index in the MerkleTree. A Counter tracks the next index available in the MerkleTree. The index also enforces uniqueness for all role commitments in the MerkleTree. A Bytes<32> salt value is included in the ledger state that would allow devs to use a public pseudorandom salt value instantiated using the Initializable module to strengthen the underlying HKDF function. A salt value equal to length of the output of the chosen hashing function (SHA256 in our case) is recommended.

The nonce is created locally using HKDF-SHA256(SK, info="role-nonce" || roleId || PK || ContractAddress, length=32) where HKDF refers to HMAC-based Extract-and-Expand Key Derivation Function. Length is set to 32 to allow us to hash the nonce in-circuit with the PublicKey and role identifier (all values must be of type Bytes<32>). Additionally, it's recommended that length of HKDF be set It's important to note that since HKDF is not verifiable on-chain we cannot enforce its use. Users may generate nonce however they want, but we should strongly recommend using the method described above as well as provide an implementation to ensure an attacker cannot break privacy.

PR Checklist

• I have read the Contributing Guide
• I have added tests that prove my fix is effective or that my feature works
• I have added documentation of new methods and any new behavior or changes to existing behavior
• CI Workflows Are Passing

Notes on Contract Design

Why use assertions instead of if statements in _checkMerkleTree?

We're able to reduce circuit size by about 280 rows for each circuit using assertions instead of if statements

Why use SHA256( SHA256(PublicKey | roleIdentifier | nonce) | index) as the hashing scheme for role commitments

We're able to significantly reduce circuit size by about 4000 rows for each circuit using this scheme.

Why not use an Anonymous Role-Based Access Control implementation?

One of the goals of this Shielded Access Control implementation is to keep the API consistent with the Unshielded Access Control module. An Anonymous Role-Based Access Control implementation would require an entirely different design. Please let us know if you'd like to see an Anonymous Role-Based Access Control implementation in the Github Discussions

Why does compilation take so long?

Unfortunately, Compact does not have a ZK friendly hashing function that can be used to derive state at this time, so the SHA256 hash function must be used. The usage of SHA256 incurs a large circuit size penalty on the contract which in turn slows compilation times.

Why include contract address in nonce creation scheme?

Adding the contract address improves domain separation

[andrew-fleming]

Sooo we need to improve the nullifier construction. The purpose of the nullifier set is to track which commitments have been used or spent without revealing which specific commitment was used

[andrew-fleming]

https://docs.midnight.network/develop/how-midnight-works/keeping-data-private#the-commitmentnullifier-pattern

[andrew-fleming]

I'm not sure I understand the purpose of this circuit. The name hasRole implies that anyone can check if account has the roleId role, but the caller would need to have the secret nonce associated with account to calculate the commitment. Only the role grantee would be able to call this on themself then, right?

If the idea is that we're checking if the caller has the role, I'd change the circuit name to callerHasRole and remove account and just use ownPublicKey. If this is meant to check any account has any role, I don't see how this works with the secret nonce witness. Let me know if I'm missing something

[emnul]

I definitely think a callerHasRole circuit is a great addition, but hasRole, in my conceptualization of this system, would be useful for admin users and I think still deserves a place in the contract. The name could probably be improved to make it clear the caller has privileged access to user info.

[andrew-fleming]

This is doing too much IMO. It might be worth keeping describe blocks focused on one circuit at a time. It's a preference, but IMO it's more organized and easier to follow...or maybe have helper assertion functions if there's a lot of repetition

[andrew-fleming]

This def works though if you want to keep it. Let's get everything working first and then we can laser in on the testing deets

[0xisk]

Thank you @emnul, that’s a partial review — I left some comments.

• (From my experince in the client-side) Midnight’s key management has two main keys: ZswapCoinPublicKey and EncPublicKey. Since inside Compact we only deal with ZswapCoinPublicKey, I think it’s best to explicitly call it zcpk or zpk instead of just pk. This should help prevent any confusion for client-side developers who might otherwise mistake it for EncPublicKey.
• If that makes sense, then to avoid further confusion, I’d also suggest unifying the terminology where OwnerId and AccountId are currently used interchangeably. We could instead consistently use zcpk for the raw key and shieldedZcpk for the derived identifier (SHA256(zcpk, nonce)).

[0xisk]

Suggested change

	* @notice Using the SHA256 hashing function comes at a significant performace cost. In the future, we
	* @notice Using the SHA256 hashing function comes at a significant performance cost. In the future, we

[0xisk]

Suggested change

	* ```typescript
	* ```compact

it won't highlight here anyways.

[0xisk]

Suggested change

	* ```typescript
	* ```compact

[0xisk]

Why do we have 10 as a fixed depth for the tree?

[emnul]

It was an arbitrarily large number I thought would be sufficient for most use cases. It's not possible to dynamically determine the tree size nor would that be desirable considering the additional initialization overhead every circuit would need.

[0xisk]

We need to include docs here.

[0xisk]

Suggested change

	* - `pk`: The owner's public key.
	* - `zcpk`: The owner's ZswapCoinPublickey.

[0xisk]

Suggested change

	* @param {Either<ZswapCoinPublicKey, ContractAddress>} account - A ZswapCoinPublicKey or ContractAddress.
	* @param {Either<ZswapCoinPublicKey, ContractAddress>} accountId - A ZswapCoinPublicKey or ContractAddress.

[0xisk]

Suggested change

* @param {Bytes<32>} nonce - A nonce created using SHA256(SK | "role-nonce" | role | PK)

[0xisk]

Suggested change

	* @description Attempts to grant `roleId` to `account` and returns a boolean indicating if `roleId` was granted.
	* @description Attempts to grant `roleId` to `accountId` and returns a boolean indicating if `roleId` was granted.

[0xisk]

I'm curcious are we talking care of cleaning the _operatorRoles MT after this revoke to be storage efficient?

[emnul]

I had thought about doing this initially, but I could not come up with a Merkle tree management solution that wasn't overly complex or did not add significant ledger storage / circuit size overhead.