[TASK] PLONK Anchor circuit

[drewstone]

Anchor circuit should have inputs:

secret: F,
nullifier: F,
chain_id: F,
nullifier_hash: F,
path: Path<..>,
roots: S::Native,
arbitrary_data: F,
tree_hasher: H::Native,
leaf_hasher: H::Native

The secret and the nullifier serve the same function as in Mixer circuit (see #121 ).

path is the Merkle path. It's a private input, which means all the nodes are hidden. We will use it to calculate root, and then check if it exists inside the root set (roots) that was passed as a public input.

Arbitrary data - arbitrary constrains that will be included in the proof.

Out of these, private inputs are:
secret, nullifier, path
Public inputs are:
nullifier_hash, chain_id, roots, arbitrary_data

Higher-level description of how the Anchor circuit works:

// Making the leaf from secret and nullifier and chain_id
let leaf = leaf_hasher_gadget.hash(&[secret, nullifier, chain_id]);
// Making the nullifier hash from nullifier
let calc_nullifier_hash = leaf_hasher_gadget.hash_two(nullifier, nullifier);

// Making sure that passed nullifier hash is the same as calculated one
composer.assert_equal(nullifier_hash, calc_nullifier_hash);

// Calculating the root using the provided path
let calc_root = path_gadget.calculate_root(leaf, &tree_hasher_gadget);

// Making sure that calculated root is inside the set
let is_member = set_gadget.check_membership(&calc_root);

let one_var = composer.add_constant(F::one());
composer.assert_equal(is_member, one_var);

// Constraining arbitrary data
let _ = arbitrary_data * arbitrary_data; // to be discussed

[GhostOfGauss]

I've been studying the anchor more carefully and I have a couple of questions before implementing it with our plonk gadgets.

1. The current version in arkworks_circuits uses a InputVar type for arbitrary_data that consists of recipient, relayer, fee, refund, commitment.  Should I use this struct as well? (adapted to make sense for plonk gadgets, ofc). And should these values be private? 
2. What is commitment in the above arbitrary data?  A hash of something?
3. Should the set of Merkle roots be treated as a public input value?

[lazovicff]

1. We have switched to a new model, so we are just passing arbitrary_data: F. It is created by hashing recipient, relayer, fee, refund, commitment -- using keccak256 or similar. You should not worry about it here, just treat arbitrary_data as some value from the field
2. Commitment is used for refreshing the leaf -- meaning nullifying the current one and inserting a new one (commitment) without touching the deposited funds. This logic is implemented inside the pallet itself: https://github.com/webb-tools/protocol-substrate/blob/main/pallets/anchor/src/lib.rs#L396-L399
3. Yes, the Merkle root set is public