AztecProtocol / aztec-packages

Apache License 2.0
test: add test to showcase private token exploits #7297

Open LHerskind opened 2 days ago

LHerskind commented 2 days ago

The PrivateToken that was introduced in #7226 has critical vulnerabilities:

  1. It does not take into account key rotation, so if you rotate your keys your entire balance is lost.
  2. It does not actually require the signing key to be used to spend notes, meaning that if the PXE is compromised your funds are gone, and it does not matter that your account contract is using a key only on a hardware wallet etc.

This PR showcases how to exploit the two weaknesses.

AztecBot commented 2 days ago

Benchmark results

Metrics with a significant change:

Detailed results

All benchmarks are run on txs on the `Benchmarking` contract on the repository. Each tx consists of a batch call to `create_note` and `increment_balance`, which guarantees that each tx has a private call, a nested private call, a public call, and a nested public call, as well as an emitted private note, an unencrypted log, and public storage read and write.

This benchmark source data is available in JSON format on S3 [here](https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/benchmarks-v1/pulls/7297.json).

### Proof generation

Each column represents the number of threads used in proof generation.

| Metric | 1 threads | 4 threads | 16 threads | 32 threads | 64 threads |
| - | - | - | - | - | - |
| proof_construction_time_sha256_ms | 5,709 | 1,544 | 706 | 747 (-1%) | 771 (-1%) |
| proof_construction_time_sha256_30_ms | 11,715 (-2%) | 3,131 (-2%) | :warning: 1,411 (**-20%**) | 1,426 (-11%) | 1,463 (-7%) |
| proof_construction_time_sha256_100_ms | 43,665 (-1%) | 11,788 (-1%) | :warning: 5,434 (**-18%**) | 5,402 (-7%) | 5,356 (-5%) |
| proof_construction_time_poseidon_hash_ms | 78.0 | 34.0 | 34.0 (-23%) | 58.0 (-11%) | 87.0 (-4%) |
| proof_construction_time_poseidon_hash_30_ms | 1,516 | 413 (-1%) | 200 (-1%) | 222 (-4%) | 269 (+1%) |
| proof_construction_time_poseidon_hash_100_ms | 5,730 (-2%) | 1,562 | 720 (-1%) | 794 (+2%) | 787 (-1%) |

### L2 block published to L1

Each column represents the number of txs on an L2 block published to L1.

| Metric | 4 txs | 8 txs | 16 txs |
| - | - | - | - |
| l1_rollup_calldata_size_in_bytes | 1,412 | 1,412 | 1,412 |
| l1_rollup_calldata_gas | 9,476 | 9,468 | 9,476 |
| l1_rollup_execution_gas | 611,215 | 611,358 | 611,517 |
| l2_block_processing_time_in_ms | 760 (-2%) | 1,424 (+1%) | 2,692 (-1%) |
| l2_block_building_time_in_ms | 20,812 (-1%) | 41,813 (-1%) | 81,579 (-1%) |
| l2_block_rollup_simulation_time_in_ms | 20,812 (-1%) | 41,812 (-1%) | 81,579 (-1%) |
| l2_block_public_tx_process_time_in_ms | 17,807 (-1%) | 38,584 | 78,408 (-1%) |

### L2 chain processing

Each column represents the number of blocks on the L2 chain where each block has 8 txs.

| Metric | 3 blocks | 5 blocks |
| - | - | - |
| node_history_sync_time_in_ms | 7,043 | 10,003 (+1%) |
| node_database_size_in_bytes | 12,259,408 | 16,207,952 |
| pxe_database_size_in_bytes | 16,254 | 26,813 |

### Circuits stats

Stats on running time and I/O sizes collected for every kernel circuit run across all benchmarks.

| Circuit | simulation_time_in_ms | witness_generation_time_in_ms | proving_time_in_ms | input_size_in_bytes | output_size_in_bytes | proof_size_in_bytes | num_public_inputs | size_in_gates |
| - | - | - | - | - | - | - | - | - |
| private-kernel-init | 102 | 390 (+2%) | 12,791 (+1%) | 19,482 | 54,134 | 73,920 | 2,243 | 524,288 |
| private-kernel-inner | 308 | 769 (-2%) | 52,186 (+6%) | 80,694 | 54,134 | 73,920 | 2,243 | 2,097,152 |
| private-kernel-tail | 1,086 | 2,605 (+2%) | 48,607 | 61,457 | 62,057 | 14,912 | 399 | 2,097,152 |
| base-parity | 6.15 | 1,550 (+2%) | 2,720 (+4%) | 128 | 64.0 | 2,208 | 2.00 | 131,072 |
| root-parity | 49.0 (+1%) | 74.0 (+11%) | 40,025 (-2%) | 27,100 | 64.0 | 2,720 | 18.0 | 2,097,152 |
| base-rollup | 6,573 | 4,870 | 92,372 (+2%) | 170,330 | 728 | 3,648 | 47.0 | 4,194,304 |
| root-rollup | 112 (+3%) | 83.0 (+7%) | 23,938 (-3%) | 25,253 | 620 | 3,456 | 41.0 | 1,048,576 |
| public-kernel-setup | 545 (+1%) | 2,444 (+3%) | 43,606 (+2%) | 102,121 | 80,278 | 106,912 | 3,274 | 2,097,152 |
| public-kernel-app-logic | 502 | 3,412 (+2%) | 44,890 (+3%) | 102,121 | 80,278 | 106,912 | 3,274 | 2,097,152 |
| public-kernel-tail | 1,147 | 26,959 | 184,627 (+4%) | 399,014 | 10,014 | 14,912 | 399 | 8,388,608 |
| private-kernel-reset-small | 467 | 1,081 (+1%) | 31,378 (+2%) | 109,233 | 54,134 | 73,920 | 2,243 | 1,048,576 |
| public-kernel-teardown | 494 (+1%) | 3,422 (+3%) | 44,215 (+2%) | 102,121 | 80,278 | 106,912 | 3,274 | 2,097,152 |
| merge-rollup | 29.2 (-1%) | N/A | N/A | 16,486 | 728 | N/A | N/A | N/A |
| private-kernel-tail-to-public | N/A | 8,802 (+4%) | 53,028 (+4%) | N/A | N/A | 106,912 | 3,274 | 2,097,152 |

Stats on running time collected for app circuits

| Function | input_size_in_bytes | output_size_in_bytes | witness_generation_time_in_ms | proof_size_in_bytes | proving_time_in_ms | size_in_gates | num_public_inputs |
| - | - | - | - | - | - | - | - |
| ContractClassRegisterer:register | 1,344 | 8,792 | 407 (+1%) | N/A | N/A | N/A | N/A |
| ContractInstanceDeployer:deploy | 1,408 | 8,792 | 38.8 (+1%) | N/A | N/A | N/A | N/A |
| MultiCallEntrypoint:entrypoint | 1,920 | 8,792 | 1,195 (+1%) | N/A | N/A | N/A | N/A |
| GasToken:deploy | 1,376 | 8,792 | 910 (+2%) | N/A | N/A | N/A | N/A |
| SchnorrAccount:constructor | 1,312 | 8,792 | 489 (+1%) | N/A | N/A | N/A | N/A |
| SchnorrAccount:entrypoint | 2,304 | 8,792 | 1,628 (+1%) | 14,720 | 54,020 (-1%) | 2,097,152 | 393 |
| Token:privately_mint_private_note | 1,280 | 8,792 | 628 (+1%) | N/A | N/A | N/A | N/A |
| FPC:fee_entrypoint_public | 1,344 | 8,792 | 268 (+1%) | 14,720 | 11,870 (+3%) | 524,288 | 393 |
| Token:transfer | 1,312 | 8,792 | 1,804 (+2%) | 14,720 | 13,526 (+7%) | 524,288 | 393 |
| AuthRegistry:set_authorized (avm) | 19,226 | N/A | N/A | 91,264 | 1,357 (+2%) | N/A | N/A |
| FPC:prepare_fee (avm) | 26,668 | N/A | N/A | 91,328 | 3,059 (+3%) | N/A | N/A |
| Token:transfer_public (avm) | 42,918 | N/A | N/A | 91,328 | 4,107 (+5%) | N/A | N/A |
| AuthRegistry:consume (avm) | 33,104 | N/A | N/A | 91,264 | 3,017 (+5%) | N/A | N/A |
| FPC:pay_refund (avm) | 36,833 | N/A | N/A | 91,296 | 23,577 | N/A | N/A |
| Benchmarking:create_note | 1,344 | 8,792 | 480 | N/A | N/A | N/A | N/A |
| SchnorrAccount:verify_private_authwit | 1,280 | 8,792 | 72.8 (+2%) | N/A | N/A | N/A | N/A |
| Token:unshield | 1,376 | 8,792 | 1,541 (+1%) | N/A | N/A | N/A | N/A |
| FPC:fee_entrypoint_private | 1,376 | 8,792 | 2,132 (+1%) | N/A | N/A | N/A | N/A |

### AVM Simulation

Time to simulate various public functions in the AVM.

| Function | time_ms | bytecode_size_in_bytes |
| - | - | - |
| GasToken:_increase_public_balance | 67.1 (-2%) | 13,790 |
| GasToken:set_portal | 16.8 (-4%) | 3,339 |
| Token:constructor | 92.8 | 23,692 |
| FPC:constructor | 64.4 (+3%) | 13,592 |
| GasToken:mint_public | 52.0 (-1%) | 10,158 |
| Token:mint_public | :warning: 491 (**+1045%**) | 19,034 |
| Token:assert_minter_and_mint | :warning: 58.1 (**-67%**) | 12,925 |
| AuthRegistry:set_authorized | 33.1 | 7,812 |
| FPC:prepare_fee | 108 (-6%) | 15,062 |
| Token:transfer_public | 43.3 (-17%) | 31,218 |
| FPC:pay_refund | 129 (-7%) | 25,260 |
| Benchmarking:increment_balance | 2,196 | 15,267 |
| Token:_increase_public_balance | 56.2 (+1%) | 15,006 |
| FPC:pay_refund_with_shielded_rebate | 120 (+3%) | 26,347 |

### Public DB Access

Time to access various public DBs.

| Function | time_ms |
| - | - |
| get-nullifier-index | 0.161 (+2%) |

### Tree insertion stats

The duration to insert a fixed batch of leaves into each tree type.

| Metric | 1 leaves | 16 leaves | 64 leaves | 128 leaves | 256 leaves | 512 leaves | 1024 leaves |
| - | - | - | - | - | - | - | - |
| batch_insert_into_append_only_tree_16_depth_ms | 10.3 (-1%) | 16.8 | N/A | N/A | N/A | N/A | N/A |
| batch_insert_into_append_only_tree_16_depth_hash_count | 16.8 | 31.7 | N/A | N/A | N/A | N/A | N/A |
| batch_insert_into_append_only_tree_16_depth_hash_ms | 0.598 (-1%) | 0.517 | N/A | N/A | N/A | N/A | N/A |
| batch_insert_into_append_only_tree_32_depth_ms | N/A | N/A | 48.3 | 75.7 (-1%) | 136 (+3%) | 245 | 470 (-1%) |
| batch_insert_into_append_only_tree_32_depth_hash_count | N/A | N/A | 95.9 | 159 | 287 | 543 | 1,055 |
| batch_insert_into_append_only_tree_32_depth_hash_ms | N/A | N/A | 0.494 | 0.465 (-1%) | 0.468 (+3%) | 0.444 | 0.439 (-1%) |
| batch_insert_into_indexed_tree_20_depth_ms | N/A | N/A | 59.5 (-1%) | 112 | 183 (-1%) | 354 | 693 (-1%) |
| batch_insert_into_indexed_tree_20_depth_hash_count | N/A | N/A | 109 | 207 | 355 | 691 | 1,363 |
| batch_insert_into_indexed_tree_20_depth_hash_ms | N/A | N/A | 0.502 (-1%) | 0.501 | 0.484 (-1%) | 0.479 | 0.476 (-1%) |
| batch_insert_into_indexed_tree_40_depth_ms | N/A | N/A | 73.0 | N/A | N/A | N/A | N/A |
| batch_insert_into_indexed_tree_40_depth_hash_count | N/A | N/A | 133 | N/A | N/A | N/A | N/A |
| batch_insert_into_indexed_tree_40_depth_hash_ms | N/A | N/A | 0.519 | N/A | N/A | N/A | N/A |

### Miscellaneous

Transaction sizes based on how many contract classes are registered in the tx.

| Metric | 0 registered classes | 1 registered classes |
| - | - | - |
| tx_size_in_bytes | 74,057 | 667,850 |

Transaction size based on fee payment method

| Metric | |
| - | |

just-mitch commented 2 days ago

Beautiful illustrations @LHerskind! I think we should merge this. I created https://github.com/AztecProtocol/aztec-packages/issues/7324 and https://github.com/AztecProtocol/aztec-packages/issues/7323 which should be able to get these tests to fail when they are working.