refactor: optimizing DA cost with new point compression

noir-projects/aztec-nr/aztec/src/encrypted_logs/payload.nr

@@ -43,15 +43,15 @@ pub fn compute_encrypted_event_log<Event, NB, MB, OB>(
     // @todo We ignore the tags for now 
 
     let eph_pk_bytes = pub_key_to_bytes(eph_pk);
-    for i in 0..64 {
+    for i in 0..33 {
         encrypted_bytes[64 + i] = eph_pk_bytes[i];
     }
     for i in 0..48 {
-        encrypted_bytes[128 + i] = incoming_header_ciphertext[i];
-        encrypted_bytes[176 + i] = outgoing_Header_ciphertext[i];
+        encrypted_bytes[97 + i] = incoming_header_ciphertext[i];
+        encrypted_bytes[145 + i] = outgoing_Header_ciphertext[i];
     }
     for i in 0..176 {
-        encrypted_bytes[224 + i] = outgoing_body_ciphertext[i];
+        encrypted_bytes[193 + i] = outgoing_body_ciphertext[i];
     }
     // Then we fill in the rest as the incoming body ciphertext
     let size = OB - 400;
@@ -63,7 +63,7 @@ pub fn compute_encrypted_event_log<Event, NB, MB, OB>(
     // Current unoptimized size of the encrypted log
     // incoming_tag (32 bytes)
     // outgoing_tag (32 bytes)
-    // eph_pk (64 bytes)
+    // eph_pk (33 bytes)
     // incoming_header (48 bytes)
     // outgoing_header (48 bytes)
     // outgoing_body (176 bytes)
@@ -100,15 +100,15 @@ pub fn compute_encrypted_note_log<Note, N, NB, M>(
     // @todo We ignore the tags for now 
 
     let eph_pk_bytes = pub_key_to_bytes(eph_pk);
-    for i in 0..64 {
+    for i in 0..33 {
         encrypted_bytes[64 + i] = eph_pk_bytes[i];
     }
     for i in 0..48 {
-        encrypted_bytes[128 + i] = incoming_header_ciphertext[i];
-        encrypted_bytes[176 + i] = outgoing_Header_ciphertext[i];
+        encrypted_bytes[97 + i] = incoming_header_ciphertext[i];
+        encrypted_bytes[145 + i] = outgoing_Header_ciphertext[i];
     }
     for i in 0..176 {
-        encrypted_bytes[224 + i] = outgoing_body_ciphertext[i];
+        encrypted_bytes[193 + i] = outgoing_body_ciphertext[i];
     }
     // Then we fill in the rest as the incoming body ciphertext
     let size = M - 400;
@@ -120,7 +120,7 @@ pub fn compute_encrypted_note_log<Note, N, NB, M>(
     // Current unoptimized size of the encrypted log
     // incoming_tag (32 bytes)
     // outgoing_tag (32 bytes)
-    // eph_pk (64 bytes)
+    // eph_pk (33 bytes)
     // incoming_header (48 bytes)
     // outgoing_header (48 bytes)
     // outgoing_body (176 bytes)

noir-projects/aztec-nr/aztec/src/keys/point_to_symmetric_key.nr

@@ -10,9 +10,9 @@ pub fn point_to_symmetric_key(secret: Scalar, point: Point) -> [u8; 32] {
     let shared_secret: Point = multi_scalar_mul([point], [secret]);
     // TODO(https://github.com/AztecProtocol/aztec-packages/issues/6061): make the func return Point struct directly
     let shared_secret = pub_key_to_bytes(shared_secret);
-    let mut shared_secret_bytes_with_separator = [0 as u8; 65];
+    let mut shared_secret_bytes_with_separator = [0 as u8; 34];
     shared_secret_bytes_with_separator = arr_copy_slice(shared_secret, shared_secret_bytes_with_separator, 0);
-    shared_secret_bytes_with_separator[64] = GENERATOR_INDEX__SYMMETRIC_KEY;
+    shared_secret_bytes_with_separator[33] = GENERATOR_INDEX__SYMMETRIC_KEY;
     sha256(shared_secret_bytes_with_separator)
 }
 

noir-projects/noir-protocol-circuits/crates/types/src/point.nr

@@ -2,6 +2,9 @@ use dep::std::embedded_curve_ops::EmbeddedCurvePoint as Point;
 use crate::{traits::{Empty, Hash, Serialize}, hash::poseidon2_hash};
 
 global POINT_LENGTH: Field = 3;
+// I am storing the modulus divided by 2 plus 1 here because full modulus would throw "String literal too large" error
+// Full modulus is 21888242871839275222246405745257275088548364400416034343698204186575808495617
+global BN254_FR_MODULUS_DIV_2: Field = 10944121435919637611123202872628637544274182200208017171849102093287904247808;
 
 impl Serialize<POINT_LENGTH> for Point {
     fn serialize(self: Self) -> [Field; POINT_LENGTH] {
@@ -31,14 +34,19 @@ impl Empty for Point {
 ///
 /// We don't serialize the point at infinity flag because this function is used in situations where we do not want
 /// to waste the extra byte (encrypted log).
-pub fn pub_key_to_bytes(pk: Point) -> [u8; 64] {
+pub fn pub_key_to_bytes(pk: Point) -> [u8; 33] {
     assert(!pk.is_infinite, "Point at infinity is not a valid public key.");
-    let mut result = [0 as u8; 64];
+    let mut result = [0 as u8; 33];
     let x_bytes = pk.x.to_be_bytes(32);
-    let y_bytes = pk.y.to_be_bytes(32);
     for i in 0..32 {
         result[i] = x_bytes[i];
-        result[i + 32] = y_bytes[i];
     }
+    // We store only a "sign" of the y coordinate because the rest rest can be derived from the x coordinate. To get
+    // the sign we check if the y coordinate is greater than the curve's order minus 1 divided by 2.
+    if !BN254_FR_MODULUS_DIV_2.lt(pk.y) {
+        // y is <= (modulus - 1) / 2 so we set the byte to 1
+        result[32] = 1;
+    }
+
     result
 }

yarn-project/circuit-types/src/logs/l1_payload/encryption_utils.ts

@@ -24,7 +24,7 @@ export function deriveAESSecret(secretKey: GrumpkinScalar, publicKey: PublicKey)
   }
   const curve = new Grumpkin();
   const sharedSecret = curve.mul(publicKey, secretKey);
-  const secretBuffer = Buffer.concat([sharedSecret.toBuffer(), numToUInt8(GeneratorIndex.SYMMETRIC_KEY)]);
+  const secretBuffer = Buffer.concat([sharedSecret.toCompressedBuffer(), numToUInt8(GeneratorIndex.SYMMETRIC_KEY)]);
   const hash = sha256(secretBuffer);
   return hash;
 }

yarn-project/foundation/src/fields/point.ts

@@ -149,6 +149,14 @@ export class Point {
     return buf;
   }
 
+  /**
+   * Converts the Point instance to a compressed Buffer representation of the coordinates.
+   * @returns A Buffer representation of the Point instance
+   */
+  toCompressedBuffer() {
+    return serializeToBuffer(this.toXAndSign());
+  }
+
   /**
    * Convert the Point instance to a hexadecimal string representation.
    * The output string is prefixed with '0x' and consists of exactly 128 hex characters,