AztecProtocol · vezenovm · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/barretenberg/cpp/src/barretenberg/aztec/aztec_constants.hpp b/barretenberg/cpp/src/barretenberg/aztec/aztec_constants.hpp
@@ -247,8 +247,7 @@
 #define AVM_EMITPUBLICLOG_DYN_DA_GAS 32
 #define AVM_SSTORE_DYN_DA_GAS 64
 #define AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_HEIGHT 6
-#define AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_INITIAL_ROOT                                                                \
-    "0x13954b76f8ab76c38ab687731f802fc90e5d55e0592fa6f56d0a73024b3f8356"
+#define AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_INITIAL_ROOT "0x13954b76f8ab76c38ab687731f802fc90e5d55e0592fa6f56d0a73024b3f8356"
 #define AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_INITIAL_SIZE 1
 #define AVM_RETRIEVED_BYTECODES_TREE_HEIGHT 5
 #define AVM_RETRIEVED_BYTECODES_TREE_INITIAL_ROOT "0x0ff65ad321f05745d4c80e2e18e94241093d2e49017ff8cc151df4f207a43c12"

diff --git a/noir-projects/aztec-nr/aztec/src/keys/ecdh_shared_secret.nr b/noir-projects/aztec-nr/aztec/src/keys/ecdh_shared_secret.nr
@@ -25,6 +25,9 @@ pub fn derive_ecdh_shared_secret(secret: Scalar, public_key: EmbeddedCurvePoint)
 /// Computes an app-siloed shared secret from a raw ECDH shared secret point and a contract address.
 ///
 /// `s_app = h(DOM_SEP__APP_SILOED_ECDH_SHARED_SECRET, S.x, S.y, contract_address)`
+///
+/// Public so that contracts holding a raw `EmbeddedCurvePoint` (e.g. the constrained-delivery handshake registry) can
+/// reuse the canonical silo formula rather than re-inlining it and risking drift.
 pub fn compute_app_siloed_shared_secret(shared_secret: EmbeddedCurvePoint, contract_address: AztecAddress) -> Field {
     poseidon2_hash_with_separator(
         [shared_secret.x, shared_secret.y, contract_address.to_field()],

@@ -0,0 +1,101 @@
+//! Sender-side helpers for constrained message delivery.
+
+use crate::context::{NullifierExistenceRequest, PrivateContext};
+use crate::oracle::{call_utility_function::call_utility_function, notes::get_next_constrained_index};
+
+use crate::protocol::{
+    abis::function_selector::FunctionSelector,
+    address::AztecAddress,
+    constants::DOM_SEP__CONSTRAINED_MSG_NULLIFIER,
+    hash::poseidon2_hash_with_separator,
+    traits::{Deserialize, ToField},
+};
+
+/// Resolves the app-siloed shared secret and next per-secret index for a constrained send.
+///
+/// Wraps the registry calls needed by every constrained-delivery app: query the handshake registry for an
+/// existing app-siloed secret, bootstrap a fresh handshake if there isn't  one, and constrain the
-/// existing app-siloed secret, bootstrap a fresh handshake if there isn't  one, and constrain the
+/// existing app-siloed secret, bootstrap a fresh handshake if there isn't one, and constrain the
-/// existing app-siloed secret, bootstrap a fresh handshake if there isn't  one, and constrain the
+/// existing app-siloed secret, bootstrap a fresh handshake if there isn't one, and constrain the
+/// oracle-supplied secret. The returned `(secret, index)` pair is the input for the caller's tag derivation
-/// oracle-supplied secret. The returned `(secret, index)` pair is the input for the caller's tag derivation
+/// oracle-supplied tagging index. The returned `(secret, index)` pair is the input for the caller's tag derivation
-/// oracle-supplied secret. The returned `(secret, index)` pair is the input for the caller's tag derivation
+/// oracle-supplied tagging index. The returned `(secret, index)` pair is the input for the caller's tag derivation
+/// and nullifier emission.
+///
+/// ## Implementation Details
+/// 1. Calls `HandshakeRegistry::get_app_siloed_secret` offchain (untrusted hint).
+/// 2. On `None`, calls `HandshakeRegistry::non_interactive_handshake(sender, recipient)` to bootstrap and
+///    returns `(secret, 0)`. The constrained return value of the private call is the source of truth for the
+///    secret.
+/// 3. On `Some(secret)`, reads the per-secret index hint via [`get_next_constrained_index`] (also untrusted),
+///    then constrains:
+///    - `index == 0`: calls `HandshakeRegistry::validate_handshake` to bind the secret to the registry's
+///      current note. `PrivateMutable::get_note` inside `validate_handshake` nullifies the current handshake
+///      note and emits a fresh one, so this branch already produces a per-call nullifier on the registry
+///      note.
+///    - `index > 0`: asserts the prior nullifier
+///      `poseidon2_hash_with_separator([sender, recipient, secret, index - 1], DOM_SEP__CONSTRAINED_MSG_NULLIFIER)`
+///      exists in the app's pending set / nullifier tree. The chain transitively constrains back to the
+///      index-0 `validate_handshake`. The caller is expected to emit the matching nullifier alongside each
+///      constrained send so subsequent calls can prove the chain.
+pub fn calculate_secret_and_index(
+    context: &mut PrivateContext,
+    registry: AztecAddress,
+    sender: AztecAddress,
+    recipient: AztecAddress,
+) -> (Field, u32) {
+    let caller = context.this_address();
+
+    // Safety: the returned `Option<Field>` is untrusted and is constrained below before being returned to the
+    // caller, either by performing a new handshake or by constraining the prior handshake's existence.
+    let maybe_secret: Option<Field> = unsafe {
+        let selector = comptime {
+            FunctionSelector::from_signature("get_app_siloed_secret((Field),(Field),(Field))")
+        };
+        let returns = call_utility_function(
+            registry,
+            selector,
+            [sender.to_field(), recipient.to_field(), caller.to_field()],
+        );
+        Deserialize::deserialize(returns)
+    };
+
+    if maybe_secret.is_none() {
+        // Bootstrap: no handshake exists yet. The registry inserts a fresh note and returns the app-siloed
+        // secret to the caller. The constrained return is the source of truth for the secret, so no separate
+        // `validate_handshake` is needed.
+        // TODO(F-660): dispatch to `perform_handshake(sender, recipient, handshake_type)` once interactive
+        // handshakes are supported.
+        let selector = comptime {
+            FunctionSelector::from_signature("non_interactive_handshake((Field),(Field))")
+        };
+        let secret: Field = context
+            .call_private_function(registry, selector, [sender.to_field(), recipient.to_field()])
+            .get_preimage();
+        (secret, 0)
+    } else {
+        let secret = maybe_secret.unwrap_unchecked();
+
+        // Safety: the index is untrusted; the anchor branches below ensure the returned `(secret, index)` pair
+        // is bound to a real registry handshake before it leaves the helper.
+        let index = unsafe { get_next_constrained_index(secret) };
+
+        if index == 0 {
+            let selector = comptime {
+                FunctionSelector::from_signature("validate_handshake((Field),(Field),Field)")
+            };
+            let _ = context.call_private_function(
+                registry,
+                selector,
+                [sender.to_field(), recipient.to_field(), secret],
+            );
+        } else {
+            let prev_nullifier = poseidon2_hash_with_separator(
+                [sender.to_field(), recipient.to_field(), secret, (index - 1) as Field],
+                DOM_SEP__CONSTRAINED_MSG_NULLIFIER,
+            );
+            context.assert_nullifier_exists(NullifierExistenceRequest::for_pending(
+                prev_nullifier,
+                caller,
+            ));
+        }
+
+        (secret, index)
+    }
+}