2021-03-05 15:25:45 -08:00
|
|
|
|
//! Helper functions defined in the Zcash Protocol Specification.
|
|
|
|
|
|
|
|
|
|
use std::iter;
|
2021-05-11 00:08:39 -07:00
|
|
|
|
use std::ops::Deref;
|
2021-03-05 15:25:45 -08:00
|
|
|
|
|
2021-06-04 12:38:28 -07:00
|
|
|
|
use ff::{Field, PrimeField, PrimeFieldBits};
|
2021-06-02 14:31:18 -07:00
|
|
|
|
use group::GroupEncoding;
|
2021-03-15 13:33:07 -07:00
|
|
|
|
use group::{Curve, Group};
|
2021-03-17 19:06:16 -07:00
|
|
|
|
use halo2::arithmetic::{CurveAffine, CurveExt, FieldExt};
|
|
|
|
|
use pasta_curves::pallas;
|
2021-06-02 14:31:18 -07:00
|
|
|
|
use subtle::{ConditionallySelectable, CtOption};
|
2021-03-05 15:25:45 -08:00
|
|
|
|
|
2021-03-15 18:27:08 -07:00
|
|
|
|
use crate::{
|
|
|
|
|
constants::L_ORCHARD_BASE,
|
|
|
|
|
primitives::{poseidon, sinsemilla},
|
|
|
|
|
};
|
2021-03-05 15:25:45 -08:00
|
|
|
|
|
2021-05-28 04:42:01 -07:00
|
|
|
|
mod prf_expand;
|
2021-05-28 05:11:54 -07:00
|
|
|
|
pub(crate) use prf_expand::PrfExpand;
|
2021-03-05 15:25:45 -08:00
|
|
|
|
|
2021-05-11 01:06:16 -07:00
|
|
|
|
/// A Pallas point that is guaranteed to not be the identity.
|
2021-06-10 11:16:08 -07:00
|
|
|
|
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
|
2021-05-11 01:06:16 -07:00
|
|
|
|
pub(crate) struct NonIdentityPallasPoint(pallas::Point);
|
|
|
|
|
|
2021-06-10 11:16:08 -07:00
|
|
|
|
impl Default for NonIdentityPallasPoint {
|
|
|
|
|
fn default() -> Self {
|
|
|
|
|
NonIdentityPallasPoint(pallas::Point::generator())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-02 14:31:18 -07:00
|
|
|
|
impl ConditionallySelectable for NonIdentityPallasPoint {
|
|
|
|
|
fn conditional_select(a: &Self, b: &Self, choice: subtle::Choice) -> Self {
|
|
|
|
|
NonIdentityPallasPoint(pallas::Point::conditional_select(&a.0, &b.0, choice))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl NonIdentityPallasPoint {
|
|
|
|
|
pub(crate) fn from_bytes(bytes: &[u8; 32]) -> CtOption<Self> {
|
|
|
|
|
pallas::Point::from_bytes(bytes)
|
|
|
|
|
.and_then(|p| CtOption::new(NonIdentityPallasPoint(p), !p.is_identity()))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-11 01:06:16 -07:00
|
|
|
|
impl Deref for NonIdentityPallasPoint {
|
|
|
|
|
type Target = pallas::Point;
|
|
|
|
|
|
|
|
|
|
fn deref(&self) -> &pallas::Point {
|
|
|
|
|
&self.0
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-11 00:08:39 -07:00
|
|
|
|
/// An integer in [1..q_P].
|
2021-06-10 11:16:08 -07:00
|
|
|
|
#[derive(Clone, Copy, Debug)]
|
2021-05-11 00:08:39 -07:00
|
|
|
|
pub(crate) struct NonZeroPallasBase(pallas::Base);
|
|
|
|
|
|
2021-06-10 11:16:08 -07:00
|
|
|
|
impl Default for NonZeroPallasBase {
|
|
|
|
|
fn default() -> Self {
|
|
|
|
|
NonZeroPallasBase(pallas::Base::one())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ConditionallySelectable for NonZeroPallasBase {
|
|
|
|
|
fn conditional_select(a: &Self, b: &Self, choice: subtle::Choice) -> Self {
|
|
|
|
|
NonZeroPallasBase(pallas::Base::conditional_select(&a.0, &b.0, choice))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-11 00:08:39 -07:00
|
|
|
|
impl NonZeroPallasBase {
|
2021-06-10 11:16:08 -07:00
|
|
|
|
pub(crate) fn from_bytes(bytes: &[u8; 32]) -> CtOption<Self> {
|
|
|
|
|
pallas::Base::from_bytes(bytes).and_then(NonZeroPallasBase::from_base)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub(crate) fn from_base(b: pallas::Base) -> CtOption<Self> {
|
|
|
|
|
CtOption::new(NonZeroPallasBase(b), !b.ct_is_zero())
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-11 00:08:39 -07:00
|
|
|
|
/// Constructs a wrapper for a base field element that is guaranteed to be non-zero.
|
|
|
|
|
///
|
|
|
|
|
/// # Panics
|
|
|
|
|
///
|
|
|
|
|
/// Panics if `s.is_zero()`.
|
|
|
|
|
fn guaranteed(s: pallas::Base) -> Self {
|
|
|
|
|
assert!(!s.is_zero());
|
|
|
|
|
NonZeroPallasBase(s)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// An integer in [1..r_P].
|
2021-06-10 11:16:08 -07:00
|
|
|
|
#[derive(Clone, Copy, Debug)]
|
2021-05-11 00:08:39 -07:00
|
|
|
|
pub(crate) struct NonZeroPallasScalar(pallas::Scalar);
|
|
|
|
|
|
2021-06-10 11:16:08 -07:00
|
|
|
|
impl Default for NonZeroPallasScalar {
|
|
|
|
|
fn default() -> Self {
|
|
|
|
|
NonZeroPallasScalar(pallas::Scalar::one())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-11 00:08:39 -07:00
|
|
|
|
impl From<NonZeroPallasBase> for NonZeroPallasScalar {
|
|
|
|
|
fn from(s: NonZeroPallasBase) -> Self {
|
|
|
|
|
NonZeroPallasScalar::guaranteed(mod_r_p(s.0))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-02 14:31:18 -07:00
|
|
|
|
impl ConditionallySelectable for NonZeroPallasScalar {
|
|
|
|
|
fn conditional_select(a: &Self, b: &Self, choice: subtle::Choice) -> Self {
|
|
|
|
|
NonZeroPallasScalar(pallas::Scalar::conditional_select(&a.0, &b.0, choice))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-11 00:08:39 -07:00
|
|
|
|
impl NonZeroPallasScalar {
|
2021-06-02 14:31:18 -07:00
|
|
|
|
pub(crate) fn from_bytes(bytes: &[u8; 32]) -> CtOption<Self> {
|
|
|
|
|
pallas::Scalar::from_bytes(bytes).and_then(NonZeroPallasScalar::from_scalar)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub(crate) fn from_scalar(s: pallas::Scalar) -> CtOption<Self> {
|
|
|
|
|
CtOption::new(NonZeroPallasScalar(s), !s.ct_is_zero())
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-11 00:08:39 -07:00
|
|
|
|
/// Constructs a wrapper for a scalar field element that is guaranteed to be non-zero.
|
|
|
|
|
///
|
|
|
|
|
/// # Panics
|
|
|
|
|
///
|
|
|
|
|
/// Panics if `s.is_zero()`.
|
|
|
|
|
fn guaranteed(s: pallas::Scalar) -> Self {
|
|
|
|
|
assert!(!s.is_zero());
|
|
|
|
|
NonZeroPallasScalar(s)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Deref for NonZeroPallasScalar {
|
|
|
|
|
type Target = pallas::Scalar;
|
|
|
|
|
|
|
|
|
|
fn deref(&self) -> &pallas::Scalar {
|
|
|
|
|
&self.0
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-05 15:25:45 -08:00
|
|
|
|
/// $\mathsf{ToBase}^\mathsf{Orchard}(x) := LEOS2IP_{\ell_\mathsf{PRFexpand}}(x) (mod q_P)$
|
|
|
|
|
///
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].
|
2021-03-05 15:25:45 -08:00
|
|
|
|
///
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents
|
2021-03-08 13:33:56 -08:00
|
|
|
|
pub(crate) fn to_base(x: [u8; 64]) -> pallas::Base {
|
|
|
|
|
pallas::Base::from_bytes_wide(&x)
|
2021-03-05 15:25:45 -08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// $\mathsf{ToScalar}^\mathsf{Orchard}(x) := LEOS2IP_{\ell_\mathsf{PRFexpand}}(x) (mod r_P)$
|
|
|
|
|
///
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].
|
2021-03-05 15:25:45 -08:00
|
|
|
|
///
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents
|
2021-03-08 13:33:56 -08:00
|
|
|
|
pub(crate) fn to_scalar(x: [u8; 64]) -> pallas::Scalar {
|
|
|
|
|
pallas::Scalar::from_bytes_wide(&x)
|
2021-03-05 15:25:45 -08:00
|
|
|
|
}
|
|
|
|
|
|
2021-03-15 18:24:50 -07:00
|
|
|
|
/// Converts from pallas::Base to pallas::Scalar (aka $x \pmod{r_\mathbb{P}}$).
|
|
|
|
|
///
|
|
|
|
|
/// This requires no modular reduction because Pallas' base field is smaller than its
|
|
|
|
|
/// scalar field.
|
|
|
|
|
pub(crate) fn mod_r_p(x: pallas::Base) -> pallas::Scalar {
|
|
|
|
|
pallas::Scalar::from_repr(x.to_repr()).unwrap()
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].
|
2021-03-05 15:25:45 -08:00
|
|
|
|
///
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents
|
2021-03-05 15:25:45 -08:00
|
|
|
|
pub(crate) fn commit_ivk(
|
2021-03-15 13:33:07 -07:00
|
|
|
|
ak: &pallas::Base,
|
2021-03-05 15:25:45 -08:00
|
|
|
|
nk: &pallas::Base,
|
|
|
|
|
rivk: &pallas::Scalar,
|
2021-05-11 00:08:39 -07:00
|
|
|
|
) -> CtOption<NonZeroPallasBase> {
|
2021-03-15 13:33:07 -07:00
|
|
|
|
// We rely on the API contract that to_le_bits() returns at least PrimeField::NUM_BITS
|
|
|
|
|
// bits, which is equal to L_ORCHARD_BASE.
|
2021-03-18 17:43:18 -07:00
|
|
|
|
let domain = sinsemilla::CommitDomain::new(&"z.cash:Orchard-CommitIvk");
|
2021-04-19 15:05:56 -07:00
|
|
|
|
domain
|
|
|
|
|
.short_commit(
|
2021-03-15 18:24:50 -07:00
|
|
|
|
iter::empty()
|
|
|
|
|
.chain(ak.to_le_bits().iter().by_val().take(L_ORCHARD_BASE))
|
|
|
|
|
.chain(nk.to_le_bits().iter().by_val().take(L_ORCHARD_BASE)),
|
|
|
|
|
rivk,
|
2021-04-19 15:05:56 -07:00
|
|
|
|
)
|
2021-05-11 00:08:39 -07:00
|
|
|
|
// Commit^ivk.Output is specified as [1..q_P] ∪ {⊥}. We get this from
|
|
|
|
|
// sinsemilla::CommitDomain::short_commit by construction:
|
|
|
|
|
// - 0 is not a valid x-coordinate for any Pallas point.
|
|
|
|
|
// - sinsemilla::CommitDomain::short_commit calls extract_p_bottom, which replaces
|
|
|
|
|
// the identity (which has no affine coordinates) with 0. but Sinsemilla is
|
|
|
|
|
// defined using incomplete addition, and thus will never produce the identity.
|
|
|
|
|
.map(NonZeroPallasBase::guaranteed)
|
2021-03-05 15:25:45 -08:00
|
|
|
|
}
|
|
|
|
|
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// Defined in [Zcash Protocol Spec § 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions][concretediversifyhash].
|
2021-03-05 15:25:45 -08:00
|
|
|
|
///
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// [concretediversifyhash]: https://zips.z.cash/protocol/nu5.pdf#concretediversifyhash
|
2021-05-11 01:06:16 -07:00
|
|
|
|
pub(crate) fn diversify_hash(d: &[u8; 11]) -> NonIdentityPallasPoint {
|
2021-03-17 17:39:04 -07:00
|
|
|
|
let hasher = pallas::Point::hash_to_curve("z.cash:Orchard-gd");
|
|
|
|
|
let pk_d = hasher(d);
|
2021-05-11 01:06:16 -07:00
|
|
|
|
// If the identity occurs, we replace it with a different fixed point.
|
2021-05-21 13:24:08 -07:00
|
|
|
|
// TODO: Replace the unwrap_or_else with a cached fixed point.
|
2021-05-11 01:06:16 -07:00
|
|
|
|
NonIdentityPallasPoint(CtOption::new(pk_d, !pk_d.is_identity()).unwrap_or_else(|| hasher(&[])))
|
2021-03-05 15:25:45 -08:00
|
|
|
|
}
|
|
|
|
|
|
2021-03-15 18:27:08 -07:00
|
|
|
|
/// $PRF^\mathsf{nfOrchard}(nk, \rho) := Poseidon(nk, \rho)$
|
|
|
|
|
///
|
|
|
|
|
/// Defined in [Zcash Protocol Spec § 5.4.2: Pseudo Random Functions][concreteprfs].
|
|
|
|
|
///
|
2021-03-29 17:54:23 -07:00
|
|
|
|
/// [concreteprfs]: https://zips.z.cash/protocol/nu5.pdf#concreteprfs
|
2021-03-15 18:27:08 -07:00
|
|
|
|
pub(crate) fn prf_nf(nk: pallas::Base, rho: pallas::Base) -> pallas::Base {
|
2021-03-29 18:13:15 -07:00
|
|
|
|
poseidon::Hash::init(poseidon::OrchardNullifier, poseidon::ConstantLength).hash([nk, rho])
|
2021-03-15 18:27:08 -07:00
|
|
|
|
}
|
|
|
|
|
|
2021-03-17 12:20:40 -07:00
|
|
|
|
/// Defined in [Zcash Protocol Spec § 5.4.5.5: Orchard Key Agreement][concreteorchardkeyagreement].
|
2021-03-05 15:25:45 -08:00
|
|
|
|
///
|
2021-03-05 17:17:51 -08:00
|
|
|
|
/// [concreteorchardkeyagreement]: https://zips.z.cash/protocol/nu5.pdf#concreteorchardkeyagreement
|
2021-05-11 01:06:16 -07:00
|
|
|
|
pub(crate) fn ka_orchard(
|
|
|
|
|
sk: &NonZeroPallasScalar,
|
|
|
|
|
b: &NonIdentityPallasPoint,
|
|
|
|
|
) -> NonIdentityPallasPoint {
|
|
|
|
|
NonIdentityPallasPoint(b.deref() * sk.deref())
|
2021-03-05 15:25:45 -08:00
|
|
|
|
}
|
|
|
|
|
|
2021-03-17 12:20:40 -07:00
|
|
|
|
/// Coordinate extractor for Pallas.
|
2021-03-05 15:25:45 -08:00
|
|
|
|
///
|
2021-03-17 12:20:40 -07:00
|
|
|
|
/// Defined in [Zcash Protocol Spec § 5.4.9.7: Coordinate Extractor for Pallas][concreteextractorpallas].
|
2021-03-05 17:17:51 -08:00
|
|
|
|
///
|
|
|
|
|
/// [concreteextractorpallas]: https://zips.z.cash/protocol/nu5.pdf#concreteextractorpallas
|
2021-03-05 15:25:45 -08:00
|
|
|
|
pub(crate) fn extract_p(point: &pallas::Point) -> pallas::Base {
|
2021-04-19 15:02:59 -07:00
|
|
|
|
point
|
|
|
|
|
.to_affine()
|
|
|
|
|
.coordinates()
|
|
|
|
|
.map(|c| *c.x())
|
|
|
|
|
.unwrap_or_else(pallas::Base::zero)
|
2021-03-05 15:25:45 -08:00
|
|
|
|
}
|
2021-03-17 12:15:55 -07:00
|
|
|
|
|
2021-04-19 15:05:56 -07:00
|
|
|
|
/// Coordinate extractor for Pallas.
|
|
|
|
|
///
|
|
|
|
|
/// Defined in [Zcash Protocol Spec § 5.4.9.7: Coordinate Extractor for Pallas][concreteextractorpallas].
|
|
|
|
|
///
|
|
|
|
|
/// [concreteextractorpallas]: https://zips.z.cash/protocol/nu5.pdf#concreteextractorpallas
|
|
|
|
|
pub(crate) fn extract_p_bottom(point: CtOption<pallas::Point>) -> CtOption<pallas::Base> {
|
|
|
|
|
point.map(|p| extract_p(&p))
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-13 08:19:12 -07:00
|
|
|
|
/// The u64 integer represented by an L-bit little-endian bitstring.
|
|
|
|
|
///
|
2021-06-14 09:16:19 -07:00
|
|
|
|
/// # Panics
|
2021-06-13 08:19:12 -07:00
|
|
|
|
///
|
|
|
|
|
/// Panics if the bitstring is longer than 64 bits.
|
|
|
|
|
pub fn lebs2ip<const L: usize>(bits: &[bool; L]) -> u64 {
|
|
|
|
|
assert!(L <= 64);
|
|
|
|
|
bits.iter()
|
|
|
|
|
.enumerate()
|
|
|
|
|
.fold(0u64, |acc, (i, b)| acc + if *b { 1 << i } else { 0 })
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-17 12:15:55 -07:00
|
|
|
|
#[cfg(test)]
|
|
|
|
|
mod tests {
|
|
|
|
|
use group::Group;
|
2021-03-17 19:06:16 -07:00
|
|
|
|
use halo2::arithmetic::CurveExt;
|
|
|
|
|
use pasta_curves::pallas;
|
2021-03-17 12:15:55 -07:00
|
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
|
fn diversify_hash_substitution() {
|
|
|
|
|
assert!(!bool::from(
|
|
|
|
|
pallas::Point::hash_to_curve("z.cash:Orchard-gd")(&[]).is_identity()
|
|
|
|
|
));
|
|
|
|
|
}
|
|
|
|
|
}
|