Jack Grigg
5646ada113
Make nk the first argument to Nullifier::derive
...
This more closely matches DeriveNullifier in the spec.
2021-03-30 13:52:20 +13:00
Jack Grigg
0f6eb9ca6c
Nullifier derivation
2021-03-26 07:51:05 +13:00
Jack Grigg
1a37ca492d
Extract spec::mod_r_p helper from spec::commit_ivk
2021-03-26 07:51:05 +13:00
Jack Grigg
680c917ce6
Note commitment derivation
2021-03-26 07:51:05 +13:00
str4d
ee2bfa7f43
Merge pull request #41 from zcash/poseidon-primitive
...
Poseidon primitive
2021-03-26 07:36:45 +13:00
str4d
df5e0d92f3
Merge pull request #46 from zcash/sinsemilla-api
...
Generalise Sinsemilla API
2021-03-24 17:37:36 +13:00
therealyingtong
a2c1bfb52a
Remove unnecessary clone()
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:30:03 +08:00
therealyingtong
9c75839e62
Minor changes
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:25:28 +08:00
therealyingtong
7a210fabf3
Store HashDomain in CommitDomain
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:11:13 +08:00
therealyingtong
18fba2a62e
Add getters for Q() and R()
2021-03-24 12:10:37 +08:00
therealyingtong
873e1b7d7e
Call hash_to_curve() only when constructing new domain
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:10:37 +08:00
ying tong
946b50ebfe
Add documentation
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-03-24 12:09:11 +08:00
therealyingtong
a3134e34c5
Introduce HashDomain and CommitDomain traits
...
Co-authored-by: Jack Grigg <thestr4d@gmail.com>
2021-03-24 12:09:11 +08:00
therealyingtong
ee969a64a8
Add Sinsemilla constants
2021-03-24 12:09:11 +08:00
str4d
7c8098ad43
Merge pull request #50 from zcash/key-derivation-benchmark
...
Add small key derivation benchmarks
2021-03-24 17:05:36 +13:00
Jack Grigg
b8f02c3b32
Temporarily allow dead code
...
This will make the lints more useful while we are implementing the
Orchard protocol.
2021-03-20 18:31:22 +13:00
Jack Grigg
f18ffa63d5
Add small key derivation benchmarks
2021-03-20 18:19:51 +13:00
str4d
e0a2141888
Merge pull request #48 from zcash/pasta-curves
...
Use the pasta_curves crate directly
2021-03-19 08:35:00 +13:00
Jack Grigg
1ceb60379f
poseidon: Clarify that R_F must be even
2021-03-18 16:47:06 +13:00
Jack Grigg
4c3e20535d
poseidon: s/arity/width
...
To match the paper more closely (arity specifically refers to Merkle
tree instantiations).
2021-03-18 16:47:04 +13:00
Jack Grigg
2beb6c3e82
Invert the Poseidon test vectors for Orchard
...
We now hard-code the Poseidon round constants and MDS for the Poseidon
specification used for Orchard nullifiers, as produced by the reference
implementation, and test that our constant generation can recreate them.
2021-03-18 16:47:01 +13:00
Jack Grigg
872471af17
Fix Poseidon instance definition
...
For Orchard, we want a Poseidon instance with a width of 3 field
elements and an output of one field element. The Poseidon instances
defined in the Poseidon paper have their output size equal to their
capacity size; with a capacity of 1 and pallas::Base as the field,
Poseidon-128 has the corresponding security level.
We do deviate from the paper's instance by adding a single partial
round, which makes the circuit easier to implement in Halo 2.
2021-03-18 16:39:09 +13:00
Jack Grigg
761dea6cc1
Implement domain separation for poseidon::Hash
...
Domain separation is implemented as specified in the Poseidon paper.
We only require constant-input-length hashing.
2021-03-18 16:38:59 +13:00
Jack Grigg
c578c22fe8
Silence clippy needless_range_loop warnings
...
I'm using range loops explicitly to make certain logic clearer.
2021-03-18 16:38:30 +13:00
Jack Grigg
6bcfecd039
Add poseidon::Spec::Rate associated type
...
This removes the need for specifying the rate at runtime, and removes
the remaining heap allocations from Duplex::absorb and Duplex::squeeze.
2021-03-18 16:38:28 +13:00
Jack Grigg
6548666e37
Add poseidon::Spec::State associated type
...
We reuse this type for the per-round round constants, and rows of the
MDS, to provide some type-level same-length guarantees. Once we can use
const generics, these will all be replaced by [F; Spec::ARITY].
2021-03-18 16:38:26 +13:00
Jack Grigg
5c8e9beea7
Simplify poseidon::Spec and remove poseidon::Generic
...
Poseidon specifications are now all concrete, and only generation of
constants at runtime requires an instance of the specification.
2021-03-18 16:38:23 +13:00
Jack Grigg
266705166f
Poseidon duplex sponge and hash function
2021-03-18 16:38:21 +13:00
Jack Grigg
9a2c1b0217
Make poseidon::Generic specific to SboxType::Pow
...
We don't currently require SboxType::Inv, so let's simplify for now.
2021-03-18 16:38:17 +13:00
Jack Grigg
8408f4690c
Rename poseidon::PoseidonSpec trait to poseidon::Spec
2021-03-18 16:38:14 +13:00
Jack Grigg
3fb5bf8344
Modify constant generation to match reference implementation
2021-03-18 16:38:07 +13:00
Jack Grigg
e1719c42bc
Add test vectors from the reference implementation
...
These are generated using v1.1 of the reference implementation.
2021-03-18 16:38:06 +13:00
Jack Grigg
84907c50e1
Poseidon specification and constants
2021-03-18 16:37:36 +13:00
Jack Grigg
3911fb3202
Use Pallas directly from pasta_curves crate
2021-03-18 15:06:16 +13:00
Jack Grigg
0f081c74e9
Bump halo2 dependency to include pasta_curves extraction
2021-03-18 15:04:07 +13:00
str4d
e737b50a25
Merge pull request #40 from zcash/key-components
...
Orchard key components
2021-03-18 13:44:33 +13:00
str4d
05e86a4d98
Reuse the hasher inside diversify_hash
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-18 13:39:04 +13:00
str4d
51fd94df72
Fix section numbers after spec changes
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-18 13:38:11 +13:00
Jack Grigg
861eec1765
Document sinsemilla::Pad
2021-03-18 08:30:22 +13:00
Jack Grigg
42ea809b64
Update protocol spec references
2021-03-18 08:30:22 +13:00
Jack Grigg
e0417268ad
Make address generation infallible again
...
DiversifyHash is altered to replace the identity with another fixed
point that is known to not be the identity.
2021-03-18 08:30:22 +13:00
Jack Grigg
8e55b46dbf
Deduplicate default address generation
2021-03-16 10:01:50 +13:00
Jack Grigg
3c8befa0f3
Remove TODO from extract_p
...
The protocol spec now returns \mathbb{P}_x instead of a bit sequence,
matching what we do here.
2021-03-16 09:36:59 +13:00
Jack Grigg
46bf89c122
Update ivk derivation to match latest protocol spec draft
2021-03-16 09:33:07 +13:00
Jack Grigg
e0b40cb3cb
FullViewingKey::address_at(impl Into<DiversifierIndex>)
...
This is a more usable API, which we can use when we have the full
viewing key and can obtain the DiversifierKey.
2021-03-16 09:20:45 +13:00
Jack Grigg
e98f324d7d
Ensure diversify_hash does not return the identity
...
This makes diversified address generation fallible (though with
negligible probability). We expose this to users, so they can decide how
to handle it (either just unwrapping, or incrementing the diversifier
index).
We alter spending key construction to reject spending keys that would
not result in a default address (with diversifier index 0).
2021-03-16 09:03:44 +13:00
Jack Grigg
f7cad7762a
Add clarifying note about nomenclature
...
There's no point in documenting everything as being an Orchard whizzbang.
We are in the `orchard` crate, so the context should be obvious. This
also fits with the standard Rust naming guideline of not duplicating
module names in type name prefixes (`foo::bar::BarThing`).
2021-03-09 10:39:02 +13:00
Jack Grigg
2462bb219b
Use [u8; 64] as the output of prf_expand to match the spec
2021-03-09 10:33:56 +13:00
Jack Grigg
cef44f5f53
Fix intra-crate doc links
2021-03-09 09:27:34 +13:00
Jack Grigg
bf5fb7a668
Add missing spec links to key docs
2021-03-09 09:22:38 +13:00