Merge pull request #276 from daira/edwards-naming-cleanups

Edwards naming cleanups
This commit is contained in:
str4d 2020-08-22 19:26:04 +12:00 committed by GitHub
commit 8b6c8143a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 372 additions and 364 deletions


@ -1005,19 +1005,19 @@ mod tests {
assert_eq!(tree.size(), 0);
let mut witnesses = vec![];
let mut last_cm = None;
let mut last_cmu = None;
let mut paths_i = 0;
let mut witness_ser_i = 0;
for i in 0..16 {
let cm = hex::decode(commitments[i]).unwrap();
let cmu = hex::decode(commitments[i]).unwrap();
let cm = Node::new(cm[..].try_into().unwrap());
let cmu = Node::new(cmu[..].try_into().unwrap());
// Witness here
witnesses.push((TestIncrementalWitness::from_tree(&tree), last_cm));
witnesses.push((TestIncrementalWitness::from_tree(&tree), last_cmu));
// Now append a commitment to the tree
assert!(tree.append(cm).is_ok());
assert!(tree.append(cmu).is_ok());
// Size incremented by one.
assert_eq!(tree.size(), i + 1);
@ -1030,7 +1030,7 @@ mod tests {
for (witness, leaf) in witnesses.as_mut_slice() {
// Append the same commitment to all the witnesses
assert!(witness.append(cm).is_ok());
assert!(witness.append(cmu).is_ok());
if let Some(leaf) = leaf {
let path = witness.path().expect("should be able to create a path");
@ -1054,7 +1054,7 @@ mod tests {
assert_eq!(witness.root(), tree.root());
}
last_cm = Some(cm);
last_cmu = Some(cmu);
}
// Tree should be full now


@ -216,7 +216,7 @@ pub fn prf_ock(
///
/// let enc = SaplingNoteEncryption::new(ovk, note, to, Memo::default(), &mut rng);
/// let encCiphertext = enc.encrypt_note_plaintext();
/// let outCiphertext = enc.encrypt_outgoing_plaintext(&cv.cm().into(), &cmu);
/// let outCiphertext = enc.encrypt_outgoing_plaintext(&cv.commitment().into(), &cmu);
/// ```
pub struct SaplingNoteEncryption {
epk: jubjub::SubgroupPoint,
@ -820,7 +820,7 @@ mod tests {
value,
randomness: jubjub::Fr::random(&mut rng),
};
let cv = value_commitment.cm().into();
let cv = value_commitment.commitment().into();
let rseed = generate_random_rseed::<TestNetwork, R>(height, &mut rng);


@ -129,8 +129,8 @@ pub mod test {
pub struct TestVector<'a> {
pub personalization: Personalization,
pub input_bits: Vec<u8>,
pub hash_x: &'a str,
pub hash_y: &'a str,
pub hash_u: &'a str,
pub hash_v: &'a str,
}
#[test]
@ -151,8 +151,8 @@ pub mod test {
))
.to_affine();
assert_eq!(p.get_u().to_string(), v.hash_x);
assert_eq!(p.get_v().to_string(), v.hash_y);
assert_eq!(p.get_u().to_string(), v.hash_u);
assert_eq!(p.get_v().to_string(), v.hash_v);
}
}
}


@ -25,7 +25,7 @@ pub struct ValueCommitment {
}
impl ValueCommitment {
pub fn cm(&self) -> jubjub::SubgroupPoint {
pub fn commitment(&self) -> jubjub::SubgroupPoint {
(constants::VALUE_COMMITMENT_VALUE_GENERATOR * jubjub::Fr::from(self.value))
+ (constants::VALUE_COMMITMENT_RANDOMNESS_GENERATOR * self.randomness)
}
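Review bot: Renaming the public `cm()` method on `ValueCommitment` with no fallback is a breaking change for any downstream crate that calls `ValueCommitment::cm`, and this hunk removes the old name outright. Keeping a thin deprecated alias next to the new method lets callers migrate over a release cycle: `#[deprecated(note = "renamed to commitment()")] pub fn cm(&self) -> jubjub::SubgroupPoint { self.commitment() }`. If this crate's API is not yet considered stable, a changelog entry naming the rename would be an acceptable alternative. The enclosing `impl ValueCommitment` block continues past the end of the hunk.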


@ -103,7 +103,7 @@ pub(crate) mod mock {
value,
randomness: jubjub::Fr::random(&mut rng),
}
.cm()
.commitment()
.into();
let rk = PublicKey(proof_generation_key.ak.clone().into())
@ -126,7 +126,7 @@ pub(crate) mod mock {
value,
randomness: jubjub::Fr::random(&mut rng),
}
.cm()
.commitment()
.into();
([0u8; GROTH_PROOF_SIZE], cv)


@ -7,26 +7,26 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
TestVector {
personalization: Personalization::NoteCommitment,
input_bits: vec![1, 1, 1, 1, 1, 1],
hash_x: "0x06b1187c11ca4fb4383b2e0d0dbbde3ad3617338b5029187ec65a5eaed5e4d0b",
hash_y: "0x3ce70f536652f0dea496393a1e55c4e08b9d55508e16d11e5db40d4810cbc982",
hash_u: "0x06b1187c11ca4fb4383b2e0d0dbbde3ad3617338b5029187ec65a5eaed5e4d0b",
hash_v: "0x3ce70f536652f0dea496393a1e55c4e08b9d55508e16d11e5db40d4810cbc982",
},
TestVector {
personalization: Personalization::NoteCommitment,
input_bits: vec![1, 1, 1, 1, 1, 1, 0],
hash_x: "0x2fc3bc454c337f71d4f04f86304262fcbfc9ecd808716b92fc42cbe6827f7f1a",
hash_y: "0x46d0d25bf1a654eedc6a9b1e5af398925113959feac31b7a2c036ff9b9ec0638",
hash_u: "0x2fc3bc454c337f71d4f04f86304262fcbfc9ecd808716b92fc42cbe6827f7f1a",
hash_v: "0x46d0d25bf1a654eedc6a9b1e5af398925113959feac31b7a2c036ff9b9ec0638",
},
TestVector {
personalization: Personalization::NoteCommitment,
input_bits: vec![1, 1, 1, 1, 1, 1, 1],
hash_x: "0x4f8ce0e0a9e674b3ab9606a7d7aefba386e81583d81918127814cde41d209d97",
hash_y: "0x312b5ab93b14c9b9af334fe1fe3c50fffb53fbd074fa40ca600febde7c97e346",
hash_u: "0x4f8ce0e0a9e674b3ab9606a7d7aefba386e81583d81918127814cde41d209d97",
hash_v: "0x312b5ab93b14c9b9af334fe1fe3c50fffb53fbd074fa40ca600febde7c97e346",
},
TestVector {
personalization: Personalization::NoteCommitment,
input_bits: vec![1, 1, 1, 1, 1, 1, 1, 0, 0],
hash_x: "0x4f8ce0e0a9e674b3ab9606a7d7aefba386e81583d81918127814cde41d209d97",
hash_y: "0x312b5ab93b14c9b9af334fe1fe3c50fffb53fbd074fa40ca600febde7c97e346",
hash_u: "0x4f8ce0e0a9e674b3ab9606a7d7aefba386e81583d81918127814cde41d209d97",
hash_v: "0x312b5ab93b14c9b9af334fe1fe3c50fffb53fbd074fa40ca600febde7c97e346",
},
TestVector {
personalization: Personalization::NoteCommitment,
@ -39,8 +39,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1,
0, 1, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0,
],
hash_x: "0x599ab788360ae8c6d5bb7618aec37056d6227408d857fdc394078a3d7afdfe0f",
hash_y: "0x4320c373da670e28d168f4ffd72b43208e8c815f40841682c57a3ee1d005a527",
hash_u: "0x599ab788360ae8c6d5bb7618aec37056d6227408d857fdc394078a3d7afdfe0f",
hash_v: "0x4320c373da670e28d168f4ffd72b43208e8c815f40841682c57a3ee1d005a527",
},
TestVector {
personalization: Personalization::NoteCommitment,
@ -53,8 +53,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 0, 1, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0,
1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0,
],
hash_x: "0x2da510317620f5dfdce1f31db6019f947eedcf02ff2972cff597a5c3ad21f5dd",
hash_y: "0x198789969c0c33e6c359b9da4a51771f4d50863f36beef90436944fe568399f2",
hash_u: "0x2da510317620f5dfdce1f31db6019f947eedcf02ff2972cff597a5c3ad21f5dd",
hash_v: "0x198789969c0c33e6c359b9da4a51771f4d50863f36beef90436944fe568399f2",
},
TestVector {
personalization: Personalization::NoteCommitment,
@ -67,8 +67,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0,
0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1,
],
hash_x: "0x601247c7e640992d193dfb51df6ed93446687a7f2bcd0e4a598e6feb1ef20c40",
hash_y: "0x371931733b73e7b95c2cad55a6cebd15c83619f697c64283e54e5ef61442a743",
hash_u: "0x601247c7e640992d193dfb51df6ed93446687a7f2bcd0e4a598e6feb1ef20c40",
hash_v: "0x371931733b73e7b95c2cad55a6cebd15c83619f697c64283e54e5ef61442a743",
},
TestVector {
personalization: Personalization::NoteCommitment,
@ -101,8 +101,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1,
1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1,
],
hash_x: "0x314192ecb1f2d8806a8108704c875a25d9fb7e444f9f373919adedebe8f2ae27",
hash_y: "0x6b12b32f1372ad574799dee9eb591d961b704bf611f55fcc71f7e82cd3330b74",
hash_u: "0x314192ecb1f2d8806a8108704c875a25d9fb7e444f9f373919adedebe8f2ae27",
hash_v: "0x6b12b32f1372ad574799dee9eb591d961b704bf611f55fcc71f7e82cd3330b74",
},
TestVector {
personalization: Personalization::NoteCommitment,
@ -136,8 +136,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1,
0,
],
hash_x: "0x0666c2bce7f362a2b807d212e9a577f116891a932affd7addec39fbf372c494e",
hash_y: "0x6758bccfaf2e47c07756b96edea23aa8d10c33b38220bd1c411af612eeec18ab",
hash_u: "0x0666c2bce7f362a2b807d212e9a577f116891a932affd7addec39fbf372c494e",
hash_v: "0x6758bccfaf2e47c07756b96edea23aa8d10c33b38220bd1c411af612eeec18ab",
},
TestVector {
personalization: Personalization::NoteCommitment,
@ -177,8 +177,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0,
1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1,
],
hash_x: "0x130afe02b99375484efb0998f5331d2178e1d00e803049bb0769099420624f5f",
hash_y: "0x5e2fc6970554ffe358652aa7968ac4fcf3de0c830e6ea492e01a38fafb68cd71",
hash_u: "0x130afe02b99375484efb0998f5331d2178e1d00e803049bb0769099420624f5f",
hash_v: "0x5e2fc6970554ffe358652aa7968ac4fcf3de0c830e6ea492e01a38fafb68cd71",
},
TestVector {
personalization: Personalization::NoteCommitment,
@ -218,32 +218,32 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1,
1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1,
],
hash_x: "0x67914ebd539961b70f468fa23d4cb42133693a8ac57cd35a1e6369fe34fbedf7",
hash_y: "0x44770870c0f0cfe59a10df95d6c21e6f1514a2f464b66377599438c126052d9f",
hash_u: "0x67914ebd539961b70f468fa23d4cb42133693a8ac57cd35a1e6369fe34fbedf7",
hash_v: "0x44770870c0f0cfe59a10df95d6c21e6f1514a2f464b66377599438c126052d9f",
},
TestVector {
personalization: Personalization::MerkleTree(0),
input_bits: vec![0, 0, 0, 0, 0, 0],
hash_x: "0x62454a957289b3930d10f3def0d512cfe0ef3de06421321221af3558de9d481d",
hash_y: "0x0279f0aebfb66e53ff69fba16b6608dbf4319b944432f45c6e69a3dbd1f7b330",
hash_u: "0x62454a957289b3930d10f3def0d512cfe0ef3de06421321221af3558de9d481d",
hash_v: "0x0279f0aebfb66e53ff69fba16b6608dbf4319b944432f45c6e69a3dbd1f7b330",
},
TestVector {
personalization: Personalization::MerkleTree(0),
input_bits: vec![0, 0, 0, 0, 0, 0, 0],
hash_x: "0x283c7880f35179e201161402d9c4556b255917dbbf0142ae60519787d36d4dea",
hash_y: "0x648224408b4b83297cd0feb4cdc4eeb224237734931145432793bcd414228dc4",
hash_u: "0x283c7880f35179e201161402d9c4556b255917dbbf0142ae60519787d36d4dea",
hash_v: "0x648224408b4b83297cd0feb4cdc4eeb224237734931145432793bcd414228dc4",
},
TestVector {
personalization: Personalization::MerkleTree(0),
input_bits: vec![0, 0, 0, 0, 0, 0, 1],
hash_x: "0x1f1086b287636a20063c9614db2de66bb7d49242e88060956a5e5845057f6f5d",
hash_y: "0x6b1b395421dde74d53341caa9e01f39d7a3138efb9b57fc0381f98f4868df622",
hash_u: "0x1f1086b287636a20063c9614db2de66bb7d49242e88060956a5e5845057f6f5d",
hash_v: "0x6b1b395421dde74d53341caa9e01f39d7a3138efb9b57fc0381f98f4868df622",
},
TestVector {
personalization: Personalization::MerkleTree(0),
input_bits: vec![0, 0, 0, 0, 0, 0, 1, 0, 0],
hash_x: "0x1f1086b287636a20063c9614db2de66bb7d49242e88060956a5e5845057f6f5d",
hash_y: "0x6b1b395421dde74d53341caa9e01f39d7a3138efb9b57fc0381f98f4868df622",
hash_u: "0x1f1086b287636a20063c9614db2de66bb7d49242e88060956a5e5845057f6f5d",
hash_v: "0x6b1b395421dde74d53341caa9e01f39d7a3138efb9b57fc0381f98f4868df622",
},
TestVector {
personalization: Personalization::MerkleTree(0),
@ -256,8 +256,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1,
1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0,
],
hash_x: "0x20d2b1b0551efe511755d564f8da4f5bf285fd6051331fa5f129ad95b318f6cd",
hash_y: "0x2834d96950de67ae80e85545f8333c6e14b5cf5be7325dac768f401e6edd9544",
hash_u: "0x20d2b1b0551efe511755d564f8da4f5bf285fd6051331fa5f129ad95b318f6cd",
hash_v: "0x2834d96950de67ae80e85545f8333c6e14b5cf5be7325dac768f401e6edd9544",
},
TestVector {
personalization: Personalization::MerkleTree(0),
@ -270,8 +270,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0,
0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0,
],
hash_x: "0x01f4850a0f40e07186fee1f0a276f52fb12cffe05c18eb2aa18170330a93c555",
hash_y: "0x19b0807358e7c8cba9168815ec54c4cd76997c34c592607d172151c48d5377cb",
hash_u: "0x01f4850a0f40e07186fee1f0a276f52fb12cffe05c18eb2aa18170330a93c555",
hash_v: "0x19b0807358e7c8cba9168815ec54c4cd76997c34c592607d172151c48d5377cb",
},
TestVector {
personalization: Personalization::MerkleTree(0),
@ -284,8 +284,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1,
0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0,
],
hash_x: "0x26dd81a3ffa37452c6a932d41eb4f2e0fedd531e9af8c2a7935b91dff653879d",
hash_y: "0x2fc7aebb729ef5cabf0fb3f883bc2eb2603093850b0ec19c1a3c08b653e7f27f",
hash_u: "0x26dd81a3ffa37452c6a932d41eb4f2e0fedd531e9af8c2a7935b91dff653879d",
hash_v: "0x2fc7aebb729ef5cabf0fb3f883bc2eb2603093850b0ec19c1a3c08b653e7f27f",
},
TestVector {
personalization: Personalization::MerkleTree(0),
@ -318,8 +318,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 1,
1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1,
],
hash_x: "0x1111740552773b00aa6a2334575aa94102cfbd084290a430c90eb56d6db65b85",
hash_y: "0x6560c44b11683c20030626f89456f78a53ae8a89f565956a98ffc554b48fbb1a",
hash_u: "0x1111740552773b00aa6a2334575aa94102cfbd084290a430c90eb56d6db65b85",
hash_v: "0x6560c44b11683c20030626f89456f78a53ae8a89f565956a98ffc554b48fbb1a",
},
TestVector {
personalization: Personalization::MerkleTree(0),
@ -353,8 +353,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0,
0,
],
hash_x: "0x429349ea9b5f8163bcda3014b3e15554df5173353fd73f315a49360c97265f68",
hash_y: "0x188774bb6de41eba669be5d368942783f937acf2f418385fc5c78479b0a405ee",
hash_u: "0x429349ea9b5f8163bcda3014b3e15554df5173353fd73f315a49360c97265f68",
hash_v: "0x188774bb6de41eba669be5d368942783f937acf2f418385fc5c78479b0a405ee",
},
TestVector {
personalization: Personalization::MerkleTree(0),
@ -394,8 +394,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0,
0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0,
],
hash_x: "0x00e827f3ed136f3c91c61c97ab9b7cca0ea53c20e47abb5e226ede297bdd5f37",
hash_y: "0x315cc00a54972df6a19f650d3fab5f2ad0fb07397bacb6944568618f2aa76bf6",
hash_u: "0x00e827f3ed136f3c91c61c97ab9b7cca0ea53c20e47abb5e226ede297bdd5f37",
hash_v: "0x315cc00a54972df6a19f650d3fab5f2ad0fb07397bacb6944568618f2aa76bf6",
},
TestVector {
personalization: Personalization::MerkleTree(0),
@ -435,32 +435,32 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1,
1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0,
],
hash_x: "0x3ee50557c4aa9158c4bb9d5961208e6c62f55c73ad7c7695a0eba0bcb6d83d05",
hash_y: "0x1b1a2be6e47688828aeadf2d37db298eac0c2736c2722b227871fdeeee29de33",
hash_u: "0x3ee50557c4aa9158c4bb9d5961208e6c62f55c73ad7c7695a0eba0bcb6d83d05",
hash_v: "0x1b1a2be6e47688828aeadf2d37db298eac0c2736c2722b227871fdeeee29de33",
},
TestVector {
personalization: Personalization::MerkleTree(34),
input_bits: vec![0, 1, 0, 0, 0, 1],
hash_x: "0x61f8e2cb8e945631677b450d5e5669bc6b5f2ec69b321ac550dbe74525d7ac9a",
hash_y: "0x4e11951ab9c9400ee38a18bd98cdb9453f1f67141ee9d9bf0c1c157d4fb34f9a",
hash_u: "0x61f8e2cb8e945631677b450d5e5669bc6b5f2ec69b321ac550dbe74525d7ac9a",
hash_v: "0x4e11951ab9c9400ee38a18bd98cdb9453f1f67141ee9d9bf0c1c157d4fb34f9a",
},
TestVector {
personalization: Personalization::MerkleTree(34),
input_bits: vec![0, 1, 0, 0, 0, 1, 0],
hash_x: "0x27fa1e296c37dde8448483ce5485c2604d1d830e53812246299773a02ecd519c",
hash_y: "0x08e499113675202cb42b4b681a31430814edebd72c5bb3bc3bfedf91fb0605df",
hash_u: "0x27fa1e296c37dde8448483ce5485c2604d1d830e53812246299773a02ecd519c",
hash_v: "0x08e499113675202cb42b4b681a31430814edebd72c5bb3bc3bfedf91fb0605df",
},
TestVector {
personalization: Personalization::MerkleTree(34),
input_bits: vec![0, 1, 0, 0, 0, 1, 1],
hash_x: "0x52112dd7a4293d049bb011683244a0f957e6ba95e1d1cf2fb6654d449a6d3fbc",
hash_y: "0x2ae14ecd81bb5b4489d2d64b5d2eb92a684087b28dd9a4950ecdb78c014e178c",
hash_u: "0x52112dd7a4293d049bb011683244a0f957e6ba95e1d1cf2fb6654d449a6d3fbc",
hash_v: "0x2ae14ecd81bb5b4489d2d64b5d2eb92a684087b28dd9a4950ecdb78c014e178c",
},
TestVector {
personalization: Personalization::MerkleTree(34),
input_bits: vec![0, 1, 0, 0, 0, 1, 1, 0, 0],
hash_x: "0x52112dd7a4293d049bb011683244a0f957e6ba95e1d1cf2fb6654d449a6d3fbc",
hash_y: "0x2ae14ecd81bb5b4489d2d64b5d2eb92a684087b28dd9a4950ecdb78c014e178c",
hash_u: "0x52112dd7a4293d049bb011683244a0f957e6ba95e1d1cf2fb6654d449a6d3fbc",
hash_v: "0x2ae14ecd81bb5b4489d2d64b5d2eb92a684087b28dd9a4950ecdb78c014e178c",
},
TestVector {
personalization: Personalization::MerkleTree(34),
@ -473,8 +473,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0,
0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0,
],
hash_x: "0x544a0b44c35dca64ee806d1af70b7c44134e5d86efed413947657ffd71adf9b2",
hash_y: "0x5ddc5dbf12abbbc5561defd3782a32f450b3c398f52ff4629677e59e86e3ab31",
hash_u: "0x544a0b44c35dca64ee806d1af70b7c44134e5d86efed413947657ffd71adf9b2",
hash_v: "0x5ddc5dbf12abbbc5561defd3782a32f450b3c398f52ff4629677e59e86e3ab31",
},
TestVector {
personalization: Personalization::MerkleTree(34),
@ -487,8 +487,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1,
1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1,
],
hash_x: "0x6cb6490ccb0ca9ccd657146f58a7b800bc4fb2556ee37861227ee8fda724acfb",
hash_y: "0x05c6fe100926f5cc441e54e72f024b6b12c907f2ec5680335057896411984c9f",
hash_u: "0x6cb6490ccb0ca9ccd657146f58a7b800bc4fb2556ee37861227ee8fda724acfb",
hash_v: "0x05c6fe100926f5cc441e54e72f024b6b12c907f2ec5680335057896411984c9f",
},
TestVector {
personalization: Personalization::MerkleTree(34),
@ -501,8 +501,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1,
0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0,
],
hash_x: "0x40901e2175cb7f06a00c676d54d90e59fd448f11cbbc5eb517f9fea74b795ce2",
hash_y: "0x42d512891f91087310c9bc630c8d0ecc014596f884fd6df55dada8195ed726de",
hash_u: "0x40901e2175cb7f06a00c676d54d90e59fd448f11cbbc5eb517f9fea74b795ce2",
hash_v: "0x42d512891f91087310c9bc630c8d0ecc014596f884fd6df55dada8195ed726de",
},
TestVector {
personalization: Personalization::MerkleTree(34),
@ -535,8 +535,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1,
0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1,
],
hash_x: "0x66a433542419f1a086ed0663b0e8df2ece9a04065f147896976baba1a916b6dc",
hash_y: "0x203bd3672522e1d3c86fa6b9f3b58f20199a4216adfd40982add13a856f6f3de",
hash_u: "0x66a433542419f1a086ed0663b0e8df2ece9a04065f147896976baba1a916b6dc",
hash_v: "0x203bd3672522e1d3c86fa6b9f3b58f20199a4216adfd40982add13a856f6f3de",
},
TestVector {
personalization: Personalization::MerkleTree(34),
@ -570,8 +570,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0,
1,
],
hash_x: "0x119db3b38086c1a3c6c6f53c529ee62d9311d69c2d8aeeafa6e172e650d3afda",
hash_y: "0x72287540be7d2b0f58f5c73eaa53c55bea6b79dd79873b4e47cc11787bb9a15d",
hash_u: "0x119db3b38086c1a3c6c6f53c529ee62d9311d69c2d8aeeafa6e172e650d3afda",
hash_v: "0x72287540be7d2b0f58f5c73eaa53c55bea6b79dd79873b4e47cc11787bb9a15d",
},
TestVector {
personalization: Personalization::MerkleTree(34),
@ -611,8 +611,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1,
1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0,
],
hash_x: "0x446efdcf89b70ba2b03427a0893008181d0fc4e76b84b1a500d7ee523c8e3666",
hash_y: "0x125ee0048efb0372b92c3c15d51a7c5c77a712054cc4fdd0774563da46ec7289",
hash_u: "0x446efdcf89b70ba2b03427a0893008181d0fc4e76b84b1a500d7ee523c8e3666",
hash_v: "0x125ee0048efb0372b92c3c15d51a7c5c77a712054cc4fdd0774563da46ec7289",
},
TestVector {
personalization: Personalization::MerkleTree(34),
@ -652,8 +652,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0,
1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1,
],
hash_x: "0x72723bf0573bcb4b72d4184cfeb707d9556b7f705f56a4652707a36f2edf10f7",
hash_y: "0x3a7f0999a6a1393bd49fc82302e7352e01176fbebb0192bf5e6ef39eb8c585ad",
hash_u: "0x72723bf0573bcb4b72d4184cfeb707d9556b7f705f56a4652707a36f2edf10f7",
hash_v: "0x3a7f0999a6a1393bd49fc82302e7352e01176fbebb0192bf5e6ef39eb8c585ad",
},
TestVector {
personalization: Personalization::MerkleTree(27),
@ -666,8 +666,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0,
1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0,
],
hash_x: "0x414f6ba05f6b92da1f9051950769e1083d05615def32b016ae424309828a11f4",
hash_y: "0x471d2109656afcb96d0609b371b132b97efcf72c6051064dd19fdc004799bfa9",
hash_u: "0x414f6ba05f6b92da1f9051950769e1083d05615def32b016ae424309828a11f4",
hash_v: "0x471d2109656afcb96d0609b371b132b97efcf72c6051064dd19fdc004799bfa9",
},
TestVector {
personalization: Personalization::MerkleTree(36),
@ -680,8 +680,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1,
0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1,
],
hash_x: "0x62d6fe1e373225a5695f3115aed8265c59e2d6275ceef6bbc53fde3fc6594024",
hash_y: "0x407275be7d5a4c48204c8d83f5b211d09a2f285d4f0f87a928d4de9a6338e1d1",
hash_u: "0x62d6fe1e373225a5695f3115aed8265c59e2d6275ceef6bbc53fde3fc6594024",
hash_v: "0x407275be7d5a4c48204c8d83f5b211d09a2f285d4f0f87a928d4de9a6338e1d1",
},
TestVector {
personalization: Personalization::MerkleTree(0),
@ -694,8 +694,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
],
hash_x: "0x1116a934f26b57a2c9daa6f25ac9b1a8f9dacddba30f65433ac021bf39a6bfdd",
hash_y: "0x407275be7d5a4c48204c8d83f5b211d09a2f285d4f0f87a928d4de9a6338e1d1",
hash_u: "0x1116a934f26b57a2c9daa6f25ac9b1a8f9dacddba30f65433ac021bf39a6bfdd",
hash_v: "0x407275be7d5a4c48204c8d83f5b211d09a2f285d4f0f87a928d4de9a6338e1d1",
},
TestVector {
personalization: Personalization::NoteCommitment,
@ -708,8 +708,8 @@ pub fn get_vectors<'a>() -> Vec<TestVector<'a>> {
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
],
hash_x: "0x329e3bb2ca31ea6e13a986730237f6fd16b842a510cbabe851bdbcf57d75ee0d",
hash_y: "0x471d2109656afcb96d0609b371b132b97efcf72c6051064dd19fdc004799bfa9",
hash_u: "0x329e3bb2ca31ea6e13a986730237f6fd16b842a510cbabe851bdbcf57d75ee0d",
hash_v: "0x471d2109656afcb96d0609b371b132b97efcf72c6051064dd19fdc004799bfa9",
},
];
}


@ -368,14 +368,14 @@ impl<P: consensus::Parameters, R: RngCore + CryptoRng> Builder<P, R> {
merkle_path: MerklePath<Node>,
) -> Result<(), Error> {
// Consistency check: all anchors must equal the first one
let cm = Node::new(note.cmu().into());
let cmu = Node::new(note.cmu().into());
if let Some(anchor) = self.anchor {
let path_root: bls12_381::Scalar = merkle_path.root(cm).into();
let path_root: bls12_381::Scalar = merkle_path.root(cmu).into();
if path_root != anchor {
return Err(Error::AnchorMismatch);
}
} else {
self.anchor = Some(merkle_path.root(cm).into())
self.anchor = Some(merkle_path.root(cmu).into())
}
let alpha = jubjub::Fr::random(&mut self.rng);


@ -18,8 +18,8 @@ use crate::constants::{FixedGenerator, EDWARDS_D, MONTGOMERY_A, MONTGOMERY_SCALE
#[derive(Clone)]
pub struct EdwardsPoint {
x: AllocatedNum<bls12_381::Scalar>,
y: AllocatedNum<bls12_381::Scalar>,
u: AllocatedNum<bls12_381::Scalar>,
v: AllocatedNum<bls12_381::Scalar>,
}
/// Perform a fixed-base scalar multiplication with
@ -49,13 +49,14 @@ where
.cloned()
.unwrap_or_else(|| Boolean::constant(false));
let (x, y) = lookup3_xy(
// TODO: rename to lookup3_uv
let (u, v) = lookup3_xy(
cs.namespace(|| format!("window table lookup {}", i)),
&[chunk_a, chunk_b, chunk_c],
window,
)?;
let p = EdwardsPoint { x, y };
let p = EdwardsPoint { u, v };
if result.is_none() {
result = Some(p);
@ -72,12 +73,12 @@ where
}
impl EdwardsPoint {
pub fn get_x(&self) -> &AllocatedNum<bls12_381::Scalar> {
&self.x
pub fn get_u(&self) -> &AllocatedNum<bls12_381::Scalar> {
&self.u
}
pub fn get_y(&self) -> &AllocatedNum<bls12_381::Scalar> {
&self.y
pub fn get_v(&self) -> &AllocatedNum<bls12_381::Scalar> {
&self.v
}
pub fn assert_not_small_order<CS>(&self, mut cs: CS) -> Result<(), SynthesisError>
@ -90,9 +91,9 @@ impl EdwardsPoint {
// (0, -1) is a small order point, but won't ever appear here
// because cofactor is 2^3, and we performed three doublings.
// (0, 1) is the neutral element, so checking if x is nonzero
// (0, 1) is the neutral element, so checking if u is nonzero
// is sufficient to prevent small order points here.
tmp.x.assert_nonzero(cs.namespace(|| "check x != 0"))?;
tmp.u.assert_nonzero(cs.namespace(|| "check u != 0"))?;
Ok(())
}
@ -101,8 +102,8 @@ impl EdwardsPoint {
where
CS: ConstraintSystem<bls12_381::Scalar>,
{
self.x.inputize(cs.namespace(|| "x"))?;
self.y.inputize(cs.namespace(|| "y"))?;
self.u.inputize(cs.namespace(|| "u"))?;
self.v.inputize(cs.namespace(|| "v"))?;
Ok(())
}
@ -114,12 +115,12 @@ impl EdwardsPoint {
{
let mut tmp = vec![];
let x = self.x.to_bits_le_strict(cs.namespace(|| "unpack x"))?;
let u = self.u.to_bits_le_strict(cs.namespace(|| "unpack u"))?;
let y = self.y.to_bits_le_strict(cs.namespace(|| "unpack y"))?;
let v = self.v.to_bits_le_strict(cs.namespace(|| "unpack v"))?;
tmp.extend(y);
tmp.push(x[0].clone());
tmp.extend(v);
tmp.push(u[0].clone());
Ok(tmp)
}
@ -132,13 +133,13 @@ impl EdwardsPoint {
{
let p = p.map(|p| p.to_affine());
// Allocate x
let x = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(p.get()?.get_u()))?;
// Allocate u
let u = AllocatedNum::alloc(cs.namespace(|| "u"), || Ok(p.get()?.get_u()))?;
// Allocate y
let y = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(p.get()?.get_v()))?;
// Allocate v
let v = AllocatedNum::alloc(cs.namespace(|| "v"), || Ok(p.get()?.get_v()))?;
Self::interpret(cs.namespace(|| "point interpretation"), &x, &y)
Self::interpret(cs.namespace(|| "point interpretation"), &u, &v)
}
/// Returns `self` if condition is true, and the neutral
@ -151,48 +152,48 @@ impl EdwardsPoint {
where
CS: ConstraintSystem<bls12_381::Scalar>,
{
// Compute x' = self.x if condition, and 0 otherwise
let x_prime = AllocatedNum::alloc(cs.namespace(|| "x'"), || {
// Compute u' = self.u if condition, and 0 otherwise
let u_prime = AllocatedNum::alloc(cs.namespace(|| "u'"), || {
if *condition.get_value().get()? {
Ok(*self.x.get_value().get()?)
Ok(*self.u.get_value().get()?)
} else {
Ok(bls12_381::Scalar::zero())
}
})?;
// condition * x = x'
// if condition is 0, x' must be 0
// if condition is 1, x' must be x
// condition * u = u'
// if condition is 0, u' must be 0
// if condition is 1, u' must be u
let one = CS::one();
cs.enforce(
|| "x' computation",
|lc| lc + self.x.get_variable(),
|| "u' computation",
|lc| lc + self.u.get_variable(),
|_| condition.lc(one, bls12_381::Scalar::one()),
|lc| lc + x_prime.get_variable(),
|lc| lc + u_prime.get_variable(),
);
// Compute y' = self.y if condition, and 1 otherwise
let y_prime = AllocatedNum::alloc(cs.namespace(|| "y'"), || {
// Compute v' = self.v if condition, and 1 otherwise
let v_prime = AllocatedNum::alloc(cs.namespace(|| "v'"), || {
if *condition.get_value().get()? {
Ok(*self.y.get_value().get()?)
Ok(*self.v.get_value().get()?)
} else {
Ok(bls12_381::Scalar::one())
}
})?;
// condition * y = y' - (1 - condition)
// if condition is 0, y' must be 1
// if condition is 1, y' must be y
// condition * v = v' - (1 - condition)
// if condition is 0, v' must be 1
// if condition is 1, v' must be v
cs.enforce(
|| "y' computation",
|lc| lc + self.y.get_variable(),
|| "v' computation",
|lc| lc + self.v.get_variable(),
|_| condition.lc(one, bls12_381::Scalar::one()),
|lc| lc + y_prime.get_variable() - &condition.not().lc(one, bls12_381::Scalar::one()),
|lc| lc + v_prime.get_variable() - &condition.not().lc(one, bls12_381::Scalar::one()),
);
Ok(EdwardsPoint {
x: x_prime,
y: y_prime,
u: u_prime,
v: v_prime,
})
}
@ -248,29 +249,29 @@ impl EdwardsPoint {
pub fn interpret<CS>(
mut cs: CS,
x: &AllocatedNum<bls12_381::Scalar>,
y: &AllocatedNum<bls12_381::Scalar>,
u: &AllocatedNum<bls12_381::Scalar>,
v: &AllocatedNum<bls12_381::Scalar>,
) -> Result<Self, SynthesisError>
where
CS: ConstraintSystem<bls12_381::Scalar>,
{
// -x^2 + y^2 = 1 + dx^2y^2
// -u^2 + v^2 = 1 + du^2v^2
let x2 = x.square(cs.namespace(|| "x^2"))?;
let y2 = y.square(cs.namespace(|| "y^2"))?;
let x2y2 = x2.mul(cs.namespace(|| "x^2 y^2"), &y2)?;
let u2 = u.square(cs.namespace(|| "u^2"))?;
let v2 = v.square(cs.namespace(|| "v^2"))?;
let u2v2 = u2.mul(cs.namespace(|| "u^2 v^2"), &v2)?;
let one = CS::one();
cs.enforce(
|| "on curve check",
|lc| lc - x2.get_variable() + y2.get_variable(),
|lc| lc - u2.get_variable() + v2.get_variable(),
|lc| lc + one,
|lc| lc + one + (EDWARDS_D, x2y2.get_variable()),
|lc| lc + one + (EDWARDS_D, u2v2.get_variable()),
);
Ok(EdwardsPoint {
x: x.clone(),
y: y.clone(),
u: u.clone(),
v: v.clone(),
})
}
@ -278,13 +279,14 @@ impl EdwardsPoint {
where
CS: ConstraintSystem<bls12_381::Scalar>,
{
// Compute T = (x1 + y1) * (x1 + y1)
// Compute T = (u + v) * (v - EDWARDS_A*u)
// = (u + v) * (u + v)
let t = AllocatedNum::alloc(cs.namespace(|| "T"), || {
let mut t0 = *self.x.get_value().get()?;
t0.add_assign(self.y.get_value().get()?);
let mut t0 = *self.u.get_value().get()?;
t0.add_assign(self.v.get_value().get()?);
let mut t1 = *self.x.get_value().get()?;
t1.add_assign(self.y.get_value().get()?);
let mut t1 = *self.u.get_value().get()?;
t1.add_assign(self.v.get_value().get()?);
t0.mul_assign(&t1);
@ -293,13 +295,13 @@ impl EdwardsPoint {
cs.enforce(
|| "T computation",
|lc| lc + self.x.get_variable() + self.y.get_variable(),
|lc| lc + self.x.get_variable() + self.y.get_variable(),
|lc| lc + self.u.get_variable() + self.v.get_variable(),
|lc| lc + self.u.get_variable() + self.v.get_variable(),
|lc| lc + t.get_variable(),
);
// Compute A = x1 * y1
let a = self.x.mul(cs.namespace(|| "A computation"), &self.y)?;
// Compute A = u * v
let a = self.u.mul(cs.namespace(|| "A computation"), &self.v)?;
// Compute C = d*A*A
let c = AllocatedNum::alloc(cs.namespace(|| "C"), || {
@ -316,8 +318,8 @@ impl EdwardsPoint {
|lc| lc + c.get_variable(),
);
// Compute x3 = (2.A) / (1 + C)
let x3 = AllocatedNum::alloc(cs.namespace(|| "x3"), || {
// Compute u3 = (2.A) / (1 + C)
let u3 = AllocatedNum::alloc(cs.namespace(|| "u3"), || {
let mut t0 = *a.get_value().get()?;
t0 = t0.double();
@ -334,14 +336,15 @@ impl EdwardsPoint {
let one = CS::one();
cs.enforce(
|| "x3 computation",
|| "u3 computation",
|lc| lc + one + c.get_variable(),
|lc| lc + x3.get_variable(),
|lc| lc + u3.get_variable(),
|lc| lc + a.get_variable() + a.get_variable(),
);
// Compute y3 = (U - 2.A) / (1 - C)
let y3 = AllocatedNum::alloc(cs.namespace(|| "y3"), || {
// Compute v3 = (T + (EDWARDS_A-1)*A) / (1 - C)
// = (T - 2.A) / (1 - C)
let v3 = AllocatedNum::alloc(cs.namespace(|| "v3"), || {
let mut t0 = *a.get_value().get()?;
t0 = t0.double().neg();
t0.add_assign(t.get_value().get()?);
@ -358,13 +361,13 @@ impl EdwardsPoint {
})?;
cs.enforce(
|| "y3 computation",
|| "v3 computation",
|lc| lc + one - c.get_variable(),
|lc| lc + y3.get_variable(),
|lc| lc + v3.get_variable(),
|lc| lc + t.get_variable() - a.get_variable() - a.get_variable(),
);
Ok(EdwardsPoint { x: x3, y: y3 })
Ok(EdwardsPoint { u: u3, v: v3 })
}
/// Perform addition between any two points
@ -372,13 +375,15 @@ impl EdwardsPoint {
where
CS: ConstraintSystem<bls12_381::Scalar>,
{
// Compute U = (x1 + y1) * (x2 + y2)
let u = AllocatedNum::alloc(cs.namespace(|| "U"), || {
let mut t0 = *self.x.get_value().get()?;
t0.add_assign(self.y.get_value().get()?);
// Compute U = (u1 + v1) * (v2 - EDWARDS_A*u2)
// = (u1 + v1) * (u2 + v2)
// (In hindsight, U was a poor choice of name.)
let uppercase_u = AllocatedNum::alloc(cs.namespace(|| "U"), || {
let mut t0 = *self.u.get_value().get()?;
t0.add_assign(self.v.get_value().get()?);
let mut t1 = *other.x.get_value().get()?;
t1.add_assign(other.y.get_value().get()?);
let mut t1 = *other.u.get_value().get()?;
t1.add_assign(other.v.get_value().get()?);
t0.mul_assign(&t1);
@ -387,16 +392,16 @@ impl EdwardsPoint {
cs.enforce(
|| "U computation",
|lc| lc + self.x.get_variable() + self.y.get_variable(),
|lc| lc + other.x.get_variable() + other.y.get_variable(),
|lc| lc + u.get_variable(),
|lc| lc + self.u.get_variable() + self.v.get_variable(),
|lc| lc + other.u.get_variable() + other.v.get_variable(),
|lc| lc + uppercase_u.get_variable(),
);
// Compute A = y2 * x1
let a = other.y.mul(cs.namespace(|| "A computation"), &self.x)?;
// Compute A = v2 * u1
let a = other.v.mul(cs.namespace(|| "A computation"), &self.u)?;
// Compute B = x2 * y1
let b = other.x.mul(cs.namespace(|| "B computation"), &self.y)?;
// Compute B = u2 * v1
let b = other.u.mul(cs.namespace(|| "B computation"), &self.v)?;
// Compute C = d*A*B
let c = AllocatedNum::alloc(cs.namespace(|| "C"), || {
@ -414,8 +419,8 @@ impl EdwardsPoint {
|lc| lc + c.get_variable(),
);
// Compute x3 = (A + B) / (1 + C)
let x3 = AllocatedNum::alloc(cs.namespace(|| "x3"), || {
// Compute u3 = (A + B) / (1 + C)
let u3 = AllocatedNum::alloc(cs.namespace(|| "u3"), || {
let mut t0 = *a.get_value().get()?;
t0.add_assign(b.get_value().get()?);
@ -432,15 +437,15 @@ impl EdwardsPoint {
let one = CS::one();
cs.enforce(
|| "x3 computation",
|| "u3 computation",
|lc| lc + one + c.get_variable(),
|lc| lc + x3.get_variable(),
|lc| lc + u3.get_variable(),
|lc| lc + a.get_variable() + b.get_variable(),
);
// Compute y3 = (U - A - B) / (1 - C)
let y3 = AllocatedNum::alloc(cs.namespace(|| "y3"), || {
let mut t0 = *u.get_value().get()?;
// Compute v3 = (U - A - B) / (1 - C)
let v3 = AllocatedNum::alloc(cs.namespace(|| "v3"), || {
let mut t0 = *uppercase_u.get_value().get()?;
t0.sub_assign(a.get_value().get()?);
t0.sub_assign(b.get_value().get()?);
@ -456,13 +461,13 @@ impl EdwardsPoint {
})?;
cs.enforce(
|| "y3 computation",
|| "v3 computation",
|lc| lc + one - c.get_variable(),
|lc| lc + y3.get_variable(),
|lc| lc + u.get_variable() - a.get_variable() - b.get_variable(),
|lc| lc + v3.get_variable(),
|lc| lc + uppercase_u.get_variable() - a.get_variable() - b.get_variable(),
);
Ok(EdwardsPoint { x: x3, y: y3 })
Ok(EdwardsPoint { u: u3, v: v3 })
}
}
@ -522,7 +527,7 @@ impl MontgomeryPoint {
|lc| lc + &self.x.lc(bls12_381::Scalar::one()) - one,
);
Ok(EdwardsPoint { x: u, y: v })
Ok(EdwardsPoint { u, v })
}
/// Interprets an (x, y) pair as a point
@ -534,7 +539,7 @@ impl MontgomeryPoint {
}
/// Performs an affine point addition, not defined for
/// coincident points.
/// points with the same x-coordinate.
pub fn add<CS>(&self, mut cs: CS, other: &Self) -> Result<Self, SynthesisError>
where
CS: ConstraintSystem<bls12_381::Scalar>,
@ -649,8 +654,8 @@ mod test {
let q = p.into_edwards(&mut cs).unwrap();
assert!(cs.is_satisfied());
assert!(q.x.get_value().unwrap() == u);
assert!(q.y.get_value().unwrap() == v);
assert!(q.u.get_value().unwrap() == u);
assert!(q.v.get_value().unwrap() == v);
cs.set("u/num", bls12_381::Scalar::random(rng));
assert_eq!(cs.which_is_unsatisfied().unwrap(), "u computation");
@ -680,35 +685,35 @@ mod test {
let p = p.to_affine();
assert!(cs.is_satisfied());
assert_eq!(q.x.get_value().unwrap(), p.get_u());
assert_eq!(q.y.get_value().unwrap(), p.get_v());
assert_eq!(q.u.get_value().unwrap(), p.get_u());
assert_eq!(q.v.get_value().unwrap(), p.get_v());
}
for _ in 0..100 {
let p = jubjub::ExtendedPoint::random(rng).to_affine();
let (x, y) = (p.get_u(), p.get_v());
let (u, v) = (p.get_u(), p.get_v());
let mut cs = TestConstraintSystem::new();
let numx = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(x)).unwrap();
let numy = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(y)).unwrap();
let numu = AllocatedNum::alloc(cs.namespace(|| "u"), || Ok(u)).unwrap();
let numv = AllocatedNum::alloc(cs.namespace(|| "v"), || Ok(v)).unwrap();
let p = EdwardsPoint::interpret(&mut cs, &numx, &numy).unwrap();
let p = EdwardsPoint::interpret(&mut cs, &numu, &numv).unwrap();
assert!(cs.is_satisfied());
assert_eq!(p.x.get_value().unwrap(), x);
assert_eq!(p.y.get_value().unwrap(), y);
assert_eq!(p.u.get_value().unwrap(), u);
assert_eq!(p.v.get_value().unwrap(), v);
}
// Random (x, y) are unlikely to be on the curve.
// Random (u, v) are unlikely to be on the curve.
for _ in 0..100 {
let x = bls12_381::Scalar::random(rng);
let y = bls12_381::Scalar::random(rng);
let u = bls12_381::Scalar::random(rng);
let v = bls12_381::Scalar::random(rng);
let mut cs = TestConstraintSystem::new();
let numx = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(x)).unwrap();
let numy = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(y)).unwrap();
let numu = AllocatedNum::alloc(cs.namespace(|| "u"), || Ok(u)).unwrap();
let numv = AllocatedNum::alloc(cs.namespace(|| "v"), || Ok(v)).unwrap();
EdwardsPoint::interpret(&mut cs, &numx, &numy).unwrap();
EdwardsPoint::interpret(&mut cs, &numu, &numv).unwrap();
assert_eq!(cs.which_is_unsatisfied().unwrap(), "on curve check");
}
@ -727,7 +732,7 @@ mod test {
let p = zcash_primitives::constants::NOTE_COMMITMENT_RANDOMNESS_GENERATOR;
let s = jubjub::Fr::random(rng);
let q = jubjub::ExtendedPoint::from(p * s).to_affine();
let (x1, y1) = (q.get_u(), q.get_v());
let (u1, v1) = (q.get_u(), q.get_v());
let mut s_bits = BitIterator::<u8, _>::new(s.to_repr()).collect::<Vec<_>>();
s_bits.reverse();
@ -750,8 +755,8 @@ mod test {
)
.unwrap();
assert_eq!(q.x.get_value().unwrap(), x1);
assert_eq!(q.y.get_value().unwrap(), y1);
assert_eq!(q.u.get_value().unwrap(), u1);
assert_eq!(q.v.get_value().unwrap(), v1);
}
}
@ -770,15 +775,15 @@ mod test {
let q = (p * s).to_affine();
let p = p.to_affine();
let (x0, y0) = (p.get_u(), p.get_v());
let (x1, y1) = (q.get_u(), q.get_v());
let (u0, v0) = (p.get_u(), p.get_v());
let (u1, v1) = (q.get_u(), q.get_v());
let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap();
let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap();
let num_u0 = AllocatedNum::alloc(cs.namespace(|| "u0"), || Ok(u0)).unwrap();
let num_v0 = AllocatedNum::alloc(cs.namespace(|| "v0"), || Ok(v0)).unwrap();
let p = EdwardsPoint {
x: num_x0,
y: num_y0,
u: num_u0,
v: num_v0,
};
let mut s_bits = BitIterator::<u8, _>::new(s.to_repr()).collect::<Vec<_>>();
@ -799,9 +804,9 @@ mod test {
assert!(cs.is_satisfied());
assert_eq!(q.x.get_value().unwrap(), x1);
assert_eq!(q.u.get_value().unwrap(), u1);
assert_eq!(q.y.get_value().unwrap(), y1);
assert_eq!(q.v.get_value().unwrap(), v1);
}
}
@ -817,14 +822,14 @@ mod test {
let p = jubjub::ExtendedPoint::random(rng).to_affine();
let (x0, y0) = (p.get_u(), p.get_v());
let (u0, v0) = (p.get_u(), p.get_v());
let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap();
let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap();
let num_u0 = AllocatedNum::alloc(cs.namespace(|| "u0"), || Ok(u0)).unwrap();
let num_v0 = AllocatedNum::alloc(cs.namespace(|| "v0"), || Ok(v0)).unwrap();
let p = EdwardsPoint {
x: num_x0,
y: num_y0,
u: num_u0,
v: num_v0,
};
let mut should_we_select = rng.next_u32() % 2 != 0;
@ -852,21 +857,21 @@ mod test {
assert!(cs.is_satisfied());
if should_we_select {
assert_eq!(q.x.get_value().unwrap(), x0);
assert_eq!(q.y.get_value().unwrap(), y0);
assert_eq!(q.u.get_value().unwrap(), u0);
assert_eq!(q.v.get_value().unwrap(), v0);
cs.set("select/y'/num", bls12_381::Scalar::one());
assert_eq!(cs.which_is_unsatisfied().unwrap(), "select/y' computation");
cs.set("select/x'/num", bls12_381::Scalar::zero());
assert_eq!(cs.which_is_unsatisfied().unwrap(), "select/x' computation");
cs.set("select/v'/num", bls12_381::Scalar::one());
assert_eq!(cs.which_is_unsatisfied().unwrap(), "select/v' computation");
cs.set("select/u'/num", bls12_381::Scalar::zero());
assert_eq!(cs.which_is_unsatisfied().unwrap(), "select/u' computation");
} else {
assert_eq!(q.x.get_value().unwrap(), bls12_381::Scalar::zero());
assert_eq!(q.y.get_value().unwrap(), bls12_381::Scalar::one());
assert_eq!(q.u.get_value().unwrap(), bls12_381::Scalar::zero());
assert_eq!(q.v.get_value().unwrap(), bls12_381::Scalar::one());
cs.set("select/y'/num", x0);
assert_eq!(cs.which_is_unsatisfied().unwrap(), "select/y' computation");
cs.set("select/x'/num", y0);
assert_eq!(cs.which_is_unsatisfied().unwrap(), "select/x' computation");
cs.set("select/v'/num", u0);
assert_eq!(cs.which_is_unsatisfied().unwrap(), "select/v' computation");
cs.set("select/u'/num", v0);
assert_eq!(cs.which_is_unsatisfied().unwrap(), "select/u' computation");
}
}
}
@ -888,51 +893,51 @@ mod test {
let p2 = p2.to_affine();
let p3 = p3.to_affine();
let (x0, y0) = (p1.get_u(), p1.get_v());
let (x1, y1) = (p2.get_u(), p2.get_v());
let (x2, y2) = (p3.get_u(), p3.get_v());
let (u0, v0) = (p1.get_u(), p1.get_v());
let (u1, v1) = (p2.get_u(), p2.get_v());
let (u2, v2) = (p3.get_u(), p3.get_v());
let mut cs = TestConstraintSystem::new();
let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap();
let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap();
let num_u0 = AllocatedNum::alloc(cs.namespace(|| "u0"), || Ok(u0)).unwrap();
let num_v0 = AllocatedNum::alloc(cs.namespace(|| "v0"), || Ok(v0)).unwrap();
let num_x1 = AllocatedNum::alloc(cs.namespace(|| "x1"), || Ok(x1)).unwrap();
let num_y1 = AllocatedNum::alloc(cs.namespace(|| "y1"), || Ok(y1)).unwrap();
let num_u1 = AllocatedNum::alloc(cs.namespace(|| "u1"), || Ok(u1)).unwrap();
let num_v1 = AllocatedNum::alloc(cs.namespace(|| "v1"), || Ok(v1)).unwrap();
let p1 = EdwardsPoint {
x: num_x0,
y: num_y0,
u: num_u0,
v: num_v0,
};
let p2 = EdwardsPoint {
x: num_x1,
y: num_y1,
u: num_u1,
v: num_v1,
};
let p3 = p1.add(cs.namespace(|| "addition"), &p2).unwrap();
assert!(cs.is_satisfied());
assert!(p3.x.get_value().unwrap() == x2);
assert!(p3.y.get_value().unwrap() == y2);
assert!(p3.u.get_value().unwrap() == u2);
assert!(p3.v.get_value().unwrap() == v2);
let u = cs.get("addition/U/num");
let uppercase_u = cs.get("addition/U/num");
cs.set("addition/U/num", bls12_381::Scalar::random(rng));
assert_eq!(cs.which_is_unsatisfied(), Some("addition/U computation"));
cs.set("addition/U/num", u);
cs.set("addition/U/num", uppercase_u);
assert!(cs.is_satisfied());
let x3 = cs.get("addition/x3/num");
cs.set("addition/x3/num", bls12_381::Scalar::random(rng));
assert_eq!(cs.which_is_unsatisfied(), Some("addition/x3 computation"));
cs.set("addition/x3/num", x3);
let u3 = cs.get("addition/u3/num");
cs.set("addition/u3/num", bls12_381::Scalar::random(rng));
assert_eq!(cs.which_is_unsatisfied(), Some("addition/u3 computation"));
cs.set("addition/u3/num", u3);
assert!(cs.is_satisfied());
let y3 = cs.get("addition/y3/num");
cs.set("addition/y3/num", bls12_381::Scalar::random(rng));
assert_eq!(cs.which_is_unsatisfied(), Some("addition/y3 computation"));
cs.set("addition/y3/num", y3);
let v3 = cs.get("addition/v3/num");
cs.set("addition/v3/num", bls12_381::Scalar::random(rng));
assert_eq!(cs.which_is_unsatisfied(), Some("addition/v3 computation"));
cs.set("addition/v3/num", v3);
assert!(cs.is_satisfied());
}
}
@ -951,25 +956,25 @@ mod test {
let p1 = p1.to_affine();
let p2 = p2.to_affine();
let (x0, y0) = (p1.get_u(), p1.get_v());
let (x1, y1) = (p2.get_u(), p2.get_v());
let (u0, v0) = (p1.get_u(), p1.get_v());
let (u1, v1) = (p2.get_u(), p2.get_v());
let mut cs = TestConstraintSystem::new();
let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap();
let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap();
let num_u0 = AllocatedNum::alloc(cs.namespace(|| "u0"), || Ok(u0)).unwrap();
let num_v0 = AllocatedNum::alloc(cs.namespace(|| "v0"), || Ok(v0)).unwrap();
let p1 = EdwardsPoint {
x: num_x0,
y: num_y0,
u: num_u0,
v: num_v0,
};
let p2 = p1.double(cs.namespace(|| "doubling")).unwrap();
assert!(cs.is_satisfied());
assert!(p2.x.get_value().unwrap() == x1);
assert!(p2.y.get_value().unwrap() == y1);
assert!(p2.u.get_value().unwrap() == u1);
assert!(p2.v.get_value().unwrap() == v1);
}
}
@ -1039,12 +1044,12 @@ mod test {
assert!(p.assert_not_small_order(&mut cs).is_err() == is_small_order);
};
let check_small_order_from_strs = |x, y| {
let (x, y) = (
bls12_381::Scalar::from_str(x).unwrap(),
bls12_381::Scalar::from_str(y).unwrap(),
let check_small_order_from_strs = |u, v| {
let (u, v) = (
bls12_381::Scalar::from_str(u).unwrap(),
bls12_381::Scalar::from_str(v).unwrap(),
);
let p = jubjub::AffinePoint::from_raw_unchecked(x, y);
let p = jubjub::AffinePoint::from_raw_unchecked(u, v);
check_small_order_from_p(p.into(), true);
};
@ -1059,10 +1064,10 @@ mod test {
.unwrap();
let largest_small_subgroup_order = jubjub::Fr::from_str("8").unwrap();
let (zero_x, zero_y) = (bls12_381::Scalar::zero(), bls12_381::Scalar::one());
let (zero_u, zero_v) = (bls12_381::Scalar::zero(), bls12_381::Scalar::one());
// generator for jubjub
let (x, y) = (
let (u, v) = (
bls12_381::Scalar::from_str(
"11076627216317271660298050606127911965867021807910416450833192264015104452986",
)
@ -1072,7 +1077,7 @@ mod test {
)
.unwrap(),
);
let g = jubjub::AffinePoint::from_raw_unchecked(x, y).into();
let g = jubjub::AffinePoint::from_raw_unchecked(u, v).into();
check_small_order_from_p(g, false);
// generator for the prime subgroup
@ -1081,11 +1086,11 @@ mod test {
let prime_subgroup_order_minus_1 = prime_subgroup_order - jubjub::Fr::one();
let should_not_be_zero = g_prime * prime_subgroup_order_minus_1;
assert_ne!(zero_x, should_not_be_zero.to_affine().get_u());
assert_ne!(zero_y, should_not_be_zero.to_affine().get_v());
assert_ne!(zero_u, should_not_be_zero.to_affine().get_u());
assert_ne!(zero_v, should_not_be_zero.to_affine().get_v());
let should_be_zero = should_not_be_zero + g_prime;
assert_eq!(zero_x, should_be_zero.to_affine().get_u());
assert_eq!(zero_y, should_be_zero.to_affine().get_v());
assert_eq!(zero_u, should_be_zero.to_affine().get_u());
assert_eq!(zero_v, should_be_zero.to_affine().get_v());
// generator for the small order subgroup
let g_small = g * prime_subgroup_order_minus_1;
@ -1096,12 +1101,12 @@ mod test {
let largest_small_subgroup_order_minus_1 = largest_small_subgroup_order - jubjub::Fr::one();
let should_not_be_zero = g_small * largest_small_subgroup_order_minus_1;
assert_ne!(zero_x, should_not_be_zero.to_affine().get_u());
assert_ne!(zero_y, should_not_be_zero.to_affine().get_v());
assert_ne!(zero_u, should_not_be_zero.to_affine().get_u());
assert_ne!(zero_v, should_not_be_zero.to_affine().get_v());
let should_be_zero = should_not_be_zero + g_small;
assert_eq!(zero_x, should_be_zero.to_affine().get_u());
assert_eq!(zero_y, should_be_zero.to_affine().get_v());
assert_eq!(zero_u, should_be_zero.to_affine().get_u());
assert_eq!(zero_v, should_be_zero.to_affine().get_v());
// take all the points from the script
// assert should be different than multiplying by cofactor, which is the solution


@ -234,8 +234,8 @@ mod test {
))
.to_affine();
assert_eq!(res.get_x().get_value().unwrap(), expected.get_u());
assert_eq!(res.get_y().get_value().unwrap(), expected.get_v());
assert_eq!(res.get_u().get_value().unwrap(), expected.get_u());
assert_eq!(res.get_v().get_value().unwrap(), expected.get_v());
// Test against the output of a different personalization
let unexpected = jubjub::ExtendedPoint::from(pedersen_hash::pedersen_hash(
@ -244,8 +244,8 @@ mod test {
))
.to_affine();
assert!(res.get_x().get_value().unwrap() != unexpected.get_u());
assert!(res.get_y().get_value().unwrap() != unexpected.get_v());
assert!(res.get_u().get_value().unwrap() != unexpected.get_u());
assert!(res.get_v().get_value().unwrap() != unexpected.get_v());
}
}
}
@ -257,11 +257,11 @@ mod test {
0xbc, 0xe5,
]);
let expected_xs = [
let expected_us = [
"28161926966428986673895580777285905189725480206811328272001879986576840909576",
"39669831794597628158501766225645040955899576179071014703006420393381978263045",
];
let expected_ys = [
let expected_vs = [
"26869991781071974894722407757894142583682396277979904369818887810555917099932",
"2112827187110048608327330788910224944044097981650120385961435904443901436107",
];
@ -291,12 +291,12 @@ mod test {
assert!(cs.is_satisfied());
assert_eq!(
res.get_x().get_value().unwrap(),
bls12_381::Scalar::from_str(expected_xs[length - 300]).unwrap()
res.get_u().get_value().unwrap(),
bls12_381::Scalar::from_str(expected_us[length - 300]).unwrap()
);
assert_eq!(
res.get_y().get_value().unwrap(),
bls12_381::Scalar::from_str(expected_ys[length - 300]).unwrap()
res.get_v().get_value().unwrap(),
bls12_381::Scalar::from_str(expected_vs[length - 300]).unwrap()
);
}
}


@ -153,9 +153,9 @@ impl Circuit<bls12_381::Scalar> for Spend {
)?;
// NB: We don't ensure that the bit representation of nsk
// is "in the field" (Fs) because it's not used except to
// demonstrate the prover knows it. If they know a
// congruency then that's equivalent.
// is "in the field" (jubjub::Fr) because it's not used
// except to demonstrate the prover knows it. If they know
// a congruency then that's equivalent.
// Compute nk = [nsk] ProvingPublicKey
nk = ecc::fixed_base_multiplication(
@ -287,7 +287,7 @@ impl Circuit<bls12_381::Scalar> for Spend {
// This is an injective encoding, as cur is a
// point in the prime order subgroup.
let mut cur = cm.get_x().clone();
let mut cur = cm.get_u().clone();
// Ascend the merkle tree authentication path
for (i, e) in self.auth_path.into_iter().enumerate() {
@ -309,7 +309,7 @@ impl Circuit<bls12_381::Scalar> for Spend {
num::AllocatedNum::alloc(cs.namespace(|| "path element"), || Ok(e.get()?.0))?;
// Swap the two if the current subtree is on the right
let (xl, xr) = num::AllocatedNum::conditionally_reverse(
let (ul, ur) = num::AllocatedNum::conditionally_reverse(
cs.namespace(|| "conditional reversal of preimage"),
&cur,
&path_element,
@ -321,8 +321,8 @@ impl Circuit<bls12_381::Scalar> for Spend {
// they will be unable to find an authentication path in the
// tree with high probability.
let mut preimage = vec![];
preimage.extend(xl.to_bits_le(cs.namespace(|| "xl into bits"))?);
preimage.extend(xr.to_bits_le(cs.namespace(|| "xr into bits"))?);
preimage.extend(ul.to_bits_le(cs.namespace(|| "ul into bits"))?);
preimage.extend(ur.to_bits_le(cs.namespace(|| "ur into bits"))?);
// Compute the new subtree value
cur = pedersen_hash::pedersen_hash(
@ -330,7 +330,7 @@ impl Circuit<bls12_381::Scalar> for Spend {
pedersen_hash::Personalization::MerkleTree(i),
&preimage,
)?
.get_x()
.get_u()
.clone(); // Injective encoding
}
@ -449,21 +449,21 @@ impl Circuit<bls12_381::Scalar> for Output {
.as_ref()
.map(|e| jubjub::ExtendedPoint::from(*e.pk_d()).to_affine());
// Witness the y-coordinate, encoded as little
// Witness the v-coordinate, encoded as little
// endian bits (to match the representation)
let y_contents = boolean::field_into_boolean_vec_le(
cs.namespace(|| "pk_d bits of y"),
let v_contents = boolean::field_into_boolean_vec_le(
cs.namespace(|| "pk_d bits of v"),
pk_d.map(|e| e.get_v()),
)?;
// Witness the sign bit
let sign_bit = boolean::Boolean::from(boolean::AllocatedBit::alloc(
cs.namespace(|| "pk_d bit of x"),
cs.namespace(|| "pk_d bit of u"),
pk_d.map(|e| e.get_u().is_odd()),
)?);
// Extend the note with pk_d representation
note_contents.extend(y_contents);
note_contents.extend(v_contents);
note_contents.push(sign_bit);
}
@ -499,11 +499,11 @@ impl Circuit<bls12_381::Scalar> for Output {
cm = cm.add(cs.namespace(|| "randomization of note commitment"), &rcm)?;
}
// Only the x-coordinate of the output is revealed,
// Only the u-coordinate of the output is revealed,
// since we know it is prime order, and we know that
// the x-coordinate is an injective encoding for
// prime-order elements.
cm.get_x().inputize(cs.namespace(|| "commitment"))?;
// the u-coordinate is an injective encoding for
// elements in the prime-order subgroup.
cm.get_u().inputize(cs.namespace(|| "commitment"))?;
Ok(())
}
@ -567,7 +567,8 @@ fn test_input_circuit_with_bls12_381() {
{
let rk = jubjub::ExtendedPoint::from(viewing_key.rk(ar)).to_affine();
let expected_value_cm = jubjub::ExtendedPoint::from(value_commitment.cm()).to_affine();
let expected_value_commitment =
jubjub::ExtendedPoint::from(value_commitment.commitment()).to_affine();
let note = Note {
value: value_commitment.value,
g_d: g_d.clone(),
@ -576,8 +577,8 @@ fn test_input_circuit_with_bls12_381() {
};
let mut position = 0u64;
let cm = note.cmu();
let mut cur = cm.clone();
let cmu = note.cmu();
let mut cur = cmu.clone();
for (i, val) in auth_path.clone().into_iter().enumerate() {
let (uncle, b) = val.unwrap();
@ -635,19 +636,19 @@ fn test_input_circuit_with_bls12_381() {
"d37c738e83df5d9b0bb6495ac96abf21bcb2697477e2c15c2c7916ff7a3b6a89"
);
assert_eq!(cs.get("randomization of note commitment/x3/num"), cm);
assert_eq!(cs.get("randomization of note commitment/u3/num"), cmu);
assert_eq!(cs.num_inputs(), 8);
assert_eq!(cs.get_input(0, "ONE"), bls12_381::Scalar::one());
assert_eq!(cs.get_input(1, "rk/x/input variable"), rk.get_u());
assert_eq!(cs.get_input(2, "rk/y/input variable"), rk.get_v());
assert_eq!(cs.get_input(1, "rk/u/input variable"), rk.get_u());
assert_eq!(cs.get_input(2, "rk/v/input variable"), rk.get_v());
assert_eq!(
cs.get_input(3, "value commitment/commitment point/x/input variable"),
expected_value_cm.get_u()
cs.get_input(3, "value commitment/commitment point/u/input variable"),
expected_value_commitment.get_u()
);
assert_eq!(
cs.get_input(4, "value commitment/commitment point/y/input variable"),
expected_value_cm.get_v()
cs.get_input(4, "value commitment/commitment point/v/input variable"),
expected_value_commitment.get_v()
);
assert_eq!(cs.get_input(5, "anchor/input variable"), cur);
assert_eq!(cs.get_input(6, "pack nullifier/input 0"), expected_nf[0]);
@ -675,7 +676,7 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() {
let tree_depth = 32;
let expected_cm_xs = vec![
let expected_commitment_us = vec![
"43821661663052659750276289184181083197337192946256245809816728673021647664276",
"7220807656052227578299730541645543434083158611414003423211850718229633594616",
"13239753550660714843257636471668037031928211668773449453628093339627668081697",
@ -688,7 +689,7 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() {
"18269767207277008186871145355531741929166733260352590789136389380124992250945",
];
let expected_cm_ys = vec![
let expected_commitment_vs = vec![
"27630722367128086497290371604583225252915685718989450292520883698391703910",
"23310648738313092772044712773481584369462075017189681529702825235349449805260",
"25709635353183537915646348052945798827495141780341329896098121888376871589480",
@ -740,14 +741,15 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() {
{
let rk = jubjub::ExtendedPoint::from(viewing_key.rk(ar)).to_affine();
let expected_value_cm = jubjub::ExtendedPoint::from(value_commitment.cm()).to_affine();
let expected_value_commitment =
jubjub::ExtendedPoint::from(value_commitment.commitment()).to_affine();
assert_eq!(
expected_value_cm.get_u(),
bls12_381::Scalar::from_str(&expected_cm_xs[i as usize]).unwrap()
expected_value_commitment.get_u(),
bls12_381::Scalar::from_str(&expected_commitment_us[i as usize]).unwrap()
);
assert_eq!(
expected_value_cm.get_v(),
bls12_381::Scalar::from_str(&expected_cm_ys[i as usize]).unwrap()
expected_value_commitment.get_v(),
bls12_381::Scalar::from_str(&expected_commitment_vs[i as usize]).unwrap()
);
let note = Note {
value: value_commitment.value,
@ -757,8 +759,8 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() {
};
let mut position = 0u64;
let cm = note.cmu();
let mut cur = cm.clone();
let cmu = note.cmu();
let mut cur = cmu.clone();
for (i, val) in auth_path.clone().into_iter().enumerate() {
let (uncle, b) = val.unwrap();
@ -816,19 +818,19 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() {
"d37c738e83df5d9b0bb6495ac96abf21bcb2697477e2c15c2c7916ff7a3b6a89"
);
assert_eq!(cs.get("randomization of note commitment/x3/num"), cm);
assert_eq!(cs.get("randomization of note commitment/u3/num"), cmu);
assert_eq!(cs.num_inputs(), 8);
assert_eq!(cs.get_input(0, "ONE"), bls12_381::Scalar::one());
assert_eq!(cs.get_input(1, "rk/x/input variable"), rk.get_u());
assert_eq!(cs.get_input(2, "rk/y/input variable"), rk.get_v());
assert_eq!(cs.get_input(1, "rk/u/input variable"), rk.get_u());
assert_eq!(cs.get_input(2, "rk/v/input variable"), rk.get_v());
assert_eq!(
cs.get_input(3, "value commitment/commitment point/x/input variable"),
expected_value_cm.get_u()
cs.get_input(3, "value commitment/commitment point/u/input variable"),
expected_value_commitment.get_u()
);
assert_eq!(
cs.get_input(4, "value commitment/commitment point/y/input variable"),
expected_value_cm.get_v()
cs.get_input(4, "value commitment/commitment point/v/input variable"),
expected_value_commitment.get_v()
);
assert_eq!(cs.get_input(5, "anchor/input variable"), cur);
assert_eq!(cs.get_input(6, "pack nullifier/input 0"), expected_nf[0]);
@ -904,7 +906,7 @@ fn test_output_circuit_with_bls12_381() {
"c26d5cdfe6ccd65c03390902c02e11393ea6bb96aae32a7f2ecb12eb9103faee"
);
let expected_cm = payment_address
let expected_cmu = payment_address
.create_note(
value_commitment.value,
Rseed::BeforeZip212(commitment_randomness),
@ -912,7 +914,8 @@ fn test_output_circuit_with_bls12_381() {
.expect("should be valid")
.cmu();
let expected_value_cm = jubjub::ExtendedPoint::from(value_commitment.cm()).to_affine();
let expected_value_commitment =
jubjub::ExtendedPoint::from(value_commitment.commitment()).to_affine();
let expected_epk =
jubjub::ExtendedPoint::from(payment_address.g_d().expect("should be valid") * esk)
@ -921,22 +924,22 @@ fn test_output_circuit_with_bls12_381() {
assert_eq!(cs.num_inputs(), 6);
assert_eq!(cs.get_input(0, "ONE"), bls12_381::Scalar::one());
assert_eq!(
cs.get_input(1, "value commitment/commitment point/x/input variable"),
expected_value_cm.get_u()
cs.get_input(1, "value commitment/commitment point/u/input variable"),
expected_value_commitment.get_u()
);
assert_eq!(
cs.get_input(2, "value commitment/commitment point/y/input variable"),
expected_value_cm.get_v()
cs.get_input(2, "value commitment/commitment point/v/input variable"),
expected_value_commitment.get_v()
);
assert_eq!(
cs.get_input(3, "epk/x/input variable"),
cs.get_input(3, "epk/u/input variable"),
expected_epk.get_u()
);
assert_eq!(
cs.get_input(4, "epk/y/input variable"),
cs.get_input(4, "epk/v/input variable"),
expected_epk.get_v()
);
assert_eq!(cs.get_input(5, "commitment/input variable"), expected_cm);
assert_eq!(cs.get_input(5, "commitment/input variable"), expected_cmu);
}
}
}
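Review bot: The comment above `cm.get_u().inputize(cs.namespace(|| "commitment"))?;` asserts that the u-coordinate is an injective encoding on the prime-order subgroup but does not say why, and that is the whole security argument for exposing half a point as the public input; a later change to how `cm` is built could silently break it. I would extend it to: `// Only u is revealed: cm is in the prime-order subgroup (presumably because it is built from prime-order generators — confirm), and there u determines the point: on a twisted Edwards curve the other point with the same u, (u, -v), equals (0, -1) - cm, i.e. differs by the order-2 point and so is outside the subgroup.` The same reasoning backs the `let mut cur = cm.get_u().clone();` leaf encoding in the Spend circuit earlier in this section and would be worth cross-referencing there. Both enclosing `synthesize` bodies start and end outside the hunks shown.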


@ -115,15 +115,15 @@ impl SaplingProvingContext {
let mut public_input = [bls12_381::Scalar::zero(); 7];
{
let affine = rk.0.to_affine();
let (x, y) = (affine.get_u(), affine.get_v());
public_input[0] = x;
public_input[1] = y;
let (u, v) = (affine.get_u(), affine.get_v());
public_input[0] = u;
public_input[1] = v;
}
{
let affine = jubjub::ExtendedPoint::from(value_commitment.cm()).to_affine();
let (x, y) = (affine.get_u(), affine.get_v());
public_input[2] = x;
public_input[3] = y;
let affine = jubjub::ExtendedPoint::from(value_commitment.commitment()).to_affine();
let (u, v) = (affine.get_u(), affine.get_v());
public_input[2] = u;
public_input[3] = v;
}
public_input[4] = anchor;
@ -142,7 +142,7 @@ impl SaplingProvingContext {
verify_proof(verifying_key, &proof, &public_input[..]).map_err(|_| ())?;
// Compute value commitment
let value_commitment: jubjub::ExtendedPoint = value_commitment.cm().into();
let value_commitment: jubjub::ExtendedPoint = value_commitment.commitment().into();
// Accumulate the value commitment in the context
self.cv_sum += value_commitment;
@ -197,7 +197,7 @@ impl SaplingProvingContext {
create_random_proof(instance, proving_key, &mut rng).expect("proving should not fail");
// Compute the actual value commitment
let value_commitment: jubjub::ExtendedPoint = value_commitment.cm().into();
let value_commitment: jubjub::ExtendedPoint = value_commitment.commitment().into();
// Accumulate the value commitment in the context. We do this to check internal consistency.
self.cv_sum -= value_commitment; // Outputs subtract from the total.


@ -63,15 +63,15 @@ impl SaplingVerificationContext {
let mut public_input = [bls12_381::Scalar::zero(); 7];
{
let affine = rk.0.to_affine();
let (x, y) = (affine.get_u(), affine.get_v());
public_input[0] = x;
public_input[1] = y;
let (u, v) = (affine.get_u(), affine.get_v());
public_input[0] = u;
public_input[1] = v;
}
{
let affine = cv.to_affine();
let (x, y) = (affine.get_u(), affine.get_v());
public_input[2] = x;
public_input[3] = y;
let (u, v) = (affine.get_u(), affine.get_v());
public_input[2] = u;
public_input[3] = v;
}
public_input[4] = anchor;
@ -95,7 +95,7 @@ impl SaplingVerificationContext {
pub fn check_output(
&mut self,
cv: jubjub::ExtendedPoint,
cm: bls12_381::Scalar,
cmu: bls12_381::Scalar,
epk: jubjub::ExtendedPoint,
zkproof: Proof<Bls12>,
verifying_key: &PreparedVerifyingKey<Bls12>,
@ -111,17 +111,17 @@ impl SaplingVerificationContext {
let mut public_input = [bls12_381::Scalar::zero(); 5];
{
let affine = cv.to_affine();
let (x, y) = (affine.get_u(), affine.get_v());
public_input[0] = x;
public_input[1] = y;
let (u, v) = (affine.get_u(), affine.get_v());
public_input[0] = u;
public_input[1] = v;
}
{
let affine = epk.to_affine();
let (x, y) = (affine.get_u(), affine.get_v());
public_input[2] = x;
public_input[3] = y;
let (u, v) = (affine.get_u(), affine.get_v());
public_input[2] = u;
public_input[3] = v;
}
public_input[4] = cm;
public_input[4] = cmu;
// Verify the proof
verify_proof(verifying_key, &zkproof, &public_input[..]).is_ok()