This method is only called from `try_output_recovery_with_ock`, and we
can instead rely on the check performed in `check_note_validity`,
reducing the number of checks that `Domain` implementations need to
perform.
The `esk` and `ephemeral_key` parameters become unused, and will be
removed in a subsequent commit (as this change needs to be synchronized
with the `orchard` crate).
The `Domain::Note` type is now expected to contain information about the
recipient of the note, eliminating the need to pass this information in
via the encryption context.
This was only used to provide example code for Sapling usage of
the `NoteEncryption` struct; this example code has been moved
to `sapling::note_encryption`.
This modifies wallet scanning to perform per-block batched
decryption. It also alters the structure of the `ScanningKey`
trait to correctly include internal (change) keys in the scan
process.
While it is necessary in the worst case to perform `m * n` decryptions,
where `m` is the number of outputs being decrypted and `n` is the number
of IVKs, it is possible to stop performing trial decryptions when the
first successful decryption is performed. Also, it's inconvenient and
unnecessary to return the full cartesian product of these results, as
only one IVK will decrypt a given output. This commit modifies batch
trial decryption to stop on the first successful decryption, and instead
of returning the cartesian product of results we return the index of the
input IVK along with the output it decrypted. Note that this means that
trial decryption is not constant-time with respect to the number and/or
order of IVKs.
Previously we were returning the ciphertext as a slice, and then
asserting its length within the APIs the caller passed it into. Now
instead we require the caller to define whether or not the output is
compact, to make the API more predictable.
This doesn't place any additional constraints on users of this trait,
because the assertions already prevented a full output from being passed
to a compact trial decryption API.
`Domain::derive_esk` provides sufficient information to determine
whether or not we need to enforce `EphemeralSecretKey`-specific
decryption checks, as it returns `None` for pre-ZIP 212 notes.
`Domain::parse_note_plaintext_without_memo_ivk` is used with both full
note plaintexts and compact notes, so continues to accept a slice. For
all other `Domain` APIs, we constrain the input to `NotePlaintextBytes`
or `OutPlaintextBytes` as appropriate.
Decrypted output size is `OUT_PLAINTEXT_BYTES`, which the decryptor
can always provide (either by decrypting into the correct size array
as now, or truncating the buffer before passing it to the domain).
This was left over from an earlier refactor where we could call a domain
API to extract cmstar from a note commitment (which could fail for
Orchard). This part of extraction was subsequently refactored into the
domain logic (and is rejected earlier for Orchard). The resulting bound
is wrong because it's always possible to serialize a scalar.
This change modifies note encryption and decryption functions
to treat a shielded output as a single value instead of handling
the parts of an output as independent arguments.