orchard/src/note.rs

use group::GroupEncoding;
use pasta_curves::pallas;
use rand::RngCore;

use crate::{
    keys::{FullViewingKey, SpendingKey},
    spec::{prf_expand, to_base, to_scalar},
    value::NoteValue,
    Address,
};

mod commitment;
pub use self::commitment::{ExtractedNoteCommitment, NoteCommitment};

mod nullifier;
pub use self::nullifier::Nullifier;

/// The ZIP 212 seed randomness for a note.
#[derive(Debug)]
struct RandomSeed([u8; 32]);

impl RandomSeed {
    pub(crate) fn random(rng: &mut impl RngCore) -> Self {
        let mut bytes = [0; 32];
        rng.fill_bytes(&mut bytes);
        RandomSeed(bytes)
    }

    /// Defined in [Zcash Protocol Spec § 4.7.3: Sending Notes (Orchard)][orchardsend].
    ///
    /// [orchardsend]: https://zips.z.cash/protocol/nu5.pdf#orchardsend
    fn psi(&self) -> pallas::Base {
        to_base(prf_expand(&self.0, &[0x09]))
    }

    /// Defined in [Zcash Protocol Spec § 4.7.3: Sending Notes (Orchard)][orchardsend].
    ///
    /// [orchardsend]: https://zips.z.cash/protocol/nu5.pdf#orchardsend
    fn esk(&self) -> pallas::Scalar {
        to_scalar(prf_expand(&self.0, &[0x04]))
    }
}

/// A discrete amount of funds received by an address.
#[derive(Debug)]
pub struct Note {
    /// The recipient of the funds.
    recipient: Address,
    /// The value of this note.
    value: NoteValue,
    /// A unique creation ID for this note.
    ///
    /// This is set to the nullifier of the note that was spent in the [`Action`] that
    /// created this note.
    ///
    /// [`Action`]: crate::bundle::Action
    rho: Nullifier,
    /// The seed randomness for various note components.
    rseed: RandomSeed,
}

impl Note {
    /// Generates a dummy spent note.
    ///
    /// Defined in [Zcash Protocol Spec § 4.8.3: Dummy Notes (Orchard)][orcharddummynotes].
    ///
    /// [orcharddummynotes]: https://zips.z.cash/protocol/nu5.pdf#orcharddummynotes
    pub(crate) fn dummy(
        rng: &mut impl RngCore,
        rho: Option<Nullifier>,
    ) -> (SpendingKey, FullViewingKey, Self) {
        let sk = SpendingKey::random(rng);
        let fvk: FullViewingKey = (&sk).into();
        let recipient = fvk.default_address();

        let note = Note {
            recipient,
            value: NoteValue::zero(),
            rho: rho.unwrap_or_else(|| Nullifier::dummy(rng)),
            rseed: RandomSeed::random(rng),
        };

        (sk, fvk, note)
    }

    /// Returns the value of this note.
    pub fn value(&self) -> NoteValue {
        self.value
    }

    /// Derives the commitment to this note.
    ///
    /// Defined in [Zcash Protocol Spec § 3.2: Notes][notes].
    ///
    /// [notes]: https://zips.z.cash/protocol/nu5.pdf#notes
    pub fn commitment(&self) -> NoteCommitment {
        let g_d = self.recipient.g_d();

        // `Note` will always have a note commitment by construction.
        NoteCommitment::derive(
            g_d.to_bytes(),
            self.recipient.pk_d().to_bytes(),
            self.value,
            self.rho.0,
            self.rseed.psi(),
            (&self.rseed).into(),
        )
        .unwrap()
    }

    /// Derives the nullifier for this note.
    pub fn nullifier(&self, fvk: &FullViewingKey) -> Nullifier {
        Nullifier::derive(fvk.nk(), self.rho.0, self.rseed.psi(), self.commitment())
    }
}

/// An encrypted note.
#[derive(Debug)]
pub struct EncryptedNote;
Note commitment derivation 2021-03-12 16:04:13 -08:00			`use group::GroupEncoding;`
			`use pasta_curves::pallas;`
Dummy note generation 2021-04-14 21:14:34 -07:00			`use rand::RngCore;`
Note commitment derivation 2021-03-12 16:04:13 -08:00
			`use crate::{`
Dummy note generation 2021-04-14 21:14:34 -07:00			`keys::{FullViewingKey, SpendingKey},`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`spec::{prf_expand, to_base, to_scalar},`
			`value::NoteValue,`
			`Address,`
			`};`

			`mod commitment;`
Fix bundle::Action to hold cmx instead of cm 2021-04-19 15:26:58 -07:00			`pub use self::commitment::{ExtractedNoteCommitment, NoteCommitment};`
Skeleton for notes and values 2021-01-20 12:09:09 -08:00
Nullifier derivation 2021-03-15 18:27:08 -07:00			`mod nullifier;`
			`pub use self::nullifier::Nullifier;`

Fill out note components 2021-02-08 07:21:04 -08:00			`/// The ZIP 212 seed randomness for a note.`
			`#[derive(Debug)]`
			`struct RandomSeed([u8; 32]);`

			`impl RandomSeed {`
Dummy note generation 2021-04-14 21:14:34 -07:00			`pub(crate) fn random(rng: &mut impl RngCore) -> Self {`
			`let mut bytes = [0; 32];`
			`rng.fill_bytes(&mut bytes);`
			`RandomSeed(bytes)`
			`}`

Note commitment derivation 2021-03-12 16:04:13 -08:00			`/// Defined in [Zcash Protocol Spec § 4.7.3: Sending Notes (Orchard)][orchardsend].`
			`///`
			`/// [orchardsend]: https://zips.z.cash/protocol/nu5.pdf#orchardsend`
			`fn psi(&self) -> pallas::Base {`
			`to_base(prf_expand(&self.0, &[0x09]))`
Fill out note components 2021-02-08 07:21:04 -08:00			`}`

Note commitment derivation 2021-03-12 16:04:13 -08:00			`/// Defined in [Zcash Protocol Spec § 4.7.3: Sending Notes (Orchard)][orchardsend].`
			`///`
			`/// [orchardsend]: https://zips.z.cash/protocol/nu5.pdf#orchardsend`
			`fn esk(&self) -> pallas::Scalar {`
			`to_scalar(prf_expand(&self.0, &[0x04]))`
Fill out note components 2021-02-08 07:21:04 -08:00			`}`
			`}`

Skeleton for notes and values 2021-01-20 12:09:09 -08:00			`/// A discrete amount of funds received by an address.`
			`#[derive(Debug)]`
Remove Chain and value::Constraint traits There was push-back on having this crate require these traits, due to the additional complexity within this crate. My rationale for including them was to make it simpler to reason about what is responsible for enforcing chain-specific constraints, and to reduce duplication (by enabling the wrapping chain implementation to use type definitions and leverage all built-in behaviour, instead of newtypes and needing to add a bunch of wrapping logic and boilerplate, some of which would encode chain-specific logic). We'll try working within the requirement that this crate enforces minimal base constraints and hard-codes any constants, and then have the wrapping chain provide encoding prefixes and additional value constraints where necessary. 2021-01-21 04:16:50 -08:00			`pub struct Note {`
Skeleton for notes and values 2021-01-20 12:09:09 -08:00			`/// The recipient of the funds.`
Remove Chain and value::Constraint traits There was push-back on having this crate require these traits, due to the additional complexity within this crate. My rationale for including them was to make it simpler to reason about what is responsible for enforcing chain-specific constraints, and to reduce duplication (by enabling the wrapping chain implementation to use type definitions and leverage all built-in behaviour, instead of newtypes and needing to add a bunch of wrapping logic and boilerplate, some of which would encode chain-specific logic). We'll try working within the requirement that this crate enforces minimal base constraints and hard-codes any constants, and then have the wrapping chain provide encoding prefixes and additional value constraints where necessary. 2021-01-21 04:16:50 -08:00			`recipient: Address,`
Skeleton for notes and values 2021-01-20 12:09:09 -08:00			`/// The value of this note.`
Remove Chain and value::Constraint traits There was push-back on having this crate require these traits, due to the additional complexity within this crate. My rationale for including them was to make it simpler to reason about what is responsible for enforcing chain-specific constraints, and to reduce duplication (by enabling the wrapping chain implementation to use type definitions and leverage all built-in behaviour, instead of newtypes and needing to add a bunch of wrapping logic and boilerplate, some of which would encode chain-specific logic). We'll try working within the requirement that this crate enforces minimal base constraints and hard-codes any constants, and then have the wrapping chain provide encoding prefixes and additional value constraints where necessary. 2021-01-21 04:16:50 -08:00			`value: NoteValue,`
Fill out note components 2021-02-08 07:21:04 -08:00			`/// A unique creation ID for this note.`
			`///`
			/// This is set to the nullifier of the note that was spent in the [`Action`] that
			`/// created this note.`
			`///`
			/// [`Action`]: crate::bundle::Action
			`rho: Nullifier,`
			`/// The seed randomness for various note components.`
			`rseed: RandomSeed,`
Skeleton for notes and values 2021-01-20 12:09:09 -08:00			`}`

Remove Chain and value::Constraint traits There was push-back on having this crate require these traits, due to the additional complexity within this crate. My rationale for including them was to make it simpler to reason about what is responsible for enforcing chain-specific constraints, and to reduce duplication (by enabling the wrapping chain implementation to use type definitions and leverage all built-in behaviour, instead of newtypes and needing to add a bunch of wrapping logic and boilerplate, some of which would encode chain-specific logic). We'll try working within the requirement that this crate enforces minimal base constraints and hard-codes any constants, and then have the wrapping chain provide encoding prefixes and additional value constraints where necessary. 2021-01-21 04:16:50 -08:00			`impl Note {`
Dummy note generation 2021-04-14 21:14:34 -07:00			`/// Generates a dummy spent note.`
			`///`
			`/// Defined in [Zcash Protocol Spec § 4.8.3: Dummy Notes (Orchard)][orcharddummynotes].`
			`///`
			`/// [orcharddummynotes]: https://zips.z.cash/protocol/nu5.pdf#orcharddummynotes`
Return SpendingKey from Note::dummy We need the spending keys to create valid spendAuth signatures for Actions containing dummy spent notes. 2021-04-26 17:25:03 -07:00			`pub(crate) fn dummy(`
			`rng: &mut impl RngCore,`
			`rho: Option<Nullifier>,`
			`) -> (SpendingKey, FullViewingKey, Self) {`
			`let sk = SpendingKey::random(rng);`
			`let fvk: FullViewingKey = (&sk).into();`
Dummy note generation 2021-04-14 21:14:34 -07:00			`let recipient = fvk.default_address();`

			`let note = Note {`
			`recipient,`
Add NoteValue::zero as an alias for NoteValue::default 2021-04-20 16:00:19 -07:00			`value: NoteValue::zero(),`
Dummy note generation 2021-04-14 21:14:34 -07:00			`rho: rho.unwrap_or_else(\|\| Nullifier::dummy(rng)),`
			`rseed: RandomSeed::random(rng),`
			`};`

Return SpendingKey from Note::dummy We need the spending keys to create valid spendAuth signatures for Actions containing dummy spent notes. 2021-04-26 17:25:03 -07:00			`(sk, fvk, note)`
Dummy note generation 2021-04-14 21:14:34 -07:00			`}`

Small conversion helpers 2021-04-14 21:34:51 -07:00			`/// Returns the value of this note.`
			`pub fn value(&self) -> NoteValue {`
			`self.value`
			`}`

Skeleton for notes and values 2021-01-20 12:09:09 -08:00			`/// Derives the commitment to this note.`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`///`
			`/// Defined in [Zcash Protocol Spec § 3.2: Notes][notes].`
			`///`
			`/// [notes]: https://zips.z.cash/protocol/nu5.pdf#notes`
Skeleton for notes and values 2021-01-20 12:09:09 -08:00			`pub fn commitment(&self) -> NoteCommitment {`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`let g_d = self.recipient.g_d();`

Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			// `Note` will always have a note commitment by construction.
Note commitment derivation 2021-03-12 16:04:13 -08:00			`NoteCommitment::derive(`
			`g_d.to_bytes(),`
			`self.recipient.pk_d().to_bytes(),`
			`self.value,`
			`self.rho.0,`
			`self.rseed.psi(),`
			`(&self.rseed).into(),`
			`)`
Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			`.unwrap()`
Skeleton for notes and values 2021-01-20 12:09:09 -08:00			`}`

			`/// Derives the nullifier for this note.`
Nullifier derivation 2021-03-15 18:27:08 -07:00			`pub fn nullifier(&self, fvk: &FullViewingKey) -> Nullifier {`
Make nk the first argument to Nullifier::derive This more closely matches DeriveNullifier in the spec. 2021-03-29 17:52:20 -07:00			`Nullifier::derive(fvk.nk(), self.rho.0, self.rseed.psi(), self.commitment())`
Skeleton for notes and values 2021-01-20 12:09:09 -08:00			`}`
			`}`

			`/// An encrypted note.`
			`#[derive(Debug)]`
			`pub struct EncryptedNote;`