orchard/src/spec.rs

//! Helper functions defined in the Zcash Protocol Specification.

use std::iter;

use blake2b_simd::Params;
use ff::PrimeField;
use group::{Curve, Group};
use halo2::arithmetic::{CurveAffine, CurveExt, FieldExt};
use pasta_curves::pallas;

use crate::{constants::L_ORCHARD_BASE, primitives::sinsemilla};

const PRF_EXPAND_PERSONALIZATION: &[u8; 16] = b"Zcash_ExpandSeed";

/// $\mathsf{ToBase}^\mathsf{Orchard}(x) := LEOS2IP_{\ell_\mathsf{PRFexpand}}(x) (mod q_P)$
///
/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].
///
/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents
pub(crate) fn to_base(x: [u8; 64]) -> pallas::Base {
    pallas::Base::from_bytes_wide(&x)
}

/// $\mathsf{ToScalar}^\mathsf{Orchard}(x) := LEOS2IP_{\ell_\mathsf{PRFexpand}}(x) (mod r_P)$
///
/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].
///
/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents
pub(crate) fn to_scalar(x: [u8; 64]) -> pallas::Scalar {
    pallas::Scalar::from_bytes_wide(&x)
}

/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].
///
/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents
pub(crate) fn commit_ivk(
    ak: &pallas::Base,
    nk: &pallas::Base,
    rivk: &pallas::Scalar,
) -> pallas::Scalar {
    // We rely on the API contract that to_le_bits() returns at least PrimeField::NUM_BITS
    // bits, which is equal to L_ORCHARD_BASE.
    let domain = sinsemilla::CommitDomain::new(&"z.cash:Orchard-CommitIvk");
    let ivk = domain.short_commit(
        iter::empty()
            .chain(ak.to_le_bits().iter().by_val().take(L_ORCHARD_BASE))
            .chain(nk.to_le_bits().iter().by_val().take(L_ORCHARD_BASE)),
        rivk,
    );

    // Convert from pallas::Base to pallas::Scalar. This requires no modular reduction
    // because Pallas' base field is smaller than its scalar field.
    pallas::Scalar::from_repr(ivk.to_repr()).unwrap()
}

/// Defined in [Zcash Protocol Spec § 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions][concretediversifyhash].
///
/// [concretediversifyhash]: https://zips.z.cash/protocol/nu5.pdf#concretediversifyhash
pub(crate) fn diversify_hash(d: &[u8; 11]) -> pallas::Point {
    let hasher = pallas::Point::hash_to_curve("z.cash:Orchard-gd");
    let pk_d = hasher(d);
    if pk_d.is_identity().into() {
        // If the identity occurs, we replace it with a different fixed point.
        hasher(&[])
    } else {
        pk_d
    }
}

/// $PRF^\mathsf{expand}(sk, t) := BLAKE2b-512("Zcash_ExpandSeed", sk || t)$
///
/// Defined in [Zcash Protocol Spec § 5.4.2: Pseudo Random Functions][concreteprfs].
///
/// [concreteprfs]: https://zips.z.cash/protocol/nu5.pdf#concreteprfs
pub(crate) fn prf_expand(sk: &[u8], t: &[u8]) -> [u8; 64] {
    prf_expand_vec(sk, &[t])
}

pub(crate) fn prf_expand_vec(sk: &[u8], ts: &[&[u8]]) -> [u8; 64] {
    let mut h = Params::new()
        .hash_length(64)
        .personal(PRF_EXPAND_PERSONALIZATION)
        .to_state();
    h.update(sk);
    for t in ts {
        h.update(t);
    }
    *h.finalize().as_array()
}

/// Defined in [Zcash Protocol Spec § 5.4.5.5: Orchard Key Agreement][concreteorchardkeyagreement].
///
/// [concreteorchardkeyagreement]: https://zips.z.cash/protocol/nu5.pdf#concreteorchardkeyagreement
pub(crate) fn ka_orchard(sk: &pallas::Scalar, b: &pallas::Point) -> pallas::Point {
    b * sk
}

/// Coordinate extractor for Pallas.
///
/// Defined in [Zcash Protocol Spec § 5.4.9.7: Coordinate Extractor for Pallas][concreteextractorpallas].
///
/// [concreteextractorpallas]: https://zips.z.cash/protocol/nu5.pdf#concreteextractorpallas
pub(crate) fn extract_p(point: &pallas::Point) -> pallas::Base {
    if let Some((x, _)) = point.to_affine().get_xy().into() {
        x
    } else {
        pallas::Base::zero()
    }
}

#[cfg(test)]
mod tests {
    use group::Group;
    use halo2::arithmetic::CurveExt;
    use pasta_curves::pallas;

    #[test]
    fn diversify_hash_substitution() {
        assert!(!bool::from(
            pallas::Point::hash_to_curve("z.cash:Orchard-gd")(&[]).is_identity()
        ));
    }
}
Orchard key components 2021-03-05 15:25:45 -08:00			`//! Helper functions defined in the Zcash Protocol Specification.`

			`use std::iter;`

Use [u8; 64] as the output of prf_expand to match the spec 2021-03-08 13:33:56 -08:00			`use blake2b_simd::Params;`
Orchard key components 2021-03-05 15:25:45 -08:00			`use ff::PrimeField;`
Update ivk derivation to match latest protocol spec draft 2021-03-15 13:33:07 -07:00			`use group::{Curve, Group};`
Use Pallas directly from pasta_curves crate 2021-03-17 19:06:16 -07:00			`use halo2::arithmetic::{CurveAffine, CurveExt, FieldExt};`
			`use pasta_curves::pallas;`
Orchard key components 2021-03-05 15:25:45 -08:00
Update ivk derivation to match latest protocol spec draft 2021-03-15 13:33:07 -07:00			`use crate::{constants::L_ORCHARD_BASE, primitives::sinsemilla};`
Orchard key components 2021-03-05 15:25:45 -08:00
			`const PRF_EXPAND_PERSONALIZATION: &[u8; 16] = b"Zcash_ExpandSeed";`

			`/// $\mathsf{ToBase}^\mathsf{Orchard}(x) := LEOS2IP_{\ell_\mathsf{PRFexpand}}(x) (mod q_P)$`
			`///`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].`
Orchard key components 2021-03-05 15:25:45 -08:00			`///`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents`
Use [u8; 64] as the output of prf_expand to match the spec 2021-03-08 13:33:56 -08:00			`pub(crate) fn to_base(x: [u8; 64]) -> pallas::Base {`
			`pallas::Base::from_bytes_wide(&x)`
Orchard key components 2021-03-05 15:25:45 -08:00			`}`

			`/// $\mathsf{ToScalar}^\mathsf{Orchard}(x) := LEOS2IP_{\ell_\mathsf{PRFexpand}}(x) (mod r_P)$`
			`///`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].`
Orchard key components 2021-03-05 15:25:45 -08:00			`///`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents`
Use [u8; 64] as the output of prf_expand to match the spec 2021-03-08 13:33:56 -08:00			`pub(crate) fn to_scalar(x: [u8; 64]) -> pallas::Scalar {`
			`pallas::Scalar::from_bytes_wide(&x)`
Orchard key components 2021-03-05 15:25:45 -08:00			`}`

Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// Defined in [Zcash Protocol Spec § 4.2.3: Orchard Key Components][orchardkeycomponents].`
Orchard key components 2021-03-05 15:25:45 -08:00			`///`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents`
Orchard key components 2021-03-05 15:25:45 -08:00			`pub(crate) fn commit_ivk(`
Update ivk derivation to match latest protocol spec draft 2021-03-15 13:33:07 -07:00			`ak: &pallas::Base,`
Orchard key components 2021-03-05 15:25:45 -08:00			`nk: &pallas::Base,`
			`rivk: &pallas::Scalar,`
			`) -> pallas::Scalar {`
Update ivk derivation to match latest protocol spec draft 2021-03-15 13:33:07 -07:00			`// We rely on the API contract that to_le_bits() returns at least PrimeField::NUM_BITS`
			`// bits, which is equal to L_ORCHARD_BASE.`
Call hash_to_curve() only when constructing new domain Co-authored-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: Jack Grigg <jack@electriccoin.co> 2021-03-18 17:43:18 -07:00			`let domain = sinsemilla::CommitDomain::new(&"z.cash:Orchard-CommitIvk");`
			`let ivk = domain.short_commit(`
Orchard key components 2021-03-05 15:25:45 -08:00			`iter::empty()`
Update ivk derivation to match latest protocol spec draft 2021-03-15 13:33:07 -07:00			`.chain(ak.to_le_bits().iter().by_val().take(L_ORCHARD_BASE))`
			`.chain(nk.to_le_bits().iter().by_val().take(L_ORCHARD_BASE)),`
Orchard key components 2021-03-05 15:25:45 -08:00			`rivk,`
			`);`

			`// Convert from pallas::Base to pallas::Scalar. This requires no modular reduction`
			`// because Pallas' base field is smaller than its scalar field.`
			`pallas::Scalar::from_repr(ivk.to_repr()).unwrap()`
			`}`

Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// Defined in [Zcash Protocol Spec § 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions][concretediversifyhash].`
Orchard key components 2021-03-05 15:25:45 -08:00			`///`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// [concretediversifyhash]: https://zips.z.cash/protocol/nu5.pdf#concretediversifyhash`
Make address generation infallible again DiversifyHash is altered to replace the identity with another fixed point that is known to not be the identity. 2021-03-17 12:15:55 -07:00			`pub(crate) fn diversify_hash(d: &[u8; 11]) -> pallas::Point {`
Reuse the hasher inside diversify_hash Co-authored-by: Daira Hopwood <daira@jacaranda.org> 2021-03-17 17:39:04 -07:00			`let hasher = pallas::Point::hash_to_curve("z.cash:Orchard-gd");`
			`let pk_d = hasher(d);`
Ensure diversify_hash does not return the identity This makes diversified address generation fallible (though with negligible probability). We expose this to users, so they can decide how to handle it (either just unwrapping, or incrementing the diversifier index). We alter spending key construction to reject spending keys that would not result in a default address (with diversifier index 0). 2021-03-15 12:57:03 -07:00			`if pk_d.is_identity().into() {`
Make address generation infallible again DiversifyHash is altered to replace the identity with another fixed point that is known to not be the identity. 2021-03-17 12:15:55 -07:00			`// If the identity occurs, we replace it with a different fixed point.`
Reuse the hasher inside diversify_hash Co-authored-by: Daira Hopwood <daira@jacaranda.org> 2021-03-17 17:39:04 -07:00			`hasher(&[])`
Ensure diversify_hash does not return the identity This makes diversified address generation fallible (though with negligible probability). We expose this to users, so they can decide how to handle it (either just unwrapping, or incrementing the diversifier index). We alter spending key construction to reject spending keys that would not result in a default address (with diversifier index 0). 2021-03-15 12:57:03 -07:00			`} else {`
Make address generation infallible again DiversifyHash is altered to replace the identity with another fixed point that is known to not be the identity. 2021-03-17 12:15:55 -07:00			`pk_d`
Ensure diversify_hash does not return the identity This makes diversified address generation fallible (though with negligible probability). We expose this to users, so they can decide how to handle it (either just unwrapping, or incrementing the diversifier index). We alter spending key construction to reject spending keys that would not result in a default address (with diversifier index 0). 2021-03-15 12:57:03 -07:00			`}`
Orchard key components 2021-03-05 15:25:45 -08:00			`}`

			`/// $PRF^\mathsf{expand}(sk, t) := BLAKE2b-512("Zcash_ExpandSeed", sk \|\| t)$`
			`///`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// Defined in [Zcash Protocol Spec § 5.4.2: Pseudo Random Functions][concreteprfs].`
Orchard key components 2021-03-05 15:25:45 -08:00			`///`
Update protocol spec references 2021-03-17 12:20:40 -07:00			`/// [concreteprfs]: https://zips.z.cash/protocol/nu5.pdf#concreteprfs`
Use [u8; 64] as the output of prf_expand to match the spec 2021-03-08 13:33:56 -08:00			`pub(crate) fn prf_expand(sk: &[u8], t: &[u8]) -> [u8; 64] {`
Orchard key components 2021-03-05 15:25:45 -08:00			`prf_expand_vec(sk, &[t])`
			`}`

Use [u8; 64] as the output of prf_expand to match the spec 2021-03-08 13:33:56 -08:00			`pub(crate) fn prf_expand_vec(sk: &[u8], ts: &[&[u8]]) -> [u8; 64] {`
Orchard key components 2021-03-05 15:25:45 -08:00			`let mut h = Params::new()`
			`.hash_length(64)`
			`.personal(PRF_EXPAND_PERSONALIZATION)`
			`.to_state();`
			`h.update(sk);`
			`for t in ts {`
			`h.update(t);`
			`}`
Use [u8; 64] as the output of prf_expand to match the spec 2021-03-08 13:33:56 -08:00			`*h.finalize().as_array()`
Orchard key components 2021-03-05 15:25:45 -08:00			`}`

Update protocol spec references 2021-03-17 12:20:40 -07:00			`/// Defined in [Zcash Protocol Spec § 5.4.5.5: Orchard Key Agreement][concreteorchardkeyagreement].`
Orchard key components 2021-03-05 15:25:45 -08:00			`///`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`/// [concreteorchardkeyagreement]: https://zips.z.cash/protocol/nu5.pdf#concreteorchardkeyagreement`
Orchard key components 2021-03-05 15:25:45 -08:00			`pub(crate) fn ka_orchard(sk: &pallas::Scalar, b: &pallas::Point) -> pallas::Point {`
			`b * sk`
			`}`

Update protocol spec references 2021-03-17 12:20:40 -07:00			`/// Coordinate extractor for Pallas.`
Orchard key components 2021-03-05 15:25:45 -08:00			`///`
Update protocol spec references 2021-03-17 12:20:40 -07:00			`/// Defined in [Zcash Protocol Spec § 5.4.9.7: Coordinate Extractor for Pallas][concreteextractorpallas].`
Use protocol spec URL anchors as link handles 2021-03-05 17:17:51 -08:00			`///`
			`/// [concreteextractorpallas]: https://zips.z.cash/protocol/nu5.pdf#concreteextractorpallas`
Orchard key components 2021-03-05 15:25:45 -08:00			`pub(crate) fn extract_p(point: &pallas::Point) -> pallas::Base {`
			`if let Some((x, _)) = point.to_affine().get_xy().into() {`
			`x`
			`} else {`
			`pallas::Base::zero()`
			`}`
			`}`
Make address generation infallible again DiversifyHash is altered to replace the identity with another fixed point that is known to not be the identity. 2021-03-17 12:15:55 -07:00
			`#[cfg(test)]`
			`mod tests {`
			`use group::Group;`
Use Pallas directly from pasta_curves crate 2021-03-17 19:06:16 -07:00			`use halo2::arithmetic::CurveExt;`
			`use pasta_curves::pallas;`
Make address generation infallible again DiversifyHash is altered to replace the identity with another fixed point that is known to not be the identity. 2021-03-17 12:15:55 -07:00
			`#[test]`
			`fn diversify_hash_substitution() {`
			`assert!(!bool::from(`
			`pallas::Point::hash_to_curve("z.cash:Orchard-gd")(&[]).is_identity()`
			`));`
			`}`
			`}`