
291 lines
8.6 KiB
Raw Normal View History

2021-01-20 12:09:09 -08:00
//! Monetary values within the Orchard shielded pool.
//! Values are represented in two places within Orchard:
2021-04-14 21:13:41 -07:00
//! - The value of an individual note, which is an unsigned 63-bit integer.
//! - The sum of note values within an Orchard [`Action`] or [`Bundle`], which is a signed
//! 63-bit integer.
2021-01-20 12:09:09 -08:00
//! We give these separate types within this crate. Users should map these types to their
2021-04-14 21:13:41 -07:00
//! own general "amount" type as appropriate, and apply their own bounds checks if smaller
//! than the Orchard protocol supports.
2021-01-20 12:09:09 -08:00
2021-04-14 21:13:41 -07:00
//! Inside the circuit, note values are constrained to be unsigned 64-bit integers.
2021-01-20 12:09:09 -08:00
//! [`Action`]: crate::bundle::Action
//! [`Bundle`]: crate::bundle::Bundle
use std::convert::{TryFrom, TryInto};
use std::fmt::{self, Debug};
2021-04-14 21:13:41 -07:00
use std::iter::Sum;
use std::ops::{Add, Sub};
2021-03-12 16:04:13 -08:00
use bitvec::{array::BitArray, order::Lsb0};
2021-04-14 21:13:41 -07:00
use ff::{Field, PrimeField};
use group::{Group, GroupEncoding};
use pasta_curves::{
arithmetic::{CurveExt, FieldExt},
use rand::RngCore;
use subtle::CtOption;
2021-04-14 21:13:41 -07:00
use crate::primitives::redpallas::{self, Binding};
2021-03-12 16:04:13 -08:00
2021-04-14 21:13:41 -07:00
/// A value operation overflowed.
pub struct OverflowError;
impl fmt::Display for OverflowError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "Orchard value operation overflowed")
impl std::error::Error for OverflowError {}
/// The non-negative value of an individual Orchard note.
#[derive(Clone, Copy, Debug, Default)]
pub struct NoteValue(u64);
2021-01-20 12:09:09 -08:00
2021-03-12 16:04:13 -08:00
impl NoteValue {
pub(crate) fn zero() -> Self {
// Default for u64 is zero.
/// Creates a note value from its raw numeric value.
/// This only enforces that the value is an unsigned 64-bit integer. Callers should
/// enforce any additional constraints on the value's valid range themselves.
pub fn from_raw(value: u64) -> Self {
2021-04-14 21:13:41 -07:00
pub(crate) fn to_le_bits(self) -> BitArray<Lsb0, [u8; 8]> {
2021-03-12 16:04:13 -08:00
BitArray::<Lsb0, _>::new(self.0.to_le_bytes())
2021-04-14 21:13:41 -07:00
impl Sub for NoteValue {
type Output = Option<ValueSum>;
2021-04-14 21:13:41 -07:00
fn sub(self, rhs: Self) -> Self::Output {
let a = self.0 as i128;
let b = rhs.0 as i128;
a.checked_sub(b).filter(|v| v > &(-(std::u64::MAX as i128))).map(ValueSum)
2021-04-14 21:13:41 -07:00
/// A sum of Orchard note values
2021-04-14 21:14:34 -07:00
#[derive(Clone, Copy, Debug, Default, PartialEq)]
pub struct ValueSum(i128);
2021-01-20 12:09:09 -08:00
impl ValueSum {
pub(crate) fn zero() -> Self {
// Default for i64 is zero.
/// Creates a value sum from its raw numeric value.
/// This only enforces that the value is a signed 63-bit integer. Callers should
/// enforce any additional constraints on the value's valid range themselves.
pub fn from_raw(value: i64) -> Self {
ValueSum(value as i128)
2021-04-14 21:13:41 -07:00
impl Add for ValueSum {
type Output = Option<ValueSum>;
2021-04-14 21:13:41 -07:00
fn add(self, rhs: Self) -> Self::Output {
self.0.checked_add(rhs.0).filter(|v| v < &(std::u64::MAX as i128)).map(ValueSum)
2021-04-14 21:13:41 -07:00
impl<'a> Sum<&'a ValueSum> for Result<ValueSum, OverflowError> {
fn sum<I: Iterator<Item = &'a ValueSum>>(iter: I) -> Self {
iter.fold(Ok(ValueSum(0)), |acc, cv| (acc? + *cv).ok_or(OverflowError))
impl TryFrom<ValueSum> for i64 {
type Error = OverflowError;
fn try_from(v: ValueSum) -> Result<i64, Self::Error> {
i64::try_from(v.0).map_err(|_| OverflowError)
2021-04-14 21:13:41 -07:00
/// The blinding factor for a [`ValueCommitment`].
#[derive(Clone, Debug)]
pub struct ValueCommitTrapdoor(pallas::Scalar);
impl Add<&ValueCommitTrapdoor> for ValueCommitTrapdoor {
type Output = ValueCommitTrapdoor;
fn add(self, rhs: &Self) -> Self::Output {
ValueCommitTrapdoor(self.0 + rhs.0)
impl<'a> Sum<&'a ValueCommitTrapdoor> for ValueCommitTrapdoor {
fn sum<I: Iterator<Item = &'a ValueCommitTrapdoor>>(iter: I) -> Self {
iter.fold(ValueCommitTrapdoor::zero(), |acc, cv| acc + cv)
impl ValueCommitTrapdoor {
/// Generates a new value commitment trapdoor.
pub(crate) fn random(rng: impl RngCore) -> Self {
/// Returns the zero trapdoor, which provides no blinding.
pub(crate) fn zero() -> Self {
pub(crate) fn into_bsk(self) -> redpallas::SigningKey<Binding> {
// TODO: impl From<pallas::Scalar> for redpallas::SigningKey.
2021-01-20 12:09:09 -08:00
/// A commitment to a [`ValueSum`].
2021-04-14 21:13:41 -07:00
#[derive(Clone, Debug)]
pub struct ValueCommitment(pallas::Point);
impl Add<&ValueCommitment> for ValueCommitment {
type Output = ValueCommitment;
fn add(self, rhs: &Self) -> Self::Output {
ValueCommitment(self.0 + rhs.0)
impl Sub for ValueCommitment {
type Output = ValueCommitment;
fn sub(self, rhs: Self) -> Self::Output {
ValueCommitment(self.0 - rhs.0)
impl Sum for ValueCommitment {
fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
iter.fold(ValueCommitment(pallas::Point::identity()), |acc, cv| {
acc + &cv
impl<'a> Sum<&'a ValueCommitment> for ValueCommitment {
fn sum<I: Iterator<Item = &'a ValueCommitment>>(iter: I) -> Self {
iter.fold(ValueCommitment(pallas::Point::identity()), |acc, cv| {
acc + cv
impl ValueCommitment {
/// $ValueCommit^Orchard$.
/// Defined in [Zcash Protocol Spec § Homomorphic Pedersen commitments (Sapling and Orchard)][concretehomomorphiccommit].
/// [concretehomomorphiccommit]: https://zips.z.cash/protocol/nu5.pdf#concretehomomorphiccommit
pub(crate) fn derive(value: ValueSum, rcv: ValueCommitTrapdoor) -> Self {
let hasher = pallas::Point::hash_to_curve("z.cash:Orchard-cv");
let V = hasher(b"v");
let R = hasher(b"r");
let value = i64::try_from(value.0).expect("value must be in valid range");
2021-04-14 21:13:41 -07:00
let value = if value.is_negative() {
-pallas::Scalar::from_u64((-value) as u64)
2021-04-14 21:13:41 -07:00
} else {
pallas::Scalar::from_u64(value as u64)
2021-04-14 21:13:41 -07:00
ValueCommitment(V * value + R * rcv.0)
pub(crate) fn into_bvk(self) -> redpallas::VerificationKey<Binding> {
// TODO: impl From<pallas::Point> for redpallas::VerificationKey.
/// Deserialize a value commitment from its byte representation
pub fn from_bytes(bytes: &[u8; 32]) -> CtOption<ValueCommitment> {
/// Serialize this value commitment to its canonical byte representation.
pub fn to_bytes(&self) -> [u8; 32] {
2021-04-14 21:13:41 -07:00
mod tests {
use pasta_curves::{arithmetic::FieldExt, pallas};
use proptest::prelude::*;
use super::{OverflowError, ValueCommitTrapdoor, ValueCommitment, ValueSum};
use crate::primitives::redpallas;
/// Zcash's maximum money amount. Used as a bound in proptests so we don't artifically
/// overflow `ValueSum`'s size.
const MAX_MONEY: i64 = 21_000_000 * 1_0000_0000;
prop_compose! {
fn arb_scalar()(bytes in prop::array::uniform32(0u8..)) -> pallas::Scalar {
// Instead of rejecting out-of-range bytes, let's reduce them.
let mut buf = [0; 64];
prop_compose! {
fn arb_value_sum(bound: i64)(value in -bound..bound) -> ValueSum {
prop_compose! {
fn arb_trapdoor()(rcv in arb_scalar()) -> ValueCommitTrapdoor {
proptest! {
fn bsk_consistent_with_bvk(
values in prop::collection::vec((arb_value_sum(MAX_MONEY), arb_trapdoor()), 1..10),
) {
let value_balance = values
.map(|(value, _)| value)
.sum::<Result<ValueSum, OverflowError>>()
.expect("we generate values that won't overflow");
let bsk = values
.map(|(_, rcv)| rcv)
let bvk = (values
.map(|(value, rcv)| ValueCommitment::derive(value, rcv))
- ValueCommitment::derive(value_balance, ValueCommitTrapdoor::zero()))
assert_eq!(redpallas::VerificationKey::from(&bsk), bvk);