orchard/src/note/commitment.rs

use std::iter;

use bitvec::{array::BitArray, order::Lsb0};
use ff::PrimeFieldBits;
use pasta_curves::{arithmetic::FieldExt, pallas};
use subtle::{ConstantTimeEq, CtOption};

use crate::{constants::L_ORCHARD_BASE, primitives::sinsemilla, spec::extract_p, value::NoteValue};

pub(super) struct NoteCommitTrapdoor(pub(super) pallas::Scalar);

/// A commitment to a note.
#[derive(Debug)]
pub struct NoteCommitment(pub(super) pallas::Point);

impl NoteCommitment {
    /// $NoteCommit^Orchard$.
    ///
    /// Defined in [Zcash Protocol Spec § 5.4.8.4: Sinsemilla commitments][concretesinsemillacommit].
    ///
    /// [concretesinsemillacommit]: https://zips.z.cash/protocol/nu5.pdf#concretesinsemillacommit
    pub(super) fn derive(
        g_d: [u8; 32],
        pk_d: [u8; 32],
        v: NoteValue,
        rho: pallas::Base,
        psi: pallas::Base,
        rcm: NoteCommitTrapdoor,
    ) -> CtOption<Self> {
        let domain = sinsemilla::CommitDomain::new("z.cash:Orchard-NoteCommit");
        domain
            .commit(
                iter::empty()
                    .chain(BitArray::<Lsb0, _>::new(g_d).iter().by_val())
                    .chain(BitArray::<Lsb0, _>::new(pk_d).iter().by_val())
                    .chain(v.to_le_bits().iter().by_val())
                    .chain(rho.to_le_bits().iter().by_val().take(L_ORCHARD_BASE))
                    .chain(psi.to_le_bits().iter().by_val().take(L_ORCHARD_BASE)),
                &rcm.0,
            )
            .map(NoteCommitment)
    }
}

/// The x-coordinate of the commitment to a note.
#[derive(Copy, Clone, Debug)]
pub struct ExtractedNoteCommitment(pub(super) pallas::Base);

impl ExtractedNoteCommitment {
    /// Deserialize the extracted note commitment from a byte array.
    pub fn from_bytes(bytes: &[u8; 32]) -> CtOption<Self> {
        pallas::Base::from_bytes(bytes).map(ExtractedNoteCommitment)
    }

    /// Serialize the value commitment to its canonical byte representation.
    pub fn to_bytes(self) -> [u8; 32] {
        self.0.to_bytes()
    }
}

impl From<NoteCommitment> for ExtractedNoteCommitment {
    fn from(cm: NoteCommitment) -> Self {
        ExtractedNoteCommitment(extract_p(&cm.0))
    }
}

impl std::ops::Deref for ExtractedNoteCommitment {
    type Target = pallas::Base;

    fn deref(&self) -> &pallas::Base {
        &self.0
    }
}

impl From<&ExtractedNoteCommitment> for [u8; 32] {
    fn from(cmx: &ExtractedNoteCommitment) -> Self {
        cmx.to_bytes()
    }
}

impl ConstantTimeEq for ExtractedNoteCommitment {
    fn ct_eq(&self, other: &Self) -> subtle::Choice {
        self.0.ct_eq(&other.0)
    }
}

impl PartialEq for ExtractedNoteCommitment {
    fn eq(&self, other: &Self) -> bool {
        self.ct_eq(other).into()
    }
}

impl Eq for ExtractedNoteCommitment {}
Note commitment derivation 2021-03-12 16:04:13 -08:00			`use std::iter;`

			`use bitvec::{array::BitArray, order::Lsb0};`
Migrate to bitvec 0.22, ff 0.10, group 0.10, pasta_curves 0.1 2021-06-04 12:38:28 -07:00			`use ff::PrimeFieldBits;`
Expose constructors required for ZIP-225 parsing. 2021-04-21 08:57:48 -07:00			`use pasta_curves::{arithmetic::FieldExt, pallas};`
Note encryption test vectors 2021-06-10 11:19:08 -07:00			`use subtle::{ConstantTimeEq, CtOption};`
Note commitment derivation 2021-03-12 16:04:13 -08:00
Include ρ as an input to the derivation of ψ, esk, and rcm This brings the implementation in line with spec version 2021.2.0 and the Orchard book. 2021-05-11 03:50:01 -07:00			`use crate::{constants::L_ORCHARD_BASE, primitives::sinsemilla, spec::extract_p, value::NoteValue};`
Note commitment derivation 2021-03-12 16:04:13 -08:00
Include ρ as an input to the derivation of ψ, esk, and rcm This brings the implementation in line with spec version 2021.2.0 and the Orchard book. 2021-05-11 03:50:01 -07:00			`pub(super) struct NoteCommitTrapdoor(pub(super) pallas::Scalar);`
Note commitment derivation 2021-03-12 16:04:13 -08:00
			`/// A commitment to a note.`
			`#[derive(Debug)]`
Nullifier derivation 2021-03-15 18:27:08 -07:00			`pub struct NoteCommitment(pub(super) pallas::Point);`
Note commitment derivation 2021-03-12 16:04:13 -08:00
			`impl NoteCommitment {`
			`/// $NoteCommit^Orchard$.`
			`///`
			`/// Defined in [Zcash Protocol Spec § 5.4.8.4: Sinsemilla commitments][concretesinsemillacommit].`
			`///`
			`/// [concretesinsemillacommit]: https://zips.z.cash/protocol/nu5.pdf#concretesinsemillacommit`
			`pub(super) fn derive(`
			`g_d: [u8; 32],`
			`pk_d: [u8; 32],`
			`v: NoteValue,`
			`rho: pallas::Base,`
			`psi: pallas::Base,`
			`rcm: NoteCommitTrapdoor,`
Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			`) -> CtOption<Self> {`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`let domain = sinsemilla::CommitDomain::new("z.cash:Orchard-NoteCommit");`
Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			`domain`
			`.commit(`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`iter::empty()`
			`.chain(BitArray::<Lsb0, _>::new(g_d).iter().by_val())`
			`.chain(BitArray::<Lsb0, _>::new(pk_d).iter().by_val())`
			`.chain(v.to_le_bits().iter().by_val())`
			`.chain(rho.to_le_bits().iter().by_val().take(L_ORCHARD_BASE))`
			`.chain(psi.to_le_bits().iter().by_val().take(L_ORCHARD_BASE)),`
			`&rcm.0,`
Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			`)`
			`.map(NoteCommitment)`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`}`
			`}`
Fix bundle::Action to hold cmx instead of cm 2021-04-19 15:26:58 -07:00
			`/// The x-coordinate of the commitment to a note.`
Update proptests to generate Merkle paths 2021-06-08 00:27:08 -07:00			`#[derive(Copy, Clone, Debug)]`
Fix bundle::Action to hold cmx instead of cm 2021-04-19 15:26:58 -07:00			`pub struct ExtractedNoteCommitment(pub(super) pallas::Base);`

Expose constructors required for ZIP-225 parsing. 2021-04-21 08:57:48 -07:00			`impl ExtractedNoteCommitment {`
			`/// Deserialize the extracted note commitment from a byte array.`
			`pub fn from_bytes(bytes: &[u8; 32]) -> CtOption<Self> {`
			`pallas::Base::from_bytes(bytes).map(ExtractedNoteCommitment)`
			`}`
Add accessors necessary for zip-225 write. 2021-04-21 13:32:54 -07:00
			`/// Serialize the value commitment to its canonical byte representation.`
Fix clippy lints. Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2021-06-16 11:12:07 -07:00			`pub fn to_bytes(self) -> [u8; 32] {`
Add accessors necessary for zip-225 write. 2021-04-21 13:32:54 -07:00			`self.0.to_bytes()`
			`}`
Expose constructors required for ZIP-225 parsing. 2021-04-21 08:57:48 -07:00			`}`

Fix bundle::Action to hold cmx instead of cm 2021-04-19 15:26:58 -07:00			`impl From<NoteCommitment> for ExtractedNoteCommitment {`
			`fn from(cm: NoteCommitment) -> Self {`
			`ExtractedNoteCommitment(extract_p(&cm.0))`
			`}`
			`}`
src::tree.rs: Implement MerklePath.root() method. Co-authored-by: Kris Nuttycombe <kris@electriccoin.co> 2021-06-07 22:18:16 -07:00
			`impl std::ops::Deref for ExtractedNoteCommitment {`
			`type Target = pallas::Base;`

			`fn deref(&self) -> &pallas::Base {`
			`&self.0`
			`}`
			`}`
Orchard note encryption 2021-06-02 15:22:22 -07:00
			`impl From<&ExtractedNoteCommitment> for [u8; 32] {`
			`fn from(cmx: &ExtractedNoteCommitment) -> Self {`
			`cmx.to_bytes()`
			`}`
			`}`
Note encryption test vectors 2021-06-10 11:19:08 -07:00
			`impl ConstantTimeEq for ExtractedNoteCommitment {`
			`fn ct_eq(&self, other: &Self) -> subtle::Choice {`
			`self.0.ct_eq(&other.0)`
			`}`
			`}`

			`impl PartialEq for ExtractedNoteCommitment {`
			`fn eq(&self, other: &Self) -> bool {`
			`self.ct_eq(other).into()`
			`}`
			`}`

			`impl Eq for ExtractedNoteCommitment {}`