
84 lines
2.8 KiB
Raw Normal View History

use group::Group;
2021-03-15 18:27:08 -07:00
use halo2::arithmetic::CurveExt;
use pasta_curves::{arithmetic::FieldExt, pallas};
2021-04-14 21:14:34 -07:00
use rand::RngCore;
use subtle::CtOption;
2021-03-15 18:27:08 -07:00
use super::NoteCommitment;
use crate::{
spec::{extract_p, mod_r_p},
/// A unique nullifier for a note.
#[derive(Clone, Copy, Debug)]
pub struct Nullifier(pub(crate) pallas::Base);
2021-03-15 18:27:08 -07:00
impl Nullifier {
2021-04-14 21:14:34 -07:00
/// Generates a dummy nullifier for use as $\rho$ in dummy spent notes.
/// Nullifiers are required by consensus to be unique. For dummy output notes, we get
/// this restriction as intended: the note's $\rho$ value is set to the nullifier of
/// the accompanying spent note within the action, which is constrained by consensus
/// to be unique. In the case of dummy spent notes, we get this restriction by
/// following the chain backwards: the nullifier of the dummy spent note will be
/// constrained by consensus to be unique, and the nullifier's uniqueness is derived
/// from the uniqueness of $\rho$.
/// Instead of explicitly sampling for a unique nullifier, we rely here on the size of
/// the base field to make the chance of sapling a colliding nullifier negligible.
pub(crate) fn dummy(rng: &mut impl RngCore) -> Self {
2021-04-14 21:14:34 -07:00
/// Deserialize the nullifier from a byte array.
pub fn from_bytes(bytes: &[u8; 32]) -> CtOption<Self> {
/// Serialize the nullifier to its canonical byte representation.
pub fn to_bytes(&self) -> [u8; 32] {
2021-03-15 18:27:08 -07:00
/// $DeriveNullifier$.
/// Defined in [Zcash Protocol Spec § 4.16: Note Commitments and Nullifiers][commitmentsandnullifiers].
/// [commitmentsandnullifiers]: https://zips.z.cash/protocol/nu5.pdf#commitmentsandnullifiers
pub(super) fn derive(
nk: &NullifierDerivingKey,
2021-03-15 18:27:08 -07:00
rho: pallas::Base,
psi: pallas::Base,
cm: NoteCommitment,
) -> Self {
let k = pallas::Point::hash_to_curve("z.cash:Orchard")(b"K");
Nullifier(extract_p(&(k * mod_r_p(nk.prf_nf(rho) + psi) + cm.0)))
/// Generators for property testing.
#[cfg(any(test, feature = "test-dependencies"))]
pub mod testing {
use proptest::prelude::*;
use group::GroupEncoding;
use pasta_curves::pallas;
use super::Nullifier;
use crate::spec::extract_p;
prop_compose! {
/// Generate a uniformly distributed nullifier value.
pub fn arb_nullifier()(
coord in prop::array::uniform32(any::<u8>()).prop_map(|b| pallas::Point::from_bytes(&b)).prop_filter(
"Must generate a valid Pallas point",
|p| p.is_some().into()
) -> Nullifier {