orchard/src/note/commitment.rs

use std::iter;

use bitvec::{array::BitArray, order::Lsb0};
use ff::PrimeField;
use pasta_curves::pallas;
use subtle::CtOption;

use crate::{
    constants::L_ORCHARD_BASE,
    primitives::sinsemilla,
    spec::{extract_p, prf_expand, to_scalar},
    value::NoteValue,
};

use super::RandomSeed;

pub(super) struct NoteCommitTrapdoor(pallas::Scalar);

impl From<&RandomSeed> for NoteCommitTrapdoor {
    fn from(rseed: &RandomSeed) -> Self {
        NoteCommitTrapdoor(to_scalar(prf_expand(&rseed.0, &[0x05])))
    }
}

/// A commitment to a note.
#[derive(Debug)]
pub struct NoteCommitment(pub(super) pallas::Point);

impl NoteCommitment {
    /// $NoteCommit^Orchard$.
    ///
    /// Defined in [Zcash Protocol Spec § 5.4.8.4: Sinsemilla commitments][concretesinsemillacommit].
    ///
    /// [concretesinsemillacommit]: https://zips.z.cash/protocol/nu5.pdf#concretesinsemillacommit
    pub(super) fn derive(
        g_d: [u8; 32],
        pk_d: [u8; 32],
        v: NoteValue,
        rho: pallas::Base,
        psi: pallas::Base,
        rcm: NoteCommitTrapdoor,
    ) -> CtOption<Self> {
        let domain = sinsemilla::CommitDomain::new("z.cash:Orchard-NoteCommit");
        domain
            .commit(
                iter::empty()
                    .chain(BitArray::<Lsb0, _>::new(g_d).iter().by_val())
                    .chain(BitArray::<Lsb0, _>::new(pk_d).iter().by_val())
                    .chain(v.to_le_bits().iter().by_val())
                    .chain(rho.to_le_bits().iter().by_val().take(L_ORCHARD_BASE))
                    .chain(psi.to_le_bits().iter().by_val().take(L_ORCHARD_BASE)),
                &rcm.0,
            )
            .map(NoteCommitment)
    }
}

/// The x-coordinate of the commitment to a note.
#[derive(Clone, Debug)]
pub struct ExtractedNoteCommitment(pub(super) pallas::Base);

impl From<NoteCommitment> for ExtractedNoteCommitment {
    fn from(cm: NoteCommitment) -> Self {
        ExtractedNoteCommitment(extract_p(&cm.0))
    }
}
Note commitment derivation 2021-03-12 16:04:13 -08:00			`use std::iter;`

			`use bitvec::{array::BitArray, order::Lsb0};`
			`use ff::PrimeField;`
			`use pasta_curves::pallas;`
Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			`use subtle::CtOption;`
Note commitment derivation 2021-03-12 16:04:13 -08:00
			`use crate::{`
			`constants::L_ORCHARD_BASE,`
			`primitives::sinsemilla,`
Fix bundle::Action to hold cmx instead of cm 2021-04-19 15:26:58 -07:00			`spec::{extract_p, prf_expand, to_scalar},`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`value::NoteValue,`
			`};`

			`use super::RandomSeed;`

			`pub(super) struct NoteCommitTrapdoor(pallas::Scalar);`

			`impl From<&RandomSeed> for NoteCommitTrapdoor {`
			`fn from(rseed: &RandomSeed) -> Self {`
			`NoteCommitTrapdoor(to_scalar(prf_expand(&rseed.0, &[0x05])))`
			`}`
			`}`

			`/// A commitment to a note.`
			`#[derive(Debug)]`
Nullifier derivation 2021-03-15 18:27:08 -07:00			`pub struct NoteCommitment(pub(super) pallas::Point);`
Note commitment derivation 2021-03-12 16:04:13 -08:00
			`impl NoteCommitment {`
			`/// $NoteCommit^Orchard$.`
			`///`
			`/// Defined in [Zcash Protocol Spec § 5.4.8.4: Sinsemilla commitments][concretesinsemillacommit].`
			`///`
			`/// [concretesinsemillacommit]: https://zips.z.cash/protocol/nu5.pdf#concretesinsemillacommit`
			`pub(super) fn derive(`
			`g_d: [u8; 32],`
			`pk_d: [u8; 32],`
			`v: NoteValue,`
			`rho: pallas::Base,`
			`psi: pallas::Base,`
			`rcm: NoteCommitTrapdoor,`
Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			`) -> CtOption<Self> {`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`let domain = sinsemilla::CommitDomain::new("z.cash:Orchard-NoteCommit");`
Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			`domain`
			`.commit(`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`iter::empty()`
			`.chain(BitArray::<Lsb0, _>::new(g_d).iter().by_val())`
			`.chain(BitArray::<Lsb0, _>::new(pk_d).iter().by_val())`
			`.chain(v.to_le_bits().iter().by_val())`
			`.chain(rho.to_le_bits().iter().by_val().take(L_ORCHARD_BASE))`
			`.chain(psi.to_le_bits().iter().by_val().take(L_ORCHARD_BASE)),`
			`&rcm.0,`
Use incomplete addition in SinsemillaHashToPoint This requires exposing the ⊥ case throughout the return types. We prevent it from propagating into the Orchard note and key types by ensuring that: - When we generate keys or notes, if we encounter ⊥ we discard and re-generate. - When we construct keys or notes via any other pathway (e.g. parsing from bytes), we check for and reject ⊥. 2021-04-19 15:05:56 -07:00			`)`
			`.map(NoteCommitment)`
Note commitment derivation 2021-03-12 16:04:13 -08:00			`}`
			`}`
Fix bundle::Action to hold cmx instead of cm 2021-04-19 15:26:58 -07:00
			`/// The x-coordinate of the commitment to a note.`
Bundle builder 2021-04-14 21:14:34 -07:00			`#[derive(Clone, Debug)]`
Fix bundle::Action to hold cmx instead of cm 2021-04-19 15:26:58 -07:00			`pub struct ExtractedNoteCommitment(pub(super) pallas::Base);`

			`impl From<NoteCommitment> for ExtractedNoteCommitment {`
			`fn from(cm: NoteCommitment) -> Self {`
			`ExtractedNoteCommitment(extract_p(&cm.0))`
			`}`
			`}`