From ce301a6aa3f8b3425459d05c3cffe0894be22783 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Mon, 7 Feb 2022 22:33:57 +0000
Subject: [PATCH 1/2] Shuffle spends and recipients before pairing them into Actions

Callers cannot assume that any specific output corresponds to a specific Orchard recipient, and must trial-decrypt all outputs to find the ones belonging to them. This is consistent with higher-layer semantics like having Unified Addresses as recipients (where the mapping from recipient to a specific output would become much more complex).

Closes zcash/orchard#203.
Co-authored-by: Daira Hopwood
---
 src/builder.rs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/builder.rs b/src/builder.rs
index 35a9b2f7..e9d7f44a 100644
--- a/src/builder.rs
+++ b/src/builder.rs
@@ -7,7 +7,7 @@ use ff::Field;
 use group::GroupEncoding;
 use nonempty::NonEmpty;
 use pasta_curves::pallas;
-use rand::{CryptoRng, RngCore};
+use rand::{prelude::SliceRandom, CryptoRng, RngCore};
 
 use crate::{
 address::Address,
@@ -286,10 +286,6 @@ impl Builder {
 mut rng: impl RngCore,
 ) -> Result, V>, Error> {
 // Pair up the spends and recipients, extending with dummy values as necessary.
- //
- // TODO: Do we want to shuffle the order like we do for Sapling? And if we do, do
- // we need the extra logic for mapping the user-provided input order to the
- // shuffled order?
 let pre_actions: Vec<_> = {
 let num_spends = self.spends.len();
 let num_recipients = self.recipients.len();
@@ -307,6 +303,12 @@ impl Builder {
 .take(num_actions - num_recipients),
 );
 
+ // Shuffle the spends and recipients, so that learning the position of a
+ // specific spent note or output note doesn't reveal anything on its own about
+ // the meaning of that note in the transaction context.
+ self.spends.shuffle(&mut rng);
+ self.recipients.shuffle(&mut rng);
+
 self.spends
 .into_iter()
 .zip(self.recipients.into_iter())
From c1447d6af2458a6f6c3c2e08d05c2e9f5e548be8 Mon Sep 17 00:00:00 2001
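Review bot: The unlinkability the added comment promises — that a note's position reveals nothing about its role — depends on `rng` being unpredictable to an observer, yet the signature visible in the previous hunk bounds it only as `mut rng: impl RngCore,`, with no `CryptoRng` marker even though `CryptoRng` is already imported by the first hunk. If existing callers permit it, tighten the bound to `mut rng: impl RngCore + CryptoRng,`; otherwise at least state in the function's doc comment that a cryptographically secure RNG is required for the shuffle (and the dummy-note generation above) to provide any privacy. That doc comment, which lies outside this hunk, should also carry what the commit message records, e.g. `/// Spends and recipients are shuffled before being paired into actions, so callers must not assume any action position corresponds to a given recipient and must trial-decrypt every output.`. Since the shuffle runs after the dummy padding, the dummies are mixed into random positions as well, which is the behaviour one wants here and worth a word in the comment. The enclosing function starts and ends outside this hunk.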
From: Jack Grigg
Date: Tue, 8 Feb 2022 15:19:56 +0000
Subject: [PATCH 2/2] Fix broken main branch

This was a non-code merge conflict between zcash/halo2#217 and main, that caused CI to break after the PR merged.
---
 src/keys.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/keys.rs b/src/keys.rs
index b814c513..67d9b653 100644
--- a/src/keys.rs
+++ b/src/keys.rs
@@ -12,7 +12,7 @@ use group::{
 prime::PrimeCurveAffine,
 Curve, GroupEncoding,
 };
-use pasta_curves::{arithmetic::FieldExt, pallas};
+use pasta_curves::pallas;
 use rand::RngCore;
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 use zcash_note_encryption::EphemeralKeyBytes;
@@ -324,7 +324,7 @@ impl FullViewingKey {
 }
 
 pub(crate) fn rivk_internal(&self) -> CommitIvkRandomness {
- let k = self.rivk.0.to_bytes();
+ let k = self.rivk.0.to_repr();
 let ak = self.ak.to_bytes();
 let nk = self.nk.to_bytes();
 CommitIvkRandomness(to_scalar(