Minor fixes involving constants.

- document that find_zs_and_us is not meant to be used anywhere
- use F::zero() instead of F::default() in constants/util.rs
- use personalisations from constants in spec.rs

src/constants.rs

@@ -157,6 +157,11 @@ fn compute_lagrange_coeffs<C: CurveAffine>(base: C, num_windows: usize) -> Vec<[
 /// - $z + y = u^2$ (some square in the field); and
 /// - $z - y$ is not a square.
 /// If successful, return a vector of `(z: u64, us: [C::Base; H])` for each window.
+///
+/// This function was used to generate the `z`s and `u`s for the Orchard fixed
+/// bases. The outputs of this function have been stored as constants, and it
+/// is not called anywhere in this codebase. However, we keep this function here
+/// as a utility for those who wish to use it with different parameters.
 fn find_zs_and_us<C: CurveAffine>(base: C, num_windows: usize) -> Option<Vec<(u64, [C::Base; H])>> {
     // Closure to find z and u's for one window
     let find_z_and_us = |window_points: &[C]| {

src/constants/util.rs

@@ -1,4 +1,4 @@
-use ff::PrimeFieldBits;
+use ff::{Field, PrimeFieldBits};
 use halo2::arithmetic::{CurveAffine, FieldExt};
 
 /// Decompose a scalar into `window_num_bits` bits (little-endian)
@@ -37,7 +37,7 @@ pub fn evaluate<C: CurveAffine>(x: u8, coeffs: &[C::Base]) -> C::Base {
     coeffs
         .iter()
         .rev()
-        .fold(C::Base::default(), |acc, coeff| acc * x + coeff)
+        .fold(C::Base::zero(), |acc, coeff| acc * x + coeff)
 }
 
 /// Takes in an FnMut closure and returns a constant-length array with elements of

src/spec.rs

@@ -11,7 +11,10 @@ use pasta_curves::pallas;
 use subtle::{ConditionallySelectable, CtOption};
 
 use crate::{
-    constants::{util::gen_const_array, L_ORCHARD_BASE},
+    constants::{
+        util::gen_const_array, COMMIT_IVK_PERSONALIZATION, KEY_DIVERSIFICATION_PERSONALIZATION,
+        L_ORCHARD_BASE,
+    },
     primitives::{poseidon, sinsemilla},
 };
 
@@ -171,7 +174,7 @@ pub(crate) fn commit_ivk(
 ) -> CtOption<NonZeroPallasBase> {
     // We rely on the API contract that to_le_bits() returns at least PrimeField::NUM_BITS
     // bits, which is equal to L_ORCHARD_BASE.
-    let domain = sinsemilla::CommitDomain::new("z.cash:Orchard-CommitIvk");
+    let domain = sinsemilla::CommitDomain::new(COMMIT_IVK_PERSONALIZATION);
     domain
         .short_commit(
             iter::empty()
@@ -192,7 +195,7 @@ pub(crate) fn commit_ivk(
 ///
 /// [concretediversifyhash]: https://zips.z.cash/protocol/nu5.pdf#concretediversifyhash
 pub(crate) fn diversify_hash(d: &[u8; 11]) -> NonIdentityPallasPoint {
-    let hasher = pallas::Point::hash_to_curve("z.cash:Orchard-gd");
+    let hasher = pallas::Point::hash_to_curve(KEY_DIVERSIFICATION_PERSONALIZATION);
     let pk_d = hasher(d);
     // If the identity occurs, we replace it with a different fixed point.
     // TODO: Replace the unwrap_or_else with a cached fixed point.