zec
/
orchard
mirror of https://github.com/zcash/orchard.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
840 Commits 5 Branches 11 Tags 24 MiB
Commit Graph

45 Commits

Author SHA1 Message Date
therealyingtong a997364545 Move fixed bases utils into halo2_ecc crate. 2021-10-12 14:36:08 +02:00
therealyingtong f7e150a81b Create halo2-gadgets workspace. 2021-10-12 14:08:43 +02:00
therealyingtong 5168c0c2bb Refactor src/constants and primitives::sinsemilla::constants. 2021-10-12 12:49:52 +02:00
therealyingtong 764c445a81 Rename poseidon::nullifier -> poseidon::p128pow5t3. 2021-10-12 11:58:27 +02:00
Jack Grigg 8c82ceecbf ff 0.11, group 0.11, pasta_curves 0.2 etc. 2021-09-06 20:39:43 +01:00
Kris Nuttycombe 5d78ab3508 Add Eq and Ord implementations for Orchard keys. 2021-08-23 11:29:06 -06:00
Kris Nuttycombe 77cf4c9831 Implement IncomingViewingKey::to_bytes 2021-08-23 11:27:02 -06:00
Jack Grigg f4a8c082a9 Use w-NAF in `ka_orchard` 
Improves the base-line cost of trial decryption by over 40%.
 2021-08-06 13:43:19 +01:00
Kris Nuttycombe b86967bc57
Merge pull request #135 from zcash/patch-ncc 
Partial fixes from NCC draft report
 2021-07-22 15:25:05 -06:00
therealyingtong 5ae9890913 mul::overflow.rs: Overflow check in variable-base scalar mul 
Simplify the canonicity check for variable-base scalar multiplication,
by range-checking the low 130 bits rather than the low 127 bits.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
 2021-07-07 23:10:59 +08:00
therealyingtong ba7e1892de Minor fixes involving constants. 
- document that find_zs_and_us is not meant to be used anywhere
- use F::zero() instead of F::default() in constants/util.rs
- use personalisations from constants in spec.rs
 2021-06-30 20:00:36 +08:00
therealyingtong 1ac3541505 Add spec::i2lebsp and constants::MERKLE_DEPTH_ORCHARD 2021-06-29 12:07:49 +08:00
Daira Hopwood 81fb944997 Make this crate clippy clean for warnings on nightly. 
One .clone() removal; all of the other changes are removing needless borrows that are immediately
dereferenced: https://rust-lang.github.io/rust-clippy/master/index.html#needless_borrow

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-06-21 18:04:00 +01:00
ebfull ee26116fcf
Merge pull request #114 from zcash/util-range-check 
utilities::lookup_range_check: Add LookupRangeCheck helper
 2021-06-14 10:56:52 -06:00
therealyingtong f5bf0c1ef3 lookup_range_check.rs: Docfixes and minor refactors. 2021-06-15 00:18:38 +08:00
therealyingtong b7b8126ccf spec.rs: Add lebs2ip function bounded on const generic L. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-06-13 23:20:59 +08:00
Jack Grigg 37326df1ab spec: Impl more traits for NonZero types 
Also fixes their Default impls to use "1" as the default.
 2021-06-11 23:55:17 +01:00
Jack Grigg 8a7ff1b28a Structs representing note encryption key material 2021-06-11 23:54:35 +01:00
Jack Grigg bea8a9b7ff Migrate to bitvec 0.22, ff 0.10, group 0.10, pasta_curves 0.1 2021-06-04 20:38:52 +01:00
Jack Grigg c4ffb7c617 Rework PRF^expand to use explicit domains 
`prf_expand{_vec}` have been replaced by the `PrfExpand` enum, which
has `PrfExpand::{expand, with_ad, with_ad_slices}` methods for use
within each domain as necessary.
 2021-05-28 13:12:25 +01:00
Jack Grigg cea8a3ab69 Move prf_expand{_vec} into a submodule for clarity 2021-05-28 12:42:01 +01:00
str4d 2bbbc3ec94
Update comments 
Co-authored-by: ying tong <yingtong@z.cash>
 2021-05-21 21:24:08 +01:00
Jack Grigg 736de1156b Ensure that Notes always have valid commitments 
Implements the change from spec version 2021.1.23 to sample a new rseed
if a note is generated without a valid commitment.
 2021-05-11 18:51:57 +08:00
Jack Grigg 76a39d29c1 Change diversify_hash and ka_orchard to use non-zero types 
This matches the changes to KA^Orchard in spec version 2021.1.23.
 2021-05-11 18:51:57 +08:00
Jack Grigg 9a828febd7 Change `commit_ivk` to return a non-zero Pallas base field element 
The type system now enforces that `ivk != 0`.
 2021-05-11 18:51:57 +08:00
Jack Grigg c08d12cc52 Use incomplete addition in SinsemillaHashToPoint 
This requires exposing the ⊥ case throughout the return types. We
prevent it from propagating into the Orchard note and key types by
ensuring that:

- When we generate keys or notes, if we encounter ⊥ we discard and
  re-generate.
- When we construct keys or notes via any other pathway (e.g. parsing
  from bytes), we check for and reject ⊥.
 2021-04-20 10:05:56 +12:00
Jack Grigg 907ff46078 Simulate incomplete addition 
Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.
 2021-04-20 10:04:44 +12:00
Jack Grigg 4c34a61c57 Use const generics for poseidon::ConstantLength 2021-03-30 14:13:15 +13:00
Jack Grigg 0f8c5b7dd3 Document TODO for SinsemillaShortCommit usage 
https://github.com/zcash/orchard/issues/55
 2021-03-30 13:55:29 +13:00
Jack Grigg 3b14cfc133 Fix link to NU5 protocol spec draft 2021-03-30 13:54:23 +13:00
Jack Grigg 0f6eb9ca6c Nullifier derivation 2021-03-26 07:51:05 +13:00
Jack Grigg 1a37ca492d Extract spec::mod_r_p helper from spec::commit_ivk 2021-03-26 07:51:05 +13:00
therealyingtong 873e1b7d7e Call hash_to_curve() only when constructing new domain 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-03-24 12:10:37 +08:00
therealyingtong a3134e34c5 Introduce HashDomain and CommitDomain traits 
Co-authored-by: Jack Grigg <thestr4d@gmail.com>
 2021-03-24 12:09:11 +08:00
Jack Grigg 3911fb3202 Use Pallas directly from pasta_curves crate 2021-03-18 15:06:16 +13:00
str4d 05e86a4d98
Reuse the hasher inside diversify_hash 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-03-18 13:39:04 +13:00
Jack Grigg 42ea809b64 Update protocol spec references 2021-03-18 08:30:22 +13:00
Jack Grigg e0417268ad Make address generation infallible again 
DiversifyHash is altered to replace the identity with another fixed
point that is known to not be the identity.
 2021-03-18 08:30:22 +13:00
Jack Grigg 3c8befa0f3 Remove TODO from extract_p 
The protocol spec now returns \mathbb{P}_x instead of a bit sequence,
matching what we do here.
 2021-03-16 09:36:59 +13:00
Jack Grigg 46bf89c122 Update ivk derivation to match latest protocol spec draft 2021-03-16 09:33:07 +13:00
Jack Grigg e98f324d7d Ensure diversify_hash does not return the identity 
This makes diversified address generation fallible (though with
negligible probability). We expose this to users, so they can decide how
to handle it (either just unwrapping, or incrementing the diversifier
index).

We alter spending key construction to reject spending keys that would
not result in a default address (with diversifier index 0).
 2021-03-16 09:03:44 +13:00
Jack Grigg 2462bb219b Use [u8; 64] as the output of prf_expand to match the spec 2021-03-09 10:33:56 +13:00
Jack Grigg 26701c33af Fix commit_ivk specification 
Commit^ivk takes ak as a point, and commits to its entire serialization
(not just the x coordinate).
 2021-03-09 08:28:53 +13:00
Jack Grigg 9455158190 Use protocol spec URL anchors as link handles 2021-03-06 01:18:58 +00:00
Jack Grigg f0779792bc Orchard key components 2021-03-05 23:28:16 +00:00