This change removes the ability to construct a `Rho` value directly from
the public API, except via deserialization from bytes (which is
necessary in order to be able to serialize a `Note`). Ordinarily, `Rho`
should be obtained either from an already-constructed `Note` or from an
`Action` or `CompactAction`.
This supports downstream users that want more control over how proof
batches are processed, instead of just batch validating Orchard bundles
with `orchard::bundle::BatchValidator`.
This ensures that we are consistent in the circuit in referring to the
public bundle anchor as `anchor`, and the calculated Merkle tree root as
`root`.
This introduces an `AddChip` implementing field element addition on a
single row, precisely matching what the nullifier integrity constraints
were relying on.
`NoteValue - NoteValue` is always guaranteed to produce a valid
`ValueSum`, so we make that infallible and introduce a new helper method
`ValueSum::magnitude_sign` that we use for circuit synthesis.
The initial Action circuit specification indicated that only the byte
encodings of `g_d_new` and `pk_d_new` would be witnessed, but we ended
up witnessing the points directly instead. This commit removes the
leftover (and now redundant) encoding-decoding round trip.
This enables `InProgress<Unproven, Unauthorized>: Clone`, which allows
the bundle returned by `Builder::build` to be cloned. In pure-Rust
wallets this should not be necessary, but it is required for `zcashd`
due to FFI-crossing.
The MSRV is now 1.54.0, because reddsa 0.2.0 included a fix to its
nightly CI that inadvertently bumped its MSRV.
The `halo2` crate is now the `halo2_proofs` crate, but we're avoiding
the cross-repo crate rename until after `halo2_gadgets` is extracted.
This also brings in the 20% prover performance improvement from
zcash/halo2#447.
The sinsemilla submodules note_commit and commit_ivk are tailored
for input lengths specific to Orchard. They have been moved out of
the gadget folder and into the circuit folder.
This also involves changing the visibility of some getter functions
to be usable outside gadget::sinsemilla.
For almost all the sponge constructions defined in the Poseidon paper,
the domain can be defined completely statically. Variable-length hashing
requires knowledge of the message length, but that can be provided to
the fixed padding function in a subsequent commit, and in any case we
can't use variable-length inputs in a circuit.
Kris Nuttycombe
Jack Grigg
Tomas Krnak
therealyingtong
Dimitris Apostolou
Daira Hopwood