Jack Grigg
f18ffa63d5
Add small key derivation benchmarks
2021-03-20 18:19:51 +13:00
str4d
e0a2141888
Merge pull request #48 from zcash/pasta-curves
Use the pasta_curves crate directly
2021-03-19 08:35:00 +13:00
Jack Grigg
1ceb60379f
poseidon: Clarify that R_F must be even
2021-03-18 16:47:06 +13:00
Jack Grigg
4c3e20535d
poseidon: s/arity/width
To match the paper more closely (arity specifically refers to Merkle
tree instantiations).
2021-03-18 16:47:04 +13:00
Jack Grigg
2beb6c3e82
Invert the Poseidon test vectors for Orchard
We now hard-code the Poseidon round constants and MDS for the Poseidon
specification used for Orchard nullifiers, as produced by the reference
implementation, and test that our constant generation can recreate them.
2021-03-18 16:47:01 +13:00
Jack Grigg
872471af17
Fix Poseidon instance definition
For Orchard, we want a Poseidon instance with a width of 3 field
elements and an output of one field element. The Poseidon instances
defined in the Poseidon paper have their output size equal to their
capacity size; with a capacity of 1 and pallas::Base as the field,
Poseidon-128 has the corresponding security level.

We do deviate from the paper's instance by adding a single partial
round, which makes the circuit easier to implement in Halo 2.
2021-03-18 16:39:09 +13:00
Jack Grigg
761dea6cc1
Implement domain separation for poseidon::Hash
Domain separation is implemented as specified in the Poseidon paper.
We only require constant-input-length hashing.
2021-03-18 16:38:59 +13:00
Jack Grigg
c578c22fe8
Silence clippy needless_range_loop warnings
I'm using range loops explicitly to make certain logic clearer.
2021-03-18 16:38:30 +13:00
Jack Grigg
6bcfecd039
Add poseidon::Spec::Rate associated type
This removes the need for specifying the rate at runtime, and removes
the remaining heap allocations from Duplex::absorb and Duplex::squeeze.
2021-03-18 16:38:28 +13:00
Jack Grigg
6548666e37
Add poseidon::Spec::State associated type
We reuse this type for the per-round round constants, and rows of the
MDS, to provide some type-level same-length guarantees. Once we can use
const generics, these will all be replaced by [F; Spec::ARITY].
2021-03-18 16:38:26 +13:00
Jack Grigg
5c8e9beea7
Simplify poseidon::Spec and remove poseidon::Generic
Poseidon specifications are now all concrete, and only generation of
constants at runtime requires an instance of the specification.
2021-03-18 16:38:23 +13:00
Jack Grigg
266705166f
Poseidon duplex sponge and hash function
2021-03-18 16:38:21 +13:00
Jack Grigg
9a2c1b0217
Make poseidon::Generic specific to SboxType::Pow
We don't currently require SboxType::Inv, so let's simplify for now.
2021-03-18 16:38:17 +13:00
Jack Grigg
8408f4690c
Rename poseidon::PoseidonSpec trait to poseidon::Spec
2021-03-18 16:38:14 +13:00
Jack Grigg
3fb5bf8344
Modify constant generation to match reference implementation
2021-03-18 16:38:07 +13:00
Jack Grigg
e1719c42bc
Add test vectors from the reference implementation
These are generated using v1.1 of the reference implementation.
2021-03-18 16:38:06 +13:00
Jack Grigg
84907c50e1
Poseidon specification and constants
2021-03-18 16:37:36 +13:00
Jack Grigg
3911fb3202
Use Pallas directly from pasta_curves crate
2021-03-18 15:06:16 +13:00
Jack Grigg
0f081c74e9
Bump halo2 dependency to include pasta_curves extraction
2021-03-18 15:04:07 +13:00
str4d
e737b50a25
Merge pull request #40 from zcash/key-components
Orchard key components
2021-03-18 13:44:33 +13:00
str4d
05e86a4d98
Reuse the hasher inside diversify_hash
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-18 13:39:04 +13:00
str4d
51fd94df72
Fix section numbers after spec changes
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-18 13:38:11 +13:00
Jack Grigg
861eec1765
Document sinsemilla::Pad
2021-03-18 08:30:22 +13:00
Jack Grigg
42ea809b64
Update protocol spec references
2021-03-18 08:30:22 +13:00
Jack Grigg
e0417268ad
Make address generation infallible again
DiversifyHash is altered to replace the identity with another fixed
point that is known to not be the identity.
2021-03-18 08:30:22 +13:00
Jack Grigg
8e55b46dbf
Deduplicate default address generation
2021-03-16 10:01:50 +13:00
Jack Grigg
3c8befa0f3
Remove TODO from extract_p
The protocol spec now returns \mathbb{P}_x instead of a bit sequence,
matching what we do here.
2021-03-16 09:36:59 +13:00
Jack Grigg
46bf89c122
Update ivk derivation to match latest protocol spec draft
2021-03-16 09:33:07 +13:00
Jack Grigg
e0b40cb3cb
FullViewingKey::address_at(impl Into<DiversifierIndex>)
This is a more usable API, which we can use when we have the full
viewing key and can obtain the DiversifierKey.
2021-03-16 09:20:45 +13:00
Jack Grigg
e98f324d7d
Ensure diversify_hash does not return the identity
This makes diversified address generation fallible (though with
negligible probability). We expose this to users, so they can decide how
to handle it (either just unwrapping, or incrementing the diversifier
index).

We alter spending key construction to reject spending keys that would
not result in a default address (with diversifier index 0).
2021-03-16 09:03:44 +13:00
Jack Grigg
f7cad7762a
Add clarifying note about nomenclature
There's no point in documenting everything as being an Orchard whizzbang.
We are in the `orchard` crate, so the context should be obvious. This
also fits with the standard Rust naming guideline of not duplicating
module names in type name prefixes (`foo::bar::BarThing`).
2021-03-09 10:39:02 +13:00
Jack Grigg
2462bb219b
Use [u8; 64] as the output of prf_expand to match the spec
2021-03-09 10:33:56 +13:00
Jack Grigg
cef44f5f53
Fix intra-crate doc links
2021-03-09 09:27:34 +13:00
Jack Grigg
bf5fb7a668
Add missing spec links to key docs
2021-03-09 09:22:38 +13:00
Jack Grigg
307787ec17
Use spec name for SpendValidatingKey
2021-03-09 09:20:09 +13:00
Jack Grigg
26701c33af
Fix commit_ivk specification
Commit^ivk takes ak as a point, and commits to its entire serialization
(not just the x coordinate).
2021-03-09 08:28:53 +13:00
str4d
cfaa61ab14
Remove unnecessary conversions for DiversifierIndex
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-09 07:40:01 +13:00
Jack Grigg
57c64922f6
Add internal CommitIvkRandomness type
2021-03-09 07:38:15 +13:00
Jack Grigg
9455158190
Use protocol spec URL anchors as link handles
2021-03-06 01:18:58 +00:00
Jack Grigg
71542f7ec2
Add internal DiversifiedTransmissionKey type
2021-03-06 01:03:53 +00:00
str4d
a61be5d58b
Fix typo in documentation
Co-authored-by: Deirdre Connolly <durumcrustulum@gmail.com>
2021-03-06 13:58:48 +13:00
Jack Grigg
5772c71a89
Add doctest example to orchard::Address that exercises key derivation
2021-03-06 00:57:30 +00:00
Jack Grigg
27501702d5
Use orchard::redpallas types in orchard::keys implementation
2021-03-06 00:03:26 +00:00
Jack Grigg
eaa7158751
Use reddsa to instantiate orchard::redpallas
2021-03-05 23:46:20 +00:00
Jack Grigg
ceac39d74e
Implement ZIP 32 diversifier derivation
2021-03-05 23:36:38 +00:00
Jack Grigg
f0779792bc
Orchard key components
2021-03-05 23:28:16 +00:00
str4d
35da17944a
Merge pull request #21 from zcash/sinsemilla
Implement Sinsemilla primitives
2021-03-06 09:16:08 +13:00
Jack Grigg
d7f8584d20
Fix clippy lint
2021-03-05 20:09:51 +00:00
Jack Grigg
be758de3bb
Fix protocol spec references after PDF rename
2021-03-05 20:00:45 +00:00
str4d
a24c3b1dbc
Merge pull request #27 from zcash/parametric-bundle
Make Bundle a parametric type over an Authorization trait
2021-03-05 11:43:30 +13:00