therealyingtong
4f2b4d2935
Address review comments
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-05 20:23:29 +08:00
Kris Nuttycombe
a789b89135
Check both u64 max and min in ValueSum arithmetic.
2021-05-04 16:35:49 -06:00
therealyingtong
4bf6202c35
Modify ECC gadget to work with chip refactor
2021-05-04 12:11:28 +08:00
therealyingtong
b5de8e6c27
Only store Z_SHORT and U_SHORT for value_commit_v
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-04 05:05:32 +08:00
therealyingtong
380ed377de
Fix bug in Sinsemilla S generators and add test
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-04 03:24:11 +08:00
therealyingtong
11d90692e1
Fix bugs in value_commit_v, value_commit_r generators
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-04 02:04:56 +08:00
therealyingtong
119d721ecd
Use ArrayVec
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-03 23:58:41 +08:00
ying tong
1ee5392163
Documentation fixes
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-03 22:28:22 +08:00
Kris Nuttycombe
4afdeeeb76
Add mapping over bundle value balance.
2021-04-30 09:43:51 -06:00
Kris Nuttycombe
b1ac90b77a
Fix incorrect generator comments.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-04-30 08:02:09 -06:00
Kris Nuttycombe
a119a27ee7
Clean up value balance generation.
2021-04-30 07:59:46 -06:00
Kris Nuttycombe
25c90dda4b
Add fast generation for not-consensus-valid authorized bundles and actions.
2021-04-29 16:14:16 -06:00
Kris Nuttycombe
3c12877f87
Use a deterministic PRNG seeded from arb data for proptests.
2021-04-29 09:55:11 -06:00
Kris Nuttycombe
f91088d35b
Use builder to generate "valid" bundles via proptest.
2021-04-28 18:21:12 -06:00
Kris Nuttycombe
4d89d45332
Add proptest generators for action and bundle types.
2021-04-28 18:04:17 -06:00
Kris Nuttycombe
75573d331a
Add canonical byte conversions for value commitments.
2021-04-28 18:03:50 -06:00
Kris Nuttycombe
fc0f55d82b
Make ValueSum correctly respect the proper specified range.
2021-04-28 18:03:50 -06:00
Kris Nuttycombe
a5c9fb953b
Add accessors necessary for zip-225 write.
2021-04-28 18:02:36 -06:00
Kris Nuttycombe
e743198a50
Expose constructors required for ZIP-225 parsing.
2021-04-28 18:02:36 -06:00
Jack Grigg
d383ff5054
Fix clippy lints
2021-04-29 10:57:53 +12:00
Jack Grigg
223b7ac533
Replace signing metadata tuple with struct
This enables the dummy-only first field to be properly documented.
2021-04-29 10:40:23 +12:00
therealyingtong
de75c9538b
Update constants after hash_to_field fix (zcash/pasta_curves@a119467)
2021-04-28 20:53:14 +08:00
therealyingtong
13d7da3c45
Replace OrchardFixedBases enum with newtypes
Co-authored-by: Kris Nuttycombe <kris@electriccoin.co>
2021-04-28 20:53:14 +08:00
therealyingtong
e26b6c6123
Test every row in test_lagrange_coeffs() instead of using random scalar
2021-04-28 20:53:14 +08:00
therealyingtong
ce6e59bdb8
Address review comments
2021-04-28 20:53:14 +08:00
therealyingtong
17b66e1c6a
Remember u-values
2021-04-28 20:53:14 +08:00
therealyingtong
69d4c4c35a
Round up division for NUM_WINDOWS
2021-04-28 20:53:14 +08:00
therealyingtong
70ce1ca53f
Impl PartialOrd and Ord for OrchardFixedBases
2021-04-28 20:53:14 +08:00
therealyingtong
21060393fe
Remove redundant imports
2021-04-28 20:53:14 +08:00
therealyingtong
6cc957e998
Add constants for short signed scalar mul
2021-04-28 20:53:14 +08:00
therealyingtong
e4d6af620f
Add l_value to constants
2021-04-28 20:53:14 +08:00
therealyingtong
3381b15cd9
Use fixed-size array for windows in tables
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-04-28 20:53:14 +08:00
therealyingtong
d915097407
Implement Hash, PartialEq, Eq for OrchardFixedBases
2021-04-28 20:53:14 +08:00
therealyingtong
2c11f3a048
Add Orchard fixed bases and tests
2021-04-28 20:53:14 +08:00
therealyingtong
4f1f32dab0
Add Sinsemilla constants
2021-04-28 20:53:14 +08:00
therealyingtong
91fd290ffc
Add SWU hash-to-curve personalizations
2021-04-28 20:53:14 +08:00
Jack Grigg
186914166a
Use `zero` instead of `default` for empty values
2021-04-28 09:06:33 +12:00
Jack Grigg
30f01d122c
Bundle builder
2021-04-27 14:31:21 +12:00
Jack Grigg
497f7e0b86
Remove bundle::Unauthorized type
It is being replaced by context-specific unauthorized or
partially-authorized types. The only general type we need is Authorized
which is used in transactions.
2021-04-27 12:30:16 +12:00
Jack Grigg
316729302d
cargo fmt
2021-04-27 12:28:42 +12:00
Jack Grigg
a60051c8a2
Add from_raw constructors to NoteValue and ValueSum
These might be replaced later with APIs that can provide more useful
bounds checks, but we do need some way to construct these types.
2021-04-27 12:27:23 +12:00
Jack Grigg
52d87e257c
Return SpendingKey from Note::dummy
We need the spending keys to create valid spendAuth signatures for
Actions containing dummy spent notes.
2021-04-27 12:26:24 +12:00
Jack Grigg
5ec65c5d2a
Add a mutable context to Bundle::{try_}authorize
This enables us to work around lifetime restrictions on e.g. the
randomness source at signing time, where it is needed for both
per-Action and Bundle-level signatures.
2021-04-27 12:24:33 +12:00
Jack Grigg
29b3071c67
Fix doc comments for bundle flags
2021-04-27 09:10:32 +12:00
Kris Nuttycombe
36529629bc
Expose Flags constructor & accessors.
2021-04-27 09:04:03 +12:00
str4d
3dbebbe08b
Merge pull request #58 from zcash/proof-placeholder
Proving and verifying keys, and placeholder proof logic
2021-04-26 19:11:56 +01:00
str4d
0f6794f291
Merge pull request #70 from zcash/bundle-apis
Bundle APIs
2021-04-22 21:23:14 +01:00
Kris Nuttycombe
7d243ae60a
Apply suggestions from code review
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-04-22 07:32:20 -06:00
Jack Grigg
4c4400cb63
Proving and verifying keys, and placeholder proof logic
2021-04-23 01:08:43 +12:00
Jack Grigg
f62bbbbb95
Small conversion helpers
2021-04-23 01:08:43 +12:00
Jack Grigg
35f65bb26a
Expose RedPallas rerandomization
2021-04-23 01:06:10 +12:00
str4d
4db3b54c8b
Generate dummy nullifiers with the same distribution as real ones
The x-coordinates of Pallas points are not uniformly distributed base field elements.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-04-22 13:54:17 +01:00
Jack Grigg
dbfbc66ac7
Add NoteValue::zero as an alias for NoteValue::default
2021-04-23 00:46:39 +12:00
Jack Grigg
77121facb7
Dummy note generation
2021-04-23 00:46:39 +12:00
Jack Grigg
3c2e32e156
Add some internal doc comments
2021-04-22 16:39:36 +12:00
Jack Grigg
09cca41ffb
Add getters for bundle and action internals
2021-04-22 16:39:36 +12:00
Jack Grigg
f1ad9d08de
Bundle and action constructors
2021-04-22 16:39:26 +12:00
Jack Grigg
01d241df7c
Rename some bundle and action variables to match the protocol spec
2021-04-22 16:38:17 +12:00
Jack Grigg
5dbcbf28fb
Bundle Authorization transformations
2021-04-22 16:37:31 +12:00
str4d
ea278aafcb
Merge pull request #63 from zcash/note-commitment-updates
Note commitment updates
2021-04-22 01:23:05 +01:00
Jack Grigg
bdaf9d06cc
clippy: Allow binary operators in IncompletePoint addition
It's not suspicious, it's constant time! :D
2021-04-22 12:09:32 +12:00
Jack Grigg
09e70cb6e3
Improve performance of IncompletePoint addition
We only need to track the occurrence of any edge cases, and we can do so
without expensive inversions at every addition step, by instead
performing the checks on the projective form directly.
2021-04-22 12:01:59 +12:00
str4d
31d1a67837
Expand documentation of conditions on SpendingKeys
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-04-21 23:28:32 +01:00
Jack Grigg
c7b9ce0ea9
Fix a clippy lint
This was leftover after an intermediate refactor that introduced
`hash_to_point_inner`.
2021-04-20 23:57:59 +12:00
Jack Grigg
b1286b4e94
Fix bundle::Action to hold cmx instead of cm
2021-04-20 10:26:58 +12:00
Jack Grigg
c08d12cc52
Use incomplete addition in SinsemillaHashToPoint
This requires exposing the ⊥ case throughout the return types. We
prevent it from propagating into the Orchard note and key types by
ensuring that:
- When we generate keys or notes, if we encounter ⊥ we discard and
re-generate.
- When we construct keys or notes via any other pathway (e.g. parsing
from bytes), we check for and reject ⊥.
2021-04-20 10:05:56 +12:00
Jack Grigg
907ff46078
Simulate incomplete addition
Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.
2021-04-20 10:04:44 +12:00
Jack Grigg
badaf23f25
Implement ValueCommit^Orchard
2021-04-15 17:08:06 +12:00
Jack Grigg
4c34a61c57
Use const generics for poseidon::ConstantLength
2021-03-30 14:13:15 +13:00
str4d
92cfa372e0
Merge pull request #44 from zcash/note-structure
Note structure
2021-03-30 14:01:56 +13:00
Jack Grigg
0f8c5b7dd3
Document TODO for SinsemillaShortCommit usage
https://github.com/zcash/orchard/issues/55
2021-03-30 13:55:29 +13:00
Jack Grigg
3b14cfc133
Fix link to NU5 protocol spec draft
2021-03-30 13:54:23 +13:00
Jack Grigg
5646ada113
Make nk the first argument to Nullifier::derive
This more closely matches DeriveNullifier in the spec.
2021-03-30 13:52:20 +13:00
Jack Grigg
061ad0656b
Refactor Poseidon primitive to use const generics
2021-03-26 09:07:38 +13:00
Jack Grigg
0f6eb9ca6c
Nullifier derivation
2021-03-26 07:51:05 +13:00
Jack Grigg
1a37ca492d
Extract spec::mod_r_p helper from spec::commit_ivk
2021-03-26 07:51:05 +13:00
Jack Grigg
680c917ce6
Note commitment derivation
2021-03-26 07:51:05 +13:00
str4d
ee2bfa7f43
Merge pull request #41 from zcash/poseidon-primitive
Poseidon primitive
2021-03-26 07:36:45 +13:00
therealyingtong
a2c1bfb52a
Remove unnecessary clone()
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:30:03 +08:00
therealyingtong
9c75839e62
Minor changes
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:25:28 +08:00
therealyingtong
7a210fabf3
Store HashDomain in CommitDomain
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:11:13 +08:00
therealyingtong
18fba2a62e
Add getters for Q() and R()
2021-03-24 12:10:37 +08:00
therealyingtong
873e1b7d7e
Call hash_to_curve() only when constructing new domain
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:10:37 +08:00
ying tong
946b50ebfe
Add documentation
Co-authored-by: str4d <jack@electriccoin.co>
2021-03-24 12:09:11 +08:00
therealyingtong
a3134e34c5
Introduce HashDomain and CommitDomain traits
Co-authored-by: Jack Grigg <thestr4d@gmail.com>
2021-03-24 12:09:11 +08:00
therealyingtong
ee969a64a8
Add Sinsemilla constants
2021-03-24 12:09:11 +08:00
Jack Grigg
b8f02c3b32
Temporarily allow dead code
This will make the lints more useful while we are implementing the
Orchard protocol.
2021-03-20 18:31:22 +13:00
Jack Grigg
1ceb60379f
poseidon: Clarify that R_F must be even
2021-03-18 16:47:06 +13:00
Jack Grigg
4c3e20535d
poseidon: s/arity/width
To match the paper more closely (arity specifically refers to Merkle
tree instantiations).
2021-03-18 16:47:04 +13:00
Jack Grigg
2beb6c3e82
Invert the Poseidon test vectors for Orchard
We now hard-code the Poseidon round constants and MDS for the Poseidon
specification used for Orchard nullifiers, as produced by the reference
implementation, and test that our constant generation can recreate them.
2021-03-18 16:47:01 +13:00
Jack Grigg
872471af17
Fix Poseidon instance definition
For Orchard, we want a Poseidon instance with a width of 3 field
elements and an output of one field element. The Poseidon instances
defined in the Poseidon paper have their output size equal to their
capacity size; with a capacity of 1 and pallas::Base as the field,
Poseidon-128 has the corresponding security level.
We do deviate from the paper's instance by adding a single partial
round, which makes the circuit easier to implement in Halo 2.
2021-03-18 16:39:09 +13:00
Jack Grigg
761dea6cc1
Implement domain separation for poseidon::Hash
Domain separation is implemented as specified in the Poseidon paper.
We only require constant-input-length hashing.
2021-03-18 16:38:59 +13:00
Jack Grigg
c578c22fe8
Silence clippy needless_range_loop warnings
I'm using range loops explicitly to make certain logic clearer.
2021-03-18 16:38:30 +13:00
Jack Grigg
6bcfecd039
Add poseidon::Spec::Rate associated type
This removes the need for specifying the rate at runtime, and removes
the remaining heap allocations from Duplex::absorb and Duplex::squeeze.
2021-03-18 16:38:28 +13:00
Jack Grigg
6548666e37
Add poseidon::Spec::State associated type
We reuse this type for the per-round round constants, and rows of the
MDS, to provide some type-level same-length guarantees. Once we can use
const generics, these will all be replaced by [F; Spec::ARITY].
2021-03-18 16:38:26 +13:00
Jack Grigg
5c8e9beea7
Simplify poseidon::Spec and remove poseidon::Generic
Poseidon specifications are now all concrete, and only generation of
constants at runtime requires an instance of the specification.
2021-03-18 16:38:23 +13:00
Jack Grigg
266705166f
Poseidon duplex sponge and hash function
2021-03-18 16:38:21 +13:00
Jack Grigg
9a2c1b0217
Make poseidon::Generic specific to SboxType::Pow
We don't currently require SboxType::Inv, so let's simplify for now.
2021-03-18 16:38:17 +13:00
Jack Grigg
8408f4690c
Rename poseidon::PoseidonSpec trait to poseidon::Spec
2021-03-18 16:38:14 +13:00
Jack Grigg
3fb5bf8344
Modify constant generation to match reference implementation
2021-03-18 16:38:07 +13:00
Jack Grigg
e1719c42bc
Add test vectors from the reference implementation
These are generated using v1.1 of the reference implementation.
2021-03-18 16:38:06 +13:00
Jack Grigg
84907c50e1
Poseidon specification and constants
2021-03-18 16:37:36 +13:00
Jack Grigg
3911fb3202
Use Pallas directly from pasta_curves crate
2021-03-18 15:06:16 +13:00
str4d
05e86a4d98
Reuse the hasher inside diversify_hash
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-18 13:39:04 +13:00
str4d
51fd94df72
Fix section numbers after spec changes
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-18 13:38:11 +13:00
Jack Grigg
861eec1765
Document sinsemilla::Pad
2021-03-18 08:30:22 +13:00
Jack Grigg
42ea809b64
Update protocol spec references
2021-03-18 08:30:22 +13:00
Jack Grigg
e0417268ad
Make address generation infallible again
DiversifyHash is altered to replace the identity with another fixed
point that is known to not be the identity.
2021-03-18 08:30:22 +13:00
Jack Grigg
8e55b46dbf
Deduplicate default address generation
2021-03-16 10:01:50 +13:00
Jack Grigg
3c8befa0f3
Remove TODO from extract_p
The protocol spec now returns \mathbb{P}_x instead of a bit sequence,
matching what we do here.
2021-03-16 09:36:59 +13:00
Jack Grigg
46bf89c122
Update ivk derivation to match latest protocol spec draft
2021-03-16 09:33:07 +13:00
Jack Grigg
e0b40cb3cb
FullViewingKey::address_at(impl Into<DiversifierIndex>)
This is a more usable API, which we can use when we have the full
viewing key and can obtain the DiversifierKey.
2021-03-16 09:20:45 +13:00
Jack Grigg
e98f324d7d
Ensure diversify_hash does not return the identity
This makes diversified address generation fallible (though with
negligible probability). We expose this to users, so they can decide how
to handle it (either just unwrapping, or incrementing the diversifier
index).
We alter spending key construction to reject spending keys that would
not result in a default address (with diversifier index 0).
2021-03-16 09:03:44 +13:00
Jack Grigg
f7cad7762a
Add clarifying note about nomenclature
There's no point in documenting everything as being an Orchard whizzbang.
We are in the `orchard` crate, so the context should be obvious. This
also fits with the standard Rust naming guideline of not duplicating
module names in type name prefixes (`foo::bar::BarThing`).
2021-03-09 10:39:02 +13:00
Jack Grigg
2462bb219b
Use [u8; 64] as the output of prf_expand to match the spec
2021-03-09 10:33:56 +13:00
Jack Grigg
cef44f5f53
Fix intra-crate doc links
2021-03-09 09:27:34 +13:00
Jack Grigg
bf5fb7a668
Add missing spec links to key docs
2021-03-09 09:22:38 +13:00
Jack Grigg
307787ec17
Use spec name for SpendValidatingKey
2021-03-09 09:20:09 +13:00
Jack Grigg
26701c33af
Fix commit_ivk specification
Commit^ivk takes ak as a point, and commits to its entire serialization
(not just the x coordinate).
2021-03-09 08:28:53 +13:00
str4d
cfaa61ab14
Remove unnecessary conversions for DiversifierIndex
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-09 07:40:01 +13:00
Jack Grigg
57c64922f6
Add internal CommitIvkRandomness type
2021-03-09 07:38:15 +13:00
Jack Grigg
9455158190
Use protocol spec URL anchors as link handles
2021-03-06 01:18:58 +00:00
Jack Grigg
71542f7ec2
Add internal DiversifiedTransmissionKey type
2021-03-06 01:03:53 +00:00
str4d
a61be5d58b
Fix typo in documentation
Co-authored-by: Deirdre Connolly <durumcrustulum@gmail.com>
2021-03-06 13:58:48 +13:00
Jack Grigg
5772c71a89
Add doctest example to orchard::Address that exercises key derivation
2021-03-06 00:57:30 +00:00
Jack Grigg
27501702d5
Use orchard::redpallas types in orchard::keys implementation
2021-03-06 00:03:26 +00:00
Jack Grigg
eaa7158751
Use reddsa to instantiate orchard::redpallas
2021-03-05 23:46:20 +00:00
Jack Grigg
ceac39d74e
Implement ZIP 32 diversifier derivation
2021-03-05 23:36:38 +00:00
Jack Grigg
f0779792bc
Orchard key components
2021-03-05 23:28:16 +00:00
str4d
35da17944a
Merge pull request #21 from zcash/sinsemilla
Implement Sinsemilla primitives
2021-03-06 09:16:08 +13:00
Jack Grigg
d7f8584d20
Fix clippy lint
2021-03-05 20:09:51 +00:00
Jack Grigg
be758de3bb
Fix protocol spec references after PDF rename
2021-03-05 20:00:45 +00:00
Jack Grigg
9882373e85
Make Bundle a parametric type over an Authorization trait
This enables us to construct Bundles at various stages of
authorization:
- `Bundle<Unauthorized>`: A bundle with all effecting data but no
proofs or signatures.
- `Bundle<Authorized>`: A bundle with all proofs and signatures,
suitable for inclusion in a block.
- `Bundle<Partial>`: Example of some in-progress bundle authorization,
for example during a FROST threshold multisignature protocol.
Also adds the bundle flags field from ZIP 225.
2021-03-03 17:39:53 +00:00
Jack Grigg
22658c3bc4
sinsemilla: Use lebs2ip_K to match protocol spec naming
2021-03-02 01:21:07 +00:00
Jack Grigg
a26e1c7879
sinsemilla: Remove the ExactSizeIterator bound
2021-03-01 23:34:02 +00:00
Jack Grigg
a03ee8797d
Implement Sinsemilla primitives
2021-02-27 17:10:28 +08:00
Jack Grigg
bbf2dc271e
Add ECC gadgets and instructions
Migrated from the halo2 crate; we may re-upstream them later (or move
gadgets into their own crate) once we've stabilised them.
2021-02-25 18:11:46 +00:00
Jack Grigg
97d75bab9a
Enforce in type system that a Bundle contains at least one Action
2021-02-24 20:10:10 +00:00
Jack Grigg
693587a402
Rename SignedBundle to AuthorizedBundle and move the proof there
Closes zcash/orchard#19.
2021-02-24 20:10:10 +00:00
Jack Grigg
5bce857569
Fill out note components
2021-02-08 15:21:04 +00:00
Jack Grigg
bf9e77b629
Move ovk to be derived from fvk instead of the spending key
2021-02-08 15:01:34 +00:00
Jack Grigg
1add6a7ef0
Fix FVK doc comment
2021-02-03 14:19:29 +00:00
Jack Grigg
aeddfb64e5
Make Diversifier a newtype around [u8; 11]
2021-02-03 14:16:58 +00:00
Jack Grigg
a564ba76ce
Remove Chain and value::Constraint traits
There was push-back on having this crate require these traits, due to the
additional complexity within this crate. My rationale for including them
was to make it simpler to reason about what is responsible for enforcing
chain-specific constraints, and to reduce duplication (by enabling the
wrapping chain implementation to use type definitions and leverage all
built-in behaviour, instead of newtypes and needing to add a bunch of
wrapping logic and boilerplate, some of which would encode chain-specific
logic).
We'll try working within the requirement that this crate enforces minimal
base constraints and hard-codes any constants, and then have the wrapping
chain provide encoding prefixes and additional value constraints where
necessary.
2021-01-21 12:23:08 +00:00
Jack Grigg
ae252f57a8
Add skeleton for RedPallas
2021-01-20 20:35:54 +00:00
Jack Grigg
1b9f6450cb
Add skeleton for actions and bundles
2021-01-20 20:31:09 +00:00
Jack Grigg
d65968ed38
Skeleton for notes and values
2021-01-20 20:31:09 +00:00
Jack Grigg
5285737bf0
Add skeleton of key structure
2021-01-20 19:51:03 +00:00
Jack Grigg
10bae831eb
Rename to Orchard
2021-01-08 16:51:10 +00:00
Jack Grigg
7905a0c80a
Update crate attributes
2020-10-20 22:44:33 +01:00
Sean Bowe
d2fa7fbaf1
Initial commit
2020-10-20 15:12:37 -06:00