Jack Grigg
3badd42d15
nonempty 0.7
...
We can now correctly measure the heap-allocated memory used by a bundle.
2021-06-28 20:57:49 +01:00
str4d
1f861423c2
Merge pull request #122 from nuttycom/incremental_merkle_tree
...
Add Orchard incremental merkle tree digests.
2021-06-28 19:12:13 +01:00
Jack Grigg
9bf066ef8b
rustfmt
2021-06-28 18:48:58 +01:00
str4d
93ab753b8c
Apply string fixes from code review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-28 18:47:02 +01:00
Kris Nuttycombe
ffafb6308c
Fix clippy complaints.
2021-06-28 10:56:25 -06:00
Kris Nuttycombe
0d078c8a90
Rustfmt
2021-06-28 10:01:13 -06:00
therealyingtong
9b47bd0db4
sinsemilla::tests: Use separate constants columns for chips.
...
To be replaced by the public inputs API.
2021-06-25 15:07:27 +08:00
therealyingtong
2ec30943b3
Configure each Sinsemilla advice column for use with a K-bit lookup.
...
Inputs to Sinsemilla often need to be decomposed and range-constrained.
2021-06-25 15:07:27 +08:00
therealyingtong
bdcdb8ac13
Move witness_message() and witness_message_piece_bitstring() to gadget level
...
These instructions were not making any assignments; instead, they
were calling through to witness_message_piece_field().
This PR also renames the witness_message_piece_field() instruction
to witness_message_piece().
2021-06-25 15:07:27 +08:00
therealyingtong
6fdee71667
Adjustments to APIs in sinsemilla::chip and sinsemilla::message.
2021-06-25 15:07:27 +08:00
therealyingtong
c43c91b796
gadget::utilities: Adjustments to utilities gadgets and helpers.
2021-06-25 15:05:39 +08:00
therealyingtong
3840f280d7
lookup_range_check.rs: Add short range check lookup.
...
Also introduce a "strict" mode for the full-length lookup, where
"true" requires the field element to be within num_words * K bits,
whereas "false" does not.
2021-06-25 15:05:39 +08:00
Kris Nuttycombe
e37cec1e53
Apply suggestions from code review
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-24 12:39:28 -06:00
Kris Nuttycombe
fc41db1ab5
Add UNCOMMITTED_ORCHARD constant.
2021-06-24 12:33:02 -06:00
Kris Nuttycombe
90d0c254cf
Account for non-canonical base in serde deserialization.
2021-06-24 09:57:35 -06:00
Kris Nuttycombe
78adc9c810
Anchor computation is partial.
2021-06-24 09:43:10 -06:00
Kris Nuttycombe
f22907a4d7
Use constants for value commitment hash-to-curve.
...
Fixes #76
2021-06-23 18:04:17 -06:00
Kris Nuttycombe
52394b8e8d
Add test for incremental Merkle tree root calculation.
...
Fix indexing in perfect subtree computation test for auth paths.
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
1b42ae707b
Make proptest bundle size configurable.
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
c876f74ab1
Fix level/layer confusion.
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
4888f0d16c
Rename Level -> Altitude
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
e3abbf9a42
Add serde support for OrchardIncrementalTreeDigest
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
7e79fd4b1c
Add necessary trait impls for OrchardIncrementalTreeDigest
...
Required to make the wrapper type usable for digests in
a serializable incremental merkle tree.
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
ce4697aca5
Add construction of OrchardIncrementalTreeDigest
2021-06-22 18:14:27 -06:00
Kris Nuttycombe
4bb252eb0c
Add Orchard incremental merkle tree digests.
2021-06-22 18:14:27 -06:00
str4d
71756cffda
Merge pull request #128 from zcash/bundle-dynamic-usage
...
Add `Bundle<Authorized, _>::dynamic_usage` method
2021-06-22 17:46:15 +01:00
str4d
66340e2655
Merge pull request #67 from zcash/sinsemilla-chip-config
...
Sinsemilla chip with HashDomain
2021-06-22 16:20:35 +01:00
Jack Grigg
06f7d7fbe0
Add `Bundle<Authorized, _>::dynamic_usage` method
...
This will be used by `zcashd` as part of tracking the memory usage of
transactions.
2021-06-22 16:06:49 +01:00
Daira Hopwood
81fb944997
Make this crate clippy clean for warnings on nightly.
...
One .clone() removal; all of the other changes are removing needless borrows that are immediately
dereferenced: https://rust-lang.github.io/rust-clippy/master/index.html#needless_borrow
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-21 18:04:00 +01:00
Daira Hopwood
8af84479b3
Rename "Sinsemilla gate" constraint to "y check".
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-21 17:04:47 +01:00
Jack Grigg
62642fd804
Add `Bundle<Authorized, _>::verify_proof` API
2021-06-21 13:38:43 +01:00
therealyingtong
bd08808566
SinsemillaChip::configure(): Merge "Initial y_q" gate with main gate
...
This allows the MockProver to see the fixed_y_q query as semantically
connected to q_sinsemilla1.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 20:56:56 +08:00
Jack Grigg
a01c2ee829
test: Print layout for Sinsemilla test circuit
2021-06-20 11:51:33 +01:00
str4d
5f5238f411
Doc comment fixes
2021-06-20 11:30:43 +01:00
therealyingtong
002596f6cd
Docfixes and cleanups.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 12:11:01 +08:00
therealyingtong
744f3d1653
SinsemillaChip::configure(): Combine and label gates.
...
The gates "Secant line" and "Sinsemilla gate" were using the same
selectors and could be combined.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:26:59 +08:00
therealyingtong
eccd72fcd0
hash_piece(): Remove (correct) duplicate assignment of x_a.
...
hash_piece() is an internal API, which means its caller hash_message()
is working in the same region. We rely on the caller to have already
assigned each piece's initial x_a at the correct offset before making
the call to hash_piece().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:14:02 +08:00
therealyingtong
9ce29d9d4d
hash_to_point(): Introduce final_piece boolean flag
...
This toggles the assignment of q_s2 on the last row of each piece.
We assign q_s2 = 2 on the last row of the final piece, and q_s2 = 0
on the last row of other pieces.
This allows us to process the final_piece in the main loop together
with the other pieces.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:00:14 +08:00
therealyingtong
031bb0bc87
SinsemillaChip::configure(): Introduce closures for Y_A and x_r
...
These expressions are derived multiple times in the gates.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 10:43:24 +08:00
therealyingtong
9072ed437d
generator_table.rs: Fix bug in y_p lookup expression.
...
Also, GeneratorTable::configure() was not being called in the main
SinsemillaChip::configure(), which meant the lookup argument had
not been activated. This has now been fixed.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 10:34:03 +08:00
therealyingtong
2f6ca9e6de
generator_table.rs: Enforce z_n = 0 for the last message piece.
2021-06-19 22:39:19 +08:00
therealyingtong
158ab865f8
gadget::sinsemilla.rs: Add Sinsemilla test.
2021-06-19 18:17:11 +08:00
therealyingtong
eba2172f4f
chip::hash_to_point.rs: Implement hash_to_point instruction.
2021-06-19 18:17:10 +08:00
therealyingtong
f122e481a7
sinsemilla::chip.rs: Configure Sinsemilla gates.
2021-06-19 18:17:09 +08:00
therealyingtong
7cddc9b587
sinsemilla::chip.rs: Implement witness_message_* APIs.
...
witness_message() witnesses a full message given a bitstring.
The other two APIs, witness_message_piece_bitstring() and
witness_message_piece_field(), both witness a message piece, i.e.
part of a message that fits within a single base field element.
witness_message_piece_bitstring() takes in a bitstring, while
witness_message_piece_field() takes in a field element. In the
latter case, the number of words encoded must be specified.
2021-06-19 18:14:22 +08:00
therealyingtong
74e617b46d
chip::generator_table.rs: Load Sinsemilla generator lookup table.
...
The 2^K table of generators used in the Sinsemilla hash. These
are loaded into a lookup table.
2021-06-19 18:14:22 +08:00
therealyingtong
ebb7dae063
sinsemilla::chip.rs: Add Sinsemilla chip.
...
The chip that will implement SinsemillaInstructions.
2021-06-19 18:14:22 +08:00
therealyingtong
e2859df4eb
sinsemilla::message.rs: Add message module.
...
This defines a Sinsemilla message in terms of pieces and subpieces.
This is useful when decomposing field elements and packing them
into K-bit messages.
2021-06-19 18:14:22 +08:00
therealyingtong
af2ac762f4
gadget::sinsemilla.rs: Add Sinsemilla instructions.
...
SinsemillaInstructions has two const generic parameters: K, which
is the number of bits in each word of the hash, and MAX_WORDS,
which is the maximum number of words the hash can process.
For Orchard, K = 10, MAX_WORDS = 253.
2021-06-19 18:14:22 +08:00
therealyingtong
83eddd8857
ecc::chip.rs: Add Point::from_coordinates_unchecked() API
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-19 18:14:22 +08:00
Daira Hopwood
1c19bea842
Fix clippy lints.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-16 19:13:40 +01:00
Jack Grigg
5264d53498
impl Copy for Anchor
2021-06-15 15:42:06 +01:00
Jack Grigg
019ae7da8e
Anchor::{from_bytes, to_bytes}
2021-06-15 15:41:57 +01:00
Daira Hopwood
e412a5a25b
Merge pull request #115 from zcash/anchor-type
...
Store anchors as pallas::Base instead of [u8; 32]
2021-06-15 14:18:48 +01:00
Jack Grigg
e90a5972f1
redpallas: Expose batch validation API
2021-06-14 21:41:12 +01:00
Jack Grigg
eec17a9174
Add a `Bundle::binding_validating_key` method
...
This derives the `bvk` for validating `Authorized::binding_signature`.
2021-06-14 21:40:28 +01:00
ebfull
ee26116fcf
Merge pull request #114 from zcash/util-range-check
...
utilities::lookup_range_check: Add LookupRangeCheck helper
2021-06-14 10:56:52 -06:00
therealyingtong
f5bf0c1ef3
lookup_range_check.rs: Docfixes and minor refactors.
2021-06-15 00:18:38 +08:00
therealyingtong
60861b7245
sinsemilla::constants.rs: Add INV_TWO_POW_K = 1 / 2^K constant.
2021-06-15 00:18:38 +08:00
str4d
1182d8d5a7
Merge pull request #99 from zcash/note-encryption
...
Note encryption
2021-06-14 17:16:54 +01:00
ebfull
4a52d771b1
Merge pull request #113 from zcash/constants-concrete-type
...
`constants::load.rs`: Use concrete `pallas::Affine` type for generators
2021-06-14 09:25:17 -06:00
therealyingtong
c25526e216
lookup_range_check.rs: Delete wrong comment.
2021-06-14 19:55:51 +08:00
therealyingtong
8a8df98a50
add_incomplete::tests: Constrain output of `P + Q` test.
...
Also minor docfixes and refactors.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-14 00:19:21 +08:00
therealyingtong
70ec5755cf
lookup_range_check.rs: Add documentation and minor refactors.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 23:24:19 +08:00
therealyingtong
b7b8126ccf
spec.rs: Add lebs2ip function bounded on const generic L.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 23:20:59 +08:00
therealyingtong
7341996d2c
gadget::ecc.rs: Add EccInstructions::constrain_equal() instruction.
...
This allows us to constrain two points to be equal in value at the
gadget level.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 21:26:30 +08:00
therealyingtong
b299a51b31
lookup_range_check.rs: Downgrade from Chip to Config.
...
We need to be able to toggle the lookup on and off on specific
offsets. These offsets are often assigned outside the logic of
the decomposition.
2021-06-13 09:40:50 +08:00
therealyingtong
cdab5bf8c4
gadget::utilities.rs: Remove Chip bound on UtilitiesInstructions.
2021-06-13 09:40:20 +08:00
Jack Grigg
de78186503
Store anchors as pallas::Base instead of [u8; 32]
...
This matches what we store in `MerklePath`, and better enforces the
required type.
2021-06-12 21:35:37 +01:00
therealyingtong
e83880841a
utilities::lookup_range_check: Add LookupRangeCheck chip
...
This decomposes a field element into K-bit words and constrains each
word's range by looking it up in a K-bit lookup table.
The field element is broken down using a running sum. All interstitial
values of the running sum are returned.
2021-06-12 22:46:31 +08:00
therealyingtong
a11c2066ef
chip::add.rs: Use Expression::square() + other minor refactors
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-12 20:25:12 +08:00
therealyingtong
e259bb3846
ecc::chip.rs: Use concrete pallas::Affine for Chip impl.
...
The EccInstructions trait is still generic over C: CurveAffine;
however, the EccChip implementation is specific to the pasta
curves.
2021-06-12 20:25:09 +08:00
therealyingtong
aec7a7f850
ecc::chip.rs: Stub out scalar-mul-related structs and types.
...
These will be updated or restored in #111 .
2021-06-12 20:24:14 +08:00
ying tong
e1779dab70
Docfixes and minor refactors.
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
therealyingtong
6dabb16edc
chip::add.rs: Use batch inversion for alpha, beta, gamma, delta
2021-06-12 12:41:27 +08:00
therealyingtong
f655e38e3e
chip::add_incomplete.rs: Remove superfluous check.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
therealyingtong
aff56e6763
ecc::chip.rs: Make EccPoint.x, EccPoint.y private fields
...
Also add public getters x() and y().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-12 12:41:27 +08:00
therealyingtong
433791fcb0
chip::witness_point.rs: Allow witnessing the identity.
2021-06-12 12:41:27 +08:00
therealyingtong
36d7888c1c
ecc.rs: Add tests for complete and incomplete addition.
2021-06-12 12:41:27 +08:00
therealyingtong
6491ea90dd
ecc::chip.rs: Bound EccConfig on <C: CurveAffine>.
2021-06-12 12:41:27 +08:00
therealyingtong
e802e2917a
chip::add.rs: Implement complete addition instruction.
2021-06-12 12:41:27 +08:00
therealyingtong
7dc11b95d2
chip::add_incomplete.rs: Implement add_incomplete() instruction
2021-06-12 12:41:27 +08:00
therealyingtong
7eb86eb0c2
chip::witness_point.rs: Implement witness_point() instruction.
2021-06-12 12:41:27 +08:00
therealyingtong
6627b2258f
ecc::chip.rs: Add ECC chip.
...
Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-12 12:41:27 +08:00
therealyingtong
e15648cb67
gadget::ecc: Remove representations of fixed points in the circuit
...
Fixed points are represented by precomputed window tables. These
are not "initialized" in the circuit at any single point, but are
loaded into fixed columns at the offsets where the fixed points
are used.
Thus, we don't need FixedPoint and get_fixed() in the circuit.
Similarly, we can remove FixedPointShort and get_fixed_short().
2021-06-12 12:41:27 +08:00
therealyingtong
ddb9500991
constants::load.rs: Use concrete pallas::Affine type for generators
...
The Orchard fixed bases are Pallas curve points and are not generic
over other curves.
2021-06-12 12:36:43 +08:00
Jack Grigg
769be6c080
Note encryption test vectors
2021-06-11 23:55:17 +01:00
Jack Grigg
37326df1ab
spec: Impl more traits for NonZero types
...
Also fixes their Default impls to use "1" as the default.
2021-06-11 23:55:17 +01:00
Jack Grigg
57f84c3eea
builder: Encrypt output notes
2021-06-11 23:55:17 +01:00
Jack Grigg
99665572a2
Orchard note encryption
2021-06-11 23:55:16 +01:00
Jack Grigg
11350339f5
Ensure that derived esk is non-zero
...
There's a (negligble) chance that we could generate (or be sent
adversarially) a RandomSeed which derives esk == 0. It's not hard to
detect and reject, in order to satisfy the type system.
2021-06-11 23:54:35 +01:00
Jack Grigg
8a7ff1b28a
Structs representing note encryption key material
2021-06-11 23:54:35 +01:00
str4d
0ead91a88c
Merge pull request #110 from zcash/tree-logic
...
Implement tree logic in Builder
2021-06-11 21:39:40 +01:00
str4d
bd30783a52
Make `hash_layer` comment a doc comment
...
This way, it renders with `cargo doc --document-private-items`
2021-06-11 20:46:30 +01:00
str4d
d8f2af8983
Simplify `gen_const_array` implementation
...
Also includes a performance improvement to `i2lebsp_k`.
2021-06-11 20:46:30 +01:00
str4d
8464df6e46
Merge pull request #108 from zcash/102-sign-with-rsk
...
builder: Store alpha and use it to derive rsk for signing spends
2021-06-11 14:42:16 +01:00
therealyingtong
0e9726ae69
tree.rs: Use 2 as uncommitted leaf and check against test vectors.
2021-06-11 20:24:55 +08:00
therealyingtong
380128ed49
tree::MerklePath: Add postion() and auth_path() getters.
2021-06-10 16:55:49 +08:00
therealyingtong
b3daeb0861
tree::testing: Fix and test arb_tree().
2021-06-10 13:54:42 +08:00
therealyingtong
2d0afe9357
constants.rs: Introduce L_ORCHARD_MERKLE constant
...
Also test that L_ORCHARD_BASE, L_ORCHARD_SCALAR, L_ORCHARD_MERKLE
are consistent with the Pallas curve.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-10 10:33:06 +08:00
therealyingtong
e8e22886f4
tree.rs: MerklePath.root(): Fix missing bitmask in swap calculation
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-10 10:29:08 +08:00
therealyingtong
18535894d6
constants::util.rs: Factor out gen_fixed_array() method.
2021-06-10 10:03:15 +08:00
therealyingtong
7818291118
primitives::sinsemilla.rs: Optimize and test i2lebsp_k
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-09 23:50:59 +08:00
therealyingtong
8f8eff23d8
Update proptests to generate Merkle paths
2021-06-08 22:38:11 +08:00
therealyingtong
b33248bdb0
src::tree.rs: Implement MerklePath.root() method.
...
Co-authored-by: Kris Nuttycombe <kris@electriccoin.co>
2021-06-08 22:31:24 +08:00
Jack Grigg
94e730ad4c
Migrate to latest version of halo2
...
This brings in:
- Fixes and improvements to `MockProver`.
- Support for annotating constraints within gates.
- Removal of Selector rotations.
2021-06-07 19:49:25 +01:00
str4d
2be13bfa80
Merge pull request #89 from zcash/utils-chip
...
Chip for general utils
2021-06-07 19:40:56 +01:00
str4d
3ff307f946
docs: Clarify EnableFlagInstructions::enable_flag
2021-06-07 19:34:48 +01:00
therealyingtong
54c8cfd1d0
Documentation improvements and minor refactors.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-08 00:28:32 +08:00
therealyingtong
0f2dfc5508
Use UtilitiesInstructions::Var instead of internal associated type.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-08 00:20:09 +08:00
Jack Grigg
e0e082d265
test: Remove stray dbg!()
2021-06-05 22:39:57 +01:00
Jack Grigg
cbf7c3825f
builder: Store alpha and use it to derive rsk for signing spends
...
This was missed from zcash/orchard#49 , but could not have caused a
consensus failure or loss-of-funds because `alpha` _was_ being sampled
and used to derive `rk`, meaning that the signatures would fail to
validate.
2021-06-05 22:35:52 +01:00
str4d
cd1e72bbcd
Merge pull request #106 from zcash/refactor-constants
...
Refactor `constants` to add `constants::load`
2021-06-05 13:42:16 +01:00
str4d
243f862617
Fix clippy lints
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-05 13:18:14 +01:00
str4d
d3da71a4fd
Merge pull request #105 from zcash/constants-spend-auth-g
...
Add SpendAuthG fixed base
2021-06-05 12:09:51 +01:00
therealyingtong
40599144bf
utilities::plonk: Remove assumption that fixed columns default to 1
2021-06-05 15:33:12 +08:00
therealyingtong
6603e996ed
utilities::cond_swap: Directly witness swap bit
2021-06-05 15:32:43 +08:00
therealyingtong
9f27049c84
Add constants::load.rs
...
This makes it easier to load constants into the ECC chip.
2021-06-05 13:18:24 +08:00
therealyingtong
1d46a2d3e7
Add SpendAuthG fixed base.
...
Used in spend authority randomization where rk = ak + [alpha]SpendAuthG.
2021-06-05 13:16:56 +08:00
therealyingtong
f31b9feba0
utilities::enable_flag: Directly witness flag
2021-06-05 09:42:23 +08:00
Kris Nuttycombe
6f3ac2cdcc
Avoid discards in arbitrary nullifier generation.
2021-06-04 17:36:50 -06:00
Jack Grigg
bea8a9b7ff
Migrate to bitvec 0.22, ff 0.10, group 0.10, pasta_curves 0.1
2021-06-04 20:38:52 +01:00
therealyingtong
fea88c814c
Add enable flag chip
2021-06-04 18:08:59 +08:00
therealyingtong
4b0ea0be15
Add conditional swap chip
2021-06-04 18:08:59 +08:00
therealyingtong
4f87815262
Add standard PLONK chip
2021-06-04 18:08:59 +08:00
therealyingtong
4d8ae89aa9
Add Utilities chip
2021-06-04 18:08:59 +08:00
str4d
c5aa41e2e4
Merge pull request #86 from zcash/patch-fixed-mul
...
Update formula for fixed-base window tables.
2021-06-03 13:33:00 +01:00
str4d
505e003842
Merge pull request #28 from zcash/poseidon
...
Width-3 Poseidon chip
2021-06-03 12:38:16 +01:00
str4d
dc075e7971
Merge pull request #91 from zcash/key-component-test-vectors
...
Add test vectors for key components
2021-06-02 22:23:54 +01:00
therealyingtong
fa9d8a992c
Update constants
2021-06-02 22:51:37 +08:00
therealyingtong
0636a6f2ec
Update window table formula.
...
Previously, the window table M for fixed-base scalar multiplication
computed M[w][k] = [(k+1)*(2^3)^w]B for each window w, where k is a
3-bit chunk in the scalar decomposition in the range [0..8).
However, in the case k_0 = 7, k_1= 0, the window table entries would
evaluate to:
* M[0][k_0] = [(7+1)*(2^3)^0]B = [8]B,
* M[1][k_1] = [(0+1)*(2^3)^1]B = [8]B,
which means the first addition would require complete addition.
To avoid this, we alter the formula to M[w][k] = [(k+2)*(2^3)^w]B.
We make a corresponding change to the formula for the last window
W. Previously, we had:
M[W][k] = [k * (2^3)^W - \sum((2^3)^j)]B, for j in [0..W-1).
Now, we have:
M[W][k] = [k * (2^3)^W - \sum(2^(3j+1))]B, for j in [0..W-1).
2021-06-02 22:51:37 +08:00
Jack Grigg
91db490e20
test: Add Poseidon test vectors
2021-06-01 18:36:11 +01:00
Daira Hopwood
5925852c7d
Add Poseidon test vector generated by the reference code.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-01 18:36:11 +01:00
Jack Grigg
f5a4cc3550
poseidon::Hash gadget
2021-06-01 18:36:11 +01:00
Jack Grigg
38dd7b791d
PoseidonDuplexInstructions
2021-06-01 18:36:11 +01:00
Jack Grigg
a69d76113f
test: Rename MyCircuit to PermuteCircuit
2021-06-01 18:36:11 +01:00
Jack Grigg
d1fe466812
Replace PoseidonInstructions::State with PoseidonInstructions::Word
2021-06-01 18:36:11 +01:00
Jack Grigg
01eb431f1f
Remove "final" round logic from poseidon::Pow5T3Chip
...
This was a bug in the Poseidon reference implementation, fixed in v1.1.
2021-06-01 18:36:11 +01:00
Jack Grigg
40a19b429c
Test that poseidon::Pow5T3Chip chip correctly implements Poseidon
2021-06-01 18:36:11 +01:00
Jack Grigg
f1b8abfccb
Arity-3 Poseidon chip
2021-06-01 18:36:11 +01:00
Jack Grigg
363e6944ec
Poseidon instructions
2021-06-01 17:54:37 +01:00
Jack Grigg
dfa3fbb19b
Migrate to latest revision of halo2
2021-06-01 17:37:44 +01:00
str4d
803fc2bea3
Merge pull request #93 from zcash/prf_expand-domains
...
Define explicit domains for PRF^expand
2021-06-01 14:31:04 +01:00
Jack Grigg
c4ffb7c617
Rework PRF^expand to use explicit domains
...
`prf_expand{_vec}` have been replaced by the `PrfExpand` enum, which
has `PrfExpand::{expand, with_ad, with_ad_slices}` methods for use
within each domain as necessary.
2021-05-28 13:12:25 +01:00
Jack Grigg
cea8a3ab69
Move prf_expand{_vec} into a submodule for clarity
2021-05-28 12:42:01 +01:00
Jack Grigg
7f47949b09
Take `self` directly in to_bytes methods where Self: Copy
2021-05-28 12:11:22 +01:00
Jack Grigg
cdfd2ab0f9
Remove clones from types that now impl Copy
2021-05-28 12:10:54 +01:00
Jack Grigg
5af73f7822
Add test vectors for key components
2021-05-28 11:57:21 +01:00
str4d
f82d00e40d
Merge pull request #77 from zcash/remove-rand-0.7
...
Remove rand 0.7 usage
2021-05-21 21:25:34 +01:00
str4d
97710e04d6
Merge pull request #80 from zcash/spec-updates
...
Update implementation to match protocol spec version 2021.2.0
2021-05-21 21:24:39 +01:00
str4d
2bbbc3ec94
Update comments
...
Co-authored-by: ying tong <yingtong@z.cash>
2021-05-21 21:24:08 +01:00
str4d
7109153e88
Merge pull request #43 from zcash/constants
...
Add Orchard constants
2021-05-18 20:44:59 +01:00
str4d
38f1c9e14f
Merge pull request #75 from zcash/ecc-gadget
...
Modify ECC gadget to work with chip refactor
2021-05-18 20:34:28 +01:00
therealyingtong
ff504c1a3f
Address review comments.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 17:14:13 +08:00
therealyingtong
2962115aef
Reintroduce point doubling API
2021-05-18 16:54:52 +08:00
therealyingtong
af30f4b141
Add Eq to the EccChip trait
2021-05-18 16:12:06 +08:00
therealyingtong
caa3791562
Documentation fixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 16:07:40 +08:00
therealyingtong
edea9bde73
Document incomplete point addition error handling
2021-05-18 13:28:17 +08:00
therealyingtong
c8076c2864
Add FixedPointsShort associated type
2021-05-18 13:28:17 +08:00
therealyingtong
74c797165f
Add range check for short scalar
2021-05-18 13:28:16 +08:00
therealyingtong
fb9da0b1b3
Address review comments.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-18 09:45:03 +08:00
Kris Nuttycombe
800e540875
Make the `Bundle` type implement `Clone`
...
This is required for proptest generation that handles shrinking
correctly in librustzcash.
2021-05-13 15:35:44 -06:00
therealyingtong
81d751d1b6
Add proptest for decompose_scalar_fixed()
2021-05-13 12:52:03 +08:00
therealyingtong
077f809df7
Cleanups from code review
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-13 10:48:10 +08:00
Jack Grigg
4423b50788
Include ρ as an input to the derivation of ψ, esk, and rcm
...
This brings the implementation in line with spec version 2021.2.0 and
the Orchard book.
2021-05-11 18:51:57 +08:00
Jack Grigg
736de1156b
Ensure that Notes always have valid commitments
...
Implements the change from spec version 2021.1.23 to sample a new rseed
if a note is generated without a valid commitment.
2021-05-11 18:51:57 +08:00
Jack Grigg
d8cc596bbe
Create separate types for protocol-level and user-level ivk
...
Spec version 2021.1.24 added the diversifier key to the encoding of an
incoming viewing key (to make them more usable). As a result, we now
have two separate types:
- `KeyAgreementPrivateKey`: what was previously `IncomingViewingKey`,
corresponding to the `ivk` type in the protocol spec. It is now
crate-internal.
- `IncomingViewingKey`: the user-facing type that encompasses `dk` and
`ivk`.
2021-05-11 18:51:57 +08:00
Jack Grigg
76a39d29c1
Change diversify_hash and ka_orchard to use non-zero types
...
This matches the changes to KA^Orchard in spec version 2021.1.23.
2021-05-11 18:51:57 +08:00
Jack Grigg
9a828febd7
Change `commit_ivk` to return a non-zero Pallas base field element
...
The type system now enforces that `ivk != 0`.
2021-05-11 18:51:57 +08:00
Jack Grigg
012d14073d
Remove rand 0.7 usage
...
Upstream redjubjub (on which our reddsa dependency is based) has
migrated to rand 0.8.
2021-05-09 07:51:55 +12:00
therealyingtong
db60fd2262
Add FixedPointShort associated type
2021-05-06 15:55:15 +08:00
therealyingtong
6a64bc1c37
Expose Point.add_incomplete()
2021-05-06 12:54:21 +08:00
therealyingtong
e82a76da2a
Remove unused OrchardFixedBases trait
2021-05-06 12:52:52 +08:00
Kris Nuttycombe
c9f1060bb9
Minor correction to type signature (naming)
2021-05-05 17:44:15 -06:00
Kris Nuttycombe
bf4532fd7d
Properly condition generators on flags.
2021-05-05 17:36:05 -06:00
Kris Nuttycombe
71736433d0
Rename arb_nonnegative_note_value -> arb_note_value_bounded
2021-05-05 17:23:21 -06:00
Kris Nuttycombe
3170096134
Publicly expose `MAX_NOTE_VALUE`
2021-05-05 17:19:42 -06:00
Kris Nuttycombe
6373d3d422
Fix incorrect generation for bsk/bvk consistency test.
2021-05-05 17:12:31 -06:00
Kris Nuttycombe
8f3f4a8479
Make note module public.
2021-05-05 14:05:17 -06:00
Kris Nuttycombe
6c681d0539
Generate uniformly distributed nullifiers.
2021-05-05 13:39:41 -06:00
Kris Nuttycombe
aa11eb1372
Derive the full range of ValueCommitment values.
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-05-05 12:02:50 -06:00
Kris Nuttycombe
e72d74ccd6
Remove extraneous pub exports from the root.
2021-05-05 11:46:24 -06:00
Kris Nuttycombe
7ea8900a58
Implement AsRef for Proof
2021-05-05 11:39:07 -06:00
Kris Nuttycombe
a08d060725
Remove unneeded pub(crate)
2021-05-05 11:23:30 -06:00
Kris Nuttycombe
226673938a
Pass flags to arbitrary action generators.
2021-05-05 11:21:45 -06:00
Kris Nuttycombe
88b8265165
Generate both spend and output values for actions.
2021-05-05 11:14:38 -06:00
therealyingtong
4f2b4d2935
Address review comments
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-05 20:23:29 +08:00
Kris Nuttycombe
a789b89135
Check both u64 max and min in ValueSum arithemetic.
2021-05-04 16:35:49 -06:00
therealyingtong
4bf6202c35
Modify ECC gadget to work with chip refactor
2021-05-04 12:11:28 +08:00
therealyingtong
b5de8e6c27
Only store Z_SHORT and U_SHORT for value_commit_v
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-04 05:05:32 +08:00
therealyingtong
380ed377de
Fix bug in Sinsemilla S generators and add test
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-04 03:24:11 +08:00
therealyingtong
11d90692e1
Fix bugs in value_commit_v, value_commit_r generators
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-04 02:04:56 +08:00
therealyingtong
119d721ecd
Use ArrayVec
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-03 23:58:41 +08:00
ying tong
1ee5392163
Documentation fixes
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-03 22:28:22 +08:00
Kris Nuttycombe
4afdeeeb76
Add mapping over bundle value balance.
2021-04-30 09:43:51 -06:00
Kris Nuttycombe
b1ac90b77a
Fix incorrect generator comments.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-04-30 08:02:09 -06:00
Kris Nuttycombe
a119a27ee7
Clean up value balance generation.
2021-04-30 07:59:46 -06:00
Kris Nuttycombe
25c90dda4b
Add fast generation for not-consensus-valid authorized bundles and actions.
2021-04-29 16:14:16 -06:00
Kris Nuttycombe
3c12877f87
Use a deterministic PRNG seeded from arb data for proptests.
2021-04-29 09:55:11 -06:00
Kris Nuttycombe
f91088d35b
Use builder to generate "valid" bundles via proptest.
2021-04-28 18:21:12 -06:00
Kris Nuttycombe
4d89d45332
Add proptest generators for action and bundle types.
2021-04-28 18:04:17 -06:00
Kris Nuttycombe
75573d331a
Add canonical byte conversions for value commitments.
2021-04-28 18:03:50 -06:00
Kris Nuttycombe
fc0f55d82b
Make ValueSum correctly respect the proper specified range.
2021-04-28 18:03:50 -06:00
Kris Nuttycombe
a5c9fb953b
Add accessors necessary for zip-225 write.
2021-04-28 18:02:36 -06:00
Kris Nuttycombe
e743198a50
Expose constructors required for ZIP-225 parsing.
2021-04-28 18:02:36 -06:00
Jack Grigg
d383ff5054
Fix clippy lints
2021-04-29 10:57:53 +12:00
Jack Grigg
223b7ac533
Replace signing metadata tuple with struct
...
This enables the dummy-only first field to be properly documented.
2021-04-29 10:40:23 +12:00
therealyingtong
de75c9538b
Update constants after hash_to_field fix ( zcash/pasta_curves@a119467 )
2021-04-28 20:53:14 +08:00
therealyingtong
13d7da3c45
Replace OrchardFixedBases enum with newtypes
...
Co-authored-by: Kris Nuttycombe <kris@electriccoin.co>
2021-04-28 20:53:14 +08:00
therealyingtong
e26b6c6123
Test every row in test_lagrange_coeffs() instead of using random scalar
2021-04-28 20:53:14 +08:00
therealyingtong
ce6e59bdb8
Address review comments
2021-04-28 20:53:14 +08:00
therealyingtong
17b66e1c6a
Remember u-values
2021-04-28 20:53:14 +08:00
therealyingtong
69d4c4c35a
Round up division for NUM_WINDOWS
2021-04-28 20:53:14 +08:00
therealyingtong
70ce1ca53f
Impl PartialOrd and Ord for OrchardFixedBases
2021-04-28 20:53:14 +08:00
therealyingtong
21060393fe
Remove redundant imports
2021-04-28 20:53:14 +08:00
therealyingtong
6cc957e998
Add constants for short signed scalar mul
2021-04-28 20:53:14 +08:00
therealyingtong
e4d6af620f
Add l_value to constants
2021-04-28 20:53:14 +08:00
therealyingtong
3381b15cd9
Use fixed-size array for windows in tables
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-04-28 20:53:14 +08:00
therealyingtong
d915097407
Implement Hash, PartialEq, Eq for OrchardFixedBases
2021-04-28 20:53:14 +08:00
therealyingtong
2c11f3a048
Add Orchard fixed bases and tests
2021-04-28 20:53:14 +08:00
therealyingtong
4f1f32dab0
Add Sinsemilla constants
2021-04-28 20:53:14 +08:00
therealyingtong
91fd290ffc
Add SWU hash-to-curve personalizations
2021-04-28 20:53:14 +08:00
Jack Grigg
186914166a
Use `zero` instead of `default` for empty values
2021-04-28 09:06:33 +12:00
Jack Grigg
30f01d122c
Bundle builder
2021-04-27 14:31:21 +12:00
Jack Grigg
497f7e0b86
Remove bundle::Unauthorized type
...
It is being replaced by context-specific unauthorized or
partially-authorized types. The only general type we need is Authorized
which is used in transactions.
2021-04-27 12:30:16 +12:00
Jack Grigg
316729302d
cargo fmt
2021-04-27 12:28:42 +12:00
Jack Grigg
a60051c8a2
Add from_raw constructors to NoteValue and ValueSum
...
These might be replaced later with APIs that can provide more useful
bounds checks, but we do need some way to construct these types.
2021-04-27 12:27:23 +12:00
Jack Grigg
52d87e257c
Return SpendingKey from Note::dummy
...
We need the spending keys to create valid spendAuth signatures for
Actions containing dummy spent notes.
2021-04-27 12:26:24 +12:00
Jack Grigg
5ec65c5d2a
Add a mutable context to Bundle::{try_}authorize
...
This enables us to work around lifetime restrictions on e.g. the
randomness source at signing time, where it is needed for both
per-Action and Bundle-level signatures.
2021-04-27 12:24:33 +12:00
Jack Grigg
29b3071c67
Fix doc comments for bundle flags
2021-04-27 09:10:32 +12:00
Kris Nuttycombe
36529629bc
Expose Flags constructor & accessors.
2021-04-27 09:04:03 +12:00
str4d
3dbebbe08b
Merge pull request #58 from zcash/proof-placeholder
...
Proving and verifying keys, and placeholder proof logic
2021-04-26 19:11:56 +01:00
str4d
0f6794f291
Merge pull request #70 from zcash/bundle-apis
...
Bundle APIs
2021-04-22 21:23:14 +01:00
Kris Nuttycombe
7d243ae60a
Apply suggestions from code review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-04-22 07:32:20 -06:00
Jack Grigg
4c4400cb63
Proving and verifying keys, and placeholder proof logic
2021-04-23 01:08:43 +12:00
Jack Grigg
f62bbbbb95
Small conversion helpers
2021-04-23 01:08:43 +12:00
Jack Grigg
35f65bb26a
Expose RedPallas rerandomization
2021-04-23 01:06:10 +12:00
str4d
4db3b54c8b
Generate dummy nullifiers with the same distribution as real ones
...
The x-coordinates of Pallas points are not uniformly distributed base field elements.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-04-22 13:54:17 +01:00
Jack Grigg
dbfbc66ac7
Add NoteValue::zero as an alias for NoteValue::default
2021-04-23 00:46:39 +12:00
Jack Grigg
77121facb7
Dummy note generation
2021-04-23 00:46:39 +12:00
Jack Grigg
3c2e32e156
Add some internal doc comments
2021-04-22 16:39:36 +12:00
Jack Grigg
09cca41ffb
Add getters for bundle and action internals
2021-04-22 16:39:36 +12:00
Jack Grigg
f1ad9d08de
Bundle and action constructors
2021-04-22 16:39:26 +12:00
Jack Grigg
01d241df7c
Rename some bundle and action variables to match the protocol spec
2021-04-22 16:38:17 +12:00
Jack Grigg
5dbcbf28fb
Bundle Authorization transformations
2021-04-22 16:37:31 +12:00
str4d
ea278aafcb
Merge pull request #63 from zcash/note-commitment-updates
...
Note commitment updates
2021-04-22 01:23:05 +01:00
Jack Grigg
bdaf9d06cc
clippy: Allow binary operators in IncompletePoint addition
...
It's not suspicious, it's constant time! :D
2021-04-22 12:09:32 +12:00
Jack Grigg
09e70cb6e3
Improve performance of IncompletePoint addition
...
We only need to track the occurrence of any edge cases, and we can do so
without expensive inversions at every addition step, by instead
performing the checks on the projective form directly.
2021-04-22 12:01:59 +12:00
str4d
31d1a67837
Expand documentation of conditions on SpendingKeys
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-04-21 23:28:32 +01:00
Jack Grigg
c7b9ce0ea9
Fix a clippy lint
...
This was leftover after an intermediate refactor that introduced
`hash_to_point_inner`.
2021-04-20 23:57:59 +12:00
Jack Grigg
b1286b4e94
Fix bundle::Action to hold cmx instead of cm
2021-04-20 10:26:58 +12:00
Jack Grigg
c08d12cc52
Use incomplete addition in SinsemillaHashToPoint
...
This requires exposing the ⊥ case throughout the return types. We
prevent it from propagating into the Orchard note and key types by
ensuring that:
- When we generate keys or notes, if we encounter ⊥ we discard and
re-generate.
- When we construct keys or notes via any other pathway (e.g. parsing
from bytes), we check for and reject ⊥.
2021-04-20 10:05:56 +12:00
Jack Grigg
907ff46078
Simulate incomplete addition
...
Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.
2021-04-20 10:04:44 +12:00
Jack Grigg
badaf23f25
Implement ValueCommit^Orchard
2021-04-15 17:08:06 +12:00
Jack Grigg
4c34a61c57
Use const generics for poseidon::ConstantLength
2021-03-30 14:13:15 +13:00
str4d
92cfa372e0
Merge pull request #44 from zcash/note-structure
...
Note structure
2021-03-30 14:01:56 +13:00
Jack Grigg
0f8c5b7dd3
Document TODO for SinsemillaShortCommit usage
...
https://github.com/zcash/orchard/issues/55
2021-03-30 13:55:29 +13:00
Jack Grigg
3b14cfc133
Fix link to NU5 protocol spec draft
2021-03-30 13:54:23 +13:00
Jack Grigg
5646ada113
Make nk the first argument to Nullifier::derive
...
This more closely matches DeriveNullifier in the spec.
2021-03-30 13:52:20 +13:00
Jack Grigg
061ad0656b
Refactor Poseidon primitive to use const generics
2021-03-26 09:07:38 +13:00
Jack Grigg
0f6eb9ca6c
Nullifier derivation
2021-03-26 07:51:05 +13:00
Jack Grigg
1a37ca492d
Extract spec::mod_r_p helper from spec::commit_ivk
2021-03-26 07:51:05 +13:00
Jack Grigg
680c917ce6
Note commitment derivation
2021-03-26 07:51:05 +13:00
str4d
ee2bfa7f43
Merge pull request #41 from zcash/poseidon-primitive
...
Poseidon primitive
2021-03-26 07:36:45 +13:00
therealyingtong
a2c1bfb52a
Remove unnecessary clone()
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:30:03 +08:00
therealyingtong
9c75839e62
Minor changes
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:25:28 +08:00
therealyingtong
7a210fabf3
Store HashDomain in CommitDomain
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:11:13 +08:00
therealyingtong
18fba2a62e
Add getters for Q() and R()
2021-03-24 12:10:37 +08:00
therealyingtong
873e1b7d7e
Call hash_to_curve() only when constructing new domain
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-03-24 12:10:37 +08:00
ying tong
946b50ebfe
Add documentation
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-03-24 12:09:11 +08:00
therealyingtong
a3134e34c5
Introduce HashDomain and CommitDomain traits
...
Co-authored-by: Jack Grigg <thestr4d@gmail.com>
2021-03-24 12:09:11 +08:00
therealyingtong
ee969a64a8
Add Sinsemilla constants
2021-03-24 12:09:11 +08:00
Jack Grigg
b8f02c3b32
Temporarily allow dead code
...
This will make the lints more useful while we are implementing the
Orchard protocol.
2021-03-20 18:31:22 +13:00
Jack Grigg
1ceb60379f
poseidon: Clarify that R_F must be even
2021-03-18 16:47:06 +13:00
Jack Grigg
4c3e20535d
poseidon: s/arity/width
...
To match the paper more closely (arity specifically refers to Merkle
tree instantiations).
2021-03-18 16:47:04 +13:00
Jack Grigg
2beb6c3e82
Invert the Poseidon test vectors for Orchard
...
We now hard-code the Poseidon round constants and MDS for the Poseidon
specification used for Orchard nullifiers, as produced by the reference
implementation, and test that our constant generation can recreate them.
2021-03-18 16:47:01 +13:00
Jack Grigg
872471af17
Fix Poseidon instance definition
...
For Orchard, we want a Poseidon instance with a width of 3 field
elements and an output of one field element. The Poseidon instances
defined in the Poseidon paper have their output size equal to their
capacity size; with a capacity of 1 and pallas::Base as the field,
Poseidon-128 has the corresponding security level.
We do deviate from the paper's instance by adding a single partial
round, which makes the circuit easier to implement in Halo 2.
2021-03-18 16:39:09 +13:00
Jack Grigg
761dea6cc1
Implement domain separation for poseidon::Hash
...
Domain separation is implemented as specified in the Poseidon paper.
We only require constant-input-length hashing.
2021-03-18 16:38:59 +13:00
Jack Grigg
c578c22fe8
Silence clippy needless_range_loop warnings
...
I'm using range loops explicitly to make certain logic clearer.
2021-03-18 16:38:30 +13:00
Jack Grigg
6bcfecd039
Add poseidon::Spec::Rate associated type
...
This removes the need for specifying the rate at runtime, and removes
the remaining heap allocations from Duplex::absorb and Duplex::squeeze.
2021-03-18 16:38:28 +13:00
Jack Grigg
6548666e37
Add poseidon::Spec::State associated type
...
We reuse this type for the per-round round constants, and rows of the
MDS, to provide some type-level same-length guarantees. Once we can use
const generics, these will all be replaced by [F; Spec::ARITY].
2021-03-18 16:38:26 +13:00
Jack Grigg
5c8e9beea7
Simplify poseidon::Spec and remove poseidon::Generic
...
Poseidon specifications are now all concrete, and only generation of
constants at runtime requires an instance of the specification.
2021-03-18 16:38:23 +13:00
Jack Grigg
266705166f
Poseidon duplex sponge and hash function
2021-03-18 16:38:21 +13:00
Jack Grigg
9a2c1b0217
Make poseidon::Generic specific to SboxType::Pow
...
We don't currently require SboxType::Inv, so let's simplify for now.
2021-03-18 16:38:17 +13:00
Jack Grigg
8408f4690c
Rename poseidon::PoseidonSpec trait to poseidon::Spec
2021-03-18 16:38:14 +13:00
Jack Grigg
3fb5bf8344
Modify constant generation to match reference implementation
2021-03-18 16:38:07 +13:00
Jack Grigg
e1719c42bc
Add test vectors from the reference implementation
...
These are generated using v1.1 of the reference implementation.
2021-03-18 16:38:06 +13:00
Jack Grigg
84907c50e1
Poseidon specification and constants
2021-03-18 16:37:36 +13:00
Jack Grigg
3911fb3202
Use Pallas directly from pasta_curves crate
2021-03-18 15:06:16 +13:00
str4d
05e86a4d98
Reuse the hasher inside diversify_hash
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-18 13:39:04 +13:00
str4d
51fd94df72
Fix section numbers after spec changes
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-03-18 13:38:11 +13:00
Jack Grigg
861eec1765
Document sinsemilla::Pad
2021-03-18 08:30:22 +13:00
Jack Grigg
42ea809b64
Update protocol spec references
2021-03-18 08:30:22 +13:00
Jack Grigg
e0417268ad
Make address generation infallible again
...
DiversifyHash is altered to replace the identity with another fixed
point that is known to not be the identity.
2021-03-18 08:30:22 +13:00
Jack Grigg
8e55b46dbf
Deduplicate default address generation
2021-03-16 10:01:50 +13:00
Jack Grigg
3c8befa0f3
Remove TODO from extract_p
...
The protocol spec now returns \mathbb{P}_x instead of a bit sequence,
matching what we do here.
2021-03-16 09:36:59 +13:00
Jack Grigg
46bf89c122
Update ivk derivation to match latest protocol spec draft
2021-03-16 09:33:07 +13:00
Jack Grigg
e0b40cb3cb
FullViewingKey::address_at(impl Into<DiversifierIndex>)
...
This is a more usable API, which we can use when we have the full
viewing key and can obtain the DiversifierKey.
2021-03-16 09:20:45 +13:00
Jack Grigg
e98f324d7d
Ensure diversify_hash does not return the identity
...
This makes diversified address generation fallible (though with
negligible probability). We expose this to users, so they can decide how
to handle it (either just unwrapping, or incrementing the diversifier
index).
We alter spending key construction to reject spending keys that would
not result in a default address (with diversifier index 0).
2021-03-16 09:03:44 +13:00
Jack Grigg
f7cad7762a
Add clarifying note about nomenclature
...
There's no point in documenting everything as being an Orchard whizzbang.
We are in the `orchard` crate, so the context should be obvious. This
also fits with the standard Rust naming guideline of not duplicating
module names in type name prefixes (`foo::bar::BarThing`).
2021-03-09 10:39:02 +13:00