From 83074b262893dd14bcec9b3d00dda6b4eff0275f Mon Sep 17 00:00:00 2001
From: ying tong
Date: Thu, 27 May 2021 12:53:27 +0800
Subject: [PATCH] Document decoding of ephemeral_key from epk

Co-authored-by: Daira Hopwood
---
 orchard_note_encryption.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/orchard_note_encryption.py b/orchard_note_encryption.py
index dc1cdfc..f4d3eec 100644
--- a/orchard_note_encryption.py
+++ b/orchard_note_encryption.py
@@ -112,6 +112,10 @@ class TransmittedNoteCipherText(object):
 return None
 shared_secret = OrchardKeyAgreement.agree(ivk, epk)
+ # The protocol spec says to take `ephemeral_key` as input to decryption
+ # and to decode epk from it. That is required for consensus compatibility
+ # in Sapling decryption before ZIP 216, but the reverse is okay here
+ # because Pallas points have no non-canonical encodings.
 ephemeral_key = bytes(epk)
 k_enc = kdf_orchard(shared_secret, ephemeral_key)
 p_enc = OrchardSym.decrypt(k_enc, self.c_enc)
@@ -144,6 +148,10 @@ class TransmittedNoteCipherText(object):
 return (note, np.memo)
 def decrypt_using_ovk(self, ovk, rseed, rho, cv, cm_star):
+ # The protocol spec says to take `ephemeral_key` as input to decryption
+ # and to decode epk from it. That is required for consensus compatibility
+ # in Sapling decryption before ZIP 216, but the reverse is okay here
+ # because Pallas points have no non-canonical encodings.
 ock = prf_ock_orchard(ovk, bytes(cv), bytes(cm_star.extract()), bytes(self.epk))
 op = OrchardSym.decrypt(ock, self.c_out)
 if op is None:
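Review bot: The justification in both added comments is incomplete: for `bytes(epk)` to equal the spec's `ephemeral_key` input it is not enough that Pallas points have no non-canonical encodings, the `epk` handed to this method must also have come from a decoding of `ephemeral_key` that rejects invalid encodings, otherwise a ciphertext the spec would reject at decode time could be accepted here; that decoding happens outside both hunks, so this should be confirmed against the caller. I would extend the first comment with `# This also assumes epk was obtained by decoding ephemeral_key with a decoder that rejects invalid encodings, so bytes(epk) round-trips to the original input.` The second hunk repeats the same four lines verbatim above the `prf_ock_orchard` call in `decrypt_using_ovk`; a one-line pointer such as `# bytes(self.epk) stands in for the spec's ephemeral_key input; see the comment in the ivk decryption path above.` would keep the two from drifting apart. Both enclosing methods start or end outside their hunks.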