This is more generally useful for debugging purposes than the default
`Debug` impl for `&[u8]`.
We also provide an alternate `Debug` impl for `legacy::Script` that
parses and renders known opcodes. Note that we only parse a subset of
the full opcode set.
Extracted from: c8e2d81f58
This method is only called from `try_output_recovery_with_ock`, and we
can instead rely on the check performed in `check_note_validity`,
reducing the number of checks that `Domain` implementations need to
perform.
The `esk` and `ephemeral_key` parameters become unused, and will be
removed in a subsequent commit (as this change needs to be synchronized
with the `orchard` crate).
Extracted from: a115a8f00f
The `Domain::Note` type is now expected to contain information about the
recipient of the note, eliminating the need to pass this information in
via the encryption context.
Extracted from: c88f3e1b9d
This was only used to provide example code for Sapling usage of
the `NoteEncryption` struct; this example code has been moved
to `sapling::note_encryption`.
Extracted from: 29220c716f
This modifies wallet scanning to perform per-block batched
decryption. It also alters the structure of the `ScanningKey`
trait to correctly include internal (change) keys in the scan
process.
Extracted from: 73314dc682
While it is necessary in the worst case to perform `m * n` decryptions,
where `m` is the number of outputs being decrypted and `n` is the number
of IVKs, it is possible to stop performing trial decryptions when the
first successful decryption is performed. Also, it's inconvenient and
unnecessary to return the full cartesian product of these results, as
only one IVK will decrypt a given output. This commit modifies batch
trial decryption to stop on the first successful decryption, and instead
of returning the cartesian product of results we return the index of the
input IVK along with the output it decrypted. Note that this means that
trial decryption is not constant-time with respect to the number and/or
order of IVKs.
Extracted from: 5873950648
Previously we were returning the ciphertext as a slice, and then
asserting its length within the APIs the caller passed it into. Now
instead we require the caller to define whether or not the output is
compact, to make the API more predictable.
This doesn't place any additional constraints on users of this trait,
because the assertions already prevented a full output from being passed
to a compact trial decryption API.
Extracted from: 4fcd83d74e
`Domain::derive_esk` provides sufficient information to determine
whether or not we need to enforce `EphemeralSecretKey`-specific
decryption checks, as it returns `None` for pre-ZIP 212 notes.
Extracted from: d54e1f0bf7
`Domain::parse_note_plaintext_without_memo_ivk` is used with both full
note plaintexts and compact notes, so continues to accept a slice. For
all other `Domain` APIs, we constrain the input to `NotePlaintextBytes`
or `OutPlaintextBytes` as appropriate.
Extracted from: 7c1687dcc1
This replaces the `ShieldedOutput::epk() -> &Domain::EphemeralPublicKey`
which could not be satisfied by output types that did not parse epk.
Extracted from: c7c79d266e
Decrypted output size is `OUT_PLAINTEXT_BYTES`, which the decryptor
can always provide (either by decrypting into the correct size array
as now, or truncating the buffer before passing it to the domain).
Extracted from: 362838c3fa
This was left over from an earlier refactor where we could call a domain
API to extract cmstar from a note commitment (which could fail for
Orchard). This part of extraction was subsequently refactored into the
domain logic (and is rejected earlier for Orchard). The resulting bound
is wrong because it's always possible to serialize a scalar.
Extracted from: ee2b96c82d
This change modifies note encryption and decryption functions
to treat a shielded output as a single value instead of handling
the parts of an output as independent arguments.
Extracted from: 324fc36521
Jack Grigg
Kris Nuttycombe
Daira Hopwood
Kris Nuttycombe
jarys
Kris Nuttycombe