Fix bugs in testnet Orchard circuit

The consensus branch ID is updated (as the NU5 consensus rules are
altered). The testnet NU5 activation height is also reset.

.cargo/config.offline

@@ -11,11 +11,6 @@ git = "https://github.com/str4d/redjubjub.git"
 rev = "416a6a8ebf8bd42c114c938883016c04f338de72"
 replace-with = "vendored-sources"
 
-[source."https://github.com/zcash/halo2.git"]
-git = "https://github.com/zcash/halo2.git"
-rev = "a7cd600eb60b1528159b92af5e426adcc615de1a"
-replace-with = "vendored-sources"
-
 [source."https://github.com/zcash/incrementalmerkletree"]
 git = "https://github.com/zcash/incrementalmerkletree"
 rev = "b7bd6246122a6e9ace8edb51553fbf5228906cbb"
@@ -23,12 +18,12 @@ replace-with = "vendored-sources"
 
 [source."https://github.com/zcash/librustzcash.git"]
 git = "https://github.com/zcash/librustzcash.git"
-rev = "bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 replace-with = "vendored-sources"
 
 [source."https://github.com/zcash/orchard.git"]
 git = "https://github.com/zcash/orchard.git"
-rev = "8779ce8f1a638ebbc9b229d4eff3a29ef4de7ac0"
+rev = "2c8241f25b943aa05203eacf9905db117c69bd29"
 replace-with = "vendored-sources"
 
 [source.vendored-sources]

Cargo.lock

@@ -534,7 +534,7 @@ checksum = "c34f04666d835ff5d62e058c3995147c06f42fe86ff053337632bca83e42702d"
 [[package]]
 name = "equihash"
 version = "0.1.0"
-source = "git+https://github.com/zcash/librustzcash.git?rev=bfd083b339e0a21e9663d8c269f79fcc57eb742d#bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 dependencies = [
  "blake2b_simd",
  "byteorder",
@@ -543,7 +543,7 @@ dependencies = [
 [[package]]
 name = "f4jumble"
 version = "0.0.0"
-source = "git+https://github.com/zcash/librustzcash.git?rev=bfd083b339e0a21e9663d8c269f79fcc57eb742d#bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 dependencies = [
  "blake2b_simd",
 ]
@@ -665,8 +665,9 @@ dependencies = [
 
 [[package]]
 name = "halo2"
-version = "0.0.1"
-source = "git+https://github.com/zcash/halo2.git?rev=a7cd600eb60b1528159b92af5e426adcc615de1a#a7cd600eb60b1528159b92af5e426adcc615de1a"
+version = "0.1.0-beta.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f186b85ed81082fb1cf59d52b0111f02915e89a4ac61d292b38d075e570f3a9"
 dependencies = [
  "blake2b_simd",
  "ff",
@@ -1123,7 +1124,7 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
 [[package]]
 name = "orchard"
 version = "0.0.0"
-source = "git+https://github.com/zcash/orchard.git?rev=8779ce8f1a638ebbc9b229d4eff3a29ef4de7ac0#8779ce8f1a638ebbc9b229d4eff3a29ef4de7ac0"
+source = "git+https://github.com/zcash/orchard.git?rev=2c8241f25b943aa05203eacf9905db117c69bd29#2c8241f25b943aa05203eacf9905db117c69bd29"
 dependencies = [
  "aes",
  "arrayvec 0.7.1",
@@ -1895,7 +1896,7 @@ dependencies = [
 [[package]]
 name = "zcash_address"
 version = "0.0.0"
-source = "git+https://github.com/zcash/librustzcash.git?rev=bfd083b339e0a21e9663d8c269f79fcc57eb742d#bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 dependencies = [
  "bech32",
  "blake2b_simd",
@@ -1907,7 +1908,7 @@ dependencies = [
 [[package]]
 name = "zcash_encoding"
 version = "0.0.0"
-source = "git+https://github.com/zcash/librustzcash.git?rev=bfd083b339e0a21e9663d8c269f79fcc57eb742d#bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 dependencies = [
  "byteorder",
  "nonempty",
@@ -1916,7 +1917,7 @@ dependencies = [
 [[package]]
 name = "zcash_history"
 version = "0.2.0"
-source = "git+https://github.com/zcash/librustzcash.git?rev=bfd083b339e0a21e9663d8c269f79fcc57eb742d#bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 dependencies = [
  "bigint",
  "blake2b_simd",
@@ -1926,7 +1927,7 @@ dependencies = [
 [[package]]
 name = "zcash_note_encryption"
 version = "0.0.0"
-source = "git+https://github.com/zcash/librustzcash.git?rev=bfd083b339e0a21e9663d8c269f79fcc57eb742d#bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 dependencies = [
  "blake2b_simd",
  "byteorder",
@@ -1941,7 +1942,7 @@ dependencies = [
 [[package]]
 name = "zcash_primitives"
 version = "0.5.0"
-source = "git+https://github.com/zcash/librustzcash.git?rev=bfd083b339e0a21e9663d8c269f79fcc57eb742d#bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 dependencies = [
  "aes",
  "bip0039",
@@ -1975,7 +1976,7 @@ dependencies = [
 [[package]]
 name = "zcash_proofs"
 version = "0.5.0"
-source = "git+https://github.com/zcash/librustzcash.git?rev=bfd083b339e0a21e9663d8c269f79fcc57eb742d#bfd083b339e0a21e9663d8c269f79fcc57eb742d"
+source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e"
 dependencies = [
  "bellman",
  "blake2b_simd",

Cargo.toml

@@ -69,11 +69,10 @@ codegen-units = 1
 
 [patch.crates-io]
 ed25519-zebra = { git = "https://github.com/ZcashFoundation/ed25519-zebra.git", rev = "d3512400227a362d08367088ffaa9bd4142a69c7" }
-halo2 = { git = "https://github.com/zcash/halo2.git", rev = "a7cd600eb60b1528159b92af5e426adcc615de1a" }
 incrementalmerkletree = { git = "https://github.com/zcash/incrementalmerkletree", rev = "b7bd6246122a6e9ace8edb51553fbf5228906cbb" }
-orchard = { git = "https://github.com/zcash/orchard.git", rev = "8779ce8f1a638ebbc9b229d4eff3a29ef4de7ac0" }
-zcash_address = { git = "https://github.com/zcash/librustzcash.git", rev = "bfd083b339e0a21e9663d8c269f79fcc57eb742d" }
-zcash_history = { git = "https://github.com/zcash/librustzcash.git", rev = "bfd083b339e0a21e9663d8c269f79fcc57eb742d" }
-zcash_note_encryption = { git = "https://github.com/zcash/librustzcash.git", rev = "bfd083b339e0a21e9663d8c269f79fcc57eb742d" }
-zcash_primitives = { git = "https://github.com/zcash/librustzcash.git", rev = "bfd083b339e0a21e9663d8c269f79fcc57eb742d" }
-zcash_proofs = { git = "https://github.com/zcash/librustzcash.git", rev = "bfd083b339e0a21e9663d8c269f79fcc57eb742d" }
+orchard = { git = "https://github.com/zcash/orchard.git", rev = "2c8241f25b943aa05203eacf9905db117c69bd29" }
+zcash_address = { git = "https://github.com/zcash/librustzcash.git", rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e" }
+zcash_history = { git = "https://github.com/zcash/librustzcash.git", rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e" }
+zcash_note_encryption = { git = "https://github.com/zcash/librustzcash.git", rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e" }
+zcash_primitives = { git = "https://github.com/zcash/librustzcash.git", rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e" }
+zcash_proofs = { git = "https://github.com/zcash/librustzcash.git", rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e" }

doc/release-notes.md

@@ -4,6 +4,56 @@ release-notes at release time)
 Notable changes
 ===============
 
+Fixed bugs in the testnet Orchard circuit
+-----------------------------------------
+
+In the `zcashd v4.5.0` release notes we indicated that a testnet rollback might
+occur to update the consensus rules, if we needed to make backwards-incompatible
+changes. Shortly after `zcashd v4.5.0` was released, during another internal
+review of the Orchard circuit, we identified two bugs that would affect the
+upcoming testnet activation of NU5:
+
+- The diversifier base `g_d_old`, for the note being spent, is required to be a
+  non-identity point. A note created from a payment address with `g_d` set to
+  the identity (via collaboration between sender and recipient) could be spent
+  multiple times with different nullifiers (corresponding to different `ivk`s).
+  The code outside the circuit correctly enforced the non-identity requirement,
+  but the circuit did not correctly constrain this, and allowed the prover to
+  witness the identity.
+
+- SinsemillaCommit can be modeled as a Pedersen commitment to an output of
+  SinsemillaHash: `SinsemillaCommit(r, M) = SinsemillaHashToPoint(M) + [r] R`.
+  The specification used incomplete addition here, matching its use inside
+  SinsemillaHash. However, unlike in SinsemillaHash, an exceptional case can be
+  produced here when `r = 0`. The derivations of `rivk` (for computing `ivk`)
+  and `rcm` (for computing the note commitment) normally ensure that `r = 0`
+  can only occur with negligible probability, but these derivations are not
+  checked by the circuit for efficiency; thus SinsemillaCommit needs to use
+  complete addition.
+
+These bugs do not affect mainnet, as `zcashd v4.5.0` only set the activation
+height for NU5 on testnet for testing purposes. Nevertheless, in the interest of
+keeping the testnet environment as close to mainnet as possible, we are fixing
+these bugs immediately. This means a change to the NU5 consensus rules, and a
+new testnet activation height for NU5.
+
+To this end, the following changes are made in `zcashd v4.5.1`:
+
+- The consensus branch ID for NU5 is changed to `0x37519621`.
+- The protocol version indicating NU5-aware testnet nodes is set to `170015`.
+- The testnet activation height for NU5 is set to **1,599,200**.
+
+Testnet nodes that upgrade to `zcashd v4.5.1` prior to block height 1,590,000
+will follow the new testnet network upgrade. Testnet nodes that are running
+`zcashd v4.5.0` at that height will need to upgrade to `v4.5.1` and then run
+with `-reindex`.
+
+As always, it is possible that further backwards-incompatible changes might be
+made to the NU5 consensus rules in this testing phase, prior to setting the
+mainnet activation height, as we continue to conduct additional internal review.
+In the event that this happens, testnet will be rolled back in (or prior to)
+v5.0.0, and a new testnet activation will occur.
+
 Fixed regression in `getbalance` RPC method
 -------------------------------------------
 

qa/rpc-tests/feature_zip244_blockcommitments.py

@@ -7,9 +7,14 @@
 from test_framework.blocktools import derive_block_commitments_hash
 from test_framework.test_framework import BitcoinTestFramework
 from test_framework.util import (
+    BLOSSOM_BRANCH_ID,
+    CANOPY_BRANCH_ID,
+    HEARTWOOD_BRANCH_ID,
+    NU5_BRANCH_ID,
     assert_equal,
     bytes_to_hex_str,
     hex_str_to_bytes,
+    nuparams,
     start_nodes,
 )
 
@@ -24,12 +29,10 @@ class AuthDataRootTest(BitcoinTestFramework):
 
     def setup_nodes(self):
         return start_nodes(self.num_nodes, self.options.tmpdir, extra_args=[[
-            '-nuparams=5ba81b19:1', # Overwinter
-            '-nuparams=76b809bb:1', # Sapling
-            '-nuparams=2bb40e60:201', # Blossom
-            '-nuparams=f5b9230b:201', # Heartwood
-            '-nuparams=e9ff75a6:201', # Canopy
-            '-nuparams=f919a198:205', # NU5
+            nuparams(BLOSSOM_BRANCH_ID, 201),
+            nuparams(HEARTWOOD_BRANCH_ID, 201),
+            nuparams(CANOPY_BRANCH_ID, 201),
+            nuparams(NU5_BRANCH_ID, 205),
             '-nurejectoldversions=false',
         ]] * self.num_nodes)
 

qa/rpc-tests/mempool_nu_activation.py

@@ -6,7 +6,12 @@
 from test_framework.test_framework import BitcoinTestFramework
 from test_framework.mininode import NU5_PROTO_VERSION
 from test_framework.util import (
+    BLOSSOM_BRANCH_ID,
+    CANOPY_BRANCH_ID,
+    HEARTWOOD_BRANCH_ID,
+    NU5_BRANCH_ID,
     assert_equal, assert_true,
+    nuparams,
     start_node, connect_nodes, wait_and_assert_operationid_status,
     get_coinbase_address
 )
@@ -25,10 +30,10 @@ class MempoolUpgradeActivationTest(BitcoinTestFramework):
 
     def setup_network(self):
         args = ["-checkmempool", "-debug=mempool", "-blockmaxsize=4000",
-            "-nuparams=2bb40e60:200", # Blossom
-            "-nuparams=f5b9230b:210", # Heartwood
-            "-nuparams=e9ff75a6:220", # Canopy
-            "-nuparams=f919a198:230", # NU5
+            nuparams(BLOSSOM_BRANCH_ID, 200),
+            nuparams(HEARTWOOD_BRANCH_ID, 210),
+            nuparams(CANOPY_BRANCH_ID, 220),
+            nuparams(NU5_BRANCH_ID, 230),
         ]
         self.nodes = []
         self.nodes.append(start_node(0, self.options.tmpdir, args))

qa/rpc-tests/test_framework/mininode.py

@@ -52,7 +52,7 @@ SPROUT_PROTO_VERSION = 170002  # past bip-31 for ping/pong
 OVERWINTER_PROTO_VERSION = 170003
 SAPLING_PROTO_VERSION = 170006
 BLOSSOM_PROTO_VERSION = 170008
-NU5_PROTO_VERSION = 170014
+NU5_PROTO_VERSION = 170015
 
 MY_SUBVERSION = b"/python-mininode-tester:0.0.3/"
 

qa/rpc-tests/test_framework/util.py

@@ -40,7 +40,7 @@ SAPLING_BRANCH_ID = 0x76B809BB
 BLOSSOM_BRANCH_ID = 0x2BB40E60
 HEARTWOOD_BRANCH_ID = 0xF5B9230B
 CANOPY_BRANCH_ID = 0xE9FF75A6
-NU5_BRANCH_ID = 0xF919A198
+NU5_BRANCH_ID = 0x37519621
 
 # The maximum number of nodes a single test can spawn
 MAX_NODES = 8

src/chainparams.cpp

@@ -133,7 +133,7 @@ public:
         consensus.vUpgrades[Consensus::UPGRADE_CANOPY].nActivationHeight = 1046400;
         consensus.vUpgrades[Consensus::UPGRADE_CANOPY].hashActivationBlock =
             uint256S("00000000002038016f976744c369dce7419fca30e7171dfac703af5e5f7ad1d4");
-        consensus.vUpgrades[Consensus::UPGRADE_NU5].nProtocolVersion = 170015;
+        consensus.vUpgrades[Consensus::UPGRADE_NU5].nProtocolVersion = 170017;
         consensus.vUpgrades[Consensus::UPGRADE_NU5].nActivationHeight =
             Consensus::NetworkUpgrade::NO_ACTIVATION_HEIGHT;
         consensus.vUpgrades[Consensus::UPGRADE_ZFUTURE].nProtocolVersion = 0x7FFFFFFF;
@@ -417,8 +417,8 @@ public:
         consensus.vUpgrades[Consensus::UPGRADE_CANOPY].nActivationHeight = 1028500;
         consensus.vUpgrades[Consensus::UPGRADE_CANOPY].hashActivationBlock =
             uint256S("01a4d7c6aada30c87762c1bf33fff5df7266b1fd7616bfdb5227fa59bd79e7a2");
-        consensus.vUpgrades[Consensus::UPGRADE_NU5].nProtocolVersion = 170014;
-        consensus.vUpgrades[Consensus::UPGRADE_NU5].nActivationHeight = 1590000;
+        consensus.vUpgrades[Consensus::UPGRADE_NU5].nProtocolVersion = 170015;
+        consensus.vUpgrades[Consensus::UPGRADE_NU5].nActivationHeight = 1599200;
         consensus.vUpgrades[Consensus::UPGRADE_ZFUTURE].nProtocolVersion = 0x7FFFFFFF;
         consensus.vUpgrades[Consensus::UPGRADE_ZFUTURE].nActivationHeight =
             Consensus::NetworkUpgrade::NO_ACTIVATION_HEIGHT;
@@ -663,7 +663,7 @@ public:
         consensus.vUpgrades[Consensus::UPGRADE_CANOPY].nProtocolVersion = 170012;
         consensus.vUpgrades[Consensus::UPGRADE_CANOPY].nActivationHeight =
             Consensus::NetworkUpgrade::NO_ACTIVATION_HEIGHT;
-        consensus.vUpgrades[Consensus::UPGRADE_NU5].nProtocolVersion = 170014;
+        consensus.vUpgrades[Consensus::UPGRADE_NU5].nProtocolVersion = 170015;
         consensus.vUpgrades[Consensus::UPGRADE_NU5].nActivationHeight =
             Consensus::NetworkUpgrade::NO_ACTIVATION_HEIGHT;
         consensus.vUpgrades[Consensus::UPGRADE_ZFUTURE].nProtocolVersion = 0x7FFFFFFF;

src/consensus/upgrades.cpp

@@ -45,7 +45,7 @@ const struct NUInfo NetworkUpgradeInfo[Consensus::MAX_NETWORK_UPGRADES] = {
         .strInfo = "See https://z.cash/upgrade/canopy/ for details.",
     },
     {
-        .nBranchId = 0xf919a198,
+        .nBranchId = 0x37519621,
         .strName = "NU5",
         .strInfo = "See https://z.cash/upgrade/nu5/ for details.",
     },

src/version.h

@@ -9,7 +9,7 @@
  * network protocol versioning
  */
 
-static const int PROTOCOL_VERSION = 170014;
+static const int PROTOCOL_VERSION = 170015;
 
 //! initial proto version, to be increased after version/verack negotiation
 static const int INIT_PROTO_VERSION = 209;