Check Orchard bundle-specific consensus rules, i.e. proofs
This obviously doesn't check the correct proofs yet, but this adds the consensus rule machinery so that when the circuit is implemented, we just need to upgrade the `orchard` dependency.
Closeszcash/zcash#5195.
We are already checking the other bundle-specific consensus rules:
- Encodings are checked during transaction parsing.
- Signatures are batch-validated.
Closeszcash/zcash#5195.
This missing was causing `hashBlockCommitments` to be incorrectly computed
in mined blocks, due to the specific way the coinbase transaction gets
constructed. This went unnoticed when the default `authDigest` for legacy
transactions was the null hash, but was exposed when that changed to
`[0xFF; 32]`.
We compute block commitments ahead of their usage to avoid deriving them
multiple times. However, we only want to derive them for blocks if they
are needed; in particular, deriving hashChainHistoryRoot prior to
Heartwood activation can result in an invalid empty tree being generated.
Move OrchardBundle to its own header file.
This is a prerequisite to the incremental merkle tree
work that otherwise would need to introduce a cyclic
dependency on transaction.h.
Implement Orchard signature validation consensus rules
Implemented via an `AuthValidator` class that internally uses batch validation.
- Currently, only RedPallas signatures are batch-validated. We can extend
this validator to cover Halo 2 proofs in the future.
- Signatures in a batch are not retried individually if the batch fails:
- For per-transaction batching (when adding to the mempool), we don't
care which signature within the transaction failed.
- For per-block batching, we currently don't care which transaction
failed. We might do so in future, at which point this behaviour can
be easily changed.
Closeszcash/zcash#5194.
The orchard crate was pinning a specific rev of zcash_note_encryption
which prevented CI from vendoring the crate dependencies. Now orchard
uses a patch, which enables us to similarly patch here to get the
correct crate versions throughout our tree (while the crates are still
in flux).
- Currently, only RedPallas signatures are batch-validated. We can extend
this validator to cover Halo 2 proofs in the future.
- Signatures in a batch are not retried individually if the batch fails:
- For per-transaction batching (when adding to the mempool), we don't
care which signature within the transaction failed.
- For per-block batching, we currently don't care which transaction
failed. We might do so in future, at which point this behaviour can
be easily changed.