701adc38cb
ZIP212 implementation

Closes #4557.

(description by @ebfull, taken from #4575)

* The `SaplingNote` structure has a new enum called `zip212Enabled`. This member is private and reflects whether the note was or is being created using the derivation method of ZIP 212 (i.e., `BeforeZip212` or `AfterZip212`).
* The `SaplingNotePlaintext` structure has a new unsigned char member `leadbyte`. This member is private and contains the leading byte of the plaintext (e.g. `0x01`, `0x02`).
* The serialization of `SaplingNotePlaintext` sets `zip212Enabled` to `BeforeZip212` iff the serialized note plaintext version is not `0x01`.
* The `r`/`rcm` fields have been removed and replaced with a private field `rseed`. `SaplingNote` and `SaplingNotePlaintext` now have a helper method `rcm()` which returns the `rcm` either by deriving it with `rseed` (if `zip212Enabled` is `AfterZip212`) or returning `rseed` by interpreting `rseed` as `rcm`.
* All the methods of obtaining a `SaplingNote` account for these changes:
  - The `SaplingNote` constructor that is used by e.g. the transaction builder, and internally samples random `rcm`, now takes a `zip212Enabled` argument to decide whether to sample `rcm` the "old" way or the "new" way.
  - The bare constructor for `SaplingNote` is removed.
  - The other constructor which takes the raw contents of the note is only used in tests or in `Note.cpp`, but now also takes a `zip212Enabled` argument.
  - The other way of obtaining a note, by calling `SaplingNotePlaintext::note()`, has been adjusted.
* The `SaplingNotePlaintext` class now has a `generate_or_derive_esk()` method that either samples a random `esk` or derives it using the local `rseed` depending on the value of `leadbyte`.
* The encryption routine is modified to consult `generate_or_derive_esk()` and provide it to the note encryption object.
* The note encryption objects now take an optional `esk` as input and otherwise sample a random `esk` internally. This API functionality is preserved to allow for testing.
* The `SaplingNotePlaintext` decryption routines are modified:
  - The out and enc decryption routines now check that `epk` is consistent with the derived `esk`.
  - The out decryption routine for plaintexts also checks that `esk` is consistent with what is derived by the note.
* The miner and transaction builder consult the activation of Canopy when creating `SaplingNote`s.
* The consensus rules are modified so that shielded outputs (miner rewards) must have `v2` note plaintexts after Canopy has activated.
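The `rcm()` / `generate_or_derive_esk()` logic the commit message describes, written out as an added Python example (not code from zcashd or from the commit). It assumes the ZIP 212 derivation `PRF^expand_rseed` (BLAKE2b-512 personalized with `Zcash_ExpandSeed`) with domain bytes `0x04` for `rcm` and `0x05` for `esk`, lead bytes `0x01` (before ZIP 212) and `0x02` (after), and the sample `rseed` values are constructed; the `epk` consistency check needs Jubjub scalar multiplication and is left out.

```python
import hashlib
from typing import Optional

# Order of the Jubjub scalar field r_J (Zcash protocol specification).
R_J = 0x0E7DB4EA6533AFA906673B0101343B00A6682093CCC81082D0970E5ED6F72CB7

LEAD_BEFORE_ZIP212 = 0x01  # v1 plaintext: rseed *is* the 32-byte rcm
LEAD_AFTER_ZIP212 = 0x02   # v2 plaintext: rseed is a seed, rcm/esk are derived


def prf_expand(sk: bytes, t: bytes) -> bytes:
    """PRF^expand_sk(t) = BLAKE2b-512('Zcash_ExpandSeed', sk || t)."""
    return hashlib.blake2b(sk + t, digest_size=64, person=b"Zcash_ExpandSeed").digest()


def to_scalar(b: bytes) -> int:
    """ToScalar: little-endian integer reduced modulo r_J."""
    return int.from_bytes(b, "little") % R_J


def rcm(rseed: bytes, leadbyte: int) -> int:
    """Mirror of the rcm() helper: derive after ZIP 212, else reinterpret rseed."""
    if len(rseed) != 32:
        raise ValueError("rseed must be 32 bytes")
    if leadbyte == LEAD_AFTER_ZIP212:
        return to_scalar(prf_expand(rseed, b"\x04"))
    if leadbyte == LEAD_BEFORE_ZIP212:
        r = int.from_bytes(rseed, "little")
        if r >= R_J:  # a v1 rcm must already be a canonical scalar
            raise ValueError("pre-ZIP212 rcm is not a canonical Jubjub scalar")
        return r
    raise ValueError(f"unknown note plaintext lead byte {leadbyte:#04x}")


def derive_esk(rseed: bytes, leadbyte: int) -> Optional[int]:
    """Mirror of generate_or_derive_esk(): None means 'sample esk at random'."""
    if leadbyte == LEAD_AFTER_ZIP212:
        return to_scalar(prf_expand(rseed, b"\x05"))
    if leadbyte == LEAD_BEFORE_ZIP212:
        return None
    raise ValueError(f"unknown note plaintext lead byte {leadbyte:#04x}")


def esk_consistent(rseed: bytes, leadbyte: int, recovered_esk: int) -> bool:
    """Out-decryption check: the esk recovered from outCiphertext must match the
    esk derived from the note's rseed for v2 plaintexts (nothing to check for v1)."""
    derived = derive_esk(rseed, leadbyte)
    return derived is None or derived == recovered_esk


# Constructed sample seeds (not real note data).
SAMPLE_RSEED_V2 = bytes(range(32))
SAMPLE_RCM_V1 = b"\x07" * 32  # top byte 0x07 keeps it below r_J
```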