Add prf_nf and use in From impl to derive Sapling Nullifier

2020-07-28 02:31:07 -04:00 · 2020-07-28 02:31:07 -04:00 · 10a9aa5844
parent eb731a6e2f
commit 10a9aa5844
1 changed files with 32 additions and 1 deletions
--- a/zebra-chain/src/notes/sapling/nullifiers.rs
+++ b/zebra-chain/src/notes/sapling/nullifiers.rs
@ -3,7 +3,30 @@

 use std::io;

-use crate::serialization::{ReadZcashExt, SerializationError, ZcashDeserialize, ZcashSerialize};
+use crate::{
+    commitments::sapling::{mixing_pedersen_hash, NoteCommitment},
+    keys::sapling::NullifierDerivingKey,
+    serialization::{ReadZcashExt, SerializationError, ZcashDeserialize, ZcashSerialize},
+    treestate::note_commitment_tree::Position,
+};
+
+/// Invokes Blake2s-256 as PRF^nfSapling to derive the nullifier for a
+/// Sapling note.
+///
+/// PRF^nfSapling(ρ*) := BLAKE2s-256("Zcash_nf", nk* || ρ*)
+///
+/// https://zips.z.cash/protocol/protocol.pdf#concreteprfs
+fn prf_nf(nk: [u8; 32], rho: [u8; 32]) -> [u8; 32] {
+    let hash = blake2s_simd::Params::new()
+        .hash_length(32)
+        .personal(b"Zcash_nf")
+        .to_state()
+        .update(&nk[..])
+        .update(&rho[..])
+        .finalize();
+
+    *hash.as_array()
+}

 /// A Nullifier for Sapling transactions
 #[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
@ -16,6 +39,14 @@ impl From<[u8; 32]> for Nullifier {
    }
 }

+impl From<(NoteCommitment, Position, NullifierDerivingKey)> for Nullifier {
+    fn from((cm, pos, nk): (NoteCommitment, Position, NullifierDerivingKey)) -> Self {
+        let rho = jubjub::AffinePoint::from(mixing_pedersen_hash(cm.0.into(), pos.0.into()));
+
+        Nullifier(prf_nf(nk.into(), rho.to_bytes()))
+    }
+}
+
 impl ZcashDeserialize for Nullifier {
    fn zcash_deserialize<R: io::Read>(mut reader: R) -> Result<Self, SerializationError> {
        let bytes = reader.read_32_bytes()?;