From 9d9491c4e8fdc9a301c992d26b3da41088e0ff9b Mon Sep 17 00:00:00 2001
From: Deirdre Connolly
Date: Wed, 5 Aug 2020 22:30:44 -0400
Subject: [PATCH] Index at 1, not 0, the main loop of PedersenHashToPoint, to match spec math

---
 zebra-chain/src/commitments/sapling.rs | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/zebra-chain/src/commitments/sapling.rs b/zebra-chain/src/commitments/sapling.rs
index cbe7e7796..b8e38e79c 100644
--- a/zebra-chain/src/commitments/sapling.rs
+++ b/zebra-chain/src/commitments/sapling.rs
@@ -47,9 +47,9 @@ where
 /// https://zips.z.cash/protocol/protocol.pdf#concretepedersenhash
 #[allow(non_snake_case)]
 pub fn pedersen_hash_to_point(domain: [u8; 8], M: &BitVec) -> jubjub::ExtendedPoint {
-    // Expects i to be 0-indexed
+    // Expects i to be 1-indexed from the loop it's called in.
     fn I_i(domain: [u8; 8], i: u32) -> jubjub::ExtendedPoint {
-        find_group_hash(domain, &i.to_le_bytes())
+        find_group_hash(domain, &(i - 1).to_le_bytes())
     }
 
     /// ⟨Mᵢ⟩
@@ -101,8 +101,14 @@ pub fn pedersen_hash_to_point(domain: [u8; 8], M: &BitVec) -> jubjub::
     // Split M into n segments of 3 * c bits, where c = 63, padding the last
     // segment with zeros.
     //
+    // This loop is 1-indexed per the math definitions in the spec.
+    //
     // https://zips.z.cash/protocol/protocol.pdf#concretepedersenhash
-    for (i, segment) in M.chunks(189).enumerate() {
+    for (i, segment) in M
+        .chunks(189)
+        .enumerate()
+        .map(|(i, segment)| (i + 1, segment))
+    {
         result += I_i(domain, i as u32) * M_i(&segment);
     }
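Review bot: The new `(i - 1)` in I_i underflows when it is ever called with i == 0 — a panic under debug assertions, but in a release build without overflow checks it silently wraps to u32::MAX and selects a wrong generator with no error at all, which is exactly the kind of failure a commitment hash must not have. The added comment only states the 1-indexed precondition; enforce it so a future 0-indexed caller fails loudly in every build profile: `find_group_hash(domain, &i.checked_sub(1).expect("I_i is 1-indexed").to_le_bytes())`. The only caller visible in this patch, the segment loop in the second hunk, already passes `i + 1`, so behaviour is unchanged for it. pedersen_hash_to_point's body continues outside this hunk.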