//! Orchard shielded data for `V5` `Transaction`s. use std::{ cmp::{Eq, PartialEq}, fmt::Debug, io, }; use byteorder::{ReadBytesExt, WriteBytesExt}; use halo2::pasta::pallas; use crate::{ amount::{Amount, NegativeAllowed}, block::MAX_BLOCK_BYTES, orchard::{tree, Action, Nullifier}, primitives::{ redpallas::{Binding, Signature, SpendAuth}, Halo2Proof, }, serialization::{ AtLeastOne, SerializationError, TrustedPreallocate, ZcashDeserialize, ZcashSerialize, }, }; /// A bundle of [`Action`] descriptions and signature data. #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)] pub struct ShieldedData { /// The orchard flags for this transaction. pub flags: Flags, /// The net value of Orchard spends minus outputs. pub value_balance: Amount, /// The shared anchor for all `Spend`s in this transaction. pub shared_anchor: tree::Root, /// The aggregated zk-SNARK proof for all the actions in this transaction. pub proof: Halo2Proof, /// The Orchard Actions, in the order they appear in the transaction. pub actions: AtLeastOne, /// A signature on the transaction `sighash`. pub binding_sig: Signature, } impl ShieldedData { /// Iterate over the [`Action`]s for the [`AuthorizedAction`]s in this /// transaction, in the order they appear in it. pub fn actions(&self) -> impl Iterator { self.actions.actions() } /// Collect the [`Nullifier`]s for this transaction. pub fn nullifiers(&self) -> impl Iterator { self.actions().map(|action| &action.nullifier) } /// Provide access to the `value_balance` field of the shielded data. /// /// Needed to calculate the sapling value balance. pub fn value_balance(&self) -> Amount { self.value_balance } /// Collect the cm_x's for this transaction, if it contains [`Action`]s with /// outputs, in the order they appear in the transaction. pub fn note_commitments(&self) -> impl Iterator { self.actions().map(|action| &action.cm_x) } } impl AtLeastOne { /// Iterate over the [`Action`]s of each [`AuthorizedAction`]. pub fn actions(&self) -> impl Iterator { self.iter() .map(|authorized_action| &authorized_action.action) } } /// An authorized action description. /// /// Every authorized Orchard `Action` must have a corresponding `SpendAuth` signature. #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)] pub struct AuthorizedAction { /// The action description of this Action. pub action: Action, /// The spend signature. pub spend_auth_sig: Signature, } impl AuthorizedAction { /// Split out the action and the signature for V5 transaction /// serialization. pub fn into_parts(self) -> (Action, Signature) { (self.action, self.spend_auth_sig) } // Combine the action and the spend auth sig from V5 transaction /// deserialization. pub fn from_parts(action: Action, spend_auth_sig: Signature) -> AuthorizedAction { AuthorizedAction { action, spend_auth_sig, } } } /// The size of a single Action /// /// Actions are 5 * 32 + 580 + 80 bytes so the total size of each Action is 820 bytes. /// [7.5 Action Description Encoding and Consensus][ps] /// /// [ps] https://zips.z.cash/protocol/nu5.pdf#actionencodingandconsensus pub const ACTION_SIZE: u64 = 5 * 32 + 580 + 80; /// The size of a single Signature /// /// Each Signature is 64 bytes. /// [7.1 Transaction Encoding and Consensus][ps] /// /// [ps] https://zips.z.cash/protocol/nu5.pdf#actionencodingandconsensus pub const SPEND_AUTH_SIG_SIZE: u64 = 64; /// The size of a single AuthorizedAction /// /// Each serialized `Action` has a corresponding `Signature`. pub const AUTHORIZED_ACTION_SIZE: u64 = ACTION_SIZE + SPEND_AUTH_SIG_SIZE; /// The maximum number of orchard actions in a valid Zcash on-chain transaction V5. /// /// If a transaction contains more actions than can fit in maximally large block, it might be /// valid on the network and in the mempool, but it can never be mined into a block. So /// rejecting these large edge-case transactions can never break consensus. impl TrustedPreallocate for Action { fn max_allocation() -> u64 { // Since a serialized Vec uses at least one byte for its length, // and the signature is required, // a valid max allocation can never exceed this size (MAX_BLOCK_BYTES - 1) / AUTHORIZED_ACTION_SIZE } } impl TrustedPreallocate for Signature { fn max_allocation() -> u64 { // Each signature must have a corresponding action. Action::max_allocation() } } bitflags! { /// Per-Transaction flags for Orchard. /// /// The spend and output flags are passed to the `Halo2Proof` verifier, which verifies /// the relevant note spending and creation consensus rules. /// /// Consensus rules: /// /// - "In a version 5 transaction, the reserved bits 2..7 of the flagsOrchard field MUST be zero." /// ([`bitflags`](https://docs.rs/bitflags/1.2.1/bitflags/index.html) restricts its values to the /// set of valid flags) /// - "In a version 5 coinbase transaction, the enableSpendsOrchard flag MUST be 0." /// (Checked in zebra-consensus) #[derive(Deserialize, Serialize)] pub struct Flags: u8 { /// Enable spending non-zero valued Orchard notes. /// /// "the `enableSpendsOrchard` flag, if present, MUST be 0 for coinbase transactions" const ENABLE_SPENDS = 0b00000001; /// Enable creating new non-zero valued Orchard notes. const ENABLE_OUTPUTS = 0b00000010; } } impl ZcashSerialize for Flags { fn zcash_serialize(&self, mut writer: W) -> Result<(), io::Error> { writer.write_u8(self.bits())?; Ok(()) } } impl ZcashDeserialize for Flags { fn zcash_deserialize(mut reader: R) -> Result { // Consensus rule: "In a version 5 transaction, // the reserved bits 2..7 of the flagsOrchard field MUST be zero." // https://zips.z.cash/protocol/protocol.pdf#txnencodingandconsensus Flags::from_bits(reader.read_u8()?) .ok_or(SerializationError::Parse("invalid reserved orchard flags")) } }