Document decoding of ephemeral_key from epk

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-27 12:53:27 +08:00 · 2021-05-27 12:53:27 +08:00 · 83074b2628
parent 2120658d5d
commit 83074b2628
1 changed files with 8 additions and 0 deletions
--- a/orchard_note_encryption.py
+++ b/orchard_note_encryption.py
@ -112,6 +112,10 @@ class TransmittedNoteCipherText(object):
            return None

        shared_secret = OrchardKeyAgreement.agree(ivk, epk)
+        # The protocol spec says to take `ephemeral_key` as input to decryption
+        # and to decode epk from it. That is required for consensus compatibility
+        # in Sapling decryption before ZIP 216, but the reverse is okay here
+        # because Pallas points have no non-canonical encodings.
        ephemeral_key = bytes(epk)
        k_enc = kdf_orchard(shared_secret, ephemeral_key)
        p_enc = OrchardSym.decrypt(k_enc, self.c_enc)
@ -144,6 +148,10 @@ class TransmittedNoteCipherText(object):
        return (note, np.memo)

    def decrypt_using_ovk(self, ovk, rseed, rho, cv, cm_star):
+        # The protocol spec says to take `ephemeral_key` as input to decryption
+        # and to decode epk from it. That is required for consensus compatibility
+        # in Sapling decryption before ZIP 216, but the reverse is okay here
+        # because Pallas points have no non-canonical encodings.
        ock = prf_ock_orchard(ovk, bytes(cv), bytes(cm_star.extract()), bytes(self.epk))
        op = OrchardSym.decrypt(ock, self.c_out)
        if op is None: