Fix commit_ivk specification

Commit^ivk takes ak as a point, and commits to its entire serialization
(not just the x coordinate).

Cargo.toml

@@ -20,6 +20,7 @@ rustdoc-args = [ "--html-in-header", "katex-header.html" ]
 
 [dependencies]
 aes = "0.6"
+bitvec = "0.20"
 blake2b_simd = "0.5"
 ff = "0.9"
 fpe = "0.4"

src/keys.rs

@@ -13,8 +13,7 @@ use crate::{
     address::Address,
     primitives::redpallas::{self, SpendAuth},
     spec::{
-        commit_ivk, diversify_hash, extract_p, ka_orchard, prf_expand, prf_expand_vec, to_base,
-        to_scalar,
+        commit_ivk, diversify_hash, ka_orchard, prf_expand, prf_expand_vec, to_base, to_scalar,
     },
 };
 
@@ -219,7 +218,7 @@ pub struct IncomingViewingKey(pallas::Scalar);
 impl From<&FullViewingKey> for IncomingViewingKey {
     fn from(fvk: &FullViewingKey) -> Self {
         let ak = pallas::Point::from_bytes(&(&fvk.ak.0).into()).unwrap();
-        IncomingViewingKey(commit_ivk(&extract_p(&ak), &fvk.nk.0, &fvk.rivk.0))
+        IncomingViewingKey(commit_ivk(&ak, &fvk.nk.0, &fvk.rivk.0))
     }
 }
 

src/spec.rs

@@ -2,9 +2,10 @@
 
 use std::iter;
 
+use bitvec::{array::BitArray, order::Lsb0};
 use blake2b_simd::{Hash, Params};
 use ff::PrimeField;
-use group::Curve;
+use group::{Curve, GroupEncoding};
 use halo2::{
     arithmetic::{CurveAffine, CurveExt, FieldExt},
     pasta::pallas,
@@ -36,14 +37,14 @@ pub(crate) fn to_scalar(hash: Hash) -> pallas::Scalar {
 ///
 /// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents
 pub(crate) fn commit_ivk(
-    ak: &pallas::Base,
+    ak: &pallas::Point,
     nk: &pallas::Base,
     rivk: &pallas::Scalar,
 ) -> pallas::Scalar {
     let ivk = sinsemilla::short_commit(
         "z.cash:Orchard-CommitIvk",
         iter::empty()
-            .chain(ak.to_le_bits().iter().by_val().take(L_ORCHARD_SCALAR))
+            .chain(BitArray::<Lsb0, _>::new(ak.to_bytes()).iter().by_val())
             .chain(nk.to_le_bits().iter().by_val().take(L_ORCHARD_SCALAR)),
         rivk,
     );