zecfoundation
/
zebra
mirror of https://github.com/ZcashFoundation/zebra.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add sapling prf_ock and generate_trapdoor

This commit is contained in:
Deirdre Connolly 2021-03-08 05:32:08 -05:00 committed by Deirdre Connolly
parent c3e40d73cf
commit 20abeda04b
3 changed files with 37 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
zebra-chain/src/sapling/commitment.rs
View File

@ -21,6 +21,24 @@ use super::keys::{find_group_hash, Diversifier, TransmissionKey};
use pedersen_hashes::*; use pedersen_hashes::*;
/// Generates a random scalar from the scalar field 𝔽_{r_𝕁}.
///
/// The prime order subgroup 𝕁^(r) is the order-r_𝕁 subgroup of 𝕁 that consists
/// of the points whose order divides r. This function is useful when generating
/// the uniform distribution on 𝔽_{r_𝕁} needed for Sapling commitment schemes'
/// trapdoor generators.
///
/// https://zips.z.cash/protocol/protocol.pdf#jubjub
pub fn generate_trapdoor<T>(csprng: &mut T) -> jubjub::Fr
where
T: RngCore + CryptoRng,
{
let mut bytes = [0u8; 64];
csprng.fill_bytes(&mut bytes);
// Fr::from_bytes_wide() reduces the input modulo r via Fr::from_u512()
jubjub::Fr::from_bytes_wide(&bytes)
}
/// The randomness used in the Pedersen Hash for note commitment. /// The randomness used in the Pedersen Hash for note commitment.
#[derive(Copy, Clone, Debug, PartialEq)] #[derive(Copy, Clone, Debug, PartialEq)]
pub struct CommitmentRandomness(jubjub::Fr); pub struct CommitmentRandomness(jubjub::Fr);

19
zebra-chain/src/sapling/commitment/pedersen_hashes.rs
View File

@ -1,7 +1,6 @@
//! Pedersen hash functions and helpers. //! Pedersen hash functions and helpers.
use bitvec::prelude::*; use bitvec::prelude::*;
use rand_core::{CryptoRng, RngCore};
use super::super::keys::find_group_hash; use super::super::keys::find_group_hash;
@ -127,21 +126,3 @@ pub fn windowed_pedersen_commitment(r: jubjub::Fr, s: &BitVec<Lsb0, u8>) -> jubj
pedersen_hash_to_point(D, &s) + find_group_hash(D, b"r") * r pedersen_hash_to_point(D, &s) + find_group_hash(D, b"r") * r
} }
/// Generates a random scalar from the scalar field 𝔽_{r_𝕁}.
///
/// The prime order subgroup 𝕁^(r) is the order-r_𝕁 subgroup of 𝕁 that consists
/// of the points whose order divides r. This function is useful when generating
/// the uniform distribution on 𝔽_{r_𝕁} needed for Sapling commitment schemes'
/// trapdoor generators.
///
/// https://zips.z.cash/protocol/protocol.pdf#jubjub
pub fn generate_trapdoor<T>(csprng: &mut T) -> jubjub::Fr
where
T: RngCore + CryptoRng,
{
let mut bytes = [0u8; 64];
csprng.fill_bytes(&mut bytes);
// Fr::from_bytes_wide() reduces the input modulo r via Fr::from_u512()
jubjub::Fr::from_bytes_wide(&bytes)
}

19
zebra-chain/src/sapling/keys.rs
View File

@ -63,6 +63,25 @@ fn prf_expand(sk: [u8; 32], t: &[u8]) -> [u8; 64] {
*hash.as_array() *hash.as_array()
} }
/// Used to derive the outgoing cipher key _ock_ used to encrypt an Output ciphertext.
///
/// PRF^ock(ovk, cv, cm_u, ephemeralKey) := BLAKE2b-256(“Zcash_Derive_ock”, ovk || cv || cm_u || ephemeralKey)
///
/// https://zips.z.cash/protocol/nu5.pdf#concreteprfs
fn prf_ock(ovk: [u8; 32], cv: [u8; 32], cm_u: [u8; 32], ephemeral_key: [u8; 32]) -> [u8; 32] {
let hash = blake2b_simd::Params::new()
.hash_length(32)
.personal(b"Zcash_Derive_ock")
.to_state()
.update(ovk)
.update(cv)
.update(cm_u)
.update(ephemeral_key)
.finalize();
*hash.as_array()
}
/// Invokes Blake2s-256 as _CRH^ivk_, to derive the IncomingViewingKey /// Invokes Blake2s-256 as _CRH^ivk_, to derive the IncomingViewingKey
/// bytes from an AuthorizingKey and NullifierDerivingKey. /// bytes from an AuthorizingKey and NullifierDerivingKey.
/// ///