From c26304d98339901d05cf436ad60077c85391e01c Mon Sep 17 00:00:00 2001 From: Henry de Valence Date: Fri, 20 Dec 2019 15:08:20 -0800 Subject: [PATCH] Correct an error in transaction modeling. In the previous transaction modeling I defined the structs so that the number of old and new commitments for a JoinSplit were variable, when in fact the Sprout design fixes both to be 2. So now they are hardcoded as 2 in the source code as well. This commit also fixes some missing `pub` fields on the `JoinSplit` struct.
---
 zebra-chain/src/transaction.rs | 2 +-
 zebra-chain/src/transaction/joinsplit.rs | 76 +++++++----------------
 2 files changed, 24 insertions(+), 54 deletions(-)
diff --git a/zebra-chain/src/transaction.rs b/zebra-chain/src/transaction.rs
index 264ee6e84..63dc76bb2 100644
--- a/zebra-chain/src/transaction.rs
+++ b/zebra-chain/src/transaction.rs
@@ -10,7 +10,7 @@ mod transparent;
 mod tests;
 
 pub use hash::TransactionHash;
-pub use joinsplit::{JoinSplit, JoinSplitData, SproutInputNoteData, SproutOutputNoteData};
+pub use joinsplit::{JoinSplit, JoinSplitData};
 pub use shielded_data::{OutputDescription, ShieldedData, SpendDescription};
 pub use transparent::{OutPoint, TransparentInput, TransparentOutput};
 
diff --git a/zebra-chain/src/transaction/joinsplit.rs b/zebra-chain/src/transaction/joinsplit.rs
index 0ac9618e0..93fc09292 100644
--- a/zebra-chain/src/transaction/joinsplit.rs
+++ b/zebra-chain/src/transaction/joinsplit.rs
@@ -1,48 +1,5 @@
 use crate::proofs::ZkSnarkProof;
 
-/// Describes input notes to a Sprout transaction.
-///
-/// The [protocol specification §7.2][ps] describes these fields as being encoded
-/// separately into two arrays of the same length. Instead, by bundling them
-/// together into one structure, we can ensure that it's not possible to create a
-/// JoinSplit description with mismatched array lengths. This means we do not
-/// need to maintain any invariants about equal array lengths.
-///
-/// [ps]: https://zips.z.cash/protocol/protocol.pdf#joinsplitencoding
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub struct SproutInputNoteData {
- /// A nullifier for the input note.
- ///
- /// XXX refine type
- pub nullifier: [u8; 32],
- /// A message authentication tag.
- ///
- /// XXX refine type
- pub vmac: [u8; 32],
-}
-
-/// Describes output notes from a Sprout transaction.
-///
-/// The [protocol specification §7.2][ps] describes these fields as being encoded
-/// separately into two arrays of the same length. Instead, by bundling them
-/// together into one structure, we can ensure that it's not possible to create a
-/// JoinSplit description with mismatched array lengths. This means we do not
-/// need to maintain any invariants about equal array lengths.
-///
-/// [ps]: https://zips.z.cash/protocol/protocol.pdf#joinsplitencoding
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub struct SproutOutputNoteData {
- /// A note commitment for this output note.
- ///
- /// XXX refine type
- pub commitment: [u8; 32],
- /// A ciphertext component for this output note.
- ///
- /// XXX refine type
- /// XXX this should be a [u8; 601] but we need trait impls.
- pub enc_ciphertext: Vec,
-}
-
 /// A _JoinSplit Description_, as described in [protocol specification §7.2][ps].
 ///
 /// [ps]: https://zips.z.cash/protocol/protocol.pdf#joinsplitencoding
@@ -52,31 +9,44 @@ pub struct JoinSplit {
 /// pool.
 ///
 /// XXX refine to an Amount
- vpub_old: u64,
+ pub vpub_old: u64,
 /// A value that the JoinSplit transfer inserts into the transparent value
 /// pool.
 ///
 /// XXX refine to an Amount
- vpub_new: u64,
+ pub vpub_new: u64,
 /// A root of the Sprout note commitment tree at some block height in the
 /// past, or the root produced by a previous JoinSplit transfer in this
 /// transaction.
 ///
 /// XXX refine type
- anchor: [u8; 32],
+ pub anchor: [u8; 32],
+ /// A nullifier for the input notes.
+ ///
+ /// XXX refine type to [T; 2] -- there are two nullifiers
+ pub nullifiers: [[u8; 32]; 2],
+ /// A note commitment for this output note.
+ ///
+ /// XXX refine type to [T; 2] -- there are two commitments
+ pub commitments: [[u8; 32]; 2],
 /// An X25519 public key.
 ///
 /// XXX refine to an x25519-dalek type?
- ephemeral_key: [u8; 32],
+ pub ephemeral_key: [u8; 32],
 /// A 256-bit seed that must be chosen independently at random for each
 /// JoinSplit description.
- random_seed: [u8; 32],
- /// A sequence of input notes for this transaction.
- input_notes: Vec,
- /// A sequence of output notes for this transaction.
- output_notes: Vec,
+ pub random_seed: [u8; 32],
+ /// A message authentication tag.
+ ///
+ /// XXX refine type to [T; 2] -- there are two macs
+ pub vmacs: [[u8; 32]; 2],
 /// A ZK JoinSplit proof, either a [`Groth16Proof`] or a [`Bctv14Proof`].
- zkproof: P,
+ pub zkproof: P,
+ /// A ciphertext component for this output note.
+ ///
+ /// XXX refine type to [T; 2] -- there are two ctxts
+ /// XXX this should be a [[u8; 601]; 2] but we need trait impls.
+ pub enc_ciphertexts: [Vec; 2],
 }
 
 /// A bundle of JoinSplit descriptions and signature data.
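Review bot: The doc comments on the new `nullifiers`, `commitments` and `vmacs` fields are stale: each still describes a single value (`/// A nullifier for the input notes.`, `/// A note commitment for this output note.`, `/// A message authentication tag.`), and the `XXX refine type to [T; 2]` note asks for a shape the field already has, since the arity is now fixed by the array type and the open question is the element type. For `nullifiers` I would write `/// The two nullifiers for the input notes.` and `/// XXX refine the element type -- the arity of 2 is fixed by the Sprout design.`, and reword the other two the same way. Separately, `enc_ciphertexts` is now `pub` but its element type (shown here as `Vec`; the type parameter appears to have been lost in rendering) carries no length, so nothing in the type prevents building a `JoinSplit` whose ciphertexts are not the 601 bytes the XXX comment asks for; until the `[[u8; 601]; 2]` form lands, the deserializer should reject any ciphertext of a different length, and the doc comment should say so. The `pub struct JoinSplit` header and any `impl` blocks are outside this hunk.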