Sapling value commitment, half done Sapling note commitment

zebra-chain/src/keys/sapling.rs

@@ -124,7 +124,9 @@ fn jubjub_group_hash(d: [u8; 8], m: &[u8]) -> Option<jubjub::ExtendedPoint> {
 ///
 /// [0]: https://github.com/zcash/librustzcash/blob/master/zcash_primitives/src/jubjub/mod.rs#L409
 /// https://zips.z.cash/protocol/protocol.pdf#concretegrouphashjubjub
-fn find_group_hash(d: [u8; 8], m: &[u8]) -> jubjub::ExtendedPoint {
+// TODO: move common functions like these out of the keys module into
+// a more appropriate location
+pub fn find_group_hash(d: [u8; 8], m: &[u8]) -> jubjub::ExtendedPoint {
     let mut tag = m.to_vec();
     let i = tag.len();
     tag.push(0u8);

zebra-chain/src/notes/sapling.rs

@@ -8,7 +8,7 @@ mod commitments;
 mod nullifiers;
 
 use crate::{
-    keys::sapling::{Diversifier, TransmissionKey},
+    keys::sapling::{diversify_hash, find_group_hash, Diversifier, TransmissionKey},
     notes::memo::Memo,
     types::amount::{Amount, NonNegative},
 };
@@ -17,6 +17,11 @@ pub use ciphertexts::{EncryptedCiphertext, OutCiphertext};
 pub use commitments::{CommitmentRandomness, NoteCommitment, ValueCommitment};
 pub use nullifiers::Nullifier;
 
+///
+///
+/// https://zips.z.cash/protocol/protocol.pdf#concretepedersenhash
+pub fn pedersen_hash_to_point() {}
+
 /// A Note represents that a value is spendable by the recipient who
 /// holds the spending key corresponding to a given shielded payment
 /// address.
@@ -32,9 +37,17 @@ impl Note {
     /// Perderson hash constructon, and adding a randomized point on
     /// the Jubjub curve.
     ///
+    /// WindowedPedersenCommit_r (s) := \
+    ///   PedersenHashToPoint(“Zcash_PH”, s) + [r]FindGroupHash^J^(r)∗(“Zcash_PH”, “r”)
+    ///
+    /// NoteCommit^Sapling_rcm (g*_d , pk*_d , v) := \
+    ///   WindowedPedersenCommit_rcm([1; 6] || I2LEBSP_64(v) || g*_d || pk*_d)
+    ///
     /// https://zips.z.cash/protocol/protocol.pdf#concretewindowedcommit
     pub fn commit(&self) -> NoteCommitment {
-        unimplemented!()
+        let g_d = diversify_hash(self.diversifier.0).unwrap();
+
+        NoteCommitment::new(g_d, self.transmission_key, self.value)
     }
 }
 

zebra-chain/src/notes/sapling/commitments.rs

@@ -1,10 +1,17 @@
 use std::{fmt, io};
 
+use rand_core::{CryptoRng, RngCore};
+
 use crate::{
+    keys::sapling::find_group_hash,
     serde_helpers,
     serialization::{ReadZcashExt, SerializationError, ZcashDeserialize, ZcashSerialize},
 };
 
+// TODO: replace with reference to redjubjub or jubjub when merged and
+// exported.
+type Scalar = jubjub::Fr;
+
 /// The randomness used in the Pedersen Hash for note commitment.
 #[derive(Copy, Clone, Debug, PartialEq)]
 pub struct CommitmentRandomness(redjubjub::Randomizer);
@@ -38,8 +45,6 @@ impl From<NoteCommitment> for [u8; 32] {
 }
 
 impl ZcashSerialize for NoteCommitment {
-    // The u-coordinate of the note commitment, for the output note
-    // LEBS2OSP256(cm_u) where cm_u = Extract_J(r)(cm). ???
     fn zcash_serialize<W: io::Write>(&self, mut writer: W) -> Result<(), io::Error> {
         writer.write_all(&self.0.to_bytes())?;
         Ok(())
@@ -55,6 +60,26 @@ impl ZcashDeserialize for NoteCommitment {
 }
 
 impl NoteCommitment {
+    /// Generate a new _NoteCommitment_.
+    ///
+    /// https://zips.z.cash/protocol/protocol.pdf#concretewindowedcommit
+    #[allow(non_snake_case)]
+    pub fn new<T>(csprng: &mut T, value_bytes: [u8; 32]) -> Self
+    where
+        T: RngCore + CryptoRng,
+    {
+        let v = Scalar::from_bytes(&value_bytes).unwrap();
+
+        let mut rcv_bytes = [0u8; 32];
+        csprng.fill_bytes(&mut rcv_bytes);
+        let rcv = Scalar::from_bytes(&rcv_bytes).unwrap();
+
+        let V = find_group_hash(*b"Zcash_cv", b"v");
+        let R = find_group_hash(*b"Zcash_cv", b"r");
+
+        Self::from(V * v + R * rcv)
+    }
+
     /// Hash Extractor for Jubjub (?)
     ///
     /// https://zips.z.cash/protocol/protocol.pdf#concreteextractorjubjub
@@ -86,6 +111,12 @@ impl From<[u8; 32]> for ValueCommitment {
     }
 }
 
+impl From<jubjub::ExtendedPoint> for ValueCommitment {
+    fn from(extended_point: jubjub::ExtendedPoint) -> Self {
+        Self(jubjub::AffinePoint::from(extended_point))
+    }
+}
+
 impl Eq for ValueCommitment {}
 
 impl From<ValueCommitment> for [u8; 32] {
@@ -112,3 +143,26 @@ impl ZcashDeserialize for ValueCommitment {
         ))
     }
 }
+
+impl ValueCommitment {
+    /// Generate a new _ValueCommitment_.
+    ///
+    /// https://zips.z.cash/protocol/protocol.pdf#concretehomomorphiccommit
+    // TODO: accept an Amount instead?
+    #[allow(non_snake_case)]
+    pub fn new<T>(csprng: &mut T, value_bytes: [u8; 32]) -> Self
+    where
+        T: RngCore + CryptoRng,
+    {
+        let v = Scalar::from_bytes(&value_bytes).unwrap();
+
+        let mut rcv_bytes = [0u8; 32];
+        csprng.fill_bytes(&mut rcv_bytes);
+        let rcv = Scalar::from_bytes(&rcv_bytes).unwrap();
+
+        let V = find_group_hash(*b"Zcash_cv", b"v");
+        let R = find_group_hash(*b"Zcash_cv", b"r");
+
+        Self::from(V * v + R * rcv)
+    }
+}