Orchard-ZSA reference implementation #372
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Added .circleci/config.yml
Implements the issuer keys as
IssuerAuthorizingKey -> isk
IssuerVerifyingKey -> ik
Test vectors generated with zcash_test_vectors repo
* Added NoteType to Notes * Added NoteType to value commitment derivation
* Circleci project setup (#1) * Added .circleci/config.yml * Added NoteType to Notes * reformated file * updated `derive` for NoteType * added note_type to value commit derivation * rustfmt * updated ci config * updated ci config * updated ci config * updated derive for note_type * added test for arb note_type * added test for `native` note type * zsa-note-encryption: introduce AssetType and encode and decode it in note plaintexts * zsa-note-encryption: extend the size of compact notes to include asset_type * fixed clippy warrnings * rustfmt * zsa-note-encryption: document parsing requirement * zsa-note-encryption: revert support of ZSA compact action * zsa_value: add NoteType method is_native * zsa-note-encryption: remove dependency on changes in the other crate * zsa-note-encryption: extract memo of ZSA notes * zsa-note-encryption: tests (zcash_test_vectors 77c73492) * zsa-note-encryption: simplify roundtrip test * zsa-note-encryption: more test vectors (zcash_test_vectors c10da464) * Circleci project setup (#1) * Added .circleci/config.yml * issuer keys implementation (#5) Implements the issuer keys as IssuerAuthorizingKey -> isk IssuerVerifyingKey -> ik Test vectors generated with zcash_test_vectors repo * Added NoteType to Notes (#2) * Added NoteType to Notes * Added NoteType to value commitment derivation * zsa-note-encryption: use both native and ZSA in proptests * zsa-note-encryption: test vector commit 51398c93 * zsa-note-encryption: fix after merge Co-authored-by: Paul <[email protected]> Co-authored-by: Paul <[email protected]> Co-authored-by: Aurélien Nicolas <[email protected]> Co-authored-by: Daniel Benarroch <[email protected]>
+ Updated test bsk_consistent_with_bvk to verify mixed note types. + Added NoteType support to the builder and the bundle. + added split_flag to SpentInfo and as input to the Circuit (currently commented out) + added conditional cv_sum calculation (currently commented out) + added padding to actions
- added IssueBundle and IssueAction - added a builder for IssueBundle - added verify_issue_bundle() for consensus verification. - unit tests.
added tests in `tests/zsa.rs`
* disabled split notes and proof check for zsa transfer
* fixes and suggestions * changed "issuer" to "issuance" as per zcash#356 (comment) * terminology fixes * updated naming
* rename 2 note_type -> asset as per zcash#356 (comment) * added a dedicated type for "IssuanceAuth" * disabled codecov github action due to bad behavior. * extracted "is_asset_desc_of_valid_size()" into asset_id.rs
* improved `verify_issue_bundle()`
Added a method to add assets to burn to the Builder bvk computation now includes the burnt assets Added Tests for bsk/bvk consistency for burning Added E2E tests for assets burning
Added CI badge to README
Added `OrchardDomainV3` on top of the encryption generalization (QED-it/librustzcash#18). not for review: note_encryption.rs, note_encryptionv2v3.rs and src/test_vectors/note_encryption.rs. These files represent two possible approaches for backward compatibility and will be finalized down the road. (the files were excluded from the build).
Closed
Make IVK::from_bytes public
When split_flag is set, the following values are modified * v_net is equal to -v_new instead of v_old - v_new * cv_net is evaluated with this new value of v_net The following constraints are modified * (v_old - v_new = magnitude * sign) becomes (v_old * (1-split_flag) - v_new = magnitude * sign) to take into account the new value of v_net * nf_old = nf_old_pub is only checked when split_flag=0 * the new constraint asset_old = asset_new is always checked regardless of the value of split_flag
- Renamed AssetId to AssetBase - Changed the AssetBase implementation to support the zip update. - Updated visibility for various members of issuance.rs
…#49) This PR updates the test-vectors from the updates to the zcash-test-vectors repository (see here). The keys test is also updated to now use the asset base from the test vectors instead of just using the native asset.
In the circuit, we update value_commit_orchard to take into account asset.
Previously, value_commit_orchard returns cv_net = [v_net] ValueCommitV + [rcv] ValueCommitR..
Now, value_commit_orchard returns cv_net = [v_net] asset + [rcv] ValueCommitR.
ValueCommitV and ValueCommitR are constants
v_net is equal to sign * magnitude where sign is in {-1, 1} and magnitude is an unsigned integer on 64 bits.
To evaluate [v_net] asset where v_net = sign * magnitude, we perform the following steps
1. verify that magnitude is on 64 bits
2. evaluate commitment=[magnitude]asset with the variable-base long-scalar multiplication
3. evaluate result=[sign]commitment with the new mul_sign gate
We would like to have a constant-time evaluation of the note commitment for both ZEC and ZSA. ZEC_note_commitment=Extract_P(SinsemillaHashToPoint(zec_personalization, common_bits) + [rcm]R) ZSA_note_commitment=Extract_P(SinsemillaHashToPoint(zsa_personalization, common_bits || asset) + [rcm]R) R is the same constant for ZEC and ZSA note commitments.
1. Added a new error, `ValueSumOverflow`, that occurs if the sum value overflows when adding new supply amounts. 2. Created a new `supply_info` module containing `SupplyInfo` and `AssetSupply` structures, with `add_supply` function and unit tests for it. 3. Renamed the `are_note_asset_ids_derived_correctly` function to `verify_supply`, changed its behavior to verify and compute asset supply, added unit tests for it. 4. Updated the `verify_issue_bundle` function to use the changes mentioned above, updated its description, and added new unit tests. 5. Renamed errors with `...NoteType` suffix in the name to `...AssetBase`. 6. Added `update_finalization_set` method to `SupplyInfo` and use after the calls of `verify_issue_bundle function` (if needed), instead of mutating the finalization set inside `verify_issue_bundle`.
- Add getter method for Bundle.burn field
For zcash_note_encryption, we have to use version 0.2 with QEDIT patch.
In the circuit, we update note_commit to take into account asset.
Previously, note_commit returns cm = hash(Q_ZEC, msg) + [rcm]R.
Now, note_commit returns
- cm = hash(Q_ZEC, msg) + [rcm]R for ZEC note
- cm = hash(Q_ZSA, msg || asset) + [rcm]R for ZSA note
We now evaluate note_commit with the following steps
1. evaluate **hash_zec = hash(Q_ZEC, msg)**
2. evaluate **hash_zsa = hash(Q_ZSA, msg || asset)**
3. select **hash = hash_zec if is_native_asset**
**= hash_zsa otherwise**
4. evaluate **cm = hash + [rcm]R**
5. check some constraints on msg and asset and their decompositions
6. return **cm**
The following modifications are required to update note_commit:
- add a is_native_asset witness (and check that it is a boolean and its
value is correct according to asset)
- add a MUX chip to evaluate a multiplexer on Pallas points
Warning: we increased the size of the Orchard circuit !
…uble column in the use of external zip32 crate
…nction. 2) Refactor builder::bundle function (pre-action genetation), to split 'fold' into three parts
- Introduce `derive_bvk` function for streamlined calculation of `bvk` - Use `derive_bvk` in `bundle.binding_validating_key()` to avoid duplication - Adjust `native_value_balance` calculation to an `i64` and convert to `V` - Optimize calculations with iterators to reduce memory usage
This PR merges the latest updates from the `zcash/orchard` repository (version 0.8.0) into `zsa1` branch. These updates include refactorings and enhancements which are detailed below. The integration has been completed in the `zsa1-with-zcash-0.8.0` branch, where conflicts were resolved and all unit tests and CI checks pass successfully. ### Key Changes from zcash/orchard v0.8.0 1. **BundleType enum introduced:** Replaces direct use of bundle flags. 2. **Recipient renamed to Output:** Updates type and function names accordingly. 3. **New type Rho:** Used for variables with `rho` value, keeping Nullifier for nullifiers. 4. **External crate zip32 added and used:** Contains parts of local `zip32` module functionality and new features, while local `zsa32` retains orchard-specific features now. 5. **Refactoring of Builder::build function:** Logic moved to new `bundle` function, introducing BundleMetadata to track indices pre-shuffle.
This pull request aims to generalize the implementation of the Orchard protocol, providing backward compatibility to support both the new (ZSA) and the original (non-ZSA - Vanilla) Orchard protocol variants. Key modifications and enhancements include: ### 1. Trait and Generic Structures for Note Encryption: - **OrchardDomain Trait:** A new `OrchardDomain` trait in `note_encryption.rs` differentiates between the original Orchard (Vanilla) and Orchard ZSA protocols, simplifying the implementation of the `Domain` trait through abstraction. - **OrchardDomainBase Generic Struct:** Introduced to contain data used for internal calculations in both Orchard variants. - **TransmittedNoteCiphertext Modifications:** This struct is now generic, supporting various lengths of encrypted note ciphertext to accommodate both Orchard variants. ### 2. Trait and Generic Structures for Circuit Generalization: - **OrchardCircuit Trait:** A new `OrchardCircuit` trait in `circuit.rs` provides an interface for different implementations of the PLONK circuit tailored to the specific requirements of the Orchard protocol's variants (Vanilla and ZSA). - **OrchardCircuitBase Generic Struct:** Contains data for internal calculations across both Orchard variants. ### 3. Module Organization: - Introduction of `note_encryption_vanilla.rs`, `note_encryption_zsa.rs` to support the different types of encrypted notes. - Introduction of `circuit_vanilla.rs`, and `circuit_zsa.rs` to support various circuit configurations. ### 4. Test Suite Updates: Updates to unit tests include separate versions for Vanilla and ZSA variants, ensuring thorough validation of the modifications. ### 5. Dependency Adaptation: The adoption of a modified version of the Halo2 Rust crate facilitates support for both Orchard protocol variants, guaranteeing that all tests, including those for non-ZSA functionality, pass successfully. --------- Co-authored-by: Paul <[email protected]> Co-authored-by: Dmitry Demin <[email protected]> Co-authored-by: Vivek Arte <[email protected]> Co-authored-by: alexeykoren <[email protected]>
… PR #2 issues resolve (#111) Orchard has been synced with the changes from [PR #10](QED-it/zcash_note_encryption#10) in the `zcash_note_encryption` repository. This update includes the following changes: - Implements new `parse_note_plaintext_bytes`, `parse_note_ciphertext_bytes`, and `parse_compact_note_plaintext_bytes` methods of the `Domain` trait from `zcash_note_encryption`. - Uses the `NoteBytes` trait and `NoteBytesData` structure from `zcash_note_encryption` instead of having local definitions and implementations. ### Note This PR uses the `resolve_zcash_pr2_issues` branch of `zcash_note_encryption` in `Cargo.toml`. Before merging this PR, [PR #10](https://github.com/zcash/zcash_note_encryption/pull/10) needs to be merged into the `zsa1` branch of `zcash_note_encryption`. Then, this Orchard PR branch should be updated to use the `zsa1` branch of `zcash_note_encryption` befor merging this PR. --------- Co-authored-by: Dmitry Demin <[email protected]>
…hertext (#112) This PR updates the `ShieldedOutput` implementation for the `Action`/`CompactAction` struct to align with the recent changes in the `zcash_note_encryption` crate. Specifically, the `enc_ciphertext` method now returns a reference instead of a copy. This change was discussed and suggested in PR zcash/zcash_note_encryption#2 review. --------- Co-authored-by: Dmitry Demin <[email protected]>
- Unified `NoteCommitConfig` and `Config` to have the same configs for both Vanilla and ZSA circuits - Numerous functions and structures initially defined separately for Vanilla and ZSA have been unified into a single definition, incorporating the generic parameter `Lookup`.
This updates the test vectors in this repository to match those created in QED-it/zcash-test-vectors#22.
For actions made with ZSA assets, it is important not to use dummy spend notes to ensure that the asset has been properly issued.
This switches the asset description to be the Vec<u8> type. This is so that orchard doesn't check whether the asset description string is UTF-8 encoded, and just works with the bytes. The UTF-8 recommended check will be performed closer to the top of the stack instead. --------- Co-authored-by: Paul <[email protected]> Co-authored-by: Paul <[email protected]>
…Clone for CompactAction (#118) This PR updates the crate to ensure compatibility with the `zcash_client_backend` crate in `librustzcash` repository. Specifically, it derives the `Clone` trait for the `CompactAction` struct to resolve compilation errors when the `orchard` feature is enabled for `zcash_client_backend` crate (`BatchRunner` struct there requires that).
Exclude non-native assets from value_balance
We would like to remove the generic circuit parameter from Unproven structure. To do that, we create a Witnesses structure which contains the witnesses of the circuit but not the circuit type (OrchardZSA or OrchardVanilla). Key changes: - Updated `src/builder.rs` to replace `Circuit` with `Witnesses` in several function signatures and type definitions. - Adjusted `src/circuit.rs` to define and use the new `Witnesses` structure instead of `Circuit`.
For Vanilla transactions, we would like to use the SIGHASH defined in ZIP 244. For ZSA transactions, we would like to use the SIGHASH defined in ZIP 226.
Add Clone trait to auth-related structures
Update get_actions_by_asset/desc to return an Option<&IssueAction> instead of a Vec<&IssueAction> Rename get_actions_by_asset/desc into get_action_by_asset/desc
When an asset is issue for the first time, we create a reference note which is a note with a value equal to zero and a recipient address equal to the reference recipient address.
Previously, the bundle function returns a `Result<Option<UnauthorizedBundleWithMetadata<V, FL>>, BuildError>` but the `Option` was never `None` because the actions vector could not be empty. Now, the bundle function returns a `Result<UnauthorizedBundleWithMetadata<V, FL>, BuildError>`.
…132) GitHub updated ubuntu-latest from Ubuntu 22.04 to 24.04, which looks like it no longer includes fontconfig by default. This PR adds installation of libfontconfig1-dev so the yeslogic-fontconfig-sys crate (a transitive dependency) can build successfully again.
This PR is an updated copy of #128: > The amount in AssetSupply must be a NoteValue (u64) and not a ValueSum (i128). > We add reference_notes into SupplyInfo. It is a hashmap of asset bases to their respective reference note The code was updated, `get_reference_note` method of `IssueAction` was added and used, `get_reference_notes` was removed. Also, instead of a separate new `reference_notes` `HashMap` in `SupplyInfo` a new field `reference_note` was added to `AssetSupply` struct. Unit tests were fixed accordingly. --------- Co-authored-by: Constance Beguier <[email protected]> Co-authored-by: Paul <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements draft ZIP 226.
Included on top of the Issuance PR:
burnfield inside the Orchardbundleand the ability to utilize it. In addition the changes tobvkandbskto support this change. See ZSA burn functionality QED-it/orchard#35 for a full list of changes.Domaintrait in thezcash_note_encryptioncrate to support various lengths forCOMPACT_NOTE_SIZEby converting the relevant constants into trait-specific types. Later, implementedOrchardDomainV3to support the new note structure. See the supporting PR for more details: zcash_note_encryption generalization librustzcash#746 and V3 encryption QED-it/orchard#38zsa1branch for details.Also included:
note_typewas renamed toassetof typeassetID.AssetIDderivation AssetID test vectors QED-it/orchard#34Included but not activated:
Not included:
AssetID, split notes, and all other new functionality. (in progress, part of milestone 3)The proposed changes should be considered a draft, not a final version.