V3 encryption

Cargo.toml

@@ -84,3 +84,6 @@ debug = true
 
 [profile.bench]
 debug = true
+
+[patch.crates-io]
+zcash_note_encryption = { git = "https://github.com/QED-it/librustzcash.git", rev = "07c377ddedf71ab7c7a266d284b054a2dafc2ed4" }

benches/note_decryption.rs

@@ -5,7 +5,7 @@ use orchard::{
     circuit::ProvingKey,
     keys::{FullViewingKey, PreparedIncomingViewingKey, Scope, SpendingKey},
     note::AssetId,
-    note_encryption::{CompactAction, OrchardDomain},
+    note_encryption_v3::{CompactAction, OrchardDomainV3},
     value::NoteValue,
     Anchor, Bundle,
 };
@@ -79,7 +79,7 @@ fn bench_note_decryption(c: &mut Criterion) {
     };
     let action = bundle.actions().first();
 
-    let domain = OrchardDomain::for_action(action);
+    let domain = OrchardDomainV3::for_action(action);
 
     let compact = {
         let mut group = c.benchmark_group("note-decryption");
@@ -120,12 +120,12 @@ fn bench_note_decryption(c: &mut Criterion) {
         let ivks = 2;
         let valid_ivks = vec![valid_ivk; ivks];
         let actions: Vec<_> = (0..100)
-            .map(|_| (OrchardDomain::for_action(action), action.clone()))
+            .map(|_| (OrchardDomainV3::for_action(action), action.clone()))
             .collect();
         let compact: Vec<_> = (0..100)
             .map(|_| {
                 (
-                    OrchardDomain::for_action(action),
+                    OrchardDomainV3::for_action(action),
                     CompactAction::from(action),
                 )
             })

src/action.rs

@@ -158,7 +158,7 @@ pub(crate) mod testing {
             // FIXME: make a real one from the note.
             let encrypted_note = TransmittedNoteCiphertext {
                 epk_bytes: [0u8; 32],
-                enc_ciphertext: [0u8; 580],
+                enc_ciphertext: [0u8; 612],
                 out_ciphertext: [0u8; 80]
             };
             Action {
@@ -192,7 +192,7 @@ pub(crate) mod testing {
             // FIXME: make a real one from the note.
             let encrypted_note = TransmittedNoteCiphertext {
                 epk_bytes: [0u8; 32],
-                enc_ciphertext: [0u8; 580],
+                enc_ciphertext: [0u8; 612],
                 out_ciphertext: [0u8; 80]
             };
 

src/builder.rs

@@ -20,7 +20,7 @@ use crate::{
         SpendingKey,
     },
     note::{Note, TransmittedNoteCiphertext},
-    note_encryption::OrchardNoteEncryption,
+    note_encryption_v3::OrchardNoteEncryption,
     primitives::redpallas::{self, Binding, SpendAuth},
     tree::{Anchor, MerklePath},
     value::{self, NoteValue, OverflowError, ValueCommitTrapdoor, ValueCommitment, ValueSum},
@@ -79,15 +79,20 @@ impl SpendInfo {
     /// Returns `None` if the `fvk` does not own the `note`.
     ///
     /// [`Builder::add_spend`]: Builder::add_spend
-    pub fn new(fvk: FullViewingKey, note: Note, merkle_path: MerklePath) -> Option<Self> {
+    pub fn new(
+        fvk: FullViewingKey,
+        note: Note,
+        merkle_path: MerklePath,
+        split_flag: bool,
+    ) -> Option<Self> {
         let scope = fvk.scope_for_address(&note.recipient())?;
         Some(SpendInfo {
             dummy_sk: None,
             fvk,
             scope,
             note,
             merkle_path,
-            split_flag: false,
+            split_flag,
         })
     }
 
@@ -112,10 +117,7 @@ impl SpendInfo {
 
     /// Return a copy of this note with the split flag set to `true`.
     fn create_split_spend(&self) -> Self {
-        let mut split_spend = SpendInfo::new(self.fvk.clone(), self.note, self.merkle_path.clone())
-            .expect("The spend info is valid");
-        split_spend.split_flag = true;
-        split_spend
+        SpendInfo::new(self.fvk.clone(), self.note, self.merkle_path.clone(), true).unwrap()
     }
 }
 
@@ -224,7 +226,7 @@ impl ActionInfo {
 
         let encrypted_note = TransmittedNoteCiphertext {
             epk_bytes: encryptor.epk().to_bytes().0,
-            enc_ciphertext: encryptor.encrypt_note_plaintext(),
+            enc_ciphertext: encryptor.encrypt_note_plaintext().0,
             out_ciphertext: encryptor.encrypt_outgoing_plaintext(&cv_net, &cmx, &mut rng),
         };
 
@@ -278,7 +280,7 @@ impl Builder {
     /// Returns an error if the given Merkle path does not have the required anchor for
     /// the given note.
     ///
-    /// [`OrchardDomain`]: crate::note_encryption::OrchardDomain
+    /// [`OrchardDomain`]: crate::note_encryption_v3::OrchardDomainV3
     /// [`MerkleHashOrchard`]: crate::tree::MerkleHashOrchard
     pub fn add_spend(
         &mut self,

src/bundle.rs

@@ -20,7 +20,7 @@ use crate::{
     circuit::{Instance, Proof, VerifyingKey},
     keys::{IncomingViewingKey, OutgoingViewingKey, PreparedIncomingViewingKey},
     note::Note,
-    note_encryption::OrchardDomain,
+    note_encryption_v3::OrchardDomainV3,
     primitives::redpallas::{self, Binding, SpendAuth},
     tree::Anchor,
     value::{ValueCommitTrapdoor, ValueCommitment, ValueSum},
@@ -305,7 +305,7 @@ impl<T: Authorization, V> Bundle<T, V> {
             .iter()
             .enumerate()
             .filter_map(|(idx, action)| {
-                let domain = OrchardDomain::for_action(action);
+                let domain = OrchardDomainV3::for_action(action);
                 prepared_keys.iter().find_map(|(ivk, prepared_ivk)| {
                     try_note_decryption(&domain, prepared_ivk, action)
                         .map(|(n, a, m)| (idx, (*ivk).clone(), n, a, m))
@@ -324,7 +324,7 @@ impl<T: Authorization, V> Bundle<T, V> {
     ) -> Option<(Note, Address, [u8; 512])> {
         let prepared_ivk = PreparedIncomingViewingKey::new(key);
         self.actions.get(action_idx).and_then(move |action| {
-            let domain = OrchardDomain::for_action(action);
+            let domain = OrchardDomainV3::for_action(action);
             try_note_decryption(&domain, &prepared_ivk, action)
         })
     }
@@ -341,7 +341,7 @@ impl<T: Authorization, V> Bundle<T, V> {
             .iter()
             .enumerate()
             .filter_map(|(idx, action)| {
-                let domain = OrchardDomain::for_action(action);
+                let domain = OrchardDomainV3::for_action(action);
                 keys.iter().find_map(move |key| {
                     try_output_recovery_with_ovk(
                         &domain,
@@ -365,7 +365,7 @@ impl<T: Authorization, V> Bundle<T, V> {
         key: &OutgoingViewingKey,
     ) -> Option<(Note, Address, [u8; 512])> {
         self.actions.get(action_idx).and_then(move |action| {
-            let domain = OrchardDomain::for_action(action);
+            let domain = OrchardDomainV3::for_action(action);
             try_output_recovery_with_ovk(
                 &domain,
                 key,
@@ -527,7 +527,7 @@ pub mod testing {
     use super::{Action, Authorization, Authorized, Bundle, Flags};
 
     pub use crate::action::testing::{arb_action, arb_unauthorized_action};
-    use crate::note::asset_id::testing::zsa_asset_id;
+    use crate::note::asset_id::testing::arb_zsa_asset_id;
     use crate::note::AssetId;
     use crate::value::testing::arb_value_sum;
 
@@ -591,7 +591,11 @@ pub mod testing {
 
     prop_compose! {
         /// Create an arbitrary vector of assets to burn.
-        pub fn arb_asset_to_burn()(asset_id in zsa_asset_id(), value in arb_value_sum()) -> (AssetId, ValueSum) {
+        pub fn arb_asset_to_burn()
+        (
+            asset_id in arb_zsa_asset_id(),
+            value in arb_value_sum()
+        ) -> (AssetId, ValueSum) {
             (asset_id, value)
         }
     }

src/bundle/commitments.rs

@@ -42,13 +42,13 @@ pub(crate) fn hash_bundle_txid_data<A: Authorization, V: Copy + Into<i64>>(
         ch.update(&action.nullifier().to_bytes());
         ch.update(&action.cmx().to_bytes());
         ch.update(&action.encrypted_note().epk_bytes);
-        ch.update(&action.encrypted_note().enc_ciphertext[..52]);
+        ch.update(&action.encrypted_note().enc_ciphertext[..84]); // TODO: make sure it is backward compatible with Orchard [..52]
 
-        mh.update(&action.encrypted_note().enc_ciphertext[52..564]);
+        mh.update(&action.encrypted_note().enc_ciphertext[84..596]);
 
         nh.update(&action.cv_net().to_bytes());
         nh.update(&<[u8; 32]>::from(action.rk()));
-        nh.update(&action.encrypted_note().enc_ciphertext[564..]);
+        nh.update(&action.encrypted_note().enc_ciphertext[596..]);
         nh.update(&action.encrypted_note().out_ciphertext);
     }
 

src/issuance.rs

@@ -344,7 +344,7 @@ impl IssueBundle<Signed> {
 ///     * Asset description size is collect.
 ///     * `AssetId` for the `IssueAction` has not been previously finalized.
 /// * For each `Note` inside an `IssueAction`:
-///     * All notes have the same, correct `NoteType`.
+///     * All notes have the same, correct `AssetId`.
 pub fn verify_issue_bundle(
     bundle: &IssueBundle<Signed>,
     sighash: [u8; 32],
@@ -356,7 +356,6 @@ pub fn verify_issue_bundle(
 
     let s = &mut HashSet::<AssetId>::new();
 
-    // An IssueAction could have just one properly derived AssetId.
     let newly_finalized = bundle
         .actions()
         .iter()
@@ -373,7 +372,7 @@ pub fn verify_issue_bundle(
                 return Err(IssueActionPreviouslyFinalizedNoteType(asset));
             }
 
-            // Add to finalization set, if needed.
+            // Add to the finalization set, if needed.
             if action.is_finalized() {
                 newly_finalized.insert(asset);
             }
@@ -1025,30 +1024,31 @@ mod tests {
 pub mod testing {
     use crate::issuance::{IssueAction, IssueBundle, Prepared, Signed, Unauthorized};
     use crate::keys::testing::{arb_issuance_authorizing_key, arb_issuance_validating_key};
+    use crate::note::asset_id::testing::zsa_asset_id;
     use crate::note::testing::arb_zsa_note;
     use proptest::collection::vec;
     use proptest::prelude::*;
     use proptest::prop_compose;
-    use proptest::string::string_regex;
     use rand::{rngs::StdRng, SeedableRng};
 
     prop_compose! {
-        /// Generate an issue action given note value
-        pub fn arb_issue_action()(
-            note in arb_zsa_note(),
-            asset_descr in string_regex(".{1,512}").unwrap()
-        ) -> IssueAction {
-            IssueAction::new(asset_descr, &note)
+        /// Generate an issue action
+        pub fn arb_issue_action(asset_desc: String)
+        (
+            asset in zsa_asset_id(asset_desc.clone()),
+        )
+        (
+            note in arb_zsa_note(asset),
+        )-> IssueAction {
+            IssueAction::new(asset_desc.clone(), &note)
         }
     }
 
     prop_compose! {
-        /// Generate an arbitrary issue bundle with fake authorization data. This bundle does not
-        /// necessarily respect consensus rules; for that use
-        /// [`crate::builder::testing::arb_issue_bundle`]
+        /// Generate an arbitrary issue bundle with fake authorization data.
         pub fn arb_unathorized_issue_bundle(n_actions: usize)
         (
-            actions in vec(arb_issue_action(), n_actions),
+            actions in vec(arb_issue_action("asset_desc".to_string()), n_actions),
             ik in arb_issuance_validating_key()
         ) -> IssueBundle<Unauthorized> {
             IssueBundle {
@@ -1061,11 +1061,10 @@ pub mod testing {
 
     prop_compose! {
         /// Generate an arbitrary issue bundle with fake authorization data. This bundle does not
-        /// necessarily respect consensus rules; for that use
-        /// [`crate::builder::testing::arb_issue_bundle`]
+        /// necessarily respect consensus rules
         pub fn arb_prepared_issue_bundle(n_actions: usize)
         (
-            actions in vec(arb_issue_action(), n_actions),
+            actions in vec(arb_issue_action("asset_desc".to_string()), n_actions),
             ik in arb_issuance_validating_key(),
             fake_sighash in prop::array::uniform32(prop::num::u8::ANY)
         ) -> IssueBundle<Prepared> {
@@ -1079,11 +1078,10 @@ pub mod testing {
 
     prop_compose! {
         /// Generate an arbitrary issue bundle with fake authorization data. This bundle does not
-        /// necessarily respect consensus rules; for that use
-        /// [`crate::builder::testing::arb_issue_bundle`]
+        /// necessarily respect consensus rules
         pub fn arb_signed_issue_bundle(n_actions: usize)
         (
-            actions in vec(arb_issue_action(), n_actions),
+            actions in vec(arb_issue_action("asset_desc".to_string()), n_actions),
             ik in arb_issuance_validating_key(),
             isk in arb_issuance_authorizing_key(),
             rng_seed in prop::array::uniform32(prop::num::u8::ANY),

src/lib.rs

@@ -25,7 +25,8 @@ mod constants;
 pub mod issuance;
 pub mod keys;
 pub mod note;
-pub mod note_encryption;
+// pub mod note_encryption; // disabled until backward compatability is implemented.
+pub mod note_encryption_v3;
 pub mod primitives;
 mod spec;
 pub mod tree;

src/note.rs

@@ -279,7 +279,7 @@ pub struct TransmittedNoteCiphertext {
     /// The serialization of the ephemeral public key
     pub epk_bytes: [u8; 32],
     /// The encrypted note ciphertext
-    pub enc_ciphertext: [u8; 580],
+    pub enc_ciphertext: [u8; 612],
     /// An encrypted value that allows the holder of the outgoing cipher
     /// key for the note to recover the note plaintext.
     pub out_ciphertext: [u8; 80],
@@ -302,7 +302,7 @@ pub mod testing {
     use proptest::prelude::*;
 
     use crate::note::asset_id::testing::arb_asset_id;
-    use crate::note::asset_id::testing::zsa_asset_id;
+    use crate::note::AssetId;
     use crate::value::testing::arb_note_value;
     use crate::{
         address::testing::arb_address, note::nullifier::testing::arb_nullifier, value::NoteValue,
@@ -336,13 +336,30 @@ pub mod testing {
     }
 
     prop_compose! {
-        /// Generate an arbitrary ZSA note
-        pub fn arb_zsa_note()(
+        /// Generate an arbitrary native note
+        pub fn arb_native_note()(
+            recipient in arb_address(),
+            value in arb_note_value(),
+            rho in arb_nullifier(),
+            rseed in arb_rseed(),
+        ) -> Note {
+            Note {
+                recipient,
+                value,
+                asset: AssetId::native(),
+                rho,
+                rseed,
+            }
+        }
+    }
+
+    prop_compose! {
+        /// Generate an arbitrary zsa note
+        pub fn arb_zsa_note(asset: AssetId)(
             recipient in arb_address(),
             value in arb_note_value(),
             rho in arb_nullifier(),
             rseed in arb_rseed(),
-            asset in zsa_asset_id(),
         ) -> Note {
             Note {
                 recipient,

src/note/asset_id.rs

@@ -120,8 +120,8 @@ pub mod testing {
     }
 
     prop_compose! {
-        /// Generate the ZSA note type
-        pub fn zsa_asset_id()(
+        /// Generate an asset ID
+        pub fn arb_zsa_asset_id()(
             sk in arb_spending_key(),
             str in "[A-Za-z]{255}"
         ) -> AssetId {
@@ -130,6 +130,17 @@ pub mod testing {
         }
     }
 
+    prop_compose! {
+        /// Generate an asset ID using a specific description
+        pub fn zsa_asset_id(asset_desc: String)(
+            sk in arb_spending_key(),
+        ) -> AssetId {
+            assert!(super::is_asset_desc_of_valid_size(&asset_desc));
+            let isk = IssuanceAuthorizingKey::from(&sk);
+            AssetId::derive(&IssuanceValidatingKey::from(&isk), &asset_desc)
+        }
+    }
+
     #[test]
     fn test_vectors() {
         let test_vectors = crate::test_vectors::asset_id::test_vectors();