Skip to content

Constant-time note commitment for ZEC and ZSA#54

Merged
ConstanceBeguier merged 10 commits intozsa1from
constant_time_commitment_v3
Apr 25, 2023
Merged

Constant-time note commitment for ZEC and ZSA#54
ConstanceBeguier merged 10 commits intozsa1from
constant_time_commitment_v3

Conversation

@ConstanceBeguier
Copy link
Collaborator

@ConstanceBeguier ConstanceBeguier commented Apr 19, 2023

We would like to have a constant-time evaluation of the note commitment for both ZEC and ZSA.
ZEC_note_commitment=Extract_P(SinsemillaHashToPoint(zec_personalization, common_bits) + [rcm]R)
ZSA_note_commitment=Extract_P(SinsemillaHashToPoint(zsa_personalization, common_bits || asset) + [rcm]R)

R is the same constant for ZEC and ZSA note commitments.

@ConstanceBeguier ConstanceBeguier mentioned this pull request Apr 19, 2023
Closed
@ConstanceBeguier ConstanceBeguier changed the title Constant-time note commitment v2 Constant-time note commitment for ZEC and ZSA Apr 19, 2023
@ConstanceBeguier ConstanceBeguier force-pushed the constant_time_commitment_v3 branch from f3fd3f6 to 2f9de93 Compare April 19, 2023 14:06
PaulLaux
PaulLaux reviewed Apr 20, 2023
View reviewed changes
src/note/commitment.rs
Comment on lines +66 to +72
let type_bits = BitArray::<_, Lsb0>::new(asset.to_bytes());
let zsa_note_bits = iter::empty()
.chain(g_d_bits.iter().by_vals())
.chain(pk_d_bits.iter().by_vals())
.chain(v_bits.iter().by_vals())
.chain(rho_bits.iter().by_vals().take(L_ORCHARD_BASE))
.chain(psi_bits.iter().by_vals().take(L_ORCHARD_BASE))
.chain(type_bits.iter().by_vals());
Copy link
Collaborator

@PaulLaux PaulLaux Apr 20, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there is no need to compute the mutual part twice. Somthing like this should work:

        let common_note_bits = iter::empty()
                    .chain(g_d_bits.iter().by_vals())
                    .chain(pk_d_bits.iter().by_vals())
                    .chain(v_bits.iter().by_vals())
                    .chain(rho_bits.iter().by_vals().take(L_ORCHARD_BASE))
                    .chain(psi_bits.iter().by_vals().take(L_ORCHARD_BASE));

        let zec_note_bits = common_note_bits.cloned();

        let type_bits = BitArray::<_, Lsb0>::new(asset.to_bytes());
        let zsa_note_bits = 
            common_note_bits
            .chain(type_bits.iter().by_vals());

Copy link
Collaborator Author

@ConstanceBeguier ConstanceBeguier Apr 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have some difficulties to clone the Chain.
I could convert the chain into a vector, then clone it and then convert it back into an iterator... (see my last commit)
We could discuss about it Monday morning.

@PaulLaux PaulLaux mentioned this pull request Apr 20, 2023
Closed
@QED-it QED-it deleted a comment from what-the-diff bot Apr 20, 2023
@PaulLaux
Copy link
Collaborator

PaulLaux commented Apr 20, 2023

Also blocked by QED-it/zcash-test-vectors#8 (review)

@ConstanceBeguier ConstanceBeguier force-pushed the constant_time_commitment_v3 branch from d84f909 to e35aca4 Compare April 21, 2023 14:00
PaulLaux
PaulLaux reviewed Apr 24, 2023
View reviewed changes
src/note/commitment.rs
.chain(type_bits.iter().by_vals());

let zec_domain = sinsemilla::CommitDomain::new(NOTE_COMMITMENT_PERSONALIZATION);
let zsa_domain = sinsemilla::CommitDomain::new_with_personalization(
Copy link
Collaborator

@PaulLaux PaulLaux Apr 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should rename it to sinsemilla::CommitDomain::new_with_blind_personalization(). Either now or remember to do it after ECC review for our PR.

Copy link
Collaborator Author

@ConstanceBeguier ConstanceBeguier Apr 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I rename it, I have also to rename it in qedit/halo2 but the PR in qedit/halo2 has already been merged on zsa1.
I prefer to rename it after ECC review for our PR.

src/note/commitment.rs Outdated
use rand::{rngs::OsRng, Rng};

#[test]
fn test_note_commit() {
Copy link
Collaborator

@PaulLaux PaulLaux Apr 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As previously mentioned, this does not test derive(). This seems to be a lower-level test, am I missing something?

Copy link
Collaborator Author

@ConstanceBeguier ConstanceBeguier Apr 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it is a lower level test. It just tests that splitting the commitment evaluation into hashing and blinding gives the same result than directly evaluating the commitment.

Copy link
Collaborator Author

@ConstanceBeguier ConstanceBeguier Apr 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I renamed this test

@ConstanceBeguier ConstanceBeguier merged commit 7d3b6df into zsa1 Apr 25, 2023
@PaulLaux PaulLaux mentioned this pull request May 14, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PaulLaux PaulLaux PaulLaux approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ConstanceBeguier @PaulLaux