chore: minimize orchard fork + switch imt-tree to crates.io

UPSTREAM.md

@@ -0,0 +1,114 @@
+# Orchard fork: upstream checklist
+
+This document lists every remaining change in `orchard/` (our fork of
+[zcash/orchard](https://github.com/zcash/orchard) v0.11.0) that would need to
+be accepted upstream before we can delete the fork and depend on the published
+crate.
+
+Once all items below are merged upstream, replace
+`orchard = { path = "../orchard" }` in `voting-circuits/Cargo.toml` with
+`orchard = "<version>"` and delete the `orchard/` directory.
+
+## Visibility widenings (`pub(crate)` to `pub`)
+
+These items are `pub(crate)` in upstream v0.11.0. Our fork widens them to `pub`
+because voting-circuits imports them directly.
+
+### `circuit.rs` / `circuit/gadget.rs`
+
+- [ ] `pub mod commit_ivk` (circuit.rs) — expose the CommitIvk sub-circuit
+- [ ] `pub mod note_commit` (circuit.rs) — expose the NoteCommit sub-circuit
+- [ ] `pub mod gadget` (circuit.rs) — expose the gadget module
+- [ ] `pub trait AddInstruction` (gadget.rs) — addition trait
+- [ ] `pub fn assign_free_advice` (gadget.rs) — cell assignment helper
+- [ ] `pub fn derive_nullifier` (gadget.rs) — nullifier derivation gadget
+- [ ] `pub use commit_ivk`, `pub use note_commit` (gadget.rs) — re-exports
+
+### `circuit/gadget/add_chip.rs`
+
+- [ ] `pub struct AddConfig` / `pub struct AddChip`
+- [ ] `pub fn configure` / `pub fn construct`
+
+### `circuit/commit_ivk.rs`
+
+- [ ] `pub fn configure` / `pub fn construct`
+- [ ] `pub mod gadgets` / `pub fn commit_ivk`
+
+### `circuit/note_commit.rs`
+
+- [ ] `pub fn configure` / `pub fn construct`
+- [ ] `pub mod gadgets` / `pub fn note_commit`
+
+### `constants.rs`
+
+- [ ] `pub const L_ORCHARD_BASE`
+
+### `constants/fixed_bases.rs`
+
+- [ ] `pub` re-exports: `OrchardFixedBases`, `OrchardFixedBasesFull`
+
+### `keys.rs`
+
+- [ ] `pub struct NullifierDerivingKey` + `pub fn inner()`
+- [ ] `pub struct CommitIvkRandomness` + `pub fn inner()`
+- [ ] `pub fn SpendingKey::random()`
+- [ ] `pub fn SpendAuthorizingKey::derive_inner()`
+- [ ] `pub fn FullViewingKey::nk()` / `pub fn FullViewingKey::rivk()`
+- [ ] `pub fn DiversifiedTransmissionKey::inner()` / `pub fn DiversifiedTransmissionKey::to_bytes()`
+
+### `spec.rs`
+
+- [ ] `pub struct NonIdentityPallasPoint` + `pub fn from_bytes()`
+
+### `note.rs` / `note/commitment.rs` / `note/nullifier.rs`
+
+- [ ] `pub mod commitment` / `pub mod nullifier` (note.rs)
+- [ ] `pub fn Note::new` / `pub fn Note::dummy` / `pub fn Note::from_nf_old`
+- [ ] `pub fn Note::into_inner` / `pub fn Note::psi` / `pub fn Note::rcm`
+- [ ] `pub use NoteCommitTrapdoor` re-export (note.rs)
+- [ ] `pub struct NoteCommitTrapdoor` + `pub fn inner()` (commitment.rs)
+- [ ] `pub fn NoteCommitment::inner()`
+- [ ] `pub fn ExtractedNoteCommitment::inner()`
+- [ ] `pub` field on `Nullifier` (nullifier.rs)
+
+### `tree.rs`
+
+- [ ] `pub fn MerkleHashOrchard::inner()`
+- [ ] `pub fn MerklePath::dummy()`
+
+### `value.rs`
+
+- [ ] `pub fn NoteValue::zero()`
+
+### `address.rs`
+
+- [ ] `pub fn Address::g_d()`
+- [ ] `pub fn Address::pk_d()`
+
+## Structural additions (new code, not just visibility)
+
+These items don't exist in upstream v0.11.0 at all. They would need to be
+proposed as new functionality.
+
+### `constants/fixed_bases.rs`
+
+- [ ] `OrchardBaseFieldBases` enum — new enum routing base-field fixed-base
+  multiplication (variants: `NullifierK`, `SpendAuthGBase`)
+- [ ] `OrchardShortScalarBases` enum — new enum routing short-scalar fixed-base
+  multiplication (variants: `ValueCommitV`, `SpendAuthGShort`)
+- [ ] Expanded `OrchardFixedBases` enum — new `Base(OrchardBaseFieldBases)` and
+  `Short(OrchardShortScalarBases)` variants alongside the existing
+  `Full(OrchardFixedBasesFull)`
+- [ ] `From` trait implementations and `FixedPoint` impls for the new variants
+- [ ] Test additions for the new variants
+
+### `constants/fixed_bases/spend_auth_g.rs`
+
+- [ ] `Z_SHORT` / `U_SHORT` precomputed tables for `SpendAuthGShort` — enables
+  short-scalar multiplication on the spend authorization generator
+
+### `circuit/gadget.rs`
+
+- [ ] `pub fn assign_constant()` — helper for assigning a constant value
+  constrained by the verification key (counterpart to the existing
+  `assign_free_advice`)

orchard/Cargo.toml

@@ -100,11 +100,8 @@ harness = false
 name = "circuit"
 harness = false
 
-[profile.dev]
-opt-level = 1       # Faster runtime for ZK circuits without full release optimization cost
-
 [profile.release]
-debug = false
+debug = true
 
 [profile.bench]
-debug = false
+debug = true

orchard/src/circuit.rs

@@ -26,7 +26,7 @@ use self::{
 use crate::{
     builder::SpendInfo,
     constants::{
-        OrchardCommitDomains, OrchardFixedBases, OrchardHashDomains,
+        OrchardCommitDomains, OrchardFixedBases, OrchardFixedBasesFull, OrchardHashDomains,
         MERKLE_DEPTH_ORCHARD,
     },
     keys::{
@@ -45,7 +45,7 @@ use crate::{
 use halo2_gadgets::{
     ecc::{
         chip::{EccChip, EccConfig},
-        NonIdentityPoint, Point, ScalarFixed, ScalarFixedShort, ScalarVar,
+        FixedPoint, NonIdentityPoint, Point, ScalarFixed, ScalarFixedShort, ScalarVar,
     },
     poseidon::{primitives as poseidon, Pow5Chip as PoseidonChip, Pow5Config as PoseidonConfig},
     sinsemilla::{
@@ -552,19 +552,24 @@ impl plonk::Circuit<pallas::Base> for Circuit {
         };
 
         // Spend authority (https://p.z.cash/ZKS:action-spend-authority)
-        //
-        // Uses the shared gadget from crate::shared_primitives – a 1:1 copy of
-        // the upstream Orchard spend authority check:
-        //   https://github.com/zcash/orchard/blob/main/src/circuit.rs#L542-L558
-        crate::shared_primitives::spend_authority::prove_spend_authority(
-            ecc_chip.clone(),
-            layouter.namespace(|| "spend authority"),
-            self.alpha,
-            &ak_P.clone().into(),
-            config.primary,
-            RK_X,
-            RK_Y,
-        )?;
+        {
+            let alpha =
+                ScalarFixed::new(ecc_chip.clone(), layouter.namespace(|| "alpha"), self.alpha)?;
+
+            // alpha_commitment = [alpha] SpendAuthG
+            let (alpha_commitment, _) = {
+                let spend_auth_g = OrchardFixedBasesFull::SpendAuthG;
+                let spend_auth_g = FixedPoint::from_inner(ecc_chip.clone(), spend_auth_g);
+                spend_auth_g.mul(layouter.namespace(|| "[alpha] SpendAuthG"), alpha)?
+            };
+
+            // [alpha] SpendAuthG + ak_P
+            let rk = alpha_commitment.add(layouter.namespace(|| "rk"), &ak_P)?;
+
+            // Constrain rk to equal public input
+            layouter.constrain_instance(rk.inner().x().cell(), config.primary, RK_X)?;
+            layouter.constrain_instance(rk.inner().y().cell(), config.primary, RK_Y)?;
+        }
 
         // Diversified address integrity (https://p.z.cash/ZKS:action-addr-integrity?partial).
         let pk_d_old = {

orchard/src/circuit/gadget.rs

@@ -25,7 +25,6 @@ use halo2_proofs::{
 };
 
 pub mod add_chip;
-pub mod mul_chip;
 
 impl super::Config {
     pub(super) fn add_chip(&self) -> add_chip::AddChip {
@@ -88,17 +87,6 @@ pub trait AddInstruction<F: Field>: Chip<F> {
     ) -> Result<AssignedCell<F, F>, plonk::Error>;
 }
 
-/// An instruction set for multiplying two circuit words (field elements).
-pub trait MulInstruction<F: Field>: Chip<F> {
-    /// Constraints `a * b` and returns the product.
-    fn mul(
-        &self,
-        layouter: impl Layouter<F>,
-        a: &AssignedCell<F, F>,
-        b: &AssignedCell<F, F>,
-    ) -> Result<AssignedCell<F, F>, plonk::Error>;
-}
-
 /// Witnesses the given value in a standalone region.
 ///
 /// Usages of this helper are technically superfluous, as the single-cell region is only
@@ -134,7 +122,7 @@ pub fn assign_constant<F: Field>(
 /// `ValueCommit^Orchard` from [Section 5.4.8.3 Homomorphic Pedersen commitments (Sapling and Orchard)].
 ///
 /// [Section 5.4.8.3 Homomorphic Pedersen commitments (Sapling and Orchard)]: https://zips.z.cash/protocol/protocol.pdf#concretehomomorphiccommit
-pub fn value_commit_orchard<
+pub(in crate::circuit) fn value_commit_orchard<
     EccChip: EccInstructions<
         pallas::Affine,
         FixedPoints = OrchardFixedBases,