Sapling note encryption #69
Addressed @ebfull's comments.
Part of ZIP 307.
d4e6a66 to e17e4b1
Rebased on master to address merge conflicts.
This crate exposes both the ChaCha20Poly1305 IETF construction, and the underlying ChaCha20 IETF primitive, removing the need for depending on our own fork of the previous chacha20-poly1305-aead crate.
The crypto_api_chachapoly crate uses two new features introduced in Rust 1.32:
- Self struct constructors
- u64::to_le_bytes()
In the last month, a new crate has been published that exposes both the ChaCha20Poly1305 IETF construction and the underlying ChaCha20 IETF primitive. I've pushed a commit that switches us from our own fork of an implementation (which would inhibit us publishing crates) to this new crate. The previous test vectors all pass. Note that this requires raising our minimum Rust version to 1.32. Incidentally, by doing this we should be able to replace our own usage of the
9207b35 to edf7bc1
Make util module public
Eirik0
left a comment
Looks good, just had a couple of minor nits. I requested changes.
Please note that merging this also blocks on reviewing the

@daira we don't yet depend on any ChaCha20Poly1305 implementation in the Rust codebase. When I said "switch", I meant that this PR originally added a dependency on (a fork of) one implementation, and it now adds a dependency on a different implementation. I agree that we should still be happy that the dependency is solid for our usage.

@defuse, @str4d and I reviewed the I have not yet reviewed the PR itself.
Two issues were opened on
let pk_d = edwards::Point::<Bls12, _>::read(&op[0..32], &JUBJUB)
    .ok()?
    .as_prime_order(&JUBJUB)?;
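Review bot: `as_prime_order` only establishes membership in the prime-order subgroup; the PublicPrimeOrder requirement of section 4.17.3 also excludes the identity, so add an explicit check that the decoded pk_d is not the zero point before returning it (return None otherwise, matching the trial-decryption style of the `.ok()?` above).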
as_prime_order does not check that the point is of prime order (in KASapling.PublicPrimeOrder which is J(r)∗), as required by section 4.17.3. It only checks that it is in the prime-order subgroup J(r).
Misleading method name as_prime_order noted at zcash/sapling-crypto#97 (comment).
assert_eq!(&ne.encrypt_outgoing_plaintext(&cv, &cmu)[..], &tv.c_out[..]);
}
}
}
Despite my nitpicking, these are excellent tests! 👍
pub(crate) fn make_test_vectors() -> Vec<TestVector> {
// From https://github.com/zcash-hackworks/zcash-test-vectors/blob/master/sapling_note_encryption.py
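Review bot: the source link points at the master branch of zcash-test-vectors, so the vectors here can silently drift from what the comment cites; pin the link to the commit of sapling_note_encryption.py the vectors were generated from so a reviewer can regenerate and diff them.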
I have not checked that these match the source.
This matches how sapling_ka_agree and kdf_sapling are defined in the protocol spec. kdf_sapling also now takes ownership of dhsecret to discourage use of the sapling_ka_agree output elsewhere.
Addressed @daira's comments. I also replaced all uses of
daira
left a comment
ut(ACK+cov) modulo one unaddressed comment (the missing spec reference).
"checksum constant_time_eq 0.1.3 (registry+https://github.com/rust-lang/crates.io-index)" = "8ff012e225ce166d4422e0e78419d901719760f62ae2b7969ca6b564d1b54a9e"
"checksum crossbeam 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "24ce9782d4d5c53674646a6a4c1863a21a8fc0cb649b3c94dfc16e45071dea19"
"checksum crypto_api 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)" = "2f855e87e75a4799e18b8529178adcde6fd4f97c1449ff4821e747ff728bb102"
"checksum crypto_api_chachapoly 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)" = "2f9ee35dbace0831b5fe7cb9b43eb029aa14a10f594a115025d4628a2baa63ab"
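Review bot: Cargo checks these lockfile checksums against the registry index when it fetches the crates, so a wrong hash fails the build rather than slipping through; what review should confirm instead is that crypto_api 0.2.2 and crypto_api_chachapoly 0.1.8 are the intended pinned versions and that constant_time_eq 0.1.3 and crossbeam 0.3.2 are expected transitive additions of that switch rather than hand-added entries.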
I have not checked these hashes.
NOTE_PLAINTEXT_SIZE
);

// Check note plaintext version
Implements full trial decryption (per the protocol spec) as well as compact trial decryption (per ZIP 307).
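As an added example (not code from this PR or from librustzcash), the plaintext layout that both decryption paths hand back, parsed after decryption: the full 564-byte note plaintext from the protocol spec and the 52-byte compact prefix from ZIP 307. The sizes and the 0x01 lead byte are the spec's; the constant, struct and function names are ours, and the lead-byte test is the version check the diff fragment above refers to.

```rust
// Added example, not code from the librustzcash PR: parse a decrypted Sapling
// note plaintext in the full layout (protocol spec) or the compact one (ZIP 307).
// The sizes and lead byte are the spec's; names are ours.
const COMPACT_NOTE_SIZE: usize = 1 + 11 + 8 + 32; // lead byte || d || v || rcm
const MEMO_SIZE: usize = 512;
const NOTE_PLAINTEXT_SIZE: usize = COMPACT_NOTE_SIZE + MEMO_SIZE; // 564
const SAPLING_LEAD_BYTE: u8 = 0x01;
#[derive(Debug)]
pub struct NotePlaintext {
    pub diversifier: [u8; 11],
    pub value: u64,
    pub rcm: [u8; 32],
    /// Only available when the full plaintext, not just the compact prefix, was decrypted.
    pub memo: Option<Vec<u8>>,
}

/// Returns None on a wrong length or an unknown lead byte, which is how a trial
/// decryption routine rejects outputs that are not for this recipient. The real code
/// additionally checks that rcm is a canonical Jubjub scalar and that the commitment
/// recomputed from (d, v, rcm) matches cmu; this example stops at the layout.
pub fn parse_note_plaintext(plaintext: &[u8]) -> Option<NotePlaintext> {
    if plaintext.len() != COMPACT_NOTE_SIZE && plaintext.len() != NOTE_PLAINTEXT_SIZE {
        return None;
    }
    // Check note plaintext version: only the Sapling lead byte is accepted.
    if plaintext[0] != SAPLING_LEAD_BYTE {
        return None;
    }
    let mut diversifier = [0u8; 11];
    diversifier.copy_from_slice(&plaintext[1..12]);
    let mut v = [0u8; 8];
    v.copy_from_slice(&plaintext[12..20]);
    let value = u64::from_le_bytes(v); // note value is little-endian
    let mut rcm = [0u8; 32];
    rcm.copy_from_slice(&plaintext[20..52]);
    let memo = (plaintext.len() == NOTE_PLAINTEXT_SIZE).then(|| plaintext[52..].to_vec());
    Some(NotePlaintext { diversifier, value, rcm, memo })
}

/// Serialise in the spec layout; used here to construct example input.
pub fn encode_note_plaintext(d: &[u8; 11], value: u64, rcm: &[u8; 32], memo: Option<&[u8]>) -> Vec<u8> {
    let mut out = Vec::with_capacity(NOTE_PLAINTEXT_SIZE);
    out.push(SAPLING_LEAD_BYTE);
    out.extend_from_slice(d);
    out.extend_from_slice(&value.to_le_bytes()); // the u64::to_le_bytes the PR relies on
    out.extend_from_slice(rcm);
    if let Some(m) = memo { out.extend_from_slice(m); }
    out
}
```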