Port zebra-chain::sapling to zebra-chain::orchard

zebra-chain/Cargo.toml

@@ -8,12 +8,12 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
-
 default = []
 proptest-impl = ["proptest", "proptest-derive", "itertools"]
 bench = ["zebra-test"]
 
 [dependencies]
+aes = "0.6"
 bech32 = "0.8.0"
 bitflags = "1.2.1"
 bitvec = "0.17.4"
@@ -23,8 +23,14 @@ bs58 = { version = "0.4", features = ["check"] }
 byteorder = "1.4"
 chrono = { version = "0.4", features = ["serde"] }
 displaydoc = "0.2.1"
-equihash = "0.1"
+fpe = "0.4"
+# Temporary workaround for https://github.com/myrrlyn/funty/issues/3
+# TODO: remove: https://github.com/ZcashFoundation/zebra/issues/2082
+funty = "=1.1.0"
 futures = "0.3"
+group = "0.9"
+# TODO: replace w/ crate version when released: https://github.com/ZcashFoundation/zebra/issues/2083
+halo2 = { git = "https://github.com/zcash/halo2.git", rev = "dda60a363001373d564156ad0334e2022d85a5b4"}
 hex = "0.4"
 jubjub = "0.6.0"
 lazy_static = "1.4.0"
@@ -43,14 +49,14 @@ proptest-derive = { version = "0.3.0", optional = true }
 itertools = { version = "0.10.0", optional = true }
 
 # ZF deps
-ed25519-zebra = "2.2.0"
+ed25519-zebra = "2"
+equihash = "0.1"
 redjubjub = "0.4"
 
 zebra-test = { path = "../zebra-test/", optional = true }
 
 [dev-dependencies]
 bincode = "1"
-
 color-eyre = "0.5.11"
 criterion = { version = "0.3", features = ["html_reports"] }
 spandoc = "0.2"

zebra-chain/proptest-regressions/orchard/keys/tests.txt

@@ -0,0 +1,7 @@
+# Seeds for failure cases proptest has generated in the past. It is
+# automatically read and these particular cases re-run before any
+# novel cases are generated.
+#
+# It is recommended to check this file in to source control so that
+# everyone who runs the test benefits from these saved cases.
+cc 8ba80e3da74dc90c627f620bed08c47e7a13bb2e7762aad6e8c8f362237aed1b # shrinks to spending_key = SpendingKey { network: Mainnet, bytes: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] }

zebra-chain/src/amount.rs

@@ -166,6 +166,17 @@ impl<C> From<Amount<C>> for jubjub::Fr {
     }
 }
 
+impl<C> From<Amount<C>> for halo2::pasta::pallas::Scalar {
+    fn from(a: Amount<C>) -> halo2::pasta::pallas::Scalar {
+        // TODO: this isn't constant time -- does that matter?
+        if a.0 < 0 {
+            halo2::pasta::pallas::Scalar::from(a.0.abs() as u64).neg()
+        } else {
+            halo2::pasta::pallas::Scalar::from(a.0 as u64)
+        }
+    }
+}
+
 impl<C> TryFrom<i64> for Amount<C>
 where
     C: Constraint,

zebra-chain/src/lib.rs

@@ -1,29 +1,27 @@
 //! Core Zcash data structures. 🦓
 //!
-//! This crate provides definitions of core datastructures for Zcash, such as
+//! This crate provides definitions of core data structures for Zcash, such as
 //! blocks, transactions, addresses, etc.
 
 #![doc(html_favicon_url = "https://www.zfnd.org/images/zebra-favicon-128.png")]
 #![doc(html_logo_url = "https://www.zfnd.org/images/zebra-icon.png")]
 #![doc(html_root_url = "https://doc.zebra.zfnd.org/zebra_chain")]
-// #![deny(missing_docs)]
 #![allow(clippy::try_err)]
+// The actual lints we want to disable
+#![allow(clippy::unnecessary_wraps)]
 // Disable some broken or unwanted clippy nightly lints
 // Build without warnings on nightly 2021-01-17 and later and stable 1.51 and later
 #![allow(unknown_lints)]
 // Disable old lint warnings on nightly until 1.51 is stable
 #![allow(renamed_and_removed_lints)]
-// Use the old lint name to build without warnings on stable until 1.51 is stable
-#![allow(clippy::unknown_clippy_lints)]
-// The actual lints we want to disable
-#![allow(clippy::unnecessary_wraps)]
 
 #[macro_use]
 extern crate serde;
 
 pub mod amount;
 pub mod block;
 pub mod fmt;
+pub mod orchard;
 pub mod parameters;
 pub mod primitives;
 pub mod sapling;

zebra-chain/src/orchard.rs

@@ -0,0 +1,20 @@
+//! Orchard-related functionality.
+
+#![warn(missing_docs)]
+
+mod action;
+mod address;
+#[cfg(any(test, feature = "proptest-impl"))]
+mod arbitrary;
+mod commitment;
+mod note;
+mod sinsemilla;
+
+pub mod keys;
+pub mod tree;
+
+pub use action::Action;
+pub use address::Address;
+pub use commitment::{CommitmentRandomness, NoteCommitment, ValueCommitment};
+pub use keys::Diversifier;
+pub use note::{EncryptedNote, Note, Nullifier};

zebra-chain/src/orchard/action.rs

@@ -0,0 +1,72 @@
+use std::io;
+
+use halo2::pasta::pallas;
+
+use crate::{
+    primitives::redpallas::{self, SpendAuth},
+    serialization::{
+        serde_helpers, ReadZcashExt, SerializationError, ZcashDeserialize, ZcashSerialize,
+    },
+};
+
+use super::{
+    commitment::{self, ValueCommitment},
+    keys,
+    note::{self, Nullifier},
+};
+
+/// An Action description, as described in the [Zcash specification §7.3][actiondesc].
+///
+/// Action transfers can optionally perform a spend, and optionally perform an
+/// output.  Action descriptions are data included in a transaction that
+/// describe Action transfers.
+///
+/// [actiondesc]: https://zips.z.cash/protocol/nu5.pdf#actiondesc
+#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub struct Action {
+    /// A value commitment to net value of the input note minus the output note
+    pub cv: commitment::ValueCommitment,
+    /// The nullifier of the input note being spent.
+    pub nullifier: note::Nullifier,
+    /// The randomized validating key for spendAuthSig,
+    pub rk: redpallas::VerificationKeyBytes<SpendAuth>,
+    /// The x-coordinate of the note commitment for the output note.
+    #[serde(with = "serde_helpers::Base")]
+    pub cm_x: pallas::Base,
+    /// An encoding of an ephemeral Pallas public key corresponding to the
+    /// encrypted private key in `out_ciphertext`.
+    pub ephemeral_key: keys::EphemeralPublicKey,
+    /// A ciphertext component for the encrypted output note.
+    pub enc_ciphertext: note::EncryptedNote,
+    /// A ciphertext component that allows the holder of a full viewing key to
+    /// recover the recipient diversified transmission key and the ephemeral
+    /// private key (and therefore the entire note plaintext).
+    pub out_ciphertext: note::WrappedNoteKey,
+}
+
+impl ZcashSerialize for Action {
+    fn zcash_serialize<W: io::Write>(&self, mut writer: W) -> Result<(), io::Error> {
+        self.cv.zcash_serialize(&mut writer)?;
+        writer.write_all(&<[u8; 32]>::from(self.nullifier)[..])?;
+        writer.write_all(&<[u8; 32]>::from(self.rk)[..])?;
+        writer.write_all(&<[u8; 32]>::from(self.cm_x)[..])?;
+        self.ephemeral_key.zcash_serialize(&mut writer)?;
+        self.enc_ciphertext.zcash_serialize(&mut writer)?;
+        self.out_ciphertext.zcash_serialize(&mut writer)?;
+        Ok(())
+    }
+}
+
+impl ZcashDeserialize for Action {
+    fn zcash_deserialize<R: io::Read>(mut reader: R) -> Result<Self, SerializationError> {
+        Ok(Action {
+            cv: ValueCommitment::zcash_deserialize(&mut reader)?,
+            nullifier: Nullifier::from(reader.read_32_bytes()?),
+            rk: reader.read_32_bytes()?.into(),
+            cm_x: pallas::Base::zcash_deserialize(&mut reader)?,
+            ephemeral_key: keys::EphemeralPublicKey::zcash_deserialize(&mut reader)?,
+            enc_ciphertext: note::EncryptedNote::zcash_deserialize(&mut reader)?,
+            out_ciphertext: note::WrappedNoteKey::zcash_deserialize(&mut reader)?,
+        })
+    }
+}