Generalized orchardZSA

.gitignore

@@ -4,3 +4,5 @@ Cargo.lock
 .vscode
 .idea
 action-circuit-layout.png
+*.[0-9]
+*.[0-9][0-9]

Cargo.toml

@@ -26,11 +26,12 @@ rustdoc-args = ["--cfg", "docsrs", "--html-in-header", "katex-header.html"]
 aes = "0.8"
 bitvec = "1"
 blake2b_simd = "=1.0.1" # Last version required rust 1.66
+half = "=2.2.1" # Last version requires Rust 1.70
 ff = "0.13"
 fpe = "0.6"
 group = { version = "0.13", features = ["wnaf-memuse"] }
-halo2_gadgets = { git = "https://github.com/QED-it/halo2", branch = "zsa1" }
-halo2_proofs = { git = "https://github.com/QED-it/halo2", branch = "zsa1", default-features = false, features = ["batch", "floor-planner-v1-legacy-pdqsort"] }
+halo2_gadgets = { git = "https://github.com/QED-it/halo2", branch = "orchardzsa-backward-compatability" }
+halo2_proofs = { git = "https://github.com/QED-it/halo2", branch = "orchardzsa-backward-compatability", default-features = false, features = ["batch", "floor-planner-v1-legacy-pdqsort"] }
 hex = "0.4"
 k256 = { version = "0.13.0", features = ["arithmetic", "schnorr"] }
 lazy_static = "1"
@@ -54,8 +55,8 @@ plotters = { version = "0.3.0", optional = true }
 
 [dev-dependencies]
 bridgetree = "0.4"
-criterion = "0.4" #Pinned: 0.5 depends on clap 4 which has MSRV 1.70
-halo2_gadgets = { git = "https://github.com/QED-it/halo2", branch = "zsa1", features = ["test-dependencies"] }
+criterion = "0.4" # 0.5 depends on clap 4 which has MSRV 1.70
+halo2_gadgets = { git = "https://github.com/QED-it/halo2", branch = "orchardzsa-backward-compatability", features = ["test-dependencies"] }
 hex = "0.4"
 proptest = "1.0.0"
 zcash_note_encryption_zsa = { package = "zcash_note_encryption", version = "0.4", git = "https://github.com/QED-it/zcash_note_encryption", branch = "zsa1", features = ["pre-zip-212"] }

benches/circuit.rs

@@ -12,6 +12,7 @@ use orchard::{
     bundle::Flags,
     circuit::{ProvingKey, VerifyingKey},
     keys::{FullViewingKey, Scope, SpendingKey},
+    orchard_flavor::OrchardZSA,
     value::NoteValue,
     Anchor, Bundle,
 };
@@ -23,8 +24,9 @@ fn criterion_benchmark(c: &mut Criterion) {
     let sk = SpendingKey::from_bytes([7; 32]).unwrap();
     let recipient = FullViewingKey::from(&sk).address_at(0u32, Scope::External);
 
-    let vk = VerifyingKey::build();
-    let pk = ProvingKey::build();
+    // FIXME: consider adding test for OrchardVanilla as well
+    let vk = VerifyingKey::build::<OrchardZSA>();
+    let pk = ProvingKey::build::<OrchardZSA>();
 
     let create_bundle = |num_recipients| {
         let mut builder = Builder::new(
@@ -42,7 +44,7 @@ fn criterion_benchmark(c: &mut Criterion) {
                 )
                 .unwrap();
         }
-        let bundle: Bundle<_, i64> = builder.build(rng).unwrap();
+        let bundle: Bundle<_, i64, OrchardZSA> = builder.build(rng).unwrap();
 
         let instances: Vec<_> = bundle
             .actions()

benches/note_decryption.rs

@@ -5,7 +5,8 @@ use orchard::{
     circuit::ProvingKey,
     keys::{FullViewingKey, PreparedIncomingViewingKey, Scope, SpendingKey},
     note::AssetBase,
-    note_encryption_v3::{CompactAction, OrchardDomainV3},
+    note_encryption::{action::CompactAction, OrchardDomainBase},
+    orchard_flavor::OrchardZSA,
     value::NoteValue,
     Anchor, Bundle,
 };
@@ -15,9 +16,12 @@ use zcash_note_encryption_zsa::{batch, try_compact_note_decryption, try_note_dec
 #[cfg(unix)]
 use pprof::criterion::{Output, PProfProfiler};
 
+type OrchardDomainZSA = OrchardDomainBase<OrchardZSA>;
+
 fn bench_note_decryption(c: &mut Criterion) {
     let rng = OsRng;
-    let pk = ProvingKey::build();
+    // FIXME: consider adding test for OrchardVanilla as well
+    let pk = ProvingKey::build::<OrchardZSA>();
 
     let fvk = FullViewingKey::from(&SpendingKey::from_bytes([7; 32]).unwrap());
     let valid_ivk = fvk.to_ivk(Scope::External);
@@ -70,7 +74,7 @@ fn bench_note_decryption(c: &mut Criterion) {
                 None,
             )
             .unwrap();
-        let bundle: Bundle<_, i64> = builder.build(rng).unwrap();
+        let bundle: Bundle<_, i64, OrchardZSA> = builder.build(rng).unwrap();
         bundle
             .create_proof(&pk, rng)
             .unwrap()
@@ -79,7 +83,7 @@ fn bench_note_decryption(c: &mut Criterion) {
     };
     let action = bundle.actions().first();
 
-    let domain = OrchardDomainV3::for_action(action);
+    let domain = OrchardDomainZSA::for_action(action);
 
     let compact = {
         let mut group = c.benchmark_group("note-decryption");
@@ -120,12 +124,12 @@ fn bench_note_decryption(c: &mut Criterion) {
         let ivks = 2;
         let valid_ivks = vec![valid_ivk; ivks];
         let actions: Vec<_> = (0..100)
-            .map(|_| (OrchardDomainV3::for_action(action), action.clone()))
+            .map(|_| (OrchardDomainZSA::for_action(action), action.clone()))
             .collect();
         let compact: Vec<_> = (0..100)
             .map(|_| {
                 (
-                    OrchardDomainV3::for_action(action),
+                    OrchardDomainZSA::for_action(action),
                     CompactAction::from(action),
                 )
             })

src/action.rs

@@ -2,6 +2,7 @@ use memuse::DynamicUsage;
 
 use crate::{
     note::{ExtractedNoteCommitment, Nullifier, TransmittedNoteCiphertext},
+    note_encryption::OrchardDomain,
     primitives::redpallas::{self, SpendAuth},
     value::ValueCommitment,
 };
@@ -15,30 +16,30 @@ use crate::{
 /// Internally, this may both consume a note and create a note, or it may do only one of
 /// the two. TODO: Determine which is more efficient (circuit size vs bundle size).
 #[derive(Debug, Clone)]
-pub struct Action<A> {
+pub struct Action<A, D: OrchardDomain> {
     /// The nullifier of the note being spent.
     nf: Nullifier,
     /// The randomized verification key for the note being spent.
     rk: redpallas::VerificationKey<SpendAuth>,
     /// A commitment to the new note being created.
     cmx: ExtractedNoteCommitment,
     /// The transmitted note ciphertext.
-    encrypted_note: TransmittedNoteCiphertext,
+    encrypted_note: TransmittedNoteCiphertext<D>,
     /// A commitment to the net value created or consumed by this action.
     cv_net: ValueCommitment,
     /// The authorization for this action.
     authorization: A,
 }
 
-impl<T> Action<T> {
+impl<A, D: OrchardDomain> Action<A, D> {
     /// Constructs an `Action` from its constituent parts.
     pub fn from_parts(
         nf: Nullifier,
         rk: redpallas::VerificationKey<SpendAuth>,
         cmx: ExtractedNoteCommitment,
-        encrypted_note: TransmittedNoteCiphertext,
+        encrypted_note: TransmittedNoteCiphertext<D>,
         cv_net: ValueCommitment,
-        authorization: T,
+        authorization: A,
     ) -> Self {
         Action {
             nf,
@@ -66,7 +67,7 @@ impl<T> Action<T> {
     }
 
     /// Returns the encrypted note ciphertext.
-    pub fn encrypted_note(&self) -> &TransmittedNoteCiphertext {
+    pub fn encrypted_note(&self) -> &TransmittedNoteCiphertext<D> {
         &self.encrypted_note
     }
 
@@ -76,12 +77,12 @@ impl<T> Action<T> {
     }
 
     /// Returns the authorization for this action.
-    pub fn authorization(&self) -> &T {
+    pub fn authorization(&self) -> &A {
         &self.authorization
     }
 
     /// Transitions this action from one authorization state to another.
-    pub fn map<U>(self, step: impl FnOnce(T) -> U) -> Action<U> {
+    pub fn map<U>(self, step: impl FnOnce(A) -> U) -> Action<U, D> {
         Action {
             nf: self.nf,
             rk: self.rk,
@@ -93,7 +94,7 @@ impl<T> Action<T> {
     }
 
     /// Transitions this action from one authorization state to another.
-    pub fn try_map<U, E>(self, step: impl FnOnce(T) -> Result<U, E>) -> Result<Action<U>, E> {
+    pub fn try_map<U, E>(self, step: impl FnOnce(A) -> Result<U, E>) -> Result<Action<U, D>, E> {
         Ok(Action {
             nf: self.nf,
             rk: self.rk,
@@ -105,7 +106,7 @@ impl<T> Action<T> {
     }
 }
 
-impl DynamicUsage for Action<redpallas::Signature<SpendAuth>> {
+impl<D: OrchardDomain> DynamicUsage for Action<redpallas::Signature<SpendAuth>, D> {
     #[inline(always)]
     fn dynamic_usage(&self) -> usize {
         0
@@ -132,6 +133,7 @@ pub(crate) mod testing {
             commitment::ExtractedNoteCommitment, nullifier::testing::arb_nullifier,
             testing::arb_note, TransmittedNoteCiphertext,
         },
+        note_encryption::OrchardDomain,
         primitives::redpallas::{
             self,
             testing::{arb_spendauth_signing_key, arb_spendauth_verification_key},
@@ -141,70 +143,82 @@ pub(crate) mod testing {
 
     use super::Action;
 
-    prop_compose! {
-        /// Generate an action without authorization data.
-        pub fn arb_unauthorized_action(spend_value: NoteValue, output_value: NoteValue)(
-            nf in arb_nullifier(),
-            rk in arb_spendauth_verification_key(),
-            note in arb_note(output_value),
-            asset in arb_asset_base()
-        ) -> Action<()> {
-            let cmx = ExtractedNoteCommitment::from(note.commitment());
-            let cv_net = ValueCommitment::derive(
-                spend_value - output_value,
-                ValueCommitTrapdoor::zero(),
-                asset
-            );
-            // FIXME: make a real one from the note.
-            let encrypted_note = TransmittedNoteCiphertext {
-                epk_bytes: [0u8; 32],
-                enc_ciphertext: [0u8; 612],
-                out_ciphertext: [0u8; 80]
-            };
-            Action {
-                nf,
-                rk,
-                cmx,
-                encrypted_note,
-                cv_net,
-                authorization: ()
+    /// `ActionArb` serves as a utility structure in property-based testing, designed specifically to adapt
+    /// `arb_...` functions for compatibility with both variations of the Orchard protocol: Vanilla and ZSA.
+    /// This adaptation is necessary due to the proptest crate's limitation, which prevents the direct
+    /// transformation of `arb_...` functions into generic forms suitable for testing different protocol
+    /// flavors.
+    #[derive(Debug)]
+    pub struct ActionArb<D: OrchardDomain> {
+        phantom: std::marker::PhantomData<D>,
+    }
+
+    impl<D: OrchardDomain> ActionArb<D> {
+        prop_compose! {
+            /// Generate an action without authorization data.
+            pub fn arb_unauthorized_action(spend_value: NoteValue, output_value: NoteValue)(
+                nf in arb_nullifier(),
+                rk in arb_spendauth_verification_key(),
+                note in arb_note(output_value),
+                asset in arb_asset_base()
+            ) -> Action<(), D> {
+                let cmx = ExtractedNoteCommitment::from(note.commitment());
+                let cv_net = ValueCommitment::derive(
+                    spend_value - output_value,
+                    ValueCommitTrapdoor::zero(),
+                    asset
+                );
+                // FIXME: make a real one from the note.
+                let encrypted_note = TransmittedNoteCiphertext::<D> {
+                    epk_bytes: [0u8; 32],
+                    enc_ciphertext: D::NoteCiphertextBytes::from(&vec![0u8; D::ENC_CIPHERTEXT_SIZE]),
+                    out_ciphertext: [0u8; 80]
+                };
+                Action {
+                    nf,
+                    rk,
+                    cmx,
+                    encrypted_note,
+                    cv_net,
+                    authorization: ()
+                }
             }
         }
-    }
 
-    prop_compose! {
-        /// Generate an action with invalid (random) authorization data.
-        pub fn arb_action(spend_value: NoteValue, output_value: NoteValue)(
-            nf in arb_nullifier(),
-            sk in arb_spendauth_signing_key(),
-            note in arb_note(output_value),
-            rng_seed in prop::array::uniform32(prop::num::u8::ANY),
-            fake_sighash in prop::array::uniform32(prop::num::u8::ANY),
-            asset in arb_asset_base()
-        ) -> Action<redpallas::Signature<SpendAuth>> {
-            let cmx = ExtractedNoteCommitment::from(note.commitment());
-            let cv_net = ValueCommitment::derive(
-                spend_value - output_value,
-                ValueCommitTrapdoor::zero(),
-                asset
-            );
-
-            // FIXME: make a real one from the note.
-            let encrypted_note = TransmittedNoteCiphertext {
-                epk_bytes: [0u8; 32],
-                enc_ciphertext: [0u8; 612],
-                out_ciphertext: [0u8; 80]
-            };
-
-            let rng = StdRng::from_seed(rng_seed);
-
-            Action {
-                nf,
-                rk: redpallas::VerificationKey::from(&sk),
-                cmx,
-                encrypted_note,
-                cv_net,
-                authorization: sk.sign(rng, &fake_sighash),
+        prop_compose! {
+            /// Generate an action with invalid (random) authorization data.
+            pub fn arb_action(spend_value: NoteValue, output_value: NoteValue)(
+                nf in arb_nullifier(),
+                sk in arb_spendauth_signing_key(),
+                note in arb_note(output_value),
+                rng_seed in prop::array::uniform32(prop::num::u8::ANY),
+                fake_sighash in prop::array::uniform32(prop::num::u8::ANY),
+                asset in arb_asset_base()
+            ) -> Action<redpallas::Signature<SpendAuth>, D> {
+                let cmx = ExtractedNoteCommitment::from(note.commitment());
+                let cv_net = ValueCommitment::derive(
+                    spend_value - output_value,
+                    ValueCommitTrapdoor::zero(),
+                    asset
+                );
+
+                // FIXME: make a real one from the note.
+                let encrypted_note = TransmittedNoteCiphertext::<D> {
+                    epk_bytes: [0u8; 32],
+                    enc_ciphertext: D::NoteCiphertextBytes::from(&vec![0u8; D::ENC_CIPHERTEXT_SIZE]),
+                    out_ciphertext: [0u8; 80]
+                };
+
+                let rng = StdRng::from_seed(rng_seed);
+
+                Action {
+                    nf,
+                    rk: redpallas::VerificationKey::from(&sk),
+                    cmx,
+                    encrypted_note,
+                    cv_net,
+                    authorization: sk.sign(rng, &fake_sighash),
+                }
             }
         }
     }