Skip to content

Zsa1 diff, for reference only#7

Draft
PaulLaux wants to merge 202 commits intomainfrom
zsa1
Draft

Zsa1 diff, for reference only#7
PaulLaux wants to merge 202 commits intomainfrom
zsa1

Conversation

@PaulLaux
Copy link
Collaborator

@PaulLaux PaulLaux commented Jun 14, 2022

This PR implements draft ZIP 226 and draft ZIP 227

What's included:

  • Issuance: Issuance PR:
  • Burning mechanism: the ability to publicly burn ZSA notes. This is done by adding a burn field inside the Orchard bundle and the ability utilize it. In addition the changes to bvk and bsk to support this change. See ZSA burn functionality #35 for full list of changes.
/// A bundle of actions to be applied to the ledger.
#[derive(Clone)]
pub struct Bundle<T: Authorization, V> {
    /// The list of actions that make up this bundle.
    actions: NonEmpty<Action<T::SpendAuth>>,
    /// Orchard-specific transaction-level flags for this bundle.
    flags: Flags,
    /// The net value moved out of the Orchard shielded pool.
    /// This is the sum of Orchard spends minus the sum of Orchard outputs.
    value_balance: V,
    /// Assets intended for burning
    burn: Vec<(AssetId, V)>,
    /// The root of the Orchard commitment tree that this bundle commits to.
    anchor: Anchor,
    /// The authorization for this bundle.
    authorization: T,
}
  • Note Encryption: We extended the Domain trait in the zcash_note_encryption crate to support various lengths for COMPACT_NOTE_SIZE by converting the relevant constants into trait specific types. Later, implemented OrchardDomainV3 to support the new note structure. See the supporting PR for more details: zcash_note_encryption generalization zcash/librustzcash#746 and V3 encryption #38
  • Updated the Python implementation to support the changes. See: Testing encryption v3 zcash-test-vectors#6 and the zsa1 branch for full details.
  • Test vectors for AssetID derivation AssetID test vectors #34
  • Split note mechanism.
  • Circuit changes to support AssetID, split notes, and all other new functionality.
  • Backward compatibility with Orchard bundles.

The proposed changes should be considered as a Draft and should not be considered as final.

@PaulLaux PaulLaux changed the base branch from main to constants July 18, 2022 10:22
@PaulLaux PaulLaux changed the base branch from constants to main July 18, 2022 10:22
PaulLaux and others added 11 commits December 6, 2022 15:02
* Added .circleci/config.yml
Implements the issuer keys as

    IssuerAuthorizingKey -> isk
    IssuerVerifyingKey -> ik

Test vectors generated with zcash_test_vectors repo
* Added NoteType to Notes
* Added NoteType to value commitment derivation
* Circleci project setup (#1)

* Added .circleci/config.yml

* Added NoteType to Notes

* reformated file

* updated `derive` for NoteType

* added note_type to value commit derivation

* rustfmt

* updated ci config

* updated ci config

* updated ci config

* updated derive for note_type

* added test for arb note_type

* added test for `native` note type

* zsa-note-encryption: introduce AssetType and encode and decode it in note plaintexts

* zsa-note-encryption: extend the size of compact notes to include asset_type

* fixed clippy warrnings

* rustfmt

* zsa-note-encryption: document parsing requirement

* zsa-note-encryption: revert support of ZSA compact action

* zsa_value: add NoteType method is_native

* zsa-note-encryption: remove dependency on changes in the other crate

* zsa-note-encryption: extract memo of ZSA notes

* zsa-note-encryption: tests (zcash_test_vectors 77c73492)

* zsa-note-encryption: simplify roundtrip test

* zsa-note-encryption: more test vectors (zcash_test_vectors c10da464)

* Circleci project setup (#1)

* Added .circleci/config.yml

* issuer keys implementation (#5)

Implements the issuer keys as

    IssuerAuthorizingKey -> isk
    IssuerVerifyingKey -> ik

Test vectors generated with zcash_test_vectors repo

* Added NoteType to Notes (#2)

* Added NoteType to Notes
* Added NoteType to value commitment derivation

* zsa-note-encryption: use both native and ZSA in proptests

* zsa-note-encryption: test vector commit 51398c93

* zsa-note-encryption: fix after merge

Co-authored-by: Paul <3682187+PaulLaux@users.noreply.github.com>
Co-authored-by: Paul <lauxpaul@protonmail.com>
Co-authored-by: Aurélien Nicolas <info@nau.re>
Co-authored-by: Daniel Benarroch <danielbenarroch92@gmail.com>
+ Updated test bsk_consistent_with_bvk to verify mixed note types.
+ Added NoteType support to the builder and the bundle.
+ added split_flag to SpentInfo and as input to the Circuit (currently commented out)
+ added conditional cv_sum calculation (currently commented out)
+ added padding to actions
- added IssueBundle and IssueAction
- added a builder for IssueBundle
- added verify_issue_bundle() for consensus verification.
- unit tests.
added tests in `tests/zsa.rs`
* disabled split notes and proof check for zsa transfer
* fixes and suggestions

* changed "issuer" to "issuance" as per zcash#356 (comment)

* terminology fixes

* updated naming
* rename 2 note_type -> asset as per  zcash#356 (comment)

* added a dedicated type for "IssuanceAuth"

* disabled codecov github action due to bad behavior. 

* extracted "is_asset_desc_of_valid_size()" into asset_id.rs
* improved `verify_issue_bundle()`
@PaulLaux PaulLaux force-pushed the zsa1 branch 2 times, most recently from 5ec6aee to 9405f80 Compare December 6, 2022 19:04
alexeykoren and others added 14 commits December 7, 2022 16:19
Added a method to add assets to burn to the Builder

bvk computation now includes the burnt assets

Added Tests for bsk/bvk consistency for burning

Added E2E tests for assets burning
Added CI badge to README
Added `OrchardDomainV3` on top of the encryption generalization (QED-it/librustzcash#18).

not for review: note_encryption.rs, note_encryptionv2v3.rs and src/test_vectors/note_encryption.rs. These files represent two possible approaches for backward compatibility and will be finalized down the road. (the files were excluded from the build).
When split_flag is set, the following values are modified
* v_net is equal to -v_new instead of v_old - v_new
* cv_net is evaluated with this new value of v_net

The following constraints are modified
* (v_old - v_new = magnitude * sign) becomes (v_old * (1-split_flag) - v_new = magnitude * sign) to take into
   account the new value of v_net
* nf_old = nf_old_pub is only checked when split_flag=0
 * the new constraint asset_old = asset_new is always checked regardless of the value of split_flag
- Renamed AssetId to AssetBase
- Changed the  AssetBase implementation to support the zip update.
- Updated visibility for various members of issuance.rs
…#49)

This PR updates the test-vectors from the updates to the zcash-test-vectors repository (see here).

The keys test is also updated to now use the asset base from the test vectors instead of just using the native asset.
In the circuit, we update value_commit_orchard to take into account asset.
Previously, value_commit_orchard returns cv_net = [v_net] ValueCommitV + [rcv] ValueCommitR..
Now, value_commit_orchard returns cv_net = [v_net] asset + [rcv] ValueCommitR.
ValueCommitV and ValueCommitR are constants
v_net is equal to sign * magnitude where sign is in {-1, 1} and magnitude is an unsigned integer on 64 bits.

To evaluate [v_net] asset where v_net = sign * magnitude, we perform the following steps
1. verify that magnitude is on 64 bits
2. evaluate commitment=[magnitude]asset with the variable-base long-scalar multiplication
3. evaluate result=[sign]commitment with the new mul_sign gate
We would like to have a constant-time evaluation of the note commitment for both ZEC and ZSA.
ZEC_note_commitment=Extract_P(SinsemillaHashToPoint(zec_personalization, common_bits) + [rcm]R)
ZSA_note_commitment=Extract_P(SinsemillaHashToPoint(zsa_personalization, common_bits || asset) + [rcm]R)

R is the same constant for ZEC and ZSA note commitments.
1. Added a new error, `ValueSumOverflow`, that occurs if the sum value overflows when adding new supply amounts.
2. Created a new `supply_info` module containing `SupplyInfo` and `AssetSupply` structures, with `add_supply` function and unit tests for it.
3. Renamed the `are_note_asset_ids_derived_correctly` function to `verify_supply`, changed its behavior to verify and compute asset supply, added unit tests for it.
4. Updated the `verify_issue_bundle` function to use the changes mentioned above, updated its description, and added new unit tests.
5. Renamed errors with `...NoteType` suffix in the name to `...AssetBase`.
6.  Added `update_finalization_set` method to `SupplyInfo` and use after the calls of `verify_issue_bundle function` (if needed), instead of mutating the finalization set inside `verify_issue_bundle`.
ConstanceBeguier and others added 30 commits January 15, 2026 16:51
Address the following review comments:
r2602342339
r2602343402
r2602349839
r2602350657
r2602362960
r2602363436
Address the following review comments:
r2542313926
r2550287842
r2602977967
r2543702226
r2542907997
r2585555720 
r2602558531
…text (#229)

Address the following review comments:
r2542655700
r2542668676

This PR introduces a dedicated ZIP-227 issuance key derivation using
hardened-only ZIP-32, separate from Orchard spending keys.
Address the following review comments:
r2602563105
…Issue)SighashKind (#231)

Address the following review comments:
r2550076032
r2550178094
r2585689194
r2602328317
The current CI fails due to a new blake2b_simd release using edition =
2024, which breaks the MSRV toolchain
…ntu steps (#205)

1. Disable LTO for cargo test --release in CI to avoid very slow / stuck
macOS builds (rustc/LLVM during release test compilation).

2. Run apt-get update before installing libfontconfig1-dev on Ubuntu to
prevent intermittent 404s from stale package indexes.
- Pin blake2b_simd to version 1.0.1
- Disable LTO for cargo test --release in CI
- Run apt-get update before installing libfontconfig1-dev on Ubuntu to
prevent intermittent 404s from stale package indexes
Address the following review comments:
r2550615705
Address the following review comments:
r2599737628

Ensures the note plaintext lead byte matches 0x02 for Orchard V5
transactions (OrchardVanilla) and 0x03 for Orchard V6 transactions
(OrchardZSA).
Replace `impl Add for NoteValue` with a dedicated helper function

Update `ValueSum::from_raw`
- Introduce a `pub(crate) ValueSum::from_raw_inner` helper
- Gate `ValueSum::from_raw` behind the `temporary-zebra` feature flag

Update the `sighash_info_for_kind` closure used when evaluating digests
- Change the return type from `&'static [u8]` to `Vec<u8>`
- Expose ReferenceKeys as orchard::issuance::ReferenceKeys for
  consensus verification of reference notes
- Update tests to use ReferenceKeys::recipient() instead of manually
  recreating the reference recipient from well-known seed
Added MAX_BURN_VALUE to be u63 in order to fit both u64 and i64 as
requested in
zcash#471 (comment)
Removed #[allow(clippy::suspicious_arithmetic_impl)] that does not seems
to be needed.
…AULT)` test

to make sure we can create an OrchardZSA bundle with DEFAULT flags
During `Bundle` creation in `build_bundle`, update the order of dummy
spend/output creation and shuffling to ensure backward compatibility
with zcash/orchard.

---------

Co-authored-by: Paul <3682187+PaulLaux@users.noreply.github.com>
This ability is not needed. The only time we need to pad with a non-zatoshi asset,
it is done using `OutputInfo::dummy()`
This PR mirrors zcash#471 on our fork for internal review and
changes.

We’ll address upstream review comments here, then propagate the final
commits and responses back to zcash#471.
…ors` (#238)

QED-it/zcash-test-vectors#47 expands the sample set of Unicode code
points, which leads to a different random selection of asset description
strings, and therefore different asset base values in
`src/test_vectors/asset_base.rs`. This PR copies those changes in, along with 
some CI locking for tests to pass.

---------

Co-authored-by: Dmitry Demin <dmitry@qed-it.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants