sapling-crypto 0.5.0

Cryptographic library for Zcash Sapling
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165

use rand::{CryptoRng, RngCore};

use crate::{
    bundle::{
        Authorization, Authorized, EffectsOnly, GrothProofBytes, OutputDescription,
        SpendDescription,
    },
    Bundle,
};

use super::{Output, Spend};

impl super::Bundle {
    /// Extracts the effects of this PCZT bundle as a [regular `Bundle`].
    ///
    /// This is used by the Signer role to produce the transaction sighash.
    ///
    /// [regular `Bundle`]: crate::Bundle
    pub fn extract_effects<V: TryFrom<i64>>(
        &self,
    ) -> Result<Option<crate::Bundle<EffectsOnly, V>>, TxExtractorError> {
        self.to_tx_data(|_| Ok(()), |_| Ok(()), |_| Ok(()), |_| Ok(EffectsOnly))
    }

    /// Extracts a fully authorized [regular `Bundle`] from this PCZT bundle.
    ///
    /// This is used by the Transaction Extractor role to produce the final transaction.
    ///
    /// [regular `Bundle`]: crate::Bundle
    pub fn extract<V: TryFrom<i64>>(
        self,
    ) -> Result<Option<crate::Bundle<Unbound, V>>, TxExtractorError> {
        self.to_tx_data(
            |spend| spend.zkproof.ok_or(TxExtractorError::MissingProof),
            |spend| {
                spend
                    .spend_auth_sig
                    .ok_or(TxExtractorError::MissingSpendAuthSig)
            },
            |output| output.zkproof.ok_or(TxExtractorError::MissingProof),
            |bundle| {
                Ok(Unbound {
                    bsk: bundle
                        .bsk
                        .ok_or(TxExtractorError::MissingBindingSignatureSigningKey)?,
                })
            },
        )
    }

    fn to_tx_data<A, V, E, F, G, H, I>(
        &self,
        spend_proof: F,
        spend_auth: G,
        output_proof: H,
        bundle_auth: I,
    ) -> Result<Option<crate::Bundle<A, V>>, E>
    where
        A: Authorization,
        E: From<TxExtractorError>,
        F: Fn(&Spend) -> Result<<A as Authorization>::SpendProof, E>,
        G: Fn(&Spend) -> Result<<A as Authorization>::AuthSig, E>,
        H: Fn(&Output) -> Result<<A as Authorization>::OutputProof, E>,
        I: FnOnce(&Self) -> Result<A, E>,
        V: TryFrom<i64>,
    {
        let spends = self
            .spends
            .iter()
            .map(|spend| {
                Ok(SpendDescription::from_parts(
                    spend.cv.clone(),
                    self.anchor.inner(),
                    spend.nullifier,
                    spend.rk,
                    spend_proof(spend)?,
                    spend_auth(spend)?,
                ))
            })
            .collect::<Result<_, E>>()?;

        let outputs = self
            .outputs
            .iter()
            .map(|output| {
                Ok(OutputDescription::from_parts(
                    output.cv.clone(),
                    output.cmu,
                    output.ephemeral_key.clone(),
                    output.enc_ciphertext,
                    output.out_ciphertext,
                    output_proof(output)?,
                ))
            })
            .collect::<Result<_, E>>()?;

        let value_balance = i64::try_from(self.value_sum)
            .ok()
            .and_then(|v| v.try_into().ok())
            .ok_or(TxExtractorError::ValueSumOutOfRange)?;

        let authorization = bundle_auth(self)?;

        Ok(Bundle::from_parts(
            spends,
            outputs,
            value_balance,
            authorization,
        ))
    }
}

/// Errors that can occur while extracting a regular Sapling bundle from a PCZT bundle.
#[derive(Debug)]
pub enum TxExtractorError {
    /// The Transaction Extractor role requires `bsk` to be set.
    MissingBindingSignatureSigningKey,
    /// The Transaction Extractor role requires all `zkproof` fields to be set.
    MissingProof,
    /// The Transaction Extractor role requires all `spend_auth_sig` fields to be set.
    MissingSpendAuthSig,
    /// The value sum does not fit into a `valueBalance`.
    ValueSumOutOfRange,
}

/// Authorizing data for a bundle of actions that is just missing a binding signature.
#[derive(Debug)]
pub struct Unbound {
    bsk: redjubjub::SigningKey<redjubjub::Binding>,
}

impl Authorization for Unbound {
    type SpendProof = GrothProofBytes;
    type OutputProof = GrothProofBytes;
    type AuthSig = redjubjub::Signature<redjubjub::SpendAuth>;
}

impl<V> crate::Bundle<Unbound, V> {
    /// Verifies the given sighash with every `spend_auth_sig`, and then binds the bundle.
    ///
    /// Returns `None` if the given sighash does not validate against every `spend_auth_sig`.
    pub fn apply_binding_signature<R: RngCore + CryptoRng>(
        self,
        sighash: [u8; 32],
        rng: R,
    ) -> Option<crate::Bundle<Authorized, V>> {
        if self
            .shielded_spends()
            .iter()
            .all(|spend| spend.rk().verify(&sighash, spend.spend_auth_sig()).is_ok())
        {
            Some(self.map_authorization(
                &mut (),
                |_, p| p,
                |_, p| p,
                |_, s| s,
                |_, Unbound { bsk }| Authorized {
                    binding_sig: bsk.sign(rng, &sighash),
                },
            ))
        } else {
            None
        }
    }
}