sapling-crypto 0.7.0

Cryptographic library for Zcash Sapling
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

use core::fmt;

use rand::{CryptoRng, RngCore};

use crate::{
    prover::{OutputProver, SpendProver},
    Note, Rseed,
};

impl super::Bundle {
    /// Adds a proof to this PCZT bundle.
    pub fn create_proofs<S, O, R: RngCore + CryptoRng>(
        &mut self,
        spend_prover: &S,
        output_prover: &O,
        mut rng: R,
    ) -> Result<(), ProverError>
    where
        S: SpendProver,
        O: OutputProver,
    {
        for spend in &mut self.spends {
            let proof_generation_key = spend
                .proof_generation_key
                .clone()
                .ok_or(ProverError::MissingProofGenerationKey)?;

            let note = Note::from_parts(
                spend.recipient.ok_or(ProverError::MissingRecipient)?,
                spend.value.ok_or(ProverError::MissingValue)?,
                spend.rseed.ok_or(ProverError::MissingRandomSeed)?,
            );

            let alpha = spend.alpha.ok_or(ProverError::MissingSpendAuthRandomizer)?;

            let rcv = spend
                .rcv
                .clone()
                .ok_or(ProverError::MissingValueCommitTrapdoor)?;

            let merkle_path = spend.witness.clone().ok_or(ProverError::MissingWitness)?;

            let circuit = S::prepare_circuit(
                proof_generation_key,
                *note.recipient().diversifier(),
                *note.rseed(),
                note.value(),
                alpha,
                rcv,
                self.anchor.inner(),
                merkle_path,
            )
            .ok_or(ProverError::InvalidDiversifier)?;

            let proof = spend_prover.create_proof(circuit, &mut rng);
            spend.zkproof = Some(S::encode_proof(proof));
        }

        for output in &mut self.outputs {
            let recipient = output.recipient.ok_or(ProverError::MissingRecipient)?;
            let value = output.value.ok_or(ProverError::MissingValue)?;

            let note = Note::from_parts(
                recipient,
                value,
                output
                    .rseed
                    .map(Rseed::AfterZip212)
                    .ok_or(ProverError::MissingRandomSeed)?,
            );

            let esk = note.generate_or_derive_esk(&mut rng);
            let rcm = note.rcm();

            let rcv = output
                .rcv
                .clone()
                .ok_or(ProverError::MissingValueCommitTrapdoor)?;

            let circuit = O::prepare_circuit(&esk, recipient, rcm, value, rcv);
            let proof = output_prover.create_proof(circuit, &mut rng);
            output.zkproof = Some(O::encode_proof(proof));
        }

        Ok(())
    }
}

/// Errors that can occur while creating Sapling proofs for a PCZT.
#[derive(Debug)]
#[non_exhaustive]
pub enum ProverError {
    /// The `recipient` field has an invalid diversifier.
    ///
    /// This should instead present as a [`ParseError::InvalidRecipient`] earlier on when
    /// processing a PCZT.
    ///
    /// [`ParseError::InvalidRecipient`]: super::ParseError::InvalidRecipient
    InvalidDiversifier,
    /// The Prover role requires all `proof_generation_key` fields to be set.
    MissingProofGenerationKey,
    /// The Prover role requires all `rseed` fields to be set.
    MissingRandomSeed,
    /// The Prover role requires all `recipient` fields to be set.
    MissingRecipient,
    /// The Prover role requires all `alpha` fields to be set.
    MissingSpendAuthRandomizer,
    /// The Prover role requires all `value` fields to be set.
    MissingValue,
    /// The Prover role requires all `rcv` fields to be set.
    MissingValueCommitTrapdoor,
    /// The Prover role requires all `witness` fields to be set.
    MissingWitness,
}

impl fmt::Display for ProverError {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        match self {
            ProverError::InvalidDiversifier => {
                write!(f, "`recipient` has invalid diversifier")
            }
            ProverError::MissingProofGenerationKey => {
                write!(f, "`proof_generation_key` must be set for the Prover role")
            }
            ProverError::MissingRandomSeed => {
                write!(f, "`rseed` fields must be set for the Prover role")
            }
            ProverError::MissingRecipient => {
                write!(f, "`recipient` fields must be set for the Prover role")
            }
            ProverError::MissingSpendAuthRandomizer => {
                write!(f, "`alpha` must be set for the Prover role")
            }
            ProverError::MissingValue => {
                write!(f, "`value` fields must be set for the Prover role")
            }
            ProverError::MissingValueCommitTrapdoor => {
                write!(f, "`rcv` must be set for the Prover role")
            }
            ProverError::MissingWitness => write!(f, "`witness` must be set for the Prover role"),
        }
    }
}

#[cfg(feature = "std")]
impl std::error::Error for ProverError {}