zync-core 0.6.0

Trust-minimized Zcash light client primitives: verification, scanning, proving
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388

//! WASM-compatible parallel note scanner for Orchard
//!
//! This module provides trial decryption of Orchard notes using PreparedIncomingViewingKey
//! from orchard 0.7. It's designed to work in both native and WASM environments:
//!
//! - Native: Uses rayon for parallel scanning across CPU cores
//! - WASM: Uses wasm-bindgen-rayon for multi-threaded scanning via Web Workers
//!   (requires SharedArrayBuffer + CORS headers)
//!
//! Performance characteristics:
//! - Trial decryption: ~3μs per action (invalid), ~50μs per action (valid)
//! - Full chain scan (1.46M blocks): ~5-15 min single-threaded
//! - With parallelism: scales linearly with cores (8 cores = 8x speedup)
//!
//! Build for WASM with parallelism:
//! ```bash
//! RUSTFLAGS='-C target-feature=+atomics,+bulk-memory,+mutable-globals' \
//!   cargo build --target wasm32-unknown-unknown --features wasm-parallel --no-default-features
//! ```
//!
//! Usage:
//! ```ignore
//! let ivk = fvk.to_ivk(Scope::External);
//! let scanner = Scanner::new(&ivk);
//! let results = scanner.scan_actions(&compact_actions);
//! ```

use orchard::{
    keys::{FullViewingKey, IncomingViewingKey, PreparedIncomingViewingKey, Scope},
    note::{ExtractedNoteCommitment, Note, Nullifier},
    note_encryption::{CompactAction, OrchardDomain},
    Address,
};
use subtle::CtOption;
use zcash_note_encryption::{try_compact_note_decryption, EphemeralKeyBytes};

#[cfg(feature = "wasm")]
use wasm_bindgen::prelude::*;

/// compact action for scanning (matches proto/zidecar wire format)
#[derive(Debug, Clone)]
pub struct ScanAction {
    /// nullifier from action (32 bytes)
    pub nullifier: [u8; 32],
    /// note commitment (cmx, 32 bytes)
    pub cmx: [u8; 32],
    /// ephemeral public key (32 bytes)
    pub ephemeral_key: [u8; 32],
    /// encrypted note ciphertext (compact: 52 bytes)
    pub enc_ciphertext: Vec<u8>,
    /// block height where action appeared
    pub block_height: u32,
    /// position within block (for merkle path construction)
    pub position_in_block: u32,
}

/// successfully decrypted note
#[derive(Debug, Clone)]
pub struct DecryptedNote {
    /// the decrypted note
    pub note: Note,
    /// recipient address
    pub recipient: Address,
    /// note value in zatoshis
    pub value: u64,
    /// nullifier for spending
    pub nullifier: [u8; 32],
    /// note commitment
    pub cmx: [u8; 32],
    /// block height
    pub block_height: u32,
    /// position in block
    pub position_in_block: u32,
}

/// scanner for trial decryption of Orchard notes
///
/// Thread-safe: can be cloned and used from multiple threads.
/// For WASM, process in chunks via async.
pub struct Scanner {
    /// prepared ivk for fast decryption (expensive to create, cheap to use)
    prepared_ivk: PreparedIncomingViewingKey,
}

impl Scanner {
    /// create scanner from incoming viewing key
    pub fn new(ivk: &IncomingViewingKey) -> Self {
        Self {
            prepared_ivk: PreparedIncomingViewingKey::new(ivk),
        }
    }

    /// create scanner from full viewing key (external scope)
    pub fn from_fvk(fvk: &FullViewingKey) -> Self {
        Self::new(&fvk.to_ivk(Scope::External))
    }

    /// create scanner from full viewing key with specific scope
    pub fn from_fvk_scoped(fvk: &FullViewingKey, scope: Scope) -> Self {
        Self::new(&fvk.to_ivk(scope))
    }

    /// scan a single action, returning decrypted note if owned
    pub fn try_decrypt(&self, action: &ScanAction) -> Option<DecryptedNote> {
        // construct domain from nullifier
        let nullifier: CtOption<Nullifier> = Nullifier::from_bytes(&action.nullifier);
        let nullifier = Option::from(nullifier)?;
        let domain = OrchardDomain::for_nullifier(nullifier);

        // construct compact action for decryption
        let compact = compact_action_from_scan(action)?;

        // trial decrypt
        let (note, recipient) = try_compact_note_decryption(&domain, &self.prepared_ivk, &compact)?;

        // Verify note commitment: recompute cmx from decrypted note fields and check
        // it matches the cmx the server sent. Without this, a malicious server can
        // craft ciphertexts that decrypt to fake notes with arbitrary values.
        let recomputed = ExtractedNoteCommitment::from(note.commitment());
        if recomputed.to_bytes() != action.cmx {
            return None;
        }

        Some(DecryptedNote {
            value: note.value().inner(),
            note,
            recipient,
            nullifier: action.nullifier,
            cmx: action.cmx,
            block_height: action.block_height,
            position_in_block: action.position_in_block,
        })
    }

    /// scan multiple actions sequentially
    /// suitable for WASM (no threading) or when parallelism not needed
    pub fn scan_sequential(&self, actions: &[ScanAction]) -> Vec<DecryptedNote> {
        actions.iter().filter_map(|a| self.try_decrypt(a)).collect()
    }

    /// scan multiple actions in parallel using rayon
    /// only available on native (not WASM)
    #[cfg(feature = "parallel")]
    pub fn scan_parallel(&self, actions: &[ScanAction]) -> Vec<DecryptedNote> {
        use rayon::prelude::*;
        actions
            .par_iter()
            .filter_map(|a| self.try_decrypt(a))
            .collect()
    }

    /// scan actions with automatic parallelism selection
    /// uses parallel on native, sequential on WASM
    pub fn scan(&self, actions: &[ScanAction]) -> Vec<DecryptedNote> {
        #[cfg(feature = "parallel")]
        {
            self.scan_parallel(actions)
        }
        #[cfg(not(feature = "parallel"))]
        {
            self.scan_sequential(actions)
        }
    }

    /// scan in chunks for progress reporting
    /// callback receives (chunk_index, total_chunks, found_notes)
    pub fn scan_with_progress<F>(
        &self,
        actions: &[ScanAction],
        chunk_size: usize,
        mut on_progress: F,
    ) -> Vec<DecryptedNote>
    where
        F: FnMut(usize, usize, &[DecryptedNote]),
    {
        let total_chunks = actions.len().div_ceil(chunk_size);
        let mut all_notes = Vec::new();

        for (i, chunk) in actions.chunks(chunk_size).enumerate() {
            let notes = self.scan(chunk);
            on_progress(i, total_chunks, &notes);
            all_notes.extend(notes);
        }

        all_notes
    }
}

/// convert ScanAction to orchard CompactAction
fn compact_action_from_scan(action: &ScanAction) -> Option<CompactAction> {
    // parse nullifier using Option::from for CtOption
    let nullifier = Option::from(Nullifier::from_bytes(&action.nullifier))?;

    // parse cmx (extracted note commitment)
    let cmx = Option::from(ExtractedNoteCommitment::from_bytes(&action.cmx))?;

    // ephemeral key is just bytes - EphemeralKeyBytes wraps [u8; 32]
    let epk = EphemeralKeyBytes::from(action.ephemeral_key);

    // enc_ciphertext should be COMPACT_NOTE_SIZE (52) bytes for compact actions
    if action.enc_ciphertext.len() < 52 {
        return None;
    }

    Some(CompactAction::from_parts(
        nullifier,
        cmx,
        epk,
        action.enc_ciphertext[..52].try_into().ok()?,
    ))
}

/// batch scanner for processing multiple blocks efficiently
pub struct BatchScanner {
    scanner: Scanner,
    /// found notes across all scanned blocks
    pub notes: Vec<DecryptedNote>,
    /// nullifiers we've seen (for detecting spends)
    pub seen_nullifiers: std::collections::HashSet<[u8; 32]>,
    /// last scanned height
    pub last_height: u32,
}

impl BatchScanner {
    pub fn new(ivk: &IncomingViewingKey) -> Self {
        Self {
            scanner: Scanner::new(ivk),
            notes: Vec::new(),
            seen_nullifiers: std::collections::HashSet::new(),
            last_height: 0,
        }
    }

    pub fn from_fvk(fvk: &FullViewingKey) -> Self {
        Self::new(&fvk.to_ivk(Scope::External))
    }

    /// scan a batch of actions from a block
    pub fn scan_block(&mut self, height: u32, actions: &[ScanAction]) {
        // check for spent notes first
        for action in actions {
            self.seen_nullifiers.insert(action.nullifier);
        }

        // trial decrypt
        let found = self.scanner.scan(actions);
        self.notes.extend(found);
        self.last_height = height;
    }

    /// get unspent balance
    pub fn unspent_balance(&self) -> u64 {
        self.notes
            .iter()
            .filter(|n| !self.seen_nullifiers.contains(&n.nullifier))
            .map(|n| n.value)
            .sum()
    }

    /// get spent balance
    pub fn spent_balance(&self) -> u64 {
        self.notes
            .iter()
            .filter(|n| self.seen_nullifiers.contains(&n.nullifier))
            .map(|n| n.value)
            .sum()
    }

    /// get unspent notes
    pub fn unspent_notes(&self) -> Vec<&DecryptedNote> {
        self.notes
            .iter()
            .filter(|n| !self.seen_nullifiers.contains(&n.nullifier))
            .collect()
    }
}

/// detection hint for fast filtering (optional FMD-like optimization)
/// Server can compute these without knowing the viewing key
#[derive(Debug, Clone)]
pub struct DetectionHint {
    /// diversified tag (from address)
    pub tag: [u8; 4],
    /// false positive rate bucket
    pub bucket: u8,
}

impl DetectionHint {
    /// check if action might be for us based on hint
    /// false positives possible, false negatives never
    pub fn might_match(&self, action_tag: &[u8; 4]) -> bool {
        // simple prefix match for now
        // real FMD would use clamped multiplication
        self.tag[..2] == action_tag[..2]
    }
}

/// hint generator from viewing key
pub struct HintGenerator {
    /// diversifier key for generating hints
    _dk: [u8; 32],
}

impl HintGenerator {
    /// create from full viewing key
    pub fn from_fvk(_fvk: &FullViewingKey) -> Self {
        // TODO: extract diversifier key from fvk
        Self { _dk: [0u8; 32] }
    }

    /// generate detection hints for a diversifier index range
    pub fn hints_for_range(&self, _start: u32, _count: u32) -> Vec<DetectionHint> {
        // TODO: generate actual hints
        // For now return empty - full scan fallback
        Vec::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_scan_action_size() {
        // compact action should be: nullifier(32) + cmx(32) + epk(32) + enc(52) = 148 bytes
        let action = ScanAction {
            nullifier: [0u8; 32],
            cmx: [0u8; 32],
            ephemeral_key: [0u8; 32],
            enc_ciphertext: vec![0u8; 52],
            block_height: 0,
            position_in_block: 0,
        };

        let total_size = action.nullifier.len()
            + action.cmx.len()
            + action.ephemeral_key.len()
            + action.enc_ciphertext.len();
        assert_eq!(total_size, 148);
    }

    #[test]
    fn test_batch_scanner_balance() {
        // would need actual keys to test decryption
        // just verify balance tracking works
        let fvk = test_fvk();
        let scanner = BatchScanner::from_fvk(&fvk);
        assert_eq!(scanner.unspent_balance(), 0);
        assert_eq!(scanner.spent_balance(), 0);
    }

    fn test_fvk() -> FullViewingKey {
        use orchard::keys::SpendingKey;
        let sk = SpendingKey::from_bytes([42u8; 32]).unwrap();
        FullViewingKey::from(&sk)
    }
}

// ============================================================================
// WASM BINDINGS
// ============================================================================

/// Initialize rayon thread pool for WASM parallel execution
/// Must be called once before using parallel scanning in WASM
///
/// Usage from JavaScript:
/// ```javascript
/// import init, { initThreadPool } from './zync_core.js';
/// await init();
/// await initThreadPool(navigator.hardwareConcurrency);
/// ```
#[cfg(feature = "wasm-parallel")]
#[wasm_bindgen]
pub fn init_thread_pool(num_threads: usize) -> js_sys::Promise {
    // wasm-bindgen-rayon provides this function to set up Web Workers
    wasm_bindgen_rayon::init_thread_pool(num_threads)
}

/// Initialize panic hook for better error messages in browser console
#[cfg(feature = "wasm")]
#[wasm_bindgen(start)]
pub fn wasm_init() {
    console_error_panic_hook::set_once();
}

// Re-export wasm-bindgen-rayon's pub_thread_pool_size for JS access
#[cfg(feature = "wasm-parallel")]
pub use wasm_bindgen_rayon::init_thread_pool as _rayon_init;