Start of, but currently unfinished, Sapling note commitment / Windowed Pedersen Commitment

Cargo.lock

@@ -204,12 +204,13 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
 
 [[package]]
-name = "bitmaps"
+name = "bitvec"
-version = "2.1.0"
+version = "0.17.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "031043d04099746d8db04daf1fa424b2bc8bd69d92b25962dcde24da39ab64a2"
+checksum = "41262f11d771fd4a61aa3ce019fca363b4b6c282fca9da2a31186d3965a47a5c"
 dependencies = [
- "typenum",
+ "either",
+ "radium",
 ]
 
 [[package]]
@@ -674,6 +675,12 @@ version = "1.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
 
+[[package]]
+name = "either"
+version = "1.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
+
 [[package]]
 name = "equihash"
 version = "0.1.0"
@@ -2866,6 +2873,7 @@ version = "3.0.0-alpha.0"
 dependencies = [
  "bech32",
  "bincode",
+ "bitvec",
  "blake2b_simd",
  "blake2s_simd",
  "bs58",

zebra-chain/Cargo.toml

@@ -9,6 +9,7 @@ edition = "2018"
 
 [dependencies]
 bech32 = "0.7.2"
+bitvec = "0.17.4"
 blake2b_simd = "0.5.10"
 blake2s_simd = "0.5.10"
 bs58 = { version = "0.3", features = ["check"] }

zebra-chain/src/keys/sapling.rs

@@ -155,7 +155,7 @@ fn zcash_h() -> jubjub::ExtendedPoint {
 /// Used to derive a diversified base point from a diversifier value.
 ///
 /// https://zips.z.cash/protocol/protocol.pdf#concretediversifyhash
-fn diversify_hash(d: [u8; 11]) -> Option<jubjub::ExtendedPoint> {
+pub fn diversify_hash(d: [u8; 11]) -> Option<jubjub::ExtendedPoint> {
     jubjub_group_hash(*b"Zcash_gd", &d)
 }
 
@@ -623,6 +623,22 @@ impl From<Diversifier> for [u8; 11] {
     }
 }
 
+impl From<Diversifier> for jubjub::AffinePoint {
+    /// Get a diversified base point from a diversifier value in
+    /// affine representation
+    fn from(d: Diversifier) -> jubjub::AffinePoint {
+        jubjub::ExtendedPoint::from(d).into()
+    }
+}
+
+impl From<Diversifier> for jubjub::ExtendedPoint {
+    /// Get a diversified base point from a diversifier value in
+    /// extended representation
+    fn from(d: Diversifier) -> jubjub::ExtendedPoint {
+        diversify_hash(d.0).unwrap()
+    }
+}
+
 impl From<SpendingKey> for Diversifier {
     /// Derives a [_default diversifier_][4.2.2] from a SpendingKey.
     ///

zebra-chain/src/notes/sapling.rs

@@ -8,7 +8,7 @@ mod commitments;
 mod nullifiers;
 
 use crate::{
-    keys::sapling::{diversify_hash, find_group_hash, Diversifier, TransmissionKey},
+    keys::sapling::{Diversifier, TransmissionKey},
     notes::memo::Memo,
     types::amount::{Amount, NonNegative},
 };
@@ -45,9 +45,14 @@ impl Note {
     ///
     /// https://zips.z.cash/protocol/protocol.pdf#concretewindowedcommit
     pub fn commit(&self) -> NoteCommitment {
-        let g_d = diversify_hash(self.diversifier.0).unwrap();
+        use rand_core::OsRng;
 
-        NoteCommitment::new(g_d, self.transmission_key, self.value)
+        NoteCommitment::new(
+            &mut OsRng,
+            self.diversifier,
+            self.transmission_key,
+            self.value,
+        )
     }
 }
 

zebra-chain/src/notes/sapling/commitments.rs

@@ -3,9 +3,10 @@ use std::{fmt, io};
 use rand_core::{CryptoRng, RngCore};
 
 use crate::{
-    keys::sapling::find_group_hash,
+    keys::sapling::{find_group_hash, Diversifier, TransmissionKey},
     serde_helpers,
     serialization::{ReadZcashExt, SerializationError, ZcashDeserialize, ZcashSerialize},
+    types::amount::{Amount, NonNegative},
 };
 
 // TODO: replace with reference to redjubjub or jubjub when merged and
@@ -64,20 +65,44 @@ impl NoteCommitment {
     ///
     /// https://zips.z.cash/protocol/protocol.pdf#concretewindowedcommit
     #[allow(non_snake_case)]
-    pub fn new<T>(csprng: &mut T, value_bytes: [u8; 32]) -> Self
+    pub fn new<T>(
+        csprng: &mut T,
+        diversifier: Diversifier,
+        transmission_key: TransmissionKey,
+        value: Amount<NonNegative>,
+    ) -> Self
     where
         T: RngCore + CryptoRng,
     {
-        let v = Scalar::from_bytes(&value_bytes).unwrap();
+        // use bitvec::prelude::*;
+        // // s as in the argument name for WindowedPedersenCommit_r(s)
+        // let mut s = BitVec::new();
 
-        let mut rcv_bytes = [0u8; 32];
+        // // Prefix
-        csprng.fill_bytes(&mut rcv_bytes);
+        // s.extend([1, 1, 1, 1, 1, 1].iter());
-        let rcv = Scalar::from_bytes(&rcv_bytes).unwrap();
 
-        let V = find_group_hash(*b"Zcash_cv", b"v");
+        // // Jubjub repr_J canonical byte encoding
-        let R = find_group_hash(*b"Zcash_cv", b"r");
+        // // https://zips.z.cash/protocol/protocol.pdf#jubjub
+        // let g_d_bytes = jubjub::AffinePoint::from(diversifier).to_bytes();
+        // let pk_d_bytes = transmission_key.into();
+        // let v_bytes = value.to_bytes();
 
-        Self::from(V * v + R * rcv)
+        // // Expects i to be 0-indexed
+        // fn I_i(D: [u8; 8], i: u32) -> jubjub::ExtendedPoint {
+        //     find_group_hash(D, i.to_le_bytes())
+        // }
+        // // let v = Scalar::from_bytes(&value_bytes).unwrap();
+
+        // // let mut rcv_bytes = [0u8; 32];
+        // // csprng.fill_bytes(&mut rcv_bytes);
+        // // let rcv = Scalar::from_bytes(&rcv_bytes).unwrap();
+
+        // // let V = find_group_hash(*b"Zcash_cv", b"v");
+        // // let R = find_group_hash(*b"Zcash_cv", b"r");
+
+        // // Self::from(V * v + R * rcv)
+
+        unimplemented!()
     }
 
     /// Hash Extractor for Jubjub (?)