Add orchard binding_verification_key (#2441)

* add orchard binding_verification_key * Merge branch 'main' into issue2102 * Merge branch 'main' into issue2102 * fix the build * Merge branch 'main' into issue2102 * Merge branch 'main' into issue2102 * Fix docs Co-authored-by: Deirdre Connolly <durumcrustulum@gmail.com> * Merge branch 'main' into issue2102 * rustfmt * readd binding validation * remove #2103 from the TODO list * Merge branch 'main' into issue2102
2021-08-16 16:16:25 -03:00 · 2021-08-16 16:16:25 -03:00 · c3c302309a
parent 13651d432d
commit c3c302309a
2 changed files with 44 additions and 3 deletions
--- a/zebra-chain/src/orchard/shielded_data.rs
+++ b/zebra-chain/src/orchard/shielded_data.rs
@ -12,9 +12,9 @@ use halo2::pasta::pallas;
 use crate::{
    amount::{Amount, NegativeAllowed},
    block::MAX_BLOCK_BYTES,
-    orchard::{tree, Action, Nullifier},
+    orchard::{tree, Action, Nullifier, ValueCommitment},
    primitives::{
-        redpallas::{Binding, Signature, SpendAuth},
+        redpallas::{self, Binding, Signature, SpendAuth},
        Halo2Proof,
    },
    serialization::{
@ -51,6 +51,40 @@ impl ShieldedData {
        self.actions().map(|action| &action.nullifier)
    }

+    /// Calculate the Action binding verification key.
+    ///
+    /// Getting the binding signature validating key from the Action description
+    /// value commitments and the balancing value implicitly checks that the
+    /// balancing value is consistent with the value transferred in the
+    /// Action descriptions, but also proves that the signer knew the
+    /// randomness used for the Action value commitments, which
+    /// prevents replays of Action descriptions that perform an output.
+    /// In Orchard, all Action descriptions have a spend authorization signature,
+    /// therefore the proof of knowledge of the value commitment randomness
+    /// is less important, but stills provides defense in depth, and reduces the
+    /// differences between Orchard and Sapling.
+    ///
+    /// The net value of Orchard spends minus outputs in a transaction
+    /// is called the balancing value, measured in zatoshi as a signed integer
+    /// cv_balance.
+    ///
+    /// Consistency of cv_balance with the value commitments in Action
+    /// descriptions is enforced by the binding signature.
+    ///
+    /// Instead of generating a key pair at random, we generate it as a function
+    /// of the value commitments in the Action descriptions of the transaction, and
+    /// the balancing value.
+    ///
+    /// https://zips.z.cash/protocol/protocol.pdf#orchardbalance
+    pub fn binding_verification_key(&self) -> redpallas::VerificationKeyBytes<Binding> {
+        let cv: ValueCommitment = self.actions().map(|action| action.cv).sum();
+        let cv_balance: ValueCommitment =
+            ValueCommitment::new(pallas::Scalar::zero(), self.value_balance);
+
+        let key_bytes: [u8; 32] = (cv - cv_balance).into();
+        key_bytes.into()
+    }
+
    /// Provide access to the `value_balance` field of the shielded data.
    ///
    /// Needed to calculate the sapling value balance.
--- a/zebra-consensus/src/transaction.rs
+++ b/zebra-consensus/src/transaction.rs
@ -326,7 +326,6 @@ where
        // - verify orchard shielded pool (ZIP-224) (#2105)
        // - ZIP-216 (#1798)
        // - ZIP-244 (#1874)
-        // - validate bindingSigOrchard (#2103)
        // - remaining consensus rules (#2379)
        // - remove `should_panic` from tests

@ -543,6 +542,14 @@ where
                        .oneshot((action.rk, spend_auth_sig, &shielded_sighash).into()),
                );
            }
+
+            let bvk = orchard_shielded_data.binding_verification_key();
+
+            async_checks.push(
+                primitives::redpallas::VERIFIER
+                    .clone()
+                    .oneshot((bvk, orchard_shielded_data.binding_sig, &shielded_sighash).into()),
+            );
        }

        Ok(async_checks)