Add sighash evaluation for action groups

QED-it · Oct 10, 2024 · 0c061af · 0c061af
1 parent 122a427
commit 0c061af
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 2 deletions.
diff --git a/src/bundle.rs b/src/bundle.rs
@@ -16,7 +16,9 @@ use zcash_note_encryption_zsa::{try_note_decryption, try_output_recovery_with_ov
 use crate::{
     action::Action,
     address::Address,
-    bundle::commitments::{hash_bundle_auth_data, hash_bundle_txid_data},
+    bundle::commitments::{
+        hash_action_groups_txid_data, hash_bundle_auth_data, hash_bundle_txid_data,
+    },
     circuit::{Instance, Proof, VerifyingKey},
     keys::{IncomingViewingKey, OutgoingViewingKey, PreparedIncomingViewingKey},
     note::{AssetBase, Note},
@@ -481,7 +483,12 @@ impl<A: Authorization, V: Copy + Into<i64>, FL: OrchardFlavor> Bundle<A, V, FL>
     /// Computes a commitment to the effects of this bundle, suitable for inclusion within
     /// a transaction ID.
     pub fn commitment(&self) -> BundleCommitment {
-        BundleCommitment(hash_bundle_txid_data(self))
+        match self.timelimit {
+            Some(_) => {
+                BundleCommitment(hash_action_groups_txid_data(vec![self], self.value_balance))
+            }
+            None => BundleCommitment(hash_bundle_txid_data(self)),
+        }
     }
 
     /// Returns the transaction binding validating key for this bundle.

diff --git a/src/bundle/commitments.rs b/src/bundle/commitments.rs
@@ -11,6 +11,7 @@ use crate::{
     value::NoteValue,
 };
 
+const ZCASH_ORCHARD_ACTION_GROUP_HASH_PERSONALIZATION: &[u8; 16] = b"ZTxIdOrcActGHash";
 const ZCASH_ORCHARD_HASH_PERSONALIZATION: &[u8; 16] = b"ZTxIdOrchardHash";
 const ZCASH_ORCHARD_ACTIONS_COMPACT_HASH_PERSONALIZATION: &[u8; 16] = b"ZTxIdOrcActCHash";
 const ZCASH_ORCHARD_ACTIONS_MEMOS_HASH_PERSONALIZATION: &[u8; 16] = b"ZTxIdOrcActMHash";
@@ -106,6 +107,69 @@ pub(crate) fn hash_bundle_txid_data<
     h.finalize()
 }
 
+/// TODO update description
+/// Write disjoint parts of each ActionGroup as 3 separate hashes:
+/// * \[(nullifier, cmx, ephemeral_key, enc_ciphertext\[..52\])*\] personalized
+///   with ZCASH_ORCHARD_ACTIONS_COMPACT_HASH_PERSONALIZATION
+/// * \[enc_ciphertext\[52..564\]*\] (memo ciphertexts) personalized
+///   with ZCASH_ORCHARD_ACTIONS_MEMOS_HASH_PERSONALIZATION
+/// * \[(cv, rk, enc_ciphertext\[564..\], out_ciphertext)*\] personalized
+///   with ZCASH_ORCHARD_ACTIONS_NONCOMPACT_HASH_PERSONALIZATION
+/// as defined in [ZIP-244: Transaction Identifier Non-Malleability][zip244]
+///
+/// Then, hash these together along with (flags, anchor_orchard, timelimit).
+///
+/// The final hash is personalized with ZCASH_ORCHARD_HASH_PERSONALIZATION.
+///
+/// [zip244]: https://zips.z.cash/zip-0244
+/// [zip226]: https://zips.z.cash/zip-0226 (for ZSA burn field hashing)
+pub(crate) fn hash_action_groups_txid_data<
+    A: Authorization,
+    V: Copy + Into<i64>,
+    D: OrchardDomainCommon + OrchardHash,
+>(
+    bundles: Vec<&Bundle<A, V, D>>,
+    value_balance: V,
+) -> Blake2bHash {
+    let mut h = hasher(ZCASH_ORCHARD_HASH_PERSONALIZATION);
+
+    for bundle in bundles {
+        let mut agh = hasher(ZCASH_ORCHARD_ACTION_GROUP_HASH_PERSONALIZATION);
+        let mut ch = hasher(ZCASH_ORCHARD_ACTIONS_COMPACT_HASH_PERSONALIZATION);
+        let mut mh = hasher(ZCASH_ORCHARD_ACTIONS_MEMOS_HASH_PERSONALIZATION);
+        let mut nh = hasher(ZCASH_ORCHARD_ACTIONS_NONCOMPACT_HASH_PERSONALIZATION);
+        for action in bundle.actions().iter() {
+            ch.update(&action.nullifier().to_bytes());
+            ch.update(&action.cmx().to_bytes());
+            ch.update(&action.encrypted_note().epk_bytes);
+            ch.update(&action.encrypted_note().enc_ciphertext.as_ref()[..D::COMPACT_NOTE_SIZE]);
+
+            mh.update(
+                &action.encrypted_note().enc_ciphertext.as_ref()
+                    [D::COMPACT_NOTE_SIZE..D::COMPACT_NOTE_SIZE + MEMO_SIZE],
+            );
+
+            nh.update(&action.cv_net().to_bytes());
+            nh.update(&<[u8; 32]>::from(action.rk()));
+            nh.update(
+                &action.encrypted_note().enc_ciphertext.as_ref()
+                    [D::COMPACT_NOTE_SIZE + MEMO_SIZE..],
+            );
+            nh.update(&action.encrypted_note().out_ciphertext);
+        }
+        agh.update(ch.finalize().as_bytes());
+        agh.update(mh.finalize().as_bytes());
+        agh.update(nh.finalize().as_bytes());
+        agh.update(&[bundle.flags().to_byte()]);
+        agh.update(&bundle.anchor().to_bytes());
+        agh.update(&bundle.timelimit().unwrap().to_le_bytes());
+        h.update(agh.finalize().as_bytes());
+    }
+
+    h.update(&value_balance.into().to_le_bytes());
+    h.finalize()
+}
+
 /// Construct the commitment for the absent bundle as defined in
 /// [ZIP-244: Transaction Identifier Non-Malleability][zip244]
 ///