Refactor ZIP 32 code #1043

str4d · 2023-11-21T02:38:08Z

The Sapling-specific code moves to zcash_primitives::sapling::zip32, to be part of the sapling-crypto extraction.

The protocol-independent types are refactored to support this refactor, and to enable themselves to be refactored into a protocol component crate that can be used by both sapling-crypto and orchard.

Part of #738.

codecov · 2023-11-21T02:57:23Z

Codecov Report

Attention: 10 lines in your changes are missing coverage. Please review.

Comparison is base (1607d01) 70.65% compared to head (7064efe) 70.54%.

Files	Patch %	Lines
zcash_primitives/src/sapling/zip32.rs	82.05%	7 Missing ⚠️
zcash_primitives/src/sapling/keys.rs	0.00%	2 Missing ⚠️
zcash_primitives/src/zip32.rs	92.85%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1043      +/-   ##
==========================================
- Coverage   70.65%   70.54%   -0.11%     
==========================================
  Files         140      140              
  Lines       13802    13792      -10     
==========================================
- Hits         9752     9730      -22     
- Misses       4050     4062      +12

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

zcash_primitives/src/zip32.rs

str4d · 2023-11-21T21:24:27Z

In a pairing with @nuttycom, we decided to simplify this by just removing non-hardened derivation support from our Sapling implementation (which we have never used, and to our knowledge no one else widely does either).

daira · 2023-11-22T00:10:37Z

I thought I remembered a dependency of ZIP 316 on non-hardened derivation. Indeed there is, but only transparent non-hardened derivation, not Sapling.

Still, we had better check that none of the ecosystem wallets in common use are using it with Sapling.

str4d · 2023-11-22T04:19:36Z

Force-pushed to remove non-hardened derivation and simplify the resulting refactor.

str4d · 2023-11-22T04:45:25Z

zcash_primitives/src/sapling/zip32.rs

@@ -1193,506 +1151,431 @@ mod tests {
            },
            TestVector {
                ask: Some([
-                    0x28, 0x2b, 0xc1, 0x97, 0xa5, 0x16, 0x28, 0x7c, 0x8e, 0xa8, 0xf6, 0x8c, 0x42,


These updated test vectors come from zcash/zcash-test-vectors#94.

I was just about to ask about that. I also noticed that the URL at the top of this block of test vectors should now change.

Yeah, it would have changed automatically had the test vector repo been updated when the repo was moved.

daira · 2023-11-22T10:47:56Z

zcash_primitives/CHANGELOG.md

@@ -131,6 +139,9 @@ and this library adheres to Rust's notion of
    - `fees::fixed::FeeRule::fixed_fee`
    - `fees::zip317::FeeRule::marginal_fee`
    - `sighash::TransparentAuthorizingContext::input_amounts`
+- `zcash_primitives::zip32`:
+  - `ChildIndex` has been changed from an enum to an opaque struct, and no
+    longer supports non-hardened indices.


Do you want to add a note to ZIP 32 that discourages or deprecates use of non-hardened indices with Sapling?

I feel like this requires more community discussion.

ZIP 32's existing language already somewhat discourages it, particularly the language that specifies Orchard. We only specify non-hardened derivation for an optional address_index path extension for Sapling with MAY, and then immediately note that zcashd did this path extension with hardened derivation instead (which made sense for its use case, and also means I still am unaware of anyone ever exercising this MAY).

I also note that while we do still use a non-hardened-like derivation process to produce Sapling internal keys, it is domain-separated from non-hardened derivation and thus distinct (so we don't use the functionality being removed here).

zcash_primitives/src/sapling/zip32.rs

zcash_primitives/src/sapling/keys.rs

zcash_primitives/src/sapling/zip32.rs

nuttycom · 2023-11-28T01:11:19Z

zcash_primitives/src/zip32.rs

-            ChildIndex::NonHardened(i) => i,
-        }
+    /// Returns the index as a 32-bit integer, including the hardened bit.
+    pub fn index(&self) -> u32 {


The naming here is confusing to me, it's the opposite of what I had thought you had been suggesting; from the perspective of an API user, I would expect "index" to mean the zero-based integer in either the non-hardened or the hardened range, and the "value" to mean the packed binary representation.

ZIP 32 uses "index" to mean the thing that includes the hardened bit (i.e. index >= 2^31 means "hardened"). The closest thing it defines to what I call "value" here is "path level", but that's in the context of a full path, not a single standalone parent-to-child derivation.

Hm. That's unfortunate naming in the ZIP then, but I suppose we're probably stuck with it and this should agree with the ZIP.

The "index" terminology is inherited from BIP 32.

nuttycom · 2023-11-28T01:13:20Z

zcash_primitives/src/zip32.rs

+    /// Parses the given ZIP 32 child index.
+    ///
+    /// Returns `None` if the hardened bit is not set.
+    pub fn from_index(i: u32) -> Option<Self> {


I would almost prefer that this operation be called decode or something of the sort, pursuant to my previous comment.

nuttycom

utACK modulo discussing the naming confusion around "index"

str4d · 2023-11-28T01:36:27Z

Rebased on main to fix merge conflicts.

…dings

str4d · 2023-11-28T01:39:46Z

Force-pushed to make ChildIndex::hardened a const fn.

nuttycom

utACK 7064efe

nuttycom reviewed Nov 21, 2023

View reviewed changes

zcash_primitives/src/zip32.rs Outdated Show resolved Hide resolved

nuttycom reviewed Nov 21, 2023

View reviewed changes

zcash_primitives/src/zip32.rs Outdated Show resolved Hide resolved

nuttycom reviewed Nov 21, 2023

View reviewed changes

zcash_primitives/src/zip32.rs Outdated Show resolved Hide resolved

str4d force-pushed the zip32-refactor branch from 1f6c0a7 to f40337a Compare November 22, 2023 04:16

str4d commented Nov 22, 2023

View reviewed changes