
Zsa1 diff, for reference only #7

Draft: wants to merge 83 commits into main

Commits on Dec 6, 2022

  1. Circleci project setup (#1)

    * Added .circleci/config.yml
    PaulLaux committed Dec 6, 2022
    commit 7f8a848
  2. issuer keys implementation (#5)

    Implements the issuer keys as
    
        IssuerAuthorizingKey -> isk
        IssuerVerifyingKey -> ik
    
    Test vectors generated with zcash_test_vectors repo
    daniben31 authored and PaulLaux committed Dec 6, 2022
    commit 1328c62
  3. Added NoteType to Notes (#2)

    * Added NoteType to Notes
    * Added NoteType to value commitment derivation
    PaulLaux committed Dec 6, 2022
    commit e6b7762
  4. ZSA note encryption in Orchard crate (#3)

    * Circleci project setup (#1)
    
    * Added .circleci/config.yml
    
    * Added NoteType to Notes
    
    * reformatted file
    
    * updated `derive` for NoteType
    
    * added note_type to value commit derivation
    
    * rustfmt
    
    * updated ci config
    
    * updated ci config
    
    * updated ci config
    
    * updated derive for note_type
    
    * added test for arb note_type
    
    * added test for `native` note type
    
    * zsa-note-encryption: introduce AssetType and encode and decode it in note plaintexts
    
    * zsa-note-encryption: extend the size of compact notes to include asset_type
    
    * fixed clippy warnings
    
    * rustfmt
    
    * zsa-note-encryption: document parsing requirement
    
    * zsa-note-encryption: revert support of ZSA compact action
    
    * zsa_value: add NoteType method is_native
    
    * zsa-note-encryption: remove dependency on changes in the other crate
    
    * zsa-note-encryption: extract memo of ZSA notes
    
    * zsa-note-encryption: tests (zcash_test_vectors 77c73492)
    
    * zsa-note-encryption: simplify roundtrip test
    
    * zsa-note-encryption: more test vectors (zcash_test_vectors c10da464)
    
    * Circleci project setup (#1)
    
    * Added .circleci/config.yml
    
    * issuer keys implementation (#5)
    
    Implements the issuer keys as
    
        IssuerAuthorizingKey -> isk
        IssuerVerifyingKey -> ik
    
    Test vectors generated with zcash_test_vectors repo
    
    * Added NoteType to Notes (#2)
    
    * Added NoteType to Notes
    * Added NoteType to value commitment derivation
    
    * zsa-note-encryption: use both native and ZSA in proptests
    
    * zsa-note-encryption: test vector commit 51398c93
    
    * zsa-note-encryption: fix after merge
    
    Co-authored-by: Paul <[email protected]>
    Co-authored-by: Paul <[email protected]>
    Co-authored-by: Aurélien Nicolas <[email protected]>
    Co-authored-by: Daniel Benarroch <[email protected]>
    5 people committed Dec 6, 2022
    commit 088abc6
  5. Zsa builder (#4)

    + Updated test bsk_consistent_with_bvk to verify mixed note types.
    + Added NoteType support to the builder and the bundle.
    + added split_flag to SpentInfo and as input to the Circuit (currently commented out)
    + added conditional cv_sum calculation (currently commented out)
    + added padding to actions
    PaulLaux committed Dec 6, 2022
    commit 1420f84
  6. Issuance (#12)

    - added IssueBundle and IssueAction
    - added a builder for IssueBundle
    - added verify_issue_bundle() for consensus verification.
    - unit tests.
    PaulLaux committed Dec 6, 2022
    commit 0b2988a
  7. E2E tests for issuance (#20)

    added tests in `tests/zsa.rs`
    alexeykoren authored and PaulLaux committed Dec 6, 2022
    commit 9b43497
  8. disabled split notes (#22)

    * disabled split notes and proof check for zsa transfer
    PaulLaux committed Dec 6, 2022
    commit 985d0d2
  9. Review fixes (#23)

    * fixes and suggestions
    
    * changed "issuer" to "issuance" as per zcash#356 (comment)
    
    * terminology fixes
    
    * updated naming
    PaulLaux committed Dec 6, 2022
    commit f3ebe7a
  10. Review fixes2 (#24)

    * rename 2 note_type -> asset as per zcash#356 (comment)
    
    * added a dedicated type for "IssuanceAuth"
    
    * disabled codecov github action due to bad behavior. 
    
    * extracted "is_asset_desc_of_valid_size()" into asset_id.rs
    PaulLaux committed Dec 6, 2022
    commit 355b569
  11. verify_issue_bundle() cleanup (#25)

    * improved `verify_issue_bundle()`
    PaulLaux committed Dec 6, 2022
    commit 9405f80

Commits on Dec 7, 2022

  1. ZSA burn functionality (#35)

    Added a method to add assets to burn to the Builder
    
    bvk computation now includes the burnt assets
    
    Added Tests for bsk/bvk consistency for burning
    
    Added E2E tests for assets burning
    alexeykoren authored Dec 7, 2022
    commit d8f3563

Commits on Dec 18, 2022

  1. commit 5a50fb8

Commits on Dec 20, 2022

  1. commit efbfc19

Commits on Dec 21, 2022

  1. CI-Badge (#37)

    Added CI badge to README
    PaulLaux authored Dec 21, 2022
    commit babf1da

Commits on Dec 23, 2022

  1. commit 4681cc2

Commits on Jan 31, 2023

  1. V3 encryption (#38)

    Added `OrchardDomainV3` on top of the encryption generalization (QED-it/librustzcash#18).
    
    not for review: note_encryption.rs, note_encryptionv2v3.rs and src/test_vectors/note_encryption.rs. These files represent two possible approaches for backward compatibility and will be finalized down the road. (the files were excluded from the build).
    PaulLaux authored Jan 31, 2023
    commit cec48d7

Commits on Feb 9, 2023

  1. Minimal API changes for Issuance in Client (#43)

    Make IVK::from_bytes public
    alexeykoren authored Feb 9, 2023
    commit 4e47677

Commits on Feb 14, 2023

  1. Circuit: Split_flag handling (#42)

    When split_flag is set, the following values are modified
    * v_net is equal to -v_new instead of v_old - v_new
    * cv_net is evaluated with this new value of v_net
    
    The following constraints are modified
    * (v_old - v_new = magnitude * sign) becomes (v_old * (1-split_flag) - v_new = magnitude * sign) to take into account the new value of v_net
    * nf_old = nf_old_pub is only checked when split_flag=0
    * the new constraint asset_old = asset_new is always checked regardless of the value of split_flag
    ConstanceBeguier authored Feb 14, 2023
    commit cbf0a3a

Commits on Mar 2, 2023

  1. AssetBase spec update (#44)

    - Renamed AssetId to AssetBase
    - Changed the AssetBase implementation to support the zip update.
    - Updated visibility for various members of issuance.rs
    PaulLaux authored Mar 2, 2023
    commit 43d5e77

Commits on Mar 20, 2023

  1. commit 527e29a

Commits on Apr 18, 2023

  1. Making changes to the asset base derivation from the asset identifier (#49)
    
    This PR updates the test-vectors from the updates to the zcash-test-vectors repository (see here).
    
    The keys test is also updated to now use the asset base from the test vectors instead of just using the native asset.
    vivek-arte authored Apr 18, 2023
    commit f0b7948

Commits on Apr 21, 2023

  1. Circuit: Update value_commit_orchard to take into account asset (#50)

    In the circuit, we update value_commit_orchard to take into account asset.
    Previously, value_commit_orchard returns cv_net = [v_net] ValueCommitV + [rcv] ValueCommitR.
    Now, value_commit_orchard returns cv_net = [v_net] asset + [rcv] ValueCommitR.
    ValueCommitV and ValueCommitR are constants.
    v_net is equal to sign * magnitude where sign is in {-1, 1} and magnitude is an unsigned integer on 64 bits.
    
    To evaluate [v_net] asset where v_net = sign * magnitude, we perform the following steps
    1. verify that magnitude is on 64 bits
    2. evaluate commitment=[magnitude]asset with the variable-base long-scalar multiplication
    3. evaluate result=[sign]commitment with the new mul_sign gate
    ConstanceBeguier authored Apr 21, 2023
    commit 563b4e5

Commits on Apr 25, 2023

  1. Constant-time note commitment for ZEC and ZSA (#54)

    We would like to have a constant-time evaluation of the note commitment for both ZEC and ZSA.
    ZEC_note_commitment=Extract_P(SinsemillaHashToPoint(zec_personalization, common_bits) + [rcm]R)
    ZSA_note_commitment=Extract_P(SinsemillaHashToPoint(zsa_personalization, common_bits || asset) + [rcm]R)
    
    R is the same constant for ZEC and ZSA note commitments.
    ConstanceBeguier authored Apr 25, 2023
    commit 7d3b6df

Commits on May 4, 2023

  1. Add tracking for supply info inside verify_issue_bundle (#55)

    1. Added a new error, `ValueSumOverflow`, that occurs if the sum value overflows when adding new supply amounts.
    2. Created a new `supply_info` module containing `SupplyInfo` and `AssetSupply` structures, with `add_supply` function and unit tests for it.
    3. Renamed the `are_note_asset_ids_derived_correctly` function to `verify_supply`, changed its behavior to verify and compute asset supply, added unit tests for it.
    4. Updated the `verify_issue_bundle` function to use the changes mentioned above, updated its description, and added new unit tests.
    5. Renamed errors with `...NoteType` suffix in the name to `...AssetBase`.
    6. Added `update_finalization_set` method to `SupplyInfo` and use it after the calls of the `verify_issue_bundle` function (if needed), instead of mutating the finalization set inside `verify_issue_bundle`.
    dmidem authored May 4, 2023
    commit ea0fd59

Commits on May 10, 2023

  1. Add getter method for Bundle.burn field (#58)

    - Add getter method for Bundle.burn field
    dmidem authored May 10, 2023
    commit 9a35108

Commits on May 16, 2023

  1. commit 4e1c616
  2. Merge branch main into zsa1 (#59)

    For zcash_note_encryption, we have to use version 0.2 with QEDIT patch.
    ConstanceBeguier authored May 16, 2023
    commit c77d96c

Commits on May 23, 2023

  1. Circuit: Update note_commit to take into account asset (#56)

    In the circuit, we update note_commit to take into account asset.
    Previously, note_commit returns cm = hash(Q_ZEC, msg) + [rcm]R.
    Now, note_commit returns
    - cm = hash(Q_ZEC, msg) + [rcm]R for ZEC note
    - cm = hash(Q_ZSA, msg || asset) + [rcm]R for ZSA note
    
    We now evaluate note_commit with the following steps
    1. evaluate **hash_zec = hash(Q_ZEC, msg)**
    2. evaluate **hash_zsa = hash(Q_ZSA, msg || asset)**
    3. select **hash = hash_zec if is_native_asset, hash_zsa otherwise**
    4. evaluate **cm = hash + [rcm]R**
    5. check some constraints on msg and asset and their decompositions
    6. return **cm**
    
    The following modifications are required to update note_commit:
    - add an is_native_asset witness (and check that it is a boolean and its
    value is correct according to asset)
    - add a MUX chip to evaluate a multiplexer on Pallas points
    
    Warning: we increased the size of the Orchard circuit!
    ConstanceBeguier authored May 23, 2023
    commit aeb9934

Commits on May 25, 2023

  1. Circuit: Use nf_old_pub to evaluate new note commitment (with rho_new = nf_old_pub) (#62)
    
    Currently, every new note commitment is calculated using
    rho_new = nf_old = DeriveNullifier_nk(rho_old, psi_old, cm_old).
    For split notes, we would like to evaluate the new note commitment with
    rho_new = nf_old_pub (a random nullifier which is stored in the instance nf_old_pub).
    For all remaining notes, nf_old = nf_old_pub.
    As such, implementing rho_new = nf_old_pub for all notes will not affect
    those remaining notes (and only affect split notes).
    ConstanceBeguier authored May 25, 2023
    commit b4f6281

Commits on May 29, 2023

  1. Circuit: Check pk_d_old = derived_pk_d_old only when split_flag = 0 (#64)
    
    In the circuit, derived_pk_d_old is evaluated from rivk, ak, nk and g_d_old.
    rivk, ak and nk come from the FullViewingKey stored in the spent note.
    For split notes, the FullViewingKey stored in the spent note is random in order to derive a random Nullifier nf_old.
    Thus, the constraint pk_d_old = derived_pk_d_old must not be checked for split notes (split_flag=1).
    ConstanceBeguier authored May 29, 2023
    commit 95fcf88
  2. Protect bundle burn from adding assets with zero amount (#60)

    Prevent the burning of assets with zero value.
    dmidem authored May 29, 2023
    commit 8e71fff

Commits on Jun 1, 2023

  1. Circuit: Add tests for orchard circuit (#63)

    Add some positive and negative tests for Orchard circuit
    ConstanceBeguier authored Jun 1, 2023
    commit bedc732

Commits on Jun 6, 2023

  1. Do not create split notes with native asset (#65)

    Due to privacy considerations, we might incorporate dummy or split notes while generating a bundle.
    However, to maintain consistency with the previous version, we choose not to include split notes for native asset.
    
    In addition, we use new dummy/split notes for each extend in order to have different nullifiers.
    ConstanceBeguier authored Jun 6, 2023
    commit 32eee6e
  2. Global padding for bundle (#67)

    Each bundle must contain at least two actions for privacy concerns.
    Previously, we padded the bundle to have at least two actions per asset.
    Now, we pad the bundle globally, adding dummy/split actions to have at least two actions per bundle.
    ConstanceBeguier authored Jun 6, 2023
    commit 02fa582
  3. Add serialization of finalize flag (#68)

    Add a function `flags` to serialize the `finalize` flag of an IssueAction to a byte.
    This function will be used by the client.
    ConstanceBeguier authored Jun 6, 2023
    commit 9965a6d

Commits on Jun 12, 2023

  1. Fix IssueBundle and IssueAction structures (#70)

    The vector of issue actions in an IssueBundle must not be empty.
    The vector of notes in an IssueAction could be empty when `finalize` is set to true.
    
    We could add some actions in an `IssueAction` even if `finalize` is set to true.
    Only the next block is affected by the `finalize` flag, not the current block.
    ConstanceBeguier authored Jun 12, 2023
    commit 7ad2bac

Commits on Jun 13, 2023

  1. Updates to TXID Digest and Authorizing Data Commitment (#66)

    This updates the computation of the transaction digest and
    authorizing data commitment for the issue bundle to be in line with the
    specification in ZIP 227.
    vivek-arte authored Jun 13, 2023
    commit 950b806
  2. commit 8bc18f7
  3. Merge branch main into zsa1 (#72)

    For zcash_note_encryption, we have to use version 0.2 with QEDIT patch.
    ConstanceBeguier authored Jun 13, 2023
    commit 5b003f8

Commits on Jun 19, 2023

  1. Update code to refer to the upgraded version of librustzcash and reflect the corresponding changes
    dmidem committed Jun 19, 2023
    commit f49be89

Commits on Jun 20, 2023

  1. Fix issuance key derivation (#74)

    Updated constants for master (extended) issuance key according to ZIP
    227. Previously, we used the same personalization for the master
    extended spending key and the master extended issuance key, as well as
    the same purpose constant for the spending master key and the issuance
    master key.
    
    Now, the following updates have been made:
    - Personalization for the master extended issuance key: ZIP32ZSAIssue_V1
    - Purpose constant for the issuance master key: 227
    ConstanceBeguier authored Jun 20, 2023
    commit aa1d895

Commits on Jun 21, 2023

  1. Preventing Asset Base from being the identity point on the Pallas curve (#71)
    
    As in the title, this is done in two portions:
    - A protection is added to `AssetBase::derive()`, which panics if the
    output is going to be the identity point. This panic will occur with
    negligible probability due to the properties of the hash.
    - The `verify_supply()` function now returns an error if the Asset Base
    of the notes involved is the identity point.
    - A number of tests are added to ensure the `verify_supply`, `verify_issue_bundle` functions raise errors appropriately, and also to confirm that the issue bundle cannot be signed when the asset base is the identity point.
    
    ---------
    
    Co-authored-by: Paul <[email protected]>
    vivek-arte and PaulLaux authored Jun 21, 2023
    commit daf6269

Commits on Jun 23, 2023

  1. Update random nullifier for split notes and circuit (#76)

    To be secure against roadblock attacks, we update the process to obtain
    a random nullifier for split notes.
    Now we have the following formula to evaluate nf_old
    - for non split notes, nf_old = Extract_P([(PRF^{nfOrchard}_{nk}(rho_old) + psi_nf) mod q_P] NullifierK + cm_old)
    - for split notes, nf_old = Extract_P([(PRF^{nfOrchard}_{nk}(rho_old) + psi_nf) mod q_P] NullifierK + cm_old + NullifierL)
    where psi_nf is equal to
    - psi_old for non split notes
    - a random pallas Base element for split notes
    
    The following constraints have been updated into the circuit
    - nf_old = nf_old_pub for all notes
    - derived_pk_d_old = pk_d_old for all notes
    - if split_flag=0, then psi_old = psi_new
    ConstanceBeguier authored Jun 23, 2023
    commit 477f949
  2. commit d4ff716
  3. Use tag instead of branch for zcash_note_encryption (librustzcash) ref in root Cargo.toml
    dmidem committed Jun 23, 2023
    commit 21d7273
  4. commit 62d4ae7
  5. Upgrade orchard to v0.5 and integrate corresponding librustzcash upgrade (new) (#75)
    
    This pull request focuses on upgrading the `orchard` repository to
    integrate it with a version of `librustzcash` repository compatible with
    `orchard` v0.5.
    
    The necessary changes have been made in the
    `upgrade_librustzcash_for_orchard_v05` branch, and merge conflicts have
    been resolved. `upgrade_librustzcash_for_orchard_v05` branch was created
    from `librustzcash_980736806` branch that contains a previous attempt at
    upgrading.
    dmidem authored Jun 23, 2023
    commit 1a00c4a

Commits on Jun 29, 2023

  1. Circuit: Add constraints (#77)

    Add the constraint: (split_flag=1) => (is_native_asset=0)
    
    Replace the constraint: (v_old=0) or (root=anchor)
    by the constraint: (v_old=0 and split_flag=0) or (root=anchor)
    
    Limit the version of half (< 2.3) because recent half versions required
    at least rust version 1.70.
    ConstanceBeguier authored Jun 29, 2023
    commit ff2ac96

Commits on Jul 24, 2023

  1. Circuit: Fix balance violation (#78)

    To prevent balance violations, we have replaced the constraint
    "(v_old = 0 and split_flag = 0) or (root = anchor)"
    with the constraint "(v_old = 0 and is_native_asset = 1) or (root = anchor)".
    Previously, an adversary could use a zero-valued ZSA note to violate
    balance by setting v_old=0, v_new!=0, is_native_asset=0, split_flag=0.
    
    Limit the version of dashmap (< 5.5) because recent dashmap versions
    required rust version 1.64 or newer
    Limit the version of hashbrown (<0.13) because recent hashbrown versions
    required rust version 1.64 or newer
    ConstanceBeguier authored Jul 24, 2023
    commit 081513b

Commits on Aug 31, 2023

  1. Circuit: Add enable_zsa flag (#79)

    When enable_zsa flag is set to false, it is not possible to perform ZSA transactions (the circuit will fail).
    
    Fix the version of reddsa (=0.5.0) because recent versions required rust version 1.65 or newer
    Fix the version of tempfile (=3.5.0) because recent versions required rust version 1.63 or newer
    Limit the version of flate2 (<1.0.27) because recent versions raise some clippy issues
    ConstanceBeguier authored Aug 31, 2023
    commit 139ecca

Commits on Oct 4, 2023

  1. Enhance and cleanup ivk-to-bytes-visibility-downgrade branch (#81)

    Added burn validation, fixes and minor additions. 
    Bumped Rust version to 1.65
    
    ---------
    
    Co-authored-by: alexeykoren <>
    Co-authored-by: Dmitry Demin <[email protected]>
    Co-authored-by: Paul <[email protected]>
    3 people authored Oct 4, 2023
    commit 7937e5b

Commits on Oct 16, 2023

  1. Circuit: optimized short range check on 4 and 5 bits (#86)

    Short range checks on 4 and 5 bits are now performed with only one
    lookup (instead of 2).
    
    With this optimization, we could come back to k=11 in the circuit.
    ConstanceBeguier authored Oct 16, 2023
    commit 8b0560d

Commits on Oct 17, 2023

  1. Circuit: remove multiplexer chip (#90)

    Remove the multiplexer chip from this repo (this chip has been moved
    into halo2 repo).
    ConstanceBeguier authored Oct 17, 2023
    commit 2810365

Commits on Oct 18, 2023

  1. Circuit: optimize ZEC/ZSA hash computations in note commitment (#87)

    We optimized note_commitment evaluation by sharing a portion of the hash evaluation between ZEC and ZSA.
    1. message_common_prefix = a || b || c || d || e || f || g
    2. message_suffix_zec = h_zec
    3. message_suffix_zsa = h_zsa || i || j
    4. Q = if (is_native_asset == 0) {Q_ZSA} else {Q_ZEC}
    5. common_hash = hash(Q, message_common_prefix) // this part is shared
    6. hash_point_zec = hash(common_hash, message_suffix_zec)
    7. hash_point_zsa = hash(common_hash, message_suffix_zsa)
    8. hash_point = if (is_native_asset == 0) {hash_point_zsa} else {hash_point_zec}
    ConstanceBeguier authored Oct 18, 2023
    commit a680f41

Commits on Nov 1, 2023

  1. Adopt Orchard ZSA for Zebra (introduce zcash_note_encryption_zsa alias, minor enhancements) (#89)
    
    This Pull Request introduces the `zcash_note_encryption_zsa` alias,
    ensuring compatibility with the Zebra project. This alias is used to
    prevent conflicts with the original `zcash_note_encryption` crate, which
    is also used in Zebra through the original `orchard` crate that is used
    in parallel with our `orchard` (Orchard ZSA) crate.
    Additionally, this PR includes minor enhancements to ensure
    compatibility with the Zebra project.
    
    ---------
    
    Co-authored-by: Dmitry Demin <[email protected]>
    dmidem and dmidem authored Nov 1, 2023
    commit 7b943e1

Commits on Nov 7, 2023

  1. Rename sk_iss to isk, the IssuanceKey struct to `IssuanceAuthorizingKey`, and move to a two key structure (#92)
    
    This performs a consistent renaming of the issuance authorizing key to make it consistent with the ZIP.
    It also reworks the `IssuanceAuthorizingKey` struct in place of the `IssuanceKey` and `IssuanceAuthorizingKey` structs, as part of using a two key structure for issuance, as specified in ZIP 227.
    vivek-arte authored Nov 7, 2023
    commit f38d6b9

Commits on Dec 18, 2023

  1. Circuit: move mux functionality into CondSwap chip (#94)

    In halo2 repository, the mux functionality has been moved into the
    CondSwap chip.
    ConstanceBeguier authored Dec 18, 2023
    commit 0ee75f5

Commits on Dec 22, 2023

  1. Update zcash_note_encryption dependency reference (#95)

    This PR updates the dependency reference for `zcash_note_encryption` in
    `orchard` crate's `Cargo.toml`. Instead of using `zcash_note_encryption`
    crate from the `librustzcash` repository, we are now referencing the
    crate from the newly separate `zcash_note_encryption` repository.
    
    Co-authored-by: Dmitry Demin <[email protected]>
    dmidem and dmidem authored Dec 22, 2023
    commit 344b647

Commits on Jan 31, 2024

  1. Changing the Issuance Authorization Signature to the BIP 340 Schnorr scheme (#93)
    
    This changes the issuance authorization signature from the redpallas signature scheme to the BIP 340 Schnorr signature scheme, as detailed in ZIP 227.
    vivek-arte authored Jan 31, 2024
    commit 1a1f3e7

Commits on Apr 15, 2024

  1. commit c9a8f49

Commits on Apr 24, 2024

  1. Fix compilation errors after the merge (there're still several compilation errors in tests)
    dmidem committed Apr 24, 2024
    commit f3d9459

Commits on Apr 25, 2024

  1. commit 0f56f52
  2. Fix cargo doc issues

    dmidem committed Apr 25, 2024
    commit 149827d

Commits on Apr 29, 2024

  1. commit c8c84aa

Commits on Apr 30, 2024

  1. ac371f0
  2. Fix flag names after renaming

    dmidem committed Apr 30, 2024
    7969b9e
  3. Disable rustfmt for one line in keys.rs module to prevent removing double colon in the use of external zip32 crate

    dmidem committed Apr 30, 2024
    47f7aae
  4. Fix typo in constant name

    dmidem committed Apr 30, 2024
    bb9e03b

Commits on May 1, 2024

  1. dd956b8

Commits on May 2, 2024

  1. 1) Use Option instead of usize::MAX in builder::partition_by_asset function. 2) Refactor builder::bundle function (pre-action generation), to split 'fold' into three parts

    dmidem committed May 2, 2024
    123b609

Commits on May 7, 2024

  1. Refactor build function to remove Copy + Into<i64> constraints

    - Introduce `derive_bvk` function for streamlined calculation of `bvk`
    - Use `derive_bvk` in `bundle.binding_validating_key()` to avoid duplication
    - Adjust `native_value_balance` calculation to an `i64` and convert to `V`
    - Optimize calculations with iterators to reduce memory usage
    dmidem committed May 7, 2024
    ee89541
  2. Remove extra comment

    dmidem committed May 7, 2024
    73218b0

Commits on May 9, 2024

  1. 50c6310
  2. Update to upstream (zcash/main v0.8.0) (#103)

    This PR merges the latest updates from the `zcash/orchard` repository
    (version 0.8.0) into `zsa1` branch. These updates include refactorings
    and enhancements which are detailed below. The integration has been
    completed in the `zsa1-with-zcash-0.8.0` branch, where conflicts were
    resolved and all unit tests and CI checks pass successfully.
    
    ### Key Changes from zcash/orchard v0.8.0
    1. **BundleType enum introduced:** Replaces direct use of bundle flags.
    2. **Recipient renamed to Output:** Updates type and function names
    accordingly.
    3. **New type Rho:** Used for variables with `rho` value, keeping
    Nullifier for nullifiers.
    4. **External crate zip32 added and used:** Contains parts of local
    `zip32` module functionality and new features, while local `zsa32`
    retains orchard-specific features now.
    5. **Refactoring of Builder::build function:** Logic moved to new
    `bundle` function, introducing BundleMetadata to track indices
    pre-shuffle.
    dmidem authored May 9, 2024
    78c8efc

Commits on Jul 16, 2024

  1. OrchardZSA backward compatibility 0.8.0 (#104)

    This pull request aims to generalize the implementation of the Orchard
    protocol, providing backward compatibility to support both the new (ZSA)
    and the original (non-ZSA - Vanilla) Orchard protocol variants. Key
    modifications and enhancements include:
    
    ### 1. Trait and Generic Structures for Note Encryption:
    - **OrchardDomain Trait:** A new `OrchardDomain` trait in
    `note_encryption.rs` differentiates between the original Orchard
    (Vanilla) and Orchard ZSA protocols, simplifying the implementation of
    the `Domain` trait through abstraction.
    - **OrchardDomainBase Generic Struct:** Introduced to contain data used
    for internal calculations in both Orchard variants.
    - **TransmittedNoteCiphertext Modifications:** This struct is now
    generic, supporting various lengths of encrypted note ciphertext to
    accommodate both Orchard variants.
    
    ### 2. Trait and Generic Structures for Circuit Generalization:
    - **OrchardCircuit Trait:** A new `OrchardCircuit` trait in `circuit.rs`
    provides an interface for different implementations of the PLONK circuit
    tailored to the specific requirements of the Orchard protocol's variants
    (Vanilla and ZSA).
    - **OrchardCircuitBase Generic Struct:** Contains data for internal
    calculations across both Orchard variants.
    
    ### 3. Module Organization:
    - Introduction of `note_encryption_vanilla.rs`, `note_encryption_zsa.rs`
    to support the different types of encrypted notes.
    - Introduction of `circuit_vanilla.rs`, and `circuit_zsa.rs` to support
    various circuit configurations.
    
    ### 4. Test Suite Updates:
    Updates to unit tests include separate versions for Vanilla and ZSA
    variants, ensuring thorough validation of the modifications.
    
    ### 5. Dependency Adaptation:
    The adoption of a modified version of the Halo2 Rust crate facilitates
    support for both Orchard protocol variants, guaranteeing that all tests,
    including those for non-ZSA functionality, pass successfully.
    
    ---------
    
    Co-authored-by: Paul <[email protected]>
    Co-authored-by: Dmitry Demin <[email protected]>
    Co-authored-by: Vivek Arte <[email protected]>
    Co-authored-by: alexeykoren <[email protected]>
    5 people authored Jul 16, 2024
    39b479e

Commits on Jul 31, 2024

  1. Synchronize Orchard with updates from zcash_note_encryption for zcash PR #2 issues resolve (#111)

    Orchard has been synced with the changes from [PR
    #10](QED-it/zcash_note_encryption#10) in the
    `zcash_note_encryption` repository. This update includes the following
    changes:
    
    - Implements new `parse_note_plaintext_bytes`,
    `parse_note_ciphertext_bytes`, and `parse_compact_note_plaintext_bytes`
    methods of the `Domain` trait from `zcash_note_encryption`.
    - Uses the `NoteBytes` trait and `NoteBytesData` structure from
    `zcash_note_encryption` instead of having local definitions and
    implementations.
    
    ### Note
    This PR uses the `resolve_zcash_pr2_issues` branch of
    `zcash_note_encryption` in `Cargo.toml`. Before merging this PR, [PR
    #10](https://github.com/zcash/zcash_note_encryption/pull/10) needs to be
    merged into the `zsa1` branch of `zcash_note_encryption`. Then, this
    Orchard PR branch should be updated to use the `zsa1` branch of
    `zcash_note_encryption` before merging this PR.
    
    ---------
    
    Co-authored-by: Dmitry Demin <[email protected]>
    dmidem and dmidem authored Jul 31, 2024
    6e6112c

Commits on Aug 14, 2024

  1. Update ShieldedOutput implementation to return reference from enc_ciphertext (#112)

    This PR updates the `ShieldedOutput` implementation for the
    `Action`/`CompactAction` struct to align with the recent changes in the
    `zcash_note_encryption` crate. Specifically, the `enc_ciphertext` method
    now returns a reference instead of a copy.
    
    This change was discussed and suggested in PR
    zcash/zcash_note_encryption#2 review.
    
    ---------
    
    Co-authored-by: Dmitry Demin <[email protected]>
    dmidem and dmidem authored Aug 14, 2024
    07b3697

Commits on Sep 19, 2024

  1. Remove redundancy in vanilla/zsa circuits

    - Unified `NoteCommitConfig` and `Config` to have the same configs for
    both Vanilla and ZSA circuits
    - Numerous functions and structures initially defined separately for
    Vanilla and ZSA have been unified into a single definition,
    incorporating the generic parameter `Lookup`.
    ConstanceBeguier authored Sep 19, 2024
    3ba9e5b

Commits on Oct 8, 2024

  1. Updating test vectors (#114)

    This updates the test vectors in this repository to match those
    created in QED-it/zcash-test-vectors#22.
    vivek-arte authored Oct 8, 2024
    e2fb49d

Commits on Oct 10, 2024

  1. Remove ZSA dummy notes

    For actions made with ZSA assets, it is important not to use dummy spend
    notes to ensure that the asset has been properly issued.
    ConstanceBeguier authored Oct 10, 2024
    dd69425

Commits on Oct 14, 2024

  1. Changing the type of the asset description from String to Vec<u8> (#113)

    This switches the asset description to be the Vec<u8> type. This is
    so that orchard doesn't check whether the asset description string is
    UTF-8 encoded, and just works with the bytes. The UTF-8 recommended
    check will be performed closer to the top of the stack instead.
    
    ---------
    
    Co-authored-by: Paul <[email protected]>
    Co-authored-by: Paul <[email protected]>
    3 people authored Oct 14, 2024
    410037d

Commits on Oct 15, 2024

  1. Provide compatibility with librustzcash/zcash_client_backend: derive Clone for CompactAction (#118)

    This PR updates the crate to ensure compatibility with the
    `zcash_client_backend` crate in `librustzcash` repository. Specifically,
    it derives the `Clone` trait for the `CompactAction` struct to resolve
    compilation errors when the `orchard` feature is enabled for
    `zcash_client_backend` crate (`BatchRunner` struct there requires that).
    dmidem authored Oct 15, 2024
    a7c02d2