Use a bellman::Proof instead of a byte array in Groth16Proof

[conradoplg]

Motivation

We use a byte array in the Groth16Proof struct. However, not every byte array is a well-formed proof (i.e. the encoding of three field elements, as enforced by the bellman package). For improved type safety, it would be better to use bellman::Proof inside it and parse the proof while parsing the transaction.

However, this requires a lot of code changes:

• A lot of tests expect it to be a byte array
• The tests vectors from https://github.com/zcash-hackworks/zcash-test-vectors/ generate random byte array as proofs. We'd need to change the test vector generators to generate random well-formed proofs.
• In the same way, the Arbitrary implementation must be changed to generate random well-formed proofs.

For this reason, it was postponed for later.

Specifications

Designs

To generate a well-formed proof, you will need to generate 3 field elements: one in G1, second in G2, third in G1 again. See this snippet for reference:

zebra/zebra-consensus/src/transaction/tests.rs

Lines 1956 to 1960 in 81727d7

	// A proof is composed of three field elements, the first and last having 48 bytes.
	// (The middle one has 96 bytes.) To corrupt the proof without making it malformed,
	// simply swap those first and last elements.
	let (first, rest) = joinsplit.zkproof.0.split_at_mut(48);
	first.swap_with_slice(&mut rest[96..144]);

Related Work

[mpguerra]

Hey team! Please add your planning poker estimate with ZenHub @conradoplg @dconnolly @jvff @oxarbitrage @teor2345 @upbqdn

[teor2345]

Making this change would increase the cost of serving blocks to peers, because the proofs would be redundantly re-validated when deserializing from the database.

We're already having this performance problem with some curve types.

So I think it's ok for now.