Disallow Orchard ivk = 0 on IncomingViewingKey::from & SpendingKey generation

[dconnolly]

Motivation

A change to the protocol spec for Orchard to reject scalar values in the Pallas scalar field of 0 for incoming viewing keys.

Specifications

if ivk ∈ {0, ⊥}, discard this key and repeat with a new sk.

https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents

Solution

Update impl From<FullViewingKey> for IncomingViewingKey to become a TryFrom, and return Result::Err if we get ⊥ or the possible pallas::Scalar value is 0 in the scalar field.

Update SpendingKey::new() to also check that a prospective sk doesn't lead to an invalid IncomingViewingKey.

Also implement TryFrom<[u8; 64]> for IncomingViewingKey to enforce that parsing of the raw encoding checks for and rejects the same values.

Closes #3869

Review

This is low priority because it is not an NU5 consensus rule, but an Orchard protocol check for keygen and ingesting of keys/addresses.

Reviewer Checklist

• Code implements Specs and Designs
• Tests for Expected Behaviour
• Tests for Errors

Follow Up Work

[teor2345]

I'm marking this as "do not merge", until we work out how risky it is.
(Or until we've tagged the NU5 testnet rollback code.)

[jvff]

Looks good. I added some ideas, but they are optional.

[dconnolly]

I'm marking this as "do not merge", until we work out how risky it is. (Or until we've tagged the NU5 testnet rollback code.)

All of our shielded key code beyond what is serialized/deserialized on chain/in P2P network messages is currently not being used beyond testing and conformance, until we use it for wallet functionality or whatever. That includes Orchard IncomingViewingKey and SpendingKey derivation. I would consider this a low-risk change.

[dconnolly]

I'm marking this as "do not merge", until we work out how risky it is. (Or until we've tagged the NU5 testnet rollback code.)

Definitely willing to hold as :do-not-merge: until we tag as it is low priority

[teor2345]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[dconnolly]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[dconnolly]

@mergify rebase

[mergify]

rebase

❌ Base branch update has failed

Git reported the following error:

Rebasing (1/3)
error: could not apply 8a7c96d1... Disallow Orchard ivk = 0 on IncomingViewingKey::from and SpendingKey generation
Resolve all conflicts manually, mark them as resolved with
"git add/rm <conflicted_files>", then run "git rebase --continue".
You can instead skip this commit: run "git rebase --skip".
To abort and get back to the state before "git rebase", run "git rebase --abort".
Could not apply 8a7c96d1... Disallow Orchard ivk = 0 on IncomingViewingKey::from and SpendingKey generation
Auto-merging zebra-chain/src/orchard/keys.rs
CONFLICT (content): Merge conflict in zebra-chain/src/orchard/keys.rs
Auto-merging zebra-chain/src/orchard/arbitrary.rs

err-code: E0F31

[teor2345]

@dconnolly this PR hasn't changed in 2 months, can we consider turning it into a ticket as part of the Cryptography triage?

[conradoplg]

Looks good

[dconnolly]

https://github.com/Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[dconnolly]

Mergifyio update

[teor2345]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[teor2345]

Re-approving based on previous approvals

[daira]

Untested ACK.

[teor2345]

This PR needs clippy::unwrap-in-result fixes:
https://github.com/ZcashFoundation/zebra/runs/7086134368?check_suite_focus=true#step:7:543

[daira]

re-untested ACK

[teor2345]

Thanks for these clippy fixes, sorry no-one reviewed this PR until now!

[teor2345]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated