Transaction builder

[str4d]

Supports Sapling spends, Sapling outputs, and transparent (P2PKH and P2SH) outputs.

[Eirik0]

When building I get a few warnings:

warning: variable does not need to be mutable
   --> sapling-crypto/src/jubjub/mod.rs:352:17
    |
352 |             for mut gen in tmp_params.pedersen_hash_generators.iter().cloned() {
    |                 ----^^^
    |                 |
    |                 help: remove this `mut`
    |
    = note: #[warn(unused_mut)] on by default

warning: variable does not need to be mutable
   --> sapling-crypto/src/jubjub/mod.rs:352:17
    |
352 |             for mut gen in tmp_params.pedersen_hash_generators.iter().cloned() {
    |                 ----^^^
    |                 |
    |                 help: remove this `mut`
    |
    = note: #[warn(unused_mut)] on by default

warning: variable does not need to be mutable
   --> sapling-crypto/src/circuit/uint32.rs:426:17
    |
426 |             let mut v = (0..32).map(|_| Boolean::constant(rng.gen())).collect::<Vec<_>>();
    |                 ----^
    |                 |
    |                 help: remove this `mut`

warning: variable does not need to be mutable
   --> sapling-crypto/src/circuit/uint32.rs:457:17
    |
457 |             let mut v = (0..32).map(|_| Boolean::constant(rng.gen())).collect::<Vec<_>>();
    |                 ----^
    |                 |
    |                 help: remove this `mut`

warning: variable does not need to be mutable
   --> sapling-crypto/src/circuit/pedersen_hash.rs:154:21
    |
154 |                 let mut input: Vec<bool> = (0..length).map(|_| rng.gen()).collect();
    |                     ----^^^^^
    |                     |
    |                     help: remove this `mut`

These may not be related to this PR, but are worth noting.

[str4d]

I think those warnings are due to NLL being activated on Rust 2015 edition in Rust 1.36.

[Eirik0]

At least one of them shows up when building from master. I didn't spend too much time digging, but the NLL update makes sense. I don't mind if these are addressed as a separate issue.

[str4d]

I addressed @ebfull's comments by overhauling and extending the Amount struct. It is now used basically everywhere except inside Note, and enforces zatoshi range checks on instantiation.

[ebfull]

This looks great!

[str4d]

Rebased on master to fix merge conflicts caused by #91. I additionally had to modify various parts of this PR to account for the rand upgrade.

[str4d]

I added version 1 as a dependency instead of version 2, because version 1 has fewer transitive dependencies.

[hdevalence]

Is it still maintained?

[str4d]

Version 2 is actively maintained, but has a dependency on redox_users, which pulls in a bunch of extraneous crates we don't actually need. It's unclear to me whether version 1 is maintained.

[str4d]

I added a dependency on rand separately from rand_core and rand_os because I wanted to access rand::seq::SliceRandom for shuffling the order of spends and outputs. I didn't bother replacing all the usages of rand_core and rand_os because it is unnecessary noise.

[hdevalence]

It would be nice if this had a doc-comment explaining the purpose of the newtype and explicitly declaring any invariants it maintains. For instance in from_i64 below, the constructor enforces some requirements on the input -- are those invariants that the type maintains, or just a requirement for that constructor?

[str4d]

The main reason for the newtype is type safety. The requirements in the constructor are somewhat tricky however. MAX_MONEY is not actually the maximum amount of money in the consensus rules due to rounding errors (and in fact that will decrease slightly with the Blossom NU). It is a consensus-critical validity check on visible values (transparent outputs, vpub_old, vpub_new, and valueBalance).

Now, we could have Amount maintain {-MAX_MONEY..MAX_MONEY} as an invariant, but what would this imply for the API? I'm not keen on burdening the API with error checks for every addition, given that the network consensus rules mean that any transaction created leveraging out-of-range values will be unmineable. But is a panic!() a reasonable way to handle this case? Wrapping definitely isn't (and is partly the motivation for checking MAX_MONEY in the constructor, so we know that any values instantiated are far below the u64 upper end, and thus can assume there will be no overflow during transaction building).

I'll add a doc-comment in any case.

[daira]

I think we should panic if addition or subtraction overflows the range -MAX_MONEY..MAX_MONEY.

[hdevalence]

This is a minor nit, but I think that having an allow_negative: bool parameter isn't the best API design. The reason is that when reading caller code, all that appears is

let amt = Amount::from_i64(val, true)?;

or similar, and the reader has to remember that the true means that negative values are allowed, rather than true meaning that the value is required to be positive (and therefore negative values are disallowed), which would be an alternate way to construct the API.

There are two alternatives that I think would improve readability in the long run:

1. (my preference) Split this code into two constructors whose names (strawman proposal) indicate their behaviour:

pub fn from_i64_nonnegative(amount: i64) -> Result<Self, ()>;
pub fn from_i64_allow_negative(amount: i64) -> Result<Self, ()>;

2. Add an enum AmountValidation { NonNegative, NegativeAllowed } and replace the bool with an AmountValidation, so that caller code displays the validation criteria at the callsite:

let amt = Amount::from_i64(val, AmountValidation::NegativeAllowed)?;

[str4d]

This is an excellent point. I also prefer the explicit constructors.

[hdevalence]

Related to the invariant comment, what happens if I create two Amounts with MAX_MONEY - 1 and then add them? Is that a concern for this struct or is that the user's responsibility?

[str4d]

IMHO that's the user's responsibility, from the perspective of this struct. The Amounts are either being constructed from visible fields in a transaction (in which case the consensus rules will reject the result, because at least one field contain the sum that is above MAX_MONEY, or they are being constructed from/for Notes (in which case we are relying on the shielded value balance enforced by the Pedersen commitments, and the commitments themselves being enforced by the circuits). Per my reply to the invariant comment, we could panic!() here.

[str4d]

Pushed commits to address most of @hdevalence's comments. I'm still undecided on whether to enforce MAX_MONEY inside addition etc. with panic!().

[Eirik0]

I haven't finished going through this, but I had some suggestions regarding Error in builder.rs and wanted to get those posted.

[Eirik0]

Some of these errors could include additional information, for example InvalidAmount could include the amount. This can be added later.

[Eirik0]

Note: This will need to be updated to account for Blossom.

[Eirik0]

Would it make sense to change the return type here and for similar functions from Result<Self, ()> to Option<Self>?

[str4d]

I think I prefer this being an explicit (if unit) error. I know we are inconsistent about this in our API; we should open an issue for going through and refactoring everything to be internally consistent in how we decided to return errors vs None.

[Eirik0]

It would be great to go through and make these consistent, but I am happy leaving this for now.

[Eirik0]

utACK. In addition to reviewing this, I went through the cpp code and compared what I could. Everything looks great!

[daira]

ut(ACK+cov) modulo minor comments.

[daira]

Please file a ticket about better error reporting.

[str4d]

Opened #101.

[daira]

sucks air through teeth at repeating this C++ antipattern

[daira]

Why not just use a method?

[str4d]

In order to support concatenating different types with the same builder method (instead of a custom method per type), I would need to implement my own trait, which would result in more code than this. I also felt there was a benefit in having this legacy part be as close to the C++ code as possible for reviewability.

[daira]

This does not seem to enforce (neither does PaymentAddress) that pk_d is not the zero point. zcash/zcash#3827

[str4d]

Opened #102.

[daira]

The protocol spec says: "As in Sprout, a dummy Sapling output note is constructed as normal but with zero value, and sent to a random shielded payment address." This looks correct.

[daira]

This error condition is not tested.

[daira]

This error condition is not tested.

[daira]

This error condition is not tested.

[daira]

I am satisfied that this cannot occur for the local TxProver. We do effectively test it for the mock TxProver (which does not generate a valid binding signature).

[daira]

I think we should panic if addition or subtraction overflows the range -MAX_MONEY..MAX_MONEY.