zcash_primitives: Introduce newtypes for ask and ak

The Sapling key components specification places more constraints on the
values of `ask` and `ak` than general RedJubjub signing and verification
keys.

zcash_primitives/CHANGELOG.md

@@ -45,6 +45,8 @@ and this library adheres to Rust's notion of
   - `circuit::{SpendVerifyingKey, PreparedSpendVerifyingKey}`
   - `circuit::{OutputVerifyingKey, PreparedOutputVerifyingKey}`
   - `constants` module.
+  - `keys::SpendAuthorizingKey`
+  - `keys::SpendValidatingKey`
   - `note_encryption::CompactOutputDescription` (moved from
     `zcash_primitives::transaction::components::sapling`).
   - `note_encryption::SaplingDomain::new`
@@ -145,6 +147,9 @@ and this library adheres to Rust's notion of
   - `circuit::ValueCommitmentOpening::value` is now represented as a `NoteValue`
     instead of as a bare `u64`.
   - `keys::DecodingError` has a new variant `UnsupportedChildIndex`.
+  - `keys::ExpandedSpendingKey.ask` now has type `SpendAuthorizingKey`.
+  - `keys::ProofGenerationKey.ak` now has type `SpendValidatingKey`.
+  - `keys::ViewingKey.ak` now has type `SpendValidatingKey`.
   - `note_encryption`:
     - `SaplingDomain` no longer has a `P: consensus::Parameters` type parameter.
     - The following methods now take a `Zip212Enforcement` argument instead of a
@@ -237,6 +242,12 @@ and this library adheres to Rust's notion of
   - `ChildIndex::NonHardened`
   - `sapling::ExtendedFullViewingKey::derive_child`
 
+### Fixed
+- `zcash_primitives::keys::ExpandedSpendingKey::from_spending_key` now panics if the
+  spending key expands to `ask = 0`. This has a negligible probability of occurring.
+- `zcash_primitives::zip32::ExtendedSpendingKey::derive_child` now panics if the
+  child key has `ask = 0`. This has a negligible probability of occurring.
+
 ## [0.13.0] - 2023-09-25
 ### Added
 - `zcash_primitives::consensus::BlockHeight::saturating_sub`

zcash_primitives/src/sapling/builder.rs

@@ -3,7 +3,7 @@
 use core::fmt;
 use std::{marker::PhantomData, sync::mpsc::Sender};
 
-use group::{ff::Field, GroupEncoding};
+use group::ff::Field;
 use rand::{seq::SliceRandom, RngCore};
 use rand_core::CryptoRng;
 use redjubjub::{Binding, SpendAuth};

zcash_primitives/src/sapling/circuit.rs

@@ -160,7 +160,7 @@ impl Circuit<bls12_381::Scalar> for Spend {
         // Prover witnesses ak (ensures that it's on the curve)
         let ak = ecc::EdwardsPoint::witness(
             cs.namespace(|| "ak"),
-            self.proof_generation_key.as_ref().map(|k| k.ak.into()),
+            self.proof_generation_key.as_ref().map(|k| (&k.ak).into()),
         )?;
 
         // There are no sensible attacks on small order points
@@ -634,9 +634,12 @@ pub struct PreparedOutputVerifyingKey(pub(crate) groth16::PreparedVerifyingKey<B
 
 #[test]
 fn test_input_circuit_with_bls12_381() {
-    use crate::sapling::{pedersen_hash, Diversifier, Note, ProofGenerationKey, Rseed};
+    use crate::sapling::{
+        keys::SpendValidatingKey, pedersen_hash, Diversifier, Note, ProofGenerationKey, Rseed,
+    };
+
     use bellman::gadgets::test::*;
-    use group::{ff::Field, Group};
+    use group::ff::Field;
     use rand_core::{RngCore, SeedableRng};
     use rand_xorshift::XorShiftRng;
 
@@ -654,7 +657,7 @@ fn test_input_circuit_with_bls12_381() {
         };
 
         let proof_generation_key = ProofGenerationKey {
-            ak: jubjub::SubgroupPoint::random(&mut rng),
+            ak: SpendValidatingKey::fake_random(&mut rng),
             nsk: jubjub::Fr::random(&mut rng),
         };
 
@@ -681,7 +684,7 @@ fn test_input_circuit_with_bls12_381() {
         let ar = jubjub::Fr::random(&mut rng);
 
         {
-            let rk = jubjub::ExtendedPoint::from(viewing_key.rk(ar)).to_affine();
+            let rk = jubjub::AffinePoint::from_bytes(viewing_key.rk(ar).into()).unwrap();
             let expected_value_commitment = value_commitment.commitment().to_affine();
             let note = Note::from_parts(
                 payment_address,
@@ -780,9 +783,12 @@ fn test_input_circuit_with_bls12_381() {
 
 #[test]
 fn test_input_circuit_with_bls12_381_external_test_vectors() {
-    use crate::sapling::{pedersen_hash, Diversifier, Note, ProofGenerationKey, Rseed};
+    use crate::sapling::{
+        keys::SpendValidatingKey, pedersen_hash, Diversifier, Note, ProofGenerationKey, Rseed,
+    };
+
     use bellman::gadgets::test::*;
-    use group::{ff::Field, Group};
+    use group::ff::Field;
     use rand_core::{RngCore, SeedableRng};
     use rand_xorshift::XorShiftRng;
 
@@ -826,7 +832,7 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() {
         };
 
         let proof_generation_key = ProofGenerationKey {
-            ak: jubjub::SubgroupPoint::random(&mut rng),
+            ak: SpendValidatingKey::fake_random(&mut rng),
             nsk: jubjub::Fr::random(&mut rng),
         };
 
@@ -853,7 +859,7 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() {
         let ar = jubjub::Fr::random(&mut rng);
 
         {
-            let rk = jubjub::ExtendedPoint::from(viewing_key.rk(ar)).to_affine();
+            let rk = jubjub::AffinePoint::from_bytes(viewing_key.rk(ar).into()).unwrap();
             let expected_value_commitment = value_commitment.commitment().to_affine();
             assert_eq!(
                 expected_value_commitment.get_u(),
@@ -960,9 +966,10 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() {
 
 #[test]
 fn test_output_circuit_with_bls12_381() {
-    use crate::sapling::{Diversifier, ProofGenerationKey, Rseed};
+    use crate::sapling::{keys::SpendValidatingKey, Diversifier, ProofGenerationKey, Rseed};
+
     use bellman::gadgets::test::*;
-    use group::{ff::Field, Group};
+    use group::ff::Field;
     use rand_core::{RngCore, SeedableRng};
     use rand_xorshift::XorShiftRng;
 
@@ -978,7 +985,7 @@ fn test_output_circuit_with_bls12_381() {
         };
 
         let nsk = jubjub::Fr::random(&mut rng);
-        let ak = jubjub::SubgroupPoint::random(&mut rng);
+        let ak = SpendValidatingKey::fake_random(&mut rng);
 
         let proof_generation_key = ProofGenerationKey { ak, nsk };