Merge pull request #133 from Zondax/dev

New Release
Zondax · Dec 9, 2024 · c3951ed · c3951ed
2 parents c2a9c9f + 1a200aa
commit c3951ed
Show file tree

Hide file tree

Showing 23 changed files with 381 additions and 374 deletions.
diff --git a/app/Makefile.version b/app/Makefile.version
@@ -3,4 +3,4 @@ APPVERSION_M=4
 # This is the minor version
 APPVERSION_N=2
 # This is the patch version
-APPVERSION_P=3
+APPVERSION_P=4
diff --git a/app/src/apdu_handler.c b/app/src/apdu_handler.c
@@ -145,12 +145,6 @@ void handleApdu(volatile uint32_t *flags, volatile uint32_t *tx, uint32_t rx) {
                     break;
                 }
 
-                case INS_SIGN_SAPLING: {
-                    CHECK_PIN_VALIDATED()
-                    handleSignSapling();
-                    break;
-                }
-
                 default:
                     THROW(APDU_CODE_INS_NOT_SUPPORTED);
             }

diff --git a/app/src/coin.h b/app/src/coin.h
@@ -66,15 +66,12 @@ extern "C" {
 
 #define INS_GET_VERSION                   0x00
 #define INS_GET_ADDR_SECP256K1            0x01
-#define INS_SIGN_SECP256K1                0x02
 #define INS_GET_ADDR_SAPLING_DIV          0x10
 #define INS_GET_ADDR_SAPLING              0x11
-#define INS_SIGN_SAPLING                  0x12
 
 #define INS_GET_DIV_LIST                  0x09
 
 #define INS_INIT_TX                       0xa0
-#define INS_KEY_EXCHANGE                  0xaa
 #define INS_EXTRACT_SPEND                 0xa1
 #define INS_EXTRACT_OUTPUT                0xa2
 #define INS_CHECKANDSIGN                  0xa3
@@ -85,7 +82,6 @@ extern "C" {
 #define INS_GET_OVK                       0xf1
 #define INS_GET_NF                        0xf2
 #define INS_GET_FVK                       0xf3
-#define INS_CRASH_TEST                    0xff
 
 typedef enum { key_ivk = 0, key_ovk = 1, key_fvk = 2, nf = 3 } key_type_e;
 

diff --git a/app/src/handlers/handler_signing.h b/app/src/handlers/handler_signing.h
@@ -333,7 +333,3 @@ __Z_INLINE void handleCheckandSign(volatile uint32_t *tx, uint32_t rx) {
     *tx = 32;
     THROW(APDU_CODE_OK);
 }
-
-__Z_INLINE void handleSignSapling() {
-    THROW(APDU_CODE_COMMAND_NOT_ALLOWED);
-}
diff --git a/docs/APDUSPEC.md b/docs/APDUSPEC.md
@@ -68,7 +68,7 @@ The general structure of commands and responses is as follows:
 
 ---
 
-### GET_VERSION
+### INS_GET_VERSION
 
 #### Command
 
@@ -198,7 +198,7 @@ If a diversifier was not valid, zero-bytes are returned (so always 220 bytes are
 
 ---
 
-### INS_GET_IVK_SAPLING
+### INS_GET_IVK
 
 Returns a sapling incoming viewing key.
 Forced user confirmation (So P1 needs to be 0x01).
@@ -225,7 +225,7 @@ Also returns the default diversifier (starting from index 0).
 
 ---
 
-### INS_GET_OVK_SAPLING
+### INS_GET_OVK
 
 Returns a sapling outgoing viewing key. Forced user confirmation (So P1 needs to be 0x01).
 
@@ -249,7 +249,7 @@ Returns a sapling outgoing viewing key. Forced user confirmation (So P1 needs to
 
 ---
 
-### INS_GET_FVK_SAPLING
+### INS_GET_FVK
 
 Returns a sapling full viewing key fvk = (ak, nk, ovk). Forced user confirmation (So P1 needs to be 0x01).
 
@@ -275,7 +275,7 @@ Returns a sapling full viewing key fvk = (ak, nk, ovk). Forced user confirmation
 
 ---
 
-### INS_GET_NF_SAPLING
+### INS_GET_NF
 
 Returns a sapling nullifier. TODO: Forced user confirmation (So P1 needs to be 0x01).
 
@@ -397,7 +397,7 @@ Data is defined as:
 
 Returns a proof generating key (PGK) and randomness (rcv and alpha) for a sapling spend.
 
-- This command requires you already called the INS_INIT_TX_SAPLING.
+- This command requires you already called the INS_INIT_TX.
 - This command requires that it is needed to extract spendinfo.
 
 #### Command
@@ -425,7 +425,7 @@ Returns a proof generating key (PGK) and randomness (rcv and alpha) for a saplin
 
 Returns randomness (rcv and rseed (after ZIP202) and optional Hash_Seed) for a sapling output.
 
-- This command requires you already called the INS_INIT_TX_SAPLING.
+- This command requires you already called the INS_INIT_TX.
 - This command requires you already called the correct number of INS_GET_SPENDINFO.
 - This command requires that it is needed to extract outputinfo.
 
@@ -560,7 +560,7 @@ Data is defined as:
 
 ---
 
-### INS_GET_EXTRACT_TRANSSSIG
+### INS_EXTRACT_TRANSSIG
 
 Returns a SECP256K1 signature for a sapling transparent input if available. Othrewise, it returns only an error code.
 

diff --git a/docs/previuos/zcash_workflow_v1.md b/docs/previuos/zcash_workflow_v1.md
@@ -0,0 +1,199 @@
+Zcash ledger, first connect:
+- Address generation
+- Sharing address with host
+- Sharing IVK with host
+//TODO: change to APDU API
+```mermaid
+  sequenceDiagram
+  participant LF as Ledger flash storage
+  participant LC as Ledger computation 
+  participant H as Host
+  participant N as Network
+  H ->> LC: compute_address(path: u32)
+  activate LC
+  LC -->> LF: store_ivk(ivk) ?
+  Note over LF: potentially store (path, IVK)
+  LC ->> H: address: (diversifier, pk_d)
+  LC ->> H: incoming viewing key: ivk
+  deactivate LC
+  Note over H,LC: show address on both screens?
+```
+
+Zcash ledger, syncing
+- Sharing IVK with host
+- Decrypt incoming notes and verification note commitments
+- TODO: what to do with matching notes?
+```mermaid
+  sequenceDiagram
+  participant LF as Ledger flash storage
+  participant LC as Ledger computation 
+  participant H as Host
+  participant N as Network
+  H ->> LC: get_ivk(path: u32)
+  #add minor confirmation
+  activate LC
+  LC -->> LF: retrieve_ivk(path) ?
+  LF -->> LC: ivk ?
+  Note over LC: compute_ivk(path)
+  LC ->> H: ivk
+  deactivate LC
+  activate H
+  H ->> N: get_unspend_notes()
+  N ->> H: [unspend_notes]
+  Note over H: [matching_notes] = decrypt_all_unspend_notes(ivk, [unspend_notes])
+  Note over H: store [matching_notes] (d, pk_d, v, rcm)
+  deactivate H
+```
+
+Zcash ledger, make shielded transaction phase 1
+- Verify outputs on screen
+
+```mermaid
+  sequenceDiagram
+  participant LF as Ledger flash storage
+  participant LC as Ledger computation 
+  participant H as Host
+  participant N as Network
+
+  Note over H: show amount, address, memo-fields per output
+  Note over H: validate amount <= total_amount
+  H ->> LC: initiate_transaction()
+N ->> H: anchor of note?
+N ->> H: metadata
+Note over H: input note selection (path, note)
+
+  activate LC
+  loop Every output note
+  H ->> LC: verify_output(d, pk_d, value, memo)
+  Note over H,LC: approve amount and address and verify on screens
+  Note over H,LC: approve hash of memo and verify on screens
+  LC ->> H: approval of output
+  LC ->> LF: store_output_data(d,pk_d,value,memo)
+  end
+  deactivate LC
+  #compute value balance and approve
+  Note over LC,H: continue if all approved
+  ```
+
+  Zcash ledger, make shielded transaction phase 2
+- Process outputs and store in flash
+- Compute hash of all outputs
+
+```mermaid
+  sequenceDiagram
+  participant LF as Ledger flash storage
+  participant LC as Ledger computation 
+  participant H as Host
+  participant N as Network
+  activate LC
+  loop Every output note
+  H ->> LC: make_transaction(path) #TODO: which path??? fixed one makes sense??
+  Note over LC: compute random rcm
+  LC ->> LF: update_rcmnew(rcm)
+  LF ->> LC: (d,pk_d,value)
+  Note over LC: compute value/note commitments
+  LC ->> LF: update_valuecommitsum(vc)
+  LC ->> LF: value/note commitments
+  LC ->> H: value/note commitments
+  LF ->> LC: d,pk_d, value, memo
+  Note over LC: compute eph, c_out, c_enc 
+  LC ->> LF: eph, c_out, c_enc 
+  LC ->> H: eph, c_out, c_enc 
+  deactivate LC
+  activate H
+  H -->> LC: get_proof_key(path) #is this necessary?
+  LC -->> H: proof_key
+  Note over H: ZK proof of output note
+  H ->> LC: zk_proof
+  deactivate H
+  activate LC
+  LC ->> LF: zk_proof
+  end
+  Note over LC: perform shieldedoutput_hash
+  LC ->> H: shielded_output_hash
+  LC ->> LF: shielded_output_hash
+  deactivate LC
+  ```
+
+Zcash ledger, make shielded transaction phase 3
+- Process spends and store in flash
+- Store RCM values in flash
+- Compute hash of all outputs
+
+```mermaid
+  sequenceDiagram
+  participant LF as Ledger flash storage
+  participant LC as Ledger computation 
+  participant H as Host
+  participant N as Network
+  loop Every spend note
+  N ->> H: anchor of note?
+  H ->> LC: spend_this_note(path, valuecommit, rcm, anchor)  # Do we need to verify here that rcm is correct? Is the zkproof of the spend the old one in the blockchain? #what about the valuecommit?
+  LC ->> LF: (path, valuecommit, anchor)
+  LC -->> H: proof_gen_key(path) ? #is this needed
+
+  activate LC
+  LC ->> LF: update_rcmvalue(rcm)
+  LC ->> LF: update_valuecommitsum(vc) #???
+
+  note over LC: compute nullifier
+  LC ->> H: nullifier
+  LC ->> LF: nullifier
+
+  note over LC: compute randomized verification key
+  LC ->> H: randomized verification key
+  LC ->> LF: (path, randomizer value, randomized verification key)
+  deactivate LC
+
+  Note over H: ZK proof of spend note
+  H ->> LC: zk_proof
+  LC ->> LF: zk_proof
+
+  end
+  Note over LC: perform shieldedspend_hash
+  LC ->> LF: shieldedspend_hash #does the host actually need this?
+  LC ->> H: shieldedspend_hash
+```
+
+Zcash ledger, make shielded transaction phase 4
+- Host gives all remaining transaction (meta) data
+- Ledger does the complete TX_HASH_ALL
+- Final approval of transaction?
+- Ledger signs the necessary parts and shares with host
+- Host sends transaction blob to network
+
+```mermaid
+  sequenceDiagram
+  participant LF as Ledger flash storage
+  participant LC as Ledger computation 
+  participant H as Host
+  participant N as Network
+  
+  H -->> N: retrieve meta_data from network?
+  N -->> H: meta_data
+
+  H ->> LC: meta_data transaction
+  LC ->> LF: meta_data transaction
+
+  Note over LC: compute valuebalance and commitment
+  LC ->> LF: valuebalance and commitment
+  Note over LF,LC: verify rcm_secretkey/publickey
+
+  Note over LF,LC: perform_tx_hash_all over all data in flash
+
+  LC ->> H: tx_hash_all
+
+  Note over LC,H: final verification/approval of tx before signing?
+
+  LC ->> H: sign(rcm_secretkey, tx_hash_all)
+  loop Every spend note
+  LF ->> LC: randomized value
+  Note over LC: get_secret_key(path)
+  Note over LC: sign(sk, randomized value, tx_hash_all)
+  LC ->> H: spend_auth_sign
+  end
+
+  Note over H: make raw transaction blob
+  H ->> N: raw_transaction_blob
+
+```
diff --git a/docs/zcash_workflow_version2.md → docs/previuos/zcash_workflow_v2.md b/docs/zcash_workflow_version2.md → docs/previuos/zcash_workflow_v2.md
@@ -74,7 +74,7 @@ Zcash ledger, make shielded transaction phase 1
   end
   deactivate LC
   Note over LC,H: continue if all approved
-  ```
+```
 
   Zcash ledger, make shielded transaction phase 2
 - Process outputs and store in flash
@@ -114,14 +114,14 @@ Zcash ledger, make shielded transaction phase 1
   LC ->> H: shielded_output_hash
   LC ->> LF: shielded_output_hash
   deactivate LC
-  ```
+```
 
 Zcash ledger, make shielded transaction phase 3
 - Process spends and store in flash
 - Store RCM values in flash
 - Compute hash of all outputs
 
-  ```mermaid
+```mermaid
   sequenceDiagram
   participant LF as Ledger flash storage
   participant LC as Ledger computation 
@@ -162,7 +162,7 @@ Zcash ledger, make shielded transaction phase 4
 - Ledger signs the necessary parts and shares with host
 - Host sends transaction blob to network
 
-  ```mermaid
+```mermaid
   sequenceDiagram
   participant LF as Ledger flash storage
   participant LC as Ledger computation