Sapling note encryption test vectors

zcash_primitives/src/lib.rs

@@ -20,6 +20,9 @@ pub mod sapling;
 mod serialize;
 pub mod transaction;
 
+#[cfg(test)]
+mod test_vectors;
+
 lazy_static! {
     pub static ref JUBJUB: JubjubBls12 = { JubjubBls12::new() };
 }

zcash_primitives/src/note_encryption.rs

@@ -152,3 +152,91 @@ impl SaplingNoteEncryption {
         output
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use ff::{PrimeField, PrimeFieldRepr};
+    use pairing::bls12_381::{Bls12, Fr, FrRepr};
+    use sapling_crypto::{
+        jubjub::{
+            edwards,
+            fs::{Fs, FsRepr},
+        },
+        primitives::{Diversifier, PaymentAddress},
+    };
+
+    use super::{kdf_sapling, sapling_ka_agree, Memo, SaplingNoteEncryption};
+    use crate::{keys::OutgoingViewingKey, JUBJUB};
+
+    #[test]
+    fn test_vectors() {
+        let test_vectors = crate::test_vectors::note_encryption::make_test_vectors();
+
+        macro_rules! read_fr {
+            ($field:expr) => {{
+                let mut repr = FrRepr::default();
+                repr.read_le(&$field[..]).unwrap();
+                Fr::from_repr(repr).unwrap()
+            }};
+        }
+
+        macro_rules! read_fs {
+            ($field:expr) => {{
+                let mut repr = FsRepr::default();
+                repr.read_le(&$field[..]).unwrap();
+                Fs::from_repr(repr).unwrap()
+            }};
+        }
+
+        macro_rules! read_point {
+            ($field:expr) => {
+                edwards::Point::<Bls12, _>::read(&$field[..], &JUBJUB).unwrap()
+            };
+        }
+
+        for tv in test_vectors {
+            //
+            // Load the test vector components
+            //
+
+            let pk_d = read_point!(tv.default_pk_d)
+                .as_prime_order(&JUBJUB)
+                .unwrap();
+            let rcm = read_fs!(tv.rcm);
+            let cv = read_point!(tv.cv);
+            let cmu = read_fr!(tv.cmu);
+            let esk = read_fs!(tv.esk);
+            let epk = read_point!(tv.epk).as_prime_order(&JUBJUB).unwrap();
+
+            //
+            // Test the individual components
+            //
+
+            let shared_secret = sapling_ka_agree(&esk, &pk_d);
+            assert_eq!(shared_secret, tv.shared_secret);
+
+            let k_enc = kdf_sapling(&shared_secret, &epk);
+            assert_eq!(k_enc.as_bytes(), tv.k_enc);
+
+            let to = PaymentAddress {
+                pk_d,
+                diversifier: Diversifier(tv.default_d),
+            };
+            let note = to.create_note(tv.v, rcm, &JUBJUB).unwrap();
+            assert_eq!(note.cm(&JUBJUB), cmu);
+
+            //
+            // Test encryption
+            //
+
+            let mut ne =
+                SaplingNoteEncryption::new(OutgoingViewingKey(tv.ovk), note, to, Memo(tv.memo));
+            // Swap in the ephemeral keypair from the test vectors
+            ne.esk = esk;
+            ne.epk = epk;
+
+            assert_eq!(&ne.encrypt_note_plaintext()[..], &tv.c_enc[..]);
+            assert_eq!(&ne.encrypt_outgoing_plaintext(&cv, &cmu)[..], &tv.c_out[..]);
+        }
+    }
+}

zcash_primitives/src/test_vectors.rs

@@ -0,0 +1 @@
+pub(crate) mod note_encryption;