zebra_chain/sapling/
tree.rs

1//! Note Commitment Trees.
2//!
3//! A note commitment tree is an incremental Merkle tree of fixed depth
4//! used to store note commitments that JoinSplit transfers or Spend
5//! transfers produce. Just as the unspent transaction output set (UTXO
6//! set) used in Bitcoin, it is used to express the existence of value and
7//! the capability to spend it. However, unlike the UTXO set, it is not
8//! the job of this tree to protect against double-spending, as it is
9//! append-only.
10//!
11//! A root of a note commitment tree is associated with each treestate.
12
13use std::{
14    default::Default,
15    fmt,
16    hash::{Hash, Hasher},
17    io,
18};
19
20use hex::ToHex;
21use incrementalmerkletree::frontier::{Frontier, NonEmptyFrontier};
22
23use thiserror::Error;
24
25use crate::{
26    serialization::{
27        serde_helpers, ReadZcashExt, SerializationError, ZcashDeserialize, ZcashSerialize,
28    },
29    subtree::{NoteCommitmentSubtreeIndex, TRACKED_SUBTREE_HEIGHT},
30};
31
32pub mod legacy;
33use legacy::LegacyNoteCommitmentTree;
34
35/// The type that is used to update the note commitment tree.
36///
37/// Unfortunately, this is not the same as `sapling::NoteCommitment`.
38pub type NoteCommitmentUpdate = sapling_crypto::note::ExtractedNoteCommitment;
39
40pub(super) const MERKLE_DEPTH: u8 = 32;
41
42/// Sapling note commitment tree root node hash.
43///
44/// The root hash in LEBS2OSP256(rt) encoding of the Sapling note
45/// commitment tree corresponding to the final Sapling treestate of
46/// this block. A root of a note commitment tree is associated with
47/// each treestate.
48#[derive(Clone, Copy, Default, Eq, Serialize, Deserialize)]
49pub struct Root(#[serde(with = "serde_helpers::Fq")] pub(crate) jubjub::Base);
50
51impl Root {
52    /// Return the node bytes in little-endian byte order as required
53    /// by RPCs such as `z_gettreestate`.
54    pub fn bytes_in_display_order(&self) -> [u8; 32] {
55        let mut root: [u8; 32] = self.into();
56        root.reverse();
57        root
58    }
59}
60
61impl fmt::Debug for Root {
62    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
63        f.debug_tuple("Root")
64            .field(&hex::encode(self.0.to_bytes()))
65            .finish()
66    }
67}
68
69impl From<Root> for [u8; 32] {
70    fn from(root: Root) -> Self {
71        root.0.to_bytes()
72    }
73}
74
75impl From<&Root> for [u8; 32] {
76    fn from(root: &Root) -> Self {
77        (*root).into()
78    }
79}
80
81impl PartialEq for Root {
82    fn eq(&self, other: &Self) -> bool {
83        self.0 == other.0
84    }
85}
86
87impl Hash for Root {
88    fn hash<H: Hasher>(&self, state: &mut H) {
89        self.0.to_bytes().hash(state)
90    }
91}
92
93impl TryFrom<[u8; 32]> for Root {
94    type Error = SerializationError;
95
96    fn try_from(bytes: [u8; 32]) -> Result<Self, Self::Error> {
97        let possible_point = jubjub::Base::from_bytes(&bytes);
98
99        if possible_point.is_some().into() {
100            Ok(Self(possible_point.unwrap()))
101        } else {
102            Err(SerializationError::Parse(
103                "Invalid jubjub::Base value for Sapling note commitment tree root",
104            ))
105        }
106    }
107}
108
109impl ToHex for &Root {
110    fn encode_hex<T: FromIterator<char>>(&self) -> T {
111        <[u8; 32]>::from(*self).encode_hex()
112    }
113
114    fn encode_hex_upper<T: FromIterator<char>>(&self) -> T {
115        <[u8; 32]>::from(*self).encode_hex_upper()
116    }
117}
118
119impl ToHex for Root {
120    fn encode_hex<T: FromIterator<char>>(&self) -> T {
121        (&self).encode_hex()
122    }
123
124    fn encode_hex_upper<T: FromIterator<char>>(&self) -> T {
125        (&self).encode_hex_upper()
126    }
127}
128
129impl ZcashSerialize for Root {
130    fn zcash_serialize<W: io::Write>(&self, mut writer: W) -> Result<(), io::Error> {
131        writer.write_all(&<[u8; 32]>::from(*self)[..])?;
132
133        Ok(())
134    }
135}
136
137impl ZcashDeserialize for Root {
138    fn zcash_deserialize<R: io::Read>(mut reader: R) -> Result<Self, SerializationError> {
139        Self::try_from(reader.read_32_bytes()?)
140    }
141}
142
143#[derive(Error, Copy, Clone, Debug, Eq, PartialEq, Hash)]
144#[allow(missing_docs)]
145pub enum NoteCommitmentTreeError {
146    #[error("The note commitment tree is full")]
147    FullTree,
148}
149
150/// Sapling Incremental Note Commitment Tree.
151///
152/// Note that the default value of the [`Root`] type is `[0, 0, 0, 0]`. However, this value differs
153/// from the default value of the root of the default tree which is the hash of the root's child
154/// nodes. The default tree is the empty tree which has all leaves empty.
155#[derive(Debug, Serialize, Deserialize)]
156#[serde(into = "LegacyNoteCommitmentTree")]
157#[serde(from = "LegacyNoteCommitmentTree")]
158pub struct NoteCommitmentTree {
159    /// The tree represented as a [`Frontier`].
160    ///
161    /// A Frontier is a subset of the tree that allows to fully specify it.
162    /// It consists of nodes along the rightmost (newer) branch of the tree that
163    /// has non-empty nodes. Upper (near root) empty nodes of the branch are not
164    /// stored.
165    ///
166    /// # Consensus
167    ///
168    /// > [Sapling onward] A block MUST NOT add Sapling note commitments that
169    /// > would result in the Sapling note commitment tree exceeding its capacity
170    /// > of 2^(MerkleDepth^Sapling) leaf nodes.
171    ///
172    /// <https://zips.z.cash/protocol/protocol.pdf#merkletree>
173    ///
174    /// Note: MerkleDepth^Sapling = MERKLE_DEPTH = 32.
175    inner: Frontier<sapling_crypto::Node, MERKLE_DEPTH>,
176
177    /// A cached root of the tree.
178    ///
179    /// Every time the root is computed by [`Self::root`] it is cached here, and
180    /// the cached value will be returned by [`Self::root`] until the tree is
181    /// changed by [`Self::append`]. This greatly increases performance because
182    /// it avoids recomputing the root when the tree does not change between
183    /// blocks. In the finalized state, the tree is read from disk for every
184    /// block processed, which would also require recomputing the root even if
185    /// it has not changed (note that the cached root is serialized with the
186    /// tree). This is particularly important since we decided to instantiate
187    /// the trees from the genesis block, for simplicity.
188    ///
189    /// We use a [`RwLock`](std::sync::RwLock) for this cache, because it is only written once per
190    /// tree update. Each tree has its own cached root, a new lock is created
191    /// for each clone.
192    cached_root: std::sync::RwLock<Option<Root>>,
193}
194
195impl NoteCommitmentTree {
196    /// Adds a note commitment u-coordinate to the tree.
197    ///
198    /// The leaves of the tree are actually a base field element, the
199    /// u-coordinate of the commitment, the data that is actually stored on the
200    /// chain and input into the proof.
201    ///
202    /// Returns an error if the tree is full.
203    #[allow(clippy::unwrap_in_result)]
204    pub fn append(&mut self, cm_u: NoteCommitmentUpdate) -> Result<(), NoteCommitmentTreeError> {
205        if self.inner.append(sapling_crypto::Node::from_cmu(&cm_u)) {
206            // Invalidate cached root
207            let cached_root = self
208                .cached_root
209                .get_mut()
210                .expect("a thread that previously held exclusive lock access panicked");
211
212            *cached_root = None;
213
214            Ok(())
215        } else {
216            Err(NoteCommitmentTreeError::FullTree)
217        }
218    }
219
220    /// Returns frontier of non-empty tree, or None.
221    fn frontier(&self) -> Option<&NonEmptyFrontier<sapling_crypto::Node>> {
222        self.inner.value()
223    }
224
225    /// Returns the position of the most recently appended leaf in the tree.
226    ///
227    /// This method is used for debugging, use `incrementalmerkletree::Address` for tree operations.
228    pub fn position(&self) -> Option<u64> {
229        let Some(tree) = self.frontier() else {
230            // An empty tree doesn't have a previous leaf.
231            return None;
232        };
233
234        Some(tree.position().into())
235    }
236
237    /// Returns true if this tree has at least one new subtree, when compared with `prev_tree`.
238    pub fn contains_new_subtree(&self, prev_tree: &Self) -> bool {
239        // Use -1 for the index of the subtree with no notes, so the comparisons are valid.
240        let index = self.subtree_index().map_or(-1, |index| i32::from(index.0));
241        let prev_index = prev_tree
242            .subtree_index()
243            .map_or(-1, |index| i32::from(index.0));
244
245        // This calculation can't overflow, because we're using i32 for u16 values.
246        let index_difference = index - prev_index;
247
248        // There are 4 cases we need to handle:
249        // - lower index: never a new subtree
250        // - equal index: sometimes a new subtree
251        // - next index: sometimes a new subtree
252        // - greater than the next index: always a new subtree
253        //
254        // To simplify the function, we deal with the simple cases first.
255
256        // There can't be any new subtrees if the current index is strictly lower.
257        if index < prev_index {
258            return false;
259        }
260
261        // There is at least one new subtree, even if there is a spurious index difference.
262        if index_difference > 1 {
263            return true;
264        }
265
266        // If the indexes are equal, there can only be a new subtree if `self` just completed it.
267        if index == prev_index {
268            return self.is_complete_subtree();
269        }
270
271        // If `self` is the next index, check if the last note completed a subtree.
272        if self.is_complete_subtree() {
273            return true;
274        }
275
276        // Then check for spurious index differences.
277        //
278        // There is one new subtree somewhere in the trees. It is either:
279        // - a new subtree at the end of the previous tree, or
280        // - a new subtree in this tree (but not at the end).
281        //
282        // Spurious index differences happen because the subtree index only increases when the
283        // first note is added to the new subtree. So we need to exclude subtrees completed by the
284        // last note commitment in the previous tree.
285        //
286        // We also need to exclude empty previous subtrees, because the index changes to zero when
287        // the first note is added, but a subtree wasn't completed.
288        if prev_tree.is_complete_subtree() || prev_index == -1 {
289            return false;
290        }
291
292        // A new subtree was completed by a note commitment that isn't in the previous tree.
293        true
294    }
295
296    /// Returns true if the most recently appended leaf completes the subtree
297    pub fn is_complete_subtree(&self) -> bool {
298        let Some(tree) = self.frontier() else {
299            // An empty tree can't be a complete subtree.
300            return false;
301        };
302
303        tree.position()
304            .is_complete_subtree(TRACKED_SUBTREE_HEIGHT.into())
305    }
306
307    /// Returns the subtree index at [`TRACKED_SUBTREE_HEIGHT`].
308    /// This is the number of complete or incomplete subtrees that are currently in the tree.
309    /// Returns `None` if the tree is empty.
310    #[allow(clippy::unwrap_in_result)]
311    pub fn subtree_index(&self) -> Option<NoteCommitmentSubtreeIndex> {
312        let tree = self.frontier()?;
313
314        let index = incrementalmerkletree::Address::above_position(
315            TRACKED_SUBTREE_HEIGHT.into(),
316            tree.position(),
317        )
318        .index()
319        .try_into()
320        .expect("fits in u16");
321
322        Some(index)
323    }
324
325    /// Returns the number of leaf nodes required to complete the subtree at
326    /// [`TRACKED_SUBTREE_HEIGHT`].
327    ///
328    /// Returns `2^TRACKED_SUBTREE_HEIGHT` if the tree is empty.
329    #[allow(clippy::unwrap_in_result)]
330    pub fn remaining_subtree_leaf_nodes(&self) -> usize {
331        let remaining = match self.frontier() {
332            // If the subtree has at least one leaf node, the remaining number of nodes can be
333            // calculated using the maximum subtree position and the current position.
334            Some(tree) => {
335                let max_position = incrementalmerkletree::Address::above_position(
336                    TRACKED_SUBTREE_HEIGHT.into(),
337                    tree.position(),
338                )
339                .max_position();
340
341                max_position - tree.position().into()
342            }
343            // If the subtree has no nodes, the remaining number of nodes is the number of nodes in
344            // a subtree.
345            None => {
346                let subtree_address = incrementalmerkletree::Address::above_position(
347                    TRACKED_SUBTREE_HEIGHT.into(),
348                    // This position is guaranteed to be in the first subtree.
349                    0.into(),
350                );
351
352                assert_eq!(
353                    subtree_address.position_range_start(),
354                    0.into(),
355                    "address is not in the first subtree"
356                );
357
358                subtree_address.position_range_end()
359            }
360        };
361
362        u64::from(remaining).try_into().expect("fits in usize")
363    }
364
365    /// Returns subtree index and root if the most recently appended leaf completes the subtree
366    pub fn completed_subtree_index_and_root(
367        &self,
368    ) -> Option<(NoteCommitmentSubtreeIndex, sapling_crypto::Node)> {
369        if !self.is_complete_subtree() {
370            return None;
371        }
372
373        let index = self.subtree_index()?;
374        let root = self.frontier()?.root(Some(TRACKED_SUBTREE_HEIGHT.into()));
375
376        Some((index, root))
377    }
378
379    /// Returns the current root of the tree, used as an anchor in Sapling
380    /// shielded transactions.
381    pub fn root(&self) -> Root {
382        if let Some(root) = self.cached_root() {
383            // Return cached root.
384            return root;
385        }
386
387        // Get exclusive access, compute the root, and cache it.
388        let mut write_root = self
389            .cached_root
390            .write()
391            .expect("a thread that previously held exclusive lock access panicked");
392        let read_root = write_root.as_ref().cloned();
393        match read_root {
394            // Another thread got write access first, return cached root.
395            Some(root) => root,
396            None => {
397                // Compute root and cache it.
398                let root = self.recalculate_root();
399                *write_root = Some(root);
400                root
401            }
402        }
403    }
404
405    /// Returns the current root of the tree, if it has already been cached.
406    #[allow(clippy::unwrap_in_result)]
407    pub fn cached_root(&self) -> Option<Root> {
408        *self
409            .cached_root
410            .read()
411            .expect("a thread that previously held exclusive lock access panicked")
412    }
413
414    /// Calculates and returns the current root of the tree, ignoring any caching.
415    pub fn recalculate_root(&self) -> Root {
416        Root::try_from(self.inner.root().to_bytes()).unwrap()
417    }
418
419    /// Gets the Jubjub-based Pedersen hash of root node of this merkle tree of
420    /// note commitments.
421    pub fn hash(&self) -> [u8; 32] {
422        self.root().into()
423    }
424
425    /// An as-yet unused Sapling note commitment tree leaf node.
426    ///
427    /// Distinct for Sapling, a distinguished hash value of:
428    ///
429    /// Uncommitted^Sapling = I2LEBSP_l_MerkleSapling(1)
430    pub fn uncommitted() -> [u8; 32] {
431        jubjub::Fq::one().to_bytes()
432    }
433
434    /// Counts of note commitments added to the tree.
435    ///
436    /// For Sapling, the tree is capped at 2^32.
437    pub fn count(&self) -> u64 {
438        self.inner
439            .value()
440            .map_or(0, |x| u64::from(x.position()) + 1)
441    }
442
443    /// Checks if the tree roots and inner data structures of `self` and `other` are equal.
444    ///
445    /// # Panics
446    ///
447    /// If they aren't equal, with a message explaining the differences.
448    ///
449    /// Only for use in tests.
450    #[cfg(any(test, feature = "proptest-impl"))]
451    pub fn assert_frontier_eq(&self, other: &Self) {
452        // It's technically ok for the cached root not to be preserved,
453        // but it can result in expensive cryptographic operations,
454        // so we fail the tests if it happens.
455        assert_eq!(self.cached_root(), other.cached_root());
456
457        // Check the data in the internal data structure
458        assert_eq!(self.inner, other.inner);
459
460        // Check the RPC serialization format (not the same as the Zebra database format)
461        assert_eq!(self.to_rpc_bytes(), other.to_rpc_bytes());
462    }
463
464    /// Serializes [`Self`] to a format matching `zcashd`'s RPCs.
465    pub fn to_rpc_bytes(&self) -> Vec<u8> {
466        // Convert the tree from [`Frontier`](incrementalmerkletree::frontier::Frontier) to
467        // [`CommitmentTree`](merkle_tree::CommitmentTree).
468        let tree = incrementalmerkletree::frontier::CommitmentTree::from_frontier(&self.inner);
469
470        let mut rpc_bytes = vec![];
471
472        zcash_primitives::merkle_tree::write_commitment_tree(&tree, &mut rpc_bytes)
473            .expect("serializable tree");
474
475        rpc_bytes
476    }
477}
478
479impl Clone for NoteCommitmentTree {
480    /// Clones the inner tree, and creates a new [`RwLock`](std::sync::RwLock)
481    /// with the cloned root data.
482    fn clone(&self) -> Self {
483        let cached_root = self.cached_root();
484
485        Self {
486            inner: self.inner.clone(),
487            cached_root: std::sync::RwLock::new(cached_root),
488        }
489    }
490}
491
492impl Default for NoteCommitmentTree {
493    fn default() -> Self {
494        Self {
495            inner: incrementalmerkletree::frontier::Frontier::empty(),
496            cached_root: Default::default(),
497        }
498    }
499}
500
501impl Eq for NoteCommitmentTree {}
502
503impl PartialEq for NoteCommitmentTree {
504    fn eq(&self, other: &Self) -> bool {
505        if let (Some(root), Some(other_root)) = (self.cached_root(), other.cached_root()) {
506            // Use cached roots if available
507            root == other_root
508        } else {
509            // Avoid expensive root recalculations which use multiple cryptographic hashes
510            self.inner == other.inner
511        }
512    }
513}
514
515impl From<Vec<sapling_crypto::note::ExtractedNoteCommitment>> for NoteCommitmentTree {
516    /// Computes the tree from a whole bunch of note commitments at once.
517    fn from(values: Vec<sapling_crypto::note::ExtractedNoteCommitment>) -> Self {
518        let mut tree = Self::default();
519
520        if values.is_empty() {
521            return tree;
522        }
523
524        for cm_u in values {
525            let _ = tree.append(cm_u);
526        }
527
528        tree
529    }
530}