zebra_chain/sapling/tree.rs
1//! Note Commitment Trees.
2//!
3//! A note commitment tree is an incremental Merkle tree of fixed depth
4//! used to store note commitments that JoinSplit transfers or Spend
5//! transfers produce. Just as the unspent transaction output set (UTXO
6//! set) used in Bitcoin, it is used to express the existence of value and
7//! the capability to spend it. However, unlike the UTXO set, it is not
8//! the job of this tree to protect against double-spending, as it is
9//! append-only.
10//!
11//! A root of a note commitment tree is associated with each treestate.
12
13use std::{
14 default::Default,
15 fmt,
16 hash::{Hash, Hasher},
17 io,
18};
19
20use hex::ToHex;
21use incrementalmerkletree::frontier::{Frontier, NonEmptyFrontier};
22
23use thiserror::Error;
24
25use crate::{
26 serialization::{
27 serde_helpers, ReadZcashExt, SerializationError, ZcashDeserialize, ZcashSerialize,
28 },
29 subtree::{NoteCommitmentSubtreeIndex, TRACKED_SUBTREE_HEIGHT},
30};
31
32pub mod legacy;
33use legacy::LegacyNoteCommitmentTree;
34
35/// The type that is used to update the note commitment tree.
36///
37/// Unfortunately, this is not the same as `sapling::NoteCommitment`.
38pub type NoteCommitmentUpdate = sapling_crypto::note::ExtractedNoteCommitment;
39
40pub(super) const MERKLE_DEPTH: u8 = 32;
41
42/// Sapling note commitment tree root node hash.
43///
44/// The root hash in LEBS2OSP256(rt) encoding of the Sapling note
45/// commitment tree corresponding to the final Sapling treestate of
46/// this block. A root of a note commitment tree is associated with
47/// each treestate.
48#[derive(Clone, Copy, Default, Eq, Serialize, Deserialize)]
49pub struct Root(#[serde(with = "serde_helpers::Fq")] pub(crate) jubjub::Base);
50
51impl Root {
52 /// Return the node bytes in little-endian byte order as required
53 /// by RPCs such as `z_gettreestate`.
54 pub fn bytes_in_display_order(&self) -> [u8; 32] {
55 let mut root: [u8; 32] = self.into();
56 root.reverse();
57 root
58 }
59}
60
61impl fmt::Debug for Root {
62 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
63 f.debug_tuple("Root")
64 .field(&hex::encode(self.0.to_bytes()))
65 .finish()
66 }
67}
68
69impl From<Root> for [u8; 32] {
70 fn from(root: Root) -> Self {
71 root.0.to_bytes()
72 }
73}
74
75impl From<&Root> for [u8; 32] {
76 fn from(root: &Root) -> Self {
77 (*root).into()
78 }
79}
80
81impl PartialEq for Root {
82 fn eq(&self, other: &Self) -> bool {
83 self.0 == other.0
84 }
85}
86
87impl Hash for Root {
88 fn hash<H: Hasher>(&self, state: &mut H) {
89 self.0.to_bytes().hash(state)
90 }
91}
92
93impl TryFrom<[u8; 32]> for Root {
94 type Error = SerializationError;
95
96 fn try_from(bytes: [u8; 32]) -> Result<Self, Self::Error> {
97 let possible_point = jubjub::Base::from_bytes(&bytes);
98
99 if possible_point.is_some().into() {
100 Ok(Self(possible_point.unwrap()))
101 } else {
102 Err(SerializationError::Parse(
103 "Invalid jubjub::Base value for Sapling note commitment tree root",
104 ))
105 }
106 }
107}
108
109impl ToHex for &Root {
110 fn encode_hex<T: FromIterator<char>>(&self) -> T {
111 <[u8; 32]>::from(*self).encode_hex()
112 }
113
114 fn encode_hex_upper<T: FromIterator<char>>(&self) -> T {
115 <[u8; 32]>::from(*self).encode_hex_upper()
116 }
117}
118
119impl ToHex for Root {
120 fn encode_hex<T: FromIterator<char>>(&self) -> T {
121 (&self).encode_hex()
122 }
123
124 fn encode_hex_upper<T: FromIterator<char>>(&self) -> T {
125 (&self).encode_hex_upper()
126 }
127}
128
129impl ZcashSerialize for Root {
130 fn zcash_serialize<W: io::Write>(&self, mut writer: W) -> Result<(), io::Error> {
131 writer.write_all(&<[u8; 32]>::from(*self)[..])?;
132
133 Ok(())
134 }
135}
136
137impl ZcashDeserialize for Root {
138 fn zcash_deserialize<R: io::Read>(mut reader: R) -> Result<Self, SerializationError> {
139 Self::try_from(reader.read_32_bytes()?)
140 }
141}
142
143#[derive(Error, Copy, Clone, Debug, Eq, PartialEq, Hash)]
144#[allow(missing_docs)]
145pub enum NoteCommitmentTreeError {
146 #[error("The note commitment tree is full")]
147 FullTree,
148}
149
150/// Sapling Incremental Note Commitment Tree.
151///
152/// Note that the default value of the [`Root`] type is `[0, 0, 0, 0]`. However, this value differs
153/// from the default value of the root of the default tree which is the hash of the root's child
154/// nodes. The default tree is the empty tree which has all leaves empty.
155#[derive(Debug, Serialize, Deserialize)]
156#[serde(into = "LegacyNoteCommitmentTree")]
157#[serde(from = "LegacyNoteCommitmentTree")]
158pub struct NoteCommitmentTree {
159 /// The tree represented as a [`Frontier`].
160 ///
161 /// A Frontier is a subset of the tree that allows to fully specify it.
162 /// It consists of nodes along the rightmost (newer) branch of the tree that
163 /// has non-empty nodes. Upper (near root) empty nodes of the branch are not
164 /// stored.
165 ///
166 /// # Consensus
167 ///
168 /// > [Sapling onward] A block MUST NOT add Sapling note commitments that
169 /// > would result in the Sapling note commitment tree exceeding its capacity
170 /// > of 2^(MerkleDepth^Sapling) leaf nodes.
171 ///
172 /// <https://zips.z.cash/protocol/protocol.pdf#merkletree>
173 ///
174 /// Note: MerkleDepth^Sapling = MERKLE_DEPTH = 32.
175 inner: Frontier<sapling_crypto::Node, MERKLE_DEPTH>,
176
177 /// A cached root of the tree.
178 ///
179 /// Every time the root is computed by [`Self::root`] it is cached here, and
180 /// the cached value will be returned by [`Self::root`] until the tree is
181 /// changed by [`Self::append`]. This greatly increases performance because
182 /// it avoids recomputing the root when the tree does not change between
183 /// blocks. In the finalized state, the tree is read from disk for every
184 /// block processed, which would also require recomputing the root even if
185 /// it has not changed (note that the cached root is serialized with the
186 /// tree). This is particularly important since we decided to instantiate
187 /// the trees from the genesis block, for simplicity.
188 ///
189 /// We use a [`RwLock`](std::sync::RwLock) for this cache, because it is only written once per
190 /// tree update. Each tree has its own cached root, a new lock is created
191 /// for each clone.
192 cached_root: std::sync::RwLock<Option<Root>>,
193}
194
195impl NoteCommitmentTree {
196 /// Adds a note commitment u-coordinate to the tree.
197 ///
198 /// The leaves of the tree are actually a base field element, the
199 /// u-coordinate of the commitment, the data that is actually stored on the
200 /// chain and input into the proof.
201 ///
202 /// Returns an error if the tree is full.
203 #[allow(clippy::unwrap_in_result)]
204 pub fn append(&mut self, cm_u: NoteCommitmentUpdate) -> Result<(), NoteCommitmentTreeError> {
205 if self.inner.append(sapling_crypto::Node::from_cmu(&cm_u)) {
206 // Invalidate cached root
207 let cached_root = self
208 .cached_root
209 .get_mut()
210 .expect("a thread that previously held exclusive lock access panicked");
211
212 *cached_root = None;
213
214 Ok(())
215 } else {
216 Err(NoteCommitmentTreeError::FullTree)
217 }
218 }
219
220 /// Returns frontier of non-empty tree, or None.
221 fn frontier(&self) -> Option<&NonEmptyFrontier<sapling_crypto::Node>> {
222 self.inner.value()
223 }
224
225 /// Returns the position of the most recently appended leaf in the tree.
226 ///
227 /// This method is used for debugging, use `incrementalmerkletree::Address` for tree operations.
228 pub fn position(&self) -> Option<u64> {
229 let Some(tree) = self.frontier() else {
230 // An empty tree doesn't have a previous leaf.
231 return None;
232 };
233
234 Some(tree.position().into())
235 }
236
237 /// Returns true if this tree has at least one new subtree, when compared with `prev_tree`.
238 pub fn contains_new_subtree(&self, prev_tree: &Self) -> bool {
239 // Use -1 for the index of the subtree with no notes, so the comparisons are valid.
240 let index = self.subtree_index().map_or(-1, |index| i32::from(index.0));
241 let prev_index = prev_tree
242 .subtree_index()
243 .map_or(-1, |index| i32::from(index.0));
244
245 // This calculation can't overflow, because we're using i32 for u16 values.
246 let index_difference = index - prev_index;
247
248 // There are 4 cases we need to handle:
249 // - lower index: never a new subtree
250 // - equal index: sometimes a new subtree
251 // - next index: sometimes a new subtree
252 // - greater than the next index: always a new subtree
253 //
254 // To simplify the function, we deal with the simple cases first.
255
256 // There can't be any new subtrees if the current index is strictly lower.
257 if index < prev_index {
258 return false;
259 }
260
261 // There is at least one new subtree, even if there is a spurious index difference.
262 if index_difference > 1 {
263 return true;
264 }
265
266 // If the indexes are equal, there can only be a new subtree if `self` just completed it.
267 if index == prev_index {
268 return self.is_complete_subtree();
269 }
270
271 // If `self` is the next index, check if the last note completed a subtree.
272 if self.is_complete_subtree() {
273 return true;
274 }
275
276 // Then check for spurious index differences.
277 //
278 // There is one new subtree somewhere in the trees. It is either:
279 // - a new subtree at the end of the previous tree, or
280 // - a new subtree in this tree (but not at the end).
281 //
282 // Spurious index differences happen because the subtree index only increases when the
283 // first note is added to the new subtree. So we need to exclude subtrees completed by the
284 // last note commitment in the previous tree.
285 //
286 // We also need to exclude empty previous subtrees, because the index changes to zero when
287 // the first note is added, but a subtree wasn't completed.
288 if prev_tree.is_complete_subtree() || prev_index == -1 {
289 return false;
290 }
291
292 // A new subtree was completed by a note commitment that isn't in the previous tree.
293 true
294 }
295
296 /// Returns true if the most recently appended leaf completes the subtree
297 pub fn is_complete_subtree(&self) -> bool {
298 let Some(tree) = self.frontier() else {
299 // An empty tree can't be a complete subtree.
300 return false;
301 };
302
303 tree.position()
304 .is_complete_subtree(TRACKED_SUBTREE_HEIGHT.into())
305 }
306
307 /// Returns the subtree index at [`TRACKED_SUBTREE_HEIGHT`].
308 /// This is the number of complete or incomplete subtrees that are currently in the tree.
309 /// Returns `None` if the tree is empty.
310 #[allow(clippy::unwrap_in_result)]
311 pub fn subtree_index(&self) -> Option<NoteCommitmentSubtreeIndex> {
312 let tree = self.frontier()?;
313
314 let index = incrementalmerkletree::Address::above_position(
315 TRACKED_SUBTREE_HEIGHT.into(),
316 tree.position(),
317 )
318 .index()
319 .try_into()
320 .expect("fits in u16");
321
322 Some(index)
323 }
324
325 /// Returns the number of leaf nodes required to complete the subtree at
326 /// [`TRACKED_SUBTREE_HEIGHT`].
327 ///
328 /// Returns `2^TRACKED_SUBTREE_HEIGHT` if the tree is empty.
329 #[allow(clippy::unwrap_in_result)]
330 pub fn remaining_subtree_leaf_nodes(&self) -> usize {
331 let remaining = match self.frontier() {
332 // If the subtree has at least one leaf node, the remaining number of nodes can be
333 // calculated using the maximum subtree position and the current position.
334 Some(tree) => {
335 let max_position = incrementalmerkletree::Address::above_position(
336 TRACKED_SUBTREE_HEIGHT.into(),
337 tree.position(),
338 )
339 .max_position();
340
341 max_position - tree.position().into()
342 }
343 // If the subtree has no nodes, the remaining number of nodes is the number of nodes in
344 // a subtree.
345 None => {
346 let subtree_address = incrementalmerkletree::Address::above_position(
347 TRACKED_SUBTREE_HEIGHT.into(),
348 // This position is guaranteed to be in the first subtree.
349 0.into(),
350 );
351
352 assert_eq!(
353 subtree_address.position_range_start(),
354 0.into(),
355 "address is not in the first subtree"
356 );
357
358 subtree_address.position_range_end()
359 }
360 };
361
362 u64::from(remaining).try_into().expect("fits in usize")
363 }
364
365 /// Returns subtree index and root if the most recently appended leaf completes the subtree
366 pub fn completed_subtree_index_and_root(
367 &self,
368 ) -> Option<(NoteCommitmentSubtreeIndex, sapling_crypto::Node)> {
369 if !self.is_complete_subtree() {
370 return None;
371 }
372
373 let index = self.subtree_index()?;
374 let root = self.frontier()?.root(Some(TRACKED_SUBTREE_HEIGHT.into()));
375
376 Some((index, root))
377 }
378
379 /// Returns the current root of the tree, used as an anchor in Sapling
380 /// shielded transactions.
381 pub fn root(&self) -> Root {
382 if let Some(root) = self.cached_root() {
383 // Return cached root.
384 return root;
385 }
386
387 // Get exclusive access, compute the root, and cache it.
388 let mut write_root = self
389 .cached_root
390 .write()
391 .expect("a thread that previously held exclusive lock access panicked");
392 let read_root = write_root.as_ref().cloned();
393 match read_root {
394 // Another thread got write access first, return cached root.
395 Some(root) => root,
396 None => {
397 // Compute root and cache it.
398 let root = self.recalculate_root();
399 *write_root = Some(root);
400 root
401 }
402 }
403 }
404
405 /// Returns the current root of the tree, if it has already been cached.
406 #[allow(clippy::unwrap_in_result)]
407 pub fn cached_root(&self) -> Option<Root> {
408 *self
409 .cached_root
410 .read()
411 .expect("a thread that previously held exclusive lock access panicked")
412 }
413
414 /// Calculates and returns the current root of the tree, ignoring any caching.
415 pub fn recalculate_root(&self) -> Root {
416 Root::try_from(self.inner.root().to_bytes()).unwrap()
417 }
418
419 /// Gets the Jubjub-based Pedersen hash of root node of this merkle tree of
420 /// note commitments.
421 pub fn hash(&self) -> [u8; 32] {
422 self.root().into()
423 }
424
425 /// An as-yet unused Sapling note commitment tree leaf node.
426 ///
427 /// Distinct for Sapling, a distinguished hash value of:
428 ///
429 /// Uncommitted^Sapling = I2LEBSP_l_MerkleSapling(1)
430 pub fn uncommitted() -> [u8; 32] {
431 jubjub::Fq::one().to_bytes()
432 }
433
434 /// Counts of note commitments added to the tree.
435 ///
436 /// For Sapling, the tree is capped at 2^32.
437 pub fn count(&self) -> u64 {
438 self.inner
439 .value()
440 .map_or(0, |x| u64::from(x.position()) + 1)
441 }
442
443 /// Checks if the tree roots and inner data structures of `self` and `other` are equal.
444 ///
445 /// # Panics
446 ///
447 /// If they aren't equal, with a message explaining the differences.
448 ///
449 /// Only for use in tests.
450 #[cfg(any(test, feature = "proptest-impl"))]
451 pub fn assert_frontier_eq(&self, other: &Self) {
452 // It's technically ok for the cached root not to be preserved,
453 // but it can result in expensive cryptographic operations,
454 // so we fail the tests if it happens.
455 assert_eq!(self.cached_root(), other.cached_root());
456
457 // Check the data in the internal data structure
458 assert_eq!(self.inner, other.inner);
459
460 // Check the RPC serialization format (not the same as the Zebra database format)
461 assert_eq!(self.to_rpc_bytes(), other.to_rpc_bytes());
462 }
463
464 /// Serializes [`Self`] to a format matching `zcashd`'s RPCs.
465 pub fn to_rpc_bytes(&self) -> Vec<u8> {
466 // Convert the tree from [`Frontier`](incrementalmerkletree::frontier::Frontier) to
467 // [`CommitmentTree`](merkle_tree::CommitmentTree).
468 let tree = incrementalmerkletree::frontier::CommitmentTree::from_frontier(&self.inner);
469
470 let mut rpc_bytes = vec![];
471
472 zcash_primitives::merkle_tree::write_commitment_tree(&tree, &mut rpc_bytes)
473 .expect("serializable tree");
474
475 rpc_bytes
476 }
477}
478
479impl Clone for NoteCommitmentTree {
480 /// Clones the inner tree, and creates a new [`RwLock`](std::sync::RwLock)
481 /// with the cloned root data.
482 fn clone(&self) -> Self {
483 let cached_root = self.cached_root();
484
485 Self {
486 inner: self.inner.clone(),
487 cached_root: std::sync::RwLock::new(cached_root),
488 }
489 }
490}
491
492impl Default for NoteCommitmentTree {
493 fn default() -> Self {
494 Self {
495 inner: incrementalmerkletree::frontier::Frontier::empty(),
496 cached_root: Default::default(),
497 }
498 }
499}
500
501impl Eq for NoteCommitmentTree {}
502
503impl PartialEq for NoteCommitmentTree {
504 fn eq(&self, other: &Self) -> bool {
505 if let (Some(root), Some(other_root)) = (self.cached_root(), other.cached_root()) {
506 // Use cached roots if available
507 root == other_root
508 } else {
509 // Avoid expensive root recalculations which use multiple cryptographic hashes
510 self.inner == other.inner
511 }
512 }
513}
514
515impl From<Vec<sapling_crypto::note::ExtractedNoteCommitment>> for NoteCommitmentTree {
516 /// Computes the tree from a whole bunch of note commitments at once.
517 fn from(values: Vec<sapling_crypto::note::ExtractedNoteCommitment>) -> Self {
518 let mut tree = Self::default();
519
520 if values.is_empty() {
521 return tree;
522 }
523
524 for cm_u in values {
525 let _ = tree.append(cm_u);
526 }
527
528 tree
529 }
530}