Use a `bellman::Proof` instead of a byte array in `Groth16Proof`

[conradoplg]

Motivation

We use a byte array in the Groth16Proof struct. However, not every byte array is a well-formed proof (i.e. the encoding of three field elements, as enforced by the bellman package). For improved type safety, it would be better to use bellman::Proof inside it and parse the proof while parsing the transaction.

However, this requires a lot of code changes:

• A lot of tests expect it to be a byte array
• The tests vectors from https://github.com/zcash-hackworks/zcash-test-vectors/ generate random byte array as proofs. We'd need to change the test vector generators to generate random well-formed proofs.
• In the same way, the Arbitrary implementation must be changed to generate random well-formed proofs.

For this reason, it was postponed for later.

Specifications

Designs

To generate a well-formed proof, you will need to generate 3 field elements: one in G1, second in G2, third in G1 again. See this snippet for reference: https://github.com/ZcashFoundation/zebra/blob/81727d7df0ee57e6d4f2172c287e52e414c4e6a0/zebra-consensus/src/transaction/tests.rs#L1956-L1960

Related Work

[mpguerra]

Hey team! Please add your planning poker estimate with ZenHub @conradoplg @dconnolly @jvff @oxarbitrage @teor2345 @upbqdn

[teor2345]

Making this change would increase the cost of serving blocks to peers, because the proofs would be redundantly re-validated when deserializing from the database.

We're already having this performance problem with some curve types.

So I think it's ok for now.