zcash_proofs: Extract separate verifiers for proofs, spendAuthSigs, and bindingSig from SaplingVerificationContext
Currently, we have a single `SaplingVerificationContext` which we initialize, use to verify each Spend and Output description, and then call `final_check` to verify `bindingSig`. The reason for this workflow was that there is a data dependency on the entire transaction to fully verify it. However, this data dependency is only a blocker on `bindingSig`; the remaining components can be verified independently of the whole transaction (after computing `sigHash`), and also batch-verified.

Furthermore, the data dependency for `bindingSig` is effectively just on computing `bvk`. Once we have that, verification of `bindingSig` is equivalent to verifying a `spendAuthSig`.

We should extract the per-proof and per-signature verifiers from `SaplingVerificationContext`, so they can be run independently or batched. `SaplingVerificationContext` would continue to apply the various consensus checks on each spend and output, and `final_check` would return `bvk`, which could then be used to e.g. batch-verify `bindingSig` alongside the `spendAuthSig`s.
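As an added illustration (not code from sapling-crypto or zcash_proofs), the following toy Python models the split described above over a small Schnorr group standing in for Jubjub: one Schnorr verifier serves both `spendAuthSig` and `bindingSig`, `bvk` is derived from the value commitments and `valueBalance` as the only whole-transaction input, and the per-spend checks do not depend on it. The group parameters, sample values and helper names (`verify_bundle`, `build_demo_bundle`) are constructed for the demo and are not Zcash's.

```python
import hashlib
import math
import secrets

# Toy Schnorr group standing in for Jubjub (constructed parameters, NOT Zcash's):
# P is a safe prime, Q = (P-1)/2 the prime order of the subgroup of squares.
P, Q = 1019, 509
V, R, G = 4, 9, 16  # value base, randomness base (= bindingSig base), spendAuthSig base

def exp(base, e): return pow(base, e % Q, P)  # scalar mult [e]base; negative e allowed

def commit(v, rcv):
    """Pedersen value commitment cv = [v]V + [rcv]R (multiplicative notation here)."""
    return exp(V, v) * exp(R, rcv) % P

def challenge(base, rb, pk, msg):
    h = hashlib.sha256(f"{base}|{rb}|{pk}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def sign(base, sk, msg):
    k = secrets.randbelow(Q - 1) + 1
    rb = exp(base, k)
    return rb, (k + challenge(base, rb, exp(base, sk), msg) * sk) % Q

def verify_sig(base, pk, msg, sig):
    """One verifier for both spendAuthSig (base G, pk = rk) and bindingSig (base R, pk = bvk)."""
    rb, s = sig
    return exp(base, s) == rb * exp(pk, challenge(base, rb, pk, msg)) % P

def binding_verification_key(spend_cvs, output_cvs, value_balance):
    """bvk = sum(cv_spend) - sum(cv_output) - [valueBalance]V: the only whole-transaction input."""
    den = math.prod(output_cvs) * exp(V, value_balance)
    return math.prod(spend_cvs) * pow(den, -1, P) % P

def verify_bundle(spends, output_cvs, value_balance, binding_sig, sighash):
    """spends: [(cv, rk, spendAuthSig)]. Only the bindingSig check needs bvk (what final_check would return)."""
    spends_ok = all(verify_sig(G, rk, sighash, sig) for _, rk, sig in spends)  # independent, batchable
    bvk = binding_verification_key([cv for cv, _, _ in spends], output_cvs, value_balance)
    return spends_ok and verify_sig(R, bvk, sighash, binding_sig)

def build_demo_bundle(spend_values, output_values, sighash):
    """Prover side of a constructed sample transaction; also returns bsk to check the bvk identity."""
    spend_rcv = [secrets.randbelow(Q) for _ in spend_values]
    out_rcv = [secrets.randbelow(Q) for _ in output_values]
    asks = [secrets.randbelow(Q - 1) + 1 for _ in spend_values]
    spends = [(commit(v, r), exp(G, a), sign(G, a, sighash))
              for v, r, a in zip(spend_values, spend_rcv, asks)]
    output_cvs = [commit(v, r) for v, r in zip(output_values, out_rcv)]
    bsk = (sum(spend_rcv) - sum(out_rcv)) % Q  # bsk = sum(rcv_spend) - sum(rcv_output)
    value_balance = sum(spend_values) - sum(output_values)
    return spends, output_cvs, value_balance, sign(R, bsk, sighash), bsk
```

Because `bvk` equals `[bsk]R` exactly when the commitments balance against `valueBalance`, a mis-stated `valueBalance` changes `bvk` and the `bindingSig` check fails while every `spendAuthSig` check is unaffected.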