sapling-crypto
sapling-crypto copied to clipboard
Create specific types for batch-verifying Spend and Output proofs separately
When extracting the Sapling types back into sapling-crypto
, we added more type safety. In particular, we made the proof verifying keys typesafe by placing the bellman
types inside opaque newtype wrappers (to prevent downstream users from trying to verify a Spend proof with the Output proof verifying key, for example; the bellman
types permit that because Groth16 proof encodings do not explicitly bind to the circuit).
In zcashd
we do batch validation at the Sapling bundle level:
https://github.com/zcash/sapling-crypto/blob/d23547f0d3c753b706c6a4fd64456855e153d6b7/src/verifier/batch.rs#L17-L22
This works fine after the type changes: zcashd
passes in whole bundles, and the Spend and Output verifying keys, and sapling-crypto
knows what to do with them.
zebrad
took a different approach, creating independent Tower services for batch-verifying Spend proofs and Output proofs (and every other authorization part). The type safety changes break this use case. Refactoring zebrad
to verify only at the bundle level is not feasible (and maybe has a performance impact, IDK).
We should expose individual batch validation types for Spend and Output proofs individually. We can then use them internally to BatchValidator
for zcashd
, while zebrad
can use them directly (and gain type safety in their batch validation Tower services that is currently missing).