Feature: note plaintext size generalization (draft - to create an updated descrition for the main PR)

[dmidem]

This PR continues the discussion from: zcash/librustzcash#746. Some things have changed, and we need an updated review to continue.

In order to support note encryption for ZSA, we suggest extending the current zcash_note_encryption implementation. Currently, the COMPACT_NOTE_SIZE is a constant; however, we need to support variable note sizes to include the AssetId field for ZSA notes.

Current state in zcash_note_encryption:

/// The size of a compact note.
pub const COMPACT_NOTE_SIZE: usize = 1 + // version
    11 + // diversifier
    8  + // value
    32; // rseed (or rcm prior to ZIP 212)
/// The size of [`NotePlaintextBytes`].
pub const NOTE_PLAINTEXT_SIZE: usize = COMPACT_NOTE_SIZE + 512;

and

pub const ENC_CIPHERTEXT_SIZE: usize = NOTE_PLAINTEXT_SIZE + AEAD_TAG_SIZE;

Proposed changes:

We suggest converting these constants into new abstract types within the Domain trait: NotePlaintextBytes, NoteCiphertextBytes, CompactNotePlaintextBytes, and CompactNoteCiphertextBytes. These types would then be implemented in the orchard and sapling-crypto crates.

After the discussion of the first version of this PR, the following methods are also proposed to be added to the Domain trait to safely convert byte slices into these new types: parse_note_plaintext_bytes, parse_note_ciphertext_bytes, and parse_compact_note_plaintext_bytes.

Updated Domain trait:

pub trait Domain {
    type EphemeralSecretKey: ConstantTimeEq;
    type EphemeralPublicKey;
    type PreparedEphemeralPublicKey;
    type SharedSecret;
    type SymmetricKey: AsRef<[u8]>;
    type Note;
    type Recipient;
    type DiversifiedTransmissionKey;
    type IncomingViewingKey;
    type OutgoingViewingKey;
    type ValueCommitment;
    type ExtractedCommitment;
    type ExtractedCommitmentBytes: Eq + for<'a> From<&'a Self::ExtractedCommitment>;
    type Memo;

    // Types for variable note size handling:
    type NotePlaintextBytes: NoteBytes;
    type NoteCiphertextBytes: NoteBytes;
    type CompactNotePlaintextBytes: NoteBytes;
    type CompactNoteCiphertextBytes: NoteBytes;

    // New parsing methods for safe conversions:
    fn parse_note_plaintext_bytes(plaintext: &[u8]) -> Option<Self::NotePlaintextBytes>;
    fn parse_note_ciphertext_bytes(output: &[u8], tag: [u8; AEAD_TAG_SIZE]) -> Option<Self::NoteCiphertextBytes>;
    fn parse_compact_note_plaintext_bytes(plaintext: &[u8]) -> Option<Self::CompactNotePlaintextBytes>;

Here, NoteBytes is a helper trait designed to simplify and unify the definition and implementation of these new associated types.

Additionally, constants will be removed from function signatures since they are not known at compilation time. For example:

pub fn try_note_decryption<D: Domain, Output: ShieldedOutput<D, ENC_CIPHERTEXT_SIZE>>(...)

will be replaced with:

pub fn try_note_decryption<D: Domain, Output: ShieldedOutput<D>>(...)

Implementation:

We have provided our initial implementation, complemented by the appropriate changes in the orchard and sapling-crypto crates. See the following modules for details:

https://github.com/QED-it/orchard/blob/zsa1/src/note_encryption/domain.rs
https://github.com/QED-it/sapling-crypto/blob/zsa1/src/note_encryption.rs

Additionally, we made several minor updates in the zcash_primitives crate of QED-it's fork of the librustzcash repository to align it with the described changes in zcash_note_encryption, orchard, and sapling-crypto crates:

https://github.com/QED-it/librustzcash/tree/zsa1/zcash_primitives