ZIP-221: Validate chain history commitments in the non-finalized state

zebra-chain/src/lib.rs

@@ -21,6 +21,7 @@ extern crate bitflags;
 pub mod amount;
 pub mod block;
 pub mod fmt;
+pub mod mmr;
 pub mod orchard;
 pub mod parameters;
 pub mod primitives;

zebra-chain/src/mmr.rs

@@ -0,0 +1,43 @@
+//! Merkle mountain range structure that contains information about
+//! the block history as specified in ZIP-221.
+
+use std::borrow::Borrow;
+
+use crate::block::{Block, ChainHistoryMmrRootHash};
+
+/// Merkle mountain range structure.
+pub struct MerkleMountainRange {
+    // TODO
+}
+
+impl MerkleMountainRange {
+    pub fn push(&mut self, block: &Block) {
+        // TODO: zcash_history::Tree::append_leaf receives an Arc<Block>. Should
+        // change that to match, or create an Arc to pass to it?
+        todo!();
+    }
+
+    /// Extend the MMR with the given blocks.
+    // TODO: add Sapling and Orchard roots to parameters
+    pub fn extend<C>(&mut self, _vals: &C)
+    where
+        C: IntoIterator,
+        C::Item: Borrow<Block>,
+        C::IntoIter: ExactSizeIterator,
+    {
+        // TODO: How to convert C to `impl Iterator<Item = (Arc<Block>, sapling::tree::Root)>`
+        // for zcash_history::Tree::append_leaf_iter? Should change that to match C?
+        todo!();
+    }
+
+    /// Return the hash of the MMR root.
+    pub fn hash(&self) -> ChainHistoryMmrRootHash {
+        todo!();
+    }
+}
+
+impl Clone for MerkleMountainRange {
+    fn clone(&self) -> Self {
+        todo!();
+    }
+}

zebra-state/src/error.rs

@@ -3,7 +3,10 @@ use std::sync::Arc;
 use chrono::{DateTime, Utc};
 use thiserror::Error;
 
-use zebra_chain::{block, work::difficulty::CompactDifficulty};
+use zebra_chain::{
+    block::{self, ChainHistoryMmrRootHash, CommitmentError},
+    work::difficulty::CompactDifficulty,
+};
 
 /// A wrapper for type erased errors that is itself clonable and implements the
 /// Error trait
@@ -74,4 +77,14 @@ pub enum ValidateContextError {
         difficulty_threshold: CompactDifficulty,
         expected_difficulty: CompactDifficulty,
     },
+
+    #[error("block contains an invalid commitment")]
+    InvalidCommitment(#[from] CommitmentError),
+
+    #[error("block history commitment {candidate_commitment:?} is different to the expected commitment {expected_commitment:?}")]
+    #[non_exhaustive]
+    InvalidHistoryCommitment {
+        candidate_commitment: ChainHistoryMmrRootHash,
+        expected_commitment: ChainHistoryMmrRootHash,
+    },
 }

zebra-state/src/service.rs

@@ -149,9 +149,14 @@ impl StateService {
         let parent_hash = prepared.block.header.previous_block_hash;
 
         if self.disk.finalized_tip_hash() == parent_hash {
-            self.mem.commit_new_chain(prepared);
+            self.mem
+                .commit_new_chain(prepared, self.disk.mmr().clone())?;
         } else {
-            self.mem.commit_block(prepared);
+            let block_iter = self.any_ancestor_blocks(parent_hash);
+            // TODO: the above creates a immutable borrow of self, and below it uses
+            // a mutable borrow. which causes a compiler error. How to solve this?
+            self.mem
+                .commit_block(prepared, self.disk.mmr(), &block_iter)?;
         }
 
         Ok(())

zebra-state/src/service/check.rs

@@ -4,7 +4,7 @@ use std::borrow::Borrow;
 
 use chrono::Duration;
 use zebra_chain::{
-    block::{self, Block},
+    block::{self, Block, ChainHistoryMmrRootHash},
     parameters::POW_AVERAGING_WINDOW,
     parameters::{Network, NetworkUpgrade},
     work::difficulty::CompactDifficulty,
@@ -86,6 +86,41 @@ where
     Ok(())
 }
 
+#[tracing::instrument(
+    name = "contextual_validation_for_chain",
+    fields(?network),
+    skip(prepared, network)
+)]
+pub(crate) fn block_is_contextually_valid_for_chain(
+    prepared: &PreparedBlock,
+    network: Network,
+    mmr_hash: &ChainHistoryMmrRootHash,
+) -> Result<(), ValidateContextError> {
+    match prepared.block.commitment(network)? {
+        block::Commitment::PreSaplingReserved(_)
+        | block::Commitment::FinalSaplingRoot(_)
+        | block::Commitment::ChainHistoryActivationReserved => {
+            // No contextual checks needed for those.
+            Ok(())
+        }
+        block::Commitment::ChainHistoryRoot(block_mmr_hash) => {
+            if block_mmr_hash == *mmr_hash {
+                Ok(())
+            } else {
+                Err(ValidateContextError::InvalidHistoryCommitment {
+                    candidate_commitment: block_mmr_hash,
+                    expected_commitment: *mmr_hash,
+                })
+            }
+        }
+        block::Commitment::ChainHistoryBlockTxAuthCommitment(_) => {
+            // TODO: Get auth_hash from block (ZIP-244), e.g.
+            // let auth_hash = prepared.block.auth_hash();
+            todo!("hash mmr_hash and auth_hash per ZIP-244 and compare")
+        }
+    }
+}
+
 /// Returns `ValidateContextError::OrphanedBlock` if the height of the given
 /// block is less than or equal to the finalized tip height.
 fn block_is_not_orphaned(

zebra-state/src/service/finalized_state.rs

@@ -7,6 +7,7 @@ mod tests;
 
 use std::{collections::HashMap, convert::TryInto, sync::Arc};
 
+use zebra_chain::mmr::MerkleMountainRange;
 use zebra_chain::transparent;
 use zebra_chain::{
     block::{self, Block},
@@ -378,6 +379,11 @@ impl FinalizedState {
             })
     }
 
+    /// Returns the MMR for the finalized state.
+    pub fn mmr(&self) -> &MerkleMountainRange {
+        todo!("add MMR to finalized state");
+    }
+
     /// If the database is `ephemeral`, delete it.
     fn delete_ephemeral(&self) {
         if self.ephemeral {

zebra-state/src/service/non_finalized_state.rs

@@ -12,19 +12,22 @@ mod tests;
 
 pub use queued_blocks::QueuedBlocks;
 
-use std::{collections::BTreeSet, mem, ops::Deref, sync::Arc};
+use std::{borrow::Borrow, collections::BTreeSet, mem, ops::Deref, sync::Arc};
 
 use zebra_chain::{
     block::{self, Block},
+    mmr::MerkleMountainRange,
     parameters::{Network, NetworkUpgrade::Canopy},
     transaction::{self, Transaction},
     transparent,
 };
 
-use crate::{FinalizedBlock, HashOrHeight, PreparedBlock, Utxo};
+use crate::{FinalizedBlock, HashOrHeight, PreparedBlock, Utxo, ValidateContextError};
 
 use self::chain::Chain;
 
+use super::check;
+
 /// The state of the chains in memory, incuding queued blocks.
 #[derive(Default)]
 pub struct NonFinalizedState {
@@ -76,7 +79,17 @@ impl NonFinalizedState {
     }
 
     /// Commit block to the non-finalized state.
-    pub fn commit_block(&mut self, prepared: PreparedBlock) {
+    pub fn commit_block<C>(
+        &mut self,
+        prepared: PreparedBlock,
+        finalized_tip_mmr: &MerkleMountainRange,
+        block_iter: &C,
+    ) -> Result<(), ValidateContextError>
+    where
+        C: IntoIterator,
+        C::Item: Borrow<Block>,
+        C::IntoIter: ExactSizeIterator,
+    {
         let parent_hash = prepared.block.header.previous_block_hash;
         let (height, hash) = (prepared.height, prepared.hash);
 
@@ -92,24 +105,41 @@ impl NonFinalizedState {
             .or_else(|| {
                 self.chain_set
                     .iter()
-                    .find_map(|chain| chain.fork(parent_hash))
+                    .find_map(|chain| {
+                        let mut mmr = finalized_tip_mmr.clone();
+                        // TODO: pass Sapling and Orchard roots for each block. How?
+                        mmr.extend(block_iter);
+                        chain.fork(parent_hash, mmr)
+                    })
                     .map(Box::new)
             })
             .expect("commit_block is only called with blocks that are ready to be commited");
 
+        check::block_is_contextually_valid_for_chain(
+            &prepared,
+            self.network,
+            &parent_chain.mmr_hash(),
+        )?;
         parent_chain.push(prepared);
         self.chain_set.insert(parent_chain);
         self.update_metrics_for_committed_block(height, hash);
+        Ok(())
     }
 
     /// Commit block to the non-finalized state as a new chain where its parent
     /// is the finalized tip.
-    pub fn commit_new_chain(&mut self, prepared: PreparedBlock) {
-        let mut chain = Chain::default();
+    pub fn commit_new_chain(
+        &mut self,
+        prepared: PreparedBlock,
+        mmr: MerkleMountainRange,
+    ) -> Result<(), ValidateContextError> {
+        let mut chain = Chain::new(mmr);
         let (height, hash) = (prepared.height, prepared.hash);
+        check::block_is_contextually_valid_for_chain(&prepared, self.network, &chain.mmr_hash())?;
         chain.push(prepared);
         self.chain_set.insert(Box::new(chain));
         self.update_metrics_for_committed_block(height, hash);
+        Ok(())
     }
 
     /// Returns the length of the non-finalized portion of the current best chain.

zebra-state/src/service/non_finalized_state/chain.rs

@@ -6,13 +6,19 @@ use std::{
 
 use tracing::{debug_span, instrument, trace};
 use zebra_chain::{
-    block, orchard, primitives::Groth16Proof, sapling, sprout, transaction,
-    transaction::Transaction::*, transparent, work::difficulty::PartialCumulativeWork,
+    block::{self, ChainHistoryMmrRootHash},
+    mmr::MerkleMountainRange,
+    orchard,
+    primitives::Groth16Proof,
+    sapling, sprout, transaction,
+    transaction::Transaction::*,
+    transparent,
+    work::difficulty::PartialCumulativeWork,
 };
 
 use crate::{PreparedBlock, Utxo};
 
-#[derive(Default, Clone)]
+// #[derive(Clone)]
 pub struct Chain {
     pub blocks: BTreeMap<block::Height, PreparedBlock>,
     pub height_by_hash: HashMap<block::Hash, block::Height>,
@@ -27,9 +33,30 @@ pub struct Chain {
     sapling_nullifiers: HashSet<sapling::Nullifier>,
     orchard_nullifiers: HashSet<orchard::Nullifier>,
     partial_cumulative_work: PartialCumulativeWork,
+    mmr: MerkleMountainRange,
 }
 
 impl Chain {
+    /// Create a new empty non-finalized chain with the given MMR.
+    ///
+    /// The MMR must contain the history of the previous (finalized) blocks.
+    pub fn new(mmr: MerkleMountainRange) -> Self {
+        Chain {
+            blocks: Default::default(),
+            height_by_hash: Default::default(),
+            tx_by_hash: Default::default(),
+            created_utxos: Default::default(),
+            spent_utxos: Default::default(),
+            sprout_anchors: Default::default(),
+            sapling_anchors: Default::default(),
+            sprout_nullifiers: Default::default(),
+            sapling_nullifiers: Default::default(),
+            orchard_nullifiers: Default::default(),
+            partial_cumulative_work: Default::default(),
+            mmr,
+        }
+    }
+
     /// Push a contextually valid non-finalized block into a chain as the new tip.
     #[instrument(level = "debug", skip(self, block), fields(block = %block.block))]
     pub fn push(&mut self, block: PreparedBlock) {
@@ -67,12 +94,14 @@ impl Chain {
 
     /// Fork a chain at the block with the given hash, if it is part of this
     /// chain.
-    pub fn fork(&self, fork_tip: block::Hash) -> Option<Self> {
+    ///
+    /// `mmr`: the MMR for the fork.
+    pub fn fork(&self, fork_tip: block::Hash, mmr: MerkleMountainRange) -> Option<Self> {
         if !self.height_by_hash.contains_key(&fork_tip) {
             return None;
         }
 
-        let mut forked = self.clone();
+        let mut forked = self.clone_with_mmr(mmr);
 
         while forked.non_finalized_tip_hash() != fork_tip {
             forked.pop_tip();
@@ -117,6 +146,30 @@ impl Chain {
     pub fn is_empty(&self) -> bool {
         self.blocks.is_empty()
     }
+
+    pub fn mmr_hash(&self) -> ChainHistoryMmrRootHash {
+        self.mmr.hash()
+    }
+
+    /// Clone the Chain but not the MMR.
+    ///
+    /// Useful when forking, where the MMR is rebuilt anyway.
+    fn clone_with_mmr(&self, mmr: MerkleMountainRange) -> Self {
+        Chain {
+            blocks: self.blocks.clone(),
+            height_by_hash: self.height_by_hash.clone(),
+            tx_by_hash: self.tx_by_hash.clone(),
+            created_utxos: self.created_utxos.clone(),
+            spent_utxos: self.spent_utxos.clone(),
+            sprout_anchors: self.sprout_anchors.clone(),
+            sapling_anchors: self.sapling_anchors.clone(),
+            sprout_nullifiers: self.sprout_nullifiers.clone(),
+            sapling_nullifiers: self.sapling_nullifiers.clone(),
+            orchard_nullifiers: self.orchard_nullifiers.clone(),
+            partial_cumulative_work: self.partial_cumulative_work,
+            mmr,
+        }
+    }
 }
 
 /// Helper trait to organize inverse operations done on the `Chain` type. Used to
@@ -160,6 +213,8 @@ impl UpdateWith<PreparedBlock> for Chain {
             .expect("work has already been validated");
         self.partial_cumulative_work += block_work;
 
+        self.mmr.push(block);
+
         // for each transaction in block
         for (transaction_index, (transaction, transaction_hash)) in block
             .transactions
@@ -241,6 +296,8 @@ impl UpdateWith<PreparedBlock> for Chain {
             .expect("work has already been validated");
         self.partial_cumulative_work -= block_work;
 
+        // Note: the MMR is not reverted here; it's rebuilt and passed in fork()
+
         // for each transaction in block
         for (transaction, transaction_hash) in
             block.transactions.iter().zip(transaction_hashes.iter())