Change personalization to match specification.

src/circuit/sapling/mod.rs

@@ -410,7 +410,7 @@ impl<'a, E: JubjubEngine> Circuit<E> for Spend<'a, E> {
         let nf = blake2s::blake2s(
             cs.namespace(|| "nf computation"),
             &nf_preimage,
-            constants::PRF_NR_PERSONALIZATION
+            constants::PRF_NF_PERSONALIZATION
         )?;
 
         multipack::pack_into_inputs(cs.namespace(|| "pack nullifier"), &nf)
@@ -618,7 +618,7 @@ fn test_input_circuit_with_bls12_381() {
 
         assert!(cs.is_satisfied());
         assert_eq!(cs.num_constraints(), 98776);
-        assert_eq!(cs.hash(), "c5c377cad6310a5caa74305b2fe72b53e27a9c1db110edd9c4af164e99c0db71");
+        assert_eq!(cs.hash(), "e6d326669533baf3f771267e86bd752b246184d34b1f2a68f9a6b9283f42e325");
 
         let expected_value_cm = value_commitment.cm(params).into_xy();
 
@@ -744,7 +744,7 @@ fn test_output_circuit_with_bls12_381() {
 
         assert!(cs.is_satisfied());
         assert_eq!(cs.num_constraints(), 7827);
-        assert_eq!(cs.hash(), "2896f259ad7a50c83604976ee9362358396d547b70f2feaf91d82d287e4ffc1d");
+        assert_eq!(cs.hash(), "0c3d4ee7b0ac346836f177a471b2453c3558ea5760c526faad72feb65caf275b");
 
         let expected_cm = payment_address.create_note(
             value_commitment.value,

src/constants.rs

@@ -2,28 +2,47 @@
 /// This is chosen to be some random string that we couldn't have anticipated when we designed
 /// the algorithm, for rigidity purposes.
 /// We deliberately use an ASCII hex string of 32 bytes here.
-pub const GH_FIRST_BLOCK: &'static [u8; 64] = b"0000000000000000002ffe76b973aabaff1d1557d79acf2c3795809c83caf580";
+pub const GH_FIRST_BLOCK: &'static [u8; 64]
+          = b"0000000000000000002ffe76b973aabaff1d1557d79acf2c3795809c83caf580";
 
 // BLAKE2s invocation personalizations
-/// BLAKE2s Personalization for CRH^ivk = BLAKE2s(ak | rk)
+/// BLAKE2s Personalization for CRH^ivk = BLAKE2s(ak | nk)
-pub const CRH_IVK_PERSONALIZATION: &'static [u8; 8] = b"Zcashivk";
+pub const CRH_IVK_PERSONALIZATION: &'static [u8; 8]
-/// BLAKE2s Personalization for PRF^nr = BLAKE2s(rk | cm + position)
+          = b"Zcashivk";
-pub const PRF_NR_PERSONALIZATION: &'static [u8; 8]  = b"WhatTheH";
+
+/// BLAKE2s Personalization for PRF^nf = BLAKE2s(nk | rho)
+pub const PRF_NF_PERSONALIZATION: &'static [u8; 8]
+          = b"Zcash_nf";
 
 // Group hash personalizations
 /// BLAKE2s Personalization for Pedersen hash generators.
-pub const PEDERSEN_HASH_GENERATORS_PERSONALIZATION: &'static [u8; 8] = b"PEDERSEN";
+pub const PEDERSEN_HASH_GENERATORS_PERSONALIZATION: &'static [u8; 8]
+          = b"Zcash_PH";
+
 /// BLAKE2s Personalization for the group hash for key diversification
-pub const KEY_DIVERSIFICATION_PERSONALIZATION: &'static [u8; 8] = b"Zcash_gh";
+pub const KEY_DIVERSIFICATION_PERSONALIZATION: &'static [u8; 8]
-/// BLAKE2s Personalization for the proof generation key base point
+          = b"Zcash_gd";
-pub const PROOF_GENERATION_KEY_BASE_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"12345678";
+
-/// BLAKE2s Personalization for the note commitment randomness generator
-pub const NOTE_COMMITMENT_RANDOMNESS_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"abcdefgh";
-/// BLAKE2s Personalization for the nullifier position generator (for PRF^nr)
-pub const NULLIFIER_POSITION_IN_TREE_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"nfnfnfnf";
-/// BLAKE2s Personalization for the value commitment generator for the value
-pub const VALUE_COMMITMENT_VALUE_GENERATOR_PERSONALIZATION: &'static [u8; 8]     = b"45u8gh45";
-/// BLAKE2s Personalization for the value commitment randomness generator
-pub const VALUE_COMMITMENT_RANDOMNESS_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"11111111";
 /// BLAKE2s Personalization for the spending key base point
-pub const SPENDING_KEY_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"sksksksk";
+pub const SPENDING_KEY_GENERATOR_PERSONALIZATION: &'static [u8; 8]
+          = b"Zcash_G_";
+
+/// BLAKE2s Personalization for the proof generation key base point
+pub const PROOF_GENERATION_KEY_BASE_GENERATOR_PERSONALIZATION: &'static [u8; 8]
+          = b"Zcash_H_";
+
+/// BLAKE2s Personalization for the note commitment randomness generator
+pub const NOTE_COMMITMENT_RANDOMNESS_GENERATOR_PERSONALIZATION: &'static [u8; 8]
+          = b"Zcashrcm";
+
+/// BLAKE2s Personalization for the value commitment randomness generator
+pub const VALUE_COMMITMENT_RANDOMNESS_GENERATOR_PERSONALIZATION: &'static [u8; 8]
+          = b"Zcashrcv";
+
+/// BLAKE2s Personalization for the value commitment generator for the value
+pub const VALUE_COMMITMENT_VALUE_GENERATOR_PERSONALIZATION: &'static [u8; 8]
+          = b"Zcash_cv";
+
+/// BLAKE2s Personalization for the nullifier position generator (for computing rho)
+pub const NULLIFIER_POSITION_IN_TREE_GENERATOR_PERSONALIZATION: &'static [u8; 8]
+          = b"Zcashrho";

src/primitives/mod.rs

@@ -242,7 +242,7 @@ impl<E: JubjubEngine> Note<E> {
         let mut nf_preimage = [0u8; 64];
         viewing_key.nk.write(&mut nf_preimage[0..32]).unwrap();
         rho.write(&mut nf_preimage[32..64]).unwrap();
-        let mut h = Blake2s::with_params(32, &[], &[], constants::PRF_NR_PERSONALIZATION);
+        let mut h = Blake2s::with_params(32, &[], &[], constants::PRF_NF_PERSONALIZATION);
         h.update(&nf_preimage);
         
         h.finalize().as_ref().to_vec()