Add support for Zcash unified addresses

[krnak]

Specification: ZIP-316

Unified addresses feature is conditioned by USE_ZCASH flag.

• unix: USE_ZCASH=1
• firmware: USE_ZCASH=BITCOIN_ONLY , i.e. Zcash parasitizes on btconly free memory

[andrewkozlik]

This would mean that Bitcoin-only firmware automatically has Zcash, then it's not Bitcoin-only. This should be something like USE_ZCASH = ARGUMENTS.get('USE_ZCASH', '0').

1. We should do some memory analysis on this branch to figure out what's bloating the firmware so much and whether it's really needed. I suppose it's the Rust crates? Will we really need the entire thing?
2. If we accept that a special Zcash firmware will be needed, then we need to do some refactoring around BITCOIN_ONLY, see BITCOIN_ONLY feature is not additive #2370.
3. A separate CI build will then be needed for both the Zcash firmware and Zcash emulator.

[andrewkozlik]

This should probably be utils.USE_ZCASH or not utils.BITCOIN_ONLY, or something similar, depending on #2375.

[krnak]

I realized why the flash was overflowing. Crate f4jumble depends on crate blake2b_simd, which uses enormous amount of inlining. After disabling this behavior by enabling blake2b_simd/uninline_portable feature, firmware fits into the flash again.

According to my analysis, dependencies are under 8.7 KiB.

  Size        Crate Name
3.7KiB blake2b_simd blake2b_simd::avx2::compress1_loop
1.3KiB blake2b_simd blake2b_simd::guts::Implementation::compress1_loop
1.1KiB blake2b_simd blake2b_simd::portable::round
  379B blake2b_simd blake2b_simd::Params::hash
  362B blake2b_simd blake2b_simd::Params::to_state
  318B     f4jumble f4jumble::State::g_round
  273B blake2b_simd blake2b_simd::State::update
  214B     f4jumble f4jumble::State::h_round
  179B    [Unknown] main
  171B blake2b_simd blake2b_simd::State::finalize
  140B blake2b_simd blake2b_simd::guts::final_block
  137B blake2b_simd blake2b_simd::State::fill_buf
   84B     f4jumble f4jumble::f4jumble_mut
   56B          std <core::ops::range::Range<usize> as core::slice::index::SliceIndex<[T]>>::index_mut
   45B          std <core::ops::range::Range<usize> as core::slice::index::SliceIndex<[T]>>::index
   35B blake2b_simd core::slice::<impl [T]>::copy_from_slice
   29B          std core::slice::index::<impl core::ops::index::Index<I> for [T]>::index
   26B     f4jumble f4jumble::xor
8.7KiB              .text section size, the file size is 26.6KiB

[prusnak]

Is this for the firmware or for the emulator?

I'm asking because e.g. blake2b_simd::avx2 does not make sense for the firmware (we don't have Intel AVX2 instructions on ARM).

Honestly, I am unsure whether SIMD makes sense for Cortex-M4 at all, because IIRC SIMD is supported only on Cortex-A series. So maybe we could switch to non-SIMD version of blake2b?

[andrewkozlik]

According to my analysis, dependencies are under 8.7 KiB.

Good job!

The code duplication between C and Rust is unfortunate. The C implementation of blake2b also uses a lot of inlining and is one of the biggest crypto implementations that we have #1947 (comment). The only ones that are bigger are the ECC implementations that use precomputed tables.

If we want to get rid of the code duplication, then one option is implementing f4jumble in C, which should be very easy. It's just a 4-round Feistel scheme with blake2b at its core: https://github.com/daira/jumble/blob/main/f4jumble.py.

[krnak]

Is this for the firmware or for the emulator?

firmware

So maybe we could switch to non-SIMD version of blake2b?

This is not so easy since we depend on blake2b_simd indirectly through f4jumble crate :/ Standard approach would be to fork f4jumble and then depend on this fork and maintain it.

If we want to get rid of the code duplication, then one option is implementing f4jumble in C, which should be very easy.

This is possible optimization for sure.

[krnak]

I removed USE_ZCASH conditional compilation and enabled blake2s_simd/uninline_portable 6f2bf03.

But since importing f4jumble already soaked through many files, I will probably open a new PR to make a version based on C-blake2b implementation.

[krnak]

replacing this PR by #2398