Generate an ovk to encrypt outCiphertext for t-addr senders

Closes #3506.

src/zcash/zip32.cpp

@@ -8,6 +8,7 @@
 #include "random.h"
 #include "streams.h"
 #include "version.h"
+#include "zcash/prf.h"
 
 #include <librustzcash.h>
 #include <sodium.h>
@@ -15,6 +16,9 @@
 const unsigned char ZCASH_HD_SEED_FP_PERSONAL[crypto_generichash_blake2b_PERSONALBYTES] =
     {'Z', 'c', 'a', 's', 'h', '_', 'H', 'D', '_', 'S', 'e', 'e', 'd', '_', 'F', 'P'};
 
+const unsigned char ZCASH_TADDR_OVK_PERSONAL[crypto_generichash_blake2b_PERSONALBYTES] =
+    {'Z', 'c', 'T', 'a', 'd', 'd', 'r', 'T', 'o', 'S', 'a', 'p', 'l', 'i', 'n', 'g'};
+
 HDSeed HDSeed::Random(size_t len)
 {
     assert(len >= 32);
@@ -30,6 +34,29 @@ uint256 HDSeed::Fingerprint() const
     return h.GetHash();
 }
 
+uint256 ovkForShieldingFromTaddr(HDSeed& seed) {
+    auto rawSeed = seed.RawSeed();
+
+    // I = BLAKE2b-512("ZcTaddrToSapling", seed)
+    crypto_generichash_blake2b_state state;
+    assert(crypto_generichash_blake2b_init_salt_personal(
+        &state,
+        NULL, 0, // No key.
+        64,
+        NULL,    // No salt.
+        ZCASH_TADDR_OVK_PERSONAL) == 0);
+    crypto_generichash_blake2b_update(&state, rawSeed.data(), rawSeed.size());
+    auto intermediate = std::array<unsigned char, 64>();
+    crypto_generichash_blake2b_final(&state, intermediate.data(), 64);
+
+    // I_L = I[0..32]
+    uint256 intermediate_L;
+    memcpy(intermediate_L.begin(), intermediate.data(), 32);
+
+    // ovk = truncate_32(PRF^expand(I_L, [0x02]))
+    return PRF_ovk(intermediate_L);
+}
+
 namespace libzcash {
 
 boost::optional<SaplingExtendedFullViewingKey> SaplingExtendedFullViewingKey::Derive(uint32_t i) const