zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zips/zip-0227.html

988 lines
79 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html>
<head>
<title>ZIP 227: Issuance of Zcash Shielded Assets</title>
<meta charset="utf-8" />
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script>
<meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head>
<body>
<section>
<pre>ZIP: 227
Title: Issuance of Zcash Shielded Assets
Owners: Pablo Kogan &lt;pablo@qed-it.com&gt;
Vivek Arte &lt;vivek@qed-it.com&gt;
Daira-Emma Hopwood &lt;daira@electriccoin.co&gt;
Jack Grigg &lt;str4d@electriccoin.co&gt;
Credits: Daniel Benarroch
Aurelien Nicolas
Deirdre Connolly
Teor
Status: Draft
Category: Consensus
Created: 2022-05-01
License: MIT
Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/618">https://github.com/zcash/zips/issues/618</a>&gt;
Pull-Request: &lt;<a href="https://github.com/zcash/zips/pull/680">https://github.com/zcash/zips/pull/680</a>&gt;</pre>
<section id="terminology"><h2><span class="section-heading">Terminology</span><span class="section-anchor"> <a rel="bookmark" href="#terminology"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The key words "MUST", "MUST NOT", "SHOULD", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in BCP 14 <a id="footnote-reference-1" class="footnote_reference" href="#bcp14">1</a> when, and only when, they appear in all capitals.</p>
<p>The term "network upgrade" in this document is to be interpreted as described in ZIP 200 <a id="footnote-reference-2" class="footnote_reference" href="#zip-0200">7</a>.</p>
<p>The terms "Orchard" and "Action" in this document are to be interpreted as described in ZIP 224 <a id="footnote-reference-3" class="footnote_reference" href="#zip-0224">8</a>.</p>
<p>We define the following additional terms:</p>
<ul>
<li>Asset: A type of note that can be transferred on the Zcash blockchain. Each Asset is identified by an Asset Identifier <a href="#specification-asset-identifier">Specification: Asset Identifier</a>.
<ul>
<li>ZEC is the default (and currently the only defined) Asset for the Zcash mainnet.</li>
<li>TAZ is the default (and currently the only defined) Asset for the Zcash testnet.</li>
<li>We use the term "Custom Asset" to refer to any Asset other than ZEC and TAZ.</li>
</ul>
</li>
<li>Native Asset: a Custom Asset with issuance defined on the Zcash blockchain.</li>
<li>Wrapped Asset: a Custom Asset with native issuance defined outside the Zcash blockchain.</li>
<li>Issuance Action: an instance of a single issuance of a Zcash Shielded Asset. It defines the issuance of a single Asset Identifier.</li>
<li>Issuance Bundle: the bundle in the transaction that contains all the issuance actions of that transaction.</li>
</ul>
</section>
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a rel="bookmark" href="#abstract"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This ZIP (ZIP 227) proposes the Zcash Shielded Assets (ZSA) protocol, in conjunction with ZIP 226 <a id="footnote-reference-4" class="footnote_reference" href="#zip-0226">9</a>. This protocol is an extension of the Orchard protocol that enables the creation, transfer and burn of Custom Assets on the Zcash chain. The creation of such Assets is defined in this ZIP (ZIP 227), while the transfer and burn of such Assets is defined in ZIP 226 <a id="footnote-reference-5" class="footnote_reference" href="#zip-0226">9</a>. This ZIP must only be implemented in conjunction with ZIP 226 <a id="footnote-reference-6" class="footnote_reference" href="#zip-0226">9</a>. The proposed issuance mechanism is only valid for the Orchard-ZSA transfer protocol, because it produces notes that can only be transferred under ZSA.</p>
</section>
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a rel="bookmark" href="#motivation"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This ZIP introduces the issuance mechanism for Custom Assets on the Zcash chain. While originally part of a single ZSA ZIP, the issuance mechanism turned out to be substantial enough to stand on its own and justify the creation of this supporting ZIP for ZIP 226 <a id="footnote-reference-7" class="footnote_reference" href="#zip-0226">9</a>.</p>
<p>This ZIP only enables <em>transparent</em> issuance. As a first step, transparency will allow for proper testing of the applications that will be most used in the Zcash ecosystem, and will enable the supply of Assets to be tracked.</p>
<p>The issuance mechanism described in this ZIP is broad enough for issuers to either create Assets on Zcash (i.e. Assets that originate on the Zcash blockchain), as well as for institutions to create bridges from other chains and import Wrapped Assets. This enables what we hope will be a useful set of applications.</p>
</section>
<section id="use-cases"><h2><span class="section-heading">Use Cases</span><span class="section-anchor"> <a rel="bookmark" href="#use-cases"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The design presented in this ZIP enables issuance of shielded Assets in various modes:</p>
<ul>
<li>The issuer may or may not know the receivers of the issued Asset in advance.</li>
<li>The Asset can be of non-fungible type, where each Asset type can be made part of a single “series”.</li>
<li>The supply of the Asset can be limited in advance or not.</li>
<li>The Asset can be a wrapped version of an Asset issued by another chain (as long as there is a bridge that supports transfer of that Asset between chains).</li>
</ul>
<p>See the <a href="#concrete-applications">Concrete Applications</a> section for more details.</p>
</section>
<section id="requirements"><h2><span class="section-heading">Requirements</span><span class="section-anchor"> <a rel="bookmark" href="#requirements"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<ul>
<li>Any user of the Zcash blockchain can issue Custom Assets on chain.</li>
<li>The issuance mechanism should enable public tracking of the supply of the Assets on the Zcash blockchain.</li>
<li>Issuing or changing the attributes of a specific Asset should require cryptographic authorization.</li>
<li>The Asset identification should be unique (among all shielded pools) and different issuer public keys should not be able to generate the same Asset Identifier.</li>
<li>An issuer should be able to issue different Assets in the same transaction. In other words, in a single "issuance bundle", the issuer should be able publish many "issuance actions", potentially creating multiple Custom Assets.</li>
<li>Every "issuance action" should contain a
<span class="math">\(\mathsf{finalize}\)</span>
boolean that defines whether the specific Custom Asset can have further tokens issued or not.</li>
</ul>
</section>
<section id="specification-issuance-keys-and-issuance-authorization-signature-scheme"><h2><span class="section-heading">Specification: Issuance Keys and Issuance Authorization Signature Scheme</span><span class="section-anchor"> <a rel="bookmark" href="#specification-issuance-keys-and-issuance-authorization-signature-scheme"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The Orchard-ZSA Protocol adds the following keys to the key components <a id="footnote-reference-8" class="footnote_reference" href="#protocol-addressesandkeys">18</a> <a id="footnote-reference-9" class="footnote_reference" href="#protocol-orchardkeycomponents">19</a>:</p>
<ol type="1">
<li>The issuance authorizing key, denoted as
<span class="math">\(\mathsf{isk}\!\)</span>
, is the key used to authorize the issuance of Asset Identifiers by a given issuer, and is only used by that issuer.</li>
<li>The issuance validating key, denoted as
<span class="math">\(\mathsf{ik}\!\)</span>
, is the key that is used to validate issuance transactions. This key is used to validate the issuance of Asset Identifiers by a given issuer, and is used by all blockchain users (specifically the owners of notes for that Asset, and consensus validators) to associate the Asset in question with the issuer.</li>
</ol>
<p>The relations between these keys are shown in the following diagram:</p>
<figure class="align-center" align="center">
<img width="450" src="zip-0227-key-components-zsa.png" alt="" />
<figcaption>Diagram of Issuance Key Components for the Orchard-ZSA Protocol</figcaption>
</figure>
<section id="issuance-authorization-signature-scheme"><h3><span class="section-heading">Issuance Authorization Signature Scheme</span><span class="section-anchor"> <a rel="bookmark" href="#issuance-authorization-signature-scheme"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>We instantiate the issuance authorization signature scheme
<span class="math">\(\mathsf{IssueAuthSig}\)</span>
as a BIP-340 Schnorr signature over the secp256k1 curve. The signing and validation algorithms, signature encoding, and public key encoding MUST follow BIP 340 <a id="footnote-reference-10" class="footnote_reference" href="#bip-0340">16</a>.</p>
<p>Batch verification MAY be used. Precomputation MAY be used if and only if it produces equivalent results; for example, for a given verification key
<span class="math">\(pk\)</span>
and
<span class="math">\(\mathit{lift\_x}(\mathit{int}(pk))\)</span>
MAY be precomputed.</p>
<p>We define the constants as per the secp256k1 standard parameters, as described in BIP 340.</p>
<p>The associated types of the
<span class="math">\(\mathsf{IssueAuthSig}\)</span>
signature scheme are as follows:</p>
<ul>
<li>
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{Message} = \mathbb{B}^{\mathbb{Y}^{[\mathbb{N}]}}\)</span>
</li>
<li>
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{Signature} = \mathbb{B}^{\mathbb{Y}^{[64]}} \cup \{\bot\}\)</span>
</li>
<li>
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{Public} = \mathbb{B}^{\mathbb{Y}^{[32]}} \cup \{\bot\}\)</span>
</li>
<li>
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{Private} = \mathbb{B}^{\mathbb{Y}^{[32]}}\)</span>
</li>
</ul>
<p>where
<span class="math">\(\mathbb{B}^{\mathbb{Y}^{[k]}}\)</span>
denotes the set of sequences of
<span class="math">\(k\)</span>
bytes, and
<span class="math">\(\mathbb{B}^{\mathbb{Y}^{[\mathbb{N}]}}\)</span>
denotes the type of byte sequences of arbitrary length, as defined in the Zcash protocol specification <a id="footnote-reference-11" class="footnote_reference" href="#protocol-notation">17</a>.</p>
<p>The issuance authorizing key generation algorithm and the issuance validating key derivation algorithm are defined in the <a href="#issuance-key-derivation">Issuance Key Derivation</a> section, while the corresponding signing and validation algorithms are defined in the <a href="#issuance-authorization-signing-and-validation">Issuance Authorization Signing and Validation</a> section.</p>
</section>
<section id="issuance-key-derivation"><h3><span class="section-heading">Issuance Key Derivation</span><span class="section-anchor"> <a rel="bookmark" href="#issuance-key-derivation"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<section id="issuance-authorizing-key-generation-for-hierarchical-deterministic-wallets"><h4><span class="section-heading">Issuance authorizing key generation for hierarchical deterministic wallets</span><span class="section-anchor"> <a rel="bookmark" href="#issuance-authorizing-key-generation-for-hierarchical-deterministic-wallets"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>The issuance authorizing key is generated using the Orchard master key derivation procedure defined in ZIP 32 <a id="footnote-reference-12" class="footnote_reference" href="#zip-0032-orchard-master">3</a>. We reuse the functions defined there in what follows in this section.</p>
<p>Let
<span class="math">\(S\)</span>
be a seed byte sequence of a chosen length, which MUST be at least 32 and at most 252 bytes. We define the master extended issuance key
<span class="math">\(m_{\mathsf{Issuance}} := \mathsf{MasterKeyGen}(\texttt{"ZIP32ZSAIssue_V1"}, S)\!\)</span>
.</p>
<p>As in ZIP 32 for Orchard <a id="footnote-reference-13" class="footnote_reference" href="#zip-0032-orchard-child-key-derivation">4</a>, we only use hardened child key derivation for the issuance authorizing key. We reuse the
<span class="math">\(\mathsf{CDKsk}\)</span>
function for Orchard child key derivation from ZIP 32.</p>
<p>We use the notation of ZIP 32 <a id="footnote-reference-14" class="footnote_reference" href="#zip-0032-orchard-key-path">6</a> for shielded HD paths, and define the issuance authorizing key path as
<span class="math">\(m_{\mathsf{Issuance}} / \mathit{purpose}' / \mathit{coin\_type}' / \mathit{account}'\!\)</span>
. We fix the path levels as follows:</p>
<ul>
<li>
<span class="math">\(\mathit{purpose}\)</span>
: a constant set to
<span class="math">\(227\)</span>
(i.e.
<span class="math">\(\mathtt{0xe3}\!\)</span>
).
<span class="math">\(\mathit{purpose}'\)</span>
is thus
<span class="math">\(227'\)</span>
(or
<span class="math">\(\mathtt{0x800000e3}\!\)</span>
) following the BIP 43 recommendation.</li>
<li>
<span class="math">\(\mathit{coin\_type}\)</span>
: Defined as in ZIP 32 <a id="footnote-reference-15" class="footnote_reference" href="#zip-0032-key-path-levels">5</a>.</li>
<li>
<span class="math">\(\mathit{account}\)</span>
: fixed to index
<span class="math">\(0\!\)</span>
.</li>
</ul>
<p>From the generated
<span class="math">\((\mathsf{sk}, \mathsf{c})\!\)</span>
, we set the issuance authorizing key to be
<span class="math">\(\mathsf{isk} := \mathsf{sk}\!\)</span>
.</p>
</section>
<section id="derivation-of-issuance-validating-key"><h4><span class="section-heading">Derivation of issuance validating key</span><span class="section-anchor"> <a rel="bookmark" href="#derivation-of-issuance-validating-key"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>Define
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{DerivePublic}\; : \; (\mathsf{isk}\; : \; \mathsf{IssueAuthSig}.\!\mathsf{Private}) \to \mathsf{IssueAuthSig}.\!\mathsf{Public}\)</span>
as:</p>
<ul>
<li>
<span class="math">\(\mathsf{ik} := \textit{PubKey}(\mathsf{isk})\)</span>
</li>
<li>Return
<span class="math">\(\bot\)</span>
if the
<span class="math">\(\textit{PubKey}\)</span>
algorithm invocation fails, otherwise return
<span class="math">\(\mathsf{ik}\!\)</span>
.</li>
</ul>
<p>where the
<span class="math">\(\textit{PubKey}\)</span>
algorithm is defined in BIP 340 <a id="footnote-reference-16" class="footnote_reference" href="#bip-0340">16</a>. Note that the byte representation of
<span class="math">\(\mathsf{ik}\)</span>
is in big-endian order as defined in BIP 340.</p>
<p>It is possible for the
<span class="math">\(\textit{PubKey}\)</span>
algorithm to fail with very low probability, which means that
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{DerivePublic}\)</span>
could return
<span class="math">\(\bot\)</span>
with very low probability. If this happens, discard the keys and repeat with a different
<span class="math">\(\mathsf{isk}\!\)</span>
.</p>
<p>This allows the issuer to use the same wallet it usually uses to transfer Assets, while keeping a disconnect from the other keys. Specifically, this method is aligned with the requirements and motivation of ZIP 32 <a id="footnote-reference-17" class="footnote_reference" href="#zip-0032">2</a>. It provides further anonymity and the ability to delegate issuance of an Asset (or in the future, generate a multi-signature protocol) while the rest of the keys remain in the wallet safe.</p>
</section>
</section>
<section id="issuance-authorization-signing-and-validation"><h3><span class="section-heading">Issuance Authorization Signing and Validation</span><span class="section-anchor"> <a rel="bookmark" href="#issuance-authorization-signing-and-validation"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Define
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{Sign}\; : \; (\mathsf{isk}\; : \; \mathsf{IssueAuthSig}.\!\mathsf{Private}) \times (M\; : \; \mathsf{IssueAuthSig}.\!\mathsf{Message}) \to \mathsf{IssueAuthSig}.\!\mathsf{Signature}\)</span>
as:</p>
<ul>
<li>Let the auxiliary data
<span class="math">\(a = [\mathtt{0x00}]^{32}\!\)</span>
.</li>
<li>Let
<span class="math">\(\text{σ} = \mathsf{Sign}(\mathsf{isk}, M)\!\)</span>
.</li>
<li>Return
<span class="math">\(\bot\)</span>
if the
<span class="math">\(\mathsf{Sign}\)</span>
algorithm fails in the previous step, otherwise return
<span class="math">\(\text{σ}\!\)</span>
.</li>
</ul>
<p>where the
<span class="math">\(\mathsf{Sign}\)</span>
algorithm is defined in BIP 340 and
<span class="math">\(a\)</span>
denotes the auxiliary data used in BIP 340 <a id="footnote-reference-18" class="footnote_reference" href="#bip-0340">16</a>. Note that
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{Sign}\)</span>
could return
<span class="math">\(\bot\)</span>
with very low probability.</p>
<p>Define
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{Validate}\; : \; (\mathsf{ik}\; : \; \mathsf{IssueAuthSig}.\!\mathsf{Public}) \times (M\; : \; \mathsf{IssueAuthSig}.\!\mathsf{Message}) \times (\text{σ}\; : \; \mathsf{IssueAuthSig}.\!\mathsf{Signature}) \to \mathbb{B}\)</span>
as:</p>
<ul>
<li>Return
<span class="math">\(0\)</span>
if
<span class="math">\(\text{σ} = \bot\!\)</span>
.</li>
<li>Return
<span class="math">\(1\)</span>
if
<span class="math">\(\mathsf{Verify}(\mathsf{ik}, M, \text{σ})\)</span>
succeeds, otherwise
<span class="math">\(0\!\)</span>
.</li>
</ul>
<p>where the
<span class="math">\(\mathsf{Verify}\)</span>
algorithm is defined in BIP 340 <a id="footnote-reference-19" class="footnote_reference" href="#bip-0340">16</a>.</p>
</section>
</section>
<section id="specification-asset-identifier"><h2><span class="section-heading">Specification: Asset Identifier</span><span class="section-anchor"> <a rel="bookmark" href="#specification-asset-identifier"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>For every new Asset, there must be a new and unique Asset Identifier, denoted
<span class="math">\(\mathsf{AssetId}\!\)</span>
. We define this to be a globally unique pair
<span class="math">\(\mathsf{AssetId} := (\mathsf{ik}, \mathsf{asset\_desc})\!\)</span>
, where
<span class="math">\(\mathsf{ik}\)</span>
is the issuance key and
<span class="math">\(\mathsf{asset\_desc}\)</span>
is a byte string.</p>
<p>A given Asset Identifier is used across all Zcash protocols that support ZSAs -- that is, the Orchard-ZSA protocol and potentially future Zcash shielded protocols. For this Asset Identifier, we derive an Asset Digest,
<span class="math">\(\mathsf{AssetDigest}\!\)</span>
, which is simply is a
<span class="math">\(\textsf{BLAKE2b-512}\)</span>
hash of the Asset Identifier. From the Asset Digest, we derive a specific Asset Base within each shielded protocol using the applicable hash-to-curve algorithm. This Asset Base is included in shielded notes.</p>
<p>Let</p>
<ul>
<li>
<span class="math">\(\mathsf{asset\_desc}\)</span>
be the asset description, which includes any information pertaining to the issuance, and is a byte sequence of up to 512 bytes which SHOULD be a well-formed UTF-8 code unit sequence according to Unicode 15.0.0 or later.</li>
<li>
<span class="math">\(\mathsf{ik}\)</span>
be the issuance validating key of the issuer, a public key used to verify the signature on the issuance transaction's SIGHASH.</li>
</ul>
<p>Define
<span class="math">\(\mathsf{AssetDigest_{AssetId}} := \textsf{BLAKE2b-512}(\texttt{"ZSA-Asset-Digest"},\; \mathsf{EncodeAssetId}(\mathsf{AssetId}))\!\)</span>
, where</p>
<ul>
<li>
<span class="math">\(\mathsf{EncodeAssetId}(\mathsf{AssetId}) = \mathsf{EncodeAssetId}((\mathsf{ik}, \mathsf{asset\_desc})) := \mathtt{0x00} || \mathsf{ik} || \mathsf{asset\_desc}\!\!\)</span>
.</li>
<li>Note that the initial
<span class="math">\(\mathtt{0x00}\)</span>
byte is a version byte.</li>
</ul>
<p>Define
<span class="math">\(\mathsf{AssetBase_{AssetId}} := \mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}})\)</span>
</p>
<p>In the case of the Orchard-ZSA protocol, we define
<span class="math">\(\mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}}) := \mathsf{GroupHash}^\mathbb{P}(\texttt{"z.cash:OrchardZSA"}, \mathsf{AssetDigest_{AssetId}})\)</span>
where
<span class="math">\(\mathsf{GroupHash}^\mathbb{P}\)</span>
is defined as in <a id="footnote-reference-20" class="footnote_reference" href="#protocol-concretegrouphashpallasandvesta">20</a>.</p>
<p>The relations between the Asset Identifier, Asset Digest, and Asset Base are shown in the following diagram:</p>
<figure class="align-center" align="center">
<img width="600" src="zip-0227-asset-identifier-relation.png" alt="" />
<figcaption>Diagram relating the Asset Identifier, Asset Digest, and Asset Base in the ZSA Protocol</figcaption>
</figure>
<p><strong>Note:</strong> To keep notations light and concise, we may omit
<span class="math">\(\mathsf{AssetId}\)</span>
(resp.
<span class="math">\(\mathsf{Protocol}\!\)</span>
) in the subscript (resp. superscript) when the Asset Identifier (resp. Protocol) is clear from the context.</p>
<p>Wallets MUST NOT display just the
<span class="math">\(\mathsf{asset\_desc}\)</span>
string to their users as the name of the Asset. Some possible alternatives include:</p>
<ul>
<li>Wallets could allow clients to provide an additional configuration file that stores a one-to-one mapping of names to Asset Identifiers via a petname system. This allows clients to rename the Assets in a way they find useful. Default versions of this file with well-known Assets listed can be made available online as a starting point for clients.</li>
<li>The Asset Digest could be used as a more compact bytestring to uniquely determine an Asset, and wallets could support clients scanning QR codes to load Asset information into their wallets.</li>
</ul>
</section>
<section id="specification-global-issuance-state"><h2><span class="section-heading">Specification: Global Issuance State</span><span class="section-anchor"> <a rel="bookmark" href="#specification-global-issuance-state"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>Issuance requires the following additions to the global state defined at block boundaries:</p>
<ul>
<li>
<span class="math">\(\mathsf{previously\_finalized}\!\)</span>
, a set of
<span class="math">\(\mathsf{AssetId}\)</span>
that have been finalized (i.e.: the
<span class="math">\(\mathsf{finalize}\)</span>
flag has been set to
<span class="math">\(1\)</span>
in some issuance transaction preceding the block boundary).</li>
</ul>
</section>
<section id="specification-issuance-action-issuance-bundle-and-issuance-protocol"><h2><span class="section-heading">Specification: Issuance Action, Issuance Bundle and Issuance Protocol</span><span class="section-anchor"> <a rel="bookmark" href="#specification-issuance-action-issuance-bundle-and-issuance-protocol"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<section id="issuance-action-description"><h3><span class="section-heading">Issuance Action Description</span><span class="section-anchor"> <a rel="bookmark" href="#issuance-action-description"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>An issuance action, <code>IssueAction</code>, is the instance of issuing a specific Custom Asset, and contains the following fields:</p>
<ul>
<li><code>assetDescSize</code>: the size of the Asset description, a number between
<span class="math">\(0\)</span>
and
<span class="math">\(512\!\)</span>
, stored in two bytes.</li>
<li><code>asset_desc</code>: the Asset description, a byte string of up to 512 bytes as defined in the <a href="#specification-asset-identifier">Specification: Asset Identifier</a> section.</li>
<li><code>vNotes</code>: an array of <code>Note</code> containing the unencrypted output notes of the recipients of the Asset.</li>
<li><code>flagsIssuance</code>: a byte that stores the
<span class="math">\(\mathsf{finalize}\)</span>
boolean that defines whether the issuance of that specific Custom Asset is finalized or not.</li>
</ul>
<p>An asset's
<span class="math">\(\mathsf{AssetDigest}\)</span>
is added to the
<span class="math">\(\mathsf{previously\_finalized}\)</span>
set after a block that contains any issuance transaction for that asset with
<span class="math">\(\mathsf{finalize} = 1\!\)</span>
. It then cannot be removed from this set. For Assets with
<span class="math">\(\mathsf{AssetDigest} \in \mathsf{previously\_finalized}\!\)</span>
, no further tokens can be issued, so as seen below, the validators will reject the transaction. For Assets with
<span class="math">\(\mathsf{AssetDigest} \not\in \mathsf{previously\_finalized}\!\)</span>
, new issuance actions can be issued in future transactions. These must use the same Asset description,
<span class="math">\(\mathsf{asset\_desc}\!\)</span>
, and can either maintain
<span class="math">\(\mathsf{finalize} = 0\)</span>
or change it to
<span class="math">\(\mathsf{finalize} = 1\!\)</span>
, denoting that this Custom Asset cannot be issued after the containing block.</p>
<table>
<thead>
<tr>
<th>Bytes</th>
<th>Name</th>
<th>Data Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>2</code></td>
<td><code>assetDescSize</code></td>
<td><code>byte</code></td>
<td>The length of the <code>asset_desc</code> string in bytes.</td>
</tr>
<tr>
<td><code>assetDescSize</code></td>
<td><code>asset_desc</code></td>
<td><code>byte[assetDescSize]</code></td>
<td>A byte sequence of length <code>assetDescSize</code> bytes which SHOULD be a well-formed UTF-8 code unit sequence according to Unicode 15.0.0 or later.</td>
</tr>
<tr>
<td><code>varies</code></td>
<td><code>nNotes</code></td>
<td><code>compactSize</code></td>
<td>The number of notes in the issuance action.</td>
</tr>
<tr>
<td><code>noteSize * nNotes</code></td>
<td><code>vNotes</code></td>
<td><code>Note[nNotes]</code></td>
<td>A sequence of note descriptions within the issuance action, where <code>noteSize</code> is the size, in bytes, of a Note.</td>
</tr>
<tr>
<td><code>1</code></td>
<td><code>flagsIssuance</code></td>
<td><code>byte</code></td>
<td>
<dl>
<dt>An 8-bit value representing a set of flags. Ordered from LSB to MSB:</dt>
<dd>
<ul>
<li>
<span class="math">\(\mathsf{finalize}\)</span>
</li>
<li>The remaining bits are set to
<span class="math">\(0\!\)</span>
.</li>
</ul>
</dd>
</dl>
</td>
</tr>
</tbody>
</table>
<p>We note that the output note commitment of the recipient's notes are not included in the actual transaction, but when added to the global state of the chain, they will be added to the note commitment tree as a shielded note. This prevents future usage of the note from being linked to the issuance transaction, as the nullifier key is not known to the validators and chain observers.</p>
</section>
<section id="issuance-bundle"><h3><span class="section-heading">Issuance Bundle</span><span class="section-anchor"> <a rel="bookmark" href="#issuance-bundle"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>An issuance bundle, <code>IssueBundle</code>, is the aggregate of all the issuance-related information. Specifically, contains all the issuance actions and the issuer signature on the transaction SIGHASH that validates the issuance itself. It contains the following fields:</p>
<ul>
<li>
<span class="math">\(\mathsf{ik}\)</span>
: the issuance validating key, that allows the validators to verify that the
<span class="math">\(\mathsf{AssetId}\)</span>
is properly associated with the issuer.</li>
<li><code>vIssueActions</code>: an array of issuance actions, of type <code>IssueAction</code>.</li>
<li>
<span class="math">\(\mathsf{issueAuthSig}\)</span>
: the signature of the transaction SIGHASH, signed by the issuance authorizing key,
<span class="math">\(\mathsf{isk}\!\)</span>
, that validates the issuance.</li>
</ul>
<p>The issuance bundle is then added within the transaction format as a new bundle. That is, issuance requires the addition of the following information to the transaction format <a id="footnote-reference-21" class="footnote_reference" href="#protocol-txnencoding">22</a>.</p>
<table>
<thead>
<tr>
<th>Bytes</th>
<th>Name</th>
<th>Data Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>varies</code></td>
<td><code>nIssueActions</code></td>
<td><code>compactSize</code></td>
<td>The number of issuance actions in the bundle.</td>
</tr>
<tr>
<td><code>IssueActionSize * nIssueActions</code></td>
<td><code>vIssueActions</code></td>
<td><code>IssueAction[nIssueActions]</code></td>
<td>A sequence of issuance action descriptions, where IssueActionSize is the size, in bytes, of an IssueAction description.</td>
</tr>
<tr>
<td><code>32</code></td>
<td><code>ik</code></td>
<td><code>byte[32]</code></td>
<td>The issuance validating key of the issuer, used to validate the signature.</td>
</tr>
<tr>
<td><code>64</code></td>
<td><code>issueAuthSig</code></td>
<td><code>byte[64]</code></td>
<td>The signature of the transaction SIGHASH, signed by the issuer, validated as in <a href="#issuance-authorization-signature-scheme">Issuance Authorization Signature Scheme</a>.</td>
</tr>
</tbody>
</table>
</section>
<section id="issuance-protocol"><h3><span class="section-heading">Issuance Protocol</span><span class="section-anchor"> <a rel="bookmark" href="#issuance-protocol"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The issuer program performs the following operations:</p>
<p>For all actions <code>IssueAction</code>:</p>
<ul>
<li>encode
<span class="math">\(\mathsf{asset\_desc}\)</span>
as a UTF-8 byte string of size up to 512.</li>
<li>compute
<span class="math">\(\mathsf{AssetDigest}\)</span>
from the issuance validating key
<span class="math">\(\mathsf{ik}\)</span>
and
<span class="math">\(\mathsf{asset\_desc}\)</span>
as decribed in the <a href="#specification-asset-identifier">Specification: Asset Identifier</a> section.</li>
<li>compute
<span class="math">\(\mathsf{AssetBase}\)</span>
from
<span class="math">\(\mathsf{AssetDigest}\)</span>
as decribed in the <a href="#specification-asset-identifier">Specification: Asset Identifier</a> section.</li>
<li>set the
<span class="math">\(\mathsf{finalize}\)</span>
boolean as desired (if more issuance actions are to be created for this
<span class="math">\(\mathsf{AssetBase}\!\)</span>
, set
<span class="math">\(\mathsf{finalize} = 0\!\)</span>
, otherwise set
<span class="math">\(\mathsf{finalize} = 1\!\)</span>
).</li>
<li>for each recipient
<span class="math">\(i\)</span>
:
<ul>
<li>generate a ZSA output note that includes the Asset Base. For an Orchard-ZSA note this is
<span class="math">\(\mathsf{note}_i = (\mathsf{d}_i, \mathsf{pk}_{\mathsf{d}_i}, \mathsf{v}_i, \text{ρ}_i, \mathsf{rseed}_i, \mathsf{AssetBase}, \mathsf{rcm}_i)\!\)</span>
.</li>
</ul>
</li>
<li>encode the <code>IssueAction</code> into the vector <code>vIssueActions</code> of the bundle.</li>
</ul>
<p>For the <code>IssueBundle</code>:</p>
<ul>
<li>encode the <code>vIssueActions</code> vector.</li>
<li>encode the
<span class="math">\(\mathsf{ik}\)</span>
as 32 byte-string.</li>
<li>sign the SIGHASH transaction hash with the issuance authorizing key,
<span class="math">\(\mathsf{isk}\!\)</span>
, using the
<span class="math">\(\mathsf{IssueAuthSig}\)</span>
signature scheme. The signature is then added to the issuance bundle.</li>
</ul>
<p><strong>Note:</strong> that the commitment is not included in the <code>IssuanceAction</code> itself. As explained below, it is computed later by the validators and added to the note commitment tree.</p>
</section>
</section>
<section id="specification-consensus-rule-changes"><h2><span class="section-heading">Specification: Consensus Rule Changes</span><span class="section-anchor"> <a rel="bookmark" href="#specification-consensus-rule-changes"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>For the <code>IssueBundle</code>:</p>
<ul>
<li>Validate the issuance authorization signature,
<span class="math">\(\mathsf{issueAuthSig}\!\)</span>
, on the SIGHASH transaction hash,
<span class="math">\(\mathsf{SigHash}\!\)</span>
, by invoking
<span class="math">\(\mathsf{IssueAuthSig}.\!\mathsf{Validate}(\mathsf{ik}, \mathsf{SigHash}, \mathsf{issueAuthSig})\!\)</span>
.</li>
</ul>
<p>For each <code>IssueAction</code> in <code>IssueBundle</code>:</p>
<ul>
<li>check that
<span class="math">\(0 &lt; \mathtt{assetDescSize} \leq 512\!\)</span>
.</li>
<li>check that
<span class="math">\(\mathsf{asset\_desc}\)</span>
is a string of length
<span class="math">\(\mathtt{assetDescSize}\)</span>
bytes.</li>
<li>retrieve
<span class="math">\(\mathsf{AssetBase}\)</span>
from the first note in the sequence and check that
<span class="math">\(\mathsf{AssetBase}\)</span>
is derived from the issuance validating key
<span class="math">\(\mathsf{ik}\)</span>
and
<span class="math">\(\mathsf{asset\_desc}\)</span>
as described in the <a href="#specification-asset-identifier">Specification: Asset Identifier</a> section.</li>
<li>check that the
<span class="math">\(\mathsf{AssetDigest}\)</span>
does not exist in the
<span class="math">\(\mathsf{previously\_finalized}\)</span>
set in the global state.</li>
<li>check that every note in the <code>IssueAction</code> contains the same
<span class="math">\(\mathsf{AssetBase}\)</span>
and is properly constructed as
<span class="math">\(\mathsf{note} = (\mathsf{g_d}, \mathsf{pk_d}, \mathsf{v}, \text{ρ}, \mathsf{rseed}, \mathsf{AssetBase})\!\)</span>
.</li>
</ul>
<p>If all of the above checks pass, do the following:</p>
<ul>
<li>For each note, compute the note commitment as
<span class="math">\(\mathsf{cm} = \mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})\)</span>
as defined in the Note Structure and Commitment section of ZIP 226 <a id="footnote-reference-22" class="footnote_reference" href="#zip-0226-notestructure">10</a> and</li>
<li>Add
<span class="math">\(\mathsf{cm}\)</span>
to the Merkle tree of note commitments.</li>
<li>If
<span class="math">\(\mathsf{finalize} = 1\!\)</span>
, add
<span class="math">\(\mathsf{AssetDigest}\)</span>
to the
<span class="math">\(\mathsf{previously\_finalized}\)</span>
set immediately after the block in which this transaction occurs.</li>
<li>(Replay Protection) If issue bundle is present, the fees MUST be greater than zero.</li>
</ul>
</section>
<section id="rationale"><h2><span class="section-heading">Rationale</span><span class="section-anchor"> <a rel="bookmark" href="#rationale"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The following is a list of rationale for different decisions made in the proposal:</p>
<ul>
<li>The issuance key structure is independent of the original key tree, but derived in an analogous manner (via ZIP 32). This is in order to keep the issuance details and the Asset Identifiers consistent across multiple shielded pools.</li>
<li>The design decision is not to have a chosen name to describe the Custom Asset, but to delegate it to an off-chain mapping, as this would imply a land-grab “war”.</li>
<li>The
<span class="math">\(\mathsf{asset\_desc}\)</span>
is a general byte string in order to allow for a wide range of information type to be included that may be associated with the Assets. Some are:
<ul>
<li>links for storage such as for NFTs.</li>
<li>metadata for Assets, encoded in any format.</li>
<li>bridging information for Wrapped Assets (chain of origin, issuer name, etc)</li>
<li>information to be committed by the issuer, though not enforceable by the protocol.</li>
</ul>
</li>
<li>We require a check whether the
<span class="math">\(\mathsf{finalize}\)</span>
flag only has been set in a previous block rather than a previous transaction in the same block. In other words, we only update the
<span class="math">\(\mathsf{previously\_finalized}`\)</span>
set at the block boundary. This is in keeping with the current property which allows for a miner to reorder transactions in a block without changing the meaning, which we aim to preserve.</li>
<li>We require non-zero fees in the presence of an issue bundle, in order to preclude the possibility of a transaction containing only an issue bundle. If a transaction includes only an issue bundle, the SIGHASH transaction hash would be computed solely based on the issue bundle. A duplicate bundle would have the same SIGHASH transaction hash, potentially allowing for a replay attack.</li>
</ul>
<section id="concrete-applications"><h3><span class="section-heading">Concrete Applications</span><span class="section-anchor"> <a rel="bookmark" href="#concrete-applications"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p><strong>Asset Features</strong></p>
<ul>
<li>By using the
<span class="math">\(\mathsf{finalize}\)</span>
boolean and the burning mechanism defined in <a id="footnote-reference-23" class="footnote_reference" href="#zip-0226">9</a>, issuers can control the supply production of any Asset associated to their issuer keys. For example,
<ul>
<li>by setting
<span class="math">\(\mathsf{finalize} = 1\)</span>
from the first issuance action for that Asset Identifier, the issuer is in essence creating a one-time issuance transaction. This is useful when the max supply is capped from the beginning and the distribution is known in advance. All tokens are issued at once and distributed as needed.</li>
</ul>
</li>
<li>Issuers can also stop the existing supply production of any Asset associated to their issuer keys. This could be done by
<ul>
<li>issuing a last set of tokens of that specific
<span class="math">\(\mathsf{AssetId}\!\)</span>
, for which
<span class="math">\(\mathsf{finalize} = 1\!\)</span>
, or by</li>
<li>issuing a transaction with a single note in the issuance action pertaining to that
<span class="math">\(\mathsf{AssetId}\!\)</span>
, where the note will contain a
<span class="math">\(\mathsf{value} = 0\!\)</span>
. This can be used for application-specific purposes (NFT collections) or for security purposes to revoke the Asset issuance (see Security and Privacy Considerations).</li>
<li>Note in the above cases, that the setting of the
<span class="math">\(\mathsf{finalize}\)</span>
flag will take effect at the block boundary, that is, after all the transactions in the block.</li>
</ul>
</li>
<li>The issuance and burn mechanisms can be used in conjunction to determine the supply of Assets on the Zcash ecosystem. This allows for the bridging of Assets defined on other chains.</li>
<li>Furthermore, NFT issuance is enabled by issuing in a single bundle several issuance actions, where each
<span class="math">\(\mathsf{AssetId}\)</span>
corresponds to
<span class="math">\(\mathsf{value} = 1\)</span>
at the fundamental unit level. Issuers and users should make sure that
<span class="math">\(\mathsf{finalize} = 1\)</span>
for each of the actions in this scenario.</li>
</ul>
</section>
</section>
<section id="txid-digest-issuance"><h2><span class="section-heading">TxId Digest - Issuance</span><span class="section-anchor"> <a rel="bookmark" href="#txid-digest-issuance"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the Orchard-ZSA protocol can be found in ZIP 226 <a id="footnote-reference-24" class="footnote_reference" href="#zip-0226-txiddigest">11</a>. As in ZIP 244 <a id="footnote-reference-25" class="footnote_reference" href="#zip-0244">12</a>, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.</p>
<p>A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. Each branch of the subtree will correspond to a specific subset of issuance transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:</p>
<pre>issuance_digest
├── issue_actions_digest
│   ├── issue_notes_digest
│   ├── assetDescription
│   └── flagsIssuance
└── issuanceValidatingKey</pre>
<p>In the specification below, nodes of the tree are presented in depth-first order.</p>
<section id="t-5-issuance-digest"><h3><span class="section-heading">T.5: issuance_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-5-issuance-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>T.5a: issue_actions_digest (32-byte hash output)
T.5b: issuanceValidatingKey (32 bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSAIssueHash"</pre>
<p>In case the transaction has no issuance components, ''issue_actions_digest'' is:</p>
<pre>BLAKE2b-256("ZTxIdSAIssueHash", [])</pre>
<section id="t-5a-issue-actions-digest"><h4><span class="section-heading">T.5a: issue_actions_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-issue-actions-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>A BLAKE2b-256 hash of Issue Action information for all Issuance Actions belonging to the transaction. For each Action, the following elements are included in the hash:</p>
<pre>T.5a.i : notes_digest (32-byte hash output)
T.5a.ii : assetDescription (field encoding bytes)
T.5a.iii: flagsIssuance (1 byte)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdIssuActHash"</pre>
<section id="t-5a-i-issue-notes-digest"><h5><span class="section-heading">T.5a.i: issue_notes_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-i-issue-notes-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of Note information for all Notes belonging to the Issuance Action. For each Note, the following elements are included in the hash:</p>
<pre>T.5a.i.1: recipient (field encoding bytes)
T.5a.i.2: value (field encoding bytes)
T.5a.i.3: assetBase (field encoding bytes)
T.5a.i.4: rho (field encoding bytes)
T.5a.i.5: rseed (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdIAcNoteHash"</pre>
<section id="t-5a-i-1-recipient"><h6><span class="section-heading">T.5a.i.1: recipient</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-i-1-recipient"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification <a id="footnote-reference-26" class="footnote_reference" href="#protocol-orchardpaymentaddrencoding">21</a>.</p>
</section>
<section id="t-5a-i-2-value"><h6><span class="section-heading">T.5a.i.2: value</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-i-2-value"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Note value encoded as little-endian 8-byte representation of 64-bit unsigned integer (e.g. u64 in Rust) raw value.</p>
</section>
<section id="t-5a-i-3-assetbase"><h6><span class="section-heading">T.5a.i.3: assetBase</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-i-3-assetbase"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Asset Base encoded as the 32-byte representation of a point on the Pallas curve.</p>
</section>
<section id="t-5a-i-4-rho"><h6><span class="section-heading">T.5a.i.4: rho</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-i-4-rho"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Nullifier encoded as 32-byte representation of a point on the Pallas curve.</p>
</section>
<section id="t-5a-i-5-rseed"><h6><span class="section-heading">T.5a.i.5: rseed</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-i-5-rseed"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>The ZIP 212 32-byte seed randomness for a note.</p>
</section>
</section>
<section id="t-5a-ii-assetdescription"><h5><span class="section-heading">T.5a.ii: assetDescription</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-ii-assetdescription"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>The Asset description byte string.</p>
</section>
<section id="t-5a-iii-flagsissuance"><h5><span class="section-heading">T.5a.iii: flagsIssuance</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-iii-flagsissuance"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>An 8-bit value representing a set of flags. Ordered from LSB to MSB:</p>
<ul>
<li>
<span class="math">\(\mathsf{finalize}\)</span>
</li>
<li>The remaining bits are set to <cite>0!</cite>.</li>
</ul>
</section>
</section>
<section id="t-5b-issuancevalidatingkey"><h4><span class="section-heading">T.5b: issuanceValidatingKey</span><span class="section-anchor"> <a rel="bookmark" href="#t-5b-issuancevalidatingkey"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>A byte encoding of issuance validating key for the bundle as defined in the <a href="#issuance-key-derivation">Issuance Key Derivation</a> section.</p>
</section>
</section>
</section>
<section id="signature-digest"><h2><span class="section-heading">Signature Digest</span><span class="section-anchor"> <a rel="bookmark" href="#signature-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The per-input transaction digest algorithm to generate the signature digest in ZIP 244 <a id="footnote-reference-27" class="footnote_reference" href="#zip-0244-sigdigest">13</a> is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.</p>
<p>The overall structure of the hash is as follows. We highlight the changes for the Orchard-ZSA protocol via the <code>[ADDED FOR ZSA]</code> text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:</p>
<pre>signature_digest
├── header_digest
├── transparent_sig_digest
├── sapling_digest
├── orchard_digest
└── issuance_digest [ADDED FOR ZSA]</pre>
<section id="signature-digest-1"><h3><span class="section-heading">signature_digest</span><span class="section-anchor"> <a rel="bookmark" href="#signature-digest-1"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>S.1: header_digest (32-byte hash output)
S.2: transparent_sig_digest (32-byte hash output)
S.3: sapling_digest (32-byte hash output)
S.4: orchard_digest (32-byte hash output)
S.5: issuance_digest (32-byte hash output) [ADDED FOR ZSA]</pre>
<p>The personalization field remains the same as in ZIP 244 <a id="footnote-reference-28" class="footnote_reference" href="#zip-0244">12</a>.</p>
<section id="s-5-issuance-digest"><h4><span class="section-heading">S.5: issuance_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-5-issuance-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>Identical to that specified for the transaction identifier.</p>
</section>
</section>
</section>
<section id="authorizing-data-commitment"><h2><span class="section-heading">Authorizing Data Commitment</span><span class="section-anchor"> <a rel="bookmark" href="#authorizing-data-commitment"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The transaction digest algorithm defined in ZIP 244 <a id="footnote-reference-29" class="footnote_reference" href="#zip-0244-authcommitment">14</a> which commits to the authorizing data of a transaction is modified by the Orchard-ZSA protocol to have the following structure. We highlight the changes for the Orchard-ZSA protocol via the <code>[ADDED FOR ZSA]</code> text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:</p>
<pre>auth_digest
├── transparent_scripts_digest
├── sapling_auth_digest
├── orchard_auth_digest
└── issuance_auth_digest [ADDED FOR ZSA]</pre>
<p>The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.</p>
<section id="auth-digest"><h3><span class="section-heading">auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#auth-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>A.1: transparent_scripts_digest (32-byte hash output)
A.2: sapling_auth_digest (32-byte hash output)
A.3: orchard_auth_digest (32-byte hash output)
A.4: issuance_auth_digest (32-byte hash output) [ADDED FOR ZSA]</pre>
<p>The personalization field of this hash remains the same as in ZIP 244.</p>
<section id="a-4-issuance-auth-digest"><h4><span class="section-heading">A.4: issuance_auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-4-issuance-auth-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>In the case that Issuance Actions are present, this is a BLAKE2b-256 hash of the field encoding of the <code>issueAuthSig</code> field of the transaction:</p>
<pre>A.4a: issueAuthSig (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthZSAOrHash"</pre>
<p>In the case that the transaction has no Orchard Actions, <code>issuance_auth_digest</code> is</p>
<pre>BLAKE2b-256("ZTxAuthZSAOrHash", [])</pre>
</section>
</section>
</section>
<section id="security-and-privacy-considerations"><h2><span class="section-heading">Security and Privacy Considerations</span><span class="section-anchor"> <a rel="bookmark" href="#security-and-privacy-considerations"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<section id="displaying-asset-identifier-information-to-users"><h3><span class="section-heading">Displaying Asset Identifier information to users</span><span class="section-anchor"> <a rel="bookmark" href="#displaying-asset-identifier-information-to-users"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Wallets need to communicate the names of the Assets in a non-confusing way to users, since the byte representation of the Asset Identifier would be hard to read for an end user. Possible solutions are provided in the <a href="#specification-asset-identifier">Specification: Asset Identifier</a> section.</p>
</section>
<section id="issuance-key-compromise"><h3><span class="section-heading">Issuance Key Compromise</span><span class="section-anchor"> <a rel="bookmark" href="#issuance-key-compromise"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The design of this protocol does not currently allow for rotation of the issuance validating key that would allow for replacing the key of a specific Asset. In case of compromise, the following actions are recommended:</p>
<ul>
<li>If an issuance validating key is compromised, the
<span class="math">\(\mathsf{finalize}\)</span>
boolean for all the Assets issued with that key should be set to
<span class="math">\(1\)</span>
and the issuer should change to a new issuance authorizing key, and issue new Assets, each with a new
<span class="math">\(\mathsf{AssetId}\!\)</span>
.</li>
</ul>
</section>
<section id="bridging-assets"><h3><span class="section-heading">Bridging Assets</span><span class="section-anchor"> <a rel="bookmark" href="#bridging-assets"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 <a id="footnote-reference-30" class="footnote_reference" href="#zip-0226">9</a>. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.</p>
</section>
</section>
<section id="other-considerations"><h2><span class="section-heading">Other Considerations</span><span class="section-anchor"> <a rel="bookmark" href="#other-considerations"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<section id="implementing-zcash-nodes"><h3><span class="section-heading">Implementing Zcash Nodes</span><span class="section-anchor"> <a rel="bookmark" href="#implementing-zcash-nodes"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Although not enforced in the global state, it is RECOMMENDED that Zcash full validators keep track of the total supply of Assets as a mutable mapping
<span class="math">\(\mathsf{issuanceSupplyInfoMap}\)</span>
from
<span class="math">\(\mathsf{AssetId}\)</span>
to
<span class="math">\((\mathsf{totalSupply}, \mathsf{finalize})\)</span>
in order to properly keep track of the total supply for different Asset Identifiers. This is useful for wallets and other applications that need to keep track of the total supply of Assets.</p>
</section>
<section id="fee-structures"><h3><span class="section-heading">Fee Structures</span><span class="section-anchor"> <a rel="bookmark" href="#fee-structures"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317 <a id="footnote-reference-31" class="footnote_reference" href="#zip-0317b">15</a>.</p>
</section>
</section>
<section id="test-vectors"><h2><span class="section-heading">Test Vectors</span><span class="section-anchor"> <a rel="bookmark" href="#test-vectors"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<ul>
<li>LINK TBD</li>
</ul>
</section>
<section id="reference-implementation"><h2><span class="section-heading">Reference Implementation</span><span class="section-anchor"> <a rel="bookmark" href="#reference-implementation"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<ul>
<li>LINK TBD</li>
<li>LINK TBD</li>
</ul>
</section>
<section id="deployment"><h2><span class="section-heading">Deployment</span><span class="section-anchor"> <a rel="bookmark" href="#deployment"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This ZIP is proposed to activate with Network Upgrade 6.</p>
</section>
<section id="references"><h2><span class="section-heading">References</span><span class="section-anchor"> <a rel="bookmark" href="#references"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<table id="bcp14" class="footnote">
<tbody>
<tr>
<th>1</th>
<td><a href="https://www.rfc-editor.org/info/bcp14">Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</a></td>
</tr>
</tbody>
</table>
<table id="zip-0032" class="footnote">
<tbody>
<tr>
<th>2</th>
<td><a href="zip-0032.html">ZIP 32: Shielded Hierarchical Deterministic Wallets</a></td>
</tr>
</tbody>
</table>
<table id="zip-0032-orchard-master" class="footnote">
<tbody>
<tr>
<th>3</th>
<td><a href="zip-0032.html#orchard-master-key-generation">ZIP 32: Shielded Hierarchical Deterministic Wallets - Orchard master key generation</a></td>
</tr>
</tbody>
</table>
<table id="zip-0032-orchard-child-key-derivation" class="footnote">
<tbody>
<tr>
<th>4</th>
<td><a href="zip-0032.html#orchard-child-key-derivation">ZIP 32: Shielded Hierarchical Deterministic Wallets - Orchard child key derivation</a></td>
</tr>
</tbody>
</table>
<table id="zip-0032-key-path-levels" class="footnote">
<tbody>
<tr>
<th>5</th>
<td><a href="zip-0032.html#key-path-levels">ZIP 32: Shielded Hierarchical Deterministic Wallets - Key path levels</a></td>
</tr>
</tbody>
</table>
<table id="zip-0032-orchard-key-path" class="footnote">
<tbody>
<tr>
<th>6</th>
<td><a href="zip-0032.html#orchard-key-path">ZIP 32: Shielded Hierarchical Deterministic Wallets - Orchard key path</a></td>
</tr>
</tbody>
</table>
<table id="zip-0200" class="footnote">
<tbody>
<tr>
<th>7</th>
<td><a href="zip-0200.html">ZIP 200: Network Upgrade Mechanism</a></td>
</tr>
</tbody>
</table>
<table id="zip-0224" class="footnote">
<tbody>
<tr>
<th>8</th>
<td><a href="zip-0224.html">ZIP 224: Orchard</a></td>
</tr>
</tbody>
</table>
<table id="zip-0226" class="footnote">
<tbody>
<tr>
<th>9</th>
<td><a href="zip-0226.html">ZIP 226: Transfer and Burn of Zcash Shielded Assets</a></td>
</tr>
</tbody>
</table>
<table id="zip-0226-notestructure" class="footnote">
<tbody>
<tr>
<th>10</th>
<td><a href="zip-0226.html#note-structure-commitment">ZIP 226: Transfer and Burn of Zcash Shielded Assets - Note Structure &amp; Commitment</a></td>
</tr>
</tbody>
</table>
<table id="zip-0226-txiddigest" class="footnote">
<tbody>
<tr>
<th>11</th>
<td><a href="zip-0226.html#txid-digest">ZIP 226: Transfer and Burn of Zcash Shielded Assets - TxId Digest</a></td>
</tr>
</tbody>
</table>
<table id="zip-0244" class="footnote">
<tbody>
<tr>
<th>12</th>
<td><a href="zip-0244.html">ZIP 244: Transaction Identifier Non-Malleability</a></td>
</tr>
</tbody>
</table>
<table id="zip-0244-sigdigest" class="footnote">
<tbody>
<tr>
<th>13</th>
<td><a href="zip-0244.html#signature-digest">ZIP 244: Transaction Identifier Non-Malleability: Signature Digest</a></td>
</tr>
</tbody>
</table>
<table id="zip-0244-authcommitment" class="footnote">
<tbody>
<tr>
<th>14</th>
<td><a href="zip-0244.html#authorizing-data-commitment">ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data Commitment</a></td>
</tr>
</tbody>
</table>
<table id="zip-0317b" class="footnote">
<tbody>
<tr>
<th>15</th>
<td><a href="https://github.com/zcash/zips/pull/667">ZIP 317: Proportional Transfer Fee Mechanism</a></td>
</tr>
</tbody>
</table>
<table id="bip-0340" class="footnote">
<tbody>
<tr>
<th>16</th>
<td><a href="https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki">BIP 340: Schnorr Signatures for secp256k1</a></td>
</tr>
</tbody>
</table>
<table id="protocol-notation" class="footnote">
<tbody>
<tr>
<th>17</th>
<td><a href="protocol/protocol.pdf#notation">Zcash Protocol Specification, Version 2023.4.0. Section 2: Notation</a></td>
</tr>
</tbody>
</table>
<table id="protocol-addressesandkeys" class="footnote">
<tbody>
<tr>
<th>18</th>
<td><a href="protocol/protocol.pdf#addressesandkeys">Zcash Protocol Specification, Version 2023.4.0. Section 3.1: Payment Addresses and Keys</a></td>
</tr>
</tbody>
</table>
<table id="protocol-orchardkeycomponents" class="footnote">
<tbody>
<tr>
<th>19</th>
<td><a href="protocol/protocol.pdf#orchardkeycomponents">Zcash Protocol Specification, Version 2023.4.0. Section 4.2.3: Orchard Key Components</a></td>
</tr>
</tbody>
</table>
<table id="protocol-concretegrouphashpallasandvesta" class="footnote">
<tbody>
<tr>
<th>20</th>
<td><a href="protocol/protocol.pdf#concretegrouphashpallasandvesta">Zcash Protocol Specification, Version 2023.4.0. Section 5.4.9.8: Group Hash into Pallas and Vesta</a></td>
</tr>
</tbody>
</table>
<table id="protocol-orchardpaymentaddrencoding" class="footnote">
<tbody>
<tr>
<th>21</th>
<td><a href="protocol/protocol.pdf#orchardpaymentaddrencoding">Zcash Protocol Specification, Version 2023.4.0. Section 5.6.4.2: Orchard Raw Payment Addresses</a></td>
</tr>
</tbody>
</table>
<table id="protocol-txnencoding" class="footnote">
<tbody>
<tr>
<th>22</th>
<td><a href="protocol/protocol.pdf#txnencoding">Zcash Protocol Specification, Version 2023.4.0. Section 7.1: Transaction Encoding and Consensus (Transaction Version 5)</a></td>
</tr>
</tbody>
</table>
</section>
</section>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink