Add libsnark removal to notable changes
parent 2efcb9e592
commit 4cae370328
@ -4,3 +4,40 @@ release-notes at release time)
Notable changes
===============

Disabling old Sprout proofs
---------------------------

As part of our ongoing work to clean up the codebase and minimise the security
surface of `zcashd`, we are removing `libsnark` from the codebase, and dropping
support for creating and verifying old Sprout proofs. Funds stored in Sprout
addresses are not affected, as they are spent using the hybrid Sprout circuit
(built using `bellman`) that was deployed during the Sapling network upgrade.

This change has several implications:

- `zcashd` no longer verifies old Sprout proofs, and will instead assume they
are valid. This has a minor implication for nodes: during initial block
download, an adversary could feed the node fake blocks containing invalid old
Sprout proofs, and the node would accept the fake chain as valid. However,
`zcashd` internally contains checkpoints after Sapling activation for both
block heights and cumulative chain work, and does not exit the initial block
download phase until the active chain contains at least as much work as the
checkpointed chain work. The node would therefore be non-functional (and would
not broadcast the fake chain to other peers) until the fake chain contained as
much work as the main chain, making this a 50% + 1 attack, which the current
consensus rules already does not protect against.

- Shielded transactions can no longer be created before Sapling has activated.
This does not affect Zcash itself, but will affect downstream codebases that
have not yet activated Sapling (or that start a new chain after this point and
do not activate Sapling from launch). Note that the old Sprout circuit is
[vulnerable to counterfeiting](https://z.cash/support/security/announcements/security-announcement-2019-02-05-cve-2019-7167/)
and should not be used in current deployments.

- Starting from this release, the circuit parameters from the original Sprout
MPC are no longer required to start `zcashd`, and will not be downloaded by
`fetch-params.sh`. They are not being automatically deleted at this time.

We would like to take a moment to thank the `libsnark` authors and contributors.
It was vital to the success of Zcash, and the development of zero-knowledge
proofs in general, to have this code available and usable.
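Review bot: subject-verb agreement in the first bullet: `consensus rules already does not protect against` should read `consensus rules already do not protect against`. In that same bullet, the security argument rests entirely on the built-in post-Sapling checkpoints for height and cumulative chain work, so the note should state the checkpointed height (or the release that set it) rather than leaving it implicit, and should make clear that a node is only protected while it is still below that checkpointed work, i.e. the weakened verification is a concern for initial block download only. In the third bullet, "They are not being automatically deleted at this time" leaves operators without guidance: name the parameter files that are now unused so users can remove them by hand, or say that a later release will do so.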