::

  ZIP: 225
  Title: Version 5 Transaction Format
  Owners: Daira Hopwood <daira@electriccoin.co>
          Jack Grigg <jack@electriccoin.co>
          Sean Bowe <sean@electriccoin.co>
          Kris Nuttycombe <kris@electriccoin.co>
          Ying Tong Lai <yingtong@electriccoin.co>
  Status: Proposed
  Category: Consensus
  Created: 2021-02-28
  License: MIT
  Discussions-To: <https://github.com/zcash/zips/issues/440>

Terminology
===========

The key words "MUST" and "MAY" in this document are to be interpreted as described in
RFC 2119. [#RFC2119]_

The character § is used when referring to sections of the Zcash Protocol Specification
[#protocol-nu5]_.

Abstract
========

This proposal defines an update to the Zcash peer-to-peer transaction format to include
support for data elements required to support the Orchard protocol [#protocol-nu5]_.
The new transaction format defines well-bounded regions of the serialized form to serve
each of the existing pools of funds, and adds and describes a new region containing
Orchard-specific elements.

This ZIP also depends upon and defines modifications to the computation of the values
**TxId Digest**, **Signature Digest**, and **Authorizing Data Commitment** defined by ZIP
244 [#zip-0244]_.

Motivation
==========

The new Orchard shielded pool requires serialized data elements that are distinct from
any previous Zcash transaction. In addition, with the activation of ZIP 244, the
serialized transaction format will no longer be consensus-critical. It makes sense at this
point to define a format that can readily accommodate future extension in a systematic
fashion, where elements required for support for a given pool are kept separate.

Requirements
============

The new format must fully support the Orchard protocol.

The new format should lend itself to future extension or pruning to add or remove
value pools.

The computation of the non-malleable transaction identifier hash must include all
newly incorporated elements except those that attest to transaction validity.

The computation of the commitment to authorizing data for a transaction must include
all newly incorporated elements that attest to transaction validity.

Non-requirements
================

More general forms of extensibility, such as defining a key/value format that
allows for parsers that are unaware of some components, are not required.

Specification
=============

The Zcash transaction format for transaction version 5 is as follows:

Transaction Format
------------------

+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
| Bytes                       | Name                     | Data Type                              | Description                                                         |
+=============================+==========================+========================================+=====================================================================+
| **Common Transaction Fields**                                                                                                                                         |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``4``                        |``header``                |``uint32``                              |Contains:                                                            |
|                             |                          |                                        |  * ``fOverwintered`` flag (bit 31, always set)                      |
|                             |                          |                                        |  * ``version`` (bits 30 .. 0) – transaction version.                |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``4``                        |``nVersionGroupId``       |``uint32``                              |Version group ID (nonzero).                                          |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``4``                        |``lock_time``             |``uint32``                              |Unix-epoch UTC time or block height, encoded as in Bitcoin.          |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``4``                        |``nExpiryHeight``         |``uint32``                              |A block height in the range {1 .. 499999999} after which             |
|                             |                          |                                        |the transaction will expire, or 0 to disable expiry.                 |
|                             |                          |                                        |[ZIP-203]                                                            |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
| **Transparent Transaction Fields**                                                                                                                                    |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``tx_in_count``           |``compactSize``                         |Number of transparent inputs in ``tx_in``.                           |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``tx_in``                 |``tx_in``                               |Transparent inputs, encoded as in Bitcoin.                           |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``tx_out_count``          |``compactSize``                         |Number of transparent outputs in ``tx_out``.                         |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``tx_out``                |``tx_out``                              |Transparent outputs, encoded as in Bitcoin.                          |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
| **Sapling Transaction Fields**                                                                                                                                        |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``nSpendsSapling``        |``compactSize``                         |Number of Sapling Spend descriptions in ``vSpendsSapling``.          |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``96 * nSpendsSapling``      |``vSpendsSapling``        |``SpendDescriptionV5[nSpendsSapling]``  |A sequence of Sapling Spend descriptions, encoded per                |
|                             |                          |                                        |protocol §7.3 ‘Spend Description Encoding and Consensus’.            |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``nOutputsSapling``       |``compactSize``                         |Number of Sapling Output Descriptions in ``vOutputsSapling``.        |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``756 * nOutputsSapling``    |``vOutputsSapling``       |``OutputDescriptionV5[nOutputsSapling]``|A sequence of Sapling Output descriptions, encoded per               |
|                             |                          |                                        |protocol §7.4 ‘Output Description Encoding and Consensus’.           |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``8``                        |``valueBalanceSapling``   |``int64``                               |The net value of Sapling Spends minus Outputs                        |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``32``                       |``anchorSapling``         |``byte[32]``                            |A root of the Sapling note commitment tree                           |
|                             |                          |                                        |at some block height in the past.                                    |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``192 * nSpendsSapling``     |``vSpendProofsSapling``   |``byte[192 * nSpendsSapling]``          |Encodings of the zk-SNARK proofs for each Sapling Spend.             |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``64 * nSpendsSapling``      |``vSpendAuthSigsSapling`` |``byte[64 * nSpendsSapling]``           |Authorizing signatures for each Sapling Spend.                       |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``192 * nOutputsSapling``    |``vOutputProofsSapling``  |``byte[192 * nOutputsSapling]``         |Encodings of the zk-SNARK proofs for each Sapling Output.            |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``64``                       |``bindingSigSapling``     |``byte[64]``                            |A Sapling binding signature on the SIGHASH transaction hash.         |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
| **Orchard Transaction Fields**                                                                                                                                        |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``nActionsOrchard``       |``compactSize``                         |The number of Orchard Action descriptions in                         |
|                             |                          |                                        |``vActionsOrchard``.                                                 |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``884 * nActionsOrchard``    |``vActionsOrchard``       |``OrchardAction[nActionsOrchard]``      |A sequence of Orchard Action descriptions, encoded per               |
|                             |                          |                                        |§7.5 ‘Action Description Encoding and Consensus’.                    |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``1``                        |``flagsOrchard``          |``byte``                                |An 8-bit value representing a set of flags. Ordered from LSB to MSB: |
|                             |                          |                                        |  * ``enableSpendsOrchard``                                          |
|                             |                          |                                        |  * ``enableOutputsOrchard``                                         |
|                             |                          |                                        |  * The remaining bits are set to ``0``.                             |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``8``                        |``valueBalanceOrchard``   |``int64``                               |The net value of Orchard spends minus outputs.                       |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``32``                       |``anchorOrchard``         |``byte[32]``                            |A root of the Orchard note commitment tree at some block             |
|                             |                          |                                        |height in the past.                                                  |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``sizeProofsOrchard``     |``compactSize``                         |Length in bytes of ``proofsOrchard``.                                |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``sizeProofsOrchard``        |``proofsOrchard``         |``byte[sizeProofsOrchard]``             |Encoding of aggregated zk-SNARK proofs for Orchard Actions.          |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``64 * nActionsOrchard``     |``vSpendAuthSigsOrchard`` |``byte[64 * nActionsOrchard]``          |Authorizing signatures for each Orchard Action.                      |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``64``                       |``bindingSigOrchard``     |``byte[64]``                            |An Orchard binding signature on the SIGHASH transaction hash.        |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+

* The fields ``valueBalanceSapling`` and ``bindingSigSapling`` are present if and only if
  :math:`\mathtt{nSpendsSapling} + \mathtt{nOutputsSapling} > 0`. If ``valueBalanceSapling``
  is not present, then :math:`\mathsf{v^{balanceSapling}}` is defined to be 0.

* The field ``anchorSapling`` is present if and only if :math:`\mathtt{nSpendsSapling} > 0`.

* The fields ``flagsOrchard``, ``valueBalanceOrchard``, ``anchorOrchard``,
  ``sizeProofsOrchard``, ``proofsOrchard``, and ``bindingSigOrchard`` are present if and
  only if :math:`\mathtt{nActionsOrchard} > 0`. If ``valueBalanceOrchard`` is not present,
  then :math:`\mathsf{v^{balanceOrchard}}` is defined to be 0.

* The elements of ``vSpendProofsSapling`` and ``vSpendAuthSigsSapling`` have a 1:1
  correspondence to the elements of ``vSpendsSapling`` and MUST be ordered such that the
  proof or signature at a given index corresponds to the ``SpendDescriptionV5`` at the
  same index.

* The elements of ``vOutputProofsSapling`` have a 1:1 correspondence to the elements of
  ``vOutputsSapling`` and MUST be ordered such that the proof at a given index corresponds
  to the ``OutputDescriptionV5`` at the same index.

* The proofs aggregated in ``proofsOrchard``, and the elements of
  ``vSpendAuthSigsOrchard``, each have a 1:1 correspondence to the elements of
  ``vActionsOrchard`` and MUST be ordered such that the proof or signature at a given
  index corresponds to the ``OrchardAction`` at the same index.

* For coinbase transactions, the ``enableSpendsOrchard`` bit MUST be set to ``0``.

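A bounds-checked reader for the Sapling Transaction Fields region that applies the presence rules listed above, together with the ``flagsOrchard`` checks (reserved bits and the coinbase rule). This is an added example, not code from this ZIP or from any Zcash implementation: ``Reader``, ``parse_sapling_fields``, ``check_flags_orchard`` and ``sample_sapling_fields`` are hypothetical names, the sample bytes are constructed filler, and integer fields are assumed to be little-endian.

```python
import struct

SPEND_V5_LEN = 96     # SpendDescriptionV5: cv + nullifier + rk
OUTPUT_V5_LEN = 756   # OutputDescriptionV5: cv + cmu + ephemeralKey + ciphertexts
PROOF_LEN = 192       # one Sapling zk-SNARK proof
SIG_LEN = 64          # one spend authorization or binding signature


class ParseError(ValueError):
    """Raised when the input does not match the field layout in the table."""


class Reader:
    """Bounds-checked cursor over untrusted transaction bytes."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def take(self, n):
        if n > len(self.data) - self.pos:
            raise ParseError(f"need {n} bytes at offset {self.pos}: truncated input")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def compact_size(self):
        # Bitcoin-style compactSize: 1, 3, 5 or 9 bytes, little-endian.
        first = self.take(1)[0]
        if first < 0xFD:
            return first
        width, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
        return struct.unpack(fmt, self.take(width))[0]

    def vector(self, count, item_len):
        # Reject a count the remaining input cannot back before building anything.
        if count * item_len > len(self.data) - self.pos:
            raise ParseError(f"count {count} exceeds remaining input")
        return [self.take(item_len) for _ in range(count)]


def parse_sapling_fields(r):
    """Parse the Sapling region, applying the conditional-presence rules."""
    n_spends = r.compact_size()
    spends = r.vector(n_spends, SPEND_V5_LEN)
    n_outputs = r.compact_size()
    outputs = r.vector(n_outputs, OUTPUT_V5_LEN)
    has_bundle = n_spends + n_outputs > 0
    # valueBalanceSapling is absent for an empty bundle and then defined to be 0.
    value_balance = struct.unpack("<q", r.take(8))[0] if has_bundle else 0
    anchor = r.take(32) if n_spends > 0 else None
    return {
        "vSpendsSapling": spends,
        "vOutputsSapling": outputs,
        "valueBalanceSapling": value_balance,
        "anchorSapling": anchor,
        # Read in serialization order; index i pairs with description i.
        "vSpendProofsSapling": r.vector(n_spends, PROOF_LEN),
        "vSpendAuthSigsSapling": r.vector(n_spends, SIG_LEN),
        "vOutputProofsSapling": r.vector(n_outputs, PROOF_LEN),
        "bindingSigSapling": r.take(SIG_LEN) if has_bundle else None,
    }


def check_flags_orchard(flags, is_coinbase):
    """Return (enableSpendsOrchard, enableOutputsOrchard) or raise ParseError."""
    if flags & ~0b11:
        raise ParseError("reserved flagsOrchard bits must be 0")
    enable_spends, enable_outputs = bool(flags & 0b01), bool(flags & 0b10)
    if is_coinbase and enable_spends:
        raise ParseError("coinbase transaction with enableSpendsOrchard set")
    return enable_spends, enable_outputs


def sample_sapling_fields(n_spends, n_outputs, value_balance=-5):
    """Constructed input: filler bytes laid out per the table (counts below 0xFD)."""
    buf = bytes([n_spends]) + b"\x11" * (SPEND_V5_LEN * n_spends)
    buf += bytes([n_outputs]) + b"\x22" * (OUTPUT_V5_LEN * n_outputs)
    if n_spends + n_outputs > 0:
        buf += struct.pack("<q", value_balance)
    if n_spends > 0:
        buf += b"\x33" * 32
    buf += b"\x44" * (PROOF_LEN * n_spends) + b"\x55" * (SIG_LEN * n_spends)
    buf += b"\x66" * (PROOF_LEN * n_outputs)
    if n_spends + n_outputs > 0:
        buf += b"\x77" * SIG_LEN
    return buf


if __name__ == "__main__":
    reader = Reader(sample_sapling_fields(1, 2))
    fields = parse_sapling_fields(reader)
    print(fields["valueBalanceSapling"], reader.pos == len(reader.data))
    print(check_flags_orchard(0b10, is_coinbase=True))
```
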
The encodings of ``tx_in`` and ``tx_out`` are as in a version 4 transaction (i.e.
unchanged from Canopy). The encodings of ``SpendDescriptionV5``, ``OutputDescriptionV5``
and ``OrchardAction`` are described below. The encoding of Sapling Spends and Outputs has
changed relative to prior versions in order to better separate data that describe the
effects of the transaction from the proofs of and commitments to those effects, and for
symmetry with this separation in the Orchard-related parts of the transaction format.

Sapling Spend Description (``SpendDescriptionV5``)
--------------------------------------------------

+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
| Bytes                       | Name                     | Data Type                            | Description                                                |
+=============================+==========================+======================================+============================================================+
|``32``                       |``cv``                    |``byte[32]``                          |A value commitment to the net value of the input note.      |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``32``                       |``nullifier``             |``byte[32]``                          |The nullifier of the input note.                            |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``32``                       |``rk``                    |``byte[32]``                          |The randomized validating key for the element of            |
|                             |                          |                                      |spendAuthSigsSapling corresponding to this Spend.           |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+

The encodings of each of these elements are defined in §7.3 ‘Spend Description Encoding
and Consensus’ of the Zcash Protocol Specification [#protocol-spenddesc]_.

Sapling Output Description (``OutputDescriptionV5``)
----------------------------------------------------

+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
| Bytes                       | Name                     | Data Type                            | Description                                                |
+=============================+==========================+======================================+============================================================+
|``32``                       |``cv``                    |``byte[32]``                          |A value commitment to the net value of the output note.     |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``32``                       |``cmu``                   |``byte[32]``                          |The u-coordinate of the note commitment for the output note.|
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``32``                       |``ephemeralKey``          |``byte[32]``                          |An encoding of an ephemeral Jubjub public key.              |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``580``                      |``encCiphertext``         |``byte[580]``                         |The encrypted contents of the note plaintext.               |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``80``                       |``outCiphertext``         |``byte[80]``                          |The encrypted contents of the byte string created by        |
|                             |                          |                                      |concatenation of the transmission key with the ephemeral    |
|                             |                          |                                      |secret key.                                                 |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+

The encodings of each of these elements are defined in §7.4 ‘Output Description Encoding
and Consensus’ of the Zcash Protocol Specification [#protocol-outputdesc]_.

Orchard Action Description (``OrchardAction``)
----------------------------------------------

+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
| Bytes                       | Name                     | Data Type                            | Description                                                |
+=============================+==========================+======================================+============================================================+
|``32``                       |``cv``                    |``byte[32]``                          |A value commitment to the net value of the input note minus |
|                             |                          |                                      |the output note.                                            |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``32``                       |``nullifier``             |``byte[32]``                          |The nullifier of the input note.                            |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``32``                       |``rk``                    |``byte[32]``                          |The randomized validating key for the element of            |
|                             |                          |                                      |spendAuthSigsOrchard corresponding to this Action.          |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``32``                       |``cmx``                   |``byte[32]``                          |The x-coordinate of the note commitment for the output note.|
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``32``                       |``ephemeralKey``          |``byte[32]``                          |An encoding of an ephemeral Pallas public key.              |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``580``                      |``encCiphertext``         |``byte[580]``                         |The encrypted contents of the note plaintext.               |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+
|``80``                       |``outCiphertext``         |``byte[80]``                          |The encrypted contents of the byte string created by        |
|                             |                          |                                      |concatenation of the transmission key with the ephemeral    |
|                             |                          |                                      |secret key.                                                 |
+-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+

The encodings of each of these elements are defined in §7.5 ‘Action Description Encoding
and Consensus’ of the Zcash Protocol Specification [#protocol-actiondesc]_.

Modifications to ZIP 244
------------------------

TxId Digest
~~~~~~~~~~~

The tree of hashes defined by ZIP 244 [#zip-0244]_ is re-structured to include a new
branch for Orchard hashes. The ``orchard_digest`` branch is the only new addition to the
tree; ``header_digest``, ``transparent_digest``, and ``sapling_digest`` are as in ZIP
244::

    txid_digest
    ├── header_digest
    ├── transparent_digest
    ├── sapling_digest
    └── orchard_digest

txid_digest
"""""""""""

The top hash of the ``txid_digest`` tree is modified from the ZIP 244 structure
to be a BLAKE2b-256 hash of the following values ::

    T.1: header_digest       (32-byte hash output)
    T.2: transparent_digest  (32-byte hash output)
    T.3: sapling_digest      (32-byte hash output)
    T.4: orchard_digest      (32-byte hash output)

The personalization field of this hash is unmodified from ZIP 244.

T.4: ``orchard_digest``
"""""""""""""""""""""""

A BLAKE2b-256 hash of the following values ::

    T.4a: orchard_actions_compact_digest      (32-byte hash output)
    T.4b: orchard_actions_memos_digest        (32-byte hash output)
    T.4c: orchard_actions_noncompact_digest   (32-byte hash output)
    T.4d: flagsOrchard                        (1 byte)
    T.4e: valueBalanceOrchard                 (64-bit signed little-endian)
    T.4f: anchorOrchard                       (32 bytes)

The personalization field of this hash is set to::

    "ZTxIdOrchardHash"

T.4a: orchard_actions_compact_digest
""""""""""""""""""""""""""""""""""""

A BLAKE2b-256 hash of the subset of Orchard Action information intended to be included in
an updated version of the ZIP-307 [#zip-0307]_ ``CompactBlock`` format for all Orchard
Actions belonging to the transaction. For each Action, the following elements are included
in the hash::

    T.4a.i  : nullifier            (field encoding bytes)
    T.4a.ii : cmx                  (field encoding bytes)
    T.4a.iii: ephemeralKey         (field encoding bytes)
    T.4a.iv : encCiphertext[..52]  (First 52 bytes of field encoding)

The personalization field of this hash is set to::

    "ZTxIdOrcOutCHash"

T.4b: orchard_actions_memos_digest
""""""""""""""""""""""""""""""""""

A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all Orchard
Actions belonging to the transaction. For each Action, the following elements are included
in the hash::

    T.4b.i: encCiphertext[52..564] (contents of the encrypted memo field)

The personalization field of this hash is set to::

    "ZTxIdOrcOutMHash"

T.4c: orchard_actions_noncompact_digest
"""""""""""""""""""""""""""""""""""""""

A BLAKE2b-256 hash of the remaining subset of Orchard Action information **not** intended
for inclusion in an updated version of the ZIP 307 [#zip-0307]_ ``CompactBlock``
format, for all Orchard Actions belonging to the transaction. For each Action,
the following elements are included in the hash::

    T.4c.i  : cv                    (field encoding bytes)
    T.4c.ii : rk                    (field encoding bytes)
    T.4c.iii: encCiphertext[564..]  (post-memo suffix of field encoding)
    T.4c.iv : outCiphertext         (field encoding bytes)

The personalization field of this hash is set to::

    "ZTxIdOrcOutNHash"

Signature Digest
~~~~~~~~~~~~~~~~

The signature digest creation algorithm defined by ZIP 244 [#zip-0244]_ is modified to
include a new branch for Orchard hashes. The ``orchard_digest`` branch is the only new
addition to the tree; ``header_digest``, ``transparent_sig_digest``, and ``sapling_digest``
are as in ZIP 244::

    signature_digest
    ├── header_digest
    ├── transparent_sig_digest
    ├── sapling_digest
    └── orchard_digest

signature_digest
""""""""""""""""

A BLAKE2b-256 hash of the following values ::

    S.1: header_digest          (32-byte hash output)
    S.2: transparent_sig_digest (32-byte hash output)
    S.3: sapling_digest         (32-byte hash output)
    S.4: orchard_digest         (32-byte hash output)

The personalization field of this hash is unmodified from ZIP 244.

S.4: orchard_digest
"""""""""""""""""""

Identical to that specified for the transaction identifier.

Authorizing Data Commitment
~~~~~~~~~~~~~~~~~~~~~~~~~~~

The tree of hashes defined by ZIP 244 [#zip-0244]_ for authorizing data commitments is
re-structured to include a new branch for Orchard Actions. The ``orchard_auth_digest``
branch is the only new addition to the tree; ``transparent_scripts_digest`` and
``sapling_auth_digest`` are as in ZIP 244::

    auth_digest
    ├── transparent_scripts_digest
    ├── sapling_auth_digest
    └── orchard_auth_digest

auth_digest
"""""""""""

A BLAKE2b-256 hash of the following values::

    A.1: transparent_scripts_digest (32-byte hash output)
    A.2: sapling_auth_digest        (32-byte hash output)
    A.3: orchard_auth_digest        (32-byte hash output)

The personalization field of this hash is unmodified from ZIP 244.

A.3: orchard_auth_digest
""""""""""""""""""""""""

A BLAKE2b-256 hash of the field encoding of the ``zkProofsOrchard``,
``spendAuthSigsOrchard``, and ``bindingSigOrchard`` fields of the transaction::

    A.3a: proofsOrchard         (field encoding bytes)
    A.3b: vSpendAuthSigsOrchard (field encoding bytes)
    A.3c: bindingSigOrchard     (field encoding bytes)

The personalization field of this hash is set to::

    "ZTxAuthOrchaHash"

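The authorizing data commitment described above, worked through as an added example
(not part of the ZIP or of any Zcash implementation). The function names, the sample
byte strings and the root personalization ``EXAMPLE_ROOT_TAG`` are assumptions made for
illustration; the real root personalization is defined in ZIP 244, and the inputs are
taken to be already field-encoded.

```python
import hashlib

ORCHARD_AUTH_PERSON = b"ZTxAuthOrchaHash"  # from the text above, exactly 16 bytes


def blake2b_256(person: bytes, data: bytes) -> bytes:
    """BLAKE2b with a 32-byte output and a 16-byte personalization."""
    if len(person) != 16:
        raise ValueError("personalization must be exactly 16 bytes")
    return hashlib.blake2b(data, digest_size=32, person=person).digest()


def orchard_auth_digest(proofs: bytes, spend_auth_sigs: bytes, binding_sig: bytes) -> bytes:
    """A.3: hash of A.3a || A.3b || A.3c (already field-encoded by the caller)."""
    return blake2b_256(ORCHARD_AUTH_PERSON, proofs + spend_auth_sigs + binding_sig)


def auth_digest(root_person: bytes, transparent_scripts: bytes,
                sapling_auth: bytes, orchard_auth: bytes) -> bytes:
    """Root: hash of A.1 || A.2 || A.3, each of which is a 32-byte hash output."""
    children = (transparent_scripts, sapling_auth, orchard_auth)
    if any(len(c) != 32 for c in children):
        raise ValueError("every child digest must be 32 bytes")
    return blake2b_256(root_person, b"".join(children))


# Constructed sample inputs (not real transaction data).
ROOT_PERSON = b"EXAMPLE_ROOT_TAG"  # placeholder: the real value is defined in ZIP 244
A1 = bytes(32)                     # stand-in for transparent_scripts_digest
A2 = bytes([1]) * 32               # stand-in for sapling_auth_digest
PROOFS = bytes(range(48))
SIGS = bytes([0xAA]) * 64
BINDING = bytes([0xBB]) * 64


def demo() -> dict:
    """Flip one signature bit and show that it propagates up to the root."""
    a3 = orchard_auth_digest(PROOFS, SIGS, BINDING)
    tampered_sigs = bytes([SIGS[0] ^ 1]) + SIGS[1:]
    a3_t = orchard_auth_digest(PROOFS, tampered_sigs, BINDING)
    return {"a3": a3, "a3_tampered": a3_t,
            "root": auth_digest(ROOT_PERSON, A1, A2, a3),
            "root_tampered": auth_digest(ROOT_PERSON, A1, A2, a3_t)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value.hex()}")
```

A single flipped bit in the signature bytes changes ``orchard_auth_digest`` and
therefore the root, and the distinct personalization strings keep identical input bytes
from producing the same digest at different nodes of the tree.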
Alternatives
============

The original version of ZIP-225 included Sprout-related fields ``nJoinSplit``,
``vJoinSplit``, ``joinSplitPubKey``, and ``joinSplitSig`` in the V5
transaction format. The Electric Coin Company and Zcash Foundation teams have
elected to remove these fields from the V5 transaction format as part of the
continuing process of deprecation of the Sprout shielded pool. As a consequence
of these fields being removed:

* This effectively prohibits migration transactions that would directly move funds from
  the Sprout pool to the Orchard pool. Sprout -> Transparent and Sprout -> Sapling
  migration transactions will still be supported when using the V4 transaction format.

Removing these fields reduces the complexity of the NU5 upgrade in the following ways:

* V5 parsing and serialization code does not need to take these fields into account.
* ZIP 244 [#zip-0244]_ transaction identifier, signature hash, and authorizing
  data commitment computations are simplified by excluding consideration of
  these fields.

Removal of these fields means that in the future, removing the support for the V4
transaction format will also effectively end support for Sprout transactions on the Zcash
network, though it might be possible to restore limited support for migration via a future
ZIP 222 [#zip-0222]_ extension or by other means not yet determined.

The original definitions for the transaction fields that have been removed are:

+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
| **Sprout Transaction Fields**                                                                                                                                         |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``varies``                   |``nJoinSplit``            |``compactSize``                         |The number of JoinSplit descriptions in ``vJoinSplit``.              |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``1698 * nJoinSplit``        |``vJoinSplit``            |``JSDescriptionGroth16[nJoinSplit]``    |A sequence of JoinSplit descriptions using Groth16 proofs,           |
|                             |                          |                                        |encoded per §7.2 ‘JoinSplit Description Encoding and Consensus’.     |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``32``                       |``joinSplitPubKey``       |``byte[32]``                            |An encoding of a JoinSplitSig public validating key.                 |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+
|``64``                       |``joinSplitSig``          |``byte[64]``                            |A signature on a prefix of the transaction encoding,                 |
|                             |                          |                                        |to be verified using joinSplitPubKey as specified in §4.11           |
|                             |                          |                                        |‘Non-malleability (Sprout)’.                                         |
+-----------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------+

* The ``joinSplitPubKey`` and ``joinSplitSig`` fields were specified to be
  present if and only if :math:`\mathtt{nJoinSplit} > 0`.

Reference implementation
========================

TBD

References
==========

.. [#RFC2119] `RFC 2119: Key words for use in RFCs to Indicate Requirement Levels <https://www.rfc-editor.org/rfc/rfc2119.html>`_
.. [#protocol-nu5] `Zcash Protocol Specification, Version 2021.1.20 or later <protocol/nu5.pdf>`_
.. [#protocol-spenddesc] `Zcash Protocol Specification, Version 2021.1.20 or later. Section 4.4: Spend Descriptions <protocol/nu5.pdf#spenddesc>`_
.. [#protocol-outputdesc] `Zcash Protocol Specification, Version 2021.1.20 or later. Section 4.5: Output Descriptions <protocol/nu5.pdf#outputdesc>`_
.. [#protocol-actiondesc] `Zcash Protocol Specification, Version 2021.1.20 or later. Section 4.6: Action Descriptions <protocol/nu5.pdf#actiondesc>`_
.. [#zip-0222] `ZIP 222: Transparent Zcash Extensions <zip-0222.rst>`_
.. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability <zip-0244.rst>`_
.. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection <zip-0307.rst>`_