2020-06-02 14:54:54 -07:00
::
ZIP: 215
2020-06-09 04:56:33 -07:00
Title: Explicitly Defining and Modifying Ed25519 Validation Rules
2020-06-02 14:54:54 -07:00
Owners: Henry de Valence <hdevalence@zfnd.org>
2022-06-22 14:35:03 -07:00
Status: Final
2020-06-02 14:54:54 -07:00
Category: Consensus
Created: 2020-04-27
License: BSD-2-Clause
Terminology
===========
2020-06-05 08:10:28 -07:00
The key words "MUST" and "MUST NOT" in this document is to be interpreted as described
2023-10-28 07:34:22 -07:00
in BCP 14 [#BCP14]_ when, and only when, they appear in all capitals.
2020-06-02 14:54:54 -07:00
2020-07-05 09:17:59 -07:00
2020-06-02 14:54:54 -07:00
Abstract
========
Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519
does not clearly define criteria for signature validity, and implementations conformant
2020-06-05 07:54:52 -07:00
to RFC 8032 [#RFC8032]_ need not agree on whether signatures are valid. This is
2020-06-02 14:54:54 -07:00
unacceptable for a consensus-critical application like Zcash. Currently, Zcash
2020-06-09 05:14:23 -07:00
inherits criteria for signature validity from an obsolete version of
2020-06-02 14:54:54 -07:00
`libsodium` . Instead, this ZIP settles the situation by explicitly defining the
2020-06-09 05:14:23 -07:00
Ed25519 validity criteria and changing them to be compatible with batch
2020-06-09 04:56:33 -07:00
validation.
2020-06-02 14:54:54 -07:00
2020-07-05 09:17:59 -07:00
2020-06-02 14:54:54 -07:00
Motivation
==========
2020-06-09 05:14:23 -07:00
The lack of clear validity criteria for Ed25519 signatures poses a
2020-06-02 14:54:54 -07:00
maintenance burden. The initial implementation of Zcash consensus in `zcashd`
2020-06-09 05:14:23 -07:00
inherited validity criteria from a then-current version of `libsodium` (1.0.15).
2020-06-02 14:54:54 -07:00
Due to `a bug in libsodium <https://github.com/zcash/zcash/issues/2872#issuecomment-576911471> `_ ,
this was different from the intended criteria documented in the Zcash protocol
2020-07-05 09:17:59 -07:00
specification [#protocol-2020.1.1]_ (before the specification was changed to match
2020-06-02 14:54:54 -07:00
`libsodium` 1.0.15 in specification version 2020.1.2). Also, `libsodium` never
2020-06-09 05:14:23 -07:00
guaranteed stable validity criteria, and changed behavior in a later point
2020-06-02 14:54:54 -07:00
release. This forced `zcashd` to use an older version of the library before
2020-06-09 05:14:23 -07:00
eventually patching a newer version to have consistent validity criteria.
2020-06-02 14:54:54 -07:00
To be compatible, Zebra had to implement a special library, `ed25519-zebra` to
provide Zcash-flavored Ed25519, attempting to match `libsodium` 1.0.15 exactly. And
the initial attempt to implement `ed25519-zebra` was also incompatible, because
it precisely matched the wrong compile-time configuration of `libsodium` .
2020-06-09 05:14:23 -07:00
In addition, the validity criteria used by Zcash preclude the use of batch
2020-06-09 04:56:33 -07:00
validation of Ed25519 signatures. While signature validation is not the
primary bottleneck for Zcash, it would be nice to be able to batch-validate
signatures, as is the case for RedJubjub.
2020-06-02 14:54:54 -07:00
2020-07-05 09:17:59 -07:00
2020-06-02 14:54:54 -07:00
Specification
=============
2020-06-05 07:54:52 -07:00
After activation of this ZIP, the :math: `\mathsf{JoinSplitSig}` validation rules
2020-07-05 09:17:59 -07:00
in [#protocol-concreteed25519]_ are changed to the following:
2020-06-02 14:54:54 -07:00
2020-06-05 08:10:28 -07:00
- :math: `\underline{A}` and :math: `\underline{R}` MUST be encodings of points
2020-06-05 08:37:29 -07:00
:math: `A` and :math: `R` respectively on the complete twisted Edwards curve Ed25519;
2020-06-05 08:10:28 -07:00
- :math: `\underline{S}` MUST represent an integer :math: `S` less than :math: `\ell` ;
- The group equation :math: `[8][S]B = [8]R + [8][k]A` MUST be satisfied, where
:math: `k` and :math: `B` are defined as in RFC 8032 sections §5.1.7 and §5.1
respectively. [#RFC8032]_
2020-06-02 14:54:54 -07:00
2020-06-05 08:12:44 -07:00
The language about :math: `\mathsf{ExcludedPointEncodings}` in §5.4.5 of the Zcash
2021-08-04 07:22:46 -07:00
specification [#protocol-concreteed25519]_ no longer applies.
2020-06-02 14:54:54 -07:00
2020-06-05 07:54:52 -07:00
It is *not* required that :math: `\underline{A}` and :math: `\underline{R}`
are canonical encodings; in other words, the integer encoding the
:math: `y` -coordinate of the points may be unreduced modulo :math: `2^{255}-19` .
2020-06-02 14:54:54 -07:00
2020-06-09 04:56:33 -07:00
Note: the alternate validation equation :math: `[S]B = R + [k]A` , allowed
2020-06-05 08:10:28 -07:00
by RFC 8032, MUST NOT be used.
2020-07-05 09:17:59 -07:00
2020-06-02 14:54:54 -07:00
Rationale
=========
This change simplifies the Ed25519 validation logic and reduces future
maintenance burden. Because multiplication by the cofactor admits more
2020-06-09 04:56:33 -07:00
solutions to the validation equation, not fewer, it is compatible with all
2020-06-02 14:54:54 -07:00
existing Ed25519 signatures on the chain.
2020-06-09 04:56:33 -07:00
It also allows the use of batch validation, which requires multiplication
by the cofactor in the validation equation.
2020-06-02 14:54:54 -07:00
2020-07-05 09:17:59 -07:00
2020-06-02 14:54:54 -07:00
Security and Privacy Considerations
===================================
This change has no effect on honestly-generated signatures. Unlike the current
validation rules, it makes it possible for a user to generate weak signing keys
or to generate signing keys with nonzero torsion component and submit them to
the blockchain. However, doing so provides them with no advantage, only
compromise to their own security. Moreover, these cases are not a failure mode
of any deployed implementation.
2020-07-05 09:17:59 -07:00
2020-06-02 14:54:54 -07:00
Deployment
2020-06-05 07:54:52 -07:00
==========
2020-06-02 14:54:54 -07:00
2020-07-05 09:17:59 -07:00
This is intended to be deployed with the Canopy Network Upgrade [#zip-0251]_ ,
which is scheduled to activate on Mainnet [#protocol-networks]_ at block height
1046400.
2020-06-02 14:54:54 -07:00
References
==========
2023-10-28 07:34:22 -07:00
.. [#BCP14] `Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words" <https://www.rfc-editor.org/info/bcp14> `_
2020-11-09 07:59:51 -08:00
.. [#RFC8032] `RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA) <https://www.rfc-editor.org/rfc/rfc8032.html> `_
2020-07-05 09:17:59 -07:00
.. [#protocol-2020.1.1] `Zcash Protocol Specification, Version 2020.1.1 <https://github.com/zcash/zips/blob/v2020.1.1/protocol/protocol.pdf> `_
2021-10-01 16:44:09 -07:00
.. [#protocol-networks] `Zcash Protocol Specification, Version 2021.2.16. Section 3.12: Mainnet and Testnet <protocol/protocol.pdf#networks> `_
.. [#protocol-concreteed25519] `Zcash Protocol Specification, Version 2021.2.16. Section 5.4.6: Ed25519 <protocol/protocol.pdf#concreteed25519> `_
2020-07-05 09:17:59 -07:00
.. [#zip-0251] `ZIP 251: Deployment of the Canopy Network Upgrade <zip-0251.rst> `_