2020-06-02 14:54:54 -07:00
|
|
|
::
|
|
|
|
|
|
|
|
ZIP: 215
|
2020-06-09 04:56:33 -07:00
|
|
|
Title: Explicitly Defining and Modifying Ed25519 Validation Rules
|
2020-06-02 14:54:54 -07:00
|
|
|
Owners: Henry de Valence <hdevalence@zfnd.org>
|
2020-08-11 08:28:15 -07:00
|
|
|
Status: Implemented (zcashd)
|
2020-06-02 14:54:54 -07:00
|
|
|
Category: Consensus
|
|
|
|
Created: 2020-04-27
|
|
|
|
License: BSD-2-Clause
|
|
|
|
|
|
|
|
|
|
|
|
Terminology
|
|
|
|
===========
|
|
|
|
|
2020-06-05 08:10:28 -07:00
|
|
|
The key words "MUST" and "MUST NOT" in this document is to be interpreted as described
|
|
|
|
in RFC 2119. [#RFC2119]_
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-07-05 09:17:59 -07:00
|
|
|
|
2020-06-02 14:54:54 -07:00
|
|
|
Abstract
|
|
|
|
========
|
|
|
|
|
|
|
|
Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519
|
|
|
|
does not clearly define criteria for signature validity, and implementations conformant
|
2020-06-05 07:54:52 -07:00
|
|
|
to RFC 8032 [#RFC8032]_ need not agree on whether signatures are valid. This is
|
2020-06-02 14:54:54 -07:00
|
|
|
unacceptable for a consensus-critical application like Zcash. Currently, Zcash
|
2020-06-09 05:14:23 -07:00
|
|
|
inherits criteria for signature validity from an obsolete version of
|
2020-06-02 14:54:54 -07:00
|
|
|
`libsodium`. Instead, this ZIP settles the situation by explicitly defining the
|
2020-06-09 05:14:23 -07:00
|
|
|
Ed25519 validity criteria and changing them to be compatible with batch
|
2020-06-09 04:56:33 -07:00
|
|
|
validation.
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-07-05 09:17:59 -07:00
|
|
|
|
2020-06-02 14:54:54 -07:00
|
|
|
Motivation
|
|
|
|
==========
|
|
|
|
|
2020-06-09 05:14:23 -07:00
|
|
|
The lack of clear validity criteria for Ed25519 signatures poses a
|
2020-06-02 14:54:54 -07:00
|
|
|
maintenance burden. The initial implementation of Zcash consensus in `zcashd`
|
2020-06-09 05:14:23 -07:00
|
|
|
inherited validity criteria from a then-current version of `libsodium` (1.0.15).
|
2020-06-02 14:54:54 -07:00
|
|
|
Due to `a bug in libsodium <https://github.com/zcash/zcash/issues/2872#issuecomment-576911471>`_,
|
|
|
|
this was different from the intended criteria documented in the Zcash protocol
|
2020-07-05 09:17:59 -07:00
|
|
|
specification [#protocol-2020.1.1]_ (before the specification was changed to match
|
2020-06-02 14:54:54 -07:00
|
|
|
`libsodium` 1.0.15 in specification version 2020.1.2). Also, `libsodium` never
|
2020-06-09 05:14:23 -07:00
|
|
|
guaranteed stable validity criteria, and changed behavior in a later point
|
2020-06-02 14:54:54 -07:00
|
|
|
release. This forced `zcashd` to use an older version of the library before
|
2020-06-09 05:14:23 -07:00
|
|
|
eventually patching a newer version to have consistent validity criteria.
|
2020-06-02 14:54:54 -07:00
|
|
|
To be compatible, Zebra had to implement a special library, `ed25519-zebra` to
|
|
|
|
provide Zcash-flavored Ed25519, attempting to match `libsodium` 1.0.15 exactly. And
|
|
|
|
the initial attempt to implement `ed25519-zebra` was also incompatible, because
|
|
|
|
it precisely matched the wrong compile-time configuration of `libsodium`.
|
|
|
|
|
2020-06-09 05:14:23 -07:00
|
|
|
In addition, the validity criteria used by Zcash preclude the use of batch
|
2020-06-09 04:56:33 -07:00
|
|
|
validation of Ed25519 signatures. While signature validation is not the
|
|
|
|
primary bottleneck for Zcash, it would be nice to be able to batch-validate
|
|
|
|
signatures, as is the case for RedJubjub.
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-07-05 09:17:59 -07:00
|
|
|
|
2020-06-02 14:54:54 -07:00
|
|
|
Specification
|
|
|
|
=============
|
|
|
|
|
2020-06-05 07:54:52 -07:00
|
|
|
After activation of this ZIP, the :math:`\mathsf{JoinSplitSig}` validation rules
|
2020-07-05 09:17:59 -07:00
|
|
|
in [#protocol-concreteed25519]_ are changed to the following:
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-06-05 08:10:28 -07:00
|
|
|
- :math:`\underline{A}` and :math:`\underline{R}` MUST be encodings of points
|
2020-06-05 08:37:29 -07:00
|
|
|
:math:`A` and :math:`R` respectively on the complete twisted Edwards curve Ed25519;
|
2020-06-05 08:10:28 -07:00
|
|
|
- :math:`\underline{S}` MUST represent an integer :math:`S` less than :math:`\ell`;
|
|
|
|
- The group equation :math:`[8][S]B = [8]R + [8][k]A` MUST be satisfied, where
|
|
|
|
:math:`k` and :math:`B` are defined as in RFC 8032 sections §5.1.7 and §5.1
|
|
|
|
respectively. [#RFC8032]_
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-06-05 08:12:44 -07:00
|
|
|
The language about :math:`\mathsf{ExcludedPointEncodings}` in §5.4.5 of the Zcash
|
2020-06-05 07:54:52 -07:00
|
|
|
specification no longer applies.
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-06-05 07:54:52 -07:00
|
|
|
It is *not* required that :math:`\underline{A}` and :math:`\underline{R}`
|
|
|
|
are canonical encodings; in other words, the integer encoding the
|
|
|
|
:math:`y`-coordinate of the points may be unreduced modulo :math:`2^{255}-19`.
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-06-09 04:56:33 -07:00
|
|
|
Note: the alternate validation equation :math:`[S]B = R + [k]A`, allowed
|
2020-06-05 08:10:28 -07:00
|
|
|
by RFC 8032, MUST NOT be used.
|
|
|
|
|
2020-07-05 09:17:59 -07:00
|
|
|
|
2020-06-02 14:54:54 -07:00
|
|
|
Rationale
|
|
|
|
=========
|
|
|
|
|
|
|
|
This change simplifies the Ed25519 validation logic and reduces future
|
|
|
|
maintenance burden. Because multiplication by the cofactor admits more
|
2020-06-09 04:56:33 -07:00
|
|
|
solutions to the validation equation, not fewer, it is compatible with all
|
2020-06-02 14:54:54 -07:00
|
|
|
existing Ed25519 signatures on the chain.
|
|
|
|
|
2020-06-09 04:56:33 -07:00
|
|
|
It also allows the use of batch validation, which requires multiplication
|
|
|
|
by the cofactor in the validation equation.
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-07-05 09:17:59 -07:00
|
|
|
|
2020-06-02 14:54:54 -07:00
|
|
|
Security and Privacy Considerations
|
|
|
|
===================================
|
|
|
|
|
|
|
|
This change has no effect on honestly-generated signatures. Unlike the current
|
|
|
|
validation rules, it makes it possible for a user to generate weak signing keys
|
|
|
|
or to generate signing keys with nonzero torsion component and submit them to
|
|
|
|
the blockchain. However, doing so provides them with no advantage, only
|
|
|
|
compromise to their own security. Moreover, these cases are not a failure mode
|
|
|
|
of any deployed implementation.
|
|
|
|
|
2020-07-05 09:17:59 -07:00
|
|
|
|
2020-06-02 14:54:54 -07:00
|
|
|
Deployment
|
2020-06-05 07:54:52 -07:00
|
|
|
==========
|
2020-06-02 14:54:54 -07:00
|
|
|
|
2020-07-05 09:17:59 -07:00
|
|
|
This is intended to be deployed with the Canopy Network Upgrade [#zip-0251]_,
|
|
|
|
which is scheduled to activate on Mainnet [#protocol-networks]_ at block height
|
|
|
|
1046400.
|
|
|
|
|
2020-06-02 14:54:54 -07:00
|
|
|
|
|
|
|
References
|
|
|
|
==========
|
|
|
|
|
2020-11-09 07:59:51 -08:00
|
|
|
.. [#RFC2119] `RFC 2119: Key words for use in RFCs to Indicate Requirement Levels <https://www.rfc-editor.org/rfc/rfc2119.html>`_
|
|
|
|
.. [#RFC8032] `RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA) <https://www.rfc-editor.org/rfc/rfc8032.html>`_
|
2020-07-05 09:17:59 -07:00
|
|
|
.. [#protocol-2020.1.1] `Zcash Protocol Specification, Version 2020.1.1 <https://github.com/zcash/zips/blob/v2020.1.1/protocol/protocol.pdf>`_
|
2020-11-09 07:59:51 -08:00
|
|
|
.. [#protocol-networks] `Zcash Protocol Specification, Version 2020.1.15. Section 3.11: Mainnet and Testnet <protocol/protocol.pdf#networks>`_
|
|
|
|
.. [#protocol-concreteed25519] `Zcash Protocol Specification, Version 2020.1.15. Section 5.4.5: Ed25519 <protocol/protocol.pdf#concreteed25519>`_
|
2020-07-05 09:17:59 -07:00
|
|
|
.. [#zip-0251] `ZIP 251: Deployment of the Canopy Network Upgrade <zip-0251.rst>`_
|