zips/zip-0224.html

364 lines
24 KiB
HTML
Raw Normal View History

<!DOCTYPE html>
<html>
<head>
<title>ZIP 224: Orchard Shielded Protocol</title>
<meta charset="utf-8" />
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script>
<meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head>
<body>
<section>
<pre>ZIP: 224
Title: Orchard Shielded Protocol
Owners: Daira Hopwood &lt;daira@electriccoin.co&gt;
Jack Grigg &lt;jack@electriccoin.co&gt;
Sean Bowe &lt;sean@electriccoin.co&gt;
Kris Nuttycombe &lt;kris@electriccoin.co&gt;
Ying Tong Lai &lt;yingtong@electriccoin.co&gt;
Status: Draft
Category: Consensus
Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/435">https://github.com/zcash/zips/issues/435</a>&gt;</pre>
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a rel="bookmark" href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This document proposes the Orchard shielded protocol, which defines a new shielded pool with spending keys and payment addresses that are amenable to future scalability improvements.</p>
</section>
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a rel="bookmark" href="#motivation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The Orchard protocol is specified as an update to the Zcash Protocol Specification <a id="id1" class="footnote_reference" href="#orchard-spec">1</a>. Given that it largely follows the design of the Sapling protocol, we provide here a list of differences, with references to their normative specifications and associated design rationale.</p>
<section id="curves"><h3><span class="section-heading">Curves</span><span class="section-anchor"> <a rel="bookmark" href="#curves"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The Orchard protocol uses the Pallas / Vesta curve cycle, in place of BLS12-381 and its embedded curve Jubjub:</p>
<ul>
<li>Pallas is used as the "application curve", on which the Orchard protocol itself is implemented (c/f Jubjub).</li>
<li>Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381).</li>
</ul>
<p>We use (version 10 of) the IETF hash-to-curve Internet Draft <a id="id2" class="footnote_reference" href="#ietf-hash-to-curve">25</a> to implement
<span class="math">\(\mathsf{GroupHash}\)</span>
, instead of the BLAKE2s-based mechanism used for Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
<span class="math">\(\mathsf{GroupHash}\)</span>
.</p>
<p>The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs.</p>
<ul>
<li>Curve specifications: <a id="id3" class="footnote_reference" href="#spec-pasta">10</a></li>
<li>Group hash: <a id="id4" class="footnote_reference" href="#spec-pasta-grouphash">11</a></li>
<li>Supporting evidence: <a id="id5" class="footnote_reference" href="#pasta-evidence">26</a></li>
</ul>
</section>
<section id="proving-system"><h3><span class="section-heading">Proving system</span><span class="section-anchor"> <a rel="bookmark" href="#proving-system"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard uses the Halo 2 proving system with the UltraPLONK arithmetization (UPA), instead of Groth16 and R1CS.</p>
<p>This ZIP does not make use of Halo 2's support for recursive proofs, but this is expected to be leveraged by future ZIPs.</p>
<ul>
<li>Halo 2 protocol description: TODO</li>
<li>UltraPLONK Arithmetization: <a id="id6" class="footnote_reference" href="#concepts-upa">16</a></li>
<li>Halo 2 explanation and design rationale: <a id="id7" class="footnote_reference" href="#design-halo2">17</a></li>
</ul>
</section>
<section id="circuit"><h3><span class="section-heading">Circuit</span><span class="section-anchor"> <a rel="bookmark" href="#circuit"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard uses a single circuit for both spends and outputs, similar to Sprout. An "action" contains both a single (possibly dummy) note being spent, and a single (possibly dummy) note being created.</p>
<p>An Orchard transaction contains a "bundle" of actions, and a single Halo 2 proof that covers all of the actions in the bundle.</p>
<ul>
<li>Action description: <a id="id8" class="footnote_reference" href="#spec-actions">4</a></li>
<li>Circuit statement: <a id="id9" class="footnote_reference" href="#spec-action-statement">5</a></li>
<li>Design rationale: <a id="id10" class="footnote_reference" href="#design-actions">19</a></li>
</ul>
</section>
<section id="commitments"><h3><span class="section-heading">Commitments</span><span class="section-anchor"> <a rel="bookmark" href="#commitments"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The Orchard protocol has equivalent commitment schemes to Sapling. For non-homomorphic commitments, Orchard uses the UPA-efficient Sinsemilla in place of Bowe--Hopwood Pedersen hashes.</p>
<ul>
<li>Sinsemilla hash function: <a id="id11" class="footnote_reference" href="#spec-sinsemilla-hash">7</a></li>
<li>Sinsemilla commitments: <a id="id12" class="footnote_reference" href="#spec-sinsemilla-comm">9</a></li>
<li>Design rationale: <a id="id13" class="footnote_reference" href="#design-commitments">20</a></li>
</ul>
</section>
<section id="commitment-tree"><h3><span class="section-heading">Commitment tree</span><span class="section-anchor"> <a rel="bookmark" href="#commitment-tree"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard uses an identical commitment tree structure to Sapling, except that we instantiate it with Sinsemilla instead of a Bowe-Hopwood Pedersen hash.</p>
<ul>
<li>Design rationale and considered alternatives: <a id="id14" class="footnote_reference" href="#design-tree">21</a></li>
</ul>
</section>
<section id="keys-and-addresses"><h3><span class="section-heading">Keys and addresses</span><span class="section-anchor"> <a rel="bookmark" href="#keys-and-addresses"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard keys and payment addresses are structurally similar to Sapling, with the following changes:</p>
<ul>
<li>The proof authorizing key is removed, and
<span class="math">\(\mathsf{nk}\)</span>
is now a field element.</li>
<li>
<span class="math">\(\mathsf{ivk}\)</span>
is computed as a Sinsemilla commitment instead of a BLAKE2s output.</li>
<li>
<span class="math">\(\mathsf{ovk}\)</span>
is derived from
<span class="math">\(\mathsf{fvk}\)</span>
, instead of being a component of the spending key.</li>
<li>All diversifiers now result in valid payment addresses.</li>
</ul>
<p>Keys and addresses are encoded using Bech32. Orchard addresses used with the Zcash mainnet have the prefix "zo" (compared to "zc" for Sprout and "zs" for Sapling).</p>
<p>Orchard keys may be derived in a hierarchical deterministic (HD) manner. We do not adapt the Sapling HD mechanism from ZIP 32 <a id="id15" class="footnote_reference" href="#zip-0032">23</a> to Orchard; instead, we define a simple hardened-only derivation mechanism.</p>
<ul>
<li>Key components diagram: <a id="id16" class="footnote_reference" href="#spec-addrs-keys">2</a></li>
<li>Key components specification: <a id="id17" class="footnote_reference" href="#spec-keys">6</a></li>
<li>Encodings and HRPs: <a id="id18" class="footnote_reference" href="#spec-encoding-addr">12</a> <a id="id19" class="footnote_reference" href="#spec-encoding-ivk">13</a> <a id="id20" class="footnote_reference" href="#spec-encoding-fvk">14</a> <a id="id21" class="footnote_reference" href="#spec-encoding-sk">15</a></li>
<li>HD key derivation specification: TODO
<ul>
<li>Needs to be hierarchical, but output only needs to be uniform 32 bytes.</li>
<li>Probably just <cite>BLAKE2b-256(derivation_path)</cite>, in line with our existing primitives.</li>
</ul>
</li>
<li>Design rationale: <a id="id22" class="footnote_reference" href="#design-keys">18</a></li>
</ul>
</section>
<section id="notes"><h3><span class="section-heading">Notes</span><span class="section-anchor"> <a rel="bookmark" href="#notes"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard notes have the structure
<span class="math">\((addr, v, \rho, \psi, \mathsf{rcm})\)</span>
.
<span class="math">\(\psi\)</span>
and
<span class="math">\(\mathsf{rcm}\)</span>
are derived from a random seed (as with Sapling after ZIP 212 <a id="id23" class="footnote_reference" href="#zip-0212">24</a>).</p>
<ul>
<li>Orchard notes: <a id="id24" class="footnote_reference" href="#spec-notes">3</a></li>
</ul>
</section>
<section id="nullifiers"><h3><span class="section-heading">Nullifiers</span><span class="section-anchor"> <a rel="bookmark" href="#nullifiers"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Nullifiers for Orchard notes are computed as:</p>
<p>
<span class="math">\(\mathsf{nf} = [F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf{cm}\)</span>
</p>
<p>where
<span class="math">\(F\)</span>
is instantiated with Poseidon, and
<span class="math">\(\mathcal{G}\)</span>
is a fixed independent base.</p>
<ul>
<li>Poseidon: TODO</li>
<li>Design rationale and considered alternatives: <a id="id25" class="footnote_reference" href="#design-nullifiers">22</a></li>
</ul>
</section>
<section id="signatures"><h3><span class="section-heading">Signatures</span><span class="section-anchor"> <a rel="bookmark" href="#signatures"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard uses RedPallas (RedDSA instantiated with the Pallas curve) as its signature scheme in place of Sapling's RedJubjub (RedDSA instantiated with the Jubjub curve).</p>
<ul>
<li>RedPallas: <a id="id26" class="footnote_reference" href="#spec-redpallas">8</a></li>
</ul>
</section>
</section>
<section id="additional-rationale"><h2><span class="section-heading">Additional Rationale</span><span class="section-anchor"> <a rel="bookmark" href="#additional-rationale"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="security-and-privacy-considerations"><h2><span class="section-heading">Security and Privacy Considerations</span><span class="section-anchor"> <a rel="bookmark" href="#security-and-privacy-considerations"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="deployment"><h2><span class="section-heading">Deployment</span><span class="section-anchor"> <a rel="bookmark" href="#deployment"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This ZIP is proposed to activate with Network Upgrade 5.</p>
</section>
<section id="references"><h2><span class="section-heading">References</span><span class="section-anchor"> <a rel="bookmark" href="#references"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<table id="orchard-spec" class="footnote">
<tbody>
<tr>
<th>1</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]</a></td>
</tr>
</tbody>
</table>
<table id="spec-addrs-keys" class="footnote">
<tbody>
<tr>
<th>2</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#addressesandkeys">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.1: Payment Addresses and Keys</a></td>
</tr>
</tbody>
</table>
<table id="spec-notes" class="footnote">
<tbody>
<tr>
<th>3</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#notes">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.2: Notes</a></td>
</tr>
</tbody>
</table>
<table id="spec-actions" class="footnote">
<tbody>
<tr>
<th>4</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actions">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.7: Action Transfers and their Descriptions</a></td>
</tr>
</tbody>
</table>
<table id="spec-action-statement" class="footnote">
<tbody>
<tr>
<th>5</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actionstatement">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. 4.17.4: Action Statement (Orchard)</a></td>
</tr>
</tbody>
</table>
<table id="spec-keys" class="footnote">
<tbody>
<tr>
<th>6</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardkeycomponents">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 4.2.3: Orchard Key Components</a></td>
</tr>
</tbody>
</table>
<table id="spec-sinsemilla-hash" class="footnote">
<tbody>
<tr>
<th>7</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillahash">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.1.9: Sinsemilla Hash Function</a></td>
</tr>
</tbody>
</table>
<table id="spec-redpallas" class="footnote">
<tbody>
<tr>
<th>8</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretereddsa">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.6: RedDSA, RedJubjub, and RedPallas</a></td>
</tr>
</tbody>
</table>
<table id="spec-sinsemilla-comm" class="footnote">
<tbody>
<tr>
<th>9</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillacommit">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.7.4: Sinsemilla commitments</a></td>
</tr>
</tbody>
</table>
<table id="spec-pasta" class="footnote">
<tbody>
<tr>
<th>10</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#pallasandvesta">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.6: Pallas and Vesta</a></td>
</tr>
</tbody>
</table>
<table id="spec-pasta-grouphash" class="footnote">
<tbody>
<tr>
<th>11</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretegrouphashpallasandvesta">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.8: Group Hash into Pallas and Vesta</a></td>
</tr>
</tbody>
</table>
<table id="spec-encoding-addr" class="footnote">
<tbody>
<tr>
<th>12</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardpaymentaddrencoding">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.5: Orchard Payment Address</a></td>
</tr>
</tbody>
</table>
<table id="spec-encoding-ivk" class="footnote">
<tbody>
<tr>
<th>13</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardinviewingkeyencoding">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.8: Orchard Incoming Viewing Keys</a></td>
</tr>
</tbody>
</table>
<table id="spec-encoding-fvk" class="footnote">
<tbody>
<tr>
<th>14</th>
<td>TODO</td>
</tr>
</tbody>
</table>
<table id="spec-encoding-sk" class="footnote">
<tbody>
<tr>
<th>15</th>
<td>TODO</td>
</tr>
</tbody>
</table>
<table id="concepts-upa" class="footnote">
<tbody>
<tr>
<th>16</th>
<td><a href="https://zcash.github.io/halo2/concepts/arithmetization.html">The halo2 Book: 1.2 UltraPLONK Arithmetization</a></td>
</tr>
</tbody>
</table>
<table id="design-halo2" class="footnote">
<tbody>
<tr>
<th>17</th>
<td><a href="https://zcash.github.io/halo2/design/proving-system.html">The halo2 Book: 3.1. Proving system</a></td>
</tr>
</tbody>
</table>
<table id="design-keys" class="footnote">
<tbody>
<tr>
<th>18</th>
<td><a href="https://zcash.github.io/orchard/design/keys.html">The Orchard Book: 3.1. Keys and addresses</a></td>
</tr>
</tbody>
</table>
<table id="design-actions" class="footnote">
<tbody>
<tr>
<th>19</th>
<td><a href="https://zcash.github.io/orchard/design/actions.html">The Orchard Book: 3.2. Actions</a></td>
</tr>
</tbody>
</table>
<table id="design-commitments" class="footnote">
<tbody>
<tr>
<th>20</th>
<td><a href="https://zcash.github.io/orchard/design/commitments.html">The Orchard Book: 3.3. Commitments</a></td>
</tr>
</tbody>
</table>
<table id="design-tree" class="footnote">
<tbody>
<tr>
<th>21</th>
<td><a href="https://zcash.github.io/orchard/design/commitment-tree.html">The Orchard Book: 3.4. Commitment tree</a></td>
</tr>
</tbody>
</table>
<table id="design-nullifiers" class="footnote">
<tbody>
<tr>
<th>22</th>
<td><a href="https://zcash.github.io/orchard/design/nullifiers.html">The Orchard Book: 3.5. Nullifiers</a></td>
</tr>
</tbody>
</table>
<table id="zip-0032" class="footnote">
<tbody>
<tr>
<th>23</th>
<td><a href="zip-0032">ZIP 32: Shielded Hierarchical Deterministic Wallets</a></td>
</tr>
</tbody>
</table>
<table id="zip-0212" class="footnote">
<tbody>
<tr>
<th>24</th>
<td><a href="zip-0212">ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext</a></td>
</tr>
</tbody>
</table>
<table id="ietf-hash-to-curve" class="footnote">
<tbody>
<tr>
<th>25</th>
<td><a href="https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.html">draft-irtf-cfrg-hash-to-curve-10: Hashing to Elliptic Curves</a></td>
</tr>
</tbody>
</table>
<table id="pasta-evidence" class="footnote">
<tbody>
<tr>
<th>26</th>
<td><a href="https://github.com/zcash/pasta">Pallas/Vesta supporting evidence</a></td>
</tr>
</tbody>
</table>
</section>
</section>
</body>
</html>