mirror of https://github.com/zcash/zips.git
Merge pull request #217 from str4d/zip-str4d-shielded-coinbase
[ZIP 213] Shielded Coinbase
This commit is contained in:
commit
124476baa4
|
@ -0,0 +1,182 @@
|
|||
::
|
||||
|
||||
ZIP: 213
|
||||
Title: Shielded Coinbase
|
||||
Owners: Jack Grigg <jack@z.cash>
|
||||
Status: Draft
|
||||
Category: Consensus
|
||||
Created: 2019-03-30
|
||||
License: MIT
|
||||
|
||||
|
||||
Terminology
|
||||
===========
|
||||
|
||||
The key words "MUST" and "MAY" in this document are to be interpreted as described in
|
||||
RFC 2119. [#RFC2119]_
|
||||
|
||||
The term "network upgrade" in this document is to be interpreted as described in ZIP 200
|
||||
[#zip-0200]_.
|
||||
|
||||
The term "Sapling" in this document is to be interpreted as described in ZIP 205
|
||||
[#zip-0205]_.
|
||||
|
||||
The terms "Founders' Reward" and "funding stream" in this document are to be interpreted
|
||||
as described in ZIP 207 [#zip-0207]_.
|
||||
|
||||
Abstract
|
||||
========
|
||||
|
||||
This proposal defines modifications to the Zcash consensus rules that enable coinbase
|
||||
funds to be mined to Sapling addresses. It does not disable the use of transparent
|
||||
addresses in coinbase transactions.
|
||||
|
||||
|
||||
Motivation
|
||||
==========
|
||||
|
||||
Zcash inherited the concept of "coinbase transactions" from Bitcoin: special transactions
|
||||
inside each block that are allowed to have no inputs. These transactions are created by
|
||||
miners during block creation, and collect the block reward and transaction fees into new
|
||||
transparent outputs that can then be spent. They are also leveraged in Zcash for the
|
||||
Founders' Reward (and potentially for funding streams [#zip-0207]_).
|
||||
|
||||
On the path to deprecating and removing Bitcoin-inherited transparent addresses within the
|
||||
Zcash network, a required step is to be able to create coinbase transactions that have no
|
||||
transparent outputs. However, Zcash was launched with a consensus rule preventing coinbase
|
||||
transactions from containing shielded outputs, instead enforcing that coinbase funds could
|
||||
not be spent in transactions with transparent outputs. This was partly in order to reduce
|
||||
the complexity of the original Zcash modifications to the Bitcoin Core codebase, but also
|
||||
because at the time, shielded transactions required significant memory and CPU resources
|
||||
to create.
|
||||
|
||||
The Sapling network upgrade [#zip-0205]_ deployed architectural changes and performance
|
||||
improvements that make shielding funds directly in the coinbase transaction feasible. In
|
||||
order to reduce the complexity of the Sapling network upgrade, the existing consensus
|
||||
rules preventing coinbase transactions from containing shielded outputs were extended to
|
||||
cover Sapling outputs. Therefore, it is now necessary to modify the consensus rules in
|
||||
order to enable miners to start using Sapling addresses.
|
||||
|
||||
|
||||
Specification
|
||||
=============
|
||||
|
||||
Prior to activation of the Heartwood network upgrade, this existing consensus rule on
|
||||
coinbase transactions is enforced:
|
||||
|
||||
A coinbase transaction MUST NOT have any JoinSplit descriptions, Spend descriptions,
|
||||
or Output descriptions.
|
||||
|
||||
Once the Heartwood network upgrade activates:
|
||||
|
||||
- Coinbase transactions MAY contain Sapling outputs. More precisely, the above existing
|
||||
consensus rule is modified to:
|
||||
|
||||
A coinbase transaction MUST NOT have any JoinSplit descriptions or Spend
|
||||
descriptions.
|
||||
|
||||
[Pre-Heartwood] A coinbase transaction also MUST NOT have any Output descriptions.
|
||||
|
||||
- The consensus rules applied to ``valueBalance``, ``vShieldedOutput``, and ``bindingSig``
|
||||
in non-coinbase transactions MUST also be applied to coinbase transactions.
|
||||
|
||||
- Only transparent outputs in coinbase transactions are subject to the existing
|
||||
restrictions on spending coinbase funds. More precisely:
|
||||
|
||||
- The existing consensus rule requiring transactions that spend coinbase outputs to have
|
||||
an empty ``vout``, is amended to only apply to transactions that spend transparent
|
||||
coinbase outputs.
|
||||
|
||||
- The existing consensus rule requiring coinbase outputs to have 100 confirmations
|
||||
before they may be spent (coinbase maturity), is amended to only apply to transparent
|
||||
coinbase outputs. Specifically, it becomes:
|
||||
|
||||
A transaction MUST NOT spend a transparent output of a coinbase transaction from a
|
||||
block less than 100 blocks prior to the spend. Note that outputs of coinbase
|
||||
transactions include Founders’ Reward outputs [and potentially funding stream
|
||||
outputs].
|
||||
|
||||
- Full Sapling note decryption MUST succeed using the all-zero outgoing viewing key. More
|
||||
precisely, all Sapling outputs in coinbase transactions MUST have valid note commitments
|
||||
when recovered using a 32-byte array of zeroes as the outgoing viewing key.
|
||||
|
||||
|
||||
Interaction with the Founders' Reward
|
||||
-------------------------------------
|
||||
|
||||
This ZIP does not alter the existing Founders' Reward addresses.
|
||||
|
||||
|
||||
Rationale
|
||||
=========
|
||||
|
||||
The ZIP does not require that all coinbase must be shielded immediately from activation of
|
||||
the network upgrade, so that miners and mining pools may gradually migrate from their
|
||||
existing transparent addresses to Sapling addresses. This also simplifies the consensus
|
||||
rules, because the Founders' Reward targets transparent addresses, and thus it remains
|
||||
necessary for the time being to support them. A future ZIP could require all coinbase to
|
||||
be shielded immediately.
|
||||
|
||||
Enforcing coinbase maturity at the consensus level for Sapling outputs would incur
|
||||
significant complexity in the consensus rules, because it would require special-casing
|
||||
coinbase note commitments in the Sapling commitment tree. The standard recommendation when
|
||||
spending a note is to select an anchor 10 blocks back from the current chain tip, which
|
||||
acts as a de-facto 10-block maturity on all notes, coinbase included. This might be
|
||||
proposed as a consensus rule in future.
|
||||
|
||||
There is another reason for shielded coinbase maturity being unnecessary: when a reorg or
|
||||
rollback occurs that would cause a shielded coinbase output to disappear, it will also
|
||||
invalidate every shielded transaction that uses an anchor descending from the tree that
|
||||
the shielded coinbase output had been appended to. That is, all economic activity would be
|
||||
rolled back in addition to the shielded coinbase output disappearing, so there is no
|
||||
reason to make shielded coinbase a special case when the same behaviour occurs in regular
|
||||
shielded notes already. In the transparent coinbase case, only direct child transactions
|
||||
of the transparent coinbase would become invalid, and thus it would be possible to end up
|
||||
in a situation where a logical child transaction (for example, a mining pool paying out
|
||||
miners) persists in the block chain after its logical parent (the mining pool receiving a
|
||||
block) disappears.
|
||||
|
||||
Requiring that note commitments are valid when recovering using a fixed outgoing viewing
|
||||
key implies that target addresses and values for all Sapling outputs within the coinbase
|
||||
are revealed. This would be necessary to correctly enforce shielded Founders' Reward or
|
||||
funding stream outputs, and it is simpler to enforce this on all outputs. Additionally,
|
||||
this maintains the ability for network observers to track miners and mining pools.
|
||||
Meanwhile, the miners and mining pools could put useful or identifying text in the memo
|
||||
fields of the outputs, instead of storing it ad-hoc elsewhere in the coinbase transaction.
|
||||
|
||||
|
||||
Security and Privacy Considerations
|
||||
===================================
|
||||
|
||||
Sapling outputs in coinbase transactions are by design publicly viewable, in contrast to
|
||||
Sapling outputs in normal transactions. This does not introduce any privacy regressions
|
||||
relative to existing coinbase transactions, because coinbase output values and recipient
|
||||
addresses have always been public information. However, users with threat models that rely
|
||||
on keeping their Sapling address private (for example, to maintain post-quantum privacy),
|
||||
and who are also miners or mining pools, should use a coinbase-specific address when
|
||||
creating blocks.
|
||||
|
||||
Revealing the coinbase output notes does not enable anyone else to detect when the note is
|
||||
spent, which removes the need for a separate shielding step like is enforced for
|
||||
transparent coinbase outputs.
|
||||
|
||||
|
||||
Deployment
|
||||
==========
|
||||
|
||||
This proposal will be deployed with the Heartwood network upgrade.
|
||||
|
||||
|
||||
Reference Implementation
|
||||
========================
|
||||
|
||||
https://github.com/zcash/zcash/pull/4256
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
.. [#RFC2119] `Key words for use in RFCs to Indicate Requirement Levels <https://tools.ietf.org/html/rfc2119>`_
|
||||
.. [#zip-0200] `ZIP 200: Network Upgrade Activation Mechanism <https://github.com/zcash/zips/blob/master/zip-0200.rst>`_
|
||||
.. [#zip-0205] `ZIP 205: Deployment of the Sapling Network Upgrade <https://github.com/zcash/zips/blob/master/zip-0205.rst>`_
|
||||
.. [#zip-0207] `ZIP 207: Split Founders' Reward <https://github.com/zcash/zips/blob/master/zip-0207.rst>`_
|
Loading…
Reference in New Issue