From 12a16786815e3be292c24350d944ad21c026174c Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Wed, 8 Dec 2021 23:47:06 +0000 Subject: [PATCH] ZIPs 32 and 316: Regenerate HTML. Signed-off-by: Daira Hopwood --- zip-0032.html | 9 ++- zip-0316.html | 194 ++++++++++++++++++++++++++++++++++++-------------- 2 files changed, 146 insertions(+), 57 deletions(-) diff --git a/zip-0032.html b/zip-0032.html index fba5d76b..d9f75da1 100644 --- a/zip-0032.html +++ b/zip-0032.html @@ -44,7 +44,7 @@ License: MIT
  • Wallets only need to store a single seed (particularly useful for hardware wallets).
  • A one-time backup of the seed (usually stored as a word phrase 3) can be used to recover funds from all future addresses.
  • Keys are arranged into a tree of chains, enabling wallets to represent "accounts" or other high-level structures.
    • -
  • View authority or spend authority can be delegated independently for sub-trees without compromising the master seed.
    • +
  • Viewing authority or spending authority can be delegated independently for sub-trees without compromising the master seed.

    • At present, no such equivalent exists for Zcash's shielded addresses. This is of particular concern for hardware wallets; all currently-marketed devices only store a seed internally, and have trained their users to only backup that seed. Given that the Sapling upgrade will make it feasible to use hardware wallets with shielded addresses, it is desirable to have a standard mechanism for deriving them.

    @@ -670,7 +670,7 @@ License: MIT ) following the BIP 43 recommendation. It indicates that the subtree of this node is used according to this specification.
  • \(coin\_type\) - : a constant identifying the cybercoin that this subtree's keys are used with. For compatibility with existing BIP 44 implementations, we use the same constants as defined in SLIP 44 6. Note that in keeping with that document, all cybercoin testnets share + : a constant identifying the cryptocurrency that this subtree's keys are used with. For compatibility with existing BIP 44 implementations, we use the same constants as defined in SLIP 44 6. Note that in keeping with that document, all cryptocurrency testnets share \(coin\_type\) index \(1\) @@ -707,6 +707,11 @@ License: MIT \(m_\mathsf{Sapling} / purpose' / coin\_type' / account' / address\_index\) .
    • +

    zcashd version 4.6.0 and later uses this to derive "legacy" Sapling addresses from a mnemonic seed phrase under account + \(\mathtt{0x7FFFFFFF}\) + , using hardened derivation for + \(address\_index\) + .

    Sprout key path

    Wallets implementing Sprout ZIP 32 derivation MUST support the following path:

    diff --git a/zip-0316.html b/zip-0316.html index b170abc4..092d8dfe 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -71,7 +71,7 @@ Discussions-To: <https://g
  • Sapling Addresses

    • Each of these has its own Address Encodings, as a string and as a QR code. (Since the QR code is derivable from the string encoding, for many purposes it suffices to consider the string encoding.)

    -

    The Orchard proposal 10 adds a new Address type, Orchard Addresses.

    +

    The Orchard proposal 18 adds a new Address type, Orchard Addresses.

    The difficulty with defining new Address Encodings for each Address type, is that end-users are forced to be aware of the various types, and in particular which types are supported by a given Consumer or Recipient. In order to make sure that transfers are completed successfully, users may be forced to explicitly generate Addresses of different types and re-distribute encodings of them, which adds significant friction and cognitive overhead to understanding and using Zcash.

    The goals for a Unified Address standard are as follows:

    Viewing Keys

    A Unified Full Viewing Key (resp. Unified Incoming Viewing Key) can be used in a similar way to a Full Viewing Key (resp. Incoming Viewing Key) as described in the Zcash Protocol Specification 2.

    -

    For a Transparent P2PKH Address that is derived according to BIP 32 12 and BIP 44 15, the nearest equivalent to a Full Viewing Key or Incoming Viewing Key for a given BIP 44 account is an extended public key, as defined in the section “Extended keys” of BIP 32. Therefore, UFVKs and UIVKs should be able to include such extended public keys.

    +

    For a Transparent P2PKH Address that is derived according to BIP 32 20 and BIP 44 23, the nearest equivalent to a Full Viewing Key or Incoming Viewing Key for a given BIP 44 account is an extended public key, as defined in the section “Extended keys” of BIP 32. Therefore, UFVKs and UIVKs should be able to include such extended public keys.

    A wallet should support deriving a UIVK from a UFVK, and a Unified Address from a UIVK.

    Open Issues and Known Concerns

    @@ -150,10 +150,10 @@ Discussions-To: <https://g

    Encoding of Unified Full/Incoming Viewing Keys

    Unified Full or Incoming Viewing Keys are encoded and decoded analogously to Unified Addresses. A Consumer MUST use the decoding procedure from the previous section. For Viewing Keys, a Consumer will normally take the union of information provided by all contained Receivers, and therefore the Priority List defined in the previous section is not used.

    -

    For each UFVK Type or UIVK Type currently defined in this specification, the same Typecode is used as for the corresponding Receiver Type in a Unified Address. Additional UFVK Types and UIVK Types MAY be defined in future, and these will not necessarily use the same Typecode as the corresponding Unified Address.

    -

    The following UFVK or UIVK Encodings are used in place of the +

    For each FVK Type or IVK Type currently defined in this specification, the same Typecode is used as for the corresponding Receiver Type in a Unified Address. Additional FVK Types and IVK Types MAY be defined in future, and these will not necessarily use the same Typecode as the corresponding Unified Address.

    +

    The following FVK or IVK Encodings are used in place of the \(\mathtt{addr}\) field:

      -
    • An Orchard UFVK or UIVK Encoding, with Typecode +
    • An Orchard FVK or IVK Encoding, with Typecode \(\mathtt{0x03},\) - is the raw encoding of the Orchard Full Viewing Key or Orchard Incoming Viewing Key respectively.
      • -
    • A Sapling UFVK Encoding, with Typecode + is is the raw encoding of the Orchard Full Viewing Key or Orchard Incoming Viewing Key respectively.
      • +
    • A Sapling FVK Encoding, with Typecode \(\mathtt{0x02},\) - is the encoding of a Sapling Extended Full Viewing Key defined in 7.
      • -
    • A Sapling UIVK Encoding, also with Typecode + is the encoding of + \((\mathsf{ak}, \mathsf{nk}, \mathsf{ovk}, \mathsf{dk})\) + given by + \(\mathsf{EncodeExtFVKParts}(\mathsf{ak}, \mathsf{nk}, \mathsf{ovk}, \mathsf{dk})\) + , where + \(\mathsf{EncodeExtFVKParts}\) + is defined in 11. This SHOULD be derived from the Extended Full Viewing Key at the Account level of the ZIP 32 hierarchy.
      • +
    • A Sapling IVK Encoding, also with Typecode \(\mathtt{0x02},\) is an encoding of \((\mathsf{dk}, \mathsf{ivk})\) @@ -229,11 +235,19 @@ Discussions-To: <https://g
    • There is no defined way to represent a Viewing Key for a Transparent P2SH Address in a UFVK or UIVK (because P2SH Addresses cannot be diversified in an unlinkable way). The Typecode \(\mathtt{0x01}\) MUST NOT be included in a UFVK or UIVK by Producers, and MUST be treated as unrecognized by Consumers.
      • -
    • For Transparent P2PKH Addresses that are derived according to BIP 32 12 and BIP 44 15, the UFVK and UIVK Encodings have Typecode +
    • For Transparent P2PKH Addresses that are derived according to BIP 32 20 and BIP 44 23, the FVK and IVK Encodings have Typecode \(\mathtt{0x00}.\) - These encodings are identical and are the serialization of an extended public key, defined in the section “Serialization format” of BIP 32 13.
      • + Both of these are encodings of the chain code and public key + \((\mathsf{c}, \mathsf{pk})\) + given by + \(\mathsf{c}\,||\,\mathsf{ser_P}(\mathsf{pk})\) + . (This is the same as the last 65 bytes of the extended public key format defined in section “Serialization format” of BIP 32 21.) However, the FVK uses the key at the Account level, i.e. at path + \(m / 44' / coin\_type' / account'\) + , while the IVK uses the external (non-change) child key at the Change level, i.e. at path + \(m / 44' / coin\_type' / account' / 0\) + .
    -

    The Human-Readable Parts (as defined in 17) of Unified Viewing Keys are defined as follows:

    +

    The Human-Readable Parts (as defined in 25) of Unified Viewing Keys are defined as follows:

    • uivk” for Unified Incoming Viewing Keys on Mainnet;
    • uivktest” for Unified Incoming Viewing Keys on Testnet;
      • @@ -254,10 +268,10 @@ Discussions-To: <https://g \(\mathtt{length}\) fields are encoded as \(\mathtt{compactSize}.\) - 20 (Although existing Receiver Encodings and Viewing Key Encodings are all less than 256 bytes and so could use a one-byte length field, encodings for experimental types may be longer.) -
    • Each Receiver, UFVK, or UIVK SHOULD represent an Address or Viewing Key at the ZIP 32 or BIP 44 Account level.
      • + 28 (Although existing Receiver Encodings and Viewing Key Encodings are all less than 256 bytes and so could use a one-byte length field, encodings for experimental types may be longer.) +
    • Within a single UA or UVK, all HD-derived Receivers, FVKs, and IVKs SHOULD represent an Address or Viewing Key for the same account (as used in the ZIP 32 or BIP 44 Account level).
    • For Transparent Addresses, the Receiver Encoding does not include the first two bytes of a raw encoding.
      • -
    • There is intentionally no Typecode defined for a Sprout Shielded Payment Address or Sprout Incoming Viewing Key. Since it is no longer possible (since activation of ZIP 211 in the Canopy network upgrade 9) to send funds into the Sprout chain value pool, this would not be generally useful.
      • +
    • There is intentionally no Typecode defined for a Sprout Shielded Payment Address or Sprout Incoming Viewing Key. Since it is no longer possible (since activation of ZIP 211 in the Canopy network upgrade 17) to send funds into the Sprout chain value pool, this would not be generally useful.
    • Consumers MUST ignore constituent Addresses/Viewing Keys with Typecodes they do not recognize.
    • Consumers MUST reject Unified Addresses/Viewing Keys in which the same Typecode appears more than once, or that include both P2SH and P2PKH Transparent Addresses, or that contain only a Transparent Address.
    • Consumers MUST reject Unified Addresses/Viewing Keys in which any constituent address does not meet the validation requirements of its Receiver Encoding, as specified in the Zcash Protocol Specification 2.
      • @@ -266,33 +280,39 @@ Discussions-To: <https://g

    Adding new types

    -

    It is intended that new Receiver Types and Viewing Key Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 6.

    +

    It is intended that new Receiver Types and Viewing Key Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 10.

    For experimentation prior to proposing a ZIP, experimental types MAY be added using the reserved Typecodes \(\mathtt{0xFFFA}\) to \(\mathtt{0xFFFF}\) inclusive. This provides for six simultaneous experiments, which can be referred to as experiments A to F. This should be sufficient because experiments are expected to be reasonably short-term, and should otherwise be either standardized in a ZIP (and allocated a Typecode outside this reserved range) or discontinued.

    +

    New types SHOULD maintain the same distinction between FVK and IVK authority as existing types, i.e. an FVK is intended to give access to view all transactions to and from the address, while an IVK is intended to give access only to view incoming payments (as opposed to change).

    Deriving a UIVK from a UFVK

    -

    Each UIVK Encoding can straightforwardly be derived from the corresponding UFVK Encoding, without changing the Typecode. In the case of a Transparent P2PKH UFVK Encoding, the UIVK Encoding is the same.

    +

    The following derivations are applied to each component FVK:

    +
      +
    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • +
    • For an Orchard FVK, the corresponding Orchard IVK is obtained as specified in 5.
      • +
    • For a Transparent P2PKH FVK, the corresponding Transparent P2PKH IVK is obtained by deriving the child key with non-hardened index + \(0\) + as described in 22.
      • +
    +

    In each case, the Typecode remains the same as in the FVK.

    Deriving a Unified Address from a UIVK

    To derive a Unified Address from a UIVK we need to choose a diversifier index, which MUST be valid for all of the Viewing Key Types in the UIVK. That is,

      -
    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 8.
      • +
    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 13.
    • A Transparent diversifier index MUST be in the range \(0\) to - \(2^{31}\) + \(2^{31} - 1\) inclusive.

    There are no additional constraints on an Orchard diversifier index.

    -

    In the case of deriving a Transparent P2PKH Receiver from a Transparent P2PKH UIVK, the diversifier index is used as a BIP 44 child key index at the Index level to derive the address. As is usual for derivations below the BIP 44 Account level, non-hardened (public) derivation 14 MUST be used, with the Change element of the path being 0, and the Index element of the path being the diversifier index 16. That is, the BIP 44 path of the Transparent P2PKH Receiver MUST be:

    -
      -
    • - \(m / 44' / \mathit{coin\_type\kern0.05em'} / \mathit{account\kern0.1em'} / 0 / \mathit{diversifier\_index}.\) -
      • -
    +

    In the case of deriving a Transparent P2PKH Receiver from a Transparent P2PKH IVK, the diversifier index is used as a BIP 44 child key index at the Index level 24 to derive the address. As is usual for derivations below the BIP 44 Account level, non-hardened (public) derivation 22 MUST be used. The IVK is assumed to correspond to the extended public key for the non-change element of the path. That is, if the UIVK was constructed correctly then the BIP 44 path of the Transparent P2PKH Receiver will be + \(m / 44' / \mathit{coin\_type\kern0.05em'} / \mathit{account\kern0.1em'} / 0 / \mathit{diversifier\_index}.\) +

    Jumbling

    Security goal (near second preimage resistance):

    @@ -605,7 +625,7 @@ c^{n+m}}{q}.\) 2 - Zcash Protocol Specification, Version 2020.2.15 or later [NU5 proposal] + Zcash Protocol Specification, Version 2020.2.16 or later [NU5 proposal] @@ -613,38 +633,78 @@ c^{n+m}}{q}.\) 3 - Zcash Protocol Specification, Version 2020.2.15 or later [NU5 proposal]. Section 2: Notation + Zcash Protocol Specification, Version 2020.2.16. Section 2: Notation + + + + + + + + + + +
    4Zcash Protocol Specification, Version 2020.2.16. Section 4.2.2: Sapling Key Components
    + + + + +
    5Zcash Protocol Specification, Version 2020.2.16. Section 4.2.3: Orchard Key Components
    - - + +
    4Zcash Protocol Specification, Version 2020.2.15 [NU5 proposal]. Section 5.6.3.1: Sapling Payment Addresses6Zcash Protocol Specification, Version 2020.2.16. Section 5.6.3.1: Sapling Payment Addresses
    - - + + + + +
    5Zcash Protocol Specification, Version 2020.2.15 [NU5 proposal]. Section 5.6.4.2: Orchard Raw Payment Addresses7Zcash Protocol Specification, Version 2020.2.16. Section 5.6.4.2: Orchard Raw Payment Addresses
    + + + + + + + +
    8Zcash Protocol Specification, Version 2020.2.16. Section 5.6.4.3: Orchard Raw Incoming Viewing Keys
    + + + + +
    9Zcash Protocol Specification, Version 2020.2.16. Section 5.6.4.4: Orchard Raw Full Viewing Keys
    - +
    610 ZIP 0: ZIP Process
    + + + + + + + +
    11ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling helper functions
    - + @@ -652,15 +712,39 @@ c^{n+m}}{q}.\)
    712 ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling extended full viewing keys
    - +
    813 ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling diversifier derivation
    + + + + + + + +
    14ZIP 32: Shielded Hierarchical Deterministic Wallets — Orchard child key derivation
    + + + + + + + +
    15ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling key path
    + + + + + + + +
    16ZIP 32: Shielded Hierarchical Deterministic Wallets — Orchard key path
    - + @@ -668,7 +752,7 @@ c^{n+m}}{q}.\)
    917 ZIP 211: Disabling Addition of New Value to the Sprout Chain Value Pool
    - + @@ -676,7 +760,7 @@ c^{n+m}}{q}.\)
    1018 ZIP 224: Orchard Shielded Protocol
    - + @@ -684,7 +768,7 @@ c^{n+m}}{q}.\)
    1119 ZIP 321: Payment Request URIs
    - + @@ -692,15 +776,15 @@ c^{n+m}}{q}.\)
    1220 BIP 32: Hierarchical Deterministic Wallets
    - - + +
    13BIP 32: Hierarchical Deterministic Wallets — Serialization Format21BIP 32: Hierarchical Deterministic Wallets — Serialization Format
    - + @@ -708,7 +792,7 @@ c^{n+m}}{q}.\)
    1422 BIP 32: Hierarchical Deterministic Wallets — Child key derivation (CKD) functions: Public parent key → public child key
    - + @@ -716,7 +800,7 @@ c^{n+m}}{q}.\)
    1523 BIP 44: Multi-Account Hierarchy for Deterministic Wallets
    - + @@ -724,7 +808,7 @@ c^{n+m}}{q}.\)
    1624 BIP 44: Multi-Account Hierarchy for Deterministic Wallets — Path levels: Index
    - + @@ -732,7 +816,7 @@ c^{n+m}}{q}.\)
    1725 BIP 350: Bech32m format for v1+ witness addresses
    - + @@ -740,7 +824,7 @@ c^{n+m}}{q}.\)
    1826 Transactions: P2PKH Script Validation — Bitcoin Developer Guide
    - + @@ -748,7 +832,7 @@ c^{n+m}}{q}.\)
    1927 Transactions: P2SH Scripts — Bitcoin Developer Guide
    - +
    2028 Variable length integer. Bitcoin Wiki