mirror of https://github.com/zcash/zips.git
Merge pull request #320 from daira/spec-timejacking-fix
Protocol Specification version 2020.1.0
This commit is contained in:
Daira Hopwood
GitHub
commit
258c3729de
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 63 KiB |
File diff suppressed because it is too large
Load Diff
|
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 44 KiB |
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
Before Width: | Height: | Size: 58 KiB After Width: | Height: | Size: 73 KiB |
|
|
@ -13,7 +13,7 @@
|
|||
height="370"
|
||||
id="svg2"
|
||||
version="1.1"
|
||||
inkscape:version="0.92.0 r15299"
|
||||
inkscape:version="0.92.4 (5da689c313, 2019-01-14)"
|
||||
sodipodi:docname="key_components.svg"
|
||||
inkscape:export-filename="/home/davidsarah/zecc/zips/protocol/key_components.png"
|
||||
inkscape:export-xdpi="179.99957"
|
||||
|
|
@ -26,7 +26,7 @@
|
|||
inkscape:pageopacity="0.0"
|
||||
inkscape:pageshadow="2"
|
||||
inkscape:zoom="1.979899"
|
||||
inkscape:cx="256.59392"
|
||||
inkscape:cx="142.95176"
|
||||
inkscape:cy="195.56571"
|
||||
inkscape:document-units="px"
|
||||
inkscape:current-layer="layer1"
|
||||
|
|
@ -190,7 +190,7 @@
|
|||
<dc:format>image/svg+xml</dc:format>
|
||||
<dc:type
|
||||
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
|
||||
<dc:title></dc:title>
|
||||
<dc:title />
|
||||
</cc:Work>
|
||||
</rdf:RDF>
|
||||
</metadata>
|
||||
|
|
@ -343,15 +343,15 @@
|
|||
</g>
|
||||
<text
|
||||
id="text3850-7"
|
||||
y="784.07965"
|
||||
x="176.54729"
|
||||
y="784.58472"
|
||||
x="123.51428"
|
||||
style="font-style:italic;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:19.20000076px;line-height:125%;font-family:Serif;-inkscape-font-specification:'Serif Italic';letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1.06666672"
|
||||
xml:space="preserve"><tspan
|
||||
style="font-style:italic;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:23.46666718px;font-family:Quattrocento;-inkscape-font-specification:'Quattrocento Italic';stroke-width:1.06666672"
|
||||
y="784.07965"
|
||||
x="176.54729"
|
||||
y="784.58472"
|
||||
x="123.51428"
|
||||
id="tspan3852-97"
|
||||
sodipodi:role="line">Payment address</tspan></text>
|
||||
sodipodi:role="line">Shielded payment address</tspan></text>
|
||||
<rect
|
||||
ry="26.666662"
|
||||
y="936.75397"
|
||||
|
|
|
|||
|
Before Width: | Height: | Size: 20 KiB After Width: | Height: | Size: 20 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 181 KiB After Width: | Height: | Size: 229 KiB |
|
|
@ -13,7 +13,7 @@
|
|||
height="720"
|
||||
id="svg2"
|
||||
version="1.1"
|
||||
inkscape:version="0.92.0 r15299"
|
||||
inkscape:version="0.92.4 (5da689c313, 2019-01-14)"
|
||||
sodipodi:docname="key_components_sapling.svg"
|
||||
inkscape:export-filename="c:\zcash\key_components_sapling.png"
|
||||
inkscape:export-xdpi="179.99957"
|
||||
|
|
@ -25,16 +25,16 @@
|
|||
borderopacity="1.0"
|
||||
inkscape:pageopacity="0.0"
|
||||
inkscape:pageshadow="2"
|
||||
inkscape:zoom="0.98994951"
|
||||
inkscape:cx="927.70996"
|
||||
inkscape:cy="254.72974"
|
||||
inkscape:zoom="1.4"
|
||||
inkscape:cx="578.63382"
|
||||
inkscape:cy="453.59131"
|
||||
inkscape:document-units="px"
|
||||
inkscape:current-layer="layer1"
|
||||
showgrid="false"
|
||||
inkscape:window-width="1525"
|
||||
inkscape:window-height="943"
|
||||
inkscape:window-x="69"
|
||||
inkscape:window-y="182"
|
||||
inkscape:window-width="3150"
|
||||
inkscape:window-height="1491"
|
||||
inkscape:window-x="453"
|
||||
inkscape:window-y="118"
|
||||
inkscape:window-maximized="0"
|
||||
inkscape:lockguides="false"
|
||||
inkscape:snap-global="false" />
|
||||
|
|
@ -617,15 +617,15 @@
|
|||
</g>
|
||||
<text
|
||||
id="text3850-7"
|
||||
y="512.10144"
|
||||
x="181.49651"
|
||||
y="512.354"
|
||||
x="134.01933"
|
||||
style="font-style:italic;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:19.20000076px;line-height:125%;font-family:Serif;-inkscape-font-specification:'Serif Italic';letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1.06666672"
|
||||
xml:space="preserve"><tspan
|
||||
style="font-style:italic;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:23.46666718px;font-family:Quattrocento;-inkscape-font-specification:'Quattrocento Italic';stroke-width:1.06666672"
|
||||
y="512.10144"
|
||||
x="181.49651"
|
||||
y="512.354"
|
||||
x="134.01933"
|
||||
id="tspan3852-97"
|
||||
sodipodi:role="line">Payment address</tspan></text>
|
||||
sodipodi:role="line">Shielded payment address</tspan></text>
|
||||
<rect
|
||||
ry="26.666662"
|
||||
y="647.65533"
|
||||
|
|
@ -831,15 +831,15 @@
|
|||
</g>
|
||||
<text
|
||||
id="text3850-7-7"
|
||||
y="511.16852"
|
||||
x="800.72668"
|
||||
y="513.18884"
|
||||
x="752.23938"
|
||||
style="font-style:italic;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:19.20000076px;line-height:125%;font-family:Serif;-inkscape-font-specification:'Serif Italic';letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1.06666672"
|
||||
xml:space="preserve"><tspan
|
||||
style="font-style:italic;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:23.46666718px;font-family:Quattrocento;-inkscape-font-specification:'Quattrocento Italic';stroke-width:1.06666672"
|
||||
y="511.16852"
|
||||
x="800.72668"
|
||||
id="tspan3852-97-4"
|
||||
sodipodi:role="line">Payment address</tspan></text>
|
||||
y="513.18884"
|
||||
x="752.23938"
|
||||
sodipodi:role="line"
|
||||
id="tspan4954">Shielded payment address</tspan></text>
|
||||
<rect
|
||||
ry="26.666662"
|
||||
y="644.01617"
|
||||
|
|
|
|||
|
Before Width: | Height: | Size: 57 KiB After Width: | Height: | Size: 57 KiB |
Binary file not shown.
|
|
@ -873,6 +873,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\activationHeight}{\term{activation block height}}
|
||||
\newcommand{\activationHeights}{\terms{activation block height}}
|
||||
\newcommand{\genesisBlock}{\term{genesis block}}
|
||||
\newcommand{\medianTimePast}{\term{median-time-past}}
|
||||
\newcommand{\transaction}{\term{transaction}}
|
||||
\newcommand{\transactions}{\terms{transaction}}
|
||||
\newcommand{\Transaction}{\titleterm{Transaction}}
|
||||
|
|
@ -1027,7 +1028,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\signatureSchemes}{\terms{signature scheme}}
|
||||
\newcommand{\oneTimeSignatureScheme}{\termandindex{one-time signature scheme}{one-time (signature scheme)}}
|
||||
\newcommand{\rerandomizableSignatureScheme}{\termandindex{signature scheme with re\hyp randomizable keys}{signature scheme with re-randomizable keys}}
|
||||
\newcommand{\keyHomomorphicSignatureScheme}{\term{signature scheme with key homomorphism}}
|
||||
\newcommand{\keyMonomorphicSignatureScheme}{\term{signature scheme with key monomorphism}}
|
||||
\newcommand{\sigNonmalleable}{\termandindex{nonmalleable}{nonmalleability (of signatures)}}
|
||||
\newcommand{\sigBatchEntries}{\termandindex{signature batch entries}{signature batch entry}}
|
||||
\newcommand{\xPRF}{\termandindex{PRF}{Pseudo Random Function}}
|
||||
|
|
@ -2205,7 +2206,7 @@ As in \Bitcoin, this is associated with a \privateKey that can be used to
|
|||
spend \notes sent to the address; in \Zcash this is called a \spendingKey.
|
||||
|
||||
To each \note there is cryptographically associated a \noteCommitment. Once the
|
||||
\transaction creating the \note has been mined, it is associated with a fixed
|
||||
\transaction creating a \note has been mined, the \note is associated with a fixed
|
||||
\notePosition in a tree of \noteCommitments, and with a \nullifier\footnoteref{notesandnullifiers}
|
||||
unique to that \note. Computing the \nullifier requires the associated private
|
||||
\spendingKey\sapling{ (or the \nullifierKey for \Sapling \notes)}.
|
||||
|
|
@ -3015,7 +3016,7 @@ for the whole \transaction to balance.
|
|||
|
||||
\vspace{-2ex}
|
||||
\begin{center}
|
||||
\includegraphics[scale=.35]{incremental_merkle}
|
||||
\includegraphics[scale=.4]{incremental_merkle}
|
||||
\end{center}
|
||||
\vspace{-2ex}
|
||||
%\sapling{\todo{The commitment indices in the above diagram should be zero-based to reflect the \notePosition{}.}}
|
||||
|
|
@ -3395,7 +3396,7 @@ $\SigVerify{\vk}(m, s) = 1$.
|
|||
The following security property is needed for $\JoinSplitSig$\sapling{ and $\BindingSig$}.
|
||||
\sapling{Security requirements for $\SpendAuthSig$ are defined in the next section,
|
||||
\crossref{abstractsigrerand}. An additional requirement for $\BindingSig$ is defined
|
||||
in \crossref{abstractsighom}.}
|
||||
in \crossref{abstractsigmono}.}
|
||||
} %notsprout
|
||||
|
||||
\vspace{-1ex}
|
||||
|
|
@ -3418,7 +3419,7 @@ pair without access to the signing key.
|
|||
$\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$, to support
|
||||
the key derivation in \crossref{saplingkeycomponents}. This also simplifies some
|
||||
aspects of the definitions of \signatureSchemes with additional features in
|
||||
\crossref{abstractsigrerand} and \crossref{abstractsighom}.
|
||||
\crossref{abstractsigrerand} and \crossref{abstractsigmono}.
|
||||
} %notsprout
|
||||
\item A fresh signature key pair is generated for each \transaction containing
|
||||
a \joinSplitDescription{}.
|
||||
|
|
@ -3533,9 +3534,9 @@ $(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
|
|||
|
||||
\sapling{
|
||||
\introlist
|
||||
\lsubsubsubsection{Signature with Private Key to Public Key Homomorphism}{abstractsighom}
|
||||
\lsubsubsubsection{Signature with Private Key to Public Key Monomorphism}{abstractsigmono}
|
||||
|
||||
A \defining{\keyHomomorphicSignatureScheme} $\Sig$ is a \signatureScheme that
|
||||
A \defining{\keyMonomorphicSignatureScheme} $\Sig$ is a \signatureScheme that
|
||||
additionally defines:
|
||||
|
||||
\begin{itemize}
|
||||
|
|
@ -3551,7 +3552,8 @@ additionally defines:
|
|||
such that for any $\sk_{\oneto{2}} \typecolon \SigPrivate$,
|
||||
$\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \SigDerivePublic(\sk_2)$.
|
||||
|
||||
In other words, $\SigDerivePublic$ is an injective homomorphism from the \privateKey group to the \publicKey group.
|
||||
In other words, $\SigDerivePublic$ is a monomorphism (that is, an injective homomorphism) from the
|
||||
\privateKey group to the \publicKey group.
|
||||
|
||||
\vspace{1ex}
|
||||
\introlist
|
||||
|
|
@ -4800,7 +4802,7 @@ be as defined in \crossref{concretevaluecommit}:
|
|||
|
||||
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
|
||||
These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and
|
||||
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}.
|
||||
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsigmono}.
|
||||
|
||||
\vspace{1.5ex}
|
||||
\introlist
|
||||
|
|
@ -6944,7 +6946,7 @@ The encoding of a \publicKey is as defined in \cite{BDLSY2012}.
|
|||
|
||||
$\RedDSA$ is a Schnorr-based \signatureScheme, optionally supporting key re-randomization
|
||||
as described in \crossref{abstractsigrerand}. It also supports a
|
||||
Secret Key to Public Key Homomorphism as described in \crossref{abstractsighom}.
|
||||
Secret Key to Public Key Monomorphism as described in \crossref{abstractsigmono}.
|
||||
It is based on a scheme from \cite[section 3]{FKMSSS2016}, with some ideas from
|
||||
EdDSA \cite{BJLSY2015}.
|
||||
|
||||
|
|
@ -7076,7 +7078,7 @@ properties, careful analysis of potential interactions is required.}
|
|||
|
||||
\vspace{3ex}
|
||||
\introlist
|
||||
The two abelian groups specified in \crossref{abstractsighom} are instantiated for $\RedDSA$
|
||||
The two abelian groups specified in \crossref{abstractsigmono} are instantiated for $\RedDSA$
|
||||
as follows:
|
||||
\begin{itemize}
|
||||
\item $\grpzero := 0 \pmod{\ParamG{r}}$
|
||||
|
|
@ -7086,7 +7088,7 @@ as follows:
|
|||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
As required, $\RedDSADerivePublic$ is a group homomorphism:
|
||||
As required, $\RedDSADerivePublic$ is a group monomorphism, since it is injective and:
|
||||
|
||||
\begin{tabular}{@{\hskip 1.5em}r@{\;}l}
|
||||
$\RedDSADerivePublic(\sk_1 \grpplus \sk_2)$
|
||||
|
|
@ -7147,8 +7149,8 @@ use of key re-randomization, and with generator $\GenG{} = \ValueCommitRandBase$
|
|||
See \crossref{bindingsig} for details on the use of this \signatureScheme.
|
||||
|
||||
\securityrequirement{
|
||||
$\BindingSig$ must be a SUF-CMA secure \keyHomomorphicSignatureScheme as defined in
|
||||
\crossref{abstractsighom}. A signature must prove knowledge of the discrete logarithm of
|
||||
$\BindingSig$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in
|
||||
\crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of
|
||||
the \publicKey with respect to the base $\ValueCommitRandBase$.
|
||||
} %securityrequirement
|
||||
} %sapling
|
||||
|
|
@ -9032,6 +9034,11 @@ the consensus protocol.
|
|||
Let $\ThresholdBits$ be as defined in \crossref{diffadjustment}, and let $\PoWMedianBlockSpan$
|
||||
be the constant defined in \crossref{constants}.
|
||||
|
||||
\defining{Define the \medianTimePast of a \block to be the median (as defined in \crossref{diffadjustment})
|
||||
of the $\nTimeField$ fields of the \emph{preceding} $\PoWMedianBlockSpan$ \blocks (or all
|
||||
preceding \blocks if there are fewer than $\PoWMedianBlockSpan$). The \medianTimePast of a
|
||||
\genesisBlock is not defined.}
|
||||
|
||||
\vspace{2ex}
|
||||
\begin{consensusrules}
|
||||
\item The \blockVersionNumber{} \MUST be greater than or equal to $4$.
|
||||
|
|
@ -9039,8 +9046,11 @@ be the constant defined in \crossref{constants}.
|
|||
$\ThresholdBits(\BlockHeight)$.
|
||||
\item The \block{} \MUST pass the difficulty filter defined in \crossref{difficulty}.
|
||||
\item $\solution$ \MUST represent a \validEquihashSolution as defined in \crossref{equihash}.
|
||||
\item $\nTimeField$ \MUST be strictly greater than the median time of the previous
|
||||
$\PoWMedianBlockSpan$ \blocks.
|
||||
\item For each \block other than the \genesisBlock, $\nTimeField$ \MUST be strictly greater
|
||||
than the \medianTimePast of that \block.
|
||||
\item For each \block at \blockHeight $2$ or greater on the production network, or \blockHeight
|
||||
$653606$ or greater on the test network, $\nTimeField$ \MUST be less than or equal to
|
||||
the \medianTimePast of that \block plus $90 \mult 60$ seconds.
|
||||
\item The size of a \block{} \MUST be less than or equal to $2000000$ bytes.
|
||||
\saplingonwarditem{$\hashFinalSaplingRoot$ \MUST be $\LEBStoOSPOf{256}{\rt}$ where
|
||||
$\rt$ is the \merkleRoot of the \Sapling{} \noteCommitmentTree for the final
|
||||
|
|
@ -9078,6 +9088,10 @@ rejected by this rule at a given point in time may later be accepted.
|
|||
the median of the timestamps of the past $\PoWMedianBlockSpan$ \blocks. The
|
||||
Bitcoin Developer Reference \cite{Bitcoin-Block} was previously in error on this point,
|
||||
but has now been corrected.
|
||||
\item The rule limiting $\nTimeField$ to be no later than $90 \mult 60$ seconds after the
|
||||
\medianTimePast is a retrospective consensus change, applied as a soft fork in
|
||||
\zcashd v2.1.1-1. It had not been violated by any \block from the given \blockHeights
|
||||
in the consensus \blockchains of either the production or test networks.
|
||||
\overwinter{
|
||||
\item There are no changes to the \blockVersionNumber or format for \Overwinter.
|
||||
}
|
||||
|
|
@ -10193,11 +10207,12 @@ Samantha Hulsey, Alex Balducci, Jake Tarren, Solar Designer, Ling Ren,
|
|||
John Tromp, Paige Peterson, Jack Gavigan, jl777, Alison Stevenson, Maureen Walsh,
|
||||
Filippo Valsorda, Zaki Manian, Tracy Hu, Brian Warner, Mary Maller,
|
||||
Michael Dixon, Andrew Poelstra, Eirik Ogilvie-Wigley, Benjamin Winston,
|
||||
Kobi Gurkan, Weikeng Chen, and no doubt others. We would also like to thank
|
||||
the designers and developers of \Bitcoin.
|
||||
Kobi Gurkan, Weikeng Chen, Henry de Valence, Deirdre Connolly, Chelsea Komlo,
|
||||
Zancas Wilcox, and no doubt others.
|
||||
We would also like to thank the designers and developers of \Bitcoin.
|
||||
|
||||
\Zcash has benefited from security audits performed by NCC Group, Coinspect,
|
||||
Least Authority, Mary Maller, Kudelski Security, and QED-it.
|
||||
Least Authority, Mary Maller, Kudelski Security, QED-it, and Trail of Bits.
|
||||
|
||||
The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis
|
||||
of variations on the attack was performed by Daira Hopwood and Sean Bowe.
|
||||
|
|
@ -10247,6 +10262,21 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\intropart
|
||||
\lsection{Change History}{changehistory}
|
||||
|
||||
\historyentry{2020.1.0}{2020-02-06}
|
||||
|
||||
\begin{itemize}
|
||||
\item Specify a retrospective soft fork implemented in \zcashd v2.1.1-1 that
|
||||
limits the $\nTimeField$ field of a \block relative to its \medianTimePast.
|
||||
\item Correct the definition of \medianTimePast for the first $\PoWMedianBlockSpan$
|
||||
\blocks in a \blockchain.
|
||||
\item Add acknowledgements to Henry de Valence, Deirdre Connolly, Chelsea Komlo,
|
||||
and Zancas Wilcox.
|
||||
\item Add an acknowledgement to Trail of Bits for their security audit.
|
||||
\item Change indices in the \incrementalMerkleTree diagram to be zero-based.
|
||||
\item Use the term \quotedterm{monomorphism} for an injective homomorphism, in
|
||||
the context of a \keyMonomorphicSignatureScheme.
|
||||
\end{itemize}
|
||||
|
||||
\historyentry{2019.0.9}{2019-12-27}
|
||||
|
||||
\begin{itemize}
|
||||
|
|
@ -13155,7 +13185,7 @@ the cost of batched verification is therefore
|
|||
\listtheorems{theorem,lemma}
|
||||
}
|
||||
|
||||
|
||||
\needspace{30ex}
|
||||
\phantompart{Index}{index}
|
||||
|
||||
\begin{flushleft}
|
||||
|
|
|
|||
Binary file not shown.
Binary file not shown.
Loading…
Reference in New Issue