diff --git a/.github/workflows/render.yml b/.github/workflows/render.yml index 34dd85ff..98c86a0e 100644 --- a/.github/workflows/render.yml +++ b/.github/workflows/render.yml @@ -13,7 +13,7 @@ jobs: - name: Compile Zcash Protocol Specification uses: ./.github/actions/render-protocol-pdf - - uses: EndBug/add-and-commit@v9.0.1 + - uses: EndBug/add-and-commit@v9.1.0 with: add: '**/*.pdf' default_author: github_actions diff --git a/Makefile b/Makefile index b3908f5b..a21a5fbf 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,4 @@ -# Dependencies: -# sudo apt-get install python3-pip pandoc perl sed -# sudo pip3 install rst2html5 +# Dependencies: see zip-guide.rst and protocol/README.rst .PHONY: all all-zips release protocol discard all-zips: .Makefile.uptodate diff --git a/README.rst b/README.rst index 00bed2ce..42a96219 100644 --- a/README.rst +++ b/README.rst @@ -133,6 +133,9 @@ Index of ZIPs 314 Privacy upgrades to the Zcash light client protocol Reserved 315 Best Practices for Wallet Handling of Multiple Pools Reserved 316 Unified Addresses and Unified Viewing Keys Final + 317 Proportional Transfer Fee Mechanism Reserved + 318 Associated Payload Encryption Reserved + 319 Options for Shielded Pool Retirement Reserved 321 Payment Request URIs Proposed 322 Generic Signed Message Format Reserved 323 Specification of getblocktemplate for Zcash Reserved diff --git a/index.html b/index.html index 7896973f..17df2089 100644 --- a/index.html +++ b/index.html @@ -107,6 +107,9 @@ 314 Privacy upgrades to the Zcash light client protocol Reserved 315 Best Practices for Wallet Handling of Multiple Pools Reserved 316 Unified Addresses and Unified Viewing Keys Final + 317 Proportional Transfer Fee Mechanism Reserved + 318 Associated Payload Encryption Reserved + 319 Options for Shielded Pool Retirement Reserved 321 Payment Request URIs Proposed 322 Generic Signed Message Format Reserved 323 Specification of getblocktemplate for Zcash Reserved diff --git a/protocol/Makefile b/protocol/Makefile index 9a4a8d9a..6acb659a 100644 --- a/protocol/Makefile +++ b/protocol/Makefile @@ -1,3 +1,5 @@ +# Dependencies: see zip-guide.rst and protocol/README.rst + SHELL=/bin/bash -eo pipefail # Experimental; options are pdflatex, lualatex, or xelatex. @@ -63,6 +65,7 @@ auxsapling: printf '\\toggletrue{issapling}\n\\renewcommand{\\docversion}{Version %s [\\SaplingSpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver mkdir -p aux rm -f aux/sapling.* + cp mymakeindex.sh aux $(LATEXMK) -jobname=sapling -auxdir=aux -outdir=aux $(EXTRAOPT) protocol $(NOCRUFT) .PHONY: sapling @@ -75,6 +78,7 @@ auxblossom: printf '\\toggletrue{isblossom}\n\\renewcommand{\\docversion}{Version %s [\\BlossomSpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver mkdir -p aux rm -f aux/blossom.* + cp mymakeindex.sh aux $(LATEXMK) -jobname=blossom -auxdir=aux -outdir=aux $(EXTRAOPT) protocol $(NOCRUFT) .PHONY: blossom @@ -87,6 +91,7 @@ auxheartwood: printf '\\toggletrue{isheartwood}\n\\renewcommand{\\docversion}{Version %s [\\HeartwoodSpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver mkdir -p aux rm -f aux/heartwood.* + cp mymakeindex.sh aux $(LATEXMK) -jobname=heartwood -auxdir=aux -outdir=aux $(EXTRAOPT) protocol $(NOCRUFT) .PHONY: heartwood @@ -99,6 +104,7 @@ auxcanopy: printf '\\toggletrue{iscanopy}\n\\renewcommand{\\docversion}{Version %s [\\CanopySpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver mkdir -p aux rm -f aux/canopy.* + cp mymakeindex.sh aux $(LATEXMK) -jobname=canopy -auxdir=aux -outdir=aux $(EXTRAOPT) protocol $(NOCRUFT) .PHONY: canopy @@ -111,6 +117,7 @@ auxnu5: printf '\\toggletrue{isnufive}\n\\renewcommand{\\docversion}{Version %s [\\NUFiveSpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver mkdir -p aux rm -f aux/nu5.* + cp mymakeindex.sh aux $(LATEXMK) -jobname=nu5 -auxdir=aux -outdir=aux $(EXTRAOPT) protocol $(NOCRUFT) .PHONY: nu5 diff --git a/protocol/README.rst b/protocol/README.rst index 42b3a7c1..96535392 100644 --- a/protocol/README.rst +++ b/protocol/README.rst @@ -6,8 +6,17 @@ Build dependencies on Debian-based systems include, at least: .. code:: - apt-get install texlive texlive-science texlive-fonts-extra \ - texlive-generic-recommended texlive-bibtex-extra biber latexmk perl awk + apt install python3-pip pandoc perl sed perl \ + texlive texlive-science texlive-fonts-extra texlive-bibtex-extra biber latexmk + +Prior to Bullseye you may also need the ``awk`` and ``texlive-generic-recommended`` +packages. + +For link checking, you will also need the following Python packages: + +.. code:: + + pip3 install docutils==0.19 rst2html5 certifi PyPDF2 Building @@ -23,8 +32,10 @@ Use: Sapling upgrades (``sapling.pdf``); * ``make sprout`` to make a version of the specification that does not include Overwinter or Sapling (``sprout.pdf``). +* ``make linkcheck`` (in the root of the repo) to build everything and also + perform link checking. This will access the network. -``make all`` is equivalent to ``make nufour heartwood blossom sapling sprout``. +``make all`` is equivalent to ``make nu5 canopy heartwood blossom sapling``. By default these use ``latexmk``. If you have trouble getting ``latexmk`` to work, you can instead use ``make nolatexmk-sapling``, etc. That is not the diff --git a/protocol/blossom.pdf b/protocol/blossom.pdf index 62898742..0373f07f 100644 Binary files a/protocol/blossom.pdf and b/protocol/blossom.pdf differ diff --git a/protocol/canopy.pdf b/protocol/canopy.pdf index 3491e83e..39576fed 100644 Binary files a/protocol/canopy.pdf and b/protocol/canopy.pdf differ diff --git a/protocol/heartwood.pdf b/protocol/heartwood.pdf index 0d4f3ebd..e1c76810 100644 Binary files a/protocol/heartwood.pdf and b/protocol/heartwood.pdf differ diff --git a/protocol/nu5.pdf b/protocol/nu5.pdf index 229c34bc..4fe7bfb3 100644 Binary files a/protocol/nu5.pdf and b/protocol/nu5.pdf differ diff --git a/protocol/protocol.pdf b/protocol/protocol.pdf index 229c34bc..4fe7bfb3 100644 Binary files a/protocol/protocol.pdf and b/protocol/protocol.pdf differ diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 22896696..d7a282a2 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1258,7 +1258,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\hexint}[1]{\mathtt{0x{#1}}} \newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}} \newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}} -\newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}} +\newcommand{\Justthebox}[2][-1.35ex]{\raisebox{#1}{\;\usebox{#2}\;}} \newcommand{\setof}[1]{\{{#1}\}} \newcommand{\bigsetof}[1]{\big\{{#1}\big\}} \newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)} @@ -3358,7 +3358,7 @@ consensus that it has activated with a given \activationBlock hash. A \fullValid that potentially risks \Mainnet funds or displays \Mainnet \transaction information to a user \MUST do so only for a \blockChain that includes the \activationBlock of the most recent \settled \networkUpgrade, with the corresponding \activationBlock hash. -Currently, there is social consensus that \Canopy has activated on the \Zcash \Mainnet +Currently, there is social consensus that \NUFive has activated on the \Zcash \Mainnet and \Testnet with the \activationBlock hashes given in \crossref{networks}. A \fullValidator \MAY impose a limit on the number of \blocks it will ``roll back'' when @@ -4765,6 +4765,7 @@ infeasible to find a new proof $\Proof{}$ where $\ZKVerify{\vk}(x, \Proof{}) = 1 \end{nnotes} \sapling{ +\vspace{-1ex} \introlist \Zcash uses \notnufive{two}\nufive{three} \provingSystems: \begin{itemize} @@ -4779,20 +4780,23 @@ infeasible to find a new proof $\Proof{}$ where $\ZKVerify{\vk}(x, \Proof{}) = 1 (\crossref{spendstatement}) and \outputStatement (\crossref{outputstatement}). It is also used to prove and verify the \joinSplitStatement after \Sapling activation. + \vspace{-0.5ex} \nufiveonwarditem{\HaloTwo (\crossref{halo2}) is used with the \vestaCurve (\crossref{pallasandvesta}) to prove and verify the \Orchard \actionStatement (\crossref{actionstatement}).} \end{itemize} +\vspace{-0.5ex} These specializations are: \begin{itemize} \item $\JoinSplit$ for the \Sprout \joinSplitStatement (with \BCTV and \BNPairing, or \Groth and \BLSPairing); - \item $\Spend$ for the \Sapling \spendStatement; - \item $\Output$ for the \Sapling \outputStatement\notnufive{.}\notbeforenufive{;} + \item $\Spend$ for the \Sapling \spendStatement and + $\Output$ for the \Sapling \outputStatement\notnufive{.}\notbeforenufive{;} \nufiveonwarditem{$\Action$ for the \Orchard \actionStatement.} \end{itemize} +\vspace{-0.5ex} We omit key subscripts on $\JoinSplitProve$ and $\JoinSplitVerify$, taking them to be either the \BCTV \provingKey and \verifyingKey defined in \crossref{bctvparameters}, or the @@ -4816,15 +4820,19 @@ parameter files. \lsubsection{Key Components}{keycomponents} +\vspace{-1ex} \lsubsubsection{\SproutText{} Key Components}{sproutkeycomponents} +\vspace{-0.6ex} Let $\AuthPrivateLength$ be as defined in \crossref{constants}. +\vspace{-0.2ex} Let $\PRFaddr{}$ be a \pseudoRandomFunction, instantiated in \crossref{concreteprfs}. +\vspace{-0.2ex} Let $\KA{Sprout}$ be a \keyAgreementScheme, instantiated in \crossref{concretesproutkeyagreement}. -\vspace{0.5ex} +\vspace{0.3ex} A new \Sprout \spendingKey $\AuthPrivate$ is generated by choosing a bit sequence uniformly at random from $\bitseq{\AuthPrivateLength}$. @@ -4832,7 +4840,7 @@ uniformly at random from $\bitseq{\AuthPrivateLength}$. $\AuthPublic$, $\TransmitPrivate$ and $\TransmitPublic$ are derived from $\AuthPrivate$ as follows: -\vspace{-0.5ex} +\vspace{-0.6ex} \begin{tabular}{@{\hskip 2em}r@{\;}l} $\AuthPublic$ &$:= \PRFaddr{\AuthPrivate}(0)$ \\ $\TransmitPrivate$ &$:= \KAFormatPrivate{Sprout}(\PRFaddr{\AuthPrivate}(1))$ \\ @@ -4841,73 +4849,87 @@ $\AuthPrivate$ as follows: \sapling{ +\vspace{-1.8ex} \lsubsubsection{\SaplingText{} Key Components}{saplingkeycomponents} +\vspace{-1ex} Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\InViewingKeyLength{Sapling}$, $\OutViewingKeyLength$, and $\DiversifierLength$ be as defined in \crossref{constants}. -\vspace{-0.5ex} +\vspace{-0.6ex} Let $\SubgroupJ$, $\SubgroupJstar$, $\SubgroupReprJ$, $\reprJ$, and $\ParamJ{r}$ be as defined in \crossref{jubjub}, and let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. +\vspace{-0.2ex} Let $\PRFexpand{}$ and $\PRFock{Sapling}{}$, instantiated in \crossref{concreteprfs}, be \pseudoRandomFunctions. +\vspace{-0.2ex} Let $\KA{Sapling}$, instantiated in \crossref{concretesaplingkeyagreement}, be a \keyAgreementScheme. +\vspace{-0.2ex} Let $\CRHivk$, instantiated in \crossref{concretecrhivk}, be a \hashFunction. +\vspace{-0.2ex} Let $\DiversifyHash{Sapling}$, instantiated in \crossref{concretediversifyhash}, be a \hashFunction. +\vspace{-0.2ex} Let $\SpendAuthSig{Sapling}$, instantiated in \crossref{concretespendauthsig}, be a \rerandomizableSignatureScheme. +\vspace{-0.2ex} Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ be as defined in \crossref{endian}. +\vspace{-0.2ex} Define $\AuthProveBaseSapling := \FindGroupJHash\Of{\ascii{Zcash\_H\_}, \ascii{}}$. +\vspace{-0.2ex} Define $\ToScalar{Sapling}(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$. \introlist A new \Sapling \spendingKey $\SpendingKey$ is generated by choosing a bit sequence uniformly at random from $\SpendingKeyType$. +\vspace{-0.2ex} From this \spendingKey, the \authSigningKey $\AuthSignPrivate \typecolon \GFstar{\ParamJ{r}}$, the \authProvingKey $\AuthProvePrivate \typecolon \GF{\ParamJ{r}}$, and the \outgoingViewingKey $\OutViewingKey \typecolon \OutViewingKeyType$ are derived as follows: -\vspace{-0.5ex} +\vspace{-0.6ex} \begin{tabular}{@{\hskip 1.7em}r@{\;}l} $\AuthSignPrivate$ &$:= \ToScalar{Sapling}\big(\PRFexpand{\SpendingKey}([0])\kern-0.1em\big)$ \\ $\AuthProvePrivate$ &$:= \ToScalar{Sapling}\big(\PRFexpand{\SpendingKey}([1])\kern-0.1em\big)$ \\ $\OutViewingKey$ &$:= \truncate{(\OutViewingKeyLength/8)}\big(\PRFexpand{\SpendingKey}([2])\kern-0.1em\big)$ \end{tabular} +\vspace{-0.4ex} If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$. -\vspace{1ex} \introlist +\vspace{-0.2ex} $\AuthSignPublic \typecolon \SubgroupJstar$, $\NullifierKey \typecolon \SubgroupJ$, and the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as: -\vspace{-0.5ex} +\vspace{-0.6ex} \begin{tabular}{@{\hskip 1.7em}r@{\;}l} $\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic{Sapling}(\AuthSignPrivate)$ \\ $\NullifierKey$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}$ \\ $\kern 0.26em\InViewingKey$ &$:= \CRHivk\big(\reprJ\Of{\AuthSignPublic}, \reprJ\Of{\NullifierKey}\kern-0.08em\big)$. \end{tabular} +\vspace{-0.4ex} If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$. +\introlist As explained in \crossref{addressesandkeys}, \Sapling allows the efficient creation of multiple \diversifiedPaymentAddresses with the same \spendingAuthority. A group of such addresses shares the same \fullViewingKey and \incomingViewingKey. -\introlist +\vspace{-0.2ex} To create a new \diversifiedPaymentAddress given an \incomingViewingKey $\InViewingKey$, repeatedly pick a \defining{\diversifier} $\Diversifier$ uniformly at random from $\DiversifierType$ until the \defining{\diversifiedBase} @@ -4947,6 +4969,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define: For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$; if this happens, discard the key and repeat with a different $\SpendingKey$. +\introlist \begin{pnotes} \vspace{-0.5ex} \item The protocol does not prevent using the \diversifier $\Diversifier$ to produce @@ -5193,7 +5216,7 @@ where \item $\vpubNew \typecolon \range{0}{\MAXMONEY}$ is the value that the \joinSplitTransfer inserts into the \transparentTxValuePool; \item $\rt{Sprout} \typecolon \MerkleHash{Sprout}$ is an \anchor, as defined in - \crossref{blockchain}, for the output \treestate of either + \crossref{transactions}, for the output \treestate of either a previous \block, or a previous \joinSplitTransfer in this \transaction. \item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is @@ -5271,7 +5294,7 @@ where \begin{itemize} \item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the input \note; \item $\rt{Sapling} \typecolon \MerkleHash{Sapling}$ is an \anchor, as defined in - \crossref{blockchain}, for the output \treestate of a previous \block; + \crossref{transactions}, for the output \treestate of a previous \block; \item $\nf \typecolon \PRFOutputNfSapling$ is the \nullifier for the input \note; \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Sapling}$ is a randomized \validatingKey that should be used to validate $\spendAuthSig$; @@ -5420,8 +5443,8 @@ where \item $\cvNet{} \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the input \note minus the value of the output \note; \vspace{-0.5ex} - \item $\rt{Orchard} \typecolon \MerkleHashOrchard$ is an \anchor (\crossref{blockchain}) for the - output \treestate of a previous \block; + \item $\rt{Orchard} \typecolon \MerkleHashOrchard$ is an \anchor, as defined in \crossref{transactions}, + for the output \treestate of a previous \block; \vspace{-0.25ex} \item $\nf \typecolon \range{0}{\ParamP{q}-1}$ is the \nullifier for the input \note; \vspace{-0.25ex} @@ -5690,7 +5713,6 @@ output-related fields of an \actionDescription. Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as specified in \crossref{abstractcommit}. \vspace{-0.25ex} -\introlist Let $\PRFexpand{}$ be as specified in \crossref{abstractprfs}. \vspace{-0.25ex} @@ -5709,6 +5731,7 @@ Let $\ExtractPbot$ be as defined in \crossref{concreteextractorpallas}. Let $\ItoLEOSP{}$ be as defined in \crossref{endian}. \vspace{0.5ex} +\introlist Let $\OutViewingKey$ be an \Orchard \outgoingViewingKey that is intended to be able to decrypt this payment. The considerations for choosing \outgoingViewingKeys are as described for \Sapling in \crossref{saplingsend}. @@ -5916,37 +5939,21 @@ Let $\ItoLEOSP{}$ be as defined in \crossref{endian}. The spend-related fields of an \actionDescription for a \dummy \Orchard input \note are constructed as follows: \begin{itemize} - \vspace{-0.2ex} \item Choose uniformly random $\SpendingKey \leftarrowR \SpendingKeyType$. - \vspace{-0.2ex} \item Generate a \fullViewingKey $(\AuthSignPublic, \NullifierKey, \CommitIvkRand)$ and a \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$ for $\SpendingKey$ as described in \crossref{orchardkeycomponents}. - \vspace{-0.2ex} \item Let $\Value = 0$. - \vspace{-0.2ex} - \item Choose uniformly random $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Orchard}()$. - \vspace{-0.2ex} \item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$. - \vspace{-0.2ex} \item Choose uniformly random $\NoteUniqueRandPoint \leftarrowR \GroupP$. - \vspace{-0.2ex} \item Let $\NoteUniqueRand = \ExtractP(\NoteUniqueRandPoint)$ and $\NoteUniqueRandBytes = \ItoLEOSPOf{256}{\NoteUniqueRand}$. - \vspace{-0.2ex} \item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([5] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$. - \vspace{-0.2ex} \item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$. - \vspace{-0.2ex} - \item Let $\cv = \ValueCommit{Orchard}{\ValueCommitRand}(\Value)$. - \vspace{-0.2ex} \item Let $\cm = \NoteCommit{Orchard}{\NoteCommitRand}\big(\reprP\Of{\DiversifiedTransmitBase}, \reprP\Of{\DiversifiedTransmitPublic}, \Value, \NoteUniqueRand, \NoteNullifierRand\big)$. - \vspace{-0.2ex} \item If $\cm = \bot$, repeat the above steps using a different $\NoteSeedBytes$. - \vspace{-0.2ex} \item Let $\nf = \DeriveNullifier{\NullifierKey}(\NoteUniqueRand, \NoteNullifierRand, \cm)$. - \vspace{-0.2ex} \item Construct a \dummy \merklePath $\TreePath{}$ for use in the \auxiliaryInput to the \actionStatement (this will not be checked, because $\Value = 0$). \end{itemize} @@ -6325,8 +6332,8 @@ In order to check for implementation faults, the signer \SHOULD also check that \vspace{-1ex} Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version 4 -\transaction\nufive{ or \cite{ZIP-244} as modified by \cite{ZIP-225} for a version 5 -\transaction}, not associated with an input, using the \sighashType $\SIGHASHALL$. +\transaction\nufive{ or \cite{ZIP-244} for a version 5 \transaction}, not associated with +an input, using the \sighashType $\SIGHASHALL$. A validator checks balance by validating that $\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$. @@ -6691,11 +6698,11 @@ All of the constituent \defining{\nullifiers} are also entered into the would have added a \nullifier to the \nullifierSet that already exists in the set (see \crossref{nullifierset}). -\vspace{2ex} +\vspace{1ex} In \Sprout, each \note has a $\NoteUniqueRand$ component. \sapling{ -\vspace{2ex} +\vspace{1ex} \introlist In \Sapling, each \defining{\positionedNote} has an associated $\NoteUniqueRand$ value which is computed from its \noteCommitment $\cm$ and \notePosition $\NotePosition$ @@ -6708,16 +6715,16 @@ as follows: $\MixingPedersenHash$ is defined in \crossref{concretemixinghash}. } %sapling -\vspace{2ex} +\vspace{1ex} \introlist Let $\PRFnf{Sprout}{}$\sapling{ and $\PRFnf{Sapling}{}$}\nufive{ and $\PRFnf{Orchard}{}$} be as instantiated in \crossref{concreteprfs}. -\vspace{2ex} +\vspace{1ex} For a \Sprout \note, the \nullifier is derived as $\PRFnf{Sprout}{\AuthPrivate}(\NoteUniqueRand)$, where $\AuthPrivate$ is the \spendingKey associated with the \note. -\vspace{2ex} +\vspace{1ex} \sapling{ For a \Sapling \note, the \nullifier is derived as $\PRFnf{Sapling}{\NullifierKeyRepr}(\NoteUniqueRandRepr)$, where $\NullifierKeyRepr$ @@ -6725,7 +6732,7 @@ is a representation of the \nullifierDerivingKey associated with the \note and $\NoteUniqueRandRepr = \reprJ(\NoteUniqueRand)$. } %sapling -\vspace{2ex} +\vspace{1ex} \nufive{ \introlist The derivation of \nullifiers for \Orchard \notes is a little more complicated. @@ -6909,7 +6916,7 @@ the prover knows an \auxiliaryInput: \vspace{-1ex} \begin{formulae} - \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Sapling}}{\MerkleDepth{Sapling}},\\ + \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Sapling}}{\MerkleDepth{Sapling}},\vspace{-0.4ex}\\ \hparen\NotePosition \typecolon \NotePositionType{Sapling},\vspace{0.4ex}\\ \hparen\DiversifiedTransmitBase \typecolon \GroupJ,\\ \hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\ @@ -6951,7 +6958,7 @@ $\nfOld{} = \PRFnf{Sapling}{\NullifierKeyRepr}(\NoteUniqueRandRepr)$ where \item $\NoteUniqueRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$. \end{formulae} -\vspace{-0.5ex} +\vspace{-1ex} \snarkcondition{Spend authority}{spendauthority} $\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic{Sapling}(\AuthSignRandomizer, \AuthSignPublic)$. @@ -7324,6 +7331,7 @@ Then to encrypt: \vspace{-3ex} The resulting \defining{\notesCiphertextSprout} is $(\EphemeralPublic, \TransmitCiphertext{\allNew})$. +\introlist \pnote{ It is technically possible to replace $\TransmitCiphertext{i}$ for a given \note with a random (and undecryptable) dummy ciphertext, relying instead on out-of-band @@ -7334,7 +7342,6 @@ further security considerations, for example of how to validate a \Sprout{} \note received out-of-band, which are not addressed in this document. } -\vspace{-2ex} \lsubsubsection{Decryption (\SproutText)}{sproutdecrypt} \vspace{-1ex} @@ -7399,13 +7406,12 @@ is defined as follows: contain the \transaction in which a \note was output. \end{pnotes} -\vspace{-0.25ex} See \crossref{inbandrationale} for further discussion of the security and engineering rationale behind this encryption scheme. \sapling{ -\vspace{-1ex} +\introsection \extralabel{saplinginband}{\lsubsection{In-band secret distribution (\SaplingAndOrchardText)}{saplingandorchardinband}} \vspace{-1ex} @@ -7423,7 +7429,6 @@ possession of the associated $\KA{Sapling}$\nufive{ or $\KA{Orchard}$} Unlike in \Sprout, each \SaplingOrOrchard \shieldedOutput is encrypted by a fresh \ephemeralPublicKey. \vspace{0.5ex} -\introlist For both encryption and decryption, \vspace{0.25ex} \begin{itemize} @@ -7494,29 +7499,24 @@ These are needed to derive the \defining{\outgoingCipherKey} $\OutCipherKey$ in \vspace{1ex} Then to encrypt: \begin{algorithm} -\vspace{-0.5ex} \item let $\TransmitPlaintext{}$ be the \rawEncoding of $\NotePlaintext{}$ - \vspace{-0.2ex} \item let $\EphemeralPublic = \KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)$ \item let $\ephemeralKey = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\EphemeralPublic}\kern 0.03em}$ - \vspace{-0.5ex} + \vspace{-0.25ex} \item let $\DHSecret{} = \KAAgree{}(\EphemeralPrivate, \DiversifiedTransmitPublic)$ \item let $\TransmitKey{} = \KDF{}(\DHSecret{}, \ephemeralKey)$ \item let $\TransmitCiphertext{} = \SymEncrypt{\TransmitKey{}}(\TransmitPlaintext{})$ \item if $\OutViewingKey = \bot$: - \vspace{-0.25ex} \item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellG{} + 256)/8}$ - \vspace{-0.25ex} \item else: - \vspace{-0.25ex} \item \tab let $\cvField = \LEBStoOSP{\ellG{}}\big(\reprG{}(\cv)\kern-0.12em\big)$ - \vspace{-0.75ex} + \vspace{-0.25ex} \item \tab let $\cmstarField = \LEBStoOSP{256}\big(\ExtractG(\cm)\kern-0.12em\big)$ - \vspace{-1ex} + \vspace{-0.25ex} \item \tab let $\OutCipherKey = \PRFock{}{\OutViewingKey}(\cvField, \cmstarField, \ephemeralKey)$ \vspace{0.25ex} \item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellG{} + 256}{\reprG{}(\DiversifiedTransmitPublic) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$ - \item \blank + \item \vspace{-2ex} \item let $\OutCiphertext = \SymEncrypt{\OutCipherKey}(\OutPlaintext)$ \end{algorithm} @@ -7536,29 +7536,25 @@ received out-of-band, which are not addressed in this document. \sapling{ -\vspace{-1.5ex} \extralabel{saplingdecryptivk}{\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{decryptivk}} -\vspace{-1.5ex} +\vspace{-1ex} Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$\notbeforenufive{ (in \Sapling)\nufive{ or $\InViewingKeyTypeOrchard$ (in \Orchard)}} be the recipient's $\KA{Sapling}$\nufive{ or $\KA{Orchard}$} \privateKey, as specified in \crossref{saplingkeycomponents}\nufive{ or in \crossref{orchardkeycomponents}}. -\vspace{-0.25ex} Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the \outputDescription{}. Let $\cmstarField$ be the $\cmuField$\nufive{ or $\cmxField$} field of the \outputDescription\nufive{ or \actionDescription respectively}. (This encodes the \affineCtEdwards $u$-coordinate\nufive{ or \affineSW $x$-coordinate} of the \noteCommitment, i.e.\ $\ExtractG(\cm)$.) \canopy{ -\vspace{-0.25ex} Let the constants $\CanopyActivationHeight$ and $\ZIPTwoOneTwoGracePeriod$ be as defined in \crossref{constants}. -\vspace{-0.25ex} Let $\BlockHeight$ be the \blockHeight of the \block containing this \transaction. } %canopy -\introlist +\introsection The recipient will attempt to decrypt the $\ephemeralKey$ and $\TransmitCiphertext{}$ components of the \noteCiphertext: \begin{algorithm} @@ -7607,34 +7603,34 @@ from $\TransmitPlaintext{}$ \item let $\DiversifiedTransmitPublic = \KADerivePublic{}(\InViewingKey, \DiversifiedTransmitBase)$ \vspace{-0.25ex} \item \notbeforenufive{for \Sapling,} let $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRand)$ -\nufive{ - \item for \Orchard: - \vspace{-0.3ex} - \item \tab let $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytesOpt)\kern-0.1em\big)$ \vspace{-0.2ex} - \item \tab let $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteUniqueRand, \NoteNullifierRand, \NoteCommitRand)$ - \item \blank +\nufive{ + \item for \Orchard, let $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteUniqueRand, \NoteNullifierRand, \NoteCommitRand)$ + where $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytesOpt)\kern-0.1em\big)$ + \vspace{-0.2ex} } %nufive \item let $\cmstar' = \NoteCommitment{}\Of{\NoteTuple{}}$ \vspace{-0.2ex} \nufive{ \item if (for \Orchard) $\cmstar' = \bot$, return $\bot$ - \vspace{-0.2ex} } %nufive \item if $\ItoLEOSP{256}\big(\ExtractG{}(\cmstar')\kern-0.1em\big) \neq \cmstarField$, return $\bot$ \vspace{-1ex} \item return $(\NoteTuple{}, \Memo)$. \end{algorithm} +\vspace{-1ex} \begin{pnotes} \item $\DiversifiedTransmitBase$ has already been computed when applying $\NoteCommitment{}$, and need not be computed again. + \vspace{-0.5ex} \item For \Sapling, as explained in the note in \crossref{jubjub}, $\abstJ$ accepts \nonCanonicalPoint compressed encodings of \jubjubCurve points. Therefore, an implementation \MUST use the original $\ephemeralKey$ field as encoded in the \transaction as input to $\KDF{Sapling}$\canopy{, and (if \Canopy is active and $\NotePlaintextLeadByte \neq \hexint{01}$) in the comparison against $\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.1em\big)$}. \nufive{For consistency this is also what is specified for \Orchard.} + \vspace{-0.5ex} \item Normally only \noteCiphertextsSapling of \transactions in \blocks need to be decrypted. In that case, any received \Sapling \note is necessarily a \positionedNote, so its $\NoteUniqueRand$ value can immediately be calculated per \crossref{commitmentsandnullifiers}. @@ -7642,12 +7638,15 @@ from $\TransmitPlaintext{}$ the \nullifierDerivingKey $\NullifierKey$; the coin is unspent if and only if the \nullifier computed as in \shortcrossref{commitmentsandnullifiers} is not in the \nullifierSet for that \blockChain. + \vspace{-0.5ex} \item A \note can change from being unspent to spent as a node's view of the \bestValidBlockChain is extended by new \transactions. Also, \blockChainReorganizations can cause a node to switch to a different \bestValidBlockChain that does not contain the \transaction in which a \note was output. + \vspace{-0.5ex} \item A client \MAY attempt to decrypt a \noteCiphertextSapling of a \transaction in the \mempool\canopy{, using the next \blockHeight for $\BlockHeight$}. However, in that case it \MUSTNOT assume that the \transaction will be mined and \MUST treat the decrypted information as provisional, and private. + \vspace{-0.5ex} \nufiveonwarditem{It is a consensus rule (in \crossref{actiondesc}) that each \actionDescription field \MUST be a valid encoding of its declared type, which in the case of $\ephemeralKey$ is $\KAPublic{Orchard}$ (i.e.\ $\GroupPstar$), and therefore $\EphemeralPublic$ cannot be $\ZeroP$.} @@ -7655,8 +7654,10 @@ from $\TransmitPlaintext{}$ } %sapling \sapling{ +\vspace{-2.5ex} \extralabel{saplingdecryptovk}{\lsubsubsection{Decryption using a Full Viewing Key (\SaplingAndOrchardText)}{decryptovk}} +\vspace{-1ex} Let $\OutViewingKey \typecolon \OutViewingKeyType$ be the \outgoingViewingKey, as specified in \crossref{saplingkeycomponents}\nufive{ or \crossref{orchardkeycomponents}}, that is to be used for decryption. @@ -7684,19 +7685,18 @@ For an \Orchard \noteCiphertextOrchard, let $\cvField$ and $\cmstarField$ be the fields of the \actionDescription. } %nufive -\notbeforenufive{\pagebreak} \vspace{0.25ex} The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as follows: \introlist -\vspace{-1.25ex} +\vspace{-1ex} \begin{algorithm} \item let $\OutCipherKey = \PRFock{}{\OutViewingKey}(\cvField, \cmstarField, \ephemeralKey)$ \vspace{-0.4ex} \item let $\OutPlaintext = \SymDecrypt{\OutCipherKey}(\OutCiphertext)$ - \vspace{-0.5ex} + \vspace{-0.4ex} \item if $\OutPlaintext = \bot$, return $\bot$ - \vspace{-0.6ex} + \vspace{-0.4ex} \item extract $(\DiversifiedTransmitPublicRepr \typecolon \ReprG{}, \EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$ \item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$ @@ -7710,9 +7710,9 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo \item let $\TransmitKey{} = \KDF{}(\DHSecret{}, \ephemeralKey)$ \vspace{-0.3ex} \item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$ - \vspace{-0.6ex} + \vspace{-0.4ex} \item if $\TransmitPlaintext{} = \bot$, return $\bot$ - \vspace{-0.6ex} + \vspace{-0.4ex} \item extract $\NotePlaintext{} = (\NotePlaintextLeadByte \typecolon \byte, \Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType, \NoteCommitRandBytesOrSeedBytes \typecolon \NoteSeedBytesType, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$ @@ -7734,25 +7734,23 @@ from $\TransmitPlaintext{}$ \end{cases}$} \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ and $\DiversifiedTransmitBase = \DiversifyHash{}(\Diversifier)$ - \vspace{-0.6ex} + \vspace{-0.4ex} \item if $\NoteCommitRand \geq \ParamG{r}$ or\notbeforenufive{ (for \Sapling)} $\DiversifiedTransmitBase = \bot$ or $\DiversifiedTransmitPublic \not\in \SubgroupJ$, return $\bot$ \item \notbeforenufive{for \Sapling,} let $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRand)$ + \vspace{-0.2ex} \nufive{ - \item for \Orchard: - \vspace{-0.4ex} - \item \tab let $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytesOpt)\kern-0.1em\big)$ - \vspace{-0.4ex} - \item \tab let $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteUniqueRand, \NoteNullifierRand, \NoteCommitRand)$ - \item \vspace{-3.5ex} + \item for \Orchard, let $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteUniqueRand, \NoteNullifierRand, \NoteCommitRand)$ + where $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytesOpt)\kern-0.1em\big)$ + \vspace{-0.2ex} } %nufive \item let $\cmstar' = \NoteCommitment{}\Of{\NoteTuple{}}$ - \vspace{-0.4ex} + \vspace{-0.2ex} \nufive{ \item if (for \Orchard) $\cmstar' = \bot$, return $\bot$ - \vspace{-0.4ex} + \vspace{-0.2ex} } %nufive \item if $\ItoLEOSP{256}\big(\ExtractG{}(\cmstar')\kern-0.1em\big) \neq \cmstarField$, return $\bot$ - \vspace{-1ex} + \vspace{-0.8ex} \item if $\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$, return $\bot$ \vspace{-0.4ex} @@ -7808,8 +7806,7 @@ and \crossref{decryptivk}\notcanopy{.}\canopy{, especially:\!\! } %sapling -\vspace{-1.5ex} -\intropart +\needspace{100ex} \lsubsection{Block Chain Scanning (\SproutText)}{sproutscan} \vspace{-1ex} @@ -7847,7 +7844,7 @@ to obtain each \note sent to the corresponding \shieldedPaymentAddress, its \mem \vspace{-0.5ex} \item \tab \tab \tab Attempt to decrypt the \notesCiphertextSprout component $(\EphemeralPublic, \TransmitCiphertext{i})$ using $\InViewingKey$ with the - \vspace{-1.2ex} + \vspace{-1ex} \item \tab \tab \tab algorithm in \crossref{sproutdecrypt}. If this succeeds with $(\NoteTuple{}, \Memo)$: \item \tab \tab \tab \tab Add $(\NoteTuple{}, \Memo)$ to $\ReceivedSet$. \item \tab \tab \tab \tab Calculate the nullifier $\nf$ of $\NoteTuple{}$ using $\AuthPrivate$ @@ -7897,11 +7894,11 @@ status (spent or unspent). \item for each \transaction $\tx$: \item \tab for each \outputDescription\nufive{ or \actionDescription} in $\tx$: \item \tab \tab Attempt to decrypt the \noteCiphertextSapling components - $\EphemeralPublic$ and $\TransmitCiphertext{}$ using $\InViewingKey$ with the algorithm\vspace{-1.2ex}% - \item \tab \tab \crossref{decryptivk}. If this succeeds \notbeforenufive{\vspace{-1.2ex}\item \tab \tab }with $(\NoteTuple{}, \Memo)$: + $\EphemeralPublic$ and $\TransmitCiphertext{}$ using $\InViewingKey$ with the algorithm\vspace{-1ex}% + \item \tab \tab \crossref{decryptivk}. If this succeeds \notbeforenufive{\vspace{-1ex}\item \tab \tab }with $(\NoteTuple{}, \Memo)$: \item \tab \tab \tab Add $(\NoteTuple{}, \Memo)$ to $\ReceivedSet$. \item \tab \tab \tab Calculate the nullifier $\nf$ of $\NoteTuple{}$ using $\NullifierKey$ - as described in \crossref{notes}. (This also requires $\NotePosition$\vspace{-1.2ex} + as described in \crossref{notes}. (This also requires $\NotePosition$\vspace{-1ex} \item \tab \tab \tab from the \outputDescription\notbeforenufive{ for \Sapling \notes}.) \item \tab \tab \tab Add the mapping $\nf \rightarrow \NoteTuple{}$ to $\NullifierMap$. \item \blank @@ -8178,7 +8175,7 @@ which instantiates $\SpendAuthSig{Sapling}$ and $\BindingSig{Sapling}$.} \item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$ \end{formulae} -\vspace{-1ex} +\vspace{-1.5ex} \pnote{ $\BlakeTwob{\ell}$ is not the same as $\BlakeTwob{512}$ truncated to $\ell$ bits, because the digest length is encoded in the parameter @@ -8200,7 +8197,7 @@ and $\GroupJHash{}$. } %sapling -\vspace{-2ex} +\vspace{-2.5ex} \introsection \lsubsubsubsection{Merkle Tree Hash Function}{merklecrh} @@ -8220,6 +8217,7 @@ respectively. \vspace{-2ex} \lsubsubsubsubsection{$\MerkleCRH{Sprout}$ Hash Function}{sproutmerklecrh} +\vspace{-2ex} $\MerkleCRH{Sprout} \typecolon \MerkleLayer{Sprout} \times \MerkleHash{Sprout} \times \MerkleHash{Sprout} \rightarrow \MerkleHash{Sprout}$ is defined as follows: @@ -8236,6 +8234,7 @@ $\SHACompress$ is defined in \crossref{concretesha256}. such that $\SHACompress(x) = \zeros{256}$. } +\vspace{-0.5ex} \begin{pnotes} \item The $\layerInput$ argument does not affect the output. \item \shaCompress is not the same as the \shaHash function, which hashes arbitrary-length @@ -8246,7 +8245,7 @@ such that $\SHACompress(x) = \zeros{256}$. \vspace{-2ex} \lsubsubsubsubsection{$\MerkleCRH{Sapling}$ Hash Function}{saplingmerklecrh} -\vspace{-2ex} +\vspace{-1ex} Let $\PedersenHash$ be as specified in \crossref{concretepedersenhash}. $\MerkleCRH{Sapling} \typecolon \MerkleLayer{Sapling} \times \MerkleHash{Sapling} \times \MerkleHash{Sapling} @@ -8258,10 +8257,10 @@ $\MerkleCRH{Sapling} \typecolon \MerkleLayer{Sapling} \times \MerkleHash{Sapling \item where $\layerRepr = \ItoLEBSP{6}\big(\MerkleDepth{Sapling} - 1 - \layerInput\big)$. \end{formulae} -\vspace{-2ex} +\vspace{-2.5ex} \securityrequirement{$\PedersenHash$ must be \collisionResistant\!.} -\vspace{1ex} +\introlist \pnote{The prefix $\layerRepr$ provides domain separation between inputs at different layers of the \noteCommitmentTree. $\NoteCommitAlg{Sapling}$, like $\PedersenHash$, is defined in terms of $\PedersenHashToPoint$, but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.} @@ -8369,7 +8368,7 @@ where \end{formulae} \vspace{1ex} -$\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. +$\BlakeTwosOf{256}{p, x}$ is defined in \crossref{concreteblake2}. \vspace{-1ex} \securityrequirement{ @@ -8527,7 +8526,7 @@ $\PedersenHash$ is an algebraic \hashFunction with \collisionResistance (for fixed input length) derived from assumed hardness of the \xDiscreteLogarithmProblem on the \jubjubCurve. It is based on the work of David Chaum, Ivan Damgård, Jeroen van de Graaf, -Jurjen Bos, George Purdy, Eugène van Heijst and Birgit Pfitzmann in +Jurgen Bos, George Purdy, Eugène van Heijst and Birgit Pfitzmann in \cite{CDvdG1987}, \cite{BCP1988} and \cite{CvHP1991}, and of Mihir Bellare, Oded Goldreich, and Shafi Goldwasser in \cite{BGG1995}, with optimizations for efficient instantiation in \zkSNARKCircuits @@ -8689,14 +8688,14 @@ The function must be \collisionResistant on $(r, M, x)$. } -\vspace{1.5ex} +\vspace{2ex} See \crossref{cctmixinghash} for efficient circuit implementation of this function. } %sapling \nufive{ \introlist -\vspace{-2ex} +\vspace{-1ex} \lsubsubsubsection{Sinsemilla Hash Function}{concretesinsemillahash} \vspace{-2ex} @@ -8978,6 +8977,7 @@ inside a circuit. \introlist \lsubsubsubsection{\PoseidonHashText{} Function}{poseidonhash} +\vspace{-1ex} $\Poseidon$ is a cryptographic permutation described in \cite{GKRRS2019}. It operates over a sequence of finite field elements, which we instantiate as $\typeexp{\GF{\ParamP{q}}}{3}$. @@ -9006,6 +9006,7 @@ is specified as: \item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing). \end{formulae} +\vspace{-1ex} The MDS matrix and round constants are generated by \texttt{generate\_parameters\_grain.sage} in Version 1.1 of the reference implementation. The number of full and partial rounds are as calculated by \texttt{calc\_round\_numbers.py} in that implementation, for a $128$-bit security level @@ -9556,7 +9557,6 @@ Define $\KAAgree{Orchard}(\sk, P) := \scalarmult{\sk}{P}$. \end{bytefield} \end{lrbox} -\introsection \nufive{ \lsubsubsubsection{\OrchardText{} Key Derivation}{concreteorchardkdf} @@ -9580,7 +9580,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. } %nufive -\vspace{-1ex} +\introsection \extralabel{concretejssig}{\lsubsubsection{\EdSpecificText}{concreteed25519}} \EdSpecific is a \signatureScheme as specified in \crossref{abstractsig}. @@ -10011,7 +10011,6 @@ $\ValueCommitRandBase{Orchard}$}. \introlist -\vspace{-2ex} \lsubsubsection{Commitment schemes}{concretecommit} \vspace{-1ex} @@ -10057,6 +10056,7 @@ instantiated using \shaHash as follows: \sapling{ +\vspace{-2ex} \introsection \extralabel{concretesaplingnotecommit}{\lsubsubsubsection{Windowed Pedersen commitments}{concretewindowedcommit}} @@ -10888,7 +10888,6 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon \nufive{ -\vspace{-2ex} \lsubsubsubsection{\PallasAndVestaText}{pallasandvesta} \vspace{-1ex} @@ -11019,7 +11018,6 @@ can only be $0$ when $P = \ZeroP$.} } %nufive \nufive{ -\vspace{-2ex} \lsubsubsubsection{Group Hash into \PallasAndVestaText}{concretegrouphashpallasandvesta} \vspace{-1ex} @@ -11138,9 +11136,7 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type \item return $[\,\BEOStoIPOf{512}{b_1}\! \pmod{\ParamG{q}},\, \BEOStoIPOf{512}{b_2}\! \pmod{\ParamG{q}}\,]$. \end{algorithm} -\vspace{-1ex} \begin{nnotes} - \vspace{-0.25ex} \item This algorithm is intended to correspond to $\hashtofield(\msg, 2)$ defined in \cite[section 5.3]{ID-hashtocurve}, using as its $\expandmessage$ parameter the function $\XMDBlakeTwob$ corresponding to $\expandmessagexmd$ defined in @@ -11149,7 +11145,6 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type $\binbytes = 64$ and $\rinbytes = 128$, and we specialize to $\leninbytes = 128$ since that is the only case we need. In the event of any discrepancy or change to the Internet Draft, the definition here takes precedence. - \vspace{-0.25ex} \item The ``security level'' $k$ in the Internet Draft is taken to be $256$. Although this is greater than the conjectured $126$-bit security of the \pallasCurve against generic (e.g.\ Pollard rho) attacks \cite{Hopwood2020}, this design choice is @@ -11157,14 +11152,11 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type from a hash output in the \Orchard protocol, such as $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ defined in \crossref{orchardkeycomponents}, and $\RedDSAHashToScalar$ defined in \crossref{concretereddsa}. - \vspace{-0.25ex} \item Unlike other uses of $\BlakeTwobGeneric$ in \Zcash, zero bytes are used for the $\BlakeTwobGeneric$ personalization, in order to follow the Internet Draft which encodes $\DST$ in the hash inputs instead. - \vspace{-0.25ex} \item The conversion from bytes to field elements uses big-endian order, again in order to follow the Internet Draft\rlap{.} - \vspace{-0.25ex} \item A minor optimization is to cache the state of the $\BlakeTwob{512}$ instance used to compute $b_0$ after processing $\zerobytes{128}$, since this state does not depend on the message. @@ -11180,7 +11172,6 @@ Define $\sqrtratioG(\num, \xdiv) \typecolon \GF{\ParamG{q}} \times \GFstar{\Para \,\big(\,\optsqrt{\ParamG{\lambda} \mult \num / \xdiv}, &\!\!\!\!0\big), \text{ otherwise.} \end{cases}$ \end{formulae} -\vspace{-1ex} \begin{nnotes} \item An arbitrary square root may be chosen in either case of the definition. The result is never $\bot$. \item The choice of the nonsquare $\ParamG{\lambda}$ is also arbitrary and will not affect the output @@ -11197,8 +11188,7 @@ square root may be chosen.}} By definition we have that $\CurveG{}$ is the \swCurve with equation $y^2 = x^3 + \ParamG{b}$, and $\CurveIsoG$ is the \swCurve with equation $y^2 = x^3 + \ParamIsoG{a} \mult x + \ParamIsoG{b}$. -\introlist -\vspace{1ex} +\introsection Define $\maptocurvesimpleswuIsoG(u \typecolon \GF{\ParamG{q}}) \rightarrow \GroupIsoG$ as follows: \vspace{-0.5ex} \begin{algorithm} @@ -11259,6 +11249,7 @@ is calculated as follows: $\big(\mathsf{x}_\num \mult \mathsf{x}_\xdiv : \mathsf{y} \mult \mathsf{x}_\xdiv^3 : \mathsf{x}_\xdiv\big)$. \end{nnotes} +\vspace{-2ex} \pnote{ The uses of $\GroupPHash$ for $\DiversifyHash{Orchard}$, and of both $\GroupPHash$ and $\GroupVHash$ to generate independent bases, need a \randomOracle. The $\hashtocurve$ algorithm @@ -11273,8 +11264,10 @@ verified proof in \cite{BGHOZ2013}. \lsubsubsection{Zero-Knowledge Proving Systems}{concretezk} +\vspace{-0.5ex} \lsubsubsubsection{\BCTVText}{bctv} +\vspace{-1.5ex} \sapling{Before \Sapling activation,} \Zcash uses \zkSNARKs generated by a fork of \libsnark \cite{Zcash-libsnark} with the \defining{\BCTV} \provingSystem described in \cite{BCTV2014a}, which is a modification of @@ -11337,6 +11330,7 @@ Since the most recent \settled \networkUpgrade is after the \Sapling \networkUpg this mitigates the potential risks due to skipping \BCTV proof verification.} \introlist +\vspace{-1ex} \lsubsubsubsubsection{Encoding of \BCTVText{} Proofs}{bctvencoding} \newsavebox{\bctvbox} @@ -11353,6 +11347,7 @@ this mitigates the potential risks due to skipping \BCTV proof verification.} \end{bytefield} \end{lrbox} +\vspace{-1ex} A \BCTV proof is encoded by concatenating the encodings of its elements; for the \BNPairing pairing this is: @@ -11360,19 +11355,22 @@ for the \BNPairing pairing this is: \item $\Justthebox{\bctvbox}$ \end{formulae} +\vspace{-0.5ex} The resulting proof size is $296$ bytes. -\vspace{0.8ex} -\introlist +\vspace{0.5ex} In addition to the steps to verify a proof given in \cite[Appendix B]{BCTV2014a}, the verifier \MUST check, for the encoding of each element, that: \begin{itemize} + \vspace{-0.5ex} \item the lead byte is of the required form; + \vspace{-0.5ex} \item the remaining bytes encode a big-endian representation of an integer in - $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) + $\range{0}{\ParamS{q}\!-\!1}$ or (for $\Proof{B}$) $\range{0}{\ParamSexp{q}{2}\!-\!1}$; - \item the encoding represents a point in $\SubgroupGstar{1}$ or (in the case of + \vspace{-0.5ex} + \item the encoding represents a point in $\SubgroupGstar{1}$ or (for $\Proof{B}$) $\SubgroupGstar{2}$, including checking that it is of order $\ParamG{r}$ in the latter case. \end{itemize} @@ -11389,8 +11387,10 @@ verifier \MUST check, for the encoding of each element, that: \end{lrbox} \sapling{ +\vspace{-2ex} \lsubsubsubsection{\GrothText}{groth} +\vspace{-1ex} After \Sapling activation, \Zcash uses \zkSNARKs with the \defining{\Groth} \provingSystem described in \cite{BGM2017}, which is a modification of the system in \cite{Groth2016}. An independent security proof of this system and its setup is given in \cite{Maller2018}. @@ -11422,6 +11422,7 @@ library used by \Zcash, to ensure compatibility. \introlist \lsubsubsubsubsection{Encoding of \GrothText{} Proofs}{grothencoding} +\vspace{-1ex} A \Groth proof is encoded by concatenating the encodings of its elements; for the \BLSPairing pairing this is: @@ -11431,16 +11432,19 @@ for the \BLSPairing pairing this is: The resulting proof size is $192$ bytes. -\vspace{0.8ex} +\vspace{0.5ex} \introlist In addition to the steps to verify a proof given in \cite{Groth2016}, the verifier \MUST check, for the encoding of each element, that: \begin{itemize} + \vspace{-0.5ex} \item the leading bitfield is of the required form; + \vspace{-0.5ex} \item the remaining bits encode a big-endian representation of an integer in $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) two integers in that range; + \vspace{-0.5ex} \item the encoding represents a point in $\SubgroupSstar{1}$ or (in the case of $\Proof{B}$) $\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$ in each case. @@ -11452,12 +11456,14 @@ verifier \MUST check, for the encoding of each element, that: \vspace{-2ex} \lsubsubsubsection{\HaloTwoText}{halo2} +\vspace{-1ex} For \Orchard \actionDescriptions in version 5 \transactions, \Zcash uses \zkSNARKs with the \defining{\HaloTwo} \provingSystem described in \cite{Zcash-halo2}. \introlist \lsubsubsubsubsection{Encoding of \HaloTwoText{} Proofs}{halo2encoding} +\vspace{-1ex} \HaloTwo proofs are defined as byte sequences, and so the encoding is the proof itself. } %nufive @@ -11583,8 +11589,10 @@ rather than \Bech. \vspace{1ex} \xPaymentAddresses \MAY be encoded as QR codes; in this case, the \RECOMMENDED format -for a \Sapling\nufive{ or unified} \paymentAddress is the \Bech\nufive{ or \Bechm} -form converted to uppercase, using the Alphanumeric mode \cite[sections 7.3.4 and 7.4.4]{ISO2015}. +for a \Sapling \paymentAddress is the \Bech form converted to uppercase, using the +Alphanumeric mode \cite[sections 7.3.4 and 7.4.4]{ISO2015}. +\nufive{Similarly, the \RECOMMENDED format for a unified \paymentAddress is the \Bechm +form converted to uppercase, using the Alphanumeric mode.} } %sapling @@ -13573,15 +13581,16 @@ and $\FoundersFraction$ be as defined in \crossref{constants}. \canopy{\,- \ssum{\fs\, \in\, \FundingStreams}{} \fsValue(\BlockHeight)}$. \end{formulae} -\introsection + +\vspace{-2ex} \lsubsection{Payment of Founders' Reward}{foundersreward} +\vspace{-1ex} The \foundersReward is paid by a \transparentOutput in the \coinbaseTransaction, to one of $\NumFounderAddresses$ \transparentAddresses, depending on the \blockHeight. \renewcommand{\arraystretch}{1} -\vspace{1ex} For \Mainnet, $\FounderAddressList_{\oneto{\NumFounderAddresses}}$ is: \scalebox{0.95}{ @@ -14563,7 +14572,7 @@ The authors would like to thank everyone with whom they have discussed the includes Mike Perry, isis agora lovecruft, Leif Ryge, Andrew Miller, Ben Blaxill, Samantha Hulsey, Alex Balducci, Jake Tarren, Solar Designer, Ling Ren, John Tromp, Paige Peterson, jl777, Alison Stevenson, Maureen Walsh, -Filippo Valsorda, Zaki Manian, Tracy Hu, Brian Warner, Mary Maller, +Filippo Valsorda, Zaki Manian, Kexin Hu, Brian Warner, Mary Maller, Michael Dixon, Andrew Poelstra, Benjamin Winston, Josh Cincinnati, Kobi Gurkan, Weikeng Chen, Henry de Valence, Deirdre Connolly, Chelsea Komlo, Zancas Wilcox, Jane Lusby, Teor, Izaak Meckler, Zac Williamson, Vitalik Buterin, @@ -14641,6 +14650,57 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \intropart \lsection{Change History}{changehistory} +\historyentry{2022.3.8}{2022-09-15} + +\begin{itemize} + \item Correct Jurgen Bos' name. +\end{itemize} + + +\historyentry{2022.3.7}{2022-09-10} + +\begin{itemize} +\nufive{ + \item Remove a now-unused sampling of $\ValueCommitRand$ in \crossref{orcharddummynotes}. +} %nufive + \item Specify in \crossref{blockchain} that \NUFive is the most recent settled \networkUpgrade. +\end{itemize} + + +\historyentry{2022.3.6}{2022-09-01} + +\begin{itemize} + \item Correct Kexin Hu's name. + \item Correct cross-references for the definition of an \anchor. +\nufive{ + \item Remove a calculation of $\cv$ in \crossref{orcharddummynotes} that is + not applicable to \Orchard (since $\cv$ for an \actionDescription + depends on both the spent and output \notes). + \item Clarify that the recommended format for a QR code starts with a \Bech + encoding for a \Sapling \paymentAddress and with a \Bechm encoding for + a \unifiedPaymentAddress. +} %nufive + \item Replace ResearchGate links for \cite{CDvdG1987}\notbeforenufive{ and \cite{BDPA2007}} + with alternatives that do not cause false-positive link checker errors. + \item In \texttt{protocol/README.rst}: update the build dependency documentation + for Debian Bullseye, mention the ``\texttt{make linkcheck}'' target, and + correct the description of ``\texttt{make all}''. + \item Update the \Makefile to build correctly with newer versions of \texttt{latexmk}. +\end{itemize} + + +\historyentry{2022.3.5}{2022-08-02} +\begin{itemize} +\nufive{ + \item ZIP 244 is not modified by ZIP 225. +} %nufive +\sapling{ + \item \crossref{concretecrhivk} incorrectly cross-referenced $\BlakeTwob{256}$ rather than $\BlakeTwos{256}$. + The actual specification was correct. +} %sapling +\end{itemize} + + \historyentry{2022.3.4}{2022-06-22} \begin{itemize} \canopy{ @@ -16329,7 +16389,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \begin{itemize} \item Split the descriptions of \shaHash and \shaCompress\sapling{, and of $\BlakeTwoGeneric$,} into their own sections. Specify \shaCompress more precisely. - \item Add Tracy Hu to acknowledgements\sapling{ (for the idea of explicitly + \item Add Kexin Hu to acknowledgements\sapling{ (for the idea of explicitly encoding the root of the \Sapling \noteCommitmentTree in \blockHeaders)}. \item Move bit/byte/integer conversion primitives into \crossref{endian}. \sapling{ @@ -17541,7 +17601,7 @@ None of these costs include the cost of boolean-constraining the scalar. fixed-base scalar multiplication in the \spendCircuit and two in the \outputCircuit\footnote{A \xPedersenCommitment uses fixed-base scalar multiplication as a subcomponent.}, the additional complexity was not considered justified for \Sapling. - \vspace{-0.25ex} + \vspace{-0.5ex} \item For the multiplications with $64$-bit and $32$-bit scalars, the scalar is padded to a multiple of $3$ bits with zeros. This causes the computation of $s\suband$ in the lookup for the most significant window to be optimized out, @@ -17562,21 +17622,27 @@ cannot be used. Instead we use a naïve double-and-add method. Given $k = \ssum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: \begin{algorithm} + \vspace{-0.4ex} \item // $\Base_i = \scalarmult{2^i}{B}$ + \vspace{-0.2ex} \item let $\Base_0 = B$ + \vspace{-0.2ex} \item let $\Acc^u_0 = k_0 \bchoose \Base^u_0 : 0$ + \vspace{-0.2ex} \item let $\Acc^{\spv}_0\hairspace = k_0 \bchoose \Base^{\spv}_0 : 1$ - \vspace{1ex} + \vspace{0.8ex} \item for $i$ from $1$ up to $250$: - \vspace{-0.25ex} + \vspace{-0.4ex} \item \tab let $\Base_i = \scalarmult{2}{\Base_{i-1}}$ - \vspace{0.5ex} + \vspace{0.4ex} \item \tab // select $\Base_i$ or $\ZeroJ$ depending on the bit $k_i$ + \vspace{-0.2ex} \item \tab let $\Addend^u_i = k_i \bchoose \Base^u_i : 0$ + \vspace{-0.2ex} \item \tab let $\Addend^{\spv}_i\hairspace = k_i \bchoose \Base^{\spv}_i : 1$ - \vspace{-0.25ex} + \vspace{-0.4ex} \item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$ - \vspace{1ex} + \vspace{0.8ex} \item let $R = \Acc_{250}$. \end{algorithm} @@ -18452,6 +18518,7 @@ Define $\GrothSProof := \SubgroupSstar{1} \times \SubgroupSstar{2} \times \Subgr A $\GrothS$ proof comprises a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothSProof$. +\introlist Verification of a single $\GrothS$ proof against an instance encoded as $a_{\barerange{0}{\ell}} \typecolon \typeexp{\GF{\ParamS{r}}}{\ell+1}$ requires checking the equation \vspace{-0.5ex} @@ -18531,6 +18598,7 @@ $Y$, and $\Psi_{\barerange{0}{\ell}}$. It is straightforward to adapt the above verification keys; the accumulator variables $\Accum{\Delta}$, $\Accum{\Gamma,i}$, and $\Accum{Y}$ are duplicated, with one term in the verification equation for each variable, while $\Accum{AB}$ is shared. +\introlist Neglecting multiplications in $\SubgroupS{T}$ and $\GF{\ParamS{r}}$, and other trivial operations, the cost of batched verification is therefore \begin{itemize} diff --git a/protocol/sapling.pdf b/protocol/sapling.pdf index c99bc93f..08efc7a8 100644 Binary files a/protocol/sapling.pdf and b/protocol/sapling.pdf differ diff --git a/protocol/zcash.bib b/protocol/zcash.bib index 504ab5a5..e8fd56eb 100644 --- a/protocol/zcash.bib +++ b/protocol/zcash.bib @@ -554,8 +554,8 @@ Last updated December~16, 2020.} presort={BDPA2007}, author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}}, title={Sponge functions}, - url={https://www.researchgate.net/publication/242285874_Sponge_Functions}, - urldate={2021-03-01}, + url={https://keccak.team/files/SpongeFunctions.pdf}, + urldate={2022-08-31}, howpublished={ECRYPT Hash Workshop (May 2007), also available as a public comment to NIST as part of the Hash Algorithm Requirements and Evaluation Criteria for the SHA-3 competition.} } @@ -1892,8 +1892,8 @@ Proceedings of the 14th Annual International Cryptology Conference publisher={Springer}, isbn={978-3-540-48184-3}, doi={10.1007/3-540-48184-2_7}, - url={https://www.researchgate.net/profile/Jeroen_Van_de_Graaf/publication/242379939_Multiparty_computations_ensuring_secrecy_of_each_party%27s_input_and_correctness_of_the_output}, - urldate={2018-03-01} + url={https://link.springer.com/content/pdf/10.1007%2F3-540-48184-2_7.pdf}, + urldate={2022-08-31} } @misc{Carroll1876, diff --git a/zip-0000.html b/zip-0000.html index 2c8bc599..41df4fc7 100644 --- a/zip-0000.html +++ b/zip-0000.html @@ -19,8 +19,8 @@ Category: Process Created: 2019-02-16 License: BSD-2-Clause

Terminology

-

The key words "MUST", "SHOULD", "SHOULD NOT", "MAY", "RECOMMENDED", "OPTIONAL", and "REQUIRED" in this document are to be interpreted as described in RFC 2119. 1

-

The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 3

+

The key words "MUST", "SHOULD", "SHOULD NOT", "MAY", "RECOMMENDED", "OPTIONAL", and "REQUIRED" in this document are to be interpreted as described in RFC 2119. 1

+

The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 3

Abstract

A Zcash Improvement Proposal (ZIP) is a design document providing information to the Zcash community, or describing a new feature for Zcash or its processes or environment. The ZIP should provide a concise technical specification of the feature and a rationale for the feature.

@@ -75,7 +75,7 @@ License: BSD-2-Clause

The ZIP editors monitor ZIP changes and update ZIP headers as appropriate.

The ZIP Editors MAY reject a proposed ZIP or update to an existing ZIP for any of the following reasons:

The ZIP Editors MUST NOT unreasonably deny publication of a ZIP proposal or update that does not violate any of these criteria. If they refuse a proposal or update, they MUST give an explanation of which of the criteria were violated, with the exception that spam may be deleted without an explanation.

Note that it is not the primary responsibility of the ZIP Editors to review proposals for security, correctness, or implementability.

-

Please send all ZIP-related communications either by email to <zips@z.cash>, or by opening an issue on the ZIPs issue tracker. All communications should abide by the Zcash Code of Conduct 4 and follow the GNU Kind Communication Guidelines

+

Please send all ZIP-related communications either by email to <zips@z.cash>, or by opening an issue on the ZIPs issue tracker. All communications should abide by the Zcash Code of Conduct 4 and follow the GNU Kind Communication Guidelines

ZIP format and structure

-

ZIPs SHOULD be written in reStructuredText 5, Markdown 6, or LaTeX 7. For ZIPs written in LaTeX, a Makefile MUST be provided to build (at least) a PDF version of the document.

+

ZIPs SHOULD be written in reStructuredText 5, Markdown 6, or LaTeX 7. For ZIPs written in LaTeX, a Makefile MUST be provided to build (at least) a PDF version of the document.

Each ZIP SHOULD have the following parts:

ZIP header preamble

diff --git a/zip-0032.html b/zip-0032.html index 8bb4bbed..d6394a89 100644 --- a/zip-0032.html +++ b/zip-0032.html @@ -25,34 +25,34 @@ License: MIT \(% This ZIP makes heavy use of mathematical markup. If you can see this, you may want to instead view the rendered version at https://zips.z.cash/zip-0032 .\)

Terminology

-

The key words "MUST", "MUST NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

-

"Jubjub" refers to the elliptic curve defined in 15.

+

The key words "MUST", "MUST NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

+

"Jubjub" refers to the elliptic curve defined in 15.

A "chain code" is a cryptovalue that is needed, in addition to a spending key, in order to derive descendant keys and addresses of that key.

-

The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 10.

+

The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 10.

Abstract

-

This proposal defines a mechanism for extending hierarchical deterministic wallets, as decribed in BIP 32 2, to support Zcash's shielded addresses.

+

This proposal defines a mechanism for extending hierarchical deterministic wallets, as decribed in BIP 32 2, to support Zcash's shielded addresses.

The initial parts of the specification define (mostly) equivalent, but independent, systems for deriving a tree of key components from a single seed, for the following shielded pools (which have different internal key structures):

  • Sapling
  • Orchard

Previous versions of this document also defined a similar derivation system for the Sprout shielded pool. This has been removed since it was never used, and is unlikely to be used given that zcashd no longer generates Sprout addresses (and neither Zebra nor the mobile SDKs have ever done so).

-

The last part shows how to use these trees in the context of existing BIP 44 5 wallets.

+

The last part shows how to use these trees in the context of existing BIP 44 5 wallets.

This specification complements the existing use by some Zcash wallets of BIP 32 and BIP 44 for transparent Zcash addresses, and is not intended to deprecate that usage (privacy risks of using transparent addresses notwithstanding).

Motivation

-

BIP 32 2 is the standard mechanism by which wallets for Bitcoin and its derivatives (including Zcash's transparent addresses 6) generate keys and addresses deterministically. This has several advantages over random generation:

+

BIP 32 2 is the standard mechanism by which wallets for Bitcoin and its derivatives (including Zcash's transparent addresses 6) generate keys and addresses deterministically. This has several advantages over random generation:

  • Wallets only need to store a single seed (particularly useful for hardware wallets).
    • -
  • A one-time backup of the seed (usually stored as a word phrase 3) can be used to recover funds from all future addresses.
    • +
  • A one-time backup of the seed (usually stored as a word phrase 3) can be used to recover funds from all future addresses.
  • Keys are arranged into a tree of chains, enabling wallets to represent "accounts" or other high-level structures.
  • Viewing authority or spending authority can be delegated independently for sub-trees without compromising the master seed.

At present, no such equivalent exists for Zcash's shielded addresses. This is of particular concern for hardware wallets; all currently-marketed devices only store a seed internally, and have trained their users to only backup that seed. Given that the Sapling upgrade will make it feasible to use hardware wallets with shielded addresses, it is desirable to have a standard mechanism for deriving them.

Conventions

-

Most of the notation and functions used in this ZIP are defined in the Zcash protocol specification 9. They are reproduced here for convenience:

+

Most of the notation and functions used in this ZIP are defined in the Zcash protocol specification 9. They are reproduced here for convenience:

  • \(\mathsf{truncate}_k(S)\) @@ -104,7 +104,7 @@ License: MIT \(\mathsf{repr}_\mathbb{J}(P)\) is the representation of the Jubjub elliptic curve point \(P\) - as a bit sequence, defined in 15.
    • + as a bit sequence, defined in 15.
  • \(\mathsf{BLAKE2b}\text{-}\mathsf{256}(p, x)\) refers to unkeyed BLAKE2b-256 in sequential mode, with an output digest length of 32 bytes, 16-byte personalization string @@ -144,9 +144,9 @@ License: MIT \(d\) to a base point on the Jubjub elliptic curve, or to \(\bot\) - if the diversifier is invalid. It is instantiated in 13.
    • + if the diversifier is invalid. It is instantiated in 13.
-

The following algorithm standardized in 22 is used:

+

The following algorithm standardized in 22 is used:

  • \(\mathsf{FF1}\text{-}\mathsf{AES256.Encrypt}(key, tweak, x)\) @@ -181,11 +181,11 @@ License: MIT .

Implementors should note that this ZIP is consistently little-endian (in keeping with the Sapling and Orchard specifications), which is the opposite of BIP 32.

-

We adapt the path notation of BIP 32 2 to describe shielded HD paths, using prime marks ( +

We adapt the path notation of BIP 32 2 to describe shielded HD paths, using prime marks ( \('\) ) to indicate hardened derivation ( \(i' = i + 2^{31}\) - ) as in BIP 44 5:

+ ) as in BIP 44 5:

  • \(\mathsf{CDKfvk}(\mathsf{CDKfvk}(\mathsf{CDKfvk}(m_\mathsf{Sapling}, a), b), c)\) @@ -269,7 +269,7 @@ License: MIT \(\mathsf{nsk}_m\) , and \(\mathsf{ovk}_m\) - via the standard Sapling derivation 11: + via the standard Sapling derivation 11:
    • \(\mathsf{ask}_m = \mathsf{ToScalar^{Sapling}}(\mathsf{PRF^{expand}}(\mathsf{sk}_m, [\texttt{0x00}]))\) @@ -303,7 +303,7 @@ License: MIT \(0\) , or if the corresponding \(\mathsf{ivk}\) - derived as specified in 11 is + derived as specified in 11 is \(0\) .

@@ -334,7 +334,7 @@ License: MIT \((\mathsf{nk}_{par}, \mathsf{ak}_{par}, \mathsf{ovk}_{par})\) is the full viewing key derived from \((\mathsf{ask}_{par}, \mathsf{nsk}_{par}, \mathsf{ovk}_{par})\) - as described in 11. + as described in 11.
  • Split @@ -378,16 +378,16 @@ License: MIT \(0\) , or if the corresponding \(\mathsf{ivk}\) - derived as specified in 11 is + derived as specified in 11 is \(0\) .

    • Deriving a child extended full viewing key

    Let \(\mathcal{G}^\mathsf{Sapling}\) - be as defined in 14 and let + be as defined in 14 and let \(\mathcal{H}^\mathsf{Sapling}\) - be as defined in 11.

    + be as defined in 11.

    \(\mathsf{CDKfvk}((\mathsf{ak}_{par}, \mathsf{nk}_{par}, \mathsf{ovk}_{par}, \mathsf{dk}_{par}, \mathsf{c}_{par}), i)\) \(\rightarrow (\mathsf{ak}_{i}, \mathsf{nk}_{i}, \mathsf{ovk}_{i}, \mathsf{dk}_{i}, \mathsf{c}_{i})\) @@ -444,13 +444,13 @@ License: MIT \(\mathsf{ak}_i\) is the zero point of Jubjub, or if the corresponding \(\mathsf{ivk}\) - derived as specified in 11 is + derived as specified in 11 is \(0\) .

    Sapling internal key derivation

    -

    The above derivation mechanisms produce external addresses suitable for giving out to senders. We also want to be able to produce another address derived from a given external address, for use by wallets for internal operations such as change and auto-shielding. Unlike BIP 44 that allows deriving a stream of external and internal addresses in the same hierarchical derivation tree 5, for any external full viewing key we only need to be able to derive a single internal full viewing key that has viewing authority for just internal transfers. We also need to be able to derive the corresponding internal spending key if we have the external spending key.

    +

    The above derivation mechanisms produce external addresses suitable for giving out to senders. We also want to be able to produce another address derived from a given external address, for use by wallets for internal operations such as change and auto-shielding. Unlike BIP 44 that allows deriving a stream of external and internal addresses in the same hierarchical derivation tree 5, for any external full viewing key we only need to be able to derive a single internal full viewing key that has viewing authority for just internal transfers. We also need to be able to derive the corresponding internal spending key if we have the external spending key.

    Deriving a Sapling internal spending key

    Let \((\mathsf{ask}, \mathsf{nsk}, \mathsf{ovk}, \mathsf{dk})\) @@ -460,7 +460,7 @@ License: MIT \(\mathsf{ak}\) and \(\mathsf{nk}\) - as specified in 11. + as specified in 11.

  • Let \(I = \textsf{BLAKE2b-256}(\texttt{"Zcash_SaplingInt"}, \mathsf{EncodeExtFVKParts}(\mathsf{ak}, \mathsf{nk}, \mathsf{ovk}, \mathsf{dk}))\) .
    • @@ -488,14 +488,14 @@ License: MIT \(\mathsf{ak}\) is the zero point of Jubjub, or if the corresponding \(\mathsf{ivk}\) - derived as specified in 11 is + derived as specified in 11 is \(0\) .

    Deriving a Sapling internal full viewing key

    Let \(\mathcal{H}^\mathsf{Sapling}\) - be as defined in 11.

    + be as defined in 11.

    Let \((\mathsf{ak}, \mathsf{nk}, \mathsf{ovk}, \mathsf{dk})\) be the external full viewing key.

    @@ -534,16 +534,16 @@ License: MIT \(R\) are the same between deriving a full viewing key, and deriving the corresponding spending key. Both of these derivations are shown in the following diagram:

    - +
    Diagram of Sapling internal key derivation

    (For simplicity, the proof authorizing key is not shown.)

    -

    This method of deriving internal keys is applied to external keys that are children of the Account level. It was implemented in zcashd as part of support for ZIP 316 8.

    +

    This method of deriving internal keys is applied to external keys that are children of the Account level. It was implemented in zcashd as part of support for ZIP 316 8.

    Note that the internal extended key is invalid if \(\mathsf{ak}\) is the zero point of Jubjub, or if the corresponding \(\mathsf{ivk_{internal}}\) - derived from the internal full viewing key as specified in 11 is + derived from the internal full viewing key as specified in 11 is \(0\) .

    @@ -655,7 +655,7 @@ License: MIT \(\mathsf{c}_i\) . -

    Note that the resulting child spending key may produce an invalid external FVK, as specified in 12, with small probability. The corresponding internal FVK derived as specified in the next section may also be invalid with small probability.

    +

    Note that the resulting child spending key may produce an invalid external FVK, as specified in 12, with small probability. The corresponding internal FVK derived as specified in the next section may also be invalid with small probability.

    Orchard internal key derivation

    As in the case of Sapling, for a given external address, we want to produce another address for use by wallets for internal operations such as change and auto-shielding. That is, for any external full viewing key we need to be able to derive a single internal full viewing key that has viewing authority for just internal transfers. We also need to be able to derive the corresponding internal spending key if we have the external spending key.

    @@ -663,7 +663,7 @@ License: MIT \(\mathsf{ask}\) be the spend authorizing key if available, and let \((\mathsf{ak}, \mathsf{nk}, \mathsf{rivk})\) - be the corresponding external full viewing key, obtained as specified in 12.

    + be the corresponding external full viewing key, obtained as specified in 12.

    Define \(\mathsf{DeriveInternalFVK^{Orchard}}(\mathsf{ak}, \mathsf{nk}, \mathsf{rivk})\) as follows:

    @@ -691,13 +691,13 @@ License: MIT \(\mathsf{ivk_{internal}}\) and \(\mathsf{ovk_{internal}}\) - fields being derived, as specified in 12 and shown in the following diagram:

    + fields being derived, as specified in 12 and shown in the following diagram:

    - +
    Diagram of Orchard internal key derivation, also showing derivation from the parent extended spending key
    -

    This method of deriving internal keys is applied to external keys that are children of the Account level. It was implemented in zcashd as part of support for ZIP 316 8.

    -

    Note that the resulting FVK may be invalid, as specified in 12.

    +

    This method of deriving internal keys is applied to external keys that are children of the Account level. It was implemented in zcashd as part of support for ZIP 316 8.

    +

    Note that the resulting FVK may be invalid, as specified in 12.

    Orchard diversifier derivation

    As with Sapling, we define a mechanism for deterministically deriving a sequence of diversifiers, without leaking how many diversified addresses have already been generated for an account. Unlike Sapling, we do so by deriving a diversifier key directly from the full viewing key, instead of as part of the extended spending key. This means that the full viewing key provides the capability to determine the position of a diversifier within the sequence, which matches the capabilities of a Sapling extended full viewing key but simplifies the key structure.

    @@ -738,7 +738,7 @@ License: MIT

    Specification: Wallet usage

    -

    Existing Zcash-supporting HD wallets all use BIP 44 5 to organize their derived keys. In order to more easily mesh with existing user experiences, we broadly follow BIP 44's design here. However, we have altered the design where it makes sense to leverage features of shielded addresses.

    +

    Existing Zcash-supporting HD wallets all use BIP 44 5 to organize their derived keys. In order to more easily mesh with existing user experiences, we broadly follow BIP 44's design here. However, we have altered the design where it makes sense to leverage features of shielded addresses.

    Key path levels

    Sapling and Orchard key paths have the following three path levels at the top, all of which use hardened derivation:

    Unlike BIP 44, none of the shielded key paths have a \(change\) @@ -782,7 +782,7 @@ License: MIT payment addresses, because each diversifier has around a 50% chance of being invalid.

    If in certain circumstances a wallet needs to derive independent spend authorities within a single account, they MAY additionally support a non-hardened \(address\_index\) - path level as in 5:

    + path level as in 5:

    Note: the encoding of the sighash type is masked with 0x1F when checking whether or not the SINGLE and NONE flags are set.

    @@ -117,7 +117,7 @@ License: MIT

    8: nExpiryHeight

    -

    The block height after which the transaction becomes unilaterally invalid, and can never be mined. 13

    +

    The block height after which the transaction becomes unilaterally invalid, and can never be mined. 13

    10b: scriptCode

    The script being currently executed: redeemScript for P2SH, or scriptPubKey in the general case. This is the same script as serialized in the Sprout transaction digest algorithm.

    @@ -129,98 +129,98 @@ License: MIT

    Notes

    The hashPrevouts, hashSequence, hashOutputs, and hashJoinSplits calculated in an earlier validation can be reused in other inputs of the same transaction, so that the time complexity of the whole hashing process reduces from O(n2) to O(n).

    Refer to the reference implementation, reproduced below, for the precise algorithm:

    - 
    const unsigned char ZCASH_PREVOUTS_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','P','r','e','v','o','u','t','H','a','s','h'};
-const unsigned char ZCASH_SEQUENCE_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','S','e','q','u','e','n','c','H','a','s','h'};
-const unsigned char ZCASH_OUTPUTS_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','O','u','t','p','u','t','s','H','a','s','h'};
-const unsigned char ZCASH_JOINSPLITS_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','J','S','p','l','i','t','s','H','a','s','h'};
+                
    const unsigned char ZCASH_PREVOUTS_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','P','r','e','v','o','u','t','H','a','s','h'};
+const unsigned char ZCASH_SEQUENCE_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','S','e','q','u','e','n','c','H','a','s','h'};
+const unsigned char ZCASH_OUTPUTS_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','O','u','t','p','u','t','s','H','a','s','h'};
+const unsigned char ZCASH_JOINSPLITS_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','J','S','p','l','i','t','s','H','a','s','h'};
 
 // The default values are zeroes
-uint256 hashPrevouts;
-uint256 hashSequence;
-uint256 hashOutputs;
-uint256 hashJoinSplits;
+uint256 hashPrevouts;
+uint256 hashSequence;
+uint256 hashOutputs;
+uint256 hashJoinSplits;
 
-if (!(nHashType & SIGHASH_ANYONECANPAY)) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_PREVOUTS_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vin.size(); n++) {
-        ss << txTo.vin[n].prevout;
-    }
-    hashPrevouts = ss.GetHash();
-}
+if (!(nHashType & SIGHASH_ANYONECANPAY)) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_PREVOUTS_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vin.size(); n++) {
+        ss << txTo.vin[n].prevout;
+    }
+    hashPrevouts = ss.GetHash();
+}
 
-if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_SEQUENCE_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vin.size(); n++) {
-        ss << txTo.vin[n].nSequence;
-    }
-    hashSequence = ss.GetHash();
-}
+if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_SEQUENCE_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vin.size(); n++) {
+        ss << txTo.vin[n].nSequence;
+    }
+    hashSequence = ss.GetHash();
+}
 
-if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_OUTPUTS_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vout.size(); n++) {
-        ss << txTo.vout[n];
-    }
-    hashOutputs = ss.GetHash();
-} else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_OUTPUTS_HASH_PERSONALIZATION);
-    ss << txTo.vout[nIn];
-    hashOutputs = ss.GetHash();
-}
+if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_OUTPUTS_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vout.size(); n++) {
+        ss << txTo.vout[n];
+    }
+    hashOutputs = ss.GetHash();
+} else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_OUTPUTS_HASH_PERSONALIZATION);
+    ss << txTo.vout[nIn];
+    hashOutputs = ss.GetHash();
+}
 
-if (!txTo.vjoinsplit.empty()) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_JOINSPLITS_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vjoinsplit.size(); n++) {
-        ss << txTo.vjoinsplit[n];
-    }
-    ss << txTo.joinSplitPubKey;
-    hashJoinSplits = ss.GetHash();
-}
+if (!txTo.vjoinsplit.empty()) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_JOINSPLITS_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vjoinsplit.size(); n++) {
+        ss << txTo.vjoinsplit[n];
+    }
+    ss << txTo.joinSplitPubKey;
+    hashJoinSplits = ss.GetHash();
+}
 
-uint32_t leConsensusBranchId = htole32(consensusBranchId);
-unsigned char personalization[16] = {};
-memcpy(personalization, "ZcashSigHash", 12);
-memcpy(personalization+12, &leConsensusBranchId, 4);
+uint32_t leConsensusBranchId = htole32(consensusBranchId);
+unsigned char personalization[16] = {};
+memcpy(personalization, "ZcashSigHash", 12);
+memcpy(personalization+12, &leConsensusBranchId, 4);
 
-CBLAKE2bWriter ss(SER_GETHASH, 0, personalization);
+CBLAKE2bWriter ss(SER_GETHASH, 0, personalization);
 // fOverwintered and nVersion
-ss << txTo.GetHeader();
+ss << txTo.GetHeader();
 // Version group ID
-ss << txTo.nVersionGroupId;
+ss << txTo.nVersionGroupId;
 // Input prevouts/nSequence (none/all, depending on flags)
-ss << hashPrevouts;
-ss << hashSequence;
+ss << hashPrevouts;
+ss << hashSequence;
 // Outputs (none/one/all, depending on flags)
-ss << hashOutputs;
+ss << hashOutputs;
 // JoinSplits
-ss << hashJoinSplits;
+ss << hashJoinSplits;
 // Locktime
-ss << txTo.nLockTime;
+ss << txTo.nLockTime;
 // Expiry height
-ss << txTo.nExpiryHeight;
+ss << txTo.nExpiryHeight;
 // Sighash type
-ss << nHashType;
+ss << nHashType;
 
-if (nIn != NOT_AN_INPUT) {
-    // The input being signed (replacing the scriptSig with scriptCode + amount)
-    // The prevout may already be contained in hashPrevout, and the nSequence
-    // may already be contained in hashSequence.
-    ss << txTo.vin[nIn].prevout;
-    ss << static_cast<const CScriptBase&>(scriptCode);
-    ss << amount;
-    ss << txTo.vin[nIn].nSequence;
-}
+if (nIn != NOT_AN_INPUT) {
+    // The input being signed (replacing the scriptSig with scriptCode + amount)
+    // The prevout may already be contained in hashPrevout, and the nSequence
+    // may already be contained in hashSequence.
+    ss << txTo.vin[nIn].prevout;
+    ss << static_cast<const CScriptBase&>(scriptCode);
+    ss << amount;
+    ss << txTo.vin[nIn].nSequence;
+}
 
-return ss.GetHash();
    
+return ss.GetHash();

    Example

    -

    To ensure consistency in consensus-critical behaviour, developers should test their implementations against the ZIP 143 test vectors 14. The first two test vectors are broken out below for clarity. Note that 32-byte values below are exactly as the hash function returns, and are not reversed. Further examples can be found in the SignatureHash test data 15.

    -

    The test vectors below should be verified with the Overwinter consensus branch ID (0x5ba81b19) 11.

    +

    To ensure consistency in consensus-critical behaviour, developers should test their implementations against the ZIP 143 test vectors 14. The first two test vectors are broken out below for clarity. Note that 32-byte values below are exactly as the hash function returns, and are not reversed. Further examples can be found in the SignatureHash test data 15.

    +

    The test vectors below should be verified with the Overwinter consensus branch ID (0x5ba81b19) 11.

    Test vector 1

    Raw transaction:

    030000807082c4030002e7719811893e0000095200ac6551ac636565b2835a0805750200025151481cdd86b3cc431800
@@ -339,7 +339,7 @@ sighash: 23652e76cb13b85a0e3363bb5fca061fa791c40c533eccee899364e6e60bb4f7

    Deployment

    -

    This proposal is deployed with the Overwinter network upgrade. 11

    +

    This proposal is deployed with the Overwinter network upgrade. 11

    Backward compatibility

    This proposal is backwards-compatible with old UTXOs. It is not backwards-compatible with older software. All transactions will be required to use this transaction digest algorithm for signatures, and so transactions created by older software will be rejected by the network.

    diff --git a/zip-0155.html b/zip-0155.html index 073b73f8..2157b5df 100644 --- a/zip-0155.html +++ b/zip-0155.html @@ -18,9 +18,9 @@ License: BSD-2-Clause Discussions-To: <https://github.com/zcash/zips/issues/542> Pull-Request: <https://github.com/zcash/zips/pull/543>

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 4

    -

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 2.

    +

    The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 4

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 2.

    "P2P network" means the Zcash peer-to-peer network.

    uint8, uint16, and uint32 denote unsigned integer data types of the corresponding length (8, 16, or 32 bits respectively).

    @@ -28,11 +28,11 @@ Pull-Request: <https://githu

    This document proposes a new P2P message to gossip longer node addresses over the P2P network. This is required to support new-generation onion addresses, I2P, and potentially other networks that have longer endpoint addresses than fit in the 128 bits of the current addr message.

    Motivation

    -

    Tor v3 onion services are part of the stable release of Tor since version 0.3.2.9. They have various advantages compared to the old v2 onion services, among which better encryption and privacy 9. These services have 256-bit addresses and thus do not fit in the existing addr message (unchanged from Bitcoin 7), which encapsulates onion addresses in OnionCat IPv6 addresses.

    +

    Tor v3 onion services are part of the stable release of Tor since version 0.3.2.9. They have various advantages compared to the old v2 onion services, among which better encryption and privacy 9. These services have 256-bit addresses and thus do not fit in the existing addr message (unchanged from Bitcoin 7), which encapsulates onion addresses in OnionCat IPv6 addresses.

    Other transport-layer protocols such as I2P have always used longer addresses. This change would make it possible to gossip such addresses over the P2P network, so that other peers can connect to them.

    Specification

    -

    The addrv2 message is defined as a message where the command field is (NUL-padded) "addrv2". It is serialized in the standard encoding for P2P messages. Its format is similar to the current addr message format described in 7, with the difference that the fixed 16-byte IP address is replaced by a network ID and a variable-length address, and the services format has been changed to 8.

    +

    The addrv2 message is defined as a message where the command field is (NUL-padded) "addrv2". It is serialized in the standard encoding for P2P messages. Its format is similar to the current addr message format described in 7, with the difference that the fixed 16-byte IP address is replaced by a network ID and a variable-length address, and the services format has been changed to 8.

    This means that the message contains a serialized vector of the following structure:

    @@ -127,14 +127,14 @@ Pull-Request: <https://githu
    -

    Network ID 0x03 is intentionally not assigned. In BIP 155 3 it was assigned to Tor v2 onion addresses, but those addresses are no longer supported by the latest Tor client code, and MUST NOT be used once this ZIP is deployed.

    +

    Network ID 0x03 is intentionally not assigned. In BIP 155 3 it was assigned to Tor v2 onion addresses, but those addresses are no longer supported by the latest Tor client code, and MUST NOT be used once this ZIP is deployed.

    Clients SHOULD gossip valid, potentially routable addresses from all known networks, even if they are currently not connected to some of them. That could help multi-homed nodes and make it more difficult for an observer to tell which networks a node is connected to.

    Clients MUST NOT gossip addresses from unknown networks, because they have no means to validate those addresses and so can be tricked to gossip invalid addresses.

    Clients MUST reject messages that contain addresses that have a different length than specified in this table for a specific network ID, as these are meaningless.

    Network address encodings

    The IPV4 and IPV6 network IDs use addresses encoded in the usual way for binary IPv4 and IPv6 addresses in network byte order (big endian).

    Tor v3 address encoding

    -

    According to the spec 9, version 3 .onion addresses are encoded as follows:

    +

    According to the spec 9, version 3 .onion addresses are encoded as follows:

    onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
 CHECKSUM = H(".onion checksum" || PUBKEY || VERSION)[:2]  // first 2 bytes

    where:

    @@ -143,30 +143,30 @@ CHECKSUM = H(".onion checksum" || PUBKEY || VERSION)[:2] // first 2 bytes
  • VERSION is a one-byte version field (default value 0x03);
  • ".onion" and ".onion checksum" are constant strings;
  • CHECKSUM is truncated to two bytes before inserting it in onion_address;
    • -
  • H() is the SHA3-256 cryptographic hash function. 10
    • +
  • H() is the SHA3-256 cryptographic hash function. 10

    • Tor v3 addresses MUST be sent with the TORV3 network ID, with the 32-byte PUBKEY part in the addr field. As VERSION will always be 0x03 in the case of v3 addresses, this is enough to reconstruct the onion address.

    I2P address encoding

    -

    Like Tor, I2P naming uses a base32-encoded address format 11.

    +

    Like Tor, I2P naming uses a base32-encoded address format 11.

    I2P uses 52 characters (256 bits) to represent the full SHA-256 hash, followed by .b32.i2p. The base32 encoding does not include "=" padding characters.

    I2P addresses MUST be sent with the I2P network ID, with the decoded SHA-256 hash as address field.

    Cjdns address encoding

    -

    Cjdns addresses are simply IPv6 addresses in the fc00::/8 range 12. They MUST be sent with the CJDNS network ID. They are encoded in network byte order (big endian) as for the IPV6 network ID.

    +

    Cjdns addresses are simply IPv6 addresses in the fc00::/8 range 12. They MUST be sent with the CJDNS network ID. They are encoded in network byte order (big endian) as for the IPV6 network ID.

    Deployment

    TODO: change ${PLACEHOLDER} to a specific peer protocol version.

    -

    Support for this specification is signalled by peer protocol version ${PLACEHOLDER} (on both Testnet and Mainnet). Note that this is the same peer protocol version that signals support for NU5 on Mainnet 6.

    +

    Support for this specification is signalled by peer protocol version ${PLACEHOLDER} (on both Testnet and Mainnet). Note that this is the same peer protocol version that signals support for NU5 on Mainnet 6.

    Nodes that have not negotiated peer protocol version ${PLACEHOLDER} or higher on a given connection, MUST NOT send addrv2 messages on that connection.

    A node that has negotiated peer protocol version ${PLACEHOLDER} or higher on a given connection, MAY still send addr messages on the connection, and MUST handle received addr messages as it would have done prior to this ZIP.

    Rationale

    -

    This ZIP is closely based on BIP 155 3, with the following changes:

    +

    This ZIP is closely based on BIP 155 3, with the following changes:

    Acknowledgements

    -

    This ZIP is closely based on BIP 155 3, written by Wladimir J. van der Laan. Zancas Wilcox ported the implementation for Zcashd.

    +

    This ZIP is closely based on BIP 155 3, written by Wladimir J. van der Laan. Zancas Wilcox ported the implementation for Zcashd.

    Acknowledgements for BIP 155:

    @@ -183,7 +183,7 @@ def bech32_verify_checksum(hrp, data):

    Existing character sets for base-32 encodings include RFC 3548 and z-base-32. The set used for Bech32 was chosen to minimize ambiguity according to this visual similarity data, and the ordering is chosen to minimize the number of pairs of similar characters (according to the same data) that differ in more than 1 bit. As the checksum is chosen to maximize detection capabilities for low numbers of bit errors, this choice improves its performance under some error models.

    Why are the high bits of the human-readable part processed first?

    -

    This design choice had a rationale for Bitcoin Segregated Witness addresses (see 7) that does not apply to Zcash Sapling addresses. It is retained for compatibility with Bech32 encoders/decoders written for Bitcoin.

    +

    This design choice had a rationale for Bitcoin Segregated Witness addresses (see 7) that does not apply to Zcash Sapling addresses. It is retained for compatibility with Bech32 encoders/decoders written for Bitcoin.

    Reference implementations

    diff --git a/zip-0200.html b/zip-0200.html index 3110d361..6f4414ba 100644 --- a/zip-0200.html +++ b/zip-0200.html @@ -14,7 +14,7 @@ Category: Consensus Created: 2018-01-08 License: MIT

    Terminology

    -

    The key words "MUST", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The key words "MUST", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    The terms below are to be interpreted as follows:

    Block chain
    @@ -33,8 +33,8 @@ License: MIT

    This proposal defines a mechanism for coordinating upgrades of the Zcash network, in order to remove ambiguity about when network upgrades will activate, provide defined periods in which users should upgrade their local software, and minimize the risks to both the upgrading network and any users opting out of the changes.

    Motivation

    -

    Zcash is a consensual currency: nobody is ever going to force someone to use a specific software implementation or a specific consensus branch of Zcash. 2 As such, different sub-communities will always have the freedom to choose different variants or branches which offer different design trade-offs.

    -

    The current Zcash software includes an End-of-Service halt feature, causing nodes running a particular version to automatically shut down approximately 16 weeks after that version was released (specifically, at the block height DEPRECATION_HEIGHT defined in the source code for that version). This was implemented for several reasons: 3

    +

    Zcash is a consensual currency: nobody is ever going to force someone to use a specific software implementation or a specific consensus branch of Zcash. 2 As such, different sub-communities will always have the freedom to choose different variants or branches which offer different design trade-offs.

    +

    The current Zcash software includes an End-of-Service halt feature, causing nodes running a particular version to automatically shut down approximately 16 weeks after that version was released (specifically, at the block height DEPRECATION_HEIGHT defined in the source code for that version). This was implemented for several reasons: 3

    -

    Validation of version 3 transactions MUST use the signature validation process detailed in the Transaction Signature Validation for Overwinter ZIP 2.

    +

    Validation of version 3 transactions MUST use the signature validation process detailed in the Transaction Signature Validation for Overwinter ZIP 2.

    Implementation

    @@ -317,14 +317,14 @@ License: MIT }

    It is expected that this test involving nVersionGroupId is only required when a transaction is being constructed or deserialized e.g. when an external transaction enters the system.

    However, it's possible that a clone of Zcash is using the same version group ID and passes the conditional.

    -

    Ultimately, a client can determine if a transaction is truly intended for the client's chain or not by following the signature validation process detailed in the Transaction Signature Validation for Overwinter ZIP 2.

    +

    Ultimately, a client can determine if a transaction is truly intended for the client's chain or not by following the signature validation process detailed in the Transaction Signature Validation for Overwinter ZIP 2.

    Deployment

    -

    This proposal will be deployed with the Overwinter network upgrade. The activation block height proposal is in 4.

    +

    This proposal will be deployed with the Overwinter network upgrade. The activation block height proposal is in 4.

    Backwards compatibility

    -

    This proposal intentionally creates what is known as a "bilateral consensus rule change" 3 between pre-Overwinter software and Overwinter-compatible software. Use of this new transaction format requires that all network participants upgrade their software to a compatible version within the upgrade window. Pre-Overwinter software will treat Overwinter transactions as invalid.

    +

    This proposal intentionally creates what is known as a "bilateral consensus rule change" 3 between pre-Overwinter software and Overwinter-compatible software. Use of this new transaction format requires that all network participants upgrade their software to a compatible version within the upgrade window. Pre-Overwinter software will treat Overwinter transactions as invalid.

    Once Overwinter has activated, Overwinter-compatible software will reject version 1 and version 2 transactions, and will only accept transactions based upon supported transaction version numbers and recognized version group IDs.

    Reference Implementation

    diff --git a/zip-0203.html b/zip-0203.html index 7fa7468f..7a8add0b 100644 --- a/zip-0203.html +++ b/zip-0203.html @@ -48,10 +48,10 @@ License: MIT

    Coinbase: nExpiryHeight on coinbase transactions is ignored, and is set to 0 by convention.

    Every time a transaction expires and should be removed from the mempool, so should all of its dependent transactions.

    Changes for Blossom

    -

    On Blossom activation 2, the default changes to 40 blocks from the current height, which still represents about 50 minutes at the revised 75-second target block spacing.

    +

    On Blossom activation 2, the default changes to 40 blocks from the current height, which still represents about 50 minutes at the revised 75-second target block spacing.

    Changes for NU5

    -

    As mentioned above, nExpiryHeight is ignored for coinbase transactions. However, from NU5 activation 3, the nExpiryHeight field of a coinbase transaction MUST be set equal to the block height. Also, for coinbase transactions only, the bound of 499999999 on nExpiryHeight is removed. The motivation is to ensure that transaction IDs remain unique, as explained in more detail in a note in Section 7.1 of the protocol specification 4.

    +

    As mentioned above, nExpiryHeight is ignored for coinbase transactions. However, from NU5 activation 3, the nExpiryHeight field of a coinbase transaction MUST be set equal to the block height. Also, for coinbase transactions only, the bound of 499999999 on nExpiryHeight is removed. The motivation is to ensure that transaction IDs remain unique, as explained in more detail in a note in Section 7.1 of the protocol specification 4.

    Wallet behavior and UI

    With the addition of this feature, zero-confirmation transactions with an expiration block height set will have even less guarantee of inclusion. This means that UIs and services must never rely on zero-confirmation transactions in Zcash.

    @@ -69,7 +69,7 @@ License: MIT

    --txexpirydelta=100

    Deployment

    -

    This feature will be deployed with Overwinter. The activation blockheight proposal is in 1.

    +

    This feature will be deployed with Overwinter. The activation blockheight proposal is in 1.

    Reference Implementation

    diff --git a/zip-0205.html b/zip-0205.html index 4dfc25eb..c58571c9 100644 --- a/zip-0205.html +++ b/zip-0205.html @@ -15,9 +15,9 @@ Category: Consensus / Network Created: 2018-10-08 License: MIT

    Terminology

    -

    The key words "MUST" and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

    -

    The terms "consensus branch" and "network upgrade" in this document are to be interpreted as described in ZIP 200. 7

    -

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 3.

    +

    The key words "MUST" and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

    +

    The terms "consensus branch" and "network upgrade" in this document are to be interpreted as described in ZIP 200. 7

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 3.

    The terms below are to be interpreted as follows:

    Sapling
    @@ -31,12 +31,12 @@ License: MIT

    Sapling deployment

    The primary sources of information about Sapling consensus protocol changes are:

      -
    • The Zcash Protocol Specification 2.
      • -
    • Transaction Signature Validation for Sapling 9.
      • -
    • Network Upgrade Mechanism 7.
      • +
    • The Zcash Protocol Specification 2.
      • +
    • Transaction Signature Validation for Sapling 9.
      • +
    • Network Upgrade Mechanism 7.
    -

    The network handshake and peer management mechanisms defined in 8 also apply to this upgrade.

    -

    The following network upgrade constants 7 are defined for the Sapling upgrade:

    +

    The network handshake and peer management mechanisms defined in 8 also apply to this upgrade.

    +

    The following network upgrade constants 7 are defined for the Sapling upgrade:

    CONSENSUS_BRANCH_ID
    0x76b809bb
    @@ -52,7 +52,7 @@ License: MIT

    Approximately three days (defined in terms of block height) before the Sapling activation height, Sapling-compatible nodes will change the behaviour of their peer connection logic in order to prefer pre-Sapling peers for eviction from the set of peer connections.

    /** The period before a network upgrade activates, where connections to upgrading peers are preferred (in blocks). */
 static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 24 * 24 * 3;
    -

    The implementation is similar to that for Overwinter which was described in 8.

    +

    The implementation is similar to that for Overwinter which was described in 8.

    Once Sapling activates on Testnet or Mainnet, Sapling nodes SHOULD take steps to:

    • reject new connections from pre-Sapling nodes;
      • @@ -60,8 +60,8 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 24 * 24 * 3;

    Change to difficulty adjustment on Testnet

    -

    Section 7.6.3 of the Zcash Protocol Specification 5 describes the algorithm used to adjust the difficulty of a block (defined in terms of a "target threshold") based on the nTime and nBits fields of preceding blocks.

    -

    This algorithm changed on Testnet, starting from block 299188, to allow "minimum-difficulty" blocks. If the block time of a block from this height onward is greater than 15 minutes after that of the preceding block, then the block is a minimum-difficulty block. In that case its nBits field MUST be set to ToCompact(PoWLimit), where PoWLimit is the value defined for Testnet in section 5.3 of the Zcash Protocol Specification 4, and ToCompact is as defined in section 7.7.4 of that specification 6.

    +

    Section 7.6.3 of the Zcash Protocol Specification 5 describes the algorithm used to adjust the difficulty of a block (defined in terms of a "target threshold") based on the nTime and nBits fields of preceding blocks.

    +

    This algorithm changed on Testnet, starting from block 299188, to allow "minimum-difficulty" blocks. If the block time of a block from this height onward is greater than 15 minutes after that of the preceding block, then the block is a minimum-difficulty block. In that case its nBits field MUST be set to ToCompact(PoWLimit), where PoWLimit is the value defined for Testnet in section 5.3 of the Zcash Protocol Specification 4, and ToCompact is as defined in section 7.7.4 of that specification 6.

    Note: a previous revision of this ZIP incorrectly said that only the target threshold of minimum-difficulty blocks is affected. In fact the nBits field is modified as well, and this affects difficulty adjustment for subsequent blocks.

    This change does not affect Mainnet.

    diff --git a/zip-0206.html b/zip-0206.html index 8de8566b..db66a2ec 100644 --- a/zip-0206.html +++ b/zip-0206.html @@ -15,16 +15,16 @@ Category: Consensus / Network Created: 2019-07-29 License: MIT

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 3

    +

    The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 3

    The terms below are to be interpreted as follows:

    Blossom
    Code-name for the third Zcash network upgrade, also known as Network Upgrade 2.
    Testnet
    -
    The Zcash test network, as defined in 2.
    +
    The Zcash test network, as defined in 2.
    Mainnet
    -
    The Zcash production network, as defined in 2.
    +
    The Zcash production network, as defined in 2.

    Abstract

    @@ -34,12 +34,12 @@ License: MIT

    Blossom deployment

    The primary sources of information about Blossom consensus protocol changes are:

      -
    • The Zcash Protocol Specification 2.
      • -
    • Shorter Block Target Spacing 5.
      • -
    • Network Upgrade Mechanism 3.
      • +
    • The Zcash Protocol Specification 2.
      • +
    • Shorter Block Target Spacing 5.
      • +
    • Network Upgrade Mechanism 3.
    -

    The network handshake and peer management mechanisms defined in 4 also apply to this upgrade.

    -

    The following network upgrade constants 3 are defined for the Blossom upgrade:

    +

    The network handshake and peer management mechanisms defined in 4 also apply to this upgrade.

    +

    The following network upgrade constants 3 are defined for the Blossom upgrade:

    CONSENSUS_BRANCH_ID
    0x2BB40E60
    @@ -54,7 +54,7 @@ License: MIT

    For each network (testnet and mainnet), approximately three days (defined in terms of block height) before the corresponding Blossom activation height, nodes compatible with Blossom activation on that network will change the behaviour of their peer connection logic in order to prefer pre-Blossom peers on that network for eviction from the set of peer connections:

    /** The period before a network upgrade activates, where connections to upgrading peers are preferred (in blocks). */
 static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 24 * 24 * 3;
    -

    The implementation is similar to that for Overwinter which was described in 4.

    +

    The implementation is similar to that for Overwinter which was described in 4.

    Once Blossom activates on testnet or mainnet, Blossom nodes SHOULD take steps to:

    • reject new connections from pre-Blossom nodes on that network;
      • @@ -65,7 +65,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 24 * 24 * 3;

      Backward compatibility

      Prior to the network upgrade activating on each network, Blossom and pre-Blossom nodes are compatible and can connect to each other. However, Blossom nodes will have a preference for connecting to other Blossom nodes, so pre-Blossom nodes will gradually be disconnected in the run up to activation.

      Once the network upgrades, even though pre-Blossom nodes can still accept the numerically larger protocol version used by Blossom as being valid, Blossom nodes will always disconnect peers using lower protocol versions.

      -

      Unlike Overwinter and Sapling, Blossom does not define a new transaction version. Blossom transactions are therefore in the same v4 format as Sapling transactions, and use the same version group ID, i.e. 0x892F2085 as defined in 2 section 7.1. This does not imply that transactions are valid across the Blossom activation, since signatures MUST use the appropriate consensus branch ID.

      +

      Unlike Overwinter and Sapling, Blossom does not define a new transaction version. Blossom transactions are therefore in the same v4 format as Sapling transactions, and use the same version group ID, i.e. 0x892F2085 as defined in 2 section 7.1. This does not imply that transactions are valid across the Blossom activation, since signatures MUST use the appropriate consensus branch ID.

    Support in zcashd

    Support for Blossom on testnet is implemented in zcashd version 2.0.7, which advertises protocol version 170008. Support for Blossom on mainnet is implemented in zcashd version 2.1.0, which advertises protocol version 170009.

    diff --git a/zip-0207.html b/zip-0207.html index 0a4270b6..0df3107a 100644 --- a/zip-0207.html +++ b/zip-0207.html @@ -16,34 +16,34 @@ Category: Consensus Created: 2019-01-04 License: MIT

    Terminology

    -

    The key words "MUST", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The terms "block subsidy" and "halving" in this document are to be interpreted as described in sections 3.9 and 7.7 of the Zcash Protocol Specification. 3 7

    -

    The terms "consensus branch" and "network upgrade" in this document are to be interpreted as described in ZIP 200. 10

    +

    The key words "MUST", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The terms "block subsidy" and "halving" in this document are to be interpreted as described in sections 3.9 and 7.7 of the Zcash Protocol Specification. 3 7

    +

    The terms "consensus branch" and "network upgrade" in this document are to be interpreted as described in ZIP 200. 10

    The terms below are to be interpreted as follows:

    Canopy
    Code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4.
    Testnet
    -
    The Zcash test network, as defined in the Zcash Protocol Specification. 4
    +
    The Zcash test network, as defined in the Zcash Protocol Specification. 4
    Mainnet
    -
    The Zcash production network, as defined in the Zcash Protocol Specification. 4
    +
    The Zcash production network, as defined in the Zcash Protocol Specification. 4

    Abstract

    This proposal specifies a mechanism to support funding streams, distributed from a portion of the block subsidy for a specified range of block heights.

    -

    This is intended as a means of implementing the Zcash Development Fund, using the funding stream definitions specified in ZIP 214 14. It should be read in conjunction with ZIP 1014 16, which describes the high-level requirements for that fund.

    +

    This is intended as a means of implementing the Zcash Development Fund, using the funding stream definitions specified in ZIP 214 14. It should be read in conjunction with ZIP 1014 16, which describes the high-level requirements for that fund.

    Motivation

    -

    Motivation for the Zcash Development Fund is considered in ZIP 1014 16.

    +

    Motivation for the Zcash Development Fund is considered in ZIP 1014 16.

    This ZIP 207 was originally proposed for the Blossom network upgrade, as a means of splitting the original Founders' Reward into several streams. It was then withdrawn when such splitting was judged to be unnecessary at the consensus level. Since the capabilities of the funding stream mechanism match the requirements for the Zcash Development Fund, the ZIP is being reintroduced for that purpose in order to reuse specification, analysis, and implementation effort.

    Requirements

    -

    The primary requirement of this ZIP is to provide a mechanism for specifying the funding streams that are used in ZIP 214 14 to implement the Zcash Development Fund. It should be sufficiently expressive to handle both the main three "slices" (BP, ZF, and MG) defined in ZIP 1014 16, and also (with additional funding stream definitions) the "direct grant option" described in that ZIP.

    +

    The primary requirement of this ZIP is to provide a mechanism for specifying the funding streams that are used in ZIP 214 14 to implement the Zcash Development Fund. It should be sufficiently expressive to handle both the main three "slices" (BP, ZF, and MG) defined in ZIP 1014 16, and also (with additional funding stream definitions) the "direct grant option" described in that ZIP.

    As for the original Founders' Reward, a mechanism is provided to allow addresses for a given funding stream to be changed on a roughly-monthly basis, so that keys that are not yet needed may be kept off-line as a security measure.

    Specification

    Definitions

    -

    We use the following constants and functions defined in 5, 6, 7, and 8:

    +

    We use the following constants and functions defined in 5, 6, 7, and 8:

    • \(\mathsf{BlossomActivationHeight}\) @@ -74,7 +74,7 @@ License: MIT

    Funding streams

    A funding stream is defined by a block subsidy fraction (represented as a numerator and a denominator), a start height (inclusive), and an end height (exclusive).

    -

    By defining the issuance as a proportion of the total block subsidy, rather than absolute zatoshis, this ZIP dovetails with any changes to both block target spacing and issuance-per-block rates. Such a change occurred at the Blossom network upgrade, for example. 11

    +

    By defining the issuance as a proportion of the total block subsidy, rather than absolute zatoshis, this ZIP dovetails with any changes to both block target spacing and issuance-per-block rates. Such a change occurred at the Blossom network upgrade, for example. 11

    The value of a funding stream at a given block height is defined as:

    \(\mathsf{FundingStream[FUND].Value}(\mathsf{height}) = \mathsf{floor}\left( @@ -196,21 +196,21 @@ License: MIT

    On Mainnet, Canopy is planned to activate exactly at the point when the Founders' Reward expires, at block height 1046400. On Testnet, there will be a shortened Founders' Reward address period prior to Canopy activation.

    Consensus rules

    -

    Prior to activation of the Canopy network upgrade, the existing consensus rule for payment of the original Founders' Reward is enforced. 8

    +

    Prior to activation of the Canopy network upgrade, the existing consensus rule for payment of the original Founders' Reward is enforced. 8

    Once the Canopy network upgrade activates:

      -
    • The existing consensus rule for payment of the Founders' Reward 8 is no longer active. (This would be the case under the preexisting consensus rules for Mainnet, but not for Testnet.)
      • +
    • The existing consensus rule for payment of the Founders' Reward 8 is no longer active. (This would be the case under the preexisting consensus rules for Mainnet, but not for Testnet.)
    • The coinbase transaction in each block MUST contain at least one output per active funding stream that pays the stream's value in the prescribed way to the stream's recipient address for the block's height.
    • The "prescribed way" to pay a transparent P2SH address is to use a standard P2SH script of the form OP_HASH160 RedeemScriptHash(height) OP_EQUAL as the scriptPubKey.
      • -
    • The "prescribed way" to pay a Sapling address is as defined in 13. That is, all Sapling outputs in coinbase transactions (including, but not limited to, outputs for funding streams) MUST have valid note commitments when recovered using a 32-byte array of zeroes as the outgoing viewing key. In this case the note plaintext lead byte MUST be +
    • The "prescribed way" to pay a Sapling address is as defined in 13. That is, all Sapling outputs in coinbase transactions (including, but not limited to, outputs for funding streams) MUST have valid note commitments when recovered using a 32-byte array of zeroes as the outgoing viewing key. In this case the note plaintext lead byte MUST be \(\mathbf{0x02}\) - , as specified in 12.
      • + , as specified in 12.
    -

    For the funding stream definitions to be activated at Canopy, see ZIP 214. 14 Funding stream definitions can be added, changed, or deleted in ZIPs associated with subsequent network upgrades, subject to the ZIP process. 9

    +

    For the funding stream definitions to be activated at Canopy, see ZIP 214. 14 Funding stream definitions can be added, changed, or deleted in ZIPs associated with subsequent network upgrades, subject to the ZIP process. 9

    Deployment

    -

    This proposal is intended to be deployed with Canopy. 15

    +

    This proposal is intended to be deployed with Canopy. 15

    Backward compatibility

    This proposal intentionally creates what is known as a "bilateral consensus rule change". Use of this mechanism requires that all network participants upgrade their software to a compatible version within the upgrade window. Older software will treat post-upgrade blocks as invalid, and will follow any pre-upgrade consensus branch that persists.

    diff --git a/zip-0208.html b/zip-0208.html index ffb11c0a..cc0c24f7 100644 --- a/zip-0208.html +++ b/zip-0208.html @@ -17,13 +17,13 @@ Created: 2019-01-10 License: MIT Pull-Request: <https://github.com/zcash/zips/pull/237>

    Terminology

    -

    The key words "MUST" and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

    -

    The terms "block chain", "consensus rule change", "consensus branch", and "network upgrade" are to be interpreted as defined in 9.

    -

    The term "block target spacing" means the time interval between blocks targeted by the difficulty adjustment algorithm in a given consensus branch. It is normally measured in seconds. (This is also sometimes called the "target block time", but "block target spacing" is the term used in the Zcash Protocol Specification 6.)

    -

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 4.

    +

    The key words "MUST" and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

    +

    The terms "block chain", "consensus rule change", "consensus branch", and "network upgrade" are to be interpreted as defined in 9.

    +

    The term "block target spacing" means the time interval between blocks targeted by the difficulty adjustment algorithm in a given consensus branch. It is normally measured in seconds. (This is also sometimes called the "target block time", but "block target spacing" is the term used in the Zcash Protocol Specification 6.)

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 4.

    Abstract

    -

    This proposal specifies a change in the block target spacing, to take effect in the Blossom network upgrade 11.

    +

    This proposal specifies a change in the block target spacing, to take effect in the Blossom network upgrade 11.

    The emission schedule of mined ZEC will be approximately the same in terms of time, but this requires the emission per block to be adjusted to take account of the changed block target spacing.

    Motivation

    @@ -33,15 +33,15 @@ Pull-Request: <https://githu
  • Greater throughput of transactions in unit time.

    • The latter goal could alternatively be achieved by increasing the block size limit, but that would not also achieve the former goal.

    -

    Note that, for a given security requirement (in terms of the expected cost distribution of a rollback attack), the number of confirmations needed increases more slowly than the decrease in block time, and so, up to a point, decreasing the block target spacing can provide a better trade-off between latency and security. This argument assumes that the validation and propagation time for a block remain small compared to the block target spacing. See 13 for further analysis in various attack models.

    +

    Note that, for a given security requirement (in terms of the expected cost distribution of a rollback attack), the number of confirmations needed increases more slowly than the decrease in block time, and so, up to a point, decreasing the block target spacing can provide a better trade-off between latency and security. This argument assumes that the validation and propagation time for a block remain small compared to the block target spacing. See 13 for further analysis in various attack models.

    Specification

    -

    The changes described in this section are to be made in the Zcash Protocol Specification 3, relative to the pre-Blossom specification in [#preblossom-protocol].

    +

    The changes described in this section are to be made in the Zcash Protocol Specification 3, relative to the pre-Blossom specification in [#preblossom-protocol].

    Consensus changes

    -

    Throughout the specification, rename HalvingInterval to PreBlossomHalvingInterval, and rename PoWTargetSpacing to PreBlossomTargetSpacing. These constants retain their values from 2 of 840000 (blocks) and 150 (seconds) respectively.

    +

    Throughout the specification, rename HalvingInterval to PreBlossomHalvingInterval, and rename PoWTargetSpacing to PreBlossomTargetSpacing. These constants retain their values from 2 of 840000 (blocks) and 150 (seconds) respectively.

    In section 2 (Notation), add BlossomActivationHeight and PostBlossomPoWTargetSpacing to the list of integer constants.

    In section 5.3 (Constants), define PostBlossomPoWTargetSpacing := 75 seconds.

    -

    For a given network (production or test), define BlossomActivationHeight as the height at which Blossom activates on that network, as specified in 11.

    +

    For a given network (production or test), define BlossomActivationHeight as the height at which Blossom activates on that network, as specified in 11.

    In section 7.6.3 (Difficulty adjustment) [later moved to section 7.7.3], make the following changes:

    Define IsBlossomActivated(height) to return true if height ≥ BlossomActivationHeight, otherwise false.

    This specification assumes that BlossomActivationHeight ≥ SlowStartInterval.

    @@ -111,9 +111,9 @@ Pull-Request: <https://githu

    The change in the effective value of PoWTargetSpacing will cause the block spacing to adjust to the new target, at the normal rate for a difficulty adjustment. The results of simulations are consistent with this expected behaviour.

    Note that the change in AveragingWindowTimespan(height) takes effect immediately when calculating the target difficulty starting from the block at the Blossom activation height, even though the difficulty of the preceding PoWAveragingWindow blocks will have been adjusted using the pre-Blossom target spacing. Therefore it is likely that the difficulty adjustment for the first few blocks after activation will be limited by PoWMaxAdjustDown. This is not anticipated to cause any problem.

    Minimum difficulty blocks on Testnet

    -

    On Testnet from block height 299188 onward, the difficulty adjustment algorithm 6 allows minimum-difficulty blocks, as described in 10, when the block time is greater than a given threshold. This specification changes this threshold to be proportional to the block target spacing.

    -

    That is, if the block time of a block at height height ≥ 299188 is greater than 6 · PoWTargetSpacing(height) seconds after that of the preceding block, then the block is a minimum-difficulty block. In that case its nBits field MUST be set to ToCompact(PoWLimit), where PoWLimit is the value defined for Testnet in section 5.3 of the Zcash Protocol Specification 5, and ToCompact is as defined in section 7.7.4 of that specification 7.

    -

    Note: a previous revision of this ZIP (and 10) incorrectly said that only the target threshold of minimum-difficulty blocks is affected. In fact the nBits field is modified as well, and this affects difficulty adjustment for subsequent blocks.

    +

    On Testnet from block height 299188 onward, the difficulty adjustment algorithm 6 allows minimum-difficulty blocks, as described in 10, when the block time is greater than a given threshold. This specification changes this threshold to be proportional to the block target spacing.

    +

    That is, if the block time of a block at height height ≥ 299188 is greater than 6 · PoWTargetSpacing(height) seconds after that of the preceding block, then the block is a minimum-difficulty block. In that case its nBits field MUST be set to ToCompact(PoWLimit), where PoWLimit is the value defined for Testnet in section 5.3 of the Zcash Protocol Specification 5, and ToCompact is as defined in section 7.7.4 of that specification 7.

    +

    Note: a previous revision of this ZIP (and 10) incorrectly said that only the target threshold of minimum-difficulty blocks is affected. In fact the nBits field is modified as well, and this affects difficulty adjustment for subsequent blocks.

    This change does not affect Mainnet.

    @@ -127,7 +127,7 @@ Pull-Request: <https://githu

    If the -txexpirydelta option is set, then the set value SHOULD be used both before and after Blossom activation.

    Sprout to Sapling migration

    -

    ZIP 308 12 defines a procedure for migrating funds from Sprout to Sapling z-addresses. In that procedure, migration transactions are sent every 500 blocks, which corresponded to roughly 20.83 hours before Blossom.

    +

    ZIP 308 12 defines a procedure for migrating funds from Sprout to Sapling z-addresses. In that procedure, migration transactions are sent every 500 blocks, which corresponded to roughly 20.83 hours before Blossom.

    The 500-block constant has not been changed. Therefore, migration transactions are now sent roughly every 10.42 hours after Blossom activation. This has been noted in the ZIP, and a table showing the expected time to complete migration has been updated accordingly.

    Fingerprinting mitigation

    @@ -137,7 +137,7 @@ Pull-Request: <https://githu // chain if they are valid, and no more than a month older (both in time, and in // best equivalent proof of work) than the best header chain we know about.

    We make no assertion about the significance of fingerprinting for Zcash, and (despite the word "prevent" in the above comment) no claim about the effectiveness of this mitigation.

    -

    In any case, to estimate the "best equivalent proof of work" of a given block chain (measured in units of time), we take the total work of the chain as defined in section 7.7.5 of the Zcash Protocol Specification 8, divide by the work of the block at the active tip, and multiply by the target block spacing of that block.

    +

    In any case, to estimate the "best equivalent proof of work" of a given block chain (measured in units of time), we take the total work of the chain as defined in section 7.7.5 of the Zcash Protocol Specification 8, divide by the work of the block at the active tip, and multiply by the target block spacing of that block.

    It is not a requirement of the Zcash protocol that this fingerprinting mitigation is used; however, if it is used, then it SHOULD use the target block spacing at the same block height that is used for the current work estimate.

    Monitoring for quicker- or slower-than-expected blocks

    @@ -194,7 +194,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;

    Deployment

    -

    This proposal will be deployed with the Blossom network upgrade. 11

    +

    This proposal will be deployed with the Blossom network upgrade. 11

    Backward compatibility

    This proposal intentionally creates what is known as a "bilateral consensus rule change". Use of this mechanism requires that all network participants upgrade their software to a compatible version within the upgrade window. Older software will treat post-upgrade blocks as invalid, and will follow any pre-upgrade consensus branch that persists.

    diff --git a/zip-0209.html b/zip-0209.html index abbce8b5..bca26080 100644 --- a/zip-0209.html +++ b/zip-0209.html @@ -15,12 +15,12 @@ Category: Consensus Created: 2019-02-25 License: MIT

    Terminology

    -

    The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "block chain" and "network upgrade" are to be interpreted as defined in 3.

    +

    The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The term "block chain" and "network upgrade" are to be interpreted as defined in 3.

    The "Sprout chain value pool balance" for a given block chain is the sum of all vpub_old fields for transactions in the block chain, minus the sum of all vpub_new fields for transactions in the block chain.

    The "Sapling chain value pool balance" for a given block chain is the negation of the sum of all valueBalanceSapling fields for transactions in the block chain.

    The "Orchard chain value pool balance" for a given block chain is the negation of the sum of all valueBalanceOrchard fields for transactions in the block chain. (Before NU5 has activated, the Orchard chain value pool balance is zero.)

    -

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 2.

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 2.

    Abstract

    This proposal defines how the consensus rules are altered such that blocks that produce negative shielded chain value pool balances are prohibited.

    @@ -34,9 +34,9 @@ License: MIT

    Nodes MAY relay transactions even if one or more of them cannot be mined due to the aforementioned restriction.

    Deployment

    -

    This consensus rule is not deployed as part of a network upgrade as defined in ZIP-200 3 and there is no mechanism by which the network will synchronize to enforce this rule. Rather, all nodes SHOULD begin enforcing this consensus rule upon acceptance of this proposal.

    +

    This consensus rule is not deployed as part of a network upgrade as defined in ZIP-200 3 and there is no mechanism by which the network will synchronize to enforce this rule. Rather, all nodes SHOULD begin enforcing this consensus rule upon acceptance of this proposal.

    There is a risk that before all nodes on the network begin enforcing this consensus rule that block(s) will be produced that violate it, potentially leading to network fragmentation. This is considered sufficiently unlikely that the benefits of enforcing this consensus rule sooner are overwhelming.

    -

    This specification was deployed in zcashd v2.0.4 for Testnet, and in zcashd v2.0.5 for Mainnet. The application to the Orchard chain value pool balance will be deployed from NU5 activation 4.

    +

    This specification was deployed in zcashd v2.0.4 for Testnet, and in zcashd v2.0.5 for Mainnet. The application to the Orchard chain value pool balance will be deployed from NU5 activation 4.

    References

    diff --git a/zip-0210.html b/zip-0210.html index ef839126..54e535d3 100644 --- a/zip-0210.html +++ b/zip-0210.html @@ -14,19 +14,19 @@ Category: Consensus Created: 2019-03-27 License: MIT

    Status

    -

    This ZIP has been withdrawn because a similar change has been incorporated into the ZIP 225 proposal for a version 5 transaction format. 5

    +

    This ZIP has been withdrawn because a similar change has been incorporated into the ZIP 225 proposal for a version 5 transaction format. 5

    Terminology

    -

    The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200 3.

    -

    The term "Sapling" in this document is to be interpreted as described in ZIP 205 4.

    +

    The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200 3.

    +

    The term "Sapling" in this document is to be interpreted as described in ZIP 205 4.

    Abstract

    This proposal defines a modification to the transaction format whereby a single Sapling anchor is used for all Sapling spends. This change removes a potential implementation fingerprint, and reduces the size of Sapling transactions within the block chain.

    Motivation

    -

    The Sapling network upgrade 4 introduced new shielded inputs (spends) and outputs. Each spend proves the existence of the note being spent by including the anchor of a Merkle tree that contains the note's commitment, and proving in zero knowledge the existence of a path from the commitment to the anchor (a witness). Valid anchors correspond to the state of the Sapling commitment tree after each block in the chain.

    -

    The choice of anchor leaks information about the note being spent, namely that the note was created no later than the anchor's block height. This is an unavoidable outcome of the Zcash design, and the least information it is possible to leak about a note being spent. However, the Sapling v4 transaction format 2 includes a separate anchor for each Sapling spend, and thus it is possible to leak additional information by using different anchors for different notes. The anchor selection choices could also be used as a fingerprint to identify transactions created by particular wallet implementations, reducing the privacy set.

    +

    The Sapling network upgrade 4 introduced new shielded inputs (spends) and outputs. Each spend proves the existence of the note being spent by including the anchor of a Merkle tree that contains the note's commitment, and proving in zero knowledge the existence of a path from the commitment to the anchor (a witness). Valid anchors correspond to the state of the Sapling commitment tree after each block in the chain.

    +

    The choice of anchor leaks information about the note being spent, namely that the note was created no later than the anchor's block height. This is an unavoidable outcome of the Zcash design, and the least information it is possible to leak about a note being spent. However, the Sapling v4 transaction format 2 includes a separate anchor for each Sapling spend, and thus it is possible to leak additional information by using different anchors for different notes. The anchor selection choices could also be used as a fingerprint to identify transactions created by particular wallet implementations, reducing the privacy set.

    Modifying the transaction format to have a single Sapling anchor field, instead of one field per Sapling spend, removes the ability (within the new transaction format version) to create transactions with this fingerprint. It also reduces the size of the transaction, costing 32 bytes per transaction instead of 32 bytes per spend.

    Specification

    diff --git a/zip-0211.html b/zip-0211.html index ddf39706..85ba392e 100644 --- a/zip-0211.html +++ b/zip-0211.html @@ -15,22 +15,22 @@ Category: Consensus Created: 2019-03-29 License: MIT

    Terminology

    -

    The key words "MUST", "SHOULD", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200 3.

    +

    The key words "MUST", "SHOULD", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. 1

    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200 3.

    The term "Sprout shielded protocol" in this document refers to the shielded payment protocol defined at the launch of the Zcash network.

    -

    The term "Sapling shielded protocol" in this document refers to the shielded payment protocol introduced in the Sapling network upgrade 4 2.

    -

    The term "Sprout chain value pool balance" in this document is to be interpreted as described in ZIP 209 5.

    +

    The term "Sapling shielded protocol" in this document refers to the shielded payment protocol introduced in the Sapling network upgrade 4 2.

    +

    The term "Sprout chain value pool balance" in this document is to be interpreted as described in ZIP 209 5.

    Abstract

    This proposal disables the ability to add new value to the Sprout chain value pool balance. This takes a step toward being able to remove the Sprout shielded protocol, thus reducing the overall complexity and attack surface of Zcash.

    Motivation

    -

    The first iteration of the Zcash network, called Sprout, provided a shielded payment protocol that was relatively closely based on the original Zerocash proposal. 8

    -

    The Sapling network upgrade 4 introduced significant efficiency and functionality improvements for shielded transactions. It is expected that over time, the use of Sapling will replace the use of Sprout in shielded transactions.

    +

    The first iteration of the Zcash network, called Sprout, provided a shielded payment protocol that was relatively closely based on the original Zerocash proposal. 8

    +

    The Sapling network upgrade 4 introduced significant efficiency and functionality improvements for shielded transactions. It is expected that over time, the use of Sapling will replace the use of Sprout in shielded transactions.

    The Sapling and Sprout shielded protocols employ different cryptographic designs. Since an adversary could potentially exploit any vulnerability in either design, supporting both presents additional risk over supporting only the newer Sapling shielded protocol.

    -

    For example, a vulnerability was discovered in the zero-knowledge proving system originally used by Zcash that could have allowed counterfeiting 9. While this particular vulnerability was addressed (also for Sprout shielded transactions) by the Sapling upgrade, and we are not aware of others at the time of writing, the possibility of other cryptographic weaknesses cannot be entirely ruled out.

    +

    For example, a vulnerability was discovered in the zero-knowledge proving system originally used by Zcash that could have allowed counterfeiting 9. While this particular vulnerability was addressed (also for Sprout shielded transactions) by the Sapling upgrade, and we are not aware of others at the time of writing, the possibility of other cryptographic weaknesses cannot be entirely ruled out.

    In addition, the Zcash specification and implementation incurs complexity and "technical debt" from the requirement to support and test both shielded payment protocols.

    -

    Removing the ability to add to the Sprout chain value pool balance, is a first step toward reducing this complexity and potential risk. This does not prevent extracting value held in Sprout addresses and sending it to transparent addresses, or to Sapling addresses via the migration tool 7.

    +

    Removing the ability to add to the Sprout chain value pool balance, is a first step toward reducing this complexity and potential risk. This does not prevent extracting value held in Sprout addresses and sending it to transparent addresses, or to Sapling addresses via the migration tool 7.

    Specification

    Consensus rule: From the relevant activation height, the vpub_old field of each JoinSplit description MUST be zero.

    @@ -47,7 +47,7 @@ License: MIT

    During the development of this proposal, alternative designs were considered that would have removed some fields of a JoinSplit description. These alternatives were abandoned for several reasons:

    • Privacy concerns raised as a consequence of preventing the use of internal change between JoinSplits, and/or change sent back to the input Sprout addresses. This would have required the total value of the input Sprout notes (or, for some considered designs, the total value of the two Sprout inputs to each JoinSplit) to be leaked. As it is, there is an unavoidable leak of the total value extracted from the Sprout value pool, but not of the sum of values of particular subsets of notes.
      • -
    • Modifications would have been needed to the design of the Sprout to Sapling migration procedure described in 7.
      • +
    • Modifications would have been needed to the design of the Sprout to Sapling migration procedure described in 7.
    • A new transaction version would have been required.
    @@ -56,7 +56,7 @@ License: MIT

    Since all clients change their behaviour at the same time from this proposal's activation height, there is no additional client distinguisher.

    Deployment

    -

    This proposal will be deployed with the Canopy network upgrade. 6

    +

    This proposal will be deployed with the Canopy network upgrade. 6

    Reference Implementation

    https://github.com/zcash/zcash/pull/4489

    diff --git a/zip-0212.html b/zip-0212.html index d5142332..bbfe42bf 100644 --- a/zip-0212.html +++ b/zip-0212.html @@ -15,37 +15,37 @@ Category: Consensus Created: 2019-03-31 License: MIT

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The following functions are defined in the Zcash Protocol Specification 2 according to the type (Sapling or Orchard) of note plaintext being processed:

    +

    The key words "MUST", "MUST NOT", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The following functions are defined in the Zcash Protocol Specification 2 according to the type (Sapling or Orchard) of note plaintext being processed:

    • let \(\mathsf{ToScalar}\) be \(\mathsf{ToScalar^{Sapling}}\) - defined in section 4.2.2 5 or + defined in section 4.2.2 5 or \(\mathsf{ToScalar^{Orchard}}\) - defined in section 4.2.3 6;
      • + defined in section 4.2.3 6;
    • let \(\mathsf{DiversifyHash}\) be \(\mathsf{DiversifyHash^{Sapling}}\) or \(\mathsf{DiversifyHash^{Orchard}}\) - defined in section 5.4.1.6 12;
      • + defined in section 5.4.1.6 12;
    • let \(\mathsf{KA}\) be \(\mathsf{KA^{Sapling}}\) - defined in section 5.4.5.3 13 or + defined in section 5.4.5.3 13 or \(\mathsf{KA^{Orchard}}\) - defined in section 5.4.5.5 14;
      • + defined in section 5.4.5.5 14;
    • let \(\mathsf{NoteCommit}\) be \(\mathsf{NoteCommit^{Sapling}}\) or \(\mathsf{NoteCommit^{Orchard}}\) - defined in section 4.1.8 4.
      • + defined in section 4.1.8 4.

    Abstract

    @@ -113,8 +113,8 @@ License: MIT .

    Specification

    -

    The specification in this ZIP is intended to be aligned with version 2021.2.16 or later of the Zcash Protocol Specification 2.

    -

    Pseudo random functions (PRFs) are defined in section 4.1.2 of the Zcash Protocol Specification 3. We will be adapting +

    The specification in this ZIP is intended to be aligned with version 2021.2.16 or later of the Zcash Protocol Specification 2.

    +

    Pseudo random functions (PRFs) are defined in section 4.1.2 of the Zcash Protocol Specification 3. We will be adapting \(\mathsf{PRF^{expand}}\) for the purposes of this ZIP. This function is keyed by a 256-bit key \(\mathsf{sk}\) @@ -122,7 +122,7 @@ License: MIT \(64\) -byte sequence as output.

    Changes to Sapling and Orchard Note plaintexts

    -

    Note plaintext encodings are specified in section 5.5 of the Zcash Protocol Specification 15. Before activation of this ZIP, the encoding of a Sapling note plaintext required that the first byte take the form +

    Note plaintext encodings are specified in section 5.5 of the Zcash Protocol Specification 15. Before activation of this ZIP, the encoding of a Sapling note plaintext required that the first byte take the form \(\mathtt{0x01}\) , indicating the version of the note plaintext. In addition, a \(256\) @@ -151,7 +151,7 @@ License: MIT field be a scalar of the Jubjub elliptic curve, when interpreted as a little endian integer, is removed from descriptions of note plaintexts in the Zcash Protocol Specification.

    Changes to the process of sending Sapling or Orchard notes

    -

    The process of sending notes is described in section 4.7.2 of the Zcash Protocol Specification for Sapling 7 and section 4.7.3 for Orchard 8. In addition, the process of encrypting a note is described (currently) in section 4.19.1 of the Zcash Protocol Specification 9. Prior to activation of this ZIP, the sender sampled +

    The process of sending notes is described in section 4.7.2 of the Zcash Protocol Specification for Sapling 7 and section 4.7.3 for Orchard 8. In addition, the process of encrypting a note is described (currently) in section 4.19.1 of the Zcash Protocol Specification 9. Prior to activation of this ZIP, the sender sampled \(\mathsf{rcm^{new}}\) and the ephemeral private key \(\mathsf{esk}\) @@ -178,10 +178,10 @@ License: MIT \(\mathsf{ToScalar}(\mathsf{PRF^{expand}_{rseed}}([5]))\) . -

    For Orchard, an encoding of ρ is appended to these PRF inputs, as specified in section 4.7.3 of the Zcash Protocol Specification 8.

    +

    For Orchard, an encoding of ρ is appended to these PRF inputs, as specified in section 4.7.3 of the Zcash Protocol Specification 8.

    Changes to the process of receiving Sapling or Orchard notes

    -

    The process of receiving notes in Sapling is described in sections 4.19.2 and 4.19.3 of the Zcash Protocol Specification. 10 11

    +

    The process of receiving notes in Sapling is described in sections 4.19.2 and 4.19.3 of the Zcash Protocol Specification. 10 11

    There is a "grace period" of 32256 blocks starting from the block at which this ZIP activates, during which note plaintexts with lead byte \(\mathtt{0x01}\) MUST still be accepted.

    @@ -223,11 +223,11 @@ License: MIT , failing decryption if this check is not satisfied. For Orchard, an encoding of ρ is appended to the PRF inputs, as for encryption.

    Consensus rule change for coinbase transactions

    -

    After the activation of this ZIP, any Sapling output of a coinbase transaction that is decrypted to a note plaintext as specified in 17, MUST have note plaintext lead byte equal to +

    After the activation of this ZIP, any Sapling output of a coinbase transaction that is decrypted to a note plaintext as specified in 17, MUST have note plaintext lead byte equal to \(\mathtt{0x02}\) .

    -

    This applies even during the “grace period”, and also applies to funding stream outputs 16 sent to shielded payment addresses, if there are any.

    -

    Since NU5 activates after the end of the grace period 19, Orchard outputs will always require a note plaintext lead byte equal to +

    This applies even during the “grace period”, and also applies to funding stream outputs 16 sent to shielded payment addresses, if there are any.

    +

    Since NU5 activates after the end of the grace period 19, Orchard outputs will always require a note plaintext lead byte equal to \(\mathtt{0x02}\) .

    @@ -253,7 +253,7 @@ License: MIT that were sent conformantly and not mined before the upgrade.

    Historical note: in practice some note plaintexts with lead byte \(\mathtt{0x01}\) - were non-conformantly sent even after the end of the specified grace period. ZecWallet extended its implementation of the grace period by a further 161280 blocks (approximately 20 weeks) in order to allow for recovery of these funds 20.

    + were non-conformantly sent even after the end of the specified grace period. ZecWallet extended its implementation of the grace period by a further 161280 blocks (approximately 20 weeks) in order to allow for recovery of these funds 20.

    Security and Privacy Considerations

    The changes made in this proposal prevent an interactive attack that could link together diversified addresses by only breaking the knowledge soundness assumption of the zk-SNARK. It is already assumed that the adversary cannot defeat the EC-DDH assumption of the Jubjub (or Pallas) elliptic curve, for it could perform a linkability attack trivially in that case.

    @@ -264,7 +264,7 @@ License: MIT ) this would lead to an instance of key-dependent encryption, which is difficult or perhaps impossible to prove secure using existing security notions. Our approach of using a key derivation, which ultimately queries an oracle, allows a proof for IND-CCA2 security to be written by reprogramming the oracle to return bogus keys when necessary.

    Deployment

    -

    This proposal will be deployed with the Canopy network upgrade. 18

    +

    This proposal will be deployed with the Canopy network upgrade. 18

    Reference Implementation

    In zcashd:

    diff --git a/zip-0213.html b/zip-0213.html index c7f383f9..b3c5736d 100644 --- a/zip-0213.html +++ b/zip-0213.html @@ -14,18 +14,18 @@ Category: Consensus Created: 2019-03-30 License: MIT

    Terminology

    -

    The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200 2.

    -

    The term "Sapling" in this document is to be interpreted as described in ZIP 205 3.

    -

    The terms "Founders' Reward" and "funding stream" in this document are to be interpreted as described in ZIP 207 4.

    +

    The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200 2.

    +

    The term "Sapling" in this document is to be interpreted as described in ZIP 205 3.

    +

    The terms "Founders' Reward" and "funding stream" in this document are to be interpreted as described in ZIP 207 4.

    Abstract

    This proposal defines modifications to the Zcash consensus rules that enable coinbase funds to be mined to Sapling (and later Orchard) addresses. It does not disable the use of transparent addresses in coinbase transactions.

    Motivation

    -

    Zcash inherited the concept of "coinbase transactions" from Bitcoin: special transactions inside each block that are allowed to have no inputs. These transactions are created by miners during block creation, and collect the block reward and transaction fees into new transparent outputs that can then be spent. They are also leveraged in Zcash for the Founders' Reward (and potentially for funding streams 4).

    +

    Zcash inherited the concept of "coinbase transactions" from Bitcoin: special transactions inside each block that are allowed to have no inputs. These transactions are created by miners during block creation, and collect the block reward and transaction fees into new transparent outputs that can then be spent. They are also leveraged in Zcash for the Founders' Reward (and potentially for funding streams 4).

    On the path to deprecating and removing Bitcoin-inherited transparent addresses within the Zcash network, a required step is to be able to create coinbase transactions that have no transparent outputs. However, Zcash was launched with a consensus rule preventing coinbase transactions from containing shielded outputs, instead enforcing that coinbase funds could not be spent in transactions with transparent outputs. This was partly in order to reduce the complexity of the original Zcash modifications to the Bitcoin Core codebase, but also because at the time, shielded transactions required significant memory and CPU resources to create.

    -

    The Sapling network upgrade 3 deployed architectural changes and performance improvements that make shielding funds directly in the coinbase transaction feasible. In order to reduce the complexity of the Sapling network upgrade, the existing consensus rules preventing coinbase transactions from containing shielded outputs were extended to cover Sapling outputs. Therefore, it is now necessary to modify the consensus rules in order to enable miners to start using Sapling addresses. It will also be possible for miners to use Orchard addresses starting from activation of the NU5 upgrade 6.

    +

    The Sapling network upgrade 3 deployed architectural changes and performance improvements that make shielding funds directly in the coinbase transaction feasible. In order to reduce the complexity of the Sapling network upgrade, the existing consensus rules preventing coinbase transactions from containing shielded outputs were extended to cover Sapling outputs. Therefore, it is now necessary to modify the consensus rules in order to enable miners to start using Sapling addresses. It will also be possible for miners to use Orchard addresses starting from activation of the NU5 upgrade 6.

    Specification

    Prior to activation of the Heartwood network upgrade, this existing consensus rule on coinbase transactions is enforced:

    @@ -71,7 +71,7 @@ License: MIT

    Revealing the coinbase output notes does not enable anyone else to detect when the note is spent, which removes the need for a separate shielding step like is enforced for transparent coinbase outputs.

    Deployment

    -

    This proposal will be deployed with the Heartwood network upgrade. 5

    +

    This proposal will be deployed with the Heartwood network upgrade. 5

    Reference Implementation

    https://github.com/zcash/zcash/pull/4256

    diff --git a/zip-0214.html b/zip-0214.html index efa036e2..ca7e42f6 100644 --- a/zip-0214.html +++ b/zip-0214.html @@ -15,13 +15,13 @@ Created: 2020-02-28 License: MIT Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polling-results-nu4-and-draft-zip-1014/35560>

    Terminology

    -

    The key words "MUST", "SHALL", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "Zcash" in this document is to be interpreted as described in the Zcash Trademark Donation and License Agreement (6 or successor agreement).

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200 8 and the Zcash Trademark Donation and License Agreement (6 or successor agreement).

    -

    The term "block subsidy" in this document is to be interpreted as described in section 3.10 of the Zcash Protocol Specification 3.

    -

    The term "halving" in this document are to be interpreted as described in sections 7.8 of the Zcash Protocol Specification 5.

    -

    The terms "Bootstrap Project" (or "BP"), "Electric Coin Company" (or "ECC"), "Zcash Foundation" (or "ZF"), "Major Grants", "BP slice", "ZF slice", and "MG slice" in this document are to be interpreted as described in ZIP 1014 12.

    -

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 4.

    +

    The key words "MUST", "SHALL", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The term "Zcash" in this document is to be interpreted as described in the Zcash Trademark Donation and License Agreement (6 or successor agreement).

    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200 8 and the Zcash Trademark Donation and License Agreement (6 or successor agreement).

    +

    The term "block subsidy" in this document is to be interpreted as described in section 3.10 of the Zcash Protocol Specification 3.

    +

    The term "halving" in this document are to be interpreted as described in sections 7.8 of the Zcash Protocol Specification 5.

    +

    The terms "Bootstrap Project" (or "BP"), "Electric Coin Company" (or "ECC"), "Zcash Foundation" (or "ZF"), "Major Grants", "BP slice", "ZF slice", and "MG slice" in this document are to be interpreted as described in ZIP 1014 12.

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 4.

    "Canopy" is the code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4.

    Abstract

    @@ -31,7 +31,7 @@ Discussions-To: <

    Motivation

    -

    Motivation for the Zcash Development Fund itself is considered in ZIP 1014 12, which gives a high-level description of the intended structure of the fund.

    +

    Motivation for the Zcash Development Fund itself is considered in ZIP 1014 12, which gives a high-level description of the intended structure of the fund.

    An important motivation for describing the consensus rules in a separate ZIP is to avoid making unintended changes to ZIP 1014, which has already been agreed between ECC, ZF, and the Zcash community. This facilitates critically assessing whether the consensus rule changes accurately reflect the intent of ZIP 1014.

    Requirements

    @@ -42,9 +42,9 @@ Discussions-To: <

    Specification

    -

    The Blossom network upgrade changed the height of the first halving to block height 1046400 10, as a consequence of reducing the block target spacing from 150 seconds to 75 seconds.

    +

    The Blossom network upgrade changed the height of the first halving to block height 1046400 10, as a consequence of reducing the block target spacing from 150 seconds to 75 seconds.

    Since ZIP 1014 specifies that the Zcash Development Fund starts at the first halving, the activation height of Canopy on Mainnet therefore SHALL be 1046400.

    -

    ZIP 207 9 SHALL be activated in Canopy.

    +

    ZIP 207 9 SHALL be activated in Canopy.

    The following funding streams are defined for Mainnet:

    @@ -82,7 +82,7 @@ Discussions-To: <9, a funding stream is active for a span of blocks that includes the block at its start height, but excludes the block at its end height.

    +

    As specified in 9, a funding stream is active for a span of blocks that includes the block at its start height, but excludes the block at its end height.

    The following funding streams are defined for Testnet:

    @@ -132,10 +132,10 @@ Discussions-To: <12.

    +

    Funds sent to each Mainnet funding stream SHALL be governed by all requirements on the corresponding slice specified in ZIP 1014 12.

    No requirements are imposed on the use of funds sent to Testnet funding streams.

    Direct-grant option

    -

    ZIP 1014 specifies a "direct-grant option" by which, if agreed upon by both ECC and ZF before Canopy activation, some portion of the MG slice may be directly assigned to the grantee(s), rather than accepted and disbursed by ZF. 12

    +

    ZIP 1014 specifies a "direct-grant option" by which, if agreed upon by both ECC and ZF before Canopy activation, some portion of the MG slice may be directly assigned to the grantee(s), rather than accepted and disbursed by ZF. 12

    The funding stream mechanism allows for this option by adding a funding stream corresponding to each direct grantee, with addresses generated by ZF. In this case the total value of funding streams assigned to direct grantees MUST be subtracted from the value of the funding stream for the remaining MG slice (or, if all Major Grants are direct, replace the funding stream for the MG slice).

    For each network upgrade after Canopy requiring modifications to the set of direct grantees, a separate ZIP SHOULD be published specifying those modifications.

    @@ -259,12 +259,12 @@ FS_ZIP214_MG.AddressList[0..50] = ["t2Gvxv2uNM7hbbACjNox4H6DjByoKZ2Fa3P"] * 51

    Rationale

    -

    The rationale for ZF generating the addresses for the FS_ZIP214_MG funding stream is that ZF is the financial recipient of the MG slice as specified in ZIP 1014. 12

    +

    The rationale for ZF generating the addresses for the FS_ZIP214_MG funding stream is that ZF is the financial recipient of the MG slice as specified in ZIP 1014. 12

    Generation of recipient addresses for Testnet is specified to be done by the same parties as on Mainnet, in order to allow practicing each party's security procedures.

    It was judged to be unnecessary to have a mechanism to update funding stream definitions (in case of security breach or changes to direct grant recipients) other than at network upgrades.

    Deployment

    -

    This proposal is intended to be deployed with Canopy. 11

    +

    This proposal is intended to be deployed with Canopy. 11

    References

    diff --git a/zip-0215.html b/zip-0215.html index 97e1e0a9..9e939ba0 100644 --- a/zip-0215.html +++ b/zip-0215.html @@ -15,19 +15,19 @@ Category: Consensus Created: 2020-04-27 License: BSD-2-Clause

    Terminology

    -

    The key words "MUST" and "MUST NOT" in this document is to be interpreted as described in RFC 2119. 1

    +

    The key words "MUST" and "MUST NOT" in this document is to be interpreted as described in RFC 2119. 1

    Abstract

    -

    Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 2 need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature validity from an obsolete version of libsodium. Instead, this ZIP settles the situation by explicitly defining the Ed25519 validity criteria and changing them to be compatible with batch validation.

    +

    Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 2 need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature validity from an obsolete version of libsodium. Instead, this ZIP settles the situation by explicitly defining the Ed25519 validity criteria and changing them to be compatible with batch validation.

    Motivation

    -

    The lack of clear validity criteria for Ed25519 signatures poses a maintenance burden. The initial implementation of Zcash consensus in zcashd inherited validity criteria from a then-current version of libsodium (1.0.15). Due to a bug in libsodium, this was different from the intended criteria documented in the Zcash protocol specification 3 (before the specification was changed to match libsodium 1.0.15 in specification version 2020.1.2). Also, libsodium never guaranteed stable validity criteria, and changed behavior in a later point release. This forced zcashd to use an older version of the library before eventually patching a newer version to have consistent validity criteria. To be compatible, Zebra had to implement a special library, ed25519-zebra to provide Zcash-flavored Ed25519, attempting to match libsodium 1.0.15 exactly. And the initial attempt to implement ed25519-zebra was also incompatible, because it precisely matched the wrong compile-time configuration of libsodium.

    +

    The lack of clear validity criteria for Ed25519 signatures poses a maintenance burden. The initial implementation of Zcash consensus in zcashd inherited validity criteria from a then-current version of libsodium (1.0.15). Due to a bug in libsodium, this was different from the intended criteria documented in the Zcash protocol specification 3 (before the specification was changed to match libsodium 1.0.15 in specification version 2020.1.2). Also, libsodium never guaranteed stable validity criteria, and changed behavior in a later point release. This forced zcashd to use an older version of the library before eventually patching a newer version to have consistent validity criteria. To be compatible, Zebra had to implement a special library, ed25519-zebra to provide Zcash-flavored Ed25519, attempting to match libsodium 1.0.15 exactly. And the initial attempt to implement ed25519-zebra was also incompatible, because it precisely matched the wrong compile-time configuration of libsodium.

    In addition, the validity criteria used by Zcash preclude the use of batch validation of Ed25519 signatures. While signature validation is not the primary bottleneck for Zcash, it would be nice to be able to batch-validate signatures, as is the case for RedJubjub.

    Specification

    After activation of this ZIP, the \(\mathsf{JoinSplitSig}\) - validation rules in 5 are changed to the following:

    + validation rules in 5 are changed to the following:

    • \(\underline{A}\) @@ -51,11 +51,11 @@ License: BSD-2-Clause \(k\) and \(B\) - are defined as in RFC 8032 sections §5.1.7 and §5.1 respectively. 2
      • + are defined as in RFC 8032 sections §5.1.7 and §5.1 respectively. 2

    The language about \(\mathsf{ExcludedPointEncodings}\) - in §5.4.5 of the Zcash specification 5 no longer applies.

    + in §5.4.5 of the Zcash specification 5 no longer applies.

    It is not required that \(\underline{A}\) and @@ -77,7 +77,7 @@ License: BSD-2-Clause

    This change has no effect on honestly-generated signatures. Unlike the current validation rules, it makes it possible for a user to generate weak signing keys or to generate signing keys with nonzero torsion component and submit them to the blockchain. However, doing so provides them with no advantage, only compromise to their own security. Moreover, these cases are not a failure mode of any deployed implementation.

    Deployment

    -

    This is intended to be deployed with the Canopy Network Upgrade 6, which is scheduled to activate on Mainnet 4 at block height 1046400.

    +

    This is intended to be deployed with the Canopy Network Upgrade 6, which is scheduled to activate on Mainnet 4 at block height 1046400.

    References

    diff --git a/zip-0216.html b/zip-0216.html index b7a83a1a..bf58b297 100644 --- a/zip-0216.html +++ b/zip-0216.html @@ -17,15 +17,15 @@ Created: 2021-02-11 License: MIT Discussions-To: <https://github.com/zcash/zips/issues/400>

    Terminology

    -

    The key word "MUST" in this document is to be interpreted as described in RFC 2119. 1

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 12

    +

    The key word "MUST" in this document is to be interpreted as described in RFC 2119. 1

    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 12

    Abstract

    This ZIP fixes an oversight in the implementation of the Sapling consensus rules, by rejecting all non-canonical representations of Jubjub points.

    Motivation

    -

    The Sapling specification was originally written with the intent that all values, including Jubjub points, are strongly typed with canonical representations. 6 This has significant advantages for security analysis, because it allows the protocol to be modelled with just the abstract types.

    -

    The intention of the Jubjub implementation (both in the jubjub crate 15 and its prior implementations) was to ensure that only canonical point encodings would be accepted by the decoding logic. However, an oversight in the implementation allowed an edge case to slip through: for each point on the curve where the +

    The Sapling specification was originally written with the intent that all values, including Jubjub points, are strongly typed with canonical representations. 6 This has significant advantages for security analysis, because it allows the protocol to be modelled with just the abstract types.

    +

    The intention of the Jubjub implementation (both in the jubjub crate 15 and its prior implementations) was to ensure that only canonical point encodings would be accepted by the decoding logic. However, an oversight in the implementation allowed an edge case to slip through: for each point on the curve where the \(u\!\) -coordinate is zero, there are two encodings that will be accepted:

    // Fix the sign of `u` if necessary
@@ -58,7 +58,7 @@ Discussions-To: <https://g
                 \(\mathsf{repr}_{\mathbb{J}}\)
             , and
                 \(q_{\mathbb{J}}\)
-             be as defined in 6.
    
+             be as defined in 6.
    
             
    Define a non-canonical compressed encoding of a Jubjub point to be a sequence of
                 \(256\)
              bits,
@@ -80,7 +80,7 @@ Discussions-To: <https://g
                 \(\mathtt{0x80}\)
              byte.
    
             
    Once this ZIP activates, the following places within the Sapling consensus protocol where Jubjub points occur MUST reject non-canonical Jubjub point encodings.
    
-            
    In Sapling Spend descriptions 3:
    
+            
    In Sapling Spend descriptions 3:
    
             
    
                 
             
    
-            
    In transactions 10:
    
+            
    In transactions 10:
    
             
    
                 
      
                     
    • the
@@ -106,7 +106,7 @@ Discussions-To: <https://g
             
    
             
    In the plaintext obtained by decrypting the
                 \(\mathsf{C^{out}}\)
-             field of a Sapling transmitted note ciphertext 5:
    
+             field of a Sapling transmitted note ciphertext 5:
    
             
    
                 
    
             
    (This affects decryption of
                 \(\mathsf{C^{out}}\)
-             in all cases, but is consensus-critical only in the case of a shielded coinbase output. 10)
    
+             in all cases, but is consensus-critical only in the case of a shielded coinbase output. 10)
    
             
    There are some additional fields in the consensus protocol that encode Jubjub points, but where non-canonical encodings MUST already be rejected as a side-effect of existing consensus rules.
    
             
    In Sapling Spend descriptions:
    
             
    
@@ -129,7 +129,7 @@ Discussions-To: <https://g
                     
                 
             
    
-            
    In Sapling Output descriptions 4:
    
+            
    In Sapling Output descriptions 4:

    Rationale

    -

    Zcash previously had a similar issue with non-canonical representations of points in Ed25519 public keys and signatures. In that case, given the prevalence of Ed25519 signatures in the wider ecosystem, the decision was made in ZIP 215 13 (which activated with the Canopy network upgrade 14) to allow non-canonical representations of points.

    +

    Zcash previously had a similar issue with non-canonical representations of points in Ed25519 public keys and signatures. In that case, given the prevalence of Ed25519 signatures in the wider ecosystem, the decision was made in ZIP 215 13 (which activated with the Canopy network upgrade 14) to allow non-canonical representations of points.

    In Sapling, we are motivated instead to reject these non-canonical points:

    Security and Privacy Considerations

    This ZIP eliminates a potential source of consensus divergence between differing full node implementations. At the time of writing (February 2021), no such divergence exists for any production implementation of Zcash, but the alpha-stage zebrad node implementation would be susceptible to this issue.

    diff --git a/zip-0221.html b/zip-0221.html index 2d89bdb7..a03cc5dc 100644 --- a/zip-0221.html +++ b/zip-0221.html @@ -18,8 +18,8 @@ Category: Consensus Created: 2019-03-30 License: MIT

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. 8

    +

    The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. 8

    Light client
    A client that is not a full participant in the network of Zcash peers. It can send and receive payments, but does not store or validate a copy of the block chain.
    @@ -40,7 +40,7 @@ License: MIT

    Abstract

    -

    This ZIP specifies modifications to the Zcash block header semantics and consensus rules in order to support the probabilistic verification FlyClient protocol 2. The hashFinalSaplingRoot commitment in the block header is replaced with a commitment to the root of a Merkle Mountain Range (MMR), that in turn commits to various features of the chain's history, including the Sapling commitment tree.

    +

    This ZIP specifies modifications to the Zcash block header semantics and consensus rules in order to support the probabilistic verification FlyClient protocol 2. The hashFinalSaplingRoot commitment in the block header is replaced with a commitment to the root of a Merkle Mountain Range (MMR), that in turn commits to various features of the chain's history, including the Sapling commitment tree.

    Background

    An MMR is a Merkle tree which allows for efficient appends, proofs, and verifications. Informally, appending data to an MMR consists of creating a new leaf and then iteratively merging neighboring subtrees with the same size. This takes at most @@ -48,7 +48,7 @@ License: MIT operations and only requires knowledge of the previous subtree roots, of which there are fewer than \(\log(n)\) .

    -

    (example adapted from 6) To illustrate this, consider a list of 11 leaves. We first construct the biggest perfect binary subtrees possible by joining any balanced sibling trees that are the same size. We do this starting from the left to the right, adding a parent as soon as 2 children exist. This leaves us with three subtrees ("mountains") of altitudes 3, 1, and 0:

    +

    (example adapted from 6) To illustrate this, consider a list of 11 leaves. We first construct the biggest perfect binary subtrees possible by joining any balanced sibling trees that are the same size. We do this starting from the left to the right, adding a parent as soon as 2 children exist. This leaves us with three subtrees ("mountains") of altitudes 3, 1, and 0:

       /\
   /  \
  /\  /\
@@ -151,7 +151,7 @@ License: MIT

    MMR trees allow for efficient incremental set update operations (push, pop, prune). In addition, MMR update operations and Merkle proofs for recent additions to the leaf set are more efficient than other incremental Merkle tree implementations (e.g. Bitcoin's padded leafset, sparse Merkle trees, and Zcash's incremental note commitment trees).

    Motivation

    -

    MMR proofs are used in the FlyClient protocol 2, to reduce the proof size needed for light clients to verify:

    +

    MMR proofs are used in the FlyClient protocol 2, to reduce the proof size needed for light clients to verify:

    • the validity of a block chain received from a full node, and
    • the inclusion of a block @@ -171,7 +171,7 @@ License: MIT

      ( \(x\) is the activation height of the preceding network upgrade.)

      -

      FlyClient reduces the number of block headers needed for light client verification of a valid chain, from linear (as in the current reference protocol) to logarithmic in block chain length. This verification is correct with high probability. It also allows creation of subtree proofs, so light clients need only check blocks later than the most recently verified block index. Following that, verification of a transaction inclusion within that block follows the usual reference protocol 13.

      +

      FlyClient reduces the number of block headers needed for light client verification of a valid chain, from linear (as in the current reference protocol) to logarithmic in block chain length. This verification is correct with high probability. It also allows creation of subtree proofs, so light clients need only check blocks later than the most recently verified block index. Following that, verification of a transaction inclusion within that block follows the usual reference protocol 13.

      A smaller proof size could enable the verification of Zcash SPV Proofs in block-chain protocols such as Ethereum, enabling efficient cross-chain communication and pegs. It also reduces bandwidth and storage requirements for resource-limited clients like mobile or IoT devices.

    Specification

    @@ -196,7 +196,7 @@ License: MIT \(x\) is defined as above. We extend the standard MMR to allow metadata to propagate upwards through the tree by either summing the metadata of both children, or inheriting the metadata of a specific child as necessary. This allows us to create efficient proofs of selected properties of a range of blocks without transmitting the entire range of blocks or headers.

    Tree Node specification

    -

    Unless otherwise noted, all hashes use BLAKE2b-256 with the personalization field set to 'ZcashHistory' || CONSENSUS_BRANCH_ID. CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the commitment. 8 Which is to say, each node in the tree commits to the consensus branch that produced it.

    +

    Unless otherwise noted, all hashes use BLAKE2b-256 with the personalization field set to 'ZcashHistory' || CONSENSUS_BRANCH_ID. CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the commitment. 8 Which is to say, each node in the tree commits to the consensus branch that produced it.

    Each MMR node is defined as follows:

    1. hashSubtreeCommitment @@ -287,7 +287,7 @@ License: MIT
      Leaf node
      The protocol-defined work of the block: \(\mathsf{floor}(2^{256} / (\mathsf{ToTarget}(\mathsf{nBits}) + 1))\) - . 4
      + . 4
      Internal or root node

      The sum of the nSubTreeTotalWork fields of both children.

      @@ -357,7 +357,7 @@ License: MIT

      Serialized as CompactSize uint.

    -

    The fields marked "[NU5 onward]" are omitted before NU5 activation 11.

    +

    The fields marked "[NU5 onward]" are omitted before NU5 activation 11.

    Each node, when serialized, is between 147 and 171 bytes long (between 212 and 244 bytes after NU5 activation). The canonical serialized representation of a node is used whenever creating child commitments for future nodes. Other than the metadata commitments, the MMR tree's construction is standard.

    Once the MMR has been generated, we produce hashChainHistoryRoot, which we define as the BLAKE2b-256 digest of the serialization of the root node.

    @@ -393,8 +393,8 @@ License: MIT def from_block(Z, block: ZcashBlock) -> ZcashMMRNode: '''Create a leaf node from a block''' return Z( - left_child=None, - right_child=None, + left_child=None, + right_child=None, hashSubtreeCommitment=block.header_hash, nEarliestTimestamp=block.timestamp, nLatestTimestamp=block.timestamp, @@ -424,7 +424,7 @@ License: MIT + serialize_compact_uint(self.nEarliestHeight) + serialize_compact_uint(self.nLatestHeight) + serialize_compact_uint(self.nSaplingTxCount)) - if hashEarliestOrchardRoot is not None: + if hashEarliestOrchardRoot is not None: buf += (hashEarliestOrchardRoot + hashLatestOrchardRoot + serialize_compact_uint(self.nOrchardTxCount)) @@ -452,8 +452,8 @@ License: MIT hashEarliestOrchardRoot=left_child.orchard_root, hashLatestOrchardRoot=right_child.orchard_root, nOrchardTxCount=(left_child.nOrchardTxCount + right_child.nOrchardTxCount - if left_child.nOrchardTxCount is not None and right_child.nOrchardTxCount is not None - else None), + if left_child.nOrchardTxCount is not None and right_child.nOrchardTxCount is not None + else None), consensusBranchId=left_child.consensusBranchId) def make_root_commitment(root: ZcashMMRNode) -> bytes: @@ -465,7 +465,7 @@ License: MIT \(B_n\) , we append a new MMR leaf node corresponding to block \(B_{n-1}\) - . The append operation is detailed below in pseudocode (adapted from 2):

    + . The append operation is detailed below in pseudocode (adapted from 2):

    def get_peaks(node: ZcashMMRNode) -> List[ZcashMMRNode]:
     peaks: List[ZcashMMRNode] = []
 
@@ -553,9 +553,9 @@ License: MIT
    return new_root

    Block header semantics and consensus rules

    -

    The following specification is accurate before NU5 activation. See 9 for header field changes in NU5.

    -

    The hashFinalSaplingRoot block header field (which was named hashReserved prior to the Sapling network upgrade) is renamed to hashLightClientRoot, to reflect its usage by light clients. (In NU5, this field is renamed again to hashBlockCommitments as specified in 9.)

    -

    Prior to activation of the network upgrade that deploys this ZIP, this existing consensus rule on block headers (adjusted for the renamed field) is enforced: 3

    +

    The following specification is accurate before NU5 activation. See 9 for header field changes in NU5.

    +

    The hashFinalSaplingRoot block header field (which was named hashReserved prior to the Sapling network upgrade) is renamed to hashLightClientRoot, to reflect its usage by light clients. (In NU5, this field is renamed again to hashBlockCommitments as specified in 9.)

    +

    Prior to activation of the network upgrade that deploys this ZIP, this existing consensus rule on block headers (adjusted for the renamed field) is enforced: 3

    [Sapling onward] hashLightClientRoot MUST be \(\mathsf{LEBS2OSP}_{256}(\mathsf{rt})\) @@ -625,7 +625,7 @@ License: MIT

    Header Format Change

    The primary goal of the original authors was to minimize header changes; in particular, they preferred not to introduce changes that could affect mining hardware or embedded software. Altering the block header format would require changes throughout the ecosystem, so we decided against adding hashChainHistoryRoot to the header as a new field.

    -

    ZIP 301 states that "[Miner client software] SHOULD alert the user upon receiving jobs containing block header versions they do not know about or support, and MUST ignore such jobs." 12 As the only formally defined block header version is 4, any header version change requires changes to miner client software in order for miners to handle new jobs from mining pools. We therefore do not alter the block version for this semantic change. This does not make block headers ambiguous to interpret, because blocks commit to their block height inside their coinbase transaction, 7 and they are never handled in a standalone context (unlike transactions, which exist in the mempool outside of blocks).

    +

    ZIP 301 states that "[Miner client software] SHOULD alert the user upon receiving jobs containing block header versions they do not know about or support, and MUST ignore such jobs." 12 As the only formally defined block header version is 4, any header version change requires changes to miner client software in order for miners to handle new jobs from mining pools. We therefore do not alter the block version for this semantic change. This does not make block headers ambiguous to interpret, because blocks commit to their block height inside their coinbase transaction, 7 and they are never handled in a standalone context (unlike transactions, which exist in the mempool outside of blocks).

    Replacing hashFinalSaplingRoot with hashChainHistoryRoot does introduce the theoretical possibility of an attack where a miner constructs a Sapling commitment tree update that results in the same 32-byte value as the MMR root. We don't consider this a realistic attack, both because the adversary would need to find a preimage over 32 layers of Pedersen hash, and because light clients already need to update their code to include the consensus branch ID for the Heartwood network upgrade, and can simultaneously make changes to not rely on the value of this header field being the Sapling tree root.

    We also considered putting hashChainHistoryRoot in the hashPrevBlock field as it commits to the entire chain history, but quickly realized it would require massive refactoring of the existing code base and would negatively impact performance. Reorgs in particular are fragile, performance-critical, and rely on backwards iteration over the chain history. If a chain were to be designed from scratch there may be some efficient implementation that would join these commitments, but it is clearly not appropriate for Zcash as it exists.

    The calculation of hashChainHistoryRoot is not well-defined for the genesis block, since then @@ -641,11 +641,11 @@ License: MIT

    Generally, header commitments have no impact on privacy. However, FlyClient has additional security and privacy implications. Because FlyClient is a motivating factor for this ZIP, it seems prudent to include a brief overview. A more in-depth security analysis of FlyClient should be performed before designing a FlyClient-based light client ecosystem for Zcash.

    FlyClient, like all light clients, requires a connection to a light client server. That server may collect information about client requests, and may use that information to attempt to deanonymize clients. However, because FlyClient proofs are non-interactive and publicly verifiable, they could be shared among many light clients after the initial server interaction.

    FlyClient proofs are probabilistic. When properly constructed, there is negligible probability that a dishonest chain commitment will be accepted by the verifier. The security analysis assumes adversary mining power is bounded by a known fraction of combined mining power of honest nodes, and cannot drop or tamper with messages between client and full nodes. It also assumes the client is connected to at least one full node and knows the genesis block.

    -

    In addition, 2 only analyses these security properties in chain models with slowly adjusting difficulty, such as Bitcoin. That paper leaves their analysis in chains with rapidly adjusting difficulty –such as Zcash or Ethereum– as an open problem, and states that the FlyClient protocol provides only heuristic security guarantees in that case. However, as mentioned in FlyClient Requirements and Recommendations, additional commitments allowing light clients to reason about application of the difficulty adjustment algorithm were added in discussion with an author of the FlyClient paper. The use of these fields has not been analysed in the academic security literature. It would be possible to update them in a future network upgrade if further security analysis were to find any deficiencies.

    +

    In addition, 2 only analyses these security properties in chain models with slowly adjusting difficulty, such as Bitcoin. That paper leaves their analysis in chains with rapidly adjusting difficulty –such as Zcash or Ethereum– as an open problem, and states that the FlyClient protocol provides only heuristic security guarantees in that case. However, as mentioned in FlyClient Requirements and Recommendations, additional commitments allowing light clients to reason about application of the difficulty adjustment algorithm were added in discussion with an author of the FlyClient paper. The use of these fields has not been analysed in the academic security literature. It would be possible to update them in a future network upgrade if further security analysis were to find any deficiencies.

    Deployment

    -

    On the Zcash Mainnet and Testnet, this proposal will be deployed with the Heartwood network upgrade. 10

    -

    Additional fields are added on activation of the NU5 network upgrade 11, to support the new Orchard shielded protocol.

    +

    On the Zcash Mainnet and Testnet, this proposal will be deployed with the Heartwood network upgrade. 10

    +

    Additional fields are added on activation of the NU5 network upgrade 11, to support the new Orchard shielded protocol.

    Additional Reading

      diff --git a/zip-0222.html b/zip-0222.html index 657fbc63..949fe4ec 100644 --- a/zip-0222.html +++ b/zip-0222.html @@ -18,17 +18,17 @@ Category: Consensus Created: 2019-07-01 License: MIT

      Terminology

      -

      The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      -

      The term "network upgrade" in this document is to be interpreted as described in ZIP 200 6.

      +

      The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      +

      The term "network upgrade" in this document is to be interpreted as described in ZIP 200 6.

      The term "prefix-free" in this document is to be interpreted as to mean that no valid encoding of a value may have the same binary representation as any prefix of the binary encoding of another value of the same type.

      -

      The term "non-malleable" in this document is to be interpreted as described in ZIP 244 7.

      -

      The value MAX_MONEY is as defined in section 5.3 of the Zcash Protocol Specification 3.

      +

      The term "non-malleable" in this document is to be interpreted as described in ZIP 244 7.

      +

      The value MAX_MONEY is as defined in section 5.3 of the Zcash Protocol Specification 3.

      Abstract

      This proposal defines a modification to the consensus rules that enables complex forms of transparent output preconditions to be deployed in network upgrades. This in turn enables the creation of "transparent Zcash extensions" that augment the network's functionality in a carefully-defined and auditable fashion.

      Motivation

      -

      Zcash supports a limited set of preconditions that may be imposed upon how funds, both transparent and shielded, may be spent. Spending limitations on transparent funds are defined by what may be encoded in Bitcoin script, and spending of shielded funds is even more restricted. As such, some use cases (for example, integration of BOLT support 9) are not yet supportable.

      +

      Zcash supports a limited set of preconditions that may be imposed upon how funds, both transparent and shielded, may be spent. Spending limitations on transparent funds are defined by what may be encoded in Bitcoin script, and spending of shielded funds is even more restricted. As such, some use cases (for example, integration of BOLT support 9) are not yet supportable.

      Transparent Zcash Extensions are intended to make it possible to incrementally add new functionality without modifying interpretation of the existing Bitcoin script, which is complex and potentially error-prone. Extensions may also serve as laboratories for evaluating demand for functionality which may eventually be candidates for inclusion in the consensus rules for shielded transactions.

      Definitions

      @@ -249,7 +249,7 @@ License: MIT
    • Non-coinbase transactions MUST have at least one of the following: - nonempty transparent inputs - nonempty shielded inputs - nonempty tze_inputs

    The above rule replaces [Sapling onward] At least one of tx_in_count, -nShieldedSpend, and nJoinSplit MUST be nonzero in 4.

    +nShieldedSpend, and nJoinSplit MUST be nonzero in 4.

    • Transactions MUST have at least one of the following: - nonempty transparent outputs - nonempty shielded outputs - nonempty tze_outputs
    • All amount field values of tze_output records MUST be nonnegative and not greater than MAX_MONEY.
      • @@ -257,8 +257,8 @@ nShieldedSpend, and nJoinSplit MUST be nonzero in

      Changes to signatures over transaction digests

      -

      This ZIP MUST be deployed in conjunction with or after ZIP 244 7, which defines new non-malleable transaction identifier and signature digest algorithms.

      -

      The newly added parts of the transaction, excluding witness information (i.e. not the witness fields of TZE Input Encodings), will be included in transaction digests for transaction identifiers and signatures. See ZIP 245 8 for the specification of these new digests. If the changes in this ZIP are deployed, those described in ZIP 245 MUST be deployed as well.

      +

      This ZIP MUST be deployed in conjunction with or after ZIP 244 7, which defines new non-malleable transaction identifier and signature digest algorithms.

      +

      The newly added parts of the transaction, excluding witness information (i.e. not the witness fields of TZE Input Encodings), will be included in transaction digests for transaction identifiers and signatures. See ZIP 245 8 for the specification of these new digests. If the changes in this ZIP are deployed, those described in ZIP 245 MUST be deployed as well.

    Rationale

    @@ -277,8 +277,8 @@ nShieldedSpend, and nJoinSplit MUST be nonzero in

    Reference Implementation

      -
    • Librustzcash reference implementation of TZE API: 10
      • -
    • Zcashd reference implementation of consensus rule changes: 11
      • +
    • Librustzcash reference implementation of TZE API: 10
      • +
    • Zcashd reference implementation of consensus rule changes: 11

    Acknowledgements

    diff --git a/zip-0224.html b/zip-0224.html index 4f8717de..18cef5e5 100644 --- a/zip-0224.html +++ b/zip-0224.html @@ -20,8 +20,8 @@ Created: 2021-02-27 License: MIT Discussions-To: <https://github.com/zcash/zips/issues/435>

    Terminology

    -

    The key word "MUST" in this document is to be interpreted as described in RFC 2119. 1

    -

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 5.

    +

    The key word "MUST" in this document is to be interpreted as described in RFC 2119. 1

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 5.

    Abstract

    This document proposes the Orchard shielded protocol, which defines a new shielded pool with spending keys and payment addresses that are amenable to future scalability improvements.

    @@ -29,18 +29,18 @@ Discussions-To: <https://g

    Motivation

    Zcash currently has two active shielded protocols and associated shielded pools:

      -
    • The Sprout shielded protocol (based on the Zerocash paper with improvements and security fixes 21), which as of February 2021 is a "closing" shielded pool into which no new ZEC can be sent.
      • +
    • The Sprout shielded protocol (based on the Zerocash paper with improvements and security fixes 21), which as of February 2021 is a "closing" shielded pool into which no new ZEC can be sent.
    • The Sapling shielded protocol, which consisted of numerous improvements to functionality and improved performance by orders of magnitude, and as of Feburary 2021 is the "active" shielded pool.

    Both of these shielded protocols suffer from two issues:

    • Neither Sprout nor Sapling are compatible with known efficient scalability techniques. Recursive zero-knowledge proofs (where a proof verifies an earlier instance of itself along with new state) that are suitable for deployment in a block chain like Zcash require a cycle of elliptic curves. The Sprout protocol does not use elliptic curves and thus is an inherently inefficient protocol to implement inside a circuit, while the Sapling protocol uses curves for which there is no known way to construct an efficient curve cycle (or path to one).
      • -
    • The Sprout and Sapling circuits are implemented using a proving system (Groth16) that requires a "trusted setup": the circuit parameters are a Structured Reference String (SRS) with hidden structure, that if known could be used to create fake proofs and thus counterfeit funds. The parameters are in practice generated using a multiparty computation (MPC), where as long as at least one participant was honest and not compromised, the hidden structure is unrecoverable. The MPCs themselves have improved over the years (Zcash had 6 participants in the Sprout MPC, and around 90 per round in the Sapling MPC two years later 2), but it remains the case that generating these parameters is a point of risk within the protocol. For example, the original proving system used for the Sprout circuit (BCTV14) had a bug that made the Sprout shielded protocol vulnerable to counterfeiting, 3 which needed to be resolved by changing the proving system and running a new MPC.
      • +
    • The Sprout and Sapling circuits are implemented using a proving system (Groth16) that requires a "trusted setup": the circuit parameters are a Structured Reference String (SRS) with hidden structure, that if known could be used to create fake proofs and thus counterfeit funds. The parameters are in practice generated using a multiparty computation (MPC), where as long as at least one participant was honest and not compromised, the hidden structure is unrecoverable. The MPCs themselves have improved over the years (Zcash had 6 participants in the Sprout MPC, and around 90 per round in the Sapling MPC two years later 2), but it remains the case that generating these parameters is a point of risk within the protocol. For example, the original proving system used for the Sprout circuit (BCTV14) had a bug that made the Sprout shielded protocol vulnerable to counterfeiting, 3 which needed to be resolved by changing the proving system and running a new MPC.

    We are thus motivated to deploy a new shielded protocol designed around a curve cycle, using a proving system that is both amenable to recursion and does not require an SRS.

    Specification

    -

    The Orchard protocol MUST be implemented as specified in the Zcash Protocol Specification 4.

    +

    The Orchard protocol MUST be implemented as specified in the Zcash Protocol Specification 4.

    Given that the Orchard protocol largely follows the design of the Sapling protocol, we provide here a list of differences, with references to their normative specifications and associated design rationale.

    Curves

    The Orchard protocol uses the Pallas / Vesta curve cycle, in place of BLS12-381 and its embedded curve Jubjub:

    @@ -50,41 +50,41 @@ Discussions-To: <https://g

    We use the "simplified SWU" algorithm to define an infallible \(\mathsf{GroupHash}\) - , instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft 33 (but the protocol specification takes precedence in the case of any discrepancy).

    + , instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft 33 (but the protocol specification takes precedence in the case of any discrepancy).

    The presence of the curve cycle is an explicit design choice. This proposal only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future protocol updates.

      -
    • Curve specifications: 15
      • +
    • Curve specifications: 15
    • \(\mathsf{GroupHash}\) - : 16
      • -
    • Supporting evidence: 34
      • + : 16 +
    • Supporting evidence: 34

    Proving system

    -

    Orchard uses the Halo 2 proving system 23 with the PLONKish arithmetization 22, instead of Groth16 and R1CS.

    +

    Orchard uses the Halo 2 proving system 23 with the PLONKish arithmetization 22, instead of Groth16 and R1CS.

    This proposal does not make use of Halo 2's support for recursive proofs, but this is expected to be leveraged by future protocol updates.

    Circuit

    Orchard uses a single circuit for both spends and outputs, similar to Sprout. An "action" contains both a single (possibly dummy) note being spent, and a single (possibly dummy) note being created.

    An Orchard transaction contains a "bundle" of actions, and a single Halo 2 proof that covers all of the actions in the bundle.

      -
    • Action description: 8
      • -
    • Circuit statement: 9
      • -
    • Design rationale: 25
      • +
    • Action description: 8
      • +
    • Circuit statement: 9
      • +
    • Design rationale: 25

    Commitments

    The Orchard protocol has equivalent commitment schemes to Sapling. For non-homomorphic commitments, Orchard uses the PLONKish-efficient Sinsemilla in place of Bowe–Hopwood Pedersen hashes.

      -
    • Sinsemilla hash function: 11
      • -
    • Sinsemilla commitments: 14
      • -
    • Design rationale: 26
      • +
    • Sinsemilla hash function: 11
      • +
    • Sinsemilla commitments: 14
      • +
    • Design rationale: 26

    Commitment tree

    Orchard uses an identical commitment tree structure to Sapling, except that we instantiate it with Sinsemilla instead of a Bowe–Hopwood Pedersen hash.

      -
    • Design rationale and considered alternatives: 27
      • +
    • Design rationale and considered alternatives: 27

    Keys and addresses

    @@ -105,14 +105,14 @@ Discussions-To: <https://g , instead of being a component of the spending key.
  • All diversifiers now result in valid payment addresses.
    • -

    There is no Bech32 encoding defined for an individual Orchard shielded payment address, incoming viewing key, or full viewing key. Instead we define unified payment addresses and viewing keys in 32. Orchard spending keys are encoded using Bech32m as specified in 20.

    +

    There is no Bech32 encoding defined for an individual Orchard shielded payment address, incoming viewing key, or full viewing key. Instead we define unified payment addresses and viewing keys in 32. Orchard spending keys are encoded using Bech32m as specified in 20.

    Orchard keys may be derived in a hierarchical deterministic (HD) manner. We do not adapt the Sapling HD mechanism from ZIP 32 to Orchard; instead, we define a hardened-only derivation mechanism (similar to Sprout).

      -
    • Key components diagram: 6
      • -
    • Key components specification: 10
      • -
    • Encodings: 17 18 19 20
      • -
    • HD key derivation specification: 29
      • -
    • Design rationale: 24
      • +
    • Key components diagram: 6
      • +
    • Key components specification: 10
      • +
    • Encodings: 17 18 19 20
      • +
    • HD key derivation specification: 29
      • +
    • Design rationale: 24

    Notes

    @@ -123,9 +123,9 @@ Discussions-To: <https://g \(\psi\) and \(\mathsf{rcm}\) - are derived from a random seed (as with Sapling after ZIP 212 30).

    + are derived from a random seed (as with Sapling after ZIP 212 30).

      -
    • Orchard notes: 7
      • +
    • Orchard notes: 7

    Nullifiers

    @@ -139,14 +139,14 @@ Discussions-To: <https://g \(\mathcal{G}\) is a fixed independent base.

      -
    • Poseidon: 12
      • -
    • Design rationale and considered alternatives: 28
      • +
    • Poseidon: 12
      • +
    • Design rationale and considered alternatives: 28

    Signatures

    Orchard uses RedPallas (RedDSA instantiated with the Pallas curve) as its signature scheme in place of Sapling's RedJubjub (RedDSA instantiated with the Jubjub curve).

      -
    • RedPallas: 13
      • +
    • RedPallas: 13
    @@ -166,7 +166,7 @@ Discussions-To: <https://g field, combined with the consensus checks that each pool's balance cannot be negative, together enforce that any potential counterfeiting bugs in the Orchard protocol or implementation are contained within the Orchard pool, and similarly any potential counterfeiting bugs in existing shielded pools cannot cause inflation of the Orchard pool.
  • Spending funds residing in the Orchard pool to a non-Orchard address will reveal the value of the transaction. This is a necessary side-effect of the transparent turnstile, but can be mitigated by migrating the majority of shielded activity to the Orchard pool and making these transactions a minority. Wallets should convey within their transaction creation UX that amounts are revealed in these situations.
    • diff --git a/zip-0225.html b/zip-0225.html index d1fe2627..9439bd85 100644 --- a/zip-0225.html +++ b/zip-0225.html @@ -20,12 +20,12 @@ Created: 2021-02-28 License: MIT Discussions-To: <https://github.com/zcash/zips/issues/440>

    Terminology

    -

    The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The character § is used when referring to sections of the Zcash Protocol Specification 2.

    +

    The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The character § is used when referring to sections of the Zcash Protocol Specification 2.

    Abstract

    -

    This proposal defines an update to the Zcash peer-to-peer transaction format to include support for data elements required to support the Orchard protocol 2. The new transaction format defines well-bounded regions of the serialized form to serve each of the existing pools of funds, and adds and describes a new region containing Orchard-specific elements.

    -

    This ZIP also depends upon and defines modifications to the computation of the values TxId Digest, Signature Digest, and Authorizing Data Commitment defined by ZIP 244 7.

    +

    This proposal defines an update to the Zcash peer-to-peer transaction format to include support for data elements required to support the Orchard protocol 2. The new transaction format defines well-bounded regions of the serialized form to serve each of the existing pools of funds, and adds and describes a new region containing Orchard-specific elements.

    +

    This ZIP also depends upon and defines modifications to the computation of the values TxId Digest, Signature Digest, and Authorizing Data Commitment defined by ZIP 244 7.

    Motivation

    The new Orchard shielded pool requires serialized data elements that are distinct from any previous Zcash transaction. In addition, with the activation of ZIP 244, the serialized transaction format will no longer be consensus-critical. It makes sense at this point to define a format that can readily accommodate future extension in a systematic fashion, where elements required for support for a given pool are kept separate.

    @@ -262,7 +262,7 @@ Discussions-To: <https://g
  • The fields valueBalanceSapling and bindingSigSapling are present if and only if \(\mathtt{nSpendsSapling} + \mathtt{nOutputsSapling} > 0\) . If valueBalanceSapling is not present, then - \(\mathsf{v^{balanceSapling}}\) + \(\mathsf{v^{balanceSapling}}`\) is defined to be 0.
  • The field anchorSapling is present if and only if \(\mathtt{nSpendsSapling} > 0\) @@ -310,7 +310,7 @@ Discussions-To: <https://g
    • -

    The encodings of each of these elements are defined in §7.3 ‘Spend Description Encoding and Consensus’ of the Zcash Protocol Specification 3.

    +

    The encodings of each of these elements are defined in §7.3 ‘Spend Description Encoding and Consensus’ of the Zcash Protocol Specification 3.

    Sapling Output Description (OutputDescriptionV5)

    @@ -355,7 +355,7 @@ Discussions-To: <https://g
    -

    The encodings of each of these elements are defined in §7.4 ‘Output Description Encoding and Consensus’ of the Zcash Protocol Specification 4.

    +

    The encodings of each of these elements are defined in §7.4 ‘Output Description Encoding and Consensus’ of the Zcash Protocol Specification 4.

    Orchard Action Description (OrchardAction)

    @@ -412,7 +412,7 @@ Discussions-To: <https://g
    -

    The encodings of each of these elements are defined in §7.5 ‘Action Description Encoding and Consensus’ of the Zcash Protocol Specification 5.

    +

    The encodings of each of these elements are defined in §7.5 ‘Action Description Encoding and Consensus’ of the Zcash Protocol Specification 5.

    Alternatives

    @@ -423,9 +423,9 @@ Discussions-To: <https://g

    Removing these fields reduces the complexity of the NU5 upgrade in the following ways:

     -

    Removal of these fields means that that in the future, removing the support for the V4 transaction format will also effectively end support for Sprout transactions on the Zcash network, though it might be possible to restore limited support for migration via a future ZIP 222 6 extension or by other means not yet determined.

    +

    Removal of these fields means that that in the future, removing the support for the V4 transaction format will also effectively end support for Sprout transactions on the Zcash network, though it might be possible to restore limited support for migration via a future ZIP 222 6 extension or by other means not yet determined.

    The original definitions for the transaction fields that have been removed are:

    diff --git a/zip-0239.html b/zip-0239.html index 483c0bb0..02cb4a41 100644 --- a/zip-0239.html +++ b/zip-0239.html @@ -17,11 +17,11 @@ License: MIT Discussions-To: <https://github.com/zcash/zips/issues/515> Pull-Request: <https://github.com/zcash/zips/pull/516>

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "RECOMMENDED" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 4

    -

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 2.

    -

    The term "txid" means a transaction identifier, computed as a SHA-256d hash of the transaction data for v4 and earlier transactions, or as specified in 6 for v5 and later transactions.

    -

    The term "authorizing data commitment" (denoted auth_digest), defined only for v5 and later transactions, is to be interpreted as described in 6.

    +

    The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "RECOMMENDED" in this document are to be interpreted as described in RFC 2119. 1

    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 4

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 2.

    +

    The term "txid" means a transaction identifier, computed as a SHA-256d hash of the transaction data for v4 and earlier transactions, or as specified in 6 for v5 and later transactions.

    +

    The term "authorizing data commitment" (denoted auth_digest), defined only for v5 and later transactions, is to be interpreted as described in 6.

    The term "witnessed transaction identifier" ("wtxid"), defined only for v5 and later transactions, is a 64-byte value given by concatenating the txid and the authorizing data commitment of the transaction.

    Abstract

    @@ -29,23 +29,23 @@ Pull-Request: <https://githu

    Motivation

    Historically, as in Bitcoin, the inv and getdata messages sent on the Zcash peer-to-peer network to announce or request transactions have referred to those transactions by txid.

    -

    Prior to the introduction of v5 transactions 5 in the NU5 network upgrade 7, a txid was always defined as the SHA-256d hash of the transaction data, the encoding of which is the same in block data and in the peer-to-peer protocol.

    -

    For v5 transactions, a new transaction digest algorithm is defined that constructs the txid from a tree of hashes, which include only effecting data 6. Witness data is committed to by a separate "authorizing data commitment". Unlike previous transaction versions, the format of serialized v5 transaction data is not consensus-critical.

    +

    Prior to the introduction of v5 transactions 5 in the NU5 network upgrade 7, a txid was always defined as the SHA-256d hash of the transaction data, the encoding of which is the same in block data and in the peer-to-peer protocol.

    +

    For v5 transactions, a new transaction digest algorithm is defined that constructs the txid from a tree of hashes, which include only effecting data 6. Witness data is committed to by a separate "authorizing data commitment". Unlike previous transaction versions, the format of serialized v5 transaction data is not consensus-critical.

    Not committing to the witness data in v5 transaction announcements would create inefficiencies: because a v5 transaction's witness can be malleated without altering the txid, a node in receipt of a v5 transaction that the node does not accept would generally still have to download that same transaction when announced by other peers. This is because the alternative — of not downloading a v5 transaction with a given txid after rejecting a previous transaction with that txid — would allow a third party to interfere with transaction relay by malleating a transaction's witness and announcing the resulting invalid transaction to nodes, preventing relay of the valid version of the transaction as well.

    -

    This inefficiency was present in Bitcoin for almost 3 years after activation of its Segwit upgrade 8, until the adoption of BIP 339 9. The latter BIP specifies a way to use the Segwit "wtxid" (which commits to both effecting and witness data) in place of the txid when announcing and fetching transactions. In Zcash, the analogous identifier is also called the wtxid, but it encodes the pair (txid, auth_digest).

    +

    This inefficiency was present in Bitcoin for almost 3 years after activation of its Segwit upgrade 8, until the adoption of BIP 339 9. The latter BIP specifies a way to use the Segwit "wtxid" (which commits to both effecting and witness data) in place of the txid when announcing and fetching transactions. In Zcash, the analogous identifier is also called the wtxid, but it encodes the pair (txid, auth_digest).

    This ZIP is modelled after BIP 339: it adds a MSG_WTX inv type to the peer-to-peer protocol, analogous to BIP 339's MSG_WTX inv type, that announces transactions by their wtxid. Note that the encoding and length of a Zcash wtxid is different to that of a Bitcoin wtxid.

    This ZIP does not introduce any equivalent of BIP 339's wtxidrelay message, since that is not needed for compatibility given that Zcash full nodes are required to support MSG_WTX based on the negotiated peer protocol version (see Deployment).

    Specification

    -

    A new inv type MSG_WTX (0x00000005) is added, for use in both inv messages and getdata requests, indicating that the hash being referenced is the wtxid (i.e. the 64-byte value txid || auth_digest). This inv type MUST be used when announcing v5 transactions. The txid and auth_digest are as defined in 6.

    -

    In the case of getdata requests, the format of a v5 transaction obtained by a MSG_WTX inv type is as given in the Zcash protocol specification. 3

    +

    A new inv type MSG_WTX (0x00000005) is added, for use in both inv messages and getdata requests, indicating that the hash being referenced is the wtxid (i.e. the 64-byte value txid || auth_digest). This inv type MUST be used when announcing v5 transactions. The txid and auth_digest are as defined in 6.

    +

    In the case of getdata requests, the format of a v5 transaction obtained by a MSG_WTX inv type is as given in the Zcash protocol specification. 3

    An inv or getdata message MUST NOT use the MSG_WTX inv type for v4 or earlier transactions, or on peer connections that have not negotiated at least the peer protocol version specified in Deployment.

    Note that MSG_WTX might also be used for future transaction versions after v5. Since such versions are not currently consensus-valid, this is left unspecified for now.

    MSG_TX and MSG_WTX entries may be mixed in arbitrary order in an inv message or a getdata message. Since these entry types are of different lengths (36 bytes or 68 bytes respectively including the 4-byte type field), this implies that the size of the message is not determined by its initial count field, and has to be determined by parsing the whole message.

    Deployment

    This ZIP is assumed to be deployed in advance of the network upgrade that introduces v5 transactions, i.e. NU5.

    -

    The peer protocol version that enables support for this specification is defined to be 170014 (on both Testnet and Mainnet). This is in advance of the minimum protocol version that signals support for NU5 on Testnet. 7

    -

    As specified in 4, a node that supports a network upgrade will clear its mempool when reaching the block before that upgrade's activation block. Before this point, the node will not accept transactions into its mempool that are invalid according to the pre-upgrade consensus protocol (so, in this case, it would not accept v5 transactions). This means that a correctly functioning node will not use the MSG_WTX inv type until it has received the block preceding the NU5 network upgrade.

    +

    The peer protocol version that enables support for this specification is defined to be 170014 (on both Testnet and Mainnet). This is in advance of the minimum protocol version that signals support for NU5 on Testnet. 7

    +

    As specified in 4, a node that supports a network upgrade will clear its mempool when reaching the block before that upgrade's activation block. Before this point, the node will not accept transactions into its mempool that are invalid according to the pre-upgrade consensus protocol (so, in this case, it would not accept v5 transactions). This means that a correctly functioning node will not use the MSG_WTX inv type until it has received the block preceding the NU5 network upgrade.

    Nevertheless, it is possible for a node to receive an inv or getdata message containing an inventory entry of type MSG_WTX, on a peer connection that has negotiated protocol version 170014 or later, before NU5 has activated. In this case, the node MUST NOT advertise, fetch, or provide v5 transactions.

    Note that the behaviour of a node receiving an inv or getdata message with one or more inventory entries of an unrecognized type was previously unspecified. The behaviour of zcashd in such a case was to assume that the length of each inventory entry is 36 bytes (including the type field), regardless of the type. This would result in misparsing the inv or getdata message if the length of the corresponding inventory entry were not 36 bytes.

    The RECOMMENDED behaviour is to parse the inv or getdata message completely, and reject the message if it contains any inventory entries of an unrecognized type. For a getdata message, the set of recognized inventory types, and corresponding entry lengths including the type field, is:

    @@ -57,15 +57,15 @@ Pull-Request: <https://githu

    For an inv message, the set of recognized inventory types is the same, but the MSG_FILTERED_BLOCK type has no useful purpose. Senders of inv messages SHOULD NOT include MSG_FILTERED_BLOCK entries. In order to allow using the same parser for the two message types, a node receiving a MSG_FILTERED_BLOCK entry in an inv message SHOULD ignore it.

    As the MSG_WTX inv type is only enabled between peers that both support it, older clients remain fully compatible and interoperable before NU5 activates, or on a chain in which it does not activate.

    -

    Further information on how zcashd handles data propagation in the peer-to-peer network is given in 12.

    +

    Further information on how zcashd handles data propagation in the peer-to-peer network is given in 12.

    Rationale

    -

    A previous draft of this ZIP left as an open question whether to redefine inv and getdata to segregate MSG_TX and MSG_WTX. This could potentially have made these messages simpler or more efficient to parse, by avoiding variable-length entries in the message data. (See 10 and 11 for how inv and getdata respectively are currently defined in Bitcoin.)

    +

    A previous draft of this ZIP left as an open question whether to redefine inv and getdata to segregate MSG_TX and MSG_WTX. This could potentially have made these messages simpler or more efficient to parse, by avoiding variable-length entries in the message data. (See 10 and 11 for how inv and getdata respectively are currently defined in Bitcoin.)

    This option was rejected because the current specification is simple enough.

    Acknowledgements

    -

    This ZIP is partly based on BIP 339, written by Suhas Daftuar. 9

    +

    This ZIP is partly based on BIP 339, written by Suhas Daftuar. 9

    References

    diff --git a/zip-0243.html b/zip-0243.html index 068194f5..25ae9602 100644 --- a/zip-0243.html +++ b/zip-0243.html @@ -16,9 +16,9 @@ Category: Consensus Created: 2018-04-10 License: MIT

    Terminology

    -

    The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. 1

    -

    The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. 5

    -

    The term "Sapling" in this document is to be interpreted as described in ZIP 205. 6

    +

    The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. 1

    +

    The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. 5

    +

    The term "Sapling" in this document is to be interpreted as described in ZIP 205. 6

    Abstract

    This proposal defines a new transaction digest algorithm for signature validation from the Sapling network upgrade, to account for the presence of Sapling shielded inputs and outputs in transactions.

    @@ -48,15 +48,15 @@ License: MIT b. scriptCode of the input (serialized as scripts inside CTxOuts) c. value of the output spent by this input (8-byte little endian) d. nSequence of the input (4-byte little endian) -

    The new algorithm is based on the transaction digest algorithm defined in ZIP 143 4.

    -

    The new algorithm MUST be used for signatures created over the Sapling transaction format 2. Combined with the new consensus rule that v3 transaction formats will be invalid from the Sapling upgrade, this effectively means that all transaction signatures from the Sapling activation height (as specified in 6) will use the new algorithm.

    -

    The BLAKE2b-256 personalization field 3 is set to:

    +

    The new algorithm is based on the transaction digest algorithm defined in ZIP 143 4.

    +

    The new algorithm MUST be used for signatures created over the Sapling transaction format 2. Combined with the new consensus rule that v3 transaction formats will be invalid from the Sapling upgrade, this effectively means that all transaction signatures from the Sapling activation height (as specified in 6) will use the new algorithm.

    +

    The BLAKE2b-256 personalization field 3 is set to:

    "ZcashSigHash" || CONSENSUS_BRANCH_ID
    -

    CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the transaction. 5 Domain separation of the signature hash across parallel consensus branches provides replay protection: transactions targeted for one consensus branch will have invalid signatures on other consensus branches.

    +

    CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the transaction. 5 Domain separation of the signature hash across parallel consensus branches provides replay protection: transactions targeted for one consensus branch will have invalid signatures on other consensus branches.

    Transaction creators MUST specify the epoch they want their transaction to be mined in. Across a network upgrade, this means that if a transaction is not mined before the activation height, it will never be mined.

    -

    Semantics of the original sighash types are as in ZIP 143 4.

    +

    Semantics of the original sighash types are as in ZIP 143 4.

    Field definitions

    -

    The items 1, 2, 3, 4, 5, 9, 10, 12, and 13 have the same meaning as in ZIP 143 4.

    +

    The items 1, 2, 3, 4, 5, 9, 10, 12, and 13 have the same meaning as in ZIP 143 4.

    6: hashJoinSplits

    • If vjoinsplits is non-empty, hashJoinSplits is the BLAKE2b-256 hash of the serialization of all JoinSplit descriptions (in their canonical v4 transaction serialization format) concatenated with the joinSplitPubKey; @@ -97,130 +97,130 @@ License: MIT

      Notes

      The hashPrevouts, hashSequence, hashOutputs, hashJoinSplits, hashShieldedSpends, and hashShieldedOutputs calculated in an earlier validation can be reused in other inputs of the same transaction, so that the time complexity of the whole hashing process reduces from O(n2) to O(n).

      Refer to the reference implementation, reproduced below, for the precise algorithm:

      - 
      const unsigned char ZCASH_PREVOUTS_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','P','r','e','v','o','u','t','H','a','s','h'};
-const unsigned char ZCASH_SEQUENCE_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','S','e','q','u','e','n','c','H','a','s','h'};
-const unsigned char ZCASH_OUTPUTS_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','O','u','t','p','u','t','s','H','a','s','h'};
-const unsigned char ZCASH_JOINSPLITS_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','J','S','p','l','i','t','s','H','a','s','h'};
-const unsigned char ZCASH_SHIELDED_SPENDS_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','S','S','p','e','n','d','s','H','a','s','h'};
-const unsigned char ZCASH_SHIELDED_OUTPUTS_HASH_PERSONALIZATION[16] =
-    {'Z','c','a','s','h','S','O','u','t','p','u','t','H','a','s','h'};
+                
      const unsigned char ZCASH_PREVOUTS_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','P','r','e','v','o','u','t','H','a','s','h'};
+const unsigned char ZCASH_SEQUENCE_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','S','e','q','u','e','n','c','H','a','s','h'};
+const unsigned char ZCASH_OUTPUTS_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','O','u','t','p','u','t','s','H','a','s','h'};
+const unsigned char ZCASH_JOINSPLITS_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','J','S','p','l','i','t','s','H','a','s','h'};
+const unsigned char ZCASH_SHIELDED_SPENDS_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','S','S','p','e','n','d','s','H','a','s','h'};
+const unsigned char ZCASH_SHIELDED_OUTPUTS_HASH_PERSONALIZATION[16] =
+    {'Z','c','a','s','h','S','O','u','t','p','u','t','H','a','s','h'};
 
 // The default values are zeroes
-uint256 hashPrevouts;
-uint256 hashSequence;
-uint256 hashOutputs;
-uint256 hashJoinSplits;
-uint256 hashShieldedSpends;
-uint256 hashShieldedOutputs;
+uint256 hashPrevouts;
+uint256 hashSequence;
+uint256 hashOutputs;
+uint256 hashJoinSplits;
+uint256 hashShieldedSpends;
+uint256 hashShieldedOutputs;
 
-if (!(nHashType & SIGHASH_ANYONECANPAY)) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_PREVOUTS_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vin.size(); n++) {
-        ss << txTo.vin[n].prevout;
-    }
-    hashPrevouts = ss.GetHash();
-}
+if (!(nHashType & SIGHASH_ANYONECANPAY)) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_PREVOUTS_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vin.size(); n++) {
+        ss << txTo.vin[n].prevout;
+    }
+    hashPrevouts = ss.GetHash();
+}
 
-if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_SEQUENCE_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vin.size(); n++) {
-        ss << txTo.vin[n].nSequence;
-    }
-    hashSequence = ss.GetHash();
-}
+if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_SEQUENCE_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vin.size(); n++) {
+        ss << txTo.vin[n].nSequence;
+    }
+    hashSequence = ss.GetHash();
+}
 
-if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_OUTPUTS_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vout.size(); n++) {
-        ss << txTo.vout[n];
-    }
-    hashOutputs = ss.GetHash();
-} else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_OUTPUTS_HASH_PERSONALIZATION);
-    ss << txTo.vout[nIn];
-    hashOutputs = ss.GetHash();
-}
+if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_OUTPUTS_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vout.size(); n++) {
+        ss << txTo.vout[n];
+    }
+    hashOutputs = ss.GetHash();
+} else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_OUTPUTS_HASH_PERSONALIZATION);
+    ss << txTo.vout[nIn];
+    hashOutputs = ss.GetHash();
+}
 
-if (!txTo.vjoinsplit.empty()) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_JOINSPLITS_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vjoinsplit.size(); n++) {
-        ss << txTo.vjoinsplit[n];
-    }
-    ss << txTo.joinSplitPubKey;
-    hashJoinSplits = ss.GetHash();
-}
+if (!txTo.vjoinsplit.empty()) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_JOINSPLITS_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vjoinsplit.size(); n++) {
+        ss << txTo.vjoinsplit[n];
+    }
+    ss << txTo.joinSplitPubKey;
+    hashJoinSplits = ss.GetHash();
+}
 
-if (!txTo.vShieldedSpend.empty()) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_SHIELDED_SPENDS_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vShieldedSpend.size(); n++) {
-        ss << txTo.vShieldedSpend[n].cv;
-        ss << txTo.vShieldedSpend[n].anchor;
-        ss << txTo.vShieldedSpend[n].nullifier;
-        ss << txTo.vShieldedSpend[n].rk;
-        ss << txTo.vShieldedSpend[n].zkproof;
-    }
-    hashShieldedSpends = ss.GetHash();
-}
+if (!txTo.vShieldedSpend.empty()) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_SHIELDED_SPENDS_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vShieldedSpend.size(); n++) {
+        ss << txTo.vShieldedSpend[n].cv;
+        ss << txTo.vShieldedSpend[n].anchor;
+        ss << txTo.vShieldedSpend[n].nullifier;
+        ss << txTo.vShieldedSpend[n].rk;
+        ss << txTo.vShieldedSpend[n].zkproof;
+    }
+    hashShieldedSpends = ss.GetHash();
+}
 
-if (!txTo.vShieldedOutput.empty()) {
-    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_SHIELDED_OUTPUTS_HASH_PERSONALIZATION);
-    for (unsigned int n = 0; n < txTo.vShieldedOutput.size(); n++) {
-        ss << txTo.vShieldedOutput[n];
-    }
-    hashShieldedOutputs = ss.GetHash();
-}
+if (!txTo.vShieldedOutput.empty()) {
+    CBLAKE2bWriter ss(SER_GETHASH, 0, ZCASH_SHIELDED_OUTPUTS_HASH_PERSONALIZATION);
+    for (unsigned int n = 0; n < txTo.vShieldedOutput.size(); n++) {
+        ss << txTo.vShieldedOutput[n];
+    }
+    hashShieldedOutputs = ss.GetHash();
+}
 
-uint32_t leConsensusBranchId = htole32(consensusBranchId);
-unsigned char personalization[16] = {};
-memcpy(personalization, "ZcashSigHash", 12);
-memcpy(personalization+12, &leConsensusBranchId, 4);
+uint32_t leConsensusBranchId = htole32(consensusBranchId);
+unsigned char personalization[16] = {};
+memcpy(personalization, "ZcashSigHash", 12);
+memcpy(personalization+12, &leConsensusBranchId, 4);
 
-CBLAKE2bWriter ss(SER_GETHASH, 0, personalization);
+CBLAKE2bWriter ss(SER_GETHASH, 0, personalization);
 // fOverwintered and nVersion
-ss << txTo.GetHeader();
+ss << txTo.GetHeader();
 // Version group ID
-ss << txTo.nVersionGroupId;
+ss << txTo.nVersionGroupId;
 // Input prevouts/nSequence (none/all, depending on flags)
-ss << hashPrevouts;
-ss << hashSequence;
+ss << hashPrevouts;
+ss << hashSequence;
 // Outputs (none/one/all, depending on flags)
-ss << hashOutputs;
+ss << hashOutputs;
 // JoinSplit descriptions
-ss << hashJoinSplits;
+ss << hashJoinSplits;
 // Spend descriptions
-ss << hashShieldedSpends;
+ss << hashShieldedSpends;
 // Output descriptions
-ss << hashShieldedOutputs;
+ss << hashShieldedOutputs;
 // Locktime
-ss << txTo.nLockTime;
+ss << txTo.nLockTime;
 // Expiry height
-ss << txTo.nExpiryHeight;
+ss << txTo.nExpiryHeight;
 // Sapling value balance
-ss << txTo.valueBalance;
+ss << txTo.valueBalance;
 // Sighash type
-ss << nHashType;
+ss << nHashType;
 
-if (nIn != NOT_AN_INPUT) {
-    // The input being signed (replacing the scriptSig with scriptCode + amount)
-    // The prevout may already be contained in hashPrevout, and the nSequence
-    // may already be contained in hashSequence.
-    ss << txTo.vin[nIn].prevout;
-    ss << static_cast<const CScriptBase&>(scriptCode);
-    ss << amount;
-    ss << txTo.vin[nIn].nSequence;
-}
+if (nIn != NOT_AN_INPUT) {
+    // The input being signed (replacing the scriptSig with scriptCode + amount)
+    // The prevout may already be contained in hashPrevout, and the nSequence
+    // may already be contained in hashSequence.
+    ss << txTo.vin[nIn].prevout;
+    ss << static_cast<const CScriptBase&>(scriptCode);
+    ss << amount;
+    ss << txTo.vin[nIn].nSequence;
+}
 
-return ss.GetHash();
      
+return ss.GetHash();

    Example

    -

    To ensure consistency in consensus-critical behaviour, developers should test their implementations against the ZIP 243 test vectors 7. The first two test vectors are broken out below for clarity. Note that 32-byte values below are exactly as the hash function returns, and are not reversed. Further examples can be found in the SignatureHash test data 8.

    -

    The sample transactions below and in 8 are intended only for testing implementations of the transaction digest algorithm; they do not necessarily pass full validation.

    +

    To ensure consistency in consensus-critical behaviour, developers should test their implementations against the ZIP 243 test vectors 7. The first two test vectors are broken out below for clarity. Note that 32-byte values below are exactly as the hash function returns, and are not reversed. Further examples can be found in the SignatureHash test data 8.

    +

    The sample transactions below and in 8 are intended only for testing implementations of the transaction digest algorithm; they do not necessarily pass full validation.

    Test vector 1

    Raw transaction:

    0400008085202f890002e7719811893e0000095200ac6551ac636565b2835a0805750200025151481cdd86b3cc4318442117623ceb0500031b3d1a027c2c40590958b7eb13d742a997738c46a458965baf276ba92f272c721fe01f7e9c8e36d6a5e29d4e30a73594bf5098421c69378af1e40f64e125946f62c2fa7b2fecbcb64b6968912a6381ce3dc166d56a1d62f5a8d7551db5fd931325c9a138f49b1a537edcf04be34a9851a7af9db6990ed83dd64af3597c04323ea51b0052ad8084a8b9da948d320dadd64f5431e61ddf658d24ae67c22c8d1309131fc00fe7f235734276d38d47f1e191e00c7a1d48af046827591e9733a97fa6b679f3dc601d008285edcbdae69ce8fc1be4aac00ff2711ebd931de518856878f73476f21a482ec9378365c8f7393c94e2885315eb4671098b79535e790fe53e29fef2b3766697ac32b4f473f468a008e72389fc03880d780cb07fcfaabe3f1a84b27db59a4a153d882d2b2103596555ed9494c6ac893c49723833ec8926c1039586a7afcf4a0d9c731e985d99589c8bb838e8aaf745533ed9e8ae3a1cd074a51a20da8aba18d1dbebbc862ded42435e92476930d069896cff30eb414f727b895a4b7be1769367e1fe8ad18de11e58d88a0ad5511d3525122b7b0a6f25d28b16457e745939ffedbd12863ce71a02af117d417adb3d15cc54dcb1fce467500c6b8fb86b12b56da9c382857deecc40a98d5f2935395ee4762dd21afdbb5d47fa9a6dd984d567db2857b927b7fae2db587105415d4642789d38f50b8dbcc129cab3d17d19f3355bcf73cecb8cb8a5da01307152f13936a270572670dc82d39026c6cb4cd4b0f7f5aa2a4f5a5341ec5dd715406f2fdd2afa733f5f641c8c21862a1bafce2609d9eecfa158cfb5cd79f88008e315dc7d8388e76c1782fd2795d18a763624c25fa959cc97489ce75745824b77868c53239cfbdf73caec65604037314faaceb56218c6bd30f8374ac13386793f21a9fb80ad03bc0cda4a44946c00e1b1a1df0e5b87b5bece477a709649e950060591394812951e1fe3895b8cc3d14d2cf6556df6ed4b4ddd3d9a69f53357d7767f4f5ccbdbc596631277f8fecd08cb056b95e3025b9792fff7f244fc716269b926d62e9596fa825c6bf21aff9e68625a6b4cbc4b700a364fa76bd8298bc3ec608d4cf7f3566658d5588714ec9448b0f0396128aef884a646114c9f1a6df56319033c3199cc7a09e9e9567482c92695390229407bbc48985675e3f874a4533f1d63a84dfa3e0f460fe2f57e34fbc75423b6883a50a0d470190dfba10a857f82842d3825b3d6da0573d316eb160dc0b716c48fbd467f75b780149ae8808f4e68f50c0536acddf6f1aeab016b6bc1ec144b4e553acfd670f77e755fc88e0677e31ba459b44e307768958fe3789d41c2b1ff434cb30e15914f01bc6bc2307b488d2556d7b7380ea4ffd712f6b02fe806b94569cd4059f396bf29b99d0a40e5e1711ca944f72d436a102fca4b97693da0b086fe9d2e7162470d02e0f05d4bec9512bfb3f38327296efaa74328b118c27402c70c3a90b49ad4bbc68e37c0aa7d9b3fe17799d73b841e751713a02943905aae0803fd69442eb7681ec2a05600054e92eed555028f21b6a155268a2dd6640a69301a52a38d4d9f9f957ae35af7167118141ce4c9be0a6a492fe79f1581a155fa3a034999c538f7a758bb5b1d28fd218fba1938744bdb77b4a4dfa7a5fae96e8cd49b26907dfc6685c5c99b7141ac626ab4761fd3f41e728e1a28f89db89ffdeca364e4b22d81d9968d0119e4c7a189adf22ad96830a54e40dc73eaba6b2aaf14f7ca942e7370b247c046f8e75ef8e3f8bd821cf577491864e20e6d08fd2e32b555c92c661f19588b72a89599710a88061253ca285b6304b37da2b5294f5cb354a894322848ccbdc7c2545b7da568afac87ffa005c312241c2d57f4b45d6419f0d2e2c5af33ae243785b325cdab95404fc7aed70525cddb41872cfcc214b13232edc78609753dbff930eb0dc156612b9cb434bc4b693392deb87c530435312edcedc6a961133338d786c4a3e103f60110a16b1337129704bf4754ff6ba9fbe65951e610620f71cda8fc877625f2c5bb04cbe1228b1e886f4050afd8fe94e97d2e9e85c6bb748c0042d3249abb1342bb0eebf62058bf3de080d94611a3750915b5dc6c0b3899d41222bace760ee9c8818ded599e34c56d7372af1eb86852f2a732104bdb750739de6c2c6e0f9eb7cb17f1942bfc9f4fd6ebb6b4cdd4da2bca26fac4578e9f543405acc7d86ff59158bd0cba3aef6f4a8472d144d99f8b8d1dedaa9077d4f01d4bb27bbe31d88fbefac3dcd4797563a26b1d61fcd9a464ab21ed550fe6fa09695ba0b2f10eea6468cc6e20a66f826e3d14c5006f0563887f5e1289be1b2004caca8d3f34d6e84bf59c1e04619a7c23a996941d889e4622a9b9b1d59d5e319094318cd405ba27b7e2c084762d31453ec4549a4d97729d033460fcf89d6494f2ffd789e98082ea5ce9534b3acd60fe49e37e4f666931677319ed89f85588741b3128901a93bd78e4be0225a9e2692c77c969ed0176bdf9555948cbd5a332d045de6ba6bf4490adfe7444cd467a09075417fcc0062e49f008c51ad4227439c1b4476ccd8e97862dab7be1e8d399c05ef27c6e22ee273e15786e394c8f1be31682a30147963ac8da8d41d804258426a3f70289b8ad19d8de13be4eebe3bd4c8a6f55d6e0c373d456851879f5fbc282db9e134806bff71e11bc33ab75dd6ca067fb73a043b646a7cf39cab4928386786d2f24141ee120fdc34d6764eafc66880ee0204f53cc1167ed20b43a52dea3ca7cff8ef35cd8e6d7c111a68ef44bcd0c1513ad47ca61c659cc5d325b440f6b9f59aff66879bb6688fd2859362b182f207b3175961f6411a493bffd048e7d0d87d82fe6f990a2b0a25f5aa0111a6e68f37bf6f3ac2d26b84686e569d58d99c1383597fad81193c4c1b16e6a90e2d507cdfe6fbdaa86163e9cf5de3100fbca7e8da047b09079362d7792deb3ca9dc1561b87c82e3cb99eb5837319582216a3226774efa90efb7bfc79f425644e4e98c2d7d8642b9db82aa739bf2d71cc4117227db227cf0a05ad9a95832e23c94f271ca0e4694fac6322282ebac6986b8fdc8ad863084ff10fd11e6a13311fb799c79c641d9da43b33e7ad012e28255398789262275f1175be8462c01491c4d842406d0ec4282c9526174a09878fe8fdde33a29604e5e5e7b2a025d6650b97dbb52befb59b1d30a57433b0a351474444099daa371046613260cf3354cfcdada663ece824ffd7e44393886a86165ddddf2b4c41773554c86995269408b11e6737a4c447586f69173446d8e48bf84cbc000a807899973eb93c5e819aad669413f8387933ad1584aa35e43f4ecd1e2d0407c0b1b89920ffdfdb9bea51ac95b557af71b89f903f5d9848f14fcbeb1837570f544d6359eb23faf38a0822da36ce426c4a2fbeffeb0a8a2e297a9d19ba15024590e3329d9fa9261f9938a4032dd34606c9cf9f3dd33e576f05cd1dd6811c6298757d77d9e810abdb226afcaa4346a6560f8932b3181fd355d5d391976183f8d99388839632d6354f666d09d3e5629ea19737388613d38a34fd0f6e50ee5a0cc9677177f50028c141378187bd2819403fc534f80076e9380cb4964d3b6b45819d3b8e9caf54f051852d671bf8c1ffde2d1510756418cb4810936aa57e6965d6fb656a760b7f19adf96c173488552193b147ee58858033dac7cd0eb204c06490bbdedf5f7571acb2ebe76acef3f2a01ee987486dfe6c3f0a5e234c127258f97a28fb5d164a8176be946b8097d0e317287f33bf9c16f9a545409ce29b1f4273725fc0df02a04ebae178b3414fb0a82d50deb09fcf4e6ee9d180ff4f56ff3bc1d3601fc2dc90d814c3256f4967d3a8d64c83fea339c51f5a8e5801fbb97835581b602465dee04b5922c2761b54245bec0c9eef2db97d22b2b3556cc969fbb13d06509765a52b3fac54b93f421bf08e18d52ddd52cc1c8ca8adfaccab7e5cc2f4573fbbf8239bb0b8aedbf8dad16282da5c9125dba1c059d0df8abf621078f02d6c4bc86d40845ac1d59710c45f07d585eb48b32fc0167ba256e73ca3b9311c62d109497957d8dbe10aa3e866b40c0baa2bc492c19ad1e6372d9622bf163fbffeaeee796a3cd9b6fbbfa4d792f34d7fd6e763cd5859dd26833d21d9bc5452bd19515dff9f4995b35bc0c1f876e6ad11f2452dc9ae85aec01fc56f8cbfda75a7727b75ebbd6bbffb43b63a3b1b671e40feb0db002974a3c3b1a788567231bf6399ff89236981149d423802d2341a3bedb9ddcbac1fe7b6435e1479c72e7089b51bfe2ff345857da9b545e88e3221f3f5f72d1e069c9a85dd2236d390989587be005cda16af4408f3ab06a916eeeb9c9594b70424a4c1d171295b6763b22f4712ba7beff0ff27883afaff26034b895735709cf937bd2231891e70eb2771e9927c97f8764eb48e911d428ec8d861b708e8298acb62155145155ae95f0a1d1501034753146e22d05f586d7f6b4fe12dad9a17f5db70b1db96b8d9a83edadc966c8a5466b61fc998c31f1070d9a5c9a6d268d304fe6b8fd3b4010348611abdcbd49fe4f85b623c7828c71382e1034ea67bc8ae97404b0c50b2a04f559e49950afcb0ef462a2ae024b0f0224dfd73684b88c7fbe92d02b68f759c4752663cd7b97a14943649305521326bde085630864629291bae25ff8822a14c4b666a9259ad0dc42a8290ac7bc7f53a16f379f758e5de750f04fd7cad47701c8597f97888bea6fa0bf2999956fbfd0ee68ec36e4688809ae231eb8bc4369f5fe1573f57e099d9c09901bf39caac48dc11956a8ae905ead86954547c448ae43d315e669c4242da565938f417bf43ce7b2b30b1cd4018388e1a910f0fc41fb0877a5925e466819d375b0a912d4fe843b76ef6f223f0f7c894f38f7ab780dfd75f669c8c06cffa43eb47565a50e3b1fa45ad61ce9a1c4727b7aaa53562f523e73952bbf33d8a4104078ade3eaaa49699a69fdf1c5ac7732146ee5e1d6b6ca9b9180f964cc9d0878ae1373524d7d510e58227df6de9d30d271867640177b0f1856e28d5c8afb095ef6184fed651589022eeaea4c0ce1fa6f085092b04979489172b3ef8194a798df5724d6b05f1ae000013a08d612bca8a8c31443c10346dbf61de8475c0bbec5104b47556af3d514458e2321d146071789d2335934a680614e83562f82dfd405b54a45eb32c165448d4d5d61ca2859585369f53f1a137e9e82b67b8fdaf01bda54a317311896ae10280a032440c420a421e944d1e952b70d5826cd3b08b7db9630fe4fd5f22125de840fcc40b98038af11d55be25432597b4b65b9ec1c7a8bbfd052cbf7e1c1785314934b262d5853754f1f17771cfb7503072655753fa3f54ecc587e9f83b581916092df26e63e18994cb0db91a0bbdc7b6119b32222adf5e61d8d8ae89dae4954b54813bb33f08d562ba513fee1b09c0fcd516055419474dd7fda038a89c84ea7b9468287f0eb0c10c4b132520194d3d8d5351fc10d09c15c8cc101aa1663bbf17b84111f38bb439f07353bdea3596d15e713e1e2e7d3f1c383135b47fa7f81f46df7a902a404699ec912f5656c35b85763e4de583aecaa1dfd5d2677d9c8ffee877f63f40a5ca0d67f6e554124700f805af876aeede53aa8b0f8e5604a73c30cbd09dad963d6f8a5dcc40def40797342113ba206fae8ebe4f3bc3caf69259e462eff9ba8b3f4bfaa1300c26925a87
@@ -434,7 +434,7 @@ vJoinSplit:      00

    Deployment

    -

    This proposal is deployed with the Sapling network upgrade. 6

    +

    This proposal is deployed with the Sapling network upgrade. 6

    Backward compatibility

    This proposal is backwards-compatible with old UTXOs. It is not backwards-compatible with older software. Given that v3 transaction formats will be invalid from the Sapling upgrade, all transactions will be required to use this transaction digest algorithm for signatures, and so transactions created by older software will be rejected by the network.

    diff --git a/zip-0244.html b/zip-0244.html index 4b101de0..af83912d 100644 --- a/zip-0244.html +++ b/zip-0244.html @@ -18,9 +18,9 @@ Created: 2021-01-06 License: MIT Discussions-To: <https://github.com/zcash/zips/issues/411>

    Terminology

    -

    The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. 1

    -

    The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. 3

    -

    The term "field encoding" refers to the binary serialized form of a Zcash transaction field, as specified in section 7.1 of the Zcash protocol specification 2.

    +

    The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. 1

    +

    The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. 3

    +

    The term "field encoding" refers to the binary serialized form of a Zcash transaction field, as specified in section 7.1 of the Zcash protocol specification 2.

    Abstract

    This proposal defines a new transaction digest algorithm for the NU5 network upgrade onward, in order to introduce non-malleable transaction identifiers that commit to all transaction data except for attestations to transaction validity.

    @@ -75,7 +75,7 @@ Discussions-To: <https://g    ├── valueBalanceOrchard    └── anchorOrchard

    Each node written as snake_case in this tree is a BLAKE2b-256 hash of its children, initialized with a personalization string specific to that branch of the tree. Nodes that are not themselves digests are written in camelCase. In the specification below, nodes of the tree are presented in depth-first order.

    -
    txid_digest
    +
    txid_digest

    A BLAKE2b-256 hash of the following values

    T.1: header_digest       (32-byte hash output)
 T.2: transparent_digest  (32-byte hash output)
@@ -84,7 +84,7 @@ T.4: orchard_digest      (32-byte hash output)

    The personalization field of this hash is set to:

    "ZcashTxHash_" || CONSENSUS_BRANCH_ID

    ZcashTxHash_ has 1 underscore character.

    -

    As in ZIP 143 6, CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the transaction. Domain separation of the transaction id hash across parallel consensus branches provides replay protection: transactions targeted for one consensus branch will not have the same transaction identifier on other consensus branches.

    +

    As in ZIP 143 6, CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the transaction. Domain separation of the transaction id hash across parallel consensus branches provides replay protection: transactions targeted for one consensus branch will not have the same transaction identifier on other consensus branches.

    This signature hash personalization prefix has been changed to reflect the new role of this hash (relative to ZcashSigHash as specified in ZIP 143) as a transaction identifier rather than a commitment that is exclusively used for signature purposes. The previous computation of the transaction identifier was a SHA256d hash of the serialized transaction contents, and was not personalized.

    T.1: header_digest

    A BLAKE2b-256 hash of the following values

    @@ -128,7 +128,7 @@ T.2c: outputs_digest (32-byte hash)
    T.3: sapling_digest
    -

    In the case that Sapling spends or outputs are present, the digest of Sapling components is composed of two subtrees which are organized to permit easy interoperability with the CompactBlock representation of Sapling data specified by the ZIP 307 Light Client Protocol 8.

    +

    In the case that Sapling spends or outputs are present, the digest of Sapling components is composed of two subtrees which are organized to permit easy interoperability with the CompactBlock representation of Sapling data specified by the ZIP 307 Light Client Protocol 8.

    This digest is a BLAKE2b-256 hash of the following values

    T.3a: sapling_spends_digest  (32-byte hash)
 T.3b: sapling_outputs_digest (32-byte hash)
@@ -170,7 +170,7 @@ T.3b.iii: sapling_outputs_noncompact_digest (32-byte hash)

    In the case that the transaction has Sapling spends but no Sapling outputs, sapling_outputs_digest is

    BLAKE2b-256("ZTxIdSOutputHash", [])
    T.3b.i: sapling_outputs_compact_digest -

    A BLAKE2b-256 hash of the subset of Sapling output information included in the ZIP-307 8 CompactBlock format for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:

    +

    A BLAKE2b-256 hash of the subset of Sapling output information included in the ZIP-307 8 CompactBlock format for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:

    T.3b.i.1: cmu                  (field encoding bytes)
 T.3b.i.2: ephemeral_key        (field encoding bytes)
 T.3b.i.3: enc_ciphertext[..52] (First 52 bytes of field encoding)
    @@ -184,7 +184,7 @@ T.3b.i.3: enc_ciphertext[..52] (First 52 bytes of field encoding) 
    "ZTxIdSOutM__Hash" (2 underscore characters)
    T.3b.iii: sapling_outputs_noncompact_digest -

    A BLAKE2b-256 hash of the remaining subset of Sapling output information not included in the ZIP 307 8 CompactBlock format, excluding zkproof data, for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:

    +

    A BLAKE2b-256 hash of the remaining subset of Sapling output information not included in the ZIP 307 8 CompactBlock format, excluding zkproof data, for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:

    T.3b.iii.1: cv                    (field encoding bytes)
 T.3b.iii.2: enc_ciphertext[564..] (post-memo Poly1305 AEAD tag of field encoding)
 T.3b.iii.3: out_ciphertext        (field encoding bytes)
    @@ -206,7 +206,7 @@ T.4f: anchorOrchard (32 bytes)

    In the case that the transaction has no Orchard actions, orchard_digest is

    BLAKE2b-256("ZTxIdOrchardHash", [])
    T.4a: orchard_actions_compact_digest -

    A BLAKE2b-256 hash of the subset of Orchard Action information intended to be included in an updated version of the ZIP-307 8 CompactBlock format for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

    +

    A BLAKE2b-256 hash of the subset of Orchard Action information intended to be included in an updated version of the ZIP-307 8 CompactBlock format for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

    T.4a.i  : nullifier            (field encoding bytes)
 T.4a.ii : cmx                  (field encoding bytes)
 T.4a.iii: ephemeralKey         (field encoding bytes)
@@ -221,7 +221,7 @@ T.4a.iv : encCiphertext[..52]  (First 52 bytes of field encoding)
    "ZTxIdOrcActMHash"
    T.4c: orchard_actions_noncompact_digest -

    A BLAKE2b-256 hash of the remaining subset of Orchard Action information not intended for inclusion in an updated version of the the ZIP 307 8 CompactBlock format, for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

    +

    A BLAKE2b-256 hash of the remaining subset of Orchard Action information not intended for inclusion in an updated version of the the ZIP 307 8 CompactBlock format, for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

    T.4c.i  : cv                    (field encoding bytes)
 T.4c.ii : rk                    (field encoding bytes)
 T.4c.iii: encCiphertext[564..]  (post-memo suffix of field encoding)
@@ -233,14 +233,14 @@ T.4c.iv : outCiphertext         (field encoding bytes)

    Signature Digest

    -

    A new per-input transaction digest algorithm is defined that constructs a hash that may be signed by a transaction creator to commit to the effects of the transaction. A signature digest is produced for each transparent input, each Sapling input, and each Orchard action. For transparent inputs, this follows closely the algorithms from ZIP 143 6 and ZIP 243 7. For shielded inputs, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

    +

    A new per-input transaction digest algorithm is defined that constructs a hash that may be signed by a transaction creator to commit to the effects of the transaction. A signature digest is produced for each transparent input, each Sapling input, and each Orchard action. For transparent inputs, this follows closely the algorithms from ZIP 143 6 and ZIP 243 7. For shielded inputs, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

    The overall structure of the hash is as follows; each name referenced here will be described in detail below:

    signature_digest
 ├── header_digest
 ├── transparent_sig_digest
 ├── sapling_digest
 └── orchard_digest
    -
    signature_digest
    +
    signature_digest

    A BLAKE2b-256 hash of the following values

    S.1: header_digest          (32-byte hash output)
 S.2: transparent_sig_digest (32-byte hash output)
@@ -284,14 +284,14 @@ transaction identifier in section T.2a.
    BLAKE2b-256(``ZTxIdPrevoutHash``, [])
    S.2c: amounts_sig_digest -

    If the SIGHASH_ANYONECANPAY flag is not set, the value of amounts_sig_digest is a BLAKE2b-256 hash of the concatenation of the 8-byte signed little-endian representations of all value fields 14 for the coins spent by the transparent inputs to the transaction.

    +

    If the SIGHASH_ANYONECANPAY flag is not set, the value of amounts_sig_digest is a BLAKE2b-256 hash of the concatenation of the 8-byte signed little-endian representations of all value fields 14 for the coins spent by the transparent inputs to the transaction.

    The personalization field of this hash is set to:

    "ZTxTrAmountsHash"

    If the SIGHASH_ANYONECANPAY flag is set, amounts_sig_digest is:

    BLAKE2b-256("ZTxTrAmountsHash", [])
    S.2d: scriptpubkeys_sig_digest -

    If the SIGHASH_ANYONECANPAY flag is not set, the value of scriptpubkeys_sig_digest is a BLAKE2b-256 hash of the concatenation of the field encodings (each including a leading CompactSize) of all pk_script fields 14 for the coins spent by the transparent inputs to the transaction.

    +

    If the SIGHASH_ANYONECANPAY flag is not set, the value of scriptpubkeys_sig_digest is a BLAKE2b-256 hash of the concatenation of the field encodings (each including a leading CompactSize) of all pk_script fields 14 for the coins spent by the transparent inputs to the transaction.

    The personalization field of this hash is set to:

    "ZTxTrScriptsHash"

    If the SIGHASH_ANYONECANPAY flag is set, scriptpubkeys_sig_digest is:

    @@ -325,7 +325,7 @@ S.2g.iv: nSequence (4-byte unsigned little-endian)

    Notes:

    • value is defined in the consensus rules to be a nonnegative value <= MAX_MONEY, but all existing implementations parse this value as signed and enforce the nonnegative constraint as a consensus check. It is defined as signed here for consistency with those existing implementations.
      • -
    • scriptPubKey is the field encoding (including a leading CompactSize) of the pk_script field 14 for the coin spent by the transparent input. For P2SH coins, this differs from the redeemScript committed to in ZIP 243 7.
      • +
    • scriptPubKey is the field encoding (including a leading CompactSize) of the pk_script field 14 for the coin spent by the transparent input. For P2SH coins, this differs from the redeemScript committed to in ZIP 243 7.

    If we are producing a hash for the signature over a Sapling Spend or an Orchard Action, txin_sig_digest is:

    BLAKE2b-256("Zcash___TxInHash", [])
    @@ -397,7 +397,7 @@ A.3c: bindingSigOrchard (field encoding bytes) is well-defined because \(\mathsf{tx\_count} > 0\) , due to the coinbase transaction in each block. Non-leaf hashes in this tree are BLAKE2b-256 hashes personalized by the string "ZcashAuthDatHash".

    -

    Changing the block header format to allow space for an additional commitment is somewhat invasive. Instead, the name and meaning of the hashLightClientRoot field, described in ZIP 221 4, is changed.

    +

    Changing the block header format to allow space for an additional commitment is somewhat invasive. Instead, the name and meaning of the hashLightClientRoot field, described in ZIP 221 4, is changed.

    hashLightClientRoot is renamed to hashBlockCommitments. The value of this hash is the BLAKE2b-256 hash personalized by the string "ZcashBlockCommit" of the following elements:

    hashLightClientRoot (as described in ZIP 221)
 hashAuthDataRoot    (as described below)
@@ -410,19 +410,19 @@ terminator          [0u8;32]

    Rationale

    In S.2, we use the same personalization strings for fields that have matching fields in T.2, in order to facilitate reuse of their digests. In particular, the "no transparent inputs or outputs" case of S.2 is identical to the equivalent case in T.2; thus for fully shielded transactions, signature_digest is equal to txid_digest.

    -

    Several changes in this ZIP (relative to ZIP 243 7) were made to align with BIP 341 9:

    +

    Several changes in this ZIP (relative to ZIP 243 7) were made to align with BIP 341 9:

      -
    • The hash_type field is now restricted via a new consensus rule to be one of a specific set of sighash type encodings. The rationale for this change is inherited from BIP 341 10. +
    • The hash_type field is now restricted via a new consensus rule to be one of a specific set of sighash type encodings. The rationale for this change is inherited from BIP 341 10.
      • Note however that we do not define SIGHASH_DEFAULT, as it is equivalent to SIGHASH_ALL, and we prefer the encodings to be canonical.
      • -
    • Two new commitments (amounts_sig_digest and scriptpubkeys_sig_digest) were added, to address difficulties in the case of a hardware wallet signing transparent inputs. scriptpubkeys_sig_digest helps the hardware wallet to determine the subset of inputs belonging to it 11. amounts_sig_digest prevents the transaction creator from lying to the hardware wallet about the transaction fee 12. Without these commitments, the hardware wallet would need to be sent every transaction containing an outpoint referenced in the transaction being signed.
      • -
    • The semantics of sequence_sig_digest were changed, to commit to nSequence even if SIGHASH_SINGLE or SIGHASH_NONE is set. The rationale for this change is inherited from BIP 341 13.
      • +
    • Two new commitments (amounts_sig_digest and scriptpubkeys_sig_digest) were added, to address difficulties in the case of a hardware wallet signing transparent inputs. scriptpubkeys_sig_digest helps the hardware wallet to determine the subset of inputs belonging to it 11. amounts_sig_digest prevents the transaction creator from lying to the hardware wallet about the transaction fee 12. Without these commitments, the hardware wallet would need to be sent every transaction containing an outpoint referenced in the transaction being signed.
      • +
    • The semantics of sequence_sig_digest were changed, to commit to nSequence even if SIGHASH_SINGLE or SIGHASH_NONE is set. The rationale for this change is inherited from BIP 341 13.
    • The semantics of outputs_sig_digest were changed, via a new consensus rule that rejects transparent inputs for which SIGHASH_SINGLE is set without a corresponding transparent output at the same index. BIP 341 does not give a rationale for this change, but without it these inputs were effectively using SIGHASH_NONE, which is silently misleading.
    • The semantics of txin_sig_digest were changed, to always commit to the scriptPubKey field of the transparent coin being spent, instead of the script actually being executed at the time signature_digest is calculated.
        -
      • This ensures that the signature commits to the entire committed script. In Taproot, this makes it possible to prove to a hardware wallet what (unused) execution paths exist 11. Alternate execution paths don't exist for P2PKH (where the executed script is scriptPubKey) or P2SH (where scriptPubKey is fully executed prior to redeemScript).
        • +
      • This ensures that the signature commits to the entire committed script. In Taproot, this makes it possible to prove to a hardware wallet what (unused) execution paths exist 11. Alternate execution paths don't exist for P2PKH (where the executed script is scriptPubKey) or P2SH (where scriptPubKey is fully executed prior to redeemScript).
      • For P2SH, this means we commit to the Hash160 digest of redeemScript instead of the actual script. Note that the Bitcoin P2SH design depends entirely on Hash160 being preimage-resistant, because otherwise anyone would be able to spend someone else's P2SH UTXO using a preimage. We do need to ensure that there is no collision attack; this holds because even if an adversary could find a Hash160 collision, it would only enable them to alter the input's scriptSig field. Doing so doesn't alter the effecting data of the transaction, which by definition means the transaction has the same effect under consensus (spends the same inputs and produces the same outputs).
      • diff --git a/zip-0245.html b/zip-0245.html index 5861a814..82acf618 100644 --- a/zip-0245.html +++ b/zip-0245.html @@ -15,15 +15,15 @@ Created: 2021-01-13 License: MIT Discussions-To: <https://github.com/zcash/zips/issues/384>

      Terminology

      -

      The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. 1

      -

      The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. 2

      +

      The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. 1

      +

      The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. 2

      Abstract

      -

      This proposal defines changes to ZIP 244 4 transaction id and signature digest algorithms to accommodate the inclusion of transparent Zcash extensions (TZEs) as defined in ZIP 222 3.

      +

      This proposal defines changes to ZIP 244 4 transaction id and signature digest algorithms to accommodate the inclusion of transparent Zcash extensions (TZEs) as defined in ZIP 222 3.

      Specification

      TxId Digest

      -

      The tree of hashes defined by ZIP 244 4 is re-structured to include a new branch for TZE hashes. The tze_digest branch is the only new addition to the tree; header_digest, transparent_digest, sprout_digest, and sapling_digest are as in ZIP 244:

      +

      The tree of hashes defined by ZIP 244 4 is re-structured to include a new branch for TZE hashes. The tze_digest branch is the only new addition to the tree; header_digest, transparent_digest, sprout_digest, and sapling_digest are as in ZIP 244:

      txid_digest
 ├── header_digest
 ├── transparent_digest
@@ -32,7 +32,7 @@ Discussions-To: <https://g
 │   └── tzeout_digest
 ├── sprout_digest
 └── sapling_digest
      -

      txid_digest

      +

      txid_digest

      The top hash of the txid_digest tree is modified from the ZIP 244 structure to be a BLAKE2b-256 hash of the following values

      T.1: header_digest      (32-byte hash output)
 T.2: transparent_digest (32-byte hash output)
@@ -62,7 +62,7 @@ T.2b: tzeout_digest (32-byte hash)

      Signature Digest

      -

      The signature digest creation algorithm defined by ZIP 244 4 is modified to include a new branch for TZE hashes. The tze_digest branch is the only new addition to the tree; header_digest, transparent_digest, sprout_digest, and sapling_digest are as in ZIP 244:

      +

      The signature digest creation algorithm defined by ZIP 244 4 is modified to include a new branch for TZE hashes. The tze_digest branch is the only new addition to the tree; header_digest, transparent_digest, sprout_digest, and sapling_digest are as in ZIP 244:

      signature_digest
 ├── header_digest
 ├── transparent_digest
@@ -71,7 +71,7 @@ T.2b: tzeout_digest (32-byte hash)
      │   └── tzeout_digest ├── sprout_digest └── sapling_digest -

      signature_digest

      +

      signature_digest

      A BLAKE2b-256 hash of the following values

      S.1: header_digest      (32-byte hash output)
 S.2: transparent_digest (32-byte hash output)
@@ -95,7 +95,7 @@ S.3e: value          (8-byte little endian value of the output spent by this inp

      Authorizing Data Commitment

      -

      The tree of hashes defined by ZIP 244 4 for authorizing data commitments is re-structured to include a new branch for TZE hashes. The tze_witnesses_digest branch is the only new addition to the tree; transparent_auth_digest, sprout_auth_digest, and sapling_auth_digest are as in ZIP 244:

      +

      The tree of hashes defined by ZIP 244 4 for authorizing data commitments is re-structured to include a new branch for TZE hashes. The tze_witnesses_digest branch is the only new addition to the tree; transparent_auth_digest, sprout_auth_digest, and sapling_auth_digest are as in ZIP 244:

      auth_digest
 ├── transparent_scripts_digest
 ├── tze_witnesses_digest
diff --git a/zip-0250.html b/zip-0250.html
index 80081241..686e18d3 100644
--- a/zip-0250.html
+++ b/zip-0250.html
@@ -14,16 +14,16 @@ Category: Consensus / Network
 Created: 2020-02-28
 License: MIT

      Terminology

      -

      The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      -

      The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 3

      +

      The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      +

      The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 3

      The terms below are to be interpreted as follows:

      Heartwood
      Code-name for the fourth Zcash network upgrade, also known as Network Upgrade 3.
      Testnet
      -
      The Zcash test network, as defined in 2.
      +
      The Zcash test network, as defined in 2.
      Mainnet
      -
      The Zcash production network, as defined in 2.
      +
      The Zcash production network, as defined in 2.

      Abstract

      @@ -33,13 +33,13 @@ License: MIT

      Heartwood deployment

      The primary sources of information about Heartwood consensus protocol changes are:

        -
      • The Zcash Protocol Specification 2
        • -
      • ZIP 200: Network Upgrade Mechanism 3
        • -
      • ZIP 213: Shielded Coinbase 5
        • -
      • ZIP 221: FlyClient - Consensus-Layer Changes 6.
        • +
      • The Zcash Protocol Specification 2
        • +
      • ZIP 200: Network Upgrade Mechanism 3
        • +
      • ZIP 213: Shielded Coinbase 5
        • +
      • ZIP 221: FlyClient - Consensus-Layer Changes 6.
      -

      The network handshake and peer management mechanisms defined in ZIP 201 4 also apply to this upgrade.

      -

      The following network upgrade constants 3 are defined for the Heartwood upgrade:

      +

      The network handshake and peer management mechanisms defined in ZIP 201 4 also apply to this upgrade.

      +

      The following network upgrade constants 3 are defined for the Heartwood upgrade:

      CONSENSUS_BRANCH_ID
      0xF5B9230B
      @@ -57,7 +57,7 @@ License: MIT * This was three days for upgrades up to and including Blossom, and is 1.5 days from Heartwood onward. */ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728; -

      The implementation is similar to that for Overwinter which was described in 4.

      +

      The implementation is similar to that for Overwinter which was described in 4.

      Once Heartwood activates on testnet or mainnet, Heartwood nodes SHOULD take steps to:

      • reject new connections from pre-Heartwood nodes on that network;
        • @@ -68,7 +68,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;

        Backward compatibility

        Prior to the network upgrade activating on each network, Heartwood and pre-Heartwood nodes are compatible and can connect to each other. However, Heartwood nodes will have a preference for connecting to other Heartwood nodes, so pre-Heartwood nodes will gradually be disconnected in the run up to activation.

        Once the network upgrades, even though pre-Heartwood nodes can still accept the numerically larger protocol version used by Heartwood as being valid, Heartwood nodes will always disconnect peers using lower protocol versions.

        -

        Unlike Overwinter and Sapling, and like Blossom, Heartwood does not define a new transaction version. Heartwood transactions are therefore in the same v4 format as Sapling transactions, use the same version group ID, i.e. 0x892F2085 as defined in 2 section 7.1, and the same transaction digest algorithm as defined in 7. This does not imply that transactions are valid across the Heartwood activation, since signatures MUST use the appropriate consensus branch ID. 7

        +

        Unlike Overwinter and Sapling, and like Blossom, Heartwood does not define a new transaction version. Heartwood transactions are therefore in the same v4 format as Sapling transactions, use the same version group ID, i.e. 0x892F2085 as defined in 2 section 7.1, and the same transaction digest algorithm as defined in 7. This does not imply that transactions are valid across the Heartwood activation, since signatures MUST use the appropriate consensus branch ID. 7

        Support in zcashd

        Support for Heartwood on testnet will be implemented in zcashd version 2.1.2, which will advertise protocol version 170010. Support for Heartwood on mainnet will be implemented in zcashd version 3.0.0, which will advertise protocol version 170011.

        diff --git a/zip-0251.html b/zip-0251.html index b5c65e21..e7d71fde 100644 --- a/zip-0251.html +++ b/zip-0251.html @@ -14,9 +14,9 @@ Category: Consensus / Network Created: 2020-02-28 License: MIT

        Terminology

        -

        The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

        -

        The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 5

        -

        The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 3.

        +

        The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

        +

        The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 5

        +

        The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 3.

        "Canopy" is the code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4.

        Abstract

        @@ -26,17 +26,17 @@ License: MIT

        Canopy deployment

        The primary sources of information about Canopy consensus protocol changes are:

          -
        • The Zcash Protocol Specification 2
          • -
        • ZIP 200: Network Upgrade Mechanism 5
          • -
        • ZIP 207: Funding Streams 7
          • -
        • ZIP 211: Disabling Addition of New Value to the Sprout Value Pool 8
          • -
        • ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext 9
          • -
        • ZIP 214: Consensus rules for a Zcash Development Fund 10
          • -
        • ZIP 215: Explicitly Defining and Modifying Ed25519 Validation Rules 11
          • -
        • ZIP 1014: Establishing a Dev Fund for ECC, ZF, and Major Grants 13.
          • +
        • The Zcash Protocol Specification 2
          • +
        • ZIP 200: Network Upgrade Mechanism 5
          • +
        • ZIP 207: Funding Streams 7
          • +
        • ZIP 211: Disabling Addition of New Value to the Sprout Value Pool 8
          • +
        • ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext 9
          • +
        • ZIP 214: Consensus rules for a Zcash Development Fund 10
          • +
        • ZIP 215: Explicitly Defining and Modifying Ed25519 Validation Rules 11
          • +
        • ZIP 1014: Establishing a Dev Fund for ECC, ZF, and Major Grants 13.
        -

        The network handshake and peer management mechanisms defined in ZIP 201 6 also apply to this upgrade.

        -

        The following network upgrade constants 5 are defined for the Canopy upgrade:

        +

        The network handshake and peer management mechanisms defined in ZIP 201 6 also apply to this upgrade.

        +

        The following network upgrade constants 5 are defined for the Canopy upgrade:

        CONSENSUS_BRANCH_ID
        0xE9FF75A6
        @@ -54,7 +54,7 @@ License: MIT * This was three days for upgrades up to and including Blossom, and is 1.5 days from Heartwood onward. */ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728; -

        The implementation is similar to that for Overwinter which was described in 6.

        +

        The implementation is similar to that for Overwinter which was described in 6.

        Once Canopy activates on testnet or mainnet, Canopy nodes SHOULD take steps to:

        • reject new connections from pre-Canopy nodes on that network;
          • @@ -65,7 +65,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;

          Backward compatibility

          Prior to the network upgrade activating on each network, Canopy and pre-Canopy nodes are compatible and can connect to each other. However, Canopy nodes will have a preference for connecting to other Canopy nodes, so pre-Canopy nodes will gradually be disconnected in the run up to activation.

          Once the network upgrades, even though pre-Canopy nodes can still accept the numerically larger protocol version used by Canopy as being valid, Canopy nodes will always disconnect peers using lower protocol versions.

          -

          Unlike Overwinter and Sapling, and like Blossom and Heartwood, Canopy does not define a new transaction version. Canopy transactions are therefore in the same v4 format as Sapling transactions; use the same version group ID, i.e. 0x892F2085 as defined in 4; and use the same transaction digest algorithm as defined in 12. This does not imply that transactions are valid across the Canopy activation, since signatures MUST use the appropriate consensus branch ID. 12

          +

          Unlike Overwinter and Sapling, and like Blossom and Heartwood, Canopy does not define a new transaction version. Canopy transactions are therefore in the same v4 format as Sapling transactions; use the same version group ID, i.e. 0x892F2085 as defined in 4; and use the same transaction digest algorithm as defined in 12. This does not imply that transactions are valid across the Canopy activation, since signatures MUST use the appropriate consensus branch ID. 12

          Support in zcashd

          Support for Canopy on testnet will be implemented in zcashd version 3.1.0, which will advertise protocol version 170012. Support for Canopy on mainnet will be implemented in zcashd version 4.0.0, which will advertise protocol version 170013.

          diff --git a/zip-0252.html b/zip-0252.html index 49aea2ec..3d9ac765 100644 --- a/zip-0252.html +++ b/zip-0252.html @@ -17,9 +17,9 @@ License: MIT Discussions-To: <https://github.com/zcash/zips/issues/440> Pull-Request: <https://github.com/zcash/zips/pull/446>

          Terminology

          -

          The key words "MUST" and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

          -

          The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 6

          -

          The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 3.

          +

          The key words "MUST" and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

          +

          The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 6

          +

          The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 3.

          Abstract

          This proposal defines the deployment of the NU5 network upgrade.

          @@ -28,29 +28,29 @@ Pull-Request: <https://githu

          NU5 deployment

          The primary sources of information about NU5 consensus and peer-to-peer protocol changes are:

            -
          • The Zcash Protocol Specification 2 4
            • -
          • ZIP 200: Network Upgrade Mechanism 6
            • -
          • ZIP 216: Require Canonical Point Encodings 12
            • -
          • ZIP 224: Orchard Shielded Protocol 14
            • -
          • ZIP 225: Version 5 Transaction Format 15
            • -
          • ZIP 239: Relay of Version 5 Transactions 16
            • -
          • ZIP 244: Transaction Identifier Non-Malleability 17
            • -
          • The Orchard Book 20
            • -
          • The halo2 Book 21
            • +
          • The Zcash Protocol Specification 2 4
            • +
          • ZIP 200: Network Upgrade Mechanism 6
            • +
          • ZIP 216: Require Canonical Point Encodings 12
            • +
          • ZIP 224: Orchard Shielded Protocol 14
            • +
          • ZIP 225: Version 5 Transaction Format 15
            • +
          • ZIP 239: Relay of Version 5 Transactions 16
            • +
          • ZIP 244: Transaction Identifier Non-Malleability 17
            • +
          • The Orchard Book 20
            • +
          • The halo2 Book 21
          -

          The network handshake and peer management mechanisms defined in ZIP 201 7 also apply to this upgrade.

          -

          Unified addresses and viewing keys are described in ZIP 316 18.

          +

          The network handshake and peer management mechanisms defined in ZIP 201 7 also apply to this upgrade.

          +

          Unified addresses and viewing keys are described in ZIP 316 18.

          The following ZIPs have been updated in varying degrees to take into account Orchard:

            -
          • ZIP 32: Shielded Hierarchical Deterministic Wallets 5
            • -
          • ZIP 203: Transaction Expiry 8
            • -
          • ZIP 209: Prohibit Negative Shielded Chain Value Pool Balances 9
            • -
          • ZIP 212: Allow Recipient to Derive Ephemeral Secret from Note Plaintext 10
            • -
          • ZIP 213: Shielded Coinbase 11
            • -
          • ZIP 221: FlyClient - Consensus-Layer Changes 13
            • -
          • ZIP 401: Addressing Mempool Denial-of-Service 19
            • +
          • ZIP 32: Shielded Hierarchical Deterministic Wallets 5
            • +
          • ZIP 203: Transaction Expiry 8
            • +
          • ZIP 209: Prohibit Negative Shielded Chain Value Pool Balances 9
            • +
          • ZIP 212: Allow Recipient to Derive Ephemeral Secret from Note Plaintext 10
            • +
          • ZIP 213: Shielded Coinbase 11
            • +
          • ZIP 221: FlyClient - Consensus-Layer Changes 13
            • +
          • ZIP 401: Addressing Mempool Denial-of-Service 19
          -

          The following network upgrade constants 6 are defined for the NU5 upgrade:

          +

          The following network upgrade constants 6 are defined for the NU5 upgrade:

          CONSENSUS_BRANCH_ID
          0xc2d6d0b4
          @@ -73,14 +73,14 @@ Pull-Request: <https://githu
        • reject new connections from pre-NU5 nodes on that network;
        • disconnect any existing connections to pre-NU5 nodes on that network.
        -

        The change to the peer-to-peer protocol described in ZIP 239 took effect from peer protocol version 170014 onward, on both Testnet and Mainnet. 16

        +

        The change to the peer-to-peer protocol described in ZIP 239 took effect from peer protocol version 170014 onward, on both Testnet and Mainnet. 16

        Backward compatibility

        Prior to the network upgrade activating on each network, NU5 and pre-NU5 nodes are compatible and can connect to each other. (In the case of Testnet, there was a prolonged period of network fracturing due to a consensus bug, but this is expected to be resolved with the release of zcashd v4.7.0.)

        Once the network upgrades, even though pre-NU5 nodes can still accept the numerically larger protocol version used by NU5 as being valid, NU5 nodes will always disconnect peers using lower protocol versions.

        -

        Unlike Blossom, Heartwood, and Canopy, and like Overwinter and Sapling, NU5 defines a new transaction version. Therefore, NU5 transactions MAY be in the new v5 format specified by 15. Unlike previous transaction version updates, the existing v4 transaction format remains valid after NU5 activation. Both transaction formats MUST be accepted by NU5 nodes.

        -

        Backward compatibility of the new MSG_WTX inv type introduced for inv and getdata messages is discussed in 16.

        +

        Unlike Blossom, Heartwood, and Canopy, and like Overwinter and Sapling, NU5 defines a new transaction version. Therefore, NU5 transactions MAY be in the new v5 format specified by 15. Unlike previous transaction version updates, the existing v4 transaction format remains valid after NU5 activation. Both transaction formats MUST be accepted by NU5 nodes.

        +

        Backward compatibility of the new MSG_WTX inv type introduced for inv and getdata messages is discussed in 16.

        Support in zcashd

        Several versions of zcashd have implemented versions of the NU5 consensus rules on Testnet:

        @@ -100,7 +100,7 @@ Pull-Request: <https://githu * This was three days for upgrades up to and including Blossom, and is 1.5 days from Heartwood onward. */ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728; -

        The implementation is similar to that for Overwinter which was described in 7.

        +

        The implementation is similar to that for Overwinter which was described in 7.

        However, NU5 nodes will have a preference for connecting to other NU5 nodes, so pre-NU5 nodes will gradually be disconnected in the run up to activation.

        diff --git a/zip-0301.html b/zip-0301.html index 03e5dda1..c952ba56 100644 --- a/zip-0301.html +++ b/zip-0301.html @@ -19,17 +19,17 @@ Category: Standards / Ecosystem Created: 2016-09-23 License: MIT

        Terminology

        -

        The key words "MUST", "MUST NOT", "SHOULD", "MAY", and "RECOMMENDED" in this document are to be interpreted as described in RFC 2119. 1

        +

        The key words "MUST", "MUST NOT", "SHOULD", "MAY", and "RECOMMENDED" in this document are to be interpreted as described in RFC 2119. 1

        Abstract

        This ZIP describes the Zcash variant of the Stratum protocol, used by miners to communicate with mining pool servers.

        Motivation

        -

        Many existing cryptocurrency miners and pools use the original Stratum protocol 4 5 for communication, in situations where the miner does not require any control over what they mine (for example, a miner connected to a local 6 node). However, the protocol is very specific to Bitcoin, in that it makes assumptions about the block header format, and the available nonce space 7. Zcash has made changes that invalidate these assumptions.

        +

        Many existing cryptocurrency miners and pools use the original Stratum protocol 4 5 for communication, in situations where the miner does not require any control over what they mine (for example, a miner connected to a local 6 node). However, the protocol is very specific to Bitcoin, in that it makes assumptions about the block header format, and the available nonce space 7. Zcash has made changes that invalidate these assumptions.

        Having a formal specification for a Zcash-compatible Stratum-style mining protocol means that existing pool operators and miner authors can quickly and easily migrate their frameworks to the Zcash network, with no ambiguity about interoperability.

        Specification

        -

        The Stratum protocol is an instance of 9. The miner is a JSON-RPC client, and the Stratum server is a JSON-RPC server. The miner starts a session by opening a standard TCP connection to the server, which is then used for two-way line-based communication:

        +

        The Stratum protocol is an instance of 9. The miner is a JSON-RPC client, and the Stratum server is a JSON-RPC server. The miner starts a session by opening a standard TCP connection to the server, which is then used for two-way line-based communication:

        • The miner can send requests to the server.
        • The server can respond to requests.
          • @@ -37,10 +37,10 @@ License: MIT

        All communication for a particular session happens through a single connection, which is kept open for the duration of the session. If the connection is broken or either party disconnects, the active session is ended. Servers MAY support session resuming; this is negotiated between the client and server during initial setup (see Session Resuming).

        Each request or response is a JSON string, terminated by an ASCII LF character (denoted in the rest of this specification by \n). The LF character MUST NOT appear elsewhere in a request or response. Client and server implementations MAY assume that once they read a LF character, the current message has been completely received.

        -

        Per 9, there is no requirement for the id property in requests and responses to be unique; only that servers MUST set id in their responses equal to that in the request they are responding to (or null for notifications). However, it is RECOMMENDED that clients use unique ids for their requests, to simplify their response parsing.

        +

        Per 9, there is no requirement for the id property in requests and responses to be unique; only that servers MUST set id in their responses equal to that in the request they are responding to (or null for notifications). However, it is RECOMMENDED that clients use unique ids for their requests, to simplify their response parsing.

        In the protocol messages below, (content) indicates that content is optional. Variable names are indicated in EMPHASIS. All other characters are part of the protocol message.

        Error Objects

        -

        The 9 specification allows for error objects in responses, but does not specify their format. The original Stratum protocol uses the following format for error responses 4:

        +

        The 9 specification allows for error objects in responses, but does not specify their format. The original Stratum protocol uses the following format for error responses 4:

        {"id": ##, "result": null, "error": [ERROR_CODE, "ERROR_MESSAGE", TRACEBACK]} \n

        @@ -52,7 +52,7 @@ License: MIT
        ERROR_CODE (int)

        Indicates the type of error that occurred.

        -

        The error codes are to be interpreted as described in 10. The following application error codes are defined:

        +

        The error codes are to be interpreted as described in 10. The following application error codes are defined:

        • 20 - Other/Unknown
        • 21 - Job not found (=stale)
          • @@ -88,7 +88,7 @@ License: MIT

        Nonce Parts

        -

        In Bitcoin, blocks contain two nonces: the 4-byte block header nonce, and an extra nonce in the coinbase transaction 7. The original Stratum protocol splits this extra nonce into two parts: one set by the server (used for splitting the search space amongst connected miners), and the other iterated by the miner 4. The nonce in Zcash's block header is 32 bytes long 2, and thus can serve both purposes simultaneously.

        +

        In Bitcoin, blocks contain two nonces: the 4-byte block header nonce, and an extra nonce in the coinbase transaction 7. The original Stratum protocol splits this extra nonce into two parts: one set by the server (used for splitting the search space amongst connected miners), and the other iterated by the miner 4. The nonce in Zcash's block header is 32 bytes long 2, and thus can serve both purposes simultaneously.

        We define two nonce parts:

        NONCE_1
        @@ -99,7 +99,7 @@ License: MIT

        In hex, lenHex(NONCE_2) = 64 - lenHex(NONCE_1), and both lengths are even.

        -

        The nonce in the block header is the concatenation of NONCE_1 and NONCE_2 in hex. This means that a miner using bignum representations of nonce MUST increment by 1 << len(NONCE_1) to avoid altering NONCE_1 (because the encoding of the nonce in the block header is little endian, in line with the other 32-byte fields 7 2).

        +

        The nonce in the block header is the concatenation of NONCE_1 and NONCE_2 in hex. This means that a miner using bignum representations of nonce MUST increment by 1 << len(NONCE_1) to avoid altering NONCE_1 (because the encoding of the nonce in the block header is little endian, in line with the other 32-byte fields 7 2).

        Session Resuming

        Servers that support session resuming identify this by setting a SESSION_ID in their initial response. Servers MAY set SESSION_ID to null to indicate that they do not support session resuming. Servers that do not set SESSION_ID to null MUST cache the following information:

        @@ -173,7 +173,7 @@ License: MIT
        AUTHORIZED (bool)
        -
        This MUST be true if authorization succeeded. Per 9, it MUST be null if there was an error.
        +
        This MUST be true if authorization succeeded. Per 9, it MUST be null if there was an error.
        ERROR (obj)

        An error object. This MUST be null if authorization succeeded.

        @@ -189,7 +189,7 @@ License: MIT
        TARGET (hex)
        -

        The server target for the next received job and all subsequent jobs (until the next time this message is sent). The miner compares proposed block hashes with this target as a 256-bit big-endian integer, and valid blocks MUST NOT have hashes larger than (above) the current target (in accordance with the Zcash network consensus rules 3).

        +

        The server target for the next received job and all subsequent jobs (until the next time this message is sent). The miner compares proposed block hashes with this target as a 256-bit big-endian integer, and valid blocks MUST NOT have hashes larger than (above) the current target (in accordance with the Zcash network consensus rules 3).

        Miners SHOULD NOT submit work above this target. Miners SHOULD validate their solutions before submission (to avoid both unnecessary network traffic and wasted miner time).

        Servers MUST NOT accept submissions above this target for jobs sent after this message. Servers MAY accept submissions above this target for jobs sent before this message, but MUST check them against the previous target.

        @@ -251,7 +251,7 @@ License: MIT
        NONCE_2 (hex)
        The second part of the block header nonce (see Nonce Parts).
        EQUIHASH_SOLUTION (hex)
        -
        The Equihash solution, encoded as in a block header (including the compactSize at the beginning in canonical form 8).
        +
        The Equihash solution, encoded as in a block header (including the compactSize at the beginning in canonical form 8).

        Result:

        @@ -259,10 +259,10 @@ License: MIT
        ACCEPTED (bool)
        -
        This MUST be true if the submission was accepted. Per 9, it MUST be null if there was an error.
        +
        This MUST be true if the submission was accepted. Per 9, it MUST be null if there was an error.
        ERROR (obj)
        -

        An error object. Per 9, this MUST be null if the submission was accepted without error.

        +

        An error object. Per 9, this MUST be null if the submission was accepted without error.

        If the submission was not accepted, the server MUST provide an error object describing the reason for not accepting the submission. See Error Objects for the object format.

        diff --git a/zip-0302.html b/zip-0302.html index feadf4db..0d0c4043 100644 --- a/zip-0302.html +++ b/zip-0302.html @@ -22,9 +22,9 @@ Pull-Request: <https://githu

        A well-defined standard for formatting content within the encrypted memo field will help expand its use within the Zcash ecosystem by providing a commonly recognized format for memo values carrying different types of data. Users and third-party services benefit from standardized formatting rules that define the type and length of the data contained within.

        Specification

        -

        Section 5.5 of the Zcash protocol specification 1 defines three cases for the encoding of a memo field:

        +

        Section 5.5 of the Zcash protocol specification 1 defines three cases for the encoding of a memo field:

          -
        • a UTF-8 human-readable string 2, padded by appending zero bytes; or
          • +
        • a UTF-8 human-readable string 2, padded by appending zero bytes; or
        • the byte 0xF6 followed by 511 0x00 bytes, indicating "no memo"; or
        • any other sequence of 512 bytes starting with a byte value 0xF5 or greater (which is therefore not a valid UTF-8 string), as specified in ZIP 302.
        diff --git a/zip-0304.html b/zip-0304.html index 44d520f2..0a27ba8d 100644 --- a/zip-0304.html +++ b/zip-0304.html @@ -19,7 +19,7 @@ License: MIT Discussions-To: <https://github.com/zcash/zips/issues/345> Pull-Request: <https://github.com/zcash/zips/pull/376>

        Terminology

        -

        The key words "MUST" and "SHOULD" in this document is to be interpreted as described in RFC 2119. 1

        +

        The key words "MUST" and "SHOULD" in this document is to be interpreted as described in RFC 2119. 1

        Abstract

        This proposal describes a mechanism for creating signatures with Sapling addresses, suitable for use by the signmessage and verifymessage RPC methods in zcashd.

        @@ -32,25 +32,25 @@ Pull-Request: <https://githu

        One of the R&D achievements behind the Sapling protocol was the ability to use elliptic curves inside a circuit. With this primitive available, Sapling keys and payment addresses could be designed such that transaction authorization involved a signature. While this was designed to enable hardware wallets (which lack the power to create zero-knowledge proofs, but can easily create signatures), it also enables the creation of a mechanism for signing arbitrary messages. That mechanism is the subject of this ZIP.

        Conventions

        -

        The following constants and functions used in this ZIP are defined in the Zcash protocol specification: 3

        +

        The following constants and functions used in this ZIP are defined in the Zcash protocol specification: 3

        We also reproduce some notation and functions here for convenience:

        @@ -257,7 +257,7 @@ Pull-Request: <https://githu , for a total size of 320 bytes.

        When encoding a ZIP 304 signature in a human-readable format, implementations SHOULD use standard Base64 for compatibility with the signmessage and verifymessage RPC methods in zcashd. ZIP 304 signatures in this form are 428 bytes. The encoded form is the string \(\texttt{"zip304:"}\) - followed by the result of Base64-encoding 2 the raw form of the signature.

        + followed by the result of Base64-encoding 2 the raw form of the signature.

        Rationale

        diff --git a/zip-0307.html b/zip-0307.html index 84193c3e..84ed7277 100644 --- a/zip-0307.html +++ b/zip-0307.html @@ -18,7 +18,7 @@ Status: Draft Created: 2018-09-17 License: MIT

        Terminology

        -

        The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

        +

        The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

        The terms below are to be interpreted as follows:

        Light client
        @@ -39,7 +39,7 @@ License: MIT
      • Light client that subscribes to the stream from a proxy server and uses that data to update its own view of the chain state. The light client MAY be attached to a wallet backend that will track particular Sapling notes.
      - +
      Outline of the light wallet architecture
      @@ -56,40 +56,40 @@ License: MIT
    • Detect a spend of your shielded Sapling notes
    • Update your witnesses to generate new Sapling spend proofs.
      • -

      A compact block and its component compact transactions are encoded on the wire using the following Protocol Buffers 9 format:

      - 
      message BlockID {
-     uint64 blockHeight = 1;
-     bytes blockHash = 2;
+            
      A compact block and its component compact transactions are encoded on the wire using the following Protocol Buffers 9 format:
      
+            
      message BlockID {
+     uint64 blockHeight = 1;
+     bytes blockHash = 2;
 }
 
-message CompactBlock {
-    BlockID id = 1;
-    repeated CompactTx vtx = 3;
+message CompactBlock {
+    BlockID id = 1;
+    repeated CompactTx vtx = 3;
 }
 
-message CompactTx {
-    uint64 txIndex = 1;
-    bytes txHash = 2;
+message CompactTx {
+    uint64 txIndex = 1;
+    bytes txHash = 2;
 
-    repeated CompactSpend spends = 3;
-    repeated CompactOutput outputs = 4;
+    repeated CompactSpend spends = 3;
+    repeated CompactOutput outputs = 4;
 }
 
-message CompactSpend {
-    bytes nf = 1;
+message CompactSpend {
+    bytes nf = 1;
 }
 
-message CompactOutput {
-    bytes cmu = 1;
-    bytes epk = 2;
-    bytes ciphertext = 3;
+message CompactOutput {
+    bytes cmu = 1;
+    bytes epk = 2;
+    bytes ciphertext = 3;
 }
      
             
      Encoding Details 
      
                 
      blockHash, txHash, nf, cmu, and epk are encoded as specified in the Zcash Protocol Spec.
      
                 
      The output and spend descriptions are handled differently, as described in the following sections.
      
             
      
             
      Output Compression 
      
-                
      In the normal Zcash protocol, the output ciphertext consists of the AEAD-encrypted form of a note plaintext 5:
      
+                
      In the normal Zcash protocol, the output ciphertext consists of the AEAD-encrypted form of a note plaintext 5:
    @@ -107,7 +107,7 @@ License: MIT

    Since the note commitment is sent outside the ciphertext and is authenticated by the binding signature over the entire transaction, it serves as an adequate check on the validity of the decrypted plaintext (assuming you trust the entity assembling transactions). We therefore recalculate the note commitment from the decrypted plaintext. If the recalculated commitment matches the one in the output, we accept the note as valid and spendable.

    Spend Compression

    -

    Recall that a full Sapling Spend description is 384 bytes long 6:

    +

    Recall that a full Sapling Spend description is 384 bytes long 6:

    @@ -156,38 +156,38 @@ License: MIT

    The proxy's purpose is to provide a scalable and bandwidth-efficient interface between a Zcash node and any number of light clients. It accomplishes this by parsing a blockwise stream of transactions from the node and converting them into the compact format described above.

    The details of the API described below may differ from the implementation.

    The proxy offers the following API to clients:

    - 
    service CompactTxStreamer {
-    rpc GetLatestBlock(ChainSpec) returns (BlockID) {}
-    rpc GetBlock(BlockID) returns (CompactBlock) {}
-    rpc GetBlockRange(RangeFilter) returns (stream CompactBlock) {}
-    rpc GetTransaction(TxFilter) returns (FullTransaction) {}
+            
    service CompactTxStreamer {
+    rpc GetLatestBlock(ChainSpec) returns (BlockID) {}
+    rpc GetBlock(BlockID) returns (CompactBlock) {}
+    rpc GetBlockRange(RangeFilter) returns (stream CompactBlock) {}
+    rpc GetTransaction(TxFilter) returns (FullTransaction) {}
 }
 
 // Remember that proto3 fields are all optional.
 
 // Someday we may want to specify e.g. a particular chain fork.
-message ChainSpec {}
+message ChainSpec {}
 
 
 // A BlockID message contains identifiers to select a block: either a
 // height or a hash.
-message BlockID {
-    uint64 blockHeight = 1;
-    bytes blockHash = 2;
+message BlockID {
+    uint64 blockHeight = 1;
+    bytes blockHash = 2;
 }
 
 
-message RangeFilter {
-    BlockID start = 1;
-    BlockID end = 2;
+message RangeFilter {
+    BlockID start = 1;
+    BlockID end = 2;
 }
 
 // A TxFilter contains the information needed to identify a particular
 // transaction: either a block and an index, or a direct transaction hash.
-message TxFilter {
-    BlockID blockID = 1;
-    uint64 txIndex = 2;
-    bytes txHash = 3;
+message TxFilter {
+    BlockID blockID = 1;
+    uint64 txIndex = 2;
+    bytes txHash = 3;
 }
    
         
         
    Client operation 
    
@@ -201,7 +201,7 @@ License: MIT
    \((\mathtt{cmu}, \mathtt{ephemeralKey}, \mathsf{ciphertext})\) with an incoming viewing key \(\mathsf{ivk}\) - is a slight deviation from the standard decryption process 4 (all constants and algorithms are as defined there):

    + is a slight deviation from the standard decryption process 4 (all constants and algorithms are as defined there):

    • let \(\mathsf{epk} = \mathsf{abst}_{\mathbb{J}}(\mathtt{ephemeralKey})\) @@ -293,7 +293,7 @@ License: MIT

    Creating and updating note witnesses

    -

    As CompactBlocks are received in height order, and the transactions within them have their order preserved, the cmu values in each CompactOutput can be sequentially appended to an incremental Merkle tree of depth 32 in order to maintain a local copy of the Sapling note commitment tree. 2 This can then be used to create incremental witnesses for each unspent note the light client is tracking. 10 An incremental witness updated to height X corresponds to a Merkle path from the note to the Sapling commitment tree anchor for block X. 3

    +

    As CompactBlocks are received in height order, and the transactions within them have their order preserved, the cmu values in each CompactOutput can be sequentially appended to an incremental Merkle tree of depth 32 in order to maintain a local copy of the Sapling note commitment tree. 2 This can then be used to create incremental witnesses for each unspent note the light client is tracking. 10 An incremental witness updated to height X corresponds to a Merkle path from the note to the Sapling commitment tree anchor for block X. 3

    Let tree be the Sapling note commitment tree at height X-1, and note_witnesses be the incremental witnesses for unspent notes detected up to height X-1. When the CompactBlock at height X is received:

    • For each CompactTx in CompactBlock: @@ -319,7 +319,7 @@ License: MIT

    Block header validation

    This section describes a proposed enhancement that has been only partially implemented: currently only prevHash is checked.

    -

    If the CompactBlock for height X contains a block header, the light client can validate it in a similar way to SPV clients 11 by performing the following checks:

    +

    If the CompactBlock for height X contains a block header, the light client can validate it in a similar way to SPV clients 11 by performing the following checks:

    • version >= MIN_BLOCK_VERSION
    • prevHash == prevBlock.id.blockHash where prevBlock is the previous CompactBlock received (at height X-1).
      • diff --git a/zip-0308.html b/zip-0308.html index bb3035da..315b3795 100644 --- a/zip-0308.html +++ b/zip-0308.html @@ -16,7 +16,7 @@ Category: Standards / RPC / Wallet Created: 2018-11-27 License: MIT

      Terminology

      -

      The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      +

      The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      The terms below are to be interpreted as follows:

      Sprout protocol
      @@ -29,9 +29,9 @@ License: MIT

      This proposal describes privacy-preserving procedures to migrate funds from Sprout to Sapling z-addresses; and supporting RPC operations to enable, disable, and monitor the migration process.

      Motivation

      -

      Zcash Sapling 4 introduces significant efficiency improvements relative to the previous iteration of the Zcash shielded protocol, Sprout. These improvements will pave the way for broad mobile, exchange and vendor adoption of shielded addresses.

      +

      Zcash Sapling 4 introduces significant efficiency improvements relative to the previous iteration of the Zcash shielded protocol, Sprout. These improvements will pave the way for broad mobile, exchange and vendor adoption of shielded addresses.

      Therefore, we anticipate that users will want to migrate all their shielded funds from Sprout to Sapling.

      -

      The Zcash consensus rules prohibit direct transfers from Sprout to Sapling z-addresses, unless the amount is revealed by sending it through the "transparent value pool" 2. The primary motivation for this is to allow detection of any overall inflation of the Zcash monetary base, due to exploitation of possible vulnerabilities in the shielded protocols or their implementation, or a compromise of the Sprout multi-party computation. (It is not necessary for Sprout -> Sapling transfers to go via a t-address.)

      +

      The Zcash consensus rules prohibit direct transfers from Sprout to Sapling z-addresses, unless the amount is revealed by sending it through the "transparent value pool" 2. The primary motivation for this is to allow detection of any overall inflation of the Zcash monetary base, due to exploitation of possible vulnerabilities in the shielded protocols or their implementation, or a compromise of the Sprout multi-party computation. (It is not necessary for Sprout -> Sapling transfers to go via a t-address.)

      Since the exposure of the migrated amount potentially compromises the privacy of users, we wish to define a way to perform the migration that mitigates this privacy leak as far as possible. This can be done by hiding individual migration transactions among those of all users that are doing the migration at around the same time.

      The security analysis of migration strategies is quite subtle; the more obvious potential strategies can leak a lot of information.

      @@ -68,7 +68,7 @@ License: MIT

      Transaction schedule

      When migration is enabled, a node will send up to 5 transactions for inclusion in each block with height a multiple of 500 (that is, they are sent immediately after seeing a block with height 499, modulo 500). Up to the limit of 5, as many transactions are sent as are needed to migrate the remaining funds (possibly with a remainder less than 0.01 ZEC left unmigrated).

      Nodes SHOULD NOT send migration transactions during initial block download, or if the timestamp of the triggering block (with height 499, modulo 500) is more than three hours in the past according to the node's adjusted local clock.

      -

      Note: the 500-block interval has not been altered as a result of the halving of target block spacing to 75 seconds with the Blossom upgrade. 5

      +

      Note: the 500-block interval has not been altered as a result of the halving of target block spacing to 75 seconds with the Blossom upgrade. 5

      The migration transactions to be sent in a particular batch can take significant time to generate, and this time depends on the speed of the user's computer. If they were generated only after a block is seen at the target height minus 1, then this could leak information. Therefore, for target height N, implementations SHOULD start generating the transactions at around height N-5 (provided that block's timestamp is not more than three hours in the past). Each migration transaction SHOULD specify an anchor at height N-10 for each Sprout JoinSplit description (and therefore only notes created before this anchor are eligible for migration).

      Open questions:

        @@ -130,7 +130,7 @@ License: MIT

    (The estimated times for larger amounts halved as a result of the target block spacing change in Blossom.)

    The simulation also depends on the amounts sent as specified in the next section. It includes the time spent waiting for the first batch to be sent.

    -

    The code used for this simulation is at 6.

    +

    The code used for this simulation is at 6.

    How much to send in each transaction

    @@ -178,7 +178,7 @@ License: MIT 
    -migration=0/1

    The destination z-address can optionally be set by another option:

    -migrationdestaddress=<zaddr>
    -

    If this option is not present then the migration destination address is the address for Sapling account 0, with the default diversifier 3.

    +

    If this option is not present then the migration destination address is the address for Sapling account 0, with the default diversifier 3.

    The state variable can also be set for a running node using the following RPC method:

    z_setmigration true/false

    It is intentional that the only option associated with the migration is the destination z-address. Other options could potentially distinguish users.

    diff --git a/zip-0310.html b/zip-0310.html index f09f85e9..8bc14225 100644 --- a/zip-0310.html +++ b/zip-0310.html @@ -17,7 +17,7 @@ License: MIT

    Terminology

    Sapling FVK
    -
    A Sapling full viewing key as described in 1, or a Sapling extended full viewing key as described in 3.
    +
    A Sapling full viewing key as described in 1, or a Sapling extended full viewing key as described in 3.
    GUARANTEED
    Information that can be learned by the holder of a Sapling FVK, and ensured to be correct by the Sapling protocol, given the cryptographic assumptions underlying that protocol.
    UNVERIFIED
    @@ -115,7 +115,7 @@ License: MIT

    The balance of a tally after a particular block is defined as the sum of note values that are spendable, according to the Sapling protocol, using the extended spending key associated with the tally, in a block chain that extends from that block.

    Ian can attempt to keep track of a given tally’s balance as of a given block. This would be done as follows:

      -
    • Scan the chain from Sapling activation up to and including the specified block, collecting all of the Sapling spends and Sapling outputs up to and including that block that are relevant to the FVK, as specified in section 4.19 of the Protocol Specification 2. This produces a ReceivedSet of notes that were received by that tally, and a SpentSet of notes that were spent from it.
      • +
    • Scan the chain from Sapling activation up to and including the specified block, collecting all of the Sapling spends and Sapling outputs up to and including that block that are relevant to the FVK, as specified in section 4.19 of the Protocol Specification 2. This produces a ReceivedSet of notes that were received by that tally, and a SpentSet of notes that were spent from it.
    • Compute the balance as the sum of the values of all notes appearing in ReceivedSet but not in SpentSet.

    The following inaccuracies may occur in balance accounting:

    diff --git a/zip-0313.html b/zip-0313.html index 70c432d1..bf18835f 100644 --- a/zip-0313.html +++ b/zip-0313.html @@ -23,7 +23,7 @@ Pull-Request: <https://githu

    Abstract

    The goal of this ZIP is to gather wallet developers, miners & Zcash users for social consensus on reducing the conventional transaction fees and to get the Zcash conventional transaction fee reduced from 10,000 zatoshis to 1,000 zatoshis.

    -

    In addition, this specification harmonizes transaction fees between different kinds of transaction (involving shielded addresses, transparent addresses, or both), as proposed in 6.

    +

    In addition, this specification harmonizes transaction fees between different kinds of transaction (involving shielded addresses, transparent addresses, or both), as proposed in 6.

    Motivation

    The conventional transaction fee presently is 0.0001 ZEC or 10,000 zatoshis. At a ZEC market price of USD 100, for example, a user can send 10,000 transactions for 1 ZEC. This works out to 1 U.S. cent per transaction and it rises with any increase in the price of ZEC.

    @@ -43,8 +43,8 @@ Pull-Request: <https://githu

    Security and privacy considerations

    Unique transaction fees may reveal specific users or wallets or wallet versions, which would reduce privacy for those specific users and the rest of the network. Hence this change should be accepted by a majority of shielded transaction software providers before deploying the change.

    -

    Varying/unique fees are bad for privacy. For the short term before blocks get full, it is fine for everyone to use a constant fee, as long as it is enough to compensate miners for including the transaction. 1

    -

    Long term, the issue of fees needs to be re-visited in separate future proposals as the blocks start getting consistently full. New ZIPs with flexible fees, such as 2, along with scaling solutions, will need to be evaluated and applied.

    +

    Varying/unique fees are bad for privacy. For the short term before blocks get full, it is fine for everyone to use a constant fee, as long as it is enough to compensate miners for including the transaction. 1

    +

    Long term, the issue of fees needs to be re-visited in separate future proposals as the blocks start getting consistently full. New ZIPs with flexible fees, such as 2, along with scaling solutions, will need to be evaluated and applied.

    Denial of Service Vulnerability

    A transaction-rate-based denial of service attack occurs when an attacker generates enough transactions over a window of time to prevent legitimate transactions from being mined, or to hinder syncing blocks for full nodes or miners.

    There are two primary protections to this kind of attack in Zcash: the block size limit, and transaction fees. The block size limit ensures that full nodes and miners can keep up with the block chain even if blocks are completely full. However, users sending legitimate transactions may not have their transactions confirmed in a timely manner.

    @@ -58,10 +58,10 @@ Pull-Request: <https://githu

    Wallets implementing this specification will use a default fee of 0.00001 ZEC (1000 zatoshis) from block 1,080,000, for all transactions.

    Transaction relaying

    zcashd, and potentially other node implementations, implements fee-based restrictions on relaying of mempool transactions. Nodes that normally relay transactions are expected to do so for transactions that pay at least the conventional fee, unless there are other reasons not to do so for robustness or denial-of-service mitigation.

    -

    In zcashd 4.2.0, this change is implemented by 7.

    +

    In zcashd 4.2.0, this change is implemented by 7.

    Mempool size limiting

    -

    zcashd limits the size of the mempool as described in 8. This specifies a low_fee_penalty that is added to the "eviction weight" if the transaction pays a fee less than (in the original ZIP) 10,000 zatoshis. This threshold is modified to match the new conventional fee in zcashd 4.2.0.

    +

    zcashd limits the size of the mempool as described in 8. This specifies a low_fee_penalty that is added to the "eviction weight" if the transaction pays a fee less than (in the original ZIP) 10,000 zatoshis. This threshold is modified to match the new conventional fee in zcashd 4.2.0.

    Support

    @@ -70,9 +70,9 @@ Pull-Request: <https://githu
  • Zbay;
  • Zecwallet Suite (Zecwallet Lite for Desktop/iOS/Android & Zecwallet FullNode);
  • Nighthawk Wallet for Android & iOS;
    • -
  • zcashd built-in wallet 5.
    • +
  • zcashd built-in wallet 5.
    • -

    In zcashd this fee change is implemented in version 4.2.0 (not dependent on block height), and in that version is limited to transactions created using z_* RPC APIs. It is planned to extend this to all transactions in a future version 6.

    +

    In zcashd this fee change is implemented in version 4.2.0 (not dependent on block height), and in that version is limited to transactions created using z_* RPC APIs. It is planned to extend this to all transactions in a future version 6.

    Acknowledgements

    Thanks to Nathan Wilcox for suggesting improvements to the denial of service section. Thanks to Daira Hopwood and Deirdre Connolly for reviewing and fixing the wording in this ZIP.

    diff --git a/zip-0316.html b/zip-0316.html index c50f9fc9..76751a2d 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -22,7 +22,7 @@ Created: 2021-04-07 License: MIT Discussions-To: <https://github.com/zcash/zips/issues/482>

    Terminology

    -

    The key words "MUST", "MUST NOT", and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

    +

    The key words "MUST", "MUST NOT", and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

    The terms below are to be interpreted as follows:

    Recipient
    @@ -62,7 +62,7 @@ Discussions-To: <https://g
    Address Encoding
    The externally visible encoding of an Address (e.g. as a string of characters or a QR code).
    -

    Notation for sequences, conversions, and arithmetic operations follows the Zcash protocol specification 3.

    +

    Notation for sequences, conversions, and arithmetic operations follows the Zcash protocol specification 3.

    Abstract

    This proposal defines Unified Addresses, which bundle together Zcash Addresses of different types in a way that can be presented as a single Address Encoding. It also defines Unified Viewing Keys, which perform a similar function for Zcash viewing keys.

    @@ -74,8 +74,8 @@ Discussions-To: <https://g
  • Sprout Addresses
  • Sapling Addresses
    • -

    Each of these has its own Address Encodings, as a string and as a QR code. (Since the QR code is derivable from the string encoding as described in 8, for many purposes it suffices to consider the string encoding.)

    -

    The Orchard proposal 24 adds a new Address type, Orchard Addresses.

    +

    Each of these has its own Address Encodings, as a string and as a QR code. (Since the QR code is derivable from the string encoding as described in 8, for many purposes it suffices to consider the string encoding.)

    +

    The Orchard proposal 24 adds a new Address type, Orchard Addresses.

    The difficulty with defining new Address Encodings for each Address type, is that end-users are forced to be aware of the various types, and in particular which types are supported by a given Consumer or Recipient. In order to make sure that transfers are completed successfully, users may be forced to explicitly generate Addresses of different types and re-distribute encodings of them, which adds significant friction and cognitive overhead to understanding and using Zcash.

    The goals for a Unified Address standard are as follows:

    Viewing Keys

    -

    A Unified Full Viewing Key (resp. Unified Incoming Viewing Key) can be used in a similar way to a Full Viewing Key (resp. Incoming Viewing Key) as described in the Zcash Protocol Specification 2.

    -

    For a Transparent P2PKH Address that is derived according to BIP 32 27 and BIP 44 30, the nearest equivalent to a Full Viewing Key or Incoming Viewing Key for a given BIP 44 account is an extended public key, as defined in the section “Extended keys” of BIP 32. Therefore, UFVKs and UIVKs should be able to include such extended public keys.

    +

    A Unified Full Viewing Key (resp. Unified Incoming Viewing Key) can be used in a similar way to a Full Viewing Key (resp. Incoming Viewing Key) as described in the Zcash Protocol Specification 2.

    +

    For a Transparent P2PKH Address that is derived according to BIP 32 27 and BIP 44 30, the nearest equivalent to a Full Viewing Key or Incoming Viewing Key for a given BIP 44 account is an extended public key, as defined in the section “Extended keys” of BIP 32. Therefore, UFVKs and UIVKs should be able to include such extended public keys.

    A wallet should support deriving a UIVK from a UFVK, and a Unified Address from a UIVK.

    Open Issues and Known Concerns

    @@ -155,10 +155,10 @@ Discussions-To: <https://g

    Encoding of Unified Full/Incoming Viewing Keys

    @@ -238,7 +238,7 @@ Discussions-To: <https://g \(\mathsf{EncodeExtFVKParts}(\mathsf{ak}, \mathsf{nk}, \mathsf{ovk}, \mathsf{dk})\) , where \(\mathsf{EncodeExtFVKParts}\) - is defined in 14. This SHOULD be derived from the Extended Full Viewing Key at the Account level of the ZIP 32 hierarchy. + is defined in 14. This SHOULD be derived from the Extended Full Viewing Key at the Account level of the ZIP 32 hierarchy.
  • A Sapling IVK Encoding, also with Typecode \(\mathtt{0x02},\) is an encoding of @@ -249,19 +249,19 @@ Discussions-To: <https://g
  • There is no defined way to represent a Viewing Key for a Transparent P2SH Address in a UFVK or UIVK (because P2SH Addresses cannot be diversified in an unlinkable way). The Typecode \(\mathtt{0x01}\) MUST NOT be included in a UFVK or UIVK by Producers, and MUST be treated as unrecognized by Consumers.
    • -
  • For Transparent P2PKH Addresses that are derived according to BIP 32 27 and BIP 44 30, the FVK and IVK Encodings have Typecode +
  • For Transparent P2PKH Addresses that are derived according to BIP 32 27 and BIP 44 30, the FVK and IVK Encodings have Typecode \(\mathtt{0x00}.\) Both of these are encodings of the chain code and public key \((\mathsf{c}, \mathsf{pk})\) given by \(\mathsf{c}\,||\,\mathsf{ser_P}(\mathsf{pk})\) - . (This is the same as the last 65 bytes of the extended public key format defined in section “Serialization format” of BIP 32 28.) However, the FVK uses the key at the Account level, i.e. at path + . (This is the same as the last 65 bytes of the extended public key format defined in section “Serialization format” of BIP 32 28.) However, the FVK uses the key at the Account level, i.e. at path \(m / 44' / coin\_type' / account'\) , while the IVK uses the external (non-change) child key at the Change level, i.e. at path \(m / 44' / coin\_type' / account' / 0\) .
    • -

    The Human-Readable Parts (as defined in 33) of Unified Viewing Keys are defined as follows:

    +

    The Human-Readable Parts (as defined in 33) of Unified Viewing Keys are defined as follows:

    • uivk” for Unified Incoming Viewing Keys on Mainnet;
    • uivktest” for Unified Incoming Viewing Keys on Testnet;
      • @@ -286,13 +286,13 @@ Discussions-To: <https://g \(\mathtt{length}\) fields are encoded as \(\mathtt{compactSize}.\) - 36 (Although existing Receiver Encodings and Viewing Key Encodings are all less than 256 bytes and so could use a one-byte length field, encodings for experimental types may be longer.) + 36 (Although existing Receiver Encodings and Viewing Key Encodings are all less than 256 bytes and so could use a one-byte length field, encodings for experimental types may be longer.)
    • Within a single UA or UVK, all HD-derived Receivers, FVKs, and IVKs SHOULD represent an Address or Viewing Key for the same account (as used in the ZIP 32 or BIP 44 Account level).
    • For Transparent Addresses, the Receiver Encoding does not include the first two bytes of a raw encoding.
      • -
    • There is intentionally no Typecode defined for a Sprout Shielded Payment Address or Sprout Incoming Viewing Key. Since it is no longer possible (since activation of ZIP 211 in the Canopy network upgrade 23) to send funds into the Sprout chain value pool, this would not be generally useful.
      • +
    • There is intentionally no Typecode defined for a Sprout Shielded Payment Address or Sprout Incoming Viewing Key. Since it is no longer possible (since activation of ZIP 211 in the Canopy network upgrade 23) to send funds into the Sprout chain value pool, this would not be generally useful.
    • Consumers MUST ignore constituent Items with Typecodes they do not recognize.
    • Consumers MUST reject Unified Addresses/Viewing Keys in which the same Typecode appears more than once, or that include both P2SH and P2PKH Transparent Addresses, or that contain only a Transparent Address.
      • -
    • Consumers MUST reject Unified Addresses/Viewing Keys in which any constituent Item does not meet the validation requirements of its encoding, as specified in this ZIP and the Zcash Protocol Specification 2.
      • +
    • Consumers MUST reject Unified Addresses/Viewing Keys in which any constituent Item does not meet the validation requirements of its encoding, as specified in this ZIP and the Zcash Protocol Specification 2.
    • Consumers MUST reject Unified Addresses/Viewing Keys in which the constituent Items are not ordered in ascending Typecode order. Note that this is different to priority order, and does not affect which Receiver in a Unified Address should be used by a Sender.
    • There MUST NOT be additional bytes at the end of the raw encoding that cannot be interpreted as specified above.
    • If the encoding of a Unified Address/Viewing Key is shown to a user in an abridged form due to lack of space, at least the first 20 characters MUST be included.
      • @@ -305,7 +305,7 @@ Discussions-To: <https://g

    Adding new types

    -

    It is intended that new Receiver Types and Viewing Key Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 13.

    +

    It is intended that new Receiver Types and Viewing Key Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 13.

    For experimentation prior to proposing a ZIP, experimental types MAY be added using the reserved Typecodes \(\mathtt{0xFFFA}\) to @@ -320,7 +320,7 @@ Discussions-To: <https://g \(\mathtt{0xFC}\) inclusive are reserved to indicate Metadata Items other than Receivers or Viewing Keys. These items MAY affect the overall interpretation of the UA / UVK (for example, by specifying an expiration date).

    Since Metadata Items are not Receivers, they MUST NOT be selected by a Sender when choosing a Receiver to send to, and since they are not Viewing Keys, they MUST NOT provide additional authority to view information about transactions.

    -

    Currently no Metadata Types are defined. New Metadata Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 13.

    +

    Currently no Metadata Types are defined. New Metadata Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 13.

    Deriving Internal Keys

    In addition to external addresses suitable for giving out to Senders, a wallet typically requires addresses for internal operations such as change and auto-shielding.

    @@ -344,7 +344,7 @@ Discussions-To: <https://g \(\mathsf{CRH^{ivk}}\) or \(\mathsf{Commit^{ivk}}\) - (for Sapling and Orchard respectively). Derivation of an internal shielded FVK from an external shielded FVK is specified in the "Sapling internal key derivation" 17 and "Orchard internal key derivation" 19 sections of ZIP 32.

    + (for Sapling and Orchard respectively). Derivation of an internal shielded FVK from an external shielded FVK is specified in the "Sapling internal key derivation" 17 and "Orchard internal key derivation" 19 sections of ZIP 32.

    To satisfy the above properties for transparent (P2PKH) keys, we derive the external and internal \(\mathsf{ovk}\) components from the transparent FVK @@ -357,7 +357,7 @@ Discussions-To: <https://g \(\mathsf{ser_P}(pk)\) is \(33\) - bytes, as specified in 28. + bytes, as specified in 28.

  • Let \(\mathsf{ovk_{external}}\) be the first @@ -372,16 +372,16 @@ Discussions-To: <https://g \(I_\mathsf{ovk}\) .
    • -

    Since an external P2PKH FVK encodes the chain code and public key at the Account level, we can derive both external and internal child keys from it, as described in BIP 44 31. It is possible to derive an internal P2PKH FVK from the external P2PKH FVK (i.e. its parent) without having the external spending key, because child derivation at the Change level is non-hardened.

    +

    Since an external P2PKH FVK encodes the chain code and public key at the Account level, we can derive both external and internal child keys from it, as described in BIP 44 31. It is possible to derive an internal P2PKH FVK from the external P2PKH FVK (i.e. its parent) without having the external spending key, because child derivation at the Change level is non-hardened.

    Deriving a UIVK from a UFVK

    The following derivations are applied to each component FVK:

      -
    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • -
    • For an Orchard FVK, the corresponding Orchard IVK is obtained as specified in 5.
      • +
    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • +
    • For an Orchard FVK, the corresponding Orchard IVK is obtained as specified in 5.
    • For a Transparent P2PKH FVK, the corresponding Transparent P2PKH IVK is obtained by deriving the child key with non-hardened index \(0\) - as described in 29.
      • + as described in 29.

    In each case, the Typecode remains the same as in the FVK.

    Items (including Metadata Items) that are unrecognized by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a UIVK from a UFVK.

    @@ -389,7 +389,7 @@ Discussions-To: <https://g

    Deriving a Unified Address from a UIVK

    To derive a Unified Address from a UIVK we need to choose a diversifier index, which MUST be valid for all of the Viewing Key Types in the UIVK. That is,

      -
    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 16.
      • +
    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 16.
    • A Transparent diversifier index MUST be in the range \(0\) to @@ -399,9 +399,9 @@ Discussions-To: <https://g

    The following derivations are applied to each component IVK using the diversifier index:

      -
    • For a Sapling IVK, the corresponding Sapling Receiver is obtained as specified in 4.
      • -
    • For an Orchard IVK, the corresponding Orchard Receiver is obtained as specified in 5.
      • -
    • For a Transparent P2PKH IVK, the diversifier index is used as a BIP 44 child key index at the Index level 32 to derive the corresponding Transparent P2PKH Receiver. As is usual for derivations below the BIP 44 Account level, non-hardened (public) derivation 29 MUST be used. The IVK is assumed to correspond to the extended public key for the external (non-change) element of the path. That is, if the UIVK was constructed correctly then the BIP 44 path of the Transparent P2PKH Receiver will be +
    • For a Sapling IVK, the corresponding Sapling Receiver is obtained as specified in 4.
      • +
    • For an Orchard IVK, the corresponding Orchard Receiver is obtained as specified in 5.
      • +
    • For a Transparent P2PKH IVK, the diversifier index is used as a BIP 44 child key index at the Index level 32 to derive the corresponding Transparent P2PKH Receiver. As is usual for derivations below the BIP 44 Account level, non-hardened (public) derivation 29 MUST be used. The IVK is assumed to correspond to the extended public key for the external (non-change) element of the path. That is, if the UIVK was constructed correctly then the BIP 44 path of the Transparent P2PKH Receiver will be \(m / 44' / \mathit{coin\_type\kern0.05em'} / \mathit{account\kern0.1em'} / 0 / \mathit{diversifier\_index}.\)
    @@ -409,8 +409,8 @@ Discussions-To: <https://g

    Items (including Metadata Items) that are unrecognized by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a Receiver from a UIVK.

    Usage of Outgoing Viewing Keys

    -

    When a Sender constructs a transaction that creates Sapling or Orchard notes, it uses an outgoing viewing key, as described in 6 and 7, to encrypt an outgoing ciphertext. Decryption with the outgoing viewing key allows recovering the sent note plaintext, including destination address, amount, and memo. The intention is that this outgoing viewing key should be associated with the source of the funds.

    -

    However, the specification of which outgoing viewing key should be used is left somewhat open in 6 and 7; in particular, it was unclear whether transfers should be considered as being sent from an address, or from a ZIP 32 account 20. The adoption of multiple shielded protocols that support outgoing viewing keys (i.e. Sapling and Orchard) further complicates this question, since from NU5 activation, nothing at the consensus level prevents a wallet from spending both Sapling and Orchard notes in the same transaction. (Recommendations about wallet usage of multiple pools will be given in ZIP 315 25.)

    +

    When a Sender constructs a transaction that creates Sapling or Orchard notes, it uses an outgoing viewing key, as described in 6 and 7, to encrypt an outgoing ciphertext. Decryption with the outgoing viewing key allows recovering the sent note plaintext, including destination address, amount, and memo. The intention is that this outgoing viewing key should be associated with the source of the funds.

    +

    However, the specification of which outgoing viewing key should be used is left somewhat open in 6 and 7; in particular, it was unclear whether transfers should be considered as being sent from an address, or from a ZIP 32 account 20. The adoption of multiple shielded protocols that support outgoing viewing keys (i.e. Sapling and Orchard) further complicates this question, since from NU5 activation, nothing at the consensus level prevents a wallet from spending both Sapling and Orchard notes in the same transaction. (Recommendations about wallet usage of multiple pools will be given in ZIP 315 25.)

    Here we refine the protocol specification in order to allow more precise determination of viewing authority for UFVKs.

    A Sender will attempt to determine a "sending Account" for each transfer. The preferred approach is for the API used to perform a transfer to directly specify a sending Account. Otherwise, if the Sender can ascertain that all funds used in the transfer are from addresses associated with some Account, then it SHOULD treat that as the sending Account. If not, then the sending Account is undetermined.

    The Sender also determines a "preferred sending protocol" —one of "transparent", "Sapling", or "Orchard"— corresponding to the most preferred Receiver Type (as given in Encoding of Unified Addresses) of any funds sent in the transaction.

    @@ -553,7 +553,7 @@ c^{n+m}}{q}.\) \(0 \text{ up to } \mathsf{ceiling}(\ell_R/\ell_H)-1].\)

    - +
    Diagram of 4-round unkeyed Feistel construction

    (In practice the lengths @@ -584,7 +584,7 @@ c^{n+m}}{q}.\)

    Heuristic analysis

    A 3-round unkeyed Feistel, as shown, is not sufficient:

    - +
    Diagram of 3-round unkeyed Feistel construction

    Suppose that an adversary has a target input/output pair diff --git a/zip-0317.html b/zip-0317.html new file mode 100644 index 00000000..58163f1f --- /dev/null +++ b/zip-0317.html @@ -0,0 +1,25 @@ + + + + ZIP 317: Proportional Transfer Fee Mechanism + + + +

    + 
    ZIP: 317
+Title: Proportional Transfer Fee Mechanism
+Owners: Aditya Bharadwaj <nighthawk24@gmail.com>
+Credits: Madars Virza
+         Kris Nuttycombe
+         Daira Hopwood
+         Jack Grigg
+         Francisco Gindre
+Status: Reserved
+Category: Standards / Wallet
+Created: 2022-08-15
+License: MIT
+Discussions-To: <https://forum.zcashcommunity.com/t/zip-proportional-output-fee-mechanism-pofm/42808>
+Pull-Request: <https://github.com/zcash/zips/pull/631>
    +
    + + \ No newline at end of file diff --git a/zip-0317.rst b/zip-0317.rst new file mode 100644 index 00000000..c8399c68 --- /dev/null +++ b/zip-0317.rst @@ -0,0 +1,16 @@ +:: + + ZIP: 317 + Title: Proportional Transfer Fee Mechanism + Owners: Aditya Bharadwaj + Credits: Madars Virza + Kris Nuttycombe + Daira Hopwood + Jack Grigg + Francisco Gindre + Status: Reserved + Category: Standards / Wallet + Created: 2022-08-15 + License: MIT + Discussions-To: + Pull-Request: diff --git a/zip-0318.html b/zip-0318.html new file mode 100644 index 00000000..f60a9b25 --- /dev/null +++ b/zip-0318.html @@ -0,0 +1,20 @@ + + + + ZIP 318: Associated Payload Encryption + + + +
    + 
    ZIP: 318
+Title: Associated Payload Encryption
+Owners: Kris Nuttycombe <kris@electriccoin.co>
+        Daira Hopwood <daira@electriccoin.co>
+Status: Reserved
+Category: Standards Track
+Created: 2022-09-19
+License: MIT
+Discussions-To: <https://github.com/zcash/zips/issues/633>
    +
    + + \ No newline at end of file diff --git a/zip-0318.rst b/zip-0318.rst new file mode 100644 index 00000000..a7d0c24a --- /dev/null +++ b/zip-0318.rst @@ -0,0 +1,11 @@ +:: + + ZIP: 318 + Title: Associated Payload Encryption + Owners: Kris Nuttycombe + Daira Hopwood + Status: Reserved + Category: Standards Track + Created: 2022-09-19 + License: MIT + Discussions-To: diff --git a/zip-0319.html b/zip-0319.html new file mode 100644 index 00000000..12088159 --- /dev/null +++ b/zip-0319.html @@ -0,0 +1,20 @@ + + + + ZIP 319: Options for Shielded Pool Retirement + + + +
    + 
    ZIP: 319
+Title: Options for Shielded Pool Retirement
+Owners: Nathan Wilcox <nathan@electriccoin.co>
+        Daira Hopwood <daira@electriccoin.co>
+Status: Reserved
+Category: Informational
+Created: 2022-09-20
+License: MIT
+Discussions-To: <https://github.com/zcash/zips/issues/635>
    +
    + + \ No newline at end of file diff --git a/zip-0319.rst b/zip-0319.rst new file mode 100644 index 00000000..c5803436 --- /dev/null +++ b/zip-0319.rst @@ -0,0 +1,11 @@ +:: + + ZIP: 319 + Title: Options for Shielded Pool Retirement + Owners: Nathan Wilcox + Daira Hopwood + Status: Reserved + Category: Informational + Created: 2022-09-20 + License: MIT + Discussions-To: diff --git a/zip-0321.html b/zip-0321.html index c928f264..c31aea12 100644 --- a/zip-0321.html +++ b/zip-0321.html @@ -17,8 +17,8 @@ Discussions-To: <https://g Pull-Request: <https://github.com/zcash/zips/pull/395> License: MIT

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.11 of the Zcash Protocol Specification 10.

    +

    The key words "MUST", "MUST NOT", "SHOULD", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.11 of the Zcash Protocol Specification 10.

    The terms below are to be interpreted as follows:

    payment
    @@ -33,7 +33,7 @@ License: MIT

    Motivation

    In order for a robust transactional ecosystem to evolve for Zcash, it is necessary for vendors to be able to issue requests for payment. At present, the best option available is to manually specify a payment address, a payment amount, and potentially memo field content. Of these three components, existing wallets only provide functionality for reading payment addresses in a semi-automated fashion. It is then necessary for the user to manually enter payment amounts and any associated memo information, which is tedious and may be error-prone, particularly if a payment is intended for multiple recipients or the memo field information contains structured data that must be faithfully reproduced.

    This ZIP seeks to eliminate these issues by proposing a standard format that wallet vendors may support so that human intervention is required only for approval, not creation, of such a transaction.

    -

    In Bitcoin, two different standards exist to permit vendors to issue payment requests that are understood by wallets: BIP-0021 5 and BIP-0070 6. BIP-0021 provides a URI format that can be interpreted by a wallet to construct simple, single-recipient transactions; BIP-0070 uses a protobuf-based protocol that permits requests for transactions of arbitrary complexity.

    +

    In Bitcoin, two different standards exist to permit vendors to issue payment requests that are understood by wallets: BIP-0021 5 and BIP-0070 6. BIP-0021 provides a URI format that can be interpreted by a wallet to construct simple, single-recipient transactions; BIP-0070 uses a protobuf-based protocol that permits requests for transactions of arbitrary complexity.

    The format proposed in this ZIP seeks a middle ground between these approaches: to provide a URI-based format which supports both the trivial use case and the slightly-more-complex situation where a transaction may include payments to multiple recipients.

    Requirements

    @@ -42,7 +42,7 @@ License: MIT

    Specification

    URI Syntax

    -

    The following syntax specification uses ABNF 2.

    +

    The following syntax specification uses ABNF 2.

    zcashurn        = "zcash:" ( zcashaddress [ "?" zcashparams ] / "?" zcashparams )
 zcashaddress    = 1*( ALPHA / DIGIT )
 zcashparams     = zcashparam [ "&" zcashparams ]
@@ -60,7 +60,7 @@ License: MIT
    otherparam = paramname [ paramindex ] [ "=" *qchar ] qchar = unreserved / pct-encoded / allowed-delims / ":" / "@" allowed-delims = "!" / "$" / "'" / "(" / ")" / "*" / "+" / "," / ";" -

    Here, ALPHA, unreserved and pct-encoded are as defined in 3. "base64url" is defined as in 4 with padding omitted. (Note that this uses a different alphabet to the usual base64; the values 62 and 63 in the alphabet are encoded as - and _ respectively. Implementations MUST NOT accept the characters +, /, and = that occur only in the usual base64.)

    +

    Here, ALPHA, unreserved and pct-encoded are as defined in 3. "base64url" is defined as in 4 with padding omitted. (Note that this uses a different alphabet to the usual base64; the values 62 and 63 in the alphabet are encoded as - and _ respectively. Implementations MUST NOT accept the characters +, /, and = that occur only in the usual base64.)

    Productions of the form 1*x indicate one or more successive instances of the production x. Productions of the form <n>*<m>x indicate at least <n> and at most <m> instances of production x.

    Note that this grammar does not allow percent encoding outside the productions that use qchar, i.e. the values of label, message, reqparam, and otherparam parameters.

    Purported ZIP 321 URIs that cannot be parsed according to the above grammar MUST NOT be accepted.

    @@ -68,16 +68,16 @@ License: MIT

    URI Semantics

    A ZIP-321 URI represents a request for the construction of a transaction having one or more payments. In the case that only a single payment is being requested, the recipient address SHOULD be included in the hier-part component of the RFC 3986 URI; otherwise, multiple recipient addresses can be specified using addrparam parameters with different indices.

    Addresses, amounts, labels, and messages sharing the same paramindex (including the empty paramindex) are interpreted to be associated with the same payment for the purposes of payment construction. A paramindex MUST NOT have leading zero(s). There is no significance to the ordering of parameters, and paramindex values need not be sequential.

    -

    Due to restrictions on transaction construction described in 11, there may be no more than 2109 distinct payments requested by a single ZIP-321 URI.

    +

    Due to restrictions on transaction construction described in 11, there may be no more than 2109 distinct payments requested by a single ZIP-321 URI.

    A URI of the form zcash:<address>?... MUST be considered equivalent to a URI of the form zcash:?address=<address>&... where <address> is an instance of zcashaddress.

    If there are any non-address parameters having a given paramindex, then the URI MUST contain an address parameter having that paramindex. There MUST NOT be more than one occurrence of a given parameter and paramindex.

    Implementations SHOULD check that each instance of zcashaddress is a valid string encoding of either:

      -
    • a Zcash transparent address, using Base58Check 7 as defined in 12; or
      • -
    • a Zcash Sapling address, using Bech32 8 as defined in 13.
      • +
    • a Zcash transparent address, using Base58Check 7 as defined in 12; or
      • +
    • a Zcash Sapling address, using Bech32 8 as defined in 13.

    New address formats may be added in future. If the context of whether the payment URI is intended for Testnet or Mainnet is available, then each address SHOULD be checked to be for the correct network.

    -

    Sprout addresses MUST NOT be supported in payment requests. The rationale for this is that transfers to Sprout addresses will, at activation of the Canopy network upgrade, be restricted by ZIP 211 9; it cannot generally be expected that senders will have funds available in the Sprout pool with which to satisfy requests for payment to a Sprout address.

    +

    Sprout addresses MUST NOT be supported in payment requests. The rationale for this is that transfers to Sprout addresses will, at activation of the Canopy network upgrade, be restricted by ZIP 211 9; it cannot generally be expected that senders will have funds available in the Sprout pool with which to satisfy requests for payment to a Sprout address.

    Transfer amount

    If an amount is provided, it MUST be specified in decimal ZEC. If a decimal fraction is present then a period (.) MUST be used as the separating character to separate the whole number from the decimal fraction, and both the whole number and the decimal fraction MUST be nonempty. No other separators (such as commas for grouping or thousands) are permitted. Leading zeros in the whole number or trailing zeros in the decimal fraction are ignored. There MUST NOT be more than 8 digits in the decimal fraction.

    @@ -128,7 +128,7 @@ zcash:tmEZhbWHTpdKMw5it8YDspUXSMGQyFwovpU?%61mount=1 zcash:%74mEZhbWHTpdKMw5it8YDspUXSMGQyFwovpU?amount=1

    Invalid; percent encoding is only allowed in qchar productions, which do not include addresses, amounts, or parameter names.

    zcash://tmEZhbWHTpdKMw5it8YDspUXSMGQyFwovpU?amount=1
    -

    Invalid; the grammar does not allow //. ZIP 321 URIs are not "hierarchical URIs" in the sense defined in 3 section 1.2.3, and do not have an "authority component".

    +

    Invalid; the grammar does not allow //. ZIP 321 URIs are not "hierarchical URIs" in the sense defined in 3 section 1.2.3, and do not have an "authority component".

    Forward compatibility

    diff --git a/zip-0400.html b/zip-0400.html index 59da568a..704bb007 100644 --- a/zip-0400.html +++ b/zip-0400.html @@ -14,7 +14,7 @@ Category: Wallet Created: 2020-05-26 License: MIT

    Terminology

    -

    The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The key words "MUST" and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    Abstract

    This proposal defines the current format used in zcashd for wallet persistent storage, commonly known as wallet.dat.

    @@ -23,7 +23,7 @@ License: MIT

    The process of saving wallet data into disk is currently unspecified. The key-values used in the current implementation are undocumented, and their structure and functionality are unknown without a deep analysis of the involved source code. This document details the schema and the mechanics of the wallet database. This is an informational document, no changes will be done to the source code.

    Specification

    -

    Zcash stores wallet information in a Berkeley database (BDB) 2 commonly known as wallet.dat. The main purpose of this is the persistence of public and private keys the user created and the ability to recover the wallet state after a node restart. This file also allows the migration of user information from one node to another by moving the database to the corresponding new data directory, assuming both zcashd instances are running the same or similar version. A re-index may be necessary after this operation.

    +

    Zcash stores wallet information in a Berkeley database (BDB) 2 commonly known as wallet.dat. The main purpose of this is the persistence of public and private keys the user created and the ability to recover the wallet state after a node restart. This file also allows the migration of user information from one node to another by moving the database to the corresponding new data directory, assuming both zcashd instances are running the same or similar version. A re-index may be necessary after this operation.

    The current database is a key-value store where keys and values can have multiple data types in binary format. The first data found in a database key is always the property name, the rest of the key is generally used to identify a record, for example:

    <------ KEY ----+- VALUE ->
 ---------------------------
@@ -190,7 +190,7 @@ License: MIT
    hdseed* - Hierarchical Deterministic seed. 4 + Hierarchical Deterministic seed. 4
    1. uint256 seedFp
      2. @@ -463,8 +463,8 @@ License: MIT

      The wallet database file may become corrupted. There are utilities in the zcutil/bin directory that may help with recovering it if this happens. Please ask for help on the Zcash forum or Community Discord.

    Wallet Encryption

    -

    Encryption will not be discussed in this document in detail as it is expected for the algorithm to change in the future according to the Wallet format ZIP issue: 3.

    -

    For a deeper understanding of the current encryption mechanism please refer to 5

    +

    Encryption will not be discussed in this document in detail as it is expected for the algorithm to change in the future according to the Wallet format ZIP issue: 3.

    +

    For a deeper understanding of the current encryption mechanism please refer to 5

    diff --git a/zip-0401.html b/zip-0401.html index 13104849..c63991bb 100644 --- a/zip-0401.html +++ b/zip-0401.html @@ -14,14 +14,14 @@ Category: Network Created: 2019-09-09 License: MIT

    Terminology

    -

    The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    +

    The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    Abstract

    This proposal specifies a change to the behaviour of zcashd nodes intended to mitigate denial-of-service from transaction flooding.

    Motivation

    Adoption of this proposal would increase robustness of Zcash nodes against denial-of-service attack, in particular attacks that attempt to exhaust node memory.

    -

    Bitcoin Core added size limitation for the mempool in version 0.12 6, defaulting to 300 MB. This was after Zcash forked from Bitcoin Core.

    +

    Bitcoin Core added size limitation for the mempool in version 0.12 6, defaulting to 300 MB. This was after Zcash forked from Bitcoin Core.

    Requirements

    The memory usage of a node’s mempool should be bounded.

    @@ -29,7 +29,7 @@ License: MIT

    Any configuration options should have reasonable defaults, i.e. without changing relevant configuration, a node should be adequately protected from denial-of-service via mempool memory exhaustion.

    Non-requirements

    -

    The current architecture of Zcash imposes fundamental limits on scaling of transaction throughput. This proposal does not increase the aggregate transaction capacity of the network. (The Blossom upgrade does increase transaction capacity, by a factor of two 2.)

    +

    The current architecture of Zcash imposes fundamental limits on scaling of transaction throughput. This proposal does not increase the aggregate transaction capacity of the network. (The Blossom upgrade does increase transaction capacity, by a factor of two 2.)

    Denial-of-service issues in the messaging layer of the peer-to-peer protocol are out of scope for this proposal.

    This proposal is focused primarily on memory exhaustion attacks. It does not attempt to use fees to make denial-of-service economically prohibitive, since that is unlikely to be feasible while maintaining low fees for legitimate users. It does not preclude changes in fee policy.

    @@ -39,8 +39,8 @@ License: MIT

    max(serialized transaction size in bytes, 4000)

    -

    Each transaction also has an eviction weight, which is cost + low_fee_penalty, where low_fee_penalty is 16000 if the transaction pays a fee less than the conventional fee, otherwise 0. The conventional fee is currently defined as 1000 zatoshis 5.

    -

    Each node also MUST hold a FIFO queue RecentlyEvicted of pairs (txid, time), where the time indicates when the transaction with the given txid was evicted. The txid (rather than the wtxid as defined in 3) is used even for version 5 transactions after activation of NU5 4.

    +

    Each transaction also has an eviction weight, which is cost + low_fee_penalty, where low_fee_penalty is 16000 if the transaction pays a fee less than the conventional fee, otherwise 0. The conventional fee is currently defined as 1000 zatoshis 5.

    +

    Each node also MUST hold a FIFO queue RecentlyEvicted of pairs (txid, time), where the time indicates when the transaction with the given txid was evicted. The txid (rather than the wtxid as defined in 3) is used even for version 5 transactions after activation of NU5 4.

    The RecentlyEvicted queue SHOULD be empty on node startup. The size of RecentlyEvicted SHOULD never exceed eviction_memory_entries entries, which is the constant 40000.

    There MUST be a configuration option mempooltxcostlimit, which SHOULD default to 80000000.

    There MUST be a configuration option mempoolevictionmemoryminutes, which SHOULD default to 60.

    @@ -60,9 +60,9 @@ License: MIT

    Rationale

    The accounting for transaction size should include some overhead per transaction, to reflect the cost to the network of processing them (proof and signature verification; networking overheads; size of in-memory data structures). The implication of not including overhead is that a denial-of-service attacker would be likely to use minimum-size transactions so that more of them would fit in a block, increasing the unaccounted-for overhead. A possible counterargument would be that the complexity of accounting for this overhead is unwarranted given that the format of a transaction already imposes a minimum size. However, the proposed cost function is almost as simple as using transaction size directly.

    The threshold 4000 for the cost function is chosen so that the size in bytes of a typical fully shielded Sapling transaction (with, say, 2 shielded outputs and up to 5 shielded inputs) will fall below the threshold. This has the effect of ensuring that such transactions are not evicted preferentially to typical transparent transactions because of their size.

    -

    The proposed eviction policy differs significantly from that of Bitcoin Core 6, which is primarily fee-based. This reflects differing philosophies about the motivation for fees and the level of fee that legitimate users can reasonably be expected to pay. The proposed eviction weight function does involve a penalty for transactions with a fee lower than the standard (0.0001 ZEC) value, but since there is no further benefit to increasing the fee above the standard value, it creates no pressure toward escalating fees. For transactions up to 4000 bytes, this penalty makes a transaction that pays less than the standard fee value five times as likely to be chosen for eviction (because 4000 + 16000 = 20000 = 4000 * 5).

    +

    The proposed eviction policy differs significantly from that of Bitcoin Core 6, which is primarily fee-based. This reflects differing philosophies about the motivation for fees and the level of fee that legitimate users can reasonably be expected to pay. The proposed eviction weight function does involve a penalty for transactions with a fee lower than the standard (0.0001 ZEC) value, but since there is no further benefit to increasing the fee above the standard value, it creates no pressure toward escalating fees. For transactions up to 4000 bytes, this penalty makes a transaction that pays less than the standard fee value five times as likely to be chosen for eviction (because 4000 + 16000 = 20000 = 4000 * 5).

    The fee penalty is not included in the cost that determines whether the mempool is considered full. This ensures that a DoS attacker does not have an incentive to pay less than the standard fee in order to cause the mempool to be considered full sooner.

    -

    The default value of 80000000 for mempooltxcostlimit represents no more than 40 blocks’ worth of transactions in the worst case, which is the default expiration height after the Blossom network upgrade 2. It would serve no purpose to make it larger.

    +

    The default value of 80000000 for mempooltxcostlimit represents no more than 40 blocks’ worth of transactions in the worst case, which is the default expiration height after the Blossom network upgrade 2. It would serve no purpose to make it larger.

    The mempooltxcostlimit is a per-node configurable parameter in order to provide flexibility for node operators to change it either in response to attempted denial-of-service attacks, or if needed to handle spikes in transaction demand. It may also be useful for nodes running in memory-constrained environments to reduce this parameter.

    The limit of eviction_memory_entries = 40000 entries in RecentlyEvicted bounds the memory needed for this data structure. Since a txid is 32 bytes and a timestamp 8 bytes, 40000 entries can be stored in ~1.6 MB, which is small compared to other node memory usage (in particular, small compared to the maximum memory usage of the mempool itself under the default mempooltxcostlimit). eviction_memory_entries entries should be sufficient to mitigate any performance loss caused by re-accepting transactions that were previously evicted. In particular, since a transaction has a minimum cost of 4000, and the default mempooltxcostlimit is 80000000, at most 20000 transactions can be in the mempool of a node using the default parameters. While the number of transactions “in flight” or across the mempools of all nodes in the network could exceed this number, we believe that is unlikely to be a problem in practice.

    Note that the RecentlyEvicted queue is intended as a performance optimization under certain conditions, rather than as a DoS-mitigation measure in itself.

    @@ -74,7 +74,7 @@ License: MIT

    Reference implementation

    References

    diff --git a/zip-0401.rst b/zip-0401.rst index 1abad5bf..9bf30692 100644 --- a/zip-0401.rst +++ b/zip-0401.rst @@ -201,7 +201,7 @@ Reference implementation ======================== * `PR 4145: Implementation `_ -* `PR 4166: macOS compliation fix `_ +* `PR 4166: macOS compilation fix `_ References diff --git a/zip-1001.html b/zip-1001.html index 9f23a836..01321105 100644 --- a/zip-1001.html +++ b/zip-1001.html @@ -15,15 +15,15 @@ Created: 2019-08-01 License: CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0/> Discussions-To: <https://forum.zcashcommunity.com/t/zip-proposal-keep-the-block-distribution-as-initaly-defined-90-to-miners/33843>

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC 2119. 2

    +

    The key words "MUST", "MUST NOT", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC 2119. 2

    For clarity this ZIP defines these terms:

    • Mining software in the context of this ZIP refers to pool software, local mining software, or staking software.
    • Mining is defined as the action of processing transactions, so this would include proof of stake, if Zcash would switch to that.
    • Mining coins transferred via fees are considered rewards (infinite), coins generated via block generation are considered distribution (finite).
    • Block distribution is defined as the block reward minus transaction fees. the protocol specification uses "block subsidy".
      • -
    • Spirit is defined as what is the intended outcome of the ZIP. 1
      • -
    • Initial promise is non-neutral language referencing the block distribution rules as initially set out. 3
      • +
    • Spirit is defined as what is the intended outcome of the ZIP. 1
      • +
    • Initial promise is non-neutral language referencing the block distribution rules as initially set out. 3
    @@ -60,8 +60,8 @@ Discussions-To: <

    Specification

      -
    • The existing Founders’ Reward consensus rules 4 5 MUST be preserved.
      • -
    • Specifically, FoundersReward(height) MUST equal 0 if Halving(height) >= 1. (For clarity once the halving happens the Founders’ Reward stops, as per the rules outlined in 4 and 5.)
      • +
    • The existing Founders’ Reward consensus rules 4 5 MUST be preserved.
      • +
    • Specifically, FoundersReward(height) MUST equal 0 if Halving(height) >= 1. (For clarity once the halving happens the Founders’ Reward stops, as per the rules outlined in 4 and 5.)
    • This specification is only meant to stop the Founders’ Reward, not protocol-based donations.
    • Enforcing some kind of mandatory donation via whatever mechanism would be seen as continuation of the Founders’ Reward.
    diff --git a/zip-1002.html b/zip-1002.html index 3f48640b..44cad897 100644 --- a/zip-1002.html +++ b/zip-1002.html @@ -15,7 +15,7 @@ Created: 2019-07-17 License: CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0/> Discussions-To: <https://forum.zcashcommunity.com/t/zip-proposal-a-genuine-opt-in-protocol-level-development-donation-option/33846>

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 3

    +

    The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 3

    This ZIP defines these terms:

    • Signalling is defined as expressing a voice through whatever mechanism is implemented or sought for that decision. In the context of this ZIP it primarily refers to signalling what to do with funds. This could be done by miners, straw poll, coinbase, proof of value, some internet poll thing, etc.
      • @@ -31,7 +31,7 @@ Discussions-To: <1 +
    • Spirit is defined as what is the intended outcome of the ZIP. 1
    @@ -60,7 +60,7 @@ Discussions-To: <

    Requirements

      -
    • An additional opt-in mechanism, baked into the protocol. This is a condition of the Zcash Foundation too. 2
      • +
    • An additional opt-in mechanism, baked into the protocol. This is a condition of the Zcash Foundation too. 2
    • Give an alterative to redistribution of either the current block distribution structure or the emission curve.
    • The funding received by the Electric Coin Company and/or Zcash Foundation under this proposal MUST only be used to fund ZEC development for the lifetime of their receipt of it.
    • To give a strong indication to the community and users that they have freedom to decide what they do with their coins and donations.
      • @@ -73,7 +73,7 @@ Discussions-To: <4) that the Foundation would only support proposals that: a) don’t rely on the Foundation being a single gatekeeper of funds; b) don’t change the upper bound of ZEC supply; and c) have some kind of opt-in mechanism for choosing to disburse funds (from miners and/or users). +
    The Zcash Foundation has stated (later clarified in 4) that the Foundation would only support proposals that: a) don’t rely on the Foundation being a single gatekeeper of funds; b) don’t change the upper bound of ZEC supply; and c) have some kind of opt-in mechanism for choosing to disburse funds (from miners and/or users).
    diff --git a/zip-1003.html b/zip-1003.html index 9e66f881..8d940548 100644 --- a/zip-1003.html +++ b/zip-1003.html @@ -15,7 +15,7 @@ Created: 2019-06-19 License: MIT Discussions-To: <https://forum.zcashcommunity.com/t/dev-fund-proposal-20-split-between-the-ecc-and-the-foundation/33862>

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC 2119. 1

    +

    The key words "MUST", "MUST NOT", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC 2119. 1

    For clarity in this ZIP I define these terms:

    2nd Halvening period
    @@ -63,11 +63,11 @@ Discussions-To: <2. +
  • Yearly reviews of organization performance, along the lines of the State of the Zcash Foundation report 2.

    • Requirements Specifically for the ECC

    -

    Motivated by the Zcash Foundation’s proposal that the ECC become a non-profit 3, I am going to list general requirements for the ECC to abide by if they choose to receive funds and work on behalf of ZEC holders.

    +

    Motivated by the Zcash Foundation’s proposal that the ECC become a non-profit 3, I am going to list general requirements for the ECC to abide by if they choose to receive funds and work on behalf of ZEC holders.

    1. Because I share the Foundation’s concern that the ECC could be “beholden to its shareholders”, I am mandating that the ECC should be working in the service of the Zcash community and shall serve no other masters. The original investors/founders who are not still working in the service of the Zcash community SHOULD NOT have control over the use of the new development funds.
    2. The revenue received from the Dev Fund SHOULD NOT be used to give further rewards to, even indirectly, the investors, founders, or shareholders of the ECC, who are not working on Zcash after the first halving. They have already received the Founders’ Reward and this new development fund is not supposed to further benefit them.
      3. diff --git a/zip-1004.html b/zip-1004.html index d6ddaf00..a070c30c 100644 --- a/zip-1004.html +++ b/zip-1004.html @@ -15,7 +15,7 @@ Created: 2019-06-19 License: public domain Discussions-To: <https://forum.zcashcommunity.com/t/dev-fund-proposal-miner-directed-dev-fund-was-20-to-any-combination-of-ecc-zfnd-parity-or-burn/33864>

      Terminology

      -

      The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      +

      The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      For clarity, this ZIP defines these terms:

      2nd Halvening Period
      @@ -37,8 +37,8 @@ Discussions-To: <

      Motivation

      -

      Like most development fund proposals, this is motivated by the potential value to the Zcash community of using newly minted coins to hire developers to continue improving Zcash. 2

      -

      Unlike most other development fund proposals, this proposal is distinct in providing a fine-grained “opt-in” 3 feature, since miners have the choice to provide a small amount of development funding or none at all.

      +

      Like most development fund proposals, this is motivated by the potential value to the Zcash community of using newly minted coins to hire developers to continue improving Zcash. 2

      +

      Unlike most other development fund proposals, this proposal is distinct in providing a fine-grained “opt-in” 3 feature, since miners have the choice to provide a small amount of development funding or none at all.

      Requirements

        @@ -53,7 +53,7 @@ Discussions-To: <

        Examples

        -

        The following examples illustrate how miners can build the outputs of the coinbase transactions to allocate the MDDF to eligible developers. Assume Dev1, Dev2 are the hardcoded addresses of eligible developers, and Miner is the address of the mining pool mining this block. Assume that the total newly minted coins are 3.125 ZEC per block during the 2nd Halvening Period (this takes into account the change to a 75-second block target spacing after the Blossom Network Upgrade 5), and that DF% = 20%, MR% = 80%.

        +

        The following examples illustrate how miners can build the outputs of the coinbase transactions to allocate the MDDF to eligible developers. Assume Dev1, Dev2 are the hardcoded addresses of eligible developers, and Miner is the address of the mining pool mining this block. Assume that the total newly minted coins are 3.125 ZEC per block during the 2nd Halvening Period (this takes into account the change to a 75-second block target spacing after the Blossom Network Upgrade 5), and that DF% = 20%, MR% = 80%.

        Example 1: Split equally between two developers

        The transaction outputs of the coinbase transaction are as follows:

          @@ -79,7 +79,7 @@ Discussions-To: <4, have suggested that a 20% development fund would set a precedent for a perpetual 20% development fund. This proposal is explicitly limited in scope to the 2nd Halvening Period. Thus adopting this proposal on its own, if there are no further updates, would result in the the development fund ending in 2024. +
        • Several others, notably the Blocktown Capital proposal 4, have suggested that a 20% development fund would set a precedent for a perpetual 20% development fund. This proposal is explicitly limited in scope to the 2nd Halvening Period. Thus adopting this proposal on its own, if there are no further updates, would result in the the development fund ending in 2024.

      References

      diff --git a/zip-1006.html b/zip-1006.html index 8ca8ce5d..5ef580ed 100644 --- a/zip-1006.html +++ b/zip-1006.html @@ -18,7 +18,7 @@ Created: 2019-08-31 License: MIT Discussions-To: <https://forum.zcashcommunity.com/t/blocktown-development-fund-proposal-10-to-a-2-of-3-multisig-with-community-involved-third-entity/34782>

      Terminology

      -

      The key words “MUST”, “SHOULD”, “SHOULD NOT”, and “MAY” in this document are to be interpreted as described in RFC 2119. 1

      +

      The key words “MUST”, “SHOULD”, “SHOULD NOT”, and “MAY” in this document are to be interpreted as described in RFC 2119. 1

      The additional terms below are to be interpreted as follows:

      Mining
      @@ -28,7 +28,7 @@ Discussions-To: <9 or otherwise. +
      Any consensus rule change to the Zcash protocol, introduced as part of the standard Zcash Network Upgrade Pipeline 9 or otherwise.
      Founder’s Reward
      The 20% ZEC from mined blocks allocated to the Electric Coin Company (ECC), Zcash Foundation (ZF), employees, investors and/or other entities prior to the expected first halving in October 2020.
      Zcash Development Fund
      @@ -56,13 +56,13 @@ Discussions-To: <2. +
    3. Prior to any movement of funds from the Zcash Development Fund, the ZF and ECC MUST coordinate with each other and the community to establish the Third Entity that will be involved in governance of the Zcash Development Fund. The process of determining the exact initial composition and rules of governance of the Third Entity MUST involve the Zcash community at large in a process similar to that outlined in the section "How the Foundation will select a particular proposal" in the ZF’s August 6, 2019 statement 2.

      4. The governance rules of the Third Entity MUST include the following:

      • All decision-making and other governing processes of the Third Entity MUST be independent of the ECC and ZF, and MUST include measures that are necessary to avoid conflicts of interest in relation to the ECC and ZF.
      • At creation, the Third Entity MUST include an uneven number of at least 5 individuals with independent previous affiliations, each having a single vote. All such decisions MUST have majority support within the Third Entity to result in an overall approving vote by the Third Entity.
        • -
      • Once the Third Entity is established, it MAY decide to change its rules of governance (e.g. simple majority versus supermajority rules), but any such change MUST be preceded by the involvement of the Zcash community at large, similar to the process outlined in the ZF’s August 6, 2019 statement 2.
        • +
      • Once the Third Entity is established, it MAY decide to change its rules of governance (e.g. simple majority versus supermajority rules), but any such change MUST be preceded by the involvement of the Zcash community at large, similar to the process outlined in the ZF’s August 6, 2019 statement 2.
      • Once the Third Entity is established as a self-governing body, it SHOULD evolve toward a system whereby ZEC holders have a direct role in determining votes and internal governance of the Third Entity.
      • The Third Entity MAY apply for funding from the Zcash Development Fund, if deemed appropriate by its governing body. This would be subject to a majority vote by the ECC, ZF and Third Entity.
      @@ -79,23 +79,23 @@ Discussions-To: <2. All transfers from the Zcash Development Fund MUST be in full accordance with the requirements described in this proposal.

      +

      Any decision to alter the governance of the Zcash Development Fund as described in this proposal and in final detail by the ECC, ZF, and Third Entity MUST involve the Zcash community at large, similar to the process outlined in the ZF’s August 6, 2019 statement 2. All transfers from the Zcash Development Fund MUST be in full accordance with the requirements described in this proposal.

      Issues not addressed in this proposal/Out-of-Scope

        -
      • Details of the decision-making process for supporting or rejecting this or other relevant proposals by the ECC, ZF, and/or other Zcash stakeholders. We do maintain, however, that any decision by the ECC and/or the ZF on the issue described in the Motivation section below SHOULD be preceded by the procedures for measuring community sentiment as outlined in the ZF’s August 6, 2019 statement 2.
        • +
      • Details of the decision-making process for supporting or rejecting this or other relevant proposals by the ECC, ZF, and/or other Zcash stakeholders. We do maintain, however, that any decision by the ECC and/or the ZF on the issue described in the Motivation section below SHOULD be preceded by the procedures for measuring community sentiment as outlined in the ZF’s August 6, 2019 statement 2.
      • Additional methods for measuring community sentiment MAY include a way for ZEC holders to signal their support of specific proposals.
        • -
      • The matter of whether the ECC should reorganize itself into a non-profit or remain for-profit, as addressed by the ZF in their August 6, 2019 statement 2. The current proposal is neutral on this matter, and funding from the Development Fund would be available for non-profit and/or for-profit entities. We consider the governance rules of the Development Fund outlined in this Specification section adequate for transparency and accountability.
        • +
      • The matter of whether the ECC should reorganize itself into a non-profit or remain for-profit, as addressed by the ZF in their August 6, 2019 statement 2. The current proposal is neutral on this matter, and funding from the Development Fund would be available for non-profit and/or for-profit entities. We consider the governance rules of the Development Fund outlined in this Specification section adequate for transparency and accountability.

      Motivation

      The Zcash network is scheduled to undergo its first halving in October 2020, per current protocol specifications. At the time of the first halving, the codebase dictates that the Founder’s Reward, which consists of 20% of the ZEC from every block reward, will be terminated. Without codebase modification, for example in the upcoming NU4 Network Upgrade, 100% of block rewards would be claimed by miners after the first halving.

      -

      The two organizations presently leading development and maintenance of the Zcash network receive funds from the Founder’s Reward. These organizations, the ECC and ZF, have recently requested a source of funding after the first halving in order to continue operations for the foreseeable future. The source of funds could theoretically be from either a modification to the codebase dictating a Zcash Development Fund from block rewards or, alternatively, from external sources. The ECC has indicated though that it would “wind down or pivot” rather than accept funding from any sources that would give “special interests” control over the ECC 3.

      +

      The two organizations presently leading development and maintenance of the Zcash network receive funds from the Founder’s Reward. These organizations, the ECC and ZF, have recently requested a source of funding after the first halving in order to continue operations for the foreseeable future. The source of funds could theoretically be from either a modification to the codebase dictating a Zcash Development Fund from block rewards or, alternatively, from external sources. The ECC has indicated though that it would “wind down or pivot” rather than accept funding from any sources that would give “special interests” control over the ECC 3.

      Based on the ECC’s demands, the block reward appears to be the most agreeable source of resources for a Zcash Development Fund.

      -

      This proposal, originally published in the Zcash Community Forum on August 14, 2019 4 and formalized further in a blog post on August 23, 2019 5, outlines the funding mechanism and governance of such a Zcash Development Fund. Herein, we propose a feature of NU4 whereby 10% of the ZEC from every new block reward between the first halving and second halving would be directly deposited in a Zcash Development Fund.

      +

      This proposal, originally published in the Zcash Community Forum on August 14, 2019 4 and formalized further in a blog post on August 23, 2019 5, outlines the funding mechanism and governance of such a Zcash Development Fund. Herein, we propose a feature of NU4 whereby 10% of the ZEC from every new block reward between the first halving and second halving would be directly deposited in a Zcash Development Fund.

      For the period between the launch of the Zcash network in 2016 and the first halving, there has been a centralized 20% fee known as the Founder’s Reward taken from the block reward. Other active ZIP drafts advocate a Zcash Development Fund of 20% allocation from the block reward after the first halving. We believe that a cumulative eight years of centralized fees from the block reward at the identical rate of 20% would ultimately result in a narrow community that accepts the likelihood of a perpetual 20% fee on the Zcash network.

      -

      With a Zcash Development Fund that is only 10% of the block reward, a precedent will be set that a large centralized fund is not indefinite and will decrease faster than simply the rate of block reward halvings. Although this proposal specifically addresses the period between the first and second halving, this proposed feature may set a precedent whereby the percent fee from block rewards allocated to a Zcash Development Fund continually decreases every halving, e.g. 20% (FR) from 2016-2020, 10% from 2020-2024, 5% from 2024-2028, 2.5% from 2028-2032 (effectively quartering the ZEC allocated to a development fund every four years). We believe that this social contract could restore the community’s faith in the decentralization of Zcash as the network incentives align more closely with that of Bitcoin’s over time. Alternatively, it is not unreasonable for the Zcash governance system to elect a 0% allocation for the Zcash Development Fund upon the second halving. For a more detailed exploration regarding the selection of 10%, please review the blog post ‘Proposal for 10% Dev Fund in Zcash 2020 Network Upgrade’ 6.

      +

      With a Zcash Development Fund that is only 10% of the block reward, a precedent will be set that a large centralized fund is not indefinite and will decrease faster than simply the rate of block reward halvings. Although this proposal specifically addresses the period between the first and second halving, this proposed feature may set a precedent whereby the percent fee from block rewards allocated to a Zcash Development Fund continually decreases every halving, e.g. 20% (FR) from 2016-2020, 10% from 2020-2024, 5% from 2024-2028, 2.5% from 2028-2032 (effectively quartering the ZEC allocated to a development fund every four years). We believe that this social contract could restore the community’s faith in the decentralization of Zcash as the network incentives align more closely with that of Bitcoin’s over time. Alternatively, it is not unreasonable for the Zcash governance system to elect a 0% allocation for the Zcash Development Fund upon the second halving. For a more detailed exploration regarding the selection of 10%, please review the blog post ‘Proposal for 10% Dev Fund in Zcash 2020 Network Upgrade’ 6.

      Of note, we are not suggesting or implying that the funding from the Founder’s Reward and a Zcash Development Fund would be managed in a similar way or have similar directives. The Zcash Development Fund feature that we propose for NU4 does not allocate any funds to former angel investors, VCs or vested employees. Furthermore, the Zcash Development Fund would be subject to more explicit and transparent rules of governance, as outlined in the Specification section of this proposal.

      Rationale

      @@ -112,14 +112,14 @@ Discussions-To: <6 and summarized in 7, we believe 10% instead of 20% is superior for network security, decentralization, uniting the Zcash community and renewing interest in ZEC. +
    4. The funding mechanism in this proposal is a Zcash Development Fund consisting of 10% of newly issued ZEC from block rewards after the first halving. This is in contrast to other proposals that allocate 20% of the mining rewards to the Zcash Development Fund – presumably a popular selection because the original Founder’s Reward was also set at 20%. For reasons we have explored in depth 6 and summarized in 7, we believe 10% instead of 20% is superior for network security, decentralization, uniting the Zcash community and renewing interest in ZEC.
    5. Various parameters of governance in approving Applicant requests for funding from the Zcash Development Fund.
    6. The inclusion of a Third Entity in governance. One notable objection is the possibility of collusion between Third Entity and either the ECC or ZF that would result in a “usurped” Zcash Development Fund. We believe that the process for a community elected Third Entity, however, will mature over time – giving the community and Zcash stakeholders that important third opinion in deciding the proper allocation of funds. As demonstrated by the resilience of the Bitcoin network and community, well-formed communities tend to resist any collusion with corporations and controlling entities that do not promote the direct success of the network. Moreover, the inclusion of a Third Entity has the advantage of offering a “tie-breaker” in the event of a deadlock vote between the ECC and ZF and/or a situation where one entity holds the other hostage, which is a possible scenario in a 2-of-2 multisig agreement.
    7. This proposal does not have a clause dictating that a Recipient must abstain from voting. If a Recipient must abstain from voting in a 2-of-3 multisig governance system, then this could –as in the case of 2-of-2 multisig– result in an entity holding another hostage. For example, if the ECC refuses to fund the ZF until the ZF complies with the ECC’s demands, then the ECC has the power to deadlock any vote to fund the ZF, which requires the ECC and Third Entity to both vote approvingly.

      8. Acknowledgements

      -

      Aspects of this proposal, particularly the Terminology and Specification sections, were adapted and expanded definitions and concepts put forth in Placeholder’s dev fund proposal from August 22, 2019 8.

      +

      Aspects of this proposal, particularly the Terminology and Specification sections, were adapted and expanded definitions and concepts put forth in Placeholder’s dev fund proposal from August 22, 2019 8.

      References

      diff --git a/zip-1007.html b/zip-1007.html index aae79d0e..504d7852 100644 --- a/zip-1007.html +++ b/zip-1007.html @@ -16,7 +16,7 @@ Created: 2019-08-24 License: CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0/> Discussions-To: <https://forum.zcashcommunity.com/t/dev-fund-supplemental-proposal-enforce-devfund-commitments-with-legal-charter/34709>

      Terminology

      -

      The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      +

      The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      For clarity this ZIP defines these terms:

      • Covenant is defined as a legally binding agreement, upon which a specific aspect of development of the Zcash protocol and/or adoption is scheduled and agreed.
        • @@ -34,13 +34,13 @@ Discussions-To: <

        Motivation and Requirements

        This proposal is supplemental to any Development Funding Proposal that places or purports to place conditions on how the Electric Coin Company (ECC) and the Zcash Foundation (ZF) use development funds, or take other related off-chain actions such as requirements and Covenants.

        -

        For example, the proposal 2 provides that “[f]unds accruing to the Zcash Development Fund MUST be used only for ... technical work directly connected to the various software implementations of the Zcash protocol.” However, once development funding is approved and implemented via a Network Upgrade, there will be no enforcement mechanism to ensure that the ZF and ECC abide by this requirement.

        +

        For example, the proposal 2 provides that “[f]unds accruing to the Zcash Development Fund MUST be used only for ... technical work directly connected to the various software implementations of the Zcash protocol.” However, once development funding is approved and implemented via a Network Upgrade, there will be no enforcement mechanism to ensure that the ZF and ECC abide by this requirement.

        This proposal aims to provide such an enforcement mechanism. If this proposal is adopted, then the ECC and/or ZF, as applicable MUST enter into a legal agreement that would entitle ZEC holders to enforce ECC’s/ZF’s performance of any Covenants. For the purposes of this proposal we will refer to the legal agreement as the “DevFund Charter” or “Charter” for short, but it MAY also be styled in other ways – e.g. as a Constitution, Bylaws, Fund Governance Agreement, etc.

        The DevFund Charter SHOULD be used to the benefit of all ZEC users, but the DevFund Charter MAY provide that an enforcement action requires the support of the holders of a plurality, majority or supermajority of ZEC. ZEC held by the ZF, ECC and their officers, directors, employees and/or affiliates SHOULD be excluded from the denominator in calculating the requisite plurality, majority or supermajority of ZEC.

        a "plurality" in a vote means the option that received more votes than any other single option, but it is unclear how this applies to "a plurality of ZEC". Taking into account experience from stake-weighted voting in other cryptocurrencies, the threshold of a simple majority (50%), or more, of all *issued* ZEC voting for any enforcement action would seem to be an extremely high bar.

        A quorum of yet-to-be-decided number of representatives from a number of groups specified by the DevFund Charter MAY provide that an enforcement action requires the support of the assigned representatives of each. One such mechanism SHOULD be ZEC balance, however this would require a 66% majority or a 85% supermajority. (These numbers are not binding and are up for discussion)

        It is assumed that the Electric Coin Company, Zcash Foundation, or party with a direct conflict of interest SHOULD identify their vote/signal - which MAY be rejected from the vote.

        -

        Legal enforcement MAY occur in a court of law, non-binding mediation or binding arbitration. The DevFund Charter MAY also provide rights to other Zcash community constituencies, such as specified miners or the “Third Entity” contemplated by 2.

        +

        Legal enforcement MAY occur in a court of law, non-binding mediation or binding arbitration. The DevFund Charter MAY also provide rights to other Zcash community constituencies, such as specified miners or the “Third Entity” contemplated by 2.

      Rationale

      Because ZEC holders do not have specific legal rights against the ECC or ZF, but MAY wish to condition renewed on-chain development funding on the ECC’s or ZF’s agreement to use the development funds in certain ways, ZEC holders should have the legal right to enforce ECC’s/ZF’s compliance with those agreements.

      diff --git a/zip-1008.html b/zip-1008.html index 0054d184..55ef39fd 100644 --- a/zip-1008.html +++ b/zip-1008.html @@ -16,10 +16,10 @@ Created: 2019-09-02 License: CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0/> Discussions-To: <https://forum.zcashcommunity.com/t/kek-s-proposal-fund-ecc-for-2-more-years/34778>

      Terminology

      -

      The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. 2

      +

      The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. 2

      For clarity this ZIP defines these terms:

        -
      • Spirit is defined as what is the intended outcome of the ZIP. 1
        • +
      • Spirit is defined as what is the intended outcome of the ZIP. 1
      @@ -50,7 +50,7 @@ Discussions-To: <A previous version of this ZIP stated the following requirements: "The ECC's portion of block subsidy MUST be capped at their projected 1.1m USD costs a month." and "The ECC's portion of block subsidy MUST NOT be greater than 10% of total block subsidy of any one block." These requirements were mistakenly introduced in the process of ZIP editing; they do not reflect the intent of the original author @kek. They are also inconsistent with the summary that was posted in the Community Sentiment Collection Poll blog post at <https://www.zfnd.org/blog/community-sentiment-collection-poll/>, which stated an ECC percentage of 20%. Votes on the Community Sentiment Collection Poll, the Community Advisory Panel Helios poll, and/or the stake-weighted petition reported at <https://forum.zcashcommunity.com/t/staked-poll-on-zcash-dev-fund-debate/34846/71>, should be interpreted with care in light of this ambiguity. Also note that the 1.1m USD cap could not in any case be specified as a consensus rule since there is no on-chain oracle for the USD price.

      Rationale

      -

      Provisions that referred to specific block heights have been revised since they were inconsistent with the change in block target spacing 4 that will occur with the Blossom Network Upgrade 3; and even if recalculated, fixed block heights would potentially be inconsistent with future changes in target block spacing.

      +

      Provisions that referred to specific block heights have been revised since they were inconsistent with the change in block target spacing 4 that will occur with the Blossom Network Upgrade 3; and even if recalculated, fixed block heights would potentially be inconsistent with future changes in target block spacing.

      Raised objections and issues so far

      diff --git a/zip-1010.html b/zip-1010.html index 6fabaf02..aec1113f 100644 --- a/zip-1010.html +++ b/zip-1010.html @@ -21,8 +21,8 @@ Created: 2019-08-31 License: MIT Discussions-To: <https://forum.zcashcommunity.com/t/a-grand-compromise-synthesis-zip-proposal/34812>

      Terminology

      -

      The key words "MUST", "MUST NOT", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC 2119. 1

      -

      The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 2

      +

      The key words "MUST", "MUST NOT", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC 2119. 1

      +

      The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 2

      Abstract

      I try to put the best pieces of various proposals together. A 20% of the block reward for a 4-year development fund that disburses to a trust controlled by both the Electric Coin Company (ECC) and Zcash Foundation (ZF), but with stringent controls on how funds may be allocated. It sidesteps code complexity in implementation by off-loading disbursements to a legal trust; funds the ECC/ZF; ECC stays a for-profit with restrictions; funds external parties through ZF Grants; all while carving out a limited-scoped opportunity for extending governance to more groups than the ECC/ZF.

      @@ -31,21 +31,21 @@ Discussions-To: <3 and other proposals being suggested. +
    8. The ECC and Zcash Foundation shouldn't get a blank check; accountability is a prerequisite for any disbursement, based on the Foundation's statement 3 and other proposals being suggested.
    9. It's possible for the ECC to remain a for-profit, but with (legally enforced) restrictions that ensure accountability and add teeth to their claim that no early investors are enriched by a new dev fund / no new investors are beneficiaries.
    10. A nontrivial portion of the funds should be directed to users/organisations outside of the ECC/Zcash Foundation, and the ECC/Zcash Foundation should be in the minority in deciding how these funds are disbursed (e.g. through some process with broader input beyond ECC/Zcash Foundation employees, like a more constrained version of Placeholder or Blocktower's "third party" proposals).
    11. The actual code changes for the NU4 network upgrade should be minimal and the "governance complexity" should be offloaded to legal agreements, not engineering hours. The dev fund would be deposited into a single address for the fund (ideally shielded with a viewing key) controlled through a trust (originally Andrew Miller’s idea), disbursed quarterly based on the accountability requirements and shielded adoption metrics described below. Trustees will be mutually agreed upon by the ECC and Zcash Foundation, and the Zcash Foundation will bear the cost of operating the trust.
    12. The gross amount of the dev fund should still be 20% of the block reward, and it should end in 4 years. (Unless we go through another process like this one to extend it, though I personally hope we don’t.)

      13. for security reasons, it may be useful to refine the "single address" to a list of rolling addresses as described in section 7.8 of the current protocol specification. Other references to a "single address" in this document have not been changed.

      -

      Please note: a previous version of this proposal included a portion of the funds being tied to shielded adoption, based on ideas brought forward by Eran Tromer in 4. After many discussions I came to worry about the gameability of the metric and decided to drop it entirely.

      +

      Please note: a previous version of this proposal included a portion of the funds being tied to shielded adoption, based on ideas brought forward by Eran Tromer in 4. After many discussions I came to worry about the gameability of the metric and decided to drop it entirely.

      Specification

      Upon the NU4 network activation, 20% of the mining reward (post-Blossom / post-halvening = 0.625 ZEC per block) MUST go to a single shielded address with a viewing key widely distributed and known to the community and controlled by a trust established by the ECC and Zcash Foundation. If the trust and associated address aren't established by the NU4 activation deadline, then there MUST NOT be any change to the mining reward. Every quarter-year (105,000 blocks at the post-Blossom rate), until 4 years after NU4 activation (1,680,000 blocks at the post-Blossom rate), the trust SHOULD disburse funds the following way, requiring a public report with every disbursement:

      • 30% of the fund to the ECC, if they meet the accountability requirements set by the trust/described below;
      • 30% of the fund to the Zcash Foundation, if they meet the accountability requirements set by the trust/described below;
        • -
      • 40% of the fund to the Zcash Foundation as a RESTRICTED donation 5 purely for disbursement through ZF Grants 6, with additional restrictions and stipulations described below.
        • +
      • 40% of the fund to the Zcash Foundation as a RESTRICTED donation 5 purely for disbursement through ZF Grants 6, with additional restrictions and stipulations described below.

      When this proposal was written it was expected that NU4 activation would correspond exactly to the first (October 2020) halvening. Since that may not be the case, I have resolved a potential ambiguity in the original wording by specifying that the trust disburses funds for 4 years, rather than that it disburses funds until the second (October 2024) halvening.

      Example disbursements by the trust for a hypothetical 105000-block period

      @@ -58,10 +58,10 @@ Discussions-To: <

      The trust's accountability requirements

      -

      Here I'm borrowing from the Foundation's guidance 3 but adding some stipulations to cement the Foundation's independence, prevent the Foundation from hoarding its endowment, and handle the ECC as a for-profit. Before disbursing funds each quarter, the trust MUST validate that both the ECC and Zcash Foundation:

      +

      Here I'm borrowing from the Foundation's guidance 3 but adding some stipulations to cement the Foundation's independence, prevent the Foundation from hoarding its endowment, and handle the ECC as a for-profit. Before disbursing funds each quarter, the trust MUST validate that both the ECC and Zcash Foundation:

      • Published quarterly technical roadmap reports and financial reports, detailing spending levels/burn rate and cash/ZEC on hand;
        • -
      • (if the first disbursement in a calendar year) Published a yearly review of organization performance, along the lines of the Zcash Foundation's "State of the Foundation" report 7.
        • +
      • (if the first disbursement in a calendar year) Published a yearly review of organization performance, along the lines of the Zcash Foundation's "State of the Foundation" report 7.

      For the Zcash Foundation, the trust MUST further require:

        @@ -83,7 +83,7 @@ Discussions-To: <

        The ZF Grants portion

        A portion of the dev fund goes to the Foundation but with the express (and restricted) purpose of being distributed via ZF Grants (a restriction that MUST be legally enforced by the trust). The Foundation would continue to administer ZF Grants and distribute funds, but it SHOULD NOT decide where those funds go and would not allowed to be recipients of these funds; instead, the trust MUST demand that the ZF Grants process include broader input in the manner described below. In the discussions around the various "third party" proposals, some have suggested a 3-of-5 approach where the ECC and Zcash Foundation are in the minority; I think that structure would work well for these funds. It's not the full dev fund so we are limiting the downside risk of selecting the "wrong" third parties, which also means we can give those third parties more voice (by making them outnumber the ECC/Zcash Foundation). The Foundation MAY also chose to fund ZF Grants beyond the restricted donations from the trust, but doing so would be at their discretion.

        -

        Thanks to the discussion on Matt Luongo's proposal there's a good blueprint for how this group would work. I'm borrowing some comments I made on Matt's proposal thread 8 and modifying them to apply to a ZF Grants-specific Grant Review Committee, rather than the Foundation's board.

        +

        Thanks to the discussion on Matt Luongo's proposal there's a good blueprint for how this group would work. I'm borrowing some comments I made on Matt's proposal thread 8 and modifying them to apply to a ZF Grants-specific Grant Review Committee, rather than the Foundation's board.

        The ZF Grant Review Committee would be compromised of five members, voted on in the following manner:

        • 1 seat for the ECC. Though the appointed member may change, they retain power to choose the seat for 4 years.
          • @@ -106,7 +106,7 @@ Discussions-To: <

      Why a trust?

      -

      The main reason: reducing complexity creep in consensus code. Rather than try to incorporate some complex mechanism for dev fund disbursements on-chain, we can meet the NU4 with the simplest possible code-change and spend more time ironing out the details of the trust "off-chain." Since both the ECC and the Zcash Foundation are based in the US, using a trust with well-specified criteria for disbursements is a reasonable path. This also fits in nicely with lex-node's proposal 9 for legal covenants on funding.

      +

      The main reason: reducing complexity creep in consensus code. Rather than try to incorporate some complex mechanism for dev fund disbursements on-chain, we can meet the NU4 with the simplest possible code-change and spend more time ironing out the details of the trust "off-chain." Since both the ECC and the Zcash Foundation are based in the US, using a trust with well-specified criteria for disbursements is a reasonable path. This also fits in nicely with lex-node's proposal 9 for legal covenants on funding.

      Security and Privacy Considerations

      diff --git a/zip-1013.html b/zip-1013.html index 0f68c045..666ba3f2 100644 --- a/zip-1013.html +++ b/zip-1013.html @@ -16,7 +16,7 @@ License: Public Domain Discussions-To: <https://forum.zcashcommunity.com/t/zip-keep-it-simple-zcashers-kisz-10-to-ecc-10-to-zfnd/35425> Pull-Request: <https://github.com/zcash/zips/pull/293>

      Terminology

      -

      The key words "MUST" and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

      +

      The key words "MUST" and "SHOULD" in this document are to be interpreted as described in RFC 2119. 1

      The terms below are to be interpreted as follows:

      ECC
      diff --git a/zip-1014.html b/zip-1014.html index 7cefa1d3..3dff0dd5 100644 --- a/zip-1014.html +++ b/zip-1014.html @@ -25,15 +25,15 @@ License: MIT Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polling-results-nu4-and-draft-zip-1014/35560> Pull-Request: <https://github.com/zcash/zips/pull/308>

      Terminology

      -

      The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      -

      The term "network upgrade" in this document is to be interpreted as described in ZIP 200 6 and the Zcash Trademark Donation and License Agreement (4 or successor agreement).

      -

      The terms "block subsidy" and "halving" in this document are to be interpreted as described in sections 3.10 and 7.8 of the Zcash Protocol Specification. 2

      +

      The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      +

      The term "network upgrade" in this document is to be interpreted as described in ZIP 200 6 and the Zcash Trademark Donation and License Agreement (4 or successor agreement).

      +

      The terms "block subsidy" and "halving" in this document are to be interpreted as described in sections 3.10 and 7.8 of the Zcash Protocol Specification. 2

      "Electric Coin Company", also called "ECC", refers to the Zerocoin Electric Coin Company, LLC.

      "Bootstrap Project", also called "BP", refers to the 501(c)(3) nonprofit corporation of that name.

      "Zcash Foundation", also called "ZF", refers to the 501(c)(3) nonprofit corporation of that name.

      -

      "Section 501(c)(3)" refers to that section of the U.S. Internal Revenue Code (Title 26 of the U.S. Code). 12

      -

      "Community Advisory Panel" refers to the panel of community members assembled by the Zcash Foundation and described at 11.

      -

      The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 3.

      +

      "Section 501(c)(3)" refers to that section of the U.S. Internal Revenue Code (Title 26 of the U.S. Code). 12

      +

      "Community Advisory Panel" refers to the panel of community members assembled by the Zcash Foundation and described at 11.

      +

      The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 3.

      Abstract

      This proposal describes a structure for the Zcash Development Fund, to be enacted in Network Upgrade 4 and last for 4 years. This Dev Fund would consist of 20% of the block subsidies, split into 3 slices:

      @@ -119,7 +119,7 @@ Pull-Request: <https://githu

      BP, ECC, ZF, and grant recipients MUST promptly disclose any security or privacy risks that may affect users of Zcash (by responsible disclosure under confidence to the pertinent developers, where applicable).

      BP's reports, ECC's reports, and ZF's annual report on its non-grant operations, SHOULD be at least as detailed as grant proposals/reports submitted by other funded parties, and satisfy similar levels of public scrutiny.

      -

      All substantial software whose development was funded by the Dev Fund SHOULD be released under an Open Source license (as defined by the Open Source Initiative 5), preferably the MIT license.

      +

      All substantial software whose development was funded by the Dev Fund SHOULD be released under an Open Source license (as defined by the Open Source Initiative 5), preferably the MIT license.

      Enforcement

      For grant recipients, these conditions SHOULD be included in their contract with ZF, such that substantial violation, not promptly remedied, will cause forfeiture of their grant funds and their return to ZF.

      @@ -137,8 +137,8 @@ Pull-Request: <https://githu

      Acknowledgements

      -

      This proposal is a limited modification of Eran Tromer's ZIP 1012 10 by the Zcash Foundation, the ECC, further modified by feedback from the community and the results of the latest Helios poll.

      -

      Eran's proposal is most closely based on the Matt Luongo 'Decentralize the Dev Fee' proposal (ZIP 1011) 9. Relative to ZIP 1011 there are substantial changes and mixing in of elements from @aristarchus's '20% Split Evenly Between the ECC and the Zcash Foundation' (ZIP 1003) 7, Josh Cincinnati's 'Compromise Dev Fund Proposal With Diverse Funding Streams' (ZIP 1010) 8, and extensive discussions in the Zcash Community Forum.

      +

      This proposal is a limited modification of Eran Tromer's ZIP 1012 10 by the Zcash Foundation, the ECC, further modified by feedback from the community and the results of the latest Helios poll.

      +

      Eran's proposal is most closely based on the Matt Luongo 'Decentralize the Dev Fee' proposal (ZIP 1011) 9. Relative to ZIP 1011 there are substantial changes and mixing in of elements from @aristarchus's '20% Split Evenly Between the ECC and the Zcash Foundation' (ZIP 1003) 7, Josh Cincinnati's 'Compromise Dev Fund Proposal With Diverse Funding Streams' (ZIP 1010) 8, and extensive discussions in the Zcash Community Forum.

      The authors are grateful to all of the above for their excellent ideas and any insightful discussions, and to forum users @aristarchus and @dontbeevil for valuable initial comments on ZIP 1012.

      References

      diff --git a/zip-guide.html b/zip-guide.html index f888c3a3..35ff8402 100644 --- a/zip-guide.html +++ b/zip-guide.html @@ -22,7 +22,7 @@ Pull-Request: <https://githu

      {Delete this section.}

      Terminology

      -

      {Edit this to reflect the key words that are actually used.} The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      +

      {Edit this to reflect the key words that are actually used.} The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

      The terms below are to be interpreted as follows:

      {Term to be defined}
      @@ -34,7 +34,7 @@ Pull-Request: <https://githu

      Abstract

      {Describe what this proposal does, typically in a few paragraphs.

      The Abstract should only provide a summary of the ZIP; the ZIP should remain complete without the Abstract.

      -

      Use links where applicable, e.g. 2 3.}

      +

      Use links where applicable, e.g. 2 3.}

      Motivation

      {Why is this proposal needed?

      @@ -63,8 +63,8 @@ Pull-Request: <https://githu

      Valid reStructuredText

      This is optional before publishing a PR, but to check whether a document is valid reStructuredText, first install rst2html5. E.g. on Debian-based distros:

      - 
      sudo apt-get install python3-pip pandoc perl sed
-sudo pip3 install rst2html5
      + 
      sudo apt install python3-pip pandoc perl sed
+pip3 install docutils==0.19 rst2html5

      Then, with zip-xxxx.rst in the root directory of a clone of this repo, run:

      make zip-xxxx.html

      (or just make) and view zip-xxxx.html in a web browser.

      diff --git a/zip-guide.rst b/zip-guide.rst index 6acd0890..152c800c 100644 --- a/zip-guide.rst +++ b/zip-guide.rst @@ -118,8 +118,8 @@ Valid reStructuredText This is optional before publishing a PR, but to check whether a document is valid reStructuredText, first install ``rst2html5``. E.g. on Debian-based distros:: - sudo apt-get install python3-pip pandoc perl sed - sudo pip3 install rst2html5 + sudo apt install python3-pip pandoc perl sed + pip3 install docutils==0.19 rst2html5 Then, with ``zip-xxxx.rst`` in the root directory of a clone of this repo, run::