diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index feff86d4..e8a950a6 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -8950,6 +8950,9 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$.
\heartwoodonwarditem{All \Sapling outputs in \coinbaseTransactions{} \MUST decrypt to a \notePlaintext,
i.e. the procedure in \crossref{saplingdecryptovk} does not return $\bot$, using a sequence of
$32$ zero bytes as the \outgoingViewingKey.}
+ \canopyonwarditem{Any \Sapling output of a \coinbaseTransaction decrypted to a \notePlaintext according
+ to the preceding rule \MUST have \notePlaintextLeadByte equal to $\hexint{02}$. (This applies even
+ during the ``grace period'' specified in \cite{ZIP-212}.)}
\item \todo{Other rules inherited from \Bitcoin.}
\end{consensusrules}
@@ -8998,6 +9001,11 @@ each \spendDescription (\crossref{spendencoding}), and each \outputDescription (
to spend coinbase outputs only in \transactions with no \transparent outputs, applied to
\emph{all} coinbase outputs.
}
+\canopy{
+ \item The rule that \Sapling outputs in \coinbaseTransactions \MUST decrypt to a \notePlaintext
+ with lead byte $\hexint{02}$, also applies to \fundingStream outputs that specify \Sapling
+ \paymentAddresses, if there are any.
+}
\end{pnotes}
\introlist
@@ -10510,6 +10518,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Repair the argument for $\GroupJHash{\URS}$ being usable as a random oracle, which
previously depended on $\abstJ$ being injective.
}
+\canopy{
+ \item Specify that \shieldedOutputs of \coinbaseTransactions \MUST use v2 \notePlaintexts after
+ \Canopy activation.
+}
\end{itemize}
diff --git a/zip-0207.html b/zip-0207.html
index c6cdb63a..d23bd327 100644
--- a/zip-0207.html
+++ b/zip-0207.html
@@ -31,14 +31,14 @@ License: MIT
Abstract 
This proposal specifies a mechanism to support funding streams, distributed from a portion of the block subsidy for a specified range of block heights.
- This is intended as a means of implementing the Zcash Development Fund, using the funding stream definitions specified in ZIP 214 . It should be read in conjunction with ZIP 1014 , which describes the high-level requirements for that fund.
+ This is intended as a means of implementing the Zcash Development Fund, using the funding stream definitions specified in ZIP 214 . It should be read in conjunction with ZIP 1014 , which describes the high-level requirements for that fund.
Motivation
- Motivation for the Zcash Development Fund is considered in ZIP 1014 .
+ Motivation for the Zcash Development Fund is considered in ZIP 1014 .
This ZIP 207 was originally proposed for the Blossom network upgrade, as a means of splitting the original Founders' Reward into several streams. It was then withdrawn when such splitting was judged to be unnecessary at the consensus level. Since the capabilities of the funding stream mechanism match the requirements for the Zcash Development Fund, the ZIP is being reintroduced for that purpose in order to reuse specification, analysis, and implementation effort.
Requirements
- The primary requirement of this ZIP is to provide a mechanism for specifying the funding streams that are used in ZIP 214 to implement the Zcash Development Fund. It should be sufficiently expressive to handle both the main three "slices" (ECC, ZF, and MG) defined in ZIP 1014 , and also (with additional funding stream definitions) the "direct grant option" described in that ZIP.
+ The primary requirement of this ZIP is to provide a mechanism for specifying the funding streams that are used in ZIP 214 to implement the Zcash Development Fund. It should be sufficiently expressive to handle both the main three "slices" (ECC, ZF, and MG) defined in ZIP 1014 , and also (with additional funding stream definitions) the "direct grant option" described in that ZIP.
As for the original Founders' Reward, addresses for a given funding stream are changed on a roughly-monthly basis, so that keys that are not yet needed may be kept off-line as a security measure.
Specification
@@ -202,9 +202,11 @@ License: MIT
The existing consensus rule for payment of the Founders' Reward is no longer active. (This would be the case under the preexisting consensus rules for Mainnet, but not for Testnet.)
The coinbase transaction in each block MUST contain at least one output per active funding stream that pays the stream's value in the prescribed way to the stream's recipient address for the block's height.
The "prescribed way" to pay a transparent P2SH address is to use a standard P2SH script of the form OP_HASH160 RedeemScriptHash(height) OP_EQUAL as the scriptPubKey.
- The "prescribed way" to pay a Sapling address is as defined in . That is, all Sapling outputs in coinbase transactions (including, but not limited to, outputs for funding streams) MUST have valid note commitments when recovered using a 32-byte array of zeroes as the outgoing viewing key.
+ The "prescribed way" to pay a Sapling address is as defined in . That is, all Sapling outputs in coinbase transactions (including, but not limited to, outputs for funding streams) MUST have valid note commitments when recovered using a 32-byte array of zeroes as the outgoing viewing key. In this case the note plaintext lead byte MUST be
+ \(\mathbf{0x02}\)
+ , as specified in .
- For the funding stream definitions to be activated at Canopy, see ZIP 214. Funding stream definitions can be added, changed, or deleted in ZIPs associated with subsequent network upgrades, subject to the ZIP process.
+ For the funding stream definitions to be activated at Canopy, see ZIP 214. Funding stream definitions can be added, changed, or deleted in ZIPs associated with subsequent network upgrades, subject to the ZIP process.
Example implementation
struct FundingPeriod {
@@ -369,7 +371,7 @@ License: MIT
Deployment
- This proposal is intended to be deployed with Canopy.
+ This proposal is intended to be deployed with Canopy.
Backward compatibility
This proposal intentionally creates what is known as a "bilateral consensus rule change". Use of this mechanism requires that all network participants upgrade their software to a compatible version within the upgrade window. Older software will treat post-upgrade blocks as invalid, and will follow any pre-upgrade consensus branch that persists.
@@ -450,10 +452,18 @@ License: MIT
-
diff --git a/zip-0212.rst b/zip-0212.rst
index d8ecde2c..d9114d6e 100644
--- a/zip-0212.rst
+++ b/zip-0212.rst
@@ -151,6 +151,19 @@ Further, the recipient MUST compute :math:`\mathsf{esk}` as
that :math:`\mathsf{epk} = [\mathsf{esk}] \mathsf{g_d}` and fail decryption
if this check is not satisfied.
+TODO: grace period.
+
+Consensus rule change for coinbase transactions
+-----------------------------------------------
+
+After the activation of this ZIP, any Sapling output of a coinbase transaction
+that is decrypted to a note plaintext as specified in [#zip-0213]_, MUST have
+note plaintext lead byte equal to 0x02.
+
+This applies even during the “grace period”, and also applies to funding stream
+outputs [#zip-0207]_ sent to shielded payment addresses, if there are any.
+
+
Rationale
=========
@@ -175,6 +188,9 @@ It is possible to transmit a signature of knowledge of a correct
to be an unnecessary complication and is likely slower than just supplying
:math:`\mathsf{esk}`.
+TODO: rationale for grace period.
+
+
Security and Privacy Considerations
===================================
@@ -214,3 +230,5 @@ References
.. [#saplingdecryptivk] `Section 4.17.2: Decryption using an Incoming Viewing Key (Sapling). Zcash Protocol Specification, Version 2020.1.4 [Overwinter+Sapling+Blossom+Heartwood] or later