From 5c402793c3b458ee2780fd0adcf6806ac95e5dd4 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Mon, 25 Oct 2021 20:12:23 +0100 Subject: [PATCH] Corrections for Orchard Viewing Keys. Signed-off-by: Daira Hopwood --- zip-0316.rst | 55 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/zip-0316.rst b/zip-0316.rst index ddfbb07b..11439efd 100644 --- a/zip-0316.rst +++ b/zip-0316.rst @@ -388,12 +388,22 @@ corresponding Unified Address. The following FVK or IVK Encodings are used in place of the :math:`\mathtt{addr}` field: -* An Orchard UFVK or UIVK Encoding, with Typecode :math:`\mathtt{0x03},` - is the raw encoding of the Orchard Full Viewing Key or Orchard Incoming - Viewing Key respectively. The UFVK uses the key at the Account level - of the ZIP 32 hierarchy, i.e. at path - :math:`m_\mathsf{Orchard} / 32' / coin\_type' / account'`, - while the UIVK uses its non-change child key at path +* An Orchard FVK Encoding, with Typecode :math:`\mathtt{0x03},` is + a concatenation of: + + * the raw encoding [#protocol-orchardfullviewingkeyencoding]_ of the + Orchard Full Viewing Key at the non-change child of the Account + level, i.e. at path + :math:`m_\mathsf{Orchard} / 32' / coin\_type' / account' / 0'`; + * the raw encoding [#protocol-orchardfullviewingkeyencoding]_ of the + Orchard Full Viewing Key at the change child of the Account level, + i.e. at path + :math:`m_\mathsf{Orchard} / 32' / coin\_type' / account' / 1'`. + +* An Orchard IVK Encoding, also with Typecode :math:`\mathtt{0x03},` + is the raw encoding [#protocol-orchardinviewingkeyencoding]_ of the + Orchard Incoming Viewing Key corresponding to the non-change child + (only) of the Account level, i.e. at path :math:`m_\mathsf{Orchard} / 32' / coin\_type' / account' / 0'`. * A Sapling FVK Encoding, with Typecode :math:`\mathtt{0x02},` is @@ -512,20 +522,23 @@ to give access only to view incoming payments (as opposed to change). Deriving a UIVK from a UFVK --------------------------- -For a Sapling UFVK, the corresponding Sapling UIVK is obtained as -specified in [#protocol-saplingkeycomponents]_. +The following derivations are applied to each component FVK: -For an Orchard UFVK, the corresponding Orchard UIVK is obtained by -deriving the child UFVK with non-hardened index :math:`0`, as specified -in [#zip-0032-orchard-child-key-derivation]_, and then the UIVK as -specified in [#protocol-orchardkeycomponents]_. +* For a Sapling FVK, the corresponding Sapling IVK is obtained as + specified in [#protocol-saplingkeycomponents]_. -For a Transparent P2PKH UFVK Encoding, the UIVK Encoding is obtained -from the extended public key corresponding to the account's non-change -key path, i.e. by deriving the child key with non-hardened index :math:`0`. -It is encoded in the same way as the UFVK Encoding. +* For an Orchard FVK, the corresponding Orchard IVK is obtained by + decoding the first :math:`96` bytes of the FVK Encoding (normally + corresponding to the FVK at the non-change child of the Account level) + as an Orchard Full Viewing Key, then deriving the IVK as specified in + [#protocol-orchardkeycomponents]_. -In each case, the Typecode remains the same as in the UFVK. +* For a Transparent P2PKH FVK, the corresponding Transparent P2PKH IVK + is obtained from the extended public key corresponding to the account's + non-change key path, i.e. by deriving the child key with non-hardened + index :math:`0`. It is encoded in the same way as the FVK Encoding. + +In each case, the Typecode remains the same as in the FVK. Deriving a Unified Address from a UIVK @@ -543,9 +556,9 @@ UIVK. That is, There are no additional constraints on an Orchard diversifier index. -Note that Sapling Receiver addresses MUST be derived from the key path +Note that Sapling Receiver addresses are derived from the key path at the Account level [#zip-0032-sapling-key-path]_, while Orchard Receiver -addresses MUST be derived from the non-change branch of the key path at +addresses are derived from the non-change branch of the key path at :math:`m_\mathsf{Orchard} / 32' / coin\_type' / account' / 0'` [#zip-0032-orchard-key-path]_. This is to accommodate the use of a distinct change spend authority in Orchard. @@ -564,7 +577,7 @@ then the BIP 44 path of the Transparent P2PKH Receiver will be: Jumbling ---------- +-------- Security goal (**near second preimage resistance**): @@ -814,6 +827,8 @@ References .. [#protocol-orchardkeycomponents] `Zcash Protocol Specification, Version 2020.2.16. Section 4.2.3: Orchard Key Components `_ .. [#protocol-saplingpaymentaddrencoding] `Zcash Protocol Specification, Version 2020.2.16. Section 5.6.3.1: Sapling Payment Addresses `_ .. [#protocol-orchardpaymentaddrencoding] `Zcash Protocol Specification, Version 2020.2.16. Section 5.6.4.2: Orchard Raw Payment Addresses `_ +.. [#protocol-orchardinviewingkeyencoding] `Zcash Protocol Specification, Version 2020.2.16. Section 5.6.4.3: Orchard Raw Incoming Viewing Keys `_ +.. [#protocol-orchardfullviewingkeyencoding] `Zcash Protocol Specification, Version 2020.2.16. Section 5.6.4.4: Orchard Raw Full Viewing Keys `_ .. [#zip-0000] `ZIP 0: ZIP Process `_ .. [#zip-0032-sapling-extfvk] `ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling extended full viewing keys `_ .. [#zip-0032-sapling-diversifier-derivation] `ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling diversifier derivation `_