diff --git a/zip-0224.html b/zip-0224.html index 86752203..d9946805 100644 --- a/zip-0224.html +++ b/zip-0224.html @@ -17,6 +17,9 @@ Owners: Daira Hopwood <daira@electriccoin.co> Status: Draft Category: Consensus Discussions-To: <https://github.com/zcash/zips/issues/435> +

Terminology

+

The key word "MUST" in this document is to be interpreted as described in RFC 2119. 1

+

Abstract

This document proposes the Orchard shielded protocol, which defines a new shielded pool with spending keys and payment addresses that are amenable to future scalability improvements.

@@ -24,7 +27,8 @@ Discussions-To: <https://g

TBD

Specification

-

The Orchard protocol is specified as an update to the Zcash Protocol Specification 1. Given that it largely follows the design of the Sapling protocol, we provide here a list of differences, with references to their normative specifications and associated design rationale.

+

The Orchard protocol MUST be implemented as specified in the Zcash Protocol Specification 2.

+

Given that the Orchard protocol largely follows the design of the Sapling protocol, we provide here a list of differences, with references to their normative specifications and associated design rationale.

Curves

The Orchard protocol uses the Pallas / Vesta curve cycle, in place of BLS12-381 and its embedded curve Jubjub:

We use the "simplified SWU" algorithm to define an infallible \(\mathsf{GroupHash}\) - , instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft 26 (but the protocol specification takes precedence in the case of any discrepancy).

+ , instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft 27 (but the protocol specification takes precedence in the case of any discrepancy).

The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs.

Proving system

@@ -48,31 +52,31 @@ Discussions-To: <https://g

This ZIP does not make use of Halo 2's support for recursive proofs, but this is expected to be leveraged by future ZIPs.

Circuit

Orchard uses a single circuit for both spends and outputs, similar to Sprout. An "action" contains both a single (possibly dummy) note being spent, and a single (possibly dummy) note being created.

An Orchard transaction contains a "bundle" of actions, and a single Halo 2 proof that covers all of the actions in the bundle.

Commitments

The Orchard protocol has equivalent commitment schemes to Sapling. For non-homomorphic commitments, Orchard uses the UPA-efficient Sinsemilla in place of Bowe--Hopwood Pedersen hashes.

Commitment tree

Orchard uses an identical commitment tree structure to Sapling, except that we instantiate it with Sinsemilla instead of a Bowe-Hopwood Pedersen hash.

Keys and addresses

@@ -94,11 +98,11 @@ Discussions-To: <https://g

Keys and addresses are encoded using Bech32. Orchard addresses used with the Zcash mainnet have the prefix "zo" (compared to "zc" for Sprout and "zs" for Sapling).

Orchard keys may be derived in a hierarchical deterministic (HD) manner. We do not adapt the Sapling HD mechanism from ZIP 32 to Orchard; instead, we define a hardened-only derivation mechanism (similar to Sprout).

Notes

@@ -109,9 +113,9 @@ Discussions-To: <https://g \(\psi\) and \(\mathsf{rcm}\) - are derived from a random seed (as with Sapling after ZIP 212 24).

+ are derived from a random seed (as with Sapling after ZIP 212 25).

Nullifiers

@@ -126,13 +130,13 @@ Discussions-To: <https://g is a fixed independent base.

Signatures

Orchard uses RedPallas (RedDSA instantiated with the Pallas curve) as its signature scheme in place of Sapling's RedJubjub (RedDSA instantiated with the Jubjub curve).

@@ -152,7 +156,7 @@ Discussions-To: <https://g field, combined with the consensus checks that each pool's balance cannot be negative, together enforce that any potential counterfeiting bugs in the Orchard protocol or implementation are contained within the Orchard pool, and similarly any potential counterfeiting bugs in existing shielded pools cannot cause inflation of the Orchard pool.
  • Spending funds residing in the Orchard pool to a non-Orchard address will reveal the value of the transaction. This is a necessary side-effect of the transparent turnstile, but can be mitigated by migrating the majority of shielded activity to the Orchard pool and making these transactions a minority. Wallets should convey within their transaction creation UX that amounts are revealed in these situations.
    • @@ -172,10 +176,18 @@ Discussions-To: <https://g

    This ZIP is proposed to activate with Network Upgrade 5.

    References

    - +
    + + + +
    1RFC 2119: Key words for use in RFCs to Indicate Requirement Levels
    + + + + @@ -183,7 +195,7 @@ Discussions-To: <https://g
    2 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]
    - + @@ -191,7 +203,7 @@ Discussions-To: <https://g
    23 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.1: Payment Addresses and Keys
    - + @@ -199,7 +211,7 @@ Discussions-To: <https://g
    34 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.2: Notes
    - + @@ -207,7 +219,7 @@ Discussions-To: <https://g
    45 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.7: Action Transfers and their Descriptions
    - + @@ -215,7 +227,7 @@ Discussions-To: <https://g
    56 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. 4.17.4: Action Statement (Orchard)
    - + @@ -223,7 +235,7 @@ Discussions-To: <https://g
    67 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 4.2.3: Orchard Key Components
    - + @@ -231,7 +243,7 @@ Discussions-To: <https://g
    78 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.1.9: Sinsemilla Hash Function
    - + @@ -239,7 +251,7 @@ Discussions-To: <https://g
    89 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.6: RedDSA, RedJubjub, and RedPallas
    - + @@ -247,7 +259,7 @@ Discussions-To: <https://g
    910 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.7.4: Sinsemilla commitments
    - + @@ -255,7 +267,7 @@ Discussions-To: <https://g
    1011 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.6: Pallas and Vesta
    - + @@ -263,7 +275,7 @@ Discussions-To: <https://g
    1112 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.8: Group Hash into Pallas and Vesta
    - + @@ -271,7 +283,7 @@ Discussions-To: <https://g
    1213 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.5: Orchard Payment Address
    - + @@ -279,7 +291,7 @@ Discussions-To: <https://g
    1314 Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.8: Orchard Incoming Viewing Keys
    - + @@ -287,7 +299,7 @@ Discussions-To: <https://g
    1415 TODO
    - + @@ -295,7 +307,7 @@ Discussions-To: <https://g
    1516 TODO
    - + @@ -303,7 +315,7 @@ Discussions-To: <https://g
    1617 The halo2 Book: 1.2 UltraPLONK Arithmetization
    - + @@ -311,7 +323,7 @@ Discussions-To: <https://g
    1718 The halo2 Book: 3.1. Proving system
    - + @@ -319,7 +331,7 @@ Discussions-To: <https://g
    1819 The Orchard Book: 3.1. Keys and addresses
    - + @@ -327,7 +339,7 @@ Discussions-To: <https://g
    1920 The Orchard Book: 3.2. Actions
    - + @@ -335,7 +347,7 @@ Discussions-To: <https://g
    2021 The Orchard Book: 3.3. Commitments
    - + @@ -343,7 +355,7 @@ Discussions-To: <https://g
    2122 The Orchard Book: 3.4. Commitment tree
    - + @@ -351,7 +363,7 @@ Discussions-To: <https://g
    2223 The Orchard Book: 3.5. Nullifiers
    - + @@ -359,7 +371,7 @@ Discussions-To: <https://g
    2324 ZIP 32: Shielded Hierarchical Deterministic Wallets
    - + @@ -367,7 +379,7 @@ Discussions-To: <https://g
    2425 ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext
    - + @@ -375,7 +387,7 @@ Discussions-To: <https://g
    2526 ZIP 315: Best Practices for Wallet Handling of Multiple Pools
    - + @@ -383,7 +395,7 @@ Discussions-To: <https://g
    2627 draft-irtf-cfrg-hash-to-curve-10: Hashing to Elliptic Curves
    - + diff --git a/zip-0224.rst b/zip-0224.rst index 39dbe2aa..fd756445 100644 --- a/zip-0224.rst +++ b/zip-0224.rst @@ -12,6 +12,12 @@ Discussions-To: +Terminology +=========== + +The key word "MUST" in this document is to be interpreted as described in RFC 2119. [#RFC2119]_ + + Abstract ======== @@ -29,10 +35,12 @@ TBD Specification ============= -The Orchard protocol is specified as an update to the Zcash Protocol Specification -[#orchard-spec]_. Given that it largely follows the design of the Sapling protocol, we -provide here a list of differences, with references to their normative specifications -and associated design rationale. +The Orchard protocol MUST be implemented as specified in the Zcash Protocol Specification +[#orchard-spec]_. + +Given that the Orchard protocol largely follows the design of the Sapling protocol, we +provide here a list of differences, with references to their normative specifications and +associated design rationale. Curves ------ @@ -232,6 +240,7 @@ This ZIP is proposed to activate with Network Upgrade 5. References ========== +.. [#RFC2119] `RFC 2119: Key words for use in RFCs to Indicate Requirement Levels `_ .. [#orchard-spec] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal] `_ .. [#spec-addrs-keys] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.1: Payment Addresses and Keys `_ .. [#spec-notes] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.2: Notes `_
    2728 Pallas/Vesta supporting evidence