zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ZIP 224: Add references to specification and design rationale

This commit is contained in:
Jack Grigg 2021-02-27 03:30:11 +00:00 committed by Daira Hopwood
parent a55581bae5
commit 7350f94b0e
4 changed files with 547 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.rst
View File

@ -98,7 +98,7 @@ Index of ZIPs
<tr> <td><span class="reserved">219</span></td> <td class="left"><a class="reserved" href="zip-0219.rst">Disabling Addition of New Value to the Sapling Chain Value Pool</a></td> <td>Reserved</td>
<tr> <td>221</td> <td class="left"><a href="zip-0221.rst">FlyClient - Consensus-Layer Changes</a></td> <td>Final</td>
<tr> <td>222</td> <td class="left"><a href="zip-0222.rst">Transparent Zcash Extensions</a></td> <td>Draft</td>
<tr> <td><span class="reserved">224</span></td> <td class="left"><a class="reserved" href="zip-0224.rst">Orchard Shielded Protocol</a></td> <td>Reserved</td>
<tr> <td>224</td> <td class="left"><a href="zip-0224.rst">Orchard Shielded Protocol</a></td> <td>Draft</td>
<tr> <td>225</td> <td class="left"><a href="zip-0225.rst">Version 5 Transaction Format</a></td> <td>Proposed</td>
<tr> <td>243</td> <td class="left"><a href="zip-0243.rst">Transaction Signature Validation for Sapling</a></td> <td>Final</td>
<tr> <td>244</td> <td class="left"><a href="zip-0244.rst">Transaction Identifier Non-Malleability</a></td> <td>Proposed</td>

2
index.html
View File

@ -71,7 +71,7 @@
<tr> <td><span class="reserved">219</span></td> <td class="left"><a class="reserved" href="zip-0219">Disabling Addition of New Value to the Sapling Chain Value Pool</a></td> <td>Reserved</td>
<tr> <td>221</td> <td class="left"><a href="zip-0221">FlyClient - Consensus-Layer Changes</a></td> <td>Final</td>
<tr> <td>222</td> <td class="left"><a href="zip-0222">Transparent Zcash Extensions</a></td> <td>Draft</td>
<tr> <td><span class="reserved">224</span></td> <td class="left"><a class="reserved" href="zip-0224">Orchard Shielded Protocol</a></td> <td>Reserved</td>
<tr> <td>224</td> <td class="left"><a href="zip-0224">Orchard Shielded Protocol</a></td> <td>Draft</td>
<tr> <td>225</td> <td class="left"><a href="zip-0225">Version 5 Transaction Format</a></td> <td>Proposed</td>
<tr> <td>243</td> <td class="left"><a href="zip-0243">Transaction Signature Validation for Sapling</a></td> <td>Final</td>
<tr> <td>244</td> <td class="left"><a href="zip-0244">Transaction Identifier Non-Malleability</a></td> <td>Proposed</td>

351
zip-0224.html
View File

@ -3,6 +3,7 @@
<head>
<title>ZIP 224: Orchard Shielded Protocol</title>
<meta charset="utf-8" />
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script>
<meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head>
<body>
<section>
@ -13,15 +14,351 @@ Owners: Daira Hopwood &lt;daira@electriccoin.co&gt;
Sean Bowe &lt;sean@electriccoin.co&gt;
Kris Nuttycombe &lt;kris@electriccoin.co&gt;
Ying Tong Lai &lt;yingtong@electriccoin.co&gt;
Status: Reserved
Status: Draft
Category: Consensus
Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/435">https://github.com/zcash/zips/issues/435</a>&gt;</pre>
<p>This ZIP number is reserved. Preliminary technical content relating to Orchard and Halo 2 are currently in:</p>
<ul>
<li>the <a href="https://zcash.github.io/orchard/design.html">Orchard Book</a>;</li>
<li>the <a href="https://zcash.github.io/halo2/">Halo Book</a>;</li>
<li>zcash/zcash GitHub tickets labeled <a href="https://github.com/zcash/zcash/issues?q=label%3AA-Orchard">A-Orchard</a> and <a href="https://github.com/zcash/zcash/issues?q=label%3AA-Halo">A-Halo</a>.</li>
</ul>
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a rel="bookmark" href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This document proposes the Orchard shielded protocol, which defines a new shielded pool with spending keys and payment addresses that are amenable to future scalability improvements.</p>
</section>
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a rel="bookmark" href="#motivation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The Orchard protocol is specified as an update to the Zcash Protocol Specification <a id="id1" class="footnote_reference" href="#orchard-spec">1</a>. Given that it largely follows the design of the Sapling protocol, we provide here a list of differences, with references to their normative specifications and associated design rationale.</p>
<section id="curves"><h3><span class="section-heading">Curves</span><span class="section-anchor"> <a rel="bookmark" href="#curves"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The Orchard protocol uses the Pallas / Vesta curve cycle, in place of BLS12-381 and its embedded curve Jubjub:</p>
<ul>
<li>Pallas is used as the "application curve", on which the Orchard protocol itself is implemented (c/f Jubjub).</li>
<li>Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381).</li>
</ul>
<p>We use (version 10 of) the IETF hash-to-curve Internet Draft <a id="id2" class="footnote_reference" href="#ietf-hash-to-curve">25</a> to implement
<span class="math">\(\mathsf{GroupHash}\)</span>
, instead of the BLAKE2s-based mechanism used for Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
<span class="math">\(\mathsf{GroupHash}\)</span>
.</p>
<p>The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs.</p>
<ul>
<li>Curve specifications: <a id="id3" class="footnote_reference" href="#spec-pasta">10</a></li>
<li>Group hash: <a id="id4" class="footnote_reference" href="#spec-pasta-grouphash">11</a></li>
<li>Supporting evidence: <a id="id5" class="footnote_reference" href="#pasta-evidence">26</a></li>
</ul>
</section>
<section id="proving-system"><h3><span class="section-heading">Proving system</span><span class="section-anchor"> <a rel="bookmark" href="#proving-system"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard uses the Halo 2 proving system with the UltraPLONK arithmetization (UPA), instead of Groth16 and R1CS.</p>
<p>This ZIP does not make use of Halo 2's support for recursive proofs, but this is expected to be leveraged by future ZIPs.</p>
<ul>
<li>Halo 2 protocol description: TODO</li>
<li>UltraPLONK Arithmetization: <a id="id6" class="footnote_reference" href="#concepts-upa">16</a></li>
<li>Halo 2 explanation and design rationale: <a id="id7" class="footnote_reference" href="#design-halo2">17</a></li>
</ul>
</section>
<section id="circuit"><h3><span class="section-heading">Circuit</span><span class="section-anchor"> <a rel="bookmark" href="#circuit"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard uses a single circuit for both spends and outputs, similar to Sprout. An "action" contains both a single (possibly dummy) note being spent, and a single (possibly dummy) note being created.</p>
<p>An Orchard transaction contains a "bundle" of actions, and a single Halo 2 proof that covers all of the actions in the bundle.</p>
<ul>
<li>Action description: <a id="id8" class="footnote_reference" href="#spec-actions">4</a></li>
<li>Circuit statement: <a id="id9" class="footnote_reference" href="#spec-action-statement">5</a></li>
<li>Design rationale: <a id="id10" class="footnote_reference" href="#design-actions">19</a></li>
</ul>
</section>
<section id="commitments"><h3><span class="section-heading">Commitments</span><span class="section-anchor"> <a rel="bookmark" href="#commitments"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The Orchard protocol has equivalent commitment schemes to Sapling. For non-homomorphic commitments, Orchard uses the UPA-efficient Sinsemilla in place of Bowe--Hopwood Pedersen hashes.</p>
<ul>
<li>Sinsemilla hash function: <a id="id11" class="footnote_reference" href="#spec-sinsemilla-hash">7</a></li>
<li>Sinsemilla commitments: <a id="id12" class="footnote_reference" href="#spec-sinsemilla-comm">9</a></li>
<li>Design rationale: <a id="id13" class="footnote_reference" href="#design-commitments">20</a></li>
</ul>
</section>
<section id="commitment-tree"><h3><span class="section-heading">Commitment tree</span><span class="section-anchor"> <a rel="bookmark" href="#commitment-tree"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard uses an identical commitment tree structure to Sapling, except that we instantiate it with Sinsemilla instead of a Bowe-Hopwood Pedersen hash.</p>
<ul>
<li>Design rationale and considered alternatives: <a id="id14" class="footnote_reference" href="#design-tree">21</a></li>
</ul>
</section>
<section id="keys-and-addresses"><h3><span class="section-heading">Keys and addresses</span><span class="section-anchor"> <a rel="bookmark" href="#keys-and-addresses"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard keys and payment addresses are structurally similar to Sapling, with the following changes:</p>
<ul>
<li>The proof authorizing key is removed, and
<span class="math">\(\mathsf{nk}\)</span>
is now a field element.</li>
<li>
<span class="math">\(\mathsf{ivk}\)</span>
is computed as a Sinsemilla commitment instead of a BLAKE2s output.</li>
<li>
<span class="math">\(\mathsf{ovk}\)</span>
is derived from
<span class="math">\(\mathsf{fvk}\)</span>
, instead of being a component of the spending key.</li>
<li>All diversifiers now result in valid payment addresses.</li>
</ul>
<p>Keys and addresses are encoded using Bech32. Orchard addresses used with the Zcash mainnet have the prefix "zo" (compared to "zc" for Sprout and "zs" for Sapling).</p>
<p>Orchard keys may be derived in a hierarchical deterministic (HD) manner. We do not adapt the Sapling HD mechanism from ZIP 32 <a id="id15" class="footnote_reference" href="#zip-0032">23</a> to Orchard; instead, we define a simple hardened-only derivation mechanism.</p>
<ul>
<li>Key components diagram: <a id="id16" class="footnote_reference" href="#spec-addrs-keys">2</a></li>
<li>Key components specification: <a id="id17" class="footnote_reference" href="#spec-keys">6</a></li>
<li>Encodings and HRPs: <a id="id18" class="footnote_reference" href="#spec-encoding-addr">12</a> <a id="id19" class="footnote_reference" href="#spec-encoding-ivk">13</a> <a id="id20" class="footnote_reference" href="#spec-encoding-fvk">14</a> <a id="id21" class="footnote_reference" href="#spec-encoding-sk">15</a></li>
<li>HD key derivation specification: TODO
<ul>
<li>Needs to be hierarchical, but output only needs to be uniform 32 bytes.</li>
<li>Probably just <cite>BLAKE2b-256(derivation_path)</cite>, in line with our existing primitives.</li>
</ul>
</li>
<li>Design rationale: <a id="id22" class="footnote_reference" href="#design-keys">18</a></li>
</ul>
</section>
<section id="notes"><h3><span class="section-heading">Notes</span><span class="section-anchor"> <a rel="bookmark" href="#notes"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard notes have the structure
<span class="math">\((addr, v, \rho, \psi, \mathsf{rcm})\)</span>
.
<span class="math">\(\psi\)</span>
and
<span class="math">\(\mathsf{rcm}\)</span>
are derived from a random seed (as with Sapling after ZIP 212 <a id="id23" class="footnote_reference" href="#zip-0212">24</a>).</p>
<ul>
<li>Orchard notes: <a id="id24" class="footnote_reference" href="#spec-notes">3</a></li>
</ul>
</section>
<section id="nullifiers"><h3><span class="section-heading">Nullifiers</span><span class="section-anchor"> <a rel="bookmark" href="#nullifiers"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Nullifiers for Orchard notes are computed as:</p>
<p>
<span class="math">\(\mathsf{nf} = [F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf{cm}\)</span>
</p>
<p>where
<span class="math">\(F\)</span>
is instantiated with Poseidon, and
<span class="math">\(\mathcal{G}\)</span>
is a fixed independent base.</p>
<ul>
<li>Poseidon: TODO</li>
<li>Design rationale and considered alternatives: <a id="id25" class="footnote_reference" href="#design-nullifiers">22</a></li>
</ul>
</section>
<section id="signatures"><h3><span class="section-heading">Signatures</span><span class="section-anchor"> <a rel="bookmark" href="#signatures"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Orchard uses RedPallas (RedDSA instantiated with the Pallas curve) as its signature scheme in place of Sapling's RedJubjub (RedDSA instantiated with the Jubjub curve).</p>
<ul>
<li>RedPallas: <a id="id26" class="footnote_reference" href="#spec-redpallas">8</a></li>
</ul>
</section>
</section>
<section id="additional-rationale"><h2><span class="section-heading">Additional Rationale</span><span class="section-anchor"> <a rel="bookmark" href="#additional-rationale"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="security-and-privacy-considerations"><h2><span class="section-heading">Security and Privacy Considerations</span><span class="section-anchor"> <a rel="bookmark" href="#security-and-privacy-considerations"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="deployment"><h2><span class="section-heading">Deployment</span><span class="section-anchor"> <a rel="bookmark" href="#deployment"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This ZIP is proposed to activate with Network Upgrade 5.</p>
</section>
<section id="references"><h2><span class="section-heading">References</span><span class="section-anchor"> <a rel="bookmark" href="#references"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<table id="orchard-spec" class="footnote">
<tbody>
<tr>
<th>1</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]</a></td>
</tr>
</tbody>
</table>
<table id="spec-addrs-keys" class="footnote">
<tbody>
<tr>
<th>2</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#addressesandkeys">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.1: Payment Addresses and Keys</a></td>
</tr>
</tbody>
</table>
<table id="spec-notes" class="footnote">
<tbody>
<tr>
<th>3</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#notes">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.2: Notes</a></td>
</tr>
</tbody>
</table>
<table id="spec-actions" class="footnote">
<tbody>
<tr>
<th>4</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actions">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.7: Action Transfers and their Descriptions</a></td>
</tr>
</tbody>
</table>
<table id="spec-action-statement" class="footnote">
<tbody>
<tr>
<th>5</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actionstatement">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. 4.17.4: Action Statement (Orchard)</a></td>
</tr>
</tbody>
</table>
<table id="spec-keys" class="footnote">
<tbody>
<tr>
<th>6</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardkeycomponents">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 4.2.3: Orchard Key Components</a></td>
</tr>
</tbody>
</table>
<table id="spec-sinsemilla-hash" class="footnote">
<tbody>
<tr>
<th>7</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillahash">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.1.9: Sinsemilla Hash Function</a></td>
</tr>
</tbody>
</table>
<table id="spec-redpallas" class="footnote">
<tbody>
<tr>
<th>8</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretereddsa">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.6: RedDSA, RedJubjub, and RedPallas</a></td>
</tr>
</tbody>
</table>
<table id="spec-sinsemilla-comm" class="footnote">
<tbody>
<tr>
<th>9</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillacommit">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.7.4: Sinsemilla commitments</a></td>
</tr>
</tbody>
</table>
<table id="spec-pasta" class="footnote">
<tbody>
<tr>
<th>10</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#pallasandvesta">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.6: Pallas and Vesta</a></td>
</tr>
</tbody>
</table>
<table id="spec-pasta-grouphash" class="footnote">
<tbody>
<tr>
<th>11</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretegrouphashpallasandvesta">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.8: Group Hash into Pallas and Vesta</a></td>
</tr>
</tbody>
</table>
<table id="spec-encoding-addr" class="footnote">
<tbody>
<tr>
<th>12</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardpaymentaddrencoding">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.5: Orchard Payment Address</a></td>
</tr>
</tbody>
</table>
<table id="spec-encoding-ivk" class="footnote">
<tbody>
<tr>
<th>13</th>
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardinviewingkeyencoding">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.8: Orchard Incoming Viewing Keys</a></td>
</tr>
</tbody>
</table>
<table id="spec-encoding-fvk" class="footnote">
<tbody>
<tr>
<th>14</th>
<td>TODO</td>
</tr>
</tbody>
</table>
<table id="spec-encoding-sk" class="footnote">
<tbody>
<tr>
<th>15</th>
<td>TODO</td>
</tr>
</tbody>
</table>
<table id="concepts-upa" class="footnote">
<tbody>
<tr>
<th>16</th>
<td><a href="https://zcash.github.io/halo2/concepts/arithmetization.html">The halo2 Book: 1.2 UltraPLONK Arithmetization</a></td>
</tr>
</tbody>
</table>
<table id="design-halo2" class="footnote">
<tbody>
<tr>
<th>17</th>
<td><a href="https://zcash.github.io/halo2/design/proving-system.html">The halo2 Book: 3.1. Proving system</a></td>
</tr>
</tbody>
</table>
<table id="design-keys" class="footnote">
<tbody>
<tr>
<th>18</th>
<td><a href="https://zcash.github.io/orchard/design/keys.html">The Orchard Book: 3.1. Keys and addresses</a></td>
</tr>
</tbody>
</table>
<table id="design-actions" class="footnote">
<tbody>
<tr>
<th>19</th>
<td><a href="https://zcash.github.io/orchard/design/actions.html">The Orchard Book: 3.2. Actions</a></td>
</tr>
</tbody>
</table>
<table id="design-commitments" class="footnote">
<tbody>
<tr>
<th>20</th>
<td><a href="https://zcash.github.io/orchard/design/commitments.html">The Orchard Book: 3.3. Commitments</a></td>
</tr>
</tbody>
</table>
<table id="design-tree" class="footnote">
<tbody>
<tr>
<th>21</th>
<td><a href="https://zcash.github.io/orchard/design/commitment-tree.html">The Orchard Book: 3.4. Commitment tree</a></td>
</tr>
</tbody>
</table>
<table id="design-nullifiers" class="footnote">
<tbody>
<tr>
<th>22</th>
<td><a href="https://zcash.github.io/orchard/design/nullifiers.html">The Orchard Book: 3.5. Nullifiers</a></td>
</tr>
</tbody>
</table>
<table id="zip-0032" class="footnote">
<tbody>
<tr>
<th>23</th>
<td><a href="zip-0032">ZIP 32: Shielded Hierarchical Deterministic Wallets</a></td>
</tr>
</tbody>
</table>
<table id="zip-0212" class="footnote">
<tbody>
<tr>
<th>24</th>
<td><a href="zip-0212">ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext</a></td>
</tr>
</tbody>
</table>
<table id="ietf-hash-to-curve" class="footnote">
<tbody>
<tr>
<th>25</th>
<td><a href="https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.html">draft-irtf-cfrg-hash-to-curve-10: Hashing to Elliptic Curves</a></td>
</tr>
</tbody>
</table>
<table id="pasta-evidence" class="footnote">
<tbody>
<tr>
<th>26</th>
<td><a href="https://github.com/zcash/pasta">Pallas/Vesta supporting evidence</a></td>
</tr>
</tbody>
</table>
</section>
</section>
</body>
</html>

208
zip-0224.rst
View File

@ -7,14 +7,208 @@
Sean Bowe <sean@electriccoin.co>
Kris Nuttycombe <kris@electriccoin.co>
Ying Tong Lai <yingtong@electriccoin.co>
Status: Reserved
Status: Draft
Category: Consensus
Discussions-To: <https://github.com/zcash/zips/issues/435>
This ZIP number is reserved. Preliminary technical content relating to Orchard and Halo 2
are currently in:
* the `Orchard Book <https://zcash.github.io/orchard/design.html>`_;
* the `Halo Book <https://zcash.github.io/halo2/>`_;
* zcash/zcash GitHub tickets labeled `A-Orchard <https://github.com/zcash/zcash/issues?q=label%3AA-Orchard>`_
and `A-Halo <https://github.com/zcash/zcash/issues?q=label%3AA-Halo>`_.
Abstract
========
This document proposes the Orchard shielded protocol, which defines a new shielded pool
with spending keys and payment addresses that are amenable to future scalability
improvements.
Motivation
==========
TBD
Specification
=============
The Orchard protocol is specified as an update to the Zcash Protocol Specification
[#orchard-spec]_. Given that it largely follows the design of the Sapling protocol, we
provide here a list of differences, with references to their normative specifications
and associated design rationale.
Curves
------
The Orchard protocol uses the Pallas / Vesta curve cycle, in place of BLS12-381 and its
embedded curve Jubjub:
- Pallas is used as the "application curve", on which the Orchard protocol itself is
implemented (c/f Jubjub).
- Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas)
is the "word" type over which the circuit is implemented (c/f BLS12-381).
We use (version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ to
implement :math:`\mathsf{GroupHash}`, instead of the BLAKE2s-based mechanism used for
Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
:math:`\mathsf{GroupHash}`.
The presence of the curve cycle is an explicit design choice. This ZIP only uses half of
the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be
leveraged by future ZIPs.
- Curve specifications: [#spec-pasta]_
- Group hash: [#spec-pasta-grouphash]_
- Supporting evidence: [#pasta-evidence]_
Proving system
--------------
Orchard uses the Halo 2 proving system with the UltraPLONK arithmetization (UPA), instead
of Groth16 and R1CS.
This ZIP does not make use of Halo 2's support for recursive proofs, but this is expected
to be leveraged by future ZIPs.
- Halo 2 protocol description: TODO
- UltraPLONK Arithmetization: [#concepts-upa]_
- Halo 2 explanation and design rationale: [#design-halo2]_
Circuit
-------
Orchard uses a single circuit for both spends and outputs, similar to Sprout. An "action"
contains both a single (possibly dummy) note being spent, and a single (possibly dummy)
note being created.
An Orchard transaction contains a "bundle" of actions, and a single Halo 2 proof that
covers all of the actions in the bundle.
- Action description: [#spec-actions]_
- Circuit statement: [#spec-action-statement]_
- Design rationale: [#design-actions]_
Commitments
-----------
The Orchard protocol has equivalent commitment schemes to Sapling. For non-homomorphic
commitments, Orchard uses the UPA-efficient Sinsemilla in place of Bowe--Hopwood Pedersen
hashes.
- Sinsemilla hash function: [#spec-sinsemilla-hash]_
- Sinsemilla commitments: [#spec-sinsemilla-comm]_
- Design rationale: [#design-commitments]_
Commitment tree
---------------
Orchard uses an identical commitment tree structure to Sapling, except that we instantiate
it with Sinsemilla instead of a Bowe-Hopwood Pedersen hash.
- Design rationale and considered alternatives: [#design-tree]_
Keys and addresses
------------------
Orchard keys and payment addresses are structurally similar to Sapling, with the following
changes:
- The proof authorizing key is removed, and :math:`\mathsf{nk}` is now a field element.
- :math:`\mathsf{ivk}` is computed as a Sinsemilla commitment instead of a BLAKE2s output.
- :math:`\mathsf{ovk}` is derived from :math:`\mathsf{fvk}`, instead of being a component
of the spending key.
- All diversifiers now result in valid payment addresses.
Keys and addresses are encoded using Bech32. Orchard addresses used with the Zcash mainnet
have the prefix "zo" (compared to "zc" for Sprout and "zs" for Sapling).
Orchard keys may be derived in a hierarchical deterministic (HD) manner. We do not adapt
the Sapling HD mechanism from ZIP 32 [#zip-0032]_ to Orchard; instead, we define a simple
hardened-only derivation mechanism.
- Key components diagram: [#spec-addrs-keys]_
- Key components specification: [#spec-keys]_
- Encodings and HRPs: [#spec-encoding-addr]_ [#spec-encoding-ivk]_ [#spec-encoding-fvk]_
[#spec-encoding-sk]_
- HD key derivation specification: TODO
- Needs to be hierarchical, but output only needs to be uniform 32 bytes.
- Probably just `BLAKE2b-256(derivation_path)`, in line with our existing primitives.
- Design rationale: [#design-keys]_
Notes
-----
Orchard notes have the structure :math:`(addr, v, \rho, \psi, \mathsf{rcm})`. :math:`\psi`
and :math:`\mathsf{rcm}` are derived from a random seed (as with Sapling after ZIP 212
[#zip-0212]_).
- Orchard notes: [#spec-notes]_
Nullifiers
----------
Nullifiers for Orchard notes are computed as:
:math:`\mathsf{nf} = [F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf{cm}`
where :math:`F` is instantiated with Poseidon, and :math:`\mathcal{G}` is a fixed
independent base.
- Poseidon: TODO
- Design rationale and considered alternatives: [#design-nullifiers]_
Signatures
----------
Orchard uses RedPallas (RedDSA instantiated with the Pallas curve) as its signature scheme
in place of Sapling's RedJubjub (RedDSA instantiated with the Jubjub curve).
- RedPallas: [#spec-redpallas]_
Additional Rationale
====================
TBD
Security and Privacy Considerations
===================================
TBD
Deployment
==========
This ZIP is proposed to activate with Network Upgrade 5.
References
==========
.. [#orchard-spec] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal] <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf>`_
.. [#spec-addrs-keys] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.1: Payment Addresses and Keys <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#addressesandkeys>`_
.. [#spec-notes] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.2: Notes <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#notes>`_
.. [#spec-actions] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.7: Action Transfers and their Descriptions <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actions>`_
.. [#spec-action-statement] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. 4.17.4: Action Statement (Orchard) <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actionstatement>`_
.. [#spec-keys] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 4.2.3: Orchard Key Components <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardkeycomponents>`_
.. [#spec-sinsemilla-hash] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.1.9: Sinsemilla Hash Function <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillahash>`_
.. [#spec-redpallas] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.6: RedDSA, RedJubjub, and RedPallas <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretereddsa>`_
.. [#spec-sinsemilla-comm] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.7.4: Sinsemilla commitments <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillacommit>`_
.. [#spec-pasta] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.6: Pallas and Vesta <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#pallasandvesta>`_
.. [#spec-pasta-grouphash] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.8: Group Hash into Pallas and Vesta <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretegrouphashpallasandvesta>`_
.. [#spec-encoding-addr] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.5: Orchard Payment Address <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardpaymentaddrencoding>`_
.. [#spec-encoding-ivk] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.8: Orchard Incoming Viewing Keys <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardinviewingkeyencoding>`_
.. [#spec-encoding-fvk] TODO
.. [#spec-encoding-sk] TODO
.. [#concepts-upa] `The halo2 Book: 1.2 UltraPLONK Arithmetization <https://zcash.github.io/halo2/concepts/arithmetization.html>`_
.. [#design-halo2] `The halo2 Book: 3.1. Proving system <https://zcash.github.io/halo2/design/proving-system.html>`_
.. [#design-keys] `The Orchard Book: 3.1. Keys and addresses <https://zcash.github.io/orchard/design/keys.html>`_
.. [#design-actions] `The Orchard Book: 3.2. Actions <https://zcash.github.io/orchard/design/actions.html>`_
.. [#design-commitments] `The Orchard Book: 3.3. Commitments <https://zcash.github.io/orchard/design/commitments.html>`_
.. [#design-tree] `The Orchard Book: 3.4. Commitment tree <https://zcash.github.io/orchard/design/commitment-tree.html>`_
.. [#design-nullifiers] `The Orchard Book: 3.5. Nullifiers <https://zcash.github.io/orchard/design/nullifiers.html>`_
.. [#zip-0032] `ZIP 32: Shielded Hierarchical Deterministic Wallets <zip-0032.rst>`_
.. [#zip-0212] `ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext <zip-0212.rst>`_
.. [#ietf-hash-to-curve] `draft-irtf-cfrg-hash-to-curve-10: Hashing to Elliptic Curves <https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.html>`_
.. [#pasta-evidence] `Pallas/Vesta supporting evidence <https://github.com/zcash/pasta>`_