mirror of https://github.com/zcash/zips.git
ZIP 224: Add references to specification and design rationale
This commit is contained in:
parent
a55581bae5
commit
7350f94b0e
|
@ -98,7 +98,7 @@ Index of ZIPs
|
|||
<tr> <td><span class="reserved">219</span></td> <td class="left"><a class="reserved" href="zip-0219.rst">Disabling Addition of New Value to the Sapling Chain Value Pool</a></td> <td>Reserved</td>
|
||||
<tr> <td>221</td> <td class="left"><a href="zip-0221.rst">FlyClient - Consensus-Layer Changes</a></td> <td>Final</td>
|
||||
<tr> <td>222</td> <td class="left"><a href="zip-0222.rst">Transparent Zcash Extensions</a></td> <td>Draft</td>
|
||||
<tr> <td><span class="reserved">224</span></td> <td class="left"><a class="reserved" href="zip-0224.rst">Orchard Shielded Protocol</a></td> <td>Reserved</td>
|
||||
<tr> <td>224</td> <td class="left"><a href="zip-0224.rst">Orchard Shielded Protocol</a></td> <td>Draft</td>
|
||||
<tr> <td>225</td> <td class="left"><a href="zip-0225.rst">Version 5 Transaction Format</a></td> <td>Proposed</td>
|
||||
<tr> <td>243</td> <td class="left"><a href="zip-0243.rst">Transaction Signature Validation for Sapling</a></td> <td>Final</td>
|
||||
<tr> <td>244</td> <td class="left"><a href="zip-0244.rst">Transaction Identifier Non-Malleability</a></td> <td>Proposed</td>
|
||||
|
|
|
@ -71,7 +71,7 @@
|
|||
<tr> <td><span class="reserved">219</span></td> <td class="left"><a class="reserved" href="zip-0219">Disabling Addition of New Value to the Sapling Chain Value Pool</a></td> <td>Reserved</td>
|
||||
<tr> <td>221</td> <td class="left"><a href="zip-0221">FlyClient - Consensus-Layer Changes</a></td> <td>Final</td>
|
||||
<tr> <td>222</td> <td class="left"><a href="zip-0222">Transparent Zcash Extensions</a></td> <td>Draft</td>
|
||||
<tr> <td><span class="reserved">224</span></td> <td class="left"><a class="reserved" href="zip-0224">Orchard Shielded Protocol</a></td> <td>Reserved</td>
|
||||
<tr> <td>224</td> <td class="left"><a href="zip-0224">Orchard Shielded Protocol</a></td> <td>Draft</td>
|
||||
<tr> <td>225</td> <td class="left"><a href="zip-0225">Version 5 Transaction Format</a></td> <td>Proposed</td>
|
||||
<tr> <td>243</td> <td class="left"><a href="zip-0243">Transaction Signature Validation for Sapling</a></td> <td>Final</td>
|
||||
<tr> <td>244</td> <td class="left"><a href="zip-0244">Transaction Identifier Non-Malleability</a></td> <td>Proposed</td>
|
||||
|
|
351
zip-0224.html
351
zip-0224.html
|
@ -3,6 +3,7 @@
|
|||
<head>
|
||||
<title>ZIP 224: Orchard Shielded Protocol</title>
|
||||
<meta charset="utf-8" />
|
||||
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head>
|
||||
<body>
|
||||
<section>
|
||||
|
@ -13,15 +14,351 @@ Owners: Daira Hopwood <daira@electriccoin.co>
|
|||
Sean Bowe <sean@electriccoin.co>
|
||||
Kris Nuttycombe <kris@electriccoin.co>
|
||||
Ying Tong Lai <yingtong@electriccoin.co>
|
||||
Status: Reserved
|
||||
Status: Draft
|
||||
Category: Consensus
|
||||
Discussions-To: <<a href="https://github.com/zcash/zips/issues/435">https://github.com/zcash/zips/issues/435</a>></pre>
|
||||
<p>This ZIP number is reserved. Preliminary technical content relating to Orchard and Halo 2 are currently in:</p>
|
||||
<ul>
|
||||
<li>the <a href="https://zcash.github.io/orchard/design.html">Orchard Book</a>;</li>
|
||||
<li>the <a href="https://zcash.github.io/halo2/">Halo Book</a>;</li>
|
||||
<li>zcash/zcash GitHub tickets labeled <a href="https://github.com/zcash/zcash/issues?q=label%3AA-Orchard">A-Orchard</a> and <a href="https://github.com/zcash/zcash/issues?q=label%3AA-Halo">A-Halo</a>.</li>
|
||||
</ul>
|
||||
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a rel="bookmark" href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||
<p>This document proposes the Orchard shielded protocol, which defines a new shielded pool with spending keys and payment addresses that are amenable to future scalability improvements.</p>
|
||||
</section>
|
||||
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a rel="bookmark" href="#motivation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||
<p>TBD</p>
|
||||
</section>
|
||||
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||
<p>The Orchard protocol is specified as an update to the Zcash Protocol Specification <a id="id1" class="footnote_reference" href="#orchard-spec">1</a>. Given that it largely follows the design of the Sapling protocol, we provide here a list of differences, with references to their normative specifications and associated design rationale.</p>
|
||||
<section id="curves"><h3><span class="section-heading">Curves</span><span class="section-anchor"> <a rel="bookmark" href="#curves"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>The Orchard protocol uses the Pallas / Vesta curve cycle, in place of BLS12-381 and its embedded curve Jubjub:</p>
|
||||
<ul>
|
||||
<li>Pallas is used as the "application curve", on which the Orchard protocol itself is implemented (c/f Jubjub).</li>
|
||||
<li>Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381).</li>
|
||||
</ul>
|
||||
<p>We use (version 10 of) the IETF hash-to-curve Internet Draft <a id="id2" class="footnote_reference" href="#ietf-hash-to-curve">25</a> to implement
|
||||
<span class="math">\(\mathsf{GroupHash}\)</span>
|
||||
, instead of the BLAKE2s-based mechanism used for Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
|
||||
<span class="math">\(\mathsf{GroupHash}\)</span>
|
||||
.</p>
|
||||
<p>The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs.</p>
|
||||
<ul>
|
||||
<li>Curve specifications: <a id="id3" class="footnote_reference" href="#spec-pasta">10</a></li>
|
||||
<li>Group hash: <a id="id4" class="footnote_reference" href="#spec-pasta-grouphash">11</a></li>
|
||||
<li>Supporting evidence: <a id="id5" class="footnote_reference" href="#pasta-evidence">26</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
<section id="proving-system"><h3><span class="section-heading">Proving system</span><span class="section-anchor"> <a rel="bookmark" href="#proving-system"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>Orchard uses the Halo 2 proving system with the UltraPLONK arithmetization (UPA), instead of Groth16 and R1CS.</p>
|
||||
<p>This ZIP does not make use of Halo 2's support for recursive proofs, but this is expected to be leveraged by future ZIPs.</p>
|
||||
<ul>
|
||||
<li>Halo 2 protocol description: TODO</li>
|
||||
<li>UltraPLONK Arithmetization: <a id="id6" class="footnote_reference" href="#concepts-upa">16</a></li>
|
||||
<li>Halo 2 explanation and design rationale: <a id="id7" class="footnote_reference" href="#design-halo2">17</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
<section id="circuit"><h3><span class="section-heading">Circuit</span><span class="section-anchor"> <a rel="bookmark" href="#circuit"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>Orchard uses a single circuit for both spends and outputs, similar to Sprout. An "action" contains both a single (possibly dummy) note being spent, and a single (possibly dummy) note being created.</p>
|
||||
<p>An Orchard transaction contains a "bundle" of actions, and a single Halo 2 proof that covers all of the actions in the bundle.</p>
|
||||
<ul>
|
||||
<li>Action description: <a id="id8" class="footnote_reference" href="#spec-actions">4</a></li>
|
||||
<li>Circuit statement: <a id="id9" class="footnote_reference" href="#spec-action-statement">5</a></li>
|
||||
<li>Design rationale: <a id="id10" class="footnote_reference" href="#design-actions">19</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
<section id="commitments"><h3><span class="section-heading">Commitments</span><span class="section-anchor"> <a rel="bookmark" href="#commitments"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>The Orchard protocol has equivalent commitment schemes to Sapling. For non-homomorphic commitments, Orchard uses the UPA-efficient Sinsemilla in place of Bowe--Hopwood Pedersen hashes.</p>
|
||||
<ul>
|
||||
<li>Sinsemilla hash function: <a id="id11" class="footnote_reference" href="#spec-sinsemilla-hash">7</a></li>
|
||||
<li>Sinsemilla commitments: <a id="id12" class="footnote_reference" href="#spec-sinsemilla-comm">9</a></li>
|
||||
<li>Design rationale: <a id="id13" class="footnote_reference" href="#design-commitments">20</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
<section id="commitment-tree"><h3><span class="section-heading">Commitment tree</span><span class="section-anchor"> <a rel="bookmark" href="#commitment-tree"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>Orchard uses an identical commitment tree structure to Sapling, except that we instantiate it with Sinsemilla instead of a Bowe-Hopwood Pedersen hash.</p>
|
||||
<ul>
|
||||
<li>Design rationale and considered alternatives: <a id="id14" class="footnote_reference" href="#design-tree">21</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
<section id="keys-and-addresses"><h3><span class="section-heading">Keys and addresses</span><span class="section-anchor"> <a rel="bookmark" href="#keys-and-addresses"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>Orchard keys and payment addresses are structurally similar to Sapling, with the following changes:</p>
|
||||
<ul>
|
||||
<li>The proof authorizing key is removed, and
|
||||
<span class="math">\(\mathsf{nk}\)</span>
|
||||
is now a field element.</li>
|
||||
<li>
|
||||
<span class="math">\(\mathsf{ivk}\)</span>
|
||||
is computed as a Sinsemilla commitment instead of a BLAKE2s output.</li>
|
||||
<li>
|
||||
<span class="math">\(\mathsf{ovk}\)</span>
|
||||
is derived from
|
||||
<span class="math">\(\mathsf{fvk}\)</span>
|
||||
, instead of being a component of the spending key.</li>
|
||||
<li>All diversifiers now result in valid payment addresses.</li>
|
||||
</ul>
|
||||
<p>Keys and addresses are encoded using Bech32. Orchard addresses used with the Zcash mainnet have the prefix "zo" (compared to "zc" for Sprout and "zs" for Sapling).</p>
|
||||
<p>Orchard keys may be derived in a hierarchical deterministic (HD) manner. We do not adapt the Sapling HD mechanism from ZIP 32 <a id="id15" class="footnote_reference" href="#zip-0032">23</a> to Orchard; instead, we define a simple hardened-only derivation mechanism.</p>
|
||||
<ul>
|
||||
<li>Key components diagram: <a id="id16" class="footnote_reference" href="#spec-addrs-keys">2</a></li>
|
||||
<li>Key components specification: <a id="id17" class="footnote_reference" href="#spec-keys">6</a></li>
|
||||
<li>Encodings and HRPs: <a id="id18" class="footnote_reference" href="#spec-encoding-addr">12</a> <a id="id19" class="footnote_reference" href="#spec-encoding-ivk">13</a> <a id="id20" class="footnote_reference" href="#spec-encoding-fvk">14</a> <a id="id21" class="footnote_reference" href="#spec-encoding-sk">15</a></li>
|
||||
<li>HD key derivation specification: TODO
|
||||
<ul>
|
||||
<li>Needs to be hierarchical, but output only needs to be uniform 32 bytes.</li>
|
||||
<li>Probably just <cite>BLAKE2b-256(derivation_path)</cite>, in line with our existing primitives.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Design rationale: <a id="id22" class="footnote_reference" href="#design-keys">18</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
<section id="notes"><h3><span class="section-heading">Notes</span><span class="section-anchor"> <a rel="bookmark" href="#notes"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>Orchard notes have the structure
|
||||
<span class="math">\((addr, v, \rho, \psi, \mathsf{rcm})\)</span>
|
||||
.
|
||||
<span class="math">\(\psi\)</span>
|
||||
and
|
||||
<span class="math">\(\mathsf{rcm}\)</span>
|
||||
are derived from a random seed (as with Sapling after ZIP 212 <a id="id23" class="footnote_reference" href="#zip-0212">24</a>).</p>
|
||||
<ul>
|
||||
<li>Orchard notes: <a id="id24" class="footnote_reference" href="#spec-notes">3</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
<section id="nullifiers"><h3><span class="section-heading">Nullifiers</span><span class="section-anchor"> <a rel="bookmark" href="#nullifiers"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>Nullifiers for Orchard notes are computed as:</p>
|
||||
<p>
|
||||
<span class="math">\(\mathsf{nf} = [F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf{cm}\)</span>
|
||||
</p>
|
||||
<p>where
|
||||
<span class="math">\(F\)</span>
|
||||
is instantiated with Poseidon, and
|
||||
<span class="math">\(\mathcal{G}\)</span>
|
||||
is a fixed independent base.</p>
|
||||
<ul>
|
||||
<li>Poseidon: TODO</li>
|
||||
<li>Design rationale and considered alternatives: <a id="id25" class="footnote_reference" href="#design-nullifiers">22</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
<section id="signatures"><h3><span class="section-heading">Signatures</span><span class="section-anchor"> <a rel="bookmark" href="#signatures"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
|
||||
<p>Orchard uses RedPallas (RedDSA instantiated with the Pallas curve) as its signature scheme in place of Sapling's RedJubjub (RedDSA instantiated with the Jubjub curve).</p>
|
||||
<ul>
|
||||
<li>RedPallas: <a id="id26" class="footnote_reference" href="#spec-redpallas">8</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
</section>
|
||||
<section id="additional-rationale"><h2><span class="section-heading">Additional Rationale</span><span class="section-anchor"> <a rel="bookmark" href="#additional-rationale"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||
<p>TBD</p>
|
||||
</section>
|
||||
<section id="security-and-privacy-considerations"><h2><span class="section-heading">Security and Privacy Considerations</span><span class="section-anchor"> <a rel="bookmark" href="#security-and-privacy-considerations"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||
<p>TBD</p>
|
||||
</section>
|
||||
<section id="deployment"><h2><span class="section-heading">Deployment</span><span class="section-anchor"> <a rel="bookmark" href="#deployment"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||
<p>This ZIP is proposed to activate with Network Upgrade 5.</p>
|
||||
</section>
|
||||
<section id="references"><h2><span class="section-heading">References</span><span class="section-anchor"> <a rel="bookmark" href="#references"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||
<table id="orchard-spec" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>1</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-addrs-keys" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>2</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#addressesandkeys">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.1: Payment Addresses and Keys</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-notes" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>3</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#notes">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.2: Notes</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-actions" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>4</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actions">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.7: Action Transfers and their Descriptions</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-action-statement" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>5</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actionstatement">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. 4.17.4: Action Statement (Orchard)</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-keys" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>6</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardkeycomponents">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 4.2.3: Orchard Key Components</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-sinsemilla-hash" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>7</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillahash">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.1.9: Sinsemilla Hash Function</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-redpallas" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>8</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretereddsa">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.6: RedDSA, RedJubjub, and RedPallas</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-sinsemilla-comm" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>9</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillacommit">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.7.4: Sinsemilla commitments</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-pasta" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>10</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#pallasandvesta">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.6: Pallas and Vesta</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-pasta-grouphash" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>11</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretegrouphashpallasandvesta">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.8: Group Hash into Pallas and Vesta</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-encoding-addr" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>12</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardpaymentaddrencoding">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.5: Orchard Payment Address</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-encoding-ivk" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>13</th>
|
||||
<td><a href="https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardinviewingkeyencoding">Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.8: Orchard Incoming Viewing Keys</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-encoding-fvk" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>14</th>
|
||||
<td>TODO</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="spec-encoding-sk" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>15</th>
|
||||
<td>TODO</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="concepts-upa" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>16</th>
|
||||
<td><a href="https://zcash.github.io/halo2/concepts/arithmetization.html">The halo2 Book: 1.2 UltraPLONK Arithmetization</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="design-halo2" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>17</th>
|
||||
<td><a href="https://zcash.github.io/halo2/design/proving-system.html">The halo2 Book: 3.1. Proving system</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="design-keys" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>18</th>
|
||||
<td><a href="https://zcash.github.io/orchard/design/keys.html">The Orchard Book: 3.1. Keys and addresses</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="design-actions" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>19</th>
|
||||
<td><a href="https://zcash.github.io/orchard/design/actions.html">The Orchard Book: 3.2. Actions</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="design-commitments" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>20</th>
|
||||
<td><a href="https://zcash.github.io/orchard/design/commitments.html">The Orchard Book: 3.3. Commitments</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="design-tree" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>21</th>
|
||||
<td><a href="https://zcash.github.io/orchard/design/commitment-tree.html">The Orchard Book: 3.4. Commitment tree</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="design-nullifiers" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>22</th>
|
||||
<td><a href="https://zcash.github.io/orchard/design/nullifiers.html">The Orchard Book: 3.5. Nullifiers</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="zip-0032" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>23</th>
|
||||
<td><a href="zip-0032">ZIP 32: Shielded Hierarchical Deterministic Wallets</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="zip-0212" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>24</th>
|
||||
<td><a href="zip-0212">ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="ietf-hash-to-curve" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>25</th>
|
||||
<td><a href="https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.html">draft-irtf-cfrg-hash-to-curve-10: Hashing to Elliptic Curves</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<table id="pasta-evidence" class="footnote">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>26</th>
|
||||
<td><a href="https://github.com/zcash/pasta">Pallas/Vesta supporting evidence</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</section>
|
||||
</section>
|
||||
</body>
|
||||
</html>
|
208
zip-0224.rst
208
zip-0224.rst
|
@ -7,14 +7,208 @@
|
|||
Sean Bowe <sean@electriccoin.co>
|
||||
Kris Nuttycombe <kris@electriccoin.co>
|
||||
Ying Tong Lai <yingtong@electriccoin.co>
|
||||
Status: Reserved
|
||||
Status: Draft
|
||||
Category: Consensus
|
||||
Discussions-To: <https://github.com/zcash/zips/issues/435>
|
||||
|
||||
This ZIP number is reserved. Preliminary technical content relating to Orchard and Halo 2
|
||||
are currently in:
|
||||
|
||||
* the `Orchard Book <https://zcash.github.io/orchard/design.html>`_;
|
||||
* the `Halo Book <https://zcash.github.io/halo2/>`_;
|
||||
* zcash/zcash GitHub tickets labeled `A-Orchard <https://github.com/zcash/zcash/issues?q=label%3AA-Orchard>`_
|
||||
and `A-Halo <https://github.com/zcash/zcash/issues?q=label%3AA-Halo>`_.
|
||||
Abstract
|
||||
========
|
||||
|
||||
This document proposes the Orchard shielded protocol, which defines a new shielded pool
|
||||
with spending keys and payment addresses that are amenable to future scalability
|
||||
improvements.
|
||||
|
||||
|
||||
Motivation
|
||||
==========
|
||||
|
||||
TBD
|
||||
|
||||
|
||||
Specification
|
||||
=============
|
||||
|
||||
The Orchard protocol is specified as an update to the Zcash Protocol Specification
|
||||
[#orchard-spec]_. Given that it largely follows the design of the Sapling protocol, we
|
||||
provide here a list of differences, with references to their normative specifications
|
||||
and associated design rationale.
|
||||
|
||||
Curves
|
||||
------
|
||||
|
||||
The Orchard protocol uses the Pallas / Vesta curve cycle, in place of BLS12-381 and its
|
||||
embedded curve Jubjub:
|
||||
|
||||
- Pallas is used as the "application curve", on which the Orchard protocol itself is
|
||||
implemented (c/f Jubjub).
|
||||
- Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas)
|
||||
is the "word" type over which the circuit is implemented (c/f BLS12-381).
|
||||
|
||||
We use (version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ to
|
||||
implement :math:`\mathsf{GroupHash}`, instead of the BLAKE2s-based mechanism used for
|
||||
Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
|
||||
:math:`\mathsf{GroupHash}`.
|
||||
|
||||
The presence of the curve cycle is an explicit design choice. This ZIP only uses half of
|
||||
the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be
|
||||
leveraged by future ZIPs.
|
||||
|
||||
- Curve specifications: [#spec-pasta]_
|
||||
- Group hash: [#spec-pasta-grouphash]_
|
||||
- Supporting evidence: [#pasta-evidence]_
|
||||
|
||||
Proving system
|
||||
--------------
|
||||
|
||||
Orchard uses the Halo 2 proving system with the UltraPLONK arithmetization (UPA), instead
|
||||
of Groth16 and R1CS.
|
||||
|
||||
This ZIP does not make use of Halo 2's support for recursive proofs, but this is expected
|
||||
to be leveraged by future ZIPs.
|
||||
|
||||
- Halo 2 protocol description: TODO
|
||||
- UltraPLONK Arithmetization: [#concepts-upa]_
|
||||
- Halo 2 explanation and design rationale: [#design-halo2]_
|
||||
|
||||
Circuit
|
||||
-------
|
||||
|
||||
Orchard uses a single circuit for both spends and outputs, similar to Sprout. An "action"
|
||||
contains both a single (possibly dummy) note being spent, and a single (possibly dummy)
|
||||
note being created.
|
||||
|
||||
An Orchard transaction contains a "bundle" of actions, and a single Halo 2 proof that
|
||||
covers all of the actions in the bundle.
|
||||
|
||||
- Action description: [#spec-actions]_
|
||||
- Circuit statement: [#spec-action-statement]_
|
||||
- Design rationale: [#design-actions]_
|
||||
|
||||
Commitments
|
||||
-----------
|
||||
|
||||
The Orchard protocol has equivalent commitment schemes to Sapling. For non-homomorphic
|
||||
commitments, Orchard uses the UPA-efficient Sinsemilla in place of Bowe--Hopwood Pedersen
|
||||
hashes.
|
||||
|
||||
- Sinsemilla hash function: [#spec-sinsemilla-hash]_
|
||||
- Sinsemilla commitments: [#spec-sinsemilla-comm]_
|
||||
- Design rationale: [#design-commitments]_
|
||||
|
||||
Commitment tree
|
||||
---------------
|
||||
|
||||
Orchard uses an identical commitment tree structure to Sapling, except that we instantiate
|
||||
it with Sinsemilla instead of a Bowe-Hopwood Pedersen hash.
|
||||
|
||||
- Design rationale and considered alternatives: [#design-tree]_
|
||||
|
||||
Keys and addresses
|
||||
------------------
|
||||
|
||||
Orchard keys and payment addresses are structurally similar to Sapling, with the following
|
||||
changes:
|
||||
|
||||
- The proof authorizing key is removed, and :math:`\mathsf{nk}` is now a field element.
|
||||
- :math:`\mathsf{ivk}` is computed as a Sinsemilla commitment instead of a BLAKE2s output.
|
||||
- :math:`\mathsf{ovk}` is derived from :math:`\mathsf{fvk}`, instead of being a component
|
||||
of the spending key.
|
||||
- All diversifiers now result in valid payment addresses.
|
||||
|
||||
Keys and addresses are encoded using Bech32. Orchard addresses used with the Zcash mainnet
|
||||
have the prefix "zo" (compared to "zc" for Sprout and "zs" for Sapling).
|
||||
|
||||
Orchard keys may be derived in a hierarchical deterministic (HD) manner. We do not adapt
|
||||
the Sapling HD mechanism from ZIP 32 [#zip-0032]_ to Orchard; instead, we define a simple
|
||||
hardened-only derivation mechanism.
|
||||
|
||||
- Key components diagram: [#spec-addrs-keys]_
|
||||
- Key components specification: [#spec-keys]_
|
||||
- Encodings and HRPs: [#spec-encoding-addr]_ [#spec-encoding-ivk]_ [#spec-encoding-fvk]_
|
||||
[#spec-encoding-sk]_
|
||||
- HD key derivation specification: TODO
|
||||
|
||||
- Needs to be hierarchical, but output only needs to be uniform 32 bytes.
|
||||
- Probably just `BLAKE2b-256(derivation_path)`, in line with our existing primitives.
|
||||
|
||||
- Design rationale: [#design-keys]_
|
||||
|
||||
Notes
|
||||
-----
|
||||
|
||||
Orchard notes have the structure :math:`(addr, v, \rho, \psi, \mathsf{rcm})`. :math:`\psi`
|
||||
and :math:`\mathsf{rcm}` are derived from a random seed (as with Sapling after ZIP 212
|
||||
[#zip-0212]_).
|
||||
|
||||
- Orchard notes: [#spec-notes]_
|
||||
|
||||
Nullifiers
|
||||
----------
|
||||
|
||||
Nullifiers for Orchard notes are computed as:
|
||||
|
||||
:math:`\mathsf{nf} = [F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf{cm}`
|
||||
|
||||
where :math:`F` is instantiated with Poseidon, and :math:`\mathcal{G}` is a fixed
|
||||
independent base.
|
||||
|
||||
- Poseidon: TODO
|
||||
- Design rationale and considered alternatives: [#design-nullifiers]_
|
||||
|
||||
Signatures
|
||||
----------
|
||||
|
||||
Orchard uses RedPallas (RedDSA instantiated with the Pallas curve) as its signature scheme
|
||||
in place of Sapling's RedJubjub (RedDSA instantiated with the Jubjub curve).
|
||||
|
||||
- RedPallas: [#spec-redpallas]_
|
||||
|
||||
|
||||
Additional Rationale
|
||||
====================
|
||||
|
||||
TBD
|
||||
|
||||
|
||||
Security and Privacy Considerations
|
||||
===================================
|
||||
|
||||
TBD
|
||||
|
||||
|
||||
Deployment
|
||||
==========
|
||||
|
||||
This ZIP is proposed to activate with Network Upgrade 5.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
.. [#orchard-spec] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal] <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf>`_
|
||||
.. [#spec-addrs-keys] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.1: Payment Addresses and Keys <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#addressesandkeys>`_
|
||||
.. [#spec-notes] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.2: Notes <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#notes>`_
|
||||
.. [#spec-actions] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 3.7: Action Transfers and their Descriptions <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actions>`_
|
||||
.. [#spec-action-statement] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. 4.17.4: Action Statement (Orchard) <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#actionstatement>`_
|
||||
.. [#spec-keys] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 4.2.3: Orchard Key Components <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardkeycomponents>`_
|
||||
.. [#spec-sinsemilla-hash] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.1.9: Sinsemilla Hash Function <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillahash>`_
|
||||
.. [#spec-redpallas] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.6: RedDSA, RedJubjub, and RedPallas <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretereddsa>`_
|
||||
.. [#spec-sinsemilla-comm] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.7.4: Sinsemilla commitments <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretesinsemillacommit>`_
|
||||
.. [#spec-pasta] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.6: Pallas and Vesta <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#pallasandvesta>`_
|
||||
.. [#spec-pasta-grouphash] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.4.8.8: Group Hash into Pallas and Vesta <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#concretegrouphashpallasandvesta>`_
|
||||
.. [#spec-encoding-addr] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.5: Orchard Payment Address <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardpaymentaddrencoding>`_
|
||||
.. [#spec-encoding-ivk] `Zcash Protocol Specification, Version 2021.1.16-gc8c7dd [Orchard proposal]. Section 5.6.8: Orchard Incoming Viewing Keys <https://raw.githubusercontent.com/daira/zips/orchard-circuit/protocol/orchard.pdf#orchardinviewingkeyencoding>`_
|
||||
.. [#spec-encoding-fvk] TODO
|
||||
.. [#spec-encoding-sk] TODO
|
||||
.. [#concepts-upa] `The halo2 Book: 1.2 UltraPLONK Arithmetization <https://zcash.github.io/halo2/concepts/arithmetization.html>`_
|
||||
.. [#design-halo2] `The halo2 Book: 3.1. Proving system <https://zcash.github.io/halo2/design/proving-system.html>`_
|
||||
.. [#design-keys] `The Orchard Book: 3.1. Keys and addresses <https://zcash.github.io/orchard/design/keys.html>`_
|
||||
.. [#design-actions] `The Orchard Book: 3.2. Actions <https://zcash.github.io/orchard/design/actions.html>`_
|
||||
.. [#design-commitments] `The Orchard Book: 3.3. Commitments <https://zcash.github.io/orchard/design/commitments.html>`_
|
||||
.. [#design-tree] `The Orchard Book: 3.4. Commitment tree <https://zcash.github.io/orchard/design/commitment-tree.html>`_
|
||||
.. [#design-nullifiers] `The Orchard Book: 3.5. Nullifiers <https://zcash.github.io/orchard/design/nullifiers.html>`_
|
||||
.. [#zip-0032] `ZIP 32: Shielded Hierarchical Deterministic Wallets <zip-0032.rst>`_
|
||||
.. [#zip-0212] `ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext <zip-0212.rst>`_
|
||||
.. [#ietf-hash-to-curve] `draft-irtf-cfrg-hash-to-curve-10: Hashing to Elliptic Curves <https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.html>`_
|
||||
.. [#pasta-evidence] `Pallas/Vesta supporting evidence <https://github.com/zcash/pasta>`_
|
||||
|
|
Loading…
Reference in New Issue