From a83a64fefc05a3c612c8a4302c61b017ed542cbf Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sun, 5 Jul 2020 17:17:59 +0100 Subject: [PATCH] ZIPs 207, 214, 215 and 251: some suggested changes from NCC audit. Signed-off-by: Daira Hopwood --- zip-0207.html | 80 ++++++++++++++++++++++++++++++--------------------- zip-0207.rst | 18 ++++++------ zip-0214.html | 69 ++++++++++++++++++++++---------------------- zip-0214.rst | 22 +++++++------- zip-0215.html | 34 ++++++++++++++++++---- zip-0215.rst | 21 ++++++++++---- zip-0251.html | 73 +++++++++++++++++++++++++--------------------- zip-0251.rst | 17 ++++++----- 8 files changed, 197 insertions(+), 137 deletions(-) diff --git a/zip-0207.html b/zip-0207.html index d23bd327..cb142ea3 100644 --- a/zip-0207.html +++ b/zip-0207.html @@ -17,33 +17,33 @@ Created: 2019-01-04 License: MIT

Terminology

The key words "MUST", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

-

The terms "block subsidy" and "halving" in this document are to be interpreted as described in sections 3.9 and 7.7 of the Zcash Protocol Specification. 3 5

-

The terms "consensus branch" and "network upgrade" in this document are to be interpreted as described in ZIP 200. 8

+

The terms "block subsidy" and "halving" in this document are to be interpreted as described in sections 3.9 and 7.7 of the Zcash Protocol Specification. 4 7

+

The terms "consensus branch" and "network upgrade" in this document are to be interpreted as described in ZIP 200. 10

The terms below are to be interpreted as follows:

Canopy
Code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4.
Testnet
-
The Zcash test network, as defined in the Zcash Protocol Specification. 2
+
The Zcash test network, as defined in the Zcash Protocol Specification. 3
Mainnet
-
The Zcash production network, as defined in the Zcash Protocol Specification. 2
+
The Zcash production network, as defined in the Zcash Protocol Specification. 3

Abstract

This proposal specifies a mechanism to support funding streams, distributed from a portion of the block subsidy for a specified range of block heights.

-

This is intended as a means of implementing the Zcash Development Fund, using the funding stream definitions specified in ZIP 214 12. It should be read in conjunction with ZIP 1014 14, which describes the high-level requirements for that fund.

+

This is intended as a means of implementing the Zcash Development Fund, using the funding stream definitions specified in ZIP 214 14. It should be read in conjunction with ZIP 1014 16, which describes the high-level requirements for that fund.

Motivation

-

Motivation for the Zcash Development Fund is considered in ZIP 1014 14.

+

Motivation for the Zcash Development Fund is considered in ZIP 1014 16.

This ZIP 207 was originally proposed for the Blossom network upgrade, as a means of splitting the original Founders' Reward into several streams. It was then withdrawn when such splitting was judged to be unnecessary at the consensus level. Since the capabilities of the funding stream mechanism match the requirements for the Zcash Development Fund, the ZIP is being reintroduced for that purpose in order to reuse specification, analysis, and implementation effort.

Requirements

-

The primary requirement of this ZIP is to provide a mechanism for specifying the funding streams that are used in ZIP 214 12 to implement the Zcash Development Fund. It should be sufficiently expressive to handle both the main three "slices" (ECC, ZF, and MG) defined in ZIP 1014 14, and also (with additional funding stream definitions) the "direct grant option" described in that ZIP.

+

The primary requirement of this ZIP is to provide a mechanism for specifying the funding streams that are used in ZIP 214 14 to implement the Zcash Development Fund. It should be sufficiently expressive to handle both the main three "slices" (ECC, ZF, and MG) defined in ZIP 1014 16, and also (with additional funding stream definitions) the "direct grant option" described in that ZIP.

As for the original Founders' Reward, addresses for a given funding stream are changed on a roughly-monthly basis, so that keys that are not yet needed may be kept off-line as a security measure.

Specification

Definitions

-

We use the following constants and functions defined in 4, 5, and 6:

+

We use the following constants and functions defined in 5, 6, 7, and 8:

  • \(\mathsf{BlossomActivationHeight}\) @@ -74,7 +74,7 @@ License: MIT

Funding streams

A funding stream is defined by a block subsidy fraction (represented as a numerator and a denominator), a start height (inclusive), and an end height (exclusive).

-

By defining the issuance as a proportion of the total block subsidy, rather than absolute zatoshis, this ZIP dovetails with any changes to both block target spacing and issuance-per-block rates. Such a change occurred at the Blossom network upgrade, for example. 9

+

By defining the issuance as a proportion of the total block subsidy, rather than absolute zatoshis, this ZIP dovetails with any changes to both block target spacing and issuance-per-block rates. Such a change occurred at the Blossom network upgrade, for example. 11

The value of a funding stream at a given block height is defined as:

\(\mathsf{FundingStream[FUND].Value}(\mathsf{height}) = \mathsf{floor}\left( @@ -196,17 +196,17 @@ License: MIT

On Mainnet, Canopy is planned to activate exactly at the point when the Founders' Reward expires, at block height 1046400. On Testnet, there will be a shortened Founders' Reward address period prior to Canopy activation.

Consensus rules

-

Prior to activation of the Canopy network upgrade, the existing consensus rule for payment of the original Founders' Reward is enforced. 6

+

Prior to activation of the Canopy network upgrade, the existing consensus rule for payment of the original Founders' Reward is enforced. 8

Once the Canopy network upgrade activates:

    -
  • The existing consensus rule for payment of the Founders' Reward 6 is no longer active. (This would be the case under the preexisting consensus rules for Mainnet, but not for Testnet.)
  • +
  • The existing consensus rule for payment of the Founders' Reward 8 is no longer active. (This would be the case under the preexisting consensus rules for Mainnet, but not for Testnet.)
  • The coinbase transaction in each block MUST contain at least one output per active funding stream that pays the stream's value in the prescribed way to the stream's recipient address for the block's height.
  • The "prescribed way" to pay a transparent P2SH address is to use a standard P2SH script of the form OP_HASH160 RedeemScriptHash(height) OP_EQUAL as the scriptPubKey.
  • -
  • The "prescribed way" to pay a Sapling address is as defined in 11. That is, all Sapling outputs in coinbase transactions (including, but not limited to, outputs for funding streams) MUST have valid note commitments when recovered using a 32-byte array of zeroes as the outgoing viewing key. In this case the note plaintext lead byte MUST be +
  • The "prescribed way" to pay a Sapling address is as defined in 13. That is, all Sapling outputs in coinbase transactions (including, but not limited to, outputs for funding streams) MUST have valid note commitments when recovered using a 32-byte array of zeroes as the outgoing viewing key. In this case the note plaintext lead byte MUST be \(\mathbf{0x02}\) - , as specified in 10.
  • + , as specified in 12.
-

For the funding stream definitions to be activated at Canopy, see ZIP 214. 12 Funding stream definitions can be added, changed, or deleted in ZIPs associated with subsequent network upgrades, subject to the ZIP process. 7

+

For the funding stream definitions to be activated at Canopy, see ZIP 214. 14 Funding stream definitions can be added, changed, or deleted in ZIPs associated with subsequent network upgrades, subject to the ZIP process. 9

Example implementation

struct FundingPeriod {
@@ -371,7 +371,7 @@ License: MIT

Deployment

-

This proposal is intended to be deployed with Canopy. 13

+

This proposal is intended to be deployed with Canopy. 15

Backward compatibility

This proposal intentionally creates what is known as a "bilateral consensus rule change". Use of this mechanism requires that all network participants upgrade their software to a compatible version within the upgrade window. Older software will treat post-upgrade blocks as invalid, and will follow any pre-upgrade consensus branch that persists.

@@ -392,46 +392,62 @@ License: MIT 2 - Zcash Protocol Specification, Version 2020.1.1 or later + Zcash Protocol Specification, Version 2020.1.9 or later [Canopy] + + + + + + + +
3Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.11: Mainnet and Testnet
- - + +
3Section 3.9: Block Subsidy and Founders' Reward. Zcash Protocol Specification, Version 2020.1.1 or later4Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.9: Block Subsidy and Founders' Reward
- - + + + + +
4Section 5.3: Constants. Zcash Protocol Specification, Version 2020.1.1 or later5Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 5.3: Constants
+ + + + +
6Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.6.3: Difficulty adjustment
- - + +
5Section 7.7: Calculation of Block Subsidy and Founders' Reward. Zcash Protocol Specification, Version 2020.1.1 or later7Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.7: Calculation of Block Subsidy and Founders' Reward
- - + +
6Section 7.8: Payment of Founders' Reward. Zcash Protocol Specification, Version 2020.1.1 or later8Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.8: Payment of Founders' Reward
- + @@ -439,7 +455,7 @@ License: MIT
79 ZIP 0: ZIP Process
- + @@ -447,7 +463,7 @@ License: MIT
810 ZIP 200: Network Upgrade Mechanism
- + @@ -455,7 +471,7 @@ License: MIT
911 ZIP 208: Shorter Block Target Spacing
- + @@ -463,7 +479,7 @@ License: MIT
1012 ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext
- + @@ -471,7 +487,7 @@ License: MIT
1113 ZIP 213: Shielded Coinbase
- + @@ -479,7 +495,7 @@ License: MIT
1214 ZIP 214: Consensus rules for a Zcash Development Fund
- + @@ -487,7 +503,7 @@ License: MIT
1315 ZIP 251: Deployment of the Canopy Network Upgrade
- + diff --git a/zip-0207.rst b/zip-0207.rst index 778fa1ab..2c4a5498 100644 --- a/zip-0207.rst +++ b/zip-0207.rst @@ -28,9 +28,9 @@ The terms below are to be interpreted as follows: Canopy Code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4. Testnet - The Zcash test network, as defined in the Zcash Protocol Specification. [#protocol]_ + The Zcash test network, as defined in the Zcash Protocol Specification. [#protocol-networks]_ Mainnet - The Zcash production network, as defined in the Zcash Protocol Specification. [#protocol]_ + The Zcash production network, as defined in the Zcash Protocol Specification. [#protocol-networks]_ Abstract @@ -81,7 +81,7 @@ Definitions ----------- We use the following constants and functions defined in [#protocol-constants]_, -[#protocol-subsidies]_, and [#protocol-foundersreward]_: +[#protocol-diffadjustment]_, [#protocol-subsidies]_, and [#protocol-foundersreward]_: - :math:`\mathsf{BlossomActivationHeight}` - :math:`\mathsf{PostBlossomHalvingInterval}` @@ -398,11 +398,13 @@ References ========== .. [#RFC2119] `Key words for use in RFCs to Indicate Requirement Levels `_ -.. [#protocol] `Zcash Protocol Specification, Version 2020.1.1 or later `_ -.. [#protocol-subsidyconcepts] `Section 3.9: Block Subsidy and Founders' Reward. Zcash Protocol Specification, Version 2020.1.1 or later `_ -.. [#protocol-constants] `Section 5.3: Constants. Zcash Protocol Specification, Version 2020.1.1 or later `_ -.. [#protocol-subsidies] `Section 7.7: Calculation of Block Subsidy and Founders' Reward. Zcash Protocol Specification, Version 2020.1.1 or later `_ -.. [#protocol-foundersreward] `Section 7.8: Payment of Founders' Reward. Zcash Protocol Specification, Version 2020.1.1 or later `_ +.. [#protocol] `Zcash Protocol Specification, Version 2020.1.9 or later [Canopy] `_ +.. [#protocol-networks] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.11: Mainnet and Testnet `_ +.. [#protocol-subsidyconcepts] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.9: Block Subsidy and Founders' Reward `_ +.. [#protocol-constants] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 5.3: Constants `_ +.. [#protocol-diffadjustment] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.6.3: Difficulty adjustment `_ +.. [#protocol-subsidies] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.7: Calculation of Block Subsidy and Founders' Reward `_ +.. [#protocol-foundersreward] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.8: Payment of Founders' Reward `_ .. [#zip-0000] `ZIP 0: ZIP Process `_ .. [#zip-0200] `ZIP 200: Network Upgrade Mechanism `_ .. [#zip-0208] `ZIP 208: Shorter Block Target Spacing `_ diff --git a/zip-0214.html b/zip-0214.html index 27c8ee3c..80900f17 100644 --- a/zip-0214.html +++ b/zip-0214.html @@ -16,20 +16,13 @@ License: MIT Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polling-results-nu4-and-draft-zip-1014/35560>

Terminology

The key words "MUST", "SHALL", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

-

The term "Zcash" in this document is to be interpreted as described in the Zcash Trademark Donation and License Agreement (5 or successor agreement).

-

The term "network upgrade" in this document is to be interpreted as described in ZIP 200 7 and the Zcash Trademark Donation and License Agreement (5 or successor agreement).

-

The term "block subsidy" in this document is to be interpreted as described in section 3.9 of the Zcash Protocol Specification 3.

-

The term "halving" in this document are to be interpreted as described in sections 7.7 of the Zcash Protocol Specification 4.

-

The terms "Electric Coin Company" (or "ECC"), "Zcash Foundation" (or "ZF"), "Major Grants", "ECC slice", "ZF slice", and "MG slice" in this document are to be interpreted as described in ZIP 1014 11.

-

The terms below are to be interpreted as follows:

-
-
Canopy
-
Code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4.
-
Testnet
-
The Zcash test network, as defined in 2.
-
Mainnet
-
The Zcash production network, as defined in 2.
-
+

The term "Zcash" in this document is to be interpreted as described in the Zcash Trademark Donation and License Agreement (6 or successor agreement).

+

The term "network upgrade" in this document is to be interpreted as described in ZIP 200 8 and the Zcash Trademark Donation and License Agreement (6 or successor agreement).

+

The term "block subsidy" in this document is to be interpreted as described in section 3.9 of the Zcash Protocol Specification 4.

+

The term "halving" in this document are to be interpreted as described in sections 7.7 of the Zcash Protocol Specification 5.

+

The terms "Electric Coin Company" (or "ECC"), "Zcash Foundation" (or "ZF"), "Major Grants", "ECC slice", "ZF slice", and "MG slice" in this document are to be interpreted as described in ZIP 1014 12.

+

The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.11 of the Zcash Protocol Specification 3.

+

"Canopy" is the code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4.

Abstract

This ZIP describes consensus rule changes interpreting the proposed structure of the Zcash Development Fund, which is to be enacted in Network Upgrade 4 and last for 4 years.

@@ -38,7 +31,7 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli

This ZIP concerns the Zcash Mainnet and Testnet, and is not intended to be applicable to other block chains using Zcash technology.

Motivation

-

Motivation for the Zcash Development Fund itself is considered in ZIP 1014 11, which gives a high-level description of the intended structure of the fund.

+

Motivation for the Zcash Development Fund itself is considered in ZIP 1014 12, which gives a high-level description of the intended structure of the fund.

An important motivation for describing the consensus rules in a separate ZIP is to avoid making unintended changes to ZIP 1014, which has already been agreed between ECC, ZF, and the Zcash community. This facilitates critically assessing whether the consensus rule changes accurately reflect the intent of ZIP 1014.

Requirements

@@ -49,9 +42,9 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli

This ZIP is not required to enforce provisions of ZIP 1014 that fall outside what is implementable by Zcash consensus rules.

Specification

-

The Blossom network upgrade changed the height of the first halving to block height 1046400 9, as a consequence of reducing the block target spacing from 150 seconds to 75 seconds.

+

The Blossom network upgrade changed the height of the first halving to block height 1046400 10, as a consequence of reducing the block target spacing from 150 seconds to 75 seconds.

Since ZIP 1014 specifies that the Zcash Development Fund starts at the first halving, the activation height of Canopy on Mainnet therefore SHALL be 1046400.

-

ZIP 207 8 SHALL be activated in Canopy.

+

ZIP 207 9 SHALL be activated in Canopy.

The following funding streams are defined for Mainnet:

1416 ZIP 1014: Establishing a Dev Fund for ECC, ZF, and Major Grants
@@ -89,7 +82,7 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli
-

As specified in 8, a funding stream is active for a span of blocks that includes the block at its start height, but excludes the block at its end height.

+

As specified in 9, a funding stream is active for a span of blocks that includes the block at its start height, but excludes the block at its end height.

The funding streams defined for Testnet are identical except that the start height of each stream is the activation height of Canopy on Testnet, i.e. TODO.

Note: on Testnet, the activation height of Canopy will be before the first halving. Therefore, the consequence of the above rules for Testnet is that the amount sent to each Zcash Development Fund recipient address will initially (before Testnet block height 1046400) be double the number of currency units as the corresponding initial amount on Mainnet. This reduces to the same number of currency units as on Mainnet, from Testnet block heights 1046400 (inclusive) to 2726400 (exclusive).

Dev Fund Recipient Addresses

@@ -99,10 +92,10 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli
  • ZF SHALL generate the addresses for the FS_ZF and FS_MG funding streams, which on Mainnet correspond to the ZF slice and MG slice respectively.
  • Within each stream, the addresses MAY be independent, or MAY be repeated between funding periods. Each party SHOULD take account of operational security issues associated with potential compromise of the associated spending keys.

    -

    Funds sent to each Mainnet funding stream SHALL be governed by all requirements on the corresponding slice specified in ZIP 1014 11.

    +

    Funds sent to each Mainnet funding stream SHALL be governed by all requirements on the corresponding slice specified in ZIP 1014 12.

    No requirements are imposed on the use of funds sent to Testnet funding streams.

    Direct-grant option

    -

    ZIP 1014 specifies a "direct-grant option" by which, if agreed upon by both ECC and ZF before Canopy activation, some portion of the MG slice may be directly assigned to the grantee(s), rather than accepted and disbursed by ZF. 11

    +

    ZIP 1014 specifies a "direct-grant option" by which, if agreed upon by both ECC and ZF before Canopy activation, some portion of the MG slice may be directly assigned to the grantee(s), rather than accepted and disbursed by ZF. 12

    The funding stream mechanism allows for this option by adding a funding stream corresponding to each direct grantee, with addresses generated by ZF. In this case the total value of funding streams assigned to direct grantees MUST be subtracted from the value of the funding stream for the remaining MG slice (or, if all Major Grants are direct, replace the funding stream for the MG slice).

    For each network upgrade after Canopy requiring modifications to the set of direct grantees, a separate ZIP SHOULD be published specifying those modifications.

    @@ -124,13 +117,13 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli

    Rationale

    -

    The rationale for ZF generating the addresses for the ZF_MG funding stream is that ZF is the financial recipient of the MG slice as specified in ZIP 1014. 11

    +

    The rationale for ZF generating the addresses for the ZF_MG funding stream is that ZF is the financial recipient of the MG slice as specified in ZIP 1014. 12

    Generation of recipient addresses for Testnet is specified to be done by the same parties as on Mainnet, in order to allow practicing each party's security procedures.

    Since Testnet is ahead of Mainnet in terms of block height (by ~77000 blocks at the time of writing, which is the equivalent of ~67 days at the post-Blossom block target spacing), the activation height and the start heights of the funding streams could have also been set to 1046400 on Testnet. However, 67 days is arguably too short a testing period, and the block rate on Testnet is less predictable than on Mainnet.

    It was judged to be unnecessary to have a mechanism to update funding stream definitions (in case of security breach or changes to direct grant recipients) other than at network upgrades.

    Deployment

    -

    This proposal is intended to be deployed with Canopy. 10

    +

    This proposal is intended to be deployed with Canopy. 11

    References

    @@ -145,30 +138,38 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli - +
    2Zcash Protocol Specification, Version 2020.1.1 or laterZcash Protocol Specification, Version 2020.1.9 or later [Canopy]
    - +
    - +
    3Zcash Protocol Specification, Version 2020.1.4. Section 3.9: Block Subsidy and Founders' RewardZcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.11: Mainnet and Testnet
    - +
    - + + + +
    4Zcash Protocol Specification, Version 2020.1.4. Section 7.7: Calculation of Block Subsidy and Founders' RewardZcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.9: Block Subsidy and Founders' Reward
    + + + + +
    5Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.7: Calculation of Block Subsidy and Founders' Reward
    - + @@ -176,7 +177,7 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli
    56 Zcash Trademark Donation and License Agreement
    - + @@ -184,7 +185,7 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli
    67 The Open Source Definition
    - + @@ -192,7 +193,7 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli
    78 ZIP 200: Network Upgrade Mechanism
    - + @@ -200,7 +201,7 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli
    89 ZIP 207: Funding Streams
    - + @@ -208,7 +209,7 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli
    910 ZIP 208: Shorter Block Target Spacing
    - + @@ -216,7 +217,7 @@ Discussions-To: <https://forum.zcashcommunity.com/t/community-sentiment-polli
    1011 ZIP 251: Deployment of the Canopy Network Upgrade
    - + diff --git a/zip-0214.rst b/zip-0214.rst index 85f285ff..69374265 100644 --- a/zip-0214.rst +++ b/zip-0214.rst @@ -25,23 +25,20 @@ described in ZIP 200 [#zip-0200]_ and the Zcash Trademark Donation and License Agreement ([#trademark]_ or successor agreement). The term "block subsidy" in this document is to be interpreted as described in -section 3.9 of the Zcash Protocol Specification [#protocol-blocksubsidy]_. +section 3.9 of the Zcash Protocol Specification [#protocol-subsidyconcepts]_. The term "halving" in this document are to be interpreted as described in -sections 7.7 of the Zcash Protocol Specification [#protocol-calculation]_. +sections 7.7 of the Zcash Protocol Specification [#protocol-subsidies]_. The terms "Electric Coin Company" (or "ECC"), "Zcash Foundation" (or "ZF"), "Major Grants", "ECC slice", "ZF slice", and "MG slice" in this document are to be interpreted as described in ZIP 1014 [#zip-1014]_. -The terms below are to be interpreted as follows: +The terms "Testnet" and "Mainnet" are to be interpreted as described in +section 3.11 of the Zcash Protocol Specification [#protocol-networks]_. -Canopy - Code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4. -Testnet - The Zcash test network, as defined in [#protocol]_. -Mainnet - The Zcash production network, as defined in [#protocol]_. +"Canopy" is the code-name for the fifth Zcash network upgrade, also known as +Network Upgrade 4. Abstract @@ -360,9 +357,10 @@ References ========== .. [#RFC2119] `Key words for use in RFCs to Indicate Requirement Levels `_ -.. [#protocol] `Zcash Protocol Specification, Version 2020.1.1 or later `_ -.. [#protocol-blocksubsidy] `Zcash Protocol Specification, Version 2020.1.4. Section 3.9: Block Subsidy and Founders' Reward `_ -.. [#protocol-calculation] `Zcash Protocol Specification, Version 2020.1.4. Section 7.7: Calculation of Block Subsidy and Founders' Reward `_ +.. [#protocol] `Zcash Protocol Specification, Version 2020.1.9 or later [Canopy] `_ +.. [#protocol-networks] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.11: Mainnet and Testnet `_ +.. [#protocol-subsidyconcepts] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.9: Block Subsidy and Founders' Reward `_ +.. [#protocol-subsidies] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.7: Calculation of Block Subsidy and Founders' Reward `_ .. [#trademark] `Zcash Trademark Donation and License Agreement `_ .. [#osd] `The Open Source Definition `_ .. [#zip-0200] `ZIP 200: Network Upgrade Mechanism `_ diff --git a/zip-0215.html b/zip-0215.html index c87d24ba..14015874 100644 --- a/zip-0215.html +++ b/zip-0215.html @@ -21,13 +21,13 @@ License: BSD-2-Clause

    Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 2 need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature validity from an obsolete version of libsodium. Instead, this ZIP settles the situation by explicitly defining the Ed25519 validity criteria and changing them to be compatible with batch validation.

    Motivation

    -

    The lack of clear validity criteria for Ed25519 signatures poses a maintenance burden. The initial implementation of Zcash consensus in zcashd inherited validity criteria from a then-current version of libsodium (1.0.15). Due to a bug in libsodium, this was different from the intended criteria documented in the Zcash protocol specification 3 (before the specification was changed to match libsodium 1.0.15 in specification version 2020.1.2). Also, libsodium never guaranteed stable validity criteria, and changed behavior in a later point release. This forced zcashd to use an older version of the library before eventually patching a newer version to have consistent validity criteria. To be compatible, Zebra had to implement a special library, ed25519-zebra to provide Zcash-flavored Ed25519, attempting to match libsodium 1.0.15 exactly. And the initial attempt to implement ed25519-zebra was also incompatible, because it precisely matched the wrong compile-time configuration of libsodium.

    +

    The lack of clear validity criteria for Ed25519 signatures poses a maintenance burden. The initial implementation of Zcash consensus in zcashd inherited validity criteria from a then-current version of libsodium (1.0.15). Due to a bug in libsodium, this was different from the intended criteria documented in the Zcash protocol specification 3 (before the specification was changed to match libsodium 1.0.15 in specification version 2020.1.2). Also, libsodium never guaranteed stable validity criteria, and changed behavior in a later point release. This forced zcashd to use an older version of the library before eventually patching a newer version to have consistent validity criteria. To be compatible, Zebra had to implement a special library, ed25519-zebra to provide Zcash-flavored Ed25519, attempting to match libsodium 1.0.15 exactly. And the initial attempt to implement ed25519-zebra was also incompatible, because it precisely matched the wrong compile-time configuration of libsodium.

    In addition, the validity criteria used by Zcash preclude the use of batch validation of Ed25519 signatures. While signature validation is not the primary bottleneck for Zcash, it would be nice to be able to batch-validate signatures, as is the case for RedJubjub.

    Specification

    After activation of this ZIP, the \(\mathsf{JoinSplitSig}\) - validation rules in §5.4.5 of the protocol specification 3 are changed to the following:

    + validation rules in 5 are changed to the following:

    • \(\underline{A}\) @@ -77,7 +77,7 @@ License: BSD-2-Clause

      This change has no effect on honestly-generated signatures. Unlike the current validation rules, it makes it possible for a user to generate weak signing keys or to generate signing keys with nonzero torsion component and submit them to the blockchain. However, doing so provides them with no advantage, only compromise to their own security. Moreover, these cases are not a failure mode of any deployed implementation.

    Deployment

    -

    This is intended to be deployed with the Canopy Network Upgrade, which is scheduled to activate on Mainnet at block height 1046400.

    +

    This is intended to be deployed with the Canopy Network Upgrade 6, which is scheduled to activate on Mainnet 4 at block height 1046400.

    References

    1112 ZIP 1014: Establishing a Dev Fund for ECC, ZF, and Major Grants
    @@ -96,11 +96,35 @@ License: BSD-2-Clause
    - +
    - + + + +
    3Zcash Protocol Specification, Version 2020.1.5 or later [Overwinter+Sapling+Blossom+Heartwood]Zcash Protocol Specification, Version 2020.1.1
    + + + + + + + +
    4Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.11: Mainnet and Testnet
    + + + + + + + +
    5Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 5.4.5: Ed25519
    + + + + +
    6ZIP 251: Deployment of the Canopy Network Upgrade
    diff --git a/zip-0215.rst b/zip-0215.rst index 246f716b..b600ec30 100644 --- a/zip-0215.rst +++ b/zip-0215.rst @@ -15,6 +15,7 @@ Terminology The key words "MUST" and "MUST NOT" in this document is to be interpreted as described in RFC 2119. [#RFC2119]_ + Abstract ======== @@ -27,6 +28,7 @@ inherits criteria for signature validity from an obsolete version of Ed25519 validity criteria and changing them to be compatible with batch validation. + Motivation ========== @@ -35,7 +37,7 @@ maintenance burden. The initial implementation of Zcash consensus in `zcashd` inherited validity criteria from a then-current version of `libsodium` (1.0.15). Due to `a bug in libsodium `_, this was different from the intended criteria documented in the Zcash protocol -specification [#protocol]_ (before the specification was changed to match +specification [#protocol-2020.1.1]_ (before the specification was changed to match `libsodium` 1.0.15 in specification version 2020.1.2). Also, `libsodium` never guaranteed stable validity criteria, and changed behavior in a later point release. This forced `zcashd` to use an older version of the library before @@ -50,11 +52,12 @@ validation of Ed25519 signatures. While signature validation is not the primary bottleneck for Zcash, it would be nice to be able to batch-validate signatures, as is the case for RedJubjub. + Specification ============= After activation of this ZIP, the :math:`\mathsf{JoinSplitSig}` validation rules -in §5.4.5 of the protocol specification [#protocol]_ are changed to the following: +in [#protocol-concreteed25519]_ are changed to the following: - :math:`\underline{A}` and :math:`\underline{R}` MUST be encodings of points :math:`A` and :math:`R` respectively on the complete twisted Edwards curve Ed25519; @@ -73,6 +76,7 @@ are canonical encodings; in other words, the integer encoding the Note: the alternate validation equation :math:`[S]B = R + [k]A`, allowed by RFC 8032, MUST NOT be used. + Rationale ========= @@ -84,6 +88,7 @@ existing Ed25519 signatures on the chain. It also allows the use of batch validation, which requires multiplication by the cofactor in the validation equation. + Security and Privacy Considerations =================================== @@ -94,15 +99,21 @@ the blockchain. However, doing so provides them with no advantage, only compromise to their own security. Moreover, these cases are not a failure mode of any deployed implementation. + Deployment ========== -This is intended to be deployed with the Canopy Network Upgrade, which is -scheduled to activate on Mainnet at block height 1046400. +This is intended to be deployed with the Canopy Network Upgrade [#zip-0251]_, +which is scheduled to activate on Mainnet [#protocol-networks]_ at block height +1046400. + References ========== .. [#RFC2119] `Key words for use in RFCs to Indicate Requirement Levels `_ .. [#RFC8032] `Edwards-Curve Digital Signature Algorithm (EdDSA) `_ -.. [#protocol] `Zcash Protocol Specification, Version 2020.1.5 or later [Overwinter+Sapling+Blossom+Heartwood] `_ +.. [#protocol-2020.1.1] `Zcash Protocol Specification, Version 2020.1.1 `_ +.. [#protocol-networks] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.11: Mainnet and Testnet `_ +.. [#protocol-concreteed25519] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 5.4.5: Ed25519 `_ +.. [#zip-0251] `ZIP 251: Deployment of the Canopy Network Upgrade `_ diff --git a/zip-0251.html b/zip-0251.html index 5340bdb6..b6770e42 100644 --- a/zip-0251.html +++ b/zip-0251.html @@ -15,16 +15,9 @@ Created: 2020-02-28 License: MIT

    Terminology

    The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119. 1

    -

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 3

    -

    The terms below are to be interpreted as follows:

    -
    -
    Canopy
    -
    Code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4.
    -
    Testnet
    -
    The Zcash test network, as defined in 2.
    -
    Mainnet
    -
    The Zcash production network, as defined in 2.
    -
    +

    The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 5

    +

    The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.11 of the Zcash Protocol Specification 3.

    +

    "Canopy" is the code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4.

    Abstract

    This proposal defines the deployment of the Canopy network upgrade.

    @@ -33,17 +26,17 @@ License: MIT

    Canopy deployment

    The primary sources of information about Canopy consensus protocol changes are:

      -
    • The Zcash Protocol Specification 2
    • -
    • ZIP 200: Network Upgrade Mechanism 3
    • -
    • ZIP 207: Funding Streams 5
    • -
    • ZIP 211: Disabling Addition of New Value to the Sprout Value Pool 6
    • -
    • ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext 7
    • -
    • ZIP 214: Consensus rules for a Zcash Development Fund 8
    • -
    • ZIP 215: Explicitly Defining and Modifying Ed25519 Validation Rules 9
    • -
    • ZIP 1014: Establishing a Dev Fund for ECC, ZF, and Major Grants 11.
    • +
    • The Zcash Protocol Specification 2
    • +
    • ZIP 200: Network Upgrade Mechanism 5
    • +
    • ZIP 207: Funding Streams 7
    • +
    • ZIP 211: Disabling Addition of New Value to the Sprout Value Pool 8
    • +
    • ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext 9
    • +
    • ZIP 214: Consensus rules for a Zcash Development Fund 10
    • +
    • ZIP 215: Explicitly Defining and Modifying Ed25519 Validation Rules 11
    • +
    • ZIP 1014: Establishing a Dev Fund for ECC, ZF, and Major Grants 13.
    -

    The network handshake and peer management mechanisms defined in ZIP 201 4 also apply to this upgrade.

    -

    The following network upgrade constants 3 are defined for the Canopy upgrade:

    +

    The network handshake and peer management mechanisms defined in ZIP 201 6 also apply to this upgrade.

    +

    The following network upgrade constants 5 are defined for the Canopy upgrade:

    CONSENSUS_BRANCH_ID
    0xE9FF75A6
    @@ -61,7 +54,7 @@ License: MIT * This was three days for upgrades up to and including Blossom, and is 1.5 days from Heartwood onward. */ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728; -

    The implementation is similar to that for Overwinter which was described in 4.

    +

    The implementation is similar to that for Overwinter which was described in 6.

    Once Canopy activates on testnet or mainnet, Canopy nodes SHOULD take steps to:

    • reject new connections from pre-Canopy nodes on that network;
    • @@ -72,7 +65,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;

      Backward compatibility

      Prior to the network upgrade activating on each network, Canopy and pre-Canopy nodes are compatible and can connect to each other. However, Canopy nodes will have a preference for connecting to other Canopy nodes, so pre-Canopy nodes will gradually be disconnected in the run up to activation.

      Once the network upgrades, even though pre-Canopy nodes can still accept the numerically larger protocol version used by Canopy as being valid, Canopy nodes will always disconnect peers using lower protocol versions.

      -

      Unlike Overwinter and Sapling, and like Blossom and Heartwood, Canopy does not define a new transaction version. Canopy transactions are therefore in the same v4 format as Sapling transactions; use the same version group ID, i.e. 0x892F2085 as defined in 2 section 7.1; and use the same transaction digest algorithm as defined in 10. This does not imply that transactions are valid across the Canopy activation, since signatures MUST use the appropriate consensus branch ID. 10

      +

      Unlike Overwinter and Sapling, and like Blossom and Heartwood, Canopy does not define a new transaction version. Canopy transactions are therefore in the same v4 format as Sapling transactions; use the same version group ID, i.e. 0x892F2085 as defined in 4; and use the same transaction digest algorithm as defined in 12. This does not imply that transactions are valid across the Canopy activation, since signatures MUST use the appropriate consensus branch ID. 12

      Support in zcashd

      Support for Canopy on testnet will be implemented in zcashd version 3.1.0, which will advertise protocol version 170012. Support for Canopy on mainnet will be implemented in zcashd version 4.0.0, which will advertise protocol version 170013.

      @@ -90,14 +83,30 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728; 2 - Zcash Protocol Specification, Version 2020.1.1 or later + Zcash Protocol Specification, Version 2020.1.9 or later [Canopy] + + + + + + + + + + +
      3Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.11: Mainnet and Testnet
      + + + + +
      4Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.1: Encoding of Transactions
      - + @@ -105,7 +114,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;
      35 ZIP 200: Network Upgrade Activation Mechanism
      - + @@ -113,7 +122,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;
      46 ZIP 201: Network Peer Management for Overwinter
      - + @@ -121,7 +130,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;
      57 ZIP 207: Funding Streams
      - + @@ -129,7 +138,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;
      68 ZIP 211: Disabling Addition of New Value to the Sprout Value Pool
      - + @@ -137,7 +146,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;
      79 ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext
      - + @@ -145,7 +154,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;
      810 ZIP 214: Consensus rules for a Zcash Development Fund
      - + @@ -153,7 +162,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;
      911 ZIP 215: Explicitly Defining and Modifying Ed25519 Validation Rules
      - + @@ -161,7 +170,7 @@ static const int NETWORK_UPGRADE_PEER_PREFERENCE_BLOCK_PERIOD = 1728;
      1012 ZIP 243: Transaction Signature Validation for Sapling
      - + diff --git a/zip-0251.rst b/zip-0251.rst index 747ee533..556cca7b 100644 --- a/zip-0251.rst +++ b/zip-0251.rst @@ -18,14 +18,11 @@ interpreted as described in RFC 2119. [#RFC2119]_ The term "network upgrade" in this document is to be interpreted as described in ZIP 200. [#zip-0200]_ -The terms below are to be interpreted as follows: +The terms "Testnet" and "Mainnet" are to be interpreted as described in +section 3.11 of the Zcash Protocol Specification [#protocol-networks]_. -Canopy - Code-name for the fifth Zcash network upgrade, also known as Network Upgrade 4. -Testnet - The Zcash test network, as defined in [#protocol]_. -Mainnet - The Zcash production network, as defined in [#protocol]_. +"Canopy" is the code-name for the fifth Zcash network upgrade, also known as +Network Upgrade 4. Abstract @@ -113,7 +110,7 @@ will always disconnect peers using lower protocol versions. Unlike Overwinter and Sapling, and like Blossom and Heartwood, Canopy does not define a new transaction version. Canopy transactions are therefore in the same v4 format as Sapling transactions; use the same version group ID, i.e. 0x892F2085 -as defined in [#protocol]_ section 7.1; and use the same transaction digest +as defined in [#protocol-txnencoding]_; and use the same transaction digest algorithm as defined in [#zip-0243]_. This does not imply that transactions are valid across the Canopy activation, since signatures MUST use the appropriate consensus branch ID. [#zip-0243]_ @@ -131,7 +128,9 @@ References ========== .. [#RFC2119] `Key words for use in RFCs to Indicate Requirement Levels `_ -.. [#protocol] `Zcash Protocol Specification, Version 2020.1.1 or later `_ +.. [#protocol] `Zcash Protocol Specification, Version 2020.1.9 or later [Canopy] `_ +.. [#protocol-networks] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 3.11: Mainnet and Testnet `_ +.. [#protocol-txnencoding] `Zcash Protocol Specification, Version 2020.1.9 [Canopy]. Section 7.1: Encoding of Transactions `_ .. [#zip-0200] `ZIP 200: Network Upgrade Activation Mechanism `_ .. [#zip-0201] `ZIP 201: Network Peer Management for Overwinter `_ .. [#zip-0207] `ZIP 207: Funding Streams `_
      1113 ZIP 1014: Establishing a Dev Fund for ECC, ZF, and Major Grants