diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 44384057..e8360a27 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -355,15 +355,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\setchanged}{\color{\changedcolor}} \newcommand{\changed}[1]{\texorpdfstring{{\setchanged{#1}}}{#1}} \newcommand{\saplingcolor}{green} -\newcommand{\nuzerocolor}{blue} +\newcommand{\overwintercolor}{blue} \iftoggle{issapling}{ \newcommand{\sprout}[1]{} \newcommand{\notsprout}[1]{#1} \newcommand{\setsapling}{\color{\saplingcolor}} \newcommand{\sapling}[1]{\texorpdfstring{{\setsapling{#1}}}{#1}} - \newcommand{\setnuzero}{\color{\nuzerocolor}} - \newcommand{\nuzero}[1]{\texorpdfstring{{\setnuzero{#1}}}{#1}} + \newcommand{\setoverwinter}{\color{\overwintercolor}} + \newcommand{\overwinter}[1]{\texorpdfstring{{\setoverwinter{#1}}}{#1}} \newcommand{\optSprout}[1]{{#1}^\mathsf{Sprout}} %\pagecolor{yellow!3} } { @@ -371,8 +371,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\notsprout}[1]{} \newcommand{\setsapling}{} \newcommand{\sapling}[1]{} - \newcommand{\setnuzero}{} - \newcommand{\nuzero}[1]{} + \newcommand{\setoverwinter}{} + \newcommand{\overwinter}[1]{} \newcommand{\optSprout}[1]{#1} } @@ -392,7 +392,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\SproutOrNothing}{\notsprout{\Sprout}} \newcommand{\pSproutOrNothing}{\notsprout{ (\Sprout)}} \newcommand{\Sapling}{\termbf{Sapling}} -\newcommand{\NUZero}{\termbf{Overwinter}} +\newcommand{\Overwinter}{\termbf{Overwinter}} \newcommand{\Bitcoin}{\termbf{Bitcoin}} \newcommand{\CryptoNote}{\termbf{CryptoNote}} \newcommand{\Mimblewimble}{\termbf{Mimblewimble}} @@ -1647,15 +1647,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\sproutspecificitem}[1]{\item \sproutspecific{#1}} \newcommand{\presaplingitem}[1]{\item \presapling{#1}} \newcommand{\saplingonwarditem}[1]{\sapling{\item {[\Sapling onward]}\, {#1}}} -\newcommand{\prenuzeroitem}[1]{\item \prenuzero{#1}} -\newcommand{\nuzeroonlyitem}[1]{\nuzero{\item {[\NUZero only, pre-\Sapling\!]}\, {#1}}} -\newcommand{\nuzeroonwarditem}[1]{\nuzero{\item {[\NUZero onward]}\, {#1}}} +\newcommand{\preoverwinteritem}[1]{\item \preoverwinter{#1}} +\newcommand{\overwinteronlyitem}[1]{\overwinter{\item {[\Overwinter only, pre-\Sapling\!]}\, {#1}}} +\newcommand{\overwinteronwarditem}[1]{\overwinter{\item {[\Overwinter onward]}\, {#1}}} \newcommand{\sproutspecific}[1]{\notsprout{[\Sprout\!]\,} {#1}} \newcommand{\presapling}[1]{\notsprout{[Pre-\Sapling\!]\,} {#1}} \newcommand{\saplingonward}[1]{\sapling{[\Sapling onward]\, {#1}}} -\newcommand{\prenuzero}[1]{\notsprout{[Pre-\NUZero\!]\,} {#1}} -\newcommand{\nuzeroonly}[1]{\nuzero{[\NUZero only, pre-\Sapling\!]\, {#1}}} -\newcommand{\nuzeroonward}[1]{\nuzero{[\NUZero onward]\, {#1}}} +\newcommand{\preoverwinter}[1]{\notsprout{[Pre-\Overwinter\!]\,} {#1}} +\newcommand{\overwinteronly}[1]{\overwinter{[\Overwinter only, pre-\Sapling\!]\, {#1}}} +\newcommand{\overwinteronward}[1]{\overwinter{[\Overwinter onward]\, {#1}}} \newcommand{\securityrequirement}[1]{\needspace{3ex}\subparagraph{Security requirement:}{#1}} \newenvironment{securityrequirements}{\introlist\subparagraph{Security requirements:}\begin{itemize}}{\end{itemize}} @@ -1665,9 +1665,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newenvironment{nnotes}{\introlist\subparagraph{Non-normative notes:}\begin{itemize}}{\end{itemize}} \newcommand{\sproutspecificpnote}[1]{\notsprout{[\Sprout\!]\,\,} \textbf{Note:\,} {#1}} \newcommand{\presaplingpnote}[1]{\notsprout{[Pre-\Sapling\!]\,\,} \textbf{Note:\,} {#1}} -\newcommand{\prenuzeropnote}[1]{\notsprout{[Pre-\NUZero\!]\,\,} \textbf{Note:\,} {#1}} -\newcommand{\nuzeroonlypnote}[1]{\nuzero{[\NUZero only, pre-\Sapling\!]\,\,} \textbf{Note:\,} {#1}} -\newcommand{\nuzeroonwardpnote}[1]{\nuzero{[\NUZero onward]\,\,} \textbf{Note:\,} {#1}} +\newcommand{\preoverwinterpnote}[1]{\notsprout{[Pre-\Overwinter\!]\,\,} \textbf{Note:\,} {#1}} +\newcommand{\overwinteronlypnote}[1]{\overwinter{[\Overwinter only, pre-\Sapling\!]\,\,} \textbf{Note:\,} {#1}} +\newcommand{\overwinteronwardpnote}[1]{\overwinter{[\Overwinter onward]\,\,} \textbf{Note:\,} {#1}} \newcommand{\fact}[1]{\subparagraph{Fact:}{#1}} \newcommand{\facts}[1]{\subparagraph{Facts:}{#1}} \newcommand{\snarkcondition}[1]{\vspace{-3.5ex}\subparagraph{#1}} @@ -1708,7 +1708,7 @@ memory-hard proof-of-work algorithm. \sprout{\noindent This specification defines the \Zcash consensus protocol and explains its differences from \Zerocash and \Bitcoin.} \sapling{\noindent This specification defines the \Zcash consensus protocol -at launch; after the upgrade codenamed \NUZero; and after the +at launch; after the upgrade codenamed \Overwinter; and after the subsequent upgrade codenamed \Sapling. It is a work in progress. Protocol differences from \Zerocash and \Bitcoin are also explained.} @@ -1738,12 +1738,12 @@ non-interactive arguments of knowledge (\zkSNARKs). Changes from the original \Zerocash are explained in \crossref{differences}, and highlighted in \changed{\changedcolor} throughout the document. -\notsprout{Changes specific to the \NUZero upgrade (which are also changes from -\Zerocash) are highlighted in \nuzero{\nuzerocolor}. -Changes specific to the \Sapling upgrade following \NUZero (which are also +\notsprout{Changes specific to the \Overwinter upgrade (which are also changes from +\Zerocash) are highlighted in \overwinter{\overwintercolor}. +Changes specific to the \Sapling upgrade following \Overwinter (which are also changes from \Zerocash) are highlighted in \sapling{\saplingcolor}. The name \Sprout is used for the \Zcash protocol prior to \Sapling -(both before and after \NUZero). +(both before and after \Overwinter). } %notsprout Technical terms for concepts that play an important rôle in \Zcash are @@ -1768,7 +1768,7 @@ This specification is structured as follows: \item Concrete Protocol — how the functions and encodings of the abstract protocol are instantiated; \notsprout{ - \item Network Upgrades — the strategy for upgrading to \NUZero and then \Sapling; + \item Network Upgrades — the strategy for upgrading to \Overwinter and then \Sapling; } \item Consensus Changes from \Bitcoin — how \Zcash differs from \Bitcoin at the consensus layer, including the Proof of Work; @@ -4275,19 +4275,19 @@ of the \transaction.} \changed{In \Zcash, all \sighashTypes are extended to cover the \Zcash-specific fields $\nJoinSplit$, $\vJoinSplit$, and if present $\joinSplitPubKey$. These fields are described in \crossref{txnencoding}. The hash \emph{does not} cover the field $\joinSplitSig$.} -\nuzero{ -After \NUZero\sapling{ and \Sapling} activation, all \sighashTypes are also extended to cover +\overwinter{ +After \Overwinter\sapling{ and \Sapling} activation, all \sighashTypes are also extended to cover \transaction fields introduced in those upgrades. The original \sighash algorithm defined by \Bitcoin suffered from some deficiencies as described in \cite{ZIP-143}; in \Zcash these are to be addressed by changing this algorithm -as part of the \NUZero upgrade. -} %nuzero +as part of the \Overwinter upgrade. +} %overwinter -\prenuzero{The \sighash algorithm used prior to \NUZero activation, i.e.\ for +\preoverwinter{The \sighash algorithm used prior to \Overwinter activation, i.e.\ for version 1 and 2 \transactions, will be defined in \cite{ZIP-76} (to be written).} -\nuzeroonly{The \sighash algorithm used after \NUZero activation and before \Sapling +\overwinteronly{The \sighash algorithm used after \Overwinter activation and before \Sapling activation, i.e.\ for version 3 \transactions, is defined in \cite{ZIP-143}.} \saplingonward{The \sighash algorithm used after \Sapling activation, i.e.\ for @@ -5551,7 +5551,7 @@ $16$-byte personalization string $p$, and input $x$. \introlist $\BlakeTwobGeneric$ is used to instantiate $\hSigCRH$, $\EquihashGen{}$, and $\KDFSprout$. -\nuzero{From \NUZero onward, it is used to compute \sighashTxHashes +\overwinter{From \Overwinter onward, it is used to compute \sighashTxHashes as specified in \cite{ZIP-143}\sapling{, or as in \cite{ZIP-243} after \Sapling activation}.} \sapling{For \Sapling, it is also used to instantiate $\PRFexpand{}$, @@ -7936,16 +7936,16 @@ It is derived as described in \cite{Bowe2018}: \section{Network Upgrades} \label{networkupgrades} \Zcash launched with a protocol revision that we call \Sprout. -At the time of writing, two upgrades are planned: \NUZero, and +At the time of writing, two upgrades are planned: \Overwinter, and \Sapling. This section summarizes the planned strategy for upgrading -from \Sprout to \NUZero and then \Sapling. +from \Sprout to \Overwinter and then \Sapling. The upgrade mechanism is described in \cite{ZIP-200}. -The specifications of the \NUZero upgrade are described in \cite{ZIP-201}, +The specifications of the \Overwinter upgrade are described in \cite{ZIP-201}, \cite{ZIP-202}, \cite{ZIP-203}, and \cite{ZIP-143}. \vspace{1ex} -\NUZero and \Sapling will each be introduced as a +\Overwinter and \Sapling will each be introduced as a \quotedterm{bilateral consensus rule change}. In this kind of upgrade, \begin{itemize} @@ -7963,7 +7963,7 @@ Full support for each upgrade is indicated by a minimum version of the peer-to-peer protocol. At the planned upgrade \blockHeight, nodes that support a given upgrade will disconnect from (and will not reconnect to) nodes with a protocol version lower than this -minimum. See \cite{ZIP-201} for how this applies to the \NUZero +minimum. See \cite{ZIP-201} for how this applies to the \Overwinter upgrade. This ensures that upgrade-supporting nodes transition cleanly @@ -8084,10 +8084,10 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. \begin{consensusrules} \item The \transactionVersionNumber{} \MUST be greater than or equal to $1$. - \prenuzeroitem{The \fOverwintered{} flag \MUSTNOT be set\sprout{ in the protocol version described by this document}.} - \nuzeroonwarditem{The \fOverwintered{} flag \MUST be set.} - \nuzeroonwarditem{The \versionGroupID{} \MUST be recognized.} - \nuzeroonlyitem{The \transactionVersionNumber{} \MUST be $3$ and the \versionGroupID{} \MUST + \preoverwinteritem{The \fOverwintered{} flag \MUSTNOT be set\sprout{ in the protocol version described by this document}.} + \overwinteronwarditem{The \fOverwintered{} flag \MUST be set.} + \overwinteronwarditem{The \versionGroupID{} \MUST be recognized.} + \overwinteronlyitem{The \transactionVersionNumber{} \MUST be $3$ and the \versionGroupID{} \MUST be $\hexint{03C48270}$.} \saplingonwarditem{The \transactionVersionNumber{} \MUST be $4$ and the \versionGroupID{} \MUST be $\hexint{892F2085}$.} @@ -8119,8 +8119,8 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. (necessarily a \transparent output) from a \block less than 100 \blocks prior to the spend. Note that outputs of \coinbaseTransactions include \foundersReward outputs. - \nuzeroonwarditem{\nExpiryHeight{} \MUST be less than or equal to 499999999.} - \nuzeroonwarditem{If a \transaction is not a \coinbaseTransaction and its \nExpiryHeight{} field + \overwinteronwarditem{\nExpiryHeight{} \MUST be less than or equal to 499999999.} + \overwinteronwarditem{If a \transaction is not a \coinbaseTransaction and its \nExpiryHeight{} field is nonzero, then it \MUSTNOT be mined at a \blockHeight greater than its \nExpiryHeight.} \saplingonwarditem{\valueBalance{} \MUST be in the range $\range{-\MAXMONEY}{\MAXMONEY}$.} \item \todo{Other rules inherited from \Bitcoin.} @@ -8133,33 +8133,33 @@ each \spendDescription (\crossref{spendencoding}), and each \outputDescription ( \begin{pnotes} \item Previous versions of this specification defined what is now the \headerField{} field as a signed $\type{int32}$ field which was required to be positive. The consensus - rule that the \fOverwintered{} flag \MUSTNOT be set before \NUZero has activated, + rule that the \fOverwintered{} flag \MUSTNOT be set before \Overwinter has activated, has the same effect. - \sprout{(\NUZero is an upgrade of the \Zcash protocol, not specified in + \sprout{(\Overwinter is an upgrade of the \Zcash protocol, not specified in this document.)} \item The semantics of \transactions with \transactionVersionNumber not equal to\sprout{ either $1$ or $2$ is not currently defined. Miners \MUSTNOT create \blocks containing such \transactions. }\notsprout{ - $1$, $2$, \nuzero{$3$,}\sapling{ or $4$} is not currently defined. - Miners \MUSTNOT create \blocks before the \NUZero \activationHeight + $1$, $2$, \overwinter{$3$,}\sapling{ or $4$} is not currently defined. + Miners \MUSTNOT create \blocks before the \Overwinter \activationHeight containing \transactions with version other than $1$ or $2$. } \item The exclusion of \transactions with \transactionVersionNumber - \emph{greater than} $2$ is not a consensus rule\notsprout{ before \NUZero activation}. + \emph{greater than} $2$ is not a consensus rule\notsprout{ before \Overwinter activation}. Such \transactions may exist in the \blockchain and \MUST be treated identically to version $2$ \transactions. - \nuzeroonwarditem{Once \NUZero has activated, limits on the maximum + \overwinteronwarditem{Once \Overwinter has activated, limits on the maximum \transactionVersionNumber are consensus rules.} - \item Note that a future upgrade might use \emph{any} \transactionVersionNumber\nuzero{ or + \item Note that a future upgrade might use \emph{any} \transactionVersionNumber\overwinter{ or \versionGroupID}. - It is likely that an upgrade that changes the \transactionVersionNumber\nuzero{ or + It is likely that an upgrade that changes the \transactionVersionNumber\overwinter{ or \versionGroupID} will also change the \transaction format, and software that parses \transactions{} \SHOULD take this into account. -%\nuzero{ +%\overwinter{ % \item \todo{Describe interpretation of \fOverwintered{} and \versionField{}.} %} - \nuzeroonwarditem{The purpose of \versionGroupID{} is to allow unambiguous parsing of + \overwinteronwarditem{The purpose of \versionGroupID{} is to allow unambiguous parsing of \quotedterm{loose} \transactions, independent of the context of a \blockchain. Code that parses \transactions is likely to be reused between \blockchain \branches as defined in \cite{ZIP-200}, and in that case the \fOverwintered{} and \versionField{} @@ -8461,8 +8461,8 @@ rejected by this rule at a given point in time may later be accepted. the median of the timestamps of the past $\PoWMedianBlockSpan$ \blocks. The Bitcoin Developer Reference \cite{Bitcoin-Block} was previously in error on this point, but has now been corrected. -\nuzero{ - \item There are no changes to the \blockVersionNumber or format for \NUZero. +\overwinter{ + \item There are no changes to the \blockVersionNumber or format for \Overwinter. } \sapling{ \item Although the \blockVersionNumber does not change for \Sapling, @@ -9599,7 +9599,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Add a consensus rule that $\valueBalance$ is in the range $\range{-\MAXMONEY}{\MAXMONEY}$. \item Enforce stronger constraints on the types of key components $\DiversifiedTransmitPublic$, $\AuthSignPublic$, and $\AuthProvePublic$. - \item Correct the conformance rule for \fOverwintered{} (it must not be set before \NUZero has + \item Correct the conformance rule for \fOverwintered{} (it must not be set before \Overwinter has activated, not before \Sapling has activated). \item Correct the argument that $\vSum$ is in range in \crossref{saplingbalance}. \item Correct an error in the algorithm for $\RedDSAVerify{}$: the public key $\vk$ is given directly @@ -9636,7 +9636,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Add the Jubjub bird image to the title page. This image has been edited from a scan of Peter Newell's original illustration (as it appeared in \cite{Carroll1902}) to remove the background and Bandersnatch, and to restore the bird's clipped right wing. - \item Change the light yellow background to white (indicating that this \NUZero and \Sapling + \item Change the light yellow background to white (indicating that this \Overwinter and \Sapling specification is no longer a draft). } %sapling \end{itemize} @@ -9756,9 +9756,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Clarify the bit ordering of SHA-256. \item Drop $\type{\_t}$ from the names of representation types. \item Remove functions from the \Sprout specification that it does not use. -\nuzero{ +\overwinter{ \item Updates to transaction format and consensus rules for Overwinter and Sapling. -} %nuzero +} %overwinter \sapling{ \item Add specification of the \outputStatement. \item Change $\MerkleDepthSapling$ from $29$ to $32$. @@ -9815,9 +9815,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \begin{itemize} \item No changes to \Sprout. -\nuzero{ - \item Add references to \NUZero ZIPs and update the section on - \NUZero/\Sapling transitions. +\overwinter{ + \item Add references to \Overwinter ZIPs and update the section on + \Overwinter/\Sapling transitions. } \sapling{ \item Add a section on re-randomizable signatures. @@ -9852,7 +9852,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. encoding the root of the \Sapling \noteCommitmentTree in \blockHeaders)}. \item Move bit/byte/integer conversion primitives into \crossref{endian}. \sapling{ - \item Refer to \NUZero and \Sapling just as ``upgrades'' in the abstract, not as + \item Refer to \Overwinter and \Sapling just as ``upgrades'' in the abstract, not as the next ``minor version'' and ``major version''. \item $\PRF{}{\mathsf{nr}}$ must be \collisionResistant\!. \item Correct an error in the \xPedersenHash specification. @@ -9873,8 +9873,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Specify the coinbase maturity rule, and the rule that \coinbaseTransactions cannot contain \joinSplitDescriptions\sapling{, \spendDescriptions, or \outputDescriptions}. -\nuzero{ - \item Delay lifting the 100000-byte \transaction size limit from \NUZero to +\overwinter{ + \item Delay lifting the 100000-byte \transaction size limit from \Overwinter to \Sapling. } \sapling{ @@ -9974,8 +9974,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Refer to $\TransmitPrivate$ as a \receivingKey rather than as a viewing key. \item Updates for \incomingViewingKey support. -\nuzero{ - \item Refer to Network Upgrade 0 as \NUZero. +\overwinter{ + \item Refer to Network Upgrade 0 as \Overwinter. } \end{itemize}