zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ZIP 215: "validation criteria" -> "validity criteria". 

(Validity is the condition of being valid, validation is what you do to check validity.)

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2020-06-09 13:14:23 +01:00
parent a93aa6d142
commit fb8b435b4c
2 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
zip-0215.html
View File

@ -18,11 +18,11 @@ License: BSD-2-Clause</pre>
<p>The key words "MUST" and "MUST NOT" in this document is to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
</section>
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 <a id="id2" class="footnote_reference" href="#rfc8032">2</a> need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature validation from an obsolete version of <cite>libsodium</cite>. Instead, this ZIP settles the situation by explicitly defining the Ed25519 validation criteria and changing them to be compatible with batch validation.</p>
<p>Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 <a id="id2" class="footnote_reference" href="#rfc8032">2</a> need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature validity from an obsolete version of <cite>libsodium</cite>. Instead, this ZIP settles the situation by explicitly defining the Ed25519 validity criteria and changing them to be compatible with batch validation.</p>
</section>
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a href="#motivation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The lack of clear validation criteria for Ed25519 signatures poses a maintenance burden. The initial implementation of Zcash consensus in <cite>zcashd</cite> inherited validation criteria from a then-current version of <cite>libsodium</cite> (1.0.15). Due to <a href="https://github.com/zcash/zcash/issues/2872#issuecomment-576911471">a bug in libsodium</a>, this was different from the intended criteria documented in the Zcash protocol specification <a id="id3" class="footnote_reference" href="#protocol">3</a> (before the specification was changed to match <cite>libsodium</cite> 1.0.15 in specification version 2020.1.2). Also, <cite>libsodium</cite> never guaranteed stable validation criteria, and changed behavior in a later point release. This forced <cite>zcashd</cite> to use an older version of the library before eventually patching a newer version to have consistent validation criteria. To be compatible, Zebra had to implement a special library, <cite>ed25519-zebra</cite> to provide Zcash-flavored Ed25519, attempting to match <cite>libsodium</cite> 1.0.15 exactly. And the initial attempt to implement <cite>ed25519-zebra</cite> was also incompatible, because it precisely matched the wrong compile-time configuration of <cite>libsodium</cite>.</p>
<p>In addition, the validation criteria used by Zcash preclude the use of batch validation of Ed25519 signatures. While signature validation is not the primary bottleneck for Zcash, it would be nice to be able to batch-validate signatures, as is the case for RedJubjub.</p>
<p>The lack of clear validity criteria for Ed25519 signatures poses a maintenance burden. The initial implementation of Zcash consensus in <cite>zcashd</cite> inherited validity criteria from a then-current version of <cite>libsodium</cite> (1.0.15). Due to <a href="https://github.com/zcash/zcash/issues/2872#issuecomment-576911471">a bug in libsodium</a>, this was different from the intended criteria documented in the Zcash protocol specification <a id="id3" class="footnote_reference" href="#protocol">3</a> (before the specification was changed to match <cite>libsodium</cite> 1.0.15 in specification version 2020.1.2). Also, <cite>libsodium</cite> never guaranteed stable validity criteria, and changed behavior in a later point release. This forced <cite>zcashd</cite> to use an older version of the library before eventually patching a newer version to have consistent validity criteria. To be compatible, Zebra had to implement a special library, <cite>ed25519-zebra</cite> to provide Zcash-flavored Ed25519, attempting to match <cite>libsodium</cite> 1.0.15 exactly. And the initial attempt to implement <cite>ed25519-zebra</cite> was also incompatible, because it precisely matched the wrong compile-time configuration of <cite>libsodium</cite>.</p>
<p>In addition, the validity criteria used by Zcash preclude the use of batch validation of Ed25519 signatures. While signature validation is not the primary bottleneck for Zcash, it would be nice to be able to batch-validate signatures, as is the case for RedJubjub.</p>
</section>
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a href="#specification"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>After activation of this ZIP, the

14
zip-0215.rst
View File

@ -22,30 +22,30 @@ Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519
does not clearly define criteria for signature validity, and implementations conformant
to RFC 8032 [#RFC8032]_ need not agree on whether signatures are valid. This is
unacceptable for a consensus-critical application like Zcash. Currently, Zcash
inherits criteria for signature validation from an obsolete version of
inherits criteria for signature validity from an obsolete version of
`libsodium`. Instead, this ZIP settles the situation by explicitly defining the
Ed25519 validation criteria and changing them to be compatible with batch
Ed25519 validity criteria and changing them to be compatible with batch
validation.
Motivation
==========
The lack of clear validation criteria for Ed25519 signatures poses a
The lack of clear validity criteria for Ed25519 signatures poses a
maintenance burden. The initial implementation of Zcash consensus in `zcashd`
inherited validation criteria from a then-current version of `libsodium` (1.0.15).
inherited validity criteria from a then-current version of `libsodium` (1.0.15).
Due to `a bug in libsodium <https://github.com/zcash/zcash/issues/2872#issuecomment-576911471>`_,
this was different from the intended criteria documented in the Zcash protocol
specification [#protocol]_ (before the specification was changed to match
`libsodium` 1.0.15 in specification version 2020.1.2). Also, `libsodium` never
guaranteed stable validation criteria, and changed behavior in a later point
guaranteed stable validity criteria, and changed behavior in a later point
release. This forced `zcashd` to use an older version of the library before
eventually patching a newer version to have consistent validation criteria.
eventually patching a newer version to have consistent validity criteria.
To be compatible, Zebra had to implement a special library, `ed25519-zebra` to
provide Zcash-flavored Ed25519, attempting to match `libsodium` 1.0.15 exactly. And
the initial attempt to implement `ed25519-zebra` was also incompatible, because
it precisely matched the wrong compile-time configuration of `libsodium`.
In addition, the validation criteria used by Zcash preclude the use of batch
In addition, the validity criteria used by Zcash preclude the use of batch
validation of Ed25519 signatures. While signature validation is not the
primary bottleneck for Zcash, it would be nice to be able to batch-validate
signatures, as is the case for RedJubjub.