mirror of https://github.com/zcash/zips.git
ZIP 215: "validation criteria" -> "validity criteria".
(Validity is the condition of being valid, validation is what you do to check validity.) Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
a93aa6d142
commit
fb8b435b4c
|
@ -18,11 +18,11 @@ License: BSD-2-Clause</pre>
|
||||||
<p>The key words "MUST" and "MUST NOT" in this document is to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
|
<p>The key words "MUST" and "MUST NOT" in this document is to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
|
||||||
</section>
|
</section>
|
||||||
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||||
<p>Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 <a id="id2" class="footnote_reference" href="#rfc8032">2</a> need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature validation from an obsolete version of <cite>libsodium</cite>. Instead, this ZIP settles the situation by explicitly defining the Ed25519 validation criteria and changing them to be compatible with batch validation.</p>
|
<p>Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 <a id="id2" class="footnote_reference" href="#rfc8032">2</a> need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature validity from an obsolete version of <cite>libsodium</cite>. Instead, this ZIP settles the situation by explicitly defining the Ed25519 validity criteria and changing them to be compatible with batch validation.</p>
|
||||||
</section>
|
</section>
|
||||||
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a href="#motivation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a href="#motivation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||||
<p>The lack of clear validation criteria for Ed25519 signatures poses a maintenance burden. The initial implementation of Zcash consensus in <cite>zcashd</cite> inherited validation criteria from a then-current version of <cite>libsodium</cite> (1.0.15). Due to <a href="https://github.com/zcash/zcash/issues/2872#issuecomment-576911471">a bug in libsodium</a>, this was different from the intended criteria documented in the Zcash protocol specification <a id="id3" class="footnote_reference" href="#protocol">3</a> (before the specification was changed to match <cite>libsodium</cite> 1.0.15 in specification version 2020.1.2). Also, <cite>libsodium</cite> never guaranteed stable validation criteria, and changed behavior in a later point release. This forced <cite>zcashd</cite> to use an older version of the library before eventually patching a newer version to have consistent validation criteria. To be compatible, Zebra had to implement a special library, <cite>ed25519-zebra</cite> to provide Zcash-flavored Ed25519, attempting to match <cite>libsodium</cite> 1.0.15 exactly. And the initial attempt to implement <cite>ed25519-zebra</cite> was also incompatible, because it precisely matched the wrong compile-time configuration of <cite>libsodium</cite>.</p>
|
<p>The lack of clear validity criteria for Ed25519 signatures poses a maintenance burden. The initial implementation of Zcash consensus in <cite>zcashd</cite> inherited validity criteria from a then-current version of <cite>libsodium</cite> (1.0.15). Due to <a href="https://github.com/zcash/zcash/issues/2872#issuecomment-576911471">a bug in libsodium</a>, this was different from the intended criteria documented in the Zcash protocol specification <a id="id3" class="footnote_reference" href="#protocol">3</a> (before the specification was changed to match <cite>libsodium</cite> 1.0.15 in specification version 2020.1.2). Also, <cite>libsodium</cite> never guaranteed stable validity criteria, and changed behavior in a later point release. This forced <cite>zcashd</cite> to use an older version of the library before eventually patching a newer version to have consistent validity criteria. To be compatible, Zebra had to implement a special library, <cite>ed25519-zebra</cite> to provide Zcash-flavored Ed25519, attempting to match <cite>libsodium</cite> 1.0.15 exactly. And the initial attempt to implement <cite>ed25519-zebra</cite> was also incompatible, because it precisely matched the wrong compile-time configuration of <cite>libsodium</cite>.</p>
|
||||||
<p>In addition, the validation criteria used by Zcash preclude the use of batch validation of Ed25519 signatures. While signature validation is not the primary bottleneck for Zcash, it would be nice to be able to batch-validate signatures, as is the case for RedJubjub.</p>
|
<p>In addition, the validity criteria used by Zcash preclude the use of batch validation of Ed25519 signatures. While signature validation is not the primary bottleneck for Zcash, it would be nice to be able to batch-validate signatures, as is the case for RedJubjub.</p>
|
||||||
</section>
|
</section>
|
||||||
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a href="#specification"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a href="#specification"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||||
<p>After activation of this ZIP, the
|
<p>After activation of this ZIP, the
|
||||||
|
|
14
zip-0215.rst
14
zip-0215.rst
|
@ -22,30 +22,30 @@ Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519
|
||||||
does not clearly define criteria for signature validity, and implementations conformant
|
does not clearly define criteria for signature validity, and implementations conformant
|
||||||
to RFC 8032 [#RFC8032]_ need not agree on whether signatures are valid. This is
|
to RFC 8032 [#RFC8032]_ need not agree on whether signatures are valid. This is
|
||||||
unacceptable for a consensus-critical application like Zcash. Currently, Zcash
|
unacceptable for a consensus-critical application like Zcash. Currently, Zcash
|
||||||
inherits criteria for signature validation from an obsolete version of
|
inherits criteria for signature validity from an obsolete version of
|
||||||
`libsodium`. Instead, this ZIP settles the situation by explicitly defining the
|
`libsodium`. Instead, this ZIP settles the situation by explicitly defining the
|
||||||
Ed25519 validation criteria and changing them to be compatible with batch
|
Ed25519 validity criteria and changing them to be compatible with batch
|
||||||
validation.
|
validation.
|
||||||
|
|
||||||
Motivation
|
Motivation
|
||||||
==========
|
==========
|
||||||
|
|
||||||
The lack of clear validation criteria for Ed25519 signatures poses a
|
The lack of clear validity criteria for Ed25519 signatures poses a
|
||||||
maintenance burden. The initial implementation of Zcash consensus in `zcashd`
|
maintenance burden. The initial implementation of Zcash consensus in `zcashd`
|
||||||
inherited validation criteria from a then-current version of `libsodium` (1.0.15).
|
inherited validity criteria from a then-current version of `libsodium` (1.0.15).
|
||||||
Due to `a bug in libsodium <https://github.com/zcash/zcash/issues/2872#issuecomment-576911471>`_,
|
Due to `a bug in libsodium <https://github.com/zcash/zcash/issues/2872#issuecomment-576911471>`_,
|
||||||
this was different from the intended criteria documented in the Zcash protocol
|
this was different from the intended criteria documented in the Zcash protocol
|
||||||
specification [#protocol]_ (before the specification was changed to match
|
specification [#protocol]_ (before the specification was changed to match
|
||||||
`libsodium` 1.0.15 in specification version 2020.1.2). Also, `libsodium` never
|
`libsodium` 1.0.15 in specification version 2020.1.2). Also, `libsodium` never
|
||||||
guaranteed stable validation criteria, and changed behavior in a later point
|
guaranteed stable validity criteria, and changed behavior in a later point
|
||||||
release. This forced `zcashd` to use an older version of the library before
|
release. This forced `zcashd` to use an older version of the library before
|
||||||
eventually patching a newer version to have consistent validation criteria.
|
eventually patching a newer version to have consistent validity criteria.
|
||||||
To be compatible, Zebra had to implement a special library, `ed25519-zebra` to
|
To be compatible, Zebra had to implement a special library, `ed25519-zebra` to
|
||||||
provide Zcash-flavored Ed25519, attempting to match `libsodium` 1.0.15 exactly. And
|
provide Zcash-flavored Ed25519, attempting to match `libsodium` 1.0.15 exactly. And
|
||||||
the initial attempt to implement `ed25519-zebra` was also incompatible, because
|
the initial attempt to implement `ed25519-zebra` was also incompatible, because
|
||||||
it precisely matched the wrong compile-time configuration of `libsodium`.
|
it precisely matched the wrong compile-time configuration of `libsodium`.
|
||||||
|
|
||||||
In addition, the validation criteria used by Zcash preclude the use of batch
|
In addition, the validity criteria used by Zcash preclude the use of batch
|
||||||
validation of Ed25519 signatures. While signature validation is not the
|
validation of Ed25519 signatures. While signature validation is not the
|
||||||
primary bottleneck for Zcash, it would be nice to be able to batch-validate
|
primary bottleneck for Zcash, it would be nice to be able to batch-validate
|
||||||
signatures, as is the case for RedJubjub.
|
signatures, as is the case for RedJubjub.
|
||||||
|
|
Loading…
Reference in New Issue