zips/zip-0239.rst

::

  ZIP: 239
  Title: Relay of Version 5 Transactions
  Owners: Daira Hopwood <daira@electriccoin.co>
          Jack Grigg <jack@electriccoin.co>
  Status: Proposed
  Category: Network
  Created: 2021-05-29
  License: MIT
  Discussions-To: <https://github.com/zcash/zips/issues/515>
  Pull-Request: <https://github.com/zcash/zips/pull/516>


Terminology
===========

The key words "MUST", "MUST NOT", and "SHOULD" in this document are to be interpreted
as described in RFC 2119. [#RFC2119]_

The term "network upgrade" in this document is to be interpreted as described in
ZIP 200. [#zip-0200]_

The terms "Testnet" and "Mainnet" are to be interpreted as described in
section 3.11 of the Zcash Protocol Specification [#protocol-networks]_.

The term "txid" means a transaction identifier, computed as a SHA-256d hash of
the transaction data for v4 and earlier transactions, or as specified in [#zip-0244]_
for v5 and later transactions.


Abstract
========

This ZIP describes changes to the Zcash peer-to-peer protocol to support transaction
relay based on a transaction's authorizing digest as well as its txid.


Motivation
==========

Historically, as in Bitcoin, the ``inv`` and ``getdata`` messages sent on the Zcash
peer-to-peer network to announce or request transactions have referred to those
transactions by txid.

Prior to the introduction of v5 transactions [#zip-0225]_ in the NU5 network upgrade
[#zip-0252]_, a txid was always defined as the SHA-256d hash of the transaction data,
the encoding of which is the same in block data and in the peer-to-peer protocol.

For v5 transactions, a new transaction digest algorithm is defined that constructs
the txid from a tree of hashes, which include only effecting data [#zip-0244]_.
Witness data is committed to by a separate "authorizing digest".

Not committing to the witness data in v5 transaction announcements would create
inefficiencies: because a v5 transaction's witness can be malleated without altering
the txid, a node in receipt of a v5 transaction that the node does not accept would
generally still have to download that same transaction when announced by other peers.
This is because the alternative — of not downloading a v5 transaction with a given
txid after rejecting a previous transaction with that txid — would allow a third
party to interfere with transaction relay by malleating a transaction's witness and
announcing the resulting invalid transaction to nodes, preventing relay of the valid
version of the transaction as well.

This inefficiency was present in Bitcoin for almost 3 years after activation of its
Segwit upgrade [#bip-0141]_, until the adoption of BIP 339 [#bip-0339]_. The latter
BIP specifies a way to use the Segwit "wtxid" (which commits to both effecting and
witness data) in place of the txid when announcing and fetching transactions. In Zcash,
the analogous identifier is the pair (txid, auth_digest).

This ZIP is modelled after BIP 339: it adds a ``MSG_TXV5`` inv type to the
peer-to-peer protocol, analogous to BIP 339's ``MSG_WTX`` inv type, that announces
transactions by their (txid, auth_digest) pair. It does not introduce any equivalent
of BIP 339's ``wtxidrelay`` message, since that is not needed for compatibility given
that Zcash full nodes are required to support ``MSG_TXV5`` based on the negotiated
peer protocol version (see `Deployment`_).


Specification
=============

A new inv type ``MSG_TXV5`` (0x00000005) is added, for use in both ``inv`` messages
and ``getdata`` requests, indicating that the hash being referenced is the 64-byte
value ``txid`` || ``auth_digest``. This inv type MUST be used when announcing v5
transactions, and only for such transactions. The ``txid`` and ``auth_digest`` are
as defined in [#zip-0244]_.

In the case of ``getdata`` requests, the format of a v5 transaction obtained by a
``MSG_TXV5`` inv type is as given in the Zcash protocol specification.
[#protocol-txnencodingandconsensus]_

An ``inv`` or ``getdata`` message MUST NOT use the ``MSG_TXV5`` inv type for v4
transactions, or on peer connections that have not negotiated at least the peer
protocol version specified in `Deployment`_.

Note that the name ``MSG_TXV5`` does not imply that this inv type cannot be used
for future transaction versions after v5. New inv types might be added for future
transaction versions, but only as needed.

``MSG_TX`` and ``MSG_TXV5`` entries may be mixed in arbitrary order in an ``inv``
message or a ``getdata`` message. Since these entry types are of different lengths
(36 bytes or 68 bytes respectively including the 4-byte type field), this implies
that the size of the message is not determined by its initial ``count`` field, and
has to be determined by parsing the whole message.

**Open issue:**

* Should we redefine ``inv`` and ``getdata`` to segregate ``MSG_TX``
  and ``MSG_TXV5``, making these messages simpler / more efficient to parse?
  This could be done by adding new ``inv5`` and ``getdata5`` messages.
  See [#p2p-inv]_ and [#p2p-getdata]_ for how ``inv`` and ``getdata``
  respectively are currently defined in Bitcoin.


Deployment
----------

This ZIP is assumed to be deployed in advance of the network upgrade that introduces
v5 transactions, i.e. NU5. In [#zip-0252]_, the minimum protocol version that signals
support for NU5 on Testnet is defined to be 170014. Therefore, the peer protocol
version that enables support for this specification is also defined to be 170014
(on both Testnet and Mainnet).

As specified in [#zip-0200]_, a node that supports a network upgrade will clear its
mempool when reaching the block before that upgrade's activation block. Before this
point, the node will not accept transactions into its mempool that are invalid
according to the pre-upgrade consensus protocol (so, in this case, it would not
accept v5 transactions). This means that a correctly functioning node will not
use the ``MSG_TXV5`` inv type until it has received the block preceding the NU5
network upgrade.

Nevertheless, it is possible for a node to receive an ``inv`` or ``getdata`` message
with a ``MSG_TXV5`` inv type, on a peer connection that has negotiated protocol
version 170014 or later, before NU5 has activated. The node MUST handle this case
in the same way that it would after NU5 activation when it has no v5 transactions
to relay. Receiving a ``MSG_TXV5`` inv type on a peer connection that has negotiated
a protocol version before 170014, on the other hand, SHOULD be treated as a protocol
error.

As the ``MSG_TXV5`` inv type is only enabled between peers that both support it,
older clients remain fully compatible and interoperable before NU5 activates, or on
a chain in which it does not activate.


Acknowledgements
================

This ZIP is partly based on BIP 339, written by Suhas Daftuar. [#bip-0339]_


References
==========

.. [#RFC2119] `RFC 2119: Key words for use in RFCs to Indicate Requirement Levels <https://www.rfc-editor.org/rfc/rfc2119.html>`_
.. [#zip-0200] `ZIP 200: Network Upgrade Activation Mechanism <zip-0200.rst>`_
.. [#zip-0225] `ZIP 225: Version 5 Transaction Format <zip-0225.rst>`_
.. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability <zip-0244.rst>`_
.. [#zip-0252] `ZIP 252: Deployment of the NU5 Network Upgrade <zip-0252.rst>`_
.. [#protocol-networks] `Zcash Protocol Specification, Version 2020.2.2 [NU5 proposal]. Section 3.12 Mainnet and Testnet <protocol/nu5.pdf#networks>`_
.. [#protocol-txnencodingandconsensus] `Zcash Protocol Specification, Version 2020.2.2 [NU5 proposal]. Section 7.1: Transaction Encoding and Consensus <protocol/nu5.pdf#txnencodingandconsensus>`_
.. [#bip-0141] `BIP 141: Segregated Witness (Consensus layer) <https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki>`_
.. [#bip-0339] `BIP 339: WTXID-based transaction relay <https://github.com/bitcoin/bips/blob/master/bip-0339.mediawiki>`_
.. [#p2p-inv] `Bitcoin Developer Reference: P2P Network — Inv <https://developer.bitcoin.org/reference/p2p_networking.html#inv>`_
.. [#p2p-getdata] `Bitcoin Developer Reference: P2P Network — GetData <https://developer.bitcoin.org/reference/p2p_networking.html#getdata>`_