diff --git a/rendered/zip-0227.html b/rendered/zip-0227.html index 3039bb82a..ec14a6e17 100644 --- a/rendered/zip-0227.html +++ b/rendered/zip-0227.html @@ -75,7 +75,7 @@

Specification: Issuance Keys and Issuance Authorization Signature Scheme

-

The OrchardZSA Protocol adds the following keys to the key components 24 25:

+

The OrchardZSA Protocol adds the following keys to the key components 25 27:

  1. The issuance authorizing key, denoted as \(\mathsf{isk}\!\) @@ -92,7 +92,7 @@

    Issuance Authorization Signature Scheme

    We instantiate the issuance authorization signature scheme \(\mathsf{IssueAuthSig}\) - as a BIP-340 Schnorr signature over the secp256k1 curve. The signing and validation algorithms, signature encoding, and public key encoding MUST follow BIP 340 22.

    + as a BIP-340 Schnorr signature over the secp256k1 curve. The signing and validation algorithms, signature encoding, and public key encoding MUST follow BIP 340 23.

    Batch verification MAY be used. Precomputation MAY be used if and only if it produces equivalent results; for example, for a given verification key \(pk\) and @@ -122,7 +122,7 @@ \(k\) bytes, and \(\mathbb{B}^{\mathbb{Y}^{[\mathbb{N}]}}\) - denotes the type of byte sequences of arbitrary length, as defined in the Zcash protocol specification 23.

    + denotes the type of byte sequences of arbitrary length, as defined in the Zcash protocol specification 24.

    The issuance authorizing key generation algorithm and the issuance validating key derivation algorithm are defined in the Issuance Key Derivation section, while the corresponding signing and validation algorithms are defined in the Issuance Authorization Signing and Validation section.

    Issuance Key Derivation

    @@ -168,7 +168,7 @@ \(227'\) (or \(\mathtt{0x800000e3}\!\) - ) following the BIP 43 recommendation. 21
    2. + ) following the BIP 43 recommendation. 22
  2. \(\mathit{coin\_type}\!\) : Defined as in ZIP 32 5.
    3. @@ -202,7 +202,7 @@

    where the \(\textit{PubKey}\) - algorithm is defined in BIP 340 22. Note that the byte representation of + algorithm is defined in BIP 340 23. Note that the byte representation of \(\mathsf{ik}\) is in big-endian order as defined in BIP 340.

    It is possible for the @@ -240,7 +240,7 @@ \(\mathsf{Sign}\) algorithm is defined in BIP 340 and \(a\) - denotes the auxiliary data used in BIP 340 22. Note that + denotes the auxiliary data used in BIP 340 23. Note that \(\mathsf{IssueAuthSig.Sign}\) could return \(\bot\) @@ -264,7 +264,7 @@

    where the \(\mathsf{Verify}\) - algorithm is defined in BIP 340 22.

    + algorithm is defined in BIP 340 23.

Specification: Asset Identifier

@@ -309,7 +309,7 @@ \(\mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}}) := \mathsf{GroupHash}^\mathbb{P}(\texttt{"z.cash:OrchardZSA"}, \mathsf{AssetDigest_{AssetId}})\) where \(\mathsf{GroupHash}^\mathbb{P}\) - is defined as in 27.

+ is defined as in 29.

The relations between the Asset Identifier, Asset Digest, and Asset Base are shown in the following diagram:

@@ -328,11 +328,42 @@
  • The Asset Digest could be used as a more compact bytestring to uniquely determine an Asset, and wallets could support clients scanning QR codes to load Asset information into their wallets.
    • -

    Specification: Issuance Action, Issuance Bundle and Issuance Protocol

    -

    Issue Note Description

    -

    TODO: Fill this section.

    +

    Specification: Issue Note, Issuance Action, Issuance Bundle and Issuance Protocol

    +

    Issue Note

    +

    The maximum total supply of any issued Custom Asset is denoted by the constant + \(\mathsf{MAX\_ISSUE} := 2^{64} - 1\!\) + .

    +

    An Issue Note represents that a value + \(\mathsf{v} : \{0 .. \mathsf{MAX\_ISSUE}\}\) + of a specific Custom Asset is issued to a recipient. An Issue Note is a tuple + \((\mathsf{d}, \mathsf{pk_d}, \mathsf{v}, \mathsf{AssetBase}, \text{ρ}, \mathsf{rseed})\!\) + , where:

    +
      +
    • + \(\mathsf{d}: \mathbb{B}^{[\ell_{\mathsf{d}}]}\) + is the diversifier of the recipient's shielded payment address, as in §3.2 of the protocol specification 26.
      • +
    • + \(\mathsf{pk_d}: \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public}\) + is the recipient's diversified transmission key, as in §3.2 of the protocol specification 26.
      • +
    • + \(\mathsf{v} : \{0 .. \mathsf{MAX\_ISSUE}\}\) + is the value of the note in terms of the number of Asset tokens.
      • +
    • + \(\mathsf{AssetBase}: \mathbb{P}^*\) + is the Asset Base corresponding to the ZSA being issued in the Issue Note.
      • +
    • + \(\text{ρ}: \mathbb{F}_{q_{\mathbb{P}}}\) + is used to derive the nullifier of the note, and is computed as in Computation of ρ.
      • +
    • + \(\mathsf{rseed}: \mathbb{B}^{[\mathbb{Y}^{32}]}\) + MUST be sampled uniformly at random by the issuer.
      • +
    +

    The complete encoding of these fields into an IssueNote is defined in ZIP 230 16.

    +

    Computation of ρ

    +

    TO BE FILLED

    +
    -

    Issuance Action Description

    +

    Issuance Action

    An issuance action, IssueAction, is the instance of issuing a specific Custom Asset, and contains the following fields:

    • assetDescSize: the size of the Asset description, a number between @@ -349,7 +380,7 @@

      The \(\mathsf{finalize}\) boolean is set by the Issuer to signal that there will be no further issuance of the specific Custom Asset. As we will see in Specification: Consensus Rule Changes, transactions that attempt to issue further amounts of a Custom Asset that has previously been finalized will be rejected.

      -

      The complete encoding of these fields into an IssueAction is defined in ZIP 230 15.

      +

      The complete encoding of these fields into an IssueAction is defined in ZIP 230 15.

      We note that the output note commitment of the recipient's notes are not included in the actual transaction, but when added to the global state of the chain, they will be added to the note commitment tree as a shielded note. This prevents future usage of the note from being linked to the issuance transaction, as the nullifier key is not known to the validators and chain observers.

    Issuance Bundle

    @@ -367,7 +398,7 @@ \(\mathsf{isk}\!\) , that validates the issuance. -

    The issuance bundle is added within the transaction format as a new bundle. The detailed encoding of the issuance bundle as a part of the V6 transaction format is defined in ZIP 230 16.

    +

    The issuance bundle is added within the transaction format as a new bundle. The detailed encoding of the issuance bundle as a part of the V6 transaction format is defined in ZIP 230 17.

    Issuance Protocol

    The issuer program performs the following operations:

    @@ -495,7 +526,7 @@ .
  • The \(\mathsf{assetBurn}\) - set MUST satisfy the consensus rules specified in ZIP 226 12.
    • + set MUST satisfy the consensus rules specified in ZIP 226 12.
  • It MUST be the case that for all \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}\!\) , @@ -509,7 +540,7 @@ .
  • Let \(\mathsf{SigHash}\) - be the SIGHASH transaction hash of this transaction, as defined in §4.10 of the protocol specification 26 with the modifications described in ZIP 226 13, using + be the SIGHASH transaction hash of this transaction, as defined in §4.10 of the protocol specification 28 with the modifications described in ZIP 226 13, using \(\mathsf{SIGHASH\_ALL}\!\) .
  • The issuance authorization signature, @@ -533,7 +564,7 @@ is a string of length \(\mathtt{assetDescSize}\) bytes.
    • -
  • Elements of every issue note description in IssueAction MUST be valid encodings of the types given in Issue Note Description, and MUST encode the same +
  • Elements of every issue note description in IssueAction MUST be valid encodings of the types given in Issue Note, and MUST encode the same \(\mathsf{AssetBase}\!\) .
  • This @@ -557,7 +588,7 @@ .
  • The node MUST compute the note commitment, \(\mathsf{cm}_{\mathsf{i,j}}\!\) - , as defined in the Note Structure and Commitment section of ZIP 226 11.
    • + , as defined in the Note Structure and Commitment section of ZIP 226 11.
  • If @@ -594,7 +625,7 @@
  • We require non-zero fees in the presence of an issue bundle, in order to preclude the possibility of a transaction containing only an issue bundle. If a transaction includes only an issue bundle, the SIGHASH transaction hash would be computed solely based on the issue bundle. A duplicate bundle would have the same SIGHASH transaction hash, potentially allowing for a replay attack.

    • Rationale for Global Issuance State

    -

    It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 8. However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset. Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record based on the issuance and burn transactions processed. This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the transaction or block.

    +

    It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 8. However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset. Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record based on the issuance and burn transactions processed. This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the transaction or block.

    We limit the total issuance of any Asset to a maximum of \(\mathsf{MAX\_ISSUE}\!\) . This is a practical limit that also allows an issuer to issue the complete supply of an Asset in a single transaction.

    @@ -607,7 +638,7 @@
    • By using the \(\mathsf{finalize}\) - boolean and the burning mechanism defined in 10, issuers can control the supply production of any Asset associated to their issuer keys. For example, + boolean and the burning mechanism defined in 10, issuers can control the supply production of any Asset associated to their issuer keys. For example,
      • by setting \(\mathsf{finalize} = 1\) @@ -640,7 +671,7 @@

    TxId Digest - Issuance

    -

    This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 13. As in ZIP 244 18, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.

    +

    This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 13. As in ZIP 244 19, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.

    A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. Each branch of the subtree will correspond to a specific subset of issuance transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:

    issuance_digest
 ├── issue_actions_digest
@@ -676,7 +707,7 @@
                         
    In case the transaction has no Issue Notes, ''issue_notes_digest'' is:
    
                         
    BLAKE2b-256("ZTxIdIAcNoteHash", [])
    
                         
    T.5a.i.1: recipient 
    
-                            
    This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification 28.
    
+                            
    This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification 30.
    
                         
    
                         
    T.5a.i.2: value 
    
                             
    Note value encoded as little-endian 8-byte representation of 64-bit unsigned integer (e.g. u64 in Rust) raw value.
    
@@ -710,7 +741,7 @@

    Signature Digest

    -

    The per-input transaction digest algorithm to generate the signature digest in ZIP 244 19 is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

    +

    The per-input transaction digest algorithm to generate the signature digest in ZIP 244 20 is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

    The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:

    signature_digest
 ├── header_digest
@@ -725,14 +756,14 @@
 S.3: sapling_digest         (32-byte hash output)
 S.4: orchard_digest         (32-byte hash output)
 S.5: issuance_digest        (32-byte hash output)  [ADDED FOR ZSA]
    -

    The personalization field remains the same as in ZIP 244 18.

    +

    The personalization field remains the same as in ZIP 244 19.

    S.5: issuance_digest

    Identical to that specified for the transaction identifier.

    Authorizing Data Commitment - Issuance

    -

    This section covers the construction of the subtree of hashes in the authorizing data commitment that corresponds to issuance transaction data. Details of the overall changes to the authorizing data commitment due to the OrchardZSA protocol can be found in ZIP 226 14.

    +

    This section covers the construction of the subtree of hashes in the authorizing data commitment that corresponds to issuance transaction data. Details of the overall changes to the authorizing data commitment due to the OrchardZSA protocol can be found in ZIP 226 14.

    A.4: issuance_auth_digest

    In the case that Issuance Actions are present, this is a BLAKE2b-256 hash of the field encoding of the issueAuthSig field of the transaction:

    A.4a: issueAuthSig            (field encoding bytes)
    @@ -743,7 +774,7 @@

    OrchardZSA Fee Calculation

    -

    In addition to the parameters defined in the Fee calculation section of ZIP 317 20, the OrchardZSA protocol upgrade defines the following additional parameters:

    +

    In addition to the parameters defined in the Fee calculation section of ZIP 317 21, the OrchardZSA protocol upgrade defines the following additional parameters:

    @@ -797,7 +828,7 @@
    -

    The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 29 and the global state. They are defined in the Fee calculation section of ZIP 317 20. Note that +

    The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 31 and the global state. They are defined in the Fee calculation section of ZIP 317 21. Note that \(nOrchardActions\!\) , that is used in the computation of \(logical\_actions\!\) @@ -842,7 +873,7 @@

    Bridging Assets

    -

    For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.

    +

    For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.

    Other Considerations

    @@ -856,7 +887,7 @@ in order to properly keep track of the total supply for different Asset Identifiers. This is useful for wallets and other applications that need to keep track of the total supply of Assets.

    Fee Structures

    -

    The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317, and is described in ZIP 230 17.

    +

    The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317, and is described in ZIP 230 18.

    Test Vectors

    @@ -994,10 +1025,18 @@ - +
    + + + +
    16ZIP 230: Version 6 Transaction Format: Issue Note (IssueNote)
    + + + + @@ -1005,7 +1044,7 @@
    17 ZIP 230: Version 6 Transaction Format: Transaction Format
    - + @@ -1013,7 +1052,7 @@
    1718 ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation
    - + @@ -1021,7 +1060,7 @@
    1819 ZIP 244: Transaction Identifier Non-Malleability
    - + @@ -1029,7 +1068,7 @@
    1920 ZIP 244: Transaction Identifier Non-Malleability: Signature Digest
    - + @@ -1037,7 +1076,7 @@
    2021 ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation
    - + @@ -1045,7 +1084,7 @@
    2122 BIP 43: Purpose Field for Deterministic Wallets
    - + @@ -1053,7 +1092,7 @@
    2223 BIP 340: Schnorr Signatures for secp256k1
    - + @@ -1061,15 +1100,23 @@
    2324 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 2: Notation
    - +
    2425 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.1: Payment Addresses and Keys
    + + + + + + + +
    26Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2: Notes
    - + @@ -1077,7 +1124,7 @@
    2527 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.2.3: Orchard Key Components
    - + @@ -1085,7 +1132,7 @@
    2628 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.10: SIGHASH Transaction Hashing
    - + @@ -1093,7 +1140,7 @@
    2729 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.9.8: Group Hash into Pallas and Vesta
    - + @@ -1101,7 +1148,7 @@
    2830 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.6.4.2: Orchard Raw Payment Addresses
    - + diff --git a/zips/zip-0227.rst b/zips/zip-0227.rst index f8fb8db58..d30978976 100644 --- a/zips/zip-0227.rst +++ b/zips/zip-0227.rst @@ -224,16 +224,34 @@ Wallets MUST NOT display just the $\mathsf{asset\_desc}$ string to their users a - The Asset Digest could be used as a more compact bytestring to uniquely determine an Asset, and wallets could support clients scanning QR codes to load Asset information into their wallets. -Specification: Issuance Action, Issuance Bundle and Issuance Protocol -===================================================================== +Specification: Issue Note, Issuance Action, Issuance Bundle and Issuance Protocol +================================================================================= -Issue Note Description ----------------------- +Issue Note +---------- -TODO: Fill this section. +The maximum total supply of any issued Custom Asset is denoted by the constant $\mathsf{MAX\_ISSUE} := 2^{64} - 1$. + +An Issue Note represents that a value $\mathsf{v} : \{0 .. \mathsf{MAX\_ISSUE}\}$ of a specific Custom Asset is issued to a recipient. +An Issue Note is a tuple $(\mathsf{d}, \mathsf{pk_d}, \mathsf{v}, \mathsf{AssetBase}, \text{ρ}, \mathsf{rseed})$, where: + +- $\mathsf{d}: \mathbb{B}^{[\ell_{\mathsf{d}}]}$ is the diversifier of the recipient's shielded payment address, as in §3.2 of the protocol specification [#protocol-notes]_. +- $\mathsf{pk_d}: \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public}$ is the recipient's diversified transmission key, as in §3.2 of the protocol specification [#protocol-notes]_. +- $\mathsf{v} : \{0 .. \mathsf{MAX\_ISSUE}\}$ is the value of the note in terms of the number of Asset tokens. +- $\mathsf{AssetBase}: \mathbb{P}^*$ is the Asset Base corresponding to the ZSA being issued in the Issue Note. +- $\text{ρ}: \mathbb{F}_{q_{\mathbb{P}}}$ is used to derive the nullifier of the note, and is computed as in `Computation of ρ`_. +- $\mathsf{rseed}: \mathbb{B}^{[\mathbb{Y}^{32}]}$ MUST be sampled uniformly at random by the issuer. + +The complete encoding of these fields into an ``IssueNote`` is defined in ZIP 230 [#zip-0230-issue-note]_. -Issuance Action Description ---------------------------- + +Computation of ρ +```````````````` + +TO BE FILLED + +Issuance Action +--------------- An issuance action, ``IssueAction``, is the instance of issuing a specific Custom Asset, and contains the following fields: @@ -335,7 +353,7 @@ For every transaction: - It MUST be the case that $0 < \mathtt{assetDescSize} \leq 512$. - It MUST be the case that $\mathsf{asset\_desc}$ is a string of length $\mathtt{assetDescSize}$ bytes. - - Elements of every issue note description in ``IssueAction`` MUST be valid encodings of the types given in `Issue Note Description`_, and MUST encode the same $\mathsf{AssetBase}$. + - Elements of every issue note description in ``IssueAction`` MUST be valid encodings of the types given in `Issue Note`_, and MUST encode the same $\mathsf{AssetBase}$. - This $\mathsf{AssetBase}$ MUST satisfy the derivation from the issuance validating key and asset description described in the `Specification: Asset Identifier`_ section. - It MUST be the case that $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\!\mathsf{final} \neq 1$. - For every issue note description ($\mathsf{note}_{\mathsf{j}},\ 1 \leq j \leq \mathtt{nNotes}$) in ``IssueAction``: @@ -685,6 +703,7 @@ References .. [#zip-0226-txiddigest] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - TxId Digest `_ .. [#zip-0226-authcommitment] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - Authorizing Data Commitment `_ .. [#zip-0230-issuance-action-description] `ZIP 230: Version 6 Transaction Format: Issuance Action Description (IssueAction) `_ +.. [#zip-0230-issue-note] `ZIP 230: Version 6 Transaction Format: Issue Note (IssueNote) `_ .. [#zip-0230-transaction-format] `ZIP 230: Version 6 Transaction Format: Transaction Format `_ .. [#zip-0230-orchardzsa-fee-calculation] `ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation `_ .. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability `_ @@ -694,6 +713,7 @@ References .. [#bip-0340] `BIP 340: Schnorr Signatures for secp256k1 `_ .. [#protocol-notation] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 2: Notation `_ .. [#protocol-addressesandkeys] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.1: Payment Addresses and Keys `_ +.. [#protocol-notes] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2: Notes `_ .. [#protocol-orchardkeycomponents] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.2.3: Orchard Key Components `_ .. [#protocol-sighash] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.10: SIGHASH Transaction Hashing `_ .. [#protocol-concretegrouphashpallasandvesta] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.9.8: Group Hash into Pallas and Vesta `_
    2931 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 7.1: Transaction Encoding and Consensus