diff --git a/rendered/zip-0226.html b/rendered/zip-0226.html index bd3e83f33..99406b462 100644 --- a/rendered/zip-0226.html +++ b/rendered/zip-0226.html @@ -39,7 +39,7 @@

Abstract

-

This ZIP (ZIP 226) proposes the Zcash Shielded Assets (ZSA) protocol, in conjunction with ZIP 227 5. The ZSA protocol is an extension of the Orchard protocol that enables the issuance, transfer and burn of custom Assets on the Zcash chain. The issuance of such Assets is defined in ZIP 227 5, while the transfer and burn of such Assets is defined in this ZIP (ZIP 226). While the proposed ZSA protocol is a modification to the Orchard protocol, it has been designed with adaptation to possible future shielded protocols in mind.

+

This ZIP (ZIP 226) proposes the Orchard Zcash Shielded Assets (OrchardZSA) protocol, in conjunction with ZIP 227 5. The OrchardZSA protocol is an extension of the Orchard protocol that enables the issuance, transfer and burn of custom Assets on the Zcash chain. The issuance of such Assets is defined in ZIP 227 5, while the transfer and burn of such Assets is defined in this ZIP (ZIP 226). While the proposed OrchardZSA protocol is a modification to the Orchard protocol, it has been designed with adaptation to possible future shielded protocols in mind.

Motivation

None of the currently deployed Zcash transfer protocols support Custom Assets. Enabling multi-asset support on the Zcash chain will open the door for a host of applications, and enhance the ecosystem with application developers and Asset custody institutions for issuance and bridging purposes. This ZIP builds on the issuance mechanism introduced in ZIP 227 5.

@@ -49,19 +49,19 @@ \(\mathsf{AssetId}\!\) . This Asset Identifier maps to an Asset Base \(\mathsf{AssetBase}\) - that is stored in Orchard-based ZSA notes. These terms are formally defined in ZIP 227 5.

-

The Asset Identifier (via means of the Asset Digest and Asset Base) will be used to enforce that the balance of an Action Description 16 29 is preserved across Assets (see the Orchard Binding Signature 19), and by extension the balance of an Orchard transaction. That is, the sum of all the + that is stored in OrchardZSA notes. These terms are formally defined in ZIP 227 5.

+

The Asset Identifier (via means of the Asset Digest and Asset Base) will be used to enforce that the balance of an Action Description 18 31 is preserved across Assets (see the Orchard Binding Signature 21), and by extension the balance of an Orchard transaction. That is, the sum of all the \(\mathsf{value^{net}}\) from each Action Description, computed as \(\mathsf{value^{old}} - \mathsf{value^{new}}\!\) , must be balanced only with respect to the same Asset Identifier. This is especially important since we will allow different Action Descriptions to transfer notes of different Asset Identifiers, where the overall balance is checked without revealing which (or how many distinct) Assets are being transferred.

-

As was initially proposed by Jack Grigg and Daira-Emma Hopwood 30 31, we propose to make this happen by changing the value base point, +

As was initially proposed by Jack Grigg and Daira-Emma Hopwood 32 33, we propose to make this happen by changing the value base point, \(\mathcal{V}^{\mathsf{Orchard}}\!\) , in the Homomorphic Pedersen Commitment that derives the value commitment, \(\mathsf{cv^{net}}\!\) , of the net value in an Orchard Action.

-

Because in a single transaction all value commitments are balanced, there must be as many different value base points as there are Asset Identifiers for a given shielded protocol used in a transaction. We propose to make the Asset Base an auxiliary input to the proof for each Action statement 21, represented already as a point on the Pallas curve. The circuit then should check that the same Asset Base is used in the old note commitment and the new note commitment 26, and as the base point in the value commitment 25. This ensures (1) that the input and output notes are of the same Asset Base, and (2) that only Actions with the same Asset Base will balance out in the Orchard binding signature.

-

In order to ensure the security of the transfers, and as we will explain below, we are redefining input dummy notes 18 for Custom Assets, as we need to enforce that the +

Because in a single transaction all value commitments are balanced, there must be as many different value base points as there are Asset Identifiers for a given shielded protocol used in a transaction. We propose to make the Asset Base an auxiliary input to the proof for each Action statement 23, represented already as a point on the Pallas curve. The circuit then should check that the same Asset Base is used in the old note commitment and the new note commitment 28, and as the base point in the value commitment 27. This ensures (1) that the input and output notes are of the same Asset Base, and (2) that only Actions with the same Asset Base will balance out in the Orchard binding signature.

+

In order to ensure the security of the transfers, and as we will explain below, we are redefining input dummy notes 20 for Custom Assets, as we need to enforce that the \(\mathsf{AssetBase}\) of the output note of that Split Action is the output of a valid \(\mathsf{ZSAValueBase}\) @@ -80,7 +80,7 @@

Specification

Most of the protocol is kept the same as the Orchard protocol released with NU5, except for the following.

Asset Identifiers

-

For every new Asset, there must be a new and unique Asset Identifier. Every Asset is defined by an Asset description, +

For every new Asset, there MUST be a new and unique Asset Identifier. Every Asset is defined by an Asset description, \(\mathsf{asset\_desc}\!\) , which is a global byte string (scoped across all future versions of Zcash). From this Asset description and the issuance validating key of the issuer, the specific Asset Identifier, \(\mathsf{AssetId}\!\) @@ -95,26 +95,30 @@

Note Structure & Commitment

-

Let - \(\mathsf{Note^{OrchardZSA}}\) - be the type of a ZSA note, i.e. - \(\mathsf{Note^{OrchardZSA}} := \mathsf{Note^{Orchard}} \times \mathbb{P}^*\!\) - .

-

An Orchard ZSA note differs from an Orchard note 15 by additionally including the Asset Base, +

An OrchardZSA note differs from an Orchard note 17 by additionally including the Asset Base, \(\mathsf{AssetBase}\!\) - . So a ZSA note is a tuple - \((\mathsf{g_d}, \mathsf{pk_d}, \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})\!\) + . So an OrchardZSA note is a tuple + \((\mathsf{d}, \mathsf{pk_d}, \mathsf{v}, \mathsf{AssetBase}, \text{ρ}, \text{ψ}, \mathsf{rcm})\!\) , where

Note that the above assumes a canonical encoding, which is true for the Pallas group, but may not hold for future shielded protocols.

+

Let + \(\mathsf{Note^{OrchardZSA}}\) + be the type of a OrchardZSA note, i.e.

+
\(\mathsf{Note^{OrchardZSA}} := \mathbb{B}^{[\ell_{\mathsf{d}}]} \times \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public} \times \{0 .. 2^{\ell_{\mathsf{value}}} - 1\} \times \mathbb{P}^* \times \mathbb{F}_{q_{\mathbb{P}}} \times \mathbb{F}_{q_{\mathbb{P}}} \times \mathsf{NoteCommit^{Orchard}.Trapdoor},\)
+

where + \(\mathbb{P}^*\) + is the Pallas group excluding the identity element, and the other types are as defined in §3.2 of the protocol specification 17.

+

Non-normative note: The type and definition of the OrchardZSA note reflect that it is a tuple of all the components of an Orchard note, with the addition of the Asset Base into the tuple.

We define the note commitment scheme \(\mathsf{NoteCommit^{OrchardZSA}_{rcm}}\) as follows:

@@ -131,9 +135,9 @@

where \(\mathbb{P}, \ell_{\mathbb{P}}, q_{\mathbb{P}}\) - are as defined for the Pallas curve 27, and where + are as defined for the Pallas curve 29, and where \(\mathsf{NoteCommit^{Orchard}.\{Trapdoor, Output\}}\) - are as defined in the Zcash protocol specification 17. This note commitment scheme is instantiated using the Sinsemilla Commitment 26 as follows:

+ are as defined in the Zcash protocol specification 19. This note commitment scheme is instantiated using the Sinsemilla Commitment 28 as follows:

\(\mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{g_d}\star, \mathsf{pk_d}\star, \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase}) := \begin{cases} \mathsf{NoteCommit^{Orchard}_{rcm}}(\mathsf{g_d}\star, \mathsf{pk_d}\star, \mathsf{v}, \text{ρ}, \text{ψ}), &\!\!\text{if } \mathsf{AssetBase} = \mathcal{V}^{\mathsf{Orchard}} \\ @@ -152,27 +156,27 @@ \(\mathsf{repr}_{\mathbb{P}}\) and \(\mathsf{GroupHash}^{\mathbb{P}}\) - are as defined for the Pallas curve 27, + are as defined for the Pallas curve 29, \(\ell^{\mathsf{Orchard}}_{\mathsf{base}}\) - is as defined in §5.3 23, and + is as defined in §5.3 25, and \(\mathsf{I2LEBSP}\) - is as defined in §5.1 22 of the Zcash protocol specification.

-

The nullifier is generated in the same manner as in the Orchard protocol 20.

-

The ZSA note plaintext also includes the Asset Base in addition to the components in the Orchard note plaintext 28. It consists of

+ is as defined in §5.1 24 of the Zcash protocol specification.

+

The nullifier is generated in the same manner as in the Orchard protocol 22.

+

The OrchardZSA note plaintext also includes the Asset Base in addition to the components in the Orchard note plaintext 30. It consists of

\((\mathsf{leadByte} : \mathbb{B}^{\mathbb{Y}}, \mathsf{d} : \mathbb{B}^{[\ell_{\mathsf{d}}]}, \mathsf{v} : \{0 .. 2^{\ell_{\mathsf{value}}} - 1\}, \mathsf{rseed} : \mathbb{B}^{\mathbb{Y}[32]}, \mathsf{asset\_base} : \mathbb{B}^{[\ell_{\mathbb{P}}]}, \mathsf{memo} : \mathbb{B}^{\mathbb{Y}[512]})\)

Rationale for Note Commitment

-

In the ZSA protocol, the instance of the note commitment scheme, +

In the OrchardZSA protocol, the instance of the note commitment scheme, \(\mathsf{NoteCommit^{OrchardZSA}_{rcm}}\!\) , differs from the Orchard note commitment \(\mathsf{NoteCommit^{Orchard}_{rcm}}\) - in that for Custom Assets, the Asset Base will be added as an input to the commitment computation. In the case where the Asset is the ZEC Asset, the commitment is computed identically to the Orchard note commitment, without making use of the ZEC Asset Base as an input. As we will see, the nested structure of the Sinsemilla-based commitment 26 allows us to add the Asset Base as a final recursive step.

-

The note commitment output is still indistinguishable from the original Orchard ZEC note commitments, by definition of the Sinsemilla hash function 24. ZSA note commitments will therefore be added to the same Orchard Note Commitment Tree. In essence, we have:

+ in that for Custom Assets, the Asset Base will be added as an input to the commitment computation. In the case where the Asset is the ZEC Asset, the commitment is computed identically to the Orchard note commitment, without making use of the ZEC Asset Base as an input. As we will see, the nested structure of the Sinsemilla-based commitment 28 allows us to add the Asset Base as a final recursive step.

+

The note commitment output is still indistinguishable from the original Orchard ZEC note commitments, by definition of the Sinsemilla hash function 26. OrchardZSA note commitments will therefore be added to the same Orchard Note Commitment Tree. In essence, we have:

\(\mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase}) \in \mathsf{NoteCommit^{Orchard}.Output}\)
-

This definition can be viewed as a generalization of the Orchard note commitment, and will allow maintaining a single commitment instance for the note commitment, which will be used both for pre-ZSA Orchard and ZSA notes.

+

This definition can be viewed as a generalization of the Orchard note commitment, and will allow maintaining a single commitment instance for the note commitment, which will be used both for pre-ZSA Orchard and OrchardZSA notes.

Value Commitment

-

In the case of the Orchard-based ZSA protocol, the value of different Asset Identifiers in a given transaction will be committed using a different value base point. The value commitment becomes:

+

In the case of the OrchardZSA protocol, the value of different Asset Identifiers in a given transaction will be committed using a different value base point. The value commitment becomes:

\(\mathsf{cv^{net}} := \mathsf{ValueCommit^{OrchardZSA}_{rcv}}(\mathsf{AssetBase_{AssetId}}, \mathsf{v^{net}_{AssetId}}) = [\mathsf{v^{net}_{AssetId}}]\,\mathsf{AssetBase_{AssetId}} + [\mathsf{rcv}]\,\mathcal{R}^{\mathsf{Orchard}}\)

where \(\mathsf{v^{net}_{AssetId}} = \mathsf{v^{old}_{AssetId}} - \mathsf{v^{new}_{AssetId}}\) @@ -187,20 +191,20 @@ respectively,

  • \(\mathsf{AssetBase_{AssetId}}\) - is defined in ZIP 227 5, and
    • + is defined in ZIP 227 5, and
  • \(\mathcal{R}^{\mathsf{Orchard}} := \mathsf{GroupHash^{\mathbb{P}}}(\texttt{“z.cash:Orchard-cv”}, \texttt{“r”})\!\) , as in the Orchard protocol.

    • For ZEC, we define \(\mathsf{AssetBase}_{\mathsf{AssetId}} := \mathcal{V}^{\mathsf{Orchard}}\) - so that the value commitment for ZEC notes is computed identically to the Orchard protocol deployed in NU5 4. As such + so that the value commitment for ZEC notes is computed identically to the Orchard protocol deployed in NU5 4. As such \(\mathsf{ValueCommit^{Orchard}_{rcv}}(\mathsf{v})\) - as defined in 4 is used as + as defined in 4 is used as \(\mathsf{ValueCommit^{OrchardZSA}_{rcv}}(\mathcal{V}^{\mathsf{Orchard}}, \mathsf{v})\) here.

    Rationale for Value Commitment

    -

    The Orchard Protocol uses a Homomorphic Pedersen Commitment 25 to perform the value commitment, with fixed base points +

    The Orchard Protocol uses a Homomorphic Pedersen Commitment 27 to perform the value commitment, with fixed base points \(\mathcal{V}^{\mathsf{Orchard}}\) and \(\mathcal{R}^{\mathsf{Orchard}}\) @@ -209,8 +213,8 @@

    Burn Mechanism

    -

    The burn mechanism is a transparent extension to the transfer protocol that enables a specific amount of any Custom Asset to be "destroyed" by the holder. The burn mechanism does NOT send Assets to a non-spendable address, it simply reduces the total number of units of a given Custom Asset in circulation. It is enforced at the consensus level, by using an extension of the value balance mechanism used for ZEC Assets. Burning makes it globally provable that a given amount of a Custom Asset has been destroyed. Note that the OrchardZSA Protocol does not allow for the burning of ZEC (or TAZ).

    -

    In the Orchard-ZSA Transaction Structure, there is now an +

    The burn mechanism is a transparent extension to the transfer protocol that enables a specific amount of any Custom Asset to be "destroyed" by the holder. The burn mechanism does NOT send Assets to a non-spendable address, it simply reduces the total number of units of a given Custom Asset in circulation. It is enforced at the consensus level, by using an extension of the value balance mechanism used for ZEC Assets. Burning makes it globally provable that a given amount of a Custom Asset has been destroyed. Note that the OrchardZSA Protocol does not allow for the burning of the Native Asset (i.e. ZEC or TAZ).

    +

    In the OrchardZSA Transaction Structure, there is now an \(\mathsf{assetBurn}\) set. For every Custom Asset (represented by its \(\mathsf{AssetBase}\!\) @@ -226,41 +230,28 @@ \(\mathsf{assetBurn}\) set in a transaction.

    As described in Value Balance Verification, this provides the information for the validator of the transaction to compute the value commitment with the corresponding Asset Base. This ensures that the values are all balanced out on a per-Asset basis in the transaction.

    -

    Additional Consensus Rules

    +

    Additional Consensus Rules for the assetBurn set

      -
    1. Check that for every +
    2. It MUST be the case that for every \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{AssetBase} \neq \mathcal{V}^{\mathsf{Orchard}}\!\) - . That is, ZEC or TAZ is not allowed to be burnt by this mechanism.
      3. -
    3. Check that for every + . That is, the Native Asset is not allowed to be burnt by this mechanism.
      4. +
    4. It MUST be that for every \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{v} \neq 0\!\) .
      5. -
    5. Check that there is no duplication of Custom Assets in the +
    6. There MUST be no duplication of Custom Assets in the \(\mathsf{assetBurn}\) set. That is, every \(\mathsf{AssetBase}\) has at most one entry in \(\mathsf{assetBurn}\!\) .
      7. -
    7. Check that for every - \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}\!\) - , - \(\mathsf{v} \leq \mathsf{issued\_assets(AssetBase).balance}\!\) - , where the map - \(\mathsf{issued\_assets}\) - is defined in ZIP 227 6. That is, it is not possible to burn more of an Asset than is currently in circulation.
    -

    If all these checks pass, then for every - \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}\!\) - , reduce the value of - \(\mathsf{issued\_assets(AssetBase).balance}\) - in the global state by - \(\mathsf{v}\!\) - .

    -

    Note: Even if this mechanism allows having transparent ↔ shielded Asset transfers in theory, the transparent protocol will not be changed with this ZIP to adapt to a multiple Asset structure. This means that unless future consensus rules changes do allow it, unshielding will not be possible for Custom Assets.

    +

    The other consensus rule changes for the OrchardZSA protocol are specified in ZIP 227 8.

    +

    Note: The transparent protocol will not be changed with this ZIP to adapt to a multiple Asset structure. This means that unless future consensus rules changes do allow it, unshielding will not be possible for Custom Assets.

    Value Balance Verification

    -

    In order to verify the balance of the different Assets, the verifier MUST perform a similar process as for the Orchard protocol 19, with the addition of the burn information.

    +

    In order to verify the balance of the different Assets, the verifier MUST perform a similar process as for the Orchard protocol 21, with the addition of the burn information.

    For a total of \(n\) Actions in a transfer, the prover MUST still sign the SIGHASH transaction hash using the binding signature key @@ -283,7 +274,7 @@ the set of indices of Actions that are related to Custom Assets.

    The right hand side of the value balance verification equation can be expanded to:

    \(((\sum_{i \in S_{\mathsf{ZEC}}} \mathsf{cv}^{\mathsf{net}}_i) + (\sum_{j \in S_{\mathsf{CA}}} \mathsf{cv}^{\mathsf{net}}_j)) - ([\mathsf{v^{balanceOrchard}}]\,\mathcal{V}^{\mathsf{Orchard}} + [0]\,\mathcal{R}^{\mathsf{Orchard}}) - (\sum_{(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}} [\mathsf{v}]\,\mathsf{AssetBase} + [0]\,\mathcal{R}^{\mathsf{Orchard}})\)
    -

    This equation contains the balance check of the Orchard protocol 19. With ZSA, transfer Actions for Custom Assets must also be balanced across Asset Bases. All Custom Assets are contained within the shielded pool, and cannot be unshielded via a regular transfer. Custom Assets can be burnt, the mechanism for which reveals the amount and identifier of the Asset being burnt, within the +

    This equation contains the balance check of the Orchard protocol 21. With ZSA, transfer Actions for Custom Assets must also be balanced across Asset Bases. All Custom Assets are contained within the shielded pool, and cannot be unshielded via a regular transfer. Custom Assets can be burnt, the mechanism for which reveals the amount and identifier of the Asset being burnt, within the \(\mathsf{assetBurn}\) set. As such, for a correctly constructed transaction, we will get \(\sum_{j \in S_{\mathsf{CA}}} \mathsf{cv}^{\mathsf{net}}_j - \sum_{(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}} [\mathsf{v}]\,\mathsf{AssetBase} = \sum_{j \in S_{\mathsf{CA}}} [\mathsf{rcv}^{\mathsf{net}}_j]\,\mathcal{R}^{\mathsf{Orchard}}\!\) @@ -332,21 +323,21 @@ \(\mathbb{F}_{q_{\mathbb{P}}}\!\) , \(\mathcal{K}^{\mathsf{Orchard}}\) - is the Orchard Nullifier Base as defined in 20, and + is the Orchard Nullifier Base as defined in 22, and \(\mathcal{L}^{\mathsf{Orchard}} := \mathsf{GroupHash^{\mathbb{P}}}(\texttt{“z.cash:Orchard”}, \texttt{“L”})\!\) .

    Rationale for Split Notes

    -

    In the Orchard protocol, since each Action represents an input and an output, the transaction that wants to send one input to multiple outputs must have multiple inputs. The Orchard protocol gives dummy spend notes 18 to the Actions that have not been assigned input notes.

    -

    The Orchard technique requires modification for the ZSA protocol with multiple Asset Identifiers, as the output note of the split Actions cannot contain just any Asset Base. We must enforce it to be an actual output of a GroupHash computation (in fact, we want it to be of the same Asset Base as the original input note, but the binding signature takes care that the proper balancing is performed). Without this enforcement the prover could input a multiple (or linear combination) of an existing Asset Base, and thereby attack the network by overflowing the ZEC value balance and hence counterfeiting ZEC funds.

    -

    Therefore, for Custom Assets we enforce that every input note to an ZSA Action must be proven to exist in the set of note commitments in the note commitment tree. We then enforce this real note to be “unspendable” in the sense that its value will be zeroed in split Actions and the nullifier will be randomized, making the note not spendable in the specific Action. Then, the proof itself ensures that the output note is of the same Asset Base as the input note. In the circuit, the split note functionality will be activated by a boolean private input to the proof (aka the +

    In the Orchard protocol, since each Action represents an input and an output, the transaction that wants to send one input to multiple outputs must have multiple inputs. The Orchard protocol gives dummy spend notes 20 to the Actions that have not been assigned input notes.

    +

    The Orchard technique requires modification for the OrchardZSA protocol with multiple Asset Identifiers, as the output note of the split Actions cannot contain just any Asset Base. We must enforce it to be an actual output of a GroupHash computation (in fact, we want it to be of the same Asset Base as the original input note, but the binding signature takes care that the proper balancing is performed). Without this enforcement the prover could input a multiple (or linear combination) of an existing Asset Base, and thereby attack the network by overflowing the ZEC value balance and hence counterfeiting ZEC funds.

    +

    Therefore, for Custom Assets we enforce that every input note to an OrchardZSA Action must be proven to exist in the set of note commitments in the note commitment tree. We then enforce this real note to be “unspendable” in the sense that its value will be zeroed in split Actions and the nullifier will be randomized, making the note not spendable in the specific Action. Then, the proof itself ensures that the output note is of the same Asset Base as the input note. In the circuit, the split note functionality will be activated by a boolean private input to the proof (aka the \(\mathsf{split\_flag}\) boolean). This ensures that the value base points of all output notes of a transfer are actual outputs of a GroupHash, as they originate in the Issuance protocol which is publicly verified.

    Note that the Orchard dummy note functionality remains in use for ZEC notes, and the Split Input technique is used in order to support Custom Assets.

    Circuit Statement

    -

    Every ZSA Action statement is closely similar to the Orchard Action statement 21, except for a few additions that ensure the security of the Asset Identifier system. We detail these changes below.

    -

    All modifications in the Circuit are detailed in 32.

    +

    Every OrchardZSA Action statement is closely similar to the Orchard Action statement 23, except for a few additions that ensure the security of the Asset Identifier system. We detail these changes below.

    +

    All modifications in the Circuit are detailed in 34.

    Asset Base Equality

    The following constraints must be added to ensure that the input and output note are of the same \(\mathsf{AssetBase}\!\) @@ -355,12 +346,12 @@

  • The Asset Base, \(\mathsf{AssetBase_{AssetId}}\!\) , for the note is witnessed once, as an auxiliary input.
    • -
  • In the Old note commitment integrity constraint in the Orchard Action statement 21, +
  • In the Old note commitment integrity constraint in the Orchard Action statement 23, \(\mathsf{NoteCommit^{Orchard}_{rcm^{old}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d^{old}}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d^{old}}), \mathsf{v^{old}}, \text{ρ}^{\mathsf{old}}, \text{ψ}^{\mathsf{old}})\) is replaced with \(\mathsf{NoteCommit^{OrchardZSA}_{rcm^{old}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d^{old}}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d^{old}}), \mathsf{v^{old}}, \text{ρ}^{\mathsf{old}}, \text{ψ}^{\mathsf{old}}, \mathsf{AssetBase_{AssetId}})\!\) .
    • -
  • In the New note commitment integrity constraint in the Orchard Action statement 21, +
  • In the New note commitment integrity constraint in the Orchard Action statement 23, \(\mathsf{NoteCommit^{Orchard}_{rcm^{new}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d^{new}}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d^{new}}), \mathsf{v^{new}}, \text{ρ}^{\mathsf{new}}, \text{ψ}^{\mathsf{new}})\) is replaced with \(\mathsf{NoteCommit^{OrchardZSA}_{rcm^{new}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d^{new}}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d^{new}}), \mathsf{v^{new}}, \text{ρ}^{\mathsf{new}}, \text{ψ}^{\mathsf{new}}, \mathsf{AssetBase_{AssetId}})\!\) @@ -462,110 +453,158 @@

    The

    • Backwards Compatibility with ZEC Notes

    -

    The input note in the old note commitment integrity check must either include an Asset Base (ZSA note) or not (pre-ZSA Orchard note). If the note is a pre-ZSA Orchard note, the note commitment is computed in the original Orchard fashion 17. If the note is a ZSA note, the note commitment is computed as defined in the Note Structure & Commitment section.

    +

    The input note in the old note commitment integrity check must either include an Asset Base (OrchardZSA note) or not (pre-ZSA Orchard note). If the note is a pre-ZSA Orchard note, the note commitment is computed in the original Orchard fashion 19. If the note is an OrchardZSA note, the note commitment is computed as defined in the Note Structure & Commitment section.

    -

    Orchard-ZSA Transaction Structure

    -

    The transaction format for v6 transactions is described in ZIP 230 11.

    +

    OrchardZSA Transaction Structure

    +

    The transaction format for v6 transactions is described in ZIP 230 12.

    TxId Digest

    -

    The transaction digest algorithm defined in ZIP 244 12 is modified by the ZSA protocol to add a new branch for issuance information, along with modifications within the orchard_digest to account for the inclusion of the Asset Base. The details of these changes are described in this section, and highlighted using the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the ZSA protocol.

    +

    The transaction digest algorithm defined in ZIP 244 14 is modified by the OrchardZSA protocol to add a new branch for issuance information, along with modifications within the orchard_digest to account for the inclusion of the Asset Base. The details of these changes are described in this section, and highlighted using the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the OrchardZSA protocol.

    txid_digest

    -

    A BLAKE2b-256 hash of the following values

    +

    A BLAKE2b-256 hash of the following values:

    T.1: header_digest       (32-byte hash output)
 T.2: transparent_digest  (32-byte hash output)
 T.3: sapling_digest      (32-byte hash output)
 T.4: orchard_digest      (32-byte hash output)  [UPDATED FOR ZSA]
 T.5: issuance_digest     (32-byte hash output)  [ADDED FOR ZSA]
    -

    The personalization field remains the same as in ZIP 244 12.

    +

    The personalization field remains the same as in ZIP 244 14.

    T.4: orchard_digest

    -

    When Orchard Actions are present in the transaction, this digest is a BLAKE2b-256 hash of the following values

    - 
    T.4a: orchard_actions_compact_digest      (32-byte hash output)          [UPDATED FOR ZSA]
-T.4b: orchard_actions_memos_digest        (32-byte hash output)          [UPDATED FOR ZSA]
-T.4c: orchard_actions_noncompact_digest   (32-byte hash output)          [UPDATED FOR ZSA]
-T.4d: orchard_zsa_burn_digest             (32-byte hash output)          [ADDED FOR ZSA]
-T.4e: flagsOrchard                        (1 byte)
-T.4f: valueBalanceOrchard                 (64-bit signed little-endian)
-T.4g: anchorOrchard                       (32 bytes)
    -
    T.4a: orchard_actions_compact_digest
    -

    A BLAKE2b-256 hash of the subset of Orchard Action information intended to be included in an updated version of the ZIP-307 13 CompactBlock format for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

    - 
    T.4a.i  : nullifier            (field encoding bytes)
-T.4a.ii : cmx                  (field encoding bytes)
-T.4a.iii: ephemeralKey         (field encoding bytes)
-T.4a.iv : encCiphertext[..84]  (First 84 bytes of field encoding)  [UPDATED FOR ZSA]
    -

    The personalization field of this hash is the same as in ZIP 244:

    - 
    "ZTxIdOrcActCHash"
    -
    -
    T.4b: orchard_actions_memos_digest
    -

    A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

    - 
    T.4b.i: encCiphertext[84..596] (contents of the encrypted memo field)  [UPDATED FOR ZSA]
    -

    The personalization field of this hash remains identical to ZIP 244:

    - 
    "ZTxIdOrcActMHash"
    -
    -
    T.4c: orchard_actions_noncompact_digest
    -

    A BLAKE2b-256 hash of the remaining subset of Orchard Action information not intended for inclusion in an updated version of the the ZIP 307 13 CompactBlock format, for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

    - 
    T.4d.i  : cv                    (field encoding bytes)
-T.4d.ii : rk                    (field encoding bytes)
-T.4d.iii: encCiphertext[596..]  (post-memo suffix of field encoding)  [UPDATED FOR ZSA]
-T.4d.iv : outCiphertext         (field encoding bytes)
    -

    The personalization field of this hash is defined identically to ZIP 244:

    - 
    "ZTxIdOrcActNHash"
    +

    When OrchardZSA Actions Groups are present in the transaction, this digest is a BLAKE2b-256 hash of the following values:

    + 
    T.4a: orchard_action_groups_digest   (32-byte hash output)          [ADDED FOR ZSA]
+T.4b: orchard_zsa_burn_digest        (32-byte hash output)          [ADDED FOR ZSA]
+T.4c: valueBalanceOrchard            (64-bit signed little-endian)
    +

    The personalization field of this hash is the same as in ZIP 244 14

    + 
    "ZTxIdOrchardHash"
    +

    In the case that the transaction has no OrchardZSA Action Groups, orchard_digest is

    + 
    BLAKE2b-256("ZTxIdOrchardHash", [])
    +
    T.4a: orchard_action_groups_digest
    +

    A BLAKE2b-256 hash of the subset of OrchardZSA Action Groups information for all OrchardZSA Action Groups belonging to the transaction. For each Action Group, the following elements are included in the hash:

    + 
    T.4a.i  : orchard_actions_compact_digest      (32-byte hash output)
+T.4a.ii : orchard_actions_memos_digest        (32-byte hash output)
+T.4a.iii: orchard_actions_noncompact_digest   (32-byte hash output)
+T.4a.iv : flagsOrchard                        (1 byte)
+T.4a.v  : anchorOrchard                       (32 bytes)
+T.4a.vi : nAGExpiryHeight                     (4 bytes)
    +

    The personalization field of this hash is set to:

    + 
    "ZTxIdOrcActGHash"
    +
    T.4a.i: orchard_actions_compact_digest
    +

    A BLAKE2b-256 hash of the subset of OrchardZSA Action information intended to be included in an updated version of the ZIP-307 16 CompactBlock format for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:

    + 
    T.4a.i.1 : nullifier            (field encoding bytes)
+T.4a.i.2 : cmx                  (field encoding bytes)
+T.4a.i.3 : ephemeralKey         (field encoding bytes)
+T.4a.i.4 : encCiphertext[..84]  (First 84 bytes of field encoding)  [UPDATED FOR ZSA]
    +

    The personalization field of this hash is the same as in ZIP 244:

    + 
    "ZTxIdOrcActCHash"
    +
    +
    T.4a.ii: orchard_actions_memos_digest
    +

    A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:

    + 
    T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field)  [UPDATED FOR ZSA]
    +

    The personalization field of this hash remains identical to ZIP 244:

    + 
    "ZTxIdOrcActMHash"
    +
    +
    T.4a.iii: orchard_actions_noncompact_digest
    +

    A BLAKE2b-256 hash of the remaining subset of OrchardZSA Action information not intended for inclusion in an updated version of the the ZIP 307 16 CompactBlock format, for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:

    + 
    T.4a.iii.1 : cv                    (field encoding bytes)
+T.4a.iii.2 : rk                    (field encoding bytes)
+T.4a.iii.3 : encCiphertext[596..]  (post-memo suffix of field encoding)  [UPDATED FOR ZSA]
+T.4a.iii.4 : outCiphertext         (field encoding bytes)
    +

    The personalization field of this hash is defined identically to ZIP 244:

    + 
    "ZTxIdOrcActNHash"
    +
    -
    T.4d: orchard_zsa_burn_digest
    +
    T.4b: orchard_zsa_burn_digest

    A BLAKE2b-256 hash of the data from the burn fields of the transaction. For each tuple in the \(\mathsf{assetBurn}\) set, the following elements are included in the hash:

    - 
    T.4d.i : assetBase    (field encoding bytes)
-T.4d.ii: valueBurn    (field encoding bytes)
    + 
    T.4b.i : assetBase    (field encoding bytes)
+T.4b.ii: valueBurn    (field encoding bytes)

    The personalization field of this hash is set to:

    "ZTxIdOrcBurnHash"

    In case the transaction does not perform the burning of any Assets (i.e. the \(\mathsf{assetBurn}\) set is empty), the ''orchard_zsa_burn_digest'' is:

    BLAKE2b-256("ZTxIdOrcBurnHash", [])
    -
    T.4d.i: assetBase
    +
    T.4b.i: assetBase

    The Asset Base being burnt encoded as the 32-byte representation of a point on the Pallas curve.

    -
    T.4d.ii: valueBurn
    +
    T.4b.ii: valueBurn

    Value of the Asset Base being burnt encoded as little-endian 8-byte representation of 64-bit unsigned integer (e.g. u64 in Rust) raw value.

    T.5: issuance_digest

    -

    The details of the computation of this value are in ZIP 227 8.

    +

    The details of the computation of this value are in ZIP 227 9.

    -

    Signature Digest and Authorizing Data Commitment

    -

    The details of the changes to these algorithms are in ZIP 227 9 10.

    +

    Signature Digest

    +

    The details of the changes to this algorithm are in ZIP 227 10.

    +
    +

    Authorizing Data Commitment

    +

    The transaction digest algorithm defined in ZIP 244 15 which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. There is a new branch added for issuance information, along with modifications within the orchard_auth_digest to account for the presence of Action Groups.

    +

    We highlight the changes for the OrchardZSA protocol via the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:

    + 
    auth_digest
+├── transparent_scripts_digest
+├── sapling_auth_digest
+├── orchard_auth_digest         [UPDATED FOR ZSA]
+└── issuance_auth_digest        [ADDED FOR ZSA]
    +

    The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.

    +

    auth_digest

    +

    A BLAKE2b-256 hash of the following values

    + 
    A.1: transparent_scripts_digest (32-byte hash output)
+A.2: sapling_auth_digest        (32-byte hash output)
+A.3: orchard_auth_digest        (32-byte hash output)  [UPDATED FOR ZSA]
+A.4: issuance_auth_digest       (32-byte hash output)  [ADDED FOR ZSA]
    +

    The personalization field of this hash remains the same as in ZIP 244.

    +

    A.3: orchard_auth_digest

    +

    In the case that OrchardZSA Action Groups are present, this is a BLAKE2b-256 hash of the following values:

    + 
    A.3a: orchard_action_groups_auth_digest  (32-byte hash output)  [ADDED FOR ZSA]
+A.3b: bindingSigOrchard                  (field encoding bytes)
    +

    The personalization field of this hash is the same as in ZIP 244, that is:

    + 
    "ZTxAuthOrchaHash"
    +

    In case that the transaction has no OrchardZSA Action Groups, orchard_auth_digest is:

    + 
    BLAKE2b-256("ZTxAuthOrchaHash", [])
    +
    A.3a: orchard_action_groups_auth_digest
    +

    This is a BLAKE2b-256 hash of the proofsOrchard and spendAuthSigsOrchard fields of all OrchardZSA Action Groups belonging to the transaction:

    + 
    A.3a.i:  proofsOrchard               (field encoding bytes)
+A.3a.ii: spendAuthSigsOrchard        (field encoding bytes)
    +

    The personalization field of this hash is set to:

    + 
    "ZTxAuthOrcAGHash"
    +
    +
    +

    A.4: issuance_auth_digest

    +

    The details of the computation of this value are in ZIP 227 11.

    +
    +

    Security and Privacy Considerations

      -
    • After the protocol upgrade, the Orchard shielded pool will be shared by the Orchard protocol and the Orchard-ZSA protocol.
      • -
    • Deploying the Orchard-ZSA protocol does not necessitate disabling the Orchard protocol. Both can co-exist and be addressed via different transaction versions (V5 for Orchard and V6 for Orchard-ZSA). Due to this, Orchard note commitments can be distinguished from Orchard-ZSA note commitments. This holds whether or not the two protocols are active simultaneously.
      • -
    • Orchard-ZSA note commitments for the native asset (ZEC) are indistinguishable from Orchard-ZSA note commitments for non-native Assets.
      • +
    • After the protocol upgrade, the Orchard shielded pool will be shared by the Orchard protocol and the OrchardZSA protocol.
      • +
    • Deploying the OrchardZSA protocol does not necessitate disabling the Orchard protocol. Both can co-exist and be addressed via different transaction versions (V5 for Orchard and V6 for OrchardZSA). Due to this, Orchard note commitments can be distinguished from OrchardZSA note commitments. This holds whether or not the two protocols are active simultaneously.
      • +
    • OrchardZSA note commitments for the native asset (ZEC) are indistinguishable from OrchardZSA note commitments for non-native Assets.
    • When including new Assets we would like to maintain the amount and identifiers of Assets private, which is achieved with the design.
    • We prevent a potential malleability attack on the Asset Identifier by ensuring the output notes receive an Asset Base that exists on the global state.

    Other Considerations

    Transaction Fees

    -

    The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the ZSA protocol upgrade 14.

    +

    The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 230 13.

    Backward Compatibility

    -

    In order to have backward compatibility with the ZEC notes, we have designed the circuit to support both ZEC and ZSA notes. As we specify above, there are three main reasons we can do this:

    +

    In order to have backward compatibility with the ZEC notes, we have designed the circuit to support both ZEC and OrchardZSA notes. As we specify above, there are three main reasons we can do this:

    • Note commitments for ZEC notes will remain the same, while note commitments for Custom Assets will be computed taking into account the \(\mathsf{AssetBase}\) value as well.
      • -
    • The existing Orchard shielded pool will continue to be used for the new ZSA notes post the upgrade.
      • +
    • The existing Orchard shielded pool will continue to be used for the new OrchardZSA notes post the upgrade.
    • The value commitment is abstracted to allow for the value base-point as a variable private input to the proof.
      • -
    • The ZEC-based Actions will still include dummy input notes, whereas the ZSA-based Actions will include split input notes and will not include dummy input notes.
      • +
    • The ZEC-based Actions will still include dummy input notes, whereas the OrchardZSA Actions will include split input notes and will not include dummy input notes.

    Deployment

    -

    The Zcash Shielded Assets protocol will be deployed in a subsequent Network Upgrade.

    +

    The Zcash Shielded Assets protocol is scheduled to be deployed in Network Upgrade 7 (NU7).

    Test Vectors

    @@ -634,14 +673,22 @@

    The 7 - ZIP 227: Issuance of Zcash Shielded Assets: Specification: Asset Identifier + ZIP 227: Issuance of Zcash Shielded Assets: Specification: Asset Identifier - +
    + + + +
    8ZIP 227: Issuance of Zcash Shielded Assets: Specification: Consensus Rule Changes
    + + + + @@ -649,7 +696,7 @@

    The

    9 ZIP 227: Issuance of Zcash Shielded Assets: TxId Digest - Issuance
    - + @@ -657,47 +704,55 @@

    The

    910 ZIP 227: Issuance of Zcash Shielded Assets: Signature Digest
    - - + +
    10ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment11ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment
    - +
    1112 ZIP 230: Version 6 Transaction Format
    + + + + + + + +
    13ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation
    - +
    1214 ZIP 244: Transaction Identifier Non-Malleability
    - +
    - - + +
    13ZIP 307: Light Client Protocol for Payment Detection15ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data Commitment
    - +
    - - + +
    14ZIP 317: Proportional Transfer Fee Mechanism - Pull Request #667 for ZSA Protocol ZIPs16ZIP 307: Light Client Protocol for Payment Detection
    - + @@ -705,7 +760,7 @@

    The

    1517 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2: Notes
    - + @@ -713,7 +768,7 @@

    The

    1618 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.7: Action Transfers and their Descriptions
    - + @@ -721,7 +776,7 @@

    The

    1719 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.1.8: Commitment
    - + @@ -729,7 +784,7 @@

    The

    1820 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.8.3: Dummy Notes (Orchard)
    - + @@ -737,7 +792,7 @@

    The

    1921 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.14: Balance and Binding Signature (Orchard)
    - + @@ -745,7 +800,7 @@

    The

    2022 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.16: Computing ρ values and Nullifiers
    - + @@ -753,7 +808,7 @@

    The

    2123 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.18.4: Action Statement (Orchard)
    - + @@ -761,7 +816,7 @@

    The

    2224 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.1: Integers, Bit Sequences, and Endianness
    - + @@ -769,7 +824,7 @@

    The

    2325 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.3: Constants
    - + @@ -777,7 +832,7 @@

    The

    2426 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.1.9: Sinsemilla hash function
    - + @@ -785,7 +840,7 @@

    The

    2527 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.8.3: Homomorphic Pedersen commitments (Sapling and Orchard)
    - + @@ -793,7 +848,7 @@

    The

    2628 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.8.4: Sinsemilla commitments
    - + @@ -801,7 +856,7 @@

    The

    2729 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.9.6: Pallas and Vesta
    - + @@ -809,7 +864,7 @@

    The

    2830 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.5: Encodings of Note Plaintexts and Memo Fields
    - + @@ -817,7 +872,7 @@

    The

    2931 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 7.5: Action Description Encoding and Consensus
    - + @@ -825,7 +880,7 @@

    The

    3032 User-Defined Assets and Wrapped Assets
    - + @@ -833,8 +888,8 @@

    The

    3133 Comment on Generalized Value Commitments
    - - + +
    32Modifications to the Orchard circuit for the ZSA Protocol34Modifications to the Orchard circuit for the OrchardZSA Protocol
    diff --git a/rendered/zip-0227.html b/rendered/zip-0227.html index d236295e6..a75aff283 100644 --- a/rendered/zip-0227.html +++ b/rendered/zip-0227.html @@ -31,7 +31,7 @@

    The terms "Orchard" and "Action" in this document are to be interpreted as described in ZIP 224 9.

    We define the following additional terms:

      -
    • Asset: A type of note that can be transferred on the Zcash blockchain. Each Asset is identified by an Asset Identifier Specification: Asset Identifier. +
    • Asset: A type of note that can be transferred on the Zcash blockchain. Each Asset is identified by an Asset Identifier Specification: Asset Identifier, Asset Digest, and Asset Base.
      • ZEC is the default (and currently the only defined) Asset for the Zcash mainnet.
      • TAZ is the default (and currently the only defined) Asset for the Zcash testnet.
        • @@ -45,7 +45,7 @@

    Abstract

    -

    This ZIP (ZIP 227) proposes the Zcash Shielded Assets (ZSA) protocol, in conjunction with ZIP 226 10. This protocol is an extension of the Orchard protocol that enables the creation, transfer and burn of Custom Assets on the Zcash chain. The creation of such Assets is defined in this ZIP (ZIP 227), while the transfer and burn of such Assets is defined in ZIP 226 10. This ZIP must only be implemented in conjunction with ZIP 226 10. The proposed issuance mechanism is only valid for the Orchard-ZSA transfer protocol, because it produces notes that can only be transferred under ZSA.

    +

    This ZIP (ZIP 227) proposes the Orchard Zcash Shielded Assets (OrchardZSA) protocol, in conjunction with ZIP 226 10. This protocol is an extension of the Orchard protocol that enables the creation, transfer and burn of Custom Assets on the Zcash chain. The creation of such Assets is defined in this ZIP (ZIP 227), while the transfer and burn of such Assets is defined in ZIP 226 10. This ZIP must only be implemented in conjunction with ZIP 226 10. The proposed issuance mechanism is only valid for the OrchardZSA transfer protocol, because it produces notes that can only be transferred via this protocol.

    Motivation

    This ZIP introduces the issuance mechanism for Custom Assets on the Zcash chain. While originally part of a single ZSA ZIP, the issuance mechanism turned out to be substantial enough to stand on its own and justify the creation of this supporting ZIP for ZIP 226 10.

    @@ -75,7 +75,7 @@

    Specification: Issuance Keys and Issuance Authorization Signature Scheme

    -

    The Orchard-ZSA Protocol adds the following keys to the key components 20 21:

    +

    The OrchardZSA Protocol adds the following keys to the key components 25 27:

    1. The issuance authorizing key, denoted as \(\mathsf{isk}\!\) @@ -87,12 +87,12 @@

      The relations between these keys are shown in the following diagram:

      -
      Diagram of Issuance Key Components for the Orchard-ZSA Protocol
      +
      Diagram of Issuance Key Components for the OrchardZSA Protocol

      Issuance Authorization Signature Scheme

      We instantiate the issuance authorization signature scheme \(\mathsf{IssueAuthSig}\) - as a BIP-340 Schnorr signature over the secp256k1 curve. The signing and validation algorithms, signature encoding, and public key encoding MUST follow BIP 340 18.

      + as a BIP-340 Schnorr signature over the secp256k1 curve. The signing and validation algorithms, signature encoding, and public key encoding MUST follow BIP 340 23.

      Batch verification MAY be used. Precomputation MAY be used if and only if it produces equivalent results; for example, for a given verification key \(pk\) and @@ -122,7 +122,7 @@ \(k\) bytes, and \(\mathbb{B}^{\mathbb{Y}^{[\mathbb{N}]}}\) - denotes the type of byte sequences of arbitrary length, as defined in the Zcash protocol specification 19.

      + denotes the type of byte sequences of arbitrary length, as defined in the Zcash protocol specification 24.

      The issuance authorizing key generation algorithm and the issuance validating key derivation algorithm are defined in the Issuance Key Derivation section, while the corresponding signing and validation algorithms are defined in the Issuance Authorization Signing and Validation section.

      Issuance Key Derivation

      @@ -168,7 +168,7 @@ \(227'\) (or \(\mathtt{0x800000e3}\!\) - ) following the BIP 43 recommendation. 17
      2. + ) following the BIP 43 recommendation. 22
    2. \(\mathit{coin\_type}\!\) : Defined as in ZIP 32 5.
      3. @@ -202,7 +202,7 @@

      where the \(\textit{PubKey}\) - algorithm is defined in BIP 340 18. Note that the byte representation of + algorithm is defined in BIP 340 23. Note that the byte representation of \(\mathsf{ik}\) is in big-endian order as defined in BIP 340.

      It is possible for the @@ -240,7 +240,7 @@ \(\mathsf{Sign}\) algorithm is defined in BIP 340 and \(a\) - denotes the auxiliary data used in BIP 340 18. Note that + denotes the auxiliary data used in BIP 340 23. Note that \(\mathsf{IssueAuthSig.Sign}\) could return \(\bot\) @@ -264,11 +264,11 @@

      where the \(\mathsf{Verify}\) - algorithm is defined in BIP 340 18.

      + algorithm is defined in BIP 340 23.

    -

    Specification: Asset Identifier

    -

    For every new Asset, there must be a new and unique Asset Identifier, denoted +

    Specification: Asset Identifier, Asset Digest, and Asset Base

    +

    For every new Asset, there MUST be a new and unique Asset Identifier, denoted \(\mathsf{AssetId}\!\) . We define this to be a globally unique pair \(\mathsf{AssetId} := (\mathsf{ik}, \mathsf{asset\_desc})\!\) @@ -277,7 +277,7 @@ is the issuance key and \(\mathsf{asset\_desc}\) is a byte string.

    -

    A given Asset Identifier is used across all Zcash protocols that support ZSAs -- that is, the Orchard-ZSA protocol and potentially future Zcash shielded protocols. For this Asset Identifier, we derive an Asset Digest, +

    A given Asset Identifier is used across all Zcash protocols that support ZSAs -- that is, the OrchardZSA protocol and potentially future Zcash shielded protocols. For this Asset Identifier, we derive an Asset Digest, \(\mathsf{AssetDigest}\!\) , which is simply is a \(\textsf{BLAKE2b-512}\) @@ -291,9 +291,9 @@ \(\mathsf{ik}\) be the issuance validating key of the issuer, a public key used to verify the signature on the issuance transaction's SIGHASH. -

    Define - \(\mathsf{AssetDigest_{AssetId}} := \textsf{BLAKE2b-512}(\texttt{“ZSA-Asset-Digest”},\; \mathsf{EncodeAssetId}(\mathsf{AssetId}))\!\) - , where

    +

    Define

    +
    \(\mathsf{AssetDigest_{AssetId}} := \textsf{BLAKE2b-512}(\texttt{“ZSA-Asset-Digest”},\; \mathsf{EncodeAssetId}(\mathsf{AssetId})),\)
    +

    where

    • \(\mathsf{EncodeAssetId}(\mathsf{AssetId}) = \mathsf{EncodeAssetId}((\mathsf{ik}, \mathsf{asset\_desc})) := \mathtt{0x00} || \mathsf{ik} || \mathsf{asset\_desc}\!\!\) @@ -302,18 +302,17 @@ \(\mathtt{0x00}\) byte is a version byte.
    -

    Define - \(\mathsf{AssetBase_{AssetId}} := \mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}})\) -

    -

    In the case of the Orchard-ZSA protocol, we define - \(\mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}}) := \mathsf{GroupHash}^\mathbb{P}(\texttt{“z.cash:OrchardZSA”}, \mathsf{AssetDigest_{AssetId}})\) - where +

    Define

    +
    \(\mathsf{AssetBase_{AssetId}} := \mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}})\)
    +

    In the case of the OrchardZSA protocol, we define

    +
    \(\mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}}) := \mathsf{GroupHash}^\mathbb{P}(\texttt{"z.cash:OrchardZSA"}, \mathsf{AssetDigest_{AssetId}})\)
    +

    where \(\mathsf{GroupHash}^\mathbb{P}\) - is defined as in 22.

    + is defined as in 30.

    The relations between the Asset Identifier, Asset Digest, and Asset Base are shown in the following diagram:

    -
    Diagram relating the Asset Identifier, Asset Digest, and Asset Base in the ZSA Protocol
    +
    Diagram relating the Asset Identifier, Asset Digest, and Asset Base in the OrchardZSA Protocol

    Note: To keep notations light and concise, we may omit \(\mathsf{AssetId}\) @@ -328,137 +327,63 @@

  • The Asset Digest could be used as a more compact bytestring to uniquely determine an Asset, and wallets could support clients scanning QR codes to load Asset information into their wallets.
    • -

    Specification: Global Issuance State

    -

    Issuance requires the following additions to the global state defined at block boundaries:

    -

    A map, - \(\mathsf{issued\_assets}\!\) - , from the Asset Base, - \(\mathsf{AssetBase}\!\) - , to a tuple - \((\mathsf{balance}, \mathsf{final})\!\) - , for every Asset that has been issued up until the block boundary. For each Asset:

    -
      -
    • The amount of the Asset in circulation, computed as the amount of the Asset that has been issued less the amount of the Asset that has been burnt, is stored in - \(\mathsf{balance}\!\) - .
      • -
    • The boolean - \(\mathsf{final}\) - stores the finalization status of the Asset (i.e.: whether the - \(\mathsf{finalize}\) - flag has been set to - \(1\) - in some issuance transaction for the Asset preceding the block boundary). The value of - \(\mathsf{final}\) - for any Asset cannot be changed from - \(1\) - to - \(0\!\) - .
      • -
    -

    We use the notation - \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\!\mathsf{balance}\) - and - \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\!\mathsf{final}\) - to access, respectively, the balance and finalization status of the Asset stored in the global state.

    -

    Rationale for Global Issuance State

    -

    It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 8. However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset. Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record at the block boundary based on the issuance and burn transactions within the block. This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the block.

    -

    Nodes also need to ensure the rejection of blocks in which issuance of Custom Assets that have been previously finalized. The - \(\mathsf{issued\_assets}\) - map allows nodes to store whether or not a given Asset has been finalized.

    +

    Specification: Issue Note, Issuance Action, Issuance Bundle and Issuance Protocol

    +

    Issue Note

    +

    Let + \(\ell_{\mathsf{value}}\) + be as defined in §5.3 of the protocol specification 29. An Issue Note represents that a value + \(\mathsf{v} : \{0 .. 2^{\ell_{\mathsf{value}}} - 1\}\) + of a specific Custom Asset is issued to a recipient. An Issue Note is a tuple + \((\mathsf{d}, \mathsf{pk_d}, \mathsf{v}, \mathsf{AssetBase}, \text{ρ}, \mathsf{rseed})\!\) + , where:

    +
      +
    • + \(\mathsf{d}: \mathbb{B}^{[\ell_{\mathsf{d}}]}\) + is the diversifier of the recipient's shielded payment address, as in §3.2 of the protocol specification 26.
      • +
    • + \(\mathsf{pk_d}: \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public}\) + is the recipient's diversified transmission key, as in §3.2 of the protocol specification 26.
      • +
    • + \(\mathsf{v} : \{0 .. 2^{\ell_{\mathsf{value}}} - 1\}\) + is the value of the note in terms of the number of Asset tokens.
      • +
    • + \(\mathsf{AssetBase}: \mathbb{P}^*\) + is the Asset Base corresponding to the ZSA being issued in the Issue Note.
      • +
    • + \(\text{ρ}: \mathbb{F}_{q_{\mathbb{P}}}\) + is used to derive the nullifier of the note, and is computed as in Computation of ρ.
      • +
    • + \(\mathsf{rseed}: \mathbb{B}^{[\mathbb{Y}^{32}]}\) + MUST be sampled uniformly at random by the issuer.
      • +
    +

    The complete encoding of these fields into an IssueNote is defined in ZIP 230 16.

    +

    Let + \(\mathsf{Note^{Issue}}\) + be the type of an Issue Note, i.e.

    +
    \(\mathsf{Note^{Issue}} := \mathbb{B}^{[\ell_{\mathsf{d}}]} \times \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public} \times \{0 .. 2^{\ell_{\mathsf{value}}} - 1\} \times \mathbb{P}^* \times \mathbb{F}_{q_{\mathbb{P}}} \times \mathbb{B}^{[\mathbb{Y}^{32}]}.\)
    +

    The note commitments of Issue Notes are computed in the same manner as for OrchardZSA Notes. They will be added to the note commitment tree as any other shielded note when the transaction issuing the Asset is included on chain. This prevents future usage of the note from being linked to the issuance transaction, as the nullifier key is not known to the validators and chain observers.

    -
    -

    Specification: Issuance Action, Issuance Bundle and Issuance Protocol

    -

    Issuance Action Description

    +

    Issuance Action

    An issuance action, IssueAction, is the instance of issuing a specific Custom Asset, and contains the following fields:

    • assetDescSize: the size of the Asset description, a number between \(0\) and \(512\!\) - , stored in two bytes.
      • -
    • asset_desc: the Asset description, a byte string of up to 512 bytes as defined in the Specification: Asset Identifier section.
      • -
    • vNotes: an array of Note containing the unencrypted output notes of the recipients of the Asset.
      • + . +
    • asset_desc: the Asset description, a byte string of up to 512 bytes as defined in the Specification: Asset Identifier, Asset Digest, and Asset Base section.
      • +
    • vNotes: an array of Issue Notes containing the unencrypted output notes to the recipients of the Asset.
    • flagsIssuance: a byte that stores the \(\mathsf{finalize}\) boolean that defines whether the issuance of that specific Custom Asset is finalized or not.
    -

    An asset's - \(\mathsf{AssetDigest}\) - is added to the - \(\mathsf{previously\_finalized}\) - set after a block that contains any issuance transaction for that asset with - \(\mathsf{finalize} = 1\!\) - . It then cannot be removed from this set. For Assets with - \(\mathsf{AssetDigest} \in \mathsf{previously\_finalized}\!\) - , no further tokens can be issued, so as seen below, the validators will reject the transaction. For Assets with - \(\mathsf{AssetDigest} \not\in \mathsf{previously\_finalized}\!\) - , new issuance actions can be issued in future transactions. These must use the same Asset description, - \(\mathsf{asset\_desc}\!\) - , and can either maintain - \(\mathsf{finalize} = 0\) - or change it to - \(\mathsf{finalize} = 1\!\) - , denoting that this Custom Asset cannot be issued after the containing block.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    BytesNameData TypeDescription
    2assetDescSizebyteThe length of the asset_desc string in bytes.
    assetDescSizeasset_descbyte[assetDescSize]A byte sequence of length assetDescSize bytes which SHOULD be a well-formed UTF-8 code unit sequence according to Unicode 15.0.0 or later.
    variesnNotescompactSizeThe number of notes in the issuance action.
    noteSize * nNotesvNotesNote[nNotes]A sequence of note descriptions within the issuance action, where noteSize is the size, in bytes, of a Note.
    1flagsIssuancebyte -
    -
    An 8-bit value representing a set of flags. Ordered from LSB to MSB:
    -
    -
      -
    • - \(\mathsf{finalize}\) -
      • -
    • The remaining bits are set to - \(0\!\) - .
      • -
    -
    -
    -
    -

    We note that the output note commitment of the recipient's notes are not included in the actual transaction, but when added to the global state of the chain, they will be added to the note commitment tree as a shielded note. This prevents future usage of the note from being linked to the issuance transaction, as the nullifier key is not known to the validators and chain observers.

    +

    The + \(\mathsf{finalize}\) + boolean is set by the Issuer to signal that there will be no further issuance of the specific Custom Asset. As we will see in Specification: Consensus Rule Changes, transactions that attempt to issue further amounts of a Custom Asset that has previously been finalized will be rejected.

    +

    The complete encoding of these fields into an IssueAction is defined in ZIP 230 15.

    Issuance Bundle

    -

    An issuance bundle, IssueBundle, is the aggregate of all the issuance-related information. Specifically, contains all the issuance actions and the issuer signature on the transaction SIGHASH that validates the issuance itself. It contains the following fields:

    +

    An issuance bundle is the aggregate of all the issuance-related information. Specifically, contains all the issuance actions and the issuer signature on the transaction SIGHASH that validates the issuance itself. It contains the following fields:

    • \(\mathsf{ik}\!\) @@ -472,43 +397,37 @@ \(\mathsf{isk}\!\) , that validates the issuance.
    -

    The issuance bundle is then added within the transaction format as a new bundle. That is, issuance requires the addition of the following information to the transaction format 24.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    BytesNameData TypeDescription
    variesnIssueActionscompactSizeThe number of issuance actions in the bundle.
    IssueActionSize * nIssueActionsvIssueActionsIssueAction[nIssueActions]A sequence of issuance action descriptions, where IssueActionSize is the size, in bytes, of an IssueAction description.
    32ikbyte[32]The issuance validating key of the issuer, used to validate the signature.
    64issueAuthSigbyte[64]The signature of the transaction SIGHASH, signed by the issuer, validated as in Issuance Authorization Signature Scheme.
    +

    The issuance bundle is added within the transaction format as a new bundle. The detailed encoding of the issuance bundle as a part of the V6 transaction format is defined in ZIP 230 17.

    +
    +

    Computation of ρ

    +

    We define a function + \(\mathsf{DeriveIssuedRho} : \mathbb{F}_{q_{\mathbb{P}}} \times \{0 .. 2^{32} - 1\} \times \{0 .. 2^{32} - 1\} \to \mathbb{F}_{q_{\mathbb{P}}}\) + as follows:

    +
    \(\mathsf{DeriveIssuedRho}(\mathsf{nf}, \mathsf{i_{A}}, \mathsf{i_{N}}) := \mathsf{ToBase}^{\mathsf{Rho}}(\mathsf{PRF}^{\mathsf{Rho}}(\mathsf{I2LEOSP}_{256}(\mathsf{nf}), [\mathtt{0x84}] \| \mathsf{I2LEOSP}_{32}(\mathsf{i_{A}}) \| \mathsf{I2LEOSP}_{32}(\mathsf{i_{N}}))),\)
    +

    where

    +
      +
    • + \(\mathsf{ToBase}^{\mathsf{Rho}} : \mathbb{B}^{512} \to \mathbb{F}_{q_{\mathbb{P}}}\) + is defined as + \(\mathsf{ToBase}^{\mathsf{Rho}}(x) := \mathsf{LEOS2IP}_{512}(x) \mod q_{\mathbb{P}}\) +
      • +
    • + \(\mathsf{PRF}^{\mathsf{Rho}} : \mathbb{B}^{256} \times \mathbb{B}^{\mathbb{Y}^{[\mathbb{N}]}} \to \mathbb{B}^{512}\) + is defined as + \(\mathsf{PRF}^{\mathsf{Rho}}(\mathsf{k},t) := \textsf{BLAKE2b-512}(\mathtt{"ZSA\_IssueNoteRho"}, \mathsf{k} \| t)\) +
      • +
    +

    The + \(\text{ρ}\) + field of an Issue Note is computed as

    +
    \(\text{ρ} := \mathsf{DeriveIssuedRho}(\mathsf{nf}_{1,1}, \mathsf{index_{Action}}, \mathsf{index_{Note}}),\)
    +

    where + \(\mathsf{nf}_{1,1}\) + is the nullifier of the first Note in the first Action of the OrchardZSA Bundle of the transaction, + \(\mathsf{index_{Action}}\) + is the index of the Issuance Action in the Issuance Bundle, and + \(\mathsf{index_{Note}}\) + is the index of the Issue Note in the Issuance Action.

    Issuance Protocol

    The issuer program performs the following operations:

    @@ -523,12 +442,12 @@ \(\mathsf{ik}\) and \(\mathsf{asset\_desc}\) - as decribed in the Specification: Asset Identifier section. + as decribed in the Specification: Asset Identifier, Asset Digest, and Asset Base section.
  • compute \(\mathsf{AssetBase}\) from \(\mathsf{AssetDigest}\) - as decribed in the Specification: Asset Identifier section.
    • + as decribed in the Specification: Asset Identifier, Asset Digest, and Asset Base section.
  • set the \(\mathsf{finalize}\) boolean as desired (if more issuance actions are to be created for this @@ -542,9 +461,12 @@ \(i\!\) :
      -
    • generate a ZSA output note that includes the Asset Base. For an Orchard-ZSA note this is - \(\mathsf{note}_i = (\mathsf{d}_i, \mathsf{pk}_{\mathsf{d}_i}, \mathsf{v}_i, \text{ρ}_i, \mathsf{rseed}_i, \mathsf{AssetBase}, \mathsf{rcm}_i)\!\) +
    • generate an Issue Note, + \(\mathsf{note}_i = (\mathsf{d}_i, \mathsf{pk}_{\mathsf{d}_i}, \mathsf{v}_i, \mathsf{AssetBase}, \text{ρ}_i, \mathsf{rseed}_i)\!\) .
      • +
    • encode the + \(\mathsf{note}_i\) + into the vector vNotes of the IssueAction.
  • encode the IssueAction into the vector vIssueActions of the bundle.
    • @@ -564,77 +486,220 @@

    Note: that the commitment is not included in the IssuanceAction itself. As explained below, it is computed later by the validators and added to the note commitment tree.

    +

    Specification: Reference Notes and Global Issuance State

    +

    Reference Notes

    +

    A reference note for a Custom Asset MUST be included by the issuer as the first Note in the Action of the Issuance Bundle where that Custom Asset is being issued for the first time.

    +

    A reference note for a Custom Asset is an Issue Note where the value + \(\mathsf{v}\) + is set to + \(0\!\) + , the Asset Base ( + \(\mathsf{AssetBase}\!\) + ) corresponds to that of the Custom Asset, and the recipient address + \((\mathsf{d}, \mathsf{pk}_{\mathsf{d}})\) + is set to the default diversified payment address (i.e. the diversified payment address with diversifier index + \(0\!\) + ) derived from the all-zero Orchard spending key using the algorithm specified in §4.2.3 of the protocol specification 27. This corresponds to a 43 byte u8 array with the following entries:

    + 
    [
+  204, 54, 96, 25, 89, 33, 59, 107, 12, 219, 150, 167, 92, 23, 195, 166, 104, 169, 127, 13, 106,
+  140, 92, 225, 100, 165, 24, 234, 155, 169, 165, 14, 167, 81, 145, 253, 134, 27, 15, 241, 14,
+  98, 176,
+]
    +
    +

    Global Issuance State

    +

    The maximum total supply of any issued Custom Asset is denoted by the constant + \(\mathsf{MAX\_ISSUE} := 2^{64} - 1\!\) + . Issuance requires the following additions to the global state:

    +

    A map, + \(\mathsf{issued\_assets} : \mathbb{P}^* \to \{0 .. \mathsf{MAX\_ISSUE}\} \times \mathbb{B} \times \mathsf{Note^{Issue}}\!\) + , from the Asset Base, + \(\mathsf{AssetBase} : \mathbb{P}^*\!\) + , to a tuple + \((\mathsf{balance}, \mathsf{final}, \mathsf{note_{ref}})\!\) + , for every Asset that has been issued. We use the notation + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{balance}\!\) + , + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{final}\!\) + , and + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{note_{ref}}\) + to access, respectively, the elements of the tuple stored in the global state for a given + \(\mathsf{AssetBase}\!\) + . If + \(\mathsf{issued\_assets}(\mathsf{AssetBase}) = \bot\!\) + , it is assumed that + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{balance} = 0\!\) + , + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{final} = 0\!\) + , and + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{note_{ref}} = \bot\!\) + .

    +

    For any Asset represented by + \(\mathsf{AssetBase}\!\) + :

    +
      +
    • + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{balance} \in \{0 .. \mathsf{MAX\_ISSUE}\}\) + stores the amount of the Asset in circulation, computed as the amount of the Asset that has been issued less the amount of the Asset that has been burnt.
      • +
    • + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{final} : \mathbb{B}\) + is a Boolean that stores the finalization status of the Asset (i.e.: whether the + \(\mathsf{finalize}\) + flag has been set to + \(1\) + in any preceding issuance transaction for the Asset). The value of + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{final}\) + for any + \(\mathsf{AssetBase}\) + cannot be changed from + \(1\) + to + \(0\!\) + .
      • +
    • + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{note_{ref}} : \mathsf{Note^{Issue}}\) + stores the reference note for the Asset, as defined in the Reference Notes section.
      • +
    +

    The maximum total supply of any issued Custom Asset is denoted by the constant + \(\mathsf{MAX\_ISSUE} := 2^{64} - 1\!\) + .

    +
    +

    Management of the Global Issuance State

    +

    The issuance state, that is, the + \(\mathsf{issued\_assets}\) + map, MUST be updated by a node during the processing of any transaction that contains burn information, or an issuance bundle. The issuance state is chained as follows:

    +
      +
    • The issuance state for the first block post the activation of the OrchardZSA protocol is the empty map.
      • +
    • The input issuance state for the first transaction of a block is the final issuance state of the immediately preceding block.
      • +
    • The input issuance state of each subsequent transaction in the block is the output issuance state of the immediately preceding transaction.
      • +
    • The final issuance state of a block is the output issuance state of the last transaction in the block.
      • +
    +

    We describe the consensus rule changes that govern the management of the global issuance state in the Specification: Consensus Rule Changes section. We use + \(\mathsf{issued\_assets}_{\mathsf{IN}}\) + and + \(\mathsf{issued\_assets}_{\mathsf{OUT}}\) + to denote the input issuance state and output issuance state for a transaction, respectively.

    +
    +

    Specification: Consensus Rule Changes

    -

    For the IssueBundle:

    +

    For every transaction:

      -
    • Validate the issuance authorization signature, - \(\mathsf{issueAuthSig}\!\) - , on the SIGHASH transaction hash, - \(\mathsf{SigHash}\!\) - , by invoking - \(\mathsf{IssueAuthSig.Validate}(\mathsf{ik}, \mathsf{SigHash}, \mathsf{issueAuthSig})\!\) +
    • The output issuance state of the transaction MUST be initialized to be the same as the input issuance state, + \(\mathsf{issued\_assets}_{\mathsf{OUT}} = \mathsf{issued\_assets}_{\mathsf{IN}}\!\) .
      • -
    -

    For each IssueAction in IssueBundle:

    -
      -
    • check that - \(0 < \mathtt{assetDescSize} \leq 512\!\) +
    • The + \(\mathsf{assetBurn}\) + set MUST satisfy the consensus rules specified in ZIP 226 12.
      • +
    • It MUST be the case that for all + \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}\!\) + , + \(\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} \geq \mathsf{v}\!\) + . The node then MUST update + \(\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase})\) + prior to processing the issuance bundle in the following manner. For every + \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{AssetBurn}\!\) + , + \(\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} = \mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} - \mathsf{v}\!\) .
      • -
    • check that - \(\mathsf{asset\_desc}\) - is a string of length - \(\mathtt{assetDescSize}\) - bytes.
      • -
    • retrieve - \(\mathsf{AssetBase}\) - from the first note in the sequence and check that - \(\mathsf{AssetBase}\) - is derived from the issuance validating key - \(\mathsf{ik}\) - and - \(\mathsf{asset\_desc}\) - as described in the Specification: Asset Identifier section.
      • -
    • check that - \(\mathsf{issued\_assets(AssetBase).final} \neq 1\) - in the global state.
      • -
    • check that every note in the IssueAction contains the same - \(\mathsf{AssetBase}\) - and is properly constructed as - \(\mathsf{note} = (\mathsf{g_d}, \mathsf{pk_d}, \mathsf{v}, \text{ρ}, \mathsf{rseed}, \mathsf{AssetBase})\!\) +
    • Let + \(\mathsf{SigHash}\) + be the SIGHASH transaction hash of this transaction, as defined in §4.10 of the protocol specification 28 with the modifications described in ZIP 226 13, using + \(\mathsf{SIGHASH\_ALL}\!\) .
      • -
    -

    If all of the above checks pass, do the following:

    -
      -
    • For each note, +
    • If the transaction contains an Issuance Bundle, it MUST also contain at least one OrchardZSA Action.
      • +
    • The issuance authorization signature, + \(\mathsf{issueAuthSig}\!\) + , MUST be a valid + \(\mathsf{IssueAuthSig}\) + signature over + \(\mathsf{SigHash}\!\) + , i.e. + \(\mathsf{IssueAuthSig}.\!\mathsf{Validate}(\mathsf{ik}, \mathsf{SigHash}, \mathsf{issueAuthSig}) = 1\!\) + .
      • +
    • For every issuance action description ( + \(\mathsf{IssueAction}_\mathsf{i},\ 1 \leq i \leq \mathtt{nIssueActions}\!\) + ) in the issuance bundle:
        -
      • compute the note commitment as - \(\mathsf{cm} = \mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})\) - as defined in the Note Structure and Commitment section of ZIP 226 11.
        • -
      • Add - \(\mathsf{cm}\) - to the Merkle tree of note commitments.
        • -
      • Increase the value of - \(\mathsf{issued\_assets(AssetBase).balance}\) - by the value of the note, - \(\mathsf{v}\!\) +
      • It MUST be the case that + \(0 < \mathtt{assetDescSize} \leq 512\!\) + .
        • +
      • It MUST be the case that + \(\mathsf{asset\_desc}\) + is a string of length + \(\mathtt{assetDescSize}\) + bytes.
        • +
      • Every Issue Note in IssueAction MUST be a valid encoding of the + \(\mathsf{Note^{Issue}}\) + type, and MUST encode the same + \(\mathsf{AssetBase}\!\) + .
        • +
      • This + \(\mathsf{AssetBase}\) + MUST satisfy the derivation from the issuance validating key and asset description described in the Specification: Asset Identifier, Asset Digest, and Asset Base section.
        • +
      • It MUST be the case that + \(\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{final} \neq 1\!\) + .
        • +
      • If + \(\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{note_{ref}} = \bot\!\) + , then let + \(\mathsf{note}_1\) + be the first Issue Note in the Issuance Action. +
          +
        • The recipient address + \((\mathsf{d}, \mathsf{pk}_{\mathsf{d}})\) + of + \(\mathsf{note}_1\) + MUST be the default diversified payment address derived from the all-zero Orchard spending key, as described in the Reference Notes section.
          • +
        • The value + \(\mathsf{v}_0\) + of + \(\mathsf{note}_1\) + MUST be + \(0\!\) + .
          • +
        • The node MUST update + \(\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{note_{ref}} = \mathsf{note}_1\!\) + .
          • +
        +
        • +
      • For every issue note description ( + \(\mathsf{note}_{\mathsf{j}},\ 1 \leq j \leq \mathtt{nNotes}\!\) + ) in IssueAction: +
          +
        • The + \(\text{ρ}\) + field of the issue note MUST have been computed as described in the Computation of ρ section.
          • +
        • It MUST be the case that + \(\mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} + \mathsf{v} \leq \mathsf{MAX\_ISSUE}\!\) + , where + \(\mathsf{v}\) + is the value of + \(\mathsf{note}_{\mathsf{j}}\!\) + . The node then MUST update + \(\mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} = \mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} + \mathsf{v}\!\) + .
          • +
        • The node MUST compute the note commitment, + \(\mathsf{cm}_{\mathsf{i,j}}\!\) + , as defined in the Note Structure and Commitment section of ZIP 226 11.
          • +
        +
        • +
      • If + \(\mathsf{finalize} = 1\) + within the flagsIssuance field of IssueAction, the node MUST set + \(\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{final} = 1\!\) .
      • -
    • If - \(\mathsf{finalize} = 1\!\) - , set - \(\mathsf{issued\_assets(AssetBase).final}\) - to - \(1\) - in the global state.
      • -
    • (Replay Protection) If issue bundle is present, the fees MUST be greater than zero.
      • +
    • If all the consensus rules are satisfied, the node MUST add the note commitments, + \(\mathsf{cm}_{\mathsf{i,j}}\ \forall\ \mathsf{i} \in \{1..\mathtt{nIssueActions}\},\ \mathsf{j} \in \{1..\mathtt{nNotes}\}\!\) + , to the Merkle tree of note commitments.
      • +
    • (Replay Protection) If an issue bundle is present, the fees MUST be greater than zero.

    Rationale

    The following is a list of rationale for different decisions made in the proposal:

      -
    • The issuance key structure is independent of the original key tree, but derived in an analogous manner (via ZIP 32). This is in order to keep the issuance details and the Asset Identifiers consistent across multiple shielded pools.
      • -
    • The design decision is not to have a chosen name to describe the Custom Asset, but to delegate it to an off-chain mapping, as this would imply a land-grab “war”.
      • +
    • The issuance key structure is independent of the original key tree, but derived in an analogous manner (via ZIP 32). This keeps the issuance details and the Asset Identifiers consistent across multiple shielded pools. It also separates the issuance authority from the spend authority, allowing for the potential transfer of issuance authority without compromising the spend authority.
      • +
    • The Custom Asset is described via a combination of the issuance validating key and an asset description string, to preclude the possibility of two different issuers creating colliding Custom Assets.
    • The \(\mathsf{asset\_desc}\) is a general byte string in order to allow for a wide range of information type to be included that may be associated with the Assets. Some are: @@ -650,12 +715,21 @@ string to 512 bytes as it is a reasonable size to store metadata about the Asset, for example in JSON format.
    • We require non-zero fees in the presence of an issue bundle, in order to preclude the possibility of a transaction containing only an issue bundle. If a transaction includes only an issue bundle, the SIGHASH transaction hash would be computed solely based on the issue bundle. A duplicate bundle would have the same SIGHASH transaction hash, potentially allowing for a replay attack.
    +

    Rationale for Global Issuance State

    +

    It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 8. However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset. Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record based on the issuance and burn transactions processed. This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the transaction or block.

    +

    We limit the total issuance of any Asset to a maximum of + \(\mathsf{MAX\_ISSUE}\!\) + . This is a practical limit that also allows an issuer to issue the complete supply of an Asset in a single transaction.

    +

    Nodes also need to reject transactions that issue Custom Assets that have been previously finalized. The + \(\mathsf{issued\_assets}\) + map allows nodes to store whether or not a given Asset has been finalized.

    +

    Concrete Applications

    Asset Features

    • By using the \(\mathsf{finalize}\) - boolean and the burning mechanism defined in 10, issuers can control the supply production of any Asset associated to their issuer keys. For example, + boolean and the burning mechanism defined in 10, issuers can control the supply production of any Asset associated to their issuer keys. For example,
      • by setting \(\mathsf{finalize} = 1\) @@ -674,9 +748,6 @@ , where the note will contain a \(\mathsf{value} = 0\!\) . This can be used for application-specific purposes (NFT collections) or for security purposes to revoke the Asset issuance (see Security and Privacy Considerations).
        • -
      • Note in the above cases, that the setting of the - \(\mathsf{finalize}\) - flag will take effect at the block boundary, that is, after all the transactions in the block.
    • The issuance and burn mechanisms can be used in conjunction to determine the supply of Assets on the Zcash ecosystem. This allows for the bridging of Assets defined on other chains.
      • @@ -691,7 +762,7 @@

    TxId Digest - Issuance

    -

    This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the Orchard-ZSA protocol can be found in ZIP 226 12. As in ZIP 244 13, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.

    +

    This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 13. As in ZIP 244 19, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.

    A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. Each branch of the subtree will correspond to a specific subset of issuance transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:

    issuance_digest
 ├── issue_actions_digest
@@ -727,7 +798,7 @@
                         
    In case the transaction has no Issue Notes, ''issue_notes_digest'' is:
    
                         
    BLAKE2b-256("ZTxIdIAcNoteHash", [])
    
                         
    T.5a.i.1: recipient 
    
-                            
    This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification 23.
    
+                            
    This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification 31.
    
                         
    
                         
    T.5a.i.2: value 
    
                             
    Note value encoded as little-endian 8-byte representation of 64-bit unsigned integer (e.g. u64 in Rust) raw value.
    
@@ -761,8 +832,8 @@

    Signature Digest

    -

    The per-input transaction digest algorithm to generate the signature digest in ZIP 244 14 is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

    -

    The overall structure of the hash is as follows. We highlight the changes for the Orchard-ZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:

    +

    The per-input transaction digest algorithm to generate the signature digest in ZIP 244 20 is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

    +

    The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:

    signature_digest
 ├── header_digest
 ├── transparent_sig_digest
@@ -776,40 +847,109 @@
 S.3: sapling_digest         (32-byte hash output)
 S.4: orchard_digest         (32-byte hash output)
 S.5: issuance_digest        (32-byte hash output)  [ADDED FOR ZSA]
    -

    The personalization field remains the same as in ZIP 244 13.

    +

    The personalization field remains the same as in ZIP 244 19.

    S.5: issuance_digest

    Identical to that specified for the transaction identifier.

    -

    Authorizing Data Commitment

    -

    The transaction digest algorithm defined in ZIP 244 15 which commits to the authorizing data of a transaction is modified by the Orchard-ZSA protocol to have the following structure. We highlight the changes for the Orchard-ZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:

    - 
    auth_digest
-├── transparent_scripts_digest
-├── sapling_auth_digest
-├── orchard_auth_digest
-└── issuance_auth_digest        [ADDED FOR ZSA]
    -

    The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.

    -

    auth_digest

    -

    A BLAKE2b-256 hash of the following values

    - 
    A.1: transparent_scripts_digest (32-byte hash output)
-A.2: sapling_auth_digest        (32-byte hash output)
-A.3: orchard_auth_digest        (32-byte hash output)
-A.4: issuance_auth_digest       (32-byte hash output)  [ADDED FOR ZSA]
    -

    The personalization field of this hash remains the same as in ZIP 244.

    -

    A.4: issuance_auth_digest

    -

    In the case that Issuance Actions are present, this is a BLAKE2b-256 hash of the field encoding of the issueAuthSig field of the transaction:

    - 
    A.4a: issueAuthSig            (field encoding bytes)
    -

    The personalization field of this hash is set to:

    - 
    "ZTxAuthZSAOrHash"
    -

    In the case that the transaction has no Orchard Actions, issuance_auth_digest is

    - 
    BLAKE2b-256("ZTxAuthZSAOrHash", [])
    -
    +

    Authorizing Data Commitment - Issuance

    +

    This section covers the construction of the subtree of hashes in the authorizing data commitment that corresponds to issuance transaction data. Details of the overall changes to the authorizing data commitment due to the OrchardZSA protocol can be found in ZIP 226 14.

    +

    A.4: issuance_auth_digest

    +

    In the case that Issuance Actions are present, this is a BLAKE2b-256 hash of the field encoding of the issueAuthSig field of the transaction:

    + 
    A.4a: issueAuthSig            (field encoding bytes)
    +

    The personalization field of this hash is set to:

    + 
    "ZTxAuthZSAOrHash"
    +

    In the case that the transaction has no Orchard Actions, issuance_auth_digest is

    + 
    BLAKE2b-256("ZTxAuthZSAOrHash", [])
    +
    +
    +

    OrchardZSA Fee Calculation

    +

    In addition to the parameters defined in the Fee calculation section of ZIP 317 21, the OrchardZSA protocol upgrade defines the following additional parameters:

    + + + + + + + + + + + + + +
    ParameterValue
    + \(issuance\_fee\) + + \(100 \cdot marginal\_fee\) + per issuance action (as defined below)
    +

    Wallets implementing this specification SHOULD use a conventional fee, viz. + \(zsa\_conventional\_fee\!\) + , that is calculated in zatoshis. Additional definitions that are used in the formula for the calculation are in the table below:

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    InputUnitsDescription
    + \(nOrchardActions\) + numberthe number of OrchardZSA transfer actions (including ZEC actions)
    + \(nTotalOutputsZSAIssuance\) + numberthe total number of OrchardZSA issuance outputs (added across issuance actions)
    + \(nCreateActions\) + numberthe number of OrchardZSA issuance actions that issue a Custom Asset that is not present in the Global Issuance State
    +

    The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 32 and the global state. They are defined in the Fee calculation section of ZIP 317 21. Note that + \(nOrchardActions\!\) + , that is used in the computation of + \(logical\_actions\!\) + , is redefined in the above table, and now combines the actions for native ZEC as well as OrchardZSA transfer actions for Custom Assets.

    +

    The formula for the computation of the + \(zsa\_logical\_actions\) + (with the updated computation of + \(logical\_actions\) + as described above) is:

    +
    \(zsa\_logical\_actions = logical\_actions \;+ nTotalOutputsZSAIssuance\)
    +

    The formula for the computation of the + \(zsa\_conventional\_fee\) + is:

    +
    \(\begin{array}{rcl} + zsa\_conventional\_fee &=& marginal\_fee \cdot \mathsf{max}(grace\_actions, zsa\_logical\_actions) \;+ \\ + & & issuance\_fee \cdot nCreateActions +\end{array}\)
    +

    It is not a consensus requirement that fees follow this formula; however, wallets SHOULD create transactions that pay this fee, in order to reduce information leakage, unless overridden by the user.

    +

    Rationale for OrchardZSA Fee calculation

    +

    The OrchardZSA fee calculation accounts for the additions to the Global Issuance State that are required for the OrchardZSA protocol. Every newly created Custom Asset adds a new row to the Global Issuance State. Subsequent issuance, finalization, or burn of existing Custom Assets only changes the values in the corresponding row.

    +

    This explains the need for a higher fee for the creation of entirely new Custom Assets, in order to disincentivize the creation of "junk" assets.

    +
    +

    OrchardZSA Fee Considerations

    +

    We choose to maintain the native ZEC Asset as the primary token for the Zcash blockchain, similar to how ETH is needed for ERC20 transactions to the benefit of the Ethereum ecosystem.

    +

    An alternative proposal for the OrchardZSA fee mechanism that was not adopted was to adopt a new type of fee, denominated in the custom Asset being issued or transferred. In the context of transparent transactions, such a fee allows miners to “tap into” the ZSA value of the transactions, rather than the ZEC value of transactions. However when transactions are shielded, any design that lifts value from the transaction would also leak information about it.

    Security and Privacy Considerations

    Displaying Asset Identifier information to users

    -

    Wallets need to communicate the names of the Assets in a non-confusing way to users, since the byte representation of the Asset Identifier would be hard to read for an end user. Possible solutions are provided in the Specification: Asset Identifier section.

    +

    Wallets need to communicate the names of the Assets in a non-confusing way to users, since the byte representation of the Asset Identifier would be hard to read for an end user. Possible solutions are provided in the Specification: Asset Identifier, Asset Digest, and Asset Base section.

    Issuance Key Compromise

    The design of this protocol does not currently allow for rotation of the issuance validating key that would allow for replacing the key of a specific Asset. In case of compromise, the following actions are recommended:

    @@ -824,7 +964,7 @@

    Bridging Assets

    -

    For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.

    +

    For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.

    Other Considerations

    @@ -838,7 +978,7 @@ in order to properly keep track of the total supply for different Asset Identifiers. This is useful for wallets and other applications that need to keep track of the total supply of Assets.

    Fee Structures

    -

    The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317 16.

    +

    The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317, and is described in ZIP 230 18.

    Test Vectors

    @@ -944,58 +1084,98 @@ - +
    - +
    12ZIP 226: Transfer and Burn of Zcash Shielded Assets - TxId DigestZIP 226: Transfer and Burn of Zcash Shielded Assets - Additional Consensus Rules for the assetBurn set
    - +
    - +
    13ZIP 244: Transaction Identifier Non-MalleabilityZIP 226: Transfer and Burn of Zcash Shielded Assets - TxId Digest
    - +
    - +
    14ZIP 244: Transaction Identifier Non-Malleability: Signature DigestZIP 226: Transfer and Burn of Zcash Shielded Assets - Authorizing Data Commitment
    - +
    - +
    15ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data CommitmentZIP 230: Version 6 Transaction Format: Issuance Action Description (IssueAction)
    - +
    - +
    16ZIP 317: Proportional Transfer Fee MechanismZIP 230: Version 6 Transaction Format: Issue Note (IssueNote)
    - +
    - +
    17BIP 43: Purpose Field for Deterministic WalletsZIP 230: Version 6 Transaction Format: Transaction Format
    - +
    + + + +
    18ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation
    + + + + + + + +
    19ZIP 244: Transaction Identifier Non-Malleability
    + + + + + + + +
    20ZIP 244: Transaction Identifier Non-Malleability: Signature Digest
    + + + + + + + +
    21ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation
    + + + + + + + +
    22BIP 43: Purpose Field for Deterministic Wallets
    + + + + @@ -1003,7 +1183,7 @@
    23 BIP 340: Schnorr Signatures for secp256k1
    - + @@ -1011,23 +1191,47 @@
    1924 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 2: Notation
    - +
    2025 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.1: Payment Addresses and Keys
    + + + + + + + +
    26Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2: Notes
    - +
    2127 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.2.3: Orchard Key Components
    + + + + + + + +
    28Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.10: SIGHASH Transaction Hashing
    + + + + + + + +
    29Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.3: Constants
    - + @@ -1035,7 +1239,7 @@
    2230 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.9.8: Group Hash into Pallas and Vesta
    - + @@ -1043,7 +1247,7 @@
    2331 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.6.4.2: Orchard Raw Payment Addresses
    - + diff --git a/rendered/zip-0230.html b/rendered/zip-0230.html index 80f3a8a6b..0373bee5f 100644 --- a/rendered/zip-0230.html +++ b/rendered/zip-0230.html @@ -27,8 +27,8 @@ Discussions-To: <https://github.com/zcash/zips/issues/686>

    Terminology

    The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

    -

    The terms "Zcash Shielded Asset", "ZSA" and "Asset" in this document are to be interpreted as described in ZIP 226 7.

    -

    The term "Issuance" and "Issuance Action" in this document are to be interpreted as described in ZIP 227 8.

    +

    The terms "Zcash Shielded Asset", "OrchardZSA", "ZSA" and "Asset" in this document are to be interpreted as described in ZIP 226 8.

    +

    The term "Issuance" and "Issuance Action" in this document are to be interpreted as described in ZIP 227 9.

    We define the following additional terms:

    • Issuance Fee: This is the specific fixed fee that has to be paid to the network for every given issuance action.
      • @@ -36,20 +36,20 @@

      The character § is used when referring to sections of the Zcash Protocol Specification 2.

    Abstract

    -

    This proposal defines a new Zcash peer-to-peer transaction format, which includes data that supports the Orchard-ZSA protocol and all operations related to Zcash Shielded Assets (ZSAs). The new format adds and describes new fields containing ZSA-specific elements. Like the existing v5 transaction format, it keeps well-bounded regions of the serialized form to serve each pool of funds.

    -

    This ZIP also depends upon and defines modifications to the computation of the values TxId Digest, Signature Digest, and Authorizing Data Commitment defined by ZIP 244 9.

    -

    This ZIP additionally defines the fee mechanism associated with the Orchard Zcash Shielded Assets (OrchardZSA) protocol as described in ZIP 226 7 and ZIP 227 8. The fee mechanism is defined in terms of modifications to the Proportionak Transfer Fee Mechanism 11.

    +

    This proposal defines a new Zcash peer-to-peer transaction format, which includes data that supports the OrchardZSA protocol and all operations related to Zcash Shielded Assets (ZSAs). The new format adds and describes new fields containing ZSA-specific elements. Like the existing v5 transaction format, it keeps well-bounded regions of the serialized form to serve each pool of funds.

    +

    This ZIP also depends upon and defines modifications to the computation of the values TxId Digest, Signature Digest, and Authorizing Data Commitment defined by ZIP 244 11.

    +

    This ZIP additionally defines the fee mechanism associated with the Orchard Zcash Shielded Assets (OrchardZSA) protocol as described in ZIP 226 8 and ZIP 227 9. The fee mechanism is defined in terms of modifications to the Proportionak Transfer Fee Mechanism 13.

    Motivation

    -

    The Orchard-ZSA protocol requires serialized data elements that are distinct from any previous Zcash transaction. Since ZIP 244 was activated in NU5, the v5 and later serialized transaction formats are not consensus-critical. Thus, this ZIP defines format that can easily accommodate future extensions, where elements or a given pool are kept separate.

    -

    The upgrade to the OrchardZSA protocol will also need to define a fee structure consistent with the objectives of ZIP 317 11. This involves adaptation for the transfer protocol 7, as well as additional considerations for the issuance protocol 8 such as fees for asset issuance. Specifically, the OrchardZSA Transfer and Burn mechanism should follow the same fee mechanism in order to not discriminate between transfer bundle types. When it comes to Issuance of ZSA, however, there should be a disincentive that will stop users from flooding the chain with useless asset identifiers. In the case of Issuance, the computational power needed to verify the bundle is not large. The transaction size, however, can be an issue as the number of output notes can be large. Furthermore, as defined in ZIP 227 8, there is an additional data structure in the global state that needs to be maintained as part of the consensus. This motivates further the addition of an Issuance-specific fee.

    +

    The OrchardZSA protocol requires serialized data elements that are distinct from any previous Zcash transaction. Since ZIP 244 was activated in NU5, the v5 and later serialized transaction formats are not consensus-critical. Thus, this ZIP defines format that can easily accommodate future extensions, where elements or a given pool are kept separate.

    +

    The upgrade to the OrchardZSA protocol will also need to define a fee structure consistent with the objectives of ZIP 317 13. This involves adaptation for the transfer protocol 8, as well as additional considerations for the issuance protocol 9 such as fees for asset issuance. Specifically, the OrchardZSA Transfer and Burn mechanism should follow the same fee mechanism in order to not discriminate between transfer bundle types. When it comes to Issuance of ZSA, however, there should be a disincentive that will stop users from flooding the chain with useless asset identifiers. In the case of Issuance, the computational power needed to verify the bundle is not large. The transaction size, however, can be an issue as the number of output notes can be large. Furthermore, as defined in ZIP 227 9, there is an additional data structure in the global state that needs to be maintained as part of the consensus. This motivates further the addition of an Issuance-specific fee.

    Requirements

    -

    The new format must fully support the Orchard-ZSA protocol.

    +

    The new format must fully support the OrchardZSA protocol.

    The new format should lend itself to future extension or pruning to add or remove value pools.

    The computation of the non-malleable transaction identifier hash must include all newly incorporated elements except those that attest to transaction validity.

    The computation of the commitment to authorizing data for a transaction must include all newly incorporated elements that attest to transaction validity.

    -

    In addition to the requirements of ZIP 317 11, the fee mechanism for the OrchardZSA protocol should satisfy the following requirements:

    +

    In addition to the requirements of ZIP 317 13, the fee mechanism for the OrchardZSA protocol should satisfy the following requirements:

    • The conventional fee should not leak private information used in constructing the transaction; that is, it should be computable from only the public data of the transaction.
    • Users should be discouraged from issuing new “garbage” custom Assets. The fee should reflect the cost of adding new data to the global state.
      • @@ -212,39 +212,19 @@
    - + - + - - - - - - - + - - - - + + + + @@ -252,32 +232,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - @@ -288,16 +242,16 @@ - + - + - + @@ -321,7 +275,7 @@ - +
    2432 Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 7.1: Transaction Encoding and Consensus
    A Sapling binding signature on the SIGHASH transaction hash.
    Orchard-ZSA Transaction FieldsOrchardZSA Transaction Fields
    variesnActionsOrchardnActionGroupsOrchard compactSizeThe number of Orchard-ZSA Action descriptions in vActionsOrchard.
    852 * nActionsOrchardvActionsOrchardOrchardZsaAction[nActionsOrchard]A sequence of Orchard-ZSA Action descriptions, encoded per the Orchard-ZSA Action Description Encoding.The number of Action Group descriptions in vActionGroupsOrchard. This MUST have a value of either 0 or 1.
    1flagsOrchardbyte -
    -
    An 8-bit value representing a set of flags. Ordered from LSB to MSB:
    -
    -
      -
    • enableSpendsOrchard
      • -
    • enableOutputsOrchard
      • -
    • enableZSAs
      • -
    • The remaining bits are set to - \(0\!\) - .
      • -
    -
    -
    -     		variesvActionGroupsOrchardActionGroupDescription[nActionGroupsOrchard]A sequence of Action Group descriptions, encoded as per the OrchardZSA Action Group Description.
    8int64 The net value of Orchard spends minus outputs.
    32anchorOrchardbyte[32]A root of the Orchard note commitment tree at some block height in the past.
    variessizeProofsOrchardZSAcompactSizeLength in bytes of proofsOrchardZSA. Value is (TO UPDATE) - \(2720 + 2272 \cdot \mathtt{nActionsOrchard}\!\) - .
    sizeProofsOrchardZSAproofsOrchardZSAbyte[sizeProofsOrchardZSA]Encoding of aggregated zk-SNARK proofs for Orchard-ZSA Actions.
    64 * nActionsOrchardvSpendAuthSigsOrchardbyte[64 * nActionsOrchard]Authorizing signatures for each Orchard-ZSA Action.
    varies nAssetBurn40 * nAssetBurn vAssetBurn AssetBurn[nAssetBurn]A sequence of Asset Burn descriptions, encoded per Orchard-ZSA Asset Burn Description.A sequence of Asset Burn descriptions, encoded per OrchardZSA Asset Burn Description.
    64 bindingSigOrchard byte[64]An Orchard-ZSA binding signature on the SIGHASH transaction hash.An OrchardZSA binding signature on the SIGHASH transaction hash.
    Orchard-ZSA Issuance FieldsOrchardZSA Issuance Fields
    varies64 issueAuthSig byte[64]The signature of the transaction SIGHASH, signed by the issuer, validated as in Issuance Authorization Signature Scheme 8.The signature of the transaction SIGHASH, signed by the issuer, validated as in Issuance Authorization Signature Scheme 9.
    @@ -338,14 +292,13 @@ .
  • The elements of vSpendProofsSapling and vSpendAuthSigsSapling have a 1:1 correspondence to the elements of vSpendsSapling and MUST be ordered such that the proof or signature at a given index corresponds to the SpendDescriptionV6 at the same index.
  • The elements of vOutputProofsSapling have a 1:1 correspondence to the elements of vOutputsSapling and MUST be ordered such that the proof at a given index corresponds to the OutputDescriptionV6 at the same index.
    • -
  • The fields flagsOrchard, valueBalanceOrchard, anchorOrchard, sizeProofsOrchardZSA, proofsOrchardZSA, and bindingSigOrchard are present if and only if - \(\mathtt{nActionsOrchard} > 0\!\) +
  • The fields valueBalanceOrchard and bindingSigOrchard are present if and only if + \(\mathtt{nActionGroupsOrchard} > 0\!\) . If valueBalanceOrchard is not present, then \(\mathsf{v^{balanceOrchard}}\) is defined to be \(0\!\) .
    • -
  • The proofs aggregated in proofsOrchardZSA, and the elements of vSpendAuthSigsOrchard, each have a 1:1 correspondence to the elements of vActionsOrchard and MUST be ordered such that the proof or signature at a given index corresponds to the OrchardZsaAction at the same index.
  • The fields ik and issueAuthSig are present if and only if \(\mathtt{nIssueActions} > 0\!\) .
    • @@ -353,7 +306,7 @@ \(0\!\) . -

    The encodings of tx_in, and tx_out are as in a version 4 transaction (i.e. unchanged from Canopy). The encodings of SpendDescriptionV6, OutputDescriptionV6 , OrchardZsaAction, AssetBurn and IssueAction are described below. The encoding of Sapling Spends and Outputs has changed relative to prior versions in order to better separate data that describe the effects of the transaction from the proofs of and commitments to those effects, and for symmetry with this separation in the Orchard-related parts of the transaction format.

    +

    The encodings of tx_in, and tx_out are as in a version 4 transaction (i.e. unchanged from Canopy). The encodings of SpendDescriptionV6, OutputDescriptionV6 , ActionGroupDescription, AssetBurn and IssueAction are described below. The encoding of Sapling Spends and Outputs has changed relative to prior versions in order to better separate data that describe the effects of the transaction from the proofs of and commitments to those effects, and for symmetry with this separation in the Orchard-related parts of the transaction format.

    Sapling Spend Description (SpendDescriptionV6)

    @@ -435,7 +388,77 @@

    The encodings of each of these elements are defined in §7.4 ‘Output Description Encoding and Consensus’ of the Zcash Protocol Specification 4.

    -

    Orchard-ZSA Action Description (OrchardZsaAction)

    +

    OrchardZSA Action Group Description

    +

    The OrchardZSA Action Group Description is encoded in a transaction as an instance of an ActionGroupDescription type:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    BytesNameData TypeDescription
    variesnActionsOrchardcompactSizeThe number of Action descriptions in vActionsOrchard. This MUST have a value strictly greater than 0.
    852 * nActionsOrchardvActionsOrchardOrchardZSAAction[nActionsOrchard]A sequence of OrchardZSA Action descriptions in the Action Group.
    1flagsOrchardbyteAs defined in Section 7.1 of the Protocol Specification 6.
    32anchorOrchardbyte[32]As defined in Section 7.1 of the Protocol Specification 6.
    variessizeProofsOrchardcompactSizeAs defined in Section 7.1 of the Protocol Specification 6.
    sizeProofsOrchardproofsOrchardbyte[sizeProofsOrchard]The aggregated zk-SNARK proof for all Actions in the Action Group.
    4nAGExpiryHeightuint32A block height (in the future) after which the Actions of the Action Group become invalid and should be rejected by consensus. This MUST have a value of 0.
    64 * nActionsOrchardvSpendAuthSigsOrchardbyte[64 * nActionsOrchard]Authorizing signatures for each Action of the Action Group in a transaction.
    +

    The encoding of OrchardZSAAction is described below.

    +
      +
    • The proofs aggregated in proofsOrchardZSA, and the elements of vSpendAuthSigsOrchard, each have a 1:1 correspondence to the elements of vActionsOrchard and MUST be ordered such that the proof or signature at a given index corresponds to the OrchardZSAAction at the same index.
      • +
    +

    Rationale for nAGExpiryHeight

    +

    We introduce the nAGExpiryHeight field in this transaction format in order to be forward compatible with Swaps over ZSAs, as proposed in ZIP 228 10. For the OrchardZSA protocol, which does not make use of an additional expiry height for transactions, we set the value of nAGExpiryHeight to be 0 by consensus. This serves as a default value to represent the situation where there is no expiry, analogous to the convention adopted for nExpiryHeight in ZIP 203 [#zip-0203].

    +
    +
    +

    OrchardZSA Action Description (OrchardZSAAction)

    @@ -476,7 +499,7 @@ - + @@ -492,10 +515,10 @@
    32 ephemeralKey byte[32]An encoding of an ephemeral Pallas public keyAn encoding of an ephemeral Pallas public key.
    612
    -

    The encodings of each of these elements are defined in §7.5 ‘Action Description Encoding and Consensus’ of the Zcash Protocol Specification 5.

    +

    The encodings of each of these elements are defined in §7.5 ‘Action Description Encoding and Consensus’ of the Zcash Protocol Specification 5.

    -

    Orchard-ZSA Asset Burn Description

    -

    An Orchard-ZSA Asset Burn description is encoded in a transaction as an instance of an AssetBurn type:

    +

    OrchardZSA Asset Burn Description

    +

    An OrchardZSA Asset Burn description is encoded in a transaction as an instance of an AssetBurn type:

    @@ -510,7 +533,7 @@ - @@ -522,7 +545,7 @@
    32 AssetBase byte[32]For the Orchard-based ZSA protocol, this is the encoding of the Asset Base + For the OrchardZSA protocol, this is the encoding of the Asset Base \(\mathsf{AssetBase^{Orchard}}\!\) .
    -

    The encodings of each of these elements are defined in ZIP 226 7.

    +

    The encodings of each of these elements are defined in ZIP 226 8.

    Issuance Action Description (IssueAction)

    An issuance action, IssueAction, is the instance of issuing a specific Custom Asset, and contains the following fields:

    @@ -640,91 +663,8 @@
    -

    OrchardZSA Fee Calculation

    -

    In addition to the parameters defined in the Fee calculation section of ZIP 317 12, the OrchardZSA protocol upgrade defines the following additional parameters:

    - - - - - - - - - - - - - -
    ParameterValue
    - \(\mathsf{issuance\_fee}\) - - \(100 \cdot marginal\_fee\) - per issuance action (as defined below)
    -

    Wallets implementing this specification SHOULD use a conventional fee, viz. - \(\mathsf{zsa\_conventional\_fee}\!\) - , that is calculated in zatoshis. Additional definitions that are used in the formula for the calculation are in the table below:

    - - - - - - - - - - - - - - - - - - - - - - - - - -
    InputUnitsDescription
    - \(\mathsf{nOrchardActions}\) - numberthe number of OrchardZSA transfer actions (including ZEC actions)
    - \(\mathsf{nTotalOutputsZsaIssuance}\) - numberthe total number of OrchardZSA issuance outputs (added across issuance actions)
    - \(\mathsf{nCreateActions}\) - numberthe number of OrchardZSA issuance actions that issue a Custom Asset that is not present in the Global Issuance State
    -

    The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 6 and the global state. They are defined in the Fee calculation section of ZIP 317 12. Note that - \(\mathsf{nOrchardActions}\!\) - , that is used in the computation of - \(\mathsf{logical\_actions}\!\) - , is redefined in the above table, and now combines the actions for native ZEC as well as OrchardZSA transfer actions for Custom Assets.

    -

    The formula for the computation of the - \(\mathsf{zsa\_logical\_actions}\) - (with the updated computation of - \(\mathsf{logical\_actions}\) - as described above) is:

    -
    \(\mathsf{zsa\_logical\_actions} = \mathsf{logical\_actions} \;+ \mathsf{nTotalOutputsZsaIssuance}\)
    -

    The formula for the computation of the - \(\mathsf{zsa\_conventional\_fee}\) - is:

    -
    \(\begin{array}{rcl} - \mathsf{zsa\_conventional\_fee} &=& \mathsf{marginal\_fee} \cdot \mathsf{max}(\mathsf{grace\_actions}, \mathsf{zsa\_logical\_actions}) \;+ \\ - & & \mathsf{issuance\_fee} \cdot \mathsf{nCreateActions} -\end{array}\)
    -

    It is not a consensus requirement that fees follow this formula; however, wallets SHOULD create transactions that pay this fee, in order to reduce information leakage, unless overridden by the user.

    -

    Rationale for OrchardZSA Fee calculation

    -

    The OrchardZSA fee calculation accounts for the additions to the Global Issuance State that are required for the OrchardZSA protocol. Every newly created Custom Asset adds a new row to the Global Issuance State. Subsequent issuance, finalization, or burn of existing Custom Assets only changes the values in the corresponding row.

    -

    This explains the need for a higher fee for the creation of entirely new Custom Assets, in order to disincentivize the creation of "junk" assets.

    -
    -

    OrchardZSA Fee Considerations

    -

    We choose to maintain the native ZEC Asset as the primary token for the Zcash blockchain, similar to how ETH is needed for ERC20 transactions to the benefit of the Ethereum ecosystem.

    -

    An alternative proposal for the OrchardZSA fee mechanism that was not adopted was to adopt a new type of fee, denominated in the custom Asset being issued or transferred. In the context of transparent transactions, such a fee allows miners to “tap into” the ZSA value of the transactions, rather than the ZEC value of transactions. However when transactions are shielded, any design that lifts value from the transaction would also leak information about it.

    -
    -

    Deployment

    -

    Version 6 transactions are proposed to be allowed on the network starting from Network Upgrade 7. 10

    +

    Version 6 transactions are proposed to be allowed on the network starting from Network Upgrade 7. 12

    Reference implementation

    TODO

    @@ -778,34 +718,50 @@ - +
    - +
    7ZIP 226: Transfer and Burn of Zcash Shielded AssetsZIP 203: Transaction Expiry
    - +
    - +
    8ZIP 227: Issuance of Zcash Shielded AssetsZIP 226: Transfer and Burn of Zcash Shielded Assets
    - +
    - +
    9ZIP 244: Transaction Identifier Non-MalleabilityZIP 227: Issuance of Zcash Shielded Assets
    - +
    + + + +
    10ZIP 228: Asset Swaps for Zcash Shielded Assets
    + + + + + + + +
    11ZIP 244: Transaction Identifier Non-Malleability
    + + + + @@ -813,16 +769,16 @@
    12 ZIP 254: Deployment of the NU7 Network Upgrade
    - - + +
    11ZIP 317: Proportional Transfer Fee Mechanism13ZIP 317: Proportional Transfer Fee Mechanism
    - - + +
    12ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation14ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation
    diff --git a/zips/zip-0226.rst b/zips/zip-0226.rst index a31fa11a0..df572af60 100644 --- a/zips/zip-0226.rst +++ b/zips/zip-0226.rst @@ -37,8 +37,8 @@ We define the following additional terms: Abstract ======== -This ZIP (ZIP 226) proposes the Zcash Shielded Assets (ZSA) protocol, in conjunction with ZIP 227 [#zip-0227]_. The ZSA protocol is an extension of the Orchard protocol that enables the issuance, transfer and burn of custom Assets on the Zcash chain. The issuance of such Assets is defined in ZIP 227 [#zip-0227]_, while the transfer and burn of such Assets is defined in this ZIP (ZIP 226). -While the proposed ZSA protocol is a modification to the Orchard protocol, it has been designed with adaptation to possible future shielded protocols in mind. +This ZIP (ZIP 226) proposes the Orchard Zcash Shielded Assets (OrchardZSA) protocol, in conjunction with ZIP 227 [#zip-0227]_. The OrchardZSA protocol is an extension of the Orchard protocol that enables the issuance, transfer and burn of custom Assets on the Zcash chain. The issuance of such Assets is defined in ZIP 227 [#zip-0227]_, while the transfer and burn of such Assets is defined in this ZIP (ZIP 226). +While the proposed OrchardZSA protocol is a modification to the Orchard protocol, it has been designed with adaptation to possible future shielded protocols in mind. Motivation ========== @@ -49,7 +49,7 @@ This ZIP builds on the issuance mechanism introduced in ZIP 227 [#zip-0227]_. Overview ======== In order to be able to represent different Assets, we need to define a data field that uniquely represents the Asset in question, which we call the Asset Identifier $\mathsf{AssetId}$. -This Asset Identifier maps to an Asset Base $\mathsf{AssetBase}$ that is stored in Orchard-based ZSA notes. +This Asset Identifier maps to an Asset Base $\mathsf{AssetBase}$ that is stored in OrchardZSA notes. These terms are formally defined in ZIP 227 [#zip-0227]_. The Asset Identifier (via means of the Asset Digest and Asset Base) will be used to enforce that the balance of an Action Description [#protocol-actions]_ [#protocol-actionencodingandconsensus]_ is preserved across Assets (see the Orchard Binding Signature [#protocol-orchardbalance]_), and by extension the balance of an Orchard transaction. That is, the sum of all the $\mathsf{value^{net}}$ from each Action Description, computed as $\mathsf{value^{old}} - \mathsf{value^{new}}$, must be balanced **only with respect to the same Asset Identifier**. This is especially important since we will allow different Action Descriptions to transfer notes of different Asset Identifiers, where the overall balance is checked without revealing which (or how many distinct) Assets are being transferred. @@ -74,7 +74,7 @@ Most of the protocol is kept the same as the Orchard protocol released with NU5, Asset Identifiers ----------------- -For every new Asset, there must be a new and unique Asset Identifier. Every Asset is defined by an *Asset description*, $\mathsf{asset\_desc}$, which is a global byte string (scoped across all future versions of Zcash). From this Asset description and the issuance validating key of the issuer, the specific Asset Identifier, $\mathsf{AssetId}$, the Asset Digest, and the Asset Base ($\!\mathsf{AssetBase}$) are derived as defined in ZIP 227 [#zip-0227]_. +For every new Asset, there MUST be a new and unique Asset Identifier. Every Asset is defined by an *Asset description*, $\mathsf{asset\_desc}$, which is a global byte string (scoped across all future versions of Zcash). From this Asset description and the issuance validating key of the issuer, the specific Asset Identifier, $\mathsf{AssetId}$, the Asset Digest, and the Asset Base ($\!\mathsf{AssetBase}$) are derived as defined in ZIP 227 [#zip-0227]_. This Asset Base will be the base point of the value commitment for the specific Custom Asset. Note that the Asset Base of the ZEC Asset will be kept as the original value base point, $\mathcal{V}^{\mathsf{Orchard}}$. @@ -86,16 +86,23 @@ In future network and protocol upgrades, the same Asset description string can b Note Structure & Commitment --------------------------- -Let $\mathsf{Note^{OrchardZSA}}$ be the type of a ZSA note, i.e. -$\mathsf{Note^{OrchardZSA}} := \mathsf{Note^{Orchard}} \times \mathbb{P}^*$. - -An Orchard ZSA note differs from an Orchard note [#protocol-notes]_ by additionally including the Asset Base, $\mathsf{AssetBase}$. So a ZSA note is a tuple $(\mathsf{g_d}, \mathsf{pk_d}, \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})$, +An OrchardZSA note differs from an Orchard note [#protocol-notes]_ by additionally including the Asset Base, $\mathsf{AssetBase}$. So an OrchardZSA note is a tuple $(\mathsf{d}, \mathsf{pk_d}, \mathsf{v}, \mathsf{AssetBase}, \text{ρ}, \text{ψ}, \mathsf{rcm})$, where -- $\mathsf{AssetBase} : \mathbb{P}^*$ is the unique element of the Pallas group [#protocol-pallasandvesta]_ that identifies each Asset in the Orchard protocol, defined as the Asset Base in ZIP 227 [#zip-0227]_, a valid group element that is not the identity and is not $\bot$. The byte representation of the Asset Base is defined as $\mathsf{asset\_base} : \mathbb{B}^{[\ell_{\mathbb{P}}]} := \mathsf{repr}_{\mathbb{P}}(\mathsf{AssetBase})$. +- $\mathsf{AssetBase} : \mathbb{P}^*$ is the unique element of the Pallas group [#protocol-pallasandvesta]_ that identifies each Asset in the Orchard protocol, defined as the Asset Base in ZIP 227 [#zip-0227-assetidentifier]_, a valid group element that is not the identity and is not $\bot$. The byte representation of the Asset Base is defined as $\mathsf{asset\_base} : \mathbb{B}^{[\ell_{\mathbb{P}}]} := \mathsf{repr}_{\mathbb{P}}(\mathsf{AssetBase})$. +- The remaining terms are as defined in §3.2 of the protocol specification [#protocol-notes]_. Note that the above assumes a canonical encoding, which is true for the Pallas group, but may not hold for future shielded protocols. +Let $\mathsf{Note^{OrchardZSA}}$ be the type of a OrchardZSA note, i.e. + +.. math:: \mathsf{Note^{OrchardZSA}} := \mathbb{B}^{[\ell_{\mathsf{d}}]} \times \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public} \times \{0 .. 2^{\ell_{\mathsf{value}}} - 1\} \times \mathbb{P}^* \times \mathbb{F}_{q_{\mathbb{P}}} \times \mathbb{F}_{q_{\mathbb{P}}} \times \mathsf{NoteCommit^{Orchard}.Trapdoor}, + +where $\mathbb{P}^*$ is the Pallas group excluding the identity element, and the other types are as defined in §3.2 of the protocol specification [#protocol-notes]_. + +**Non-normative note:** +The type and definition of the OrchardZSA note reflect that it is a tuple of all the components of an Orchard note, with the addition of the Asset Base into the tuple. + We define the note commitment scheme $\mathsf{NoteCommit^{OrchardZSA}_{rcm}}$ as follows: * $\mathsf{NoteCommit}^{\mathsf{OrchardZSA}} : \mathsf{NoteCommit^{Orchard}.Trapdoor}\hspace{-1em}$ @@ -127,7 +134,7 @@ Note that $\mathsf{repr}_{\mathbb{P}}$ and $\mathsf{GroupHash}^{\mathbb{P}}$ are The nullifier is generated in the same manner as in the Orchard protocol [#protocol-commitmentsandnullifiers]_. -The ZSA note plaintext also includes the Asset Base in addition to the components in the Orchard note plaintext [#protocol-notept]_. +The OrchardZSA note plaintext also includes the Asset Base in addition to the components in the Orchard note plaintext [#protocol-notept]_. It consists of .. math:: (\mathsf{leadByte} : \mathbb{B}^{\mathbb{Y}}, \mathsf{d} : \mathbb{B}^{[\ell_{\mathsf{d}}]}, \mathsf{v} : \{0 .. 2^{\ell_{\mathsf{value}}} - 1\}, \mathsf{rseed} : \mathbb{B}^{\mathbb{Y}[32]}, \mathsf{asset\_base} : \mathbb{B}^{[\ell_{\mathbb{P}}]}, \mathsf{memo} : \mathbb{B}^{\mathbb{Y}[512]}) @@ -135,20 +142,20 @@ It consists of Rationale for Note Commitment ````````````````````````````` -In the ZSA protocol, the instance of the note commitment scheme, $\mathsf{NoteCommit^{OrchardZSA}_{rcm}}$, differs from the Orchard note commitment $\mathsf{NoteCommit^{Orchard}_{rcm}}$ in that for Custom Assets, the Asset Base will be added as an input to the commitment computation. +In the OrchardZSA protocol, the instance of the note commitment scheme, $\mathsf{NoteCommit^{OrchardZSA}_{rcm}}$, differs from the Orchard note commitment $\mathsf{NoteCommit^{Orchard}_{rcm}}$ in that for Custom Assets, the Asset Base will be added as an input to the commitment computation. In the case where the Asset is the ZEC Asset, the commitment is computed identically to the Orchard note commitment, without making use of the ZEC Asset Base as an input. As we will see, the nested structure of the Sinsemilla-based commitment [#protocol-concretesinsemillacommit]_ allows us to add the Asset Base as a final recursive step. -The note commitment output is still indistinguishable from the original Orchard ZEC note commitments, by definition of the Sinsemilla hash function [#protocol-concretesinsemillahash]_. ZSA note commitments will therefore be added to the same Orchard Note Commitment Tree. In essence, we have: +The note commitment output is still indistinguishable from the original Orchard ZEC note commitments, by definition of the Sinsemilla hash function [#protocol-concretesinsemillahash]_. OrchardZSA note commitments will therefore be added to the same Orchard Note Commitment Tree. In essence, we have: .. math:: \mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase}) \in \mathsf{NoteCommit^{Orchard}.Output} -This definition can be viewed as a generalization of the Orchard note commitment, and will allow maintaining a single commitment instance for the note commitment, which will be used both for pre-ZSA Orchard and ZSA notes. +This definition can be viewed as a generalization of the Orchard note commitment, and will allow maintaining a single commitment instance for the note commitment, which will be used both for pre-ZSA Orchard and OrchardZSA notes. Value Commitment ---------------- -In the case of the Orchard-based ZSA protocol, the value of different Asset Identifiers in a given transaction will be committed using a **different value base point**. The value commitment becomes: +In the case of the OrchardZSA protocol, the value of different Asset Identifiers in a given transaction will be committed using a **different value base point**. The value commitment becomes: .. math:: \mathsf{cv^{net}} := \mathsf{ValueCommit^{OrchardZSA}_{rcv}}(\mathsf{AssetBase_{AssetId}}, \mathsf{v^{net}_{AssetId}}) = [\mathsf{v^{net}_{AssetId}}]\,\mathsf{AssetBase_{AssetId}} + [\mathsf{rcv}]\,\mathcal{R}^{\mathsf{Orchard}} @@ -176,26 +183,26 @@ The burn mechanism is a transparent extension to the transfer protocol that enab The burn mechanism does NOT send Assets to a non-spendable address, it simply reduces the total number of units of a given Custom Asset in circulation. It is enforced at the consensus level, by using an extension of the value balance mechanism used for ZEC Assets. Burning makes it globally provable that a given amount of a Custom Asset has been destroyed. -Note that the OrchardZSA Protocol does not allow for the burning of ZEC (or TAZ). +Note that the OrchardZSA Protocol does not allow for the burning of the Native Asset (i.e. ZEC or TAZ). -In the `Orchard-ZSA Transaction Structure`_, there is now an $\mathsf{assetBurn}$ set. +In the `OrchardZSA Transaction Structure`_, there is now an $\mathsf{assetBurn}$ set. For every Custom Asset (represented by its $\mathsf{AssetBase}$) that is burnt in the transaction, the sender adds to $\mathsf{assetBurn}$ the tuple $(\mathsf{AssetBase}, \mathsf{v})$, where $\mathsf{v}$ is the amount of the Custom Asset the sender wants to burn. We denote by $L$ the cardinality of the $\mathsf{assetBurn}$ set in a transaction. As described in `Value Balance Verification`_, this provides the information for the validator of the transaction to compute the value commitment with the corresponding Asset Base. This ensures that the values are all balanced out on a per-Asset basis in the transaction. -Additional Consensus Rules -`````````````````````````` +Additional Consensus Rules for the assetBurn set +```````````````````````````````````````````````` -1. Check that for every $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{AssetBase} \neq \mathcal{V}^{\mathsf{Orchard}}$. That is, ZEC or TAZ is not allowed to be burnt by this mechanism. -2. Check that for every $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{v} \neq 0$. -3. Check that there is no duplication of Custom Assets in the $\mathsf{assetBurn}$ set. That is, every $\mathsf{AssetBase}$ has at most one entry in $\mathsf{assetBurn}$. -4. Check that for every $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}$, $\mathsf{v} \leq \mathsf{issued\_assets(AssetBase).balance}$, where the map $\mathsf{issued\_assets}$ is defined in ZIP 227 [#zip-0227-specification-global-issuance-state]_. That is, it is not possible to burn more of an Asset than is currently in circulation. +1. It MUST be the case that for every $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{AssetBase} \neq \mathcal{V}^{\mathsf{Orchard}}$. That is, the Native Asset is not allowed to be burnt by this mechanism. +2. It MUST be that for every $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{v} \neq 0$. +3. There MUST be no duplication of Custom Assets in the $\mathsf{assetBurn}$ set. That is, every $\mathsf{AssetBase}$ has at most one entry in $\mathsf{assetBurn}$. -If all these checks pass, then for every $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}$, reduce the value of $\mathsf{issued\_assets(AssetBase).balance}$ in the global state by $\mathsf{v}$. +The other consensus rule changes for the OrchardZSA protocol are specified in ZIP 227 [#zip-0227-consensus]_. -**Note:** Even if this mechanism allows having transparent ↔ shielded Asset transfers in theory, the transparent protocol will not be changed with this ZIP to adapt to a multiple Asset structure. This means that unless future consensus rules changes do allow it, unshielding will not be possible for Custom Assets. +**Note:** The transparent protocol will not be changed with this ZIP to adapt to a multiple Asset structure. +This means that unless future consensus rules changes do allow it, unshielding will not be possible for Custom Assets. Value Balance Verification -------------------------- @@ -263,9 +270,9 @@ Rationale for Split Notes In the Orchard protocol, since each Action represents an input and an output, the transaction that wants to send one input to multiple outputs must have multiple inputs. The Orchard protocol gives *dummy spend notes* [#protocol-orcharddummynotes]_ to the Actions that have not been assigned input notes. -The Orchard technique requires modification for the ZSA protocol with multiple Asset Identifiers, as the output note of the split Actions *cannot* contain *just any* Asset Base. We must enforce it to be an actual output of a GroupHash computation (in fact, we want it to be of the same Asset Base as the original input note, but the binding signature takes care that the proper balancing is performed). Without this enforcement the prover could input a multiple (or linear combination) of an existing Asset Base, and thereby attack the network by overflowing the ZEC value balance and hence counterfeiting ZEC funds. +The Orchard technique requires modification for the OrchardZSA protocol with multiple Asset Identifiers, as the output note of the split Actions *cannot* contain *just any* Asset Base. We must enforce it to be an actual output of a GroupHash computation (in fact, we want it to be of the same Asset Base as the original input note, but the binding signature takes care that the proper balancing is performed). Without this enforcement the prover could input a multiple (or linear combination) of an existing Asset Base, and thereby attack the network by overflowing the ZEC value balance and hence counterfeiting ZEC funds. -Therefore, for Custom Assets we enforce that *every* input note to an ZSA Action must be proven to exist in the set of note commitments in the note commitment tree. We then enforce this real note to be “unspendable” in the sense that its value will be zeroed in split Actions and the nullifier will be randomized, making the note not spendable in the specific Action. Then, the proof itself ensures that the output note is of the same Asset Base as the input note. In the circuit, the split note functionality will be activated by a boolean private input to the proof (aka the $\mathsf{split\_flag}$ boolean). +Therefore, for Custom Assets we enforce that *every* input note to an OrchardZSA Action must be proven to exist in the set of note commitments in the note commitment tree. We then enforce this real note to be “unspendable” in the sense that its value will be zeroed in split Actions and the nullifier will be randomized, making the note not spendable in the specific Action. Then, the proof itself ensures that the output note is of the same Asset Base as the input note. In the circuit, the split note functionality will be activated by a boolean private input to the proof (aka the $\mathsf{split\_flag}$ boolean). This ensures that the value base points of all output notes of a transfer are actual outputs of a GroupHash, as they originate in the Issuance protocol which is publicly verified. Note that the Orchard dummy note functionality remains in use for ZEC notes, and the Split Input technique is used in order to support Custom Assets. @@ -274,7 +281,7 @@ Note that the Orchard dummy note functionality remains in use for ZEC notes, and Circuit Statement ----------------- -Every *ZSA Action statement* is closely similar to the Orchard Action statement [#protocol-actionstatement]_, except for a few additions that ensure the security of the Asset Identifier system. We detail these changes below. +Every *OrchardZSA Action statement* is closely similar to the Orchard Action statement [#protocol-actionstatement]_, except for a few additions that ensure the security of the Asset Identifier system. We detail these changes below. All modifications in the Circuit are detailed in [#circuit-modifications]_. @@ -328,10 +335,10 @@ Senders must not be able to change the Asset Base for the output note in a Split Backwards Compatibility with ZEC Notes `````````````````````````````````````` -The input note in the old note commitment integrity check must either include an Asset Base (ZSA note) or not (pre-ZSA Orchard note). If the note is a pre-ZSA Orchard note, the note commitment is computed in the original Orchard fashion [#protocol-abstractcommit]_. If the note is a ZSA note, the note commitment is computed as defined in the `Note Structure & Commitment`_ section. +The input note in the old note commitment integrity check must either include an Asset Base (OrchardZSA note) or not (pre-ZSA Orchard note). If the note is a pre-ZSA Orchard note, the note commitment is computed in the original Orchard fashion [#protocol-abstractcommit]_. If the note is an OrchardZSA note, the note commitment is computed as defined in the `Note Structure & Commitment`_ section. -Orchard-ZSA Transaction Structure -================================= +OrchardZSA Transaction Structure +================================ The transaction format for v6 transactions is described in ZIP 230 [#zip-0230]_. @@ -339,12 +346,12 @@ The transaction format for v6 transactions is described in ZIP 230 [#zip-0230]_. TxId Digest =========== -The transaction digest algorithm defined in ZIP 244 [#zip-0244]_ is modified by the ZSA protocol to add a new branch for issuance information, along with modifications within the ``orchard_digest`` to account for the inclusion of the Asset Base. -The details of these changes are described in this section, and highlighted using the ``[UPDATED FOR ZSA]`` or ``[ADDED FOR ZSA]`` text label. We omit the details of the sections that do not change for the ZSA protocol. +The transaction digest algorithm defined in ZIP 244 [#zip-0244]_ is modified by the OrchardZSA protocol to add a new branch for issuance information, along with modifications within the ``orchard_digest`` to account for the inclusion of the Asset Base. +The details of these changes are described in this section, and highlighted using the ``[UPDATED FOR ZSA]`` or ``[ADDED FOR ZSA]`` text label. We omit the details of the sections that do not change for the OrchardZSA protocol. txid_digest ----------- -A BLAKE2b-256 hash of the following values :: +A BLAKE2b-256 hash of the following values:: T.1: header_digest (32-byte hash output) T.2: transparent_digest (32-byte hash output) @@ -356,74 +363,96 @@ The personalization field remains the same as in ZIP 244 [#zip-0244]_. T.4: orchard_digest ``````````````````` -When Orchard Actions are present in the transaction, this digest is a BLAKE2b-256 hash of the following values :: - - T.4a: orchard_actions_compact_digest (32-byte hash output) [UPDATED FOR ZSA] - T.4b: orchard_actions_memos_digest (32-byte hash output) [UPDATED FOR ZSA] - T.4c: orchard_actions_noncompact_digest (32-byte hash output) [UPDATED FOR ZSA] - T.4d: orchard_zsa_burn_digest (32-byte hash output) [ADDED FOR ZSA] - T.4e: flagsOrchard (1 byte) - T.4f: valueBalanceOrchard (64-bit signed little-endian) - T.4g: anchorOrchard (32 bytes) - -T.4a: orchard_actions_compact_digest -'''''''''''''''''''''''''''''''''''' - -A BLAKE2b-256 hash of the subset of Orchard Action information intended to be included in -an updated version of the ZIP-307 [#zip-0307]_ ``CompactBlock`` format for all Orchard -Actions belonging to the transaction. For each Action, the following elements are included +When OrchardZSA Actions Groups are present in the transaction, this digest is a BLAKE2b-256 hash of the following values:: + + T.4a: orchard_action_groups_digest (32-byte hash output) [ADDED FOR ZSA] + T.4b: orchard_zsa_burn_digest (32-byte hash output) [ADDED FOR ZSA] + T.4c: valueBalanceOrchard (64-bit signed little-endian) + +The personalization field of this hash is the same as in ZIP 244 [#zip-0244]_ :: + + "ZTxIdOrchardHash" + +In the case that the transaction has no OrchardZSA Action Groups, ``orchard_digest`` is :: + + BLAKE2b-256("ZTxIdOrchardHash", []) + +T.4a: orchard_action_groups_digest +'''''''''''''''''''''''''''''''''' + +A BLAKE2b-256 hash of the subset of OrchardZSA Action Groups information for all OrchardZSA Action Groups belonging to the transaction. +For each Action Group, the following elements are included in the hash:: + + T.4a.i : orchard_actions_compact_digest (32-byte hash output) + T.4a.ii : orchard_actions_memos_digest (32-byte hash output) + T.4a.iii: orchard_actions_noncompact_digest (32-byte hash output) + T.4a.iv : flagsOrchard (1 byte) + T.4a.v : anchorOrchard (32 bytes) + T.4a.vi : nAGExpiryHeight (4 bytes) + +The personalization field of this hash is set to:: + + "ZTxIdOrcActGHash" + + +T.4a.i: orchard_actions_compact_digest +...................................... + +A BLAKE2b-256 hash of the subset of OrchardZSA Action information intended to be included in +an updated version of the ZIP-307 [#zip-0307]_ ``CompactBlock`` format for all OrchardZSA +Actions belonging to the Action Group. For each Action, the following elements are included in the hash:: - T.4a.i : nullifier (field encoding bytes) - T.4a.ii : cmx (field encoding bytes) - T.4a.iii: ephemeralKey (field encoding bytes) - T.4a.iv : encCiphertext[..84] (First 84 bytes of field encoding) [UPDATED FOR ZSA] + T.4a.i.1 : nullifier (field encoding bytes) + T.4a.i.2 : cmx (field encoding bytes) + T.4a.i.3 : ephemeralKey (field encoding bytes) + T.4a.i.4 : encCiphertext[..84] (First 84 bytes of field encoding) [UPDATED FOR ZSA] The personalization field of this hash is the same as in ZIP 244:: "ZTxIdOrcActCHash" -T.4b: orchard_actions_memos_digest -'''''''''''''''''''''''''''''''''' +T.4a.ii: orchard_actions_memos_digest +..................................... -A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all Orchard -Actions belonging to the transaction. For each Action, the following elements are included +A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all OrchardZSA +Actions belonging to the Action Group. For each Action, the following elements are included in the hash:: - T.4b.i: encCiphertext[84..596] (contents of the encrypted memo field) [UPDATED FOR ZSA] + T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field) [UPDATED FOR ZSA] The personalization field of this hash remains identical to ZIP 244:: "ZTxIdOrcActMHash" -T.4c: orchard_actions_noncompact_digest -''''''''''''''''''''''''''''''''''''''' +T.4a.iii: orchard_actions_noncompact_digest +........................................... -A BLAKE2b-256 hash of the remaining subset of Orchard Action information **not** intended +A BLAKE2b-256 hash of the remaining subset of OrchardZSA Action information **not** intended for inclusion in an updated version of the the ZIP 307 [#zip-0307]_ ``CompactBlock`` -format, for all Orchard Actions belonging to the transaction. For each Action, +format, for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:: - T.4d.i : cv (field encoding bytes) - T.4d.ii : rk (field encoding bytes) - T.4d.iii: encCiphertext[596..] (post-memo suffix of field encoding) [UPDATED FOR ZSA] - T.4d.iv : outCiphertext (field encoding bytes) + T.4a.iii.1 : cv (field encoding bytes) + T.4a.iii.2 : rk (field encoding bytes) + T.4a.iii.3 : encCiphertext[596..] (post-memo suffix of field encoding) [UPDATED FOR ZSA] + T.4a.iii.4 : outCiphertext (field encoding bytes) The personalization field of this hash is defined identically to ZIP 244:: "ZTxIdOrcActNHash" -T.4d: orchard_zsa_burn_digest +T.4b: orchard_zsa_burn_digest ''''''''''''''''''''''''''''' A BLAKE2b-256 hash of the data from the burn fields of the transaction. For each tuple in the $\mathsf{assetBurn}$ set, the following elements are included in the hash:: - T.4d.i : assetBase (field encoding bytes) - T.4d.ii: valueBurn (field encoding bytes) + T.4b.i : assetBase (field encoding bytes) + T.4b.ii: valueBurn (field encoding bytes) The personalization field of this hash is set to:: @@ -434,12 +463,12 @@ $\mathsf{assetBurn}$ set is empty), the ''orchard_zsa_burn_digest'' is:: BLAKE2b-256("ZTxIdOrcBurnHash", []) -T.4d.i: assetBase +T.4b.i: assetBase ................. The Asset Base being burnt encoded as the 32-byte representation of a point on the Pallas curve. -T.4d.ii: valueBurn +T.4b.ii: valueBurn .................. Value of the Asset Base being burnt encoded as little-endian 8-byte representation of 64-bit unsigned integer (e.g. u64 in Rust) raw value. @@ -449,17 +478,79 @@ T.5: issuance_digest ```````````````````` The details of the computation of this value are in ZIP 227 [#zip-0227-txiddigest]_. -Signature Digest and Authorizing Data Commitment -================================================ +Signature Digest +================ + +The details of the changes to this algorithm are in ZIP 227 [#zip-0227-sigdigest]_. + +Authorizing Data Commitment +=========================== + +The transaction digest algorithm defined in ZIP 244 [#zip-0244-authcommitment]_ which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. +There is a new branch added for issuance information, along with modifications within the ``orchard_auth_digest`` to account for the presence of Action Groups. + +We highlight the changes for the OrchardZSA protocol via the ``[UPDATED FOR ZSA]`` or ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:: + + auth_digest + ├── transparent_scripts_digest + ├── sapling_auth_digest + ├── orchard_auth_digest [UPDATED FOR ZSA] + └── issuance_auth_digest [ADDED FOR ZSA] + +The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block. + +auth_digest +----------- +A BLAKE2b-256 hash of the following values :: + + A.1: transparent_scripts_digest (32-byte hash output) + A.2: sapling_auth_digest (32-byte hash output) + A.3: orchard_auth_digest (32-byte hash output) [UPDATED FOR ZSA] + A.4: issuance_auth_digest (32-byte hash output) [ADDED FOR ZSA] + +The personalization field of this hash remains the same as in ZIP 244. + + +A.3: orchard_auth_digest +```````````````````````` + +In the case that OrchardZSA Action Groups are present, this is a BLAKE2b-256 hash of the following values:: + + A.3a: orchard_action_groups_auth_digest (32-byte hash output) [ADDED FOR ZSA] + A.3b: bindingSigOrchard (field encoding bytes) + +The personalization field of this hash is the same as in ZIP 244, that is:: + + "ZTxAuthOrchaHash" + +In case that the transaction has no OrchardZSA Action Groups, ``orchard_auth_digest`` is:: + + BLAKE2b-256("ZTxAuthOrchaHash", []) + +A.3a: orchard_action_groups_auth_digest +''''''''''''''''''''''''''''''''''''''' + +This is a BLAKE2b-256 hash of the ``proofsOrchard`` and ``spendAuthSigsOrchard`` fields of all OrchardZSA Action Groups belonging to the transaction:: + + A.3a.i: proofsOrchard (field encoding bytes) + A.3a.ii: spendAuthSigsOrchard (field encoding bytes) + +The personalization field of this hash is set to:: + + "ZTxAuthOrcAGHash" + +A.4: issuance_auth_digest +````````````````````````` + +The details of the computation of this value are in ZIP 227 [#zip-0227-authcommitment]_. -The details of the changes to these algorithms are in ZIP 227 [#zip-0227-sigdigest]_ [#zip-0227-authcommitment]_. Security and Privacy Considerations =================================== -- After the protocol upgrade, the Orchard shielded pool will be shared by the Orchard protocol and the Orchard-ZSA protocol. -- Deploying the Orchard-ZSA protocol does not necessitate disabling the Orchard protocol. Both can co-exist and be addressed via different transaction versions (V5 for Orchard and V6 for Orchard-ZSA). Due to this, Orchard note commitments can be distinguished from Orchard-ZSA note commitments. This holds whether or not the two protocols are active simultaneously. -- Orchard-ZSA note commitments for the native asset (ZEC) are indistinguishable from Orchard-ZSA note commitments for non-native Assets. +- After the protocol upgrade, the Orchard shielded pool will be shared by the Orchard protocol and the OrchardZSA protocol. +- Deploying the OrchardZSA protocol does not necessitate disabling the Orchard protocol. Both can co-exist and be addressed via different transaction versions (V5 for Orchard and V6 for OrchardZSA). Due to this, Orchard note commitments can be distinguished from OrchardZSA note commitments. This holds whether or not the two protocols are active simultaneously. +- OrchardZSA note commitments for the native asset (ZEC) are indistinguishable from OrchardZSA note commitments for non-native Assets. - When including new Assets we would like to maintain the amount and identifiers of Assets private, which is achieved with the design. - We prevent a potential malleability attack on the Asset Identifier by ensuring the output notes receive an Asset Base that exists on the global state. @@ -469,21 +560,21 @@ Other Considerations Transaction Fees ---------------- -The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the ZSA protocol upgrade [#zip-0317b]_. +The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 230 [#zip-0230-orchardzsa-fee-calculation]_. Backward Compatibility ---------------------- -In order to have backward compatibility with the ZEC notes, we have designed the circuit to support both ZEC and ZSA notes. As we specify above, there are three main reasons we can do this: +In order to have backward compatibility with the ZEC notes, we have designed the circuit to support both ZEC and OrchardZSA notes. As we specify above, there are three main reasons we can do this: - Note commitments for ZEC notes will remain the same, while note commitments for Custom Assets will be computed taking into account the $\mathsf{AssetBase}$ value as well. -- The existing Orchard shielded pool will continue to be used for the new ZSA notes post the upgrade. +- The existing Orchard shielded pool will continue to be used for the new OrchardZSA notes post the upgrade. - The value commitment is abstracted to allow for the value base-point as a variable private input to the proof. -- The ZEC-based Actions will still include dummy input notes, whereas the ZSA-based Actions will include split input notes and will not include dummy input notes. +- The ZEC-based Actions will still include dummy input notes, whereas the OrchardZSA Actions will include split input notes and will not include dummy input notes. Deployment ----------- -The Zcash Shielded Assets protocol will be deployed in a subsequent Network Upgrade. +The Zcash Shielded Assets protocol is scheduled to be deployed in Network Upgrade 7 (NU7). Test Vectors ============ @@ -507,14 +598,16 @@ References .. [#zip-0224] `ZIP 224: Orchard `_ .. [#zip-0227] `ZIP 227: Issuance of Zcash Shielded Assets `_ .. [#zip-0227-specification-global-issuance-state] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Global Issuance State `_ -.. [#zip-0227-assetidentifier] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Asset Identifier `_ +.. [#zip-0227-assetidentifier] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Asset Identifier `_ +.. [#zip-0227-consensus] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Consensus Rule Changes `_ .. [#zip-0227-txiddigest] `ZIP 227: Issuance of Zcash Shielded Assets: TxId Digest - Issuance `_ .. [#zip-0227-sigdigest] `ZIP 227: Issuance of Zcash Shielded Assets: Signature Digest `_ -.. [#zip-0227-authcommitment] `ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment `_ +.. [#zip-0227-authcommitment] `ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment `_ .. [#zip-0230] `ZIP 230: Version 6 Transaction Format `_ +.. [#zip-0230-orchardzsa-fee-calculation] `ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation `_ .. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability `_ +.. [#zip-0244-authcommitment] `ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data Commitment `_ .. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection `_ -.. [#zip-0317b] `ZIP 317: Proportional Transfer Fee Mechanism - Pull Request #667 for ZSA Protocol ZIPs `_ .. [#protocol-notes] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2: Notes `_ .. [#protocol-actions] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.7: Action Transfers and their Descriptions `_ .. [#protocol-abstractcommit] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.1.8: Commitment `_ @@ -532,4 +625,4 @@ References .. [#protocol-actionencodingandconsensus] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 7.5: Action Description Encoding and Consensus `_ .. [#initial-zsa-issue] `User-Defined Assets and Wrapped Assets `_ .. [#generalized-value-commitments] `Comment on Generalized Value Commitments `_ -.. [#circuit-modifications] `Modifications to the Orchard circuit for the ZSA Protocol `_ +.. [#circuit-modifications] `Modifications to the Orchard circuit for the OrchardZSA Protocol `_ diff --git a/zips/zip-0227.rst b/zips/zip-0227.rst index 52ac96274..67ce28473 100644 --- a/zips/zip-0227.rst +++ b/zips/zip-0227.rst @@ -30,7 +30,7 @@ ZIP 224 [#zip-0224]_. We define the following additional terms: -- Asset: A type of note that can be transferred on the Zcash blockchain. Each Asset is identified by an Asset Identifier `Specification: Asset Identifier`_. +- Asset: A type of note that can be transferred on the Zcash blockchain. Each Asset is identified by an Asset Identifier `Specification: Asset Identifier, Asset Digest, and Asset Base`_. - ZEC is the default (and currently the only defined) Asset for the Zcash mainnet. - TAZ is the default (and currently the only defined) Asset for the Zcash testnet. @@ -44,7 +44,7 @@ We define the following additional terms: Abstract ======== -This ZIP (ZIP 227) proposes the Zcash Shielded Assets (ZSA) protocol, in conjunction with ZIP 226 [#zip-0226]_. This protocol is an extension of the Orchard protocol that enables the creation, transfer and burn of Custom Assets on the Zcash chain. The creation of such Assets is defined in this ZIP (ZIP 227), while the transfer and burn of such Assets is defined in ZIP 226 [#zip-0226]_. This ZIP must only be implemented in conjunction with ZIP 226 [#zip-0226]_. The proposed issuance mechanism is only valid for the Orchard-ZSA transfer protocol, because it produces notes that can only be transferred under ZSA. +This ZIP (ZIP 227) proposes the Orchard Zcash Shielded Assets (OrchardZSA) protocol, in conjunction with ZIP 226 [#zip-0226]_. This protocol is an extension of the Orchard protocol that enables the creation, transfer and burn of Custom Assets on the Zcash chain. The creation of such Assets is defined in this ZIP (ZIP 227), while the transfer and burn of such Assets is defined in ZIP 226 [#zip-0226]_. This ZIP must only be implemented in conjunction with ZIP 226 [#zip-0226]_. The proposed issuance mechanism is only valid for the OrchardZSA transfer protocol, because it produces notes that can only be transferred via this protocol. Motivation ========== @@ -81,7 +81,7 @@ Requirements Specification: Issuance Keys and Issuance Authorization Signature Scheme ======================================================================== -The Orchard-ZSA Protocol adds the following keys to the key components [#protocol-addressesandkeys]_ [#protocol-orchardkeycomponents]_: +The OrchardZSA Protocol adds the following keys to the key components [#protocol-addressesandkeys]_ [#protocol-orchardkeycomponents]_: 1. The issuance authorizing key, denoted as $\mathsf{isk}$, is the key used to authorize the issuance of Asset Identifiers by a given issuer, and is only used by that issuer. @@ -94,7 +94,7 @@ The relations between these keys are shown in the following diagram: :align: center :figclass: align-center - Diagram of Issuance Key Components for the Orchard-ZSA Protocol + Diagram of Issuance Key Components for the OrchardZSA Protocol Issuance Authorization Signature Scheme @@ -182,12 +182,12 @@ Define $\mathsf{IssueAuthSig.Validate} \;{\small ⦂}\; (\mathsf{ik} \;{\small where the $\mathsf{Verify}$ algorithm is defined in BIP 340 [#bip-0340]_. -Specification: Asset Identifier -=============================== +Specification: Asset Identifier, Asset Digest, and Asset Base +============================================================= -For every new Asset, there must be a new and unique Asset Identifier, denoted $\mathsf{AssetId}$. We define this to be a globally unique pair $\mathsf{AssetId} := (\mathsf{ik}, \mathsf{asset\_desc})$, where $\mathsf{ik}$ is the issuance key and $\mathsf{asset\_desc}$ is a byte string. +For every new Asset, there MUST be a new and unique Asset Identifier, denoted $\mathsf{AssetId}$. We define this to be a globally unique pair $\mathsf{AssetId} := (\mathsf{ik}, \mathsf{asset\_desc})$, where $\mathsf{ik}$ is the issuance key and $\mathsf{asset\_desc}$ is a byte string. -A given Asset Identifier is used across all Zcash protocols that support ZSAs -- that is, the Orchard-ZSA protocol and potentially future Zcash shielded protocols. For this Asset Identifier, we derive an Asset Digest, $\mathsf{AssetDigest}$, which is simply is a $\textsf{BLAKE2b-512}$ hash of the Asset Identifier. +A given Asset Identifier is used across all Zcash protocols that support ZSAs -- that is, the OrchardZSA protocol and potentially future Zcash shielded protocols. For this Asset Identifier, we derive an Asset Digest, $\mathsf{AssetDigest}$, which is simply is a $\textsf{BLAKE2b-512}$ hash of the Asset Identifier. From the Asset Digest, we derive a specific Asset Base within each shielded protocol using the applicable hash-to-curve algorithm. This Asset Base is included in shielded notes. Let @@ -195,15 +195,23 @@ Let - $\mathsf{asset\_desc}$ be the asset description, which includes any information pertaining to the issuance, and is a byte sequence of up to 512 bytes which SHOULD be a well-formed UTF-8 code unit sequence according to Unicode 15.0.0 or later. - $\mathsf{ik}$ be the issuance validating key of the issuer, a public key used to verify the signature on the issuance transaction's SIGHASH. -Define $\mathsf{AssetDigest_{AssetId}} := \textsf{BLAKE2b-512}(\texttt{“ZSA-Asset-Digest”},\; \mathsf{EncodeAssetId}(\mathsf{AssetId}))$, +Define + +.. math:: \mathsf{AssetDigest_{AssetId}} := \textsf{BLAKE2b-512}(\texttt{“ZSA-Asset-Digest”},\; \mathsf{EncodeAssetId}(\mathsf{AssetId})), + where - $\mathsf{EncodeAssetId}(\mathsf{AssetId}) = \mathsf{EncodeAssetId}((\mathsf{ik}, \mathsf{asset\_desc})) := \mathtt{0x00} || \mathsf{ik} || \mathsf{asset\_desc}\!$. - Note that the initial $\mathtt{0x00}$ byte is a version byte. -Define $\mathsf{AssetBase_{AssetId}} := \mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}})$ +Define + +.. math:: \mathsf{AssetBase_{AssetId}} := \mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}}) + +In the case of the OrchardZSA protocol, we define + +.. math:: \mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}}) := \mathsf{GroupHash}^\mathbb{P}(\texttt{"z.cash:OrchardZSA"}, \mathsf{AssetDigest_{AssetId}}) -In the case of the Orchard-ZSA protocol, we define $\mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}}) := \mathsf{GroupHash}^\mathbb{P}(\texttt{“z.cash:OrchardZSA”}, \mathsf{AssetDigest_{AssetId}})$ where $\mathsf{GroupHash}^\mathbb{P}$ is defined as in [#protocol-concretegrouphashpallasandvesta]_. The relations between the Asset Identifier, Asset Digest, and Asset Base are shown in the following diagram: @@ -213,7 +221,7 @@ The relations between the Asset Identifier, Asset Digest, and Asset Base are sho :align: center :figclass: align-center - Diagram relating the Asset Identifier, Asset Digest, and Asset Base in the ZSA Protocol + Diagram relating the Asset Identifier, Asset Digest, and Asset Base in the OrchardZSA Protocol **Note:** To keep notations light and concise, we may omit $\mathsf{AssetId}$ (resp. $\mathsf{Protocol}$) in the subscript (resp. superscript) when the Asset Identifier (resp. Protocol) is clear from the context. @@ -223,72 +231,55 @@ Wallets MUST NOT display just the $\mathsf{asset\_desc}$ string to their users a - Wallets could allow clients to provide an additional configuration file that stores a one-to-one mapping of names to Asset Identifiers via a petname system. This allows clients to rename the Assets in a way they find useful. Default versions of this file with well-known Assets listed can be made available online as a starting point for clients. - The Asset Digest could be used as a more compact bytestring to uniquely determine an Asset, and wallets could support clients scanning QR codes to load Asset information into their wallets. -Specification: Global Issuance State -==================================== -Issuance requires the following additions to the global state defined at block boundaries: +Specification: Issue Note, Issuance Action, Issuance Bundle and Issuance Protocol +================================================================================= -A map, $\mathsf{issued\_assets}$, from the Asset Base, $\mathsf{AssetBase}$, to a tuple $(\mathsf{balance}, \mathsf{final})$, for every Asset that has been issued up until the block boundary. For each Asset: +Issue Note +---------- -- The amount of the Asset in circulation, computed as the amount of the Asset that has been issued less the amount of the Asset that has been burnt, is stored in $\mathsf{balance}$. -- The boolean $\mathsf{final}$ stores the finalization status of the Asset (i.e.: whether the $\mathsf{finalize}$ flag has been set to $1$ in some issuance transaction for the Asset preceding the block boundary). The value of $\mathsf{final}$ for any Asset cannot be changed from $1$ to $0$. +Let $\ell_{\mathsf{value}}$ be as defined in §5.3 of the protocol specification [#protocol-constants]_. +An Issue Note represents that a value $\mathsf{v} : \{0 .. 2^{\ell_{\mathsf{value}}} - 1\}$ of a specific Custom Asset is issued to a recipient. +An Issue Note is a tuple $(\mathsf{d}, \mathsf{pk_d}, \mathsf{v}, \mathsf{AssetBase}, \text{ρ}, \mathsf{rseed})$, where: +- $\mathsf{d}: \mathbb{B}^{[\ell_{\mathsf{d}}]}$ is the diversifier of the recipient's shielded payment address, as in §3.2 of the protocol specification [#protocol-notes]_. +- $\mathsf{pk_d}: \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public}$ is the recipient's diversified transmission key, as in §3.2 of the protocol specification [#protocol-notes]_. +- $\mathsf{v} : \{0 .. 2^{\ell_{\mathsf{value}}} - 1\}$ is the value of the note in terms of the number of Asset tokens. +- $\mathsf{AssetBase}: \mathbb{P}^*$ is the Asset Base corresponding to the ZSA being issued in the Issue Note. +- $\text{ρ}: \mathbb{F}_{q_{\mathbb{P}}}$ is used to derive the nullifier of the note, and is computed as in `Computation of ρ`_. +- $\mathsf{rseed}: \mathbb{B}^{[\mathbb{Y}^{32}]}$ MUST be sampled uniformly at random by the issuer. -We use the notation $\mathsf{issued\_assets}(\mathsf{AssetBase}).\!\mathsf{balance}$ and $\mathsf{issued\_assets}(\mathsf{AssetBase}).\!\mathsf{final}$ to access, respectively, the balance and finalization status of the Asset stored in the global state. +The complete encoding of these fields into an ``IssueNote`` is defined in ZIP 230 [#zip-0230-issue-note]_. -Rationale for Global Issuance State ------------------------------------ +Let $\mathsf{Note^{Issue}}$ be the type of an Issue Note, i.e. -It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 [#zip-0209]_. -However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset. -Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record at the block boundary based on the issuance and burn transactions within the block. -This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the block. +.. math:: \mathsf{Note^{Issue}} := \mathbb{B}^{[\ell_{\mathsf{d}}]} \times \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public} \times \{0 .. 2^{\ell_{\mathsf{value}}} - 1\} \times \mathbb{P}^* \times \mathbb{F}_{q_{\mathbb{P}}} \times \mathbb{B}^{[\mathbb{Y}^{32}]}. -Nodes also need to ensure the rejection of blocks in which issuance of Custom Assets that have been previously finalized. -The $\mathsf{issued\_assets}$ map allows nodes to store whether or not a given Asset has been finalized. +The note commitments of Issue Notes are computed in the same manner as for OrchardZSA Notes. +They will be added to the note commitment tree as any other shielded note when the transaction issuing the Asset is included on chain. +This prevents future usage of the note from being linked to the issuance transaction, as the nullifier key is not known to the validators and chain observers. -Specification: Issuance Action, Issuance Bundle and Issuance Protocol -===================================================================== -Issuance Action Description ---------------------------- +Issuance Action +--------------- An issuance action, ``IssueAction``, is the instance of issuing a specific Custom Asset, and contains the following fields: -- ``assetDescSize``: the size of the Asset description, a number between $0$ and $512$, stored in two bytes. -- ``asset_desc``: the Asset description, a byte string of up to 512 bytes as defined in the `Specification: Asset Identifier`_ section. -- ``vNotes``: an array of ``Note`` containing the unencrypted output notes of the recipients of the Asset. +- ``assetDescSize``: the size of the Asset description, a number between $0$ and $512$. +- ``asset_desc``: the Asset description, a byte string of up to 512 bytes as defined in the `Specification: Asset Identifier, Asset Digest, and Asset Base`_ section. +- ``vNotes``: an array of Issue Notes containing the unencrypted output notes to the recipients of the Asset. - ``flagsIssuance``: a byte that stores the $\mathsf{finalize}$ boolean that defines whether the issuance of that specific Custom Asset is finalized or not. -An asset's $\mathsf{AssetDigest}$ is added to the $\mathsf{previously\_finalized}$ set after a block that contains any issuance transaction for that asset with $\mathsf{finalize} = 1$. It then cannot be removed from this set. For Assets with $\mathsf{AssetDigest} \in \mathsf{previously\_finalized}$, no further tokens can be issued, so as seen below, the validators will reject the transaction. For Assets with $\mathsf{AssetDigest} \not\in \mathsf{previously\_finalized}$, new issuance actions can be issued in future transactions. These must use the same Asset description, $\mathsf{asset\_desc}$, and can either maintain $\mathsf{finalize} = 0$ or change it to $\mathsf{finalize} = 1$, denoting that this Custom Asset cannot be issued after the containing block. - - -+-----------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------+ -| Bytes | Name | Data Type | Description | -+=============================+==========================+===========================================+=====================================================================+ -|``2`` |``assetDescSize`` |``byte`` |The length of the ``asset_desc`` string in bytes. | -+-----------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------+ -|``assetDescSize`` |``asset_desc`` |``byte[assetDescSize]`` |A byte sequence of length ``assetDescSize`` bytes which SHOULD be a | -| | | |well-formed UTF-8 code unit sequence according to Unicode 15.0.0 | -| | | |or later. | -+-----------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------+ -|``varies`` |``nNotes`` |``compactSize`` |The number of notes in the issuance action. | -+-----------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------+ -|``noteSize * nNotes`` |``vNotes`` |``Note[nNotes]`` |A sequence of note descriptions within the issuance action, | -| | | |where ``noteSize`` is the size, in bytes, of a Note. | -+-----------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------+ -|``1`` |``flagsIssuance`` |``byte`` |An 8-bit value representing a set of flags. Ordered from LSB to MSB: | -| | | | * :math:`\mathsf{finalize}` | -| | | | * The remaining bits are set to :math:`0\!`. | -+-----------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------+ - -We note that the output note commitment of the recipient's notes are not included in the actual transaction, but when added to the global state of the chain, they will be added to the note commitment tree as a shielded note. -This prevents future usage of the note from being linked to the issuance transaction, as the nullifier key is not known to the validators and chain observers. +The $\mathsf{finalize}$ boolean is set by the Issuer to signal that there will be no further issuance of the specific Custom Asset. +As we will see in `Specification: Consensus Rule Changes`_, transactions that attempt to issue further amounts of a Custom Asset that has previously been finalized will be rejected. + +The complete encoding of these fields into an ``IssueAction`` is defined in ZIP 230 [#zip-0230-issuance-action-description]_. + Issuance Bundle --------------- -An issuance bundle, ``IssueBundle``, is the aggregate of all the issuance-related information. +An issuance bundle is the aggregate of all the issuance-related information. Specifically, contains all the issuance actions and the issuer signature on the transaction SIGHASH that validates the issuance itself. It contains the following fields: @@ -296,21 +287,27 @@ It contains the following fields: - ``vIssueActions``: an array of issuance actions, of type ``IssueAction``. - $\mathsf{issueAuthSig}$: the signature of the transaction SIGHASH, signed by the issuance authorizing key, $\mathsf{isk}$, that validates the issuance. -The issuance bundle is then added within the transaction format as a new bundle. That is, issuance requires the addition of the following information to the transaction format [#protocol-txnencoding]_. - -+------------------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------------+ -| Bytes | Name | Data Type | Description | -+====================================+==========================+===========================================+===========================================================================+ -|``varies`` |``nIssueActions`` |``compactSize`` |The number of issuance actions in the bundle. | -+------------------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------------+ -|``IssueActionSize * nIssueActions`` |``vIssueActions`` |``IssueAction[nIssueActions]`` |A sequence of issuance action descriptions, where IssueActionSize is | -| | | |the size, in bytes, of an IssueAction description. | -+------------------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------------+ -|``32`` |``ik`` |``byte[32]`` |The issuance validating key of the issuer, used to validate the signature. | -+------------------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------------+ -|``64`` |``issueAuthSig`` |``byte[64]`` |The signature of the transaction SIGHASH, signed by the issuer, | -| | | |validated as in `Issuance Authorization Signature Scheme`_. | -+------------------------------------+--------------------------+-------------------------------------------+---------------------------------------------------------------------------+ +The issuance bundle is added within the transaction format as a new bundle. +The detailed encoding of the issuance bundle as a part of the V6 transaction format is defined in ZIP 230 [#zip-0230-transaction-format]_. + +Computation of ρ +---------------- + +We define a function $\mathsf{DeriveIssuedRho} : \mathbb{F}_{q_{\mathbb{P}}} \times \{0 .. 2^{32} - 1\} \times \{0 .. 2^{32} - 1\} \to \mathbb{F}_{q_{\mathbb{P}}}$ as follows: + +.. math:: \mathsf{DeriveIssuedRho}(\mathsf{nf}, \mathsf{i_{A}}, \mathsf{i_{N}}) := \mathsf{ToBase}^{\mathsf{Rho}}(\mathsf{PRF}^{\mathsf{Rho}}(\mathsf{I2LEOSP}_{256}(\mathsf{nf}), [\mathtt{0x84}] \| \mathsf{I2LEOSP}_{32}(\mathsf{i_{A}}) \| \mathsf{I2LEOSP}_{32}(\mathsf{i_{N}}))), + +where + +- $\mathsf{ToBase}^{\mathsf{Rho}} : \mathbb{B}^{512} \to \mathbb{F}_{q_{\mathbb{P}}}$ is defined as $\mathsf{ToBase}^{\mathsf{Rho}}(x) := \mathsf{LEOS2IP}_{512}(x) \mod q_{\mathbb{P}}$ +- $\mathsf{PRF}^{\mathsf{Rho}} : \mathbb{B}^{256} \times \mathbb{B}^{\mathbb{Y}^{[\mathbb{N}]}} \to \mathbb{B}^{512}$ is defined as $\mathsf{PRF}^{\mathsf{Rho}}(\mathsf{k},t) := \textsf{BLAKE2b-512}(\mathtt{"ZSA\_IssueNoteRho"}, \mathsf{k} \| t)$ + +The $\text{ρ}$ field of an Issue Note is computed as + +.. math:: \text{ρ} := \mathsf{DeriveIssuedRho}(\mathsf{nf}_{1,1}, \mathsf{index_{Action}}, \mathsf{index_{Note}}), + +where $\mathsf{nf}_{1,1}$ is the nullifier of the first Note in the first Action of the OrchardZSA Bundle of the transaction, $\mathsf{index_{Action}}$ is the index of the Issuance Action in the Issuance Bundle, and $\mathsf{index_{Note}}$ is the index of the Issue Note in the Issuance Action. + Issuance Protocol ----------------- @@ -319,12 +316,13 @@ The issuer program performs the following operations: For all actions ``IssueAction``: - encode $\mathsf{asset\_desc}$ as a UTF-8 byte string of size up to 512. -- compute $\mathsf{AssetDigest}$ from the issuance validating key $\mathsf{ik}$ and $\mathsf{asset\_desc}$ as decribed in the `Specification: Asset Identifier`_ section. -- compute $\mathsf{AssetBase}$ from $\mathsf{AssetDigest}$ as decribed in the `Specification: Asset Identifier`_ section. +- compute $\mathsf{AssetDigest}$ from the issuance validating key $\mathsf{ik}$ and $\mathsf{asset\_desc}$ as decribed in the `Specification: Asset Identifier, Asset Digest, and Asset Base`_ section. +- compute $\mathsf{AssetBase}$ from $\mathsf{AssetDigest}$ as decribed in the `Specification: Asset Identifier, Asset Digest, and Asset Base`_ section. - set the $\mathsf{finalize}$ boolean as desired (if more issuance actions are to be created for this $\mathsf{AssetBase}$, set $\mathsf{finalize} = 0$, otherwise set $\mathsf{finalize} = 1$). - for each recipient $i$: - - generate a ZSA output note that includes the Asset Base. For an Orchard-ZSA note this is $\mathsf{note}_i = (\mathsf{d}_i, \mathsf{pk}_{\mathsf{d}_i}, \mathsf{v}_i, \text{ρ}_i, \mathsf{rseed}_i, \mathsf{AssetBase}, \mathsf{rcm}_i)$. + - generate an Issue Note, $\mathsf{note}_i = (\mathsf{d}_i, \mathsf{pk}_{\mathsf{d}_i}, \mathsf{v}_i, \mathsf{AssetBase}, \text{ρ}_i, \mathsf{rseed}_i)$. + - encode the $\mathsf{note}_i$ into the vector ``vNotes`` of the ``IssueAction``. - encode the ``IssueAction`` into the vector ``vIssueActions`` of the bundle. @@ -337,34 +335,89 @@ For the ``IssueBundle``: **Note:** that the commitment is not included in the ``IssuanceAction`` itself. As explained below, it is computed later by the validators and added to the note commitment tree. +Specification: Reference Notes and Global Issuance State +======================================================== -Specification: Consensus Rule Changes -===================================== +Reference Notes +--------------- -For the ``IssueBundle``: +A reference note for a Custom Asset MUST be included by the issuer as the first Note in the Action of the Issuance Bundle where that Custom Asset is being issued for the first time. + +A reference note for a Custom Asset is an Issue Note where the value $\mathsf{v}$ is set to $0$, the Asset Base ($\mathsf{AssetBase}$) corresponds to that of the Custom Asset, and the recipient address $(\mathsf{d}, \mathsf{pk}_{\mathsf{d}})$ is set to the default diversified payment address (i.e. the diversified payment address with diversifier index $0$) derived from the all-zero Orchard spending key using the algorithm specified in §4.2.3 of the protocol specification [#protocol-orchardkeycomponents]_. This corresponds to a 43 byte ``u8`` array with the following entries:: + + [ + 204, 54, 96, 25, 89, 33, 59, 107, 12, 219, 150, 167, 92, 23, 195, 166, 104, 169, 127, 13, 106, + 140, 92, 225, 100, 165, 24, 234, 155, 169, 165, 14, 167, 81, 145, 253, 134, 27, 15, 241, 14, + 98, 176, + ] -- Validate the issuance authorization signature, $\mathsf{issueAuthSig}$, on the SIGHASH transaction hash, $\mathsf{SigHash}$, by invoking $\mathsf{IssueAuthSig.Validate}(\mathsf{ik}, \mathsf{SigHash}, \mathsf{issueAuthSig})$. -For each ``IssueAction`` in ``IssueBundle``: +Global Issuance State +--------------------- + +The maximum total supply of any issued Custom Asset is denoted by the constant $\mathsf{MAX\_ISSUE} := 2^{64} - 1$. +Issuance requires the following additions to the global state: -- check that $0 < \mathtt{assetDescSize} \leq 512$. -- check that $\mathsf{asset\_desc}$ is a string of length $\mathtt{assetDescSize}$ bytes. +A map, $\mathsf{issued\_assets} : \mathbb{P}^* \to \{0 .. \mathsf{MAX\_ISSUE}\} \times \mathbb{B} \times \mathsf{Note^{Issue}}$, from the Asset Base, $\mathsf{AssetBase} : \mathbb{P}^*$, to a tuple $(\mathsf{balance}, \mathsf{final}, \mathsf{note_{ref}})$, for every Asset that has been issued. +We use the notation $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{balance}$, $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{final}$, and $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{note_{ref}}$ to access, respectively, the elements of the tuple stored in the global state for a given $\mathsf{AssetBase}$. +If $\mathsf{issued\_assets}(\mathsf{AssetBase}) = \bot$, it is assumed that $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{balance} = 0$, $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{final} = 0$, and $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{note_{ref}} = \bot$. -- retrieve $\mathsf{AssetBase}$ from the first note in the sequence and check that $\mathsf{AssetBase}$ is derived from the issuance validating key $\mathsf{ik}$ and $\mathsf{asset\_desc}$ as described in the `Specification: Asset Identifier`_ section. -- check that $\mathsf{issued\_assets(AssetBase).final} \neq 1$ in the global state. -- check that every note in the ``IssueAction`` contains the same $\mathsf{AssetBase}$ and is properly constructed as $\mathsf{note} = (\mathsf{g_d}, \mathsf{pk_d}, \mathsf{v}, \text{ρ}, \mathsf{rseed}, \mathsf{AssetBase})$. +For any Asset represented by $\mathsf{AssetBase}$: -If all of the above checks pass, do the following: +- $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{balance} \in \{0 .. \mathsf{MAX\_ISSUE}\}$ stores the amount of the Asset in circulation, computed as the amount of the Asset that has been issued less the amount of the Asset that has been burnt. +- $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{final} : \mathbb{B}$ is a Boolean that stores the finalization status of the Asset (i.e.: whether the $\mathsf{finalize}$ flag has been set to $1$ in any preceding issuance transaction for the Asset). The value of $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{final}$ for any $\mathsf{AssetBase}$ cannot be changed from $1$ to $0$. +- $\mathsf{issued\_assets}(\mathsf{AssetBase}).\mathsf{note_{ref}} : \mathsf{Note^{Issue}}$ stores the reference note for the Asset, as defined in the `Reference Notes`_ section. -- For each note, +The maximum total supply of any issued Custom Asset is denoted by the constant $\mathsf{MAX\_ISSUE} := 2^{64} - 1$. + + +Management of the Global Issuance State +--------------------------------------- + +The issuance state, that is, the $\mathsf{issued\_assets}$ map, MUST be updated by a node during the processing of any transaction that contains burn information, or an issuance bundle. +The issuance state is chained as follows: + +- The issuance state for the first block post the activation of the OrchardZSA protocol is the empty map. +- The input issuance state for the first transaction of a block is the final issuance state of the immediately preceding block. +- The input issuance state of each subsequent transaction in the block is the output issuance state of the immediately preceding transaction. +- The final issuance state of a block is the output issuance state of the last transaction in the block. + +We describe the consensus rule changes that govern the management of the global issuance state in the `Specification: Consensus Rule Changes`_ section. +We use $\mathsf{issued\_assets}_{\mathsf{IN}}$ and $\mathsf{issued\_assets}_{\mathsf{OUT}}$ to denote the input issuance state and output issuance state for a transaction, respectively. + + +Specification: Consensus Rule Changes +===================================== - - compute the note commitment as $\mathsf{cm} = \mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})$ as defined in the Note Structure and Commitment section of ZIP 226 [#zip-0226-notestructure]_. - - Add $\mathsf{cm}$ to the Merkle tree of note commitments. - - Increase the value of $\mathsf{issued\_assets(AssetBase).balance}$ by the value of the note, $\mathsf{v}$. +For every transaction: -- If $\mathsf{finalize} = 1$, set $\mathsf{issued\_assets(AssetBase).final}$ to $1$ in the global state. +- The output issuance state of the transaction MUST be initialized to be the same as the input issuance state, $\mathsf{issued\_assets}_{\mathsf{OUT}} = \mathsf{issued\_assets}_{\mathsf{IN}}$. +- The $\mathsf{assetBurn}$ set MUST satisfy the consensus rules specified in ZIP 226 [#zip-0226-assetburn]_. +- It MUST be the case that for all $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}$, $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} \geq \mathsf{v}$. The node then MUST update $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase})$ prior to processing the issuance bundle in the following manner. For every $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{AssetBurn}$, $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} = \mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} - \mathsf{v}$. +- Let $\mathsf{SigHash}$ be the SIGHASH transaction hash of this transaction, as defined in §4.10 of the protocol specification [#protocol-sighash]_ with the modifications described in ZIP 226 [#zip-0226-txiddigest]_, using $\mathsf{SIGHASH\_ALL}$. +- If the transaction contains an Issuance Bundle, it MUST also contain at least one OrchardZSA Action. +- The issuance authorization signature, $\mathsf{issueAuthSig}$, MUST be a valid $\mathsf{IssueAuthSig}$ signature over $\mathsf{SigHash}$, i.e. $\mathsf{IssueAuthSig}.\!\mathsf{Validate}(\mathsf{ik}, \mathsf{SigHash}, \mathsf{issueAuthSig}) = 1$. +- For every issuance action description ($\mathsf{IssueAction}_\mathsf{i},\ 1 \leq i \leq \mathtt{nIssueActions}$) in the issuance bundle: -- (Replay Protection) If issue bundle is present, the fees MUST be greater than zero. + - It MUST be the case that $0 < \mathtt{assetDescSize} \leq 512$. + - It MUST be the case that $\mathsf{asset\_desc}$ is a string of length $\mathtt{assetDescSize}$ bytes. + - Every Issue Note in ``IssueAction`` MUST be a valid encoding of the $\mathsf{Note^{Issue}}$ type, and MUST encode the same $\mathsf{AssetBase}$. + - This $\mathsf{AssetBase}$ MUST satisfy the derivation from the issuance validating key and asset description described in the `Specification: Asset Identifier, Asset Digest, and Asset Base`_ section. + - It MUST be the case that $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{final} \neq 1$. + - If $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{note_{ref}} = \bot$, then let $\mathsf{note}_1$ be the first Issue Note in the Issuance Action. + + - The recipient address $(\mathsf{d}, \mathsf{pk}_{\mathsf{d}})$ of $\mathsf{note}_1$ MUST be the default diversified payment address derived from the all-zero Orchard spending key, as described in the `Reference Notes`_ section. + - The value $\mathsf{v}_0$ of $\mathsf{note}_1$ MUST be $0$. + - The node MUST update $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{note_{ref}} = \mathsf{note}_1$. + + - For every issue note description ($\mathsf{note}_{\mathsf{j}},\ 1 \leq j \leq \mathtt{nNotes}$) in ``IssueAction``: + + - The $\text{ρ}$ field of the issue note MUST have been computed as described in the `Computation of ρ`_ section. + - It MUST be the case that $\mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} + \mathsf{v} \leq \mathsf{MAX\_ISSUE}$, where $\mathsf{v}$ is the value of $\mathsf{note}_{\mathsf{j}}$. The node then MUST update $\mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} = \mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} + \mathsf{v}$. + - The node MUST compute the note commitment, $\mathsf{cm}_{\mathsf{i,j}}$, as defined in the Note Structure and Commitment section of ZIP 226 [#zip-0226-notestructure]_. + - If $\mathsf{finalize} = 1$ within the ``flagsIssuance`` field of ``IssueAction``, the node MUST set $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{final} = 1$. +- If all the consensus rules are satisfied, the node MUST add the note commitments, $\mathsf{cm}_{\mathsf{i,j}}\ \forall\ \mathsf{i} \in \{1..\mathtt{nIssueActions}\},\ \mathsf{j} \in \{1..\mathtt{nNotes}\}$, to the Merkle tree of note commitments. +- (Replay Protection) If an issue bundle is present, the fees MUST be greater than zero. @@ -372,8 +425,8 @@ Rationale ========= The following is a list of rationale for different decisions made in the proposal: -- The issuance key structure is independent of the original key tree, but derived in an analogous manner (via ZIP 32). This is in order to keep the issuance details and the Asset Identifiers consistent across multiple shielded pools. -- The design decision is not to have a chosen name to describe the Custom Asset, but to delegate it to an off-chain mapping, as this would imply a land-grab “war”. +- The issuance key structure is independent of the original key tree, but derived in an analogous manner (via ZIP 32). This keeps the issuance details and the Asset Identifiers consistent across multiple shielded pools. It also separates the issuance authority from the spend authority, allowing for the potential transfer of issuance authority without compromising the spend authority. +- The Custom Asset is described via a combination of the issuance validating key and an asset description string, to preclude the possibility of two different issuers creating colliding Custom Assets. - The $\mathsf{asset\_desc}$ is a general byte string in order to allow for a wide range of information type to be included that may be associated with the Assets. Some are: - links for storage such as for NFTs. @@ -384,6 +437,21 @@ The following is a list of rationale for different decisions made in the proposa - We limit the size of the $\mathsf{asset\_desc}$ string to 512 bytes as it is a reasonable size to store metadata about the Asset, for example in JSON format. - We require non-zero fees in the presence of an issue bundle, in order to preclude the possibility of a transaction containing only an issue bundle. If a transaction includes only an issue bundle, the SIGHASH transaction hash would be computed solely based on the issue bundle. A duplicate bundle would have the same SIGHASH transaction hash, potentially allowing for a replay attack. +Rationale for Global Issuance State +----------------------------------- + +It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 [#zip-0209]_. +However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset. +Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record based on the issuance and burn transactions processed. +This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the transaction or block. + +We limit the total issuance of any Asset to a maximum of $\mathsf{MAX\_ISSUE}$. +This is a practical limit that also allows an issuer to issue the complete supply of an Asset in a single transaction. + +Nodes also need to reject transactions that issue Custom Assets that have been previously finalized. +The $\mathsf{issued\_assets}$ map allows nodes to store whether or not a given Asset has been finalized. + + Concrete Applications --------------------- @@ -397,7 +465,6 @@ Concrete Applications - issuing a last set of tokens of that specific $\mathsf{AssetId}$, for which $\mathsf{finalize} = 1$, or by - issuing a transaction with a single note in the issuance action pertaining to that $\mathsf{AssetId}$, where the note will contain a $\mathsf{value} = 0$. This can be used for application-specific purposes (NFT collections) or for security purposes to revoke the Asset issuance (see Security and Privacy Considerations). - - Note in the above cases, that the setting of the $\mathsf{finalize}$ flag will take effect at the block boundary, that is, after all the transactions in the block. - The issuance and burn mechanisms can be used in conjunction to determine the supply of Assets on the Zcash ecosystem. This allows for the bridging of Assets defined on other chains. @@ -409,7 +476,7 @@ TxId Digest - Issuance ====================== This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. -Details of the overall changes to the transaction digest due to the Orchard-ZSA protocol can be found in ZIP 226 [#zip-0226-txiddigest]_. +Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 [#zip-0226-txiddigest]_. As in ZIP 244 [#zip-0244]_, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used. A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. Each branch of the subtree will correspond to a specific subset of issuance transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:: @@ -510,7 +577,7 @@ Signature Digest The per-input transaction digest algorithm to generate the signature digest in ZIP 244 [#zip-0244-sigdigest]_ is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly. -The overall structure of the hash is as follows. We highlight the changes for the Orchard-ZSA protocol via the ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:: +The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:: signature_digest ├── header_digest @@ -535,33 +602,15 @@ S.5: issuance_digest ```````````````````` Identical to that specified for the transaction identifier. -Authorizing Data Commitment -=========================== - -The transaction digest algorithm defined in ZIP 244 [#zip-0244-authcommitment]_ which commits to the authorizing data of a transaction is modified by the Orchard-ZSA protocol to have the following structure. -We highlight the changes for the Orchard-ZSA protocol via the ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:: - - auth_digest - ├── transparent_scripts_digest - ├── sapling_auth_digest - ├── orchard_auth_digest - └── issuance_auth_digest [ADDED FOR ZSA] - -The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block. +Authorizing Data Commitment - Issuance +====================================== -auth_digest ------------ -A BLAKE2b-256 hash of the following values :: - - A.1: transparent_scripts_digest (32-byte hash output) - A.2: sapling_auth_digest (32-byte hash output) - A.3: orchard_auth_digest (32-byte hash output) - A.4: issuance_auth_digest (32-byte hash output) [ADDED FOR ZSA] - -The personalization field of this hash remains the same as in ZIP 244. +This section covers the construction of the subtree of hashes in the authorizing data commitment that corresponds to issuance transaction data. +Details of the overall changes to the authorizing data commitment due to the OrchardZSA protocol can be found in ZIP 226 [#zip-0226-authcommitment]_. A.4: issuance_auth_digest -````````````````````````` +------------------------- + In the case that Issuance Actions are present, this is a BLAKE2b-256 hash of the field encoding of the ``issueAuthSig`` field of the transaction:: A.4a: issueAuthSig (field encoding bytes) @@ -574,13 +623,79 @@ In the case that the transaction has no Orchard Actions, ``issuance_auth_digest` BLAKE2b-256("ZTxAuthZSAOrHash", []) + +OrchardZSA Fee Calculation +========================== + +In addition to the parameters defined in the Fee calculation section of ZIP 317 [#zip-0317-fee-calc]_, the OrchardZSA protocol upgrade defines the following additional parameters: + +===================================== ========================================================================== +Parameter Value +===================================== ========================================================================== +:math:`issuance\_fee` :math:`100 \cdot marginal\_fee` per issuance action (as defined below) +===================================== ========================================================================== + +Wallets implementing this specification SHOULD use a conventional fee, viz. $zsa\_conventional\_fee$, that is +calculated in zatoshis. Additional definitions that are used in the formula for the calculation are in the table below: + +================================ ====== ==================================================================================================================== +Input Units Description +================================ ====== ==================================================================================================================== +:math:`nOrchardActions` number the number of OrchardZSA transfer actions (including ZEC actions) +:math:`nTotalOutputsZSAIssuance` number the total number of OrchardZSA issuance outputs (added across issuance actions) +:math:`nCreateActions` number the number of OrchardZSA issuance actions that issue a Custom Asset that is not present in the Global Issuance State +================================ ====== ==================================================================================================================== + +The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification [#protocol-txnencoding]_ and the global state. +They are defined in the Fee calculation section of ZIP 317 [#zip-0317-fee-calc]_. +Note that $nOrchardActions$, that is used in the computation of $logical\_actions$, is redefined in the above table, and now combines the actions for native ZEC as well as OrchardZSA transfer actions for Custom Assets. + +The formula for the computation of the $zsa\_logical\_actions$ (with the updated computation of $logical\_actions$ as described above) is: + +.. math:: + zsa\_logical\_actions = logical\_actions \;+ nTotalOutputsZSAIssuance + +The formula for the computation of the $zsa\_conventional\_fee$ is: + +.. math:: + \begin{array}{rcl} + zsa\_conventional\_fee &=& marginal\_fee \cdot \mathsf{max}(grace\_actions, zsa\_logical\_actions) \;+ \\ + & & issuance\_fee \cdot nCreateActions + \end{array} + + + + +It is not a consensus requirement that fees follow this formula; however, +wallets SHOULD create transactions that pay this fee, in order to reduce +information leakage, unless overridden by the user. + +Rationale for OrchardZSA Fee calculation +---------------------------------------- + +The OrchardZSA fee calculation accounts for the additions to the Global Issuance State that are required for the OrchardZSA protocol. +Every newly created Custom Asset adds a new row to the Global Issuance State. +Subsequent issuance, finalization, or burn of existing Custom Assets only changes the values in the corresponding row. + +This explains the need for a higher fee for the creation of entirely new Custom Assets, in order to disincentivize the creation of "junk" assets. + +OrchardZSA Fee Considerations +----------------------------- + +We choose to maintain the native ZEC Asset as the primary token for the Zcash blockchain, similar to how ETH is needed for ERC20 transactions to the benefit of the Ethereum ecosystem. + +An alternative proposal for the OrchardZSA fee mechanism that was not adopted was to adopt a new type of fee, denominated in the custom Asset being issued or transferred. +In the context of transparent transactions, such a fee allows miners to “tap into” the ZSA value of the transactions, rather than the ZEC value of transactions. +However when transactions are shielded, any design that lifts value from the transaction would also leak information about it. + + Security and Privacy Considerations =================================== Displaying Asset Identifier information to users ------------------------------------------------ -Wallets need to communicate the names of the Assets in a non-confusing way to users, since the byte representation of the Asset Identifier would be hard to read for an end user. Possible solutions are provided in the `Specification: Asset Identifier`_ section. +Wallets need to communicate the names of the Assets in a non-confusing way to users, since the byte representation of the Asset Identifier would be hard to read for an end user. Possible solutions are provided in the `Specification: Asset Identifier, Asset Digest, and Asset Base`_ section. Issuance Key Compromise ----------------------- @@ -605,7 +720,7 @@ Although not enforced in the global state, it is RECOMMENDED that Zcash full val Fee Structures -------------- -The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317 [#zip-0317b]_. +The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317, and is described in ZIP 230 [#zip-0230-orchardzsa-fee-calculation]_. Test Vectors @@ -639,16 +754,24 @@ References .. [#zip-0224] `ZIP 224: Orchard `_ .. [#zip-0226] `ZIP 226: Transfer and Burn of Zcash Shielded Assets `_ .. [#zip-0226-notestructure] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - Note Structure & Commitment `_ +.. [#zip-0226-assetburn] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - Additional Consensus Rules for the assetBurn set `_ .. [#zip-0226-txiddigest] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - TxId Digest `_ +.. [#zip-0226-authcommitment] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - Authorizing Data Commitment `_ +.. [#zip-0230-issuance-action-description] `ZIP 230: Version 6 Transaction Format: Issuance Action Description (IssueAction) `_ +.. [#zip-0230-issue-note] `ZIP 230: Version 6 Transaction Format: Issue Note (IssueNote) `_ +.. [#zip-0230-transaction-format] `ZIP 230: Version 6 Transaction Format: Transaction Format `_ +.. [#zip-0230-orchardzsa-fee-calculation] `ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation `_ .. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability `_ .. [#zip-0244-sigdigest] `ZIP 244: Transaction Identifier Non-Malleability: Signature Digest `_ -.. [#zip-0244-authcommitment] `ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data Commitment `_ -.. [#zip-0317b] `ZIP 317: Proportional Transfer Fee Mechanism `_ -.. [#bip-0043] `BIP 43: Purpose Field for Deterministic Wallets `_ +.. [#zip-0317-fee-calc] `ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation `_ +.. [#bip-0043] `BIP 43: Purpose Field for Deterministic Wallets `_ .. [#bip-0340] `BIP 340: Schnorr Signatures for secp256k1 `_ .. [#protocol-notation] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 2: Notation `_ .. [#protocol-addressesandkeys] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.1: Payment Addresses and Keys `_ +.. [#protocol-notes] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2: Notes `_ .. [#protocol-orchardkeycomponents] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.2.3: Orchard Key Components `_ +.. [#protocol-sighash] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.10: SIGHASH Transaction Hashing `_ +.. [#protocol-constants] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.3: Constants `_ .. [#protocol-concretegrouphashpallasandvesta] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.9.8: Group Hash into Pallas and Vesta `_ .. [#protocol-orchardpaymentaddrencoding] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.6.4.2: Orchard Raw Payment Addresses `_ .. [#protocol-txnencoding] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 7.1: Transaction Encoding and Consensus `_ diff --git a/zips/zip-0230.rst b/zips/zip-0230.rst index 05a236f8b..5d24ae7e9 100644 --- a/zips/zip-0230.rst +++ b/zips/zip-0230.rst @@ -24,7 +24,7 @@ Terminology The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in BCP 14 [#BCP14]_ when, and only when, they appear in all capitals. -The terms "Zcash Shielded Asset", "ZSA" and "Asset" in this document are to be interpreted as described in ZIP 226 [#zip-0226]_. +The terms "Zcash Shielded Asset", "OrchardZSA", "ZSA" and "Asset" in this document are to be interpreted as described in ZIP 226 [#zip-0226]_. The term "Issuance" and "Issuance Action" in this document are to be interpreted as described in ZIP 227 [#zip-0227]_. @@ -40,7 +40,7 @@ Abstract ======== This proposal defines a new Zcash peer-to-peer transaction format, which includes -data that supports the Orchard-ZSA protocol and all operations related to Zcash +data that supports the OrchardZSA protocol and all operations related to Zcash Shielded Assets (ZSAs). The new format adds and describes new fields containing ZSA-specific elements. Like the existing v5 transaction format, it keeps well-bounded regions of the serialized form to serve each pool of funds. @@ -57,7 +57,7 @@ The fee mechanism is defined in terms of modifications to the Proportionak Trans Motivation ========== -The Orchard-ZSA protocol requires serialized data elements that are distinct from +The OrchardZSA protocol requires serialized data elements that are distinct from any previous Zcash transaction. Since ZIP 244 was activated in NU5, the v5 and later serialized transaction formats are not consensus-critical. Thus, this ZIP defines format that can easily accommodate future extensions, @@ -76,7 +76,7 @@ This motivates further the addition of an Issuance-specific fee. Requirements ============ -The new format must fully support the Orchard-ZSA protocol. +The new format must fully support the OrchardZSA protocol. The new format should lend itself to future extension or pruning to add or remove value pools. @@ -113,107 +113,91 @@ The Zcash transaction format for transaction version 6 is as follows: Transaction Format ------------------ -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -| Bytes | Name | Data Type | Description | -+====================================+==========================+========================================+===========================================================================+ -| **Common Transaction Fields** | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``4`` |``header`` |``uint32`` |Contains: | -| | | | * ``fOverwintered`` flag (bit 31, always set) | -| | | | * ``version`` (bits 30 .. 0) – transaction version. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``4`` |``nVersionGroupId`` |``uint32`` |Version group ID (nonzero). | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``4`` |``nConsensusBranchId`` |``uint32`` |Consensus branch ID (nonzero). | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``4`` |``lock_time`` |``uint32`` |Unix-epoch UTC time or block height, encoded as in Bitcoin. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``4`` |``nExpiryHeight`` |``uint32`` |A block height in the range {1 .. 499999999} after which | -| | | |the transaction will expire, or 0 to disable expiry. | -| | | |[ZIP-203] | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``8`` |``fee`` |``int64`` |The fee to be paid by this transaction, in zatoshis. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -| **Transparent Transaction Fields** | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``tx_in_count`` |``compactSize`` |Number of transparent inputs in ``tx_in``. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``tx_in`` |``tx_in`` |Transparent inputs, encoded as in Bitcoin. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``tx_out_count`` |``compactSize`` |Number of transparent outputs in ``tx_out``. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``tx_out`` |``tx_out`` |Transparent outputs, encoded as in Bitcoin. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -| **Sapling Transaction Fields** | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``nSpendsSapling`` |``compactSize`` |Number of Sapling Spend descriptions in ``vSpendsSapling``. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``96 * nSpendsSapling`` |``vSpendsSapling`` |``SpendDescriptionV6[nSpendsSapling]`` |A sequence of Sapling Spend descriptions, encoded per | -| | | |protocol §7.3 ‘Spend Description Encoding and Consensus’. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``nOutputsSapling`` |``compactSize`` |Number of Sapling Output Decriptions in ``vOutputsSapling``. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``756 * nOutputsSapling`` |``vOutputsSapling`` |``OutputDescriptionV6[nOutputsSapling]``|A sequence of Sapling Output descriptions, encoded per | -| | | |protocol §7.4 ‘Output Description Encoding and Consensus’. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``8`` |``valueBalanceSapling`` |``int64`` |The net value of Sapling Spends minus Outputs | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``32`` |``anchorSapling`` |``byte[32]`` |A root of the Sapling note commitment tree | -| | | |at some block height in the past. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``192 * nSpendsSapling`` |``vSpendProofsSapling`` |``byte[192 * nSpendsSapling]`` |Encodings of the zk-SNARK proofs for each Sapling Spend. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``64 * nSpendsSapling`` |``vSpendAuthSigsSapling`` |``byte[64 * nSpendsSapling]`` |Authorizing signatures for each Sapling Spend. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``192 * nOutputsSapling`` |``vOutputProofsSapling`` |``byte[192 * nOutputsSapling]`` |Encodings of the zk-SNARK proofs for each Sapling Output. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``64`` |``bindingSigSapling`` |``byte[64]`` |A Sapling binding signature on the SIGHASH transaction hash. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -| **Orchard-ZSA Transaction Fields** | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``nActionsOrchard`` |``compactSize`` |The number of Orchard-ZSA Action descriptions in | -| | | |``vActionsOrchard``. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``852 * nActionsOrchard`` |``vActionsOrchard`` |``OrchardZsaAction[nActionsOrchard]`` |A sequence of Orchard-ZSA Action descriptions, encoded per | -| | | |the `Orchard-ZSA Action Description Encoding`. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``1`` |``flagsOrchard`` |``byte`` |An 8-bit value representing a set of flags. Ordered from LSB to MSB: | -| | | | * ``enableSpendsOrchard`` | -| | | | * ``enableOutputsOrchard`` | -| | | | * ``enableZSAs`` | -| | | | * The remaining bits are set to :math:`0\!`. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``8`` |``valueBalanceOrchard`` |``int64`` |The net value of Orchard spends minus outputs. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``32`` |``anchorOrchard`` |``byte[32]`` |A root of the Orchard note commitment tree at some block | -| | | |height in the past. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``sizeProofsOrchardZSA`` |``compactSize`` |Length in bytes of ``proofsOrchardZSA``. Value is **(TO UPDATE)** | -| | | |:math:`2720 + 2272 \cdot \mathtt{nActionsOrchard}\!`. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``sizeProofsOrchardZSA`` |``proofsOrchardZSA`` |``byte[sizeProofsOrchardZSA]`` |Encoding of aggregated zk-SNARK proofs for Orchard-ZSA Actions. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``64 * nActionsOrchard`` |``vSpendAuthSigsOrchard`` |``byte[64 * nActionsOrchard]`` |Authorizing signatures for each Orchard-ZSA Action. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -| ``varies`` | ``nAssetBurn`` | ``compactSize`` | The number of Assets burnt. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -| ``40 * nAssetBurn`` | ``vAssetBurn`` | ``AssetBurn[nAssetBurn]`` | A sequence of Asset Burn descriptions, | -| | | | encoded per `Orchard-ZSA Asset Burn Description`_. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``64`` |``bindingSigOrchard`` |``byte[64]`` |An Orchard-ZSA binding signature on the SIGHASH transaction hash. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -| **Orchard-ZSA Issuance Fields** | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``varies`` |``nIssueActions`` |``compactSize`` |The number of issuance actions in the bundle. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``IssueActionSize * nIssueActions`` |``vIssueActions`` |``IssueAction[nIssueActions]`` |A sequence of issuance action descriptions, where IssueActionSize is | -| | | |the size, in bytes, of an IssueAction description. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``32`` |``ik`` |``byte[32]`` |The issuance validating key of the issuer, used to validate the signature. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ -|``64`` |``issueAuthSig`` |``byte[64]`` |The signature of the transaction SIGHASH, signed by the issuer, | -| | | |validated as in Issuance Authorization Signature Scheme [#zip-0227]_. | -+------------------------------------+--------------------------+----------------------------------------+---------------------------------------------------------------------------+ ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +| Bytes | Name | Data Type | Description | ++====================================+==========================+==================================================+===========================================================================+ +| **Common Transaction Fields** | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``4`` |``header`` |``uint32`` |Contains: | +| | | | * ``fOverwintered`` flag (bit 31, always set) | +| | | | * ``version`` (bits 30 .. 0) – transaction version. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``4`` |``nVersionGroupId`` |``uint32`` |Version group ID (nonzero). | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``4`` |``nConsensusBranchId`` |``uint32`` |Consensus branch ID (nonzero). | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``4`` |``lock_time`` |``uint32`` |Unix-epoch UTC time or block height, encoded as in Bitcoin. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``4`` |``nExpiryHeight`` |``uint32`` |A block height in the range {1 .. 499999999} after which | +| | | |the transaction will expire, or 0 to disable expiry. | +| | | |[ZIP-203] | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``8`` |``fee`` |``int64`` |The fee to be paid by this transaction, in zatoshis. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +| **Transparent Transaction Fields** | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``tx_in_count`` |``compactSize`` |Number of transparent inputs in ``tx_in``. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``tx_in`` |``tx_in`` |Transparent inputs, encoded as in Bitcoin. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``tx_out_count`` |``compactSize`` |Number of transparent outputs in ``tx_out``. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``tx_out`` |``tx_out`` |Transparent outputs, encoded as in Bitcoin. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +| **Sapling Transaction Fields** | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``nSpendsSapling`` |``compactSize`` |Number of Sapling Spend descriptions in ``vSpendsSapling``. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``96 * nSpendsSapling`` |``vSpendsSapling`` |``SpendDescriptionV6[nSpendsSapling]`` |A sequence of Sapling Spend descriptions, encoded per | +| | | |protocol §7.3 ‘Spend Description Encoding and Consensus’. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``nOutputsSapling`` |``compactSize`` |Number of Sapling Output Decriptions in ``vOutputsSapling``. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``756 * nOutputsSapling`` |``vOutputsSapling`` |``OutputDescriptionV6[nOutputsSapling]`` |A sequence of Sapling Output descriptions, encoded per | +| | | |protocol §7.4 ‘Output Description Encoding and Consensus’. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``8`` |``valueBalanceSapling`` |``int64`` |The net value of Sapling Spends minus Outputs | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``32`` |``anchorSapling`` |``byte[32]`` |A root of the Sapling note commitment tree | +| | | |at some block height in the past. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``192 * nSpendsSapling`` |``vSpendProofsSapling`` |``byte[192 * nSpendsSapling]`` |Encodings of the zk-SNARK proofs for each Sapling Spend. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``64 * nSpendsSapling`` |``vSpendAuthSigsSapling`` |``byte[64 * nSpendsSapling]`` |Authorizing signatures for each Sapling Spend. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``192 * nOutputsSapling`` |``vOutputProofsSapling`` |``byte[192 * nOutputsSapling]`` |Encodings of the zk-SNARK proofs for each Sapling Output. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``64`` |``bindingSigSapling`` |``byte[64]`` |A Sapling binding signature on the SIGHASH transaction hash. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +| **OrchardZSA Transaction Fields** | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``nActionGroupsOrchard`` |``compactSize`` |The number of Action Group descriptions in ``vActionGroupsOrchard``. | +| | | |This MUST have a value of either ``0`` or ``1``. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``vActionGroupsOrchard`` |``ActionGroupDescription[nActionGroupsOrchard]`` |A sequence of Action Group descriptions, encoded as per the | +| | | |`OrchardZSA Action Group Description`_. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``8`` |``valueBalanceOrchard`` |``int64`` |The net value of Orchard spends minus outputs. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +| ``varies`` | ``nAssetBurn`` | ``compactSize`` | The number of Assets burnt. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +| ``40 * nAssetBurn`` | ``vAssetBurn`` | ``AssetBurn[nAssetBurn]`` | A sequence of Asset Burn descriptions, | +| | | | encoded per `OrchardZSA Asset Burn Description`_. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``64`` |``bindingSigOrchard`` |``byte[64]`` |An OrchardZSA binding signature on the SIGHASH transaction hash. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +| **OrchardZSA Issuance Fields** | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``varies`` |``nIssueActions`` |``compactSize`` |The number of issuance actions in the bundle. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``IssueActionSize * nIssueActions`` |``vIssueActions`` |``IssueAction[nIssueActions]`` |A sequence of issuance action descriptions, where IssueActionSize is | +| | | |the size, in bytes, of an IssueAction description. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``32`` |``ik`` |``byte[32]`` |The issuance validating key of the issuer, used to validate the signature. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ +|``64`` |``issueAuthSig`` |``byte[64]`` |The signature of the transaction SIGHASH, signed by the issuer, | +| | | |validated as in Issuance Authorization Signature Scheme [#zip-0227]_. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------------+ * The fields ``valueBalanceSapling`` and ``bindingSigSapling`` are present if and only if @@ -231,26 +215,21 @@ Transaction Format ``vOutputsSapling`` and MUST be ordered such that the proof at a given index corresponds to the ``OutputDescriptionV6`` at the same index. -* The fields ``flagsOrchard``, ``valueBalanceOrchard``, ``anchorOrchard``, - ``sizeProofsOrchardZSA``, ``proofsOrchardZSA``, and ``bindingSigOrchard`` are present if and - only if $\mathtt{nActionsOrchard} > 0$. If ``valueBalanceOrchard`` is not present, +* The fields ``valueBalanceOrchard`` and ``bindingSigOrchard`` are present if and + only if $\mathtt{nActionGroupsOrchard} > 0$. If ``valueBalanceOrchard`` is not present, then $\mathsf{v^{balanceOrchard}}$ is defined to be $0$. -* The proofs aggregated in ``proofsOrchardZSA``, and the elements of - ``vSpendAuthSigsOrchard``, each have a 1:1 correspondence to the elements of - ``vActionsOrchard`` and MUST be ordered such that the proof or signature at a given - index corresponds to the ``OrchardZsaAction`` at the same index. - * The fields ``ik`` and ``issueAuthSig`` are present if and only if $\mathtt{nIssueActions} > 0$. * For coinbase transactions, the ``enableSpendsOrchard`` and ``enableZSAs`` bits MUST be set to $0$. The encodings of ``tx_in``, and ``tx_out`` are as in a version 4 transaction (i.e. unchanged from Canopy). The encodings of ``SpendDescriptionV6``, ``OutputDescriptionV6`` -, ``OrchardZsaAction``, ``AssetBurn`` and ``IssueAction`` are described below. The encoding of Sapling Spends and Outputs has -changed relative to prior versions in order to better separate data that describe the -effects of the transaction from the proofs of and commitments to those effects, and for -symmetry with this separation in the Orchard-related parts of the transaction format. +, ``ActionGroupDescription``, ``AssetBurn`` and ``IssueAction`` are described below. +The encoding of Sapling Spends and Outputs has changed relative to prior versions in order +to better separate data that describe the effects of the transaction from the proofs of and +commitments to those effects, and for symmetry with this separation in the Orchard-related parts +of the transaction format. Sapling Spend Description (``SpendDescriptionV6``) -------------------------------------------------- @@ -292,8 +271,54 @@ Sapling Output Description (``OutputDescriptionV6``) The encodings of each of these elements are defined in §7.4 ‘Output Description Encoding and Consensus’ of the Zcash Protocol Specification [#protocol-outputdesc]_. -Orchard-ZSA Action Description (``OrchardZsaAction``) ------------------------------------------------------ +OrchardZSA Action Group Description +----------------------------------- + +The OrchardZSA Action Group Description is encoded in a transaction as an instance of an ``ActionGroupDescription`` type: + ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ +| Bytes | Name | Data Type | Description | ++====================================+==========================+==================================================+=====================================================================+ +|``varies`` |``nActionsOrchard`` |``compactSize`` |The number of Action descriptions in ``vActionsOrchard``. | +| | | |This MUST have a value strictly greater than ``0``. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ +|``852 * nActionsOrchard`` |``vActionsOrchard`` |``OrchardZSAAction[nActionsOrchard]`` |A sequence of OrchardZSA Action descriptions in the Action Group. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ +|``1`` |``flagsOrchard`` |``byte`` |As defined in Section 7.1 of the Protocol | +| | | |Specification [#protocol-txnencoding]_. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ +|``32`` |``anchorOrchard`` |``byte[32]`` |As defined in Section 7.1 of the Protocol | +| | | |Specification [#protocol-txnencoding]_. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ +|``varies`` |``sizeProofsOrchard`` |``compactSize`` |As defined in Section 7.1 of the Protocol | +| | | |Specification [#protocol-txnencoding]_. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ +|``sizeProofsOrchard`` |``proofsOrchard`` |``byte[sizeProofsOrchard]`` |The aggregated zk-SNARK proof for all Actions in the Action Group. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ +|``4`` |``nAGExpiryHeight`` |``uint32`` |A block height (in the future) after which the Actions of the | +| | | |Action Group become invalid and should be rejected by consensus. | +| | | |This MUST have a value of ``0``. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ +|``64 * nActionsOrchard`` |``vSpendAuthSigsOrchard`` |``byte[64 * nActionsOrchard]`` |Authorizing signatures for each Action of the Action Group in a | +| | | |transaction. | ++------------------------------------+--------------------------+--------------------------------------------------+---------------------------------------------------------------------+ + +The encoding of ``OrchardZSAAction`` is described below. + +* The proofs aggregated in ``proofsOrchardZSA``, and the elements of + ``vSpendAuthSigsOrchard``, each have a 1:1 correspondence to the elements of + ``vActionsOrchard`` and MUST be ordered such that the proof or signature at a given + index corresponds to the ``OrchardZSAAction`` at the same index. + +Rationale for nAGExpiryHeight +````````````````````````````` + +We introduce the ``nAGExpiryHeight`` field in this transaction format in order to be forward compatible with Swaps over ZSAs, as proposed in ZIP 228 [#zip-0228]_. +For the OrchardZSA protocol, which does not make use of an additional expiry height for transactions, we set the value of ``nAGExpiryHeight`` to be ``0`` by consensus. +This serves as a default value to represent the situation where there is no expiry, analogous to the convention adopted for ``nExpiryHeight`` in ZIP 203 [#zip-0203]. + +OrchardZSA Action Description (``OrchardZSAAction``) +---------------------------------------------------- +-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+ | Bytes | Name | Data Type | Description | @@ -309,7 +334,7 @@ Orchard-ZSA Action Description (``OrchardZsaAction``) |``32`` |``cmx`` |``byte[32]`` |The :math:`x\!`-coordinate of the note commitment for the | | | | |output note. | +-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+ -|``32`` |``ephemeralKey`` |``byte[32]`` |An encoding of an ephemeral Pallas public key | +|``32`` |``ephemeralKey`` |``byte[32]`` |An encoding of an ephemeral Pallas public key. | +-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+ |``612`` |``encCiphertext`` |``byte[580]`` |The encrypted contents of the note plaintext. | +-----------------------------+--------------------------+--------------------------------------+------------------------------------------------------------+ @@ -321,15 +346,15 @@ Orchard-ZSA Action Description (``OrchardZsaAction``) The encodings of each of these elements are defined in §7.5 ‘Action Description Encoding and Consensus’ of the Zcash Protocol Specification [#protocol-actiondesc]_. -Orchard-ZSA Asset Burn Description +OrchardZSA Asset Burn Description ---------------------------------- -An Orchard-ZSA Asset Burn description is encoded in a transaction as an instance of an ``AssetBurn`` type: +An OrchardZSA Asset Burn description is encoded in a transaction as an instance of an ``AssetBurn`` type: +-------+---------------+-----------------------------+--------------------------------------------------------------------------------------------------------------------+ | Bytes | Name | Data Type | Description | +=======+===============+=============================+====================================================================================================================+ -| 32 | ``AssetBase`` | ``byte[32]`` | For the Orchard-based ZSA protocol, this is the encoding of the Asset Base :math:`\mathsf{AssetBase^{Orchard}}\!`. | +| 32 | ``AssetBase`` | ``byte[32]`` | For the OrchardZSA protocol, this is the encoding of the Asset Base :math:`\mathsf{AssetBase^{Orchard}}\!`. | +-------+---------------+-----------------------------+--------------------------------------------------------------------------------------------------------------------+ | 8 | ``valueBurn`` | ``uint64`` | The amount being burnt. The value is checked by consensus to be non-zero. | +-------+---------------+-----------------------------+--------------------------------------------------------------------------------------------------------------------+ @@ -392,69 +417,6 @@ An issuance note, ``IssueNote`` contains the following fields: | | | |protocol §3.2.1 'Note Plaintexts and Memo Fields'. | +-----------------------------+--------------------------+--------------------------------------+--------------------------------------------------------------------+ -OrchardZSA Fee Calculation -========================== - -In addition to the parameters defined in the Fee calculation section of ZIP 317 [#zip-0317-fee-calc]_, the OrchardZSA protocol upgrade defines the following additional parameters: - -===================================== ========================================================================== -Parameter Value -===================================== ========================================================================== -:math:`\mathsf{issuance\_fee}` :math:`100 \cdot marginal\_fee` per issuance action (as defined below) -===================================== ========================================================================== - -Wallets implementing this specification SHOULD use a conventional fee, viz. $\mathsf{zsa\_conventional\_fee}$, that is -calculated in zatoshis. Additional definitions that are used in the formula for the calculation are in the table below: - -========================================= ====== ==================================================================================================================== -Input Units Description -========================================= ====== ==================================================================================================================== -:math:`\mathsf{nOrchardActions}` number the number of OrchardZSA transfer actions (including ZEC actions) -:math:`\mathsf{nTotalOutputsZsaIssuance}` number the total number of OrchardZSA issuance outputs (added across issuance actions) -:math:`\mathsf{nCreateActions}` number the number of OrchardZSA issuance actions that issue a Custom Asset that is not present in the Global Issuance State -========================================= ====== ==================================================================================================================== - -The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification [#protocol-txnencoding]_ and the global state. -They are defined in the Fee calculation section of ZIP 317 [#zip-0317-fee-calc]_. -Note that $\mathsf{nOrchardActions}$, that is used in the computation of $\mathsf{logical\_actions}$, is redefined in -the above table, and now combines the actions for native ZEC as well as OrchardZSA transfer actions for Custom Assets. - -The formula for the computation of the $\mathsf{zsa\_logical\_actions}$ (with the updated computation of -$\mathsf{logical\_actions}$ as described above) is: - -.. math:: - \mathsf{zsa\_logical\_actions} = \mathsf{logical\_actions} \;+ \mathsf{nTotalOutputsZsaIssuance} - -The formula for the computation of the $\mathsf{zsa\_conventional\_fee}$ is: - -.. math:: - \begin{array}{rcl} - \mathsf{zsa\_conventional\_fee} &=& \mathsf{marginal\_fee} \cdot \mathsf{max}(\mathsf{grace\_actions}, \mathsf{zsa\_logical\_actions}) \;+ \\ - & & \mathsf{issuance\_fee} \cdot \mathsf{nCreateActions} - \end{array} - -It is not a consensus requirement that fees follow this formula; however, -wallets SHOULD create transactions that pay this fee, in order to reduce -information leakage, unless overridden by the user. - -Rationale for OrchardZSA Fee calculation ----------------------------------------- - -The OrchardZSA fee calculation accounts for the additions to the Global Issuance State that are required for the OrchardZSA protocol. -Every newly created Custom Asset adds a new row to the Global Issuance State. -Subsequent issuance, finalization, or burn of existing Custom Assets only changes the values in the corresponding row. - -This explains the need for a higher fee for the creation of entirely new Custom Assets, in order to disincentivize the creation of "junk" assets. - -OrchardZSA Fee Considerations ------------------------------ - -We choose to maintain the native ZEC Asset as the primary token for the Zcash blockchain, similar to how ETH is needed for ERC20 transactions to the benefit of the Ethereum ecosystem. - -An alternative proposal for the OrchardZSA fee mechanism that was not adopted was to adopt a new type of fee, denominated in the custom Asset being issued or transferred. -In the context of transparent transactions, such a fee allows miners to “tap into” the ZSA value of the transactions, rather than the ZEC value of transactions. -However when transactions are shielded, any design that lifts value from the transaction would also leak information about it. - Deployment ========== @@ -478,9 +440,11 @@ References .. [#protocol-outputdesc] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.5: Output Descriptions `_ .. [#protocol-actiondesc] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.6: Action Descriptions `_ .. [#protocol-txnencoding] `Zcash Protocol Specification, Version 2022.3.8. Section 7.1: Transaction Encoding and Consensus `_ -.. [#zip-0226] `ZIP 226: Transfer and Burn of Zcash Shielded Assets `_ -.. [#zip-0227] `ZIP 227: Issuance of Zcash Shielded Assets `_ -.. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability `_ +.. [#zip-0203] `ZIP 203: Transaction Expiry `_ +.. [#zip-0226] `ZIP 226: Transfer and Burn of Zcash Shielded Assets `_ +.. [#zip-0227] `ZIP 227: Issuance of Zcash Shielded Assets `_ +.. [#zip-0228] `ZIP 228: Asset Swaps for Zcash Shielded Assets `_ +.. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability `_ .. [#zip-0254] `ZIP 254: Deployment of the NU7 Network Upgrade `_ -.. [#zip-0317] `ZIP 317: Proportional Transfer Fee Mechanism `_ -.. [#zip-0317-fee-calc] `ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation `_ +.. [#zip-0317] `ZIP 317: Proportional Transfer Fee Mechanism `_ +.. [#zip-0317-fee-calc] `ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation `_