From c0c2600b34e36879843935cd1da04a9550be4c1d Mon Sep 17 00:00:00 2001 From: Vivek Arte <46618816+vivek-arte@users.noreply.github.com> Date: Thu, 15 Aug 2024 14:52:23 +0530 Subject: [PATCH] Updating specification of the global issuance state, the issued_assets map (#59) This adds a map called `issued_assets` to the global state. This is used to track ZSA balances in the shielded pool along the lines of ZIP 209. This should resolve https://github.com/zcash/zips/issues/844. --- rendered/zip-0226.html | 154 +++++++++++++++++++++++----------------- rendered/zip-0227.html | 156 ++++++++++++++++++++++++++--------------- zips/zip-0226.rst | 10 ++- zips/zip-0227.rst | 34 +++++++-- 4 files changed, 221 insertions(+), 133 deletions(-) diff --git a/rendered/zip-0226.html b/rendered/zip-0226.html index c54818e33..5fdacb6ce 100644 --- a/rendered/zip-0226.html +++ b/rendered/zip-0226.html @@ -32,7 +32,7 @@ @@ -48,18 +48,18 @@ . This Asset Identifier maps to an Asset Base \(\mathsf{AssetBase}\) that is stored in Orchard-based ZSA notes. These terms are formally defined in ZIP 227 5.

-

The Asset Identifier (via means of the Asset Digest and Asset Base) will be used to enforce that the balance of an Action Description 15 28 is preserved across Assets (see the Orchard Binding Signature 18), and by extension the balance of an Orchard transaction. That is, the sum of all the +

The Asset Identifier (via means of the Asset Digest and Asset Base) will be used to enforce that the balance of an Action Description 16 29 is preserved across Assets (see the Orchard Binding Signature 19), and by extension the balance of an Orchard transaction. That is, the sum of all the \(\mathsf{value^{net}}\) from each Action Description, computed as \(\mathsf{value^{old}} - \mathsf{value^{new}}\!\) , must be balanced only with respect to the same Asset Identifier. This is especially important since we will allow different Action Descriptions to transfer notes of different Asset Identifiers, where the overall balance is checked without revealing which (or how many distinct) Assets are being transferred.

-

As was initially proposed by Jack Grigg and Daira-Emma Hopwood 29 30, we propose to make this happen by changing the value base point, +

As was initially proposed by Jack Grigg and Daira-Emma Hopwood 30 31, we propose to make this happen by changing the value base point, \(\mathcal{V}^{\mathsf{Orchard}}\!\) , in the Homomorphic Pedersen Commitment that derives the value commitment, \(\mathsf{cv^{net}}\!\) , of the net value in an Orchard Action.

-

Because in a single transaction all value commitments are balanced, there must be as many different value base points as there are Asset Identifiers for a given shielded protocol used in a transaction. We propose to make the Asset Base an auxiliary input to the proof for each Action statement 20, represented already as a point on the Pallas curve. The circuit then should check that the same Asset Base is used in the old note commitment and the new note commitment 25, and as the base point in the value commitment 24. This ensures (1) that the input and output notes are of the same Asset Base, and (2) that only Actions with the same Asset Base will balance out in the Orchard binding signature.

-

In order to ensure the security of the transfers, and as we will explain below, we are redefining input dummy notes 17 for Custom Assets, as we need to enforce that the +

Because in a single transaction all value commitments are balanced, there must be as many different value base points as there are Asset Identifiers for a given shielded protocol used in a transaction. We propose to make the Asset Base an auxiliary input to the proof for each Action statement 21, represented already as a point on the Pallas curve. The circuit then should check that the same Asset Base is used in the old note commitment and the new note commitment 26, and as the base point in the value commitment 25. This ensures (1) that the input and output notes are of the same Asset Base, and (2) that only Actions with the same Asset Base will balance out in the Orchard binding signature.

+

In order to ensure the security of the transfers, and as we will explain below, we are redefining input dummy notes 18 for Custom Assets, as we need to enforce that the \(\mathsf{AssetBase}\) of the output note of that Split Action is the output of a valid \(\mathsf{ZSAValueBase}\) @@ -98,7 +98,7 @@ be the type of a ZSA note, i.e. \(\mathsf{Note^{OrchardZSA}} := \mathsf{Note^{Orchard}} \times \mathbb{P}^*\!\) .

-

An Orchard ZSA note differs from an Orchard note 14 by additionally including the Asset Base, +

An Orchard ZSA note differs from an Orchard note 15 by additionally including the Asset Base, \(\mathsf{AssetBase}\!\) . So a ZSA note is a tuple \((\mathsf{g_d}, \mathsf{pk_d}, \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})\!\) @@ -106,7 +106,7 @@

Backwards Compatibility with ZEC Notes

-

The input note in the old note commitment integrity check must either include an Asset Base (ZSA note) or not (pre-ZSA Orchard note). If the note is a pre-ZSA Orchard note, the note commitment is computed in the original Orchard fashion 16. If the note is a ZSA note, the note commitment is computed as defined in the Note Structure & Commitment section.

+

The input note in the old note commitment integrity check must either include an Asset Base (ZSA note) or not (pre-ZSA Orchard note). If the note is a pre-ZSA Orchard note, the note commitment is computed in the original Orchard fashion 17. If the note is a ZSA note, the note commitment is computed as defined in the Note Structure & Commitment section.

Orchard-ZSA Transaction Structure

-

The transaction format for v6 transactions is described in ZIP 230 10.

+

The transaction format for v6 transactions is described in ZIP 230 11.

TxId Digest

-

The transaction digest algorithm defined in ZIP 244 11 is modified by the ZSA protocol to add a new branch for issuance information, along with modifications within the orchard_digest to account for the inclusion of the Asset Base. The details of these changes are described in this section, and highlighted using the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the ZSA protocol.

+

The transaction digest algorithm defined in ZIP 244 12 is modified by the ZSA protocol to add a new branch for issuance information, along with modifications within the orchard_digest to account for the inclusion of the Asset Base. The details of these changes are described in this section, and highlighted using the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the ZSA protocol.

txid_digest

A BLAKE2b-256 hash of the following values

T.1: header_digest       (32-byte hash output)
@@ -465,7 +479,7 @@ 
The
 T.3: sapling_digest      (32-byte hash output)
 T.4: orchard_digest      (32-byte hash output)  [UPDATED FOR ZSA]
 T.5: issuance_digest     (32-byte hash output)  [ADDED FOR ZSA]
-

The personalization field remains the same as in ZIP 244 11.

+

The personalization field remains the same as in ZIP 244 12.

T.4: orchard_digest

When Orchard Actions are present in the transaction, this digest is a BLAKE2b-256 hash of the following values

T.4a: orchard_actions_compact_digest      (32-byte hash output)          [UPDATED FOR ZSA]
@@ -476,7 +490,7 @@ 
The
 T.4f: valueBalanceOrchard                 (64-bit signed little-endian)
 T.4g: anchorOrchard                       (32 bytes)
T.4a: orchard_actions_compact_digest
-

A BLAKE2b-256 hash of the subset of Orchard Action information intended to be included in an updated version of the ZIP-307 12 CompactBlock format for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

+

A BLAKE2b-256 hash of the subset of Orchard Action information intended to be included in an updated version of the ZIP-307 13 CompactBlock format for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

T.4a.i  : nullifier            (field encoding bytes)
 T.4a.ii : cmx                  (field encoding bytes)
 T.4a.iii: ephemeralKey         (field encoding bytes)
@@ -491,7 +505,7 @@ 
The
                         
"ZTxIdOrcActMHash"
T.4c: orchard_actions_noncompact_digest
-

A BLAKE2b-256 hash of the remaining subset of Orchard Action information not intended for inclusion in an updated version of the the ZIP 307 12 CompactBlock format, for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

+

A BLAKE2b-256 hash of the remaining subset of Orchard Action information not intended for inclusion in an updated version of the the ZIP 307 13 CompactBlock format, for all Orchard Actions belonging to the transaction. For each Action, the following elements are included in the hash:

T.4d.i  : cv                    (field encoding bytes)
 T.4d.ii : rk                    (field encoding bytes)
 T.4d.iii: encCiphertext[596..]  (post-memo suffix of field encoding)  [UPDATED FOR ZSA]
@@ -520,12 +534,12 @@ 
The

T.5: issuance_digest

-

The details of the computation of this value are in ZIP 227 7.

+

The details of the computation of this value are in ZIP 227 8.

Signature Digest and Authorizing Data Commitment

-

The details of the changes to these algorithms are in ZIP 227 8 9.

+

The details of the changes to these algorithms are in ZIP 227 9 10.

Security and Privacy Considerations

Other Considerations

Transaction Fees

-

The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the ZSA protocol upgrade 13.

+

The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the ZSA protocol upgrade 14.

Backward Compatibility

In order to have backward compatibility with the ZEC notes, we have designed the circuit to support both ZEC and ZSA notes. As we specify above, there are three main reasons we can do this:

@@ -609,10 +623,18 @@

The - +
+ + + +
6ZIP 227: Issuance of Zcash Shielded Assets: Specification: Global Issuance State
+ + + + @@ -620,7 +642,7 @@

The

7 ZIP 227: Issuance of Zcash Shielded Assets: Specification: Asset Identifier
- + @@ -628,7 +650,7 @@

The

78 ZIP 227: Issuance of Zcash Shielded Assets: TxId Digest - Issuance
- + @@ -636,7 +658,7 @@

The

89 ZIP 227: Issuance of Zcash Shielded Assets: Signature Digest
- + @@ -644,7 +666,7 @@

The

910 ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment
- + @@ -652,7 +674,7 @@

The

1011 ZIP 230: Version 6 Transaction Format
- + @@ -660,7 +682,7 @@

The

1112 ZIP 244: Transaction Identifier Non-Malleability
- + @@ -668,7 +690,7 @@

The

1213 ZIP 307: Light Client Protocol for Payment Detection
- + @@ -676,7 +698,7 @@

The

1314 ZIP 317: Proportional Transfer Fee Mechanism - Pull Request #667 for ZSA Protocol ZIPs
- + @@ -684,7 +706,7 @@

The

1415 Zcash Protocol Specification, Version 2023.4.0. Section 3.2: Notes
- + @@ -692,7 +714,7 @@

The

1516 Zcash Protocol Specification, Version 2023.4.0. Section 3.7: Action Transfers and their Descriptions
- + @@ -700,7 +722,7 @@

The

1617 Zcash Protocol Specification, Version 2023.4.0. Section 4.1.8: Commitment
- + @@ -708,7 +730,7 @@

The

1718 Zcash Protocol Specification, Version 2023.4.0. Section 4.8.3: Dummy Notes (Orchard)
- + @@ -716,7 +738,7 @@

The

1819 Zcash Protocol Specification, Version 2023.4.0. Section 4.14: Balance and Binding Signature (Orchard)
- + @@ -724,7 +746,7 @@

The

1920 Zcash Protocol Specification, Version 2023.4.0. Section 4.16: Note Commitments and Nullifiers
- + @@ -732,7 +754,7 @@

The

2021 Zcash Protocol Specification, Version 2023.4.0. Section 4.17.4: Action Statement (Orchard)
- + @@ -740,7 +762,7 @@

The

2122 Zcash Protocol Specification, Version 2023.4.0. Section 5.1: Integers, Bit Sequences, and Endianness
- + @@ -748,7 +770,7 @@

The

2223 Zcash Protocol Specification, Version 2023.4.0. Section 5.3: Constants
- + @@ -756,7 +778,7 @@

The

2324 Zcash Protocol Specification, Version 2023.4.0. Section 5.4.1.9: Sinsemilla hash function
- + @@ -764,7 +786,7 @@

The

2425 Zcash Protocol Specification, Version 2023.4.0. Section 5.4.8.3: Homomorphic Pedersen commitments (Sapling and Orchard)
- + @@ -772,7 +794,7 @@

The

2526 Zcash Protocol Specification, Version 2023.4.0. Section 5.4.8.4: Sinsemilla commitments
- + @@ -780,7 +802,7 @@

The

2627 Zcash Protocol Specification, Version 2023.4.0. Section 5.4.9.6: Pallas and Vesta
- + @@ -788,7 +810,7 @@

The

2728 Zcash Protocol Specification, Version 2023.4.0. Section 5.5: Encodings of Note Plaintexts and Memo Fields
- + @@ -796,7 +818,7 @@

The

2829 Zcash Protocol Specification, Version 2023.4.0. Section 7.5: Action Description Encoding and Consensus
- + @@ -804,7 +826,7 @@

The

2930 User-Defined Assets and Wrapped Assets
- + @@ -812,7 +834,7 @@

The

3031 Comment on Generalized Value Commitments
- + diff --git a/rendered/zip-0227.html b/rendered/zip-0227.html index 3b313b876..89513e33c 100644 --- a/rendered/zip-0227.html +++ b/rendered/zip-0227.html @@ -26,7 +26,7 @@

Terminology

The key words "MUST", "MUST NOT", "SHOULD", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

The term "network upgrade" in this document is to be interpreted as described in ZIP 200 7.

-

The terms "Orchard" and "Action" in this document are to be interpreted as described in ZIP 224 8.

+

The terms "Orchard" and "Action" in this document are to be interpreted as described in ZIP 224 9.

We define the following additional terms:

  • Asset: A type of note that can be transferred on the Zcash blockchain. Each Asset is identified by an Asset Identifier Specification: Asset Identifier. @@ -43,10 +43,10 @@

Abstract

-

This ZIP (ZIP 227) proposes the Zcash Shielded Assets (ZSA) protocol, in conjunction with ZIP 226 9. This protocol is an extension of the Orchard protocol that enables the creation, transfer and burn of Custom Assets on the Zcash chain. The creation of such Assets is defined in this ZIP (ZIP 227), while the transfer and burn of such Assets is defined in ZIP 226 9. This ZIP must only be implemented in conjunction with ZIP 226 9. The proposed issuance mechanism is only valid for the Orchard-ZSA transfer protocol, because it produces notes that can only be transferred under ZSA.

+

This ZIP (ZIP 227) proposes the Zcash Shielded Assets (ZSA) protocol, in conjunction with ZIP 226 10. This protocol is an extension of the Orchard protocol that enables the creation, transfer and burn of Custom Assets on the Zcash chain. The creation of such Assets is defined in this ZIP (ZIP 227), while the transfer and burn of such Assets is defined in ZIP 226 10. This ZIP must only be implemented in conjunction with ZIP 226 10. The proposed issuance mechanism is only valid for the Orchard-ZSA transfer protocol, because it produces notes that can only be transferred under ZSA.

Motivation

-

This ZIP introduces the issuance mechanism for Custom Assets on the Zcash chain. While originally part of a single ZSA ZIP, the issuance mechanism turned out to be substantial enough to stand on its own and justify the creation of this supporting ZIP for ZIP 226 9.

+

This ZIP introduces the issuance mechanism for Custom Assets on the Zcash chain. While originally part of a single ZSA ZIP, the issuance mechanism turned out to be substantial enough to stand on its own and justify the creation of this supporting ZIP for ZIP 226 10.

This ZIP only enables transparent issuance. As a first step, transparency will allow for proper testing of the applications that will be most used in the Zcash ecosystem, and will enable the supply of Assets to be tracked.

The issuance mechanism described in this ZIP is broad enough for issuers to either create Assets on Zcash (i.e. Assets that originate on the Zcash blockchain), as well as for institutions to create bridges from other chains and import Wrapped Assets. This enables what we hope will be a useful set of applications.

@@ -73,7 +73,7 @@

Specification: Issuance Keys and Issuance Authorization Signature Scheme

-

The Orchard-ZSA Protocol adds the following keys to the key components 18 19:

+

The Orchard-ZSA Protocol adds the following keys to the key components 19 20:

  1. The issuance authorizing key, denoted as \(\mathsf{isk}\!\) @@ -90,7 +90,7 @@

    Issuance Authorization Signature Scheme

    We instantiate the issuance authorization signature scheme \(\mathsf{IssueAuthSig}\) - as a BIP-340 Schnorr signature over the secp256k1 curve. The signing and validation algorithms, signature encoding, and public key encoding MUST follow BIP 340 16.

    + as a BIP-340 Schnorr signature over the secp256k1 curve. The signing and validation algorithms, signature encoding, and public key encoding MUST follow BIP 340 17.

    Batch verification MAY be used. Precomputation MAY be used if and only if it produces equivalent results; for example, for a given verification key \(pk\) and @@ -120,7 +120,7 @@ \(k\) bytes, and \(\mathbb{B}^{\mathbb{Y}^{[\mathbb{N}]}}\) - denotes the type of byte sequences of arbitrary length, as defined in the Zcash protocol specification 17.

    + denotes the type of byte sequences of arbitrary length, as defined in the Zcash protocol specification 18.

    The issuance authorizing key generation algorithm and the issuance validating key derivation algorithm are defined in the Issuance Key Derivation section, while the corresponding signing and validation algorithms are defined in the Issuance Authorization Signing and Validation section.

    Issuance Key Derivation

    @@ -184,7 +184,7 @@

    where the \(\textit{PubKey}\) - algorithm is defined in BIP 340 16. Note that the byte representation of + algorithm is defined in BIP 340 17. Note that the byte representation of \(\mathsf{ik}\) is in big-endian order as defined in BIP 340.

    It is possible for the @@ -222,7 +222,7 @@ \(\mathsf{Sign}\) algorithm is defined in BIP 340 and \(a\) - denotes the auxiliary data used in BIP 340 16. Note that + denotes the auxiliary data used in BIP 340 17. Note that \(\mathsf{IssueAuthSig}.\!\mathsf{Sign}\) could return \(\bot\) @@ -246,7 +246,7 @@

    where the \(\mathsf{Verify}\) - algorithm is defined in BIP 340 16.

    + algorithm is defined in BIP 340 17.

Specification: Asset Identifier

@@ -291,7 +291,7 @@ \(\mathsf{ZSAValueBase}(\mathsf{AssetDigest_{AssetId}}) := \mathsf{GroupHash}^\mathbb{P}(\texttt{"z.cash:OrchardZSA"}, \mathsf{AssetDigest_{AssetId}})\) where \(\mathsf{GroupHash}^\mathbb{P}\) - is defined as in 20.

+ is defined as in 21.

The relations between the Asset Identifier, Asset Digest, and Asset Base are shown in the following diagram:

@@ -312,17 +312,42 @@

Specification: Global Issuance State

Issuance requires the following additions to the global state defined at block boundaries:

+

A map, + \(\mathsf{issued\_assets}\!\) + , from the Asset Base, + \(\mathsf{AssetBase}\) + , to a tuple + \((\mathsf{balance}, \mathsf{final})\!\) + , for every Asset that has been issued up until the block boundary. For each Asset:

    -
  • - \(\mathsf{previously\_finalized}\!\) - , a set of - \(\mathsf{AssetId}\) - that have been finalized (i.e.: the +
  • The amount of the Asset in circulation, computed as the amount of the Asset that has been issued less the amount of the Asset that has been burnt, is stored in + \(\mathsf{balance}\!\) + .
    • +
  • The boolean + \(\mathsf{final}\) + stores the finalization status of the Asset (i.e.: whether the \(\mathsf{finalize}\) flag has been set to \(1\) - in some issuance transaction preceding the block boundary).
    • + in some issuance transaction for the Asset preceding the block boundary). The value of + \(\mathsf{final}\) + for any Asset cannot be changed from + \(1\) + to + \(0\) + .
+

We use the notation + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\!\mathsf{balance}\) + and + \(\mathsf{issued\_assets}(\mathsf{AssetBase}).\!\mathsf{final}\) + to access, respectively, the balance and finalization status of the Asset stored in the global state.

+

Rationale for Global Issuance State

+

It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 8. However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset. Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record at the block boundary based on the issuance and burn transactions within the block. This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the block.

+

Nodes also need to ensure the rejection of blocks in which issuance of Custom Assets that have been previously finalized. The + \(\mathsf{issued\_assets}\) + map allows nodes to store whether or not a given Asset has been finalized.

+

Specification: Issuance Action, Issuance Bundle and Issuance Protocol

Issuance Action Description

@@ -429,7 +454,7 @@ \(\mathsf{isk}\!\) , that validates the issuance. -

The issuance bundle is then added within the transaction format as a new bundle. That is, issuance requires the addition of the following information to the transaction format 22.

+

The issuance bundle is then added within the transaction format as a new bundle. That is, issuance requires the addition of the following information to the transaction format 23.

3132 Modifications to the Orchard circuit for the ZSA Protocol
@@ -551,11 +576,9 @@ and \(\mathsf{asset\_desc}\) as described in the Specification: Asset Identifier section. -
  • check that the - \(\mathsf{AssetDigest}\) - does not exist in the - \(\mathsf{previously\_finalized}\) - set in the global state.
    • +
  • check that + \(\mathsf{issued\_assets(AssetBase).final} \neq 1\) + in the global state.
  • check that every note in the IssueAction contains the same \(\mathsf{AssetBase}\) and is properly constructed as @@ -564,19 +587,28 @@

    If all of the above checks pass, do the following:

      -
    • For each note, compute the note commitment as - \(\mathsf{cm} = \mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})\) - as defined in the Note Structure and Commitment section of ZIP 226 10 and
      • -
    • Add - \(\mathsf{cm}\) - to the Merkle tree of note commitments.
      • +
    • For each note, +
        +
      • compute the note commitment as + \(\mathsf{cm} = \mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})\) + as defined in the Note Structure and Commitment section of ZIP 226 11.
        • +
      • Add + \(\mathsf{cm}\) + to the Merkle tree of note commitments.
        • +
      • Increase the value of + \(\mathsf{issued\_assets(AssetBase).balance}\) + by the value of the note, + \(\mathsf{v}\) + .
        • +
      +
    • If \(\mathsf{finalize} = 1\!\) - , add - \(\mathsf{AssetDigest}\) - to the - \(\mathsf{previously\_finalized}\) - set immediately after the block in which this transaction occurs.
      • + , set + \(\mathsf{issued\_assets(AssetBase).final}\) + to + \(1\) + in the global state immediately after the block in which this transaction occurs.
    • (Replay Protection) If issue bundle is present, the fees MUST be greater than zero.
    @@ -598,8 +630,8 @@
  • We require a check whether the \(\mathsf{finalize}\) flag only has been set in a previous block rather than a previous transaction in the same block. In other words, we only update the - \(\mathsf{previously\_finalized}`\) - set at the block boundary. This is in keeping with the current property which allows for a miner to reorder transactions in a block without changing the meaning, which we aim to preserve.
    • + \(\mathsf{issued\_assets}\) + map at the block boundary. This is in keeping with the current property which allows for a miner to reorder transactions in a block without changing the meaning, which we aim to preserve.
  • We require non-zero fees in the presence of an issue bundle, in order to preclude the possibility of a transaction containing only an issue bundle. If a transaction includes only an issue bundle, the SIGHASH transaction hash would be computed solely based on the issue bundle. A duplicate bundle would have the same SIGHASH transaction hash, potentially allowing for a replay attack.

    • Concrete Applications

    @@ -607,7 +639,7 @@
    • By using the \(\mathsf{finalize}\) - boolean and the burning mechanism defined in 9, issuers can control the supply production of any Asset associated to their issuer keys. For example, + boolean and the burning mechanism defined in 10, issuers can control the supply production of any Asset associated to their issuer keys. For example,
      • by setting \(\mathsf{finalize} = 1\) @@ -643,7 +675,7 @@

    TxId Digest - Issuance

    -

    This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the Orchard-ZSA protocol can be found in ZIP 226 11. As in ZIP 244 12, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.

    +

    This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the Orchard-ZSA protocol can be found in ZIP 226 12. As in ZIP 244 13, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.

    A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. Each branch of the subtree will correspond to a specific subset of issuance transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:

    issuance_digest
 ├── issue_actions_digest
@@ -679,7 +711,7 @@
                         
    In case the transaction has no Issue Notes, ''issue_notes_digest'' is:
    
                         
    BLAKE2b-256("ZTxIdIAcNoteHash", [])
    
                         
    T.5a.i.1: recipient 
    
-                            
    This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification 21.
    
+                            
    This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification 22.
    
                         
    
                         
    T.5a.i.2: value 
    
                             
    Note value encoded as little-endian 8-byte representation of 64-bit unsigned integer (e.g. u64 in Rust) raw value.
    
@@ -713,7 +745,7 @@

    Signature Digest

    -

    The per-input transaction digest algorithm to generate the signature digest in ZIP 244 13 is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

    +

    The per-input transaction digest algorithm to generate the signature digest in ZIP 244 14 is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

    The overall structure of the hash is as follows. We highlight the changes for the Orchard-ZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:

    signature_digest
 ├── header_digest
@@ -728,14 +760,14 @@
 S.3: sapling_digest         (32-byte hash output)
 S.4: orchard_digest         (32-byte hash output)
 S.5: issuance_digest        (32-byte hash output)  [ADDED FOR ZSA]
    -

    The personalization field remains the same as in ZIP 244 12.

    +

    The personalization field remains the same as in ZIP 244 13.

    S.5: issuance_digest

    Identical to that specified for the transaction identifier.

    Authorizing Data Commitment

    -

    The transaction digest algorithm defined in ZIP 244 14 which commits to the authorizing data of a transaction is modified by the Orchard-ZSA protocol to have the following structure. We highlight the changes for the Orchard-ZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:

    +

    The transaction digest algorithm defined in ZIP 244 15 which commits to the authorizing data of a transaction is modified by the Orchard-ZSA protocol to have the following structure. We highlight the changes for the Orchard-ZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the Orchard-ZSA protocol:

    auth_digest
 ├── transparent_scripts_digest
 ├── sapling_auth_digest
@@ -776,7 +808,7 @@

    Bridging Assets

    -

    For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 9. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.

    +

    For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.

    Other Considerations

    @@ -790,7 +822,7 @@ in order to properly keep track of the total supply for different Asset Identifiers. This is useful for wallets and other applications that need to keep track of the total supply of Assets.

    Fee Structures

    -

    The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317 15.

    +

    The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317 16.

    Test Vectors

    @@ -864,10 +896,18 @@
    - +
    + + + +
    8ZIP 209: Prohibit Negative Shielded Chain Value Pool Balances
    + + + + @@ -875,7 +915,7 @@
    9 ZIP 224: Orchard
    - + @@ -883,7 +923,7 @@
    910 ZIP 226: Transfer and Burn of Zcash Shielded Assets
    - + @@ -891,7 +931,7 @@
    1011 ZIP 226: Transfer and Burn of Zcash Shielded Assets - Note Structure & Commitment
    - + @@ -899,7 +939,7 @@
    1112 ZIP 226: Transfer and Burn of Zcash Shielded Assets - TxId Digest
    - + @@ -907,7 +947,7 @@
    1213 ZIP 244: Transaction Identifier Non-Malleability
    - + @@ -915,7 +955,7 @@
    1314 ZIP 244: Transaction Identifier Non-Malleability: Signature Digest
    - + @@ -923,7 +963,7 @@
    1415 ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data Commitment
    - + @@ -931,7 +971,7 @@
    1516 ZIP 317: Proportional Transfer Fee Mechanism
    - + @@ -939,7 +979,7 @@
    1617 BIP 340: Schnorr Signatures for secp256k1
    - + @@ -947,7 +987,7 @@
    1718 Zcash Protocol Specification, Version 2023.4.0. Section 2: Notation
    - + @@ -955,7 +995,7 @@
    1819 Zcash Protocol Specification, Version 2023.4.0. Section 3.1: Payment Addresses and Keys
    - + @@ -963,7 +1003,7 @@
    1920 Zcash Protocol Specification, Version 2023.4.0. Section 4.2.3: Orchard Key Components
    - + @@ -971,7 +1011,7 @@
    2021 Zcash Protocol Specification, Version 2023.4.0. Section 5.4.9.8: Group Hash into Pallas and Vesta
    - + @@ -979,7 +1019,7 @@
    2122 Zcash Protocol Specification, Version 2023.4.0. Section 5.6.4.2: Orchard Raw Payment Addresses
    - + diff --git a/zips/zip-0226.rst b/zips/zip-0226.rst index a498db3cb..34341c0bd 100644 --- a/zips/zip-0226.rst +++ b/zips/zip-0226.rst @@ -182,9 +182,12 @@ We denote by :math:`L` the cardinality of the :math:`\mathsf{assetBurn}` set. Additional Consensus Rules `````````````````````````` -1. We require that for every :math:`(\mathsf{AssetBase_{AssetId}}, \mathsf{v_{AssetId}}) \in \mathsf{assetBurn}, \mathsf{AssetBase_{AssetId}} \neq \mathcal{V}^{\mathsf{Orchard}}\!`. That is, ZEC or TAZ is not allowed to be burnt by this mechanism. -2. We require that for every :math:`(\mathsf{AssetBase_{AssetId}}, \mathsf{v_{AssetId}}) \in \mathsf{assetBurn}, \mathsf{v_{AssetId}} \neq 0\!`. -3. We require that there be no duplication of Custom Assets in the :math:`\mathsf{assetBurn}` set. That is, every :math:`\mathsf{AssetBase_{AssetId}}` has at most one entry in :math:`\mathsf{assetBurn}\!`. +1. Check that for every :math:`(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{AssetBase} \neq \mathcal{V}^{\mathsf{Orchard}}\!`. That is, ZEC or TAZ is not allowed to be burnt by this mechanism. +2. Check that for every :math:`(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{v} \neq 0\!`. +3. Check that there is no duplication of Custom Assets in the :math:`\mathsf{assetBurn}` set. That is, every :math:`\mathsf{AssetBase}` has at most one entry in :math:`\mathsf{assetBurn}\!`. +4. Check that for every :math:`(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}\!`, :math:`\mathsf{v} \leq \mathsf{issued\_assets(AssetBase).balance}\!`, where the map :math:`\mathsf{issued\_assets}` is defined in ZIP 227 [#zip-0227-specification-global-issuance-state]_. That is, it is not possible to burn more of an Asset than is currently in circulation. + +If all these checks pass, then for every :math:`(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}\!`, reduce the value of :math:`\mathsf{issued\_assets(AssetBase).balance}` in the global state by :math:`\mathsf{v}\!`. **Note:** Even if this mechanism allows having transparent ↔ shielded Asset transfers in theory, the transparent protocol will not be changed with this ZIP to adapt to a multiple Asset structure. This means that unless future consensus rules changes do allow it, unshielding will not be possible for Custom Assets. @@ -491,6 +494,7 @@ References .. [#zip-0209] `ZIP 209: Prohibit Negative Shielded Chain Value Pool Balances `_ .. [#zip-0224] `ZIP 224: Orchard `_ .. [#zip-0227] `ZIP 227: Issuance of Zcash Shielded Assets `_ +.. [#zip-0227-specification-global-issuance-state] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Global Issuance State `_ .. [#zip-0227-assetidentifier] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Asset Identifier `_ .. [#zip-0227-txiddigest] `ZIP 227: Issuance of Zcash Shielded Assets: TxId Digest - Issuance `_ .. [#zip-0227-sigdigest] `ZIP 227: Issuance of Zcash Shielded Assets: Signature Digest `_ diff --git a/zips/zip-0227.rst b/zips/zip-0227.rst index 7aed636a5..3da87f248 100644 --- a/zips/zip-0227.rst +++ b/zips/zip-0227.rst @@ -221,8 +221,24 @@ Specification: Global Issuance State Issuance requires the following additions to the global state defined at block boundaries: -- :math:`\mathsf{previously\_finalized}\!`, a set of :math:`\mathsf{AssetId}` that have been finalized (i.e.: the :math:`\mathsf{finalize}` flag has been set to :math:`1` in some issuance transaction preceding the block boundary). +A map, :math:`\mathsf{issued\_assets}\!`, from the Asset Base, :math:`\mathsf{AssetBase}`, to a tuple :math:`(\mathsf{balance}, \mathsf{final})\!`, for every Asset that has been issued up until the block boundary. For each Asset: +- The amount of the Asset in circulation, computed as the amount of the Asset that has been issued less the amount of the Asset that has been burnt, is stored in :math:`\mathsf{balance}\!`. +- The boolean :math:`\mathsf{final}` stores the finalization status of the Asset (i.e.: whether the :math:`\mathsf{finalize}` flag has been set to :math:`1` in some issuance transaction for the Asset preceding the block boundary). The value of :math:`\mathsf{final}` for any Asset cannot be changed from :math:`1` to :math:`0`. + + +We use the notation :math:`\mathsf{issued\_assets}(\mathsf{AssetBase}).\!\mathsf{balance}` and :math:`\mathsf{issued\_assets}(\mathsf{AssetBase}).\!\mathsf{final}` to access, respectively, the balance and finalization status of the Asset stored in the global state. + +Rationale for Global Issuance State +----------------------------------- + +It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 [#zip-0209]_. +However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset. +Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record at the block boundary based on the issuance and burn transactions within the block. +This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the block. + +Nodes also need to ensure the rejection of blocks in which issuance of Custom Assets that have been previously finalized. +The :math:`\mathsf{issued\_assets}` map allows nodes to store whether or not a given Asset has been finalized. Specification: Issuance Action, Issuance Bundle and Issuance Protocol ===================================================================== @@ -328,14 +344,19 @@ For each ``IssueAction`` in ``IssueBundle``: - check that :math:`\mathsf{asset\_desc}` is a string of length :math:`\mathtt{assetDescSize}` bytes. - retrieve :math:`\mathsf{AssetBase}` from the first note in the sequence and check that :math:`\mathsf{AssetBase}` is derived from the issuance validating key :math:`\mathsf{ik}` and :math:`\mathsf{asset\_desc}` as described in the `Specification: Asset Identifier`_ section. -- check that the :math:`\mathsf{AssetDigest}` does not exist in the :math:`\mathsf{previously\_finalized}` set in the global state. +- check that :math:`\mathsf{issued\_assets(AssetBase).final} \neq 1` in the global state. - check that every note in the ``IssueAction`` contains the same :math:`\mathsf{AssetBase}` and is properly constructed as :math:`\mathsf{note} = (\mathsf{g_d}, \mathsf{pk_d}, \mathsf{v}, \text{ρ}, \mathsf{rseed}, \mathsf{AssetBase})\!`. If all of the above checks pass, do the following: -- For each note, compute the note commitment as :math:`\mathsf{cm} = \mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})` as defined in the Note Structure and Commitment section of ZIP 226 [#zip-0226-notestructure]_ and -- Add :math:`\mathsf{cm}` to the Merkle tree of note commitments. -- If :math:`\mathsf{finalize} = 1\!`, add :math:`\mathsf{AssetDigest}` to the :math:`\mathsf{previously\_finalized}` set immediately after the block in which this transaction occurs. +- For each note, + + - compute the note commitment as :math:`\mathsf{cm} = \mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase})` as defined in the Note Structure and Commitment section of ZIP 226 [#zip-0226-notestructure]_. + - Add :math:`\mathsf{cm}` to the Merkle tree of note commitments. + - Increase the value of :math:`\mathsf{issued\_assets(AssetBase).balance}` by the value of the note, :math:`\mathsf{v}`. + +- If :math:`\mathsf{finalize} = 1\!`, set :math:`\mathsf{issued\_assets(AssetBase).final}` to :math:`1` in the global state immediately after the block in which this transaction occurs. + - (Replay Protection) If issue bundle is present, the fees MUST be greater than zero. @@ -353,7 +374,7 @@ The following is a list of rationale for different decisions made in the proposa - bridging information for Wrapped Assets (chain of origin, issuer name, etc) - information to be committed by the issuer, though not enforceable by the protocol. -- We require a check whether the :math:`\mathsf{finalize}` flag only has been set in a previous block rather than a previous transaction in the same block. In other words, we only update the :math:`\mathsf{previously\_finalized}`` set at the block boundary. This is in keeping with the current property which allows for a miner to reorder transactions in a block without changing the meaning, which we aim to preserve. +- We require a check whether the :math:`\mathsf{finalize}` flag only has been set in a previous block rather than a previous transaction in the same block. In other words, we only update the :math:`\mathsf{issued\_assets}` map at the block boundary. This is in keeping with the current property which allows for a miner to reorder transactions in a block without changing the meaning, which we aim to preserve. - We require non-zero fees in the presence of an issue bundle, in order to preclude the possibility of a transaction containing only an issue bundle. If a transaction includes only an issue bundle, the SIGHASH transaction hash would be computed solely based on the issue bundle. A duplicate bundle would have the same SIGHASH transaction hash, potentially allowing for a replay attack. Concrete Applications @@ -606,6 +627,7 @@ References .. [#zip-0032-key-path-levels] `ZIP 32: Shielded Hierarchical Deterministic Wallets - Key path levels `_ .. [#zip-0032-orchard-key-path] `ZIP 32: Shielded Hierarchical Deterministic Wallets - Orchard key path `_ .. [#zip-0200] `ZIP 200: Network Upgrade Mechanism `_ +.. [#zip-0209] `ZIP 209: Prohibit Negative Shielded Chain Value Pool Balances `_ .. [#zip-0224] `ZIP 224: Orchard `_ .. [#zip-0226] `ZIP 226: Transfer and Burn of Zcash Shielded Assets `_ .. [#zip-0226-notestructure] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - Note Structure & Commitment `_
    2223 Zcash Protocol Specification, Version 2023.4.0. Section 7.1: Transaction Encoding and Consensus (Transaction Version 5)