Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding issuance key derivation details #8

Merged
merged 4 commits into from
Apr 17, 2023
Merged

Conversation

vivek-arte
Copy link

@vivek-arte vivek-arte commented Mar 11, 2023

This PR contains the changes to the Issuance ZIP for the derivation of the issuance keys based on the techniques from ZIP 32.

@netlify
Copy link

netlify bot commented Mar 11, 2023

Deploy Preview for zcash-zips-qedit ready!

Name Link
🔨 Latest commit 60ba78d
🔍 Latest deploy log https://app.netlify.com/sites/zcash-zips-qedit/deploys/6433a79c5719ba00086779c6
😎 Deploy Preview https://deploy-preview-8--zcash-zips-qedit.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

zip-0227.rst Outdated
Comment on lines 121 to 132
As in ZIP 32 for Orchard [#zip-0032-orchard-child-key-derivation]_, we only use hardened child key derivation for issuance master key.
We define the following function for child key derivation:

:math:`\mathsf{CDKik}((\mathsf{sk}_{par},\mathsf{c}_{par}),i) \to (\mathsf{sk}_i, \mathsf{c}_i)`

- Check whether :math:`i \geq 2^{31}` (i.e. whether the child is a hardened key)

- If so (hardened child): Let :math:`I = \mathsf{PRF^{expand}}(\mathsf{c}_{par}, [\mathtt{0xa1}] \| \mathsf{sk}_{par} \| \mathsf{I2LEOSP}_{32}(i))`.
- If not (non-hardened child): return failure.

- Split :math:`I` into two 32-byte sequences :math:`I_L` and :math:`I_R`.
- Set :math:`(\mathsf{sk}_i, \mathsf{c}_i) = (I_L, I_R)`.
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The 0xa1 "personalization" is the only thing changed from the Orchard definition of the CDKsk function. But this domain separation seems necessary, so it required defining a fresh function (that I named CDKik for clarity)

zip-0227.rst Outdated
Comment on lines 142 to 143
- :math:`coin\_type`: a constant identifying the cryptocurrency that this subtree's keys are used with. We use the same constants as defined in SLIP 44
[#slip-0044]_ for ZEC, namely :math:`\texttt{0x80000085}`. Also, in keeping with that document, all cryptocurrency testnets share :math:`coin\_type` index :math:`1`.
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I explicitly fixed it to the ZEC value, because if we write it the way it is written in ZIP 32, it could be taken to mean that if we are issuing a wrapped BTC we should use the coin_type for BTC, and so on.

I think fixing it to ZEC seems to be the best approach, but suggestions are welcome.

@vivek-arte vivek-arte changed the base branch from zsa-zips to zsa1 March 15, 2023 13:06
Copy link

@PaulLaux PaulLaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks better.
Also, need to reapply the changes on top of the current zsa1 before the final approve.


The issuance master key is generated by choosing a bit sequence uniformly at random from :math:`\mathbb{B}^{\mathbb{Y}[32]}`, like the Orchard spending key [#protocol-orchardkeycomponents]_.

Issuance master key derivation for hierarchical deterministic wallets

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Edited this in this commit.

zip-0227.rst Outdated
Comment on lines 99 to 105
Issuance Authorization Signature Scheme
```````````````````````````````````````

We define the issuance authorization signature scheme :math:`\mathsf{IssueAuthSig}` similar to :math:`\mathsf{SpendAuthSig}^{\mathsf{Orchard}}`, the Orchard spend authorization signature scheme [#protocol-concretespendauthsig]_.
Specifically, we instantiate :math:`\mathsf{IssueAuthSig}` as :math:`\mathsf{RedPallas}` without key re-randomization using generator :math:`\mathcal{P}_{\mathbb{G}} = \mathcal{G}^{\mathsf{Issuance}} := \mathsf{GroupHash}^\mathbb{P}(\texttt{"z.cash:ZSA"}, \texttt{"Issuance"})` where :math:`\mathsf{GroupHash}^\mathbb{P}` is defined as in the Zcash protocol specification [#protocol-concretegrouphashpallasandvesta]_.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section seems out of place, I would put after the keys, just before https://deploy-preview-8--zcash-zips-qedit.netlify.app/zip-0227#asset-identifier

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason for defining it first is that IssueAuthSig is used in the Derivation of issuance authorizing key and issuance validating key section, so it needed to be defined before that.

zip-0227.rst Outdated Show resolved Hide resolved
zip-0227.rst Outdated Show resolved Hide resolved
zip-0227.rst Outdated Show resolved Hide resolved
zip-0227.rst Outdated Show resolved Hide resolved

- :math:`purpose`: a constant set to :math:`227'` (or :math:`\texttt{0x800000e3}`) following the BIP 43 recommendation.
- :math:`coin\_type`: Defined as in ZIP 32 [#zip-0032-key-path-levels]_.
- :math:`account`: fixed to index :math:`0`.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the account index equals to i from above? if so, should be specified. If not, what is i?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The i in the CDKsk definition is just the argument of the terms in the path - so m / a / b / c signifies CDKsk(CDKsk(CDKsk(m,a),b),c).

After the change to use the same CDKsk as in Orchard, we no longer have this i in our spec.

We use the notation of ZIP 32 [#zip-0032-orchard-key-path]_ for shielded HD paths, and define the issuance master key path as :math:`m_\mathsf{Issuance} / purpose' / coin\_type' / account'`. We fix the path levels as follows:

- :math:`purpose`: a constant set to :math:`227'` (or :math:`\texttt{0x800000e3}`) following the BIP 43 recommendation.
- :math:`coin\_type`: Defined as in ZIP 32 [#zip-0032-key-path-levels]_.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's specify the exact value.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

str4d and Daira had recommended against putting in the explicit 0x80000085 value in the earlier meeting, because someone who forks the repo should know not to hardcode it. They had said it would need rewording in ZIP 32 to specify it is to be set to the base cryptocurrency (aka ZEC for us), so I have left it to be the same as in ZIP 32 for now.

zip-0227.rst Outdated Show resolved Hide resolved
Copy link

@PaulLaux PaulLaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please provide a proper description for the PR and for the git commit.

@vivek-arte vivek-arte merged commit c211fc2 into zsa1 Apr 17, 2023
PaulLaux pushed a commit that referenced this pull request Oct 4, 2023
This covers the changes made to derive the issuance key independently of the Orchard key structure, using the techniques from [ZIP 32](https://zips.z.cash/zip-0032).
vivek-arte added a commit that referenced this pull request Feb 12, 2024
This covers the changes made to derive the issuance key independently of the Orchard key structure, using the techniques from [ZIP 32](https://zips.z.cash/zip-0032).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants