uip 7: clarify diversifier behavior

penumbra-zone · Dec 11, 2024 · ce8026c · ce8026c
1 parent 6c21ef9
commit ce8026c
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/uips/SUMMARY.md b/uips/SUMMARY.md
@@ -9,6 +9,7 @@
   - [UIP-4](./uip-4.md)
   - [UIP-5](./uip-5.md)
   - [UIP-6](./uip-6.md)
+  - [UIP-7](./uip-7.md)
 
 # UIP template
 

diff --git a/uips/uip-7.md b/uips/uip-7.md
@@ -17,9 +17,11 @@ This UIP introduces transparent addresses ("t-addresses"), a 32-byte Bech32 addr
 
 Recent compatibility issues with external systems (e.g., Noble's USDC integration) have highlighted the need for a maximally compatible address format. While the correct long-term solution is full support for Penumbra's native addresses, a shorter address format can serve as an immediate solution and future-proof escape hatch for similar issues. Penumbra's native addresses have two major differences from most other addresses in the Cosmos ecosystem, in that:
 
-1. They are longer: 144 bytes.
+1. They are longer: 80 bytes of data (144 bytes encoded).
 2. They use Bech32m encoding, instead of Bech32.
 
+Transparent addresses are 32 bytes long, and use Bech32 encoding for maximum compatibility with external systems.
+
 ## Specification
 
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC 8174.
@@ -44,7 +46,7 @@ consists of:
 The diversifier $d$ is then used to derive the diversified basepoint $B_d$ using
 decaf377 hash-to-group $H_{\mathbb{G}}^{d}$:
 
-$B_d = H_{\mathbb{G}}^{d}(d)$
+$B_d = H_{\mathbb{G}}^{d}(d)$
 
 This diversified basepoint is used to to derive the transmission key $pk_d$:
 
@@ -88,12 +90,14 @@ The diversifier decryption is modified as follows:
 The zero ciphertext `[0u8; 16]` is defined to correspond to the address index
 corresponding to the default account index 0, with no randomizer.
 
-The implications of this are that there are two valid diversifiers for the
-default account:
+The implications of this are that the valid diversifiers for the
+default account are:
+
+* 1 special case diversifier: the zero ciphertext (`[0u8; 16]`)
 
-* The zero ciphertext (`[0u8; 16]`)
+* $2^{96}$ diversifiers that normally decrypt to the address index for the default account, i.e. those that have the first four bytes equal to `[0u8; 4]` and any randomizer
 
-* The ciphertext of the 0 address index
+Note that if a null diversifier happened by chance - as the encryption of some address index $a$ - it will in the future be interpreted as the address index for the default account 0 instead of $a$. The probability of this event is astronomically low, $1/2^{128}$.
 
 ### Fuzzy Message Detection (FMD)