From fc4fded73e04bf6260f44749f00f925e1882ed54 Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Tue, 22 Oct 2024 21:56:22 +0100 Subject: [PATCH 1/5] draft-hopwood-remove-consensus-dependency-on-note-encryption: initial outline. Signed-off-by: Daira-Emma Hopwood --- ...onsensus-dependency-on-note-encryption.rst | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst diff --git a/zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst b/zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst new file mode 100644 index 000000000..81c3fff43 --- /dev/null +++ b/zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst 
@@ -0,0 +1,91 @@ +:: + + ZIP: Unassigned + Title: Remove the dependency of consensus on note encryption + Owners: Daira-Emma Hopwood + Status: Draft + Category: Consensus + Created: 2024-10-22 + License: MIT + Discussions-To: + Pull-Request: + + +Terminology +=========== + +The key word "MUST" in this document is to be interpreted as described in BCP 14 +[#BCP14]_ when, and only when, it appears in all capitals. + +The term "network upgrade" in this document is to be interpreted as described in +ZIP 200. [#zip-0200]_ + +The terms "Testnet" and "Mainnet" are to be interpreted as described in section +3.12 of the Zcash Protocol Specification. [#protocol-networks]_ + +The character § is used when referring to sections of the Zcash Protocol Specification +[#protocol]_. + + +Abstract +======== + +ZIP 213 [#zip-0213]_ added the ability for coinbase outputs to be shielded. An +unfortunate side effect of this was to make consensus dependent on the details of +note encryption, because these outputs are required to be validly encrypted with +the zero key. This has unnecessarily complicated the specification and implementation +of consensus rules. + +This proposal disentangles note encryption from consensus, by instead requiring +coinbase outputs for v6 and later transaction versions to be unencrypted. The +disentanglement will be complete once earlier transaction versions are no longer +allowed on the network, which is likely to happen in some later upgrade. + + +Motivation +========== + +[...] + + +Requirements +============ + +The consensus rule change specified in this ZIP must, from transaction version 6 +onward, make the implementation and specification of shielded coinbase outputs +independent of note encryption. + + +Specification +============= + +TBD. + + +Deployment +========== + +This ZIP is proposed to be deployed with the next transaction version change, +which is assumed to be v6. + + +Reference implementation +======================== + +TBD. 
+ + +Acknowledgements +================ + +The author would like to thank Jack Grigg and Kris Nuttycombe for discussions leading +to the submission of this ZIP. + + +References +========== + +.. [#BCP14] `Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words" `_ +.. [#protocol] `Zcash Protocol Specification, Version 2024.5.1 or later `_ +.. [#protocol-networks] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.12: Mainnet and Testnet `_ +.. [#zip-0213] `ZIP 213: Shielded Coinbase `_ From 8ad31039d629999202d7feea469ec451304ac098 Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Tue, 5 Nov 2024 12:07:10 +0000 Subject: [PATCH 2/5] Fill in motivation and most of specification. Signed-off-by: Daira-Emma Hopwood --- ...onsensus-dependency-on-note-encryption.rst | 86 +++++++++++++++++-- 1 file changed, 80 insertions(+), 6 deletions(-) diff --git a/zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst b/zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst index 81c3fff43..d1ee00132 100644 --- a/zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst +++ b/zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst 
@@ -31,10 +31,9 @@ Abstract ======== ZIP 213 [#zip-0213]_ added the ability for coinbase outputs to be shielded. An -unfortunate side effect of this was to make consensus dependent on the details of -note encryption, because these outputs are required to be validly encrypted with -the zero key. This has unnecessarily complicated the specification and implementation -of consensus rules. +unfortunate side effect of this was to make consensus dependent on the details +of note encryption. This has unnecessarily complicated the specification and +implementation of consensus rules. This proposal disentangles note encryption from consensus, by instead requiring coinbase outputs for v6 and later transaction versions to be unencrypted. The 
@@ -45,7 +44,26 @@ allowed on the network, which is likely to happen in some later upgrade. Motivation ========== -[...] +In the original design of Zcash, the consensus protocol was carefully isolated +from the details of note encryption. This property, which was preserved through +the Overwinter, Sapling, and Blossom upgrades, reduces the complexity and attack +surface of the consensus protocol. It also potentially allows changes to note +encryption to be made outside network upgrades. + +A dependency on note encryption crept into the consensus protocol as a result +of the changes to support shielded coinbase outputs in ZIP 213 [#zip-0213]_, +deployed in the Heartwood network upgrade. These changes added the requirement +that it must be possible to decrypt Sapling and Orchard outputs in coinbase +transactions using a sequence of 32 zero bytes as the outgoing viewing key. + +The complexity impact of this change was overlooked. This became apparent during +the design of ZIP 212 [#zip-0212]_ for the Heartwood network upgrade. In fact +for a time there were separate and slightly diverging implementations of note +decryption for the consensus checks in `zcashd`, and in `librustzcash`. This +could have led to a chain fork between `zcashd` and `zebrad` before the +implementations were reconciled. + +This ZIP restores the originally intended design property. Requirements 
@@ -59,7 +77,61 @@ independent of note encryption. Specification ============= -TBD. +Changes to the protocol specification +------------------------------------- + +In § 5.4.3 'Symmetric Encryption', rename :math:`Sym` to :math:`NoteSym` and +add the following text: + +> Let :math:`\mathsf{NullSym.}\mathbf{K} := \mathbb{B}^{[256]}`, +> :math:`\mathsf{NullSym.}\mathbf{P} := \mathbb{B^Y}^{\mathbb{N}}`, and +> :math:`\mathsf{NullSym.}\mathbf{C} := \mathbb{B^Y}^{\mathbb{N}}`. +> +> Let :math:`\mathsf{NullSym.Encrypt_K}(\mathsf{P}) := \mathsf{P} || [0x00]^{16}`. +> +> Define :math:`\mathsf{NullSym.Decrypt_K}(\mathsf{C})` as follows: +> * If the last 16 bytes of :math:`\mathsf{C}` are not :math:`[0x00]^{16}`, +> return :math:`\bot`. Otherwise discard those 16 bytes and return the +> remaining prefix of :math:`\mathsf{C}`. +> +> Note: These definitions intentionally ignore the key; :math:`\mathsf{NullSym}` +> is not a secure authenticated encryption scheme. It MUST be used only for +> notes in shielded coinbase outputs, which are intended to be visible as +> cleartext. + +In § 4.20 'In-band secret distribution (Sapling and Orchard)', change: + +> let :math:`\mathsf{Sym}` be the encryption scheme instantiated in +> § 5.4.3 'Symmetric Encryption'. + +to + +> let :math:`\mathsf{NoteSym}` and :math:`\mathsf{NullSym}` be as +> instantiated in § 5.4.3 'Symmetric Encryption'. +> +> [Pre-NU7] let :math:`\mathsf{Sym}` be :math:`\mathsf{NoteSym}`. +> +> [NU7 onward] if the note to be decrypted is in an output of a version 6 +> or later coinbase transaction, let :math:`\mathsf{Sym}` be +> :math:`\mathsf{NullSym}`, otherwise let it be :math:`\mathsf{NoteSym}`. + +In § 4.20.1 'Encryption (Sapling and Orchard)', add at the beginning: + +> [NU7 onward] If the note to be encrypted is in an output of a +> version 6 or later coinbase transaction, then use the procedure in +> § 4.20.4 'Null Coinbase Output Encryption (Sapling and Orchard)' +> instead of the procedure in this section. 
+ +In both § 4.20.2 'Decryption using an Incoming Viewing Key (Sapling and Orchard)', +and § 4.20.3 'Decryption using a Full Viewing Key (Sapling and Orchard)' +add at the beginning: + +> [NU7 onward] If the note to be encrypted is in an output of a +> version 6 or later coinbase transaction, then use the procedure in +> § 4.20.5 'Null Coinbase Output Decryption (Sapling and Orchard)' +> instead of the procedure in this section. + +Add § 4.20.4 'Null Coinbase Output Encryption (Sapling and Orchard)' Deployment @@ -88,4 +160,6 @@ References .. [#BCP14] `Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words" `_ .. [#protocol] `Zcash Protocol Specification, Version 2024.5.1 or later `_ .. [#protocol-networks] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.12: Mainnet and Testnet `_ +.. [#zip-0200] `ZIP 200: Network Upgrade Mechanism `_ +.. [#zip-0212] `ZIP 212: Allow Recipient to Derive Ephemeral Secret from Note Plaintext `_ .. [#zip-0213] `ZIP 213: Shielded Coinbase `_ From d7bc7a3e7b7392548f3643a5ce44c314cd2ccd03 Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Tue, 5 Nov 2024 23:20:06 +0000 Subject: [PATCH 3/5] Assign ZIP 2004 for draft-hopwood-remove-consensus-dependency-on-note-encryption Signed-off-by: Daira-Emma Hopwood --- ...e-consensus-dependency-on-note-encryption.rst => zip-2004.rst} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename zips/{draft-hopwood-remove-consensus-dependency-on-note-encryption.rst => zip-2004.rst} (100%) diff --git a/zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst b/zips/zip-2004.rst similarity index 100% rename from zips/draft-hopwood-remove-consensus-dependency-on-note-encryption.rst rename to zips/zip-2004.rst From bbe33a070fb6684977135abc02d1e357758ef882 Mon Sep 17 00:00:00 2001 
From: Daira-Emma Hopwood Date: Tue, 5 Nov 2024 23:20:34 +0000 Subject: [PATCH 4/5] ZIP 2004: fix rst syntax. Signed-off-by: Daira-Emma Hopwood --- zips/zip-2004.rst | 71 +++++++++++++++++++++++------------------------ 1 file changed, 35 insertions(+), 36 deletions(-) diff --git a/zips/zip-2004.rst b/zips/zip-2004.rst index d1ee00132..e19c7c52e 100644 --- a/zips/zip-2004.rst +++ b/zips/zip-2004.rst @@ -1,6 +1,6 @@ :: - ZIP: Unassigned + ZIP: 2004 Title: Remove the dependency of consensus on note encryption Owners: Daira-Emma Hopwood Status: Draft 
@@ -83,55 +83,54 @@ Changes to the protocol specification In § 5.4.3 'Symmetric Encryption', rename :math:`Sym` to :math:`NoteSym` and add the following text: -> Let :math:`\mathsf{NullSym.}\mathbf{K} := \mathbb{B}^{[256]}`, -> :math:`\mathsf{NullSym.}\mathbf{P} := \mathbb{B^Y}^{\mathbb{N}}`, and -> :math:`\mathsf{NullSym.}\mathbf{C} := \mathbb{B^Y}^{\mathbb{N}}`. -> -> Let :math:`\mathsf{NullSym.Encrypt_K}(\mathsf{P}) := \mathsf{P} || [0x00]^{16}`. -> -> Define :math:`\mathsf{NullSym.Decrypt_K}(\mathsf{C})` as follows: -> * If the last 16 bytes of :math:`\mathsf{C}` are not :math:`[0x00]^{16}`, -> return :math:`\bot`. Otherwise discard those 16 bytes and return the -> remaining prefix of :math:`\mathsf{C}`. -> -> Note: These definitions intentionally ignore the key; :math:`\mathsf{NullSym}` -> is not a secure authenticated encryption scheme. It MUST be used only for -> notes in shielded coinbase outputs, which are intended to be visible as -> cleartext. + Let :math:`\mathsf{NullSym.}\mathbf{K} := \mathbb{B}^{[256]}`, + :math:`\mathsf{NullSym.}\mathbf{P} := \mathbb{B^Y}^{\mathbb{N}}`, and + :math:`\mathsf{NullSym.}\mathbf{C} := \mathbb{B^Y}^{\mathbb{N}}`. + + Let :math:`\mathsf{NullSym.Encrypt_K}(\mathsf{P}) := \mathsf{P} || [0x00]^{16}`. + + Define :math:`\mathsf{NullSym.Decrypt_K}(\mathsf{C})` as follows: + + * If the last 16 bytes of :math:`\mathsf{C}` are not :math:`[0x00]^{16}`, + return :math:`\bot`. Otherwise discard those 16 bytes and return the + remaining prefix of :math:`\mathsf{C}`. + + Note: These definitions intentionally ignore the key; :math:`\mathsf{NullSym}` + is not a secure authenticated encryption scheme. It MUST be used only for + notes in shielded coinbase outputs, which are intended to be visible as + cleartext. In § 4.20 'In-band secret distribution (Sapling and Orchard)', change: -> let :math:`\mathsf{Sym}` be the encryption scheme instantiated in -> § 5.4.3 'Symmetric Encryption'. 
+ let :math:`\mathsf{Sym}` be the encryption scheme instantiated in + § 5.4.3 'Symmetric Encryption'. to -> let :math:`\mathsf{NoteSym}` and :math:`\mathsf{NullSym}` be as -> instantiated in § 5.4.3 'Symmetric Encryption'. -> -> [Pre-NU7] let :math:`\mathsf{Sym}` be :math:`\mathsf{NoteSym}`. -> -> [NU7 onward] if the note to be decrypted is in an output of a version 6 -> or later coinbase transaction, let :math:`\mathsf{Sym}` be -> :math:`\mathsf{NullSym}`, otherwise let it be :math:`\mathsf{NoteSym}`. + let :math:`\mathsf{NoteSym}` and :math:`\mathsf{NullSym}` be as + instantiated in § 5.4.3 'Symmetric Encryption'. + + [Pre-NU7] let :math:`\mathsf{Sym}` be :math:`\mathsf{NoteSym}`. + + [NU7 onward] if the note to be decrypted is in an output of a version 6 + or later coinbase transaction, let :math:`\mathsf{Sym}` be + :math:`\mathsf{NullSym}`, otherwise let it be :math:`\mathsf{NoteSym}`. In § 4.20.1 'Encryption (Sapling and Orchard)', add at the beginning: -> [NU7 onward] If the note to be encrypted is in an output of a -> version 6 or later coinbase transaction, then use the procedure in -> § 4.20.4 'Null Coinbase Output Encryption (Sapling and Orchard)' -> instead of the procedure in this section. + [NU7 onward] If the note to be encrypted is in an output of a + version 6 or later coinbase transaction, then use the procedure in + § 4.20.4 'Null Coinbase Output Encryption (Sapling and Orchard)' + instead of the procedure in this section. In both § 4.20.2 'Decryption using an Incoming Viewing Key (Sapling and Orchard)', and § 4.20.3 'Decryption using a Full Viewing Key (Sapling and Orchard)' add at the beginning: -> [NU7 onward] If the note to be encrypted is in an output of a -> version 6 or later coinbase transaction, then use the procedure in -> § 4.20.5 'Null Coinbase Output Decryption (Sapling and Orchard)' -> instead of the procedure in this section. 
- -Add § 4.20.4 'Null Coinbase Output Encryption (Sapling and Orchard)' + [NU7 onward] If the note to be encrypted is in an output of a + version 6 or later coinbase transaction, then use the procedure in + § 4.20.5 'Null Coinbase Output Decryption (Sapling and Orchard)' + instead of the procedure in this section. Deployment From 9e57a8f2c35e27529172ba6825ebd7078d372139 Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Tue, 5 Nov 2024 23:25:23 +0000 Subject: [PATCH 5/5] ZIP 2004: remove paragraphs from the approach-not-taken. Signed-off-by: Daira-Emma Hopwood --- zips/zip-2004.rst | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/zips/zip-2004.rst b/zips/zip-2004.rst index e19c7c52e..47787e685 100644 --- a/zips/zip-2004.rst +++ b/zips/zip-2004.rst @@ -116,22 +116,6 @@ to or later coinbase transaction, let :math:`\mathsf{Sym}` be :math:`\mathsf{NullSym}`, otherwise let it be :math:`\mathsf{NoteSym}`. -In § 4.20.1 'Encryption (Sapling and Orchard)', add at the beginning: - - [NU7 onward] If the note to be encrypted is in an output of a - version 6 or later coinbase transaction, then use the procedure in - § 4.20.4 'Null Coinbase Output Encryption (Sapling and Orchard)' - instead of the procedure in this section. - -In both § 4.20.2 'Decryption using an Incoming Viewing Key (Sapling and Orchard)', -and § 4.20.3 'Decryption using a Full Viewing Key (Sapling and Orchard)' -add at the beginning: - - [NU7 onward] If the note to be encrypted is in an output of a - version 6 or later coinbase transaction, then use the procedure in - § 4.20.5 'Null Coinbase Output Decryption (Sapling and Orchard)' - instead of the procedure in this section. - Deployment ==========
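Review bot: In patch 1's initial file, the Terminology section cites ``[#zip-0200]_`` but the References list at the end of the same hunk defines only ``[#BCP14]``, ``[#protocol]``, ``[#protocol-networks]`` and ``[#zip-0213]``, so this commit on its own has an unresolved footnote reference and will not render; the ``.. [#zip-0200]`` target only arrives in patch 2. Either move that target into this commit or squash the two, so that every commit in the series builds.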
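Review bot: In patch 2's Motivation hunk, the sentence "This became apparent during the design of ZIP 212 [#zip-0212]_ for the Heartwood network upgrade" should be checked against ZIP 212's own header: as far as I recall ZIP 212 activated with Canopy, and the preceding paragraph already attributes Heartwood to ZIP 213, so as written the reader takes both as Heartwood changes. The next two sentences also jump from "in `zcashd`, and in `librustzcash`" to "a chain fork between `zcashd` and `zebrad`" without saying why librustzcash matters; add the half-sentence that zebrad relies on the librustzcash implementation for this check (if that is the intended link), so the fork risk follows from what is written.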
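Review bot: The Specification hunk in patch 2 never states the replacement consensus rule, even though the Requirements section calls this "the consensus rule change specified in this ZIP". Swapping NoteSym for NullSym in § 4.20 tells wallets and miners how to encode a v6 coinbase output, but a validator also needs an explicit check to replace ZIP 213's decrypt-under-the-zero-ovk rule: presumably that NullSym.Decrypt on the note ciphertext does not return ⊥ (the last 16 bytes are 0x00) and that the recovered prefix is a well-formed note plaintext whose commitment matches the output. Please write that rule out under its own heading. Two related gaps in the same hunk: (1) § 4.20 'In-band secret distribution' also covers the outgoing ciphertext, so say whether outCiphertext of a v6 coinbase output is likewise NullSym-"encrypted" and whether a validator checks its trailing zero bytes too; (2) the paragraph inserted into § 4.20.2 and § 4.20.3 says "If the note to be encrypted" where "decrypted" is meant, and the closing line "Add § 4.20.4 'Null Coinbase Output Encryption (Sapling and Orchard)'" has no body, so § 4.20.4 and § 4.20.5 are referenced but never defined (patch 5 removes these paragraphs, which resolves both for the final state of the series).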
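Review bot: In the patch 4 hunk that re-indents the § 5.4.3 block quote, the types of NullSym.P and NullSym.C are written ``\mathbb{B^Y}^{\mathbb{N}}`` while NullSym.K two lines earlier is ``\mathbb{B}^{[256]}``; the protocol specification's notation for a sequence type puts the length in brackets, so these should read ``\mathbb{B^Y}^{[\mathbb{N}]}`` to be consistent with the key type and with the existing definitions of Sym.P and Sym.C that this text sits beside. Separately, "Define ... as follows:" followed by a single-item bullet list reads oddly; either make it a plain sentence or split "return ⊥" and "otherwise discard those 16 bytes and return the remaining prefix" into two bullets.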
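Review bot: With patch 5 deleting the § 4.20.1 override, the only remaining switch to NullSym is the § 4.20 text kept as context at the top of this hunk, and that text is conditioned on "if the note to be decrypted is in an output of a version 6 or later coinbase transaction"; reword it to "the note to be encrypted or decrypted", otherwise a miner constructing a v6 coinbase output is never directed to NullSym by the specification. Also, the [Pre-NU7] / [NU7 onward] markers assume the change lands in NU7, but the Deployment section that follows only says "the next transaction version change, which is assumed to be v6"; name the network upgrade there so the two agree.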