From d4d34ed6fff84fc602c4723a71cefdc4dde31eb8 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Fri, 1 Dec 2023 09:55:01 -0700 Subject: [PATCH 1/6] ZIP 316, Revision 1: MUST-understand metadata items Reserve a range of metadata typecodes that unified container parsers must understand; if a parser does not understand a typecode in the specified range, then it must treat the entire unified address as unsupported. Co-authored-by: Daira Emma Hopwood --- zip-0316.html | 30 +++++++++++++++++++-------- zip-0316.rst | 57 ++++++++++++++++++++++++++++++++++++--------------- 2 files changed, 62 insertions(+), 25 deletions(-) diff --git a/zip-0316.html b/zip-0316.html index 6cc68afa1..1e77f23a0 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -121,8 +121,8 @@

When new Transport Protocols are introduced to the Zcash protocol after Unified Addresses are standardized, those should introduce new Receiver Types but not different Address types outside of the UA standard. There needs to be a compelling reason to deviate from the standard, since the benefits of UA come precisely from their applicability across all new protocol upgrades.

Receivers

-

Every wallet must properly parse encodings of a Unified Address or Unified Viewing Key containing unrecognized Items.

-

A wallet may process unrecognized Items by indicating to the user their presence or similar information for usability or diagnostic purposes.

+

Every wallet must properly parse encodings of a Unified Address or Unified Viewing Key containing unrecognised Items.

+

A wallet may process unrecognised Items by indicating to the user their presence or similar information for usability or diagnostic purposes.

Transport Encoding

The Unified String Encoding is “opaque” to human readers: it does not allow visual identification of which Receivers or Receiver Types are present.

@@ -131,11 +131,11 @@

There is a well-defined transformation between the Unified QR Encoding and Unified String Encoding of a given UA/UVK in either direction.

The Unified String Encoding fits into ZIP-321 Payment URIs 26 and general URIs without introducing parse ambiguities.

The encoding must support sufficiently many Recipient Types to allow for reasonable future expansion.

-

The encoding must allow all wallets to safely and correctly parse out unrecognized Receiver Types well enough to ignore them.

+

The encoding must allow all wallets to safely and correctly parse out unrecognised Receiver Types well enough to ignore them.

Transfers

When executing a Transfer the Sender selects a Receiver via a Selection process.

-

Given a valid UA, Selection must treat any unrecognized Item as though it were absent.

+

Given a valid UA, Selection must treat any unrecognised Item as though it were absent.

  • This property is crucial for forward compatibility to ensure users who upgrade to newer protocols / UAs don't lose the ability to smoothly interact with older wallets.
  • This property is crucial for allowing Transparent-Only UA-Conformant wallets to interact with newer shielded wallets, removing a disincentive for adopting newer shielded wallets.
    • @@ -154,6 +154,11 @@

    Privacy impacts of transparent or cross-pool transactions, and the associated UX issues, will be addressed in ZIP 315 (in preparation).

+

Revision History

+ +

Specification

Encoding of Unified Addresses

Rather than defining a Bech32 string encoding of Orchard Shielded Payment Addresses, we instead define a Unified Address format that is able to encode a set of Receivers of different types. This enables the Consumer of a Unified Address to choose the Receiver of the best type it supports, providing a better user experience as new Receiver Types are added in the future.

@@ -254,7 +259,7 @@
  • There is no defined way to represent a Viewing Key for a Transparent P2SH Address in a UFVK or UIVK (because P2SH Addresses cannot be diversified in an unlinkable way). The Typecode \(\mathtt{0x01}\) - MUST NOT be included in a UFVK or UIVK by Producers, and MUST be treated as unrecognized by Consumers.
    • + MUST NOT be included in a UFVK or UIVK by Producers, and MUST be treated as unrecognised by Consumers.
  • For Transparent P2PKH Addresses that are derived according to BIP 32 27 and BIP 44 30, the FVK and IVK Encodings have Typecode \(\mathtt{0x00}.\) Both of these are encodings of the chain code and public key @@ -298,7 +303,7 @@
  • Within a single UA or UVK, all HD-derived Receivers, FVKs, and IVKs SHOULD represent an Address or Viewing Key for the same account (as used in the ZIP 32 or BIP 44 Account level).
  • For Transparent Addresses, the Receiver Encoding does not include the first two bytes of a raw encoding.
  • There is intentionally no Typecode defined for a Sprout Shielded Payment Address or Sprout Incoming Viewing Key. Since it is no longer possible (since activation of ZIP 211 in the Canopy network upgrade 23) to send funds into the Sprout chain value pool, this would not be generally useful.
    • -
  • Consumers MUST ignore constituent Items with Typecodes they do not recognize.
    • +
  • Consumers MUST ignore constituent Items with Typecodes they do not recognise.
  • Consumers MUST reject Unified Addresses/Viewing Keys in which the same Typecode appears more than once, or that include both P2SH and P2PKH Transparent Addresses, or that contain only a Transparent Address.
  • Consumers MUST reject Unified Addresses/Viewing Keys in which any constituent Item does not meet the validation requirements of its encoding, as specified in this ZIP and the Zcash Protocol Specification 2.
  • Consumers MUST reject Unified Addresses/Viewing Keys in which the constituent Items are not ordered in ascending Typecode order. Note that this is different to priority order, and does not affect which Receiver in a Unified Address should be used by a Sender.
    • @@ -308,7 +313,7 @@

    Rationale for Item ordering

    Click to show/hide -

    The rationale for requiring Items to be canonically ordered by Typecode is that it enables implementations to use an in-memory representation that discards ordering, while retaining the same round-trip serialization of a UA / UVK (provided that unrecognized Items are retained).

    +

    The rationale for requiring Items to be canonically ordered by Typecode is that it enables implementations to use an in-memory representation that discards ordering, while retaining the same round-trip serialization of a UA / UVK (provided that unrecognised Items are retained).

    Rationale for showing at least the first 20 characters

    @@ -331,6 +336,11 @@ to \(\mathtt{0xFC}\) inclusive are reserved to indicate Metadata Items other than Receivers or Viewing Keys. These Items MAY affect the overall interpretation of the UA / UVK (for example, by specifying an expiration date).

    +

    As of Revision 1, the subset of Metadata typecodes in the range + \(mathtt{0xE0}\) + to + \(mathtt{0xEF}\) + inclusive are designated as "MUST-understand": if a Consumer is unable to recognise the meaning of a Metadata Item with a typecode in this range, then it MUST regard the entire UA/UVK as unsupported and not process it further.

    Since Metadata Items are not Receivers, they MUST NOT be selected by a Sender when choosing a Receiver to send to, and since they are not Viewing Keys, they MUST NOT provide additional authority to view information about transactions.

    Currently no Metadata Types are defined. New Metadata Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 13.

    @@ -387,6 +397,7 @@

    Since an external P2PKH FVK encodes the chain code and public key at the Account level, we can derive both external and internal child keys from it, as described in BIP 44 31. It is possible to derive an internal P2PKH FVK from the external P2PKH FVK (i.e. its parent) without having the external spending key, because child derivation at the Change level is non-hardened.

    Deriving a UIVK from a UFVK

    +

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item typecodes present in the UFVK in order to perform UIVK derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    The following derivations are applied to each component FVK:

    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • @@ -396,9 +407,10 @@ as described in 29.

    In each case, the Typecode remains the same as in the FVK.

    -

    Items (including Metadata Items) that are unrecognized by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a UIVK from a UFVK.

    +

    Items (including Metadata Items that are not "MUST-understand") that are unrecognised by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a UIVK from a UFVK.

    Deriving a Unified Address from a UIVK

    +

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item typecodes present in the UIVK in order to perform Unified Address derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    To derive a Unified Address from a UIVK we need to choose a diversifier index, which MUST be valid for all of the Viewing Key Types in the UIVK. That is,

    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 16.
      • @@ -418,7 +430,7 @@

    In each case, the Typecode remains the same as in the IVK.

    -

    Items (including Metadata Items) that are unrecognized by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a Receiver from a UIVK.

    +

    Items (including Metadata Items that are not "MUST-understand") that are unrecognised by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a Unified Address from a UIVK.

    Usage of Outgoing Viewing Keys

    When a Sender constructs a transaction that creates Sapling or Orchard notes, it uses an outgoing viewing key, as described in 6 and 7, to encrypt an outgoing ciphertext. Decryption with the outgoing viewing key allows recovering the sent note plaintext, including destination address, amount, and memo. The intention is that this outgoing viewing key should be associated with the source of the funds.

    diff --git a/zip-0316.rst b/zip-0316.rst index 19f6d13b5..82a630d9d 100644 --- a/zip-0316.rst +++ b/zip-0316.rst @@ -215,9 +215,9 @@ Receivers --------- Every wallet must properly *parse* encodings of a Unified Address or -Unified Viewing Key containing unrecognized Items. +Unified Viewing Key containing unrecognised Items. -A wallet may process unrecognized Items by indicating to the user their +A wallet may process unrecognised Items by indicating to the user their presence or similar information for usability or diagnostic purposes. Transport Encoding @@ -244,7 +244,7 @@ The encoding must support sufficiently many Recipient Types to allow for reasonable future expansion. The encoding must allow all wallets to safely and correctly parse out -unrecognized Receiver Types well enough to ignore them. +unrecognised Receiver Types well enough to ignore them. Transfers --------- @@ -252,7 +252,7 @@ Transfers When executing a Transfer the Sender selects a Receiver via a Selection process. -Given a valid UA, Selection must treat any unrecognized Item as though +Given a valid UA, Selection must treat any unrecognised Item as though it were absent. - This property is crucial for forward compatibility to ensure users @@ -300,6 +300,12 @@ Open Issues and Known Concerns Privacy impacts of transparent or cross-pool transactions, and the associated UX issues, will be addressed in ZIP 315 (in preparation). +Revision History +================ + +.. _`Revision 1`: + +* Revision 1: `MUST-understand typecodes`_ Specification ============= @@ -438,7 +444,7 @@ The following FVK or IVK Encodings are used in place of the P2SH Address in a UFVK or UIVK (because P2SH Addresses cannot be diversified in an unlinkable way). The Typecode :math:`\mathtt{0x01}` MUST NOT be included in a UFVK or UIVK by Producers, and MUST be - treated as unrecognized by Consumers. + treated as unrecognised by Consumers. * For Transparent P2PKH Addresses that are derived according to BIP 32 [#bip-0032]_ and BIP 44 [#bip-0044]_, the FVK and IVK Encodings have @@ -512,7 +518,7 @@ Requirements for both Unified Addresses and Unified Viewing Keys pool, this would not be generally useful. * Consumers MUST ignore constituent Items with Typecodes they do not - recognize. + recognise. * Consumers MUST reject Unified Addresses/Viewing Keys in which the same Typecode appears more than once, or that include both P2SH and @@ -547,7 +553,7 @@ Rationale for Item ordering The rationale for requiring Items to be canonically ordered by Typecode is that it enables implementations to use an in-memory representation that discards ordering, while retaining the same round-trip serialization -of a UA / UVK (provided that unrecognized Items are retained). +of a UA / UVK (provided that unrecognised Items are retained). .. raw:: html @@ -604,6 +610,14 @@ are reserved to indicate Metadata Items other than Receivers or Viewing Keys. These Items MAY affect the overall interpretation of the UA / UVK (for example, by specifying an expiration date). +.. _`MUST-understand typecodes`: + +As of `Revision 1`_, the subset of Metadata typecodes in the range +:math:`mathtt{0xE0}` to :math:`mathtt{0xEF}` inclusive are designated +as "MUST-understand": if a Consumer is unable to recognise the meaning +of a Metadata Item with a typecode in this range, then it MUST regard +the entire UA/UVK as unsupported and not process it further. + Since Metadata Items are not Receivers, they MUST NOT be selected by a Sender when choosing a Receiver to send to, and since they are not Viewing Keys, they MUST NOT provide additional authority to view @@ -664,6 +678,12 @@ Change level is non-hardened. Deriving a UIVK from a UFVK --------------------------- +As of `Revision 1`_, a Consumer of a UIVK MUST understand the +meaning of all "MUST-understand" Metadata Item typecodes present in the +UFVK in order to perform UIVK derivation. For Metadata Items recognised +by the Consumer, the processing of the Item when deriving a UIVK is +specified in the section or ZIP describing that Item. + The following derivations are applied to each component FVK: * For a Sapling FVK, the corresponding Sapling IVK is obtained as @@ -678,15 +698,21 @@ The following derivations are applied to each component FVK: In each case, the Typecode remains the same as in the FVK. -Items (including Metadata Items) that are unrecognized by a given -Consumer, or that are specified in experiments that the user has not -opted into (see `Experimental Usage`_), MUST be dropped when deriving -a UIVK from a UFVK. +Items (including Metadata Items that are not "MUST-understand") that +are unrecognised by a given Consumer, or that are specified in experiments +that the user has not opted into (see `Experimental Usage`_), MUST be +dropped when deriving a UIVK from a UFVK. Deriving a Unified Address from a UIVK -------------------------------------- +As of `Revision 1`_, a Consumer of a UIVK MUST understand the meaning +of all "MUST-understand" Metadata Item typecodes present in the UIVK +in order to perform Unified Address derivation. For Metadata Items +recognised by the Consumer, the processing of the Item when deriving +a UIVK is specified in the section or ZIP describing that Item. + To derive a Unified Address from a UIVK we need to choose a diversifier index, which MUST be valid for all of the Viewing Key Types in the UIVK. That is, @@ -721,11 +747,10 @@ diversifier index: In each case, the Typecode remains the same as in the IVK. -Items (including Metadata Items) that are unrecognized by a given -Consumer, or that are specified in experiments that the user has not -opted into (see `Experimental Usage`_), MUST be dropped when deriving -a Receiver from a UIVK. - +Items (including Metadata Items that are not "MUST-understand") that +are unrecognised by a given Consumer, or that are specified in experiments +that the user has not opted into (see `Experimental Usage`_), MUST be +dropped when deriving a Unified Address from a UIVK. Usage of Outgoing Viewing Keys ------------------------------ From 34ac94b73cf9d7b2823fa0e41ed980b9b580811e Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Fri, 1 Dec 2023 09:55:01 -0700 Subject: [PATCH 2/6] ZIP 316, Revision 1: Address Expiration Metadata This change adds metadata that allows a user to specify either an expiry height or an expiry time (or both) for their addresses, and specifies how wallets should interpret expiry metadata. Co-authored-by: Daira Emma Hopwood --- zip-0316.html | 58 ++++++++++++++++++++++++++++++++++----------- zip-0316.rst | 65 +++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 105 insertions(+), 18 deletions(-) diff --git a/zip-0316.html b/zip-0316.html index 1e77f23a0..aafda9d3e 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -67,6 +67,8 @@
    An encoding of a UA/UVK as a QR code, intended for display and transfer by Zcash end-users in situations where usability advantages of a 2D bar code may be relevant.
    Address Encoding
    The externally visible encoding of an Address (e.g. as a string of characters or a QR code).
    +
    Unix Epoch Time
    +
    An integer representing a UTC time in seconds relative to the Unix Epoch of 1970-01-01T00:00:00Z.

    Notation for sequences, conversions, and arithmetic operations follows the Zcash protocol specification 3.

    @@ -156,7 +158,7 @@

    Revision History

    Specification

    @@ -342,7 +344,35 @@ \(mathtt{0xEF}\) inclusive are designated as "MUST-understand": if a Consumer is unable to recognise the meaning of a Metadata Item with a typecode in this range, then it MUST regard the entire UA/UVK as unsupported and not process it further.

    Since Metadata Items are not Receivers, they MUST NOT be selected by a Sender when choosing a Receiver to send to, and since they are not Viewing Keys, they MUST NOT provide additional authority to view information about transactions.

    -

    Currently no Metadata Types are defined. New Metadata Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 13.

    +
    +

    Address Expiration Metadata

    +

    As of Revision 1, typecodes + \(\mathtt{0xE0}\) + and + \(\mathtt{0xE1}\) + are reserved for address expiry metadata.

    +

    The value of a + \(\mathtt{0xE0}\) + item MUST be an unsigned 32-bit integer in little-endian order specifying the Address Expiry Height, a block height of the Zcash chain associated with the UA/UVK. A Unified Address containing metadata typecode + \(\mathtt{0xE0}\) + MUST be considered expired when the height of the Zcash chain is greater than this value.

    +

    The value of a + \(\mathtt{0xE1}\) + item MUST be an unsigned 64-bit integer in little-endian order specifying a Unix Epoch Time, hereafter referred to as the Address Expiry Time. A Unified Address containing metadata typecode + \(\mathtt{0xE1}\) + MUST be considered expired when the current time is after the Address Expiry Time.

    +

    A Sender that supports Revision 1 of this specification MUST set a non-zero nExpiryHeight field in transactions that it creates. If the nExpiryHeight normally constructed by the Sender would be greater than the Address Expiry Height, then the transaction MUST NOT be sent. If only an Address Expiry Time is specified, then the Sender MUST choose a value for nExpiryHeight such that the transaction will expire no more than 24 hours after the current time.

    +

    If wallet user attempts to send to an expired address, the error presented to the user by the wallet SHOULD include a suggestion that the user should attempt to obtain a currently-valid address for the intended recipient.

    +

    When deriving from a UFVK or UIVK containing typecodes + \(\mathtt{0xE0}\) + and/or + \(\mathtt{0xE1}\) + , these Metadata Items MUST be retained unmodified in the output.

    +

    Rationale

    +

    The intent of this specification is that Consumers of Unified Addresses MUST NOT send to expired addresses. If only an Address Expiry Time is specified, a transaction to the associated address could be mined after the Address Expiry Time within a 24-hour window.

    +

    The reason that the transaction MUST NOT be sent when its nExpiryHeight as normally constructed is greater than the Address Expiry Height is to avoid unnecessary information leakage in that field about which address was used as the destination. If a sender were to instead use the expiry height to directly set nExpiryHeight field, this would leak the expiry information of the destination address, which may then be identifiable.

    +

    When honoring an Address Expiry Time, the reason that a sender must choose a nExpiryHeight that is expected to occur within 24 hours of the time of transaction construction is to ensure that the expiry time is respected to within a day; since block times are not exact and computer clocks often disagree, an Address Expiry Time is advisory and not a hard bound. Setting an expiry height as specified ensures that the expiry time will be at least loosely respected, and it is of course both permissible and perhaps advisable to set this bound more tightly. A common expiry delta used by many wallets is 40 blocks from the current chain tip.

    +

    Deriving Internal Keys

    In addition to external addresses suitable for giving out to Senders, a wallet typically requires addresses for internal operations such as change and auto-shielding.

    @@ -366,7 +396,7 @@ \(\mathsf{CRH^{ivk}}\) or \(\mathsf{Commit^{ivk}}\) - (for Sapling and Orchard respectively). Derivation of an internal shielded FVK from an external shielded FVK is specified in the "Sapling internal key derivation" 17 and "Orchard internal key derivation" 19 sections of ZIP 32.

    + (for Sapling and Orchard respectively). Derivation of an internal shielded FVK from an external shielded FVK is specified in the "Sapling internal key derivation" 17 and "Orchard internal key derivation" 19 sections of ZIP 32.

    To satisfy the above properties for transparent (P2PKH) keys, we derive the external and internal \(\mathsf{ovk}\) components from the transparent FVK @@ -379,7 +409,7 @@ \(\mathsf{ser_P}(pk)\) is \(33\) - bytes, as specified in 28. + bytes, as specified in 28.

  • Let \(\mathsf{ovk_{external}}\) be the first @@ -394,17 +424,17 @@ \(I_\mathsf{ovk}\) .
    • -

    Since an external P2PKH FVK encodes the chain code and public key at the Account level, we can derive both external and internal child keys from it, as described in BIP 44 31. It is possible to derive an internal P2PKH FVK from the external P2PKH FVK (i.e. its parent) without having the external spending key, because child derivation at the Change level is non-hardened.

    +

    Since an external P2PKH FVK encodes the chain code and public key at the Account level, we can derive both external and internal child keys from it, as described in BIP 44 31. It is possible to derive an internal P2PKH FVK from the external P2PKH FVK (i.e. its parent) without having the external spending key, because child derivation at the Change level is non-hardened.

    Deriving a UIVK from a UFVK

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item typecodes present in the UFVK in order to perform UIVK derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    The following derivations are applied to each component FVK:

      -
    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • -
    • For an Orchard FVK, the corresponding Orchard IVK is obtained as specified in 5.
      • +
    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • +
    • For an Orchard FVK, the corresponding Orchard IVK is obtained as specified in 5.
    • For a Transparent P2PKH FVK, the corresponding Transparent P2PKH IVK is obtained by deriving the child key with non-hardened index \(0\) - as described in 29.
      • + as described in 29.

    In each case, the Typecode remains the same as in the FVK.

    Items (including Metadata Items that are not "MUST-understand") that are unrecognised by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a UIVK from a UFVK.

    @@ -413,7 +443,7 @@

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item typecodes present in the UIVK in order to perform Unified Address derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    To derive a Unified Address from a UIVK we need to choose a diversifier index, which MUST be valid for all of the Viewing Key Types in the UIVK. That is,

      -
    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 16.
      • +
    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 16.
    • A Transparent diversifier index MUST be in the range \(0\) to @@ -423,9 +453,9 @@

    The following derivations are applied to each component IVK using the diversifier index:

      -
    • For a Sapling IVK, the corresponding Sapling Receiver is obtained as specified in 4.
      • -
    • For an Orchard IVK, the corresponding Orchard Receiver is obtained as specified in 5.
      • -
    • For a Transparent P2PKH IVK, the diversifier index is used as a BIP 44 child key index at the Index level 32 to derive the corresponding Transparent P2PKH Receiver. As is usual for derivations below the BIP 44 Account level, non-hardened (public) derivation 29 MUST be used. The IVK is assumed to correspond to the extended public key for the external (non-change) element of the path. That is, if the UIVK was constructed correctly then the BIP 44 path of the Transparent P2PKH Receiver will be +
    • For a Sapling IVK, the corresponding Sapling Receiver is obtained as specified in 4.
      • +
    • For an Orchard IVK, the corresponding Orchard Receiver is obtained as specified in 5.
      • +
    • For a Transparent P2PKH IVK, the diversifier index is used as a BIP 44 child key index at the Index level 32 to derive the corresponding Transparent P2PKH Receiver. As is usual for derivations below the BIP 44 Account level, non-hardened (public) derivation 29 MUST be used. The IVK is assumed to correspond to the extended public key for the external (non-change) element of the path. That is, if the UIVK was constructed correctly then the BIP 44 path of the Transparent P2PKH Receiver will be \(m / 44' / \mathit{coin\_type\kern0.05em'} / \mathit{account\kern0.1em'} / 0 / \mathit{diversifier\_index}.\)
    @@ -433,8 +463,8 @@

    Items (including Metadata Items that are not "MUST-understand") that are unrecognised by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a Unified Address from a UIVK.

    Usage of Outgoing Viewing Keys

    -

    When a Sender constructs a transaction that creates Sapling or Orchard notes, it uses an outgoing viewing key, as described in 6 and 7, to encrypt an outgoing ciphertext. Decryption with the outgoing viewing key allows recovering the sent note plaintext, including destination address, amount, and memo. The intention is that this outgoing viewing key should be associated with the source of the funds.

    -

    However, the specification of which outgoing viewing key should be used is left somewhat open in 6 and 7; in particular, it was unclear whether transfers should be considered as being sent from an address, or from a ZIP 32 account 20. The adoption of multiple shielded protocols that support outgoing viewing keys (i.e. Sapling and Orchard) further complicates this question, since from NU5 activation, nothing at the consensus level prevents a wallet from spending both Sapling and Orchard notes in the same transaction. (Recommendations about wallet usage of multiple pools will be given in ZIP 315 25.)

    +

    When a Sender constructs a transaction that creates Sapling or Orchard notes, it uses an outgoing viewing key, as described in 6 and 7, to encrypt an outgoing ciphertext. Decryption with the outgoing viewing key allows recovering the sent note plaintext, including destination address, amount, and memo. The intention is that this outgoing viewing key should be associated with the source of the funds.

    +

    However, the specification of which outgoing viewing key should be used is left somewhat open in 6 and 7; in particular, it was unclear whether transfers should be considered as being sent from an address, or from a ZIP 32 account 20. The adoption of multiple shielded protocols that support outgoing viewing keys (i.e. Sapling and Orchard) further complicates this question, since from NU5 activation, nothing at the consensus level prevents a wallet from spending both Sapling and Orchard notes in the same transaction. (Recommendations about wallet usage of multiple pools will be given in ZIP 315 25.)

    Here we refine the protocol specification in order to allow more precise determination of viewing authority for UFVKs.

    A Sender will attempt to determine a "sending Account" for each transfer. The preferred approach is for the API used to perform a transfer to directly specify a sending Account. Otherwise, if the Sender can ascertain that all funds used in the transfer are from addresses associated with some Account, then it SHOULD treat that as the sending Account. If not, then the sending Account is undetermined.

    The Sender also determines a "preferred sending protocol" —one of "transparent", "Sapling", or "Orchard"— corresponding to the most preferred Receiver Type (as given in Encoding of Unified Addresses) of any funds sent in the transaction.

    diff --git a/zip-0316.rst b/zip-0316.rst index 82a630d9d..ab0d4b29d 100644 --- a/zip-0316.rst +++ b/zip-0316.rst @@ -90,6 +90,9 @@ Unified QR Encoding Address Encoding The externally visible encoding of an Address (e.g. as a string of characters or a QR code). +Unix Epoch Time + An integer representing a UTC time in seconds relative to the Unix Epoch + of 1970-01-01T00:00:00Z. Notation for sequences, conversions, and arithmetic operations follows the Zcash protocol specification [#protocol-notation]_. @@ -305,7 +308,7 @@ Revision History .. _`Revision 1`: -* Revision 1: `MUST-understand typecodes`_ +* Revision 1: `MUST-understand typecodes`_ and `Address Expiration Metadata`_ Specification ============= @@ -623,10 +626,64 @@ a Sender when choosing a Receiver to send to, and since they are not Viewing Keys, they MUST NOT provide additional authority to view information about transactions. -Currently no Metadata Types are defined. New Metadata Types SHOULD be -introduced either by a modification to this ZIP or by a new ZIP, in -accordance with the ZIP Process [#zip-0000]_. +Address Expiration Metadata +--------------------------- +As of `Revision 1`_, typecodes :math:`\mathtt{0xE0}` and +:math:`\mathtt{0xE1}` are reserved for address expiry metadata. + +The value of a :math:`\mathtt{0xE0}` item MUST be an unsigned 32-bit integer in +little-endian order specifying the Address Expiry Height, a block height of the +Zcash chain associated with the UA/UVK. A Unified Address containing metadata +typecode :math:`\mathtt{0xE0}` MUST be considered expired when the height of +the Zcash chain is greater than this value. + +The value of a :math:`\mathtt{0xE1}` item MUST be an unsigned 64-bit integer in +little-endian order specifying a Unix Epoch Time, hereafter referred to as the +Address Expiry Time. A Unified Address containing metadata typecode +:math:`\mathtt{0xE1}` MUST be considered expired when the current time is +after the Address Expiry Time. + +A Sender that supports `Revision 1`_ of this specification MUST set +a non-zero ``nExpiryHeight`` field in transactions that it creates. If the +``nExpiryHeight`` normally constructed by the Sender would be greater than the +Address Expiry Height, then the transaction MUST NOT be sent. If only an +Address Expiry Time is specified, then the Sender MUST choose a value for +``nExpiryHeight`` such that the transaction will expire no more than 24 hours +after the current time. + +If wallet user attempts to send to an expired address, the error presented to +the user by the wallet SHOULD include a suggestion that the user should +attempt to obtain a currently-valid address for the intended recipient. + +When deriving from a UFVK or UIVK containing typecodes :math:`\mathtt{0xE0}` +and/or :math:`\mathtt{0xE1}`, these Metadata Items MUST be retained unmodified +in the output. + +Rationale +''''''''' + +The intent of this specification is that Consumers of Unified Addresses MUST +NOT send to expired addresses. If only an Address Expiry Time is specified, a +transaction to the associated address could be mined after the Address Expiry +Time within a 24-hour window. + +The reason that the transaction MUST NOT be sent when its nExpiryHeight as +normally constructed is greater than the Address Expiry Height is to avoid +unnecessary information leakage in that field about which address was used as +the destination. If a sender were to instead use the expiry height to directly +set nExpiryHeight field, this would leak the expiry information of the +destination address, which may then be identifiable. + +When honoring an Address Expiry Time, the reason that a sender must choose a +``nExpiryHeight`` that is expected to occur within 24 hours of the time of +transaction construction is to ensure that the expiry time is respected to +within a day; since block times are not exact and computer clocks often +disagree, an Address Expiry Time is advisory and not a hard bound. Setting an +expiry height as specified ensures that the expiry time will be at least +loosely respected, and it is of course both permissible and perhaps advisable +to set this bound more tightly. A common expiry delta used by many wallets +is 40 blocks from the current chain tip. Deriving Internal Keys ---------------------- From 099ef4397fb96542bdf22d26a5aa254239e8e813 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Sat, 13 Jan 2024 10:10:38 -0700 Subject: [PATCH 3/6] ZIP 316, Revision 1: Clarify that address expiration metadata is optional. --- zip-0316.html | 3 ++- zip-0316.rst | 11 +++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/zip-0316.html b/zip-0316.html index aafda9d3e..0edc08f5f 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -350,7 +350,7 @@ \(\mathtt{0xE0}\) and \(\mathtt{0xE1}\) - are reserved for address expiry metadata.

    + are reserved for optional address expiry metadata. A producer MAY choose to generate Unified Addresses containing either or both of the following Metadata Item Types, or none.

    The value of a \(\mathtt{0xE0}\) item MUST be an unsigned 32-bit integer in little-endian order specifying the Address Expiry Height, a block height of the Zcash chain associated with the UA/UVK. A Unified Address containing metadata typecode @@ -368,6 +368,7 @@ and/or \(\mathtt{0xE1}\) , these Metadata Items MUST be retained unmodified in the output.

    +

    Address expiration imposes no constraints on the Producer of an address. A Producer MAY generate multiple Unified Addresses with the same Receivers but different expiration metadata and/or any number of distinct Diversified Unified Addresses with the same or different expiry metadata, in any combination.

    Rationale

    The intent of this specification is that Consumers of Unified Addresses MUST NOT send to expired addresses. If only an Address Expiry Time is specified, a transaction to the associated address could be mined after the Address Expiry Time within a 24-hour window.

    The reason that the transaction MUST NOT be sent when its nExpiryHeight as normally constructed is greater than the Address Expiry Height is to avoid unnecessary information leakage in that field about which address was used as the destination. If a sender were to instead use the expiry height to directly set nExpiryHeight field, this would leak the expiry information of the destination address, which may then be identifiable.

    diff --git a/zip-0316.rst b/zip-0316.rst index ab0d4b29d..ff6dc5c1b 100644 --- a/zip-0316.rst +++ b/zip-0316.rst @@ -629,8 +629,10 @@ information about transactions. Address Expiration Metadata --------------------------- -As of `Revision 1`_, typecodes :math:`\mathtt{0xE0}` and -:math:`\mathtt{0xE1}` are reserved for address expiry metadata. +As of `Revision 1`_, typecodes :math:`\mathtt{0xE0}` and :math:`\mathtt{0xE1}` +are reserved for optional address expiry metadata. A producer MAY choose to +generate Unified Addresses containing either or both of the following Metadata +Item Types, or none. The value of a :math:`\mathtt{0xE0}` item MUST be an unsigned 32-bit integer in little-endian order specifying the Address Expiry Height, a block height of the @@ -660,6 +662,11 @@ When deriving from a UFVK or UIVK containing typecodes :math:`\mathtt{0xE0}` and/or :math:`\mathtt{0xE1}`, these Metadata Items MUST be retained unmodified in the output. +Address expiration imposes no constraints on the Producer of an address. A +Producer MAY generate multiple Unified Addresses with the same Receivers but +different expiration metadata and/or any number of distinct Diversified Unified +Addresses with the same or different expiry metadata, in any combination. + Rationale ''''''''' From 5b92bcd07642d4504ac467c1199dfa9400a04161 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Sun, 14 Jan 2024 19:05:12 -0700 Subject: [PATCH 4/6] ZIP 316, Revision 1: Apply suggestions from code review Co-authored-by: Daira Emma Hopwood --- zip-0316.html | 203 ++++++++++++++++++++++++++++---------------------- zip-0316.rst | 96 ++++++++++++++++-------- 2 files changed, 180 insertions(+), 119 deletions(-) diff --git a/zip-0316.html b/zip-0316.html index 0edc08f5f..124e5aad4 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -24,7 +24,7 @@ License: MIT Discussions-To: <https://github.com/zcash/zips/issues/482>

    Terminology

    -

    The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

    +

    The key words "MUST", "MUST NOT", "SHOULD", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

    The terms below are to be interpreted as follows:

    Recipient
    @@ -82,8 +82,8 @@
  • Sprout Addresses
  • Sapling Addresses
    • -

    Each of these has its own Address Encodings, as a string and as a QR code. (Since the QR code is derivable from the string encoding as described in 8, for many purposes it suffices to consider the string encoding.)

    -

    The Orchard proposal 24 adds a new Address type, Orchard Addresses.

    +

    Each of these has its own Address Encodings, as a string and as a QR code. (Since the QR code is derivable from the string encoding as described in 9, for many purposes it suffices to consider the string encoding.)

    +

    The Orchard proposal 26 adds a new Address type, Orchard Addresses.

    The difficulty with defining new Address Encodings for each Address type, is that end-users are forced to be aware of the various types, and in particular which types are supported by a given Consumer or Recipient. In order to make sure that transfers are completed successfully, users may be forced to explicitly generate Addresses of different types and re-distribute encodings of them, which adds significant friction and cognitive overhead to understanding and using Zcash.

    The goals for a Unified Address standard are as follows:

      @@ -103,7 +103,7 @@

      Overview

      Unified Addresses specify multiple methods for payment to a Recipient's wallet. The Sender's wallet can then non-interactively select the method of payment.

      Importantly, any wallet can support Unified Addresses, even when that wallet only supports a subset of payment methods for receiving and/or sending.

      -

      Despite having some similar characteristics, the Unified Address standard is orthogonal to Payment Request URIs 26 and similar schemes. Since Payment Requests encode addresses as alphanumeric strings, no change to ZIP 321 is required in order to use Unified Addresses in Payment Requests.

      +

      Despite having some similar characteristics, the Unified Address standard is orthogonal to Payment Request URIs 28 and similar schemes. Since Payment Requests encode addresses as alphanumeric strings, no change to ZIP 321 is required in order to use Unified Addresses in Payment Requests.

      Concepts

      Wallets follow a model Interaction Flow as follows:

      @@ -131,7 +131,7 @@

      The Unified String Encoding is resilient against typos, transcription errors, cut-and-paste errors, truncation, or other likely UX hazards.

      There is a well-defined Unified QR Encoding of a Unified Address (or UFVK or UIVK) as a QR code, which produces QR codes that are reasonably compact and robust.

      There is a well-defined transformation between the Unified QR Encoding and Unified String Encoding of a given UA/UVK in either direction.

      -

      The Unified String Encoding fits into ZIP-321 Payment URIs 26 and general URIs without introducing parse ambiguities.

      +

      The Unified String Encoding fits into ZIP-321 Payment URIs 28 and general URIs without introducing parse ambiguities.

      The encoding must support sufficiently many Recipient Types to allow for reasonable future expansion.

      The encoding must allow all wallets to safely and correctly parse out unrecognised Receiver Types well enough to ignore them.

      @@ -148,8 +148,8 @@

      Unified Addresses and Unified Viewing Keys must be able to include Receivers and Viewing Keys of experimental types, possibly alongside non-experimental ones. These experimental Receivers or Viewing Keys must be used only by wallets whose users have explicitly opted into the corresponding experiment.

    Viewing Keys

    -

    A Unified Full Viewing Key (resp. Unified Incoming Viewing Key) can be used in a similar way to a Full Viewing Key (resp. Incoming Viewing Key) as described in the Zcash Protocol Specification 2.

    -

    For a Transparent P2PKH Address that is derived according to BIP 32 27 and BIP 44 30, the nearest equivalent to a Full Viewing Key or Incoming Viewing Key for a given BIP 44 account is an extended public key, as defined in the section “Extended keys” of BIP 32. Therefore, UFVKs and UIVKs should be able to include such extended public keys.

    +

    A Unified Full Viewing Key (resp. Unified Incoming Viewing Key) can be used in a similar way to a Full Viewing Key (resp. Incoming Viewing Key) as described in the Zcash Protocol Specification 2.

    +

    For a Transparent P2PKH Address that is derived according to BIP 32 29 and BIP 44 32, the nearest equivalent to a Full Viewing Key or Incoming Viewing Key for a given BIP 44 account is an extended public key, as defined in the section “Extended keys” of BIP 32. Therefore, UFVKs and UIVKs should be able to include such extended public keys.

    A wallet should support deriving a UIVK from a UFVK, and a Unified Address from a UIVK.

    Open Issues and Known Concerns

    @@ -158,7 +158,7 @@

    Revision History

    Specification

    @@ -168,10 +168,10 @@
    • Typecode \(\mathtt{0x03}\) - — an Orchard raw address as defined in 10;
      • + — an Orchard raw address as defined in 11;
    • Typecode \(\mathtt{0x02}\) - — a Sapling raw address as defined in 9;
      • + — a Sapling raw address as defined in 10;
    • Typecode \(\mathtt{0x01}\) — a Transparent P2SH address, or Typecode @@ -209,9 +209,9 @@ in practice.)

      A Receiver Encoding is the raw encoding of a Shielded Payment Address, or the \(160\!\) - -bit script hash of a P2SH address 35, or the + -bit script hash of a P2SH address 37, or the \(160\!\) - -bit validating key hash of a P2PKH address 34.

      + -bit validating key hash of a P2PKH address 36.

      Let padding be the Human-Readable Part of the Unified Address in US-ASCII, padded to 16 bytes with zero bytes. We append padding to the concatenated encodings, and then apply the \(\mathsf{F4Jumble}\) algorithm as described in Jumbling. (In order for the limitation on the @@ -220,7 +220,7 @@ \(\ell^\mathsf{MAX}_M - 16\) bytes, where \(\ell^\mathsf{MAX}_M\) - is defined in Jumbling.) The output is then encoded with Bech32m 33, ignoring any length restrictions. This is chosen over Bech32 in order to better handle variable-length inputs.

      + is defined in Jumbling.) The output is then encoded with Bech32m 35, ignoring any length restrictions. This is chosen over Bech32 in order to better handle variable-length inputs.

      To decode a Unified Address Encoding, a Consumer MUST use the following procedure:

      • Decode using Bech32m, rejecting any address with an incorrect checksum.
        • @@ -230,7 +230,7 @@
      • Let padding be the Human-Readable Part, padded to 16 bytes as for encoding. If the result ends in padding, remove these 16 bytes; otherwise reject.
      • Parse the result as a raw encoding as described above, rejecting the entire Unified Address if it does not parse correctly.
      -

      For Unified Addresses on Mainnet, the Human-Readable Part (as defined in 33) is “u”. For Unified Addresses on Testnet, the Human-Readable Part is “utest”.

      +

      For Unified Addresses on Mainnet, the Human-Readable Part (as defined in 35) is “u”. For Unified Addresses on Testnet, the Human-Readable Part is “utest”.

      A wallet MAY allow its user(s) to configure which Receiver Types it can send to. It MUST NOT allow the user(s) to change the order of the Priority List used to choose the Receiver Type, except by opting into experiments.

    Encoding of Unified Full/Incoming Viewing Keys

    @@ -251,7 +251,7 @@ \(\mathsf{EncodeExtFVKParts}(\mathsf{ak}, \mathsf{nk}, \mathsf{ovk}, \mathsf{dk})\) , where \(\mathsf{EncodeExtFVKParts}\) - is defined in 14. This SHOULD be derived from the Extended Full Viewing Key at the Account level of the ZIP 32 hierarchy. + is defined in 15. This SHOULD be derived from the Extended Full Viewing Key at the Account level of the ZIP 32 hierarchy.
  • A Sapling IVK Encoding, also with Typecode \(\mathtt{0x02},\) is an encoding of @@ -262,19 +262,19 @@
  • There is no defined way to represent a Viewing Key for a Transparent P2SH Address in a UFVK or UIVK (because P2SH Addresses cannot be diversified in an unlinkable way). The Typecode \(\mathtt{0x01}\) MUST NOT be included in a UFVK or UIVK by Producers, and MUST be treated as unrecognised by Consumers.
    • -
  • For Transparent P2PKH Addresses that are derived according to BIP 32 27 and BIP 44 30, the FVK and IVK Encodings have Typecode +
  • For Transparent P2PKH Addresses that are derived according to BIP 32 29 and BIP 44 32, the FVK and IVK Encodings have Typecode \(\mathtt{0x00}.\) Both of these are encodings of the chain code and public key \((\mathsf{c}, \mathsf{pk})\) given by \(\mathsf{c}\,||\,\mathsf{ser_P}(\mathsf{pk})\) - . (This is the same as the last 65 bytes of the extended public key format defined in section “Serialization format” of BIP 32 28.) However, the FVK uses the key at the Account level, i.e. at path + . (This is the same as the last 65 bytes of the extended public key format defined in section “Serialization format” of BIP 32 30.) However, the FVK uses the key at the Account level, i.e. at path \(m / 44' / coin\_type' / account'\) , while the IVK uses the external (non-change) child key at the Change level, i.e. at path \(m / 44' / coin\_type' / account' / 0\) .
    • -

    The Human-Readable Parts (as defined in 33) of Unified Viewing Keys are defined as follows:

    +

    The Human-Readable Parts (as defined in 35) of Unified Viewing Keys are defined as follows:

    • uivk” for Unified Incoming Viewing Keys on Mainnet;
    • uivktest” for Unified Incoming Viewing Keys on Testnet;
      • @@ -301,13 +301,13 @@ \(\mathtt{length}\) fields are encoded as \(\mathtt{compactSize}.\) - 36 (Although existing Receiver Encodings and Viewing Key Encodings are all less than 256 bytes and so could use a one-byte length field, encodings for experimental types may be longer.) + 38 (Although existing Receiver Encodings and Viewing Key Encodings are all less than 256 bytes and so could use a one-byte length field, encodings for experimental types may be longer.)
    • Within a single UA or UVK, all HD-derived Receivers, FVKs, and IVKs SHOULD represent an Address or Viewing Key for the same account (as used in the ZIP 32 or BIP 44 Account level).
    • For Transparent Addresses, the Receiver Encoding does not include the first two bytes of a raw encoding.
      • -
    • There is intentionally no Typecode defined for a Sprout Shielded Payment Address or Sprout Incoming Viewing Key. Since it is no longer possible (since activation of ZIP 211 in the Canopy network upgrade 23) to send funds into the Sprout chain value pool, this would not be generally useful.
      • +
    • There is intentionally no Typecode defined for a Sprout Shielded Payment Address or Sprout Incoming Viewing Key. Since it is no longer possible (since activation of ZIP 211 in the Canopy network upgrade 25) to send funds into the Sprout chain value pool, this would not be generally useful.
    • Consumers MUST ignore constituent Items with Typecodes they do not recognise.
    • Consumers MUST reject Unified Addresses/Viewing Keys in which the same Typecode appears more than once, or that include both P2SH and P2PKH Transparent Addresses, or that contain only a Transparent Address.
      • -
    • Consumers MUST reject Unified Addresses/Viewing Keys in which any constituent Item does not meet the validation requirements of its encoding, as specified in this ZIP and the Zcash Protocol Specification 2.
      • +
    • Consumers MUST reject Unified Addresses/Viewing Keys in which any constituent Item does not meet the validation requirements of its encoding, as specified in this ZIP and the Zcash Protocol Specification 2.
    • Consumers MUST reject Unified Addresses/Viewing Keys in which the constituent Items are not ordered in ascending Typecode order. Note that this is different to priority order, and does not affect which Receiver in a Unified Address should be used by a Sender.
    • There MUST NOT be additional bytes at the end of the raw encoding that cannot be interpreted as specified above.
    • If the encoding of a Unified Address/Viewing Key is shown to a user in an abridged form due to lack of space, at least the first 20 characters MUST be included.
      • @@ -324,7 +324,7 @@

    Adding new types

    -

    It is intended that new Receiver Types and Viewing Key Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 13.

    +

    It is intended that new Receiver Types and Viewing Key Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 14.

    For experimentation prior to proposing a ZIP, experimental types MAY be added using the reserved Typecodes \(\mathtt{0xFFFA}\) to @@ -338,41 +338,53 @@ to \(\mathtt{0xFC}\) inclusive are reserved to indicate Metadata Items other than Receivers or Viewing Keys. These Items MAY affect the overall interpretation of the UA / UVK (for example, by specifying an expiration date).

    -

    As of Revision 1, the subset of Metadata typecodes in the range +

    As of Revision 1, the subset of Metadata Typecodes in the range \(mathtt{0xE0}\) to \(mathtt{0xEF}\) - inclusive are designated as "MUST-understand": if a Consumer is unable to recognise the meaning of a Metadata Item with a typecode in this range, then it MUST regard the entire UA/UVK as unsupported and not process it further.

    + inclusive are designated as "MUST-understand": if a Consumer is unable to recognise the meaning of a Metadata Item with a Typecode in this range, then it MUST regard the entire UA/UVK as unsupported and not process it further.

    Since Metadata Items are not Receivers, they MUST NOT be selected by a Sender when choosing a Receiver to send to, and since they are not Viewing Keys, they MUST NOT provide additional authority to view information about transactions.

    +

    New Metadata Types SHOULD be introduced either by a modification to this ZIP or by a new ZIP, in accordance with the ZIP Process 14.

    Address Expiration Metadata

    -

    As of Revision 1, typecodes +

    As of Revision 1, Typecodes \(\mathtt{0xE0}\) and \(\mathtt{0xE1}\) are reserved for optional address expiry metadata. A producer MAY choose to generate Unified Addresses containing either or both of the following Metadata Item Types, or none.

    The value of a \(\mathtt{0xE0}\) - item MUST be an unsigned 32-bit integer in little-endian order specifying the Address Expiry Height, a block height of the Zcash chain associated with the UA/UVK. A Unified Address containing metadata typecode + item MUST be an unsigned 32-bit integer in little-endian order specifying the Address Expiry Height, a block height of the Zcash chain associated with the UA/UVK. A Unified Address containing metadata Typecode \(\mathtt{0xE0}\) MUST be considered expired when the height of the Zcash chain is greater than this value.

    The value of a \(\mathtt{0xE1}\) - item MUST be an unsigned 64-bit integer in little-endian order specifying a Unix Epoch Time, hereafter referred to as the Address Expiry Time. A Unified Address containing metadata typecode + item MUST be an unsigned 64-bit integer in little-endian order specifying a Unix Epoch Time, hereafter referred to as the Address Expiry Time. A Unified Address containing Metadata Typecode \(\mathtt{0xE1}\) MUST be considered expired when the current time is after the Address Expiry Time.

    A Sender that supports Revision 1 of this specification MUST set a non-zero nExpiryHeight field in transactions that it creates. If the nExpiryHeight normally constructed by the Sender would be greater than the Address Expiry Height, then the transaction MUST NOT be sent. If only an Address Expiry Time is specified, then the Sender MUST choose a value for nExpiryHeight such that the transaction will expire no more than 24 hours after the current time.

    If wallet user attempts to send to an expired address, the error presented to the user by the wallet SHOULD include a suggestion that the user should attempt to obtain a currently-valid address for the intended recipient.

    -

    When deriving from a UFVK or UIVK containing typecodes +

    Address expiration imposes no constraints on the Producer of an address. A Producer MAY generate multiple Unified Addresses with the same Receivers but different expiration metadata and/or any number of distinct Diversified Unified Addresses with the same or different expiry metadata, in any combination.

    +

    When deriving a UIVK from a UFVK containing Typecodes \(\mathtt{0xE0}\) and/or \(\mathtt{0xE1}\) - , these Metadata Items MUST be retained unmodified in the output.

    -

    Address expiration imposes no constraints on the Producer of an address. A Producer MAY generate multiple Unified Addresses with the same Receivers but different expiration metadata and/or any number of distinct Diversified Unified Addresses with the same or different expiry metadata, in any combination.

    + , these Metadata Items MUST be retained unmodified in the derived UIVK.

    +

    When deriving a Unified Address from a UFVK or UIVK containing a Metadata Item having Typecode + \(\mathtt{0xE0}\) + , the derived Unified Address MUST contain a Metadata Item having Typecode + \(\mathtt{0xE0}\) + such that the Address Expiry Height of the resulting address is less than or equal to the Expiry Height of the viewing key.

    +

    When deriving a Unified Address from a UFVK or UIVK containing a Metadata Item having Typecode + \(\mathtt{0xE1}\) + , the derived Unified Address MUST contain a Metadata Item having Typecode + \(\mathtt{0xE1}\) + such that the Address Expiry Time of the resulting address is less than or equal to the Expiry Time of the viewing key.

    +

    Producers of Diversified Unified Addresses should be aware that the expiration metadata could potentially be used to link addresses from the same source. Normally, if Diversified Unified Addresses derived from the same UIVK contain only Sapling and/or Orchard Receivers and no Metadata Items, they will be unlinkable as described in 8; this property does not hold when Metadata Items are present. It is RECOMMENDED that when deriving Unified Addresses from a UFVK or UIVK containing expiry metadata that the Expiry Height and Expiry Time of each distinct address vary from one another, so as to reduce the likelihood that addresses may be linked via their expiry metadata.

    Rationale

    The intent of this specification is that Consumers of Unified Addresses MUST NOT send to expired addresses. If only an Address Expiry Time is specified, a transaction to the associated address could be mined after the Address Expiry Time within a 24-hour window.

    -

    The reason that the transaction MUST NOT be sent when its nExpiryHeight as normally constructed is greater than the Address Expiry Height is to avoid unnecessary information leakage in that field about which address was used as the destination. If a sender were to instead use the expiry height to directly set nExpiryHeight field, this would leak the expiry information of the destination address, which may then be identifiable.

    -

    When honoring an Address Expiry Time, the reason that a sender must choose a nExpiryHeight that is expected to occur within 24 hours of the time of transaction construction is to ensure that the expiry time is respected to within a day; since block times are not exact and computer clocks often disagree, an Address Expiry Time is advisory and not a hard bound. Setting an expiry height as specified ensures that the expiry time will be at least loosely respected, and it is of course both permissible and perhaps advisable to set this bound more tightly. A common expiry delta used by many wallets is 40 blocks from the current chain tip.

    +

    The reason that the transaction MUST NOT be sent when its nExpiryHeight as normally constructed is greater than the Address Expiry Height is to avoid unnecessary information leakage in that field about which address was used as the destination. If a sender were to instead use the expiry height to directly set the nExpiryHeight field, this would leak the expiry information of the destination address, which may then be identifiable.

    +

    When honoring an Address Expiry Time, the reason that a sender must choose a nExpiryHeight that is expected to occur within 24 hours of the time of transaction construction is to ensure that the expiry time is respected to within a day; since block times are not exact and computer clocks often disagree, an Address Expiry Time is advisory and not a hard bound. Setting an expiry height as specified ensures that the expiry time will be at least loosely respected, and it is of course both permissible and perhaps advisable to set this bound more tightly. A common expiry delta used by many wallets is 40 blocks from the current chain tip, as suggested in ZIP 203 24.

    Deriving Internal Keys

    @@ -397,7 +409,7 @@ \(\mathsf{CRH^{ivk}}\) or \(\mathsf{Commit^{ivk}}\) - (for Sapling and Orchard respectively). Derivation of an internal shielded FVK from an external shielded FVK is specified in the "Sapling internal key derivation" 17 and "Orchard internal key derivation" 19 sections of ZIP 32.

    + (for Sapling and Orchard respectively). Derivation of an internal shielded FVK from an external shielded FVK is specified in the "Sapling internal key derivation" 18 and "Orchard internal key derivation" 20 sections of ZIP 32.

    To satisfy the above properties for transparent (P2PKH) keys, we derive the external and internal \(\mathsf{ovk}\) components from the transparent FVK @@ -410,7 +422,7 @@ \(\mathsf{ser_P}(pk)\) is \(33\) - bytes, as specified in 28. + bytes, as specified in 30.

  • Let \(\mathsf{ovk_{external}}\) be the first @@ -425,26 +437,26 @@ \(I_\mathsf{ovk}\) .
    • -

    Since an external P2PKH FVK encodes the chain code and public key at the Account level, we can derive both external and internal child keys from it, as described in BIP 44 31. It is possible to derive an internal P2PKH FVK from the external P2PKH FVK (i.e. its parent) without having the external spending key, because child derivation at the Change level is non-hardened.

    +

    Since an external P2PKH FVK encodes the chain code and public key at the Account level, we can derive both external and internal child keys from it, as described in BIP 44 33. It is possible to derive an internal P2PKH FVK from the external P2PKH FVK (i.e. its parent) without having the external spending key, because child derivation at the Change level is non-hardened.

    Deriving a UIVK from a UFVK

    -

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item typecodes present in the UFVK in order to perform UIVK derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    +

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item Typecodes present in the UFVK in order to perform UIVK derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    The following derivations are applied to each component FVK:

      -
    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • -
    • For an Orchard FVK, the corresponding Orchard IVK is obtained as specified in 5.
      • +
    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • +
    • For an Orchard FVK, the corresponding Orchard IVK is obtained as specified in 5.
    • For a Transparent P2PKH FVK, the corresponding Transparent P2PKH IVK is obtained by deriving the child key with non-hardened index \(0\) - as described in 29.
      • + as described in 31.

    In each case, the Typecode remains the same as in the FVK.

    Items (including Metadata Items that are not "MUST-understand") that are unrecognised by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a UIVK from a UFVK.

    Deriving a Unified Address from a UIVK

    -

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item typecodes present in the UIVK in order to perform Unified Address derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    +

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item Typecodes present in the UIVK in order to perform Unified Address derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    To derive a Unified Address from a UIVK we need to choose a diversifier index, which MUST be valid for all of the Viewing Key Types in the UIVK. That is,

      -
    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 16.
      • +
    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 17.
    • A Transparent diversifier index MUST be in the range \(0\) to @@ -454,18 +466,19 @@

    The following derivations are applied to each component IVK using the diversifier index:

      -
    • For a Sapling IVK, the corresponding Sapling Receiver is obtained as specified in 4.
      • -
    • For an Orchard IVK, the corresponding Orchard Receiver is obtained as specified in 5.
      • -
    • For a Transparent P2PKH IVK, the diversifier index is used as a BIP 44 child key index at the Index level 32 to derive the corresponding Transparent P2PKH Receiver. As is usual for derivations below the BIP 44 Account level, non-hardened (public) derivation 29 MUST be used. The IVK is assumed to correspond to the extended public key for the external (non-change) element of the path. That is, if the UIVK was constructed correctly then the BIP 44 path of the Transparent P2PKH Receiver will be +
    • For a Sapling IVK, the corresponding Sapling Receiver is obtained as specified in 4.
      • +
    • For an Orchard IVK, the corresponding Orchard Receiver is obtained as specified in 5.
      • +
    • For a Transparent P2PKH IVK, the diversifier index is used as a BIP 44 child key index at the Index level 34 to derive the corresponding Transparent P2PKH Receiver. As is usual for derivations below the BIP 44 Account level, non-hardened (public) derivation 31 MUST be used. The IVK is assumed to correspond to the extended public key for the external (non-change) element of the path. That is, if the UIVK was constructed correctly then the BIP 44 path of the Transparent P2PKH Receiver will be \(m / 44' / \mathit{coin\_type\kern0.05em'} / \mathit{account\kern0.1em'} / 0 / \mathit{diversifier\_index}.\)

    In each case, the Typecode remains the same as in the IVK.

    Items (including Metadata Items that are not "MUST-understand") that are unrecognised by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a Unified Address from a UIVK.

    +

    See Address Expiration Metadata for discussion of potential linking of Diversified Unified Addresses via their metadata.

    Usage of Outgoing Viewing Keys

    -

    When a Sender constructs a transaction that creates Sapling or Orchard notes, it uses an outgoing viewing key, as described in 6 and 7, to encrypt an outgoing ciphertext. Decryption with the outgoing viewing key allows recovering the sent note plaintext, including destination address, amount, and memo. The intention is that this outgoing viewing key should be associated with the source of the funds.

    -

    However, the specification of which outgoing viewing key should be used is left somewhat open in 6 and 7; in particular, it was unclear whether transfers should be considered as being sent from an address, or from a ZIP 32 account 20. The adoption of multiple shielded protocols that support outgoing viewing keys (i.e. Sapling and Orchard) further complicates this question, since from NU5 activation, nothing at the consensus level prevents a wallet from spending both Sapling and Orchard notes in the same transaction. (Recommendations about wallet usage of multiple pools will be given in ZIP 315 25.)

    +

    When a Sender constructs a transaction that creates Sapling or Orchard notes, it uses an outgoing viewing key, as described in 6 and 7, to encrypt an outgoing ciphertext. Decryption with the outgoing viewing key allows recovering the sent note plaintext, including destination address, amount, and memo. The intention is that this outgoing viewing key should be associated with the source of the funds.

    +

    However, the specification of which outgoing viewing key should be used is left somewhat open in 6 and 7; in particular, it was unclear whether transfers should be considered as being sent from an address, or from a ZIP 32 account 21. The adoption of multiple shielded protocols that support outgoing viewing keys (i.e. Sapling and Orchard) further complicates this question, since from NU5 activation, nothing at the consensus level prevents a wallet from spending both Sapling and Orchard notes in the same transaction. (Recommendations about wallet usage of multiple pools will be given in ZIP 315 27.)

    Here we refine the protocol specification in order to allow more precise determination of viewing authority for UFVKs.

    A Sender will attempt to determine a "sending Account" for each transfer. The preferred approach is for the API used to perform a transfer to directly specify a sending Account. Otherwise, if the Sender can ascertain that all funds used in the transfer are from addresses associated with some Account, then it SHOULD treat that as the sending Account. If not, then the sending Account is undetermined.

    The Sender also determines a "preferred sending protocol" —one of "transparent", "Sapling", or "Orchard"— corresponding to the most preferred Receiver Type (as given in Encoding of Unified Addresses) of any funds sent in the transaction.

    @@ -783,11 +796,11 @@ - +
    - +
    2Zcash Protocol Specification, Version 2022.2.19 or later [NU5 proposal]Zcash Protocol Specification, Version 2023.4.0 or later
    @@ -795,7 +808,7 @@ 3 - Zcash Protocol Specification, Version 2022.2.19. Section 2: Notation + Zcash Protocol Specification, Version 2023.4.0. Section 2: Notation @@ -803,7 +816,7 @@ 4 - Zcash Protocol Specification, Version 2022.2.19. Section 4.2.2: Sapling Key Components + Zcash Protocol Specification, Version 2023.4.0. Section 4.2.2: Sapling Key Components @@ -811,7 +824,7 @@ 5 - Zcash Protocol Specification, Version 2022.2.19. Section 4.2.3: Orchard Key Components + Zcash Protocol Specification, Version 2023.4.0. Section 4.2.3: Orchard Key Components @@ -819,7 +832,7 @@ 6 - Zcash Protocol Specification, Version 2022.2.19. Section 4.7.2: Sending Notes (Sapling) + Zcash Protocol Specification, Version 2023.4.0. Section 4.7.2: Sending Notes (Sapling) @@ -827,54 +840,62 @@ 7 - Zcash Protocol Specification, Version 2022.2.19. Section 4.7.3: Sending Notes (Orchard) + Zcash Protocol Specification, Version 2023.4.0. Section 4.7.3: Sending Notes (Orchard) - +
    - +
    8Zcash Protocol Specification, Version 2022.2.19. Section 5.6: Encodings of Addresses and KeysZcash Protocol Specification, Version 2023.4.0. Section 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions
    - +
    - +
    9Zcash Protocol Specification, Version 2022.2.19. Section 5.6.3.1: Sapling Payment AddressesZcash Protocol Specification, Version 2023.4.0. Section 5.6: Encodings of Addresses and Keys
    - +
    - +
    10Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.2: Orchard Raw Payment AddressesZcash Protocol Specification, Version 2023.4.0. Section 5.6.3.1: Sapling Payment Addresses
    - +
    - +
    11Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.3: Orchard Raw Incoming Viewing KeysZcash Protocol Specification, Version 2023.4.0. Section 5.6.4.2: Orchard Raw Payment Addresses
    - +
    - +
    12Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.4: Orchard Raw Full Viewing KeysZcash Protocol Specification, Version 2023.4.0. Section 5.6.4.3: Orchard Raw Incoming Viewing Keys
    - +
    + + + +
    13Zcash Protocol Specification, Version 2023.4.0. Section 5.6.4.4: Orchard Raw Full Viewing Keys
    + + + + @@ -882,7 +903,7 @@
    14 ZIP 0: ZIP Process
    - + @@ -890,7 +911,7 @@
    1415 ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling helper functions
    - + @@ -898,7 +919,7 @@
    1516 ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling extended full viewing keys
    - + @@ -906,7 +927,7 @@
    1617 ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling diversifier derivation
    - + @@ -914,7 +935,7 @@
    1718 ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling internal key derivation
    - + @@ -922,7 +943,7 @@
    1819 ZIP 32: Shielded Hierarchical Deterministic Wallets — Orchard child key derivation
    - + @@ -930,7 +951,7 @@
    1920 ZIP 32: Shielded Hierarchical Deterministic Wallets — Orchard internal key derivation
    - + @@ -938,7 +959,7 @@
    2021 ZIP 32: Shielded Hierarchical Deterministic Wallets — Specification: Wallet usage
    - + @@ -946,15 +967,23 @@
    2122 ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling key path
    - +
    2223 ZIP 32: Shielded Hierarchical Deterministic Wallets — Orchard key path
    + + + + + + + +
    24ZIP 203: Transaction Expiry — Changes for Blossom
    - + @@ -962,7 +991,7 @@
    2325 ZIP 211: Disabling Addition of New Value to the Sprout Chain Value Pool
    - + @@ -970,7 +999,7 @@
    2426 ZIP 224: Orchard Shielded Protocol
    - + @@ -978,7 +1007,7 @@
    2527 ZIP 315: Best Practices for Wallet Handling of Multiple Pools
    - + @@ -986,7 +1015,7 @@
    2628 ZIP 321: Payment Request URIs
    - + @@ -994,7 +1023,7 @@
    2729 BIP 32: Hierarchical Deterministic Wallets
    - + @@ -1002,7 +1031,7 @@
    2830 BIP 32: Hierarchical Deterministic Wallets — Serialization Format
    - + @@ -1010,7 +1039,7 @@
    2931 BIP 32: Hierarchical Deterministic Wallets — Child key derivation (CKD) functions: Public parent key → public child key
    - + @@ -1018,7 +1047,7 @@
    3032 BIP 44: Multi-Account Hierarchy for Deterministic Wallets
    - + @@ -1026,7 +1055,7 @@
    3133 BIP 44: Multi-Account Hierarchy for Deterministic Wallets — Path levels: Change
    - + @@ -1034,7 +1063,7 @@
    3234 BIP 44: Multi-Account Hierarchy for Deterministic Wallets — Path levels: Index
    - + @@ -1042,7 +1071,7 @@
    3335 BIP 350: Bech32m format for v1+ witness addresses
    - + @@ -1050,7 +1079,7 @@
    3436 Transactions: P2PKH Script Validation — Bitcoin Developer Guide
    - + @@ -1058,7 +1087,7 @@
    3537 Transactions: P2SH Scripts — Bitcoin Developer Guide
    - + diff --git a/zip-0316.rst b/zip-0316.rst index ff6dc5c1b..5354fe872 100644 --- a/zip-0316.rst +++ b/zip-0316.rst @@ -21,9 +21,9 @@ Terminology =========== -The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document are -to be interpreted as described in BCP 14 [#BCP14]_ when, and only when, they -appear in all capitals. +The key words "MUST", "MUST NOT", "SHOULD", "RECOMMENDED", and "MAY" in this +document are to be interpreted as described in BCP 14 [#BCP14]_ when, and only +when, they appear in all capitals. The terms below are to be interpreted as follows: @@ -284,7 +284,7 @@ Viewing Keys A Unified Full Viewing Key (resp. Unified Incoming Viewing Key) can be used in a similar way to a Full Viewing Key (resp. Incoming Viewing Key) -as described in the Zcash Protocol Specification [#protocol-nu5]_. +as described in the Zcash Protocol Specification [#protocol]_. For a Transparent P2PKH Address that is derived according to BIP 32 [#bip-0032]_ and BIP 44 [#bip-0044]_, the nearest equivalent to a @@ -308,7 +308,7 @@ Revision History .. _`Revision 1`: -* Revision 1: `MUST-understand typecodes`_ and `Address Expiration Metadata`_ +* Revision 1: `MUST-understand Typecodes`_ and `Address Expiration Metadata`_ Specification ============= @@ -531,7 +531,7 @@ Requirements for both Unified Addresses and Unified Viewing Keys * Consumers MUST reject Unified Addresses/Viewing Keys in which *any* constituent Item does not meet the validation requirements of its encoding, as specified in this ZIP and the Zcash Protocol Specification - [#protocol-nu5]_. + [#protocol]_. * Consumers MUST reject Unified Addresses/Viewing Keys in which the constituent Items are not ordered in ascending Typecode order. Note @@ -613,12 +613,12 @@ are reserved to indicate Metadata Items other than Receivers or Viewing Keys. These Items MAY affect the overall interpretation of the UA / UVK (for example, by specifying an expiration date). -.. _`MUST-understand typecodes`: +.. _`MUST-understand Typecodes`: -As of `Revision 1`_, the subset of Metadata typecodes in the range +As of `Revision 1`_, the subset of Metadata Typecodes in the range :math:`mathtt{0xE0}` to :math:`mathtt{0xEF}` inclusive are designated as "MUST-understand": if a Consumer is unable to recognise the meaning -of a Metadata Item with a typecode in this range, then it MUST regard +of a Metadata Item with a Typecode in this range, then it MUST regard the entire UA/UVK as unsupported and not process it further. Since Metadata Items are not Receivers, they MUST NOT be selected by @@ -626,10 +626,13 @@ a Sender when choosing a Receiver to send to, and since they are not Viewing Keys, they MUST NOT provide additional authority to view information about transactions. +New Metadata Types SHOULD be introduced either by a modification to this +ZIP or by a new ZIP, in accordance with the ZIP Process [#zip-0000]_. + Address Expiration Metadata --------------------------- -As of `Revision 1`_, typecodes :math:`\mathtt{0xE0}` and :math:`\mathtt{0xE1}` +As of `Revision 1`_, Typecodes :math:`\mathtt{0xE0}` and :math:`\mathtt{0xE1}` are reserved for optional address expiry metadata. A producer MAY choose to generate Unified Addresses containing either or both of the following Metadata Item Types, or none. @@ -637,12 +640,12 @@ Item Types, or none. The value of a :math:`\mathtt{0xE0}` item MUST be an unsigned 32-bit integer in little-endian order specifying the Address Expiry Height, a block height of the Zcash chain associated with the UA/UVK. A Unified Address containing metadata -typecode :math:`\mathtt{0xE0}` MUST be considered expired when the height of +Typecode :math:`\mathtt{0xE0}` MUST be considered expired when the height of the Zcash chain is greater than this value. The value of a :math:`\mathtt{0xE1}` item MUST be an unsigned 64-bit integer in little-endian order specifying a Unix Epoch Time, hereafter referred to as the -Address Expiry Time. A Unified Address containing metadata typecode +Address Expiry Time. A Unified Address containing Metadata Typecode :math:`\mathtt{0xE1}` MUST be considered expired when the current time is after the Address Expiry Time. @@ -658,15 +661,38 @@ If wallet user attempts to send to an expired address, the error presented to the user by the wallet SHOULD include a suggestion that the user should attempt to obtain a currently-valid address for the intended recipient. -When deriving from a UFVK or UIVK containing typecodes :math:`\mathtt{0xE0}` -and/or :math:`\mathtt{0xE1}`, these Metadata Items MUST be retained unmodified -in the output. - Address expiration imposes no constraints on the Producer of an address. A Producer MAY generate multiple Unified Addresses with the same Receivers but different expiration metadata and/or any number of distinct Diversified Unified Addresses with the same or different expiry metadata, in any combination. +When deriving a UIVK from a UFVK containing Typecodes :math:`\mathtt{0xE0}` +and/or :math:`\mathtt{0xE1}`, these Metadata Items MUST be retained unmodified +in the derived UIVK. + +When deriving a Unified Address from a UFVK or UIVK containing a Metadata Item +having Typecode :math:`\mathtt{0xE0}`, the derived Unified Address MUST contain +a Metadata Item having Typecode :math:`\mathtt{0xE0}` such that the Address +Expiry Height of the resulting address is less than or equal to the Expiry Height +of the viewing key. + +When deriving a Unified Address from a UFVK or UIVK containing a Metadata Item +having Typecode :math:`\mathtt{0xE1}`, the derived Unified Address MUST contain +a Metadata Item having Typecode :math:`\mathtt{0xE1}` such that the Address +Expiry Time of the resulting address is less than or equal to the Expiry Time +of the viewing key. + +Producers of Diversified Unified Addresses should be aware that the expiration +metadata could potentially be used to link addresses from the same source. +Normally, if Diversified Unified Addresses derived from the same UIVK contain +only Sapling and/or Orchard Receivers and no Metadata Items, they will be +unlinkable as described in [#protocol-concretediversifyhash]_; this property +does not hold when Metadata Items are present. It is RECOMMENDED that when +deriving Unified Addresses from a UFVK or UIVK containing expiry metadata that +the Expiry Height and Expiry Time of each distinct address vary from one +another, so as to reduce the likelihood that addresses may be linked via their +expiry metadata. + Rationale ''''''''' @@ -675,11 +701,11 @@ NOT send to expired addresses. If only an Address Expiry Time is specified, a transaction to the associated address could be mined after the Address Expiry Time within a 24-hour window. -The reason that the transaction MUST NOT be sent when its nExpiryHeight as +The reason that the transaction MUST NOT be sent when its ``nExpiryHeight`` as normally constructed is greater than the Address Expiry Height is to avoid unnecessary information leakage in that field about which address was used as the destination. If a sender were to instead use the expiry height to directly -set nExpiryHeight field, this would leak the expiry information of the +set the ``nExpiryHeight`` field, this would leak the expiry information of the destination address, which may then be identifiable. When honoring an Address Expiry Time, the reason that a sender must choose a @@ -690,7 +716,8 @@ disagree, an Address Expiry Time is advisory and not a hard bound. Setting an expiry height as specified ensures that the expiry time will be at least loosely respected, and it is of course both permissible and perhaps advisable to set this bound more tightly. A common expiry delta used by many wallets -is 40 blocks from the current chain tip. +is 40 blocks from the current chain tip, as suggested in +ZIP 203 [#zip-0203-default-expiry]_. Deriving Internal Keys ---------------------- @@ -743,7 +770,7 @@ Deriving a UIVK from a UFVK --------------------------- As of `Revision 1`_, a Consumer of a UIVK MUST understand the -meaning of all "MUST-understand" Metadata Item typecodes present in the +meaning of all "MUST-understand" Metadata Item Typecodes present in the UFVK in order to perform UIVK derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item. @@ -772,7 +799,7 @@ Deriving a Unified Address from a UIVK -------------------------------------- As of `Revision 1`_, a Consumer of a UIVK MUST understand the meaning -of all "MUST-understand" Metadata Item typecodes present in the UIVK +of all "MUST-understand" Metadata Item Typecodes present in the UIVK in order to perform Unified Address derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item. @@ -816,6 +843,9 @@ are unrecognised by a given Consumer, or that are specified in experiments that the user has not opted into (see `Experimental Usage`_), MUST be dropped when deriving a Unified Address from a UIVK. +See `Address Expiration Metadata`_ for discussion of potential linking of +Diversified Unified Addresses via their metadata. + Usage of Outgoing Viewing Keys ------------------------------ @@ -1119,17 +1149,18 @@ References ========== .. [#BCP14] `Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words" `_ -.. [#protocol-nu5] `Zcash Protocol Specification, Version 2022.2.19 or later [NU5 proposal] `_ -.. [#protocol-notation] `Zcash Protocol Specification, Version 2022.2.19. Section 2: Notation `_ -.. [#protocol-saplingkeycomponents] `Zcash Protocol Specification, Version 2022.2.19. Section 4.2.2: Sapling Key Components `_ -.. [#protocol-orchardkeycomponents] `Zcash Protocol Specification, Version 2022.2.19. Section 4.2.3: Orchard Key Components `_ -.. [#protocol-saplingsend] `Zcash Protocol Specification, Version 2022.2.19. Section 4.7.2: Sending Notes (Sapling) `_ -.. [#protocol-orchardsend] `Zcash Protocol Specification, Version 2022.2.19. Section 4.7.3: Sending Notes (Orchard) `_ -.. [#protocol-addressandkeyencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6: Encodings of Addresses and Keys `_ -.. [#protocol-saplingpaymentaddrencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.3.1: Sapling Payment Addresses `_ -.. [#protocol-orchardpaymentaddrencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.2: Orchard Raw Payment Addresses `_ -.. [#protocol-orchardinviewingkeyencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.3: Orchard Raw Incoming Viewing Keys `_ -.. [#protocol-orchardfullviewingkeyencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.4: Orchard Raw Full Viewing Keys `_ +.. [#protocol] `Zcash Protocol Specification, Version 2023.4.0 or later `_ +.. [#protocol-notation] `Zcash Protocol Specification, Version 2023.4.0. Section 2: Notation `_ +.. [#protocol-saplingkeycomponents] `Zcash Protocol Specification, Version 2023.4.0. Section 4.2.2: Sapling Key Components `_ +.. [#protocol-orchardkeycomponents] `Zcash Protocol Specification, Version 2023.4.0. Section 4.2.3: Orchard Key Components `_ +.. [#protocol-saplingsend] `Zcash Protocol Specification, Version 2023.4.0. Section 4.7.2: Sending Notes (Sapling) `_ +.. [#protocol-orchardsend] `Zcash Protocol Specification, Version 2023.4.0. Section 4.7.3: Sending Notes (Orchard) `_ +.. [#protocol-concretediversifyhash] `Zcash Protocol Specification, Version 2023.4.0. Section 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions `_ +.. [#protocol-addressandkeyencoding] `Zcash Protocol Specification, Version 2023.4.0. Section 5.6: Encodings of Addresses and Keys `_ +.. [#protocol-saplingpaymentaddrencoding] `Zcash Protocol Specification, Version 2023.4.0. Section 5.6.3.1: Sapling Payment Addresses `_ +.. [#protocol-orchardpaymentaddrencoding] `Zcash Protocol Specification, Version 2023.4.0. Section 5.6.4.2: Orchard Raw Payment Addresses `_ +.. [#protocol-orchardinviewingkeyencoding] `Zcash Protocol Specification, Version 2023.4.0. Section 5.6.4.3: Orchard Raw Incoming Viewing Keys `_ +.. [#protocol-orchardfullviewingkeyencoding] `Zcash Protocol Specification, Version 2023.4.0. Section 5.6.4.4: Orchard Raw Full Viewing Keys `_ .. [#zip-0000] `ZIP 0: ZIP Process `_ .. [#zip-0032-sapling-helper-functions] `ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling helper functions `_ .. [#zip-0032-sapling-extfvk] `ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling extended full viewing keys `_ @@ -1140,6 +1171,7 @@ References .. [#zip-0032-specification-wallet-usage] `ZIP 32: Shielded Hierarchical Deterministic Wallets — Specification: Wallet usage `_ .. [#zip-0032-sapling-key-path] `ZIP 32: Shielded Hierarchical Deterministic Wallets — Sapling key path `_ .. [#zip-0032-orchard-key-path] `ZIP 32: Shielded Hierarchical Deterministic Wallets — Orchard key path `_ +.. [#zip-0203-default-expiry] `ZIP 203: Transaction Expiry — Changes for Blossom `_ .. [#zip-0211] `ZIP 211: Disabling Addition of New Value to the Sprout Chain Value Pool `_ .. [#zip-0224] `ZIP 224: Orchard Shielded Protocol `_ .. [#zip-0315] `ZIP 315: Best Practices for Wallet Handling of Multiple Pools `_ From e05c7faa30a255277e957a1dea6daed79dbb901b Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Thu, 18 Jan 2024 09:16:24 -0700 Subject: [PATCH 5/6] ZIP 316, Revision 1: Clarify constraints with respect to expiry times. --- zip-0316.html | 12 ++++++++---- zip-0316.rst | 31 +++++++++++++++++-------------- 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/zip-0316.html b/zip-0316.html index 124e5aad4..f50d3407c 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -362,8 +362,12 @@ item MUST be an unsigned 64-bit integer in little-endian order specifying a Unix Epoch Time, hereafter referred to as the Address Expiry Time. A Unified Address containing Metadata Typecode \(\mathtt{0xE1}\) MUST be considered expired when the current time is after the Address Expiry Time.

    -

    A Sender that supports Revision 1 of this specification MUST set a non-zero nExpiryHeight field in transactions that it creates. If the nExpiryHeight normally constructed by the Sender would be greater than the Address Expiry Height, then the transaction MUST NOT be sent. If only an Address Expiry Time is specified, then the Sender MUST choose a value for nExpiryHeight such that the transaction will expire no more than 24 hours after the current time.

    -

    If wallet user attempts to send to an expired address, the error presented to the user by the wallet SHOULD include a suggestion that the user should attempt to obtain a currently-valid address for the intended recipient.

    +

    A Sender that supports Revision 1 of this specification MUST set a non-zero nExpiryHeight field in transactions that it creates. If the nExpiryHeight normally constructed by the Sender would be greater than the Address Expiry Height, then the transaction MUST NOT be sent. If only an Address Expiry Time is specified, then the Sender SHOULD choose a value for nExpiryHeight such that the transaction will expire no more than 24 hours after the current time. If both + \(\mathtt{0xE0}\) + and + \(\mathtt{0xE1}\) + Metadata Items are present, then both restrictions apply.

    +

    If wallet user attempts to send to an expired address, the error presented to the user by the wallet SHOULD include a suggestion that the user should attempt to obtain a currently-valid address for the intended recipient. A wallet MUST NOT send to an address that it knows to have expired.

    Address expiration imposes no constraints on the Producer of an address. A Producer MAY generate multiple Unified Addresses with the same Receivers but different expiration metadata and/or any number of distinct Diversified Unified Addresses with the same or different expiry metadata, in any combination.

    When deriving a UIVK from a UFVK containing Typecodes \(\mathtt{0xE0}\) @@ -382,9 +386,9 @@ such that the Address Expiry Time of the resulting address is less than or equal to the Expiry Time of the viewing key.

    Producers of Diversified Unified Addresses should be aware that the expiration metadata could potentially be used to link addresses from the same source. Normally, if Diversified Unified Addresses derived from the same UIVK contain only Sapling and/or Orchard Receivers and no Metadata Items, they will be unlinkable as described in 8; this property does not hold when Metadata Items are present. It is RECOMMENDED that when deriving Unified Addresses from a UFVK or UIVK containing expiry metadata that the Expiry Height and Expiry Time of each distinct address vary from one another, so as to reduce the likelihood that addresses may be linked via their expiry metadata.

    Rationale

    -

    The intent of this specification is that Consumers of Unified Addresses MUST NOT send to expired addresses. If only an Address Expiry Time is specified, a transaction to the associated address could be mined after the Address Expiry Time within a 24-hour window.

    +

    The intent of this specification is that Consumers of Unified Addresses must not send to expired addresses. If only an Address Expiry Time is specified, a transaction to the associated address could be mined after the Address Expiry Time within a 24-hour window.

    The reason that the transaction MUST NOT be sent when its nExpiryHeight as normally constructed is greater than the Address Expiry Height is to avoid unnecessary information leakage in that field about which address was used as the destination. If a sender were to instead use the expiry height to directly set the nExpiryHeight field, this would leak the expiry information of the destination address, which may then be identifiable.

    -

    When honoring an Address Expiry Time, the reason that a sender must choose a nExpiryHeight that is expected to occur within 24 hours of the time of transaction construction is to ensure that the expiry time is respected to within a day; since block times are not exact and computer clocks often disagree, an Address Expiry Time is advisory and not a hard bound. Setting an expiry height as specified ensures that the expiry time will be at least loosely respected, and it is of course both permissible and perhaps advisable to set this bound more tightly. A common expiry delta used by many wallets is 40 blocks from the current chain tip, as suggested in ZIP 203 24.

    +

    When honoring an Address Expiry Time, the reason that a sender SHOULD choose a nExpiryHeight that is expected to occur within 24 hours of the time of transaction construction is to, when possible, ensure that the expiry time is respected to within a day. Address Expiry Times are advisory and do not represent hard bounds because computer clocks often disagree, but every effort should be made to ensure that transactions expire instead of being mined more than 24 hours after a recipient address's expiry time. When chain height information is available to the Sender, it is both permissible and advisable to set this bound more tightly; a common expiry delta used by many wallets is 40 blocks from the current chain tip, as suggested in ZIP 203 24.

    Deriving Internal Keys

    diff --git a/zip-0316.rst b/zip-0316.rst index 5354fe872..082bad0e9 100644 --- a/zip-0316.rst +++ b/zip-0316.rst @@ -653,13 +653,15 @@ A Sender that supports `Revision 1`_ of this specification MUST set a non-zero ``nExpiryHeight`` field in transactions that it creates. If the ``nExpiryHeight`` normally constructed by the Sender would be greater than the Address Expiry Height, then the transaction MUST NOT be sent. If only an -Address Expiry Time is specified, then the Sender MUST choose a value for +Address Expiry Time is specified, then the Sender SHOULD choose a value for ``nExpiryHeight`` such that the transaction will expire no more than 24 hours -after the current time. +after the current time. If both :math:`\mathtt{0xE0}` and :math:`\mathtt{0xE1}` +Metadata Items are present, then both restrictions apply. If wallet user attempts to send to an expired address, the error presented to the user by the wallet SHOULD include a suggestion that the user should -attempt to obtain a currently-valid address for the intended recipient. +attempt to obtain a currently-valid address for the intended recipient. A +wallet MUST NOT send to an address that it knows to have expired. Address expiration imposes no constraints on the Producer of an address. A Producer MAY generate multiple Unified Addresses with the same Receivers but @@ -696,8 +698,8 @@ expiry metadata. Rationale ''''''''' -The intent of this specification is that Consumers of Unified Addresses MUST -NOT send to expired addresses. If only an Address Expiry Time is specified, a +The intent of this specification is that Consumers of Unified Addresses must +not send to expired addresses. If only an Address Expiry Time is specified, a transaction to the associated address could be mined after the Address Expiry Time within a 24-hour window. @@ -708,16 +710,17 @@ the destination. If a sender were to instead use the expiry height to directly set the ``nExpiryHeight`` field, this would leak the expiry information of the destination address, which may then be identifiable. -When honoring an Address Expiry Time, the reason that a sender must choose a +When honoring an Address Expiry Time, the reason that a sender SHOULD choose a ``nExpiryHeight`` that is expected to occur within 24 hours of the time of -transaction construction is to ensure that the expiry time is respected to -within a day; since block times are not exact and computer clocks often -disagree, an Address Expiry Time is advisory and not a hard bound. Setting an -expiry height as specified ensures that the expiry time will be at least -loosely respected, and it is of course both permissible and perhaps advisable -to set this bound more tightly. A common expiry delta used by many wallets -is 40 blocks from the current chain tip, as suggested in -ZIP 203 [#zip-0203-default-expiry]_. +transaction construction is to, when possible, ensure that the expiry time is +respected to within a day. Address Expiry Times are advisory and do not +represent hard bounds because computer clocks often disagree, but every effort +should be made to ensure that transactions expire instead of being mined more +than 24 hours after a recipient address's expiry time. When chain height +information is available to the Sender, it is both permissible and advisable to +set this bound more tightly; a common expiry delta used by many wallets is 40 +blocks from the current chain tip, as suggested in ZIP 203 +[#zip-0203-default-expiry]_. Deriving Internal Keys ---------------------- From b0de22d1e2217d758e9796a0bb30c83271403da6 Mon Sep 17 00:00:00 2001 From: Daira Emma Hopwood Date: Thu, 18 Jan 2024 19:36:50 +0000 Subject: [PATCH 6/6] ZIP 316, Revision 1: Clarify relation of "MUST-understand" typecodes to derivation. Signed-off-by: Daira Emma Hopwood --- zip-0316.html | 6 ++++-- zip-0316.rst | 26 ++++++++++++++++---------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/zip-0316.html b/zip-0316.html index f50d3407c..4fd6440d3 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -444,7 +444,8 @@

    Since an external P2PKH FVK encodes the chain code and public key at the Account level, we can derive both external and internal child keys from it, as described in BIP 44 33. It is possible to derive an internal P2PKH FVK from the external P2PKH FVK (i.e. its parent) without having the external spending key, because child derivation at the Change level is non-hardened.

    Deriving a UIVK from a UFVK

    -

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item Typecodes present in the UFVK in order to perform UIVK derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    +

    As a consequence of the specification in MUST-understand Typecodes, as of Revision 1 a Consumer of a UFVK MUST understand the meaning of all "MUST-understand" Metadata Item Typecodes present in the UFVK in order to derive a UIVK from it.

    +

    For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    The following derivations are applied to each component FVK:

    • For a Sapling FVK, the corresponding Sapling IVK is obtained as specified in 4.
      • @@ -457,7 +458,8 @@

      Items (including Metadata Items that are not "MUST-understand") that are unrecognised by a given Consumer, or that are specified in experiments that the user has not opted into (see Experimental Usage), MUST be dropped when deriving a UIVK from a UFVK.

    Deriving a Unified Address from a UIVK

    -

    As of Revision 1, a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item Typecodes present in the UIVK in order to perform Unified Address derivation. For Metadata Items recognised by the Consumer, the processing of the Item when deriving a UIVK is specified in the section or ZIP describing that Item.

    +

    As a consequence of the specification in MUST-understand Typecodes, as of Revision 1 a Consumer of a UIVK MUST understand the meaning of all "MUST-understand" Metadata Item Typecodes present in the UIVK in order to derive a Unified Address from it.

    +

    For Metadata Items recognised by the Consumer, the processing of the Item when deriving a Unified Address is specified in the section or ZIP describing that Item.

    To derive a Unified Address from a UIVK we need to choose a diversifier index, which MUST be valid for all of the Viewing Key Types in the UIVK. That is,

    • A Sapling diversifier index MUST generate a valid diversifier as defined in ZIP 32 section “Sapling diversifier derivation” 17.
      • diff --git a/zip-0316.rst b/zip-0316.rst index 082bad0e9..ef5c83b2f 100644 --- a/zip-0316.rst +++ b/zip-0316.rst @@ -772,11 +772,14 @@ Change level is non-hardened. Deriving a UIVK from a UFVK --------------------------- -As of `Revision 1`_, a Consumer of a UIVK MUST understand the -meaning of all "MUST-understand" Metadata Item Typecodes present in the -UFVK in order to perform UIVK derivation. For Metadata Items recognised -by the Consumer, the processing of the Item when deriving a UIVK is -specified in the section or ZIP describing that Item. +As a consequence of the specification in `MUST-understand Typecodes`_, +as of `Revision 1`_ a Consumer of a UFVK MUST understand the meaning of +all "MUST-understand" Metadata Item Typecodes present in the UFVK in +order to derive a UIVK from it. + +For Metadata Items recognised by the Consumer, the processing of the +Item when deriving a UIVK is specified in the section or ZIP describing +that Item. The following derivations are applied to each component FVK: @@ -801,11 +804,14 @@ dropped when deriving a UIVK from a UFVK. Deriving a Unified Address from a UIVK -------------------------------------- -As of `Revision 1`_, a Consumer of a UIVK MUST understand the meaning -of all "MUST-understand" Metadata Item Typecodes present in the UIVK -in order to perform Unified Address derivation. For Metadata Items -recognised by the Consumer, the processing of the Item when deriving -a UIVK is specified in the section or ZIP describing that Item. +As a consequence of the specification in `MUST-understand Typecodes`_, +as of `Revision 1`_ a Consumer of a UIVK MUST understand the meaning of +all "MUST-understand" Metadata Item Typecodes present in the UIVK in +order to derive a Unified Address from it. + +For Metadata Items recognised by the Consumer, the processing of the +Item when deriving a Unified Address is specified in the section or +ZIP describing that Item. To derive a Unified Address from a UIVK we need to choose a diversifier index, which MUST be valid for all of the Viewing Key Types in the
    3638 Variable length integer. Bitcoin Wiki