-
Notifications
You must be signed in to change notification settings - Fork 159
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Daira-Emma Hopwood <[email protected]>
- Loading branch information
Showing
35 changed files
with
1,142 additions
and
943 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,9 @@ | |
| <head> | ||
| <title>ZIP 203: Transaction Expiry</title> | ||
| <meta charset="utf-8" /> | ||
| <script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script> | ||
| <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.css" integrity="sha384-nB0miv6/jRmo5UMMR1wu3Gz6NLsoTkbqJghGIsx//Rlm+ZU03BU6SQNC66uf4l5+" crossorigin="anonymous"> | ||
| <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.js" integrity="sha384-7zkQWkzuo3B5mTepMUcHkMB5jZaolc2xDwL6VFqjFALcbeS9Ggm/Yr2r3Dy4lfFg" crossorigin="anonymous"></script> | ||
| <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/contrib/auto-render.min.js" integrity="sha384-43gviWU0YVjaDtb/GhzOouOXtZMP/7XUzwPTstBeZFe/+rCMvRwr4yROQP43s0Xk" crossorigin="anonymous" onload="renderMathInElement(document.body);"></script> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head> | ||
| <body> | ||
| <section> | ||
|
|
@@ -22,14 +24,14 @@ | |
| <p>Transactions that have insufficient fees are often not mined. This indeterminism is a source of confusion for users and wallets. Allowing a transaction to set a block height after which it cannot be mined would provide certainty around how long a transaction has to confirm before it is rejected by the network and must be re-sent.</p> | ||
| <p>Advantages include optimizing mempool performance by removing transactions that will not be mined, and potentially simplifying bidirectional payment channels by reducing the need to store and compress revocations for past states, since transactions not committed to the chain could expire and become invalid after a period of time.</p> | ||
| <p>If the expiry is at block height | ||
| <span class="math">\(N\)</span> | ||
| <span class="math">\(N\!\!\)</span> | ||
| , then the transaction must be included in block | ||
| <span class="math">\(N\)</span> | ||
| or earlier. Block | ||
| <span class="math">\(N+1\)</span> | ||
| will be too late, and the transaction will be removed from the mempool.</p> | ||
| <p>The new consensus rule will enforce that the transaction will not be considered valid if included in block of height greater than | ||
| <span class="math">\(N\)</span> | ||
| <span class="math">\(N\!\!\)</span> | ||
| , and blocks that include expired transactions will not be considered valid.</p> | ||
| </section> | ||
| <section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2> | ||
|
|
||
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,9 @@ | |
| <head> | ||
| <title>ZIP 212: Allow Recipient to Derive Ephemeral Secret from Note Plaintext</title> | ||
| <meta charset="utf-8" /> | ||
| <script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script> | ||
| <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.css" integrity="sha384-nB0miv6/jRmo5UMMR1wu3Gz6NLsoTkbqJghGIsx//Rlm+ZU03BU6SQNC66uf4l5+" crossorigin="anonymous"> | ||
| <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.js" integrity="sha384-7zkQWkzuo3B5mTepMUcHkMB5jZaolc2xDwL6VFqjFALcbeS9Ggm/Yr2r3Dy4lfFg" crossorigin="anonymous"></script> | ||
| <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/contrib/auto-render.min.js" integrity="sha384-43gviWU0YVjaDtb/GhzOouOXtZMP/7XUzwPTstBeZFe/+rCMvRwr4yROQP43s0Xk" crossorigin="anonymous" onload="renderMathInElement(document.body);"></script> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head> | ||
| <body> | ||
| <section> | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,9 @@ | |
| <head> | ||
| <title>ZIP 215: Explicitly Defining and Modifying Ed25519 Validation Rules</title> | ||
| <meta charset="utf-8" /> | ||
| <script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script> | ||
| <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.css" integrity="sha384-nB0miv6/jRmo5UMMR1wu3Gz6NLsoTkbqJghGIsx//Rlm+ZU03BU6SQNC66uf4l5+" crossorigin="anonymous"> | ||
| <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.js" integrity="sha384-7zkQWkzuo3B5mTepMUcHkMB5jZaolc2xDwL6VFqjFALcbeS9Ggm/Yr2r3Dy4lfFg" crossorigin="anonymous"></script> | ||
| <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/contrib/auto-render.min.js" integrity="sha384-43gviWU0YVjaDtb/GhzOouOXtZMP/7XUzwPTstBeZFe/+rCMvRwr4yROQP43s0Xk" crossorigin="anonymous" onload="renderMathInElement(document.body);"></script> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head> | ||
| <body> | ||
| <section> | ||
|
|
@@ -43,7 +45,7 @@ | |
| MUST represent an integer | ||
| <span class="math">\(S\)</span> | ||
| less than | ||
| <span class="math">\(\ell\)</span> | ||
| <span class="math">\(\ell\!\)</span> | ||
| ;</li> | ||
| <li>The group equation | ||
| <span class="math">\([8][S]B = [8]R + [8][k]A\)</span> | ||
|
|
@@ -61,12 +63,12 @@ | |
| and | ||
| <span class="math">\(\underline{R}\)</span> | ||
| are canonical encodings; in other words, the integer encoding the | ||
| <span class="math">\(y\)</span> | ||
| <span class="math">\(y\!\)</span> | ||
| -coordinate of the points may be unreduced modulo | ||
| <span class="math">\(2^{255}-19\)</span> | ||
| <span class="math">\(2^{255}-19\!\)</span> | ||
| .</p> | ||
| <p>Note: the alternate validation equation | ||
| <span class="math">\([S]B = R + [k]A\)</span> | ||
| <span class="math">\([S]B = R + [k]A\!\)</span> | ||
| , allowed by RFC 8032, MUST NOT be used.</p> | ||
| </section> | ||
| <section id="rationale"><h2><span class="section-heading">Rationale</span><span class="section-anchor"> <a rel="bookmark" href="#rationale"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2> | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,9 @@ | |
| <head> | ||
| <title>ZIP 216: Require Canonical Jubjub Point Encodings</title> | ||
| <meta charset="utf-8" /> | ||
| <script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script> | ||
| <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.css" integrity="sha384-nB0miv6/jRmo5UMMR1wu3Gz6NLsoTkbqJghGIsx//Rlm+ZU03BU6SQNC66uf4l5+" crossorigin="anonymous"> | ||
| <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.js" integrity="sha384-7zkQWkzuo3B5mTepMUcHkMB5jZaolc2xDwL6VFqjFALcbeS9Ggm/Yr2r3Dy4lfFg" crossorigin="anonymous"></script> | ||
| <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/contrib/auto-render.min.js" integrity="sha384-43gviWU0YVjaDtb/GhzOouOXtZMP/7XUzwPTstBeZFe/+rCMvRwr4yROQP43s0Xk" crossorigin="anonymous" onload="renderMathInElement(document.body);"></script> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head> | ||
| <body> | ||
| <section> | ||
|
|
@@ -38,40 +40,40 @@ | |
| -coordinate zero:</p> | ||
| <ul> | ||
| <li> | ||
| <span class="math">\((0, 1)\)</span> | ||
| <span class="math">\((0, 1)\!\)</span> | ||
| , which is the identity;</li> | ||
| <li> | ||
| <span class="math">\((0, -1)\)</span> | ||
| <span class="math">\((0, -1)\!\)</span> | ||
| , which is a point of order two.</li> | ||
| </ul> | ||
| <p>Each of these has a single non-canonical encoding in which the value of the sign bit is | ||
| <span class="math">\(1\)</span> | ||
| <span class="math">\(1\!\)</span> | ||
| .</p> | ||
| <p>This creates a consensus issue because (unlike other non-canonical point encodings that are rejected) either of the above encodings can be decoded, and then re-encoded to a <em>different</em> encoding. For example, if a non-canonical encoding appeared in a transaction field, then node implementations that store points internally as abstract curve points, and used those to derive transaction IDs, would derive different IDs than nodes which store transactions as bytes (such as <cite>zcashd</cite>).</p> | ||
| <p>This issue is not known to cause any security vulnerability, beyond the risk of consensus incompatibility. In fact, for some of the fields that would otherwise be affected, the issue does not occur because there are already consensus rules that prohibit small-order points, and this incidentally prohibits non-canonical encodings.</p> | ||
| <p>Adjustments to the protocol specification were made in versions 2020.1.8, 2020.1.9, 2020.1.15, and 2021.1.17 to match the <cite>zcashd</cite> implementation. (The fact that this required 4 specification revisions to get right, conclusively demonstrates the problem.)</p> | ||
| </section> | ||
| <section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2> | ||
| <p>Let | ||
| <span class="math">\(\mathsf{abst}_{\mathbb{J}}\)</span> | ||
| <span class="math">\(\mathsf{abst}_{\mathbb{J}}\!\)</span> | ||
| , | ||
| <span class="math">\(\mathsf{repr}_{\mathbb{J}}\)</span> | ||
| <span class="math">\(\mathsf{repr}_{\mathbb{J}}\!\)</span> | ||
| , and | ||
| <span class="math">\(q_{\mathbb{J}}\)</span> | ||
| be as defined in <a id="footnote-reference-5" class="footnote_reference" href="#protocol-jubjub">6</a>.</p> | ||
| <p>Define a non-canonical compressed encoding of a Jubjub point to be a sequence of | ||
| <span class="math">\(256\)</span> | ||
| bits, | ||
| <span class="math">\(b\)</span> | ||
| <span class="math">\(b\!\)</span> | ||
| , such that | ||
| <span class="math">\(\mathsf{abst}_{\mathbb{J}}(b) \neq \bot\)</span> | ||
| and | ||
| <span class="math">\(\mathsf{repr_{\mathbb{J}}}\big(\mathsf{abst}_{\mathbb{J}}(b)\big) \neq b\)</span> | ||
| <span class="math">\(\mathsf{repr_{\mathbb{J}}}\big(\mathsf{abst}_{\mathbb{J}}(b)\big) \neq b\!\)</span> | ||
| .</p> | ||
| <p>Non-normative note: There are two such bit sequences, | ||
| <span class="math">\(\mathsf{I2LEOSP}_{\ell_{\mathbb{J}}}(2^{255} + 1)\)</span> | ||
| and | ||
| <span class="math">\(\mathsf{I2LEOSP}_{\ell_{\mathbb{J}}}(2^{255} + q_{\mathbb{J}} - 1)\)</span> | ||
| <span class="math">\(\mathsf{I2LEOSP}_{\ell_{\mathbb{J}}}(2^{255} + q_{\mathbb{J}} - 1)\!\)</span> | ||
| . The Sapling protocol uses little-endian ordering when converting between bit and byte sequences, so the first of these sequences corresponds to a | ||
| <span class="math">\(\mathtt{0x01}\)</span> | ||
| byte, followed by | ||
|
|
@@ -110,7 +112,7 @@ | |
| <blockquote> | ||
| <ul> | ||
| <li> | ||
| <span class="math">\(\mathsf{pk}\star_{\mathsf{d}}\)</span> | ||
| <span class="math">\(\mathsf{pk}\star_{\mathsf{d}}\!\)</span> | ||
| .</li> | ||
| </ul> | ||
| </blockquote> | ||
|
|
@@ -136,35 +138,35 @@ | |
| <span class="math">\(\mathtt{cv}\)</span> | ||
| </li> | ||
| <li> | ||
| <span class="math">\(\mathtt{ephemeralKey}\)</span> | ||
| <span class="math">\(\mathtt{ephemeralKey}\!\)</span> | ||
| .</li> | ||
| </ul> | ||
| </blockquote> | ||
| <p>These fields cannot by consensus contain small-order points. All of the points with non-canonical encodings are small-order.</p> | ||
| <p>Implementations MAY choose to reject non-canonical encodings of the above four fields early in decoding of a transaction. This eliminates the risk that parts of the transaction could be re-serialized from their internal representation to a different byte sequence than in the original transaction, e.g. when calculating transaction IDs.</p> | ||
| <p>In addition, Sapling addresses and full viewing keys MUST be considered invalid when imported if they contain non-canonical Jubjub point encodings, or encodings of points that are not in the prime-order subgroup | ||
| <span class="math">\(\mathbb{J}^{(r)}\)</span> | ||
| <span class="math">\(\mathbb{J}^{(r)}\!\)</span> | ||
| . These requirements MAY be enforced in advance of NU5 activation.</p> | ||
| <p>In Sapling addresses <a id="footnote-reference-11" class="footnote_reference" href="#protocol-saplingpaymentaddrencoding">8</a>:</p> | ||
| <blockquote> | ||
| <ul> | ||
| <li>the encoding of | ||
| <span class="math">\(\mathsf{pk_d}\)</span> | ||
| <span class="math">\(\mathsf{pk_d}\!\)</span> | ||
| .</li> | ||
| </ul> | ||
| </blockquote> | ||
| <p>In Sapling full viewing keys <a id="footnote-reference-12" class="footnote_reference" href="#protocol-saplingfullviewingkeyencoding">9</a> and extended full viewing keys <a id="footnote-reference-13" class="footnote_reference" href="#zip-0032-extfvk">11</a>:</p> | ||
| <blockquote> | ||
| <ul> | ||
| <li>the encoding of | ||
| <span class="math">\(\mathsf{ak}\)</span> | ||
| <span class="math">\(\mathsf{ak}\!\)</span> | ||
| .</li> | ||
| </ul> | ||
| </blockquote> | ||
| <p>( | ||
| <span class="math">\(\mathsf{ak}\)</span> | ||
| also MUST NOT encode the zero point | ||
| <span class="math">\(\mathcal{O}_{\mathbb{J}}\)</span> | ||
| <span class="math">\(\mathcal{O}_{\mathbb{J}}\!\)</span> | ||
| .)</p> | ||
| <p>The above is intended to be a complete list of the places where compressed encodings of Jubjub points occur in the Zcash consensus protocol and in plaintext, address, or key formats.</p> | ||
| </section> | ||
|
|
@@ -178,22 +180,22 @@ | |
| </ul> | ||
| <p>The necessary checks are very simple and do not require cryptographic operations, therefore the performance impact will be negligible.</p> | ||
| <p>The public inputs of Jubjub points to the Spend circuit ( | ||
| <span class="math">\(\mathsf{rk}\)</span> | ||
| <span class="math">\(\!\mathsf{rk}\)</span> | ||
| and | ||
| <span class="math">\(\mathsf{cv^{old}}\)</span> | ||
| <span class="math">\(\mathsf{cv^{old}}\!\)</span> | ||
| ) and Output circuit ( | ||
| <span class="math">\(\mathsf{cv^{new}}\)</span> | ||
| <span class="math">\(\!\mathsf{cv^{new}}\)</span> | ||
| and | ||
| <span class="math">\(\mathsf{epk}\)</span> | ||
| <span class="math">\(\mathsf{epk}\!\)</span> | ||
| ) are not affected because they are represented in affine coordinates as elements of the correct field ( | ||
| <span class="math">\(\mathbb{F}_{r_\mathbb{S}} = \mathbb{F}_{q_\mathbb{J}}\)</span> | ||
| <span class="math">\(\!\mathbb{F}_{r_\mathbb{S}} = \mathbb{F}_{q_\mathbb{J}}\!\)</span> | ||
| ), and so no issue of encoding canonicity arises.</p> | ||
| <p>Encodings of elliptic curve points on Curve25519, BN-254 | ||
| <span class="math">\(\mathbb{G}_1\)</span> | ||
| <span class="math">\(\mathbb{G}_1\!\)</span> | ||
| , BN-254 | ||
| <span class="math">\(\mathbb{G}_2\)</span> | ||
| <span class="math">\(\mathbb{G}_2\!\)</span> | ||
| , BLS12-381 | ||
| <span class="math">\(\mathbb{G}_1\)</span> | ||
| <span class="math">\(\mathbb{G}_1\!\)</span> | ||
| , and BLS12-381 | ||
| <span class="math">\(\mathbb{G}_2\)</span> | ||
| are not affected.</p> | ||
|
|
||
Oops, something went wrong.