1818Status: Draft
1919Category: Consensus / Wallet
2020Created: 2024-04-26
21- License: MIT</ code > </ pre >
21+ License: MIT
22+ Discussions-To: << a href ="https://github.com/zcash/zips/issues/627 "> https://github.com/zcash/zips/issues/627</ a > ></ code > </ pre >
2223< h1 id ="terminology "> Terminology</ h1 >
2324< p > The key words “MUST”, “MUST NOT”, “SHOULD”, and “MAY” in this
2425document are to be interpreted as described in BCP 14 < a href ="#fn1 "
@@ -119,7 +120,7 @@ <h2 id="changes-to-the-zcash-protocol-specification">Changes to the
119120class ="math inline "> < strong > n</ strong > < strong > p</ strong > </ span > )
120121consists of</ p >
121122< p > < span
122- class ="math inline "> (leadByte⦂ 𝔹< sup > 𝕐</ sup > ,d⦂ 𝔹< sup > [ℓ< sub > d</ sub > ]</ sup > ,rseed⦂ 𝔹< sup > 𝕐[𝟛𝟚]</ sup > ,memo⦂ 𝔹< sup > 𝕐[𝟝𝟙𝟚]</ sup > )</ span > </ p >
123+ class ="math inline "> (leadByte ⦂ 𝔹< sup > 𝕐</ sup > , d ⦂ 𝔹< sup > [ℓ< sub > d</ sub > ]</ sup > , rseed ⦂ 𝔹< sup > 𝕐[𝟛𝟚]</ sup > , memo ⦂ 𝔹< sup > 𝕐[𝟝𝟙𝟚]</ sup > )</ span > </ p >
123124</ blockquote >
124125< p > to</ p >
125126< blockquote >
@@ -130,12 +131,12 @@ <h2 id="changes-to-the-zcash-protocol-specification">Changes to the
130131class ="math inline "> < strong > n</ strong > < strong > p</ strong > </ span > )
131132consists of</ p >
132133< p > < span
133- class ="math inline "> (leadByte⦂ 𝔹< sup > 𝕐</ sup > ,d⦂ 𝔹< sup > [ℓ< sub > d</ sub > ]</ sup > ,rseed⦂ 𝔹< sup > 𝕐[𝟛𝟚]</ sup > ,memo⦂ 𝔹< sup > 𝕐[𝟝𝟙𝟚]</ sup > )</ span > </ p >
134+ class ="math inline "> (leadByte ⦂ 𝔹< sup > 𝕐</ sup > , d ⦂ 𝔹< sup > [ℓ< sub > d</ sub > ]</ sup > , rseed ⦂ 𝔹< sup > 𝕐[𝟛𝟚]</ sup > , memo ⦂ 𝔹< sup > 𝕐[𝟝𝟙𝟚]</ sup > )</ span > </ p >
134135< p > Each v6-onward Sapling or Orchard note plaintext (denoted < span
135136class ="math inline "> < strong > n</ strong > < strong > p</ strong > </ span > )
136137consists of</ p >
137138< p > < span
138- class ="math inline "> (leadByte⦂ 𝔹< sup > 𝕐</ sup > ,d⦂ 𝔹< sup > [ℓ< sub > d</ sub > ]</ sup > ,rseed⦂ 𝔹< sup > 𝕐[𝟛𝟚]</ sup > ,K< sup > memo</ sup > ⦂ 𝔹< sup > 𝕐[𝟛𝟚]</ sup > )</ span > </ p >
139+ class ="math inline "> (leadByte ⦂ 𝔹< sup > 𝕐</ sup > , d ⦂ 𝔹< sup > [ℓ< sub > d</ sub > ]</ sup > , rseed ⦂ 𝔹< sup > 𝕐[𝟛𝟚]</ sup > , K< sup > memo</ sup > ⦂ 𝔹< sup > 𝕐[𝟛𝟚]</ sup > )</ span > </ p >
139140</ blockquote > </ li >
140141</ ul >
141142< p > In § 5.5 ‘Encodings of Note Plaintexts and Memo Fields’ < a
@@ -194,7 +195,7 @@ <h2 id="changes-to-the-zcash-protocol-specification">Changes to the
194195< li > < p > Change</ p >
195196< blockquote >
196197< p > Let < span
197- class ="math inline "> < strong > n</ strong > < strong > p</ strong > = (leadByte,d,v, rseed,memo) </ span > .</ p >
198+ class ="math inline "> < strong > n</ strong > < strong > p</ strong > = (leadByte, d, v, rseed, memo) </ span > .</ p >
198199</ blockquote >
199200< p > to</ p >
200201< blockquote >
@@ -217,7 +218,7 @@ <h2 id="changes-to-the-zcash-protocol-specification">Changes to the
217218< li > < p > Change</ p >
218219< blockquote >
219220< p > Let < span
220- class ="math inline "> < strong > n</ strong > < strong > p</ strong > = (leadByte,d,v, rseed,memo)</ span >
221+ class ="math inline "> < strong > n</ strong > < strong > p</ strong > = (leadByte, d, v, rseed, memo)</ span >
221222be the Sapling or Orchard note plaintext. < span
222223class ="math inline "> < strong > n</ strong > < strong > p</ strong > </ span > is
223224encoded as defined in § 5.5 ‘Encodings of Note Plaintexts and Memo
@@ -304,14 +305,15 @@ <h2 id="memo-encryption">Memo encryption</h2>
304305alternatively MAY omit this check.</ p >
305306< p > Each memo is padded to a multiple of 256 bytes with zeroes, and split
306307into 256-byte chunks. Each memo chunk is encrypted with ChaCha20Poly1305
307- [^rfc-8439] as follows:</ p >
308+ < a href ="#fn12 " class ="footnote-ref " id ="fnref12 "
309+ role ="doc-noteref "> < sup > 12</ sup > </ a > as follows:</ p >
308310< p > < span
309- class ="math inline "> IETF_AEAD_CHACHA20_POLY1305(encryption_key,nonce,memo_chunk)</ span > </ p >
311+ class ="math inline "> IETF_AEAD_CHACHA20_POLY1305(encryption_key, nonce, memo_chunk)</ span > </ p >
310312< p > where < span
311313class ="math inline "> nonce = I2BEOSP< sub > 88</ sub > (counter)||[final_chunk] </ span > .</ p >
312- < p > This is a variant of the STREAM construction < a href ="#fn12 "
313- class ="footnote-ref " id ="fnref12 "
314- role ="doc-noteref "> < sup > 12 </ sup > </ a > .</ p >
314+ < p > This is a variant of the STREAM construction < a href ="#fn13 "
315+ class ="footnote-ref " id ="fnref13 "
316+ role ="doc-noteref "> < sup > 13 </ sup > </ a > .</ p >
315317< ul >
316318< li > < span class ="math inline "> counter</ span > is a big-endian chunk
317319counter starting at zero and incrementing by one for each subsequent
@@ -449,9 +451,9 @@ <h2 id="transaction-fees">Transaction fees</h2>
449451< p > (This section will become a modification to ZIP 317.)</ p >
450452< p > A memo bundle may contain two free chunks if there are any shielded
451453outputs in the transaction. Otherwise, each memo chunk requires
452- < code > marginal_fee</ code > as defined in ZIP 317 < a href ="#fn13 "
453- class ="footnote-ref " id ="fnref13 "
454- role ="doc-noteref "> < sup > 13 </ sup > </ a > .</ p >
454+ < code > marginal_fee</ code > as defined in ZIP 317 < a href ="#fn14 "
455+ class ="footnote-ref " id ="fnref14 "
456+ role ="doc-noteref "> < sup > 14 </ sup > </ a > .</ p >
455457< h2 id ="network-protocol "> Network protocol</ h2 >
456458< p > Nodes must reject < code > GetData</ code > responses having an
457459< code > fAllPruned</ code > value that is nonzero, or any byte of
@@ -571,8 +573,8 @@ <h2 id="memo-key-size">Memo key size</h2>
571573< p > The decrease in overhead is relatively modest in most cases, but more
572574noticeable for small memos with a 256-byte memo chunk.</ p >
573575< p > However, 128-bit keys don’t meet Zcash’s target security level of 125
574- bits, as argued in < a href ="#fn14 " class ="footnote-ref " id ="fnref14 "
575- role ="doc-noteref "> < sup > 14 </ sup > </ a > .</ p >
576+ bits, as argued in < a href ="#fn15 " class ="footnote-ref " id ="fnref15 "
577+ role ="doc-noteref "> < sup > 15 </ sup > </ a > .</ p >
576578< p > The benefits of 256-bit keys are:</ p >
577579< ul >
578580< li > They incur only a small transaction size overhead above the minimum
@@ -599,8 +601,8 @@ <h2 id="encryption-format">Encryption format</h2>
599601< ul >
600602< li > It would force the transaction builder to fully define all shielded
601603outputs before encrypting the memos, which might prevent potential use
602- cases of PCZTs < a href ="#fn15 " class ="footnote-ref " id ="fnref15 "
603- role ="doc-noteref "> < sup > 15 </ sup > </ a > .</ li >
604+ cases of PCZTs < a href ="#fn16 " class ="footnote-ref " id ="fnref16 "
605+ role ="doc-noteref "> < sup > 16 </ sup > </ a > .</ li >
604606< li > We don’t want to unnecessarily prevent the ability to create a
605607transaction with a memo bundle and no shielded outputs, as there may be
606608use cases for, e.g. a fully-transparent transaction with encrypted memo,
@@ -652,79 +654,73 @@ <h2 id="transaction-fees-1">Transaction fees</h2>
652654< h1 id ="reference-implementation "> Reference implementation</ h1 >
653655< p > TBD</ p >
654656< h1 id ="references "> References</ h1 >
655- < p > [^rfc-8439] < a href ="https://www.rfc-editor.org/rfc/rfc8439.html "> RFC
656- 8439: ChaCha20 and Poly1305 for IETF Protocols</ a > </ p >
657- < section class ="footnotes footnotes-end-of-document "
657+ < section id ="footnotes " class ="footnotes footnotes-end-of-document "
658658role ="doc-endnotes ">
659659< hr />
660660< ol >
661- < li id ="fn1 " role =" doc-endnote " > < p > < a
661+ < li id ="fn1 "> < p > < a
662662href ="https://www.rfc-editor.org/info/bcp14 "> Information on BCP 14 —
663663“RFC 2119: Key words for use in RFCs to Indicate Requirement Levels” and
664664“RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key
665665Words”</ a > < a href ="#fnref1 " class ="footnote-back "
666666role ="doc-backlink "> ↩︎</ a > </ p > </ li >
667- < li id ="fn2 " role ="doc-endnote "> < p > < a href ="protocol/protocol.pdf "> Zcash
668- Protocol Specification, Version 2024.5.1 [NU6] or later</ a > < a
669- href ="#fnref2 " class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
670- < li id ="fn3 " role ="doc-endnote "> < p > < a
671- href ="protocol/protocol.pdf#noteptconcept "> Zcash Protocol Specification,
672- Version 2024.5.1 [NU6]. Section 3.2.1: Note Plaintexts and Memo
673- Fields</ a > < a href ="#fnref3 " class ="footnote-back "
667+ < li id ="fn2 "> < p > < a href ="protocol/protocol.pdf "> Zcash Protocol
668+ Specification, Version 2024.5.1 [NU6] or later</ a > < a href ="#fnref2 "
669+ class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
670+ < li id ="fn3 "> < p > < a href ="protocol/protocol.pdf#noteptconcept "> Zcash
671+ Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2.1: Note
672+ Plaintexts and Memo Fields</ a > < a href ="#fnref3 " class ="footnote-back "
673+ role ="doc-backlink "> ↩︎</ a > </ p > </ li >
674+ < li id ="fn4 "> < p > < a href ="zip-0307 "> ZIP 307: Light Client Protocol
675+ for Payment Detection</ a > < a href ="#fnref4 " class ="footnote-back "
674676role ="doc-backlink "> ↩︎</ a > </ p > </ li >
675- < li id ="fn4 " role ="doc-endnote "> < p > < a href ="zip-0307 "> ZIP 307: Light
676- Client Protocol for Payment Detection</ a > < a href ="#fnref4 "
677+ < li id ="fn5 "> < p > < a href ="protocol/protocol.pdf#noteptencoding "> Zcash
678+ Protocol Specification, Version 2024.5.1 [NU6]. Section 5.5: Encodings
679+ of Note Plaintexts and Memo Fields</ a > < a href ="#fnref5 "
677680class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
678- < li id ="fn5 " role ="doc-endnote "> < p > < a
679- href ="protocol/protocol.pdf#noteptencoding "> Zcash Protocol
680- Specification, Version 2024.5.1 [NU6]. Section 5.5: Encodings of Note
681- Plaintexts and Memo Fields</ a > < a href ="#fnref5 " class ="footnote-back "
681+ < li id ="fn6 "> < p > < a href ="protocol/protocol.pdf#saplingsend "> Zcash
682+ Protocol Specification, Version 2024.5.1 [NU6]. Section 4.7.2: Sending
683+ Notes (Sapling)</ a > < a href ="#fnref6 " class ="footnote-back "
684+ role ="doc-backlink "> ↩︎</ a > </ p > </ li >
685+ < li id ="fn7 "> < p > < a href ="protocol/protocol.pdf#orchardsend "> Zcash
686+ Protocol Specification, Version 2024.5.1 [NU6]. Section 4.7.3: Sending
687+ Notes (Orchard)</ a > < a href ="#fnref7 " class ="footnote-back "
682688role ="doc-backlink "> ↩︎</ a > </ p > </ li >
683- < li id ="fn6 " role ="doc-endnote "> < p > < a
684- href ="protocol/protocol.pdf#saplingsend "> Zcash Protocol Specification,
685- Version 2024.5.1 [NU6]. Section 4.7.2: Sending Notes (Sapling)</ a > < a
686- href ="#fnref6 " class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
687- < li id ="fn7 " role ="doc-endnote "> < p > < a
688- href ="protocol/protocol.pdf#orchardsend "> Zcash Protocol Specification,
689- Version 2024.5.1 [NU6]. Section 4.7.3: Sending Notes (Orchard)</ a > < a
690- href ="#fnref7 " class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
691- < li id ="fn8 " role ="doc-endnote "> < p > < a
689+ < li id ="fn8 "> < p > < a
692690href ="protocol/protocol.pdf#saplingandorchardinband "> Zcash Protocol
693691Specification, Version 2024.5.1 [NU6]. Section 4.20.1: Encryption
694692(Sapling and Orchard)</ a > < a href ="#fnref8 " class ="footnote-back "
695693role ="doc-backlink "> ↩︎</ a > </ p > </ li >
696- < li id ="fn9 " role ="doc-endnote "> < p > < a
697- href ="protocol/protocol.pdf#decryptivk "> Zcash Protocol Specification,
698- Version 2024.5.1 [NU6]. Section 4.20.2: Decryption using an Incoming
699- Viewing Key (Sapling and Orchard)</ a > < a href ="#fnref9 "
700- class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
701- < li id ="fn10 " role ="doc-endnote "> < p > < a
702- href ="protocol/protocol.pdf#decryptovk "> Zcash Protocol Specification,
703- Version 2024.5.1 [NU6]. Section 4.20.3: Decryption using a Full Viewing
704- Key (Sapling and Orchard)</ a > < a href ="#fnref10 " class ="footnote-back "
705- role ="doc-backlink "> ↩︎</ a > </ p > </ li >
706- < li id ="fn11 " role ="doc-endnote "> < p > < a
707- href ="protocol/protocol.pdf#abstractprfs "> Zcash Protocol Specification,
708- Version 2024.5.1 [NU6]. Section 4.1.2: Pseudo Random Functions</ a > < a
709- href ="#fnref11 " class ="footnote-back "
694+ < li id ="fn9 "> < p > < a href ="protocol/protocol.pdf#decryptivk "> Zcash
695+ Protocol Specification, Version 2024.5.1 [NU6]. Section 4.20.2:
696+ Decryption using an Incoming Viewing Key (Sapling and Orchard)</ a > < a
697+ href ="#fnref9 " class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
698+ < li id ="fn10 "> < p > < a href ="protocol/protocol.pdf#decryptovk "> Zcash
699+ Protocol Specification, Version 2024.5.1 [NU6]. Section 4.20.3:
700+ Decryption using a Full Viewing Key (Sapling and Orchard)</ a > < a
701+ href ="#fnref10 " class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
702+ < li id ="fn11 "> < p > < a href ="protocol/protocol.pdf#abstractprfs "> Zcash
703+ Protocol Specification, Version 2024.5.1 [NU6]. Section 4.1.2: Pseudo
704+ Random Functions</ a > < a href ="#fnref11 " class ="footnote-back "
710705role ="doc-backlink "> ↩︎</ a > </ p > </ li >
711- < li id ="fn12 " role =" doc-endnote " > < p > < a
712- href ="https://eprint.iacr .org/2015/189 " > Online Authenticated-Encryption
713- and its Nonce-Reuse Misuse-Resistance </ a > < a href ="#fnref12 "
706+ < li id ="fn12 "> < p > < a
707+ href ="https://www.rfc-editor .org/rfc/rfc8439.html " > RFC 8439: ChaCha20
708+ and Poly1305 for IETF Protocols </ a > < a href ="#fnref12 "
714709class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
715- < li id ="fn13 " role ="doc-endnote "> < p > < a href ="zip-0317 "> ZIP 317:
716- Proportional Transfer Fee Mechanism</ a > < a href ="#fnref13 "
717- class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
718- < li id ="fn14 " role ="doc-endnote "> < p > < a
719- href ="protocol/protocol.pdf#inbandrationale "> Zcash Protocol
720- Specification, Version 2024.5.1 [NU6]. Section 8.7: In-band secret
721- distribution</ a > < a href ="#fnref14 " class ="footnote-back "
710+ < li id ="fn13 "> < p > < a href ="https://eprint.iacr.org/2015/189 "> Online
711+ Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance</ a > < a
712+ href ="#fnref13 " class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
713+ < li id ="fn14 "> < p > < a href ="zip-0317 "> ZIP 317: Proportional Transfer
714+ Fee Mechanism</ a > < a href ="#fnref14 " class ="footnote-back "
715+ role ="doc-backlink "> ↩︎</ a > </ p > </ li >
716+ < li id ="fn15 "> < p > < a href ="protocol/protocol.pdf#inbandrationale "> Zcash
717+ Protocol Specification, Version 2024.5.1 [NU6]. Section 8.7: In-band
718+ secret distribution</ a > < a href ="#fnref15 " class ="footnote-back "
722719role ="doc-backlink "> ↩︎</ a > </ p > </ li >
723- < li id ="fn15 " role =" doc-endnote "> < p > < a
720+ < li id ="fn16 "> < p > < a
724721href ="https://github.com/zcash/zips/issues/693 "> zcash/zips issue #693:
725722Standardize a protocol for creating shielded transactions offline</ a > < a
726- href ="#fnref15 " class ="footnote-back "
727- role ="doc-backlink "> ↩︎</ a > </ p > </ li >
723+ href ="#fnref16 " class ="footnote-back " role ="doc-backlink "> ↩︎</ a > </ p > </ li >
728724</ ol >
729725</ section >
730726</ body >
0 commit comments