You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: rendered/zip-0230.html
+2-2
Original file line number
Diff line number
Diff line change
@@ -218,7 +218,7 @@
218
218
<td><code>varies</code></td>
219
219
<td><code>nActionGroupsOrchard</code></td>
220
220
<td><code>compactSize</code></td>
221
-
<td>The number of Action Group descriptions in <code>vActionGroupsOrchard</code>. This MUST have a value of either <code>0</code> or <code>1</code>.</td>
221
+
<td>The number of Action Group descriptions in <code>vActionGroupsOrchard</code>.</td>
222
222
</tr>
223
223
<tr>
224
224
<td><code>varies</code></td>
@@ -440,7 +440,7 @@
440
440
<td><code>4</code></td>
441
441
<td><code>nAGExpiryHeight</code></td>
442
442
<td><code>uint32</code></td>
443
-
<td>A block height (in the future) after which the Actions of the Action Group become invalid and should be rejected by consensus. This MUST have a value of <code>0</code>.</td>
443
+
<td>A block height (in the future) after which the Actions of the Action Group become invalid and should be rejected by consensus.</td>
The explicit order of addition of the note commitments to the note commitment tree is specified in ZIP 227 [#zip-0227-note-commitment-order]_.
143
+
142
144
Rationale for Note Commitment
143
145
`````````````````````````````
144
146
@@ -560,7 +562,7 @@ Other Considerations
560
562
Transaction Fees
561
563
----------------
562
564
563
-
The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 230 [#zip-0230-orchardzsa-fee-calculation]_.
565
+
The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 227 [#zip-0227-orchardzsa-fee-calculation]_.
564
566
565
567
Backward Compatibility
566
568
----------------------
@@ -600,11 +602,12 @@ References
600
602
.. [#zip-0227-specification-global-issuance-state] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Global Issuance State <zip-0227.html#specification-global-issuance-state>`_
.. [#zip-0227-note-commitment-order] `ZIP 227: Issuance of Zcash Shielded Assets: Addition to the Note Commitment Tree <zip-0227.html#addition-to-the-note-commitment-tree>`_
Copy file name to clipboardexpand all lines: zips/zip-0227.rst
+27-17
Original file line number
Diff line number
Diff line change
@@ -192,7 +192,7 @@ From the Asset Digest, we derive a specific Asset Base within each shielded prot
192
192
193
193
Let
194
194
195
-
- $\mathsf{asset\_desc}$ be the asset description, which includes any information pertaining to the issuance, and is a byte sequence of up to 512 bytes which SHOULD be a well-formed UTF-8 code unit sequence according to Unicode 15.0.0 or later.
195
+
- $\mathsf{asset\_desc}$ be the asset description, which includes any information pertaining to the issuance, and is a non-empty byte sequence of at most 512 bytes which SHOULD be a well-formed UTF-8 code unit sequence according to Unicode 15.0.0 or later.
196
196
- $\mathsf{ik}$ be the issuance validating key of the issuer, a public key used to verify the signature on the issuance transaction's SIGHASH.
197
197
198
198
Define
@@ -265,7 +265,7 @@ Issuance Action
265
265
266
266
An issuance action, ``IssueAction``, is the instance of issuing a specific Custom Asset, and contains the following fields:
267
267
268
-
- ``assetDescSize``: the size of the Asset description, a number between $0$ and $512$.
268
+
- ``assetDescSize``: the size of the Asset description, a non-zero number that is at most $512$.
269
269
- ``asset_desc``: the Asset description, a byte string of up to 512 bytes as defined in the `Specification: Asset Identifier, Asset Digest, and Asset Base`_ section.
270
270
- ``vNotes``: an array of Issue Notes containing the unencrypted output notes to the recipients of the Asset.
271
271
- ``flagsIssuance``: a byte that stores the $\mathsf{finalize}$ boolean that defines whether the issuance of that specific Custom Asset is finalized or not.
@@ -293,21 +293,20 @@ The detailed encoding of the issuance bundle as a part of the V6 transaction for
293
293
Computation of ρ
294
294
----------------
295
295
296
-
We define a function $\mathsf{DeriveIssuedRho} : \mathbb{F}_{q_{\mathbb{P}}} \times \{0 .. 2^{32} - 1\}\times \{0 .. 2^{32} - 1\}\to \mathbb{F}_{q_{\mathbb{P}}}$ as follows:
296
+
We define a function $\mathsf{DeriveIssuedRho} : \mathbb{F}_{q_{\mathbb{P}}} \times \{0 .. 2^{32} - 1\}\times \{0 .. 2^{32} - 1\}\to \mathbb{F}_{q_{\mathbb{P}}}$ for Issue Notes in the OrchardZSA Protocol as follows:
- $\mathsf{ToBase}^{\mathsf{Rho}} : \mathbb{B}^{512} \to \mathbb{F}_{q_{\mathbb{P}}}$ is defined as $\mathsf{ToBase}^{\mathsf{Rho}}(x) := \mathsf{LEOS2IP}_{512}(x) \mod q_{\mathbb{P}}$
303
-
- $\mathsf{PRF}^{\mathsf{Rho}} : \mathbb{B}^{256} \times \mathbb{B}^{\mathbb{Y}^{[\mathbb{N}]}} \to \mathbb{B}^{512}$ is defined as $\mathsf{PRF}^{\mathsf{Rho}}(\mathsf{k},t) := \textsf{BLAKE2b-512}(\mathtt{"ZSA\_IssueNoteRho"}, \mathsf{k} \| t)$
300
+
where $\mathsf{ToBase}^{\mathsf{Orchard}}$ is defined in §4.2.3 of the protocol specification [#protocol-orchardkeycomponents]_, and $\mathsf{PRF}^{\mathsf{expand}}$ is defined in §5.4.2 of the protocol specification [#protocol-concreteprfs]_.
304
301
305
302
The $\text{ρ}$ field of an Issue Note is computed as
where $\mathsf{nf}_{1,1}$ is the nullifier of the first Note in the first Action of the OrchardZSA Bundle of the transaction, $\mathsf{index_{Action}}$ is the index of the Issuance Action in the Issuance Bundle, and $\mathsf{index_{Note}}$ is the index of the Issue Note in the Issuance Action.
306
+
where $\mathsf{nf}_{0,0}$ is the nullifier of the first Note in the first Action in the first Action Group of the OrchardZSA Bundle of the transaction, $\mathsf{index_{Action}}$ is the zero-based index of the Issuance Action in the Issuance Bundle, and $\mathsf{index_{Note}}$ is the zero-based index of the Issue Note in the Issuance Action.
310
307
308
+
**NOTE:** This implicitly requires that there always is an Action Group in the OrchardZSA bundle of the transaction.
309
+
This is enforced by the sixth consensus rule in the `Specification: Consensus Rule Changes`_ section.
311
310
312
311
Issuance Protocol
313
312
-----------------
@@ -333,7 +332,7 @@ For the ``IssueBundle``:
333
332
- sign the SIGHASH transaction hash with the issuance authorizing key, $\mathsf{isk}$, using the $\mathsf{IssueAuthSig}$ signature scheme. The signature is then added to the issuance bundle.
334
333
335
334
336
-
**Note:** that the commitment is not included in the ``IssuanceAction`` itself. As explained below, it is computed later by the validators and added to the note commitment tree.
335
+
**Note:** The note commitment is not included in the ``IssuanceAction`` itself. As explained below, it is computed later by the validators and added to the note commitment tree.
337
336
338
337
Specification: Reference Notes and Global Issuance State
@@ -377,7 +376,7 @@ Management of the Global Issuance State
377
376
The issuance state, that is, the $\mathsf{issued\_assets}$ map, MUST be updated by a node during the processing of any transaction that contains burn information, or an issuance bundle.
378
377
The issuance state is chained as follows:
379
378
380
-
- The issuance state for the first block post the activation of the OrchardZSA protocol is the empty map.
379
+
- The input issuance state for the activation block of the OrchardZSA protocol is the empty map.
381
380
- The input issuance state for the first transaction of a block is the final issuance state of the immediately preceding block.
382
381
- The input issuance state of each subsequent transaction in the block is the output issuance state of the immediately preceding transaction.
383
382
- The final issuance state of a block is the output issuance state of the last transaction in the block.
- The ``nActionGroupsOrchard`` field MUST have a value of either ``0`` or ``1`` and the ``nAGExpiryHeight`` field MUST have a value of ``0``.
394
394
- The output issuance state of the transaction MUST be initialized to be the same as the input issuance state, $\mathsf{issued\_assets}_{\mathsf{OUT}} = \mathsf{issued\_assets}_{\mathsf{IN}}$.
395
395
- The $\mathsf{assetBurn}$ set MUST satisfy the consensus rules specified in ZIP 226 [#zip-0226-assetburn]_.
396
396
- It MUST be the case that for all $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}$, $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} \geq \mathsf{v}$. The node then MUST update $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase})$ prior to processing the issuance bundle in the following manner. For every $(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{AssetBurn}$, $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} = \mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{balance} - \mathsf{v}$.
397
397
- Let $\mathsf{SigHash}$ be the SIGHASH transaction hash of this transaction, as defined in §4.10 of the protocol specification [#protocol-sighash]_ with the modifications described in ZIP 226 [#zip-0226-txiddigest]_, using $\mathsf{SIGHASH\_ALL}$.
398
-
- If the transaction contains an Issuance Bundle, it MUST also contain at least one OrchardZSA Action.
398
+
- If the transaction contains an Issuance Bundle, it MUST also contain at least one OrchardZSA Action Group.
399
399
- The issuance authorization signature, $\mathsf{issueAuthSig}$, MUST be a valid $\mathsf{IssueAuthSig}$ signature over $\mathsf{SigHash}$, i.e. $\mathsf{IssueAuthSig}.\!\mathsf{Validate}(\mathsf{ik}, \mathsf{SigHash}, \mathsf{issueAuthSig}) = 1$.
400
400
- For every issuance action description ($\mathsf{IssueAction}_\mathsf{i},\ 1 \leq i \leq \mathtt{nIssueActions}$) in the issuance bundle:
401
401
402
402
- It MUST be the case that $0 < \mathtt{assetDescSize} \leq 512$.
403
-
- It MUST be the case that $\mathsf{asset\_desc}$ is a string of length $\mathtt{assetDescSize}$ bytes.
404
403
- Every Issue Note in ``IssueAction`` MUST be a valid encoding of the $\mathsf{Note^{Issue}}$ type, and MUST encode the same $\mathsf{AssetBase}$.
405
404
- This $\mathsf{AssetBase}$ MUST satisfy the derivation from the issuance validating key and asset description described in the `Specification: Asset Identifier, Asset Digest, and Asset Base`_ section.
406
405
- It MUST be the case that $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{final} \neq 1$.
@@ -416,10 +415,20 @@ For every transaction:
416
415
- It MUST be the case that $\mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} + \mathsf{v} \leq \mathsf{MAX\_ISSUE}$, where $\mathsf{v}$ is the value of $\mathsf{note}_{\mathsf{j}}$. The node then MUST update $\mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} = \mathsf{issued\_assets}_{\mathsf{OUT}}.\mathsf{balance} + \mathsf{v}$.
417
416
- The node MUST compute the note commitment, $\mathsf{cm}_{\mathsf{i,j}}$, as defined in the Note Structure and Commitment section of ZIP 226 [#zip-0226-notestructure]_.
418
417
- If $\mathsf{finalize} = 1$ within the ``flagsIssuance`` field of ``IssueAction``, the node MUST set $\mathsf{issued\_assets}_{\mathsf{OUT}}(\mathsf{AssetBase}).\mathsf{final} = 1$.
419
-
- If all the consensus rules are satisfied, the node MUST add the note commitments, $\mathsf{cm}_{\mathsf{i,j}}\ \forall\ \mathsf{i} \in \{1..\mathtt{nIssueActions}\},\ \mathsf{j} \in \{1..\mathtt{nNotes}\}$, to the Merkle tree of note commitments.
420
-
- (Replay Protection) If an issue bundle is present, the fees MUST be greater than zero.
421
418
419
+
Addition to the Note Commitment Tree
420
+
------------------------------------
421
+
422
+
If the transaction is added to the block chain, the note commitments of all the OrchardZSA Notes and the Issue Notes in the transaction are added to the note commitment tree of the associated treestate.
423
+
The order of addition to the tree is as specified below:
424
+
425
+
- For each Action Group in the OrchardZSA Bundle:
426
+
427
+
- For every Action in the Action Group, append the note commitment of every new OrchardZSA note in the Action to the note commitment tree.
428
+
429
+
- For each Issue Action in the Issue Bundle:
422
430
431
+
- For every Issue Note in the Issue Action, append the note commitment of the Issue Note to the note commitment tree.
423
432
424
433
Rationale
425
434
=========
@@ -443,7 +452,7 @@ Rationale for Global Issuance State
443
452
It is necessary to ensure that the balance of any issued Custom Asset never becomes negative within a shielded pool, along the lines of ZIP 209 [#zip-0209]_.
444
453
However, unlike for the shielded ZEC pools, there is no individual transaction field that directly corresponds to both the issued and burnt amounts for a given Asset.
445
454
Therefore, we require that all nodes maintain a record of the current amount in circulation for every issued Custom Asset, and update this record based on the issuance and burn transactions processed.
446
-
This allows for efficient detection of balance violations for any Asset, in which scenario we specify a consensus rule to reject the transaction or block.
455
+
This allows for efficient detection of balance violations for any Asset, in which case we specify a consensus rule to reject the transaction or block.
447
456
448
457
We limit the total issuance of any Asset to a maximum of $\mathsf{MAX\_ISSUE}$.
449
458
This is a practical limit that also allows an issuer to issue the complete supply of an Asset in a single transaction.
.. [#protocol-concreteprfs] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.2: Pseudo Random Functions <protocol/protocol.pdf#concreteprfs>`_
775
785
.. [#protocol-concretegrouphashpallasandvesta] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.4.9.8: Group Hash into Pallas and Vesta <protocol/protocol.pdf#concretegrouphashpallasandvesta>`_
776
786
.. [#protocol-orchardpaymentaddrencoding] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 5.6.4.2: Orchard Raw Payment Addresses <protocol/protocol.pdf#orchardpaymentaddrencoding>`_
777
787
.. [#protocol-txnencoding] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 7.1: Transaction Encoding and Consensus <protocol/protocol.pdf#txnencoding>`_
|``64 * nActionsOrchard`` |``vSpendAuthSigsOrchard`` |``byte[64 * nActionsOrchard]`` |Authorizing signatures for each Action of the Action Group in a |
0 commit comments