From 05ecd086cf7c17963f5b92a02c5c51bf163d1457 Mon Sep 17 00:00:00 2001
From: Daira Emma Hopwood Notation for sequences, conversions, and arithmetic operations follows the Zcash protocol specification 3. The notation
+ \(\mathtt{X}[i\,..\!=j]\)
+ , where
+ \(\mathtt{X}\)
+ is a byte sequence, means the subsequence of bytes of
+ \(\mathtt{X}\)
+ at zero-based indices
+ \(i\)
+ to
+ \(j\)
+ inclusive. This proposal defines Unified Addresses, which bundle together Zcash Addresses of different types in a way that can be presented as a single Address Encoding. It also defines Unified Viewing Keys, which perform a similar function for Zcash viewing keys. Encodings of the same Address may be distributed zero or more times through different means. Zero or more Consumers may import Addresses. Zero or more of those (that are Senders) may execute a Transfer. A single Sender may execute multiple Transfers over time from a single import. Steps 1 to 5 inclusive also apply to Interaction Flows for Unified Full Viewing Keys and Unified Incoming Viewing Keys. Steps 1 to 5 inclusive also apply to Interaction Flows for Full Viewing Keys and Incoming Viewing Keys. A Unified Address (or UA for short) combines one or more Receivers. Every wallet must properly parse encodings of a Unified Address or Unified Viewing Key containing unrecognized Items. A wallet may process unrecognized Items by indicating to the user their presence or similar information for usability or diagnostic purposes. Unified Addresses and Unified Viewing Keys must support sufficiently many Receiver Types to allow for reasonable future expansion. The Unified String Encoding is “opaque” to human readers: it does not allow visual identification of which Receivers or Receiver Types are present. The Unified String Encoding is resilient against typos, transcription errors, cut-and-paste errors, truncation, or other likely UX hazards. The Unified String Encoding is resistant, as far as reasonably possible, to “malleability attacks” that attempt to substitute a visually similar string representing a different valid Address in order to lure a user into sending funds to the wrong Address. In particular, as long as a user checks sufficiently many characters of a given Unified String Encoding (say, at least 20 characters) against the corresponding characters of a known-good reference Unified String Encoding, that check should be sufficient to give them confidence that a malleability attack would be infeasible: either they have an invalid Address Encoding, or one identical to the reference. There is a well-defined Unified QR Encoding of a Unified Address (or UFVK or UIVK) as a QR code, which produces QR codes that are reasonably compact and robust. There is a well-defined transformation between the Unified QR Encoding and Unified String Encoding of a given UA/UVK in either direction. There is a well-defined Unified Raw Encoding of a UA/UVK which is a compact byte sequence, without excessive encoding overhead. Since the Unified Raw Encoding is intended to only be used internally to Zcash-related software or transmitted over reliable channels, it need not have the resilience and nonmalleability properties described above. There are well-defined transformations between the Unified QR Encoding, Unified String Encoding, and Unified Raw Encoding of a given UA/UVK in any direction. The Unified String Encoding fits into ZIP-321 Payment URIs 26 and general URIs without introducing parse ambiguities. The encoding must support sufficiently many Recipient Types to allow for reasonable future expansion. The encoding must allow all wallets to safely and correctly parse out unrecognized Receiver Types well enough to ignore them. When executing a Transfer the Sender selects a Receiver via a Selection process. Rather than defining a Bech32 string encoding of Orchard Shielded Payment Addresses, we instead define a Unified Address format that is able to encode a set of Receivers of different types. This enables the Consumer of a Unified Address to choose the Receiver of the best type it supports, providing a better user experience as new Receiver Types are added in the future. Assume that we are given a set of one or more Receiver Encodings for distinct types. That is, the set may optionally contain one Receiver of each of the Receiver Types in the following fixed Priority List: Rather than defining a Bech32 string encoding of Orchard Shielded Payment Addresses, we instead define a Unified Address format that is able to encode a set of Receivers of different types. This enables the Consumer of a Unified Address to choose the Receiver of the best type it supports, providing a better user experience as new Receiver Types are added in the future. Similarly, a Unified Full Viewing Key or Unified Incoming Viewing Key provides the corresponding visibility into transactions that may use addresses of different types. Typically these will be the addresses for each pool derived from an Account as defined in 20. (It is not possible for a UVK to include viewing keys for multiple addresses of the same type.) When a string encoding of a Unified Address or Unified Viewing Key is shown to a user, it MUST be encoded using the Unified String Encoding defined in String Encodings of Unified Addresses and Unified Viewing Keys. The main reason for this is to satisfy the requirements concerning resilience to user error and resistance to malleability attacks, as described in Transport Encodings. In cases where Unified Addresses or Unified Viewing Keys are not shown directly to users but need to be encoded as machine-readable data, the Unified Raw Encoding MAY be used instead of the Unified String Encoding. This has the advantage of reducing the space requirement, and may also reduce computational costs and implementation complexity. A Unified Raw Encoding has no resilience to data corruption and transcription errors, or resistance to malleability attacks, and therefore MUST NOT be used in situations where these properties are required. For clarity, this includes all situations where Address Encodings are exposed directly to end-users. The following HRPs (Human-Readable Parts as defined in 33) and Lead Bytes are defined to tag particular Unified Address or Viewing Key types on a specific network. Their usage is defined in the following sections. Assume that we are given a set of one or more Receiver Items for distinct types. That is, the set may optionally contain one Receiver of each of the Receiver Types in the following fixed Priority List: We say that a Receiver Type is “preferred” over another when it appears earlier in this Priority List (as potentially modified by experiments). The Sender of a payment to a Unified Address MUST use the Receiver of the most preferred Receiver Type that it supports from the set. For example, consider a wallet that supports sending funds to Orchard Receivers, and does not support sending to any Receiver Type that is preferred over Orchard. If that wallet is given a UA that includes an Orchard Receiver and possibly other Receivers, it MUST send to the Orchard Receiver. The raw encoding of a Unified Address is a concatenation of
+ A Binary HRP is a single length byte
+ \(\mathtt{hrp\_len}\)
+ from 0 to 16 inclusive, followed by
+ \(\mathtt{hrp\_len}\)
+ bytes of a US-ASCII-encoded HRP. The Unified Raw Encoding of a Unified Address is a Binary HRP followed by a concatenation of
\((\mathtt{typecode}, \mathtt{length}, \mathtt{addr})\)
- encodings of the consituent Receivers, in ascending order of Typecode:Abstract
Addresses
Receivers
Transport Encoding
+ Transport Encodings
Transfers
Specification
- Encoding of Unified Addresses
- Encoding Prefixes
+
+
+
+
+
+
+
+ Meaning
+ HRP
+ Lead Byte
+
+
+ Unified Addresses on Mainnet
+
+ u
0
+
+
+ Unified Addresses on Testnet
+
+ utest
1
+
+
+ Unified Incoming Viewing Keys on Mainnet
+
+ uivk
2
+
+
+ Unified Incoming Viewing Keys on Testnet
+
+ uivktest
3
+
+
+ Unified Full Viewing Keys on Mainnet
+
+ uview
4
+
+
+
+ Unified Full Viewing Keys on Testnet
+
+ uviewtest
5
+ Raw Encoding of Unified Addresses
+
The values of the \(\mathtt{typecode}\) @@ -200,43 +268,24 @@ (The limitation on the total length of encodings described below imposes a smaller limit for \(\mathtt{length}\) in practice.)
-A Receiver Encoding is the raw encoding of a Shielded Payment Address, or the +
A Receiver Item is the raw encoding of a Shielded Payment Address, or the \(160\!\) - -bit script hash of a P2SH address 35, or the + -bit script hash of a P2SH address 35, or the \(160\!\) - -bit validating key hash of a P2PKH address 34.
-Let padding
be the Human-Readable Part of the Unified Address in US-ASCII, padded to 16 bytes with zero bytes. We append padding
to the concatenated encodings, and then apply the
- \(\mathsf{F4Jumble}\)
- algorithm as described in Jumbling. (In order for the limitation on the
- \(\mathsf{F4Jumble}\)
- input size to be met, the total length of encodings MUST be at most
- \(\ell^\mathsf{MAX}_M - 16\)
- bytes, where
- \(\ell^\mathsf{MAX}_M\)
- is defined in Jumbling.) The output is then encoded with Bech32m 33, ignoring any length restrictions. This is chosen over Bech32 in order to better handle variable-length inputs.
To decode a Unified Address Encoding, a Consumer MUST use the following procedure:
-padding
be the Human-Readable Part, padded to 16 bytes as for encoding. If the result ends in padding
, remove these 16 bytes; otherwise reject.For Unified Addresses on Mainnet, the Human-Readable Part (as defined in 33) is “u
”. For Unified Addresses on Testnet, the Human-Readable Part is “utest
”.
A wallet MAY allow its user(s) to configure which Receiver Types it can send to. It MUST NOT allow the user(s) to change the order of the Priority List used to choose the Receiver Type, except by opting into experiments.
-Unified Full or Incoming Viewing Keys are encoded and decoded analogously to Unified Addresses. A Consumer MUST use the decoding procedure from the previous section. For Viewing Keys, a Consumer will normally take the union of information provided by all contained Receivers, and therefore the Priority List defined in the previous section is not used.
+Unified Full or Incoming Viewing Keys are encoded and decoded analogously to Unified Addresses. For Viewing Keys, a Consumer will normally take the union of information provided by all contained Receivers, and therefore the Priority List defined in the previous section is not used.
For each FVK Type or IVK Type currently defined in this specification, the same Typecode is used as for the corresponding Receiver Type in a Unified Address. Additional FVK Types and IVK Types MAY be defined in future, and these will not necessarily use the same Typecode as the corresponding Unified Address.
-The following FVK or IVK Encodings are used in place of the +
The following FVK or IVK Items are used in place of the \(\mathtt{addr}\) field:
The Human-Readable Parts (as defined in 33) of Unified Viewing Keys are defined as follows:
-uivk
” for Unified Incoming Viewing Keys on Mainnet;uivktest
” for Unified Incoming Viewing Keys on Testnet;uview
” for Unified Full Viewing Keys on Mainnet;uviewtest
” for Unified Full Viewing Keys on Testnet.The design of address derivation is designed to maintain unlinkability between addresses derived from the same UIVK, to the extent possible. (This is only partially achieved if the UA contains a Transparent P2PKH Address, since the on-chain transaction graph can potentially be used to link transparent addresses.)
Note that it may be difficult to retain this property for Metadata Items, and this should be taken into account in the design of such Items.
A Unified String Encoding for a UA/UIVK is obtained by constructing the corresponding Unified Raw Encoding as defined in previous sections, and then converting it to a Unified String Encoding as follows.
+Let + \(\ell^\mathsf{MAX}_M\) + be as defined in Jumbling.
+Any equivalent procedure MAY be used, for example, a Producer MAY construct + \(\mathtt{padded\_hrp}\) + and + \(\mathtt{raw\_items}\) + directly rather than explicitly obtaining them from a Unified Raw Encoding.
+The check that + \(\mathsf{length}(\mathtt{R}) - 1 - \mathtt{hrp\_len} > \ell^\mathsf{MAX}_M - 16\) + in step 1 ensures that + \(\mathtt{raw\_items} \,||\, \mathtt{padded\_hrp}\) + never exceeds the + \(\mathsf{F4Jumble}\) + input size limitation in step 3.
+Bech32m is chosen over Bech32 in order to better handle variable-length inputs.
+To decode a Unified String Encoding, a Consumer MUST use the following procedure:
+The Human-Readable Parts of Unified Addresses and Unified Viewing Keys are defined as given in Encoding Prefixes.
+However, the specification of which outgoing viewing key should be used is left somewhat open in 6 and 7; in particular, it was unclear whether transfers should be considered as being sent from an address, or from a ZIP 32 account 20. The adoption of multiple shielded protocols that support outgoing viewing keys (i.e. Sapling and Orchard) further complicates this question, since from NU5 activation, nothing at the consensus level prevents a wallet from spending both Sapling and Orchard notes in the same transaction. (Recommendations about wallet usage of multiple pools will be given in ZIP 315 25.)
Here we refine the protocol specification in order to allow more precise determination of viewing authority for UFVKs.
A Sender will attempt to determine a "sending Account" for each transfer. The preferred approach is for the API used to perform a transfer to directly specify a sending Account. Otherwise, if the Sender can ascertain that all funds used in the transfer are from addresses associated with some Account, then it SHOULD treat that as the sending Account. If not, then the sending Account is undetermined.
-The Sender also determines a "preferred sending protocol" —one of "transparent", "Sapling", or "Orchard"— corresponding to the most preferred Receiver Type (as given in Encoding of Unified Addresses) of any funds sent in the transaction.
+The Sender also determines a "preferred sending protocol" —one of "transparent", "Sapling", or "Orchard"— corresponding to the most preferred Receiver Type (as given in Raw Encoding of Unified Addresses) of any funds sent in the transaction.
If the sending Account has been determined, then the Sender SHOULD use the external or internal \(\mathsf{ovk}\) (according to the type of transfer), as specified by the preferred sending protocol, of the full viewing key for that Account (i.e. at the ZIP 32 Account level).
@@ -715,6 +830,15 @@LIONESS is a similarly structured 4-round unbalanced Feistel cipher.
The Unified QR Encoding of a UA or UVK is as specified in 8; that is, the QR code representation of its Unified String Encoding converted to uppercase, using the Alphanumeric mode specified in sections 7.3.4 and 7.4.4 of 37.
+A Consumer MAY support parsing multiple kinds of address and/or viewing key from a QR code, in which case it SHOULD use the HRP to provisionally recognize (subject to further validation) potential address or viewing key types.
+When a Consumer recognizes the content of a QR code as a potential Unified String Encoding, it SHOULD NOT present the resulting content to the user as representing an address, without first checking that it is a valid Unified String Encoding by attempting to decode it.
+A Producer MUST NOT generate a QR Encoding directly from a Unified Raw Encoding (using the QR "Byte mode" defined in 37 section 7.3.5, or otherwise).
+A QR code using the Unified Raw Encoding in Byte mode could be slightly smaller, however we believe this choice would be likely to cause interoperability problems. It also would not satisfy the requirement that the Unified Raw Encoding not be shown to users, since it is common for software that supports QR codes to try to decode the content and present it as a string. (Clause 6.1 b) 3) of 37 specifies that the default interpretation of byte data is as an ISO-8859-1 text string.)
+