Zcash Protocol Specification
Version 2018.0-beta-14

Daira Hopwood†, Sean Bowe†, Taylor Hornby†, Nathan Wilcox†
March 11, 2018

Abstract. Zcash is an implementation of the Decentralized Anonymous Payment scheme Zerocash, with security fixes and adjustments to terminology, functionality and performance. It bridges the existing transparent payment scheme used by Bitcoin with a shielded payment scheme secured by zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs). It attempts to address the problem of mining centralization by use of the Equihash memory-hard proof-of-work algorithm. This specification defines the Zcash consensus protocol and explains its differences from Zerocash and Bitcoin.

Keywords: anonymity, applications, cryptographic protocols, electronic commerce and payment, financial privacy, proof of work, zero knowledge.

† Zerocoin Electric Coin Company

Contents

1 Introduction 5
  1.1 Caution 5
  1.2 High-level Overview 5
2 Notation 7
3 Concepts 8
  3.1 Payment Addresses and Keys 8
  3.2 Notes 9
    3.2.1 Note Plaintexts and Memo Fields 9
  3.3 The Block Chain 10
  3.4 Transactions and Treestates 10
  3.5 JoinSplit Transfers and Descriptions 11
  3.6 Note Commitment Trees 11
  3.7 Nullifier Sets 12
  3.8 Block Subsidy and Founders' Reward 12
  3.9 Coinbase Transactions 12
4 Abstract Protocol 12
  4.1 Abstract Cryptographic Schemes 12
    4.1.1 Hash Functions 12
    4.1.2 Pseudo Random Functions 13
    4.1.3 Authenticated One-Time Symmetric Encryption 13
    4.1.4 Key Agreement 13
    4.1.5 Key Derivation 14
    4.1.6 Signature 15
      4.1.6.1 Signature with Re-Randomizable Keys 15
    4.1.7 Commitment 17
    4.1.8 Represented Group 17
    4.1.9 Represented Pairing 18
    4.1.10 Zero-Knowledge Proving System 18
  4.2 Key Components 19
  4.3 JoinSplit Descriptions 19
  4.4 Sending Notes 20
    4.4.1 Dummy Notes 21
  4.5 Merkle path validity 21
  4.6 Non-malleability 22
  4.7 Balance 22
  4.8 Note Commitments and Nullifiers 22
  4.9 Zk-SNARK Statements 23
    4.9.1 JoinSplit Statement 23
  4.10 In-band secret distribution 24
    4.10.1 Encryption 24
    4.10.2 Decryption by a Recipient 25
5 Concrete Protocol 25
  5.1 Caution 25
  5.2 Integers, Bit Sequences, and Endianness 26
  5.3 Constants 26
  5.4 Concrete Cryptographic Schemes 27
    5.4.1 Hash Functions 27
      5.4.1.1 SHA-256 and SHA256Compress Hash Functions 27
      5.4.1.2 BLAKE2 Hash Function 27
      5.4.1.3 Merkle Tree Hash Function 28
      5.4.1.4 hSig Hash Function 28
      5.4.1.5 Equihash Generator 28
    5.4.2 Pseudo Random Functions 29
    5.4.3 Authenticated One-Time Symmetric Encryption 29
    5.4.4 Key Agreement and Derivation 30
      5.4.4.1 Key Agreement 30
      5.4.4.2 Key Derivation 30
    5.4.5 JoinSplit Signature 30
    5.4.6 Commitment schemes 31
      5.4.6.1 Note Commitments 31
    5.4.7 Represented Groups and Pairings 31
      5.4.7.1 BN-254 31
    5.4.8 Zero-Knowledge Proving Systems 32
      5.4.8.1 PHGR13 32
  5.5 Note Plaintexts and Memo Fields 33
  5.6 Encodings of Addresses and Keys 34
    5.6.1 Transparent Addresses 34
    5.6.2 Transparent Private Keys 35
    5.6.3 Shielded Payment Addresses 35
    5.6.4 Incoming Viewing Keys 35
    5.6.5 Spending Keys 36
  5.7 zk-SNARK Parameters 36
6 Consensus Changes from Bitcoin 37
  6.1 Encoding of Transactions 37
  6.2 Encoding of JoinSplit Descriptions 39
  6.3 Block Header 40
  6.4 Proof of Work 41
    6.4.1 Equihash ...