From 05d4c99a558450c50944698a27ba1e77be6159e7 Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Wed, 13 Mar 2024 17:31:59 +0000 Subject: [PATCH 1/4] ZIP 320: choose TEX Address alternative. Signed-off-by: Daira-Emma Hopwood --- zip-0320.html | 243 +++++++++---------------------------- zip-0320.rst | 330 ++++++++++++++------------------------------------ 2 files changed, 149 insertions(+), 424 deletions(-) diff --git a/zip-0320.html b/zip-0320.html index 0876b0d3c..9a324a8b2 100644 --- a/zip-0320.html +++ b/zip-0320.html @@ -21,16 +21,15 @@ <https://github.com/zcash/zips/pull/766>

Terminology

The key words "MUST", "SHOULD", "NOT RECOMMENDED", and "MAY" in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

-

The terms "Recipient", "Producer", "Consumer", "Sender", "Receiver", "Item", "Metadata Item", "Typecode", "Address", "Unified Address" (UA), "Unified Viewing Key" (UVK), "Unified Full Viewing Key" (UFVK), and "Unified Incoming Viewing Key" (UIVK) are to be interpreted as described in ZIP 316 5.

-

The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 13.

+

The terms "Recipient", "Producer", "Consumer", "Sender", "Receiver", "Address", and "Unified Address" are to be interpreted as described in ZIP 316 7.

+

The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 11.

Abstract

This ZIP defines a new encoding for transparent Zcash addresses. Wallets must ensure that no shielded notes are spent in transactions that send to a transparent address encoded in the specified fashion.

-

This ZIP is presently in Draft status, and defines two alternate encodings for consideration. Analysis of the benefits and drawbacks of each of the proposed alternatives is presented at the end of this document.

Background

In November of 2023, the Zcash community received notice from the Binance cryptocurrency exchange that Zcash was at risk of being delisted from the exchange unless the community could provide a mechanism by which Binance could refuse deposits from shielded addresses and return them to the depositor. This issue was raised and discussed at length in the Zcash Community forum 2.

-

In the course of that discussion thread, wallet developer and community member @hanh 3 suggested a wallet-oriented approach 4 that involved defining a new encoding for Zcash transparent P2PKH addresses. A Consumer of such an address, whether it be a wallet or an exchange, could recognize this encoding as a directive that the wallet should only spend transparent funds when creating an output to that address.

+

In the course of that discussion thread, wallet developer and community member @hanh 3 suggested a wallet-oriented approach 4 that involved defining a new encoding for Zcash transparent P2PKH addresses. A Consumer of such an address, whether it be a wallet or an exchange, could recognize this encoding as a directive that the wallet should only spend transparent funds when creating an output to that address. This ZIP formalizes that proposal.

Motivation

The Binance cryptocurrency exchange requires that funds sent to their deposit addresses come from source addresses that are readily identifiable using on-chain information, such that if necessary funds may be rejected by sending them back to the source address(es). This ZIP is intended to standardize a transparent address encoding that is not yet understood by preexisting Consumers, in order to prevent inadvertent shielded spends when sending to such addresses. Then, Consumers that upgrade to support the new encoding will do so with the understanding that they must respect the restrictions on sources of funds described in this ZIP.

@@ -39,34 +38,39 @@
  1. A Recipient wishing to receive funds from exclusively transparent sources must be able to generate a receiving address such that only transparent funds will be spent in transactions with an output to this address.
  2. Wallets and other Consumers that have not been upgraded to recognize the new address format cannot mistake the address for another address type or inadvertently send shielded funds to the address.
    3. -
  3. No changes to Recipient infrastructure beyond changes to address encoding and decoding should be required as a consequence of this ZIP.
    4. +
  4. No changes to Recipient infrastructure beyond changes to address encoding and decoding should be required as a consequence of this ZIP. In particular, conversion between a transparent-source-only address and the corresponding unrestricted transparent address should be possible using only dependencies that are available to Binance's front-end code.
+

It is only required to support a transparent-source-only form of P2PKH addresses; P2SH address support is not necessary.

-

Alternative 1

-

This alternative was suggested by @hanh in 4.

-

TEX Addresses

-

A TEX Address is a Bech32m 18 reencoding of a transparent Zcash P2PKH address 14.

-
-

Motivations for Alternative 1

-

The TEX Address is the simplest possible approach to creating a new address type that indicates that only transparent sources of funds should be used.

-
-

Specification (Alternative 1)

-

A TEX address is produced from a Mainnet Zcash P2PKH Address by executing the following steps:

-
    -
  1. Decode the address to a byte sequence using the Base58Check decoding algorithm 16.
    2. -
  2. If the length of the resulting byte sequence is not 22 bytes or if its two-byte address prefix is not - \([\mathtt{0x1C}, \mathtt{0xB8}]\) - , return an error. Otherwise, let the validating key hash be the remaining 20 bytes of the sequence after removing the two-byte address prefix.
    3. -
  3. Reencode the 20-byte validating key hash using the Bech32m encoding defined in 18 with the human-readable prefix (HRP) "tex".
    4. -
-

For Testnet addresses, the required lead bytes of a P2PKH address in step 2 are - \([\mathtt{0x1D}, \mathtt{0x25}]\) - , and the "textest" HRP is used when reencoding in step 3.

-

Wallets and other Senders sending to a TEX address (as any output) MUST ensure that only transparent UTXOs are spent in the creation of a transaction.

+

Specification

+

A TEX Address, also called a Transparent-Source-Only Address, is a Bech32m 15 reencoding of a transparent Zcash P2PKH address 12.

+

Wallets and other Senders sending to a TEX address (as any output) MUST ensure that only transparent (P2SH or P2PKH) UTXOs are spent in the creation of the transaction. For simplicity of parsing and interpreting such transactions, they also SHOULD only send to transparent outputs.

+

A TEX address can be produced from a Mainnet Zcash P2PKH Address by executing the following steps:

+
    +
  1. Decode the address to a byte sequence using the Base58Check decoding algorithm 14.
    2. +
  2. If the length of the resulting byte sequence is not 22 bytes or if its two-byte address prefix is not + \([\mathtt{0x1C}, \mathtt{0xB8}]\) + , return an error. Otherwise, let the validating key hash be the remaining 20 bytes of the sequence after removing the two-byte address prefix.
    3. +
  3. Reencode the 20-byte validating key hash using the Bech32m encoding defined in 15 with the human-readable prefix (HRP) "tex".
    4. +
+

For Testnet addresses, the required lead bytes of a P2PKH address in step 2 are + \([\mathtt{0x1D}, \mathtt{0x25}]\) + , and the "textest" HRP is used when reencoding in step 3.

+

A TEX address can be parsed by reversing this encoding, i.e.:

+
    +
  1. Decode the address to a byte sequence using Bech32m 15, checking that the HRP is "tex" for a Mainnet TEX Address and "textest" for a Testnet TEX Address.
    2. +
  2. If the length of the resulting byte sequence is not 20 bytes, return an error. Otherwise, the validating key hash is this byte sequence.
    3. +
+

Design considerations for Senders

+

If a user desires to spend shielded funds to a TEX Address, a Sender supporting this ZIP MUST create two transactions: one that unshields the funds to an ephemeral transparent address, and one that spends from that ephemeral address to the destination TEX Address. This does not defeat the intent of the ZIP, because it is still possible for a Recipient to return the funds to the Sender by sending them back to the ephemeral address.

+

Wallets MUST be able to recognize funds that have been returned in this way and spend them if desired. In order for this to be possible without use of TEX Addresses increasing the risk of loss of funds, wallets based on ZIP 32 5 SHOULD choose ephemeral addresses in a way that allows the corresponding private keys to be recovered from a ZIP 32 master seed.

+

However, ephemeral addresses SHOULD NOT be chosen in a way that allows them to be linked between transactions, without knowledge of the wallet seed or the relevant transparent viewing keys.

+

In order to show accurate transaction history to a user, wallets SHOULD remember when a particular transaction output was sent to a TEX Address, so that they can show that form rather than its P2PKH form. It is acceptable that this information may be lost on recovery from seed.

-

Reference Implementation (Alternative 1)

-

Javascript:

- 
import bs58check from 'bs58check'
+
+

Reference Implementation

+

Javascript:

+ 
import bs58check from 'bs58check'
 import {bech32m} from 'bech32'
 
 // From t1 to tex
@@ -84,123 +88,16 @@
 console.assert(pkh2.length == 20, 'Invalid length');
 var t1 = bs58check.encode(Buffer.concat([Uint8Array.from([0x1C, 0xB8]), pkh2]))
 console.log(t1)
-
-
-

Alternative 2

-

Traceable Unified Addresses

-

A Traceable Unified Address is a reencoding of a transparent Zcash P2PKH address into a Unified Address 8.

-
-

Motivations for Alternative 2

-

Traceable Unified Addresses fit into the Zcash Unified Address ecosystem defined by ZIP 316, Revision 1 7. Existing Consumers of Unified Addresses will not be able to send to these address unless they update their code to understand the new MUST-understand Metadata Typecode defined in this ZIP.

-

By integrating with the Unified Address framework, it becomes possible for the addresses being generated to include extra metadata; in particular, metadata items such as an Address Expiry Height or Address Expiry Date 12 may be included. For exchange use cases such as Binance's, it is useful to ensure that an address provided to a user has a limited utility life, such that after expiration the user must obtain a new address in order to be able to continue to send funds 15.

-
-

Specification (Alternative 2)

-

Upon activation of this ZIP, the section Metadata Items of ZIP 316 11 will be modified to define a new MUST-understand Metadata Item type: Source Restriction Metadata, having Typecode - \(\mathtt{0xE2}\) - , the value of which MUST be a single byte:

-
    -
  • - \(\mathtt{0x00}\) - - Transparent Source Only
    • -
-

Additional Source Restriction Metadata values can be defined in the future, but a Consumer that does not recognise the value MUST reject the entire UA/UVK as invalid.

-

Wallets and other Senders MUST ensure that only transparent UTXOs are spent in the creation of a transaction to any Unified Address containing a Source Restriction Metadata Item having value - \(\mathtt{0x00}\) - .

-

A Traceable Unified Address is produced from a Mainnet Zcash P2PKH address by executing the following steps:

-
    -
  1. Decode the address to a byte sequence using the Base58Check decoding algorithm 16.
    2. -
  2. If the length of the resulting byte sequence is not 22 bytes or if its two-byte address prefix is not - \([\mathtt{0x1C}, \mathtt{0xB8}]\) - , return an error. Otherwise, let the validating key hash be the remaining 20 bytes of the array after removing the two-byte address prefix.
    3. -
  3. Construct a new Revision 1 Unified Address using a single P2PKH Receiver - \(\mathtt{0x04}\) - with the 20-byte validating key hash as its value, and a Source Restriction Metadata Item (Typecode - \(\mathtt{0xE2}\) - ) having value - \(\mathtt{0x00}\) - (Transparent Source Only). In addition, metadata items such as an Address Expiry Height or Address Expiry Date 12 MAY be included.
    4. -
  4. Encode the Unified Address using the “ur” Human Readable Part as specified for Revision 1 of ZIP 316 7.
    5. -
-

For Testnet addresses, the required lead bytes of a P2PKH address in step 2 are - \([\mathtt{0x1D}, \mathtt{0x25}]\) - .

-

The HRP of the resulting Unified Address is the same as for any other Revision 1 Unified Address on the relevant network as specified in 7, i.e. "ur" for Mainnet and "urtest" for Testnet.

-

Any Source Restriction Metadata Item MUST be preserved with the same value when deriving a UIVK from a UFVK, or a UA from a UIVK. It has no other effect on the meaning of the UFVK or UIVK.

-

Note that it is possible for a Unified Address to include shielded Receivers and also Source Restriction Metadata with value Transparent Source Only. The semantics of such UAs are well defined: they allow a shielding transaction that only spends transparent UTXOs when sending to a shielded Receiver, and the priority order of Receivers defined by ZIP 316 is unaffected. However, this combination of requirements might result in wallet interoperability issues, and so producing such UAs is NOT RECOMMENDED.

-

Dependencies on Revision 1 of ZIP 316

-

This specification depends upon the following changes made for Revision 1 of ZIP 316 7:

-
    -
  • A Revision 1 UA/UVK is not required to include a shielded Item. This is necessary for a Traceable Unified Address containing only a P2PKH Receiver to be valid. (It also has other independent motivations, as explained in 10.)
    • -
  • The change to the HRPs for Revision 1 UAs implies that a Sender implementing the Revision 0 specification will not recognize the UA as valid, which is necessary because it may not understand the Source Restriction Metadata.
    • -
  • A Consumer of a Revision 1 UIVK or UFVK is required to retain the Source Restriction Metadata when deriving a UA or UIVK respectively.
    • -
-
-
-

Reference Implementation (Alternative 2)

-

Javascript using zcash_address_wasm 19:

- 
import init, { to_traceable_address, traceable_to_p2pkh, addr_expiry_time } from 'zcash_address_wasm';
-init().then(() => {
-  var t_address = "t1VmmGiyjVNeCjxDZzg7vZmd99WyzVby9yC";
-  console.log("original P2PKH address: " + t_address);
-
-  var expiry_time = new Date();
-  // Add 30 days in UTC.
-  expiry_time.setUTCDate(expiry_time.getUTCDate() + 30);
-  // Date.getTime() returns UTC time since 1970-01-01T00:00:00Z in milliseconds.
-  var expiry_unix_seconds = BigInt(Math.floor(expiry_time.getTime() / 1000));
-
-  var traceable_address = to_traceable_address(t_address, expiry_unix_seconds);
-  console.log("Traceable Unified Address: " + traceable_address);
-
-  var p2pkh_addr = traceable_to_p2pkh(traceable_address);
-  console.log("decoded P2PKH address: " + p2pkh_addr);
-
-  var expiry = addr_expiry_time(traceable_address);
-  // Ignore far-future expiry times not representable as a Date.
-  if (expiry !== null && expiry <= 8_640_000_000_000n) {
-      console.log("expiry time: " + new Date(Number(expiry) * 1000).toUTCString());
-  }
-});
-

Example output:

- 
original P2PKH address: t1VmmGiyjVNeCjxDZzg7vZmd99WyzVby9yC
-Traceable Unified Address: u1p3temdfuxr6vcfr2z3n5weh652rg0hv7q44c652y3su77d0pyktt47am3tng7uxxtk553hhka75r6cvfs5j
-decoded P2PKH address: t1VmmGiyjVNeCjxDZzg7vZmd99WyzVby9yC
-expiry time: Mon Feb 13 2024 01:14:18 GMT
-
-
-

Analysis of Alternative 1

-

Pros to Alternative 1

-
    -
  • The reencoding from Zcash P2PKH addresses is extremely straightforward and relies only upon widely available encoding libraries.
    • -
-
-

Cons to Alternative 1

-
    -
  • Existing wallets and other Consumers will regard the new address type as entirely invalid, and will not automatically prompt their users that they need to upgrade in order to send to this type of address.
    • -
  • Creation of a new fully distinct address type further fragments the Zcash address ecosystem. Avoiding such fragmentation and providing smooth upgrade paths and good error messages to users is exactly the problem that Unified Addresses 6 were intended to avoid.
    • -
  • The TEX address type does not provide any mechanism for address expiration. One of the questions Binance has asked has been what to do about users who have stored their existing transparent deposit address in their wallets, or use them as a withdrawal address for other exchanges or services. This is a challenging problem to mitigate now because address expiration was not previously implemented. We should not further compound this problem by defining a new distinct address type that does not provide a mechanism for address expiry.
    • -
-
+

TEX addresses are also supported by the zcash_address_wasm library 16.

-

Analysis of Alternative 2

-

Pros To Alternative 2

-
    -
  • By integrating with the Unified Address framework, Consumers of Revision 1 Unified Addresses that have not yet been upgraded to recognize these addresses can automatically be prompted to upgrade their wallets or services to understand the unrecognized MUST-understand Metadata Typecode.
    • -
  • It is possible to include address expiration metadata in a Traceable Unified Address, which can help to mitigate problems related to stored addresses in the future.
    • -
  • The Source Restriction Metadata feature can easily be extended to express other kinds of source restriction, such as "Shielded Source Only" or "Fully Shielded with No Pool Crossing".
    • -
  • Traceable Unified Addresses benefit from the robustness to errors and protection against malleation of Unified Addresses 17.
    • -
  • Regardless of which proposal is adopted, the Zcash Community will need to work with exchanges other than Binance to update their address parsing logic to understand the new address format. By encouraging Consumers such as exchanges to adopt parsing for Unified Addresses, this proposal furthers the original goal of Unified Addresses to reduce fragmentation in the address ecosystem. -

    Whenever any new feature is added, wallets have a choice whether or not to support that new feature. The point of Unified Address parsing is that wallets don’t have to upgrade to recognize a different address format as a valid Zcash address. Instead of returning a “Not a valid Zcash address” error, which could be confusing for users, they can return an error more like “This is a valid Zcash address, but this wallet does not support sending to it.” This can be used as a prompt to upgrade the wallet to a version (or alternative) that does support that feature.

    -
    • -
-
-

Cons to Alternative 2

-
    -
  • Existing wallets and other Consumers of Revision 0 Unified Addresses will regard the new address type as entirely invalid, and will not automatically prompt their users that they need to upgrade in order to send to this type of address.
    • -
  • Unified Address encoding is slightly more complex than the proposed TEX address encoding, and requires use of the F4Jumble encoding algorithm 17. However, this can be readily mitigated by providing a purpose-built library for Traceable Unified Address encoding to Producers.
    • -
  • A Traceable Unified Address is somewhat longer than a TEX address, although not excessively so.
    • -
+

Rationale

+

TEX addresses are the simplest possible approach to creating a new address type that indicates that only transparent sources of funds should be used.

+

As required by Binance, it will possible to convert between a TEX address and an unrestricted transparent P2PKH address using extremely straightforward code that depends only on Base58Check and Bech32m encoding/decoding, as shown in the above Reference Implementation.

+

An earlier version of this ZIP also described another alternative using metadata in Unified Addresses, as specified in ZIP 316 6. That alternative was designed to enable better integration with the Zcash Unified Address ecosystem, and had the advantage of being able to combine different types of metadata along with the transparent-source-only indicator, such as an expiration block height or time 10.

+

However, ultimately the Unified Address-based approach did not meet all of the requirements, since it would in practice have required dependencies on address handling libraries that Binance did not want to depend on in their front-end code.

+

Some of the design elements of that approach that apply to metadata in general have been incorporated into ZIP 316 Revision 1 8. A more general form of Source Restriction Metadata is also under consideration.

+

Disadvantages

+

A disadvantage of TEX Addresses (and also of the alternative approach using Unified Addresses) is that the information that a TEX Address was used does not appear on-chain, i.e. a transaction sending to a TEX Address is indistinguishable from one sending to the underlying P2PKH address. This is inevitable given the desire not to change the underlying consensus protocol to support this functionality.

References

@@ -236,58 +133,42 @@ - +
- +
5ZIP 316: Unified Addresses and Unified Viewing Keys — TerminologyZIP 32: Shielded Hierarchical Deterministic Wallets
- +
- +
6ZIP 316: Unified Addresses and Unified Viewing Keys — MotivationZIP 316: Unified Addresses and Unified Viewing Keys
- +
- +
7ZIP 316: Unified Addresses and Unified Viewing Keys — Revision 1ZIP 316: Unified Addresses and Unified Viewing Keys — Terminology
- +
- - - -
8ZIP 316: Unified Addresses and Unified Viewing Keys — Encoding of Unified Addresses
- - - - - - - -
9ZIP 316: Unified Addresses and Unified Viewing Keys — Requirements for both Unified Addresses and Unified Viewing Keys
- - - - - +
10ZIP 316: Unified Addresses and Unified Viewing Keys — Rationale for dropping the "at least one shielded Item" restrictionZIP 316: Unified Addresses and Unified Viewing Keys — Revision 1
- + @@ -295,7 +176,7 @@
119 ZIP 316: Unified Addresses and Unified Viewing Keys — Metadata Items
- + @@ -303,7 +184,7 @@
1210 ZIP 316: Unified Addresses and Unified Viewing Keys — Address Expiration Metadata
- + @@ -311,7 +192,7 @@
1311 Zcash Protocol Specification, Version 2023.4.0. Section 3.12: Mainnet and Testnet
- + @@ -319,7 +200,7 @@
1412 Zcash Protocol Specification, Version 2023.4.0. Section 5.6.1.1 Transparent Addresses
- + @@ -327,23 +208,15 @@
1513 Zcash Community Forum post describing motivations for address expiry
- +
1614 Base58Check encoding — Bitcoin Wiki
- - - - - - - -
17ZIP 316: Unified Addresses and Unified Viewing Keys — Jumbling
- + @@ -351,7 +224,7 @@
1815 BIP 350: Bech32m format for v1+ witness addresses
- + diff --git a/zip-0320.rst b/zip-0320.rst index 05182394f..176a528a0 100644 --- a/zip-0320.rst +++ b/zip-0320.rst @@ -21,15 +21,14 @@ The key words "MUST", "SHOULD", "NOT RECOMMENDED", and "MAY" in this document are to be interpreted as described in BCP 14 [#BCP14]_ when, and only when, they appear in all capitals. -The terms "Recipient", "Producer", "Consumer", "Sender", "Receiver", "Item", -"Metadata Item", "Typecode", "Address", "Unified Address" (UA), "Unified -Viewing Key" (UVK), "Unified Full Viewing Key" (UFVK), and "Unified Incoming -Viewing Key" (UIVK) are to be interpreted as described in ZIP 316 +The terms "Recipient", "Producer", "Consumer", "Sender", "Receiver", "Address", +and "Unified Address" are to be interpreted as described in ZIP 316 [#zip-0316-terminology]_. The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification [#protocol-networks]_. - + + Abstract ======== @@ -37,9 +36,6 @@ This ZIP defines a new encoding for transparent Zcash addresses. Wallets must ensure that no shielded notes are spent in transactions that send to a transparent address encoded in the specified fashion. -This ZIP is presently in Draft status, and defines two alternate encodings for -consideration. Analysis of the benefits and drawbacks of each of the proposed -alternatives is presented at the end of this document. Background ========== @@ -56,7 +52,9 @@ In the course of that discussion thread, wallet developer and community member that involved defining a new encoding for Zcash transparent P2PKH addresses. A Consumer of such an address, whether it be a wallet or an exchange, could recognize this encoding as a directive that the wallet should only spend -transparent funds when creating an output to that address. +transparent funds when creating an output to that address. This ZIP formalizes +that proposal. + Motivation ========== @@ -71,6 +69,7 @@ addresses. Then, Consumers that upgrade to support the new encoding will do so with the understanding that they must respect the restrictions on sources of funds described in this ZIP. + Requirements ============ @@ -81,37 +80,35 @@ Requirements address format cannot mistake the address for another address type or inadvertently send shielded funds to the address. 3. No changes to Recipient infrastructure beyond changes to address encoding - and decoding should be required as a consequence of this ZIP. - -Alternative 1 -============= + and decoding should be required as a consequence of this ZIP. In particular, + conversion between a transparent-source-only address and the corresponding + unrestricted transparent address should be possible using only dependencies + that are available to Binance's front-end code. -This alternative was suggested by @hanh in [#hanh-suggestion]_. +It is only required to support a transparent-source-only form of P2PKH addresses; +P2SH address support is not necessary. -TEX Addresses -------------- - -A TEX Address is a Bech32m [#bip-0350]_ reencoding of a transparent Zcash -P2PKH address [#protocol-transparentaddrencoding]_. -Motivations for Alternative 1 ------------------------------ +Specification +============= -The TEX Address is the simplest possible approach to creating a new address -type that indicates that only transparent sources of funds should be used. +A TEX Address, also called a Transparent-Source-Only Address, is a Bech32m [#bip-0350]_ +reencoding of a transparent Zcash P2PKH address [#protocol-transparentaddrencoding]_. -Specification (Alternative 1) ------------------------------ +Wallets and other Senders sending to a TEX address (as any output) MUST ensure that +only transparent (P2SH or P2PKH) UTXOs are spent in the creation of the transaction. +For simplicity of parsing and interpreting such transactions, they also SHOULD only +send to transparent outputs. -A TEX address is produced from a Mainnet Zcash P2PKH Address by executing the +A TEX address can be produced from a Mainnet Zcash P2PKH Address by executing the following steps: 1. Decode the address to a byte sequence using the Base58Check decoding algorithm [#Base58Check]_. 2. If the length of the resulting byte sequence is not 22 bytes or if its two-byte - address prefix is not :math:`[\mathtt{0x1C}, \mathtt{0xB8}]`, return an error. Otherwise, - let the **validating key hash** be the remaining 20 bytes of the sequence after - removing the two-byte address prefix. + address prefix is not :math:`[\mathtt{0x1C}, \mathtt{0xB8}]`, return an error. + Otherwise, let the **validating key hash** be the remaining 20 bytes of the + sequence after removing the two-byte address prefix. 3. Reencode the 20-byte **validating key hash** using the Bech32m encoding defined in [#bip-0350]_ with the human-readable prefix (HRP) ``"tex"``. @@ -119,12 +116,42 @@ For Testnet addresses, the required lead bytes of a P2PKH address in step 2 are :math:`[\mathtt{0x1D}, \mathtt{0x25}]`, and the ``"textest"`` HRP is used when reencoding in step 3. -Wallets and other Senders sending to a TEX address (as any output) MUST -ensure that only transparent UTXOs are spent in the creation of a -transaction. +A TEX address can be parsed by reversing this encoding, i.e.: + +1. Decode the address to a byte sequence using Bech32m [#bip-0350]_, checking + that the HRP is ``"tex"`` for a Mainnet TEX Address and ``"textest"`` for a + Testnet TEX Address. +2. If the length of the resulting byte sequence is not 20 bytes, return an error. + Otherwise, the **validating key hash** is this byte sequence. + +Design considerations for Senders +--------------------------------- + +If a user desires to spend shielded funds to a TEX Address, a Sender supporting +this ZIP MUST create two transactions: one that unshields the funds to an +ephemeral transparent address, and one that spends from that ephemeral address +to the destination TEX Address. This does not defeat the intent of the ZIP, +because it is still possible for a Recipient to return the funds to the Sender +by sending them back to the ephemeral address. -Reference Implementation (Alternative 1) ----------------------------------------- +Wallets MUST be able to recognize funds that have been returned in this way +and spend them if desired. In order for this to be possible without use of +TEX Addresses increasing the risk of loss of funds, wallets based on ZIP 32 +[#zip-0032]_ SHOULD choose ephemeral addresses in a way that allows the +corresponding private keys to be recovered from a ZIP 32 master seed. + +However, ephemeral addresses SHOULD NOT be chosen in a way that allows them +to be linked between transactions, without knowledge of the wallet seed or +the relevant transparent viewing keys. + +In order to show accurate transaction history to a user, wallets SHOULD +remember when a particular transaction output was sent to a TEX Address, so +that they can show that form rather than its P2PKH form. It is acceptable that +this information may be lost on recovery from seed. + + +Reference Implementation +======================== Javascript:: @@ -147,215 +174,43 @@ Javascript:: var t1 = bs58check.encode(Buffer.concat([Uint8Array.from([0x1C, 0xB8]), pkh2])) console.log(t1) -Alternative 2 -============= - -Traceable Unified Addresses ---------------------------- +TEX addresses are also supported by the ``zcash_address_wasm`` library [#zcash_address_wasm]_. -A Traceable Unified Address is a reencoding of a transparent Zcash P2PKH -address into a Unified Address [#zip-0316-unified-addresses]_. +Rationale +========= -Motivations for Alternative 2 ------------------------------ +TEX addresses are the simplest possible approach to creating a new address type that +indicates that only transparent sources of funds should be used. -Traceable Unified Addresses fit into the Zcash Unified Address ecosystem -defined by ZIP 316, Revision 1 [#zip-0316-revision-1]_. Existing Consumers of -Unified Addresses will not be able to send to these address unless they update -their code to understand the new MUST-understand Metadata Typecode defined in -this ZIP. +As required by Binance, it will possible to convert between a TEX address and an +unrestricted transparent P2PKH address using extremely straightforward code that +depends only on Base58Check and Bech32m encoding/decoding, as shown in the above +`Reference Implementation`_. -By integrating with the Unified Address framework, it becomes possible for the -addresses being generated to include extra metadata; in particular, metadata -items such as an Address Expiry Height or Address Expiry Date -[#zip-0316-address-expiry]_ may be included. For exchange use cases such as -Binance's, it is useful to ensure that an address provided to a user has a -limited utility life, such that after expiration the user must obtain a new -address in order to be able to continue to send funds -[#binance-address-expiry]_. +An earlier version of this ZIP also described another alternative using metadata +in Unified Addresses, as specified in ZIP 316 [#zip-0316]_. That alternative was +designed to enable better integration with the Zcash Unified Address ecosystem, and +had the advantage of being able to combine different types of metadata along with +the transparent-source-only indicator, such as an expiration block height or time +[#zip-0316-address-expiry]_. -Specification (Alternative 2) ------------------------------ +However, ultimately the Unified Address-based approach did not meet all of the +requirements, since it would in practice have required dependencies on address +handling libraries that Binance did not want to depend on in their front-end code. -Upon activation of this ZIP, the section `Metadata Items` of ZIP 316 -[#zip-0316-metadata-items]_ will be modified to define a new MUST-understand -Metadata Item type: Source Restriction Metadata, having Typecode -:math:`\mathtt{0xE2}`, the value of which MUST be a single byte: +Some of the design elements of that approach that apply to metadata in general have +been incorporated into ZIP 316 Revision 1 [#zip-0316-revision-1]_. A more general +form of Source Restriction Metadata is also under consideration. -* :math:`\mathtt{0x00}` - Transparent Source Only - -Additional Source Restriction Metadata values can be defined in the future, -but a Consumer that does not recognise the value MUST reject the entire -UA/UVK as invalid. - -Wallets and other Senders MUST ensure that only transparent UTXOs are spent in -the creation of a transaction to any Unified Address containing a Source -Restriction Metadata Item having value :math:`\mathtt{0x00}`. +Disadvantages +------------- -A Traceable Unified Address is produced from a Mainnet Zcash P2PKH address by -executing the following steps: +A disadvantage of TEX Addresses (and also of the alternative approach using +Unified Addresses) is that the information that a TEX Address was used does not +appear on-chain, i.e. a transaction sending to a TEX Address is indistinguishable +from one sending to the underlying P2PKH address. This is inevitable given the +desire not to change the underlying consensus protocol to support this functionality. -1. Decode the address to a byte sequence using the Base58Check decoding - algorithm [#Base58Check]_. -2. If the length of the resulting byte sequence is not 22 bytes or if its - two-byte address prefix is not :math:`[\mathtt{0x1C}, \mathtt{0xB8}]`, - return an error. Otherwise, let the **validating key hash** be the remaining - 20 bytes of the array after removing the two-byte address prefix. -3. Construct a new Revision 1 Unified Address using a single P2PKH Receiver - :math:`\mathtt{0x04}` with the 20-byte **validating key hash** as its value, - and a Source Restriction Metadata Item (Typecode :math:`\mathtt{0xE2}`) - having value :math:`\mathtt{0x00}` (Transparent Source Only). In addition, - metadata items such as an Address Expiry Height or Address Expiry Date - [#zip-0316-address-expiry]_ MAY be included. -4. Encode the Unified Address using the “``ur``” Human Readable Part as - specified for Revision 1 of ZIP 316 [#zip-0316-revision-1]_. - -For Testnet addresses, the required lead bytes of a P2PKH address in step 2 -are :math:`[\mathtt{0x1D}, \mathtt{0x25}]`. - -The HRP of the resulting Unified Address is the same as for any other Revision 1 -Unified Address on the relevant network as specified in [#zip-0316-revision-1]_, -i.e. ``"ur"`` for Mainnet and ``"urtest"`` for Testnet. - -Any Source Restriction Metadata Item MUST be preserved with the same value -when deriving a UIVK from a UFVK, or a UA from a UIVK. It has no other effect -on the meaning of the UFVK or UIVK. - -Note that it is possible for a Unified Address to include shielded Receivers -and also Source Restriction Metadata with value Transparent Source Only. The -semantics of such UAs are well defined: they allow a shielding transaction -that only spends transparent UTXOs when sending to a shielded Receiver, and -the priority order of Receivers defined by ZIP 316 is unaffected. However, -this combination of requirements might result in wallet interoperability -issues, and so producing such UAs is NOT RECOMMENDED. - -Dependencies on Revision 1 of ZIP 316 -''''''''''''''''''''''''''''''''''''' - -This specification depends upon the following changes made for Revision 1 of -ZIP 316 [#zip-0316-revision-1]_: - -* A Revision 1 UA/UVK is *not* required to include a shielded Item. This is - necessary for a Traceable Unified Address containing only a P2PKH Receiver - to be valid. (It also has other independent motivations, as explained in - [#zip-0316-drop-shielded-restriction]_.) -* The change to the HRPs for Revision 1 UAs implies that a Sender implementing - the Revision 0 specification will not recognize the UA as valid, which is - necessary because it may not understand the Source Restriction Metadata. -* A Consumer of a Revision 1 UIVK or UFVK is required to retain the Source - Restriction Metadata when deriving a UA or UIVK respectively. - -Reference Implementation (Alternative 2) ----------------------------------------- - -Javascript using `zcash_address_wasm` [#zcash_address_wasm]_:: - - import init, { to_traceable_address, traceable_to_p2pkh, addr_expiry_time } from 'zcash_address_wasm'; - init().then(() => { - var t_address = "t1VmmGiyjVNeCjxDZzg7vZmd99WyzVby9yC"; - console.log("original P2PKH address: " + t_address); - - var expiry_time = new Date(); - // Add 30 days in UTC. - expiry_time.setUTCDate(expiry_time.getUTCDate() + 30); - // Date.getTime() returns UTC time since 1970-01-01T00:00:00Z in milliseconds. - var expiry_unix_seconds = BigInt(Math.floor(expiry_time.getTime() / 1000)); - - var traceable_address = to_traceable_address(t_address, expiry_unix_seconds); - console.log("Traceable Unified Address: " + traceable_address); - - var p2pkh_addr = traceable_to_p2pkh(traceable_address); - console.log("decoded P2PKH address: " + p2pkh_addr); - - var expiry = addr_expiry_time(traceable_address); - // Ignore far-future expiry times not representable as a Date. - if (expiry !== null && expiry <= 8_640_000_000_000n) { - console.log("expiry time: " + new Date(Number(expiry) * 1000).toUTCString()); - } - }); - -Example output:: - - original P2PKH address: t1VmmGiyjVNeCjxDZzg7vZmd99WyzVby9yC - Traceable Unified Address: u1p3temdfuxr6vcfr2z3n5weh652rg0hv7q44c652y3su77d0pyktt47am3tng7uxxtk553hhka75r6cvfs5j - decoded P2PKH address: t1VmmGiyjVNeCjxDZzg7vZmd99WyzVby9yC - expiry time: Mon Feb 13 2024 01:14:18 GMT - -Analysis of Alternative 1 -========================= - -Pros to Alternative 1 ---------------------- - -- The reencoding from Zcash P2PKH addresses is extremely straightforward and - relies only upon widely available encoding libraries. - -Cons to Alternative 1 ---------------------- - -- Existing wallets and other Consumers will regard the new address type as - entirely invalid, and will not automatically prompt their users that they - need to upgrade in order to send to this type of address. -- Creation of a new fully distinct address type further fragments the Zcash - address ecosystem. Avoiding such fragmentation and providing smooth upgrade - paths and good error messages to users is exactly the problem that Unified - Addresses [#zip-0316-motivation]_ were intended to avoid. -- The TEX address type does not provide any mechanism for address expiration. - One of the questions Binance has asked has been what to do about users who - have stored their existing transparent deposit address in their wallets, or - use them as a withdrawal address for other exchanges or services. This is a - challenging problem to mitigate now because address expiration was not - previously implemented. We should not further compound this problem by - defining a new distinct address type that does not provide a mechanism for - address expiry. - -Analysis of Alternative 2 -========================= - -Pros To Alternative 2 ---------------------- - -- By integrating with the Unified Address framework, Consumers of Revision 1 - Unified Addresses that have not yet been upgraded to recognize these - addresses can automatically be prompted to upgrade their wallets or services - to understand the unrecognized MUST-understand Metadata Typecode. -- It is possible to include address expiration metadata in a Traceable Unified - Address, which can help to mitigate problems related to stored addresses in - the future. -- The Source Restriction Metadata feature can easily be extended to express - other kinds of source restriction, such as "Shielded Source Only" or - "Fully Shielded with No Pool Crossing". -- Traceable Unified Addresses benefit from the robustness to errors and - protection against malleation of Unified Addresses [#F4Jumble]_. -- Regardless of which proposal is adopted, the Zcash Community will need to - work with exchanges other than Binance to update their address parsing logic - to understand the new address format. By encouraging Consumers such as - exchanges to adopt parsing for Unified Addresses, this proposal furthers the - original goal of Unified Addresses to reduce fragmentation in the address - ecosystem. - - Whenever any new feature is added, wallets have a choice whether or not to - support that new feature. The point of Unified Address parsing is that - wallets don’t have to upgrade to recognize a different address format as a - valid Zcash address. Instead of returning a “Not a valid Zcash address” - error, which could be confusing for users, they can return an error more like - “This is a valid Zcash address, but this wallet does not support sending to - it.” This can be used as a prompt to upgrade the wallet to a version (or - alternative) that does support that feature. - -Cons to Alternative 2 ---------------------- - -- Existing wallets and other Consumers of Revision 0 Unified Addresses will - regard the new address type as entirely invalid, and will not automatically - prompt their users that they need to upgrade in order to send to this type of - address. -- Unified Address encoding is slightly more complex than the proposed TEX - address encoding, and requires use of the F4Jumble encoding algorithm - [#F4Jumble]_. However, this can be readily mitigated by providing a - purpose-built library for Traceable Unified Address encoding to Producers. -- A Traceable Unified Address is somewhat longer than a TEX address, although - not excessively so. References ========== @@ -364,18 +219,15 @@ References .. [#binance-delisting] `Zcash Community Forum thread "Important: Potential Binance Delisting" `_ .. [#hanh-profile] `Zcash Community Forum user @hanh `_ .. [#hanh-suggestion] `Ywallet developer @hanh's proposal `_ +.. [#zip-0032] `ZIP 32: Shielded Hierarchical Deterministic Wallets `_ +.. [#zip-0316] `ZIP 316: Unified Addresses and Unified Viewing Keys `_ .. [#zip-0316-terminology] `ZIP 316: Unified Addresses and Unified Viewing Keys — Terminology `_ -.. [#zip-0316-motivation] `ZIP 316: Unified Addresses and Unified Viewing Keys — Motivation `_ .. [#zip-0316-revision-1] `ZIP 316: Unified Addresses and Unified Viewing Keys — Revision 1 `_ -.. [#zip-0316-unified-addresses] `ZIP 316: Unified Addresses and Unified Viewing Keys — Encoding of Unified Addresses `_ -.. [#zip-0316-unified-requirements] `ZIP 316: Unified Addresses and Unified Viewing Keys — Requirements for both Unified Addresses and Unified Viewing Keys `_ -.. [#zip-0316-drop-shielded-restriction] `ZIP 316: Unified Addresses and Unified Viewing Keys — Rationale for dropping the "at least one shielded Item" restriction `_ .. [#zip-0316-metadata-items] `ZIP 316: Unified Addresses and Unified Viewing Keys — Metadata Items `_ .. [#zip-0316-address-expiry] `ZIP 316: Unified Addresses and Unified Viewing Keys — Address Expiration Metadata `_ .. [#protocol-networks] `Zcash Protocol Specification, Version 2023.4.0. Section 3.12: Mainnet and Testnet `_ .. [#protocol-transparentaddrencoding] `Zcash Protocol Specification, Version 2023.4.0. Section 5.6.1.1 Transparent Addresses `_ .. [#binance-address-expiry] `Zcash Community Forum post describing motivations for address expiry `_ .. [#Base58Check] `Base58Check encoding — Bitcoin Wiki `_ -.. [#F4Jumble] `ZIP 316: Unified Addresses and Unified Viewing Keys — Jumbling `_ .. [#bip-0350] `BIP 350: Bech32m format for v1+ witness addresses `_ .. [#zcash_address_wasm] `zcash_address_wasm: Proof-of-concept library for Traceable Unified Address Encoding `_ From e5a24b4d9470e1efcd5da69ba34a0947909902d2 Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Sun, 17 Mar 2024 21:51:56 +0000 Subject: [PATCH 2/4] ZIP 320: address review comments and make additional clarifications. Signed-off-by: Daira-Emma Hopwood --- zip-0320.html | 65 +++++++++++++++++++++++++-------------------------- zip-0320.rst | 65 ++++++++++++++++++++++++++++++++++----------------- 2 files changed, 76 insertions(+), 54 deletions(-) diff --git a/zip-0320.html b/zip-0320.html index 9a324a8b2..827f802a8 100644 --- a/zip-0320.html +++ b/zip-0320.html @@ -22,32 +22,39 @@

Terminology

The key words "MUST", "SHOULD", "NOT RECOMMENDED", and "MAY" in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

The terms "Recipient", "Producer", "Consumer", "Sender", "Receiver", "Address", and "Unified Address" are to be interpreted as described in ZIP 316 7.

-

The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 11.

+

The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification 10.

Abstract

This ZIP defines a new encoding for transparent Zcash addresses. Wallets must ensure that no shielded notes are spent in transactions that send to a transparent address encoded in the specified fashion.

Background

-

In November of 2023, the Zcash community received notice from the Binance cryptocurrency exchange that Zcash was at risk of being delisted from the exchange unless the community could provide a mechanism by which Binance could refuse deposits from shielded addresses and return them to the depositor. This issue was raised and discussed at length in the Zcash Community forum 2.

+

In November 2023, the Zcash community received notice from the Binance cryptocurrency exchange that Zcash was at risk of being delisted from the exchange unless the community could provide a mechanism by which Binance could refuse deposits from shielded addresses and return them to the depositor. This issue was raised and discussed at length in the Zcash Community forum 2.

In the course of that discussion thread, wallet developer and community member @hanh 3 suggested a wallet-oriented approach 4 that involved defining a new encoding for Zcash transparent P2PKH addresses. A Consumer of such an address, whether it be a wallet or an exchange, could recognize this encoding as a directive that the wallet should only spend transparent funds when creating an output to that address. This ZIP formalizes that proposal.

Motivation

-

The Binance cryptocurrency exchange requires that funds sent to their deposit addresses come from source addresses that are readily identifiable using on-chain information, such that if necessary funds may be rejected by sending them back to the source address(es). This ZIP is intended to standardize a transparent address encoding that is not yet understood by preexisting Consumers, in order to prevent inadvertent shielded spends when sending to such addresses. Then, Consumers that upgrade to support the new encoding will do so with the understanding that they must respect the restrictions on sources of funds described in this ZIP.

+

The Binance cryptocurrency exchange requires that funds sent to their deposit addresses come from source addresses that are readily identifiable using on-chain information, such that if necessary funds may be rejected by sending them back to one of the source addresses. This ZIP is intended to standardize a transparent address encoding that is not yet understood by preexisting Consumers, in order to prevent inadvertent shielded spends when sending to such addresses. Then, Consumers that upgrade to support the new encoding will do so with the understanding that they must respect the restrictions on sources of funds described in this ZIP.

+

It is not expected that other exchanges or Producers of Zcash addresses will generate Transparent-Source-Only Addresses unless they have a specific need to be able to identify the address or addresses from which a payment was funded. However, all Consumers of Zcash addresses should implement this specification, in order to promote interoperability across the Zcash ecosystem.

Requirements

    -
  1. A Recipient wishing to receive funds from exclusively transparent sources must be able to generate a receiving address such that only transparent funds will be spent in transactions with an output to this address.
    2. +
  2. A Recipient wishing to receive funds from exclusively transparent sources must be able to generate a receiving address such that only transparent funds will be spent in transactions with an output to this address. The purpose of this is to ensure that it is reliably possible for the Recipient to send back funds received from a Sender that conforms to this ZIP.
  3. Wallets and other Consumers that have not been upgraded to recognize the new address format cannot mistake the address for another address type or inadvertently send shielded funds to the address.
    4. -
  4. No changes to Recipient infrastructure beyond changes to address encoding and decoding should be required as a consequence of this ZIP. In particular, conversion between a transparent-source-only address and the corresponding unrestricted transparent address should be possible using only dependencies that are available to Binance's front-end code.
    5. +
  5. No changes to Recipient infrastructure beyond changes to address encoding and decoding should be required as a consequence of this ZIP. In particular, conversion between a Transparent-Source-Only Address and the corresponding unrestricted transparent address should be possible using only dependencies that are available to Binance's front-end code.
    6. +
+
+

Non-requirements

+
    +
  1. It is only required to support a Transparent-Source-Only form of P2PKH addresses; P2SH address support is not necessary.
    2. +
  2. It is not required to limit the source of transparent funds sent to a Transparent-Source-Only Address to a single source address. This implies that if the Recipient chooses to send back the funds, it is acceptable for it to send them back to any of the source addresses if there is more than one.
    3. +
  3. It is not necessary for the restriction on the source of funds to be enforced as a consensus rule. If a Sender fails to adhere to the restriction, it risks loss of funds, which is acceptable in the case of a non-conforming Sender implementation.
-

It is only required to support a transparent-source-only form of P2PKH addresses; P2SH address support is not necessary.

Specification

-

A TEX Address, also called a Transparent-Source-Only Address, is a Bech32m 15 reencoding of a transparent Zcash P2PKH address 12.

+

A TEX Address, also called a Transparent-Source-Only Address, is a Bech32m 15 reencoding of a transparent Zcash P2PKH address 11.

Wallets and other Senders sending to a TEX address (as any output) MUST ensure that only transparent (P2SH or P2PKH) UTXOs are spent in the creation of the transaction. For simplicity of parsing and interpreting such transactions, they also SHOULD only send to transparent outputs.

A TEX address can be produced from a Mainnet Zcash P2PKH Address by executing the following steps:

    -
  1. Decode the address to a byte sequence using the Base58Check decoding algorithm 14.
    2. +
  2. Decode the address to a byte sequence using the Base58Check decoding algorithm 13.
  3. If the length of the resulting byte sequence is not 22 bytes or if its two-byte address prefix is not \([\mathtt{0x1C}, \mathtt{0xB8}]\) , return an error. Otherwise, let the validating key hash be the remaining 20 bytes of the sequence after removing the two-byte address prefix.
    4. @@ -62,9 +69,10 @@
  4. If the length of the resulting byte sequence is not 20 bytes, return an error. Otherwise, the validating key hash is this byte sequence.

Design considerations for Senders

-

If a user desires to spend shielded funds to a TEX Address, a Sender supporting this ZIP MUST create two transactions: one that unshields the funds to an ephemeral transparent address, and one that spends from that ephemeral address to the destination TEX Address. This does not defeat the intent of the ZIP, because it is still possible for a Recipient to return the funds to the Sender by sending them back to the ephemeral address.

+

For a transaction that spends only from transparent funds to a TEX Address, this specification imposes no additional requirements.

+

If, on the other hand, a user desires to spend shielded funds to a TEX Address, a Sender supporting this ZIP MUST create two transactions: one that unshields the funds to an ephemeral transparent address, and one that spends from that ephemeral address to the destination TEX Address. This does not defeat the intent of the ZIP, because it is still possible for a Recipient to return the funds to the Sender by sending them back to the ephemeral address.

Wallets MUST be able to recognize funds that have been returned in this way and spend them if desired. In order for this to be possible without use of TEX Addresses increasing the risk of loss of funds, wallets based on ZIP 32 5 SHOULD choose ephemeral addresses in a way that allows the corresponding private keys to be recovered from a ZIP 32 master seed.

-

However, ephemeral addresses SHOULD NOT be chosen in a way that allows them to be linked between transactions, without knowledge of the wallet seed or the relevant transparent viewing keys.

+

However, ephemeral addresses SHOULD NOT be chosen in a way that allows them to be linked between transactions, without knowledge of the wallet seed or the relevant transparent viewing keys. This also implies that they SHOULD be chosen in a way that avoids collisions with addresses for previously generated outputs (including change outputs), such as might have been created by a transparent-only wallet using Bitcoin-derived code based on BIP 44 14.

In order to show accurate transaction history to a user, wallets SHOULD remember when a particular transaction output was sent to a TEX Address, so that they can show that form rather than its P2PKH form. It is acceptable that this information may be lost on recovery from seed.

@@ -88,14 +96,13 @@ console.assert(pkh2.length == 20, 'Invalid length'); var t1 = bs58check.encode(Buffer.concat([Uint8Array.from([0x1C, 0xB8]), pkh2])) console.log(t1) -

TEX addresses are also supported by the zcash_address_wasm library 16.

Rationale

TEX addresses are the simplest possible approach to creating a new address type that indicates that only transparent sources of funds should be used.

-

As required by Binance, it will possible to convert between a TEX address and an unrestricted transparent P2PKH address using extremely straightforward code that depends only on Base58Check and Bech32m encoding/decoding, as shown in the above Reference Implementation.

-

An earlier version of this ZIP also described another alternative using metadata in Unified Addresses, as specified in ZIP 316 6. That alternative was designed to enable better integration with the Zcash Unified Address ecosystem, and had the advantage of being able to combine different types of metadata along with the transparent-source-only indicator, such as an expiration block height or time 10.

+

As required by Binance, it will be possible to convert between a TEX address and an unrestricted transparent P2PKH address using extremely straightforward code that depends only on Base58Check and Bech32m encoding/decoding, as shown in the above Reference Implementation.

+

An earlier version of this ZIP also described another alternative using metadata in Unified Addresses, as specified in ZIP 316 6. That alternative was designed to enable better integration with the Zcash Unified Address ecosystem, and had the advantage of being able to combine different types of metadata along with the Transparent-Source-Only indicator, such as an expiration block height or time 9.

However, ultimately the Unified Address-based approach did not meet all of the requirements, since it would in practice have required dependencies on address handling libraries that Binance did not want to depend on in their front-end code.

-

Some of the design elements of that approach that apply to metadata in general have been incorporated into ZIP 316 Revision 1 8. A more general form of Source Restriction Metadata is also under consideration.

+

Some design elements of that approach that apply to metadata in general have been incorporated into ZIP 316 Revision 1 8. A more general form of Source Restriction Metadata is also under consideration.

Disadvantages

A disadvantage of TEX Addresses (and also of the alternative approach using Unified Addresses) is that the information that a TEX Address was used does not appear on-chain, i.e. a transaction sending to a TEX Address is indistinguishable from one sending to the underlying P2PKH address. This is inevitable given the desire not to change the underlying consensus protocol to support this functionality.

@@ -165,18 +172,10 @@
1916 zcash_address_wasm: Proof-of-concept library for Traceable Unified Address Encoding
- - - - - - - -
9ZIP 316: Unified Addresses and Unified Viewing Keys — Metadata Items
- + @@ -184,7 +183,7 @@
109 ZIP 316: Unified Addresses and Unified Viewing Keys — Address Expiration Metadata
- + @@ -192,7 +191,7 @@
1110 Zcash Protocol Specification, Version 2023.4.0. Section 3.12: Mainnet and Testnet
- + @@ -200,7 +199,7 @@
1211 Zcash Protocol Specification, Version 2023.4.0. Section 5.6.1.1 Transparent Addresses
- + @@ -208,24 +207,24 @@
1312 Zcash Community Forum post describing motivations for address expiry
- +
1413 Base58Check encoding — Bitcoin Wiki
- +
- - + +
15BIP 350: Bech32m format for v1+ witness addresses14BIP 44: Multi-Account Hierarchy for Deterministic Wallets
- +
- - + +
16zcash_address_wasm: Proof-of-concept library for Traceable Unified Address Encoding15BIP 350: Bech32m format for v1+ witness addresses
diff --git a/zip-0320.rst b/zip-0320.rst index 176a528a0..5bc08a509 100644 --- a/zip-0320.rst +++ b/zip-0320.rst @@ -40,7 +40,7 @@ transparent address encoded in the specified fashion. Background ========== -In November of 2023, the Zcash community received notice from the Binance +In November 2023, the Zcash community received notice from the Binance cryptocurrency exchange that Zcash was at risk of being delisted from the exchange unless the community could provide a mechanism by which Binance could refuse deposits from shielded addresses and return them to the depositor. This @@ -62,31 +62,51 @@ Motivation The Binance cryptocurrency exchange requires that funds sent to their deposit addresses come from source addresses that are readily identifiable using on-chain information, such that if necessary funds may be rejected by sending -them back to the source address(es). This ZIP is intended to standardize a -transparent address encoding that is not yet understood by preexisting +them back to one of the source addresses. This ZIP is intended to standardize +a transparent address encoding that is not yet understood by preexisting Consumers, in order to prevent inadvertent shielded spends when sending to such addresses. Then, Consumers that upgrade to support the new encoding will do so with the understanding that they must respect the restrictions on sources of funds described in this ZIP. +It is not expected that other exchanges or Producers of Zcash addresses will +generate Transparent-Source-Only Addresses unless they have a specific need to +be able to identify the address or addresses from which a payment was funded. +However, all Consumers of Zcash addresses should implement this specification, +in order to promote interoperability across the Zcash ecosystem. + Requirements ============ 1. A Recipient wishing to receive funds from exclusively transparent sources must be able to generate a receiving address such that only transparent - funds will be spent in transactions with an output to this address. + funds will be spent in transactions with an output to this address. The + purpose of this is to ensure that it is reliably possible for the Recipient + to send back funds received from a Sender that conforms to this ZIP. 2. Wallets and other Consumers that have not been upgraded to recognize the new address format cannot mistake the address for another address type or inadvertently send shielded funds to the address. 3. No changes to Recipient infrastructure beyond changes to address encoding and decoding should be required as a consequence of this ZIP. In particular, - conversion between a transparent-source-only address and the corresponding + conversion between a Transparent-Source-Only Address and the corresponding unrestricted transparent address should be possible using only dependencies that are available to Binance's front-end code. -It is only required to support a transparent-source-only form of P2PKH addresses; -P2SH address support is not necessary. + +Non-requirements +================ + +1. It is only required to support a Transparent-Source-Only form of P2PKH + addresses; P2SH address support is not necessary. +2. It is not required to limit the source of transparent funds sent to a + Transparent-Source-Only Address to a single source address. This implies that + if the Recipient chooses to send back the funds, it is acceptable for it to + send them back to any of the source addresses if there is more than one. +3. It is not necessary for the restriction on the source of funds to be enforced + as a consensus rule. If a Sender fails to adhere to the restriction, it risks + loss of funds, which is acceptable in the case of a non-conforming Sender + implementation. Specification @@ -127,12 +147,15 @@ A TEX address can be parsed by reversing this encoding, i.e.: Design considerations for Senders --------------------------------- -If a user desires to spend shielded funds to a TEX Address, a Sender supporting -this ZIP MUST create two transactions: one that unshields the funds to an -ephemeral transparent address, and one that spends from that ephemeral address -to the destination TEX Address. This does not defeat the intent of the ZIP, -because it is still possible for a Recipient to return the funds to the Sender -by sending them back to the ephemeral address. +For a transaction that spends only from transparent funds to a TEX Address, +this specification imposes no additional requirements. + +If, on the other hand, a user desires to spend shielded funds to a TEX Address, +a Sender supporting this ZIP MUST create two transactions: one that unshields +the funds to an ephemeral transparent address, and one that spends from that +ephemeral address to the destination TEX Address. This does not defeat the +intent of the ZIP, because it is still possible for a Recipient to return the +funds to the Sender by sending them back to the ephemeral address. Wallets MUST be able to recognize funds that have been returned in this way and spend them if desired. In order for this to be possible without use of @@ -142,7 +165,10 @@ corresponding private keys to be recovered from a ZIP 32 master seed. However, ephemeral addresses SHOULD NOT be chosen in a way that allows them to be linked between transactions, without knowledge of the wallet seed or -the relevant transparent viewing keys. +the relevant transparent viewing keys. This also implies that they SHOULD be +chosen in a way that avoids collisions with addresses for previously generated +outputs (including change outputs), such as might have been created by a +transparent-only wallet using Bitcoin-derived code based on BIP 44 [#bip-0044]_. In order to show accurate transaction history to a user, wallets SHOULD remember when a particular transaction output was sent to a TEX Address, so @@ -174,15 +200,13 @@ Javascript:: var t1 = bs58check.encode(Buffer.concat([Uint8Array.from([0x1C, 0xB8]), pkh2])) console.log(t1) -TEX addresses are also supported by the ``zcash_address_wasm`` library [#zcash_address_wasm]_. - Rationale ========= TEX addresses are the simplest possible approach to creating a new address type that indicates that only transparent sources of funds should be used. -As required by Binance, it will possible to convert between a TEX address and an +As required by Binance, it will be possible to convert between a TEX address and an unrestricted transparent P2PKH address using extremely straightforward code that depends only on Base58Check and Bech32m encoding/decoding, as shown in the above `Reference Implementation`_. @@ -191,14 +215,14 @@ An earlier version of this ZIP also described another alternative using metadata in Unified Addresses, as specified in ZIP 316 [#zip-0316]_. That alternative was designed to enable better integration with the Zcash Unified Address ecosystem, and had the advantage of being able to combine different types of metadata along with -the transparent-source-only indicator, such as an expiration block height or time +the Transparent-Source-Only indicator, such as an expiration block height or time [#zip-0316-address-expiry]_. However, ultimately the Unified Address-based approach did not meet all of the requirements, since it would in practice have required dependencies on address handling libraries that Binance did not want to depend on in their front-end code. -Some of the design elements of that approach that apply to metadata in general have +Some design elements of that approach that apply to metadata in general have been incorporated into ZIP 316 Revision 1 [#zip-0316-revision-1]_. A more general form of Source Restriction Metadata is also under consideration. @@ -223,11 +247,10 @@ References .. [#zip-0316] `ZIP 316: Unified Addresses and Unified Viewing Keys `_ .. [#zip-0316-terminology] `ZIP 316: Unified Addresses and Unified Viewing Keys — Terminology `_ .. [#zip-0316-revision-1] `ZIP 316: Unified Addresses and Unified Viewing Keys — Revision 1 `_ -.. [#zip-0316-metadata-items] `ZIP 316: Unified Addresses and Unified Viewing Keys — Metadata Items `_ .. [#zip-0316-address-expiry] `ZIP 316: Unified Addresses and Unified Viewing Keys — Address Expiration Metadata `_ .. [#protocol-networks] `Zcash Protocol Specification, Version 2023.4.0. Section 3.12: Mainnet and Testnet `_ .. [#protocol-transparentaddrencoding] `Zcash Protocol Specification, Version 2023.4.0. Section 5.6.1.1 Transparent Addresses `_ .. [#binance-address-expiry] `Zcash Community Forum post describing motivations for address expiry `_ .. [#Base58Check] `Base58Check encoding — Bitcoin Wiki `_ +.. [#bip-0044] `BIP 44: Multi-Account Hierarchy for Deterministic Wallets `_ .. [#bip-0350] `BIP 350: Bech32m format for v1+ witness addresses `_ -.. [#zcash_address_wasm] `zcash_address_wasm: Proof-of-concept library for Traceable Unified Address Encoding `_ From 870d23056ae010859e1463b46ea35f10c829542c Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Mon, 18 Mar 2024 17:46:41 +0000 Subject: [PATCH 3/4] ZIP 320: use the [#binance-address-expiry] reference. Signed-off-by: Daira-Emma Hopwood --- zip-0320.html | 4 ++-- zip-0320.rst | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/zip-0320.html b/zip-0320.html index 827f802a8..22a2fcaa9 100644 --- a/zip-0320.html +++ b/zip-0320.html @@ -100,9 +100,9 @@

Rationale

TEX addresses are the simplest possible approach to creating a new address type that indicates that only transparent sources of funds should be used.

As required by Binance, it will be possible to convert between a TEX address and an unrestricted transparent P2PKH address using extremely straightforward code that depends only on Base58Check and Bech32m encoding/decoding, as shown in the above Reference Implementation.

-

An earlier version of this ZIP also described another alternative using metadata in Unified Addresses, as specified in ZIP 316 6. That alternative was designed to enable better integration with the Zcash Unified Address ecosystem, and had the advantage of being able to combine different types of metadata along with the Transparent-Source-Only indicator, such as an expiration block height or time 9.

+

An earlier version of this ZIP also described another alternative using metadata in Unified Addresses, as specified in ZIP 316 6. That alternative was designed to enable better integration with the Zcash Unified Address ecosystem, and had the advantage of being able to combine different types of metadata along with the Transparent-Source-Only indicator, such as an expiration block height or time 9 12.

However, ultimately the Unified Address-based approach did not meet all of the requirements, since it would in practice have required dependencies on address handling libraries that Binance did not want to depend on in their front-end code.

-

Some design elements of that approach that apply to metadata in general have been incorporated into ZIP 316 Revision 1 8. A more general form of Source Restriction Metadata is also under consideration.

+

Some design elements of that approach that apply to metadata in general have been incorporated into ZIP 316 Revision 1 8. A more general form of Source Restriction Metadata is also under consideration.

Disadvantages

A disadvantage of TEX Addresses (and also of the alternative approach using Unified Addresses) is that the information that a TEX Address was used does not appear on-chain, i.e. a transaction sending to a TEX Address is indistinguishable from one sending to the underlying P2PKH address. This is inevitable given the desire not to change the underlying consensus protocol to support this functionality.

diff --git a/zip-0320.rst b/zip-0320.rst index 5bc08a509..ea655ef52 100644 --- a/zip-0320.rst +++ b/zip-0320.rst @@ -216,7 +216,7 @@ in Unified Addresses, as specified in ZIP 316 [#zip-0316]_. That alternative was designed to enable better integration with the Zcash Unified Address ecosystem, and had the advantage of being able to combine different types of metadata along with the Transparent-Source-Only indicator, such as an expiration block height or time -[#zip-0316-address-expiry]_. +[#zip-0316-address-expiry]_ [#binance-address-expiry]_. However, ultimately the Unified Address-based approach did not meet all of the requirements, since it would in practice have required dependencies on address From 8cea84fcf312f55e0817ac6a20562fbc17314cb5 Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Mon, 18 Mar 2024 17:49:39 +0000 Subject: [PATCH 4/4] ZIP 320: update Discussions-To and Pull-Request metadata. Signed-off-by: Daira-Emma Hopwood --- zip-0320.html | 4 +++- zip-0320.rst | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/zip-0320.html b/zip-0320.html index 22a2fcaa9..f076f63f0 100644 --- a/zip-0320.html +++ b/zip-0320.html @@ -17,8 +17,10 @@ Created: 2024-01-12 License: MIT Discussions-To: <https://github.com/zcash/zips/issues/757> + <https://github.com/zcash/zips/issues/795> Pull-Request: <https://github.com/zcash/zips/pull/760> - <https://github.com/zcash/zips/pull/766> + <https://github.com/zcash/zips/pull/766> + <https://github.com/zcash/zips/pull/798>

Terminology

The key words "MUST", "SHOULD", "NOT RECOMMENDED", and "MAY" in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

The terms "Recipient", "Producer", "Consumer", "Sender", "Receiver", "Address", and "Unified Address" are to be interpreted as described in ZIP 316 7.

diff --git a/zip-0320.rst b/zip-0320.rst index ea655ef52..4ffea15d7 100644 --- a/zip-0320.rst +++ b/zip-0320.rst @@ -10,8 +10,10 @@ Created: 2024-01-12 License: MIT Discussions-To: + Pull-Request: + Terminology