ZIP: 211 Title: Disabling Addition of New Value to the Sprout Value Pool Owners: Daira Hopwood <email@example.com> Credits: Sean Bowe Status: Proposed Category: Consensus Created: 2019-03-29 License: MIT
The key words "MUST", "SHOULD", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. 1
The term "network upgrade" in this document is to be interpreted as described in ZIP 200 2.
The term "Sapling" in this document is to be interpreted as described in ZIP 205 3.
The term "Sprout value pool balance" in this document is to be interpreted as described in ZIP 209 4.
This proposal disables the ability to add new value to the Sprout value pool balance. This takes a step toward being able to remove the Sprout protocol, thus reducing the overall complexity and attack surface of Zcash.
The first iteration of the Zcash network, called Sprout, provided a shielded payment protocol that was relatively closely based on the original Zerocash proposal. 7
The Sapling network upgrade 3 introduced significant efficiency and functionality improvements for shielded transactions. It is expected that over time, the use of Sapling shielded transactions will replace the use of Sprout.
The Sapling and Sprout shielded protocols employ different cryptographic designs. Since an adversary could potentially exploit any vulnerability in either design, supporting both presents additional risk over supporting only the newer Sapling protocol.
For example, a vulnerability was discovered in the zero-knowledge proving system originally used by Zcash that could have allowed counterfeiting 8. While this particular vulnerability was addressed (also for Sprout shielded transactions) by the Sapling upgrade, and we are not aware of others at the time of writing, the possibility of other cryptographic weaknesses cannot be entirely ruled out.
In addition, the Zcash specification and implementation incurs complexity and "technical debt" from the requirement to support and test both shielded transaction protocols.
Removing the ability to add to the Sprout shielded value pool balance, is a first step toward reducing this complexity and potential risk. This does not prevent extracting value held in Sprout addresses and sending it to transparent addresses, or to Sapling addresses via the migration tool 6.
From the relevant activation height, the
vpub_old field of each JoinSplit description MUST be zero.
When this proposal is activated, nodes and wallets MUST disable any facilities to send to Sprout addresses, and this SHOULD be made clear in user interfaces and API documentation.
Note that the facility to send to Sprout addresses, before activation of this proposal, is in any case OPTIONAL for a particular node or wallet implementation.
This design does not require any change to the JoinSplit circuit, thus minimizing the risk of security regressions, and avoiding the need for a new ceremony to generate circuit parameters.
The code changes needed are very small and simple, and their security is easy to analyse.
During the development of this proposal, alternative designs were considered that would have removed some fields of a JoinSplit description. These alternatives were abandoned for several reasons:
The security motivations for making this change are described in the Motivation section. Privacy concerns that led to the current design are discussed in the Rationale section.
Since all clients change their behaviour at the same time from this proposal's activation height, there is no additional client distinguisher.
This proposal will be deployed with the Canopy network upgrade. 5
|1||Key words for use in RFCs to Indicate Requirement Levels|
|2||ZIP 200: Network Upgrade Activation Mechanism|
|3||ZIP 205: Deployment of the Sapling Network Upgrade|
|4||ZIP 209: Prohibit Negative Shielded Value Pool|
|5||ZIP 251: Deployment of the Canopy Network Upgrade|
|6||ZIP 308: Sprout to Sapling Migration|
|7||Zerocash: Decentralized Anonymous Payments from Bitcoin (extended version)|
|8||Zcash Counterfeiting Vulnerability Successfully Remediated|