ZIP 230: Version 6 Transaction Format

ZIP: 230
Title: Version 6 Transaction Format
Owners: Daira-Emma Hopwood <daira-emma@electriccoin.co>
        Jack Grigg <jack@electriccoin.co>
        Sean Bowe <sean@electriccoin.co>
        Kris Nuttycombe <kris@electriccoin.co>
        Pablo Kogan <pablo@qed-it.com>
        Vivek Arte <vivek@qed-it.com>
Original-Authors: Greg Pfeil
                  Deirdre Connolly
Credits: Ying Tong Lai
Status: Draft
Category: Consensus
Created: 2023-04-18
License: MIT
Discussions-To: <https://github.com/zcash/zips/issues/686>

Terminology

The key words "MUST", "SHOULD", and "MAY" in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

The terms "Zcash Shielded Asset", "ZSA" and "Asset" in this document are to be interpreted as described in ZIP 226 7.

The term "Issuance" and "Issuance Action" in this document are to be interpreted as described in ZIP 227 8.

We define the following additional terms:

Issuance Fee: This is the specific fixed fee that has to be paid to the network for every given issuance action.

The character § is used when referring to sections of the Zcash Protocol Specification 2.

Abstract

This proposal defines a new Zcash peer-to-peer transaction format, which includes data that supports the Orchard-ZSA protocol and all operations related to Zcash Shielded Assets (ZSAs). The new format adds and describes new fields containing ZSA-specific elements. Like the existing v5 transaction format, it keeps well-bounded regions of the serialized form to serve each pool of funds.

This ZIP also depends upon and defines modifications to the computation of the values TxId Digest, Signature Digest, and Authorizing Data Commitment defined by ZIP 244 9.

This ZIP additionally defines the fee mechanism associated with the Orchard Zcash Shielded Assets (OrchardZSA) protocol as described in ZIP 226 7 and ZIP 227 8. The fee mechanism is defined in terms of modifications to the Proportionak Transfer Fee Mechanism 11.

Motivation

The Orchard-ZSA protocol requires serialized data elements that are distinct from any previous Zcash transaction. Since ZIP 244 was activated in NU5, the v5 and later serialized transaction formats are not consensus-critical. Thus, this ZIP defines format that can easily accommodate future extensions, where elements or a given pool are kept separate.

The upgrade to the OrchardZSA protocol will also need to define a fee structure consistent with the objectives of ZIP 317 11. This involves adaptation for the transfer protocol 7, as well as additional considerations for the issuance protocol 8 such as fees for asset issuance. Specifically, the OrchardZSA Transfer and Burn mechanism should follow the same fee mechanism in order to not discriminate between transfer bundle types. When it comes to Issuance of ZSA, however, there should be a disincentive that will stop users from flooding the chain with useless asset identifiers. In the case of Issuance, the computational power needed to verify the bundle is not large. The transaction size, however, can be an issue as the number of output notes can be large. Furthermore, as defined in ZIP 227 8, there is an additional data structure in the global state that needs to be maintained as part of the consensus. This motivates further the addition of an Issuance-specific fee.

Requirements

The new format must fully support the Orchard-ZSA protocol.

The new format should lend itself to future extension or pruning to add or remove value pools.

The computation of the non-malleable transaction identifier hash must include all newly incorporated elements except those that attest to transaction validity.

The computation of the commitment to authorizing data for a transaction must include all newly incorporated elements that attest to transaction validity.

In addition to the requirements of ZIP 317 11, the fee mechanism for the OrchardZSA protocol should satisfy the following requirements:

The conventional fee should not leak private information used in constructing the transaction; that is, it should be computable from only the public data of the transaction.
Users should be discouraged from issuing new “garbage” custom Assets. The fee should reflect the cost of adding new data to the global state.

Non-requirements

More general forms of extensibility, such as definining a key/value format that allows for parsers that are unaware of some components, are not required.

Specification

All fields in this specification are encoded as little-endian.

The Zcash transaction format for transaction version 6 is as follows:

Transaction Format

Bytes	Name	Data Type	Description
Common Transaction Fields
`4`	`header`	`uint32`	Contains: `fOverwintered` flag (bit 31, always set) `version` (bits 30 .. 0) – transaction version.
`4`	`nVersionGroupId`	`uint32`	Version group ID (nonzero).
`4`	`nConsensusBranchId`	`uint32`	Consensus branch ID (nonzero).
`4`	`lock_time`	`uint32`	Unix-epoch UTC time or block height, encoded as in Bitcoin.
`4`	`nExpiryHeight`	`uint32`	A block height in the range {1 .. 499999999} after which the transaction will expire, or 0 to disable expiry. [ZIP-203]
`8`	`fee`	`int64`	The fee to be paid by this transaction, in zatoshis.
Transparent Transaction Fields
`varies`	`tx_in_count`	`compactSize`	Number of transparent inputs in `tx_in`.
`varies`	`tx_in`	`tx_in`	Transparent inputs, encoded as in Bitcoin.
`varies`	`tx_out_count`	`compactSize`	Number of transparent outputs in `tx_out`.
`varies`	`tx_out`	`tx_out`	Transparent outputs, encoded as in Bitcoin.
Sapling Transaction Fields
`varies`	`nSpendsSapling`	`compactSize`	Number of Sapling Spend descriptions in `vSpendsSapling`.
`96 * nSpendsSapling`	`vSpendsSapling`	`SpendDescriptionV6[nSpendsSapling]`	A sequence of Sapling Spend descriptions, encoded per protocol §7.3 ‘Spend Description Encoding and Consensus’.
`varies`	`nOutputsSapling`	`compactSize`	Number of Sapling Output Decriptions in `vOutputsSapling`.
`756 * nOutputsSapling`	`vOutputsSapling`	`OutputDescriptionV6[nOutputsSapling]`	A sequence of Sapling Output descriptions, encoded per protocol §7.4 ‘Output Description Encoding and Consensus’.
`8`	`valueBalanceSapling`	`int64`	The net value of Sapling Spends minus Outputs
`32`	`anchorSapling`	`byte[32]`	A root of the Sapling note commitment tree at some block height in the past.
`192 * nSpendsSapling`	`vSpendProofsSapling`	`byte[192 * nSpendsSapling]`	Encodings of the zk-SNARK proofs for each Sapling Spend.
`64 * nSpendsSapling`	`vSpendAuthSigsSapling`	`byte[64 * nSpendsSapling]`	Authorizing signatures for each Sapling Spend.
`192 * nOutputsSapling`	`vOutputProofsSapling`	`byte[192 * nOutputsSapling]`	Encodings of the zk-SNARK proofs for each Sapling Output.
`64`	`bindingSigSapling`	`byte[64]`	A Sapling binding signature on the SIGHASH transaction hash.
Orchard-ZSA Transaction Fields
`varies`	`nActionsOrchard`	`compactSize`	The number of Orchard-ZSA Action descriptions in `vActionsOrchard`.
`852 * nActionsOrchard`	`vActionsOrchard`	`OrchardZsaAction[nActionsOrchard]`	A sequence of Orchard-ZSA Action descriptions, encoded per the Orchard-ZSA Action Description Encoding.
`1`	`flagsOrchard`	`byte`	An 8-bit value representing a set of flags. Ordered from LSB to MSB: `enableSpendsOrchard` `enableOutputsOrchard` `enableZSAs` The remaining bits are set to \(0\!\) .
`8`	`valueBalanceOrchard`	`int64`	The net value of Orchard spends minus outputs.
`32`	`anchorOrchard`	`byte[32]`	A root of the Orchard note commitment tree at some block height in the past.
`varies`	`sizeProofsOrchardZSA`	`compactSize`	Length in bytes of `proofsOrchardZSA`. Value is (TO UPDATE) \(2720 + 2272 \cdot \mathtt{nActionsOrchard}\!\) .
`sizeProofsOrchardZSA`	`proofsOrchardZSA`	`byte[sizeProofsOrchardZSA]`	Encoding of aggregated zk-SNARK proofs for Orchard-ZSA Actions.
`64 * nActionsOrchard`	`vSpendAuthSigsOrchard`	`byte[64 * nActionsOrchard]`	Authorizing signatures for each Orchard-ZSA Action.
`varies`	`nAssetBurn`	`compactSize`	The number of Assets burnt.
`40 * nAssetBurn`	`vAssetBurn`	`AssetBurn[nAssetBurn]`	A sequence of Asset Burn descriptions, encoded per Orchard-ZSA Asset Burn Description.
`64`	`bindingSigOrchard`	`byte[64]`	An Orchard-ZSA binding signature on the SIGHASH transaction hash.
Orchard-ZSA Issuance Fields
`varies`	`nIssueActions`	`compactSize`	The number of issuance actions in the bundle.
`IssueActionSize * nIssueActions`	`vIssueActions`	`IssueAction[nIssueActions]`	A sequence of issuance action descriptions, where IssueActionSize is the size, in bytes, of an IssueAction description.
`32`	`ik`	`byte[32]`	The issuance validating key of the issuer, used to validate the signature.
`64`	`issueAuthSig`	`byte[64]`	The signature of the transaction SIGHASH, signed by the issuer, validated as in Issuance Authorization Signature Scheme 8.

The fields valueBalanceSapling and bindingSigSapling are present if and only if \(\mathtt{nSpendsSapling} + \mathtt{nOutputsSapling} > 0\!\) . If valueBalanceSapling is not present, then \(\mathsf{v^{balanceSapling}}\) is defined to be \(0\!\) .
The field anchorSapling is present if and only if \(\mathtt{nSpendsSapling} > 0\!\) .
The elements of vSpendProofsSapling and vSpendAuthSigsSapling have a 1:1 correspondence to the elements of vSpendsSapling and MUST be ordered such that the proof or signature at a given index corresponds to the SpendDescriptionV6 at the same index.
The elements of vOutputProofsSapling have a 1:1 correspondence to the elements of vOutputsSapling and MUST be ordered such that the proof at a given index corresponds to the OutputDescriptionV6 at the same index.
The fields flagsOrchard, valueBalanceOrchard, anchorOrchard, sizeProofsOrchardZSA, proofsOrchardZSA, and bindingSigOrchard are present if and only if \(\mathtt{nActionsOrchard} > 0\!\) . If valueBalanceOrchard is not present, then \(\mathsf{v^{balanceOrchard}}\) is defined to be \(0\!\) .
The proofs aggregated in proofsOrchardZSA, and the elements of vSpendAuthSigsOrchard, each have a 1:1 correspondence to the elements of vActionsOrchard and MUST be ordered such that the proof or signature at a given index corresponds to the OrchardZsaAction at the same index.
The fields ik and issueAuthSig are present if and only if \(\mathtt{nIssueActions} > 0\!\) .
For coinbase transactions, the enableSpendsOrchard and enableZSAs bits MUST be set to \(0\!\) .

The encodings of tx_in, and tx_out are as in a version 4 transaction (i.e. unchanged from Canopy). The encodings of SpendDescriptionV6, OutputDescriptionV6 , OrchardZsaAction, AssetBurn and IssueAction are described below. The encoding of Sapling Spends and Outputs has changed relative to prior versions in order to better separate data that describe the effects of the transaction from the proofs of and commitments to those effects, and for symmetry with this separation in the Orchard-related parts of the transaction format.

Sapling Spend Description (`SpendDescriptionV6`)

Bytes	Name	Data Type	Description
`32`	`cv`	`byte[32]`	A value commitment to the net value of the input note.
`32`	`nullifier`	`byte[32]`	The nullifier of the input note.
`32`	`rk`	`byte[32]`	The randomized validating key for the element of spendAuthSigsSapling corresponding to this Spend.

The encodings of each of these elements are defined in §7.3 ‘Spend Description Encoding and Consensus’ of the Zcash Protocol Specification 3.

Sapling Output Description (`OutputDescriptionV6`)

Bytes	Name	Data Type	Description
`32`	`cv`	`byte[32]`	A value commitment to the net value of the output note.
`32`	`cmu`	`byte[32]`	The \(u\!\) -coordinate of the note commitment for the output note.
`32`	`ephemeralKey`	`byte[32]`	An encoding of an ephemeral Jubjub public key.
`580`	`encCiphertext`	`byte[580]`	The encrypted contents of the note plaintext.
`80`	`outCiphertext`	`byte[80]`	The encrypted contents of the byte string created by concatenation of the transmission key with the ephemeral secret key.

The encodings of each of these elements are defined in §7.4 ‘Output Description Encoding and Consensus’ of the Zcash Protocol Specification 4.

Orchard-ZSA Action Description (`OrchardZsaAction`)

Bytes	Name	Data Type	Description
`32`	`cv`	`byte[32]`	A value commitment to the net value of the input note minus the output note.
`32`	`nullifier`	`byte[32]`	The nullifier of the input note.
`32`	`rk`	`byte[32]`	The randomized validating key for the element of spendAuthSigsOrchard corresponding to this Action.
`32`	`cmx`	`byte[32]`	The \(x\!\) -coordinate of the note commitment for the output note.
`32`	`ephemeralKey`	`byte[32]`	An encoding of an ephemeral Pallas public key
`612`	`encCiphertext`	`byte[580]`	The encrypted contents of the note plaintext.
`80`	`outCiphertext`	`byte[80]`	The encrypted contents of the byte string created by concatenation of the transmission key with the ephemeral secret key.

The encodings of each of these elements are defined in §7.5 ‘Action Description Encoding and Consensus’ of the Zcash Protocol Specification 5.

Orchard-ZSA Asset Burn Description

An Orchard-ZSA Asset Burn description is encoded in a transaction as an instance of an AssetBurn type:

Bytes	Name	Data Type	Description
32	`AssetBase`	`byte[32]`	For the Orchard-based ZSA protocol, this is the encoding of the Asset Base \(\mathsf{AssetBase^{Orchard}}\!\) .
8	`valueBurn`	`uint64`	The amount being burnt. The value is checked by consensus to be non-zero.

The encodings of each of these elements are defined in ZIP 226 7.

Issuance Action Description (`IssueAction`)

An issuance action, IssueAction, is the instance of issuing a specific Custom Asset, and contains the following fields:

Bytes	Name	Data Type	Description
`varies`	`assetDescSize`	`compactSize`	The length of the asset description string in bytes.
`assetDescSize`	`asset_desc`	`byte[assetDescSize]`	A byte sequence of length `assetDescSize` bytes which SHOULD be a well-formed UTF-8 code unit sequence according to Unicode 15.0.0 or later.
`varies`	`nNotes`	`compactSize`	The number of notes in the Issuance Action.
`147 * nNotes`	`vNotes`	`IssueNote[nNotes]`	A sequence of note descriptions within the Issuance Action.
`1`	`flagsIssuance`	`byte`	An 8-bit value representing a set of flags. Ordered from LSB to MSB: \(\mathsf{finalize}\) The remaining bits are set to \(0\!\) .

The encoding of IssueNote is described below. Note that we allow the number of notes (represented by nNotes) to be zero. This allows for issuers to create Issuance Actions to only finalize an issued Asset, without needing them to simultaneously issue more of that Asset.

Issue Note Description (`IssueNote`)

An issuance note, IssueNote contains the following fields:

Bytes	Name	Data Type	Description
`43`	`recipient`	`byte[43]`	The encoding of a recipient's diversified payment address, as \(\mathsf{LEBS2OSP}_{88}(\mathsf{d})\\| \mathsf{LEBS2OSP}_{256}(\mathsf{repr}_{\mathbb{P}} (\mathsf{pk}_\mathsf{d}))\!\) , where \(\mathsf{d}\) is the diversifier and \(\mathsf{pk_d}\) is the diversified transmission key. Non Normative Note: This is the same as the encoding of an Orchard Raw Payment Address, as defined in the protocol specification §5.6.4.2 ‘Orchard Raw Payment Addresses’.
`8`	`value`	`uint64`	The amount being issued in this note.
`32`	`assetBase`	`byte[32]`	The encoding of the Asset Base \(\mathsf{AssetBase^{Orchard}}\!\) , as defined in 'ZIP 227'.
`32`	`rho`	`byte[32]`	This is defined and encoded in the same manner as for Orchard notes in protocol §3.2.1 'Note Plaintexts and Memo Fields'.
`32`	`rseed`	`byte[32]`	The `rseed` field of the note, encoded as for Orchard notes in protocol §3.2.1 'Note Plaintexts and Memo Fields'.

OrchardZSA Fee Calculation

In addition to the parameters defined in the Fee calculation section of ZIP 317 12, the OrchardZSA protocol upgrade defines the following additional parameters:

Parameter	Value
\(\mathsf{issuance\_fee}\)	\(100 \cdot marginal\_fee\) per issuance action (as defined below)

Wallets implementing this specification SHOULD use a conventional fee, viz. \(\mathsf{zsa\_conventional\_fee}\!\) , that is calculated in zatoshis. Additional definitions that are used in the formula for the calculation are in the table below:

Input	Units	Description
\(\mathsf{nOrchardActions}\)	number	the number of OrchardZSA transfer actions (including ZEC actions)
\(\mathsf{nTotalOutputsZsaIssuance}\)	number	the total number of OrchardZSA issuance outputs (added across issuance actions)
\(\mathsf{nCreateActions}\)	number	the number of OrchardZSA issuance actions that issue a Custom Asset that is not present in the Global Issuance State

The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 6 and the global state. They are defined in the Fee calculation section of ZIP 317 12. Note that \(\mathsf{nOrchardActions}\!\) , that is used in the computation of \(\mathsf{logical\_actions}\!\) , is redefined in the above table, and now combines the actions for native ZEC as well as OrchardZSA transfer actions for Custom Assets.

The formula for the computation of the \(\mathsf{zsa\_logical\_actions}\) (with the updated computation of \(\mathsf{logical\_actions}\) as described above) is:

\(\mathsf{zsa\_logical\_actions} = \mathsf{logical\_actions} \;+ \mathsf{nTotalOutputsZsaIssuance}\)

The formula for the computation of the \(\mathsf{zsa\_conventional\_fee}\) is:

\(\begin{array}{rcl} \mathsf{zsa\_conventional\_fee} &=& \mathsf{marginal\_fee} \cdot \mathsf{max}(\mathsf{grace\_actions}, \mathsf{zsa\_logical\_actions}) \;+ \\ & & \mathsf{issuance\_fee} \cdot \mathsf{nCreateActions} \end{array}\)

It is not a consensus requirement that fees follow this formula; however, wallets SHOULD create transactions that pay this fee, in order to reduce information leakage, unless overridden by the user.

Rationale for OrchardZSA Fee calculation

The OrchardZSA fee calculation accounts for the additions to the Global Issuance State that are required for the OrchardZSA protocol. Every newly created Custom Asset adds a new row to the Global Issuance State. Subsequent issuance, finalization, or burn of existing Custom Assets only changes the values in the corresponding row.

This explains the need for a higher fee for the creation of entirely new Custom Assets, in order to disincentivize the creation of "junk" assets.

OrchardZSA Fee Considerations

We choose to maintain the native ZEC Asset as the primary token for the Zcash blockchain, similar to how ETH is needed for ERC20 transactions to the benefit of the Ethereum ecosystem.

An alternative proposal for the OrchardZSA fee mechanism that was not adopted was to adopt a new type of fee, denominated in the custom Asset being issued or transferred. In the context of transparent transactions, such a fee allows miners to “tap into” the ZSA value of the transactions, rather than the ZEC value of transactions. However when transactions are shielded, any design that lifts value from the transaction would also leak information about it.

Deployment

Version 6 transactions are proposed to be allowed on the network starting from Network Upgrade 7. 10

Reference implementation

TODO

References

1	Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"

2	Zcash Protocol Specification, Version 2024.5.1 or later [NU6]

3	Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.4: Spend Descriptions

4	Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.5: Output Descriptions

5	Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.6: Action Descriptions

6	Zcash Protocol Specification, Version 2022.3.8. Section 7.1: Transaction Encoding and Consensus

7	ZIP 226: Transfer and Burn of Zcash Shielded Assets

8	ZIP 227: Issuance of Zcash Shielded Assets

9	ZIP 244: Transaction Identifier Non-Malleability

10	ZIP 254: Deployment of the NU7 Network Upgrade

11	ZIP 317: Proportional Transfer Fee Mechanism

12	ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation