ZIP: 304 Title: Sapling Address Signatures Owners: Jack Grigg <jack@electriccoin.co> Credits: Daira-Emma Hopwood <daira-emma@electriccoin.co> Sean Bowe <sean@electriccoin.co> Status: Draft Category: Standards / RPC / Wallet Created: 2020-06-01 License: MIT Discussions-To: <https://github.com/zcash/zips/issues/345> Pull-Request: <https://github.com/zcash/zips/pull/376>
The key words "MUST" and "SHOULD" in this document is to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.
This proposal describes a mechanism for creating signatures with Sapling addresses, suitable for use by the signmessage
and verifymessage
RPC methods in zcashd
.
There are a variety of situations where it is useful for a user to be able to prove that they control a given payment address. For example, before a high-value transfer of funds, the sender may want to verify that the recipient will definitely be able to spend them, to ensure that the funds won't be stuck in an invalid or unusable address.
A payment address is analogous (in some cases, identical) to a public key in a signature scheme. A transaction that spends funds received by the address, is authorized by making (the equivalent of) a signature with the corresponding spending key. This authorization protocol can be repurposed to instead sign a message provided by a third party.
Bitcoin Core's bitcoind
provides a signmessage
RPC method that implements message signing for Bitcoin addresses, leveraging the fact that a Bitcoin private key is just a secp256k
private key, and a Bitcoin transaction authorizes spends with a signature. zcashd
inherited this RPC method, and it can be used to make signatures for transparent Zcash addresses.
However, support for signing messages with shielded addresses was not possible when Zcash launched, because of the design of the Sprout protocol (and the state of zero-knowledge proof R&D at the time). Shielded transactions, by design, do not expose the payment address of the sender when creating a transaction; in Sprout, this meant that the spending key was a private input to the zero-knowledge proof, and not a key that could be used to create a signature.
One of the R&D achievements behind the Sapling protocol was the ability to use elliptic curves inside a circuit. With this primitive available, Sapling keys and payment addresses could be designed such that transaction authorization involved a signature. While this was designed to enable hardware wallets (which lack the power to create zero-knowledge proofs, but can easily create signatures), it also enables the creation of a mechanism for signing arbitrary messages. That mechanism is the subject of this ZIP.
The following constants and functions used in this ZIP are defined in the Zcash protocol specification: 3
We also reproduce some notation and functions here for convenience:
Given a payment address, a message, and a valid signature, the following properties should hold:
Multiple signatures by a single payment addresses are not required to be unlinkable.
A Sapling address signature is created by taking the process for creating a Sapling Spend description, and running it with fixed inputs:
The inputs to the signature algorithm are:
The signature is created as follows:
The inputs to the verification algorithm are:
The signature MUST be verified as follows:
The raw form of a ZIP 304 signature is \(\mathsf{nf}\,||\,\mathsf{LEBS2OSP}_{256}(\mathsf{repr}_{\mathbb{J}}(\mathsf{rk}))\,||\,zkproof\,||\,spendAuthSig\!\) , for a total size of 320 bytes.
When encoding a ZIP 304 signature in a human-readable format, implementations SHOULD use standard Base64 for compatibility with the signmessage
and verifymessage
RPC methods in zcashd
. ZIP 304 signatures in this form are 428 bytes. The encoded form is the string
\(\texttt{“zip304:”}\)
followed by the result of Base64-encoding 2 the raw form of the signature.
We use a fake note within the signature scheme in order to reuse the Sapling Spend circuit and its parameters. It is possible to construct a signature scheme with a smaller encoded signature, but this would require a new circuit and another parameter-generation ceremony (if Groth16 were used).
We use a note value of \(1\) zatoshi instead of zero to ensure that the payment address is fully bound to \(zkproof\!\) . Notes with zero value have certain constraints disabled inside the circuit.
We set \(\mathsf{rcm}\) and \(\mathsf{rcv}\) to zero because we do not need the hiding properties of the note commitment or value commitment schemes (as we are using a fixed-value fake note), and can thus omit both \(\mathsf{rcm}\) and \(\mathsf{rcv}\) from the signature.
A normal (and desired) property of signature schemes is that all signatures for a specific public key are linkable if the public key is known. ZIP 304 signatures have the additional property that all signatures for a specific payment address are linkable without knowing the payment address, as the first 32 bytes of each signature will be identical.
A signature is bound to a specific diversified address of the spending key. Signatures for different diversified addresses of the same spending key are unlinkable, as long as \(α\) is never re-used across signatures.
Most of the data within a ZIP 304 signature is inherently non-malleable:
The one component that is inherently malleable is \(zkproof\!\) . The zero-knowledge property of a Groth16 proof implies that anyone can take a valid proof, and re-randomize it to obtain another valid proof with a different encoding. We prevent this by binding the encoding of \(zkproof\) to \(spendAuthSig\!\) , by including \(zkproof\) in the message digest.
1 | Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words" |
---|
2 | RFC 4648: The Base16, Base32, and Base64 Data Encodings |
---|
3 | Zcash Protocol Specification, Version 2020.1.15 or later |
---|
4 | Zcash Protocol Specification, Version 2020.1.15. Section 4.8: Merkle path validity |
---|
5 | Zcash Protocol Specification, Version 2020.1.15. Section 4.15.2: Spend Statement (Sapling) |
---|
6 | Zcash Protocol Specification, Version 2020.1.15. Section 5.3: Constants |
---|
7 | Zcash Protocol Specification, Version 2020.1.15. Section 5.4.1.3: Merkle Tree Hash Function |
---|
8 | Zcash Protocol Specification, Version 2020.1.15. Section 5.4.1.6: DiversifyHash Hash Function |
---|
9 | Zcash Protocol Specification, Version 2020.1.15. Section 5.4.1.8: Mixing Pedersen Hash Function |
---|
10 | Zcash Protocol Specification, Version 2020.1.15. Section 5.4.2: Pseudo Random Functions |
---|
11 | Zcash Protocol Specification, Version 2020.1.15. Section 5.4.6.1: Spend Authorization Signature |
---|
12 | Zcash Protocol Specification, Version 2020.1.15. Section 5.4.7.2: Windowed Pedersen commitments |
---|
13 | Zcash Protocol Specification, Version 2020.1.15. Section 5.4.7.3: Homomorphic Pedersen commitments |
---|
14 | Zcash Protocol Specification, Version 2020.1.15. Section 5.4.8.3: Jubjub |
---|
15 | SLIP-0044 : Registered coin types for BIP-0044 |
---|