[ZIP 2005] Update the Quantum Recoverability deployment plan#1207
[ZIP 2005] Update the Quantum Recoverability deployment plan#1207ValarDragon wants to merge 3 commits into
Conversation
|
Something that came up is that this will require a keystone firmware update. So deployment strategy needs to be adapted accordingly. I am testing the UX of keystone firmware updates from my phone, and what we can do to make ZODL alert a user if their keystone isn't updated. There is not yet keystone version negotiation in ZODL, I don't yet have an answer if its possible without a keystone firmware update. An alternative design would be to adapt QR to not need a note commitment change, e.g. via editing the binding signature which is purely wallet only |
| October 2025 (as proposed for the NU6.1 upgrade). Another revision | ||
| may be needed to merge with other changes in a future v6 transaction | ||
| format (memo bundles [^zip-0231] and |
There was a problem hiding this comment.
"Revision" has a specific meaning in ZIPs - it is our backwards-incompatible change indicator (similar to major SemVer).
This paragraph is not about making a revision. It is an editorial note, about the fact that once the ZIP transitions from Draft to Proposed, the ZIP Editors will take the updates in this section and apply them to the specified locations, performing the merges with other updates as necessary.
Proposed rewording:
| October 2025 (as proposed for the NU6.1 upgrade). Another revision | |
| may be needed to merge with other changes in a future v6 transaction | |
| format (memo bundles [^zip-0231] and | |
| October 2025 (as proposed for the NU6.1 upgrade). It will need to be merged | |
| with any other changes to the note plaintext format in whichever NU deploys the | |
| v6 transaction format (for example, memo bundles [^zip-0231] and/or |
| It is described in sections [Usage with FROST] and [Usage with Hardware Wallets]. | ||
|
|
||
| A new note plaintext version is specified, beginning with a | ||
| $\{ \mathtt{0x03} \}$ byte. Wallets are intended to upgrade to |
There was a problem hiding this comment.
None of the changes in this PR are in the Specification section, which is a sign that this PR is not actually making any normative changes to the ZIP. Changes to Motivation and Deployment are not normative.
At a minimum there needs to be a change to the acceptable versions function, to handle the fact that pre-NU wallets would need to start accepting 0x03 note plaintexts independently of a tx version update (instead of what this ZIP previously was specifying, which was having 0x03 be solely associated with v6 txs).
| external notes. | ||
| * There is a risk that if the recipient wallet is not yet phase 1, | ||
| they will not receive the payment until they upgrade their wallet | ||
| version, and it re-syncs. |
There was a problem hiding this comment.
This needs to be expressed as a change to the protocol spec's conformance requirements on wallets, and probably also a change to ZIP 315.
Additionally, even Phase 1 would need some defined activation height, even if it is a purely trivial one (e.g. the block height at which this ZIP transitions from Draft to Proposed). Phase 1 doesn't need to worry about this being in the past, because wallets are only sending notes to themselves (so the effective activation height is "whenever the wallet implementor implements Phase 1 and makes an app update"); having a defined activation height just ensures that on recovery, wallets don't try and look for 0x03 earlier than they could have existed.
| We view the risks laid out above worth taking, for the benefit of | ||
| getting users quantum recoverable sooner. There were difficulties in | ||
| the deployment of [ZIP 212](https://zips.z.cash/zip-0212), which | ||
| centered around upgraded wallets not being able to receive funds from | ||
| a wallet who did not upgrade during the allotted grace period. This | ||
| is fixed here, because within the v5 transaction format, non quantum | ||
| recoverable notes will always be accepted by all wallets. |
There was a problem hiding this comment.
This should be Rationale for the changes to the acceptable versions function, not Deployment.
| features. That note plaintext version would be with $\{\mathsf{0x04}\}$ or | ||
| greater. |
There was a problem hiding this comment.
This is the first time 0x04 is mentioned. It needs to be specified in the Specification section.
Also (from @daira) they are "note plaintext lead bytes", not "note plaintext versions".
| format change, and no changes to today's Orchard circuit. We roll out | ||
| the note plaintext change in two phases, with planned further | ||
| restrictions in the eventual v6 transaction format. In Phase 1, every | ||
| wallet independently updates to support receiving the new quantum | ||
| recoverable note format, and begins using it for internal change | ||
| notes. Each wallet is intended to warn the user, that they may see | ||
| lower balances if they use the same seed phrase on distinct, old | ||
| wallet software. In Phase 2, a coordinated upgrade height is decided | ||
| upon, for wallets to begin sending quantum recoverable notes in the | ||
| v5 transaction format. In Phase 2, wallets all still accept non | ||
| quantum recoverable notes. This deployment is structured such that users can | ||
| get quantum recoverability guarantees very quickly, with the only risks to | ||
| user funds are: | ||
|
|
||
| * During phase 1 and phase 2, if you use the same seed on another older | ||
| wallet version, you will see an inaccurate balance on the older | ||
| wallet. | ||
| * After the phase 2 coordinated upgrade height, if you use an older | ||
| wallet that did not upgrade for phase 1, you will not see incoming | ||
| payments from phase 2 wallets until you upgrade. |
There was a problem hiding this comment.
This feels more like Rationale for the spec (which could be done inline as "Rationale for Foo" subsections), mixed with Deployment content (vs the changes to Deployment which as noted are really Specification).
| future versions of Zcash designed to be so. We call this property | ||
| quantum recoverability. |
There was a problem hiding this comment.
"this property" is ambiguous referent.
I see several problems with this:
It is necessary that recipients can check their notes are correctly bound, and reject |
|
Thank you for all the comments! I'll make changes accordingly.
Your right! We could use the randomness for the signature from The same compact block problem would apply, but the trade-off is somewhat:
The only way I can see for how to safely pack data into a compact block without a lead plaintext byte change would be the memo. A candidate strategy would be on receipt of a tx, the wallet downloads the full tx or QR data to determine if its a QR note. Perhaps the trade-off looks like:
|
|
|
Ah your right, more accurate would be "only way to detect QR that I can see, in the existing light client protocol, and no note plaintext lead byte change". (Since the full memo is downloaded in the current light client protocol, after trial decrypt) |
This can't work. The current note commitment scheme is not post-quantum binding and that's a major part of the problem to be solved, so I think this comment indicates a misunderstanding of what that problem is. We will not change the semantics of the note plaintext without changing the lead byte. The lead byte is how the creator of the note communicates to the recipient what the semantics are. Also nothing is to be gained by not changing the lead byte, because the recipient would in that case compute the wrong commitment, so it would ignore the note. It does not matter for compatibility whether it ignores the note because of computing the wrong commitment, or it ignores it because of an unrecognized lead byte — but the former is less explicit and less easily debuggable, which is why we will not do it that way. |
| Owners: Daira-Emma Hopwood <daira@jacaranda.org> | ||
| Jack Grigg <thestr4d@gmail.com> | ||
| Credits: Sean Bowe | ||
| Credits: Sean Bowe, Dev Ojha |
There was a problem hiding this comment.
| Credits: Sean Bowe, Dev Ojha | |
| Credits: Sean Bowe | |
| Dev Ojha |
I'm unable to continue reviewing this, so dismissing my review to ensure it doesn't block merging. Someone else will need to review to confirm that the ZIP Editor's comments are addressed, once the relevant changes are made.
This PR suggests amendments to ZIP 2005 allowing us to get started on getting wallets quantum recoverable very quickly.
TL;DR:
Example code for doing this integration (Will properly integration test, and demo on mainnet later in the week w/ @greg0x after further governance work):
orchardNoteVersionenumAdd QR rcm derivation:
RandomSeed::qr_rcm()Add version-aware note commitment, plaintext encoding, and decryption
Add per-output
Builder::add_versioned_output()zcash_primitives(librustzcash)zcash_client_backend(librustzcash)add_versioned_orchard_output(..., NoteVersion::V3_Qr)for change outputs (ZIP-2005 phase 1)