ZIP 226: Transfer and Burn of Zcash Shielded Assets

ZIP: 226
Title: Transfer and Burn of Zcash Shielded Assets
Owners: Pablo Kogan <pablo@qed-it.com>
        Vivek Arte <vivek@qed-it.com>
        Daira-Emma Hopwood <daira@jacaranda.org>
        Jack Grigg <thestr4d@gmail.com>
Credits: Daniel Benarroch
         Aurelien Nicolas
         Deirdre Connolly
         Teor
Status: Draft
Category: Consensus
Created: 2022-05-01
License: MIT
Discussions-To: <https://github.com/zcash/zips/issues/618>
Pull-Request: <https://github.com/zcash/zips/pull/680>

Terminology

The key word "MUST" in this document is to be interpreted as described in BCP 14 1 when, and only when, it appears in all capitals.

The term "network upgrade" in this document is to be interpreted as described in ZIP 200. 2

The character § is used when referring to sections of the Zcash Protocol Specification. 25

The terms "Orchard" and "Action" in this document are to be interpreted as described in ZIP 224. 4

The terms "Asset" and "Custom Asset" in this document are to be interpreted as described in ZIP 227. 5

We define the following additional terms:

Action Group: an Action Group is a group of OrchardZSA Actions (as defined in 4) which share the same tuple \((\mathsf{rt}, \mathsf{enableSpends}, \mathsf{enableOutputs}, \mathsf{enableZSA}, \mathsf{nAGExpiryHeight})\!\) . In this ZIP, we denote the above shared tuple by "Orchard Commons".
Split Input: an Action input used to ensure that the output note of that Action is of a validly issued \(\mathsf{AssetBase}\) (see 7) when there is no corresponding real input note, in situations where the number of outputs are larger than the number of inputs. See formal definition in Split Notes.
Split Action: an Action that contains a Split Input.
v1 Signature Digest: the per-Action-Group signature digest defined in v1 Signature Digest and Spend Authorization Signatures. This is used in certain cases to provide spend authorization for the Actions of a single Action Group.

Abstract

This ZIP (ZIP 226) proposes the Orchard Zcash Shielded Assets (OrchardZSA) protocol, in conjunction with ZIP 227 5. The OrchardZSA protocol is an extension of the Orchard protocol that enables the issuance, transfer and burn of custom Assets on the Zcash chain. The issuance of such Assets is defined in ZIP 227 5, while the transfer and burn of such Assets is defined in this ZIP (ZIP 226). While the proposed OrchardZSA protocol is a modification to the Orchard protocol, it has been designed with adaptation to possible future shielded protocols in mind.

This ZIP is defined relative to the Zcash protocol with the changes specified in ZIP 2005 24 applied. ZIP 2005 (Orchard Quantum Recoverability) is expected to deploy before any ZSA activation; the references in this document to \(\mathsf{H^{rcm,Orchard}}\!\) , \(\mathsf{H^{\text{ψ},Orchard}}\!\) , recoverable note plaintexts, and related constructs are to be interpreted as defined by ZIP 2005's modifications to the protocol specification.

Motivation

None of the currently deployed Zcash transfer protocols support Custom Assets. Enabling multi-asset support on the Zcash chain will open the door for a host of applications, and enhance the ecosystem with application developers and Asset custody institutions for issuance and bridging purposes. This ZIP builds on the issuance mechanism introduced in ZIP 227 5.

Overview

In order to be able to represent different Assets, we need to define a data field that uniquely represents the Asset in question, which we call the Asset Identifier \(\mathsf{AssetId}\!\) . This Asset Identifier maps to an Asset Base \(\mathsf{AssetBase}\) that is stored in OrchardZSA notes. These terms are formally defined in ZIP 227 5.

The Asset Identifier (via means of the Asset Digest and Asset Base) will be used to enforce that the balance of an Action Description 27 42 is preserved across Assets (see the Orchard Binding Signature 31), and by extension the balance of an Orchard transaction. That is, the sum of all the \(\mathsf{value^{net}}\) from each Action Description, computed as \(\mathsf{value^{old}} - \mathsf{value^{new}}\!\) , must be balanced only with respect to the same Asset Identifier. This is especially important since we will allow different Action Descriptions to transfer notes of different Asset Identifiers, where the overall balance is checked without revealing which (or how many distinct) Assets are being transferred.

As was initially proposed by Jack Grigg and Daira-Emma Hopwood 43 44, we propose to make this happen by changing the value base point, \(\mathcal{V}^{\mathsf{Orchard}}\!\) , in the Homomorphic Pedersen Commitment that derives the value commitment, \(\mathsf{cv^{net}}\!\) , of the net value in an Orchard Action.

Because in a single transaction all value commitments are balanced, there must be as many different value base points as there are Asset Identifiers for a given shielded protocol used in a transaction. We propose to make the Asset Base an auxiliary input to the proof for each Action statement 34, represented already as a point on the Pallas curve. The circuit then should check that the same Asset Base is used in the old note commitment and the new note commitment 39, and as the base point in the value commitment 38. This ensures (1) that the input and output notes are of the same Asset Base, and (2) that only Actions with the same Asset Base will balance out in the Orchard binding signature.

In order to ensure the security of the transfers, and as we will explain below, we are redefining input dummy notes 30 for Custom Assets, as we need to enforce that the \(\mathsf{AssetBase}\) of the output note of that Split Action is the output of a valid \(\mathsf{ZSAValueBase}\) computation defined in ZIP 227 5.

We include the ability to pause the ZSA functionality, via a \(\mathsf{enableZSA}\) boolean flag. When this flag is set to false, the proof will fail for any non-native Asset, making it impossible to perform transactions involving Custom Assets. When this flag is set to true, the circuit will allow transactions involving Custom Assets subject to the values of the \(\mathsf{enableSpendsOrchard}\) and \(\mathsf{enableOutputsOrchard}\) flags, similar to the vanilla Orchard setting.

Finally, in this ZIP we also describe the burn mechanism, which is a direct extension of the transfer mechanism. The burn process uses a similar mechanism to what is used in Orchard to unshield ZEC, by using the \(\mathsf{valueBalance}\) of the Asset in question. Burning Assets is useful for many purposes, including bridging, and removing supply of Assets.

Privacy Implications

After the protocol upgrade, the Orchard shielded pool will be shared by the Orchard protocol and the OrchardZSA protocol.
Deploying the OrchardZSA protocol does not necessitate disabling the Orchard protocol. Both can co-exist and be addressed via different transaction versions (V5 for Orchard and V6 for OrchardZSA). Due to this, Orchard note commitments can be distinguished from OrchardZSA note commitments. This holds whether or not the two protocols are active simultaneously.
OrchardZSA note commitments for the native asset (ZEC) are indistinguishable from OrchardZSA note commitments for non-native Assets.
When including new Assets we would like to maintain the amount and identifiers of Assets private, which is achieved with the design.

Specification

Most of the protocol is kept the same as the Orchard protocol released with NU5, except for the following.

Asset Identifiers

For every new Asset, there MUST be a new and unique Asset Identifier. Every Asset is defined by an Asset description, \(\mathsf{asset\_desc}\!\) , which is a global byte string (scoped across all future versions of Zcash). From this Asset description and the issuance validating key of the issuer, the specific Asset Identifier, \(\mathsf{AssetId}\!\) , the Asset Digest, and the Asset Base ( \(\!\mathsf{AssetBase}\!\) ) are derived as defined in ZIP 227 5.

This Asset Base will be the base point of the value commitment for the specific Custom Asset. Note that the Asset Base of the ZEC Asset will be kept as the original value base point, \(\mathcal{V}^{\mathsf{Orchard}}\!\) .

Rationale for Asset Identifiers

In future network and protocol upgrades, the same Asset description string can be carried on, potentially mapping into a different shielded pool. In that case, nodes should know how to transform the Asset Identifier, the Asset Digest, and the Asset Base from one shielded pool to another, while ensuring there are no balance violations 3.

We prevent a potential malleability attack on the Asset Identifier by ensuring the output notes receive an Asset Base that exists on the global state.

Note Structure and Commitment

An OrchardZSA note differs from an Orchard note 26 by additionally including the Asset Base, \(\mathsf{AssetBase}\!\) . So an OrchardZSA note is a tuple \((\mathsf{d}, \mathsf{pk_d}, \mathsf{v}, \mathsf{AssetBase}, \text{ρ}, \text{ψ}, \mathsf{rcm})\!\) , where

\(\mathsf{AssetBase} : \mathbb{P}^*\) is the unique element of the Pallas group 40 that identifies each Asset in the Orchard protocol, defined as the Asset Base in ZIP 227 7, a valid group element that is not the identity and is not \(\bot\!\) . The byte representation of the Asset Base is defined as \(\mathsf{asset\_base} : \mathbb{B}^{\mathbb{Y}^{[\ell_{\mathbb{P}}/8]}} := \mathsf{LEBS2OSP}_{\ell_{\mathbb{P}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{AssetBase}))\!\) .
The remaining terms are as defined in §3.2 ‘Notes’ 26.

Note that the above assumes a canonical encoding, which is true for the Pallas group, but may not hold for future shielded protocols.

Let \(\mathsf{Note^{OrchardZSA}}\) be the type of a OrchardZSA note, i.e.

\(\mathsf{Note^{OrchardZSA}} := \mathbb{B}^{[\ell_{\mathsf{d}}]} \times \mathsf{KA}^{\mathsf{Orchard}}.\mathsf{Public} \times \{0 .. 2^{\ell_{\mathsf{value}}} - 1\} \times \mathbb{P}^* \times \mathbb{F}_{q_{\mathbb{P}}} \times \mathbb{F}_{q_{\mathbb{P}}} \times \mathsf{NoteCommit^{Orchard}.Trapdoor},\)

where \(\mathbb{P}^*\) is the Pallas group excluding the identity element, and the other types are as defined in §3.2 ‘Notes’ 26.

Non-normative note: The type and definition of the OrchardZSA note reflect that it is a tuple of all the components of an Orchard note, with the addition of the Asset Base into the tuple.

We define the note commitment scheme \(\mathsf{NoteCommit^{OrchardZSA}_{rcm}}\) as follows:

\(\mathsf{NoteCommit}^{\mathsf{OrchardZSA}} : \mathsf{NoteCommit^{Orchard}.Trapdoor}\hspace{-1em}\) \(\hspace{1em}\times\, \mathbb{B}^{[\ell_{\mathbb{P}}]}\hspace{-1em}\) \(\hspace{1em}\times\, \mathbb{B}^{[\ell_{\mathbb{P}}]}\hspace{-1em}\) \(\hspace{1em}\times\, \{0 .. 2^{\ell_{\mathsf{value}}} - 1\}\hspace{-1em}\) \(\hspace{1em}\times\, \mathbb{F}_{q_{\mathbb{P}}}\hspace{-1em}\) \(\hspace{1em}\times\, \mathbb{F}_{q_{\mathbb{P}}}\hspace{-1em}\) \(\hspace{1em}\times\, \mathbb{P}^* \to \mathsf{NoteCommit^{Orchard}.Output}\)

where \(\mathbb{P}, \ell_{\mathbb{P}}, q_{\mathbb{P}}\) are as defined for the Pallas curve 40, and where \(\mathsf{NoteCommit^{Orchard}.\{Trapdoor, Output\}}\) are as defined in §4.1.8 ‘Commitment’ 28. This uses the note commitment scheme defined in §5.4.8.4 ‘Sinsemilla Commitments’ 39 as follows:

\(\mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{g_d}\star, \mathsf{pk_d}\star, \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase}) := \begin{cases} \mathsf{NoteCommit^{Orchard}_{rcm}}(\mathsf{g_d}\star, \mathsf{pk_d}\star, \mathsf{v}, \text{ρ}, \text{ψ}), &\!\!\text{if } \mathsf{AssetBase} = \mathcal{V}^{\mathsf{Orchard}} \\ \mathsf{cm_{ZSA}} &\!\!\text{otherwise} \end{cases}\)

where:

\(\mathsf{cm_{ZSA}} := \mathsf{SinsemillaHashToPoint}(\texttt{“z.cash:ZSA-NoteCommit-M”},\hspace{-6em}\) \(\hspace{6em}\mathsf{g_{d}\star} \,||\, \mathsf{pk_{d}\star} \,||\, \mathsf{I2LEBSP_{64}(v)} \,||\, \mathsf{I2LEBSP}_{\ell^{\mathsf{Orchard}}_{\mathsf{base}}}(\text{ρ})\hspace{-6em}\) \(\hspace{6em}\,||\, \mathsf{I2LEBSP}_{\ell^{\mathsf{Orchard}}_{\mathsf{base}}}(\text{ψ}) \,||\, \mathsf{asset\_base})\hspace{-4em}\) \(\hspace{4em}\,+\; [\mathsf{rcm}]\,\mathsf{GroupHash}^{\mathbb{P}}(\texttt{“z.cash:Orchard-NoteCommit-r”}, \texttt{“”})\)

Note that \(\mathsf{repr}_{\mathbb{P}}\) and \(\mathsf{GroupHash}^{\mathbb{P}}\) are as defined for the Pallas curve 40, \(\ell^{\mathsf{Orchard}}_{\mathsf{base}}\) is as defined in §5.3 ‘Constants’ 36, and \(\mathsf{I2LEBSP}\) is as defined in §5.1 ‘Integers, Bit Sequences, and Endianness’ 35.

The nullifier is generated in the same manner as in the Orchard protocol §4.16 ‘Computing ρ values and Nullifiers’ 33.

The OrchardZSA note plaintext also includes the Asset Base \(\mathsf{asset\_base} : \mathbb{B}^{[\ell_{\mathbb{P}}]}\) in addition to the components in the Orchard note plaintext 41. The explicit encoding of the note plaintext is provided in ZIP 230 18.

When § 4.7.3 'Sending Notes (Orchard)' 29 or § 4.8.3 'Dummy Notes (Orchard)' 30 are invoked directly or indirectly in the computation of \(\text{ρ}\) and \(\text{ψ}\) for an OrchardZSA note, \(\mathsf{leadByte}\) MUST be set to {{ZSALEADBYTE}}.

The explicit order of addition of the note commitments to the note commitment tree is specified in ZIP 227 9.

Rationale for Note Commitment

In the OrchardZSA protocol, the instance of the note commitment scheme, \(\mathsf{NoteCommit^{OrchardZSA}_{rcm}}\!\) , differs from the Orchard note commitment \(\mathsf{NoteCommit^{Orchard}_{rcm}}\) in that for Custom Assets, the Asset Base will be added as an input to the commitment computation. In the case where the Asset is the ZEC Asset, the commitment is computed identically to the Orchard note commitment, without making use of the ZEC Asset Base as an input. As we will see, the nested structure of the Sinsemilla-based commitment 39 allows us to add the Asset Base as a final recursive step.

The note commitment output is still indistinguishable from the original Orchard ZEC note commitments, by definition of the Sinsemilla hash function 37. OrchardZSA note commitments will therefore be added to the same Orchard Note Commitment Tree. In essence, we have:

\(\mathsf{NoteCommit^{OrchardZSA}_{rcm}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d}), \mathsf{v}, \text{ρ}, \text{ψ}, \mathsf{AssetBase}) \in \mathsf{NoteCommit^{Orchard}.Output}\)

This definition can be viewed as a generalization of the Orchard note commitment, and will allow maintaining a single commitment instance for the note commitment, which will be used both for pre-ZSA Orchard and OrchardZSA notes.

Value Commitment

In the case of the OrchardZSA protocol, the value of different Asset Identifiers in a given transaction will be committed using a different value base point. The value commitment becomes:

\(\mathsf{cv^{net}} := \mathsf{ValueCommit^{OrchardZSA}_{rcv}}(\mathsf{AssetBase_{AssetId}}, \mathsf{v^{net}_{AssetId}}) = [\mathsf{v^{net}_{AssetId}}]\,\mathsf{AssetBase_{AssetId}} + [\mathsf{rcv}]\,\mathcal{R}^{\mathsf{Orchard}}\)

where \(\mathsf{v^{net}_{AssetId}} = \mathsf{v^{old}_{AssetId}} - \mathsf{v^{new}_{AssetId}}\) such that

\(\mathsf{v^{old}_{AssetId}}\) and \(\mathsf{v^{new}_{AssetId}}\) are the values of the old and new notes of Asset Identifier \(\mathsf{AssetId}\) respectively,
\(\mathsf{AssetBase_{AssetId}}\) is defined in ZIP 227 5, and
\(\mathcal{R}^{\mathsf{Orchard}} := \mathsf{GroupHash^{\mathbb{P}}}(\texttt{“z.cash:Orchard-cv”}, \texttt{“r”})\!\) , as in the Orchard protocol.

For ZEC, we define \(\mathsf{AssetBase}_{\mathsf{AssetId}} := \mathcal{V}^{\mathsf{Orchard}}\) so that the value commitment for ZEC notes is computed identically to the Orchard protocol deployed in NU5 4. As such \(\mathsf{ValueCommit^{Orchard}_{rcv}}(\mathsf{v})\) as defined in 4 is used as \(\mathsf{ValueCommit^{OrchardZSA}_{rcv}}(\mathcal{V}^{\mathsf{Orchard}}, \mathsf{v})\) here.

Rationale for Value Commitment

The Orchard Protocol uses a Homomorphic Pedersen Commitment 38 to perform the value commitment, with fixed base points \(\mathcal{V}^{\mathsf{Orchard}}\) and \(\mathcal{R}^{\mathsf{Orchard}}\) as the values represent the amount of ZEC being transferred.

The use of different value base points for different Assets enables the final balance of the transaction to be securely computed, such that each Asset Identifier is balanced independently, which is required as different Assets are not meant to be mutually fungible.

Action Groups

OrchardZSA Actions in transactions are organized into one or more Action Groups. An Action Group is a group of OrchardZSA Actions which share the same tuple \((\mathsf{rt}, \mathsf{enableSpends}, \mathsf{enableOutputs}, \mathsf{enableZSA}, \mathsf{nAGExpiryHeight})\!\) , which we denote by "Orchard Commons". A transaction MAY contain more than one Action Group.

An Action Group contains a list of OrchardZSA Actions that share the same Orchard Commons, along with those Orchard Commons, the Burn Mechanism data, and the authorizing data such as the Spend Authorization Signatures and proofs. The encoding of the Action Group is defined in ZIP 230 16.

The Orchard Commons of each Action Group includes an expiry height, \(\mathsf{nAGExpiryHeight}\!\) , which specifies the maximum block height at which a transaction containing that Action Group may be mined. A value of \(0\) indicates that the Action Group places no expiry constraint.

Rationale for Action Groups

In the Zcash protocol deployed in NU5, the anchor is not included in the Action Description, and is only included once in the entire transaction. Action Groups are a generalization of the protocol that allows for Actions generated against different anchors to be combined in a single transaction. The Action Groups abstraction achieves the same function as including the tuple (Merkle Root ( \(\mathsf{rt}\!\) ), enableSpend, enableOutputs) in each Action - but more efficiently. It allows for the binding of multiple Actions, along with an expiry height, in an inseparable manner. It reduces information duplication within the transaction object, and thus is more bandwidth efficient.

One of the applications that takes advantage of this generalization is ZSA Swaps 13. In this application, components provided by two parties, with possible different blockchain states, can be combined in a single transaction.

Rationale for Expiry Height

The expiry height \(\mathsf{nAGExpiryHeight}\) allows for a time limit to be set for the inclusion of a particular Action Group in a mined block. This is useful for applications such as ZSA Swaps 13, where a party might want to limit how long the counterparty has an indefinite option on their trade intent.

v1 Signature Digest and Spend Authorization Signatures

ZIP 246 21 introduces versioning for SIGHASH algorithms. We define the v1 Signature Digest for an Action Group as the output of the orchard_action_groups_digest for that Action Group, as defined in ZIP 246 22.

If there is only one Action Group in the transaction, then the Spend Authorization Signatures for the Actions in the transaction MUST be computed as in the Orchard protocol, over the v0 Signature Digest. If there are multiple Action Groups in the transaction, then the Spend Authorization Signatures for the Actions in each Action Group MUST be computed over the v1 Signature Digest of that Action Group.

Rationale for v1 Signature Digests and Spend Authorization Signature Changes

In the OrchardZSA protocol, each Action includes a Spend Authorization Signature 32 that binds a specific spend instruction to a specific transaction and prevents replay attacks.

However, in the generalization to multiple Action Groups, each of which might be generated by different parties, the mechanism needs updating. This is because the transaction SIGHASH represents a hash over a full consensus-compliant transaction object. The party creating the Action Group might not be able to construct the SIGHASH as the full transaction might not be known at that point. This is because various fields are set only when the full bundle transaction is formed and sent to the chain.

To make sure the time limit isn't malleable and replay attacks are precluded, the sender signs the information in the Action Group of the Order. The orchard_action_groups_digest contains all the information that the sender needs to authorize, which is why we use this for the v1 Signature Digest. The non-malleability of the expiry height and other fields of received orders during order matching is guaranteed by the unforgeability of the sender's Spend Authorization Signature.

Burn Mechanism

The burn mechanism is a transparent extension to the transfer protocol that enables a specific amount of any Custom Asset to be "destroyed" by the holder. The burn mechanism does NOT send Assets to a non-spendable address, it simply reduces the total number of units of a given Custom Asset in circulation. It is enforced at the consensus level, by using an extension of the value balance mechanism used for ZEC Assets. Burning makes it globally provable that a given amount of a Custom Asset has been destroyed. Note that the OrchardZSA Protocol does not allow for the burning of the Native Asset (i.e. ZEC or TAZ).

In the OrchardZSA Transaction Structure, there is now an \(\mathsf{assetBurn}_{\mathsf{AG}}\) set for each Action Group. For every Custom Asset (represented by its \(\mathsf{AssetBase}\!\) ) that is burnt in the Action Group, the sender adds to \(\mathsf{assetBurn}_{\mathsf{AG}}\) the tuple \((\mathsf{AssetBase}, \mathsf{v})\!\) , where \(\mathsf{v}\) is the amount of the Custom Asset the sender wants to burn. We define a constant \(\mathsf{MAX\_BURN\_VALUE} := 2^{63} - 1\!\) , which denotes the maximum amount of a given Custom Asset that can be burnt in a transaction. We denote by \(L\) the cardinality of the \(\mathsf{assetBurn}\) set in a transaction.

As described in Value Balance Verification, this provides the information for the validator of the transaction to compute the value commitment with the corresponding Asset Base. This ensures that the values are all balanced out on a per-Asset basis in the transaction.

Note: In a transaction with multiple Action Groups, each with their own \(\mathsf{assetBurn}_{\mathsf{AG}}\) set, there MAY be multiple entries for the same Custom Asset across the different \(\mathsf{assetBurn}_{\mathsf{AG}}\) sets.

We construct a set \(\mathsf{assetBurn}\) as the union of all the \(\mathsf{assetBurn}_{\mathsf{AG}}\) sets across all Action Groups in the transaction. This is constructed in two steps:

First, we set \(\mathsf{assetBurn} := \bigcup_{\mathsf{AG}} \mathsf{assetBurn}_{\mathsf{AG}}\!\) . That is, we take the union of the \(\mathsf{assetBurn}_{\mathsf{AG}}\) sets across all Action Groups in the transaction.
Then, if there are multiple entries for the same Custom Asset in the resulting \(\mathsf{assetBurn}\) set, we de-duplicate by summing the corresponding burn values \(\mathsf{v}\) for those entries, and keep a single entry for that Custom Asset with the summed burn value.

Additional Consensus Rules for the assetBurn set

It MUST be the case that for every \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{AssetBase} \neq \mathcal{V}^{\mathsf{Orchard}}\!\) . That is, the Native Asset is not allowed to be burnt by this mechanism.
It MUST be that for every \((\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}, \mathsf{v} > 0\) and \(\mathsf{v} \leq \mathsf{MAX\_BURN\_VALUE}\!\) .
There MUST be no duplication of Custom Assets in the \(\mathsf{assetBurn}_{\mathsf{AG}}\) set, for each Action Group \(\mathsf{AG}\!\) . That is, every \(\mathsf{AssetBase}\) has at most one entry in \(\mathsf{assetBurn}_{\mathsf{AG}}\) for each Action Group.

The other consensus rule changes for the OrchardZSA protocol are specified in ZIP 227 8.

Note: The transparent protocol will not be changed with this ZIP to adapt to a multiple Asset structure. This means that unless future consensus rules changes do allow it, unshielding will not be possible for Custom Assets.

Rationale for MAX_BURN_VALUE

The maximum amount of any Custom Asset allowed to be burnt in a transaction is set to \(\mathsf{MAX\_BURN\_VALUE}\) in order to prevent it from being incompatible with other valueBalance fields, which are signed 64-bit integers. It will also allow for compatibility with future Custom-asset-specific value balances in subsequent pools that support transferring ZSAs from the Orchard pool via a turnstile.

Value Balance Verification

Transactions continue to have a single Binding Signature, which covers all the Actions across the Action Groups in the transaction. The signature continues to be computed over the v0 Signature Digest of the transaction.

In order to verify the balance of the different Assets, the validator MUST perform a similar process as for the Orchard protocol 31, with the addition of the burn information.

For a total of \(n\) Actions in a transfer (across Action Groups), the signer MUST still sign the SIGHASH transaction hash using the binding signature key \(\mathsf{bsk} = \sum_{i=1}^{n} \mathsf{rcv}_i\!\) .

The validator MUST compute the value balance verification equation:

\(\mathsf{bvk} = (\sum_{i=1}^{n} \mathsf{cv}^{\mathsf{net}}_i) - \mathsf{ValueCommit_0^{OrchardZSA}(\mathcal{V}^{\mathsf{Orchard}}, v^{balanceOrchard})} - \sum_{(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}} \mathsf{ValueCommit_0^{OrchardZSA}}(\mathsf{AssetBase}, \mathsf{v})\)

After computing \(\mathsf{bvk}\!\) , the validator MUST use it to verify the binding signature on the SIGHASH transaction hash.

Note: In the equation above, the set \(\mathsf{assetBurn}\) across all Action Groups in the transaction, is as defined in the Burn Mechanism section.

An application that requires the signer to assemble the transaction from independently generated components MUST include a mechanism to ensure that the signer has the information necessary to compute the \(\mathsf{bsk}\) as described above. The specific mechanism is out of scope for this ZIP. Refer to ZIP 228 13 for an example of how this can be achieved in the context of ZSA swaps.

Rationale for Value Balance Verification

We assume \(n\) Actions in a transfer. Out of these \(n\) Actions, we further distinguish (for the sake of clarity) between Actions related to ZEC and Actions related to Custom Assets. We denote by \(S_{\mathsf{ZEC}} \subseteq \{1 .. n\}\) the set of indices of Actions that are related to ZEC, and by \(S_{\mathsf{CA}} = \{1 .. n\} \setminus S_{\mathsf{ZEC}}\) the set of indices of Actions that are related to Custom Assets.

The right hand side of the value balance verification equation can be expanded to:

\(((\sum_{i \in S_{\mathsf{ZEC}}} \mathsf{cv}^{\mathsf{net}}_i) + (\sum_{j \in S_{\mathsf{CA}}} \mathsf{cv}^{\mathsf{net}}_j)) - ([\mathsf{v^{balanceOrchard}}]\,\mathcal{V}^{\mathsf{Orchard}} + [0]\,\mathcal{R}^{\mathsf{Orchard}}) - (\sum_{(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}} [\mathsf{v}]\,\mathsf{AssetBase} + [0]\,\mathcal{R}^{\mathsf{Orchard}})\)

This equation contains the balance check of the Orchard protocol 31. With ZSA, transfer Actions for Custom Assets must also be balanced across Asset Bases. All Custom Assets are contained within the shielded pool, and cannot be unshielded via a regular transfer. Custom Assets can be burnt, the mechanism for which reveals the amount and identifier of the Asset being burnt, within the \(\mathsf{assetBurn}\) set. As such, for a correctly constructed transaction, we will get \(\sum_{j \in S_{\mathsf{CA}}} \mathsf{cv}^{\mathsf{net}}_j - \sum_{(\mathsf{AssetBase}, \mathsf{v}) \in \mathsf{assetBurn}} [\mathsf{v}]\,\mathsf{AssetBase} = \sum_{j \in S_{\mathsf{CA}}} [\mathsf{rcv}^{\mathsf{net}}_j]\,\mathcal{R}^{\mathsf{Orchard}}\!\) .

When the Asset is not being burnt, the net balance of the input and output values is zero, and there will be no addition to the \(\mathsf{assetBurn}\) vector. Therefore, the relationship between \(\mathsf{bvk}\) and \(\mathsf{bsk}\) will hold if and only if, per Custom Asset, the sum of the net values of the relevant Actions equals the corresponding \(\mathsf{v}_k\) value (or equals \(0\) if that Asset is not in the \(\mathsf{assetBurn}\) set), and for ZEC, the sum of the net values of the relevant Actions equals the \(\mathsf{v^{balanceOrchard}}\) value.

As in the Orchard protocol, the binding signature verification key, \(\mathsf{bvk}\!\) , will only be valid (and hence verify the signature correctly), as long as the committed values sum to zero. In contrast, in this protocol, the committed values must sum to zero per Asset Base, as the Pedersen commitments add up homomorphically only with respect to the same value base point.

Split Notes

A Split Input is a copy of a previously issued input note (that is, a note that has previously been included in the Merkle tree), with the following changes:

A \(\mathsf{split\_flag}\) boolean is set to 1.
The value of the note is replaced with the value 0 during the computation of the value commitment.

Input notes are sometimes split in two (or more) output notes, as in most cases, not all the value in a single note is sent to a single output.

When the number of input notes of a particular Asset Base is smaller than the required number of output notes for the same Asset Base, the sender creates Split Inputs of the same Asset Base as padding for the input-less Actions. Note that we do not care about whether the previously issued note copied to create a Split Input is owned by the sender, or whether it was nullified before.

Wallets and other clients have to choose from the following to ensure the Asset Base is preserved for the output note of a Split Action:

The Split Input note could be another note containing the same Asset Base that is being spent by this transaction (but not by this Split Input).
The Split Input note could be a different unspent note containing the same Asset Base (note that the note will not actually be spent).
The Split Input note could be an already spent note containing the same Asset Base (note that by zeroing the value in the circuit, we prevent double spending).

For Split Notes, the nullifier is generated as follows:

\(\mathsf{nf_{old}} = \mathsf{Extract}_{\mathbb{P}} ([(\mathsf{PRF^{nfOrchard}_{nk}} (\text{ρ}^{\mathsf{old}}) + \text{ψ}^{\mathsf{nf}}) \bmod q_{\mathbb{P}}]\,\mathcal{K}^\mathsf{Orchard} + \mathsf{cm^{old}} + \mathcal{L}^\mathsf{Orchard})\)

where \(\text{ψ}^{\mathsf{nf}}\) is computed as \(\mathsf{ToBase^{Orchard}}\big(\mathsf{PRF^{expand}_{rseed\_nf}}([\mathtt{0x0A}] \,||\, \underline{\text{ρ}^{\mathsf{old}}})\kern-0.1em\big)\) for \(\mathsf{rseed\_nf}\) sampled uniformly at random on \(\mathbb{B}^{{\kern-0.1em\tiny\mathbb{Y}}[32]}\!\) , \(\mathcal{K}^{\mathsf{Orchard}}\) is the Orchard Nullifier Base as defined in §4.16 ‘Computing ρ values and Nullifiers’ 33, and \(\mathcal{L}^{\mathsf{Orchard}} := \mathsf{GroupHash^{\mathbb{P}}}(\texttt{“z.cash:Orchard”}, \texttt{“L”})\!\) . The first-byte domain separator \(\mathtt{0x0A}\) for \(\mathsf{PRF^{expand}}\) is reserved by ZIP 2005 24 for this use.

Rationale for Split Notes

In the Orchard protocol, since each Action represents an input and an output, the transaction that wants to send one input to multiple outputs must have multiple inputs. The Orchard protocol gives dummy spend notes 30 to the Actions that have not been assigned input notes.

The Orchard technique requires modification for the OrchardZSA protocol with multiple Asset Identifiers, as the output note of the split Actions cannot contain just any Asset Base. We must enforce it to be an actual output of a GroupHash computation (in fact, we want it to be of the same Asset Base as the original input note, but the binding signature takes care that the proper balancing is performed). Without this enforcement the prover could input a multiple (or linear combination) of an existing Asset Base, and thereby attack the network by overflowing the ZEC value balance and hence counterfeiting ZEC funds.

Therefore, for Custom Assets we enforce that every input note to an OrchardZSA Action must be proven to exist in the set of note commitments in the note commitment tree. We then enforce this real note to be “unspendable” in the sense that its value will be zeroed in split Actions and the nullifier will be randomized, making the note not spendable in the specific Action. Then, the proof itself ensures that the output note is of the same Asset Base as the input note. In the circuit, the split note functionality will be activated by a boolean private input to the proof (aka the \(\mathsf{split\_flag}\) boolean). This ensures that the value base points of all output notes of a transfer are actual outputs of a GroupHash, as they originate in the Issuance protocol which is publicly verified.

Note that the Orchard dummy note functionality remains in use for ZEC notes, and the Split Input technique is used in order to support Custom Assets.

Circuit Statement

Every OrchardZSA Action statement is closely similar to the Orchard Action statement 34, except for a few additions that ensure the security of the Asset Identifier system. We detail these changes below.

All modifications in the Circuit are detailed in 45.

Asset Base Equality

The following constraints must be added to ensure that the input and output note are of the same \(\mathsf{AssetBase}\!\) :

The Asset Base, \(\mathsf{AssetBase}\!\) , for the note is witnessed once, as an auxiliary input.
In the Old note commitment integrity constraint in the Orchard Action statement 34, \(\mathsf{NoteCommit^{Orchard}_{rcm^{old}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d^{old}}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d^{old}}), \mathsf{v^{old}}, \text{ρ}^{\mathsf{old}}, \text{ψ}^{\mathsf{old}})\) is replaced with \(\mathsf{NoteCommit^{OrchardZSA}_{rcm^{old}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d^{old}}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d^{old}}), \mathsf{v^{old}}, \text{ρ}^{\mathsf{old}}, \text{ψ}^{\mathsf{old}}, \mathsf{AssetBase})\!\) .
In the New note commitment integrity constraint in the Orchard Action statement 34, \(\mathsf{NoteCommit^{Orchard}_{rcm^{new}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d^{new}}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d^{new}}), \mathsf{v^{new}}, \text{ρ}^{\mathsf{new}}, \text{ψ}^{\mathsf{new}})\) is replaced with \(\mathsf{NoteCommit^{OrchardZSA}_{rcm^{new}}}(\mathsf{repr}_{\mathbb{P}}(\mathsf{g_d^{new}}), \mathsf{repr}_{\mathbb{P}}(\mathsf{pk_d^{new}}), \mathsf{v^{new}}, \text{ρ}^{\mathsf{new}}, \text{ψ}^{\mathsf{new}}, \mathsf{AssetBase})\!\) .

To make the evaluation of the note commitment easier, we add a boolean \(\mathsf{is\_native\_asset}\) as an auxiliary witness. We also add some constraints to verify that this variable is activated (i.e. \(\mathsf{is\_native\_asset} = 1\!\) ) if the Asset Base is equal to \(\mathcal{V}^{\mathsf{Orchard}}\) and this variable is not activated (i.e. \(\mathsf{is\_native\_asset} = 0\!\) ) if the Asset Base is not equal to \(\mathcal{V}^{\mathsf{Orchard}}\!\) .

The \(\mathsf{enableZSA}\) Flag

The following constraints must be added to disable transactions involving Custom Assets when the \(\mathsf{enableZSA}\) flag is set to false:

if \(\mathsf{enableZSA}\) is not activated (i.e. \(\mathsf{enableZSA} = 0\!\) ), then constrain \(\mathsf{is\_native\_asset} = 1\!\) , since the \(\mathsf{AsssetBase}\) must be equal to the native asset.

Value Commitment Correctness

The following constraints must be added to ensure that the value commitment is computed using the witnessed Asset Base:

The fixed-base multiplication constraint between the value and the value base point of the value commitment, \(\mathsf{cv}\!\) , is replaced with a variable-base multiplication between the two.
The witness to the value base point (as defined in the asset base equation) is the auxiliary input \(\mathsf{AssetBase}\!\) .

Asset Identifier Consistency for Split Actions

Senders must not be able to change the Asset Base for the output note in a Split Action. We do this via the following constraints:

The Value Commitment Integrity should be changed:
- Replace the input note value by a generic value, \(\mathsf{v}'\!\) , as \(\mathsf{cv^{net}} = \mathsf{ValueCommit_rcv^{OrchardZSA}}(\mathsf{AssetBase}, \mathsf{v}' - \mathsf{v^{new}})\)
Add a boolean \(\mathsf{split\_flag}\) variable as an auxiliary witness. This variable is to be activated \(\mathsf{split\_flag} = 1\) if the Action in question has a Split Input and \(\mathsf{split\_flag} = 0\) if the Action is actually spending an input note:
- If \(\mathsf{split\_flag} = 1\) then constrain \(\mathsf{v}' = 0\) otherwise constrain \(\mathsf{v}' = \mathsf{v^{old}}\) from the auxiliary input.
- If \(\mathsf{split\_flag} = 1\) then constrain \(\mathsf{is\_native\_asset} = 0\) because split notes are only available for Custom Assets.
The Merkle Path Validity should check the existence of the note commitment as usual (and not like with dummy notes):
- Check for all notes except dummy notes that \((\mathsf{path}, \mathsf{pos})\) is a valid Merkle path of depth \(\mathsf{MerkleDepth^{Orchard}}\!\) , from \(\mathsf{cm^{old}}\) to the anchor \(\mathsf{rt^{Orchard}}\!\) .
- The new constraint is \(\underbrace{(\mathsf{v^{old}} = 0 \land \mathsf{is\_native\_asset} = 1)}_\text{It is a dummy note} \lor \underbrace{(\mathsf{Valid\,Merkle\,Path})}_\text{The Merkle Path is valid}\!\) .
The Nullifier Integrity will be changed to prevent the identification of notes as defined in the Split Notes section.

Backwards Compatibility with ZEC Notes

The input note in the old note commitment integrity check must either include an Asset Base (OrchardZSA note) or not (pre-ZSA Orchard note). If the note is a pre-ZSA Orchard note, the note commitment is computed in the original Orchard fashion 28. If the note is an OrchardZSA note, the note commitment is computed as defined in the Note Structure and Commitment section.

OrchardZSA Transaction Structure

The transaction format for v6 transactions is described in ZIP 230 14. The ZSA-related changes in v6 include:

updates to the transaction structure 15 and the sighash digest computation 21;
new note plaintext formats for both Sapling and Orchard outputs 17, with corresponding changes to the note decryption algorithms for incoming and outgoing viewing keys 24.

Implications for Wallets

The following requirements on wallets are specified and motivated in ZIP 230 19:

All wallets should switch to sending only v6 transactions once NU7 has activated. The main consequence of not doing so relevant to ZSAs, is that users would not obtain the privacy benefit of indistinguishability between native and non-native assets in the Orchard shielded pool, because v5 transactions can only transact in the native ZEC asset. For other consequences see ZIP 230.
All wallets should be ready to receive funds in outputs of v6 transactions as soon as ZSAs activate. The consequence of not doing so would be that funds sent to Orchard addresses of a wallet without this support could be temporarily inaccessible, until the wallet is upgraded to fully support v6 and to rescan outputs since v6 activation.

Sighash modifications relative to ZIP 244 20

Relative to the sighash algorithm defined in ZIP 244 20, the sighash algorithm that applies to v6 transactions differs by altering the Orchard bundle within the tree hash to match the corresponding OrchardZSA changes. See ZIP 246 21 for details.

Transaction Fees

The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 227 12.

Backward Compatibility

In order to have backward compatibility with the ZEC notes, we have designed the circuit to support both ZEC and OrchardZSA notes. As we specify above, there are three main reasons we can do this:

Note commitments for ZEC notes will remain the same, while note commitments for Custom Assets will be computed taking into account the \(\mathsf{AssetBase}\) value as well.
The existing Orchard shielded pool will continue to be used for the new OrchardZSA notes post the upgrade.
The value commitment is abstracted to allow for the value base-point as a variable private input to the proof.
The ZEC-based Actions will still include dummy input notes, whereas the OrchardZSA Actions will include split input notes and will not include dummy input notes.

Security and Privacy Considerations

Protection Against Replay attacks

We consider whether our change from signing the v0 SIGHASH in the spend authorization signature to signing the v1 Signature Digest opens any possibilities of replay attacks.

This is prevented by the use of the v0 SIGHASH in the binding signature. If an adversary tries to extract an Action Group and associated Spend Authorization Signature from a transaction on the network to replay it within another transaction - which would be detrimental in the form of front-running - the adversary will also need to be able to generate a binding signature on their replayed transaction, which is not possible without knowing the \(\mathsf{bsk}\) associated with the Action Group being replayed. The \(\mathsf{bsk}\) is computed based on values communicated over a secure channel off-chain between the parties in the case of multiple Action Groups generated by different parties. This precludes the possibility of replay attacks.

Non-Malleability of the Expiry Height

We protect against the malleation of the nAGExpiryHeight field by a malicious matching party by including the expiry height inside the v1 Signature Digest that is signed using the Spend Authorization Signature (see more details in Rationale for Expiry Height). The security of the Spend Authorization Signature and the collision resistance of the BLAKE2b-256 hash then ensures that the expiry height remains the same as the one mandated by the creator of the Swap Order.

Deployment

The Zcash Shielded Assets protocol is scheduled to be deployed in Network Upgrade 7 (NU7). This ZIP currently assumes that this will be the case.

Test Vectors

https://github.com/QED-it/zcash-test-vectors

Reference Implementation

https://github.com/QED-it/zcash (in zcashd)
https://github.com/QED-it/orchard (in orchard)
https://github.com/QED-it/librustzcash (in librustzcash)
https://github.com/QED-it/halo2 (in halo2)

References

1	Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"

2	ZIP 200: Network Upgrade Mechanism

3	ZIP 209: Prohibit Negative Shielded Chain Value Pool Balances

4	ZIP 224: Orchard

5	ZIP 227: Issuance of Zcash Shielded Assets

6	ZIP 227: Issuance of Zcash Shielded Assets — Specification: Global Issuance State

7	ZIP 227: Issuance of Zcash Shielded Assets — Specification: Asset Identifier

8	ZIP 227: Issuance of Zcash Shielded Assets — Specification: Consensus Rule Changes

9	ZIP 227: Issuance of Zcash Shielded Assets — Addition to the Note Commitment Tree

10	ZIP 227: Issuance of Zcash Shielded Assets — TxId Digest - Issuance

11	ZIP 227: Issuance of Zcash Shielded Assets — Authorizing Data Commitment

12	ZIP 227: Issuance of Zcash Shielded Assets — OrchardZSA Fee Calculation

13	ZIP 228: Asset Swaps for Zcash Shielded Assets

14	ZIP 230: Version 6 Transaction Format

15	ZIP 230: Version 6 Transaction Format — Transaction Format

16	ZIP 230: Version 6 Transaction Format — OrchardZSA Action Group Description

17	ZIP 230: Version 6 Transaction Format — Note Plaintexts

18	ZIP 230: Version 6 Transaction Format — Orchard Note Plaintext

19	ZIP 230: Version 6 Transaction Format — Implications for Wallets

20	ZIP 244: Transaction Identifier Non-Malleability

21	ZIP 246: Digests for the Version 6 Transaction Format

22	ZIP 246: Digests for the Version 6 Transaction Format — T.4a: orchard_action_groups_digest

23	ZIP 307: Light Client Protocol for Payment Detection

24	ZIP 2005: Orchard Quantum Recoverability

25	Zcash Protocol Specification, Version 2025.6.2 [NU6.1] or later.

26	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 3.2: Notes

27	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 3.7: Action Transfers and their Descriptions

28	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 4.1.8: Commitment

29	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 4.7.3: Sending Notes (Orchard)

30	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 4.8.3: Dummy Notes (Orchard)

31	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 4.14: Balance and Binding Signature (Orchard)

32	Zcash Protocol Specification, Version 2024.5.1. Section 4.15: Spend Authorization Signature (Sapling and Orchard)

33	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 4.16: Computing ρ values and Nullifiers

34	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 4.18.4: Action Statement (Orchard)

35	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 5.1: Integers, Bit Sequences, and Endianness

36	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 5.3: Constants

37	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 5.4.1.9: Sinsemilla hash function

38	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 5.4.8.3: Homomorphic Pedersen commitments (Sapling and Orchard)

39	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 5.4.8.4: Sinsemilla commitments

40	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 5.4.9.6: Pallas and Vesta

41	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 5.5: Encodings of Note Plaintexts and Memo Fields

42	Zcash Protocol Specification, Version 2025.6.2 [NU6.1]. Section 7.5: Action Description Encoding and Consensus

43	User-Defined Assets and Wrapped Assets

44	Comment on Generalized Value Commitments

45	Modifications to the Orchard circuit for the OrchardZSA Protocol