Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ZIP 307] Light Client Protocol for Payment Detection #226

Closed
wants to merge 10 commits into from

Conversation

str4d
Copy link
Collaborator

@str4d str4d commented Apr 11, 2019

==========

Currently a client that wishes to send or receive shielded payments must be a full node
participanting in the Zcash network. This requires an amount of available bandwidth,
Copy link
Contributor

@rex4539 rex4539 Apr 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
participanting in the Zcash network. This requires an amount of available bandwidth,
participating in the Zcash network. This requires an amount of available bandwidth,

is, the proxy should not learn which transactions (received from the blockchain) are
addressed to a given light wallet. If we further assume network privacy (via Tor or
similar), the proxy should not be able to link different connections or queries as
deriving from the the same wallet.
Copy link
Contributor

@rex4539 rex4539 Apr 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
deriving from the the same wallet.
deriving from the same wallet.


A key observation in this protocol is that the current zcashd encrypted field is several
hundred bytes long, due to the inclusion of a transaction “memo”. The need to download
this entire field imposes a substantial bandwidth cost on each light wallets, which may be
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: "on each light wallets"

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
this entire field imposes a substantial bandwidth cost on each light wallets, which may be
this entire field imposes a substantial bandwidth cost on each light wallet instance, which may be

this entire field imposes a substantial bandwidth cost on each light wallets, which may be
a limited mobile device on a restricted-bandwidth plan. While more efficient techniques
can be developed in the future, for the moment we propose ignoring the memo field during
payment detection. Futhermore, we can also ignore any information that is not directly
Copy link
Contributor

@rex4539 rex4539 Apr 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
payment detection. Futhermore, we can also ignore any information that is not directly
payment detection. Furthermore, we can also ignore any information that is not directly

========================

This proposal is supported by a set of libraries and reference code made available by the
Zcash Company.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Zcash Company -> Electric Coin Company

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Zcash Company.
Electric Coin Company.

@@ -0,0 +1,612 @@
::

ZIP: XXX
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ZIP: XXX -> ZIP: 307

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ZIP: XXX
ZIP: 307

@acityinohio
Copy link
Contributor

Concept ACK

@daira
Copy link
Collaborator

daira commented May 20, 2019

Concept ACK. This looks like it's not ready for merge yet (missing references, TODOs that should be resolved).


- let sharedSecret = KA\ :sup:`Sapling`\ .Agree(*ivk*, *epk*)
- let K\ :sup:`enc` = KDF\ :sup:`Sapling`\ (sharedSecret, *epk*)
- let P\ :sup:`enc` = ChaCha20.Decrypt\ :sub:`K^enc`\ (*ciphertext*)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not specified precisely enough. The intent is to perform the decryption as it would be performed by IETF_AEAD_CHACHA20_POLY1305, but this involves decrypting with the block counter starting from 1. Since ChaCha20 is not defined at all, it's not clear that the block counter should start with 1.

I suggest adding a definition like this:

Let ChaCha20.Decrypt\ :sub:`K^enc`\ (*initialCounter*, *ciphertext*) be the
decryption of *ciphertext* with key K^enc, initial counter value *initialCounter*,
and all-zero nonce, as specified in section 2.4 of [#RFC7539]_.

and then use ChaCha20.DecryptK^enc(1, ciphertext).

@daira daira force-pushed the master branch 10 times, most recently from fff4d5c to f5af3a3 Compare August 6, 2019 00:56
@daira
Copy link
Collaborator

daira commented Jun 29, 2020

Published at https://zips.z.cash/zip-0307 .

@daira daira closed this Jun 29, 2020
@r3ld3v r3ld3v added this to the Core Sprint 2020-25 milestone Jun 29, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants