2 unstable releases

0.1.0 Dec 17, 2024
0.0.0 Oct 8, 2024

#4 in #spend

MIT/Apache

455KB
7K SLoC

pczt

TBD

License

Licensed under either of

  • Apache License, Version 2.0
  • MIT license

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


lib.rs:

The Partially Created Zcash Transaction (PCZT) format.

The goal is to split the work of creating a transaction across distinct entities. The entity roles roughly match those of BIP 174: Partially Signed Bitcoin Transaction Format.

  • Creator (single entity)
    • Creates the base PCZT with no information about spends or outputs.
  • Constructor (anyone can contribute)
    • Adds spends and outputs to the PCZT.
    • Before any input or output may be added, the constructor must check the Global.tx_modifiable field. Inputs may only be added if the Inputs Modifiable flag is True. Outputs may only be added if the Outputs Modifiable flag is True.
    • A single entity is likely to be both a Creator and Constructor.
  • IO Finalizer (anyone can execute)
    • Sets the appropriate bits in Global.tx_modifiable to 0.
    • Updates the various bsk values using the rcv information from spends and outputs.
  • Updater (anyone can contribute)
    • Adds information necessary for subsequent entities to proceed, such as key paths for signing spends.
  • Prover (capability holders can contribute)
    • Needs all private information for a single spend or output.
    • In practice, the Updater that adds a given spend or output will either act as the Prover itself, or add the necessary data, offload proving to a Prover, and then receive back the PCZT with the private data stripped and the proof added.
  • Signer (capability holders can contribute)
    • Needs the spend authorization randomizers to create signatures.
    • Needs sufficient information to verify that the proof is over the correct data, without needing to verify the proof itself.
    • A Signer should only need to implement:
      • Pedersen commitments using Jubjub / Pallas arithmetic (for note and value commitments)
      • BLAKE2b and BLAKE2s (and the various PRFs / CRHs they are used in)
      • Nullifier check (using Jubjub / Pallas arithmetic)
      • KDF plus note decryption (AEAD_CHACHA20_POLY1305)
      • SignatureHash algorithm
      • Signatures (RedJubjub / RedPallas)
      • A source of randomness.
  • Combiner (anyone can execute)
    • Combines several PCZTs that represent the same transaction into a single PCZT.
  • Spend Finalizer (anyone can execute)
    • Combines partial transparent signatures into script_sigs.
  • Transaction Extractor (anyone can execute)
    • Creates bindingSig and extracts the final transaction.

Dependencies

~3.5–8MB
~147K SLoC