[WIP]Feat/zcash #1366

Draft: wants to merge 28 commits into base: master

soralit (Contributor) commented Sep 26, 2024

Keystone Zcash UR Registries

This protocol is based on Uniform Resources (UR). It describes the data schemas (UR Registries) used in Zcash integrations.

Introduction

Keystone's QR workflow involves two main steps: linking the wallet and signing data, broken down into three sub-steps:

  1. Wallet Linking: Keystone generates a QR code with public key info for the Watch-Only wallet to scan and import.
  2. Transaction Creation: The Watch-Only wallet creates a transaction and generates a QR code for Keystone to scan, parse, and display.
  3. Signing Authorization: Keystone signs the transaction, displays the result as a QR code for the Watch-Only wallet to scan and broadcast.

Two UR Registries are needed for these steps, utilizing the Partially Created Zcash Transaction structure.

Zcash Accounts

Unified Full Viewing Key (UFVK)

UFVK is a standard account expression format in Zcash as per ZIP-316. It consists of:

  1. Transparent
  2. Sprout
  3. Sapling
  4. Orchard

This protocol focuses on the Transparent and Orchard components.

CDDL for Zcash Accounts

The specification uses CDDL and includes crypto-hdkey and crypto-key-path specs defined in https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-007-hdkey.md.

```cddl
zcash-accounts = {
    seed-fingerprint: bytes .size 32, ; the seed fingerprint specified by ZIP-32 to identify the wallet
    accounts: [+ zcash-ufvk],
    ? origin: text, ; source of data, e.g., Keystone
}

zcash-ufvk = {
    ? transparent: crypto-hdkey,
    orchard: zcash-fvk,
    ? name: text,
}

zcash-fvk = {
    key-path: crypto-key-path,
    key-data: bytes,
}
```

zcash-ufvk describes the UFVK of a Zcash account. Each seed has multiple accounts with different indexes. For index 0, zcash-ufvk should contain a BIP32 extended public key with path M/44'/133'/0' (transparent) and an Orchard FVK with path M_orchard/32'/133'/0' (Orchard).

CDDL for Zcash PCZT

```cddl
zcash-pczt = {
    data: bytes, ; Zcash PCZT, signatures inserted after signing.
}
```

soralit marked this pull request as draft September 26, 2024 02:15

```cddl
zcash-accounts = {
master-fingerprint: uint32, ; the master fingerprint to identify the wallet

ZIP 32 specifies a 16-byte seed fingerprint: https://zips.z.cash/zip-0032#seed-fingerprints
It's a byte array so endian-independent.

Contributor Author

It's good to use this seed fingerprint instead.

}
```

`zcash-ufvk` describes the UFVK of a Zcash account. Each seed has multiple accounts with different indexes. For index 0, `zcash-ufvk` should contain a BIP32 extended public key with path `M/44'/133'/0'` (transparent) and an Orchard FVK with path `M_orchard/32'/133'/0'` (Orchard).

Specify that:

133' is for mainnet. Like other coins, we use 1' for testnet as specified in SLIP 44.
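
A check an importing wallet could run on the two key paths of a `zcash-ufvk`, written here as an added example that is not code from this PR. It assumes the textual path forms quoted above, purpose 44' (transparent) and 32' (Orchard), and coin type 133' on mainnet or 1' on testnet; all function and type names are hypothetical.

```rust
// Added example, not code from the PR; purposes and coin types are those named in the thread.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Network { Main, Test }

const HARDENED: u32 = 1 << 31;

/// Parse "M/44'/133'/0'" or "M_orchard/32'/133'/0'" into (is_orchard, raw indexes).
pub fn parse_path(path: &str) -> Result<(bool, Vec<u32>), String> {
    let mut parts = path.split('/');
    let is_orchard = match parts.next() {
        Some("M") => false,
        Some("M_orchard") => true,
        other => return Err(format!("unknown path root: {:?}", other)),
    };
    let mut indexes = Vec::new();
    for part in parts {
        let digits = part.strip_suffix('\'').unwrap_or(part);
        let hardened = digits.len() != part.len();
        let n: u32 = digits.parse().map_err(|_| format!("bad component: {}", part))?;
        if n >= HARDENED { return Err(format!("index out of range: {}", part)); }
        indexes.push(if hardened { n | HARDENED } else { n });
    }
    Ok((is_orchard, indexes))
}

/// Check an account-level path for one pool and network; return the account index.
pub fn check_account_path(path: &str, orchard: bool, net: Network) -> Result<u32, String> {
    let (is_orchard, idx) = parse_path(path)?;
    let purpose = if orchard { 32 } else { 44 };
    let coin = match net { Network::Main => 133, Network::Test => 1 };
    if is_orchard != orchard || idx.len() != 3 || idx.iter().any(|i| i & HARDENED == 0) {
        return Err(format!("not a hardened 3-level path for this pool: {}", path));
    }
    if idx[0] ^ HARDENED != purpose || idx[1] ^ HARDENED != coin {
        return Err(format!("expected {}'/{}' on {:?}: {}", purpose, coin, net, path));
    }
    Ok(idx[2] ^ HARDENED)
}

/// The optional transparent path and the Orchard path of one zcash-ufvk must agree.
pub fn check_ufvk_paths(t: Option<&str>, o: &str, net: Network) -> Result<u32, String> {
    let account = check_account_path(o, true, net)?;
    let t_account = t.map(|p| check_account_path(p, false, net)).transpose()?;
    if t_account.map_or(false, |a| a != account) {
        return Err("transparent and Orchard paths name different accounts".to_string());
    }
    Ok(account)
}

fn main() { println!("{:?}", check_ufvk_paths(Some("M/44'/133'/0'"), "M_orchard/32'/133'/0'", Network::Main)); }
```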

soralit (Contributor Author) commented Oct 8, 2024

Latest protocol is updated in the code base.

daira commented Oct 8, 2024

//is versionGroupId still needed?

The purpose of versionGroupId is to unambiguously identify the transaction format even if version numbers are reused across Zcash forks, and that's still relevant for PCZTs.

I think we'd want to include Sapling components even if it isn't supported for Keystone, because it is needed for other applications of PCZTs.

Contributor Author

Added a proto file. Also added the sapling definitions.

soralit force-pushed the feat/zcash branch 3 times, most recently from 9cda39e to 90596a9, October 9, 2024 09:38

I see that the barred Z is transparent. I think that's correct in that it should be white in light mode and black in dark mode (see "Horizontal logos" or "Vertical logos" at https://z.cash/press/ ).


This is probably not going to work in light mode, because the Zashi logo and name are in white.

soralit force-pushed the feat/zcash branch 3 times, most recently from 13f57a2 to a809fdc, October 14, 2024 05:31
soralit force-pushed the feat/zcash branch 2 times, most recently from 515890a to ea142af, November 5, 2024 10:13
soralit force-pushed the feat/zcash branch 3 times, most recently from 6786374 to 65ec54c, December 10, 2024 10:06
Comment on lines +80 to +86
if target.public_key().serialize().to_vec()
!= input.script_pubkey().clone()
{
return Err(ZcashError::InvalidPczt(
"transparent input script pubkey mismatch".to_string(),
));
}
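
Review bot: in the `if` condition, `target.public_key().serialize()` is a public key encoding while `input.script_pubkey()` is a script, so the two byte strings are different kinds of object and the inequality holds for any P2PKH input; compare the script that the key implies (or the key hash inside the script) instead. The `.to_vec()` and `.clone()` calls also allocate only for the comparison; comparing slices avoids both.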

I have not confirmed the alterations to your vendored code, but if target here has type bip32::ExtendedPublicKey<secp256k1::PublicKey> (like it does inside zcash_primitives::legacy::keys::AccountPubKey) then there is a bug here: you are comparing the serialized public key to the script_pubkey, but for P2PKH scripts the serialized public key appears in the script_sig; only its hash is present in script_pubkey.

Comment on lines +57 to +61
match script.address() {
Some(TransparentAddress::PublicKeyHash(hash)) => {
let pubkey = input.bip32_derivation().keys().find(|pubkey| {
return hash[..] == Ripemd160::digest(Sha256::digest(pubkey))[..];
});
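
Review bot: the `.find(...)` call yields an `Option`, and the lines shown do not say what happens when no key in `input.bip32_derivation()` matches `hash`; handle the `None` case explicitly so an input with no matching derivation entry cannot pass unchecked. The closure body can also drop the explicit `return` and trailing semicolon, as the output-side lookup does.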

Similarly, this check is incorrect:

  • hash is the hash of the script_pubkey
  • input.bip32_derivation() contains a map from the encoded public key to its derivation.

This follows PSBT semantics (from BIP 174) where the derivation map lists encoded keys; bip32_derivation is not a map from script_pubkey to derivation path. This is because a P2SH script may contain multiple such keys and require multiple signatures. A P2PKH script happens to only contain one, but for symmetry the PCZT format treats it the same way (like PSBT).

Comment on lines +112 to +117
match script.address() {
Some(TransparentAddress::PublicKeyHash(hash)) => {
let pubkey = output
.bip32_derivation()
.keys()
.find(|pubkey| hash[..] == Ripemd160::digest(Sha256::digest(pubkey))[..]);
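
Review bot: this lookup repeats the input-side one at lines +57 to +61 expression for expression; moving the `Ripemd160::digest(Sha256::digest(pubkey))` comparison into one helper shared by inputs and outputs keeps the two copies from drifting when the check is revised.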

This is similarly incorrect.

Comment on lines +136 to +142
if target.public_key().serialize().to_vec()
!= output.script_pubkey().clone()
{
return Err(ZcashError::InvalidPczt(
"transparent output script pubkey mismatch".to_string(),
));
}
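
Review bot: the condition is the input-side comparison from lines +80 to +86 with `output` substituted, so it needs the same correction; since only one word of the error string differs, a single function taking the script and a label would let both call sites share the fix.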

This is similarly incorrect.
