WIP unfinished changes

zcash · Nov 8, 2024 · eb4275f · eb4275f
1 parent 615e262
commit eb4275f
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 0 deletions.
diff --git a/pczt/src/lib.rs b/pczt/src/lib.rs
@@ -1,20 +1,68 @@
 //! The Partially Created Zcash Transaction (PCZT) format.
 //!
+//! General flow for creating a shielded transaction:
+//! - Create "unsigned transaction"
+//!   - In practice means deciding on the global parts of the transaction
+//! - Collect each output
+//!   - Proofs can be created at this time
+//! - Decide on an anchor
+//!   - All spends should use the same anchor for indistinguishability
+//!   - In a future transaction version, all spends will be required to do so
+//! - Collect each spend
+//!   - Proofs can and should be created at this time
+//! - Create proofs for each spend and output
+//!   - Data necessary for proofs can be stripped out of the format
+//! - Collect proofs
+//! - Distribute collected data to signers
+//!   - Signers must verify the transaction before signing, and reject if not satisfied.
+//!   - This is the no-turning-back point regarding spend authorization!
+//! - Collect signatures
+//! - Create binding signature
+//!   - The party that performs this does not need to be trusted, because each signer
+//!     has verified the transaction and signed it, so the bindingSig can only be
+//!     computed over the same data if a valid transaction is to be created.
+//! - Extract final transaction
+//!
 //! Goal is to split up the parts of creating a transaction across distinct entities.
 //! The entity roles roughly match BIP 174: Partially Signed Bitcoin Transaction Format.
 //! - Creator
 //!   - Creates the base PCZT with no information about spends or outputs.
 //! - Constructor
 //!   - Adds spends and outputs to the PCZT.
+//!   - Before any input or output may be added, the constructor must check the
+//!     PSBT_GLOBAL_TX_MODIFIABLE field. Inputs may only be added if the Inputs Modifiable
+//!     flag is True. Outputs may only be added if the Outputs Modifiable flag is True.
 //!   - A single entity is likely to be both a Creator and Constructor.
+//! - IO Finalizer
+//!   - Sets the appropriate bits in PSBT_GLOBAL_TX_MODIFIABLE to 0. (TODO fix up)
+//!   - Inspects the inputs and outputs throughout the PCZT and picks a transaction
+//!     version that is compatible with all of them (or returns an error).
+//!   - Updates the various bsk values using the rcv information from spends and outputs.
+//!   - This can happen after each spend or output is added if they are added serially.
+//!     If spends and outputs are created in parallel, the IO Finalizer must act after
+//!     the Combiner.
+//! - Updater
+//!   - Adds information necessary for subsequent entities to proceed, such as key paths
+//!     for signing spends.
+//! - Redactor
+//!   - Removes information that is unnecessary for subsequent entities to proceed.
+//!   - This can be useful e.g. when creating a transaction that has inputs from multiple
+//!     independent Signers; each can receive a PCZT with just the information they need
+//!     to sign, but (e.g.) not the `alpha` values for other Signers.
 //! - Prover
 //!   - Needs all private information for a single spend or output.
 //!   - In practice, the Updater that adds a given spend or output will either act as
 //!     the Prover themselves, or add the necessary data, offload to the Prover, and
 //!     then receive back the PCZT with private data stripped and proof added.
 //! - Signer
 //!   - Needs the spend authorization randomizers to create signatures.
+//!   - Needs sufficient information to verify that the proof is over the correct data.
+//!     without needing to verify the proof itself.
 //!   - A Signer should only need to implement:
+//!     - Pedersen commitments using Jubjub arithmetic (for note and value commitments)
+//!     - BLAKE2b and BLAKE2s (and the various PRFs / CRHs they are used in)
+//!     - Nullifier check (using Jubjub arithmetic)
+//!     - KDF plus note decryption (AEAD_CHACHA20_POLY1305)
 //!     - SignatureHash algorithm
 //!     - Signatures (RedJubjub)
 //!     - A source of randomness.
@@ -34,6 +82,9 @@
 //!         the PCZT, with spendAuthSigs and bindingSig empty, and then enforcing equality.
 //!       - This is equivalent to BIP 147's equality definition (the partial transactions
 //!         must be identical).
+//! - Spend Finalizer
+//!   - Currently unnecessary, but when shielded multisig is implemented, this would be the
+//!     entity that combines the separate signatures into a multisignature.
 //! - Transaction Extractor
 //!   - Creates bindingSig and extracts the final transaction.
 

diff --git a/pczt/src/orchard.rs b/pczt/src/orchard.rs
@@ -147,6 +147,8 @@ pub(crate) struct Spend {
     /// being spent.
     pub(crate) zip32_derivation: Option<Zip32Derivation>,
 
+    // TODO FROST
+
     pub(crate) proprietary: BTreeMap<String, Vec<u8>>,
 }
 

diff --git a/pczt/src/sapling.rs b/pczt/src/sapling.rs
@@ -114,6 +114,8 @@ pub(crate) struct Spend {
     /// being spent.
     pub(crate) zip32_derivation: Option<Zip32Derivation>,
 
+    // TODO FROST
+
     pub(crate) proprietary: BTreeMap<String, Vec<u8>>,
 }