[WIP]Feat/zcash

[soralit]

Keystone Zcash UR Registries

This protocol is based on the Uniform Resources. It describes the data schemas (UR Registries) used in Zcash integrations.

Introduction

Keystone's QR workflow involves two main steps: linking the wallet and signing data, broken down into three sub-steps:

1. Wallet Linking: Keystone generates a QR code with public key info for the Watch-Only wallet to scan and import.
2. Transaction Creation: The Watch-Only wallet creates a transaction and generates a QR code for Keystone to scan, parse, and display.
3. Signing Authorization: Keystone signs the transaction, displays the result as a QR code for the Watch-Only wallet to scan and broadcast.

Two UR Registries are needed for these steps, utilizing the Partially Created Zcash Transaction structure.

Zcash Accounts

Unified Full Viewing Key (UFVK)

UFVK is a standard account expression format in Zcash as per ZIP-316. It consists of:

1. Transparent
2. Sprout
3. Sapling
4. Orchard

This protocol focuses on the Transparent and Orchard components.

CDDL for Zcash Accounts

The specification uses CDDL and includes crypto-hdkey and crypto-key-path specs defined in https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-007-hdkey.md.

zcash-accounts = {
    seed-fingerprint: bytes.32, ; the seed fingerprint specified by ZIP-32 to identify the wallet
    accounts: [+ zcash-ufvk],
    ? origin: text, ; source of data, e.g., Keystone
}

zcash-ufvk = {
    ? transparent: crypto-hdkey,
    orchard: zcash-fvk,
    ? name: text,
}

zcash-fvk = {
    key-path: crypto-key-path,
    key-data: bytes,
}

zcash-ufvk describes the UFVK of a Zcash account. Each seed has multiple accounts with different indexes. For index 0, zcash-ufvk should contain a BIP32 extended public key with path M/44'/133'/0' (transparent) and an Orchard FVK with path M_orchard/32'/133'/0' (Orchard).

CDDL for Zcash PCZT

zcash-pczt {
    data: bytes, ; Zcash PCZT, signatures inserted after signing.
}

[soralit]

Latest protocol is updated in the code base.

[daira]

//is versionGroupId still needed?

The purpose of versionGroupId is to unambiguously identify the transaction format even if version numbers are reused across Zcash forks, and that's still relevant for PCZTs.

I think we'd want to include Sapling components even if it isn't supported for Keystone, because it is needed for other applications of PCZTs.

[daira]

This is probably not going to work in light mode, because the Zashi logo and name are in white.

[str4d]

This TODO still needs addressing by someone with access to the TRNG documentation, in particular to confirm that ret will never be negative. (Also to confirm that ret = 0 means success, but I think that's the case as otherwise this function would have been consistently returning an error.)

[soralit]

Just checked the ret is asserted in the SE driver level so the error code should always be SUCCESS_CODE(0) here.

[str4d]

Reviewed as of d41a8f2. This is not a full review or audit of the PR, just what I had time to look over.

[str4d]

This currently puts an upper limit of 256 accounts (2^8, vs the total possible 2^31), which is fine for now (given that only account 0 is supported at present) assuming that this cache struct can be altered later.

[str4d]

The Keystone device is generating the UFVKs, so the limit here only needs to encompass the data those UFVKs will contain:

• Orchard: 96 bytes (+ 2 for TLV overhead)
• Transparent: 65 bytes (+ 2 for TLV overhead)
• HRP padding: 16 bytes
• Total: 181 bytes
• Bech32 encoding: 6 + (181*8/5) + 6 = 302 characters

A limit of 384 bytes leaves plenty of overhead for e.g. metadata.

[str4d]

This file is only used by rust/apps/zcash/src/pczt/sign.rs, so if desired we could move this file there, and remove rust/zcash_vendor entirely (moving its relevant imports into the other crates). Non-blocking, I might look at this refactor separately.

[str4d]

I'm adding an orchard::pczt::Zip32Derivation::extract_account_index API in zcash/orchard#449 that can replace this in future.

[str4d]

This can in future be replaced by checking the output of Zip32Derivation::extract_account_index once the firmware is upgraded to an orchard release containing zcash/orchard#449.

[str4d]

The user_address field of the Orchard action output is currently checked in pczt::parse::parse_orchard_output. We could instead move that check to here, given that action.output().recipient() is confirmed to be present if verify_note_commitment passes. Then all that parse_orchard_output would be checking is that the decrypted note's recipient matches action.output().recipient() (unless that is also moved here per the TODO below).

[str4d]

I meant to note that I did later see the comment about CPU management being why this was done later. I'd be interested to know what specifically is the CPU bottleneck.

[str4d]

This is going to prevent users from sending Keystone-controlled funds to P2SH addresses, which should be fixed at some point (the PCZT format does allow it). The same checking should be applied to user_address in that case as above, but instead that it matches Receiver::P2sh(hash).

[str4d]

This will prevent creation of transactions where one of the inputs is a P2PKH coin controlled by a Keystone device, and another input is a P2SH coin. It will also prevent users from manually constructing e.g. P2SH multi-sig addresses where one of the pubkeys is controlled by a Keystone device.

Unlike on the output side, I think this limitation is fine for now; Zashi doesn't support creating these kinds of transactions. But it might be something to consider for future firmware updates.

[str4d]

Currently total_transfer_value will be completely incorrect if has_sapling = true. It should at a minimum include the Sapling bundle's value_sum in the calculation; that value is included in the sighash, and thus even if it hasn't been checked to match the individual Sapling spends and outputs, it can still be "trusted" (because any change to it by the online wallet would invalidate the signature).

[str4d]

This is subtly incorrect: rather than only stripping trailing nul bytes from the memo bytes, it is stripping every nul byte from the memo bytes. nul is a valid byte in UTF-8 (as part of the NUL character).

If a NUL character cannot be included in rendered memo strings (if Keystone requires C-strings), then it should be replaced with an appropriate Unicode replacement character.

[soralit]

I aim to remove until the first non-zero value but implement a wrong one.