Zcash, backed by Grayscale, is about to make significant progress: a technical explainer of Halo on Zcash

Translator: Li Rongqiang, author of the public account "The Road to Certainty Investment".

Translator's note: Zcash currently has three protocol codenames: Sprout, Sapling, and the soon-to-be-deployed Halo 2. Each codename has its own shielded pool and address format, so these codenames are used directly in the translation below.

We are proud to introduce the features of this release, ZIP 224, which provides a way to bring Halo 2 to the Zcash network.

Halo 2, the zero-knowledge proof system invented and developed by ECC, removes the trusted setup, reduces the attack surface of the Zcash protocol, and strengthens the guarantee of the integrity of the total ZEC supply.

As the first release on the Halo 2 zero-knowledge platform, this makes future circuit upgrades possible without trusted-setup ceremonies, making the Zcash shielded protocol more agile in adapting to future upgrades, such as issuing other assets.

In addition, this release opens the way to proof aggregation and blockchain succinctness. These two scalability enhancements allow the Zcash protocol to keep pace with the times.

1. A Zcash protocol feature proposal

The first phase of the Halo 2 deployment in Zcash introduces a new shielded transaction protocol, which for the first time enables shielded transfers without relying on a trusted setup.

The functionality provided by this protocol will be very similar to that of Sapling; however, the proof system will use the Halo 2 technology stack.

This release introduces a new cycle of elliptic curves, Pallas and Vesta, which together are called the Pasta curves.
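The cycle property of the Pasta curves, as an added example that is not part of the original post: Pallas is y^2 = x^3 + 5 over F_p with group order q, and Vesta is the same equation over F_q with group order p. The moduli are the published pasta_curves parameters; the generator (-1, 2) and the textbook affine arithmetic are this example's own assumptions. Multiplying each generator by the other curve's modulus must give the point at infinity, which is the property Halo relies on to verify one curve's proofs inside a circuit over the other.

```python
# Added example: checking that the Pasta curves (Pallas, Vesta) form a 2-cycle.
# Pallas: y^2 = x^3 + 5 over F_p, order q; Vesta: same equation over F_q, order p.
# Moduli are the published pasta_curves parameters (2^254 plus a 128-bit tail).
P = (1 << 254) + 0x224698FC094CF91B992D30ED00000001
Q = (1 << 254) + 0x224698FC0994A8DD8C46EB2100000001
B = 5  # same curve coefficient on both curves

def on_curve(pt, mod):
    # Affine point check; None represents the point at infinity.
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + B)) % mod == 0

def add(p1, p2, mod):
    """Affine group law for y^2 = x^3 + B over F_mod (textbook, not constant-time)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % mod == 0:
        return None  # P + (-P) = infinity (also covers doubling a point with y = 0)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, mod) % mod
    else:
        lam = (y2 - y1) * pow((x2 - x1) % mod, -1, mod) % mod
    x3 = (lam * lam - x1 - x2) % mod
    y3 = (lam * (x1 - x3) - y1) % mod
    return (x3, y3)

def mul(k, pt, mod):
    # Double-and-add scalar multiplication.
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, mod)
        pt = add(pt, pt, mod)
        k >>= 1
    return acc

# (-1, 2) lies on both curves because (-1)^3 + 5 = 4 = 2^2; -1 is written as mod - 1.
G_PALLAS = (P - 1, 2)
G_VESTA = (Q - 1, 2)

def is_pasta_cycle():
    """True iff each curve's generator is killed by the other curve's modulus."""
    return (on_curve(G_PALLAS, P) and on_curve(G_VESTA, Q)
            and mul(Q, G_PALLAS, P) is None   # Pallas has group order q
            and mul(P, G_VESTA, Q) is None)   # Vesta has group order p
```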

The Pasta curves, a new cryptographic construction, are the result of ECC's continuous effort to ensure that Zcash benefits as much as possible from breakthrough cryptographic inventions. These innovations also improve security and performance.

The Pasta curves have been adopted by the Mir protocol and the Mina project (formerly Coda), and Mina's Ledger integration of the Pasta curves has been submitted to Zondax for use in a future Zcash Ledger integration. They are also included in the Arkworks Rust library.

This ZIP introduces a new shielded address format that uses the Pasta curves, and a new shielded pool.

The design and privacy features of this protocol are deliberately the same as Sapling's, in order to limit technical risk and keep the user experience simple.

Before the new protocol and implementation are ready, a third-party audit will be commissioned to strengthen confidence in the security of the new protocol and its implementation.

2. Shielded pools

If activated, this ZIP will create a third shielded pool for Zcash. Continuing the naming of our zk-SNARK technology stack, the first shielded pool is called Sprout and the second Sapling.

The new shielded pool will be protected by a turnstile, just as a turnstile was previously used for the transition between the Sprout and Sapling pools.

We will phase out the old shielded pools. This design lets us minimize privacy and engineering risks when deploying new privacy technology.

It encourages migration to a trustless proof system, which strengthens confidence in the integrity of the ZEC supply while reducing implementation complexity and Zcash's attack surface.

During the Canopy network upgrade, we deployed ZIP 211 to disable adding new coins to the old Sprout shielded pool.

Similarly, in a network upgrade following the activation of ZIP 224, we intend to deploy ZIP 219, which will likewise disable adding new coins to the old Sapling shielded pool.

The current Sprout-to-Sapling migration tool will be upgraded. After activation it will support migration from the Sprout shielded pool to the Halo shielded pool, as well as from the Sapling pool to the Halo pool.

3. Reducing metadata leakage

Drawing on experience from the Sprout and Sapling upgrades, this ZIP contains changes to reduce the leakage of metadata from the unencrypted parts of transactions.

This is achieved by combining spends and outputs into a single indistinguishable action, and by using a single anchor for all actions in a transaction.

4. The future of Zcash proofs

In the currently active Sapling protocol, the proof system is Groth16, the smallest and most efficiently verifiable zero-knowledge proof construction. In current zcashd, these proofs are under 200 bytes, and verifying a single transaction on its own takes about 7-10 milliseconds.

This is sufficient for the network's current scale, and this verification time is within the noise of network latency.

However, in the longer term this is not enough, especially considering some of Zcash's scalability use cases, such as user-defined assets (UDAs).

When we discuss acceptable verification time and transaction size in Zcash, the order of magnitude is not the deciding factor. What we need are proofs that support scalability techniques and programmability, such as carrying data inside the proofs.

These techniques allow proofs to be processed together, amortizing the time required to verify them. As a result, per-transaction verification cost and transaction size are reduced dramatically. Except in very limited circumstances, our existing proofs cannot support these techniques.

Our Halo 2 implementation supports these operations, which are indispensable tools for achieving scalability. Even without them, however, our current proof size and single-proof verification time are still sufficient for Zcash's use in the short term.

By removing the need for a trusted setup, this ZIP not only addresses concerns about the security of the original setup process, but also ensures that future changes, such as introducing user-defined assets (UDAs, i.e. issuing new tokens), will no longer require an MPC trusted-setup ceremony.

This makes such updates easier to implement on the Zcash network, while reducing the cost, risk and time of future upgrades. Compared with the current Groth16 pairing-based proofs, Halo relies on weaker and less complex cryptographic assumptions; Groth16 depends on pairing-based cryptography.

Although there is no urgent reason to worry about the BLS12-381 pairing currently used in the Zcash network, being able to rely on weaker security assumptions is welcome.

Achieving Zcash's scalability requires a large-scale redesign of Zcash's current protocols, not just the implementation of Halo 2 on Zcash.

Halo 2 will be a core component in the design of those protocols. In the near future, we will use Halo 2's features to reduce on-chain bandwidth and verification time through transaction aggregation.

Ultimately, these features can also allow us to implement a fully succinct blockchain, achieve near real-time synchronization, and give light clients full-node-level security guarantees.

5. Performance

From the moment Halo 2 was conceived, we have worked hard to ensure that we can address the scalability challenge and remove the trusted setup without reducing performance in any meaningful way.

Computationally, we believe Halo 2 is competitive with Sapling and may even outperform it, even though transactions will be larger.

In addition, Halo 2's accumulation and aggregation features will allow us to greatly reduce transaction size in future scalability-focused releases.

Halo 2 proofs in shielded transactions will look a little different from those of the Groth16 proof system. Rather than creating a separate proof for each spend and output description as Groth16 does, Halo 2 creates all proofs together, so they share transaction size and proving time.

Roughly, a transaction with a single proof is a few kB in size, but the marginal size of additional proof material is much smaller, and the marginal verification time is negligible.

Such a shielded transaction can also carry several kB of memo data without a significant increase in transaction size. Verifying a single transaction on a single thread takes about 30 milliseconds, which is somewhat worse than Groth16 for single-proof verification.

But unlike Groth16 proofs, which require a lot of serial work, our proofs can be verified in parallel and scale with the number of available threads.

With only 3-4 threads working in parallel, Halo 2's performance is close to Groth16's; with more threads, Halo 2 will perform better on the Zcash network.

6. Implementation

We explain the impact for different types of users. In general, for all user types, this feature upgrade carries the risk of new bugs or unanticipated design flaws, which is true of any network upgrade feature.

In addition, since Sapling will remain an active pool, when the network upgrade that includes ZIP 224 activates, you can continue to use Sapling addresses, or integrate with Sapling shielded addresses, instead of upgrading to a supporting version of zcashd or our mobile wallet SDK.

Users who rely directly on zcashd or our wallet SDK, as well as those with no complex end-user-experience requirements, should find the implementation relatively simple.

(1) For mining pool operators

To use a new ZIP 224 address as the shielded mining address, the operator only needs to set the corresponding -mineraddress parameter.

For payees using the new ZIP 224 shielded addresses, the mining pool operator does not need to change anything in order to send to them.

(2) Wallet providers

Wallet providers that use our SDK, such as Nighthawk and Unstoppable, only need to upgrade to the corresponding supported version and will automatically get the newly released ZIP 224 features. Additional work is needed in user-interface code to accommodate ZIP 224 addresses.

(3) Exchanges and hardware wallet users

Exchanges such as Gemini that support Sapling shielded withdrawal addresses will need to add support for ZIP 224 format addresses. Zondax will also need to add support to the Ledger integration, but Mina's existing Ledger support for the Pasta curves will help Zondax's work.

(4) For developers

The ZIP 224 implementation benefits from ECC's cryptographic engineering expertise, built up through deploying ZKP technology at multiple levels.

Combined with ECC's work on the shielded wallet SDK, we believe this updated technology will be easier to deploy and integrate than the current Zcash Sapling version.

(5) Current ZEC holders

Current ZEC holders can use the migration tool mentioned above, or the standard transfer mechanism in use today, to move their funds to the new shielded pool.

(6) Block explorers

Block explorers must change how they calculate Zcash's total supply, and correspondingly parse and display details of ZIP 224 transfers.

Original link:
https://electriccoin.co/blog/technical-explainer-halo-on-zcash/

Are you familiar with Zcash's technology? What do you think of it? Feel free to share your opinion in the comments.


——End——

Disclaimer: This article is the author's independent point of view and does not represent the position of Vernacular Blockchain. This content is only for the popular-science learning and exchange of crypto enthusiasts and does not constitute investment opinions or advice. Please treat it rationally, form your own judgment, and be aware of the risks. The copyright of the article and the right of final interpretation belong to Vernacular Blockchain.


Origin blog.csdn.net/mrRqAEr7ci9s2v0/article/details/112597708