A Proposal for Shielded Assets (ZSA/UDA) for DeFi on Zcash

Yesss, this is fantastic news :tada: Congratulations to the QEDIT team!

24 Likes

Amazing, congrats to all!

6 Likes

Thank you @decentralistdan for the news!
We are very excited to get things started. It will take us a couple of weeks to truly get going (as the team gets freed from previous commitments), but we are starting to imagine how the interaction with the community will look like, to ensure that we gain consensus on the feature’s usability and applications.

And of course, we will post monthly updates to the forum, and most likely more than just monthly as we hope to interact often with the community (at least in the first few months of the project).

Please do let us know how to move forward with the formalization of the grant and KYC requirements? Feel free to email me the details if it is easier.

Let’s build these shielded assets!!!

13 Likes

I love it.
Will be the cover of the kick-off post in a couple of weeks jaja

4 Likes

I wouldn’t expect that the zcashd and Zebra implementations have to be completely independent. A lot of the Rust libraries can be shared; Zebra already shares the circuit code in zcash_proofs, for example.

9 Likes

Going live on TwitterSpaces in 50minutes!

https://twitter.com/i/spaces/1gqxvldXArnGB

8 Likes

Yay it lets me listen without logging in, cool!

4 Likes

Fyi: The Twitter app doesn’t like the link for recording on my phone. Works if I search for it or put link in browser.

1 Like

Issuance

TLDR; we should consider only allow for a single issuance of assets at asset creation time. My understanding of the issuance discussion was that allowing for multiple issuance calls was one of the likely options. That might be the best option but I want to make sure the team has thoroughly thought through if there are actually any benefits or if we are just complicating ZSAs for the sake of having nice sounding “issue” function.

It might be better for users to issue large amounts of assets at ZSA creation and disperse them as needed from a single/multisig address.

There are a few concerns I have with multiple issuance:

  • How does an owner of “wrapped Bitcoin” transfer the issuance keys to a new owner?
  • We can barely trust certificate authorities to never leak private keys let alone a $1B wrapped Bitcoin asset.
  • It adds extra consensus rules
  • There’s a meaningful amount of work for providers, exchanges, explorers, wallets, developers, and users to adapt to the idea of multiple issuance.
  • When we implement DAOs we have the extra complexity of DAOing transfers AND issuance.
  • How does burning work?

Single issuance answers a few of these questions:

  • An owner of “wrapped Bitcoin” can transfer the remaining issuance holding to a new owners address.
  • If the owner of “wrapped Bitcoin” was worried about the safety of their private keys (e.g. hardware lost/compromised) they can transfer assets to new address (with their backup).
  • Single issuance during asset creation simplifies implementation of ZSAs and reduces surface area for attack/audit.
  • Single issuance would mean explorers/wallets don’t have to worry about the UX concerns of multiple issuance.
  • Zcash DAOs might be simpler to implement if only having to deal with transactions and not issuance.
  • In most cases sending an asset back to the asset disperser/DAO would be equivalent to a burn.

Unfortunately we don’t have DAO like structures yet but I imagine sometime in the future we have something similar to ZSA-addresses.

I feel like multiple issuance adds unnecessary complexity to implementing DAOs. For example could a ZSA-address control issuance?

4 Likes

Reflecting on my reply if we were to have multiple issuance we need to make sure we implement burning correctly. If we advocate issuance should be transparent (in some way) we should have a native (and simple) transparent burn too.

3 Likes

I very much agree with the idea of keep it simple and I share your worry things will get complex. But I think its needless complexity we can eliminate and I think single issuance in the way you suggest would actually result in more work.

Each ZSA requires an identifier. The simplest way to do that is have it be the hash of the public key you sign the issuance statement with. Absent adding global state keeping and consensus rules, that allows unlimited issuance. (Ideally, we’d support keys and sigs people can already custody in hardware)

The easiest way to allow single issuance would be to support the same signing key as identifier trick, but append/prepend the blockhash its issued in before hashing.

Moreover, I suspect multi issuance is a key thing if you wanted to have, for example, shielded tether. The alternative would end up hurting privacy: whenever tether wanted to issue more, they’d have to make another distinct ZSA. This is a fungibility and privacy issue.

6 Likes

Reducing complexity is always good :+1:.

This is the part I haven’t grasped yet. What’s the difference between multiple issuance and tether performing a single issuance with the max amount (2^56?) assets to a transparent-like address and transfering them out when required?

  • Both create visible on-chain actions
  • Both are controlled by a private keys
  • Both can be used to calculate the effective issuance

My understanding was this would be easier to implement then multiple issuance. If that’s not the case I stand corrected.

1 Like

In the case of single issuance I think the biggest benefit is at least tether could transfer any uncirculated assets to a new address if needed. Not sure it’ll be possible to transfer an “issuance” address in this MVP?

1 Like

Are you referring to the DAO mechanism I mentioned? Yes I think that’s a lot of work and am sure there are better solutions so let’s ignore that part :person_facepalming:.

The only aspect I’m still unclear of is what benefits we get from multiple issuance over a single max issuance to a transparent-like address and dispersing them as required.

But if multiple issuance doesn’t add that much extra complexity I’m happy to take your word for it :slightly_smiling_face:. My intuition is telling me multiple issuance adds just enough complexity it’ll create a little snowball effect which adds complexity all the way down the chain but like you said maybe it’s manageable? I was just curious if there was any actual benefit or is just “easy enough” we may as well do it anyways?

1 Like

Oh, if you assume theres both transparent issuance and a pending state before it gets shielded, yes you can do that. At least pre QEDIT, no one had proposed that and I don’t think QEDIT did either. But this just moves all the problems you worried about + managing a pending state to this transparent asset.

Popping up a level: I agree, the thing we do need to avoid, and I think this is what you’re getting at more generally, is complexity. ZSAs should be as minimalist a feature as possible. And making a complicated feature seems like a real risk. Preventing that will require constantly proposing alternatives and seeing if we can get something radically simpler (maybe by dropping a requirement).

In particular, we should avoid adding a very complex state machine to handle multiple issuance (as i said above, I think thats possible), key rotation, and whatever other features are deemed necessary.

Luckily I think this is doable. And I think we can make a system that only requires a tiny amount of simple state kept in a UTXO. No global state or smart contracts. Just a local object that you can do two things with 1) issue new units of currency under the objects identifier (if it was created to allow that) by signing under an associated key 2) replace the key that allows issuance (also by signing under and associated key)

5 Likes

The thing i’d ask both @GGuy and everyone else, is track what the features are for ZSAs and then see if you can propose a simpler way of doing it. Ideally dropping no features, possibly dropping at most one.

I’ve heard a part of the community wants issuance to not use transparent transactions.
So the amount of an issued asset in almost all cases needs to be public. So any method that extends Orchard TXs would have to do that. None the less, not using transparent has an appeal, both philosophically and technically: it doesn’t intrench tadds. And indeed, I think the inability for Zcash as a community to say, at some point in the distant future, taddrs should go away, is a major problem.

BUT, my guess is doing issuance (but again, fully shielded transactions) via transparent is radically simpler. We have an existing design for simple statekeeping via TZEs, so the engineering is simpler. Perhaps more importantly, tooling exists for signing bitcoin like transactions that partners can readily adapt.

To go the other way is to risk complicated features interacting with complicated cryptography. That’s not a good way to ship something on time or on budget.

4 Likes

Should these be combined into the issuance mechanism? An issuance specifies the subsequent (or same) key required for next issuance?

I imagine there is more in common between a transparent transaction and a transparent issuance then there is between a shielded transaction and a transparent issuance.

Maybe we need to consider where transparent transactions will exist in the future.

  • A seperate recursive proof based transparent pool?
  • Within a shielded pool?
  • Not at all?

I’d probably argue we’d want transparent issuance to happen in the same place transparent transactions happen.

1 Like

Hey @GGuy, I just saw this discussion and it is great.

We have not yet fleshed out all the challenges associated with a 2-step issuance, but we are also considering a 1-step issuance (currently the preferred option).

Essentially we are thinking about

  • issuance through an “output-only” note using the sapling or orchard structures, while ensuring that the encryption keys are always some 0 vector, known to all, or the viewing keys are provided (tbd what is more efficient / robust / easier to implement)
  • burning mechanism through a “spend-only” note in a similar fashion as the issuance. This would be very elegant in my opinion, but there is also the simpler version of just sending the tokens through a usual transfer to a pre-determined burn address that no one has the keys for.

In general I tend to agree with your pros/cons list, except that

  1. Even if a two-step issuance is more complicated to implement, it may allow for more flexibility in the future in terms of extending the issuance functionality (i.e.: describing issuance schedules, auctions, etc…), so we are also evaluating the extensibility
  2. Even if two-step issuance requires more consensus rules (i.e.: two transaction structures and the second one must match the first, etc…), the two-step would probably provide a more “secure” issuance mechanism as the first transaction would essentially register the tokens, sort of committing to them. In this respect, I am not sure what you mean by

Why would a two-step issuance imply easier leakage?

  1. I actually believe that the two-step issuance may be easier to track for explorers / wallets, as there is even more information that can be provided (e.g.: amount of assets in circulation vs the amount of assets to be put in circulation)

Regarding the ZSA addresses, we were also playing with the idea, and though it is in principle out of scope for the project, it is one of the use-cases that I am personally most excited about.
Having “contract-like” addresses in Zcash would not only enable DAO-like structures for funds to be controlled by some specific trigger or other, but also things like non-interactive atomic-swaps, fund locking mechanisms for DeFi, as liquidity providers / custodian addresses.

And regarding this

In fact, the first step issuance may be used to enable the ZSA-address to issue tokens as a DAO structure, whereas the one-step issuance may not.

8 Likes

ZSAs

I assume by two-step you are referring to a process whereby the second step is issuance and could happen more then once? With one-step I wasn’t sure if you were referring to a single issuance, multiple issuance, or both. I’ll assume multiple for my responses.

Two-Step

Using the past precedent that transactions can have outputs that have never been seen maybe that means issuance should too?

While I do agree two-steps would give us more flexibility I’m not sure these extra options need to be a compulsory first step. Rather it could be implemented as an optional first or second step. Hopefully that means any future additions of this as an optional first or second step shouldn’t break existing ZSA users if we only implement one-step for the MVP.

One-Step

One-step could support single or multiple issuance. In the case of multiple issuance I imagine the parameters could include the ID (random for a new asset?), the amount of the asset, and the subsequent issuance address thats allowed to issue more. This subsequent address could be the same or different to the previous issuer. Also if you wanted to announce an asset but not issue any just set amount to 0. Not sure if this would make things drastically simpler though.

We might also want to mark the first issuance in a one-step scenario so in the future we could take advantage of any optimisations that could be gained by partially or fully ignoring blocks before genesis of the asset in certain use-cases.

Burning

While I imagine it’s unlikely to be used in the near term I imagine if both were available a spend-only note could signify a recyclable asset (one that might be reissued) while a burn address would signify an asset that shouldn’t be reissued (as is the case today). So yes I also like the idea of a spend-only note to mark why that action is special.

Encryption/viewing keys

Don’t know what’s best. While hardcoding some known keys for this feels a bit hacky it’s probably not a bad hack, especially for an MVP :slightly_smiling_face:.

DAOs

I imagine, as mentioned above, a one-step approach could specify a DAO as the next address with a 0 issuance. In the future we could allow for that optional “setup” step to configure more complex configurations/options.

Changing/Revoking issuance keys

I made this statement assuming issuance keys can have a long life and can’t be easily changed or revoked. CAs feel similar as they could also be thought of as two-step.

  1. Creation of root certificate
  2. Issuance of intermediate and end entities certs

Are you thinking about a mechanism for how we can change the issuing keys? Could be as simple as a one-step issuance I mentioned where we specifying the new key (which could be the same) to be used for the next issuance. Or could be a seperate method/mechanism. Removing issuance could also be achieved by setting the next issuer to 0x0.


ZSA Addresses (off topic)

The way I like to think of it is what are the minimum set of features that allow for a decentralized L2? I imagine a DAO-like ZSA-address controlled by staked nodes could give us that. Then the debate is no longer “what features should Zcash have?” but rather “should this feature exist in L1 or L2”? :exploding_head:

2 Likes

Single issuance

If you were referring to one-step issuance as a single issuance mechanism I agree with everything you said with regards to us losing some of that extra information on-chain. Multiple issuance is one way to get that. This is probably the strongest justification for multiple issuance.

The other is a more generic labelling/marking of transactions but that’s outside the scope of this work. It also introduces a significant side-channel an attacker could use to leak/disseminate information so would require some deeper thinking before commiting to it.

1 Like