Do you support deprecating Sprout?

This is a bit misleading. The turnstile does not use the transparent pool, it just reveals amounts being crossed. So while, yes, there is some privacy issues with crossing the turnstile, it is much less severe than using the transparent pool. It is also the same mechanism through which Sapling is converted into Orchard. Also, this privacy issue can be mitigated by crossing fixed amounts, etc.

But yes, I agree that if Sprout is truly deprecated then there should be announcements, etc, but nothing has been formally decided so far.

Exactly, users are the most important group. Only a fraction of users hold coins in the Sprout Pool, namely approx. 0.16% of the current circulating supply. All other active users are only disadvantaged by the fact that sprout still exists. For example, it slows down development, because devs have to continue supporting old parts of the protocol. So a large proportion of users are currently being neglected due to the laziness of a very small number of users. As already described here, privacy cannot be a valid reasoning for not moving the coins to a newer pool.

Apart from that it has already been documented and communicated how you can transfer your coins to the new pools (Sprout-to-Sapling Migration — Zcash Documentation 6.2.0 documentation). Obviously one can also ask here and will get help from the devs for sure.

It is completely normal that old “software” is no longer supported over time. That’s part of the risk, especially with cutting edge tech like Zcash. I do not see Windows 95 users complaining that Microsoft stopped updates for it. This analogy probably doesn’t quite fit, but you get what I mean.

Do a final information round on all communication channels with a deadline and just close that chapter. Why do we make life so difficult for ourselves with unnecessary perfectionism?

Alright, I suppose that for that pool, currently, this may be the best course of action. My point was really more about the pool deprecation subject more broadly. We will likely have to do this again so let’s have a clear process for handling this with class?

The unified address privacy leak, to name just that, didn’t give me too much vibe of unnecessary perfectionism; pretty sure we can improve on that front.

I think this is contrafactual.

Going along that line of thought, early users of a command-line-tool-only, cutting-edge, zero-knowledge-proof-powered cryptocurrency were not precisely risk averse folks. It’s not like they were investing in US Sovereign bonds (known to be the safest investment if you re a prudent bear kind of investor)

Cold storage of a sprout holding wallet is also a question. That probably means a thumb drive with a wallet.dat file. Not your metal plate kind of thing either.

Kinda yes, kinda no. Bitcoin gave the benchmark all users are making reasonable assumptions from.

That is to say that, while technically I agree with you, we have to be careful that when this happens we don’t get a too massive backlash. We’ll get the backlash, no doubt. So it’s about how big.

That’s why acing the PR is key. The reasoning for deprecating is sound, now we just need to walk the very fine line to making it happen without breaking too many eggs.

P.R.

Good thing we have Coinholder-directed funding for a case like this.

This is how the supply looks like
https://mainnet.zcashexplorer.app/api/v1/supply

[
  {
    "chainValue": 12957132.0053024,
    "chainValueZat": 1295713200530239,
    "id": "transparent",

  },
  {
    "chainValue": 25789.7816951,
    "chainValueZat": 2578978169510,
    "id": "sprout",
    "monitored": true
  },
  {
    "chainValue": 840235.9610622,
    "chainValueZat": 84023596106220,
    "id": "sapling",

  },
  {
    "chainValue": 2305255.91748511,
    "chainValueZat": 230525591748511,
    "id": "orchard",

  },
  {
    "chainValue": 51652.125,
    "chainValueZat": 5165212500000,
    "id": "lockbox",

  }
]

With the exception of a few folks, we are kind of “money talk elusive” in this community, Which is fine but at some point it’s inevitable to talk about it.

Software tech debt is always collected. You can go and pay it yourself or wait for the collector to knock your door (down if necessary). I think it would be important to know what’s the value of the sprout pool in terms of how much it costs the ecosystem to actually maintain this “backward-compatibility” and how much ZEC it holds. It could have an equilibrium point at which it’s no longer economically sustainable to maintain it.

My feel for this, which may be wrong obviously, but I think there is a consensus around the fact that it is indeed no longer economically sustainable to maintain it. It’s really just the “how” do we handle that hot potato where there is less agreement.

There are already several possible designs for this, that I’ve been discussing with other Zcash protocol devs (on the side at conferences, in dev calls, and in spare time) as the next step for Sprout deprecation (as well as a model for future pool deprecation).

• If we as a community want to pay the cost of Sprout logic in consensus forever, then the remaining Sprout funds are frozen, and a Sprout redemption circuit replaces the current Sprout logic, using a value balance mechanism compatible with one of the non-deprecated pools (i.e. Orchard).
  • I suggested this 4.5 years ago: What do we do about legacy value pools? - #56 by str4d. No one has taken action to productionise it in the intervening time.
  • Redemption actions would be distinguishable on chain, just like Sprout transactions are currently distinguishable from non-Sprout transactions, so there’s no change there. Redemption values would be hidden, which is an improvement.
  • This requires paying for a new circuit to be written, reviewed, audited, and deployed.
  • If we wanted the redemption actions to be indistinguishable from other actions, that would require recursive proofs, which are not currently present in Zcash consensus and thus would require additional time and funding. And given that the status quo doesn’t have this, I don’t see the benefit outweighing the complexity (at least for Sprout deprecation).
• Once ZSAs are deployed, another option is that the remaining Sprout funds are frozen and then turned into a ZSA.
  • Conversion from frozen Sprout to the “synthetic Sprout ZSA” would be done off-chain by users presenting a proof (probably reusing the current Sprout circuit) to a trusted group of orgs via a multisig.
    • The Zcash community should be fine with this trust model; the Dev Fund lockbox contains over double the amount of ZEC left in Sprout, and there was clear support for the Coinholder-directed dev fund model that uses a similar trusted group of orgs for disbursing funds.
  • The Sprout logic on-chain would be replaced with a small consensus rule that permits users to reveal and burn N units of “synthetic Sprout ZSA” in order to move N units of ZEC from the frozen Sprout pool’s remaining balance (to any currently-active pool). This replaces the current turnstile between Sprout and the other pools.
    • A user who wants to avoid the turnstile, could instead trade their "synthetic Sprout ZSA"s for ZEC inside the Orchard pool (to a counterparty who is happy to cross through the turnstile). This would reveal the moved amount to the other user (or DEX or whatever mechanism is used) instead of publicly on chain, same as with any regular shielded payment.
  • The redemption process should have a (widely publicised) redemption window (e.g. several years). Once that window of time ends, the trusted group of orgs could use the ZSA finalization flag to ensure that no more "synthetic Sprout ZSA"s can be issued, at which point any remaining frozen ZEC in the Sprout pool (which would primarily be ZEC stored in lost keys/wallets that can never be moved) could then e.g. be unissued via the NSM (and thus returned into circulation via the block subsidy, funding network security and development).
    • Another way to incentivise redemption that I’ve seen suggested before is to have the redemption “exchange rate” include the cost to the network of the legacy pool, by having two outputs from each redemption action (one issuing the synthetic ZSA at a reduced exchange rate, the other moving the remainder of the ZEC into the NSM). In this design, the exchange rate would decrease from 1.0 to 0.0 over the redemption window (either continuously, or in several steps at well-defined times). Once the exchange rate reaches 0, any redemption would result in all funds going to the NSM, which provides the “window end” cut-off point.
  • Even with a redemption window, the Sprout pool balance would not be guaranteed to go to zero under the above process, because someone could go through the redemption process to obtain "synthetic Sprout ZSA"s and then lose access to their wallet before they convert them back into ZEC. This could be handled with a separate “conversion window”, which could be e.g. a consensus rule like “synthetic legacy pool ZSAs will only be supported until the subsequent 2 pools are both also deprecated, and then they can’t cross the turnstile into a ZSA-supporting 3rd pool”.
    • This would mean that the effective “lifetime” of Sprout could end up being several times longer than its “active lifetime” (which was 4 years; the network prohibited moving funds into Sprout in the Canopy NU in 2020).
  • By using ZSAs as the base for this, the cost of deprecating legacy pools is much lower (as they can all reuse the ZSA circuitry and logic as it exists in whatever is the current pool), and it could be specified as the deprecation process for all current and future pools (because it just requires the concept of ZSAs to continue to exist in Zcash) which would provide certainty for users going forward.

(I started writing the above at 1am and it’s now past 2am; hopefully it isn’t too rambly!)

While this solution would certainly be elegant, I am wondering whether this may overcomplicate affairs. The wider Zcash community has limited resources. We could just publicize that we are going to burn the remainder of the deprecated pool at a certain date and get on with it.

In the same spirit, when I hear discussions about how we may get exchanges to move off zcashd once zebrad has achieved feature parity, I always wonder why ECC doesn’t just announce an EOL date alongside an upgrade path.

After all, crypto tokens are very different types of artifacts compared to gold coins. They are distributed software systems built upon a moving ecosystem, which means that they require continuous labor to stay operational. Just as you cannot expect your iPhone 4 backup to work today, I see no reason why your ZEC should work after you skipped a decade of upgrades.

Ultimately the decision we take is about the message we want to send and the precedent we want to create.

As mentioned before, I support deprecating Sprout. Let’s just do it the very best way we can come up with. It’s also a communication opportunity.

This is not a privacy-preserving option, at all. Someone who wants to move their funds out of Sprout should use the sprout-to-sapling migration tool provided by the zcashd wallet; in fact, that is currently the only supported method for moving sprout funds, and that is going away with zcashd retirement.

On the contrary, it was stated in a blog post about the intended evolution of Zcash on 15 October 2016, shortly before launch, that one of things that might happen in a “potentially surprising upgrade” was to expire dormant funds:

Some of the counterfeit detection schemes we’ve considered rely on expiring old, abandoned funds (i.e. users might need to take action to ensure that their dormant funds are not flagged as expired).

It was further stated in the Abstract of ZIP 211, which became active with the Canopy upgrade on 18 November 2020, that the purpose of that ZIP was to “take a step toward being able to remove the Sprout shielded protocol”:

This proposal disables the ability to add new value to the Sprout chain value pool balance. This takes a step toward being able to remove the Sprout shielded protocol, thus reducing the overall complexity and attack surface of Zcash.

I completely realize that we shouldn’t rely on users having seen a particular 2016 blog post, or a particular ZIP that activated in 2020. But the same message has been repeated consistently by the designers of Zcash to anyone who has ever asked, and whenever the topic has come up. We have not been quiet about it.

ZIP 2004 proposes that v4 transactions be disabled with NU7, and note that even without ZIP 2004 there will be no wallet support for doing so.

This proposal disallows v4 transactions. The v5 transaction format introduced in the NU5 network upgrade does not support Sprout, and so this will have the effect of disabling the ability to spend Sprout funds.

It is not proposed in this ZIP to unissue, burn, or otherwise make Sprout funds permanently unavailable. This leaves open the possibility of re-enabling v4 transactions, or of adding another facility to retrieve these funds if the Zcash community considers it worthwhile. However, since it is possible the ability to spend Sprout funds will never be re-enabled, holders of these funds should move them out of the Sprout pool without delay.

To reiterate: if you have Sprout funds and still have the keys for them, you should move those funds now before you are no longer able to.

I completely agree, but none of the existing pools have been designed for long-term cold storage. Such a pool would have to use different cryptography that is focused on that goal, as opposed to being focused on payments.

One of the reasons why none of Sprout, Sapling, Orchard, or (as of NU7) OrchardZSA are suitable as a long-term cold storage protocol, is that they will be vulnerable to quantum computers when those become viable. I personally no longer think it is “if”; I estimate that there is a significant chance within the next 3 years that we will be forced to make a decision about whether to also disable the ability to spend Sapling and pre-NU7 Orchard notes.

OrchardZSA is likely to have a “quantum resilience” property that allows its notes to be spent safely after any post-quantum transition. It’s likely that wallets will prioritize non-quantum-resilient notes for spending, so that the vast majority of funds will have been migrated to be quantum-resilient by the time we need to make the decision of whether to disable spending of Sapling and pre-NU7 Orchard notes. But Sapling probably will never be quantum-resilient, and Sprout cannot be.

I will not support any proposal that exposes other pools to unbounded inflation risk due to reimplementing the Sprout shielded protocol.

There might be ways of recovering funds from the Sprout pool that don’t expose other pools to unbounded inflation risk from Sprout. I’m not going to spend any time on that, because the opportunity cost of doing more work on it instead of doing more useful things is huge, even aside from the security risk.

On that topic, see Reconsider note selection and pool-crossing policy to favour migration to Orchard · Issue #1889 · zcash/librustzcash · GitHub.

Do I understand correctly that this does not mean that the transparent part is resistant to such threats? And do I understand correctly that this refers to all the popular blockchain’s cryptography that has been accumulated by this point?

The threat refers to breaking encryption so a transparent ledger doesn’t really count. The threat applies (at least) to all forms of elliptic curve cryptography. Idk if there are any smaller (blockchain) projects working on PQR but given that the overall privacy space that we exist in isn’t very big, I can’t imagine there being very many others.

So. Do I support the deprecation of the transparent part?

There has been transactional activity in Sprout in the last week. What could be the reason for this?
The last time was on May 20th.

If we understood the pattern, we could probably speed up this process.

It’s not merely breaking encryption. A quantum computer will allow creation of spend authorizing signatures by individuals who don’t hold the spending keys. This would mean that all transparent UTXOs would have to be considered untrusted (and effectively burned.)

This would also completely destroy Bitcoin, Ethereum, and any other protocol that has not explicitly implemented the kind of quantum resilience that is being proposed here.

@daira is working on a ZIP, and the rationale there will clarify these questions.

Correct, the transparent protocol would be potentially vulnerable to any attack from quantum computers, and there is no current proposal that would alter that. You should store funds long-term in the Orchard pool in order for them to be quantum-resilient after the quantum resilience proposal activates. Fortunately, that is a practical policy for Zcash wallets to enforce.

Almost all.

@Daira how long until we have ZCASH quantum resistant , what´s the roadmap, I think this should be the number one priority at this point.