|
|
@ -203,12 +203,16 @@ |
|
|
|
\newcommand{\anchors}{\term{anchors}} |
|
|
|
\newcommand{\block}{\term{block}} |
|
|
|
\newcommand{\blocks}{\term{blocks}} |
|
|
|
\newcommand{\header}{\term{header}} |
|
|
|
\newcommand{\headers}{\term{headers}} |
|
|
|
\newcommand{\blockHeader}{\term{block header}} |
|
|
|
\newcommand{\blockHeaders}{\term{block headers}} |
|
|
|
\newcommand{\BlockHeaders}{\titleterm{Block Headers}} |
|
|
|
\newcommand{\Blockheader}{\term{Block header}} |
|
|
|
\newcommand{\BlockHeader}{\titleterm{Block Header}} |
|
|
|
\newcommand{\blockVersionNumber}{\term{block version number}} |
|
|
|
\newcommand{\blockTime}{\term{block time}} |
|
|
|
\newcommand{\blockHeight}{\term{block height}} |
|
|
|
\newcommand{\blockHeights}{\term{block heights}} |
|
|
|
\newcommand{\genesisBlock}{\term{genesis block}} |
|
|
|
\newcommand{\transaction}{\term{transaction}} |
|
|
|
\newcommand{\transactions}{\term{transactions}} |
|
|
@ -299,6 +303,13 @@ |
|
|
|
\newcommand{\bitseq}[1]{\typeexp{\bit}{#1}} |
|
|
|
\newcommand{\byteseqs}{\typeexp{\bit}{8\mult\Nat}} |
|
|
|
\newcommand{\concatbits}{\mathsf{concat}_\bit} |
|
|
|
\newcommand{\sorted}{\mathsf{sorted}} |
|
|
|
\newcommand{\length}{\mathsf{length}} |
|
|
|
\newcommand{\mean}{\mathsf{mean}} |
|
|
|
\newcommand{\median}{\mathsf{median}} |
|
|
|
\newcommand{\clamp}[2]{\mathsf{clamp\,}_{#1}^{#2}} |
|
|
|
\newcommand{\Lower}{\mathsf{lower}} |
|
|
|
\newcommand{\Upper}{\mathsf{upper}} |
|
|
|
\newcommand{\hexint}[1]{\mathbf{0x{#1}}} |
|
|
|
\newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}} |
|
|
|
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}"}} |
|
|
@ -319,8 +330,9 @@ |
|
|
|
\newcommand{\setof}[1]{\{{#1}\}} |
|
|
|
\newcommand{\range}[2]{\{{#1}\,..\,{#2}\}} |
|
|
|
\newcommand{\minimum}{\mathsf{min}} |
|
|
|
\newcommand{\maximum}{\mathsf{max}} |
|
|
|
\newcommand{\floor}[1]{\mathsf{floor}\!\left({#1}\right)} |
|
|
|
\newcommand{\ceiling}[1]{\mathsf{ceiling}\!\left({#1}\right)} |
|
|
|
\newcommand{\ceiling}[1]{\mathsf{ceiling}\left({#1}\right)} |
|
|
|
\newcommand{\vsum}[2]{\smashoperator[r]{\sum_{#1}^{#2}}} |
|
|
|
\newcommand{\vxor}[2]{\smashoperator[r]{\bigoplus_{#1}^{#2}}} |
|
|
|
\newcommand{\xor}{\oplus} |
|
|
@ -476,6 +488,26 @@ |
|
|
|
\newcommand{\slowStartPeriod}{\term{slow-start period}} |
|
|
|
\newcommand{\halvingInterval}{\term{halving interval}} |
|
|
|
|
|
|
|
\newcommand{\PoWLimit}{\mathsf{PoWLimit}} |
|
|
|
\newcommand{\PoWAveragingWindow}{\mathsf{PoWAveragingWindow}} |
|
|
|
\newcommand{\PoWMedianBlockSpan}{\mathsf{PoWMedianBlockSpan}} |
|
|
|
\newcommand{\PoWMaxAdjustDown}{\mathsf{PoWMaxAdjustDown}} |
|
|
|
\newcommand{\PoWMaxAdjustUp}{\mathsf{PoWMaxAdjustUp}} |
|
|
|
\newcommand{\PoWDampingFactor}{\mathsf{PoWDampingFactor}} |
|
|
|
\newcommand{\PoWTargetSpacing}{\mathsf{PoWTargetSpacing}} |
|
|
|
\newcommand{\MeanTarget}{\mathsf{MeanTarget}} |
|
|
|
\newcommand{\MedianTime}{\mathsf{MedianTime}} |
|
|
|
\newcommand{\AveragingWindowTimespan}{\mathsf{AveragingWindowTimespan}} |
|
|
|
\newcommand{\MinActualTimespan}{\mathsf{MinActualTimespan}} |
|
|
|
\newcommand{\MaxActualTimespan}{\mathsf{MaxActualTimespan}} |
|
|
|
\newcommand{\ActualTimespan}{\mathsf{ActualTimespan}} |
|
|
|
\newcommand{\ActualTimespanDamped}{\mathsf{ActualTimespanDamped}} |
|
|
|
\newcommand{\ActualTimespanClamped}{\mathsf{ActualTimespanClamped}} |
|
|
|
\newcommand{\Threshold}{\mathsf{Threshold}} |
|
|
|
|
|
|
|
\newcommand{\targetThreshold}{\term{target threshold}} |
|
|
|
\newcommand{\targetThresholds}{\term{target thresholds}} |
|
|
|
|
|
|
|
% Signatures |
|
|
|
\newcommand{\Sig}{\mathsf{Sig}} |
|
|
|
\newcommand{\SigPublic}{\mathsf{Sig.Public}} |
|
|
@ -555,8 +587,10 @@ |
|
|
|
\newcommand{\hashPrevBlock}{\mathtt{hashPrevBlock}} |
|
|
|
\newcommand{\hashMerkleRoot}{\mathtt{hashMerkleRoot}} |
|
|
|
\newcommand{\hashReserved}{\mathtt{hashReserved}} |
|
|
|
\newcommand{\nTime}{\mathtt{nTime}} |
|
|
|
\newcommand{\nBits}{\mathtt{nBits}} |
|
|
|
\newcommand{\nTimeField}{\mathtt{nTime}} |
|
|
|
\newcommand{\nTime}{\mathsf{nTime}} |
|
|
|
\newcommand{\nBitsField}{\mathtt{nBits}} |
|
|
|
\newcommand{\nBitsTarget}{\mathsf{nBitsTarget}} |
|
|
|
\newcommand{\nNonce}{\mathtt{nNonce}} |
|
|
|
\newcommand{\solutionSize}{\mathtt{solutionSize}} |
|
|
|
\newcommand{\solution}{\mathtt{solution}} |
|
|
@ -845,6 +879,9 @@ concatenating the elements of $S$ viewed as bit sequences. If the |
|
|
|
elements of $S$ are byte sequences, they are converted to bit sequences |
|
|
|
with the \emph{most significant} bit of each byte first. |
|
|
|
|
|
|
|
The notation $\sorted(S)$ means the sequence formed by sorting the elements |
|
|
|
of $S$. |
|
|
|
|
|
|
|
The notation $\GF{n}$ means the finite field with $n$ elements, and |
|
|
|
$\GFstar{n}$ means its group under multiplication. |
|
|
|
$\GF{n}[z]$ means the ring of polynomials over $z$ with coefficients |
|
|
@ -879,10 +916,11 @@ The following integer constants will be instantiated in \crossref{constants}: |
|
|
|
$\MerkleDepth$, $\NOld$, $\NNew$, $\MerkleHashLength$, $\hSigLength$, |
|
|
|
$\PRFOutputLength$, $\NoteCommitRandLength$, $\RandomSeedLength$, $\AuthPrivateLength$, |
|
|
|
$\NoteAddressPreRandLength$, $\MAXMONEY$, $\SlowStartInterval$, $\HalvingInterval$, |
|
|
|
$\MaxBlockSubsidy$, $\NumFounderAddresses$. |
|
|
|
$\MaxBlockSubsidy$, $\NumFounderAddresses$, $\PoWLimit$, $\PoWAveragingWindow$, |
|
|
|
$\PoWMedianBlockSpan$, $\PoWDampingFactor$, $\PoWTargetSpacing$. |
|
|
|
The bit sequence constant $\Uncommitted \typecolon \bitseq{\MerkleHashLength}$ |
|
|
|
and the rational constant $\FoundersFraction \typecolon \Rat$ will also be defined |
|
|
|
in that section. |
|
|
|
and the rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and |
|
|
|
$\PoWMaxAdjustUp$ will also be defined in that section. |
|
|
|
|
|
|
|
|
|
|
|
\nsection{Concepts} |
|
|
@ -1952,7 +1990,14 @@ Define: |
|
|
|
\item[] $\HalvingInterval \typecolon \Nat := 840000$ |
|
|
|
\item[] $\MaxBlockSubsidy \typecolon \Nat := 1.25 \mult 10^9$ (\zatoshi) |
|
|
|
\item[] $\NumFounderAddresses \typecolon \Nat := 48$ |
|
|
|
\item[] $\FoundersFraction \typecolon \Rat := \frac{1}{5}$. |
|
|
|
\item[] $\FoundersFraction \typecolon \Rat := \frac{1}{5}$ |
|
|
|
\item[] $\PoWLimit \typecolon \Nat := 2^{243} - 1$ |
|
|
|
\item[] $\PoWAveragingWindow \typecolon \Nat := 17$ |
|
|
|
\item[] $\PoWMedianBlockSpan \typecolon \Nat := 11$ |
|
|
|
\item[] $\PoWMaxAdjustDown \typecolon \Rat := \frac{32}{100}$ |
|
|
|
\item[] $\PoWMaxAdjustUp \typecolon \Rat := \frac{16}{100}$ |
|
|
|
\item[] $\PoWDampingFactor \typecolon \Nat := 4$ |
|
|
|
\item[] $\PoWTargetSpacing \typecolon \Nat := 150$ (seconds). |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
|
|
|
@ -2861,12 +2906,12 @@ components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \ |
|
|
|
The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext. |
|
|
|
|
|
|
|
|
|
|
|
\nsubsection{\BlockHeaders} |
|
|
|
\nsubsection{\BlockHeader} \label{blockheader} |
|
|
|
|
|
|
|
The \Zcash \blockHeader format is as follows: |
|
|
|
|
|
|
|
\begin{center} |
|
|
|
\hbadness=1000 |
|
|
|
\hbadness=2500 |
|
|
|
\begin{tabularx}{0.92\textwidth}{|c|l|p{10.7em}|X|} |
|
|
|
\hline |
|
|
|
Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ |
|
|
@ -2877,26 +2922,26 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ |
|
|
|
for \Zcash is $4$. \\ \hline |
|
|
|
|
|
|
|
32 & $\hashPrevBlock$ & \type{char[32]} & A $\SHAd$ hash in internal byte order of the |
|
|
|
previous \block's header. This ensures no previous \block can be changed without also |
|
|
|
changing this \block's header. \\ \hline |
|
|
|
previous \block's \header. This ensures no previous \block can be changed without also |
|
|
|
changing this \block's \header. \\ \hline |
|
|
|
|
|
|
|
32 & $\hashMerkleRoot$ & \type{char[32]} & A $\SHAd$ hash in internal byte order. The |
|
|
|
merkle root is derived from the hashes of all \transactions included in this \block, |
|
|
|
ensuring that none of those \transactions can be modified without modifying the header. \\ \hline |
|
|
|
ensuring that none of those \transactions can be modified without modifying the \header. \\ \hline |
|
|
|
|
|
|
|
32 & $\hashReserved$ & \type{char[32]} & A reserved field which should be ignored. \\ \hline |
|
|
|
|
|
|
|
4 & $\nTime$ & \type{uint32\_t} & The \blockTime is a Unix epoch time when the miner |
|
|
|
started hashing the header (according to the miner). This \MUST be greater than or equal |
|
|
|
to the median time of the previous 11 blocks. A \fullnode{} \MUSTNOT accept \blocks with |
|
|
|
headers more than two hours in the future according to its clock. \\ \hline |
|
|
|
4 & $\nTimeField$ & \type{uint32\_t} & The \blockTime is a Unix epoch time when the miner |
|
|
|
started hashing the \header (according to the miner). This \MUST be greater than or equal |
|
|
|
to the median time of the previous $\PoWMedianBlockSpan$ \blocks. A \fullnode{} \MUSTNOT |
|
|
|
accept \blocks with $\nTimeField$ more than two hours in the future according to its clock. \\ \hline |
|
|
|
|
|
|
|
4 & $\nBits$ & \type{uint32\_t} & An encoded version of the target threshold this \block's |
|
|
|
header hash must be less than or equal to, in the same nBits format used by \Bitcoin. |
|
|
|
4 & $\nBitsField$ & \type{uint32\_t} & An encoded version of the \targetThreshold this \block's |
|
|
|
\header hash must be less than or equal to, in the same nBits format used by \Bitcoin. |
|
|
|
\cite{Bitcoin-nBits} \\ \hline |
|
|
|
|
|
|
|
32 & $\nNonce$ & \type{char[32]} & An arbitrary field miners change to modify the |
|
|
|
header hash in order to produce a hash below the target threshold. \\ \hline |
|
|
|
\header hash in order to produce a hash less than or equal to the \targetThreshold. \\ \hline |
|
|
|
|
|
|
|
3 & $\solutionSize$ & \compactSize & The size of an Equihash solution in bytes (always 1344). \\ \hline |
|
|
|
|
|
|
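Review bot: The `$\nBitsField$` row says only that the field encodes the target threshold the header hash must not exceed; nothing visible in this commit requires the field to equal the encoding of `$\Threshold(\BlockHeight)$` from the difficulty adjustment section. I would add a sentence to the row such as `This \MUST be equal to the encoding of $\Threshold(\BlockHeight)$ for this \block's \blockHeight (see \crossref{diffadjustment}).`, and state how the exact integer threshold is rounded into the nBits format, which has limited precision. Without that rule, a validator that follows the text literally would accept any header whose hash meets the target it declares for itself. The `$\nTimeField$` row could also refer to `$\MedianTime(\BlockHeight)$` now that it is defined, so the two descriptions of the median cannot drift apart. The table starts and ends outside this hunk.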
@ -2960,8 +3005,8 @@ derived from the \blockHeader and a nonce: |
|
|
|
\bitbox{256}{256-bit $\hashPrevBlock$} |
|
|
|
\bitbox{256}{256-bit $\hashMerkleRoot$} \\ |
|
|
|
\bitbox{256}{256-bit $\hashReserved$} |
|
|
|
\bitbox{128}{32-bit $\nTime$} |
|
|
|
\bitbox{128}{32-bit $\nBits$} \\ |
|
|
|
\bitbox{128}{32-bit $\nTimeField$} |
|
|
|
\bitbox{128}{32-bit $\nBitsField$} \\ |
|
|
|
\bitbox{256}{256-bit $\nNonce$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
@ -3055,8 +3100,14 @@ ordering of bits in the solution encoding would require bit-reversal |
|
|
|
|
|
|
|
\nsubsubsection{Difficulty filter} \label{difficulty} |
|
|
|
|
|
|
|
Difficulty is defined in terms of a \targetThreshold, which is adjusted for each |
|
|
|
\block according to the algorithm defined in \crossref{diffadjustment}. |
|
|
|
|
|
|
|
The difficulty filter is unchanged from \Bitcoin, and is calculated using |
|
|
|
\SHAd on the whole \blockHeader (including $\solutionSize$ and $\solution$). |
|
|
|
The result is interpreted as a 256-bit integer represented in little-endian |
|
|
|
byte order, which \MUST be less than or equal to the \targetThreshold. |
|
|
|
|
|
|
|
|
|
|
|
\nsubsubsection{Difficulty adjustment} \label{diffadjustment} |
|
|
|
|
|
|
@ -3065,8 +3116,61 @@ with simplifications and altered parameters, to adjust difficulty to target |
|
|
|
the desired 2.5-minute block time. |
|
|
|
Unlike \Bitcoin, the difficulty adjustment occurs after every block. |
|
|
|
|
|
|
|
\todo{Describe the algorithm.} |
|
|
|
The constants $\PoWLimit$, $\PoWAveragingWindow$, $\PoWMaxAdjustDown$, $\PoWMaxAdjustUp$, |
|
|
|
$\PoWDampingFactor$, and $\PoWTargetSpacing$ are instantiated in \crossref{constants}. |
|
|
|
|
|
|
|
Let $\nTime(\BlockHeight)$ be the value of the $\nTimeField$ field in the \header of the |
|
|
|
\block at \blockHeight $\BlockHeight$. |
|
|
|
|
|
|
|
Let $\nBitsTarget(\BlockHeight)$ be the \targetThreshold obtained by decoding the |
|
|
|
$\nBitsField$ field in the \header of the \block at \blockHeight $\BlockHeight$. |
|
|
|
The encoding of this field is described in \cite{Bitcoin-nBits}. |
|
|
|
|
|
|
|
\Blockheader fields are specified in \crossref{blockheader}. |
|
|
|
|
|
|
|
\vspace{1ex} |
|
|
|
Define: |
|
|
|
|
|
|
|
\vspace{-1ex} |
|
|
|
\hskip 1.5em $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$. |
|
|
|
|
|
|
|
\hskip 1.5em $\median(S) := \sorted(S)_{\ceiling{\length(S) / 2}}$ |
|
|
|
|
|
|
|
\hskip 1.5em $\clamp{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$ |
|
|
|
|
|
|
|
\hskip 1.5em $\AveragingWindowTimespan := \PoWAveragingWindow \mult \PoWTargetSpacing$ |
|
|
|
|
|
|
|
\hskip 1.5em $\MinActualTimespan := \floor{\AveragingWindowTimespan \mult (1 - \PoWMaxAdjustUp)}$ |
|
|
|
|
|
|
|
\hskip 1.5em $\MaxActualTimespan := \floor{\AveragingWindowTimespan \mult (1 + \PoWMaxAdjustDown)}$ |
|
|
|
|
|
|
|
\hskip 1.5em $\MedianTime(\BlockHeight) := \median([\,\nTime(i)$ for $i$ from $\maximum(0, \BlockHeight - \PoWMedianBlockSpan)$ to $\BlockHeight - 1\,])$ |
|
|
|
|
|
|
|
\hskip 1.5em $\ActualTimespan(\BlockHeight) := \MedianTime(\BlockHeight) - \MedianTime(\BlockHeight - \PoWAveragingWindow)$ |
|
|
|
|
|
|
|
\hskip 1.5em $\ActualTimespanDamped(\BlockHeight) := \AveragingWindowTimespan + \hfrac{\ActualTimespan(\BlockHeight) - \AveragingWindowTimespan}{\PoWDampingFactor}$ |
|
|
|
|
|
|
|
\hskip 1.5em $\ActualTimespanClamped(\BlockHeight) := \clamp{\MinActualTimespan}{\MaxActualTimespan}(\ActualTimespanDamped(\BlockHeight))$ |
|
|
|
|
|
|
|
\hskip 1.5em $\MeanTarget(\BlockHeight) := \begin{cases} |
|
|
|
\PoWLimit, \hspace{16em}\text{if } \BlockHeight \leq \PoWAveragingWindow \\ |
|
|
|
\mean([\nBitsTarget(i)$ for $i$ from $\maximum(0, \BlockHeight - \PoWAveragingWindow)$ to $\BlockHeight - 1]),\\ |
|
|
|
\hspace{20.7em}\text{otherwise} |
|
|
|
\end{cases}$ |
|
|
|
|
|
|
|
\vspace{2ex} |
|
|
|
The \targetThreshold for a given \blockHeight $\BlockHeight$ is then calculated as: |
|
|
|
|
|
|
|
\hskip 1.5em $\Threshold(\BlockHeight) \hspace{0.43em} := \hspace{0.43em} \begin{cases} |
|
|
|
\PoWLimit, \hspace{16em}\text{if } \BlockHeight = 0 \\ |
|
|
|
\minimum(\PoWLimit, \floor{\hfrac{\MeanTarget(\BlockHeight)}{\AveragingWindowTimespan}} \mult \ActualTimespanClamped(\BlockHeight)),\\ |
|
|
|
\hspace{20.7em}\text{otherwise.} |
|
|
|
\end{cases}$ |
|
|
|
|
|
|
|
\pnote{ |
|
|
|
$\MeanTarget(\PoWAveragingWindow)$ is defined to be $\PoWLimit$, not (as might be expected) |
|
|
|
the mean of the \targetThresholds of the first $\PoWAveragingWindow$ \blocks. |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsection{Calculation of Block Subsidy and Founders' Reward} \label{subsidies} |
|
|
|
|
|
|
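Review bot: As written, `$\Threshold(\BlockHeight)$` is undefined for heights 1 to `$\PoWAveragingWindow$`: only height 0 is special-cased, and for those heights `\ActualTimespan(\BlockHeight)` evaluates `\MedianTime(\BlockHeight - \PoWAveragingWindow)` with an argument of zero or less, whose index range ending at `\BlockHeight - 1` is empty, so `\median` is taken over an empty sequence. Either make `\MedianTime` total, for example by ending its range at `$\maximum(0, \BlockHeight - 1)$`, or extend the first `\Threshold` case to `\text{if } \BlockHeight \leq \PoWAveragingWindow`, whichever matches the intended behaviour. The `\clamp` definition has one closing parenthesis too many and should read `\maximum(\Lower, \minimum(\Upper, x))`. The rounding of the `\hfrac` in `\ActualTimespanDamped` and of the division in `\mean` is not stated, and because `\ActualTimespan(\BlockHeight) - \AveragingWindowTimespan` can be negative, floor and truncation toward zero give different results. In a consensus rule, each of these gaps lets independent implementations compute different thresholds and disagree on block validity.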
@ -3689,6 +3793,8 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
\subparagraph{2016.0-beta-1.13} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Specify the difficulty adjustment algorithm. |
|
|
|
\item Clarify some definitions of fields in a \blockHeader. |
|
|
|
\item Define $\PRFaddr{}$ in \crossref{keycomponents}. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|