Zcash NU5 upgrade

Zcash plans to release Halo Arc, an iterative product suite, on October 1st, 2021. It includes updates to Zcashd (Zcash *** knowledge node), the ECC Reference Wallet application and the ECC wallet SDK, and covers two upcoming Zcash improvements: Zcash network upgrade 5 (NU5, whose expected activation date is also October 1, 2021) and unified addresses. NU5 implements the Orchard anonymity protocol and migrates Zcash from zk-SNARKs to the Halo 2 proof system, which requires no trusted setup. Unified addresses are a supplementary feature that introduces a future-proof address format that prioritizes shielded adoption.

The Orchard anonymity protocol defines a new anonymous pool with new keys and addresses, which facilitates future scalability improvements.

There are currently two anonymous protocols and anonymous pools in Zcash.

But there are still two problems in these two protocols:

The Orchard protocol uses a pair of elliptic curves together with the Halo 2 proof system, which supports recursion and needs no trusted setup.

Curve

The Orchard protocol uses the Pallas/Vesta elliptic curve pair instead of the BLS12-381 and Jubjub curves. Pallas is the application-layer curve and Vesta is the circuit curve; that is, the scalar field of Vesta is the base field of Pallas.
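The curve relationship described above can be checked numerically. The following Python sketch is an added example, not code from the original page or from the Zcash project; the field moduli, the curve equation y^2 = x^3 + 5 and the point (-1, 2) are the published Pasta curve parameters and are assumptions that do not appear on this page.

```python
# Pasta curve field moduli (published parameters, not taken from this page).
P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001  # Pallas base field
Q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001  # Vesta base field
B = 5  # both curves are y^2 = x^3 + 5


def add(p1, p2, m):
    """Affine point addition over F_m; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % m == 0:
        return None  # P + (-P), including doubling a point with y = 0
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % m, -1, m) % m  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % m, -1, m) % m  # chord slope
    x3 = (lam * lam - x1 - x2) % m
    return x3, (lam * (x1 - x3) - y1) % m


def mul(k, pt, m):
    """Double-and-add scalar multiplication (variable time, illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, m)
        pt = add(pt, pt, m)
        k >>= 1
    return acc


def annihilates(n, m):
    """True if n * G is the identity, for G = (-1, 2) on the curve over F_m."""
    g = (m - 1, 2)
    assert (g[1] ** 2 - g[0] ** 3 - B) % m == 0  # G lies on the curve
    return mul(n, g, m) is None


if __name__ == "__main__":
    # Pallas (over F_P) has group order Q, and Vesta (over F_Q) has order P:
    # each curve's scalar field is the other curve's base field.
    print("Pallas order is Q:", annihilates(Q, P))
    print("Vesta order is P: ", annihilates(P, Q))
    # Neither curve's order equals its own base field size.
    print("Pallas order is P:", annihilates(P, P))
```

Because both moduli are prime, a non-identity point that is annihilated by one of them has exactly that order, which is the two-cycle property that recursive proof composition relies on.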

The simplified SWU algorithm will be used to define the implementation of GroupHash, instead of the original error-prone BLAKE2s mechanism.

Proof system

Orchard uses the Halo 2 proof system, with UPA (UltraPLONK) arithmetization replacing Groth16 and R1CS.

The Orchard protocol does not yet use Halo 2 recursive proofs; they will be used in a future protocol upgrade.

Circuit

Orchard uses a single circuit for all inputs (spends) and outputs. A single action comprises one spent note and one new note.

An Orchard transaction can bundle multiple actions under one Halo 2 proof.

Commitment

The Orchard protocol uses Sinsemilla, which is efficient under UPA, in place of the original heterogeneous commitment.

Commitment tree

Orchard uses a commitment tree similar to Sapling's, except that it uses Sinsemilla instead of the original Pedersen hash.

Keys and addresses

Keys and addresses are similar to those of Sapling, with the following changes:

Keys and addresses are encoded with Bech32, and mainnet addresses are prefixed with ZO (Sprout addresses are prefixed with ZC and Sapling addresses with zs).

Orchard keys use hierarchical deterministic (HD) derivation.

Note

Note structure is, which is used to generate nullifier and is derived from random seeds.

Nullifier

Nullifier is calculated as follows:

Poseidon hash function is adopted, which is a fixed base point.

Signature

Orchard uses RedPallas instead of the original RedJubjub scheme.

A unified address (UA) is a future-proof address format that improves usability and interoperability and supports anonymity by default.

Background

Because the Zcash protocol has been upgraded iteratively, there are many address types. Using UAs can improve the user experience and support automatic anonymity.

UAs can also ease iterative upgrades of the Zcash network and promote interoperability with Layer 2 and DeFi applications.

UA

A unified address is generated from multiple Zcash address types (transparent, Sapling, Orchard), which makes it easier for users to move funds to the latest anonymous pool, with automatic migration and anonymity.

The unified address is compatible with all Zcash pools (transparent and shielded), and funds sent from a transparent address can be transferred automatically into an anonymous pool.

/zcash/halo2

/zcash/orchard

https://electriccoin.co/blog/unified-addresses-in-zcash-explained/

https://electriccoin.co/blog/nu5-proposed-features/