Quantum recoverability fixes

README.rst

@@ -181,6 +181,7 @@ written.
     <tr> <td>235</td> <td class="left"><a href="zips/zip-0235.md">Remove 60% of Transaction Fees From Circulation</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/issues/924">zips#924</a></td>
     <tr> <td>245</td> <td class="left"><a href="zips/zip-0245.rst">Transaction Identifier Digests & Signature Validation for Transparent Zcash Extensions</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/issues/384">zips#384</a></td>
     <tr> <td>246</td> <td class="left"><a href="zips/zip-0246.rst">Digests for the Version 6 Transaction Format</a></td> <td>Draft</td> <td class="left"></td>
+    <tr> <td>248</td> <td class="left"><a href="zips/zip-0248.rst">Extensible Transaction Format</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/pull/1163">zips/pull/1163</a></td>
     <tr> <td><span class="reserved">270</span></td> <td class="left"><a class="reserved" href="zips/zip-0270.md">Key Rotation for Tracked Signing Keys</a></td> <td>Reserved</td> <td class="left"><a href="https://github.com/zcash/zips/issues/1047">zips#1047</a></td>
     <tr> <td>302</td> <td class="left"><a href="zips/zip-0302.rst">Standardized Memo Field Format</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/issues/366">zips#366</a></td>
     <tr> <td><span class="reserved">303</span></td> <td class="left"><a class="reserved" href="zips/zip-0303.rst">Sprout Payment Disclosure</a></td> <td>Reserved</td> <td class="left"></td>
@@ -209,9 +210,10 @@ written.
     <tr> <td>2002</td> <td class="left"><a href="zips/zip-2002.rst">Explicit Fees</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/issues/803">zips#803</a></td>
     <tr> <td>2003</td> <td class="left"><a href="zips/zip-2003.rst">Disallow version 4 transactions</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/issues/825">zips#825</a></td>
     <tr> <td>2004</td> <td class="left"><a href="zips/zip-2004.rst">Remove the dependency of consensus on note encryption</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/issues/917">zips#917</a></td>
-    <tr> <td>2005</td> <td class="left"><a href="zips/zip-2005.md">Quantum Recoverability</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/issues/1135">zips#1135</a></td>
+    <tr> <td>2005</td> <td class="left"><a href="zips/zip-2005.md">Orchard Quantum Recoverability</a></td> <td>Draft</td> <td class="left"><a href="https://github.com/zcash/zips/issues/1135">zips#1135</a></td>
     <tr> <td>guide-markdown</td> <td class="left"><a href="zips/zip-guide-markdown.md">{Something Short and To the Point}</a></td> <td>Draft</td> <td class="left"></td>
     <tr> <td>guide</td> <td class="left"><a href="zips/zip-guide.rst">{Something Short and To the Point}</a></td> <td>Draft</td> <td class="left"></td>
+    <tr> <td>template</td> <td class="left"><a href="zips/zip-template.md">{Something Short and To the Point}</a></td> <td>Draft</td> <td class="left"></td>
   </table></embed>
 
 Drafts without assigned ZIP numbers
@@ -320,6 +322,7 @@ Index of ZIPs
     <tr> <td>244</td> <td class="left"><a href="zips/zip-0244.rst">Transaction Identifier Non-Malleability</a></td> <td>Final</td>
     <tr> <td>245</td> <td class="left"><a href="zips/zip-0245.rst">Transaction Identifier Digests & Signature Validation for Transparent Zcash Extensions</a></td> <td>Draft</td>
     <tr> <td>246</td> <td class="left"><a href="zips/zip-0246.rst">Digests for the Version 6 Transaction Format</a></td> <td>Draft</td>
+    <tr> <td>248</td> <td class="left"><a href="zips/zip-0248.rst">Extensible Transaction Format</a></td> <td>Draft</td>
     <tr> <td>250</td> <td class="left"><a href="zips/zip-0250.rst">Deployment of the Heartwood Network Upgrade</a></td> <td>Final</td>
     <tr> <td>251</td> <td class="left"><a href="zips/zip-0251.rst">Deployment of the Canopy Network Upgrade</a></td> <td>Final</td>
     <tr> <td>252</td> <td class="left"><a href="zips/zip-0252.rst">Deployment of the NU5 Network Upgrade</a></td> <td>Final</td>
@@ -381,7 +384,8 @@ Index of ZIPs
     <tr> <td>2002</td> <td class="left"><a href="zips/zip-2002.rst">Explicit Fees</a></td> <td>Draft</td>
     <tr> <td>2003</td> <td class="left"><a href="zips/zip-2003.rst">Disallow version 4 transactions</a></td> <td>Draft</td>
     <tr> <td>2004</td> <td class="left"><a href="zips/zip-2004.rst">Remove the dependency of consensus on note encryption</a></td> <td>Draft</td>
-    <tr> <td>2005</td> <td class="left"><a href="zips/zip-2005.md">Quantum Recoverability</a></td> <td>Draft</td>
+    <tr> <td>2005</td> <td class="left"><a href="zips/zip-2005.md">Orchard Quantum Recoverability</a></td> <td>Draft</td>
     <tr> <td>guide-markdown</td> <td class="left"><a href="zips/zip-guide-markdown.md">{Something Short and To the Point}</a></td> <td>Draft</td>
     <tr> <td>guide</td> <td class="left"><a href="zips/zip-guide.rst">{Something Short and To the Point}</a></td> <td>Draft</td>
+    <tr> <td>template</td> <td class="left"><a href="zips/zip-template.md">{Something Short and To the Point}</a></td> <td>Draft</td>
   </table></embed>

protocol/protocol.tex

@@ -1690,6 +1690,7 @@
 \newcommand{\DiversifierIndex}{\mathsf{index}}
 \newcommand{\FVK}{\mathsf{FVK}}
 \newcommand{\DeriveInternalFVKOrchard}{\mathsf{DeriveInternalFVK^{Orchard}}}
+\newcommand{\DeriveDkAndOvkOrchard}{\mathsf{DeriveDkAndOvk^{Orchard}}}
 \newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
 \newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g\Repr_d}}
 \newcommand{\DiversifiedTransmitBaseOld}{\mathsf{g^{old}_d}}
@@ -4256,8 +4257,7 @@
 $\PRFexpand{}$ is used in the following places:
 \begin{itemize}
   \item \sapling{\crossref{saplingkeycomponents}, with inputs $[\hexint{00}]$, $[\hexint{01}]$, $[\hexint{02}]$, and $[\hexint{03}, i \typecolon \byte]$;}
-  \nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[\hexint{06}]$, $[\hexint{07}]$, $[\hexint{08}]$, and with first byte $\hexint{82}$
-        (the last of these is also specified in \cite{ZIP-32});}
+  \nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[\hexint{06}]$, $[\hexint{07}]$, $[\hexint{08}]$, and with first byte $\hexint{82}$;}
 \notnufive{
   \item \sapling{sending (\crossref{saplingsend}) and receiving (\shortcrossref{saplingandorchardinband}) \Sapling \notes,
         with inputs $[\hexint{04}]$ and $[\hexint{05}]$;}
@@ -4269,7 +4269,7 @@
 } %notbeforenufive
   \item in \cite{ZIP-32}, \sapling{with inputs $[\hexint{00}]$, $[\hexint{01}]$, $[\hexint{02}]$ (intentionally matching \shortcrossref{saplingkeycomponents}),
         $[\hexint{10}]$, $[\hexint{13}]$, $[\hexint{14}]$, and} with first byte in
-        $\setof{\sapling{\hexint{11}, \hexint{12}, \hexint{15}, \hexint{16}, \hexint{17}, \hexint{18},\,}\hexint{80}\nufive{, \hexint{81}, \hexint{82}, \hexint{83}}}$;
+        $\setof{\sapling{\hexint{11}, \hexint{12}, \hexint{15}, \hexint{16}, \hexint{17}, \hexint{18},\,}\hexint{80}\nufive{, \hexint{81}, \hexint{83}}}$;
   \item in \cite{ZIP-316}, with first byte $\hexint{D0}$.
 \end{itemize}
 
@@ -5354,53 +5354,64 @@
 \introsection
 \lsubsubsection{\OrchardText{} Key Components}{orchardkeycomponents}
 
-\vspace{-1ex}
 Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, $\DiversifierLength$,
 and $\DiversifierKeyLength$ be as defined in \crossref{constants}.
 
 Let $\GroupP$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in
 \crossref{pallasandvesta}.
 
-\vspace{-0.25ex}
+\vspace{-0.2ex}
 Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
 
-\vspace{-0.35ex}
+\vspace{-0.3ex}
 Let $\GroupPHash$ be as defined in \crossref{concretegrouphashpallasandvesta}.
 
-\vspace{-0.25ex}
+\vspace{-0.2ex}
 Let $\PRFexpand{}$ and $\PRFock{Orchard}{}$ be as defined in \crossref{concreteprfs}.
 
-\vspace{-0.5ex}
+\vspace{-0.4ex}
 Let $\DeriveInternalFVKOrchard$ be as defined in \cite[Orchard internal key derivation]{ZIP-32}.
 
-\vspace{-0.25ex}
+\vspace{-0.2ex}
 Let $\PRPd{} \typecolon \DiversifierKeyType \times \DiversifierType \rightarrow \DiversifierType$
 be as defined in \crossref{concreteprps}.
 
-\vspace{-0.35ex}
+\vspace{-0.3ex}
 Let $\KA{Orchard}$, instantiated in \crossref{concreteorchardkeyagreement},
 be a \keyAgreementScheme.
 
-\vspace{-0.35ex}
+\vspace{-0.3ex}
 Let $\CommitIvk{}$, instantiated in \crossref{concretesinsemillacommit},
 be a \commitmentScheme.
 
-\vspace{-0.25ex}
+\vspace{-0.2ex}
 Let $\DiversifyHash{Orchard}$ be as defined in \crossref{concretediversifyhash}.
 
-\vspace{-0.25ex}
+\vspace{-0.2ex}
 Let $\SpendAuthSig{Orchard}$ instantiated in \crossref{concretespendauthsig}
 be a \rerandomizableSignatureScheme.
 
-\vspace{-0.25ex}
+\vspace{-0.2ex}
 Let $\ItoLEBSP{}$, $\ItoLEOSP{}$, and $\LEOStoIP{}$ be as defined in \crossref{endian}.
 
-\vspace{0.5ex}
+\vspace{0.4ex}
 Define $\ToBase{Orchard}(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamP{q}}$.
 
-\vspace{-1.5ex}
+\vspace{-1.3ex}
 Define $\ToScalar{Orchard}(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamP{r}}$.
 
+Define $\DeriveDkAndOvkOrchard(\CommitIvkRand \typecolon \CommitIvkRandType, \AuthSignPublic \typecolon \AuthSignPublicTypeOrchard, \NullifierKey \typecolon \NullifierKeyTypeOrchard)$
+as follows:
+
+\begin{algorithm}
+  \item let $K = \ItoLEBSPOf{\SpendingKeyLength}{\CommitIvkRand}$
+        \vspace{-0.3ex}
+  \item let $R = \PRFexpand{\!K}\big([\hexint{82}] \bconcat \ItoLEOSPOf{256}{\AuthSignPublic} \bconcat \ItoLEOSPOf{256}{\NullifierKey}\kern-0.25em\big)$
+  \item let $\DiversifierKey \typecolon \DiversifierKeyType$ be the first $\DiversifierKeyLength/8$ bytes of $R$ and
+        let $\OutViewingKey \typecolon \OutViewingKeyType$ be the remaining $\OutViewingKeyLength/8$ bytes of $R$.
+  \item return $(\DiversifierKey, \OutViewingKey)$
+\end{algorithm}
+
 \introlist
 A new \Orchard \spendingKey $\SpendingKey$ is generated by choosing a \bitSequence
 uniformly at random from $\SpendingKeyType$.
@@ -5435,30 +5446,22 @@
         \vspace{-0.3ex}
   \item if $\InViewingKey \in \setof{0, \bot}$, discard this key and repeat with a new $\SpendingKey$.
         \vspace{-0.2ex}
-  \item let $K = \ItoLEBSPOf{\SpendingKeyLength}{\CommitIvkRand}$
-        \vspace{-0.5ex}
-  \item let $R = \PRFexpand{K}\big([\hexint{82}] \bconcat \ItoLEOSPOf{256}{\AuthSignPublic} \bconcat \ItoLEOSPOf{256}{\NullifierKey}\kern-0.25em\big)$
-        \vspace{-0.2ex}
-  \item let $\DiversifierKey$ be the first $\DiversifierKeyLength/8$ bytes of $R$ and
-        let $\OutViewingKey$ be the remaining $\OutViewingKeyLength/8$ bytes of $R$.
+  \item let $(\DiversifierKey, \OutViewingKey) = \DeriveDkAndOvkOrchard(\CommitIvkRand, \AuthSignPublic, \NullifierKey)$
         \vspace{-0.4ex}
   \item let $(\Internal{\AuthSignPublic}, \Internal{\NullifierKey}, \Internal{\CommitIvkRand}) = \DeriveInternalFVKOrchard(\AuthSignPublic, \NullifierKey, \CommitIvkRand)$
         \vspace{-0.3ex}
   \item let $\Internal{\InViewingKey} = \CommitIvk{\Internal{\CommitIvkRand}}\big(\Internal{\AuthSignPublic}, \Internal{\NullifierKey}\big)$
         \vspace{-0.2ex}
   \item if $\Internal{\InViewingKey} \in \setof{0, \bot}$, discard this key and repeat with a new $\SpendingKey$.
         \vspace{-0.2ex}
-  \item let $\Internal{K} = \ItoLEBSPOf{\SpendingKeyLength}{\Internal{\CommitIvkRand}}$
-        \vspace{-0.5ex}
-  \item let $\Internal{R} = \PRFexpand{\Internal{K}}\big([\hexint{82}] \bconcat \ItoLEOSPOf{256}{\Internal{\AuthSignPublic}} \bconcat \ItoLEOSPOf{256}{\Internal{\NullifierKey}}\kern-0.25em\big)$
-        \vspace{-0.2ex}
-  \item let $\Internal{\DiversifierKey}$ be the first $\DiversifierKeyLength/8$ bytes of $\Internal{R}$ and
-        let $\Internal{\OutViewingKey}$ be the remaining $\OutViewingKeyLength/8$ bytes of $\Internal{R}$.
+  \item let $(\Internal{\DiversifierKey}, \Internal{\OutViewingKey}) = \DeriveDkAndOvkOrchard\big(\Internal{\CommitIvkRand}, \Internal{\AuthSignPublic}, \Internal{\NullifierKey}\big)$.
 \end{algorithm}
 
+\vspace{-1ex}
 \introlist
 \pnote{$\Internal{\AuthSignPublic} = \AuthSignPublic$ and $\Internal{\NullifierKey} = \NullifierKey$.}
 
+\vspace{1ex}
 As explained in \crossref{addressesandkeys}, \Orchard allows the efficient
 creation of multiple \diversifiedPaymentAddresses with the same \spendingAuthority.
 A group of such addresses shares the same \fullViewingKey, \incomingViewingKey, and
@@ -5577,9 +5580,9 @@
         a sequence of ciphertext components for the encrypted output \notes.
 \end{itemize}
 
-\introlist
 The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertextSprout.
 
+\introlist
 The value $\hSig$ is also computed from $\RandomSeed$, $\nfOld{\allOld}$, and the
 $\joinSplitPubKey$ of the containing \transaction:
 \begin{formulae}
@@ -5747,9 +5750,11 @@
 } %sapling
 
 
+\vspace{-2ex}
 \nufive{
 \lsubsection{Action Descriptions}{actiondesc}
 
+\vspace{-1ex}
 An \actionTransfer, as specified in \crossref{actions}, is encoded in \transactions as an
 \defining{\actionDescription}.
 Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}.
@@ -5775,56 +5780,57 @@
 
 Let $\Action$ be as defined in \crossref{abstractzk}.
 
-\vspace{1ex}
+\vspace{0.5ex}
 \introsection
-An \actionDescription comprises $(\cvNet{}, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig,
-\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpends, \enableOutputs,$ $\Proof{})$
-where
+An \actionDescription comprises $(\cvNet{}\kern-0.2em, \rt{Orchard}\kern-0.2em, \nf, \AuthSignRandomizedPublic, \spendAuthSig,
+\cmX\kern-0.1em, \EphemeralPublic, \TransmitCiphertext{}\kern-0.2em, \OutCiphertext\kern-0.2em, \enableSpends, \enableOutputs, \Proof{})$:
+\vspace{-1.5ex}
 \begin{itemize}
   \item $\cvNet{} \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the
         input \note minus the value of the output \note;
         \vspace{-0.5ex}
   \item $\rt{Orchard} \typecolon \MerkleHashOrchard$ is an \anchor, as defined in \crossref{transactions},
         for the output \treestate of a previous \block;
-        \vspace{-0.25ex}
+        \vspace{-0.3ex}
   \item $\nf \typecolon \range{0}{\ParamP{q}-1}$ is the \nullifier for the input \note;
-        \vspace{-0.25ex}
+        \vspace{-0.3ex}
   \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard}$ is a randomized \validatingKey
         that should be used to validate $\spendAuthSig$;
-        \vspace{-0.25ex}
+        \vspace{-0.3ex}
   \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is a \spendAuthSignature,
         validated as specified in \crossref{spendauthsig};
-        \vspace{-0.25ex}
+        \vspace{-0.3ex}
   \item $\cmX \typecolon \MerkleHashOrchard$ is the result of applying $\ExtractP$ to the \noteCommitment for
         the output \note;
-        \vspace{-0.25ex}
+        \vspace{-0.3ex}
   \item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is
         a key agreement \publicKey, used to derive the key for encryption
         of the \noteCiphertextOrchard (\crossref{saplinginband});
-        \vspace{-0.25ex}
+        \vspace{-0.3ex}
   \item $\TransmitCiphertext{} \typecolon \Ciphertext$ is
         a ciphertext component for the encrypted output \note;
-        \vspace{-0.25ex}
+        \vspace{-0.3ex}
   \item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of
         the \outgoingCipherKey (which can be derived from a \fullViewingKey) to recover the recipient
         \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey
         $\EphemeralPrivate$, hence the entire \notePlaintext;
+        \vspace{-0.15ex}
   \item $\enableSpends \typecolon \bit$ is a flag that is set in order to enable \nh{non-zero-valued}
         spends in this Action;
+        \vspace{-0.15ex}
   \item $\enableOutputs \typecolon \bit$ is a flag that is set in order to enable \nh{non-zero-valued}
         outputs in this Action;
-        \vspace{-0.25ex}
+        \vspace{-0.3ex}
   \item $\Proof{} \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput
         $(\cv, \rt{Orchard}\kern-0.1em, \nf\kern-0.1em, \AuthSignRandomizedPublic, \cmX, \enableSpends, \enableOutputs)$
         for the \actionStatement defined in \crossref{actionstatement}.
 \end{itemize}
 
 \vspace{-1.5ex}
 \pnote{The $\rt{Orchard}$, $\enableSpends$, and $\enableOutputs$ components are the same for all
-\actionTransfers in a \transaction. They are encoded once in the \transaction body (see
-\crossref{txnencoding}), not in the $\type{ActionDescription}$ structure.
-$\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrchard$ field of a
-\transaction.}
+\actionTransfers in a \transaction, and are encoded once in the \transaction body
+(\crossref{txnencoding}), not the $\type{ActionDescription}$ structure.
+$\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrchard$ field.}
 
 \begin{consensusrules}
         \vspace{-0.25ex}
@@ -5844,7 +5850,7 @@
         i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpends, \enableOutputs), \Proof{}\big) = 1$.
 \end{consensusrules}
 
-\vspace{-1.5ex}
+\vspace{-2ex}
 \begin{nnotes}
         \vspace{-0.25ex}
   \item $\cv$ and $\AuthSignRandomizedPublic$ can be the zero point $\ZeroP$. $\EphemeralPublic$ cannot
@@ -5856,7 +5862,7 @@
 } %nufive
 
 
-\vspace{-3ex}
+\vspace{-2.5ex}
 \lsubsection{Sending Notes}{send}
 
 \vspace{-1ex}
@@ -5869,15 +5875,16 @@
 \introlist
 Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}.
 
-\vspace{-0.5ex}
+\vspace{-0.6ex}
 Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}.
 
-\vspace{-0.5ex}
+\vspace{-0.6ex}
 Let $\RandomSeedLength$ and $\NoteUniquePreRandLength$ be as specified in \crossref{constants}.
 
 Sending a \transaction containing \joinSplitDescriptions involves first
 generating a new $\JoinSplitSig$ key pair:
 
+\vspace{-0.4ex}
 \begin{formulae}
   \item $\joinSplitPrivKey \leftarrowR \JoinSplitSigGenPrivate()$
   \item $\joinSplitPubKey := \JoinSplitSigDerivePublic(\joinSplitPrivKey)$.
@@ -5902,10 +5909,10 @@
   \item Let $\NotePlaintext{i} = (\hexint{00}, \Value_i, \NoteUniqueRand_i, \NoteCommitRand_i, \Memo_i)$.
 \end{itemize}
 
-\vspace{-1ex}
+\vspace{-1.3ex}
 $\NotePlaintext{\allNew}$ are then encrypted to the recipient \transmissionKeys
 $\TransmitPublicSub{\allNew}$, giving the \notesCiphertextSprout
-$(\EphemeralPublic, \TransmitCiphertext{\allNew})$, as described in \crossref{sproutinband}.
+$\big(\EphemeralPublic, \TransmitCiphertext{\allNew}\big)$, as described in \crossref{sproutinband}.
 
 In order to minimize information leakage, the sender \SHOULD randomize the order
 of the input \notes and of the output \notes. Other considerations relating to
@@ -5920,7 +5927,7 @@
   \item $\joinSplitSig \leftarrowR \JoinSplitSigSign{\text{\small\joinSplitPrivKey}}(\dataToBeSigned)$
 \end{formulae}
 
-\vspace{-0.5ex}
+\vspace{-1ex}
 Then the encoded \transaction including $\joinSplitSig$ is submitted to the \peerToPeerNetwork.
 
 \canopyonwardpnote{\cite{ZIP-211} specifies that nodes and wallets \MUST disable any facilities