Concepts: Airdrop Nullifiers

To guard against airdrop double-claims while keeping claims unlinkable to later Zcash shielded spends, we publish an airdrop nullifier: a public, deterministic, airdrop-scoped identifier derived from the note’s nullifier key material via domain separation.

An airdrop configuration fixes two public domain parameters:

• targetS: Sapling domain parameter (BLAKE2s personalization, exactly 8 bytes).
• targetO: Orchard domain parameter used as the hash-to-curve domain string (at most 32 bytes, and must be valid UTF-8).

These parameters must be chosen so they do not coincide with the protocol domains for standard nullifiers: Zcash_nf (Sapling) and z.cash:Orchard (Orchard). See the cited specifications below.

Sapling

Sapling specifies the standard nullifier PRF (Sapling Protocol Specification, §5.4.2):

$$\mathsf{PR}{\mathsf{F}}_{\mathsf{n}{\mathsf{k}}^{\star }}^{\mathsf{nfSapling}}({\rho }^{\star })=BLAKE2s\text{-}256(\text{"Zcash\_nf"},LEBS2OS{\mathsf{P}}_{256}(n{k}^{\star })\Vert LEBS2OS{\mathsf{P}}_{256}({\rho }^{\star })).$$

The Sapling airdrop nullifier uses the same construction, but replaces the personalization string with the public airdrop parameter targetS:

$$\mathsf{PR}{\mathsf{F}}_{\mathsf{n}{\mathsf{k}}^{\star }}^{\mathsf{nfSaplingAirdrop}}({\rho }^{\star })=BLAKE2s\text{-}256(\text{targetS},LEBS2OS{\mathsf{P}}_{256}(n{k}^{\star })\Vert LEBS2OS{\mathsf{P}}_{256}({\rho }^{\star })).$$

Orchard

Orchard specifies nullifier derivation (Zcash Protocol Specification, §4.16):

$${\mathsf{DeriveNullifier}}_{\text{nk}}(\rho ,\psi ,\text{cm})={\mathrm{Extract}}_{\mathbb{P}}\left(\left[\left(\mathsf{PR}{\mathsf{F}}_{\mathsf{nk}}^{\mathsf{nfOrchard}}(\rho )+\psi \right)\mathrm{mod}{q}_{\mathbb{P}}\right]\cdot {\mathcal{K}}^{\mathrm{Orchard}}+\text{cm}\right).$$

with generator:

$${\mathcal{K}}^{\mathrm{Orchard}}:={\text{GroupHash}}^{\mathbb{P}}(\text{"z.cash:Orchard"},\text{K}).$$

The Orchard airdrop nullifier is derived by using an airdrop-specific generator:

$${\mathcal{K}}^{\mathrm{OrchardAirdrop}}:={\text{GroupHash}}^{\mathbb{P}}(\text{targetO},\text{K}),$$

and then computing $\mathsf{DeriveNullifier}$ as specified, but replacing ${\mathcal{K}}^{\mathrm{Orchard}}$ with ${\mathcal{K}}^{\mathrm{OrchardAirdrop}}$.