Randomised signature keys. All inputs are signed with a randomised version of a secret key. *

Zero knowledge proofs needed to spend a transaction outputs. See spec section 4.15 *

Signature needed to spend tokens. Computed with a randomised version of the secret key and verifies under a randomised version of the public key. Signs a hash of an input concatenated with an optional anti-replay string. *

Zero-knowledge proof needed to create money. See spec section 4.15 *

Contains the necessary information to spend tokens (except the root which we include in the transaction). *

Contains the necessary information to create tokens. *

Ties a transaction to a balance (difference between the tokens created and spent). Proves with the commitment values that sum of values of inputs minus sums of values of output equals balance. *

Transaction that is sent to a verifier. The root corresponds to a merkle tree where the inputs are present. Even if this root can in principle be very old, a verifier may keep only the last n known roots considering anything older as invalid. bound_data is arbitrary data that gets signed by the Sapling keys and can typically be used to connect the Sapling protocol to another one. For example it can contain the recipient address of an unshield operation. The memo_size field is checked at encoding and encoding to be the real memo size of all outputs. A transaction leaks the balance between inputs and outputs and the number of inputs and outputs. Note that the number of inputs is limited to 5208 and number of outputs to 2019, by a check in the encoding. This is important to avoid invalidating a proof over the balance as described in section 4.12 of the spec.

The encoding enforces the limits on number of inputs and outputs.

Maximum amount of shielded tokens. This value is imposed by librustzcash. *