From 8d0b7ed8c297b6aa0aa458e1c415d79f087efa01 Mon Sep 17 00:00:00 2001
From: Daira Hopwood <daira@jacaranda.org>
Date: Wed, 8 Jun 2022 19:02:53 +0100
Subject: [PATCH] ZIP 32: Add an Account discovery section.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
---
 zip-0032.html | 125 +++++++++++++++++++++++++++++++++++++-------------
 zip-0032.rst  |  77 +++++++++++++++++++++++++------
 2 files changed, 154 insertions(+), 48 deletions(-)

diff --git a/zip-0032.html b/zip-0032.html
index 8bb4bbed1..4f6ba50b1 100644
--- a/zip-0032.html
+++ b/zip-0032.html
@@ -25,8 +25,8 @@
             <span class="math">\(% This ZIP makes heavy use of mathematical markup. If you can see this, you may want to instead view the rendered version at https://zips.z.cash/zip-0032 .\)</span>
         </p>
         <section id="terminology"><h2><span class="section-heading">Terminology</span><span class="section-anchor"> <a rel="bookmark" href="#terminology"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
-            <p>The key words "MUST", "MUST NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
-            <p>"Jubjub" refers to the elliptic curve defined in <a id="id2" class="footnote_reference" href="#protocol-jubjub">15</a>.</p>
+            <p>The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
+            <p>"Jubjub" refers to the elliptic curve defined in <a id="id2" class="footnote_reference" href="#protocol-jubjub">16</a>.</p>
             <p>A "chain code" is a cryptovalue that is needed, in addition to a spending key, in order to derive descendant keys and addresses of that key.</p>
             <p>The terms "Testnet" and "Mainnet" are to be interpreted as described in section 3.12 of the Zcash Protocol Specification <a id="id3" class="footnote_reference" href="#protocol-networks">10</a>.</p>
         </section>
@@ -104,7 +104,7 @@
                     <span class="math">\(\mathsf{repr}_\mathbb{J}(P)\)</span>
                  is the representation of the Jubjub elliptic curve point
                     <span class="math">\(P\)</span>
-                 as a bit sequence, defined in <a id="id10" class="footnote_reference" href="#protocol-jubjub">15</a>.</li>
+                 as a bit sequence, defined in <a id="id10" class="footnote_reference" href="#protocol-jubjub">16</a>.</li>
                 <li>
                     <span class="math">\(\mathsf{BLAKE2b}\text{-}\mathsf{256}(p, x)\)</span>
                  refers to unkeyed BLAKE2b-256 in sequential mode, with an output digest length of 32 bytes, 16-byte personalization string
@@ -144,9 +144,9 @@
                     <span class="math">\(d\)</span>
                  to a base point on the Jubjub elliptic curve, or to
                     <span class="math">\(\bot\)</span>
-                 if the diversifier is invalid. It is instantiated in <a id="id11" class="footnote_reference" href="#protocol-concretediversifyhash">13</a>.</li>
+                 if the diversifier is invalid. It is instantiated in <a id="id11" class="footnote_reference" href="#protocol-concretediversifyhash">14</a>.</li>
             </ul>
-            <p>The following algorithm standardized in <a id="id12" class="footnote_reference" href="#nist-sp-800-38g">22</a> is used:</p>
+            <p>The following algorithm standardized in <a id="id12" class="footnote_reference" href="#nist-sp-800-38g">23</a> is used:</p>
             <ul>
                 <li>
                     <span class="math">\(\mathsf{FF1}\text{-}\mathsf{AES256.Encrypt}(key, tweak, x)\)</span>
@@ -385,7 +385,7 @@
                 <section id="deriving-a-child-extended-full-viewing-key"><h4><span class="section-heading">Deriving a child extended full viewing key</span><span class="section-anchor"> <a rel="bookmark" href="#deriving-a-child-extended-full-viewing-key"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
                     <p>Let
                         <span class="math">\(\mathcal{G}^\mathsf{Sapling}\)</span>
-                     be as defined in <a id="id19" class="footnote_reference" href="#protocol-concretespendauthsig">14</a> and let
+                     be as defined in <a id="id19" class="footnote_reference" href="#protocol-concretespendauthsig">15</a> and let
                         <span class="math">\(\mathcal{H}^\mathsf{Sapling}\)</span>
                      be as defined in <a id="id20" class="footnote_reference" href="#protocol-saplingkeycomponents">11</a>.</p>
                     <p>
@@ -809,12 +809,63 @@
                     <span class="math">\(2^{88}\)</span>
                  payment addresses (unlike Sapling, all Orchard diversifiers are valid).</p>
             </section>
+            <section id="account-discovery"><h3><span class="section-heading">Account discovery</span><span class="section-anchor"> <a rel="bookmark" href="#account-discovery"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
+                <p>A wallet that imports a master seed from an external source SHOULD attempt to discover accounts in the following manner.</p>
+                <p>Let
+                    <span class="math">\(M\)</span>
+                 be the subset of
+                    <span class="math">\(\{ m_\mathsf{Sapling}, m_\mathsf{Orchard} \}\)</span>
+                 corresponding to master keys for address types that this wallet supports.</p>
+                <ul>
+                    <li>For each account index starting from
+                        <span class="math">\(account = 0\)</span>
+                    :
+                        <ul>
+                            <li>For
+                                <span class="math">\(m \in M\)</span>
+                            :
+                                <ol type="1">
+                                    <li>Derive the external full viewing key of the account at path
+                                        <span class="math">\(m / purpose' / coin\_type' / account'\)</span>
+                                    .</li>
+                                    <li>Scan for transactions sending to this account using the algorithm in <a id="id37" class="footnote_reference" href="#protocol-scan">13</a>.</li>
+                                </ol>
+                            </li>
+                        </ul>
+                        <p>If no transactions are found for either Sapling or Orchard at a given account index, break from the loop over
+                            <span class="math">\(account\)</span>
+                        .</p>
+                    </li>
+                    <li>If the wallet supports Sapling addresses, then for each address index starting from
+                        <span class="math">\(address\_index = 0\)</span>
+                    :
+                        <ol type="1">
+                            <li>Derive the external full viewing key of the Sapling address at path
+                                <span class="math">\(m_{Sapling} / purpose' / coin\_type' / \mathtt{0x7FFFFFFF}' / address\_index\)</span>
+                            .</li>
+                            <li>Scan for transactions sending to this address using the algorithm in <a id="id38" class="footnote_reference" href="#protocol-scan">13</a>.</li>
+                        </ol>
+                        <p>If no transactions are found for a range of (<a href="#legacy-address-gap-limit">Legacy address gap limit</a>) consecutive addresses, break from the loop over
+                            <span class="math">\(address\_index\)</span>
+                        .</p>
+                    </li>
+                </ul>
+                <p>(The loop over
+                    <span class="math">\(address\_index\)</span>
+                 finds legacy Sapling addresses generated by <cite>zcashd</cite>.)</p>
+                <p>This algorithm is successful because wallets SHOULD disallow creation of new accounts if the previous one has no transaction history, as described in <a href="#key-path-levels">Key path levels</a> above.</p>
+                <p>Please note that the algorithm works with the transaction history, not account balances, so you can have an account with zero balance and the algorithm will still continue with discovery.</p>
+                <section id="legacy-address-gap-limit"><h4><span class="section-heading">Legacy address gap limit</span><span class="section-anchor"> <a rel="bookmark" href="#legacy-address-gap-limit"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
+                    <p>The RECOMMENDED address gap limit for legacy Sapling addresses is 20. If a wallet hits this number of unused addresses in a row, it expects there to be no used addresses beyond this point and SHOULD stop searching the legacy Sapling address chain. We scan just the external chains, because internal chains receive only coins that come from the associated external chains.</p>
+                    <p>Wallet software should warn when the user is trying to exceed the gap limit on an external chain by generating a new address.</p>
+                </section>
+            </section>
         </section>
         <section id="specification-fingerprints-and-tags"><h2><span class="section-heading">Specification: Fingerprints and Tags</span><span class="section-anchor"> <a rel="bookmark" href="#specification-fingerprints-and-tags"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
             <section id="sapling-full-viewing-key-fingerprints-and-tags"><h3><span class="section-heading">Sapling Full Viewing Key Fingerprints and Tags</span><span class="section-anchor"> <a rel="bookmark" href="#sapling-full-viewing-key-fingerprints-and-tags"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
                 <p>A "Sapling full viewing key fingerprint" of a full viewing key with raw encoding
                     <span class="math">\(\mathit{FVK}\)</span>
-                 (as specified in <a id="id37" class="footnote_reference" href="#protocol-saplingfullviewingkeyencoding">18</a>) is given by:</p>
+                 (as specified in <a id="id39" class="footnote_reference" href="#protocol-saplingfullviewingkeyencoding">19</a>) is given by:</p>
                 <ul>
                     <li>
                         <span class="math">\(\mathsf{BLAKE2b}\text{-}\mathsf{256}(\texttt{“ZcashSaplingFVFP”}, \mathit{FVK})\)</span>
@@ -826,7 +877,7 @@
             <section id="orchard-full-viewing-key-fingerprints-and-tags"><h3><span class="section-heading">Orchard Full Viewing Key Fingerprints and Tags</span><span class="section-anchor"> <a rel="bookmark" href="#orchard-full-viewing-key-fingerprints-and-tags"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
                 <p>An "Orchard full viewing key fingerprint" of a full viewing key with raw encoding
                     <span class="math">\(\mathit{FVK}\)</span>
-                 (as specified in <a id="id38" class="footnote_reference" href="#protocol-orchardfullviewingkeyencoding">20</a>) is given by:</p>
+                 (as specified in <a id="id40" class="footnote_reference" href="#protocol-orchardfullviewingkeyencoding">21</a>) is given by:</p>
                 <ul>
                     <li>
                         <span class="math">\(\mathsf{BLAKE2b}\text{-}\mathsf{256}(\texttt{“ZcashOrchardFVFP”}, \mathit{FVK})\)</span>
@@ -851,7 +902,7 @@
             </section>
         </section>
         <section id="specification-key-encodings"><h2><span class="section-heading">Specification: Key Encodings</span><span class="section-anchor"> <a rel="bookmark" href="#specification-key-encodings"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
-            <p>The following encodings are analogous to the <code>xprv</code> and <code>xpub</code> encodings defined in BIP 32 for transparent keys and addresses. Each key type has a raw representation and a Bech32 <a id="id39" class="footnote_reference" href="#bip-0173">7</a> encoding.</p>
+            <p>The following encodings are analogous to the <code>xprv</code> and <code>xpub</code> encodings defined in BIP 32 for transparent keys and addresses. Each key type has a raw representation and a Bech32 <a id="id41" class="footnote_reference" href="#bip-0173">7</a> encoding.</p>
             <section id="sapling-extended-spending-keys"><h3><span class="section-heading">Sapling extended spending keys</span><span class="section-anchor"> <a rel="bookmark" href="#sapling-extended-spending-keys"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
                 <p>A Sapling extended spending key
                     <span class="math">\((\mathsf{ask, nsk, ovk, dk, c})\)</span>
@@ -943,7 +994,7 @@
                     <span class="math">\(0\)</span>
                 .</p>
                 <p>When encoded as Bech32, the Human-Readable Part is <code>secret-orchard-extsk-main</code> for Mainnet, or <code>secret-orchard-extsk-test</code> for Testnet.</p>
-                <p>We define this encoding for completeness, however given that it includes the capability to derive child spending keys, we expect that most wallets will only expose the regular Orchard spending key encoding to users <a id="id40" class="footnote_reference" href="#protocol-orchardspendingkeyencoding">21</a>.</p>
+                <p>We define this encoding for completeness, however given that it includes the capability to derive child spending keys, we expect that most wallets will only expose the regular Orchard spending key encoding to users <a id="id42" class="footnote_reference" href="#protocol-orchardspendingkeyencoding">22</a>.</p>
             </section>
         </section>
         <section id="values-reserved-due-to-previous-specification-for-sprout"><h2><span class="section-heading">Values reserved due to previous specification for Sprout</span><span class="section-anchor"> <a rel="bookmark" href="#values-reserved-due-to-previous-specification-for-sprout"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
@@ -1047,7 +1098,7 @@
                 <tbody>
                     <tr>
                         <th>9</th>
-                        <td><a href="protocol/protocol.pdf">Zcash Protocol Specification, Version 2022.2.19 or later [NU5 proposal]</a></td>
+                        <td><a href="protocol/protocol.pdf">Zcash Protocol Specification, Version 2022.3.2 or later [NU5 proposal]</a></td>
                     </tr>
                 </tbody>
             </table>
@@ -1055,7 +1106,7 @@
                 <tbody>
                     <tr>
                         <th>10</th>
-                        <td><a href="protocol/protocol.pdf#networks">Zcash Protocol Specification, Version 2022.2.19. Section 3.12: Mainnet and Testnet</a></td>
+                        <td><a href="protocol/protocol.pdf#networks">Zcash Protocol Specification, Version 2022.3.2. Section 3.12: Mainnet and Testnet</a></td>
                     </tr>
                 </tbody>
             </table>
@@ -1063,7 +1114,7 @@
                 <tbody>
                     <tr>
                         <th>11</th>
-                        <td><a href="protocol/protocol.pdf#saplingkeycomponents">Zcash Protocol Specification, Version 2022.2.19. Section 4.2.2: Sapling Key Components</a></td>
+                        <td><a href="protocol/protocol.pdf#saplingkeycomponents">Zcash Protocol Specification, Version 2022.3.2. Section 4.2.2: Sapling Key Components</a></td>
                     </tr>
                 </tbody>
             </table>
@@ -1071,86 +1122,94 @@
                 <tbody>
                     <tr>
                         <th>12</th>
-                        <td><a href="protocol/protocol.pdf#orchardkeycomponents">Zcash Protocol Specification, Version 2022.2.19. Section 4.2.3: Orchard Key Components</a></td>
+                        <td><a href="protocol/protocol.pdf#orchardkeycomponents">Zcash Protocol Specification, Version 2022.3.2. Section 4.2.3: Orchard Key Components</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-concretediversifyhash" class="footnote">
+            <table id="protocol-scan" class="footnote">
                 <tbody>
                     <tr>
                         <th>13</th>
-                        <td><a href="protocol/protocol.pdf#concretediversifyhash">Zcash Protocol Specification, Version 2022.2.19. Section 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions</a></td>
+                        <td><a href="protocol/protocol.pdf#scan">Zcash Protocol Specification, Version 2022.3.2. Section 4.21: Block Chain Scanning (Sapling and Orchard)</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-concretespendauthsig" class="footnote">
+            <table id="protocol-concretediversifyhash" class="footnote">
                 <tbody>
                     <tr>
                         <th>14</th>
-                        <td><a href="protocol/protocol.pdf#concretespendauthsig">Zcash Protocol Specification, Version 2022.2.19. Section 5.4.6.1: Spend Authorization Signature</a></td>
+                        <td><a href="protocol/protocol.pdf#concretediversifyhash">Zcash Protocol Specification, Version 2022.3.2. Section 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-jubjub" class="footnote">
+            <table id="protocol-concretespendauthsig" class="footnote">
                 <tbody>
                     <tr>
                         <th>15</th>
-                        <td><a href="protocol/protocol.pdf#jubjub">Zcash Protocol Specification, Version 2022.2.19. Section 5.4.9.3: Jubjub</a></td>
+                        <td><a href="protocol/protocol.pdf#concretespendauthsig">Zcash Protocol Specification, Version 2022.3.2. Section 5.4.7.1: Spend Authorization Signature</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-sproutpaymentaddrencoding" class="footnote">
+            <table id="protocol-jubjub" class="footnote">
                 <tbody>
                     <tr>
                         <th>16</th>
-                        <td><a href="protocol/protocol.pdf#sproutpaymentaddrencoding">Zcash Protocol Specification, Version 2022.2.19. Section 5.6.2.1: Sprout Payment Addresses</a></td>
+                        <td><a href="protocol/protocol.pdf#jubjub">Zcash Protocol Specification, Version 2022.3.2. Section 5.4.9.3: Jubjub</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-sproutspendingkeyencoding" class="footnote">
+            <table id="protocol-sproutpaymentaddrencoding" class="footnote">
                 <tbody>
                     <tr>
                         <th>17</th>
-                        <td><a href="protocol/protocol.pdf#sproutspendingkeyencoding">Zcash Protocol Specification, Version 2022.2.19. Section 5.6.2.3: Sprout Spending Keys</a></td>
+                        <td><a href="protocol/protocol.pdf#sproutpaymentaddrencoding">Zcash Protocol Specification, Version 2022.3.2. Section 5.6.2.1: Sprout Payment Addresses</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-saplingfullviewingkeyencoding" class="footnote">
+            <table id="protocol-sproutspendingkeyencoding" class="footnote">
                 <tbody>
                     <tr>
                         <th>18</th>
-                        <td><a href="protocol/protocol.pdf#saplingfullviewingkeyencoding">Zcash Protocol Specification, Version 2022.2.19. Section 5.6.3.3: Sapling Full Viewing Keys</a></td>
+                        <td><a href="protocol/protocol.pdf#sproutspendingkeyencoding">Zcash Protocol Specification, Version 2022.3.2. Section 5.6.2.3: Sprout Spending Keys</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-saplingspendingkeyencoding" class="footnote">
+            <table id="protocol-saplingfullviewingkeyencoding" class="footnote">
                 <tbody>
                     <tr>
                         <th>19</th>
-                        <td><a href="protocol/protocol.pdf#saplingspendingkeyencoding">Zcash Protocol Specification, Version 2022.2.19. Section 5.6.3.4: Sapling Spending Keys</a></td>
+                        <td><a href="protocol/protocol.pdf#saplingfullviewingkeyencoding">Zcash Protocol Specification, Version 2022.3.2. Section 5.6.3.3: Sapling Full Viewing Keys</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-orchardfullviewingkeyencoding" class="footnote">
+            <table id="protocol-saplingspendingkeyencoding" class="footnote">
                 <tbody>
                     <tr>
                         <th>20</th>
-                        <td><a href="protocol/protocol.pdf#orchardfullviewingkeyencoding">Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.4: Orchard Raw Full Viewing Keys</a></td>
+                        <td><a href="protocol/protocol.pdf#saplingspendingkeyencoding">Zcash Protocol Specification, Version 2022.3.2. Section 5.6.3.4: Sapling Spending Keys</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="protocol-orchardspendingkeyencoding" class="footnote">
+            <table id="protocol-orchardfullviewingkeyencoding" class="footnote">
                 <tbody>
                     <tr>
                         <th>21</th>
-                        <td><a href="protocol/protocol.pdf#orchardspendingkeyencoding">Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.5: Orchard Spending Keys</a></td>
+                        <td><a href="protocol/protocol.pdf#orchardfullviewingkeyencoding">Zcash Protocol Specification, Version 2022.3.2. Section 5.6.4.4: Orchard Raw Full Viewing Keys</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="nist-sp-800-38g" class="footnote">
+            <table id="protocol-orchardspendingkeyencoding" class="footnote">
                 <tbody>
                     <tr>
                         <th>22</th>
+                        <td><a href="protocol/protocol.pdf#orchardspendingkeyencoding">Zcash Protocol Specification, Version 2022.3.2. Section 5.6.4.5: Orchard Spending Keys</a></td>
+                    </tr>
+                </tbody>
+            </table>
+            <table id="nist-sp-800-38g" class="footnote">
+                <tbody>
+                    <tr>
+                        <th>23</th>
                         <td><a href="https://dx.doi.org/10.6028/NIST.SP.800-38G">NIST Special Publication 800-38G — Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption</a></td>
                     </tr>
                 </tbody>
diff --git a/zip-0032.rst b/zip-0032.rst
index 9f49e4418..0f5474ab8 100644
--- a/zip-0032.rst
+++ b/zip-0032.rst
@@ -20,8 +20,8 @@
 Terminology
 ===========
 
-The key words "MUST", "MUST NOT", and "MAY" in this document are to be interpreted as described in RFC 2119.
-[#RFC2119]_
+The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be
+interpreted as described in RFC 2119. [#RFC2119]_
 
 "Jubjub" refers to the elliptic curve defined in [#protocol-jubjub]_.
 
@@ -549,6 +549,52 @@ each recipient.
 Note that a given account can have a maximum of :math:`2^{88}` payment addresses (unlike Sapling, all Orchard
 diversifiers are valid).
 
+Account discovery
+-----------------
+
+A wallet that imports a master seed from an external source SHOULD attempt to discover accounts in the
+following manner.
+
+Let :math:`M` be the subset of :math:`\{ m_\mathsf{Sapling}, m_\mathsf{Orchard} \}` corresponding to master keys
+for address types that this wallet supports.
+
+* For each account index starting from :math:`account = 0`:
+
+  * For :math:`m \in M`:
+
+    1. Derive the external full viewing key of the account at path :math:`m / purpose' / coin\_type' / account'`.
+    2. Scan for transactions sending to this account using the algorithm in [#protocol-scan]_.
+
+  If no transactions are found for either Sapling or Orchard at a given account index, break from the loop
+  over :math:`account`.
+
+* If the wallet supports Sapling addresses, then for each address index starting from :math:`address\_index = 0`:
+
+  1. Derive the external full viewing key of the Sapling address at path :math:`m_{Sapling} / purpose' / coin\_type' / \mathtt{0x7FFFFFFF}' / address\_index`.
+  2. Scan for transactions sending to this address using the algorithm in [#protocol-scan]_.
+
+  If no transactions are found for a range of (`Legacy address gap limit`_) consecutive addresses, break
+  from the loop over :math:`address\_index`.
+
+(The loop over :math:`address\_index` finds legacy Sapling addresses generated by `zcashd`.)
+
+This algorithm is successful because wallets SHOULD disallow creation of new accounts if the previous one
+has no transaction history, as described in `Key path levels`_ above.
+
+Please note that the algorithm works with the transaction history, not account balances, so you can have
+an account with zero balance and the algorithm will still continue with discovery.
+
+Legacy address gap limit
+````````````````````````
+
+The RECOMMENDED address gap limit for legacy Sapling addresses is 20. If a wallet hits this number of unused
+addresses in a row, it expects there to be no used addresses beyond this point and SHOULD stop searching
+the legacy Sapling address chain. We scan just the external chains, because internal chains receive only
+coins that come from the associated external chains.
+
+Wallet software should warn when the user is trying to exceed the gap limit on an external chain by
+generating a new address.
+
 
 Specification: Fingerprints and Tags
 ====================================
@@ -695,17 +741,18 @@ References
 .. [#slip-0044] `SLIP 44: Registered coin types for BIP-0044 <https://github.com/satoshilabs/slips/blob/master/slip-0044.md>`_
 .. [#bip-0173] `BIP 173: Base32 address format for native v0-16 witness outputs <https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki>`_
 .. [#zip-0316] `ZIP 316: Unified Addresses and Unified Viewing Keys <zip-0316.rst>`_
-.. [#protocol] `Zcash Protocol Specification, Version 2022.2.19 or later [NU5 proposal] <protocol/protocol.pdf>`_
-.. [#protocol-networks] `Zcash Protocol Specification, Version 2022.2.19. Section 3.12: Mainnet and Testnet <protocol/protocol.pdf#networks>`_
-.. [#protocol-saplingkeycomponents] `Zcash Protocol Specification, Version 2022.2.19. Section 4.2.2: Sapling Key Components <protocol/protocol.pdf#saplingkeycomponents>`_
-.. [#protocol-orchardkeycomponents] `Zcash Protocol Specification, Version 2022.2.19. Section 4.2.3: Orchard Key Components <protocol/protocol.pdf#orchardkeycomponents>`_
-.. [#protocol-concretediversifyhash] `Zcash Protocol Specification, Version 2022.2.19. Section 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions <protocol/protocol.pdf#concretediversifyhash>`_
-.. [#protocol-concretespendauthsig] `Zcash Protocol Specification, Version 2022.2.19. Section 5.4.6.1: Spend Authorization Signature <protocol/protocol.pdf#concretespendauthsig>`_
-.. [#protocol-jubjub] `Zcash Protocol Specification, Version 2022.2.19. Section 5.4.9.3: Jubjub <protocol/protocol.pdf#jubjub>`_
-.. [#protocol-sproutpaymentaddrencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.2.1: Sprout Payment Addresses <protocol/protocol.pdf#sproutpaymentaddrencoding>`_
-.. [#protocol-sproutspendingkeyencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.2.3: Sprout Spending Keys <protocol/protocol.pdf#sproutspendingkeyencoding>`_
-.. [#protocol-saplingfullviewingkeyencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.3.3: Sapling Full Viewing Keys <protocol/protocol.pdf#saplingfullviewingkeyencoding>`_
-.. [#protocol-saplingspendingkeyencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.3.4: Sapling Spending Keys <protocol/protocol.pdf#saplingspendingkeyencoding>`_
-.. [#protocol-orchardfullviewingkeyencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.4: Orchard Raw Full Viewing Keys <protocol/protocol.pdf#orchardfullviewingkeyencoding>`_
-.. [#protocol-orchardspendingkeyencoding] `Zcash Protocol Specification, Version 2022.2.19. Section 5.6.4.5: Orchard Spending Keys <protocol/protocol.pdf#orchardspendingkeyencoding>`_
+.. [#protocol] `Zcash Protocol Specification, Version 2022.3.2 or later [NU5 proposal] <protocol/protocol.pdf>`_
+.. [#protocol-networks] `Zcash Protocol Specification, Version 2022.3.2. Section 3.12: Mainnet and Testnet <protocol/protocol.pdf#networks>`_
+.. [#protocol-saplingkeycomponents] `Zcash Protocol Specification, Version 2022.3.2. Section 4.2.2: Sapling Key Components <protocol/protocol.pdf#saplingkeycomponents>`_
+.. [#protocol-orchardkeycomponents] `Zcash Protocol Specification, Version 2022.3.2. Section 4.2.3: Orchard Key Components <protocol/protocol.pdf#orchardkeycomponents>`_
+.. [#protocol-scan] `Zcash Protocol Specification, Version 2022.3.2. Section 4.21: Block Chain Scanning (Sapling and Orchard) <protocol/protocol.pdf#scan>`_
+.. [#protocol-concretediversifyhash] `Zcash Protocol Specification, Version 2022.3.2. Section 5.4.1.6: DiversifyHash^Sapling and DiversifyHash^Orchard Hash Functions <protocol/protocol.pdf#concretediversifyhash>`_
+.. [#protocol-concretespendauthsig] `Zcash Protocol Specification, Version 2022.3.2. Section 5.4.7.1: Spend Authorization Signature <protocol/protocol.pdf#concretespendauthsig>`_
+.. [#protocol-jubjub] `Zcash Protocol Specification, Version 2022.3.2. Section 5.4.9.3: Jubjub <protocol/protocol.pdf#jubjub>`_
+.. [#protocol-sproutpaymentaddrencoding] `Zcash Protocol Specification, Version 2022.3.2. Section 5.6.2.1: Sprout Payment Addresses <protocol/protocol.pdf#sproutpaymentaddrencoding>`_
+.. [#protocol-sproutspendingkeyencoding] `Zcash Protocol Specification, Version 2022.3.2. Section 5.6.2.3: Sprout Spending Keys <protocol/protocol.pdf#sproutspendingkeyencoding>`_
+.. [#protocol-saplingfullviewingkeyencoding] `Zcash Protocol Specification, Version 2022.3.2. Section 5.6.3.3: Sapling Full Viewing Keys <protocol/protocol.pdf#saplingfullviewingkeyencoding>`_
+.. [#protocol-saplingspendingkeyencoding] `Zcash Protocol Specification, Version 2022.3.2. Section 5.6.3.4: Sapling Spending Keys <protocol/protocol.pdf#saplingspendingkeyencoding>`_
+.. [#protocol-orchardfullviewingkeyencoding] `Zcash Protocol Specification, Version 2022.3.2. Section 5.6.4.4: Orchard Raw Full Viewing Keys <protocol/protocol.pdf#orchardfullviewingkeyencoding>`_
+.. [#protocol-orchardspendingkeyencoding] `Zcash Protocol Specification, Version 2022.3.2. Section 5.6.4.5: Orchard Spending Keys <protocol/protocol.pdf#orchardspendingkeyencoding>`_
 .. [#NIST-SP-800-38G] `NIST Special Publication 800-38G — Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption <https://dx.doi.org/10.6028/NIST.SP.800-38G>`_