zecfoundation
/
zips
mirror of https://github.com/ZcashFoundation/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zips/zip-0245.rst

196 lines
6.0 KiB
ReStructuredText
Raw Permalink Blame History

::
ZIP: 245
Title: Transaction Identifier Digests & Signature Validation for Transparent Zcash Extensions
Owners: Kris Nuttycombe <kris@electriccoin.co>
Status: Draft
Category: Consensus
Created: 2021-01-13
License: MIT
Discussions-To: <https://github.com/zcash/zips/issues/384>
Terminology
===========
The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. [#RFC2119]_
The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as
described in ZIP 200. [#zip-0200]_
Abstract
========
This proposal defines changes to ZIP 244 [#zip-0244]_ transaction id and signature digest
algorithms to accommodate the inclusion of transparent Zcash extensions (TZEs)
as defined in ZIP 222 [#zip-0222]_.
Specification
=============
TxId Digest
-----------
The tree of hashes defined by ZIP 244 [#zip-0244]_ is re-structured to include a new
branch for TZE hashes. The ``tze_digest`` branch is the only new addition to the
tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and ``sapling_digest``
are as in ZIP 244::
txid_digest
├── header_digest
├── transparent_digest
├── tze_digest
│   ├── tzein_digest
│   └── tzeout_digest
├── sprout_digest
└── sapling_digest
txid_digest
```````````
The top hash of the ``txid_digest`` tree is modified from the ZIP 244 structure
to be a BLAKE2b-256 hash of the following values ::
T.1: header_digest (32-byte hash output)
T.2: transparent_digest (32-byte hash output)
T.3: tze_digest (32-byte hash output)
T.4: sprout_digest (32-byte hash output)
T.5: sapling_digest (32-byte hash output)
The personalization field of this hash is unmodified from ZIP 244.
2: ``tze_digest``
'''''''''''''''''
A BLAKE2b-256 hash of the following values ::
T.2a: tzein_digest (32-byte hash)
T.2b: tzeout_digest (32-byte hash)
The personalization field of this hash is set to::
"ZTxIdTZE____Hash" (4 underscore characters)
2a: tzein_digest
................
A BLAKE2b-256 hash of all TZE inputs to the transaction, excluding witness data.
For each TZE input, the following values are appended to this hash::
2a.i: extension_id (CompactSize field encoding)
2a.ii: mode (CompactSize field encoding)
The personalization field of this hash is set to::
"ZTxIdTZEIns_Hash" (1 underscore character)
2a: tzeout_digest
.................
A BLAKE2b-256 hash of the field encoding of all TZE outputs
belonging to the transaction.
The personalization field of this hash is set to::
"ZTxIdTzeOutsHash"
Signature Digest
----------------
The signature digest creation algorithm defined by ZIP 244 [#zip-0244]_ is modified to
include a new branch for TZE hashes. The ``tze_digest`` branch is the only new addition
to the tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and
``sapling_digest`` are as in ZIP 244::
signature_digest
├── header_digest
├── transparent_digest
├── tze_digest
│   ├── tzein_digest
│   └── tzeout_digest
├── sprout_digest
└── sapling_digest
signature_digest
````````````````
A BLAKE2b-256 hash of the following values ::
S.1: header_digest (32-byte hash output)
S.2: transparent_digest (32-byte hash output)
S.3: tze_digest (32-byte hash output)
S.4: sprout_digest (32-byte hash output)
S.5: sapling_digest (32-byte hash output)
The personalization field of this hash is set to::
"ZcashTxHash_" || CONSENSUS_BRANCH_ID
``ZcashTxHash_`` has 1 underscore character.
This value must have the same personalization as the top hash of the transaction
identifier digest tree, in order to make it possible to sign the transaction id
in the case that there are no transparent inputs.
S.3: tze_digest
'''''''''''''''
This digest is a BLAKE2b-256 hash of the following values of the TZE
input being signed::
S.3a: prevout_digest (field encoding bytes)
S.3b: extension_id (CompactSize field encoding)
S.3c: mode (CompactSize field encoding)
S.3d: payload (arbitrary bytes)
S.3e: value (8-byte little endian value of the output spent by this input)
The personalization field of this hash is set to::
"Zcash__TzeInHash" (2 underscore characters)
Authorizing Data Commitment
---------------------------
The tree of hashes defined by ZIP 244 [#zip-0244]_ for authorizing data commitments is
re-structured to include a new branch for TZE hashes. The ``tze_witnesses_digest`` branch
is the only new addition to the tree; ``transparent_auth_digest``, ``sprout_auth_digest``,
and ``sapling_auth_digest`` are as in ZIP 244::
auth_digest
├── transparent_scripts_digest
├── tze_witnesses_digest
├── sprout_auth_digest
└── sapling_auth_digest
auth_digest
```````````
The top hash of the ``auth_digest`` tree is modified from the ZIP 244 structure
to be a BLAKE2b-256 hash of the following values ::
A.1: transparent_scripts_digest (32-byte hash output)
A.2: tze_witnesses_digest (32-byte hash output)
A.3: sprout_auth_digest (32-byte hash output)
A.4: sapling_auth_digest (32-byte hash output)
The personalization field of this hash is unmodified from ZIP 244.
2: tze_witnesses_digest
```````````````````````
A BLAKE2b-256 hash of the field encoding of the witness ``payload`` data associated
with each TZE input belonging to the transaction.
The personalization field of this hash is set to::
"ZTxAuthTZE__Hash" (2 underscore characters)
Reference implementation
========================
- https://github.com/zcash/librustzcash/pull/319/files
References
==========
.. [#RFC2119] `RFC 2119: Key words for use in RFCs to Indicate Requirement Levels <https://www.rfc-editor.org/rfc/rfc2119.html>`_
.. [#zip-0200] `ZIP 200: Network Upgrade Mechanism <zip-0200.rst>`_
.. [#zip-0222] `ZIP 222: Transparent Zcash Extensions <zip-0222.rst>`_
.. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability <zip-0244.rst>`_
Reference in New Issue View Git Blame Copy Permalink