Merge pull request #72 from zcash-hackworks/zip_244_coinbase

Update ZIP 244 test vectors to reflect changes in coinbase transaction signatures.
This commit is contained in:
str4d 2022-01-31 21:55:04 +00:00 committed by GitHub
commit 5d6b92cd5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 132 additions and 56 deletions

File diff suppressed because one or more lines are too long

View File

@ -149,9 +149,10 @@ def tv_part_rust(name, value, config, indent=3):
elif type(value) == int: elif type(value) == int:
tv_int_rust(name, value, pad) tv_int_rust(name, value, pad)
elif type(value) == list: elif type(value) == list:
print('''%s%s: [''' % ( print('''%s%s: %s[''' % (
pad, pad,
name, name,
'vec!' if config['rust_type'].startswith('Vec<') else '',
)) ))
for item in value: for item in value:
if 'Vec<u8>' in config['rust_type']: if 'Vec<u8>' in config['rust_type']:

View File

@ -11,7 +11,7 @@ from .sapling.jubjub import (
Point, Point,
Fr as JubjubScalar, Fr as JubjubScalar,
) )
from .utils import leos2ip from .utils import leos2ip, i2leosp
from .zc_utils import write_compact_size from .zc_utils import write_compact_size
MAX_MONEY = 21000000 * 100000000 MAX_MONEY = 21000000 * 100000000
@ -160,6 +160,8 @@ class OutputDescription(object):
class OrchardActionDescription(object): class OrchardActionDescription(object):
def __init__(self, rand): def __init__(self, rand):
# We don't need to take account of whether this is a coinbase transaction,
# because we're only generating random fields.
self.cv = pallas_group_hash(b'TVRandPt', rand.b(32)) self.cv = pallas_group_hash(b'TVRandPt', rand.b(32))
self.nullifier = PallasBase(leos2ip(rand.b(32))) self.nullifier = PallasBase(leos2ip(rand.b(32)))
self.rk = pallas_group_hash(b'TVRandPt', rand.b(32)) self.rk = pallas_group_hash(b'TVRandPt', rand.b(32))
@ -220,11 +222,40 @@ RAND_OPCODES = [
] ]
class Script(object): class Script(object):
def __init__(self, rand): def __init__(self, rand=None):
if rand is not None:
self._script = bytes([ self._script = bytes([
rand.a(RAND_OPCODES) for i in range(rand.i8() % 10) rand.a(RAND_OPCODES) for i in range(rand.i8() % 10)
]) ])
@staticmethod
def from_bytes(b):
script = Script()
script._script = b
return script
@staticmethod
def coinbase_from_height(height):
assert height >= 0
if height == 0:
enc_height = b'\x00'
elif height <= 16:
enc_height = bytes([0x50 + height])
elif height <= 0x7F:
enc_height = b'\x01' + i2leosp( 8, height)
elif height <= 0x7FFF:
enc_height = b'\x02' + i2leosp(16, height)
elif height <= 0x7FFFFF:
enc_height = b'\x03' + i2leosp(24, height)
elif height <= 0x7FFFFFFF:
enc_height = b'\x04' + i2leosp(32, height)
else:
assert height <= 0x7FFFFFFFFF
enc_height = b'\x05' + i2leosp(40, height)
# zcashd adds an OP_0
return Script.from_bytes(enc_height + b'\x00')
def raw(self): def raw(self):
return self._script return self._script
@ -233,20 +264,37 @@ class Script(object):
class OutPoint(object): class OutPoint(object):
def __init__(self, rand): def __init__(self, rand=None):
if rand is not None:
self.txid = rand.b(32) self.txid = rand.b(32)
self.n = rand.u32() self.n = rand.u32()
@staticmethod
def from_components(txid, n):
outpoint = OutPoint()
outpoint.txid = txid
outpoint.n = n
return outpoint
def __bytes__(self): def __bytes__(self):
return self.txid + struct.pack('<I', self.n) return self.txid + struct.pack('<I', self.n)
class TxIn(object): class TxIn(object):
def __init__(self, rand): def __init__(self, rand=None):
if rand is not None:
self.prevout = OutPoint(rand) self.prevout = OutPoint(rand)
self.scriptSig = Script(rand) self.scriptSig = Script(rand)
self.nSequence = rand.u32() self.nSequence = rand.u32()
@staticmethod
def from_components(prevout, scriptSig, nSequence):
txin = TxIn()
txin.prevout = prevout
txin.scriptSig = scriptSig
txin.nSequence = nSequence
return txin
def __bytes__(self): def __bytes__(self):
return ( return (
bytes(self.prevout) + bytes(self.prevout) +
@ -372,6 +420,7 @@ class TransactionV5(object):
have_transparent_out = (flip_coins >> 1) % 2 have_transparent_out = (flip_coins >> 1) % 2
have_sapling = (flip_coins >> 2) % 2 have_sapling = (flip_coins >> 2) % 2
have_orchard = (flip_coins >> 3) % 2 have_orchard = (flip_coins >> 3) % 2
is_coinbase = (not have_transparent_in) and (flip_coins >> 4) % 2
# Common Transaction Fields # Common Transaction Fields
self.nVersionGroupId = NU5_VERSION_GROUP_ID self.nVersionGroupId = NU5_VERSION_GROUP_ID
@ -385,6 +434,11 @@ class TransactionV5(object):
if have_transparent_in: if have_transparent_in:
for _ in range((rand.u8() % 3) + 1): for _ in range((rand.u8() % 3) + 1):
self.vin.append(TxIn(rand)) self.vin.append(TxIn(rand))
if is_coinbase:
self.vin.append(TxIn.from_components(
OutPoint.from_components(b'\x00' * 32, 0xFFFFFFFF),
Script.coinbase_from_height(self.nExpiryHeight),
0xFFFFFFFF))
if have_transparent_out: if have_transparent_out:
for _ in range((rand.u8() % 3) + 1): for _ in range((rand.u8() % 3) + 1):
self.vout.append(TxOut(rand)) self.vout.append(TxOut(rand))
@ -394,8 +448,11 @@ class TransactionV5(object):
self.vOutputsSapling = [] self.vOutputsSapling = []
if have_sapling: if have_sapling:
self.anchorSapling = Fq(leos2ip(rand.b(32))) self.anchorSapling = Fq(leos2ip(rand.b(32)))
# We use the randomness unconditionally here to avoid unnecessary test vector changes.
for _ in range(rand.u8() % 3): for _ in range(rand.u8() % 3):
self.vSpendsSapling.append(SpendDescription(rand, self.anchorSapling)) spend = SpendDescription(rand, self.anchorSapling)
if not is_coinbase:
self.vSpendsSapling.append(spend)
for _ in range(rand.u8() % 3): for _ in range(rand.u8() % 3):
self.vOutputsSapling.append(OutputDescription(rand)) self.vOutputsSapling.append(OutputDescription(rand))
self.valueBalanceSapling = rand.u64() % (MAX_MONEY + 1) self.valueBalanceSapling = rand.u64() % (MAX_MONEY + 1)
@ -411,6 +468,9 @@ class TransactionV5(object):
for _ in range(rand.u8() % 5): for _ in range(rand.u8() % 5):
self.vActionsOrchard.append(OrchardActionDescription(rand)) self.vActionsOrchard.append(OrchardActionDescription(rand))
self.flagsOrchard = rand.u8() & 3 # Only two flag bits are currently defined. self.flagsOrchard = rand.u8() & 3 # Only two flag bits are currently defined.
if is_coinbase:
# set enableSpendsOrchard = 0
self.flagsOrchard &= 2
self.valueBalanceOrchard = rand.u64() % (MAX_MONEY + 1) self.valueBalanceOrchard = rand.u64() % (MAX_MONEY + 1)
self.anchorOrchard = PallasBase(leos2ip(rand.b(32))) self.anchorOrchard = PallasBase(leos2ip(rand.b(32)))
self.proofsOrchard = rand.b(rand.u8() + 32) # Proof will always contain at least one element self.proofsOrchard = rand.b(rand.u8() + 32) # Proof will always contain at least one element
@ -420,9 +480,15 @@ class TransactionV5(object):
# v^balanceOrchard is defined to be 0. # v^balanceOrchard is defined to be 0.
self.valueBalanceOrchard = 0 self.valueBalanceOrchard = 0
assert is_coinbase == self.is_coinbase()
def version_bytes(self): def version_bytes(self):
return NU5_TX_VERSION | (1 << 31) return NU5_TX_VERSION | (1 << 31)
def is_coinbase(self):
# <https://github.com/zcash/zcash/blob/d8c818bfa507adb845e527f5beb38345c490b330/src/primitives/transaction.h#L969-L972>
return len(self.vin) == 1 and bytes(self.vin[0].prevout.txid) == b'\x00'*32 and self.vin[0].prevout.n == 0xFFFFFFFF
# TODO: Update ZIP 225 to document endianness # TODO: Update ZIP 225 to document endianness
def __bytes__(self): def __bytes__(self):
ret = b'' ret = b''

View File

@ -240,9 +240,15 @@ def signature_digest(tx, t_inputs, nHashType, txin):
return digest.digest() return digest.digest()
def transparent_sig_digest(tx, t_inputs, nHashType, txin): def transparent_sig_digest(tx, t_inputs, nHashType, txin):
digest = blake2b(digest_size=32, person=b'ZTxIdTranspaHash') # If we are producing a hash for either a coinbase transaction, or a
# non-coinbase transaction that has no transparent inputs, the value of
# ``transparent_sig_digest`` is identical to the value specified in section
# T.2 <https://zips.z.cash/zip-0244#t-2-transparent-digest>.
if len(tx.vin) + len(tx.vout) > 0: if tx.is_coinbase() or len(tx.vin) == 0:
return transparent_digest(tx)
else:
digest = blake2b(digest_size=32, person=b'ZTxIdTranspaHash')
digest.update(hash_type(tx, nHashType, txin)) digest.update(hash_type(tx, nHashType, txin))
digest.update(prevouts_sig_digest(tx, nHashType)) digest.update(prevouts_sig_digest(tx, nHashType))
digest.update(amounts_sig_digest(t_inputs, nHashType)) digest.update(amounts_sig_digest(t_inputs, nHashType))
@ -350,10 +356,13 @@ def main():
txid = txid_digest(tx) txid = txid_digest(tx)
auth = auth_digest(tx) auth = auth_digest(tx)
# Generate amounts and scriptCodes for each transparent input. # Generate amounts and scriptCodes for each non-dummy transparent input.
if tx.is_coinbase():
t_inputs = []
else:
t_inputs = [TransparentInput(nIn, rand) for nIn in range(len(tx.vin))] t_inputs = [TransparentInput(nIn, rand) for nIn in range(len(tx.vin))]
# If there are any transparent inputs, derive a corresponding transparent sighash. # If there are any non-dummy transparent inputs, derive a corresponding transparent sighash.
if len(t_inputs) > 0: if len(t_inputs) > 0:
txin = rand.a(t_inputs) txin = rand.a(t_inputs)
else: else:
@ -400,9 +409,9 @@ def main():
('tx', {'rust_type': 'Vec<u8>', 'bitcoin_flavoured': False}), ('tx', {'rust_type': 'Vec<u8>', 'bitcoin_flavoured': False}),
('txid', '[u8; 32]'), ('txid', '[u8; 32]'),
('auth_digest', '[u8; 32]'), ('auth_digest', '[u8; 32]'),
('amounts', '[i64; %d]' % len(t_inputs)), ('amounts', {'rust_type': 'Vec<i64>'}),
('script_pubkeys', { ('script_pubkeys', {
'rust_type': '[Vec<u8>; %d]' % len(t_inputs), 'rust_type': 'Vec<Vec<u8>>',
'bitcoin_flavoured': False, 'bitcoin_flavoured': False,
}), }),
('transparent_input', { ('transparent_input', {