::

  ZIP: 245
  Title: Transaction Identifier Digests & Signature Validation for Transparent Zcash Extensions
  Owners: Kris Nuttycombe <kris@electriccoin.co>
  Status: Reserved
  Category: Consensus
  Discussions-To: <https://github.com/zcash/zips/issues/384>

Terminology
===========

The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. [#RFC2119]_

The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as
described in ZIP 200. [#zip-0200]_

Abstract
========

This proposal defines changes to ZIP 244 [#zip-0244]_ transaction id and signature digest
algorithms to accommodate the inclusion of transparent Zcash extensions (TZEs)
as defined in ZIP 222 [#zip-0222]_.

Specification
=============

TxId Digest
-----------

The tree of hashes defined by ZIP 244 [#zip-0244]_ is re-structured to include a new
branch for TZE hashes. The ``tze_digest`` branch is the only new addition to the
tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and ``sapling_digest``
are as in ZIP 244::

  txid_digest
  ├── header_digest
  ├── transparent_digest
  ├── tze_digest
  │   ├── tzein_digest
  │   └── tzeout_digest
  ├── sprout_digest
  └── sapling_digest

``txid_digest``
```````````````
The top hash of the ``txid_digest`` tree is modified from the ZIP 244 structure
to be a BLAKE2b-256 hash of the following values ::

  * ``header_digest`` (32-byte hash output)
  * ``transparent_digest`` (32-byte hash output)
  * ``tze_digest`` (32-byte hash output)
  * ``sprout_digest`` (32-byte hash output)
  * ``sapling_digest`` (32-byte hash output)

The personalization field of this hash is unmodified from ZIP 244.

2: ``tze_digest``
'''''''''''''''''
A BLAKE2b-256 hash of the following values ::

  * 2a. ``tzein_digest`` (32-byte hash)
  * 2b. ``tzeout_digest`` (32-byte hash)

The personalization field of this hash is set to::

  "ZTxIdTZE____Hash" (4 underscore characters)

2a: ``tzein_digest``
....................
A BLAKE2b-256 hash of all TZE inputs to the transaction, excluding witness data.
For each TZE input, the following values are appended to this hash::

  * 2a.i. the field encoding of the CompactSize representation
    of the TZE extension id for the input.
  * 2a.ii. the field encoding of the CompactSize representation
    of the TZE mode for the input.

The personalization field of this hash is set to::

  "ZTxIdTZEIns_Hash" (1 underscore character)

2b: ``tzeout_digest``
.....................
A BLAKE2b-256 hash of the field encoding of all TZE outputs
belonging to the transaction.

The personalization field of this hash is set to::

  "ZTxIdTzeOutsHash"

Signature Digest
----------------

The signature digest creation algorithm defined by ZIP 244 [#zip-0244]_ is modified to
include a new branch for TZE hashes. The ``tze_digest`` branch is the only new addition
to the tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and
``sapling_digest`` are as in ZIP 244::

  signature_digest
  ├── header_digest
  ├── transparent_digest
  ├── tze_digest
  │   ├── tzein_digest
  │   └── tzeout_digest
  ├── sprout_digest
  └── sapling_digest

``signature_digest``
````````````````````
A BLAKE2b-256 hash of the following values ::

  * S.1: ``header_digest`` (32-byte hash output)
  * S.2: ``transparent_digest`` (32-byte hash output)
  * S.3: ``tze_digest`` (32-byte hash output)
  * S.4: ``sprout_digest`` (32-byte hash output)
  * S.5: ``sapling_digest`` (32-byte hash output)

The personalization field of this hash is set to::

  "ZcashTxHash_" || CONSENSUS_BRANCH_ID

This value must have the same personalization as the top hash of the transaction
identifier digest tree, in order to make it possible to sign the transaction id
in the case that there are no transparent inputs.

S.3: ``tze_digest``
'''''''''''''''''''
This digest is a BLAKE2b-256 hash of the following values of the TZE
input being signed::

  * S.3a. ``prevout_digest`` (field encoding bytes)
  * S.3b. ``extension_id`` (CompactSize field encoding)
  * S.3c. ``mode`` (CompactSize field encoding)
  * S.3d. ``payload`` (arbitrary bytes)
  * S.3e. ``value`` of the output spent by this input (8-byte little endian)

The personalization field of this hash is set to::

  "Zcash__TzeInHash"

Authorizing Data Commitment
---------------------------

The tree of hashes defined by ZIP 244 [#zip-0244]_ for authorizing data commitments is
re-structured to include a new branch for TZE hashes. The ``tze_digest`` branch is the
only new addition to the tree; ``transparent_digest``, ``sprout_digest``, and
``sapling_digest`` are as in ZIP 244::

  auth_digest
  ├── transparent_scripts_digest
  ├── tze_witnesses_digest
  ├── sprout_sigs_digest
  └── sapling_sigs_digest

``auth_digest``
```````````````
The top hash of the ``auth_digest`` tree is modified from the ZIP 244 structure
to be a BLAKE2b-256 hash of the following values ::

  * ``transparent_scripts_digest`` (32-byte hash output)
  * ``tze_witnesses_digest`` (32-byte hash output)
  * ``sprout_sigs_digest`` (32-byte hash output)
  * ``sapling_sigs_digest`` (32-byte hash output)

The personalization field of this hash is unmodified from ZIP 244.

2: ``tze_witnesses_digest``
```````````````````````````
A BLAKE2b-256 hash of the field encoding of the witness ``payload`` data associated
with each TZE input belonging to the transaction.

The personalization field of this hash is set to::

  "ZTxAuthTZE__Hash" (2 underscore characters)

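The TZE branch of the transaction identifier tree and the ``tze_witnesses_digest`` described above, as an added example that is not part of this ZIP or of the reference implementation. It shows that replacing a TZE witness payload leaves ``txid_digest`` unchanged while ``tze_witnesses_digest`` changes. Assumptions: the dictionary field names and sample values are constructed, witness payloads are length-prefixed with CompactSize, TZE outputs are supplied as already-encoded bytes, and ``CONSENSUS_BRANCH_ID`` is the 4-byte little-endian encoding used by ZIP 244.

```python
import hashlib
import struct

def blake2b_256(person: bytes, data: bytes) -> bytes:
    """BLAKE2b-256 with a 16-byte personalization string."""
    if len(person) != 16:
        raise ValueError("personalization must be exactly 16 bytes")
    return hashlib.blake2b(data, digest_size=32, person=person).digest()

def compact_size(n: int) -> bytes:
    """Bitcoin-style CompactSize encoding of an unsigned integer."""
    if n < 0xFD:
        return struct.pack("<B", n)
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)

def tzein_digest(inputs) -> bytes:
    # Per 2a: extension id and mode of each input; witness data is excluded.
    data = b"".join(compact_size(i["extension_id"]) + compact_size(i["mode"]) for i in inputs)
    return blake2b_256(b"ZTxIdTZEIns_Hash", data)

def tzeout_digest(encoded_outputs) -> bytes:
    # Assumption: outputs arrive already field-encoded (encoding defined in ZIP 222).
    return blake2b_256(b"ZTxIdTzeOutsHash", b"".join(encoded_outputs))

def tze_digest(inputs, encoded_outputs) -> bytes:
    return blake2b_256(b"ZTxIdTZE____Hash", tzein_digest(inputs) + tzeout_digest(encoded_outputs))

def txid_digest(branch_id, header, transparent, tze, sprout, sapling) -> bytes:
    # Top-level personalization: "ZcashTxHash_" || 4-byte little-endian branch id.
    person = b"ZcashTxHash_" + struct.pack("<I", branch_id)
    return blake2b_256(person, header + transparent + tze + sprout + sapling)

def tze_witnesses_digest(inputs) -> bytes:
    # Assumption: each witness payload is encoded as CompactSize(length) || bytes.
    data = b"".join(compact_size(len(i["witness"])) + i["witness"] for i in inputs)
    return blake2b_256(b"ZTxAuthTZE__Hash", data)

# Constructed sample data: placeholder sibling digests and one TZE input/output.
BRANCH_ID = 0xFFFFFFFF                # placeholder, not a real consensus branch id
ZERO = bytes(32)                      # stands in for the non-TZE sibling digests
OUTS = [bytes.fromhex("0102030405")]  # opaque, constructed "encoded output"

def demo(witness: bytes):
    ins = [{"extension_id": 0, "mode": 1, "witness": witness}]
    txid = txid_digest(BRANCH_ID, ZERO, ZERO, tze_digest(ins, OUTS), ZERO, ZERO)
    return txid, tze_witnesses_digest(ins)
```
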
Reference implementation
========================

- https://github.com/zcash/librustzcash/pull/319/files

References
==========

.. [#RFC2119] `RFC 2119: Key words for use in RFCs to Indicate Requirement Levels <https://www.rfc-editor.org/rfc/rfc2119.html>`_
.. [#zip-0200] `ZIP 200: Network Upgrade Activation Mechanism <zip-0200.rst>`_
.. [#zip-0222] `ZIP 222: Transparent Zcash Extensions <zip-0222.rst>`_
.. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability <zip-0244.rst>`_