zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Clean up HTML rendering of the RST.

This commit is contained in:
Kris Nuttycombe 2021-01-26 15:29:24 -07:00
parent e3729e8e7c
commit 3bc233bafb
4 changed files with 311 additions and 315 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

200
zip-0244.html
View File

@ -63,116 +63,116 @@ Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/411">https://g
│   └── sapling_outputs_noncompact_digest
  └── valueBalance</pre>
<p>Each node written as <code>snake_case</code> in this tree is a BLAKE2b-256 hash of its children, initialized with a personalization string specific to that branch of the tree. Nodes that are not themselves digests are written in <code>camelCase</code>. In the specification below, nodes of the tree are presented in depth-first order.</p>
<section id="id3"><h5><span class="section-heading"><code>txid_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#id3"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<section id="id3"><h5><span class="section-heading">txid_digest</span><span class="section-anchor"> <a rel="bookmark" href="#id3"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>* T.1: ``header_digest`` (32-byte hash output)
* T.2: ``transparent_digest`` (32-byte hash output)
* T.3: ``sprout_digest (32-byte hash output)
* T.4: ``sapling_digest (32-byte hash output)</pre>
<pre>T.1: header_digest (32-byte hash output)
T.2: transparent_digest (32-byte hash output)
T.3: sprout_digest (32-byte hash output)
T.4: sapling_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZcashTxHash_" || CONSENSUS_BRANCH_ID</pre>
<p>As in ZIP 143 <a id="id4" class="footnote_reference" href="#zip-0143">5</a>, CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the transaction. Domain separation of the transaction id hash across parallel consensus branches provides replay protection: transactions targeted for one consensus branch will not have the same transaction identifier on other consensus branches.</p>
<section id="t-1-header-digest"><h6><span class="section-heading">T.1: <code>header_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-1-header-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="t-1-header-digest"><h6><span class="section-heading">T.1: header_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-1-header-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>* T.1a. ``version`` (4-byte little-endian version identifier including overwinter flag)
* T.1b. ``version_group_id`` (4-byte little-endian version group identifier)
* T.1c. ``consensus_branch_id`` (4-byte little-endian consensus branch id)
* T.1d. ``lock_time`` (4-byte little-endian nLockTime value)
* T.1e. ``expiry_height`` (4-byte little-endian block height)</pre>
<pre>T.1a: version (4-byte little-endian version identifier including overwinter flag)
T.1b: version_group_id (4-byte little-endian version group identifier)
T.1c: consensus_branch_id (4-byte little-endian consensus branch id)
T.1d: lock_time (4-byte little-endian nLockTime value)
T.1e: expiry_height (4-byte little-endian block height)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdHeadersHash"</pre>
</section>
<section id="t-2-transparent-digest"><h6><span class="section-heading">T.2: <code>transparent_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-2-transparent-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="t-2-transparent-digest"><h6><span class="section-heading">T.2: transparent_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-2-transparent-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>* T.2a. ``prevouts_digest`` (32-byte hash)
* T.2b. ``sequence_digest`` (32-byte hash)
* T.2c. ``outputs_digest`` (32-byte hash)</pre>
<pre>T.2a: prevouts_digest (32-byte hash)
T.2b: sequence_digest (32-byte hash)
T.2c: outputs_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdTranspaHash"</pre>
<section id="t-2a-prevouts-digest"><h7><span class="section-heading">T.2a: <code>prevouts_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-2a-prevouts-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="t-2a-prevouts-digest"><h7><span class="section-heading">T.2a: prevouts_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-2a-prevouts-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the field encoding of all <code>outpoint</code> field values of transparent inputs to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdPrevoutHash"</pre>
</section>
<section id="t-2b-sequence-digest"><h7><span class="section-heading">T.2b: <code>sequence_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-2b-sequence-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="t-2b-sequence-digest"><h7><span class="section-heading">T.2b: sequence_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-2b-sequence-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the 32-bit little-endian representation of all <code>nSequence</code> field values of transparent inputs to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSequencHash"</pre>
</section>
<section id="t-2c-outputs-digest"><h7><span class="section-heading">T.2c: <code>outputs_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-2c-outputs-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="t-2c-outputs-digest"><h7><span class="section-heading">T.2c: outputs_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-2c-outputs-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the field encodings of all <code>prevout</code> field values of transparent inputs belonging to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdOutputsHash"</pre>
</section>
</section>
<section id="t-3-sprout-digest"><h6><span class="section-heading">T.3: <code>sprout_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-3-sprout-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="t-3-sprout-digest"><h6><span class="section-heading">T.3: sprout_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-3-sprout-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the non-authorizing components of Sprout <code>JSDescription</code> values belonging to the transaction. For each <code>JSDescription</code>, the following elements are appended to the hash</p>
<pre>* T.3a. ``vpub_old`` (8-byte signed little-endian)
* T.3b. ``vpub_new`` (8-byte signed little-endian)
* T.3c. ``anchor`` (32 bytes)
* T.3d. ``nullifiers`` (2 x 32 bytes)
* T.3e. ``commitments`` (2 x 32 bytes)
* T.3f. ``ephemeral_key`` (32 bytes)
* T.3g. ``random_seed`` (32 bytes)
* T.3h. ``macs`` (2 x 32 bytes)
* T.3i. ``ciphertexts`` (2 x 601 bytes)</pre>
<pre>T.3a: vpub_old (8-byte signed little-endian)
T.3b: vpub_new (8-byte signed little-endian)
T.3c: anchor (32 bytes)
T.3d: nullifiers (2 x 32 bytes)
T.3e: commitments (2 x 32 bytes)
T.3f: ephemeral_key (32 bytes)
T.3g: random_seed (32 bytes)
T.3h: macs (2 x 32 bytes)
T.3i: ciphertexts (2 x 601 bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdJSplitsHash"</pre>
</section>
<section id="t-4-sapling-digest"><h6><span class="section-heading">T.4: <code>sapling_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-4-sapling-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="t-4-sapling-digest"><h6><span class="section-heading">T.4: sapling_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4-sapling-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>The digest of Sapling components is composed of two subtrees which are organized to permit easy interoperability with the <code>CompactBlock</code> representation of Sapling data specified by the ZIP 307 Light Client Protocol <a id="id5" class="footnote_reference" href="#zip-0307">6</a>.</p>
<p>This digest is a BLAKE2b-256 hash of the following values</p>
<pre>* T.4a. ``sapling_spends_digest`` (32-byte hash)
* T.4b. ``sapling_outputs_digest`` (32-byte hash)
* T.4c. ``valueBalance`` (64-bit signed little-endian)</pre>
<pre>T.4a: sapling_spends_digest (32-byte hash)
T.4b: sapling_outputs_digest (32-byte hash)
T.4c: valueBalance (64-bit signed little-endian)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSaplingHash"</pre>
<section id="t-4a-sapling-spends-digest"><h7><span class="section-heading">T.4a: <code>sapling_spends_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-sapling-spends-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="t-4a-sapling-spends-digest"><h7><span class="section-heading">T.4a: sapling_spends_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-sapling-spends-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This digest is a BLAKE2b-256 hash of the following values</p>
<pre>* T.4a.i. ``sapling_spends_compact_digest`` (32-byte hash)
* T.4a.ii. ``sapling_spends_noncompact_digest`` (32-byte hash)</pre>
<pre>T.4a.i: sapling_spends_compact_digest (32-byte hash)
T.4a.ii: sapling_spends_noncompact_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSSpendsHash"</pre>
<section id="t-4a-i-sapling-spends-compact-digest"><h8><span class="section-heading">T.4a.i: <code>sapling_spends_compact_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-i-sapling-spends-compact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<section id="t-4a-i-sapling-spends-compact-digest"><h8><span class="section-heading">T.4a.i: sapling_spends_compact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-i-sapling-spends-compact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the field encoding of all <code>nullifier</code> field values of Sapling shielded spends belonging to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSSpendCHash"</pre>
</section>
<section id="t-4a-ii-sapling-spends-noncompact-digest"><h8><span class="section-heading">T.4a.ii: <code>sapling_spends_noncompact_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-ii-sapling-spends-noncompact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<section id="t-4a-ii-sapling-spends-noncompact-digest"><h8><span class="section-heading">T.4a.ii: sapling_spends_noncompact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-ii-sapling-spends-noncompact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the non-nullifier information for all Sapling shielded spends belonging to the transaction, excluding zkproof data. For each spend, the following elements are included in the hash:</p>
<pre>* T.4a.ii.1 ``cv`` (field encoding bytes)
* T.4a.ii.2 ``anchor`` (field encoding bytes)
* T.4a.ii.3 ``rk`` (field encoding bytes)</pre>
<pre>T.4a.ii.1: cv (field encoding bytes)
T.4a.ii.2: anchor (field encoding bytes)
T.4a.ii.3: rk (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSSpendNHash"</pre>
</section>
</section>
<section id="t-4b-sapling-outputs-digest"><h7><span class="section-heading">T.4b: <code>sapling_outputs_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-4b-sapling-outputs-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="t-4b-sapling-outputs-digest"><h7><span class="section-heading">T.4b: sapling_outputs_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4b-sapling-outputs-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This digest is a BLAKE2b-256 hash of the following values</p>
<pre>* T.4a.i. ``sapling_outputs_compact_digest`` (32-byte hash)
* T.4b.ii. ``sapling_outputs_memos_digest`` (32-byte hash)
* T.4b.iii. ``sapling_outputs_noncompact_digest`` (32-byte hash)</pre>
<pre>T.4a.i: sapling_outputs_compact_digest (32-byte hash)
T.4b.ii: sapling_outputs_memos_digest (32-byte hash)
T.4b.iii: sapling_outputs_noncompact_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutputHash"</pre>
<section id="t-4b-i-sapling-outputs-compact-digest"><h8><span class="section-heading">T.4b.i: <code>sapling_outputs_compact_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-4b-i-sapling-outputs-compact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<section id="t-4b-i-sapling-outputs-compact-digest"><h8><span class="section-heading">T.4b.i: sapling_outputs_compact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4b-i-sapling-outputs-compact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the subset of Sapling output information included in the ZIP-307 <a id="id6" class="footnote_reference" href="#zip-0307">6</a> <code>CompactBlock</code> format for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:</p>
<pre>* T.4b.i.1 ``cmu`` (field encoding bytes)
* T.4b.i.2 ``ephemeral_key`` (field encoding bytes)
* T.4b.i.3 ``enc_ciphertext[..52]`` (First 52 bytes of field encoding)</pre>
<pre>T.4b.i.1: cmu (field encoding bytes)
T.4b.i.2: ephemeral_key (field encoding bytes)
T.4b.i.3: enc_ciphertext[..52] (First 52 bytes of field encoding)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutC__Hash"</pre>
</section>
<section id="t-4a-ii-sapling-outputs-memos-digest"><h8><span class="section-heading">T.4a.ii: <code>sapling_outputs_memos_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-ii-sapling-outputs-memos-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<section id="t-4a-ii-sapling-outputs-memos-digest"><h8><span class="section-heading">T.4a.ii: sapling_outputs_memos_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-ii-sapling-outputs-memos-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the subset of Sapling shielded memo field data for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:</p>
<pre>* T.4b.ii.1 ``enc_ciphertext[52..564] (contents of the encrypted memo field)</pre>
<pre>T.4b.ii.1: enc_ciphertext[52..564] (contents of the encrypted memo field)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutM__Hash"</pre>
</section>
<section id="t-4a-iii-sapling-outputs-noncompact-digest"><h8><span class="section-heading">T.4a.iii: <code>sapling_outputs_noncompact_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-iii-sapling-outputs-noncompact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<section id="t-4a-iii-sapling-outputs-noncompact-digest"><h8><span class="section-heading">T.4a.iii: sapling_outputs_noncompact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-iii-sapling-outputs-noncompact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the remaining subset of Sapling output information <strong>not</strong> included in the ZIP 307 <a id="id7" class="footnote_reference" href="#zip-0307">6</a> <code>CompactBlock</code> format, excluding zkproof data, for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:</p>
<pre>* T.4b.iii.1 ``cv`` (field encoding bytes)
* T.4b.iii.2 ``enc_ciphertext[564..]`` (post-memo suffix of field encoding)
* T.4b.iii.3 ``out_ciphertext`` (field encoding bytes)</pre>
<pre>T.4b.iii.1: cv (field encoding bytes)
T.4b.iii.2: enc_ciphertext[564..] (post-memo suffix of field encoding)
T.4b.iii.3: out_ciphertext (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutN__Hash" (2 underscore characters)</pre>
</section>
@ -188,74 +188,74 @@ Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/411">https://g
├── transparent_digest
├── sprout_digest
└── sapling_digest</pre>
<section id="id9"><h5><span class="section-heading"><code>signature_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#id9"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<section id="id9"><h5><span class="section-heading">signature_digest</span><span class="section-anchor"> <a rel="bookmark" href="#id9"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>* S.1: ``header_digest`` (32-byte hash output)
* S.2: ``transparent_digest`` (32-byte hash output)
* S.3: ``sprout_digest (32-byte hash output)
* S.4: ``sapling_digest (32-byte hash output)</pre>
<pre>S.1: header_digest (32-byte hash output)
S.2: transparent_digest (32-byte hash output)
S.3: sprout_digest (32-byte hash output)
S.4: sapling_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZcashTxHash_" || CONSENSUS_BRANCH_ID</pre>
<p>This value must have the same personalization as the top hash of the transaction identifier digest tree, in order to make it possible to sign the transaction id in the case that there are no transparent inputs.</p>
<section id="s-1-header-digest"><h6><span class="section-heading">S.1: <code>header_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-1-header-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="s-1-header-digest"><h6><span class="section-heading">S.1: header_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-1-header-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to that specified for the transaction identifier.</p>
</section>
<section id="s-2-transparent-digest"><h6><span class="section-heading">S.2: <code>transparent_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-2-transparent-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="s-2-transparent-digest"><h6><span class="section-heading">S.2: transparent_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2-transparent-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>If we are producing a hash for the signature over a transparent input, the value of the digest produced here depends upon the value of a <code>hash_type</code> flag as in ZIP 143 <a id="id10" class="footnote_reference" href="#zip-0143">5</a>.</p>
<p>The construction of each component below depends upon the values of the <code>hash_type</code> flag bits. Each component will be described separately</p>
<p>This digest is a BLAKE2b-256 hash of the following values</p>
<pre>* S.2a. ``prevouts_digest`` (32-byte hash)
* S.2b. ``sequence_digest`` (32-byte hash)
* S.2c. ``outputs_digest`` (32-byte hash)
* S.2d. ``txin_sig_digest`` (32-byte hash)</pre>
<pre>S.2a: prevouts_digest (32-byte hash)
S.2b: sequence_digest (32-byte hash)
S.2c: outputs_digest (32-byte hash)
S.2d: txin_sig_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdTranspaHash"</pre>
<section id="s-2a-prevouts-digest"><h7><span class="section-heading">S.2a: <code>prevouts_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-2a-prevouts-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="s-2a-prevouts-digest"><h7><span class="section-heading">S.2a: prevouts_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2a-prevouts-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash initialized with the personalization field value "ZTxIdPrevoutHash".</p>
<p>If the <code>SIGHASH_ANYONECANPAY</code> flag is not set:</p>
<pre>* identical to the value of ``prevouts_digest`` as specified for the
<pre>identical to the value of ``prevouts_digest`` as specified for the
transaction identifier in section T.2a.</pre>
<p>otherwise:</p>
<pre>* the hash is immediately finalized, without being updated with any
<pre>the hash is immediately finalized, without being updated with any
additional data</pre>
</section>
<section id="s-2b-sequence-digest"><h7><span class="section-heading">S.2b: <code>sequence_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-2b-sequence-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="s-2b-sequence-digest"><h7><span class="section-heading">S.2b: sequence_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2b-sequence-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash initialized with the personalization field value "ZTxIdSequencHash".</p>
<p>If none of the <code>SIGHASH_ANYONECANPAY</code>, <code>SIGHASH_SINGLE</code>, or <code>SIGHASH_NONE</code> flags are set:</p>
<pre>* identical to the value of ``sequence_digest`` as specified for the
<pre>identical to the value of ``sequence_digest`` as specified for the
transaction identifier in section T.2b.</pre>
<p>otherwise:</p>
<pre>* the hash is immediately finalized, without being updated with any
<pre>the hash is immediately finalized, without being updated with any
additional data</pre>
</section>
<section id="s-2c-outputs-digest"><h7><span class="section-heading">S.2c: <code>outputs_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-2c-outputs-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="s-2c-outputs-digest"><h7><span class="section-heading">S.2c: outputs_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2c-outputs-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash initialized with the personalization field value "ZTxIdOutputsHash".</p>
<p>If none of the <code>SIGHASH_SINGLE</code> or <code>SIGHASH_NONE</code> flags are set:</p>
<pre>* identical to the value of ``outputs_digest`` as specified for the
<pre>identical to the value of ``outputs_digest`` as specified for the
transaction identifier in section T.2c.</pre>
<p>If the <code>SIGHASH_SINGLE</code> flag is set and the signature hash is being computed for the transparent input at a particular index, and a transparent output appears in the transaction at that index:</p>
<pre>* the hash is updated with the transaction serialized form of the
<pre>the hash is updated with the transaction serialized form of the
transparent output at that index, and finalized.</pre>
<p>If the <code>SIGHASH_SINGLE</code> flag is set and the signature is being computed for a shielded input, or if the <code>SIGHASH_NONE</code> flag is set:</p>
<pre>* the hash is immediately finalized, without being updated with any
<pre>the hash is immediately finalized, without being updated with any
additional data</pre>
</section>
<section id="s-2d-txin-sig-digest"><h7><span class="section-heading">S.2d: <code>txin_sig_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-2d-txin-sig-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<section id="s-2d-txin-sig-digest"><h7><span class="section-heading">S.2d: txin_sig_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2d-txin-sig-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash initialized with the personalization field value "Zcash___TxInHash" (3 underscores).</p>
<p>If the signature hash is being computed for a transparent input, the hash is updated with the following properties of that input:</p>
<pre>* S.2d.i. ``prevout`` (field encoding)
* S.2d.ii. ``script_code`` (field encoding)
* S.2d.iii. ``value`` (8-byte signed little-endian)
* S.2d.iv. ``nSequence`` (4-byte unsigned little-endian)</pre>
<pre>S.2d.i: prevout (field encoding)
S.2d.ii: script_code (field encoding)
S.2d.iii: value (8-byte signed little-endian)
S.2d.iv: nSequence (4-byte unsigned little-endian)</pre>
<p>otherwise:</p>
<pre>* the hash is immediately finalized, without being updated with any
<pre>the hash is immediately finalized, without being updated with any
additional data</pre>
</section>
</section>
<section id="s-3-sprout-digest"><h6><span class="section-heading">S.3: <code>sprout_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-3-sprout-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="s-3-sprout-digest"><h6><span class="section-heading">S.3: sprout_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-3-sprout-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to that specified for the transaction identifier.</p>
</section>
<section id="s-4-sapling-digest"><h6><span class="section-heading">S.4: <code>sapling_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-4-sapling-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="s-4-sapling-digest"><h6><span class="section-heading">S.4: sapling_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-4-sapling-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to that specified for the transaction identifier.</p>
</section>
</section>
@ -267,31 +267,31 @@ Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/411">https://g
</blockquote>
<p>Each node written as <code>snake_case</code> in this tree is a BLAKE2b-256 hash of authorizing data of the transaction.</p>
<p>The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.</p>
<section id="auth-digest"><h5><span class="section-heading"><code>auth_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<section id="auth-digest"><h5><span class="section-heading">auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>* ``transparent_scripts_digest`` (32-byte hash output)
* ``sprout_auth_digest (32-byte hash output)
* ``sapling_auth_digest (32-byte hash output)</pre>
<pre>A1: transparent_scripts_digest (32-byte hash output)
A2: sprout_auth_digest (32-byte hash output)
A3: sapling_auth_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthHash_" || CONSENSUS_BRANCH_ID</pre>
<section id="a-1-transparent-scripts-digest"><h6><span class="section-heading">A.1: <code>transparent_scripts_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#a-1-transparent-scripts-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="a-1-transparent-scripts-digest"><h6><span class="section-heading">A.1: transparent_scripts_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-1-transparent-scripts-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the field encoding of the Bitcoin script associated with each transparent input belonging to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthTransHash"</pre>
</section>
<section id="a-2-sprout-auth-digest"><h6><span class="section-heading">A.2: <code>sprout_auth_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#a-2-sprout-auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="a-2-sprout-auth-digest"><h6><span class="section-heading">A.2: sprout_auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-2-sprout-auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the field encoding of the <code>zkproof</code> values of each <code>JSDescription</code> belonging to the transaction, followed by the <code>joinsplit_pubkey</code> and <code>joinsplit_sig</code>:</p>
<pre>* A.2a. ``zkproofs`` (field encoding bytes)
* A.2b. ``joinsplit_pubkey``
* A.2b. ``joinsplit_sig``</pre>
<pre>A.2a: zkproofs (field encoding bytes)
A.2b: joinsplit_pubkey (field encoding bytes)
A.2b: joinsplit_sig (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthSprouHash"</pre>
</section>
<section id="a-3-sapling-auth-digest"><h6><span class="section-heading">A.3: <code>sapling_auth_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#a-3-sapling-auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="a-3-sapling-auth-digest"><h6><span class="section-heading">A.3: sapling_auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-3-sapling-auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the field encoding of the Sapling zkproof values of each Sapling spend description and output description belonging to the transaction, followed by the field encoding of the binding signature</p>
<pre>* A.3a. ``spend_zkproofs`` (field encoding bytes)
* A.3b. ``output_zkproofs`` (field encoding bytes)
* A.3c. ``binding_sig``</pre>
<pre>A.3a: spend_zkproofs (field encoding bytes)
A.3b: output_zkproofs (field encoding bytes)
A.3c: binding_sig (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthSapliHash"</pre>
</section>
@ -302,11 +302,11 @@ Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/411">https://g
<p>The nonmalleable transaction identifier specified by this ZIP will be used in the place of the current malleable transaction identifier within the Merkel tree committed to by the <code>hashMerkleRoot</code> value. However, this change now means that <code>hashMerkleRoot</code> is not sufficient to fully commit to the transaction data, including witnesses, that appear within the block.</p>
<p>As a consequence, we now need to add a new commitment to the block header. This commitment will be the root of a Merkle tree that has parallel structure to the tree committed to by <code>hashMerkleRoot</code> (a path through this merkle tree to a transaction identifies the same transaction as that path reaches in the tree rooted at <code>hashMerkleRoot</code>) but where the leaves are hashes produced according to the <cite>Authorizing Data Commitment</cite> part of this specification.</p>
<p>This new commitment is named <code>hashAuthDataRoot</code> and is the root of a left-dense binary merkle tree of transaction authorizing data commitments. Empty internal nodes and leaves in the merkle tree (nodes without children) have the "null" hash value <code>[0u8; 32]</code>. Hashes in this tree are BLAKE2b-256 hashes personalized by the string <code>"ZcashAuthDatHash"</code>.</p>
<p>Changing the block header format to allow space for an additional commitment is somewhat invasive. Instead, the name and meaning of the <code>hashLightClientRoot</code> field is changed.</p>
<p>Changing the block header format to allow space for an additional commitment is somewhat invasive. Instead, the name and meaning of the <code>hashLightClientRoot</code> field, described in ZIP 221 <a id="id11" class="footnote_reference" href="#zip-0221">3</a>, is changed.</p>
<p><code>hashLightClientRoot</code> is renamed to <code>hashBlockCommitments</code>. The value of this hash is the BLAKE2b-256 hash personalized by the string <code>"ZcashBlockCommit"</code> of the following elements:</p>
<pre>* ``hashLightClientRoot`` as described in ZIP 221 [#zip-0221]_
* ``hashAuthDataRoot``
* ``terminator`` [0u8;32]</pre>
<pre>hashLightClientRoot (as described in ZIP 221)
hashAuthDataRoot (as described below)
terminator [0u8;32]</pre>
<p>This representation treats the <code>hashBlockCommitments</code> value as a linked list of hashes terminated by arbitrary data. In the case of protocol upgrades where additional commitments need to be included in the block header, it is possible to replace this terminator with the hash of a newly defined structure which ends in a similar terminator. Fully validating nodes MUST always use the entire structure defined by the latest activated protocol version that they support.</p>
<p>The linked structure of this hash is intended to provide extensibility for use by light clients which may be connected to a third-party server that supports a later protocol version. Such a third party SHOULD provide a value that can be used instead of the all-zeros terminator to permit the light client to perform validation of the parts of the structure it needs.</p>
</section>

256
zip-0244.rst
View File

@ -131,14 +131,14 @@ children, initialized with a personalization string specific to that branch
of the tree. Nodes that are not themselves digests are written in ``camelCase``.
In the specification below, nodes of the tree are presented in depth-first order.
``txid_digest``
---------------
txid_digest
-----------
A BLAKE2b-256 hash of the following values ::
* T.1: ``header_digest`` (32-byte hash output)
* T.2: ``transparent_digest`` (32-byte hash output)
* T.3: ``sprout_digest (32-byte hash output)
* T.4: ``sapling_digest (32-byte hash output)
T.1: header_digest (32-byte hash output)
T.2: transparent_digest (32-byte hash output)
T.3: sprout_digest (32-byte hash output)
T.4: sapling_digest (32-byte hash output)
The personalization field of this hash is set to::
@ -150,34 +150,34 @@ separation of the transaction id hash across parallel consensus branches provide
protection: transactions targeted for one consensus branch will not have the same
transaction identifier on other consensus branches.
T.1: ``header_digest``
``````````````````````
T.1: header_digest
``````````````````
A BLAKE2b-256 hash of the following values ::
* T.1a. ``version`` (4-byte little-endian version identifier including overwinter flag)
* T.1b. ``version_group_id`` (4-byte little-endian version group identifier)
* T.1c. ``consensus_branch_id`` (4-byte little-endian consensus branch id)
* T.1d. ``lock_time`` (4-byte little-endian nLockTime value)
* T.1e. ``expiry_height`` (4-byte little-endian block height)
T.1a: version (4-byte little-endian version identifier including overwinter flag)
T.1b: version_group_id (4-byte little-endian version group identifier)
T.1c: consensus_branch_id (4-byte little-endian consensus branch id)
T.1d: lock_time (4-byte little-endian nLockTime value)
T.1e: expiry_height (4-byte little-endian block height)
The personalization field of this hash is set to::
"ZTxIdHeadersHash"
T.2: ``transparent_digest``
```````````````````````````
T.2: transparent_digest
```````````````````````
A BLAKE2b-256 hash of the following values ::
* T.2a. ``prevouts_digest`` (32-byte hash)
* T.2b. ``sequence_digest`` (32-byte hash)
* T.2c. ``outputs_digest`` (32-byte hash)
T.2a: prevouts_digest (32-byte hash)
T.2b: sequence_digest (32-byte hash)
T.2c: outputs_digest (32-byte hash)
The personalization field of this hash is set to::
"ZTxIdTranspaHash"
T.2a: ``prevouts_digest``
'''''''''''''''''''''''''
T.2a: prevouts_digest
'''''''''''''''''''''
A BLAKE2b-256 hash of the field encoding of all ``outpoint``
field values of transparent inputs to the transaction.
@ -185,8 +185,8 @@ The personalization field of this hash is set to::
"ZTxIdPrevoutHash"
T.2b: ``sequence_digest``
'''''''''''''''''''''''''
T.2b: sequence_digest
'''''''''''''''''''''
A BLAKE2b-256 hash of the 32-bit little-endian representation of all ``nSequence``
field values of transparent inputs to the transaction.
@ -194,8 +194,8 @@ The personalization field of this hash is set to::
"ZTxIdSequencHash"
T.2c: ``outputs_digest``
''''''''''''''''''''''''
T.2c: outputs_digest
''''''''''''''''''''
A BLAKE2b-256 hash of the field encodings of all ``prevout`` field values of
transparent inputs belonging to the transaction.
@ -203,55 +203,55 @@ The personalization field of this hash is set to::
"ZTxIdOutputsHash"
T.3: ``sprout_digest``
``````````````````````
T.3: sprout_digest
``````````````````
A BLAKE2b-256 hash of the non-authorizing components of Sprout ``JSDescription`` values
belonging to the transaction. For each ``JSDescription``, the following elements are
appended to the hash ::
* T.3a. ``vpub_old`` (8-byte signed little-endian)
* T.3b. ``vpub_new`` (8-byte signed little-endian)
* T.3c. ``anchor`` (32 bytes)
* T.3d. ``nullifiers`` (2 x 32 bytes)
* T.3e. ``commitments`` (2 x 32 bytes)
* T.3f. ``ephemeral_key`` (32 bytes)
* T.3g. ``random_seed`` (32 bytes)
* T.3h. ``macs`` (2 x 32 bytes)
* T.3i. ``ciphertexts`` (2 x 601 bytes)
T.3a: vpub_old (8-byte signed little-endian)
T.3b: vpub_new (8-byte signed little-endian)
T.3c: anchor (32 bytes)
T.3d: nullifiers (2 x 32 bytes)
T.3e: commitments (2 x 32 bytes)
T.3f: ephemeral_key (32 bytes)
T.3g: random_seed (32 bytes)
T.3h: macs (2 x 32 bytes)
T.3i: ciphertexts (2 x 601 bytes)
The personalization field of this hash is set to::
"ZTxIdJSplitsHash"
T.4: ``sapling_digest``
```````````````````````
T.4: sapling_digest
```````````````````
The digest of Sapling components is composed of two subtrees which are organized to
permit easy interoperability with the ``CompactBlock`` representation of Sapling data
specified by the ZIP 307 Light Client Protocol [#zip-0307]_.
This digest is a BLAKE2b-256 hash of the following values ::
* T.4a. ``sapling_spends_digest`` (32-byte hash)
* T.4b. ``sapling_outputs_digest`` (32-byte hash)
* T.4c. ``valueBalance`` (64-bit signed little-endian)
T.4a: sapling_spends_digest (32-byte hash)
T.4b: sapling_outputs_digest (32-byte hash)
T.4c: valueBalance (64-bit signed little-endian)
The personalization field of this hash is set to::
"ZTxIdSaplingHash"
T.4a: ``sapling_spends_digest``
'''''''''''''''''''''''''''''''
T.4a: sapling_spends_digest
'''''''''''''''''''''''''''
This digest is a BLAKE2b-256 hash of the following values ::
* T.4a.i. ``sapling_spends_compact_digest`` (32-byte hash)
* T.4a.ii. ``sapling_spends_noncompact_digest`` (32-byte hash)
T.4a.i: sapling_spends_compact_digest (32-byte hash)
T.4a.ii: sapling_spends_noncompact_digest (32-byte hash)
The personalization field of this hash is set to::
"ZTxIdSSpendsHash"
T.4a.i: ``sapling_spends_compact_digest``
.........................................
T.4a.i: sapling_spends_compact_digest
.....................................
A BLAKE2b-256 hash of the field encoding of all ``nullifier`` field
values of Sapling shielded spends belonging to the transaction.
@ -259,69 +259,69 @@ The personalization field of this hash is set to::
"ZTxIdSSpendCHash"
T.4a.ii: ``sapling_spends_noncompact_digest``
.............................................
T.4a.ii: sapling_spends_noncompact_digest
.........................................
A BLAKE2b-256 hash of the non-nullifier information for all Sapling shielded spends
belonging to the transaction, excluding zkproof data. For each spend, the following
elements are included in the hash::
* T.4a.ii.1 ``cv`` (field encoding bytes)
* T.4a.ii.2 ``anchor`` (field encoding bytes)
* T.4a.ii.3 ``rk`` (field encoding bytes)
T.4a.ii.1: cv (field encoding bytes)
T.4a.ii.2: anchor (field encoding bytes)
T.4a.ii.3: rk (field encoding bytes)
The personalization field of this hash is set to::
"ZTxIdSSpendNHash"
T.4b: ``sapling_outputs_digest``
''''''''''''''''''''''''''''''''
T.4b: sapling_outputs_digest
''''''''''''''''''''''''''''
This digest is a BLAKE2b-256 hash of the following values ::
* T.4a.i. ``sapling_outputs_compact_digest`` (32-byte hash)
* T.4b.ii. ``sapling_outputs_memos_digest`` (32-byte hash)
* T.4b.iii. ``sapling_outputs_noncompact_digest`` (32-byte hash)
T.4a.i: sapling_outputs_compact_digest (32-byte hash)
T.4b.ii: sapling_outputs_memos_digest (32-byte hash)
T.4b.iii: sapling_outputs_noncompact_digest (32-byte hash)
The personalization field of this hash is set to::
"ZTxIdSOutputHash"
T.4b.i: ``sapling_outputs_compact_digest``
..........................................
T.4b.i: sapling_outputs_compact_digest
......................................
A BLAKE2b-256 hash of the subset of Sapling output information included in the
ZIP-307 [#zip-0307]_ ``CompactBlock`` format for all Sapling shielded outputs
belonging to the transaction. For each output, the following elements are included
in the hash::
* T.4b.i.1 ``cmu`` (field encoding bytes)
* T.4b.i.2 ``ephemeral_key`` (field encoding bytes)
* T.4b.i.3 ``enc_ciphertext[..52]`` (First 52 bytes of field encoding)
T.4b.i.1: cmu (field encoding bytes)
T.4b.i.2: ephemeral_key (field encoding bytes)
T.4b.i.3: enc_ciphertext[..52] (First 52 bytes of field encoding)
The personalization field of this hash is set to::
"ZTxIdSOutC__Hash"
T.4a.ii: ``sapling_outputs_memos_digest``
.........................................
T.4a.ii: sapling_outputs_memos_digest
.....................................
A BLAKE2b-256 hash of the subset of Sapling shielded memo field data for all Sapling
shielded outputs belonging to the transaction. For each output, the following elements
are included in the hash::
* T.4b.ii.1 ``enc_ciphertext[52..564] (contents of the encrypted memo field)
T.4b.ii.1: enc_ciphertext[52..564] (contents of the encrypted memo field)
The personalization field of this hash is set to::
"ZTxIdSOutM__Hash"
T.4a.iii: ``sapling_outputs_noncompact_digest``
...............................................
T.4a.iii: sapling_outputs_noncompact_digest
...........................................
A BLAKE2b-256 hash of the remaining subset of Sapling output information **not** included
in the ZIP 307 [#zip-0307]_ ``CompactBlock`` format, excluding zkproof data, for all
Sapling shielded outputs belonging to the transaction. For each output, the following
elements are included in the hash::
* T.4b.iii.1 ``cv`` (field encoding bytes)
* T.4b.iii.2 ``enc_ciphertext[564..]`` (post-memo suffix of field encoding)
* T.4b.iii.3 ``out_ciphertext`` (field encoding bytes)
T.4b.iii.1: cv (field encoding bytes)
T.4b.iii.2: enc_ciphertext[564..] (post-memo suffix of field encoding)
T.4b.iii.3: out_ciphertext (field encoding bytes)
The personalization field of this hash is set to::
@ -346,14 +346,14 @@ described in detail below::
├── sprout_digest
└── sapling_digest
``signature_digest``
--------------------
signature_digest
----------------
A BLAKE2b-256 hash of the following values ::
* S.1: ``header_digest`` (32-byte hash output)
* S.2: ``transparent_digest`` (32-byte hash output)
* S.3: ``sprout_digest (32-byte hash output)
* S.4: ``sapling_digest (32-byte hash output)
S.1: header_digest (32-byte hash output)
S.2: transparent_digest (32-byte hash output)
S.3: sprout_digest (32-byte hash output)
S.4: sapling_digest (32-byte hash output)
The personalization field of this hash is set to::
@ -363,12 +363,12 @@ This value must have the same personalization as the top hash of the transaction
identifier digest tree, in order to make it possible to sign the transaction id
in the case that there are no transparent inputs.
S.1: ``header_digest``
``````````````````````
S.1: header_digest
``````````````````
Identical to that specified for the transaction identifier.
S.2: ``transparent_digest``
```````````````````````````
S.2: transparent_digest
```````````````````````
If we are producing a hash for the signature over a transparent input,
the value of the digest produced here depends upon the value of a ``hash_type``
flag as in ZIP 143 [#zip-0143]_.
@ -378,93 +378,93 @@ The construction of each component below depends upon the values of the
This digest is a BLAKE2b-256 hash of the following values ::
* S.2a. ``prevouts_digest`` (32-byte hash)
* S.2b. ``sequence_digest`` (32-byte hash)
* S.2c. ``outputs_digest`` (32-byte hash)
* S.2d. ``txin_sig_digest`` (32-byte hash)
S.2a: prevouts_digest (32-byte hash)
S.2b: sequence_digest (32-byte hash)
S.2c: outputs_digest (32-byte hash)
S.2d: txin_sig_digest (32-byte hash)
The personalization field of this hash is set to::
"ZTxIdTranspaHash"
S.2a: ``prevouts_digest``
'''''''''''''''''''''''''
S.2a: prevouts_digest
'''''''''''''''''''''
This is a BLAKE2b-256 hash initialized with the personalization field value
"ZTxIdPrevoutHash".
If the ``SIGHASH_ANYONECANPAY`` flag is not set::
* identical to the value of ``prevouts_digest`` as specified for the
identical to the value of ``prevouts_digest`` as specified for the
transaction identifier in section T.2a.
otherwise::
* the hash is immediately finalized, without being updated with any
the hash is immediately finalized, without being updated with any
additional data
S.2b: ``sequence_digest``
'''''''''''''''''''''''''
S.2b: sequence_digest
'''''''''''''''''''''
This is a BLAKE2b-256 hash initialized with the personalization field value
"ZTxIdSequencHash".
If none of the ``SIGHASH_ANYONECANPAY``, ``SIGHASH_SINGLE``, or ``SIGHASH_NONE`` flags are
set::
* identical to the value of ``sequence_digest`` as specified for the
identical to the value of ``sequence_digest`` as specified for the
transaction identifier in section T.2b.
otherwise::
* the hash is immediately finalized, without being updated with any
the hash is immediately finalized, without being updated with any
additional data
S.2c: ``outputs_digest``
''''''''''''''''''''''''
S.2c: outputs_digest
''''''''''''''''''''
This is a BLAKE2b-256 hash initialized with the personalization field value
"ZTxIdOutputsHash".
If none of the ``SIGHASH_SINGLE`` or ``SIGHASH_NONE`` flags are set::
* identical to the value of ``outputs_digest`` as specified for the
identical to the value of ``outputs_digest`` as specified for the
transaction identifier in section T.2c.
If the ``SIGHASH_SINGLE`` flag is set and the signature hash is being computed for
the transparent input at a particular index, and a transparent output appears in
the transaction at that index::
* the hash is updated with the transaction serialized form of the
the hash is updated with the transaction serialized form of the
transparent output at that index, and finalized.
If the ``SIGHASH_SINGLE`` flag is set and the signature is being computed for
a shielded input, or if the ``SIGHASH_NONE`` flag is set::
* the hash is immediately finalized, without being updated with any
the hash is immediately finalized, without being updated with any
additional data
S.2d: ``txin_sig_digest``
'''''''''''''''''''''''''
S.2d: txin_sig_digest
'''''''''''''''''''''
This is a BLAKE2b-256 hash initialized with the personalization field value
"Zcash___TxInHash" (3 underscores).
If the signature hash is being computed for a transparent input, the hash
is updated with the following properties of that input::
* S.2d.i. ``prevout`` (field encoding)
* S.2d.ii. ``script_code`` (field encoding)
* S.2d.iii. ``value`` (8-byte signed little-endian)
* S.2d.iv. ``nSequence`` (4-byte unsigned little-endian)
S.2d.i: prevout (field encoding)
S.2d.ii: script_code (field encoding)
S.2d.iii: value (8-byte signed little-endian)
S.2d.iv: nSequence (4-byte unsigned little-endian)
otherwise::
* the hash is immediately finalized, without being updated with any
the hash is immediately finalized, without being updated with any
additional data
S.3: ``sprout_digest``
``````````````````````
S.3: sprout_digest
``````````````````
Identical to that specified for the transaction identifier.
S.4: ``sapling_digest``
```````````````````````
S.4: sapling_digest
```````````````````
Identical to that specified for the transaction identifier.
Authorizing Data Commitment
@ -485,20 +485,20 @@ data of the transaction.
The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the
data of a serialized transaction that may be included in a block.
``auth_digest``
---------------
auth_digest
-----------
A BLAKE2b-256 hash of the following values ::
* ``transparent_scripts_digest`` (32-byte hash output)
* ``sprout_auth_digest (32-byte hash output)
* ``sapling_auth_digest (32-byte hash output)
A1: transparent_scripts_digest (32-byte hash output)
A2: sprout_auth_digest (32-byte hash output)
A3: sapling_auth_digest (32-byte hash output)
The personalization field of this hash is set to::
"ZTxAuthHash_" || CONSENSUS_BRANCH_ID
A.1: ``transparent_scripts_digest``
```````````````````````````````````
A.1: transparent_scripts_digest
```````````````````````````````
A BLAKE2b-256 hash of the field encoding of the Bitcoin script associated
with each transparent input belonging to the transaction.
@ -506,29 +506,29 @@ The personalization field of this hash is set to::
"ZTxAuthTransHash"
A.2: ``sprout_auth_digest``
```````````````````````````
A.2: sprout_auth_digest
```````````````````````
A BLAKE2b-256 hash of the field encoding of the ``zkproof`` values of each
``JSDescription`` belonging to the transaction, followed by the
``joinsplit_pubkey`` and ``joinsplit_sig``::
* A.2a. ``zkproofs`` (field encoding bytes)
* A.2b. ``joinsplit_pubkey``
* A.2b. ``joinsplit_sig``
A.2a: zkproofs (field encoding bytes)
A.2b: joinsplit_pubkey (field encoding bytes)
A.2b: joinsplit_sig (field encoding bytes)
The personalization field of this hash is set to::
"ZTxAuthSprouHash"
A.3: ``sapling_auth_digest``
````````````````````````````
A.3: sapling_auth_digest
````````````````````````
A BLAKE2b-256 hash of the field encoding of the Sapling zkproof values
of each Sapling spend description and output description belonging to
the transaction, followed by the field encoding of the binding signature ::
* A.3a. ``spend_zkproofs`` (field encoding bytes)
* A.3b. ``output_zkproofs`` (field encoding bytes)
* A.3c. ``binding_sig``
A.3a: spend_zkproofs (field encoding bytes)
A.3b: output_zkproofs (field encoding bytes)
A.3c: binding_sig (field encoding bytes)
The personalization field of this hash is set to::
@ -560,15 +560,15 @@ and leaves in the merkle tree (nodes without children) have the "null" hash valu
Changing the block header format to allow space for an additional
commitment is somewhat invasive. Instead, the name and meaning of the
``hashLightClientRoot`` field is changed.
``hashLightClientRoot`` field, described in ZIP 221 [#zip-0221]_, is changed.
``hashLightClientRoot`` is renamed to ``hashBlockCommitments``. The value
of this hash is the BLAKE2b-256 hash personalized by the string ``"ZcashBlockCommit"``
of the following elements::
* ``hashLightClientRoot`` as described in ZIP 221 [#zip-0221]_
* ``hashAuthDataRoot``
* ``terminator`` [0u8;32]
hashLightClientRoot (as described in ZIP 221)
hashAuthDataRoot (as described below)
terminator [0u8;32]
This representation treats the ``hashBlockCommitments`` value as a linked
list of hashes terminated by arbitrary data. In the case of protocol upgrades

62
zip-0245.html
View File

@ -30,30 +30,28 @@ Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/384">https://g
│   └── tzeout_digest
├── sprout_digest
└── sapling_digest</pre>
<section id="id6"><h4><span class="section-heading"><code>txid_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#id6"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<section id="id6"><h4><span class="section-heading">txid_digest</span><span class="section-anchor"> <a rel="bookmark" href="#id6"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>The top hash of the <code>txid_digest</code> tree is modified from the ZIP 244 structure to be a BLAKE2b-256 hash of the following values</p>
<pre>* ``header_digest`` (32-byte hash output)
* ``transparent_digest`` (32-byte hash output)
* ``tze_digest (32-byte hash output)
* ``sprout_digest (32-byte hash output)
* ``sapling_digest (32-byte hash output)</pre>
<pre>T.1: header_digest (32-byte hash output)
T.2: transparent_digest (32-byte hash output)
T.3: tze_digest (32-byte hash output)
T.4: sprout_digest (32-byte hash output)
T.5: sapling_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is unmodified from ZIP 244.</p>
<section id="tze-digest"><h5><span class="section-heading">2: <code>tze_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#tze-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>* 2a. ``tzein_digest`` (32-byte hash)
* 2b. ``tzeout_digest`` (32-byte hash)</pre>
<pre>T.2a: tzein_digest (32-byte hash)
T.2b: tzeout_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdTZE____Hash" (4 underscore characters)</pre>
<section id="a-tzein-digest"><h6><span class="section-heading">2a: <code>tzein_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#a-tzein-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="a-tzein-digest"><h6><span class="section-heading">2a: tzein_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-tzein-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of all TZE inputs to the transaction, excluding witness data. For each TZE input, the following values are appended to this hash:</p>
<pre>* 2a.i. the field encoding of the CompactSize representation
of the TZE extension id for the input.
* 2a.i. the field encoding of the CompactSize representation
of the TZE mode for the input.</pre>
<pre>2a.i: extension_id (CompactSize field encoding)
2a.ii: mode (CompactSize field encoding)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdTZEIns_Hash" (1 underscore character)</pre>
</section>
<section id="a-tzeout-digest"><h6><span class="section-heading">2a: <code>tzeout_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#a-tzeout-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<section id="a-tzeout-digest"><h6><span class="section-heading">2a: tzeout_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-tzeout-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the field encoding of all TZE outputs belonging to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdTzeOutsHash"</pre>
@ -71,23 +69,23 @@ Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/384">https://g
│   └── tzeout_digest
├── sprout_digest
└── sapling_digest</pre>
<section id="id8"><h4><span class="section-heading"><code>signature_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#id8"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<section id="id8"><h4><span class="section-heading">signature_digest</span><span class="section-anchor"> <a rel="bookmark" href="#id8"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>* S.1: ``header_digest`` (32-byte hash output)
* S.2: ``transparent_digest`` (32-byte hash output)
* S.3: ``tze_digest`` (32-byte hash output)
* S.4: ``sprout_digest (32-byte hash output)
* S.5: ``sapling_digest (32-byte hash output)</pre>
<pre>S.1: header_digest (32-byte hash output)
S.2: transparent_digest (32-byte hash output)
S.3: tze_digest (32-byte hash output)
S.4: sprout_digest (32-byte hash output)
S.5: sapling_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZcashTxHash_" || CONSENSUS_BRANCH_ID</pre>
<p>This value must have the same personalization as the top hash of the transaction identifier digest tree, in order to make it possible to sign the transaction id in the case that there are no transparent inputs.</p>
<section id="s-3-tze-digest"><h5><span class="section-heading">S.3: <code>tze_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#s-3-tze-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<section id="s-3-tze-digest"><h5><span class="section-heading">S.3: tze_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-3-tze-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>This digest is a BLAKE2b-256 hash of the following values of the TZE input being signed:</p>
<pre>* S.3a. ``prevout_digest`` (field encoding bytes)
* S.3b. ``extension_id`` (CompactSize field encoding)
* S.3c. ``mode`` (CompactSize field encoding)
* S.3d. ``payload`` (arbitrary bytes)
* S.3e. ``value`` of the output spent by this input (8-byte little endian)</pre>
<pre>S.3a: prevout_digest (field encoding bytes)
S.3b: extension_id (CompactSize field encoding)
S.3c: mode (CompactSize field encoding)
S.3d: payload (arbitrary bytes)
S.3e: value (8-byte little endian value of the output spent by this input)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"Zcash__TzeInHash"</pre>
</section>
@ -100,15 +98,15 @@ Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/384">https://g
├── tze_witnesses_digest
├── sprout_sigs_digest
└── sapling_sigs_digest</pre>
<section id="auth-digest"><h4><span class="section-heading"><code>auth_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<section id="auth-digest"><h4><span class="section-heading">auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>The top hash of the <code>auth_digest</code> tree is modified from the ZIP 244 structure to be a BLAKE2b-256 hash of the following values</p>
<pre>* ``transparent_scripts_digest`` (32-byte hash output)
* ``tze_witnesses_digest (32-byte hash output)
* ``sprout_sigs_digest (32-byte hash output)
* ``sapling_sigs_digest (32-byte hash output)</pre>
<pre>A.1: transparent_scripts_digest (32-byte hash output)
A.2: tze_witnesses_digest (32-byte hash output)
A.3: sprout_sigs_digest (32-byte hash output)
A.4: sapling_sigs_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is unmodified from ZIP 244.</p>
</section>
<section id="tze-witnesses-digest"><h4><span class="section-heading">2: <code>tze_witnesses_digest</code></span><span class="section-anchor"> <a rel="bookmark" href="#tze-witnesses-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<section id="tze-witnesses-digest"><h4><span class="section-heading">2: tze_witnesses_digest</span><span class="section-anchor"> <a rel="bookmark" href="#tze-witnesses-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>A BLAKE2b-256 hash of the field encoding of the witness <code>payload</code> data associated with each TZE input belonging to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthTZE__Hash" (2 underscore characters)</pre>

76
zip-0245.rst
View File

@ -42,16 +42,16 @@ are as in ZIP 244::
├── sprout_digest
└── sapling_digest
``txid_digest``
```````````````
txid_digest
```````````
The top hash of the ``txid_digest`` tree is modified from the ZIP 244 structure
to be a BLAKE2b-256 hash of the following values ::
* ``header_digest`` (32-byte hash output)
* ``transparent_digest`` (32-byte hash output)
* ``tze_digest (32-byte hash output)
* ``sprout_digest (32-byte hash output)
* ``sapling_digest (32-byte hash output)
T.1: header_digest (32-byte hash output)
T.2: transparent_digest (32-byte hash output)
T.3: tze_digest (32-byte hash output)
T.4: sprout_digest (32-byte hash output)
T.5: sapling_digest (32-byte hash output)
The personalization field of this hash is unmodified from ZIP 244.
@ -59,29 +59,27 @@ The personalization field of this hash is unmodified from ZIP 244.
'''''''''''''''''
A BLAKE2b-256 hash of the following values ::
* 2a. ``tzein_digest`` (32-byte hash)
* 2b. ``tzeout_digest`` (32-byte hash)
T.2a: tzein_digest (32-byte hash)
T.2b: tzeout_digest (32-byte hash)
The personalization field of this hash is set to::
"ZTxIdTZE____Hash" (4 underscore characters)
2a: ``tzein_digest``
....................
2a: tzein_digest
................
A BLAKE2b-256 hash of all TZE inputs to the transaction, excluding witness data.
For each TZE input, the following values are appended to this hash::
* 2a.i. the field encoding of the CompactSize representation
of the TZE extension id for the input.
* 2a.i. the field encoding of the CompactSize representation
of the TZE mode for the input.
2a.i: extension_id (CompactSize field encoding)
2a.ii: mode (CompactSize field encoding)
The personalization field of this hash is set to::
"ZTxIdTZEIns_Hash" (1 underscore character)
2a: ``tzeout_digest``
.....................
2a: tzeout_digest
.................
A BLAKE2b-256 hash of the field encoding of all TZE outputs
belonging to the transaction.
@ -106,15 +104,15 @@ to the tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and
├── sprout_digest
└── sapling_digest
``signature_digest``
````````````````````
signature_digest
````````````````
A BLAKE2b-256 hash of the following values ::
* S.1: ``header_digest`` (32-byte hash output)
* S.2: ``transparent_digest`` (32-byte hash output)
* S.3: ``tze_digest`` (32-byte hash output)
* S.4: ``sprout_digest (32-byte hash output)
* S.5: ``sapling_digest (32-byte hash output)
S.1: header_digest (32-byte hash output)
S.2: transparent_digest (32-byte hash output)
S.3: tze_digest (32-byte hash output)
S.4: sprout_digest (32-byte hash output)
S.5: sapling_digest (32-byte hash output)
The personalization field of this hash is set to::
@ -124,16 +122,16 @@ This value must have the same personalization as the top hash of the transaction
identifier digest tree, in order to make it possible to sign the transaction id
in the case that there are no transparent inputs.
S.3: ``tze_digest``
'''''''''''''''''''
S.3: tze_digest
'''''''''''''''
This digest is a BLAKE2b-256 hash of the following values of the TZE
input being signed::
* S.3a. ``prevout_digest`` (field encoding bytes)
* S.3b. ``extension_id`` (CompactSize field encoding)
* S.3c. ``mode`` (CompactSize field encoding)
* S.3d. ``payload`` (arbitrary bytes)
* S.3e. ``value`` of the output spent by this input (8-byte little endian)
S.3a: prevout_digest (field encoding bytes)
S.3b: extension_id (CompactSize field encoding)
S.3c: mode (CompactSize field encoding)
S.3d: payload (arbitrary bytes)
S.3e: value (8-byte little endian value of the output spent by this input)
The personalization field of this hash is set to::
@ -153,20 +151,20 @@ only new addition to the tree; ``transparent_digest``, ``sprout_digest``, and
├── sprout_sigs_digest
└── sapling_sigs_digest
``auth_digest``
```````````````
auth_digest
```````````
The top hash of the ``auth_digest`` tree is modified from the ZIP 244 structure
to be a BLAKE2b-256 hash of the following values ::
* ``transparent_scripts_digest`` (32-byte hash output)
* ``tze_witnesses_digest (32-byte hash output)
* ``sprout_sigs_digest (32-byte hash output)
* ``sapling_sigs_digest (32-byte hash output)
A.1: transparent_scripts_digest (32-byte hash output)
A.2: tze_witnesses_digest (32-byte hash output)
A.3: sprout_sigs_digest (32-byte hash output)
A.4: sapling_sigs_digest (32-byte hash output)
The personalization field of this hash is unmodified from ZIP 244.
2: ``tze_witnesses_digest``
```````````````````````````
2: tze_witnesses_digest
```````````````````````
A BLAKE2b-256 hash of the field encoding of the witness ``payload`` data associated
with each TZE input belonging to the transaction.