Add signature digest algorithm for TZEs.

zip-0244.rst

@@ -252,7 +252,7 @@ The personalization field of this hash is set to::
 
 T.4a.i: ``sapling_spends_compact_digest``
 .......................................
-A BLAKE2b-256 hash of the field encoding of all nullifier field
+A BLAKE2b-256 hash of the field encoding of all ``nullifier`` field
 values of Sapling shielded spends belonging to the transaction.
 
 The personalization field of this hash is set to::
@@ -330,12 +330,12 @@ The personalization field of this hash is set to::
 Signature Digest
 ================
 
-A new per-input transaction digest algorithm that constructs a hash that may be signed
+A new per-input transaction digest algorithm is defined that constructs a hash that may be
-by a transaction creator to commit to the effects of the transaction. In the
+signed by a transaction creator to commit to the effects of the transaction. In the case
-case that the transaction consumes no transparent inputs, it should be possible
+that the transaction consumes no transparent inputs, it should be possible to just sign
-to just sign the transaction identifier produced by the ``TxId Digest`` algorithm.
+the transaction identifier produced by the ``TxId Digest`` algorithm.  In the case that
-In the case that transparent inputs are present, this algorithm follows closely
+transparent inputs are present, this algorithm follows closely the ZIP 143 [#zip-0143]_
-the ZIP 143 [#zip-0143]_ algorithm.
+algorithm.
 
 The overall structure of the hash is as follows; each name referenced here will be
 described in detail below:
@@ -495,7 +495,7 @@ A BLAKE2b-256 hash of the following values ::
 
 The personalization field of this hash is set to::
 
-  "ZTxAuth_____Hash" (5 underscore characters)
+  "ZTxAuthHash_" || CONSENSUS_BRANCH_ID
 
 1: ``transparent_scripts_digest``
 `````````````````````````````````
@@ -508,8 +508,9 @@ The personalization field of this hash is set to::
 
 2: ``sprout_auth_digest``
 ```````````````````````````
-A BLAKE2b-256 hash of the field encoding of the zkproof values of each
+A BLAKE2b-256 hash of the field encoding of the ``zkproof`` values of each
-``JSDescription`` belonging to the transaction.
+``JSDescription`` belonging to the transaction, followed by the 
+``joinsplit_pubkey`` and ``joinsplit_sig``.
 
    * 2a. ``zkproofs``         (field encoding bytes)
    * 2b. ``joinsplit_pubkey``    

zip-0245.rst

@@ -31,7 +31,7 @@ TxId Digest
 The tree of hashes defined by ZIP 244 [#zip-0244]_ is re-structured to include a new
 branch for TZE hashes. The ``tze_digest`` branch is the only new addition to the
 tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and ``sapling_digest``
-are as in ZIP 244.
+are as in ZIP 244::
 
    txid_digest
    ├── header_digest
@@ -89,13 +89,80 @@ The personalization field of this hash is set to::
 
   "ZTxIdTzeOutsHash"
 
-Witness Digest
+Signature Digest
---------------
+----------------
 
-The tree of hashes defined by ZIP 244 [#zip-0244]_ is re-structured to include a new
+The signature digest creation algorithm defined by ZIP 244 [#zip-0244]_ is modified to
-branch for TZE hashes. The ``tze_digest`` branch is the only new addition to the
+include a new branch for TZE hashes.  The ``tze_digest`` branch is the only new addition
-tree; ``transparent_digest``, ``sprout_digest``, and ``sapling_digest``
+to the tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and
-are as in ZIP 244.
+``sapling_digest`` are as in ZIP 244::
+
+    signature_digest
+    ├── header_digest
+    ├── transparent_digest
+    ├── tze_digest
+    │   ├── tzein_digest
+    │   └── tzeout_digest
+    ├── sprout_digest
+    └── sapling_digest
+
+``signature_digest``
+--------------------
+A BLAKE2b-256 hash of the following values ::
+
+   * S.1: ``header_digest`` (32-byte hash output)
+   * S.2: ``transparent_digest`` (32-byte hash output)
+   * S.3: ``tze_digest`` (32-byte hash output)
+   * S.4: ``sprout_digest (32-byte hash output)
+   * S.5: ``sapling_digest (32-byte hash output)
+
+The personalization field of this hash is set to::
+
+  "ZcashTxHash_" || CONSENSUS_BRANCH_ID
+
+This value must have the same personalization as the top hash of the transaction
+identifier digest tree, in order to make it possible to sign the transaction id
+in the case that there are no transparent inputs.
+
+S.1: ``header_digest``
+`````````````````````````
+Identical to that specified by S.1 in ZIP 244
+
+S.2: ``transparent_digest``
+```````````````````````````
+Identical to that specified by S.2 in ZIP 244
+
+S.3: ``tze_digest``
+`````````````````````````
+This digest is a BLAKE2b-256 hash of the following values of the TZE
+input being signed::
+
+   * S.3a. ``prevout_digest`` (field encoding bytes)
+   * S.3b. ``extension_id`` (CompactSize field encoding)
+   * S.3c. ``mode`` (CompactSize field encoding)
+   * S.3d. ``payload`` (arbitrary bytes)
+   * S.3e. ``value`` of the output spent by this input (8-byte little endian)
+
+The personalization field of this hash is set to::
+
+   "Zcash__TzeInHash"
+
+S.4: ``sprout_digest``
+`````````````````````````
+Identical to that specified by S.3 in ZIP 244
+
+S.5: ``sapling_digest``
+`````````````````````````
+Identical to that specified by S.4 in ZIP 244
+
+
+Authorizing Data Commitment
+---------------------------
+
+The tree of hashes defined by ZIP 244 [#zip-0244]_ for authorizing data commitments is
+re-structured to include a new branch for TZE hashes. The ``tze_digest`` branch is the
+only new addition to the tree; ``transparent_digest``, ``sprout_digest``, and
+``sapling_digest`` are as in ZIP 244::
 
    auth_digest
    ├── transparent_scripts_digest
@@ -117,7 +184,7 @@ The personalization field of this hash is unmodified from ZIP 244.
 
 2: ``tze_witnesses_digest``
 ```````````````````````````
-A BLAKE2b-256 hash of the field encoding of the witness data associated
+A BLAKE2b-256 hash of the field encoding of the witness ``payload`` data associated
 with each TZE input belonging to the transaction.
 
 The personalization field of this hash is set to::