From a424153462c32ac7e85d5acc59a8c9738f78ea04 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Thu, 4 Feb 2021 10:57:28 -0700 Subject: [PATCH] Clarify rationale for personalization changes. Also clarify terminology around signature hash flags vs. types. --- zip-0244.rst | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/zip-0244.rst b/zip-0244.rst index c1041ed7..178fa77a 100644 --- a/zip-0244.rst +++ b/zip-0244.rst @@ -148,7 +148,7 @@ The personalization field of this hash is set to:: "ZcashTxHash_" || CONSENSUS_BRANCH_ID -"ZcashTxHash_" has 1 underscore character. +``ZcashTxHash_`` has 1 underscore character. As in ZIP 143 [#zip-0143]_, CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the transaction. Domain @@ -156,6 +156,12 @@ separation of the transaction id hash across parallel consensus branches provide protection: transactions targeted for one consensus branch will not have the same transaction identifier on other consensus branches. +This signature hash personalization prefix has been changed to reflect the new role of +this hash (relative to ``ZcashSigHash`` as specified in ZIP 143) as a transaction +identifier rather than a commitment that is exclusively used for signature purposes. +The previous computation of the transaction identifier was a SHA256d hash of the +serialized transaction contents, and was not personalized. + T.1: header_digest `````````````````` A BLAKE2b-256 hash of the following values :: 
@@ -268,7 +274,7 @@ The personalization field of this hash is set to:: T.4a.ii: sapling_spends_noncompact_digest ......................................... A BLAKE2b-256 hash of the non-nullifier information for all Sapling shielded spends -belonging to the transaction, excluding zkproof data and spend authorization +belonging to the transaction, excluding zkproof data and spend authorization signature. For each spend, the following elements are included in the hash:: T.4a.ii.1: cv (field encoding bytes) @@ -365,7 +371,7 @@ The personalization field of this hash is set to:: "ZcashTxHash_" || CONSENSUS_BRANCH_ID -"ZcashTxHash_" has 1 underscore character. +``ZcashTxHash_`` has 1 underscore character. This value has the same personalization as the top hash of the transaction identifier digest tree, so that what is being signed in the case that there are @@ -398,7 +404,7 @@ The personalization field of this hash is set to:: S.2a: prevouts_digest ''''''''''''''''''''' This is a BLAKE2b-256 hash initialized with the personalization field value -"ZTxIdPrevoutHash". +``ZTxIdPrevoutHash``. If the ``SIGHASH_ANYONECANPAY`` flag is not set:: @@ -413,10 +419,10 @@ otherwise:: S.2b: sequence_digest ''''''''''''''''''''' This is a BLAKE2b-256 hash initialized with the personalization field value -"ZTxIdSequencHash". +``ZTxIdSequencHash``. -If none of the ``SIGHASH_ANYONECANPAY``, ``SIGHASH_SINGLE``, or ``SIGHASH_NONE`` flags are -set:: +If the ``SIGHASH_ANYONECANPAY`` flag is not set, and the sighash type is neither +``SIGHASH_SINGLE`` nor ``SIGHASH_NONE``:: identical to the value of ``sequence_digest`` as specified for the transaction identifier in section T.2b. 
@@ -429,22 +435,22 @@ otherwise:: S.2c: outputs_digest '''''''''''''''''''' This is a BLAKE2b-256 hash initialized with the personalization field value -"ZTxIdOutputsHash". +``ZTxIdOutputsHash``. -If none of the ``SIGHASH_SINGLE`` or ``SIGHASH_NONE`` flags are set:: +If the sighash type is neither ``SIGHASH_SINGLE`` nor ``SIGHASH_NONE``:: identical to the value of ``outputs_digest`` as specified for the transaction identifier in section T.2c. -If the ``SIGHASH_SINGLE`` flag is set and the signature hash is being computed for +If the sighash type is ``SIGHASH_SINGLE`` and the signature hash is being computed for the transparent input at a particular index, and a transparent output appears in the transaction at that index:: the hash is updated with the transaction serialized form of the transparent output at that index, and finalized. -If the ``SIGHASH_SINGLE`` flag is set and the signature is being computed for -a shielded input, or if the ``SIGHASH_NONE`` flag is set:: +If the sighash type is ``SIGHASH_SINGLE`` and the signature is being computed for +a shielded input, or if the sighash type is ``SIGHASH_NONE``:: the hash is immediately finalized, without being updated with any additional data @@ -452,7 +458,7 @@ a shielded input, or if the ``SIGHASH_NONE`` flag is set:: S.2d: txin_sig_digest ''''''''''''''''''''' This is a BLAKE2b-256 hash initialized with the personalization field value -"Zcash___TxInHash" (3 underscores). +``Zcash___TxInHash`` (3 underscores). If the signature hash is being computed for a transparent input, the hash is updated with the following properties of that input:: @@ -505,7 +511,7 @@ The personalization field of this hash is set to:: "ZTxAuthHash_" || CONSENSUS_BRANCH_ID -"ZTxAuthHash_" has 1 underscore character. +``ZTxAuthHash_`` has 1 underscore character. A.1: transparent_scripts_digest ```````````````````````````````
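Review bot: In the paragraph added by hunk @@ -156,6 +156,12, the opening words "This signature hash personalization prefix" name the wrong thing for this section. The prefix defined here is ``ZcashTxHash_`` for the transaction identifier digest, and the same sentence goes on to say that the hash is no longer used exclusively for signature purposes. Suggest "This personalization prefix has been changed (from ``ZcashSigHash`` as specified in ZIP 143) to reflect the new role of this hash as a transaction identifier ...", which also makes clear that ``ZcashSigHash`` is the earlier prefix and not the name of a hash. The mention of ZIP 143 should carry the ``[#zip-0143]_`` citation that the paragraph just above it uses.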
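Review bot: In hunk @@ -268,7 +274,7 (T.4a.ii), the removed and added lines "belonging to the transaction, excluding zkproof data and spend authorization" read identically, so the change appears to be whitespace only. It is harmless, but it is not one of the two things the commit message names. Mention it in the message or move it to a separate cleanup commit, so that every line in a diff against a consensus-relevant specification can be matched to a stated intent.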
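Review bot: In hunk @@ -413,10 +419,10 (S.2b), the new condition separates the ``SIGHASH_ANYONECANPAY`` flag from the "sighash type" (``SIGHASH_SINGLE``, ``SIGHASH_NONE``), but nothing in the changed lines says how the type is obtained from the hash type value, so two implementers can still read the condition differently. If the ZIP does not already define this, add one sentence where the flags are first introduced stating which part of the value is the type and which is the flag. Separately, ``ZTxIdSequencHash`` is spelled "Sequenc" so that the string fits the 16-byte BLAKE2b personalization field; a parenthetical like the "(3 underscores)" note on ``Zcash___TxInHash`` would keep a later editor from correcting the spelling.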
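Review bot: In hunk @@ -429,22 +435,22 (S.2c), the cases listed do not cover a sighash type of ``SIGHASH_SINGLE`` for a transparent input at an index where no transparent output exists. The second case requires that "a transparent output appears in the transaction at that index", and the third covers only shielded inputs and ``SIGHASH_NONE``. Because this text defines what a signature commits to, state the behaviour for the uncovered case explicitly instead of leaving it to implementations. The second case also says "the signature hash is being computed" where the third says "the signature is being computed"; use one phrasing for both.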