From c693ab88bdf08ae8a9691a597d463968813a89d6 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Thu, 21 Jan 2021 17:23:09 -0700 Subject: [PATCH] Fix outputs digest in signature hash. --- zip-0244.rst | 75 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 45 insertions(+), 30 deletions(-) diff --git a/zip-0244.rst b/zip-0244.rst index d890ff92..56e18753 100644 --- a/zip-0244.rst +++ b/zip-0244.rst @@ -31,7 +31,7 @@ This proposal also defines a new transaction digest algorithm for signature vali which shares all available structure produced during the construction of transaction identifiers, in order to minimize redundant data hashing in validation. -This proposal also defines new semantics for the ``hashLightClientRoot`` field of the +This proposal also defines a new name and semantics for the ``hashLightClientRoot`` field of the block header, to enable additional commitments to be represented in this hash and to provide a mechanism for future extensibility of the set of commitments represented. @@ -371,10 +371,10 @@ S.2: ``transparent_digest`` ````````````````````````` If we are producing a hash for the signature over a transparent input, the value of the digest produced here depends upon the value of a ``hash_type`` -flag as in ZIP 143 [#zip-0143]_ and BIP 143 [#bip-0143]_. +flag as in ZIP 143 [#zip-0143]_. The construction of each component below depends upon the values of the -hash_type flag bits. Each component will be described separately +``hash_type`` flag bits. Each component will be described separately This digest is a BLAKE2b-256 hash of the following values :: 
@@ -392,42 +392,48 @@ S.2a: ``prevouts_digest`` This is a BLAKE2b-256 hash initialized with the personalization field value "ZTxIdPrevoutHash". -If the ``SIGHASH_ANYONECANPAY`` flag is set:: - - * the hash is immediately finalized, without being updated with any - additional data - -otherwise:: +If the ``SIGHASH_ANYONECANPAY`` flag is not set:: * identical to the value of ``prevouts_digest`` as specified for the transaction identifier in section T.2a. +otherwise:: + + * the hash is immediately finalized, without being updated with any + additional data + S.2b: ``sequence_digest`` ''''''''''''''''''''''' This is a BLAKE2b-256 hash initialized with the personalization field value "ZTxIdSequencHash". -If any of the ``SIGHASH_ANYONECANPAY``, ``SIGHASH_SINGLE``, or ``SIGHASH_NONE`` flags are +If none of the ``SIGHASH_ANYONECANPAY``, ``SIGHASH_SINGLE``, or ``SIGHASH_NONE`` flags are set:: - * the hash is immediately finalized, without being updated with any - additional data - -otherwise:: - * identical to the value of ``sequence_digest`` as specified for the transaction identifier in section T.2b. +otherwise:: + + * the hash is immediately finalized, without being updated with any + additional data + S.2c: ``outputs_digest`` ''''''''''''''''''''''' This is a BLAKE2b-256 hash initialized with the personalization field value "ZTxIdOutputsHash". -If the ``SIGHASH_SINGLE`` flag is set and the signature hash is being computed for a -transparent input:: +If none of the ``SIGHASH_SINGLE`` or ``SIGHASH_NONE`` flags are set:: - * the hash is updated with the field encoding of the ``prevout`` field value - of the input, then finalized + * identical to the value of ``outputs_digest`` as specified for the + transaction identifier in section T.2c. 
+ +If the ``SIGHASH_SINGLE`` flag is set and the signature hash is being computed for +the transparent input at a particular index, and a transparent output appears in +the transaction at that index:: + + * the hash is updated with the transaction serialized form of the + transparent output at that index, and finalized. If the ``SIGHASH_SINGLE`` flag is set and the signature is being computed for a shielded input, or if the ``SIGHASH_NONE`` flag is set:: @@ -435,11 +441,6 @@ a shielded input, or if the ``SIGHASH_NONE`` flag is set:: * the hash is immediately finalized, without being updated with any additional data -otherwise:: - - * identical to the value of ``outputs_digest`` as specified for the - transaction identifier in section T.2c. - S.2d: ``txin_sig_digest`` ''''''''''''''''''''''''' This is a BLAKE2b-256 hash initialized with the personalization field value @@ -566,6 +567,21 @@ of the following elements:: * ``hashLightClientRoot`` as described in ZIP 221 [#zip-0221]_ * ``hashAuthDataRoot`` + * ``terminator`` [0u8;32] + +This representation treats the ``hashBlockCommitments`` value as a linked +list of hashes terminated by arbitrary data. In the case of protocol upgrades +where additional commitments need to be included in the block header, it is +possible to replace this terminator with the hash of a newly defined structure +which ends in a similar terminator. Fully validating nodes MUST always use the +entire structure defined by the latest activated protocol version that they +support. + +The linked structure of this hash is intended to provide extensibility for +use by light clients which may be connected to a third-party server that supports +a later protocol version. Such a third party SHOULD provide a value that can +be used instead of the all-zeros terminator to permit the light client to +perform validation of the parts of the structure it needs. ======================== 
@@ -579,10 +595,9 @@ References ========== .. [#RFC2119] `RFC 2119: Key words for use in RFCs to Indicate Requirement Levels `_ -.. [#zip-0200] `ZIP 200: Network Upgrade Activation Mechanism `_ -.. [#zip-0221] `ZIP 221: FlyClient - Consensus Layer Changes `_ -.. [#zip-0076] `ZIP 76: Transaction Signature Validation before Overwinter `_ -.. [#zip-0143] `ZIP 143: Transaction Signature Validation for Overwinter `_ -.. [#bip-0143] `Transaction Signature Verification for Version 0 Witness Program `_ -.. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection `_ +.. [#zip-0200] `ZIP 200: Network Upgrade Activation Mechanism `_ +.. [#zip-0221] `ZIP 221: FlyClient - Consensus Layer Changes `_ +.. [#zip-0076] `ZIP 76: Transaction Signature Validation before Overwinter `_ +.. [#zip-0143] `ZIP 143: Transaction Signature Validation for Overwinter `_ +.. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection `_
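Review bot: In the first hunk (abstract, line 31), the reworded sentence promises "a new name and semantics" for the ``hashLightClientRoot`` field but still gives only the old name. Name the new field in the same sentence; the later block-header hunk calls it ``hashBlockCommitments``. A reader of the abstract should not have to reach that section to learn what the field is now called. This change is also unrelated to the subject line "Fix outputs digest in signature hash" and would be easier to review as its own commit.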
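Review bot: In the S.2 ``transparent_digest`` hunk, the sentence touched here still ends without a full stop ("Each component will be described separately") and runs straight into "This digest is a BLAKE2b-256 hash ...". Since the line is being edited for the ``hash_type`` markup anyway, add the period in the same change.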
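Review bot: In S.2c (``outputs_digest``), the rewritten cases no longer cover ``SIGHASH_SINGLE`` on a transparent input whose index has no transparent output at the same index. The first case requires that neither flag is set, the second requires that "a transparent output appears in the transaction at that index", and the third covers only a shielded input or ``SIGHASH_NONE``. The trailing ``otherwise::`` clause that previously acted as the fallback is removed in the following hunk. A signature hash has to be defined for every input that can be signed, so add an explicit clause for this case (for example, that the hash is finalized without data, or that signature hash computation fails) and word the conditions so that exactly one applies. As a smaller point, "If none of the ``SIGHASH_SINGLE`` or ``SIGHASH_NONE`` flags are set" reads better as "If neither ... nor ... is set".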
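Review bot: In the ``hashBlockCommitments`` hunk (line 567), "terminated by arbitrary data" contradicts the element list directly above it, which fixes ``terminator`` as ``[0u8;32]``. State that under this protocol version the terminator is exactly 32 zero bytes, and that a different value is only valid where a later upgrade defines it. The light-client paragraph says a third party SHOULD provide a replacement value but does not say how the client checks it. If the intended check is that the recomputed hash equals the header field, say so explicitly. ``[0u8;32]`` is Rust notation; the rest of the document describes values in prose, so "32 zero bytes" would be more consistent.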
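Review bot: In the References hunk, the ``[#bip-0143]`` target is deleted to match the citation removed from S.2, but only that one citation is visible in this patch. Confirm that no other ``[#bip-0143]_`` reference remains elsewhere in ``zip-0244.rst``, since a dangling footnote reference will make the document fail to render.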