mirror of https://github.com/zcash/zips.git
ZIP 244: Add new S.2 commitments to input amounts and scriptCodes
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
parent
2442192519
commit
daac926497
65
zip-0244.rst
|
@ -503,10 +503,12 @@ The construction of each component below depends upon the values of the
|
|||
|
||||
This digest is a BLAKE2b-256 hash of the following values ::
|
||||
|
||||
S.2a: prevouts_sig_digest (32-byte hash)
|
||||
S.2b: sequence_sig_digest (32-byte hash)
|
||||
S.2c: outputs_sig_digest (32-byte hash)
|
||||
S.2d: txin_sig_digest (32-byte hash)
|
||||
S.2a: prevouts_sig_digest (32-byte hash)
|
||||
S.2b: amounts_sig_digest (32-byte hash)
|
||||
S.2c: script_codes_sig_digest (32-byte hash)
|
||||
S.2d: sequence_sig_digest (32-byte hash)
|
||||
S.2e: outputs_sig_digest (32-byte hash)
|
||||
S.2f: txin_sig_digest (32-byte hash)
|
||||
|
||||
The personalization field of this hash is set to::
|
||||
|
||||
|
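Review bot: Inserting S.2b and S.2c in this list moves the old S.2b through S.2d labels to S.2d through S.2f, so any reference elsewhere in the ZIP to "S.2b" (sequence), "S.2c" (outputs) or "S.2d" (txin) now points at a different field. Please check the rest of zip-0244.rst for the old labels. The S.2 preimage also grows from four to six 32-byte hashes, so signature-digest test vectors produced against the previous draft no longer apply and should be regenerated with this change.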
@ -526,7 +528,37 @@ otherwise::
|
|||
|
||||
BLAKE2b-256(``ZTxIdPrevoutHash``, [])
|
||||
|
||||
S.2b: sequence_sig_digest
|
||||
S.2b: amounts_sig_digest
|
||||
''''''''''''''''''''''''
|
||||
If the ``SIGHASH_ANYONECANPAY`` flag is not set, the value of
|
||||
``amounts_sig_digest`` is a BLAKE2b-256 hash of the concatenation of the 8-byte
|
||||
signed little-endian representations of all ``value`` fields [#bdr-txout]_ for
|
||||
the coins spent by the transparent inputs to the transaction.
|
||||
|
||||
The personalization field of this hash is set to::
|
||||
|
||||
"ZTxTrAmountsHash"
|
||||
|
||||
If the ``SIGHASH_ANYONECANPAY`` flag is set, ``amounts_sig_digest`` is::
|
||||
|
||||
BLAKE2b-256("ZTxTrAmountsHash", [])
|
||||
|
||||
S.2c: script_codes_sig_digest
|
||||
'''''''''''''''''''''''''''''
|
||||
If the ``SIGHASH_ANYONECANPAY`` flag is not set, the value of
|
||||
``script_codes_sig_digest`` is a BLAKE2b-256 hash of the concatenation of the
|
||||
field encodings (including leading ``CompactSize``) of all ``pk_script`` fields
|
||||
[#bdr-txout]_ for the coins spent by the transparent inputs to the transaction.
|
||||
|
||||
The personalization field of this hash is set to::
|
||||
|
||||
"ZTxTrScriptsHash"
|
||||
|
||||
If the ``SIGHASH_ANYONECANPAY`` flag is set, ``script_codes_sig_digest`` is::
|
||||
|
||||
BLAKE2b-256("ZTxTrScriptsHash", [])
|
||||
|
||||
S.2d: sequence_sig_digest
|
||||
'''''''''''''''''''''''''
|
||||
This is a BLAKE2b-256 hash initialized with the personalization field value
|
||||
``ZTxIdSequencHash``.
|
||||
|
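Review bot: In the new S.2c section the digest is named ``script_codes_sig_digest`` but is defined over the ``pk_script`` fields of the spent coins, while ``txin_sig_digest`` separately commits to a ``script_code``. The two differ for any input whose script code is not its ``pk_script``, and the shared name invites implementers to hash the wrong field. Suggest a name that reflects ``pk_script``, or a sentence stating the distinction. Both new sections should also state that the values are concatenated in the order of the transparent inputs. The personalization strings here are written in double quotes where the neighbouring sections use literal markup (``ZTxIdPrevoutHash``).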
@ -540,7 +572,7 @@ otherwise::
|
|||
|
||||
BLAKE2b-256(``ZTxIdSequencHash``, [])
|
||||
|
||||
S.2c: outputs_sig_digest
|
||||
S.2e: outputs_sig_digest
|
||||
''''''''''''''''''''''''
|
||||
This is a BLAKE2b-256 hash initialized with the personalization field value
|
||||
``ZTxIdOutputsHash``.
|
||||
|
@ -561,16 +593,16 @@ otherwise::
|
|||
|
||||
BLAKE2b-256(``ZTxIdOutputsHash``, [])
|
||||
|
||||
S.2d: txin_sig_digest
|
||||
S.2f: txin_sig_digest
|
||||
'''''''''''''''''''''
|
||||
This is a BLAKE2b-256 hash of the following properties of the transparent input being
|
||||
signed, initialized with the personalization field value ``Zcash___TxInHash`` (3
|
||||
underscores)::
|
||||
|
||||
S.2d.i: prevout (field encoding)
|
||||
S.2d.ii: script_code (field encoding)
|
||||
S.2d.iii: value (8-byte signed little-endian)
|
||||
S.2d.iv: nSequence (4-byte unsigned little-endian)
|
||||
S.2f.i: prevout (field encoding)
|
||||
S.2f.ii: script_code (field encoding)
|
||||
S.2f.iii: value (8-byte signed little-endian)
|
||||
S.2f.iv: nSequence (4-byte unsigned little-endian)
|
||||
|
||||
Note: ``value`` is defined in the consensus rules to be a nonnegative value <=
|
||||
``MAX_MONEY``, but all existing implementations parse this value as signed and
|
||||
|
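Review bot: S.2f.iii ``value`` now overlaps with the new S.2b when ``SIGHASH_ANYONECANPAY`` is not set, and is the only commitment to the signed input's amount when the flag is set, since S.2b and S.2c are then hashes of the empty input. The text should say this explicitly so that S.2f.iii is not read as redundant and dropped by an implementer.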
@ -742,6 +774,14 @@ Rationale
|
|||
Several changes in this ZIP (relative to ZIP 243 [#zip-0243]_) were made to
|
||||
align with BIP 341 [#bip-0341]_:
|
||||
|
||||
- Two new commitments (``amounts_sig_digest`` and ``script_codes_sig_digest``)
|
||||
were added, to address difficulties in the case of a hardware wallet signing
|
||||
transparent inputs. ``script_codes_sig_digest`` helps the hardware wallet to
|
||||
determine the subset of inputs belonging to it [#bip-0341-scriptPubKey]_.
|
||||
``amounts_sig_digest`` prevents the transaction creator from lying to the
|
||||
hardware wallet about the transaction fee [#bip-0341-amount]_. Without these
|
||||
commitments, the hardware wallet would need to be sent every transaction
|
||||
containing an outpoint referenced in the transaction being signed.
|
||||
- The semantics of ``sequence_sig_digest`` were changed, to commit to ``nSequence``
|
||||
even if ``SIGHASH_SINGLE`` or ``SIGHASH_NONE`` is set. The rationale for this
|
||||
change is inherited from BIP 341 [#bip-0341-nSequence]_.
|
||||
|
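Review bot: The first added bullet states that ``amounts_sig_digest`` prevents the transaction creator from lying about the fee, but omits that this holds only when ``SIGHASH_ANYONECANPAY`` is not set. With the flag set, both new digests are defined as hashes of the empty input and commit to nothing about the other inputs. Suggest adding that limitation to the bullet so a hardware wallet implementer knows that fee verification depends on the sighash type.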
@ -765,4 +805,7 @@ References
|
|||
.. [#zip-0243] `ZIP 243: Transaction Signature Validation for Sapling <zip-0243.rst>`_
|
||||
.. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection <zip-0307.rst>`_
|
||||
.. [#bip-0341] `BIP 341: Taproot: SegWit version 1 spending rules <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki>`_
|
||||
.. [#bip-0341-scriptPubKey] `Why does the signature message commit to the scriptPubKey? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-16>`_
|
||||
.. [#bip-0341-amount] `Why does the signature message commit to the amounts of all transaction inputs? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-17>`_
|
||||
.. [#bip-0341-nSequence] `Why does the signature message commit to all input nSequence if SIGHASH_SINGLE or SIGHASH_NONE are set? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-18>`_
|
||||
.. [#bdr-txout] `Bitcoin Developer Reference. TxOut: A Transaction Output <https://developer.bitcoin.org/reference/transactions.html#txout-a-transaction-output>`_
|
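Review bot: The three BIP 341 footnote links point at ``cite_note-16``, ``cite_note-17`` and ``cite_note-18`` on the ``master`` branch. Those anchors are positional, so they will resolve to different footnotes if the BIP's notes are renumbered. Suggest linking to a fixed revision of bip-0341.mediawiki instead of ``master``.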