ZIP 244: Add new S.2 commitments to input amounts and scriptCodes

Co-authored-by: Daira Hopwood <daira@jacaranda.org>

zip-0244.rst

@@ -503,10 +503,12 @@ The construction of each component below depends upon the values of the
 
 This digest is a BLAKE2b-256 hash of the following values ::
 
-   S.2a: prevouts_sig_digest (32-byte hash)
+   S.2a: prevouts_sig_digest     (32-byte hash)
-   S.2b: sequence_sig_digest (32-byte hash)
+   S.2b: amounts_sig_digest      (32-byte hash)
-   S.2c: outputs_sig_digest  (32-byte hash)
+   S.2c: script_codes_sig_digest (32-byte hash)
-   S.2d: txin_sig_digest     (32-byte hash)
+   S.2d: sequence_sig_digest     (32-byte hash)
+   S.2e: outputs_sig_digest      (32-byte hash)
+   S.2f: txin_sig_digest         (32-byte hash)
 
 The personalization field of this hash is set to::
 
@@ -526,7 +528,37 @@ otherwise::
 
    BLAKE2b-256(``ZTxIdPrevoutHash``, [])
 
-S.2b: sequence_sig_digest
+S.2b: amounts_sig_digest
+''''''''''''''''''''''''
+If the ``SIGHASH_ANYONECANPAY`` flag is not set, the value of
+``amounts_sig_digest`` is a BLAKE2b-256 hash of the concatenation of the 8-byte
+signed little-endian representations of all ``value`` fields [#bdr-txout]_ for
+the coins spent by the transparent inputs to the transaction.
+
+The personalization field of this hash is set to::
+
+  "ZTxTrAmountsHash"
+
+If the ``SIGHASH_ANYONECANPAY`` flag is set, ``amounts_sig_digest`` is::
+
+  BLAKE2b-256("ZTxTrAmountsHash", [])
+
+S.2c: script_codes_sig_digest
+'''''''''''''''''''''''''''''
+If the ``SIGHASH_ANYONECANPAY`` flag is not set, the value of
+``script_codes_sig_digest`` is a BLAKE2b-256 hash of the concatenation of the
+field encodings (including leading ``CompactSize``) of all ``pk_script`` fields
+[#bdr-txout]_ for the coins spent by the transparent inputs to the transaction.
+
+The personalization field of this hash is set to::
+
+  "ZTxTrScriptsHash"
+
+If the ``SIGHASH_ANYONECANPAY`` flag is set, ``script_codes_sig_digest`` is::
+
+  BLAKE2b-256("ZTxTrScriptsHash", [])
+
+S.2d: sequence_sig_digest
 '''''''''''''''''''''''''
 This is a BLAKE2b-256 hash initialized with the personalization field value
 ``ZTxIdSequencHash``.
@@ -540,7 +572,7 @@ otherwise::
 
    BLAKE2b-256(``ZTxIdSequencHash``, [])
 
-S.2c: outputs_sig_digest
+S.2e: outputs_sig_digest
 ''''''''''''''''''''''''
 This is a BLAKE2b-256 hash initialized with the personalization field value
 ``ZTxIdOutputsHash``.
@@ -561,16 +593,16 @@ otherwise::
 
    BLAKE2b-256(``ZTxIdOutputsHash``, [])
 
-S.2d: txin_sig_digest
+S.2f: txin_sig_digest
 '''''''''''''''''''''
 This is a BLAKE2b-256 hash of the following properties of the transparent input being
 signed, initialized with the personalization field value ``Zcash___TxInHash`` (3
 underscores)::
 
-   S.2d.i:   prevout     (field encoding)
+   S.2f.i:   prevout     (field encoding)
-   S.2d.ii:  script_code (field encoding)
+   S.2f.ii:  script_code (field encoding)
-   S.2d.iii: value       (8-byte signed little-endian)
+   S.2f.iii: value       (8-byte signed little-endian)
-   S.2d.iv:  nSequence   (4-byte unsigned little-endian)
+   S.2f.iv:  nSequence   (4-byte unsigned little-endian)
 
 Note: ``value`` is defined in the consensus rules to be a nonnegative value <=
 ``MAX_MONEY``, but all existing implementations parse this value as signed and
@@ -742,6 +774,14 @@ Rationale
 Several changes in this ZIP (relative to ZIP 243 [#zip-0243]_) were made to
 align with BIP 341 [#bip-0341]_:
 
+- Two new commitments (``amounts_sig_digest`` and ``script_codes_sig_digest``)
+  were added, to address difficulties in the case of a hardware wallet signing
+  transparent inputs. ``script_codes_sig_digest`` helps the hardware wallet to
+  determine the subset of inputs belonging to it [#bip-0341-scriptPubKey]_.
+  ``amounts_sig_digest`` prevents the transaction creator from lying to the
+  hardware wallet about the transaction fee [#bip-0341-amount]_. Without these
+  commitments, the hardware wallet would need to be sent every transaction
+  containing an outpoint referenced in the transaction being signed.
 - The semantics of ``sequence_sig_digest`` were changed, to commit to ``nSequence``
   even if ``SIGHASH_SINGLE`` or ``SIGHASH_NONE`` is set. The rationale for this
   change is inherited from BIP 341 [#bip-0341-nSequence]_.
@@ -765,4 +805,7 @@ References
 .. [#zip-0243] `ZIP 243: Transaction Signature Validation for Sapling <zip-0243.rst>`_
 .. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection <zip-0307.rst>`_
 .. [#bip-0341] `BIP 341: Taproot: SegWit version 1 spending rules <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki>`_
+.. [#bip-0341-scriptPubKey] `Why does the signature message commit to the scriptPubKey? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-16>`_
+.. [#bip-0341-amount] `Why does the signature message commit to the amounts of all transaction inputs? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-17>`_
 .. [#bip-0341-nSequence] `Why does the signature message commit to all input nSequence if SIGHASH_SINGLE or SIGHASH_NONE are set? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-18>`_
+.. [#bdr-txout] `Bitcoin Developer Reference. TxOut: A Transaction Output <https://developer.bitcoin.org/reference/transactions.html#txout-a-transaction-output>`_