mirror of https://github.com/zcash/zips.git
ZIP 244: Add new S.2 commitments to input amounts and scriptCodes
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
parent 2442192519
commit daac926497
65
zip-0244.rst
|
@ -503,10 +503,12 @@ The construction of each component below depends upon the values of the
|
||||||
|
|
||||||
This digest is a BLAKE2b-256 hash of the following values ::
|
This digest is a BLAKE2b-256 hash of the following values ::
|
||||||
|
|
||||||
S.2a: prevouts_sig_digest (32-byte hash)
|
S.2a: prevouts_sig_digest (32-byte hash)
|
||||||
S.2b: sequence_sig_digest (32-byte hash)
|
S.2b: amounts_sig_digest (32-byte hash)
|
||||||
S.2c: outputs_sig_digest (32-byte hash)
|
S.2c: script_codes_sig_digest (32-byte hash)
|
||||||
S.2d: txin_sig_digest (32-byte hash)
|
S.2d: sequence_sig_digest (32-byte hash)
|
||||||
|
S.2e: outputs_sig_digest (32-byte hash)
|
||||||
|
S.2f: txin_sig_digest (32-byte hash)
|
||||||
|
|
||||||
The personalization field of this hash is set to::
|
The personalization field of this hash is set to::
|
||||||
|
|
||||||
|
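Review bot: In the S.2 list, the labels S.2b to S.2d now denote different fields than before (S.2b was ``sequence_sig_digest`` and is now ``amounts_sig_digest``, and so on), so any reference to the old labels elsewhere in the ZIP or in an implementation will silently point at the wrong field. Please check the rest of zip-0244.rst for stale S.2b/S.2c/S.2d references. Inserting two 32-byte hashes also changes the resulting digest, so matching test vectors are needed; this commit touches only zip-0244.rst.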
@ -526,7 +528,37 @@ otherwise::
|
||||||
|
|
||||||
BLAKE2b-256(``ZTxIdPrevoutHash``, [])
|
BLAKE2b-256(``ZTxIdPrevoutHash``, [])
|
||||||
|
|
||||||
S.2b: sequence_sig_digest
|
S.2b: amounts_sig_digest
|
||||||
|
''''''''''''''''''''''''
|
||||||
|
If the ``SIGHASH_ANYONECANPAY`` flag is not set, the value of
|
||||||
|
``amounts_sig_digest`` is a BLAKE2b-256 hash of the concatenation of the 8-byte
|
||||||
|
signed little-endian representations of all ``value`` fields [#bdr-txout]_ for
|
||||||
|
the coins spent by the transparent inputs to the transaction.
|
||||||
|
|
||||||
|
The personalization field of this hash is set to::
|
||||||
|
|
||||||
|
"ZTxTrAmountsHash"
|
||||||
|
|
||||||
|
If the ``SIGHASH_ANYONECANPAY`` flag is set, ``amounts_sig_digest`` is::
|
||||||
|
|
||||||
|
BLAKE2b-256("ZTxTrAmountsHash", [])
|
||||||
|
|
||||||
|
S.2c: script_codes_sig_digest
|
||||||
|
'''''''''''''''''''''''''''''
|
||||||
|
If the ``SIGHASH_ANYONECANPAY`` flag is not set, the value of
|
||||||
|
``script_codes_sig_digest`` is a BLAKE2b-256 hash of the concatenation of the
|
||||||
|
field encodings (including leading ``CompactSize``) of all ``pk_script`` fields
|
||||||
|
[#bdr-txout]_ for the coins spent by the transparent inputs to the transaction.
|
||||||
|
|
||||||
|
The personalization field of this hash is set to::
|
||||||
|
|
||||||
|
"ZTxTrScriptsHash"
|
||||||
|
|
||||||
|
If the ``SIGHASH_ANYONECANPAY`` flag is set, ``script_codes_sig_digest`` is::
|
||||||
|
|
||||||
|
BLAKE2b-256("ZTxTrScriptsHash", [])
|
||||||
|
|
||||||
|
S.2d: sequence_sig_digest
|
||||||
'''''''''''''''''''''''''
|
'''''''''''''''''''''''''
|
||||||
This is a BLAKE2b-256 hash initialized with the personalization field value
|
This is a BLAKE2b-256 hash initialized with the personalization field value
|
||||||
``ZTxIdSequencHash``.
|
``ZTxIdSequencHash``.
|
||||||
|
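Review bot: In S.2c the digest is named ``script_codes_sig_digest`` and the commit title speaks of scriptCodes, but the text hashes the ``pk_script`` fields of the coins being spent, while S.2f.ii uses ``script_code`` for the per-input field. Either rename the digest or state how ``pk_script`` and ``script_code`` relate here, because a signer that hashes the wrong one produces signatures that do not verify. S.2b and S.2c should also say in which order the per-input values are concatenated (presumably the order of the transparent inputs in the transaction). A smaller style point: the new personalization strings are written with double quotes (``"ZTxTrAmountsHash"``) while the surrounding blocks use double backticks around ``ZTxIdPrevoutHash``; pick one form.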
@ -540,7 +572,7 @@ otherwise::
|
||||||
|
|
||||||
BLAKE2b-256(``ZTxIdSequencHash``, [])
|
BLAKE2b-256(``ZTxIdSequencHash``, [])
|
||||||
|
|
||||||
S.2c: outputs_sig_digest
|
S.2e: outputs_sig_digest
|
||||||
''''''''''''''''''''''''
|
''''''''''''''''''''''''
|
||||||
This is a BLAKE2b-256 hash initialized with the personalization field value
|
This is a BLAKE2b-256 hash initialized with the personalization field value
|
||||||
``ZTxIdOutputsHash``.
|
``ZTxIdOutputsHash``.
|
||||||
|
@ -561,16 +593,16 @@ otherwise::
|
||||||
|
|
||||||
BLAKE2b-256(``ZTxIdOutputsHash``, [])
|
BLAKE2b-256(``ZTxIdOutputsHash``, [])
|
||||||
|
|
||||||
S.2d: txin_sig_digest
|
S.2f: txin_sig_digest
|
||||||
'''''''''''''''''''''
|
'''''''''''''''''''''
|
||||||
This is a BLAKE2b-256 hash of the following properties of the transparent input being
|
This is a BLAKE2b-256 hash of the following properties of the transparent input being
|
||||||
signed, initialized with the personalization field value ``Zcash___TxInHash`` (3
|
signed, initialized with the personalization field value ``Zcash___TxInHash`` (3
|
||||||
underscores)::
|
underscores)::
|
||||||
|
|
||||||
S.2d.i: prevout (field encoding)
|
S.2f.i: prevout (field encoding)
|
||||||
S.2d.ii: script_code (field encoding)
|
S.2f.ii: script_code (field encoding)
|
||||||
S.2d.iii: value (8-byte signed little-endian)
|
S.2f.iii: value (8-byte signed little-endian)
|
||||||
S.2d.iv: nSequence (4-byte unsigned little-endian)
|
S.2f.iv: nSequence (4-byte unsigned little-endian)
|
||||||
|
|
||||||
Note: ``value`` is defined in the consensus rules to be a nonnegative value <=
|
Note: ``value`` is defined in the consensus rules to be a nonnegative value <=
|
||||||
``MAX_MONEY``, but all existing implementations parse this value as signed and
|
``MAX_MONEY``, but all existing implementations parse this value as signed and
|
||||||
|
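Review bot: The note on ``value`` being parsed as signed sits under S.2f only, but S.2b ``amounts_sig_digest`` now encodes the same ``value`` fields as 8-byte signed little-endian. Consider moving the note up or referring to it from S.2b, so that one statement covers both encodings.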
@ -742,6 +774,14 @@ Rationale
|
||||||
Several changes in this ZIP (relative to ZIP 243 [#zip-0243]_) were made to
|
Several changes in this ZIP (relative to ZIP 243 [#zip-0243]_) were made to
|
||||||
align with BIP 341 [#bip-0341]_:
|
align with BIP 341 [#bip-0341]_:
|
||||||
|
|
||||||
|
- Two new commitments (``amounts_sig_digest`` and ``script_codes_sig_digest``)
|
||||||
|
were added, to address difficulties in the case of a hardware wallet signing
|
||||||
|
transparent inputs. ``script_codes_sig_digest`` helps the hardware wallet to
|
||||||
|
determine the subset of inputs belonging to it [#bip-0341-scriptPubKey]_.
|
||||||
|
``amounts_sig_digest`` prevents the transaction creator from lying to the
|
||||||
|
hardware wallet about the transaction fee [#bip-0341-amount]_. Without these
|
||||||
|
commitments, the hardware wallet would need to be sent every transaction
|
||||||
|
containing an outpoint referenced in the transaction being signed.
|
||||||
- The semantics of ``sequence_sig_digest`` were changed, to commit to ``nSequence``
|
- The semantics of ``sequence_sig_digest`` were changed, to commit to ``nSequence``
|
||||||
even if ``SIGHASH_SINGLE`` or ``SIGHASH_NONE`` is set. The rationale for this
|
even if ``SIGHASH_SINGLE`` or ``SIGHASH_NONE`` is set. The rationale for this
|
||||||
change is inherited from BIP 341 [#bip-0341-nSequence]_.
|
change is inherited from BIP 341 [#bip-0341-nSequence]_.
|
||||||
|
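Review bot: The new rationale bullet states the hardware-wallet benefits without qualification, but when ``SIGHASH_ANYONECANPAY`` is set both ``amounts_sig_digest`` and ``script_codes_sig_digest`` are the hash of an empty input, so they commit to nothing about the other inputs. The bullet should say that the fee and input-ownership checks rely on these digests only when ``SIGHASH_ANYONECANPAY`` is not set, and should point out that in the other case the only commitment to ``value`` and ``script_code`` shown in this specification is the per-input ``txin_sig_digest``.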
@ -765,4 +805,7 @@ References
|
||||||
.. [#zip-0243] `ZIP 243: Transaction Signature Validation for Sapling <zip-0243.rst>`_
|
.. [#zip-0243] `ZIP 243: Transaction Signature Validation for Sapling <zip-0243.rst>`_
|
||||||
.. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection <zip-0307.rst>`_
|
.. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection <zip-0307.rst>`_
|
||||||
.. [#bip-0341] `BIP 341: Taproot: SegWit version 1 spending rules <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki>`_
|
.. [#bip-0341] `BIP 341: Taproot: SegWit version 1 spending rules <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki>`_
|
||||||
|
.. [#bip-0341-scriptPubKey] `Why does the signature message commit to the scriptPubKey? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-16>`_
|
||||||
|
.. [#bip-0341-amount] `Why does the signature message commit to the amounts of all transaction inputs? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-17>`_
|
||||||
.. [#bip-0341-nSequence] `Why does the signature message commit to all input nSequence if SIGHASH_SINGLE or SIGHASH_NONE are set? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-18>`_
|
.. [#bip-0341-nSequence] `Why does the signature message commit to all input nSequence if SIGHASH_SINGLE or SIGHASH_NONE are set? <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-18>`_
|
||||||
|
.. [#bdr-txout] `Bitcoin Developer Reference. TxOut: A Transaction Output <https://developer.bitcoin.org/reference/transactions.html#txout-a-transaction-output>`_
|
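Review bot: The two added BIP 341 footnotes link to ``#cite_note-16`` and ``#cite_note-17`` on the ``master`` branch; those numbered anchors shift whenever a footnote is added or removed upstream, so the links can end up pointing at a different rationale. Link to a fixed commit of bip-0341.mediawiki instead (the existing ``cite_note-18`` link has the same problem).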