Daira Hopwood
8e2215c577
ZIP 32: Fix an error in #588; "ZcashIP32_Sprout" was a personalization for BLAKE2b-512, not BLAKE2b-256.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-28 18:33:31 +00:00
Daira Hopwood
2a4ab049b9
Merge pull request #588 from daira/zip-32-remove-sprout-hd
ZIP 32: Remove Sprout-related specifications
2022-01-28 18:24:51 +00:00
Daira Hopwood
7bd2845dbd
ZIP 32: Remove Sprout-related specifications. fixes #581
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-28 17:44:15 +00:00
Deirdre Connolly
de6dcad4df
Merge pull request #587 from str4d/zip-244-coinbase-fix
ZIP 244: Fix ill-defined commitments for shielded coinbase
2022-01-26 16:20:01 -05:00
Jack Grigg
4075c18cc4
ZIP 244: Fix ill-defined commitments for shielded coinbase
In zcash/zips#577 we altered ZIP 244 to have shielded signatures commit
to the same data as transparent inputs, in transactions that contain
transparent components. However, the edge case of shielded coinbase was
not correctly handled; they contain both a consensus-required "dummy"
transparent input, and binding signatures which would be required to
commit to a `CTxOut` that does not exist.
We resolve this by partially reverting one of the zcash/zips#577 changes,
by having S.2 for coinbase transactions be identical to T.2. This reverts
binding signatures in coinbase transactions to effectively signing the
transaction ID.
At the same time, we also revert the same change for transactions with no
transparent inputs but some transparent outputs; these also now revert to
using the transaction ID for all shielded signatures (like fully-shielded
transactions). The hardware wallet edge case does not apply here, as all
input values are shielded and therefore directly committed to.
2022-01-24 22:46:41 +00:00
Daira Hopwood
43c8cae266
Merge pull request #576 from daira/internal-key-derivation
ZIPs 32 and 316: add internal key derivation for Sapling, Orchard, and P2PKH
2022-01-19 19:12:14 +00:00
Daira Hopwood
8734965d0c
ZIPs 32 and 316: Regenerate HTML.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:11:28 +00:00
Daira Hopwood
df0f9e6bee
ZIP 32: Wording improvements to avoid implying that we want an internal address/FVK for every
external address/FVK.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:09:56 +00:00
Daira Hopwood
8b8b3f7c5d
ZIP 316: UAs can be used in Payment Requests without any change to ZIP 321.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:52 +00:00
Daira Hopwood
c562b100f8
ZIP 316: add "Usage of Outgoing Viewing Keys" section.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:52 +00:00
Daira Hopwood
ca302f40ef
ZIPs 32 and 316: update and correct protocol spec references.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:52 +00:00
Daira Hopwood
2b5c860df5
ZIP 32: Add Sean Bowe, Kris Nuttycombe and Ying Tong Lai to Credits.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:52 +00:00
Daira Hopwood
61223ae9b0
ZIP 32: Simplify Orchard internal key derivation diagram.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:51 +00:00
Daira Hopwood
d27d2fd836
ZIP 316: Clarify that UAs/UVKs MUST contain at least one shielded item. This is stronger than
the former requirement that a UA/UVK MUST NOT contain only P2SH or P2PKH items, due to the
existence of Typecodes that are not currently defined.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:51 +00:00
Daira Hopwood
4683507160
ZIP 316: add Deriving Internal Keys section, and minor cleanups.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:51 +00:00
Daira Hopwood
7b70d343b7
ZIP 316: link to the section of the protocol spec describing QR encoding.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:51 +00:00
Daira Hopwood
79e6a10f0a
ZIP 32: add internal key derivation for Sapling and Orchard.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:51 +00:00
Daira Hopwood
98515d003f
ZIP 32: cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:51 +00:00
Daira Hopwood
d2b0f2d861
ZIP 32: disambiguate ToScalar and DiversifyHash for Sapling vs Orchard.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 19:00:51 +00:00
Daira Hopwood
82c59282fe
Regenerate PDFs.
2022-01-19 18:16:51 +00:00
Daira Hopwood
81858fff41
Set Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 18:09:23 +00:00
Daira Hopwood
6c32c7c7ea
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 18:09:23 +00:00
Daira Hopwood
dcc5532d61
In \crossref{sighash}, add a consensus rule that SIGHASH type encodings MUST be canonical
for v5 transactions.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 18:09:23 +00:00
Daira Hopwood
24cfab0b55
Add reference to [BCGGMTV2014] when discussing an example of an incorrect security claim.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 18:09:23 +00:00
Daira Hopwood
4ef578706b
In \crossref{internalh}, add a security argument for why the SHA-256-based commitment scheme
NoteCommit^Sprout is binding and hiding, under reasonable assumptions about SHA256Compress.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 18:09:23 +00:00
Daira Hopwood
0cdab5071b
In \crossref{joinsplit}, clarify that balance for JoinSplit transfers is enforced by the
JoinSplit statement, and that there is no consensus rule to check it directly.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 18:09:23 +00:00
Daira Hopwood
ac9dd97f77
Merge pull request #577 from str4d/574-changes-to-zip-244-transparent
[ZIP 244] Changes to transparent component of signature digest
2022-01-13 14:32:13 +00:00
Daira Hopwood
2ae8fc6cec
Minor wording nits.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-13 14:29:30 +00:00
Jack Grigg
1b30e57bde
ZIP 244: Commit to scriptPubKey in txin_sig_digest instead of scriptCode
This is a no-op for every scriptPubKey format except P2SH, where we now
commit to the digest of the redeemScript instead of redeemScript
directly.
2022-01-12 22:08:22 +00:00
Jack Grigg
509b7a2b0c
ZIP 244: Rename script_codes_sig_digest to scriptpubkeys_sig_digest
2022-01-12 16:00:23 +00:00
Jack Grigg
8e74c62a21
ZIP 244: Fix numbering of BIP 341 references
Co-authored-by: Kris Nuttycombe <kris@nutty.land>
2022-01-12 15:58:51 +00:00
Jack Grigg
9e12b49e03
Merge branch 'main' into 574-changes-to-zip-244-transparent
2022-01-12 15:58:36 +00:00
Daira Hopwood
aef6aad4fc
[Dark mode] Remove unimportant "!important" annotation in section anchor style.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-11 13:24:24 +00:00
Daira Hopwood
0ada3050af
[Dark mode] Fix the background colour of the section anchor image.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-11 13:19:12 +00:00
Daira Hopwood
3ba7b5f246
ZIP 243: clarify in "Backward compatibility" that the reason why the ZIP 243 sighash algorithm
is used for all transactions from Sapling activation, is that v3 transactions are no longer valid.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-11 13:09:11 +00:00
Kris Nuttycombe
30ff9f6ddb
Regenerate HTML
2022-01-07 16:46:10 -07:00
Deirdre Connolly
a3a86b4a44
Update zip-0244.rst
Co-authored-by: str4d <thestr4d@gmail.com>
2022-01-06 13:54:49 -05:00
Daira Hopwood
bdfe15bb3f
Apply suggestions from code review
Co-authored-by: Kris Nuttycombe <kris.nuttycombe@gmail.com>
2022-01-05 17:37:33 +00:00
Jack Grigg
2671741042
ZIP 244: Regenerate HTML
2022-01-04 00:54:16 +00:00
Jack Grigg
68b6147c02
ZIP 244: Reverse order of value and script_code in txin_sig_digest
This matches the order in which they are committed to in BIP 341 (and
also at the transaction level in S.2).
2022-01-04 00:52:07 +00:00
Jack Grigg
89f46c2d99
ZIP 244: Add hash_type to the S.2 digest input
This was committed to by the ZIP 143 and ZIP 243 transaction digest
algorithms, but had been accidentally omitted from ZIP 244. It is not a
security issue because the encoding of each layer uses sentinel values,
meaning we were indirectly committing to hash_type (unlike BIP 341, which
conditionally omits commitments based on hash_type and therefore needs to
directly commit to it). But not committing directly to hash_type would
complicate security analysis of the digest, and including it keeps the
transparent part of ZIP 244 closer to BIP 341.
We additionally import two new consensus rules from BIP 341 that apply
to hash_type.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Kris Nuttycom <nuttycom@electriccoin.co>
2022-01-04 00:45:47 +00:00
Jack Grigg
c2585a4fc9
ZIP 244: Extend S.2 to be used for shielded signatures
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 23:49:04 +00:00
Jack Grigg
daac926497
ZIP 244: Add new S.2 commitments to input amounts and scriptCodes
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 23:47:13 +00:00
Jack Grigg
2442192519
ZIP 244: Change semantics of `sequence_sig_digest`
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:39:38 +00:00
Daira Hopwood
8572075604
Regenerate PDFs.
2022-01-03 22:20:04 +00:00
Daira Hopwood
02adb44328
Set Change History entry date, and update version year to 2022.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
b57f6d1487
Correct the note about domain separators for PRF^expand in \crossref{abstractprfs},
and ensure that new domain separators for deriving internal keys from ZIPs 32 and 316 are included.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
cf1995c2ed
Fix stale links, and correct the accenting of [MÁEÁ2010].
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
59a220d59e
Change the types of cm_x, Uncommitted^Orchard, and ak in Orchard to { 0 .. q_P-1 },
avoiding type errors and reflecting the implementation in zcashd. This eliminates all uses of P_x
(except that ak in an Orchard full viewing key is still required to be a valid Pallas affine
x-coordinate). Also clarify the coordinate system whenever we refer to coordinates.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
b6e00e0d41
Refine the security argument in the note about partitioning oracle attacks.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00