In zcash/zips#577 we altered ZIP 244 to have shielded signatures commit
to the same data as transparent inputs, in transactions that contain
transparent components. However, the edge case of shielded coinbase was
not correctly handled; they contain both a consensus-required "dummy"
transparent input, and binding signatures which would be required to
commit to a `CTxOut` that does not exist.
We resolve this by partially reverting one of the zcash/zips#577 changes,
by having S.2 for coinbase transactions be identical to T.2. This reverts
binding signatures in coinbase transactions to effectively signing the
transaction ID.
At the same time, we also revert the same change for transactions with no
transparent inputs but some transparent outputs; these also now revert to
using the transaction ID for all shielded signatures (like fully-shielded
transactions). The hardware wallet edge case does not apply here, as all
input values are shielded and therefore directly committed to.

This is a no-op for every scriptPubKey format except P2SH, where we now
commit to the digest of the redeemScript instead of redeemScript
directly.

This was committed to by the ZIP 143 and ZIP 243 transaction digest
algorithms, but had been accidentally omitted from ZIP 244. It is not a
security issue because the encoding of each layer uses sentinel values,
meaning we were indirectly committing to hash_type (unlike BIP 341, which
conditionally omits commitments based on hash_type and therefore needs to
directly commit to it). But not committing directly to hash_type would
complicate security analysis of the digest, and including it keeps the
transparent part of ZIP 244 closer to BIP 341.
We additionally import two new consensus rules from BIP 341 that apply
to hash_type.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Kris Nuttycom <nuttycom@electriccoin.co>

This changes the specification of hashAuthDataRoot to state that leaves
of the Merkle tree used to construct hashAuthDataRoot should have the
null hash value, while empty internal nodes should be hashes of empty
leaves. It also defines an all-FFs placeholder value to be used for
pre-v5 transactions in this tree.
Co-authored-by: Kris Nuttycom <nuttycom@electriccoin.co>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

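A small model of the padding rule this commit specifies, added here as an illustration and not code from the ZIP or the zcash/zips repository: the 32-byte null hash fills empty leaf positions, empty internal nodes are hashes of empty leaves rather than the null hash, and pre-v5 transactions contribute the all-FFs placeholder. The BLAKE2b-256 personalization string used for node hashing is an assumption not stated above.

```python
import hashlib
from typing import List

# Values named in the commit message:
NULL_HASH = bytes(32)                 # null hash: fills empty leaf positions
PRE_V5_PLACEHOLDER = b"\xff" * 32     # all-FFs placeholder for v1..v4 transactions

# Assumption: the tree hash is BLAKE2b-256 with this personalization.
# The commit message does not state it; it is an illustrative choice here.
PERSONALIZATION = b"ZcashAuthDatHash"


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash an internal node from its two 32-byte children."""
    return hashlib.blake2b(left + right, digest_size=32,
                           person=PERSONALIZATION).digest()


def tx_leaf(tx_version: int, auth_commitment: bytes) -> bytes:
    """Leaf for one transaction: its authorizing data commitment for v5+,
    the all-FFs placeholder for earlier versions, which have none."""
    if tx_version < 5:
        return PRE_V5_PLACEHOLDER
    assert len(auth_commitment) == 32
    return auth_commitment


def auth_data_root(leaves: List[bytes]) -> bytes:
    """Root of a complete binary tree over `leaves`, padded to a power of two.

    Padding positions are *leaves* carrying NULL_HASH, so an empty internal
    node is the hash of two empty leaves, never NULL_HASH itself."""
    size = 1
    while size < len(leaves):
        size *= 2
    level = list(leaves) + [NULL_HASH] * (size - len(leaves))
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]


def empty_internal_node(depth: int) -> bytes:
    """Hash of an empty subtree of the given depth (depth 0 is an empty leaf)."""
    node = NULL_HASH
    for _ in range(depth):
        node = node_hash(node, node)
    return node
```
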
Make the specification of the cases in which empty hashes are produced more
explicit, and less dependent upon how these rules are scoped.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>

This change restructures the wire format of Sapling spend and output
descriptions to segregate authorizing data from the data describing the
effects of the transaction in a similar fashion as has been done for
Orchard. The result is now symmetric between Sapling and Orchard, and
also simplifies slightly the description of the computation of the
authorizing data commitment in ZIP 244.