zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zips/rendered/zip-0246.html

494 lines
45 KiB
HTML
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html>
<head>
<title>ZIP 246: Digests for the Version 6 Transaction Format</title>
<meta charset="utf-8" />
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.16.11/dist/katex.min.css" integrity="sha384-nB0miv6/jRmo5UMMR1wu3Gz6NLsoTkbqJghGIsx//Rlm+ZU03BU6SQNC66uf4l5+" crossorigin="anonymous">
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.16.11/dist/katex.min.js" integrity="sha384-7zkQWkzuo3B5mTepMUcHkMB5jZaolc2xDwL6VFqjFALcbeS9Ggm/Yr2r3Dy4lfFg" crossorigin="anonymous"></script>
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.16.11/dist/contrib/auto-render.min.js" integrity="sha384-43gviWU0YVjaDtb/GhzOouOXtZMP/7XUzwPTstBeZFe/+rCMvRwr4yROQP43s0Xk" crossorigin="anonymous" onload="renderMathInElement(document.body);"></script>
<meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head>
<body>
<section>
<pre>ZIP: 246
Title: Digests for the Version 6 Transaction Format
Owners: Arya &lt;arya@zfnd.org&gt;
Conrado Gouvea &lt;conrado@zfnd.org&gt;
Daira-Emma Hopwood &lt;daira-emma@electriccoin.co&gt;
Jack Grigg &lt;str4d@electriccoin.co&gt;
Kris Nuttycombe &lt;kris@electriccoin.co&gt;
Status: Draft
Category: Consensus
Created: 2025-02-12
License: MIT</pre>
<section id="terminology"><h2><span class="section-heading">Terminology</span><span class="section-anchor"> <a rel="bookmark" href="#terminology"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in BCP 14 <a id="footnote-reference-1" class="footnote_reference" href="#bcp14">1</a> when, and only when, they appear in all capitals.</p>
<p>The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. <a id="footnote-reference-2" class="footnote_reference" href="#zip-0200">7</a></p>
<p>The term "field encoding" refers to the binary serialized form of a Zcash transaction field, as specified in section 7.1 of the Zcash protocol specification <a id="footnote-reference-3" class="footnote_reference" href="#protocol-txnencoding">6</a>.</p>
</section>
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a rel="bookmark" href="#abstract"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This ZIP defines the digest algorithms associated with the v6 transaction format.</p>
<p>This proposal also defines the new concept of "sighash versioning": where previously each transaction version had a single associated digest algorithm, going forward it will be possible for signers to use any digest algorithm within the closed set specified for a given transaction version (and made available in consensus via network upgrades).</p>
</section>
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a rel="bookmark" href="#motivation"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
<p>TODO: Motivate sighash versioning</p>
</section>
<section id="requirements"><h2><span class="section-heading">Requirements</span><span class="section-anchor"> <a rel="bookmark" href="#requirements"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<ul>
<li>Continue to support existing functionality of the protocol (multisig, signing modes for transparent inputs).</li>
<li>It should be possible to update this ZIP with additional digest versions after the first version has been deployed in a network upgrade.</li>
</ul>
</section>
<section id="non-requirements"><h2><span class="section-heading">Non-requirements</span><span class="section-anchor"> <a rel="bookmark" href="#non-requirements"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<section id="sighash-versioning"><h3><span class="section-heading">Sighash versioning</span><span class="section-anchor"> <a rel="bookmark" href="#sighash-versioning"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Rough summary:</p>
<ul>
<li>Sighash versions are numbered starting from 0 for each tx version.</li>
<li>v0 is by convention the "commit to everything" sighash digest. Other versions can commit to whatever makes sense for desired functionality within that tx version.</li>
<li>Have a single byte encoded alongside the signature (not appended the way transparent does) that permits the signer to specify which sighash version they are using.</li>
<li>Consensus rules choose the digest algorithm for each signer based on that byte.</li>
</ul>
</section>
<section id="v0-digests"><h3><span class="section-heading">v0 Digests</span><span class="section-anchor"> <a rel="bookmark" href="#v0-digests"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The v0 digests are based on the v5 transaction digest algorithm defined in ZIP 244 <a id="footnote-reference-4" class="footnote_reference" href="#zip-0244">16</a>.</p>
<section id="txid-digest"><h4><span class="section-heading">TxId Digest</span><span class="section-anchor"> <a rel="bookmark" href="#txid-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>The overall structure of the TxID digest is as follows; each name referenced here will either be referenced or described in detail below:</p>
<pre>txid_digest
├── header_digest *
├── transparent_digest
│   ├── prevouts_digest
│   ├── sequence_digest
│   └── outputs_digest
├── sapling_digest
│   ├── sapling_spends_digest
│   │   ├── sapling_spends_compact_digest
│   │   └── sapling_spends_noncompact_digest
│   ├── sapling_outputs_digest *
│   │   ├── sapling_outputs_compact_digest *
│   │   └── sapling_outputs_noncompact_digest *
│   └── valueBalance
├── orchard_digest *
│   ├── orchard_action_groups_digest *
│   │   ├── orchard_actions_compact_digest *
│   │   ├── orchard_actions_noncompact_digest *
│   │   ├── flagsOrchard
│   │   ├── anchorOrchard
│   │   ├── nAGExpiryHeight *
│   │   └── orchard_burn_digest *
│   └── valueBalanceOrchard
├── issuance_digest *
│   ├── issue_actions_digest *
│   │   ├── issue_notes_digest *
│   │   ├── assetDescHash *
│   │   └── flagsIssuance *
│   └── issuanceValidatingKey *
└── memo_digest *
   ├── nonce *
   └── memo_chunks_digest *
      └── memo_chunk_digest *</pre>
<p>Each node written as <code>snake_case</code> in this tree is a BLAKE2b-256 hash of its children, initialized with a personalization string specific to that branch of the tree. Nodes that are not themselves digests are written in <code>camelCase</code>. In the specification below, nodes of the tree are presented in depth-first order.</p>
<p>The nodes with a <code>*</code> have new definitions given below. All other nodes have the same definition as in ZIP 244 <a id="footnote-reference-5" class="footnote_reference" href="#zip-0244">16</a>.</p>
<section id="txid-digest-1"><h5><span class="section-heading">txid_digest</span><span class="section-anchor"> <a rel="bookmark" href="#txid-digest-1"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>T.1: header_digest (32-byte hash output)
T.2: transparent_digest (32-byte hash output)
T.3: sapling_digest (32-byte hash output)
T.4: orchard_digest (32-byte hash output)
T.5: issuance_digest (32-byte hash output)
T.6: memo_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZcashTxHash_" || CONSENSUS_BRANCH_ID</pre>
<p><code>ZcashTxHash_</code> has 1 underscore character.</p>
<p>As in ZIP 244 <a id="footnote-reference-6" class="footnote_reference" href="#zip-0244">16</a>, CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the transaction.</p>
<section id="t-1-header-digest"><h6><span class="section-heading">T.1: header_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-1-header-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>T.1a: version (4-byte little-endian version identifier including overwinter flag)
T.1b: version_group_id (4-byte little-endian version group identifier)
T.1c: consensus_branch_id (4-byte little-endian consensus branch id)
T.1d: lock_time (4-byte little-endian nLockTime value)
T.1e: expiry_height (4-byte little-endian block height)
T.1f: fee (8-byte little-endian fee amount)
T.1g: burn_amount (8-byte little-endian burn amount)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdHeadersHash"</pre>
<section id="t-3b-sapling-outputs-digest"><h7><span class="section-heading">T.3b: sapling_outputs_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-3b-sapling-outputs-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>In the case that Sapling outputs are present, this digest is a BLAKE2b-256 hash of the following values</p>
<pre>T.3b.i: sapling_outputs_compact_digest (32-byte hash)
T.3b.ii: sapling_outputs_noncompact_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutputHash"</pre>
<p>In the case that the transaction has Sapling spends but no Sapling outputs, <code>sapling_outputs_digest</code> is</p>
<pre>BLAKE2b-256("ZTxIdSOutputHash", [])</pre>
<section id="t-3b-i-sapling-outputs-compact-digest"><h8><span class="section-heading">T.3b.i: sapling_outputs_compact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-3b-i-sapling-outputs-compact-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the subset of Sapling output information included in the ZIP-307 <a id="footnote-reference-7" class="footnote_reference" href="#zip-0307">19</a> <code>CompactBlock</code> format for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:</p>
<pre>T.3b.i.1: cmu (field encoding bytes)
T.3b.i.2: ephemeral_key (field encoding bytes)
T.3b.i.3: enc_ciphertext (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxId6SOutC_Hash" (1 underscore character)</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-8" class="footnote_reference" href="#zip-0230-sapling-output-field-encodings">13</a>.</p>
</section>
<section id="t-3b-ii-sapling-outputs-noncompact-digest"><h8><span class="section-heading">T.3b.ii: sapling_outputs_noncompact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-3b-ii-sapling-outputs-noncompact-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the remaining subset of Sapling output information <strong>not</strong> included in the ZIP 307 <a id="footnote-reference-9" class="footnote_reference" href="#zip-0307">19</a> <code>CompactBlock</code> format, excluding zkproof data, for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:</p>
<pre>T.3b.ii.1: cv (field encoding bytes)
T.3b.ii.3: out_ciphertext (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxId6SOutN_Hash" (1 underscore character)</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-10" class="footnote_reference" href="#zip-0230-sapling-output-field-encodings">13</a>.</p>
</section>
</section>
</section>
<section id="t-4-orchard-digest"><h6><span class="section-heading">T.4: orchard_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4-orchard-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>When OrchardZSA Actions Groups are present in the transaction, this digest is a BLAKE2b-256 hash of the following values:</p>
<pre>T.4a: orchard_action_groups_digest (32-byte hash output)
T.4b: valueBalanceOrchard (64-bit signed little-endian)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdOrchardHash"</pre>
<p>In the case that the transaction has no OrchardZSA Action Groups, <code>orchard_digest</code> is</p>
<pre>BLAKE2b-256("ZTxIdOrchardHash", [])</pre>
<section id="t-4a-orchard-action-groups-digest"><h7><span class="section-heading">T.4a: orchard_action_groups_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-orchard-action-groups-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the subset of OrchardZSA Action Groups information for all OrchardZSA Action Groups belonging to the transaction. For each Action Group, the following elements are included in the hash:</p>
<pre>T.4a.i : orchard_actions_compact_digest (32-byte hash output)
T.4a.ii : orchard_actions_noncompact_digest (32-byte hash output)
T.4a.iii : flagsOrchard (1 byte)
T.4a.iv : anchorOrchard (32 bytes)
T.4a.v : nAGExpiryHeight (4 bytes)
T.4a.vi : orchard_burn_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdOrcActGHash"</pre>
<section id="t-4a-i-orchard-actions-compact-digest"><h8><span class="section-heading">T.4a.i: orchard_actions_compact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-i-orchard-actions-compact-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the subset of OrchardZSA Action information intended to be included in an updated version of the ZIP-307 <a id="footnote-reference-11" class="footnote_reference" href="#zip-0307">19</a> <code>CompactBlock</code> format for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:</p>
<pre>T.4a.i.1 : nullifier (field encoding bytes)
T.4a.i.2 : cmx (field encoding bytes)
T.4a.i.3 : ephemeralKey (field encoding bytes)
T.4a.i.4 : encCiphertext (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxId6OActC_Hash" (1 underscore character)</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-12" class="footnote_reference" href="#zip-0230-orchard-action-field-encodings">11</a>.</p>
</section>
<section id="t-4a-ii-orchard-actions-noncompact-digest"><h8><span class="section-heading">T.4a.ii: orchard_actions_noncompact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-ii-orchard-actions-noncompact-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the remaining subset of OrchardZSA Action information <strong>not</strong> intended for inclusion in an updated version of the the ZIP 307 <a id="footnote-reference-13" class="footnote_reference" href="#zip-0307">19</a> <code>CompactBlock</code> format, for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:</p>
<pre>T.4a.ii.1 : cv (field encoding bytes)
T.4a.ii.2 : rk (field encoding bytes)
T.4a.ii.3 : outCiphertext (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxId6OActN_Hash" (1 underscore character)</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-14" class="footnote_reference" href="#zip-0230-orchard-action-field-encodings">11</a>.</p>
</section>
</section>
<section id="t-4a-vi-orchard-burn-digest"><h7><span class="section-heading">T.4a.vi: orchard_burn_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-vi-orchard-burn-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the data from the burn fields of the transaction. For each tuple in the
<span class="math">\(\mathsf{assetBurn}\)</span>
set, the following elements are included in the hash:</p>
<pre>T.4b.i : assetBase (field encoding bytes)
T.4b.ii: valueBurn (64-bit unsigned little-endian)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdOrcBurnHash"</pre>
<p>In case the transaction does not perform the burning of any Assets (i.e. the
<span class="math">\(\mathsf{assetBurn}\)</span>
set is empty), the <code>orchard_burn_digest</code> is:</p>
<pre>BLAKE2b-256("ZTxIdOrcBurnHash", [])</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-15" class="footnote_reference" href="#zip-0230-orchard-asset-burn-field-encodings">12</a>.</p>
</section>
</section>
<section id="t-5-issuance-digest"><h6><span class="section-heading">T.5: issuance_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-5-issuance-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>T.5a: issue_actions_digest (32-byte hash output)
T.5b: issuanceValidatingKey (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSAIssueHash"</pre>
<p>In case the transaction has no issuance components, <code>issuance_digest</code> is:</p>
<pre>BLAKE2b-256("ZTxIdSAIssueHash", [])</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-16" class="footnote_reference" href="#zip-0230-transaction-field-encodings">9</a>.</p>
<section id="t-5a-issue-actions-digest"><h7><span class="section-heading">T.5a: issue_actions_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-issue-actions-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of Issue Action information for all Issuance Actions belonging to the transaction. For each Action, the following elements are included in the hash:</p>
<pre>T.5a.i : notes_digest (32-byte hash output)
T.5a.ii : assetDescHash (field encoding bytes)
T.5a.iii: flagsIssuance (1 byte)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdIssuActHash"</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-17" class="footnote_reference" href="#zip-0230-issue-actions-field-encodings">14</a>.</p>
<section id="t-5a-i-issue-notes-digest"><h8><span class="section-heading">T.5a.i: issue_notes_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-5a-i-issue-notes-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of Note information for all Notes belonging to the Issuance Action. For each Note, the following elements are included in the hash:</p>
<pre>T.5a.i.1: recipient (field encoding bytes)
T.5a.i.2: value (field encoding bytes)
T.5a.i.3: rho (field encoding bytes)
T.5a.i.4: rseed (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdIAcNoteHash"</pre>
<p>In case the transaction has no Issue Notes, <code>issue_notes_digest</code> is:</p>
<pre>BLAKE2b-256("ZTxIdIAcNoteHash", [])</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-18" class="footnote_reference" href="#zip-0230-issue-notes-field-encodings">15</a>.</p>
</section>
</section>
</section>
<section id="t-6-memo-digest"><h6><span class="section-heading">T.6: memo_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-6-memo-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>T.6a: nonce (field encoding bytes)
T.6b: memo_chunks_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdMemo___Hash" (3 underscore characters)</pre>
<p>In case the transaction has no memo chunks, <code>memo_digest</code> is:</p>
<pre>BLAKE2b-256("ZTxIdMemo___Hash", [])</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-19" class="footnote_reference" href="#zip-0230-transaction-field-encodings">9</a>.</p>
<section id="t-6b-memo-chunks-digest"><h7><span class="section-heading">T.6b: memo_chunks_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-6b-memo-chunks-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the concatenated <code>memo_chunk_digest</code> values of all memo chunks within the memo bundle.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdMemoCksHash"</pre>
<p>In the case that the transaction has transparent inputs but no transparent outputs, <code>outputs_digest</code> is</p>
<pre>BLAKE2b-256("ZTxIdMemoCksHash", [])</pre>
<section id="t-6b-i-memo-chunk-digest"><h8><span class="section-heading">T.6b.i: memo_chunk_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-6b-i-memo-chunk-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the field encoding of a single encrypted Memo Chunk.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdMemoCk_Hash" (1 underscore character)</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-20" class="footnote_reference" href="#zip-0230-issue-actions-field-encodings">14</a>.</p>
</section>
</section>
</section>
</section>
</section>
<section id="signature-digest"><h4><span class="section-heading">Signature Digest</span><span class="section-anchor"> <a rel="bookmark" href="#signature-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>The per-input transaction digest algorithm to generate the signature digest in ZIP 244 <a id="footnote-reference-21" class="footnote_reference" href="#zip-0244-sigdigest">17</a> is modified so that a signature digest is produced for each transparent input, each Sapling input, each OrchardZSA Action, and additionally for each Issuance Action. The modifications replace the <code>orchard_digest</code> in ZIP 244 with a new <code>orchard_digest</code>, and add a new branch, <code>issuance_digest</code>, for the Issuance Action information.</p>
<p>The overall structure of the hash is as follows. We omit the descriptions of the sections that do not change for the OrchardZSA protocol:</p>
<pre>signature_digest
├── header_digest
├── transparent_sig_digest
├── sapling_digest
├── orchard_digest
├── issuance_digest
└── memo_digest</pre>
<section id="signature-digest-1"><h5><span class="section-heading">signature_digest</span><span class="section-anchor"> <a rel="bookmark" href="#signature-digest-1"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>S.1: header_digest (32-byte hash output)
S.2: transparent_sig_digest (32-byte hash output)
S.3: sapling_digest (32-byte hash output)
S.4: orchard_digest (32-byte hash output)
S.5: issuance_digest (32-byte hash output)
S.6: memo_digest (32-byte hash output)</pre>
<p>The personalization field remains the same as in ZIP 244 <a id="footnote-reference-22" class="footnote_reference" href="#zip-0244">16</a>, namely:</p>
<pre>"ZcashTxHash_" || CONSENSUS_BRANCH_ID</pre>
<p><code>ZcashTxHash_</code> has 1 underscore character.</p>
<section id="s-4-orchard-digest"><h6><span class="section-heading">S.4: orchard_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-4-orchard-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to that specified for the transaction identifier.</p>
</section>
<section id="s-5-issuance-digest"><h6><span class="section-heading">S.5: issuance_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-5-issuance-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to the <code>issuance_digest</code> specified for the transaction identifier in ZIP 227 <a id="citation-reference-1" class="citation_reference" href="#zip-0227-txiddigest">zip-0227-txiddigest</a>.</p>
</section>
<section id="s-6-memo-digest"><h6><span class="section-heading">S.6: memo_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-6-memo-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to that specified for the transaction identifier.</p>
</section>
</section>
</section>
<section id="authorizing-data-commitment"><h4><span class="section-heading">Authorizing Data Commitment</span><span class="section-anchor"> <a rel="bookmark" href="#authorizing-data-commitment"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>The transaction digest algorithm defined in ZIP 244 <a id="footnote-reference-23" class="footnote_reference" href="#zip-0244-authcommitment">18</a> which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. There is a new branch added for issuance information, and the <code>orchard_auth_digest</code> in ZIP 244 is replaced with <code>orchard_auth_digest</code> to account for the presence of Action Groups.</p>
<p>We omit the descriptions of the sections that do not change for the OrchardZSA protocol:</p>
<pre>auth_digest
├── transparent_scripts_digest
├── sapling_auth_digest
├── orchard_auth_digest
└── issuance_auth_digest</pre>
<p>The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.</p>
<section id="auth-digest"><h5><span class="section-heading">auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#auth-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>A.1: transparent_scripts_digest (32-byte hash output)
A.2: sapling_auth_digest (32-byte hash output)
A.3: orchard_auth_digest (32-byte hash output)
A.4: issuance_auth_digest (32-byte hash output)</pre>
<p>The personalization field of this hash remains the same as in ZIP 244.</p>
<section id="a-3-orchard-auth-digest"><h6><span class="section-heading">A.3: orchard_auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-3-orchard-auth-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>In the case that OrchardZSA Action Groups are present, this is a BLAKE2b-256 hash of the following values:</p>
<pre>A.3a: orchard_action_groups_auth_digest (32-byte hash output)
A.3b: bindingSigOrchard (field encoding bytes)</pre>
<p>The personalization field of this hash is the same as in ZIP 244, that is:</p>
<pre>"ZTxAuthOrchaHash"</pre>
<p>In case that the transaction has no OrchardZSA Action Groups, <code>orchard_auth_digest</code> is:</p>
<pre>BLAKE2b-256("ZTxAuthOrchaHash", [])</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-24" class="footnote_reference" href="#zip-0230-transaction-field-encodings">9</a>.</p>
<section id="a-3a-orchard-action-groups-auth-digest"><h7><span class="section-heading">A.3a: orchard_action_groups_auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-3a-orchard-action-groups-auth-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash of the <code>proofsOrchard</code> field of all OrchardZSA Action Groups belonging to the transaction; followed by the <code>spendAuthSigsOrchard</code> fields corresponding to every OrchardZSA Action in the OrchardZSA Action Group, for all OrchardZSA Action Groups belonging to the transaction:</p>
<pre>A.3a.i: proofsOrchard (field encoding bytes)
A.3a.ii: spendAuthSigsOrchard (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthOrcAGHash"</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-25" class="footnote_reference" href="#zip-0230-orchard-action-group-field-encodings">10</a>.</p>
</section>
</section>
</section>
<section id="a-4-issuance-auth-digest"><h5><span class="section-heading">A.4: issuance_auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-4-issuance-auth-digest"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>In the case that Issuance Actions are present, this is a BLAKE2b-256 hash of the field encoding of the <code>issueAuthSig</code> field of the transaction:</p>
<pre>A.4a: issueAuthSig (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthZSAOrHash"</pre>
<p>In the case that the transaction has no Orchard Actions, <code>issuance_auth_digest</code> is</p>
<pre>BLAKE2b-256("ZTxAuthZSAOrHash", [])</pre>
<p>The field encodings are specified in ZIP 230 <a id="footnote-reference-26" class="footnote_reference" href="#zip-0230-transaction-field-encodings">9</a>.</p>
</section>
</section>
</section>
</section>
<section id="rationale"><h2><span class="section-heading">Rationale</span><span class="section-anchor"> <a rel="bookmark" href="#rationale"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="reference-implementation"><h2><span class="section-heading">Reference implementation</span><span class="section-anchor"> <a rel="bookmark" href="#reference-implementation"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>TBD</p>
</section>
<section id="references"><h2><span class="section-heading">References</span><span class="section-anchor"> <a rel="bookmark" href="#references"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<table id="bcp14" class="footnote">
<tbody>
<tr>
<th>1</th>
<td><a href="https://www.rfc-editor.org/info/bcp14">Information on BCP 14 — "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels" and "RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</a></td>
</tr>
</tbody>
</table>
<table id="protocol" class="footnote">
<tbody>
<tr>
<th>2</th>
<td><a href="protocol/protocol.pdf">Zcash Protocol Specification, Version 2024.5.1 or later [NU6]</a></td>
</tr>
</tbody>
</table>
<table id="protocol-spenddesc" class="footnote">
<tbody>
<tr>
<th>3</th>
<td><a href="protocol/protocol.pdf#spenddesc">Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.4: Spend Descriptions</a></td>
</tr>
</tbody>
</table>
<table id="protocol-outputdesc" class="footnote">
<tbody>
<tr>
<th>4</th>
<td><a href="protocol/protocol.pdf#outputdesc">Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.5: Output Descriptions</a></td>
</tr>
</tbody>
</table>
<table id="protocol-actiondesc" class="footnote">
<tbody>
<tr>
<th>5</th>
<td><a href="protocol/protocol.pdf#actiondesc">Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 4.6: Action Descriptions</a></td>
</tr>
</tbody>
</table>
<table id="protocol-txnencoding" class="footnote">
<tbody>
<tr>
<th>6</th>
<td><a href="protocol/protocol.pdf#txnencoding">Zcash Protocol Specification, Version 2022.3.8. Section 7.1: Transaction Encoding and Consensus</a></td>
</tr>
</tbody>
</table>
<table id="zip-0200" class="footnote">
<tbody>
<tr>
<th>7</th>
<td><a href="zip-0200.html">ZIP 200: Network Upgrade Mechanism</a></td>
</tr>
</tbody>
</table>
<table id="zip-0227-txiddigest" class="footnote">
<tbody>
<tr>
<th>8</th>
<td><a href="zip-0227.html">ZIP 227: Issuance of Zcash Shielded Assets: TODO (issuance digest anchor missing)</a></td>
</tr>
</tbody>
</table>
<table id="zip-0230-transaction-field-encodings" class="footnote">
<tbody>
<tr>
<th>9</th>
<td><a href="zip-0230.html#transaction-format">ZIP 230: Version 6 Transaction Format. Specification: Transaction Format</a></td>
</tr>
</tbody>
</table>
<table id="zip-0230-orchard-action-group-field-encodings" class="footnote">
<tbody>
<tr>
<th>10</th>
<td><a href="zip-0230.html#orchardzsa-action-group-description">ZIP 230: Version 6 Transaction Format. Specification: OrchardZSA Action Group Description</a></td>
</tr>
</tbody>
</table>
<table id="zip-0230-orchard-action-field-encodings" class="footnote">
<tbody>
<tr>
<th>11</th>
<td><a href="zip-0230.html#orchardzsa-action-description">ZIP 230: Version 6 Transaction Format. Specification: OrchardZSA Action Description</a></td>
</tr>
</tbody>
</table>
<table id="zip-0230-orchard-asset-burn-field-encodings" class="footnote">
<tbody>
<tr>
<th>12</th>
<td><a href="zip-0230.html#orchardzsa-asset-burn-description">ZIP 230: Version 6 Transaction Format. Specification: OrchardZSA Asset Burn Description</a></td>
</tr>
</tbody>
</table>
<table id="zip-0230-sapling-output-field-encodings" class="footnote">
<tbody>
<tr>
<th>13</th>
<td><a href="zip-0230.html#sapling-output-description-outputdescriptionv6">ZIP 230: Version 6 Transaction Format. Specification: Sapling Output Description (OutputDescriptionV6)</a></td>
</tr>
</tbody>
</table>
<table id="zip-0230-issue-actions-field-encodings" class="footnote">
<tbody>
<tr>
<th>14</th>
<td><a href="zip-0230.html#issuance-action-description">ZIP 230: Version 6 Transaction Format. Specification: Issuance Action Description</a></td>
</tr>
</tbody>
</table>
<table id="zip-0230-issue-notes-field-encodings" class="footnote">
<tbody>
<tr>
<th>15</th>
<td><a href="zip-0230.html#issue-note-description">ZIP 230: Version 6 Transaction Format. Specification: Issue Note Description</a></td>
</tr>
</tbody>
</table>
<table id="zip-0244" class="footnote">
<tbody>
<tr>
<th>16</th>
<td><a href="zip-0244.html">ZIP 244: Transaction Identifier Non-Malleability</a></td>
</tr>
</tbody>
</table>
<table id="zip-0244-sigdigest" class="footnote">
<tbody>
<tr>
<th>17</th>
<td><a href="zip-0244.html#signature-digest">ZIP 244: Transaction Identifier Non-Malleability: Signature Digest</a></td>
</tr>
</tbody>
</table>
<table id="zip-0244-authcommitment" class="footnote">
<tbody>
<tr>
<th>18</th>
<td><a href="zip-0244.html#authorizing-data-commitment">ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data Commitment</a></td>
</tr>
</tbody>
</table>
<table id="zip-0307" class="footnote">
<tbody>
<tr>
<th>19</th>
<td><a href="zip-0307.html">ZIP 307: Light Client Protocol for Payment Detection</a></td>
</tr>
</tbody>
</table>
</section>
</section>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink