<!DOCTYPE html>
<html>
<head>
<title>ZIP 244: Transaction Identifier Non-Malleability</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head>
<body>
<section>
<pre>ZIP: 244
Title: Transaction Identifier Non-Malleability
Owners: Kris Nuttycombe &lt;kris@electriccoin.co&gt;
Daira Hopwood &lt;daira@electriccoin.co&gt;
Status: Proposed
Category: Consensus
Created: 2021-01-06
License: MIT
Discussions-To: &lt;<a href="https://github.com/zcash/zips/issues/411">https://github.com/zcash/zips/issues/411</a>&gt;</pre>
<section id="terminology"><h2><span class="section-heading">Terminology</span><span class="section-anchor"> <a rel="bookmark" href="#terminology"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The key words "MUST" and "MUST NOT" in this document are to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
<p>The terms "consensus branch", "epoch", and "network upgrade" in this document are to be interpreted as described in ZIP 200. <a id="id2" class="footnote_reference" href="#zip-0200">2</a></p>
<p>The term "field encoding" refers to the binary serialized form of a Zcash transaction field, as specified in section 7.1 of the Zcash protocol specification <a id="id3" class="footnote_reference" href="#protocol-consensus">7</a>.</p>
</section>
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a rel="bookmark" href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This proposal defines a new transaction digest algorithm for the &lt;TBD&gt; network upgrade onward, in order to introduce non-malleable transaction identifiers that commit to all transaction data except for attestations to transaction validity.</p>
<p>This proposal also defines a new transaction digest algorithm for signature validation, which shares all available structure produced during the construction of transaction identifiers, in order to minimize redundant data hashing in validation.</p>
<p>This proposal also defines a new name and semantics for the <code>hashLightClientRoot</code> field of the block header, to enable additional commitments to be represented in this hash and to provide a mechanism for future extensibility of the set of commitments represented.</p>
</section>
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a rel="bookmark" href="#motivation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>In all cases, but particularly in order to support the use of transactions in higher-level protocols, any modification of the transaction that has not been explicitly permitted (such as via anyone-can-spend inputs) should invalidate attestations to spend authority or to the included outputs. Following the activation of this proposed change, transaction identifiers will be stable irrespective of any possible malleation of "witness data" such as proofs and transaction signatures.</p>
<p>In addition, by specifying a transaction identifier and signature algorithm that is decoupled from the serialized format of the transaction as a whole, this change makes it so that the wire format of transactions is no longer consensus-critical.</p>
</section>
<section id="requirements"><h2><span class="section-heading">Requirements</span><span class="section-anchor"> <a rel="bookmark" href="#requirements"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<ul>
<li>Continue to support existing functionality of the protocol (multisig, signing modes for transparent inputs).</li>
<li>Allow the use of transaction ids, and pairs of the form (transaction id, output index) as stable identifiers.</li>
<li>A sender must be able to recognize their own transaction, even given allowed forms of malleability such as recomputation of transaction signatures.</li>
<li>In the case of transparent inputs, it should be possible to create a transaction (B) that spends the outputs from a previous transaction (A) even before (A) has been mined. This should also be possible in the case that the creator of (B) does not wait for confirmations of (A). That is, (B) should remain valid so long as any variant of (A) is eventually mined.</li>
<li>It should not be possible for an attacker to malleate a transaction in a fashion that would result in the transaction being interpreted as a double-spend.</li>
<li>It should be possible in the future to upgrade the protocol in such a fashion that only non-malleable transactions are accepted.</li>
<li>It should be possible to use the transaction id unmodified as the value that is used to produce a signature hash in the case that the transaction contains no transparent inputs, or in the case that only the <code>SIGHASH_ALL</code> flag is used.</li>
</ul>
</section>
<section id="non-requirements"><h2><span class="section-heading">Non-requirements</span><span class="section-anchor"> <a rel="bookmark" href="#non-requirements"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>In order to support backwards-compatibility with parts of the ecosystem that have not yet upgraded to the non-malleable transaction format, it is not an initial requirement that all transactions be non-malleable.</p>
</section>
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<section id="digests"><h3><span class="section-heading">Digests</span><span class="section-anchor"> <a rel="bookmark" href="#digests"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>All digests are personalized BLAKE2b-256 hashes. In cases where no elements are available for hashing (for example, if there are no transparent inputs) the resulting hash will be over just the personalization string, providing domain separation even for empty data fields.</p>
<section id="txid-digest"><h4><span class="section-heading">TxId Digest</span><span class="section-anchor"> <a rel="bookmark" href="#txid-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>A new transaction digest algorithm is defined that constructs the identifier for a transaction from a tree of hashes. Each branch of the tree of hashes will correspond to a specific subset of transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:</p>
<pre>txid_digest
├── header_digest
├── transparent_digest
│   ├── prevouts_digest
│   ├── sequence_digest
│   └── outputs_digest
├── sprout_digest
└── sapling_digest
    ├── sapling_spends_digest
    │   ├── sapling_spends_compact_digest
    │   └── sapling_spends_noncompact_digest
    ├── sapling_outputs_digest
    │   ├── sapling_outputs_compact_digest
    │   ├── sapling_outputs_memos_digest
    │   └── sapling_outputs_noncompact_digest
    └── valueBalance</pre>
<p>Each node written as <code>snake_case</code> in this tree is a BLAKE2b-256 hash of its children, initialized with a personalization string specific to that branch of the tree. Nodes that are not themselves digests are written in <code>camelCase</code>. In the specification below, nodes of the tree are presented in depth-first order.</p>
<section id="id4"><h5><span class="section-heading">txid_digest</span><span class="section-anchor"> <a rel="bookmark" href="#id4"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>T.1: header_digest (32-byte hash output)
T.2: transparent_digest (32-byte hash output)
T.3: sprout_digest (32-byte hash output)
T.4: sapling_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZcashTxHash_" || CONSENSUS_BRANCH_ID</pre>
<p><code>ZcashTxHash_</code> has 1 underscore character.</p>
<p>As in ZIP 143 <a id="id5" class="footnote_reference" href="#zip-0143">5</a>, CONSENSUS_BRANCH_ID is the 4-byte little-endian encoding of the consensus branch ID for the epoch of the block containing the transaction. Domain separation of the transaction id hash across parallel consensus branches provides replay protection: transactions targeted for one consensus branch will not have the same transaction identifier on other consensus branches.</p>
<p>This signature hash personalization prefix has been changed to reflect the new role of this hash (relative to <code>ZcashSigHash</code> as specified in ZIP 143) as a transaction identifier rather than a commitment that is exclusively used for signature purposes. The previous computation of the transaction identifier was a SHA256d hash of the serialized transaction contents, and was not personalized.</p>
<section id="t-1-header-digest"><h6><span class="section-heading">T.1: header_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-1-header-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>T.1a: version (4-byte little-endian version identifier including overwinter flag)
T.1b: version_group_id (4-byte little-endian version group identifier)
T.1c: consensus_branch_id (4-byte little-endian consensus branch id)
T.1d: lock_time (4-byte little-endian nLockTime value)
T.1e: expiry_height (4-byte little-endian block height)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdHeadersHash"</pre>
</section>
<section id="t-2-transparent-digest"><h6><span class="section-heading">T.2: transparent_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-2-transparent-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>T.2a: prevouts_digest (32-byte hash)
T.2b: sequence_digest (32-byte hash)
T.2c: outputs_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdTranspaHash"</pre>
<section id="t-2a-prevouts-digest"><h7><span class="section-heading">T.2a: prevouts_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-2a-prevouts-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the field encoding of all <code>outpoint</code> field values of transparent inputs to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdPrevoutHash"</pre>
</section>
<section id="t-2b-sequence-digest"><h7><span class="section-heading">T.2b: sequence_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-2b-sequence-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the 32-bit little-endian representation of all <code>nSequence</code> field values of transparent inputs to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSequencHash"</pre>
</section>
<section id="t-2c-outputs-digest"><h7><span class="section-heading">T.2c: outputs_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-2c-outputs-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>A BLAKE2b-256 hash of the field encodings of all transparent output (<code>vout</code>) field values belonging to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdOutputsHash"</pre>
</section>
</section>
<section id="t-3-sprout-digest"><h6><span class="section-heading">T.3: sprout_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-3-sprout-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the non-authorizing components of Sprout <code>JSDescription</code> values belonging to the transaction. For each <code>JSDescription</code>, the following elements are appended to the hash:</p>
<pre>T.3a: vpub_old (8-byte signed little-endian)
T.3b: vpub_new (8-byte signed little-endian)
T.3c: anchor (32 bytes)
T.3d: nullifiers (2 x 32 bytes)
T.3e: commitments (2 x 32 bytes)
T.3f: ephemeral_key (32 bytes)
T.3g: random_seed (32 bytes)
T.3h: macs (2 x 32 bytes)
T.3i: ciphertexts (2 x 601 bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdJSplitsHash"</pre>
</section>
<section id="t-4-sapling-digest"><h6><span class="section-heading">T.4: sapling_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4-sapling-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>The digest of Sapling components is composed of two subtrees which are organized to permit easy interoperability with the <code>CompactBlock</code> representation of Sapling data specified by the ZIP 307 Light Client Protocol <a id="id6" class="footnote_reference" href="#zip-0307">6</a>.</p>
<p>This digest is a BLAKE2b-256 hash of the following values</p>
<pre>T.4a: sapling_spends_digest (32-byte hash)
T.4b: sapling_outputs_digest (32-byte hash)
T.4c: valueBalance (64-bit signed little-endian)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSaplingHash"</pre>
<section id="t-4a-sapling-spends-digest"><h7><span class="section-heading">T.4a: sapling_spends_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-sapling-spends-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This digest is a BLAKE2b-256 hash of the following values</p>
<pre>T.4a.i: sapling_spends_compact_digest (32-byte hash)
T.4a.ii: sapling_spends_noncompact_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSSpendsHash"</pre>
<section id="t-4a-i-sapling-spends-compact-digest"><h8><span class="section-heading">T.4a.i: sapling_spends_compact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-i-sapling-spends-compact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the field encoding of all <code>nullifier</code> field values of Sapling shielded spends belonging to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSSpendCHash"</pre>
</section>
<section id="t-4a-ii-sapling-spends-noncompact-digest"><h8><span class="section-heading">T.4a.ii: sapling_spends_noncompact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-ii-sapling-spends-noncompact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the non-nullifier information for all Sapling shielded spends belonging to the transaction, excluding both zkproof data and spend authorization signature(s). For each spend, the following elements are included in the hash:</p>
<pre>T.4a.ii.1: cv (field encoding bytes)
T.4a.ii.2: anchor (field encoding bytes)
T.4a.ii.3: rk (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSSpendNHash"</pre>
</section>
</section>
<section id="t-4b-sapling-outputs-digest"><h7><span class="section-heading">T.4b: sapling_outputs_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4b-sapling-outputs-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This digest is a BLAKE2b-256 hash of the following values</p>
<pre>T.4b.i: sapling_outputs_compact_digest (32-byte hash)
T.4b.ii: sapling_outputs_memos_digest (32-byte hash)
T.4b.iii: sapling_outputs_noncompact_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutputHash"</pre>
<section id="t-4b-i-sapling-outputs-compact-digest"><h8><span class="section-heading">T.4b.i: sapling_outputs_compact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4b-i-sapling-outputs-compact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the subset of Sapling output information included in the ZIP-307 <a id="id7" class="footnote_reference" href="#zip-0307">6</a> <code>CompactBlock</code> format for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:</p>
<pre>T.4b.i.1: cmu (field encoding bytes)
T.4b.i.2: ephemeral_key (field encoding bytes)
T.4b.i.3: enc_ciphertext[..52] (First 52 bytes of field encoding)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutC__Hash" (2 underscore characters)</pre>
</section>
<section id="t-4a-ii-sapling-outputs-memos-digest"><h8><span class="section-heading">T.4b.ii: sapling_outputs_memos_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-ii-sapling-outputs-memos-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the subset of Sapling shielded memo field data for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:</p>
<pre>T.4b.ii.1: enc_ciphertext[52..564] (contents of the encrypted memo field)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutM__Hash" (2 underscore characters)</pre>
</section>
<section id="t-4a-iii-sapling-outputs-noncompact-digest"><h8><span class="section-heading">T.4b.iii: sapling_outputs_noncompact_digest</span><span class="section-anchor"> <a rel="bookmark" href="#t-4a-iii-sapling-outputs-noncompact-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h8>
<p>A BLAKE2b-256 hash of the remaining subset of Sapling output information <strong>not</strong> included in the ZIP 307 <a id="id8" class="footnote_reference" href="#zip-0307">6</a> <code>CompactBlock</code> format, excluding zkproof data, for all Sapling shielded outputs belonging to the transaction. For each output, the following elements are included in the hash:</p>
<pre>T.4b.iii.1: cv (field encoding bytes)
T.4b.iii.2: enc_ciphertext[564..] (post-memo suffix of field encoding)
T.4b.iii.3: out_ciphertext (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdSOutN__Hash" (2 underscore characters)</pre>
</section>
</section>
</section>
</section>
</section>
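<p>The following is an added worked example (not the ZIP's reference implementation) of the txid_digest tree above for a transparent-only transaction: every node is a personalized BLAKE2b-256, empty Sprout and Sapling subtrees hash only their personalization strings, and the root personalization carries the consensus branch id. The transaction, its version number and its branch id are constructed placeholders; the txout and outpoint encodings follow section 7.1 of the protocol specification.</p>

```python
import copy
import hashlib
import struct

def pblake(person: bytes, data: bytes = b"") -> bytes:
    """Personalized BLAKE2b-256 as used throughout the ZIP 244 digest tree."""
    assert len(person) == 16, person          # BLAKE2b personalization is at most 16 bytes
    return hashlib.blake2b(data, digest_size=32, person=person).digest()

def compact_size(n: int) -> bytes:
    """CompactSize length prefix used inside the txout field encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)

def header_digest(tx: dict) -> bytes:
    """T.1: five 4-byte little-endian header fields (T.1a..T.1e)."""
    data = struct.pack("<IIIII", tx["version"], tx["version_group_id"],
                       tx["consensus_branch_id"], tx["lock_time"], tx["expiry_height"])
    return pblake(b"ZTxIdHeadersHash", data)

def prevouts_digest(tx: dict) -> bytes:
    """T.2a: outpoint encodings (32-byte prior txid || 4-byte LE output index)."""
    data = b"".join(i["prev_txid"] + struct.pack("<I", i["prev_index"]) for i in tx["vin"])
    return pblake(b"ZTxIdPrevoutHash", data)

def sequence_digest(tx: dict) -> bytes:
    """T.2b: 32-bit little-endian nSequence of every transparent input."""
    data = b"".join(struct.pack("<I", i["sequence"]) for i in tx["vin"])
    return pblake(b"ZTxIdSequencHash", data)

def outputs_digest(tx: dict) -> bytes:
    """T.2c: txout encodings (8-byte LE value || CompactSize(len) || scriptPubKey)."""
    data = b"".join(struct.pack("<q", o["value"]) + compact_size(len(o["script_pubkey"]))
                    + o["script_pubkey"] for o in tx["vout"])
    return pblake(b"ZTxIdOutputsHash", data)

def transparent_digest(tx: dict) -> bytes:
    """T.2: scriptSig (authorizing data) is deliberately not an input to any node here."""
    return pblake(b"ZTxIdTranspaHash",
                  prevouts_digest(tx) + sequence_digest(tx) + outputs_digest(tx))

def sprout_digest(tx: dict) -> bytes:
    """T.3: no JoinSplits in the sample, so the hash covers only the personalization."""
    return pblake(b"ZTxIdJSplitsHash", b"")

def sapling_digest(tx: dict) -> bytes:
    """T.4: sub-digests over empty spend/output sets, then valueBalance (T.4c, signed LE)."""
    spends = pblake(b"ZTxIdSSpendsHash", pblake(b"ZTxIdSSpendCHash") + pblake(b"ZTxIdSSpendNHash"))
    outputs = pblake(b"ZTxIdSOutputHash", pblake(b"ZTxIdSOutC__Hash")
                     + pblake(b"ZTxIdSOutM__Hash") + pblake(b"ZTxIdSOutN__Hash"))
    return pblake(b"ZTxIdSaplingHash", spends + outputs + struct.pack("<q", tx["value_balance"]))

def txid_digest(tx: dict) -> bytes:
    """Root of the tree; personalization = "ZcashTxHash_" || 4-byte LE consensus branch id."""
    person = b"ZcashTxHash_" + struct.pack("<I", tx["consensus_branch_id"])
    return pblake(person, header_digest(tx) + transparent_digest(tx)
                  + sprout_digest(tx) + sapling_digest(tx))

# Constructed sample transaction: every value below is made up for this illustration.
SAMPLE_TX = {
    "version": 0x80000005,              # overwinter flag set; version number is a placeholder
    "version_group_id": 0x892F2085,
    "consensus_branch_id": 0x11111111,  # placeholder branch id, not a real one
    "lock_time": 0,
    "expiry_height": 1_200_000,
    "vin": [{"prev_txid": bytes(range(32)), "prev_index": 1,
             "sequence": 0xFFFFFFFF, "script_sig": b"\x47" + b"\xaa" * 71}],
    "vout": [{"value": 50_000_000, "script_pubkey": b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"}],
    "value_balance": 0,
}

def malleation_check(tx: dict) -> dict:
    """Compare the txid of tx against three variants: a re-signed input (scriptSig
    replaced), a changed output value, and the same tx targeted at another branch."""
    resigned = copy.deepcopy(tx)
    resigned["vin"][0]["script_sig"] = b"\x47" + b"\xbb" * 71
    repriced = copy.deepcopy(tx)
    repriced["vout"][0]["value"] += 1
    other_branch = copy.deepcopy(tx)
    other_branch["consensus_branch_id"] ^= 1
    base = txid_digest(tx)
    return {
        "txid_hex": base.hex(),
        "stable_under_resign": txid_digest(resigned) == base,
        "changes_with_output": txid_digest(repriced) != base,
        "changes_with_branch": txid_digest(other_branch) != base,
    }

if __name__ == "__main__":
    print(malleation_check(SAMPLE_TX))
```

<p>Replacing the signature leaves the identifier unchanged while any change to outputs or to the target branch produces a different one, which is exactly the stability the Requirements section asks for.</p>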
<section id="signature-digest"><h4><span class="section-heading">Signature Digest</span><span class="section-anchor"> <a rel="bookmark" href="#signature-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>A new per-input transaction digest algorithm is defined that constructs a hash that may be signed by a transaction creator to commit to the effects of the transaction. In the case that the transaction consumes no transparent inputs, it should be possible to just sign the transaction identifier produced by the <code>TxId Digest</code> algorithm. In the case that transparent inputs are present, this algorithm follows closely the ZIP 143 <a id="id9" class="footnote_reference" href="#zip-0143">5</a> algorithm.</p>
<p>The overall structure of the hash is as follows; each name referenced here will be described in detail below:</p>
<pre>signature_digest
├── header_digest
├── transparent_sig_digest
├── sprout_digest
└── sapling_digest</pre>
<section id="id10"><h5><span class="section-heading">signature_digest</span><span class="section-anchor"> <a rel="bookmark" href="#id10"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>S.1: header_digest (32-byte hash output)
S.2: transparent_sig_digest (32-byte hash output)
S.3: sprout_digest (32-byte hash output)
S.4: sapling_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZcashTxHash_" || CONSENSUS_BRANCH_ID</pre>
<p><code>ZcashTxHash_</code> has 1 underscore character.</p>
<p>This value has the same personalization as the top hash of the transaction identifier digest tree, so that what is being signed in the case that there are no transparent inputs is just the transaction id.</p>
<section id="s-1-header-digest"><h6><span class="section-heading">S.1: header_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-1-header-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to that specified for the transaction identifier.</p>
</section>
<section id="s-2-transparent-sig-digest"><h6><span class="section-heading">S.2: transparent_sig_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2-transparent-sig-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>If we are producing a hash for the signature over a transparent input, the value of the digest produced here depends upon the value of a <code>hash_type</code> flag as in ZIP 143 <a id="id11" class="footnote_reference" href="#zip-0143">5</a>.</p>
<p>The construction of each component below depends upon the values of the <code>hash_type</code> flag bits. Each component will be described separately.</p>
<p>This digest is a BLAKE2b-256 hash of the following values</p>
<pre>S.2a: prevouts_sig_digest (32-byte hash)
S.2b: sequence_sig_digest (32-byte hash)
S.2c: outputs_sig_digest (32-byte hash)
S.2d: txin_sig_digest (32-byte hash)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxIdTranspaHash"</pre>
<section id="s-2a-prevouts-sig-digest"><h7><span class="section-heading">S.2a: prevouts_sig_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2a-prevouts-sig-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash initialized with the personalization field value <code>ZTxIdPrevoutHash</code>.</p>
<p>If the <code>SIGHASH_ANYONECANPAY</code> flag is not set:</p>
<pre>identical to the value of prevouts_digest as specified for the transaction identifier in section T.2a.</pre>
<p>otherwise:</p>
<pre>the hash is immediately finalized, without being updated with any
additional data</pre>
</section>
<section id="s-2b-sequence-sig-digest"><h7><span class="section-heading">S.2b: sequence_sig_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2b-sequence-sig-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash initialized with the personalization field value <code>ZTxIdSequencHash</code>.</p>
<p>If the <code>SIGHASH_ANYONECANPAY</code> flag is not set, and the sighash type is neither <code>SIGHASH_SINGLE</code> nor <code>SIGHASH_NONE</code>:</p>
<pre>identical to the value of sequence_digest as specified for the transaction identifier in section T.2b.</pre>
<p>otherwise:</p>
<pre>the hash is immediately finalized, without being updated with any
additional data</pre>
</section>
<section id="s-2c-outputs-sig-digest"><h7><span class="section-heading">S.2c: outputs_sig_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2c-outputs-sig-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash initialized with the personalization field value <code>ZTxIdOutputsHash</code>.</p>
<p>If the sighash type is neither <code>SIGHASH_SINGLE</code> nor <code>SIGHASH_NONE</code>:</p>
<pre>identical to the value of outputs_digest as specified for the transaction identifier in section T.2c.</pre>
<p>If the sighash type is <code>SIGHASH_SINGLE</code> and the signature hash is being computed for the transparent input at a particular index, and a transparent output appears in the transaction at that index:</p>
<pre>the hash is updated with the transaction serialized form of the
transparent output at that index, and finalized.</pre>
<p>If the sighash type is <code>SIGHASH_SINGLE</code> and the signature is being computed for a shielded input, or if the sighash type is <code>SIGHASH_NONE</code>:</p>
<pre>the hash is immediately finalized, without being updated with any
additional data</pre>
</section>
<section id="s-2d-txin-sig-digest"><h7><span class="section-heading">S.2d: txin_sig_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-2d-txin-sig-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h7>
<p>This is a BLAKE2b-256 hash initialized with the personalization field value <code>Zcash___TxInHash</code> (3 underscores).</p>
<p>If the signature hash is being computed for a transparent input, the hash is updated with the following properties of that input:</p>
<pre>S.2d.i: prevout (field encoding)
S.2d.ii: script_code (field encoding)
S.2d.iii: value (8-byte signed little-endian)
S.2d.iv: nSequence (4-byte unsigned little-endian)</pre>
<p>otherwise:</p>
<pre>the hash is immediately finalized, without being updated with any
additional data</pre>
</section>
</section>
<section id="s-3-sprout-digest"><h6><span class="section-heading">S.3: sprout_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-3-sprout-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to that specified for the transaction identifier.</p>
</section>
<section id="s-4-sapling-digest"><h6><span class="section-heading">S.4: sapling_digest</span><span class="section-anchor"> <a rel="bookmark" href="#s-4-sapling-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>Identical to that specified for the transaction identifier.</p>
</section>
</section>
</section>
<section id="authorizing-data-commitment"><h4><span class="section-heading">Authorizing Data Commitment</span><span class="section-anchor"> <a rel="bookmark" href="#authorizing-data-commitment"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h4>
<p>A new transaction digest algorithm is defined that constructs a digest which commits to the authorizing data of a transaction from a tree of BLAKE2b-256 hashes. The overall structure of the hash is as follows:</p>
<pre>auth_digest
├── transparent_scripts_digest
├── sprout_auth_digest
└── sapling_auth_digest</pre>
<p>Each node written as <code>snake_case</code> in this tree is a BLAKE2b-256 hash of authorizing data of the transaction.</p>
<p>The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.</p>
<section id="auth-digest"><h5><span class="section-heading">auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h5>
<p>A BLAKE2b-256 hash of the following values</p>
<pre>A.1: transparent_scripts_digest (32-byte hash output)
A.2: sprout_auth_digest (32-byte hash output)
A.3: sapling_auth_digest (32-byte hash output)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthHash_" || CONSENSUS_BRANCH_ID</pre>
<p><code>ZTxAuthHash_</code> has 1 underscore character.</p>
<section id="a-1-transparent-scripts-digest"><h6><span class="section-heading">A.1: transparent_scripts_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-1-transparent-scripts-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the field encoding of the Bitcoin script associated with each transparent input belonging to the transaction.</p>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthTransHash"</pre>
</section>
<section id="a-2-sprout-auth-digest"><h6><span class="section-heading">A.2: sprout_auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-2-sprout-auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the field encoding of the <code>zkproof</code> values of each <code>JSDescription</code> belonging to the transaction, followed by the <code>joinsplit_pubkey</code> and <code>joinsplit_sig</code>:</p>
<pre>A.2a: zkproofs (field encoding bytes)
A.2b: joinsplit_pubkey (field encoding bytes)
A.2c: joinsplit_sig (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthSprouHash"</pre>
</section>
<section id="a-3-sapling-auth-digest"><h6><span class="section-heading">A.3: sapling_auth_digest</span><span class="section-anchor"> <a rel="bookmark" href="#a-3-sapling-auth-digest"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h6>
<p>A BLAKE2b-256 hash of the field encoding of the Sapling <code>zkproof</code> value of each Sapling Spend Description, followed by the field encoding of the <code>spend_auth_sig</code> value of each Sapling Spend Description belonging to the transaction, followed by the field encoding of the <code>zkproof</code> field of each Sapling Output Description belonging to the transaction, followed by the field encoding of the binding signature:</p>
<pre>A.3a: spend_zkproofs (field encoding bytes)
A.3b: spend_auth_sigs (field encoding bytes)
A.3c: output_zkproofs (field encoding bytes)
A.3d: binding_sig (field encoding bytes)</pre>
<p>The personalization field of this hash is set to:</p>
<pre>"ZTxAuthSapliHash"</pre>
</section>
</section>
</section>
</section>
<section id="block-header-changes"><h3><span class="section-heading">Block Header Changes</span><span class="section-anchor"> <a rel="bookmark" href="#block-header-changes"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The non-malleable transaction identifier specified by this ZIP will be used in the place of the current malleable transaction identifier within the Merkle tree committed to by the <code>hashMerkleRoot</code> value. However, this change now means that <code>hashMerkleRoot</code> is not sufficient to fully commit to the transaction data, including witnesses, that appear within the block.</p>
<p>As a consequence, we now need to add a new commitment to the block header. This commitment will be the root of a Merkle tree that has parallel structure to the tree committed to by <code>hashMerkleRoot</code> (a path through this Merkle tree to a transaction identifies the same transaction as that path reaches in the tree rooted at <code>hashMerkleRoot</code>), but where the leaves are hashes produced according to the <cite>Authorizing Data Commitment</cite> part of this specification.</p>
<p>This new commitment is named <code>hashAuthDataRoot</code> and is the root of a left-dense binary Merkle tree of transaction authorizing data commitments. Empty internal nodes and leaves in the Merkle tree (nodes without children) have the "null" hash value <code>[0u8; 32]</code>. Hashes in this tree are BLAKE2b-256 hashes personalized by the string <code>"ZcashAuthDatHash"</code>.</p>
<p>Changing the block header format to allow space for an additional commitment is somewhat invasive. Instead, the name and meaning of the <code>hashLightClientRoot</code> field, described in ZIP 221 <a id="id12" class="footnote_reference" href="#zip-0221">3</a>, is changed.</p>
<p><code>hashLightClientRoot</code> is renamed to <code>hashBlockCommitments</code>. The value of this hash is the BLAKE2b-256 hash personalized by the string <code>"ZcashBlockCommit"</code> of the following elements:</p>
<pre>hashLightClientRoot (as described in ZIP 221)
hashAuthDataRoot (as described below)
terminator [0u8;32]</pre>
<p>This representation treats the <code>hashBlockCommitments</code> value as a linked list of hashes terminated by arbitrary data. In the case of protocol upgrades where additional commitments need to be included in the block header, it is possible to replace this terminator with the hash of a newly defined structure which ends in a similar terminator. Fully validating nodes MUST always use the entire structure defined by the latest activated protocol version that they support.</p>
<p>The linked structure of this hash is intended to provide extensibility for use by light clients which may be connected to a third-party server that supports a later protocol version. Such a third party SHOULD provide a value that can be used instead of the all-zeros terminator to permit the light client to perform validation of the parts of the structure it needs.</p>
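<p>The following is an added illustration (not code from the ZIP or its reference implementation) of the block header changes above: <code>hashAuthDataRoot</code> as a left-dense Merkle tree of auth_digest leaves padded with the null hash, and <code>hashBlockCommitments</code> as the personalized hash of <code>hashLightClientRoot</code>, <code>hashAuthDataRoot</code> and the terminator. Two details are assumptions of this example rather than statements of the text: leaves are padded to the next power of two, and every internal node is the hash of its two children even when both are null. The leaf values and the light-client root are constructed.</p>

```python
import hashlib

# The "null" hash value [0u8; 32], used for empty leaves and as the list terminator.
NULL_HASH = bytes(32)

def pblake(person: bytes, data: bytes = b"") -> bytes:
    """Personalized BLAKE2b-256, the same primitive used by the transaction digests."""
    return hashlib.blake2b(data, digest_size=32, person=person).digest()

def auth_data_root(auth_digests: list) -> bytes:
    """hashAuthDataRoot over per-transaction auth_digest leaves in block order.
    Assumption for this illustration: leaves are padded with NULL_HASH up to the next
    power of two and each internal node is BLAKE2b-256("ZcashAuthDatHash", left || right)."""
    if not auth_digests:
        return NULL_HASH
    level = list(auth_digests)
    while len(level) & (len(level) - 1):      # pad until the leaf count is a power of two
        level.append(NULL_HASH)
    while len(level) > 1:                     # hash pairs upward until one root remains
        level = [pblake(b"ZcashAuthDatHash", level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]

def block_commitments(light_client_root: bytes, auth_root: bytes,
                      terminator: bytes = NULL_HASH) -> bytes:
    """hashBlockCommitments = BLAKE2b-256("ZcashBlockCommit", lcr || authRoot || terminator).
    A later protocol version may replace the all-zeros terminator with a further hash."""
    assert len(light_client_root) == len(auth_root) == len(terminator) == 32
    return pblake(b"ZcashBlockCommit", light_client_root + auth_root + terminator)

def verify_block_commitments(header_value: bytes, light_client_root: bytes,
                             auth_root: bytes, terminator: bytes = NULL_HASH) -> bool:
    """Light-client check: recompute the commitment from the parts the client knows plus the
    terminator a server supplied (the zeros terminator for the version described here)."""
    return block_commitments(light_client_root, auth_root, terminator) == header_value

# Constructed inputs: three made-up auth_digest leaves (a real block would derive each from
# its transaction's authorizing data) and a made-up hashLightClientRoot.
SAMPLE_AUTH_DIGESTS = [hashlib.sha256(b"constructed auth_digest %d" % i).digest() for i in (1, 2, 3)]
SAMPLE_LIGHT_CLIENT_ROOT = hashlib.sha256(b"constructed hashLightClientRoot").digest()

def tamper_check() -> dict:
    """Show that altering one transaction's witness data changes hashAuthDataRoot, and that a
    wrong terminator makes the light-client recomputation fail."""
    root = auth_data_root(SAMPLE_AUTH_DIGESTS)
    header_value = block_commitments(SAMPLE_LIGHT_CLIENT_ROOT, root)
    altered = list(SAMPLE_AUTH_DIGESTS)
    altered[1] = hashlib.sha256(b"re-signed transaction 2").digest()
    return {
        "root_hex": root.hex(),
        "root_changes_on_witness_change": auth_data_root(altered) != root,
        "verifies_with_zero_terminator": verify_block_commitments(
            header_value, SAMPLE_LIGHT_CLIENT_ROOT, root),
        "fails_with_wrong_terminator": not verify_block_commitments(
            header_value, SAMPLE_LIGHT_CLIENT_ROOT, root, bytes([1]) * 32),
    }

if __name__ == "__main__":
    print(tamper_check())
```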
</section>
</section>
<section id="reference-implementation"><h2><span class="section-heading">Reference implementation</span><span class="section-anchor"> <a rel="bookmark" href="#reference-implementation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<ul>
<li><a href="https://github.com/zcash/librustzcash/pull/319/files">https://github.com/zcash/librustzcash/pull/319/files</a></li>
</ul>
</section>
<section id="references"><h2><span class="section-heading">References</span><span class="section-anchor"> <a rel="bookmark" href="#references"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<table id="rfc2119" class="footnote">
<tbody>
<tr>
<th>1</th>
<td><a href="https://www.rfc-editor.org/rfc/rfc2119.html">RFC 2119: Key words for use in RFCs to Indicate Requirement Levels</a></td>
</tr>
</tbody>
</table>
<table id="zip-0200" class="footnote">
<tbody>
<tr>
<th>2</th>
<td><a href="zip-0200">ZIP 200: Network Upgrade Activation Mechanism</a></td>
</tr>
</tbody>
</table>
<table id="zip-0221" class="footnote">
<tbody>
<tr>
<th>3</th>
<td><a href="zip-0221">ZIP 221: FlyClient - Consensus Layer Changes</a></td>
</tr>
</tbody>
</table>
<table id="zip-0076" class="footnote">
<tbody>
<tr>
<th>4</th>
<td><a href="zip-0076">ZIP 76: Transaction Signature Validation before Overwinter</a></td>
</tr>
</tbody>
</table>
<table id="zip-0143" class="footnote">
<tbody>
<tr>
<th>5</th>
<td><a href="zip-0143">ZIP 143: Transaction Signature Validation for Overwinter</a></td>
</tr>
</tbody>
</table>
<table id="zip-0307" class="footnote">
<tbody>
<tr>
<th>6</th>
<td><a href="zip-0307">ZIP 307: Light Client Protocol for Payment Detection</a></td>
</tr>
</tbody>
</table>
<table id="protocol-consensus" class="footnote">
<tbody>
<tr>
<th>7</th>
<td><a href="protocol/protocol.pdf#txnencodingandconsensus">Zcash Protocol Specification, Version 2020.1.15. Section 7.1: Transaction Encoding and Consensus</a></td>
</tr>
</tbody>
</table>
</section>
</section>
</body>
</html>