From 636f441b93f950496daa337443c217c75ae9b9f9 Mon Sep 17 00:00:00 2001 From: Vivek Arte Date: Tue, 28 Jan 2025 17:08:43 +0530 Subject: [PATCH 1/4] making txid and sig digest changes --- rendered/zip-0226.html | 104 +++++++++++++++++++++++++---------------- rendered/zip-0227.html | 71 +++++++++++----------------- zips/zip-0226.rst | 97 ++++++++++++++++++++++++++------------ zips/zip-0227.rst | 38 +++------------ 4 files changed, 163 insertions(+), 147 deletions(-) diff --git a/rendered/zip-0226.html b/rendered/zip-0226.html index df0e652d3..33d2e95fa 100644 --- a/rendered/zip-0226.html +++ b/rendered/zip-0226.html @@ -459,59 +459,59 @@

The

OrchardZSA Transaction Structure

-

The transaction format for v6 transactions is described in ZIP 230 14.

+

The transaction format for v6 transactions is described in ZIP 230 13.

TxId Digest

-

The transaction digest algorithm defined in ZIP 244 15 is modified by the OrchardZSA protocol to add a new branch for issuance information, along with modifications within the orchard_digest to account for the inclusion of the Asset Base. The details of these changes are described in this section, and highlighted using the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the OrchardZSA protocol.

+

The transaction digest algorithm defined in ZIP 244 14 is modified by the OrchardZSA protocol to add a new branch for issuance information, along with replacement of the orchard_digest with a new orchard_zsa_digest to account for the inclusion of the Asset Base and the updated transaction format. The details of these changes are described in this section, and highlighted using the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the OrchardZSA protocol.

txid_digest

A BLAKE2b-256 hash of the following values:

T.1: header_digest       (32-byte hash output)
 T.2: transparent_digest  (32-byte hash output)
 T.3: sapling_digest      (32-byte hash output)
-T.4: orchard_digest      (32-byte hash output)  [UPDATED FOR ZSA]
+T.4: orchard_zsa_digest  (32-byte hash output)  [ADDED FOR ZSA]
 T.5: issuance_digest     (32-byte hash output)  [ADDED FOR ZSA]
-

The personalization field remains the same as in ZIP 244 15.

-

T.4: orchard_digest

+

The personalization field remains the same as in ZIP 244 14.

+

T.4: orchard_zsa_digest

When OrchardZSA Actions Groups are present in the transaction, this digest is a BLAKE2b-256 hash of the following values:

- 
T.4a: orchard_action_groups_digest   (32-byte hash output)          [ADDED FOR ZSA]
-T.4c: valueBalanceOrchard            (64-bit signed little-endian)
-

The personalization field of this hash is the same as in ZIP 244 15

+ 
T.4a: orchard_zsa_action_groups_digest   (32-byte hash output)
+T.4b: valueBalanceOrchard                (64-bit signed little-endian)
+

The personalization field of this hash is the same as for orchard_digest in ZIP 244 14

"ZTxIdOrchardHash"
-

In the case that the transaction has no OrchardZSA Action Groups, orchard_digest is

+

In the case that the transaction has no OrchardZSA Action Groups, orchard_zsa_digest is

BLAKE2b-256("ZTxIdOrchardHash", [])
-
T.4a: orchard_action_groups_digest
+
T.4a: orchard_zsa_action_groups_digest

A BLAKE2b-256 hash of the subset of OrchardZSA Action Groups information for all OrchardZSA Action Groups belonging to the transaction. For each Action Group, the following elements are included in the hash:

- 
T.4a.i   : orchard_actions_compact_digest      (32-byte hash output)
-T.4a.ii  : orchard_actions_memos_digest        (32-byte hash output)
-T.4a.iii : orchard_actions_noncompact_digest   (32-byte hash output)
+                        
T.4a.i   : orchard_zsa_actions_compact_digest      (32-byte hash output)
+T.4a.ii  : orchard_zsa_actions_memos_digest        (32-byte hash output)
+T.4a.iii : orchard_zsa_actions_noncompact_digest   (32-byte hash output)
 T.4a.iv  : orchard_zsa_burn_digest             (32-byte hash output)
-T.4a.v   : flagsOrchard                        (1 byte)
-T.4a.vi  : anchorOrchard                       (32 bytes)
-T.4a.vii : nAGExpiryHeight                     (4 bytes)

+T.4a.v   : flagsOrchard                            (1 byte)
+T.4a.vi  : anchorOrchard                           (32 bytes)
+T.4a.vii : nAGExpiryHeight                         (4 bytes)

The personalization field of this hash is set to:

"ZTxIdOrcActGHash"
-
T.4a.i: orchard_actions_compact_digest
+
T.4a.i: orchard_zsa_actions_compact_digest

A BLAKE2b-256 hash of the subset of OrchardZSA Action information intended to be included in an updated version of the ZIP-307 17 CompactBlock format for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:

T.4a.i.1 : nullifier            (field encoding bytes)
 T.4a.i.2 : cmx                  (field encoding bytes)
 T.4a.i.3 : ephemeralKey         (field encoding bytes)
-T.4a.i.4 : encCiphertext[..84]  (First 84 bytes of field encoding)  [UPDATED FOR ZSA]
-

The personalization field of this hash is the same as in ZIP 244:

+T.4a.i.4 : encCiphertext[..84] (First 84 bytes of field encoding) +

The personalization field of this hash is the same as for orchard_actions_compact_digest in ZIP 244:

"ZTxIdOrcActCHash"
-
T.4a.ii: orchard_actions_memos_digest
+
T.4a.ii: orchard_zsa_actions_memos_digest

A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:

- 
T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field)  [UPDATED FOR ZSA]
-

The personalization field of this hash remains identical to ZIP 244:

+ 
T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field)
+

The personalization field of this hash is identical to that for orchard_actions_memos_digest in ZIP 244:

"ZTxIdOrcActMHash"
-
T.4a.iii: orchard_actions_noncompact_digest
+
T.4a.iii: orchard_zsa_actions_noncompact_digest

A BLAKE2b-256 hash of the remaining subset of OrchardZSA Action information not intended for inclusion in an updated version of the the ZIP 307 17 CompactBlock format, for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:

T.4a.iii.1 : cv                    (field encoding bytes)
 T.4a.iii.2 : rk                    (field encoding bytes)
-T.4a.iii.3 : encCiphertext[596..]  (post-memo suffix of field encoding)  [UPDATED FOR ZSA]
+T.4a.iii.3 : encCiphertext[596..]  (post-memo suffix of field encoding)
 T.4a.iii.4 : outCiphertext         (field encoding bytes)
-

The personalization field of this hash is defined identically to ZIP 244:

+

The personalization field of this hash is defined just as for orchard_actions_noncompact_digest in ZIP 244:

"ZTxIdOrcActNHash"
T.4a.iv: orchard_zsa_burn_digest
@@ -524,7 +524,7 @@

The 
"ZTxIdOrcBurnHash"

In case the transaction does not perform the burning of any Assets (i.e. the \(\mathsf{assetBurn}\) - set is empty), the ''orchard_zsa_burn_digest'' is:

+ set is empty), the orchard_zsa_burn_digest is:

BLAKE2b-256("ZTxIdOrcBurnHash", [])

@@ -535,10 +535,34 @@

The

Signature Digest

-

The details of the changes to this algorithm are in ZIP 227 11.

+

The per-input transaction digest algorithm to generate the signature digest in ZIP 244 15 is modified so that a signature digest is produced for each transparent input, each Sapling input, each OrchardZSA Action, and additionally for each Issuance Action. The modifications replace the orchard_digest in ZIP 244 with a new orchard_zsa_digest, and add a new branch, issuance_digest, for the Issuance Action information.

+

The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:

+ 
signature_digest
+├── header_digest
+├── transparent_sig_digest
+├── sapling_digest
+├── orchard_zsa_digest      [ADDED FOR ZSA]
+└── issuance_digest         [ADDED FOR ZSA]
+

signature_digest

+

A BLAKE2b-256 hash of the following values

+ 
S.1: header_digest          (32-byte hash output)
+S.2: transparent_sig_digest (32-byte hash output)
+S.3: sapling_digest         (32-byte hash output)
+S.4: orchard_zsa_digest     (32-byte hash output)  [ADDED FOR ZSA]
+S.5: issuance_digest        (32-byte hash output)  [ADDED FOR ZSA]
+

The personalization field remains the same as in ZIP 244 14, namely:

+ 
"ZcashTxHash_" || CONSENSUS_BRANCH_ID
+

ZcashTxHash_ has 1 underscore character.

+

S.4: orchard_zsa_digest

+

Identical to that specified for the transaction identifier.

+
+

S.5: issuance_digest

+

Identical to the issuance_digest specified for the transaction identifier in ZIP 227 zip-0227-txiddigest.

+
+

Authorizing Data Commitment

-

The transaction digest algorithm defined in ZIP 244 16 which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. There is a new branch added for issuance information, along with modifications within the orchard_auth_digest to account for the presence of Action Groups.

+

The transaction digest algorithm defined in ZIP 244 16 which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. There is a new branch added for issuance information, along with modifications within the orchard_auth_digest to account for the presence of Action Groups.

We highlight the changes for the OrchardZSA protocol via the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:

auth_digest
 ├── transparent_scripts_digest
@@ -570,7 +594,7 @@ 
The

A.4: issuance_auth_digest

-

The details of the computation of this value are in ZIP 227 12.

+

The details of the computation of this value are in ZIP 227 11.

@@ -585,7 +609,7 @@

The

Other Considerations

Transaction Fees

-

The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 227 13.

+

The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 227 12.

Backward Compatibility

In order to have backward compatibility with the ZEC notes, we have designed the circuit to support both ZEC and OrchardZSA notes. As we specify above, there are three main reasons we can do this:

@@ -696,43 +720,43 @@

The - +
- +
11ZIP 227: Issuance of Zcash Shielded Assets: Signature DigestZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment
- +
- +
12ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data CommitmentZIP 227: Issuance of Zcash Shielded Assets: OrchardZSA Fee Calculation
- +
- +
13ZIP 227: Issuance of Zcash Shielded Assets: OrchardZSA Fee CalculationZIP 230: Version 6 Transaction Format
- +
- +
14ZIP 230: Version 6 Transaction FormatZIP 244: Transaction Identifier Non-Malleability
- +
- +
15ZIP 244: Transaction Identifier Non-MalleabilityZIP 244: Transaction Identifier Non-Malleability: Signature Digest
diff --git a/rendered/zip-0227.html b/rendered/zip-0227.html index d8171df05..ab12f24c2 100644 --- a/rendered/zip-0227.html +++ b/rendered/zip-0227.html @@ -356,7 +356,7 @@ \(\mathsf{rseed}: \mathbb{B}^{[\mathbb{Y}^{32}]}\) MUST be sampled uniformly at random by the issuer. -

The complete encoding of these fields into an IssueNote is defined in ZIP 230 16.

+

The complete encoding of these fields into an IssueNote is defined in ZIP 230 17.

Let \(\mathsf{Note^{Issue}}\) be the type of an Issue Note, i.e.

@@ -378,7 +378,7 @@

The \(\mathsf{finalize}\) boolean is set by the Issuer to signal that there will be no further issuance of the specific Custom Asset. As we will see in Specification: Consensus Rule Changes, transactions that attempt to issue further amounts of a Custom Asset that has previously been finalized will be rejected.

-

The complete encoding of these fields into an IssueAction is defined in ZIP 230 15.

+

The complete encoding of these fields into an IssueAction is defined in ZIP 230 16.

Issuance Bundle

An issuance bundle is the aggregate of all the issuance-related information. Specifically, contains all the issuance actions and the issuer signature on the transaction SIGHASH that validates the issuance itself. It contains the following fields:

@@ -395,7 +395,7 @@ \(\mathsf{isk}\!\) , that validates the issuance. -

The issuance bundle is added within the transaction format as a new bundle. The detailed encoding of the issuance bundle as a part of the V6 transaction format is defined in ZIP 230 17.

+

The issuance bundle is added within the transaction format as a new bundle. The detailed encoding of the issuance bundle as a part of the V6 transaction format is defined in ZIP 230 18.

Computation of ρ

We define a function @@ -760,7 +760,7 @@

TxId Digest - Issuance

-

This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 13. As in ZIP 244 19, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.

+

This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 13. As in ZIP 244 20, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.

A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. Each branch of the subtree will correspond to a specific subset of issuance transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:

issuance_digest
 ├── issue_actions_digest
@@ -775,7 +775,7 @@
 T.5b: issuanceValidatingKey   (32 bytes)

The personalization field of this hash is set to:

"ZTxIdSAIssueHash"
-

In case the transaction has no issuance components, ''issuance_digest'' is:

+

In case the transaction has no issuance components, issuance_digest is:

BLAKE2b-256("ZTxIdSAIssueHash", [])

T.5a: issue_actions_digest

A BLAKE2b-256 hash of Issue Action information for all Issuance Actions belonging to the transaction. For each Action, the following elements are included in the hash:

@@ -793,7 +793,7 @@ T.5a.i.5: rseed (field encoding bytes)

The personalization field of this hash is set to:

"ZTxIdIAcNoteHash"
-

In case the transaction has no Issue Notes, ''issue_notes_digest'' is:

+

In case the transaction has no Issue Notes, issue_notes_digest is:

BLAKE2b-256("ZTxIdIAcNoteHash", [])
T.5a.i.1: recipient

This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification 32.

@@ -830,29 +830,10 @@

Signature Digest

-

The per-input transaction digest algorithm to generate the signature digest in ZIP 244 20 is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.

-

The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:

- 
signature_digest
-├── header_digest
-├── transparent_sig_digest
-├── sapling_digest
-├── orchard_digest
-└── issuance_digest         [ADDED FOR ZSA]
-

signature_digest

-

A BLAKE2b-256 hash of the following values

- 
S.1: header_digest          (32-byte hash output)
-S.2: transparent_sig_digest (32-byte hash output)
-S.3: sapling_digest         (32-byte hash output)
-S.4: orchard_digest         (32-byte hash output)
-S.5: issuance_digest        (32-byte hash output)  [ADDED FOR ZSA]
-

The personalization field remains the same as in ZIP 244 19.

-

S.5: issuance_digest

-

Identical to that specified for the transaction identifier.

-
-
+

The changes to the signature digest are specified in ZIP 226 14.

Authorizing Data Commitment - Issuance

-

This section covers the construction of the subtree of hashes in the authorizing data commitment that corresponds to issuance transaction data. Details of the overall changes to the authorizing data commitment due to the OrchardZSA protocol can be found in ZIP 226 14.

+

This section covers the construction of the subtree of hashes in the authorizing data commitment that corresponds to issuance transaction data. Details of the overall changes to the authorizing data commitment due to the OrchardZSA protocol can be found in ZIP 226 15.

A.4: issuance_auth_digest

In the case that Issuance Actions are present, this is a BLAKE2b-256 hash of the field encoding of the issueAuthSig field of the transaction:

A.4a: issueAuthSig            (field encoding bytes)
@@ -863,7 +844,7 @@

OrchardZSA Fee Calculation

-

In addition to the parameters defined in the Fee calculation section of ZIP 317 21, the OrchardZSA protocol upgrade defines the following additional parameters:

+

In addition to the parameters defined in the Fee calculation section of ZIP 317 21, the OrchardZSA protocol upgrade defines the following additional parameters:

@@ -917,7 +898,7 @@
-

The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 33 and the global state. They are defined in the Fee calculation section of ZIP 317 21. Note that +

The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 33 and the global state. They are defined in the Fee calculation section of ZIP 317 21. Note that \(nOrchardActions\!\) , that is used in the computation of \(logical\_actions\!\) @@ -962,7 +943,7 @@

Bridging Assets

-

For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.

+

For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.

Other Considerations

@@ -976,7 +957,7 @@ in order to properly keep track of the total supply for different Asset Identifiers. This is useful for wallets and other applications that need to keep track of the total supply of Assets.

Fee Structures

-

The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317, and is described in ZIP 230 18.

+

The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317, and is described in ZIP 230 19.

Test Vectors

@@ -1098,59 +1079,59 @@ - +
- +
14ZIP 226: Transfer and Burn of Zcash Shielded Assets - Authorizing Data CommitmentZIP 226: Transfer and Burn of Zcash Shielded Assets: Signature Digest
- +
- +
15ZIP 230: Version 6 Transaction Format: Issuance Action Description (IssueAction)ZIP 226: Transfer and Burn of Zcash Shielded Assets - Authorizing Data Commitment
- +
- +
16ZIP 230: Version 6 Transaction Format: Issue Note (IssueNote)ZIP 230: Version 6 Transaction Format: Issuance Action Description (IssueAction)
- +
- +
17ZIP 230: Version 6 Transaction Format: Transaction FormatZIP 230: Version 6 Transaction Format: Issue Note (IssueNote)
- +
- +
18ZIP 230: Version 6 Transaction Format: OrchardZSA Fee CalculationZIP 230: Version 6 Transaction Format: Transaction Format
- +
- +
19ZIP 244: Transaction Identifier Non-MalleabilityZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation
- +
- +
20ZIP 244: Transaction Identifier Non-Malleability: Signature DigestZIP 244: Transaction Identifier Non-Malleability
diff --git a/zips/zip-0226.rst b/zips/zip-0226.rst index 9ee04c57f..895cf4a21 100644 --- a/zips/zip-0226.rst +++ b/zips/zip-0226.rst @@ -348,7 +348,7 @@ The transaction format for v6 transactions is described in ZIP 230 [#zip-0230]_. TxId Digest =========== -The transaction digest algorithm defined in ZIP 244 [#zip-0244]_ is modified by the OrchardZSA protocol to add a new branch for issuance information, along with modifications within the ``orchard_digest`` to account for the inclusion of the Asset Base. +The transaction digest algorithm defined in ZIP 244 [#zip-0244]_ is modified by the OrchardZSA protocol to add a new branch for issuance information, along with replacement of the ``orchard_digest`` with a new ``orchard_zsa_digest`` to account for the inclusion of the Asset Base and the updated transaction format. The details of these changes are described in this section, and highlighted using the ``[UPDATED FOR ZSA]`` or ``[ADDED FOR ZSA]`` text label. We omit the details of the sections that do not change for the OrchardZSA protocol. txid_digest @@ -358,47 +358,47 @@ A BLAKE2b-256 hash of the following values:: T.1: header_digest (32-byte hash output) T.2: transparent_digest (32-byte hash output) T.3: sapling_digest (32-byte hash output) - T.4: orchard_digest (32-byte hash output) [UPDATED FOR ZSA] + T.4: orchard_zsa_digest (32-byte hash output) [ADDED FOR ZSA] T.5: issuance_digest (32-byte hash output) [ADDED FOR ZSA] The personalization field remains the same as in ZIP 244 [#zip-0244]_. -T.4: orchard_digest -``````````````````` +T.4: orchard_zsa_digest +``````````````````````` When OrchardZSA Actions Groups are present in the transaction, this digest is a BLAKE2b-256 hash of the following values:: - T.4a: orchard_action_groups_digest (32-byte hash output) [ADDED FOR ZSA] - T.4c: valueBalanceOrchard (64-bit signed little-endian) + T.4a: orchard_zsa_action_groups_digest (32-byte hash output) + T.4b: valueBalanceOrchard (64-bit signed little-endian) -The personalization field of this hash is the same as in ZIP 244 [#zip-0244]_ :: +The personalization field of this hash is the same as for ``orchard_digest`` in ZIP 244 [#zip-0244]_ :: "ZTxIdOrchardHash" -In the case that the transaction has no OrchardZSA Action Groups, ``orchard_digest`` is :: +In the case that the transaction has no OrchardZSA Action Groups, ``orchard_zsa_digest`` is :: BLAKE2b-256("ZTxIdOrchardHash", []) -T.4a: orchard_action_groups_digest -'''''''''''''''''''''''''''''''''' +T.4a: orchard_zsa_action_groups_digest +'''''''''''''''''''''''''''''''''''''' A BLAKE2b-256 hash of the subset of OrchardZSA Action Groups information for all OrchardZSA Action Groups belonging to the transaction. For each Action Group, the following elements are included in the hash:: - T.4a.i : orchard_actions_compact_digest (32-byte hash output) - T.4a.ii : orchard_actions_memos_digest (32-byte hash output) - T.4a.iii : orchard_actions_noncompact_digest (32-byte hash output) + T.4a.i : orchard_zsa_actions_compact_digest (32-byte hash output) + T.4a.ii : orchard_zsa_actions_memos_digest (32-byte hash output) + T.4a.iii : orchard_zsa_actions_noncompact_digest (32-byte hash output) T.4a.iv : orchard_zsa_burn_digest (32-byte hash output) - T.4a.v : flagsOrchard (1 byte) - T.4a.vi : anchorOrchard (32 bytes) - T.4a.vii : nAGExpiryHeight (4 bytes) + T.4a.v : flagsOrchard (1 byte) + T.4a.vi : anchorOrchard (32 bytes) + T.4a.vii : nAGExpiryHeight (4 bytes) The personalization field of this hash is set to:: "ZTxIdOrcActGHash" -T.4a.i: orchard_actions_compact_digest -...................................... +T.4a.i: orchard_zsa_actions_compact_digest +.......................................... A BLAKE2b-256 hash of the subset of OrchardZSA Action information intended to be included in an updated version of the ZIP-307 [#zip-0307]_ ``CompactBlock`` format for all OrchardZSA @@ -408,29 +408,29 @@ in the hash:: T.4a.i.1 : nullifier (field encoding bytes) T.4a.i.2 : cmx (field encoding bytes) T.4a.i.3 : ephemeralKey (field encoding bytes) - T.4a.i.4 : encCiphertext[..84] (First 84 bytes of field encoding) [UPDATED FOR ZSA] + T.4a.i.4 : encCiphertext[..84] (First 84 bytes of field encoding) -The personalization field of this hash is the same as in ZIP 244:: +The personalization field of this hash is the same as for ``orchard_actions_compact_digest`` in ZIP 244:: "ZTxIdOrcActCHash" -T.4a.ii: orchard_actions_memos_digest -..................................... +T.4a.ii: orchard_zsa_actions_memos_digest +......................................... A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:: - T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field) [UPDATED FOR ZSA] + T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field) -The personalization field of this hash remains identical to ZIP 244:: +The personalization field of this hash is identical to that for ``orchard_actions_memos_digest`` in ZIP 244:: "ZTxIdOrcActMHash" -T.4a.iii: orchard_actions_noncompact_digest -........................................... +T.4a.iii: orchard_zsa_actions_noncompact_digest +............................................... A BLAKE2b-256 hash of the remaining subset of OrchardZSA Action information **not** intended for inclusion in an updated version of the the ZIP 307 [#zip-0307]_ ``CompactBlock`` @@ -439,10 +439,10 @@ the following elements are included in the hash:: T.4a.iii.1 : cv (field encoding bytes) T.4a.iii.2 : rk (field encoding bytes) - T.4a.iii.3 : encCiphertext[596..] (post-memo suffix of field encoding) [UPDATED FOR ZSA] + T.4a.iii.3 : encCiphertext[596..] (post-memo suffix of field encoding) T.4a.iii.4 : outCiphertext (field encoding bytes) -The personalization field of this hash is defined identically to ZIP 244:: +The personalization field of this hash is defined just as for ``orchard_actions_noncompact_digest`` in ZIP 244:: "ZTxIdOrcActNHash" @@ -461,7 +461,7 @@ The personalization field of this hash is set to:: "ZTxIdOrcBurnHash" In case the transaction does not perform the burning of any Assets (i.e. the -$\mathsf{assetBurn}$ set is empty), the ''orchard_zsa_burn_digest'' is:: +$\mathsf{assetBurn}$ set is empty), the ``orchard_zsa_burn_digest`` is:: BLAKE2b-256("ZTxIdOrcBurnHash", []) @@ -473,7 +473,42 @@ The details of the computation of this value are in ZIP 227 [#zip-0227-txiddiges Signature Digest ================ -The details of the changes to this algorithm are in ZIP 227 [#zip-0227-sigdigest]_. +The per-input transaction digest algorithm to generate the signature digest in ZIP 244 [#zip-0244-sigdigest]_ is modified so that a signature digest is produced for each transparent input, each Sapling input, each OrchardZSA Action, and additionally for each Issuance Action. +The modifications replace the ``orchard_digest`` in ZIP 244 with a new ``orchard_zsa_digest``, and add a new branch, ``issuance_digest``, for the Issuance Action information. + +The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:: + + signature_digest + ├── header_digest + ├── transparent_sig_digest + ├── sapling_digest + ├── orchard_zsa_digest [ADDED FOR ZSA] + └── issuance_digest [ADDED FOR ZSA] + +signature_digest +---------------- +A BLAKE2b-256 hash of the following values :: + + S.1: header_digest (32-byte hash output) + S.2: transparent_sig_digest (32-byte hash output) + S.3: sapling_digest (32-byte hash output) + S.4: orchard_zsa_digest (32-byte hash output) [ADDED FOR ZSA] + S.5: issuance_digest (32-byte hash output) [ADDED FOR ZSA] + +The personalization field remains the same as in ZIP 244 [#zip-0244]_, namely:: + + "ZcashTxHash_" || CONSENSUS_BRANCH_ID + +``ZcashTxHash_`` has 1 underscore character. + +S.4: orchard_zsa_digest +``````````````````````` +Identical to that specified for the transaction identifier. + +S.5: issuance_digest +```````````````````` +Identical to the ``issuance_digest`` specified for the transaction identifier in ZIP 227 [zip-0227-txiddigest]_. + Authorizing Data Commitment =========================== @@ -594,11 +629,11 @@ References .. [#zip-0227-consensus] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Consensus Rule Changes `_ .. [#zip-0227-note-commitment-order] `ZIP 227: Issuance of Zcash Shielded Assets: Addition to the Note Commitment Tree `_ .. [#zip-0227-txiddigest] `ZIP 227: Issuance of Zcash Shielded Assets: TxId Digest - Issuance `_ -.. [#zip-0227-sigdigest] `ZIP 227: Issuance of Zcash Shielded Assets: Signature Digest `_ .. [#zip-0227-authcommitment] `ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment `_ .. [#zip-0227-orchardzsa-fee-calculation] `ZIP 227: Issuance of Zcash Shielded Assets: OrchardZSA Fee Calculation `_ .. [#zip-0230] `ZIP 230: Version 6 Transaction Format `_ .. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability `_ +.. [#zip-0244-sigdigest] `ZIP 244: Transaction Identifier Non-Malleability: Signature Digest `_ .. [#zip-0244-authcommitment] `ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data Commitment `_ .. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection `_ .. [#protocol-notes] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2: Notes `_ diff --git a/zips/zip-0227.rst b/zips/zip-0227.rst index 1234ef77c..291c48df8 100644 --- a/zips/zip-0227.rst +++ b/zips/zip-0227.rst @@ -488,7 +488,9 @@ This section details the construction of the subtree of hashes in the transactio Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 [#zip-0226-txiddigest]_. As in ZIP 244 [#zip-0244]_, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used. -A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. Each branch of the subtree will correspond to a specific subset of issuance transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:: +A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. +Each branch of the subtree will correspond to a specific subset of issuance transaction data. +The overall structure of the hash is as follows; each name referenced here will be described in detail below:: issuance_digest ├── issue_actions_digest @@ -510,7 +512,7 @@ The personalization field of this hash is set to:: "ZTxIdSAIssueHash" -In case the transaction has no issuance components, ''issuance_digest'' is:: +In case the transaction has no issuance components, ``issuance_digest`` is:: BLAKE2b-256("ZTxIdSAIssueHash", []) @@ -540,7 +542,7 @@ The personalization field of this hash is set to:: "ZTxIdIAcNoteHash" -In case the transaction has no Issue Notes, ''issue_notes_digest'' is:: +In case the transaction has no Issue Notes, ``issue_notes_digest`` is:: BLAKE2b-256("ZTxIdIAcNoteHash", []) @@ -583,33 +585,7 @@ A byte encoding of issuance validating key for the bundle as defined in the `Iss Signature Digest ================ -The per-input transaction digest algorithm to generate the signature digest in ZIP 244 [#zip-0244-sigdigest]_ is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. -For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly. - -The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:: - - signature_digest - ├── header_digest - ├── transparent_sig_digest - ├── sapling_digest - ├── orchard_digest - └── issuance_digest [ADDED FOR ZSA] - -signature_digest ----------------- -A BLAKE2b-256 hash of the following values :: - - S.1: header_digest (32-byte hash output) - S.2: transparent_sig_digest (32-byte hash output) - S.3: sapling_digest (32-byte hash output) - S.4: orchard_digest (32-byte hash output) - S.5: issuance_digest (32-byte hash output) [ADDED FOR ZSA] - -The personalization field remains the same as in ZIP 244 [#zip-0244]_. - -S.5: issuance_digest -```````````````````` -Identical to that specified for the transaction identifier. +The changes to the signature digest are specified in ZIP 226 [#zip-0226-sigdigest]_. Authorizing Data Commitment - Issuance ====================================== @@ -765,13 +741,13 @@ References .. [#zip-0226-notestructure] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - Note Structure & Commitment `_ .. [#zip-0226-assetburn] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - Additional Consensus Rules for the assetBurn set `_ .. [#zip-0226-txiddigest] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - TxId Digest `_ +.. [#zip-0226-sigdigest] `ZIP 226: Transfer and Burn of Zcash Shielded Assets: Signature Digest `_ .. [#zip-0226-authcommitment] `ZIP 226: Transfer and Burn of Zcash Shielded Assets - Authorizing Data Commitment `_ .. [#zip-0230-issuance-action-description] `ZIP 230: Version 6 Transaction Format: Issuance Action Description (IssueAction) `_ .. [#zip-0230-issue-note] `ZIP 230: Version 6 Transaction Format: Issue Note (IssueNote) `_ .. [#zip-0230-transaction-format] `ZIP 230: Version 6 Transaction Format: Transaction Format `_ .. [#zip-0230-orchardzsa-fee-calculation] `ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation `_ .. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability `_ -.. [#zip-0244-sigdigest] `ZIP 244: Transaction Identifier Non-Malleability: Signature Digest `_ .. [#zip-0317-fee-calc] `ZIP 317: Proportional Transfer Fee Mechanism, Fee calculation `_ .. [#bip-0043] `BIP 43: Purpose Field for Deterministic Wallets `_ .. [#bip-0340] `BIP 340: Schnorr Signatures for secp256k1 `_ From ce66f4ef641e5f89054ec2ad6174c3f2f210cf8b Mon Sep 17 00:00:00 2001 From: Vivek Arte Date: Tue, 28 Jan 2025 17:22:00 +0530 Subject: [PATCH 2/4] making auth data commitment changes --- rendered/zip-0226.html | 20 ++++++++++---------- zips/zip-0226.rst | 24 ++++++++++++------------ 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/rendered/zip-0226.html b/rendered/zip-0226.html index 33d2e95fa..d40bea078 100644 --- a/rendered/zip-0226.html +++ b/rendered/zip-0226.html @@ -462,7 +462,7 @@

The

The transaction format for v6 transactions is described in ZIP 230 13.

TxId Digest

-

The transaction digest algorithm defined in ZIP 244 14 is modified by the OrchardZSA protocol to add a new branch for issuance information, along with replacement of the orchard_digest with a new orchard_zsa_digest to account for the inclusion of the Asset Base and the updated transaction format. The details of these changes are described in this section, and highlighted using the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the OrchardZSA protocol.

+

The transaction digest algorithm defined in ZIP 244 14 is modified by the OrchardZSA protocol to add a new branch for issuance information, along with replacement of the orchard_digest with a new orchard_zsa_digest to account for the inclusion of the Asset Base and the updated transaction format. The details of these changes are described in this section, and highlighted using the [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the OrchardZSA protocol.

txid_digest

A BLAKE2b-256 hash of the following values:

T.1: header_digest       (32-byte hash output)
@@ -562,30 +562,30 @@ 
The

Authorizing Data Commitment

-

The transaction digest algorithm defined in ZIP 244 16 which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. There is a new branch added for issuance information, along with modifications within the orchard_auth_digest to account for the presence of Action Groups.

-

We highlight the changes for the OrchardZSA protocol via the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:

+

The transaction digest algorithm defined in ZIP 244 16 which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. There is a new branch added for issuance information, and the orchard_auth_digest in ZIP 244 is replaced with orchard_zsa_auth_digest to account for the presence of Action Groups.

+

We highlight the changes for the OrchardZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:

auth_digest
 ├── transparent_scripts_digest
 ├── sapling_auth_digest
-├── orchard_auth_digest         [UPDATED FOR ZSA]
+├── orchard_zsa_auth_digest     [ADDED FOR ZSA]
 └── issuance_auth_digest        [ADDED FOR ZSA]

The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.

auth_digest

A BLAKE2b-256 hash of the following values

A.1: transparent_scripts_digest (32-byte hash output)
 A.2: sapling_auth_digest        (32-byte hash output)
-A.3: orchard_auth_digest        (32-byte hash output)  [UPDATED FOR ZSA]
+A.3: orchard_zsa_auth_digest    (32-byte hash output)  [ADDED FOR ZSA]
 A.4: issuance_auth_digest       (32-byte hash output)  [ADDED FOR ZSA]

The personalization field of this hash remains the same as in ZIP 244.

-

A.3: orchard_auth_digest

+

A.3: orchard_zsa_auth_digest

In the case that OrchardZSA Action Groups are present, this is a BLAKE2b-256 hash of the following values:

- 
A.3a: orchard_action_groups_auth_digest  (32-byte hash output)  [ADDED FOR ZSA]
-A.3b: bindingSigOrchard                  (field encoding bytes)
+ 
A.3a: orchard_zsa_action_groups_auth_digest  (32-byte hash output)
+A.3b: bindingSigOrchard                      (field encoding bytes)

The personalization field of this hash is the same as in ZIP 244, that is:

"ZTxAuthOrchaHash"
-

In case that the transaction has no OrchardZSA Action Groups, orchard_auth_digest is:

+

In case that the transaction has no OrchardZSA Action Groups, orchard_zsa_auth_digest is:

BLAKE2b-256("ZTxAuthOrchaHash", [])
-
A.3a: orchard_action_groups_auth_digest
+
A.3a: orchard_zsa_action_groups_auth_digest

This is a BLAKE2b-256 hash of the proofsOrchard and spendAuthSigsOrchard fields of all OrchardZSA Action Groups belonging to the transaction:

A.3a.i:  proofsOrchard               (field encoding bytes)
 A.3a.ii: spendAuthSigsOrchard        (field encoding bytes)
diff --git a/zips/zip-0226.rst b/zips/zip-0226.rst index 895cf4a21..abab90105 100644 --- a/zips/zip-0226.rst +++ b/zips/zip-0226.rst @@ -349,7 +349,7 @@ TxId Digest =========== The transaction digest algorithm defined in ZIP 244 [#zip-0244]_ is modified by the OrchardZSA protocol to add a new branch for issuance information, along with replacement of the ``orchard_digest`` with a new ``orchard_zsa_digest`` to account for the inclusion of the Asset Base and the updated transaction format. -The details of these changes are described in this section, and highlighted using the ``[UPDATED FOR ZSA]`` or ``[ADDED FOR ZSA]`` text label. We omit the details of the sections that do not change for the OrchardZSA protocol. +The details of these changes are described in this section, and highlighted using the ``[ADDED FOR ZSA]`` text label. We omit the details of the sections that do not change for the OrchardZSA protocol. txid_digest ----------- @@ -514,14 +514,14 @@ Authorizing Data Commitment =========================== The transaction digest algorithm defined in ZIP 244 [#zip-0244-authcommitment]_ which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. -There is a new branch added for issuance information, along with modifications within the ``orchard_auth_digest`` to account for the presence of Action Groups. +There is a new branch added for issuance information, and the ``orchard_auth_digest`` in ZIP 244 is replaced with ``orchard_zsa_auth_digest`` to account for the presence of Action Groups. -We highlight the changes for the OrchardZSA protocol via the ``[UPDATED FOR ZSA]`` or ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:: +We highlight the changes for the OrchardZSA protocol via the ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:: auth_digest ├── transparent_scripts_digest ├── sapling_auth_digest - ├── orchard_auth_digest [UPDATED FOR ZSA] + ├── orchard_zsa_auth_digest [ADDED FOR ZSA] └── issuance_auth_digest [ADDED FOR ZSA] The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block. @@ -532,30 +532,30 @@ A BLAKE2b-256 hash of the following values :: A.1: transparent_scripts_digest (32-byte hash output) A.2: sapling_auth_digest (32-byte hash output) - A.3: orchard_auth_digest (32-byte hash output) [UPDATED FOR ZSA] + A.3: orchard_zsa_auth_digest (32-byte hash output) [ADDED FOR ZSA] A.4: issuance_auth_digest (32-byte hash output) [ADDED FOR ZSA] The personalization field of this hash remains the same as in ZIP 244. -A.3: orchard_auth_digest -```````````````````````` +A.3: orchard_zsa_auth_digest +```````````````````````````` In the case that OrchardZSA Action Groups are present, this is a BLAKE2b-256 hash of the following values:: - A.3a: orchard_action_groups_auth_digest (32-byte hash output) [ADDED FOR ZSA] - A.3b: bindingSigOrchard (field encoding bytes) + A.3a: orchard_zsa_action_groups_auth_digest (32-byte hash output) + A.3b: bindingSigOrchard (field encoding bytes) The personalization field of this hash is the same as in ZIP 244, that is:: "ZTxAuthOrchaHash" -In case that the transaction has no OrchardZSA Action Groups, ``orchard_auth_digest`` is:: +In case that the transaction has no OrchardZSA Action Groups, ``orchard_zsa_auth_digest`` is:: BLAKE2b-256("ZTxAuthOrchaHash", []) -A.3a: orchard_action_groups_auth_digest -''''''''''''''''''''''''''''''''''''''' +A.3a: orchard_zsa_action_groups_auth_digest +''''''''''''''''''''''''''''''''''''''''''' This is a BLAKE2b-256 hash of the ``proofsOrchard`` and ``spendAuthSigsOrchard`` fields of all OrchardZSA Action Groups belonging to the transaction:: From 8144de6386d11b80fd7f877da1456ca61e45885b Mon Sep 17 00:00:00 2001 From: Vivek Arte Date: Tue, 28 Jan 2025 20:03:57 +0530 Subject: [PATCH 3/4] adding action_groups_auth_digest changes --- rendered/zip-0226.html | 2 +- zips/zip-0226.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rendered/zip-0226.html b/rendered/zip-0226.html index d40bea078..1d4fe1112 100644 --- a/rendered/zip-0226.html +++ b/rendered/zip-0226.html @@ -586,7 +586,7 @@

The

In case that the transaction has no OrchardZSA Action Groups, orchard_zsa_auth_digest is:

BLAKE2b-256("ZTxAuthOrchaHash", [])
A.3a: orchard_zsa_action_groups_auth_digest
-

This is a BLAKE2b-256 hash of the proofsOrchard and spendAuthSigsOrchard fields of all OrchardZSA Action Groups belonging to the transaction:

+

This is a BLAKE2b-256 hash of the proofsOrchard field of all OrchardZSA Action Groups belonging to the transaction; followed by the spendAuthSigsOrchard fields corresponding to every OrchardZSA Action in the OrchardZSA Action Group, for all OrchardZSA Action Groups belonging to the transaction:

A.3a.i:  proofsOrchard               (field encoding bytes)
 A.3a.ii: spendAuthSigsOrchard        (field encoding bytes)

The personalization field of this hash is set to:

diff --git a/zips/zip-0226.rst b/zips/zip-0226.rst index abab90105..04046678a 100644 --- a/zips/zip-0226.rst +++ b/zips/zip-0226.rst @@ -557,7 +557,7 @@ In case that the transaction has no OrchardZSA Action Groups, ``orchard_zsa_auth A.3a: orchard_zsa_action_groups_auth_digest ''''''''''''''''''''''''''''''''''''''''''' -This is a BLAKE2b-256 hash of the ``proofsOrchard`` and ``spendAuthSigsOrchard`` fields of all OrchardZSA Action Groups belonging to the transaction:: +This is a BLAKE2b-256 hash of the ``proofsOrchard`` field of all OrchardZSA Action Groups belonging to the transaction; followed by the ``spendAuthSigsOrchard`` fields corresponding to every OrchardZSA Action in the OrchardZSA Action Group, for all OrchardZSA Action Groups belonging to the transaction:: A.3a.i: proofsOrchard (field encoding bytes) A.3a.ii: spendAuthSigsOrchard (field encoding bytes) From 1a993bdc8a014068e1dca8e270987cedf2008417 Mon Sep 17 00:00:00 2001 From: Vivek Arte Date: Tue, 18 Feb 2025 20:28:17 +0530 Subject: [PATCH 4/4] fixing minor spacing error --- rendered/zip-0226.html | 2 +- zips/zip-0226.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rendered/zip-0226.html b/rendered/zip-0226.html index 1d4fe1112..3ab4b7163 100644 --- a/rendered/zip-0226.html +++ b/rendered/zip-0226.html @@ -484,7 +484,7 @@

The 
T.4a.i   : orchard_zsa_actions_compact_digest      (32-byte hash output)
 T.4a.ii  : orchard_zsa_actions_memos_digest        (32-byte hash output)
 T.4a.iii : orchard_zsa_actions_noncompact_digest   (32-byte hash output)
-T.4a.iv  : orchard_zsa_burn_digest             (32-byte hash output)
+T.4a.iv  : orchard_zsa_burn_digest                 (32-byte hash output)
 T.4a.v   : flagsOrchard                            (1 byte)
 T.4a.vi  : anchorOrchard                           (32 bytes)
 T.4a.vii : nAGExpiryHeight                         (4 bytes)
diff --git a/zips/zip-0226.rst b/zips/zip-0226.rst index 04046678a..cfa9759ae 100644 --- a/zips/zip-0226.rst +++ b/zips/zip-0226.rst @@ -387,7 +387,7 @@ For each Action Group, the following elements are included in the hash:: T.4a.i : orchard_zsa_actions_compact_digest (32-byte hash output) T.4a.ii : orchard_zsa_actions_memos_digest (32-byte hash output) T.4a.iii : orchard_zsa_actions_noncompact_digest (32-byte hash output) - T.4a.iv : orchard_zsa_burn_digest (32-byte hash output) + T.4a.iv : orchard_zsa_burn_digest (32-byte hash output) T.4a.v : flagsOrchard (1 byte) T.4a.vi : anchorOrchard (32 bytes) T.4a.vii : nAGExpiryHeight (4 bytes)