OrchardZSA Transaction Structure 
- The transaction format for v6 transactions is described in ZIP 230 14.
+The transaction format for v6 transactions is described in ZIP 230 13.
TxId Digest
- The transaction digest algorithm defined in ZIP 244 15 is modified by the OrchardZSA protocol to add a new branch for issuance information, along with modifications within the orchard_digest to account for the inclusion of the Asset Base. The details of these changes are described in this section, and highlighted using the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the OrchardZSA protocol.
The transaction digest algorithm defined in ZIP 244 14 is modified by the OrchardZSA protocol to add a new branch for issuance information, along with replacement of the orchard_digest with a new orchard_zsa_digest to account for the inclusion of the Asset Base and the updated transaction format. The details of these changes are described in this section, and highlighted using the [ADDED FOR ZSA] text label. We omit the details of the sections that do not change for the OrchardZSA protocol.
txid_digest
A BLAKE2b-256 hash of the following values:
T.1: header_digest (32-byte hash output) T.2: transparent_digest (32-byte hash output) T.3: sapling_digest (32-byte hash output) -T.4: orchard_digest (32-byte hash output) [UPDATED FOR ZSA] +T.4: orchard_zsa_digest (32-byte hash output) [ADDED FOR ZSA] T.5: issuance_digest (32-byte hash output) [ADDED FOR ZSA]-
The personalization field remains the same as in ZIP 244 15.
-T.4: orchard_digest
+ The personalization field remains the same as in ZIP 244 14.
+T.4: orchard_zsa_digest
When OrchardZSA Actions Groups are present in the transaction, this digest is a BLAKE2b-256 hash of the following values:
-T.4a: orchard_action_groups_digest (32-byte hash output) [ADDED FOR ZSA] -T.4b: orchard_zsa_burn_digest (32-byte hash output) [ADDED FOR ZSA] -T.4c: valueBalanceOrchard (64-bit signed little-endian)-
The personalization field of this hash is the same as in ZIP 244 15
+T.4a: orchard_zsa_action_groups_digest (32-byte hash output) +T.4b: valueBalanceOrchard (64-bit signed little-endian)+
The personalization field of this hash is the same as for orchard_digest in ZIP 244 14
"ZTxIdOrchardHash"-
In the case that the transaction has no OrchardZSA Action Groups, orchard_digest is
In the case that the transaction has no OrchardZSA Action Groups, orchard_zsa_digest is
BLAKE2b-256("ZTxIdOrchardHash", [])
- T.4a: orchard_action_groups_digest
+ T.4a: orchard_zsa_action_groups_digest
A BLAKE2b-256 hash of the subset of OrchardZSA Action Groups information for all OrchardZSA Action Groups belonging to the transaction. For each Action Group, the following elements are included in the hash:
-T.4a.i : orchard_actions_compact_digest (32-byte hash output) -T.4a.ii : orchard_actions_memos_digest (32-byte hash output) -T.4a.iii: orchard_actions_noncompact_digest (32-byte hash output) -T.4a.iv : flagsOrchard (1 byte) -T.4a.v : anchorOrchard (32 bytes) -T.4a.vi : nAGExpiryHeight (4 bytes)+
T.4a.i : orchard_zsa_actions_compact_digest (32-byte hash output) +T.4a.ii : orchard_zsa_actions_memos_digest (32-byte hash output) +T.4a.iii : orchard_zsa_actions_noncompact_digest (32-byte hash output) +T.4a.iv : orchard_zsa_burn_digest (32-byte hash output) +T.4a.v : flagsOrchard (1 byte) +T.4a.vi : anchorOrchard (32 bytes) +T.4a.vii : nAGExpiryHeight (4 bytes)
The personalization field of this hash is set to:
"ZTxIdOrcActGHash"-
T.4a.i: orchard_actions_compact_digest
+ T.4a.i: orchard_zsa_actions_compact_digest
A BLAKE2b-256 hash of the subset of OrchardZSA Action information intended to be included in an updated version of the ZIP-307 17 CompactBlock format for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:
T.4a.i.1 : nullifier (field encoding bytes) T.4a.i.2 : cmx (field encoding bytes) T.4a.i.3 : ephemeralKey (field encoding bytes) -T.4a.i.4 : encCiphertext[..84] (First 84 bytes of field encoding) [UPDATED FOR ZSA]-
The personalization field of this hash is the same as in ZIP 244:
+T.4a.i.4 : encCiphertext[..84] (First 84 bytes of field encoding) +The personalization field of this hash is the same as for orchard_actions_compact_digest in ZIP 244:
"ZTxIdOrcActCHash"
T.4a.ii: orchard_actions_memos_digest
+ T.4a.ii: orchard_zsa_actions_memos_digest
A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:
-T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field) [UPDATED FOR ZSA]-
The personalization field of this hash remains identical to ZIP 244:
+T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field)+
The personalization field of this hash is identical to that for orchard_actions_memos_digest in ZIP 244:
"ZTxIdOrcActMHash"
T.4a.iii: orchard_actions_noncompact_digest
+ T.4a.iii: orchard_zsa_actions_noncompact_digest
A BLAKE2b-256 hash of the remaining subset of OrchardZSA Action information not intended for inclusion in an updated version of the the ZIP 307 17 CompactBlock format, for all OrchardZSA Actions belonging to the Action Group. For each Action, the following elements are included in the hash:
T.4a.iii.1 : cv (field encoding bytes) T.4a.iii.2 : rk (field encoding bytes) -T.4a.iii.3 : encCiphertext[596..] (post-memo suffix of field encoding) [UPDATED FOR ZSA] +T.4a.iii.3 : encCiphertext[596..] (post-memo suffix of field encoding) T.4a.iii.4 : outCiphertext (field encoding bytes)-
The personalization field of this hash is defined identically to ZIP 244:
+The personalization field of this hash is defined just as for orchard_actions_noncompact_digest in ZIP 244:
"ZTxIdOrcActNHash"
T.4b: orchard_zsa_burn_digest
- A BLAKE2b-256 hash of the data from the burn fields of the transaction. For each tuple in the - \(\mathsf{assetBurn}\) - set, the following elements are included in the hash:
-T.4b.i : assetBase (field encoding bytes) -T.4b.ii: valueBurn (field encoding bytes)-
The personalization field of this hash is set to:
-"ZTxIdOrcBurnHash"-
In case the transaction does not perform the burning of any Assets (i.e. the - \(\mathsf{assetBurn}\) - set is empty), the ''orchard_zsa_burn_digest'' is:
-BLAKE2b-256("ZTxIdOrcBurnHash", [])
- T.4b.i: assetBase
- The Asset Base being burnt encoded as the 32-byte representation of a point on the Pallas curve.
-T.4b.ii: valueBurn
- Value of the Asset Base being burnt encoded as little-endian 8-byte representation of 64-bit unsigned integer (e.g. u64 in Rust) raw value.
+T.4a.iv: orchard_zsa_burn_digest
+ A BLAKE2b-256 hash of the data from the burn fields of the transaction. For each tuple in the + \(\mathsf{assetBurn}\) + set, the following elements are included in the hash:
+T.4a.iv.1 : assetBase (field encoding bytes) +T.4a.iv.2 : valueBurn (field encoding bytes)+
The personalization field of this hash is set to:
+"ZTxIdOrcBurnHash"+
In case the transaction does not perform the burning of any Assets (i.e. the
+ \(\mathsf{assetBurn}\)
+ set is empty), the orchard_zsa_burn_digest is:
BLAKE2b-256("ZTxIdOrcBurnHash", [])
The
Signature Digest
- The details of the changes to this algorithm are in ZIP 227 11.
+The per-input transaction digest algorithm to generate the signature digest in ZIP 244 15 is modified so that a signature digest is produced for each transparent input, each Sapling input, each OrchardZSA Action, and additionally for each Issuance Action. The modifications replace the orchard_digest in ZIP 244 with a new orchard_zsa_digest, and add a new branch, issuance_digest, for the Issuance Action information.
The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:
signature_digest +├── header_digest +├── transparent_sig_digest +├── sapling_digest +├── orchard_zsa_digest [ADDED FOR ZSA] +└── issuance_digest [ADDED FOR ZSA]+
signature_digest
+ A BLAKE2b-256 hash of the following values
+S.1: header_digest (32-byte hash output) +S.2: transparent_sig_digest (32-byte hash output) +S.3: sapling_digest (32-byte hash output) +S.4: orchard_zsa_digest (32-byte hash output) [ADDED FOR ZSA] +S.5: issuance_digest (32-byte hash output) [ADDED FOR ZSA]+
The personalization field remains the same as in ZIP 244 14, namely:
+"ZcashTxHash_" || CONSENSUS_BRANCH_ID+
ZcashTxHash_ has 1 underscore character.
S.4: orchard_zsa_digest
+ Identical to that specified for the transaction identifier.
+S.5: issuance_digest
+ Identical to the issuance_digest specified for the transaction identifier in ZIP 227 zip-0227-txiddigest.
Authorizing Data Commitment
- The transaction digest algorithm defined in ZIP 244 16 which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. There is a new branch added for issuance information, along with modifications within the orchard_auth_digest to account for the presence of Action Groups.
We highlight the changes for the OrchardZSA protocol via the [UPDATED FOR ZSA] or [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:
The transaction digest algorithm defined in ZIP 244 16 which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section. There is a new branch added for issuance information, and the orchard_auth_digest in ZIP 244 is replaced with orchard_zsa_auth_digest to account for the presence of Action Groups.
We highlight the changes for the OrchardZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:
auth_digest ├── transparent_scripts_digest ├── sapling_auth_digest -├── orchard_auth_digest [UPDATED FOR ZSA] +├── orchard_zsa_auth_digest [ADDED FOR ZSA] └── issuance_auth_digest [ADDED FOR ZSA]
The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.
auth_digest
A BLAKE2b-256 hash of the following values
A.1: transparent_scripts_digest (32-byte hash output) A.2: sapling_auth_digest (32-byte hash output) -A.3: orchard_auth_digest (32-byte hash output) [UPDATED FOR ZSA] +A.3: orchard_zsa_auth_digest (32-byte hash output) [ADDED FOR ZSA] A.4: issuance_auth_digest (32-byte hash output) [ADDED FOR ZSA]
The personalization field of this hash remains the same as in ZIP 244.
-A.3: orchard_auth_digest
+ A.3: orchard_zsa_auth_digest
In the case that OrchardZSA Action Groups are present, this is a BLAKE2b-256 hash of the following values:
-A.3a: orchard_action_groups_auth_digest (32-byte hash output) [ADDED FOR ZSA] -A.3b: bindingSigOrchard (field encoding bytes)+
A.3a: orchard_zsa_action_groups_auth_digest (32-byte hash output) +A.3b: bindingSigOrchard (field encoding bytes)
The personalization field of this hash is the same as in ZIP 244, that is:
"ZTxAuthOrchaHash"-
In case that the transaction has no OrchardZSA Action Groups, orchard_auth_digest is:
In case that the transaction has no OrchardZSA Action Groups, orchard_zsa_auth_digest is:
BLAKE2b-256("ZTxAuthOrchaHash", [])
- A.3a: orchard_action_groups_auth_digest
- This is a BLAKE2b-256 hash of the proofsOrchard and spendAuthSigsOrchard fields of all OrchardZSA Action Groups belonging to the transaction:
A.3a: orchard_zsa_action_groups_auth_digest
+ This is a BLAKE2b-256 hash of the proofsOrchard field of all OrchardZSA Action Groups belonging to the transaction; followed by the spendAuthSigsOrchard fields corresponding to every OrchardZSA Action in the OrchardZSA Action Group, for all OrchardZSA Action Groups belonging to the transaction:
A.3a.i: proofsOrchard (field encoding bytes) A.3a.ii: spendAuthSigsOrchard (field encoding bytes)
The personalization field of this hash is set to:
@@ -576,7 +594,7 @@The
A.4: issuance_auth_digest
- The details of the computation of this value are in ZIP 227 12.
+The details of the computation of this value are in ZIP 227 11.
The
Other Considerations
Transaction Fees
- The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 227 13.
+The fee mechanism for the upgrades proposed in this ZIP will follow the mechanism described in ZIP 317 for the OrchardZSA protocol upgrade, and are described in ZIP 227 12.
Backward Compatibility
In order to have backward compatibility with the ZEC notes, we have designed the circuit to support both ZEC and OrchardZSA notes. As we specify above, there are three main reasons we can do this:
@@ -702,43 +720,43 @@The -
| 11 | -ZIP 227: Issuance of Zcash Shielded Assets: Signature Digest | +ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment |
|---|
| 12 | -ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment | +ZIP 227: Issuance of Zcash Shielded Assets: OrchardZSA Fee Calculation |
|---|
| 13 | -ZIP 227: Issuance of Zcash Shielded Assets: OrchardZSA Fee Calculation | +ZIP 230: Version 6 Transaction Format |
|---|
| 14 | -ZIP 230: Version 6 Transaction Format | +ZIP 244: Transaction Identifier Non-Malleability |
|---|
| 15 | -ZIP 244: Transaction Identifier Non-Malleability | +ZIP 244: Transaction Identifier Non-Malleability: Signature Digest |
|---|
The complete encoding of these fields into an IssueNote is defined in ZIP 230 16.
The complete encoding of these fields into an IssueNote is defined in ZIP 230 17.
Let \(\mathsf{Note^{Issue}}\) be the type of an Issue Note, i.e.
@@ -373,7 +373,7 @@The \(\mathsf{finalize}\) boolean is set by the Issuer to signal that there will be no further issuance of the specific Custom Asset. As we will see in Specification: Consensus Rule Changes, transactions that attempt to issue further amounts of a Custom Asset that has previously been finalized will be rejected.
-The complete encoding of these fields into an IssueAction is defined in ZIP 230 15.
The complete encoding of these fields into an IssueAction is defined in ZIP 230 16.
Issuance Bundle
An issuance bundle is the aggregate of all the issuance-related information. Specifically, contains all the issuance actions and the issuer signature on the transaction SIGHASH that validates the issuance itself. It contains the following fields:
@@ -390,7 +390,7 @@ \(\mathsf{isk}\!\) , that validates the issuance. -The issuance bundle is added within the transaction format as a new bundle. The detailed encoding of the issuance bundle as a part of the V6 transaction format is defined in ZIP 230 17.
+The issuance bundle is added within the transaction format as a new bundle. The detailed encoding of the issuance bundle as a part of the V6 transaction format is defined in ZIP 230 18.
Computation of ρ
We define a function @@ -757,7 +757,7 @@
TxId Digest - Issuance
- This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 13. As in ZIP 244 19, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.
+This section details the construction of the subtree of hashes in the transaction digest that corresponds to issuance transaction data. Details of the overall changes to the transaction digest due to the OrchardZSA protocol can be found in ZIP 226 13. As in ZIP 244 20, the digests are all personalized BLAKE2b-256 hashes, and in cases where no elements are available for hashing, a personalized hash of the empty byte array is used.
A new issuance transaction digest algorithm is defined that constructs the subtree of the transaction digest tree of hashes for the issuance portion of a transaction. Each branch of the subtree will correspond to a specific subset of issuance transaction data. The overall structure of the hash is as follows; each name referenced here will be described in detail below:
issuance_digest ├── issue_actions_digest @@ -772,7 +772,7 @@ T.5b: issuanceValidatingKey (32 bytes)
The personalization field of this hash is set to:
"ZTxIdSAIssueHash"-
In case the transaction has no issuance components, ''issuance_digest'' is:
+In case the transaction has no issuance components, issuance_digest is:
BLAKE2b-256("ZTxIdSAIssueHash", [])
T.5a: issue_actions_digest
A BLAKE2b-256 hash of Issue Action information for all Issuance Actions belonging to the transaction. For each Action, the following elements are included in the hash:
@@ -790,7 +790,7 @@ T.5a.i.5: rseed (field encoding bytes)The personalization field of this hash is set to:
"ZTxIdIAcNoteHash"-
In case the transaction has no Issue Notes, ''issue_notes_digest'' is:
+In case the transaction has no Issue Notes, issue_notes_digest is:
BLAKE2b-256("ZTxIdIAcNoteHash", [])
T.5a.i.1: recipient
This is the raw encoding of an Orchard shielded payment address as defined in the protocol specification 32.
@@ -827,29 +827,10 @@Signature Digest
- The per-input transaction digest algorithm to generate the signature digest in ZIP 244 20 is modified so that a signature digest is produced for each transparent input, each Sapling input, each Orchard action, and additionally for each Issuance Action. For Issuance Actions, this algorithm has the exact same output as the transaction digest algorithm, thus the txid may be signed directly.
-The overall structure of the hash is as follows. We highlight the changes for the OrchardZSA protocol via the [ADDED FOR ZSA] text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol:
signature_digest -├── header_digest -├── transparent_sig_digest -├── sapling_digest -├── orchard_digest -└── issuance_digest [ADDED FOR ZSA]-
signature_digest
- A BLAKE2b-256 hash of the following values
-S.1: header_digest (32-byte hash output) -S.2: transparent_sig_digest (32-byte hash output) -S.3: sapling_digest (32-byte hash output) -S.4: orchard_digest (32-byte hash output) -S.5: issuance_digest (32-byte hash output) [ADDED FOR ZSA]-
The personalization field remains the same as in ZIP 244 19.
-S.5: issuance_digest
- Identical to that specified for the transaction identifier.
-The changes to the signature digest are specified in ZIP 226 14.
Authorizing Data Commitment - Issuance
- This section covers the construction of the subtree of hashes in the authorizing data commitment that corresponds to issuance transaction data. Details of the overall changes to the authorizing data commitment due to the OrchardZSA protocol can be found in ZIP 226 14.
+This section covers the construction of the subtree of hashes in the authorizing data commitment that corresponds to issuance transaction data. Details of the overall changes to the authorizing data commitment due to the OrchardZSA protocol can be found in ZIP 226 15.
A.4: issuance_auth_digest
In the case that Issuance Actions are present, this is a BLAKE2b-256 hash of the field encoding of the issueAuthSig field of the transaction:
A.4a: issueAuthSig (field encoding bytes)@@ -860,7 +841,7 @@
OrchardZSA Fee Calculation
- In addition to the parameters defined in the Fee calculation section of ZIP 317 21, the OrchardZSA protocol upgrade defines the following additional parameters:
+In addition to the parameters defined in the Fee calculation section of ZIP 317 21, the OrchardZSA protocol upgrade defines the following additional parameters:
The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 33 and the global state. They are defined in the Fee calculation section of ZIP 317 21. Note that +
The other inputs to this formula are taken from transaction fields defined in the Zcash protocol specification 33 and the global state. They are defined in the Fee calculation section of ZIP 317 21. Note that \(nOrchardActions\!\) , that is used in the computation of \(logical\_actions\!\) @@ -959,7 +940,7 @@
Bridging Assets
- For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.
+For bridging purposes, the secure method of off-boarding Assets is to burn an Asset with the burning mechanism in ZIP 226 10. Users should be aware of issuers that demand the Assets be sent to a specific address on the Zcash chain to be redeemed elsewhere, as this may not reflect the real reserve value of the specific Wrapped Asset.
Other Considerations
@@ -973,7 +954,7 @@
in order to properly keep track of the total supply for different Asset Identifiers. This is useful for wallets and other applications that need to keep track of the total supply of Assets.
Fee Structures
- The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317, and is described in ZIP 230 18.
+The fee mechanism described in this ZIP will follow the mechanism described in ZIP 317, and is described in ZIP 230 19.
Test Vectors
@@ -1095,59 +1076,59 @@
| 14 | -ZIP 226: Transfer and Burn of Zcash Shielded Assets - Authorizing Data Commitment | +ZIP 226: Transfer and Burn of Zcash Shielded Assets: Signature Digest |
|---|
| 15 | -ZIP 230: Version 6 Transaction Format: Issuance Action Description (IssueAction) | +ZIP 226: Transfer and Burn of Zcash Shielded Assets - Authorizing Data Commitment |
|---|
| 16 | -ZIP 230: Version 6 Transaction Format: Issue Note (IssueNote) | +ZIP 230: Version 6 Transaction Format: Issuance Action Description (IssueAction) |
|---|
| 17 | -ZIP 230: Version 6 Transaction Format: Transaction Format | +ZIP 230: Version 6 Transaction Format: Issue Note (IssueNote) |
|---|
| 18 | -ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation | +ZIP 230: Version 6 Transaction Format: Transaction Format |
|---|
| 19 | -ZIP 244: Transaction Identifier Non-Malleability | +ZIP 230: Version 6 Transaction Format: OrchardZSA Fee Calculation |
|---|
| 20 | -ZIP 244: Transaction Identifier Non-Malleability: Signature Digest | +ZIP 244: Transaction Identifier Non-Malleability |
|---|
int64variesnAssetBurncompactSize40 * nAssetBurnvAssetBurnAssetBurn[nAssetBurn]64bindingSigOrchardbyte[64 * nActionsOrchard]variesnAssetBurncompactSize40 * nAssetBurnvAssetBurnAssetBurn[nAssetBurn]The encoding of OrchardZSAAction is described below.
The encodings of OrchardZSAAction and AssetBurn are described below.
- The proofs aggregated in
proofsOrchardZSA, and the elements ofvSpendAuthSigsOrchard, each have a 1:1 correspondence to the elements ofvActionsOrchardand MUST be ordered such that the proof or signature at a given index corresponds to theOrchardZSAActionat the same index.