[ZIP 230, ZIP 246] v6 transaction format and sighash#987
Conversation
It can always be derived, and would need to be re-derived for verification purposes anyway.
This performs various improvements to the naming of the branches of the TxID and Signature Digests, and the Authorizing Data Commitment, as initially suggested in the review of QED-it/zcash-test-vectors#24. (adapted from commit QED-it/zips@8662fd6)
Rationale: these are long enough as it is, and ZSAs are an augmentation to the existing Orchard pool, not a new pool of funds.
str4d
force-pushed
the
v6-tx-format-and-sighash
branch
from
b15642a to
b0d8fbd
Compare
Signed-off-by: Daira-Emma Hopwood <daira@jacaranda.org>
clean up some formatting. Signed-off-by: Daira-Emma Hopwood <daira@jacaranda.org>
There was a problem hiding this comment.
One of the changes relevant for the sighash and transaction format is the move of the burn field information into the action groups.
Note that this is independent of any subsequent versioning etc for Swaps specific changes, it is natural to have the burn information a part of each Action Group.
I've made those changes as suggestions in this review, along with a few smaller suggestions.
Co-authored-by: Vivek Arte <46618816+vivek-arte@users.noreply.github.com>
| - Sighash versions are numbered starting from 0 for each tx version. | ||
| - v0 is by convention the "commit to everything" sighash digest. Other versions can commit to whatever makes sense for desired functionality within that tx version. | ||
| - Have a single byte encoded alongside the signature (not appended the way transparent does) that permits the signer to specify which sighash version they are using. | ||
| - Consensus rules choose the digest algorithm for each signer based on that byte. |
There was a problem hiding this comment.
We should clarify that the consensus rules choose from the available digest algorithms for the (consensus_branch_id, transaction_version) tuple under question (both of which are committed to by the transaction, and can therefore be checked non-contextually). For the NU7 consensus branch ID, there will only be one available digest version for v6 transactions (the v0 digests).
|
|
||
| - Sighash versions are numbered starting from 0 for each tx version. | ||
| - v0 is by convention the "commit to everything" sighash digest. Other versions can commit to whatever makes sense for desired functionality within that tx version. | ||
| - Have a single byte encoded alongside the signature (not appended the way transparent does) that permits the signer to specify which sighash version they are using. |
There was a problem hiding this comment.
In ZIP Sync, we discussed how this should be represented. We identified that one of the issues we have with how transparent sighash types are handled is that they are considered authorizing data (they are appended to signatures and are thus part of the signature, chosen at signing time by the signer). We decided that for sighash versioning, we'd prefer them to be effecting data. This means:
- For Sapling
spendAuthSig, this would be an extra byte on the Spend Description. - For Orchard
spendAuthSig, this would be an extra byte on the Action Description. - For
bindingSigs, we place an extra byte in the corresponding bundles. - For transparent, due to the lack of a 1:1 between inputs and signatures (as an arbitrary number of signatures can exist within a
scriptSig), this would be an extra byte on the CTxIn that is used for every signature authorizing the input.- @daira doesn't think we need it at the per-input level for transparent (Ya Ain't Gonna Need It), while @str4d says this is useful for symmetry (the effecting data is then consistently at the per-input level) and that we are trying to create a design that doesn't restrict what kinds of sighash digest algorithms we might want to create in future. @nuttycom is happy to have it at the per-input level for now, and we can adjust if we discover difficulties.
- Note that there is no requirement for future sighash digest algorithms to pay any attention to the
sighash_typeappended to each signature. It is entirely fine for us to treat that as a v0-specific behaviour (or even decide to phase it out in future transaction versions, though we are explicitly choosing to keep it for the v6 transaction's v0 digest algorithm).
There was a problem hiding this comment.
I rather strongly don't want very much if any additional complexity or work associated with transparent features.
| | 1 |``flagsOrchard`` |``byte`` |As defined in Section 7.1 of the Protocol Specification | | ||
| | | | |[#protocol-txnencoding]_. | |
There was a problem hiding this comment.
These should reference ZIP 225, or a more precise reference within the protocol spec, instead of section 7.1.
| @@ -222,86 +203,111 @@ Transaction Format | |||
|
|
|||
There was a problem hiding this comment.
At line 191, change SpendDescriptionV6 to SpendDescriptionV5, and add an extra bullet point:
* There is no ``SpendDescriptionV6`` because the format of Sapling Spend descriptions
has not changed from ``SpendDescriptionV5`` [#zip-0225]_.
| @@ -315,31 +321,39 @@ We introduce the ``nAGExpiryHeight`` field in this transaction format in order t | |||
| For the OrchardZSA protocol, which does not make use of an additional expiry height for transactions, we set the value of ``nAGExpiryHeight`` to be ``0`` by consensus. | |||
There was a problem hiding this comment.
We need to ensure that a conformance requirement exists within the specification that requires nAGExpiryHeight to be zero as of NU7.
However, the consistency between nAGExpiryHeight and the overall transaction expiry height should be specified here (though not in the rationale section.)
nuttycom
force-pushed
the
v6-tx-format-and-sighash
branch
from
2755ae9 to
a5b5756
Compare
Reviewed with @str4d, @arya, @SamHSmith Co-authored-by: Vivek Arte <46618816+vivek-arte@users.noreply.github.com>
str4d
force-pushed
the
v6-tx-format-and-sighash
branch
from
a5b5756 to
2225f87
Compare
|
Force-pushed to undo the render, and fix my review comments. |
| ``vSpendAuthSigsOrchard``, each have a 1:1 correspondence to the elements of | ||
| ``vActionsOrchard`` and MUST be ordered such that the proof or signature at a given | ||
| index corresponds to the ``OrchardZSAAction`` at the same index. | ||
| * If thee value of ``nAGExpiryHeight`` is nonzero, it MUST be consistent with |
There was a problem hiding this comment.
| * If thee value of ``nAGExpiryHeight`` is nonzero, it MUST be consistent with | |
| * If the value of ``nAGExpiryHeight`` is nonzero, it MUST be consistent with |
There was a problem hiding this comment.
Please also regenerate README.rst.
There was a problem hiding this comment.
I don't think that the .rst generation should be a blocker for PRs merging; having CI do the publishing ensures that the zips.z.cash render is up to date, and regenerating the .rst can be done opportunistically, out-of-band. We will not expect third-party contributors to do this regeneration, in any case.
nuttycom
left a comment
nuttycom
left a comment
There was a problem hiding this comment.
ACK for interim merge; there will be follow-up PRs for ZIP 246 regardless.
| +-----------------------------+------------------------------+------------------------------------------------+---------------------------------------------------------------------+ | ||
| | 8 |``fee`` |``uint64`` |The fee to be paid by this transaction, in zatoshis. | | ||
| +-----------------------------+------------------------------+------------------------------------------------+---------------------------------------------------------------------+ | ||
| | 8 |``burnAmount`` |``uint64`` |The value to be burned in this transaction, in zatoshis. | |
There was a problem hiding this comment.
nit: Is this field name changing, or are we still calling it "burning"?
| | 32 |``AssetBase`` |``byte[32]`` |For the OrchardZSA protocol, this is the encoding of the Asset Base | | ||
| | | | |:math:`\mathsf{AssetBase^{Orchard}}\!`. | | ||
| +-----------------------------+------------------------------+------------------------------------------------+---------------------------------------------------------------------+ | ||
| | 8 |``valueBurn`` |``uint64`` |The amount being burnt. The value is checked by consensus to be | |
There was a problem hiding this comment.
Given that this is a burn, in contrast to the ZSF deposit, I think it's important to have different naming.
| T.4a.i : orchard_actions_compact_digest (32-byte hash output) | ||
| T.4a.ii : orchard_actions_noncompact_digest (32-byte hash output) |
There was a problem hiding this comment.
TODO: all that we need here is the noncompact digest.
| T.3b.i: sapling_outputs_compact_digest (32-byte hash) | ||
| T.3b.ii: sapling_outputs_noncompact_digest (32-byte hash) |
There was a problem hiding this comment.
TODO: all we need is the noncompact digest.
| +-----------------------------+------------------------------+------------------------------------------------+---------------------------------------------------------------------+ | ||
| | 8 |``fee`` |``uint64`` |The fee to be paid by this transaction, in zatoshis. | | ||
| +-----------------------------+------------------------------+------------------------------------------------+---------------------------------------------------------------------+ | ||
| | 8 |``burnAmount`` |``uint64`` |The value to be burned in this transaction, in zatoshis. | |
There was a problem hiding this comment.
| | 8 |``burnAmount`` |``uint64`` |The value to be burned in this transaction, in zatoshis. | | |
| | 8 |``zip233Amount`` |``uint64`` |The value to be removed from circulation in this transaction, in | | |
| | | | |zatoshis. | |
There was a problem hiding this comment.
This change can be made in a future PR, to avoid foramtting issues.
The merge of zcash#987 happened to delete the table entry for the Asset Base in the Issue Note. We are adding it back here.
This PR performs the change from zcash/zips#987 to remove the asset base from the issue note description. It also makes the follow-on reorderings suggested in zcash/zips#1086 and zcash/zips#1088. The test vectors are updated in QED-it/zcash-test-vectors#36 and copied in from there. --------- Co-authored-by: Constance Beguier <constance@qed-it.com>
5 participants
Incomplete todo list: