Skip to content

[ZIP 230, ZIP 246] v6 transaction format and sighash #987

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nuttycom merged 30 commits into from
May 20, 2025
Merged

[ZIP 230, ZIP 246] v6 transaction format and sighash #987

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
8862ae2
ZIP 230: Reorganise `ActionGroupDescription` to group effecting data
str4d Feb 4, 2025
cdf76fb
ZIP 230: Constrain parser for `nAGExpiryHeight` and clarify `0`
str4d Feb 4, 2025
80ac162
ZIP 230: Remove AssetBase from issuance bundle encoding
str4d Feb 11, 2025
c0c20fb
ZIP 246: Initial empty ZIP structure for v6 transaction digests
str4d Feb 11, 2025
7a112c7
Updating digest names (#95)
vivek-arte Feb 18, 2025
a34a5eb
Move-only: Move sighash content from ZIP 226 to ZIP 246
str4d Feb 25, 2025
5ab748a
Move-only: Move sighash content from ZIP 227 to ZIP 246
str4d Feb 11, 2025
457a04c
Replace moved content in ZIPs 226 and 227 with a reference
str4d Feb 11, 2025
f44713e
ZIP 246: Refer to ZIP 230 for field encodings
str4d Feb 25, 2025
8df0c17
ZIP 246: Fix heading levels and a bug from #975
str4d Feb 25, 2025
dba350f
ZIP 246: Remove `_zsa` internal suffix from digest names
str4d Feb 25, 2025
5ec91f9
Integrate ZIP 231 changes into ZIPs 230 and 246
str4d Feb 26, 2025
07fa7c3
Integrate ZIPs 233 and 2002 into ZIPs 230 and 246
str4d Feb 26, 2025
2220b35
Clear out some trailing whitespace
str4d Feb 26, 2025
aa7436e
ZIP 317: Fix rendering of conventional fee formula
daira Feb 26, 2025
39d74ed
ZIP 317: Integrate fee changes from ZIP 227
str4d Feb 26, 2025
b0d8fbd
ZIP 317: Integrate fee changes from ZIP 231
str4d Feb 26, 2025
edba0a0
Improve formatting of ZIP 317.
daira Feb 27, 2025
001cdd8
ZIP 230: make all the table columns the same width in the source, and
daira Feb 27, 2025
3d6f118
Apply minor editorial suggestions
daira Feb 28, 2025
e9369af
adding the rst changes for the addition of burn fields into the Actio…
vivek-arte Mar 11, 2025
91a8e53
fixing order of fields in Action Group
vivek-arte Mar 18, 2025
4a419cf
Apply suggestions to ZIP 246 from ZIP review
vivek-arte Mar 18, 2025
2258c31
adding rationale for the placement of burn fields inside Action Groups
vivek-arte Mar 18, 2025
bb69fe9
updating TxId Digest tree
vivek-arte Mar 18, 2025
e978277
moving the rationale for the burn field positioning inside action gro…
vivek-arte Mar 18, 2025
ffc4c32
Merge pull request #991 from QED-it/adding_burn_to_ag_987
str4d Apr 29, 2025
2225f87
Apply suggestions from code review
nuttycom Apr 29, 2025
86ffb0f
Merge branch 'main' into v6-tx-format-and-sighash
str4d May 13, 2025
936571a
Merge branch 'main' into v6-tx-format-and-sighash
str4d May 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.template
View file
Open in desktop
Copy link
Copy Markdown
Collaborator

@daira daira May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also regenerate README.rst.

Copy link
Copy Markdown
Contributor

@nuttycom nuttycom May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that the .rst generation should be a blocker for PRs merging; having CI do the publishing ensures that the zips.z.cash render is up to date, and regenerating the .rst can be done opportunistically, out-of-band. We will not expect third-party contributors to do this regeneration, in any case.

Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ The following ZIPs are under consideration for inclusion in NU7:
- `ZIP 233: Network Sustainability Mechanism: Burning <zip-0233.md>`__
- `ZIP 234: Network Sustainability Mechanism: Issuance Smoothing <zip-0234.md>`__
- `ZIP 235: Network Sustainability Mechanism: Burn 60% of Transaction Fees <zip-0235.md>`__
- `ZIP 246: Digests for the Version 6 Transaction Format <zip-0246.rst>`__
- `ZIP 2002: Explicit Fees <zip-2002.rst>`__
- `ZIP 2003: Disallow version 4 transactions <zip-2003.rst>`__
- `ZIP 2004: Remove the dependency of consensus on note encryption <zip-2004.rst>`__
Expand Down
2 changes: 1 addition & 1 deletion static/css/style.css
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -420,7 +420,7 @@ div.math {
overflow-y: hidden;
margin: 2.6rem 1rem 2.6rem 1rem;
text-align: center;
padding: 0;
padding: 2rem;
}

a, a:visited {
Expand Down
207 changes: 7 additions & 200 deletions zips/zip-0226.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -345,206 +345,14 @@ OrchardZSA Transaction Structure
The transaction format for v6 transactions is described in ZIP 230 [#zip-0230]_.


TxId Digest
===========

The transaction digest algorithm defined in ZIP 244 [#zip-0244]_ is modified by the OrchardZSA protocol to add a new branch for issuance information, along with modifications within the ``orchard_digest`` to account for the inclusion of the Asset Base.
The details of these changes are described in this section, and highlighted using the ``[UPDATED FOR ZSA]`` or ``[ADDED FOR ZSA]`` text label. We omit the details of the sections that do not change for the OrchardZSA protocol.

txid_digest
-----------
A BLAKE2b-256 hash of the following values::

T.1: header_digest (32-byte hash output)
T.2: transparent_digest (32-byte hash output)
T.3: sapling_digest (32-byte hash output)
T.4: orchard_digest (32-byte hash output) [UPDATED FOR ZSA]
T.5: issuance_digest (32-byte hash output) [ADDED FOR ZSA]

The personalization field remains the same as in ZIP 244 [#zip-0244]_.

T.4: orchard_digest
```````````````````
When OrchardZSA Actions Groups are present in the transaction, this digest is a BLAKE2b-256 hash of the following values::

T.4a: orchard_action_groups_digest (32-byte hash output) [ADDED FOR ZSA]
T.4b: orchard_zsa_burn_digest (32-byte hash output) [ADDED FOR ZSA]
T.4c: valueBalanceOrchard (64-bit signed little-endian)

The personalization field of this hash is the same as in ZIP 244 [#zip-0244]_ ::

"ZTxIdOrchardHash"

In the case that the transaction has no OrchardZSA Action Groups, ``orchard_digest`` is ::

BLAKE2b-256("ZTxIdOrchardHash", [])

T.4a: orchard_action_groups_digest
''''''''''''''''''''''''''''''''''

A BLAKE2b-256 hash of the subset of OrchardZSA Action Groups information for all OrchardZSA Action Groups belonging to the transaction.
For each Action Group, the following elements are included in the hash::

T.4a.i : orchard_actions_compact_digest (32-byte hash output)
T.4a.ii : orchard_actions_memos_digest (32-byte hash output)
T.4a.iii: orchard_actions_noncompact_digest (32-byte hash output)
T.4a.iv : flagsOrchard (1 byte)
T.4a.v : anchorOrchard (32 bytes)
T.4a.vi : nAGExpiryHeight (4 bytes)

The personalization field of this hash is set to::

"ZTxIdOrcActGHash"


T.4a.i: orchard_actions_compact_digest
......................................

A BLAKE2b-256 hash of the subset of OrchardZSA Action information intended to be included in
an updated version of the ZIP-307 [#zip-0307]_ ``CompactBlock`` format for all OrchardZSA
Actions belonging to the Action Group. For each Action, the following elements are included
in the hash::

T.4a.i.1 : nullifier (field encoding bytes)
T.4a.i.2 : cmx (field encoding bytes)
T.4a.i.3 : ephemeralKey (field encoding bytes)
T.4a.i.4 : encCiphertext[..84] (First 84 bytes of field encoding) [UPDATED FOR ZSA]

The personalization field of this hash is the same as in ZIP 244::

"ZTxIdOrcActCHash"


T.4a.ii: orchard_actions_memos_digest
.....................................

A BLAKE2b-256 hash of the subset of Orchard shielded memo field data for all OrchardZSA
Actions belonging to the Action Group. For each Action, the following elements are included
in the hash::

T.4a.ii.1: encCiphertext[84..596] (contents of the encrypted memo field) [UPDATED FOR ZSA]

The personalization field of this hash remains identical to ZIP 244::

"ZTxIdOrcActMHash"


T.4a.iii: orchard_actions_noncompact_digest
...........................................

A BLAKE2b-256 hash of the remaining subset of OrchardZSA Action information **not** intended
for inclusion in an updated version of the the ZIP 307 [#zip-0307]_ ``CompactBlock``
format, for all OrchardZSA Actions belonging to the Action Group. For each Action,
the following elements are included in the hash::

T.4a.iii.1 : cv (field encoding bytes)
T.4a.iii.2 : rk (field encoding bytes)
T.4a.iii.3 : encCiphertext[596..] (post-memo suffix of field encoding) [UPDATED FOR ZSA]
T.4a.iii.4 : outCiphertext (field encoding bytes)

The personalization field of this hash is defined identically to ZIP 244::

"ZTxIdOrcActNHash"


T.4b: orchard_zsa_burn_digest
'''''''''''''''''''''''''''''

A BLAKE2b-256 hash of the data from the burn fields of the transaction. For each tuple in
the $\mathsf{assetBurn}$ set, the following elements are included in the hash::

T.4b.i : assetBase (field encoding bytes)
T.4b.ii: valueBurn (field encoding bytes)

The personalization field of this hash is set to::

"ZTxIdOrcBurnHash"

In case the transaction does not perform the burning of any Assets (i.e. the
$\mathsf{assetBurn}$ set is empty), the ''orchard_zsa_burn_digest'' is::

BLAKE2b-256("ZTxIdOrcBurnHash", [])

T.4b.i: assetBase
.................
The Asset Base being burnt encoded as the 32-byte representation of a point on the
Pallas curve.

T.4b.ii: valueBurn
..................
Value of the Asset Base being burnt encoded as little-endian 8-byte representation
of 64-bit unsigned integer (e.g. u64 in Rust) raw value.


T.5: issuance_digest
````````````````````
The details of the computation of this value are in ZIP 227 [#zip-0227-txiddigest]_.

Signature Digest
================

The details of the changes to this algorithm are in ZIP 227 [#zip-0227-sigdigest]_.

Authorizing Data Commitment
===========================

The transaction digest algorithm defined in ZIP 244 [#zip-0244-authcommitment]_ which commits to the authorizing data of a transaction is modified by the OrchardZSA protocol to have the structure specified in this section.
There is a new branch added for issuance information, along with modifications within the ``orchard_auth_digest`` to account for the presence of Action Groups.

We highlight the changes for the OrchardZSA protocol via the ``[UPDATED FOR ZSA]`` or ``[ADDED FOR ZSA]`` text label, and we omit the descriptions of the sections that do not change for the OrchardZSA protocol::

auth_digest
├── transparent_scripts_digest
├── sapling_auth_digest
├── orchard_auth_digest [UPDATED FOR ZSA]
└── issuance_auth_digest [ADDED FOR ZSA]

The pair (Transaction Identifier, Auth Commitment) constitutes a commitment to all the data of a serialized transaction that may be included in a block.

auth_digest
-----------
A BLAKE2b-256 hash of the following values ::

A.1: transparent_scripts_digest (32-byte hash output)
A.2: sapling_auth_digest (32-byte hash output)
A.3: orchard_auth_digest (32-byte hash output) [UPDATED FOR ZSA]
A.4: issuance_auth_digest (32-byte hash output) [ADDED FOR ZSA]

The personalization field of this hash remains the same as in ZIP 244.


A.3: orchard_auth_digest
````````````````````````

In the case that OrchardZSA Action Groups are present, this is a BLAKE2b-256 hash of the following values::

A.3a: orchard_action_groups_auth_digest (32-byte hash output) [ADDED FOR ZSA]
A.3b: bindingSigOrchard (field encoding bytes)

The personalization field of this hash is the same as in ZIP 244, that is::

"ZTxAuthOrchaHash"

In case that the transaction has no OrchardZSA Action Groups, ``orchard_auth_digest`` is::

BLAKE2b-256("ZTxAuthOrchaHash", [])

A.3a: orchard_action_groups_auth_digest
'''''''''''''''''''''''''''''''''''''''

This is a BLAKE2b-256 hash of the ``proofsOrchard`` and ``spendAuthSigsOrchard`` fields of all OrchardZSA Action Groups belonging to the transaction::

A.3a.i: proofsOrchard (field encoding bytes)
A.3a.ii: spendAuthSigsOrchard (field encoding bytes)

The personalization field of this hash is set to::

"ZTxAuthOrcAGHash"

A.4: issuance_auth_digest
`````````````````````````
Modifications relative to ZIP 244 [#zip-0244]_
==============================================

The details of the computation of this value are in ZIP 227 [#zip-0227-authcommitment]_.
Relative to the sighash algorithm defined in ZIP 244 [#zip-0244]_, the sighash algorithm
that applies to v6 transactions differs by altering the Orchard bundle within
the tree hash to match the corresponding OrchardZSA changes. See ZIP 246 [#zip-0246]_
for details.


Security and Privacy Considerations
Expand Down Expand Up @@ -604,12 +412,11 @@ References
.. [#zip-0227-consensus] `ZIP 227: Issuance of Zcash Shielded Assets: Specification: Consensus Rule Changes <zip-0227.html#specification-consensus-rule-changes>`_
.. [#zip-0227-note-commitment-order] `ZIP 227: Issuance of Zcash Shielded Assets: Addition to the Note Commitment Tree <zip-0227.html#addition-to-the-note-commitment-tree>`_
.. [#zip-0227-txiddigest] `ZIP 227: Issuance of Zcash Shielded Assets: TxId Digest - Issuance <zip-0227.html#txid-digest-issuance>`_
.. [#zip-0227-sigdigest] `ZIP 227: Issuance of Zcash Shielded Assets: Signature Digest <zip-0227.html#signature-digest>`_
.. [#zip-0227-authcommitment] `ZIP 227: Issuance of Zcash Shielded Assets: Authorizing Data Commitment <zip-0227.html#authorizing-data-commitment-issuance>`_
.. [#zip-0227-orchardzsa-fee-calculation] `ZIP 227: Issuance of Zcash Shielded Assets: OrchardZSA Fee Calculation <zip-0227.html#orchardzsa-fee-calculation>`_
.. [#zip-0230] `ZIP 230: Version 6 Transaction Format <zip-0230.html>`_
.. [#zip-0244] `ZIP 244: Transaction Identifier Non-Malleability <zip-0244.html>`_
.. [#zip-0244-authcommitment] `ZIP 244: Transaction Identifier Non-Malleability: Authorizing Data Commitment <zip-0244.html#authorizing-data-commitment>`_
.. [#zip-0246] `ZIP 246: Digests for the Version 6 Transaction Format <zip-0246.html>`_
Comment on lines 412 to +419
Copy link
Copy Markdown
Collaborator

@daira daira Apr 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW it is preferred for the URL to reference the source file (the link will be updated in the rendered HTML).

.. [#zip-0307] `ZIP 307: Light Client Protocol for Payment Detection <zip-0307.rst>`_
.. [#protocol-notes] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.2: Notes <protocol/protocol.pdf#notes>`_
.. [#protocol-actions] `Zcash Protocol Specification, Version 2024.5.1 [NU6]. Section 3.7: Action Transfers and their Descriptions <protocol/protocol.pdf#actions>`_
Expand Down
Loading