Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Releases: ark-forge/proof-spec

v2.1.0 — Canonical JSON chain hash (security fix)

10 Mar 17:04
@desiorac desiorac

Choose a tag to compare

What changed

This release documents the new canonical JSON chain hash algorithm, fixing a preimage ambiguity vulnerability present in the legacy string concatenation formula.

Security fix — preimage ambiguity in chain hash

The legacy formula concatenated variable-length fields without separators:

SHA256(request_hash + response_hash + transaction_id + timestamp + ...)

Two different inputs could produce the same concatenated string (e.g. "ab"+"cd" = "a"+"bcd"), creating a theoretical collision path.

The new formula uses canonical JSON serialization:

SHA256(canonical_json({
 "buyer_fingerprint": ...,
 "request_hash": ...,
 "response_hash": ...,
 "seller": ...,
 "timestamp": ...,
 "transaction_id": ...,
 # optional: "upstream_timestamp", "receipt_content_hash"
}))

Field boundaries are explicit — no ambiguity possible.

Proof spec_version mapping

spec_version Algorithm Status
"1.1" String concatenation Legacy — still verifiable
"2.0" String concatenation + receipt Legacy — still verifiable
"1.2" Canonical JSON Current
"2.1" Canonical JSON + receipt Current

Changes

  • SPEC.md: Section 2 documents current algorithm (canonical JSON) + legacy backward compat; Section 5 updated with Python verifier for current algorithm
  • test-vectors.json: 2 new vectors (canonical_json_v1_2, canonical_json_v2_1_upstream_and_receipt) — 9 total
  • check_consistency.py: routes by algorithm field per vector

Backward compatibility

All existing proofs (spec_version "1.1", "2.0") remain fully verifiable using the legacy path documented in Section 2. No migration required for existing proofs.

Assets 2
Loading

v2.0.0 — Receipt content hash in chain hash

28 Feb 21:53
@desiorac desiorac

Choose a tag to compare

What's new

Spec v2.0.0 — extends the chain hash formula with an optional receipt_content_hash field for external payment receipt verification.

Changes

  • Chain hash formula: appends receipt_content_hash (SHA-256 of raw receipt bytes) when present
  • spec_version: "2.0" when receipt is bound, "1.1" otherwise
  • Full backward compatibility: v1.1 proofs verify identically
  • 7 test vectors (added with_receipt and free_tier_with_receipt)
  • check_consistency.py updated for v2.0 vectors

Chain hash v2.0

SHA256(request_hash + response_hash + payment_id + timestamp + buyer + seller + upstream_timestamp + receipt_content_hash)

Links

Loading

AltStyle によって変換されたページ (->オリジナル) /