What changed
This release documents the new canonical JSON chain hash algorithm, fixing a preimage ambiguity vulnerability present in the legacy string concatenation formula.
Security fix — preimage ambiguity in chain hash
The legacy formula concatenated variable-length fields without separators:
SHA256(request_hash + response_hash + transaction_id + timestamp + ...)
Two different inputs could produce the same concatenated string (e.g. "ab"+"cd" = "a"+"bcd"), creating a theoretical collision path.
The new formula uses canonical JSON serialization:
SHA256(canonical_json({
"buyer_fingerprint": ...,
"request_hash": ...,
"response_hash": ...,
"seller": ...,
"timestamp": ...,
"transaction_id": ...,
# optional: "upstream_timestamp", "receipt_content_hash"
}))
Field boundaries are explicit — no ambiguity possible.
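The boundary shift described above, as an added example that is not the project's own code. It assumes canonical JSON means sorted keys, compact separators and UTF-8 (the exact rules are in SPEC.md, not on this page), uses only the four legacy fields the page names, and all field values are constructed.

```python
import hashlib
import json

# Only the legacy fields named on the page; the elided trailing fields are omitted.
LEGACY_ORDER = ("request_hash", "response_hash", "transaction_id", "timestamp")

def legacy_chain_hash(fields):
    """Legacy style: concatenate values in a fixed order with no separators."""
    joined = "".join(str(fields[name]) for name in LEGACY_ORDER)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def canonical_chain_hash(fields):
    """Assumed canonical form: sorted keys, no whitespace, UTF-8 encoded."""
    encoded = json.dumps(
        fields, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()

# Constructed sample values; string timestamps are an assumption of this example.
REQ = hashlib.sha256(b"constructed request").hexdigest()
RES = hashlib.sha256(b"constructed response").hexdigest()

def make_record(transaction_id, timestamp):
    return {
        "buyer_fingerprint": "constructed-buyer",
        "request_hash": REQ,
        "response_hash": RES,
        "seller": "constructed-seller",
        "timestamp": timestamp,
        "transaction_id": transaction_id,
    }

# Two different records whose variable-length fields concatenate identically:
# "tx-1" + "1700000000" and "tx-11" + "700000000" both give "tx-11700000000".
RECORD_A = make_record("tx-1", "1700000000")
RECORD_B = make_record("tx-11", "700000000")

def compare():
    """Report whether each algorithm gives the two records the same hash."""
    return {
        "legacy_equal": legacy_chain_hash(RECORD_A) == legacy_chain_hash(RECORD_B),
        "canonical_equal": canonical_chain_hash(RECORD_A) == canonical_chain_hash(RECORD_B),
    }

if __name__ == "__main__":
    print(compare())
```
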
Proof spec_version mapping
| spec_version | Algorithm | Status |
|---|---|---|
| "1.1" | String concatenation | Legacy — still verifiable |
| "2.0" | String concatenation + receipt | Legacy — still verifiable |
| "1.2" | Canonical JSON | Current |
| "2.1" | Canonical JSON + receipt | Current |
Changes
- SPEC.md: Section 2 documents current algorithm (canonical JSON) + legacy backward compat; Section 5 updated with Python verifier for current algorithm
- test-vectors.json: 2 new vectors (canonical_json_v1_2, canonical_json_v2_1_upstream_and_receipt) — 9 total
- check_consistency.py: routes by algorithm field per vector
Backward compatibility
All existing proofs (spec_version "1.1", "2.0") remain fully verifiable using the legacy path documented in Section 2. No migration required for existing proofs.