diff --git a/doc/taproot-sighash.mediawiki b/doc/taproot-sighash.mediawiki
index c4d8b82edb4..6ef4afef058 100644
--- a/doc/taproot-sighash.mediawiki
+++ b/doc/taproot-sighash.mediawiki
@@ -3,7 +3,7 @@
This document is a modified copy of [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki BIP-0341] which describes the signature hash used for Taproot outputs in Elements.
Items which differ from BIP-0341 are indicated with '''''NEW'''''.
-In addition to the changes in this document, the three tagged hash tags ''TapLeaf'', ''TapBranch'' and ''TapSighash'' in BIPs 341 and 342 are suffixed with /elements.
+In addition to the changes in this document, the four tagged hash tags ''TapLeaf'', ''TapBranch'', ''TapTweak'' and ''TapSighash'' in BIPs 341 and 342 are suffixed with /elements.
==== Common signature message ====
@@ -14,7 +14,7 @@ The parameter ''hash_type'' is an 8-bit unsigned value. The SIGHASH
* Using SIGHASH_SINGLE without a "corresponding output" (an output with the same index as the input being verified).
'''''NEW''''' If the input under consideration is a pegin input, the fields ''nAsset'', ''nValue'' and ''scriptPubKey'', where they appear, are taken from the pegin witness data. The asset used is the asset ID on the sidechain, not that on the parent chain (if any).
-
+'''''NEW''''' The epoch field prepended before signature hash is completely dropped. If there are new updates to the taproot signature hashes in elements, they will use new tagged hashes instead of incrementing epochs
'''''NEW''''' The fields ''nNonce'', ''nAsset'' and ''nValue'' are serialized in a fixed-length format, which consists of their ordinary 1/9/33 byte encoding followed by sufficiently many 0 to pad the length out to 33. When we refer to ''extended CTxOut format'' below, we mean the fields ''nAsset'', ''nValue'', ''nNonce'' serialized in that order in fixed-length format, followed by the ordinary length-prefixed ''scriptPubKey''.
The parameter ''ext_flag'' is an integer in range 0-127, and is used for indicating (in the message) that extensions are added at the end of the message['''What extensions use the ''ext_flag'' mechanism?''' [https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki BIP-0342] reuses the same common signature message algorithm, but adds BIP-0342-specific data at the end, which is indicated using ''ext_flag = 1''.].
@@ -23,8 +23,8 @@ If the parameters take acceptable values, the message is the concatenation of th
* '''''NEW''''' Blockchain data: (Rationale: Signatures cannot be reused across different Elements instances even if pubkeys are reused.)
-** ''parent_genesis_block'' (32): the hash of the blockchain's genesis block
-** ''parent_peg_asset'' (32): the asset ID on the parent chain of the pegged asset, or 32 zero bytes if the parent chain does not support Confidential Assets
+** ''genesis_block'' (32): the hash of the blockchain's genesis block
+** ''genesis_block'' (32): the genesis hash again
* Control:
** ''hash_type'' (1).
* Transaction data:
@@ -32,25 +32,26 @@ If the parameters take acceptable values, the message is the concatenation of th
** ''nLockTime'' (4): the ''nLockTime'' of the transaction.
** If the ''hash_type & 0x80'' does not equal SIGHASH_ANYONECANPAY:
*** '''''NEW''''' ''sha_outpoint_flags'' (32): the SHA256 of the serialization of the concatenation of one byte per input of the input's outpoint flags shifted right by 24 bits. (The byte for an pegin input would be 0x40. The byte for an issuance input would be 0x80. The byte for both a pegin and issuance would be 0xc0.)
-*** ''sha_prevouts'' (32): the SHA256 of the serialization of all input outpoints.
-*** '''''NEW''''' ''sha_amounts_assets'' (32): the SHA256 of the serialization of all output ''nAsset'' fields followed by ''nValue'' fields
+*** ''sha_prevouts'' (32): the SHA256 of the serialization of all input outpoints. Each prevout output index is the masked version containing outpoint flags
+*** '''''NEW''''' ''sha_asset_amounts'' (32): the SHA256 of the serialization of all output ''nAsset'' fields followed by ''nValue'' fields
+*** '''''NEW''''' ''sha_nonces'' (32): the SHA256 of the serialization of all output ''nNonce'' fields.
*** ''sha_scriptpubkeys'' (32): the SHA256 of the serialization of all spent output ''scriptPubKey''s.
*** ''sha_sequences'' (32): the SHA256 of the serialization of all input ''nSequence''.
*** '''''NEW''''' ''sha_issuances'' (32): the SHA256 of the serialization of the concatenation of all input ''assetIssuance'' or 130 '0x00' bytes for inputs with no issuance
** If ''hash_type & 3'' does not equal SIGHASH_NONE or SIGHASH_SINGLE:
*** ''sha_outputs'' (32): the SHA256 of the serialization of all outputs in extended CTxOut format.
-*** '''''NEW''''' ''sha_output_witnesses'' (32): the SHA256 of the serialization of all output witnesses (rangeproof and surjection proof) in CTxWitness format.
+*** '''''NEW''''' ''sha_output_witnesses'' (32): the SHA256 of the serialization of all output witnesses (rangeproof and surjection proof) in CTxOutWitness format.
* Data about this input:
** ''spend_type'' (1): equal to ''(ext_flag * 2) + annex_present'', where ''annex_present'' is 0 if no annex is present, or 1 otherwise (the original witness stack has two or more witness elements, and the first byte of the last element is ''0x50'')
** If ''hash_type & 0x80'' equals SIGHASH_ANYONECANPAY:
*** '''''NEW''''' ''outpoint_flag'' (1): the input's outpoint flags shifted right by 24 bits. (Compare ''sha_outpoint_flags'' above.)
-*** ''outpoint'' (36): the COutPoint of this input (32-byte hash + 4-byte little-endian).
-*** '''''NEW''''' ''nAsset'' (33): assetID of the previous output spent by this input, in fixed-length format
+*** ''outpoint'' (36): the COutPoint of this input (32-byte hash + 4-byte little-endian) where the output index includes the outpoint flags.
+*** '''''NEW''''' ''nAsset'' (33): (possibly confidential) assetID of the previous output spent by this input, in fixed-length format
*** '''''NEW''''' ''nValue'' (33): (possibly confidential) amount of the previous output spent by this input, in fixed-length format
*** '''''NEW''''' ''nNonce'' (33): (possibly confidential) nonce of the previous output spent by this input, in fixed-length format
*** ''scriptPubKey'' (35): ''scriptPubKey'' of the previous output spent by this input, serialized as script inside CTxOut. Its size is always 35 bytes.
*** ''nSequence'' (4): ''nSequence'' of this input.
-*** '''''NEW''''' ''asset_issuance'' (130): if ''outpoint_flag & 0x80 == 0x80'': asset issuance data of this input; otherwise 130 zero bytes
+*** '''''NEW''''' ''asset_issuance'' (130): if ''outpoint_flag & 0x80 == 0x80'': asset issuance(fields for ''nInflationKeys'' and ''nAmount'' are serialized in fixed-length format) data of this input; otherwise 130 zero bytes
** If ''hash_type & 0x80'' does not equal SIGHASH_ANYONECANPAY:
*** ''input_index'' (4): index of this input in the transaction input vector. Index of the first input is 0.
** If an annex is present (the lowest bit of ''spend_type'' is set):
@@ -58,7 +59,7 @@ If the parameters take acceptable values, the message is the concatenation of th
* Data about this output:
** If ''hash_type & 3'' equals SIGHASH_SINGLE:
*** ''sha_single_output'' (32): the SHA256 of the corresponding output in extended CTxOut format.
-*** '''''NEW''''' ''sha_single_output_witness'' (32): the SHA256 of the serialization of the corresponding output witnesses (rangeproof and surjection proof) in CTxWitness format.
+*** '''''NEW''''' ''sha_single_output_witness'' (32): the SHA256 of the serialization of the corresponding output witnesses (rangeproof and surjection proof) in CTxOutWitness format.
-The total length of ''SigMsg()'' is ''473'' bytes for ANYONECANPAY sighashes, ''366'' bytes for non-ANYONECANPAY sighashes, and both numbers are reduced by 64 bytes for SIGHASH_NONE sighashes. Note that this does not include the size of sub-hashes such as ''sha_prevouts'', which may be cached across signatures of the same transaction.
+The total length of ''SigMsg()'' is ''443'' bytes for ANYONECANPAY sighashes, ''366'' bytes for non-ANYONECANPAY sighashes, and both numbers are reduced by 64 bytes for SIGHASH_NONE sighashes. Note that this does not include the size of sub-hashes such as ''sha_prevouts'', which may be cached across signatures of the same transaction.