PoC

What will all this look like in the first version?

Description of initial PoC version that will be deployed to testnet only.

Id and secrets

In order to deposit any funds to the Shielder some on-chain transaction must be sent. Thus we assume that a user already has some native account with a corresponding private key (essentially, some 32 random bytes). For the sake of simplicity, we use this key as the user ID in the Shielder system. Note that there are no checks performed relating to the corresponding on-chain account - essentially, you can use arbitrary 32 bytes.

All other (operational) secrets, namely nullifiers and trapdoors, are generated as the Keccak256 hash of id || nonce || label, where:

id is the private key, as stated above
nonce is the counter of how many Shielder operations have been already done using id
label is a byte string, either b"nullifier" or b"trapdoor"

Account

In the PoC version, for the sake of simplicity, we only allow for shielding native AZERO tokens. Therefore, the only information (apart from operational secrets) kept in a note is the current shielded AZERO balance.

Recovery and account tracking

If you lose your shielded state (e.g., due to losing your device or accidentally deleting the state file), you can still recover your funds as long as you have your ID.

All Shielder transactions share a common property - every such action invalidates some nullifier. For deposits and withdrawals we just publish the hash of the nullifier of our current note. For the new-account action, we publish the hash of our ID, which can be seen as a special pre-nullifier. Shielder contract maintains a registry of all used (hashes of) nullifiers to prevent double spending or creating multiple accounts for the same ID. This is implemented as a mapping from a used nullifier hash to a block number when it was published.

Thanks to this design we can easily derive a recovery procedure as follows. Starting with a nonce 0, we repeatedly ask the contract whether a corresponding nullifier has already been spent, and if so, we can fetch the proper block, find our transaction and update the local state.

This also helps with account tracking. Since a user can interact with the Shielder from many different devices, we must always ensure, that the local state is up-to-date. Therefore, anytime our app is turned on, we check if the nullifier for the current note has been already spent. If so, then we just have to fetch latest transactions and update the state.

Relations

Preliminaries / Recap

Scalar is a type for some fixed finite field elements.

hash function is a hashing function from a sequence of Scalar elements into a single Scalar value.

AMOUNT_BOUND is some limit on the amounts handled by the Shielder, so that arithmetic operations do not overflow in the field. E.g. 2^128

MERKLE_HEIGHT is the height of the Merkle tree kept in the contract.

MERKLE_ARITY is the arity of the Merkle tree kept in the contract.

New Account

relation PoC::NewAccount

inputs:
    - h_note:          Scalar
    - h_id:            Scalar
    - initial_deposit: Scalar

witnesses:
    - id:        Scalar
    - nullifier: Scalar
    - trapdoor:  Scalar

assumptions:
    - initial_deposit <= AMOUNT_BOUND

constraints:
    // id is correctly exposed as a public input
    - h_id = hash(id)
    // note is well-formed
    - h_note = hash(id, nullifier, trapdoor, hash(initial_deposit))
    
suggestions:
    - nullifier = hash(id, 0, 0)
    - trapdoor  = hash(id, 0, 1)

Deposit

relation PoC::Deposit

inputs:
    - merkle_root:     Scalar
    - h_nullifier_old: Scalar
    - h_note_new:      Scalar
    - value:           Scalar

witnesses:
    - id:                  Scalar
    - nullifier_old:       Scalar
    - trapdoor_old:        Scalar
    - account_balance_old: Scalar
    - merkle_path:         [[Scalar; MERKLE_ARITY]; MERKLE_HEIGHT]
    - nullifier_new:       Scalar
    - trapdoor_new:        Scalar

assumptions:
    - value <= AMOUNT_BOUND
    - account_balance_old <= AMOUNT_BOUND

constraints:
    // new value satisfies the bound
    - account_balance_old + value <= AMOUNT_BOUND
    // old nullifier is correctly exposed as a public input
    - h_nullifier_old = hash(nullifier_old)
    // new note is well-formed
    - h_note_new = hash(id, nullifier_new, trapdoor_new, hash(account_balance_old + value))
    // membership proof is valid
    - merkle_path is a valid path to merkle_root
    // membership proof relates to the old note
    - hash(id, nullifier_old, trapdoor_old, account_balance_old) is belongs to the first layer of merkle_path
    

suggestions:
    - nullifier_old = hash(id, n, 0)
    - nullifier_new = hash(id, n+1, 0)
    - trapdoor_old = hash(id, n, 1)
    - trapdoor_new = hash(id, n+1, 1)

Withdraw

relation PoC::Withdraw

inputs:
    - merkle_root:        Scalar
    - h_nullifier_old:    Scalar
    - h_note_new:         Scalar
    - value:              Scalar
    - relayer:            Scalar
    - fee:                Scalar
    - withdrawal_address: Scalar

witnesses:
    - id:                  Scalar
    - nullifier_old:       Scalar
    - trapdoor_old:        Scalar
    - account_balance_old: Scalar
    - merkle_path:         [[Scalar; MERKLE_ARITY]; MERKLE_HEIGHT]
    - nullifier_new:       Scalar
    - trapdoor_new:        Scalar

assumptions:
    - value <= AMOUNT_BOUND
    - fee <= AMOUNT_BOUND
    - account_balance_old <= AMOUNT_BOUND

constraints:
    // new value satisfies the bound
    - account_balance_old >= value + fee
    // old nullifier is correctly exposed as a public input
    - h_nullifier_old = hash(nullifier_old)
    // new note is well-formed
    - h_note_new = hash(id, nullifier_new, trapdoor_new, hash(account_balance_old - value - fee))
    // membership proof is valid
    - merkle_path is a valid path to merkle_root
    // membership proof relates to the old note
    - hash(id, nullifier_old, trapdoor_old, account_balance_old) is belongs to the first layer of merkle_path
    

suggestions:
    - nullifier_old = hash(id, n, 0)
    - nullifier_new = hash(id, n+1, 0)
    - trapdoor_old = hash(id, n, 1)
    - trapdoor_new = hash(id, n+1, 1)

PreviousVersioning NextVersion 0.1.0

Last updated 5 days ago

Was this helpful?

relation PoC::NewAccount inputs: - h_note: Scalar - h_id: Scalar - initial_deposit: Scalar witnesses: - id: Scalar - nullifier: Scalar - trapdoor: Scalar assumptions: - initial_deposit <= AMOUNT_BOUND constraints: // id is correctly exposed as a public input - h_id = hash(id) // note is well-formed - h_note = hash(id, nullifier, trapdoor, hash(initial_deposit)) suggestions: - nullifier = hash(id, 0, 0) - trapdoor = hash(id, 0, 1)

relation PoC::Deposit inputs: - merkle_root: Scalar - h_nullifier_old: Scalar - h_note_new: Scalar - value: Scalar witnesses: - id: Scalar - nullifier_old: Scalar - trapdoor_old: Scalar - account_balance_old: Scalar - merkle_path: [[Scalar; MERKLE_ARITY]; MERKLE_HEIGHT] - nullifier_new: Scalar - trapdoor_new: Scalar assumptions: - value <= AMOUNT_BOUND - account_balance_old <= AMOUNT_BOUND constraints: // new value satisfies the bound - account_balance_old + value <= AMOUNT_BOUND // old nullifier is correctly exposed as a public input - h_nullifier_old = hash(nullifier_old) // new note is well-formed - h_note_new = hash(id, nullifier_new, trapdoor_new, hash(account_balance_old + value)) // membership proof is valid - merkle_path is a valid path to merkle_root // membership proof relates to the old note - hash(id, nullifier_old, trapdoor_old, account_balance_old) is belongs to the first layer of merkle_path suggestions: - nullifier_old = hash(id, n, 0) - nullifier_new = hash(id, n+1, 0) - trapdoor_old = hash(id, n, 1) - trapdoor_new = hash(id, n+1, 1)

relation PoC::Withdraw inputs: - merkle_root: Scalar - h_nullifier_old: Scalar - h_note_new: Scalar - value: Scalar - relayer: Scalar - fee: Scalar - withdrawal_address: Scalar witnesses: - id: Scalar - nullifier_old: Scalar - trapdoor_old: Scalar - account_balance_old: Scalar - merkle_path: [[Scalar; MERKLE_ARITY]; MERKLE_HEIGHT] - nullifier_new: Scalar - trapdoor_new: Scalar assumptions: - value <= AMOUNT_BOUND - fee <= AMOUNT_BOUND - account_balance_old <= AMOUNT_BOUND constraints: // new value satisfies the bound - account_balance_old >= value + fee // old nullifier is correctly exposed as a public input - h_nullifier_old = hash(nullifier_old) // new note is well-formed - h_note_new = hash(id, nullifier_new, trapdoor_new, hash(account_balance_old - value - fee)) // membership proof is valid - merkle_path is a valid path to merkle_root // membership proof relates to the old note - hash(id, nullifier_old, trapdoor_old, account_balance_old) is belongs to the first layer of merkle_path suggestions: - nullifier_old = hash(id, n, 0) - nullifier_new = hash(id, n+1, 0) - trapdoor_old = hash(id, n, 1) - trapdoor_new = hash(id, n+1, 1)