$$ \newcommand{\Leg}[3][]{\left(\frac{#2\mathstrut}{#3}\right)_{\mkern-6mu#1}} $$ :::warning Seedbox ::: :::warning Transaction ::: # ZeroPool description ## ZeroPool keys All group elements are implemented on BabyJubJub curve $E(F_r)$. All subgroup points $(x,y)$ could be [compressed](#Subgroup-compression-and-decompression) to $x$ coordinate without data loss for serialization. $G$ is prime order subgroup generator on BabyJubJub curve. $F_s$ is scalar field of $G$. $\sigma$ -- spending key (should be stored on trusted devices, like hardware wallets) $A = \sigma G$ - intermediate key (available in proving machine, but still secret, using for EdDSA verifier) $\eta = \text{Hash}(A\text{.x})$ -- intermediate key (available in proving machine, but still secret, using for encryption&decryption) $d$ -- diversifier $G_d=\text{ToSubGroupHash}_{E(F_r)}(d)$ -- diversified generator. $(d, P_d)$ -- diversified public key, where $P_d=\eta G_d$. ## Signature All transactions should be signed via EDDSA by spending key $\sigma$ . Signatures should be used in prover only without any disclosing, because $\eta$ could be obtained from the signature. ### Sign $$r := \text{Hash}(\sigma, M),\\ S := r + \text{Hash}(R,A\text{.x},M)\sigma,\\ R := rG$$ ### Verify Verify signature $(S,R)$ with public key $A=\sigma G$ with the following equation: $$SG-\text{Hash}(R,A\text{.x},M)A = R,\\ \text{Hash}(A\text{.x}) = \eta,\\ A\ \text{in subgroup}.$$ ## Accounts and notes Merkle tree with Node and Account leaves is used.  Account: $(\eta, i, b, e, t)$, where - $i$ is spent offset. Notes with position lesser than $i$ considered to be spent for this account. `u48` - $b$ is balance `u64` - $e$ is integral of balance for all time. Can be used to make rewards for liquidity providers. `u112` - $t$ is salt `u80` Note: $(d, P_d\text{.x}, b, t)$, where - $d$ is diversifier, `u80` - $P_d$ is diversified public key, subgroup element - $b$ is balance `u64` - $t$ is salt `u80` ### Nullifiers Nullifier is unique commitment, depending from the account and protecting from accounts double spendings. $\text{Nullifier}(\text{Account}):=\text{Hash}(\text{Hash}(\text{Account}), \text{Account.}\eta)$ ### Tx hasing $\text{Hash}(\text{tx}) := \text{MutliHash}([\text{Hash}(\text{tx.in.Account}), \text{Hash}(\text{tx.in.Note}_i)..., \text{tx_output_root_hash}])$, where $\text{tx_output_root_hash}$ - Merkle root of output account and notes subtree. ## Circuit Circuit proves the following conditions: 1. Input notes are unique 2. Output notes are unique or blank (all fields equal zero) 3. Tx is signed and the signer is owner of input account, output account, and input notes. 4. Nullifiers are corresponding to notes 5. out_commitment is root of Merkle subtree of output account and notes 6. Input accout and notes should be inside anonymity set (have a valid merkle proofs) or blank (all fields of account excluding $\eta$ are zeros, balance of note is zero) 7. All no-blank input notes are corresponding the following equation $\text{tx.in.Account.i} \leq \text{pos}(\text{tx.in.Note}_k) < \text{tx.out.Account.i}$, where $\text{pos}$ is position of the note in the Merkle tree. 8. Public balance and energy changes and size of anonymity set should be stored at special public $\delta$ input as little endinan (b:i64, e:i96, i:u32), two's complement is used for signed types. After unpacking negative values should be represended as corresponding field elements. 9. Sum of all balances (with negative signs for outputs) should be zero. 10. The following equation for energy: $\delta\text{.e} + (\text{tx.out.Account.i} - \text{tx.in.Account.i}) \text{tx.in.Account.b} +\\ \sum_k (\text{tx.out.Account.i}- \text{pos}(\text{tx.in.Note}_k))\text{tx.in.Note}_k\text{.b} +\\ \text{tx.in.Account.e} - \text{tx.out.Account.e} = 0$ 11. Account indexes are limited: $\text{tx.in.Account.i} \leq \text{tx.out.Account.i} \leq \delta\text{.i}$ We use this circuit to build privacy transactions engine with the following properties: 1. Nobody can forge balance and energy from nowhere 2. Any unspent note or account with existing owner is spendable 3. Nobody can mine energy more than integral value of his balance inside the pool (including cases with splitting the balance to multiple accounts and notes) ## Encryption All ephemeral keys should be used only once. ### Notes ecnryption $a_i=\text{random}()$ - ephemeral secret key $A_i= a_i \text{ToSubGroupHash}_{E(F_r)}(\text{Note}_i\text{.d})$ - ephemeral public key, derived from diversified generator for the current note $D_i = a_i \text{Note}_i\text{.P}_d$ - ECDH shared secret $\text{key}_i = \text{keccak256}(D_i\text{.x})$ $\text{ciphertext}_i=\text{symcipher}_{\text{key}_i}(\text{Note}_i)$ To publish: $(\text{Hash}(\text{Note}_i),A_i, \text{ciphertext}_i)$ ### Account encryption $\text{key}_a = \text{random}()$ $\text{ciphertext}_a=\text{symcipher}_{\text{key}_a}(\text{Account})$ To publish: $(\text{Hash}(\text{Account}), \text{ciphertext}_a)$ ### Shared secrets encryption $a_p=\text{random}()$ - ephemeral secret key $A_p=a_pG$ - ephemeral public key $D_p=\eta A_p$ - ECDH shared secret $\text{payload} = \text{key}_a\|\text{key}_0 \| \text{key}_1 \| ...$ $\text{key}_p = \text{keccak256}(D_p\text{.x})$ $\text{ciphertext}_p=\text{symcipher}_{\text{key}_p}(\text{payload})$ To publish: $(A_p, \text{ciphertext}_p)$ ### Memo block sequence Memo should be published on each transaction with the following sequence: `account hash, note hashes, ECDH memo, account memo, notes memo, tx type specific memo` #### Tx type specific memo encryption ##### Deposit * fee: `u64` amount, transfered to the relayer ##### Transfer * fee: `u64` amount, transfered to the relayer ##### Withdrawal * fee: `u64` amount, transfered to the relayer * address: chain-specific, `u160` for EVM ### Complience To proof source of income transaction, user could disclosure corresponding to the note ECDH shared secret. To disclose receivers of the transfer, user could disclose corresponding ECDH for each note or for the payload. To disclose account balance, user can disclose account ECDH shared secret. ## Address representation Address is text representation of diversified public key, computing by formula: $\text{data}=\text{bytes}(d)\|\text{bytes}(P_d\text{.x})$ $\text{addressrepr}=\text{base58}(\text{data}\|\text{checksum}(\text{data}))$ ## SNARK proofs - Merkle tree proof - Nullifier is valid - Sums are equal - Signatures are valid ## Functions ### ToGroupMap (on BabyJubJub curve) Based on https://arxiv.org/pdf/0706.1448.pdf. Function maps scalar $t$ to point $(x, y)$ on BabyJubJub curve in Montgomery representation. $$ y^2 = g(x) = B^{-1}(x^3 + Ax^2+x) $$ It is known that $$\exists x_0: u=g(x_0),\ \Leg{u}{r}=-1$$ where $r$ is an order of firled $F_r$, $\Leg{u}{r}$ is the Legendre symbol. Having such $u$ we can find two values for $x$ $$ x(t) =\left[\begin{array}{l l} -\frac{1}{A} \left(1+\frac{1}{t^2u}\right), \\ -\frac{1}{A}(1+t^2u) \\ \end{array}\right. $$ Exactly for one $x$ value $\Leg{g(x)}{r}=1$. Using it we can find $$y=\pm\sqrt{g(x)}$$ There are two possible values for $y$. To fix squaring bias, let's require that $(yt \mod r)$ is even. $\text{ToGroupMap}_{E(F_r)}(t) := \text{ToTwistedEdwards}((x,y))$, assuming $t \neq 0$. ### ToSubGroupHash (on BabyJubJub crurve) $\text{ToSubGroupHash}_{E(F_r)}(t) := 8 \cdot \text{ToGroupMap}_{E(F_r)}(\text{Hash}(t))$, where $\text{Hash}$ is poseidon hash function. ### Checksum $\text{checksum}(m)=\text{keccak256}(m)[0..4]$ ## Symcipher Each key should be used only once, otherwise the scheme is unsecure. $\text{symcipher}_\text{key}(\text{data})=\text{ChaCha20Poly1305}_\text{key}^{\text{keccak256}(\text{key})[0..12]}(\text{data})$ ## Subgroup compression and decompression On BabyJubJub curve following expression takes the place: $(x, y) + (0, -1) = (-x, -y)$, That means that for fixed $x$ no more than one subgroup element exists. We can serialize $(x, y)$ point as $x$ only, and recover it as a point with correct $y$ sign. ### MultiHash Poseidon based sponge hash from https://eprint.iacr.org/2019/458.pdf. # Components ## Relayer Gas payments are potentially trails of breadcrumbs, and user can be deanonymized by his gas payments. That's why we use relayers in ZeroPool. Relayers are some kind of anonymous gas stations with additional functionality, providing tx data to clients. ### Auction Relayers participate in autcion to buy out time intervals at the pool. ### API * `GET/transactions(limit:uint64, [offset:uint64])` Get list of base64-encoded borsh-serialized transactions * `POST/transaction` Send public zkSNARK inputs, proof, memo block and optional data, borsh-serialized and base64 encoded * `GET/info` Get number of transactions, number of final transactions and current time interval for this relayer