@@ -283,7 +283,7 @@ disclosing the transaction details (accounts invonved, amounts of tokens
283283transferred) we use zkSNARKs. In this section, we define the zkSNARK constraint
284284system used.
285285
286- Public inputs:
286+ #### Public Inputs
287287
2882881 . ` old_root ` , the current Merkle tree root that serves at the commitment of
289289 the accounts and notes sequence state before the transaction.
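Review bot: while this hunk only promotes `Public inputs:` to a `####` heading, the context lines around it carry two typos that should go into the same commit: `accounts invonved` in the hunk header line (should be `involved`) and `serves at the commitment` in the `old_root` item (should be `serves as`). The `####` level itself is consistent with the `###` used for the `Steps to Create a Transaction` section heading.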
@@ -295,20 +295,64 @@ Public inputs:
295295 that this transaction either involves a deposit into ZeroPool from an
296296 account on the underlying blockchain or a withdrawal).
297297
298- Secret inputs:
298+ #### Secret Inputs
299299
3003001 . User's verifying $A$ and intermediate $\eta$ keys.
301- 2 . The values of input account and notes.
302- 3 . Merkle proofs pointing at the hashes of input accounts and notes in the
303- sequence bound by ` old_root ` committment.
304- 4 . The values of the output account and notes.
305- 5 . Index of the left-most zero leaf in the Merkle tree (the position from which
306- the output account and notes will be written to the sequence).
307- 6 . The signature of all the above produced using user's spending key $\sigma$.
308301
309- Conditions checked :
302+ 1 . Transaction :
310303
311- 1 . …
304+ 1 . The values of input account and notes, $\textsf{in\_ account}$ and $\textsf{in\_ notes}[ \textsf{INPUT}] $.
305+ 1 . Merkle proofs pointing at the hashes of input accounts
306+ and notes in the sequence bound by ` old_root ` committment.
307+ 1 . The values of the output account and notes, $\textsf{out\_ account}$ and $\textsf{out\_ notes}[ \textsf{OUTPUT}] $.
308+ 1 . Index of the left-most zero leaf in the Merkle tree
309+ (the position from which the output account and notes will be written to the sequence).
310+
311+ 1 . The signature of the transaction above produced using user's spending key $\sigma$.
312+
313+
314+ ::: info
315+
316+ Note that the spending key $\sigma$ which is necessary to create transactions
317+ is not part of (public or secret) inputs to zkSNARK constraint system.
318+ This means that $\sigma$ can be stored on a separate hardware ledger (capable of signing)
319+ providing an extra level of security in case the device that computes zkSNARK proofs is compromised.
320+
321+ :::
322+
323+ #### Conditions Checked
324+
325+ 1 . Input notes are unique or blank (all fields equal zero).
326+ Output notes are unique or blank.
327+
328+ 1 . Keys:
329+
330+ - Transaction's signature is correct (checked using verifying key $A$).
331+ - The intermediate key $\eta$ is the one derived from $A$,
332+ (the mapping $A \mapsto \eta$ is deterministic).
333+ - The $\eta$ is owner of input and output accounts —
334+ checked using $\textsf{account}.\eta$ field.
335+ - The $\eta$ is the owner of input notes (but not necessary owner of output notes).
336+ This is checked by looking at note's diversified address $(d, P_d)$
337+ and checking that it's associated with $\eta$.
338+
339+ 1 . The public nullifier for input account is computed correctly.
340+
341+ 1 . Inputs Merkle proofs:
342+
343+ - The input account is either blank
344+ (meaning that it's being created for the first time)
345+ or has a valid Merkle proof showing that it's present in the sequence.
346+
347+ - The input notes are either blank (unused) or have valid Merkle proofs.
348+
349+ 1 . Spent note index only moves forward, $\textsf{in\_ account}.i \leq \textsf{out\_ account}.i$.
350+
351+ 1 . The positions of all non-blank input notes in the sequence (proven by Merkle proofs above)
352+ must be between $\textsf{in\_ account}.i$ and $\textsf{out\_ account}.i$.
353+
354+ 1 . Difference between input (account and notes) balances
355+ and output (account and notes) balances should be equal to ` delta ` .
312356
313357### Steps to Create a Transaction
314358
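Review bot: the note-position condition (`must be between in_account.i and out_account.i`) does not say whether either bound is inclusive, and together with the preceding `in_account.i <= out_account.i` rule this is the invariant that stops a note from being consumed twice, so the prose should state the exact comparison the circuit enforces (for example a half-open range such as `in_account.i <= pos < out_account.i`, if that is what the constraints implement) so that anyone checking the constraint system against this document is not left guessing. Smaller points in the same hunk: `committment` in the Merkle-proof item should be `commitment`; `not necessary owner of output notes` should read `not necessarily the owner of output notes`; and the blank line inserted before `The signature of the transaction above` will, in most Markdown renderers, split it off from the `Transaction :` sub-list, so if it is meant as item 3 of the secret inputs rather than part of the transaction sub-items its indentation should make that explicit.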