Signing a Transaction

To prove an input account ownership
Transactions in zkBob are signed by the spending key $\sigma$. To verify a transaction signature the prover should use an intermediate key $A$.

Transaction hashing

A client application should sign a 'composite' transaction hash instead of full transaction data. The transaction hash is calculated from the input and output hashes:
$$H = Hash_{sponge}(Hash_{account}(Acc^\text{in}), Hash_{note}(Note_0^\text{in}), Hash_{note}(Note_1^\text{in}), Hash_{note}(Note_2^\text{in}), TxCommit)$$
where
  • $Hash$ is a Poseidon multi-hash (sponged) routine in the different modes
  • $Acc^\text{in}$ is an input account
  • $Note_i^\text{in}$ are the input notes
  • $TxCommit$ is a transaction commitment hash (Merkle subtree root). It depends on the transaction output account and notes.

Signing

Next, a client uses the account spending key to sign the transaction hash $H$:

$r = Blake2s(\sigma, H)$, where $Blake2s$ is the 256-bit hash function

$R = rG$, $A = \sigma G$ (moving $r$ and $\sigma$ to the JubJub elliptic curve field)

$S = r + Hash_{eddsa}(R.x, A.x, H)\sigma$

The output signature $(S, R)$ will be sent with an intermediate key $A = \sigma G$.

Verifying

To verify a transaction signature a validator should perform the following computations:
$$SG == R + Hash_{eddsa}(R.x, A.x, H)A$$