Signing a Transaction

To prove an input account ownership

Transactions in zkBob are signed by the spending key σ\sigmaσ
. To verify a transaction signature the prover should use an intermediate key A.
Transaction hashing
A client application should sign a 'composite' transaction hash instead of full transaction data. The transaction hash is calculated from the input and output hashes:
​H=Hashsponge(Hashaccount(Accin),Hashnote(Note0in),Hashnote(Note1in),Hashnote(Note2in),TxCommit)H = Hash_{sponge}(Hash_{account}(Acc^\text{in}), Hash_{note}(Note_0^\text{in}), Hash_{note}(Note_1^\text{in}), Hash_{note}(Note_2^\text{in}), TxCommit)H=Hashsponge​(Hashaccount​(Accin),Hashnote​(Note0in​),Hashnote​(Note1in​),Hashnote​(Note2in​),TxCommit)
 
where
​HashHashHash
 is a Poseidon multi-hash (sponged) routine in the different modes
​AccinAcc^\text{in}Accin
is an input account
​NoteiinNote_i^\text{in}Noteiin​
is an input notes,
​TxCommitTxCommitTxCommit
 - is a transaction commitment hash (Merkle subtree root). It depends on transaction output account and notes.
Signing
Next, a client uses the account spending key to sign a transaction hash HHH
:
​r=Blake2s(σ,H)r = Blake2s(\sigma, H)r=Blake2s(σ,H)
, where​Blake2sBlake2sBlake2s
 is the 256-bit hash function ​
​R=rGR = rGR=rG
, A=σGA=\sigma GA=σG
 (moving rrr
 and σ\sigmaσ
 to the JubJub Elliptic curve field)
​S=r+Hasheddsa(R.x,A.x,H)σS = r + Hash_{eddsa}(R.x, A.x, H)\sigmaS=r+Hasheddsa​(R.x,A.x,H)σ
​
The output signature (S,R)(S, R)(S,R)
 will be sent with a intermediate key A=σGA = \sigma GA=σG
​
Verifying
To verify a transaction signature a validator should perform the following computations:
​SG==R+Hasheddsa(R.x,A.x,H)ASG == R + Hash_{eddsa}(R.x, A.x, H)ASG==R+Hasheddsa​(R.x,A.x,H)A
​
​

Nullifiers

The Transaction Lifecycle

Last modified 1yr ago