Double-spending protection

The nullifier is a unique value calculated on the transaction input account. It is included in the public transaction portion. The nullifier depends on the input account, the intermediate key η\eta and the account position in the Merke tree (pathpath):

Nullifier(Accin)=Hashnullifier(Hashaccount(Accin),I)Nullifier(Acc^\text{in}) = Hash_{nullifier}(Hash_{account}(Acc^\text{in}), I)

where IIis intermediate nullifier hash calculated as:

I=Hashinh(Hashaccount(Accin),η,path)I = Hash_{inh}(Hash_{account}(Acc^{in}), \eta, path)

HashnullifierHash_{nullifier}, HashinhHash_{inh} and HashaccountHash_{account} is a PoseidonPoseidon hash functions

There is an archive on the contract side which holds nullifiers. In the case of account double-spending the nullifiers for the same accounts will equal one another. In this case the contract will reject a second transaction with the repeated nullifier value.

A nullifier pre-image could be safely disclosed without opening any sensitive data, like an intermediate key η\eta used for encryption and decryption. For example the nullifier disclosure could be useful in compliance reports to prove account-chain linkage.

Last updated