zkBob Keys

Different key types
zkBob is based on complex cryptography. There are several keys needed for private transactions. The relationship between these keys is presented in the scheme below.
  • Spending key (
    σ\sigma
    ) is the top secret key. It is used to derive other keys and to sign transactions. At a high level it is just a random 256-bit number which should be stored securely on the client side. The simplest way to get a spending key is to produce a random number. But in a production client software implementation more complex approaches should be used (e.g. hierarchical deterministic wallets). Concrete approaches for spending key derivation by a client are not discussed here.
  • Transaction verifier key (
    AA
    ) is used for transaction signature verification. It's derived from the spending key and multiplied by the generator point in the JubJub elliptic curve field:
    A=σGA = \sigma G
  • Intermediate key (
    η\eta
    ) is derived from the
    AA
    key by the
    PoseidonPoseidon
    hash function
    :
    η=Hash(A.x)\eta = Hash(A.x)
    . It is used in several cases:
    • to calculate the account nullifier
    • to derive the outgoing viewing key (
      κ\kappa
      )
    • to decrypt incoming notes
  • Receiving key is used to decrypt incoming notes in the memo block. It is a combination of the intermediate key and ephemeral key generated for each note.
  • Outgoing viewing key (
    κ\kappa
    ) is used to decrypt the whole memo block in the transaction which is initiated by itself. The key is derived from the intermediate key by the keccak hash function:
    κ=keccak256(η,"this is the suffix for the symmetric encryption key")\kappa = keccak_{256}(\eta, \text{"this is the suffix for the symmetric encryption key"})
  • Private payment address
    (d,Pd)(d, P_d)
    - is a set of random diversifiers
    dd
    and point
    Pd=ηGp=ηToSubGroupHashE(Fr)(d)P_d = \eta G_p = \eta \text{ToSubGroupHash}_{E(F_r)}(d)