zkBob Keys

Different key types

zkBob is based on complex cryptography. There are several keys needed for private transactions. The relationship between these keys is presented in the scheme below.

  • Spending key (σ\sigma) is the top secret key. It is used to derive other keys and to sign transactions. At a high level it is just a random 256-bit number which should be stored securely on the client side. The simplest way to get a spending key is to produce a random number. But in a production client software implementation more complex approaches should be used (e.g. hierarchical deterministic wallets). Concrete approaches for spending key derivation by a client are not discussed here.

  • Transaction verifier key (AA) is used for transaction signature verification. It's derived from the spending key and multiplied by the generator point in the JubJub elliptic curve field: A=σGA = \sigma G

  • Intermediate key (η\eta) is derived from the AA key by the PoseidonPoseidon hash function:η=Hash(A.x)\eta = Hash(A.x). It is used in several cases:

    • to calculate the account nullifier

    • to derive the outgoing viewing key (κ\kappa)

    • to decrypt incoming notes

  • Receiving key is used to decrypt incoming notes in the memo block. It is a combination of the intermediate key and ephemeral key generated for each note.

  • Outgoing viewing key (κ\kappa) is used to decrypt the whole memo block in the transaction which is initiated by itself. The key is derived from the intermediate key by the keccak hash function: κ=keccak256(η,"this is the suffix for the symmetric encryption key")\kappa = keccak_{256}(\eta, \text{"this is the suffix for the symmetric encryption key"})

  • Private payment address (d,Pd)(d, P_d) - is a set of random diversifiers dd and point Pd=ηGp=ηToSubGroupHashE(Fr)(d)P_d = \eta G_p = \eta \text{ToSubGroupHash}_{E(F_r)}(d)

Last updated