zkBob Keys

Different key types
zkBob is based on complex cryptography. There are several keys needed for private transactions. The relationship between these keys is presented in the scheme below.
Spending key (σ\sigmaσ
) is the top secret key. It is used to derive other keys and to sign transactions. At a high level it is just a random 256-bit number which should be stored securely on the client side. The simplest way to get a spending key is to produce a random number. But in a production client software implementation more complex approaches should be used (e.g. hierarchical deterministic wallets). Concrete approaches for spending key derivation by a client are not discussed here.
Transaction verifier key (AAA
) is used for transaction signature verification. It's derived from the spending key and multiplied by the generator point in the JubJub elliptic curve field: A=σGA = \sigma GA=σG
​
Intermediate key (η\etaη
) is derived from the AAA
 key by the PoseidonPoseidonPoseidon
 hash function:η=Hash(A.x)\eta = Hash(A.x)η=Hash(A.x)
. It is used in several cases:
to calculate the account nullifier​
to derive the outgoing viewing key (κ\kappaκ
)
to decrypt incoming notes
Receiving key is used to decrypt incoming notes in the memo block. It is a combination of the intermediate key and ephemeral key generated for each note.
Outgoing viewing key (κ\kappaκ
) is used to decrypt the whole memo block in the transaction which is initiated by itself. The key is derived from the intermediate key by the keccak hash function: κ=keccak256(η,"this is the suffix for the symmetric encryption key")\kappa = keccak_{256}(\eta, \text{"this is the suffix for the symmetric encryption key"})κ=keccak256​(η,"this is the suffix for the symmetric encryption key")
​
Private payment address (d,Pd)(d, P_d)(d,Pd​)
 - is a set of random diversifiers ddd
 and point Pd=ηGp=ηToSubGroupHashE(Fr)(d)P_d = \eta G_p = \eta \text{ToSubGroupHash}_{E(F_r)}(d)Pd​=ηGp​=ηToSubGroupHashE(Fr​)​(d)
​
REST API
Address derivation
Last modified 3mo ago