Comment on page
Technical Specifications

Let us take a deep dive into some of the concepts involving the cryptography under the hood which enables the confidential transfers
Primitives
Pedersen commitments
The cryptographic commitments are perfectly hiding, which makes them distinct from encryptions. They do not contain any information that can be decrypted by someone with a key. Rather, they serve as a hidden fingerprint for the committed information, similar to how a server can send a hash of a file before sharing the file. The hash is a unique fingerprint that can be measured from the file, but the file cannot be obtained from the hash. Cryptographic commitments can only be “opened” or “unblinded” given the unique information that was committed and a secret value called the blinding factor. If CCC
 is a commitment to a message mmm
 using blinding factor rrr
, then CCC
 can be uniquely computed from mmm
 and rrr
, and the knowledge of rrr
 is proof that CCC
 was a commitment to mmm
. In Findora’s blinded asset records, the blinding factors are shared with the new asset owner (i.e. transfer recipient) using a method similar to a Diffie-Hellman key exchange. This user derives the blinding factors from blind share and its private key corresponding to public key. The user needs these blinding factors in order to check that the decrypted contents of the record are correct (i.e. as approved by the validators) and will also need to use them to transfer ownership of the asset in a future transaction.
As before, let G\mathbb{G}G
 denote the Ristretto group, i.e. the group of points on the Ristretto curve. Let ppp
 be the order of this group. For independent group generators g1,g2,h∈Gg_1,g_2,h\in \mathbb{G}g1​,g2​,h∈G
 and a pair (a,b)∈Fp2(a,b)\in \mathbb{F}_p^2(a,b)∈Fp2​
 representing the asset type and amount, the commitment to this pair is given by g1ag2bhrg_1^{a}g_2^{b}h^rg1a​g2b​hr
 where rrr
 is a random element in Fp\mathbb{F}_pFp​
.
Findora uses the Ristretto group, which is a quotient group built from the elliptic curve group on Curve25519. This group has order 8p8p8p
 for the prime: p=2252+27742317777372353535851937790883648493.p =2^{252} +27742317777372353535851937790883648493.p=2252+27742317777372353535851937790883648493.
​
The Ristretto quotient group is the unique quotient group of order ppp
.
Range proofs via inner product arguments
Let Cv=gvhrC_v = g^{v} h^rCv​=gvhr
 be a commitment to a value vvv
. To show that vvv
 lies in the range [0,2n−1][0,2^{n}-1][0,2n−1]
, it suffices for the Prover to show that he knows a vector aL=(a0,⋯ ,an−1)\mathbf{a}L = (a_0,\cdots,a{n-1})aL=(a0​,⋯,an−1)
 such that:
​⟨aL;,;2n⟩=v\langle \mathbf{a}L;,; \mathbf{2}^n \rangle = v⟨aL;,;2n⟩=v
, which shows that v=∑i=0nai⋅2iv = \sum{i=0}^n a_i\cdot 2^iv=∑i=0nai​⋅2i
​
​aL∘(1n−aL)=0n\mathbf{a}_L \circ (\mathbf{1}^n - \mathbf{a}_L) = \mathbf{0}^naL​∘(1n−aL​)=0n
, which shows that the entries of aL\mathbf{a}_LaL​
 lie in 0,1n{0,1 }^n0,1n
.
In other words, this shows that the $n$ entries of aL\mathbb{a}_LaL​
 represent the bit decomposition of vvv
.
For randomly generated challenges y,z∈Fpy, z\in \mathbb{F}_py,z∈Fp​
, it suffices to show that,
​z2⋅⟨aL,2n⟩+z⋅⟨aL−1n−aR,yn⟩+⟨aL,aR∘yn⟩=z2⋅vz^2 \cdot \langle \mathbf {a}_L \hspace{3pt} , \hspace{3pt} \mathbf {2}^n \rangle + z \cdot \langle \mathbf {a}_L - \mathbf {1}^n - \mathbf {a}_R \hspace{3pt} , \hspace{3pt} \mathbf {y}^n \rangle + \langle \mathbf {a}_L \hspace{3pt} , \hspace{3pt} \mathbf {a}_R \circ \mathbf {y}^n \rangle = z^2 \cdot v \hspace{20pt}z2⋅⟨aL​,2n⟩+z⋅⟨aL​−1n−aR​,yn⟩+⟨aL​,aR​∘yn⟩=z2⋅v
​
where aR=1n−aL\mathbf {a}_R = \mathbf{1}^n - \mathbf{a}_LaR​=1n−aL​
​
Proof Generation
The XfrProofs data structure contains a zero-knowledge proof that the blinded output records are valid with respect to the blinded input records. Since the fees are denominated in the FRA token, it is necessary to prove in zero-knowledge that:
for every asset type other than FRA, the sum of the inputs is the same as the sum of the outputs
the sum of the inputs corresponding to the FRA asset is the same as the sum of the outputs plus the fees for the transaction.
Note that for some particular asset types, there might be fees, thus for that cases it proves that sum of output amounts for that asset type in the output asset records plus fees equals the sum of input amounts for the same asset type in the input records). To be more precise, if there are n (n≥1)(n \geq 1)(n≥1)
 inputs records and m (m≥1)(m \geq 1)(m≥1)
 output records,
​αi\alpha_iαi​
 is the amount in the iii
th input record
​βj\beta_jβj​
 is the amount in the jjj
th output record
​Input[τ]Input[\tau]Input[τ]
 the set of input indices with asset type matching τ\tauτ
​
​Output[τ]Output[\tau]Output[τ]
 the set of output indices with asset type matching τ\tauτ
​
​T\mathcal{T}T
 is the complete set of types other than FRA in output records
Then XfrProofs prove that
for all τ∈T;;∑i∈Input[τ]αi=∑j∈Output[τ]βj\tau \in \mathcal{T} ;; \sum_{i \in Input[\tau]} \alpha_i = \sum_{j \in Output[\tau]} \beta_jτ∈T;;∑i∈Input[τ]​αi​=∑j∈Output[τ]​βj​
​
when asset type matches FRAFRAFRA
 (i.e τ=FRA\tau = FRAτ=FRA
). Fees must be considered. Hence the equation becomes as follows
​∑i∈Input[FRA]αi=∑j∈Output[FRA]βj+Fees\sum_{i \in Input[FRA]} \alpha_i = \sum_{j \in Output[FRA]} \beta_j + Fees∑i∈Input[FRA]​αi​=∑j∈Output[FRA]​βj​+Fees
​
The randomness in the Pedersen commitments is communicated to the receiver in the form of text encrypted with the receiver's public key. The receiver then decrypts this text using his private key. The security of this scheme hinges on the hardness of the Discrete logarithm problem (DLP). The proof of the amount-sum equality relies on the homomorphic property of Pedersen commitments.
Proving Commitment Equality
A confidential transaction can - and usually does - have multiple associated Pedersen commitments to (asset type, amount) pairs. To prove the so-called amount-sum equality, it is necessary to verifiably reveal which of the commitments correspond to the same asset type, without actually revealing this asset type. To show that two Pedersen commitments C1=g1a1g2b1hr1C_1 = g_1^{a_1}g_2^{b_1}h^{r_1}C1​=g1a1​​g2b1​​hr1​
, C2=g1a2g2b2hr2C_2 = g_1^{a_2}g_2^{b_2}h^{r_2}C2​=g1a2​​g2b2​​hr2​
 are such that a1=a2a_1 = a_2a1​=a2​
, it suffices to show that the quotient C1⋅C2−1C_1\cdot C_2^{-1}C1​⋅C2−1​
 is of the form g2xhyg_2^{x}h^yg2x​hy
 for some x,yx,yx,y
 known to the Prover. Using an aggregation trick, this proof can be kept constant-sized when the Prover needs to show that the asset type committed in C1C_1C1​
is the same as the asset type committed in C2,⋯ ,CnC_2,\cdots,C_nC2​,⋯,Cn​
.
Proving the Amount-Sum Equality
Given input commitments C1in,⋯ ,CminC_1^{\mathrm{in}},\cdots, C_m^{\mathrm{in}}C1in​,⋯,Cmin​
 and output commitments C1out,⋯ ,CnoutC_1^{\mathrm{out}},\cdots, C_n^{\mathrm{out}}C1out​,⋯,Cnout​
 verifiably corresponding to the same asset type, a Prover shows that the input and output amounts sum up to the same value by proving in zero-knowledge that the element C~:=(∏i=1mCiin)⋅(∏j=1nCjout)−1\widetilde{C}:= (\prod_{i=1}^m C_i^{\mathrm{in}})\cdot (\prod_{j=1}^n C_j^{\mathrm{out}})^{-1}C:=(∏i=1m​Ciin​)⋅(∏j=1n​Cjout​)−1
 is of the form g1a(m−n)hrg_1^{a(m-n)}h^{r}g1a(m−n)​hr
 (or g1a(m−n)g2feeshrg_1^{a(m-n)}g_2^{\mathrm{fees}}h^{r}g1a(m−n)​g2fees​hr
 in case the asset_type is FRA) where rrr
 is some integer known to the Prover and aaa
 is the common asset-type committed in the commitments Ciin,CjoutC_i^{\mathrm{in}}, C_j^{\mathrm{out}}Ciin​,Cjout​
.
To prevent double-spends on the blockchain in tandem with maintaining confidentiality, it is necessary for the sender of a transaction to prove in zero-knowledge that the amounts committed are all non-negative. This requires a zero-knowledge range proof to convince a Verifier that the amounts are non-negative. Findora's confidential transfer is accompanied by proofs that the committed amounts lie in the range [0,264−1][0, 2^{64}-1][0,264−1]
. These proofs are constructed using the Bulletproofs scheme.
Bulletproofs are particularly suited for range proofs on small ranges: the proof for a 646464
-bit range is less than 1KB and takes only milliseconds to both create and verify. Bulletproofs have a batching mode where a range proof from mmm
 points is only 64log⁡(m)64\log(m)64log(m)
 bytes larger than a range proof for a single point (e.g. a batch proof for 100 points is less than 500 bytes larger). Bulletproofs also have a batch verification mode where the amortized time to verify many range proofs is approximately 0.34 ms per proof.
Proof Verification
During the verification of confidential transfer at the validators' end, the validity of the XfrNote is checked. This is done in batches to increase the efficiency. The following is the hierarchy of the steps:
Verifying if the signatures associated with the transaction are valid
Batch verifying the bodies
Verifying the Asset Records if the amounts and asset types are correct
Verifying the batched range proof for the confidential amounts
Verifying the delegated Schnorr proofs for the confidential asset types
Verifying the batched asset mixing proofs for checking the amount sum equality for multiple assets
Verifying the Asset Tracing proofs
For the equality of committed asset types, the Verifier's task boils down to verifying Schnorr proofs of knowledge of discrete logarithms. The proofs are batched so that the communication complexity and the verification time stay constant.
To verify the range proofs, the Verifier performs a sequence of inner product checks. The Verifier uses the same hashing algorithm as the Prover to get the independent group generators in G\mathbb{G}G
. This makes his runtime O(n)\mathbf{O}(n)O(n)
.
Concepts
Next - Key Concepts
Prism++ Transfer
Last modified 2mo ago