Technical Specifications

This page takes a closer look at the cryptography under the hood that makes confidential transfers possible.

Primitives

Pedersen commitments

Range proofs via inner product arguments

Proof Generation

The XfrProofs data structure contains a zero-knowledge proof that the blinded output records are valid with respect to the blinded input records. Because transaction fees are paid in the FRA token, the proof must establish, in zero knowledge, that:

  • for every asset type other than FRA, the sum of the input amounts equals the sum of the output amounts;

  • for the FRA asset, the sum of the input amounts equals the sum of the output amounts plus the transaction fee.

Then XfrProofs prove that

The blinding factors of the Pedersen commitments are sent to the receiver as ciphertext encrypted under the receiver's public key; the receiver decrypts it with the corresponding private key and can then open the commitments. The security of the scheme rests on the hardness of the discrete logarithm problem (DLP) in the underlying group: Pedersen commitments are perfectly hiding, and it is their binding property, and hence the soundness of the proofs built on them, that depends on the DLP. The proof of the amount-sum equality relies on the homomorphic property of Pedersen commitments: the product of commitments is a commitment to the sum of the committed amounts, so a balance check on amounts becomes an equation on group elements.

Proving Commitment Equality

Proving the Amount-Sum Equality

Proof Verification

During verification of a confidential transfer, validators check the validity of the XfrNote. The checks are batched for efficiency. The steps form the following hierarchy:

  • Verifying if the signatures associated with the transaction are valid

  • Batch verifying the bodies

• Verifying the Asset Records, i.e. checking that the amounts and asset types are correct

      • Verifying the batched range proof for the confidential amounts

      • Verifying the delegated Schnorr proofs for the confidential asset types

      • Verifying the batched asset mixing proofs for checking the amount sum equality for multiple assets

    • Verifying the Asset Tracing proofs

For the equality of committed asset types, the verifier's task reduces to checking Schnorr proofs of knowledge of discrete logarithms. The proofs are batched so that the communication cost and the verification time stay low rather than growing with every proof checked on its own.
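The homomorphic amount-sum argument from the Proof Generation section and the Schnorr proof-of-knowledge batching described above, as one added example that is not Findora's or Zei's own code. It assumes a toy 64-bit Schnorr group (a real implementation would use an elliptic-curve group; the algebra is the same), hash-derived generators g and h, a constructed two-input/two-output transfer paying a fee of 5, and hypothetical function names (prove_balance, verify_balance, batch_verify). It deliberately omits the range proofs, so on its own it does not stop an amount from wrapping around modulo the group order.

```python
import hashlib
import secrets

# Toy group: the order-q subgroup of Z_p^* with p = 2q + 1 (both prime).
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for every n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Smallest q >= 2^(bits-1) such that q and 2q + 1 are both prime."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(64)
G = 4  # a square mod p, hence a generator of the order-q subgroup
# h is derived from a hash so nobody knows log_g(h); that is what makes commitments binding
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % P, 2, P)

def commit(amount, blinding):
    """Pedersen commitment g^v * h^r: perfectly hiding, binding under the DLP."""
    return pow(G, amount, P) * pow(H, blinding, P) % P

def challenge(*elems):
    """Fiat-Shamir challenge in Z_q over the proof transcript."""
    data = b"".join(e.to_bytes(16, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def balance_point(in_comms, out_comms, fee):
    """D = prod(C_in) / (prod(C_out) * g^fee).  By homomorphism
    D = g^(sum_in - sum_out - fee) * h^delta_r, so the amounts balance
    exactly when D is a commitment to zero, i.e. D = h^delta_r."""
    num, den = 1, pow(G, fee, P)
    for c in in_comms:
        num = num * c % P
    for c in out_comms:
        den = den * c % P
    return num * pow(den, P - 2, P) % P

def prove_balance(in_records, out_records, fee):
    """Prover (hypothetical API): records are (amount, blinding) pairs.
    Returns the commitments and a Schnorr proof of knowledge of delta_r = log_h(D)."""
    in_comms = [commit(v, r) for v, r in in_records]
    out_comms = [commit(v, r) for v, r in out_records]
    D = balance_point(in_comms, out_comms, fee)
    delta_r = (sum(r for _, r in in_records) - sum(r for _, r in out_records)) % Q
    k = secrets.randbelow(Q)
    A = pow(H, k, P)
    c = challenge(G, H, D, A)
    return in_comms, out_comms, (A, (k + c * delta_r) % Q)

def verify_balance(in_comms, out_comms, fee, proof):
    """Verifier: the single Schnorr check h^z == A * D^c; needs no amounts or blindings."""
    A, z = proof
    D = balance_point(in_comms, out_comms, fee)
    return pow(H, z, P) == A * pow(D, challenge(G, H, D, A), P) % P

def batch_verify(items):
    """Check many proofs with one random linear combination:
    h^(sum w_i z_i) == prod A_i^w_i * D_i^(w_i c_i).  One invalid proof makes the
    combined equation fail except with probability about 2^-64 over the weights w_i."""
    lhs_exp, rhs = 0, 1
    for in_comms, out_comms, fee, (A, z) in items:
        D = balance_point(in_comms, out_comms, fee)
        c = challenge(G, H, D, A)
        w = secrets.randbits(64) | 1
        lhs_exp = (lhs_exp + w * z) % Q
        rhs = rhs * pow(A, w, P) * pow(D, w * c % Q, P) % P
    return pow(H, lhs_exp, P) == rhs

def demo():
    """Constructed transfer: inputs 70 + 30 pay outputs 55 + 40 plus a fee of 5."""
    rnd = lambda: secrets.randbelow(Q)
    ins = [(70, rnd()), (30, rnd())]
    ic, oc, pr = prove_balance(ins, [(55, rnd()), (40, rnd())], 5)
    # an inflating transfer (60 + 40 + fee 5 > 100) yields a proof that cannot verify
    ic2, oc2, pr2 = prove_balance(ins, [(60, rnd()), (40, rnd())], 5)
    return (verify_balance(ic, oc, 5, pr), verify_balance(ic2, oc2, 5, pr2),
            batch_verify([(ic, oc, 5, pr)] * 3),
            batch_verify([(ic, oc, 5, pr), (ic2, oc2, 5, pr2)]))

if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The verifier never sees an amount or a blinding factor; it only multiplies commitments, divides out g^fee and checks one discrete-log relation. In the batched check the left side costs a single exponentiation regardless of how many proofs are folded in, which is the saving the batching buys; the random weights are what stop a prover from cancelling one bad proof against another.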
