Comment on page

Technical Specifications

Let us take a deep dive into some of the concepts involving the cryptography under the hood which enables the confidential transfers


Pedersen commitments
The cryptographic commitments are perfectly hiding, which makes them distinct from encryptions. They do not contain any information that can be decrypted by someone with a key. Rather, they serve as a hidden fingerprint for the committed information, similar to how a server can send a hash of a file before sharing the file. The hash is a unique fingerprint that can be measured from the file, but the file cannot be obtained from the hash. Cryptographic commitments can only be “opened” or “unblinded” given the unique information that was committed and a secret value called the blinding factor. If
is a commitment to a message
using blinding factor
, then
can be uniquely computed from
, and the knowledge of
is proof that
was a commitment to
. In Findora’s blinded asset records, the blinding factors are shared with the new asset owner (i.e. transfer recipient) using a method similar to a Diffie-Hellman key exchange. This user derives the blinding factors from blind share and its private key corresponding to public key. The user needs these blinding factors in order to check that the decrypted contents of the record are correct (i.e. as approved by the validators) and will also need to use them to transfer ownership of the asset in a future transaction.
As before, let
denote the Ristretto group, i.e. the group of points on the Ristretto curve. Let
be the order of this group. For independent group generators
g1,g2,hGg_1,g_2,h\in \mathbb{G}
and a pair
(a,b)Fp2(a,b)\in \mathbb{F}_p^2
representing the asset type and amount, the commitment to this pair is given by
is a random element in
Findora uses the Ristretto group, which is a quotient group built from the elliptic curve group on Curve25519. This group has order
for the prime:
p=2252+27742317777372353535851937790883648493.p =2^{252} +27742317777372353535851937790883648493.
The Ristretto quotient group is the unique quotient group of order

Range proofs via inner product arguments

Cv=gvhrC_v = g^{v} h^r
be a commitment to a value
. To show that
lies in the range
, it suffices for the Prover to show that he knows a vector
aL=(a0,,an1)\mathbf{a}L = (a_0,\cdots,a{n-1})
such that:
  • aL;,;2n=v\langle \mathbf{a}L;,; \mathbf{2}^n \rangle = v
    , which shows that
    v=i=0nai2iv = \sum{i=0}^n a_i\cdot 2^i
  • aL(1naL)=0n\mathbf{a}_L \circ (\mathbf{1}^n - \mathbf{a}_L) = \mathbf{0}^n
    , which shows that the entries of
    lie in
    0,1n{0,1 }^n
In other words, this shows that the $n$ entries of
represent the bit decomposition of
For randomly generated challenges
y,zFpy, z\in \mathbb{F}_p
, it suffices to show that,
z2aL,2n+zaL1naR,yn+aL,aRyn=z2vz^2 \cdot \langle \mathbf {a}_L \hspace{3pt} , \hspace{3pt} \mathbf {2}^n \rangle + z \cdot \langle \mathbf {a}_L - \mathbf {1}^n - \mathbf {a}_R \hspace{3pt} , \hspace{3pt} \mathbf {y}^n \rangle + \langle \mathbf {a}_L \hspace{3pt} , \hspace{3pt} \mathbf {a}_R \circ \mathbf {y}^n \rangle = z^2 \cdot v \hspace{20pt}
aR=1naL\mathbf {a}_R = \mathbf{1}^n - \mathbf{a}_L

Proof Generation

The XfrProofs data structure contains a zero-knowledge proof that the blinded output records are valid with respect to the blinded input records. Since the fees are denominated in the FRA token, it is necessary to prove in zero-knowledge that:
  • for every asset type other than FRA, the sum of the inputs is the same as the sum of the outputs
  • the sum of the inputs corresponding to the FRA asset is the same as the sum of the outputs plus the fees for the transaction.
Note that for some particular asset types, there might be fees, thus for that cases it proves that sum of output amounts for that asset type in the output asset records plus fees equals the sum of input amounts for the same asset type in the input records). To be more precise, if there are n
(n1)(n \geq 1)
inputs records and m
(m1)(m \geq 1)
output records,
  • αi\alpha_i
    is the amount in the
    th input record
  • βj\beta_j
    is the amount in the
    th output record
  • Input[τ]Input[\tau]
    the set of input indices with asset type matching
  • Output[τ]Output[\tau]
    the set of output indices with asset type matching
  • T\mathcal{T}
    is the complete set of types other than FRA in output records
Then XfrProofs prove that
for all
τT;;iInput[τ]αi=jOutput[τ]βj\tau \in \mathcal{T} ;; \sum_{i \in Input[\tau]} \alpha_i = \sum_{j \in Output[\tau]} \beta_j
when asset type matches
τ=FRA\tau = FRA
). Fees must be considered. Hence the equation becomes as follows
iInput[FRA]αi=jOutput[FRA]βj+Fees\sum_{i \in Input[FRA]} \alpha_i = \sum_{j \in Output[FRA]} \beta_j + Fees
The randomness in the Pedersen commitments is communicated to the receiver in the form of text encrypted with the receiver's public key. The receiver then decrypts this text using his private key. The security of this scheme hinges on the hardness of the Discrete logarithm problem (DLP). The proof of the amount-sum equality relies on the homomorphic property of Pedersen commitments.

Proving Commitment Equality

A confidential transaction can - and usually does - have multiple associated Pedersen commitments to (asset type, amount) pairs. To prove the so-called amount-sum equality, it is necessary to verifiably reveal which of the commitments correspond to the same asset type, without actually revealing this asset type. To show that two Pedersen commitments
C1=g1a1g2b1hr1C_1 = g_1^{a_1}g_2^{b_1}h^{r_1}
C2=g1a2g2b2hr2C_2 = g_1^{a_2}g_2^{b_2}h^{r_2}
are such that
a1=a2a_1 = a_2
, it suffices to show that the quotient
C1C21C_1\cdot C_2^{-1}
is of the form
for some
known to the Prover. Using an aggregation trick, this proof can be kept constant-sized when the Prover needs to show that the asset type committed in
is the same as the asset type committed in

Proving the Amount-Sum Equality

Given input commitments
C1in,,CminC_1^{\mathrm{in}},\cdots, C_m^{\mathrm{in}}
and output commitments
C1out,,CnoutC_1^{\mathrm{out}},\cdots, C_n^{\mathrm{out}}
verifiably corresponding to the same asset type, a Prover shows that the input and output amounts sum up to the same value by proving in zero-knowledge that the element
C~:=(i=1mCiin)(j=1nCjout)1\widetilde{C}:= (\prod_{i=1}^m C_i^{\mathrm{in}})\cdot (\prod_{j=1}^n C_j^{\mathrm{out}})^{-1}
is of the form
in case the asset_type is FRA) where
is some integer known to the Prover and
is the common asset-type committed in the commitments
Ciin,CjoutC_i^{\mathrm{in}}, C_j^{\mathrm{out}}
To prevent double-spends on the blockchain in tandem with maintaining confidentiality, it is necessary for the sender of a transaction to prove in zero-knowledge that the amounts committed are all non-negative. This requires a zero-knowledge range proof to convince a Verifier that the amounts are non-negative. Findora's confidential transfer is accompanied by proofs that the committed amounts lie in the range
[0,2641][0, 2^{64}-1]
. These proofs are constructed using the Bulletproofs scheme.
Bulletproofs are particularly suited for range proofs on small ranges: the proof for a
-bit range is less than 1KB and takes only milliseconds to both create and verify. Bulletproofs have a batching mode where a range proof from
points is only
bytes larger than a range proof for a single point (e.g. a batch proof for 100 points is less than 500 bytes larger). Bulletproofs also have a batch verification mode where the amortized time to verify many range proofs is approximately 0.34 ms per proof.

Proof Verification

During the verification of confidential transfer at the validators' end, the validity of the XfrNote is checked. This is done in batches to increase the efficiency. The following is the hierarchy of the steps:
  • Verifying if the signatures associated with the transaction are valid
  • Batch verifying the bodies
    • Verifying the Asset Records if the amounts and asset types are correct
      • Verifying the batched range proof for the confidential amounts
      • Verifying the delegated Schnorr proofs for the confidential asset types
      • Verifying the batched asset mixing proofs for checking the amount sum equality for multiple assets
    • Verifying the Asset Tracing proofs
For the equality of committed asset types, the Verifier's task boils down to verifying Schnorr proofs of knowledge of discrete logarithms. The proofs are batched so that the communication complexity and the verification time stay constant.
To verify the range proofs, the Verifier performs a sequence of inner product checks. The Verifier uses the same hashing algorithm as the Prover to get the independent group generators in
. This makes his runtime