JoinSplit Circuit

Details of JoinSplit circuit, including PIs, encodings, and constraints (in english)

Last updated 1 year ago

Details of JoinSplit circuit, including PIs, encodings, and constraints (in english)

Prove that all of the following are true:

both input notes exist in the commitment tree
the user owns both input notes
all four notes are for the same asset
the total value of the input notes equals the total value of the output notes plus the amount being unwrapped (the "public spend")
the owner of those assets could produce a valid signature over the hash of an associated .

The JoinSplit circuit has a total of 13 public inputs:

operationDigest: The hash of the the JoinSplit is associated with. The hash is computed outside the circuit using keccak256 and is reduced modulo $p$ to an element of $\mathbb{F}_p$ .
encodedAssetId: The the field of the encoded asset being spent
encodedAssetAddrWithSignBits: The field of the encoded asset being spent, but with the sign bits corresponding to refundAddrH1CompressedY and refundAddrH2CompressedY packed-in.
refundAddrH1CompressedY: The Y-coordinate of the of the first component of the refund address in the associated operation
refundAddrH2CompressedY: The Y-coordinate of the of the second component of the refund address in the associated operation
newNoteACommitment: The note commitment for the first output note
newNoteBCommitment: The note commitment for the second output note
commitmentTreeRoot: The current
publicSpend: The amount to unwrap publicly
nullifierA: The nullifier for the first input note
nullifierB: The nullifier for the second input note
senderCommitment: A blinded commitment to the sender of the operation. This allows the recipient to know the canonical address of whoever is paying them.
joinSplitInfoCommitment: A blinded commitment to the details of the JoinSplit (sender, recipient, notes being spent, etc.) enabling individuals to selectively disclose transaction details if they want to.

vk and vkNonce correctly correspond to spendPk
senderCanonAddr is indeed the canonical address corresponding to vk
the signature (c, z) is a valid signature of opDigest
MembershipProofA.leaf is the note commitment for oldNoteA
MembershipProofB.leaf is the note commitment for oldNoteB, or oldNoteB.value = 0 (we don't care about oldNoteB if its value is 0)
MembershipProofA is a valid Merkle membership proof against commitmentTreeRoot
MembershipProofB is a valid Merkle membership proof against commitmentTreeRoot, or oldNoteB.value = 0 (we don't care about oldNoteB if its value is 0)
oldNoteA.value + oldNoteB.value = newNoteA.value + newNoteB.value + publicSpend
newNoteACommitment is the correct note commitment for newNoteA
newNoteBCommitment is the note commitment for newNoteB
senderCommitment is computed correctly
joinSplitInfoCommitment is computed correctly

Last updated 1 year ago

Prove that all of the following are true:

both input notes exist in the commitment tree
the user owns both input notes
all four notes are for the same asset
the total value of the input notes equals the total value of the output notes plus the amount being unwrapped (the "public spend")
the owner of those assets could produce a valid signature over the hash of an associated .

The JoinSplit circuit has a total of 13 public inputs:

operationDigest: The hash of the the JoinSplit is associated with. The hash is computed outside the circuit using keccak256 and is reduced modulo $p$ to an element of $\mathbb{F}_p$ .
encodedAssetId: The the field of the encoded asset being spent
encodedAssetAddrWithSignBits: The field of the encoded asset being spent, but with the sign bits corresponding to refundAddrH1CompressedY and refundAddrH2CompressedY packed-in.
refundAddrH1CompressedY: The Y-coordinate of the of the first component of the refund address in the associated operation
refundAddrH2CompressedY: The Y-coordinate of the of the second component of the refund address in the associated operation
newNoteACommitment: The note commitment for the first output note
newNoteBCommitment: The note commitment for the second output note
commitmentTreeRoot: The current
publicSpend: The amount to unwrap publicly
nullifierA: The nullifier for the first input note
nullifierB: The nullifier for the second input note
senderCommitment: A blinded commitment to the sender of the operation. This allows the recipient to know the canonical address of whoever is paying them.
joinSplitInfoCommitment: A blinded commitment to the details of the JoinSplit (sender, recipient, notes being spent, etc.) enabling individuals to selectively disclose transaction details if they want to.

vk: the
vkNonce: the
spendPK: the
(c, z): a of opDigest
oldNoteA: an representing the first input note
oldNoteB: an representing the second input note
newNoteA: an representing the first output note
newNoteB: an representing the second output note
MembershipProofA: a Merkle membership proof for oldNoteA's in the commitment tree
MembershipProofB: a Merkle membership proof for oldNoteB's in the commitment tree
receiverCanonAddr: the canonical address of the receiver
senderCanonAddr: the canonical address of the receiver

vk and vkNonce correctly correspond to spendPk
senderCanonAddr is indeed the canonical address corresponding to vk
the signature (c, z) is a valid signature of opDigest
oldNoteA.owner and oldNoteB.owner are well-formed
oldNoteA.owner and oldNoteB.owner are both by vk
the refund address provided via refundAddrH1CompressedY, refundAddrH2CompressedY, and their associated sign bits from encodedAssetAddrWithSignBits is a valid owned by vk
MembershipProofA.leaf is the note commitment for oldNoteA
MembershipProofB.leaf is the note commitment for oldNoteB, or oldNoteB.value = 0 (we don't care about oldNoteB if its value is 0)
MembershipProofA is a valid Merkle membership proof against commitmentTreeRoot
MembershipProofB is a valid Merkle membership proof against commitmentTreeRoot, or oldNoteB.value = 0 (we don't care about oldNoteB if its value is 0)
newNoteA.owner is the sender's
newNoteB.owner is the receiver's
oldNoteA.value + oldNoteB.value = newNoteA.value + newNoteB.value + publicSpend
newNoteACommitment is the correct note commitment for newNoteA
newNoteBCommitment is the note commitment for newNoteB
senderCommitment is computed correctly
joinSplitInfoCommitment is computed correctly