JoinSplit Circuit
Details of the JoinSplit circuit, including public inputs (PIs), encodings, and constraints (in English)
Prove that all of the following are true:
- 1. both input notes exist in the commitment tree
- 2. the user owns both input notes
- 3. all four notes are for the same asset
- 4. the total value of the input notes equals the total value of the output notes plus the amount being unwrapped (the "public spend")
- 5.
The JoinSplit circuit has a total of 13 public inputs:
- 1. `operationDigest`: The hash of the operation the JoinSplit is associated with. The hash is computed outside the circuit using `keccak256` and is reduced modulo to an element of.
- 2.
- 3. `encodedAssetAddrWithSignBits`: The `encodedAssetAddr` field of the encoded asset being spent, but with the sign bits corresponding to `refundAddrH1CompressedY` and `refundAddrH2CompressedY` packed-in.
- 4. `refundAddrH1CompressedY`: The Y-coordinate of the compressed encoding of the first component of the refund address in the associated operation
- 5. `refundAddrH2CompressedY`: The Y-coordinate of the compressed encoding of the second component of the refund address in the associated operation
- 6. `newNoteACommitment`: The note commitment for the first output note
- 7. `newNoteBCommitment`: The note commitment for the second output note
- 8.
- 9. `publicSpend`: The amount to unwrap publicly
- 10. `nullifierA`: The nullifier for the first input note
- 11. `nullifierB`: The nullifier for the second input note
- 12. `senderCommitment`: A blinded commitment to the sender of the operation. This allows the recipient to know the canonical address of whoever is paying them.
- 13. `joinSplitInfoCommitment`: A blinded commitment to the details of the JoinSplit (sender, recipient, notes being spent, etc.) enabling individuals to selectively disclose transaction details if they want to.
- `receiverCanonAddr`: the canonical address of the receiver
- `senderCanonAddr`: the canonical address of the receiver
- `vk` and `vkNonce` correctly correspond to `spendPk`
- `senderCanonAddr` is indeed the canonical address corresponding to `vk`
- the signature `(c, z)` is a valid signature of `opDigest`
- the refund address provided via `refundAddrH1CompressedY`, `refundAddrH2CompressedY`, and their associated sign bits from `encodedAssetAddrWithSignBits` is a valid stealth address owned by `vk`
- `MembershipProofA.leaf` is the note commitment for `oldNoteA`
- `MembershipProofB.leaf` is the note commitment for `oldNoteB`, or `oldNoteB.value = 0` (we don't care about `oldNoteB` if its value is `0`)
- `MembershipProofA` is a valid Merkle membership proof against `commitmentTreeRoot`
- `MembershipProofB` is a valid Merkle membership proof against `commitmentTreeRoot`, or `oldNoteB.value = 0` (we don't care about `oldNoteB` if its value is `0`)
- `oldNoteA.value + oldNoteB.value = newNoteA.value + newNoteB.value + publicSpend`
- `newNoteACommitment` is the correct note commitment for `newNoteA`
- `newNoteBCommitment` is the note commitment for `newNoteB`
- `senderCommitment` is computed correctly
- `joinSplitInfoCommitment` is computed correctly
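The membership and balance constraints above, restated as an off-circuit witness check. This is an added example, not the project's circuit code, and it covers only those five constraints. SHA-256, the binary Merkle tree, the `Note` field layout, plain Python integers in place of field elements, and all helper names are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

def H(*parts: bytes) -> bytes:  # stand-in hash (assumption): SHA-256, length-prefixed parts
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

@dataclass
class Note:  # constructed layout; only `value` is named on the page
    owner: bytes
    asset: bytes
    value: int
    nonce: bytes
    def commitment(self) -> bytes:
        return H(self.owner, self.asset, self.value.to_bytes(32, "big"), self.nonce)

@dataclass
class MembershipProof:
    leaf: bytes
    index: int      # bit i is set when the node is a right child at level i
    siblings: list  # sibling hashes, leaf level first
    def root(self) -> bytes:
        node, idx = self.leaf, self.index
        for sib in self.siblings:
            node = H(sib, node) if idx & 1 else H(node, sib)
            idx >>= 1
        return node

def failed_constraints(root, old_a, old_b, proof_a, proof_b, new_a, new_b, public_spend):
    b_is_dummy = old_b.value == 0  # note B's leaf and proof are ignored when its value is 0
    checks = {
        "leafA": proof_a.leaf == old_a.commitment(),
        "leafB": b_is_dummy or proof_b.leaf == old_b.commitment(),
        "memberA": proof_a.root() == root,
        "memberB": b_is_dummy or proof_b.root() == root,
        "balance": old_a.value + old_b.value == new_a.value + new_b.value + public_spend,
    }
    return [name for name, ok in checks.items() if not ok]

def sample():  # constructed witness: real note A at leaf 1, zero-value note B with no proof
    a, b = Note(b"owner", b"asset", 70, b"n1"), Note(b"owner", b"asset", 0, b"n2")
    leaves = [H(b"x0"), a.commitment(), H(b"x2"), H(b"x3")]
    right = H(leaves[2], leaves[3])
    root = H(H(leaves[0], leaves[1]), right)
    proofs = MembershipProof(a.commitment(), 1, [leaves[0], right]), MembershipProof(b"", 0, [])
    outs = Note(b"rcpt", b"asset", 50, b"n3"), Note(b"owner", b"asset", 15, b"n4")
    return (root, a, b, *proofs, *outs)

if __name__ == "__main__":
    print(failed_constraints(*sample(), 5))  # public_spend = 5
```

The zero-value note B passes without any tree entry because it adds nothing to the left side of the balance equation. As soon as its value is non-zero, both of its membership checks apply again.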