From 251c58186f69bd2ff04151d40e5b266ef620495f Mon Sep 17 00:00:00 2001 From: Tal Derei Date: Tue, 7 May 2024 08:20:21 -0700 Subject: [PATCH] opaque --- docs/adrs/003-action-views.md | 49 +++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/docs/adrs/003-action-views.md b/docs/adrs/003-action-views.md index db4a46387e..3ffac431bf 100644 --- a/docs/adrs/003-action-views.md +++ b/docs/adrs/003-action-views.md 
@@ -1,37 +1,40 @@ -# ADR 003: Visible and opaque fields in action views +# ADR 003: opaque and opaque fields in action views -https://github.com/penumbra-zone/web/issues/875. +The visible view is if you have a viewing key, the opaque view is public. https://github.com/penumbra-zone/web/issues/875. -## 1. [Spend](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.shielded_pool.v1#penumbra.core.component.shielded_pool.v1.Spend) +## 1. [Spend View](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.shielded_pool.v1#penumbra.core.component.shielded_pool.v1.Spend) - `SpendBody` - - $balance \ commitment$: ***visible*** field since the homomorphic pedersen commitment to the value of the input note has hiding and binding properties. - - $nullifier$: ***visible*** field since the nullifier is a $F_q$ element and reveals nothing about the note commitment it nullifies. - - $spend \ verification \ key$: ***visible*** field since the randomized verification key **rk** was derived from the spend authorization key $ak \isin \mathbb G$ given a witnessed spend authorization randomizer $\alpha \isin \mathbb F_r$, and $rk = ak+[α]B_{SpendAuth​}$ where the discrete log is hard over a large prime field. + - $balance \ commitment$: ***opaque*** field since the homomorphic pedersen commitment to the value of the input note has hiding and binding properties. + - $nullifier$: ***opaque*** field since the nullifier is a $F_q$ element and reveals nothing about the note commitment it nullifies. + - $spend \ verification \ key$: ***opaque*** field since the randomized verification key **rk** was derived from the spend authorization key $ak \isin \mathbb G$ given a witnessed spend authorization randomizer $\alpha \isin \mathbb F_r$, and $rk = ak+[α]B_{SpendAuth​}$ where the discrete log is hard over a large prime field. 
- `SpendAuthSignature` - - $authorization \ signature$: ***visible*** field since this is a Schnorr signature where the randomized verification key is derived from the verification key which is a group element $A = [a]B_D$, where scalar $a∈F_r$ is the signing key and $B_d$ is the generator. The randomized signing is $[r]A$, where r is a random 251-bit prime scalar field element for the decaf377 curve. Solving $[r]A$ is a hard discrete log problem over a large prime field. + - $authorization \ signature$: ***opaque*** field since this is a Schnorr signature where the randomized verification key is derived from the verification key which is a group element $A = [a]B_D$, where scalar $a∈F_r$ is the signing key and $B_d$ is the generator. The randomized signing is $[r]A$, where r is a random 251-bit prime scalar field element for the decaf377 curve. Solving $[r]A$ is a hard discrete log problem over a large prime field. - `ZKSpendProof` - - $proof$: ***visible*** field where the Groth16 proof is defined over the BLS12-377 prime field. + - $proof$: ***opaque*** field where the Groth16 proof is defined over the BLS12-377 prime field. -## 2. [Output](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.shielded_pool.v1#penumbra.core.component.shielded_pool.v1.Output) + + + +## 2. [Output View](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.shielded_pool.v1#penumbra.core.component.shielded_pool.v1.Output) - `OutputBody` - $NotePayload$ - - $note \ commitment$: ***visible*** field since the output note commitment is a $F_q$ element derived from a secure rate-5 Poseidon hashing scheme and blinded by a $F_q$ element. - - $ephemral \ key$: ***visible*** field since revealing the public key used to decrypt the note reveals nothing about the associated secret key, where $epk = [esk]B_d$. 
- - $note \ ciphertext$: ***visible*** field since the note ciphertext is generated using a symmetric encryption ChaCha20Poly1305 algorithm. - - $balance \ commitment$: ***visible*** field (refer to the explanation in the [Spend section](#1-spend)) - - $wrapped \ memo \ key$: ***visible*** field since the encrypted key for decrypting the memo was encrypted using the per-action payload key, which in-turn is a BLAKE2b-512 hash of various public keys, commitments, and shared-secret. The shared secret is derived between sender and recipient by performing a secure Diffie-Hellman key exchange. - - $ovk \ wrapped \ key$: ***visible*** field since it's encrypted using the sender’s outgoing cipher key, which itself is a BLAKE2b-512 hash of public keys and commitments. + - $note \ commitment$: ***opaque*** field since the output note commitment is a $F_q$ element derived from a secure rate-5 Poseidon hashing scheme and blinded by a $F_q$ element. + - $ephemral \ key$: ***opaque*** field since revealing the public key used to decrypt the note reveals nothing about the associated secret key, where $epk = [esk]B_d$. + - $note \ ciphertext$: ***opaque*** field since the note ciphertext is generated using a symmetric encryption ChaCha20Poly1305 algorithm. + - $balance \ commitment$: ***opaque*** field (refer to the explanation in the [Spend section](#1-spend)) + - $wrapped \ memo \ key$: ***opaque*** field since the encrypted key for decrypting the memo was encrypted using the per-action payload key, which in-turn is a BLAKE2b-512 hash of various public keys, commitments, and shared-secret. The shared secret is derived between sender and recipient by performing a secure Diffie-Hellman key exchange. + - $ovk \ wrapped \ key$: ***opaque*** field since it's encrypted using the sender’s outgoing cipher key, which itself is a BLAKE2b-512 hash of public keys and commitments. 
- `ZKOutputProof` - - $proof$: ***visible*** field where the Groth16 proof is defined over the BLS12-377 prime field. + - $proof$: ***opaque*** field where the Groth16 proof is defined over the BLS12-377 prime field. -## 3. [Swap](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.dex.v1#penumbra.core.component.dex.v1.Swap) +## 3. [Swap View](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.dex.v1#penumbra.core.component.dex.v1.Swap) - `ZKSwapProof` - - $proof$: ***visible*** field where the Groth16 proof is defined over the BLS12-377 prime field. + - $proof$: ***opaque*** field where the Groth16 proof is defined over the BLS12-377 prime field. - `SwapBody` - - $trading \ pair$: ***visible*** field where the swap inputs and outputs are shown in the public view since (1) inputs are public because they are in the clear, and (2) outputs are also known because they can be computed by anyone with the BSOD. - - $amount$: ***visible*** field since one of the local invariants for a swap is that the swap reveals the amounts of those assets. - - $balance \ commitment$: ***visible*** field (refer to the explanation in the [Spend section](#1-spend)) + - $trading \ pair$: ***opaque*** field where the swap inputs and outputs are shown in the public view since (1) inputs are public because they are in the clear, and (2) outputs are also known because they can be computed by anyone with the BSOD. + - $amount$: ***opaque*** field since one of the local invariants for a swap is that the swap reveals the amounts of those assets. + - $balance \ commitment$: ***opaque*** field (refer to the explanation in the [Spend section](#1-spend)) - `SwapPayload` - - $swap commitment$: ***visible*** field since the swap commitment is a $F_q$ element derived from a secure Poseidon hashing scheme and blinded by a $F_q$ element. 
- - $encrypted swap$: ***visible*** field since the swap ciphertext is encrypted symmetrically using the payload key and reveals no more information about the swap that isn't already public. \ No newline at end of file + - $swap commitment$: ***opaque*** field since the swap commitment is a $F_q$ element derived from a secure Poseidon hashing scheme and blinded by a $F_q$ element. + - $encrypted swap$: ***opaque*** field since the swap ciphertext is encrypted symmetrically using the visible payload key and reveals no more information about the swap that isn't already public. \ No newline at end of file
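Review bot: the blanket `visible` → `opaque` rename has spilled into the title, which now reads `+# ADR 003: opaque and opaque fields in action views`; the first word should stay `Visible` (or the title should become something like "Opaque fields in action views"), since the new intro sentence still distinguishes the two views. Two related follow-ups in the same hunk: renaming the headings to `Spend View`, `Output View` and `Swap View` changes their generated anchors, but the three cross-references `[Spend section](#1-spend)` in the Output and Swap sections are not updated, so they will dangle; and the new wording `encrypted symmetrically using the visible payload key` is confusing right after each field has been labelled opaque, since the payload key is only available to a holder of the viewing key, so "payload key (available in the visible view)" or simply "payload key", as before, would read more clearly. Minor: the new intro sentence `+The visible view is if you have a viewing key, the opaque view is public.` would be cleaner as "The visible view is what a holder of the viewing key sees; the opaque view is what is public.", the three blank lines inserted before `## 2.` look accidental, the pre-existing `ephemral` typo could be fixed while the line is being touched anyway, and the one-word commit message `opaque` should say what the rename is for.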