-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
49 additions
and
32 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,40 +1,57 @@ | ||
| # ADR 003: opaque and opaque fields in action views | ||
| # ADR 003: opaque and opaque fields in views | ||
|
|
||
| The visible view is if you have a viewing key, the opaque view is public. https://github.com/penumbra-zone/web/issues/875. | ||
| Auditing the views, which are what the end-user will see. The <u><u>***visible***</u></u> view requires a viewing key, the <u><u>***opaque***</u></u> view is public. https://github.com/penumbra-zone/web/issues/875. Fields tagged as <u><u>***opaque***</u></u> are optionally also <u><u>***visible***</u></u> fields, but the opposite is false. For each view, we enumerate the protobuf fields and mark them accordingly. | ||
|
|
||
| ## 1. [Spend View](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.shielded_pool.v1#penumbra.core.component.shielded_pool.v1.Spend) | ||
|
|
||
| - `SpendBody` | ||
| - $balance \ commitment$: <u><u>***opaque***</u></u> field since the homomorphic pedersen commitment to the value of the input note has hiding and binding properties. | ||
| - $nullifier$: <u>***opaque***</u> field since the nullifier is a $F_q$ element and reveals nothing about the note commitment it nullifies. | ||
| - $spend \ verification \ key$: <u>***opaque***</u> field since the randomized verification key **rk** was derived from the spend authorization key $ak \isin \mathbb G$ given a witnessed spend authorization randomizer $\alpha \isin \mathbb F_r$, and $rk = ak+[α]B_{SpendAuth}$ where the discrete log is hard over a large prime field. | ||
| - `SpendAuthSignature` | ||
| - $authorization \ signature$: <u>***opaque***</u> field since this is a Schnorr signature where the randomized verification key is derived from the verification key which is a group element $A = [a]B_D$, where scalar $a∈F_r$ is the signing key and $B_d$ is the generator. The <u>randomized</u> signing is $[r]A$, where r is a random 251-bit prime scalar field element for the decaf377 curve. Solving $[r]A$ is a hard discrete log problem over a large prime field. | ||
| - `ZKSpendProof` | ||
| - $proof$: <u>***opaque***</u> field where the Groth16 proof is defined over the BLS12-377 prime field. | ||
|
|
||
|
|
||
|
|
||
| Components: | ||
| - `Spend` | ||
| - `SpendBody` | ||
| - $balance \ commitment$: <u><u>***opaque***</u></u> field since the homomorphic pedersen commitment to the value of the input note has hiding and binding properties. | ||
| - $nullifier$: <u>***opaque***</u> field since the nullifier is a $F_q$ element and reveals nothing about the note commitment it nullifies. | ||
| - $spend \ verification \ key$: <u>***opaque***</u> field since the randomized verification key **rk** was derived from the spend authorization key $ak \isin \mathbb G$ given a witnessed spend authorization randomizer $\alpha \isin \mathbb F_r$, and $rk = ak+[α]B_{SpendAuth}$ where the discrete log is hard over a large prime field. | ||
| - `SpendAuthSignature` | ||
| - $authorization \ signature$: <u>***opaque***</u> field since this is a Schnorr signature where the randomized verification key is derived from the verification key which is a group element $A = [a]B_D$, where scalar $a∈F_r$ is the signing key and $B_d$ is the generator. The <u>randomized</u> signing is $[r]A$, where r is a random 251-bit prime scalar field element for the decaf377 curve. Solving $[r]A$ is a hard discrete log problem over a large prime field. | ||
| - `ZKSpendProof` | ||
| - $proof$: <u>***opaque***</u> field where the Groth16 proof is defined over the BLS12-377 prime field. | ||
| - `NoteView` - <u>***visible***</u> field since it contains address and value views that meant to remain hidden. | ||
|
|
||
| ## 2. [Output View](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.shielded_pool.v1#penumbra.core.component.shielded_pool.v1.Output) | ||
| - `OutputBody` | ||
| - $NotePayload$ | ||
| - $note \ commitment$: <u>***opaque***</u> field since the output note commitment is a $F_q$ element derived from a secure rate-5 Poseidon hashing scheme and blinded by a $F_q$ element. | ||
| - $ephemral \ key$: <u>***opaque***</u> field since revealing the public key used to decrypt the note reveals nothing about the associated secret key, where $epk = [esk]B_d$. | ||
| - $note \ ciphertext$: <u>***opaque***</u> field since the note ciphertext is generated using a symmetric encryption ChaCha20Poly1305 algorithm. | ||
| - $balance \ commitment$: <u>***opaque***</u> field (refer to the explanation in the [Spend section](#1-spend)) | ||
| - $wrapped \ memo \ key$: <u>***opaque***</u> field since the encrypted key for decrypting the memo was encrypted using the per-action payload key, which in-turn is a BLAKE2b-512 hash of various public keys, commitments, and shared-secret. The shared secret is derived between sender and recipient by performing a secure Diffie-Hellman key exchange. | ||
| - $ovk \ wrapped \ key$: <u>***opaque***</u> field since it's encrypted using the sender’s outgoing cipher key, which itself is a BLAKE2b-512 hash of public keys and commitments. | ||
| - `ZKOutputProof` | ||
| - $proof$: <u>***opaque***</u> field where the Groth16 proof is defined over the BLS12-377 prime field. | ||
|
|
||
| - `Output` | ||
| - `OutputBody` | ||
| - $NotePayload$ | ||
| - $note \ commitment$: <u>***opaque***</u> field since the output note commitment is a $F_q$ element derived from a secure rate-5 Poseidon hashing scheme and blinded by a $F_q$ element. | ||
| - $ephemral \ public \ key$: <u>***opaque***</u> field since revealing the public key used to decrypt the note reveals nothing about the associated secret key, where $epk = [esk]B_d$. | ||
| - $note \ ciphertext$: <u>***opaque***</u> field since the note ciphertext is generated using a symmetric encryption ChaCha20Poly1305 algorithm. | ||
| - $balance \ commitment$: <u>***opaque***</u> field (refer to the same explanation in the [Spend section](#1-spend)) | ||
| - $wrapped \ memo \ key$: <u>***opaque***</u> field since the encrypted key for decrypting the memo was encrypted using the per-action payload key, which in-turn is a BLAKE2b-512 hash of various public keys, commitments, and shared-secret. The shared secret is derived between sender and recipient by performing a secure Diffie-Hellman key exchange. | ||
| - $ovk \ wrapped \ key$: <u>***opaque***</u> field since it's encrypted using the sender’s outgoing cipher key, which itself is a BLAKE2b-512 hash of public keys and commitments. | ||
| - `ZKOutputProof` | ||
| - $proof$: <u>***opaque***</u> field where the Groth16 proof is defined over the BLS12-377 prime field. | ||
| - `NoteView` - <u>***visible***</u> field (refer to the same explanation in the [Spend section](#1-spend)) | ||
| - `PayloadKey` - <u>***visible***</u> field since payload keys provide decryption capabilities of encrypted data -- decrypts an encrypted note ciphertext using payload key and ephemeral public key in action's note payload. | ||
|
|
||
| ## 3. [Swap View](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5:penumbra.core.component.dex.v1#penumbra.core.component.dex.v1.Swap) | ||
| - `ZKSwapProof` | ||
| - $proof$: <u>***opaque***</u> field where the Groth16 proof is defined over the BLS12-377 prime field. | ||
| - `SwapBody` | ||
| - $trading \ pair$: <u>***opaque***</u> field where the swap inputs and outputs are shown in the public view since (1) inputs are public because they are in the clear, and (2) outputs are also known because they can be computed by anyone with the BSOD. | ||
| - $amount$: <u>***opaque***</u> field since one of the local invariants for a swap is that the swap reveals the amounts of those assets. | ||
| - $balance \ commitment$: <u>***opaque***</u> field (refer to the explanation in the [Spend section](#1-spend)) | ||
| - `SwapPayload` | ||
| - $swap commitment$: <u>***opaque***</u> field since the swap commitment is a $F_q$ element derived from a secure Poseidon hashing scheme and blinded by a $F_q$ element. | ||
| - $encrypted swap$: <u>***opaque***</u> field since the swap ciphertext is encrypted symmetrically using the visible payload key and reveals no more information about the swap that isn't already public. | ||
|
|
||
| - `Swap` | ||
| - `ZKSwapProof` | ||
| - $proof$: <u>***opaque***</u> field where the Groth16 proof is defined over the BLS12-377 prime field. | ||
| - `SwapBody` | ||
| - $trading \ pair$: <u>***opaque***</u> field where the swap inputs and outputs are shown in the public view since (1) inputs are public because they are in the clear, and (2) outputs are also known because they can be computed by anyone with the BSOD. | ||
| - $amount$: <u>***opaque***</u> field since one of the local invariants for a swap is that the swap reveals the amounts of those assets. | ||
| - $balance \ commitment$: <u>***opaque***</u> field (refer to the same explanation in the [Spend section](#1-spend)) | ||
| - `SwapPayload` | ||
| - $swap \ commitment$: <u>***opaque***</u> field since the swap commitment is a $F_q$ element derived from a secure Poseidon hashing scheme and blinded by a $F_q$ element. | ||
| - $encrypted \ swap$: <u>***opaque***</u> field since the swap ciphertext is encrypted symmetrically using the visible payload key and reveals no more information about the swap that isn't already public. | ||
| - `BatchSwapOutputData` - <u>***opaque***</u> field since the BSOD in the TxP does not leak any information about the specific output notes that the view service computes for the swap using the BSOD. Computing the output notes already assumes decrypting the swap ciphertext. | ||
| - `ValueView` - <u>***opaque***</u> field since the swap values are in the clear. | ||
| - `Metadata` - <u>***opaque***</u> field and the metadata is reported on-chain. | ||
| - `SwapPlaintext` - <u>***visible***</u> field since the decrypted swap ciphertext enables, alongside the BSOD, to retrieve output notes, which amonst other fields includes the private address controlling the note. | ||
| - `TransactionId` - <u>***visible***</u> field since it's associated with a commitment that will eventually be nullified, and since nullifiers are public, revealing the transaction ID creates a link between the commitment and the nullifier that commitment nullifies. | ||
| - `NoteView` - <u>***visible***</u> field since it consists of sensitive fields like the claim address which need to remain hidden. | ||
|
|
||
|
|
||
| ## 4. [Swap Claim View](https://buf.build/penumbra-zone/penumbra/docs/78be1d64b1cb484ba4bc666d54dc76c5/penumbra.core.component.dex.v1#penumbra.core.component.dex.v1.SwapClaim) | ||
|
|
||
| - `Swap Claim` |