ZEOS Orchard

This is the main application of the ZEOS protocol for private and untraceable transactions on the EOS Blockchain. This application will be deployed to the EOS Mainnet.

Description

This repository is a fork of Zcash Orchard. The application enables Zcash-like shielded transactions of fungible and non-fungible tokens on the EOS blockchain. Check out the Whitepaper for more Information.

This application is built on EOSIO and Liquidapps' DAPP Network services.

Getting Started

To setup the full workspace clone the dependencies rustzeos, halo2, pasta_curves, reddsa, the smart contract and the JS wallet as well:

mkdir zeos
cd zeos
git clone https://github.com/mschoenebeck/rustzeos.git
git clone https://github.com/mschoenebeck/halo2.git
git clone https://github.com/mschoenebeck/pasta_curves.git
git clone https://github.com/mschoenebeck/reddsa.git
git clone https://github.com/mschoenebeck/thezeostoken.git
git clone https://github.com/mschoenebeck/zeos-verifier.git
cd thezeostoken && git checkout orchard && cd ..
git clone https://github.com/mschoenebeck/zeos-wallet.git
cd zeos-wallet && git checkout orchard && cd ..

Clone this repository:

git clone https://github.com/mschoenebeck/zeos-orchard.git
cd zeos-orchard

Build the project as Rust library:

cargo build

Dependencies

Rust Toolchain

Help

If you need help join us on Telegram.

Authors

Matthias Schönebeck

License

You may use this package under the Bootstrap Open Source Licence, version 1.0, or at your option, any later version. See the file COPYING for more details, and LICENSE-BOSL for the terms of the Bootstrap Open Source Licence, version 1.0.

The purpose of the BOSL is to allow commercial improvements to the package while ensuring that all improvements are open source. See here for why the BOSL exists.

Acknowledgments

Big thanks to the Electric Coin Company for developing, documenting and maintaining this awesome open source codebase for zk-SNARKs!

Zcash Protocol Specification

Introduction

The protocol presented here is a fork of the Zcash Orchard Shielded Protocol, but tailored for EOSIO/Antelope blockchains and their asset classes. One of the key differences to Zcash is that the ZEOS Orchard Shielded Protocol is implemented as a smart contract on a general purpose blockchain (rather than as a stand-alone application on its own blockchain). Deployed on a public blockchain like the EOS mainnet, it exists as one of many applications in a diverse ecosystem. This makes it desirable to enable not only private peer-to-peer transactions, as with Zcash, but also private peer-to-contract transactions.

This makes the ZEOS Orchard Shielded Protocol much more sophisticated than the original version of Zcash. After all, there is only one fungible token on the Zcash blockchain - the native Zcash cryptocurrency - and no smart contracts at all. On EOSIO/Antelope blockchains, however, there are countless tokens with different symbols and precision, which are even issued and managed by different smart contracts. Finally, there are even different token types, such as fungible and non-fungible tokens.

This increased complexity in an environment of general-purpose blockchains such as EOSIO/Antelope also inevitably increases the requirements for a protocol for private transactions on such smart contract platforms. The ZEOS Orchard Shielded Protocol provides a fully comprehensive solution for user privacy in such an environment. Implemented and deployed as an application on a public blockchain such as EOS, it allows users to remain completely anonymous in their daily interactions with decentralized applications.

The ZEOS Orchard Shielded Protocol enables private DeFi on EOSIO/Antelope blockchains.

Preliminaries

This work is based on a thorough study of the following protocols and applications:

Nightfall: A protocol for private peer-to-peer transactions on Ethereum based on zk-SNARK.
Zcash Sprout
Zcash Sapling
Zcash Orchard

Related Research:

Monero: A protocol for private peer-to-peer transactions based on Stealth Addresses, Ring Signatures, and RingCT.
Dero: A protocol for private peer-to-peer transactions based on Homomorphic Encryption.

Zcash Protocol Specification

Since the protocol presented here is a fork of the Zcash Orchard Shielded Protocol the same specification applies almost everywhere. Only differences/extensions of the original protocol are specified here. Thus there are a lot of references to the original Zcash Protocol Specification.

ZEOS Whitepaper

The ZEOS whitepaper contains a first version of the concepts specified here. However, it was written in regards to the Groth16 proving system while the protocol presented here is based on the Halo2 proving system. The concepts described there are still mostly valid though.

Terminology

The terminology used is based on that of Nightfall and Zcash. The abbreviation 'UTXO' means 'Unspent Transaction Output' and is used interchangably with the term 'note'. The terms 'mint' and 'burn' refer to the creation (mint) or nullification (burn) of UTXOs (aka notes). The term 'ZEOS smart contract' refers to an EOSIO/Antelope smart contract that implements the ZEOS Orchard Shielded Protocol as specified here.

Introduction Video

The following video gives a short introduction to the features of the Zcash Orchard Shielded Protocol by the leading developers Sean Bowe and Daira Hopwood.

Overview

The ZEOS Orchard Shielded Protocol specifies a non-traceable UTXO transaction model implemented in an EOSIO/Antelope smart contract. This means that private ZEOS wallets do not exist directly in blockchain RAM - like EOSIO/Antelope accounts, for example - but only in the form of UTXOs that are assigned to specific wallet addresses. Users can therefore - as with any legacy cryptocurrency - simply create a new ZEOS wallet by picking a large random number (aka private key).

All assets held in private ZEOS wallets are actually in custody of the ZEOS smart contract. In order to transfer an asset from a transparent EOS account to a private ZEOS wallet, it is actually transferred to the ZEOS smart contract, while at the same time a (private) UTXO is minted, assigned to a private ZEOS wallet address specified by the user. UTXOs can then be transferred completely anonymously between ZEOS wallets without their ownership being traceable on chain.

The only data managed by the ZEOS smart contract are cryptographic commitments of valid UTXOs and their nullifiers. The validity of commitments and nullifiers is proven to the public using zero knowledge proofs (more precisely: zk-SNARKs) without revealing any sensitive information about the private UTXOs themselves.

Analogous to minting, UTXOs can also be burned in order to transfer assets from private ZEOS wallets back to a transparent EOS accounts. By burning the corresponding UTXO, the underlying asset is freed from custody of the ZEOS smart contract and transferred to an EOS account specified by the user. Using mint and burn actions, assets can be moved between transparent EOS accounts and private ZEOS wallets.

Privacy therefore only exists for assets "inside" the ZEOS application - i.e. only for assets in custody of the ZEOS smart contract and represented by UTXOs in private ZEOS wallets. The underlying EOSIO/Antelope blockchain remains transparent, of course. However, the introduction of a so-called authenticator token enables private token deposits and withdrawals. This means that users are able to interact directly from their ZEOS wallets with third party smart contracts of the same EOSIO/Antelope blockchain - as long as those contracts implement the necessary interface of the ZEOS Orchard Shielded Protocol.

The introduction of the authenticator token and the private deposits and withdrawals it enables make the ZEOS Orchard Shielded Protocol a truly universal privacy solution for EOSIO/Antelope blockchains that offers users of private ZEOS wallets almost the same blockchain experience as users of transparent EOS accounts - but with complete privacy.

See the ZEOS Whitepaper for more information about the concepts of the protocol presented here.

Keys & Addresses

The entire underlying cryptography of the protocol is identical to Zcash Orchard and is precisely specified in the Zcash Protocol Specification. The key and address derivation is thus also exactly identical to Zcash Orchard. The only difference is that there are no transparent UTXOs in the ZEOS Orchard Shielded Protocol and thus no unshielded transactions. The newly introduced concept of 'Unified Payment Addresses' in Zcash is therefore not adopted. In ZEOS there are only 'Shielded Payment Addresses'.

For a detailed explanation of all key components, please refer to the Zcash Protocol Specification, section 3.1 and section 4.2.3 respectively. In this document only the most important parts are briefly discussed. All key components are 32 bytes long.

Spending Key

The Spending Key $sk$ is a randomly chosen number from which all further key material is derived. Since the introduction of BIP 32 and ZIP 32, respectively, spending keys are usually derived deterministically from long, human readable seed phrases via pseudo-random function.

Full Viewing Key

The Full Viewing Key $fvk$ is the actual set of keys needed to generate private transactions. It is derived directly from the Spending Key and consists of three sub-keys:

$ak$ - Spend Validating Key
$nk$ - Nullifier Deriving Key
$rivk$ - $Commit^{ivk}$ Randomness

This key represents the minimum authority needed to spend UTXOs.

Incoming Viewing Key

The Incoming Viewing Key $ivk$ can be used to detect incoming payments (i.e. received UTXOs), but not to spend them. This key can be used, for example, for payment terminals to be able to confirm successfully received payments to customers.

In addition, each UTXO has a unique Viewing Key that can be shared by the sender with others in order to prove that a transmitted UTXO has been received.

Outgoing Viewing Key

The Outgoing Viewing Key $ovk$ can be used to detect all sent payments (i.e. spent UTXOs) of a wallet.

Shielded Payment Address

An Orchard Shielded Payment Address is 43 bytes long and consists of:

$d$ - Diversifier (10 bytes)
$p k_{d}$ - Diversified Transmission Key (33 bytes)

Since Zcash Orchard it is possible to deterministically derive several diversified payment addresses from one and the same spending authority. A group of such addresses share the same Full Viewing Key, Incoming Viewing Key and Outgoing Viewing Key.

UTXOs (aka Notes)

While there is only one fungible token in Zcash - the native cryptocurrency ZEC - there is significantly more token diversity in EOSIO/Antelope ecosystems. The ZEOS Orchard Shielded Protocol defines three different UTXO types:

Fungible Token (FT) Fungible tokens on EOSIO/Antelope blockchains are defined by the amount, symbol, and code of the smart contract (aka EOS account name) that issues them.
Non-Fungible Token (NFT) NFTs on EOSIO/Antelope Blockchains mainly follow the AtomicAssets token standard and are thus defined by a unique identifier and code of the smart contract (aka EOS account name) that issues them. The latter is the atomicassets smart contract in most cases, but can also be a custom NFT contract that follows the same standard.
Authenticator Token (AT) These tokens represent a permission to access specific assets in custody of a specific smart contract. They are characterized by the code of the respective smart contract and their $NoteCommit$ value.

Tuple

To cover all three ZEOS token types, the Zcash Orchard Note Tuple (as defined in Section 3.2 of the Zcash Protocol Specification is extended to the following structure:

$d$ is the diversifier of the recipient’s shielded payment address
$p k_{d}$ is the diversified transmission key of the recipient’s shielded payment address
$d1$ is an integer representing either the amount of the UTXO (fungible token) or the lower 64 bits of an identifier (non-fungible token)
$d2$ is an integer representing either the symbol of the UTXO (fungible token) or the upper 64 bits of an identifier (non-fungible token)
$sc$ is an integer representing the code of the issuing smart contract
$nft$ is a boolean determining if this UTXO is a fungible token (FT) or non-fungible token (NFT or AT)
$ρ$ is randomness used to derive the nullifier of the UTXO
$ψ$ is additional randomness used in deriving the nullifier
$rcm$ is a random commitment trapdoor as defined in section 4.1.8 of the Zcash Protocol Specification

Note: In addition to the above listed attributes each UTXO struct contains a header field (64 bit) and a memo field (512 bytes).

Commitment

When UTXOs are created (through minting or transfer), only a cryptographic commitment called $NoteCommit$ to the tupel attributes listed above is publicly disclosed and added to a global data structure called Commitment Tree. This allows the sensitive information such as amount, symbol, and recipient of the UTXO to be kept secret, while the commitment is used by the zk-SNARK proof to verify that the UTXO's secret information is valid.

Since the UTXO tuple has been extended for the ZEOS Orchard Shielded Protocol, the definition of the UTXO Commitment must also be modified. The original $NoteCommit$ is defined in section 5.4.8.4 of the Zcash Protocol Specification. It is changed to:

$NoteCommit_{rcm}^{Orchard} (g ⋆_{d}, pk ⋆_{d}, d1, ρ, ψ, d2, sc, nft) := SinsemillaCommit_{rcm} ("z.cash:Orchard-NoteCommit", g ⋆_{d} ∣∣ pk ⋆_{d} ∣∣ I2LEBSP_{64} (d1) ∣∣ I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) ∣∣ I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ) ∣∣ I2LEBSP_{64} (d2) ∣∣ I2LEBSP_{1} (nft) ∣∣ I2LEBSP_{64} (sc))$

Nullifier

Each UTXO has a unique nullifier which is deterministically derived from the UTXO tuple. Spending a UTXO invalidates it by publicly revealing the associated nullifier and adding it to the global set of all nullifiers called Nullifier Set. Analogous to the UTXO commitment, this way the sensitive information (amount, symbol, receiver) of the UTXO can be kept secret, while the nullifier is used by the zk-SNARK proof to check whether the nullifier is valid. That is, whether it actually nullifies an existing valid UTXO. Furthermore, the smart contract must check if the nullifier does not yet exist in the global set of all nullifiers to avoid double spends.

The exact function for deriving the nullifier is defined in section 4.16 of the Zcash Protocol Specification.

$DeriveNullifie r_{nk} (ρ, ψ, cm) = Extrac t_{P} ([(PR F_{nk}^{nfOrchard} (ρ) + ψ) mod q_{P}] K^{Orchard} + cm)$

where $cm$ is the $NoteCommit$ value of the corresponding UTXO.

No modification is required, since it depends only on the UTXO randomness as well as its commitment. The latter has already been adapted to the new UTXO tuple structure (see Commitment).

In-band secret distribution of UTXOs

The sender of a UTXO must be able to transmit the sensitive information (i.e. the UTXO tuple) to the receiver. After all, these are required so that receivers of UTXOs can successfully spend them. Thus, a private communication channel is needed through which the sensitive UTXO tuples can be transmitted.

For this purpose, Zcash Orchard - like all existing privacy coins in the crypto space - uses the underlying blockchain itself: Each UTXO tuple is encrypted and its ciphertext uploaded to the blockchain where it can be fetched and decrypted by the receiver. For the ZEOS Orchard Shielded Protocol a global data structure called Transmitted UTXO Ciphertext List is maintained by the ZEOS smart contract in which UTXO ciphertexts can be added.

The use of this communication channel is optional. It is important to keep in mind that all encrypted UTXOs added to that list become part of the underlying EOSIO/Antelope blockchain history which never forgets. At some point in the future the currently used encryption scheme might become unsafe and thus privately transmitted UTXO ciphertexts using this on chain communication channel might become traceable. This is a general problem all privacy cryptocurrencies in existence today suffer from.

The exact encryption scheme based on Incoming, Outgoing and Full Viewing Key is described in section 4.19 of the Zcash Protocol Specification and is adopted exactly the same way for the ZEOS Orchard Shielded Protocol.

Global Data Sets

The ZEOS smart contract maintains the following global data sets which define the state of the UTXO transaction model.

Commitment Tree

The UTXO Commitment Tree is a merkle tree managed by the ZEOS smart contract. It is instantiated with the Sinsemilla hash function, which can be efficiently implemented in Halo 2 arithmetic circuits. The leaves of the tree contain all existing and thus valid UTXO commitments. Thus, each UTXO that is newly created either by minting or transfer has an associated commitment leaf in the merkle tree. The number of leaves in the tree defines the size of the so-called anonymity set, which is directly determined by the depth of the tree.

The tree is always filled from left to right. Depending on the depth of the tree, there is room for a certain amount of leaves per tree. When a tree is full, it 'overflows' to the right into a new, empty tree. Each time one or more leaves are added, the root of the tree is updated.

Commitment Tree Root Set

In addition to the tree itself, the ZEOS smart contract maintains a set of merkle nodes in which all valid tree roots that have ever been created are being recorded. This way, the anonymity set of the protocol can be easily configured via the merkle tree depth, without having to worry about how many trees exist at a given time or to which tree a certain leaf (aka UTXO commitment) belongs.

For a UTXO to be valid, the following must be true: There exists (or existed) a merkle path that leads (or led) to a valid merkle root. This must be proven via zero knowledge proof for a UTXO in order to be spent.

The Commitment Tree itself as well as the Commitment Tree Roots set are both part of the global UTXO transaction state.

Nullifier Set

The UTXO Nullifier Set maintains a list of all nullifiers that have been publicly exposed. Each nullifier invalidates a particular UTXO which prevents double spending. The validity of nullifiers must be proven via zero knowledge proof in order to be able to spend UTXOs.

The Nullifier Set is part of the global UTXO transaction state.

Transmitted UTXO Ciphertext List

This global list of transmitted UTXO ciphertexts is used for the In-band secret distribution of UTXOs. It is not part of the global UTXO transaction state and its usage is optional.

Arithmetic Circuit

Every privacy protocol based on zk-SNARKs is built around a so-called arithmetic circuit, which defines the constraint system based on which all zero knowledge proofs are generated. It is essentially a mathematical function $C$ that takes a set of private inputs $ω$ and a set of public inputs $x$ and either resolves to $1$ (valid inputs) or $0$ (invalid inputs). The arithmetic circuit forms the core of any privacy protocol and should be designed to be as optimal as possible. In Halo 2, the complexity (i.e. the size) of the circuit is directly correlated to the proof verification time as well as the proof size. Thus, the cost (i.e. blockchain resources) of private transactions is directly determined by the complexity of the arithmetic circuit.

The circuits of all three Zcash protocols - Sprout, Sapling and Orchard - are fundamentally different from each other. This is mainly due to the use of different zk-SNARK proving systems, in which cryptographic "gadgets" - i.e. arithmetic implementations of hash functions or elliptic curve cryptography - have different complexity (i.e. number of constraints).

The Zcash Orchard Shielded Protocol, for example, is based on the Halo 2 Proving System and a PLONKish Arithmetization in which lookup tables can be used. This allows the Sinsemilla hash function, which was developed specifically for this protocol, to be implemented highly efficiently within the circuit. This is crucial for the complexity of the circuit, since for each UTXO that is issued, the valid merkle path must be proven, resulting in a concatenation of multiple Sinsemilla gadgets within the circuit. Since the merkle path accounts for the vast majority of the complexity of the entire circuit, the choice of an efficiently implementable hash function is crucial.

For example, in the protocol evolution from Zcash Sprout to Zcash Sapling, the hash function used in the Merkle tree was changed from Sha256 to Blake2s, since the latter leads to a significantly lower number of constraints in a Groth16 proving system (over the curves Bls12-381/Jubjub) and R1CS arithmetization. There are a number of interesting discussions on this topic by Zcash developers on Github.

The arithmetic circuit is of critical importance to the protocol, as it defines exactly what a valid UTXO transaction is. In the following, we will first roughly explain the arithmetic circuit of the Zcash Orchard Shielded Protocol and then describe the changes that lead to the design of the ZEOS Orchard Shielded Protocol arithmetic circuit.

Notation

The following notation is used to formally express arithmetic circuits and their context.

$ω$ : The private inputs of an arithmetic circuit
$x$ : The public inputs of an arithmetic circuit
$C$ : An arithmetic circuit $C : (ω, x) \to {0, 1}$
$π_{C, ω, x}$ : A proof for a circuit $C$ created with arguments $(ω, x)$

Zcash Action Circuit

A Zcash Orchard transaction is defined as a sequence of one or more actions. The Zcash Orchard circuit defines what a valid action is. It is important to note that in addition to shielded UTXOs, Zcash also has a transparent value pool (i.e. the Zcash protocol also allows for transparent, traceable transactions).

The general idea is as follows: Each action allows the spending of up to one UTXO ( $not e_{old}$ ) and the creation of up to one new UTXO ( $not e_{new}$ ). To balance the value difference between them there is a balancing value ( $v_{net}$ ).

The equation applies:

$not e_{old} .v = not e_{new} .v + v_{net}$

where $.v$ refers to the value (i.e. the amount of ZEC) of a UTXO as defined in section 3.2 (p.14) of the Zcash Protocol Specification.

The value $v_{net}$ thus expresses whether the UTXO transfer of a single Orchard action results in a positive or negative value surplus. Over the entire transaction - i.e. over the sum of all actions - $v_{net}$ must obviously result in zero. This means that the sum of all inputs of a transaction must be equal to the sum of all outputs.

However, the actual value surplus of an action remains secret - just like the private inputs of the circuit (i.e. the sensitive UTXO data). Instead, only a so-called $ValueCommit$ of $v_{net}$ is published, which is specified in section 5.4.8.3 of the Zcash Protocol Specification.

The $ValueCommit$ is a Pedersen Commitment that has special cryptographic properties such as homomorphic addition. This property allows for the $v_{net}$ values of all actions of the same transaction to be balanced without having to disclose the actual differences $v_{net}$ of individual actions publicly: The homomorphically encrypted $ValueCommit$ of all individual actions can be summed up and eventually balanced with a single transparent value from the transparent value pool (in case the sum is not zero). See section 4.14 of the Zcash Protocol Specification to learn more about the final balancing value of a shielded transaction.

A shielded transaction in Zcash Orchard therefore either generates a transparent output ( $v_{net} > 0$ ), or it consumes a transparent input ( $v_{net} < 0$ ), or $v_{net}$ equals zero, in which case it is a fully shielded transaction with no inputs or outputs from the transparent value pool.

The flexibility of this circuit design therefore allows the four different types of actions:

transparent → shielded ( $not e_{old} = 0$ , resembles a mint).
shielded → transparent ( $not e_{new} = 0$ , resembles a burn)
shielded → shielded ( $v_{net} = 0$ , resembles a shielded transfer)
mixed → mixed (either mint + shielded transfer or burn + shielded transfer)

The following schematic shows a highly simplified representation of the Zcash Orchard top level arithmetic circuit, reduced to the essential components. The black inputs are the private inputs of the arithmetic circuit and the blue inputs are the public inputs. Only if all equality gates (==) resolve to true the output of the circuit is $1$ , otherwise it is $0$ .

The circuit is divided into three areas, which are highlighted in different colors:

Area A contains all the logic regarding $not e_{old}$ . This is by far the most complex part of the circuit, since the validity of $not e_{old}$ as well as the validity of $spend_auth$ must be proven here. Specifically, it must be proven that:

There exists a sister path $auth_path$ to the $NoteCommit$ of $not e_{old}$ , which leads to a valid $ROOT$ of the merkle tree (i.e. $not e_{old}$ is a valid UTXO).
The address of the UTXO $not e_{old}$ can be derived from $spend_auth$ (i.e. $spend_auth$ is indeed the correct private key to $not e_{old}$ ).
The nullifier is valid (i.e. $NF$ is indeed the nullifier of $not e_{old}$ ).

Area B proves that $CM_NEW$ is indeed the correct $NoteCommit$ to the newly created UTXO $not e_{new}$ .

Area C proves that $CV_NET$ actually represents the correct $ValueCommit$ (aka Pedersen commitment) of the value surplus $v_{net}$ .

Modifications

However, for the ZEOS Orchard Shielded Protocol, the Zcash Orchard action circuit needs to be slightly adapted. Firstly, because there are no transparent transactions and therefore no transparent value pool in ZEOS. Furthermore, there is not only one, but countless different value pools in ZEOS because of the token diversity in EOSIO/Antelope ecosystems. Finally, there are numerous different fungible tokens as well as NFTs, which have no value pool at all because of their uniqueness.

Therefore the following approach is chosen:

$not e_{old}$ is renamed to $not e_{a}$
$not e_{new}$ is renamed to $not e_{b}$
the difference value $v_{net}$ is converted into a third UTXO $not e_{c}$
the $ValueCommit$ of $v_{net}$ then becomes a $NoteCommit$ of $not e_{c}$

The previous equation of the Zcash Orchard action circuit thus becomes:

$not e_{a} .d1 = not e_{b} .d1 + not e_{c} .d1$

where $.d1$ refers to the value (FT) or ID (NFT) of a UTXO as defined in UTXO Tuple.

Interestingly, the above equation works for both fungible and non-fungible tokens: In case of fungible token transfers, $not e_{c} .d1$ represents the change that (normally) goes back into the sender's wallet. In case of NFT transfers, however, $not e_{c} .d1$ is necessarily zero, since an NFT cannot be split. But if $not e_{c} .d1$ equals zero, it follows from the above equation that $not e_{a} .d1 = not e_{b} .d1$ which corresponds exactly to the desired NFT transfer from $not e_{a}$ to $not e_{b}$ .

In addition to above equations, the following conditions must hold:

$not e_{a} .d2 = not e_{b} .d2 = not e_{c} .d2$ $not e_{a} .sc = not e_{b} .sc = not e_{c} .sc$

The equality of all $.d2$ values enforces that either all UTXOs in the circuit must have the same token symbol (FT) or that the upper 64 bits of an ID must match (in case of NFT, but then $not e_{c} .d2$ must equal zero). The equality of all $.sc$ values enforces that all UTXOs in the circuit represent tokens issued by the same smart contract.

However, introducing $not e_{c}$ and replacing the $ValueCommit$ with a $NoteCommit$ comes with the trade-off that value surpluses of multiple actions of the same transaction can no longer be balanced with each other, since a $NoteCommit$ is no Pedersen commitment and therefore does not have homomorphic properties. This means that in the ZEOS Orchard Shielded Protocol every single action must be balanced out to zero surplus using $not e_{c}$ , i.e. the inputs of an action ( $not e_{a}$ ) must equal the outputs of the same action ( $not e_{b} + not e_{c}$ ).

ZEOS Action Circuit

As in Zcash Orchard there is only one circuit which is used to generate proofs for all privacy actions. The ZEOS Orchard circuit, $C_{zeos}$ , is very similar to the Zcash Orchard circuit. It can be divided into three parts: A, B and C. Each circuit part represents a UTXO and the action circuit describes their relationship to each other. There are two main configurations for this circuit.

It is either:

$A = B + C$

$A = C = 0$

The first configuration is used for all transfer and burn actions. UTXO $A$ represents the note which is being spent by the action. UTXO $B$ represents the receiving part of the action whereas UTXO $C$ represents the 'change' which goes usually back into the wallet of the sender (spender of UTXO $A$ ). Hence the relation $A = B + C$ between the UTXOs.

In case of NFT transfers (or burns) UTXO $C$ is always zero which enforces $A = B$ . This statement must be true for NFT transfers since NFTs are not divisable.

The second configuration is used for minting notes only. The configuration $A = B = 0$ effectively disables the circuit parts $A$ and $C$ leaving only part $B$ enabled.

Private Inputs ( $ω$ )

The following list contains all private inputs to the top level ZEOS action circuit.

Note $A$ (action input):

$path$ : Authentication path of note commitment A. The sister path of note commitment A which is required in order to calculate it's merkle plath.
$pos$ : Position of note commitment A inside the merkle tree. Specifically this is the leaf index of note commitment A.
$g_{d}_{a}$ : Address diversify hash of note A. Deterministically derived from a diversifier index (see p. 37 Zcash Protocol Specification).
$p k_{d}_{a}$ : Address public key of note A. Derived from Incoming Viewing Key and diversify hash (see p. 14 and 37 Zcash Protocol Specification).
$d1_{a}$ : Either the value of note A (fungible token) or the (lower 64 bits of the) unique identifier of note A (non-fungible token).
$d2_{a}$ : Either the symbol code of note A (fungible token) or the (upper 64 bits of the) unique identifier of note A (non-fungible token).
$ρ_{a}$ : Randomness to derive nullifier of note A (equals nullifier of note that was spent in order to create note A) (see p. 14 Zcash Protocol Specification)
$ψ_{a}$ : Additional randomness to derive nullifier of note A (see p. 14 Zcash Protocol Specification)
$rcm_{a}$ : Random commitment trapdoor of note commitment A (see p. 14 and 28 Zcash Protocol Specification)
$cm_{a}$ : Note commit of note A (see p. 28 Zcash Protocol Specification).
$α$ : Randomness to derive a spend authorization signature for note A (see p. 55 Zcash Protocol Specification).
$ak$ : Spend Validating Key which is part of the Full Viewing Key components (see p. 36 and 116 Zcash Protocol Specification).
$nk$ : Nullifier Deriving Key which is part of the Full Viewing Key components (see p. 36 and 116 Zcash Protocol Specification).
$rivk$ : Randomness which is part of the Full Viewing Key components to derive corresponding Incoming Viewing Key of the address diversify hash of note A (see p. 36, 37 and 116 Zcash Protocol Specification).

Note $B$ (action output):

$g_{d}_{b}$ : Address diversify hash of note B.
$p k_{d}_{b}$ : Address public key of note B.
$d1_{b}$ : Either the value of note B (fungible token) or the (lower 64 bits of the) unique identifier of note B (non-fungible token).
$d2_{b}$ : Either the symbol code of note B (fungible token) or the (upper 64 bits of the) unique identifier of note B (non-fungible token).
$sc_{b}$ : The code of the smart contract issuing notes A, B and C.
$ρ_{b}$ : Randomness to derive nullifier of note B (equals nullifier of note A).
$ψ_{b}$ : Additional randomness to derive nullifier of note B.
$rcm_{b}$ : Random commitment trapdoor of note commitment B.
$acc_{b}$ : Code of EOS account in which this note is 'burned'.

Note $C$ (action output):

$g_{d}_{c}$ : Address diversify hash of note C.
$p k_{d}_{c}$ : Address public key of note C.
$d1_{c}$ : Value of note C (fungible token only).
$ψ_{c}$ : Additional randomness to derive nullifier of note C.
$rcm_{c}$ : Random commitment trapdoor of note commitment C.
$acc_{c}$ : Code of EOS account in which this note is 'burned'.

Public Inputs ( $x$ )

The following list contains all public inputs to the top level ZEOS action circuit.

$ANCHOR$ : Merkle tree root of authentication path of note A (see p. 17 to 19 Zcash Protocol Specification).
$NF$ : Nullifier of note A (see p. 56 Zcash Protocol Specification).
$RK_{X}$ : Spend Authority (x component) of ( $α$ , $ak$ ) (see p. 61 Zcash Protocol Specification).
$RK_{Y}$ : Spend Authority (y component).
$NFT$ : Indicates if notes in circuit represent NFTs or fungible tokens.
$B_{d 1}$ : Exposes value (fungible token) or unique id (non-fungible token) of note B in case of MINT or BURN.
$B_{d 2}$ : Exposes symbol (fungible token) or unique id (non-fungible token) of note B in case of MINT or BURN.
$B_{sc}$ : Exposes smart contract code of note B in case of MINT or BURN.
$C_{d 1}$ : Exposes value of note C in case of BURNFT2 (fungible tokens only).
$CM_{B}$ : Note commitment of note B.
$CM_{C}$ : Note commitment of note C.
$ACC_{B}$ : Code of EOS account into which note B is 'burned'.
$ACC_{C}$ : Code of EOS account into which note C is 'burned'.

Circuit Internal Signals

The following signals are circuit-internal only.

$root$ : Derived root of merkle path of note A.
$cm_{a}^{'}$ : Derived commitment of note A.
$p k_{d}_{a}^{'}$ : Derived address public key of note A.
$rk_{x}$ : Derived spend authority (x component) of note A.
$rk_{y}$ : Derived spend authority (y component) of note A.
$nf_{a}$ : Derived nullifier of note A.
$cm_{b}$ : Derived commitment of note B.
$cm_{c}$ : Derived commitment of note C.

Constraints

Constraining an arithmetic circuit in Halo 2 is very similar to integrated circuit design in computer engineering. All Constraints are expressed as mathematical equations evaluating to zero. The logical AND becomes a multiplication and the logical OR becomes an addition.

The following statements for private and public inputs must hold.

The global statement 'either $A = B + C$ or $A = C = 0$ ' results in the following constraint for the note values $d1_{a}, d1_{b}, d1_{c}$ :

$(d1_{a} - d1_{b} - d1_{c}) \cdot (d1_{a} + d1_{c}) = 0$

For circuit part A the following constraints must hold:

$d1_{a} \cdot (root - ANCHOR) = 0$
$d1_{a} \cdot (cm_{a} - cm_{a}^{'}) = 0$
$d1_{a} \cdot (p k_{d}_{a} - p k_{d}_{a}^{'}) = 0$
$d1_{a} \cdot (rk_{x} - RK_{x}) = 0$
$d1_{a} \cdot (rk_{y} - RK_{y}) = 0$
$d1_{a} \cdot (d2_{a} - d2_{b}) = 0$
$d1_{a} \cdot (nf_{a} + ρ_{b} - 2 \cdot NF) = 0$

For circuit part B the following constraints must hold:

$B_{d 1} \cdot (B_{d 1} - d1_{b}) = 0$
$B_{d 1} \cdot (B_{d 2} - d2_{b}) = 0$
$B_{d 1} \cdot (B_{sc} - sc_{b}) = 0$
$CM_{B} \cdot (CM_{B} - cm_{b}) = 0$
$ACC_{B} - acc_{b} = 0$

For circuit part C the following constraints must hold:

$NFT \cdot d1_{c} = 0$
$C_{d 1} \cdot (C_{d 1} - d1_{c}) = 0$
$CM_{C} \cdot (CM_{C} - cm_{c}) = 0$
$ACC_{C} - acc_{c} = 0$

Valid Circuit Configurations

The following table lists the zactions and the corresponding configurations of the circuit's public inputs $x$ .

$ZAction M I NTFT M I NTNFT / B U RN A T TR A NSFERFT TR A NSFERNFT B U RNFT B U RNFT 2 B U RNNFT ANCHOR 00 root root root root root NF 00 nf_{a} nf_{a} nf_{a} nf_{a} nf_{a} R K_{x} 00 rk_{x} rk_{x} rk_{x} rk_{x} rk_{x} R K_{y} 00 rk_{y} rk_{y} rk_{y} rk_{y} rk_{y} NFT 0101001 B_{d 1} d1_{b} d1_{b} 00 d1_{b} d1_{b} d1_{b} B_{d 2} d2_{b} d2_{b} 00 d2_{b} d2_{b} d2_{b} B_{sc} sc_{b} sc_{b} 00 sc_{b} sc_{b} sc_{b} C_{d 1} 00000 d1_{c} 0 CM_{B} cm_{b} cm_{b} cm_{b} cm_{b} 000 CM_{C} 00 cm_{c} 0 cm_{c} 00 ACC_{B} 0000 acc_{b} acc_{b} acc_{b} ACC_{C} 00000 acc_{c} 0$

MINTFT

$ANCHOR 0 NF 0 R K_{x} 0 R K_{y} 0 NFT 0 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} 0 C M_{B} cm_{b} CM_{C} 0 ACC_{B} 0 ACC_{C} 0$

Given: $ANCHOR = NF = R K_{x} = R K_{y} = 0$
$\Rightarrow d1_{a} = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $CM_{B} = cm_{b}$
$\Rightarrow d1_{b} \neq = 0$ because of internal signal (7)

Given: $d1_{a} = 0, d1_{b} \neq = 0$
$\Rightarrow d1_{c} = 0$ because of constraint (1)

Given: $ACC_{B} = 0$
$\Rightarrow acc_{b} = 0$ because of constraint (13)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

MINTNFT/BURNAT

Note: The actions MINTNFT and BURNAT share the exact same circuit configuration. $ANCHOR 0 NF 0 R K_{x} 0 R K_{y} 0 NFT 1 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} 0 C M_{B} cm_{b} CM_{C} 0 ACC_{B} 0 ACC_{C} 0$

Given: $ANCHOR = NF = R K_{x} = R K_{y} = 0$
$\Rightarrow d1_{a} = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $CM_{B} = cm_{b}$
$\Rightarrow d1_{b} \neq = 0$ because of internal signal (7)

Given: $NFT = 1, d1_{a} = 0, d1_{b} \neq = 0$
$\Rightarrow d1_{c} = 0$ because of constraints (1) and (14)

Given: $ACC_{B} = 0$
$\Rightarrow acc_{b} = 0$ because of constraint (13)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

TRANSFERFT

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 0 B_{d 1} 0 B_{d 2} 0 B_{sc} 0 C_{d 1} 0 C M_{B} cm_{b} CM_{C} cm_{c} ACC_{B} 0 ACC_{C} 0$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $d1_{a} \neq = 0$
$\Rightarrow d1_{a} = d1_{b} + d1_{c}$ because of constraint (1)
$\Rightarrow d2_{a} = d2_{b}$ because of constraint (7)
$\Rightarrow ρ_{b} = nf_{a}$ because of constraint (8)

Given: $ACC_{B} = 0$
$\Rightarrow acc_{b} = 0$ because of constraint (13)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

TRANSFERNFT

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 1 B_{d 1} 0 B_{d 2} 0 B_{sc} 0 C_{d 1} 0 C M_{B} cm_{b} CM_{C} 0 ACC_{B} 0 ACC_{C} 0$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $NFT = 1$
$\Rightarrow d1_{c} = 0$ because of constraint (14)

Given: $d1_{a} \neq = 0, d1_{c} = 0$
$\Rightarrow d1_{a} = d1_{b}$ because of constraint (1)

Given: $d1_{a} \neq = 0$
$\Rightarrow d2_{a} = d2_{b}$ because of constraint (7)
$\Rightarrow ρ_{b} = nf_{a}$ because of constraint (8)

Given: $ACC_{B} = 0$
$\Rightarrow acc_{b} = 0$ because of constraint (13)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

BURNFT

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 0 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} 0 C M_{B} 0 CM_{C} cm_{c} ACC_{B} acc_{b} ACC_{C} 0$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

BURNFT2

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 0 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} d1_{c} C M_{B} 0 CM_{C} 0 ACC_{B} acc_{b} ACC_{C} acc_{c}$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

BURNNFT

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 1 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} 0 C M_{B} 0 CM_{C} 0 ACC_{B} acc_{b} ACC_{C} 0$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $NFT = 1$
$\Rightarrow d1_{c} = 0$ because of constraint (14)

Given: $d1_{a} \neq = 0, d1_{c} = 0$
$\Rightarrow d1_{a} = d1_{b}$ because of constraint (1)

Given $d1_{a} \neq = 0$
$\Rightarrow d2_{a} = d2_{b}$ because of constraint (7)
$\Rightarrow ρ_{b} = nf_{a}$ because of constraint (8)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

NoteCommit Chip

Besides the changes in the top level design, the $NoteCommit$ chip has to be adapted to the new UTXO tuple. However, these adaptations are not trivial.

The Sinsemilla hash function operates on multiples of 10 bits of the input message. However, since this is an implementation within an arithmetic circuit (and not an integrated circuit) there are no bits and bytes, only field elements (aka large numbers) as input signals. Thus, the various elements of the UTXO tuple must first be decomposed so that they can be concatenated into chunks of 10 bits and the message parts finally digested as 10 bit chunks. This requires canonicity checks for the value ranges of all message parts.

Compare the original version of this chip from the Zcash Orchard Shielded Protocol.

Message decomposition

$SinsemillaCommit$ is used in the $NoteCommit$ function. The input to $SinsemillaCommit$ is:

$g ⋆_{d} ∣∣ pk ⋆_{d} ∣∣ I2LEBSP_{64} (d1) ∣∣ I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) ∣∣ I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ) ∣∣ I2LEBSP_{64} (d2) ∣∣ I2LEBSP_{1} (nft) ∣∣ I2LEBSP_{64} (sc),$

where:

$g ⋆_{d}, pk ⋆_{d}$ are representations of Pallas curve points, with $255$ bits used for the $x$ -coordinate and $1$ bit used for the $y$ -coordinate.
$ρ, ψ$ are Pallas base field elements.
$d1$ is a $64$ -bit value.
$ℓ_{base}^{Orchard p} = 255.$
$d2$ is a $64$ -bit value.
$nft$ is a $1$ -bit value.
$sc$ is a $64$ -bit value.

Sinsemilla operates on multiples of 10 bits, so we start by decomposing the message into chunks:

$g ⋆_{d} pk ⋆_{d} I2LEBSP_{64} (d1) I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ) I2LEBSP_{64} (d2) I2LEBSP_{1} (nft) I2LEBSP_{64} (sc) = a ∣∣ b_{0} ∣∣ b_{1} ∣∣ b_{2} = (bits 0..=249 of x (g_{d})) ∣∣ (bits 250..=253 of x (g_{d})) ∣∣ (bit 254 of x (g_{d})) ∣∣ (\tilde{y} bit of g_{d}) = b_{3} ∣∣ c ∣∣ d_{0} ∣∣ d_{1} = (bits 0..=3 of x (p k_{d})) ∣∣ (bits 4..=253 of x (p k_{d})) ∣∣ (bit 254 of x (p k_{d})) ∣∣ (\tilde{y} bit of p k_{d}) = d_{2} ∣∣ d_{3} ∣∣ e_{0} = (bits 0..=7 of d1) ∣∣ (bits 8..=57 of d1) ∣∣ (bits 58..=63 of d1) = e_{1} ∣∣ f ∣∣ g_{0} = (bits 0..=3 of ρ) ∣∣ (bits 4..=253 of ρ) ∣∣ (bit 254 of ρ) = g_{1} ∣∣ g_{2} ∣∣ h_{0} ∣∣ h_{1} = (bits 0..=8 of ψ) ∣∣ (bits 9..=248 of ψ) ∣∣ (bits 249..=253 of ψ) ∣∣ (bit 254 of ψ) = h_{2} ∣∣ h_{3} = (bits 0..=3 of d2) ∣∣ (bits 4..=63 of d2) = i_{0} = (bit 0 of nft) = i_{1} ∣∣ i_{2} ∣∣ j_{0} ∣∣ j_{1} = (bits 0..=8 of sc) ∣∣ (bits 9..=58 of sc) ∣∣ (bits 59..=63 of sc)$

Then we recompose the chunks into message pieces:

$Length (bits) 250102506010250250706010 Piece a b = b_{0} ∣∣ b_{1} ∣∣ b_{2} ∣∣ b_{3} c d = d_{0} ∣∣ d_{1} ∣∣ d_{2} ∣∣ d_{3} e = e_{0} ∣∣ e_{1} f g = g_{0} ∣∣ g_{1} ∣∣ g_{2} h = h_{0} ∣∣ h_{1} ∣∣ h_{2} ∣∣ h_{3} i = i_{0} ∣∣ i_{1} ∣∣ i_{2} j = j_{0} ∣∣ j_{1}$

where $j_{1}$ is 5 zero bits (corresponding to the padding applied by the Sinsemilla $pad$ function).

Each message piece is constrained by $SinsemillaHash$ to its stated length. Additionally:

$g_{d}$ and $p k_{d}$ are witnessed and checked to be valid elliptic curve points.
$d1$ is witnessed as a field element, but its decomposition is sufficient to constrain it to be a 64-bit value.
$d2$ is witnessed as a field element, but its decomposition is sufficient to constrain it to be a 64-bit value.
$sc$ is witnessed as a field element, but its decomposition is sufficient to constrain it to be a 64-bit value.
$nft$ is witnessed as a field element, but its decomposition is sufficient to constrain it to be a 1-bit value.
$ρ$ and $ψ$ are witnessed as field elements, so we know they are canonical.

However, we need additional constraints to enforce that:

The chunks are the correct bit lengths (or else they could overlap in the decompositions and allow the prover to witness an arbitrary $SinsemillaCommit$ message).
The chunks contain the canonical decompositions of $g_{d}$ , $p k_{d}$ , $ρ$ , and $ψ$ (or else the prover could witness multiple equivalent inputs to $SinsemillaCommit$ ).

Some of these constraints are implemented with a reusable circuit gadget, $short_lookup_range_check ()$ . We define custom gates for the remainder. Since these gates use simple boolean selectors activated on different rows, their selectors are eligible for combining, reducing the overall proof size.

Message piece decomposition

We check the decomposition of each message piece in its own region. There is no need to check the whole pieces:

$a$ ( $250$ bits) is witnessed and constrained outside the gate;
$c$ ( $250$ bits) is witnessed and constrained outside the gate;
$f$ ( $250$ bits) is witnessed and constrained outside the gate;

The following helper gates are defined:

$bool_check (x) = x \cdot (1 - x)$ .
$short_lookup_range_check ()$ is a short lookup range check.

$b = b_{0} ∣∣ b_{1} ∣∣ b_{2} ∣∣ b_{3}$

$b$ has been constrained to be $10$ bits by the Sinsemilla hash.

Region layout

$A_{6} b A_{7} b_{0} b_{2} A_{8} b_{1} b_{3} q_{NoteCommit, b} 10$

Constraints

$Degree 332 Constraint q_{NoteCommit, b} \cdot bool_check (b_{1}) = 0 q_{NoteCommit, b} \cdot bool_check (b_{2}) = 0 q_{NoteCommit, b} \cdot (b - (b_{0} + b_{1} \cdot 2^{4} + b_{2} \cdot 2^{5} + b_{3} \cdot 2^{6})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (b_{0}, 4)$
$short_lookup_range_check (b_{3}, 4)$

$d = d_{0} ∣∣ d_{1} ∣∣ d_{2} ∣∣ d_{3}$

$d$ has been constrained to be $60$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} d A_{7} d_{0} d_{2} A_{8} d_{1} d_{3} q_{NoteCommit, d} 10$

Constraints

$Degree 332 Constraint q_{NoteCommit, d} \cdot bool_check (d_{0}) = 0 q_{NoteCommit, d} \cdot bool_check (d_{1}) = 0 q_{NoteCommit, d} \cdot (d - (d_{0} + d_{1} \cdot 2 + d_{2} \cdot 2^{2} + d_{3} \cdot 2^{10})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (d_{2}, 8)$
$d_{3}$ is equality-constrained to $z_{d, 1}$ , where the latter is the index-1 running sum output of $SinsemillaHash (d)$ , constrained by the hash to be $50$ bits.

$e = e_{0} ∣∣ e_{1}$

$e$ has been constrained to be $10$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} e A_{7} e_{0} A_{8} e_{1} q_{NoteCommit, e} 1$

Constraints

$Degree 2 Constraint q_{NoteCommit, e} \cdot (e - (e_{0} + e_{1} \cdot 2^{6})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (e_{0}, 6)$
$short_lookup_range_check (e_{1}, 4)$

$g = g_{0} ∣∣ g_{1} ∣∣ g_{2}$

$g$ has been constrained to be $250$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} g g_{1} A_{7} g_{0} g_{2} q_{NoteCommit, g} 10$

Constraints

$Degree 32 Constraint q_{NoteCommit, g} \cdot bool_check (g_{0}) = 0 q_{NoteCommit, g} \cdot (g - (g_{0} + g_{1} \cdot 2 + g_{2} \cdot 2^{10})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (g_{1}, 9)$
$g_{2}$ is equality-constrained to $z_{g, 1}$ , where the latter is the index-1 running sum output of $SinsemillaHash (g)$ , constrained by the hash to be 240 bits.

$h = h_{0} ∣∣ h_{1} ∣∣ h_{2} ∣∣ h_{3}$

$h$ has been constrained to be $70$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} h A_{7} h_{0} h_{2} A_{8} h_{1} h_{3} q_{NoteCommit, h} 10$

Constraints

$Degree 32 Constraint q_{NoteCommit, h} \cdot bool_check (h_{1}) = 0 q_{NoteCommit, h} \cdot (h - (h_{0} + h_{1} \cdot 2^{5} + h_{2} \cdot 2^{6} + h_{3} \cdot 2^{10})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (h_{0}, 5)$
$short_lookup_range_check (h_{2}, 4)$
$short_lookup_range_check (h_{3}, 60)$
$h_{3}$ is equality-constrained to $z_{h, 1}$ , where the latter is the index-1 running sum output of $SinsemillaHash (h)$ , constrained by the hash to be 60 bits.

$i = i_{0} ∣∣ i_{1} ∣∣ i_{2}$

$i$ has been constrained to be $60$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} i i_{1} A_{7} i_{0} i_{2} q_{NoteCommit, i} 10$

Constraints

$Degree 32 Constraint q_{NoteCommit, i} \cdot bool_check (i_{0}) = 0 q_{NoteCommit, i} \cdot (i - (i_{0} + i_{1} \cdot 2 + i_{2} \cdot 2^{10})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (i_{1}, 9)$
$short_lookup_range_check (i_{2}, 50)$
$i_{2}$ is equality-constrained to $z_{i, 1}$ , where the latter is the index-1 running sum output of $SinsemillaHash (i)$ , constrained by the hash to be 50 bits.

$j = j_{0} ∣∣ j_{1}$

$j$ has been constrained to be $10$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} j A_{7} j_{0} q_{NoteCommit, i} 1$

Constraints

$Degree 2 Constraint q_{NoteCommit, j} \cdot (j - j_{0}) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (j_{0}, 5)$

Field element checks

All message pieces and subpieces have been range-constrained by the earlier decomposition gates. They are now used to:

constrain each field element $I2LEBSP_{ℓ_{base}^{Orchard p}} (x (g_{d}))$ , $I2LEBSP_{ℓ_{base}^{Orchard p}} (x (p k_{d}))$ , $I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ)$ , and $I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ)$ to be 255-bit values, with top bits $b_{1}$ , $d_{0}$ , $g_{0}$ , and $h_{1}$ respectively.
constrain $I2LEBSP_{ℓ_{base}^{Orchard p}} (x (g_{d})) I2LEBSP_{ℓ_{base}^{Orchard p}} (x (p k_{d})) I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ) = x (g_{d}) (mod q_{P}) = x (p k_{d}) (mod q_{P}) = ρ (mod q_{P}) = ψ (mod q_{P})$ where $q_{P}$ is the Pallas base field modulus.
check that these are indeed canonically-encoded field elements, i.e. $I2LEBSP_{ℓ_{base}^{Orchard p}} (x (g_{d})) I2LEBSP_{ℓ_{base}^{Orchard p}} (x (p k_{d})) I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ) < q_{P} < q_{P} < q_{P} < q_{P}$

The Pallas base field modulus has the form $q_{P} = 2^{254} + t_{P}$ , where $t_{P} = 0x224698fc094cf91b992d30ed00000001$ is 126 bits. We therefore know that if the top bit is not set, then the remaining bits will always comprise a canonical encoding of a field element. Thus the canonicity checks below are enforced if and only if the corresponding top bit is set to 1.

In the constraints below we use a base- $2^{10}$ variant of the method used in libsnark (originally from [SVPBABW2012, Appendix C.1]) for range constraints $0 \leq x < t$ :

Let $t^{'}$ be the smallest power of $2^{10}$ greater than $t$ .

Enforce $0 \leq x < t^{'}$ .

Let $x^{'} = x + t^{'} - t$ .

Enforce $0 \leq x^{'} < t^{'}$ .

$x (g_{d})$ with $b_{1} = 1 ⟹ x (g_{d}) \geq 2^{254}$

Recall that $x (g_{d}) = a + 2^{250} \cdot b_{0} + 2^{254} \cdot b_{1}$ . When the top bit $b_{1}$ is set, we check that $x (g_{d})_{0.. = 253} < t_{P}$ :

$b_{1} = 1 ⟹ b_{0} = 0.$

Since $b_{1} = 1 ⟹ x (g_{d})_{0.. = 253} < t_{P} < 2^{126},$ we know that $x (g_{d})_{126.. = 253} = 0,$ and in particular $b_{0} := x (g_{d})_{250.. = 253} = 0.$
$b_{1} = 1 ⟹ 0 \leq a < t_{P} .$

To check that $a < t_{P}$ , we use two constraints:

a) $0 \leq a < 2^{130}$ . This is expressed in the custom gate as $b_{1} \cdot z_{a, 13} = 0,$ where $z_{a, 13}$ is the index-13 running sum output by $SinsemillaHash (a) .$

b) $0 \leq a + 2^{130} - t_{P} < 2^{130}$ . To check this, we decompose $a^{'} = a + 2^{130} - t_{P}$ into thirteen 10-bit words (little-endian) using a running sum $z_{a^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $b_{1} \cdot z_{a^{'}, 13} = 0.$

Region layout

$ρ$ with $g_{0} = 1 ⟹ ρ \geq 2^{254}$

Recall that $ρ = e_{1} + 2^{4} \cdot f + 2^{254} \cdot g_{0}$ . When the top bit $g_{0}$ is set, we check that $ρ_{0.. = 253} < t_{P}$ :

$g_{0} = 1 ⟹ 0 \leq e_{1} + 2^{4} \cdot f < t_{P} .$

To check that $0 \leq e_{1} + 2^{4} \cdot f < t_{P},$ we use two constraints:

a) $0 \leq e_{1} + 2^{4} \cdot f < 2^{140} .$ $e_{1}$ is already constrained individually to be a $4$ -bit value. $z_{f, 13}$ is the index-13 running sum output by $SinsemillaHash (f) .$ By constraining $g_{0} \cdot z_{f, 13} = 0,$ we constrain $e_{1} + 2^{4} \cdot f < 2^{134} < 2^{140} .$

b) $0 \leq e_{1} + 2^{4} \cdot f + 2^{140} - t_{P} < 2^{140}$ . To check this, we decompose $e_{1} f^{'} = e_{1} + 2^{4} \cdot f + 2^{140} - t_{P}$ into fourteen 10-bit words (little-endian) using a running sum $z_{e_{1} f^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $g_{0} \cdot z_{e_{1} f^{'}, 14} = 0.$

Region layout

$y$ -coordinate checks

Note that only the $\tilde{y}$ LSB of the $y$ -coordinates $y (g_{d}), y (p k_{d})$ was input to the hash, while the other bits of the $y$ -coordinate were unused. However, we must still check that the witnessed $\tilde{y}$ bit matches the original point's $y$ -coordinate. The checks for $y (g_{d}), y (p k_{d})$ will follow the same format. For each $y$ -coordinate, we witness:

$y = LSB ∣∣ k_{0} ∣∣ k_{1} ∣∣ k_{2} ∣∣ k_{3} = LSB ∣∣ (bits 1.. = 9 of y) ∣∣ (bits 10.. = 249 of y) ∣∣ (bits 250.. = 253 of y) ∣∣ (bit 254 of y),$

where $LSB$ is $b_{2}$ for $y (g_{d})$ , and $d_{1}$ for $y (p k_{d})$ . Let $j = LSB + 2 \cdot k_{0} + 2^{10} \cdot k_{1} .$ We decompose $j$ to be $250$ bits using a strict $25 -$ word ten-bit lookup. The running sum outputs allow us to susbstitute $k_{1} = z_{j, 1} .$

Recall that $b_{2} = \tilde{y} (g_{d})$ and $d_{1} = \tilde{y} (p k_{d})$ were pieces input to the Sinsemilla hash and have already been boolean-constrained. $k_{0}$ and $k_{2}$ are constrained outside this gate to $9$ and $4$ bits respectively. To constrain the remaining chunks, we use the following constraints:

$Degree 3 Constraint q_{NoteCommit, y} \cdot bool_check (k_{3}) = 0$

Then, to check that the decomposition was correct: $Degree 22 Constraint q_{NoteCommit, y} \cdot (j - (LSB + k_{0} \cdot 2 + k_{1} \cdot 2^{10})) = 0 q_{NoteCommit, y} \cdot (y - (j + k_{2} \cdot 2^{250} + k_{3} \cdot 2^{254})) = 0$

$y (g_{d})$ with $k_{3} = 1 ⟹ y (g_{d}) \geq 2^{254}$

In these cases, we check that $y (g_{d})_{0.. = 253} < t_{P}$ :

$k_{3} = 1 ⟹ k_{2} = 0.$

Since $k_{3} = 1 ⟹ y (g_{d})_{0.. = 253} < t_{P} < 2^{126},$ we know that $y (g_{d})_{126.. = 253} = 0,$ and in particular $k_{2} := y (g_{d})_{250.. = 253} = 0.$
$k_{3} = 1 ⟹ 0 \leq j < t_{P} .$

To check that $j < t_{P}$ , we use two constraints:

a) $0 \leq j < 2^{130}$ . This is expressed in the custom gate as $k_{3} \cdot z_{j, 13} = 0,$ where $z_{j, 13}$ is the index-13 running sum output by the $10$ -bit lookup decomposition of $j$ .

b) $0 \leq j + 2^{130} - t_{P} < 2^{130}$ . To check this, we decompose $j^{'} = j + 2^{130} - t_{P}$ into thirteen 10-bit words (little-endian) using a running sum $z_{j^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $k_{3} \cdot z_{j^{'}, 13} = 0.$

Region layout

$A_{5} y j A_{6} \tilde{y} k_{1} A_{7} k_{0} z_{j, 13} A_{8} k_{2} j^{'} A_{9} k_{3} z_{j^{'}, 13} q_{NoteCommit, y} 10$

Constraints

$Degree 3323 Constraint q_{NoteCommit, y} \cdot k_{3} \cdot k_{2} = 0 q_{NoteCommit, y} \cdot k_{3} \cdot z_{j, 13} = 0 q_{NoteCommit, y} \cdot (j + 2^{130} - t_{P} - j^{'}) = 0 q_{NoteCommit, y} \cdot k_{3} \cdot z_{j^{'}, 13} = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (k_{0}, 9)$
$short_lookup_range_check (k_{2}, 4)$

$y (p k_{d})$

This can be checked in exactly the same way as $y (g_{d})$ , with $b_{2}$ replaced by $d_{1}$ .

ZEOS Actions (ZActions)

Analogous to EOSIO/Antelope actions ZEOS privacy actions (aka zactions) change the global state of the UTXO transaction model, specifically of the Commitment Tree, Commitment Tree Root Set and Nullifier Set. The only exceptions are MINTAT and BURNAT which are used to mint and burn authenticator tokens and only change the state of the third party smart contract they are associated with (see Private Deposits & Withdrawals for more details).

Tuple

Analogous to the EOSIO/Antelope action struct, a zaction struct is defined. The tuple contains the following elements:

$type$ : The type of zaction to be executed (see Types below)
$x$ : The public inputs of this zaction (see public inuts tuple under ZEOS Action Circuit)
$memo$ : A memo field used in BURN actions to set the memo for the resulting EOSIO/Antelope token transfer action

Based on this zaction tuple and in analogy to EOSIO/Antelope transactions, a ztransaction is defined as a sequence of zactions.

Types

Based on the constraint system of the ZEOS Orchard action circuit $C_{zeos}$ the following privacy actions (i.e. zactions) are defined:

MINTFT: Mints a new UTXO representing a fungible asset.
MINTNFT: Mints a new UTXO representing a non-fungible asset.
MINTAT: Mints a new UTXO representing a permission.
TRANSFERFT: Transfers a UTXO representing a fungible asset.
TRANSFERNFT: Transfers a UTXO representing a non-fungible asset.
BURNFT: Burns a UTXO representing a fungible asset.
BURNFT2: Burns a UTXO representing a fungible asset with two different receivers.
BURNNFT: Burns a UTXO representing a non-fungible asset.
BURNAT: Burns a UTXO representing a permission.

MINTFT

Mints a new fungible UTXO. This effectively moves a fungible asset from a transparent EOSIO/Antelope account into a private ZEOS wallet. For this operation only part B of the ZEOS Action Circuit $C_{zeos}$ is used since only one new UTXO is created by this action.

Privacy Implications

This action provides only limited privacy protection:

sender: traceable - the sender's EOSIO/Antelope account
asset: traceable - quantity of the asset's smart contract's transfer action
memo: untraceable - hidden in UTXO ciphertext
receiver: untraceable - hidden in UTXO ciphertext

Flow

The following steps specify the flow of MINTFT.

Step 0

The fungible EOSIO/Antelope asset $b$ to be transferred is defined by the tuple:

$amount$ : The amount of asset $b$ as specified in the EOSIO developer documentation
$symbol$ : The symbol of asset $b$ as specified in the EOSIO developer documentation
$code$ : The EOSIO/Antelope account of the smart contract that issues asset $b$

Step 1

Create a new UTXO tuple $not e_{b}$ representing the fungible asset $b$ :

$d =$ Diversifier index of the receiving ZEOS wallet address
$p k_{d} =$ Public key of the receiving ZEOS wallet address
$d1 = b.amount$
$d2 = b.symbol$
$sc = b.code$
$nft = 0$
$ρ =$ Choose a random value
$ψ =$ Choose a random value
$rcm =$ Choose a random value

Step 2

Calculate the diversified transmission key of the receiving ZEOS wallet address (see section 5.4.1.6 of the Zcash Protocol Specification):

$g_{d}_{not e_{b}} = DiversifyHas h^{Orchard} (not e_{b} .d)$

Step 3

Calculate the $NoteCommit$ of $not e_{b}$ (see UTXO Commitment):

$c m_{not e_{b}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{b}}, not e_{b} . p k_{d}, not e_{b} .d1, not e_{b} . ρ, not e_{b} . ψ, not e_{b} .d2, not e_{b} .sc, not e_{b} .nft)$

Step 4

Set the private inputs $ω$ of the arithmetic circuit:

$path = 0$
$pos = 0$
$g_{d}_{a} = 0$
$p k_{d}_{a} = 0$
$d1_{a} = 0$
$d2_{a} = 0$
$ρ_{a} = 0$
$ψ_{a} = 0$
$rcm_{a} = 0$
$cm_{a} = 0$
$α = 0$
$ak = 0$
$nk = 0$
$rivk = 0$
$g_{d}_{b} = g_{d}_{not e_{b}}$
$p k_{d}_{b} = not e_{b} . p k_{d}$
$d1_{b} = not e_{b} .d1$
$d2_{b} = not e_{b} .d2$
$sc_{b} = not e_{b} .sc$
$ρ_{b} = not e_{b} . ρ$
$ψ_{b} = not e_{b} . ψ$
$rcm_{b} = not e_{b} .rcm$
$acc_{b} = 0$
$g_{d}_{c} = 0$
$p k_{d}_{c} = 0$
$d1_{c} = 0$
$ψ_{c} = 0$
$rcm_{c} = 0$
$acc_{c} = 0$

Step 5

Set the public inputs $x$ of the arithmetic circuit:

$ANCHOR = 0$
$NF = 0$
$RK_{X} = 0$
$RK_{Y} = 0$
$NFT = 0$
$B_{d 1} = not e_{b} .d1$
$B_{d 2} = not e_{b} .d2$
$B_{sc} = not e_{b} .sc$
$C_{d 1} = 0$
$CM_{B} = c m_{not e_{b}}$
$CM_{C} = 0$
$ACC_{B} = 0$
$ACC_{C} = 0$

Step 6

Generate $π_{C_{zeos}, ω, x}$ a proof of knowledge of satisfying arguments $(ω, x)$ so that $C_{zeos} (ω, x) = 1$

The pair $(π_{C_{zeos}, ω, x}, x)$ is the zk-SNARK which attests to knowledge of private inputs $ω$ without revealing them.

Step 7

Generate UTXO ciphertext $not e_{b}_{enc}$ of $not e_{b}$ for the receiver of the UTXO (see section 4.19.1 of the Zcash Protocol Specification)

Step 8

Transfer asset $b$ to the ZEOS smart contract. On reception, the ZEOS smart contract stores it in an asset buffer until MINTFT is executed.

Step 9

Execute the MINTFT action of the ZEOS smart contract. This action takes the following arguments:

$π_{C_{zeos}, ω, x}$ : The zero knowledge proof of satisfying arguments $(ω, x)$
$x$ : The public inputs of the zero knowledge proof $π_{C_{zeos}, ω, x}$
$not e_{b}_{enc}$ : The UTXO ciphertext which is transmitted to the receiver of $not e_{b}$

The ZEOS smart contract then performs the following checks:

Is the zero knowledge proof $π_{C_{zeos}, ω, x}$ valid?
Does the UTXO $not e_{b}$ represent the correct asset $b$ which is held in the asset buffer? I.e. are the following statements true:
- $b.amount = x . B_{d 1}$
- $b.symbol = x . B_{d 2}$
- $b.code = x . B_{sc}$
Is the NFT flag unset ( $x . NFT = 0$ )?

Step 10

If $true$ , the ZEOS smart contract performs the following operations:

Add $x . C M_{B}$ , the note commitment of $not e_{b}$ , to the next free leaf of the Commitment Tree
Add the new root of the Commitment Tree to the Commitment Tree Root Set
Add ciphertext $not e_{b}_{enc}$ to the Transmitted UTXO Ciphertext List

If $false$ , cancel execution.

MINTNFT

Mints a new non-fungible UTXO. This effectively moves a non-fungible asset from a transparent EOSIO/Antelope account into a private ZEOS wallet. For this operation only part B of the ZEOS Action Circuit $C_{zeos}$ is used since only one new UTXO is created by this action.

Since EOSIO/Antelope does not specify a standard for non-fungible tokens the token standard of AtomicAssets is applied.

Privacy Implications

This action provides only limited privacy protection:

sender: traceable - the sender's EOSIO/Antelope account
asset: traceable - asset id of the asset's smart contract's transfer¹ action
memo: untraceable - hidden in UTXO ciphertext
receiver: untraceable - hidden in UTXO ciphertext

¹ refers to the transfer action of the AtomicAssets smart contract

Flow

The following steps specify the flow of MINTNFT.

Step 0

The non-fungible EOSIO/Antelope asset $b$ to be transferred is defined by the tuple:

$id$ : The id of asset $b$ as specified in the AtomicAssets developer documentation
$code$ : The EOSIO/Antelope account of the AtomicAssets smart contract that issues asset $b$

Step 1

Create a new UTXO tuple $not e_{b}$ representing the non-fungible asset $b$ :

$d =$ Diversifier index of the receiving ZEOS wallet address
$p k_{d} =$ Public key of the receiving ZEOS wallet address
$d1 = b.id$
$d2 = 0$
$sc = b.code$
$nft = 1$
$ρ =$ Choose a random value
$ψ =$ Choose a random value
$rcm =$ Choose a random value

Step 2

Calculate the diversified transmission key of the receiving ZEOS wallet address (see section 5.4.1.6 of the Zcash Protocol Specification):

$g_{d}_{not e_{b}} = DiversifyHas h^{Orchard} (not e_{b} .d)$

Step 3

Calculate the $NoteCommit$ of $not e_{b}$ (see UTXO Commitment):

$c m_{not e_{b}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{b}}, not e_{b} . p k_{d}, not e_{b} .d1, not e_{b} . ρ, not e_{b} . ψ, not e_{b} .d2, not e_{b} .sc, not e_{b} .nft)$

Step 4

Set the private inputs $ω$ of the arithmetic circuit:

$path = 0$
$pos = 0$
$g_{d}_{a} = 0$
$p k_{d}_{a} = 0$
$d1_{a} = 0$
$d2_{a} = 0$
$ρ_{a} = 0$
$ψ_{a} = 0$
$rcm_{a} = 0$
$cm_{a} = 0$
$α = 0$
$ak = 0$
$nk = 0$
$rivk = 0$
$g_{d}_{b} = g_{d}_{not e_{b}}$
$p k_{d}_{b} = not e_{b} . p k_{d}$
$d1_{b} = not e_{b} .d1$
$d2_{b} = not e_{b} .d2$
$sc_{b} = not e_{b} .sc$
$ρ_{b} = not e_{b} . ρ$
$ψ_{b} = not e_{b} . ψ$
$rcm_{b} = not e_{b} .rcm$
$acc_{b} = 0$
$g_{d}_{c} = 0$
$p k_{d}_{c} = 0$
$d1_{c} = 0$
$ψ_{c} = 0$
$rcm_{c} = 0$
$acc_{c} = 0$

Step 5

Set the public inputs $x$ of the arithmetic circuit:

$ANCHOR = 0$
$NF = 0$
$RK_{X} = 0$
$RK_{Y} = 0$
$NFT = 1$
$B_{d 1} = not e_{b} .d1$
$B_{d 2} = not e_{b} .d2$
$B_{sc} = not e_{b} .sc$
$C_{d 1} = 0$
$CM_{B} = c m_{not e_{b}}$
$CM_{C} = 0$
$ACC_{B} = 0$
$ACC_{C} = 0$

Step 6

Generate $π_{C_{zeos}, ω, x}$ a proof of knowledge of satisfying arguments $(ω, x)$ so that $C_{zeos} (ω, x) = 1$

The pair $(π_{C_{zeos}, ω, x}, x)$ is the zk-SNARK which attests to knowledge of private inputs $ω$ without revealing them.

Step 7

Generate UTXO ciphertext $not e_{b}_{enc}$ of $not e_{b}$ for the receiver of the UTXO (see section 4.19.1 of the Zcash Protocol Specification)

Step 8

Transfer asset $b$ to the ZEOS smart contract. On reception, the ZEOS smart contract stores it in an asset buffer until MINTNFT is executed.

Step 9

Execute the MINTNFT action of the ZEOS smart contract. This action takes the following arguments:

$π_{C_{zeos}, ω, x}$ : The zero knowledge proof of satisfying arguments $(ω, x)$
$x$ : The public inputs of the zero knowledge proof $π_{C_{zeos}, ω, x}$
$not e_{b}_{enc}$ : The UTXO ciphertext which is transmitted to the receiver of $not e_{b}$

The ZEOS smart contract then performs the following checks:

Is the zero knowledge proof $π_{C_{zeos}, ω, x}$ valid?
Does the UTXO $not e_{b}$ represent the correct asset $b$ which is held in the asset buffer? I.e. are the following statements true:
- $b.id = x . B_{d 1}$
- $0 = x . B_{d 2}$ ¹
- $b.code = x . B_{sc}$
Is the NFT flag set ( $x . NFT = 1$ )?

¹NFTs of smart contracts following the AtomicAssets standard have a 64 Bit unique identifier only, thus no upper 64 Bits.

Step 10

If $true$ , the ZEOS smart contract performs the following operations:

Add $x . C M_{B}$ , the note commitment of $not e_{b}$ , to the next free leaf of the Commitment Tree
Add the new root of the Commitment Tree to the Commitment Tree Root Set
Add ciphertext $not e_{b}_{enc}$ to the Transmitted UTXO Ciphertext List

If $false$ , cancel execution.

MINTAT

Mints a new authenticator token. This action does not require a zero knowledge proof. Authenticator tokens do not (directly) represent real assets and thus have no leaves in the merkle tree. Instead, the corresponding $NoteCommit$ of an authenticator token is used as an identifier for third party smart contracts where assets are privately deposited. By proving knowledge of the secret randomness of an authenticator token, the deposited assets asociated with this token can be withdrawn from the third party smart contract at a later point in time.

Privacy Implications

No assets are being moved by this action.

Flow

The following steps specify the flow of MINTAT.

Step 1

Create a new UTXO tuple $not e_{b}$ representing the permission:

$d =$ Diversifier index of the ZEOS wallet address which owns this permission
$p k_{d} =$ Public key of the ZEOS wallet address which owns this permission
$d1 = 0$
$d2 = 0$
$sc =$ EOSIO/Antelope account of the third party smart contract where this permission is valid
$nft = 1$
$ρ =$ Choose a random value
$ψ =$ Choose a random value
$rcm =$ Choose a random value

Step 2

Generate UTXO ciphertext $not e_{b}_{enc}$ of $not e_{b}$ for the owner of the permission (see section 4.19.1 of the Zcash Protocol Specification)

Step 3

Execute the MINTAT action of the ZEOS smart contract. This action takes the following arguments:

$not e_{b}_{enc}$ : The UTXO ciphertext which is transmitted to the receiver of $not e_{b}$

Step 4

The ZEOS smart contract performs the following operations:

Add ciphertext $not e_{b}_{enc}$ to the Transmitted UTXO Ciphertext List

TRANSFERFT

Transfers (part of) a fungible UTXO. This effectively moves a certain balance of a fungible asset from one private ZEOS wallet to another. For this operation the entire ZEOS Action Circuit $C_{zeos}$ is used since one existing UTXO is being spent while two new UTXOs are being created by this action.

Privacy Implications

This action provides full privacy protection:

sender: untraceable - hidden in zk-SNARK
asset: untraceable - hidden in UTXO ciphertext
memo: untraceable - hidden in UTXO ciphertext
receiver: untraceable - hidden in UTXO ciphertext

Flow

The following steps specify the flow of TRANSFERFT.

Step 0

The UTXO $not e_{a}$ represents an amount of a fungible EOSIO/Antelope asset from which a certain (partial) $amoun t_{b}$ is to be transmitted. Therefore the following must apply: $not e_{a} .d1 >= amoun t_{b}$ .

Step 1

Create a new UTXO tuple $not e_{b}$ representing the receiving $amoun t_{b}$ of the asset:

$d =$ Diversifier index of the receiving ZEOS wallet address
$p k_{d} =$ Public key of the receiving ZEOS wallet address
$d1 = amoun t_{b}$
$d2 = not e_{a} .d2$
$sc = not e_{a} .sc$
$nft = 0$
$ρ =$ Choose a random value
$ψ =$ Choose a random value
$rcm =$ Choose a random value

Create a new UTXO tuple $not e_{c}$ representing the 'change' to $amoun t_{b}$ of $not e_{a}$ :

$d =$ Diversifier index of the sending¹ ZEOS wallet address
$p k_{d} =$ Public key of the sending¹ ZEOS wallet address
$d1 = not e_{a} .d1 - amoun t_{b}$
$d2 = not e_{a} .d2$
$sc = not e_{a} .sc$
$nft = 0$
$ρ =$ Choose a random value
$ψ =$ Choose a random value
$rcm =$ Choose a random value

¹ Note that it is also possible to choose a third wallet address for $not e_{c}$ instead of the sender's address.

Step 2

Calculate the diversified transmission keys of all ZEOS wallet addresses involved (see section 5.4.1.6 of the Zcash Protocol Specification):

$g_{d}_{not e_{a}} = DiversifyHas h^{Orchard} (not e_{a} .d)$
$g_{d}_{not e_{b}} = DiversifyHas h^{Orchard} (not e_{b} .d)$
$g_{d}_{not e_{c}} = DiversifyHas h^{Orchard} (not e_{c} .d)$

Step 3

Calculate the Commitment of all three UTXOs $not e_{a}$ , $not e_{b}$ and $not e_{c}$ :

$c m_{not e_{a}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{a}}, not e_{a} . p k_{d}, not e_{a} .d1, not e_{a} . ρ, not e_{a} . ψ, not e_{a} .d2, not e_{a} .sc, not e_{a} .nft)$
$c m_{not e_{b}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{b}}, not e_{b} . p k_{d}, not e_{b} .d1, not e_{b} . ρ, not e_{b} . ψ, not e_{b} .d2, not e_{b} .sc, not e_{b} .nft)$
$c m_{not e_{c}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{c}}, not e_{c} . p k_{d}, not e_{c} .d1, not e_{c} . ρ, not e_{c} . ψ, not e_{c} .d2, not e_{c} .sc, not e_{c} .nft)$

Step 4

Calculate the $root$ of the Commitment Tree based on the sister path of $c m_{not e_{a}}$ .

Step 5

Calculate the Nullifier $n f_{a}$ of $not e_{a}$ :

$n f_{a} = DeriveNullifie r_{nk} (not e_{a} . ρ, not e_{a} . ψ, c m_{not e_{a}})$

Step 6

Choose a random value $α^{'}$ and calculate the Spend Authority $r k^{'}$ for this action (see section 4.17.4 of the Zcash Protocol Specification):

$α^{'} =$ Choose a random value
$r k^{'} = SpendAuthSi g^{Orchard} .RandomizePublic (α^{'}, ak^{P})$

where $ak$ is the Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key.

Step 7

Set the private inputs $ω$ of the arithmetic circuit:

$path =$ sister path of $c m_{not e_{a}}$ in the Commitment Tree
$pos =$ leaf index of $c m_{not e_{a}}$ in the Commitment Tree
$g_{d}_{a} = g_{d}_{not e_{a}}$
$p k_{d}_{a} = not e_{a} . p k_{d}$
$d1_{a} = not e_{a} .d1$
$d2_{a} = not e_{a} .d2$
$ρ_{a} = not e_{a} . ρ$
$ψ_{a} = not e_{a} . ψ$
$rcm_{a} = not e_{a} .rcm$
$cm_{a} = c m_{not e_{a}}$
$α = α^{'}$
$ak =$ Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key
$nk =$ Nullifier Deriving Key of $not e_{a}$ which is part of the Full Viewing Key
$rivk =$ $Commit^{ivk}$ Randomness of $not e_{a}$ which is part of the Full Viewing Key
$g_{d}_{b} = g_{d}_{not e_{b}}$
$p k_{d}_{b} = not e_{b} . p k_{d}$
$d1_{b} = not e_{b} .d1$
$d2_{b} = not e_{b} .d2$
$sc_{b} = not e_{b} .sc$
$ρ_{b} = not e_{b} . ρ$
$ψ_{b} = not e_{b} . ψ$
$rcm_{b} = not e_{b} .rcm$
$acc_{b} = 0$
$g_{d}_{c} = g_{d}_{not e_{c}}$
$p k_{d}_{c} = not e_{c} . p k_{d}$
$d1_{c} = not e_{c} .d1$
$ψ_{c} = not e_{c} . ψ$
$rcm_{c} = not e_{c} .rcm$
$acc_{c} = 0$

Step 8

Set the public inputs $x$ of the arithmetic circuit:

$ANCHOR = root$
$NF = n f_{a}$
$RK_{X} = r k^{'}_{x}$
$RK_{Y} = r k^{'}_{y}$
$NFT = 0$
$B_{d 1} = 0$
$B_{d 2} = 0$
$B_{sc} = 0$
$C_{d 1} = 0$
$CM_{B} = c m_{not e_{b}}$
$CM_{C} = c m_{not e_{c}}$
$ACC_{B} = 0$
$ACC_{C} = 0$

Step 9

Generate $π_{C_{zeos}, ω, x}$ a proof of knowledge of satisfying arguments $(ω, x)$ so that $C_{zeos} (ω, x) = 1$

The pair $(π_{C_{zeos}, ω, x}, x)$ is the zk-SNARK which attests to knowledge of private inputs $ω$ without revealing them.

Step 10

Generate UTXO ciphertexts $not e_{b}_{enc}$ of $not e_{b}$ and $not e_{c}_{enc}$ of $not e_{c}$ for the receivers of the UTXOs (see section 4.19.1 of the Zcash Protocol Specification)

Step 11

Execute the TRANSFERFT action of the ZEOS smart contract. This action takes the following arguments:

$π_{C_{zeos}, ω, x}$ : The zero knowledge proof of satisfying arguments $(ω, x)$
$x$ : The public inputs of the zero knowledge proof $π_{C_{zeos}, ω, x}$
$not e_{b}_{enc}$ : The UTXO ciphertext which is transmitted to the receiver of $not e_{b}$
$not e_{c}_{enc}$ : The UTXO ciphertext which is transmitted to the receiver of $not e_{c}$

The ZEOS smart contract then performs the following checks:

Is the zero knowledge proof $π_{C_{zeos}, ω, x}$ valid?
Is the NFT flag unset ( $x . NFT = 0$ )?

Step 12

If $true$ , the ZEOS smart contract performs the following operations:

Add $x . NF$ , the nullifier of $not e_{a}$ to the Nullifier Set
Add $x . C M_{B}$ , the note commitment of $not e_{b}$ , to the next free leaf of the Commitment Tree
Add $x . C M_{C}$ , the note commitment of $not e_{c}$ , to the next free leaf of the Commitment Tree
Add the new root of the Commitment Tree to the Commitment Tree Root Set
Add ciphertext $not e_{b}_{enc}$ to the Transmitted UTXO Ciphertext List
Add ciphertext $not e_{c}_{enc}$ to the Transmitted UTXO Ciphertext List

If $false$ , cancel execution.

TRANSFERNFT

Transfers a non-fungible UTXO. This effectively moves a non-fungible asset from one private ZEOS wallet to another. For this operation only part A and B of the ZEOS Action Circuit $C_{zeos}$ is used since one existing UTXO is being spent while one new UTXO is being created by this action.

Privacy Implications

This action provides full privacy protection:

sender: untraceable - hidden in zk-SNARK
asset: untraceable - hidden in UTXO ciphertext
memo: untraceable - hidden in UTXO ciphertext
receiver: untraceable - hidden in UTXO ciphertext

Flow

The following steps specify the flow of TRANSFERNFT.

Step 0

The UTXO $not e_{a}$ represents a non-fungible EOSIO/Antelope asset to be transmitted.

Step 1

Create a new UTXO tuple $not e_{b}$ representing the non-fungible asset $not e_{a}$ at the receiving address with new randomness:

$d =$ Diversifier index of the receiving ZEOS wallet address
$p k_{d} =$ Public key of the receiving ZEOS wallet address
$d1 = not e_{a} .d1$
$d2 = not e_{a} .d2$
$sc = not e_{a} .sc$
$nft = 1$
$ρ =$ Choose a random value
$ψ =$ Choose a random value
$rcm =$ Choose a random value

Step 2

Calculate the diversified transmission keys of all ZEOS wallet addresses involved (see section 5.4.1.6 of the Zcash Protocol Specification):

$g_{d}_{not e_{a}} = DiversifyHas h^{Orchard} (not e_{a} .d)$
$g_{d}_{not e_{b}} = DiversifyHas h^{Orchard} (not e_{b} .d)$

Step 3

Calculate the Commitment of the two UTXOs $not e_{a}$ and $not e_{b}$ :

$c m_{not e_{a}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{a}}, not e_{a} . p k_{d}, not e_{a} .d1, not e_{a} . ρ, not e_{a} . ψ, not e_{a} .d2, not e_{a} .sc, not e_{a} .nft)$
$c m_{not e_{b}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{b}}, not e_{b} . p k_{d}, not e_{b} .d1, not e_{b} . ρ, not e_{b} . ψ, not e_{b} .d2, not e_{b} .sc, not e_{b} .nft)$

Step 4

Calculate the $root$ of the Commitment Tree based on the sister path of $c m_{not e_{a}}$ .

Step 5

Calculate the Nullifier $n f_{a}$ of $not e_{a}$ :

$n f_{a} = DeriveNullifie r_{nk} (not e_{a} . ρ, not e_{a} . ψ, c m_{not e_{a}})$

Step 6

Choose a random value $α^{'}$ and calculate the Spend Authority $r k^{'}$ for this action (see section 4.17.4 of the Zcash Protocol Specification):

$α^{'} =$ Choose a random value
$r k^{'} = SpendAuthSi g^{Orchard} .RandomizePublic (α^{'}, ak^{P})$

where $ak$ is the Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key.

Step 7

Set the private inputs $ω$ of the arithmetic circuit:

$path =$ sister path of $c m_{not e_{a}}$ in the Commitment Tree
$pos =$ leaf index of $c m_{not e_{a}}$ in the Commitment Tree
$g_{d}_{a} = g_{d}_{not e_{a}}$
$p k_{d}_{a} = not e_{a} . p k_{d}$
$d1_{a} = not e_{a} .d1$
$d2_{a} = not e_{a} .d2$
$ρ_{a} = not e_{a} . ρ$
$ψ_{a} = not e_{a} . ψ$
$rcm_{a} = not e_{a} .rcm$
$cm_{a} = c m_{not e_{a}}$
$α = α^{'}$
$ak =$ Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key
$nk =$ Nullifier Deriving Key of $not e_{a}$ which is part of the Full Viewing Key
$rivk =$ $Commit^{ivk}$ Randomness of $not e_{a}$ which is part of the Full Viewing Key
$g_{d}_{b} = g_{d}_{not e_{b}}$
$p k_{d}_{b} = not e_{b} . p k_{d}$
$d1_{b} = not e_{b} .d1$
$d2_{b} = not e_{b} .d2$
$sc_{b} = not e_{b} .sc$
$ρ_{b} = not e_{b} . ρ$
$ψ_{b} = not e_{b} . ψ$
$rcm_{b} = not e_{b} .rcm$
$acc_{b} = 0$
$g_{d}_{c} = 0$
$p k_{d}_{c} = 0$
$d1_{c} = 0$
$ψ_{c} = 0$
$rcm_{c} = 0$
$acc_{c} = 0$

Step 8

Set the public inputs $x$ of the arithmetic circuit:

$ANCHOR = root$
$NF = n f_{a}$
$RK_{X} = r k^{'}_{x}$
$RK_{Y} = r k^{'}_{y}$
$NFT = 1$
$B_{d 1} = 0$
$B_{d 2} = 0$
$B_{sc} = 0$
$C_{d 1} = 0$
$CM_{B} = c m_{not e_{b}}$
$CM_{C} = 0$
$ACC_{B} = 0$
$ACC_{C} = 0$

Step 9

Generate $π_{C_{zeos}, ω, x}$ a proof of knowledge of satisfying arguments $(ω, x)$ so that $C_{zeos} (ω, x) = 1$

The pair $(π_{C_{zeos}, ω, x}, x)$ is the zk-SNARK which attests to knowledge of private inputs $ω$ without revealing them.

Step 10

Generate UTXO ciphertext $not e_{b}_{enc}$ of $not e_{b}$ for the receiver of the UTXOs (see section 4.19.1 of the Zcash Protocol Specification)

Step 11

Execute the TRANSFERNFT action of the ZEOS smart contract. This action takes the following arguments:

$π_{C_{zeos}, ω, x}$ : The zero knowledge proof of satisfying arguments $(ω, x)$
$x$ : The public inputs of the zero knowledge proof $π_{C_{zeos}, ω, x}$
$not e_{b}_{enc}$ : The UTXO ciphertext which is transmitted to the receiver of $not e_{b}$

The ZEOS smart contract then performs the following checks:

Is the zero knowledge proof $π_{C_{zeos}, ω, x}$ valid?
Is the NFT flag set ( $x . NFT = 1$ )?

Step 12

If $true$ , the ZEOS smart contract performs the following operations:

Add $x . NF$ , the nullifier of $not e_{a}$ to the Nullifier Set
Add $x . C M_{B}$ , the note commitment of $not e_{b}$ , to the next free leaf of the Commitment Tree
Add the new root of the Commitment Tree to the Commitment Tree Root Set
Add ciphertext $not e_{b}_{enc}$ to the Transmitted UTXO Ciphertext List

If $false$ , cancel execution.

BURNFT

Burns (part of) a fungible UTXO. This effectively moves a certain balance of a fungible asset from a private ZEOS wallet to a transparent EOSIO/Antelope account. For this operation the entire ZEOS Action Circuit $C_{zeos}$ is used since one existing UTXO is being spent, part of its balance is publicly revealed and one new UTXO is being created by this action.

Privacy Implications

This action provides only limited privacy protection:

sender: untraceable - hidden in zk-SNARK
asset: traceable - quantity of the asset's smart contract's transfer action
memo: traceable - memo of the asset's smart contract's transfer action
receiver: traceable - the receiver's EOSIO/Antelope account

Flow

The following steps specify the flow of BURNFT.

Step 0

The UTXO $not e_{a}$ represents an amount of a fungible EOSIO/Antelope asset from which a certain (partial) $amoun t_{b}$ is to be transmitted to the EOSIO/Antelope account $accoun t_{b}$ . Therefore the following must apply: $not e_{a} .d1 >= amoun t_{b}$ .

Step 1

Create a new UTXO tuple $not e_{c}$ representing the 'change' to $amoun t_{b}$ of $not e_{a}$ :

$d =$ Diversifier index of the sending¹ ZEOS wallet address
$p k_{d} =$ Public key of the sending¹ ZEOS wallet address
$d1 = not e_{a} .d1 - amoun t_{b}$
$d2 = not e_{a} .d2$
$sc = not e_{a} .sc$
$nft = 0$
$ρ =$ Choose a random value
$ψ =$ Choose a random value
$rcm =$ Choose a random value

¹ Note that it is also possible to choose a third wallet address for $not e_{c}$ instead of the sender's address.

Step 2

Calculate the diversified transmission keys of all ZEOS wallet addresses involved (see section 5.4.1.6 of the Zcash Protocol Specification):

$g_{d}_{not e_{a}} = DiversifyHas h^{Orchard} (not e_{a} .d)$
$g_{d}_{not e_{c}} = DiversifyHas h^{Orchard} (not e_{c} .d)$

Step 3

Calculate the Commitment of the two UTXOs $not e_{a}$ and $not e_{c}$ :

$c m_{not e_{a}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{a}}, not e_{a} . p k_{d}, not e_{a} .d1, not e_{a} . ρ, not e_{a} . ψ, not e_{a} .d2, not e_{a} .sc, not e_{a} .nft)$
$c m_{not e_{c}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{c}}, not e_{c} . p k_{d}, not e_{c} .d1, not e_{c} . ρ, not e_{c} . ψ, not e_{c} .d2, not e_{c} .sc, not e_{c} .nft)$

Step 4

Calculate the $root$ of the Commitment Tree based on the sister path of $c m_{not e_{a}}$ .

Step 5

Calculate the Nullifier $n f_{a}$ of $not e_{a}$ :

$n f_{a} = DeriveNullifie r_{nk} (not e_{a} . ρ, not e_{a} . ψ, c m_{not e_{a}})$

Step 6

Choose a random value $α^{'}$ and calculate the Spend Authority $r k^{'}$ for this action (see section 4.17.4 of the Zcash Protocol Specification):

$α^{'} =$ Choose a random value
$r k^{'} = SpendAuthSi g^{Orchard} .RandomizePublic (α^{'}, ak^{P})$

where $ak$ is the Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key.

Step 7

Set the private inputs $ω$ of the arithmetic circuit:

$path =$ sister path of $c m_{not e_{a}}$ in the Commitment Tree
$pos =$ leaf index of $c m_{not e_{a}}$ in the Commitment Tree
$g_{d}_{a} = g_{d}_{not e_{a}}$
$p k_{d}_{a} = not e_{a} . p k_{d}$
$d1_{a} = not e_{a} .d1$
$d2_{a} = not e_{a} .d2$
$ρ_{a} = not e_{a} . ρ$
$ψ_{a} = not e_{a} . ψ$
$rcm_{a} = not e_{a} .rcm$
$cm_{a} = c m_{not e_{a}}$
$α = α^{'}$
$ak =$ Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key
$nk =$ Nullifier Deriving Key of $not e_{a}$ which is part of the Full Viewing Key
$rivk =$ $Commit^{ivk}$ Randomness of $not e_{a}$ which is part of the Full Viewing Key
$g_{d}_{b} = 0$
$p k_{d}_{b} = 0$
$d1_{b} = amoun t_{b}$
$d2_{b} = not e_{a} .d2$
$sc_{b} = not e_{a} .sc$
$ρ_{b} = n f_{a}$
$ψ_{b} = 0$
$rcm_{b} = 0$
$acc_{b} = accoun t_{b}$
$g_{d}_{c} = g_{d}_{not e_{c}}$
$p k_{d}_{c} = not e_{c} . p k_{d}$
$d1_{c} = not e_{c} .d1$
$ψ_{c} = not e_{c} . ψ$
$rcm_{c} = not e_{c} .rcm$
$acc_{c} = 0$

Step 8

Set the public inputs $x$ of the arithmetic circuit:

$ANCHOR = root$
$NF = n f_{a}$
$RK_{X} = r k^{'}_{x}$
$RK_{Y} = r k^{'}_{y}$
$NFT = 0$
$B_{d 1} = amoun t_{b}$
$B_{d 2} = not e_{a} .d2$
$B_{sc} = not e_{a} .sc$
$C_{d 1} = 0$
$CM_{B} = 0$
$CM_{C} = c m_{not e_{c}}$
$ACC_{B} = accoun t_{b}$
$ACC_{C} = 0$

Step 9

Generate $π_{C_{zeos}, ω, x}$ a proof of knowledge of satisfying arguments $(ω, x)$ so that $C_{zeos} (ω, x) = 1$

The pair $(π_{C_{zeos}, ω, x}, x)$ is the zk-SNARK which attests to knowledge of private inputs $ω$ without revealing them.

Step 10

Generate UTXO ciphertext $not e_{c}_{enc}$ of $not e_{c}$ for the receiver of the UTXO (see section 4.19.1 of the Zcash Protocol Specification)

Generate an additional UTXO ciphertext $not e_{b}_{enc}^{burn}$ of $amoun t_{b}$ which is burned and therefore has the BURN flag set. This ciphertext is created only for the sender's wallet transaction history to detect burned UTXOs when scanning the ZEOS smart contract's state.

Step 11

Execute the BURNFT action of the ZEOS smart contract. This action takes the following arguments:

$π_{C_{zeos}, ω, x}$ : The zero knowledge proof of satisfying arguments $(ω, x)$
$x$ : The public inputs of the zero knowledge proof $π_{C_{zeos}, ω, x}$
$not e_{c}_{enc}$ : The UTXO ciphertext which is transmitted to the receiver of $not e_{c}$
$not e_{b}_{enc}^{burn}$ : The UTXO ciphertext which indicates the 'burned' $amoun t_{b}$

The ZEOS smart contract then performs the following checks:

Is the zero knowledge proof $π_{C_{zeos}, ω, x}$ valid?
Is the NFT flag unset ( $x . NFT = 0$ )?

Step 12

If $true$ , the ZEOS smart contract performs the following operations:

Add $x . NF$ , the nullifier of $not e_{a}$ to the Nullifier Set
Add $x . C M_{C}$ , the note commitment of $not e_{c}$ , to the next free leaf of the Commitment Tree
Add the new root of the Commitment Tree to the Commitment Tree Root Set
Add ciphertext $not e_{c}_{enc}$ to the Transmitted UTXO Ciphertext List
Add ciphertext $not e_{b}_{enc}^{burn}$ to the Transmitted UTXO Ciphertext List
Transfer $amoun t_{b}$ of asset represented by $not e_{a}$ into the EOSIO/Antelope account $accoun t_{b}$ .

If $false$ , cancel execution.

BURNFT2

Burns a fungible UTXO. This effectively moves the entire amount of a fungible UTXO from a private ZEOS wallet into two different transparent EOSIO/Antelope accounts. For this operation the entire ZEOS Action Circuit $C_{zeos}$ is used since one existing UTXO is being spent and its amount publicly revealed by this action.

Privacy Implications

This action provides only limited privacy protection:

sender: untraceable - hidden in zk-SNARK
asset: traceable - quantity of the asset's smart contract's transfer actions
memo: traceable - memo of the asset's smart contract's transfer actions
receiver: traceable - the receiver's EOSIO/Antelope accounts

Flow

The following steps specify the flow of BURNFT2.

Step 0

The UTXO $not e_{a}$ represents an amount of a fungible EOSIO/Antelope asset from which a certain (partial) $amoun t_{b}$ is to be transmitted to the EOSIO/Antelope $accoun t_{b}$ and the remaining $amoun t_{c}$ is to be transmitted to the EOSIO/Antelope $accoun t_{c}$ . Therefore the following must apply: $not e_{a} .d1 = amoun t_{b} + amoun t_{c}$ .

Step 1

Calculate the diversified transmission keys of all ZEOS wallet addresses involved (see section 5.4.1.6 of the Zcash Protocol Specification):

$g_{d}_{not e_{a}} = DiversifyHas h^{Orchard} (not e_{a} .d)$

Step 2

Calculate the Commitment of the UTXO $not e_{a}$ :

$c m_{not e_{a}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{a}}, not e_{a} . p k_{d}, not e_{a} .d1, not e_{a} . ρ, not e_{a} . ψ, not e_{a} .d2, not e_{a} .sc, not e_{a} .nft)$

Step 3

Calculate the $root$ of the Commitment Tree based on the sister path of $c m_{not e_{a}}$ .

Step 4

Calculate the Nullifier $n f_{a}$ of $not e_{a}$ :

$n f_{a} = DeriveNullifie r_{nk} (not e_{a} . ρ, not e_{a} . ψ, c m_{not e_{a}})$

Step 5

Choose a random value $α^{'}$ and calculate the Spend Authority $r k^{'}$ for this action (see section 4.17.4 of the Zcash Protocol Specification):

$α^{'} =$ Choose a random value
$r k^{'} = SpendAuthSi g^{Orchard} .RandomizePublic (α^{'}, ak^{P})$

where $ak$ is the Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key.

Step 6

Set the private inputs $ω$ of the arithmetic circuit:

$path =$ sister path of $c m_{not e_{a}}$ in the Commitment Tree
$pos =$ leaf index of $c m_{not e_{a}}$ in the Commitment Tree
$g_{d}_{a} = g_{d}_{not e_{a}}$
$p k_{d}_{a} = not e_{a} . p k_{d}$
$d1_{a} = not e_{a} .d1$
$d2_{a} = not e_{a} .d2$
$ρ_{a} = not e_{a} . ρ$
$ψ_{a} = not e_{a} . ψ$
$rcm_{a} = not e_{a} .rcm$
$cm_{a} = c m_{not e_{a}}$
$α = α^{'}$
$ak =$ Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key
$nk =$ Nullifier Deriving Key of $not e_{a}$ which is part of the Full Viewing Key
$rivk =$ $Commit^{ivk}$ Randomness of $not e_{a}$ which is part of the Full Viewing Key
$g_{d}_{b} = 0$
$p k_{d}_{b} = 0$
$d1_{b} = amoun t_{b}$
$d2_{b} = not e_{a} .d2$
$sc_{b} = not e_{a} .sc$
$ρ_{b} = n f_{a}$
$ψ_{b} = 0$
$rcm_{b} = 0$
$acc_{b} = accoun t_{b}$
$g_{d}_{c} = 0$
$p k_{d}_{c} = 0$
$d1_{c} = amoun t_{c}$
$ψ_{c} = 0$
$rcm_{c} = 0$
$acc_{c} = accoun t_{c}$

Step 7

Set the public inputs $x$ of the arithmetic circuit:

$ANCHOR = root$
$NF = n f_{a}$
$RK_{X} = r k^{'}_{x}$
$RK_{Y} = r k^{'}_{y}$
$NFT = 0$
$B_{d 1} = amoun t_{b}$
$B_{d 2} = not e_{a} .d2$
$B_{sc} = not e_{a} .sc$
$C_{d 1} = amoun t_{c}$
$CM_{B} = 0$
$CM_{C} = 0$
$ACC_{B} = accoun t_{b}$
$ACC_{C} = accoun t_{c}$

Step 8

Generate $π_{C_{zeos}, ω, x}$ a proof of knowledge of satisfying arguments $(ω, x)$ so that $C_{zeos} (ω, x) = 1$

The pair $(π_{C_{zeos}, ω, x}, x)$ is the zk-SNARK which attests to knowledge of private inputs $ω$ without revealing them.

Step 9

Generate UTXO ciphertexts $not e_{b}_{enc}^{burn}$ of $amoun t_{b}$ and $not e_{c}_{enc}^{burn}$ of $amoun t_{c}$ which are burned and therefore have the BURN flag set. These ciphertexts are created only for the sender's wallet transaction history to detect burned UTXOs when scanning the ZEOS smart contract's state (see section 4.19.1 of the Zcash Protocol Specification).

Step 10

Execute the BURNFT2 action of the ZEOS smart contract. This action takes the following arguments:

$π_{C_{zeos}, ω, x}$ : The zero knowledge proof of satisfying arguments $(ω, x)$
$x$ : The public inputs of the zero knowledge proof $π_{C_{zeos}, ω, x}$
$not e_{b}_{enc}^{burn}$ : The UTXO ciphertext which indicates the 'burned' $amoun t_{b}$
$not e_{c}_{enc}^{burn}$ : The UTXO ciphertext which indicates the 'burned' $amoun t_{c}$

The ZEOS smart contract then performs the following checks:

Is the zero knowledge proof $π_{C_{zeos}, ω, x}$ valid?
Is the NFT flag unset ( $x . NFT = 0$ )?

Step 11

If $true$ , the ZEOS smart contract performs the following operations:

Add $x . NF$ , the nullifier of $not e_{a}$ to the Nullifier Set
Add ciphertext $not e_{b}_{enc}^{burn}$ to the Transmitted UTXO Ciphertext List
Add ciphertext $not e_{c}_{enc}^{burn}$ to the Transmitted UTXO Ciphertext List
Transfer $amoun t_{b}$ of asset represented by $not e_{a}$ into the EOSIO/Antelope account $accoun t_{b}$ .
Transfer $amoun t_{c}$ of asset represented by $not e_{a}$ into the EOSIO/Antelope account $accoun t_{c}$ .

If $false$ , cancel execution.

BURNNFT

Burns a non-fungible UTXO. This effectively moves a non-fungible asset from a private ZEOS wallet to a transparent EOSIO/Antelope account. For this operation only part A and B of the ZEOS Action Circuit $C_{zeos}$ is used since one existing UTXO is being spent and is publicly revealed by this action.

Privacy Implications

This action provides only limited privacy protection:

sender: untraceable - hidden in zk-SNARK
asset: traceable - asset id of the asset's smart contract's transfer¹ action
memo: traceable - memo of the asset's smart contract's transfer¹ action
receiver: traceable - the receiver's EOSIO/Antelope account

¹ refers to the transfer action of the AtomicAssets smart contract

Flow

The following steps specify the flow of BURNNFT.

Step 0

The UTXO $not e_{a}$ represents a non-fungible EOSIO/Antelope asset which is to be transmitted to the EOSIO/Antelope account $accoun t_{b}$ .

Step 1

Calculate the diversified transmission keys of all ZEOS wallet addresses involved (see section 5.4.1.6 of the Zcash Protocol Specification):

$g_{d}_{not e_{a}} = DiversifyHas h^{Orchard} (not e_{a} .d)$

Step 2

Calculate the Commitment of the UTXO $not e_{a}$ :

$c m_{not e_{a}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{a}}, not e_{a} . p k_{d}, not e_{a} .d1, not e_{a} . ρ, not e_{a} . ψ, not e_{a} .d2, not e_{a} .sc, not e_{a} .nft)$

Step 3

Calculate the $root$ of the Commitment Tree based on the sister path of $c m_{not e_{a}}$ .

Step 4

Calculate the Nullifier $n f_{a}$ of $not e_{a}$ :

$n f_{a} = DeriveNullifie r_{nk} (not e_{a} . ρ, not e_{a} . ψ, c m_{not e_{a}})$

Step 5

Choose a random value $α^{'}$ and calculate the Spend Authority $r k^{'}$ for this action (see section 4.17.4 of the Zcash Protocol Specification):

$α^{'} =$ Choose a random value
$r k^{'} = SpendAuthSi g^{Orchard} .RandomizePublic (α^{'}, ak^{P})$

where $ak$ is the Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key.

Step 6

Set the private inputs $ω$ of the arithmetic circuit:

$path =$ sister path of $c m_{not e_{a}}$ in the Commitment Tree
$pos =$ leaf index of $c m_{not e_{a}}$ in the Commitment Tree
$g_{d}_{a} = g_{d}_{not e_{a}}$
$p k_{d}_{a} = not e_{a} . p k_{d}$
$d1_{a} = not e_{a} .d1$
$d2_{a} = not e_{a} .d2$
$ρ_{a} = not e_{a} . ρ$
$ψ_{a} = not e_{a} . ψ$
$rcm_{a} = not e_{a} .rcm$
$cm_{a} = c m_{not e_{a}}$
$α = α^{'}$
$ak =$ Spend Validating Key of $not e_{a}$ which is part of the Full Viewing Key
$nk =$ Nullifier Deriving Key of $not e_{a}$ which is part of the Full Viewing Key
$rivk =$ $Commit^{ivk}$ Randomness of $not e_{a}$ which is part of the Full Viewing Key
$g_{d}_{b} = 0$
$p k_{d}_{b} = 0$
$d1_{b} = not e_{a} .d1$
$d2_{b} = not e_{a} .d2$
$sc_{b} = not e_{a} .sc$
$ρ_{b} = n f_{a}$
$ψ_{b} = 0$
$rcm_{b} = 0$
$acc_{b} = accoun t_{b}$
$g_{d}_{c} = 0$
$p k_{d}_{c} = 0$
$d1_{c} = 0$
$ψ_{c} = 0$
$rcm_{c} = 0$
$acc_{c} = 0$

Step 7

Set the public inputs $x$ of the arithmetic circuit:

$ANCHOR = root$
$NF = n f_{a}$
$RK_{X} = r k^{'}_{x}$
$RK_{Y} = r k^{'}_{y}$
$NFT = 1$
$B_{d 1} = not e_{a} .d1$
$B_{d 2} = not e_{a} .d2$
$B_{sc} = not e_{a} .sc$
$C_{d 1} = 0$
$CM_{B} = 0$
$CM_{C} = 0$
$ACC_{B} = accoun t_{b}$
$ACC_{C} = 0$

Step 8

Generate $π_{C_{zeos}, ω, x}$ a proof of knowledge of satisfying arguments $(ω, x)$ so that $C_{zeos} (ω, x) = 1$

The pair $(π_{C_{zeos}, ω, x}, x)$ is the zk-SNARK which attests to knowledge of private inputs $ω$ without revealing them.

Step 9

Generate UTXO ciphertext $not e_{b}_{enc}^{burn}$ of $not e_{a}$ which is burned and therefore has the BURN flag set. This ciphertext is created only for the sender's wallet transaction history to detect burned UTXOs when scanning the ZEOS smart contract's state (see section 4.19.1 of the Zcash Protocol Specification).

Step 10

Execute the BURNNFT action of the ZEOS smart contract. This action takes the following arguments:

$π_{C_{zeos}, ω, x}$ : The zero knowledge proof of satisfying arguments $(ω, x)$
$x$ : The public inputs of the zero knowledge proof $π_{C_{zeos}, ω, x}$
$not e_{b}_{enc}^{burn}$ : The UTXO ciphertext which indicates the 'burned' $not e_{a}$

The ZEOS smart contract then performs the following checks:

Is the zero knowledge proof $π_{C_{zeos}, ω, x}$ valid?
Is the NFT flag set ( $x . NFT = 1$ )?

Step 11

If $true$ , the ZEOS smart contract performs the following operations:

Add $x . NF$ , the nullifier of $not e_{a}$ to the Nullifier Set
Add ciphertext $not e_{b}_{enc}^{burn}$ to the Transmitted UTXO Ciphertext List
Transfer the non-fungible asset represented by $not e_{a}$ into the EOSIO/Antelope account $accoun t_{b}$ .

If $false$ , cancel execution.

BURNAT

Burns an authenticator token. The zero knowledge proof required for this action is identical to the one of the MINTNFT action. The only difference is that it does not create a new leaf in the merkle tree. Instead it just proves knowledge of the spend authority of the address and of the secret randomness the authenticator token was minted with. This gives access to privately withdraw assets from a third party smart contract where they have been deposited using the authenticator token's note commitment value as an identifier.

Privacy Implications

No assets are being moved by this action.

Flow

The following steps specify the flow of BURNAT.

Step 0

The UTXO $not e_{b}$ is an authenticator token representing a permission.

Step 1

Calculate the diversified transmission key of the ZEOS wallet address owning the permission (see section 5.4.1.6 of the Zcash Protocol Specification):

$g_{d}_{not e_{b}} = DiversifyHas h^{Orchard} (not e_{b} .d)$

Step 2

Calculate the $NoteCommit$ of $not e_{b}$ (see UTXO Commitment):

$c m_{not e_{b}} = NoteCommit_{rcm}^{Orchard} (g_{d}_{not e_{b}}, not e_{b} . p k_{d}, not e_{b} .d1, not e_{b} . ρ, not e_{b} . ψ, not e_{b} .d2, not e_{b} .sc, not e_{b} .nft)$

Step 3

Set the private inputs $ω$ of the arithmetic circuit:

$path = 0$
$pos = 0$
$g_{d}_{a} = 0$
$p k_{d}_{a} = 0$
$d1_{a} = 0$
$d2_{a} = 0$
$ρ_{a} = 0$
$ψ_{a} = 0$
$rcm_{a} = 0$
$cm_{a} = 0$
$α = 0$
$ak = 0$
$nk = 0$
$rivk = 0$
$g_{d}_{b} = g_{d}_{not e_{b}}$
$p k_{d}_{b} = not e_{b} . p k_{d}$
$d1_{b} = not e_{b} .d1$
$d2_{b} = not e_{b} .d2$
$sc_{b} = not e_{b} .sc$
$ρ_{b} = not e_{b} . ρ$
$ψ_{b} = not e_{b} . ψ$
$rcm_{b} = not e_{b} .rcm$
$acc_{b} = 0$
$g_{d}_{c} = 0$
$p k_{d}_{c} = 0$
$d1_{c} = 0$
$ψ_{c} = 0$
$rcm_{c} = 0$
$acc_{c} = 0$

Step 4

Set the public inputs $x$ of the arithmetic circuit:

$ANCHOR = 0$
$NF = 0$
$RK_{X} = 0$
$RK_{Y} = 0$
$NFT = 1$
$B_{d 1} = not e_{b} .d1$
$B_{d 2} = not e_{b} .d2$
$B_{sc} = not e_{b} .sc$
$C_{d 1} = 0$
$CM_{B} = c m_{not e_{b}}$
$CM_{C} = 0$
$ACC_{B} = 0$
$ACC_{C} = 0$

Step 5

Generate $π_{C_{zeos}, ω, x}$ a proof of knowledge of satisfying arguments $(ω, x)$ so that $C_{zeos} (ω, x) = 1$

The pair $(π_{C_{zeos}, ω, x}, x)$ is the zk-SNARK which attests to knowledge of private inputs $ω$ without revealing them.

Step 6

Generate UTXO ciphertext $not e_{b}_{enc}^{burn}$ of $not e_{b}$ which is burned and therefore has the BURN flag set. This ciphertext is created only for the sender's wallet transaction history to detect burned UTXOs when scanning the ZEOS smart contract's state (see section 4.19.1 of the Zcash Protocol Specification).

Step 7

Execute the BURNAT action of the ZEOS smart contract. This action takes the following arguments:

$π_{C_{zeos}, ω, x}$ : The zero knowledge proof of satisfying arguments $(ω, x)$
$x$ : The public inputs of the zero knowledge proof $π_{C_{zeos}, ω, x}$
$not e_{b}_{enc}^{burn}$ : The UTXO ciphertext which indicates the 'burned' permission $not e_{b}$

The ZEOS smart contract then performs the following checks:

Is the zero knowledge proof $π_{C_{zeos}, ω, x}$ valid?
Is the NFT flag set ( $x . NFT = 1$ )?

Step 8

If $true$ , the ZEOS smart contract performs the following operations:

Add ciphertext $not e_{b}_{enc}^{burn}$ to the Transmitted UTXO Ciphertext List

If $false$ , cancel execution.

Private Deposits and Withdrawals

Based on the ZActions defined in the previous section it is now possible to specify a concept for private interactions with EOSIO/Antelope smart contracts using the ZEOS wallet instead of EOSIO/Antelope accounts. The following sections specify the processes of private token deposits and withdrawals involving a third party smart contract. Check out pages 22 to 26 of the ZEOS Whitepaper for a first introduction of the concept.

Private Deposit of fungible tokens

The way token deposits work on EOSIO/Antelope blockchains is by using notification handler. This is a callback function which is executed by the receiving smart contract on incoming token transfers. Within the handler function, it can then be determined from which EOS account the transaction was sent and thus the token amount can be assigned to the corresponding user.

In order to do such a deposit privately using a ZEOS wallet the BURNFT (or BURNNFT for NFTs) action is being utilized. Executing this action effectively moves an asset from a private ZEOS wallet (i.e. from custody of the ZEOS smart contract) into an EOSIO/Antelope account specified by the user. If the receiving account has a smart contract with a notification handler deployed it will be able to handle the deposit in almost the same way traditional deposits work.

Flow

The following steps describe the flow of actions for a private deposit into a third party smart contract on EOSIO/Antelope.

Step 0

The (non-)fungible asset to be deposited to the third party smart contract is being held in a private ZEOS wallet.

Step 1

The MINTAT action is executed to create a new authenticator token. The UTXO created by this action, $not e_{auth}$ , has the $NoteCommit$ value $c m_{auth}$ . As specified in MINTAT the attribute $not e_{auth} . sc$ is set to the EOSIO/Antelope account (code) of the third party smart contract.

Step 2

Encode the 32 bytes long $NoteCommit$ value of the authenticator token $c m_{auth}$ as a string. Using a memory efficient encoding like base85 this will result in an ASCII string of exactly 40 bytes.

$st r_{c m_{auth}} := base85.encode (c m_{auth})$

Step 3

The BURNFT (or BURNNFT) action is executed to move the (non-)fungible asset to be deposited from the private ZEOS wallet into the account of the third party smart contract. The 40 bytes long string-encoded $NoteCommit$ value of the previously minted authenticator token $st r_{c m_{auth}}$ is being used as a memo for the EOSIO/Antelope transfer action resulting from the BURNFT (BURNNFT) action.

Step 4

The notification handler of the receiving third party smart contract now needs to distinguish between incoming transfers from either the ZEOS smart contract or other EOSIO/Antelope accounts:

If the sending EOSIO/Antelope account is the ZEOS smart contract:

Read the memo field and decode the first 40 bytes which contains $st r_{c m_{auth}}$ to retrieve the $NoteCommit$ value of the user's authenticator token: $c m_{auth} := base85.decode (st r_{c m_{auth}})$
Use the lower 64 bits of $c m_{auth}$ as primary key to book the (non-)fungible asset to be deposited in a seperate multi-index table for private deposits (i.e. not the same table used for traditional token deposits via EOSIO/Antelope accounts)

Else:

Book the deposited (non-)fungible asset using the EOSIO/Antelope account name in the conventional manner (traditional EOSIO/Antelope token deposit)

Note that for security reasons it is important to use two different multi-index tables: One for traditional token deposits (i.e. transparent EOSIO/Antelope deposits) and one for private token deposits. That is to prevent attackers from creating an EOSIO/Antelope account with the exact lower 64 Bits of an authenticator token's $NoteCommit$ value and thus being able to illegitimately withdraw privately deposited assets.

Private Withdrawal of fungible tokens

In order to privately withdraw assets from a third party smart contract back into a private ZEOS wallet a private withdrawal action needs to be implemented by the third party smart contract. This action takes the following parameters:

The public inputs $x_{auth}$ of a BURNAT action (containing the $NoteCommit$ value of the corresponding authenticator token $c m_{auth}$ )
A zero knowledge proof $π_{C_{zeos}, ω_{auth}, x_{auth}}$ of satisfying arguments to execute BURNAT
The public inputs $x_{mint}$ of a MINTFT or MINTNFT action (containing the necessary information (amount/id, symbol, code) of the corresponding asset to be withdrawn)
A zero knowledge proof $π_{C_{zeos}, ω_{mint}, x_{mint}}$ of satisfying arguments to execute MINTFT or MINTNFT action

Flow

The following steps describe the flow of actions for a private withdrawal from a third party smart contract on EOSIO/Antelope.

Step 0

The (non-)fungible asset to be withdrawn from the third party smart contract is being held in a multi-index table booked under the lower 64 bits of a $NoteCommit$ value $c m_{auth}$ as primary key.

Step 1

The private withdrawal action of the third party smart contract is executed with the above listed parameters generated by the user.

Step 2

Within the private withdrawal action the third party contract performs the following steps:

Check if $x_{auth} .B_{sc}$ matches the EOSIO/Antelope account name of the third party smart contract (i.e. was the authenticator token created for this contract?)
Extract the lower 64 bits of the $NoteCommit$ value of the authenticator token $c m_{auth}$ from the public inputs $x_{auth} . CM_{B}$ and use it as primary key to find the corresponding asset inside the multi-index table of privately deposited assets
If key doesn't exist, cancel execution
If key does exist, check if:
- $x_{mint} .B_{d 1}$ matches the deposited asset's amount (or id in case of NFT)
- $x_{mint} .B_{d 2}$ matches the deposited asset's symbol (or 0 in case of NFT)
- $x_{mint} .B_{sc}$ matches the deposited asset's smart contract code
Execute the BURNAT action of the ZEOS smart contract as an inline action with $(π_{C_{zeos}, ω_{auth}, x_{auth}}, x_{auth})$ to authorize the withdrawal (if it fails, execution cancels)
Transfer the (non-)fungible asset to be withdrawn to the ZEOS smart contract (where it is stored in the asset buffer)
Execute the MINTFT (or MINTNFT) action of the ZEOS smart contract as an inline action with $(π_{C_{zeos}, ω_{mint}, x_{mint}}, x_{mint})$ to create the corresponding UTXO in the private ZEOS wallet of the user

Proof Bundling in EOSIO/Antelope Transactions

The Halo 2 proving system comes with a powerful feature called Recursive Proof Composition. It allows for multiple zero knowledge proofs of the same arithmetic circuit to be bundled together into a single proof bundle. This feature of Halo 2 can be exploited to scale private transactions on EOSIO/Antelope blockchains.

Groth16 versus Halo2

Some notes on performance: The currently widely adopted Groth16 proving system is heavily optimized in regards to verification time and proof size which is both small and even constant for any zk-SNARK independent of the complexity of the underlying arithmetic circuit. This means that Groth16 proof verification time scales linearly with the number of proofs to be verified.

With Halo2's recursive proof composition, however, the verification time of multiple zk-SNARKs bundled together scales logarithmically with the number of proofs. While a single proof verification in Halo2 is more expensive than in Groth16, the overall performance of Halo2 can significantly increase and even beat Groth16 in case of multiple proofs being bundled and verified together. This is even true for a single-threaded Halo2 verifier but in contrast to Groth16 the proof verification in Halo2 can even be performed multi-threaded.

For a more detailed explanation of the benefits of Halo2 checkout the Technical Explainer. For use cases of complex privacy transactions on EOSIO/Antelope containing multiple zk-SNARKs refer to the ZEOS Whitepaper pages 34 to 37.

Concept for EOSIO/Antelope Transactions

In order to exploit the recursive proof composition feature of Halo2 for EOSIO/Antelope transactions the following concept is introduced.

The Problem

The ZEOS privacy actions (aka ZActions) all depend on a tuple of zero knowledge proof and corresponding public inputs $(π_{C_{zeos}, ω, x}, x)$ in order to be executed. Each zaction is then executed as a seperate EOSIO/Antelope action in which the corresponding proof is verified independently from all other ZActions of the same EOSIO/Antelope transaction. In order to take advantage of the recursive proof composition feature of Halo2, the proofs of all ZActions of the same EOSIO/Antelope transaction are bundled into a single proof bundle $Π$ which then depends on the set of public inputs $X$ of all ZActions in that particular transaction.

$Π_{C_{zeos}, Ω, X} = i = 1 \sum n π_{C_{zeos}, ω_{i}, x_{i}}$

where:

$\sum$ is the composition function to bundle multiple zero knowledge proofs
$n$ is the number of ZActions to be executed
$Ω$ is the set of private inputs $(ω_{1}, ω_{2}, ..., ω_{n})$
$X$ is the set of public inputs $(x_{1}, x_{2}, ..., x_{n})$

But if the proofs of all ZActions of an EOSIO/Antelope transaction were to be composed into a single proof bundle, there is also only one single EOSIO/Antelope action to verify this proof bundle and thus validates all subsequent ZActions. But if that is the case, then all subsequent ZActions need to be able to reference their public inputs from this one EOSIO/Antelope action that verifies the bundle.

After all, it can't be trusted that the user executes the subsequent ZActions with the same public inputs that were used to verify the proof bundle.

Since EOSIO/Antelope actions are executed independently from each other, there is no (direct) way, to enforce the execution of two independent EOSIO/Antelope actions with the same input parameters. To prevent fraudulent actions (like verifying the proof bundle using one set of public inputs $X$ but then execute the subsequent ZActions using a different set of public inputs $Y$ ) it needs to be guaranteed by the ZEOS smart contract that the proof bundle is verified with the very same public inputs that are used to execute the subsequent ZActions.

The following graphics illustrate the problem. The first picture shows a transaction execution without proof composition where each zaction verifies its own zero knowledge proof $π_{i}$ using the corresponding public inputs $x_{i}$ .

The second picture shows the same transaction using proof composition where the first action verifies the zero knowledge proof bundle $Π$ using the valid set of public inputs $X$ but the subsequent ZActions are executed using a different, fraudulent set of public inputs $Y$ . This way an attacker is able to defraud the system by executing invalid ZActions.

The Solution

It needs to be guaranteed that subsequent ZActions which are validated by the proof bundle are executed with the exact same public inputs as the proof bundle was verified with. In order to achieve this, the following concept is introduced.

The exec action

The ZEOS smart contract features an 'exec' action which takes a sequence of ZActions (i.e. a ztransaction) as parameter and executes them one by one. This EOSIO/Antelope action is only executable by the ZEOS smart contract itself, to ensure it is only executed if the proof bundle that validates the sequence of zactions is verified within the same transaction.

Third party smart contracts

As described in Private Deposits & Withdrawals all third party smart contracts which choose to implement private withdrawals depend on executing ZActions as EOSIO/Antelope inline actions. To be able to support those third party private withdrawal actions they need to follow certain design guidelines which make them look very similar to the exec action of the ZEOS smart contract:

They take a sequence of ZActions as their first action parameter
They are only executable by the ZEOS smart contract
They need to be whitelisted by the ZEOS smart contract

The begin and step actions

Two more actions are introduced as part of the ZEOS smart contract:

begin: This action takes a Halo 2 proof bundle and a sequence of packed EOSIO/Antelope actions. The packed actions within the sequence need to be whitelisted by the ZEOS smart contract, may contain a sequence of ZActions as their first action parameter and are ready to be executed, after the proof bundle has been verified. In addition to that the begin action takes a sequence of encrypted UTXO ciphertexts, $note s_{enc}$ , which is neglected here.
step: Each 'step' action is a placeholder which executes exactly one of the packed EOSIO/Antelope actions from the sequence of actions passed to 'begin'. It is a wrapper that executes an EOSIO/Antelope action and, if applicable, the 'exec' action right afterwards with the sequence of ZActions which is serialized as the first parameter of the preceding EOSIO/Antelope action. The number of 'step' actions in the EOSIO/Antelop transaction must equal the number of EOSIO/Antelope actions in the sequence passed to 'begin'.

The following example is given to illustrate the concept:

begin

This action initiates a sequence of step actions.

Parameters

$Π_{C_{zeos}, Ω, X}$ : A proof bundle validating all zactions within this EOSIO/Antelope transaction
$tx$ : A sequence of EOSIO/Antelope actions to be executed within this EOSIO/Antelope transaction
$note s_{enc}$ : A sequence of encrypted UTXO ciphertexts to be added to the Transmitted UTXO Ciphertext List as part of the In-band secret distribution of UTXOs

Flow

The following steps specify the flow of 'begin'.

Step 0

The 'begin' action is called as part of an EOSIO/Antelope transaction.

Step 1

The currently executing EOSIO/Antelope transaction is scanned by looping through all actions contained in this transaction. The following checks are performed:

There is only one 'begin' action within the entire EOSIO/Antelope transaction
The number of 'step' actions within the transaction equals the number of actions contained in the sequence $tx$ passed as parameter
The sequence of 'step' actions is continuous and succeed the 'begin' action

Step 2

Loop through all actions within the sequence $tx$ and perform the following steps:

Is this action whitelisted by the ZEOS smart contract? If $false$ : cancel execution
Does this action depend on a sequence of zactions? If $true$ :
- Loop through all zactions of this action and collect public inputs $x$ by adding them to the set of public inputs $X$

Step 3

Verify the Halo2 proof bundle $Π_{C_{zeos}, Ω, X}$ with the set of public inputs $X$ collected in the previous step. If proof verification fails, cancel execution.

Step 4

Check if the number of encrypted UTXO ciphertexts in $note s_{enc}$ matches the number of expected UTXO ciphertexts based on the zactions in this transaction. If so, add the sequence $note s_{enc}$ to the global set of Transmitted UTXO Ciphertext List.

Step 5

Add all UTXO commitments $CM_{B}$ and $CM_{C}$ contained in the set of public inputs $X$ which are not related to authenticator tokens to the Commitment Tree. Add the new root of the tree to the Commitment Tree Root Set.

Step 6

Copy the sequence of EOSIO/Antelope actions $tx$ into the ZEOS smart contract's transaction buffer. This is a singleton which buffers the sequence of actions, \mathsf{tx}, for actual execution in the upcoming 'step' actions.

step

This action is just a placeholder for one of the EOSIO/Antelope actions in the sequence of actions passed as a parameter to the preceeding begin action. It is part of a sequence of 'step' actions succeeding the execution of a begin action. It is used to execute exactly one of the actions in the transaction buffer of the ZEOS smart contract.

Parameters

None.

Flow

The following steps specify the flow of 'step'.

Step 0

The 'step' action is called as part of an EOSIO/Antelope transaction.

Step 1

Check if the transaction buffer of the ZEOS smart contract is initialized. If not, 'begin' hasn't been executed and execution must cancel.

Step 2

Pop the next EOSIO/Antelope action to be executed from the transaction buffer and execute it as an inline action.

Step 3

If the EOSIO/Antelope action which was just executed in the previous step is not the exec action of the ZEOS smart contract itself, check if it depends on a sequence $ztx$ of zactions. If so, execute exec with the sequence of zactions $ztx$ of the actual EOSIO/Antelope action (executed in step 2) as an inline action.

The third party smart contract action from step 2 can thus be assured that the sequence of zactions (which was just processed by the third party contract in step 2) is actually executed right after the action itself.

Step 4

If this was the last action in the transaction buffer, reset the buffer.

exec

This action executes a sequence of ZActions.

Parameters

$ztx$ : A sequence of zaction tuples

Flow

The following steps specify the flow of 'exec'.

Step 0

The 'exec' action is always executed as an inline action of a step action which always follows the execution of a begin, where the proof bundle is verified which validates all subsequent zactions.

Step 1

Let $za$ loop through the sequence of zactions $ztx$ and check $za.type$ :

if MINTFT execute step 9 and step 10 of the corresponding action flow:
- The zero knowledge proof is already verified by the begin action
- Do the public inputs of this zaction represent the correct asset $b$ which is held in the asset buffer? I.e. are the following statements true:
  - $b.amount = za . x . B_{d 1}$
  - $b.symbol = za . x . B_{d 2}$
  - $b.code = za . x . B_{sc}$
- Check if the NFT flag is unset ( $x . NFT = 0$ )?
- The UTXO commitment is already added to the Commitment Tree by the begin action
- The new root of the Commitment Tree is already added to the Commitment Tree Root Set by the begin action
- The UTXO ciphertext is already added to the Transmitted UTXO Ciphertext List by the begin action
if MINTNFT execute step 9 and step 10 of the corresponding action flow:
- The zero knowledge proof is already verified by the begin action
- Do the public inputs of this zaction represent the correct asset $b$ which is held in the asset buffer? I.e. are the following statements true:
  - $b.id = za . x . B_{d 1}$
  - $0 = za . x . B_{d 2}$
  - $b.code = za . x . B_{sc}$
- Check if the NFT flag is set ( $x . NFT = 1$ )?
- The UTXO commitment is already added to the Commitment Tree by the begin action
- The new root of the Commitment Tree is already added to the Commitment Tree Root Set by the begin action
- The UTXO ciphertext is already added to the Transmitted UTXO Ciphertext List by the begin action
if MINTAT execute step 4 of the corresponding action flow:
- The UTXO ciphertext is already added to the Transmitted UTXO Ciphertext List by the begin action
if TRANSFERFT execute step 11 and step 12 of the corresponding action flow:
- The zero knowledge proof is already verified by the begin action
- Check if the NFT flag is unset ( $x . NFT = 0$ )?
- Add $za . x . NF$ to the Nullifier Set
- The UTXO commitments are already added to the Commitment Tree by the begin action
- The new root of the Commitment Tree is already added to the Commitment Tree Root Set by the begin action
- The UTXO ciphertexts are already added to the Transmitted UTXO Ciphertext List by the begin action
if TRANSFERNFT execute step 11 and step 12 of the corresponding action flow:
- The zero knowledge proof is already verified by the begin action
- Check if the NFT flag is set ( $x . NFT = 1$ )?
- Add $za . x . NF$ to the Nullifier Set
- The UTXO commitment is already added to the Commitment Tree by the begin action
- The new root of the Commitment Tree is already added to the Commitment Tree Root Set by the begin action
- The UTXO ciphertext is already added to the Transmitted UTXO Ciphertext List by the begin action
if BURNFT execute step 11 and step 12 of the corresponding action flow:
- The zero knowledge proof is already verified by the begin action
- Check if the NFT flag is unset ( $x . NFT = 0$ )?
- Add $za . x . NF$ to the Nullifier Set
- The UTXO commitment is already added to the Commitment Tree by the begin action
- The new root of the Commitment Tree is already added to the Commitment Tree Root Set by the begin action
- The UTXO ciphertext is already added to the Transmitted UTXO Ciphertext List by the begin action
- Continue to loop $ztx$ with $za$ and perform above steps to sum up all the amounts $za . x . B_{d 1}$ while:
  - $za.type$ equals BURNFT
  - $za . x . B_{d 2}$ remains the same (i.e. same token symbol)
  - $za . x . B_{sc}$ remains the same (i.e. same token contract)
- Transfer the sum of all amounts as one EOSIO/Antelope 'transfer' action of smart contract $za . x . B_{sc}$ using $za . memo$ as the memo into the EOSIO/Antelope account $za . x . ACC_{B}$ . The loop ensures that burning multiple UTXOs of the same currency is combined into one EOSIO/Antelope transfer action.
if BURNFT2 execute step 10 and step 11 of the corresponding action flow:
- TODO: Not yet finalized.
if BURNNFT execute step 10 and step 11 of the corresponding action flow:
- The zero knowledge proof is already verified by the begin action
- Check if the NFT flag is set ( $x . NFT = 1$ )?
- Add $za . x . NF$ to the Nullifier Set
- The UTXO ciphertext is already added to the Transmitted UTXO Ciphertext List by the begin action
- Transfer the non-fungible asset ( $za . x . B_{d 1}$ , $za . x . B_{d 2}$ , $za . x . B_{sc}$ ) into the EOSIO/Antelope account $za . x . ACC_{B}$ .
if BURNAT execute step 7 and step 8 of the corresponding action flow:
- The zero knowledge proof is already verified by the begin action
- Check if the NFT flag is set ( $x . NFT = 1$ )?
- The UTXO ciphertext is already added to the Transmitted UTXO Ciphertext List by the begin action

ZEOS Application

The ZEOS Application implements the ZEOS Orchard Shielded Protocol on the EOS public blockchain. At it's core there is the ZEOS smart contract maintaining all Global Datasets and a library for browser-based user interfaces which allows for easy creation of private transactions according to the ZEOS Orchard Shielded Protocol.

Technology

In order to be able to implement the protocol on the EOS public blockchain services of LiquidApps are being utilized as it turned out that the zk-SNARK verification is too computationally expensive to be executed directly on chain (at this point in time). To work around this current limitation the vcpu service of LiquidApps is utilized to execute zero knowledge proof verification off chain simultaneously on a network of DSPs. The same applies to the merkle path calculations of the Commitment Tree which are too expensive to be executed on chain as well because of the Sinsemilla hash function. For the Commitment Tree itself the vram service is utilized to save RAM costs. Since the merkle tree is kind of a 'write-only' data structure of which only the roots are required to verify its state on chain the using vram to store all merkle nodes is a perfect fit for this data structure. The same applies to the Transmitted UTXO Ciphertext List which is used for the In-band secret distribution of UTXOs. For the verifying key as well as all zero knowledge proofs the LiquidStorage service is utilized. It is possible to use cheap off chain storage for both, verifying key and proofs, since the proof verification is performed off chain using vcpu.

ZEOS Orchard Library

The ZEOS Orchard Library is a fork of the Zcash Orchard Library. It is a Rust implementation encapsulating the entire application logic required in order to create private transactions according to the ZEOS Orchard Shielded Protocol. At its core is the implementation of the ZEOS Action Circuit from which proving and verifying keys are derived. The proving key is required by client applications to create zero knowledge proofs for private transactions while the verifying key is required by the ZEOS smart contract in order to verify zero knowledge proofs of private transactions. In addition to all the logic related to zk-SNARKs it provides functions to scan the global UTXO state of the ZEOS smart contract and synchronize client applications local state. In contrast to the original Zcash library the ZEOS Orchard library is build to be used in Javascript browser applications compiled to WebAssembly.

Github Repository: ZEOS Orchard

ZEOS smart contract

id: eosio::name
vk: std::string

id: uint64_t
block_number: uint64_t
leaf_index: uint64_t
encrypted_note: TransmittedNoteCiphertext

The ZEOS Book