ZEOS Action Circuit

As in Zcash Orchard there is only one circuit which is used to generate proofs for all privacy actions. The ZEOS Orchard circuit, $C_{zeos}$ , is very similar to the Zcash Orchard circuit. It can be divided into three parts: A, B and C. Each circuit part represents a UTXO and the action circuit describes their relationship to each other. There are two main configurations for this circuit.

It is either:

$A = B + C$

$A = C = 0$

The first configuration is used for all transfer and burn actions. UTXO $A$ represents the note which is being spent by the action. UTXO $B$ represents the receiving part of the action whereas UTXO $C$ represents the 'change' which goes usually back into the wallet of the sender (spender of UTXO $A$ ). Hence the relation $A = B + C$ between the UTXOs.

In case of NFT transfers (or burns) UTXO $C$ is always zero which enforces $A = B$ . This statement must be true for NFT transfers since NFTs are not divisable.

The second configuration is used for minting notes only. The configuration $A = B = 0$ effectively disables the circuit parts $A$ and $C$ leaving only part $B$ enabled.

Private Inputs ( $ω$ )

The following list contains all private inputs to the top level ZEOS action circuit.

Note $A$ (action input):

$path$ : Authentication path of note commitment A. The sister path of note commitment A which is required in order to calculate it's merkle plath.
$pos$ : Position of note commitment A inside the merkle tree. Specifically this is the leaf index of note commitment A.
$g_{d}_{a}$ : Address diversify hash of note A. Deterministically derived from a diversifier index (see p. 37 Zcash Protocol Specification).
$p k_{d}_{a}$ : Address public key of note A. Derived from Incoming Viewing Key and diversify hash (see p. 14 and 37 Zcash Protocol Specification).
$d1_{a}$ : Either the value of note A (fungible token) or the (lower 64 bits of the) unique identifier of note A (non-fungible token).
$d2_{a}$ : Either the symbol code of note A (fungible token) or the (upper 64 bits of the) unique identifier of note A (non-fungible token).
$ρ_{a}$ : Randomness to derive nullifier of note A (equals nullifier of note that was spent in order to create note A) (see p. 14 Zcash Protocol Specification)
$ψ_{a}$ : Additional randomness to derive nullifier of note A (see p. 14 Zcash Protocol Specification)
$rcm_{a}$ : Random commitment trapdoor of note commitment A (see p. 14 and 28 Zcash Protocol Specification)
$cm_{a}$ : Note commit of note A (see p. 28 Zcash Protocol Specification).
$α$ : Randomness to derive a spend authorization signature for note A (see p. 55 Zcash Protocol Specification).
$ak$ : Spend Validating Key which is part of the Full Viewing Key components (see p. 36 and 116 Zcash Protocol Specification).
$nk$ : Nullifier Deriving Key which is part of the Full Viewing Key components (see p. 36 and 116 Zcash Protocol Specification).
$rivk$ : Randomness which is part of the Full Viewing Key components to derive corresponding Incoming Viewing Key of the address diversify hash of note A (see p. 36, 37 and 116 Zcash Protocol Specification).

Note $B$ (action output):

$g_{d}_{b}$ : Address diversify hash of note B.
$p k_{d}_{b}$ : Address public key of note B.
$d1_{b}$ : Either the value of note B (fungible token) or the (lower 64 bits of the) unique identifier of note B (non-fungible token).
$d2_{b}$ : Either the symbol code of note B (fungible token) or the (upper 64 bits of the) unique identifier of note B (non-fungible token).
$sc_{b}$ : The code of the smart contract issuing notes A, B and C.
$ρ_{b}$ : Randomness to derive nullifier of note B (equals nullifier of note A).
$ψ_{b}$ : Additional randomness to derive nullifier of note B.
$rcm_{b}$ : Random commitment trapdoor of note commitment B.
$acc_{b}$ : Code of EOS account in which this note is 'burned'.

Note $C$ (action output):

$g_{d}_{c}$ : Address diversify hash of note C.
$p k_{d}_{c}$ : Address public key of note C.
$d1_{c}$ : Value of note C (fungible token only).
$ψ_{c}$ : Additional randomness to derive nullifier of note C.
$rcm_{c}$ : Random commitment trapdoor of note commitment C.
$acc_{c}$ : Code of EOS account in which this note is 'burned'.

Public Inputs ( $x$ )

The following list contains all public inputs to the top level ZEOS action circuit.

$ANCHOR$ : Merkle tree root of authentication path of note A (see p. 17 to 19 Zcash Protocol Specification).
$NF$ : Nullifier of note A (see p. 56 Zcash Protocol Specification).
$RK_{X}$ : Spend Authority (x component) of ( $α$ , $ak$ ) (see p. 61 Zcash Protocol Specification).
$RK_{Y}$ : Spend Authority (y component).
$NFT$ : Indicates if notes in circuit represent NFTs or fungible tokens.
$B_{d 1}$ : Exposes value (fungible token) or unique id (non-fungible token) of note B in case of MINT or BURN.
$B_{d 2}$ : Exposes symbol (fungible token) or unique id (non-fungible token) of note B in case of MINT or BURN.
$B_{sc}$ : Exposes smart contract code of note B in case of MINT or BURN.
$C_{d 1}$ : Exposes value of note C in case of BURNFT2 (fungible tokens only).
$CM_{B}$ : Note commitment of note B.
$CM_{C}$ : Note commitment of note C.
$ACC_{B}$ : Code of EOS account into which note B is 'burned'.
$ACC_{C}$ : Code of EOS account into which note C is 'burned'.

Circuit Internal Signals

The following signals are circuit-internal only.

$root$ : Derived root of merkle path of note A.
$cm_{a}^{'}$ : Derived commitment of note A.
$p k_{d}_{a}^{'}$ : Derived address public key of note A.
$rk_{x}$ : Derived spend authority (x component) of note A.
$rk_{y}$ : Derived spend authority (y component) of note A.
$nf_{a}$ : Derived nullifier of note A.
$cm_{b}$ : Derived commitment of note B.
$cm_{c}$ : Derived commitment of note C.

Constraints

Constraining an arithmetic circuit in Halo 2 is very similar to integrated circuit design in computer engineering. All Constraints are expressed as mathematical equations evaluating to zero. The logical AND becomes a multiplication and the logical OR becomes an addition.

The following statements for private and public inputs must hold.

The global statement 'either $A = B + C$ or $A = C = 0$ ' results in the following constraint for the note values $d1_{a}, d1_{b}, d1_{c}$ :

$(d1_{a} - d1_{b} - d1_{c}) \cdot (d1_{a} + d1_{c}) = 0$

For circuit part A the following constraints must hold:

$d1_{a} \cdot (root - ANCHOR) = 0$
$d1_{a} \cdot (cm_{a} - cm_{a}^{'}) = 0$
$d1_{a} \cdot (p k_{d}_{a} - p k_{d}_{a}^{'}) = 0$
$d1_{a} \cdot (rk_{x} - RK_{x}) = 0$
$d1_{a} \cdot (rk_{y} - RK_{y}) = 0$
$d1_{a} \cdot (d2_{a} - d2_{b}) = 0$
$d1_{a} \cdot (nf_{a} + ρ_{b} - 2 \cdot NF) = 0$

For circuit part B the following constraints must hold:

$B_{d 1} \cdot (B_{d 1} - d1_{b}) = 0$
$B_{d 1} \cdot (B_{d 2} - d2_{b}) = 0$
$B_{d 1} \cdot (B_{sc} - sc_{b}) = 0$
$CM_{B} \cdot (CM_{B} - cm_{b}) = 0$
$ACC_{B} - acc_{b} = 0$

For circuit part C the following constraints must hold:

$NFT \cdot d1_{c} = 0$
$C_{d 1} \cdot (C_{d 1} - d1_{c}) = 0$
$CM_{C} \cdot (CM_{C} - cm_{c}) = 0$
$ACC_{C} - acc_{c} = 0$

Valid Circuit Configurations

The following table lists the zactions and the corresponding configurations of the circuit's public inputs $x$ .

$ZAction M I NTFT M I NTNFT / B U RN A T TR A NSFERFT TR A NSFERNFT B U RNFT B U RNFT 2 B U RNNFT ANCHOR 00 root root root root root NF 00 nf_{a} nf_{a} nf_{a} nf_{a} nf_{a} R K_{x} 00 rk_{x} rk_{x} rk_{x} rk_{x} rk_{x} R K_{y} 00 rk_{y} rk_{y} rk_{y} rk_{y} rk_{y} NFT 0101001 B_{d 1} d1_{b} d1_{b} 00 d1_{b} d1_{b} d1_{b} B_{d 2} d2_{b} d2_{b} 00 d2_{b} d2_{b} d2_{b} B_{sc} sc_{b} sc_{b} 00 sc_{b} sc_{b} sc_{b} C_{d 1} 00000 d1_{c} 0 CM_{B} cm_{b} cm_{b} cm_{b} cm_{b} 000 CM_{C} 00 cm_{c} 0 cm_{c} 00 ACC_{B} 0000 acc_{b} acc_{b} acc_{b} ACC_{C} 00000 acc_{c} 0$

MINTFT

$ANCHOR 0 NF 0 R K_{x} 0 R K_{y} 0 NFT 0 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} 0 C M_{B} cm_{b} CM_{C} 0 ACC_{B} 0 ACC_{C} 0$

Given: $ANCHOR = NF = R K_{x} = R K_{y} = 0$
$\Rightarrow d1_{a} = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $CM_{B} = cm_{b}$
$\Rightarrow d1_{b} \neq = 0$ because of internal signal (7)

Given: $d1_{a} = 0, d1_{b} \neq = 0$
$\Rightarrow d1_{c} = 0$ because of constraint (1)

Given: $ACC_{B} = 0$
$\Rightarrow acc_{b} = 0$ because of constraint (13)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

MINTNFT/BURNAT

Note: The actions MINTNFT and BURNAT share the exact same circuit configuration. $ANCHOR 0 NF 0 R K_{x} 0 R K_{y} 0 NFT 1 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} 0 C M_{B} cm_{b} CM_{C} 0 ACC_{B} 0 ACC_{C} 0$

Given: $ANCHOR = NF = R K_{x} = R K_{y} = 0$
$\Rightarrow d1_{a} = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $CM_{B} = cm_{b}$
$\Rightarrow d1_{b} \neq = 0$ because of internal signal (7)

Given: $NFT = 1, d1_{a} = 0, d1_{b} \neq = 0$
$\Rightarrow d1_{c} = 0$ because of constraints (1) and (14)

Given: $ACC_{B} = 0$
$\Rightarrow acc_{b} = 0$ because of constraint (13)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

TRANSFERFT

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 0 B_{d 1} 0 B_{d 2} 0 B_{sc} 0 C_{d 1} 0 C M_{B} cm_{b} CM_{C} cm_{c} ACC_{B} 0 ACC_{C} 0$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $d1_{a} \neq = 0$
$\Rightarrow d1_{a} = d1_{b} + d1_{c}$ because of constraint (1)
$\Rightarrow d2_{a} = d2_{b}$ because of constraint (7)
$\Rightarrow ρ_{b} = nf_{a}$ because of constraint (8)

Given: $ACC_{B} = 0$
$\Rightarrow acc_{b} = 0$ because of constraint (13)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

TRANSFERNFT

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 1 B_{d 1} 0 B_{d 2} 0 B_{sc} 0 C_{d 1} 0 C M_{B} cm_{b} CM_{C} 0 ACC_{B} 0 ACC_{C} 0$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $NFT = 1$
$\Rightarrow d1_{c} = 0$ because of constraint (14)

Given: $d1_{a} \neq = 0, d1_{c} = 0$
$\Rightarrow d1_{a} = d1_{b}$ because of constraint (1)

Given: $d1_{a} \neq = 0$
$\Rightarrow d2_{a} = d2_{b}$ because of constraint (7)
$\Rightarrow ρ_{b} = nf_{a}$ because of constraint (8)

Given: $ACC_{B} = 0$
$\Rightarrow acc_{b} = 0$ because of constraint (13)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

BURNFT

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 0 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} 0 C M_{B} 0 CM_{C} cm_{c} ACC_{B} acc_{b} ACC_{C} 0$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

BURNFT2

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 0 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} d1_{c} C M_{B} 0 CM_{C} 0 ACC_{B} acc_{b} ACC_{C} acc_{c}$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

BURNNFT

$ANCHOR root NF nf_{a} R K_{x} rk_{x} R K_{y} rk_{y} NFT 1 B_{d 1} d1_{b} B_{d 2} d2_{b} B_{sc} sc_{b} C_{d 1} 0 C M_{B} 0 CM_{C} 0 ACC_{B} acc_{b} ACC_{C} 0$

Given: $ANCHOR = root, NF = nf_{a}, RK_{x} = rk_{x}, RK_{y} = rk_{y}$
$\Rightarrow d1_{a} \neq = 0$ because of internal signals (1), (4), (5), (6) and constraints (2), (5), (6) and (8)

Given: $NFT = 1$
$\Rightarrow d1_{c} = 0$ because of constraint (14)

Given: $d1_{a} \neq = 0, d1_{c} = 0$
$\Rightarrow d1_{a} = d1_{b}$ because of constraint (1)

Given $d1_{a} \neq = 0$
$\Rightarrow d2_{a} = d2_{b}$ because of constraint (7)
$\Rightarrow ρ_{b} = nf_{a}$ because of constraint (8)

Given: $ACC_{C} = 0$
$\Rightarrow acc_{c} = 0$ because of constraint (17)

The ZEOS Book