Delegator Vote Descriptions

Each delegator vote contains an DelegatorVoteBody and a zk-SNARK delegator vote proof.

Delegator Vote zk-SNARK Statements

The delegator vote proof demonstrates the properties enumerated below for the following private witnesses known by the prover:

Note amount $v$ (interpreted as an $F_{q}$ ) and asset ID $\in G$
Note blinding factor $rc m \in F_{q}$ used to blind the note commitment
Address associated with the note being spent, consisting of diversified basepoint $B_{d} \in G$ , transmission key $p k_{d} \in G$ , and clue key $c k_{d} \in F_{q}$
Note commitment $c m \in F_{q}$
Spend authorization randomizer used for generating the randomized spend authorization key $α \in F_{r}$
Spend authorization key $ak \in G$
Nullifier deriving key $nk \in F_{q}$
Merkle proof of inclusion for the note commitment, consisting of a position pos and an authentication path consisting of 72 $F_{q}$ elements (3 siblings each per 24 levels)

And the corresponding public inputs:

Merkle anchor $\in F_{q}$ of the state commitment tree
Balance commitment $c v \in G$ to the value balance
Nullifier $n f$ of the note to be spent
Randomized verification key $r k \in G$
The start position start_pos of the proposal being voted on

Start Position Verification

The zk-SNARK certifies that the position of the staked note pos is less than the position of the proposal being voted on:

pos < start_pos

This demonstrates that the staked note used in voting existed prior to the proposal.

The zk-SNARK also certifies that the commitment index of the start position is zero.

Note Commitment Integrity

The zk-SNARK certifies that the note commitment $c m$ was derived as:

$c m = ha s h_{6} (d s, (rc m, v, I D, B_{d}, p k_{d}, c k_{d}))$ .

using the above witnessed values and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q

Balance Commitment Integrity

The zk-SNARK certifies that the public input balance commitment $c v$ was derived from the witnessed values as:

$c v = [v] G_{v} + [v] G_{v}$

where $G_{v}$ is a constant generator and $G_{v}$ is an asset-specific generator point derived as described in Value Commitments. For delegator votes, $[v] = 0$ .

Nullifier Integrity

The zk-SNARK certifies that the revealed nullifier $n f$ was derived as:

$n f = ha s h_{3} (d s, (nk, c m, p os))$

using the witnessed values above and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.nullifier")) mod q

as described in Nullifiers.

Diversified Address Integrity

The zk-SNARK certifies that the diversified address $p k_{d}$ associated with the note was derived as:

$p k_{d} = [i v k] B_{d}$

where $B_{d}$ is the witnessed diversified basepoint and $i v k$ is the incoming viewing key computed using a rate-2 Poseidon hash from the witnessed $nk$ and $ak$ as:

ivk = hash_2(from_le_bytes(b"penumbra.derive.ivk"), nk, decaf377_s(ak)) mod r

as described in Viewing Keys.

Spend Authority

The zk-SNARK certifies that for the randomized verification key $r k$ was derived using the witnessed $ak$ and spend auth randomizer $α$ as:

$r k = ak + [α] B_{Sp e n d A u t h}$

where $B_{Sp e n d A u t h}$ is the conventional decaf377 basepoint as described in The Decaf377 Group.

The Penumbra Protocol