Each output contains an OutputBody and a zk-SNARK output proof.
Clients using the ephemeral public key provided in an output body to decrypt a note payload MUST check:
The output proof demonstrates the properties enumerated below for the private witnesses known by the prover:
- Note amount (interpreted as an ) and asset
- Blinding factor used to blind the note commitment
- Diversified basepoint corresponding to the address
- Transmission key corresponding to the address
- Clue key corresponding to the address
- Blinding factor used to blind the balance commitment
And the corresponding public inputs:
- Balance commitment to the value balance
- Note commitment
The zk-SNARK certifies that the public input note commitment was derived as:
using the above witnessed values, where ds is a constant domain separator:
ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q
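The ds derivation written out step by step, as an added example that is not part of the Penumbra specification or its implementation; it assumes q is the modulus of decaf377's base field Fq (the BLS12-377 scalar field) and uses Python's hashlib for BLAKE2b-512, exposing the little-endian read and the reduction that two implementations most often get out of sync.

```python
import hashlib

# Assumption: q is the modulus of decaf377's base field Fq (the BLS12-377
# scalar field), the field in which Penumbra note commitments live.
Q = 8444461749428370424248824938781546531375899335154063827935233455917409239041


def domain_separator(label: bytes, q: int = Q) -> int:
    """ds = from_le_bytes(BLAKE2b-512(label)) mod q, exactly as the spec writes it.

    The 64-byte digest is read as a little-endian integer (lowest byte first),
    then reduced into Fq. Reading it big-endian, or hashing with a different
    digest length, yields an unrelated field element, and a prover and a
    verifier that disagree here will disagree on every note commitment.
    """
    digest = hashlib.blake2b(label, digest_size=64).digest()
    return int.from_bytes(digest, "little") % q


def derivation_trace(label: bytes, q: int = Q) -> dict:
    """Return each intermediate value so another implementation can be checked step by step."""
    digest = hashlib.blake2b(label, digest_size=64).digest()
    unreduced = int.from_bytes(digest, "little")
    return {
        "digest_hex": digest.hex(),          # raw 64-byte BLAKE2b-512 output
        "unreduced": unreduced,              # 512-bit integer before reduction
        "ds": unreduced % q,                 # the constant the circuit uses
        "ds_if_big_endian": int.from_bytes(digest, "big") % q,  # what a mis-ported port would compute
    }


# The note-commitment domain separator from the spec; constant, so it can be precomputed.
NOTECOMMIT_DS = domain_separator(b"penumbra.notecommit")

if __name__ == "__main__":
    for key, value in derivation_trace(b"penumbra.notecommit").items():
        print(f"{key}: {value}")
```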
The zk-SNARK certifies that the public input balance commitment was derived from the witnessed values as:
where is a constant generator and is an asset-specific generator point derived as described in Value Commitments.
The zk-SNARK certifies that the diversified basepoint is not identity.
Note that we do not check the integrity of the ephemeral public key in the zk-SNARK. Instead this check should be performed at note decryption time as described above.