Output Descriptions

Each output contains an OutputBody and a zk-SNARK output proof.

Clients using the ephemeral public key provided in an output body to decrypt a note payload MUST check:

Output zk-SNARK Statements

The output proof demonstrates the properties enumerated below for the private witnesses known by the prover:

  • Note amount (interpreted as an ) and asset ID
  • Blinding factor used to blind the note commitment
  • Diversified basepoint corresponding to the address
  • Transmission key corresponding to the address
  • Clue key corresponding to the address
  • Blinding factor used to blind the balance commitment

And the corresponding public inputs:

  • Balance commitment to the value balance
  • Note commitment

Note Commitment Integrity

The zk-SNARK certifies that the public input note commitment was derived as:

.

using the above witnessed values and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q
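The derivation above as runnable Python. This is an added example, not code from the Penumbra project. The page does not give q, so the modulus here is an assumption (the BLS12-377 scalar field order, taken to be the decaf377 base field), as is the use of unkeyed BLAKE2b with no personalization; the encode and decode helpers are hypothetical.

```python
import hashlib

# Assumption: q is not given on the page. This value is the BLS12-377 scalar
# field order, assumed here to be the base field modulus of decaf377.
Q = 0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001


def domain_separator(label: bytes, modulus: int = Q, byteorder: str = "little") -> int:
    """from_le_bytes(BLAKE2b-512(label)) mod q, as written in the spec text."""
    # digest_size=64 selects the 512-bit output; no key, salt or personalization.
    digest = hashlib.blake2b(label, digest_size=64).digest()
    # The 512-bit integer is far larger than q, so the reduction is required.
    return int.from_bytes(digest, byteorder) % modulus


def encode_field_element(x: int, modulus: int = Q) -> bytes:
    """Hypothetical helper: 32-byte little-endian encoding of a reduced element."""
    if not 0 <= x < modulus:
        raise ValueError("value is not reduced modulo q")
    return x.to_bytes(32, "little")


def decode_field_element(data: bytes, modulus: int = Q) -> int:
    """Hypothetical helper: reject wrong lengths and non-canonical encodings."""
    if len(data) != 32:
        raise ValueError("expected 32 bytes")
    x = int.from_bytes(data, "little")
    if x >= modulus:
        raise ValueError("non-canonical encoding (value >= q)")
    return x


NOTECOMMIT_DS = domain_separator(b"penumbra.notecommit")

if __name__ == "__main__":
    print("ds (hex, LE bytes):", encode_field_element(NOTECOMMIT_DS).hex())
    # Reading the same digest big-endian gives a different constant, which is
    # the usual cause of a mismatch between two implementations.
    wrong = domain_separator(b"penumbra.notecommit", byteorder="big")
    print("matches big-endian reading:", wrong == NOTECOMMIT_DS)
```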

Balance Commitment Integrity

The zk-SNARK certifies that the public input balance commitment was derived from the witnessed values as:

where is a constant generator and is an asset-specific generator point derived as described in Value Commitments.

Diversified Base is not Identity

The zk-SNARK certifies that the diversified basepoint is not the identity.

Note that we do not check the integrity of the ephemeral public key in the zk-SNARK. Instead, this check should be performed at note decryption time as described above.