# Output Descriptions

Each output contains an OutputBody and a zk-SNARK output proof.

Clients using the ephemeral public key provided in an output body to decrypt a note payload MUST check:

## Output zk-SNARK Statements

The output proof demonstrates the properties enumerated below for the private witnesses known by the prover:

• Note amount (interpreted as an ) and asset ID
• Blinding factor used to blind the note commitment
• Diversified basepoint corresponding to the address
• Transmission key corresponding to the address
• Clue key corresponding to the address
• Blinding factor used to blind the balance commitment

And the corresponding public inputs:

• Balance commitment to the value balance
• Note commitment

### Note Commitment Integrity

The zk-SNARK certifies that the public input note commitment was derived as:

.

using the above witnessed values and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q

### Balance Commitment Integrity

The zk-SNARK certifies that the public input balance commitment was derived from the witnessed values as:

where is a constant generator and is an asset-specific generator point derived as described in Value Commitments.

### Diversified Base is not Identity

The zk-SNARK certifies that the diversified basepoint is not identity.

Note that we do not check the integrity of the ephemeral public key in the zk-SNARK. Instead this check should be performed at note decryption time as described above.