Output Descriptions

Each output contains an OutputBody and a zk-SNARK output proof.

Output Body

The body of an Output has four parts:

A NotePayload, which consists of the note commitment, the NoteCiphertext, and an ephemeral public key used to encrypt the note;
A balance commitment, which commits to the value balance of the output note;
The ovk wrapped key, which enables the sender to later decrypt the NoteCiphertext using their OutgoingViewingKey;
The wrapped memo key, which enables one who can decrypt the NoteCiphertext to additionally decrypt the MemoCiphertext on the tranasction.

Invariants

The invariants that the Output upholds are described below.

Local Invariants

The created output note is spendable by the recipient if its nullifier has not been revealed.

1.1 The output note is bound to the recipient.

1.2 The output note can be spent only by the recipient.
The output data in the transaction does not reveal the amount, asset type, sender identity, or recipient identity.

2.1 The output data included in a transaction preserves this property.

2.2 The note commitment integrity check and the balance commitment integrity check are done in zero-knowledge.
The balance contribution of the value of the note is private.

Local Justification

The created note is spendable only by the recipient if its nullifier has not been revealed since:

1.1 The note commitment binds the note to the typed value and the address of the recipient.

1.2 Each note has a unique note commitment if the note blinding factor is unique for duplicate (recipient, typed value) pairs. Duplicate note commitments are allowed on chain since they commit to the same (recipient, typed value, randomness) tuple¹.
The privacy of the note data is enforced via:

2.1 The output note, which includes the amount, asset, and address of the recipient, is symmetrically encrypted to a key that only the recipient and sender can derive, as specified in Transaction Cryptography. The return (sender) address can optionally be included in the symmetrically encrypted memo field of the transaction, which can be decrypted by any output in that transaction as specified in Transaction Cryptography. The sender or recipient can authorize other parties to view the contents of the note by disclosure of these symmetric keys.

2.2 The note commitment scheme used for property 1 preserves privacy via the hiding property of the note commitment scheme. The sender demonstrates knowledge of the opening of the note commitment in zero-knowledge.
The balance contribution of the value of the note is hidden via the hiding property of the balance commitment scheme. Knowledge of the opening of the balance commitment is done in zero-knowledge.

1.1 This action contributes the value of the output note, which is summed as part of the transaction value balance. Value is not created due to system level invariant 1, which ensures that transactions contribute a 0 value balance.

Note Decryption Checks

Clients using the ephemeral public key $e p k$ provided in an output body to decrypt a note payload MUST check:

$e p k = [es k] B_{d}$

This check exists to mitigate a potential attack wherein an attacker attempts to link together a target’s addresses. Given that the attacker knows the address of the target, an attacker can send a note encrypted using the $B_{d}$ of a second address they suspect the target controls. If the target does control both addresses, then the target will be able to decrypt this note. If the target responds to the attacker out of band confirming the payment was received, the attacker has learned the target does control both addresses. To avoid this, client software checks the correct diversified basepoint is used during note decryption. See ZIP 212 for further details.

Output zk-SNARK Statements

The output proof demonstrates the properties enumerated below for the private witnesses known by the prover:

Note amount $v$ (interpreted as an $F_{q}$ , constrained to fit in 128 bits) and asset ID $\in F_{q}$
Blinding factor $rc m \in F_{q}$ used to blind the note commitment
Diversified basepoint $B_{d} \in G$ corresponding to the address
Transmission key $p k_{d} \in G$ corresponding to the address
Clue key $c k_{d} \in F_{q}$ corresponding to the address
Blinding factor $v \in F_{r}$ used to blind the balance commitment

And the corresponding public inputs:

Balance commitment $c v \in G$ to the value balance
Note commitment $c m \in F_{q}$

Note Commitment Integrity

The zk-SNARK certifies that the public input note commitment $c m$ was derived as:

$c m = ha s h_{6} (d s, (rc m, v, I D, B_{d}, p k_{d}, c k_{d}))$ .

using the above witnessed values and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q

Balance Commitment Integrity

The zk-SNARK certifies that the public input balance commitment $c v$ was derived from the witnessed values as:

$c v = [- v] G_{v} + [v] G_{v}$

where $G_{v}$ is a constant generator and $G_{v}$ is an asset-specific generator point derived in-circuit as described in Assets and Values.

The asset-specific generator is derived in-circuit instead of witnessed to avoid a malicious prover witnessing the negation of a targeted asset-specific generator. See Section 0.3 of the MASP specification for more details of this attack.

Diversified Base is not Identity

The zk-SNARK certifies that the diversified basepoint $B_{d}$ is not identity.

Note that we do not check the integrity of the ephemeral public key $e p k$ in the zk-SNARK. Instead this check should be performed at note decryption time as described above.

Duplicate note commitments are allowed such that nodes do not need to maintain a database of all historical commitments and check for distinctness. They simply maintain the state commitment tree, adding new state commitments as they appear. Two notes with the same typed value and address will not have the same commitment due to the randomness provided by the note blinding factor.

The Penumbra Protocol