Transaction Constraints

In this section, we describe the concrete constraints for the transactions.

Abstract

The transaction constraints consist of smaller pieces of constraints. There are three types of constraints we have as following.

Constraint TypeChecking ConditionStatic or Dynamic
Common TransactionBasic transactions object for example gas, signature and so onStatic
Confidential TransferConfidential transfer conditionStatic
Confidential Smart ContractConfidential smart contract conditionDynamic

The Common Transaction checks the basic transactions constraints and used for every transaction. When the users transfer assets, they need to generate the proof satisfying both Common Transaction and Confidential Transfer constraints. This consists of static constraints so the condition that the proof needs to satisfy are always same so we can modularize easily. However, when the users execute the smart contract, they need to generate the proof satisfying both Common Transaction and Confidential Smart Contract constraints. This consists of static and dynamic constraints so the condition that the proof needs to satisfy are always different.

We would like to describe the constraints more detail and how we generate the proof for dynamic constraints.

Process

Every transaction needs to be attached the proof which satisfies the constraints. The proof is generated by proving key according to plonk protocol. The blockchain needs to setup the parameters and the user needs to generate key pair as following.

ItemDescription
xuser private key
yuser public key
srssetup parameters
srandomness used for setup
setup()setup function
Ffield
Gelliptic curve group
gelliptic curve generator
dpolynomial degree
pkproving key
vkverification key

Setup

Setup the paramaters used for generate and verify proof.

$$ g ∈ G $$ $$ setup(d, s) = [g, [s] g, [s^2] g, ... , [s^{d-1}] g] = (pk, vk) $$

Key Pair

Generate the key pair for sign the transaction.

$$ x ∈ F $$ $$ y = g^x $$

Common Transaction Constraints

Every transaction has common object items and this Common Transaction Constraints checks these condition. The transaction object items are following.

ItemDescription
sourcetransactor
targetdestination address
inputtransaction data
valuemessage value
gasLimitgas limit of transaction
gasPricegas price of transaction
nonceuser account nonce

The Common Transaction Constraints checks that the value, gasLimit and gasPrice are valid. We use following function to generate proof and signature.

FunctionDescription
enc()ElGamal encryption
sign()sign transaction with private key
prove()proof generation

Encrypt Variables

First of all, the number should be encrypted by ElGamal.

$$ enc(x, value, gasLimit, gasPrice, nonce) = value_{enc}, gasLimit_{enc}, gasPrice_{enc}, nonce_{enc} $$

Generate Proof and Signature

Generate the proof with proving key and prove that this common params satisfy the statement.

$$ π = Prove(pk, statement_{common_constraint}[value_{enc}, gasLimit_{enc}, gasPrice_{enc}, nonce_{enc}]) $$

Generate the signature with private key and prevent front-running attack.

$$ σ = Sign(x, value_{enc}, gasLimit_{enc}, gasPrice_{enc}, nonce_{enc}, π) $$

Confidential Smart Contract

This Confidential Transfer Constraints checks that the users smart constract execution is valid. The condition that users proof needs to satisfy is different for each contracts so it's provided by Dapp owner as the same with that the Ethererum Dapp owner provides the ABI of smart contract. When the developers finish implementing the smart contract, the smart contract is compiled and output the Wasm binary and constraints metadata. The constraints metadata is the polynomials expressing the smart contract constraints. The users need the metadata, their secret key and srs when they generate the proof.