Transfer verifier circuit overview
This circuit is used to built a private transactions engine with the following properties:
- It is not possible for anyone to forge balances.
- Any unspent note or account with an existing owner is spendable.
The circuit proves the following conditions:
- Input notes are unique.
- Output notes are unique or blank (all fields equal zero).
- Tx is signed and the signer is the owner of input account, output account, and input notes.
- Nullifiers correspond to notes.
- out_commitment is the root of Merkle subtree of output account and notes.
- Input account and notes should be inside anonymity set (have valid merkle proofs) or blank (all fields of account excluding η are zeros, balance of note is zero).
- All non-blank input notes correspond to the following equation\
tx.in.Account.i≤pos(tx.in.Note)<tx.out.Account.i\ where pos is the position of the note in the Merkle tree.
- Public balance, XP changes, and the size of anonymity set should be stored at special public δ input as little endian (b:i64, e:i96, i:u32), two’s complement is used for signed types. After unpacking, negative values should be represented as corresponding field elements.
- Sum of all balances (with negative signs for outputs) should be zero.
- Account indexes are limited:\
- The following equation for XP:\
XP is referred to as energy in the zeropool library. While accounts accumulate XP there is no current application for accumulated XP in v1 of the protocol.