Skip to main content

Signing a Transaction

Transactions in ZeroPool are signed by the spending key σ\sigma. To verify a transaction signature the prover should use an intermediate key A.

Transaction hashing

A client application should sign a 'composite' transaction hash instead of full transaction data. The transaction hash is calculated from the input and output hashes:

H=Hashsponge(Hashaccount(Accin),Hashnote(Note0in),Hashnote(Note1in),Hashnote(Note2in),TxCommit)H = Hash_{sponge}(Hash_{account}(Acc^\text{in}), Hash_{note}(Note_0^\text{in}), Hash_{note}(Note_1^\text{in}), Hash_{note}(Note_2^\text{in}), TxCommit)

where

  • HashHash is a Poseidon multi-hash (sponged) routine in the different modes
  • AccinAcc^\text{in}is an input account
  • NoteiinNote_i^\text{in}is an input notes,
  • TxCommitTxCommit - is a transaction commitment hash (Merkle subtree root). It depends on transaction output account and notes.

Signing

Next, a client uses the account spending key to sign a transaction hash HH:

r=Blake2s(σ,H)r = Blake2s(\sigma, H), whereBlake2sBlake2s is the 256-bit hash function

R=rGR = rG, A=σGA=\sigma G (moving rr and σ\sigma to the JubJub Elliptic curve field)

S=r+Hasheddsa(R.x,A.x,H)σS = r + Hash_{eddsa}(R.x, A.x, H)\sigma

The output signature (S,R)(S, R) will be sent with a intermediate key A=σGA = \sigma G

Verifying

To verify a transaction signature a validator should perform the following computations:

SG==R+Hasheddsa(R.x,A.x,H)ASG == R + Hash_{eddsa}(R.x, A.x, H)A