[zk-token-sdk](docs) Update docs to include a brief description of how fee sigma proof is computed (#32288)

* function docs to focus on the action they perform

* update docs for fee sigma proof

* add link to zk token proof doc

* Apply suggestions from code review

Co-authored-by: Tyera <tyera@solana.com>

---------

Co-authored-by: Tyera <tyera@solana.com>
This commit is contained in:
samkim-crypto 2023-06-28 09:55:55 +09:00 committed by GitHub
parent 4bc8f90182
commit 5624aaa1e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 60 additions and 34 deletions

View File

@ -41,7 +41,7 @@ pub struct BatchedGroupedCiphertext2HandlesValidityProof(GroupedCiphertext2Handl
#[allow(non_snake_case)] #[allow(non_snake_case)]
#[cfg(not(target_os = "solana"))] #[cfg(not(target_os = "solana"))]
impl BatchedGroupedCiphertext2HandlesValidityProof { impl BatchedGroupedCiphertext2HandlesValidityProof {
/// Batched grouped ciphertext validity proof constructor. /// Creates a batched grouped ciphertext validity proof.
/// ///
/// The function simply batches the input openings and invokes the standard grouped ciphertext /// The function simply batches the input openings and invokes the standard grouped ciphertext
/// validity proof constructor. /// validity proof constructor.
@ -66,7 +66,7 @@ impl BatchedGroupedCiphertext2HandlesValidityProof {
)) ))
} }
/// Batched grouped ciphertext validity proof verifier. /// Verifies a batched grouped ciphertext validity proof.
/// ///
/// The function does *not* hash the public keys, commitment, or decryption handles into the /// The function does *not* hash the public keys, commitment, or decryption handles into the
/// transcript. For security, the caller (the main protocol) should hash these public /// transcript. For security, the caller (the main protocol) should hash these public

View File

@ -45,7 +45,7 @@ pub struct CiphertextCiphertextEqualityProof {
#[allow(non_snake_case)] #[allow(non_snake_case)]
#[cfg(not(target_os = "solana"))] #[cfg(not(target_os = "solana"))]
impl CiphertextCiphertextEqualityProof { impl CiphertextCiphertextEqualityProof {
/// The ciphertext-ciphertext equality proof constructor. /// Creates a ciphertext-ciphertext equality proof.
/// ///
/// The function does *not* hash the public key, ciphertext, or commitment into the transcript. /// The function does *not* hash the public key, ciphertext, or commitment into the transcript.
/// For security, the caller (the main protocol) should hash these public components prior to /// For security, the caller (the main protocol) should hash these public components prior to
@ -120,8 +120,7 @@ impl CiphertextCiphertextEqualityProof {
} }
} }
/// The ciphertext-ciphertext equality proof verifier. The proof is with respect to two /// Verifies a ciphertext-ciphertext equality proof.
/// ciphertexts.
/// ///
/// * `source_pubkey` - The ElGamal pubkey associated with the first ciphertext to be proved /// * `source_pubkey` - The ElGamal pubkey associated with the first ciphertext to be proved
/// * `destination_pubkey` - The ElGamal pubkey associated with the second ciphertext to be proved /// * `destination_pubkey` - The ElGamal pubkey associated with the second ciphertext to be proved

View File

@ -49,7 +49,7 @@ pub struct CiphertextCommitmentEqualityProof {
#[allow(non_snake_case)] #[allow(non_snake_case)]
#[cfg(not(target_os = "solana"))] #[cfg(not(target_os = "solana"))]
impl CiphertextCommitmentEqualityProof { impl CiphertextCommitmentEqualityProof {
/// Equality proof constructor. The proof is with respect to a ciphertext and commitment. /// Creates a ciphertext-commitment equality proof.
/// ///
/// The function does *not* hash the public key, ciphertext, or commitment into the transcript. /// The function does *not* hash the public key, ciphertext, or commitment into the transcript.
/// For security, the caller (the main protocol) should hash these public components prior to /// For security, the caller (the main protocol) should hash these public components prior to
@ -120,7 +120,7 @@ impl CiphertextCommitmentEqualityProof {
} }
} }
/// Equality proof verifier. The proof is with respect to a single ciphertext and commitment. /// Verifies a ciphertext-commitment equality proof.
/// ///
/// * `source_pubkey` - The ElGamal pubkey associated with the ciphertext to be proved /// * `source_pubkey` - The ElGamal pubkey associated with the ciphertext to be proved
/// * `source_ciphertext` - The main ElGamal ciphertext to be proved /// * `source_ciphertext` - The main ElGamal ciphertext to be proved

View File

@ -1,6 +1,14 @@
//! The sigma proofs for transfer fees. //! The fee sigma proof.
//! //!
//! TODO: Add detail on how the fee is calculated. //! A fee sigma proof certifies that an ElGamal ciphertext encrypts a properly computed transfer fee.
//!
//! A detailed description of how transfer fees and proofs are calculated is provided in the [`ZK
//! Token proof program`] documentation.
//!
//! The protocol guarantees computational soundness (by the hardness of discrete log) and perfect
//! zero-knowledge in the random oracle model.
//!
//! [`ZK Token proof program`]: https://edge.docs.solana.com/developing/runtime-facilities/zk-token-proof
#[cfg(not(target_os = "solana"))] #[cfg(not(target_os = "solana"))]
use { use {
@ -27,9 +35,9 @@ use {
/// Fee sigma proof. /// Fee sigma proof.
/// ///
/// The proof consists of two main components: `fee_max_proof` and `fee_equality_proof`. If the fee /// The proof consists of two main components: `fee_max_proof` and `fee_equality_proof`. If the fee
/// surpasses the maximum fee bound, then the `fee_max_proof` should properly be generated and /// is greater than the maximum fee bound, then the `fee_max_proof` is properly generated and
/// `fee_equality_proof` should be simulated. If the fee is below the maximum fee bound, then the /// `fee_equality_proof` is simulated. If the fee is smaller than the maximum fee bound, the
/// `fee_equality_proof` should be properly generated and `fee_max_proof` should be simulated. /// `fee_equality_proof` is properly generated and `fee_max_proof` is simulated.
#[derive(Clone)] #[derive(Clone)]
pub struct FeeSigmaProof { pub struct FeeSigmaProof {
/// Proof that the committed fee amount equals the maximum fee bound /// Proof that the committed fee amount equals the maximum fee bound
@ -45,8 +53,36 @@ impl FeeSigmaProof {
/// Creates a fee sigma proof assuming that the committed fee is greater than the maximum fee /// Creates a fee sigma proof assuming that the committed fee is greater than the maximum fee
/// bound. /// bound.
/// ///
/// Note: the proof is generated twice via `create_proof_fee_above_max` and /// A transfer fee amount `fee_amount` for a `transfer_amount` is determined by two parameters:
/// `create_proof_fee_below_max` to enforce constant time execution. /// - the `fee_rate_basis_point`, which defines the fee rate in units of 0.01%,
/// - the `max_fee`, which defines the cap amount for a transfer fee.
///
/// This means that there are two cases to consider. If `fee_amount >= max_fee`, then the
/// `fee_amount` must always equal `max_fee`.
///
/// If `fee_amount < max_fee`, then assuming that there is no division rounding, the
/// `fee_amount` must satisfy the relation `transfer_amount * (fee_rate_basis_point /
/// 10_000) = fee_amount` or equivalently, `(transfer_amount * fee_rate_basis_point) - (10_000
/// * fee_amount) = 0`. More generally, let `delta_fee = (transfer_amount *
/// fee_rate_basis_point) - (10_000 * fee_amount)`. Then assuming that a division rounding
/// could occur, the `delta_fee` must satisfy the bound `0 <= delta_fee < 10_000`.
///
/// If `fee_amount >= max_fee`, then `fee_amount = max_fee` and therefore, the prover can
/// generate a proof certifying that a fee commitment exactly encodes `max_fee`. If
/// `fee_amount < max_fee`, then the prover can create a commitment to `delta_fee` and
/// create a range proof certifying that the committed value satisfies the bound `0 <=
/// delta_fee < 10_000`.
///
/// Since the type of proof that a prover generates reveals information about the transfer
/// amount and transfer fee, the prover must generate and include both types of proof. If
/// `fee_amount >= max_fee`, then the prover generates a valid `fee_max_proof`, but commits
/// to 0 as the "claimed" delta value and simulates ("fakes") a proof (`fee_equality_proof`)
/// that this is valid. If `fee_amount > max_fee`, then the prover simulates a
/// `fee_max_proof`, and creates a valid `fee_equality_proof` certifying that the claimed delta
/// value is equal to the "real" delta value.
///
/// Note: In the implementation, the proof is generated twice via `create_proof_fee_above_max`
/// and `create_proof_fee_below_max` to enforce that the function executes in constant time.
/// ///
/// * `(fee_amount, fee_commitment, fee_opening)` - The amount, Pedersen commitment, and /// * `(fee_amount, fee_commitment, fee_opening)` - The amount, Pedersen commitment, and
/// opening of the transfer fee /// opening of the transfer fee
@ -85,7 +121,7 @@ impl FeeSigmaProof {
let below_max = u64::ct_gt(&max_fee, &fee_amount); let below_max = u64::ct_gt(&max_fee, &fee_amount);
// choose one of `proof_fee_above_max` or `proof_fee_below_max` according to whether the // choose one of `proof_fee_above_max` or `proof_fee_below_max` according to whether the
// fee amount surpasses max fee // fee amount is greater than `max_fee` or not
let fee_max_proof = FeeMaxProof::conditional_select( let fee_max_proof = FeeMaxProof::conditional_select(
&proof_fee_above_max.fee_max_proof, &proof_fee_above_max.fee_max_proof,
&proof_fee_below_max.fee_max_proof, &proof_fee_below_max.fee_max_proof,
@ -259,7 +295,7 @@ impl FeeSigmaProof {
} }
} }
/// Fee sigma proof verifier. /// Verifies a fee sigma proof
/// ///
/// * `fee_commitment` - The Pedersen commitment of the transfer fee /// * `fee_commitment` - The Pedersen commitment of the transfer fee
/// * `delta_commitment` - The Pedersen commitment of the "real" delta value /// * `delta_commitment` - The Pedersen commitment of the "real" delta value
@ -443,6 +479,7 @@ impl ConditionallySelectable for FeeEqualityProof {
} }
} }
/// Selects one of two Ristretto points in constant time.
#[allow(clippy::needless_range_loop)] #[allow(clippy::needless_range_loop)]
fn conditional_select_ristretto( fn conditional_select_ristretto(
a: &CompressedRistretto, a: &CompressedRistretto,

View File

@ -1,19 +1,9 @@
//! Collection of sigma proofs (more precisely, "arguments") that are used in the Solana zk-token //! Collection of sigma proofs that are used in the ZK Token proof program.
//! protocol.
//! //!
//! The module contains implementations of the following proof systems that work on Pedersen //! Formal documentation and security proofs for the sigma proofs in this module can be found in
//! commitments and twisted ElGamal ciphertexts: //! [`ZK Token proof`] program documentation.
//! - Equality proof: can be used to certify that a twisted ElGamal ciphertext encrypts the same
//! message as either a Pedersen commitment or another ElGamal ciphertext.
//! - Validity proof: can be used to certify that a twisted ElGamal ciphertext is a properly-formed
//! ciphertext with respect to a pair of ElGamal public keys.
//! - Zero-balance proof: can be used to certify that a twisted ElGamal ciphertext encrypts the
//! message 0.
//! - Fee proof: can be used to certify that an ElGamal ciphertext properly encrypts a transfer
//! fee.
//! //!
//! We refer to the zk-token paper for the formal details and security proofs of these argument //! [`ZK Token proof`]: https://edge.docs.solana.com/developing/runtime-facilities/zk-token-proof
//! systems.
pub mod batched_grouped_ciphertext_validity_proof; pub mod batched_grouped_ciphertext_validity_proof;
pub mod ciphertext_ciphertext_equality_proof; pub mod ciphertext_ciphertext_equality_proof;

View File

@ -41,7 +41,7 @@ pub struct PubkeyValidityProof {
#[allow(non_snake_case)] #[allow(non_snake_case)]
#[cfg(not(target_os = "solana"))] #[cfg(not(target_os = "solana"))]
impl PubkeyValidityProof { impl PubkeyValidityProof {
/// Public-key proof constructor. /// Creates a public key validity proof.
/// ///
/// The function does *not* hash the public key and ciphertext into the transcript. For /// The function does *not* hash the public key and ciphertext into the transcript. For
/// security, the caller (the main protocol) should hash these public key components prior to /// security, the caller (the main protocol) should hash these public key components prior to
@ -80,7 +80,7 @@ impl PubkeyValidityProof {
Self { Y, z } Self { Y, z }
} }
/// Public-key proof verifier. /// Verifies a public key validity proof.
/// ///
/// * `elgamal_pubkey` - The ElGamal public key to be proved /// * `elgamal_pubkey` - The ElGamal public key to be proved
/// * `transcript` - The transcript that does the bookkeeping for the Fiat-Shamir heuristic /// * `transcript` - The transcript that does the bookkeeping for the Fiat-Shamir heuristic

View File

@ -41,7 +41,7 @@ pub struct ZeroBalanceProof {
#[allow(non_snake_case)] #[allow(non_snake_case)]
#[cfg(not(target_os = "solana"))] #[cfg(not(target_os = "solana"))]
impl ZeroBalanceProof { impl ZeroBalanceProof {
/// Zero-balance proof constructor. /// Creates a zero-balance proof.
/// ///
/// The function does *not* hash the public key and ciphertext into the transcript. For /// The function does *not* hash the public key and ciphertext into the transcript. For
/// security, the caller (the main protocol) should hash these public components prior to /// security, the caller (the main protocol) should hash these public components prior to
@ -88,7 +88,7 @@ impl ZeroBalanceProof {
Self { Y_P, Y_D, z } Self { Y_P, Y_D, z }
} }
/// Zero-balance proof verifier. /// Verifies a zero-balance proof.
/// ///
/// * `elgamal_pubkey` - The ElGamal pubkey associated with the ciphertext to be proved /// * `elgamal_pubkey` - The ElGamal pubkey associated with the ciphertext to be proved
/// * `ciphertext` - The main ElGamal ciphertext to be proved /// * `ciphertext` - The main ElGamal ciphertext to be proved