zkerc20

Interface definition:

pragma solidity ^0.4.24;  // pragma added for compilation; the spec excerpt itself states no compiler version

interface zkERC20 {
    event CreateConfidentialNote(address indexed _owner, bytes _metadata);
    event DestroyConfidentialNote(address indexed _owner, bytes32 _noteHash);

    // Returns the address of the smart contract that verifies this token's zero-knowledge proofs
    function cryptographyEngine() external view returns (address);
    // Lets a note holder approve an address to "spend" a zero-knowledge note via confidentialTransferFrom
    function confidentialIsApproved(address _spender, bytes32 _noteHash) external view returns (bool);
    // Sum of all confidential tokens
    function confidentialTotalSupply() external view returns (uint256);
    // Address of the corresponding ERC20 token
    function publicToken() external view returns (address);
    // Whether this token supports a given zero-knowledge proof ID. A cryptography engine may support
    // several proofs; a token creator may choose to support only a subset of them.
    function supportsProof(uint16 _proofId) external view returns (bool);
    function scalingFactor() external view returns (uint256);

    function confidentialApprove(bytes32 _noteHash, address _spender, bool _status, bytes _signature) public;
    function confidentialTransfer(bytes _proofData) public;
    function confidentialTransferFrom(uint16 _proofId, bytes _proofOutput) public;
}

confidentialTransfer must:

1 Successfully execute cryptographyEngine.validateProof(1, proofData). If this proof is valid, then for every note being consumed in the transaction, the note owner has provided a satisfying ECDSA signature.
2 Examine the output of cryptographyEngine.validateProof (createdNotes, destroyedNotes, publicOwner, publicValue) and validate the following:
  • Every Note in destroyedNotes exists in the token's note registry
  • Every Note in createdNotes does not exist in the token's note registry

The basic unit of "value" in zk-ERC20: the zero-knowledge note

Unlike traditional balances, value is represented through a UTXO-style model made up of notes. A note has the following public data:

  • A public key, which contains an encrypted representation of the note's value
  • The Ethereum address of the note "owner"
  • Note metadata: extra data the note owner needs, but which is not used in any smart-contract logic

A note has the following private data:

  • A viewing key, which can be used to decrypt the note
  • A spending private key
  • A value: the number of tokens this note contains

Public notes, private values: rationale behind the note construct

The note's owner field is public for ease of use, because we want conventional Ethereum private keys to be able to sign against zero-knowledge notes and zero-knowledge spending proofs. A Monero-style stealth-address protocol can be used to ensure that a note owner's Ethereum address carries no identifying information about the note's true owner.

The zero-knowledge note registry

A zkERC20-compliant token must have a way of storing the token's set of unspent zero-knowledge notes. The cryptography engine identifies notes by the following tuple:

1 A bytes32 _noteHash variable, a keccak256 hash of a note's encrypted data
2 An address _owner variable, an address that defines a note's owner
3 A bytes _notedata variable; the notedata is a combination of the note's public key and the note metadata. When implemented using the AZTEC protocol, these are secp256k1 and bn128 group elements that allow a note owner to recover and decrypt the note.

An example implementation of zkERC20 represents this as a mapping from noteHash to owner: mapping(bytes32 => address) noteRegistry. The metadata is required for logging purposes only; the noteHash and owner variables alone are enough to define a unique note.
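The following is an added example, not code from the original page or from the AZTEC project, that implements this registry together with the two confidentialTransfer checks listed under the interface definition. It assumes a simplified engine ABI (notes returned as parallel arrays of hashes and owners, since the page fixes no encoding), proof id 1 for the join-split proof, and a constructed contract name and revert strings.

```solidity
pragma solidity ^0.5.0;

// Hypothetical engine ABI: the page names the outputs (createdNotes, destroyedNotes,
// publicOwner, publicValue) but fixes no encoding, so notes are returned here as
// parallel arrays of note hashes and owners. Real engines encode this differently.
interface CryptographyEngine {
    function validateProof(uint16 _proofId, bytes calldata _proofData) external
        returns (bytes32[] memory destroyedHashes, address[] memory destroyedOwners,
                 bytes32[] memory createdHashes, address[] memory createdOwners,
                 address publicOwner, int256 publicValue);
}

contract NoteRegistryExample {
    event CreateConfidentialNote(address indexed _owner, bytes _metadata);
    event DestroyConfidentialNote(address indexed _owner, bytes32 _noteHash);

    // noteHash => owner; address(0) means "not in the registry"
    mapping(bytes32 => address) public noteRegistry;
    CryptographyEngine public cryptographyEngine;

    constructor(address _engine) public {
        cryptographyEngine = CryptographyEngine(_engine);
    }

    function confidentialTransfer(bytes memory _proofData) public {
        // Rule 1: the proof must verify (proof id 1 assumed to be join-split). An engine
        // that reverts aborts the whole call, so the registry is never touched.
        (bytes32[] memory dHashes, address[] memory dOwners,
         bytes32[] memory cHashes, address[] memory cOwners, , ) =
            cryptographyEngine.validateProof(1, _proofData);
        require(dHashes.length == dOwners.length && cHashes.length == cOwners.length);

        // Rule 2a: every destroyed note must exist under the owner the proof claims.
        // Deleting the entry is what makes a second spend of the same note fail.
        for (uint256 i = 0; i < dHashes.length; i++) {
            require(dOwners[i] != address(0) && noteRegistry[dHashes[i]] == dOwners[i], "destroyed note not in registry");
            delete noteRegistry[dHashes[i]];
            emit DestroyConfidentialNote(dOwners[i], dHashes[i]);
        }
        // Rule 2b: every created note must be new, so no existing note can be overwritten.
        for (uint256 j = 0; j < cHashes.length; j++) {
            require(cOwners[j] != address(0), "note owner cannot be zero");
            require(noteRegistry[cHashes[j]] == address(0), "created note already exists");
            noteRegistry[cHashes[j]] = cOwners[j];
            // The simplified ABI returns no notedata, so the hash is logged as the metadata payload.
            emit CreateConfidentialNote(cOwners[j], abi.encodePacked(cHashes[j]));
        }
    }
}
```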

Confidential Transfers

Sending a confidential transfer requires a zero-knowledge proof, verified by the cryptography engine that the given zk-ERC20 contract listens to. The semantics of this proof vary with the proof ID. For example, the zero-knowledge proof needed to partially fill an order between two zero-knowledge assets and the one needed for a unilateral "join-split" transaction are different proofs with different validation logic. Every proof supported by the cryptography engine shares the following features:

zkdai:
https://cn.etherscan.com/address/0xc5c0B2E7a265c96D29aE1E4e70Cd542deDc87aee#code

AZTEC:
https://github.com/AztecProtocol/AZTEC

tornadocash:
https://github.com/tornadocash/tornado-core/blob/master/contracts/ERC20Tornado.sol

Circuits:
https://zhuanlan.zhihu.com/p/53765211

ZoKrates:
https://hackernoon.com/zokrates-zksnarks-on-ethereum-made-easy-ql5oc3638

https://rinkeby.etherscan.io/tx/0x36eb10e163878654b05dd72e74d2fb08abefd8c3f381ce1c26639656aa991693

code:
https://github.com/yurenju/aztec-demo/blob/master/src/demo.js
