Interface definition:
interface zkERC20 {
    event CreateConfidentialNote(address indexed _owner, bytes _metadata);
    event DestroyConfidentialNote(address indexed _owner, bytes32 _noteHash);
    // Returns the address of the smart contract that verifies this token's zero-knowledge proofs
    function cryptographyEngine() external view returns (address);
    // Whether the note holder has approved _spender to "spend" the zero-knowledge note via confidentialTransferFrom
    function confidentialIsApproved(address _spender, bytes32 _noteHash) external view returns (bool);
    // Sum of all confidential tokens
    function confidentialTotalSupply() external view returns (uint256);
    // Address of the corresponding ERC20 token
    function publicToken() external view returns (address);
    // Whether this token supports a given zero-knowledge proof ID. A cryptography engine may support
    // several zero-knowledge proofs; a token creator may choose to support only a subset of them.
    function supportsProof(uint16 _proofId) external view returns (bool);
    function scalingFactor() external view returns (uint256);
    function confidentialApprove(bytes32 _noteHash, address _spender, bool _status, bytes calldata _signature) external;
    function confidentialTransfer(bytes calldata _proofData) external;
    function confidentialTransferFrom(uint16 _proofId, bytes calldata _proofOutput) external;
}
A call to confidentialTransfer must:
1. Successfully execute cryptographyEngine.validateProof(1, proofData). If the proof is valid, then for every note consumed in the transaction the note owner has provided a satisfying ECDSA signature.
2. Examine the output of cryptographyEngine.validateProof (createdNotes, destroyedNotes, publicOwner, publicValue) and validate the following:
   - Every note in destroyedNotes exists in the token's note registry
   - Every note in createdNotes does not exist in the token's note registry
The basic unit of "value" in zk-ERC20: the zero-knowledge note
Unlike a conventional balance, value is represented by a UTXO-style model made up of notes. A note has the following public data:
- A public key, which contains an encrypted representation of the note's value
- The Ethereum address of the note's "owner"
- Note metadata: extra data the note owner needs, but which is not used in any smart-contract logic
A note has the following private data:
- A viewing key, which can be used to decrypt the note
- A spending private key
- A value: the number of tokens this note contains
Public notes, private values: rationale behind the note construct
The note's owner field is public for ease of use, because we want a conventional Ethereum private key to be able to sign over zero-knowledge notes and zero-knowledge spending proofs. A Monero-style stealth address protocol can be used to ensure that the Ethereum address recorded as the note owner carries no identifying information about the note's real owner.
The zero-knowledge note registry
A token compliant with the zkERC20 standard must have a way to store the set of the token's unspent zero-knowledge notes. The cryptography engine identifies a note by the following tuple:
1. A bytes32 _noteHash variable, the keccak256 hash of the note's encrypted data
2. An address _owner variable, the address that defines the note's owner
3. A bytes _notedata variable; the notedata is the combination of the note's public key and the note metadata. When implemented using the AZTEC protocol, this consists of secp256k1 and bn128 group elements that allow a note owner to recover and decrypt the note.
An example implementation of zkERC20 represents this as a mapping from noteHash to owner: mapping(bytes32 => address) noteRegistry;. The metadata is required for logging purposes only; the noteHash and owner variables alone are enough to define a unique note.
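The following Python model is an added example, not code from the AZTEC project or from any zkERC20 contract. It ties the interface above to the note registry described here: a registry keyed by note hash, `confidentialApprove`/`confidentialIsApproved` for delegated spending, and the two `confidentialTransfer` steps (validate the proof, then apply the registry checks on createdNotes and destroyedNotes) before the registry is updated. Everything cryptographic is stubbed and labelled: `MockCryptographyEngine` does no proof or signature verification, the `signer` argument stands in for the address recovered from `_signature`, `hashlib.sha3_256` stands in for keccak256 (the digests differ from a real contract's), and the sign convention for `publicValue` (positive leaves the confidential pool, negative enters it) is an assumption, since the page does not fix it.

```python
"""Added model of a zkERC20 note registry and the confidentialTransfer checks (not AZTEC code)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    """Public part of a note: owner address plus opaque notedata (public key + metadata)."""
    owner: str
    note_data: bytes

    @property
    def note_hash(self) -> bytes:
        # Stand-in for keccak256(notedata): hashlib has no keccak256 and sha3_256 pads
        # differently, so a real contract would produce a different digest.
        return hashlib.sha3_256(self.note_data).digest()


@dataclass(frozen=True)
class ProofOutput:
    """What cryptographyEngine.validateProof hands back for a valid proof."""
    created_notes: tuple
    destroyed_notes: tuple
    public_owner: str
    public_value: int  # assumed convention: >0 leaves the confidential pool, <0 enters it


class MockCryptographyEngine:
    """Stand-in engine: performs no cryptography, it only echoes the proof output back.
    A real engine would verify the zero-knowledge proof and the owners' ECDSA signatures."""

    def __init__(self, supported_proof_ids):
        self.supported = frozenset(supported_proof_ids)

    def validate_proof(self, proof_id: int, proof_data: ProofOutput) -> ProofOutput:
        if proof_id not in self.supported:
            raise ValueError(f"proof id {proof_id} not supported by engine")
        return proof_data


class ZkERC20:
    JOIN_SPLIT = 1  # proof id that confidentialTransfer passes to validateProof

    def __init__(self, engine, supported_proof_ids, scaling_factor=1):
        self.engine = engine
        self.supported = frozenset(supported_proof_ids)
        self.scaling_factor = scaling_factor
        self.note_registry: dict = {}   # mapping(bytes32 => address) noteRegistry
        self.approvals: dict = {}       # (noteHash, spender) -> bool
        self.total_supply = 0           # confidentialTotalSupply, in public-token units
        self.events: list = []

    def supports_proof(self, proof_id: int) -> bool:
        # The token may support only a subset of what the engine supports
        return proof_id in self.supported and proof_id in self.engine.supported

    def confidential_is_approved(self, spender: str, note_hash: bytes) -> bool:
        return self.approvals.get((note_hash, spender), False)

    def confidential_approve(self, note_hash, spender, status, signer):
        """`signer` stands in for the address recovered from _signature."""
        if self.note_registry.get(note_hash) != signer:
            raise PermissionError("only the registered owner can approve a note")
        self.approvals[(note_hash, spender)] = status

    def _apply_proof_output(self, out: ProofOutput, spender=None):
        # Step 2a: every destroyed note must be in the registry (blocks double spends)
        for note in out.destroyed_notes:
            owner = self.note_registry.get(note.note_hash)
            if owner is None:
                raise ValueError("destroyed note not in registry")
            if owner != note.owner:
                raise ValueError("destroyed note owner mismatch")
            if spender not in (None, owner) and not self.confidential_is_approved(spender, note.note_hash):
                raise PermissionError("spender not approved for note")
        # Step 2b: every created note must be new, including relative to each other
        created_hashes = [n.note_hash for n in out.created_notes]
        if len(set(created_hashes)) != len(created_hashes):
            raise ValueError("proof creates the same note twice")
        for h in created_hashes:
            if h in self.note_registry:
                raise ValueError("created note already in registry")
        # All checks passed: update the registry, drop stale approvals, emit events
        for note in out.destroyed_notes:
            del self.note_registry[note.note_hash]
            self.approvals = {k: v for k, v in self.approvals.items() if k[0] != note.note_hash}
            self.events.append(("DestroyConfidentialNote", note.owner, note.note_hash))
        for note in out.created_notes:
            self.note_registry[note.note_hash] = note.owner
            self.events.append(("CreateConfidentialNote", note.owner, note.note_data))
        self.total_supply -= out.public_value * self.scaling_factor

    def confidential_transfer(self, proof_data: ProofOutput):
        out = self.engine.validate_proof(self.JOIN_SPLIT, proof_data)  # step 1
        self._apply_proof_output(out)                                   # step 2

    def confidential_transfer_from(self, proof_id, proof_output, spender):
        if not self.supports_proof(proof_id):
            raise ValueError(f"proof id {proof_id} not supported by token")
        self._apply_proof_output(proof_output, spender=spender)


def try_transfer(token: ZkERC20, proof: ProofOutput, spender=None, proof_id=1) -> str:
    """Returns "ok" or the name of the rejection raised, for easy checking."""
    try:
        if spender is None:
            token.confidential_transfer(proof)
        else:
            token.confidential_transfer_from(proof_id, proof, spender)
        return "ok"
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__
```

Replaying a spend is rejected at step 2a because the destroyed note is gone from the registry, and re-submitting a deposit is rejected at step 2b because the created note is already registered; the model relies on those registry checks, not on the (mocked) proof, which is exactly the invariant the standard asks the token to enforce.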
Confidential Transfers
A confidential transfer requires a zero-knowledge proof, verified by the cryptography engine that the given zk-ERC20 contract points to. The semantics of the proof depend on the proof ID. For example, the zero-knowledge proof needed to partially fill an order between two zero-knowledge assets and the proof needed for a one-sided "join-split" transaction are different proofs with different verification logic. Every proof supported by the cryptography engine shares the following properties:
zkdai: https://cn.etherscan.com/address/0xc5c0B2E7a265c96D29aE1E4e70Cd542deDc87aee#code
AZTEC: https://github.com/AztecProtocol/AZTEC
tornadocash: https://github.com/tornadocash/tornado-core/blob/master/contracts/ERC20Tornado.sol
Circuits: https://zhuanlan.zhihu.com/p/53765211
ZoKrates: https://hackernoon.com/zokrates-zksnarks-on-ethereum-made-easy-ql5oc3638
https://rinkeby.etherscan.io/tx/0x36eb10e163878654b05dd72e74d2fb08abefd8c3f381ce1c26639656aa991693
code: https://github.com/yurenju/aztec-demo/blob/master/src/demo.js