zkerc20

接口定义：

interface zkERC20 {
    event CreateConfidentialNote(address indexed _owner, bytes _metadata);
    event DestroyConfidentialNote(address indexed _owner, bytes32 _noteHash);

    function cryptographyEngine() external view returns (address);  //返回验证此令牌的零知识证明的智能合约的地址
    function confidentialIsApproved(address _spender, bytes32 _noteHash) external view returns (bool); 
    //该功能允许票据持有人批准批准的地址“使用”一个零知识的票据从confidentialTransferFrom 转移。
    function confidentialTotalSupply() external view returns (uint256);  //所有机密令牌总和
    function publicToken() external view returns (address);    //对应erc20地址
    function supportsProof(uint16 _proofId) external view returns (bool);
    //此函数返回此令牌是否支持特定的零知识证明ID。密码引擎可以支持多个零知识证明。令牌创建者可能希望只支持这些证明的一个子集。
    function scalingFactor() external view returns (uint256);

    function confidentialApprove(bytes32 _noteHash, address _spender, bool _status, bytes _signature) public;
    function confidentialTransfer(bytes _proofData) public;
    //1 confidentialTransfer 
    //2 
    Successfully execute cryptographyEngine.validateProof(1, proofData)
If this proof is valid, then for every note being consumed in the transaction, the note owner has provided a satisfying ECDSA signature
Examine the output of cryptographyEngine.validateProof (createdNotes, destroyedNotes, publicOwner, publicValue) and validate the following:
Every Note in destroyedNotes exists in the token's note registry
Every Note in createdNotes does not exist in the token's note registry


    function confidentialTransferFrom(uint16 _proofId, bytes _proofOutput) public;
}

zk-ERC20中“价值”的基本单位:零知识note

与传统余额不同，值是通过由notes表示的uxto样式的模型来表示的。一份说明有下列公开资料:

• 一个公钥，它包含一个加密的票据值表示
• note “拥有者”的以太坊地址
• Note元数据——Note所有者需要的额外数据，但在任何智能契约逻辑中都不使用

note 有如下私人信息：

• 查看密钥，可用于解密note
• 支出的私钥
• 一个值——表示这张票据包含的令牌数量

Public notes, private values: rationale behind the note construct

note的所有者字段是公共的，以便于使用，因为我们希望传统的Ethereum私钥能够针对零知识票据和零知识开销证明进行签名。可以使用monero风格的隐式地址协议来确保纸币所有者的Ethereum地址不包含关于纸币真正所有者的标识信息。

The zero-knowledge note registry

符合zkERC20标准的令牌必须具有存储令牌未使用的零知识笔记集的方法。密码引擎通过以下元组来识别notes:

1 A bytes32 _noteHash variable, a keccak256 hash of a note’s encrypted data
2 A address _owner variable, an address that defines a note’s owner
3 A bytes _notedata variable, the notedata is a combination of the note’s public key and the note metadata. When implemented using the AZTEC protocol, secp256k1 and bn128 group elements that allows a note owner to recover and decrypt the note.

An example implementation of zkERC20 represents this as a mapping from noteHash to owner: mapping(bytes32 => address) noteRegistry;. The metadata is required for logging purposes only, the noteHash and owner variables alone are enough to define a unique note.

Confidential Transfers

发送机密消息的操作需要零知识证明，由给定的zk-ERC20契约侦听的加密引擎进行验证。这个证明的语义会随证明ID的不同而不同。例如，在两个零知识资产之间部分填充订单所需的零知识证明和单边“join-split”事务所需的零知识证明是不同的证明，具有不同的验证逻辑。密码引擎支持的每一个证明都有以下共同特征:

zkdai
:https://cn.etherscan.com/address/0xc5c0B2E7a265c96D29aE1E4e70Cd542deDc87aee#code

AZTEC:
https://github.com/AztecProtocol/AZTEC

tornadocash:
https://github.com/tornadocash/tornado-core/blob/master/contracts/ERC20Tornado.sol

电路：
https://zhuanlan.zhihu.com/p/53765211
ZoKrates :

https://hackernoon.com/zokrates-zksnarks-on-ethereum-made-easy-ql5oc3638

https://rinkeby.etherscan.io/tx/0x36eb10e163878654b05dd72e74d2fb08abefd8c3f381ce1c26639656aa991693

code:
https://github.com/yurenju/aztec-demo/blob/master/src/demo.js