Analysis of the JoinSplit circuit

JoinSplit circuit inputs

• operationDigest

• pubEncodedAssetId

• pubEncodedAssetAddrWithSignBits

• refundAddrH1CompressedY

• refundAddrH2CompressedY

• vk (viewing key)

• spendPubkey

• vkNonce

• c, z (operation signature)

• encodedAssetId

• encodedAssetAddr

• refundAddrH1X

• refundAddrH1Y

• refundAddrH2X

• refundAddrH2Y

• oldNoteAOwnerH1X

• oldNoteAOwnerH1Y

• oldNoteAOwnerH2X

• oldNoteAOwnerH2Y

• oldNoteANonce

• oldNoteAValue

• pathA

• siblingsA

• oldNoteBOwnerH1X

• oldNoteBOwnerH1Y

• oldNoteBOwnerH2X

• oldNoteBOwnerH2Y

• oldNoteBNonce

• oldNoteBValue

• pathB

• siblingsB

• newNoteAValue

• receiverCanonAddr

• newNoteBValue

Circuit outputs

• newNoteACommitment

• newNoteBCommitment

• commitmentTreeRoot

• publicSpend

• nullifierA

• nullifierB

• senderCommitment

• joinSplitInfoCommitment

Constraints

• The spendPubkey is a valid Baby Jubjub curve point of order l.

• The vk is derived correctly from spendPubkey and vkNonce.

• oldNoteA.owner.H1 and oldNoteA.owner.H2 are valid BabyJubJub curve points, and H1 is an order-l point.

• The oldNoteB.owner.H1 and oldNoteB.owner.H2 are valid BabyJubJub curve points, and H1 is an order-l point.

• Constrain that H2 = [vk]H1 for oldNoteA and oldNoteB.

• Range check note values to account for arithmetic overflows.

• Compute and constrain public spend.

• Constrain note commitments for both old notes.

• Check Merkle inclusion proof for oldNoteA.

• Check Merkle inclusion proof for oldNoteB if and only if it holds nonzero value.

• Constrain nullifier derivation for nullifierA and nullifierB.

• Constrain new note commitments.