Assessment reports>Nocturne>Threat Model>Analysis of the JoinSplit circuit

Analysis of the JoinSplit circuit

JoinSplit circuit inputs

  • operationDigest

  • pubEncodedAssetId

  • pubEncodedAssetAddrWithSignBits

  • refundAddrH1CompressedY

  • refundAddrH2CompressedY

  • vk (viewing key)

  • spendPubkey

  • vkNonce

  • c, z (operation signature)

  • encodedAssetId

  • encodedAssetAddr

  • refundAddrH1X

  • refundAddrH1Y

  • refundAddrH2X

  • refundAddrH2Y

  • oldNoteAOwnerH1X

  • oldNoteAOwnerH1Y

  • oldNoteAOwnerH2X

  • oldNoteAOwnerH2Y

  • oldNoteANonce

  • oldNoteAValue

  • pathA

  • siblingsA

  • oldNoteBOwnerH1X

  • oldNoteBOwnerH1Y

  • oldNoteBOwnerH2X

  • oldNoteBOwnerH2Y

  • oldNoteBNonce

  • oldNoteBValue

  • pathB

  • siblingsB

  • newNoteAValue

  • receiverCanonAddr

  • newNoteBValue

Circuit outputs

  • newNoteACommitment

  • newNoteBCommitment

  • commitmentTreeRoot

  • publicSpend

  • nullifierA

  • nullifierB

  • senderCommitment

  • joinSplitInfoCommitment

Constraints

  • The spendPubkey is a valid Baby Jubjub curve point of order l.

  • The vk is derived correctly from spendPubkey and vkNonce.

  • oldNoteA.owner.H1 and oldNoteA.owner.H2 are valid BabyJubJub curve points, and H1 is an order-l point.

  • The oldNoteB.owner.H1 and oldNoteB.owner.H2 are valid BabyJubJub curve points, and H1 is an order-l point.

  • Constrain that H2 = [vk]H1 for oldNoteA and oldNoteB.

  • Range check note values to account for arithmetic overflows.

  • Compute and constrain public spend.

  • Constrain note commitments for both old notes.

  • Check Merkle inclusion proof for oldNoteA.

  • Check Merkle inclusion proof for oldNoteB if and only if it holds nonzero value.

  • Constrain nullifier derivation for nullifierA and nullifierB.

  • Constrain new note commitments.

Zellic © 2023Back to top ↑