Zellic - Audit Reports

The following paragraph complements finding ref↗ and describes the equation that implements one of the two ZK arguments involved in withdrawal transactions. This ZK argument asserts that the plaintext value of a given ciphertext (consisting of a Pedersen commitment and decryption handle) is the same as that of a different Pedersen commitment.

Prerequisite definitions:

$O$ is the point at infinity
$G$ is the Ristretto base point
$H$ is the auxiliary point used for construction of the Pedersen commitment scheme
public keys $P_{i}$ are represented as $P_{i} = a_{i} H + b_{i} G$
- legitimate public keys are derived from a secret $k_{i}$ as $P_{i} = k_{i}^{- 1} H$ , so $a_{i} = k_{i}^{- 1}$ and $b_{i} = 0$
- rogue public keys could have a nonzero $b_{i} G$ term
encrypted values are represented as a tuple $E_{i} = (C_{i}; D_{i})$ , where
- $C_{i} = m_{i} G + r_{i} H$
- $D_{i} = r_{i} P$
- $m_{i}$ is the plaintext
- $r_{i}$ is an arbitrary (normally random) scalar
- $P$ is the public key of the recipient of the ciphertext

The equality argument is constructed, referring to

the legitimate public key $P_{L} = a_{L} H + b_{L} G$
- this is the pubkey associated with the confidential account
- $b_{L}$ might not be zero when leveraging issue ref↗
the rogue public key $P_{R} = a_{R} H + b_{R} G$
- this public key can differ from the legitimate public key when leveraging issue ref↗
the encrypted balance $E_{S} = (C_{S}; D_{S}) = (m_{S} G + r_{S} H; r_{S} P_{1})$
the Pedersen commitment $C_{D} = m_{D} G + r_{D} H$

The values provided must satisfy the following relationship:

z_{S} P_{R} - cH - Y_{0} + w z_{X} G + w z_{S} D_{S} - w c C_{S} - w Y_{1} + w^{2} z_{X} G + w^{2} z_{R} H - w^{2} c C_{D} - w^{2} Y_{2} = O

The following additional values have been introduced:

witness variables $c$ and $w$
- the relationship must hold for any possible value of these variables
scalars $z_{S}$ , $z_{X}$ and $z_{R}$
- these scalars are completely free and can be set arbitrarily
points $Y_{i} = p_{i} H + q_{i} G$ , for $i \in 0, 1, 2$
- these points cannot depend on the value of any witness variable

The relationship can be expanded by expressing all the points as a sum of their two components $x H$ and $y G$ :

(z_{S} a_{R} - c - p_{0} + w z_{S} r_{S} a_{L} - w c r_{S} - w p_{1} + w^{2} z_{R} - w^{2} c r_{D} - w^{2} p_{2}) H + (z_{S} b_{R} - q_{0} + w z_{X} + w z_{S} r_{S} b_{L} - w c m_{S} - w q_{1} + w^{2} z_{X} - w^{2} c m_{D} - w^{2} q_{2}) G = O

We can set up the following system of equations from the two scalar components of the relationship:

{z_{S} a_{R} - c - p_{0} + w z_{S} r_{S} a_{L} - w c r_{S} - w p_{1} + w^{2} z_{R} - w^{2} c r_{D} - w^{2} p_{2} \equiv 0 (mod or d (H)) z_{S} b_{R} - q_{0} + w z_{X} + w z_{S} r_{S} b_{L} - w c m_{S} - w q_{1} + w^{2} z_{X} - w^{2} c m_{D} - w^{2} q_{2} \equiv 0 (mod or d (G))

The system can be manipulated to obtain the following,

{(z_{R} - c r_{D} - p_{2}) w^{2} + (z_{S} r_{S} a_{L} - c r_{S} - p_{1}) w + (z_{S} a_{R} - c - p_{0}) \equiv 0 (mod or d (H)) (z_{X} - c m_{D} - q_{2}) w^{2} + (z_{S} r_{S} b_{L} - c m_{S} - q_{1} + z_{X}) w + (z_{S} b_{R} - q_{0}) \equiv 0 (mod or d (G))

which is satisfied if the following system of equations is satisfied:

⎩ ⎨ ⎧ z_{R} - c r_{D} - p_{2} \equiv 0 (mod or d (H)) z_{S} r_{S} a_{L} - c r_{S} - p_{1} \equiv 0 (mod or d (H)) z_{S} a_{R} - c - p_{0} \equiv 0 (mod or d (H)) z_{X} - c m_{D} - q_{2} \equiv 0 (mod or d (G)) z_{S} r_{S} b_{L} - c m_{S} - q_{1} + z_{X} \equiv 0 (mod or d (G)) z_{S} b_{R} - q_{0} \equiv 0 (mod or d (G))