Shielded Spending Key

Overview

The Shielded Spending Key is the core secret required to generate Zero-Knowledge Proofs (ZKPs) for spending UTXOs within the Umbra shielded pool. Unlike the L1 Interaction Key which operates on the L1's transparent layer, the Shielded Spending Key operates entirely within the ZK circuit domain.

This key represents full spending authority over all shielded UTXOs associated with the corresponding User Commitment. Loss of this key results in permanent, irrecoverable loss of funds.

---

Technical Specification

Why BN254?

The BN254 curve (also known as alt_bn128) is chosen for its:

---

Purpose

The Shielded Spending Key serves two critical functions in the Umbra protocol:

1. Claiming Ownership of a UTXO - Proving you have the right to spend a specific UTXO
2. Creating Nullifier Hashes - Preventing double-spending while preserving privacy

Both functions are essential and work together to enable private, secure transactions.

---

Purpose 1: Claiming Ownership of a UTXO

Every UTXO in the Unified Mixer Pool is cryptographically locked to a specific User Commitment. The User Commitment is a hash that binds together three keys: the L1 Interaction Key, the Shielded Spending Key, and the Master Viewing Key (see User Commitment Tree).

To spend a UTXO, you must prove-without revealing any secrets-that you know the preimages that hash to the User Commitment embedded in that UTXO.

The Ownership Problem

When you want to spend a UTXO, you face a fundamental challenge:

• The UTXO contains a commitment (a hash) that identifies the owner
• You need to prove you are the owner
• But you cannot reveal your Shielded Spending Key (or it could be stolen)
• And you cannot reveal which specific UTXO you're spending (or you lose privacy)

The Zero-Knowledge Solution

The Shielded Spending Key enables a zero-knowledge proof that demonstrates:

1. "I know a Shielded Spending Key..." - You possess the secret key
2. "...that, when combined with the other commitment preimages..." - Together with L1 key and MVK
3. "...hashes to a User Commitment..." - Following the Poseidon hash tree structure
4. "...that matches one of the UTXOs in the global set" - The UTXO exists and belongs to you

What the Proof Reveals

Why This Matters

Similar to Tornado Cash or ZCash, the specific UTXO being claimed is never revealed on-chain. An observer sees:

• A zero-knowledge proof (valid/invalid)
• A nullifier (to prevent double-spending)
• New output commitments

But they cannot determine:

• Which UTXO was spent
• Who the sender was
• Any transaction history or patterns

Without the Shielded Spending Key, it is cryptographically impossible to claim a UTXO. Even if you know a UTXO belongs to a specific User Commitment, you cannot spend it without the corresponding Shielded Spending Key.

---

Purpose 2: Creating Nullifier Hashes

The second critical function of the Shielded Spending Key is nullifier generation. Nullifiers are the mechanism that prevents double-spending in privacy-preserving systems.

The Double-Spend Problem

In a transparent blockchain, preventing double-spends is straightforward: each UTXO is explicitly marked as spent or unspent. But in a privacy-preserving system:

• You cannot reveal which UTXO you're spending
• So you cannot mark a specific UTXO as "spent"
• How do you prevent someone from spending the same UTXO twice?

The Nullifier Solution

A nullifier is a deterministic, unique identifier for each UTXO that:

1. Can only be computed by the UTXO's owner (who knows the Shielded Spending Key)
2. Is unique to each UTXO (no two UTXOs produce the same nullifier)
3. Reveals nothing about which UTXO it corresponds to
4. Is published on-chain when the UTXO is spent

Nullifier Computation

The nullifier is computed using the Poseidon PRF with the Shielded Spending Key as the secret:

$$\text{Nullifier} = \text{PoseidonPRF}_{\text{SpendingKey}}(\text{UTXOCommitment}, \text{LeafIndex})$$

Where:

• SpendingKey - Your Shielded Spending Key (the PRF secret)
• UTXOCommitment - The commitment hash of the UTXO being spent
• LeafIndex - The position of the UTXO in the global commitment tree

Why This Construction Works

The Nullifier Set

The protocol maintains an on-chain nullifier set-a record of all nullifiers that have been published:

1. When you spend a UTXO, your nullifier is included in the transaction
2. The protocol checks if this nullifier has been seen before
3. If yes: reject (this is a double-spend attempt)
4. If no: accept and add the nullifier to the set

Privacy Preservation

The key insight is that the nullifier:

• Is deterministic: The same UTXO always produces the same nullifier
• Is unlinkable: No one can determine which UTXO the nullifier corresponds to
• Requires the secret: Only the owner can compute it

This means:

• If someone tries to spend the same UTXO twice, they produce the same nullifier → rejected
• But observers cannot tell which UTXOs have been spent (only that some UTXOs have been)
• The anonymity set remains intact

Example: Double-Spend Prevention

Scenario: Alice owns a UTXO and tries to spend it twice.

1. First spend: Alice computes nullifier $N_1$ from her UTXO and Spending Key
2. Transaction accepted, $N_1$ added to nullifier set
3. Second spend attempt: Alice tries to spend the same UTXO
4. She must compute the nullifier again: it's deterministic, so she gets $N_1$ again
5. Protocol checks: $N_1$ already in nullifier set → Transaction rejected

Alice cannot produce a different nullifier for the same UTXO because:

• The nullifier is deterministically derived from the UTXO data and her Spending Key
• She cannot change the UTXO data (it's fixed)
• She cannot change her Spending Key (or the ownership proof would fail)

---

Key Generation

The Shielded Spending Key can be generated randomly or derived deterministically from a master seed. Both approaches are valid as long as the key is a cryptographically secure random value within the BN254 scalar field.

All Umbra keys (Shielded Spending Key, Master Viewing Key, L1 Keypair, and X25519 Keypair) can either be derived deterministically from a single master seed or managed as fully independent keys-both approaches provide equivalent cryptographic security.

---

Spending a UTXO: Complete Flow

To spend a UTXO, the owner must provide a zero-knowledge proof that demonstrates both purposes simultaneously:

The ZK circuit verifies:

1. Ownership: The provided preimages (including Spending Key) hash to a valid User Commitment that matches a UTXO in the global set
2. Nullifier Correctness: The nullifier was correctly computed from the Spending Key and UTXO data
3. No Double-Spend: The nullifier is not in the nullifier set (checked on-chain)

All of this is proven without revealing:

• The Shielded Spending Key
• Which UTXO is being spent
• The User Commitment
• Any linkage between transactions

---

Both Keys Required

Spending a UTXO requires both the Shielded Spending Key and the Master Viewing Key:

Without either key, spending is impossible. This is enforced at the cryptographic level-the ZK circuit requires both as private inputs.

---

Summary