
Deposit and Commitment Creation

Protocol for creating cryptographic commitments, linkers, and zero-knowledge proofs for deposit transactions

Protocol Description

A deposit transaction creates three primary on-chain artifacts: a cryptographic commitment $C$, a cryptographic linker $L_D$, and a zero-knowledge proof $\pi_D$ attesting to their consistency.

Commitment Structure

The commitment $C$ is a nested hash that binds the user to all public and private details of the deposit.

$$C \triangleq \text{Poseidon}\big( V, I, \text{Poseidon}( s, n, pk_{U,\text{low}}, pk_{U,\text{high}} ), pk_{\text{SOL},1}, pk_{\text{SOL},2}, \text{amount}, pk_{\text{mint},1}, pk_{\text{mint},2}, Y, M, D, h, m, s \big)$$

Commitment Components

  • $V, I$: Version and index parameters
  • Inner hash: $\text{Poseidon}(s, n, pk_{U,\text{low}}, pk_{U,\text{high}})$
    • $s$: Random secret for hiding
    • $n$: Nullifier for double-spend prevention
    • $pk_{U,\text{low}}, pk_{U,\text{high}}$: Recipient Umbra address (split into two halves)
  • Public keys: $pk_{\text{SOL},1}, pk_{\text{SOL},2}$ (depositor's Solana keys)
  • Amount: Deposit amount
  • Mint keys: $pk_{\text{mint},1}, pk_{\text{mint},2}$ (token mint information)
  • Timestamp: $Y, M, D, h, m, s$ (year, month, day, hour, minute, second)

Deposit Linker Hash

The linker hash $L_D$ allows a viewer holding the ITK to link a transaction to a recipient.

$$L_D \triangleq \text{Poseidon}(k_{\text{ITK},D}, pk_{U,\text{low}}, pk_{U,\text{high}})$$

Linker Components

  • ITK: Individual Transaction Key for the deposit, $k_{\text{ITK},D}$
  • Recipient address: $pk_{U,\text{low}}, pk_{U,\text{high}}$ (same as in the commitment)
  • Purpose: Enables authorized viewers to link deposits to recipients

Deposit Proof Statement

A ZK-SNARK proof $\pi_D$ is generated and submitted with each deposit. It proves knowledge of a private witness $w$ for a set of public inputs $x$.

Private Witness ($w$)

Consists only of the secret inputs:

  • The Solana MVK, $k_{\text{MVK},\text{SOL}}$
  • The recipient Umbra public key, $pk_U$
  • The random secret, $s$
  • The nullifier, $n$

Public Inputs ($x$)

Consist of all other transaction parameters:

  • The final commitment, $C$
  • The linker hash, $L_D$
  • The on-chain commitment to the MVK, $\text{MVK\_commitment}$
  • The timestamp
  • The depositor's Solana public key
  • The amount
  • Other public parameters

Proof Demonstrates

  1. MVK Knowledge: The public $\text{MVK\_commitment}$ is a valid commitment to the private MVK, $k_{\text{MVK},\text{SOL}}$
  2. ITK Derivation: The Individual Transaction Key $k_{\text{ITK},D}$ was correctly derived from $k_{\text{MVK},\text{SOL}}$ and the public $\text{timestamp}$
  3. Linker Integrity: The public linker hash $L_D$ was correctly computed using the derived $k_{\text{ITK},D}$ and the recipient Umbra address $pk_U$
  4. Commitment Consistency: The public commitment $C$ was correctly computed using the same recipient Umbra address $pk_U$ that was used to create the linker hash
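The relations above, modelled in the clear as an added example (not Umbra's code): the depositor builds $C$ and $L_D$ from witness and public inputs, and a checker evaluates the four statements that $\pi_D$ would attest to without revealing $w$. Assumptions not taken from the page: SHA-256 reduced into the BN254 scalar field stands in for Poseidon, $k_{\text{ITK},D} = H(\text{MVK}, \text{timestamp})$, $\text{MVK\_commitment} = H(\text{MVK})$, and $pk_U$ is split into two 128-bit halves.

```python
import hashlib

# BN254 scalar field modulus, assumed as the field Poseidon would operate over.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

def H(*elems: int) -> int:
    """Stand-in for Poseidon (assumption): SHA-256 over 32-byte field elements, reduced mod P."""
    data = b"".join(e.to_bytes(32, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def split_pk(pk_u: int) -> tuple:
    """Split a 256-bit Umbra address into the (low, high) 128-bit halves used in C and L_D."""
    return pk_u & ((1 << 128) - 1), pk_u >> 128

def commitment(V, I, s, n, pk_u, pk_sol, pk_mint, amount, ts):
    """C = Poseidon(V, I, Poseidon(s, n, pk_U,low, pk_U,high), pk_SOL, amount, pk_mint, Y, M, D, h, m, s)."""
    low, high = split_pk(pk_u)
    return H(V, I, H(s, n, low, high), *pk_sol, amount, *pk_mint, *ts)

def derive_itk(mvk: int, ts) -> int:
    """k_ITK,D derived from the MVK and the public timestamp (derivation rule assumed)."""
    return H(mvk, *ts)

def linker(itk: int, pk_u: int) -> int:
    """L_D = Poseidon(k_ITK,D, pk_U,low, pk_U,high)."""
    return H(itk, *split_pk(pk_u))

def make_deposit(mvk, pk_u, s, n, pk_sol, pk_mint, amount, ts, V=1, I=0):
    """Depositor side: build the private witness w and the public inputs x of one deposit."""
    w = {"mvk": mvk, "pk_u": pk_u, "s": s, "n": n}
    x = {"V": V, "I": I, "pk_sol": pk_sol, "pk_mint": pk_mint, "amount": amount, "ts": ts,
         "mvk_commitment": H(mvk),                        # MVK_commitment = H(MVK), assumed
         "L_D": linker(derive_itk(mvk, ts), pk_u),
         "C": commitment(V, I, s, n, pk_u, pk_sol, pk_mint, amount, ts)}
    return w, x

def relations_hold(w, x) -> bool:
    """The four statements pi_D attests to, evaluated in the clear (the circuit does this privately)."""
    itk = derive_itk(w["mvk"], x["ts"])                  # 2. ITK derivation
    return (H(w["mvk"]) == x["mvk_commitment"]            # 1. MVK knowledge
            and linker(itk, w["pk_u"]) == x["L_D"]        # 3. linker integrity
            and commitment(x["V"], x["I"], w["s"], w["n"], w["pk_u"], x["pk_sol"],
                           x["pk_mint"], x["amount"], x["ts"]) == x["C"])  # 4. same pk_U in C

# Constructed sample deposit (every value below is made up for illustration).
EXAMPLE_W, EXAMPLE_X = make_deposit(
    mvk=0x1234, pk_u=(0xABCD << 128) | 0x5678, s=0x9999, n=0x4242,
    pk_sol=(0x1111, 0x2222), pk_mint=(0x3333, 0x4444), amount=1_000_000,
    ts=(2024, 5, 17, 12, 30, 0))
```

A linker computed for one recipient paired with a commitment for another fails check 3 or 4, which is exactly the inconsistency soundness of $\pi_D$ rules out.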

Security Analysis

Security Proof: Deposit Security

Assumptions: Poseidon is a collision-resistant hash function; the ZK-SNARK system is zero-knowledge and sound.

Argument:

  1. Commitment Hiding/Binding: The inclusion of the random secret $s$ ensures $C$ is hiding. Collision resistance ensures it is binding.
  2. Linker Privacy: $L_D$ is a PRF output keyed by the secret $k_{\text{ITK},D}$. To an observer without the key, it is indistinguishable from random.
  3. Deposit Integrity: The soundness of the ZK-SNARK $\pi_D$ guarantees that a malicious depositor cannot create a proof where the linker and commitment are for different recipient addresses.

Properties

Commitment Properties

  • Hiding: The random secret $s$ prevents the commitment from revealing its contents
  • Binding: Collision resistance ensures commitment binding
  • Comprehensive: Includes all transaction parameters
  • Verifiable: Publicly verifiable without revealing secrets

Linker Properties

  • Private: Only derivable by holders of the ITK
  • Consistent: Uses same recipient address as commitment
  • Unlinkable: Appears random without the ITK
  • Authorized Access: Enables authorized transaction viewing

Proof Properties

  • Zero-Knowledge: Reveals no private information
  • Sound: Cannot prove false statements
  • Consistency: Ensures linker and commitment match
  • Verifiable: Publicly verifiable proof validity