From 32bf65a1d8be7b9acde583b27da79f7ec9458403 Mon Sep 17 00:00:00 2001 From: zero Date: Tue, 30 Jan 2024 10:38:44 +0100 Subject: [PATCH] DEP 0003: Token Mint Authorization --- doc/src/SUMMARY.md | 5 +-- doc/src/dep/0003.md | 80 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 2 deletions(-) create mode 100644 doc/src/dep/0003.md diff --git a/doc/src/SUMMARY.md b/doc/src/SUMMARY.md index a6f3da5de..427256c90 100644 --- a/doc/src/SUMMARY.md +++ b/doc/src/SUMMARY.md @@ -65,8 +65,9 @@ # DEP -- [DEP 0001: Version Message Info](dep/0001.md) -- [DEP 0002: Smart Contract Composability](dep/0002.md) +- [DEP 0001: Version Message Info (accepted)](dep/0001.md) +- [DEP 0002: Smart Contract Composability (deprecated)](dep/0002.md) +- [DEP 0003: Token Mint Authorization (draft)](dep/0003.md) # Specs diff --git a/doc/src/dep/0003.md b/doc/src/dep/0003.md new file mode 100644 index 000000000..84660bf54 --- /dev/null +++ b/doc/src/dep/0003.md @@ -0,0 +1,80 @@ +# DEP 0003: Token Mint Authorization + +``` +status: draft +``` + +## Current Situation + +`Money::token_mint_v1()` allows minting a given token with the token ID +calculated as a commitment to the public key as +$$ T = \t{PoseidonHash}(69 || \mathcal{X}(P) || \mathcal{Y}(P)) $$ +The ability to freeze minting tokens is offered. Let $Γ$ be the set of +frozen token IDs. When attempting to call mint, if $T ∈ Γ$, then the contract +will fail. + +The amount being minted is publicly visible in the params. + +## Motivation: Limitations of Current Approach + +The main issue is contracts are unable to issue tokens. The current design +mandates the holder of a public key to issue the token. + +Secondarily the token ID and amount being minted is visible breaking anonymity. + +To fix the first issue, a basic fix would be allow setting an auth parent +contract for a specific token ID, but this does not fix the second issue. + +## Proposal: Introspective Params + +The authors preferred design goes for maximum generality, while +preserving existing functionality. + +Firstly the token ID is changed to be calculated as +$$ T = \t{PoseidonHash}(\t{auth\_parent}, \t{user\_data}, b) $$ +where $b$ is a blinding factor. + +### `Money::token_mint_v1()` + +We now define `Money::token_mint_v1()`. Let the params be coins $𝐂 = (Cᵢ)$ +and `auth_parent`. +For each coin $Cᵢ$, let there be corresponding proofs $πᵢ$ such that + +**Token ID integrity**   $T$ is calculated correctly committing to +`auth_parent`. + +**User data commitment**   $U = \t{PoseidonHash}(u, bᵤ)$ + +**Coin commitment integrity**   $Cᵢ = \t{PoseidonHash}(…, T, …)$ + +Additionally the contract checks that `auth_parent` is the function ID of +the parent caller. + +The sole purpose of this call is to create a set of coins whose token ID +is a valid commitment, containing the field `auth_parent` which is publicly +revealed. Then it checks the parent caller matches this field. + +### `Money::auth_mint_v1()` + +In the interests of preserving the current functionality with minimal changes, +we provide a default auth module for use with token minting. + +This provides an upgrade path to a future design with stronger anonymity +guarantees such as hiding the token ID from the network. + +The contract performs the following checks: + +* Reveals the token ID $T$ publicly. +* Checks $T ∉ Γ$, the set of frozen token IDs. +* Constructs a pedersen commit $V$ to the value in the coin, along with a proof. + This allows auditing the supply since all commitments are linked publicly with + the token ID. +* Unwrap the `user_data` exported from `Money::token_mint_v1()` which should + be a commitment to the public key. Prove ownership of the public key. + +### `Money::auth_mint_freeze_v1()` + +Adds the token ID $T$ to the set of frozen token IDs $Γ$. +The caller must prove ownership of the public key which is set in the +`user_data` field of the token ID. +