From dd757db0a2627679268c92d7500cbf51878dfce8 Mon Sep 17 00:00:00 2001 From: ertosns Date: Mon, 16 Oct 2023 12:58:45 +0300 Subject: [PATCH] [doc/architecture/consensus] add burn/mint spec, update proposal.md --- doc/src/architecture/consensus/burn.md | 41 +++++++ .../consensus/consensus_contracts.md | 115 ------------------ doc/src/architecture/consensus/mint.md | 31 +++++ doc/src/architecture/consensus/proposal.md | 63 ++++++++++ 4 files changed, 135 insertions(+), 115 deletions(-) create mode 100644 doc/src/architecture/consensus/burn.md delete mode 100644 doc/src/architecture/consensus/consensus_contracts.md create mode 100644 doc/src/architecture/consensus/mint.md diff --git a/doc/src/architecture/consensus/burn.md b/doc/src/architecture/consensus/burn.md new file mode 100644 index 000000000..043513801 --- /dev/null +++ b/doc/src/architecture/consensus/burn.md 
@@ -0,0 +1,41 @@ +# leadership burn proof + +proof of burn of staked coin. + +$$ X = $$ +$$ W = $$ +$$ \mathcal{L}= \{X:W\in \mathcal{R}\} $$ + +| Public Input | Description | +|--------------|------------------------------------------------------------| +| sn[^1] | nullifier is hash of nonce nonce, and sk | +| ep | epoch index | +| $pk_x$ | coin public key pk affine x coordinate | +| $pk_y$ | coin public key pk affine y coordinate | +| root | root of coins commitments tree | +|$cm_x^{value}$| value commitment affine x coordinate | +|$cm_y^{value}$| value commitment affine y coordinate | + + + +| Witnesses | Description | +|--------------|------------------------------------------------------------| +| value | coin value $\in \mathbb{Z}$ or u64 | +| ep | epoch index | +| nonce[^2] | random nonce derived from previous coin | +| $value_{blind}$ | blinding scalar for value commitment | +| sk | coin secret key | +| $\tau$ | C position rooted by root | +| path | path of C at position $\tau$ | + + + +| Functions | Description | +|--------------|------------------------------------------------------------| +| pk | commitment to sk | +| C | $hash(pk_x||pk_y||value||ep|nonce)$ | +| $cm^{value}$ | commitment to value | + + +[^1]: if you read this after zerocash which crypsinous is based off, both papers calls nullifiers serial numbers. and serial number is nonce, `sn` in the table below can be called `nullifier` in our contract using zcash sapling terminology which is used in our money contract (sapling contract). +[^2]: if you read this after zerocash which crypsinous is based off, both papers calls nullifiers serial numbers. and serial number is nonce, `nonce` can be called `input/output serial` in our contracts using zcash sapling terminology which is used in our money contract (sapling contract). diff --git a/doc/src/architecture/consensus/consensus_contracts.md b/doc/src/architecture/consensus/consensus_contracts.md deleted file mode 100644 index 762e288bd..000000000 
--- a/doc/src/architecture/consensus/consensus_contracts.md +++ /dev/null 
@@ -1,115 +0,0 @@ -# consensus -## leadership burn proof - -proof of burn of staked coin. - -$$ X = $$ -$$ W = $$ -$$ \mathcal{L}= \{X:W\in \mathcal{R}\} $$ - -| Public Input | Description | -|--------------|------------------------------------------------------------| -| sn | nullifier is hash of nonce nonce, and sk | -| ep | epoch index | -| $pk_x$ | coin public key pk affine x coordinate | -| $pk_y$ | coin public key pk affine y coordinate | -| root | root of coins commitments tree | -|$cm_x^{value}$| value commitment affine x coordinate | -|$cm_y^{value}$| value commitment affine y coordinate | - -| Witnesses | Description | -|--------------|------------------------------------------------------------| -| value | coin value $\in \mathbb{Z}$ or u64 | -| ep | epoch index | -| nonce | random nonce derived from previous coin | -| $value_{blind}$ | blinding scalar for value commitment | -| sk | coin secret key | -| $\tau$ | C position rooted by root | -| path | path of C at position $\tau$ | - -| Functions | Description | -|--------------|------------------------------------------------------------| -| pk | commitment to sk | -| C | $hash(pk_x||pk_y||value||ep|nonce)$ | -| $cm^{value}$ | commitment to value | - -## leadership mint proof - -$$ X = $$ - $$ W = $$ - $$ \mathcal{L}= \{X:W\in \mathcal{R}\} $$ - -| Public Input | Description | -|--------------|------------------------------------------------------------| -| ep | epoch index | -| C | coin commitment -|$cm_x^{value}$| value commitment affine x coordinate | -|$cm_y^{value}$| value commitment affine y coordinate | - -| Witnesses | Description | -|--------------|------------------------------------------------------------| -| $pk_x$ | coin public key pk affine x coordinate | -| $pk_y$ | coin public key pk affine y coordinate | -| value | coin value $\in \mathbb{Z}$ or u64 | -| ep | epoch index | -| nonce | random nonce derived from previous coin | -| $value_{blind}$ | blinding scalar for value commitment | - 
-| Functions | Description | -|--------------|------------------------------------------------------------| -| pk | commitment to sk | -| C | $hash(pk_x||pk_y||value||ep|nonce)$ | -| $cm^{value}$ | commitment to value | - -## leardership proof - -$$ X = $$ -$$ W = $$ -$$ \mathcal{L}= \{X:W\in \mathcal{R}\} $$ - -| Public Input | Description | -|------------------|------------------------------------------------------------| -| sn | nullifier is hash of nonce nonce, and sk | -| ep | epoch index | -| $pk_x$ | coin public key pk affine x coordinate | -| $pk_y$ | coin public key pk affine y coordinate | -| root | root of coins commitments tree | -|$cm_x^{value}$ | value commitment affine x coordinate | -|$cm_y^{value}$ | value commitment affine y coordinate | -| reward | lottery reward value $\in \mathbb{Z}$ of type u64 | -|$cm_x^{value^{out}}$| value commitment affine x coordinate | -|$cm_y^{value^{out}}$| value commitment affine y coordinate | -| $C^{out}$ | coin commitment | -| $\mu_y$ | random, deterministic PRF output | -| $\mu_{\rho}$ | random, deterministic PRF output | -| $\rho$ | on-chain entropy as hash of nonce, and $\mu_{\rho}$ | -| $\sigma_1$ | target function approximation first term coefficient | -| $\sigma_2$ | target function approximation second term coefficient | - - -| Witnesses | Description | -|------------------|------------------------------------------------------------| -| sk | coin secret key derived from previous coin sk | -| nonce | random nonce derived from previous coin | -| value | coin value $\in \mathbb{Z}$ or u64 | -| ep | epoch index | -| reward | lottery reward value $\in \mathbb{Z}$ of type u64 | -| $value_{blind}$ | blinding scalar for value commitment | -| $\tau$ | C position rooted by root | -| path | path of C at position $\tau$ | -|$value_{blind}^{out}$| blinding scalar for value commitment of newly minted coin | -| $\mu_y$ | random, deterministic PRF output | -| $\mu_{\rho}$ | random, deterministic PRF output | -| $\sigma_1$ 
| target function approximation first term coefficient | -| $\sigma_2$ | target function approximation second term coefficient | -| headstart | competitive advantage added to target T | - - -| Functions | Description | -|--------------|------------------------------------------------------------| -| $value^{out}$ | value + reward | -| $nonce^{out}$| $hash(sk||nonce)$ | -| $sk^{out}$ | $hash(sk)$ | -| $pk^{out}$ | commitment to $sk^{out}$ | -| $C^{out}$ | $hash(pk_x^{out}||pk_y^{out}||value^{out}||ep|nonce^{out})$| -| $cm^{value}$ | commitment to $value^{out}$ | diff --git a/doc/src/architecture/consensus/mint.md b/doc/src/architecture/consensus/mint.md new file mode 100644 index 000000000..b5d524308 --- /dev/null +++ b/doc/src/architecture/consensus/mint.md 
@@ -0,0 +1,31 @@ +# leadership mint proof + +$$ X = $$ +$$ W = $$ +$$ \mathcal{L}= \{X:W\in \mathcal{R}\} $$ + +| Public Input | Description | +|--------------|------------------------------------------------------------| +| ep | epoch index | +| C | coin commitment | +|$cm_x^{value}$| value commitment affine x coordinate | +|$cm_y^{value}$| value commitment affine y coordinate | + +| Witnesses | Description | +|---------------|------------------------------------------------------------| +| $pk_x$ | coin public key pk affine x coordinate | +| $pk_y$ | coin public key pk affine y coordinate | +| value | coin value $\in \mathbb{Z}$ or u64 | +| ep | epoch index | +| nonce[^1] | random nonce derived from previous coin | +|$value_{blind}$| blinding scalar for value commitment | +----------------------------------------------------------------------------------- + + +| Functions | Description | +|--------------|------------------------------------------------------------| +| pk | commitment to sk | +| C | $hash(pk_x||pk_y||value||ep|nonce)$ | +| $cm^{value}$ | commitment to value | + +[^1]: if you read this after zerocash which crypsinous is based off, both papers calls nullifiers serial numbers. and serial number is nonce, `sn` in the table below can be called `nullifier` in our contract using zcash sapling terminology which is used in our money contract (sapling contract). diff --git a/doc/src/architecture/consensus/proposal.md b/doc/src/architecture/consensus/proposal.md index f31c09ef1..5398a1670 100644 --- a/doc/src/architecture/consensus/proposal.md +++ b/doc/src/architecture/consensus/proposal.md 
@@ -18,6 +18,66 @@ burn their competing coin, prove they're the winner, and then mint a new coin that includes the block reward and is eligible to compete in upcoming future slots. + +$$ X = $$ +$$ W = $$ +$$ \mathcal{L}= \{X:W\in \mathcal{R}\} $$ + + +| Public Input | Description | +|--------------------|------------------------------------------------------------| +| sn[^1] | nullifier is hash of nonce nonce, and sk | +| ep | epoch index | +| $pk_x$ | coin public key pk affine x coordinate | +| $pk_y$ | coin public key pk affine y coordinate | +| root | root of coins commitments tree | +|$cm_x^{value}$ | value commitment affine x coordinate | +|$cm_y^{value}$ | value commitment affine y coordinate | +| reward | lottery reward value $\in \mathbb{Z}$ of type u64 | +|$cm_x^{value^{out}}$| value commitment affine x coordinate | +|$cm_y^{value^{out}}$| value commitment affine y coordinate | +| $C^{out}$ | coin commitment | +| $\mu_y$ | random, deterministic PRF output | +| $\mu_{\rho}$ | random, deterministic PRF output | +| $\rho$ | on-chain entropy as hash of nonce, and $\mu_{\rho}$ | +| $\sigma_1$ | target function approximation first term coefficient | +| $\sigma_2$ | target function approximation second term coefficient | +----------------------------------------------------------------------------------- + + + +| Witnesses | Description | +|---------------------|------------------------------------------------------------| +| sk | coin secret key derived from previous coin sk | +| nonce[^2] | random nonce derived from previous coin | +| value | coin value $\in \mathbb{Z}$ or u64 | +| ep | epoch index | +| reward | lottery reward value $\in \mathbb{Z}$ of type u64 | +| $value_{blind}$ | blinding scalar for value commitment | +| $\tau$ | C position rooted by root | +| path | path of C at position $\tau$ | +|$value_{blind}^{out}$| blinding scalar for value commitment of newly minted coin | +| $\mu_y$ | random, deterministic PRF output | +| $\mu_{\rho}$ | random, 
deterministic PRF output | +| $\sigma_1$ | target function approximation first term coefficient | +| $\sigma_2$ | target function approximation second term coefficient | +| headstart | competitive advantage added to target T | +----------------------------------------------------------------------------------- + +Table: if you read this after zerocash which crypsinous is based off, both papers calls nullifiers serial numbers. and serial number is nonce, `sn` in the table below can be called `nullifier` in our contract, similarly `nonce` can be called `input/output serial` using zcash sapling terminology which is used in our money contract (sapling contract). + + + +| Functions | Description | +|--------------|------------------------------------------------------------| +| $value^{out}$| value + reward | +| $nonce^{out}$| $hash(sk||nonce)$ | +| $sk^{out}$ | $hash(sk)$ | +| $pk^{out}$ | commitment to $sk^{out}$ | +| $C^{out}$ | $hash(pk_x^{out}||pk_y^{out}||value^{out}||ep|nonce^{out})$| +| $cm^{value}$ | commitment to $value^{out}$ | + + ```rust,no_run,no_playground {{#include ../../../../src/contract/consensus/src/model.rs:ConsensusProposalParams}} ``` @@ -67,3 +127,6 @@ function. This takes the state update produced by nullifier to the set of seen nullifiers, adds the minted coin to the set of coins and appends it to the Merkle tree of all coins in the consensus state. + +[^1]: if you read this after zerocash which crypsinous is based off, both papers calls nullifiers serial numbers. and serial number is nonce, `sn` in the table below can be called `nullifier` in our contract using zcash sapling terminology which is used in our money contract (sapling contract). +[^2]: if you read this after zerocash which crypsinous is based off, both papers calls nullifiers serial numbers. and serial number is nonce, `nonce` can be called `input/output serial` in our contracts using zcash sapling terminology which is used in our money contract (sapling contract).
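
Review bot: in the new burn.md, the statement and witness definitions are left empty (`$$ X = $$`, `$$ W = $$`), so the language $\mathcal{L}$ is declared over tuples that are never given; fill them in with the entries of the Public Input and Witnesses tables. In the same file the `C` row writes `ep|nonce` with a single `|` where every other separator is `||`, the `sn` row reads "nonce nonce", and `ep` is listed both as a public input and as a witness without saying that the two must be constrained equal. Both footnotes point to "the table below" although they sit after the tables.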
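
Review bot: the deletion of consensus_contracts.md comes with no change to an index or to any page that might link to it; the diffstat lists only burn.md, consensus_contracts.md, mint.md and proposal.md. Please confirm that nothing still references the removed path and that the new burn.md and mint.md are reachable from the documentation's table of contents, or include that change in this commit.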
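
Review bot: in the new mint.md, footnote `[^1]` is attached to the `nonce` witness but its text explains `sn`, which does not appear anywhere in this file; use the `nonce` / `input/output serial` wording that burn.md carries as `[^2]`. The Functions table defines `pk` as "commitment to sk" while `sk` is not among the mint witnesses (only `pk_x` and `pk_y` are), so either drop that row or state where `pk` comes from. The line of dashes after the Witnesses table is not table syntax and appears under this table only; remove it. `X` and `W` are empty here as well.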
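
Review bot: in the Functions table added to proposal.md, the last row is labelled `$cm^{value}$` but described as "commitment to $value^{out}$", which collides with the burnt coin's `$cm^{value}$` in the Public Input table; label it `$cm^{value^{out}}$` so it matches the `$cm_x^{value^{out}}$` and `$cm_y^{value^{out}}$` rows, and give those two rows a description that distinguishes them from the input commitment. Further points in this hunk: `headstart` refers to a "target T" that is not defined in the added text; `reward`, `$\mu_y$`, `$\mu_{\rho}$`, `$\sigma_1$` and `$\sigma_2$` appear in both the public and the witness table without a note that they are bound to each other; the "Table:" paragraph repeats what footnotes `[^1]` and `[^2]` already say; the dash lines after the first two tables should go; and `X`, `W` are empty.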
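
Review bot: the two footnotes appended at the end of proposal.md say "`sn` in the table below", but they are placed after the tables they annotate, and their first sentence is repeated verbatim in both. The sentence "both papers calls nullifiers serial numbers. and serial number is nonce" also reads as if the nullifier and the nonce were the same value; spell out which paper term maps to `sn` and which to `nonce`, fix "calls" to "call", and state the shared background once rather than in each footnote.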