Convert Circuit

Convert Circuit Description

The high-level description of Convert can be found Brun and mint.

The Convert provides a mechanism that burning and minting of assets can be enabled by adding Convert Value Vommitments in transaction and ensuring the homomorphic sum of Spend, Output and Convert value commitments to be zero.

The Convert value commitment is constructed from AllowedConversion which was published earlier in AllowedConversion Tree. The AllowedConversion defines the allowed conversion assets. The AllowedConversion Tree is a merkle hash tree stored in the ledger.

AllowedConversion

An AllowedConversion is a compound asset type in essence, which contains distinct asset types and the corresponding conversion ratios.

AllowedConversion is an array of tuple ${(t_{1}, v_{1}^{r a t i o}), (t_{2}, v_{2}^{r a t i o}) ... (t_{n}, v_{n}^{r a t i o})}$

$t$ : $B^{l_{t}}$ is a bytestring representing the asset identifier of the note.
$v^{r a t i o}$ : $v^{r a t i o}$ is a signed 64-bit integer in the range ${- 2^{63} .. 2^{63} - 1}$ .

Calculate:

$v b_{i} := re p r_{J} (PR F^{v c g M A SP} (t_{i}))$
$v b^{a ll o w e d co n v ers i o n} = Σ_{1}^{n} ([v_{i}^{r a t i o}] v b_{i})$
$c m^{a ll o w e d co n v ers i o n} = PedersenHashToPoint (^{''} M A SP__P H^{''}, [1]^{6} ∣∣ v b^{a ll o w e d co n v ers i o n})$

Note that PedersenHashToPoint is used the same as in NoteCommitment for now.

An AllowedConversion can be issued, removed and modified as public conversion rule by consensus authorization and stored in AllowedConversion Tree as leaf node.

An AllowedConversion can be used by proving the existence in AllowedConversion Tree(must use the latest root anchor), and then generating a Convert Value Commitment to be used in transaction.

Convert Value Commitment

Convert Value Commitment is a tuple $(v b^{a ll o w e d co n v ers i o n}, v^{co n v er t}, rc v^{co n v er t})$

$v^{co n v er t}$ : $v^{co n v er t}$ is an unsigned integer representing the value of conversion in range ${0.. 2^{64} - 1}$ .

Choose independent uniformly random commitment trapdoors:

$rc v^{co n v er t}$ $\leftarrow ValueCommit .GenTrapdoor ()$

Check that $h_{J} re p r_{J} (PR F^{v c g M A SP} (v b^{a ll o w e d co n v ers i o n}))$ is of type $K A^{S a pl in g} . P u b l i c P r im e O r d er$ , i.e. it is a valid ctEdwards Curve point on the JubjubCurve (as defined in the original Sapling specification) not equal to $O_{J}$ . If it is equal to $O_{J}$ , $v b^{a ll o w e d co n v ers i o n}$ is an invalid asset identifier.

Calculate

$c v^{co n v er t} = [v^{co n v er t} h_{J}] v b^{a ll o w e d co n v ers i o n} + [rc v^{co n v er t}] GroupHash_{URS}^{J^{(r) *}} (^{''} M A SP__r_^{''},^{''} r^{''})$

Note that $GroupHash_{URS}^{J^{(r) *}} (^{''} M A SP__r_^{''},^{''} r^{''})$ is used the same as in NoteCommitment for now.

AllowedConversion Tree

AllowedConversion Tree has the same structure as Note Commitment Tree and is an independent tree stored in ledger.

$MerkleDept h^{Convert}$ : 32(for now)
leaf node: $c m^{a ll o w e d co n v ers i o n}$

Convert Statement

The Convert circuit has 47358 constraints.

Let $l_{M er k l e S a pl in g}$ , $l_{sc a l a r}$ , $ValueCommit$ , $PedersenHashToPoint$ , $GroupHash_{URS}^{J^{(r) *}}$ , $J$ be as defined in the original Sapling specification.

A valid instance of $π_{co n v er t}$ assures that given a primary input:

$r t^{co n v er t} : B^{l_{M er k l e S a pl in g}}$
$c v^{co n v er t} : ValueCommit.Output$

the prover knows an auxiliary input:

$p a t h : B^{[l_{M er k l e}] [M er k l eDe pt h^{C o n v er t}]}$
$p os : (0.. 2^{M er k l eDe pt h^{C o n v er t}} - 1)$
$c m^{a ll o w e d co n v ers i o n} : B^{M er k l e S a pl in g}$
$v b^{a ll o w e d co n v ers i o n} : J$
$rc v^{co n v er t} : {0.. 2^{l_{sc a l a r}} - 1})$
$v^{co n v er t} : {0.. 2^{l_{co n v er t_v a l u e}} - 1}$

such that the following conditions hold:

AllowedConversion cm integrity: $c m^{a ll o w e d co n v ers i o n} = PedersenHashToPoint (^{''} M A SP__P H^{''}, [1]^{6} ∣∣ v b^{a ll o w e d co n v ers i o n})$
Merkle path validity: Either $v^{co n v er t}$ is 0; or $(p a t h, p os)$ is a valid Merkle path of depth $M er k l eDe pt h^{C o n v er t}$ , as as defined in the original Sapling specification, from $c m^{a ll o w e d co n v ers i o n}$ to the anchor $r t^{co n v er t}$
Small order checks: $v b^{a ll o w e d co n v ers i o n}$ is not of small order, i.e. $[h_{J}] v b^{a ll o w e d co n v ers i o n} \neq = O_{J}$ .
Convert Value Commitment integrity: $c v^{co n v er t} = [v^{co n v er t} h_{J}] v b^{a ll o w e d co n v ers i o n} + [rc v^{co n v er t}] GroupHash_{URS}^{J^{(r) *}} (^{''} M A SP__r_^{''},^{''} r^{''})$

Return $(c v^{co n v er t}, r t^{co n v er t}, π_{co n v er t})$

Notes:

Public and auxiliary inputs MUST be constrained to have the types specified. In particular, see the original Sapling specification, for required validity checks on compressed representations of Jubjub curve points. The ValueCommit.Output type also represents points, i.e. $J$ .
In the Merkle path validity check, each layer does not check that its input bit sequence is a canonical encoding(in { $0.. r_{S} - 1$ }) of the integer from the previous layer.

Incentive Description

Incentive system provide a mechanism in which the old asset(input) is burned, the new asset(output) is minted with the same quantity and incentive asset(reward) is minted with the convert ratio meanwhile.

Incentive AllowedConversion Tree

As described in Convert circuit, the AllowedConversion Tree is an independent merkle tree in the ledger and contains all the Incentive AllowedConversions.

Incentive AllowedConversion Struct

In general, there are three items in Incentive AllowedConversion Struct(but not mandatory？),i.e. input, output and reward. And each item has an asset type and a quantity(i64, for the convert ratio).

Note that the absolute value of input and output must be consistent in incentive system. The quantity of input is negative and the quantity of output is positive.

To guarantee the input and output to be open as the same asset type in future unshielding transactions, the input and output assets have the same prefix description(e.g. BTC_1, BTC_2...BTC_n). And to prevent repeated shielding and unshielding and encourage long-term contribution to privacy pool, the postfix timestamp is used to distinct the input and output assets. The timestamp is depended on the update period and can be defined flexibly(e.g. date, epoch num). When new timestamp occurs, the AllowedConversion will be updated to support all the "history asset" conversion to the latest one.

Incentive AllowedConversion Operatioin

Incentive AllowedConversion is governed by incentive system, who will be in charge of issuing new incentive plan, updating(modifying) to the latest timestamp and destroying the disabled.

Issue
- Issue a new incentive plan for new asset.
- Issue for the last latest AllowedConversion when new timestamp occurs.
Update
- For every new timestamp occurs, updating the existing AllowedConversion. Keep the input still, update the output to the latest asset and modify the reward quantity according to the ratio.
Destroy
- Detele the AllowedConversion from the tree.
Query Service
- A service for querying the latest AllowedConversion, return (anchor, path, AllowedConversion).

Workflow from User's Perspective

Shielding transaction
- Query the latest timestamp for target asset(non-latest will be rejected in tx execution)
- Construct a target shielded note and shielding tx
- Add the note to shielded pool if tx executes successfully(check the prefix and the latest timestamp).
Converting transaction
- Construct spend notes from shielded notes
- Construct convert notes(query the latest AllowedConversion)
- Construct output notes
- Construct convert tx
- Get incentive output notes with latest timestamp and rewards if tx executes successfully
Unshielding transaction
- Construct unshielding transaction
- Get unshielded note if tx executes successfully(check the prefix)

Anoma Specifications