Model

Let $Bulla$ be defined as in the section Bulla Commitments.

Let $P_{p}, F_{p}$ be defined as in the section Pallas and Vesta.

Coin

The coin contains the main parameters that define the Money::transfer() operation:

The public key $PK$ serves a dual role.
1. Protects receiver privacy from the sender since the corresponding secret key is used in the nullifier.
2. Authorizes the creation of the nullifier by the receiver.
The core parameters are the value $v$ and the token ID $τ$ .
The blinding factor $b$ is randomly selected, and guarantees uniqueness of the coin which is used in the nullifier.
To enable protocol owned liquidity, we define the spend hook $SH$ which adds a constraint that when the coin is spent, it must be called by the contract specified. The user data $UD$ can then be used by the parent contract to store additional parameters in the coin. If the parameter length exceeds the size of $F_{p}$ then a commit can be used here instead.

Define the coin attributes $Attrs_{Coin} . PK Attrs_{Coin} . v Attrs_{Coin} . τ Attrs_{Coin} . SH Attrs_{Coin} . UD Attrs_{Coin} . b \in P_{p} \in N_{64} \in F_{p} \in F_{p} \in F_{p} \in F_{p}$

pub struct CoinAttributes {
    pub public_key: PublicKey,
    pub value: u64,
    pub token_id: TokenId,
    pub spend_hook: FuncId,
    pub user_data: pallas::Base,
    /// Simultaneously blinds the coin and ensures uniqueness
    pub blind: BaseBlind,
}

$Coin : Attrs_{Coin} \to F_{p}$ $Coin (p) = Bulla (X (p . PK), Y (p . PK), N_{64} 2 F_{p} (p . v), p . τ, p . SH, p . UD, p . b)$

Define the clear input attributes $MoneyClearInput . v MoneyClearInput . T MoneyClearInput . v_{blind} MoneyClearInput . t_{blind} MoneyClearInput . Z \in N_{64} \in P_{p} \in F_{q} \in F_{p} \in P_{p}$

/// A contract call's clear input
pub struct ClearInput {
    /// Input's value (amount)
    pub value: u64,
    /// Input's token ID
    pub token_id: TokenId,
    /// Blinding factor for `value`
    pub value_blind: ScalarBlind,
    /// Blinding factor for `token_id`
    pub token_blind: BaseBlind,
    /// Public key for the signature
    pub signature_public: PublicKey,
}

Input

Define the input attributes $MoneyInput . V MoneyInput . T MoneyInput . N MoneyInput . R MoneyInput . h MoneyInput . U MoneyInput . Z \in P_{p} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in P_{p}$

/// A contract call's anonymous input
pub struct Input {
    /// Pedersen commitment for the input's value
    pub value_commit: pallas::Point,
    /// Commitment for the input's token ID
    pub token_commit: pallas::Base,
    /// Revealed nullifier
    pub nullifier: Nullifier,
    /// Revealed Merkle root
    pub merkle_root: MerkleNode,
    /// Encrypted user data field. An encrypted commitment to arbitrary data.
    /// When spend hook is nonzero, then this field may be used to pass data
    /// to the invoked contract.
    pub user_data_enc: pallas::Base,
    /// Public key for the signature
    pub signature_public: PublicKey,
}

Output

Let $AeadEncNote$ be defined as in In-band Secret Distribution.

Define the output attributes $MoneyOutput . V MoneyOutput . T MoneyOutput . C MoneyOutput . note \in P_{p} \in F_{p} \in F_{p} \in AeadEncNote$

/// A contract call's anonymous output
pub struct Output {
    /// Pedersen commitment for the output's value
    pub value_commit: pallas::Point,
    /// Commitment for the output's token ID
    pub token_commit: pallas::Base,
    /// Minted coin
    pub coin: Coin,
    /// AEAD encrypted note
    pub note: AeadEncryptedNote,
}

The DarkFi Book

Model

Coin

Inputs and Outputs

Clear Input

Input

Output