FilipLaurentiu/vault_wallet

Note

Note {
  version: Felt,
  key: AffinePointCompressed,
  R: AffinePointCompressed,
  commitment: AffinePointCompressed,
  enc_amount: Felt,
  message_id: Option<U256>
}

AffinePointCompressed {
  x: Felt,
  y_parity: bool,
}

Encrypted amount

In order to remain hidden from everyone who looks at the note, apart from the spender and the receiver, the amount on the note needs to be encrypted.

The amount is encrypted as follows: $$dh\_key = r * K^v$$ $$domain\_separator = poseidon\_hash("amount", poseidon\_hash(dh\_key.x, dh\_key.y))$$ $$enc\_amount = v^{domain\_separator}$$

The receiver can compute the same hash of the shared key, compute its inverse, and multiply the inverse by enc_amount to recover the note's actual value.

Commitment

A Note contains a Pedersen commitment that forces the spender of the note not to spend more than the note's value.

The commitment C is computed as follows:

$C = bG + vH$

For:

  • $G$ - Generator of the STARK Curve
  • $H$ - the hash-to-curve point for each token, generated according to the Simplified Shallue-van de Woestijne-Ulas method (section 6.6.2 of the hash-to-curve specification). The relation between G and H must be unknown. The H point is chain-specific: the testnet value differs from the mainnet value, to rule out any possibility of a replay attack.
  • $v$ - the value represented as Felt
  • $b$ - blinding factor

The blinding factor b is computed by the spender of the note as follows:

$$dh\_key = r * K^v$$ $$b = poseidon\_hash("blinding", poseidon\_hash(dh\_key.x, dh\_key.y))$$

The receiver now has the value of $b$; he can compute $[bG]$ and subtract it from the commitment. What is left is the $[vH]$ point. The receiver can then compute the inverse of $v$ and multiply $[v*H]$ by that inverse, $v^{-1}$, to get the point $H$, which corresponds to a token address.

Balance input and output commitments

Pedersen commitments are additively homomorphic: this means that we can add the input commitments and the result should equal the sum of the output commitments, up to a small adjustment. Say we have $m$ input notes with their corresponding commitments, and $n$ output notes with their corresponding commitments.

This means that the input commitments sum to: $$ \sum_{i=0}^m C^{in}_i = \sum_{i=0}^m [b^{in}_i * G] + \sum_{i=0}^m [v^{in}_i * H] $$

And the output commitments sum to: $$ \sum_{i=0}^n C^{out}_i = \sum_{i=0}^n [b^{out}_i * G] + \sum_{i=0}^n [v^{out}_i * H] $$

We need to make sure that the input amounts equal the output amounts, so that subtracting one from the other gives 0: $$ \sum_{i=0}^m C^{in}_i - \sum_{i=0}^n C^{out}_i $$ $$ = \left(\sum_{i=0}^m [b^{in}_i * G] - \sum_{i=0}^n [b^{out}_i * G]\right) + \left(\sum_{i=0}^m [v^{in}_i * H] - \sum_{i=0}^n [v^{out}_i * H]\right) $$

$$ = \left(\sum_{i=0}^m b^{in}_i - \sum_{i=0}^n b^{out}_i\right) G + \left(\sum_{i=0}^m v^{in}_i - \sum_{i=0}^n v^{out}_i\right) H $$

$$ = 0 $$

If the spender is honest, the amount terms $\left(\sum_{i=0}^m [v^{in}_i * H] - \sum_{i=0}^n [v^{out}_i * H]\right)$ cancel each other and we are left with just the sum of the blinding factors $\sum_{i=0}^m [b^{in}_i * G] - \sum_{i=0}^n [b^{out}_i * G]$.

This sum will not cancel out, because the blinding factors are not meant to cancel each other. But we can do something about that. The spender knows the blinding factors, so we can add a new term that cancels them. The spender must prove that he knows the scalar behind this new point; let's call the new term $Z$, and it equals $\sum_{i=0}^m [b^{in}_i * G] - \sum_{i=0}^n [b^{out}_i * G]$. What is left for the spender to do is to prove that he knows the scalar $z$ for the point $Z = [z*G]$, and the easiest way to do this is to sign a message using $z$ as the private key. Note that the user can't just compute the point and then derive the scalar for that point; he must know the value of each blinding factor to do so.

Let's recap and check that everything now balances. Our commitments now look like this:

$$ \sum_{i=0}^m C^{in}_i - \sum_{i=0}^n C^{out}_i - Z = 0 $$
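The amount encryption, the blinding-factor and commitment construction, and the input/output balance check with the $Z$ term, carried through end to end on the STARK curve, as an added example that is not the vault_wallet project's own code. Assumptions not taken from the README: SHA-256 (the `h` helper) stands in for poseidon_hash; `H` is derived as a scalar multiple of `G` only to keep the demo short (the real scheme needs hash-to-curve so that the relation is unknown); the viewing key `k_v`/`K_v`, the `r` values, the amounts and the message are constructed; and a Schnorr-style signature is one concrete way of "signing with z". The encryption step implements the field multiplication that the decryption description (multiply by the inverse of the hash) relies on.

```python
import hashlib
import secrets

# STARK curve y^2 = x^3 + x + BETA over F_P; G generates a group of prime order N
P = 2**251 + 17 * 2**192 + 1
BETA = 3141592653589793238462643383279502884197169399375105820974944592307816406665
N = 3618502788666131213697322783095070105526743751716087489154079457884512865583
G = (874739451078007766457464989774322083649278607533249481151382481072868806602,
     152666792071518830868575557812948353041420400780739481342941381225525861407)

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, P) % P  # doubling, curve alpha = 1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add; a negative scalar multiplies the negated point."""
    if k < 0:
        k, pt = -k, ec_neg(pt)
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):
    """ASSUMPTION: SHA-256 stands in for poseidon_hash; output reduced into F_P."""
    m = hashlib.sha256()
    for part in parts:
        m.update(part.encode() if isinstance(part, str) else part.to_bytes(32, "big"))
    return int.from_bytes(m.digest(), "big") % P

def shared_secret(scalar, point):
    # hash(dh_key) for dh_key = scalar * point: sender uses (r, K_v), receiver (k_v, R)
    dh = ec_mul(scalar, point)
    return h(dh[0], dh[1])

def encrypt_amount(v, secret):
    # README writes v^{domain_separator}; its decryption step multiplies by the
    # hash's inverse, so field multiplication is what this demo implements.
    return v * h("amount", secret) % P

def decrypt_amount(enc_amount, secret):
    return enc_amount * pow(h("amount", secret), -1, P) % P

def commitment(v, secret, H):
    """C = bG + vH with b = poseidon_hash("blinding", hash(dh_key)); returns (C, b)."""
    b = h("blinding", secret)
    return ec_add(ec_mul(b, G), ec_mul(v, H)), b

def recover_token_point(C, b, v):
    """Receiver side: C - bG = vH, then v^{-1} (mod N) * vH = H."""
    return ec_mul(pow(v, -1, N), ec_add(C, ec_neg(ec_mul(b, G))))

def balance_excess(inputs, outputs):
    """sum(C_in) - sum(C_out); equals Z = zG exactly when the amounts balance."""
    acc = None
    for C in list(inputs) + [ec_neg(C) for C in outputs]:
        acc = ec_add(acc, C)
    return acc

def sign_z(z, msg):
    """Schnorr-style signature with z as the private key (assumed proof of knowledge)."""
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return R, (k + (h(R[0], R[1], msg) % N) * z) % N

def verify_z(Z, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(h(R[0], R[1], msg) % N, Z))

def demo():
    """Constructed walkthrough: one receiver, two input notes spent into two outputs."""
    k_v = 0x1234                      # receiver's viewing key (demo value)
    K_v = ec_mul(k_v, G)
    # DEMO ONLY: H as a known multiple of G breaks binding; the README derives H by
    # hash-to-curve (SSWU) precisely so that its relation to G stays unknown.
    H = ec_mul(h("token-demo"), G)
    notes, checks = {}, []
    for tag, r, v in [("in", 0x51, 1000), ("in", 0x52, 500), ("out", 0x61, 1200), ("out", 0x62, 300)]:
        secret = shared_secret(r, K_v)
        C, b = commitment(v, secret, H)
        # receiver side: same secret from (k_v, R), amount decrypts, token point recovers
        checks.append(shared_secret(k_v, ec_mul(r, G)) == secret
                      and decrypt_amount(encrypt_amount(v, secret), secret) == v
                      and recover_token_point(C, b, v) == H)
        notes.setdefault(tag, []).append((C, b))
    z = (sum(b for _, b in notes["in"]) - sum(b for _, b in notes["out"])) % N
    Z = ec_mul(z, G)
    cin, cout = [C for C, _ in notes["in"]], [C for C, _ in notes["out"]]
    honest = balance_excess(cin, cout) == Z and verify_z(Z, "tx-demo", sign_z(z, "tx-demo"))
    # overspend attempt: same blinding factors, but the first output claims 1201
    bad = [commitment(1201, shared_secret(0x61, K_v), H)[0], cout[1]]
    return {"receiver": all(checks), "honest": honest,
            "overspend": balance_excess(cin, bad) == Z}
```

`demo()` returns `receiver=True` (the receiver recomputes the shared secret from `(k_v, R)`, decrypts the amount and recovers `H`), `honest=True` (1000 + 500 in, 1200 + 300 out, so the excess is exactly `Z` and the signature under `z` verifies) and `overspend=False` (with one output inflated to 1201 the excess becomes `Z - H`, so the check fails even though the blinding factors are unchanged). The verifier never learns any `b`, `v` or `z`; it only sees commitment points, `Z` and the signature.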

About

VAULT - Verified Anonymous User Ledger Transactions
