Anonymous Assets
Bit Bank network allows for the issuance and transfer of anonymous assets with an arbitrary number of parameters. These tokens are anonymous, relying on zero-knowledge proofs to ensure validity without revealing any other information.
New tokens are created and destroyed every time you send an anonymous transaction. To send a transaction on Bit Bank, you must first issue a credential that commits to some value you have in your wallet. This is called the Mint phase. Once the credential is spent, it destroys itself: what is called the Burn.
Through this process, the link between inputs and outputs is broken.
Mint
During the Mint phase we create a new coin C , which is bound to the public key P. The coin C is publicly revealed on the blockchain and added to the merkle tree, which is stored locally on the Bit Bank wallet.
We do this using the following process:
Let v be the coin's value. Generate random rC, rV and serial ρ.
Create a commitment to these parameters in zero-knowledge:
Check that the value commitment is constructed correctly:
Reveal C and V. Add C to the Merkle tree.
Burn
When we spend the coin, we must ensure that the value of the coin cannot be double spent. We call this the Burn phase. The process relies on a N nullifier, which we create using the secret key x for the public key P. Nullifiers are unique per coin and prevent double spending. R is the Merkle root. v is the coin's value.
Generate a random number rV.
Check that the secret key corresponds to a public key:
Check that the public key corresponds to a coin which is in the merkle tree R:
Check that the value commitment is constructed correctly:
Reveal N, V and R. Check R is a valid Merkle root. Check N does not exist in the nullifier set.
The zero-knowledge proof confirms that N binds to an unrevealed value C, and that this coin is in the Merkle tree, without linking N to C. Once the nullifier is produced the coin becomes unspendable.
Adding values
Assets on Bit Bank can have any number of values or attributes. This is achieved by creating a credential C and hashing any number of values and checking that they are valid in zero-knowledge.
We check that the sum of the inputs equals the sum of the outputs. This means that:
And that B is a valid point on the curve G2.
This proves that B=0G1+bG2=bG2 where b is a secret blinding factor for the amounts.
Diagram
Last updated