Scheme

Vest
Withdraw
Forfeit

Let $Params_{VC}, Bulla_{VC}$ be defined as in Vesting Configuration Model.

Let $Coin$ be defined as in the section Coin.

Let $P_{p}, F_{p}, X, Y, B ⁶⁴ 2 F ₚ$ be defined as in the section Pallas and Vesta.

Let $t_{0} = BlockWindow \in F_{p}$ be the current blockwindow as defined in Blockwindow.

Let $PoseidonHash$ be defined as in the section PoseidonHash Function.

Let $ElGamal.Encrypt, ElGamalEncNote_{k}$ be defined as in the section Verifiable In-Band Secret Distribution.

Denote the Vesting contract ID by $CID_{V} \in F_{p}$ and its Exec function spend hook by $SH_{V} \in F_{p}$ .

Vest

This function creates a vesting configuration bulla $B_{VC}$ . We commit to the vesting configuration params and then add the bulla to the set, along with the vested coin $Coin$ minted by the child Money::transfer() call. Each vesting configuration keeps track of its minted coins, to ensure that only those can be burned in next actions, creating a sequence of coins, enabling the contract to keep track of remaining balances anonymously. Additionally, we verify the minted vesting coin is encrypted for the configuration shared secret key, ensuring both parties have access to it.

Wallet builder: TODO: add client path
WASM VM code: TODO: add entrypoint path
ZK proof: TODO: add proof path

Function Params

Define the vest function params $B_{VC} SPK \in im (Bulla_{VC}) \in P_{p}$

TODO: Add call params path

Contract Statement

Vesting configuration bulla uniqueness whether $B_{VC}$ already exists. If yes then fail.

Let there be a prover auxiliary witness inputs: $V A x V P K S x τ T C S E V b_{VC} b_{Coin} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in N_{64} \in N_{64} \in N_{64} \in N_{64} \in N_{64} \in F_{p} \in F_{p}$

Attach a proof $π$ such that the following relations hold:

Proof that start blockwindow is greater than current blockwindow $S > t_{0}$ .

Proof that end blockwindow is greater than start blockwindow $E > S$ .

Proof that total is greater than cliff $T >= C$ .

Proof that blockwindow value is valid $T == (E - S) * V + C$ .

Proof of vesting authority public key ownership $VAPK = DerivePubKey (V A x)$ .

Proof of shared secret public key ownership $SPK = DerivePubKey (S x)$ .

Vesting configuration bulla integrity $B = Bulla_{VC} (X (p . VAPK), Y (p . VAPK), X (p . VPK), Y (p . VPK), X (p . SPK), Y (p . SPK), t, T, C, S, E, V, b_{VC})$

Minted vested coin integrity $C o in = PoseidonHash (X (p . SPK), Y (p . SPK), T, t, CID_{V}, SH_{V}, B, b_{Coin})$

Verifiable vested coin note encryption let $n = (c . v, c . τ, c . SH, c . UD, c . n)$ , and verify $a = ElGamal . Encrypt (n, esk, d . SPK)$ .

Signatures

There should be a single signature attached, which uses $SPK$ as the signature public key.

Withdraw

This function enables the vestee to withdraw the corresponding unlocked value up to that blockwindow. The child Money::transfer() call must contain a single input, the vested coin we burn, and two outputs. The first one being the withdrawed one while the second one is the remaining vested balance coin. Both coins values are verified by the vesting configuration rules, and we store the second one as the current vested coin, to burn in next actions. Additionally, we verify the second/vested coin is encrypted for the configuration shared secret key, ensuring both parties have access to it.

Wallet builder: TODO: add client path
WASM VM code: TODO: add entrypoint path
ZK proof: TODO: add proof path

Function Params

Define the withdraw function params $B_{VC} SPK \in im (Bulla_{VC}) \in P_{p}$

TODO: Add call params path

Contract Statement

Vesting configuration bulla existance whether $B_{VC}$ exists. If no then fail.

Burned vested coin existance whether the burned coin $BCoin$ matches the vesting configuration record one. If no then fail.

Let there be a prover auxiliary witness inputs: $V A P K V x S x τ T C S E V b_{VC} B v b_{BCoin} x_{c} C v b_{Coin} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in N_{64} \in N_{64} \in N_{64} \in N_{64} \in N_{64} \in F_{p} \in N_{64} \in F_{p} \in F_{p} \in N_{64} \in F_{p}$

Attach a proof $π$ such that the following relations hold:

Proof of vestee public key ownership $VPK = DerivePubKey (V x)$ .

Proof of shared secret public key ownership $SPK = DerivePubKey (S x)$ .

Vesting configuration bulla integrity $B = Bulla_{VC} (X (p . VAPK), Y (p . VAPK), X (p . VPK), Y (p . VPK), X (p . SPK), Y (p . SPK), t, T, C, C b, S, E, V, b_{VC})$

Proof that current blockwindow is greater than start blockwindow $t_{0} >= S$ .

TODO: cond_select statement to pick current or end blockwindow

Proof of withdraw amount correctness $C u rre n tBl oc k w in d o w = C o n d S e l ec t (Bl oc k w in d o wC o n d, t_{0}, E); Bl oc k w in d o w s P a sse d = C u rre n tBl oc k w in d o w - S; A v ai l ab l e = (Bl oc k w in d o w s P a sse d * V) + C; Wi t h d r a w n = T - B v; Wi t h d r a wlC o inVa l u e = A v ai l ab l e - Wi t h d r a w n; V es t in g C han g e Va l u e = T - (Wi t h d r a w n + Wi t h d r a wlC o inVa l u e);$

Verify the child Money::transfer() call correctnes:

Burned vested coin integrity $BC o in = PoseidonHash (X (p . SPK), Y (p . SPK), B v, t, CID_{V}, SH_{V}, B, b_{Coin})$

Burned vested coin nullifier integrity $N = PoseidonHash (x_{c}, BC o in)$

Minted vested coin integrity $C o in = PoseidonHash (X (p . SPK), Y (p . SPK), V es t in g C han g e Va l u e, t, CID_{V}, SH_{V}, B, b_{Coin})$

Verifiable vested coin note encryption let $n = (c . v, c . τ, c . SH, c . UD, c . n)$ , and verify $a = ElGamal . Encrypt (n, esk, d . SPK)$ .

Signatures

There should be a single signature attached, which uses $SPK$ as the signature public key.

Forfeit

This function enables the vesting authority to forfeit a vesting configuration, withdrawing the rest of vested value. The child Money::transfer() call must containg a single input, the vested coin we burn, and a single output, the newlly minted coin. Both coins values are verified by the vesting configuration rules, and we remove the vesting configuration bulla $B_{VC}$ entry from the set.

Wallet builder: TODO: add client path
WASM VM code: TODO: add entrypoint path
ZK proof: TODO: add proof path

Function Params

Define the vest function params $B_{VC} SPK \in im (Bulla_{VC}) \in P_{p}$

TODO: Add call params path

Contract Statement

Vesting configuration bulla existance whether $B_{VC}$ exists. If no then fail.

Burned vested coin existance whether the burned coin $BCoin$ matches the vesting configuration record one. If no then fail.

Let there be a prover auxiliary witness inputs: $V A x V P K S x τ T C S E V b_{VC} b_{BCoin} x_{c} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in N_{64} \in N_{64} \in N_{64} \in N_{64} \in N_{64} \in F_{p} B v \in F_{p} \in F_{p} \in N_{64}$

Attach a proof $π$ such that the following relations hold:

Proof of vesting authority public key ownership $VAPK = DerivePubKey (V A x)$ .

Proof of shared secret public key ownership $SPK = DerivePubKey (S x)$ .

Vesting configuration bulla integrity $B = Bulla_{VC} (X (p . VAPK), Y (p . VAPK), X (p . VPK), Y (p . VPK), X (p . SPK), Y (p . SPK), t, T, C, S, E, V, b_{VC})$

Proof of forfeit amount correctness $F or f e i t Va l u e = T - B v$

Verify the child Money::transfer() call correctnes:

Burned vested coin integrity $BC o in = PoseidonHash (X (p . SPK), Y (p . SPK), F or f e i t Va l u e, t, CID_{V}, SH_{V}, B, b_{Coin})$

Burned vested coin nullifier integrity $N = PoseidonHash (x_{c}, BC o in)$

Minted coin integrity let $c . CID, c . SH, c . UD$ be the vesting authority chosen Contract ID, spend hook and user data for the minted coin, and verify $C o in = PoseidonHash (X (p . VAPK), Y (p . VAPK), F or f e i t Va l u e, t, CID, SH, UD, b_{Coin})$

Signatures

There should be a single signature attached, which uses $SPK$ as the signature public key.

Keyboard shortcuts

The DarkFi Book