Problem
To help bootstrap a usable ZkVM system we probably need a simpler "send to address" feature that the sender can use without any interaction with the recipient, just like it works in Bitcoin, Stellar and Ethereum.
In the ZkVM case, the asset flavor and quantity are hidden inside Pedersen commitments, so the recipient can only spend an output if it also learns the plaintext values and the blinding factors behind those commitments.
Proposal
Recipient provides a pair of ristretto255 elements: address predicate A and encryption key K. Recipient holds corresponding secret scalars a and k.
Sender creates a random nonce n (scalar for ristretto255) and corresponding pubkey N=n*B, where B is a standard ristretto255 base point.
Sender computes a secret Merlin/STROBE transcript t seeded with the DH operation encode(n * K).
Sender derives from t the blinding factors for flavor and quantity, and also a 40-byte one-time pad p for symmetric encryption of the flavor and quantity. There is no need for an AEAD cipher: the Pedersen commitments themselves provide the integrity check, as long as the recipient verifies the decrypted values against the commitments in the output instead of trusting the decryption alone. The nonce n must be fresh for every payment; reusing it with the same K would reuse the pad.
Sender XORs the one-time pad p with the 32-byte flavor followed by the 8-byte quantity, producing the 40-byte ciphertext c.
Sender encodes c (40 bytes) and N (32 bytes) in the txlog as a data entry.
Recipient detects a transaction with the expected address, reads c and N from the txlog.
Recipient restores the secret transcript t by seeding it with the DH operation encode(N*k), using their secret scalar k (N*k = n*k*B = n*K, so both sides derive the same transcript).
Recipient derives the blinding factors for flavor and quantity, and the pad p, from t.
Recipient decrypts the flavor and quantity from c, and checks that the output's commitments are correct with respect to these values and blinding factors. A failed check means the entry was not addressed to this key or was tampered with, and the entry is ignored.
Recipient records the blinding factors in its wallet DB for later use when the values are going to be spent.
Note: to avoid expensive blockchain scanning, this proposal ignores the issue of linkable addresses and assumes the recipient generates a fresh unique address for each payment request. This proposal does not implement a stealth address scheme.
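The full sender/recipient exchange described above, as an added example that is not ZkVM's own code. It runs on the Python standard library only, so it makes these labelled substitutions: affine Ed25519 arithmetic with cofactor clearing stands in for ristretto255, a SHAKE256 squeeze over a made-up domain label stands in for the Merlin/STROBE transcript, and the blinding generator H is hashed to the curve under an assumed label. All function names (sender_pay, recipient_receive, derive, commit) are hypothetical. The recipient side performs the commitment check from the last step and returns None for entries that are not for its key or have been tampered with.

```python
import hashlib
import secrets

P = 2**255 - 19                                        # Ed25519 field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the prime-order subgroup
D = (-121665 * pow(121666, P - 2, P)) % P              # Edwards curve constant d
IDENTITY = (0, 1)

def _recover_x(y, sign):
    """x for y on -x^2 + y^2 = 1 + d x^2 y^2 with the requested parity, or None."""
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = pow(u * pow(v, P - 2, P), (P + 3) // 8, P)
    if (v * x * x - u) % P != 0:
        x = x * pow(2, (P - 1) // 4, P) % P            # multiply by sqrt(-1)
    if (v * x * x - u) % P != 0:
        return None
    return x if (x & 1) == sign else (P - x) % P

def add(p, q):
    """Affine twisted-Edwards addition (a = -1): slow, but short enough for an example."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    r = IDENTITY
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def encode(pt):
    """32-byte encoding: y little-endian with the parity of x in the top bit."""
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def decode(enc):
    """Inverse of encode(); None for a malformed or off-curve encoding."""
    v = int.from_bytes(enc, "little")
    y, sign = v & ((1 << 255) - 1), v >> 255
    x = _recover_x(y, sign) if y < P else None
    return None if x is None else (x, y)

# B is the standard Ed25519 base point (y = 4/5). H, the blinding generator, is hashed
# to the curve (try-and-increment, cofactor cleared) so that log_B(H) is unknown.
_BY = 4 * pow(5, P - 2, P) % P
B = (_recover_x(_BY, 0), _BY)

def _hash_to_point(label):
    for i in range(256):
        y = int.from_bytes(hashlib.sha512(label + bytes([i])).digest()[:32], "little") % P
        x = _recover_x(y, 0)
        if x is not None:
            return mul(8, (x, y))
    raise RuntimeError("no curve point found")

H = _hash_to_point(b"zkvm-example-blinding-generator")   # assumed label, not ZkVM's

def commit(value, blinding):
    """Pedersen commitment value*B + blinding*H."""
    return add(mul(value, B), mul(blinding, H))

def derive(shared_secret):
    """Stand-in for the Merlin/STROBE transcript t seeded with the encoded DH point:
    one SHAKE256 squeeze gives r_flv, r_qty (scalars mod L) and the 40-byte pad p."""
    out = hashlib.shake_256(b"zkvm-send-to-address-example" + shared_secret).digest(104)
    return (int.from_bytes(out[:32], "little") % L,
            int.from_bytes(out[32:64], "little") % L, out[64:])

def recipient_keygen():
    """Secrets (a, k) and the published pair (A, K); A is the address predicate."""
    a, k = secrets.randbelow(L - 1) + 1, secrets.randbelow(L - 1) + 1
    return (a, k), (mul(a, B), mul(k, B))

def sender_pay(K, flv, qty):
    """Sender: returns (C_flv, C_qty, data_entry). The fresh nonce n per payment is
    what keeps the pad one-time; reusing n with the same K would leak flv XOR flv'."""
    n = secrets.randbelow(L - 1) + 1
    r_flv, r_qty, pad = derive(encode(mul(n, K)))
    plaintext = flv.to_bytes(32, "little") + qty.to_bytes(8, "little")
    c = bytes(x ^ y for x, y in zip(plaintext, pad))
    return commit(flv, r_flv), commit(qty, r_qty), c + encode(mul(n, B))

def recipient_receive(k, C_flv, C_qty, data_entry):
    """Recipient: (flv, qty, r_flv, r_qty) for the wallet DB, or None when the decrypted
    values do not open the on-chain commitments (foreign or tampered entry)."""
    if len(data_entry) != 72:
        return None
    c, N = data_entry[:40], decode(data_entry[40:])
    # ristretto255 has no small-subgroup points; plain Ed25519 does, so reject them here.
    if N is None or N == IDENTITY or mul(L, N) != IDENTITY:
        return None
    r_flv, r_qty, pad = derive(encode(mul(k, N)))
    pt = bytes(x ^ y for x, y in zip(c, pad))
    flv, qty = int.from_bytes(pt[:32], "little"), int.from_bytes(pt[32:], "little")
    if flv >= L or commit(flv, r_flv) != C_flv or commit(qty, r_qty) != C_qty:
        return None
    return flv, qty, r_flv, r_qty
```

The two commitments returned by sender_pay stand for the flavor and quantity commitments carried in the output itself; recipient_receive takes them from there, never from the data entry, which is why a flipped bit in c or an entry built for somebody else's K fails the check instead of producing bogus wallet state. The small-subgroup check on N is only needed because the example uses raw Ed25519 points; ristretto255 rules those encodings out by construction.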