Generates the zero-knowledge proofs required for a confidential burn.
A confidential burn operation removes tokens from a user’s confidential balance and decreases the token’s total supply. This process requires three distinct zero-knowledge proofs to ensure the operation is valid, the user is solvent, and the token supply is updated correctly.
Protocol Flow and Proof Components

- Encrypt Burn Amount: The burn amount is encrypted in a grouped (twisted) ElGamal ciphertext. This single encryption yields the `burn_amount` ciphertext that is both subtracted from the user's account and added to the mint's `pending_burn` accumulator, which is later subtracted from the total supply.
- Homomorphic Calculation: The client homomorphically computes its new encrypted balance by subtracting the source-encrypted component of the `burn_amount` ciphertext from its current `available_balance` ciphertext.
- Generate Proofs: The user generates three proofs:
  - Batched Grouped Ciphertext Validity Proof: certifies that the grouped ElGamal ciphertext for the `burn_amount` is well-formed and was correctly encrypted under the source, supply, and auditor public keys, so all three parties decrypt the same amount.
  - Ciphertext-Commitment Equality Proof: provides the cryptographic link needed for the solvency check. After the new balance is computed homomorphically, the prover no longer knows the Pedersen opening of the resulting commitment. To perform a range proof, the prover creates a fresh Pedersen commitment to the `remaining_balance` (with an opening it does know) and uses this proof to certify that the homomorphically computed ciphertext and the fresh commitment hide the same value. Without this link the range proof would be over a commitment unrelated to the actual balance ciphertext.
  - Range Proof (`BatchedRangeProofU128`): the core solvency check. It certifies that the user's `remaining_balance` is non-negative, i.e. lies in the range `[0, 2^64)`, which makes it cryptographically impossible to burn more tokens than the account holds. It also proves that the `burn_amount` itself is a valid 48-bit number.
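The three steps above, worked through as an added example that is not code from this crate or from token-2022. It models the algebra each proof is about (twisted ElGamal with three decryption handles, the homomorphic subtraction, why the prover cannot open the resulting commitment, and the integer statement the range proof certifies) in a toy multiplicative group Z_p^* with p = 2^61 - 1 instead of Ristretto, so it is not secure and does not produce the zero-knowledge proofs themselves; the checks are done with the secret keys in hand, which a real verifier never has. The key secrets, Pedersen openings, and balances are constructed, and the 16-bit low / 32-bit high split of the 48-bit amount is an assumption of this example (the page only states the 48-bit bound).

```rust
// Toy group: Z_p^* for the Mersenne prime p = 2^61 - 1. NOT secure; illustration only.
const P: u128 = (1u128 << 61) - 1;
const ORDER: u128 = P - 1; // order of Z_p^*
const G: u128 = 7;         // base for the hidden value
const H: u128 = 11;        // base for the Pedersen opening

fn mul(a: u128, b: u128) -> u128 { (a % P) * (b % P) % P }
fn pow(mut b: u128, mut e: u128) -> u128 {
    let mut acc = 1;
    while e > 0 { if e & 1 == 1 { acc = mul(acc, b); } b = mul(b, b); e >>= 1; }
    acc
}
fn inv(x: u128) -> u128 { pow(x, P - 2) }
/// Lifts an integer (negative for an overdraft) to an exponent mod ORDER.
fn exp(m: i128) -> u128 { m.rem_euclid(ORDER as i128) as u128 }
/// s^-1 mod ORDER by extended Euclid; the constructed secrets are primes > 1321, so coprime with ORDER.
fn scalar_inv(s: u128) -> u128 {
    let (mut r0, mut r1, mut t0, mut t1) = (ORDER as i128, s as i128, 0i128, 1i128);
    while r1 != 0 {
        let q = r0 / r1;
        (r0, r1, t0, t1) = (r1, r0 - q * r1, t1, t0 - q * t1);
    }
    assert_eq!(r0, 1, "secret must be coprime with ORDER");
    t0.rem_euclid(ORDER as i128) as u128
}

#[derive(Clone, Copy)]
struct Keypair { secret: u128, public: u128 }
/// Twisted ElGamal key: public = H^(1/secret), so a handle D = public^r satisfies D^secret = H^r.
fn keygen(secret: u128) -> Keypair { Keypair { secret, public: pow(H, scalar_inv(secret)) } }

/// (Pedersen commitment G^m H^r, decryption handle public^r) for one party.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Ciphertext { commitment: u128, handle: u128 }
fn commit(m: i128, r: u128) -> u128 { mul(pow(G, exp(m)), pow(H, r)) }
fn encrypt(m: i128, r: u128, public: u128) -> Ciphertext { Ciphertext { commitment: commit(m, r), handle: pow(public, r) } }
/// Grouped ciphertext: one commitment and three handles (source, supply, auditor) under one opening r.
struct Grouped { commitment: u128, source: u128, supply: u128, auditor: u128 }
fn encrypt_grouped(m: u64, r: u128, keys: &[Keypair; 3]) -> Grouped {
    let h = |k: &Keypair| pow(k.public, r);
    Grouped { commitment: commit(m as i128, r), source: h(&keys[0]), supply: h(&keys[1]), auditor: h(&keys[2]) }
}
// Homomorphic operations: adding/subtracting plaintexts multiplies/divides components; scaling exponentiates.
fn add(a: Ciphertext, b: Ciphertext) -> Ciphertext { Ciphertext { commitment: mul(a.commitment, b.commitment), handle: mul(a.handle, b.handle) } }
fn sub(a: Ciphertext, b: Ciphertext) -> Ciphertext { Ciphertext { commitment: mul(a.commitment, inv(b.commitment)), handle: mul(a.handle, inv(b.handle)) } }
fn scale(a: Ciphertext, k: u128) -> Ciphertext { Ciphertext { commitment: pow(a.commitment, k), handle: pow(a.handle, k) } }
/// The secret holder computes C / D^s = G^m and compares it with a candidate m.
fn decrypts_to(ct: Ciphertext, secret: u128, m: i128) -> bool { mul(ct.commitment, inv(pow(ct.handle, secret))) == pow(G, exp(m)) }

/// Assumption of this example: the 48-bit amount is carried as a 16-bit low and a 32-bit high part.
pub fn split_burn_amount(amount: u64) -> Option<(u16, u32)> {
    if amount >> 48 != 0 { return None; }
    Some(((amount & 0xFFFF) as u16, (amount >> 16) as u32))
}
/// The integer statement BatchedRangeProofU128 certifies (a real proof certifies it over commitments).
pub fn range_statement_holds(remaining: i128, lo: u64, hi: u64) -> bool {
    (0..(1i128 << 64)).contains(&remaining) && lo < (1 << 16) && hi < (1 << 32)
}

pub struct BurnCheck { pub remaining: i128, pub handles_agree: bool, pub equality_holds: bool, pub old_opening_needed: bool, pub solvent: bool }

pub fn confidential_burn(balance: u64, burn: u64) -> Option<BurnCheck> {
    let keys = [keygen(104_729), keygen(1_299_709), keygen(15_485_863)]; // source, supply, auditor (constructed)
    // Constructed available_balance: encrypted to the source key by an earlier depositor with an opening the
    // account owner never learns (it can decrypt the value but cannot recover the opening).
    let hidden_opening: u128 = 0x5EED_1234_5678;
    let available_balance = encrypt(balance as i128, hidden_opening, keys[0].public);

    // 1. Encrypt the burn amount as grouped ciphertexts under fresh openings the prover knows.
    let (lo, hi) = split_burn_amount(burn)?;
    let (r_lo, r_hi) = (0xA11CE_u128, 0xB0B_u128);
    let (g_lo, g_hi) = (encrypt_grouped(lo as u64, r_lo, &keys), encrypt_grouped(hi as u64, r_hi, &keys));

    // 2. Homomorphic update using only the source components: new = balance - (lo + 2^16 * hi).
    let src = |g: &Grouped| Ciphertext { commitment: g.commitment, handle: g.source };
    let new_balance = sub(available_balance, add(src(&g_lo), scale(src(&g_hi), 1 << 16)));
    let remaining = balance as i128 - burn as i128;

    // 3a. Validity proof statement: every handle of each grouped ciphertext decrypts to the same amount.
    let party = |g: &Grouped, i: usize| Ciphertext { commitment: g.commitment, handle: [g.source, g.supply, g.auditor][i] };
    let handles_agree = (0..3).all(|i| decrypts_to(party(&g_lo, i), keys[i].secret, lo as i128)
        && decrypts_to(party(&g_hi, i), keys[i].secret, hi as i128));
    // 3b. Equality proof statement: the homomorphic result opens only with (hidden_opening - r_lo - 2^16 r_hi),
    //     so the prover re-commits `remaining` under a fresh opening and proves both hide the same value.
    let derived_opening = exp(hidden_opening as i128 - r_lo as i128 - ((r_hi as i128) << 16));
    let old_opening_needed = new_balance.commitment == commit(remaining, derived_opening);
    let r_fresh = 0xC0FFEE_u128;
    let equality_holds = decrypts_to(new_balance, keys[0].secret, remaining) && commit(remaining, r_fresh) == commit(remaining, r_fresh);
    // 3c. Range proof statement: the solvency check. On the real 252-bit group a negative `remaining`
    //     wraps to a huge scalar, so no commitment to it can satisfy the [0, 2^64) bound.
    let solvent = range_statement_holds(remaining, lo as u64, hi as u64);
    Some(BurnCheck { remaining, handles_agree, equality_holds, old_opening_needed, solvent })
}

fn main() {
    let ok = confidential_burn(1_000_000, 250_000).unwrap();
    println!("remaining={} solvent={} handles_agree={}", ok.remaining, ok.solvent, ok.handles_agree);
    let overdraft = confidential_burn(100, 250).unwrap();
    println!("remaining={} solvent={}", overdraft.remaining, overdraft.solvent);
}
```

The overdraft run shows why the range proof is the solvency check: the validity and equality statements still hold for a burn of 250 against a balance of 100 (the ciphertexts are perfectly well-formed and decrypt to -150), and only the `[0, 2^64)` bound on `remaining_balance` rejects it.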
Structs

- `BurnProofData`: The proof data required for a confidential burn instruction.