Module transfer_with_fee

Generates the zero-knowledge proofs required for a confidential transfer with a fee.

A confidential transfer with a fee is more complex than a simple transfer. It requires five distinct zero-knowledge proofs to ensure the validity of the transfer, the solvency of the sender, and the correctness of the fee amount according to the on-chain mint configuration.

Protocol Flow and Proof Components

1. Fee Calculation: The client first calculates the required fee based on the transfer amount and the on-chain fee parameters (rate and maximum cap).

2. Encrypt Amounts: The gross transfer amount and the fee amount are each split into low and high bit components. These components are then encrypted into separate grouped (twisted) ElGamal ciphertexts with the appropriate decryption handles for the involved parties (source, destination, auditor, and withdraw authority).

3. Generate Proofs: The sender generates five proofs that work in concert:

   • Transfer Amount Ciphertext Validity Proof (BatchedGroupedCiphertext3HandlesValidityProofData): Certifies that the grouped ElGamal ciphertext for the gross transfer amount is well-formed.

   • Fee Ciphertext Validity Proof (BatchedGroupedCiphertext2HandlesValidityProofData): Certifies that the grouped ElGamal ciphertext for the transfer fee is well-formed.

   • Fee Calculation Proof (PercentageWithCapProofData): It’s a “one-of-two” proof that certifies either:

     1. The fee_amount is exactly equal to the on-chain maximum_fee.
     2. The fee_amount was correctly calculated as a percentage of the transfer_amount, according to the on-chain fee_rate_basis_points.

     Note: The proof certifies that the transfer fee is a valid percentage of the transfer amount or that the fee is exactly the maximum fee. While the sender is expected to choose the lower of these two options, the proof does not enforce this choice.

   • Range Proof (BatchedRangeProofU256Data): This expanded range proof ensures the solvency of the entire transaction by certifying that all critical monetary values are non-negative. This includes the sender’s remaining balance, the gross transfer amount, the fee amount, and the net transfer amount that the destination receives.

   • Ciphertext-Commitment Equality Proof (CiphertextCommitmentEqualityProofData): Identical in purpose to the simple transfer, this proof links the sender’s remaining balance (as a homomorphically computed ElGamal ciphertext) to a new Pedersen commitment. This commitment is then used in the Range Proof to prove the sender’s solvency.

Structs

TransferWithFeeProofData

The proof data required for a confidential transfer instruction when the mint is extended for fees

Functions

transfer_with_fee_split_proof_data