Note Encryption and Decryption
The note plaintext is where d
is the diversifier of the note owner, v
is the plaintext value of the note, rcm
is the randomness used for the note commitment and memo. The note plaintext is encrypted using a symmetric key and becomes in the Output Description
. The sender of the transaction knows the full address of the recipient, (, ), and creates this shared secret by doing:
- Sender chooses a random number to create an ephemeral secret key (esk)
- Create an ephemeral public key (epk) by using scalar multiplication between the diversifier of the recipient represented as a field point and esk. This ephemeral public key is a publicly known component of the Output Description and is seen by everyone.
- Note: is the diversifier,
d
, represented as a field a point on the JubJub curve so we can do scalar multiplication (elliptic curve multiplication) using it
- Note: is the diversifier,
- Derive
shared_secret
using Diffie Hellman Key Exchange between and (diversified public address of the recipient)- The public key portion of the full public address, , is derived by multiplying the diversifier with the incoming view key
(ivk)
, meaning - Therefore, each party has the same information to get to the shared secret
- Remember that where is the diversifier
- The sender calculates
- The recipient calculates
- The public key portion of the full public address, , is derived by multiplying the diversifier with the incoming view key
- Now that each party has a shared secret they both can calculate using their own secret information and the ephemeral public key, to get the symmetric encryption key to encrypt the note plaintext, we hash the shared secret with the ephemeral public key
- Using the encryption_key the sender uses symmetric encryption to calculate that is part of the Output Description
- Anyone who possesses the recipient’s incoming view key (ivk) can decrypt and see the plaintext value of the note as they can calculate the
shared_secret
and get the symmetric encryption key - To make the sender’s outgoing viewing key (ovk) useful, we also include as part of the Output Description
- Remember that the sender calculates their
shared_secret
using and so that is the necessary information we need to hide in - Here we also create a symmetric encryption key, by hashing (using Blake2b) the value commitment
(cv)
, the field element version of the note commitment(cmu)
, and the ephemeral public key(epk)
- symmetric_encryption_key = Black2b_hasher(buffer = ovk, cv, cmu, epk)
- Notice that the symmetric_encryption_key is created using all public values and the sender’s outgoing viewing key (ovk) so one must have access to the outgoing view key to decrypt the note sent by the sender
- Now that the sender has their symmetric_encryption_key they can create by using the symmetric_encryption_key to encrypt and encrypt
- = SymmetricEncrypt(key=symmetric_encryption_key,
esk
concatenated with )
- = SymmetricEncrypt(key=symmetric_encryption_key,
- Remember that the sender calculates their
- Anyone who possesses the recipient’s incoming view key (ivk) can decrypt and see the plaintext value of the note as they can calculate the