New UTXO & nullifier structure about zkopru HOT 3 CLOSED

The solution described above increases the complexity of the system because the sender also requires the jubjub point of the recipient for the DH key exchange(the shared key is used to encrypt leaf data.) Furthermore, the wallet should manage the nullifier_seed together which means if a user only has the private key without the nullifier seed, the user loses UTXOs.

Therefore we can only modify the nullifier computation logic using the EdDSA signature just like

nullifier = hash(EdDSA, leaf_index)

This makes sense because

1. EdDSA's signature is derived from the private key, therefore the sender cannot know unless the signer reveals it. It means the sender can infer the nullifier.
2. EdDSA signature does not allow malleability by the specification. https://tools.ietf.org/html/rfc8032#section-8.4
   Therefore, there is no possibility of double-spending caused by the signature malleability that can allow multiple nullifiers for one UTXO.

But currently, this is not sure that the current circom circuit supports the non-malleability of the EdDSA.
This feature will be part of the Burrito version.

from zkopru.

We've decided to change the UTXO & nullifier's detail structure to follow ZCash's viewing key & spending key structure.

p = random() // spending key
n = ff(sha3(p)) // nullifier seed, viewing key
N = n*G // public nullifier seed, public viewing key
s = random() // tx sender's ephemeral key
K = s*N // shared secret key for chacha20 encryption/decryption
P = poseidon(p*G, n) // public spending key
utxo = poseidon(P, data, salt)
nullifier = poseidon(n, index)

Account shares (P, N) and store (p, n)
For the effective account restoration protocol, we can derive nullifier seed n from p for example (n = ff(sha3(p))

from zkopru.

closed by #44

from zkopru.