Twilight
Intermediary Accounts
as defined in QuisQuis by Meiklejohn et al. (2018)

# ​$Input'$

Accounts from $Input \to Input'$ are shuffled with a specific permutation $\psi_1$ s.t. the sender account is at index $[1]$, the receiver accounts are at indices $[2,t]$, and the rest of the accounts, which form the anonymity set, are at indices $[t+1,n]$. The $Input$ accounts are then updated using a vector of random scalar values $\vec{\tau}$ for all the public keys in the input and a single random scalar $\rho_1$ for all the zero-balance commitments using the updated public keys.

$Input'_i=UpdateAcc(Input_{\psi_1(i)}, 0); (\vec{\tau},\rho_1)$

The property of $UpdateAcc()$ guarantees that the updated accounts cannot be linked back to their parent accounts.

# ​$Acc_\delta$

Public keys from the $Input'$ accounts are used to commit to a value vector $\vec{v}=(-v,+v,0,0,...,0) \ s.t. \ \sum_i{v_i}=0$, where $\vec{v}$ is arranged in the same permutation $\psi_1$ as $Input'$.

$Acc_\delta=(pk_{i_{input'}},Com_{i_{input'}}(v_i,r_i))$

In QuisQuis, the same random scalar is used to commit to equal values in $Acc_\delta$ and $Acc_\epsilon$.

# ​$Acc_\epsilon$

Epsilon accounts are also a commitment over $\vec{v}=(-v,+v,0,0,...,0)$, but with the globally available generator points $g$ and $h$. These accounts help the verifier check that the product of all commitments is the identity element, s.t.

$\prod_{i=1}^{n} {Com_{\epsilon_i}}=(1,1)$

In order for the above to be true, the prover does a trick with the blinding factor, where it sets the last random scalar as $r_n=-\sum_{i=1}^{n-1}r_i$.

# ​$Output'$

Intuitively, these accounts are the product of the commitments from $Input'$ and $Acc_\delta$ s.t. $Com_{input'} \cdot Com_\delta \to Com_{output'}$. The public keys for all three account types remain the same: $pk_{input'}=pk_{\epsilon}=pk_{output'}$.

For example, if the value in the sender's $Input'$ account is $5$ and the value committed in $Acc_\delta$ is $-2$, then the product of the above commitments will result in a commitment to $v=5-2=3$, following the additive homomorphic property of the commitments.
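
The balance check on $Acc_\epsilon$ and the $5-2=3$ update of $Output'$, as an added Python example that is not part of the original page or of any project's code. It assumes ElGamal-style commitments $Com_{pk}(v,r)=(pk_0^r,\ g^v \cdot pk_1^r)$ and a toy group; `P`, `Q`, `G`, `H` and all function names are constructed for illustration and far too small to be secure.

```python
import secrets

# Constructed toy group: order-Q subgroup of Z_P^*, with P = 2Q + 1.
P, Q, G = 2039, 1019, 4
H = pow(G, 777, P)  # second global generator; in practice its log w.r.t. G is unknown

def rand():
    return secrets.randbelow(Q - 1) + 1  # scalar in [1, Q-1]

def commit(pk, v, r):
    """Assumed commitment form: (pk0^r, G^v * pk1^r) under pk = (pk0, pk1)."""
    return (pow(pk[0], r, P), pow(G, v % Q, P) * pow(pk[1], r, P) % P)

def mul(a, b):
    """Component-wise product of two commitments (the homomorphic operation)."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)

def blinders(n):
    """r_1..r_{n-1} random and r_n = -sum(r_i) mod Q, as the prover sets it."""
    r = [rand() for _ in range(n - 1)]
    return r + [(-sum(r)) % Q]

def epsilon_product(values, r):
    """Product of all epsilon commitments under the global pair (G, H)."""
    acc = (1, 1)
    for v, ri in zip(values, r):
        acc = mul(acc, commit((G, H), v, ri))
    return acc

def opens_to(com, sk, v):
    """Account owner's check: d / c^sk == G^v."""
    return com[1] * pow(pow(com[0], sk, P), -1, P) % P == pow(G, v % Q, P)

def transfer_demo():
    sk, s = rand(), rand()
    pk = (pow(G, s, P), pow(G, s * sk, P))     # sender key (g_i, g_i^sk)
    v = [-2, 2, 0, 0]                          # sender, receiver, two decoys
    r = blinders(len(v))
    com_input = commit(pk, 5, rand())          # sender's Input' balance of 5
    com_delta = commit(pk, v[0], r[0])         # same r_1 as the epsilon account
    com_output = mul(com_input, com_delta)     # Com_input' * Com_delta
    balanced = epsilon_product(v, r)               # sum(v) == 0
    inflated = epsilon_product([-2, 3, 0, 0], r)   # sum(v) == 1
    return balanced, inflated, opens_to(com_output, sk, 3)

if __name__ == "__main__":
    print(transfer_demo())
```

The inflated vector fails the check because the product's second component becomes $g^{\sum_i v_i}$ instead of $1$.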