layout: wip
title: Full-Chain Membership Proofs + Spend Authorization + Linkability Development CCS
author: kayabaNerve
date: April 13, 2024
amount: 920 XMR
milestones:
  - name: Provide a specification of the circuit and high-level protocol
    funds: 80 XMR
    done:
    status: unfinished
  - name: Productionize the crate for the arithmetic circuit proof
    funds: 160 XMR
    done:
    status: unfinished
  - name: Productionize the crate for the Elliptic Curve Divisor Library
    funds: 80 XMR
    done:
    status: unfinished
  - name: Implement the gadgets
    funds: 320 XMR
    done:
    status: unfinished
  - name: Implement the circuit
    funds: 200 XMR
    done:
    status: unfinished
  - name: Implement the Generalized Schnorr Protocol
    funds: 40 XMR
    done:
    status: unfinished
  - name: Implement multisig for the Generalized Schnorr Protocol
    funds: 40 XMR
    done:
    status: unfinished
payouts:
  - date:
    amount:
  - date:
    amount:
  - date:
    amount:
  - date:
    amount:
  - date:
    amount:
  - date:
    amount:
  - date:
    amount:
This CCS is to develop Full-Chain Membership Proofs (a trustless solution) into Monero under RingCT, replacing the existing CLSAG. This is distinct from prior intents to integrate FCMPs into Monero with Seraphis, and was previously discussed in an MRL meeting, where it was well received. That same meeting organized the funding of security proofs for Generalized Bulletproofs, a critical component for FCMPs (under both this proposal and Seraphis). This builds upon the work previously done on FCMPs, and does most of the groundwork for FCMPs with Seraphis as well.
The exact deliverables will be:
- A document detailing the arithmetic circuit (a 'ZK program') and necessary integration work
- A ready-for-auditing Rust implementation of an amenable (trustless, formally proven, sufficiently performant) arithmetic circuit proof (currently expected to be Generalized Bulletproofs)
- A Rust library for calculating elliptic curve divisors
- The FCMP proof, as necessary for usage with RingCT
- The GSP (Generalized Schnorr Protocol) proof acting as the signature, with multisignature functionality
Milestones
The milestones are unordered, except for the first, which provides the specification. The gadgets will be specified as a series of constraints in a non-machine-interpretable manner intended to allow human understanding and review of their flow and composition. Alongside the definition of the proofs (largely modelled as black boxes to the protocol), all of the supporting infrastructure will also be defined as necessary to comprehend the integration into Monero and the new privacy protocol created.
"Productionize the crate for the arithmetic circuit proving system" means to develop the arithmetic circuit proof implementation to the point I endorse auditing it. With those audits, the crate would be eligible for usage in production. Any audits of the implementation would only be sane after the implemented proof is formalized, with security proofs. Currently, the proposed proof is GBPs, and security proofs for it are actively being worked on. If they fail to be proven, this milestone is worded such that an alternative proof (with acceptable properties, from being trustless to being sufficiently performant to building upon sufficiently accepted academia) may also be accepted. If no alternative proof is acceptable, this milestone will be considered not possible at this time, and for the purposes of this CCS, 'failed'.
"Productionize the crate for the Elliptic Curve Divisor Library" means to develop the crate for calculation of divisors to the point where it can be audited.
"Implement the gadgets" means to implement the previously specified gadgets, and all supporting code for them, such that they are ready for soundness proofs, formal verification, auditing, etc.
"Implement the circuit" means to implement the previously specified circuit, and the supporting high-level functions, to the degree described for the gadgets. This will also include an implementation of the towering curve cycle, Helios and Selene, though not one expected to be performant enough for deployment.