Direct-Path Minimum Irreducible Private Relation v1¶
Status: frozen for TKT-P3-51
Scope: fixed confidential-transfer statement only (1 spend, 1 receiver, 1 sender change)
1) Purpose¶
Freeze the smallest private relation that must be proved for wallet-direct confidential transfer on BCH, while keeping already-frozen protocol boundaries unchanged.
This freeze is implementation-driving and does not redefine PIv1, PBv1, OFm2/v2, tokenized continuation invariants, wallet recovery behavior, or verifier ABI.
2) Direct-Path Budget Context (Normative)¶
- The direct-path BCH ceiling is the per-input unlocking-bytecode limit:
10,000bytes. - The broader
100 KBtransaction envelope belongs to staged/chunked/aggregated fallback architectures, not wallet-direct proof carriage. - This document optimizes for direct-path viability by proving only irreducible private facts.
3) Host vs Prover Invariant Matrix (Normative)¶
| Invariant Family | Host-Side Forever | Prover-Side Forever | Notes |
|---|---|---|---|
| PIv1 canonical parse/checks | MUST | MUST NOT | Host validates canonical bytes and fields. |
| PBv1 canonical parse/checks | MUST | MUST NOT | Host validates section ordering, limits, and digests. |
Transcript commitment discipline (hashPIv1, hashPBv1, section root bindings) |
MUST | MUST NOT | Prover consumes only frozen public anchors already committed by host-visible artifacts. |
| Transport binding checks (payload/hints chunk commitments) | MUST | MUST NOT | Prover must not bypass or weaken host transport rules. |
| OFm2/v2 recomputation from real BCH outputs | MUST | MUST NOT | Host binds proof to transaction reality. |
Tokenized continuation shell checks (category/capability continuity, fixed carrier sats profile rule, commitment=stateOut32) |
MUST | MUST NOT | Carrier semantics remain host/covenant checks. |
| Malformed carrier/section reject logic | MUST | MUST NOT | Reject policy remains host/parser responsibility. |
| Note ownership (spent note authorization) | MUST NOT | MUST | Private witness relation fact. |
| Note inclusion in pre-state root | MUST NOT | MUST | Private witness relation fact. |
| Nullifier correctness | MUST NOT | MUST | Private witness relation fact. |
| Receiver note creation correctness | MUST NOT | MUST | Private witness relation fact. |
| Sender change note creation correctness | MUST NOT | MUST | Private witness relation fact. |
| Committed-value conservation | MUST NOT | MUST | Private witness relation fact; visible BCH sats are not confidential amount semantics. |
Transition consistency against stateIn32, stateOut32, outputFingerprint32 |
MUST (anchor equality to tx reality) | MUST (confidential relation consistency to same anchors) | Shared boundary, distinct responsibilities. |
4) Minimum Irreducible Private Relation (Normative)¶
For one fixed confidential-transfer statement, the prover must show:
Given public anchors:
shardId32stateIn32stateOut32outputFingerprint32
there exists private witness material establishing all of the following simultaneously:
- The spent note is owned by the spender under the frozen note ownership rule.
- The spent note is included in the pre-state note root committed by
stateIn32. - The nullifier is correctly derived from the spent note witness under frozen nullifier formulas.
- The receiver note commitment is correctly formed from private transfer data.
- The sender change note commitment is correctly formed from private transfer data.
- Committed-value conservation holds in confidential state (spend = receiver + change under frozen fee policy assumptions).
- The post-state commitments represented by
stateOut32are consistent with: - the pre-state commitment (
stateIn32) - exactly one nullifier insertion
- the receiver/change note update
- binding to the same
outputFingerprint32anchor validated by host output reality checks.
No additional private relation facts are required for direct-path v1.
5) outputFingerprint32 Rule (Normative)¶
outputFingerprint32 is a public relation anchor only.
- Host/covenant recomputes OFm2/v2 from real BCH outputs.
- Prover consumes that anchor as public input and proves confidential relation consistency to the same anchor.
outputFingerprint32is not the source of confidential amount semantics.- Visible BCH output satoshis are carrier/fee values, not confidential transfer amount representation.
6) Transcript, Carrier, and Corpus Reconciliation (Normative)¶
The minimized relation must remain compatible with:
- PIv1 semantics
- PBv1 envelope structure
- section ordering and digest rules
- transcript commitment rules
- transport binding rules
Canonical fixture/corpus reuse is mandatory:
fixtures/phase3/confidential_transfer_v2_no_receiver_marker.jsonfixtures/phase3/confidential_transfer_real_proof_corpus_v1.json
No parallel “cleaner” proving fixture may supersede these active artifacts.
7) Forbidden Verifier-Input Drift (Normative)¶
Final verifier semantics remain:
- public inputs + proof artifact only
The implementation must not introduce disguised witness channels, including:
- witness hashes
- hidden constraint hashes derived from private witness
- sidecar digests that widen the frozen verifier ABI
- backend-specific convenience commitments outside the frozen public boundary
8) Open Clarifications for Next Ticket¶
These do not reopen protocol boundaries, but must be made explicit during direct-path size feasibility work:
- Canonical internal encoding for note-inclusion path elements in the prover runtime (ordering/endian/field lifting) to avoid backend drift.
- Canonical internal encoding for committed-value arithmetic limbs used in relation constraints (to keep prover/runtime parity deterministic).
Neither clarification changes PIv1/PBv1/ABI; both are internal prover-engineering lock-ins for TKT-P3-52 and TKT-P3-53.