protocol-solidity
Preventing Sanctioned Deposit Addresses from Transacting
Let $g$ be the generator of some group $\mathbb{G}$ for which the discrete logarithm problem is hard.
The note formed from deposit $i$ will store the polynomial $r_i (x - D_i)$, where $r_i$ is a randomly sampled field element and $D_i$ is the deposit address. Concretely, we do not store the coefficients themselves but the powers of $g$ of the coefficients of the polynomial: $(g^{r_i}, g^{-r_iD_i})$. The reason for this is to hide $D_i$: recovering it from these group elements would require solving a discrete logarithm.
When joining input notes, we multiply the corresponding polynomials in the input notes and store them in the new output note.
To be more precise, when joining deposit 1 and deposit 2, we store the powers of $g$ of the coefficients of the polynomial $r_1 r_2 (x - D_1)(x - D_2)$ in the output note.
Note that the polynomial stored in a note vanishes exactly on the deposit addresses from which its funds originated.
So to transact, we just have to prove that the polynomial in the output note does not vanish on the sanctioned deposit addresses.
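The following is an added toy model of the construction above, not code from protocol-solidity. It uses a constructed small prime-order subgroup of $\mathbb{Z}_p^*$ (not a production parameter) as $\mathbb{G}$, represents each note's polynomial by the powers of $g$ of its coefficients, joins two notes by multiplying the underlying polynomials, and then checks the non-vanishing condition directly on the committed form. The check relies on evaluation being linear in the coefficients: $\prod_k (g^{c_k})^{x^k} = g^{p(x)}$, which equals the identity exactly when $p(x) = 0$. In the protocol this statement is what the transactor proves in zero knowledge; here the verifier does it in the clear for illustration.

```python
import random

# Constructed toy parameters: P is a safe prime (P = 2*Q + 1) and G = 4 is a
# quadratic residue, so it generates the subgroup of prime order Q.
# These sizes are for demonstration only; DL is trivially solvable here.
P = 1019
Q = 509
G = 4


def commit(coeffs):
    """Represent p(x) = sum c_k x^k as the tuple (g^{c_0}, ..., g^{c_n}).

    Exponents live in Z_Q because G has order Q.
    """
    return [pow(G, c % Q, P) for c in coeffs]


def deposit_note(D, r=None):
    """Build the note for a deposit from address D (a field element).

    The stored polynomial is r*(x - D) = (-r*D) + r*x, so the committed form is
    (g^{-rD}, g^{r}) as in the text. r is sampled fresh unless given explicitly.
    """
    if r is None:
        r = random.randrange(1, Q)
    coeffs = [(-r * D) % Q, r % Q]
    return coeffs, commit(coeffs)


def poly_mul(a, b):
    """Multiply two coefficient lists over Z_Q (schoolbook convolution)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out


def join_notes(coeffs_a, coeffs_b):
    """Join two input notes: the output note holds the product polynomial.

    The party spending the notes knows both coefficient vectors, computes the
    product and commits to it; the commitment alone does not allow this step.
    """
    prod = poly_mul(coeffs_a, coeffs_b)
    return prod, commit(prod)


def eval_commitment(commitment, x):
    """Compute g^{p(x)} from the committed coefficients without knowing them.

    prod_k (g^{c_k})^{x^k} = g^{sum_k c_k x^k} = g^{p(x)}.
    """
    acc = 1
    x_pow = 1  # x^k reduced mod Q, since exponents are taken mod the group order
    for g_c in commitment:
        acc = acc * pow(g_c, x_pow, P) % P
        x_pow = x_pow * x % Q
    return acc


def vanishes_at(commitment, x):
    """p(x) == 0 in Z_Q iff g^{p(x)} is the identity element."""
    return eval_commitment(commitment, x) == 1


def may_transact(commitment, sanctioned):
    """An output note may transact iff its polynomial vanishes on no sanctioned address."""
    return not any(vanishes_at(commitment, D) for D in sanctioned)


if __name__ == "__main__":
    # Constructed sample: two deposits from addresses 17 and 42 are joined.
    c1, _ = deposit_note(17)
    c2, _ = deposit_note(42)
    _, joined = join_notes(c1, c2)
    print("vanishes at 17:", vanishes_at(joined, 17))   # True: funds came from 17
    print("vanishes at 99:", vanishes_at(joined, 99))   # False: 99 never deposited
    print("may transact with [99] sanctioned:", may_transact(joined, [99]))
    print("may transact with [42] sanctioned:", may_transact(joined, [42]))
```

The join step is performed by the party that knows the input coefficients, which is why the note stores enough for that party to continue the chain while an observer holding only the group elements sees neither $r_i$ nor $D_i$. Every verifier-side operation above (`eval_commitment`, `vanishes_at`, `may_transact`) touches only the committed form.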