Accountable Anonymity for Public Money (DRAFT v0.1)

Seven contributions, in the order the paper builds them:

• The non-deniable-receipt invariant (Def. def:ndr): a security definition for payment systems whose new clause is collusion resistance: even a willing payer and payee cannot construct an accepted payment with no receipt. Accountability is bilateral, held by the counterparties; there is no system-wide opener.
• The compulsion calculus (Sec. #sec:compulsion): the invariant, composed with issuer-blindness (the KYC issuer cannot trace even its own certified clients; Thm. thm:issuer-blind), yields three properties we believe are jointly new for a payment system: evidence exists for every payment; only the direct participants hold it; and it is refusable: without a participant's keys, surrendered or compelled, the ledger is computationally silent forever. We argue this is the right cryptographic substrate for due process, and the right failure mode under unjust process.
• Identity-M binding (Sec. #sec:identity-m): the inversion that makes the rest practical. One gadget (prove a re-encryption of a registered Identity under a target identity point) instantiated three ways covers the whole realisable design space. Note spend authorization keys on identity, so a lost account key is recoverable with no custodian, and the binding survives the time gap between an anonymous payer and an anonymous payee.
• A complete, shipped construction of all three realisable flavours – addressed/public (A1), addressed/private (A2), bearer/public (B1) – on Ethereum: Groth16 batch mint, flavour-agnostic spend, and spend-time composition of a deposit sigma, a bound set-membership proof, and a note-to-ciphertext tie, every verifier real and measured (Sec. #sec:eval).
• The forced taxonomy (Thm. thm:b2): the fourth flavour – a bearer note from a hidden issuer – is impossible, by an information-theoretic argument.
• The cost of anonymity, located (Sec. #sec:cost): the receipt is nearly free when one party is named at the binding moment. When both are anonymous, the obvious cheap coupling is vacuous (Lem. lem:vacuous), and a collusion-resistant receipt requires zero-knowledge registry set-membership under a single-binding-step restriction (Prop. prop:necessity). The shipped system takes exactly the branch the proposition permits, and we measure it.
• A reproducible artifact: contracts, circuits, and verifiers, open and test-covered – over 400 Foundry tests, 330 wallet tests, an end-to-end suite where every verifier is the real Groth16 artifact – and the paper's own claims carry executable witnesses (Appendix #sec:appendix) that re-run on each build.

The model's three properties: no one can reconstruct who paid whom from the chain; nothing on chain reveals either party's Identity to outsiders; and the two parties can always identify each other. The first two must hold against the strongest adversary available: the issuer itself, which knows every identity it ever certified.

One definition carries the accountability half of the paper. Its first two clauses are standard: receipts can always be produced, and never forged. The third is the new one: even a payer and payee working together cannot make an accepted payment that leaves no receipt.

Completeness alone protects a self-interested recipient; the third clause is what forbids a willing pair. Symmetric statements bind the recipient's identity toward the payer (Theorem thm:mutual gives the per-flavour content).

The KYC issuer is the system's only trust anchor, and the natural objection to any accountable privacy claim is that the issuer is a bulk-deanonymisation backdoor. It is not. Issuance is address-blind: the issuer signs the identity scalar \( m = H(\mathrm{id}) \) once (a PS credential over \( m \) alone) and is thereafter done. The client derives each on-chain account offline (a fresh key pair \( (sk, pk) \), a self-formed ElGamal credential \( E_{\mathrm{addr}} = (rG,\ M + r\,pk) \), and a rerandomised credential \( \sigma' \)), without the issuer ever seeing \( pk \). The issuer's view is therefore, per certified client \( i \), the tuple \( (\mathrm{id}_i, m_i, M_i, \sigma_i) \) (the plaintext identity) plus public chain state. It holds no chain addresses.

This is what no trusted opener means here: the closest thing to an authority cannot open transactions in bulk, even against itself. Under compulsion it can only verify a link some party surrenders – map a receipt-disclosed \( M \) to the real person – never produce one. Two caveats bound the theorem:

• Computational, not information-theoretic. The plaintext lock is DDH; only the credential lock is statistical. A discrete-log break – in particular a quantum computer running Shor against \( \mathbb{G}_1 \) – turns the harvested \( \{M_i\} \) plus the archived chain into a wholesale, retroactive deanonymisation of past identity-bound traffic. The breached or compelled issuer's KYC records are precisely that harvest corpus. Migration of the identity substrate ahead of cryptanalytic risk is a deployment obligation, not an afterthought (Sec. #sec:discussion).
• Retroactive, not prospective. Address-blind issuance protects past registrations unconditionally against future issuer compromise; but a coerced issuer can change the protocol going forward (demand \( pk \) at KYC, record addresses, backdoor credentials). Issuer-blindness is a statement about issuances already performed under the honest protocol.

The invariant and issuer-blindness, composed, induce a precise answer to the question who can a court reach, and what happens when they refuse? We state it as three properties. Call a party's opening material for a payment the secrets from which an accepting receipt can be computed: the note opening (its randomness \( \rho \) and identity payload) together with, per flavour, the holder's identity scalar or account key needed to decrypt the counterparty ciphertext.

Propositions prop:exist–prop:refusal follow from the privacy theorems (Sec. #sec:security) plus issuer-blindness. Their content is the composition – constitutional design more than cryptography:

• Due process is fully served. Evidence exists for every payment (no colluding pair can prevent it), it convicts only the guilty (non-frameability: a receipt cannot be forged against an innocent party; Corollary cor:noframe), and a court always has a specific person to direct an order at. Investigation proceeds the way warrants are supposed to work: from a known participant, one named counterparty at a time, each step producing sound evidence.
• Bulk surveillance is not for sale. There is no database to subpoena, breach, or buy. The marginal cost of surveilling one more citizen is coercing one more citizen: publicly, individually, through legal process directed at a person who can see it happening. The system makes population-scale financial monitoring not illegal but unimplementable.
• The last word belongs to the citizen. Refusal has personal legal cost (contempt, adverse inference), as it should, under legitimate process. But it is effective: a citizen facing an unjust order, or a population facing a judiciary that has begun criminalising beliefs, can withhold or destroy keys, and the archived ledger stays dark regardless of what any institution is later compelled to do. The privacy floor survives institutional capture because no institution was ever load-bearing.

Two honest edges. First, receipts are bilateral: your counterparty's copy is beyond your control, by design. A criminal cannot silence their victim's receipt by destroying their own. Refusal protects a payment only when every participant elects it; exactly the case the property is for: consensual acts the regime of the day has criminalised. Second, destroying your keys also destroys your evidence: the standing ability to prove what you paid and to whom. Refusal-resilience is an option with a price, chosen by its holder – not a default that degrades accountability for anyone else (Def. def:ndr holds for every accepted payment regardless).

The pool is a Tornado-style Merkle tree of note commitments, hashed with Poseidon (a hash designed to be cheap inside proof circuits), keeping a rolling window of recent roots and a set of spent nullifiers – one-way serial numbers, revealed only at spend, that make a double-spend detectable without linking the spend to its note. A note is the opening tuple; its on-chain commitment is

\[ cm = \mathrm{Poseidon}_5(\mathrm{flavor},\ v,\ \rho,\ idHash,\ \mathrm{predicate}), \]

where \( \rho \) is the note's secret randomness and \( idHash \) is a Poseidon hash of the flavour's identity payload – the commitment to everything the note says about its parties. Batch mints are proven by a Groth16 SNARK (proofs a few hundred bytes, constant gas to verify; one circuit per pinned batch size \( N \)) that opens every commitment, range-checks the values, sums them to the public escrowed total, and folds the leaves into the attested new root. The contract escrows exactly the proven total in the same atomic call.

Spends are proven by a single flavour-agnostic circuit: the prover shows knowledge of an opening of some tree leaf under a recent root, with public \( (\mathsf{root},\ nf,\ \mathrm{face},\ \mathrm{recipient},\ \mathrm{chainid}) \), where the nullifier

\[ nf = \mathrm{Poseidon}_3(\rho,\ idHash,\ 4242) \]

is one derivation for every flavour (the constant keeps nullifier preimages distinct from commitment preimages). Double-spends are rejected by set membership. No account key enters the hash: spend authorization is layered per flavour on top of the nullifier. That is what makes key-loss recovery and account-agnostic deposit possible (Sec. #sec:identity-m) – and what creates the binding obligation the rest of this section meets.

What \( idHash \) commits, and which direction of the gadget runs at which moment, defines the flavour:

with the per-flavour ciphertexts (all ElGamal over identity points):

• A2 (addressed, private issuer). The issuer encrypts its own registered identity under the recipient's identity point: \( eIss = (r'G,\ M_{I} + r' M_{\mathrm{rec}}) \), decryptable by \( m_{\mathrm{rec}} \) alone; the note value rides in \( eNote = (r_n G,\ vG + r_n M_{\mathrm{rec}}) \). At mint, a blinded re-encryption sigma (verifyIssuerReenc) proves \( eIss \) re-encrypts the minting account's registered identity – the anti-framing anchor – without revealing it. Each leaf's \( eIss \) is also a public input of the A2 mint SNARK (the leaf-tie): no leaf can lack a binding, and no binding can float to another leaf.
• A1 (addressed, public issuer). The issuer is named openly (a Schnorr signature over the batch under their registered key, checked at mint), and the recipient's identity is encrypted under itself: \( eRec = (r'G,\ M_{\mathrm{rec}} + r' M_{\mathrm{rec}}) \), so exactly the addressed identity can open and answer for it.
• B1 (bearer, public issuer). No recipient exists at mint (Theorem thm:b2 makes this the only coherent bearer cell); at spend the depositor encrypts their own identity under the public issuer's key, \( eDepForIss = (rG,\ M_{\mathrm{dep}} + r\,pk_{\mathrm{iss}}) \), and proves it carries the same identity their payout account is bound to.

Every addressed deposit (spendCoupledA1, spendCoupledA2) verifies, in one transaction, the flavour-agnostic note proof plus three mutually-bound gates:

1. The deposit-coupling sigma (verifyDepositCoupling; EIP-196, Ethereum's native curve arithmetic): the depositing account msg.sender is registered and bound to a scalar \( m \), and the supplied ciphertext \( eEnc \) decrypts under \( m \) to the point blinded inside the commitment \( P_I = M + bH \) – a perfectly-hiding Pedersen-style point published by the sigma.
2. The bound membership proof (identity_membership_g1tie, Groth16): \( P_I \)'s underlying point is a member of the registry accumulator \( \mathsf{rt_{id}} \). Bound does the work: the verifier derives its public inputs from the same \( P_I \) the sigma committed, so the two gates cannot be answered with different points.
3. The note \( \leftrightarrow \) eEnc tie (note_binding / note_binding_a1, Groth16): the ciphertext the first two gates verified is keyed to the identity material committed in the \( idHash \) behind this spend's nullifier – the gate is about this note, not a depositor-substituted ciphertext. The tie shares the nullifier with the spend proof and \( P_I \) with the sigma.

// inside Notes._spendCoupled (abridged; A2 passes a1Layout=false, A1 true):
require(spendVerifier.verifySpend(proof, root, nullifier, face, recipient, chainid));
require(reg.verifyDepositCoupling(msg.sender, eEnc, dc), "bad deposit coupling");
//                                                  dc.P_I --- the same point ---v
_verifyIdentityMembership(membershipProof, dc.P_I.X, dc.P_I.Y);
_verifyNoteBinding(noteBindingProof, nullifier, a1Layout, face,
                   eEnc, dc.P_I.X, dc.P_I.Y);

The composition discipline – every proof's public inputs derived on chain from the same objects (msg.sender, \( eEnc \), \( P_I \), the nullifier, the face), never taken from the prover's bytes – is what makes the gates impossible to decouple under collusion. We commend the pattern to designers beyond this system. For B1 the depositor-binding sigma (an Okamoto-style proof coupling the payout account, \( eDepForIss \), and \( P_{\mathrm{dep}} = M_{\mathrm{dep}} + bH \)) replaces gate 1, the same bound membership is gate 2, and no tie is needed (the depositor names itself; there is nothing to substitute).

For A2, \( eEnc \) is a fresh re-encryption of the committed \( eIss \) (same plaintext, new randomness): re-using the mint-time ciphertext – a public input of Notes.mint – would link spend to mint and destroy the flavour's anonymity. Hence the tie proves re-encryption equivalence, never equality. For A1, the committed payload has no second ciphertext, so the tie runs through the note's own value ciphertext with the face public; the next subsection explains why that public face is not incidental but the soundness linchpin.

ElGamal ciphertexts are not key-committing: given the randomness \( r_n \) (which travels with the opening), the "key" of \( eNote = (r_n G,\ C_n) \) can be re-explained as any \( m' \) by absorbing the difference into a free plaintext, \( V' = C_n - (r_n m')G \). A binding circuit that witnesses the plaintext freely therefore proves nothing about the addressed identity. The A1 tie pins the plaintext publicly: its statement fixes \( eNote.C = (v + r_n m_{\mathrm{rec}})G \) with \( v \) a public input that the contract sets to the spend's face – itself bound to the note's committed value by the spend SNARK over the same nullifier. With \( v \) and \( r_n = \log_G eNote.R \) determined,

\[ m_{\mathrm{rec}} = (\log_G eNote.C - v)\cdot r_n^{-1} \]

is unique: only the identity the note was addressed to can satisfy the relation (Theorem thm:tie, A1 clause; executable witness in Appendix #sec:appendix). The observation generalises: when a binding must travel through a non-committing encryption, publishing the plaintext's already-public component is the cheapest commitment.

A receipt is a four-link proof chain, every link checkable by a third party from public state plus the holder's disclosed material: (a) opening – the disclosed tuple re-hashes to a commitment; (b) minted – that commitment is a leaf under a historical root; (c) issuer – the flavour's issuer binding (Schnorr in the clear, or the decrypted-and-membership-certified \( eIss \)); (d) paid – the nullifier consumed and face transferred. The recipient-naming direction is the spend-side composition above. Link (c) is where the invariant lives or dies; Sec. #sec:cost is about keeping it alive when the issuer is anonymous.

Because the material behind the chain is held by both parties – the issuer created the identity payload at mint, the recipient was handed it with the note, and the spend event publishes the rest – either party can assemble the receipt: the depositor's copy and the issuer's "I paid X" copy differ only in who proves their own account-to-identity tie. Once the parties' identity preimages are disclosed in the receipt, every note-side check is deterministic (re-hash the payload, decrypt the addressed ciphertexts), which is what makes the two copies verify identically. The end-user serialization of this chain – a printable, re-scannable slip – is Sec. #sec:receipt-artifact.

A direct transfer between registered accounts gets collusion-resistance free: the mandatory approve handshake reads both parties' registered records in a single call – both anchors co-present, both named. A2 splits the anchors in time by demand of its privacy goal: the issuer's anchor is live only at mint, the recipient's only at spend, and unlinkability forbids any public value from bridging them. The A2 mint binding is, line for line, the approve handshake with one change: the recipient's identity is blinded. That one change is the entire gap – it surrenders the phrase "under the recipient's registered key" – and everything that follows is the price of buying the phrase back without un-blinding anything.

The lemma is the formal autopsy of an entire class of cheap designs, and the second motivation (after key loss) for the Identity-M inversion: binding to a key is worthless, because keys are free and ElGamal does not commit to them. The binding must reach a registered identity ; the issuer, holding no recipient secret, can assert registration only as a set-membership statement.

Proposition prop:necessity permits exactly two homes for the membership proof, and the system's own history visited both. An earlier design (retained in the retired drafting skeleton of this paper) placed it at mint: a per-leaf circuit opening the issuer's credential, proving the recipient's account-keyed credential a member of an account registry, and coupling the payload under the recipient's account key – at roughly \( 10^6 \) R1CS per leaf, on top of the account-pinning brittleness of Sec. #sec:identity-m. The shipped system takes the spend branch, and the Identity-M inversion is what makes the branch practical:

• The membership moves to where its prover is. At spend the depositor is live, holds \( m_{\mathrm{rec}} \), and can prove membership of the relevant point – the issuer's decrypted identity for A2 (closing the clause exactly as the proposition demands), the recipient's own for A1. The proof is per-spend, not per-minted-leaf, and proving cost lands on the interested party's own hardware; the chain only ever verifies.
• The statement splits along its natural seam. Account-binding and decryption-to-a-committed-point are sigma-protocol material (Theorem thm:coupling; ~90K gas to verify); only set-membership and the note tie need SNARKs at all. The composition is re-joined by deriving every public input from the shared objects – the discipline of Sec. #sec:construction.
• Relocation creates one new obligation, and it is dischargeable. Binding at spend means the verified ciphertext is the depositor's submission, so it must be tied to the note being spent – otherwise a stolen opening redeems with a self-addressed ciphertext, and a coalition substitutes a nameable one for an un-nameable commitment. That obligation is Theorem thm:tie's two circuits, including the A1 face-pinning trick – the genuinely new constraint engineering this relocation demanded.

The result: the doubly-anonymous flavour, predicted expensive, costs a measured \( \sim\!340\mathrm{K} \) gas of extra verification per spend over the bearer flavour (Sec. #sec:eval) and seconds of off-chain proving – practical today. Whether restriction (iii) can be dropped – whether a binding amortised across steps, a two-party mint with a blinded recipient contribution, or a witness-encryption construction evades set-membership entirely – remains the paper's central open problem (Sec. #sec:discussion): an unconditional impossibility would prove the SNARK necessary; a loophole would be a cheaper design.

Before the tie circuits shipped, the design contemplated an economic backstop: an honest A2 recipient verifies the binding at delivery (decrypt \( eIss \), check the registered identity) before accepting. An audit regime with penalty \( L \) and probability \( q \) then makes verify-then-accept dominant whenever \( qL \) exceeds the collusion benefit – and, by Corollary cor:noframe, the residual off-equilibrium outcome is only ever an un-nameable note held by an always-identifiable depositor, never a framed third party. With the tie enforced on chain the mechanism no longer carries weight, but we record it: delivery-time verification remains good wallet practice, and the analysis explains why even a deployment that lags the verifier rollout degrades to a bounded, recipient-borne risk rather than an open hole.

The invariant's deliverable is not a theorem but an artifact a citizen can hold. The wallet serializes the verified proof chain as AB-RCPT/1: a canonical, bit-reproducible byte string, wrapped into a plain-text payload sized for an 80mm thermal printer – a literal cash-register slip whose face names both parties in the clear and whose payload re-verifies offline from its own re-scanned text (albertabuck verify -), or anchors to any node for the chain facts.

Two design points carry the civic claims. First, the slip names persons, not keys: it embeds each party's full canonical_identity_data preimage, and verification recomputes \( M = \mathrm{keccak}(\text{data}) \cdot G \) against the named identity point – so "my counterparty is who they say they are" is a hash check, not a promise, and the accounts printed beside the names are pinned by the same proofs (the issuer bindings fold the minting account into their transcripts; the spend event anchors the payout account). Second, for Notes the receipt is bilateral by construction: the Identity-M payload behind the leaf's idHash is held by both parties, so the depositor prints their copy and the issuer prints an "I paid X" copy – for B1, naming the depositor by verifiably decrypting the spend event's eDepForIss – and both verify identically, because once the receipt has disclosed the identity preimages every note leg is a deterministic re-check. Eight golden renders (the five kinds plus the three issuer-side Note receipts) are pinned byte-for-byte in the test suite; the recipient's copy for an A2 note – a payment whose issuer no observer, subpoena, or breached KYC issuer could name – reads:

                 ALBERTA  BUCK
         P A Y M E N T   R E C E I P T
------------------------------------------------
  Receipt  fo6idsp2dmel
------------------------------------------------
FROM (payer) (PRIVATE IDENTITY)
 Bob Smith
Corporate Registration - Alberta, Canada
 acct 0x0b0b000000000000000000000000000000000b0b
 idpt 0x0cef52e77ea5..0ae1f916d96b
------------------------------------------------
TO (payee - you) (PRIVATE IDENTITY)
 Alice Johnson
Alberta Identity Card - Alberta, Canada
 acct 0x0a11ce00000000000000000000000000000a11ce
 idpt 0x07a0b762be40..d418d7bf5e7c
------------------------------------------------
TRANSACTION
 Type    Note spend - A2 addressed, private issuer
 Amount              0.000250  BUCK
 When        2026-05-28 20:10  UTC
 Chain 1    Block 1234599    Log 1
 Tx      0xa2a2a2a2a2a2..a2a2a2a2a2a2
 Mint    0xaaaaaaaaaaaa..aaaaaaaaaaaa
------------------------------------------------
VERIFICATION
 status @ issue: VALID
 receipt  fo6idsp2dmel
------------------------------------------------
      a record, not a bearer instrument

This is the compulsion calculus (Sec. #sec:compulsion) made tangible: standing, court-grade provenance for every payment a citizen was party to – against fraud, theft, or commerce conducted with their stolen credentials – produced from their own records, without anyone's permission, forgeable by no one; while the same payment remains noise to every non-party, from the chain-analytics firm to the compelled issuer. That pairing is the shift the system exists to make: the capability to prove moves to the individuals who transacted, and the capability to watch is withdrawn from everyone else. The slip itself is a record, not a bearer instrument: it moves no funds, and discloses only what its holder chooses to disclose, one payment at a time.

Full-call gas for one mint (batch of one) and one coupled spend, per flavour, from the end-to-end suite (chain id 1, Cancun):

Isolated per-phase verification gas:

The cost structure tells the paper's story in numbers. Both addressed flavours pay the tie – the price of "only \( M_{\mathrm{rec}} \) can spend", about 330K over bearer – while issuer anonymity costs only the mint-side delta (~120K, the blinded re-encryption binding): A2's spend is within half a percent of A1's. Set-membership, the provably necessary ingredient, is one constant 253K Groth16 verify regardless of registry size. Prover side: the tie circuits are 2.4M (A2) and 2.86M (A1) non-linear R1CS constraints – the unit of circuit size – in fixed-base-only EC arithmetic (the A1 relation needs no witnessed point limbs at all, since every point is a known multiple of \( G \)). They prove in seconds under rapidsnark on commodity Apple-silicon hardware, witness generation via the circom C++ calculator. Distribution cost concentrates the same way: the tie proving keys are 1.4 GB (A2) and 1.6 GB (A1) one-time wallet downloads, while every other prover artifact (mint, spend, membership keys and witness generators) is 2–19 MB – and the trusted-setup transcript never ships to wallets at all. All verification is constant-gas on chain; no participant ever waits on another's prover.

The same vectors flow through three independent implementations – the Python wallet reference (py_ecc-style BN254 arithmetic), the circom witness generators, and the Solidity verifiers – and the test suites assert byte-for-byte agreement: over 400 Foundry tests (including 18 on the tie verifiers alone and the 9-test all-real-verifier end-to-end lifecycle) and 350+ wallet tests (among them byte-pinned golden renders of all eight receipt kinds, from both Note parties' sides). The companion documents are executable: the walkthrough document runs every cryptographic step of all three flavours in one seeded session, and this paper's appendix witnesses re-run on each build. Honesty items: Groth16 needs a one-time trusted setup whose secret randomness must be destroyed, and ours currently uses development entropy – a production Powers-of-Tau ceremony is a deployment prerequisite. Formal verification of the circuits (beyond witness/constraint testing) is planned, not performed.

import random
from alberta_buck.wallet.bn254 import G1, ORDER, mul, add, neg, eq, rand_scalar
from alberta_buck.wallet.elgamal import elgamal_encrypt, elgamal_decrypt
from alberta_buck.wallet.unilateral_a2 import (
    IdentityTree, mint_unilateral_a2, make_receipt, verify_receipt,
)

_seed = random.Random(0xACC0)                # one deterministic transcript
rng   = lambda: _seed.getrandbits(256)
CHAINID = 1

def account(m):                    # a registered account bound to identity m
    sk = rand_scalar(rng); pk = mul(G1, sk)
    return dict(m=m, M=mul(G1, m), sk=sk, pk=pk,
                E=elgamal_encrypt(mul(G1, m), pk, rand_scalar(rng)))
def pt(P):
    return f"({int(P[0]) % 10**8:>8d}..., {int(P[1]) % 10**8:>8d}...)"
def dec(R, C, sk):                 # ElGamal decrypt on raw points
    return add(C, neg(mul(R, sk)))

m_iss, m_rec = rand_scalar(rng), rand_scalar(rng)
issuer, rec  = account(m_iss), account(m_rec)
M_rec = rec["M"]
tree = IdentityTree()
for a in (issuer, rec):
    tree.insert(a["M"])
print(f"issuer Identity    M_I   = {pt(issuer['M'])}")
print(f"recipient Identity M_rec = {pt(M_rec)}")
print(f"registry root            = {hex(tree.root())[:20]}...")

issuer Identity    M_I   = (24518486..., 10011201...)
recipient Identity M_rec = (48294773..., 86086204...)
registry root            = 0x21b0a34077b3d8355c...

The attack object the lemma constructs: a note spendable by \( D \) whose issuer payload is keyed to a bogus key, satisfying the naive same-key constraint via the free witness.

sk_D, pk_D = rec["sk"], rec["pk"]
M_D        = rec["M"]
pk_bogus   = mul(G1, rand_scalar(rng))
r_n, r_p   = rand_scalar(rng), rand_scalar(rng)

# Free witness absorbs the constraint:  M_rec' = M_D + r_n*(pk_D - pk_bogus)
M_rec_free = add(M_D, mul(add(pk_D, neg(pk_bogus)), r_n))
E_note = (mul(G1, r_n), add(M_rec_free, mul(pk_bogus, r_n)))   # "same key" pk_bogus
eIss   = (mul(G1, r_p), add(issuer["M"], mul(pk_bogus, r_p)))  # also under pk_bogus

assert eq(dec(*E_note, sk_D), M_D)            # note still decrypts for D: spendable
assert not eq(dec(*eIss, sk_D), issuer["M"])  # compelled sk_D cannot name the issuer
print("naive key-equality coupling: SATISFIED by the adversary, yet")
print(f"  E_note decrypts under sk_D to M_D : True   (note spendable by D)")
print(f"  eIss   decrypts under sk_D to M_I : False  (receipt destroyed)")
print("-> binding to 'a key' is vacuous; the binding must reach a REGISTERED identity")

naive key-equality coupling: SATISFIED by the adversary, yet
  E_note decrypts under sk_D to M_D : True   (note spendable by D)
  eIss   decrypts under sk_D to M_I : False  (receipt destroyed)
-> binding to 'a key' is vacuous; the binding must reach a REGISTERED identity

The honest A2 path: the recipient alone produces a receipt naming both parties. The colluding path: an \( eIss \) keyed to a throwaway point decrypts to garbage that is not a registry member – the membership gate has no witness, so the note cannot be spent.

note = mint_unilateral_a2(issuer["sk"], issuer["E"], M_rec,
                          v=1000, rho=rand_scalar(rng),
                          issuer=0xA11CE, chainid=CHAINID, rng=rng)
receipt = make_receipt(m_rec, note, issuer=0xA11CE, chainid=CHAINID,
                       tree=tree, rng=rng)
res = verify_receipt(receipt, issuer["pk"], issuer["E"], tree.root(), tree)
assert res.valid and eq(res.issuer_M, issuer["M"]) and eq(res.recipient_M, M_rec)
print(f"A2 receipt: {res.reason} -- names issuer {pt(res.issuer_M)}")
print(f"            and recipient {pt(res.recipient_M)}, value {res.value}")

# Collusion: key eIss to a throwaway point.
pk_throw  = mul(G1, rand_scalar(rng))
eIss_bad  = elgamal_encrypt(issuer["M"], pk_throw, rand_scalar(rng))
M_garbage = elgamal_decrypt(eIss_bad, m_rec)
print(f"colluding eIss decrypts under m_rec to {pt(M_garbage)}")
print(f"  registered identity? {tree.contains(M_garbage)} -> membership unprovable;"
      f" deposit gate reverts: un-nameable => un-spendable")

A2 receipt: VALID -- names issuer (24518486..., 10011201...)
            and recipient (48294773..., 86086204...), value 1000
colluding eIss decrypts under m_rec to (87647643..., 90375864...)
  registered identity? False -> membership unprovable; deposit gate reverts: un-nameable => un-spendable

The colluders can build a tie witness over their bogus ciphertext (they know its randomness) – but its \( idHash \) is not the spent note's, so the in-circuit nullifier disagrees with the one the spend consumed, and the on-chain public-input derivation rejects the proof.

from alberta_buck.wallet.note_binding import make_note_binding_witness

s, b = rand_scalar(rng), rand_scalar(rng)
w_honest = make_note_binding_witness(
    rho=note.opening.rho, eNote=note.eNote, eIssCommitted=note.eIss,
    s=s, m_rec=m_rec, b=b, M_I=note.M_I, r_iss=note.r_prime)

r_bad = rand_scalar(rng)
eIss_sub = elgamal_encrypt(issuer["M"], M_rec, r_bad)       # nameable substitute
w_sub = make_note_binding_witness(
    rho=note.opening.rho, eNote=note.eNote, eIssCommitted=eIss_sub,
    s=rand_scalar(rng), m_rec=m_rec, b=b, M_I=issuer["M"], r_iss=r_bad)

print(f"spent note's nullifier      = {hex(int(w_honest['nullifier']))[:20]}...")
print(f"substituted-tie nullifier   = {hex(int(w_sub['nullifier']))[:20]}...")
assert w_sub["nullifier"] != w_honest["nullifier"]
print("-> public-input mismatch: a substituted ciphertext cannot bind THIS spend")

spent note's nullifier      = 0x1e63df3688a6e7f638...
substituted-tie nullifier   = 0x21cbb7dfd6effd1be5...
-> public-input mismatch: a substituted ciphertext cannot bind THIS spend

The production A1 witness builder asserts the full relation: it builds for the addressed identity, and refuses for any other – even for a thief holding the complete opening including the note randomness – because the public face leaves no free plaintext to absorb the re-keying.

from alberta_buck.wallet.unilateral_a1 import mint_unilateral_a1
from alberta_buck.wallet.note_binding import make_note_binding_a1_witness

k = rand_scalar(rng)
sigma_R, sigma_s = mul(G1, k), (k + rand_scalar(rng) * rand_scalar(rng)) % ORDER
note_a1 = mint_unilateral_a1(M_rec, v=100, rho=rand_scalar(rng),
                             m_issuer=m_iss, sigma_R=sigma_R, sigma_s=sigma_s,
                             rng=rng)
t, b1 = rand_scalar(rng), rand_scalar(rng)
w_a1 = make_note_binding_a1_witness(
    rho=note_a1.opening.rho, eNote=note_a1.eNote, v=note_a1.opening.v,
    m_issuer=m_iss, sigma_R=sigma_R, sigma_s=sigma_s,
    r_note=note_a1.r_note, m_rec=m_rec, t=t, b=b1)
print(f"A1 tie witness for the ADDRESSED identity: built "
      f"(public face v = {w_a1['v']})")

m_thief = rand_scalar(rng)        # thief holds the WHOLE opening, incl. r_note
try:
    make_note_binding_a1_witness(
        rho=note_a1.opening.rho, eNote=note_a1.eNote, v=note_a1.opening.v,
        m_issuer=m_iss, sigma_R=sigma_R, sigma_s=sigma_s,
        r_note=note_a1.r_note, m_rec=m_thief, t=t, b=b1)
    print("thief witness: BUILT (must not happen!)")
except AssertionError as exc:
    print(f"A1 tie witness for a thief identity: REFUSED ({exc})")

A1 tie witness for the ADDRESSED identity: built (public face v = 100)
A1 tie witness for a thief identity: REFUSED (eNote.C != v*G + rn*M_rec)

The on-chain halves of every claim are exercised by the repository's suites; the end-to-end lifecycle (real batch mint, real spend, real sigma, real bound membership, real tie, per flavour) reproduces with:

$ make nix-snark-note-binding nix-snark-note-binding-a1   # tie circuits + setups
$ make nix-snark-e2e-fixtures                             # all-real-verifier fixtures
$ nix develop --command forge test --match-contract NotesE2E -vv
[PASS] ... 9 tests: lifecycle, double-spend revert, per-phase gas, x3 flavours