转移 Token

如何将代币从一个token account机密转账至另一个token account

要将代币从一个token account机密转账至另一个token account，发送方和接收方都必须拥有配置了 ConfidentialTransferAccount 状态并已获批准进行机密转账的token account。发送方的token account还必须具有可用的机密余额以供转账。

要机密转账代币：

在客户端创建三个证明：

相等性证明 (CiphertextCommitmentEqualityProofData)：验证转账后新的可用余额密文与其对应的 Pedersen 承诺相匹配，确保来源账户的新可用余额被正确计算为 new_balance = current_balance - transfer_amount。

密文有效性证明 (BatchedGroupedCiphertext3HandlesValidityProofData)：验证转账金额密文已为三方（来源方、目标方和审计方）正确生成，确保转账金额已在各方公钥下正确加密。

范围证明 (BatchedRangeProofU128Data)：验证新的可用余额和转账金额（拆分为低位/高位）均为非负数且在指定范围内。
对每个证明：
- 调用 ZK ElGamal 证明程序以验证证明数据。
- 将证明相关的元数据存储在证明"上下文状态"账户中，以供其他指令使用。
调用 ConfidentialTransferInstruction::Transfer 指令，并提供证明上下文状态账户。
关闭证明上下文状态账户，以找回用于创建它们的 SOL。

下图展示了将代币从发送方的token account转账至接收方的token account的步骤。

Transfer Tokens

所需指令

要将代币从一个token account机密转账至另一个token account，您必须：

在客户端生成相等性证明、密文有效性证明和范围证明
调用 Zk ElGamal 证明程序以验证证明并初始化"上下文状态"账户
调用 ConfidentialTransferInstruction::Transfer 指令，并提供三个证明账户。
关闭三个证明账户以找回 rent。

下方的 Rust 示例使用 spl-token-confidential-transfer-proof-generation crate 生成证明，通过 ZK ElGamal Proof 程序将每个证明验证到上下文状态账户中，在转账指令中引用这三个账户，并在之后关闭它们。TypeScript 示例使用 @solana-program/token-2022/confidential 中的 getConfidentialTransferInstructionPlan 辅助函数，该函数将相同的证明账户、转账和关闭操作组装为一个多交易指令计划。

示例代码

以下示例将代币从一个账户机密转账至另一个账户。两个账户必须已配置为支持机密转账，且发送方必须拥有可用的机密余额。

机密转账依赖于 ZK ElGamal Proof 程序，该程序已在主网和开发网上启用。标准的 solana-test-validator 不会启用该程序，但主网分叉的本地 validator（如 Surfpool）会启用。请在上述环境之一（代码使用开发网）中使用已充值的付款方运行示例，并将占位符替换为您的铸币地址以及发送方和接收方账户。

Rust



const ZK_PROOF_PROGRAM_ID: Pubkey =
    solana_pubkey::pubkey!("ZkE1Gama1Proof11111111111111111111111111111");

fn main() -> Result<()> {
    let rpc_client = RpcClient::new_with_commitment(
        String::from("https://api.devnet.solana.com"),
        CommitmentConfig::confirmed(),
    );

    // Sender = fee payer = token account owner. Both the sender and recipient
    // accounts must already be configured for confidential transfers, and the
    // sender must have an available confidential balance (deposit then apply
    // pending balance beforehand).
    let sender = load_keypair()?;
    let amount: u64 = 100;

    // Setup: create confidential accounts and fund the sender.
    let recipient_keypair = Keypair::new();
    let (mint, sender_token_account, recipient_token_account) =
        setup_transfer_accounts(&rpc_client, &sender, &recipient_keypair, amount)?;

    // Read the recipient's ElGamal public key from their confidential account.
    let recipient_acc = rpc_client.get_account(&recipient_token_account)?;
    let recipient_state = StateWithExtensions::<TokenAccount>::unpack(&recipient_acc.data)?;
    let recipient_elgamal_pubkey: ElGamalPubkey = recipient_state
        .get_extension::<ConfidentialTransferAccount>()?
        .elgamal_pubkey
        .try_into()
        .map_err(|e| anyhow::anyhow!("recipient ElGamal pubkey: {e:?}"))?;

    // Read the optional auditor ElGamal public key from the mint.
    let mint_acc = rpc_client.get_account(&mint)?;
    let mint_state = StateWithExtensions::<Mint>::unpack(&mint_acc.data)?;
    let mint_ext = mint_state.get_extension::<ConfidentialTransferMint>()?;
    let auditor_elgamal_pubkey: Option<ElGamalPubkey> =
        Option::<PodElGamalPubkey>::from(mint_ext.auditor_elgamal_pubkey)
            .map(|pod| {
                ElGamalPubkey::try_from(pod).map_err(|e| anyhow::anyhow!("auditor pubkey: {e:?}"))
            })
            .transpose()?;

    // Derive the sender's keys and read their current confidential balance.
    let (sender_elgamal, sender_aes) =
        derive_confidential_keys(&sender, &sender_token_account.to_bytes())
            .map_err(|e| anyhow::anyhow!("derive confidential keys: {e}"))?;

    let sender_acc = rpc_client.get_account(&sender_token_account)?;
    let sender_state = StateWithExtensions::<TokenAccount>::unpack(&sender_acc.data)?;
    let sender_ext = sender_state.get_extension::<ConfidentialTransferAccount>()?;
    let current_available: ElGamalCiphertext = sender_ext
        .available_balance
        .try_into()
        .map_err(|e| anyhow::anyhow!("available balance: {e:?}"))?;
    let current_decryptable: AeCiphertext = sender_ext
        .decryptable_available_balance
        .try_into()
        .map_err(|e| anyhow::anyhow!("decryptable balance: {e:?}"))?;

    // Generate the three transfer proofs (equality, ciphertext-validity, range).
    let proof_data = transfer_split_proof_data(
        &current_available,
        &current_decryptable,
        amount,
        &sender_elgamal,
        &sender_aes,
        &recipient_elgamal_pubkey,
        auditor_elgamal_pubkey.as_ref(),
    )
    .map_err(|e| anyhow::anyhow!("transfer_split_proof_data: {e}"))?;

    // Create one context state account per proof, owned by the ZK program.
    let equality_account = Keypair::new();
    let validity_account = Keypair::new();
    let range_account = Keypair::new();
    let equality_size = size_of::<ProofContextState<CiphertextCommitmentEqualityProofContext>>();
    let validity_size =
        size_of::<ProofContextState<BatchedGroupedCiphertext3HandlesValidityProofContext>>();
    let range_size = size_of::<ProofContextState<BatchedRangeProofContext>>();
    let create = |account: &Keypair, space: usize| -> Result<Instruction> {
        Ok(system_instruction::create_account(
            &sender.pubkey(),
            &account.pubkey(),
            rpc_client.get_minimum_balance_for_rent_exemption(space)?,
            space as u64,
            &ZK_PROOF_PROGRAM_ID,
        ))
    };
    let equality_create_ix = create(&equality_account, equality_size)?;
    let validity_create_ix = create(&validity_account, validity_size)?;
    let range_create_ix = create(&range_account, range_size)?;

    // The sender is the context-state authority for all three proof accounts.
    let authority: Address = sender.pubkey().to_bytes().into();
    let equality_verify_ix = ProofInstruction::VerifyCiphertextCommitmentEquality
        .encode_verify_proof(
            Some(ContextStateInfo {
                context_state_account: &Address::from(equality_account.pubkey().to_bytes()),
                context_state_authority: &authority,
            }),
            &proof_data.equality_proof_data,
        );
    let validity_verify_ix = ProofInstruction::VerifyBatchedGroupedCiphertext3HandlesValidity
        .encode_verify_proof(
            Some(ContextStateInfo {
                context_state_account: &Address::from(validity_account.pubkey().to_bytes()),
                context_state_authority: &authority,
            }),
            &proof_data
                .ciphertext_validity_proof_data_with_ciphertext
                .proof_data,
        );
    let range_verify_ix = ProofInstruction::VerifyBatchedRangeProofU128.encode_verify_proof(
        Some(ContextStateInfo {
            context_state_account: &Address::from(range_account.pubkey().to_bytes()),
            context_state_authority: &authority,
        }),
        &proof_data.range_proof_data,
    );

    // Transaction 1: create all three accounts and verify the validity proof.
    send_tx(
        &rpc_client,
        &[
            equality_create_ix,
            validity_create_ix,
            range_create_ix,
            validity_verify_ix,
        ],
        &[&sender, &equality_account, &validity_account, &range_account],
    )?;
    // Transaction 2: verify the range proof (the largest, on its own).
    send_tx(&rpc_client, &[range_verify_ix], &[&sender])?;

    // Compute the sender's new decryptable available balance after the transfer.
    let current_plaintext = current_decryptable
        .decrypt(&sender_aes)
        .context("decrypt available balance")?;
    let new_plaintext = current_plaintext
        .checked_sub(amount)
        .context("insufficient available balance")?;
    let new_decryptable: PodAeCiphertext = sender_aes.encrypt(new_plaintext).into();

    let auditor_lo = proof_data
        .ciphertext_validity_proof_data_with_ciphertext
        .ciphertext_lo;
    let auditor_hi = proof_data
        .ciphertext_validity_proof_data_with_ciphertext
        .ciphertext_hi;

    let transfer_ix = inner_transfer(
        &spl_token_2022::id(),
        &sender_token_account,
        &mint,
        &recipient_token_account,
        &new_decryptable,
        &auditor_lo,
        &auditor_hi,
        &sender.pubkey(),
        &[],
        ProofLocation::ContextStateAccount(&equality_account.pubkey()),
        ProofLocation::ContextStateAccount(&validity_account.pubkey()),
        ProofLocation::ContextStateAccount(&range_account.pubkey()),
    )?;

    // Transaction 3: verify the equality proof, run the transfer, and close the
    // three proof accounts to reclaim their rent.
    let close = |account: &Keypair| {
        close_context_state(
            ContextStateInfo {
                context_state_account: &Address::from(account.pubkey().to_bytes()),
                context_state_authority: &authority,
            },
            &authority,
        )
    };
    let instructions = [
        equality_verify_ix,
        transfer_ix,
        close(&equality_account),
        close(&validity_account),
        close(&range_account),
    ];
    let blockhash = rpc_client.get_latest_blockhash()?;
    let transaction = Transaction::new_signed_with_payer(
        &instructions,
        Some(&sender.pubkey()),
        &[&sender],
        blockhash,
    );
    let signature = rpc_client.send_and_confirm_transaction(&transaction)?;

    println!("Transferred {amount} tokens confidentially: {signature}");
    Ok(())
}

Typescript



const client = await createClient()
  .use(signerFromFile(join(homedir(), ".config/solana/id.json")))
  .use(
    solanaRpc({
      rpcUrl: "https://api.devnet.solana.com",
      maxConcurrency: 1
    })
  )
  // Temporary custom plugin to skip the default compute-budget estimate
  // so proof instructions fit within the transaction message cap.

// The Solana CLI default keypair, used as fee payer, mint authority, and sender.
const owner = client.payer;
const recipient = await generateKeyPairSigner();
const depositAmount = 100n;
const amount = 25n;
const decimals = 2;

// Setup: create source and destination confidential accounts, then fund source.
const mint = await createConfidentialMint(client, owner, decimals);
const auditorElgamalPubkey = await getAuditorElgamalPubkey(client, mint);
const sourceToken = await createConfidentialTokenAccount(client, owner, mint);
const destinationToken = await createConfidentialTokenAccount(
  client,
  recipient,
  mint
);
await mintPublicTokens(client, owner, mint, sourceToken, depositAmount);
await depositTokens(client, owner, mint, sourceToken, depositAmount, decimals);
await applyPendingBalance(client, owner, mint, sourceToken);

// Derive the sender's recoverable ElGamal and AES keys, bound to (owner, mint).
const { elgamalKeypair: sourceElgamalKeypair, aesKey } =
  await deriveConfidentialKeys(owner, mint);

// The helper reads the recipient key from the destination account; pass the
// configured auditor key so the proof matches the mint configuration.
const sourceTokenAccount = (await fetchToken(client.rpc, sourceToken)).data;
const destinationTokenAccount = (await fetchToken(client.rpc, destinationToken))
  .data;

// Builds the proof context-state accounts, the transfer, and the closes as a
// multi-transaction plan (the three proofs are too large for one transaction).
const plan = await getConfidentialTransferInstructionPlan({
  rpc: client.rpc,
  payer: owner,
  authority: owner,
  mint,
  sourceToken,
  sourceTokenAccount,
  destinationToken,
  destinationTokenAccount,
  auditorElgamalPubkey,
  amount,
  sourceElgamalKeypair,
  aesKey
});

const result = await client.sendTransactions(plan);
const summary = summarizeTransactionPlanResult(result);
const signature =
  summary.successfulTransactions[summary.successfulTransactions.length - 1]
    .context.signature;
console.log(`Transferred ${amount} tokens confidentially: ${signature}`);