I’ll try to make this as concise as possible without losing too much accuracy:
Value is carried by “notes” which specify an amount and a public key. To each note there is cryptographically associated a commitment, and a nullifier (so that there is a 1:1:1 relation between notes, commitments, and nullifiers). However, it is not possible to correlate a commitment with its nullifier without knowledge of the note. Computing the nullifier requires the associated private key. An unspent valid note, at a given point on the block chain, is one for which the commitment has been publicly revealed on the block chain prior to that point, but the nullifier has not.
Transactions can contain “transparent” inputs, outputs, and scripts, which all work basically as in Bitcoin. They also contain a sequence of zero or more “JoinSplits”. Each JoinSplit takes in a transparent value and up to two input notes, and produces a transparent value and up to two output notes. The nullifiers of the input notes are revealed (thus preventing them from being spent again) and the commitments of the output notes are revealed (thus allowing them to be spent in future). Each JoinSplit also includes a computationally sound zero-knowledge proof-of-knowledge (SNARK) which proves all of the following:
- The inputs and outputs balance (individually for each JoinSplit).
- For each input note of non-zero value, some revealed commitment exists for that note.
- The prover knew the private keys of the input notes.
- The nullifiers and commitments are computed correctly.
- The private keys of the input notes are cryptographically linked to a signature over the whole transaction, in such a way that the transaction cannot be modified by a party who did not know these private keys.
- Each output note is generated in such a way that its nullifier will not collide with the nullifier of any other note.
Outside the SNARK, it is also checked that the nullifiers for the input notes had not already been revealed (i.e. they had not already been spent).
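As an added illustration (not part of the original post, and a toy model rather than Zcash's actual construction): a small Python ledger that enforces the note, commitment and nullifier rules described above. SHA-256 stands in for the real commitment and nullifier functions, and there is no SNARK, so the verifier sees the notes and private keys directly; the rules it checks are the ones listed above.

```python
import hashlib
from dataclasses import dataclass

def h(*parts):  # toy hash standing in for the real commitment/nullifier functions
    return hashlib.sha256(b"|".join(str(p).encode() for p in parts)).hexdigest()

@dataclass(frozen=True)
class Note:
    value: int
    pk: str    # owner's public key; here simply h("pk", sk)
    rho: str   # per-note nonce, so distinct notes get distinct nullifiers

def commitment(note):
    return h("cm", note.value, note.pk, note.rho)

def nullifier(note, sk):
    # Requires the private key; unrelated to commitment(note) unless you hold the note.
    return h("nf", sk, note.rho)

class Ledger:
    """Public chain state: every commitment and nullifier revealed so far."""
    def __init__(self):
        self.commitments, self.nullifiers = set(), set()

    def joinsplit(self, vpub_in, inputs, vpub_out, outputs):
        """Apply a JoinSplit if valid; return "" on success, else the violated rule.
        inputs: list of (Note, private_key); outputs: list of Note."""
        if len(inputs) > 2 or len(outputs) > 2:
            return "at most two input and two output notes"
        if vpub_in + sum(n.value for n, _ in inputs) != vpub_out + sum(n.value for n in outputs):
            return "inputs and outputs do not balance"
        new_nfs, new_cms = [], []
        for note, sk in inputs:
            if note.pk != h("pk", sk):
                return "prover does not know the input note's private key"
            if note.value != 0 and commitment(note) not in self.commitments:
                return "no revealed commitment for a non-zero input note"
            nf = nullifier(note, sk)
            if nf in self.nullifiers or nf in new_nfs:   # the check done outside the SNARK
                return "input note already spent (nullifier revealed)"
            new_nfs.append(nf)
        for note in outputs:
            cm = commitment(note)
            if cm in self.commitments or cm in new_cms:
                return "output note would collide with an existing note"
            new_cms.append(cm)
        self.nullifiers.update(new_nfs)    # inputs can never be spent again
        self.commitments.update(new_cms)   # outputs become spendable
        return ""
```

A JoinSplit with no input notes and a positive transparent input shields value; one with no output notes and a positive transparent output unshields it.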
A payment address includes two public keys: one that matches the public key of notes sent to that address, and another for a key-private asymmetric encryption scheme. “Key-private” means essentially that ciphertexts look like random data and do not reveal information about which key they were encrypted to, except to a holder of the corresponding private key. This is used to communicate encrypted output notes on the block chain to their intended recipient, who can use the corresponding private “viewing key” to scan the block chain for notes addressed to them.