Cryptography

Last updated 3 months ago

This page motivates the cryptographic choices made in Shielder. Some of these choices are not 100% final and are subject to change.

Proof System

We use the Ultraplonk proof system instantiated with a KZG polynomial commitment scheme. The concrete implementation will be a variant of Halo2 (see the Halo2 repositories in the references below). Rationale:

  • We need a reasonably small proof and a fast verifier: proofs are submitted by regular users as part of transactions, so the gas efficiency of the on-chain verifier plays an important role. This rules out the original Halo2 with IPA as the polynomial commitment scheme (see the references below), because the verifier's work is not polylogarithmic. Similarly, hash-based proof systems are still quite expensive in both verification cost and proof size, so we decided against them as well.

  • The prover also needs to be efficient, because regular users are supposed to generate proofs in browsers (or even on mobile).

  • A serious alternative to Ultraplonk is certainly Groth16, which is still state-of-the-art and used by many projects. We decided against it mainly for these reasons:

    • We feel that there is a lot of innovation and progress around Plonk-based proof systems, whereas Groth16 appears to be a fully optimized local optimum.

    • Groth16 is less flexible than Plonk, which makes it harder to add the custom adjustments that certain features might require.

    • The per-circuit trusted setup makes Groth16 somewhat problematic in practice: every update to the system requires a new ceremony, whereas Plonk-based systems have a universal setup.

Elliptic Curve

We need a pairing-friendly elliptic curve in order to use KZG commitments. For the time being we use BN256, at least until support for the BLS12 family of curves is added to Halo2. The final choice will be either BLS12-381 or BLS12-377, because of their higher security level compared to the BN curves and because of the partial support for recursion in BLS12-377, which we might at some point find useful.

It is worth noting that the choice of elliptic curve is probably the only choice that is final and cannot be changed once the system is deployed. The curve determines the field over which our arithmetization (circuits, plonkish tables) is defined. Once state expressed in a particular field has been committed on-chain, it will be close to impossible to move it to another field. That is why the proof system can always be swapped later, whereas the curve is chosen once and for all.
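The following is an added illustration of the point above, not code from Shielder or Aleph Zero. It takes the scalar-field moduli of BN254 (the curve Halo2 calls "bn256") and BLS12-381 as I know them, and uses a constructed toy algebraic hash (not Poseidon) to build a small Merkle root, the kind of state a shielded pool commits on-chain. Every BN254 scalar fits into the BLS12-381 scalar field as an integer, yet the arithmetic relations that produced the committed root do not hold in the new field, so the root cannot simply be reinterpreted there.

```python
# Added example (not Shielder/Aleph Zero code): why the arithmetization field is a
# one-time choice. The moduli are the scalar-field orders of the two curves named on
# the page, stated from memory; "BN256" in Halo2 naming is the curve usually called
# BN254. The hash below is a constructed toy for illustration, NOT Poseidon.

BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
BLS12_381_R = 52435875175126190479447740508185965837690552500527637822603658699938581184513


def toy_hash(a: int, b: int, p: int) -> int:
    """Toy algebraic 2-to-1 compression over F_p (a demo assumption; not Poseidon)."""
    x = (a + b + 1) % p
    for round_constant in (7, 11, 13):            # constructed round constants
        x = (x * x * x + b + round_constant) % p  # cube S-box shape, just to mix
    return x


def merkle_root(leaves: list[int], p: int) -> int:
    """Root of a small Merkle tree whose node hash is toy_hash over F_p.
    Mimics the note-commitment style state a shielded pool keeps on-chain."""
    assert len(leaves) & (len(leaves) - 1) == 0, "demo expects a power-of-two leaf count"
    layer = [leaf % p for leaf in leaves]
    while len(layer) > 1:
        layer = [toy_hash(layer[i], layer[i + 1], p) for i in range(0, len(layer), 2)]
    return layer[0]


def linear_relation_holds(a: int, b: int, c: int, p: int) -> bool:
    """The simplest circuit constraint: a + b == c in F_p."""
    return (a + b) % p == c


# Constructed sample state: four leaves that are valid BN254 scalars.
LEAVES = [BN254_R - 1, BN254_R - 2, 3, 4]


def root_survives_field_change(leaves: list[int]) -> bool:
    """Does a root committed over BN254 still describe the same leaves over BLS12-381?
    The old root fits in the new field as an integer (BN254_R < BLS12_381_R), but the
    hashing relation that produced it is field-specific and does not carry over."""
    old_root = merkle_root(leaves, BN254_R)
    assert old_root < BLS12_381_R                           # fits as an integer ...
    return old_root == merkle_root(leaves, BLS12_381_R)     # ... but is not the same root


if __name__ == "__main__":
    a, b, c = BN254_R - 1, 2, 1   # a + b wraps around to 1 in BN254's scalar field
    print("a + b == c over BN254:    ", linear_relation_holds(a, b, c, BN254_R))
    print("a + b == c over BLS12-381:", linear_relation_holds(a, b, c, BLS12_381_R))
    print("Merkle root survives field change:", root_survives_field_change(LEAVES))
```

The same reasoning applies to every constraint in a real circuit: a witness that satisfies the constraint system over one field is, in general, not a witness over another, which is what makes the committed state and its proofs tied to the curve for good, while the proof system on top of that field can still be replaced.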

SNARK-Friendly Hash

Our initial implementation uses the Poseidon hash or one of its more modern versions (see the references below).

SNARK-Friendly Encryption

See SNARK-friendly Symmetric Encryption and SNARK-friendly Asymmetric Encryption.

References

  • Halo2 (Zcash): https://github.com/zcash/halo2
  • Halo2 fork by Privacy & Scaling Explorations: https://github.com/privacy-scaling-explorations/halo2
  • Halo paper (IPA-based, recursive proof composition without a trusted setup): https://eprint.iacr.org/2019/458
  • Poseidon2 paper: https://eprint.iacr.org/2023/323