SNARK-friendly Asymmetric Encryption

Last updated 2 months ago


For use in anonymity revoking we require a SNARK-friendly asymmetric encryption. Recall that we use the BN254 curve for our cryptography. Let's denote the scalar field of BN254 by $\mathbb{F}_r$, a prime field with $r$ elements. In pseudocode we use the Scalar type; this is exactly the same as $\mathbb{F}_r$.

Grumpkin Curve

For asymmetric encryption we use the familiar ElGamal cryptosystem; however, to make it SNARK-friendly we need a specific choice of the group we work with. Specifically, let $G$ be the Grumpkin elliptic curve, see . This group has the following properties:

  • The base field of Grumpkin is $\mathbb{F}_r$; in other words, the group consists of pairs (affine coordinates) or triples (projective coordinates) of elements of $\mathbb{F}_r$ that satisfy a certain simple arithmetic condition. Similarly, the group operation is defined in terms of a small constant number of arithmetic operations in $\mathbb{F}_r$.

  • The cardinality of $G$ is $|G| = p$ with $p$ being a prime, roughly $p \approx 2^{254}$.

ElGamal Encryption

Let us denote a canonical generator of $G$ by $g$ (in principle this is any element of the group other than the identity element, but it is typically chosen in a specific way). The ElGamal cryptosystem that we use is characterized by the following procedures.

  1. Key generation. The procedure KeyGen() outputs the private key $x \in \mathbb{F}_p$ uniformly at random. The public key is then computed as $h = g^x \in G$ and published.

  2. Encryption. Any party having access to the public key $h$ can encrypt a message $m$. We assume the messages come from $G$ itself: $\mathrm{Enc}(h, m) = (g^r, h^r m) \in G^2$

    where $r$ is chosen uniformly at random from $\mathbb{F}_p$.

  3. Decryption. The private key holder, given the ciphertext $(c_1, c_2)$, computes $\mathrm{Dec}(x, (c_1, c_2)) := c_2 \cdot c_1^{-x}$

    and, as one can easily verify, the original message $m$ is recovered this way: $c_2 \cdot c_1^{-x} = h^r m \cdot g^{-rx} = g^{xr} g^{-rx} m = m$.

Encoding into the message space

Note that the message space in ElGamal above is a little unusual: points on the Grumpkin curve $G$. In circuits we deal with elements of $\mathbb{F}_r$, hence ideally we would like to encode elements of $\mathbb{F}_r$ into $G$. That task however is not that simple, because the encoding must also be SNARK-friendly. Recall that

$$G = \{(x, y) \in \mathbb{F}_r^2 : y^2 = x^3 - 17\}$$

The simplest encoding would then be $x \mapsto (x, y)$ with $y$ chosen so as to make this a point on the curve. This however doesn't work, because not every element $x$ is the first coordinate of some Grumpkin point. However, it ALMOST works, in the sense that for a random $x$ the probability that such a $y$ exists is close to 1/2. This way half of all scalars can be trivially encoded into $G$.

In our application of ElGamal, we need to encrypt key(id), a scalar element that is pseudorandomly generated from id. We require that id has the property that key(id) is encodable as a group element in the sense above; otherwise the id is considered invalid. A user can use only a valid id for its account because validity is checked in the first transaction.
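A worked implementation of the ElGamal procedures above together with the naive $x \mapsto (x, y)$ encoding, added here as an illustration (it is not the Shielder code base): Grumpkin arithmetic over $\mathbb{F}_r$ in affine coordinates, KeyGen/Enc/Dec as defined, and an encode function that returns None for the roughly half of scalars with no matching $y$. The BN254 scalar-field modulus and the Grumpkin group order are the standard published constants; the function names and the affine representation are this example's own choices.

```python
# Added example, not Shielder code: ElGamal over Grumpkin, y^2 = x^3 - 17 over F_r (BN254 scalar field).
import secrets
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # |F_r|
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583  # |G|, prime

def sqrt_mod(a):
    """Tonelli-Shanks square root in F_r (r - 1 = 2^28 * odd); None if a is a non-residue."""
    a %= R
    if pow(a, (R - 1) // 2, R) != 1:
        return None
    q, m = (R - 1) >> 28, 28
    z = next(z for z in range(2, R) if pow(z, (R - 1) // 2, R) == R - 1)  # any non-residue
    c, t, x = pow(z, q, R), pow(a, q, R), pow(a, (q + 1) // 2, R)
    while t != 1:
        i, tt = 0, t
        while tt != 1:
            tt, i = tt * tt % R, i + 1
        b = pow(c, 1 << (m - i - 1), R)
        m, c, t, x = i, b * b % R, t * b * b % R, x * b % R
    return x
def add(p1, p2):
    """Affine group law for y^2 = x^3 + b (a = 0); None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % R == 0:
        return None  # P + (-P)
    lam = (3 * x1 * x1 * pow(2 * y1, -1, R) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, R)) % R
    x3 = (lam * lam - x1 - x2) % R
    return x3, (lam * (x1 - x3) - y1) % R
def mul(k, pt):  # double-and-add; exponents live in Z_p since |G| = p
    acc, k = None, k % P
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def encode(x):
    """The naive x -> (x, y) encoding; None when x^3 - 17 is a non-square (about half of F_r)."""
    y = sqrt_mod((x * x * x - 17) % R)
    return None if y is None else (x % R, y)
G = encode(1)  # generator (1, sqrt(-16)); -16 is a square because r = 1 mod 4
def keygen():
    x = 1 + secrets.randbelow(P - 1)      # private key, uniform in [1, p-1]
    return x, mul(x, G)                   # (x, h = g^x)
def encrypt(h, m):
    r = 1 + secrets.randbelow(P - 1)      # fresh randomness per ciphertext
    return mul(r, G), add(mul(r, h), m)   # (g^r, h^r * m)
def decrypt(x, c):
    return add(c[1], mul(P - x, c[0]))    # c2 * c1^(-x); -x is p - x in Z_p
```

Checking that `mul(P, G)` is the point at infinity confirms the stated group order, and the round trip `decrypt(x, encrypt(h, m)) == m` is the verification step from the decryption procedure.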
