Knowledge Base
  • Introduction
  • SHIELDING
    • Shielded pools
    • Key generation process
    • Privacy best practices
  • Fraud protection
  • Web App – User Guide
  • SMART YIELD
    • How does Smart Yield work?
    • Governance Model
    • Shielding
  • COMMON ECONOMY
    • The Economy of Common
    • CMN Token
    • CMN Tokenomics and Vesting Schedules
    • CMN Airdrops
    • Shared Fees and Reward Economics of Common
  • Wallet (Extension)
    • Introduction
    • Getting Started
    • Usage
    • Settings
  • DEX and Bridge (Aleph Zero WASM layer 1)
    • Account
      • How to Connect Your Wallet
      • Video Guide: How to Connect Your Wallet
      • How to Check Your Balance
      • Video Guide: How to Check Your Balance
    • Swap
      • How to Swap Tokens
      • Video Guide: How to Swap Tokens
    • Farm
      • How to Farm
      • Video Guide: How to Farm
    • Pool
      • Explaining Liquidity Pools
      • Video guide: Explaining Liquidity Pools
      • Managing Liquidity Pools with Custom Tokens
      • Video Guide: Managing Liquidity Pools with Custom Tokens
    • Bridge
      • How to Bridge With Most
        • Ethereum to Aleph Zero WASM
        • Aleph Zero WASM to Aleph Zero EVM
      • Video Guide: How to Bridge With MOST?
      • Bridging 10,000+ AZERO from Aleph Zero WASM to EVM
  • Protocol Details
    • Shielder
    • Overview
    • Design Against Bad Actors
    • Preliminaries: ZK Relations
    • Notes and Accounts
    • ZK-ID and Registrars
    • Anonymity Revokers
    • PoW Anonymity Revoking
    • Relayers
    • Deterministic Secret Management
    • SNARK-friendly Symmetric Encryption
    • SNARK-friendly Asymmetric Encryption
    • Cryptography
    • Token Shortlist
    • User Wallet
    • Versioning
    • PoC
    • Version 0.1.0
    • Version 0.2.0
Powered by GitBook
On this page

Was this helpful?

  1. Protocol Details

SNARK-friendly Asymmetric Encryption

PreviousSNARK-friendly Symmetric EncryptionNextCryptography

Last updated 5 days ago

Was this helpful?

For the use in anonymity revoking we require a SNARK-friendly asymmetric encryption. Recall that we use the BN254 curve for our cryptography. Let's denote the scalar field of BN254 by Fr\mathbb{F}_rFr​​ — a prime field with relements. In pseudocode we use the Scalar type — this is exactly the same as Fr\mathbb{F}_rFr​.​

Grumpkin Curve

For asymmetric encryption we use the familiar ElGamal cryptosystem, however to make it snark-friendly we need a specific choice of the group we work with. Specifically let GGG be the Grumpkin elliptic curve — see . This group has the following properties:

  • The base field of Grumpkin is x2x^2x2Fr\mathbb{F}_rFr​​ thus in other words, the group consists of pairs (affine coordinates) or triples (projective coordinates) of elements of Fr\mathbb{F}_rFr​​ that satisfy a certain simply arithmetic condition. Similarly, the group operation is defined in terms of a small constant number of arithmetic operations in Fr\mathbb{F}_rFr​​.

  • The cardinality of GGG is ∣G∣=p∣G∣=p∣G∣=p with ppp being a prime, roughly p≈2254p≈2254p≈2254.

ElGamal Encryption

Let us denote any canonical generator of GG by gg (this is in principle any element of the group that is not the identity element, but it is typically chosen in a specific way). The ElGamal cryptosystem that we use is characterized by the following procedures.

  1. Key generation. The procedure KeyGen()outputs the private key x∈Fpx∈\mathbb{F}_px∈Fp​​ uniformly at random. Moreover, the public key is then computed h=gx∈Gh=g^x∈Gh=gx∈G and published.

  2. Encryption. Any party having access to the public key hhh can encrypt a message mmm. We assume the messages come from GGG itself. Enc(h,m)=(gr,hrm)∈G2Enc(h,m)=(g^r,h^rm)∈G^2Enc(h,m)=(gr,hrm)∈G2

    where rrr is chosen uniformly at random from Fp\mathbb{F}_pFp​​.

  3. Decryption. The private key holder, given the ciphertext (c1, c2) computes: Dec(x,(c1,c2)):=c2⋅c1−xDec(x,(c_1,c_2)):=c_2⋅c_1^{−x}Dec(x,(c1​,c2​)):=c2​⋅c1−x​

    and as one can easily verify, the original message mmm is recovered this way.

Encoding into the message space

Note that the message space in ElGamal above is a little weird — points on the Grumpkin Curve GGG. In circuits we deal with elements in Fr\mathbb{F}_rFr​​ hence ideally we would like to encode elements of Fr\mathbb{F}_rFr​​ into GGG. That task however is unfortunately not that simple, because the encoding must be also snark-friendly. Recall that

G=(x,y)∈Fr:y2=x3−17G={(x,y)∈\mathbb{F}_r:y^2=x^3−17}G=(x,y)∈Fr​:y2=x3−17

The simplest encoding would be then x↦(x,y)x↦(x,y)x↦(x,y) with yyy chosen so as to make this point on curve. This however doesn't work, because not every element xxx is the first coordinate of some grumpkin element. However, it ALMOST works, in the sense that for a random xxx the probability that yyy exists is close to 1/2. This way half of all scalars can be trivially encoded into GGG.

In our application of ElGamal, we need to encrypt key(id) a scalar element that is pseudorandomly generated from id. We require that id has this property that key(id) is encodeable as a group element in the sense above, otherwise the idis considered invalid. A user can use only a valid id for its account because validity is checked in the first transaction.

Grumpkin