Zerocaf: A library built for EC operations in Zero Knowledge.

Overview

Dusk-Zerocaf Build Status codecov GitHub closed issues Crates.io

WARNING: WIP Repo.

Fast, efficient and bulletproof-friendly cryptographic operations.

This repository contains an implementation of the Sonny curve over the Ristretto Scalar field: a pure Rust implementation designed by Dusk team.

Special thanks to Isis Agora Lovecruft and Henry de Valence for their implementation of Curve25519-dalek library, which has been so useful in order to get some of the basic arithmetic ops and the structure of our library.

Ristretto curve

Ristretto is a technique for constructing prime order elliptic curve groups with non-malleable encodings.

The Ristretto protocol arose as an extension of Mike Hamburg's Decaf approach to cofactor elimination, which is applicable to curves of cofactor 4, whereas the Ristretto is designed for non-prime-order curves of cofactor 8 or 4. Ristretto was designed by the dalek-cryprography team, specifically, Henry de Valence and Isis Agora Lovecruft to whom we greatly appreciate their work and dedication.

Ristretto Scalar Field And Bulletproofs.

Originally designed to abstract non-prime-order curves into prime-order scalar fields, the Ristretto abstraction would have been far too inefficient to implement for Bulletproofs zero-knowledge proof. Therefore the Ristretto scalar field is used to solve all negative impacts of using cofactors equalling 8 on the Ristretto curve.. The strategy is to use a Ristretto embedded curve (also called Sonny Curve), as the initial operations within zerocaf are performed therein. zerocaf opens up new opportunities for the use cases of zero-knowledge proofs inside the Dusk Network protocol as well as making a Bulletproof-integrated ring signature substitute possible, with orders of magnitude performance improvements compared to the fastest ringsig implementation.

Within this library, the implementation of the Ristretto to construct the curve with desired properties is made possible by defining the curve over the scalar field, using only a thin abstraction layer, which in turn allows for systems that use signatures to be safely extended with zero-knowledge protocols. These zero-knowledge protocols are utilised with no additional cryptographic assumptions and minimal changes in the code. The Ristretto scalar field is Bulletproof friendly, which makes it possible to use both cryptographic protocols in tandem with one another, as they are centric to contemporary applications of elliptic curve operations.

Details

Curve parameters:

Variable Value Explanation
Equation Edwards -x²+y²=1-$\frac{126296}{126297}$x²y² -
a -1 -
d $-\frac{126296}{126297}$ -
B $\frac{3}{5}$ Edwards Basepoint Y-coordinate With X > 0

Montgomery y²=x³+505186*x²+x
u(P) 4
A 505186

Weierstrass y²=x³+ax+b
a 7237005577332262213973186563042994240857116359379907606001950828033483786813
b 445582015604702849664
Variable Value Explanation
G 2²⁵² + 115924404605461509904689566245241897752 Curve order
p 2²⁵² + 27742317777372353535851937790883648493 Prime of the field
r 2²⁴⁹ + 15114490550575682688738086195780655237219 Prime of the Sub-Group

Encoding / Decoding tools

In order to work with our points along the curve, or any non trivial computuaions, for example those with tough notations - there has been a set of tools and examples which have been created to make facilitate the Encoding/Decoding processes. These can be found at: tools/src/main.rs

Examples

num_from_bytes_le(&[76, 250, 187, 243, 105, 92, 117, 70, 234, 124, 126, 180, 87, 149, 62, 249, 16, 149, 138, 56, 26, 87, 14, 76, 251, 39, 168, 74, 176, 202, 26, 84]);
// Prints: 38041616210253564751207933125345413214423929536328854382158537130491690875468
    
let res = to_field_elem_51(&"1201935917638644956968126114584555454358623906841733991436515590915937358637");
println!("{:?}", res);
// Gives us: [939392471225133, 1174884015108736, 2226020409917912, 1948943783348399, 46747909865470]

hex_bytes_le("120193591763864495696812611458455545435862390684173399143651559091593735863735685683568356835683");
// Prints: Encoding result -> [63, 41, b7, c, b, 79, 94, 7b, 21, d2, fe, 7b, c8, 89, c9, 7f, 76, c8, 9b, a3, 58, 18, 39, a, f2, d2, 7c, 17, ed, 7f, 6, c4, 9d, 44, f3, 7c, 85, c2, 67, e]
// Put the 0x by yourseleves and if there's any value alone like `c` padd it with a 0 on the left like: `0x0c`

from_radix_to_radix_10("1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab", 16u32);
// Prints: 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787

When performing operations with large values, such as: 2²⁵² - 121160309657751286123858757838224683208, it is recomended to compute them through SageMath, as the user interface adheres to these types of functions. From SageMath, they can be converted in a consistent format and easily compiled into Rust.

Roadmap:

Note: the refactoring relations are expressed as indentations

  • Build Scalar Arithmetics and Scalar Struct definition.
    • Find the proper radix value for FieldElement.
    • Add the required constants for computation.
      • Implement Addition.
      • implement Subtraction.
      • Implement Byte-encoding/decoding.
      • Implement From for uint native types.
      • Implement Ord, PartialOrd, Eq & PartialEq.
      • Implement Multiplication on u64-backend with u128 usage.
      • Implement Squaring.
      • Implement Half for even numbers.
      • Implement Modular Negation.
      • Implement Montgomery_reduction.
      • Define Montgomery_reduction algorithm.
  • Create FieldElement Struct and implement the basic operations we need on a u64 backend.
    • Find the proper radix value for FieldElement.
    • Add basic and needed constants.
    • Implement Reduce function to make the FieldElements fit on a 5 u64-bit limbs.
      • Implement Addition.
      • Implement Subtraction.
      • Implement Byte-encoding/decoding.
      • Implement From for uint native types.
      • Implement Ord, PartialOrd, Eq & PartialEq.
      • Implement Multiplication on u64-backend with u128 usage.
      • Implement Squaring.
      • Implement Half for even numbers
      • Implement Modular Negation.
      • Implement Montgomery_reduction.
      • Define Montgomery_reduction algorithm.
      • Implement Modular inversion.
      • Research about addition chains inversion methods.
    • Add proper tests for every function.
  • Implement Edwards Points
    • Implement Twisted Edwards Extended Coordiantes.
      • Implement Point Addition.
      • Implement Point Subtraction.
      • Implement Point Doubling.
      • Implement Scalar Mul.
      • Implement from_bytes conversions.
      • Implement to byte conversions.
      • Implement compressed Edwards point Y-coordinate.
    • Implement Twisted Edwards Projective Coordiates.
      • Implement Point Addition.
      • Implement Point Subtraction.
      • Implement Point Doubling.
      • Implement Scalar Mul.
      • Implement from_bytes conversions.
      • Implement to byte conversions.
      • Implement compressed Edwards point Y-coordinate.
    • Represent Edwards points as Ristretto points using wrapping type or struct.
    • Cargo doc testing and improvement.
    • Decide the best use cases of the various Edwards coordinate types (compressed, standard, extended, projective).
    • Benchmark different implementations and algorithms.
  • Implement Ristretto Mapping.
    • Implement 4coset debugging function.
    • Build and test torsion points.
    • Implement Ecoding & Decoding algorithms.
    • Implement Equalty testing.
    • Implement Elligator-ristretto-flavour.
    • Test all of the algorithms implemented.
Comments
  • #ITEM 1 - Document proofs for save Curve criteria

    #ITEM 1 - Document proofs for save Curve criteria

    This issue lives under the item: https://gitlab.dusk.network/dusk-org/tech/issues/1

    Create a document to show that Doppio meets the safe curve criteria. Listed at https://safecurves.cr.yp.to/

    opened by LukePearson1 9
  • #ITEM 2 - Ristretto Implementation over Sean's Doppio Curve

    #ITEM 2 - Ristretto Implementation over Sean's Doppio Curve

    Since the curve that Sean provided in:

    Provides values for the Twisted Edwards form that aren't suitable for a Ristretto protocol implementation we have two options:

    • Find an isomorphic twist that allows us to mantain the same orders for the Finite Field and also the Sub group, and at the same time, gives a & d values that are suitable for a Ristretto implementation.

    • Choice a diferent curve. This will force us to:

      • Find the new order of the Sub group and refactor the Scalar implementation to work over the new order and implement Decaf or Ristretto depending on the co-factor that the new curve provides.

    It seems that @Bounce23 found an isomorphic twist that can do the job. We will update here the discussions.

    help wanted research discussion 
    opened by CPerezz 6
  • Ristretto Basepoint issues on Compression/Decompression process.

    Ristretto Basepoint issues on Compression/Decompression process.

    The standard behavior of the RistrettoPoint works like:

    RistrettoPoint --> compression --> CompressedRistretto CompressedRistretto --> decompression --> RistrettoPoint

    Obviously, the expected behavior for a point compression followed by a point decompression is to obtain the same exact point in Twisted Edwards Extended Coordinates. We should obtain the same RistrettoPoint we used as input.

    Also, with the equality formulas that appear on: https://ristretto.group/formulas/equality.html this statement mentioned above should happen always.

    So after making some tests, I verified that:

     #[test]
     fn point_comp_decomp_equivalence() {
            // This should give the RISTRETTO_BASEPOINT. 
            assert!(constants::RISTRETTO_BASEPOINT.compress().decompress().unwrap() ==       constants::RISTRETTO_BASEPOINT);
        }
    
    //This test does not pass and it should.
    

    This happened on: e8066b52 and my ideas are:

    • The Basepoint is not the one on it's 4-coset that would be encoded as RistettoPoint.
    • The compression/decompression processes are not working as expected.
    • The point really pertains to the coset and current equalty does not catch it.
    bug review needed 
    opened by CPerezz 5
  • #ITEM 1 - Review Phase 1 of Kalinski's algorithm.

    #ITEM 1 - Review Phase 1 of Kalinski's algorithm.

    Since the algorithm implemented on #9 was passing the tests, we thought that Phase I was working correctly.

    But while working on #14 we realized the function only works for the tested value surprisingly ..

    So now it's time to find the bug that it's affecting Phase I of the Kalinski's algorithm.

    opened by CPerezz 5
  • #ITEM 1- Implement Savas & Koç Montgomery modular inverse algorithm

    #ITEM 1- Implement Savas & Koç Montgomery modular inverse algorithm

    This issue is under the item: https://gitlab.dusk.network/dusk-org/tech/issues/1.

    The goal is to implement: Montgomery inversion - Erkay Sava ̧s & Çetin Kaya Koç J Cryptogr Eng (2018) 8:201–210 https://doi.org/10.1007/s13389-017-0161-x

    And benchmark the algo vs. Kalinski's one implemented on #9 .

    Addition chais are probably a higher performance solution. Maybe @Bounce23 can bring some light researching a bit.

    enhancement research 
    opened by CPerezz 5
  • Add Ristretto skeleton fully tested.

    Add Ristretto skeleton fully tested.

    This PR aims to implement:

    • RistrettoPoint definition as a wrapper over EdwardsPoint.
    • RistrettoPoint ops support (as fast as EdwardsPoint ops are).
    • RistrettoPoint Equality testing improvements to the EdwardsPoint one.
    • Elligator-ristretto-flavour support for RistrettoPoints.
    • Uniformly distributed random point generation.
    • ValidityCheck trait for debug purposes.
    • 4-coset representation functions.
    enhancement review needed 
    opened by CPerezz 4
  • ITEM 2 - Provide support for Point Operations expressed in Projective Coordinates.

    ITEM 2 - Provide support for Point Operations expressed in Projective Coordinates.

    This issue lives under the item: https://gitlab.dusk.network/dusk-org/tech/issues/2

    Following the notes on the paper: Source: 2008 Hisil–Wong–Carter–Dawson, we need to give support for all of the Twisted Edwards Point Operations.

    The list will be:

    • Point Addition.
    • Point Subtraction.
    • Point Doubling.
    • Scalar Multiplication per Point.

    It's also important to follow the guidelines explained in #47 to enable easier further implementations.

    enhancement good first issue 
    opened by CPerezz 4
  • Implement Montgomery modular inverse algorithm

    Implement Montgomery modular inverse algorithm

    After continuous review of the possible algorithms, the decided algorithm will be the one implemented by 'E. Savas, C. K. Koc', :- 'http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.75.8377&rep=rep1&type=pdf'

    The chosen Montgomery modular inverse algorithm divides the fore computation into two parts, Phase 1 & Phase 2.

    Problems to address:

    • Outline values for both phases s.t. they multiply to 1 (mod p)
    • Determine whether the output values will be even or odd. Initial even values must be divided by 2 and then 2p is used for modulo
    opened by LukePearson1 4
  • Implement conversion between FieldElement & RistrettoScalar

    Implement conversion between FieldElement & RistrettoScalar

    Another important step on the implementation is to create the conversion FieldElement <-> RistrettoScalar.

    RistrettoScalar struct was implemented by Dalek devs on Curve25519. So we can maybe review it and pick it or implement it by ourselves.

    enhancement review needed 
    opened by CPerezz 4
  • Knowledge of a secret key

    Knowledge of a secret key

    Create a code snippet that works as follows:

    Given a Scalar a that, provided only a · G, you prove you know a without revealing a.

    Preferably with bulletproofs

    research blocking 
    opened by vlopes11 3
  • Code alteration

    Code alteration

    This pull request is mostly covering refactoring and doing a replacement of the code in line with the new curve model, as well as a change in terms. Whether this is kept open or not, as I continue to commit is not very important. However just ensure that the same refactoring isn't done on other forks, as it would be unecessary.

    Whilst perusing, I have come across 4 aspects in the code which I would like to go through with @CPerezz before making changes.


    Extra work that has been done in addition to refactoring, includes:

    • Showing the curve derivation constants and the modified script
    • Build python script for new point operations with Sonny curve
    opened by LukePearson1 3
  • Implement ff traits on Scalar type

    Implement ff traits on Scalar type

    Describe what you want implemented Implement https://github.com/zkcrypto/ff traits on Scalar type

    Describe "Why" this is needed A clear and concise description of why you need this to be implemented We would like to use Sonny for circuits in https://github.com/microsoft/Spartan. Spartan requires scalars to implement the ff traits. If we implement the traits in Spartan then we need to create a wrapper type.

    Describe alternatives you've considered Implement Scalar wrapper that implements traits in Spartan.

    Additional context The source on github also seems to be out of sync with the crate with the same version number published to crates.io. Can we get a new release?

    Thanks.

    opened by arthurgreef 0
  • Implement Scalar::from_bytes_wide

    Implement Scalar::from_bytes_wide

    Describe what you want implemented Scalar::from_bytes_wide.

    Describe "Why" this is needed A clear and concise description of why you need this to be implemented We would like to use Sonny for circuits in https://github.com/microsoft/Spartan.

    Describe alternatives you've considered curve25519-dalek but that library is not ZK friendly.

    Additional context The source on github also seems to be out of sync with the crate with the same version number published to crates.io. Can we get a new release?

    Thanks.

    opened by arthurgreef 0
  • Finish Zerocaf paper

    Finish Zerocaf paper

    The Zerocaf paper is now centric around Fq arithmetic inside of Fq circuits. This is to be finished and put into Review prior to an IACR.

    This Epic will have to include iterations of each of the sections and then their individual review.

    area:cryptography area:documentation need:documentation team:R&D Epic 
    opened by LukePearson1 0
  •  Implement Into_Iter for EdwardsPoint and RistrettoPoint

    Implement Into_Iter for EdwardsPoint and RistrettoPoint

    It would be nice to have an implementation that returns an iterator over the 4 coordinates of a RistrettoPoint or an EdwardsPoint.

    Ex:

    use zerocaf::edwards::EdwardsPoint;
    use zerocaf::traits::Identity();
    let identity = EdwardsPoint::Identity();
    identity.into_iter().map(|coordinate| do_something_with_cooord(coordinate)).collect();
    
    good first issue end_user_utility team:R&D 
    opened by CPerezz 0
  • #ITEM 2 - Finnish docs and examples for Ristretto release

    #ITEM 2 - Finnish docs and examples for Ristretto release

    Currently, we need to:

    • Add some docs about how Ristretto works and some code examples on the ristretto.rs file.
    • Review all of the library comments in order to make sure that they are correct.
    • Refactor the examples of the library and include a ECDH one.
    enhancement documentation team:R&D 
    opened by CPerezz 2
Releases(v0.2.0)
  • v0.2.0(Jul 26, 2019)

    This version implements:

    • Extra operations needed for FieldElement and Scalar as mod_sqrt or mod_pow.

    • Usage of Twisted Edwards Extended Coordinates operations. #33

    • Usage of Twisted Edwards Projective Coordinates operations. #56

    • Usage of Twisted Edwards Affine Coordinates for point comparison. #66

    • Implementation of Compressed points which compress the sign of the x-coordinate of an EdwardsPoint. #69 #30

    • Implement Point generation from a Y coordinate of the curve. #57

    • Implement Random Point generation over Doppio. #51

    • Docs and examples for all of the implemented modules. #52 #54 #70 #72

    Source code(tar.gz)
    Source code(zip)
    dusk-zerocaf-0.2.0.tar.gz(20.00 MB)
    dusk-zerocaf-0.2.0.zip(24.91 MB)
Owner
Dusk Network
Dusk Network is a privacy-oriented blockchain protocol, that anyone can use to create zero-knowledge dApps.
Dusk Network
The Zero Knowledge Whitelist Tool is a powerful utility for managing an address whitelist using Zero-Knowledge (ZK) proofs.

zk_whitelist: A Zero Knowledge Whitelist Tool The Zero Knowledge Whitelist Tool is a powerful utility for managing an address whitelist using Zero-Kno

Nikos Koumbakis 4 Nov 21, 2023
RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture.

RISC Zero WARNING: This software is still experimental, we do not recommend it for production use (see Security section). RISC Zero is a zero-knowledg

RISC Zero 653 Jan 3, 2023
STARK - SNARK recursive zero knowledge proofs, combinaison of the Winterfell library and the Circom language

STARK - SNARK recursive proofs The point of this library is to combine the SNARK and STARK computation arguments of knowledge, namely the Winterfell l

Victor Colomb 68 Dec 5, 2022
A Software Development Kit (SDK) for Zero-Knowledge Transactions

Aleo SDK The Aleo SDK is a developer framework to make it simple to create a new account, craft a transaction, and broadcast it to the network. Table

Aleo 270 Jan 5, 2023
Zero-Knowledge Assembly language and compiler

zkAsm A Zero-Knowledge circuit assembly language, designed to represent Zero-Knowledge circuits in a compressed format, to be stored on blockchains. I

null 1 Dec 30, 2021
Noir is a domain specific language for zero knowledge proofs

The Noir Programming Language Noir is a Domain Specific Language for SNARK proving systems. It has been designed to use any ACIR compatible proving sy

null 404 Jan 1, 2023
OpenZKP - pure Rust implementations of Zero-Knowledge Proof systems.

OpenZKP OpenZKP - pure Rust implementations of Zero-Knowledge Proof systems. Overview Project current implements ?? the Stark protocol (see its readme

0x 529 Jan 5, 2023
Vector OLE and zero-knowledge for Z2k.

Mozzarella Benchmarking Code This repository contains the code developed for the benchmarking experiments in our paper: "Moz $\mathbb{Z}_{2^k}$ arella

null 7 Dec 20, 2022
Safeguard your financial privacy with zero-knowledge proofs.

Spinner The Spinner project (https://spinner.cash) takes a privacy first approach to protect users crypto assets. It is a layer-2 protocol built on th

Spinner 21 Dec 28, 2022
Zero Knowledge Light Client Implementation by Zpoken team.

zkp for chain state Prerecusites This project requires using the nightly Rust toolchain, which can be used by default in this way: rustup default nigh

Zpoken 40 Mar 6, 2023
A fast zero-knowledge proof friendly Move language runtime environment.

zkMove Lite zkMove Lite is a lightweight zero-knowledge proof friendly Move language virtual machine. Move bytecode is automatically "compiled" into c

YoungRocks 43 May 20, 2023
Spartan2: High-speed zero-knowledge SNARKs.

Spartan2: High-speed zero-knowledge SNARKs. Spartan is a high-speed zkSNARK, where a zkSNARK is type cryptographic proof system that enables a prover

Microsoft 7 Jul 28, 2023
Implementation of zero-knowledge proof circuits for Tendermint.

Tendermint X Implementation of zero-knowledge proof circuits for Tendermint. Overview Tendermint X's core contract is TendermintX, which stores the he

Succinct 3 Nov 8, 2023
A pure-Rust implementation of group operations on Ristretto and Curve25519

curve25519-dalek A pure-Rust implementation of group operations on Ristretto and Curve25519. curve25519-dalek is a library providing group operations

dalek cryptography 611 Dec 25, 2022
Lockstitch is an incremental, stateful cryptographic primitive for symmetric-key cryptographic operations in complex protocols.

Lockstitch is an incremental, stateful cryptographic primitive for symmetric-key cryptographic operations (e.g. hashing, encryption, message authentication codes, and authenticated encryption) in complex protocols.

Coda Hale 3 Dec 27, 2022
Composable proof transcripts for public-coin arguments of knowledge

Merlin: composable proof transcripts for public-coin arguments of knowledge Merlin is a STROBE-based transcript construction for zero-knowledge proofs

dalek cryptography 99 Dec 22, 2022
Built for Perpetual Protocol v2 Curie on Optimism chain. This CLI tool was built with Rust.

Perpetual Protocol CLI for Perp v2 Curie This tool is to provide a simple, fast and efficient way to interact Perpetual Protocol contracts from your t

Brendan Wenzel 4 Jan 11, 2023
Experiments on blockchain technology (also known as Hashed & Zero-trust Verifiable Linked List)

AngeloChain Experiments on blockchain technology (also known as Hashed & Zero-trust Verifiable Linked List) ⚠️ Before We Get Started Before we get sta

Angelo 1 Jan 20, 2022
Parser and test runner for testing compatable common Ethereum full node tests against Polygon Zero's EVM.

EVM Test Parses and runs compatible common Ethereum tests from ethereum/tests against Polygon Zero's EVM. Note: This repo is currently very early in d

Mir Protocol 3 Nov 4, 2022