Skip to content

Commit

Permalink
docs: minor fixes in keys
Browse files Browse the repository at this point in the history
  • Loading branch information
benesjan committed Apr 3, 2024
1 parent 0d5eac6 commit b4e27d4
Show file tree
Hide file tree
Showing 5 changed files with 12 additions and 6 deletions.
1 change: 1 addition & 0 deletions circuits/cpp/build-wasm/_deps/gtest-src
Submodule gtest-src added at 703bd9
1 change: 1 addition & 0 deletions circuits/cpp/build-wasm/_deps/msgpack-c/src/msgpack-c
Submodule msgpack-c added at af447c
6 changes: 3 additions & 3 deletions yellow-paper/docs/addresses-and-keys/keys-requirements.md
Original file line number Diff line number Diff line change
Expand Up @@ -96,15 +96,15 @@ A nullifier public key might have the benefit (in Aztec) that a user could (opti

- This presumes that within a circuit, the nk (not a public key; still secret!) would be derived from an nsk, and the nk would be injected into the nullifier.
- BUT, of course, it would be BAD if the nk were derivable as a bip32 normal child, because then everyone would be able to derive the nk from the master key, and be able to view whenever a note is nullified!
- The nk would need to ba a hardened key (derivable only from a secret).
- The nk would need to be a hardened key (derivable only from a secret).

Given that it's acceptable to ZCash Orchard, we accept that a nullifier master secret key may be 'seen' by Aztec software.

### Auditability

Some app developers will wish to give users the option of sharing private transaction details with a trusted 3rd party.

> Note: The block hashes tree will enable a user to prove many things about their historical transaction history, including historical encrypted event logs. This feature will open up exciting audit patterns, where a user will be able to provably respond to questions without necessarily revealing their private data. However, sometimes this might be an inefficient pattern; in particular when a user is asked to prove a negative statement (e.g. "prove that you've never owned a rock NFT"). Proving such negative statements might require the user to execute an enormous recursive function to iterate through the entire tx history of the network, for example: proving that, out of all the encrypted events that the user _can_ decrypt, none of them relate to ownership of a rock NFT. Given this (possibly huge) inefficiency, these key requirements include the more traditional ability to share certain keys with a trusted 3rd party.
> Note: The [archive](./../state/archive.md) will enable a user to prove many things about their transaction history, including historical encrypted logs. This feature will open up exciting audit patterns, where a user will be able to provably respond to questions without necessarily revealing their private data. However, sometimes this might be an inefficient pattern; in particular when a user is asked to prove a negative statement (e.g. "prove that you've never owned a rock NFT"). Proving such negative statements might require the user to execute an enormous recursive function to iterate through the entire tx history of the network, for example: proving that, out of all the encrypted events that the user _can_ decrypt, none of them relate to ownership of a rock NFT. Given this (possibly huge) inefficiency, these key requirements include the more traditional ability to share certain keys with a trusted 3rd party.
**Requirements:**

Expand Down Expand Up @@ -149,7 +149,7 @@ Given that this is our best-known approach, we include some requirements relatin

**Requirements:**

- A user Bob can non-interactively generate a sequence of tags for some other user Alice, and non-interactively communicate that sequencer of tags to Alice.
- A user Bob can non-interactively generate a sequence of tags for some other user Alice, and non-interactively communicate that sequence of tags to Alice.
- If a shared secret (that is used for generating a sequence of tags) is leaked, Bob can non-interactively generate and communicate a new sequence of tags to Alice, without requiring Bob nor Alice to rotate their keys.
- Note: if the shared secret is leaked through Bob/Alice accidentally leaking one of their keys, then they might need to actually rotate their keys.

Expand Down
6 changes: 3 additions & 3 deletions yellow-paper/docs/addresses-and-keys/precompiles.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ The rationale for precompiled contracts is to provide a set of vetted primitives

## Encryption and tagging precompiles

All precompiles in the address range `ENCRYPTION_PRECOMPILE_ADDRESS_RANGE` are reserved for encryption and tagging. Application contracts can expected to call into these contracts with note plaintext(s), recipient address(es), and public key(s). To facilitate forward compatibility, all unassigned addresses within the range expose the functions below as no-ops, meaning that no actions will be executed when calling into them.
All precompiles in the address range `ENCRYPTION_PRECOMPILE_ADDRESS_RANGE` are reserved for encryption and tagging. Application contracts are expected to call into these contracts with note plaintext(s), recipient address(es), and public key(s). To facilitate forward compatibility, all unassigned addresses within the range expose the functions below as no-ops, meaning that no actions will be executed when calling into them.

<!-- Q: How is this 'no-op' functionality achieved? -->

Expand Down Expand Up @@ -70,7 +70,7 @@ Encrypts and tags the given plaintext using the provided public keys, and return
encrypt_and_broadcast(public_keys_hash: Field, encryption_type: EncryptionType, recipient: AztecAddress, plaintext: Field[MAX_PLAINTEXT_LENGTH]): Field[MAX_TAGGED_CIPHERTEXT_LENGTH]
```

Encrypts and tags the given plaintext using the provided public keys, broadcasts them as an event, and returns the encrypted note prefixed with its tag for note discovery. This functions should be invoked via a [delegate call](../calls/delegate-calls.md), so that the broadcasted event is emitted as if it were from the caller contract.
Encrypts and tags the given plaintext using the provided public keys, broadcasts them as an event, and returns the encrypted note prefixed with its tag for note discovery. These functions should be invoked via a [delegate call](../calls/delegate-calls.md), so that the broadcasted event is emitted as if it were from the caller contract.

```
encrypt<N>([call_context: CallContext, public_keys_hash: Field, encryption_type: EncryptionType, recipient: AztecAddress, plaintext: Field[MAX_PLAINTEXT_LENGTH] ][N]): Field[MAX_CIPHERTEXT_LENGTH][N]
Expand Down Expand Up @@ -130,7 +130,7 @@ This is the cheapest approach in terms of calldata cost, and the simplest to imp

### Delegated trial decryption

Delegated trial decryption relies on a tag added to each note, generated used the recipient's tagging public key. The holder of the corresponding tagging private key can trial-decrypt each tag, and if decryption is successful, proceed to decrypt the contents of the note using the associated decryption scheme.
Delegated trial decryption relies on a tag added to each note, generated using the recipient's tagging public key. The holder of the corresponding tagging private key can trial-decrypt each tag, and if decryption is successful, proceed to decrypt the contents of the note using the associated decryption scheme.

This allows a user to share their tagging private key with a trusted service provider, who then proceeds to trial decrypt all possible note tags on their behalf. This scheme is simple for the user, but requires trust on a third party.

Expand Down
4 changes: 4 additions & 0 deletions yellow-paper/docs/public-vm/gen/_instruction-set.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -499,6 +499,7 @@ Addition (a + b)
- **bOffset**: memory offset of the operation's right input
- **dstOffset**: memory offset specifying where to store operation's result
- **Expression**: `M[dstOffset] = M[aOffset] + M[bOffset] mod 2^k`
- **Details**: Wraps on overflow
- **Tag checks**: `T[aOffset] == T[bOffset] == inTag`
- **Tag updates**: `T[dstOffset] = inTag`
- **Bit-size**: 128
Expand All @@ -520,6 +521,7 @@ Subtraction (a - b)
- **bOffset**: memory offset of the operation's right input
- **dstOffset**: memory offset specifying where to store operation's result
- **Expression**: `M[dstOffset] = M[aOffset] - M[bOffset] mod 2^k`
- **Details**: Wraps on undeflow
- **Tag checks**: `T[aOffset] == T[bOffset] == inTag`
- **Tag updates**: `T[dstOffset] = inTag`
- **Bit-size**: 128
Expand All @@ -541,6 +543,7 @@ Multiplication (a * b)
- **bOffset**: memory offset of the operation's right input
- **dstOffset**: memory offset specifying where to store operation's result
- **Expression**: `M[dstOffset] = M[aOffset] * M[bOffset] mod 2^k`
- **Details**: Wraps on overflow
- **Tag checks**: `T[aOffset] == T[bOffset] == inTag`
- **Tag updates**: `T[dstOffset] = inTag`
- **Bit-size**: 128
Expand Down Expand Up @@ -1208,6 +1211,7 @@ context.machineState.pc = loc`}
- **Details**: Target location is an immediate value (a constant in the bytecode).
- **Bit-size**: 48

[![](./images/bit-formats/INTERNALCALL.png)](./images/bit-formats/INTERNALCALL.png)

### <a id='isa-section-internalreturn'/>`INTERNALRETURN`
Return from an internal call. Pop from the internal call stack and jump to the popped location.
Expand Down

0 comments on commit b4e27d4

Please sign in to comment.