
[AIP-46][Discussion] New modules for ElGamal, Pedersen and Bulletproofs over Ristretto255 #222

Closed
mstraka100 opened this issue Aug 8, 2023 · 0 comments


AIP Discussion

This AIP proposes extending the suite of cryptographic operations in Move with three new Move modules:

  • ElGamal encryption[^elgamal] (over Ristretto255)
  • Pedersen commitments[^pedersen] (over Ristretto255)
  • A Bulletproofs[^bulletproofs] ZK range proof verifier (for Pedersen commitments over Ristretto255)

In addition, this AIP also proposes adding several new functions to the existing ristretto255 module[^ristretto255]:

  1. A native function for point cloning, called point_clone
  2. A native function for double scalar multiplications, called double_scalar_mul
  3. A non-native function for creating scalars from u32 values, called new_scalar_from_u32
  4. A non-native function for converting a CompressedRistretto to a sequence of bytes, called compressed_point_to_bytes
  5. A non-native function for returning a point obtained by hashing the Ristretto255 basepoint, called hash_to_point_base

Lastly, this AIP proposes deprecating two previous functions by renaming them to be more clear:

  1. Deprecate new_point_from_sha512 for new_point_from_sha2_512
  2. Deprecate new_scalar_from_sha512 for new_scalar_from_sha2_512

Motivation

The impetus for this change is to provide a more extensive suite of cryptographic tools for Move developers. Specifically:

  • ElGamal is an additively-homomorphic, rerandomizable encryption scheme for “small” field elements (e.g. 40-bit wide; larger elements can be used but will not be easily decryptable).
  • Pedersen commitments are information-theoretic hiding, computationally-binding, homomorphic commitments to field elements.
  • Bulletproofs is a zero-knowledge range proof (ZKRP) system: i.e., a zero-knowledge proof that a secret value $v$ in a Pedersen commitment $g^v h^r$ is in a specific range $v\in [0, 2^n]$.

These new modules will enable a wider variety of cryptographic dapps:

  • Bulletproofs are useful for confidential transactions, digital identity systems (e.g., proving you are below 18 years old), proofs of solvency[^provisions], reputation systems (e.g., proving your reputation is high enough), etc.
  • ElGamal encryption is useful for confidential transactions, or for applications needing private, homomorphically-additive values, such as randomized shuffles in card-based games.
  • Pedersen commitments are useful for confidential transactions, for auctioning protocols, for RANDAO-like protocols to generate randomness, etc.
  • Lastly, the new functions added to the Ristretto255 module fix a few limitations in the code.

Read more about it here: AIP-46
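The two properties the Motivation section leans on, additive homomorphism of ElGamal with its "small plaintext" decryption limit, and the hiding/binding/homomorphic behaviour of Pedersen commitments, are easy to lose sight of in an API list. The following is an added example written for this page; it is not code from the AIP, from the Aptos ristretto255 module, or from the issue author. It assumes a toy 64-bit prime-order subgroup of Z_p^* standing in for Ristretto255 (the algebra is identical; the parameters are far too small for real use), and the function names (keygen, encrypt, add, rerandomize, decrypt, commit, open_commitment, commit_add) are my own, not the proposed Move API. The second Pedersen generator H is derived by hashing G, in the same spirit as the proposed hash_to_point_base. It goes slightly beyond the text by showing what happens when a plaintext exceeds the decryption bound.

```python
# Added example (not from the AIP or the Aptos ristretto255 module):
# exponential ElGamal and Pedersen commitments over a toy prime-order group.
# Assumption: a 64-bit Schnorr subgroup of Z_p^* stands in for Ristretto255.
import hashlib
import random

_rng = random.Random(46)  # fixed seed so the demo group is reproducible

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3.3e24


def _is_probable_prime(n):
    """Miller-Rabin primality test with a deterministic base set for 64-bit n."""
    if n < 2:
        return False
    for sp in _MR_BASES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _make_group():
    """Find a safe prime p = 2q + 1 and return (p, q, g, h) with g, h of order q."""
    while True:
        q = _rng.getrandbits(62) | (1 << 61) | 1          # random odd 62-bit candidate
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = 4  # a quadratic residue (2^2), so its order is exactly q
    # Second generator with unknown discrete log w.r.t. g, derived by hashing g
    # (the idea behind hash_to_point_base); squaring lands the value in the subgroup.
    seed = int.from_bytes(hashlib.sha512(g.to_bytes(8, "big")).digest(), "big") % p
    h = seed * seed % p
    while h in (0, 1):
        seed += 1
        h = seed * seed % p
    return p, q, g, h


P, Q, G, H = _make_group()


# ---- exponential ElGamal: plaintext lives in the exponent ---------------------
def keygen():
    sk = _rng.randrange(1, Q)
    return sk, pow(G, sk, P)


def encrypt(pk, m):
    """Ciphertext (g^r, g^m * pk^r); multiplying two ciphertexts adds plaintexts."""
    r = _rng.randrange(1, Q)
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P


def add(ct1, ct2):
    return ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P


def rerandomize(pk, ct):
    """Fresh-looking ciphertext for the same plaintext: multiply by an encryption of 0."""
    return add(ct, encrypt(pk, 0))


def decrypt(sk, ct, bound):
    """Recover g^m, then brute-force m in [0, bound). Returns None past the bound,
    which is exactly the 'small plaintext' caveat: large values are not decryptable."""
    c1, c2 = ct
    gm = c2 * pow(c1, Q - sk, P) % P   # c1^(q - sk) == c1^(-sk) since c1 has order q
    acc = 1
    for m in range(bound):
        if acc == gm:
            return m
        acc = acc * G % P
    return None


# ---- Pedersen commitments: g^v * h^r ----------------------------------------
def commit(v, r):
    return pow(G, v, P) * pow(H, r, P) % P


def open_commitment(c, v, r):
    """Binding check: the opening must reproduce the commitment exactly."""
    return c == commit(v, r)


def commit_add(c1, c2):
    """Homomorphism: commit(v1, r1) * commit(v2, r2) == commit(v1 + v2, r1 + r2)."""
    return c1 * c2 % P


def demo():
    sk, pk = keygen()
    a, b = encrypt(pk, 30), encrypt(pk, 12)
    total = rerandomize(pk, add(a, b))
    c1, c2 = commit(30, 7), commit(12, 9)
    return {
        "sum": decrypt(sk, total, 1 << 12),                       # 42
        "rerandomized_differs": total != add(a, b),               # True
        "too_large": decrypt(sk, encrypt(pk, 1 << 40), 1 << 16),  # None
        "pedersen_add_ok": open_commitment(commit_add(c1, c2), 42, 16),  # True
        "pedersen_wrong_value": open_commitment(c1, 31, 7),       # False
    }
```

Running demo() shows the three behaviours the AIP relies on: ciphertexts for 30 and 12 multiply into a ciphertext for 42 that decrypts after rerandomization, a 40-bit plaintext falls outside a 16-bit brute-force bound and is reported as undecryptable rather than silently wrong, and a Pedersen commitment opens only to the value and blinding factor it was made with while two commitments combine into a commitment to the sum.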
