Skip to content

jat9292/babyjubjub-utils

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

babygiant

babygiant

 
 

nextjs-app

nextjs-app

 
 

out

out

 
 

test

test

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

index.js

index.js

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

worker_babygiant.js

worker_babygiant.js

 
 

worker_babygiant_node.js

worker_babygiant_node.js

 
 

Repository files navigation

babyjubjub-utils

Node package implementing utility functions for interacting with the Baby Jubjub curve and the noir-elgamal Noir package.

This package can be used in a NodeJS backend as well as inside a browser.

The baby-step giant-step algorithm (discrete logarithm computation) for the last step of decryption has been optimized via conversion to WASM and parallelization with Web Workers.

Read the documentation in this Readme after the Table of Contents. Alternatively the JSDocs can be read in the html page.

Several examples on how to use the package are available in the tests.

⚠️ Warning: the current implementation of the baby-step giant-step algorithm in the last step of decryption could be vulnerable to timing attacks, as the running time depends on the input. Please keep this in mind and apply extra caution if you wish to use it in production.

How to install

Create a JS project with npm, then install the babyjubjub-utils via :

npm i babyjubjub-utils

How to use in a front-end

If you want to use the entirety of the functions available in a front-end, it is important to configure your module bundler correctly as this package relies on some WASM and multithreading features for decryption.

As an example, see this simple Next JS project that we provided within the repository. It is doing key generation, encryption and decryption on the client side. The most crucial part is the way we set up the next.config.js file to make it compatible with the babyjubjub-utils package.

babyjubjub-utils

Table of Contents

Point

Type: Object

Properties

  • x bigint The X coordinate.
  • y bigint The Y coordinate.

KeyPair

Type: Object

Properties

  • privateKey bigint The private key.
  • publicKey Point The public key in uncompressed format, i.e a point on Baby Jubjub.

EncryptedValue

Type: Object

Properties

  • C1 Point C1 is the first part of the ciphertext, a point in Baby Jubjub. Same notations as on wikipedia.
  • C2 Point C2 is the second part of the ciphertext, a point in Baby Jubjub. Same notations as on wikipedia.
  • randomness bigint randomness parameter. Warning: should stay private and owned by the encryptor, but he could use it as a private input in the circuits.

privateToPublicKey

Converts a private key to its corresponding public key point on the Baby Jubjub curve.

Parameters

  • privateKey bigint The private key. Warning: should be a BigInt sampled randomly between 0 and l-1, where l is the order of the bigprime subgroup of Baby Jubjub. i.e l=2736030358979909402780800718157159386076813972158567259200215660948447373041

Returns Point The public key point with x and y coordinates which corresponds to the private key.

generatePrivateAndPublicKey

Generates randomly a pair of private/public keys on Baby Jubjub.

Returns KeyPair The generated private key and its associated uncompressed/unpacked public key.

elgamalEncrypt

Encrypts a plaintext value between 0 and 2**40-1=1099511627775 for a specific publicKey. The returned ciphertext using ElGamal encryption is a pair of Baby Jubjub points (C1,C2).

Parameters

  • publicKey Point The public key. Warning: The developer must ensures that this point is a valid public key, i.e a point on the big prime subgroup of Baby Jubjub.
  • plaintext number The plaintext. Warning: should be a number between 0 and 2**40-1=1099511627775 if you want to be able to decrypt it later using the baby-step giant-step algorithm.

Returns EncryptedValue The encryption of plaintext. (C1,C2) is the ciphertext composed of two Baby Jubjub points, and randomness is the big integer used as randomness during encryption which should stay private for the encryptor.

elgamalDecryptEmbedded

Decrypts the ciphertext in an embedded form, i.e as a point on the Baby Jubjub curve defined by G^(plaintext), G is the generator point. You would still need to appy the Baby-step Giant-step algorithm via the compute_dlog function, to get back the original unencrypted value.

Parameters

  • privateKey bigint The privatekey key. Warning: Please make sure to use the correct private key, or else the decryption will lead to an incorrect result.
  • C1 Point the first part of the ciphertext, a point in Baby Jubjub. Same notations as on wikipedia.
  • C2 Point the second part of the ciphertext, a point in Baby Jubjub. Same notations as on wikipedia.

Returns Point The decrypted value in embedded form.

addPoints

Adds two points on the Baby Jubjub curve. Could be used for homomorphic addition of ciphertexts, eg : (C1,C2)+(C1',C2')=((C1+C1'),(C2+C2'))

Parameters

  • P1 Point First point. Warning: The developer must ensures that this point is on the Baby Jubjub curve.
  • P2 Point Second point. Warning: The developer must ensures that this point is on the Baby Jubjub curve.

Returns Point The resulting point from addition, i.e P1+P2.

packPoint

Packs a public key, from uncompressed form (i.e a point on the big subgroup of Baby Jubjub) to a compressed form (i.e a BigInt)

Parameters

  • publicKey Point The uncompressed/unpacked public key. Warning: The developer must ensures that this point is on the Baby Jubjub curve, and more specifically in its big prime subgroup.

Returns bigint The resulting compressed/packed public key.

unpackPoint

Unpacks a packed public key, this is the opposite of packPoint

Parameters

  • packedPublicKey bigint The packed public key. Warning: The developer must ensures that it is a valid public key.

Returns Point The resulting compressed/packed public key.

bigintToBytes32

Converts a bigint to a string in hex format with 0s padded on the left if needed, to later cast it easily as a bytes32 in Solidity or Noir.

Parameters

  • bigInt bigint The big integer. Warning: The developer must ensures that it is a valid uint256/bytes32.

Returns string The resulting hex string.

elgamalEncryptPacked

This function is identical to elgamalEncrypt except that it takes the public key in packed form instead of its unpacked form. Encrypts a plaintext value between 0 and 2**40-1=1099511627775 for a specific packed publicKey. The returned ciphertext using ElGamal encryption is a pair of Baby Jubjub points (C1,C2).

Parameters

  • packedPublicKey bigint The public key. Warning: The developer must ensures that this point is a valid packed public key.
  • plaintext number The plaintext. Warning: should be a number between 0 and 2**40-1=1099511627775 if you want to be able to decrypt it later using the baby-step giant-step algorithm.

Returns EncryptedValue The encryption of plaintext. (C1,C2) is the ciphertext composed of two Baby Jubjub points, and randomness is the big integer used as randomness during encryption which should stay private for the encryptor.

compute_dlog

This function solves the discrete logarithm problem by applying the baby-step giant-step algorithm (optimized implementation in WASM). It is used to convert the decrypted value from its embedded form to its original integer value. ⚠️ Warning: the current implementation of the baby-step giant-step algorithm could be vulnerable to timing attacks, as the running time depends on the input. Please keep this in mind and apply extra caution if you wish to use it in production.

Parameters

  • decryptedEmbedded Point The decrypted value in embedded form, i.e typically the point outputed by elgamalDecryptEmbedded.
  • numberOfWorkers number The number of workers used for parallelization. For faster computation we recommend between 5 to 8 workers, if the client has enough cores.

Returns number The integer corresponding the original unencrypted value. Warning: The decryption will fail if the original value was outside the [0,2**40-1] range or if a wrong private key was used during the first step of decryption.

elgamalDecrypt

This function is identical to elgamalDecryptEmbedded followed by compute_dlog, so it returns directly the original unencrypted value as an integer, instead of its embedding on Baby Jubjub. ⚠️ Warning: the current implementation of compute_dlog could be vulnerable to timing attacks, as the running time depends on the input. Please keep this in mind and apply extra caution if you wish to use it in production.

Parameters

  • privateKey bigint The privatekey key. Warning: Please make sure to use the correct private key, or else the decryption will fail or lead to an incorrect result.
  • C1 Point the first part of the ciphertext, a point in Baby Jubjub. Same notations as on wikipedia.
  • C2 Point the second part of the ciphertext, a point in Baby Jubjub. Same notations as on wikipedia.
  • numberOfWorkers number The number of workers used for parallelization during the computation of the discrete logarithm. For faster computation we recommend between 5 to 8 workers, if the client has enough cores.

Returns number The integer corresponding the original unencrypted value. Warning: The decryption will fail if the original value was outside the [0,2**40-1] range or if a wrong private key was used.

About

Node package implementing JS utils functions for interacting with the Baby Jubjub curve and the noir-elgamal Noir package.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages