Skip to content

Commit

Permalink
qip-0007: Ristretto Curve25519
Browse files Browse the repository at this point in the history
  • Loading branch information
alanorwick committed Nov 22, 2023
1 parent 1f46bdd commit c3b2e43
Showing 1 changed file with 106 additions and 0 deletions.
106 changes: 106 additions & 0 deletions qip-00010.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
# QIP-0010 : Ristretto Curve25519

```
**Layer:** Cryptography
**Title:** Ristretto Curve25519
**Author:** alanorwick <[email protected]>
**Comments-Summary:** No comments yet.
**Comments-URI:** [https://github.com/quainetwork/qips/wiki/Comments:QIP-0004](https://github.com/quainetwork/qips/wiki/Comments:QIP-0004)
**Status:** Draft
**Type:** Standards Track
**Created:** 2023-09-15
**License:** BSD-2-Clause
```


## Abstract

QIP-0010 defines Ristretto Curve25519 as a valid elliptic curve algorithm on Quai Network.

## Copyright

This QIP is licensed under the BSD 2-clause license.

## Motivation
The integration of Ristretto will enhance the Quai Network’s security, speed, and capability. Further motivations for the selection of Ristretto are as follows:
- Cofactor Elimination: Ristretto is a prime-order group construction that enables the usage of curves like Curve25519 (which have small cofactors) safely in cryptographic protocols. This eliminates complexities and potential vulnerabilities associated with cofactor-related issues.
- Versatility and Privacy: The use of Ristretto enhances privacy and versatility, particularly in applications requiring complex cryptographic constructs, such as zero-knowledge proofs, where the prime-order group property is essential.
- Uniform Encoding and Decoding: Ristretto provides a uniform and non-malleable encoding and decoding mechanism. This feature is essential for systems that require consistent and secure methods to represent and process elliptic curve points, reducing the risk of subtle vulnerabilities in cryptographic applications.
- Consistent Group Operations: Ristretto ensures consistent group operations, free from edge cases associated with non-prime-order groups. This consistency is key to building more reliable and secure cryptographic protocols, as it standardizes behaviors across different implementations and use cases.


## Specification

### Key Derivation:
### Seed and Key Formats: Describe the format for seeds and keys, including length and any encoding specifics.
- Seed Format
- Length: 32 bytes.
- Derivation: Randomly generated or from a BIP-39 mnemonic phrase.
- MiniSecretKey Format
- Length: 32 bytes.
- Encoding: Byte array, often in hexadecimal format.
- SecretKey Format
- Length: 64 bytes (32-byte scalar part and 32-byte nonce).
- Expansion: From MiniSecretKey.
- PublicKey Format
- Length: 32 bytes.
- Derivation: From SecretKey or MiniSecretKey.
- Encoding: 32-byte array, convertible to hex or other formats.
- Keypair Format
- Composition: SecretKey (64 bytes) + PublicKey (32 bytes).
- Encoding: Concatenated byte array of SecretKey and PublicKey.

#### Public/Private Key Generation
1. Entropy Acquisition
Source: Obtain entropy, which is typically a byte array derived from a BIP-39 mnemonic phrase.
Validation: Ensure the entropy length matches the standard BIP-39 word lengths (12, 15, 18, 21, 24 words).
2. MiniSecretKey Generation
Seed Generation: Convert the entropy into a seed. This involves hashing the entropy (and optionally a password) using a key derivation function like PBKDF2 with HMAC-SHA512.
MiniSecretKey Creation: Derive a MiniSecretKey from the seed. This key acts as the private key in the sr25519 scheme.
4. SecretKey Expansion (Optional)
Uniform Expansion: Optionally, expand the MiniSecretKey to a SecretKey for additional functionalities like nonce generation for signing.
Ed25519-style Expansion: Alternatively, use Ed25519-style expansion to convert the MiniSecretKey into a SecretKey, applying specific bit manipulations for compatibility with Ed25519 standards.
4. PublicKey Derivation
From SecretKey: Derive the public key from the SecretKey (or directly from MiniSecretKey if not expanded). This involves elliptic curve point multiplication operations to transform the scalar key into a curve point, representing the public key.
5. Keypair Assembly
Combination: Combine the SecretKey (or MiniSecretKey) and the derived public key to form a complete keypair. This keypair is used for cryptographic operations such as digital signing and verification.

Examples of private and public key generation implementation can be found in [go-schnorrkel](https://github.com/ChainSafe/go-schnorrkel/blob/master/keys.go)

#### MiniSecretKey vs SecretKey
MiniSecretKey
1. Basic Private Key: The MiniSecretKey is essentially a basic form of the private key. It's typically a 32-byte scalar derived directly from the entropy (often obtained from a BIP-39 mnemonic phrase) or generated randomly.
2. Direct Entropy Derivation: It is directly derived from entropy and is the most fundamental private key representation in sr25519.
3. Purpose: The primary purpose of a MiniSecretKey is to act as a seed from which a more functional SecretKey can be expanded. It is the raw material for generating a full private key (SecretKey) and corresponding public key.

SecretKey
1. Expanded Private Key: A SecretKey is an expanded form of the MiniSecretKey. It typically includes additional data like a nonce for use in the signing process.
2. Expansion Process: The SecretKey is derived from a MiniSecretKey through an expansion process. This process can be uniform or can follow the Ed25519 style, which involves bit manipulation and hashing (like SHA512) of the MiniSecretKey.
3. Functionality: The SecretKey is more functional than a MiniSecretKey. It's not only used for signing messages but also contains additional information necessary for secure and effective signing, such as a nonce.
4. Security Aspects: The expansion process often involves additional security measures, like clamping in the Ed25519 expansion, which further secures the key against certain types of attacks.

#### Curve Parameters:
The parameters of the Curve25519, as specified for sr25519, are derived from the [Ristretto255](https://github.com/gtank/ristretto255/blob/master/ristretto255.go) construction. These parameters are critical in extending a Curve25519 implementation to provide the sr25519 functionality. The field has an order of `p`, the Curve25519 prime `2^255-19`, as specified in [RFC 7748](https://datatracker.ietf.org/doc/html/rfc7748#section-4.1). Below are the essential parameters:
- D (Edwards d parameter):
- 37095705934669439343138083508754565189542113879843219016388785533085940283555
- This is the Edwards d parameter for Curve25519, crucial for the curve's structure.

- SQRT_M1 (Square Root of Minus One):
- 19681161376707505956807079304988542015446066515923890162744021073123829784752
- Represents the square root of -1 within the field.

- SQRT_AD_MINUS_ONE (Square Root of a*d - 1):
- 25063068953384623474111414158702152701244531502492656460079210480752610430750235
- A pre-calculated square root used in elliptic curve operations.

- INVSQRT_A_MINUS_D (Inverse Square Root of a - d):
- 5446930700890931692099581386874514160539359729292745692120531289631721017578
- Used in various point operations, representing the inverse square root of a - d.

- ONE_MINUS_D_SQ (One Minus d Squared):
- 11598430216687798791937755218555866479373577597154176544398797208761111806838
- Represents 1 - d^2, used in elliptic curve point calculations.

- D_MINUS_ONE_SQ (d Minus One Squared):
- 40440834346308536858101042469323190826248399146238708352240133220865137265952
- Calculated as (d - 1)^2, this parameter is vital for certain mathematical operations on the curve.

0 comments on commit c3b2e43

Please sign in to comment.