# Cryptographic Schemes

## PoseidonHash Function

Poseidon is a circuit friendly permutation hash function described in the paper GKRRS2019.

ParameterSetting
S-box
Full rounds8
Partial rounds56

Our usage matches that of the halo2 library. Namely using a sponge configuration with addition which defines the function

## Bulla Commitments

Given an abstract hash function such as PoseidonHash, we use a variant of the commit-and-reveal scheme to define anonymized representations of objects on chain. Contracts then operate with these anonymous representations which we call bullas.

Let represent object parameters, then we can define where is a random blinding factor.

Then the bulla (on chain anonymized representation) can be used in contracts with ZK proofs to construct statements on .

## Pallas and Vesta

DarkFi uses the elliptic curves Pallas and Vesta that form a 2-cycle. We denote Pallas by and Vesta by . Set the following values:

We now construct the base field for each curve and as and . Let be the Weierstrauss normal form of an elliptic curve. We define and . Then we instantiate Pallas as and . Now we note the 2-cycle behaviour as

Let be the group of points with on .

Let be the group of points with on .

Arithmetic is mainly done in circuits with and .

### Coordinate Extractor for Pallas

Let be defined as above.

Define such that

Note: There is no so . Likewise there is no so .

### Hashing to

Define as the matching decoding of modulo the canonical class in little endian byte format.

Let there by a uniform hash function with , and a map converting to the canonical representation of the class in .

Let be the composition of functions, then has a non-uniform range. However increasing the size of relative to diminises the statistical significance of any overlap. For this reason we define the conversion from for hash functions.

### PubKey Derivation

Let be the constant NULLIFIER_K defined in src/sdk/src/crypto/constants/fixed_bases/nullifier_k.rs. Since the scalar field of is prime, all points in the group except the identity are generators.

We declare the function . This map is injective since .

Define the function

### Point Serialization

The maximum value of fits within 255 bits, with the last bit of being unused. We use this bit to store the sign of the -coordinate.

We compute the sign of for by dividing into even and odd sets. Let .

We define as follows. Let , then

Security note: apart from the case when , this function is mostly constant time. In cases such as key agreement, where constant time decryption is desirable and is mostly guaranteed, this provides a strong approximation.

## Group Hash

Let be the hash to curve function defined in ZCash Protocol Spec, section 5.4.9.8. The first input element acts as the domain separator to distinguish uses of the group hash for different purposes, while the second input is the actual message.

The main components are:

Then is calculated as follows:

Let

Assert

Let

For

Let

Return

## BLAKE2b Hash Function

BLAKE2 is defined by ANWW2013. Define the BLAKE2b variant as

## Homomorphic Pedersen Commitments

Let be defined as in Group Hash.

Let be defined as in Pubkey Derivation.

When instantiating value commitments, we require the homomorphic property.

Define:

This scheme is a computationally binding and perfectly hiding commitment scheme.

## Incremental Merkle Tree

Let be the merkle depth.

The incremental merkle tree is fixed depth of used to store items. It is an append-only set for which items can be proved to be inside within ZK. The root value is a commitment to the entire tree.

Denote combining two nodes to produce a parent by the operator . Denote by where , the function which swaps both arguments before calling , that is

We correspondingly define the types and a function to calculate the root given a leaf, its position and the path,

## Symmetric Encryption

Let be an authenticated one-time symmetric encryption scheme instantiated as AEAD_CHACHA20_POLY1305 from RFC 7539. We use a nonce of with a 32-byte key.

Let represent keys, for plaintext data and for ciphertexts.

is the encryption algorithm.

is the decryption algorithm, such that for any and , we have we use to represent the decryption of an invalid ciphertext.

Security requirement: must be one-time secure. One-time here means that an honest protocol participant will almost surely encrypt only one message with a given key; however, the adversary may make many adaptive chosen ciphertext queries for a given key.

## Key Agreement

Let be defined as in the section Pallas and Vesta.

A key agreement scheme is a cryptographic protocol in which two parties agree on a shared secret, each using their private key and the other party's public key.

Let be defined as .

## Key Derivation

Let be defined as in the section BLAKE2b Hash Function.

Let be defined as in the section Pallas and Vesta.

A Key Derivation Function is defined for a particular key agreement scheme and authenticated one-time symmetric encryption scheme; it takes the shared secret produced by the key agreement and additional arguments, and derives a key suitable for the encryption scheme.

takes as input the shared Diffie-Hellman secret and the ephemeral public key . It derives keys for use with .

## In-band Secret Distribution

Let be defined as in the section Symmetric Encryption.

Let be defined as in the section Key Agreement.

Let be defined as in the section Key Derivation.

Let be defined as in the section Pallas and Vesta.

To transmit secrets securely to a recipient without requiring an out-of-band communication channel, we use the key derivation function together with symmetric encryption.

Denote where is the space of ephemeral public keys and is the ciphertext space.

See AeadEncryptedNote in src/sdk/src/crypto/note.rs.

### Encryption

We let denote the recipient's public key. Let denote the plaintext note to be encrypted.

Let be the randomly generated ephemeral secret key.

Let

Let

Let

Let

Return

### Decryption

We denote the recipient's secret key with . Let denote the ciphertext note to be decrypted.

The recipient receives the ephemeral public key used to decrypt the ciphertext note .

Let

Let

Let . If then return , otherwise return .

## Verifiable In-Band Secret Distribution

Let be defined as in the section PoseidonHash Function.

This scheme is verifiable inside ZK using the Pallas and Vesta curves.

Let . Denote the plaintext space and ciphertext with where .

Denote where is the space of ephemeral public keys and is the ciphertext space.

See ElGamalEncryptedNote in src/sdk/src/crypto/note.rs.

### Encryption

We let denote the recipient's public key. Let denote the plaintext note to be encrypted.

Define by as follows:

Let be the randomly generated ephemeral secret key.

Let

Let

Let

For then compute:

Let

Let

Return where

### Decryption

We denote the recipient's secret key with . The recipient receives the ephemeral public key used to decrypt the ciphertext note .

Define by as follows:

Let

Let

For then compute:

Let

Let

Return