
Clarify some details of view key generation.

Open acoglio opened this issue 1 year ago • 4 comments

In the description of view key generation, it is not clear to me what the following things are, exactly:

  • The ppaccount_sig value.
  • The ppaccount_cm value.
  • The AccountSignature.GeneratePublicKey function.
  • The AcountCommitment.Commit function.

acoglio avatar Jun 08 '23 06:06 acoglio

Hi @acoglio. Taking a look at this now-- would you be able to provide definitions of the referenced values and functions?

moAlobaidi avatar Jun 13 '23 16:06 moAlobaidi

Hey @acoglio I also need some clarity on what these are. I'll follow up with the protocol team, e.g., @raychu86 and @howardwu, and update this issue with their thoughts. It may take a few days, though.

ghost avatar Jun 13 '23 18:06 ghost

From @raychu86:

Compute pk_sig := G^sk_sig.
Compute pr_sig := G^r_sig.
Compute sk_prf := HashToScalar(pk_sig || pr_sig).
Compute view_key := sk_sig + r_sig + sk_prf

The G^ and HashToScalar here are done with public parameters, which is abbreviated pp.

In code it's:

pub static ref GENERATOR_G: Vec<Group<Testnet3>> =
    Testnet3::new_bases("AleoAccountEncryptionAndSignatureScheme0");
pub static ref POSEIDON_4: Poseidon4<Testnet3> =
    Poseidon4::<Testnet3>::setup("AleoPoseidon4").expect("Failed to setup Poseidon4");

And then Address is derived from a view key like this: Compute address := G^view_key

cc @moAlobaidi @acoglio

ghost avatar Jun 13 '23 23:06 ghost

@moAlobaidi @aharshbe Thank you for helping to track this down. (And no, I don't know the definitions; I opened this issue both to get the doc improved and to understand the details myself.) I have some follow-up questions:

  • How is the generator G computed exactly? I.e. what does Testnet3::new_bases() do? Presumably it's calculating a curve point according to some hashing algorithm, so the question is what that is.
  • Each of sk_sig and r_sig is a sequence of 32 bytes, resulting from BLAKE2s, but their use as exponents in G^sk_sig and G^r_sig needs them to be integers. Are the 32 bytes converted to integers in little or big endian order?
  • In HashToScalar(pk_sig || pr_sig), is || concatenation, or bitwise 'or'?
  • What hash function is HashToScalar exactly?
  • In sk_sig + r_sig + sk_prf, what is the exact meaning of +? Are sk_sig and the others (32-byte sequences from BLAKE2s) added as (little or big endian) integers?

(As discussed at today's meeting, this level of detail may or may not be the goal for this developer documentation. The purpose of my questions is to get to an informal but precise specification, which would hypothetically suffice for a well-informed developer to implement account creation and other protocol calculations without looking at our Rust code.)

acoglio avatar Jun 14 '23 16:06 acoglio
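The four steps quoted from @raychu86 and the address rule, as an added example that is not part of the thread and not snarkVM code. It rests on assumptions the thread leaves open: a toy prime-order subgroup stands in for the Aleo curve and G, SHA-256 stands in for HashToScalar, bytes are read little-endian, `||` is concatenation, and `+` is addition modulo the group order. Under those assumptions it shows that the address can be recomputed from the public values pk_sig and pr_sig alone.

```python
import hashlib

# Toy public parameters (constructed, NOT Aleo's): the order-Q subgroup of
# Z_P* with P = 2Q + 1, generated by G.
P, Q, G = 2039, 1019, 4

def to_scalar(data: bytes) -> int:
    # Assumption: bytes are read little-endian and reduced mod the group order.
    return int.from_bytes(data, "little") % Q

def encode(elem: int) -> bytes:
    # Fixed-width encoding of a group element (hypothetical helper).
    return elem.to_bytes(2, "little")

def hash_to_scalar(data: bytes) -> int:
    # Stand-in for HashToScalar: SHA-256 here, not the project's Poseidon.
    return to_scalar(hashlib.sha256(data).digest())

def derive(sk_sig_bytes: bytes, r_sig_bytes: bytes) -> dict:
    sk_sig = to_scalar(sk_sig_bytes)
    r_sig = to_scalar(r_sig_bytes)
    pk_sig = pow(G, sk_sig, P)                       # pk_sig := G^sk_sig
    pr_sig = pow(G, r_sig, P)                        # pr_sig := G^r_sig
    # Assumption: "||" is byte concatenation of the encoded elements.
    sk_prf = hash_to_scalar(encode(pk_sig) + encode(pr_sig))
    # Assumption: "+" is addition of scalars modulo the group order Q.
    view_key = (sk_sig + r_sig + sk_prf) % Q
    address = pow(G, view_key, P)                    # address := G^view_key
    return {"pk_sig": pk_sig, "pr_sig": pr_sig, "sk_prf": sk_prf,
            "view_key": view_key, "address": address}

def address_from_public(pk_sig: int, pr_sig: int) -> int:
    # G^(a + b + c) = G^a * G^b * G^c, so no secret scalar is needed.
    sk_prf = hash_to_scalar(encode(pk_sig) + encode(pr_sig))
    return (pk_sig * pr_sig * pow(G, sk_prf, P)) % P

# Constructed 32-byte inputs standing in for the BLAKE2s outputs.
SAMPLE_SK_SIG = bytes(range(32))
SAMPLE_R_SIG = bytes(range(32, 64))

if __name__ == "__main__":
    acct = derive(SAMPLE_SK_SIG, SAMPLE_R_SIG)
    print(acct)
    print(address_from_public(acct["pk_sig"], acct["pr_sig"]) == acct["address"])
```
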