Suyash Bagad
Cryptography Engineer
Aztec Crash Course
First step towards Aztec 3.0
February 2023
UTXO and Account Models
UTXO Model
Recap
- Zero Knowledge Proof using 3-colourable graph
- Password management
- Use of encryption and hashing in Aztec
Plaintext
Encryption \((\text{AES})\)
Hashing \((\text{SHA-}256)\)
Groups
- \(\textcolor{pink}{\text{Associativity}}\): For any \(G_1, G_2, G_3 \in \mathbb{G}\)
- \(G_1 + (G_2 + G_3) = (G_1 + G_2) + G_3\)
-
\(\textcolor{lightblue}{\text{Identity}}\): There exists \(\mathcal{O} \in \mathbb{G}\) such that for any \(G \in \mathbb{G}\)
- \(\mathcal{O} + G = G + \mathcal{O} = G\)
-
\(\textcolor{orange}{\text{Inverse}}\): For every \(G \in \mathbb{G}\), there exists \(I \in \mathbb{G}\) such that:
- \(I + G = G + I = \mathcal{O}\)
\left( \mathbb{G}, + \right)
Binary operation
A set of elements \(\{G_1, G_2, \dots\}\)
Groups
\(\textcolor{pink}{\text{Associativity}}\) \(\hspace{1.5cm}\textcolor{lightblue}{\text{Identity}}\) \(\hspace{1.5cm}\textcolor{orange}{\text{Inverse}}\)
\left( \mathbb{G} \hspace{2cm}, + \hspace{0.8cm} \right)
\(=\{0, 1, 2, \dots, 7\}\)
\(\text{ mod }8\)
\(0\)
\(1\)
\(2\)
\(6\)
\(4\)
\(3\)
\(5\)
\(7\)
\(1+(2+4) = \)
Groups
\(\textcolor{pink}{\text{Associativity}}\) \(\hspace{1.5cm}\textcolor{lightblue}{\text{Identity}}\) \(\hspace{1.5cm}\textcolor{orange}{\text{Inverse}}\)
\left( \mathbb{G} \hspace{2cm}, + \hspace{0.8cm} \right)
\(=\{0, 1, 2, \dots, 7\}\)
\(\text{ mod }8\)
\(0\)
\(1\)
\(2\)
\(6\)
\(4\)
\(3\)
\(5\)
\(7\)
\(1+(2+4) = \)
Groups
\(\textcolor{pink}{\text{Associativity}}\) \(\hspace{1.5cm}\textcolor{lightblue}{\text{Identity}}\) \(\hspace{1.5cm}\textcolor{orange}{\text{Inverse}}\)
\left( \mathbb{G} \hspace{2cm}, + \hspace{0.8cm} \right)
\(=\{0, 1, 2, \dots, 7\}\)
\(\text{ mod }8\)
\(0\)
\(1\)
\(2\)
\(6\)
\(4\)
\(3\)
\(5\)
\(7\)
\(1+(2+4) = \)
\(7\)
\(=(1+2)+4\)
Groups
\(\textcolor{pink}{\text{Associativity}}\) \(\hspace{1.5cm}\textcolor{lightblue}{\text{Identity}}\) \(\hspace{1.5cm}\textcolor{orange}{\text{Inverse}}\)
\left( \mathbb{G} \hspace{2cm}, + \hspace{0.8cm} \right)
\(=\{0, 1, 2, \dots, 7\}\)
\(\text{ mod }8\)
\(0\)
\(1\)
\(2\)
\(6\)
\(4\)
\(3\)
\(5\)
\(7\)
\(1+(2+4) = \)
\(7\)
\(=(1+2)+4\)
\(4+0 = 0 + 4 = 4\)
Groups
\(\textcolor{pink}{\text{Associativity}}\) \(\hspace{1.5cm}\textcolor{lightblue}{\text{Identity}}\) \(\hspace{1.5cm}\textcolor{orange}{\text{Inverse}}\)
\left( \mathbb{G} \hspace{2cm}, + \hspace{0.8cm} \right)
\(=\{0, 1, 2, \dots, 7\}\)
\(\text{ mod }8\)
\(0\)
\(1\)
\(2\)
\(6\)
\(4\)
\(3\)
\(5\)
\(7\)
\(1+(2+4) = \)
\(7\)
\(=(1+2)+4\)
\(4+0 = 0 + 4 = 4\)
\((3 + x) \text{ mod }8 = 0\)
Groups
\(\textcolor{pink}{\text{Associativity}}\) \(\hspace{1.5cm}\textcolor{lightblue}{\text{Identity}}\) \(\hspace{1.5cm}\textcolor{orange}{\text{Inverse}}\)
\left( \mathbb{G} \hspace{2cm}, + \hspace{0.8cm} \right)
\(=\{0, 1, 2, \dots, 7\}\)
\(\text{ mod }8\)
\(0\)
\(1\)
\(2\)
\(6\)
\(4\)
\(3\)
\(5\)
\(7\)
\(1+(2+4) = \)
\(7\)
\(=(1+2)+4\)
\(4+0 = 0 + 4 = 4\)
\((3 + x) \text{ mod }8 = 0\)
\(\implies x =5\)
Groups
- Finite groups: finite number of elements
- Order of the group: the size of the set (Prev example \(|\mathbb{G}|=8\))
- Cyclic groups: given a generator \(G \in \mathbb{G}\)
\(\mathbb{G}=\{G, 2G, 3G, 4G, \dots\}\)
- In the previous example, \(G=1\)
- For a prime ordered group, every non-zero element is a generator!
\(\mathbb{G}=\{0, 1, 2,3,4\}\)
\(1\)
\(2\)
\(3\)
\(4\)
\(G\)
\(2G\)
\(3G\)
\(4G\)
\(5G\)
\(2\)
\(3\)
\(4\)
\(0\)
\(0\)
\(4\)
\(1\)
\(3\)
\(0\)
\(4\)
\(1\)
\(2\)
\(2\)
\(0\)
\(1\)
\(3\)
Elliptic Curves over Reals
- The set \(E\) of real solutions \((x,y)\) of the equation
y^2 = x^3 + ax + b
- \(E\) also includes the "point at infinity": \(\mathcal{O}\). Also, \(4a^3 + 27b^2 \neq 0.\)
\(y^{2}=x^{3}-2x\)
\(y^{2\ }=x^{3}-x+2\)
Point Addition
Fields
\left( \mathbb{F}, +, * \right)
Addition operator
A set of elements \(\{f_1, f_2, \dots\}\)
Multiplication operator
- \(\mathbb{F}\) is an Abelian group under \(+\) with identity \(\mathcal{O}_{+}=0\)
- \(\mathbb{F} \setminus \{0\}\) is an Abelian group under \(*\) with identity \(\mathcal{O}_{*}=1\)
- \(\mathbb{F}\) is distributive, i.e. for any \(a,b,c\in \mathbb{F}\)
\(a * (b+c) = a*b \ + \ a*c\)
- A finite field has a finite size!
Prime Field
- A field \(\mathbb{F}\) with a prime order is a prime field
- Example: \(\mathbb{F}_p := \{0, 1, 2, 3, \dots, p-1\}\) for a prime \(p\)
- \(+\) and \(*\) are defined as
\(x + y = (x+y) \text{ mod }p\)
\(x * y = (xy) \text{ mod }p\)
- In a field, division is done as: \(\frac{a}{b} = a * b^{-1}\)
Elliptic Curves over Finite Fields
- The set \(E\) of solutions \((x,y)\in \mathbb{F}^2\) of the equation
y^2 = x^3 + ax + b
\(y^2 = x^3+10x+2\) over \(\mathbb{F}_{11}\)
\(y^2 = x^3+9x\) over \(\mathbb{F}_{11}\)
Point Addition over \(\mathbb{F}_p\)
\(y^2 = x^3+10x+2\) over \(\mathbb{F}_{11}\)
\((3,2) + (6,5) = \)
\((3,9)\)
Point Addition over \(\mathbb{F}_p\)
\(y^2 = x^3+10x+2\) over \(\mathbb{F}_{11}\)
\((3,2) + (6,5) = \)
\((3,9)\)
\((3,9)+(5,10) = \)
\((6,6)\)
Bitcoin's EC: \(\texttt{secp256k1}\)
- \(y^2=x^3+7\) over \((x,y)\in \mathbb{F}_p^2\) where
p=2^{256} - 2^{32}-2^9-2^8-2^7-2^6-2^4-1
\(n =\texttt{FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141}\)
- The set \(E \cup \{\mathcal{O}\}\) is of size
- A private key is \(s \in \{1, 2, 3, \dots, n-1\}\)
- Public key is \(sP = \underbrace{P+P+\dots+P}_{s\text{ times}}\) where \(P \in E\) is group generator
\(P:\)
Summary
- Simple examples of ECC basic
- Groups, prime-ordered groups
- Fields, prime-ordered fields
- Elliptic curve over Reals
- Elliptic curve over finite fields
- Real-life numbers for Bitcoin's elliptic curve
- In the next discussion:
- Schnorr signatures
- Discrete Log Problem
- How hard is it to break ECC?
Aztec Crash Course
By Suyash Bagad
Aztec Crash Course
A brief presentation on all things Aztec as a buildup towards Aztec 3.0.
