Cryptographic Assumptions
Cryptographic Assumptions
Section titled “Cryptographic Assumptions”Overview
Section titled “Overview”This document details the cryptographic assumptions underlying the SIP protocol, including hardness assumptions, security levels, known attacks, and parameter justifications.
Elliptic Curve: secp256k1
Section titled “Elliptic Curve: secp256k1”Parameters
Section titled “Parameters”Field: F_p where p = 2^256 - 2^32 - 977Curve: y² = x³ + 7 (Koblitz curve)Order: n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141Cofactor: h = 1Generator: G (standard secp256k1 generator)Hardness Assumptions
Section titled “Hardness Assumptions”-
Elliptic Curve Discrete Logarithm Problem (ECDLP)
- Given G and P = kG, finding k is computationally infeasible
- Security level: ~128 bits (best known attack: Pollard’s rho)
- Required for: commitment hiding, stealth address unlinkability
-
Computational Diffie-Hellman (CDH)
- Given G, aG, bG, computing abG is infeasible without knowing a or b
- Reduces to ECDLP
- Required for: stealth address generation (ECDH key exchange)
Known Attacks
Section titled “Known Attacks”| Attack | Complexity | Mitigation |
|---|---|---|
| Pollard’s rho | O(√n) ≈ 2^128 | None needed (sufficient security) |
| Baby-step giant-step | O(√n) space/time | None needed |
| Invalid curve attack | Variable | Point validation on all inputs |
| Small subgroup attack | N/A | Cofactor = 1, not applicable |
| Twist attack | Variable | Point validation |
Parameter Justification
Section titled “Parameter Justification”- secp256k1 choice: Bitcoin-proven, 15+ years of analysis, efficient implementations
- 128-bit security: NIST recommended minimum for 2030+ timeframe
- Cofactor 1: Simplifies implementation, no subgroup attacks
Pedersen Commitments
Section titled “Pedersen Commitments”Construction
Section titled “Construction”Commitment: C = v·G + r·H
Where:- v: value (secret)- r: blinding factor (random, 256-bit)- G: standard secp256k1 generator- H: NUMS (Nothing Up My Sleeve) generatorH Generator (NUMS Construction)
Section titled “H Generator (NUMS Construction)”// H is derived deterministically from a fixed domain string using a// try-and-increment hash-to-curve, so nobody knows log_G(H).const H_DOMAIN = 'SIP-PEDERSEN-GENERATOR-H-v1'// For counter = 0, 1, 2, ...: hash `${H_DOMAIN}:${counter}` with SHA-256// and attempt to decode the digest as a valid curve point; the first// success becomes H.H = tryAndIncrement(H_DOMAIN)
// Properties:// 1. Nobody knows discrete log of H with respect to G// 2. Construction is deterministic and verifiable// 3. Follows industry best practice (see Zcash, Mimblewimble)Security Properties
Section titled “Security Properties”-
Perfectly Hiding
- For any two values v₁, v₂, commitments are indistinguishable
- Information-theoretic: holds even against unbounded adversary
- Proof: For any v, C can be opened to any value with appropriate r
-
Computationally Binding
- Cannot find (v₁, r₁) ≠ (v₂, r₂) such that commit(v₁, r₁) = commit(v₂, r₂)
- Reduces to ECDLP: finding collision implies knowing log_G(H)
- Security: 128 bits under ECDLP assumption
-
Additively Homomorphic
- C₁ + C₂ = commit(v₁ + v₂, r₁ + r₂)
- Enables balance proofs without revealing amounts
Known Attacks
Section titled “Known Attacks”| Attack | Applicable | Mitigation |
|---|---|---|
| Related blinding | Yes if blinding reused | Fresh random blinding per commitment |
| Blinding bias | Yes if PRNG weak | Rejection sampling for uniform distribution |
| H backdoor | Yes if H = kG known | NUMS construction, verifiable derivation |
Stealth Addresses (EIP-5564 Style)
Section titled “Stealth Addresses (EIP-5564 Style)”Construction
Section titled “Construction”Recipient publishes: (K_spend, K_view) - stealth meta-addressSender generates: r (ephemeral private key) R = r·G (ephemeral public key) S = r·K_view (shared secret via ECDH) s = H(S) (scalar derivation) P = K_spend + s·G (stealth address)
Recipient computes: S' = k_view·R (same shared secret) s' = H(S') p = k_spend + s' (stealth private key)Consistency: S = r·K_view = k_view·R (ECDH on the viewing key), and
P = K_spend + s·G = (k_spend + s)·G = p·G. Deriving the stealth private key
p requires both recipient private keys (k_view to recover S, and
k_spend as the base scalar), while detection needs only k_view plus the
spending public key K_spend — compute S = k_view·R, then check whether
K_spend + H(S)·G == P. This matches the implementation in
stealth/secp256k1.ts and the canonical stealth-address formula
A = K_spend + H(S)·G in security-properties.
Security Properties
Section titled “Security Properties”-
Unlinkability
- Different stealth addresses for same recipient are unlinkable
- Even with multiple payments, no common factor reveals recipient
-
Ephemeral Key Privacy
- R reveals nothing about recipient without k_view
- Observers cannot compute shared secret
-
View Key Separation
- k_view allows scanning without spending capability
- Provides audit/compliance path
Assumptions
Section titled “Assumptions”- CDH: Required for ECDH security
- Random Oracle Model: Hash function modeled as random oracle
- Fresh Ephemeral Keys: New r for each payment
View Tag Optimization
Section titled “View Tag Optimization”view_tag = first byte of H(S)- Reduces scanning computation by 256x
- Small information leakage: reveals 8 bits about shared secret
- Acceptable trade-off for scanning efficiency
Hash Functions
Section titled “Hash Functions”SHA-256
Section titled “SHA-256”Used for:
- NUMS generator derivation
- Shared secret to scalar derivation
- Proof hashing
Properties:
- 128-bit collision resistance
- 256-bit preimage resistance
- Standard construction, extensively analyzed
Assumed Properties
Section titled “Assumed Properties”- Preimage Resistance: Given h = H(m), finding m is infeasible
- Second Preimage Resistance: Given m₁, finding m₂ ≠ m₁ with H(m₁) = H(m₂) is infeasible
- Collision Resistance: Finding any m₁ ≠ m₂ with H(m₁) = H(m₂) is infeasible
- Random Oracle Behavior: H behaves as random function (heuristic)
ZK Proof System (Noir/Barretenberg)
Section titled “ZK Proof System (Noir/Barretenberg)”Framework
Section titled “Framework”- Backend: Barretenberg (Aztec)
- Language: Noir
- Proof System: UltraHonk
Assumptions
Section titled “Assumptions”-
Soundness: Malicious prover cannot convince verifier of false statement
- Based on: q-DLOG assumption, algebraic group model
- Security level: Depends on constraint system
-
Zero-Knowledge: Verifier learns nothing beyond statement truth
- Based on: Hiding property of commitment scheme
- Computational zero-knowledge
-
Trusted Setup: Universal SRS (Structured Reference String)
- Barretenberg uses BN254 curve
- Powers-of-tau ceremony (Aztec ceremony + Hermez contributions)
Circuit Constraints
Section titled “Circuit Constraints”| Circuit | ACIR Opcodes | Tests | Purpose |
|---|---|---|---|
| Funding Proof | 972 | 5 | Prove balance ≥ minimum |
| Validity Proof | 1,113 | 6 | Verify intent authorization |
| Fulfillment Proof | 1,691 | 8 | Verify fulfillment correctness |
Counts are ACIR opcodes from the compiled Noir circuits (3,776 total). The Barretenberg gate count after lowering is higher and differs per backend.
Random Number Generation
Section titled “Random Number Generation”Source
Section titled “Source”crypto.getRandomValues(new Uint8Array(32))Properties Required
Section titled “Properties Required”- Unpredictability: Each bit has 50% probability
- Independence: No correlation between outputs
- Backtracking Resistance: Past outputs don’t reveal future
Platform Security
Section titled “Platform Security”| Platform | Source | Quality |
|---|---|---|
| Browser | Web Crypto API → OS CSPRNG | High |
| Node.js | crypto.randomBytes → OS CSPRNG | High |
| Mobile | OS secure random | High |
Failure Modes
Section titled “Failure Modes”- PRNG seeding failure → Predictable outputs
- Mitigation: Rejection sampling + validation
Security Level Summary
Section titled “Security Level Summary”| Component | Security Level | Basis |
|---|---|---|
| ECDLP | 128 bits | secp256k1 curve |
| Commitments | 128 bits | Binding reduces to ECDLP |
| Commitments | ∞ (perfect) | Hiding is information-theoretic |
| Stealth addresses | 128 bits | CDH assumption |
| SHA-256 | 128 bits | Collision resistance |
| ZK Proofs | ~128 bits | UltraHonk soundness |
Implementation Notes
Section titled “Implementation Notes”Constant-Time Operations
Section titled “Constant-Time Operations”The @noble/curves library provides:
- Constant-time scalar multiplication
- Constant-time point addition
- Constant-time comparison
This prevents timing side-channel attacks.
Validation Requirements
Section titled “Validation Requirements”- All points must be validated on curve before use
- Scalars must be in valid range [1, n-1]
- Commitments must be non-identity point
- Proofs must be verified before acceptance