Cryptography

Cryptography in Move

Cryptography plays an integral role in ensuring the security, integrity, confidentiality, and immutability of data in blockchain systems. The Endless adapter for Move provides developers with an array of cryptographic primitives to cater to this need. This document delves into the cryptographic functionalities offered by Move on Endless and elucidates the principles that drive their design.

Cryptographic primitives

Move, through the Endless adapter, encompasses several fundamental cryptographic tools:

1. Cryptographic Hash Functions – Algorithms that produce a fixed-size output (hash) from variable-sized input data. Supported functions include SHA2-256, SHA3-256, Keccak256, and Blake2b-256.

2. Digital Signature Verification – Algorithms for signing a message to ensure its integrity, authenticate its sender, ensure non-repudiation, or any combination thereof. Supported signature schemes include Ed25519, ECDSA, and BLS.

3. Elliptic Curve Arithmetic – Elliptic curves are one of the building blocks of advanced cryptographic primitives, such as digital signatures, public-key encryption or verifiable secret sharing. Supported curves include Ristretto255 and BLS12-381.

4. Zero-Knowledge Proofs (ZKP) – These cryptographic techniques enable a party to prove that a relation $R(x; w)$ is satisfied on a public statement $x$ without leaking the secret witness $w$ that makes it hold. Currently, we support Groth16 ZKP verification and Bulletproofs ZK range proof verification.

Three fundamental principles guide the design and integration of the Endless cryptographic extensions into Move:

1. Economic Gas Usage – Striving to minimize gas costs for Move developers by implementing key primitives as Move native functions. For example, see the module for .

2. Type-Safe APIs – Ensuring that APIs are resistant to common mistakes, type-safety enhances code reliability and promotes an efficient development process. For an example, see the .

3. Empowerment of Developers – In instances where native functions are unavailable, we empower developers to build their own cryptographic primitives on top of abstract cryptographic building blocks such as finite fields and Abelian groups. Refer to the module for more insights.

Continue reading to delve a bit deeper and uncover some of the intricacies behind these extensions, as well as the range of applications they empower. For the most comprehensive understanding of this subject, refer to the .

Cryptographic hash functions

Developers can now use more cryptographic hash functions in Move via the module:

All hash functions have the same security properties (e.g., one-wayness, collision resistance, etc.), but their security levels are different.

Digital signature verification

Developers can now use a type-safe API for verifying many kinds of digital signatures in Move:

The digital signature modules above can be used to build smart contract-based wallets, secure claiming mechanisms for airdrops, or any digital-signature-based access-control mechanism for dapps.

The right choice of a signature scheme in your dapp could depend on many factors:

1. Backwards-compatibility

   • If your dapp's user base predominantly uses a particular signing mechanism, it would be prudent to support that mechanism for ease of transition and adoption.

     • Example: If users mainly sign using Ed25519, it becomes a logical choice.

2. Ease-of-implementation

   • While theoretically sound, complex protocols may be challenging to implement in practice.

     • Example: Even though $t$-out-of-$n$ threshold protocols for Ed25519 exist, their intricacy on the signer's side might push developers toward MultiEd25519 due to its more straightforward signing implementation.

3. Efficiency

   • Depending on the dapp's requirements, you might prioritize one aspect of efficiency over another.

     • Signature size vs. public key size: Some applications might prioritize a smaller signature footprint, while others might emphasize a compact PK.

     • Signing time vs. verification time: For certain dapps, the signing speed might be more crucial, while for others, rapid signature verification could be the priority.

4. Security analysis

   • It is essential to consider the underlying assumptions and potential vulnerabilities of a signature scheme.

     • Example: ECDSA's security is proven under strong assumptions such as the Generic Group Model (GGM).

     • Malleability concerns: Some signature schemes are susceptible to malleability, where a valid signature, $\sigma$, can be mauled into a different yet still valid signature, $\sigma$, for the same message $m$.

5. Versatility

   • The adaptability and flexibility of signature schemes are important to consider, so you may properly accommodate the cryptographic needs of your dapp.

     • Example: $t$-out-of-$n$ threshold BLS signatures are very simple to implement.

Elliptic curve arithmetic

While the hash function and digital signature modules should provide enough functionality for most applications, some applications will require more powerful cryptography. Normally, developers of such applications would have to wait until their desired cryptographic functionality is implemented efficiently as a Move native function in the Endless Move framework. Instead, we expose basic building blocks that developers can use to implement their own cryptographic primitives directly in the Move language and do so efficiently.

Specifically, we currently expose low-level arithmetic operations on two popular elliptic curve groups and their associated finite fields:

These modules support low-level operations such as:

• scalar multiplication of elliptic curve points

• multi-scalar multiplications (MSMs)

• pairings

• scalar addition, multiplication, inversion

• hashing to a scalar or to a point

• and many more

Examples of powerful applications that can be built on top include:

1. Validity rollups – See the groth16 zkSNARK verifier example.

2. Randomness-based games – See the drand verifier example.

3. Privacy-preserving applications – See the veiled_coin example.

Ristretto255 arithmetic

This module has proven useful for implementing several cryptographic primitives:

1. Zero-knowledge $\Sigma$-protocols – See the veiled_coin example.

Generic elliptic curve arithmetic

What is better than one curve? More curves!

As an example, a Move developer can implement the popular Boneh-Lynn-Shacham (BLS) signature scheme generically over any curve by using type arguments for the curve type in their implementation:

use std::option;
use endless_std::crypto_algebra::{eq, pairing, one, deserialize, hash_to};

/// Example of a BLS signature verification function that works over any pairing-friendly
/// group triple `Gr1`, `Gr2`, `GrT` where signatures are in `Gr1` and PKs in `Gr2`.
/// Points are serialized using the format in `FormatG1` and `FormatG2` and the hashing
/// method is `HashMethod`.
///
/// WARNING: This example is type-unsafe and probably not a great fit for production code.
public fun bls_verify_sig<Gr1, Gr2, GrT, FormatG1, FormatG2, HashMethod>(
    dst:        vector<u8>,
    signature:  vector<u8>,
    message:    vector<u8>,
    public_key: vector<u8>): bool
{
    let sig  = option::extract(&mut deserialize<Gr1, FormatG1>(&signature));
    let pk   = option::extract(&mut deserialize<Gr2, FormatG2>(&public_key));
    let hash = hash_to<Gr1, HashMethod>(&dst, &message);

    // Checks if $e(H(m), pk) = e(sig, g_2)$, where $g_2$ generates $\mathbb{G}_2$
    eq(
        &pairing<Gr1, Gr2, GrT>(&hash, &pk),
        &pairing<Gr1, Gr2, GrT>(&sig, &one<Gr2>())
    )
}

use endless_std::bls12381_algebra::{
    G1, G2, Gt, FormatG1Compr, FormatG2Compr, HashG1XmdSha256SswuRo
};

// Aborts with code 1 if the MinSig BLS signature over the BLS12-381 curve fails to verify.
assert(
    bls_verify_sig<G1, G2, Gt, FormatG1Compr, FormatG2Compr, HashG1XmdSha256SswuRo>(
        dst, signature, message, public_key
    ),
    1
);

For more use cases of the crypto_algebra module, check out some Move examples:

1. Verifying Groth16 zkSNARK proofs over any curve

2. Verifying randomness from the drand beacon

Building powerful cryptographic applications

Veiled coins

Specifically, users can veil their balance, keeping it hidden from everyone, including validators. Furthermore, a user can send a veiled transaction that hides the transaction amount from everybody, including validators. An important caveat is that veiled transactions do not hide the identities of the sender or the recipient.

Groth16 zkSNARK verifier

Verifying randomness from the drand beacon

Another application that can be built on top of drand is time-lock encryption, which allows users to encrypt information such that it can only be decrypted in a future block. We do not currently have an implementation but the reader is encouraged to write one!