Quai Network: Implementation of Ristretto Signing Curve

Overview

Ristretto is a prime order elliptic curve technique ensuring non-malleable encodings. The integration of Ristretto will enhance the Quai Network’s security, speed, and capability.

Benefits:

• Enhanced Security: Prevent various elliptic curve related attacks.
• High-Speed Transactions: Utilize the efficiency of Curve25519 in combination with Ristretto.
• Unique Encodings: Ensure non-malleability across cryptographic operations.
• Privacy Potential: Enables the introduction of advanced privacy-preserving protocols like Confidential Transactions or the ZK-STARKs.
• Community Support: Rely on a well-researched and widely adopted cryptographic foundation.

Curve25519 and secp256k1 (current Quai curve) are two different elliptic curves used in public-key cryptography.

Definition and Shape:

• Curve25519: It’s defined over the prime field 2^255 - 19 and uses Montgomery form. Its equation is (y^2 = x^3 + 486662x^2 + x).
• secp256k1: It’s defined over the prime field 2^256 - 2^32 - 977 and uses short Weierstrass form. Its equation is (y^2 = x^3 + 7).

Implementations

1. ristretto255

• The recommended pure go implementation of ristretto255 over filippo.io/edwards25519.

2. ChainSafe implementation of go-schnorrkel

• Compatible with the substrate-bip39 implementation
• Schnorr Signatures over Ristretto255 in pure Go
• Utilizes the above ristretto255
• Used by tendermint
• Used by polkadot

3. go-ristretto

Questions

1. Do we want to have a prefix on public to an address as encoded base58? (Polkadot does this)

• a modification of Base-58-check from Bitcoin with some minor changes. Notably, the format contains an address type prefix that identifies an address belonging to a specific network. For example: Polkadot addresses always start with the number 1.

2. How do we want to convert a pubkey to an address?
3. How do we define the mapping? Like this? https://github.com/paritytech/ss58-registry/blob/main/ss58-registry.json
4. Are we okay with putting public keys in the tx data themselves?
5. Do we even want to support secp256k at all?
6. Do we want to have a SigningContext?
7. Do we want to utilize Schnorr Signature Aggregation?

References

Polkadot Accounts In-Depth

Regarding the question about generating addresses prefixes that identify the network, this is a very nice tool to visualize how bitcoin implements it (from the private key up to the b58 address):

Nice, I’ve been leaning towards the idea of b58 encoding to derive shard addresses. This is helpful to see.