# Cryptographic Primitives

Cryptographic primitives used in Labyrinth

## Elliptic Curve Cryptography (ECC)

Our protocol uses ECC operations on a specific curve, the **Baby JubJub Elliptic Curve**. This curve was chosen because it is designed specifically for use in Zero-Knowledge Proofs (ZKPs), which are the basis of the protocol's privacy facet. Baby JubJub is defined in detail in EIP-2494.

## Zero-Knowledge Proofs (ZKPs)

Labyrinth's whole privacy facet is centered on the extensive use of ZKPs. It uses a particular type of ZKP, the zkSNARK (Zero-Knowledge Succinct Non-interactive Argument of Knowledge), chosen for its constant-size, small proofs and fast verification. Specifically, we use the Groth16 protocol to generate proofs with these properties, which makes it a favorable choice for environments such as smart contract platforms and blockchains.

## Hashing Algorithm

The protocol needs to hash one or more variables at several stages. For any hash that is computed inside a ZK circuit (i.e. that must be proved), we use **Poseidon Hash**. Detailed information about it can be found in its research paper. Our protocol specifically uses the implementation laid out here in Circomlib.

Elsewhere, where no proving inside a ZK circuit is required, we use the keccak256 hashing algorithm.

## Digital Signatures

The protocol uses a Schnorr signature scheme wherever digital signatures are required and must be implemented in a circuit. We use an implementation of Schnorr signatures over the Baby JubJub curve with Poseidon as the hash function. Schnorr signatures are efficient and short, which makes them a good choice for ZK applications.

## Threshold Cryptography

A threshold cryptosystem allows a group of entities to share a secret key in such a way that any subset of the group of a particular size can perform cryptographic operations, such as encryption, decryption, and digital signatures.

If $n$ is the number of entities involved and $t$ ($t \leq n$) is the minimum subset size needed to perform the cryptographic operation, then the system is called a $(t, n)$-threshold system. Operations such as $(t, n)$-encryption schemes and $(t, n)$-signature schemes can be defined accordingly.

It has several benefits over traditional cryptosystems, including improved security, reduced risk of fraud, and increased fault tolerance.

## Encryption Schemes

We mainly use two encryption schemes, depending on the contexts where the encryption algorithm needs to be executed.

`chacha20poly1305` is a fast authenticated stream cipher (AEAD) standardized in RFC 8439. We use it to encrypt transaction-related data. The resulting ciphertext serves solely as a reference that lets the user perform future transactions spending their assets.

`El Gamal` is an asymmetric (public-key) encryption scheme based on the Diffie-Hellman key exchange protocol. We use it defined over Baby JubJub because the protocol needs an encryption mechanism that is efficient inside a circuit: users produce provable El Gamal encryptions of certain transactions for compliance purposes.
