1.2 Accounts

This is where the previous chapter 0.3 on Elliptic Curve Cryptography will be super useful, make sure you have it in mind.

Aleo Fundamental Objects

Let's start with defining some useful mathematical objects.

Fields

We'll start with the most fundamental object. Since the underlying constraint system of Aleo is R1CS, programs are essentially represented as sets of linear equations over a field. This makes elements of this field very special. They are simply called fields, for short, and represent elements of base field of the elliptic curve that Aleo accounts are based upon.

Every other types that are available on Aleo are derived from this one, in order for the instructions that involve those extra types to be reduced to linear equations over the base field.

This means that using field directly is generally the most optimal way to write a program constraint-wise.

Fields are the elements of Z/pZ\mathbb{Z}/p\mathbb{Z} with:

p=8444461749428370424248824938781546531375899335154063827935233455917409239041p=8444461749428370424248824938781546531375899335154063827935233455917409239041

Group

For reference here are the elliptic curves used in Aleo:

Edwards BLS12

BLS12-377

Curve Type

Twisted Edwards

Barreto-Lynn-Scott

Scalar Field Size

251 bits

253 bits

Base Field Size

253 bits

377 bits

G1 Compressed Size*

32 bytes

48 bytes

G2 Compressed Size*

N/A

96 bytes

Group elements represent points from a specific sub-group of the group of points on the Edwards BLS12 elliptic curve. This sub-group is generated by a generator point noted G1.

Scalar

The sub-group described above has order:

q=2111115437357092606062206234695386632838870926408408195193685246394721360383q= 2111115437357092606062206234695386632838870926408408195193685246394721360383

This means that when adding the generator GG with itself successively: G+G+...+GG+G+...+G, by definition, we end up reaching every element of the group, 1G,2G,...1\cdot G, 2\cdot G,... until reaching qG=0q\cdot G=0. This set of integer by which we can multiply GG is hence simply the field Z/qZ\mathbb{Z} / q\mathbb{Z}, called the set of scalar.

Accounts

Traditional Accounts

On traditional blockchains accounts can be simply made the following way, once an appropriate elliptic curve has been chosen, with fast scalar multiplication and hard ECDLP:

  • User generates a uniformly random 256 bits number ss.

  • It can be encoded in a human friendly way, by representing it a sequence of 24 words taken from a list of 2048 possible words. Since 204824=(211)24=22642048^{24}=(2^{11})^{24}=2^{264} we can store 264 bits of information using that sentence of words (called seed phrase).

  • User then carefully saves that sequence. Any number of accounts (ai,Ai)(a_i,A_i) can be generated with it:

    • Generate private key

    • Generate address Ai=aiGA_i=a_i\cdot G

Aleo Accounts

On Aleo things are done a bit differently in order to include privacy features. Instead of having just a private key and an address, accounts also have two extra keys called the View Key and Compute Key.

Private Key: The private key's, as with traditional chains, is used to authenticate transactions.

Address: The address serves as an identifier for users accounts. If you want to a user to send you some assets, you simply give him you address. Although, with just your address, this user will not be able to see all your past private transactions and the private state that involves your account.

View Key: The view key is used to decrypt all the private state on chain owned by your account. With it you can discover all your private holdings and state.

Compute Key: The compute key is used for proving a zkVM execution. It can be provided when delegating a transaction proof for instance.

Account Generation

  • User generates a uniformly random field element ss (the seed that can be encoded as words as above).

  • Private Key:

    User computes a signature secret key (scalar):

    • sksig=hash_to_scalar(C1s)sk_{sig} = \text{hash\_to\_scalar}(C_1 | s)

    and a signature randomizer (scalar):

    • rsig=hash_to_scalar(C2s)r_{sig} = \text{hash\_to\_scalar}(C_2|s)

    Where C1C_1\text{} and C2C_2 are constants.

  • Compute Key:

    User computes signature public key (group):

    • pksig=sksigGpk_{sig} = sk_{sig} \cdot G

    and a signature public randomizer (group):

    • prsig=rsigGpr_{sig} = r_{sig} \cdot G

    and a pseudo random secret key (scalar):

    • skprf=hash_to_scalar(pksigprsig)sk_{prf} = \text{hash\_to\_scalar}(pk_{sig}|pr_{sig})

  • View Key (scalar):

    • vk=sksig+rsig+skprfvk=sk_{sig} + r_{sig} + sk_{prf}

  • Address (group):

    • A=vkGA = vk \cdot G

Previous1.1 Aleo FundamentalsNext1.3 Concepts

Last updated