chore(docs): docs keys page update#11449
Conversation
rahul-kothari
left a comment
rahul-kothari
left a comment
There was a problem hiding this comment.
nice!! Think hyperlinks are missing
content is great thanks Lisa!!
| ### Incoming viewing keys | ||
|
|
||
| During private function execution these keys are obtained via an oracle call from PXE. | ||
| The incoming viewing public key (`Ivpk`) is used by the sender to encrypt a note for the recipient. The corresponding incoming viewing secret key (`ivsk`) is used by the recipient to decrypt the note. |
There was a problem hiding this comment.
nt: here we use Ivpk (capital I) and later we use ivsk (small i). Do public keys usually start off with capital letters? If not can we make it consistent?
Same for esk/Epk - again maybe this is a convention I never knew
There was a problem hiding this comment.
Yes, I got from @iAmMichaelConnor – this is a convention that all secret keys start with small letter and public – with a large letter.
|
|
||
| This also allows per-application auditability. | ||
| A user may choose to disclose their incoming and outgoing viewing keys for a given application to an auditor or regulator (or for 3rd party interfaces, e.g. giving access to a block explorer to display my activity), as a means to reveal all their activity within that context, while retaining privacy across all other applications in the network. | ||
| Address keys are used for account address derivation. |
There was a problem hiding this comment.
link to approrpiate place in the docs that also talks about addresses/accounts
| This mechanisms prevents double-spends, since nullifiers are checked by the protocol to be unique. | ||
| Now, in order to preserve privacy, a third party should not be able to link a note hash to its nullifier - this link is enforced by the note implementation. | ||
| Therefore, calculating the nullifier for a note requires a secret from its owner. | ||
| Thanks to the native account abstraction, authorization logic can be implemented in an alternative way using Google authorization credentials, vanilla password logic or Face ID mechanism. In all these cases signing keys are not relevant. |
There was a problem hiding this comment.
link to the concept docs that talk about account abstraction on Aztec
and also backlink from that page to here, since we should talk about signing keys there too!
| #### Using an immutable private note | ||
|
|
||
| Used to compute tags in a tagging note discovery scheme. | ||
| Similar to using a private note, but using an immutable private note removes the need to nullify the note on every read. This generates no nullifiers and commitments per transaction. However, it does not allow the user to rotate their key if they lose it. |
There was a problem hiding this comment.
add the code snippet like you did with is_valid_impl
|
|
||
| Usually, an account contract will validate a signature of the incoming payload against a known signing public key. | ||
| :::note | ||
| By Shared Mutable we mean privately readable publicly mutable state. |
There was a problem hiding this comment.
link to shared mutable in docs
| ### Keys derivation | ||
|
|
||
| Similar to using a private note, but using an immutable private note removes the need to nullify the note on every read. This generates less nullifiers and commitments per transaction, and does not enforce an order across transactions. However, it does not allow the user to rotate their key should they lose it. | ||
| All key pairs are derived using elliptic curve public-key cryptography on the [Grumpkin curve](https://hackmd.io/@aztec-network/ByzgNxBfd#2-Grumpkin---A-curve-on-top-of-BN-254-for-SNARK-efficient-group-operations). Where the secret key is represented as a scalar and the public key is represented as an elliptic curve point multiplied by that scalar. |
There was a problem hiding this comment.
can we check that the hackMD is accessible publicly?
Better yet can we just move it to this doc rather than hyperlinking to some hgackMD?
There was a problem hiding this comment.
Changed for GitHub repo link instead. Doesn't seem relevant to introduce the definition of EC here.
| The address private key is an exception and derived in a way described above in the section “Address keys”. | ||
|
|
||
| A compromise between the two solutions above is to use shared state. This would not generate additional nullifiers and commitments for each transaction while allowing the user to rotate their key. However, this causes every transaction to now have a time-to-live determined by the frequency of the mutable shared state, as well as imposing restrictions on how fast keys can be rotated due to minimum delays. | ||
| ### The special case of escrow contracts |
| public_keys_hash := poseidon2("az_public_keys_hash", Npk_m, Ivpk_m, Ovpk_m, Tpk_m) | ||
| address := poseidon2("az_contract_address_v1", public_keys_hash, partial_address) | ||
| ``` | ||
| App-siloed keys are derived in PXE every time the user interacts with the application. |
There was a problem hiding this comment.
mention siloing derivation? Or hyperlink ot protocol page where we have it
Co-authored-by: Rahul Kothari <rahul.kothari.201@gmail.com>
critesjosh
changed the title
| Above we mentioned that the notes typically contain `Npk_m`. | ||
| It might seem like a mistake given that the notes are nullified with `nsk_app`. | ||
| This is intentional and instead of directly trying to derive `Npk_m` from `nsk_app` we instead verify that both of the keys were derived from the same `nsk_m` in our protocol circuits. | ||
| Address keys are a pair of keys `AddressPublicKey` and `address_sk` where `address_sk` is a scalar defined as `address_sk = pre_address + ivsk` and `AddressPublicKey` is an elliptic curve point. `pre_address` can be thought of as a hash of all account’s key pairs and functions in the account contract: `pre_address := poseidon2(public_keys_hash, partial_address)` where `partial_address := poseidon2(contract_class_id, salted_initialization_hash)` and `public_keys_hash := poseidon2(Npk_m, Ivpk_m, Ovpk_m, Tpk_m)`. |
There was a problem hiding this comment.
What is the relationship between the address_sk and the AddressPublicKey point? Is it just AddressPublicKey = address_sk * G?
There was a problem hiding this comment.
Yes, that's correct. I added it explicitely.
|
|
||
| This also allows per-application auditability. | ||
| A user may choose to disclose their incoming and outgoing viewing keys for a given application to an auditor or regulator (or for 3rd party interfaces, e.g. giving access to a block explorer to display my activity), as a means to reveal all their activity within that context, while retaining privacy across all other applications in the network. | ||
| ### Address keys |
There was a problem hiding this comment.
It might be good to move this section above the section on 'Incoming view keys' since you explain where address_sk and AddressPublicKey come from in here, and you reference them above.
Co-authored-by: josh crites <jc@joshcrites.com>
Co-authored-by: josh crites <jc@joshcrites.com>
|
closing in favor of #11665 |
4 participants
New version of the keys page.