Why are custom cryptographic primitives essential for development on the blockchain?


Blockchain is a new technology built on cryptography, economics and network science. For the general public, cryptography is not an easy subject to approach, and of the three disciplines it is the one people feel most distant from. Yet anyone who spends time in the blockchain community will often hear that "blockchain is a trust machine", or that in the world of blockchain, "In Math we Trust". Cryptography, in other words, is a fundamental and indispensable part of blockchain technology.

Well, here’s the question:

  • Where does blockchain use cryptography?
  • Why is cryptography crucial to blockchain technology?

Where is cryptography used in the blockchain?

First of all, if you are a blockchain user, there may be a note in a corner of your room on which 12 unfamiliar words are copied. Some people have several such notes, and some large holders even engrave these 12 English words on steel plates and lock them in a safe.

So why do these 12 mnemonic words, or the long string of seemingly random characters that makes up a private key, represent your ownership of assets?

The principle behind this is actually cryptography.

Our keys, addresses and wallets are all implemented through cryptography. Using asymmetric (public-key) cryptography, specifically elliptic-curve signatures (ECDSA over the secp256k1 curve in Bitcoin and Ethereum), anyone can check that a signature was produced by the private key that matches a given public key. This is how a person proves ownership of a crypto asset: only the holder of the private key can produce a valid signature, so nobody without it can spend the asset. Note that the curve is used for signing, not for encrypting the asset; nothing on chain is encrypted.

Here we use Bitcoin to illustrate how the private key, public key and address are generated. A Bitcoin wallet contains a series of key pairs, each consisting of a private key and a public key. The private key is a randomly chosen 256-bit integer (it must lie in the range 1 to n-1, where n is the order of the curve). From the private key, scalar multiplication on the secp256k1 elliptic curve yields the public key. From the public key we derive the Bitcoin address by hashing it first with SHA-256 and then with RIPEMD-160 (together called HASH160), prefixing a version byte, and encoding the result with Base58Check, which appends a 4-byte checksum so that mistyped addresses are rejected rather than paid to. The mnemonic words we commonly use are generated according to the BIP 39 standard: random entropy plus a checksum is mapped onto English words from a fixed 2048-word list, and the seed derived from those words in turn produces the private keys. Without the private key or the mnemonic, you cannot spend the asset.


Generation process of the Bitcoin public key and address

(picture taken from bitcoin)
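The derivation chain described above, carried out end to end as an added worked example (this is not code from the original article or from any Bitcoin project). It uses only the Python standard library and implements the secp256k1 scalar multiplication, HASH160 and Base58Check inline so that every step is visible. Two assumptions to note: the pure-Python RIPEMD-160 fallback is included because hashlib only exposes ripemd160 when the underlying OpenSSL build provides it, and the scalar multiplication is a plain double-and-add that is not constant-time, so it is for illustration only, never for real keys. The check value is the well-known address pair for private key 1.

```python
"""Bitcoin private key -> secp256k1 public key -> HASH160 -> Base58Check P2PKH address.
Added example, standard library only. Not constant-time: for illustration, not real keys."""
import hashlib

# secp256k1 domain parameters (SEC 2): field prime, group order, generator point.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None                                    # p + (-p) = infinity
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P)   # tangent slope (doubling)
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P)  # chord slope
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication k*point. Leaks timing: demo only."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def ripemd160_py(msg: bytes) -> bytes:
    """Pure-Python RIPEMD-160; the per-step tables are packed one hex digit per step."""
    hx = lambda s: [int(c, 16) for c in s]
    ML = hx("0123456789abcdef74d1a6f3c0952eb83ae49f812706db5c19ba08c4d37fe56240597c2ae138b6fd")
    MR = hx("5e7092b4d6f81a3c6b370d5aef8c4912f5137e69b8c2a04d86413bf05c2d97aecfa4158762de039b")
    SL = hx("befc5879bdef6798768db97f7cf9b7dcbd67e9dfe8d65c75bcefef989e56865c9f5b68dc5cdeb856")
    SR = hx("899bdff5778beec69df7c89b77c76fdb97fb866ecd5edd75f58bee6e69c9c5f885c9c5e68d65fdbb")
    KL = [0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xA953FD4E]
    KR = [0x50A28BE6, 0x5C4DD124, 0x6D703EF3, 0x7A6D76E9, 0]
    F = [lambda x, y, z: x ^ y ^ z, lambda x, y, z: (x & y) | (~x & z),
         lambda x, y, z: (x | ~y) ^ z, lambda x, y, z: (x & z) | (y & ~z),
         lambda x, y, z: x ^ (y | ~z)]
    rol = lambda x, i: ((x << i) | ((x & 0xFFFFFFFF) >> (32 - i))) & 0xFFFFFFFF
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    n = len(msg)  # MD-style padding: 0x80, zeros up to 56 mod 64, 64-bit LE bit length
    msg += b"\x80" + b"\x00" * ((119 - n) % 64) + (8 * n).to_bytes(8, "little")
    for off in range(0, len(msg), 64):
        x = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        al, bl, cl, dl, el = ar, br, cr, dr, er = h
        for j in range(80):                            # two parallel lines of 80 steps
            r = j >> 4
            al = rol(al + F[r](bl, cl, dl) + x[ML[j]] + KL[r], SL[j]) + el
            al, bl, cl, dl, el = el, al, bl, rol(cl, 10), dl
            ar = rol(ar + F[4 - r](br, cr, dr) + x[MR[j]] + KR[r], SR[j]) + er
            ar, br, cr, dr, er = er, ar, br, rol(cr, 10), dr
        h = [(h[1] + cl + dr) & 0xFFFFFFFF, (h[2] + dl + er) & 0xFFFFFFFF,
             (h[3] + el + ar) & 0xFFFFFFFF, (h[4] + al + br) & 0xFFFFFFFF,
             (h[0] + bl + cr) & 0xFFFFFFFF]
    return b"".join(v.to_bytes(4, "little") for v in h)


def hash160(data: bytes) -> bytes:
    """Bitcoin HASH160 = RIPEMD160(SHA256(data)); uses OpenSSL when available."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:                                 # OpenSSL build lacks ripemd160
        return ripemd160_py(sha)


def base58check(payload: bytes) -> str:
    """Append the first 4 bytes of SHA256d(payload) and encode in base 58."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = alphabet[rem] + out
    # Every leading zero byte is preserved as a leading '1' (hence mainnet '1...').
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def privkey_to_address(privkey: int, compressed: bool = True) -> str:
    """Mainnet P2PKH address (version byte 0x00) for a 256-bit private key."""
    if not 1 <= privkey < N:
        raise ValueError("private key must be in [1, n-1]")
    x, y = ec_mul(privkey)
    if compressed:   # 33 bytes: parity prefix + x
        pubkey = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    else:            # 65 bytes: 0x04 + x + y
        pubkey = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return base58check(b"\x00" + hash160(pubkey))


if __name__ == "__main__":
    print(privkey_to_address(1, compressed=False))  # 1EHNa6Q4Jz2uvNExL497mE43ikXhwF6kZm
    print(privkey_to_address(1))                    # 1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH
```

Two points this makes visible that the prose does not. First, the compressed and uncompressed encodings of the same public key hash to different addresses, which is why a wallet must remember which form it used. Second, nothing about the address depends on consensus rules beyond the hash and curve choices: Ethereum uses the same curve but derives its address as the last 20 bytes of Keccak-256 over the 64-byte x||y, which is exactly the kind of address rule the article later describes a CKB lock script reproducing.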

Once we hold a matching key pair, we can prove ownership of assets in any wallet or client and use those assets through it: for example a simple BTC transfer, or, more advanced, a wallet signing a smart-contract transaction, such as using the ETH in a wallet like MetaMask, imToken or AlphaWallet to buy a CryptoKitty, borrow on a DeFi platform, or swap an ERC-20 token on Uniswap.

Beyond basic uses such as transfers, some platforms now even use the public and private key for login authentication, or to verify that you own an asset in order to prove various rights and entitlements. In short, the cryptography behind public-private key verification is the user's pass into the blockchain world.

Another use of cryptography in blockchain that cannot be ignored is in block construction: the transactions in a block are committed to in a Merkle tree, and the block header is hashed (in Bitcoin with double SHA-256) and chained to the previous block's hash. This is hashing, not encryption: the hash function gives every transaction and block a tamper-evident fingerprint, so changing any transaction changes the Merkle root and breaks the chain of headers, which is what makes the ledger practically impossible to tamper with. Cryptography thus underpins both basic scenarios of Bitcoin's use, and many people speculate that Satoshi Nakamoto must be an expert cryptographer, given how skilfully cryptography is applied in this peer-to-peer cash system.

Of course, beyond the core functions of block generation and public-private key verification, cryptography is also used for privacy protection and even for scaling.

How do public chains use cryptography?

  • Wow, is this a new public chain?
  • Does it have a wallet?
  • Another set of new addresses and a new set of mnemonics…

A user who takes good care of their assets and invests across several public chains will have had this experience, and will hold several different mnemonics or private keys. In the end, what they manage to keep safe is probably only the mnemonics for their largest positions; some people even forget to back up the mnemonics for some assets.

In the long run, these asset-management problems raise the entry threshold of blockchain ever higher. To address this, some wallets have proposed many optimizations; some can even manage multiple assets under a single identity wallet with a single mnemonic. Even so, users are still left managing many groups of different addresses. The problem may be worse for many new public chains: if users want to try an application on the chain through its web page or mobile wallet, their cost of managing public and private keys goes up again, and these keys cannot be user-chosen the way an e-mail password can, which is neither convenient nor appealing.

But why do blockchains have such restrictions?

This limitation exists because many public chains have written the usage scenarios of cryptographic primitives into the consensus layer. In these chains the public-private key signature scheme, client-side verification, block hashing and the commonly used hash algorithms are all embedded in the consensus layer. For example, address validation and the signature algorithm used in transactions are written into the underlying protocol, so they become very hard to change. In addition, the performance of the virtual machines in many public chains is not enough to support flexible deployment of cryptographic primitives. So on such a chain, if the underlying virtual machine does not support a given primitive in advance, it is hard for developers to use any scenario based on that primitive directly.

If you want to change it, the only way is a hard fork!

Take Ethereum as an example. Which cryptographic scenarios are written into Ethereum's consensus layer?

Besides the block hash and the hashing of the Merkle (Patricia) trees, there are transaction signatures and client verification. If anyone wants to change these points, for example replacing Keccak-256 as the hash used for addresses and transaction hashes, or replacing secp256k1 ECDSA as the transaction signature scheme with another signature algorithm, the only way is to propose an EIP (Ethereum Improvement Proposal) and then wait and hope that the proposal is scheduled into a hard fork, because whatever is written into the protocol layer is a rule that every node on the network must follow.

However, a hard fork often takes a very long time. Take EIP 152 as an example: this proposal to add the BLAKE2b compression function F to Ethereum as a precompile was put forward in 2016, but it was not included in an upgrade until Istanbul at the end of 2019. It took three years.

The example of EIP 152 reveals another limitation: on Ethereum it is almost impossible to use cryptographic primitives that the virtual machine does not support natively, because EVM performance is a major constraint and even a simple operation can consume a lot of gas.

Reviewing Ethereum's upgrades confirms this. The commonly used cryptographic primitives are provided to the EVM as precompiled contracts: ecrecover, SHA-256 and RIPEMD-160 have been precompiles since the very first release, Byzantium added modular exponentiation and the alt_bn128 curve operations, and Istanbul added the BLAKE2 F function. Ethereum uses hard forks both to precompile cryptographic primitives and to set the gas price of their operations.

If a precompiled contract is not implemented in the node first, a smart contract that implements the algorithm itself costs so much gas that it cannot be deployed in practice. For example, EIP 196 and EIP 197 were adopted because it was foreseen that on-chain zk-SNARK verification would otherwise need an enormous amount of gas; the elliptic curve operations it needs (point addition and scalar multiplication on alt_bn128, and pairing checks) were therefore built into the EVM as precompiles to save computation cost. So we can say that, apart from the precompiled primitives on Ethereum, other cryptographic algorithms are basically unusable.

The use of these fixed cryptography methods is a great limitation for developers.

Since both transaction signing and client signature verification are written into the consensus layer, verification tools and processes must follow the specified algorithms. On Ethereum, for example, we still have to create a new set of accounts, just as we did with Bitcoin.

For developers who want to deliver a good user experience, this creates many restrictions, and they have to compensate in other ways for the unfriendly experience caused by the rigid infrastructure. For example, after the mnemonic is created, some wallets (such as imToken) let the user unlock with Face ID; in ABC Wallet, users can log in with just a six-digit verification code on their phone, and only export and back up the private key or mnemonic when they really need to.

These are good ways in which developers try to improve the user experience. However, for each new public chain, key-pair management essentially means yet another set of addresses and keys. That problem has always existed.

The inflexibility of these public-private key verification methods may not be obvious on relatively mature public chains such as Bitcoin and Ethereum, because they already have existing users, and those users have endured the friction and gotten used to it. For a recently launched public chain, however, the same entry friction sets up obstacles for users and affects whether developers want to build on that chain at all.

A public chain that imposes learning costs on users has an inherent barrier to acquiring them. Even if such chains have other highlights, they may not be attractive to developers, who know that many users will be scared away by the unfriendly experience.

Moreover, the inflexibility of cryptographic primitives is not only a problem of keeping public and private keys. If developers want to use more advanced cryptographic primitives for privacy and security in the future, they face the challenge that the underlying virtual machine does not support them and the corresponding signature verification cannot be deployed. It also affects the hot topic of cross-chain interoperability, because different chains use different cryptographic primitives. This is why homogeneous cross-chain solutions (Cosmos, Polkadot) are feasible while heterogeneous cross-chain solutions stagnate.

How does the Nervos design differ?

In Nervos CKB, apart from transaction ordering, no cryptographic primitives are hard-coded. Verification of asset ownership is done by the lock script in a cell, and both the verification rules and the cryptographic primitives they use can be customized. Therefore almost any cryptographic primitive can be flexibly used by developers.

To paraphrase Cipher, a researcher at Nervos: "In CKB, apart from the most basic transaction ordering, everything else is application-layer content." This gives developers great flexibility for all kinds of development, such as freer account verification methods.

Because the RISC-V based CKB-VM only requires a set of verification rules compiled to RISC-V code, developers have a lot of room to play. The following figure shows the difference in flexibility between Nervos and other public chains that support smart contracts. The application layer represents content that can be customized, and the protocol layer represents content that can only be changed by forking.


Take Lay2, a Nervos grants team, as an example: why can the PW SDK they developed use an Ethereum address, or even an ENS name, to receive CKB? Because on CKB the address is application-layer content that developers can shape at will. In principle, as long as there is a cell containing the verification rules and the asymmetric-cryptography library, any address-generation rule can be verified. For example, a lock script can verify ECDSA signatures over SHA-256 today, and use SHA-3 or other algorithms in the future.

It is therefore entirely feasible for any developer to add a more advanced cryptographic algorithm as the unlocking rule for their assets on CKB in the future. Anyone can deploy all kinds of cryptographic primitives on CKB, and by optimizing them to save storage space and reduce the cycles needed for verification, they can reduce deployment cost, so that any advanced cryptographic primitive can be used without waiting for a hard fork.

The future of blockchain that may be seen on CKB: a user experience close to the Internet's

With flexible cryptographic primitives, the authentication rules many Internet users are already used to can be written in a form the RISC-V VM can execute and deployed on chain, such as PGP key verification or fingerprint unlocking. If there is an on-chain script corresponding to the authentication standard they use, and a trusted environment that can support this kind of verification, then such convenient usage really becomes possible. Note that the chain itself only ever verifies a signature: a fingerprint never goes on chain, it gates the use of a key held in the device's secure hardware, which is why that trusted environment is a precondition.

If we look at the application layer in the future, there will be more scenarios that will use various algorithms of cryptography.

In the past two years, in the area of layered scaling (layer 2), besides the original Lightning Network, state channels and side-chain solutions, a new cryptographic scaling application has emerged: rollups, which batch many transactions and post them on chain in compressed form, relying on cryptographic proofs or aggregated signatures for verification.

At present, the most popular way to compress transactions in a rollup is with zero-knowledge proofs (ZKP), known as zk-rollups. In the future, if more advanced zero-knowledge proof systems appear for rollups, or other signature aggregation schemes (such as BLS) are used, then on CKB, as long as developers can find a low-cost implementation, CKB-VM can verify them directly without a hard fork, because this does not touch the consensus layer, and CKB-VM is more efficient than the EVM. At present, amby lab is also developing a zero-knowledge proof library for CKB that developers will be able to use in the future.

In addition, because CKB supports flexible cryptographic primitives, it has a greater inherent advantage in cross-chain asset transfer than other public chains: it can verify transactions from different chains, which gives CKB more opportunities to complete heterogeneous cross-chain asset circulation and transfer.

Since Satoshi Nakamoto's Bitcoin white paper, blockchain has been a new technology that can reach and prove consensus with cryptography in a decentralized environment, something that cannot be done on the Internet alone. But to use blockchain at scale, what we need is not to make users compromise on the experience but, as Frank of the Lay2 team said: "We need an infrastructure that is capable of supporting developers to open their doors", so that blockchain does not become the plaything of a few geeks or insiders because of the inflexibility of the underlying infrastructure.

If a public chain can flexibly support various cryptographic primitives, giving developers greater flexibility, then it can skip the slow process of "educating users". Just as with the Internet: although all of us work in the Internet industry, pure end users still do not need to know how many layers the Internet is divided into, or how P2P networks work.

Similarly, pure end users of blockchain do not need to know its underlying details in order to use it. What we need to do is build an infrastructure with an Internet-grade experience and blockchain credentials, plus security and decentralization. Nervos CKB, with its high degree of programming flexibility, is forging ahead on this road.

Thanks to the "County Magistrate" of Lay2, and to Zhipeng and Shidizi of SECBIT, for their opinions on and inspiration for this article.

