Skip to main content

Cryptographic Primitives

Platus uses Baby Jubjub for elliptic curve operations, Poseidon for in-circuit hashing, and hybrid post-quantum encryption combining ECDH with ML-KEM-1024.

Reference: Baby Jubjub Curve Specification

Elliptic Curve

Baby Jubjub Curve

Baby Jubjub is a twisted Edwards curve defined over a prime field Fp\mathbb{F}_p by the equation:

ax2+y2=1+dx2y2a x^2 + y^2 = 1 + d x^2 y^2

Parameters:

  • a=168700a = 168700
  • d=168696d = 168696
  • p=21888242871839275222246405745257275088548364400416034343698204186575808495617p = 21888242871839275222246405745257275088548364400416034343698204186575808495617
  • r=2736030358979909402780800718157159386076813972158567259200215660948447373041r = 2736030358979909402780800718157159386076813972158567259200215660948447373041
  • Curve order: 8r8r (cofactor h = 8)

Baby Jubjub is optimized for zk-SNARKs over BN254. See EIP-2494 for specification.

Point Operations

Points are validated to ensure:

  • They lie on the curve
  • They're in the prime-order subgroup

Serialization is little-endian: 64 bytes = x (32 bytes) || y (32 bytes).

Hash Functions

Poseidon

Used for all in-circuit hashing (commitments, nullifiers).

Constraint cost:

  • ~200 constraints per hash
  • Compare to ~40,000 for SHA-256

Outputs are field elements in Fr\mathbb{F}_r.

SHA-256 / SHA-512

Used outside circuits for:

  • Key derivation (HKDF-SHA256)
  • Nonce generation (SHA-512)
  • Classical cryptographic operations

Authenticated Encryption

Platus uses a Diffie–Hellman–based construction over Baby Jubjub:

  • Root shared key derivation: HKDF-SHA256
  • Authenticated encryption with associated data (AEAD): ChaCha20-Poly1305

For complete details: refer to Post-Quantum Security

Signatures

Schnorr-style signatures over Baby Jubjub with Poseidon challenge

Sign

  1. Derive scalar: s=SHA-512(sk)[0:32]s = \text{SHA-512}(sk)[0:32]

  2. Generate nonce: r=SHA-512(xvm)r = \text{SHA-512}(x \,\|\, v \,\|\, m) where x=SHA-512(sk)[32:64]x = \text{SHA-512}(sk)[32:64] and ( v ) is random.

  3. Compute commitment: R=[r]GR = [r]G

  4. Challenge: c=Poseidon(pk.x,R.x,R.y,m)c = \text{Poseidon}(pk.x, R.x, R.y, m)

  5. Response:z=rscmodrz = r - s c \bmod r

Signature: (c,z)(c, z)

Verify

  1. Compute: R=[z]G+[c]pkR' = [z]G + [c]pk

  2. Check: c=Poseidon(pk.x,R.x,R.y,m)c = \text{Poseidon}(pk.x, R'.x, R'.y, m)

Security Considerations

  • Nonce generation: Each signature uses a fresh nonce derived from SHA-512(x || v || m) where x is deterministic per-key entropy and v is random. This prevents nonce reuse while avoiding pure deterministic schemes vulnerable to fault attacks.

  • Challenge binding: The Poseidon challenge includes the public key, preventing signature reuse across different keys.

  • Scalar field operations: All arithmetic is performed modulo r (scalar field order), not the curve order.

  • Security: The signatures are secure under the assumption that discrete log problems are infeasible in the underlying elliptic curve.