Cryptography Overview

This section provides a brief overview the cryptographic identities and protocols we use

Introduction

This section provides definition of common cryptography terms used through the ARK Ecosystem product landscape. You will learn the importance of your passphrase and how it translates to private key, public key and wallet address generation. We also explain some common encryption algorithms and encoding protocols.

Passphrase

The passphrase is the master password (key) for your ARK tokens. Every ARK address has its own unique passphrase. With the passphrase you can sign transactions to send your ARK or vote for a delegate.

Do not lose it, and do not share it with others, or you could lose access to your ARK tokens. If you lose your passphrase, or if it is stolen, there is nothing we can do to help you. We CANNOT recover any lost passphrases.

A passphrase is a "key to the castle." It is used to directly calculate the PrivateKey of an ARK account and should never be shared, stored irresponsibly, or transmitted over the internet. The only person that should ever have access to a passphrase is the owner of its account.

We can technically use any word, phrase, or string as a passphrase which will result in a valid ARK Address or Wallet; however, it is heavily discouraged as the security of an address relies on the randomness of its Passphrase. Humans are bad at creating randomness, and entering sequences of random letters and numbers isn't easy to do accurately.

To promote usability while also maintaining security, ARK passphrases are implemented using the BIP39 Protocol. Simply, it's a mnemonic sentence constructed via randomly chosen words from a large wordlist. From here, that sentence or "Passphrase" is piped through a series of hashing, curve, and encoding algorithms to derive a PrivateKey / WIF, a PublicKey, and subsequently Addresses / Wallets and Signatures.

Cryptography overview

The following examples will be using test-fixtures from the ARK Core repo on GitHub.

Identities Test Fixtures:

{
"data": {
"privateKey": "d8839c2432bfd0a67ef10a804ba991eabba19f154a3d707917681d45822a5712",
"publicKey": "034151a3ec46b5670a682b0a63394f863587d1bc97483b1b6c70eb58e7f0aed192",
"address": "D61mfSggzbvQgTUe6JhYKH2doHaqJ3Dyib",
"wif": "SGq4xLgZKCGxs7bjmwnBrWcT4C1ADFEermj846KC97FSv1WFD1dA"
},
"passphrase": "this is a top secret passphrase"
}

Message Test Fixtures:

const fixture = {
data: {
publicKey:
"034151a3ec46b5670a682b0a63394f863587d1bc97483b1b6c70eb58e7f0aed192",
signature:
"304402200fb4adddd1f1d652b544ea6ab62828a0a65b712ed447e2538db0caebfa68929e02205ecb2e1c63b29879c2ecf1255db506d671c8b3fa6017f67cfd1bf07e6edd1cc8",
message: "Hello World"
},
passphrase: "this is a top secret passphrase"
};

To learn more about randomness, visit the Wiki's on Randomness and Random Number Generation

PrivateKey

A PrivateKey is a 256-bit integer represented by a 32-byte Hex-encoded string of 64 characters obtained via SHA256 hashing of a Passphrase.

PrivateKey Generation Steps

To understand the significance of this large number, consider the following:

Passphrase:

"this is a top secret passphrase"

PrivateKey HEX (base 16) / SHA256 of Passphrase:

d8839c2432bfd0a67ef10a804ba991eabba19f154a3d707917681d45822a5712

PrivateKey DEC(base 10 encoded):

97932109907804210295451942024598204992707895659209392543371974078748689061650

The DEC representation is the "base 10" interpretation of our PrivateKey and gives us a little insight into the size of the numbers we're dealing with "under the hood". This large integer is also referred to as a "BigNumber" or UINT256.

WIF (PrivateKey)

WIF stands for "Wallet Import Format", and is a BASE58-encoded PrivateKey prepended by a network prefix-byte (0xaa for ARK Mainnet & Devnet Network).

WIF Encoding

It's essentially a more useable/human-readable PrivateKey and should be treated with the same diligence with regards to storage and security.

PublicKey

A PublicKey is like an ID or Passport. It is a mathematical proof of identity and is derived from a PrivateKey via ECDSA and SECP256K1 computation.

PublicKey Generation Steps

ARK also uses "Point Compression" to obtain compressed PublicKeys that are 33-bytes in length.

Address / Wallet

An ARK address is shareable much like an e-mail address. It is the destination to which ARK tokens can be sent, and is obtained from a PublicKey via a combination of RIPEMD160 hashing and Base58Check encoding prefixed by a single network byte.

Since an address is derived from a PublicKey, that means it is also mathematically tied to a PrivateKey and Passphrase.

ARK Address Generation Steps

Network Prefixes

Network

dec

hex

Prefix

Example address

Mainnet

30

0x17

A

AewxfHQobSc49a4radHp74JZCGP8LRe4xA

Devnet

23

0x1E

D

D61mfSggzbvQgTUe6JhYKH2doHaqJ3Dyib

Address Prefix Table

The following is a full prefix-byte table for custom Address construction and is provided for informational purposes. While this would not be used for ARK Mainnet or Devnet, it CAN be used for custom networks.

dec

hex

Prefix

0

0x00

1

1

0x01

Q-Z, a-k, m-o

2

0x02

o-z, or 2

3

0x03

2

4

0x04

2 or 3

5 - 6

0x05 - 0x06

3

7

0x07

3 or 4

8

0x08

4

9

0x09

4 or 5

10 - 11

0x0A - 0x0B

5

12

0x0C

5 or 6

13

0x0D

6

14

0xE

6 or 7

15 - 16

0x0F - 0x10

7

17

0x11

7 or 8

18

0x12

8

19

0x13

8 or 9

20 -21

0x14 - 0x15

9

22

0x16

9 or A

23

0x17

A

24

0x18

A or B

25 - 26

0x19 - 0x1A

B

27

0x1B

B or C

28

0x1C

C

29

0x1D

C or D

30 - 31

0x1E - 0x1F

D

32

0x20

D or E

33

0x21

E

34

0x22

E or F"

35 - 36

0x23 - 0x24

F

37

0x25

F or G

38

0x26

G

39

0x27

G or H

40 - 41

0x28 - 0x29

H

42

0x2A

H or J

43

0x2B

J

44

0x2C

J or K

45 - 46

0x2D - 0x2E

K

47

0x2F

K or L

48

0x30

L

49

0x31

L or M

50 - 51

0x32 - 0x33

M

52

0x34

M or N

53

0x35

N

54

0x36

N or P

55 - 56

0x37 - 0x38

P

57

0x39

P or Q

58

0x3A

Q

59

0x3B

Q or R

60 - 61

0x3C - 0x3D

R

62

0x3E

R or S

63

0x3F

S

64

0x40

S or T

65 - 66

0x41 - 0x42

T

67

0x43

T or U

68

0x44

U

69

0x45

U or V

70 - 71

0x46 - 0x47

V

72

0x48

V or W

73

0x49

W

74

0x4A

W or X

75 - 76

0x4B - 0x4C

X

77

0x4D

X or Y

78

0x4E

Y

79

0x4F

Y or Z

80 - 81

0x50 - 0x51

Z

82

0x52

Z ora

83

0x53

a

84

0x54

a or b

85

0x55

b

86

0x56

b or c

87 - 88

0x57 - 0x58

c

89

0x59

c or d

90

0x5A

d

91

0x5B

d or e

92 - 93

0x5C - 0x5D

e

94

0x5E

e or f

95

0x5F

f

96

0x60

f or g

97 - 98

0x61 - 0x62

g

99

0x63

g or h

100

0x64

h

101

0x65

h or i

102 - 103

0x66 - 0x67

i

104

0x68

i or j

105

0x69

j

106

0x6A

j or k

107 - 108

0x6B - 0x6C

k

109

0x6D

k or m

110

0x6E

m

111

0x6F

m or n

112 - 113

0x70 - 0x71

n

114

0x72

n or o

115

0x73

o

116

0x74

o or p

117 - 118

0x75 - 0x76

p

119

0x77

p or q

120

0x78

q

121

0x79

q or r

122 - 123

0x7A

r

124

0x7B

r or s

125

0x7C

s

126

0x7D

s or t

127 - 128

0x7F - 0x80

t

129

0x81

t or u

130

0x82

u

131

0x83

u or v

132 - 133

0x84 - 0x85

v

134

0x86

v or w

135

0x87

w

136

0x88

w or x

137 - 138

0x89 - 0x8A

x

139

0x8B

x or y

140

0x8C

y

141

0x8D

y or z

142 - 143

0x8E - 0x8F

z

144

0x90

z or 2

145 - 255

0x91 - 0xFF

2

Adapted from: https://en.bitcoin.it/wiki/List_of_address_prefixes

Signature

A Signature is essentially proof that a message or transaction was "signed" by a particular PrivateKey / Passphrase.

Remember that this same PrivateKey also has a matching PublicKey. That means a Signature is computationally linked to its corresponding PublicKey using ECDSA and SECP256K1 standards.

Signing Process Example

ARK Signatures use DER Encoding.

Algorithms

ECDSA

ECDSA is a "Digital Signature Algorithm" variant based on and "Modular Arithmetic".

It is a standard to sign and verify transactions/messages and Signatures using Elliptical Curve Cryptography.

ECDSA Equation

y2 = x3 + ax + b

SECP256K1

SECP256K1 defines the set of ECDSA parameters used to produce output "deterministically", meaning the same input will always result in the same output. Additionally, no two inputs will ever produce the same output; It is also hard to reverse. This is known as the Discrete Logarithm Problem and is the basis for Curve Cryptography.

Curve Parameters

a = 0

b = 7

SECP256K1 Equation

y2 = x3 + (0)x + (7)

y2 = x3 + 7

Can the reader say what two numbers multiplied together will produce the number 8616460799? I think it unlikely that anyone but myself will ever know.

~ William S Jevons, The Principles of Science, 1874

Encoding

DER

An ARK Signature is DER Encoded using BIP66 standards.

Upon obtaining a Signature from the ECDSA/SECP256K1 algorithm, it will first be in its raw form known as an "r" and "s" value.

Signature: DER (X.690 : ASN.1) Encoding

Signature (r, s):

(0fb4adddd1f1d652b544ea6ab62828a0a65b712ed447e2538db0caebfa68929e, 5ecb2e1c63b29879c2ecf1255db506d671c8b3fa6017f67cfd1bf07e6edd1cc8)

In our example, the "r" and "s" values are each 32-bytes in length. Each of the "r" and "s" sequence identifiers are also 1-byte in length. Additionally, the slots for the size of "r" and "s" each occupy 1-byte.

This means that the length of the "r" and "s" values is 64-bytes. The (r,s) section identifiers and their sizes occupy a total of 4-bytes.

The total length of our signature is 68-bytes (0x44 in hex).

Identifier

Size (dec)

Size (hex)

r sequence

1

0x1

r size

1

0x1

r-value:

32

0x20

s sequence

1

0x1

s size

1

0x1

s-value

32

0x20

total length

68

0x44

The very first byte of an encoded signature is the sequence identifier 30.

To encode the (r, s) values, we place 30 as the leading byte, followed by the total signature length (0x44 in this example).

We then place the sequence identifier for "r" (02), proceeded by the size of "r" in hex (0x20), proceeded by the r-value itself (0fb4adddd1f1d652b544ea6ab62828a0a65b712ed447e2538db0caebfa68929e).

Finally, we place the sequence identifier for "s" (02), proceeded by the size of "s" in hex (0x20), proceeded by the s-value itself (5ecb2e1c63b29879c2ecf1255db506d671c8b3fa6017f67cfd1bf07e6edd1cc8).

DER Encoded Signature:

304402200fb4adddd1f1d652b544ea6ab62828a0a65b712ed447e2538db0caebfa68929e02205ecb2e1c63b29879c2ecf1255db506d671c8b3fa6017f67cfd1bf07e6edd1cc8

BASE58check

Base58Check encoding is used to produce human readable/typeable text from a hash.

It is used to encode a PrivateKey and is also the final step to encoding an ARK address.

Hashing

RIPEMD160

RIPEMD160 is a subset of the RIPEMD family of cryptographic hash functions.

As its name suggests, RIPEMD160 hashes are 160-bits in length.

SHA256

SHA256 is a subset of the SHA-2 family of cryptographic hash functions.

As its name suggests, SHA256 hashes are 256-bits in length.