Cryptography

PAGE STATUS: early draft

Hashing with BLAKE3

Mosaic uses BLAKE3 run in unkeyed hashing mode, producing a 512-bit digest. The entire digest is used within the EdDSA ed25519 signing algorithm, and a prefix of it is used within the record Id.

Refer to the BLAKE3 GitHub page.

Digital Signature with EdDSA ed25519

We use EdDSA with the ed25519 curve, but in a non-standard way. In particular:

  • We use ed25519ph (the pre-hashed variant), substituting BLAKE3 for SHA-512.
  • We provide a context string of "Mosaic".
  • We require very specific public key and signature validation checks. In particular:
    • Public keys should be rejected if they are one of the 8 small-order points.
    • Signatures must be rejected if s is not within the range 0..L-1.
    • Signatures must be rejected if R or A is non-canonically encoded (e.g. reject when |R| >= L or |A| >= L).
    • Always use cofactored verification (8(S · B) − 8R − 8(h · A) = 0), not the non-cofactored equation, even when not in batch mode.
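The validation checks listed above, as an added pure-Python illustration (standard library only; this is not Mosaic project code and not a complete signature verifier). It builds the blacklist of the 8 small-order point encodings from the curve itself, checks s against L, checks that R and A decode canonically, and compares the cofactored verification equation with the plain one. Assumptions: the canonical-encoding test follows RFC 8032 (the encoded y-coordinate must be below the field prime p and the point must lie on the curve); the BLAKE3 hash step is left out, so the hash value h is passed in as an integer; the function names (validate_public_key, validate_signature_encoding, verify_equation, cofactor_demo, find_torsion_generator) and the secret, nonce and hash scalars in cofactor_demo are constructed for this example.

```python
# Added illustration (pure Python, standard library only); not Mosaic code.
# Ed25519 field/group constants (RFC 8032).
P = 2**255 - 19                                      # field prime p
L = 2**252 + 27742317777372353535851937790883648493   # prime group order L
D = (-121665 * pow(121666, P - 2, P)) % P             # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                     # a square root of -1 mod p
IDENTITY = (0, 1)                                     # neutral element (affine)

def inv(x):
    return pow(x, P - 2, P)

def add(p1, p2):
    """Complete affine addition on the twisted Edwards curve (a = -1)."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustration; not constant time)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def decompress(enc):
    """RFC 8032 decoding. Returns None for a wrong length, a non-canonical y
    (y >= p), a point not on the curve, or x = 0 with the sign bit set."""
    if len(enc) != 32:
        return None
    y = int.from_bytes(enc, "little") & ((1 << 255) - 1)
    sign = enc[31] >> 7
    if y >= P:
        return None
    xx = (y * y - 1) * inv(D * y * y + 1) % P       # x^2 = (y^2 - 1)/(d y^2 + 1)
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * SQRT_M1 % P
    if (x * x - xx) % P or (x == 0 and sign):
        return None
    return (P - x if (x & 1) != sign else x, y)

def compress(pt):
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

B = decompress((4 * inv(5) % P).to_bytes(32, "little"))  # base point: y = 4/5, even x

def find_torsion_generator():
    """L*Q lies in the 8-element torsion subgroup for any curve point Q; scan
    small y values until that multiple has order exactly 8 (4*T != identity)."""
    y = 2
    while True:
        q = decompress(y.to_bytes(32, "little"))
        if q is not None:
            t = mul(L, q)
            if mul(4, t) != IDENTITY:
                return t
        y += 1

T8 = find_torsion_generator()
# Canonical encodings of all 8 small-order points: the public-key blacklist.
SMALL_ORDER = frozenset(compress(mul(k, T8)) for k in range(8))

def validate_public_key(a_enc):
    """Reject non-canonical, off-curve and small-order public keys A."""
    return decompress(a_enc) is not None and a_enc not in SMALL_ORDER

def validate_signature_encoding(sig):
    """Reject s outside 0..L-1 and non-canonical R (64-byte sig = R || s)."""
    if len(sig) != 64:
        return False
    s = int.from_bytes(sig[32:], "little")
    return s < L and decompress(sig[:32]) is not None

def verify_equation(R, s, h, A, cofactor=True):
    """Cofactored check 8(s*B) - 8R - 8(h*A) == 0, or the plain equation when
    cofactor=False. h is the integer hash value; hashing is out of scope here."""
    lhs, rhs = mul(s, B), add(R, mul(h, A))
    if cofactor:
        lhs, rhs = mul(8, lhs), mul(8, rhs)
    return lhs == rhs

def cofactor_demo():
    """Constructed scalars. A valid (R, s) over A passes both equations; the same
    (R, s) over the torsion-tweaked key A + T8 passes only the cofactored one,
    which is why all verifiers must agree on the cofactored form."""
    a, r, h = 0x1234567890ABCDEF1234567890ABCDEF, 0x0FEDCBA987654321, 424242
    A, R = mul(a, B), mul(r, B)
    s = (r + h * a) % L
    A_tweaked = add(A, T8)                           # h % 8 != 0, so h*T8 != identity
    return (verify_equation(R, s, h, A), verify_equation(R, s, h, A, False),
            verify_equation(R, s, h, A_tweaked), verify_equation(R, s, h, A_tweaked, False))
```

Calling cofactor_demo() returns (True, True, True, False): the honest key passes both forms, while the key with a torsion component passes the cofactored equation and fails the plain one. A public key such as A + T8 is not itself small-order, so the blacklist in validate_public_key does not catch it; only a consistent choice of the cofactored equation keeps every verifier reaching the same accept/reject decision.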

Encryption

Encryption is NOT YET DEFINED at the Mosaic Core level, but may be in the future.

Notes on how we might do it:

  • Use ECIES.
  • Do the Diffie-Hellman between:
    • an ephemeral keypair generated by the sender and used only once, and
    • one of the recipient's x25519 public keys (published in their key schedule), which is not ephemeral but may nonetheless be frequently rolled over by the recipient.

For a user to decrypt on any of their devices, the secret key corresponding to the x25519 public key must be shared with all of their devices. To preserve signing security, these keys are kept separate from the ed25519 signing keys. See keyschedule marker 0x2.

See also this page at cryptosys.net