# [Penumbra] Q4 2022 Cryptography Status

We had previously broken up the cryptography work into two subprojects:

* [Finalizing the primitives/keys/addresses](https://github.com/orgs/penumbra-zone/projects/8)
* [Reifying the complete system in zero knowledge](https://github.com/orgs/penumbra-zone/projects/9/views/1)

## Finalizing Primitives

### Current status

* We have finalized the crypto primitives (decaf377, poseidon377)
* We have finalized the key/address derivation
* We have integrated the pieces we need to support FMD in the future (FMD clues are in transactions, etc.)
* We lifted the memo up to the tx level and added another layer of key wrapping to enable this

### Next steps to complete

Symmetric cleanup:

1. [Use rseed mechanism](https://github.com/penumbra-zone/penumbra/issues/1688)
2. [Possibly rework swap encryption](https://github.com/penumbra-zone/penumbra/issues/1747)
3. [Clean up symmetric API](https://github.com/penumbra-zone/penumbra/issues/1716)

Other issues:

* [Review and add tests for fee commitment signs](https://github.com/penumbra-zone/penumbra/issues/1746)
* [Clue parameter selection](https://github.com/penumbra-zone/penumbra/issues/1087)

Open questions:

* Do we need to do some scanning benchmarking for specific devices that will be available at mainnet launch, i.e. iOS devices? This impacts how much additional time should be spent on e.g. FMD.
* For mainnet launch we will not have the iOS app. This is less important for FMD and more for the fee mechanics.

## Reify complete system in zero knowledge

### Current status

Definition of gadget: a reusable bit of circuit functionality.

We have implemented low-level r1cs gadgets for decaf377 and poseidon377.

We've implemented high-level r1cs gadgets for all the functionality we need for the spend and output proofs: value commitment integrity, Merkle path integrity, nullifier integrity, ephemeral public key integrity, checking that generator points are not the identity, and randomized verification key integrity.

![](https://i.imgur.com/EKexzcu.png)

Using the r1cs gadgets above we have Groth16 proofs for spends and outputs, though we are still using the transparent proofs in testnets.

### Goals/Next steps

[Integration work](https://github.com/penumbra-zone/penumbra/issues/711):

* Mechanism for providing (and updating) per-circuit verifying and proving keys to pd and pcli respectively
* Replace transparent spend and output proofs with their ZK versions

Optimization and benchmarking work:

* Constraint benchmarking: how many constraints per high-level gadget?
* [Placeholder] Optimization work on gadgets based on the above benchmarking to reduce prover time (likely this will result in work on the poseidon r1cs impl)
* Documentation: write out all integrity checks in the spec and why they are needed

Reify remaining proofs as the logic is finalized:

* New gadget: check that a position variable (`FpVar`) is within some range (i.e. a block or epoch). Seems very straightforward using [`FpVar::enforce_cmp`](https://docs.rs/ark-r1cs-std/latest/ark_r1cs_std/fields/fp/enum.FpVar.html#method.enforce_cmp): prove that `vote_start_height - note_creation_height` is in the range [0, 2^64) or so. Note that the subtraction happens in the scalar field, so if `note_creation_height` exceeds `vote_start_height` the difference wraps to an element close to the field modulus, which lies outside [0, 2^64) and is rejected; that is exactly the ordering we want, but it relies on the field being much larger than 2^64 and on both heights themselves being constrained to 64 bits.
* [Undelegation](https://github.com/penumbra-zone/penumbra/issues/1090)
* [SwapClaim](https://github.com/penumbra-zone/penumbra/issues/1093)
* [Swap](https://github.com/penumbra-zone/penumbra/issues/1092)
* [Vote](https://github.com/penumbra-zone/penumbra/issues/1095)

[Placeholder for internal and/or external audit]

Final steps prior to mainnet:

* Do the [final setup](https://github.com/penumbra-zone/penumbra/issues/712) based on the powers of tau ceremony

Research tasks:

* Recursion: can we use one level of recursion instead of [SpendN and OutputN](https://github.com/penumbra-zone/penumbra/issues/1503) actions?
* Medium to long term (i.e. post-mainnet): explore the path to migrating to a system with a universal or transparent setup. This would involve rewriting the gadgets above for a PLONKish arithmetization.
* Open question whether we want to migrate to another system given our current team capacity. A lot of optimization work (e.g. implementing custom gates) needs to be done to get proving time down to a reasonable level, plus the proofs will be a lot larger.
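### Added example: range-check gadget over a prime field

The range gadget sketched under "Reify remaining proofs" above, as an added worked example. This is not Penumbra's code and does not use arkworks: it models a toy prime field (p = 2^61 - 1, chosen here so that u64/u128 arithmetic suffices; the real circuits use the BLS12-377 scalar field), an r1cs-style list of constraints evaluated on a concrete witness, and the standard bit-decomposition range gadget (every claimed bit satisfies b * (b - 1) = 0, and the bits recompose to the value). The range width is 32 bits here instead of 64, and all names (`enforce_in_range`, `enforce_geq`, `geq_holds`, `cheating_bits_are_caught`) are assumptions of this example. It shows why range-checking the field difference `a - b` proves `a >= b`: a wrapped subtraction lands near p, which 32 boolean bits can never recompose; it also shows that a non-boolean "bit" is caught by the booleanity constraint, and that the argument only holds when the operands themselves are bounded, which is why the heights must carry their own 64-bit constraint. (For reference, arkworks' `enforce_cmp` additionally constrains both operands to at most (p-1)/2; `enforce_cmp_unchecked` skips that.)

```rust
/// Toy prime field F_p with p = 2^61 - 1 (a Mersenne prime), elements stored as u64.
/// Assumption for this example only: products of two elements fit in u128, so no
/// external field crate is needed. Penumbra's real circuits use the BLS12-377 scalar field.
const P: u64 = (1u64 << 61) - 1;

fn fadd(a: u64, b: u64) -> u64 {
    ((a as u128 + b as u128) % (P as u128)) as u64
}

/// Field subtraction. When a < b the result wraps to p - (b - a), a large element.
fn fsub(a: u64, b: u64) -> u64 {
    fadd(a, P - (b % P))
}

fn fmul(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % (P as u128)) as u64
}

/// One rank-1 constraint, already evaluated on a concrete witness: it holds iff a * b == c.
/// (In arkworks the entries are linear combinations over variables; evaluating them on the
/// witness is enough to see whether the system is satisfiable.)
struct Constraint {
    a: u64,
    b: u64,
    c: u64,
    label: &'static str,
}

#[derive(Default)]
struct ConstraintSystem {
    constraints: Vec<Constraint>,
}

impl ConstraintSystem {
    fn enforce(&mut self, a: u64, b: u64, c: u64, label: &'static str) {
        self.constraints.push(Constraint { a, b, c, label });
    }

    /// Label of the first violated constraint, or None if the system is satisfied.
    fn first_violation(&self) -> Option<&'static str> {
        self.constraints
            .iter()
            .find(|k| fmul(k.a, k.b) != k.c)
            .map(|k| k.label)
    }
}

/// Range gadget: constrain x to [0, 2^n) given a prover-supplied n-bit decomposition.
/// Every claimed bit must satisfy b * (b - 1) == 0 and the bits must recompose to x.
/// Sound only while 2^n is far below p (here n = 32, p ~ 2^61), because a wrapped
/// difference lands near p and can then never recompose from n boolean bits.
fn enforce_in_range(cs: &mut ConstraintSystem, x: u64, claimed_bits: &[u64]) {
    let mut acc = 0u64;
    for (i, &b) in claimed_bits.iter().enumerate() {
        cs.enforce(b, fsub(b, 1), 0, "bit is boolean");
        acc = fadd(acc, fmul(b, 1u64 << i));
    }
    cs.enforce(acc, 1, x, "bits recompose to x");
}

/// Honest prover: decompose the canonical representative of x into its low n bits.
fn decompose(x: u64, n: usize) -> Vec<u64> {
    (0..n).map(|i| (x >> i) & 1).collect()
}

/// Enforce a >= b by range-checking the field difference a - b, as the status note proposes
/// for vote_start_height - note_creation_height (with 2^64 there, 2^32 here).
fn enforce_geq(cs: &mut ConstraintSystem, a: u64, b: u64, n: usize) {
    let diff = fsub(a, b);
    let bits = decompose(diff, n);
    enforce_in_range(cs, diff, &bits);
}

/// Does an honest prover satisfy the "a >= b" system for 32-bit operands?
fn geq_holds(a: u64, b: u64) -> bool {
    let mut cs = ConstraintSystem::default();
    enforce_geq(&mut cs, a, b, 32);
    cs.first_violation().is_none()
}

/// A cheating prover tries to pass x = 2^32 by claiming a non-boolean "bit" of value 2
/// at position 31: the recomposition constraint holds, the booleanity constraint does not.
fn cheating_bits_are_caught() -> Option<&'static str> {
    let x = 1u64 << 32;
    let mut bits = vec![0u64; 32];
    bits[31] = 2;
    let mut cs = ConstraintSystem::default();
    enforce_in_range(&mut cs, x, &bits);
    cs.first_violation()
}

fn main() {
    println!("100 >= 7:  {}", geq_holds(100, 7)); // true
    println!("7 >= 100:  {}", geq_holds(7, 100)); // false: 7 - 100 wraps to p - 93
    println!("2^40 >= 0: {}", geq_holds(1 << 40, 0)); // false: operand exceeds the 32-bit bound
    println!("cheating bits: {:?}", cheating_bits_are_caught()); // Some("bit is boolean")
}
```

The last `main` line is the caveat that matters for the real gadget: `2^40 >= 0` is true as integers, yet the system rejects it because the difference is not representable in the gadget's bit width. In the circuit the heights are therefore only meaningfully compared if each is independently constrained to the same width as the range check.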