Cryptographic Assumptions
Every cryptographic system relies on assumptions — mathematical problems believed to be hard, security parameters believed to be sufficient, and construction properties believed to hold. This page enumerates the specific assumptions underlying Specter's data privacy protocol, their strength, and their known vulnerabilities.
If any of these assumptions is broken, the corresponding protocol component fails. Understanding which assumptions support which components is essential for evaluating the protocol's security posture and planning migration paths.
BN254 Elliptic Curve
The BN254 curve (also known as alt-bn128 or bn256) is the elliptic curve used for all Groth16 proof generation and verification in Specter. It was chosen because it is the curve supported by Ethereum's ecPairing precompile (0x08), enabling efficient on-chain proof verification.
Security Level
BN254 provides approximately 100-110 bits of security against classical attacks (revised downward from the original 128-bit estimate due to advances in the Number Field Sieve for computing discrete logarithms on pairing-friendly curves). For practical purposes, this remains computationally infeasible for classical adversaries.
Hardness Assumptions
| Assumption | Description | Used For |
|---|---|---|
| Elliptic Curve Discrete Log (ECDLP) | Given points P and Q = kP, computing k is infeasible | Foundation of all BN254-based cryptography |
| Decisional Linear (DLIN) | Given (P, aP, bP, cP), deciding if c = a+b is infeasible | Bilinear pairing security |
| Bilinear Diffie-Hellman (BDH) | Computing e(P,Q)^{abc} from (aP, bQ, cP) is infeasible | Pairing-based proof verification |
| Knowledge of Exponent (KEA) | An adversary that outputs (C, Y) where Y = xC must "know" x | Groth16 soundness (extractability) |
Quantum Vulnerability
BN254 is vulnerable to Shor's algorithm on a sufficiently large quantum computer. Shor's algorithm solves the elliptic curve discrete log problem in polynomial time, which would break:
- Groth16 proof soundness (an adversary could forge proofs)
- ECDH key agreement in the stealth address system
- Any scheme relying on the hardness of ECDLP on BN254
Specter's quantum commitment layer (Keccak-256 based) provides a defense-in-depth layer against this future threat. See the Threat Model for details.
Migration Path
If BN254 security is deemed insufficient (either due to quantum advances or classical cryptanalysis improvements), the protocol can migrate to:
- BLS12-381: ~120-bit security, widely supported, already used in Ethereum 2.0
- BW6-761: ~128-bit security, supports efficient proof composition
- Lattice-based curves: Full quantum resistance (research stage)
Groth16 Proof System
Groth16 is the zero-knowledge proof system used for all commit-reveal proofs in Specter. It was chosen for its minimal proof size (3 group elements, ~128 bytes) and fast verification (a single pairing check).
Soundness Assumptions
| Assumption | Description | Implication if Broken |
|---|---|---|
| q-Power Knowledge of Exponent (q-PKE) | An adversary given powers of a secret s in both source groups must "know" the polynomial it computes | Adversary could forge proofs without knowing the witness |
| q-Strong Diffie-Hellman (q-SDH) | Computing (c, g^{1/(s+c)}) from (g, g^s, g^{s^2}, ..., g^{s^q}) is infeasible | Adversary could produce valid-looking proofs for false statements |
| Generic Group Model (GGM) | Adversary interacts with group elements only via generic operations | Model-dependent; real-world attacks may exploit algebraic structure |
Trusted Setup Requirement
Groth16 requires a circuit-specific trusted setup ceremony that generates a structured reference string (SRS). The setup produces:
- A proving key (used to generate proofs)
- A verification key (used to verify proofs on-chain)
- Toxic waste (secret randomness that MUST be destroyed)
If the toxic waste is not destroyed — if any single participant in the ceremony retains their contribution — they can forge proofs for any statement. This is the most critical trust assumption in the protocol.
Mitigation: Multi-party computation (MPC) ceremonies ensure that the toxic waste is destroyed as long as at least one participant is honest and destroys their randomness. Specter's Phase 2 roadmap includes a public MPC ceremony. See Trusted Setup for full details.
Proof Properties
| Property | Guarantee | Assumption |
|---|---|---|
| Completeness | An honest prover with a valid witness always produces an accepted proof | None (information-theoretic) |
| Soundness | No polynomial-time adversary can produce a proof for a false statement | q-PKE, q-SDH |
| Zero-Knowledge | The proof reveals nothing about the witness beyond the statement's truth | Simulation-based; holds in the random oracle model |
| Succinctness | Proof size is constant (3 group elements) regardless of circuit size | By construction |
Poseidon Hash Function
Poseidon is the algebraic hash function used for all commitment hashes, nullifier derivations, Merkle tree nodes, access tags, and token identifiers in Specter.
Security Model
Poseidon is designed to be secure as a collision-resistant hash function and pseudorandom function over the BN254 scalar field. Its security relies on the algebraic hardness of the underlying permutation.
Attack Resistance
| Attack Class | Description | Poseidon Defense |
|---|---|---|
| Gröbner basis attacks | Solve the polynomial system representing the hash | Full rounds ensure high algebraic degree (degree 5^R after R rounds) |
| Interpolation attacks | Recover the permutation polynomial via interpolation | Requires degree > field size; conservative round count prevents this |
| Differential cryptanalysis | Exploit input-output differential patterns | Wide trail strategy in the linear layer; analyzed bounds on differential probability |
| Linear cryptanalysis | Exploit linear approximations of the S-box | S-box x^5 has optimal nonlinearity over prime fields |
| Algebraic attacks | Exploit the low-degree S-box structure | Partial rounds add non-uniform structure; full rounds dominate security margin |
Round Structure
Poseidon uses a combination of full rounds and partial rounds:
- Full rounds (R_F): Every state element passes through the S-box (x^5). Provides security against statistical attacks.
- Partial rounds (R_P): Only one state element passes through the S-box. Provides security against algebraic attacks at lower cost.
The parameters used in Specter (e.g., t=5, R_F=8, R_P=57 for 4-input Poseidon) provide a security margin of ~2x over the minimum rounds required by the original Poseidon paper's security analysis.
Assumption Summary
The security of Poseidon assumes that the algebraic degree of the round function grows exponentially with the number of rounds, making it infeasible to solve the resulting polynomial system. This is a relatively new assumption compared to SHA-256 or Keccak — Poseidon has been analyzed since 2019, while SHA-256 has been analyzed since 2001. The conservative parameter choices are designed to account for this shorter analysis history.
Keccak-256
Keccak-256 (the algorithm underlying SHA-3) is used in Specter's quantum commitment layer. When a commitment is created, a Keccak-256 hash of the commitment data is also stored. This provides a post-quantum binding guarantee.
Security Properties
| Property | Classical Security | Post-Quantum Security |
|---|---|---|
| Collision resistance | 128 bits | 128 bits (Grover's provides no advantage for collision search) |
| Preimage resistance | 256 bits | 128 bits (Grover's algorithm halves the security) |
| Second preimage resistance | 256 bits | 128 bits |
Why Keccak-256 for Quantum Defense?
Keccak-256 is a symmetric primitive — its security is based on the combinatorial structure of the sponge construction, not on any algebraic hardness assumption. Quantum computers provide only a quadratic speedup (Grover's algorithm) against symmetric primitives, reducing 256-bit security to 128-bit — still computationally infeasible.
By contrast, BN254 and Groth16 rely on the elliptic curve discrete log problem, which Shor's algorithm solves in polynomial time. The Keccak-256 quantum commitment layer ensures that even if BN254 is broken, the commitment binding property remains intact.
AES-256-GCM
AES-256-GCM is used for passphrase encryption of Phantom Keys and Phantom Identities at rest. When a user encrypts a Phantom Identity PNG or a Phantom Key with a passphrase, the underlying secrets are encrypted with AES-256-GCM.
Security Properties
| Property | Value |
|---|---|
| Key size | 256 bits |
| Classical security | 256 bits |
| Post-quantum security | 128 bits (Grover's algorithm) |
| Mode | Galois/Counter Mode (authenticated encryption) |
| Nonce | 96-bit random nonce per encryption |
| Authentication | 128-bit authentication tag (integrity + authenticity) |
AES-256-GCM provides authenticated encryption — it guarantees both confidentiality (an attacker cannot read the plaintext) and integrity (an attacker cannot modify the ciphertext without detection). This is critical for Phantom Identity PNGs, where a modified ciphertext could cause the user to recover a wrong private key.
PBKDF2-SHA256
PBKDF2-SHA256 derives the AES-256 encryption key from the user's passphrase. It is a key derivation function designed to be deliberately slow, making brute-force passphrase guessing expensive.
Parameters
| Parameter | Value | Rationale |
|---|---|---|
| Hash function | SHA-256 | Widely analyzed, conservative choice |
| Iteration count | 100,000 | ~100ms on modern hardware per guess |
| Salt | 128-bit random | Prevents rainbow table attacks |
| Output | 256-bit key | Matches AES-256 key size |
Brute-Force Resistance
At 100,000 iterations, a single passphrase guess costs approximately 100ms on a modern CPU. An attacker trying 10 billion passphrases per second on specialized hardware faces:
| Passphrase Entropy | Guesses Required | Time at 10^10 guesses/sec |
|---|---|---|
| 40 bits | ~10^12 | ~100 seconds |
| 60 bits | ~10^18 | ~3 years |
| 80 bits | ~10^24 | ~3 million years |
| 128 bits | ~10^38 | Heat death of the universe |
Recommendation: Passphrases should have at least 60 bits of entropy (approximately 5 random words from a large dictionary) for meaningful security.
Migration Consideration
PBKDF2 is a conservative choice but is less resistant to GPU/ASIC acceleration than memory-hard KDFs like Argon2id. A future protocol version may migrate to Argon2id for stronger brute-force resistance.
Assumption Dependency Map
The following diagram shows which protocol components depend on which cryptographic assumptions:
If ECDLP on BN254 is broken (e.g., by quantum computers), Groth16 proofs and stealth addresses fail, but commitments (Poseidon), the quantum layer (Keccak), and encryption (AES) remain secure. This is the foundation of Specter's defense-in-depth strategy.