Cryptography Overview


This section provides definition of common cryptography terms used through the ARK Ecosystem product landscape. You will learn the importance of your passphrase and how it translates to private key, public key and wallet address generation. We also explain some common encryption algorithms and encoding protocols.



The passphrase is the master password (key) for your ARK tokens. Every ARK address has its own unique passphrase. With the passphrase you can sign transactions to send your ARK or vote for a delegate.

Do not lose it, and do not share it with others, or you could lose access to your ARK tokens. If you lose your passphrase, or if it is stolen, there is nothing we can do to help you. We CANNOT recover any lost passphrases.

A passphrase is a “key to the castle.” It is used to directly calculate the PrivateKey of an ARK account and should never be shared, stored irresponsibly, or transmitted over the internet. The only person that should ever have access to a passphrase is the owner of its account.

We can technically use any word, phrase, or string as a passphrase which will result in a valid ARK Address or Wallet; however, it is heavily discouraged as the security of an address relies on the randomness of its Passphrase. Humans are bad at creating randomness, and entering sequences of random letters and numbers isn’t easy to do accurately.

To promote usability while also maintaining security, ARK passphrases are implemented using the BIP39 Protocol . Simply, it’s a mnemonic sentence constructed via randomly chosen words from a large wordlist . From here, that sentence or “Passphrase” is piped through a series of hashing, curve, and encoding algorithms to derive a PrivateKey / WIF, a PublicKey, and subsequently Addresses / Wallets and Signatures.

Cryptography overviewCryptography overview

The following examples will be using test-fixtures from the ARK Core repo on GitHub .

Identities Test Fixtures:

2 "data": {
3 "privateKey": "d8839c2432bfd0a67ef10a804ba991eabba19f154a3d707917681d45822a5712",
4 "publicKey": "034151a3ec46b5670a682b0a63394f863587d1bc97483b1b6c70eb58e7f0aed192",
5 "address": "D61mfSggzbvQgTUe6JhYKH2doHaqJ3Dyib",
6 "wif": "SGq4xLgZKCGxs7bjmwnBrWcT4C1ADFEermj846KC97FSv1WFD1dA"
7 },
8 "passphrase": "this is a top secret passphrase"

Message Test Fixtures:

1const fixture = {
2 data: {
3 publicKey:
4 "034151a3ec46b5670a682b0a63394f863587d1bc97483b1b6c70eb58e7f0aed192",
5 signature:
6 "304402200fb4adddd1f1d652b544ea6ab62828a0a65b712ed447e2538db0caebfa68929e02205ecb2e1c63b29879c2ecf1255db506d671c8b3fa6017f67cfd1bf07e6edd1cc8",
7 message: "Hello World"
8 },
9 passphrase: "this is a top secret passphrase"

To learn more about randomness, visit the Wiki’s on Randomness and Random Number Generation


A PrivateKey is a 256-bit integer represented by a 32-byte Hex-encoded string of 64 characters obtained via SHA256 hashing of a Passphrase.

PrivateKey Generation StepsPrivateKey Generation Steps

To understand the significance of this large number, consider the following:


1"this is a top secret passphrase"

PrivateKey HEX (base 16) / SHA256 of Passphrase:


PrivateKey DEC(base 10 encoded):


The DEC representation is the “base 10” interpretation of our PrivateKey and gives us a little insight into the size of the numbers we’re dealing with “under the hood”. This large integer is also referred to as a “BigNumber” or UINT256.

WIF (PrivateKey)

WIF stands for “Wallet Import Format”, and is a BASE58-encoded PrivateKey prepended by a network prefix-byte (0xaa for ARK Mainnet & Devnet Network). The compression byte indicates that ARK uses compressed PublicKeys.

WIF EncodingWIF Encoding

It’s essentially a more usable/human-readable PrivateKey and should be treated with the same diligence with regards to storage and security.


A PublicKey is like an ID or Passport. It is a mathematical proof of identity and is derived from a PrivateKey via ECDSA and SECP256K1 computation.

PublicKey Generation StepsPublicKey Generation Steps

ARK also uses “Point Compression” to obtain compressed PublicKeys that are 33-bytes in length.

Address / Wallet

An ARK address is shareable much like an e-mail address. It is the destination to which ARK tokens can be sent, and is obtained from a PublicKey via a combination of RIPEMD160 hashing and Base58Check encoding prefixed by a single network byte.

Since an address is derived from a PublicKey, that means it is also mathematically tied to a PrivateKey and Passphrase.

ARK Address Generation StepsARK Address Generation Steps

Network Prefixes

Network dec hex Prefix Example address
Mainnet 23 0x17 A AewxfHQobSc49a4radHp74JZCGP8LRe4xA
Devnet 30 0x1E D D61mfSggzbvQgTUe6JhYKH2doHaqJ3Dyib

Address Prefix Table

The following is a full prefix-byte table for custom Address construction and is provided for informational purposes. While this would not be used for ARK Mainnet or Devnet, it CAN be used for custom networks.

dec hex Prefix
0 0x00 1
1 0x01 Q-Z, a-k, m-o
2 0x02 o-z, or 2
3 0x03 2
4 0x04 2 or 3
5 - 6 0x05 - 0x06 3
7 0x07 3 or 4
8 0x08 4
9 0x09 4 or 5
10 - 11 0x0A - 0x0B 5
12 0x0C 5 or 6
13 0x0D 6
14 0xE 6 or 7
15 - 16 0x0F - 0x10 7
17 0x11 7 or 8
18 0x12 8
19 0x13 8 or 9
20 -21 0x14 - 0x15 9
22 0x16 9 or A
23 0x17 A
24 0x18 A or B
25 - 26 0x19 - 0x1A B
27 0x1B B or C
28 0x1C C
29 0x1D C or D
30 - 31 0x1E - 0x1F D
32 0x20 D or E
33 0x21 E
34 0x22 E or F"
35 - 36 0x23 - 0x24 F
37 0x25 F or G
38 0x26 G
39 0x27 G or H
40 - 41 0x28 - 0x29 H
42 0x2A H or J
43 0x2B J
44 0x2C J or K
45 - 46 0x2D - 0x2E K
47 0x2F K or L
48 0x30 L
49 0x31 L or M
50 - 51 0x32 - 0x33 M
52 0x34 M or N
53 0x35 N
54 0x36 N or P
55 - 56 0x37 - 0x38 P
57 0x39 P or Q
58 0x3A Q
59 0x3B Q or R
60 - 61 0x3C - 0x3D R
62 0x3E R or S
63 0x3F S
64 0x40 S or T
65 - 66 0x41 - 0x42 T
67 0x43 T or U
68 0x44 U
69 0x45 U or V
70 - 71 0x46 - 0x47 V
72 0x48 V or W
73 0x49 W
74 0x4A W or X
75 - 76 0x4B - 0x4C X
77 0x4D X or Y
78 0x4E Y
79 0x4F Y or Z
80 - 81 0x50 - 0x51 Z
82 0x52 Z ora
83 0x53 a
84 0x54 a or b
85 0x55 b
86 0x56 b or c
87 - 88 0x57 - 0x58 c
89 0x59 c or d
90 0x5A d
91 0x5B d or e
92 - 93 0x5C - 0x5D e
94 0x5E e or f
95 0x5F f
96 0x60 f or g
97 - 98 0x61 - 0x62 g
99 0x63 g or h
100 0x64 h
101 0x65 h or i
102 - 103 0x66 - 0x67 i
104 0x68 i or j
105 0x69 j
106 0x6A j or k
107 - 108 0x6B - 0x6C k
109 0x6D k or m
110 0x6E m
111 0x6F m or n
112 - 113 0x70 - 0x71 n
114 0x72 n or o
115 0x73 o
116 0x74 o or p
117 - 118 0x75 - 0x76 p
119 0x77 p or q
120 0x78 q
121 0x79 q or r
122 - 123 0x7A r
124 0x7B r or s
125 0x7C s
126 0x7D s or t
127 - 128 0x7F - 0x80 t
129 0x81 t or u
130 0x82 u
131 0x83 u or v
132 - 133 0x84 - 0x85 v
134 0x86 v or w
135 0x87 w
136 0x88 w or x
137 - 138 0x89 - 0x8A x
139 0x8B x or y
140 0x8C y
141 0x8D y or z
142 - 143 0x8E - 0x8F z
144 0x90 z or 2
145 - 255 0x91 - 0xFF 2

Adapted from:


A Signature is essentially proof that a message or transaction was “signed” by a particular PrivateKey / Passphrase.

Remember that this same PrivateKey also has a matching PublicKey. That means a Signature is computationally linked to its corresponding PublicKey using ECDSA and SECP256K1 standards.

Signing Process ExampleSigning Process Example

ARK Signatures use DER Encoding.



ECDSA is a “Digital Signature Algorithm” variant based on and “Modular Arithmetic” .

It is a standard to sign and verify transactions/messages and Signatures using Elliptical Curve Cryptography .

ECDSA Equation
y2 = x3 + ax + b


SECP256K1 defines the set of ECDSA parameters used to produce output “deterministically”, meaning the same input will always result in the same output. Additionally, no two inputs will ever produce the same output; It is also hard to reverse. This is known as the Discrete Logarithm Problem and is the basis for Curve Cryptography.

Curve Parameters
a = 0
b = 7
SECP256K1 Equation
y2 = x3 + (0)x + (7)
y2 = x3 + 7

Can the reader say what two numbers multiplied together will produce the number 8616460799? I think it unlikely that anyone but myself will ever know.

~ William S Jevons, The Principles of Science, 1874



An ARK Signature is DER Encoded using BIP66 standards.

Upon obtaining a Signature from the ECDSA/SECP256K1 algorithm, it will first be in its raw form known as an “r” and “s” value.

Signature: DER (X.690 : ASN.1) EncodingSignature: DER (X.690 : ASN.1) Encoding

Signature (r, s):

1(0fb4adddd1f1d652b544ea6ab62828a0a65b712ed447e2538db0caebfa68929e, 5ecb2e1c63b29879c2ecf1255db506d671c8b3fa6017f67cfd1bf07e6edd1cc8)

In our example, the “r” and “s” values are each 32-bytes in length. Each of the “r” and “s” sequence identifiers are also 1-byte in length. Additionally, the slots for the size of “r” and “s” each occupy 1-byte.

This means that the length of the “r” and “s” values is 64-bytes. The (r,s) section identifiers and their sizes occupy a total of 4-bytes.

The total length of our signature is 68-bytes (0x44 in hex).

Identifier Size (dec) Size (hex)
r sequence 1 0x1
r size 1 0x1
r-value: 32 0x20
s sequence 1 0x1
s size 1 0x1
s-value 32 0x20
total length 68 0x44

The very first byte of an encoded signature is the sequence identifier 30.

To encode the (r, s) values, we place 30 as the leading byte, followed by the total signature length (0x44 in this example).

We then place the sequence identifier for “r” (02), proceeded by the size of “r” in hex (0x20), proceeded by the r-value itself (0fb4adddd1f1d652b544ea6ab62828a0a65b712ed447e2538db0caebfa68929e).

Finally, we place the sequence identifier for “s” (02), proceeded by the size of “s” in hex (0x20), proceeded by the s-value itself (5ecb2e1c63b29879c2ecf1255db506d671c8b3fa6017f67cfd1bf07e6edd1cc8).

DER Encoded Signature:



Base58Check encoding is used to produce human readable/typeable text from a hash.

It is used to encode a PrivateKey and is also the final step to encoding an ARK address.



RIPEMD160 is a subset of the RIPEMD family of cryptographic hash functions .

As its name suggests, RIPEMD160 hashes are 160-bits in length.


SHA256 is a subset of the SHA-2 family of cryptographic hash functions .

As its name suggests, SHA256 hashes are 256-bits in length.

Last updated 2 years ago
Edit Page