Signature
The current signature scheme is a proof-based signature built on Plonky2 proofs, following https://eprint.iacr.org/2024/1553 and https://jdodinh.io/assets/files/m-thesis.pdf. It derives from Polygon Miden's RPO STARK-based signatures.
In future iterations it may be replaced by another signature scheme (either an elliptic-curve scheme over a Goldilocks-prime-friendly curve, or a lattice-based scheme).
generate_params()
pp: plonky2 circuit prover params
vp: plonky2 circuit verifier params
return (pp, vp)
keygen()
secret key: $sk \xleftarrow{R} \mathbb{F}^4$
public key: $pk := H(sk)$ [1]
return (sk, pk)
sign(pp, sk, m)
$pk := H(sk)$
$s := H(pk, m)$
$\pi = plonky2.Prove(pp, sk, pk, m, s)$
return $(sig := \pi)$
verify(vp, sig, pk, m)
$\pi = sig$
$s := H(pk, m)$
return $plonky2.Verify(vp, \pi, pk, m, s)$
Plonky2 circuit
private inputs: $(sk)$
public inputs: $(pk, m, s)$
$pk \stackrel{!}{=} H(sk)$
$s \stackrel{!}{=} H(pk, m)$
[1] The 2024/1553 paper uses $pk := H(sk \| 0^4)$ so that the hash input is 8 field elements, which lets the same instance of the RPO hash be reused later in the signature (where it hashes 8 field elements).
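As an added illustration (not code from the POD2 project or the cited papers), the following Python models the wiring of the scheme above: the private input `sk`, the public inputs `(pk, m, s)`, the two hash constraints of the circuit, and the verifier recomputing `s` from its own view of `(pk, m)`. It also applies the footnote's padding `pk := H(sk || 0^4)` by making the hash take exactly 8 field elements for both uses. Assumptions: SHA-256 reduced into the Goldilocks field stands in for RPO, messages are four field elements, and `mock_prove`/`mock_verify` only evaluate the constraints with the witness in hand, so they model the statement being proved, not the succinctness or zero-knowledge of a real Plonky2 proof.

```python
import hashlib
import secrets

# Goldilocks prime, the base field of Plonky2 (real constant).
P = 2**64 - 2**32 + 1
ZERO4 = (0, 0, 0, 0)
RATE = 8  # one hash instance over exactly 8 field elements, as in the footnote


def H(*parts):
    """Stand-in for the RPO hash (assumption: SHA-256, not RPO).
    Consumes exactly RATE field elements and squeezes out four."""
    elems = [e for part in parts for e in part]
    if len(elems) != RATE:
        raise ValueError(f"hash expects {RATE} field elements, got {len(elems)}")
    data = b"".join(e.to_bytes(8, "big") for e in elems)
    digest = hashlib.sha256(data).digest()
    return tuple(int.from_bytes(digest[i:i + 8], "big") % P for i in range(0, 32, 8))


def generate_params():
    # Plonky2 would compile the circuit into prover/verifier data here;
    # the mock has nothing to precompute, so the params are placeholders.
    return ("pp", "vp")


def keygen():
    sk = tuple(secrets.randbelow(P) for _ in range(4))  # sk <-R- F^4
    pk = H(sk, ZERO4)                                   # pk := H(sk || 0^4)
    return sk, pk


def circuit(sk, pk, m, s):
    """The statement the proof attests to: private input sk, public inputs (pk, m, s)."""
    return pk == H(sk, ZERO4) and s == H(pk, m)


def mock_prove(pp, sk, pk, m, s):
    # Stand-in for plonky2.Prove: refuses to "prove" a false statement and
    # returns an object carrying only the public inputs (hypothetical format).
    if not circuit(sk, pk, m, s):
        raise ValueError("witness does not satisfy the circuit")
    return {"public_inputs": (pk, m, s)}


def mock_verify(vp, proof, pk, m, s):
    # Stand-in for plonky2.Verify: a real verifier checks the proof itself;
    # the mock only checks that the proof is bound to these public inputs.
    return proof["public_inputs"] == (pk, m, s)


def sign(pp, sk, m):
    pk = H(sk, ZERO4)
    s = H(pk, m)
    return mock_prove(pp, sk, pk, m, s)


def verify(vp, sig, pk, m):
    # The verifier recomputes s itself rather than trusting a value from the
    # signer, so the proof is bound to the verifier's own (pk, m).
    s = H(pk, m)
    return mock_verify(vp, sig, pk, m, s)


def demo():
    """Round trip plus two rejections: substituted message, substituted key."""
    pp, vp = generate_params()
    sk, pk = keygen()
    m = (1, 2, 3, 4)  # constructed message of four field elements
    sig = sign(pp, sk, m)
    ok = verify(vp, sig, pk, m)
    other_message = verify(vp, sig, pk, (1, 2, 3, 5))
    _, other_pk = keygen()
    other_key = verify(vp, sig, other_pk, m)
    return ok, other_message, other_key


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Longer messages would be pre-hashed down to four field elements before `H(pk, m)`, keeping the single 8-element hash width that the footnote's padding is meant to preserve.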