
Signing Scheme

Our spending key pairs produce Schnorr signatures over the Grumpkin curve. They are used to generate spend authorization signatures, which are private circuit inputs and authorize the spending of UTXOs as part of our circuit's state transition function.

With

  • $G$ being the Grumpkin generator
  • $p$ the Grumpkin base field size
  • $q$ the Grumpkin scalar field size
  • $s$ the spending private key
  • $M$ a 32-byte message hash
  • $D$ a domain constant

signature generation proceeds as follows:

$$
\begin{aligned}
P &= sG \\
k &\xleftarrow{\$} \mathbb{F}_q^* \\
R &= kG \\
c &= \mathrm{Poseidon2}(R_x, R_y, P_x, P_y, M \bmod p, D) \bmod q \\
z &= k + sc \pmod q \\
&\quad \text{Return } (R, z)
\end{aligned}
$$

Verification

$$
zG \stackrel{?}{=} R + cP
$$

In the SDK, the challenge domain separator is derived from a message-specific domain tag, and signatures are encoded as:

$$
R_x \parallel R_y \parallel z
$$
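The signing, verification and encoding steps above, carried through in Python as an added example (not the SDK's code). Assumptions made here: SHA-256 stands in for Poseidon2, the base point is taken as (1, sqrt(-16)), `D` is passed as an integer, and each of R_x, R_y, z is encoded as 32 big-endian bytes.

```python
import hashlib, secrets

# Grumpkin: y^2 = x^3 - 17 over F_p, with prime group order q.
p = 21888242871839275222246405745257275088548364400416034343698204186575808495617
q = 21888242871839275222246405745257275088696311157297823662689037894645226208583
# p ≡ 1 (mod 4): a non-residue n raised to (p-1)/4 is a square root of -1.
_n = next(n for n in range(2, 100) if pow(n, (p - 1) // 2, p) == p - 1)
# Assumption: base point (1, sqrt(-16)); the SDK's generator may use the other root.
G = (1, 4 * pow(_n, (p - 1) // 4, p) % p)

def add(A, B):
    # Affine addition; None is the point at infinity.
    if A is None or B is None: return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    # Double-and-add; not constant time, illustration only.
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def challenge(R, P, M, D):
    # SHA-256 stand-in for Poseidon2(R_x, R_y, P_x, P_y, M mod p, D) mod q.
    fields = [R[0], R[1], P[0], P[1], int.from_bytes(M, "big") % p, D]
    h = hashlib.sha256(b"".join(f.to_bytes(32, "big") for f in fields)).digest()
    return int.from_bytes(h, "big") % p % q

def sign(s, M, D):
    P, k = mul(s, G), secrets.randbelow(q - 1) + 1  # k uniform in [1, q-1]
    R = mul(k, G)
    z = (k + s * challenge(R, P, M, D)) % q
    return b"".join(v.to_bytes(32, "big") for v in (R[0], R[1], z))

def verify(P, M, D, sig):
    Rx, Ry, z = (int.from_bytes(sig[i:i + 32], "big") for i in (0, 32, 64))
    if len(sig) != 96 or z >= q or Rx >= p or Ry >= p or (Ry * Ry - Rx**3 + 17) % p:
        return False  # reject non-canonical encodings and off-curve R
    return mul(z, G) == add((Rx, Ry), mul(challenge((Rx, Ry), P, M, D), P))
```

The nonce `k` must be fresh and uniformly random for every signature: two signatures that share `k` under different challenges reveal `s`.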

Within Bermuda, this Schnorr scheme is the base primitive for spending authorization signatures. It also serves as the foundation for threshold signing flows described in FROST and DKG.