
Signing Scheme

Our spending key pairs produce Schnorr signatures and operate over the Grumpkin curve. Spending key pairs are used to generate spend authorization signatures which are private circuit inputs and authorize spending of UTXOs as part of our circuit's state transition function.

With

  • $G$ being the Grumpkin generator
  • $p$ the Grumpkin base field size
  • $s$ the spending private key
  • $M$ a 32-byte message hash
  • $D_{0}$, $D_{1}$ domain constants

signature generation proceeds as follows:

$$
\begin{aligned}
P &= sG \\
k &= \min_{0 \leq i < 256} \{ Blake2s(D_{0}\|s\|M\|i) \bmod p \neq 0 \} \\
R &= kG \\
e &= Poseidon2(R_x, P_x, P_y, M \bmod p, HashToField(D_{1})) \\
\sigma &= k - s e \\
&\quad\text{Return} (\sigma, e)
\end{aligned}
$$

Tweaks

To make the Schnorr signatures deterministic, we tweaked $k$ by deriving it from a Blake2s hash of, among other inputs, the message and the private key rather than drawing it from a PRNG.

Moreover, the choice of Grumpkin is deliberate: it exploits the 2-cycle of curves between Grumpkin (spending key pair) and BN254 (proof system), which makes in-circuit signature verification very efficient.
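
The signing equations and the deterministic nonce described above, together with the matching verification step $R' = \sigma G + eP$, as an added example that is not the project's own code. Assumptions: Blake2s stands in for Poseidon2 and HashToField, the domain constants are placeholders, the byte encodings of $s$, $M$ and $i$ are chosen for illustration, and $\sigma$ is reduced modulo the Grumpkin group order.

```python
import hashlib
# Grumpkin: y^2 = x^3 - 17 over F_P, where P is the base field size (the page's p).
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
N = 21888242871839275222246405745257275088696311157297823662689037894645226208583  # group order
G = (1, 17631683881184975370165255887551781615748388533673675138860)
D0, D1 = b"example-nonce-domain", b"example-challenge-domain"  # placeholders, not the real constants

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication; not constant time, illustration only."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):
    """Blake2s over the concatenated parts, reduced mod p."""
    return int.from_bytes(hashlib.blake2s(b"".join(parts)).digest(), "big") % P
def b32(n): return n.to_bytes(32, "big")  # assumed encoding: 32 bytes, big-endian

def nonce(s, m):
    """First i in [0, 256) for which Blake2s(D0 || s || M || i) mod p is nonzero."""
    for i in range(256):
        k = h(D0, b32(s), m, bytes([i]))  # assumed encoding of i: one byte
        if k:
            return k
    raise ValueError("no nonzero nonce candidate")

def challenge(r, pub, m):
    # Stand-in for Poseidon2(R_x, P_x, P_y, M mod p, HashToField(D1)).
    return h(b32(r[0]), b32(pub[0]), b32(pub[1]), b32(int.from_bytes(m, "big") % P), D1)

def sign(s, m):
    k = nonce(s, m)
    e = challenge(mul(k, G), mul(s, G), m)
    return (k - s * e) % N, e  # sigma = k - s*e, taken modulo the group order (assumption)

def verify(pub, m, sig):
    r = add(mul(sig[0], G), mul(sig[1], pub))  # R' = sigma*G + e*P, equal to k*G when valid
    return r is not None and challenge(r, pub, m) == sig[1]
```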