Signature

For POD2 signatures, we use Schnorr signature over the EcGFp5 curve.

Older version

The previously used signature scheme was proof-based signatures using Plonky2 proofs, following https://eprint.iacr.org/2024/1553 and https://jdodinh.io/assets/files/m-thesis.pdf. This came from Polygon Miden's RPO STARK-based signatures.

This was replaced by the elliptic curve Schnorr signature presented above, keeping the description here in case it were useful in the future.

The scheme was as follows:

generate_params()

$pp$ : plonky2 circuit prover params
$v p$ : plonky2 circuit verifier params
return $(pp, v p)$

keygen()

secret key: $s k R F^{4}$
public key: $p k := H (s k)$ ¹
return $(s k, p k)$

sign(pp, sk, m)

$p k := H (s k)$
$s := H (p k, m)$
$π = pl o nk y 2. P ro v e (pp, s k, p k, m, s)$
return $(s i g := π)$

verify(vp, sig, pk, m)

$π = s i g$
$s := H (p k, m)$
return $pl o nk y 2. V er i f y (v p, π, p k, m, s)$

Plonky2 circuit

private inputs: $(s k)$
public inputs: $(p k, m, s)$
$p k =! H (s k)$
$s =! H (p k, m)$

The 2024/1553 paper uses $p k := H (s k ∣∣ 0^{4})$ to have as input (to the hash) 8 field elements, to be able to reuse the same instance of the RPO hash as the one they use later in the signature (where it hashes 8 field elements).

POD2-docs