-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate Falcon DSA into Miden VM #1048
Comments
Here is my very preliminary thinking on this: First, we'd need to introduce a new advice injector - maybe something like Second, we'd need to modify the advice provider to help with signature generation. One option for this is to add fn falcon_sign(&self, pub_key: Word, msg: Word) -> Result<Vec<Felt>, ExecutionError> Where the returned vector would be a concatenation of The default implementation of this method could panic or maybe try to look up the relevant private key in the advice map and generate the signature. A more "production-grade" implementation would probably override this method so that private key is not stored in the advice provider. One question with this approach is whether having a method specifically for Falcon signature is too "narrow". In the future we will probably have other signature schemes, and maybe it makes sense to make this a bit more general from the start. For example, the method could be something like: fn sign(&self, alg: SignatureKind, pub_key: Word, msg: Word) -> Result<Vec<Felt>, ExecutionError> Where, pub enum SignatureKind {
RpoFalcon512,
} |
Makes sense! |
I was thinking that in such cases we'd need to provide a specialized implementation of the advice provider which overrides the For example, let's say we are implementing a wallet which needs to make a call to some external component (via an RPC or something else) to generate a signature. We'd create a new |
That clarifies things, thank you! |
Closed by #1068. |
As the Falcon DSA is practically done #1000, we need to add some support for it to be useful. Things are still not clear but I think that we should think about supporting the following flow:
PK
and a digest of a messageMSG
, the VM receives via the advice provider the pre-image ofPK
, which is the coefficients of a polynomialh
.NONCE
and a signature represented as a polynomials2
, also via the advice provider.pi
representing the product ofh
ands2
inThe MASM code implementing the verification procedure will then go one to:
h
hashes toPK
.c
that is the hash-to-point ofNONCE || MSG
using RPO.pi
is indeed the product ofh
ands2
inThe main question, I believe, is how to accommodate the above flow using the current infrastructure or whether there is a need for something more.
The text was updated successfully, but these errors were encountered: