You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: ERCS/erc-7524.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -90,9 +90,7 @@ The length of the input to $\mathsf{htc}$ is always 65 bytes.
90
90
91
91
Note that in this scheme, we compute $h$ as the hash of the message and $pk$, not the message and $r$. This is to make our scheme deterministic.
92
92
93
-
### Signature verification
94
-
95
-
### Non-ZK
93
+
### Signature verification (non-ZK)
96
94
97
95
********************Note: Non-ZK signature verification is not part of the proposal but relevant for an intuitive understanding of the ZK signature verification.********************
98
96
@@ -106,7 +104,9 @@ b. $h^s \cdot \mathsf{nul}^{-c} \stackrel{?}{=} z$
106
104
c. $c \stackrel{?}{=} c'$
107
105
4. Accept if all of the above is true.
108
106
109
-
### In ZK
107
+
Now we move onto the ZK signature verification specs.
108
+
109
+
### Version 1: Verifier Optimized
110
110
111
111
In a situation where there is a verifier who must *not* know the signer's $pk$, but the signer must nevertheless prove that they know $sk$ corresponding to the signature given $m$, a zero-knowledge proof is required.
112
112
@@ -130,9 +130,9 @@ It also establishes the following constraints:
130
130
- $h^s \cdot \mathsf{nul}^{-c} = z$
131
131
- $c = c'$
132
132
133
-
### Version 2: Computing hashes outside the circuit
133
+
### Version 2: Prover Optimized
134
134
135
-
Currently, SHA-256 hashing operations are particularly expensive with groth16 proofs in the browser. In the context of PLUME, the computation of $c$ is a bottleneck for efficient proof times, so one modification suggested by the Poseidon team was to move this computation outside the circuit in the verifier.
135
+
Currently, SHA-256 hashing operations are particularly expensive with zk proofs in the browser. In the context of PLUME, the computation of $c$ is a bottleneck for efficient proof times, so one modification suggested by the Poseidon team was to move this hash computation outside the circuit, into the verifier.
136
136
137
137
To do this, we make $z$ and $g^r$ public signals in the circuit and update the definition of $c$ to $c = \text{sha256}([\text{nul}, g^r, z])$. The updated protocol is as follows.
138
138
@@ -160,7 +160,7 @@ Due to SHA-256 being a native precompile on Ethereum, this operation will still
160
160
161
161
### Version 3:
162
162
163
-
There may be a more efficient V3 in the future.
163
+
There may be a more efficient V3 in the future, perhaps via removing indifferentiability from hash_to_curve.
164
164
165
165
## Rationale
166
166
@@ -185,7 +185,7 @@ For a few possible simpler algorithm designs that were considered, see blog.aayu
185
185
186
186
## Reference Implementation
187
187
188
-
The GitHub repository `plume-sig/zk-nuliifier-sig` contains the reference implementation in several languages including Rust and Javascript. There is a sample PR to Metamask Core as well.
188
+
The GitHub repository `plume-sig/zk-nuliifier-sig` contains the reference implementation in several languages including Rust and Javascript. There is a sample PR to Metamask Core as well, and a PR to Taho Core incoming.
0 commit comments