Introduction

This document is WORK IN PROGRESS. While the document
has this warning, check with your local cryptographer
whether the final solution is correct for your 
particular use case.

This document forms the IOG Cryptography Handbook, which aims to provide a go-to for engineers having to make a choice on which implementations to use for given cryptographic primitives. This document contains a specification of all the cryptographic primitives being used in production, or in testing phase, and at least a reference to the ongoing efforts of other cryptographic primitives.

The target audience for the Handbook is everyone working on a project associated with an IOG product, or within the Cardano ecosystem. This is also the set of target contributors for the Handbook! Anyone can submit a change proposal as a PR (see 'Contributing').

Purpose

The purpose of this handbook is both descriptive and to list existing implementations:

Firstly, it lists particular implementations for given cryptographic primitives that are being used, or have been reviewed, by IOG matter experts.
Secondly, it describes the cryptographic primitives in detail (or points interested reader to further material), to allow engineers to choose alternative implementation which are compatible with the primitives used by IOG.

Goals

The goals of the Handbook are to:

Provide a place to record all cryptographic libraries being used in IOG projects.
Present a sufficient level of detail of the cryptographic primitives to allow engineers to make independent decisions without having to contact matter experts or look into the source code.
Encourage consistency across the organization in order to minimize cognitive overheads from unnecessary differences.
Avoid implementing of primitives that already exist and/or are being used in IOG.
List common mistakes when handling with these type of libraries.

Non-goals

The following are explicitly not goals of the Handbook:

The recommended libraries are by no means flawless. As in any piece of software, the libraries hereby listed can have bugs.
Provide an exhaustive list of all available implementations in all languages. We only have a limited number of cryptographers, and this list will grow as we look into existing implementation of used primitives.

The Handbook is very new and will gradually acquire more content over time. We hope to improve all of this over time!

Contributing

If a project needs a particular primitive, which is not present in this document, the mechanism to include is simple. Add an issue to the repo, specifying why such a primitive is of interest, and how it would be used. To make the discussion more effective, it is also of interest to link references to the specification, or available implementations.

Ed25519

Ed25519 is the signature scheme being used in Cardano, and supported in Plutus. Ed25519 is an instantiation of the EdDSA over the Edwards25519 elliptic curve.

Implementation and bindings

We currently relly in the implementation available in version 1.0.18 of libsodium. We have analysed, and recommend, bindings in the following languages:

Haskell: Available in cardano-base
Rust: Made available by the original author of libsodium
Javascript: Made available by the original author of libsodium (among others)

There also exist other implementations that offer a compatible signing algorithm which do not require the full usage of libsodium. The list we have analaysed and recommend is the following:

Rust: ed25519-dalek, using the verify_strict() function.
Javascript: tweetnacl-js, though the verification criteria of this library is more permissive, meaning that a valid signature for tweetnacl-js might not be valid for Cardano.

Common mistakes

An ed25519 signature consists of two values $(R, s)$ , where $R$ is an elliptic curve point and $s \in Z_{q}$ is a scalar. A common mistake when deserialising the scalar $s$ is to compute it modulo $q$ in case that $s$ is larger than $q$ . This must be avoided, specifically in consensus critical scenarios.

Another common mistake is what criteria to use when deserialising an elliptic curve point. If none of the libraries listed above are used, the engineer should carefully read the sections below to understand the details, and the verification criteria used in Cardano.

KES

In Cardano, nodes use Key Evolving Signatures (KES). This is another asymmetric key cryptographic scheme, also relying on the use of public and private key pairs. These signature schemes provide forward cryptographic security, meaning that a compromised key does not make it easier for an adversary to forge a signature that allegedly had been signed in the past.

In KES, the public verification key stays constant, but the corresponding private key evolves incrementally. For this reason, KES signing keys are indexed by integers representing the step in the key's evolution. Since the private key evolves incrementally in a KES scheme, the ledger rules require the pool operators to evolve their keys every time a certain number of slots have passed. The details of when these keys are evolved are out of the scope of this document, and the reader is directed to the ledger spec.

Implementation and bindings

The Cardano compatible KES implementations are

Haskell: Available in cardano-base
Rust: Available in crates.io

The particular instantiation used in Cardano is of depth 6. An improvement on the representation of signatures is being worked on, and planned to be included in the next HF. This compact representation is available in both the Haskell library and the rust counterpart.

Note: The secret key representations of both libraries are not compatible. A padding strategy can be made to use Haskell generated data in Rust, but not vice-versa. To see this padding trick, you can look in the interoperability tests of the rust library.

Common mistakes

The main building block of KES is its underlying signature scheme, Ed25519. We refer the reader to the common mistakes section of Ed25519.

BIP32-ed25519

BIP32-ed25519 is an adaptation of the BIP32 proposal for deterministic key generation for the Ed25519 curve which has non-linear key space.

Implementation and bindings

We currently have two implementations of BIP32:

C: Available in cardano-crypto
Rust: Implemented by Vincent Hanquez, here.

The preferred implementation is that of Rust, but both are safe to use.

For the C implementation, we have bindings in the following languages:

Haskell: Available in cardano-crypto

Common mistakes

As the underlying signature algorithm is ed25519, we refer the reader to common mistakes of that section.

ECDSA

ECDSA is one of signature schemes supported natively in Plutus, together with ed25519 and Schnorr. In particular, the natively supported ECDSA algorithm works over curve SECP256k1, enabling support for Bitcoin's and Ethereum's native signatures.

Implementation and bindings

We currently relly in Bitcoin's implementation available in secp256k1. We have analysed, and recommend, bindings in the following languages:

Haskell: Available in cardano-base

Common mistakes

An ECDSA signature consists of two values $(r, s)$ , where are scalars. A problem of using ECDSA in consensus critical contexts, is that the signature algorithm (as defined in the standard) is malleable. Specifically, given a valid signature $(r, s)$ , the tuple $(r, - s)$ is also a valid signature. To avoid problems resulting from this malleability, the implementation we use checks that the $s < p /2$ , where $p$ is the order of the prime order group. More details of such a check in the spec section.

Another common problem of verifying ECDSA signatures is that the hashing of the message must be performed by the verifier itself, rather than accepting a hashed message. This can be dangerous. Therefore, the verifier, before proceeding with verification, hashes the message.

Schnorr

Schnorr is one of signature schemes supported natively in Plutus, together with ed25519 and ECDSA. In particular, the natively supported ECDSA algorithm works over curve SECP256k1, enabling support for Bitcoin's and Ethereum's native signatures. Schnorr signature scheme is also adopted by MuSig2 (Simple Two-Round Schnorr Multisignatures) which will be integrated to Hydra.

Implementation and binding

We currently relly in Bitcoin's implementation available in secp256k1. We have analysed, and recommend, bindings in the following languages:

Haskell: Available in cardano-base

MuSig2

This API also relies on secp256k1 that is compatible with BIP-340 producing 64-byte Schnorr signatures.

C: Available in musig2. Note that this API is still in progress.

VRF-ed25519

Verifiable Random Functions ( $VRF$ ) allow key-pair owners, $(s k_{VRF}, v k_{VRF})$ , to evaluate a pseudorandom function in a provable way given a randomness seed. Any party with access to the verification key, $v k_{VRF}$ , the randomness seed, the proof and the generated randomness can indeed verify that the value is computed as expected. The VRF specification has changed overtime in Cardano, and the nodes use a different algorith, pre-Babbage and post-Babbage (if there exists a reference to the HF, we should point it out). We expose both specifications, and the motivations for such a change.

Implementation and bindings

We currently rely in the implementation available in the fork of libsodium. We have analysed, and recommend, bindings in the following languages:

Haskell: Available in cardano-base

Notation

In this section we introduce some generic notation used throughout the spec. The primitive-specific notation is introduced in the respective sections.

We denote by $E (F_{p})$ the finite abelian group based on an elliptic curve over a finite prime-order field $F_{p}$ (note that we simplify the notation and drop the explicit dependency on $F_{p}$ and security parameter $κ$ ). Most importantly, we assume the order of the group $E$ to be of the form $cofvar \cdot q$ for some small cofactor $cofvar$ (sometimes equal to 1) and large prime number $q$ , and that the (hence) unique (sub)group $G$ of order $q$ is generated by a known base point $G$ , i.e., $G = ⟨ G ⟩$ , in which the computational Diffie-Hellman (CDH) problem is believed to be hard. We use $H$ to denote a cryptographically safe hash function, modeled as a random oracle, $H : {0, 1}^{a} \to {0, 1}^{ℓ (κ)} .$ for any value of $a$ (we tried using $*$ but the katex compiler was not happy with it).

An elliptic curve point can be determined using the y-coordinate and the sign of the $x$ -coordinate, meaning that an elliptic curve point can be represented using $s = ⌈ lo g_{2} (p)⌉ + 1$ bits. All elements in $F_{p}$ or $F_{q}$ are serialised in little-endian form. Elliptic curve points are encoded using their $y$ -coordinate followed by the sign bit of the $x$ coordinate. An element $x$ in $F_{p}$ is negative if the enconding of $x$ is lexicographically larger than the encoding of $- x$

Ed25519

Ed25519 is the signature scheme being used in Cardano, and supported in Plutus. Ed25519 is an instantiation of the EdDSA over the Edwards25519 elliptic curve.

Generalised specification

This section presents the generalized signature system EdDSA, and in the parameter section, we present the specific parameters used in Cardano. EdDSA is parametrized with the following parameters. An integer $b \geq 10$ , a cryptographic hash function $H$ producing a $2 b$ -bit output, and a finite abelian group based on an elliptic curve. An EdDSA, signature consists of the following three algorithms:

$KeyGen (1^{λ})$ takes as input the security parameter $λ$ and returns a key-pair $(x, v k)$ . First, it chooses $x \leftarrow {0, 1}^{b}$ . Next, let $(h_{0}, h_{1}, \dots, h_{2 b - 1}) \leftarrow H (x)$ , and compute the signing key, $s k \leftarrow 2^{b - 2} + \sum_{3 \leq i \leq b - 3} 2^{i} h_{i}$ . Finally, compute $v k \leftarrow s k \cdot G$ , and return $(x, v k)$ .
$Sign (x, v k, m)$ takes as input a keypair $(x, v k)$ and a message $m$ , and returns a signature $σ$ . Let $r \leftarrow H (h_{b}, \dots, h_{2 b - 1}, m)$ , and interpret the result as a little-endian integer in ${0, 1, \dots, 2^{2 b} - 1}$ . Let $R \leftarrow r \cdot G$ , and $S \leftarrow (r + H (R, A, M) \cdot s k) mod q$ . Return $σ \leftarrow (R, S)$ .
$Verify (m, v k, σ)$ takes as input a message $m$ , a verification key $v k$ and a signature $σ$ , and returns $r \in {true, false}$ depending on whether the signature is valid or not. The algorithm returns $true$ if the following equation holds and $false$ otherwise: $S \cdot G = R + H (R, v k, m) \cdot v k .$

Parameters of instantiation

In this section we set to describe the concrete instantiation of the algorithm presented above. Not only we describe the Curves and Hash functions used, but we also specify how deserialization happens, as this results in important differences of the acceptance criteria of valid signatures. The algorithm we use is Ed25519¹. However, our implementation slightly differs in the deserialization criteria. The details are as follows:

Parameter $b$ : We set $b = 256$
Curve: We define the curve, and by consequence the finite prime order field, security parameter, cofactor, prime order subgroup and generator. In particular, we use Edwards25519 which is birationally equivalent to Curve25519².
Hash: As a hashing algorithm we use SHA512.
Deserialization: A signature is represented by 64 bytes: the first 32 bytes, $b_{[..32]}$ , represent the point $R$ , and the final 32 bytes, $b_{[32..]}$ , represent the scalar $S$ . A public key is also represented as 32 bytes, $b_{p k}$ . Deserialization is valid only if:
- $b_{[32..]}$ , read as a little-endian integer, is smaller than $q$ .
- $b_{[..32]}$ does not represent a low order point (by checking against a precomputed blacklist of size $cofvar$ ).
- $b_{p k}$ does not represent a low order point (by checking against a precomputed blacklist of size $cofvar$ ), and when read as a little-endian integer, it is smaller than $p$ .

Bernstein, Duif, Lange, Schwabe and Yang, High-Speed High-Security Signatures

Bernstein, Curve25519: New Diffie-Hellman Speed Records

KES

Generalised specification

We use the iterated sum construction from Section 4.3 of MMM¹. A KES signature algorithm is parametrized by four algorithms, $KeyGen, Sign, Update$ and $Verify$ . The sum construction depends on two signing algorithms, $Σ_{0} = (KeyGen_{0}, Sign_{0}, Update_{0}, Verify_{0})$ and $Σ_{1} = (KeyGen_{1}, Sign_{1}, Update_{1}, Verify_{1})$ , which are forward-secure with $T_{0}$ and $T_{1}$ time periods respectively. As specified in the paper, any digital signature algorithm can be considered as a forward-secure signature algorithm with 1 time period. We use two specialized versions of the key generation, one to generate the public part, and another to generate the secret part, $P KeyGen, S KeyGen$ respectively. The KES algorithm uses a length doubling pseudorandom generator, $F : {0, 1}^{λ} \to {0, 1}^{λ} \times {0, 1}^{λ}$ , where given a random seed, $s$ , returns two random seeds of the same size $s_{1}, s_{2}$ . The sum construction begins by generating a signing algorithm with two periods by merging two instances of the base signature, and proceeds recursively until the desired level of periods is reached.

The Chang hard fork will bring optimizations to the KES signature size, and we therefore have different verification criteria pre and post-Chang. Both instances use a tree of depth 6. For ease of exposure, we compare both constructions using a simple binary tree of depth 3 (see figure below). Consider each node as a KES instance with $2^{n}$ periods, where $n$ is the height of the node with respect to the leafs. For instance, A is a KES instance with $8$ periods, while node D is a KES instance with $2$ periods. Note that each KES instance is created by two child instances with half the periods. The only relevant details for compatibility on how KES algorithm works is signature generation and signature verification, however we provide a description of the other functions. The details on how the keys are managed are details of implementation which will not be covered here.

digraph keys {
  { 
     A, F, G, J, K, L, M, N, O, t [ shape = box, color = "black" ];
     B, D [ shape = box, color = "black", style = "filled", fillcolor = "green" ];
     C, E, H, I [ shape = box, color = "red", style = "filled", fillcolor = "green" ];
   };
   
   A -> B;
   A -> C;
   B -> D;
   B -> E;
   C -> F;
   C -> G;
   D -> H;
   D -> I;
   E -> J;
   E -> K;
   F -> L;
   F -> M;
   G -> N;
   G -> O;
   H -> t
}

In green, we have the nodes for which we need to store the public key in a signature during pre-babbage eras. With red borders we have the nodes for which we need to store the public keys in post-babbage eras.

Pre-Chang

The signing instances of nodes H-O are single period KES instances, and nodes A-G are defined by recursively calling on the algorithms presented above. In pre-Chang eras the signatures are computed in a naive manner, meaning that a signature is represented (recursively) as the underlying signature and the two public keys, $σ = (σ^{'}, v k_{0}, v k_{1})$ . So for instance, the signature in node A of period 0 contains the signature of node B, $σ_{b}$ , the public key of node B $v k_{b}$ (which is a hash of $v k_{d}$ and $v k_{e}$ ) and the public key of node C $v k_{c}$ (which is a hash of $v k_{f}$ and $v k_{g}$ ). Signature $σ_{b}$ in turn contains signature of node D $σ_{d}$ , the public key of node D $v k_{d}$ (which is a hash of $v k_{h}$ and $v k_{i}$ ) and public key of node E $v k_{e}$ (which is a hash of $v k_{j}$ and $v k_{k}$ ). The signature of node D, $σ_{d}$ contains in turn the signature of node H, $σ_{h}$ , the public key of node H, $v k_{h}$ and the public key of node I $v k_{i}$ . Verification of the signature works in the naive recursive manner. We check that $H (v k_{b}, v k_{c}) = v k_{a}$ , and $H (v k_{d}, v k_{e}) = v k_{b}$ , and $H (v k_{h}, v k_{i}) = v k_{d}$ , and finally that $Verify (m, v k_{h}, σ_{h}) = true$ . More specifically:

$KeyGen (r)$ takes as input a random seed. It then extends the seed into two parts, $(r_{0}, r_{1}) \leftarrow F (r)$ , and uses each seed to generate the key material of the next layer. In particular $(s k_{0}, v k_{0}) \leftarrow KeyGen (r_{0})$ and $v k_{1} \leftarrow P KeyGen (r_{1})$ . Finally, it computes the pair's public key $v k \leftarrow H (v k_{0}, v k_{1})$ and returns $(⟨ s k_{0}, r_{1}, v k_{0}, v k_{1} ⟩, v k)$ . \item $Sign (t, ⟨ s k^{'}, r_{1}, v k_{0}, v k_{1} s k ⟩, m)$ takes as input a time period $t$ , a signing key $s k$ and a message. If $t < T_{0}$ , then it computes the signature using the first signature algorithm, $σ^{'} \leftarrow Sign_{0} (t, s k^{'}, m)$ , otherwise it uses the other $σ^{'} \leftarrow Sign_{1} (t - T_{0}, s k^{'}, m)$ . Finally, returns $(⟨ σ^{'}, v k_{0}, v k_{1} ⟩, t)$ .
$Update (t, ⟨, s k^{'}, r_{1}, v k_{0}, v k_{1} ⟩ s k)$ takes as input a time period $t$ , and a signing key $s k$ . If $t + 1 < T_{0}$ , then $s k^{'} \leftarrow Update_{0} (t, s k^{'})$ . Otherwise, it checks if its changing the key generation algorithm. Specifically, if $t + 1 = T_{0}$ , then $s k^{'} \leftarrow S KeyGen_{1} (r_{1})$ and sets the seed to zero $r_{1} \leftarrow 0$ . Otherwise, $s k^{'} \leftarrow Update_{1} (t - T_{0}, s k^{'})$ .
$Verify (v k, m, ⟨ σ^{'}, v k_{0}, v k_{1} ⟩ σ, t)$ takes as input a verification key, $v k$ , a message, $m$ , a signature, $σ$ , and a time period, $t$ . First, it checks that $H (v k_{0}, v k_{1}) = v k$ . If that is not the case, it returns $false$ . Otherwise, if $t < T_{0}$ then $Verify_{0} (v k_{0}, m, σ, t)$ , else $Verify_{1} (v k_{1}, m, σ, t - T_{0})$ . If verification fails, it returns $false$ , otherwise it returns $true$ .

Post-Chang

The naive definition of the signature used in Pre-Chang results in poor performance with respect to the signature size. We don't need to verify the hash equality at each level, and we simply need to do so at the root. In the Chang hardfork we introduced such an optimization. In particular, instead of storing both public keys in each signature, we only store the one of the branch that we are not in. For the case of the KES instances with 1 period, the KES signature contains not only the underlying signature, but also the public key, which allows us to re-walk the merkle path. Again, assume we are in period 0. Then, the signature in node A of period 0 contains the signature of node B, $σ_{b}$ , and the public key of node C $v k_{c}$ (which is a hash of $v k_{f}$ and $v k_{g}$ ). Signature $σ_{b}$ in turn contains signature of node D $σ_{d}$ and public key of node E $v k_{e}$ (which is a hash of $v k_{j}$ and $v k_{k}$ ). The signature of node D, $σ_{d}$ contains in turn the signature of node H, $σ_{h}$ , and the public key of node I $v k_{i}$ . In this case, $σ_{h} = (σ_{0, h}, v k_{h})$ , where $σ_{0, h}$ is the underlying signature. Verification of the signature works going up the tree, rather than down. We check $Verify (m, v k_{h}, σ_{0, h}) = true$ . Then we compute the expected key of node D, $v k_{d}^{'} \leftarrow H (v k_{h}, v k_{i})$ . Then we use that to compute the expected key of node B, $v k_{b}^{'} \leftarrow H (v k_{d}^{'}, v k_{e})$ . Finally, we check that the leaf indeed is part of the merkle tree by checking that $H (v k_{b}^{'}, v k_{c}) = v k_{a}$ . To derive the missing public key, we introduce a new function, $DeriveVerKey$ .

Specifically, post-Chang KES signature algorithm modifies the $Sign$ and $Verify$ algorithms, and introduces $DeriveVerKey$ as follows:

$KeyGen (r)$ takes as input a random seed. It then extends the seed into two parts, $(r_{0}, r_{1}) \leftarrow F (r)$ , and uses each seed to generate the key material of the next layer. In particular $(s k_{0}, v k_{0}) \leftarrow KeyGen (r_{0})$ and $v k_{1} \leftarrow P KeyGen (r_{1})$ . Finally, it computes the pair's public key $v k \leftarrow H (v k_{0}, v k_{1})$ and returns $(⟨ s k_{0}, r_{1}, v k_{0}, v k_{1} ⟩, v k)$ .
$Sign (t, ⟨ s k^{'}, r_{1}, v k_{0}, v k_{1} s k ⟩, m)$ takes as input a time period $t$ , a signing key $s k$ and a message. If $t < T_{0}$ , then it computes the signature using the first signature algorithm, $σ^{'} \leftarrow Sign_{0} (t, s k^{'}, m)$ and lets $v k_{c} = v k_{1}$ , otherwise it uses the other $σ^{'} \leftarrow Sign_{1} (t - T_{0}, s k^{'}, m)$ , and lets $v k_{c} = v k_{0}$ . Finally, returns $(⟨ σ^{'}, v k ⟩, t)$ .
$Update (t, ⟨, s k^{'}, r_{1}, v k_{0}, v k_{1} ⟩ s k)$ takes as input a time period $t$ , and a signing key $s k$ . If $t + 1 < T_{0}$ , then $s k^{'} \leftarrow Update_{0} (t, s k^{'})$ . Otherwise, it checks if its changing the key generation algorithm. Specifically, if $t + 1 = T_{0}$ , then $s k^{'} \leftarrow S KeyGen_{1} (r_{1})$ and sets the seed to zero $r_{1} \leftarrow 0$ . Otherwise, $s k^{'} \leftarrow Update_{1} (t - T_{0}, s k^{'})$ .
$DeriveVerKey (⟨ σ^{'}, v k_{c} ⟩ σ, m, t)$ takes as input a signature $σ$ and a period $t$ . If $t < T_{0}$ , then $(v k_{n}, res) = DeriveVerKey (σ^{'}, m, t)$ and return $(H (v k_{n}, v k_{c}), res)$ , otherwise $v k_{n} = DeriveVerKey (σ^{'}, m, t - T_{0})$ and return $(H (v k_{c}, v k_{n}), res)$ .
$Verify (v k, m, ⟨ σ^{'}, v k_{c} ⟩ σ, t)$ takes as input a verification key, $v k$ , a message, $m$ , a signature, $σ$ , and a time period, $t$ . First, it computes $v k_{n} \leftarrow DeriveVerKey (⟨ σ^{'}, v k_{c} ⟩ σ, m, t)$ , and then, if $t < T_{0}$ , check that $H (v k_{n}, v k_{c}) = v k$ , otherwise, check that $H (v k_{c}, v k_{n}) = v k$ . If verification fails, it returns $false$ , otherwise it returns $true$ .

For this recursive explanation to be complete, we need to define what happens when we call $DeriveVerKey$ on a leaf signature. Recall that the signature of a leaf contains not only the underlying signature, but also the public key with which it is signed. The derive function at the leaf takes as input $(⟨ σ^{'}, v k_{c} ⟩ σ, m, t)$ . It proceeds by verifying the leaf signature. Parse $σ^{'} = (σ_{0}, v k)$ , and compute the result $res \leftarrow Verify (m, v k, σ_{0})$ . If $t = 0$ , then return $(H (v k, v k_{c}), res)$ , else return $(H (v k_{c}, v k), res)$ .

Parameters of instantiation

The instantiation of both eras is the same. The underlying signature scheme is Ed25519. Regarding $P KeyGen$ and $S KeyGen$ , in Cardano, these functions simply call a seeded version of Ed25519's $KeyGen$ and extract the public or private part. As a hashing function we use Blake2b². Defining the pseudo random function $F$ is not required for compatibility purposes, as it is only used for private key material. However, for sake of completeness, we specify that the cardano node uses Blake2b as a length doubling pseudorandom generator.

Malkin, Micciancio and Miner, Composition and Efficiency Tradeoffs for Forward-Secure Digital Signatures

Aumasson, The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)

ECDSA

ECDSA, together with Schnorr, were two new signature algorithms introduced in Plutus during Cardano's Valentine upgrade.

Generalised specification

This section presents the generalized signature system ECDSA, and in the parameter section, we present the specific parameters used in Cardano. ECDSA is parametrized with the following parameters. An ECDSA signature consists of the following three algorithms:

$KeyGen (1^{λ})$ takes as input the security parameter $λ$ and returns a key-pair $(x, v k)$ . First, it chooses $x \leftarrow Z_{q}$ . Finally, compute $v k \leftarrow x \cdot G$ , and return $(x, v k)$ .
$Sign (x, v k, m)$ takes as input a keypair $(x, v k)$ and a message $m$ , and returns a signature $σ$ . Let $k \leftarrow Z_{q}$ . Compute $K = k \cdot * g e n er a t or$ and interpret the result as its two individual coordinates $(K_{x}, K_{y})$ . Next, compute $r \leftarrow K_{x} mod q$ . If $r = 0$ , generate a new $k$ and start over. Finally compute $s = k^{- 1} (z + r * x) mod q$ . If $s = 0$ , generate a new $k$ and start over. Otherwise, return $σ = (r, s)$ .
$Verify (m, v k, σ)$ takes as input a message $m$ , a verification key $v k$ and a signature $σ$ , and returns $r \in {true, false}$ depending on whether the signature is valid or not. The algorithm returns $true$ if the following conditions hold and $false$ otherwise:
- $r$ and $s$ are between $1$ and $q - 1$ .
- Compute $u_{1} = z \cdot s^{- 1} mod q$ and $u_{2} = r \cdot s^{- 1} mod q$ . Compute $(x, y) = u_{1} \cdot G + u_{2} \cdot G$ , and ensure it is not equal to the point at infinity. Checks that $r = x mod q$ .

Parameters of instantiation

The above is the standard definition, and in cardano we instantiate it over curve SECP256k1. However, such a signature algorithm enables malleability. Given a valid signature $(r, s)$ , if one sets $s^{'} = q - s$ , then the pair $(r, s^{'})$ is also a valid signature, as a point $P$ and its negative $P^{'}$ share the same x-coordinate. This can be problematic in consensus critical contexts. To that end, we follow Bitcoin's modification of only accepting signatures with small values of $s$ , i.e. with $s < p /2$ .

The signatures generated using Haskell's bindings (see here) use hash function SHA256. However, Plutus built-in function takes as input the hashed message, meaning that the signer and verifier can agree which hash function to use in their protocol.

While we follow the verification criteria used in Bitcoin, we do not follow their serialisation convention, DER-encoding, which results in variable sized signatures up to 72 bytes (instead of the 64 byte encoding we describe in this document).

More precisely, the following is what is the specification used in the plutus built-in functions:

The verification key must correspond to the (x, y) coordinates of a point on the SECP256k1 curve, where x, y are unsigned integers in big-endian form.
The verification key must correspond to a result produced by secp256k1_ec_pubkey_serialize, when given a length argument of 33, and the SECP256K1_EC_COMPRESSED flag. This implies all of the following:
- The verification key is 33 bytes long.
- The first byte corresponds to the parity of the y coordinate; this is 0x02 if y is even, and 0x03 otherwise.
- The remaining 32 bytes are the bytes of the x coordinate.
The input to verify must be a 32-byte hash of the message to be checked. We assume that the caller of verifyEcdsaSecp256k1Signature receives the message and hashes it, rather than accepting a hash directly: doing so can be dangerous. Typically, the hashing function used would be SHA256; however, this is not required, as only the length is checked.
The signature must correspond to two unsigned integers in big-endian form; henceforth r and s.

The signature must correspond to a result produced by secp256k1_ecdsa_serialize_compact. This implies all of the following:

The signature is 64 bytes long.
The first 32 bytes are the bytes of r.
The last 32 bytes are the bytes of s.

    ┏━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━┓
    ┃ r <32 bytes> │ s <32 bytes>  ┃
    ┗━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━┛
    <--------- signature ---------->

Schnorr

Schnorr, together with ECDSA, were two new signature algorithms introduced in Plutus during Cardano's Valentine upgrade. MuSig2 is a two-round multi-signature scheme will be integrated to Hydra.

Generalised specification

This section presents the generalized signature system ECDSA and MuSig2. In the [parameter] (#parameters-of-instantiation) section, we present the specific parameters used in Cardano and MuSig2 C implementation.

A Schnorr signature consists of the following three algorithms:

$KeyGen (1^{λ})$ takes as input the security parameter $λ$ and returns a key-pair $(x, v k)$ . First, it chooses $x \leftarrow Z_{q}$ . Finally, compute $v k \leftarrow x \cdot G$ , and return $(x, v k)$ .
$Sign (x, v k, m)$ takes as input a keypair $(x, v k)$ and a message $m$ , and returns a signature $σ$ . Let $r \leftarrow Z_{q}$ . Compute $R = r \cdot G$ , then compute $c \leftarrow H (R, v k, m)$ , and finally compute $s = r + c \cdot x$ . The signature is $σ \leftarrow (R, s)$ .
$Verify (m, v k, σ)$ takes as input a message $m$ , a verification key $v k$ and a signature $σ$ , and returns $result \in {true, false}$ depending on whether the signature is valid or not. The algorithm returns $true$ if $s \cdot G = R + c \cdot v k$

Let $N$ be the number of signers and $V$ be the number of nonces. A two-round multi-signature scheme MuSig2 that outputs an ordinary Schnorr signature includes the following steps:

$KeyGen (1^{λ})$ takes as input the security parameter $λ$ and returns a key-pair $(x, v k)$ . First, it chooses $x \leftarrow Z_{q}$ . Finally, compute $v k \leftarrow x \cdot G$ , and return $(x, v k)$ .
$BatchComm (1^{λ})$ takes as input the security parameter $λ$ and returns $V$ key-pairs ${(r_{1}, R_{1}), \dots, (r_{V}, R_{V})}$ . First, it chooses the nonces $r_{j} \leftarrow Z_{q}$ . Finally, computes the commitments $R_{j} \leftarrow r_{j} \cdot G$ , and returns the list including $V$ tuples of nonces and commitments.
$AggrPubKey ({v k_{1}, \dots, v k_{N}}, v k_{s})$ takes the list of public keys and the signer's public key, returns the aggregate public key $X$ and $a_{s}$ . First creates $L = (v k_{1} ∣∣ v k_{2} ∣∣ \dots ∣∣ v k_{N})$ . Computes $a_{i} = H_{a gg} (L ∣∣ v k_{i})$ for $i = 1 \dots N$ . Finally, generates the aggregate public key by $X = Σ_{i = 1}^{N} (a_{i} \cdot v k_{i})$ and the signer keeps her own $a_{s}$ .
$AggrComm ({R_{11}, R_{12}, \dots, R_{1 V}, \dots, R_{N 1}, \dots, R_{N V}})$ takes the list of all signers' commitment lists, returns the list of aggregate commitments. ${R_{j} = Σ_{i = 1}^{N} (R_{ij})}_{j = 1.. V}$ .
$Sign (x_{s}, v k_{s}, m, X, (R_{1}, \dots, R_{V}), (r_{s 1}, \dots, r_{s V}))$ takes as input the keypair of the signer, a message $m$ , aggregate public key, the list of commitments and the list of nonces of the signer. Returns a signature $σ$ . First, creates $b = H_{n o n} (X ∣∣ (R_{1}, \dots, R_{V}) ∣∣ m) \in Z_{q}$ . Computes $R = Σ_{j = 1}^{V} (R_{j}^{r^{j - 1}})$ and $c = H_{s i g} (X ∣∣ R ∣∣ m)$ . The single signature is calculated as $σ_{s} = c a_{s} x_{s} + Σ_{i = 1}^{V} (r_{s j} b^{j - 1})$ .
$AggrSig ({σ_{1}, \dots, σ_{N}}, R)$ takes the list of all signers' single signatures and aggregate commitment, returns the aggregate signature $(R, σ)$ where $σ = Σ_{i = 1}^{N} (σ_{i})$ .
$Verify (m, X, σ, R)$ takes as input a message, aggregate verification key, aggregate signature, and aggregate commitment. Computes $c = H_{s i g} (X ∣∣ R ∣∣ m)$ and accepts the signature if $σ \cdot G = R + c \cdot X$ .

Parameters of instantiation

The above is the standard definition, and in cardano we instantiate it over curve SECP256k1. Moreover, we follow BIP-0340. The following are the two specifications of the above algorithm required for compatibility. Citing literally BIP-0340:

We use implicit Y coordinates. We encode an elliptic curve point with 32 bytes, and we implicitly choose the Y coordinate that is even[6].
We use tagged hashed of SHA256 for the challenge computation. More precisely, in order to compute H(R, vk, m), one computes SHA256(SHA256("BIP0340/challenge")||SHA256("BIP0340/challenge") || R || vk || m).

More precisely, the following is what is the specification used in the plutus built-in functions:

The verification key must correspond to the (x, y) coordinates of a point on the SECP256k1 curve, where x, y are unsigned integers in big-endian form.
The verification key must correspond to a result produced by secp256k1_xonly_pubkey_serialize. This implies all of the following:
- The verification key is 32 bytes long.
- The bytes of the signature correspond to the x coordinate.
The input to verify is the message to be checked; this can be of any length, and can contain any bytes in any position.
The signature must correspond to a point R on the SECP256k1 curve, and an unsigned integer s in big-endian form.

The signature must follow the BIP-340 standard for encoding. This implies all the following:

The signature is 64 bytes long.
The first 32 bytes are the bytes of the x coordinate of R, as a big-endian unsigned integer.
The last 32 bytes are the bytes of s.

    ┏━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━┓
    ┃ R <32 bytes> │ s <32 bytes>  ┃
    ┗━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━┛
    <--------- signature ---------->

VRF-ed25519

Generalised specification

We use an additional hash function to that introduced in the Notation section. In particular one that maps a binary input to an element of the group $G$ , $H_{s 2 c} : {0, 1}^{*} \to G$ .

Pre Babbage

A $VRF$ function, in pre-Babbage eras, is defined by the following three algorithms:

$VrfKeyGen (1^{λ})$ follows the exact same procedure as $KeyGen (1^{λ})$ described in ed25519. Output key pair $(x, v k_{VRF})$ . We refer to the signing key $s k$ in the Ed25519 section as $s k_{VRF}$ .
$GenerateProof (x, v k_{VRF}, m)$ takes as input a keypair $(x, v k_{VRF})$ and a message $m$ , and returns the $VRF$ randomness $β$ together with a proof $Π$ . Use $x$ to derive $s k_{VRF}$ . Let $H \leftarrow H_{s 2 c} (v k_{VRF}, m)$ . Let $Γ \leftarrow s k_{VRF} \cdot H$ . Compute $r$ as defined in procedure $Sign$ as in ed25519. Let $c \leftarrow H (H ∣∣ Γ ∣∣ k \cdot G ∣∣ k \cdot H) [..128]$ . Compute $s \leftarrow (r + c \cdot s k_{VRF}) mod q$ . Finally, return the proof $Π \leftarrow (Γ, c, s)$ and the randomness $β \leftarrow H (suite_string ∣∣ 0 x 03 ∣∣ cofvar \cdot Γ ∣∣ 0 x 00)$ .
$Verify (m, v k_{VRF}, Π)$ takes as input a message $m$ , a verification key $v k_{VRF}$ and a vrf proof $Π$ , and returns $β$ or $false$ . It parses the proof as $(Γ, c, s) = Π$ , and computes $H \leftarrow H_{s 2 c} (v k_{VRF}, m)$ . Let $U \leftarrow s \cdot G - c \cdot v k_{VRF}$ and $V \leftarrow s \cdot H - c \cdot Γ$ . Compute the challenge $c^{'} \leftarrow H (H ∣∣ Γ ∣∣ U ∣∣ V) [..128]$ . If $c^{'} = c$ , then return $β \leftarrow H (suite_string ∣∣ 0 x 03 ∣∣ cofvar \cdot Γ ∣∣ 0 x 00)$ , otherwise, return $false$ .

Post Babbage

A $VRF$ function, in post-Babbage eras, is defined by the following three algorithms:

$VrfKeyGen (1^{λ})$ follows the exact same procedure as $KeyGen (1^{λ})$ described in ed25519. Output key pair $(x, v k_{VRF})$ . We refer to the signing key $s k$ in the Ed25519 section as $s k_{VRF}$ .
$GenerateProof (x, v k_{VRF}, m)$ takes as input a keypair $(x, v k_{VRF})$ and a message $m$ , and returns the $VRF$ randomness $β$ together with a proof $Π$ . Use $x$ to derive $s k_{VRF}$ . Let $H \leftarrow H_{s 2 c} (v k_{VRF}, m)$ . Let $Γ \leftarrow s k_{VRF} \cdot H$ . Compute $r$ as defined in procedure $Sign$ as in ed25519. Let $c \leftarrow H (H ∣∣ Γ ∣∣ k \cdot G ∣∣ k \cdot H)$ . Compute $s \leftarrow (r + c \cdot s k_{VRF}) mod q$ . Finally, return the proof $Π \leftarrow (Γ, k \cdot G, k \cdot H, s)$ and the randomness $β \leftarrow H (suite_string ∣∣ 0 x 03 ∣∣ cofvar \cdot Γ ∣∣ 0 x 00)$ .
$Verify (m, v k_{VRF}, Π)$ takes as input a message $m$ , a verification key $v k_{VRF}$ and a vrf proof $Π$ , and returns $β$ or $false$ . It parses the proof as $(Γ, U, V, s) = Π$ , and computes $H \leftarrow H_{s 2 c} (v k_{VRF}, m)$ . Next, compute $c \leftarrow H (H ∣∣ Γ ∣∣ k \cdot G ∣∣ k \cdot H) [..128]$ . Finally, if $U = s \cdot G - c \cdot v k_{VRF}$ and $V = s \cdot H - c \cdot Γ$ , then return $β = H (suite_string ∣∣ 0 x 03 ∣∣ cofvar \cdot Γ ∣∣ 0 x 00)$ , otherwise, return $false$ .

This change allows for batch verification of proofs, which achieve up to a times two improvement in verification time, in exchange of a larger proof.

Parameters of instantiation

Some of the concrete parameter instantiations also differ between pre-Babbage and post-Babbage eras. We begin by describing those which coincide, and follow with a separate description for the ones that differ.

Parameter $ℓ (κ)$ and suite $suite_string$ : We set $ℓ (κ) = 512$ . We choose the suite $ECVRF_EDWARDS25519_SHA512_ELL2$ , as defined in the standard draft¹. This sets the parameter $suite_string$ as $0 x 04$ and the following parameters.
Curve: We define the curve, and by consequence the finite prime order field, security parameter, cofactor, prime order subgroup and generator, as described in the ed25519 paper². In particular, we use Edwards25519 which is birationally equivalent to Curve25519.
Hash: As a hashing algorithm we use SHA512.

Pre Babbage

We proceed with the specifications on pre-Babbage eras.

Draft version: pre-Babbage eras are build on top of Version 03 of the standards draft³.
Deserialization: A $VRF$ proof is represented by 80 bytes: the first 32 bytes, $b_{[..32]}$ , represent the point $Γ$ , the following 16 bytes, $b_{[32..48]}$ , represent the scalar $c$ , and the final 32 bytes, $b_{[48..]}$ , represent the scalar $s$ . A public key is also represented as 32 bytes, $b_{p k}$ . Deserialization is valid only if:
- $b_{[..32]}$ when read as a little-endian integer, it is smaller than $p$ .
- $b_{p k}$ does not represent a low order point (by checking against a precomputed blacklist of size $cofvar$ , and when read as a little-endian integer, it is smaller than $p$ .
Hash to curve $H_{s 2 c}$ : Elligator mapping, over a scalar computed by hashing $suite_string ∣∣ 0 x 01 ∣∣ v k_{VRF} ∣∣ m$ . The mechanism is described in Section~5.4.1.2 of version 3 of the draft. Note that for implementing the mechanism as described in the draft, the sign bit is cleared before calling the elligator function, meaning that the latter always works with sign = 0 (see $_vrf_ietfdraft03_hash_to_curve_elligator2_25519$ function). See Appendix A.4 of version 3 of the draft for test vectors.

Post Babbage

We finalize with the specifications of post-Babbage eras.

Draft version: post-Babbage eras are build on top of a batch-compatible version of Version 10 of the standards draft⁴. The specific construction is described in the technical spec studying the security of batch compatibility⁵.
Deserialization: A $VRF$ proof is represented by 128 bytes: the first 32 bytes, $b_{[..32]}$ , represent the point $Γ$ , the following 32 bytes, $b_{[32..64]}$ , represent the point $U$ , the following 32 bytes, $b_{[64..96]}$ , represent the point $V$ , and the final 32 bytes, $b_{[96..]}$ , represent the scalar $s$ . A public key is also represented as 32 bytes, $b_{p k}$ . Deserialization is valid only if:
- $b_{[..32]}$ when read as a little-endian integer, it is smaller than $p$ .
- $b_{[96..]}$ when read as a little-endian integer, is smaller than $q$ .
- $b_{p k}$ does not represent a low order point (by checking against a precomputed blacklist of size $cofvar$ , and when read as a little-endian integer, it is smaller than $p$ .
Hash to curve $H_{s 2 c}$ : Hash to curve algorithm as defined in the hash to curve standard⁶, version 12, Section 6.8.2 (non uniform version). For test vectors, one can use those presented in Appendix J.5.2 of that same document. Reference implementation can be found in the libsodium fork.

Goldberg, Reyzin, Papadopoulos and Včelák, Verifiable Random Functions (VRFs); version 15

Bernstein, Duif, Lange, Schwabe and Yang, High-Speed High-Security Signatures

Goldberg, Reyzin, Papadopoulos and Včelák, Verifiable Random Functions (VRFs); version 03

⁵

Badertscher, Gazi, Querejeta-Azurmendi and Russell, On UC-Secure Range Extension and Batch Verification for ECVRF

⁶

Faz-Hernández, Scott, Sullivan, Wahby and Wood, Hashing to Elliptic Curves