You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/leios-design/README.md
+33-2Lines changed: 33 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -727,7 +727,25 @@ The requirements are organized into two main categories: **core functionality**,
727
727
728
728
- **Proof-of-Possession**
729
729
- The `blst` C library does not provide a direct interface for generating a proof of possession ($PoP$).
730
-
- This functionality must be implemented manually in `cardano-base`, leveraging the existing `blst` bindings to construct a $PoP$ from the available primitives.
730
+
- This functionality must be implemented manually in `cardano-base`, leveraging the existing `blst` bindings and will be exposed as part of the BLS signing interface.
731
+
- For each BLS keypair `(sk_bls, pk_bls)`, let `pk_bytes` be the canonical compressed encoding of `pk_bls`.
732
+
- The PoP is defined as a BLS signature over the fixed message: `msg_pop = “PoP” || pk_bytes` where `"PoP"` is a fixed ASCII tag. This ensures that PoP messages are clearly separated from vote messages and cannot be confused with them.
733
+
- PoP generation and verification are performed through dedicated PoP helper functions in the BLS signing module. Although the exact API shape differs by implementation language, the logical interface follows:
734
+
```
735
+
pop = derive_pop(sk_bls, context_pop)
736
+
ok = verify_pop(pk_bls, pop, context_pop)
737
+
```
738
+
where `context_pop` provides the domain-separation settings (e.g., DST).
739
+
- The PoP and vote-signature domains must be distinct.
740
+
Leios **must** use a PoP-specific domain separation tag (`DST_POP`) that differs from the tag used for vote signatures (`DST_VOTE`).
741
+
This prevents PoPs from being repurposed as votes and preserves the security separation between registration and voting.
742
+
- The current BLS implementation in Cardano uses the base domain-separation tag: `“BLS_DST_CARDANO_BASE_V1”`
743
+
744
+
For Leios, we recommend deriving protocol-specific DSTs from this base value, for example:
745
+
```
746
+
DST_POP = “BLS_DST_CARDANO_BASE_LEIOS_POP_V1”
747
+
DST_VOTE = “BLS_DST_CARDANO_BASE_LEIOS_VOTE_V1”
748
+
```
731
749
732
750
- **Public key derivation**
733
751
- Implement deterministic derivation of the public key ($pk$) from the corresponding secret key ($sk$) for the selected BLS variant.
@@ -747,8 +765,18 @@ The requirements are organized into two main categories: **core functionality**,
747
765
748
766
- **Aggregation**
749
767
750
-
The core cryptographic feature of Leios EB certificates is the ability to aggregate signatures from persistent voters. By combining multiple signatures into a single compact representation, we achieve significant space efficiency within EB blocks. This aggregation also enables more efficient verification, as a single pairing check can replace many individual ones—saving numerous expensive pairing operations while requiring only a few lightweight point additions in $G_1$ or $G_2$.
768
+
The Leios EB certificate contains a single aggregated BLS signature over the message
769
+
```
770
+
msg_vote = (election_id, EB_hash)
771
+
```
772
+
All valid votes from both **persistent** and **non-persistent** voters can be combined into the same aggregated signature.
773
+
774
+
- **Persistent voters**
775
+
These are always eligible and require only their public key and signature.
751
776
777
+
- **Non-persistent voters**
778
+
These voters succeed in a sortition and must also provide an eligibility proof.
779
+
752
780
To support this functionality, several helper functions should be implemented:
753
781
- A function to aggregate multiple public keys into a single aggregated key.
754
782
- A function to aggregate multiple signatures into a single aggregated signature.
@@ -780,6 +808,9 @@ The requirements are organized into two main categories: **core functionality**,
780
808
#### Performance and quality
781
809
- **Performance benchmarks**
782
810
- Benchmark single-verify, aggregate-verify, and batch-verify; report the impact of batching vs individual verification.
811
+
- Ensure that certificate generation and certificate verification both fit comfortably within protocol deadlines.
812
+
- Provide comparable measurements across implementations (Haskell, Rust, and future node variants).
813
+
- Track performance evolution over time on stable, dedicated hardware.
783
814
784
815
- **Rust parity**
785
816
- Compare performance against the Rust implementation; document gaps and ensure functional parity on vectors.
0 commit comments