Struct Signature 

pub struct Signature { /* private fields */ }

A deterministic Falcon512 Poseidon2 signature over a message.

The signature is a pair of polynomials (s1, s2) in (Z_p[x]/(phi))^2 a nonce r, and a public key polynomial h where:

• p := 12289
• phi := x^512 + 1

The signature verifies against a public key pk if and only if:

1. s1 = c - s2 * h
2. |s1|^2 + |s2|^2 <= SIG_L2_BOUND

where |.| is the norm and:

• c = HashToPoint(r || message)
• pk = Poseidon2::hash(h)

Here h is a polynomial representing the public key and pk is its digest using the Poseidon2 hash function. c is a polynomial that is the hash-to-point of the message being signed.

To summarize the main points of differences with the reference implementation, we have that:

1. the hash-to-point algorithm is made deterministic by using a fixed nonce r. This fixed nonce is formed as nonce_version_byte || preversioned_nonce where preversioned_nonce is a 39-byte string that is defined as: i. a byte representing log_2(512), followed by ii. the UTF8 representation of the string “FALCON-POSEIDON2-DET”, followed by iii. the required number of 0_u8 padding to make the total length equal 39 bytes. Note that the above means in particular that only the nonce_version_byte needs to be serialized when serializing the signature. This reduces the deterministic signature compared to the reference implementation by 39 bytes.
2. the RNG used in the trapdoor sampler (i.e., the ffSampling algorithm) is ChaCha20Rng seeded with the Blake3 hash of log_2(512) || sk || message.

The signature is serialized as:

1. A header byte specifying the algorithm used to encode the coefficients of the s2 polynomial together with the degree of the irreducible polynomial phi. For Falcon512 Poseidon2, the header byte is set to 10111001 to differentiate it from the standardized instantiation of the Falcon signature.
2. 1 byte for the nonce version.
3. 625 bytes encoding the s2 polynomial above.

In addition to the signature itself, the polynomial h is also serialized with the signature as:

1. 1 byte representing the log2(512) i.e., 9.
2. 896 bytes for the public key itself.

The total size of the signature (including the extended public key) is 1524 bytes.

Implementations

impl Signature

pub fn new(nonce: Nonce, h: PublicKey, s2: SignaturePoly) -> Signature

Creates a new signature from the given nonce, public key polynomial, and signature polynomial.

pub fn public_key(&self) -> &PublicKey

Returns the public key polynomial h.

pub fn sig_poly(&self) -> &Polynomial<FalconFelt>

Returns the polynomial representation of the signature in Z_p[x]/(phi).

pub fn nonce(&self) -> &Nonce

Returns the nonce component of the signature.

pub fn verify(&self, message: Word, pub_key: &PublicKey) -> bool

Returns true if this signature is a valid signature for the specified message generated against the secret key matching the specified public key commitment.

Trait Implementations

impl Clone for Signature

fn clone(&self) -> Signature

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Signature

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl Deserializable for Signature

fn read_from<R>(source: &mut R) -> Result<Signature, DeserializationError>

where R: ByteReader,

Reads a sequence of bytes from the provided source, attempts to deserialize these bytes into Self, and returns the result.

fn min_serialized_size() -> usize

Returns the minimum serialized size for one instance of this type.

fn read_from_bytes(bytes: &[u8]) -> Result<Self, DeserializationError>

Attempts to deserialize the provided bytes into Self and returns the result.

fn read_from_bytes_with_budget( bytes: &[u8], budget: usize, ) -> Result<Self, DeserializationError>

Deserializes Self from bytes with a byte budget limit.

impl PartialEq for Signature

fn eq(&self, other: &Signature) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serializable for Signature

fn write_into<W>(&self, target: &mut W)

where W: ByteWriter,

Serializes self into bytes and writes these bytes into the target.

fn to_bytes(&self) -> Vec<u8>

Serializes self into a vector of bytes.

fn get_size_hint(&self) -> usize

Returns an estimate of how many bytes are needed to represent self.

impl Eq for Signature

impl StructuralPartialEq for Signature