Module MinSig.Pop

Follows section 3.3 of the BLS signature specification (the proof-of-possession scheme).

A proof of possession scheme uses a separate public key validation step, called a proof of possession, to defend against rogue key attacks: a verifier accepts a public key into an aggregate only after checking that its owner knows the matching secret key. Because every aggregated key has been validated in this way, verification of an aggregate signature can be optimized for the case where all signatures are on the same message.

type proof = Stdlib.Bytes.t
val sign : sk -> Stdlib.Bytes.t -> signature

Equivalent to core_sign with the DST given in the specification, section 4.2.3. This DST is specific to the proof-of-possession ciphersuite, so a signature produced here does not verify under the basic or message-augmentation schemes, and vice versa.

val verify : pk -> Stdlib.Bytes.t -> signature -> bool

Equivalent to core_verify with the DST given in the specification, section 4.2.3.

val pop_prove : ?msg:pk -> sk -> proof

pop_prove ?msg sk implements the PopProve algorithm described in section 3.3.2. By default the proof is computed over the public key derived from sk; if msg is provided, the proof is computed over msg instead.

val pop_verify : pk -> ?msg:pk -> proof -> bool

pop_verify pk ?msg proof implements the PopVerify algorithm described in section 3.3.3. By default the proof is checked against pk itself; if msg is provided, the proof is checked against msg instead of pk. A proof must be verified against the public key that will later be used in aggregate verification; a proof that verifies for one key says nothing about another.

val aggregate_verify : (pk * proof) list -> Stdlib.Bytes.t -> signature -> bool

aggregate_verify pks msg aggregated_signature performs an aggregate signature verification. It assumes that every signer signed the same message msg. Each public key is supplied together with its proof of possession, so that no unvalidated key enters the aggregate. It implements the FastAggregateVerify algorithm specified in section 3.3.4.
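The full flow (key generation, proof of possession, single-message signing, aggregation and FastAggregateVerify), as an added example that is not part of this module's documentation or the library's own code. It assumes the module is reached as Bls12_381_signature.MinSig and that the surrounding MinSig module, which is not shown on this page, provides generate_sk, derive_pk and aggregate_signature_opt; the key material and message are constructed values for a reproducible run.

```ocaml
(* Added example, not library code. Assumed module path and MinSig helpers
   (generate_sk, derive_pk, aggregate_signature_opt) come from the
   bls12-381-signature package. Build:
   ocamlfind ocamlopt -package bls12-381-signature -linkpkg pop_example.ml *)

module S = Bls12_381_signature.MinSig

(* Constructed, fixed IKM (at least 32 bytes) so the run is reproducible.
   Real deployments draw IKM from a CSPRNG. *)
let sk_of_ikm (b : char) : S.sk = S.generate_sk (Bytes.make 32 b)

(* The check a verifier should perform: validate every proof of possession
   against the key it is presented with BEFORE trusting the aggregate. This
   does not rely on aggregate_verify checking proofs internally. *)
let checked_aggregate_verify (pks : (S.pk * S.Pop.proof) list) (msg : Bytes.t)
    (agg : S.signature) : bool =
  List.for_all (fun (pk, proof) -> S.Pop.pop_verify pk proof) pks
  && S.Pop.aggregate_verify pks msg agg

let () =
  let sk1 = sk_of_ikm '\x01' and sk2 = sk_of_ikm '\x02' in
  let pk1 = S.derive_pk sk1 and pk2 = S.derive_pk sk2 in

  (* 1. Each signer publishes a proof of possession next to its public key. *)
  let proof1 = S.Pop.pop_prove sk1 and proof2 = S.Pop.pop_prove sk2 in
  assert (S.Pop.pop_verify pk1 proof1);
  assert (S.Pop.pop_verify pk2 proof2);
  (* A proof is bound to its own key: proof1 must not verify for pk2. *)
  assert (not (S.Pop.pop_verify pk2 proof1));

  (* 2. Both signers sign the same (constructed) message. *)
  let msg = Bytes.of_string "constructed message: attest block 42" in
  let sig1 = S.Pop.sign sk1 msg and sig2 = S.Pop.sign sk2 msg in
  assert (S.Pop.verify pk1 msg sig1);
  assert (S.Pop.verify pk2 msg sig2);

  (* 3. Aggregate the two signatures into one. *)
  let agg =
    match S.aggregate_signature_opt [ sig1; sig2 ] with
    | Some s -> s
    | None -> failwith "signature aggregation failed"
  in

  (* 4. FastAggregateVerify over the validated keys. *)
  assert (checked_aggregate_verify [ (pk1, proof1); (pk2, proof2) ] msg agg);

  (* 5. Cases a verifier must reject:
        - a key presented with someone else's proof (rogue-key defence),
        - a signer missing from the key list,
        - a different message than the one actually signed. *)
  assert (not (checked_aggregate_verify [ (pk1, proof1); (pk2, proof1) ] msg agg));
  assert (not (checked_aggregate_verify [ (pk1, proof1) ] msg agg));
  assert (
    not
      (checked_aggregate_verify
         [ (pk1, proof1); (pk2, proof2) ]
         (Bytes.of_string "a different message") agg));
  print_endline "proof-of-possession example: all checks passed"
```

The explicit pop_verify loop in checked_aggregate_verify is the step the specification's FastAggregateVerify takes for granted: the optimization is only sound if every key in the list has been validated, so a verifier that accepts keys from the network should run that loop (or an equivalent registration-time check) before calling aggregate_verify.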