Update Description

Uncle Stretch 2025-10-07 20:18:59 +02:00
parent 8a58174fe1
commit 3d3dac128f

@ -4,7 +4,7 @@
We present EXODUS, an algorithm that lets N signers aggregate their public keys and signatures so a verifier needs to check only a single signature. The verifier can also exclude missing signers, enabling EXODUS to operate as a tofn scheme. EXODUS combines compact signature aggregation with signerspecific coefficient hashing and explicit transcript binding to provide a practical, secure, and flexible multisignature primitive: it produces signatures indistinguishable in size and verification cost from a singleparty signature while preventing roguekey and substitution attacks by deterministically deriving each participants weight from a canonical encoding of the signer set and domain data; it preserves full signer autonomy because no aggregated private key or secretsharing is ever created.
_Note: EXODUS does not use Shamir Secret Sharing or any Distributed SecretSharing scheme during aggregation. Each signer remains fully independent — no aggregated private key is ever constructed or stored. Instead, the aggregate public key is deterministically derived from the validators' session public keys using signerspecific coefficients computed from a binding encoding of the participant set and session transcript. This preserves simple key management, avoids keyreconstruction or trusted dealers, and ensures the aggregate key and resulting signature accurately reflect exactly state of the current validator set.
_Note_: EXODUS does not use Shamir Secret Sharing or any Distributed SecretSharing scheme during aggregation. Each signer remains fully independent — no aggregated private key is ever constructed or stored. Instead, the aggregate public key is deterministically derived from the validators' session public keys using signerspecific coefficients computed from a binding encoding of the participant set and session transcript. This preserves simple key management, avoids keyreconstruction or trusted dealers, and ensures the aggregate key and resulting signature accurately reflect exactly state of the current validator set.
Below is a concise, stepbystep verifier procedure and the verification formulas. This section focuses exclusively on the verifiers responsibilities; the signature aggregation internals are omitted here.
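Review bot: the rewritten Note line still ends with "accurately reflect exactly state of the current validator set", which is missing an article and doubles the adverb. Since this commit already touches the line to close the emphasis marker around "Note", suggest "reflect exactly the state of the current validator set". The Note also describes the coefficients as computed from "a binding encoding of the participant set and session transcript", while the unchanged paragraph above it says "a canonical encoding of the signer set and domain data". Use one wording for the hash input, and one of signer, validator or participant, so a reader implementing the coefficient derivation can tell these are the same input.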