ghostchain/ghost-exodus-draft
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Description

Uncle Stretch 2025-10-07 20:07:37 +02:00
commit 8a58174fe1
1 changed files with 65 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
Description.md Normal file

@ -0,0 +1,65 @@
# EXODUS - EXchange Of Digital Uniformed Signatures
## Abstract
We present EXODUS, an algorithm that lets N signers aggregate their public keys and signatures so a verifier needs to check only a single signature. The verifier can also exclude missing signers, enabling EXODUS to operate as a tofn scheme. EXODUS combines compact signature aggregation with signerspecific coefficient hashing and explicit transcript binding to provide a practical, secure, and flexible multisignature primitive: it produces signatures indistinguishable in size and verification cost from a singleparty signature while preventing roguekey and substitution attacks by deterministically deriving each participants weight from a canonical encoding of the signer set and domain data; it preserves full signer autonomy because no aggregated private key or secretsharing is ever created.
_Note: EXODUS does not use Shamir Secret Sharing or any Distributed SecretSharing scheme during aggregation. Each signer remains fully independent — no aggregated private key is ever constructed or stored. Instead, the aggregate public key is deterministically derived from the validators' session public keys using signerspecific coefficients computed from a binding encoding of the participant set and session transcript. This preserves simple key management, avoids keyreconstruction or trusted dealers, and ensures the aggregate key and resulting signature accurately reflect exactly state of the current validator set.
Below is a concise, stepbystep verifier procedure and the verification formulas. This section focuses exclusively on the verifiers responsibilities; the signature aggregation internals are omitted here.
## Verifier prerequisites
* Stores only the aggregated public key (stateless as much as possible).
* Should be as minimal as possible to fit in the EVM limitations.
* Because of EVM nature, all numbers are 256 bit.
## Verifier terminology
* $taggedhash$ - domain-separated SHA-256 hash, bytes concatenated.
* $G$ - generator base point for the elliptic curve.
* $H_{\text{agg}}$ - description here.
* $m$ - number of missing signers.
## Verifier inputs
* $R$ - aggregated public nonce.
* $s$ - partially aggregated signature or fully aggreagated signature if there's no missing signers.
* $message$ - encoded transaction call for EVM.
* $a_{\text{il}}$ - first aggregation coefficient of neighbor when signer i is missing.
* $a_{\text{ir}}$ - second aggregation coefficient of neighbor when signer i is missing.
* $X_i$ - public key of the missing signer i.
* $R_{\text{i1}}$ - first public nonce of the missing signer i.
* $R_{\text{i2}}$ - second public nonce of the missing signer i.
## Verifier computes
$$ msg = keccak256(message) $$
$$ a_i = taggedhash(a_il, a_ir, taggedhash(X_i)) $$
$$ b = taggedhash(H_{\text{agg}}, (R_x, R_y), msg) $$
$$ d = taggedhash(msg, (R_y, R_x), H_{\text{agg}}) $$
$$ e = taggedhash(H_agg, R_x, msg) $$
<br />
$$ Verify $$
$$ s*G + \sum_i^m (e*(a_i * X_i) + b*R_{\text{i1}} + d*R_{\text{i2}}) = R + e*H_{\text{agg}} $$
$$ OR $$
$$ s*G - e*H_{\text{agg}}= R - \sum_i^m (e*(a_i * X_i) + b*R_{\text{i1}} + d*R_{\text{i2}}) $$
## Reporting issues and feedback
If you find any issue with code and/or the formula, please report it via one of the links below or open an issue on the website if you have an account. Contributions, extensions, and questions are welcome.
Email: support@ghostchain.io
* [Twitter](https://x.com/realGhostChain)
* [Telegram](https://t.me/realGhostChain)
* [Discord](https://discord.com/invite/CvYP7vrqN3)