Cryptographic assumptions

zkSNARK layer

OpenAC’s PoC uses Spartan2 (a transparent SNARK, i.e. one with no trusted setup) via ecdsa-spartan2. Underlying Spartan publication: Spartan: Efficient and general-purpose zkSNARKs without trusted setup (IACR ePrint 2020/127).

Soundness and zero-knowledge statements inherit the proof system's assumptions in the standard way (Paper — soundness and zero-knowledge). Concretely, the transparent Spartan instantiation rests on the discrete-logarithm assumption in the commitment group (the Pedersen commitment and the inner-product argument) and on the random-oracle model for the Fiat-Shamir transform that makes the proof non-interactive.

Issuer PKI

ES256 verification assumes correct issuer public key material and a secure binding of that key to the issuer identifier the wallet intends to display. Signature verification alone authenticates nothing about the issuer: if the key is taken from the credential itself rather than from a trusted source (a pinned trust list or an authenticated discovery mechanism), any party can produce a credential that verifies under a key of their own choosing. The key should also be checked to be a valid P-256 point before use, since ES256 is defined only for that curve.

Curves & signatures

OpenAC uses two curves at different layers; conflating them is a common source of confusion:

| Layer | Curve | Role |
| --- | --- | --- |
| Issuer signature ($\sigma_I$) and device signature ($\sigma_{\mathit{ch}}$) | P-256 / secp256r1 (NIST P-256) | ECDSA signing of the SD-JWT and of the verifier nonce. Hard-coded in wallet-unit-poc/circom/circuits/jwt.circom and in the SDK's EcdsaPublicKey { kty: "EC", crv: "P-256", ... }. |
| Spartan2 proving curve $\mathbb{G}$ | Tom256 (T256) | Cycle partner of P-256: its scalar field equals P-256's base field $\mathbb{F}_p$, so P-256 coordinate arithmetic is native in-circuit and P-256 ECDSA verification is cheap (only this one direction of the cycle is used). Used by wallet-unit-poc/ecdsa-spartan2 for the Pedersen vector commitment and the Spartan2 IPA. |

The paper names the proving curve Tom256 (T256); the codebase configures Circom and the witnesscalc_adapter with the corresponding field prime under the alias secq256r1 (a P-256 cycle curve whose scalar field equals P-256's base field). The two names therefore refer to the same field: the $\mathbb{F}_q$ of the paper is the prime field Circom compiles the circuit over. See wallet-unit-poc/circom/circomkit.json ("prime": "secq256r1") and the ecdsa-spartan2 Cargo dependency on witnesscalc-adapter branch secq256r1-support. The repository's CLI is named ecdsa-spartan2 after the Spartan2 backend, not after the curve.

In paper notation: $\mathbb{G}$ is the Tom256 group of prime order $q$ used in $C = \prod_i g_i^{m_i} h^r$; $\mathbb{F} = \mathbb{F}_q$ is its scalar field; the messages $m_i$ (numerically encoded credential attributes) live in $\mathbb{F}$, while P-256 group elements only appear inside the circuit as in-circuit ECDSA verification.
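As an added example (not code from OpenAC or wallet-unit-poc), the following Python does the two checks the Issuer PKI and Curves & signatures sections above call for: it validates an SDK-style EcdsaPublicKey JWK as a genuine P-256 point before any ES256 verification, binds that key to the issuer identifier the wallet will display via a pinned trust list keyed by RFC 7638 thumbprint, and records which values are native to the circuit field. The P-256 constants are NIST's; the issuer identifier, the trust list and the private scalar are constructed for the example, and the circuit prime is assumed to be what the secq256r1 alias denotes (P-256's base-field prime, i.e. Tom256's scalar field).

```python
# Added example (not from OpenAC / wallet-unit-poc): validate an SDK-style
# EcdsaPublicKey JWK against P-256, bind it to the issuer identifier via a
# pinned trust list, and record which values are native to the circuit field.
# P-256 constants are NIST's; trust list, issuer id and private scalar are
# constructed; CIRCUIT_PRIME assumes circomkit's "secq256r1" alias is P-256's p.
import base64
import hashlib
import json

# NIST P-256 (secp256r1) domain parameters
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

# Circuit field prime q (circomkit "prime": "secq256r1"). Assumption: the alias
# denotes P-256's base-field prime, which is also Tom256's group order.
CIRCUIT_PRIME = 2**256 - 2**224 + 2**192 + 2**96 - 1

def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add (not constant-time; fine for public-key validation)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def jwk_from_point(pt):
    """Encode an affine point as the SDK-style {kty, crv, x, y} JWK."""
    enc = lambda v: base64.urlsafe_b64encode(v.to_bytes(32, "big")).rstrip(b"=").decode()
    return {"kty": "EC", "crv": "P-256", "x": enc(pt[0]), "y": enc(pt[1])}

def validate_p256_jwk(jwk):
    """Return (x, y) for a valid P-256 public key, else raise ValueError. Checks
    curve label, coordinate length and range, curve equation and group order, so
    a key on another curve or an invalid point never reaches ES256 verification."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("not a P-256 EC key")
    dec = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    xb, yb = dec(jwk["x"]), dec(jwk["y"])
    if len(xb) != 32 or len(yb) != 32:
        raise ValueError("coordinates must be exactly 32 bytes")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if x >= P or y >= P:
        raise ValueError("coordinate not reduced modulo p")
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    if ec_mul(N, (x, y)) is not None:  # cofactor is 1; belt and braces
        raise ValueError("point is not in the prime-order group")
    return (x, y)

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required members, sorted, no whitespace."""
    canon = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def resolve_issuer_key(iss, jwk, trust_list):
    """Accept the key only if it is the one pinned for the issuer identifier the
    wallet will display; a key taken from the credential itself proves nothing."""
    if iss not in trust_list:
        raise ValueError(f"unknown issuer {iss!r}")
    point = validate_p256_jwk(jwk)
    if jwk_thumbprint(jwk) != trust_list[iss]:
        raise ValueError(f"key is not the pinned key for {iss!r}")
    return point

def circuit_field_facts(point):
    """Coordinates are F_p elements and F_p is the circuit field, so they are
    native in-circuit; ECDSA scalars r, s live in F_n and need non-native math."""
    x, y = point
    return {"coords_native": x < CIRCUIT_PRIME and y < CIRCUIT_PRIME,
            "q_is_p256_base_prime": CIRCUIT_PRIME == P,
            "q_is_p256_order": CIRCUIT_PRIME == N}

# Constructed demo: hypothetical issuer with a fixed private scalar (example only).
DEMO_PRIV = 0x1D3B7A9C5E2F48601B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F607182
DEMO_JWK = jwk_from_point(ec_mul(DEMO_PRIV, G))
DEMO_TRUST_LIST = {"https://issuer.example": jwk_thumbprint(DEMO_JWK)}
```

Calling resolve_issuer_key("https://issuer.example", DEMO_JWK, DEMO_TRUST_LIST) returns the validated point; the same key presented under a different issuer identifier, or a different key under the pinned identifier, is rejected before any signature is checked. circuit_field_facts makes the layering explicit: q equals P-256's base prime and not its order, which is exactly why coordinates are cheap in-circuit while the ECDSA scalar arithmetic is not.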

Security parameter

Let $\lambda$ denote the computational security parameter controlling the negligible soundness error (as in the paper's PPT formulation).

$$\Pr[\text{forge}] \le \mathrm{negl}(\lambda)$$

(Formal theorem statements: see Paper — security.)