Signature Encoding
Tidecoin identifies the post-quantum signature scheme through the public key, not by adding a scheme byte to every signature. A serialized PQ public key starts with a one-byte scheme prefix. The verifier reads that prefix, selects the corresponding scheme, and interprets the signature bytes with that scheme’s verifier.
This page is the byte-layout reference for PQ keys and signatures. For the canonical scheme registry, see Scheme Registry. For the cryptographic background, see Falcon and ML-DSA.
Public key layout
Serialized PQ public keys use this layout:
scheme_prefix || raw_scheme_public_key| Field | Size | Meaning |
|---|---|---|
scheme_prefix | 1 byte | One of the registered scheme IDs. |
raw_scheme_public_key | Scheme-specific | The public key bytes consumed by the scheme implementation. |
Known prefixes:
| Prefix | Scheme | Raw public key bytes | Serialized public key bytes |
|---|---|---|---|
0x07 | Falcon-512 | 897 | 898 |
0x08 | Falcon-1024 | 1,793 | 1,794 |
0x09 | ML-DSA-44 | 1,312 | 1,313 |
0x0A | ML-DSA-65 | 1,952 | 1,953 |
0x0B | ML-DSA-87 | 2,592 | 2,593 |
The experimental prefix range is 0xF0 through 0xFF. Those values are
reserved for experiments and must not be treated as mainnet-compatible
scheme assignments.
Signature layout
The signature passed to the scheme verifier is scheme-specific signature data. The scheme is selected from the prefixed public key.
For script spend paths that carry a standard sighash byte, the stack item has this practical layout:
scheme_signature || sighash_typeThe sighash byte is consumed by the script/signature-hash layer. It is not part of the raw Falcon or ML-DSA signature verified by the PQ scheme.
Signature sizes
| Scheme | Raw signature bytes | Script signature bytes with sighash | Size behavior |
|---|---|---|---|
| Falcon-512 | 666 padded, up to 752 maximum | 667 padded, up to 753 maximum | Falcon supports multiple internal encodings. |
| Falcon-1024 | 1,280 padded, up to 1,462 maximum | 1,281 padded, up to 1,463 maximum | Current signing path uses compressed PQClean API; padded size is used for fixed verification sizing. |
| ML-DSA-44 | 2,420 | 2,421 | Fixed size. |
| ML-DSA-65 | 3,309 | 3,310 | Fixed size. |
| ML-DSA-87 | 4,627 | 4,628 | Fixed size. |
The maximum script signature helper in the node is the maximum known raw signature size plus one sighash byte. The maximum script public key helper is the maximum known raw public key size plus one scheme prefix.
Falcon internal formats
Falcon signatures have an internal format byte in the Falcon signature encoding. Tidecoin’s code and documentation distinguish three Falcon forms:
| Format | Code | Size behavior | Notes |
|---|---|---|---|
| Compressed | 1 | Variable length | Compact representation. Falcon-512 averages around 652 bytes and has a 752-byte maximum; Falcon-1024 has a 1,462-byte maximum. |
| Padded | 2 | Fixed length | 666 bytes for Falcon-512, 1,280 bytes for Falcon-1024. |
| Constant-time | 3 | Fixed larger representation | Useful for implementation analysis; not the normal transaction size target. |
Legacy Falcon-512 signatures use the historical Falcon header byte
0x39. Falcon-1024 uses 0x3A. Strict verification uses the standard
PQClean verification path gated by consensus flags.
ML-DSA encoding
ML-DSA signatures are fixed-size scheme signatures. There is no Tidecoin scheme prefix inside the signature bytes and no Falcon-style compressed versus padded distinction. The verifier knows whether it is checking ML-DSA-44, ML-DSA-65, or ML-DSA-87 from the public-key prefix.
Parsing rules
A parser should apply these checks in order:
- Read the serialized public key prefix.
- Look up the prefix in the registered scheme table.
- Check that the raw public key length matches the selected scheme.
- Remove the sighash byte from script signatures where the script path defines one.
- Check the raw signature length against the selected scheme.
- Verify the raw signature against the transaction digest using the selected scheme and the active verification mode.
Unknown prefixes, prefixes not allowed at the current height, malformed public-key lengths, malformed signature lengths, and legacy Falcon signatures under strict verification must fail.
Source of truth
| Topic | Source |
|---|---|
| Prefixes and size helpers | ../tidecoin/src/pq/pq_scheme.h |
| Prefixed public-key verification dispatch | ../tidecoin/src/pubkey.cpp, ../tidecoin/src/pq/pq_api.h |
| Signing dispatch | ../tidecoin/src/key.cpp, ../tidecoin/src/pq/pq_api.h |
| Script verification flags | ../tidecoin/src/script/interpreter.h |
See also: Scheme Registry, Verification Modes, Falcon, ML-DSA.