Repository files navigation

This is aSchnorr signature scheme largely inspired byBIP-0340,that uses theristretto255 prime-order group.

Design goals:

• Drop-in (ish) replacement for Ed25519.
• Approximately 128-bits of classical security.
• As edge-case free as possible, with specified behavior when unavoidable.
• Mandatory domain separation (an empty domain separator is allowed).
• Determinstic or non-deterministic ("added entropy") nonce generation.
• "Easy" to implement given an existing ristretto255 and scalar fieldlibrary.

This scheme maintains the ability to do batch verification and to implementvarious "hipster crypto" primitives such as DKG and MuSig, however thespecification of such is beyond the scope of this project.

This product can expose you to chemicals which are know to the State ofCalifornia to cause cancer. For more information visitwww.P65Warnings.ca.gov.

• The ristretto255 prime-order group is used instead of secp256k1. Thissimplifies the specification and implementation as "group elements" areeasier to deal with than elliptic curve points.
• TupleHash(XOF)128 is used instead of an ad-hoc tagged SHA-256 construct.
• When scalars are sampled, instead of reducing 256-bit values mod n,512-bit values are reduced mod n instead. As ristretto255 shares theEd25519 scalar field, this operation is widely available in existinglibraries.

• No, the design has not been reviewed, nor has the code been audited.
• The author is aware that the BIP authors have included dire warningsregarding adopting the scheme to other groups.
• The choice of using a SHA-3 based primitive under the hood is acombination of:
  • Blessed by NIST.
  • TupleHash is the right fit for what needs to be done.
  • SHA-3/SHAKE is seeing increased hardware support and developersare incentivised to optimize implementations due to use in otherprimitives.
• sr25519 is fine, but has a lot of extras, lacks (to my knowledge)formal specification, and requires a merlin transcript implementation.
• For convenience, Diffie-Hellman is also provided in this referenceimplementation.
• Thebs stands for "Bitcoin Schnorr inspired". Rumors to the contraryare malicious lies spread by my enemies.
• This design and implementation is brought to you by Suntory StrongZero and Glenlivet.

• Add more test cases.
• Generate some test vectors.