Schnorrkel implements Schnorr signature on Ristretto compressed Ed25519 points, as well as related protocols like HDKD, MuSig, and a VRF.
Ristretto implements roughly section 7 of Mike Hamburg's Decaf paper to provides the 2-torsion free points of the Ed25519 curve as a prime order group. (related)
We employ the merlin strategy of type specific hashing methods with sound domain seperation. These wrap Mike Hamburg's STROBE128 construction for symmetric cryptography, itself based on Keccak.
In practice, all our methods consume either a merlin::Transcript
which developers create handily by feeding data to context specific builders. We do however also support &mut merlin::Transcript
like the merlin
crate prefers. We shall exploit this in future to adapt schnorrkel to better conform with the dalek ecosystem's zero-knowledge proof tooling.
Aside from some naive sequential VRF construction, we currently only support the three-round MuSig for Schnorr multi-signatures, due to all other Schnorr signatures being saomewhat broken. In future, we should develop secure schemes like mBCJ from section 5.1 starting page 21 of https://eprint.iacr.org/2018/417 however mBCJ itself works by proof-of-possesion, while a delinearized variant sounds more applicable.