[curves] Schnorrkel

Jeff Burdges burdges at gnunet.org
Sat Jun 22 15:25:29 PDT 2019

At some point last fall I started playing around with an ed25519-dalek fork, and it kinda snowballed..

We now have a crate that implements an NSEC5 style VRF and 3-round trip Schnorr multi-signatures, using Ristretto for the group and recommending merlin (STROBE) for hashing:  https://github.com/w3f/schnorrkel/


It attempts to strike a reasonable balance between missuse resistance and flexibility, so we expose the DLEQ proofs underlying the VRF, but address malleability aggressively to support “HDKD", and session type are used for multi-signatures.  We expect to add a 2-round trip multi-signature akin to mBCJ eventually, but adapted for more realistic use cases than the published mBCJ.

I’d love to get feedback either in the mailing list or in the issues https://github.com/w3f/schnorrkel/issues where some interesting discussion topics remain open.

There is nothing here that really requires Ristretto of course, but it’s good to have the basics handy in Ristretto, since no map from Ristretto to Ed25519 will be standardised.  And merlin makes everything far more readable.

And the only bit twiddling is to support batch verification of both schnorrkel and ed25519 signatures without knowing which is which in advance:  https://github.com/w3f/schnorrkel/blob/master/src/sign.rs#L81  ;)


p.s.  We’re hiring cryptography researchers:

More information about the Curves mailing list