c255b3: Schnorr signatures using Curve25519 and Blake3.
Note: This is not Ed25519. If you want Ed25519, please use the excellent ed25519-dalek crate.
Warning! This is an alpha version of a (slightly) novel cryptographic primitive. It has not been audited and you may encounter breaking API and cryptographic changes until the first stable version! Use at your own risk!
This is a mostly straightforward parameterization of Schnorr signatures with Curve25519 and Blake3. The two deviations from the scheme are:
- The keyed version of Blake3 is used to provide domain separation.
- The random variable k is deterministic by default: a Blake3 hash of the message, keyed with a derivative of the private key and domain.
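The two deviations above, shown end to end as an added example (not code from c255b3 or its author). Assumptions: keyed BLAKE2b from Python's standard library stands in for keyed Blake3, the key and nonce derivations and the point encoding are illustrative rather than the crate's, and the affine edwards25519 arithmetic is not constant-time and does no point validation.

```python
import hashlib

# edwards25519 group (the curve behind Curve25519). Affine math, not constant-time.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime order of base point B
D = -121665 * pow(121666, -1, P) % P
By = 4 * pow(5, -1, P) % P
xx = (By * By - 1) * pow((D * By * By + 1) % P, -1, P) % P
Bx = pow(xx, (P + 3) // 8, P)  # square root candidate, valid since P % 8 == 5
if (Bx * Bx - xx) % P:
    Bx = Bx * pow(2, (P - 1) // 4, P) % P
B = (P - Bx if Bx & 1 else Bx, By)

def add(p, q):
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, pt):
    acc = (0, 1)  # identity element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def kh(key, *parts, n=64):
    h = hashlib.blake2b(key=key, digest_size=n)  # assumed stand-in for keyed Blake3
    for part in parts:
        h.update(len(part).to_bytes(8, "little") + part)  # unambiguous framing
    return h.digest()

def scalar(key, *parts):
    return int.from_bytes(kh(key, *parts), "little") % L

def enc(pt):
    return pt[0].to_bytes(32, "little") + pt[1].to_bytes(32, "little")

def sign(a, domain, msg, nonce=b""):
    dk = kh(b"", domain, n=32)                   # domain-separation key
    nk = kh(dk, a.to_bytes(32, "little"), n=32)  # derived from private key + domain
    k = scalar(nk, nonce, msg)                   # deterministic unless nonce is given
    R, A = mul(k, B), mul(a, B)
    return R, (k + scalar(dk, enc(R), enc(A), msg) * a) % L

def verify(A, domain, msg, R, s):
    e = scalar(kh(b"", domain, n=32), enc(R), enc(A), msg)
    return 0 <= s < L and mul(s, B) == add(R, mul(e, A))
```

A signature made under one domain string fails verification under any other, and passing a nonce yields a different but still valid signature for the same message.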
Why?
The initial motivation was preparing for embedded versions of [converge]. We already use the Blake3 hash function for bulk data, and adding SHA512 only for Ed25519 signatures isn't necessary.
That said, there are other benefits:
- proper application-specific domain separation for signatures
- support for non-deterministic signatures with application-supplied nonces
- well-specified secret and public keys
- a much faster hash function
License
This project is dedicated to the public domain; see the UNLICENSE for details.