c255b3 0.0.1

Schnorr signatures based on Curve25519 and Blake3
# c255b3: Schnorr signatures using Curve25519 and Blake3.

Note: This is not [Ed25519]. If you want Ed25519, please use the excellent [ed25519-dalek] crate.

Warning! This is an alpha version of a (slightly) novel cryptographic primitive.
It has not been audited and you may encounter breaking API and cryptographic changes until the first stable version!
Use at your own risk!

[ed25519-dalek]: https://crates.io/crates/ed25519-dalek

This is a mostly straightforward parameterization of [Schnorr signatures][Schnorr] with [Curve25519] and [Blake3].
The two deviations from the scheme are:

- The keyed version of Blake3 is used to provide domain separation.
- The random variable `k` is deterministic by default: a Blake3 hash of the message, keyed with a derivative of the private key and domain.

[Schnorr]: https://en.wikipedia.org/wiki/Schnorr_signature
[Curve25519]: https://en.wikipedia.org/wiki/Curve25519
[Ed25519]: https://en.wikipedia.org/wiki/Ed25519
[Blake3]: https://github.com/BLAKE3-team/BLAKE3
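
The two deviations above, as an added sketch that is not the crate's code: Schnorr over the Edwards form of Curve25519, with a domain-derived hash key for the challenge and a nonce `k` hashed from the message under a key derived from the private key and domain. Keyed BLAKE2b from Python's standard library stands in for keyed Blake3, and the hash inputs, key derivation and point encoding are assumptions, not c255b3's wire format.

```python
import hashlib

# ASSUMPTIONS: keyed BLAKE2b stands in for keyed BLAKE3 (no BLAKE3 in the stdlib);
# hash inputs, key derivation and encodings are illustrative, not c255b3's format.
P = 2**255 - 19                                        # Curve25519 field prime
Q = 2**252 + 27742317777372353535851937790883648493    # prime order of base point
D = -121665 * pow(121666, -1, P) % P   # Edwards form: -x^2 + y^2 = 1 + D*x^2*y^2

def add(a, b):                         # complete Edwards addition, affine points
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):                        # double-and-add, NOT constant time
    acc = (0, 1)                       # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def base_point():                      # standard base point, recovered from y = 4/5
    y = 4 * pow(5, -1, P) % P
    u = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(u, (P + 3) // 8, P)
    if x * x % P != u:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (P - x if x & 1 else x, y)

B = base_point()
enc = lambda pt: pt[0].to_bytes(32, "little") + pt[1].to_bytes(32, "little")
domain_key = lambda domain: hashlib.blake2b(domain, digest_size=32).digest()

def keyed(key, data):                  # keyed hash reduced to a scalar mod Q
    return int.from_bytes(hashlib.blake2b(data, key=key, digest_size=64).digest(), "little") % Q

def sign(sk, msg, domain):
    dk = domain_key(domain)
    nk = hashlib.blake2b(sk.to_bytes(32, "little"), key=dk, digest_size=32).digest()
    k = keyed(nk, msg)                 # deterministic nonce from key, domain, message
    R = mul(k, B)
    e = keyed(dk, enc(R) + enc(mul(sk, B)) + msg)   # domain-separated challenge
    return R, (k + e * sk) % Q

def verify(pk, msg, sig, domain):
    R, s = sig
    e = keyed(domain_key(domain), enc(R) + enc(pk) + msg)
    return mul(s, B) == add(R, mul(e, pk))          # s*B == R + e*A
```

A signature made under one domain fails verification under another, and signing the same message twice with the same key and domain yields the same `(R, s)`.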

## Why?

The initial motivation was preparing for embedded versions of [converge].
We already use the Blake3 hash function for bulk data,
and adding SHA512 solely for Ed25519 signatures isn't necessary.

That said, there are other benefits:

- proper application-specific domain separation for signatures
- support for non-deterministic signatures with application-supplied nonces
- well specified secret and public keys
- a [*much* faster][Blake3] hash function

## License

This project is dedicated to the public domain, see the [UNLICENSE](./UNLICENSE) for details.