Winternitz one-time signatures with BIP-39 keypair derivation.
no_std (no alloc). The signer and mnemonic paths
([WinternitzKeypair], [WinternitzPrivkey]) compile only off-Solana;
verification ([WinternitzSignature], [WinternitzPubkey],
[WinternitzRoot]) builds everywhere.
Security
Winternitz is a one-time signature scheme. Signing two different
messages with the same privkey scalars lets an attacker forge a signature
on a third message. Use [WinternitzKeypair::sign_and_increment] so the
position advances after every signature and no scalars are ever reused.
Derivation uses a custom magic string "Winternitz seed" and is
not BIP-32 compatible — keys derived here will not match those of any
standard Bitcoin or Solana wallet.
Parameters
All public types take a const generic N (number of message scalars).
N must be even and in 16..=32; the constraint is enforced at compile
time. N = 32 gives 256-bit message-hash security.
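A self-contained sketch of the scheme in the N = 32 case, added here as an example; it is not the crate's code. It assumes byte-sized scalars (w = 256), a two-byte checksum chain pair, and a constructed seed-derivation string in place of the crate's "Winternitz seed" derivation; the OneTimeSigner mirrors the sign-and-increment discipline described under Security.

```python
import hashlib

# Byte scalars (w = 256): N message scalars are the first N bytes of
# SHA-256(message); two checksum scalars sum(255 - m_i) are appended so
# that raising a message scalar forces a backward chain walk elsewhere.
N = 32            # message scalars; the page's N = 32 case
CHAINS = N + 2    # message scalars plus a 16-bit checksum
MAX_STEPS = 255   # chain length for w = 256

def _chain(x: bytes, steps: int) -> bytes:
    # Apply SHA-256 `steps` times.
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def _scalars(message: bytes) -> list[int]:
    # Message scalars plus checksum, checksum big-endian in 2 bytes.
    m = list(hashlib.sha256(message).digest()[:N])
    c = sum(MAX_STEPS - v for v in m)
    return m + [c >> 8, c & 0xFF]

def keygen(seed: bytes, position: int) -> tuple[list[bytes], bytes]:
    # Private scalars derive from (seed, position, chain index) under a
    # constructed domain string (assumption, not the crate's format);
    # the root hash over all chain ends is the public key.
    tag = b"example-wots-seed" + seed + position.to_bytes(4, "big")
    privkey = [hashlib.sha256(tag + bytes([i])).digest() for i in range(CHAINS)]
    pubkey = [_chain(s, MAX_STEPS) for s in privkey]
    return privkey, hashlib.sha256(b"".join(pubkey)).digest()

def sign(privkey: list[bytes], message: bytes) -> list[bytes]:
    # Reveal each chain walked forward by its scalar value.
    return [_chain(privkey[i], s) for i, s in enumerate(_scalars(message))]

def verify(root: bytes, message: bytes, sig: list[bytes]) -> bool:
    # Walk each revealed value the remaining steps and compare the root.
    if len(sig) != CHAINS:
        return False
    ends = [_chain(sig[i], MAX_STEPS - s) for i, s in enumerate(_scalars(message))]
    return hashlib.sha256(b"".join(ends)).digest() == root

class OneTimeSigner:
    # Each position's scalars sign exactly one message, then the position
    # advances, so the same scalars are never used twice.
    def __init__(self, seed: bytes):
        self.seed, self.position = seed, 0
    def sign_and_increment(self, message: bytes) -> tuple[bytes, list[bytes]]:
        privkey, root = keygen(self.seed, self.position)
        self.position += 1  # never reuse these scalars
        return root, sign(privkey, message)
```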