Crate schnorrkel

source ·
Expand description

Schnorr signature variants using Ristretto point compression.


Creating a signature on a message is simple.

First, we need to generate a Keypair, which includes both public and secret halves of an asymmetric key. To do so, we need a cryptographically secure pseudorandom number generator (CSPRNG).

use rand::{Rng, rngs::OsRng};
use schnorrkel::{Keypair,Signature};

let keypair: Keypair = Keypair::generate_with(OsRng);

We can now use this keypair to sign a message:

let context = signing_context(b"this signature does this thing");
let message: &[u8] = "This is a test of the tsunami alert system.".as_bytes();
let signature: Signature = keypair.sign(context.bytes(message));

As well as to verify that this is, indeed, a valid signature on that message:

assert!(keypair.verify(context.bytes(message), &signature).is_ok());

Anyone else, given the public half of the keypair can also easily verify this signature:

use schnorrkel::PublicKey;
let public_key: PublicKey = keypair.public;
assert!(public_key.verify(context.bytes(message), &signature).is_ok());


PublicKeys, MiniSecretKeys, Keypairs, and Signatures can be serialised into byte-arrays by calling .to_bytes(). It’s perfectly acceptable and safe to transfer and/or store those bytes. (Of course, never transfer your secret key to anyone else, since they will only need the public key to verify your signatures!)


let public_key_bytes: [u8; PUBLIC_KEY_LENGTH] = public_key.to_bytes();
let secret_key_bytes: [u8; SECRET_KEY_LENGTH] = keypair.secret.to_bytes();
let keypair_bytes:    [u8; KEYPAIR_LENGTH]    = keypair.to_bytes();
let signature_bytes:  [u8; SIGNATURE_LENGTH]  = signature.to_bytes();

And similarly, decoded from bytes with ::from_bytes():

let public_key: PublicKey = PublicKey::from_bytes(&public_key_bytes)?;
let secret_key: SecretKey = SecretKey::from_bytes(&secret_key_bytes)?;
let keypair:    Keypair   = Keypair::from_bytes(&keypair_bytes)?;
let signature:  Signature = Signature::from_bytes(&signature_bytes)?;

Using Serde

If you prefer the bytes to be wrapped in another serialisation format, all types additionally come with built-in serde support by building schnorrkell via:

$ cargo build --features="serde"

They can be then serialised into any of the wire formats which serde supports. For example, using bincode:

use bincode::{serialize};

let encoded_public_key: Vec<u8> = serialize(&public_key).unwrap();
let encoded_signature: Vec<u8> = serialize(&signature).unwrap();

After sending the encoded_public_key and encoded_signature, the recipient may deserialise them and verify:

use bincode::{deserialize};

let message: &[u8] = "This is a test of the tsunami alert system.".as_bytes();
let decoded_public_key: PublicKey = deserialize(&encoded_public_key).unwrap();
let decoded_signature: Signature = deserialize(&encoded_signature).unwrap();

assert!( public_key.verify(context.bytes(message), &signature).is_ok() );



  • Adaptor signature-based implicit certificate scheme for Ristretto
  • Schnorr signature contexts and configuration, adaptable to most Schnorr signature schemes.
  • Implementation of “hierarchical deterministic key derivation” (HDKD) for Schnorr signatures on Ristretto
  • Errors which may occur when parsing keys and/or signatures to or from wire formats.
  • Schnorr signatures on the 2-torsion free subgroup of ed25519, as provided by the Ristretto point compression.
  • musigDeprecated
    Implementation for Ristretto Schnorr signatures of “Simple Schnorr Multi-Signatures with Applications to Bitcoin” by Gregory Maxwell, Andrew Poelstra, Yannick Seurin, and Pieter Wuille
  • Ristretto point tooling
  • Schnorr signature creation and verification, including batch verification.
  • Implementation of a Verifiable Random Function (VRF) using Ristretto points and Schnorr DLEQ proofs.



  • Verify a batch of signatures on messages with their respective public_keys.
  • Verify a batch of signatures on messages with their respective public_keys.
  • Verify a batch of signatures on messages with their respective public_keys.