Winternitz one-time signatures with BIP-39 keypair derivation.
no_std (no alloc). The signer and mnemonic paths
(WinternitzKeypair, WinternitzPrivkey) compile only off-Solana;
verification (WinternitzSignature, WinternitzPubkey,
WinternitzRoot) builds everywhere.
§Security
Winternitz is a one-time signature scheme. Every signature reveals
intermediate values of the private hash chains, so signing two different
messages with the same privkey scalars exposes enough of them for an attacker
to forge signatures on further messages without the key. Use
WinternitzKeypair::sign_and_increment to enforce position advancement after
every signature.
Derivation uses a custom magic string "Winternitz seed" and is not BIP-32
compatible: keys derived here will not match any standard Bitcoin/Solana
wallet.
§Parameters
All public types take a const generic N (number of message scalars).
N must be even and in 16..=32; the constraint is enforced at compile
time. N = 32 gives 256-bit message-hash security.
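The layout above (N message scalars plus 2 checksum scalars of 32 bytes each, a Merkle root as the stored verifier value) and the one-time warning in §Security are easier to see in running code. The following is an added example written for this page, not the crate's own code. It assumes w = 256 (one hash chain per digest byte, 255 steps from private to public scalar), that the signer is handed a caller-supplied 32-byte digest, and it uses a placeholder mixing function `toy_hash` in place of a real hash; none of these assumptions are taken from the crate. The `forge` function carries out the attack the security note describes: after two signatures under one key, every chain is exposed at position min(d1_i, d2_i), and the attacker builds a third digest whose positions, checksum included, are all reachable from the exposed values.

```rust
// Added example (not the crate's code): a toy Winternitz OTS with w = 256 in
// the layout the crate describes, N message scalars + 2 checksum scalars of
// 32 bytes each, plus the two-signature forgery the §Security note warns of.
// Assumptions: `toy_hash` is a placeholder mixing function, not a real hash,
// and the signer takes a caller-supplied 32-byte digest (one chain per byte).

const N: usize = 32;    // message scalars = digest bytes
const L: usize = N + 2; // plus two checksum scalars
const CHAIN: u8 = 255;  // hash steps from a private scalar to its public scalar

type Scalar = [u8; 32];

/// Placeholder 32-byte hash (assumption): deterministic and domain-separated
/// by `domain`, but NOT collision- or preimage-resistant. Swap in SHA-256.
fn toy_hash(domain: u8, data: &[u8]) -> Scalar {
    let mut s = [0x9E37_79B9_7F4A_7C15u64 ^ domain as u64, 0xBF58_476D_1CE4_E5B9,
                 0x94D0_49BB_1331_11EB, data.len() as u64];
    for (i, &b) in data.iter().enumerate() {
        let l = i % 4;
        s[l] = (s[l] ^ b as u64).wrapping_mul(0x9E37_79B9_7F4A_7C15).rotate_left(29);
        s[(l + 1) % 4] = s[(l + 1) % 4].wrapping_add(s[l]);
    }
    for _ in 0..4 {
        for l in 0..4 {
            let v = s[l] ^ s[(l + 3) % 4].rotate_left(23);
            s[l] = (v ^ (v >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
        }
    }
    let mut out = [0u8; 32];
    for l in 0..4 { out[l * 8..l * 8 + 8].copy_from_slice(&s[l].to_le_bytes()); }
    out
}

/// Apply the chain hash `steps` times.
fn chain(mut x: Scalar, steps: u8) -> Scalar {
    for _ in 0..steps { x = toy_hash(0x01, &x); }
    x
}

/// Chain positions for a digest: its N bytes, then the 16-bit checksum
/// sum(255 - d_i) big-endian. Raising a message digit lowers the checksum,
/// which is what stops an attacker from simply walking every chain forward.
fn digits(digest: &Scalar) -> [u8; L] {
    let mut d = [0u8; L];
    d[..N].copy_from_slice(digest);
    let c: u16 = digest.iter().map(|&b| 255 - b as u16).sum();
    d[N] = (c >> 8) as u8;
    d[N + 1] = c as u8;
    d
}

struct Keypair { sk: [Scalar; L], root: Scalar }

/// Private scalars from a seed; public scalars are the chain ends; the root
/// is a domain-separated Merkle root over the public scalars.
fn keygen(seed: &[u8]) -> Keypair {
    let mut sk = [[0u8; 32]; L];
    let mut pk = [[0u8; 32]; L];
    for i in 0..L {
        let mut m = seed.to_vec();
        m.push(i as u8);
        sk[i] = toy_hash(0x02, &m);
        pk[i] = chain(sk[i], CHAIN);
    }
    Keypair { sk, root: merkle_root(&pk) }
}

fn merkle_root(pk: &[Scalar; L]) -> Scalar {
    let mut layer: Vec<Scalar> = pk.iter().map(|s| toy_hash(0x03, s)).collect();
    while layer.len() > 1 {
        layer = layer.chunks(2).map(|p| {
            if p.len() == 1 { return p[0]; } // odd node is promoted unchanged
            let mut both = [0u8; 64];
            both[..32].copy_from_slice(&p[0]);
            both[32..].copy_from_slice(&p[1]);
            toy_hash(0x04, &both)
        }).collect();
    }
    layer[0]
}

fn sign(kp: &Keypair, digest: &Scalar) -> [Scalar; L] {
    let d = digits(digest);
    let mut sig = [[0u8; 32]; L];
    for i in 0..L { sig[i] = chain(kp.sk[i], d[i]); }
    sig
}

/// Finish every chain from the signature and compare the rebuilt root.
fn verify(root: &Scalar, digest: &Scalar, sig: &[Scalar; L]) -> bool {
    let d = digits(digest);
    let mut pk = [[0u8; 32]; L];
    for i in 0..L { pk[i] = chain(sig[i], CHAIN - d[i]); }
    merkle_root(&pk) == *root
}

/// Two signatures under one key expose every chain at min(d1_i, d2_i). Any
/// digest whose positions (checksum included) are all >= those can then be
/// signed without the private key. Returns (forged digest, forged signature).
fn forge(d1: &Scalar, s1: &[Scalar; L], d2: &Scalar, s2: &[Scalar; L]) -> (Scalar, [Scalar; L]) {
    let (g1, g2) = (digits(d1), digits(d2));
    let mut known = [0u8; L];     // lowest exposed position per chain
    let mut val = [[0u8; 32]; L]; // chain value at that position
    for i in 0..L {
        if g1[i] <= g2[i] { known[i] = g1[i]; val[i] = s1[i]; }
        else { known[i] = g2[i]; val[i] = s2[i]; }
    }
    // Elementwise-minimum digest: its checksum is >= both originals, so the
    // high checksum byte is reachable. If the low byte is not, raise message
    // digits by lo+1 so the checksum becomes (hi-1)||0xFF, which is reachable.
    let mut target = [0u8; 32];
    target.copy_from_slice(&known[..N]);
    let c: u16 = target.iter().map(|&b| 255 - b as u16).sum();
    if (c as u8) < known[N + 1] {
        let mut need = (c & 0xFF) + 1;
        for i in 0..N {
            let take = need.min((255 - target[i]) as u16);
            target[i] += take as u8;
            need -= take;
            if need == 0 { break; }
        }
    }
    let t = digits(&target);
    let mut sig = [[0u8; 32]; L];
    for i in 0..L {
        assert!(t[i] >= known[i], "chain {i} not reachable");
        sig[i] = chain(val[i], t[i] - known[i]);
    }
    (target, sig)
}

fn main() {
    let kp = keygen(b"example seed");
    let d1: Scalar = { let mut d = [0u8; 32]; d[31] = 0xFF; d }; // constructed digests
    let d2: Scalar = { let mut d = [0u8; 32]; d[0] = 0xFF; d };
    let (s1, s2) = (sign(&kp, &d1), sign(&kp, &d2));
    let (d3, s3) = forge(&d1, &s1, &d2, &s2);
    println!("legit: {} {}", verify(&kp.root, &d1, &s1), verify(&kp.root, &d2, &s2));
    println!("forged digest differs from both: {}", d3 != d1 && d3 != d2);
    println!("forged signature verifies: {}", verify(&kp.root, &d3, &s3));
}
```

The forgery always succeeds once two distinct digests have been signed: the elementwise minimum of the two digests has a checksum at least as large as either original, so its high checksum byte is already reachable, and if the low byte is not, lowering the checksum to the next `..FF` boundary by raising message digits keeps the high byte at or above the exposed position. That is the whole reason `sign_and_increment` exists: the second signature under one set of scalars is the break, not a weakening.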
Structs§
- WinternitzKeypair - Hierarchical Winternitz keypair derived from a BIP-39 mnemonic.
- WinternitzPrivkey - Private Winternitz key: N message scalars and 2 checksum scalars, each 32 bytes. Zeroized on drop.
- WinternitzPubkey - Public Winternitz key: N message scalars followed by 2 checksum scalars, each 32 bytes. Total size is (N + 2) * 32 bytes.
- WinternitzRoot - 32-byte commitment to a WinternitzPubkey: the domain-separated Merkle root over its scalars. This is the value verifiers store; signatures are validated against it.
- WinternitzSignature - Winternitz one-time signature: N message scalars and 2 checksum scalars, each 32 bytes. Total size is (N + 2) * 32 bytes.
Enums§
- WinternitzError - Errors returned by this crate.