Expand description

Schnorr signature variants using Ristretto point compression.


Creating a signature on a message is simple.

First, we need to generate a Keypair, which includes both public and secret halves of an asymmetric key. To do so, we need a cryptographically secure pseudorandom number generator (CSPRNG).

use rand::{Rng, rngs::OsRng};
use schnorrkel::{Keypair,Signature};

let keypair: Keypair = Keypair::generate_with(OsRng);

We can now use this keypair to sign a message:

let context = signing_context(b"this signature does this thing");
let message: &[u8] = "This is a test of the tsunami alert system.".as_bytes();
let signature: Signature = keypair.sign(context.bytes(message));

As well as to verify that this is, indeed, a valid signature on that message:

assert!(keypair.verify(context.bytes(message), &signature).is_ok());

Anyone else, given the public half of the keypair can also easily verify this signature:

use schnorrkel::PublicKey;
let public_key: PublicKey = keypair.public;
assert!(public_key.verify(context.bytes(message), &signature).is_ok());


PublicKeys, MiniSecretKeys, Keypairs, and Signatures can be serialised into byte-arrays by calling .to_bytes(). It’s perfectly acceptible and safe to transfer and/or store those bytes. (Of course, never transfer your secret key to anyone else, since they will only need the public key to verify your signatures!)


let public_key_bytes: [u8; PUBLIC_KEY_LENGTH] = public_key.to_bytes();
let secret_key_bytes: [u8; SECRET_KEY_LENGTH] = keypair.secret.to_bytes();
let keypair_bytes:    [u8; KEYPAIR_LENGTH]    = keypair.to_bytes();
let signature_bytes:  [u8; SIGNATURE_LENGTH]  = signature.to_bytes();

And similarly, decoded from bytes with ::from_bytes():

let public_key: PublicKey = PublicKey::from_bytes(&public_key_bytes)?;
let secret_key: SecretKey = SecretKey::from_bytes(&secret_key_bytes)?;
let keypair:    Keypair   = Keypair::from_bytes(&keypair_bytes)?;
let signature:  Signature = Signature::from_bytes(&signature_bytes)?;

Using Serde

If you prefer the bytes to be wrapped in another serialisation format, all types additionally come with built-in serde support by building schnorrkell via:

$ cargo build --features="serde"

They can be then serialised into any of the wire formats which serde supports. For example, using bincode:

use bincode::{serialize};

let encoded_public_key: Vec<u8> = serialize(&public_key).unwrap();
let encoded_signature: Vec<u8> = serialize(&signature).unwrap();

After sending the encoded_public_key and encoded_signature, the recipient may deserialise them and verify:

use bincode::{deserialize};

let message: &[u8] = "This is a test of the tsunami alert system.".as_bytes();
let decoded_public_key: PublicKey = deserialize(&encoded_public_key).unwrap();
let decoded_signature: Signature = deserialize(&encoded_signature).unwrap();

assert!( public_key.verify(context.bytes(message), &signature).is_ok() );


pub use crate::keys::*;
pub use crate::context::signing_context;
pub use crate::sign::Signature;
pub use crate::sign::SIGNATURE_LENGTH;
pub use crate::errors::SignatureError;
pub use crate::errors::SignatureResult;


Elliptic curve Qu-Vanstone implicit certificate scheme (ECQV) for Ristretto

Schnorr signature contexts and configuration, adaptable to most Schnorr signature schemes.

Implementation of “hierarchical deterministic key derivation” (HDKD) for Schnorr signatures on Ristretto

Errors which may occur when parsing keys and/or signatures to or from wire formats.

Schnorr signatures on the 2-torsion free subgroup of ed25519, as provided by the Ristretto point compression.

Implementation for Ristretto Schnorr signatures of “Simple Schnorr Multi-Signatures with Applications to Bitcoin” by Gregory Maxwell, Andrew Poelstra, Yannick Seurin, and Pieter Wuille https://eprint.iacr.org/2018/068

Ristretto point tooling

Schnorr signature creation and verification, including batch verification.

Implementation of a Verifiable Random Function (VRF) using Ristretto points and Schnorr DLEQ proofs.


Verify a batch of signatures on messages with their respective public_keys.

Verify a batch of signatures on messages with their respective public_keys.

Verify a batch of signatures on messages with their respective public_keys.