feat!: remove default Schnorr functionality #180
Conversation
AaronFeickert
force-pushed
the
no-morr-default-schnorr
branch
from
448833d
to
a54f332
Compare
|
I disagree here. As mentioned out in #178, I feel that API ergonomics is important. Newcomers to the library are going to be confused with an API requiring Domain separation and will use a default anyway. Those looking for it will see it in the function signature and will be able to provide their own domains. |
|
A lot of tests have been removed -- is there a reason for the decrease in coverage? |
I think implementation snafus like this are indicative of the risk of providing "a Schnorr signature". The implementer is always free to ignore the recommendation of distinct domain separation, but this API change at least forces them to make a decision. Coupled with the fact that there is no "default" signature by any common standard, I think it's an annoyance whose safety benefit outweighs the inconvenience. I understand where you're coming from, but respectfully disagree with the conclusion. Frankly, an implementer who is confused by domain separation should probably take a moment to investigate first. |
Some were specific to FFI or WASM, and naturally went away. An "invalid scalar" test didn't really make sense, and was nixed. A couple of other tests dealt specifically with the default separator, and are no longer relevant or were modified accordingly. |
|
One point to keep in mind is that "raw" signatures, in which the caller is responsible for challenge generation, have no inherent notion of domain separation. Currently, it's probably easiest simply to use the default separator type, since it plays no role in generating the Fiat-Shamir challenge. These are used (for good reason) in several places within the |
AaronFeickert
force-pushed
the
no-morr-default-schnorr
branch
from
3f589c1
to
3c0a3dd
Compare
Removes default Schnorr signature functionality by requiring domain separation. Closes #178.
Previously, the Schnorr signature API permitted the use of a default domain separator. This introduces significant risk, as reuse of signatures across contexts can be dangerous. Further, as there are no widely-used standards for Schnorr-type signatures over the Ristretto group, there is no particularly good choice for such a domain separator.
This PR does several things:
SchnorrSignaturebe provided with a domain separator via trait bound, which was previously optionalRistrettoSchnorrWithDomainRistrettoSchnorrtoRistrettoSchnorr<H>to require a domain separatorIt also removes all existing WASM and FFI signing and verification functionality for Schnorr signatures, since this previously used the default domain separator and there is no way to make them properly generic. Applications needing Schnorr signatures using WASM or FFI should define specific functions that use the updated types to provide a domain separator.
BREAKING CHANGE: Makes several type changes to
SchnorrSignature,RistrettoSchnorr, andRistrettoSchnorrWithDomainthat are breaking.