Enum schnorrkel::keys::ExpansionMode
source · pub enum ExpansionMode {
Uniform,
Ed25519,
}
Expand description
Methods for expanding a MiniSecretKey
into a SecretKey
.
Our SecretKey
s consist of a scalar and nonce seed, both 32 bytes,
what EdDSA/Ed25519 calls an extended secret key. We normally create
SecretKey
s by expanding a MiniSecretKey
, what Esd25519 calls
a SecretKey
. We provide two such methods, our suggested approach
produces uniformly distribted secret key scalars, but another
approach retains the bit clamping form Ed25519.
Variants§
Uniform
Expand the MiniSecretKey
into a uniformly distributed
SecretKey
.
We produce the SecretKey
using merlin and far more uniform
sampling, which might benefits some future protocols, and
might reduce binary size if used throughout.
We slightly prefer this method, but some existing code uses
Ed25519
mode, so users cannot necessarily use this mode
if they require compatability with existing systems.
Ed25519
Expand this MiniSecretKey
into a SecretKey
using
ed25519-style bit clamping.
Ristretto points are represented by Ed25519 points internally so conceivably some future standard might expose a mapping from Ristretto to Ed25519, which makes this mode useful. At present, there is no such exposed mapping however because two such mappings actually exist, depending upon the branch of the inverse square root chosen by a Ristretto implementation. There is however a concern that such a mapping would remain a second class citizen, meaning implementations differ and create incompatibility.
We weakly recommend against employing this method. We include it primarily because early Ristretto documentation touted the relationship with Ed25519, which led to some deployments adopting this expansion method.