3.8.1 Document RFC 8032 compatibility

crypto/schnorr/src/lib.rs

@@ -20,6 +20,13 @@ pub mod aggregate;
 mod tests;
 
 /// A Schnorr signature of the form (R, s) where s = r + cx.
+///
+/// These are intended to be strict. It is generic over Ciphersuite which is for PrimeGroups,
+/// and mandates canonical encodings in its read function.
+///
+/// RFC 8032 has an alternative verification formula, 8R = 8s - 8cX, which is intended to handle
+/// torsioned nonces/public keys. Due to this library's strict requirements, such signatures will
+/// not be verifiable with this library.
 #[allow(non_snake_case)]
 #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
 pub struct SchnorrSignature<C: Ciphersuite> {

crypto/schnorr/src/tests.rs

@@ -54,7 +54,7 @@ pub(crate) fn batch_verify<C: Ciphersuite>() {
     for (i, sig) in sigs.iter().enumerate() {
       sig.batch_verify(&mut OsRng, &mut batch, i, C::generator() * keys[i].deref(), challenges[i]);
     }
-    batch.verify_with_vartime_blame().unwrap();
+    batch.verify_vartime_with_vartime_blame().unwrap();
   }
 
   // Shift 1 from s from one to another and verify it fails
@@ -70,7 +70,7 @@ pub(crate) fn batch_verify<C: Ciphersuite>() {
       }
       sig.batch_verify(&mut OsRng, &mut batch, i, C::generator() * keys[i].deref(), challenges[i]);
     }
-    if let Err(blame) = batch.verify_with_vartime_blame() {
+    if let Err(blame) = batch.verify_vartime_with_vartime_blame() {
       assert!((blame == 1) || (blame == 2));
     } else {
       panic!("Batch verification considered malleated signatures valid");