Design goals
No random nonce needed (deterministic). Constant-time by construction. Fast on general CPUs. Small keys + signatures.
Advertisement
Key generation
Random 32-byte seed. Derive scalar + prefix via SHA-512. Public key = scalar · base_point.
Advertisement
Sign / verify
Sign uses deterministic nonce from prefix + message. Verify: check A · s == R + hash · P.
Batch verification
Verify N signatures with 1 large exponentiation. 2-3× speedup for TLS servers processing many client certs.