Design goals

No random nonce needed (deterministic). Constant-time by construction. Fast on general CPUs. Small keys + signatures.

Advertisement

Key generation

Random 32-byte seed. Derive scalar + prefix via SHA-512. Public key = scalar · base_point.

Advertisement

Sign / verify

Sign uses deterministic nonce from prefix + message. Verify: check A · s == R + hash · P.

Batch verification

Verify N signatures with 1 large exponentiation. 2-3× speedup for TLS servers processing many client certs.