Lace-009 · Signatures

Tags: record, crypto

Purpose

Seal records need portable authorship proof that survives transport boundaries: a verifier signs a specific Plex-record digest, and any implementation can check the signature from record bytes alone. This spec defines verifier, signing-secret, and signature rules used by Seal records in the current .H3 suite. It signs a 32-byte BLAKE3 digest with secp256k1 Schnorr arithmetic and encodes public protocol values with B64A.

This document is for record and crypto implementors. After reading it, an implementor should be able to generate verifier text, derive signing material, produce signatures, and verify Seal-record signatures consistently across languages.

Defines

Key generation, signing-secret derivation, signing, and verification.

Text forms identify verifier and signing values

Verifier: V.<b64a>.H3, where payload is a 32-byte public x-coordinate.
Signing secret: &.<b64a>.H3, where payload is 32 bytes of secret derivation material.
Signature: 64 signature bytes encoded with B64A.

A verifier is public. A signing secret is private local material used to derive a signing scalar.

Parameters define the current signature system

Curve: secp256k1.
Generator: G.
Order: n.
Field prime: p.
Message input: msg32, a 32-byte BLAKE3 digest of signed bytes.
Integer encoding: bytes(x), the 32-byte big-endian encoding of a scalar or field element.

BLAKE3 derive-key context strings:

Context	Use
`lace-🖧/adhoc-key`	signing-secret derivation
`lace-🖧/aux`	signing auxiliary randomness tag
`lace-🖧/nonce`	nonce tag
`lace-🖧/challenge`	challenge tag

derive_key(context, input) means the first 32 bytes of BLAKE3 derive-key output for that context and input. Context strings are encoded as the exact UTF-8 bytes of the displayed text.

Signer generation produces an even-y verifier

Implementations MUST generate random signing scalars as follows:

Choose random 32-byte d0 with 0 < d0 < n.
Compute P = d0*G.
If P.y is odd, set d = n - d0; otherwise set d = d0.
The signing scalar is d and verifier bytes are bytes((d*G).x).

The even-y convention makes one verifier text correspond to one public point.

Signing-secret derivation maps secret text to a scalar

To derive signing material from a signing secret payload, implementations MUST:

Reject payloads whose decoded length is not exactly 32 bytes.
Use BLAKE3 XOF derive mode with context lace-🖧/adhoc-key.
Read 32-byte candidates until one satisfies 0 < d0 < n.
Apply the same even-y normalization used by signer generation.

Signing binds a digest to a verifier

Inputs are signing scalar d, verifier x-coordinate Px, message digest msg32, and fresh nonzero 32-byte auxRand32.

Implementations MUST sign as follows:

t = derive_key("lace-🖧/aux", auxRand32).
mask = t xor bytes(d).
k0 = derive_key("lace-🖧/nonce", mask || Px || msg32) mod n; reject zero.
Compute R = k0*G; use k = n-k0 when R.y is odd, else k = k0.
e = derive_key("lace-🖧/challenge", bytes(R.x) || Px || msg32) mod n.
s = (k + e*d) mod n.
Signature bytes are bytes(R.x) || bytes(s).

auxRand32 MUST be unique per signature and MUST NOT be all zero.

Verification accepts only the matching signature

Inputs are verifier x-coordinate Px, signature r||s, and message digest msg32.

Implementations MUST verify as follows:

Reject Px >= p, r >= p, or s >= n.
Recover point P from Px using the even-y root; reject Px values that do not identify a secp256k1 point.
Compute e = derive_key("lace-🖧/challenge", bytes(r) || Px || msg32) mod n.
Compute R' = s*G - e*P.
Reject infinity or odd R'.y.
Accept only when R'.x == r.

Implementations MUST use constant-time scalar and point operations.

Rejection examples

Reject examples include an empty signing secret, all-zero auxiliary value, Px >= p, Px with no curve point, r >= p, s >= n, odd recovered R', and any signature whose recomputed R'.x differs from r.