Remove type parameters from Message and Signature, and remove unused Slice type

"Secret messages" was a nice idea - it made it possible to have constant time
verification of signatures so you didn't leak via side channel which signature
you were verifying. But since almost no one has this peculiar requirement it
created more friction than it was worth.

This simplifies the API by:
- Removing the secrecy type parameter from both Message and Signature types, making them always public
- Removing the unused Slice type from secp256kfun which was part of the secrecy marking system but wasn't being used

Author: LLFourn

CHANGELOG.md

@@ -12,6 +12,8 @@
   - `hash_to_curve_rfc9381_tai` - RFC 9381 VRF try-and-increment format
 - Add `Message::new` for BIP340-compliant domain separation using 33-byte padded prefix
 - Deprecate `Message::plain` which uses non-standard 64-byte prefix
+- Remove type parameters from `Message` and `Signature` types (always public now)
+- Remove unused `Slice` type from secp256kfun
 
 ## v0.11.0
 

schnorr_fun/README.md

@@ -39,7 +39,7 @@ let schnorr = Schnorr::<Sha256, _>::new(nonce_gen.clone());
 // Generate your public/private key-pair
 let keypair = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
 // Sign a variable length message
-let message = Message::<Public>::plain("the-times-of-london", b"Chancellor on brink of second bailout for banks");
+let message = Message::new("the-times-of-london", b"Chancellor on brink of second bailout for banks");
 // Sign the message with our keypair
 let signature = schnorr.sign(&keypair, message);
 // Get the verifier's key

schnorr_fun/benches/bench_schnorr.rs

@@ -20,7 +20,7 @@ fn sign_schnorr(c: &mut Criterion) {
     {
         let keypair = schnorr.new_keypair(*SK);
         group.bench_function("fun::schnorr_sign", |b| {
-            b.iter(|| schnorr.sign(&keypair, Message::<Public>::raw(MESSAGE)))
+            b.iter(|| schnorr.sign(&keypair, Message::raw(MESSAGE)))
         });
     }
 
@@ -40,19 +40,14 @@ fn verify_schnorr(c: &mut Criterion) {
     let mut group = c.benchmark_group("schnorr_verify");
     let keypair = schnorr.new_keypair(*SK);
     {
-        let message = Message::<Public>::raw(MESSAGE);
+        let message = Message::raw(MESSAGE);
         let sig = schnorr.sign(&keypair, message);
         let verification_key = &keypair.public_key();
         group.bench_function("fun::schnorr_verify", |b| {
             b.iter(|| schnorr.verify(verification_key, message, &sig))
         });
 
-        {
-            let sig = sig.set_secrecy::<Secret>();
-            group.bench_function("fun::schnorr_verify_ct", |b| {
-                b.iter(|| schnorr.verify(verification_key, message, &sig))
-            });
-        }
+        // Constant-time verification is no longer supported after removing type parameters
     }
 
     {

schnorr_fun/src/adaptor/encrypted_signature.rs

@@ -47,11 +47,8 @@ mod test {
         let schnorr = crate::new_with_deterministic_nonces::<sha2::Sha256>();
         let kp = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
         let encryption_key = Point::random(&mut rand::thread_rng());
-        let encrypted_signature = schnorr.encrypted_sign(
-            &kp,
-            &encryption_key,
-            Message::<Public>::plain("test", b"foo"),
-        );
+        let encrypted_signature =
+            schnorr.encrypted_sign(&kp, &encryption_key, Message::new("test", b"foo"));
         let serialized = bincode::encode_to_vec(
             bincode::serde::Compat(&encrypted_signature),
             bincode::config::standard(),

schnorr_fun/src/adaptor/mod.rs

@@ -23,7 +23,7 @@
 //! let verification_key = signing_keypair.public_key();
 //! let decryption_key = Scalar::random(&mut rand::thread_rng());
 //! let encryption_key = schnorr.encryption_key_for(&decryption_key);
-//! let message = Message::<Public>::plain("text-bitcoin", b"send 1 BTC to Bob");
+//! let message = Message::new("text-bitcoin", b"send 1 BTC to Bob");
 //!
 //! // Alice knows: signing_keypair, encryption_key
 //! // Bob knows: decryption_key, verification_key
@@ -68,7 +68,7 @@ pub trait EncryptedSign {
         &self,
         signing_keypair: &KeyPair<EvenY>,
         encryption_key: &Point<Normal, impl Secrecy>,
-        message: Message<'_, impl Secrecy>,
+        message: Message<'_>,
     ) -> EncryptedSignature;
 }
 
@@ -81,7 +81,7 @@ where
         &self,
         signing_key: &KeyPair<EvenY>,
         encryption_key: &Point<Normal, impl Secrecy>,
-        message: Message<'_, impl Secrecy>,
+        message: Message<'_>,
     ) -> EncryptedSignature {
         let (x, X) = signing_key.as_tuple();
         let Y = encryption_key;
@@ -139,7 +139,7 @@ pub trait Adaptor {
         &self,
         verification_key: &Point<EvenY, impl Secrecy>,
         encryption_key: &Point<impl PointType, impl Secrecy>,
-        message: Message<'_, impl Secrecy>,
+        message: Message<'_>,
         encrypted_signature: &EncryptedSignature<impl Secrecy>,
     ) -> bool;
 
@@ -179,7 +179,7 @@ pub trait Adaptor {
         &self,
         encryption_key: &Point<impl Normalized, impl Secrecy>,
         encrypted_signature: &EncryptedSignature<impl Secrecy>,
-        signature: &Signature<impl Secrecy>,
+        signature: &Signature,
     ) -> Option<Scalar>;
 }
 
@@ -195,7 +195,7 @@ where
         &self,
         verification_key: &Point<EvenY, impl Secrecy>,
         encryption_key: &Point<impl PointType, impl Secrecy>,
-        message: Message<'_, impl Secrecy>,
+        message: Message<'_>,
         encrypted_signature: &EncryptedSignature<impl Secrecy>,
     ) -> bool {
         let EncryptedSignature {
@@ -236,7 +236,7 @@ where
         &self,
         encryption_key: &Point<impl PointType, impl Secrecy>,
         encrypted_signature: &EncryptedSignature<impl Secrecy>,
-        signature: &Signature<impl Secrecy>,
+        signature: &Signature,
     ) -> Option<Scalar> {
         if signature.R != encrypted_signature.R {
             return None;
@@ -298,7 +298,7 @@ mod test {
         let signing_keypair = schnorr.new_keypair(secret_key);
         let verification_key = signing_keypair.public_key();
         let encryption_key = schnorr.encryption_key_for(&decryption_key);
-        let message = Message::<Public>::new("test", b"give 100 coins to Bob".as_ref());
+        let message = Message::new("test", b"give 100 coins to Bob".as_ref());
 
         let encrypted_signature =
             schnorr.encrypted_sign(&signing_keypair, &encryption_key, message);

schnorr_fun/src/frost/chilldkg.rs

@@ -101,7 +101,7 @@ pub mod simplepedpop {
             let secret_poly = poly::scalar::generate(threshold as usize, rng);
             let pop_keypair = KeyPair::new_xonly(secret_poly[0]);
             // XXX The thing that's singed differs from the spec
-            let pop = schnorr.sign(&pop_keypair, Message::<Public>::empty());
+            let pop = schnorr.sign(&pop_keypair, Message::empty());
             let com = poly::scalar::to_point_poly(&secret_poly);
 
             let shares = share_receivers
@@ -201,7 +201,7 @@ pub mod simplepedpop {
             }
 
             let (first_coeff_even_y, _) = input.com[0].into_point_with_even_y();
-            if !schnorr.verify(&first_coeff_even_y, Message::<Public>::empty(), &input.pop) {
+            if !schnorr.verify(&first_coeff_even_y, Message::empty(), &input.pop) {
                 return Err("☠ pop didn't verify");
             }
             *entry = Some(input);
@@ -324,7 +324,7 @@ pub mod simplepedpop {
     {
         for (key_contrib, pop) in &agg_input.key_contrib {
             let (first_coeff_even_y, _) = key_contrib.into_point_with_even_y();
-            if !schnorr.verify(&first_coeff_even_y, Message::<Public>::empty(), pop) {
+            if !schnorr.verify(&first_coeff_even_y, Message::empty(), pop) {
                 return Err(ReceiveShareError::InvalidPop);
             }
         }
@@ -606,7 +606,7 @@ pub mod encpedpop {
         {
             schnorr.sign(
                 keypair,
-                Message::<Public>::new("BIP DKG/cert", self.cert_bytes().as_ref()),
+                Message::new("BIP DKG/cert", self.cert_bytes().as_ref()),
             )
         }
 
@@ -620,7 +620,7 @@ pub mod encpedpop {
         ) -> bool {
             schnorr.verify(
                 &cert_key,
-                Message::<Public>::new("BIP DKG/cert", self.cert_bytes().as_ref()),
+                Message::new("BIP DKG/cert", self.cert_bytes().as_ref()),
                 &signature,
             )
         }

schnorr_fun/src/frost/mod.rs

@@ -30,7 +30,7 @@
 //! let xonly_shared_key = shared_key.into_xonly(); // this is the key signatures will be valid under
 //! let xonly_my_secret_share = my_secret_share.into_xonly();
 //! # let xonly_secret_share3 = secret_share3.into_xonly();
-//! let message =  Message::plain("my-app", b"chancellor on brink of second bailout for banks");
+//! let message =  Message::new("my-app", b"chancellor on brink of second bailout for banks");
 //! // Generate nonces for this signing session (and send them to coordinator somehow)
 //! // ⚠ session_id MUST be different for every signing attempt to avoid nonce reuse (if using deterministic nonces).
 //! let session_id = b"signing-ominous-message-about-banks-attempt-1".as_slice();
@@ -446,7 +446,7 @@ mod test {
         let session = frost.coordinator_sign_session(
             &frost_poly.into_xonly(),
             BTreeMap::from_iter([(s!(1).public(), nonce), (s!(2).public(), malicious_nonce)]),
-            Message::<Public>::new("test", b"hello"),
+            Message::new("test", b"hello"),
         );
 
         assert_eq!(session.final_nonce(), *G);

schnorr_fun/src/frost/shared_key.rs

@@ -231,7 +231,7 @@ impl<T: PointType, Z: ZeroChoice> SharedKey<T, Z> {
 }
 
 impl SharedKey<Normal> {
-    /// Convert the key into a BIP340 "x-only" SharedKey.
+    /// Convert the key into a [BIP340] "x-only" SharedKey.
     ///
     /// This is the [BIP340] compatible version of the key which you can put in a segwitv1 output.
     ///

schnorr_fun/src/message.rs

@@ -1,18 +1,13 @@
 use secp256kfun::{
-    Slice,
     digest::{self},
     hash::HashInto,
-    marker::*,
 };
 
 /// A message to be signed.
-///
-/// The `S` parameter is a [`Secrecy`] which is used when signing a verifying to check whether the
-/// challenge scalar produced with the message should be secret.
 #[derive(Debug, Clone, Copy, PartialEq)]
-pub struct Message<'a, S = Public> {
+pub struct Message<'a> {
     /// The message bytes
-    pub bytes: Slice<'a, S>,
+    pub bytes: &'a [u8],
     /// The optional application tag to separate the signature from other applications.
     #[deprecated(
         since = "0.11.0",
@@ -26,12 +21,12 @@ pub struct Message<'a, S = Public> {
 }
 
 #[allow(deprecated)]
-impl<'a, S: Secrecy> Message<'a, S> {
+impl<'a> Message<'a> {
     /// Create a raw message with no domain separation. The message bytes will be passed straight into the
     /// challenge hash. Usually, you only use this when signing a pre-hashed message.
     pub fn raw(bytes: &'a [u8]) -> Self {
         Message {
-            bytes: Slice::from(bytes),
+            bytes,
             app_tag: None,
             bip340_domain_sep: None,
         }
@@ -51,8 +46,8 @@ impl<'a, S: Secrecy> Message<'a, S> {
     ///
     /// # Example
     /// ```
-    /// use schnorr_fun::{Message, fun::marker::Public};
-    /// let message = Message::<Public>::new("my-app/sign", b"hello world");
+    /// use schnorr_fun::Message;
+    /// let message = Message::new("my-app/sign", b"hello world");
     /// ```
     pub fn new(domain_sep: &'static str, bytes: &'a [u8]) -> Self {
         assert!(!domain_sep.is_empty(), "domain separator must not be empty");
@@ -61,7 +56,7 @@ impl<'a, S: Secrecy> Message<'a, S> {
             "domain separator must be 33 bytes or less"
         );
         Message {
-            bytes: Slice::from(bytes),
+            bytes,
             app_tag: None,
             bip340_domain_sep: Some(domain_sep),
         }
@@ -88,7 +83,7 @@ impl<'a, S: Secrecy> Message<'a, S> {
         assert!(app_tag.len() <= 64, "tag must be 64 bytes or less");
         assert!(!app_tag.is_empty(), "tag must not be empty");
         Message {
-            bytes: Slice::from(bytes),
+            bytes,
             app_tag: Some(app_tag),
             bip340_domain_sep: None,
         }
@@ -102,15 +97,15 @@ impl<'a, S: Secrecy> Message<'a, S> {
     /// Length of the message as it is hashed
     pub fn len(&self) -> usize {
         match (self.app_tag, self.bip340_domain_sep) {
-            (Some(_), _) => 64 + self.bytes.as_inner().len(),
-            (_, Some(_)) => 33 + self.bytes.as_inner().len(), // BIP340 style uses 33-byte prefix
-            (None, None) => self.bytes.as_inner().len(),
+            (Some(_), _) => 64 + self.bytes.len(),
+            (_, Some(_)) => 33 + self.bytes.len(), // BIP340 style uses 33-byte prefix
+            (None, None) => self.bytes.len(),
         }
     }
 }
 
 #[allow(deprecated)]
-impl<S> HashInto for Message<'_, S> {
+impl HashInto for Message<'_> {
     fn hash_into(self, hash: &mut impl digest::Update) {
         if let Some(prefix) = self.app_tag {
             let mut padded_prefix = [0u8; 64];
@@ -122,7 +117,7 @@ impl<S> HashInto for Message<'_, S> {
             padded_prefix[..domain_sep.len()].copy_from_slice(domain_sep.as_bytes());
             hash.update(&padded_prefix);
         }
-        hash.update(self.bytes.as_inner());
+        hash.update(self.bytes);
     }
 }
 
@@ -134,13 +129,13 @@ mod test {
     #[test]
     fn bip340_domain_separation() {
         // Test that BIP340 domain separation uses 33-byte prefix
-        let msg = Message::<Public>::new("test", b"hello");
+        let msg = Message::new("test", b"hello");
 
         // Expected: "test" padded to 33 bytes + "hello"
         let mut expected_hash = Sha256::default();
         let mut padded_prefix = [0u8; 33];
         padded_prefix[..4].copy_from_slice(b"test");
-        expected_hash.update(&padded_prefix);
+        expected_hash.update(padded_prefix);
         expected_hash.update(b"hello");
 
         let mut actual_hash = Sha256::default();
@@ -154,20 +149,20 @@ mod test {
 
     #[test]
     fn message_new_fixed_key_signature() {
-        use crate::{fun::s, new_with_deterministic_nonces};
+        use crate::{Signature, fun::prelude::*, new_with_deterministic_nonces};
         use core::str::FromStr;
 
         // Fixed test to ensure Message::new domain separation doesn't accidentally change
         let schnorr = new_with_deterministic_nonces::<Sha256>();
         let secret_key = s!(42);
         let keypair = schnorr.new_keypair(secret_key);
 
-        let message = Message::<Public>::new("test-app", b"test message");
+        let message = Message::new("test-app", b"test message");
         let signature = schnorr.sign(&keypair, message);
 
         // This signature was generated with the current implementation and should never change
         // to ensure backwards compatibility
-        let expected_sig = crate::Signature::<Public>::from_str(
+        let expected_sig = Signature::from_str(
             "5c49762df465f21993af631caedb3e478793142e15f200e70511e5af71387e52a3b9b6af189fa4b28a767254f2a8977f2e9db1866ad4dfbb083bb4fbd8dfe82e"
         ).unwrap();