HPPR-009 · HSB3 Signatures

HSB3 is a BIP-340 style Schnorr signature over secp256k1.

HSB3 uses BLAKE3-256 for all hashing and key derivation tags. Reference code lives in rust/libs/hsb3.

Parameters

• Curve: secp256k1 (y^2 = x^3 + 7 mod p)
• Order: n
• Generator: G
• Hash primitive: BLAKE3.derive_key
• Tags:
  • hppr-🖧/aux
  • hppr-🖧/nonce
  • hppr-🖧/challenge

Helper notation:

• bytes(x): 32-byte big-endian encoding of scalar or field element
• beInt(b): integer from 32-byte big-endian bytes
• tagged(tag, msg): first 32 bytes of derive_key(tag, msg)

Key Generation

1. Draw random 32-byte d0; reject 0 and d0 >= n.
2. Set d = d0, compute P = d*G.
3. If P.y is odd, set d = n - d and recompute P.
4. Private key is d; public key is bytes(P.x).

The even-y convention is mandatory.

Deterministic Key Derivation

Derive a keypair from arbitrary secret bytes.

1. Initialize BLAKE3 derive mode with tag hppr-🖧/adhoc-key.
2. Feed secret bytes.
3. Enter XOF mode.
4. Rejection sample 32-byte candidates until 0 < d0 < n.
5. Apply the same even-y normalization as key generation.

Conformance:

• MUST use tag hppr-🖧/adhoc-key exactly
• MUST use XOF rejection sampling
• MUST apply even-y convention
• MUST reject empty secret

Ring1 Adhoc Derivation (Argon2id)

Ring1 secret tokens derive through Argon2id first.

Token format:

V.<b64a>.H3

Argon2id inputs:

• password: UTF-8 original secret
• salt: first 16 bytes of BLAKE3.derive_key("hppr-🖧/phc-salt", "<ring1>/<repo-vkey>")
• params: $argon2id$v=19$m=<m>,t=<t>,p=<p>$
• output length: 32

If HELLO omits PHC, defaults are m=12288, t=3, p=1.

Then derive HSB3 key from:

<derived-token>/<ring1>/<repo-vkey>

Signing

Inputs:

• msg32: BLAKE3-256 digest of message bytes
• private key d
• auxRand32: fresh random 32 bytes

Rules:

• auxRand32 MUST be unique per signature
• explicit all-zero aux input is invalid

Algorithm:

1. t = tagged(aux, auxRand32)
2. mask = t xor bytes(d)
3. k0 = tagged(nonce, mask || Px || msg32) mod n; reject k0 = 0
4. R = k0*G; if R.y odd then k = n-k0, else k = k0
5. e = tagged(challenge, bytes(R.x) || Px || msg32) mod n
6. s = (k + e*d) mod n
7. signature bytes are bytes(R.x) || bytes(s)

Text form uses B64A.

Verification

Inputs: signature r||s, public key Px, and msg32.

1. Parse r, s; reject r >= p or s >= n.
2. Recover P from Px and take even-y root.
3. e = tagged(challenge, bytes(r) || Px || msg32) mod n
4. R' = s*G - e*P; reject infinity or odd y.
5. Accept iff R'.x == r.

Conformance

Implementations:

• MUST use the three UTF-8 tags exactly
• MUST use BLAKE3-256 message digests
• MUST preserve even-y convention in keygen/sign/verify
• MUST emit 64-byte signatures and 32-byte public keys
• MUST reject invalid scalars and coordinates
• MUST use constant-time scalar and point operations
• MUST NOT reuse auxRand32