Jeff Burdges
You gain forward security: A compromised signing key cannot be used to fake signatures either forward or backward in time. In fact, these signing keys can be truly automated as...
Yes, I didn't mean to derail too much, just mentioned it as an aside. And yes SPHINCS is a nice choice for large things.
Apologies, but I'm confused. When would safe code mutate a `&[u8]` that some unknown function gave it? Wouldn't only a `&mut [u8]` have that problem? I understand that a function...
I misread your statement up thread as saying that marking the function as `unsafe` changed the compiler's behavior in some more subtle way. In this case, the `unsafe` just reminds...
I suppose @ubsan means `std::cell::Cell` but to answer the question.. `Cell` is not [`Sync`](https://doc.rust-lang.org/std/marker/trait.Sync.html). `AtomicU8` is `Sync`, but not stable, and rather expensive. If you want `mmap` then you likely...
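An added example illustrating the `Sync` distinction the comment above draws, not code from the thread or from any of the projects mentioned. It shares an `AtomicU8` between threads through an `Arc`, which compiles because `AtomicU8` is `Sync` (it has since been stabilized in the standard library); the commented-out lines show the same construction with `std::cell::Cell`, which the compiler rejects because `Cell` is not `Sync`. The helper `assert_sync` is a hypothetical name introduced here for the compile-time check.

```rust
use std::sync::atomic::{AtomicU8, Ordering};
use std::sync::Arc;
use std::thread;

/// Compile-time check that `T` may be shared between threads.
/// This is a hypothetical helper for the example, not a std API.
fn assert_sync<T: Sync>(_: &T) {}

/// Spawn `n` threads that each increment one shared `AtomicU8` once,
/// then return the final count. Returns `n` when every increment lands.
pub fn shared_counter(n: u8) -> u8 {
    let counter = Arc::new(AtomicU8::new(0));
    // AtomicU8 is Sync, so a shared reference may cross thread boundaries.
    assert_sync(&*counter);

    let handles: Vec<_> = (0..n)
        .map(|_| {
            let c = Arc::clone(&counter);
            thread::spawn(move || {
                // fetch_add is an atomic read-modify-write; no data race.
                c.fetch_add(1, Ordering::SeqCst);
            })
        })
        .collect();
    for h in handles {
        h.join().expect("worker thread panicked");
    }
    counter.load(Ordering::SeqCst)
}

// The same construction with `Cell<u8>` is rejected at compile time,
// because `Cell` is !Sync (its interior mutability is unsynchronized):
//
// let cell = Arc::new(std::cell::Cell::new(0u8));
// assert_sync(&*cell);
// // error[E0277]: `Cell<u8>` cannot be shared between threads safely

fn main() {
    println!("final count: {}", shared_counter(8));
}
```

The `Ordering::SeqCst` choice is deliberately conservative; for a plain counter `Relaxed` would suffice, but the point here is the `Sync` bound, not memory ordering.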
It's possible https://github.com/w3f/schnorrkel/commit/8150ef6333df6238d8d861aec74bf7ccd87119aa#diff-b4aea3e418ccdb71239b96952d9cddb6R260-R280 might help if you care in the short term, but waiting for dependencies to converge sounds better.
I have not yet looked at the code here, but since we came up with roughly the same protocol in https://eprint.iacr.org/2020/1245, as did blockstream guys in https://eprint.iacr.org/2020/1261, and did a...
https://github.com/arkworks-rs/algebra/tree/master/curves/ed25519 We should have a curve25519-dalek wrapper though, because curve25519-dalek is much faster than arkworks. Arkworks exploits multi-threading, which curve25519-dalek lacks, but if your system is pegged anyways then curve25519-dalek remains...
We do have ed25519 here, but the problem here is the lack of a curve25519-dalek wrapper. A zk prover team might only care about their benchmarks on dedicated prover nodes....
https://github.com/nikkolasg/ark-blst looks relevant