This specification describes Data Integrity cryptographic suites for use when creating or verifying a digital signature using the the secp256k1 instantiation of the Schnorr Signature Algorithm as defined in [[BIP340]].

Introduction

This specification defines a cryptographic suite for the purpose of creating, verifying proofs for Schnorr signatures over secp256k1 in conformance with the Data Integrity [[VC-DATA-INTEGRITY]] specification.

The suites described in this specification use the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] or the JSON Canonicalization Scheme [[RFC8785]] to transform an input document into its canonical form. The canonical representation is then hashed and signed with a detached signature algorithm.

Terminology

Terminology used throughout this document is defined in the Terminology section of the [[[VC-DATA-INTEGRITY]]] specification.

A conforming proof is any concrete expression of the data model that complies with the normative statements in this specification. Specifically, all relevant normative statements in Sections [[[#data-model]]] and [[[#algorithms]]] of this document MUST be enforced.

A conforming processor is any algorithm realized as software and/or hardware that generates or consumes a conforming proof. Conforming processors MUST produce errors when non-conforming documents are consumed.

This document contains examples of JSON and JSON-LD data. Some of these examples are invalid JSON, as they include features such as inline comments (`//`) explaining certain portions and ellipses (`...`) indicating the omission of information that is irrelevant to the example. These parts would have to be removed in order to treat the examples as valid JSON or JSON-LD.

Data Model

The following sections outline the data model that is used by this specification to express verification methods, such as cryptographic public keys, and data integrity proofs, such as digital signatures.

Verification Methods

This cryptographic suite is used to verify Data Integrity Proofs [[VC-DATA-INTEGRITY]] produced using secp256k1 cryptographic key material. The encoding formats for those key types are provided in this section. Lossless cryptographic key transformation processes that result in equivalent cryptographic key material MAY be used for the processing of digital signatures.

Multikey

The Multikey format, defined in [[[CID]]], is used to express public keys for the cryptographic suites defined in this specification.

The `publicKeyMultibase` value of the verification method MUST be a a base-58-btc Multibase encoding of a Multikey encoded secp256k1 x-only public key. The Multikey encoding of a secp256k1 x-only 256-bit public key MUST start with the two-byte prefix 0xe14a (the varint expression of 0x2561) followed by the 32-byte x-only public key data. The resulting 34-byte value MUST then be encoded using the base-58-btc alphabet, according to Section 2.4 Multibase of [[[CID]]], and then prepended with the base-58-btc Multibase header (z). Any other encoding MUST NOT be allowed.

Developers are advised to not accidentally publish a representation of a private key. Implementations of this specification will raise errors if they encounter a Multikey prefix value other than `0xe14a` in a `publicKeyMultibase` value. 

{
  "id": "https://example.com/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://example.com/issuer/123",
  "publicKeyMultibase": "z66PwJnYvwJLhGrVc8vcuUkKs99sKCzYRM2HQ2gDCGTAStHk"
}
          

{
  "id": "did:example:123",
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/multikey/v1"
  ],
  "verificationMethod": [
    {
      "id": "did:example:123#initialKey",
      "type": "Multikey",
      "controller": "did:example:123",
      "publicKeyMultibase": "z66PwJnYvwJLhGrVc8vcuUkKs99sKCzYRM2HQ2gDCGTAStHk"
    }
  ],
  "authentication": [
    "did:example:123#initialKey"
  ],
  "assertionMethod": [
    "did:example:123#initialKey"
  ],
  "capabilityInvocation": [
    "did:example:123#initialKey"
  ],
  "capabilityDelegation": [
    "did:example:123#initialKey"
  ]
}

TODO: Do we want to define a secretKeyMultibase value for secp256k1 keys?

Developers are advised to prevent accidental publication of a representation of a secret key, and to not export the `secretKeyMultibase` property by default, when serializing key pairs to Multikey.

Proof Representations

This section details the proof representation formats that are defined by this specification.

DataIntegrityProof

A proof contains the attributes specified in the Proofs section of [[VC-DATA-INTEGRITY]] with the following restrictions.

The `type` property MUST be `DataIntegrityProof`.

The `cryptosuite` property of the proof MUST be `schnorr-secp256k1-jcs-2025` or `schnorr-secp256k1-rdfc-2025`.

The `proofValue` property of the proof MUST be a detached Schnorr signature produced according to [[BIP340]], encoded using the base-64-url header and alphabet as described in the Multibase section of [[[controller-document]]]. 

{
  "@context": [
    {"myWebsite": "https://vocabulary.example/myWebsite"},
    "https://www.w3.org/ns/credentials/v2"
  ],
  "myWebsite": "https://hello.world.example/",
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "schnorr-secp256k1-jcs-2024",
    "verificationMethod": "did:btc1:k1q2ddta4gt5n7u6d3xwhdyua57t6awrk55ut82qvurfm0qnrxx5nw7vnsy65#initialKey",
    "proofPurpose": "assertionMethod",
    "proofValue": "zsxM9je5iKynKyN6rRPi9QjTWpG6inJ1umwGfnCo4fiu4MqYf46PLd4TE2wVZvdZegDuC6xL6n3Kj8S1PbC8tmTm"
  }
}

TODO: Make example a valid proof. Currently it is a realy proof, but not over that content

Algorithms

The following section describes multiple Data Integrity cryptographic suites that use the Schnorr Signature for secp256k1 Algorithm [[BIP340]].

Instantiate Cryptosuite

This algorithm is used to configure a cryptographic suite to be used by the Add Proof and Verify Proof functions in [[[VC-DATA-INTEGRITY]]]. The algorithm takes an options object ([=map=] |options|) as input and returns a [=data integrity cryptographic suite instance|cryptosuite instance=] ([=struct=] |cryptosuite|).

  1. Initialize |cryptosuite| to an empty [=struct=].
  2. If |options|.|type| does not equal `DataIntegrityProof`, return |cryptosuite|.
  3. If |options|.|cryptosuite| is `schnorr-secp256k1-rdfc-2025`:
    1. Set |cryptosuite|.|createProof| to the algorithm in Section [[[#create-proof-schnorr-secp256k1-rdfc-2025]]].
    2. Set |cryptosuite|.|verifyProof| to the algorithm in Section [[[#verify-proof-schnorr-secp256k1-rdfc-2025]]].
  4. If |options|.|cryptosuite| is `schnorr-secp256k1-jcs-2025`:
    1. Set |cryptosuite|.|createProof| to the algorithm in Section [[[#create-proof-schnorr-secp256k1-jcs-2025]]].
    2. Set |cryptosuite|.|verifyProof| to the algorithm in Section [[[#verify-proof-schnorr-secp256k1-jcs-2025]]].
  5. Return |cryptosuite|.

schnorr-secp256k1-rdfc-2025

The `schnorr-secp256k1-rdfc-2025` cryptographic suite takes an input document, canonicalizes the document using the RDF Dataset Canonicalization algorithm [[RDF-CANON]], and then cryptographically hashes and signs the output resulting in the production of a data integrity proof. The algorithms in this section also include the verification of such a data integrity proof.

When the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] is used, implementations will detect dataset poisoning by default, and abort processing upon such detection.

Create Proof (schnorr-secp256k1-rdfc-2025)

The following algorithm specifies how to create a [=data integrity proof=] given an unsecured data document. Required inputs are an unsecured data document ([=map=] |unsecuredDocument|), and a set of proof options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error, is produced as output.

  1. Let |proof| be a clone of the proof options, |options|.
  2. Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-schnorr-secp256k1-rdfc-2025]]] with |options| passed as a parameter.
  3. Let |transformedData| be the result of running the algorithm in Section with |unsecuredDocument|, |proofConfig|, and |options| passed as parameters.
  4. Let |hashData| be the result of running the algorithm in Section [[[#hashing-schnorr-secp256k1-rdfc-2025]]] with |transformedData| and |proofConfig| passed as a parameters.
  5. Let |proofBytes| be the result of running the algorithm in Section [[[#proof-serialization-schnorr-secp256k1-rdfc-2025]]] with |hashData| and |options| passed as parameters.
  6. Let |proof|.|proofValue| be a base58-btc-encoded Multibase value of the |proofBytes|.
  7. Return |proof| as the [=data integrity proof=].

Verify Proof (schnorr-secp256k1-rdfc-2025)

The following algorithm specifies how to verify a [=data integrity proof=] given an secured data document. Required inputs are an secured data document ([=map=] |securedDocument|). This algorithm returns a verification result, which is a [=struct=] whose [=struct/items=] are:

verified
`true` or `false`
verifiedDocument
if [=verification result/verified=] is `false`, Null; otherwise, an [=unsecured data document=]
  1. Let |unsecuredDocument| be a copy of |securedDocument| with the `proof` value removed.
  2. Let |proofOptions| be the result of a copy of |securedDocument|.|proof| with `proofValue` removed.
  3. Let |proofBytes| be the Multibase decoded base58-btc value in |securedDocument|.|proof|.|proofValue|.
  4. Let |transformedData| be the result of running the algorithm in Section with |unsecuredDocument| and |proofOptions| passed as parameters.
  5. Let |proofConfig| be the result of running the algorithm in Section with |unsecuredDocument| and |proofOptions| passed as parameters.
  6. Let |hashData| be the result of running the algorithm in Section [[[#hashing-schnorr-secp256k1-rdfc-2025]]] with |transformedData| and |proofConfig| passed as a parameters.
  7. Let |verified:boolean| be the result of running the algorithm in Section [[[#proof-verification-schnorr-secp256k1-rdfc-2025]]] algorithm on |hashData|, |proofBytes|, and |proofConfig|.
  8. Return a [=verification result=] with [=struct/items=]:
    [=verified=]
    |verified|
    [=verifiedDocument=]
    if |verified| is `true`, |unsecuredDocument|; otherwise, Null

Transformation (schnorr-secp256k1-rdfc-2025)

The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section [[[#hashing-schnorr-secp256k1-rdfc-2025]]].

Required inputs to this algorithm are an unsecured data document (`unsecuredDocument`) and transformation options (`options`). The transformation options MUST contain a type identifier for the cryptographic suite (`type`) and a cryptosuite identifier (`cryptosuite`). A transformed data document is produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8 encoding.

  1. If `options`.`type` is not set to the string `DataIntegrityProof` and `options`.`cryptosuite` is not set to the string `schnorr-secp256k1-rdfc-2025`, an error MUST be raised that SHOULD convey an error type of PROOF_TRANSFORMATION_ERROR.
  2. Let |canonicalDocument| be the result of converting |unsecuredDocument| to RDF statements, applying the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] to the result, and then serializing the result to a serialized canonical form [[RDF-CANON]].
  3. Return `canonicalDocument` as the transformed data document.

Hashing (schnorr-secp256k1-rdfc-2025)

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section [[[#proof-serialization-schnorr-secp256k1-rdfc-2025]]] or Section [[[#proof-verification-schnorr-secp256k1-rdfc-2025]]].

The required inputs to this algorithm are a transformed data document (`transformedDocument`) and canonical proof configuration (`canonicalProofConfig`). A single hash data value represented as series of bytes is produced as output.

  1. Let `bytesToHash` be the result of concatenating the `canonicalProofConfig` with the `transformedDocument`.
  2. Let `hashData` be the result of applying the SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]] to the `bytesToHash`. `hashData` will be exactly 32 bytes in size.
  3. Return `hashData` as the hash data.

Proof Configuration (schnorr-secp256k1-rdfc-2025)

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.

The required inputs to this algorithm are the document (|unsecuredDocument|) and the proof options (`options`). The proof options MUST contain a type identifier for the cryptographic suite (`type`) and MUST contain a cryptosuite identifier (`cryptosuite`). A proof configuration object is produced as output.

  1. Let |proofConfig| be a clone of the |options| object.
  2. If |proofConfig|.|type| is not set to `DataIntegrityProof` and/or |proofConfig|.|cryptosuite| is not set to `schnorr-secp256k1-rdfc-2025`, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
  3. If |proofConfig|.|created| is present and set to a value that is not a valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
  4. Set |proofConfig|.`@context `to |unsecuredDocument|.@context.
  5. Let |canonicalProofConfig| be the result of applying the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] to the |proofConfig|.
  6. Return |canonicalProofConfig|.

Proof Serialization (schnorr-secp256k1-rdfc-2025)

The following algorithm specifies how to serialize a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (`hashData`) and proof options (`options`). The proof options MUST contain a type identifier for the cryptographic suite (`type`) and MAY contain a cryptosuite identifier (`cryptosuite`). A single digital proof value represented as series of bytes is produced as output.

  1. Let |privateKeyBytes| be the result of retrieving the private key bytes (or a signing interface enabling the use of the private key bytes) associated with the verification method identified by the |options|.|verificationMethod| value..
  2. Let `proofBytes` be the result of applying the secp266k1 Schnorr Digital Signature Algorithm [[BIP340]], with `hashData` as the data to be signed using the private key specified by `privateKeyBytes`. `proofBytes` will be exactly 64 bytes in size.
  3. Return `proofBytes` as the digital proof.

Proof Verification (schnorr-secp256k1-rdfc-2025)

The following algorithm specifies how to verify a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (`hashData`), a digital signature (`proofBytes`) and proof options (`options`). A verification result represented as a boolean value is produced as output.

  1. Let `publicKeyBytes` be the result of retrieving the public key bytes associated with the `options`.`verificationMethod` value as described in the [[[controller-document]]] specification, Section 3.3: Retrieve Verification Method.
  2. Let `verificationResult` be the result of applying the verification algorithm for the Schnorr Signatures for secp256k1 Algorithm [[BIP340]] with `hashData` as the data to be verified against the `proofBytes` using the public key specified by `publicKeyBytes`.
  3. Return `verificationResult` as the verification result.

schnorr-secp256k1-jcs-2025

The `schnorr-secp256k1-jcs-2025` cryptographic suite takes an input document, canonicalizes the document using the JSON Canonicalization Scheme [[RFC8785]], and then cryptographically hashes and signs the output resulting in the production of a data integrity proof.

Create Proof (schnorr-secp256k1-jcs-2025)

The following algorithm specifies how to create a [=data integrity proof=] given an unsecured data document. Required inputs are an unsecured data document ([=map=] |unsecuredDocument|), and a set of proof options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error, is produced as output.

  1. Let |proof| be a clone of the proof options, |options|.
  2. If `unsecuredDocument`.@context is present, set `proof`.@context to `unsecuredDocument`.@context.
  3. Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-schnorr-secp256k1-jcs-2025]]] with |proof| passed as the proof options parameter.
  4. Let |transformedData| be the result of running the algorithm in Section [[[#transformation-schnorr-secp256k1-jcs-2025]]] with |unsecuredDocument| and |options| passed as parameters.
  5. Let |hashData| be the result of running the algorithm in Section [[[#hashing-schnorr-secp256k1-jcs-2025]]] with |transformedData| and |proofConfig| passed as a parameters.
  6. Let |proofBytes| be the result of running the algorithm in Section [[[#proof-serialization-schnorr-secp256k1-jcs-2025]]] with |hashData| and |options| passed as parameters.
  7. Let |proof|.|proofValue| be a base58-btc-encoded Multibase value of the |proofBytes|.
  8. Return |proof| as the [=data integrity proof=].

Verify Proof (schnorr-secp256k1-jcs-2025)

The following algorithm specifies how to verify a [=data integrity proof=] given an secured data document. Required inputs are an secured data document ([=map=] |securedDocument|). This algorithm returns a [=verification result=], which is a [=struct=] whose [=struct/items=] are:

[=verification result/verified=]
`true` or `false`
[=verification result/verifiedDocument=]
if [=verification result/verified=] is `true`, an [=unsecured data document=]; otherwise Null
  1. Let |unsecuredDocument| be a copy of |securedDocument| with the `proof` value removed.
  2. Let |proofOptions| be the result of a copy of |securedDocument|.|proof| with `proofValue` removed.
  3. Let |proofBytes| be the Multibase decoded base58-btc value in |securedDocument|.|proof|.|proofValue|.
  4. If |proofOptions|.@context exists:
    1. Check that the |securedDocument|.@context starts with all values contained in the |proofOptions|.@context in the same order. Otherwise, set |verified| to `false` and skip to the last step.
    2. Set |unsecuredDocument|.@context equal to |proofOptions|.@context.
  5. Let |transformedData| be the result of running the algorithm in Section [[[#transformation-schnorr-secp256k1-jcs-2025]]] with |unsecuredDocument| and |proofOptions| passed as parameters.
  6. Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-schnorr-secp256k1-jcs-2025]]] with |proofOptions| passed as the parameter.
  7. Let |hashData| be the result of running the algorithm in Section [[[#hashing-schnorr-secp256k1-jcs-2025]]] with |transformedData| and |proofConfig| passed as a parameters.
  8. Let |verified:boolean| be the result of running the algorithm in Section [[[#proof-verification-schnorr-secp256k1-jcs-2025]]] on |hashData|, |proofBytes|, and |proofConfig|.
  9. Return a [=verification result=] with [=struct/items=]:
    [=verified=]
    |verified|
    [=verifiedDocument=]
    if |verified| is `true`, |unsecuredDocument|; otherwise, Null

Transformation (schnorr-secp256k1-jcs-2025)

The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section [[[#hashing-schnorr-secp256k1-jcs-2025]]].

Required inputs to this algorithm are an unsecured data document (`unsecuredDocument`) and transformation options (`options`). The transformation options MUST contain a type identifier for the cryptographic suite (`type`) and a cryptosuite identifier (`cryptosuite`). A transformed data document is produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8 encoding.

  1. If `options`.`type` is not set to the string `DataIntegrityProof` and `options`.`cryptosuite` is not set to the string `schnorr-secp256k1-jcs-2025`, an error MUST be raised that SHOULD convey an error type of PROOF_VERIFICATION_ERROR.
  2. Let `canonicalDocument` be the result of applying the JSON Canonicalization Scheme [[RFC8785]] to a JSON serialization of the `unsecuredDocument`.
  3. Return `canonicalDocument` as the transformed data document.

Hashing (schnorr-secp256k1-jcs-2025)

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section [[[#proof-serialization-schnorr-secp256k1-jcs-2025]]] or Section [[[#proof-verification-schnorr-secp256k1-jcs-2025]]].

The required inputs to this algorithm are a transformed data document (`transformedDocument`) and canonical proof configuration (`canonicalProofConfig`). A single hash data value represented as series of bytes is produced as output.

  1. Let `bytesToHash` be the result of concatenating the `canonicalProofConfig` with the `transformedDocument`.
  2. Let `hashData` be the result of applying the SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]] to the `bytesToHash`. `hashData` will be exactly 32 bytes in size.
  3. Return `hashData` as the hash data.

Proof Configuration (schnorr-secp256k1-jcs-2025)

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.

The required inputs to this algorithm are proof options (`options`). The proof options MUST contain a type identifier for the cryptographic suite (`type`) and MUST contain a cryptosuite identifier (`cryptosuite`). A proof configuration object is produced as output.

  1. Let `proofConfig` be a clone of the `options` object.
  2. If `proofConfig`.`type` is not set to `DataIntegrityProof` or `proofConfig`.`cryptosuite` is not set to `schnorr-secp256k1-jcs-2025`, an error MUST be raised that SHOULD convey an error type of PROOF_GENERATION_ERROR.
  3. If |proofConfig|.|created| is set to a value that is not a valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
  4. Let `canonicalProofConfig` be the result of applying the JSON Canonicalization Scheme [[RFC8785]] to the `proofConfig`.
  5. Return `canonicalProofConfig`.

Proof Serialization (schnorr-secp256k1-jcs-2025)

The following algorithm specifies how to serialize a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (`hashData`) and proof options (`options`). The proof options MUST contain a type identifier for the cryptographic suite (`type`) and MAY contain a cryptosuite identifier (`cryptosuite`). A single digital proof value represented as series of bytes is produced as output.

  1. Let |privateKeyBytes| be the result of retrieving the private key bytes (or a signing interface enabling the use of the private key bytes) associated with the verification method identified by the |options|.|verificationMethod| value.
  2. Let `proofBytes` be the result of applying the Schnorr Signatures for secp256k1 algorithm [[BIP340]], with `hashData` as the data to be signed using the private key specified by `privateKeyBytes`. `proofBytes` will be exactly 64 bytes in size.
  3. Return `proofBytes` as the digital proof.

Proof Verification (schnorr-secp256k1-jcs-2025)

The following algorithm specifies how to verify a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (`hashData`), a digital signature (`proofBytes`) and proof options (`options`). A verification result represented as a boolean value is produced as output.

  1. Let `publicKeyBytes` be the result of retrieving the public key bytes associated with the `options`.`verificationMethod` value as described in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Retrieving Cryptographic Material.
  2. Let `verificationResult` be the result of applying the verification algorithm for the Schnorr secp256k1 digital signature algorithm [[BIP340]], with `hashData` as the data to be verified against the `proofBytes` using the public key specified by `publicKeyBytes`.
  3. Return `verificationResult` as the verification result.

Security Considerations

Before reading this section, readers are urged to familiarize themselves with general security advice provided in the Security Considerations section of the Data Integrity specification.

The following section describes security considerations that developers implementing this specification should be aware of in order to create secure software.

TODO: Security Properties of BIP340 Schnorr Secp256k1 Implementations

Privacy Considerations

Before reading this section, readers are urged to familiarize themselves with general privacy advice provided in the Privacy Considerations section of the Data Integrity specification.

The following section describes privacy considerations that developers implementing this specification should be aware of in order to avoid violating privacy assumptions.

Selective and Unlinkable Disclosure

The cryptographic suites described in this specification do not support [=selective disclosure=] or [=unlinkable disclosure=]. If [=selective disclosure=] is a desired feature, readers might find the [[[?VC-DI-ECDSA]]] specification useful. If [=unlinkable disclosure=] is of interest, the [[[?VC-DI-BBS]]] specification provides an unlinkable digital signature mechanism.

Test Vectors

TODO: Representation: schnorr-secp256k1-rdfc-2025

TODO: Representation: schnorr-secp256k1-jcs-2025

Revision History

This section contains the substantive changes that have been made to this specification over time.

Acknowledgements