diff git a/asn.1/Circulex.asn b/asn.1/Circulex.asn
index 4a52401..cea5fc3 100644
 a/asn.1/Circulex.asn
+++ b/asn.1/Circulex.asn
@@ 1,414 +1,370 @@
Circulex
DEFINITIONS
AUTOMATIC TAGS ::=
BEGIN
IMPORTS Nanosecond FROM TAI64N;
 Generally useful things
LimitedString ::= UTF8String (SIZE (0 .. 255))
NonnegativeInteger ::= INTEGER (0 .. MAX)
PositiveInteger ::= INTEGER (1 .. MAX)
TimeLabel ::= Nanosecond
 Hashes
HashAlgorithm ::= SEQUENCE {
algorithm OCTET STRING,
outputLength PositiveInteger
}
Hash ::= SEQUENCE {
algorithm OCTET STRING,
body OCTET STRING
}
 Signatures
 Ristretto255Element ::= OCTET STRING (SIZE (32))
 Ristretto255Key ::= Ristretto255Element
 Ristretto255Signature ::= SEQUENCE {
 bigR Ristretto255Element,
 bigS OCTET STRING (SIZE (32))
 }

 SignatureScheme ::= ENUMERATED {
 experimental,
 ristretto255shake256,
+ SignatureScheme ::= CHOICE {
+ experimental OCTET STRING,
+ ristretto255shake256 NULL,
...
}
 SIGNATURES ::= CLASS {
 &scheme SignatureScheme UNIQUE,
 &KeyType,
 &SignatureType
 } WITH SYNTAX { &scheme, &KeyType, &SignatureType }

 Signatures SIGNATURES ::= {
 {
 experimental,
 OCTET STRING,
 OCTET STRING
 }  {
 ristretto255shake256,
 Ristretto255Key,
 Ristretto255Signature
 }, ...
 }

PublicKey ::= SEQUENCE {
 scheme SIGNATURES.&scheme ({Signatures}),
 key SIGNATURES.&KeyType ({Signatures}{@scheme})
+ scheme SignatureScheme,
+ key OCTET STRING
}
Signable ::= CHOICE {
experimental OCTET STRING,
hintBody HintBody,
paymentPath SignablePath,
completeAgreement SignablePath,
...
}
 Identifying and commmunicating with other participants
PeerID ::= OCTET STRING
MultiAddress ::= OCTET STRING
Identity ::= CHOICE {
experimental OCTET STRING,
libp2p PeerID,
...
}
ContactDetails ::= SEQUENCE {
identity Identity,
addresses SEQUENCE OF MultiAddress
}
 Requesting payment (outofband)
Currency ::= SEQUENCE {
experimental OCTET STRING,
standard UTF8String
(SIZE (3) ^ FROM ("A".."Z")),
userDefined LimitedString,
...
}
Amount ::= SEQUENCE {
currency Currency,
numerator INTEGER,
denominator PositiveInteger
}
Target ::= SEQUENCE {
participant Identity OPTIONAL,
currency Currency OPTIONAL,
payload Amount OPTIONAL
}
PaymentRequest ::= SEQUENCE {
payee ContactDetails,
amount Amount,
paywiseTarget Target,
reference LimitedString OPTIONAL
}
 Path types
CommonTransactionParameters ::= SEQUENCE {
completionDeadline TimeLabel,
finalityDeadline TimeLabel,
initiatorPublicKey PublicKey
}
SimplePath ::= SEQUENCE {
talkwise BOOLEAN,
 keys SEQUENCE OF SIGNATURES.&KeyType ({Signatures})
+ keys OCTET STRING
}
SignedSimplePath ::= SEQUENCE {
maximumLength PositiveInteger,
commonParameters CommonTransactionParameters,
 path SimplePath (CONSTRAINED BY {
  The &KeyType of the keys of this path MUST correspond with the
  scheme of the initiatorPublicKey in the commonParameters,
  according to the Signatures table.
 }),
 signatures SEQUENCE OF SIGNATURES.&SignatureType ({Signatures})
 (CONSTRAINED BY {
  &SignatureType MUST correspond with the scheme of the
  initiatorPublicKey in the commonParameters, according to the
  Signatures table.
 })
+ path SimplePath,
+ signatures OCTET STRING
}
PathType ::= ENUMERATED {
experimental,
simple,
...
}
PATHTYPES ::= CLASS {
&pathType PathType UNIQUE,
&PathParameters,
&UnsignedPath,
&SignedPath
} WITH SYNTAX {&pathType, &PathParameters, &UnsignedPath, &SignedPath}
PathTypes PATHTYPES ::= {
{experimental, OCTET STRING, OCTET STRING, OCTET STRING } 
{simple, PositiveInteger, SimplePath, SignedSimplePath},
...
}
SpecificPathType ::= SEQUENCE {
pathType PATHTYPES.&pathType ({PathTypes}),
parameters PATHTYPES.&PathParameters ({PathTypes}{@pathType})
}
TransactionIdentifier ::= SEQUENCE {
specificPathType SpecificPathType,
commonParameters CommonTransactionParameters
}
SignablePath ::= SEQUENCE {
transaction TransactionIdentifier,
path PATHTYPES.&UnsignedPath ({PathTypes})
(CONSTRAINED BY {
 &UnsignedPath MUST correspond with the pathType of the
 specificPathType of the transaction, according to the
 PathTypes table.
})
}
SignedPaymentPath ::= SEQUENCE {
pathType PATHTYPES.&pathType ({PathTypes}),
signedPath PATHTYPES.&SignedPath ({PathTypes}{@pathType})
}
 Invitation
Invitation ::= SEQUENCE {
mediumTermKeys SEQUENCE OF PublicKey,
pathTypes SEQUENCE OF SpecificPathType,
bandwidthLimit NonnegativeInteger,
relays SEQUENCE OF ContactDetails,
sentAt TimeLabel
}
 Statement
StatementSubject ::= SEQUENCE {
fromTime TimeLabel,
toTime TimeLabel,
currency Currency
}
Range ::= SEQUENCE {
minimum INTEGER OPTIONAL,
maximum INTEGER OPTIONAL
}
Statement ::= SEQUENCE {
subject StatementSubject,
denominator PositiveInteger,
openingBalance INTEGER,
closingBalance INTEGER,
agreements SEQUENCE OF PublicKey,
balanceLimits Range,
transactionSizes Range,
maximumOutstanding NonnegativeInteger OPTIONAL,
durationOutstanding NonnegativeInteger OPTIONAL,
sentAt TimeLabel
}
 Relay offer
RelayOffer ::= SEQUENCE {
signatureSchemes SEQUENCE OF SignatureScheme,
pathTypes SEQUENCE OF SpecificPathType,
validUntil TimeLabel,
bandwidthLimit NonnegativeInteger
}
 Ping
Ping ::= SEQUENCE {
sentAt TimeLabel,
padding OCTET STRING
}
 Pong
Pong ::= SEQUENCE {
pingSentAt TimeLabel,
receivedAt TimeLabel
}
 Relay request
RelayRequestContext ::= CHOICE {
until TimeLabel,
transaction TransactionIdentifier
}
RelayRequest ::= SEQUENCE {
context RelayRequestContext,
destinations SEQUENCE OF ContactDetails
}
 Latency report
LatencyProbability ::= SEQUENCE {
latency INTEGER,
probability REAL (0 .. 1)
}
LatencyProfile ::= SEQUENCE {
destination Identity,
profile SEQUENCE OF LatencyProbability
}
LatencyReport ::= SEQUENCE {
requestContext RelayRequestContext,
latencyProfiles SEQUENCE OF LatencyProfile
}
 Hint
HintSubject ::= SEQUENCE {
talkwise BOOLEAN,
transaction TransactionIdentifier
}
HintBody ::= SEQUENCE {
subject HintSubject,
target Target
}
Hint ::= SEQUENCE {
body HintBody,
 signature SIGNATURES.&SignatureType ({Signatures})
 (CONSTRAINED BY {
  &SignatureType MUST correspond with the scheme of the
  initiatorPublicKey in the commonParameters of the transaction
  in the subject of the body of the Hint, according to the
  Signatures table.
 })
+ signature OCTET STRING
}
 Partial agreement
PaymentSpecification ::= SEQUENCE {
record BOOLEAN,
amount Amount,
reference LimitedString OPTIONAL
}
BilateralAgreement ::= SEQUENCE {
deadline TimeLabel,
talkwiseInvitation Hash,
reversalDeadline TimeLabel,
paywiseInvitation Hash,
payments SEQUENCE (SIZE (1 .. MAX)) OF PaymentSpecification
}
UnsignedPartialAgreement ::= SEQUENCE {
agreement BilateralAgreement,
path SignablePath
}
PartialAgreement ::= SEQUENCE {
agreement BilateralAgreement,
path SignedPaymentPath
}
 Complete agreements
CompleteAgreement ::= SEQUENCE {
path SignedPaymentPath,
 finalSignature SIGNATURES.&SignatureType ({Signatures})
 (CONSTRAINED BY {
  &SignatureType MUST correspond with the SignatureScheme
  specified by the path, according to the Signatures table.
 })
+ finalSignature OCTET STRING
}
 Receipt
Receipt ::= SEQUENCE {
receivedAt TimeLabel,
agreement CompleteAgreement
}
 Tally
Tally ::= SEQUENCE {
transaction TransactionIdentifier,
receiptsSent INTEGER (0 .. 3)
}
 Missing information request
MessageType ::= ENUMERATED {
experimental,
invitation,
statement,
relayOffer,
ping,
pong,
relayRequest,
latencyReport,
relayRejection,
hint,
partialAgreement,
completeAgreement,
receipt,
tally,
missingInformation,
...
}
REQUESTABLE ::= CLASS {
&type MessageType UNIQUE,
&IdentifiedBy
} WITH SYNTAX {
&type,
&IdentifiedBy
}
Requestable REQUESTABLE ::= {
{experimental, OCTET STRING } 
{invitation, Hash } 
{statement, StatementSubject } 
{hint, HintSubject } 
{partialAgreement, PublicKey } 
{receipt, TransactionIdentifier } 
{tally, TransactionIdentifier },
...
}
MissingInformation ::= SEQUENCE {
type REQUESTABLE.&type ({Requestable}),
identifiedBy REQUESTABLE.&IdentifiedBy ({Requestable}{@type})
}
 Messages
SENDABLE ::= CLASS {
&type MessageType UNIQUE,
&BodyType
} WITH SYNTAX {
&type,
&BodyType
}
Sendable SENDABLE ::= {
{experimental, OCTET STRING } 
{invitation, Invitation } 
{statement, Statement } 
{relayOffer, RelayOffer } 
{ping, Ping } 
{pong, Pong } 
{relayRequest, RelayRequest } 
{latencyReport, LatencyReport } 
{relayRejection, SEQUENCE OF Identity } 
{hint, Hint } 
{partialAgreement, PartialAgreement } 
{receipt, Receipt } 
{tally, Tally } 
{missingInformation, MissingInformation },
...
}
Message ::= SEQUENCE {
context ENUMERATED {unquoted, quotingMe, quotingYou} DEFAULT unquoted,
type SENDABLE.&type ({Sendable}),
body SENDABLE.&BodyType ({Sendable}{@type})
}
END
diff git a/signatures.tex b/signatures.tex
index 2fcdebf..ec364f7 100644
 a/signatures.tex
+++ b/signatures.tex
@@ 1,172 +1,169 @@
\subsection{Signature scheme}\seclabel{signatures}
Although
circulex allows future flexibility in
the choice of signature scheme,
only one signature scheme is
specified for use in this version of circulex;
it's inspired by \emph{EdDSA for more curves} \cite{eddsamore},
but uses ristretto255 \cite{ristretto} as the underlying group.
Let $\ell = 2^{252} + 27742317777372353535851937790883648493$,
the order of the ristretto255 group;
let $B$ denote its standard basepoint.
The canonical encoding of an element $A$ of the group is
denoted $\underline{A}$.
A scalar $S$ for the group is an integer modulo $\ell$, and is
encoded as $\underline{S}$ using
the usual \num{256}bit littleendian encoding of
$\lbrace 0, 1, \ldots, \ell  1\rbrace$.
Let $H$ denote \shake{} with \num{512} bits of output \cite{sha3};
when its output is to be used as an integer,
it is to be interpreted as the littleendian encoding of
an integer in $\lbrace 0, 1, \ldots, 2^{512}  1 \rbrace$.
For integers $i$ and $j$ such that $0 \leq i < j \leq 512$,
let $h_i(x)$ denote bit $i$ of the output of $H(x)$
(the first bit being counted as bit $0$)
and $h_{i,j}(x)$ denote the part of the output of $H(x)$
from bit $i$ to bit $j  1$, inclusive,
so that
$h_{0,512}(x) = H(x)$,
$h_{i,i+1}(x) = h_i(x)$, and
$h_{i,j}(x) \ h_{j,k}(x) = h_{i,k}(x)$
for $0 \leq i < j < k \leq 512$.
Let $s(x) = 2^{251} + \sum_{0 \leq i < 251} 2^i h_i(x)$,
so that $s(x)$ is a nonzero scalar.
When an instance wants to generate a public key for itself
(either a mediumterm one or a temporary one),
it generates a new secret key $k$ and
calculates its corresponding public key
$\underline{A} = \underline{s(k)B}$.
Along with $k$, the scalar $s(k)$ \must{} be kept secret.
When the instance generates $k$, it \must{}
choose it randomly (or pseudorandomly) using
a uniform distribution over a set of
at least $2^{256}$ options.
Choices of different secret keys \must{} be
probabilistically independent of each other.
An instance \shouldnot{} reuse a public key when it's
unnecessary to do so.
An instance can also, whenever it wants to, generate a public key
for one of its peers, such that only that peer is able to
create signatures that are valid under that public key.
For this purpose, each instance is \required{} to have
 for each peer it is willing to have as a neighbour in a transaction 
a mediumterm secret key;
the corresponding public key \must{} be known to
the relevant peer.
It is \recommended{} that these mediumterm keys are regularly changed, to
minimize the impact of any unwitting disclosure of the secret keys.
Suppose instance $0$ has
mediumterm key pair $\left(\underline{A_0}, k_0\right)$,
and instance $1$ has
mediumterm key pair $\left(\underline{A_1}, k_1\right)$;
each instance's mediumterm public key is known to the other instance.
Each instance \must{} verify that
the other's public key is not $0$.
Instance $i$ calculates a group element $A_{i,1i}$ as follows:
$A_{i,1i} = s(k_i)A_{1i}$.
It follows that $A_{1,0} = A_{0,1}$ because
$s(k_1)A_0 = s(k_1)s(k_0)B = s(k_0)s(k_1)B = s(k_0)A_1$;
this is a shared secret group element for instances $0$ and $1$,
and they \must{} keep it secret.
Suppose instance $1$ wishes to provide instance $0$ with
a temporary public key $\underline{T}$ in a way that
enables instance $0$ (and only instance $0$) to
construct signatures that pass verification under $\underline{T}$.
Instance $1$ generates some data $x$
and sends it to instance $0$.
Each instance calculates
$T = s\left(\underline{A_{0,1}} \middle\ x\right)A_0$;
only instance $0$ knows a discrete logarithm of $T$ base $B$,
specifically
$t = s\left(\underline{A_{0,1}} \middle\ x\right)s(k_0)$,
which \must{} be kept secret.
Given a message $M$ on which instance $0$ wishes to construct a signature that
passes verification under the public key $\underline{T}$, it calculates
$r = H(h_{256,512}(k_0) \ x \ M)$.
(Notice the inclusion of $x$ in the input of $H$;
without it, instance $1$ might be able to induce instance $0$ to
sign the same message multiple times with the same value of $r$,
but with different values of $t$,
leading to the discovery of $s(k_0)$ by instance $1$.)
Instance $0$ then calculates $R = rB$ and
$S
=
\left(r
+ H
\left( \underline{R}
\middle\ \underline{T}
\middle\ M
\right)
t
\right)
\mod \ell$
and outputs the signature
$\left(\underline{R} \middle\ \underline{S}\right)$.
If an instance with key pair $\left(\underline{A}, k\right)$
wishes to construct a signature that
passes verification under $\underline{A}$
(rather than under a public key generated for it by a peer),
it proceeds as in the previous paragraph, but with
$T = A$, $t = s(k)$, and $x$ being empty,
so that $r = H(h_{256,512}(k) \ M)$.
When an instance wishes to verify that
a purported signature $\left(\underline{R}, \underline{S}\right)$
on a message $M$
is valid under a public key $\underline{T}$,
it parses
$\underline{R}$ and $\underline{T}$ as
group elements $R$ and $T$, respecively,
and $\underline{S}$ as a scalar $S$.
It then checks that
$0 \leq S < \ell$ and
$S B = R + H\left(\underline{R} \ \underline{T} \ M\right) T$.
If the inequalities and the equality all hold,
the signature is valid;
otherwise it is invalid.
The warnings in \emph{\eddsa{} for more curves}
(\cite{eddsamore}, page \num3)
regarding different choices of $r$ \should{} be heeded;
implementers \shouldnot{} succumb to the temptation to
create signatures using other choices of $r$,
which may be accidentally repeated or too easily guessable,
leading to an attacker discovering the signer's secret scalar and
forging signatures.
The ASN.1 definitions for the above signature scheme are:
\nextlines{7}
In the encoding of a signature
$\left(\underline{R}, \underline{S}\right)$
as a \textasn{Ristretto255Signature},
the elements are:
\begin{asndescription}
 \item[bigR] The encoding $\underline{R}$ of $R$.
 \item[bigS] The encoding $\underline{S}$ of $S$.
\end{asndescription}

For signature schemes generally:
\nextlines{28}
+The ASN.1 definitions for signature schemes generally are:
+\nextlines{6}
+When using the \textasn{experimental} alternative,
+the octet string \should{} contain
+a code that is believed to be unique to that experiment,
+in order to distinguish it from other experiments.
+The experiment \may{} also prescribe
+other data to be included in the octet string,
+such as signature scheme parameters.
+\nextlines{4}
The elements of a \textasn{PublicKey} are:
\begin{asndescription}
\item[scheme]
The signature scheme to be used with this public key.
\item[key] The public key itself.
\end{asndescription}
The message $M$ for which a signature is created \must{} be
the COER encoding of a \textasn{Signable} object.
\nextlines{7}
See below for the definitions of
\textasn{HintBody} and \textasn{SignablePath},
as well as further conditions restricting
the circumstances under which signatures may be created.
diff git a/transaction.tex b/transaction.tex
index d3f427f..d3b9fd8 100644
 a/transaction.tex
+++ b/transaction.tex
@@ 1,49 +1,49 @@
\subsection{Transaction identifier}
All \emph{transaction identifiers} contain
\emph{common transaction parameters} as follows:
\VerbatimInput[firstline=114,lastline=119]{asn.1/Circulex.asn}
+\VerbatimInput[firstline=89,lastline=94]{asn.1/Circulex.asn}
The elements have the following meanings:
\begin{asndescription}
\item[completionDeadline]
The \emph{completion deadline} of
the transaction 
that is, the time at which the initiator wishes to
construct a complete agreement for this transaction.
An instance that might have already received a
complete agreement for a transaction
after its completion deadline \mustnot{} make any
new commitments regarding that transaction that
it consequently might not be able to keep.
An easy way to satisfy this prohibition is simply to
refrain from sending any
partial agreements or latency reports for a transaction
after its completion deadline.
\item[finalityDeadline]
The \emph{finality deadline} of the transaction 
the time by which
the disposition of the transaction will be finalized.
Reversal deadlines in partial agreements for this transaction
\mustnot{} be later than the finality deadline.
\item[initiatorPublicKey]
A temporary public key belonging to
the initiator of the transaction.
Instances \shouldnot{} use the same public key for
more than one transaction.
\end{asndescription}
DEPRECATED PARAGRAPH!
A \emph{transaction identifier} consists of
the following \num{48} bytes:
\begin{binarydescription}
\item[\bytes{0}{3}]
A number determining
the length of a valid complete agreement for the transaction,
and thereby specifying the maximum number of
bilateral agreements that can be included in the transaction.
\item[\bytes{4}{15}]
\item[\bytes{16}{47}]
\end{binarydescription}
Partial agreements and complete agreements are considered to
belong to the same transaction if and only if
they have identical transaction identifiers.