Struct ed25519_zebra::PublicKey

pub struct PublicKey { /* fields omitted */ }

A valid Ed25519 public key.

This type holds decompressed state used in signature verification; if the public key may not be used immediately, it is probably better to use PublicKeyBytes, which is a refinement type for [u8; 32].

Zcash-specific consensus properties

Ed25519 checks are described in §5.4.5 of the Zcash protocol specification. However, it is not clear that the protocol specification matches the implementation in libsodium 1.0.15 used by zcashd. Note that the precise version is important because libsodium changed validation rules in point releases.

The spec says that a public key A is

a point of order l on the Ed25519 curve, in the encoding specified by…

but libsodium 1.0.15 does not check this. Instead it only checks whether the encoding of A is an encoding of a point on the curve and that the encoding is not all zeros. This implementation matches the libsodium behavior. This has implications for signature verification behaviour, as noted in the PublicKey::verify documentation.

Methods

impl PublicKey

pub fn verify(&self, signature: &Signature, msg: &[u8]) -> Result<(), Error>

Verify a purported signature on the given msg.

Zcash-specific consensus properties

Ed25519 checks are described in §5.4.5 of the Zcash protocol specification. However, it is not clear that the protocol specification matches the implementation in libsodium 1.0.15 used by zcashd. Note that the precise version is important because libsodium changed validation rules in point releases.

Ed25519 permits implementations to choose whether or not to multiply by the cofactor in the verification check. The Zcash spec does not say whether cofactor multiplication is performed, but the verification function used by zcashd does not perform cofactor multiplication, so this implementation does not either.

The spec says that the signature's R value

MUST represent a point on the Ed25519 curve of order at least l

but libsodium 1.0.15 does not seem to check this directly. Instead it recomputes the expected R value and then compares its encoding against the provided encoding of R. This implementation does the same check.

R is recomputed as R <- [s]B - [k]A. This is of low order if and only if s = 0 and [k]A is of low order. Assuming that k, computed as a hash output, is uncontrollable, [k]A is of low order if and only if A is of low order. However, as noted in the PublicKey docs, public key validation does not ensure that A is of order at least l, only that its encoding is nonzero.

Trait Implementations

impl Clone for PublicKey

fn clone(&self) -> PublicKey

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Copy for PublicKey

impl Debug for PublicKey

fn fmt(&self, f: &mut Formatter) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for PublicKey

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error> where
    __D: Deserializer<'de>, 

Deserialize this value from the given Serde deserializer.

impl<'a> From<&'a SecretKey> for PublicKey

fn from(sk: &'a SecretKey) -> PublicKey

Performs the conversion.

impl From<PublicKey> for PublicKeyBytes

fn from(pk: PublicKey) -> PublicKeyBytes

Performs the conversion.

impl From<PublicKey> for [u8; 32]

fn from(pk: PublicKey) -> [u8; 32]

Performs the conversion.

impl Serialize for PublicKey

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error> where
    __S: Serializer, 

Serialize this value into the given Serde serializer.

impl TryFrom<[u8; 32]> for PublicKey

type Error = Error

The type returned in the event of a conversion error.

fn try_from(bytes: [u8; 32]) -> Result<Self, Self::Error>

Performs the conversion.

impl TryFrom<PublicKeyBytes> for PublicKey

type Error = Error

The type returned in the event of a conversion error.

fn try_from(bytes: PublicKeyBytes) -> Result<Self, Self::Error>

Performs the conversion.