Struct ed25519_zebra::PublicKey
A valid Ed25519 public key.

This type holds decompressed state used in signature verification; if the public key may not be used immediately, it is probably better to use PublicKeyBytes, which is a refinement type for [u8; 32].
Zcash-specific consensus properties

Ed25519 checks are described in §5.4.5 of the Zcash protocol specification. However, it is not clear that the protocol specification matches the implementation in libsodium 1.0.15 used by zcashd. Note that the precise version is important because libsodium changed validation rules in point releases.

The spec says that a public key A is "a point of order l on the Ed25519 curve, in the encoding specified by…", but libsodium 1.0.15 does not check this. Instead it only checks whether the encoding of A is an encoding of a point on the curve and that the encoding is not all zeros. This implementation matches the libsodium behavior. This has implications for signature verification behavior, as noted in the PublicKey::verify documentation.
Methods

impl PublicKey

pub fn verify(&self, signature: &Signature, msg: &[u8]) -> Result<(), Error>

Verify a purported signature on the given msg.
Zcash-specific consensus properties

Ed25519 checks are described in §5.4.5 of the Zcash protocol specification. However, it is not clear that the protocol specification matches the implementation in libsodium 1.0.15 used by zcashd. Note that the precise version is important because libsodium changed validation rules in point releases.

Ed25519 permits implementations to choose whether or not to multiply by the cofactor in the verification check. The Zcash spec does not say whether cofactor multiplication is performed, but the verification function used by zcashd does not perform cofactor multiplication, so this implementation does not either.

The spec says that the signature's R value "MUST represent a point on the Ed25519 curve of order at least l", but libsodium 1.0.15 does not seem to check this directly. Instead it recomputes the expected R value and then compares its encoding against the provided encoding of R. This implementation does the same check.

R is recomputed as R <- [s]B - [k]A. This is of low order if and only if s = 0 and [k]A is of low order. Assuming that k, computed as a hash output, is uncontrollable, [k]A is of low order if and only if A is of low order. However, as noted in the PublicKey docs, public key validation does not ensure that A is of order at least l, only that A is on the curve and its encoding is nonzero.
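The two rules documented above, the libsodium 1.0.15 public-key check (on the curve and not all zeros, no order check) and the verification check (recompute R <- [s]B - [k]A without cofactor multiplication and compare encodings), modelled in pure Python as an added example. This is not code from ed25519-zebra, libsodium or zcashd; it is a textbook affine-coordinate Ed25519 written to make the consensus rules concrete and runnable offline, which is why it is in Python rather than against the crate's Rust API. Assumptions beyond the page are labelled in the code: RFC 8032 point decoding (a non-canonical y is rejected), the RFC 8032 bound s < l, and the seed and message values, which are constructed. The example also shows two facts the doc text implies but does not spell out: the all-zero encoding itself decodes to a valid curve point (of order 4), which is why libsodium needs a separate nonzero check, and an order-2 point passes the key check, after which the doc's own low-order reasoning yields a signature with s = 0 that verifies without any secret key (low_order_forgery).

```python
import hashlib

# Ed25519 parameters (RFC 8032). The base point is recovered below from y = 4/5 with even x.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)  # a square root of -1 mod P
ZERO_ENC = bytes(32)


def _inv(v):
    return pow(v, P - 2, P)


def decompress(enc):
    """RFC 8032 decoding: (x, y) if enc encodes a curve point, else None.
    Rejecting a non-canonical y (>= P) is RFC 8032's rule; the page does not say how
    libsodium 1.0.15 treats such encodings, so that part is an assumption."""
    if len(enc) != 32:
        return None
    y = int.from_bytes(enc, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        return None
    x2 = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)            # candidate root, valid since P == 5 (mod 8)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P or (x == 0 and sign):
        return None                         # no square root: not a point on the curve
    return ((P - x) if (x & 1) != sign else x, y)


def compress(pt):
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def add(p1, p2):
    """Twisted Edwards addition (a = -1) in affine coordinates, one inversion per add."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    den = _inv((1 + t) * (1 - t) % P)
    return ((x1 * y2 + x2 * y1) * (1 - t) * den % P,
            (y1 * y2 + x1 * x2) * (1 + t) * den % P)


def mul(k, pt):
    acc, cur = (0, 1), pt                   # (0, 1) is the identity
    while k:
        if k & 1:
            acc = add(acc, cur)
        cur, k = add(cur, cur), k >> 1
    return acc


def neg(pt):
    return ((P - pt[0]) % P, pt[1])


B = decompress((4 * _inv(5) % P).to_bytes(32, "little"))
ORDER2_ENC = (P - 1).to_bytes(32, "little")  # the point (0, -1): order 2, nonzero encoding


def hash_to_scalar(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % L


def _expand(seed):
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)  # clamping
    return a, h[32:]


def public_key(seed):
    a, _ = _expand(seed)
    return compress(mul(a, B))


def sign(seed, msg):
    a, prefix = _expand(seed)
    A_enc = compress(mul(a, B))
    r = hash_to_scalar(prefix, msg)
    R_enc = compress(mul(r, B))
    s = (r + hash_to_scalar(R_enc, A_enc, msg) * a) % L
    return R_enc + s.to_bytes(32, "little")


def validate_public_key(enc):
    """The libsodium 1.0.15 rule quoted in the docs: a curve point whose encoding is
    not all zeros. Nothing here checks that the point has order l."""
    return enc != ZERO_ENC and decompress(enc) is not None


def verify(pk_enc, sig, msg):
    """Recompute R <- [s]B - [k]A with no cofactor multiplication and compare encodings,
    as the docs describe. The s < l bound is RFC 8032's rule, not discussed on the page."""
    if len(sig) != 64 or not validate_public_key(pk_enc):
        return False
    R_enc, s = sig[:32], int.from_bytes(sig[32:], "little")
    if s >= L:
        return False
    A = decompress(pk_enc)
    k = hash_to_scalar(R_enc, pk_enc, msg)
    return compress(add(mul(s, B), neg(mul(k, A)))) == R_enc


def low_order_forgery(pk_enc, msg):
    """The docs' reasoning carried to its end: with s = 0 the recomputed R is -[k]A, which
    for a low-order A (order dividing 8) takes at most eight values, so one of eight
    candidate (R, 0) pairs verifies with no secret key. Returns None if A is not low order."""
    A = decompress(pk_enc)
    for j in range(8):
        sig = compress(neg(mul(j, A))) + bytes(32)
        if verify(pk_enc, sig, msg):
            return sig
    return None
```

Running verify on a genuine signature and on a tampered message shows the normal path; validate_public_key(bytes(32)) is the one case the nonzero rule catches, while validate_public_key(ORDER2_ENC) passes, and low_order_forgery(ORDER2_ENC, msg) then returns a signature that verify accepts. A verifier that rejects low-order A at key validation, or that rejects a low-order R, closes that path; this model, like the rule it describes, does neither.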
Trait Implementations

impl Clone for PublicKey

impl Copy for PublicKey

impl Debug for PublicKey

impl<'de> Deserialize<'de> for PublicKey

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error> where __D: Deserializer<'de>

impl<'a> From<&'a SecretKey> for PublicKey

impl From<PublicKey> for PublicKeyBytes

fn from(pk: PublicKey) -> PublicKeyBytes

impl From<PublicKey> for [u8; 32]

impl Serialize for PublicKey

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error> where __S: Serializer

impl TryFrom<[u8; 32]> for PublicKey

type Error = Error

The type returned in the event of a conversion error.

fn try_from(bytes: [u8; 32]) -> Result<Self, Self::Error>

impl TryFrom<PublicKeyBytes> for PublicKey
Auto Trait Implementations
impl RefUnwindSafe for PublicKey
impl Send for PublicKey
impl Sync for PublicKey
impl Unpin for PublicKey
impl UnwindSafe for PublicKey
Blanket Implementations

impl<T> Any for T where T: 'static + ?Sized

impl<T> Borrow<T> for T where T: ?Sized

impl<T> BorrowMut<T> for T where T: ?Sized

fn borrow_mut(&mut self) -> &mut T

impl<T> DeserializeOwned for T where T: Deserialize<'de>

impl<T> From<T> for T

impl<T, U> Into<U> for T where U: From<T>

impl<T> Same<T> for T

type Output = T

Should always be Self

impl<T> ToOwned for T where T: Clone

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

fn clone_into(&self, target: &mut T)

impl<T, U> TryFrom<U> for T where U: Into<T>

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

impl<T, U> TryInto<U> for T where U: TryFrom<T>

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

impl<V, T> VZip<V> for T where V: MultiLane<T>