miden_core::crypto::dsa::eddsa_25519_sha512

Struct PublicKey

pub struct PublicKey { /* private fields */ }

Implementations§

Source §

impl PublicKey

Source

pub fn to_commitment(&self) -> Word

Returns a commitment to the public key using the RPO256 hash function.

The commitment is computed by first converting the public key to field elements (4 bytes per element), and then computing a sequential hash of the elements.

Source

pub fn verify(&self, message: Word, signature: &Signature) -> bool

Verifies a signature against this public key and message.

Source

pub fn compute_challenge_k( &self, message: Word, signature: &Signature, ) -> [u8; 64]

Computes the Ed25519 challenge hash from a message and signature.

This method computes the 64-byte hash SHA-512(R || A || message) where:

R is the signature’s R component (first 32 bytes)
A is the public key
message is the message bytes

The resulting 64-byte hash can be passed to verify_with_unchecked_k() which will reduce it modulo the curve order L to produce the challenge scalar.

§Use Case

This method is useful when you want to separate the hashing phase from the elliptic curve verification phase. You can:

Compute the hash using this method (hashing phase)
Verify using verify_with_unchecked_k(hash, signature) (EC phase)

This is equivalent to calling verify() directly, but allows the two phases to be executed separately or in different environments.

§Arguments

message - The message that was signed
signature - The signature to compute the challenge hash from

§Returns

A 64-byte hash that will be reduced modulo L in verify_with_unchecked_k()

§Example

let k_hash = public_key.compute_challenge_k(message, &signature);
let is_valid = public_key.verify_with_unchecked_k(k_hash, &signature).is_ok();
// is_valid should equal public_key.verify(message, &signature)

§Not Ed25519ph / RFC 8032 Prehash

This helper reproduces the standard Ed25519 challenge H(R || A || M) used when verifying signatures. It does not implement the RFC 8032 Ed25519ph variant, which prepends a domain separation string and optional context before hashing. Callers that require the Ed25519ph flavour must implement the additional domain separation logic themselves.

Source

pub fn verify_with_unchecked_k( &self, k_hash: [u8; 64], signature: &Signature, ) -> Result<(), UncheckedVerificationError>

Verifies a signature using a pre-computed challenge hash.

§⚠️ CRITICAL SECURITY WARNING ⚠️

THIS METHOD IS EXTREMELY DANGEROUS AND EASY TO MISUSE.

This method bypasses the standard Ed25519 verification process by accepting a pre-computed challenge hash instead of computing it from the message. This breaks Ed25519’s security properties in the following ways:

§Security Risks:

Signature Forgery: An attacker who can control the hash value can forge signatures for arbitrary messages without knowing the private key.
Breaks Message Binding: Standard Ed25519 cryptographically binds the signature to the message via the hash H(R || A || message). Accepting arbitrary hashes breaks this binding.
Bypasses Standard Protocol: If the hash is not computed correctly as SHA-512(R || A || message), this method bypasses standard Ed25519 verification and the signature will not be compatible with Ed25519 semantics.

§When This Might Be Used:

This method is only appropriate in very specific scenarios where:

You have a trusted computation environment that computes the hash correctly as SHA-512(R || A || message) (see compute_challenge_k())
You need to separate the hashing phase from the EC verification phase (e.g., for different execution environments or performance optimization)
You fully understand the security implications and have a threat model that accounts for them

When the hash is computed correctly, this method implements standard Ed25519 verification.

§Standard Usage:

For normal Ed25519 verification, use verify() instead.

§Performance

This helper decompresses the signature’s R component before performing group arithmetic and reuses the cached Edwards form of the public key. Expect it to be slower than calling verify() directly.

§Arguments

k_hash - A 64-byte hash (typically computed as SHA-512(R || A || message))
signature - The signature to verify

§Returns

Ok(()) if the verification equation [s]B = R + [k]A holds, or an error describing why the verification failed.

§Warning

Do NOT use this method unless you fully understand Ed25519’s cryptographic properties, have a specific need for this low-level operation, and are feeding it the exact SHA-512(R || A || message) output (without the Ed25519ph domain separation string).