miden_crypto/dsa/eddsa_25519/

mod.rs

//! Ed25519 (EdDSA) signature implementation using Curve25519 and SHA-512 to hash
//! the messages when signing.

use alloc::{string::ToString, vec::Vec};

use ed25519_dalek::{Signer, Verifier};
use miden_crypto_derive::{SilentDebug, SilentDisplay};
use rand::{CryptoRng, RngCore};
use thiserror::Error;

use crate::{
    Felt, SequentialCommit, Word,
    ecdh::x25519::{EphemeralPublicKey, SharedSecret},
    utils::{
        ByteReader, ByteWriter, Deserializable, DeserializationError, Serializable,
        bytes_to_packed_u32_elements,
    },
    zeroize::{Zeroize, ZeroizeOnDrop},
};

#[cfg(test)]
mod tests;

// CONSTANTS
// ================================================================================================

/// Length of secret key in bytes
const SECRET_KEY_BYTES: usize = 32;
/// Length of public key in bytes
pub(crate) const PUBLIC_KEY_BYTES: usize = 32;
/// Length of signature in bytes
const SIGNATURE_BYTES: usize = 64;

// SECRET KEY
// ================================================================================================

/// Secret key for EdDSA (Ed25519) signature verification over Curve25519.
#[derive(Clone, SilentDebug, SilentDisplay)]
pub struct SecretKey {
    inner: ed25519_dalek::SigningKey,
}

impl SecretKey {
    /// Generates a new random secret key using the OS random number generator.
    #[cfg(feature = "std")]
    #[allow(clippy::new_without_default)]
    pub fn new() -> Self {
        let mut rng = rand::rng();

        Self::with_rng(&mut rng)
    }

    /// Generates a new secret key using RNG.
    pub fn with_rng<R: CryptoRng + RngCore>(rng: &mut R) -> Self {
        let mut seed = [0u8; SECRET_KEY_BYTES];
        rand::RngCore::fill_bytes(rng, &mut seed);

        let inner = ed25519_dalek::SigningKey::from_bytes(&seed);

        // Zeroize the seed to prevent leaking secret material
        seed.zeroize();

        Self { inner }
    }

    /// Gets the corresponding public key for this secret key.
    pub fn public_key(&self) -> PublicKey {
        PublicKey { inner: self.inner.verifying_key() }
    }

    /// Signs a message (Word) with this secret key.
    pub fn sign(&self, message: Word) -> Signature {
        let message_bytes: [u8; 32] = message.into();
        let sig = self.inner.sign(&message_bytes);
        Signature { inner: sig }
    }

    /// Computes a Diffie-Hellman shared secret from this secret key and the ephemeral public key
    /// generated by the other party.
    pub fn get_shared_secret(&self, pk_e: EphemeralPublicKey) -> SharedSecret {
        let shared = self.to_x25519().diffie_hellman(&pk_e.inner);
        SharedSecret::new(shared)
    }

    /// Converts this Ed25519 secret key into an [`x25519_dalek::StaticSecret`].
    ///
    /// This conversion allows using the same underlying scalar from the Ed25519 secret key
    /// for X25519 Diffie-Hellman key exchange. The returned `StaticSecret` can then be used
    /// in key agreement protocols to establish a shared secret with another party's
    /// X25519 public key.
    fn to_x25519(&self) -> x25519_dalek::StaticSecret {
        let mut scalar_bytes = self.inner.to_scalar_bytes();
        let static_secret = x25519_dalek::StaticSecret::from(scalar_bytes);

        // Zeroize the temporary scalar bytes
        scalar_bytes.zeroize();

        static_secret
    }
}

// SAFETY: The inner `ed25519_dalek::SigningKey` already implements `ZeroizeOnDrop`,
// which ensures that the secret key material is securely zeroized when dropped.
impl ZeroizeOnDrop for SecretKey {}

impl PartialEq for SecretKey {
    fn eq(&self, other: &Self) -> bool {
        use subtle::ConstantTimeEq;
        self.inner.to_bytes().ct_eq(&other.inner.to_bytes()).into()
    }
}

impl Eq for SecretKey {}

// PUBLIC KEY
// ================================================================================================

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PublicKey {
    pub(crate) inner: ed25519_dalek::VerifyingKey,
}

impl PublicKey {
    /// Returns a commitment to the public key using the RPO256 hash function.
    ///
    /// The commitment is computed by first converting the public key to field elements (4 bytes
    /// per element), and then computing a sequential hash of the elements.
    pub fn to_commitment(&self) -> Word {
        <Self as SequentialCommit>::to_commitment(self)
    }

    /// Verifies a signature against this public key and message.
    pub fn verify(&self, message: Word, signature: &Signature) -> bool {
        let message_bytes: [u8; 32] = message.into();
        self.inner.verify(&message_bytes, &signature.inner).is_ok()
    }

    /// Convert to a X25519 public key which can be used in a DH key exchange protocol.
    ///
    /// # ⚠️ Security Warning
    ///
    /// **Do not reuse the same secret key for both Ed25519 signatures and X25519 key exchange.**
    /// This conversion is primarily intended for sealed box primitives where an Ed25519 public key
    /// is used to generate the shared key for encryption given an ephemeral X25519 key pair.
    ///
    /// In all other uses, prefer generating dedicated X25519 keys directly.
    pub(crate) fn to_x25519(&self) -> x25519_dalek::PublicKey {
        let mont_point = self.inner.to_montgomery();
        x25519_dalek::PublicKey::from(mont_point.to_bytes())
    }
}

impl SequentialCommit for PublicKey {
    type Commitment = Word;

    fn to_elements(&self) -> Vec<Felt> {
        bytes_to_packed_u32_elements(&self.to_bytes())
    }
}

#[derive(Debug, Error)]
pub enum PublicKeyError {
    #[error("Could not verify with given public key and signature")]
    VerificationFailed,
}

// SIGNATURE
// ================================================================================================

/// EdDSA (Ed25519) signature
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Signature {
    inner: ed25519_dalek::Signature,
}

impl Signature {
    /// Verify against (message, public key).
    pub fn verify(&self, message: Word, pub_key: &PublicKey) -> bool {
        pub_key.verify(message, self)
    }
}

// SERIALIZATION / DESERIALIZATION
// ================================================================================================

impl Serializable for SecretKey {
    fn write_into<W: ByteWriter>(&self, target: &mut W) {
        target.write_bytes(&self.inner.to_bytes());
    }
}

impl Deserializable for SecretKey {
    fn read_from<R: ByteReader>(source: &mut R) -> Result<Self, DeserializationError> {
        let mut bytes: [u8; SECRET_KEY_BYTES] = source.read_array()?;
        let inner = ed25519_dalek::SigningKey::from_bytes(&bytes);
        bytes.zeroize();

        Ok(Self { inner })
    }
}

impl Serializable for PublicKey {
    fn write_into<W: ByteWriter>(&self, target: &mut W) {
        target.write_bytes(&self.inner.to_bytes());
    }
}

impl Deserializable for PublicKey {
    fn read_from<R: ByteReader>(source: &mut R) -> Result<Self, DeserializationError> {
        let bytes: [u8; PUBLIC_KEY_BYTES] = source.read_array()?;
        let inner = ed25519_dalek::VerifyingKey::from_bytes(&bytes).map_err(|_| {
            DeserializationError::InvalidValue("Invalid Ed25519 public key".to_string())
        })?;
        Ok(Self { inner })
    }
}

impl Serializable for Signature {
    fn write_into<W: ByteWriter>(&self, target: &mut W) {
        target.write_bytes(&self.inner.to_bytes())
    }
}

impl Deserializable for Signature {
    fn read_from<R: ByteReader>(source: &mut R) -> Result<Self, DeserializationError> {
        let bytes: [u8; SIGNATURE_BYTES] = source.read_array()?;
        let inner = ed25519_dalek::Signature::from_bytes(&bytes);
        Ok(Self { inner })
    }
}