Struct PublicKey 

pub struct PublicKey { /* private fields */ }

Implementations

impl PublicKey

pub fn to_commitment(&self) -> Word

Returns a commitment to the public key using the Poseidon2 hash function.

The commitment is computed by first converting the public key to field elements (4 bytes per element), and then computing a sequential hash of the elements.

pub fn verify(&self, message: Word, signature: &Signature) -> bool

Verifies a signature against this public key and message.

pub fn compute_challenge_k( &self, message: Word, signature: &Signature, ) -> [u8; 64]

Computes the Ed25519 challenge hash from a message and signature.

This method computes the 64-byte hash SHA-512(R || A || message) where:

• R is the signature’s R component (first 32 bytes)
• A is the public key
• message is the message bytes

The resulting 64-byte hash can be passed to verify_with_unchecked_k() which will reduce it modulo the curve order L to produce the challenge scalar.

Use Case

This method is useful when you want to separate the hashing phase from the elliptic curve verification phase. You can:

1. Compute the hash using this method (hashing phase)
2. Verify using verify_with_unchecked_k(hash, signature) (EC phase)

This is equivalent to calling verify() directly, but allows the two phases to be executed separately or in different environments.

Arguments

• message - The message that was signed
• signature - The signature to compute the challenge hash from

Returns

A 64-byte hash that will be reduced modulo L in verify_with_unchecked_k()

Example

let k_hash = public_key.compute_challenge_k(message, &signature);
let is_valid = public_key.verify_with_unchecked_k(k_hash, &signature).is_ok();
// is_valid should equal public_key.verify(message, &signature)

Not Ed25519ph / RFC 8032 Prehash

This helper reproduces the standard Ed25519 challenge H(R || A || M) used when verifying signatures. It does not implement the RFC 8032 Ed25519ph variant, which prepends a domain separation string and optional context before hashing. Callers that require the Ed25519ph flavour must implement the additional domain separation logic themselves.

pub fn verify_with_unchecked_k( &self, k_hash: [u8; 64], signature: &Signature, ) -> Result<(), UncheckedVerificationError>

Verifies a signature using a pre-computed challenge hash.

⚠️ CRITICAL SECURITY WARNING ⚠️

THIS METHOD IS EXTREMELY DANGEROUS AND EASY TO MISUSE.

This method bypasses the standard Ed25519 verification process by accepting a pre-computed challenge hash instead of computing it from the message. This breaks Ed25519’s security properties in the following ways:

Security Risks:

1. Signature Forgery: An attacker who can control the hash value can forge signatures for arbitrary messages without knowing the private key.

2. Breaks Message Binding: Standard Ed25519 cryptographically binds the signature to the message via the hash H(R || A || message). Accepting arbitrary hashes breaks this binding.

3. Bypasses Standard Protocol: If the hash is not computed correctly as SHA-512(R || A || message), this method bypasses standard Ed25519 verification and the signature will not be compatible with Ed25519 semantics.

When This Might Be Used:

This method is only appropriate in very specific scenarios where:

• You have a trusted computation environment that computes the hash correctly as SHA-512(R || A || message) (see compute_challenge_k())
• You need to separate the hashing phase from the EC verification phase (e.g., for different execution environments or performance optimization)
• You fully understand the security implications and have a threat model that accounts for them

When the hash is computed correctly, this method implements standard Ed25519 verification.

Standard Usage:

For normal Ed25519 verification, use verify() instead.

Performance

This helper decompresses the signature’s R component before performing group arithmetic and reuses the cached Edwards form of the public key. Expect it to be slower than calling verify() directly.

Arguments

• k_hash - A 64-byte hash (typically computed as SHA-512(R || A || message))
• signature - The signature to verify

Returns

Ok(()) if the verification equation [s]B = R + [k]A holds, or an error describing why the verification failed.

Warning

Do NOT use this method unless you fully understand Ed25519’s cryptographic properties, have a specific need for this low-level operation, and are feeding it the exact SHA-512(R || A || message) output (without the Ed25519ph domain separation string).

Trait Implementations

impl Clone for PublicKey

fn clone(&self) -> PublicKey

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for PublicKey

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl Deserializable for PublicKey

fn read_from<R>(source: &mut R) -> Result<PublicKey, DeserializationError>

where R: ByteReader,

Reads a sequence of bytes from the provided source, attempts to deserialize these bytes into Self, and returns the result.

fn min_serialized_size() -> usize

Returns the minimum serialized size for one instance of this type.

fn read_from_bytes(bytes: &[u8]) -> Result<Self, DeserializationError>

Attempts to deserialize the provided bytes into Self and returns the result.

fn read_from_bytes_with_budget( bytes: &[u8], budget: usize, ) -> Result<Self, DeserializationError>

Deserializes Self from bytes with a byte budget limit.

impl PartialEq for PublicKey

fn eq(&self, other: &PublicKey) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl SequentialCommit for PublicKey

type Commitment = Word

A type of the commitment which must be derivable from Word.

fn to_elements(&self) -> Vec<Goldilocks>

Returns a representation of the object as a sequence of fields elements.

fn to_commitment(&self) -> Self::Commitment

Computes the commitment to the object.

impl Serializable for PublicKey

fn write_into<W>(&self, target: &mut W)

where W: ByteWriter,

Serializes self into bytes and writes these bytes into the target.

fn to_bytes(&self) -> Vec<u8>

Serializes self into a vector of bytes.

fn get_size_hint(&self) -> usize

Returns an estimate of how many bytes are needed to represent self.

impl Eq for PublicKey

impl StructuralPartialEq for PublicKey