Struct schnorrkel::keys::PublicKey

pub struct PublicKey(_);

A Ristretto Schnorr public key.

Internally, these are represented as a RistrettoPoint, meaning an Edwards point with a static guarantee to be 2-torsion free.

At present, we decompress PublicKeys into this representation during deserialization, which improves error handling, but costs a compression during signing and verifiaction.

Methods

impl PublicKey

pub fn as_compressed(&self) -> &CompressedRistretto

Access the compressed Ristretto form

pub fn into_compressed(self) -> CompressedRistretto

Extract the compressed Ristretto form

pub fn as_point(&self) -> &RistrettoPoint

Access the point form

pub fn into_point(self) -> RistrettoPoint

Extract the point form

pub fn from_compressed(
    compressed: CompressedRistretto
) -> SignatureResult<PublicKey>

Decompress into the PublicKey format that also retains the compressed form.

pub fn from_point(point: RistrettoPoint) -> PublicKey

Compress into the PublicKey format that also retains the uncompressed form.

pub fn to_bytes(&self) -> [u8; 32]

Convert this public key to a byte array.

pub fn from_bytes(bytes: &[u8]) -> SignatureResult<PublicKey>

Construct a PublicKey from a slice of bytes.

Warning

The caller is responsible for ensuring that the bytes passed into this method actually represent a curve25519_dalek::ristretto::CompressedRistretto and that said compressed point is actually a point on the curve.

Example

use schnorrkel::PublicKey;
use schnorrkel::PUBLIC_KEY_LENGTH;
use schnorrkel::SignatureError;

let public_key_bytes: [u8; PUBLIC_KEY_LENGTH] = [
   215,  90, 152,   1, 130, 177,  10, 183, 213,  75, 254, 211, 201, 100,   7,  58,
    14, 225, 114, 243, 218, 166,  35,  37, 175,   2,  26, 104, 247,   7,   81, 26];

let public_key = PublicKey::from_bytes(&public_key_bytes)?;

Returns

A Result whose okay value is an EdDSA PublicKey or whose error value is an SignatureError describing the error that occurred.

impl PublicKey

pub fn verify<T: SigningTranscript>(&self, t: T, signature: &Signature) -> bool

Verify a signature by this public key on a transcript.

Requires a SigningTranscript, normally created from a SigningContext and a message, as well as the signature to be verified.

pub fn verify_simple(
    &self,
    ctx: &'static [u8],
    msg: &[u8],
    signature: &Signature
) -> bool

Verify a signature by this public key on a message.

impl PublicKey

pub fn vrfs_merge<B>(&self, ps: &[B]) -> VRFInOut where
    B: Borrow<VRFInOut>, 

Merge VRF input and output pairs from the same signer, using constant time arithmetic.

There is sadly no constant time 128 bit multiplication in dalek, making this variant somewhat slower than necessary. It should only impact signers in niche scenarios however, so this slower variant should normally be unnecessary.

TODO: Add constant time 128 bit batched multiplication to dalek. TODO: Is rand_chacha's gen::<u128>() standardizable enough to prefer it over merlin for the output?

pub fn vrfs_merge_vartime<B>(&self, ps: &[B]) -> VRFInOut where
    B: Borrow<VRFInOut>, 

Merge VRF input and output pairs from the same signer, using variable time arithmetic

You should use this variant when verifying VRF proofs batched by the singer. You could usually use this variant even when producing proofs, provided the set being signed is not secret.

impl PublicKey

pub fn dleq_verify<T>(
    &self,
    t: T,
    p: &VRFInOut,
    proof: &VRFProof
) -> SignatureResult<VRFProofBatchable> where
    T: SigningTranscript, 

Verify DLEQ proof that points_out consists of all points in points_in raised to the same private exponent as self.

We also return an enlarged VRFProofBatchable instead of true so that verifiers can forward batchable proofs.

In principle, one might provide "blindly verifiable" VRFs that avoid requiring self here, but naively such constructions risk the same flaws as DLEQ based blind signatures, and this version exploits the slightly faster basepoint arithmetic.

pub fn vrf_verify<T: SigningTranscript>(
    &self,
    t: T,
    out: &VRFOutput,
    proof: &VRFProof
) -> SignatureResult<(VRFInOut, VRFProofBatchable)>

Verify VRF proof for one single input transcript and corresponding output.

pub fn vrfs_verify<T, I, O>(
    &self,
    transcripts: I,
    outs: &[O],
    proof: &VRFProof
) -> SignatureResult<(Box<[VRFInOut]>, VRFProofBatchable)> where
    T: SigningTranscript,
    I: IntoIterator<Item = T>,
    O: Borrow<VRFOutput>, 

Verify a common VRF short proof for several input transcripts and corresponding outputs.

impl PublicKey

pub fn accept_ecqv_cert<T>(
    &self,
    t: T,
    seed_secret_key: &SecretKey,
    cert_secret: ECQVCertSecret
) -> SignatureResult<(ECQVCertPublic, SecretKey)> where
    T: SigningTranscript, 

Accept an ECQV implicit certificate

We request an ECQV implicit certificate by first creating an ephemeral Keypair and sending the public portion to the issuer as seed_public_key. An issuer issues the certificat by replying with the ECQVCertSecret created by issue_ecqv_cert.

Aside from the issuer PublicKey supplied as self, you provide (1) a digest h that incorporates both the context and the certificate requester's identity, (2) the seed_secret_key corresponding to the seed_public_key they sent to the issuer by the certificate recipient in their certificate request, and (3) the ECQVCertSecret send by the issuer to the certificate requester. We return both your certificate's new SecretKey as well as an ECQVCertPublic from which third parties may derive corresponding public key from h and the issuer's public key.

impl PublicKey

pub fn open_ecqv_cert<T>(
    &self,
    t: T,
    cert_public: &ECQVCertPublic
) -> SignatureResult<PublicKey> where
    T: SigningTranscript, 

Trait Implementations

impl Derivation for PublicKey

fn derived_key<T>(&self, t: T, cc: ChainCode) -> (PublicKey, ChainCode) where
    T: SigningTranscript + Clone, 

Derive key with subkey identified by a byte array presented as a hash, and a chain code.

fn derived_key_simple<B: AsRef<[u8]>>(
    &self,
    cc: ChainCode,
    i: B
) -> (Self, ChainCode)

Derive key with subkey identified by a byte array and a chain code. We do not include a context here becuase the chain code could serve this purpose. We support only Shake256 here for simplicity, and the reasons discussed in lib.rs, and https://github.com/rust-lang/rust/issues/36887

impl Copy for PublicKey

impl Debug for PublicKey

fn fmt(&self, f: &mut Formatter) -> Result

Formats the value using the given formatter.

impl PartialEq<PublicKey> for PublicKey

fn eq(&self, other: &PublicKey) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &PublicKey) -> bool

This method tests for !=.

impl Eq for PublicKey

impl Ord for PublicKey

fn cmp(&self, other: &PublicKey) -> Ordering

This method returns an Ordering between self and other.

fn max(self, other: Self) -> Self

Compares and returns the maximum of two values.

fn min(self, other: Self) -> Self

Compares and returns the minimum of two values.

fn clamp(self, min: Self, max: Self) -> Self

🔬 This is a nightly-only experimental API. (clamp)

Returns max if self is greater than max, and min if self is less than min. Otherwise this will return self. Panics if min > max.

impl PartialOrd<PublicKey> for PublicKey

fn partial_cmp(&self, other: &PublicKey) -> Option<Ordering>

This method returns an ordering between self and other values if one exists.

fn lt(&self, other: &PublicKey) -> bool

This method tests less than (for self and other) and is used by the < operator.

fn le(&self, other: &PublicKey) -> bool

This method tests less than or equal to (for self and other) and is used by the <= operator.

fn gt(&self, other: &PublicKey) -> bool

This method tests greater than (for self and other) and is used by the > operator.

fn ge(&self, other: &PublicKey) -> bool

This method tests greater than or equal to (for self and other) and is used by the >= operator.

impl From<SecretKey> for PublicKey

fn from(source: SecretKey) -> PublicKey

Performs the conversion.

impl Hash for PublicKey

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given [Hasher].

fn hash_slice<H>(data: &[Self], state: &mut H) where
    H: Hasher, 

Feeds a slice of this type into the given [Hasher].

impl Clone for PublicKey

fn clone(&self) -> PublicKey

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Default for PublicKey

fn default() -> PublicKey

Returns the "default value" for a type.

impl AsRef<[u8]> for PublicKey

fn as_ref(&self) -> &[u8]

Performs the conversion.