Struct ed25519_dalek::Signature
An ed25519 signature.
Note
These signatures, unlike the ed25519 signature reference implementation, are "detached"—that is, they do not include a copy of the message which has been signed.
Fields
R: CompressedEdwardsY
R is an EdwardsPoint, formed by using a hash function with 512-bit output to produce the digest of:
- the nonce half of the ExpandedSecretKey, and
- the message to be signed.
This digest is then interpreted as a Scalar and reduced into an element in ℤ/lℤ. The scalar is then multiplied by the distinguished basepoint to produce R, an EdwardsPoint.
s: Scalar
s is a Scalar, formed by using a hash function with 512-bit output to produce the digest of:
- the R portion of this Signature,
- the PublicKey which should be used to verify this Signature, and
- the message to be signed.
This digest is then interpreted as a Scalar and reduced into an element in ℤ/lℤ.
Methods
impl Signature
pub fn to_bytes(&self) -> [u8; 64]
Convert this Signature to a byte array.
pub fn from_bytes(bytes: &[u8]) -> Result<Signature, SignatureError>
Construct a Signature from a slice of bytes.
Scalar Malleability Checking
As originally specified in the ed25519 paper (cf. the "Malleability" section of the README in this repo), no checks whatsoever were performed for signature malleability.
Later, a semi-functional, hacky check was added to most libraries to "ensure" that the scalar portion, s, of the signature was reduced mod \ell, the order of the basepoint:
if signature.s[31] & 224 != 0 { return Err(); }
This bit-twiddling ensures that the most significant three bits of the scalar are not set:
>>> 0b00010000 & 224
0
>>> 0b00100000 & 224
32
>>> 0b01000000 & 224
64
>>> 0b10000000 & 224
128
However, this check is hacky and insufficient to check that the scalar is fully reduced mod \ell = 2^252 + 27742317777372353535851937790883648493, as it leaves us with a guaranteed bound of 253 bits. This means that there are 2^253 - 2^252 + 2774231777737235353585193779088364849311 remaining scalars which could cause malleability.
RFC8032 states:
To verify a signature on a message M using public key A, [...] first split the signature into two 32-octet halves. Decode the first half as a point R, and the second half as an integer S, in the range 0 <= s < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid.
However, by the time this was standardised, most libraries in use were only checking the most significant three bits. (See also the documentation for PublicKey.verify_strict.)
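As an added illustration (not ed25519-dalek's own code), here are the two checks discussed above side by side on the raw little-endian s half of a 64-byte detached signature: the legacy three-bit mask and the RFC 8032 range test 0 <= s < l. A small helper adds l to a canonical s to produce the kind of non-reduced encoding that only the strict check rejects. Assumptions: standard library only, and L_LE is the little-endian encoding of the constant \ell quoted above.

```rust
/// Little-endian bytes of l = 2^252 + 27742317777372353535851937790883648493,
/// the basepoint order quoted above (the encoding used by Ed25519 signatures).
pub const L_LE: [u8; 32] = [
    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
];

/// Split a 64-byte detached signature into R (first half) and the
/// little-endian s (second half), as RFC 8032 describes.
pub fn split_signature(sig: &[u8; 64]) -> ([u8; 32], [u8; 32]) {
    let mut r = [0u8; 32];
    let mut s = [0u8; 32];
    r.copy_from_slice(&sig[..32]);
    s.copy_from_slice(&sig[32..]);
    (r, s)
}

/// The legacy mask from the text: it only rejects s >= 2^253.
pub fn legacy_scalar_check(s: &[u8; 32]) -> bool {
    s[31] & 224 == 0
}

/// The RFC 8032 requirement 0 <= s < l, compared from the most significant
/// byte down. Plain (non constant-time) comparison, kept simple for clarity.
pub fn strict_scalar_check(s: &[u8; 32]) -> bool {
    for i in (0..32).rev() {
        if s[i] != L_LE[i] {
            return s[i] < L_LE[i];
        }
    }
    false // s == l exactly, which is not reduced
}

/// s + l (mod 2^256), byte-wise with carry. The result is congruent to s
/// mod l, so it is exactly the kind of encoding the strict check exists
/// to reject; the legacy mask accepts it whenever the sum stays below 2^253.
pub fn add_l(s: &[u8; 32]) -> [u8; 32] {
    let mut out = [0u8; 32];
    let mut carry: u16 = 0;
    for i in 0..32 {
        let sum = s[i] as u16 + L_LE[i] as u16 + carry;
        out[i] = sum as u8;
        carry = sum >> 8;
    }
    out
}
```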
Trait Implementations
impl Clone for Signature
fn clone(&self) -> Self
fn clone_from(&mut self, source: &Self)
impl Copy for Signature
impl Debug for Signature
impl Eq for Signature
fn assert_receiver_is_total_eq(&self)
impl PartialEq<Signature> for Signature
impl StructuralEq for Signature
impl StructuralPartialEq for Signature
Auto Trait Implementations
impl RefUnwindSafe for Signature
impl Send for Signature
impl Sync for Signature
impl Unpin for Signature
impl UnwindSafe for Signature
Blanket Implementations
impl<T> Any for T where T: 'static + ?Sized,
impl<T> Borrow<T> for T where T: ?Sized,
impl<T> BorrowMut<T> for T where T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
impl<T> From<T> for T
impl<T, U> Into<U> for T where U: From<T>,
impl<T> Same<T> for T
type Output = T
Should always be Self
impl<T> ToOwned for T where T: Clone,
type Owned = T
The resulting type after obtaining ownership.
fn to_owned(&self) -> T
fn clone_into(&self, target: &mut T)
impl<T, U> TryFrom<U> for T where U: Into<T>,
type Error = !
The type returned in the event of a conversion error.
fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
impl<T, U> TryInto<U> for T where U: TryFrom<T>,
type Error = <U as TryFrom<T>>::Error
The type returned in the event of a conversion error.
fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>
impl<V, T> VZip<V> for T where V: MultiLane<T>,