master
1const std = @import("std");
2const crypto = std.crypto;
3const debug = std.debug;
4const fmt = std.fmt;
5const mem = std.mem;
6
7const Sha512 = crypto.hash.sha2.Sha512;
8
9const EncodingError = crypto.errors.EncodingError;
10const IdentityElementError = crypto.errors.IdentityElementError;
11const NonCanonicalError = crypto.errors.NonCanonicalError;
12const SignatureVerificationError = crypto.errors.SignatureVerificationError;
13const KeyMismatchError = crypto.errors.KeyMismatchError;
14const WeakPublicKeyError = crypto.errors.WeakPublicKeyError;
15
16/// Ed25519 (EdDSA) signatures.
17pub const Ed25519 = struct {
18 /// The underlying elliptic curve.
19 pub const Curve = std.crypto.ecc.Edwards25519;
20
21 /// Length (in bytes) of optional random bytes, for non-deterministic signatures.
22 pub const noise_length = 32;
23
24 const CompressedScalar = Curve.scalar.CompressedScalar;
25 const Scalar = Curve.scalar.Scalar;
26
27 /// An Ed25519 secret key.
28 pub const SecretKey = struct {
29 /// Length (in bytes) of a raw secret key.
30 pub const encoded_length = 64;
31
32 bytes: [encoded_length]u8,
33
34 /// Return the seed used to generate this secret key.
35 pub fn seed(self: SecretKey) [KeyPair.seed_length]u8 {
36 return self.bytes[0..KeyPair.seed_length].*;
37 }
38
39 /// Return the raw public key bytes corresponding to this secret key.
40 pub fn publicKeyBytes(self: SecretKey) [PublicKey.encoded_length]u8 {
41 return self.bytes[KeyPair.seed_length..].*;
42 }
43
44 /// Create a secret key from raw bytes.
45 pub fn fromBytes(bytes: [encoded_length]u8) !SecretKey {
46 return SecretKey{ .bytes = bytes };
47 }
48
49 /// Return the secret key as raw bytes.
50 pub fn toBytes(sk: SecretKey) [encoded_length]u8 {
51 return sk.bytes;
52 }
53
54 // Return the clamped secret scalar and prefix for this secret key
55 fn scalarAndPrefix(self: SecretKey) struct { scalar: CompressedScalar, prefix: [32]u8 } {
56 var az: [Sha512.digest_length]u8 = undefined;
57 var h = Sha512.init(.{});
58 h.update(&self.seed());
59 h.final(&az);
60
61 var s = az[0..32].*;
62 Curve.scalar.clamp(&s);
63
64 return .{ .scalar = s, .prefix = az[32..].* };
65 }
66 };
67
68 /// A Signer is used to incrementally compute a signature.
69 /// It can be obtained from a `KeyPair`, using the `signer()` function.
70 pub const Signer = struct {
71 h: Sha512,
72 scalar: CompressedScalar,
73 nonce: CompressedScalar,
74 r_bytes: [Curve.encoded_length]u8,
75
76 fn init(scalar: CompressedScalar, nonce: CompressedScalar, public_key: PublicKey) (IdentityElementError || KeyMismatchError || NonCanonicalError || WeakPublicKeyError)!Signer {
77 const r = try Curve.basePoint.mul(nonce);
78 const r_bytes = r.toBytes();
79
80 var t: [64]u8 = undefined;
81 t[0..32].* = r_bytes;
82 t[32..].* = public_key.bytes;
83 var h = Sha512.init(.{});
84 h.update(&t);
85
86 return Signer{ .h = h, .scalar = scalar, .nonce = nonce, .r_bytes = r_bytes };
87 }
88
89 /// Add new data to the message being signed.
90 pub fn update(self: *Signer, data: []const u8) void {
91 self.h.update(data);
92 }
93
94 /// Compute a signature over the entire message.
95 pub fn finalize(self: *Signer) Signature {
96 var hram64: [Sha512.digest_length]u8 = undefined;
97 self.h.final(&hram64);
98 const hram = Curve.scalar.reduce64(hram64);
99
100 const s = Curve.scalar.mulAdd(hram, self.scalar, self.nonce);
101
102 return Signature{ .r = self.r_bytes, .s = s };
103 }
104 };
105
106 /// An Ed25519 public key.
107 pub const PublicKey = struct {
108 /// Length (in bytes) of a raw public key.
109 pub const encoded_length = 32;
110
111 bytes: [encoded_length]u8,
112
113 /// Create a public key from raw bytes.
114 pub fn fromBytes(bytes: [encoded_length]u8) NonCanonicalError!PublicKey {
115 try Curve.rejectNonCanonical(bytes);
116 return PublicKey{ .bytes = bytes };
117 }
118
119 /// Convert a public key to raw bytes.
120 pub fn toBytes(pk: PublicKey) [encoded_length]u8 {
121 return pk.bytes;
122 }
123
124 fn signWithNonce(public_key: PublicKey, msg: []const u8, scalar: CompressedScalar, nonce: CompressedScalar) (IdentityElementError || NonCanonicalError || KeyMismatchError || WeakPublicKeyError)!Signature {
125 var st = try Signer.init(scalar, nonce, public_key);
126 st.update(msg);
127 return st.finalize();
128 }
129
130 fn computeNonceAndSign(public_key: PublicKey, msg: []const u8, noise: ?[noise_length]u8, scalar: CompressedScalar, prefix: []const u8) (IdentityElementError || NonCanonicalError || KeyMismatchError || WeakPublicKeyError)!Signature {
131 var h = Sha512.init(.{});
132 if (noise) |*z| {
133 h.update(z);
134 }
135 h.update(prefix);
136 h.update(msg);
137 var nonce64: [64]u8 = undefined;
138 h.final(&nonce64);
139
140 const nonce = Curve.scalar.reduce64(nonce64);
141
142 return public_key.signWithNonce(msg, scalar, nonce);
143 }
144 };
145
146 /// A Verifier is used to incrementally verify a signature.
147 /// It can be obtained from a `Signature`, using the `verifier()` function.
148 pub const Verifier = struct {
149 h: Sha512,
150 s: CompressedScalar,
151 a: Curve,
152 expected_r: Curve,
153
154 pub const InitError = NonCanonicalError || EncodingError || IdentityElementError;
155
156 fn init(sig: Signature, public_key: PublicKey) InitError!Verifier {
157 const r = sig.r;
158 const s = sig.s;
159 try Curve.scalar.rejectNonCanonical(s);
160 const a = try Curve.fromBytes(public_key.bytes);
161 try a.rejectIdentity();
162 try Curve.rejectNonCanonical(r);
163 const expected_r = try Curve.fromBytes(r);
164 try expected_r.rejectIdentity();
165
166 var h = Sha512.init(.{});
167 h.update(&r);
168 h.update(&public_key.bytes);
169
170 return Verifier{ .h = h, .s = s, .a = a, .expected_r = expected_r };
171 }
172
173 /// Add new content to the message to be verified.
174 pub fn update(self: *Verifier, msg: []const u8) void {
175 self.h.update(msg);
176 }
177
178 fn isIdentity(p: Curve) bool {
179 return p.x.isZero() and p.y.equivalent(p.z);
180 }
181
182 pub const VerifyError = WeakPublicKeyError || IdentityElementError ||
183 SignatureVerificationError;
184
185 /// Verify that the signature is valid for the entire message.
186 ///
187 /// This function uses cofactored verification for broad interoperability.
188 /// It aligns single-signature verification with common batch verification approaches.
189 ///
190 /// Return IdentityElement or NonCanonical if the public key or signature are not in the expected range,
191 /// or SignatureVerificationError if the signature is invalid for the given message and key.
192 pub fn verify(self: *Verifier) VerifyError!void {
193 var hram64: [Sha512.digest_length]u8 = undefined;
194 self.h.final(&hram64);
195 const hram = Curve.scalar.reduce64(hram64);
196 const sb_ah = (try Curve.basePoint.mulDoubleBasePublic(
197 Curve.scalar.mul8(self.s),
198 self.a.clearCofactor().neg(),
199 hram,
200 ));
201 const check = sb_ah.sub(self.expected_r.clearCofactor());
202 if (!isIdentity(check)) {
203 return error.SignatureVerificationFailed;
204 }
205 }
206
207 /// Verify that the signature is valid for the entire message using cofactorless verification.
208 ///
209 /// This function performs strict verification without cofactor multiplication,
210 /// checking the exact equation: [s]B = R + [H(R,A,m)]A
211 ///
212 /// This is more restrictive than the cofactored `verify()` method and may reject
213 /// specially crafted signatures that would be accepted by cofactored verification.
214 /// But it will never reject valid signatures created using the `sign()` method.
215 ///
216 /// Return IdentityElement or NonCanonical if the public key or signature are not in the expected range,
217 /// or SignatureVerificationError if the signature is invalid for the given message and key.
218 pub fn verifyStrict(self: *Verifier) VerifyError!void {
219 var hram64: [Sha512.digest_length]u8 = undefined;
220 self.h.final(&hram64);
221 const hram = Curve.scalar.reduce64(hram64);
222 const sb_ah = (try Curve.basePoint.mulDoubleBasePublic(
223 self.s,
224 self.a.neg(),
225 hram,
226 ));
227 const check = sb_ah.sub(self.expected_r);
228 if (!isIdentity(check)) {
229 return error.SignatureVerificationFailed;
230 }
231 }
232 };
233
234 /// An Ed25519 signature.
235 pub const Signature = struct {
236 /// Length (in bytes) of a raw signature.
237 pub const encoded_length = Curve.encoded_length + @sizeOf(CompressedScalar);
238
239 /// The R component of an EdDSA signature.
240 r: [Curve.encoded_length]u8,
241 /// The S component of an EdDSA signature.
242 s: CompressedScalar,
243
244 /// Return the raw signature (r, s) in little-endian format.
245 pub fn toBytes(sig: Signature) [encoded_length]u8 {
246 var bytes: [encoded_length]u8 = undefined;
247 bytes[0..Curve.encoded_length].* = sig.r;
248 bytes[Curve.encoded_length..].* = sig.s;
249 return bytes;
250 }
251
252 /// Create a signature from a raw encoding of (r, s).
253 /// EdDSA always assumes little-endian.
254 pub fn fromBytes(bytes: [encoded_length]u8) Signature {
255 return Signature{
256 .r = bytes[0..Curve.encoded_length].*,
257 .s = bytes[Curve.encoded_length..].*,
258 };
259 }
260
261 /// Create a Verifier for incremental verification of a signature.
262 pub fn verifier(sig: Signature, public_key: PublicKey) Verifier.InitError!Verifier {
263 return Verifier.init(sig, public_key);
264 }
265
266 pub const VerifyError = Verifier.InitError || Verifier.VerifyError;
267
268 /// Verify the signature against a message and public key.
269 ///
270 /// This function uses cofactored verification for broad interoperability.
271 /// It aligns single-signature verification with common batch verification approaches.
272 ///
273 /// Return IdentityElement or NonCanonical if the public key or signature are not in the expected range,
274 /// or SignatureVerificationError if the signature is invalid for the given message and key.
275 pub fn verify(sig: Signature, msg: []const u8, public_key: PublicKey) VerifyError!void {
276 var st = try sig.verifier(public_key);
277 st.update(msg);
278 try st.verify();
279 }
280
281 /// Verify the signature against a message and public key using cofactorless verification.
282 ///
283 /// This performs strict verification without cofactor multiplication,
284 /// checking the exact equation: [s]B = R + [H(R,A,m)]A
285 ///
286 /// This is more restrictive than the standard `verify()` method and may reject
287 /// specially crafted signatures that would be accepted by cofactored verification.
288 /// But it will never reject valid signatures created using the `sign()` method.
289 ///
290 /// Return IdentityElement or NonCanonical if the public key or signature are not in the expected range,
291 /// or SignatureVerificationError if the signature is invalid for the given message and key.
292 pub fn verifyStrict(sig: Signature, msg: []const u8, public_key: PublicKey) VerifyError!void {
293 var st = try sig.verifier(public_key);
294 st.update(msg);
295 try st.verifyStrict();
296 }
297 };
298
299 /// An Ed25519 key pair.
300 pub const KeyPair = struct {
301 /// Length (in bytes) of a seed required to create a key pair.
302 pub const seed_length = noise_length;
303
304 /// Public part.
305 public_key: PublicKey,
306 /// Secret scalar.
307 secret_key: SecretKey,
308
309 /// Deterministically derive a key pair from a cryptograpically secure secret seed.
310 ///
311 /// To create a new key, applications should generally call `generate()` instead of this function.
312 ///
313 /// As in RFC 8032, an Ed25519 public key is generated by hashing
314 /// the secret key using the SHA-512 function, and interpreting the
315 /// bit-swapped, clamped lower-half of the output as the secret scalar.
316 ///
317 /// For this reason, an EdDSA secret key is commonly called a seed,
318 /// from which the actual secret is derived.
319 pub fn generateDeterministic(seed: [seed_length]u8) IdentityElementError!KeyPair {
320 var az: [Sha512.digest_length]u8 = undefined;
321 var h = Sha512.init(.{});
322 h.update(&seed);
323 h.final(&az);
324 const pk_p = Curve.basePoint.clampedMul(az[0..32].*) catch return error.IdentityElement;
325 const pk_bytes = pk_p.toBytes();
326 var sk_bytes: [SecretKey.encoded_length]u8 = undefined;
327 sk_bytes[0..seed_length].* = seed;
328 sk_bytes[seed_length..].* = pk_bytes;
329 return KeyPair{
330 .public_key = PublicKey.fromBytes(pk_bytes) catch unreachable,
331 .secret_key = try SecretKey.fromBytes(sk_bytes),
332 };
333 }
334
335 /// Generate a new, random key pair.
336 ///
337 /// `crypto.random.bytes` must be supported by the target.
338 pub fn generate() KeyPair {
339 var random_seed: [seed_length]u8 = undefined;
340 while (true) {
341 crypto.random.bytes(&random_seed);
342 return generateDeterministic(random_seed) catch {
343 @branchHint(.unlikely);
344 continue;
345 };
346 }
347 }
348
349 /// Create a key pair from an existing secret key.
350 ///
351 /// Note that with EdDSA, storing the seed, and recovering the key pair
352 /// from it is recommended over storing the entire secret key.
353 /// The seed of an exiting key pair can be obtained with
354 /// `key_pair.secret_key.seed()`, and the secret key can then be
355 /// recomputed using `SecretKey.generateDeterministic()`.
356 pub fn fromSecretKey(secret_key: SecretKey) (NonCanonicalError || EncodingError || IdentityElementError)!KeyPair {
357 // It is critical for EdDSA to use the correct public key.
358 // In order to enforce this, a SecretKey implicitly includes a copy of the public key.
359 // With runtime safety, we can still afford checking that the public key is correct.
360 if (std.debug.runtime_safety) {
361 const pk_p = try Curve.fromBytes(secret_key.publicKeyBytes());
362 const recomputed_kp = try generateDeterministic(secret_key.seed());
363 if (!mem.eql(u8, &recomputed_kp.public_key.toBytes(), &pk_p.toBytes())) {
364 return error.NonCanonical;
365 }
366 }
367 return KeyPair{
368 .public_key = try PublicKey.fromBytes(secret_key.publicKeyBytes()),
369 .secret_key = secret_key,
370 };
371 }
372
373 /// Sign a message using the key pair.
374 /// The noise can be null in order to create deterministic signatures.
375 /// If deterministic signatures are not required, the noise should be randomly generated instead.
376 /// This helps defend against fault attacks.
377 pub fn sign(key_pair: KeyPair, msg: []const u8, noise: ?[noise_length]u8) (IdentityElementError || NonCanonicalError || KeyMismatchError || WeakPublicKeyError)!Signature {
378 if (!mem.eql(u8, &key_pair.secret_key.publicKeyBytes(), &key_pair.public_key.toBytes())) {
379 return error.KeyMismatch;
380 }
381 const scalar_and_prefix = key_pair.secret_key.scalarAndPrefix();
382 return key_pair.public_key.computeNonceAndSign(
383 msg,
384 noise,
385 scalar_and_prefix.scalar,
386 &scalar_and_prefix.prefix,
387 );
388 }
389
390 /// Create a Signer, that can be used for incremental signing.
391 /// Note that the signature is not deterministic.
392 /// The noise parameter, if set, should be something unique for each message,
393 /// such as a random nonce, or a counter.
394 pub fn signer(key_pair: KeyPair, noise: ?[noise_length]u8) (IdentityElementError || KeyMismatchError || NonCanonicalError || WeakPublicKeyError)!Signer {
395 if (!mem.eql(u8, &key_pair.secret_key.publicKeyBytes(), &key_pair.public_key.toBytes())) {
396 return error.KeyMismatch;
397 }
398 const scalar_and_prefix = key_pair.secret_key.scalarAndPrefix();
399 var h = Sha512.init(.{});
400 h.update(&scalar_and_prefix.prefix);
401 var noise2: [noise_length]u8 = undefined;
402 crypto.random.bytes(&noise2);
403 h.update(&noise2);
404 if (noise) |*z| {
405 h.update(z);
406 }
407 var nonce64: [64]u8 = undefined;
408 h.final(&nonce64);
409 const nonce = Curve.scalar.reduce64(nonce64);
410
411 return Signer.init(scalar_and_prefix.scalar, nonce, key_pair.public_key);
412 }
413 };
414
415 /// A (signature, message, public_key) tuple for batch verification
416 pub const BatchElement = struct {
417 sig: Signature,
418 msg: []const u8,
419 public_key: PublicKey,
420 };
421
422 /// Verify several signatures in a single operation, much faster than verifying signatures one-by-one
423 pub fn verifyBatch(comptime count: usize, signature_batch: [count]BatchElement) (SignatureVerificationError || IdentityElementError || WeakPublicKeyError || EncodingError || NonCanonicalError)!void {
424 var r_batch: [count]CompressedScalar = undefined;
425 var s_batch: [count]CompressedScalar = undefined;
426 var a_batch: [count]Curve = undefined;
427 var expected_r_batch: [count]Curve = undefined;
428
429 for (signature_batch, 0..) |signature, i| {
430 const r = signature.sig.r;
431 const s = signature.sig.s;
432 try Curve.scalar.rejectNonCanonical(s);
433 const a = try Curve.fromBytes(signature.public_key.bytes);
434 try a.rejectIdentity();
435 try Curve.rejectNonCanonical(r);
436 const expected_r = try Curve.fromBytes(r);
437 try expected_r.rejectIdentity();
438 expected_r_batch[i] = expected_r;
439 r_batch[i] = r;
440 s_batch[i] = s;
441 a_batch[i] = a;
442 }
443
444 var hram_batch: [count]Curve.scalar.CompressedScalar = undefined;
445 for (signature_batch, 0..) |signature, i| {
446 var h = Sha512.init(.{});
447 h.update(&r_batch[i]);
448 h.update(&signature.public_key.bytes);
449 h.update(signature.msg);
450 var hram64: [Sha512.digest_length]u8 = undefined;
451 h.final(&hram64);
452 hram_batch[i] = Curve.scalar.reduce64(hram64);
453 }
454
455 var z_batch: [count]Curve.scalar.CompressedScalar = undefined;
456 for (&z_batch) |*z| {
457 crypto.random.bytes(z[0..16]);
458 @memset(z[16..], 0);
459 }
460
461 var zs_sum = Curve.scalar.zero;
462 for (z_batch, 0..) |z, i| {
463 const zs = Curve.scalar.mul(z, s_batch[i]);
464 zs_sum = Curve.scalar.add(zs_sum, zs);
465 }
466 zs_sum = Curve.scalar.mul8(zs_sum);
467
468 var zhs: [count]Curve.scalar.CompressedScalar = undefined;
469 for (z_batch, 0..) |z, i| {
470 zhs[i] = Curve.scalar.mul(z, hram_batch[i]);
471 }
472
473 const zr = (try Curve.mulMulti(count, expected_r_batch, z_batch)).clearCofactor();
474 const zah = (try Curve.mulMulti(count, a_batch, zhs)).clearCofactor();
475
476 const zsb = try Curve.basePoint.mulPublic(zs_sum);
477 if (zr.add(zah).sub(zsb).rejectIdentity()) |_| {
478 return error.SignatureVerificationFailed;
479 } else |_| {}
480 }
481
482 /// Ed25519 signatures with key blinding.
483 pub const key_blinding = struct {
484 /// Length (in bytes) of a blinding seed.
485 pub const blind_seed_length = 32;
486
487 /// A blind secret key.
488 pub const BlindSecretKey = struct {
489 prefix: [64]u8,
490 blind_scalar: CompressedScalar,
491 blind_public_key: BlindPublicKey,
492 };
493
494 /// A blind public key.
495 pub const BlindPublicKey = struct {
496 /// Public key equivalent, that can used for signature verification.
497 key: PublicKey,
498
499 /// Recover a public key from a blind version of it.
500 pub fn unblind(blind_public_key: BlindPublicKey, blind_seed: [blind_seed_length]u8, ctx: []const u8) (IdentityElementError || NonCanonicalError || EncodingError || WeakPublicKeyError)!PublicKey {
501 const blind_h = blindCtx(blind_seed, ctx);
502 const inv_blind_factor = Scalar.fromBytes(blind_h[0..32].*).invert().toBytes();
503 const pk_p = try (try Curve.fromBytes(blind_public_key.key.bytes)).mul(inv_blind_factor);
504 return PublicKey.fromBytes(pk_p.toBytes());
505 }
506 };
507
508 /// A blind key pair.
509 pub const BlindKeyPair = struct {
510 blind_public_key: BlindPublicKey,
511 blind_secret_key: BlindSecretKey,
512
513 /// Create an blind key pair from an existing key pair, a blinding seed and a context.
514 pub fn init(key_pair: Ed25519.KeyPair, blind_seed: [blind_seed_length]u8, ctx: []const u8) (NonCanonicalError || IdentityElementError)!BlindKeyPair {
515 var h: [Sha512.digest_length]u8 = undefined;
516 Sha512.hash(&key_pair.secret_key.seed(), &h, .{});
517 Curve.scalar.clamp(h[0..32]);
518 const scalar = Curve.scalar.reduce(h[0..32].*);
519
520 const blind_h = blindCtx(blind_seed, ctx);
521 const blind_factor = Curve.scalar.reduce(blind_h[0..32].*);
522
523 const blind_scalar = Curve.scalar.mul(scalar, blind_factor);
524 const blind_public_key = BlindPublicKey{
525 .key = try PublicKey.fromBytes((Curve.basePoint.mul(blind_scalar) catch return error.IdentityElement).toBytes()),
526 };
527
528 var prefix: [64]u8 = undefined;
529 prefix[0..32].* = h[32..64].*;
530 prefix[32..64].* = blind_h[32..64].*;
531
532 const blind_secret_key = BlindSecretKey{
533 .prefix = prefix,
534 .blind_scalar = blind_scalar,
535 .blind_public_key = blind_public_key,
536 };
537 return BlindKeyPair{
538 .blind_public_key = blind_public_key,
539 .blind_secret_key = blind_secret_key,
540 };
541 }
542
543 /// Sign a message using a blind key pair, and optional random noise.
544 /// Having noise creates non-standard, non-deterministic signatures,
545 /// but has been proven to increase resilience against fault attacks.
546 pub fn sign(key_pair: BlindKeyPair, msg: []const u8, noise: ?[noise_length]u8) (IdentityElementError || KeyMismatchError || NonCanonicalError || WeakPublicKeyError)!Signature {
547 const scalar = key_pair.blind_secret_key.blind_scalar;
548 const prefix = key_pair.blind_secret_key.prefix;
549
550 return (try PublicKey.fromBytes(key_pair.blind_public_key.key.bytes))
551 .computeNonceAndSign(msg, noise, scalar, &prefix);
552 }
553 };
554
555 /// Compute a blind context from a blinding seed and a context.
556 fn blindCtx(blind_seed: [blind_seed_length]u8, ctx: []const u8) [Sha512.digest_length]u8 {
557 var blind_h: [Sha512.digest_length]u8 = undefined;
558 var hx = Sha512.init(.{});
559 hx.update(&blind_seed);
560 hx.update(&[1]u8{0});
561 hx.update(ctx);
562 hx.final(&blind_h);
563 return blind_h;
564 }
565 };
566};
567
568test "key pair creation" {
569 var seed: [32]u8 = undefined;
570 _ = try fmt.hexToBytes(seed[0..], "8052030376d47112be7f73ed7a019293dd12ad910b654455798b4667d73de166");
571 const key_pair = try Ed25519.KeyPair.generateDeterministic(seed);
572 var buf: [256]u8 = undefined;
573 try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{X}", .{&key_pair.secret_key.toBytes()}), "8052030376D47112BE7F73ED7A019293DD12AD910B654455798B4667D73DE1662D6F7455D97B4A3A10D7293909D1A4F2058CB9A370E43FA8154BB280DB839083");
574 try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{X}", .{&key_pair.public_key.toBytes()}), "2D6F7455D97B4A3A10D7293909D1A4F2058CB9A370E43FA8154BB280DB839083");
575}
576
577test "signature" {
578 var seed: [32]u8 = undefined;
579 _ = try fmt.hexToBytes(seed[0..], "8052030376d47112be7f73ed7a019293dd12ad910b654455798b4667d73de166");
580 const key_pair = try Ed25519.KeyPair.generateDeterministic(seed);
581
582 const sig = try key_pair.sign("test", null);
583 var buf: [128]u8 = undefined;
584 try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{X}", .{&sig.toBytes()}), "10A442B4A80CC4225B154F43BEF28D2472CA80221951262EB8E0DF9091575E2687CC486E77263C3418C757522D54F84B0359236ABBBD4ACD20DC297FDCA66808");
585 try sig.verify("test", key_pair.public_key);
586 try std.testing.expectError(error.SignatureVerificationFailed, sig.verify("TEST", key_pair.public_key));
587}
588
589test "batch verification" {
590 for (0..16) |_| {
591 const key_pair = Ed25519.KeyPair.generate();
592 var msg1: [32]u8 = undefined;
593 var msg2: [32]u8 = undefined;
594 crypto.random.bytes(&msg1);
595 crypto.random.bytes(&msg2);
596 const sig1 = try key_pair.sign(&msg1, null);
597 const sig2 = try key_pair.sign(&msg2, null);
598 var signature_batch = [_]Ed25519.BatchElement{
599 Ed25519.BatchElement{
600 .sig = sig1,
601 .msg = &msg1,
602 .public_key = key_pair.public_key,
603 },
604 Ed25519.BatchElement{
605 .sig = sig2,
606 .msg = &msg2,
607 .public_key = key_pair.public_key,
608 },
609 };
610 try Ed25519.verifyBatch(2, signature_batch);
611
612 signature_batch[1].sig = sig1;
613 try std.testing.expectError(error.SignatureVerificationFailed, Ed25519.verifyBatch(signature_batch.len, signature_batch));
614 }
615}
616
617test "test vectors" {
618 const Vec = struct {
619 msg_hex: []const u8,
620 public_key_hex: *const [64:0]u8,
621 sig_hex: *const [128:0]u8,
622 expected: ?anyerror,
623 };
624
625 const entries = [_]Vec{
626 Vec{
627 .msg_hex = "8c93255d71dcab10e8f379c26200f3c7bd5f09d9bc3068d3ef4edeb4853022b6",
628 .public_key_hex = "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa",
629 .sig_hex = "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a0000000000000000000000000000000000000000000000000000000000000000",
630 .expected = error.WeakPublicKey, // 0
631 },
632 Vec{
633 .msg_hex = "9bd9f44f4dcc75bd531b56b2cd280b0bb38fc1cd6d1230e14861d861de092e79",
634 .public_key_hex = "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa",
635 .sig_hex = "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43a5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04",
636 .expected = error.WeakPublicKey, // 1
637 },
638 Vec{
639 .msg_hex = "aebf3f2601a0c8c5d39cc7d8911642f740b78168218da8471772b35f9d35b9ab",
640 .public_key_hex = "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43",
641 .sig_hex = "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa8c4bd45aecaca5b24fb97bc10ac27ac8751a7dfe1baff8b953ec9f5833ca260e",
642 .expected = null, // 2 - small order R is acceptable
643 },
644 Vec{
645 .msg_hex = "9bd9f44f4dcc75bd531b56b2cd280b0bb38fc1cd6d1230e14861d861de092e79",
646 .public_key_hex = "cdb267ce40c5cd45306fa5d2f29731459387dbf9eb933b7bd5aed9a765b88d4d",
647 .sig_hex = "9046a64750444938de19f227bb80485e92b83fdb4b6506c160484c016cc1852f87909e14428a7a1d62e9f22f3d3ad7802db02eb2e688b6c52fcd6648a98bd009",
648 .expected = null, // 3 - mixed orders
649 },
650 Vec{
651 .msg_hex = "e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec4011eaccd55b53f56c",
652 .public_key_hex = "cdb267ce40c5cd45306fa5d2f29731459387dbf9eb933b7bd5aed9a765b88d4d",
653 .sig_hex = "160a1cb0dc9c0258cd0a7d23e94d8fa878bcb1925f2c64246b2dee1796bed5125ec6bc982a269b723e0668e540911a9a6a58921d6925e434ab10aa7940551a09",
654 .expected = null, // 4 - cofactored verification
655 },
656 Vec{
657 .msg_hex = "e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec4011eaccd55b53f56c",
658 .public_key_hex = "cdb267ce40c5cd45306fa5d2f29731459387dbf9eb933b7bd5aed9a765b88d4d",
659 .sig_hex = "21122a84e0b5fca4052f5b1235c80a537878b38f3142356b2c2384ebad4668b7e40bc836dac0f71076f9abe3a53f9c03c1ceeeddb658d0030494ace586687405",
660 .expected = null, // 5 - cofactored verification
661 },
662 Vec{
663 .msg_hex = "85e241a07d148b41e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec40",
664 .public_key_hex = "442aad9f089ad9e14647b1ef9099a1ff4798d78589e66f28eca69c11f582a623",
665 .sig_hex = "e96f66be976d82e60150baecff9906684aebb1ef181f67a7189ac78ea23b6c0e547f7690a0e2ddcd04d87dbc3490dc19b3b3052f7ff0538cb68afb369ba3a514",
666 .expected = error.NonCanonical, // 6 - S > L
667 },
668 Vec{
669 .msg_hex = "85e241a07d148b41e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec40",
670 .public_key_hex = "442aad9f089ad9e14647b1ef9099a1ff4798d78589e66f28eca69c11f582a623",
671 .sig_hex = "8ce5b96c8f26d0ab6c47958c9e68b937104cd36e13c33566acd2fe8d38aa19427e71f98a473474f2f13f06f97c20d58cc3f54b8bd0d272f42b695dd7e89a8c22",
672 .expected = error.NonCanonical, // 7 - S >> L
673 },
674 Vec{
675 .msg_hex = "9bedc267423725d473888631ebf45988bad3db83851ee85c85e241a07d148b41",
676 .public_key_hex = "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43",
677 .sig_hex = "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff03be9678ac102edcd92b0210bb34d7428d12ffc5df5f37e359941266a4e35f0f",
678 .expected = error.IdentityElement, // 8 - non-canonical R
679 },
680 Vec{
681 .msg_hex = "9bedc267423725d473888631ebf45988bad3db83851ee85c85e241a07d148b41",
682 .public_key_hex = "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43",
683 .sig_hex = "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffca8c5b64cd208982aa38d4936621a4775aa233aa0505711d8fdcfdaa943d4908",
684 .expected = error.IdentityElement, // 9 - non-canonical R
685 },
686 Vec{
687 .msg_hex = "e96b7021eb39c1a163b6da4e3093dcd3f21387da4cc4572be588fafae23c155b",
688 .public_key_hex = "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
689 .sig_hex = "a9d55260f765261eb9b84e106f665e00b867287a761990d7135963ee0a7d59dca5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04",
690 .expected = error.IdentityElement, // 10 - small-order A
691 },
692 Vec{
693 .msg_hex = "39a591f5321bbe07fd5a23dc2f39d025d74526615746727ceefd6e82ae65c06f",
694 .public_key_hex = "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
695 .sig_hex = "a9d55260f765261eb9b84e106f665e00b867287a761990d7135963ee0a7d59dca5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04",
696 .expected = error.IdentityElement, // 11 - small-order A
697 },
698 };
699 for (entries) |entry| {
700 var msg: [64 / 2]u8 = undefined;
701 const msg_len = entry.msg_hex.len / 2;
702 _ = try fmt.hexToBytes(msg[0..msg_len], entry.msg_hex);
703 var public_key_bytes: [32]u8 = undefined;
704 _ = try fmt.hexToBytes(&public_key_bytes, entry.public_key_hex);
705 const public_key = Ed25519.PublicKey.fromBytes(public_key_bytes) catch |err| {
706 try std.testing.expectEqual(entry.expected.?, err);
707 continue;
708 };
709 var sig_bytes: [64]u8 = undefined;
710 _ = try fmt.hexToBytes(&sig_bytes, entry.sig_hex);
711 const sig = Ed25519.Signature.fromBytes(sig_bytes);
712 if (entry.expected) |error_type| {
713 try std.testing.expectError(error_type, sig.verify(msg[0..msg_len], public_key));
714 } else {
715 try sig.verify(msg[0..msg_len], public_key);
716 }
717 }
718}
719
720test "with blind keys" {
721 const BlindKeyPair = Ed25519.key_blinding.BlindKeyPair;
722
723 // Create a standard Ed25519 key pair
724 const kp = Ed25519.KeyPair.generate();
725
726 // Create a random blinding seed
727 var blind: [32]u8 = undefined;
728 crypto.random.bytes(&blind);
729
730 // Blind the key pair
731 const blind_kp = try BlindKeyPair.init(kp, blind, "ctx");
732
733 // Sign a message and check that it can be verified with the blind public key
734 const msg = "test";
735 const sig = try blind_kp.sign(msg, null);
736 try sig.verify(msg, blind_kp.blind_public_key.key);
737
738 // Unblind the public key
739 const pk = try blind_kp.blind_public_key.unblind(blind, "ctx");
740 try std.testing.expectEqualSlices(u8, &pk.toBytes(), &kp.public_key.toBytes());
741}
742
743test "signatures with streaming" {
744 const kp = Ed25519.KeyPair.generate();
745
746 var signer = try kp.signer(null);
747 signer.update("mes");
748 signer.update("sage");
749 const sig = signer.finalize();
750
751 try sig.verify("message", kp.public_key);
752
753 var verifier = try sig.verifier(kp.public_key);
754 verifier.update("mess");
755 verifier.update("age");
756 try verifier.verify();
757}
758
759test "key pair from secret key" {
760 const kp = Ed25519.KeyPair.generate();
761 const kp2 = try Ed25519.KeyPair.fromSecretKey(kp.secret_key);
762 try std.testing.expectEqualSlices(u8, &kp.secret_key.toBytes(), &kp2.secret_key.toBytes());
763 try std.testing.expectEqualSlices(u8, &kp.public_key.toBytes(), &kp2.public_key.toBytes());
764}
765
766test "cofactored vs cofactorless verification" {
767 const msg_hex = "65643235353139766563746f72732033";
768 const public_key_hex = "86e72f5c2a7215151059aa151c0ee6f8e2155d301402f35d7498f078629a8f79";
769 const sig_hex = "fa9dde274f4820efb19a890f8ba2d8791710a4303ceef4aedf9dddc4e81a1f11701a598b9a02ae60505dd0c2938a1a0c2d6ffd4676cfb49125b19e9cb358da06";
770
771 var msg: [16]u8 = undefined;
772 _ = try fmt.hexToBytes(&msg, msg_hex);
773
774 var pk_bytes: [32]u8 = undefined;
775 _ = try fmt.hexToBytes(&pk_bytes, public_key_hex);
776 const pk = try Ed25519.PublicKey.fromBytes(pk_bytes);
777
778 var sig_bytes: [64]u8 = undefined;
779 _ = try fmt.hexToBytes(&sig_bytes, sig_hex);
780 const sig = Ed25519.Signature.fromBytes(sig_bytes);
781
782 try sig.verify(&msg, pk);
783
784 try std.testing.expectError(
785 error.SignatureVerificationFailed,
786 sig.verifyStrict(&msg, pk),
787 );
788}
789
790test "regular signature verifies with both verify and verifyStrict" {
791 const kp = Ed25519.KeyPair.generate();
792 const msg = "test message";
793 const sig = try kp.sign(msg, null);
794 try sig.verify(msg, kp.public_key);
795 try sig.verifyStrict(msg, kp.public_key);
796}