2 use core
::ops
::{Deref, DerefMut}
;
5 #[cfg(feature = "blind-keys")]
6 use super::edwards25519
::{ge_scalarmult, sc_invert, sc_mul}
;
7 use super::edwards25519
::{
8 ge_scalarmult_base
, is_identity
, sc_muladd
, sc_reduce
, sc_reduce32
, sc_reject_noncanonical
,
11 use super::error
::Error
;
15 #[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
16 pub struct PublicKey([u8; PublicKey
::BYTES
]);
19 /// Number of raw bytes in a public key.
20 pub const BYTES
: usize = 32;
22 /// Creates a public key from raw bytes.
23 pub fn new(pk
: [u8; PublicKey
::BYTES
]) -> Self {
27 /// Creates a public key from a slice.
28 pub fn from_slice(pk
: &[u8]) -> Result
<Self, Error
> {
29 let mut pk_
= [0u8; PublicKey
::BYTES
];
30 if pk
.len() != pk_
.len() {
31 return Err(Error
::InvalidPublicKey
);
33 pk_
.copy_from_slice(pk
);
34 Ok(PublicKey
::new(pk_
))
38 impl Deref
for PublicKey
{
39 type Target
= [u8; PublicKey
::BYTES
];
41 /// Returns a public key as bytes.
42 fn deref(&self) -> &Self::Target
{
47 impl DerefMut
for PublicKey
{
48 /// Returns a public key as mutable bytes.
49 fn deref_mut(&mut self) -> &mut Self::Target
{
55 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
56 pub struct SecretKey([u8; SecretKey
::BYTES
]);
59 /// Number of bytes in a secret key.
60 pub const BYTES
: usize = 32 + PublicKey
::BYTES
;
62 /// Creates a secret key from raw bytes.
63 pub fn new(sk
: [u8; SecretKey
::BYTES
]) -> Self {
67 /// Creates a secret key from a slice.
68 pub fn from_slice(sk
: &[u8]) -> Result
<Self, Error
> {
69 let mut sk_
= [0u8; SecretKey
::BYTES
];
70 if sk
.len() != sk_
.len() {
71 return Err(Error
::InvalidSecretKey
);
73 sk_
.copy_from_slice(sk
);
74 Ok(SecretKey
::new(sk_
))
77 /// Returns the public counterpart of a secret key.
78 pub fn public_key(&self) -> PublicKey
{
79 let mut pk
= [0u8; PublicKey
::BYTES
];
80 pk
.copy_from_slice(&self[Seed
::BYTES
..]);
84 /// Returns the seed of a secret key.
85 pub fn seed(&self) -> Seed
{
86 Seed
::from_slice(&self[0..Seed
::BYTES
]).unwrap()
89 /// Returns `Ok(())` if the given public key is the public counterpart of
91 /// Returns `Err(Error::InvalidPublicKey)` otherwise.
92 /// The public key is recomputed (not just copied) from the secret key,
93 /// so this will detect corruption of the secret key.
94 pub fn validate_public_key(&self, pk
: &PublicKey
) -> Result
<(), Error
> {
95 let kp
= KeyPair
::from_seed(self.seed());
97 return Err(Error
::InvalidPublicKey
);
103 impl Drop
for SecretKey
{
109 impl Deref
for SecretKey
{
110 type Target
= [u8; SecretKey
::BYTES
];
112 /// Returns a secret key as bytes.
113 fn deref(&self) -> &Self::Target
{
118 impl DerefMut
for SecretKey
{
119 /// Returns a secret key as mutable bytes.
120 fn deref_mut(&mut self) -> &mut Self::Target
{
126 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
128 /// Public key part of the key pair.
130 /// Secret key part of the key pair.
134 /// An Ed25519 signature.
135 #[derive(Copy, Clone, Eq, PartialEq, Hash)]
136 pub struct Signature([u8; Signature
::BYTES
]);
138 impl fmt
::Debug
for Signature
{
139 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
140 f
.write_fmt(format_args
!("{:x?}", &self.0))
144 impl AsRef
<[u8]> for Signature
{
145 fn as_ref(&self) -> &[u8] {
151 /// Number of raw bytes in a signature.
152 pub const BYTES
: usize = 64;
154 /// Creates a signature from raw bytes.
155 pub fn new(bytes
: [u8; Signature
::BYTES
]) -> Self {
159 /// Creates a signature key from a slice.
160 pub fn from_slice(signature
: &[u8]) -> Result
<Self, Error
> {
161 let mut signature_
= [0u8; Signature
::BYTES
];
162 if signature
.len() != signature_
.len() {
163 return Err(Error
::InvalidSignature
);
165 signature_
.copy_from_slice(signature
);
166 Ok(Signature
::new(signature_
))
170 impl Deref
for Signature
{
171 type Target
= [u8; Signature
::BYTES
];
173 /// Returns a signture as bytes.
174 fn deref(&self) -> &Self::Target
{
179 impl DerefMut
for Signature
{
180 /// Returns a signature as mutable bytes.
181 fn deref_mut(&mut self) -> &mut Self::Target
{
186 /// The state of a streaming verification operation.
188 pub struct VerifyingState
{
189 hasher
: sha512
::Hash
,
190 signature
: Signature
,
194 impl Drop
for VerifyingState
{
196 Mem
::wipe(self.signature
.0);
200 impl VerifyingState
{
201 fn new(pk
: &PublicKey
, signature
: &Signature
) -> Result
<Self, Error
> {
202 let r
= &signature
[0..32];
203 let s
= &signature
[32..64];
204 sc_reject_noncanonical(s
)?
;
205 if is_identity(pk
) || pk
.iter().fold(0, |acc
, x
| acc
| x
) == 0 {
206 return Err(Error
::WeakPublicKey
);
208 let a
= match GeP3
::from_bytes_negate_vartime(pk
) {
211 return Err(Error
::InvalidPublicKey
);
214 let mut hasher
= sha512
::Hash
::new();
216 hasher
.update(&pk
[..]);
219 signature
: *signature
,
224 /// Appends data to the message being verified.
225 pub fn absorb(&mut self, chunk
: impl AsRef
<[u8]>) {
226 self.hasher
.update(chunk
)
229 /// Verifies the signature and return it.
230 pub fn verify(&self) -> Result
<(), Error
> {
231 let mut expected_r_bytes
= [0u8; 32];
232 expected_r_bytes
.copy_from_slice(&self.signature
[0..32]);
234 GeP3
::from_bytes_vartime(&expected_r_bytes
).ok_or(Error
::InvalidSignature
)?
;
235 let s
= &self.signature
[32..64];
237 let mut hash
= self.hasher
.finalize();
238 sc_reduce(&mut hash
);
240 let r
= GeP2
::double_scalarmult_vartime(hash
.as_ref(), self.a
, s
);
241 if (expected_r
- GeP3
::from(r
)).has_small_order() {
244 Err(Error
::SignatureMismatch
)
250 /// Verify the signature of a multi-part message (streaming).
251 pub fn verify_incremental(&self, signature
: &Signature
) -> Result
<VerifyingState
, Error
> {
252 VerifyingState
::new(self, signature
)
255 /// Verifies that the signature `signature` is valid for the message
257 pub fn verify(&self, message
: impl AsRef
<[u8]>, signature
: &Signature
) -> Result
<(), Error
> {
258 let mut st
= VerifyingState
::new(self, signature
)?
;
264 /// The state of a streaming signature operation.
266 pub struct SigningState
{
267 hasher
: sha512
::Hash
,
272 impl Drop
for SigningState
{
275 Mem
::wipe(self.nonce
);
280 fn new(nonce
: [u8; 64], az
: [u8; 64], pk_
: &[u8]) -> Self {
281 let mut prefix
: [u8; 64] = [0; 64];
282 let r
= ge_scalarmult_base(&nonce
[0..32]);
283 prefix
[0..32].copy_from_slice(&r
.to_bytes()[..]);
284 prefix
[32..64].copy_from_slice(pk_
);
286 let mut st
= sha512
::Hash
::new();
296 /// Appends data to the message being signed.
297 pub fn absorb(&mut self, chunk
: impl AsRef
<[u8]>) {
298 self.hasher
.update(chunk
)
301 /// Computes the signature and return it.
302 pub fn sign(&self) -> Signature
{
303 let mut signature
: [u8; 64] = [0; 64];
304 let r
= ge_scalarmult_base(&self.nonce
[0..32]);
305 signature
[0..32].copy_from_slice(&r
.to_bytes()[..]);
306 let mut hram
= self.hasher
.finalize();
307 sc_reduce(&mut hram
);
309 &mut signature
[32..64],
319 /// Sign a multi-part message (streaming API).
320 /// It is critical for `noise` to never repeat.
321 pub fn sign_incremental(&self, noise
: Noise
) -> SigningState
{
322 let seed
= &self[0..32];
323 let pk
= &self[32..64];
325 let mut hash_output
= sha512
::Hash
::hash(seed
);
326 hash_output
[0] &= 248;
327 hash_output
[31] &= 63;
328 hash_output
[31] |= 64;
331 let mut st
= sha512
::Hash
::new();
332 #[cfg(feature = "random")]
334 let additional_noise
= Noise
::generate();
335 st
.update(additional_noise
.as_ref());
337 st
.update(noise
.as_ref());
339 let nonce
= st
.finalize();
340 SigningState
::new(nonce
, az
, pk
)
343 /// Computes a signature for the message `message` using the secret key.
344 /// The noise parameter is optional, but recommended in order to mitigate
346 pub fn sign(&self, message
: impl AsRef
<[u8]>, noise
: Option
<Noise
>) -> Signature
{
347 let seed
= &self[0..32];
348 let pk
= &self[32..64];
350 let mut hash_output
= sha512
::Hash
::hash(seed
);
351 hash_output
[0] &= 248;
352 hash_output
[31] &= 63;
353 hash_output
[31] |= 64;
357 let mut hasher
= sha512
::Hash
::new();
358 if let Some(noise
) = noise
{
359 hasher
.update(&noise
[..]);
360 hasher
.update(&az
[..]);
362 hasher
.update(&az
[32..64]);
364 hasher
.update(&message
);
365 let mut hash_output
= hasher
.finalize();
366 sc_reduce(&mut hash_output
[0..64]);
369 let mut st
= SigningState
::new(nonce
, az
, pk
);
371 let signature
= st
.sign();
373 #[cfg(feature = "self-verify")]
375 PublicKey
::from_slice(pk
)
376 .expect("Key length changed")
377 .verify(message
, &signature
)
378 .expect("Newly created signature cannot be verified");
386 /// Number of bytes in a key pair.
387 pub const BYTES
: usize = SecretKey
::BYTES
;
389 /// Generates a new key pair.
390 #[cfg(feature = "random")]
391 pub fn generate() -> KeyPair
{
392 KeyPair
::from_seed(Seed
::default())
395 /// Generates a new key pair using a secret seed.
396 pub fn from_seed(seed
: Seed
) -> KeyPair
{
397 if seed
.iter().fold(0, |acc
, x
| acc
| x
) == 0 {
398 panic
!("All-zero seed");
401 let hash_output
= sha512
::Hash
::hash(&seed
[..]);
402 KeyPair
::split(&hash_output
, false, true)
404 let pk
= ge_scalarmult_base(&scalar
).to_bytes();
405 let mut sk
= [0u8; 64];
406 sk
[0..32].copy_from_slice(&*seed
);
407 sk
[32..64].copy_from_slice(&pk
);
414 /// Creates a key pair from a slice.
415 pub fn from_slice(bytes
: &[u8]) -> Result
<Self, Error
> {
416 let sk
= SecretKey
::from_slice(bytes
)?
;
417 let pk
= sk
.public_key();
418 Ok(KeyPair { pk, sk }
)
422 pub fn clamp(scalar
: &mut [u8]) {
428 /// Split a serialized representation of a key pair into a secret scalar and
430 pub fn split(bytes
: &[u8; 64], reduce
: bool
, clamp
: bool
) -> ([u8; 32], [u8; 32]) {
431 let mut scalar
= [0u8; 32];
432 scalar
.copy_from_slice(&bytes
[0..32]);
434 Self::clamp(&mut scalar
);
437 sc_reduce32(&mut scalar
);
439 let mut prefix
= [0u8; 32];
440 prefix
.copy_from_slice(&bytes
[32..64]);
444 /// Check that the public key is valid for the secret key.
445 pub fn validate(&self) -> Result
<(), Error
> {
446 self.sk
.validate_public_key(&self.pk
)
450 impl Deref
for KeyPair
{
451 type Target
= [u8; KeyPair
::BYTES
];
453 /// Returns a key pair as bytes.
454 fn deref(&self) -> &Self::Target
{
459 impl DerefMut
for KeyPair
{
460 /// Returns a key pair as mutable bytes.
461 fn deref_mut(&mut self) -> &mut Self::Target
{
466 /// Noise, for non-deterministic signatures.
467 #[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
468 pub struct Noise([u8; Noise
::BYTES
]);
471 /// Number of raw bytes for a noise component.
472 pub const BYTES
: usize = 16;
474 /// Creates a new noise component from raw bytes.
475 pub fn new(noise
: [u8; Noise
::BYTES
]) -> Self {
479 /// Creates noise from a slice.
480 pub fn from_slice(noise
: &[u8]) -> Result
<Self, Error
> {
481 let mut noise_
= [0u8; Noise
::BYTES
];
482 if noise
.len() != noise_
.len() {
483 return Err(Error
::InvalidSeed
);
485 noise_
.copy_from_slice(noise
);
486 Ok(Noise
::new(noise_
))
490 impl Deref
for Noise
{
491 type Target
= [u8; Noise
::BYTES
];
493 /// Returns the noise as bytes.
494 fn deref(&self) -> &Self::Target
{
499 impl DerefMut
for Noise
{
500 /// Returns the noise as mutable bytes.
501 fn deref_mut(&mut self) -> &mut Self::Target
{
506 #[cfg(feature = "random")]
507 impl Default
for Noise
{
508 /// Generates random noise.
509 fn default() -> Self {
510 let mut noise
= [0u8; Noise
::BYTES
];
511 getrandom
::getrandom(&mut noise
).expect("RNG failure");
516 #[cfg(feature = "random")]
518 /// Generates random noise.
519 pub fn generate() -> Self {
524 #[cfg(feature = "traits")]
526 use ::ed25519
::signature
as ed25519_trait
;
528 use super::{PublicKey, SecretKey, Signature}
;
530 impl ed25519_trait
::Signature
for Signature
{
531 fn from_bytes(bytes
: &[u8]) -> Result
<Self, ed25519_trait
::Error
> {
532 let mut bytes_
= [0u8; Signature
::BYTES
];
533 bytes_
.copy_from_slice(bytes
);
534 Ok(Signature
::new(bytes_
))
538 impl ed25519_trait
::Signer
<Signature
> for SecretKey
{
539 fn try_sign(&self, message
: &[u8]) -> Result
<Signature
, ed25519_trait
::Error
> {
540 Ok(self.sign(message
, None
))
544 impl ed25519_trait
::Verifier
<Signature
> for PublicKey
{
548 signature
: &Signature
,
549 ) -> Result
<(), ed25519_trait
::Error
> {
550 #[cfg(feature = "std")]
552 self.verify(message
, signature
)
553 .map_err(|e
| ed25519_trait
::Error
::from_source(e
))
556 #[cfg(not(feature = "std"))]
558 self.verify(message
, signature
)
559 .map_err(|_
| ed25519_trait
::Error
::new())
567 let kp
= KeyPair
::from_seed([42u8; 32].into());
568 let message
= b
"Hello, World!";
569 let signature
= kp
.sk
.sign(message
, None
);
570 assert
!(kp
.pk
.verify(message
, &signature
).is_ok());
571 assert
!(kp
.pk
.verify(b
"Hello, world!", &signature
).is_err());
575 196, 182, 1, 15, 182, 182, 231, 166, 227, 62, 243, 85, 49, 174, 169, 9, 162, 196, 98,
576 104, 30, 81, 22, 38, 184, 136, 253, 128, 10, 160, 128, 105, 127, 130, 138, 164, 57, 86,
577 94, 160, 216, 85, 153, 139, 81, 100, 38, 124, 235, 210, 26, 95, 231, 90, 73, 206, 33,
578 216, 171, 15, 188, 181, 136, 7,
583 #[cfg(feature = "blind-keys")]
587 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
588 pub struct Blind([u8; Blind
::BYTES
]);
590 impl From
<[u8; 32]> for Blind
{
591 fn from(blind
: [u8; 32]) -> Self {
597 /// Number of raw bytes in a blind.
598 pub const BYTES
: usize = 32;
600 /// Creates a blind from raw bytes.
601 pub fn new(blind
: [u8; Blind
::BYTES
]) -> Self {
605 /// Creates a blind from a slice.
606 pub fn from_slice(blind
: &[u8]) -> Result
<Self, Error
> {
607 let mut blind_
= [0u8; Blind
::BYTES
];
608 if blind
.len() != blind_
.len() {
609 return Err(Error
::InvalidBlind
);
611 blind_
.copy_from_slice(blind
);
612 Ok(Blind
::new(blind_
))
616 impl Drop
for Blind
{
622 #[cfg(feature = "random")]
623 impl Default
for Blind
{
624 /// Generates a random blind.
625 fn default() -> Self {
626 let mut blind
= [0u8; Blind
::BYTES
];
627 getrandom
::getrandom(&mut blind
).expect("RNG failure");
632 #[cfg(feature = "random")]
634 /// Generates a random blind.
635 pub fn generate() -> Self {
640 impl Deref
for Blind
{
641 type Target
= [u8; Blind
::BYTES
];
643 /// Returns a blind as bytes.
644 fn deref(&self) -> &Self::Target
{
649 impl DerefMut
for Blind
{
650 /// Returns a blind as mutable bytes.
651 fn deref_mut(&mut self) -> &mut Self::Target
{
656 /// A blind public key.
657 #[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
658 pub struct BlindPublicKey([u8; PublicKey
::BYTES
]);
660 impl Deref
for BlindPublicKey
{
661 type Target
= [u8; BlindPublicKey
::BYTES
];
663 /// Returns a public key as bytes.
664 fn deref(&self) -> &Self::Target
{
669 impl DerefMut
for BlindPublicKey
{
670 /// Returns a public key as mutable bytes.
671 fn deref_mut(&mut self) -> &mut Self::Target
{
676 impl BlindPublicKey
{
677 /// Number of bytes in a blind public key.
678 pub const BYTES
: usize = PublicKey
::BYTES
;
680 /// Creates a blind public key from raw bytes.
681 pub fn new(bpk
: [u8; PublicKey
::BYTES
]) -> Self {
685 /// Creates a blind public key from a slice.
686 pub fn from_slice(bpk
: &[u8]) -> Result
<Self, Error
> {
687 let mut bpk_
= [0u8; PublicKey
::BYTES
];
688 if bpk
.len() != bpk_
.len() {
689 return Err(Error
::InvalidPublicKey
);
691 bpk_
.copy_from_slice(bpk
);
692 Ok(BlindPublicKey
::new(bpk_
))
695 /// Unblinds a public key.
696 pub fn unblind(&self, blind
: &Blind
, ctx
: impl AsRef
<[u8]>) -> Result
<PublicKey
, Error
> {
697 let pk_p3
= GeP3
::from_bytes_vartime(&self.0).ok_or(Error
::InvalidPublicKey
)?
;
698 let mut hx
= sha512
::Hash
::new();
699 hx
.update(&blind
[..]);
701 hx
.update(ctx
.as_ref());
702 let hash_output
= hx
.finalize();
703 let (blind_factor
, _
) = KeyPair
::split(&hash_output
, true, false);
704 let inverse
= sc_invert(&blind_factor
);
705 Ok(PublicKey(ge_scalarmult(&inverse
, &pk_p3
).to_bytes()))
708 /// Verifies that the signature `signature` is valid for the message
712 message
: impl AsRef
<[u8]>,
713 signature
: &Signature
,
714 ) -> Result
<(), Error
> {
715 PublicKey
::new(self.0).verify(message
, signature
)
719 impl From
<PublicKey
> for BlindPublicKey
{
720 fn from(pk
: PublicKey
) -> Self {
725 impl From
<BlindPublicKey
> for PublicKey
{
726 fn from(bpk
: BlindPublicKey
) -> Self {
731 /// A blind secret key.
732 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
733 pub struct BlindSecretKey
{
734 pub prefix
: [u8; 2 * Seed
::BYTES
],
735 pub blind_scalar
: [u8; 32],
736 pub blind_pk
: BlindPublicKey
,
739 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
740 pub struct BlindKeyPair
{
741 /// Public key part of the blind key pair.
742 pub blind_pk
: BlindPublicKey
,
743 /// Secret key part of the blind key pair.
744 pub blind_sk
: BlindSecretKey
,
747 impl BlindSecretKey
{
748 /// Computes a signature for the message `message` using the blind
749 /// secret key. The noise parameter is optional, but recommended
750 /// in order to mitigate fault attacks.
751 pub fn sign(&self, message
: impl AsRef
<[u8]>, noise
: Option
<Noise
>) -> Signature
{
753 let mut hasher
= sha512
::Hash
::new();
754 if let Some(noise
) = noise
{
755 hasher
.update(&noise
[..]);
756 hasher
.update(self.prefix
);
758 hasher
.update(self.prefix
);
760 hasher
.update(&message
);
761 let mut hash_output
= hasher
.finalize();
762 sc_reduce(&mut hash_output
[0..64]);
765 let mut signature
: [u8; 64] = [0; 64];
766 let r
= ge_scalarmult_base(&nonce
[0..32]);
767 signature
[0..32].copy_from_slice(&r
.to_bytes()[..]);
768 signature
[32..64].copy_from_slice(&self.blind_pk
.0);
769 let mut hasher
= sha512
::Hash
::new();
770 hasher
.update(signature
.as_ref());
771 hasher
.update(&message
);
772 let mut hram
= hasher
.finalize();
773 sc_reduce(&mut hram
);
775 &mut signature
[32..64],
780 let signature
= Signature(signature
);
782 #[cfg(feature = "self-verify")]
784 PublicKey
::from_slice(&self.blind_pk
.0)
785 .expect("Key length changed")
786 .verify(message
, &signature
)
787 .expect("Newly created signature cannot be verified");
793 impl Drop
for BlindSecretKey
{
795 Mem
::wipe(self.prefix
);
796 Mem
::wipe(self.blind_scalar
);
801 /// Returns a blind version of the public key.
802 pub fn blind(&self, blind
: &Blind
, ctx
: impl AsRef
<[u8]>) -> Result
<BlindPublicKey
, Error
> {
803 let (blind_factor
, _prefix2
) = {
804 let mut hx
= sha512
::Hash
::new();
805 hx
.update(&blind
[..]);
807 hx
.update(ctx
.as_ref());
808 let hash_output
= hx
.finalize();
809 KeyPair
::split(&hash_output
, true, false)
811 let pk_p3
= GeP3
::from_bytes_vartime(&self.0).ok_or(Error
::InvalidPublicKey
)?
;
813 ge_scalarmult(&blind_factor
, &pk_p3
).to_bytes(),
819 /// Returns a blind version of the key pair.
820 pub fn blind(&self, blind
: &Blind
, ctx
: impl AsRef
<[u8]>) -> BlindKeyPair
{
821 let seed
= self.sk
.seed();
822 let (scalar
, prefix1
) = {
823 let hash_output
= sha512
::Hash
::hash(&seed
[..]);
824 KeyPair
::split(&hash_output
, false, true)
827 let (blind_factor
, prefix2
) = {
828 let mut hx
= sha512
::Hash
::new();
829 hx
.update(&blind
[..]);
831 hx
.update(ctx
.as_ref());
832 let hash_output
= hx
.finalize();
833 KeyPair
::split(&hash_output
, true, false)
836 let blind_scalar
= sc_mul(&scalar
, &blind_factor
);
837 let blind_pk
= ge_scalarmult_base(&blind_scalar
).to_bytes();
839 let mut prefix
= [0u8; 2 * Seed
::BYTES
];
840 prefix
[0..32].copy_from_slice(&prefix1
);
841 prefix
[32..64].copy_from_slice(&prefix2
);
842 let blind_pk
= BlindPublicKey
::new(blind_pk
);
846 blind_sk
: BlindSecretKey
{
856 #[cfg(feature = "blind-keys")]
857 pub use blind_keys
::*;
860 #[cfg(feature = "blind-keys")]
861 fn test_blind_ed25519() {
862 use ct_codecs
::{Decoder, Hex}
;
864 let kp
= KeyPair
::generate();
865 let blind
= Blind
::new([69u8; 32]);
866 let blind_kp
= kp
.blind(&blind
, "ctx");
867 let message
= b
"Hello, World!";
868 let signature
= blind_kp
.blind_sk
.sign(message
, None
);
869 assert
!(blind_kp
.blind_pk
.verify(message
, &signature
).is_ok());
870 let recovered_pk
= blind_kp
.blind_pk
.unblind(&blind
, "ctx").unwrap();
871 assert
!(recovered_pk
== kp
.pk
);
873 let kp
= KeyPair
::from_seed(
876 "875532ab039b0a154161c284e19c74afa28d5bf5454e99284bbcffaa71eebf45",
885 "3b5983605b277cd44918410eb246bb52d83adfc806ccaa91a60b5b2011bc5973",
892 let blind
= Blind
::from_slice(
894 "c461e8595f0ac41d374f878613206704978115a226f60470ffd566e9e6ae73bf",
900 let blind_kp
= kp
.blind(&blind
, "ctx");
903 "246dcd43930b81d5e4d770db934a9fcd985b75fd014bc2a98b0aea02311c1836",
907 blind_kp
.blind_pk
.as_ref()
910 let message
= Hex
::decode_to_vec("68656c6c6f20776f726c64", None
).unwrap();
911 let signature
= blind_kp
.blind_sk
.sign(message
, None
);
912 assert_eq
!(Hex
::decode_to_vec("947bacfabc63448f8955dc20630e069e58f37b72bb433ae17f2fa904ea860b44deb761705a3cc2168a6673ee0b41ff7765c7a4896941eec6833c1689315acb0b",
913 None
).unwrap(), signature
.as_ref());
917 fn test_streaming() {
918 let kp
= KeyPair
::generate();
922 let mut st
= kp
.sk
.sign_incremental(Noise
::default());
925 let signature
= st
.sign();
929 let mut st
= kp
.pk
.verify_incremental(&signature
).unwrap();
932 assert
!(st
.verify().is_ok());
936 #[cfg(feature = "random")]
937 fn test_ed25519_invalid_keypair() {
938 let kp1
= KeyPair
::generate();
939 let kp2
= KeyPair
::generate();
942 kp1
.sk
.validate_public_key(&kp2
.pk
).unwrap_err(),
943 Error
::InvalidPublicKey
946 kp2
.sk
.validate_public_key(&kp1
.pk
).unwrap_err(),
947 Error
::InvalidPublicKey
949 assert
!(kp1
.sk
.validate_public_key(&kp1
.pk
).is_ok());
950 assert
!(kp2
.sk
.validate_public_key(&kp2
.pk
).is_ok());
951 assert
!(kp1
.validate().is_ok());