zecfoundation
/
ed25519-zebra
mirror of https://github.com/ZcashFoundation/ed25519-zebra.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
ed25519-zebra/README.md

94 lines
3.6 KiB
Markdown
Raw Permalink Normal View History

Add dependency and build status badges Add dependency and build status badges to the README.md file.
2021-09-07 14:35:13 -07:00
[![Build status](https://github.com/ZcashFoundation/ed25519-zebra/actions/workflows/main.yml/badge.svg?branch=main)](https://github.com/ZcashFoundation/ed25519-zebra/actions/workflows/main.yml?query=branch%3Amain)
[![dependency status](https://deps.rs/repo/github/ZcashFoundation/ed25519-zebra/status.svg)](https://deps.rs/repo/github/ZcashFoundation/ed25519-zebra)
Add README
2020-01-22 12:08:03 -08:00
Zcash-flavored Ed25519 for use in [Zebra][zebra].
Zcash uses Ed25519 for [JoinSplit signatures][zcash_protocol_jssig] with
Update README
2020-01-23 17:26:17 -08:00
particular validation rules around edge cases in Ed25519 signatures. Ed25519,
as specified in [RFC8032], does not specify behaviour around these edge cases
and so does not require conformant implementations to agree on whether a
signature is valid. For most applications, these edge cases are irrelevant,
but in Zcash, nodes must be able to reach consensus on which signatures would
be valid, so these validation behaviors are *consensus-critical*.
Because the Ed25519 validation rules are consensus-critical for Zcash, Zebra
requires an Ed25519 library that implements the Zcash-flavored validation rules
specifically, and since it is unreasonable to expect an upstream dependency to
maintain Zcash-specific behavior, this crate provides an Ed25519 implementation
matching the Zcash consensus rules exactly.
Add README
2020-01-22 12:08:03 -08:00
Implement ZIP 215 validation rules. (#24) * Implement ZIP 215 validation rules. These have the effect that batched and singleton verification are now equivalent. * Add ZIP 215 conformance tests. This test constructs signatures on the message "Zcash" using small-order verification keys, some with canonical and some with non-canonical encodings of points. All of these signatures should pass verification under the ZIP 215 rules, but most of them should fail verification under legacy rules. These tests exercise all of the special-case behaviors from the specific version of libsodium used by Zcashd: * the all-zero check for the verification key; * the excluded point encodings for the signature's R value; * the choice to test equality of the encoded bytes of the recomputed R value rather than on the projective coordinates of the two points. Running ``` cargo test -- --nocapture ``` will print a hex-formatted list of the test cases, which can also be found here: https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 * Update spec links. Thanks to @ebfull for pointing this out. * No ... there is another. @ebfull pointed out that two test cases were duplicates. The cause was that I misread the RFC8032 check was checking for the non-canonical encoding of the identity point that NCC Group apparently brought up. Carefully analyzing all the cases instead of assuming reveals there is another non-canonically encoded point (of order 2). * Change formatting of printed test cases.
2020-07-06 19:40:20 -07:00
However, this library may be of independent interest, as it implements
ZIP215, a set of precisely specified validation rules for Ed25519 that make
individual verification consistent with batch verification and are
v3.0.0
2021-10-12 10:21:12 -07:00
backwards-compatible with all existing Ed25519 signatures. Any non-Zcash users
Implement ZIP 215 validation rules. (#24) * Implement ZIP 215 validation rules. These have the effect that batched and singleton verification are now equivalent. * Add ZIP 215 conformance tests. This test constructs signatures on the message "Zcash" using small-order verification keys, some with canonical and some with non-canonical encodings of points. All of these signatures should pass verification under the ZIP 215 rules, but most of them should fail verification under legacy rules. These tests exercise all of the special-case behaviors from the specific version of libsodium used by Zcashd: * the all-zero check for the verification key; * the excluded point encodings for the signature's R value; * the choice to test equality of the encoded bytes of the recomputed R value rather than on the projective coordinates of the two points. Running ``` cargo test -- --nocapture ``` will print a hex-formatted list of the test cases, which can also be found here: https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 * Update spec links. Thanks to @ebfull for pointing this out. * No ... there is another. @ebfull pointed out that two test cases were duplicates. The cause was that I misread the RFC8032 check was checking for the non-canonical encoding of the identity point that NCC Group apparently brought up. Carefully analyzing all the cases instead of assuming reveals there is another non-canonically encoded point (of order 2). * Change formatting of printed test cases.
2020-07-06 19:40:20 -07:00
should use the ZIP215 rules:
```toml
Update references to the major version number and to Canopy activation in the README (#84) * README.md: update references to the major version. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> * README.md: update the reference to Zcash Canopy activation. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> --------- Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
2023-06-12 09:45:19 -07:00
ed25519-zebra = "4"
Implement ZIP 215 validation rules. (#24) * Implement ZIP 215 validation rules. These have the effect that batched and singleton verification are now equivalent. * Add ZIP 215 conformance tests. This test constructs signatures on the message "Zcash" using small-order verification keys, some with canonical and some with non-canonical encodings of points. All of these signatures should pass verification under the ZIP 215 rules, but most of them should fail verification under legacy rules. These tests exercise all of the special-case behaviors from the specific version of libsodium used by Zcashd: * the all-zero check for the verification key; * the excluded point encodings for the signature's R value; * the choice to test equality of the encoded bytes of the recomputed R value rather than on the projective coordinates of the two points. Running ``` cargo test -- --nocapture ``` will print a hex-formatted list of the test cases, which can also be found here: https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 * Update spec links. Thanks to @ebfull for pointing this out. * No ... there is another. @ebfull pointed out that two test cases were duplicates. The cause was that I misread the RFC8032 check was checking for the non-canonical encoding of the identity point that NCC Group apparently brought up. Carefully analyzing all the cases instead of assuming reveals there is another non-canonically encoded point (of order 2). * Change formatting of printed test cases.
2020-07-06 19:40:20 -07:00
```
Release 1.0.0-pre.0
2020-06-26 11:27:00 -07:00
## ZIP 215 and changes to Zcash-flavored Ed25519
[Zcash Improvement Proposal 215][ZIP215] changes validation criteria for
Update references to the major version number and to Canopy activation in the README (#84) * README.md: update references to the major version. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> * README.md: update the reference to Zcash Canopy activation. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> --------- Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
2023-06-12 09:45:19 -07:00
Ed25519 signatures in Zcash after its activation (which occurred in the
Canopy network upgrade at mainnet block height 1046400). These changes remove
the dependence on validation rules inherited from a specific point release of
Implement ZIP 215 validation rules. (#24) * Implement ZIP 215 validation rules. These have the effect that batched and singleton verification are now equivalent. * Add ZIP 215 conformance tests. This test constructs signatures on the message "Zcash" using small-order verification keys, some with canonical and some with non-canonical encodings of points. All of these signatures should pass verification under the ZIP 215 rules, but most of them should fail verification under legacy rules. These tests exercise all of the special-case behaviors from the specific version of libsodium used by Zcashd: * the all-zero check for the verification key; * the excluded point encodings for the signature's R value; * the choice to test equality of the encoded bytes of the recomputed R value rather than on the projective coordinates of the two points. Running ``` cargo test -- --nocapture ``` will print a hex-formatted list of the test cases, which can also be found here: https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 * Update spec links. Thanks to @ebfull for pointing this out. * No ... there is another. @ebfull pointed out that two test cases were duplicates. The cause was that I misread the RFC8032 check was checking for the non-canonical encoding of the identity point that NCC Group apparently brought up. Carefully analyzing all the cases instead of assuming reveals there is another non-canonically encoded point (of order 2). * Change formatting of printed test cases.
2020-07-06 19:40:20 -07:00
`libsodium` and make individual verification consistent with batch
verification. More details and motivation are available in the text of [ZIP215].
Release 1.0.0-pre.0
2020-06-26 11:27:00 -07:00
The `1.x` series of this crate implements the legacy, pre-ZIP-215 validation
v3.0.0
2021-10-12 10:21:12 -07:00
criteria; the `2.x+` series of this crate implements the post-ZIP-215
Fix typo
2020-10-04 06:16:24 -07:00
validation criteria. Users (like Zebra or zcashd) who need to handle the
Release 1.0.0-pre.0
2020-06-26 11:27:00 -07:00
upgrade can use both versions simultaneously using cargo renaming, e.g.,
```toml
ed25519-zebra-legacy = { package = "ed25519-zebra", version = "1" }
Update references to the major version number and to Canopy activation in the README (#84) * README.md: update references to the major version. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> * README.md: update the reference to Zcash Canopy activation. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> --------- Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
2023-06-12 09:45:19 -07:00
ed25519-zebra-zip215 = { package = "ed25519-zebra", version = "4" }
Release 1.0.0-pre.0
2020-06-26 11:27:00 -07:00
```
Add examples.
2020-01-24 12:55:43 -08:00
## Example
```
use std::convert::TryFrom;
use rand::thread_rng;
use ed25519_zebra::*;
let msg = b"Zcash";
Change terminology to signing and verification keys. (#20) These are better names than secret and public keys, because they concisely describe the functional *role* of the key material, not just whether or not the key is revealed.
2020-06-15 20:45:25 -07:00
// Signer's context
let (vk_bytes, sig_bytes) = {
// Generate a signing key and sign the message
let sk = SigningKey::new(thread_rng());
let sig = sk.sign(msg);
// Types can be converted to raw byte arrays with From/Into
let sig_bytes: [u8; 64] = sig.into();
let vk_bytes: [u8; 32] = VerificationKey::from(&sk).into();
Add examples.
2020-01-24 12:55:43 -08:00
Change terminology to signing and verification keys. (#20) These are better names than secret and public keys, because they concisely describe the functional *role* of the key material, not just whether or not the key is revealed.
2020-06-15 20:45:25 -07:00
(vk_bytes, sig_bytes)
};
Add examples.
2020-01-24 12:55:43 -08:00
// Verify the signature
assert!(
Change terminology to signing and verification keys. (#20) These are better names than secret and public keys, because they concisely describe the functional *role* of the key material, not just whether or not the key is revealed.
2020-06-15 20:45:25 -07:00
VerificationKey::try_from(vk_bytes)
.and_then(|vk| vk.verify(&sig_bytes.into(), msg))
Add examples.
2020-01-24 12:55:43 -08:00
.is_ok()
);
```
add DEVELOPERS.md; commit lockfile (#99)
2023-11-22 09:50:54 -08:00
## Developers guide
See [DEVELOPERS.md](DEVELOPERS.md).
Add LICENSE files (#51) Add LICENSE files to state MIT or Apache 2.0 as the licenses of this repository. This closes #33.
2021-10-10 16:44:57 -07:00
## License
ed25519-zebra is distributed under the terms of both the MIT license
and the Apache License (Version 2.0).
See [LICENSE-APACHE](LICENSE-APACHE) and [LICENSE-MIT](LICENSE-MIT).
Add README
2020-01-22 12:08:03 -08:00
[zcash_protocol_jssig]: https://zips.z.cash/protocol/protocol.pdf#concretejssig
[RFC8032]: https://tools.ietf.org/html/rfc8032
[zebra]: https://github.com/ZcashFoundation/zebra
fix documentation about batching
2023-03-14 11:57:25 -07:00
[ZIP215]: https://zips.z.cash/zip-0215