ed25519-zebra/README.md

[![Build status](https://github.com/ZcashFoundation/ed25519-zebra/actions/workflows/main.yml/badge.svg?branch=main)](https://github.com/ZcashFoundation/ed25519-zebra/actions/workflows/main.yml?query=branch%3Amain)
[![dependency status](https://deps.rs/repo/github/ZcashFoundation/ed25519-zebra/status.svg)](https://deps.rs/repo/github/ZcashFoundation/ed25519-zebra)

Zcash-flavored Ed25519 for use in [Zebra][zebra].

Zcash uses Ed25519 for [JoinSplit signatures][zcash_protocol_jssig] with
particular validation rules around edge cases in Ed25519 signatures.  Ed25519,
as specified in [RFC8032], does not specify behaviour around these edge cases
and so does not require conformant implementations to agree on whether a
signature is valid.  For most applications, these edge cases are irrelevant,
but in Zcash, nodes must be able to reach consensus on which signatures would
be valid, so these validation behaviors are *consensus-critical*.

Because the Ed25519 validation rules are consensus-critical for Zcash, Zebra
requires an Ed25519 library that implements the Zcash-flavored validation rules
specifically, and since it is unreasonable to expect an upstream dependency to
maintain Zcash-specific behavior, this crate provides an Ed25519 implementation
matching the Zcash consensus rules exactly.

However, this library may be of independent interest, as it implements
ZIP215, a set of precisely specified validation rules for Ed25519 that make
individual verification consistent with batch verification and are
backwards-compatible with all existing Ed25519 signatures. Any non-Zcash users
should use the ZIP215 rules:
```toml
ed25519-zebra = "4"
```

## ZIP 215 and changes to Zcash-flavored Ed25519

[Zcash Improvement Proposal 215][ZIP215] changes validation criteria for
Ed25519 signatures in Zcash after its activation (which occurred in the
Canopy network upgrade at mainnet block height 1046400). These changes remove
the dependence on validation rules inherited from a specific point release of
`libsodium` and make individual verification consistent with batch
verification. More details and motivation are available in the text of [ZIP215].

The `1.x` series of this crate implements the legacy, pre-ZIP-215 validation
criteria; the `2.x+` series of this crate implements the post-ZIP-215
validation criteria.  Users (like Zebra or zcashd) who need to handle the
upgrade can use both versions simultaneously using cargo renaming, e.g.,
```toml
ed25519-zebra-legacy = { package = "ed25519-zebra", version = "1" }
ed25519-zebra-zip215 = { package = "ed25519-zebra", version = "4" }
```

## Example

```
use std::convert::TryFrom;
use rand::thread_rng;
use ed25519_zebra::*;

let msg = b"Zcash";

// Signer's context
let (vk_bytes, sig_bytes) = {
    // Generate a signing key and sign the message
    let sk = SigningKey::new(thread_rng());
    let sig = sk.sign(msg);

    // Types can be converted to raw byte arrays with From/Into
    let sig_bytes: [u8; 64] = sig.into();
    let vk_bytes: [u8; 32] = VerificationKey::from(&sk).into();

    (vk_bytes, sig_bytes)
};

// Verify the signature
assert!(
    VerificationKey::try_from(vk_bytes)
        .and_then(|vk| vk.verify(&sig_bytes.into(), msg))
        .is_ok()
);
```

## Developers guide


See [DEVELOPERS.md](DEVELOPERS.md).

## License

ed25519-zebra is distributed under the terms of both the MIT license
and the Apache License (Version 2.0).

See [LICENSE-APACHE](LICENSE-APACHE) and [LICENSE-MIT](LICENSE-MIT).


[zcash_protocol_jssig]: https://zips.z.cash/protocol/protocol.pdf#concretejssig
[RFC8032]: https://tools.ietf.org/html/rfc8032
[zebra]: https://github.com/ZcashFoundation/zebra
[ZIP215]: https://zips.z.cash/zip-0215
Add dependency and build status badges Add dependency and build status badges to the README.md file. 2021-09-07 14:35:13 -07:00			`[![Build status](https://github.com/ZcashFoundation/ed25519-zebra/actions/workflows/main.yml/badge.svg?branch=main)](https://github.com/ZcashFoundation/ed25519-zebra/actions/workflows/main.yml?query=branch%3Amain)`
			`[![dependency status](https://deps.rs/repo/github/ZcashFoundation/ed25519-zebra/status.svg)](https://deps.rs/repo/github/ZcashFoundation/ed25519-zebra)`

Add README 2020-01-22 12:08:03 -08:00			`Zcash-flavored Ed25519 for use in [Zebra][zebra].`

			`Zcash uses Ed25519 for [JoinSplit signatures][zcash_protocol_jssig] with`
Update README 2020-01-23 17:26:17 -08:00			`particular validation rules around edge cases in Ed25519 signatures. Ed25519,`
			`as specified in [RFC8032], does not specify behaviour around these edge cases`
			`and so does not require conformant implementations to agree on whether a`
			`signature is valid. For most applications, these edge cases are irrelevant,`
			`but in Zcash, nodes must be able to reach consensus on which signatures would`
			`be valid, so these validation behaviors are consensus-critical.`

			`Because the Ed25519 validation rules are consensus-critical for Zcash, Zebra`
			`requires an Ed25519 library that implements the Zcash-flavored validation rules`
			`specifically, and since it is unreasonable to expect an upstream dependency to`
			`maintain Zcash-specific behavior, this crate provides an Ed25519 implementation`
			`matching the Zcash consensus rules exactly.`
Add README 2020-01-22 12:08:03 -08:00
Implement ZIP 215 validation rules. (#24) * Implement ZIP 215 validation rules. These have the effect that batched and singleton verification are now equivalent. * Add ZIP 215 conformance tests. This test constructs signatures on the message "Zcash" using small-order verification keys, some with canonical and some with non-canonical encodings of points. All of these signatures should pass verification under the ZIP 215 rules, but most of them should fail verification under legacy rules. These tests exercise all of the special-case behaviors from the specific version of libsodium used by Zcashd: * the all-zero check for the verification key; * the excluded point encodings for the signature's R value; * the choice to test equality of the encoded bytes of the recomputed R value rather than on the projective coordinates of the two points. Running ``` cargo test -- --nocapture ``` will print a hex-formatted list of the test cases, which can also be found here: https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 * Update spec links. Thanks to @ebfull for pointing this out. * No ... there is another. @ebfull pointed out that two test cases were duplicates. The cause was that I misread the RFC8032 check was checking for the non-canonical encoding of the identity point that NCC Group apparently brought up. Carefully analyzing all the cases instead of assuming reveals there is another non-canonically encoded point (of order 2). * Change formatting of printed test cases. 2020-07-06 19:40:20 -07:00			`However, this library may be of independent interest, as it implements`
			`ZIP215, a set of precisely specified validation rules for Ed25519 that make`
			`individual verification consistent with batch verification and are`
v3.0.0 2021-10-12 10:21:12 -07:00			`backwards-compatible with all existing Ed25519 signatures. Any non-Zcash users`
Implement ZIP 215 validation rules. (#24) * Implement ZIP 215 validation rules. These have the effect that batched and singleton verification are now equivalent. * Add ZIP 215 conformance tests. This test constructs signatures on the message "Zcash" using small-order verification keys, some with canonical and some with non-canonical encodings of points. All of these signatures should pass verification under the ZIP 215 rules, but most of them should fail verification under legacy rules. These tests exercise all of the special-case behaviors from the specific version of libsodium used by Zcashd: * the all-zero check for the verification key; * the excluded point encodings for the signature's R value; * the choice to test equality of the encoded bytes of the recomputed R value rather than on the projective coordinates of the two points. Running ``` cargo test -- --nocapture ``` will print a hex-formatted list of the test cases, which can also be found here: https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 * Update spec links. Thanks to @ebfull for pointing this out. * No ... there is another. @ebfull pointed out that two test cases were duplicates. The cause was that I misread the RFC8032 check was checking for the non-canonical encoding of the identity point that NCC Group apparently brought up. Carefully analyzing all the cases instead of assuming reveals there is another non-canonically encoded point (of order 2). * Change formatting of printed test cases. 2020-07-06 19:40:20 -07:00			`should use the ZIP215 rules:`
			```toml
Update references to the major version number and to Canopy activation in the README (#84) * README.md: update references to the major version. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> * README.md: update the reference to Zcash Canopy activation. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> --------- Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> 2023-06-12 09:45:19 -07:00			`ed25519-zebra = "4"`
Implement ZIP 215 validation rules. (#24) * Implement ZIP 215 validation rules. These have the effect that batched and singleton verification are now equivalent. * Add ZIP 215 conformance tests. This test constructs signatures on the message "Zcash" using small-order verification keys, some with canonical and some with non-canonical encodings of points. All of these signatures should pass verification under the ZIP 215 rules, but most of them should fail verification under legacy rules. These tests exercise all of the special-case behaviors from the specific version of libsodium used by Zcashd: * the all-zero check for the verification key; * the excluded point encodings for the signature's R value; * the choice to test equality of the encoded bytes of the recomputed R value rather than on the projective coordinates of the two points. Running ``` cargo test -- --nocapture ``` will print a hex-formatted list of the test cases, which can also be found here: https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 * Update spec links. Thanks to @ebfull for pointing this out. * No ... there is another. @ebfull pointed out that two test cases were duplicates. The cause was that I misread the RFC8032 check was checking for the non-canonical encoding of the identity point that NCC Group apparently brought up. Carefully analyzing all the cases instead of assuming reveals there is another non-canonically encoded point (of order 2). * Change formatting of printed test cases. 2020-07-06 19:40:20 -07:00			```

Release 1.0.0-pre.0 2020-06-26 11:27:00 -07:00			`## ZIP 215 and changes to Zcash-flavored Ed25519`

			`[Zcash Improvement Proposal 215][ZIP215] changes validation criteria for`
Update references to the major version number and to Canopy activation in the README (#84) * README.md: update references to the major version. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> * README.md: update the reference to Zcash Canopy activation. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> --------- Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> 2023-06-12 09:45:19 -07:00			`Ed25519 signatures in Zcash after its activation (which occurred in the`
			`Canopy network upgrade at mainnet block height 1046400). These changes remove`
			`the dependence on validation rules inherited from a specific point release of`
Implement ZIP 215 validation rules. (#24) * Implement ZIP 215 validation rules. These have the effect that batched and singleton verification are now equivalent. * Add ZIP 215 conformance tests. This test constructs signatures on the message "Zcash" using small-order verification keys, some with canonical and some with non-canonical encodings of points. All of these signatures should pass verification under the ZIP 215 rules, but most of them should fail verification under legacy rules. These tests exercise all of the special-case behaviors from the specific version of libsodium used by Zcashd: * the all-zero check for the verification key; * the excluded point encodings for the signature's R value; * the choice to test equality of the encoded bytes of the recomputed R value rather than on the projective coordinates of the two points. Running ``` cargo test -- --nocapture ``` will print a hex-formatted list of the test cases, which can also be found here: https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 * Update spec links. Thanks to @ebfull for pointing this out. * No ... there is another. @ebfull pointed out that two test cases were duplicates. The cause was that I misread the RFC8032 check was checking for the non-canonical encoding of the identity point that NCC Group apparently brought up. Carefully analyzing all the cases instead of assuming reveals there is another non-canonically encoded point (of order 2). * Change formatting of printed test cases. 2020-07-06 19:40:20 -07:00			`libsodium` and make individual verification consistent with batch
			`verification. More details and motivation are available in the text of [ZIP215].`
Release 1.0.0-pre.0 2020-06-26 11:27:00 -07:00
			The `1.x` series of this crate implements the legacy, pre-ZIP-215 validation
v3.0.0 2021-10-12 10:21:12 -07:00			criteria; the `2.x+` series of this crate implements the post-ZIP-215
Fix typo 2020-10-04 06:16:24 -07:00			`validation criteria. Users (like Zebra or zcashd) who need to handle the`
Release 1.0.0-pre.0 2020-06-26 11:27:00 -07:00			`upgrade can use both versions simultaneously using cargo renaming, e.g.,`
			```toml
			`ed25519-zebra-legacy = { package = "ed25519-zebra", version = "1" }`
Update references to the major version number and to Canopy activation in the README (#84) * README.md: update references to the major version. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> * README.md: update the reference to Zcash Canopy activation. Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> --------- Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org> 2023-06-12 09:45:19 -07:00			`ed25519-zebra-zip215 = { package = "ed25519-zebra", version = "4" }`
Release 1.0.0-pre.0 2020-06-26 11:27:00 -07:00			```

Add examples. 2020-01-24 12:55:43 -08:00			`## Example`

			```
			`use std::convert::TryFrom;`
			`use rand::thread_rng;`
			`use ed25519_zebra::*;`

			`let msg = b"Zcash";`

Change terminology to signing and verification keys. (#20) These are better names than secret and public keys, because they concisely describe the functional role of the key material, not just whether or not the key is revealed. 2020-06-15 20:45:25 -07:00			`// Signer's context`
			`let (vk_bytes, sig_bytes) = {`
			`// Generate a signing key and sign the message`
			`let sk = SigningKey::new(thread_rng());`
			`let sig = sk.sign(msg);`

			`// Types can be converted to raw byte arrays with From/Into`
			`let sig_bytes: [u8; 64] = sig.into();`
			`let vk_bytes: [u8; 32] = VerificationKey::from(&sk).into();`
Add examples. 2020-01-24 12:55:43 -08:00
Change terminology to signing and verification keys. (#20) These are better names than secret and public keys, because they concisely describe the functional role of the key material, not just whether or not the key is revealed. 2020-06-15 20:45:25 -07:00			`(vk_bytes, sig_bytes)`
			`};`
Add examples. 2020-01-24 12:55:43 -08:00
			`// Verify the signature`
			`assert!(`
Change terminology to signing and verification keys. (#20) These are better names than secret and public keys, because they concisely describe the functional role of the key material, not just whether or not the key is revealed. 2020-06-15 20:45:25 -07:00			`VerificationKey::try_from(vk_bytes)`
			`.and_then(\|vk\| vk.verify(&sig_bytes.into(), msg))`
Add examples. 2020-01-24 12:55:43 -08:00			`.is_ok()`
			`);`
			```

add DEVELOPERS.md; commit lockfile (#99) 2023-11-22 09:50:54 -08:00			`## Developers guide`


			`See [DEVELOPERS.md](DEVELOPERS.md).`

Add LICENSE files (#51) Add LICENSE files to state MIT or Apache 2.0 as the licenses of this repository. This closes #33. 2021-10-10 16:44:57 -07:00			`## License`

			`ed25519-zebra is distributed under the terms of both the MIT license`
			`and the Apache License (Version 2.0).`

			`See [LICENSE-APACHE](LICENSE-APACHE) and [LICENSE-MIT](LICENSE-MIT).`


Add README 2020-01-22 12:08:03 -08:00			`[zcash_protocol_jssig]: https://zips.z.cash/protocol/protocol.pdf#concretejssig`
			`[RFC8032]: https://tools.ietf.org/html/rfc8032`
			`[zebra]: https://github.com/ZcashFoundation/zebra`
fix documentation about batching 2023-03-14 11:57:25 -07:00			`[ZIP215]: https://zips.z.cash/zip-0215`