struct Signature [src]

An Ed25519 signature.

Fields

r: [Curve.encoded_length]u8The R component of an EdDSA signature.

s: CompressedScalarThe S component of an EdDSA signature.

Members

encoded_length (Constant)
fromBytes (Function)
toBytes (Function)
verifier (Function)
verify (Function)
VerifyError (Error Set)
verifyStrict (Function)

Source

  pub const Signature = struct {
    /// Length (in bytes) of a raw signature.
    pub const encoded_length = Curve.encoded_length + @sizeOf(CompressedScalar);

    /// The R component of an EdDSA signature.
    r: [Curve.encoded_length]u8,
    /// The S component of an EdDSA signature.
    s: CompressedScalar,

    /// Return the raw signature (r, s) in little-endian format.
    pub fn toBytes(sig: Signature) [encoded_length]u8 {
        var bytes: [encoded_length]u8 = undefined;
        bytes[0..Curve.encoded_length].* = sig.r;
        bytes[Curve.encoded_length..].* = sig.s;
        return bytes;
    }

    /// Create a signature from a raw encoding of (r, s).
    /// EdDSA always assumes little-endian.
    pub fn fromBytes(bytes: [encoded_length]u8) Signature {
        return Signature{
            .r = bytes[0..Curve.encoded_length].*,
            .s = bytes[Curve.encoded_length..].*,
        };
    }

    /// Create a Verifier for incremental verification of a signature.
    pub fn verifier(sig: Signature, public_key: PublicKey) Verifier.InitError!Verifier {
        return Verifier.init(sig, public_key);
    }

    pub const VerifyError = Verifier.InitError || Verifier.VerifyError;

    /// Verify the signature against a message and public key.
    ///
    /// This function uses cofactored verification for broad interoperability.
    /// It aligns single-signature verification with common batch verification approaches.
    ///
    /// Return IdentityElement or NonCanonical if the public key or signature are not in the expected range,
    /// or SignatureVerificationError if the signature is invalid for the given message and key.
    pub fn verify(sig: Signature, msg: []const u8, public_key: PublicKey) VerifyError!void {
        var st = try sig.verifier(public_key);
        st.update(msg);
        try st.verify();
    }

    /// Verify the signature against a message and public key using cofactorless verification.
    ///
    /// This performs strict verification without cofactor multiplication,
    /// checking the exact equation: [s]B = R + [H(R,A,m)]A
    ///
    /// This is more restrictive than the standard `verify()` method and may reject
    /// specially crafted signatures that would be accepted by cofactored verification.
    /// But it will never reject valid signatures created using the `sign()` method.
    ///
    /// Return IdentityElement or NonCanonical if the public key or signature are not in the expected range,
    /// or SignatureVerificationError if the signature is invalid for the given message and key.
    pub fn verifyStrict(sig: Signature, msg: []const u8, public_key: PublicKey) VerifyError!void {
        var st = try sig.verifier(public_key);
        st.update(msg);
        try st.verifyStrict();
    }
}  