In our project, we need to verify Ed25519 signatures according to the criteria outlined in ZIP215.
The current implementation uses different verification criteria. For example:
- both verify and verify_strict use the verification equation without the cofactors, i.e., [S]B = R + [k]A, while ZIP215 says that the equation with the cofactors must be used (i.e., [8][S]B = [8]R + [8][k]A) and the one without "MUST NOT" be used.
- the current implementation rejects non-canonical encodings of R, while under the ZIP215 rules "it is not required that A and R are canonical encodings".
Would you be open to having a verification method that follows the ZIP215 rules, e.g., verify_zip215? If so, would it help if we contribute a respective PR?
It seems we are not the first ones interested in such a feature. For example, there was https://github.com/dalek-cryptography/ed25519-dalek/issues/152, but it was closed without comment.
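The difference between the two equations quoted in the issue, as an added example (not part of the original issue and not ed25519-dalek code): a pure-Python sketch using the RFC 8032 reference arithmetic that checks one signature under both equations. The names `verify` and `sign_with_offset` and the scalars `a` and `r` are hypothetical and constructed for illustration; key clamping and nonce derivation are omitted, so this is not a signing implementation.

```python
import hashlib
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime order of B
d = -121665 * pow(121666, -1, p) % p

def add(P, Q):  # unified addition, extended coordinates (X, Y, Z, T)
    m, n = (P[1]-P[0]) * (Q[1]-Q[0]) % p, (P[1]+P[0]) * (Q[1]+Q[0]) % p
    c, z = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    e, f, g, h = n - m, z - c, z + c, n + m
    return (e*f % p, g*h % p, f*g % p, e*h % p)

def mul(s, P):
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1: Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def same(P, Q):  # projective equality
    return (P[0]*Q[2] - Q[0]*P[2]) % p == 0 and (P[1]*Q[2] - Q[1]*P[2]) % p == 0

def decode(b):  # y is reduced mod p, so non-canonical encodings are accepted
    n = int.from_bytes(b, "little")
    y, sign = (n & (2**255 - 1)) % p, n >> 255
    x2 = (y*y - 1) * pow(d*y*y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x*x - x2) % p: x = x * pow(2, (p - 1) // 4, p) % p
    if (x*x - x2) % p: return None  # not a curve point
    if (x & 1) != sign: x = p - x
    return (x, y, 1, x*y % p)

def encode(P):
    zi = pow(P[2], -1, p)
    x, y = P[0]*zi % p, P[1]*zi % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

B = decode((4 * pow(5, -1, p) % p).to_bytes(32, "little"))  # base point, y = 4/5
def verify(pk, msg, sig, cofactored):
    A, R, S = decode(pk), decode(sig[:32]), int.from_bytes(sig[32:], "little")
    if A is None or R is None or S >= L: return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    c = 8 if cofactored else 1  # 8 gives [8][S]B = [8]R + [8][k]A
    return same(mul(c, mul(S, B)), add(mul(c, R), mul(c, mul(k, A))))

def sign_with_offset(a, r, msg, T):  # constructed input: R = [r]B + T
    pk = encode(mul(a, B))
    Rb = encode(add(mul(r, B), T))
    k = int.from_bytes(hashlib.sha512(Rb + pk + msg).digest(), "little") % L
    return pk, Rb + ((r + k*a) % L).to_bytes(32, "little")
```

With `T` set to the neutral element the signature passes both checks; with `T = (0, p-1, 1, 0)`, the point of order 2, it passes only the cofactored check, which is the kind of disagreement between verifiers that ZIP215 rules out by fixing one equation.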