fspreiss
commented
2 months ago Re-filed as https://github.com/dalek-cryptography/curve25519-dalek/issues/664, as the repo has moved.
Closed fspreiss closed 2 months ago
fspreiss
commented
2 months ago Re-filed as https://github.com/dalek-cryptography/curve25519-dalek/issues/664, as the repo has moved.
In our project, we need to verify Ed25519 signatures according to the criteria outlined in ZIP215.
The current implementation uses different verification criteria. For example
verifyandverify_strictuse the verification equation without the cofactors, i.e.,[S]B = R + [k]A, while ZIP215 says that the equation with the cofactors must be used (i.e.,[8][S]B = [8]R + [8][k]A) and the one without "MUST NOT" be used.R, while under the ZIP215 rules "it is not required that A and R are canonical encodings".Would you be open to having a verification method that follows the ZIP215 rules, e.g.,
verify_zip215? If so, would it help if we contribute a respective PR?It seems we are not the first ones interested in such a feature. For example, there was https://github.com/dalek-cryptography/ed25519-dalek/issues/152, but it was closed without comment.