# [−][src]Struct ed25519_dalek::Signature

pub struct Signature { /* fields omitted */ }

An ed25519 signature.

# Note

These signatures, unlike the ed25519 signature reference implementation, are "detached"—that is, they do not include a copy of the message which has been signed.

## Methods

### impl Signature[src]

#### pub fn to_bytes(&self) -> [u8; 64][src]

Convert this Signature to a byte array.

#### pub fn from_bytes(bytes: &[u8]) -> Result<Signature, SignatureError>[src]

Construct a Signature from a slice of bytes.

# Scalar Malleability Checking

As originally specified in the ed25519 paper (cf. the "Malleability" section of the README in this repo), no checks whatsoever were performed for signature malleability.

Later, a semi-functional, hacky check was added to most libraries to "ensure" that the scalar portion, s, of the signature was reduced mod \ell, the order of the basepoint:

if signature.s[31] & 224 != 0 {
return Err();
}

This bit-twiddling ensures that the most significant three bits of the scalar are not set:

>>> 0b00010000 & 224
0
>>> 0b00100000 & 224
32
>>> 0b01000000 & 224
64
>>> 0b10000000 & 224
128


However, this check is hacky and insufficient to check that the scalar is fully reduced mod \ell = 2^252 + 27742317777372353535851937790883648493 as it leaves us with a guanteed bound of 253 bits. This means that there are 2^253 - 2^252 + 2774231777737235353585193779088364849311 remaining scalars which could cause malleabilllity.

RFC8032 states:

To verify a signature on a message M using public key A, [...] first split the signature into two 32-octet halves. Decode the first half as a point R, and the second half as an integer S, in the range 0 <= s < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid.

However, by the time this was standardised, most libraries in use were only checking the most significant three bits. (See also the documentation for PublicKey.verify_strict.)

## Blanket Implementations

### impl<T> Same<T> for T

#### type Output = T

Should always be Self

### impl<T> ToOwned for T where    T: Clone, [src]

#### type Owned = T

The resulting type after obtaining ownership.

### impl<T, U> TryFrom<U> for T where    U: Into<T>, [src]

#### type Error = !

The type returned in the event of a conversion error.

### impl<T, U> TryInto<U> for T where    U: TryFrom<T>, [src]

#### type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.