…s-cleanup

Also fixes CI not running on all branches

Co-authored-by: Anthony Ramine <[email protected]>

GitHub Actions runners are not guaranteed to have the necessary CPU
features in order for these tests to work.

Uses a `--target x86_64-unknown-linux-gnu` directive when compiling so
the `target_feature` flags don't apply to build scripts.

* Docs unlink from dalek.rs

* Link katex assets to jsdelivr

Co-authored-by: Michael Rosenberg <[email protected]>

…raphy#231)

Rust editions 2018+ do not require `extern crate` except for linking
`alloc` and `std`.

As suggested in dalek-cryptography#453 it is sometimes feasible to
select the backend bits via an override.

This change provides `cfg(curve25519_dalek_bits)`
to override the bits used in serial or fiat target backend.

As proposed in dalek-cryptography#442 this makes `rand_core` an
optional feature that is not covered by the
SemVer public API stability guarantees.

Co-authored-by: Michael Rosenberg <[email protected]>

As proposed in dalek-cryptography#442 this makes `digest` an
optional feature that is not covered by the
SemVer public API stability guarantees.

Co-authored-by: Michael Rosenberg <[email protected]>

All of the existing usages of `std` can be replaced with `alloc`.

They are legacy usages from before when liballoc was stabilized.

Gated random() construtors on cfg(test)

…tography#451)

Addresses issue dalek-cryptography#448 that Scalar::bits may leave unzeroed bits on the stack

…-cryptography#461)

Previously `cargo test --no-default-features` would succeed but with
warnings. This commit fixes all of those warnings and tests
`--no-default-features` in CI to ensure that in perpetuity.

* Restructure README and CHANGELOG
* Explain semver policy
* Specify feature flags and backends more explicitly
* Remove nightly from the CI bc that didn't belong there
* Add @pinkforest to thankyou list

Co-authored-by: pinkforest <[email protected]>

…raphy#455)

Crate features are intended to be additive, whereas only 1-of-N possible
backends can be selected.

Features can also be activated by transitive dependencies, which leads
to a problem of different dependences selecting conflicting backends.
Using `--cfg` instead moves all backend selection control to the
toplevel executable.

This commit switches to the following RUSTFLAGS to enable backends:

- `--cfg curve25519_dalek_backend="fiat"`: uses `fiat-crypto`
- `--cfg curve25519_dalek_backend="simd"`: uses nightly-only SIMD

…graphy#465)

build.rs was using cfg(target) but it has to evaluate this from env TARGET
as build.rs cfg(target) in build context is the builder host and not the target.

This change fixes curve25519_dalek_bits lottery to determine the correct
automatic curve25119_dalek_bits with the help of platforms crate.

As discussed in dalek-cryptography#456 this also prepares for well known defaults for wasm and
arm serial backend via cfg(curve25519_dalek_bits = "64")

If the wasm32 or armv7 are going to be u64 serial by default these will be
followed up on later.

dalek-cryptography#236)

curve25519-dalek:

- Enables `digest` and `rand_core` features
- Removes transitive `nightly`, `simd_backend`, and `std` features

ed25519:

- `AsRef` impl for `Signature` has been removed; uses `to_bytes`
- Uses `try_from` for `InternalSignature` conversion

This is a convenience/marker trait for types which impl `CryptoRng` +
`RngCore` which makes the type signatures a little more readable.

It was introduced in `rand_core` v0.6.4 (now pinned as the minimum
version)

…yptography#467)

Co-authored-by: Michael Rosenberg <[email protected]>

…tography#470)

For the field element types `FieldElement` and `Scalar`, use inherent
constants instead of (non-const) functions to return these constant
values.

It's likely the original functions predate support for inherent
constants, but now that they're available, they're a better fit for
these sort of constant values.

…ptography#472)

This is helpful for implementing `ff::PrimeField::from_repr`.
Also changes `Scalar::is_canonical` to return `Choice`.

Co-authored-by: str4d <[email protected]>

Also sets code font size in docs back to normal (no longer small)

Fixed docs.rs flags in Cargo.toml

…is-my-bestie

Fix clippy for build.rs

Adds optional integration with `ed25519::pkcs8` with support for
decoding/encoding `Keypair` from/to PKCS#8-encoded documents as well as
`PublicKey` from/to SPKI-encoded documents.

Includes test vectors generated for the `ed25519` crate from:
https://github.com/RustCrypto/signatures/tree/master/ed25519/tests/examples

…ease-pre5

Fix docs.rs release pre.5

…k-cryptography#242)

* Rename `signing` and `verifying` modules

Renames the following modules:

- `keypair` => `signing`
- `public` => `verifying`

Renaming these in an individual commit preserves the commit history.

This is in anticipation of renaming the following per dalek-cryptography#225:

- `Keypair` => `SigningKey`
- `PublicKey` => `VerifyingKey`

* Rename `Keypair` => `SigningKey`; `PublicKey` => `VerifyingKey`

As proposed in dalek-cryptography#225, renames key types after their roles:

- `SigningKey` produces signatures
- `VerifyingKey` verifies signatures

The `SecretKey` type is changed to a type alias for `[u8; 32]`, which
matches the RFC8032 definition:

https://www.rfc-editor.org/rfc/rfc8032#section-5.1.5

> The private key is 32 octets (256 bits, corresponding to b) of
> cryptographically secure random data.

Change from_bytes methods to take `&[u8; N]` argument (with `N`
appropriate for given type) rather than `&[u8]`.  This harmonises
the convention with SigningKey and ed25519::Signature; helps type
inference; and allows users to assert bytes size to be asserted at
compile time.

Creating from a slice is still possible via `TryFrom<&[u8]>` trait.

This is an API breaking change.  The simplest way to update existing
code is to replace Foo::from_bytes with Foo::try_from.  This should
cover majority of uses.

Change from_bytes methods to take fixed-size array argument

…key-docs-coverage

Fix `SigningKey` from/to_bytes docs +coverage

- Add Clippy to CI
- Rename InternalError variants without redundant Error suffix
- Rename to_bytes to as_bytes on well known naming
- Fix Redundant refs
- Fix redundant lifetimes
- Fix late declarations

- Zeros out `SigningKey::secret_key` on drop
- Adds the `ZeroizeOnDrop` marker trait to `SigningKey`

…aphy#246)

This enables activating the `alloc` and `std` features without
unnecessarily pulling in optional dependencies like `rand` and `serde`.

It also fixes tests for `--no-default-features` (w\ `--lib` only)

* Make `zeroize` an optional dependency

The `zeroize` crate provides a defense against memory read oracles which
typically arise from memory unsafety.

Pure Rust programs may not benefit from `zeroize`, and in certain cases
the unsafe code used by `zeroize` may be more concerning.

This commit makes `zeroize` into an optional feature so users may elect
to disable it if they so desire.

* Added zeroize feature flag to README

Co-authored-by: Michael Rosenberg <[email protected]>

Previously `alloc` implicitly activated `zeroize` via `zeroize/alloc`.

This commit switches to weak feature activation as added in Rust 1.60,
only activating `zeroize/alloc` if the `zeroize` dependency is
explicitly activated (which it is by default).

The migration to GitHub Actions occurred quite awhile ago and Travis CI
is no longer used

We currently don't have any checks that this crate builds on a `no_std`
target.

While `curve25519-dalek` itself doesn't link `std`, it uses dependencies
which could potentially link `std`, so it's important to have a job to
check that the crate builds on a `no_std` target to ensure feature
activation doesn't accidentally flip on the `std` feature of one of
those dependencies unintentionally.

This adds a job which checks the crate builds on a `thumbv7em-none-eabi`
target which has no `std` implementation.

The recommendation to set this has been removed from the Rust API
guidelines:

rust-lang/api-guidelines#230

It used to be used by docs.rs, but docs.rs now unconditionally sets the
`--extern-html-root-url` parameter of rustdoc which overrides it, making
it no longer needed and superfluous.

This action is located at:
https://github.com/RustCrypto/actions/blob/master/cross-install/action.yml
It's used across the RustCrypto project for installing `cross` in CI.
Installation is performed by fetching a pinned binary release from:
https://github.com/cross-rs/cross/releases/
This eliminates problems that might occur when using `cargo install`
such as:
https://github.com/dalek-cryptography/curve25519-dalek/actions/runs/3786735408/jobs/6437902657
It's also marginally faster.

…phy#488)

* Make basepoint table constants static references

This ensures they have a fixed address and aren't duplicated across
compilation units.

Since they were already always borrowed, this changes the static values
to be `&'static` addresses to ensure they're always borrowed rather than
potentially copied.

* rustfmt

* Fixed bench when `batch` feature is not present

* Added bench build regression test to CI

* Fixed batch build more generally

* Simplified batch cfg gates in benches

* Updated criterion

* Made CI batch-nondeterministic test use nostd

* Fix batch_deterministic build

* Removed bad compile error when batch and batch_deterministic are selected

Calls the inherent `SigningKey::verifying_key` method using `From`
conversions.

This replaces vestigial impl for `SecretKey` which is now an alias for
`[u8; 32]`.

Does a pass on adding `const` to methods where it's possible.

Combines `verify_prehashed` and `verify_strict` to allow strict
verification with prehashed values.

* Add `basepoint-tables` crate feature

Feature-gates the inclusion of basepoint tables under a
`basepoint-tables` feature, with the goal of reducing code size for e.g.
embedded applications.

* Add `mul_base` method to `EdwardsPoint` and `RistrettoPoint`

Provides fixed-base scalar multiplication which optionally uses
precomputed basepoint tables when the `basepoint-tables` feature is
enabled, providing 4X better performance.

Falls back on variable-base scalar multiplication in the event the
feature is disabled.

Co-authored-by: Michael Rosenberg <[email protected]>

…phy#260)

Updates to the latest upstream changes in `curve25519-dalek`, including
using the new `EdwardsPoint::mul_base` API.

To keep the build deterministic, this also checks in Cargo.lock, which
pins `curve25519-dalek` to a particular git commit SHA which can be
updated using `cargo update -p curve25519-dalek`.

We can potentially remove `Cargo.lock` again after a crate release.

Defaults to on

As discussed in dalek-cryptography#497, adds a function which "clamps" a 256-bit input into a
valid scalar by clearing and setting bits, as used by Ed25519 and X25519

Also removed `batch_deterministic` feature

* Make rand_core optional
* Bench requires features rand_core

Release notes: RustCrypto/signatures#622

* Added and cleaned up some verification docs

Co-authored-by: Michael Rosenberg <[email protected]>

digest isn't yet stable but we have use it in the public API.

This makes the digest API optional to use in opt-in basis by
feature gating this via an optional digest feature.

API items now feature-gated:

- `pub use ed25519_dalek::Digest`
- `SigningKey::sign_prehashed(D: prehashed_message, ..)`
- `SigningKey::verify_prehashed(D: prehahed_message, ..)`
- `VerifyingKey::verify_prehashed(D: prehashed_message, ..)`
- `VerifyingKey::verify_prehashed_strict(D: prehashed_message, ..)`

Also no longer re-exporting `sha2::Sha512`

…#499)

This is the name we adopted for a similar feature in @RustCrypto.

It's a bit less jargony and also leaves the door open in the future to
other types of precomputed tables.

…ography#495)

The `from_slice` methods on `CompressedEdwardsY` and
`CompressedRistretto` both previously panicked if the slice was the
wrong length.

This changes them to be fallible, returning `TryFromSliceError` in the
event the slice is the wrong length.

It also adds a `TryFrom<&[u8]>` impl for each of these types which calls
the corresponding `from_slice` method.

Feature-gates `AFFINE_ODD_MULTIPLES_OF_BASEPOINT`

Feature-gated tables out of vector vartime aA + bB procedure

…alek-cryptography#251)

* Add on-by-default `fast` crate feature

Disabling the feature reduces overall code size at the cost of
performance, which is useful for e.g. embedded users.

This feature transitively enables the `basepoint-tables` feature in
`curve25519-dalek` where the basepoint tables are actually defined.

* Consolidated a lot of verification code

* Bump `curve25519-dalek`; use `precomputed-tables` feature

The feature name changed in dalek-cryptography#499

Co-authored-by: Michael Rosenberg <[email protected]>

* Impl `signature::Digest*` traits for Ed25519ph

Adds the following trait impls:

- impl DigestSigner for SigningKey
- impl DigestVerifier for VerifyingKey

These traits can be used to create and verify Ed25519 signatures,
thunking to `SigningKey::sign_prehashed` and
`VerifyingKey::verify_prehashed` respectively.

* Add rustdoc comments for trait impls

* CI: test `cargo doc` build

Ensure it's free of warnings

* Fix rustdoc build

* Made all signature R comparisons byte-wise

* Use Scalar::from_bits_clamped rather than manually clamping

* Added clippy lints and comments for use of unwrap()

* Clarify use of unused

The original v2.0.0 release has been yanked.

This release includes a different infallible parsing API which can be
used to eliminate some usages of `unwrap()`.

* Add `Context` type

Adds a generic type which can be used with `SigningKey` and
`VerifyingKey` for storing a context string value along with the key for
use with `DigestSigner` and `DigestVerifier`.

* Added Context tests, docs, and re-exports

* Added docs about SHA-512 for prehashing; re-re-exported Sha512

Co-authored-by: Tony Arcieri <[email protected]>
Co-authored-by: Michael Rosenberg <[email protected]>

Eliminates the `patch.crates-io` directive by using the latest RC
release of `curve25519-dalek` on crates.io

Updates curve25519-dalek dep to use 4.0.0-rc.0
This includes several feature flag updates and some
minor API changes.

Re-exports the following commonly used types from their respective
modules to the toplevel of the crate, which makes them easier to access:

- `EdwardsPoint`
- `MontgomeryPoint`
- `RistrettoPoint`
- `Scalar`

* Fixed-based Montgomery scalar multiplication

Adds `MontgomeryPoint::mul_base` as an API for fixed-base scalar
multiplication which allows for potential future optimizations.

As a baseline implementation, it uses the variable base scalar
multiplication implementation.

This follows the existing `EdwardsPoint::mul_base` and
`RistrettoPoint::mul_base` APIs.

* Added Montgomery mul_base bench

* Switched MontgomeryPoint::mul_base to use EdwardsPoint::mul_base

---------

Co-authored-by: Michael Rosenberg <[email protected]>

* Implemented VerifyingKey::is_weak

* Added unit test for VerifyingKey::is_weak