Struct schnorrkel::keys::SecretKey
source · pub struct SecretKey { /* private fields */ }
Expand description
A secret key for use with Ristretto Schnorr signatures.
Internally, these consist of a scalar mod l along with a seed for nonce generation. In this way, we ensure all scalar arithmetic works smoothly in operations like threshold or multi-signatures, or hierarchical deterministic key derivations.
We keep our secret key serializaion “almost” compatable with EdDSA “expanded” secret key serializaion by multiplying the scalar by the cofactor 8, as integers, and dividing on deserializaion. We do not however attempt to keep the scalar’s high bit set, especially not during hierarchical deterministic key derivations, so some Ed25519 libraries might compute the public key incorrectly from our secret key.
Implementations§
source§impl SecretKey
impl SecretKey
sourcepub fn to_bytes(&self) -> [u8; 64]
pub fn to_bytes(&self) -> [u8; 64]
Convert this SecretKey
into an array of 64 bytes with.
Returns an array of 64 bytes, with the first 32 bytes being the secret scalar represented canonically, and the last 32 bytes being the seed for nonces.
§Examples
use schnorrkel::{MiniSecretKey, SecretKey};
let mini_secret_key: MiniSecretKey = MiniSecretKey::generate();
let secret_key: SecretKey = mini_secret_key.expand(MiniSecretKey::UNIFORM_MODE);
let secret_key_bytes: [u8; 64] = secret_key.to_bytes();
let bytes: [u8; 64] = secret_key.to_bytes();
let secret_key_again: SecretKey = SecretKey::from_bytes(&bytes[..]).unwrap();
assert_eq!(&bytes[..], & secret_key_again.to_bytes()[..]);
sourcepub fn from_bytes(bytes: &[u8]) -> SignatureResult<SecretKey>
pub fn from_bytes(bytes: &[u8]) -> SignatureResult<SecretKey>
Construct an SecretKey
from a slice of bytes.
§Examples
use schnorrkel::{MiniSecretKey, SecretKey, ExpansionMode, SignatureError};
let mini_secret_key: MiniSecretKey = MiniSecretKey::generate();
let secret_key: SecretKey = mini_secret_key.expand(MiniSecretKey::ED25519_MODE);
let bytes: [u8; 64] = secret_key.to_bytes();
let secret_key_again: SecretKey = SecretKey::from_bytes(&bytes[..]).unwrap();
assert_eq!(secret_key_again, secret_key);
sourcepub fn to_ed25519_bytes(&self) -> [u8; 64]
pub fn to_ed25519_bytes(&self) -> [u8; 64]
Convert this SecretKey
into an array of 64 bytes, corresponding to
an Ed25519 expanded secret key.
Returns an array of 64 bytes, with the first 32 bytes being the secret scalar shifted ed25519 style, and the last 32 bytes being the seed for nonces.
sourcepub fn from_ed25519_bytes(bytes: &[u8]) -> SignatureResult<SecretKey>
pub fn from_ed25519_bytes(bytes: &[u8]) -> SignatureResult<SecretKey>
Construct an SecretKey
from a slice of bytes, corresponding to
an Ed25519 expanded secret key.
§Example
use schnorrkel::{SecretKey, SECRET_KEY_LENGTH};
use hex_literal::hex;
let secret = hex!("28b0ae221c6bb06856b287f60d7ea0d98552ea5a16db16956849aa371db3eb51fd190cce74df356432b410bd64682309d6dedb27c76845daf388557cbac3ca34");
let public = hex!("46ebddef8cd9bb167dc30878d7113b7e168e6f0646beffd77d69d39bad76b47a");
let secret_key = SecretKey::from_ed25519_bytes(&secret[..]).unwrap();
assert_eq!(secret_key.to_public().to_bytes(), public);
sourcepub fn generate_with<R>(csprng: R) -> SecretKey
pub fn generate_with<R>(csprng: R) -> SecretKey
Generate an “unbiased” SecretKey
directly from a user
suplied csprng
uniformly, bypassing the MiniSecretKey
layer.
sourcepub fn generate() -> SecretKey
pub fn generate() -> SecretKey
Generate an “unbiased” SecretKey
directly,
bypassing the MiniSecretKey
layer.
sourcepub fn to_keypair(self) -> Keypair
pub fn to_keypair(self) -> Keypair
Derive the PublicKey
corresponding to this SecretKey
.
source§impl SecretKey
impl SecretKey
sourcepub fn sign<T: SigningTranscript>(
&self,
t: T,
public_key: &PublicKey,
) -> Signature
pub fn sign<T: SigningTranscript>( &self, t: T, public_key: &PublicKey, ) -> Signature
Sign a transcript with this SecretKey
.
Requires a SigningTranscript
, normally created from a
SigningContext
and a message, as well as the public key
corresponding to self
. Returns a Schnorr signature.
We employ a randomized nonce here, but also incorporate the transcript like in a derandomized scheme, but only after first extending the transcript by the public key. As a result, there should be no attacks even if both the random number generator fails and the function gets called with the wrong public key.
sourcepub fn sign_doublecheck<T>(
&self,
t: T,
public_key: &PublicKey,
) -> SignatureResult<Signature>where
T: SigningTranscript + Clone,
pub fn sign_doublecheck<T>(
&self,
t: T,
public_key: &PublicKey,
) -> SignatureResult<Signature>where
T: SigningTranscript + Clone,
Sign a message with this SecretKey
, but doublecheck the result.
sourcepub fn sign_simple(
&self,
ctx: &[u8],
msg: &[u8],
public_key: &PublicKey,
) -> Signature
pub fn sign_simple( &self, ctx: &[u8], msg: &[u8], public_key: &PublicKey, ) -> Signature
Sign a message with this SecretKey
.
sourcepub fn sign_simple_doublecheck(
&self,
ctx: &[u8],
msg: &[u8],
public_key: &PublicKey,
) -> SignatureResult<Signature>
pub fn sign_simple_doublecheck( &self, ctx: &[u8], msg: &[u8], public_key: &PublicKey, ) -> SignatureResult<Signature>
Sign a message with this SecretKey
, but doublecheck the result.
source§impl SecretKey
impl SecretKey
sourcepub fn vrf_create_from_point(&self, input: RistrettoBoth) -> VRFInOut
pub fn vrf_create_from_point(&self, input: RistrettoBoth) -> VRFInOut
Evaluate the VRF-like multiplication on an uncompressed point, probably not useful in this form.
sourcepub fn vrf_create_from_compressed_point(
&self,
input: &VRFPreOut,
) -> SignatureResult<VRFInOut>
pub fn vrf_create_from_compressed_point( &self, input: &VRFPreOut, ) -> SignatureResult<VRFInOut>
Evaluate the VRF-like multiplication on a compressed point, useful for proving key exchanges, OPRFs, or sequential VRFs.
We caution that such protocols could provide signing oracles
and note that vrf_create_from_point
cannot check for
problematic inputs like attach_input_hash
does.
source§impl SecretKey
impl SecretKey
sourcepub fn hard_derive_mini_secret_key<B: AsRef<[u8]>>(
&self,
cc: Option<ChainCode>,
i: B,
) -> (MiniSecretKey, ChainCode)
pub fn hard_derive_mini_secret_key<B: AsRef<[u8]>>( &self, cc: Option<ChainCode>, i: B, ) -> (MiniSecretKey, ChainCode)
Vaguely BIP32-like “hard” derivation of a MiniSecretKey
from a SecretKey
We do not envision any “good reasons” why these “hard”
derivations should ever be used after the soft Derivation
trait. We similarly do not believe hard derivations
make any sense for ChainCode
s or ExtendedKey
s types.
Yet, some existing BIP32 workflows might do these things,
due to BIP32’s de facto standardization and poor design.
In consequence, we provide this method to do “hard” derivations
in a way that should work with all BIP32 workflows and any
permissible mutations of SecretKey
. This means only that
we hash the SecretKey
’s scalar, but not its nonce because
the secret key remains valid if the nonce is changed.
Trait Implementations§
source§impl ConstantTimeEq for SecretKey
impl ConstantTimeEq for SecretKey
source§impl Derivation for SecretKey
impl Derivation for SecretKey
source§fn derived_key<T>(&self, t: T, cc: ChainCode) -> (SecretKey, ChainCode)where
T: SigningTranscript,
fn derived_key<T>(&self, t: T, cc: ChainCode) -> (SecretKey, ChainCode)where
T: SigningTranscript,
SigningTranscript
, and a chain code.source§impl PartialEq for SecretKey
impl PartialEq for SecretKey
impl Eq for SecretKey
Auto Trait Implementations§
impl Freeze for SecretKey
impl RefUnwindSafe for SecretKey
impl Send for SecretKey
impl Sync for SecretKey
impl Unpin for SecretKey
impl UnwindSafe for SecretKey
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
source§default unsafe fn clone_to_uninit(&self, dst: *mut T)
default unsafe fn clone_to_uninit(&self, dst: *mut T)
clone_to_uninit
)