Verifying signatures using ZIP215 criteria

[fspreiss]

In our project, we need to verify Ed25519 signatures according to the criteria outlined in ZIP215.

The current implementation uses different verification criteria. For example

• both verify and verify_strict use the verification equation without the cofactors, i.e., [S]B = R + [k]A, while ZIP215 says that the equation with the cofactors must be used (i.e., [8][S]B = [8]R + [8][k]A) and the one without "MUST NOT" be used.
• the current implementation rejects non-canonical encodings of R, while under the ZIP215 rules "it is not required that A and R are canonical encodings".

Would you be open to having a verification method that follows the ZIP215 rules, e.g., verify_zip215? If so, would it help if we contribute a respective PR?

It seems we are not the first ones interested in such a feature. For example, there was dalek-cryptography/ed25519-dalek#152, but it was closed without comment.

[tarcieri]

I have #843 open which I think is the missing piece for ZIP-215, but I still need to add test vectors, and it would be great if others could take a look at the implementation as well

[burdges]

It's good if it lands here, but just fyi..

https://github.com/penumbra-zone/ed25519-consensus
https://github.com/ZcashFoundation/ed25519-zebra

[tarcieri]

Yeah, there are definitely plenty of options already available, though in my motivating use case I need ed25519-dalek's expanded secret key support and it would be nice not to have to pull in two Ed25519 libraries