## High Priority

- [x] Fix broken `pkcs8` feature activation in `curve25519/solana-ed25519/Cargo.toml`.
  - `cargo check -p solana-ed25519 --no-default-features --features pkcs8` currently fails.
  - fix: #41
- [x] Fix broken `serde` feature activation in `curve25519/solana-ed25519/Cargo.toml`.
  - Downstream-style builds with `--features serde` fail.
  - fix: #42
- [x] Validate SPKI algorithm/OID when decoding public-key DER.
  - A DER/SPKI key labeled as another algorithm can currently be accepted if it contains usable 32-byte key material.
  - Replace `unwrap()` paths with proper error handling.
  - fix: #43
- [ ] Enforce or redesign the 128-bit scalar precondition for `vartime_triple_base_mul_128_128_256`.
  - Current code only uses `debug_assert!`.
  - Full-width scalars panic in debug builds and can produce incorrect release-build results.
  - fix: #44

## Medium Priority

- [ ] Make `SwPoint::to_edwards` reject off-curve affine inputs or clearly document the precondition.
  - Current code can construct an `EdwardsPoint` from malformed `SwPoint` coordinates.
  - fix: #46
- [ ] Handle or document exceptional Edwards/SW conversion cases.
  - In particular, the Edwards point `(0, -1)` maps to a short-Weierstrass point that `to_edwards` rejects.
  - fix: #46
- [ ] Fix or document the affine identity encoding asymmetry.
  - `from_affine_le_bytes(0, 0)` returns identity.
  - `to_affine_le_bytes(identity)` returns `None`.
  - fix: #46

## Low Priority

- [x] Update `VerificationKeyBytes` documentation.
  - It is a length-checked encoded-key container, not proof that the bytes are a valid Ed25519 verification key.
  - fix: #47
- [x] Fix `verify_dalek` documentation or implementation.
  - Docs claim exact `ed25519-dalek` behavior, but the implementation adds legacy blacklist and all-zero public-key checks.
  - fix: #47
- [x] Fix stale HEEA docs/comments.
  - `verify_heea` is referenced but does not exist.
  - `heea_decompose` docs do not match the implementation.
  - fix: #47
- [ ] Return a more accurate batch-verification error for malformed verification keys.
  - Current batch verification maps verification-key decompression failure to `InvalidSignature`.
- [x] Align or document the serial/vector `b_lo_naf` window-size difference.
  - fix: #47
- [ ] Consider requiring `CryptoRng + RngCore` for `EdwardsPoint::random`.
  - This would match `Scalar::random` and `RistrettoPoint::random`.
- [ ] Consider implementing `core::ops::Add` for `SwPoint`.
  - `SwPoint` has an inherent `add` method but no `+` operator support.
- [ ] Reduce duplicated lookup-table construction logic across serial/vector backends.

## Not Tracked As A Bug

- `verify` accepting more signatures than `verify_dalek` appears intentional because `verify` is documented as ZIP-215/Zebra-style verification.
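The SPKI item under High Priority (accepting a DER key labeled as another algorithm, and `unwrap()` paths) is illustrated by the following added example. It is not code from `solana-ed25519`; it is a minimal hand-rolled DER walker that checks the AlgorithmIdentifier OID is id-Ed25519 (1.3.101.112) before handing back the 32 key bytes, and returns an error enum instead of panicking. The helper `spki_der` and the error type `SpkiError` are constructed here for the demonstration.

```rust
use core::convert::TryInto;

/// Errors returned instead of panicking on `unwrap()` (hypothetical type for this example).
#[derive(Debug, PartialEq, Eq)]
pub enum SpkiError {
    Truncated,
    BadStructure,
    WrongAlgorithm(Vec<u8>),
    BadKeyLength(usize),
}

/// DER content octets of id-Ed25519 (OID 1.3.101.112).
pub const ID_ED25519: [u8; 3] = [0x2b, 0x65, 0x70];

/// Parse one DER TLV whose length fits in a single short-form byte (true for all 32-byte SPKI keys).
/// Returns (value, remaining input).
fn tlv(input: &[u8], tag: u8) -> Result<(&[u8], &[u8]), SpkiError> {
    if input.len() < 2 { return Err(SpkiError::Truncated); }
    if input[0] != tag || input[1] >= 0x80 { return Err(SpkiError::BadStructure); }
    let len = input[1] as usize;
    if input.len() < 2 + len { return Err(SpkiError::Truncated); }
    Ok((&input[2..2 + len], &input[2 + len..]))
}

/// Decode a SubjectPublicKeyInfo and accept the key only if the OID says Ed25519.
pub fn ed25519_pubkey_from_spki_der(der: &[u8]) -> Result<[u8; 32], SpkiError> {
    let (spki, rest) = tlv(der, 0x30)?;            // SubjectPublicKeyInfo SEQUENCE
    if !rest.is_empty() { return Err(SpkiError::BadStructure); }
    let (alg, after_alg) = tlv(spki, 0x30)?;       // AlgorithmIdentifier SEQUENCE
    let (oid, alg_rest) = tlv(alg, 0x06)?;         // OBJECT IDENTIFIER
    if !alg_rest.is_empty() { return Err(SpkiError::BadStructure); } // Ed25519 takes no parameters
    if oid != ID_ED25519 { return Err(SpkiError::WrongAlgorithm(oid.to_vec())); }
    let (bits, trailing) = tlv(after_alg, 0x03)?;  // BIT STRING holding the raw key
    if !trailing.is_empty() { return Err(SpkiError::BadStructure); }
    match bits.split_first() {
        // First BIT STRING octet is the unused-bit count; a byte-aligned key must have 0.
        Some((&0, key)) => key.try_into().map_err(|_| SpkiError::BadKeyLength(key.len())),
        _ => Err(SpkiError::BadStructure),
    }
}

/// Build a constructed SPKI DER blob for a 32-byte key under the given 3-byte OID (sample input).
pub fn spki_der(oid: &[u8; 3], key: &[u8; 32]) -> Vec<u8> {
    let mut out = vec![0x30, 0x2a, 0x30, 0x05, 0x06, 0x03];
    out.extend_from_slice(oid);
    out.extend_from_slice(&[0x03, 0x21, 0x00]);
    out.extend_from_slice(key);
    out
}
```

An X25519-labeled key (OID 1.3.101.110, content octets `2b 65 6e`) carries the same 32 bytes of key material but is rejected with `WrongAlgorithm` rather than silently treated as an Ed25519 verification key.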