diff --git a/src/chaum_pedersen_signature.rs b/src/chaum_pedersen_signature.rs
index ab4709a..e217953 100644
--- a/src/chaum_pedersen_signature.rs
+++ b/src/chaum_pedersen_signature.rs
@@ -13,7 +13,7 @@ use crate::dual_scalar_mul::DualScalarMultiplication;
 use crate::engine::EngineBLS;
 use crate::nugget::{NuggetBLS, NuggetPublicKey, NuggetSignature};
 use crate::serialize::SerializableToBytes;
-use crate::{Message, SecretKeyVT};
+use crate::{Message, SecretKey, SecretKeyVT};
 
 pub type DLEQProof<E> = (<E as EngineBLS>::Scalar, <E as EngineBLS>::Scalar);
 pub type ChaumPedersenSignature<E> = NuggetSignature<E>;
@@ -322,10 +322,12 @@ where
         &self,
         message_point_as_bytes: &Vec<u8>,
     ) -> <<E as EngineBLS>::PublicKeyGroup as PrimeGroup>::ScalarField {
-        let secret_key_as_bytes = self.to_bytes();
-
         let mut secret_key_hasher = H::default();
+
+        let mut secret_key_as_bytes = self.to_bytes();
         secret_key_hasher.update(secret_key_as_bytes.as_slice());
+        ::zeroize::Zeroize::zeroize(secret_key_as_bytes.as_mut_slice());
+
         let hashed_secret_key = secret_key_hasher.finalize_fixed_reset().to_vec();
 
         let hasher = <DefaultFieldHasher<H> as HashToField<
@@ -336,6 +338,53 @@ where
     }
 }
 
+/// Side-channel-protected variant: BLS signing goes through
+/// `SecretKey::seeded_sign` (resplits the key with deterministic
+/// randomness), while DLEQ proof generation and witness derivation
+/// delegate to the vartime form, which is acceptable because they
+/// operate over auxiliary scalars rather than the long-term key.
+impl<E: EngineBLS, S: CurveGroup, H: FixedOutputReset + Default + Clone>
+    ChaumPedersenSigner<E, S, H> for SecretKey<E>
+where
+    S: PrimeGroup<ScalarField = E::Scalar> + SerializableToBytes,
+{
+    fn generate_cp_signature(&mut self, message: &Message) -> ChaumPedersenSignature<E> {
+        let bls_signature = self.seeded_sign(message);
+        let dleq = <Self as ChaumPedersenSigner<E, S, H>>::generate_dleq_proof(
+            self,
+            message,
+            bls_signature.0,
+        );
+        NuggetSignature(bls_signature.0, dleq)
+    }
+
+    fn generate_dleq_proof(
+        &mut self,
+        message: &Message,
+        bls_signature: E::SignatureGroup,
+    ) -> DLEQProof<E> {
+        <SecretKeyVT<E> as ChaumPedersenSigner<E, S, H>>::generate_dleq_proof(
+            &mut self.into_vartime(),
+            message,
+            bls_signature,
+        )
+    }
+
+    fn generate_witness_scaler(
+        &self,
+        _message_point_as_bytes: &Vec<u8>,
+    ) -> <<E as EngineBLS>::PublicKeyGroup as PrimeGroup>::ScalarField {
+        // Unreachable: `generate_dleq_proof` for `SecretKey` delegates to
+        // the `SecretKeyVT` impl, which calls its own `generate_witness_scaler`.
+        // Trait coherence forces us to provide a body here, but no caller
+        // ever lands on it.
+        unimplemented!(
+            "SecretKey::generate_witness_scaler is never called; \
+             dleq generation delegates to SecretKeyVT"
+        )
+    }
+}
+
 #[cfg(all(test, feature = "std"))]
 mod tests {
     use rand::thread_rng;
diff --git a/src/engine.rs b/src/engine.rs
index 0c7dfa2..7079bcd 100644
--- a/src/engine.rs
+++ b/src/engine.rs
@@ -32,7 +32,7 @@ use ark_ec::{
 };
 use ark_ff::field_hashers::{DefaultFieldHasher, HashToField};
 use ark_ff::{Field, PrimeField, UniformRand, Zero};
-use ark_serialize::CanonicalSerialize;
+use ark_serialize::{CanonicalSerialize, Valid};
 use rand::Rng;
 use rand_core::RngCore;
 
@@ -198,8 +198,7 @@ pub trait EngineBLS {
             signature,
         )];
         Self::final_exponentiation(Self::miller_loop(inputs.into_iter().map(|t| t).chain(&lhs)))
-            .unwrap()
-            == (PairingOutput::<Self::Engine>::zero()) //zero is the target_field::one !!
+            == Some(PairingOutput::<Self::Engine>::zero()) //zero is the target_field::one !!
     }
 
     /// Prepared negative of the generator of the public key curve.
@@ -219,6 +218,17 @@ pub trait EngineBLS {
         Self::PublicKeyPrepared::from(g_affine)
     }
 
+    /// Reject public keys that are the identity element or not in the
+    /// prime-order subgroup. Defends verification against inputs that
+    /// bypass the deserialization-time check — e.g. direct tuple-struct
+    /// construction, or aggregates that sum to the identity.
+    ///
+    /// Implements `KeyValidate` from
+    /// <https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-06.html#name-validating-public-keys>.
+    fn validate_public_key(g: &Self::PublicKeyGroupAffine) -> bool {
+        !g.is_zero() && g.check().is_ok()
+    }
+
     /// Process the signature to be use in pairing. This has to be
     /// implemented by the type of BLS system implementing the engine
     /// by calling either prepare_g1 or prepare_g2 based on which group
diff --git a/src/experimental/bit.rs b/src/experimental/bit.rs
index 27c91b5..1f04db7 100644
--- a/src/experimental/bit.rs
+++ b/src/experimental/bit.rs
@@ -632,7 +632,9 @@ mod tests {
             .collect::<Vec<_>>();
 
         let mut bitsig1 = BitSignedMessage::<ZBLS, _>::new(pop.clone(), &msg1);
-        assert!(bitsig1.verify()); // verifiers::verify_with_distinct_messages(&dms,true)
+        // Empty aggregate: the summed public key is the identity element,
+        // which `validate_public_key` rejects per IETF KeyValidate.
+        assert!(!bitsig1.verify());
         for (i, sig) in sigs1.iter().enumerate().take(2) {
             assert!(bitsig1.add(sig).is_ok() == (i < 4));
             assert!(bitsig1.verify()); // verifiers::verify_with_distinct_messages(&dms,true)
@@ -687,7 +689,9 @@ mod tests {
 
         let mut countsig = CountSignedMessage::<ZBLS, _>::new(pop.clone(), msg1);
         assert!(countsig.signers.len() == 1);
-        assert!(countsig.verify()); // verifiers::verify_with_distinct_messages(&dms,true)
+        // Empty aggregate: the summed public key is the identity element,
+        // which `validate_public_key` rejects per IETF KeyValidate.
+        assert!(!countsig.verify());
         assert!(countsig.add_bitsig(&bitsig1).is_ok());
         assert!(bitsig1.signature == countsig.signature);
         assert!(countsig.signers.len() == 1);
diff --git a/src/experimental/schnorr_pop.rs b/src/experimental/schnorr_pop.rs
index e06371d..b486f8f 100644
--- a/src/experimental/schnorr_pop.rs
+++ b/src/experimental/schnorr_pop.rs
@@ -41,11 +41,13 @@ impl<E: EngineBLS, H: FixedOutputReset + Default + Clone + 'static> BLSSchnorrPo
     //The pseudo random witness is generated similar to eddsa witness
     //hash(secret_key|publick_key)
     fn witness_scalar(&self) -> <<E as EngineBLS>::PublicKeyGroup as PrimeGroup>::ScalarField {
-        let secret_key_as_bytes = self.secret.to_bytes();
+        let mut secret_key_as_bytes = self.secret.to_bytes();
         let public_key_as_bytes = <E as EngineBLS>::public_key_point_to_byte(&self.public.0);
 
         let mut secret_key_hasher = H::default();
         secret_key_hasher.update(secret_key_as_bytes.as_slice());
+        ::zeroize::Zeroize::zeroize(secret_key_as_bytes.as_mut_slice());
+
         let hashed_secret_key = secret_key_hasher.finalize_fixed_reset().to_vec();
 
         let hasher = <DefaultFieldHasher<H> as HashToField<
diff --git a/src/lib.rs b/src/lib.rs
index c97a2e6..d839f4f 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -215,7 +215,8 @@ impl Message {
     fn cipher_suite<E: EngineBLS>(&self) -> Vec<u8> {
         let id = match self.2 {
             MessageType::ProofOfPossession => PROOF_OF_POSSESSION_ID,
-            _ => NORMAL_MESSAGE_SIGNATURE_ID,
+            MessageType::NormalAssumingPoP => NORMAL_MESSAGE_SIGNATURE_ID,
+            MessageType::NormalBasic => NORMAL_MESSAGE_SIGNATURE_ID,
         };
 
         let h2c_suite_id = [
@@ -228,7 +229,7 @@ impl Message {
         let sc_tag = match self.2 {
             MessageType::ProofOfPossession => POP_MESSAGE,
             MessageType::NormalAssumingPoP => NORMAL_MESSAGE_SIGNATURE_ASSUMING_POP,
-            _ => NORMAL_MESSAGE_SIGNATURE_BASIC,
+            MessageType::NormalBasic => NORMAL_MESSAGE_SIGNATURE_BASIC,
         };
 
         [id, &h2c_suite_id[..], sc_tag].concat()
diff --git a/src/nugget.rs b/src/nugget.rs
index 0c7df81..734f36f 100644
--- a/src/nugget.rs
+++ b/src/nugget.rs
@@ -25,7 +25,7 @@ use crate::chaum_pedersen_signature::{ChaumPedersenSigner, ChaumPedersenVerifier
 use crate::dual_scalar_mul::DualScalarMultiplication;
 use crate::chaum_pedersen_signature::DLEQProof;
 use crate::serialize::SerializableToBytes;
-use crate::single::{Keypair, KeypairVT, PublicKey, SecretKeyVT, Signature};
+use crate::single::{Keypair, KeypairVT, PublicKey, SecretKey, SecretKeyVT, Signature};
 use crate::{EngineBLS, Message, Signed};
 
 /// Wrapper for a point in the signature group which is supposed to
@@ -89,6 +89,26 @@ where
     }
 }
 
+/// Side-channel-protected variant: signing goes through the
+/// `ChaumPedersenSigner` impl for `SecretKey`, so the resplit happens
+/// on the split key (no `into_vartime` conversion is done here).
+impl<E: EngineBLS, S: CurveGroup> NuggetBLS<E, S> for SecretKey<E>
+where
+    S: PrimeGroup<ScalarField = E::Scalar> + SerializableToBytes,
+{
+    fn into_public_key_in_signature_group(&self) -> PublicKeyInSignatureGroup<E> {
+        NuggetBLS::<E, S>::into_public_key_in_signature_group(&self.into_vartime())
+    }
+
+    fn into_public_key_in_sister_group(&self) -> PublicKeyInSisterGroup<S> {
+        self.into_vartime().into_public_key_in_sister_group()
+    }
+
+    fn sign(&mut self, message: &Message) -> NuggetSignature<E> {
+        ChaumPedersenSigner::<E, S, Sha256>::generate_cp_signature(self, &message)
+    }
+}
+
 impl<E: EngineBLS, S: CurveGroup> NuggetBLS<E, S> for KeypairVT<E>
 where
     S: PrimeGroup<ScalarField = E::Scalar> + SerializableToBytes,
@@ -112,16 +132,16 @@ where
     S: PrimeGroup<ScalarField = E::Scalar> + SerializableToBytes,
 {
     fn into_public_key_in_signature_group(&self) -> PublicKeyInSignatureGroup<E> {
-        NuggetBLS::<E, S>::into_public_key_in_signature_group(&self.into_vartime())
+        NuggetBLS::<E, S>::into_public_key_in_signature_group(&self.secret)
     }
 
     fn into_public_key_in_sister_group(&self) -> PublicKeyInSisterGroup<S> {
-        self.into_vartime().into_public_key_in_sister_group()
+        NuggetBLS::<E, S>::into_public_key_in_sister_group(&self.secret)
     }
 
     /// Sign a message using a Seedabale RNG created from a seed derived from the message and key
     fn sign(&mut self, message: &Message) -> NuggetSignature<E> {
-        NuggetBLS::<E, S>::sign(&mut self.into_vartime(), message)
+        NuggetBLS::<E, S>::sign(&mut self.secret, message)
     }
 }
 
diff --git a/src/nugget_pop.rs b/src/nugget_pop.rs
index c05f2f3..9ec7126 100644
--- a/src/nugget_pop.rs
+++ b/src/nugget_pop.rs
@@ -92,7 +92,11 @@ impl<E: EngineBLS, H: FixedOutputReset + Default + Clone + 'static>
         let mut randomized_pub_in_g1 = public_key_in_signature_group;
         randomized_pub_in_g1 *= randomization_coefficient;
         let signature = E::prepare_signature(self.0 + randomized_pub_in_g1);
-        let prepared_public_key = E::prepare_public_key(public_key_of_prover.1);
+        let Some(prepared_public_key) =
+            crate::verifiers::validate_and_prepare_public_key::<E>(public_key_of_prover.1)
+        else {
+            return false;
+        };
         let prepared = [
             (
                 prepared_public_key.clone(),
@@ -162,12 +166,13 @@ where
 #[cfg(all(test, feature = "std"))]
 mod tests {
     use crate::double_nugget::DoubleNuggetBLS;
-    use crate::engine::TinyBLS381;
+    use crate::engine::{EngineBLS, TinyBLS381};
     use crate::serialize::SerializableToBytes;
     use crate::single::Keypair;
     use crate::{nugget_pop::NuggetBLSPoP, NuggetDoublePublicKey};
     use crate::{ProofOfPossession, ProofOfPossessionGenerator};
 
+    use ark_ff::Zero;
     use rand::thread_rng;
     use sha2::Sha256;
 
@@ -324,4 +329,35 @@ mod tests {
             NuggetBLSnCPPoP<TinyBLS381>,
         >();
     }
+
+    /// A keypair with secret scalar zero and identity public key.
+    /// `SecretKeyVT::sign` returns `sk * H(msg) = identity` for such
+    /// a keypair, so the PoP produced by `generate_pok` is itself
+    /// identity. The pairing equation in `NuggetBLSPoP::verify` then
+    /// reduces to `identity == identity`, so without `validate_public_key`
+    /// the verifier would accept — rejection here is attributable to
+    /// the public key check.
+    #[test]
+    fn nugget_bls_pop_rejects_identity_pk() {
+        use crate::single::{PublicKey, SecretKeyVT};
+        let mut keypair = Keypair::<TinyBLS381> {
+            public: PublicKey::<TinyBLS381>(
+                <TinyBLS381 as EngineBLS>::PublicKeyGroup::zero(),
+            ),
+            secret: SecretKeyVT::<TinyBLS381>(<TinyBLS381 as EngineBLS>::Scalar::zero())
+                .into_split(thread_rng()),
+        };
+        let pop = <Keypair<TinyBLS381> as ProofOfPossessionGenerator<
+            TinyBLS381,
+            Sha256,
+            NuggetDoublePublicKey<TinyBLS381>,
+            NuggetBLSPoP<TinyBLS381>,
+        >>::generate_pok(&mut keypair);
+        let double_pk = DoubleNuggetBLS::into_nugget_double_public_key(&keypair);
+        assert!(!<NuggetBLSPoP<TinyBLS381> as ProofOfPossession<
+            TinyBLS381,
+            Sha256,
+            NuggetDoublePublicKey<TinyBLS381>,
+        >>::verify(&pop, &double_pk));
+    }
 }
diff --git a/src/single.rs b/src/single.rs
index 7b826b3..6eeb967 100644
--- a/src/single.rs
+++ b/src/single.rs
@@ -45,6 +45,7 @@ use sha3::{
 };
 
 use digest::Digest;
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
 use core::iter::once;
 
@@ -54,8 +55,8 @@ use crate::{EngineBLS, Message, Signed};
 
 /// Secret signing key lacking the side channel protections from
 /// key splitting.  Avoid using directly in production.
-#[derive(CanonicalSerialize, CanonicalDeserialize)]
-pub struct SecretKeyVT<E: EngineBLS>(pub E::Scalar);
+#[derive(CanonicalSerialize, CanonicalDeserialize, Zeroize, ZeroizeOnDrop)]
+pub struct SecretKeyVT<E: EngineBLS>(#[zeroize] pub E::Scalar);
 
 impl<E: EngineBLS> Clone for SecretKeyVT<E> {
     fn clone(&self) -> Self {
@@ -163,10 +164,11 @@ impl<E: EngineBLS> SecretKeyVT<E> {
 
 /// Secret signing key including the side channel protections from
 /// key splitting.
+#[derive(ZeroizeOnDrop)]
 pub struct SecretKey<E: EngineBLS> {
-    key: [E::Scalar; 2],
-    old_unsigned: E::SignatureGroup,
-    old_signed: E::SignatureGroup,
+    #[zeroize] key: [E::Scalar; 2],
+    #[zeroize] old_unsigned: E::SignatureGroup,
+    #[zeroize] old_signed: E::SignatureGroup,
 }
 
 impl<E: EngineBLS> Clone for SecretKey<E> {
@@ -269,6 +271,30 @@ impl<E: EngineBLS> SecretKey<E> {
         self.sign_once(message)
     }
 
+    /// Sign deterministically, reseeding the resplit RNG from a hash
+    /// of both key halves and the message.
+    pub fn seeded_sign(&mut self, message: &Message) -> Signature<E> {
+        let mut serialized_part1 = [0u8; 32];
+        let mut serialized_part2 = [0u8; 32];
+        self.key[0]
+            .serialize_compressed(&mut serialized_part1[..])
+            .unwrap();
+        self.key[1]
+            .serialize_compressed(&mut serialized_part2[..])
+            .unwrap();
+
+        let seed_digest = Sha256::new()
+            .chain_update(serialized_part1)
+            .chain_update(serialized_part2)
+            .chain_update(message.0);
+
+        ::zeroize::Zeroize::zeroize(&mut serialized_part1);
+        ::zeroize::Zeroize::zeroize(&mut serialized_part2);
+
+        let seed: [u8; 32] = seed_digest.finalize().into();
+        self.sign(message, StdRng::from_seed(seed))
+    }
+
     /// Derive our public key from our secret key
     ///
     /// We do not resplit for side channel protections here since
@@ -458,7 +484,11 @@ impl<E: EngineBLS> Signature<E> {
 
     /// Verify a single BLS signature
     pub fn verify(&self, message: &Message, publickey: &PublicKey<E>) -> bool {
-        let publickey = E::prepare_public_key(publickey.0);
+        let Some(publickey) =
+            crate::verifiers::validate_and_prepare_public_key::<E>(publickey.0)
+        else {
+            return false;
+        };
         // TODO: Bentchmark these two variants
         // Variant 1.  Do not batch any normalizations
         let message = E::prepare_signature(message.hash_to_signature_curve::<E>());
@@ -601,23 +631,7 @@ impl<E: EngineBLS> Keypair<E> {
 
     /// Sign a message using a Seedabale RNG created from a seed derived from the message and key
     pub fn sign(&mut self, message: &Message) -> Signature<E> {
-        let mut serialized_part1 = [0u8; 32];
-        let mut serialized_part2 = [0u8; 32];
-        self.secret.key[0]
-            .serialize_compressed(&mut serialized_part1[..])
-            .unwrap();
-        self.secret.key[1]
-            .serialize_compressed(&mut serialized_part2[..])
-            .unwrap();
-
-        let seed_digest = Sha256::new()
-            .chain_update(serialized_part1)
-            .chain_update(serialized_part2)
-            .chain_update(message.0);
-
-        let seed: [u8; 32] = seed_digest.finalize().into();
-
-        self.sign_with_rng::<StdRng>(message, SeedableRng::from_seed(seed))
+        self.secret.seeded_sign(message)
     }
 
     #[cfg(feature = "std")]
@@ -992,4 +1006,25 @@ mod tests {
             random_seed.as_slice(),
         );
     }
+
+    /// Keypair with secret=0, public=identity produces an identity
+    /// signature, so the pairing equation reduces to `identity == identity`
+    /// — an unprotected `Signature::verify` would accept. Rejection here
+    /// is attributable to `validate_public_key`.
+    #[test]
+    fn signature_verify_rejects_identity_pk() {
+        use ark_ff::Zero;
+        use rand::{rngs::StdRng, SeedableRng};
+
+        type EB = UsualBLS<Bls12_381, ark_bls12_381::Config>;
+
+        let mut keypair = Keypair::<EB> {
+            public: PublicKey::<EB>(<EB as EngineBLS>::PublicKeyGroup::zero()),
+            secret: SecretKeyVT::<EB>(<EB as EngineBLS>::Scalar::zero())
+                .into_split(StdRng::from_seed([0u8; 32])),
+        };
+        let s = keypair.signed_message(&Message::new(b"ctx", b"test message"));
+        assert!(!s.signature.verify(&s.message, &s.publickey));
+        assert!(!Signed::verify(&s));
+    }
 }
diff --git a/src/verifiers.rs b/src/verifiers.rs
index 20fbb05..927a410 100644
--- a/src/verifiers.rs
+++ b/src/verifiers.rs
@@ -37,6 +37,22 @@ pub type SignatureAffine<E> = <<E as EngineBLS>::SignatureGroup as CurveGroup>::
 
 // ── Shared helpers ──────────────────────────────────────────────────
 
+/// Validate a public key with `EngineBLS::validate_public_key` and, on
+/// success, return the prepared form. Returns `None` if the public key
+/// is the identity element or not in the prime-order subgroup. All
+/// verifier paths should go through this wrapper so the check cannot
+/// be skipped by callers constructing `PublicKey` directly or by
+/// aggregates that sum to the identity.
+pub fn validate_and_prepare_public_key<E: EngineBLS>(
+    g: impl Into<PublicKeyAffine<E>>,
+) -> Option<E::PublicKeyPrepared> {
+    let g_affine: PublicKeyAffine<E> = g.into();
+    if !E::validate_public_key(&g_affine) {
+        return None;
+    }
+    Some(E::prepare_public_key(g_affine))
+}
+
 /// Verify from fully normalized (affine) inputs.
 /// All public keys, messages, and the signature must already be in affine form.
 /// This prepares the pairing inputs and calls `verify_prepared`.
@@ -46,11 +62,13 @@ fn verify_normalized<E: EngineBLS>(
     affine_signature: SignatureAffine<E>,
 ) -> bool {
     let prepared_sig = E::prepare_signature(affine_signature);
-    let prepared = affine_publickeys
-        .iter()
-        .zip(affine_messages)
-        .map(|(pk, m)| (E::prepare_public_key(*pk), E::prepare_signature(*m)))
-        .collect::<Vec<_>>();
+    let mut prepared = Vec::with_capacity(affine_publickeys.len());
+    for (pk, m) in affine_publickeys.iter().zip(affine_messages) {
+        let Some(prepared_pk) = validate_and_prepare_public_key::<E>(*pk) else {
+            return false;
+        };
+        prepared.push((prepared_pk, E::prepare_signature(*m)));
+    }
     E::verify_prepared(prepared_sig, prepared.iter())
 }
 
@@ -143,15 +161,18 @@ fn normalize_messages_and_signature<E: EngineBLS>(
 /// Simple unoptimized BLS signature verification.  Useful for testing.
 pub fn verify_unoptimized<S: Signed>(s: S) -> bool {
     let signature = S::E::prepare_signature(s.signature().0);
-    let prepared = s
-        .messages_and_publickeys()
-        .map(|(message, public_key)| {
-            (
-                S::E::prepare_public_key(public_key.borrow().0),
-                S::E::prepare_signature(message.borrow().hash_to_signature_curve::<S::E>()),
-            )
-        })
-        .collect::<Vec<(_, _)>>();
+    let mut prepared = Vec::new();
+    for (message, public_key) in s.messages_and_publickeys() {
+        let Some(prepared_pk) =
+            validate_and_prepare_public_key::<S::E>(public_key.borrow().0)
+        else {
+            return false;
+        };
+        prepared.push((
+            prepared_pk,
+            S::E::prepare_signature(message.borrow().hash_to_signature_curve::<S::E>()),
+        ));
+    }
     S::E::verify_prepared(signature, prepared.iter())
 }
 
@@ -365,13 +386,47 @@ fn verify_with_gaussian_elimination<S: Signed>(s: S) -> bool {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::{Keypair, Message, UsualBLS};
-    use ark_bls12_381::Bls12_381;
+    use crate::single::{SecretKeyVT, SignedMessage};
+    use crate::{Keypair, Message, PublicKey, UsualBLS};
+    use ark_bls12_381::{Bls12_381, Fq, G1Affine};
+    use ark_ec::AffineRepr;
+    use ark_ff::{UniformRand, Zero};
+    use ark_serialize::Valid;
     use rand::rngs::StdRng;
     use rand::SeedableRng;
 
     type EB = UsualBLS<Bls12_381, ark_bls12_381::Config>;
 
+    /// Keypair with secret scalar zero and identity public key. The
+    /// produced signature is also identity, so every pairing equation
+    /// reduces to `identity == identity` and an unprotected verifier
+    /// would accept. Any rejection observed in the verifier tests
+    /// below is therefore attributable to `validate_public_key`.
+    fn identity_keypair() -> Keypair<EB> {
+        Keypair {
+            public: PublicKey::<EB>(<EB as EngineBLS>::PublicKeyGroup::zero()),
+            secret: SecretKeyVT::<EB>(<EB as EngineBLS>::Scalar::zero())
+                .into_split(StdRng::from_seed([0u8; 32])),
+        }
+    }
+
+    fn identity_signed() -> SignedMessage<EB> {
+        identity_keypair().signed_message(&Message::new(b"ctx", b"test message"))
+    }
+
+    /// A G1 point on the curve but outside the prime-order subgroup.
+    fn non_subgroup_g1() -> G1Affine {
+        let mut rng = StdRng::from_seed([42u8; 32]);
+        loop {
+            let x = Fq::rand(&mut rng);
+            if let Some(point) = G1Affine::get_point_from_x_unchecked(x, false) {
+                if point.check().is_err() {
+                    return point;
+                }
+            }
+        }
+    }
+
     #[test]
     fn verify_simple_single_signature() {
         let good = Message::new(b"ctx", b"test message");
@@ -401,4 +456,30 @@ mod tests {
         let signed = keypair.signed_message(&good);
         assert!(verify_unoptimized(&signed));
     }
+
+    #[test]
+    fn verify_simple_rejects_identity_pk() {
+        assert!(!verify_simple(&identity_signed()));
+    }
+
+    #[test]
+    fn verify_unoptimized_rejects_identity_pk() {
+        assert!(!verify_unoptimized(&identity_signed()));
+    }
+
+    #[test]
+    fn verify_with_distinct_messages_rejects_identity_pk() {
+        assert!(!verify_with_distinct_messages(&identity_signed(), true));
+    }
+
+    #[test]
+    fn validate_and_prepare_public_key_rejects_identity() {
+        let identity = PublicKeyAffine::<EB>::zero();
+        assert!(validate_and_prepare_public_key::<EB>(identity).is_none());
+    }
+
+    #[test]
+    fn validate_and_prepare_public_key_rejects_non_subgroup() {
+        assert!(validate_and_prepare_public_key::<EB>(non_subgroup_g1()).is_none());
+    }
 }