// Verify determines whether or not the signature is on the given hash and
// belongs to the public key.
func Verify(sig *Signature, pk *eckey.PublicKey, hash []byte) error {
// Deserialize public key
pkx, pky := pk.Coords()
// Compute sG + ePK = (k-er)G + erG = kG
sGx, sGy := eckey.S256.ScalarBaseMult(sig[SignatureSize/2:])
ePKx, ePKy := eckey.S256.ScalarMult(pkx, pky, sig[:SignatureSize/2])
kGx, kGy := eckey.S256.Add(sGx, sGy, ePKx, ePKy)
// Serialize point
kG, err := eckey.NewPublicKeyCoords(kGx, kGy)
if err != nil {
return err
}
// Compute non-interactive challenge
e := util.Hash256d(append([]byte(hash), kG[:]...))
// Compare digest with first half of signature
for i, b := range e {
if sig[i] != b {
return ErrECSchnorrVerify
}
}
return nil
}
func keyPairFromTestCase(test ecTestCase) (*eckey.SecretKey, *eckey.PublicKey) {
d, _ := new(big.Int).SetString(test.D, 10)
x, _ := new(big.Int).SetString(test.X, 16)
y, _ := new(big.Int).SetString(test.Y, 16)
// Serialize secret key
sk, _ := eckey.NewSecretKeyInt(d)
// Serialize public key
pk, _ := eckey.NewPublicKeyCoords(x, y)
return sk, pk
}