// Prove returns the vrf value and a proof such that Verify(pk, m, vrf, proof) // == true. The vrf value is the same as returned by Compute(m, sk). func Prove(m []byte, sk *[SecretKeySize]byte) (vrf, proof []byte) { x, skhr := expandSecret(sk) var cH, rH [64]byte var r, c, minusC, t, grB, hrB, iiB [32]byte var ii, gr, hr edwards25519.ExtendedGroupElement hm := hashToCurve(m) edwards25519.GeScalarMult(&ii, x, hm) ii.ToBytes(&iiB) hash := sha3.NewShake256() hash.Write(skhr[:]) hash.Write(sk[32:]) // public key, as in ed25519 hash.Write(m) hash.Read(rH[:]) hash.Reset() edwards25519.ScReduce(&r, &rH) edwards25519.GeScalarMultBase(&gr, &r) edwards25519.GeScalarMult(&hr, &r, hm) gr.ToBytes(&grB) hr.ToBytes(&hrB) hash.Write(grB[:]) hash.Write(hrB[:]) hash.Write(m) hash.Read(cH[:]) hash.Reset() edwards25519.ScReduce(&c, &cH) edwards25519.ScNeg(&minusC, &c) edwards25519.ScMulAdd(&t, x, &minusC, &r) proof = make([]byte, ProofSize) copy(proof[:32], c[:]) copy(proof[32:64], t[:]) copy(proof[64:96], iiB[:]) hash.Write(iiB[:]) // const length: Size hash.Write(m) vrf = make([]byte, Size) hash.Read(vrf[:]) return }
// Sign signs the message with privateKey and returns a signature. func Sign(privateKey *[PrivateKeySize]byte, message []byte) *[SignatureSize]byte { h := sha512.New() h.Write(privateKey[:32]) var digest1, messageDigest, hramDigest [64]byte var expandedSecretKey [32]byte h.Sum(digest1[:0]) copy(expandedSecretKey[:], digest1[:]) expandedSecretKey[0] &= 248 expandedSecretKey[31] &= 63 expandedSecretKey[31] |= 64 h.Reset() h.Write(digest1[32:]) h.Write(message) h.Sum(messageDigest[:0]) var messageDigestReduced [32]byte edwards25519.ScReduce(&messageDigestReduced, &messageDigest) var R edwards25519.ExtendedGroupElement edwards25519.GeScalarMultBase(&R, &messageDigestReduced) var encodedR [32]byte R.ToBytes(&encodedR) h.Reset() h.Write(encodedR[:]) h.Write(privateKey[32:]) h.Write(message) h.Sum(hramDigest[:0]) var hramDigestReduced [32]byte edwards25519.ScReduce(&hramDigestReduced, &hramDigest) var s [32]byte edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced) signature := new([64]byte) copy(signature[:], encodedR[:]) copy(signature[32:], s[:]) return signature }