// Verify returns true iff sig is a valid signature of message by publicKey.
//
// sig is R (32 bytes) || S (32 bytes). The check recomputes
// R' = S*B - H(R || A || M)*A and accepts iff R' encodes to exactly the R
// carried in the signature. Every input is public, so variable-time group
// arithmetic is acceptable here.
//
// NOTE(review): only the top three bits of S are rejected (sig[63]&224); S
// is not checked to be fully reduced below the group order, so a second
// encoding of S for the same (R, message) may also verify. If the
// edwards25519 package in use offers a scalar-minimality check, applying it
// to sig[32:] closes that gap — confirm against that package.
func Verify(publicKey *[PublicKeySize]byte, message []byte, sig *[SignatureSize]byte) bool {
	// S must fit in 253 bits; anything with the top three bits set is rejected.
	if sig[63]&224 != 0 {
		return false
	}

	// Decode the public key A; a non-canonical or off-curve encoding fails.
	var A edwards25519.ExtendedGroupElement
	if !A.FromBytes(publicKey) {
		return false
	}
	// Negate A (flip X and T) so the double scalar multiplication below
	// yields h*(-A) + S*B = S*B - h*A without a separate subtraction.
	edwards25519.FeNeg(&A.X, &A.X)
	edwards25519.FeNeg(&A.T, &A.T)

	// h = SHA-512(R || A || M): the same transcript the signer hashed.
	h := sha512.New()
	h.Write(sig[:32])
	h.Write(publicKey[:])
	h.Write(message)
	var digest [64]byte
	h.Sum(digest[:0])

	// Reduce the 64-byte digest to a scalar modulo the group order.
	var hReduced [32]byte
	edwards25519.ScReduce(&hReduced, &digest)

	// R' = hReduced*(-A) + S*B (ref10 convention: a*A + b*B), with S = sig[32:].
	var R edwards25519.ProjectiveGroupElement
	var b [32]byte
	copy(b[:], sig[32:])
	edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b)

	// Accept iff the encoding of R' equals the R from the signature.
	var checkR [32]byte
	R.ToBytes(&checkR)
	return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
}
// Prove returns the vrf value and a proof such that Verify(pk, m, vrf, proof)
// == true. The vrf value is the same as returned by Compute(m, sk).
//
// proof is ProofSize bytes laid out as c (32) || t (32) || ii (32), where
// ii = x*H(m) is the VRF point, c is the challenge hashed over
// (r*B, r*H(m), m) and t = r - c*x (ScMulAdd computes a*b + c). The nonce r
// is derived deterministically from the expanded secret, the public key and
// m, so Prove consumes no fresh randomness. The returned vrf value is
// SHAKE256(ii || m) truncated to Size bytes.
func Prove(m []byte, sk *[SecretKeySize]byte) (vrf, proof []byte) {
	// x is the secret scalar; skhr is the remaining secret material used
	// only to derive the nonce (see expandSecret for the exact split).
	x, skhr := expandSecret(sk)
	var cH, rH [64]byte
	var r, c, minusC, t, grB, hrB, iiB [32]byte
	var ii, gr, hr edwards25519.ExtendedGroupElement

	// ii = x*H(m): the point whose hash becomes the VRF output.
	hm := hashToCurve(m)
	edwards25519.GeScalarMult(&ii, x, hm)
	ii.ToBytes(&iiB)

	// Deterministic nonce r = reduce(SHAKE256(skhr || pk || m)). Binding r to
	// m means two different messages never share a nonce; a repeated r across
	// messages would let the two t values be combined to recover x.
	hash := sha3.NewShake256()
	hash.Write(skhr[:])
	hash.Write(sk[32:]) // public key, as in ed25519
	hash.Write(m)
	hash.Read(rH[:])
	hash.Reset()
	edwards25519.ScReduce(&r, &rH)

	// Commitments gr = r*B and hr = r*H(m) that the verifier will recompute.
	edwards25519.GeScalarMultBase(&gr, &r)
	edwards25519.GeScalarMult(&hr, &r, hm)
	gr.ToBytes(&grB)
	hr.ToBytes(&hrB)

	// Challenge c = reduce(SHAKE256(gr || hr || m)). The SHAKE instance is
	// reused; Reset clears the previous absorb so transcripts do not mix.
	hash.Write(grB[:])
	hash.Write(hrB[:])
	hash.Write(m)
	hash.Read(cH[:])
	hash.Reset()
	edwards25519.ScReduce(&c, &cH)

	// Response t = x*(-c) + r = r - c*x (mod the group order).
	edwards25519.ScNeg(&minusC, &c)
	edwards25519.ScMulAdd(&t, x, &minusC, &r)

	proof = make([]byte, ProofSize)
	copy(proof[:32], c[:])
	copy(proof[32:64], t[:])
	copy(proof[64:96], iiB[:])

	// vrf = SHAKE256(ii || m)[:Size]; Verify recomputes exactly this.
	hash.Write(iiB[:]) // const length: Size
	hash.Write(m)
	vrf = make([]byte, Size)
	hash.Read(vrf[:])
	return
}
// Sign signs the message with privateKey and returns a signature.
//
// privateKey is the 32-byte seed followed by the 32-byte public key. The
// signature is R (32 bytes) || S (32 bytes) with R = r*B,
// S = H(R || A || M)*a + r, where a is the clamped scalar derived from the
// seed and r is the deterministic nonce SHA-512(prefix || M). No randomness
// is consumed; the same (key, message) pair always yields the same signature.
func Sign(privateKey *[PrivateKeySize]byte, message []byte) *[SignatureSize]byte {
	// Expand the seed: first half becomes the scalar a, second half the
	// nonce prefix. Sum512 is a one-shot equivalent of New/Write/Sum.
	seedDigest := sha512.Sum512(privateKey[:32])

	// Clamp a as required for Ed25519 scalars: clear the low three bits and
	// the top bit, set bit 254.
	var a [32]byte
	copy(a[:], seedDigest[:32])
	a[0] &= 248
	a[31] &= 63
	a[31] |= 64

	// r = reduce(SHA-512(prefix || M)); one hasher is reused for both
	// transcripts, Reset separating them.
	hasher := sha512.New()
	hasher.Write(seedDigest[32:])
	hasher.Write(message)
	var nonceDigest [64]byte
	hasher.Sum(nonceDigest[:0])
	var r [32]byte
	edwards25519.ScReduce(&r, &nonceDigest)

	// R = r*B, encoded to 32 bytes.
	var rPoint edwards25519.ExtendedGroupElement
	edwards25519.GeScalarMultBase(&rPoint, &r)
	var rBytes [32]byte
	rPoint.ToBytes(&rBytes)

	// k = reduce(SHA-512(R || A || M)), with A = privateKey[32:].
	hasher.Reset()
	hasher.Write(rBytes[:])
	hasher.Write(privateKey[32:])
	hasher.Write(message)
	var hramDigest [64]byte
	hasher.Sum(hramDigest[:0])
	var k [32]byte
	edwards25519.ScReduce(&k, &hramDigest)

	// S = k*a + r (mod the group order).
	var s [32]byte
	edwards25519.ScMulAdd(&s, &k, &a, &r)

	sig := new([SignatureSize]byte)
	copy(sig[:32], rBytes[:])
	copy(sig[32:], s[:])
	return sig
}
// Verify returns true iff vrf=Compute(m, sk) for the sk that corresponds to pk.
//
// All four inputs are untrusted byte slices; their lengths are validated
// before any fixed-size copy so malformed input cannot panic. The proof is
// c (32) || t (32) || ii (32). Verification recomputes A = c*P + t*B and
// B' = t*H(m) + c*ii — which equal r*B and r*H(m) for an honest prover —
// then re-derives the challenge over (A, B', m) and accepts iff it matches
// the proof's c and vrf equals SHAKE256(ii || m)[:Size].
func Verify(pkBytes, m, vrfBytes, proof []byte) bool {
	// Length checks first: the copies below index fixed offsets into proof.
	if len(proof) != ProofSize || len(vrfBytes) != Size || len(pkBytes) != PublicKeySize {
		return false
	}
	var pk, c, cRef, t, vrf, iiB, ABytes, BBytes [32]byte
	copy(vrf[:], vrfBytes)
	copy(pk[:], pkBytes)
	copy(c[:32], proof[:32])
	copy(t[:32], proof[32:64])
	copy(iiB[:], proof[64:96])

	// Cheap check before any group arithmetic: vrf must be SHAKE256(ii || m).
	// A plain comparison is fine; both values are public.
	hash := sha3.NewShake256()
	hash.Write(iiB[:]) // const length
	hash.Write(m)
	var hCheck [Size]byte
	hash.Read(hCheck[:])
	if !bytes.Equal(hCheck[:], vrf[:]) {
		return false
	}
	// Clear the absorbed state so the challenge transcript starts fresh.
	hash.Reset()

	var P, B, ii, iic edwards25519.ExtendedGroupElement
	var A, hmtP, iicP edwards25519.ProjectiveGroupElement
	// Decode pk and ii; an invalid encoding fails. The BaseGroup variant
	// presumably also rejects points outside the prime-order subgroup —
	// confirm against the edwards25519 package in use.
	if !P.FromBytesBaseGroup(&pk) {
		return false
	}
	if !ii.FromBytesBaseGroup(&iiB) {
		return false
	}
	// A = c*P + t*B (ref10 convention: a*A + b*B). Inputs are public, so
	// variable-time arithmetic is acceptable.
	edwards25519.GeDoubleScalarMultVartime(&A, &c, &P, &t)
	A.ToBytes(&ABytes)

	// B' = t*H(m) + c*ii, built from two single-scalar products expressed as
	// double-scalar multiplications with a zero base-point scalar.
	hm := hashToCurve(m)
	edwards25519.GeDoubleScalarMultVartime(&hmtP, &t, hm, &[32]byte{})
	edwards25519.GeDoubleScalarMultVartime(&iicP, &c, &ii, &[32]byte{})
	iicP.ToExtended(&iic)
	hmtP.ToExtended(&B)
	edwards25519.GeAdd(&B, &B, &iic)
	B.ToBytes(&BBytes)

	// Re-derive the challenge c' = reduce(SHAKE256(A || B' || m)). cRef is
	// fully reduced by ScReduce, so a proof carrying a non-canonical c can
	// never match. NOTE(review): t is used as-is; whether a non-reduced t is
	// accepted depends on how GeDoubleScalarMultVartime treats scalars at or
	// above the group order — confirm if proof uniqueness matters.
	var cH [64]byte
	hash.Write(ABytes[:]) // const length
	hash.Write(BBytes[:]) // const length
	hash.Write(m)
	hash.Read(cH[:])
	edwards25519.ScReduce(&cRef, &cH)
	return cRef == c
}