package pblind
import (
"crypto/elliptic"
"crypto/subtle"
"math/big"
)
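// Check reports whether sig is a valid signature on msg with respect to the
// public key pk and the common, public information info.
//
// With the signature components P, W, O, G read as scalars, the verifier
// recomputes
//
//	h = hashToScalar(curve, enc(P*G + W*Y) || enc(O*G + G*Z) || enc(Z) || msg)
//
// where Y is the public-key point (pk.x, pk.y), Z the point carried by info,
// G the base point and enc the uncompressed point encoding, and accepts iff
// (W + G) mod N == h. This has the shape of the Abe–Okamoto partially blind
// signature verification equation (scheme attribution is inferred from the
// package, not stated in this file).
//
// Check returns false for signatures whose scalars are rejected by
// isScalarBad, and additionally for pk or info points that are not on the
// curve, since no signature may verify against an invalid point. Point
// encodings have a fixed length for a given curve, so the concatenation fed
// to the hash is unambiguous without separators.
//
// isScalarBad and hashToScalar are defined elsewhere in the package. The
// final comparison assumes hashToScalar returns a non-negative value already
// reduced mod N (if it did not, a valid signature could never equal lhs) —
// confirm against its definition.
func (pk PublicKey) Check(sig Signature, info Info, msg []byte) bool {
	curve := pk.curve
	params := curve.Params()

	// Scalars first: isScalarBad guards the range of each component so the
	// multiplications below run on well-formed inputs.
	if isScalarBad(params, sig.P) || isScalarBad(params, sig.W) ||
		isScalarBad(params, sig.O) || isScalarBad(params, sig.G) {
		return false
	}

	// Points next: ScalarMult on an off-curve point is undefined by the
	// Curve contract (recent crypto/elliptic releases panic on it), so reject
	// such inputs explicitly rather than relying on that behaviour.
	if !curve.IsOnCurve(pk.x, pk.y) || !curve.IsOnCurve(info.x, info.y) {
		return false
	}

	// lhs = (W + G) mod N
	lhs := new(big.Int).Add(sig.W, sig.G)
	lhs.Mod(lhs, params.N)

	// Hash input: enc(P*G + W*Y) || enc(O*G + G*Z) || enc(Z) || msg.
	hin := make([]byte, 0, 1024)
	hin = appendBaseAndPointMul(hin, curve, sig.P, pk.x, pk.y, sig.W)
	hin = appendBaseAndPointMul(hin, curve, sig.O, info.x, info.y, sig.G)
	hin = append(hin, elliptic.Marshal(curve, info.x, info.y)...)
	hin = append(hin, msg...)
	hsh := hashToScalar(curve, hin)

	// Every value compared here is public, so constant time is not needed for
	// secrecy (and the big.Int arithmetic above is not constant time either);
	// the call is kept as a canonical equality check: for non-negative values
	// the minimal big-endian encodings are equal iff the values are.
	return subtle.ConstantTimeCompare(lhs.Bytes(), hsh.Bytes()) == 1
}

// appendBaseAndPointMul appends the uncompressed encoding of a*G + b*(x, y)
// to dst, where G is the base point of curve, and returns the extended slice.
//
// Marshal, ScalarBaseMult, ScalarMult and Add are deprecated as of Go 1.21
// (low-level, unsafe API); they are retained because this package's types are
// built on the elliptic.Curve interface.
func appendBaseAndPointMul(dst []byte, curve elliptic.Curve, a, x, y, b *big.Int) []byte {
	x1, y1 := curve.ScalarBaseMult(a.Bytes())
	x2, y2 := curve.ScalarMult(x, y, b.Bytes())
	x3, y3 := curve.Add(x1, y1, x2, y2)
	return append(dst, elliptic.Marshal(curve, x3, y3)...)
}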