Esempio n. 1
/**
 * Check a signature over a message against a public key.
 *
 * The signature buffer is read in two parts: a field element at offset 0
 * (the serialized [nonce]G) and a scalar at offset GOLDI_FIELD_BYTES, which
 * is decoded relative to curve_prime_order.
 *
 * @param signature    GOLDI_SIGNATURE_BYTES bytes of signature.
 * @param message      Message bytes that were signed.
 * @param message_len  Length of message in bytes.
 * @param pubkey       Signer's public key; dereferenced without a NULL check,
 *                     so the caller must pass a valid pointer.
 * @return 0 if the signature verifies, GOLDI_EUNINIT if the library is not
 *         initialized, GOLDI_EINVAL for any decoding or verification failure.
 *
 * Every rejection after the init check returns the same GOLDI_EINVAL code, so
 * callers cannot tell a malformed encoding from a wrong signature.
 */
int
goldilocks_verify (
    const uint8_t signature[GOLDI_SIGNATURE_BYTES],
    const uint8_t *message,
    uint64_t message_len,
    const struct goldilocks_public_key_t *pubkey
) {
    struct field_t pub_elem;
    struct field_t nonce_elem;
    struct tw_extensible_t point;
    word_t response[GOLDI_FIELD_WORDS];
    word_t challenge[GOLDI_FIELD_WORDS];
    mask_t ok;

    if (!goldilocks_check_init()) {
        return GOLDI_EUNINIT;
    }

    /* Decode the public key as a field element. */
    ok = field_deserialize(&pub_elem, pubkey->opaque);
    if (!ok) {
        return GOLDI_EINVAL;
    }

    /* Decode the scalar half of the signature; a failed decode is rejected
     * before any group arithmetic is done with it. */
    ok = barrett_deserialize(response, &signature[GOLDI_FIELD_BYTES], &curve_prime_order);
    if (!ok) {
        return GOLDI_EINVAL;
    }

    /* The challenge is derived from the public key, the signature buffer and
     * the message. */
    goldilocks_derive_challenge(challenge, pubkey->opaque, signature, message, message_len);

    /* Decode [nonce]G from the start of the signature. */
    ok = field_deserialize(&nonce_elem, signature);
    if (!ok) {
        return GOLDI_EINVAL;
    }

    ok = deserialize_and_twist_approx(&point, &sqrt_d_minus_1, &pub_elem);
    if (!ok) {
        return GOLDI_EINVAL;
    }

    /* NOTE(review): the _vt suffix presumably means variable-time. All inputs
     * here (challenge, response scalar, public key) are public values, which
     * is what would make that acceptable in verification -- confirm. */
    linear_combo_var_fixed_vt( &point,
        challenge, GOLDI_SCALAR_BITS,
        response, GOLDI_SCALAR_BITS,
        goldilocks_global.wnafs, WNAF_PRECMP_BITS );

    /* pub_elem is reused as scratch for the serialized result. */
    untwist_and_double_and_serialize( &pub_elem, &point );

    /* Accept only if the recomputed element equals the decoded nonce element,
     * i.e. their difference is zero.
     * NOTE(review): field_bias presumably adjusts the representation after
     * the subtraction so the zero test is reliable -- confirm. */
    field_sub(&nonce_elem, &nonce_elem, &pub_elem);
    field_bias(&nonce_elem, 2);

    ok = field_is_zero(&nonce_elem);
    if (!ok) {
        return GOLDI_EINVAL;
    }
    return 0;
}
Esempio n. 2
/**
 * Allocate a precomputed form of a public key: a fixed-base table for the
 * key plus a copy of the key itself.
 *
 * @param pub  Public key to precompute; dereferenced without a NULL check,
 *             so the caller must pass a valid pointer.
 * @return A malloc'd structure owned by the caller, or NULL if allocation
 *         fails, the key does not decode, or table precomputation fails.
 *
 * NULL is the only failure signal, so callers cannot tell an out-of-memory
 * condition from an invalid key.
 */
struct goldilocks_precomputed_public_key_t *
goldilocks_precompute_public_key (
    const struct goldilocks_public_key_t *pub
) {
    struct field_t decoded;
    struct tw_extensible_t twisted;
    struct goldilocks_precomputed_public_key_t *result = malloc(sizeof *result);
    mask_t ok;

    if (result == NULL) {
        return NULL;
    }

    /* Each step runs only if the previous one succeeded. */
    ok = field_deserialize(&decoded, pub->opaque);
    if (ok) {
        ok = deserialize_and_twist_approx(&twisted, &sqrt_d_minus_1, &decoded);
    }
    if (ok) {
        ok = precompute_fixed_base(&result->table, &twisted,
                                   COMB_N, COMB_T, COMB_S, NULL);
    }

    if (!ok) {
        /* NOTE(review): only the outer struct is released here; confirm that
         * precompute_fixed_base leaves nothing allocated inside the table
         * when it reports failure. */
        free(result);
        return NULL;
    }

    /* Copies sizeof(*pub) bytes; assumes result->pub has the same type as
     * *pub -- confirm against the struct definition. */
    memcpy(&result->pub, pub, sizeof(*pub));

    return result;
}