def verify(self, vk, M, sig):
mid = cldiv(self.l_G, 8)
(Rbar, Sbar) = (sig[:mid], sig[mid:]) # TODO: bitlength(r_j)
R = Point.from_bytes(Rbar)
S = leos2ip(Sbar)
c = h_star(Rbar + M)
return R and S < r_j and self.P_g * Fr(S) == R + vk * c
def __init__(self, rand):
self.cv = find_group_hash(b'TVRandPt', rand.b(32))
self.anchor = Fq(leos2ip(rand.b(32)))
self.nullifier = rand.b(32)
self.rk = Point.rand(rand)
self.proof = GrothProof(rand)
self.spendAuthSig = rand.b(64) # Invalid
def group_hash(D, M):
digest = blake2s(person=D)
digest.update(CRS)
digest.update(M)
p = Point.from_bytes(digest.digest())
if not p:
return None
q = p * JUBJUB_COFACTOR
if q == Point.ZERO:
return None
return q