def verify(self, vk, M, sig): mid = cldiv(self.l_G, 8) (Rbar, Sbar) = (sig[:mid], sig[mid:]) # TODO: bitlength(r_j) R = Point.from_bytes(Rbar) S = leos2ip(Sbar) c = h_star(Rbar + M) return R and S < r_j and self.P_g * Fr(S) == R + vk * c
def __init__(self, rand): self.cv = find_group_hash(b'TVRandPt', rand.b(32)) self.anchor = Fq(leos2ip(rand.b(32))) self.nullifier = rand.b(32) self.rk = Point.rand(rand) self.proof = GrothProof(rand) self.spendAuthSig = rand.b(64) # Invalid
def group_hash(D, M): digest = blake2s(person=D) digest.update(CRS) digest.update(M) p = Point.from_bytes(digest.digest()) if not p: return None q = p * JUBJUB_COFACTOR if q == Point.ZERO: return None return q