def verify(self, vk, M, sig): mid = cldiv(self.l_G, 8) (Rbar, Sbar) = (sig[:mid], sig[mid:]) # TODO: bitlength(r_j) R = Point.from_bytes(Rbar) S = Fr.from_bytes(Sbar) c = h_star(Rbar + M) return R and S.s == leos2ip(Sbar) and self.P_g * S == R + vk * c
def ivk(self): return Fr.from_bytes(crh_ivk(bytes(self.ak()), bytes(self.nk())))
def nsk(self): return Fr.from_bytes(prf_expand(self.data, b'\1'))