def verify(self, vk, M, sig):
mid = cldiv(self.l_G, 8)
(Rbar, Sbar) = (sig[:mid], sig[mid:]) # TODO: bitlength(r_j)
R = Point.from_bytes(Rbar)
S = Fr.from_bytes(Sbar)
c = h_star(Rbar + M)
return R and S.s == leos2ip(Sbar) and self.P_g * S == R + vk * c
def ivk(self):
return Fr.from_bytes(crh_ivk(bytes(self.ak()), bytes(self.nk())))
def nsk(self):
return Fr.from_bytes(prf_expand(self.data, b'\1'))
