def verify(self, vk, M, sig):
mid = cldiv(self.l_G, 8)
(Rbar, Sbar) = (sig[:mid], sig[mid:]) # TODO: bitlength(r_j)
R = Point.from_bytes(Rbar)
S = leos2ip(Sbar)
c = h_star(Rbar + M)
return R and S < r_j and self.P_g * Fr(S) == R + vk * c
def group_hash(D, M):
digest = blake2s(person=D)
digest.update(CRS)
digest.update(M)
p = Point.from_bytes(digest.digest())
if not p:
return None
q = p * JUBJUB_COFACTOR
if q == Point.ZERO:
return None
return q