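def verify(self, vk, M, sig):
    """Verify the RedDSA signature `sig` on message `M` under key `vk`.

    Returns True only when all of the following hold:
      * `sig` is exactly cldiv(l_G, 8) + cldiv(bitlength(r_j), 8) bytes,
      * the R component decodes to a group element,
      * S is a canonical scalar, i.e. S < r_j,
      * P_g * S == R + vk * c, with c = h_star(Rbar || M).
    Malformed input yields False rather than raising.

    Args:
        vk: the verification key (a group element).
        M: the message; concatenated with Rbar, so bytes are expected.
        sig: the encoded signature Rbar || Sbar as bytes.
    """
    mid = cldiv(self.l_G, 8)
    # Sbar must be exactly cldiv(bitlength(r_j), 8) bytes.  Slicing alone
    # would accept a trailing-zero-padded (or truncated) Sbar whose value is
    # still < r_j, so a non-canonical encoding of a valid signature would
    # verify; fixing the length closes that.
    if len(sig) != mid + cldiv(r_j.bit_length(), 8):
        return False
    (Rbar, Sbar) = (sig[:mid], sig[mid:])
    R = Point.from_bytes(Rbar)
    if not R:
        # NOTE(review): presumably from_bytes returns a falsy value for an
        # invalid encoding; the truthiness test is the same one used before.
        return False
    S = leos2ip(Sbar)
    # Reject scalars that are not reduced; S == r_j etc. would be malleable.
    if not (S < r_j):
        return False
    c = h_star(Rbar + M)
    return self.P_g * Fr(S) == R + vk * c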
def pedersen_hash_to_point(D, M):
    """Pedersen-hash the bit sequence `M` to a curve point.

    `M` is zero-padded to a multiple of 3 bits, cut into segments of
    3 * c bits (c is a module-level constant), and each segment i
    (1-based) is encoded with encode_segment and multiplied by the
    generator I_D_i(D, i).  The result is the sum of those terms
    starting from Point.ZERO, so an empty `M` hashes to Point.ZERO.

    Args:
        D: the personalization passed through to I_D_i.
        M: a list of bits (0/1 ints).

    Returns:
        The resulting Point.
    """
    padded = M + [0] * ((-len(M)) % 3)
    assert len(padded) % 3 == 0
    seg_bits = 3 * c
    expected_segments = cldiv(len(padded), seg_bits)
    segments = [padded[j:j + seg_bits] for j in range(0, len(padded), seg_bits)]
    assert len(segments) == expected_segments
    # Left fold from the identity, exactly as sum(..., Point.ZERO) would do.
    acc = Point.ZERO
    for idx, seg in enumerate(segments, start=1):
        acc = acc + I_D_i(D, idx) * encode_segment(seg)
    return acc
def ff1_aes256_decrypt(key, tweak, x):
    """Decrypt `x` with FF1 format-preserving encryption, radix 2, 10 rounds.

    Follows the FF1 decryption loop (rounds 9 down to 0) with
    aes_cbcmac(key, .) as the PRF; the MAC output is truncated to d bytes,
    which is asserted to fit in a single block (d <= 16).  Only the
    balanced case is supported: len(x) must split into two equal halves.

    Args:
        key: passed straight through to aes_cbcmac.
        tweak: tweak bytes, at most maxTlen long.
        x: a sequence of bits of length in [minlen, maxlen]; the halves are
           concatenated with `+`, so the same type STR_2 returns is expected.

    Returns:
        The decrypted bit sequence, same length as `x`.
    """
    n = len(x)
    t = len(tweak)
    assert minlen <= n and n <= maxlen
    assert t <= maxTlen
    u = n // 2
    v = n - u
    assert u == v
    left, right = x[:u], x[u:]
    assert radix == 2
    b = cldiv(v, 8)
    d = 4 * cldiv(b, 4) + 4
    assert d <= 16
    # Fixed prefix block P: version, method, addition, radix (3 bytes),
    # rounds, u mod 256, then n and t as 4-byte big-endian values.
    P = bytes([1, 2, 1, 0, 0, radix, 10, u % 256, 0, 0, 0, n, 0, 0, 0, t])
    # The zero padding and the modulus do not change between rounds.
    zero_pad = b'\0' * ((-t - b - 1) % 16)
    modulus = 1 << u
    for round_idx in reversed(range(10)):
        Q = tweak + zero_pad + bytes([round_idx]) + bebs2osp(left)
        y = beos2ip(aes_cbcmac(key, P + Q)[:d])
        new_left = STR_2(u, (NUM_2(right) - y) % modulus)
        right = left
        left = new_left
    return left + right