-
Notifications
You must be signed in to change notification settings - Fork 13
/
mixinnet_signature.go
118 lines (96 loc) · 2.54 KB
/
mixinnet_signature.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
package mixin
import (
"bytes"
"crypto/sha512"
"encoding/hex"
"fmt"
"strconv"
"github.com/fox-one/mixin-sdk-go/edwards25519"
)
type (
Signature [64]byte
)
func (privateKey *Key) Sign(message []byte) Signature {
var digest1, messageDigest, hramDigest [64]byte
var expandedSecretKey [32]byte
copy(expandedSecretKey[:], privateKey[:])
h := sha512.New()
h.Write(privateKey[:32])
h.Sum(digest1[:0])
h.Reset()
h.Write(digest1[32:])
h.Write(message)
h.Sum(messageDigest[:0])
var messageDigestReduced [32]byte
edwards25519.ScReduce(&messageDigestReduced, &messageDigest)
var R edwards25519.ExtendedGroupElement
edwards25519.GeScalarMultBase(&R, &messageDigestReduced)
var encodedR [32]byte
R.ToBytes(&encodedR)
pub := privateKey.Public()
h.Reset()
h.Write(encodedR[:])
h.Write(pub[:])
h.Write(message)
h.Sum(hramDigest[:0])
var hramDigestReduced [32]byte
edwards25519.ScReduce(&hramDigestReduced, &hramDigest)
var s [32]byte
edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced)
var signature Signature
copy(signature[:], encodedR[:])
copy(signature[32:], s[:])
return signature
}
func (publicKey *Key) VerifyWithChallenge(message []byte, sig Signature, hReduced [32]byte) bool {
var A edwards25519.ExtendedGroupElement
var publicKeyBytes [32]byte
copy(publicKeyBytes[:], publicKey[:])
if !A.FromBytes(&publicKeyBytes) {
return false
}
edwards25519.FeNeg(&A.X, &A.X)
edwards25519.FeNeg(&A.T, &A.T)
var R edwards25519.ProjectiveGroupElement
var s [32]byte
copy(s[:], sig[32:])
if !edwards25519.ScMinimal(&s) {
return false
}
edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &s)
var checkR [32]byte
R.ToBytes(&checkR)
return bytes.Equal(sig[:32], checkR[:])
}
func (publicKey *Key) Verify(message []byte, sig Signature) bool {
h := sha512.New()
h.Write(sig[:32])
h.Write(publicKey[:])
h.Write(message)
var digest [64]byte
h.Sum(digest[:0])
var hReduced [32]byte
edwards25519.ScReduce(&hReduced, &digest)
return publicKey.VerifyWithChallenge(message, sig, hReduced)
}
func (s Signature) String() string {
return hex.EncodeToString(s[:])
}
func (s Signature) MarshalJSON() ([]byte, error) {
return []byte(strconv.Quote(s.String())), nil
}
func (s *Signature) UnmarshalJSON(b []byte) error {
unquoted, err := strconv.Unquote(string(b))
if err != nil {
return err
}
data, err := hex.DecodeString(string(unquoted))
if err != nil {
return err
}
if len(data) != len(s) {
return fmt.Errorf("invalid signature length %d", len(data))
}
copy(s[:], data)
return nil
}