public static Signature Sign(SigningTranscript st, SecretKey secretKey, PublicKey publicKey, RandomGenerator rng)
{
st.SetProtocolName(GetStrBytes("Schnorr-sig"));
st.CommitPoint(GetStrBytes("sign:pk"), publicKey.Key);
var r = st.WitnessScalar(GetStrBytes("signing"), secretKey.nonce, rng);
var tbl = new RistrettoBasepointTable();
var R = tbl.Mul(r).Compress();
st.CommitPoint(GetStrBytes("sign:R"), R);
Scalar k = st.ChallengeScalar(GetStrBytes("sign:c")); // context, message, A/public_key, R=rG
k.Recalc();
secretKey.key.Recalc();
r.Recalc();
var scalar = k.ScalarInner * secretKey.key.ScalarInner + r.ScalarInner;
var s = new Scalar {
ScalarBytes = scalar.ToBytes()
};
s.Recalc();
return(new Signature {
R = R, S = s
});
}
internal static bool Verify(SigningTranscript st, Signature sig, PublicKey publicKey)
{
st.SetProtocolName(GetStrBytes("Schnorr-sig"));
st.CommitPoint(GetStrBytes("pk"), publicKey.Key);
st.CommitPoint(GetStrBytes("no"), sig.R);
var k = st.ChallengeScalar(GetStrBytes("")); // context, message, A/public_key, R=rG
var ep = publicKey.GetEdwardsPoint().Negate();
var R = RistrettoPoint.VartimeDoubleScalarMulBasepoint(k, ep, sig.S);
return(new RistrettoPoint(R).Compress().Equals(sig.R));
}
