Skip to content

Commit

Permalink
Make StreamVerifier use ComputeR
Browse files Browse the repository at this point in the history
This allows it to use the same implementation as non-stream signature
verification.
  • Loading branch information
mkj committed Jun 12, 2023
1 parent 915fb7d commit f1b7303
Showing 1 changed file with 11 additions and 24 deletions.
35 changes: 11 additions & 24 deletions src/verifying/stream.rs
Original file line number Diff line number Diff line change
@@ -1,55 +1,42 @@
use curve25519_dalek::{edwards::EdwardsPoint, scalar::Scalar};
use sha2::{Digest, Sha512};
use curve25519_dalek::edwards::CompressedEdwardsY;
use sha2::Sha512;

use crate::verifying::ComputeR;
use crate::{signature::InternalSignature, InternalError, SignatureError, VerifyingKey};

/// An IUF verifier for ed25519.
///
/// Created with [`VerifyingKey::verify_stream()`] or [`SigningKey::verify_stream()`].
///
/// [`SigningKey::verify_stream()`]: super::SigningKey::verify_stream()
#[derive(Debug)]
#[allow(non_snake_case)]
pub struct StreamVerifier {
/// Public key to verify with.
pub(crate) public_key: VerifyingKey,

/// Candidate signature to verify against.
pub(crate) signature: InternalSignature,

/// Hash state.
pub(crate) hasher: Sha512,
cr: ComputeR<Sha512>,
sig_R: CompressedEdwardsY,
}

impl StreamVerifier {
/// Constructs new stream verifier.
///
/// Seeds hash state with public key and signature components.
pub(crate) fn new(public_key: VerifyingKey, signature: InternalSignature) -> Self {
let mut hasher = Sha512::new();
hasher.update(signature.R.as_bytes());
hasher.update(public_key.as_bytes());

Self {
public_key,
hasher,
signature,
cr: ComputeR::new(&public_key, signature, None),
sig_R: signature.R,
}
}

/// Digest message chunk.
pub fn update(&mut self, chunk: impl AsRef<[u8]>) {
self.hasher.update(&chunk);
self.cr.update(chunk.as_ref());
}

/// Finalize verifier and check against candidate signature.
#[allow(non_snake_case)]
pub fn finalize_and_verify(self) -> Result<(), SignatureError> {
let minus_A: EdwardsPoint = -self.public_key.point;
let k = Scalar::from_hash(self.hasher);
let R =
EdwardsPoint::vartime_double_scalar_mul_basepoint(&k, &(minus_A), &self.signature.s);
let expected_R = self.cr.finish();

if R.compress() == self.signature.R {
if expected_R == self.sig_R {
Ok(())
} else {
Err(InternalError::Verify.into())
Expand Down

0 comments on commit f1b7303

Please sign in to comment.