snarkvm_console_account/signature/verify.rs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158
// Copyright 2024 Aleo Network Foundation
// This file is part of the snarkVM library.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at:
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
use super::*;
impl<N: Network> Signature<N> {
/// Verifies (challenge == challenge') && (address == address') where:
/// challenge' := HashToScalar(G^response pk_sig^challenge, pk_sig, pr_sig, address, message)
pub fn verify(&self, address: &Address<N>, message: &[Field<N>]) -> bool {
// Ensure the number of field elements does not exceed the maximum allowed size.
if message.len() > N::MAX_DATA_SIZE_IN_FIELDS as usize {
eprintln!("Cannot sign the signature: the signed message exceeds maximum allowed size");
return false;
}
// Retrieve pk_sig.
let pk_sig = self.compute_key.pk_sig();
// Retrieve pr_sig.
let pr_sig = self.compute_key.pr_sig();
// Compute `g_r` := (response * G) + (challenge * pk_sig).
let g_r = N::g_scalar_multiply(&self.response) + (pk_sig * self.challenge);
// Construct the hash input as (r * G, pk_sig, pr_sig, address, message).
let mut preimage = Vec::with_capacity(4 + message.len());
preimage.extend([g_r, pk_sig, pr_sig, **address].map(|point| point.to_x_coordinate()));
preimage.extend(message);
// Hash to derive the verifier challenge, and return `false` if this operation fails.
let candidate_challenge = match N::hash_to_scalar_psd8(&preimage) {
// Output the computed candidate challenge.
Ok(candidate_challenge) => candidate_challenge,
// Return `false` if the challenge errored.
Err(_) => return false,
};
// Derive the address from the compute key, and return `false` if this operation fails.
let candidate_address = match Address::try_from(self.compute_key) {
// Output the computed candidate address.
Ok(candidate_address) => candidate_address,
// Return `false` if the address errored.
Err(_) => return false,
};
// Return `true` if the candidate challenge and address are correct.
self.challenge == candidate_challenge && *address == candidate_address
}
/// Verifies a signature for the given address and message (as bytes).
pub fn verify_bytes(&self, address: &Address<N>, message: &[u8]) -> bool {
// Convert the message into bits, and verify the signature.
self.verify_bits(address, &message.to_bits_le())
}
/// Verifies a signature for the given address and message (as bits).
pub fn verify_bits(&self, address: &Address<N>, message: &[bool]) -> bool {
// Pack the bits into field elements.
match message.chunks(Field::<N>::size_in_data_bits()).map(Field::from_bits_le).collect::<Result<Vec<_>>>() {
Ok(fields) => self.verify(address, &fields),
Err(error) => {
eprintln!("Failed to verify signature: {error}");
false
}
}
}
}
#[cfg(test)]
#[cfg(feature = "private_key")]
mod tests {
use super::*;
use snarkvm_console_network::MainnetV0;
type CurrentNetwork = MainnetV0;
const ITERATIONS: u64 = 100;
#[test]
fn test_sign_and_verify() -> Result<()> {
let rng = &mut TestRng::default();
for i in 0..ITERATIONS {
// Sample an address and a private key.
let private_key = PrivateKey::<CurrentNetwork>::new(rng)?;
let address = Address::try_from(&private_key)?;
// Check that the signature is valid for the message.
let message: Vec<_> = (0..i).map(|_| Uniform::rand(rng)).collect();
let signature = Signature::sign(&private_key, &message, rng)?;
assert!(signature.verify(&address, &message));
// Check that the signature is invalid for an incorrect message.
let failure_message: Vec<_> = (0..i).map(|_| Uniform::rand(rng)).collect();
if message != failure_message {
assert!(!signature.verify(&address, &failure_message));
}
}
Ok(())
}
#[test]
fn test_sign_and_verify_bytes() -> Result<()> {
let rng = &mut TestRng::default();
for i in 0..ITERATIONS {
// Sample an address and a private key.
let private_key = PrivateKey::<CurrentNetwork>::new(rng)?;
let address = Address::try_from(&private_key)?;
// Check that the signature is valid for the message.
let message: Vec<_> = (0..i).map(|_| Uniform::rand(rng)).collect();
let signature = Signature::sign_bytes(&private_key, &message, rng)?;
assert!(signature.verify_bytes(&address, &message));
// Check that the signature is invalid for an incorrect message.
let failure_message: Vec<_> = (0..i).map(|_| Uniform::rand(rng)).collect();
if message != failure_message {
assert!(!signature.verify_bytes(&address, &failure_message));
}
}
Ok(())
}
#[test]
fn test_sign_and_verify_bits() -> Result<()> {
let rng = &mut TestRng::default();
for i in 0..ITERATIONS {
// Sample an address and a private key.
let private_key = PrivateKey::<CurrentNetwork>::new(rng)?;
let address = Address::try_from(&private_key)?;
// Check that the signature is valid for the message.
let message: Vec<_> = (0..i).map(|_| Uniform::rand(rng)).collect();
let signature = Signature::sign_bits(&private_key, &message, rng)?;
assert!(signature.verify_bits(&address, &message));
// Check that the signature is invalid for an incorrect message.
let failure_message: Vec<_> = (0..i).map(|_| Uniform::rand(rng)).collect();
if message != failure_message {
assert!(!signature.verify_bits(&address, &failure_message));
}
}
Ok(())
}
}