authorW. Kosior <koszko@koszko.org>2025-01-24 22:05:20 +0100
committerW. Kosior <koszko@koszko.org>2025-01-25 19:13:14 +0100
commit8e1d9f9a89fa2fa219679795f54511970c806d21 (patch)
treeb0ae56ca4fa912d2097faf923b963302544a0ec7
parentde168834ec90ecf77d0f66c6d22cf2cff05cda8e (diff)
Add signature verification.
-rw-r--r--README.md7
-rw-r--r--pqcrypto_blind_sig.c46
-rw-r--r--pqcrypto_blind_sig.h9
-rw-r--r--pqcrypto_blind_sig_example.c8
4 files changed, 67 insertions, 3 deletions
diff --git a/README.md b/README.md
index 9fffa1b..6948ce2 100644
--- a/README.md
+++ b/README.md
@@ -9,8 +9,9 @@ multiplication). Also, there are possibly better BS algorithms by now.
## How it works
-A simple program that signs something in memory (while printing some diagnostic
-messages) and discards the result can be invoke like this.
+This implementation includes a simple program that generates a keypair, signs
+something in memory (while printing some diagnostic messages), verifies the
+signature and discards everything. It can be invoked like this.
```
$ make run_blind_sig_example
@@ -34,6 +35,7 @@ User retries with new alpha.
User retries with new alpha.
User successfully obtained signature.
Signer acknowledged success in signing.
+Signature verified successfully.
Done, cleaning up.
$ make run_blind_sig_example
guix shell qemu -- qemu-x86_64 -cpu max blind_sig_example
@@ -58,6 +60,7 @@ Restart triggered by signer from step 3.
Restart triggered by signer from step 3.
User successfully obtained signature.
Signer acknowledged success in signing.
+Signature verified successfully.
Done, cleaning up.
```
diff --git a/pqcrypto_blind_sig.c b/pqcrypto_blind_sig.c
index 5ad7ad9..9370361 100644
--- a/pqcrypto_blind_sig.c
+++ b/pqcrypto_blind_sig.c
@@ -1120,4 +1120,48 @@ out:
*** Signature verification.
***/
-/* TODO! */
+bool blind_sig_verify(blind_sig_t const sig, blind_sig_pub_key_t const pub_key,
+ blind_sig_ctx_t const ctx) {
+ blind_sig_n_bit_buf_t commitment;
+ fmpz_poly_t epsilon;
+ fmpz_poly_t transformed_z;
+ bool result = true;
+
+ blind_sig_n_bit_buf_init(commitment, ctx);
+ fmpz_poly_init(epsilon);
+ fmpz_poly_init(transformed_z);
+
+ for (ulong i = 0; i < ctx->m; i++) {
+ if (!poly_all_abs_leq(*sig->z + i, ctx->d_g))
+ goto failed_verification;
+ }
+
+ ctx->public_commitment_function(*commitment, sig->message->buf,
+ sig->message->bytes, *sig->randomness,
+ ctx->n);
+
+ poly_mul_in_ring(epsilon, sig->epsilon, pub_key->key_poly,
+ ctx->poly_ring_ctx);
+ fmpz_poly_neg(epsilon, epsilon);
+
+ apply_homomorphism(transformed_z, sig->z, ctx);
+
+ poly_add_in_ring(epsilon, epsilon, transformed_z, ctx->poly_ring_ctx);
+
+ apply_hash(epsilon, epsilon, commitment, ctx);
+
+ if (!fmpz_poly_equal(epsilon, sig->epsilon))
+ goto failed_verification;
+
+ goto out;
+
+failed_verification:
+ result = false;
+
+out:
+ blind_sig_n_bit_buf_t_clear(commitment, ctx);
+ fmpz_poly_clear(epsilon);
+ fmpz_poly_clear(transformed_z);
+
+ return result;
+}
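Review bot: blind_sig_verify is the public verification entry point but carries no comment saying what it checks or what the boolean means; I would put a header comment above the definition (and mirror it in pqcrypto_blind_sig.h) along the lines of `/* Verify a finished blind signature against pub_key: every z[i] must satisfy ||z[i]||_inf <= ctx->d_g, and the challenge must satisfy epsilon == H(h(z) - S*epsilon, com(message, randomness)); returns true only if both hold. */`. The in-place calls `fmpz_poly_neg(epsilon, epsilon)`, `poly_add_in_ring(epsilon, epsilon, transformed_z, ...)` and `apply_hash(epsilon, epsilon, commitment, ctx)` rely on the callee accepting an output that aliases an input — FLINT's fmpz_poly_neg does, but poly_add_in_ring and apply_hash are project helpers outside this hunk and should be confirmed (or documented) as aliasing-safe. Note also that the message and commitment randomness are taken from `sig` itself rather than from the caller, so a verifier that already holds the expected message must still compare it with `sig->message` after this returns true; that is worth stating in the comment, or the function could take the message as a parameter. Minor: the buffer is initialised with `blind_sig_n_bit_buf_init` but released with `blind_sig_n_bit_buf_t_clear`; if both spellings exist, the `_t_` variant looks like a leftover and the pair should match.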
diff --git a/pqcrypto_blind_sig.h b/pqcrypto_blind_sig.h
index 2193bf2..fb8e1e9 100644
--- a/pqcrypto_blind_sig.h
+++ b/pqcrypto_blind_sig.h
@@ -250,4 +250,13 @@ void blind_sig_proto_p5_init_do(blind_sig_proto_p5_t result,
blind_sig_proto_p4_t const p4_result,
blind_sig_ctx_t const ctx);
+
+
+/***
+ *** Signature verification function stub.
+ ***/
+
+bool blind_sig_verify(blind_sig_t const sig, blind_sig_pub_key_t const pub_key,
+ blind_sig_ctx_t const ctx);
+
#endif /* PQCRYPTO_BLIND_SIG_H */
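Review bot: The banner added above the prototype still reads "Signature verification function stub." although this commit replaces the `/* TODO! */` with a real implementation, so the header now misdescribes the function. I would change it to `*** Signature verification.` to match the banner in pqcrypto_blind_sig.c and add a contract comment on the prototype, e.g. `/* Check the infinity-norm bound on sig->z and recompute the challenge from sig->message/sig->randomness and pub_key; returns true iff the signature is valid. Does not compare the message to anything the caller holds. */`.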
diff --git a/pqcrypto_blind_sig_example.c b/pqcrypto_blind_sig_example.c
index be3bb33..f471f8f 100644
--- a/pqcrypto_blind_sig_example.c
+++ b/pqcrypto_blind_sig_example.c
@@ -86,6 +86,14 @@ p1:
goto p1;
}
+/* verification: */
+ if (!p4_result->needs_restart) {
+ if (blind_sig_verify(sig, pub_key, ctx))
+ fprintf(stderr, "Signature verified successfully.\n");
+ else
+ fprintf(stderr, "Signature not valid.\n");
+ }
+
/* out: */
if (!p4_result->needs_restart)
blind_sig_clear(sig, ctx);
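Review bot: The new failure branch only prints "Signature not valid." and does not change the process exit status, so `make run_blind_sig_example` still succeeds when verification fails and the example cannot serve as a regression check for blind_sig_verify; the enclosing function starts before this hunk, so I cannot see whether its return value is set elsewhere. Unless it already is, I would keep a status variable and set it here, `else { fprintf(stderr, "Signature not valid.\n"); status = EXIT_FAILURE; }`, and return `status` from main. It would also be worth exercising the negative path once (e.g. verifying after flipping a coefficient of the signature) so the example demonstrates rejection as well as acceptance.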