in src/cg21/cg21_sign.c [22:125]
int CG21_SIGN_ROUND1(octet *msg,
const CG21_PRESIGN_ROUND4_STORE_2 *pre,
CG21_SIGN_ROUND1_STORE *store,
CG21_SIGN_ROUND1_OUTPUT *out){
/* ---------STEP 1: obtain R_x ----------
* r: get x component of R
*/
ECP_SECP256K1 R;
BIG_256_56 q;
BIG_256_56 x;
BIG_256_56 y;
// Curve order
BIG_256_56_rcopy(q, CURVE_Order_SECP256K1);
if (!ECP_SECP256K1_fromOctet(&R, pre->R))
{
return CG21_INVALID_ECP;
}
// get rx, ry of R
ECP_SECP256K1_get(x, y, &R);
// r = rx mod q
BIG_256_56_mod(x, q);
if (BIG_256_56_iszilch(x))
{
return CG21_SIGN_r_IS_ZERO;
}
// store r component of signature
store->r->len=EGS_SECP256K1;
BIG_256_56_toBytes(store->r->val,x);
BIG_256_56_zero(x);
BIG_256_56_zero(y);
/* ---------STEP 2: compute sigma ----------
* sigma: km + r\chi mod q
*/
char hm[SHA256_HASH_SIZE];
octet HM = {0,sizeof(hm),hm};
// hash message and store it in HM
ehashit(HASH_TYPE_SECP256K1, msg, -1, NULL, &HM, MODBYTES_256_56);
BIG_256_56 m;
BIG_256_56 r;
BIG_256_56 k;
BIG_256_56 chi;
BIG_256_56 km;
BIG_256_56 rchi;
BIG_256_56 sigma;
// Load values
BIG_256_56_fromBytes(m, HM.val);
BIG_256_56_fromBytes(r, store->r->val);
BIG_256_56_fromBytes(k, pre->k->val);
BIG_256_56_fromBytes(chi, pre->chi->val);
// km = k.m mod q
BIG_256_56_modmul(km, k, m, q);
// rchi = r.chi mod q
BIG_256_56_modmul(rchi, r, chi, q);
// s = km + rchi mod q
BIG_256_56_add(sigma, km, rchi);
BIG_256_56_mod(sigma, q);
if (BIG_256_56_iszilch(sigma))
{
// clean memory
BIG_256_56_zero(r);
BIG_256_56_zero(k);
BIG_256_56_zero(chi);
BIG_256_56_zero(km);
BIG_256_56_zero(rchi);
return CG21_SIGN_SIGMA_IS_ZERO;
}
// store and output result
store->i = pre->i;
out->i = pre->i;
store->sigma->len = EGS_SECP256K1;
BIG_256_56_toBytes(store->sigma->val, sigma);
OCT_copy(out->sigma, store->sigma);
BIG_256_56_zero(r);
BIG_256_56_zero(k);
BIG_256_56_zero(chi);
BIG_256_56_zero(km);
BIG_256_56_zero(rchi);
BIG_256_56_zero(sigma);
return CG21_OK;
}