in src/cg21/cg21_keygen.c [195:257]
/**
 * Validate the round-1/round-2 key-generation data of one party and, if every
 * check passes, append it to the round-3 store.
 *
 * Checks, in order (the first failure decides the return code):
 *   1. V recomputed from r2_out and sid must match r1_out->V.
 *   2. r2_out->packed_checks must unpack into myPriv->t VSS check points.
 *   3. The first check point (free term in the exponent) must match the
 *      partial public key r2_out->X.
 *   4. The x-coordinate of the received share must match the x-coordinate
 *      stored for this player (ID myPriv->i, stored at index myPriv->i - 1).
 *   5. The received share must pass VSS verification against the check points.
 *
 * @param r1_out    round-1 output carrying the V to verify
 * @param r2_out    published round-1 store: packed_checks and X are read
 * @param myPriv    this player's private store: t, n, i and shares.X are read
 * @param r2_share  share (X, Y) received for this player
 * @param sid       session identifier used when recomputing V
 * @param r3        round-3 store; packed_all_checks and packed_share_Y are
 *                  appended to, n and t are overwritten
 * @return CG21_OK on success; CG21_V_IS_NOT_VERIFIED, CG21_Xs_ARE_NOT_EQUAL or
 *         CG21_WRONG_SHARE_IS_GIVEN for checks 1, 3 and 4; otherwise the
 *         status returned by CG21_unpack or VSS_verify_shares.
 *
 * NOTE(review): myPriv->t sizes two stack VLAs and element 0 is read below,
 * and myPriv->i - 1 is used as an index, yet nothing in this function checks
 * t >= 1, an upper bound on t, or i >= 1 - confirm the callers validate them.
 * r3 is written only after all checks have passed.
 */
int CG21_KEY_GENERATE_ROUND3_1(const CG21_KEYGEN_ROUND1_output *r1_out,
                               CG21_KEYGEN_ROUND1_STORE_PUB *r2_out,
                               const CG21_KEYGEN_ROUND1_STORE_PRIV *myPriv,
                               const SSS_shares *r2_share,
                               const CG21_KEYGEN_SID *sid,
                               CG21_KEYGEN_ROUND3_STORE *r3)
{
    /* Scratch space for the recomputed V. */
    char digest_buf[SHA256];
    octet recomputed_V = {0, sizeof(digest_buf), digest_buf};

    /* One octet per VSS check point, backed by a t x (EFS_SECP256K1 + 1) array. */
    char check_buf[myPriv->t][EFS_SECP256K1 + 1];
    octet checks[myPriv->t];
    init_octets((char *)check_buf, checks, EFS_SECP256K1 + 1, myPriv->t);

    int status;

    /* 1. Recompute V and compare it with the value given in round 1.
     *    OCT_comp returning 0 is treated as a mismatch throughout. */
    CG21_KEYGEN_ROUND1_GEN_V(r2_out, sid, &recomputed_V);
    if (!OCT_comp(&recomputed_V, r1_out->V)) {
        return CG21_V_IS_NOT_VERIFIED;
    }

    /* 2. Unpack the VSS checks from r2_out->packed_checks. */
    status = CG21_unpack(r2_out->packed_checks, myPriv->t, checks, EFS_SECP256K1 + 1);
    if (status != CG21_OK) {
        return status;
    }

    /* 3. The given partial PK must equal the free term in the exponent. */
    if (!OCT_comp(&checks[0], r2_out->X)) {
        return CG21_Xs_ARE_NOT_EQUAL;
    }

    /* 4. The received share must carry this player's x-coordinate.
     *    IDs start from 1 while indices start from 0, hence i - 1. */
    if (!OCT_comp(r2_share->X, &myPriv->shares.X[myPriv->i - 1])) {
        return CG21_WRONG_SHARE_IS_GIVEN;
    }

    /* 5. VSS verification of the received share. */
    status = VSS_verify_shares(myPriv->t, r2_share->X, r2_share->Y, checks);
    if (status != VSS_OK) {
        return status;
    }

    /* All checks passed: append the packed checks and the received Y.
     * NOTE(review): no status or capacity check is visible on these appends -
     * confirm how OCT_joctet behaves when the destination octet is full. */
    OCT_joctet(r3->packed_all_checks, r2_out->packed_checks);
    OCT_joctet(r3->packed_share_Y, r2_share->Y);

    r3->n = myPriv->n;
    r3->t = myPriv->t;

    return CG21_OK;
}