in src/cg21/cg21_presign.c [602:664]
int CG21_PRESIGN_OUTPUT_2_1(const CG21_PRESIGN_ROUND3_OUTPUT *r3hisOutput,
const CG21_PRESIGN_ROUND3_OUTPUT *r3myOutput,
CG21_PRESIGN_ROUND4_STORE_1 *r4Store,
int status){
/*
* status = 0 first call
* status = 1 neither first call, nor last call
* status = 2 last call
* status = 3 first and last call (t=2)
* ---------STEP 1: compute delta and Delta ----------
* delta: \sum delta_i
* Delta: \prod Delta_j
*/
BIG_256_56 sum;
if (status==0 || status ==3){
OCT_copy(r4Store->Delta, r3myOutput->Delta);
OCT_copy(r4Store->delta, r3myOutput->delta);
}
// \prod Delta_j
CG21_ADD_TWO_PK(r4Store->Delta, r3hisOutput->Delta);
BIG_256_56_fromBytesLen(sum, r4Store->delta->val, r4Store->delta->len);
CG21_MTA_ACCUMULATOR_ADD(sum, r3hisOutput->delta);
BIG_256_56_toBytes(r4Store->delta->val, sum);
r4Store->delta->len = EGS_SECP256K1;
BIG_256_56_zero(sum);
/*
* ---------STEP 2: check g^\delta == \prod \Delta_j -----------
*/
if (status==2 || status ==3){
ECP_SECP256K1 G;
BIG_256_56 s;
char tt[EFS_SECP256K1 + 1];
octet deltaG = {0, sizeof(tt), tt};
ECP_SECP256K1_generator(&G);
BIG_256_56_fromBytesLen(s, r4Store->delta->val, r4Store->delta->len);
ECP_SECP256K1_mul(&G, s);
ECP_SECP256K1_toOctet(&deltaG, &G, true);
BIG_256_56_zero(s);
ECP_SECP256K1_inf(&G);
int rc = OCT_comp(r4Store->Delta, &deltaG);
OCT_clear(&deltaG);
if (rc==0){
return CG21_PRESIGN_DELTA_NOT_VALID;
}
}
return CG21_OK;
}