in src/hidden_dlog.c [235:283]
int HDLOG_verify(BIG_1024_58 *N, BIG_1024_58 *B0, BIG_1024_58 *B1, HDLOG_iter_values RHO, const octet *E, HDLOG_iter_values T)
{
int i;
int mask;
BIG_1024_58 ws[FFLEN_2048];
BIG_1024_58 dws[2 * FFLEN_2048];
BIG_1024_58 ND[FFLEN_2048];
BIG_1024_58 PT_mem[N_SIZE][FFLEN_2048];
BIG_1024_58 *PT[N_SIZE];
for (i = 0; i < N_SIZE; i++)
{
PT[i] = PT_mem[i];
}
FF_2048_invmod2m(ND, N, FFLEN_2048);
FF_2048_bi_precompute(&B0, PT, 1, N_WINDOW, N, ND, FFLEN_2048);
for (i = 0; i < HDLOG_CHALLENGE_SIZE; i++)
{
mask = 0x80;
while (mask)
{
FF_2048_bi_pow(ws, PT, (BIG_1024_58 **)(&T), 1, N_WINDOW, N, ND, FFLEN_2048, FFLEN_2048);
// No need to be constant time over the value of E
// since it is public
if (E->val[i] & mask)
{
FF_2048_mul(dws, ws, B1, FFLEN_2048);
FF_2048_dmod(ws, dws, N, FFLEN_2048);
}
if (FF_2048_comp(ws, *RHO, FFLEN_2048))
{
return HDLOG_FAIL;
}
// Advance mask and iter values
mask>>=1;
RHO++;
T++;
}
}
return HDLOG_OK;
}