in src/shamir.c [317:366]
/**
 * @brief Verify one Shamir share (X_j, Y_j) against the k public check points C.
 *
 * Recomputes V = C[0] + x*C[1] + x^2*C[2] + ... + x^(k-1)*C[k-1] on secp256k1,
 * reducing each power of x modulo the curve order before it is used as a
 * scalar, and compares V with y*G, where G is the curve generator.
 *
 * @param k   Number of check points in C; C[0..k-1] are read.
 * @param X_j Share abscissa x, decoded with BIG_256_56_fromBytesLen.
 * @param Y_j Share value y, decoded with BIG_256_56_fromBytesLen.
 * @param C   Array of k octets, each an encoded ECP_SECP256K1 point.
 * @return VSS_OK when y*G == V; VSS_INVALID_CHECKS when any C[i] does not
 *         decode as a curve point; VSS_INVALID_SHARES when the comparison fails.
 */
int VSS_verify_shares(int k, const octet *X_j, const octet *Y_j, const octet *C)
{
    BIG_256_56 order;
    BIG_256_56 x;
    BIG_256_56 x_pow;
    BIG_256_56 y;
    DBIG_256_56 prod;
    ECP_SECP256K1 acc;
    ECP_SECP256K1 term;

    BIG_256_56_rcopy(order, CURVE_Order_SECP256K1);
    BIG_256_56_fromBytesLen(x, X_j->val, X_j->len);

    /* C[0] seeds the accumulator (its coefficient x^0 is 1). */
    if (ECP_SECP256K1_fromOctet(&acc, C) != 1)
    {
        return VSS_INVALID_CHECKS;
    }
    BIG_256_56_one(x_pow);

    /* Accumulate the remaining terms: acc += x^i * C[i] for i = 1..k-1. */
    for (int i = 1; i < k; i++)
    {
        if (ECP_SECP256K1_fromOctet(&term, C + i) != 1)
        {
            return VSS_INVALID_CHECKS;
        }

        /* x_pow <- x_pow * x mod order; the double-width product is reduced
         * so the scalar handed to ECP_SECP256K1_mul stays below the order. */
        BIG_256_56_mul(prod, x_pow, x);
        BIG_256_56_dmod(x_pow, prod, order);

        ECP_SECP256K1_mul(&term, x_pow);
        ECP_SECP256K1_add(&acc, &term);
    }

    /* Expected value y*G.
     * NOTE(review): y is not reduced modulo the curve order before the
     * multiplication; confirm ECP_SECP256K1_mul accepts any BIG scalar. */
    ECP_SECP256K1_generator(&term);
    BIG_256_56_fromBytesLen(y, Y_j->val, Y_j->len);
    ECP_SECP256K1_mul(&term, y);

    if (!ECP_SECP256K1_equals(&term, &acc))
    {
        return VSS_INVALID_SHARES;
    }

    return VSS_OK;
}