//! DSA signatures on a prime-order cyclic group.
dbg(GEN, ORDER);
gen = || {
sk = rand_scalar();
#{ sk, pk: GEN ^ sk }
};
sign = |message, sk| {
k = rand_scalar();
r = (GEN ^ k).to_scalar();
s = (hash_to_scalar(message) + sk * r) / k;
#{ r, s }
};
verify = |{ r, s }, message, pk| {
(u1, u2) = (hash_to_scalar(message) / s, r / s);
(GEN ^ u1 * pk ^ u2).to_scalar() == r
};
// Test!
{ sk, pk } = gen();
{ pk: other_pk } = gen();
5.while(|i| i != 0, |i| {
message = rand_scalar();
dbg(message);
signature = message.sign(sk);
dbg(signature);
assert(signature.verify(message, pk));
assert(!signature.verify(message, other_pk));
assert(!signature.verify(rand_scalar(), pk));
i - 1
});