Transcript challenge bytes. (#1399)

Signed-off-by: iceseer <iceseer@gmail.com>
qdrvm · Nov 22, 2022 · a635da3 · a635da3
1 parent d4505e2
commit a635da3
Showing 1 changed file with 33 additions and 15 deletions.
diff --git a/core/primitives/transcript.hpp b/core/primitives/transcript.hpp
@@ -10,28 +10,28 @@
 
 namespace kagome::primitives {
 
+  template <typename T>
+  inline void decompose(const T &value, uint8_t (&dst)[sizeof(value)]) {
+    static_assert(std::is_pod_v<T>, "T must be pod!");
+    static_assert(!std::is_reference_v<T>, "T must not be a reference!");
+
+    for (size_t i = 0; i < sizeof(value); ++i) {
+#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
+      dst[sizeof(value) - i - 1] =
+#else
+      dst[i] =
+#endif
+          static_cast<uint8_t>((value >> (8 * i)) & 0xff);
+    }
+  }
+
   /**
    * C++ implementation of
    * https://github.com/dalek-cryptography/merlin
    */
   class Transcript final {
     Strobe strobe_;
 
-    template <typename T>
-    inline void decompose(const T &value, uint8_t (&dst)[sizeof(value)]) {
-      static_assert(std::is_pod_v<T>, "T must be pod!");
-      static_assert(!std::is_reference_v<T>, "T must not be a reference!");
-
-      for (size_t i = 0; i < sizeof(value); ++i) {
-#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
-        dst[sizeof(value) - i - 1] =
-#else
-        dst[i] =
-#endif
-            static_cast<uint8_t>((value >> (8 * i)) & 0xff);
-      }
-    }
-
    public:
     Transcript() = default;
 
@@ -67,6 +67,24 @@ namespace kagome::primitives {
       append_message(label, tmp);
     }
 
+    /// Fill the supplied buffer with the verifier's challenge bytes.
+    ///
+    /// The `label` parameter is metadata about the challenge, and is
+    /// also appended to the transcript.  See the [Transcript
+    /// Protocols](https://merlin.cool/use/protocol.html) section of
+    /// the Merlin website for details on labels.
+    template <typename T, size_t N, typename K, size_t M>
+    void challenge_bytes(const T (&label)[N], K (&dest)[M]) {
+      const uint32_t data_len = sizeof(dest);
+      strobe_.metaAd<false>(label);
+
+      uint8_t tmp[sizeof(data_len)];
+      decompose(data_len, tmp);
+
+      strobe_.metaAd<true>(tmp);
+      strobe_.template prf<false>(dest);
+    }
+
     auto data() {
       return strobe_.data();
     }