Generalize the RSig function

[claucece]

Why

As we are currently implementing the revision number 2 of the OTRv4 specification, we need to include a consistent way of using the RSig function.

Reference

Please, refer to the "Ring Signature Authentication" section of the OTRv4 spec and issue 99 of it.

Tasks

• [x] Check how RSig and RVerf are working on the auth.c file.
• [x] Check if those functions can be generalized and do so if needed.
• [x] Check if this can be part of otrv4 toolkit.
• [x] Generalize it for the Prekey Server as well.

Open questions

• Is this part of the otrv4 toolkit?

[olabini]

It would be good if RSig can be general enough that the OTRv4 prekey server can use it too.

[claucece]

It would be good if RSig can be general enough that the OTRv4 prekey server can use it too.

True. I'll add that task :)

[claucece]

This still needs the constant time scalar selection, right? Should we inform Mike?

[juniorz]

Not really. We do constant time scalar selection using elliptic curve arithmetic wizardry.

We did not write a test for goldilocks_448_scalar_cond_sel to demonstrate the problem, or did anything on the goldilocks library.

[juniorz]

But ideally, yes. It would be handy to have a constant time select for scalars that works.

[claucece]

Ok.. I'll try to do a test for goldilocks and send the results to Mike.. is it good?