//! DSA signatures on a prime-order cyclic group.

dbg(GEN, ORDER);

PublicKey = #{
    verify: |self, message, { r, s }| {
        (u1, u2) = (hash_to_scalar(message) / s, r / s);
        (GEN ^ u1 * self ^ u2).to_scalar() == r
    },
};

SecretKey = #{
    sign: |self, message| {
        k = rand_scalar();
        r = (GEN ^ k).to_scalar();
        s = (hash_to_scalar(message) + self * r) / k;
        #{ r, s }
    },
    public_key: |self| GEN ^ self,
};

gen = || {
    sk = rand_scalar();
    #{ sk, pk: {SecretKey.public_key}(sk) }
};

// Test!
{ sk, pk } = gen();
{ pk: other_pk } = gen();

while(5, |i| i != 0, |i| {
    message = rand_scalar();
    dbg(message);
    signature = sk.{SecretKey.sign}(message);
    dbg(signature);

    assert(pk.{PublicKey.verify}(message, signature));
    assert(!other_pk.{PublicKey.verify}(message, signature));
    assert(!pk.{PublicKey.verify}(rand_scalar(), signature));

    i - 1
});