//! Schnorr signatures on a prime-order cyclic group.

dbg(GEN, ORDER);

PublicKey = #{
    verify: |self, message, { e, s }| {
        R = GEN ^ s * self ^ e;
        e == hash_to_scalar(R, message)
    },
};

SecretKey = #{
    sign: |self, message| {
        r = rand_scalar();
        R = GEN ^ r;
        e = hash_to_scalar(R, message);
        #{ e, s: r - self * e }
    },
    public_key: |self| GEN ^ self,
};

gen = || {
    sk = rand_scalar();
    #{ sk, pk: {SecretKey.public_key}(sk) }
};

// Test!
{ sk, pk } = gen();
{ pk: other_pk } = gen();

while(5, |i| i != 0, |i| {
    message = rand_scalar();
    dbg(message);
    signature = sk.{SecretKey.sign}(message);
    dbg(signature);

    assert(pk.{PublicKey.verify}(message, signature));
    assert(!other_pk.{PublicKey.verify}(message, signature));
    assert(!pk.{PublicKey.verify}(rand_scalar(), signature));

    i - 1
});