algorand · algorandskiy · Oct 6, 2022 · Sep 28, 2022 · Sep 30, 2022 · Sep 30, 2022
diff --git a/crypto/batchverifier.go b/crypto/batchverifier.go
@@ -109,26 +109,34 @@ func (b *BatchVerifier) getNumberOfEnqueuedSignatures() int {
 }
 
 // Verify verifies that all the signatures are valid. in that case nil is returned
-// if the batch is zero an appropriate error is return.
 func (b *BatchVerifier) Verify() error {
+	_, err := b.VerifyWithFeedback()
+	return err
+}
+
+// VerifyWithFeedback verifies that all the signatures are valid.
+// if all sigs are valid, nil will be returned for err (failed will have all false)
+// if some signatures are invalid, true will be set in failed at the corresponding indexes, and
+// ErrBatchVerificationFailed for err
+func (b *BatchVerifier) VerifyWithFeedback() (failed []bool, err error) {
 	if b.getNumberOfEnqueuedSignatures() == 0 {
-		return nil
+		return nil, nil
 	}
-
 	var messages = make([][]byte, b.getNumberOfEnqueuedSignatures())
 	for i, m := range b.messages {
 		messages[i] = HashRep(m)
 	}
-	if batchVerificationImpl(messages, b.publicKeys, b.signatures) {
-		return nil
+	allValid, failed := batchVerificationImpl(messages, b.publicKeys, b.signatures)
+	if allValid {
+		return failed, nil
 	}
-	return ErrBatchVerificationFailed
-
+	return failed, ErrBatchVerificationFailed
 }
 
 // batchVerificationImpl invokes the ed25519 batch verification algorithm.
 // it returns true if all the signatures were authentically signed by the owners
-func batchVerificationImpl(messages [][]byte, publicKeys []SignatureVerifier, signatures []Signature) bool {
+// otherwise, returns false, and sets the indexes of the failed sigs in failed
+func batchVerificationImpl(messages [][]byte, publicKeys []SignatureVerifier, signatures []Signature) (allSigsValid bool, failed []bool) {
 
 	numberOfSignatures := len(messages)
 
@@ -164,5 +172,10 @@ func batchVerificationImpl(messages [][]byte, publicKeys []SignatureVerifier, si
 		C.size_t(len(messages)),
 		(*C.int)(unsafe.Pointer(valid)))
 
-	return allValid == 0
+	failed = make([]bool, numberOfSignatures)
+	for i := 0; i < numberOfSignatures; i++ {
+		cint := *(*C.int)(unsafe.Pointer(uintptr(valid) + uintptr(i*C.sizeof_int)))
+		failed[i] = (cint == 0)
+	}
+	return allValid == 0, failed
 }
diff --git a/crypto/batchverifier_test.go b/crypto/batchverifier_test.go
@@ -17,6 +17,7 @@
 package crypto
 
 import (
+	"math/rand"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -123,4 +124,72 @@ func TestEmpty(t *testing.T) {
 	partitiontest.PartitionTest(t)
 	bv := MakeBatchVerifier()
 	require.NoError(t, bv.Verify())
+
+	failed, err := bv.VerifyWithFeedback()
+	require.NoError(t, err)
+	require.Empty(t, failed)
+}
+
+// TestBatchVerifierIndividualResults tests that VerifyWithFeedback
+// returns the correct failed signature indexes
+func TestBatchVerifierIndividualResults(t *testing.T) {
+	partitiontest.PartitionTest(t)
+
+	for i := 1; i < 64*2+3; i++ {
+		n := i
+		bv := MakeBatchVerifierWithHint(n)
+		var s Seed
+		badSigs := make([]bool, n, n)
+		hasBadSig := false
+		for i := 0; i < n; i++ {
+			msg := randString()
+			RandBytes(s[:])
+			sigSecrets := GenerateSignatureSecrets(s)
+			sig := sigSecrets.Sign(msg)
+			if rand.Float32() > 0.5 {
+				// make a bad sig
+				sig[0] = sig[0] + 1
+				badSigs[i] = true
+				hasBadSig = true
+			}
+			bv.EnqueueSignature(sigSecrets.SignatureVerifier, msg, sig)
+		}
+		require.Equal(t, n, bv.getNumberOfEnqueuedSignatures())
+		failed, err := bv.VerifyWithFeedback()
+		if hasBadSig {
+			require.ErrorIs(t, err, ErrBatchVerificationFailed)
+		} else {
+			require.NoError(t, err)
+		}
+		require.Equal(t, len(badSigs), len(failed))
+		for i := range badSigs {
+			require.Equal(t, badSigs[i], failed[i])
+		}
+	}
+}
+
+// TestBatchVerifierIndividualResultsAllValid tests that VerifyWithFeedback
+// returns the correct failed signature indexes when all are valid
+func TestBatchVerifierIndividualResultsAllValid(t *testing.T) {
+	partitiontest.PartitionTest(t)
+
+	for i := 1; i < 64*2+3; i++ {
+		n := i
+		bv := MakeBatchVerifierWithHint(n)
+		var s Seed
+		for i := 0; i < n; i++ {
+			msg := randString()
+			RandBytes(s[:])
+			sigSecrets := GenerateSignatureSecrets(s)
+			sig := sigSecrets.Sign(msg)
+			bv.EnqueueSignature(sigSecrets.SignatureVerifier, msg, sig)
+		}
+		require.Equal(t, n, bv.getNumberOfEnqueuedSignatures())
+		failed, err := bv.VerifyWithFeedback()
+		require.NoError(t, err)
+		require.Equal(t, bv.getNumberOfEnqueuedSignatures(), len(failed))
+		for _, f := range failed {
+			require.False(t, f)
+		}
+	}
 }
diff --git a/crypto/onetimesig.go b/crypto/onetimesig.go
@@ -319,12 +319,12 @@ func (v OneTimeSignatureVerifier) Verify(id OneTimeSignatureIdentifier, message
 		Batch:    id.Batch,
 	}
 
-	return batchVerificationImpl(
+	allValid, _ := batchVerificationImpl(
 		[][]byte{HashRep(batchID), HashRep(offsetID), HashRep(message)},
 		[]PublicKey{PublicKey(v), PublicKey(batchID.SubKeyPK), PublicKey(offsetID.SubKeyPK)},
 		[]Signature{Signature(sig.PK2Sig), Signature(sig.PK1Sig), Signature(sig.Sig)},
 	)
-
+	return allValid
 }
 
 // DeleteBeforeFineGrained deletes ephemeral keys before (but not including) the given id.