static val_ptr v_field_cast(val_ptr v, tree_ptr t) {
// TODO: Check args, x is an element.
val_ptr x = tree_eval((tree_ptr)darray_at(t->child, 0));
element_ptr e = x->elem;
if (e->field == M) {
if (v->field == M) return x;
element_ptr e2 = element_new(v->field);
if (element_is0(e)) // if 'set0' is not 'set1' in base field of GT, but we hope 'GT(0)' calls 'set1', we may directly call 'element_set0' here
element_set0(e2);
else if (element_is1(e)) // reason is same as above
element_set1(e2);
else
element_set_multiz(e2, (multiz)e->data);
x->elem = e2;
return x;
}
if (v->field == M) {
// Map to/from integer. TODO: Map to/from multiz instead.
mpz_t z;
mpz_init(z);
element_to_mpz(z, e);
element_clear(e);
element_init(e, v->field);
element_set_mpz(e, z);
mpz_clear(z);
}
return x;
}
static int cc_is_almost_coddh(element_ptr a, element_ptr b,
element_ptr c, element_ptr d,
pairing_t pairing) {
int res = 0;
element_t t0, t1, t2;
element_t cx, cy;
element_t dx, dy;
pptr p = pairing->data;
element_init(cx, p->Fqd);
element_init(cy, p->Fqd);
element_init(dx, p->Fqd);
element_init(dy, p->Fqd);
element_init(t0, p->Fqk);
element_init(t1, p->Fqk);
element_init(t2, p->Fqk);
// Twist: (x, y) --> (v^-1 x, v^-(3/2) y)
// where v is the quadratic nonresidue used to construct the twist.
element_mul(cx, curve_x_coord(c), p->nqrinv);
element_mul(dx, curve_x_coord(d), p->nqrinv);
// v^-3/2 = v^-2 * v^1/2
element_mul(cy, curve_y_coord(c), p->nqrinv2);
element_mul(dy, curve_y_coord(d), p->nqrinv2);
cc_miller_no_denom_fn(t0, pairing->r, a, dx, dy);
cc_miller_no_denom_fn(t1, pairing->r, b, cx, cy);
cc_tatepower(t0, t0, pairing);
cc_tatepower(t1, t1, pairing);
element_mul(t2, t0, t1);
if (element_is1(t2)) res = 1; // We were given g, g^x, h, h^-x.
else {
// Cheaply check the other case.
element_invert(t1, t1);
element_mul(t2, t0, t1);
if (element_is1(t2)) res = 1; // We were given g, g^x, h, h^x.
}
element_clear(cx);
element_clear(cy);
element_clear(dx);
element_clear(dy);
element_clear(t0);
element_clear(t1);
element_clear(t2);
return res;
}
//TODO: untested
static int even_curve_is_sqr(element_ptr e) {
mpz_t z;
element_t e1;
int result;
mpz_init(z);
element_init(e1, e->field);
mpz_sub_ui(z, e->field->order, 1);
mpz_fdiv_q_2exp(z, z, 1);
element_pow_mpz(e1, e, z);
result = element_is1(e1);
mpz_clear(z);
element_clear(e1);
return result;
}
static int generic_is_almost_coddh(element_ptr a, element_ptr b,
element_ptr c, element_ptr d, pairing_t pairing) {
int res = 0;
element_t t0, t1;
element_init(t0, pairing->GT);
element_init(t1, pairing->GT);
element_pairing(t0, a, d);
element_pairing(t1, b, c);
if (!element_cmp(t0, t1)) {
res = 1;
} else {
element_mul(t0, t0, t1);
if (element_is1(t0)) res = 1;
}
element_clear(t0);
element_clear(t1);
return res;
}
int bb_verify(unsigned char *sig, unsigned int hashlen, unsigned char *hash, bb_public_key_t pk)
{
element_t sigma, r;
element_t m;
element_t t0, t1, t2;
int res;
int len;
pairing_ptr pairing = pk->param->pairing;
element_init(m, pairing->Zr);
element_from_hash(m, hash, hashlen);
element_init(sigma, pairing->G1);
len = element_from_bytes_x_only(sigma, sig);
element_init(r, pairing->Zr);
element_from_bytes(r, sig + len);
element_init(t0, pairing->G2);
element_init(t1, pairing->G2);
element_init(t2, pairing->GT);
element_pow_zn(t0, pk->g2, m);
element_pow_zn(t1, pk->v, r);
element_mul(t0, t0, t1);
element_mul(t0, t0, pk->u);
element_pairing(t2, sigma, t0);
if (!element_cmp(t2, pk->z)) {
res = 1;
} else {
element_mul(t2, t2, pk->z);
res = element_is1(t2);
}
element_clear(t0);
element_clear(t1);
element_clear(t2);
element_clear(m);
element_clear(sigma);
element_clear(r);
return res;
}
static int curve_cmp(element_ptr a, element_ptr b) {
if (a == b) {
return 0;
} else {
// If we're working with a quotient group we must account for different
// representatives of the same coset.
curve_data_ptr cdp = (curve_data_ptr)a->field->data;
if (cdp->quotient_cmp) {
element_t e;
element_init_same_as(e, a);
element_div(e, a, b);
element_pow_mpz(e, e, cdp->quotient_cmp);
int result = !element_is1(e);
element_clear(e);
return result;
}
return point_cmp((point_ptr)a->data, (point_ptr)b->data);
}
}
static int fq_is1(element_ptr e) {
eptr p = e->data;
return element_is1(p->x) && element_is0(p->y);
}
static int mulg_is1(element_ptr x) {
return element_is1(x->data);
}
void Manager::KeyGeneration(string & PK, string & IK, string & OK)
{
element_t gt_new;
element_t g_new;
element_t X_new;
element_t Y_new;
element_t h_new;
element_t y1_new;
element_t y2_new;
element_t y3_new;
//issuer secret
element_t x_new;
element_t y_new;
//open secret
element_t x1_new;
element_t x2_new;
element_t x3_new;
element_t x4_new;
element_t x5_new;
//init public key
element_init_G1(g_new, pairing);
element_init_GT(gt_new, pairing);
element_init_G1(X_new, pairing);
element_init_G1(Y_new, pairing);
element_init_GT(h_new, pairing);
element_init_GT(y1_new, pairing);
element_init_GT(y2_new, pairing);
element_init_GT(y3_new, pairing);
//init issuer key
element_init_Zr(x_new, pairing);
element_init_Zr(y_new, pairing);
//init open key
element_init_Zr(x1_new, pairing);
element_init_Zr(x2_new, pairing);
element_init_Zr(x3_new, pairing);
element_init_Zr(x4_new, pairing);
element_init_Zr(x5_new, pairing);
//set tmp variables
element_t temp_y1;
element_t temp_y2;
element_init_GT(temp_y1, pairing);
element_init_GT(temp_y2, pairing);
//generate system parameters
element_random(g_new);
element_pairing(gt_new,g_new,g_new);
//generate private keys of group manager
element_random(x_new);
element_random(y_new);
//compute X Y
element_pow_zn(X_new,g_new,x_new);
element_pow_zn(Y_new,g_new,y_new);
//generate h != 1
do
{
element_random(h_new);
}
while(element_is1(h_new));
//rand of secret set x1...x5
element_random(x1_new);
element_random(x2_new);
element_random(x3_new);
element_random(x4_new);
element_random(x5_new);
//compute y1
element_pow_zn(temp_y1,gt_new,x1_new);
element_pow_zn(temp_y2,h_new,x2_new);
element_mul(y1_new,temp_y1,temp_y2);
//compute y2
element_pow_zn(temp_y1,gt_new,x3_new);
element_pow_zn(temp_y2,h_new,x4_new);
element_mul(y2_new,temp_y1,temp_y2);
//compute y3
element_pow_zn(y3_new,gt_new,x5_new);
//Write keys
PK=GroupPublicKeyToString(g_new, gt_new, X_new, Y_new, h_new, y1_new, y2_new, y3_new);
IK=SecretIssuerKeyToString(x_new,y_new);
OK=SecretOpenKeyToString(x1_new,x2_new,x3_new,x4_new,x5_new);
//clear elements
//clear public key
element_clear(g_new);
element_clear(gt_new);
element_clear(X_new);
element_clear(Y_new);
element_clear(h_new);
element_clear(y1_new);
element_clear(y2_new);
element_clear(y3_new);
//clear issuer key
element_clear(x_new);
element_clear(y_new);
//clear open key
element_clear(x1_new);
element_clear(x2_new);
element_clear(x3_new);
element_clear(x4_new);
element_clear(x5_new);
//clear tmps
element_clear(temp_y1);
element_clear(temp_y2);
}
int main(int argc, char* argv[]) {
QTextStream err(stderr, QIODevice::WriteOnly);
if(argc != 2) {
err << "Usage: " << argv[0] << " qbits\n";
return 1;
}
int qbits;
QTextStream in(argv[1], QIODevice::ReadOnly);
in >> qbits;
if(qbits < 10) {
err << "qbits must be greater than 10\n";
return 1;
}
QTextStream out(stdout, QIODevice::WriteOnly);
out << "--- PBC Parameter Utility ---\n";
out << "r < q (for prime r and q)\n";
out << "Bits: " << qbits << "\n";
out << "\n\n";
out.flush();
pbc_param_t params;
pairing_t pairing;
const int rbits = qbits-8;
pbc_param_init_a_gen(params, rbits, qbits);
pbc_param_out_str(stdout, params);
pairing_init_pbc_param(pairing, params);
element_t gen1;
element_t neg1;
element_t gent;
element_t tmp, tmp2;
element_init_G1(tmp, pairing);
element_init_G1(tmp2, pairing);
element_init_Zr(neg1, pairing);
element_init_G1(gen1, pairing);
element_init_G1(gent, pairing);
// neg1 = 1
element_set1(neg1);
// neg1 = -1 mod r
element_neg(neg1, neg1);
do {
element_random(gen1);
// tmp = gen1^-1
element_pow_zn(tmp, gen1, neg1);
// tmp = (gen1^-1)*gen1 == gen1^r
element_mul(tmp2, tmp, gen1);
} while (!element_is1(tmp2));
element_fprintf(stdout, "g1 = %B\n", gen1);
do {
element_random(gent);
// tmp = gen1^-1
element_pow_zn(tmp, gent, neg1);
// tmp = (gen1^-1)*gen1 == gen1^r
element_mul(tmp2, tmp, gent);
} while (!element_is1(tmp2));
element_fprintf(stdout, "gT = %B\n", gent);
element_clear(gen1);
element_clear(gent);
element_clear(tmp);
element_clear(tmp2);
element_clear(neg1);
pbc_param_clear(params);
pairing_clear(pairing);
return 0;
}
// Requires cofactor is even. TODO: This seems to contradict a comment below.
// Requires in != out.
// Mangles in.
static void lucas_even(element_ptr out, element_ptr in, mpz_t cofactor) {
if (element_is1(in)) {
element_set(out, in);
return;
}
element_t temp;
element_init_same_as(temp, out);
element_ptr in0 = element_x(in);
element_ptr in1 = element_y(in);
element_ptr v0 = element_x(out);
element_ptr v1 = element_y(out);
element_ptr t0 = element_x(temp);
element_ptr t1 = element_y(temp);
size_t j;
element_set_si(t0, 2);
element_double(t1, in0);
element_set(v0, t0);
element_set(v1, t1);
j = mpz_sizeinbase(cofactor, 2) - 1;
for (;;) {
if (!j) {
element_mul(v1, v0, v1);
element_sub(v1, v1, t1);
element_square(v0, v0);
element_sub(v0, v0, t0);
break;
}
if (mpz_tstbit(cofactor, j)) {
element_mul(v0, v0, v1);
element_sub(v0, v0, t1);
element_square(v1, v1);
element_sub(v1, v1, t0);
} else {
element_mul(v1, v0, v1);
element_sub(v1, v1, t1);
element_square(v0, v0);
element_sub(v0, v0, t0);
}
j--;
}
// Assume cofactor = (q^2 - q + 1) / r is odd
// thus v1 = V_k, v0 = V_{k-1}
// U = (P v1 - 2 v0) / (P^2 - 4)
element_double(v0, v0);
element_mul(in0, t1, v1);
element_sub(in0, in0, v0);
element_square(t1, t1);
element_sub(t1, t1, t0);
element_sub(t1, t1, t0);
element_halve(v0, v1);
element_div(v1, in0, t1);
element_mul(v1, v1, in1);
element_clear(temp);
}
