// Rebuild this G2 element's fixed-base precomputation table from the
// serialised form written by the matching store routine.
//
// bytes: 2*(1<<WINDOW_SIZE) big-number coordinates, each
//        (MIRACL/8)*(nib-1) bytes long, laid out x0,y0,x1,y1,...
//        The buffer is released with delete[] once the table has been
//        rebuilt, so it must have been allocated with new[] and the
//        caller must not use it afterwards.
//
// Side effects: the global curve is temporarily switched to the twist
// (b -> -b) while the table points are set, then switched back.  Not
// re-entrant - any other user of the global curve would observe the twist.
//
// NOTE(review): when a table already exists the function returns early and
// does NOT free `bytes`; the two exit paths disagree about buffer ownership -
// confirm every caller copes with both.
// NOTE(review): ECn::set's point-on-curve result is ignored.  If `bytes` can
// ever come from an untrusted source, off-curve points could end up in the
// table; consider checking the return value.
void G2::restore(char *bytes)
{
    if (mtable!=NULL) return;                  // table already present

    const int entries=(1<<WINDOW_SIZE);
    const int big_len=(MIRACL/8)*(get_mip()->nib-1);

    mtable=new ECn[entries];

    // Work on the twist: same a=-3, negated b.
    Big twist_b=-getB();
    ecurve((Big)-3,twist_b,get_modulus(),MR_PROJECTIVE);

    int pos=0;
    for (int idx=0;idx<entries;idx++)
    {
        Big px=from_binary(big_len,&bytes[pos]);
        pos+=big_len;
        Big py=from_binary(big_len,&bytes[pos]);
        pos+=big_len;
        mtable[idx].set(px,py);
    }

    // Back to the original curve.
    twist_b=-twist_b;
    ecurve((Big)-3,twist_b,get_modulus(),MR_PROJECTIVE);

    delete [] bytes;
}
// Map an identity string to a point of prime order in G2.
//
// w:  receives the resulting point in w.g.
// ID: NUL-terminated identity string, hashed to a field element by H1.
//
// As written: switch the global curve to the twist (b -> -b), step the
// candidate x-coordinate upwards until set() accepts it, multiply by
// (p+1+t)/r (the twist cofactor, assuming the twist has p+1+t points) so the
// result lies in the order-r subgroup, then restore the curve.
//
// NOTE(review): set(x0,x0) passes the same Big as both arguments - presumably
// the second is the y-selection parameter of the set() overload; confirm.
// NOTE(review): the increment loop is unbounded and its trial count depends
// on ID (not constant-time); fine for public identities.
// Not re-entrant: *B and the process-global curve are mutated in place.
void PFC::hash_and_map(G2& w,char *ID)
{
    Big xc=H1(ID);
    Big twist_cof=(*mod+1+*trace)/(*ord);

    // Move to the twist y^2 = x^3 - 3x - b.
    *B=-(*B);
    ecurve((Big)-3,*B,*mod,MR_PROJECTIVE);

    for (;;)
    {
        if (w.g.set(xc,xc)) break;
        xc+=1;
    }
    w.g*=twist_cof;

    // Back to y^2 = x^3 - 3x + b.
    *B=-(*B);
    ecurve((Big)-3,*B,*mod,MR_PROJECTIVE);
}
// Pick a random point of prime order in G2.
//
// w: receives the resulting point in w.g.
//
// As written: draw a random x-coordinate below the modulus with MIRACL's
// rand(), switch the global curve to the twist (b -> -b), step x upwards until
// set() accepts it, multiply by (p+1+t)/r (the twist cofactor, assuming the
// twist has p+1+t points) and restore the curve.
//
// NOTE(review): rand(*mod) is MIRACL's general-purpose generator; its output is
// only as unpredictable as the irand() seed.  Do not use this for secret
// values unless the generator was seeded from a real entropy source.
// NOTE(review): set(x0,x0) passes the same Big as both arguments - presumably
// the second is the y-selection parameter; confirm against the set() overload.
// Not re-entrant: *B and the process-global curve are mutated in place.
void PFC::random(G2& w)
{
    Big xc=rand(*mod);
    Big twist_cof=(*mod+1+*trace)/(*ord);

    // Move to the twist y^2 = x^3 - 3x - b.
    *B=-(*B);
    ecurve((Big)-3,*B,*mod,MR_PROJECTIVE);

    for (;;)
    {
        if (w.g.set(xc,xc)) break;
        xc+=1;
    }
    w.g*=twist_cof;

    // Back to y^2 = x^3 - 3x + b.
    *B=-(*B);
    ecurve((Big)-3,*B,*mod,MR_PROJECTIVE);
}
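// Verify an ECDSA-style signature (r,s) over a file.
//
// Inputs: common.ecs   - bits, then p a b q x y in hex (curve and base point G)
//         public.ecs   - parity flag ep and x-coordinate of the signer's key
//         <name>       - the signed file, read from stdin
//         <name>.ecs   - the signature r s
// Checks  x( u1*G + u2*Pub ) mod q == r  with u1 = h/s, u2 = r/s (mod q).
// Always exits 0; the verdict is printed.
//
// Fixes relative to the earlier version:
//  - the filename buffers were 13 bytes, so strcat(".ecs") after a
//    12-character name overflowed the stack.  ofname is now sized for the
//    longest name getline() can store plus the suffix.
//  - r and s were only bounded above.  ECDSA requires 1 <= r,s < q and
//    s == 0 has no inverse; both bounds are now checked before inverse().
//  - the public key and the verification point are rejected when they are
//    the point at infinity (a bad x presumably leaves the decompressed key at
//    infinity; infinity has no x-coordinate to compare).
//  - ios::nocreate is non-standard and redundant for input (open() never
//    creates a file), so it was dropped.
// NOTE(review): common.ecs / public.ecs are still not checked for open
// failure; garbage parameters would give a meaningless verdict.
int main()
{
    ifstream common("common.ecs");      /* construct file I/O streams */
    ifstream public_key("public.ecs");
    ifstream message;
    ifstream signature;
    ECn G,Pub;
    int bits,ep;
    Big a,b,p,q,x,y,v,u1,u2,r,s,h;
    // getline() stores at most FNAME_LEN-1 characters plus NUL in ifname;
    // ofname additionally holds the 4-character ".ecs" suffix.
    const int FNAME_LEN=256;
    char ifname[FNAME_LEN],ofname[FNAME_LEN+4];
    miracl *mip=&precision;

    /* get public data */
    common >> bits;
    mip->IOBASE=16;
    common >> p >> a >> b >> q >> x >> y;
    mip->IOBASE=10;
    ecurve(a,b,p,MR_PROJECTIVE);
    G=ECn(x,y);

    /* get public key of signer */
    public_key >> ep >> x;
    Pub=ECn(x,ep);                      // decompress from x and the parity flag ep
    if (Pub.iszero())
    {   /* x not on the curve, or the key is the identity */
        cout << "Public key is invalid\n";
        return 0;
    }

    /* get message */
    cout << "signed file = " ;
    cin.sync();
    cin.getline(ifname,FNAME_LEN);
    strcpy(ofname,ifname);
    strip(ofname);                      // strip() is defined elsewhere; presumably removes the extension
    strcat(ofname,".ecs");
    message.open(ifname,ios::binary|ios::in);
    if (!message)
    { /* no message */
        cout << "Unable to open file " << ifname << "\n";
        return 0;
    }
    h=hash(message);

    signature.open(ofname,ios::in);
    if (!signature)
    { /* no signature */
        cout << "signature file " << ofname << " does not exist\n";
        return 0;
    }
    signature >> r >> s;
    if (r<=0 || r>=q || s<=0 || s>=q)
    { /* ECDSA requires 1 <= r,s < q; s == 0 would have no inverse */
        cout << "Signature is NOT verified\n";
        return 0;
    }
    s=inverse(s,q);
    u1=(h*s)%q;
    u2=(r*s)%q;
    G=mul(u2,Pub,u1,G);                 // u2*Pub + u1*G
    if (G.iszero())
    { /* point at infinity has no x-coordinate */
        cout << "Signature is NOT verified\n";
        return 0;
    }
    G.get(v);
    v%=q;
    if (v==r) cout << "Signature is verified\n";
    else      cout << "Signature is NOT verified\n";
    return 0;
}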
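// Accumulate the EC-ElGamal ciphertext components stored in PFILE.
//
// PFILE holds pairs of base-64 lines; the first line of each pair is added
// into s1 and the second into s2 (plain big-integer addition - the curve is
// installed but no point arithmetic happens here).  s2 is reduced modulo q
// (the group order) and both sums are written to TFILE, one per line.
// argc/argv are unused.  Always exits 0.
//
// Change from the earlier version: a pair whose second line is missing is no
// longer decoded from the stale line buffer; reading stops at the first
// incomplete pair.  Unused locals were dropped.
//
// NOTE(review): the generator is seeded from time(), which is not a secret
// seed; nothing here draws random numbers, so the call only mirrors the
// sibling tools.  If randomness is ever needed, seed from real entropy.
// NOTE(review): s1 is written unreduced while s2 is reduced mod q -
// presumably intentional; confirm against the consumer of TFILE.
int main(int argc, char *argv[])
{
    int i;
    char *line = new char[512];          // buffer needs char instead of const char
    ofstream fout;
    ifstream fin;
    time_t seed;
    Big a,b,p,q,x,y,s1,s2;
    ECn g;
    miracl *mip=&precision;

    time(&seed);
    irand((long)seed);

    a=-3;
    mip->IOBASE=16;
    b=ecb;
    p=ecp;
    q=ecq;                               // group order
    ecurve(a,b,p,MR_BEST);               // PROJECTIVE if possible, else AFFINE coordinates
    x=ecx;
    y=ecy;
    g=ECn(x,y);

    // Read the ciphertext components pairwise and accumulate them.
    i = 0;
    mip->IOBASE=64;
    fin.open(PFILE);
    s1 = 0;
    s2 = 0;
    while(fin.getline(line,512))
    {
        x = line;
        if (!fin.getline(line,512)) break;   // incomplete pair: stop here
        y = line;
        s1 += x;
        s2 += y;
        i++;
    }
    fin.close();

    // Reduce s2 modulo q (a multiply by 1 is s2 mod q).
    x = 1;
    s2 = modmult(s2,x,q);

    fout.open(TFILE);
    fout<<s1<<endl<<s2<<endl;
    fout.close();

    delete [] line;
    return 0;
}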
// Set up the pairing context for the 80-bit curve y^2 = x^3 - 3x + B over
// F_p with p = X^2 + 1, where X = param and B = curveB are compile-time
// constants.
//
// s: requested security level in bits; only 80 is accepted.  Any other value
//    prints a message and terminates the process.
//
// Derived quantities:  p = X^2+1,  #E = X^2-X+1 (= ord, taken as the prime
// group order),  t = X+1,  cof = X^2+X+1.  After installing the curve the
// cubic extension is built with x^6+2 irreducible and a quadratic twist is
// selected for G2.
//
// NOTE(review): the failure path calls exit(0), i.e. reports success to the
// shell; a non-zero status (or an exception) would be the usual choice.
// NOTE(review): mirsys() installs a process-global MIRACL context and the
// Big members are allocated with new; constructing several PFC objects is
// not independent and nothing here frees them.
PFC::PFC(int s)
{
    if (s!=80)
    {
        cout << "No suitable curve available" << endl;
        exit(0);
    }

    const int mod_bits=2*s;
    const int words=(mod_bits+MIRACL-1)/MIRACL;   // ceil(mod_bits/MIRACL)

#ifdef MR_SIMPLE_BASE
    miracl *mip=mirsys((MIRACL/4)*words,16);
#else
    miracl *mip=mirsys(words,0);
    mip->IOBASE=16;
#endif

    B=new Big;
    x=new Big;
    mod=new Big;
    ord=new Big;
    cof=new Big;
    npoints=new Big;
    trace=new Big;
    frob=new ZZn2;

    S=s;
    *B=curveB;
    *x=param;

    Big X=*x;
    *mod=X*X+1;
    *npoints=X*X-X+1;
    *trace=X+1;
    *cof=X*X+X+1;
    *ord=*npoints;

    ecurve(-3,*B,*mod,MR_PROJECTIVE);
    set_frobenius_constant(*frob);

    // x^6+2 is irreducible over F_p; sru is the sixth root used for the tower.
    Big sru=pow((ZZn)-2,(*mod-1)/6);
    set_zzn3(-2,sru);

    mip->TWIST=MR_QUADRATIC;   // twisted curve E'(ZZn3)
}
// Set up the pairing context for a fixed 512-bit curve y^2 = x^3 - 3x + B
// whose modulus, cofactor and B are given as hex text constants (MODtext,
// COFtext, Btext).
//
// s:   requested security level; only 80 is accepted, anything else prints a
//      message and terminates the process.
// rng: caller-supplied CSPRNG, stored in RNG for later random draws.
//
// Group order is the Solinas-style prime 2^159 + 2^17 + 1; #E = cof * ord and
// the trace is recovered as p + 1 - #E.
//
// NOTE(review): the failure path calls exit(0), reporting success to the
// shell.  mirsys() installs a process-global MIRACL context and the Big
// members are never freed here.
PFC::PFC(int s, csprng *rng)
{
    if (s!=80)
    {
        cout << "No suitable curve available" << endl;
        exit(0);
    }

    const int mod_bits=512;
    const int words=(mod_bits+MIRACL-1)/MIRACL;   // ceil(mod_bits/MIRACL)

#ifdef MR_SIMPLE_BASE
    miracl *mip=mirsys((MIRACL/4)*words,16);
#else
    miracl *mip=mirsys(words,0);
    mip->IOBASE=16;
#endif

    B=new Big;
    mod=new Big;
    ord=new Big;
    cof=new Big;
    npoints=new Big;
    trace=new Big;

    S=s;
    *B=Btext;
    *cof=COFtext;
    *mod=MODtext;
    *ord=pow((Big)2,159)+pow((Big)2,17)+1;
    *npoints=*cof*(*ord);
    *trace=*mod+1-*npoints;

    ecurve(-3,*B,*mod,MR_PROJECTIVE);
    RNG=rng;
}
// Set up the pairing context for the curve y^2 = x^3 - 3x over F_p with
// p = 2*cof*ord - 1, for 80- or 128-bit security.
//
// s:   80 selects a 512-bit modulus with ord = 2^159 + 2^17 + 1 and
//      cof = param_80; 128 selects a 1536-bit modulus with
//      ord = 2^255 + 2^41 + 1 and cof = param_128.  Any other value prints a
//      message and terminates the process.
// rng: caller-supplied CSPRNG, stored in RNG.
//
// By construction p = 2*cof*ord - 1 is 3 mod 4 - presumably the
// supersingular embedding-degree-2 setting; confirm against the pairing code.
//
// NOTE(review): the failure path calls exit(0), reporting success to the
// shell.  mirsys() installs a process-global context; mod/cof/ord are
// allocated with new and not freed here.
PFC::PFC(int s, csprng *rng)
{
    int mod_bits;
    switch (s)
    {
    case 80:  mod_bits=512;  break;
    case 128: mod_bits=1536; break;
    default:
        cout << "No suitable curve available" << endl;
        exit(0);
    }

    const int words=(mod_bits+MIRACL-1)/MIRACL;   // ceil(mod_bits/MIRACL)

#ifdef MR_SIMPLE_BASE
    miracl *mip=mirsys((MIRACL/4)*words,16);
#else
    miracl *mip=mirsys(words,0);
    mip->IOBASE=16;
#endif

    mod=new Big;
    cof=new Big;
    ord=new Big;

    S=s;
    if (s==80)
    {
        *cof=param_80;
        *ord=pow((Big)2,159)+pow((Big)2,17)+1;
    }
    else
    {
        *cof=param_128;
        *ord=pow((Big)2,255)+pow((Big)2,41)+1;
    }
    *mod=2*(*cof)*(*ord)-1;

    Big coef_a=-3;
    Big coef_b=0;
    ecurve(coef_a,coef_b,*mod,MR_PROJECTIVE);
    RNG=rng;
}
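// Read one compressed point from fin: a base-64 x-coordinate line followed by
// a line holding the y-parity selector.  Returns false if either line is
// missing; out is left untouched in that case.
static bool read_compressed_point(ifstream& fin, char *line, ECn& out)
{
    Big px;
    if (!fin.getline(line,512)) return false;
    px = line;
    if (!fin.getline(line,512)) return false;
    out = ECn(px,atoi(line));   // decompress
    return true;
}

// Aggregate EC-ElGamal ballots.
//
// usage: prog [n l]   n = ciphertexts per ballot, l = number of ballots
//                     (both default to 2).
//
// Reads n ciphertexts (c1,c2) as compressed points from CFILE.  Then for each
// of the l ballots in BFILE reads n integer weights m_i and writes the
// aggregate (sum m_i*c1_i, sum m_i*c2_i) to EBFILE as compressed points,
// one coordinate and one parity value per line.
//
// Changes from the earlier version:
//  - n and l came from argv unchecked; atoi() of garbage gave 0 or a negative
//    count that was handed to new ECn[n] and the loops.  They are validated.
//  - every getline()/>> on the input files is now checked; a short file used
//    to be decoded from whatever was left in the line buffer.
// Returns 0 on success, 1 on bad arguments or unreadable input.
//
// NOTE(review): irand() is seeded from time(); nothing here draws random
// numbers, the call only mirrors the sibling tools.
int main(int argc, char *argv[])
{
    int m,iy,i,j, n = 2, l = 2;
    char *line = new char[512];  // buffer needs char instead of const char
    ofstream fout;
    ifstream fin;
    time_t seed;
    Big a,b,p,x,y;
    ECn g,s1,s2;
    miracl *mip=&precision;
    int rc = 0;

    time(&seed);
    irand((long)seed);

    if(argc ==3){
        n=atoi(argv[1]);
        l=atoi(argv[2]);
    }
    if (n<=0 || l<=0)
    {
        cout << "usage: " << argv[0] << " [n l]  (n and l must be positive)" << endl;
        delete [] line;
        return 1;
    }

    //we need to read all the ciphertexts in
    ECn *c1 = new ECn[n];
    ECn *c2 = new ECn[n];
    cout << "Producing EC-ElGamal Ballots...." << endl;

    a=-3;
    mip->IOBASE=16;
    b=ecb;
    p=ecp;
    ecurve(a,b,p,MR_BEST);   // PROJECTIVE if possible, else AFFINE coordinates
    x=ecx;
    y=ecy;
    g=ECn(x,y);

    //Read cipher (base-64): two compressed points per ciphertext
    mip->IOBASE=64;
    fin.open(CFILE);
    for(i = 0;i<n;i++){
        if (!read_compressed_point(fin,line,c1[i]) || !read_compressed_point(fin,line,c2[i]))
        {
            cout << "Unable to read ciphertext " << i << " from " << CFILE << endl;
            rc = 1;
            break;
        }
    }
    fin.close();

    if (rc == 0)
    {
        fin.open(BFILE);
        fout.open(EBFILE);
        for(j=0;j<l;j++){
            for(i = 0;i<n;i++){
                if (!(fin>>m))
                {
                    cout << "Unable to read ballot " << j << " entry " << i << " from " << BFILE << endl;
                    rc = 1;
                    break;
                }
                if(i == 0){
                    s1 = m*c1[i];
                    s2 = m*c2[i];
                }
                else{
                    s1 += m*c1[i];
                    s2 += m*c2[i];
                }
            }
            if (rc != 0) break;
            //write
            iy = s1.get(x);
            fout<<x<<endl<<iy<<endl;
            iy = s2.get(x);
            fout<<x<<endl<<iy<<endl;
        }
        fin.close();
        fout.close();
    }

    //free buffers
    delete [] line;
    delete [] c1;
    delete [] c2;
    return rc;
}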
// Parameter search for pairing-friendly curves of the form y^2 = x^3 + A*x
// (j-invariant 1728, so a quartic twist exists) with x = 5 +/- 30*s.
//
// For each candidate s the trace t, subgroup order q, cofactor cf and prime
// p are evaluated from the polynomial family below; candidates with p != 5
// mod 8 or composite p or q are skipped.  A curve coefficient A is then found
// by trial (smallest A whose random point, scaled by cf, has order q), and the
// twist type (M or D over F_{p^2}) is determined by checking which one has a
// point of order q.  100 solutions are printed, tracking the one with the
// lowest Hamming weight of x.
//
// The randomness used (rand(), randn2()) only drives the search, so the
// unseeded generator is acceptable here; the printed parameters are what
// matters.  Terminates the process with exit(0) if neither twist works.
int main()
{
    miracl *mip=&precision;
    Big s,x,q,p,t,A,B,cf,X,Y,sru,n,best_s,f;
    Big T,P,F,m1,m2;
    ECn W;
    ECn2 Q;
    ZZn2 r;
    mip->IOBASE=16;
    int i,ns,sign,best_ham=1000;
    sign=1;  // 1= positive, 2=negative for +/- x solutions
    s="1400000000000000";
    ns=1;
    for (i=0;i<100;i++)
    {
        forever
        {
            forever
            {
                // sign alternates 1,2,1,2,...; s only advances on the positive pass,
                // so each s is tried with both x = 5+30s and x = 5-30s.
                sign=3-sign;  // always looking for +ve x solutions.
                if (sign==1) s+=1;
                if (sign==1) x=5+30*s;
                else         x=5-30*s;
                t=(2*pow(x,3) - 11*x + 15)/15;
                q=(pow(x,4) - 8*pow(x,2) + 25)/450;
                cf=(5*x*x+10*x+25)/2;
                n=cf*q;
                p=cf*q+t-1;   // avoids overflow..  (p = n + t - 1, i.e. n = p + 1 - t)
                if (p%8!=5) continue;  // p will be 1 mod 4
                if (!prime(q)) continue;
                if (!prime(p)) continue;
                break;
            }
            // Order of the curve over F_{p^2}: T is the trace of Frobenius^2,
            // F = sqrt(4p^2 - T^2); m1/m2 are the two candidate twist orders.
            T=t*t-2*p;
            P=p*p;
            F=(4*P-T*T);
            F=sqrt(F);
            m1=P+1-F;  // Wrong Curve (the other twist order - not used below)
            m2=P+1+F;
            A=0; B=0;
            // Find the smallest A for which a random point scaled by cf has order q.
            forever
            {
                A+=1;
                do
                {
                    X=rand(p);
                    Y=sqrt(X*X*X+A*X,p);
                } while (Y==0);
                ecurve(A,B,p,MR_AFFINE);
                W.set(X,Y);
                W*=cf;
                if ((q*W).iszero()) break;
            }
            // Try the M-type quartic twist first, then D-type; whichever has a
            // point of order q after scaling by m2/q is the right one.
            mip->TWIST=MR_QUARTIC_M;
            do
            {
                r=randn2();
            } while (!Q.set(r));
            Q*=(m2/q);
            if ((q*Q).iszero()) break;
            mip->TWIST=MR_QUARTIC_D;
            do
            {
                r=randn2();
            } while (!Q.set(r));
            Q*=(m2/q);
            if ((q*Q).iszero()) break;
            cout << "Something wrong!" << endl;
            exit(0);
        }
        cout << "solution " << ns << endl;
        cout << "irreducible polynomial = X^4 - [0,1]" << endl;
        if (sign==1)
        {
            cout << "s= +" << s << endl;
            cout << "s%12= " << s%12 << endl;
        }
        else
        {
            cout << "s= -" << s << endl;
            cout << "s%12= " << 12-(s%12) << endl;
        }
        cout << "x= " << x << " ham(x)= " << ham(x) << endl;
        cout << "p= " << p << " bits(p)= " << bits(p) << endl;
        cout << "q= " << q << " bits(q)= " << bits(q) << endl;
        cout << "n= " << n << endl;
        cout << "t= " << t << endl;
        cout << "cf= " << cf << endl;
        //cout << "W= " << W << endl;
        cout << "q*W= " << q*W << endl;
        mip->IOBASE=10;
        cout << "E(Fp): y^2=x^3+" << A << "x" << endl;
        mip->IOBASE=16;
        if (mip->TWIST==MR_QUARTIC_M) cout << "Twist type M" << endl;
        if (mip->TWIST==MR_QUARTIC_D) cout << "Twist type D" << endl;
        //cout << "Q= " << Q << endl;
        Q*=q;
        cout << "check - if right twist should be O - q*Q= " << Q << endl;
        if (ham(x)<best_ham) {best_ham=ham(x);best_s=s;}
        cout << "So far minimum hamming weight of x= " << best_ham << endl;
        cout << "for seed= " << best_s << endl << endl;
        ns++;
    }
    return 0;
}
// Initialise the MIRACL context and select the elliptic curve used by the
// base OT for the requested security parameter.
//
// secparam: curve size in bits.  160/192/224/256 select prime-field curves
//           (y^2 = x^3 - 3x + b over p); 163/233/283 select binary-field
//           curves set up through ecurve2_init.  Anything else falls back to
//           the 192-bit prime curve and m_SecParam becomes 192.
// seed:     seed material for MIRACL's irand().
//
// Side effects: mirsys() installs a process-global MIRACL context; m_BB,
// m_BA, m_BP, m_X, m_Y are allocated with new and not freed here (a second
// call leaks the previous set); mip->IOBASE is left at 10.
// Returns: always true.
//
// NOTE(review): irand((long)(*seed)) dereferences ONE byte, so the generator
// is seeded with at most 8 bits of entropy no matter how much seed material
// the caller supplied, and MIRACL's irand()/rand() is not a CSPRNG.  Any
// secret later drawn from rand() is predictable - consume the whole seed
// (the length is not passed in, so the interface needs a size) and prefer
// the csprng API.
// NOTE(review): mirsys(secparam, 2) is sized from the caller's value; in the
// default branch that may be smaller than the 192-bit curve actually chosen.
// NOTE(review): ecx160 etc. are assigned to non-const char* - if those are
// string literals this relies on a deprecated conversion.
BOOL BaseOT::Miracl_Init(int secparam, BYTE* seed)
{
    //secparam = 163;
    m_SecParam = secparam;
    miracl *mip = mirsys(secparam, 2);
    //miracl *mip=mirsys(MR_ROUNDUP(abs(163),4),16);
    char *ecp = NULL, *ecb = NULL, *ecx = ecx160, *ecy = ecy160;
    m_BB = new Big();
    m_BA = new Big();
    m_BP = new Big();
    // Prime-field cases set (p,b,x,y); binary-field cases set the field
    // polynomial x^m + x^a + x^b + x^c + 1 and the curve's a-coefficient.
    switch (secparam)
    {
    case 160:
        ecp = ecp160; ecb = ecb160; ecx = ecx160; ecy = ecy160;
        break;
    case 163:
        ecx = ecx163; ecy = ecy163;
        m_nM = 163; m_nA = 7; m_nB = 6; m_nC = 3;
        *m_BA = 1;
        break;
    case 192:
        ecp = ecp192; ecb = ecb192; ecx = ecx192; ecy = ecy192;
        break;
    case 224:
        ecp = ecp224; ecb = ecb224; ecx = ecx224; ecy = ecy224;
        break;
    case 233:
        ecx = ecx233; ecy = ecy233;
        m_nM = 233; m_nA = 74; m_nB = 0; m_nC = 0;
        *m_BA = 0;
        break;
    case 256:
        ecp = ecp256; ecb = ecb256; ecx = ecx256; ecy = ecy256;
        break;
    case 283:
        ecx = ecx283; ecy = ecy283;
        m_nM = 283; m_nA = 12; m_nB = 7; m_nC = 5;
        *m_BA = 0;
        break;
    default:
        ecp = ecp192; ecb = ecb192; ecx = ecx192; ecy = ecy192;
        m_SecParam = 192;
        break;
    }
    //seed the miracl rnd generator
    // NOTE(review): only *seed (a single byte) reaches the generator - see header comment.
    irand((long)(*seed));
    //Change the base to read in the parameters
    mip->IOBASE = 16;
    *m_BB = 1;   // binary-field curves use b = 1; overwritten below for prime fields
    if(m_SecParam == 160 || m_SecParam == 192 || m_SecParam == 224 || m_SecParam == 256)
    {
        mip->IOBASE = 16;
        *m_BA = -3;
        *m_BB = ecb;
        *m_BP = ecp;
        ecurve(*m_BA, *m_BB, *m_BP, MR_BEST);
        m_bUsePrimeField = true;
    }
    else
    {
        ecurve2_init(m_nM, m_nA, m_nB, m_nC, m_BA->getbig(), m_BB->getbig(), false, MR_BEST);
        m_bUsePrimeField = false;
    }
    // Base point (hex strings parsed with IOBASE 16).
    m_X = new Big();
    m_Y = new Big();
    *m_X = ecx;
    *m_Y = ecy;
    //change the base back
    mip->IOBASE = 10;
    return true;
}
// Initialise the MIRACL context and fill params with the elliptic-curve
// parameters for the requested security level.
//
// lvl:    security level; compared against the ST/MT/LT presets.  With
//         OTEXT_USE_PRIMEFIELD the 160/224/256-bit prime curves are used,
//         otherwise the 163/233/283-bit binary curves.  An unrecognised level
//         falls back to the short-term (smallest) curve.
// seed:   seed material for MIRACL's irand().
// params: receives secparam, the curve parameters and elebytelen
//         (coordinate bytes + 1 for the y-parity value).
//
// Side effects: mirsys() installs a process-global MIRACL context; the Big
// members of params->eccparams are allocated with new and not freed here.
// Returns: always true.
//
// NOTE(review): irand((long)(*seed)) dereferences ONE byte, so the generator
// gets at most 8 bits of entropy however much seed material was supplied,
// and MIRACL's irand()/rand() is not a CSPRNG.  Anything secret drawn from
// rand() afterwards is predictable.
// NOTE(review): in the OTEXT_USE_PRIMEFIELD build the curve is installed from
// m_ECCField.* rather than params->eccparams.*, so params->eccparams.BA/BB/BP
// are left at their defaults in that configuration - looks like a leftover
// from the member-based version; confirm which one callers rely on.
// NOTE(review): params->secparam is taken from lvl.ecckcbits in both builds,
// while the prime-field curve is chosen by lvl.eccpfbits - verify that
// mirsys() and elebytelen are sized for the curve actually installed.
BOOL MiraclInit(SECLVL lvl, BYTE* seed, fparams* params)
{
    //secparam = 163;
    /* (stale commented-out switch on lvl.ecckcbits removed; the #ifdef chain below replaced it) */
#ifdef OTEXT_USE_PRIMEFIELD
    params->secparam = lvl.ecckcbits;
#else
    params->secparam= lvl.ecckcbits;
#endif
    miracl *mip = mirsys(params->secparam, 2);
    //miracl *mip=mirsys(MR_ROUNDUP(abs(163),4),16);
    char *ecp = NULL, *ecb = NULL, *ecx = ecx160, *ecy = ecy160;
    params->eccparams.BB = new Big();
    params->eccparams.BA = new Big();
    params->eccparams.BP = new Big();
#ifdef OTEXT_USE_PRIMEFIELD
    // Prime-field curves: (p, b, base point) selected by lvl.eccpfbits.
    if(lvl.eccpfbits == ST.eccpfbits)
    {
        ecp = ecp160; ecb = ecb160; ecx = ecx160; ecy = ecy160;
    }
    else if(lvl.eccpfbits == MT.eccpfbits)
    {
        ecp = ecp224; ecb = ecb224; ecx = ecx224; ecy = ecy224;
    }
    else if(lvl.eccpfbits == LT.eccpfbits)
    {
        ecp = ecp256; ecb = ecb256; ecx = ecx256; ecy = ecy256;
    }
    else //Short term security
    {
        ecp = ecp160; ecb = ecb160; ecx = ecx160; ecy = ecy160;
    }
    /* (stale commented-out switch on lvl.eccpfbits removed; identical to the chain above) */
#else
    // Binary-field curves: field polynomial x^m + x^a + x^b + x^c + 1, curve
    // a-coefficient in BA, base point selected by lvl.ecckcbits.
    if(lvl.ecckcbits == ST.ecckcbits)
    {
        ecx = ecx163; ecy = ecy163;
        params->eccparams.m = 163; params->eccparams.a = 7; params->eccparams.b = 6; params->eccparams.c = 3;
        *(params->eccparams.BA) = 1;
    }
    else if(lvl.ecckcbits == MT.ecckcbits)
    {
        ecx = ecx233; ecy = ecy233;
        params->eccparams.m = 233; params->eccparams.a = 74; params->eccparams.b = 0; params->eccparams.c = 0;
        *(params->eccparams.BA) = 0;
    }
    else if(lvl.ecckcbits == LT.ecckcbits)
    {
        ecx = ecx283; ecy = ecy283;
        params->eccparams.m = 283; params->eccparams.a = 12; params->eccparams.b = 7; params->eccparams.c = 5;
        *(params->eccparams.BA) = 0;
    }
    else //Short term security
    {
        ecx = ecx163; ecy = ecy163;
        params->eccparams.m = 163; params->eccparams.a = 7; params->eccparams.b = 6; params->eccparams.c = 3;
        *(params->eccparams.BA) = 1;
    }
    /* (stale commented-out switch on lvl.ecckcbits removed; identical to the chain above) */
#endif
    //seed the miracl rnd generator
    // NOTE(review): only *seed (a single byte) reaches the generator - see header comment.
    irand((long)(*seed));
    //Change the base to read in the parameters
    mip->IOBASE = 16;
    *(params->eccparams.BB) = 1;   // binary-field curves use b = 1
#ifdef OTEXT_USE_PRIMEFIELD
    mip->IOBASE = 16;
    // NOTE(review): writes m_ECCField, not params->eccparams - see header comment.
    *(m_ECCField.BA) = -3;
    *(m_ECCField.BB) = ecb;
    *(m_ECCField.BP) = ecp;
    ecurve(*(m_ECCField.BA), *(m_ECCField.BB), *(m_ECCField.BP), MR_BEST);
#else
    ecurve2_init(params->eccparams.m, params->eccparams.a, params->eccparams.b, params->eccparams.c, params->eccparams.BA->getbig(), params->eccparams.BB->getbig(), false, MR_BEST);
#endif
    // Base point (hex strings parsed with IOBASE 16).
    params->eccparams.X = new Big();
    params->eccparams.Y = new Big();
    *(params->eccparams.X) = ecx;
    *(params->eccparams.Y) = ecy;
    //cout << "params->eccparams.X : " << (*params->eccparams.X) << endl;
    //reset the base representation
    //mip->IOBASE = 10;
    //For ECC, a coordinate is transferred as well as a 1/-1
    params->elebytelen = (params->secparam+7)/8 + 1;
    return true;
}
// Set up the pairing context for a BN curve y^2 = x^3 + B over F_p, with
// p = 36X^4 + 36X^3 + 24X^2 + 6X + 1 and t = 6X^2 + 1, for 128- or 192-bit
// security (X = param_128 / param_192, B = curveB).
//
// s:   128 (256-bit modulus) or 192 (768-bit modulus); anything else prints
//      a message and terminates the process.
// rng: caller-supplied CSPRNG, stored in RNG.
//
// Derived quantities: #E = p + 1 - t (prime, used as ord), cof = p - 1 + t
// (= 2p - #E, the cofactor associated with the twist), Beta a cube root of
// unity mod p for the GLV endomorphism on G1, and the W/SB, WB/BB matrices
// for the 2- and 4-dimensional scalar decompositions on G1 and G2/GT.
// A sextic D-type twist over F_{p^2} is selected for G2.
//
// NOTE(review): the failure path calls exit(0), reporting success to the
// shell.  mirsys() installs a process-global context; every Big/ZZn member
// here is allocated with new and nothing in this block frees them.
// NOTE(review): the lattice entries below are transcribed constants - any
// change must be checked against the cited paper, not eyeballed.
PFC::PFC(int s, csprng *rng)
{
    int i,j,mod_bits,words;
    if (s!=128 && s!=192)
    {
        cout << "No suitable curve available" << endl;
        exit(0);
    }
    if (s==128) mod_bits=256;
    if (s==192) mod_bits=768;
    if (mod_bits%MIRACL==0)
        words=(mod_bits/MIRACL);
    else
        words=(mod_bits/MIRACL)+1;
#ifdef MR_SIMPLE_BASE
    miracl *mip=mirsys((MIRACL/4)*words,16);
#else
    miracl *mip=mirsys(words,0);
    mip->IOBASE=16;
#endif
    B=new Big;
    x=new Big;
    mod=new Big;
    ord=new Big;
    cof=new Big;
    npoints=new Big;
    trace=new Big;
    // 4x4 lattice for the G2/GT decomposition.
    for (i=0;i<4;i++)
    {
        WB[i]=new Big;
        for (j=0;j<4;j++)
        {
            BB[i][j]=new Big;
        }
    }
    // 2x2 lattice for the G1 (GLV) decomposition.
    for (i=0;i<2;i++)
    {
        W[i]=new Big;
        for (j=0;j<2;j++)
        {
            SB[i][j]=new Big;
        }
    }
    Beta=new ZZn;
    frob=new ZZn2;
    Big A=0;
    *B=curveB;
    if (s==128) *x=param_128;
    if (s==192) *x=param_192;
    S=s;
    Big X=*x;
    *mod=36*pow(X,4)+36*pow(X,3)+24*X*X+6*X+1;
    *trace=6*X*X+1;
    *npoints=*mod+1-*trace;
    *cof=*mod-1+*trace;
    *ord=*npoints;
    ecurve(A,*B,*mod,MR_PROJECTIVE);
    // Big Lambda=-(36*pow(x,3)+18*x*x+6*x+2);  // cube root of unity mod q
    *Beta=-(18*pow(X,3)+18*X*X+9*X+2);          // cube root of unity mod p
    set_frobenius_constant(*frob);
    // Use standard Gallant-Lambert-Vanstone endomorphism method for G1
    *W[0]=6*X*X+4*X+1;   // This is first column of inverse of SB (without division by determinant)
    *W[1]=-(2*X+1);
    *SB[0][0]=6*X*X+2*X;
    *SB[0][1]=-(2*X+1);
    *SB[1][0]=-(2*X+1);
    *SB[1][1]=-(6*X*X+4*X+1);
    // Use Galbraith & Scott Homomorphism idea for G2 & GT ... (http://eprint.iacr.org/2008/117.pdf Example 5)
    *WB[0]=2*X*X+3*X+1;  // This is first column of inverse of BB (without division by determinant)
    *WB[1]=12*X*X*X+8*X*X+X;
    *WB[2]=6*X*X*X+4*X*X+X;
    *WB[3]=-2*X*X-X;
    *BB[0][0]=X+1;   *BB[0][1]=X;     *BB[0][2]=X;        *BB[0][3]=-2*X;
    *BB[1][0]=2*X+1; *BB[1][1]=-X;    *BB[1][2]=-(X+1);   *BB[1][3]=-X;
    *BB[2][0]=2*X;   *BB[2][1]=2*X+1; *BB[2][2]=2*X+1;    *BB[2][3]=2*X+1;
    *BB[3][0]=X-1;   *BB[3][1]=4*X+2; *BB[3][2]=-(2*X-1); *BB[3][3]=X-1;
    mip->TWIST=MR_SEXTIC_D;   // map Server to point on twisted curve E(Fp2)
    RNG = rng;
}
// Set up the pairing context for a 192-bit-security curve y^2 = x^3 + B over
// F_p with the parametrisation t = (X^4 + 16X + 7)/7,
// r = (X^6 + 37X^3 + 343)/343, cof = (49X^2 + 245X + 343)/3 - these are the
// KSS k=18 family polynomials, as far as can be told from the code -
// with X = param and B = curveB.
//
// s:   only 192 is accepted (modulus of (8*192)/3 = 512 bits); anything else
//      prints a message and terminates the process.
// rng: caller-supplied CSPRNG, stored in RNG.
//
// Derived quantities: #E = cof * r, p = #E + t - 1, Beta (a root of unity mod
// p used for the G1 endomorphism), sru = p - Beta used to build the cubic
// extension via set_zzn3, and the W/SB (2x2) and WB/BB (6x6) matrices for
// scalar decomposition on G1 and G2/GT.  A sextic D-type twist over F_{p^3}
// is selected for G2.
//
// NOTE(review): the failure path calls exit(0), reporting success to the
// shell.  mirsys() installs a process-global context; the Big/ZZn members
// are allocated with new and never freed here.
// NOTE(review): every polynomial below uses exact integer division; it is
// only correct for the specific param value that makes them divide evenly.
// The lattice entries are transcribed constants - verify against the paper
// rather than by inspection if they are ever touched.
PFC::PFC(int s, csprng *rng)
{
    int i,j,mod_bits,words;
    if (s!=192)
    {
        cout << "No suitable curve available" << endl;
        exit(0);
    }
    mod_bits=(8*s)/3;
    if (mod_bits%MIRACL==0)
        words=(mod_bits/MIRACL);
    else
        words=(mod_bits/MIRACL)+1;
#ifdef MR_SIMPLE_BASE
    miracl *mip=mirsys((MIRACL/4)*words,16);
#else
    miracl *mip=mirsys(words,0);
    mip->IOBASE=16;
#endif
    B=new Big;
    x=new Big;
    mod=new Big;
    ord=new Big;
    cof=new Big;
    npoints=new Big;
    trace=new Big;
    // 6x6 lattice for the G2/GT decomposition.
    for (i=0;i<6;i++)
    {
        WB[i]=new Big;
        for (j=0;j<6;j++)
        {
            BB[i][j]=new Big;
        }
    }
    // 2x2 lattice for the G1 (GLV) decomposition.
    for (i=0;i<2;i++)
    {
        W[i]=new Big;
        for (j=0;j<2;j++)
        {
            SB[i][j]=new Big;
        }
    }
    S=s;
    Beta=new ZZn;
    frob=new ZZn;
    *B=curveB;
    *x=param;
    Big X=*x;
    *trace=(pow(X,4) + 16*X + 7)/7;
    *ord=(pow(X,6) + 37*pow(X,3) + 343)/343;
    *cof=(49*X*X+245*X+343)/3;
    *npoints=*cof*(*ord);
    *mod=*cof*(*ord)+*trace-1;
    ecurve(0,*B,*mod,MR_PROJECTIVE);
    // Beta as a polynomial in X (split in three steps to keep the intermediate
    // values exactly divisible).
    Big BBeta=(3*pow(X,7)-7*pow(X,6)+46*pow(X,5)+68*pow(X,4)-308*pow(X,3)+189*X*X+145*X-3192)/56;
    BBeta+=X*(pow(X,7)/28);
    BBeta/=3;
    Big sru=*mod-BBeta;   // sixth root of unity = -Beta
    set_zzn3(NR,sru);
    *Beta=BBeta;
    set_frobenius_constant(*frob);
    // Use standard Gallant-Lambert-Vanstone endomorphism method for G1
    *W[0]=(X*X*X)/343;   // This is first column of inverse of SB (without division by determinant)
    *W[1]=(18*X*X*X+343)/343;
    *SB[0][0]=(X*X*X)/343;
    *SB[0][1]=-(18*X*X*X+343)/343;
    *SB[1][0]=(19*X*X*X+343)/343;
    *SB[1][1]=(X*X*X)/343;
    // Use Galbraith & Scott Homomorphism idea for G2 & GT ... (http://eprint.iacr.org/2008/117.pdf)
    *WB[0]=5*pow(X,3)/49+2;   // This is first column of inverse of BB (without division by determinant)
    *WB[1]=-(X*X)/49;
    *WB[2]=pow(X,4)/49+3*X/7;
    *WB[3]=-(17*pow(X,3)/343+1);
    *WB[4]=-(pow(X,5)/343+2*(X*X)/49);
    *WB[5]=5*pow(X,4)/343+2*X/7;
    *BB[0][0]=1;      *BB[0][1]=0;     *BB[0][2]=5*X/7; *BB[0][3]=1;   *BB[0][4]=0;   *BB[0][5]=-X/7;
    *BB[1][0]=-5*X/7; *BB[1][1]=-2;    *BB[1][2]=0;     *BB[1][3]=X/7; *BB[1][4]=1;   *BB[1][5]=0;
    *BB[2][0]=0;      *BB[2][1]=2*X/7; *BB[2][2]=1;     *BB[2][3]=0;   *BB[2][4]=X/7; *BB[2][5]=0;
    *BB[3][0]=1;      *BB[3][1]=0;     *BB[3][2]=X;     *BB[3][3]=2;   *BB[3][4]=0;   *BB[3][5]=0;
    *BB[4][0]=-X;     *BB[4][1]=-3;    *BB[4][2]=0;     *BB[4][3]=0;   *BB[4][4]=1;   *BB[4][5]=0;
    *BB[5][0]=0;      *BB[5][1]=-X;    *BB[5][2]=-3;    *BB[5][3]=0;   *BB[5][4]=0;   *BB[5][5]=1;
    mip->TWIST=MR_SEXTIC_D;   // map Server to point on twisted curve E(Fp3)
    RNG=rng;
}
// Parameter search for pairing-friendly curves y^2 = x^3 + B with
// q = x^8 - x^4 + 1 (the 24th cyclotomic polynomial), t = x + 1 and
// p = (1 + x + x^2 - x^4 + 2x^5 - x^6 + x^8 - 2x^9 + x^10)/3 - the shape of
// the BLS k=24 family, as far as can be told from the code.
//
// Starting from s = E000000000000000 (hex) the search tries x = +s and x = -s,
// discards negative x and x of Hamming weight above 7, requires p and q
// prime with p != 1 mod 8, checks that the chosen xi generates a valid
// sextic tower over F_{p^2}, then finds the smallest B whose random point
// scaled by cf = (p+1-t)/q has order q.  The sextic twist over F_{p^4} is
// classified as M- or D-type by testing which one has a point of order q;
// only D-type solutions are printed.  Runs forever.
//
// The randomness (rand(), randn4()) only drives the search, so the unseeded
// generator is fine here.  A candidate for which neither twist works aborts
// the process with exit(0).
int main()
{
    miracl *mip=&precision;
    Big s,x,q,p,t,A,B,cf,X,Y,sru,n,best_s,f,tau[5],TAU;
    Big T,P,F,m1,m2,m3,m4;
    BOOL got_one;
    ECn W;
    ECn4 Q;
    ZZn4 XX,YY,r;
    ZZn2 xi;
    int i,ns,sign,best_ham=1000;
    mip->IOBASE=16;
    s="E000000000000000";
    ns=1;
    forever
    {
        s+=1;
        for (sign=1;sign<=2;sign++)
        {
            if (sign==1) x=s;
            else         x=-s;
            if (x<0 || ham(x)>7) continue;  // filter out difficult or poor solutions
            t=1+x;
            p=1+x+x*x-pow(x,4)+2*pow(x,5)-pow(x,6)+pow(x,8)-2*pow(x,9)+pow(x,10);
            q=1-pow(x,4)+pow(x,8);
            if (p%3!=0) continue;
            p/=3;
            if (p%8==1) continue;
            if (!prime(p)) continue;
            if (!prime(q)) continue;
            // Choose the quadratic non-residue xi in F_{p^2} from p mod 8,
            // then verify x^6 - xi is irreducible (xi neither a square nor a cube).
            modulo(p);
            if (p%8==5) xi.set(0,1);
            if (p%8==3) xi.set(1,1);
            if (p%8==7) xi.set(2,1);
            // make sure its irreducible
            if (pow(xi,(p*p-1)/2)==1) {/*cout << "Failed - not a square" << endl; */ continue;}
            if (pow(xi,(p*p-1)/3)==1) {/*cout << "Failed - not a cube" << endl; */ continue;}
            // make sure that x^6-c is irreducible
            n=p+1-t;
            cf=n/q;
            // Trace of Frobenius^4 via the recurrence tau[i+1] = t*tau[i] - p*tau[i-1].
            tau[0]=2;  // count points on twist over extension p^4
            tau[1]=t;
            for (i=1;i<4;i++ ) tau[i+1]=t*tau[i]-p*tau[i-1];
            P=p*p*p*p;
            TAU=tau[4];
            F=(4*P-TAU*TAU)/3;
            F=sqrt(F);
            m2=P+1-(3*F+TAU)/2;   // order of the sextic twist over F_{p^4}
            // cout << "m2%q= " << m2%q << endl;
            B=1;  // find curve equation
            forever
            {
                B+=1;
                // Known small points for the first few B; otherwise pick a random one.
                if (B==2) { X=-1; Y=1; }
                else if (B==3) { X=1; Y=2; }
                else if (B==8) { X=1; Y=3; }
                else if (B==15) { X=1; Y=4; }
                else
                {
                    do
                    {
                        X=rand(p);
                        Y=sqrt(X*X*X+B,p);
                    } while (Y==0);
                }
                ecurve(0,B,p,MR_AFFINE);
                W.set(X,Y);
                W*=cf;
                if ((q*W).iszero()) break;
            }
            mip->TWIST=MR_SEXTIC_M;  // is it an M-type twist...?
            do
            {
                r=randn4();
            } while (!Q.set(r));
            got_one=FALSE;
            Q*=(m2/q);
            if ((q*Q).iszero()) got_one=TRUE;
            // cout << "m1*Q= " << m1*Q << endl;
            // cout << "m1%q= " << m1%q << endl;
            else
            {
                mip->TWIST=MR_SEXTIC_D;  // no, so it must be D-type.
                do
                {
                    r=randn4();
                } while (!Q.set(r));
                Q*=(m2/q);
                if ((q*Q).iszero()) got_one=TRUE;
            }
            if (!got_one) {cout << "Bad twist" << endl; exit(0);}  // Huh?
            if (mip->TWIST==MR_SEXTIC_M) continue;  // not interested just now
            cout << "solution " << ns << endl;
            cout << "x= " << x << " ham(x)= " << ham(x) << endl;
            cout << "p= " << p << " bits(p)= " << bits(p) << endl;
            cout << "q= " << q << " bits(q)= " << bits(q) << endl;
            cout << "n= " << n << endl;
            cout << "t= " << t << endl;
            cout << "cf= " << cf << endl;
            cout << "W= " << W << endl;
            cout << "q*W= " << q*W << endl;
            mip->IOBASE=10;
            cout << "E(Fp): y^2=x^3+" << B << endl;
            cout << "(p-1)%24= " << (p-1)%24 << endl;
            cout << "p%8= " << p%8 << endl;
            mip->IOBASE=16;
            if (mip->TWIST==MR_SEXTIC_M) cout << "Twist type M" << endl;
            if (mip->TWIST==MR_SEXTIC_D) cout << "Twist type D" << endl;
            Q*=q;
            cout << "check - if right twist should be O - q*Q= " << Q << endl;
            if (ham(x)<best_ham) {best_ham=ham(x);best_s=s;}
            cout << "So far minimum hamming weight of x= " << best_ham << endl;
            cout << "for seed= " << best_s << endl;
            cout << endl;
            ns++;
        }
    }
    return 0;
}
// Demonstration of identity-based authenticated key agreement on an MNT
// curve (p = x^2+1, q = x^2-x+1, t = x+1) using the ate pairing with the
// Server in G2 (quadratic twist over F_{p^3}) and the clients in G1.
//
// A Trusted Authority holds master secret ss and issues sS = ss*Server,
// sA = ss*Alice, sB = ss*Bob.  Each side then computes
// e(Server, sA)^a resp. e(sS, Alice)^s and raises the other's value to its
// own nonce, so both ends reach H2(e(Server,Alice)^{ss*a*s}); the two printed
// keys should match.  Always exits 0 unless a pairing value fails the
// group-membership check, which exits 0 as well.
//
// NOTE(review): ss, a, b and s come from MIRACL's rand() seeded with time(),
// i.e. they are predictable.  Fine for a demo; any real deployment must
// draw the master secret and the nonces from a CSPRNG.
// NOTE(review): a failed ate() only prints "Trouble" and carries on with a
// stale res; an abort would be safer.  B6, XX, YY, Qx, Qy, y, i and qnr are
// declared but unused.
int main()
{
    miracl* mip=&precision;
    ECn Alice,Bob,sA,sB;
    ECn3 B6,Server,sS;
    ZZn6 sp,ap,bp;
    ZZn6 res,XX,YY;
    ZZn2 X;
    ZZn3 Qx,Qy;
    Big a,b,s,ss,p,q,x,y,B,cf,t,sru,T;
    int i,A;
    time_t seed;
    int qnr;
    mip->IOBASE=16;
    x="-D285DA0CFEF02F06F812";   // MNT elliptic curve parameters (Thanks to Drew Sutherland)
    p=x*x+1;
    q=x*x-x+1;
    t=x+1;
    cf=x*x+x+1;
    T=t-1;
    // cout << "t-1= " << T << endl;
    // cout << "p%24= " << p%24 << endl;
    // NOTE(review): wall-clock seed - every random value below is predictable.
    time(&seed);
    irand((long)seed);
    A=-3;
    B="77479D33943B5B1F590B54258B72F316B3261D45";
    ecurve(A,B,p,MR_PROJECTIVE);
    set_frobenius_constant(X);
    sru=pow((ZZn)-2,(p-1)/6);   // x^6+2 is irreducible
    set_zzn3(-2,sru);
    mip->IOBASE=16;
    mip->TWIST=MR_QUADRATIC;   // map Server to point on twisted curve E(Fp3)
    //See ftp://ftp.computing.dcu.ie/pub/resources/crypto/twists.pdf
    ss=rand(q);          // TA's super-secret
    cout << "Mapping Server ID to point" << endl;
    Server=hash_and_map3((char *)"Server");
    // Multiply by the cofactor - thank you NTL!
    // Server*=(p-1);
    // Server*=(p+1+t);
    cofactor(Server,x,X);
    cout << "Mapping Alice & Bob ID's to points" << endl;
    Alice=hash_and_map((char *)"Alice");
    Bob=  hash_and_map((char *)"Robert");
    cout << "Alice, Bob and the Server visit Trusted Authority" << endl;
    sS=ss*Server;
    sA=ss*Alice;
    sB=ss*Bob;
    cout << "Alice and Server Key Exchange" << endl;
    a=rand(q);   // Alice's random number
    s=rand(q);   // Server's random number
    if (!ate(Server,sA,x,X,res)) cout << "Trouble" << endl;
    if (!member(res,x,X))
    {
        cout << "Wrong group order - aborting" << endl;
        exit(0);
    }
    ap=powu(res,a);
    if (!ate(sS,Alice,x,X,res)) cout << "Trouble" << endl;
    if (!member(res,x,X))
    {
        cout << "Wrong group order - aborting" << endl;
        exit(0);
    }
    sp=powu(res,s);
    cout << "Alice Key= " << H2(powu(sp,a)) << endl;
    cout << "Server Key= " << H2(powu(ap,s)) << endl;
    cout << "Bob and Server Key Exchange" << endl;
    b=rand(q);   // Bob's random number
    s=rand(q);   // Server's random number
    if (!ate(Server,sB,x,X,res)) cout << "Trouble" << endl;
    if (!member(res,x,X))
    {
        cout << "Wrong group order - aborting" << endl;
        exit(0);
    }
    bp=powu(res,b);
    if (!ate(sS,Bob,x,X,res)) cout << "Trouble" << endl;
    if (!member(res,x,X))
    {
        cout << "Wrong group order - aborting" << endl;
        exit(0);
    }
    sp=powu(res,s);
    cout << "Bob's Key= " << H2(powu(sp,b)) << endl;
    cout << "Server Key= " << H2(powu(bp,s)) << endl;
    return 0;
}
// Demonstration of identity-based authenticated key agreement on an MNT
// curve (p = x^2+1, q = x^2-x+1, t = x+1), this time using ecap() with the
// G1 argument first, G2_mul for the Server's TA-issued key and GT_pow for
// exponentiation in the target group.
//
// A Trusted Authority holds master secret ss and issues sS = G2_mul(Server,ss),
// sA = ss*Alice, sB = ss*Bob.  Each side pairs its own issued key with the
// other party's public point and raises the result to its nonce; both ends
// should print the same H2 value.  Always exits 0 (also on the
// group-membership failure path).
//
// NOTE(review): ss, a, b and s come from MIRACL's rand() seeded with time(),
// so they are predictable - acceptable only for a demo.
// NOTE(review): if neither AFFINE nor PROJECTIVE is defined, ecurve() is never
// called and everything below runs on an uninitialised curve - unless one of
// them is defined elsewhere in the build.
// NOTE(review): a failed ecap() only prints "Trouble" and carries on with a
// stale res.  B6, y, i and T are declared but unused.
int main()
{
    miracl* mip=&precision;
    ECn Alice,Bob,sA,sB;
    ECn3 B6,Server,sS;
    ZZn6 sp,ap,bp;
    ZZn6 res;
    ZZn2 X;
    Big a,b,s,ss,p,q,x,y,B,cf,t,sru,T;
    int i,A;
    time_t seed;
    mip->IOBASE=16;
    x="-D285DA0CFEF02F06F812";   // MNT elliptic curve parameters (Thanks to Drew Sutherland)
    p=x*x+1;
    q=x*x-x+1;
    t=x+1;
    cf=x*x+x+1;
    T=t-1;
    // cout << "t-1= " << T << endl;
    // cout << "p%24= " << p%24 << endl;
    // NOTE(review): wall-clock seed - every random value below is predictable.
    time(&seed);
    irand((long)seed);
    A=-3;
    B="77479D33943B5B1F590B54258B72F316B3261D45";
#ifdef AFFINE
    ecurve(A,B,p,MR_AFFINE);
#endif
#ifdef PROJECTIVE
    ecurve(A,B,p,MR_PROJECTIVE);
#endif
    set_frobenius_constant(X);
    sru=pow((ZZn)-2,(p-1)/6);   // x^6+2 is irreducible
    set_zzn3(-2,sru);
    mip->IOBASE=16;
    mip->TWIST=MR_QUADRATIC;   // map Server to point on twisted curve E(Fp3)
    ss=rand(q);          // TA's super-secret
    cout << "Mapping Server ID to point" << endl;
    Server=hash_and_map3((char *)"Server");
    cofactor(Server,x,X);
    cout << "Mapping Alice & Bob ID's to points" << endl;
    Alice=hash_and_map((char *)"Alice");
    Bob= hash_and_map((char *)"Robert");
    cout << "Alice, Bob and the Server visit Trusted Authority" << endl;
    sS=G2_mul(Server,ss,x,X);
    sA=ss*Alice;
    sB=ss*Bob;
    cout << "Alice and Server Key Exchange" << endl;
    a=rand(q);   // Alice's random number
    s=rand(q);   // Server's random number
    if (!ecap(sA,Server,x,X,res)) cout << "Trouble" << endl;
    if (!member(res,x,X))
    {
        cout << "Wrong group order - aborting" << endl;
        exit(0);
    }
    ap=GT_pow(res,a,x,X);//powu(res,a);
    if (!ecap(Alice,sS,x,X,res)) cout << "Trouble" << endl;
    if (!member(res,x,X))
    {
        cout << "Wrong group order - aborting" << endl;
        exit(0);
    }
    sp=GT_pow(res,s,x,X);
    cout << "Alice Key= " << H2(powu(sp,a)) << endl;
    cout << "Server Key= " << H2(powu(ap,s)) << endl;
    cout << "Bob and Server Key Exchange" << endl;
    b=rand(q);   // Bob's random number
    s=rand(q);   // Server's random number
    if (!ecap(sB,Server,x,X,res)) cout << "Trouble" << endl;
    if (!member(res,x,X))
    {
        cout << "Wrong group order - aborting" << endl;
        exit(0);
    }
    bp=GT_pow(res,b,x,X);
    if (!ecap(Bob,sS,x,X,res)) cout << "Trouble" << endl;
    if (!member(res,x,X))
    {
        cout << "Wrong group order - aborting" << endl;
        exit(0);
    }
    sp=GT_pow(res,s,x,X);
    cout << "Bob's Key= " << H2(powu(sp,b)) << endl;
    cout << "Server Key= " << H2(powu(bp,s)) << endl;
    return 0;
}