static void e_pairing_clear(pairing_t pairing) { field_clear(pairing->GT); e_pairing_data_ptr p = pairing->data; field_clear(p->Fq); field_clear(p->Eq); element_clear(p->R); pbc_free(p); mpz_clear(pairing->phikonr); mpz_clear(pairing->r); field_clear(pairing->Zr); }
void tear_down(void) { pbc_free(data); element_clear(e0); element_clear(e1); element_clear(e2); element_clear(a); element_clear(b); element_clear(a2); element_clear(b2); element_clear(a3); element_clear(b3); element_clear(a6); element_clear(b6); field_clear(f97_6); field_clear(f97_3); field_clear(f97_2); field_clear(f97); }
void pbc_param_init_d_gen(pbc_param_ptr p, pbc_cm_ptr cm) { d_param_init(p); d_param_ptr param = p->data; field_t Fq, Fqx, Fqd; element_t irred, nqr; int d = cm->k / 2; int i; compute_cm_curve(param, cm); field_init_fp(Fq, param->q); field_init_poly(Fqx, Fq); element_init(irred, Fqx); do { poly_random_monic(irred, d); } while (!poly_is_irred(irred)); field_init_polymod(Fqd, irred); // Find a quadratic nonresidue of Fqd lying in Fq. element_init(nqr, Fqd); do { element_random(((element_t *) nqr->data)[0]); } while (element_is_sqr(nqr)); param->coeff = pbc_realloc(param->coeff, sizeof(mpz_t) * d); for (i=0; i<d; i++) { mpz_init(param->coeff[i]); element_to_mpz(param->coeff[i], element_item(irred, i)); } element_to_mpz(param->nqr, ((element_t *) nqr->data)[0]); element_clear(nqr); element_clear(irred); field_clear(Fqx); field_clear(Fqd); field_clear(Fq); }
/* computation of $c <- U ^ {3^{3m} - 1}$ * This is the algorithm 6 in the paper above. */ static void algorithm6(element_t c, element_t u) { element_ptr u0 = ITEM(u,0,0), u1 = ITEM(u,0,1), u2 = ITEM(u,1,0), u3 = ITEM(u,1,1), u4 = ITEM(u,2,0), u5 = ITEM(u,2,1); field_ptr f = FIELD(u0); /*GF(3^m)*/ field_t f3; /*GF(3^{3*m})*/ field_init_gf33m(f3, f); element_t v0, v1, m0, m1, m2, a0, a1, i; element_init(v0, f3); element_init(v1, f3); element_init(m0, f3); element_init(m1, f3); element_init(m2, f3); element_init(a0, f3); element_init(a1, f3); element_init(i, f3); element_set(element_item(v0, 0), u0); element_set(element_item(v0, 1), u2); element_set(element_item(v0, 2), u4); element_set(element_item(v1, 0), u1); element_set(element_item(v1, 1), u3); element_set(element_item(v1, 2), u5); element_mul(m0, v0, v0); element_mul(m1, v1, v1); element_mul(m2, v0, v1); element_sub(a0, m0, m1); element_add(a1, m0, m1); element_invert(i, a1); element_mul(v0, a0, i); element_mul(v1, m2, i); element_set(ITEM(c,0,0), element_item(v0, 0)); element_set(ITEM(c,1,0), element_item(v0, 1)); element_set(ITEM(c,2,0), element_item(v0, 2)); element_set(ITEM(c,0,1), element_item(v1, 0)); element_set(ITEM(c,1,1), element_item(v1, 1)); element_set(ITEM(c,2,1), element_item(v1, 2)); element_clear(v0); element_clear(v1); element_clear(m0); element_clear(m1); element_clear(m2); element_clear(a0); element_clear(a1); element_clear(i); field_clear(f3); }
static void eta_T_3_pairing_clear(pairing_t pairing) { mpz_clear(pairing->r); field_clear(pairing->Zr); field_clear(pairing->GT); field_clear(pairing->G1); pbc_free(pairing->G1); pairing_data_ptr dp = pairing->data; field_clear(dp->gf3m); field_clear(dp->gf32m); field_clear(dp->gf36m); mpz_clear(dp->n2); pbc_free(dp); }
static void f_pairing_clear(pairing_t pairing) { field_clear(pairing->GT); f_pairing_data_ptr p = pairing->data; element_clear(p->negalpha); element_clear(p->negalphainv); mpz_clear(p->tateexp); element_clear(p->xpowq2); element_clear(p->xpowq6); element_clear(p->xpowq8); field_clear(p->Etwist); field_clear(p->Eq); field_clear(p->Fq12); field_clear(p->Fq2x); field_clear(p->Fq2); field_clear(p->Fq); pbc_free(p); mpz_clear(pairing->r); field_clear(pairing->Zr); }
//============================================ // //============================================ int main(void) { Field f; field_init(f, "bn254_fp6"); test_feature(f); test_arithmetic_operation(f); test_sqrt(f); //test_frob(f); test_io(f); field_clear(f); fprintf(stderr, "ok\n"); return 0; }
static void d_pairing_clear(pairing_t pairing) { field_clear(pairing->GT); pptr p = pairing->data; if (p->k == 6) { element_clear(p->xpowq); element_clear(p->xpowq2); mpz_clear(pairing->phikonr); } else { mpz_clear(p->tateexp); } field_clear(p->Etwist); field_clear(p->Eq); element_clear(p->nqrinv); element_clear(p->nqrinv2); field_clear(p->Fqk); field_clear(p->Fqd); field_clear(p->Fqx); field_clear(p->Fq); field_clear(pairing->Zr); mpz_clear(pairing->r); pbc_free(p); }
int main(void) { field_t c; field_t Z19; element_t P, Q, R; mpz_t q, z; element_t a, b; int i; field_t Z19_2; field_t c2; element_t P2, Q2, R2; element_t a2; mpz_init(q); mpz_init(z); mpz_set_ui(q, 19); field_init_fp(Z19, q); element_init(a, Z19); element_init(b, Z19); element_set_si(a, 1); element_set_si(b, 6); mpz_set_ui(q, 18); field_init_curve_ab(c, a, b, q, NULL); element_init(P, c); element_init(Q, c); element_init(R, c); printf("Y^2 = X^3 + X + 6 over F_19\n"); //(0,+/-5) is a generator element_set0(a); curve_from_x(R, a); for (i=1; i<19; i++) { mpz_set_si(z, i); element_mul_mpz(Q, R, z); element_printf("%dR = %B\n", i, Q); } mpz_set_ui(z, 6); element_mul_mpz(P, R, z); //P has order 3 element_printf("P = %B\n", P); for (i=1; i<=3; i++) { mpz_set_si(z, i); element_mul_mpz(Q, R, z); tate_3(a, P, Q, R); element_printf("e_3(P,%dR) = %B\n", i, a); } element_double(P, R); //P has order 9 element_printf("P = %B\n", P); for (i=1; i<=9; i++) { mpz_set_si(z, i); //we're supposed to use multiples of R //but 2R works just as well and it allows us //to use R as the offset every time element_mul_mpz(Q, P, z); tate_9(a, P, Q, R); element_printf("e_9(P,%dP) = %B\n", i, a); } //to do the pairing on all of E(F_19) we need to move to F_19^2 //or compute the rational function explicitly printf("moving to F_19^2\n"); field_init_fi(Z19_2, Z19); //don't need to tell it the real order field_init_curve_ab_map(c2, c, element_field_to_fi, Z19_2, q, NULL); element_init(P2, c2); element_init(Q2, c2); element_init(R2, c2); element_init(a2, Z19_2); element_set0(a2); curve_from_x(P2, a2); element_random(R2); element_printf("P = %B\n", P2); for (i=1; i<=18; i++) { mpz_set_si(z, i); element_mul_mpz(Q2, P2, z); tate_18(a2, P2, Q2, R2, P2); element_printf("e_18(P,%dP) = %B\n", i, a2); } element_clear(P2); element_clear(Q2); element_clear(R2); element_clear(a2); field_clear(c2); field_clear(Z19_2); field_clear(c); element_clear(a); element_clear(b); element_clear(P); element_clear(Q); element_clear(R); field_clear(Z19); mpz_clear(q); mpz_clear(z); return 0; }
int main(int argc, char **argv) { for (;;) { int c = getopt(argc, argv, "y"); if (c == -1) break; switch (c) { case 'y': option_easy = 1; option_prompt = "> "; break; default: fprintf(stderr, "unrecognized option: %c\n", c); break; } } field_init_z(Z); field_init_multiz(M); symtab_init(tab); builtin(fun_rnd); builtin(fun_random); builtin(fun_ord); builtin(fun_order); builtin(fun_nextprime); builtin(fun_sqrt); builtin(fun_inv); builtin(fun_type); builtin(fun_pairing); builtin(fun_zmod); builtin(fun_poly); builtin(fun_polymod); builtin(fun_extend); builtin(fun_exit); builtin(fun_CHECK); builtin(fun_init_pairing_a); builtin(fun_init_pairing_d); builtin(fun_init_pairing_e); builtin(fun_init_pairing_f); builtin(fun_init_pairing_g); builtin(fun_init_pairing_i); run_init_pairing_a(NULL); symtab_put(reserved, val_new_field(M), "M"); symtab_put(reserved, val_new_field(Z), "Z"); if (argc > optind) { FILE *fp = fopen(argv[optind], "r"); if (!fp) pbc_die("fopen failed on %s", argv[optind]); YY_BUFFER_STATE st = yy_create_buffer(fp, YY_BUF_SIZE); yy_switch_to_buffer(st); yywrapfun = yywrap_return1; yyparse(); yy_delete_buffer(st); } else { yywrapfun = yywrap_readline; yywrap(); while (!end_of_input) { if (2 == yyparse()) pbc_die("parser out of memory"); } putchar('\n'); } symtab_clear(tab); field_clear(M); return 0; }
void pbc_param_init_f_gen(pbc_param_t p, int bits) { f_init(p); f_param_ptr fp = p->data; //36 is a 6-bit number int xbit = (bits - 6) / 4; //TODO: use binary search to find smallest appropriate x mpz_t x, t; mpz_ptr q = fp->q; mpz_ptr r = fp->r; mpz_ptr b = fp->b; field_t Fq, Fq2, Fq2x; element_t e1; element_t f; field_t c; element_t P; mpz_init(x); mpz_init(t); mpz_setbit(x, xbit); for (;;) { mpz_mul(t, x, x); mpz_mul_ui(t, t, 6); mpz_add_ui(t, t, 1); tryminusx(q, x); mpz_sub(r, q, t); mpz_add_ui(r, r, 1); if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break; tryplusx(q, x); mpz_sub(r, q, t); mpz_add_ui(r, r, 1); if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break; mpz_add_ui(x, x, 1); } field_init_fp(Fq, q); element_init(e1, Fq); for (;;) { element_random(e1); field_init_curve_b(c, e1, r, NULL); element_init(P, c); element_random(P); element_mul_mpz(P, P, r); if (element_is0(P)) break; element_clear(P); field_clear(c); } element_to_mpz(b, e1); element_clear(e1); field_init_quadratic(Fq2, Fq); element_to_mpz(fp->beta, field_get_nqr(Fq)); field_init_poly(Fq2x, Fq2); element_init(f, Fq2x); // Find an irreducible polynomial of the form f = x^6 + alpha. // Call poly_set_coeff1() first so we can use element_item() for the other // coefficients. poly_set_coeff1(f, 6); for (;;) { element_random(element_item(f, 0)); if (poly_is_irred(f)) break; } //extend F_q^2 using f = x^6 + alpha //see if sextic twist contains a subgroup of order r //if not, it's the wrong twist: replace alpha with alpha^5 { field_t ctest; element_t Ptest; mpz_t z0, z1; mpz_init(z0); mpz_init(z1); element_init(e1, Fq2); element_set_mpz(e1, fp->b); element_mul(e1, e1, element_item(f, 0)); element_neg(e1, e1); field_init_curve_b(ctest, e1, r, NULL); element_init(Ptest, ctest); element_random(Ptest); //I'm not sure what the #E'(F_q^2) is, but //it definitely divides n_12 = #E(F_q^12). It contains a //subgroup of order r if and only if //(n_12 / r^2)P != O for some (in fact most) P in E'(F_q^6) mpz_pow_ui(z0, q, 12); mpz_add_ui(z0, z0, 1); pbc_mpz_trace_n(z1, q, t, 12); mpz_sub(z1, z0, z1); mpz_mul(z0, r, r); mpz_divexact(z1, z1, z0); element_mul_mpz(Ptest, Ptest, z1); if (element_is0(Ptest)) { mpz_set_ui(z0, 5); element_pow_mpz(element_item(f, 0), element_item(f, 0), z0); } element_clear(e1); element_clear(Ptest); field_clear(ctest); mpz_clear(z0); mpz_clear(z1); } element_to_mpz(fp->alpha0, element_x(element_item(f, 0))); element_to_mpz(fp->alpha1, element_y(element_item(f, 0))); element_clear(f); field_clear(Fq2x); field_clear(Fq2); field_clear(Fq); mpz_clear(t); mpz_clear(x); }
// Computes a curve and sets fp to the field it is defined over using the // complex multiplication method, where cm holds the appropriate information // (e.g. discriminant, field order). static void compute_cm_curve(d_param_ptr param, pbc_cm_ptr cm) { element_t hp, root; field_t fp, fpx; field_t cc; field_init_fp(fp, cm->q); field_init_poly(fpx, fp); element_init(hp, fpx); mpz_t *coefflist; int n = (int)pbc_hilbert(&coefflist, cm->D); // Temporarily set the coefficient of x^{n-1} to 1 so hp has degree n - 1, // allowing us to use poly_coeff(). poly_set_coeff1(hp, n - 1); int i; for (i = 0; i < n; i++) { element_set_mpz(element_item(hp, i), coefflist[i]); } pbc_hilbert_free(coefflist, n); // TODO: Remove x = 0, 1728 roots. // TODO: What if there are no roots? //printf("hp "); //element_out_str(stdout, 0, hp); //printf("\n"); element_init(root, fp); poly_findroot(root, hp); //printf("root = "); //element_out_str(stdout, 0, root); //printf("\n"); element_clear(hp); field_clear(fpx); // The root is the j-invariant of the desired curve. field_init_curve_j(cc, root, cm->n, NULL); element_clear(root); // We may need to twist it. { // Pick a random point P and twist the curve if it has the wrong order. element_t P; element_init(P, cc); element_random(P); element_mul_mpz(P, P, cm->n); if (!element_is0(P)) field_reinit_curve_twist(cc); element_clear(P); } mpz_set(param->q, cm->q); mpz_set(param->n, cm->n); mpz_set(param->h, cm->h); mpz_set(param->r, cm->r); element_to_mpz(param->a, curve_field_a_coeff(cc)); element_to_mpz(param->b, curve_field_b_coeff(cc)); param->k = cm->k; { mpz_t z; mpz_init(z); // Compute order of curve in F_q^k. // n = q - t + 1 hence t = q - n + 1 mpz_sub(z, param->q, param->n); mpz_add_ui(z, z, 1); pbc_mpz_trace_n(z, param->q, z, param->k); mpz_pow_ui(param->nk, param->q, param->k); mpz_sub_ui(z, z, 1); mpz_sub(param->nk, param->nk, z); mpz_mul(z, param->r, param->r); mpz_divexact(param->hk, param->nk, z); mpz_clear(z); } field_clear(cc); field_clear(fp); }