void DecryptKEM_using_product(global_broadcast_params_t gbp,
priv_key_t mykey, element_t key,
ct_t myct)
{
if(!gbp) {
printf("ACK! You gave me no broadcast params! I die.\n");
return;
}
if(!mykey) {
printf("ACK! You gave me no private key info I die.\n");
return;
}
if(!myct) {
printf("ACK! No struct cipher text to decode I die.\n");
return;
}
if(!key) {
printf("ACK! No place to put my key! I die.\n");
return;
}
if(!mykey->decr_prod) {
printf("ACK! Calculate decryption prodcut before ");
printf("calling this function! I die.\n");
return;
}
element_t temp;
element_t temp2;
element_t di_de;
element_t temp3;
element_init(temp, gbp->pairing->GT);
element_init(temp2, gbp->pairing->GT);
element_init(di_de, gbp->pairing->G1);
element_init(temp3, gbp->pairing->GT);
//Generate the numerator
element_pairing(temp, myct->C1, mykey->g_i);
//G1 element in denom
element_mul(di_de, mykey->g_i_gamma, mykey->decr_prod);
//Generate the denominator
element_pairing(temp2, di_de, myct->C0);
//Invert the denominator
element_invert(temp3, temp2);
element_init(key, gbp->pairing->GT);
//multiply the numerator by the inverted denominator
element_mul(key, temp, temp3);
}
static void GT_random(element_ptr e) {
element_t a, b;
element_init(a, e->field->pairing->G1);
element_init(b, e->field->pairing->G1);
element_random(a);
element_random(b);
element_pairing(e, a, b);
element_clear(a);
element_clear(b);
}
static int generic_is_almost_coddh(element_ptr a, element_ptr b,
element_ptr c, element_ptr d, pairing_t pairing) {
int res = 0;
element_t t0, t1;
element_init(t0, pairing->GT);
element_init(t1, pairing->GT);
element_pairing(t0, a, d);
element_pairing(t1, b, c);
if (!element_cmp(t0, t1)) {
res = 1;
} else {
element_mul(t0, t0, t1);
if (element_is1(t0)) res = 1;
}
element_clear(t0);
element_clear(t1);
return res;
}
int main(int argc, char **argv) {
if(argc < 3){
fprintf(stderr,"Wrong input arguments!");
fprintf(stderr,"Please input <./curve><supersinuglar><rbits><qbits> or <./curve><ordinary><bits>\n");
}else{
//initialization
pairing_t pairing;
element_t g,h,temp1;
int rbits, qbits;
if(!strcmp(argv[1],"supersingular")&&argc==4){//to generate supersingualr curve
rbits = atoi(argv[2]);
qbits = atoi(argv[3]);
generateSupersingular(&pairing,rbits,qbits);
printf("generate supersingular curve...");
}else if(!strcmp(argv[1],"ordinary")&&argc==3){//to generate ordinary curve
rbits = atoi(argv[2]);
generateOrdinary(&pairing,256);
printf("generate ordinary curve...");
}else{
fprintf(stderr,"Wrong input arguments!");
fprintf(stderr,"Please input <./curve><supersinuglar><rbits><qbits> or <./curve><ordinary><bits>\n");
return 0;
}
if(pairing_is_symmetric(pairing)){
printf("pairing is symmetric\n");
}else{
printf("pairing is NOT symmetric\n");
}
FILE *fTime = fopen("curve.txt","w+");
clock_t start,end;//start:the start of pairing, end:the end of pairing
float difftime=0.0;
int loopnum = 100;//the numbers for the while-loop
int i;//the index for the for-loop
element_init_G1(g, pairing);
element_init_G2(h, pairing);
element_init_GT(temp1, pairing);
element_random(g);
element_random(h);
for(i = 0;i<100;i++){
while(loopnum--){
start = clock();
element_pairing(temp1, g, h);
end = clock();
}
difftime = (float)(end-start)/CLOCKS_PER_SEC;
printf("The time of using pairing is %f\n",difftime);
fprintf(fTime,"%f\r\n",difftime);
difftime = 0.0;
loopnum = 100;
}
}//end of main-else
return 0;
}
void BroadcastKEM_using_product(global_broadcast_params_t gbp,
broadcast_system_t sys,
ct_t myct, element_t key)
{
if(!gbp) {
printf("ACK! You gave me no broadcast params! I die.\n");
return;
}
if(!sys) {
printf("ACK! You gave me no broadcast system! I die.\n");
return;
}
if(!myct) {
printf("ACK! No struct to store return vals! I die.\n");
return;
}
element_t t;
element_init_Zr(t, gbp->pairing);
element_random(t);
element_init(key, gbp->pairing->GT);
element_init(myct->C0, gbp->pairing->G2);
element_init(myct->C1, gbp->pairing->G1);
//COMPUTE K
element_pairing(key, gbp->gs[gbp->num_users-1], gbp->gs[0]);
element_pow_zn(key, key, t);
//COMPUTE C0
element_pow_zn(myct->C0, gbp->g, t);
//COMPUTE C1
if(DEBUG && 0) {
printf("\npub_key = ");
element_out_str(stdout, 0, sys->pub_key);
printf("\nencr_prod = ");
element_out_str(stdout, 0, sys->encr_prod);
}
element_mul(myct->C1, sys->pub_key, sys->encr_prod);
if(DEBUG && 0) {
printf("\npub_key = ");
element_out_str(stdout, 0, sys->pub_key);
printf("\nencr_prod = ");
element_out_str(stdout, 0, sys->encr_prod);
printf("\nhdr_c1 = ");
element_out_str(stdout, 0, myct->C1);
printf("\n");
}
element_pow_zn(myct->C1, myct->C1, t);
element_clear(t);
}
// USER JOIN PHASE 5 - user key generation (Join)
int xsgs_user_join_phase5(XSGS_PUBLIC_KEY* gpk, XSGS_USER_CERT* ucert,
XSGS_USER_KEY* uk, XSGS_JOIN_PHASE4* jpd4) {
int ret;
pairing_ptr pairing = gpk->pairing;
field_ptr Fp = pairing->Zr;
element_t gt1, gt2, y_neg, g1;
element_init(ucert->x, Fp);
element_set(ucert->x, jpd4->x);
// check A^(x + gamma) = G1 * H^y
// i.e.: e(A, G2)^x * e(A, W) * e(H, G2)^-y == e(G1, G2)
element_init(y_neg, Fp);
element_init_G1(g1, pairing);
element_init_GT(gt1, pairing);
element_init_GT(gt2, pairing);
// gt1 = e(A, G2)^x * e(A, W) * e(H, G2)^-y
// = e(A^x * H^-y, G2) * e(A, W)
element_neg(y_neg, uk->y);
element_pow_naf2(g1, ucert->A, ucert->x, gpk->H, y_neg);
element_pairing(gt1, g1, gpk->G2);
element_pairing(gt2, ucert->A, gpk->W);
element_mul(gt1, gt1, gt2);
// gt2 = e(G1, G2)
element_pairing(gt2, gpk->G1, gpk->G2);
// check gt1 == gt2
ret = element_cmp(gt1, gt2);
element_clear(g1);
element_clear(y_neg);
element_clear(gt1);
element_clear(gt2);
return ret;
}
//Called in file encryption function to generate C0,C1,C0',C1' and EK
//returns CT,EK
void EK_CT_generate(char *gamma, int *shared_users, int num_users, unsigned char *pps, ct CT, element_t EK, char *t_str)
{
global_broadcast_params_t gbs;
element_t t;
int j;
//Global Setup of gbs params
setup_global_broadcast_params(&gbs, pps);
element_set_str(gbs->gamma, gamma, PBC_CONVERT_BASE); //it is important to set user gamma here else a random value will be used
//pick a random value of t from Zr
element_init_Zr(t, gbs->pairing);
element_random(t);
element_snprint(t_str,MAX_ELEMENT_LEN,t);
//compute C0=g^t
element_init(CT->OC0, gbs->pairing->G1);
element_pow_zn(CT->OC0, gbs->g, t);
//compute C1=(g^gamma)x(g[num_users+1-j]) for j in all shared users
element_init(CT->OC1, gbs->pairing->G1);
element_pow_zn(CT->OC1, gbs->g, gbs->gamma); //at this step C1 = g^gamma = v as given in paper
for(j=0;j<num_users;j++)
element_mul(CT->OC1, CT->OC1, gbs->gs[(gbs->num_users)-shared_users[j]]);
element_pow_zn(CT->OC1, CT->OC1, t);
//Duplicate C0'=C0
element_init(CT->C0, gbs->pairing->G1);
element_set(CT->C0,CT->OC0);
//Duplicate C1'=C1
element_init(CT->C1, gbs->pairing->G1);
element_set(CT->C1,CT->OC1);
//COMPUTE EK = e(g[n], g[1])^(t)
element_init(EK, gbs->pairing->GT);
element_pairing(EK, gbs->gs[0],gbs->gs[gbs->num_users-1]); //at this step EK = e(g[1],g[n])
element_pow_zn(EK,EK,t); //EK = e(g[1],g[n])^t
//free the memory for global broadcast params
element_clear(t);
FreeGBP(gbs);
return;
}
void consumerShares(signed long int *codeword){
pairing_t pairing;
element_t g, r, a, e_g_g, share;
char *argv = "./param/a.param";
char s[16384];
signed long int temp_share;
FILE *fp = stdin;
fp = fopen(argv, "r");
if (!fp)
pbc_die("error opening %s\n", argv);
size_t count = fread(s, 1, 16384, fp);
if(!count)
pbc_die("read parameter failure\n");
fclose(fp);
if(pairing_init_set_buf(pairing, s, count))
pbc_die("pairing init failed\n");
if(!pairing_is_symmetric(pairing)) pbc_die("pairing is not symmetric\n");
element_init_G1(g, pairing);
element_init_Zr(r, pairing);
element_init_Zr(a, pairing);
element_init_Zr(share, pairing);
element_init_GT(e_g_g, pairing);
//find the generator of the group
element_set(g, ((curve_data_ptr)((a_pairing_data_ptr)
pairing->data)->Eq->data)->gen);
element_random(r);
element_random(a);
//compute e(g, g)
element_pairing(e_g_g, g, g);
//compute e(g, g)^r
element_pow_zn(e_g_g, e_g_g, r);
//compute e(g,g)^ra
element_pow_zn(e_g_g, e_g_g, a);
temp_share = codeword[0];
//transfer signed long int type ecret shares to an element_t type before we do the power of
//e_g_g
element_set_si(share, temp_share);
element_pow_zn(e_g_g, e_g_g, share);
}
int bb_verify(unsigned char *sig, unsigned int hashlen, unsigned char *hash, bb_public_key_t pk)
{
element_t sigma, r;
element_t m;
element_t t0, t1, t2;
int res;
int len;
pairing_ptr pairing = pk->param->pairing;
element_init(m, pairing->Zr);
element_from_hash(m, hash, hashlen);
element_init(sigma, pairing->G1);
len = element_from_bytes_x_only(sigma, sig);
element_init(r, pairing->Zr);
element_from_bytes(r, sig + len);
element_init(t0, pairing->G2);
element_init(t1, pairing->G2);
element_init(t2, pairing->GT);
element_pow_zn(t0, pk->g2, m);
element_pow_zn(t1, pk->v, r);
element_mul(t0, t0, t1);
element_mul(t0, t0, pk->u);
element_pairing(t2, sigma, t0);
if (!element_cmp(t2, pk->z)) {
res = 1;
} else {
element_mul(t2, t2, pk->z);
res = element_is1(t2);
}
element_clear(t0);
element_clear(t1);
element_clear(t2);
element_clear(m);
element_clear(sigma);
element_clear(r);
return res;
}
void bb_gen(bb_public_key_t pk, bb_private_key_t sk, bb_sys_param_t param)
{
pairing_ptr pairing = param->pairing;
pk->param = sk->param = param;
element_init(sk->x, pairing->Zr);
element_init(sk->y, pairing->Zr);
element_random(sk->x);
element_random(sk->y);
element_init(pk->g1, param->pairing->G1);
element_init(pk->g2, param->pairing->G2);
element_init(pk->z, param->pairing->GT);
element_random(pk->g2);
element_random(pk->g1);
element_init(pk->u, param->pairing->G2);
element_init(pk->v, param->pairing->G2);
element_pow_zn(pk->u, pk->g2, sk->x);
element_pow_zn(pk->v, pk->g2, sk->y);
element_pairing(pk->z, pk->g1, pk->g2);
}
bool Manager::JoinMember(string request, string & respond)
{
//elements
element_t Pi1;
element_t Pi2;
element_t Sk;
element_t R;
element_init_G1(Pi1,pairing);
element_init_GT(Pi2, pairing);
element_init_Zr(Sk, pairing);
element_init_G1(R,pairing);
//read & check SoK
string hash;
string hash_check;
RequestFromString(request,hash,Sk,Pi1);
//check Pi1 is point of curve
if(element_item_count(Pi1)!=2)
{
element_clear(Pi1);
element_clear(Pi2);
element_clear(Sk);
element_clear(R);
return 1;//failure
}
element_t tmp1, tmp2;
element_t c_Hsok;
element_init_G1(tmp1, pairing);
element_init_G1(tmp2, pairing);
element_init_Zr(c_Hsok, pairing);
element_from_hash(c_Hsok,(void*)hash.c_str(),hash.length());
element_pow_zn(tmp1,g,Sk);
element_pow_zn(tmp2,Pi1,c_Hsok);
element_div(R,tmp1,tmp2);
hash_check=Helper::Hash_g_R(g,R);
if(hash.compare(hash_check))
{
element_clear(Pi1);
element_clear(Pi2);
element_clear(Sk);
element_clear(R);
element_clear(tmp1);
element_clear(tmp2);
element_clear(c_Hsok);
return 1;//failure
}
//generate r_issuer
element_t issuer_r;
element_init_Zr(issuer_r, pairing);
element_random(issuer_r);
//create a b c
element_t ai;
element_t bi;
element_t ci;
element_t temp_ci1;
element_t temp_ci2;
//init
element_init_G1(ai, pairing);
element_init_G1(bi, pairing);
element_init_G1(ci, pairing);
element_init_G1(temp_ci1, pairing);
element_init_G1(temp_ci2, pairing);
//compute ai bi ci
element_pow_zn(ai,g,issuer_r);//ai
element_pow_zn(bi,ai,y);//bi
element_pow_zn(temp_ci1,ai,x);
element_pow_zn(temp_ci2,Pi1,issuer_r);
element_pow_zn(temp_ci2,temp_ci2,x);
element_pow_zn(temp_ci2,temp_ci2,y);
element_mul(ci,temp_ci1,temp_ci2);//ci
//create RESPOND
respond=MemberSecretToString(ai,bi,ci);
//compute Pi2
element_pairing(Pi2,Pi1,g);
//Write_to_reg_list
AddToRegistrationList(Pi1, Pi2);
//clear elements
element_clear(issuer_r);
element_clear(Pi1);
element_clear(Pi2);
element_clear(temp_ci1);
element_clear(temp_ci2);
element_clear(tmp1);
element_clear(tmp2);
element_clear(c_Hsok);
element_clear(Sk);
element_clear(R);
element_clear(ai);
element_clear(bi);
element_clear(ci);
return 0;//success
}
static val_ptr run_pairing(val_ptr v[]) {
element_ptr x = v[0]->elem;
element_ptr e = element_new(x->field->pairing->GT);
element_pairing(e, x, v[1]->elem);
return val_new_element(e);
}
void pbc_decrypt(struct crypto *pbc, int tl, int *nse, int ts,
int use_caching, int use_product)
{
/* e(C_0, K_0) -> pairing(C, K[i])
* e(C_{i1}, K_{i1}) -> pairing(Ci[i], Ki[i])
* e(C_{i2}, K_{i2}) -> pairing(Ci[i], Ki[i])
*/
element_t C, K[ts], Ci[tl], Ki[tl], R, A, B, M, T;
int num_mul=0, num_pair=0;
struct timeval st, en;
int i, j;
/* -------------------- setup --------------------- */
gettimeofday(&st, NULL);
element_init_G1(C, pbc->pairing);
element_random(C);
for (i = 0; i < ts; i++) {
element_init_G2(K[i], pbc->pairing);
element_random(K[i]);
}
for (i = 0; i < tl; i++) {
element_init_G1(Ci[i], pbc->pairing);
element_random(Ci[i]);
}
for (i = 0; i < tl; i++) {
element_init_G2(Ki[i], pbc->pairing);
element_random(Ki[i]);
}
element_init_GT(R, pbc->pairing);
element_init_GT(A, pbc->pairing);
element_init_GT(B, pbc->pairing);
element_init_GT(M, pbc->pairing);
element_init_GT(T, pbc->pairing);
gettimeofday(&en, NULL);
printf("Setup: %lu us\n", time_diff(&st, &en));
printf("tl=%d ts=%d|", tl, ts);
for (i = 0; i < ts; i++)
printf("%d ", nse[i]);
printf("\n");
/* ------------------ decryption ------------------ */
gettimeofday(&st, NULL);
/* e(C0, K0) across all tokens */
if (use_caching) {
pairing_pp_t pp;
pairing_pp_init(pp, C, pbc->pairing);
for (i = 0; i < ts; i++)
pairing_pp_apply(R, K[i], pp);
pairing_pp_clear(pp);
} else
for (i = 0; i < ts; i++) {
pairing_apply(R, C, K[i], pbc->pairing);
num_pair++;
}
/* prod{e(Ci1, Ki1)}prod{e(Ci2, Ki2)} across all tokens */
if (use_product) {
for (i = 0; i < ts; i++) {
if (!nse[i])continue;
element_prod_pairing(A, Ci, Ki, nse[i]);
element_prod_pairing(B, Ci, Ki, nse[i]);
element_mul(M, A, B);
}
} else
for (i = 0; i < ts; i++) {
element_set1(A);
for (j = 0; j < nse[i]; j++) {
element_pairing(T, Ci[j], Ki[j]);
element_mul(A, A, T);
num_pair++;
num_mul++;
}
element_set1(B);
for (j = 0; j < nse[i]; j++) {
element_pairing(T, Ci[j], Ki[j]);
element_mul(B, B, T);
num_pair++;
num_mul++;
}
element_mul(M, A, B);
num_mul++;
}
gettimeofday(&en, NULL);
printf("Decryption: %lu us\n", time_diff(&st, &en));
if (use_caching || use_product) {
num_pair = -1;
num_mul = -1;
}
printf("Used %d pairings and %d multiplications\n", num_pair, num_mul);
/* ------------------- cleanup -------------------- */
gettimeofday(&st, NULL);
element_clear(T);
element_clear(M);
element_clear(B);
element_clear(A);
element_clear(R);
element_clear(C);
for (i = 0; i < ts; i++)
element_clear(K[i]);
for (i = 0; i < tl; i++)
element_clear(Ci[i]);
for (i = 0; i < tl; i++)
element_clear(Ki[i]);
gettimeofday(&en, NULL);
printf("Cleanup: %lu us\n", time_diff(&st, &en));
}
void BSActivity(unsigned char *da, unsigned char *db, unsigned char *dc, unsigned char *dcu) {
//signature decompress
//printf("Verifying....\n");
element_t cu, A, B, C;
element_init_G1(A, pairing);
element_init_G1(B, pairing);
element_init_G1(C, pairing);
element_init_Zr(cu, pairing2);
element_from_bytes_compressed(A, da);
element_from_bytes_compressed(B, db);
element_from_bytes_compressed(C, dc);
element_from_bytes(cu, dcu);
pbc_free(da);
pbc_free(db);
pbc_free(dc);
pbc_free(dcu);
//verification I
element_t exbcu;
element_t tmp1, tmp2, right, left;
element_init_GT(exbcu, pairing);
element_init_GT(tmp1, pairing);
element_init_GT(tmp2, pairing);
element_init_GT(right, pairing);
element_init_GT(left, pairing);
element_pairing(tmp1, X, A);
element_pairing(tmp2, X, B);
element_pow_zn(exbcu, tmp2, cu);
element_mul(left, tmp1, exbcu);
element_pairing(right, g, C);
if (!element_cmp(left, right)) {
//printf("part 1 verifies\n");
} else {
printf("*BUG* part 1 does not verify *BUG*\n");
}
//verification II
element_pairing(left, A, Y);
element_pairing(right, g, B);
if (!element_cmp(left, right)) {
//printf("part 2 verifies\n");
} else {
printf("*BUG* part 2 does not verify *BUG*\n");
}
if(ifsize) {
int totalsize = sizeof(tmp1) + sizeof(tmp2) + sizeof(right) + sizeof(left) +
sizeof(A) + sizeof(B) + sizeof(C) + sizeof(cu);
printf("Memory used at base station is %d bytes. \n", totalsize);
}
element_clear(exbcu);
element_clear(tmp1);
element_clear(tmp2);
element_clear(right);
element_clear(left);
element_clear(A);
element_clear(B);
element_clear(C);
element_clear(cu);
return;
}
bool Manager::Verification(string signature, char*mes, int len_mes)
{
//compare variables
bool cmp_value_1=0;
bool cmp_value_2=0;
//elements
element_t T1,T2,T3,T4;
element_t T5, T6, T7;
element_t c_H;
element_t H;
element_t Sp;
element_t Sm;
element_t Sv;
//init
element_init_GT(T1, pairing);
element_init_GT(T2, pairing);
element_init_GT(T3, pairing);
element_init_GT(T4, pairing);
element_init_G1(T5, pairing);
element_init_G1(T6, pairing);
element_init_G1(T7, pairing);
element_init_Zr(Sp,pairing);
element_init_Zr(Sm,pairing);
element_init_Zr(Sv,pairing);
element_init_Zr(H, pairing);
element_init_Zr(c_H, pairing);
SignatureFromString(signature, c_H,Sp,Sm,Sv,T1,T2,T3,T4,T5,T6,T7);
//heshing
Helper::Hash_T1_T2_T3(H,T1,T2,T3);
//compute R1'
element_t tmp_1;
element_t tmp_2;
element_t tmp_3;
element_t R1_;
element_init_GT(R1_, pairing);
element_init_GT(tmp_1, pairing);
element_init_GT(tmp_2, pairing);
element_init_GT(tmp_3, pairing);
element_pairing(tmp_1, g, T7);
element_pow_zn(tmp_2, tmp_1, Sp);
element_pairing(tmp_1, X, T6);
element_pow_zn(tmp_3, tmp_1, Sm);
element_div(R1_, tmp_2, tmp_3);
element_pairing(tmp_3, X, T5);
element_pow_zn(tmp_3, tmp_3, c_H);
element_div(R1_, R1_, tmp_3);
//compute R2'
element_t R2_;
element_init_GT(R2_, pairing);
element_pow_zn(R2_, gt, Sv);
element_pow_zn(tmp_1, T1, c_H);
element_div(R2_, R2_, tmp_1);
//compute R3'
element_t R3_;
element_init_GT(R3_, pairing);
element_pow_zn(tmp_1, h, Sv);
element_pow_zn(tmp_2, T2, c_H);
element_sub(R3_, tmp_1, tmp_2);
//compute R4'
element_t R4_;
element_init_GT(R4_, pairing);
element_pow_zn(tmp_1, y1, Sv);
element_pow_zn(tmp_2, gt, Sm);
element_mul(tmp_3, tmp_1, tmp_2);
element_pow_zn(tmp_1,T3, c_H);
element_sub(R4_, tmp_3, tmp_1);
//compute R5'
element_t R5_;
element_init_GT(R5_, pairing);
element_t tmp_pow;
element_init_Zr(tmp_pow, pairing);
element_t tmp_div;
element_init_GT(tmp_div, pairing);
element_pow_zn(R5_, y2, Sv);
element_pow_zn(tmp_div,y3,H);
element_pow_zn(tmp_div,tmp_div,Sv);
element_mul(R5_,R5_,tmp_div);
element_pow_zn(tmp_div,T4, c_H);
element_div(R5_, R5_, tmp_div);
//check c_H == c_H'
element_t check_c_H;
element_init_Zr(check_c_H, pairing);
Helper::Hash_C(check_c_H,R1_,R2_,R3_,R4_,R5_,g,gt,X,Y,h,y1,y2,y3,mes,len_mes);
//check e(T 5 , Y ) == e(g, T 6 )
element_t check_1;
element_init_GT(check_1, pairing);
element_t check_2;
element_init_GT(check_2, pairing);
element_pairing(check_1, T5,Y);
element_pairing(check_2, g,T6);
//cmp_value_1
cmp_value_1=element_cmp(check_c_H,c_H);//0==ok
//cmp_value_2
cmp_value_2=element_cmp(check_1,check_2);//0==ok
//clear elements
element_clear(T1);
element_clear(T2);
element_clear(T3);
element_clear(T4);
element_clear(T5);
element_clear(T6);
element_clear(T7);
element_clear(Sp);
element_clear(Sm);
element_clear(Sv);
element_clear(H);
element_clear(c_H);
element_clear(R1_);
element_clear(R2_);
element_clear(R3_);
element_clear(R4_);
element_clear(R5_);
element_clear(tmp_1);
element_clear(tmp_2);
element_clear(tmp_3);
element_clear(tmp_pow);
element_clear(tmp_div);
element_clear(check_c_H);
element_clear(check_1);
element_clear(check_2);
if(cmp_value_1||cmp_value_2)
return 0;
else
return 1;
}
void Manager::KeyGeneration(string & PK, string & IK, string & OK)
{
element_t gt_new;
element_t g_new;
element_t X_new;
element_t Y_new;
element_t h_new;
element_t y1_new;
element_t y2_new;
element_t y3_new;
//issuer secret
element_t x_new;
element_t y_new;
//open secret
element_t x1_new;
element_t x2_new;
element_t x3_new;
element_t x4_new;
element_t x5_new;
//init public key
element_init_G1(g_new, pairing);
element_init_GT(gt_new, pairing);
element_init_G1(X_new, pairing);
element_init_G1(Y_new, pairing);
element_init_GT(h_new, pairing);
element_init_GT(y1_new, pairing);
element_init_GT(y2_new, pairing);
element_init_GT(y3_new, pairing);
//init issuer key
element_init_Zr(x_new, pairing);
element_init_Zr(y_new, pairing);
//init open key
element_init_Zr(x1_new, pairing);
element_init_Zr(x2_new, pairing);
element_init_Zr(x3_new, pairing);
element_init_Zr(x4_new, pairing);
element_init_Zr(x5_new, pairing);
//set tmp variables
element_t temp_y1;
element_t temp_y2;
element_init_GT(temp_y1, pairing);
element_init_GT(temp_y2, pairing);
//generate system parameters
element_random(g_new);
element_pairing(gt_new,g_new,g_new);
//generate private keys of group manager
element_random(x_new);
element_random(y_new);
//compute X Y
element_pow_zn(X_new,g_new,x_new);
element_pow_zn(Y_new,g_new,y_new);
//generate h != 1
do
{
element_random(h_new);
}
while(element_is1(h_new));
//rand of secret set x1...x5
element_random(x1_new);
element_random(x2_new);
element_random(x3_new);
element_random(x4_new);
element_random(x5_new);
//compute y1
element_pow_zn(temp_y1,gt_new,x1_new);
element_pow_zn(temp_y2,h_new,x2_new);
element_mul(y1_new,temp_y1,temp_y2);
//compute y2
element_pow_zn(temp_y1,gt_new,x3_new);
element_pow_zn(temp_y2,h_new,x4_new);
element_mul(y2_new,temp_y1,temp_y2);
//compute y3
element_pow_zn(y3_new,gt_new,x5_new);
//Write keys
PK=GroupPublicKeyToString(g_new, gt_new, X_new, Y_new, h_new, y1_new, y2_new, y3_new);
IK=SecretIssuerKeyToString(x_new,y_new);
OK=SecretOpenKeyToString(x1_new,x2_new,x3_new,x4_new,x5_new);
//clear elements
//clear public key
element_clear(g_new);
element_clear(gt_new);
element_clear(X_new);
element_clear(Y_new);
element_clear(h_new);
element_clear(y1_new);
element_clear(y2_new);
element_clear(y3_new);
//clear issuer key
element_clear(x_new);
element_clear(y_new);
//clear open key
element_clear(x1_new);
element_clear(x2_new);
element_clear(x3_new);
element_clear(x4_new);
element_clear(x5_new);
//clear tmps
element_clear(temp_y1);
element_clear(temp_y2);
}
int main(int argc, char **argv) {
pairing_t pairing;
pbc_demo_pairing_init(pairing, argc, argv);
if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric");
double time1, time2;
element_t P, Ppub, x, S, H, t1, t2, t3, t4;
element_init_Zr(x, pairing);
element_init_Zr(H, pairing);
element_init_Zr(t1, pairing);
element_init_G1(S, pairing);
element_init_G1(P, pairing);
element_init_G1(Ppub, pairing);
element_init_G1(t2, pairing);
element_init_GT(t3, pairing);
element_init_GT(t4, pairing);
printf("ZSS short signature schema\n");
printf("KEYGEN\n");
time1 = pbc_get_time();
element_random(x);
element_random(P);
element_mul_zn(Ppub, P, x);
element_printf("P = %B\n", P);
element_printf("x = %B\n", x);
element_printf("Ppub = %B\n", Ppub);
printf("SIGN\n");
element_from_hash(H, "Message", 7);
element_add(t1, H, x);
element_invert(t1, t1);
element_mul_zn(S, P, t1);
printf("Signature of message \"Message\" is:\n");
element_printf("S = %B\n", S);
printf("VERIFY\n");
element_from_hash(H, "Message", 7);
element_mul_zn(t2, P, H);
element_add(t2, t2, Ppub);
element_pairing(t3, t2, S);
element_pairing(t4, P, P);
element_printf("e(H(m)P + Ppub, S) = %B\n", t3);
element_printf("e(P, P) = %B\n", t4);
if (!element_cmp(t3, t4)) printf("Signature is valid\n");
else printf("Signature is invalid\n");
time2 = pbc_get_time();
printf("All time = %fs\n", time2 - time1);
element_clear(P);
element_clear(Ppub);
element_clear(x);
element_clear(S);
element_clear(H);
element_clear(t1);
element_clear(t2);
element_clear(t3);
element_clear(t4);
pairing_clear(pairing);
return 0;
}
// USER JOIN PHASE 3 - user key generation (Join)
int xsgs_user_join_phase3(XSGS_PUBLIC_KEY* gpk, XSGS_USER_CERT* ucert,
XSGS_JOIN_PHASE1* jpd1, XSGS_JOIN_PHASE2* jpd2, XSGS_JOIN_PHASE3* jpd3,
char* usk_pem_filename) {
int ret;
pairing_ptr pairing = gpk->pairing;
field_ptr Fp = pairing->Zr;
element_t B, D, R1, R2, h, g1, gt;
// B = e(G1 * C, G2) / e(A, W) = e(G1 * C, G2) * e(A^-1, W)
element_init_GT(B, pairing);
element_init_G1(g1, pairing);
element_init_GT(gt, pairing);
element_mul(g1, gpk->G1, jpd1->C);
element_pairing(B, g1, gpk->G2);
element_invert(g1, jpd2->A);
element_pairing(gt, g1, gpk->W);
element_mul(B, B, gt);
// D = e(A, G2)
element_init_GT(D, pairing);
element_pairing(D, jpd2->A, gpk->G2);
// verifies A e Group1, Checks V
element_init(h, Fp);
element_from_hash(h, jpd1->U.hash, JOIN_HASH_BITS / 8);
element_neg(h, h);
// R1 = B^s * T1^h
element_init_GT(R1, pairing);
element_pow_naf2(R1, B, jpd2->V.s, jpd2->V.T1, h);
// R2 = D^s * T2^h
element_init_GT(R2, pairing);
element_pow_naf2(R2, D, jpd2->V.s, jpd2->V.T2, h);
// clear tmp
element_clear(g1);
element_clear(gt);
element_clear(h);
// h = H(B, D, T1, T2, R1, R2)
DWORD data_len = element_length_in_bytes(B) + element_length_in_bytes(D)
+ element_length_in_bytes(jpd2->V.T1)
+ element_length_in_bytes(jpd2->V.T2) + element_length_in_bytes(R1)
+ element_length_in_bytes(R2);
BYTE* data_buf = (BYTE*) malloc(data_len);
data_buf += element_to_bytes(data_buf, B);
data_buf += element_to_bytes(data_buf, D);
data_buf += element_to_bytes(data_buf, jpd2->V.T1);
data_buf += element_to_bytes(data_buf, jpd2->V.T2);
data_buf += element_to_bytes(data_buf, R1);
data_buf += element_to_bytes(data_buf, R2);
data_buf -= data_len;
BYTE* hash = (BYTE*) malloc(JOIN_HASH_BITS / 8);
xsgs_hash(data_buf, data_len * 8, hash, JOIN_HASH_BITS);
free(data_buf);
element_clear(B);
element_clear(D);
element_clear(R1);
element_clear(R2);
// compare hashes
ret = memcmp(jpd2->V.hash, hash, JOIN_HASH_BITS / 8);
free(hash);
if (!ret) {
element_init_G1(ucert->A, pairing);
element_set(ucert->A, jpd2->A);
// S = sign(A)
DWORD msg_len = element_length_in_bytes(ucert->A);
BYTE* msg = (BYTE*) malloc(msg_len);
element_to_bytes(msg, ucert->A);
ret = xsgs_rsa_sign(usk_pem_filename, msg, msg_len, &(jpd3->S.sig), &(jpd3->S.len));
free(msg);
}
// return ( S = (rsa signature length, rsa signature) )
return ret;
}
int main(int argc, char **argv) {
pairing_t pairing;
double time1, time2;
element_t P, a, b, c, Ka, Kb, Kc, t1, t2, t3, t4, t5, t6;
pbc_demo_pairing_init(pairing, argc, argv);
if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric");
element_init_G1(P, pairing);
element_init_G1(t1, pairing);
element_init_G1(t2, pairing);
element_init_G1(t3, pairing);
element_init_Zr(a, pairing);
element_init_Zr(b, pairing);
element_init_Zr(c, pairing);
element_init_GT(t4, pairing);
element_init_GT(t5, pairing);
element_init_GT(t6, pairing);
element_init_GT(Ka, pairing);
element_init_GT(Kb, pairing);
element_init_GT(Kc, pairing);
time1 = pbc_get_time();
printf("Joux key agreement between A, B and C.\n");
element_random(P);
element_random(a);
element_random(b);
element_random(c);
element_mul_zn(t1, P, a);
printf("A sends B and C: aP\n");
element_printf("aP = %B\n", t1);
element_mul_zn(t2, P, b);
printf("B sends A and C: bP\n");
element_printf("bP = %B\n", t2);
element_mul_zn(t3, P, c);
printf("C sends A and B: cP\n");
element_printf("cP = %B\n", t3);
element_pairing(t4, t2, t3);
element_pow_zn(Ka, t4, a);
element_printf("Ka = %B\n", Ka);
element_pairing(t5, t1, t3);
element_pow_zn(Kb, t5, b);
element_printf("Kb = %B\n", Kb);
element_pairing(t6, t1, t2);
element_pow_zn(Kc, t6, c);
element_printf("Kc = %B\n", Kc);
printf("Shared key K = Ka = Kb = Kc\n");
time2 = pbc_get_time();
printf("All time = %fs\n", time2 - time1);
element_clear(P);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(Ka);
element_clear(Kb);
element_clear(Kc);
element_clear(t1);
element_clear(t2);
element_clear(t3);
element_clear(t4);
element_clear(t5);
element_clear(t6);
pairing_clear(pairing);
return 0;
}
// USER JOIN PHASE 2 - user key generation (Join)
int xsgs_user_join_phase2(XSGS_PUBLIC_KEY* gpk, XSGS_USER_DB_ENTRY* udbe,
XSGS_ISSUER_KEY* ik, XSGS_PAILLIER_PUBKEY* ppk, XSGS_JOIN_PHASE1* jpd1,
XSGS_JOIN_PHASE2* jpd2) {
int ret;
pairing_ptr pairing = gpk->pairing;
field_ptr Fp = pairing->Zr;
mpz_t r1, h; //, t;
element_t R1, R2, g1, B, D, zp, gt, hp;
mpz_init(h);
mpz_from_hash(h, jpd1->U.hash, JOIN_HASH_BITS / 8);
// 1. verify C e G1 and check U
// R1 = g^s * c^h mod n^2
mpz_init(r1);
mpz_powm2(r1, ppk->g, jpd1->U.s, jpd1->U.c, h, ppk->n_squared);
// R2 = H^s * C^h
element_init_G1(R2, pairing);
element_pow_naf2_mpz(R2, gpk->H, jpd1->U.s, jpd1->C, h);
mpz_clear(h);
// h = H(g, n, c, C, H, R1, R2)
DWORD data_len = mpz_length_in_bytes(ppk->g)
+ mpz_length_in_bytes(ppk->n_squared)
+ mpz_length_in_bytes(jpd1->U.c) + element_length_in_bytes(jpd1->C)
+ element_length_in_bytes(gpk->H) + mpz_length_in_bytes(r1)
+ element_length_in_bytes(R2);
BYTE* data_buf = (BYTE*) malloc(data_len);
data_buf += mpz_to_bytes(data_buf, ppk->g);
data_buf += mpz_to_bytes(data_buf, ppk->n_squared);
data_buf += mpz_to_bytes(data_buf, jpd1->U.c);
data_buf += element_to_bytes(data_buf, jpd1->C);
data_buf += element_to_bytes(data_buf, gpk->H);
data_buf += mpz_to_bytes(data_buf, r1);
data_buf += element_to_bytes(data_buf, R2);
data_buf -= data_len;
BYTE* hash = (BYTE*) malloc(JOIN_HASH_BITS / 8);
xsgs_hash(data_buf, data_len * 8, hash, JOIN_HASH_BITS);
free(data_buf);
mpz_clear(r1);
element_clear(R2);
// compare hashes
ret = memcmp(jpd1->U.hash, hash, JOIN_HASH_BITS / 8);
free(hash);
if (!ret) {
element_t r;
// initialization
element_init(udbe->UCert.x, Fp);
element_init_G1(udbe->UCert.A, pairing);
element_init_G1(udbe->C, pairing);
element_init_G1(jpd2->A, pairing);
element_init_G1(g1, pairing);
element_init_GT(B, pairing);
element_init_GT(gt, pairing);
element_init(zp, Fp);
// save jpd1->C to ubde->C
element_set(udbe->C, jpd1->C);
// 2. x eR Zp and
element_random(udbe->UCert.x);
// A <- (G1 * C)^{1/(gamma + x)}
element_add(zp, ik->gamma, udbe->UCert.x);
element_invert(zp, zp);
element_mul(jpd2->A, gpk->G1, jpd1->C);
element_pow_naf(jpd2->A, jpd2->A, zp);
element_set(udbe->UCert.A, jpd2->A);
// 3. B <- e(G1 * C, G2) / e(A, W) = e(G1 * C, G2) * e(A^-1, W)
element_mul(g1, gpk->G1, jpd1->C);
element_pairing(B, g1, gpk->G2);
element_invert(g1, jpd2->A);
element_pairing(gt, g1, gpk->W);
element_mul(B, B, gt);
element_clear(g1);
element_clear(zp);
element_clear(gt);
// 4. D <- e(A, G2)
element_init_GT(D, pairing);
element_pairing(D, jpd2->A, gpk->G2);
// 5. V <- NIZKPoKDL(B, D)
// T1 = B^gamma
element_init_GT(jpd2->V.T1, pairing);
element_pow_zn(jpd2->V.T1, B, ik->gamma);
// T2 = D^gamma
element_init_GT(jpd2->V.T2, pairing);
element_pow_zn(jpd2->V.T2, D, ik->gamma);
// r eR Zp
element_init(r, Fp);
element_random(r);
// R1 = B^r
element_init_GT(R1, pairing);
element_pow_zn(R1, B, r);
// R2 = D^r
element_init_GT(R2, pairing);
element_pow_zn(R2, D, r);
// h = H(B, D, T1, T2, R1, R2)
data_len = element_length_in_bytes(B) + element_length_in_bytes(D)
+ element_length_in_bytes(jpd2->V.T1)
+ element_length_in_bytes(jpd2->V.T2)
+ element_length_in_bytes(R1) + element_length_in_bytes(R2);
data_buf = (BYTE*) malloc(data_len);
data_buf += element_to_bytes(data_buf, B);
data_buf += element_to_bytes(data_buf, D);
data_buf += element_to_bytes(data_buf, jpd2->V.T1);
data_buf += element_to_bytes(data_buf, jpd2->V.T2);
data_buf += element_to_bytes(data_buf, R1);
data_buf += element_to_bytes(data_buf, R2);
data_buf -= data_len;
jpd2->V.hash = (BYTE*) malloc(JOIN_HASH_BITS / 8);
xsgs_hash(data_buf, data_len * 8, jpd2->V.hash, JOIN_HASH_BITS);
element_init(hp, Fp);
element_from_hash(hp, jpd1->U.hash, JOIN_HASH_BITS / 8);
free(data_buf);
element_clear(B);
element_clear(D);
element_clear(R1);
element_clear(R2);
// s = r - hash * gamma mod p
element_init(jpd2->V.s, Fp);
element_mul(jpd2->V.s, hp, ik->gamma);
element_add(jpd2->V.s, r, jpd2->V.s);
element_clear(r);
element_clear(hp);
}
// return (A, V = (T1, T2, hash, s) )
return ret;
}
int main(int argc, char **argv) {
pairing_t pairing;
element_t g1;
element_t s, r;
element_t id;
element_t pri_id;
element_t gID;
element_t Ppub;
element_t C1;
element_t gIDr;
pbc_demo_pairing_init(pairing, argc, argv);
element_init_G1(g1, pairing);
element_init_Zr(s, pairing);
element_init_Zr(r, pairing);
element_init_G1(id, pairing);
element_init_G1(pri_id, pairing);
element_init_GT(gID, pairing);
element_init_G1(Ppub, pairing);
element_init_G1(C1, pairing);
element_init_GT(gIDr, pairing);
double t0, t1, ttotal, ttotalpp;
element_random(g1);
element_random(s);
element_random(r);
element_random(id);
element_pow_zn(Ppub, g1, s);
ttotal = 0.0;
t0 = pbc_get_time();
element_pow_zn(pri_id, id, s);
element_pairing(gID, id, Ppub);
element_pow_zn(gIDr, gID, r);
t1 = pbc_get_time();
int i = 0;
int n = 1000;
for(i; i<n; i++)
{
t0 = pbc_get_time();
element_pow_zn(C1, g1, r);
t1 = pbc_get_time();
ttotal += t1 - t0;
}
printf("if we only have one user and the user is cached, average enc time = %f\n", ttotal / n);
i = 0;
ttotal = 0.0;
for(i; i<n; i++)
{
element_random(id);
t0 = pbc_get_time();
element_pow_zn(pri_id, id, s);
element_pairing(gID, id, Ppub);
element_pow_zn(gIDr, gID, r);
element_pow_zn(C1, g1, r);
t1 = pbc_get_time();
ttotal += t1 - t0;
}
printf("100 diff users, average enc time = %f\n", ttotal / n);
//dec
ttotal = 0.0;
element_t gIDr_prime;
element_init_GT(gIDr_prime, pairing);
i = 0;
for(i; i<n; i++)
{
element_random(pri_id);
element_random(C1);
t0 = pbc_get_time();
element_pairing(gIDr_prime, pri_id, C1);
t1 = pbc_get_time();
ttotal += t1 - t0;
}
printf("dec random messages, average dec time = %f\n", ttotal / n);
/*if (!element_cmp(gIDr_prime, gIDr)) {
printf("----------Confirm----------------\n");}
else{
printf("----------damn--------\n");
}*/
}