/* computing of $(-t^2 +u*s -t*p -p^2)^3$
* The algorithm is by J.Beuchat et.al, in the paper of "Algorithms and Arithmetic Operators for Computing
* the $eta_T$ Pairing in Characteristic Three", algorithm 4 in the appendix */
static void algorithm4a(element_t S, element_t t, element_t u) {
field_ptr f = FIELD(t);
element_t e1, c0, c1, m0, v0, v2;
element_init(e1, f);
element_init(c0, f);
element_init(c1, f);
element_init(m0, f);
element_init(v0, f);
element_init(v2, f);
element_set1(e1);
element_cubic(c0, t); // c0 == t^3
element_cubic(c1, u);
element_neg(c1, c1); // c1 == -u^3
element_mul(m0, c0, c0); // m0 == c0^2
element_neg(v0, m0); // v0 == -c0^2
element_sub(v0, v0, c0); // v0 == -c0^2 -c0
element_sub(v0, v0, e1); // v0 == -c0^2 -c0 -1
element_set1(v2);
element_sub(v2, v2, c0); // v2 == 1 -c0
// v1 == c1
// S == [[v0, v1], [v2, f3m.zero()], [f3m.two(), f3m.zero()]]
element_set(ITEM(S,0,0), v0);
element_set(ITEM(S,0,1), c1);
element_set(ITEM(S,1,0), v2);
element_set0(ITEM(S,1,1));
element_neg(ITEM(S,2,0), e1);
element_set0(ITEM(S,2,1));
element_clear(e1);
element_clear(c0);
element_clear(c1);
element_clear(m0);
element_clear(v0);
element_clear(v2);
}
static void fq_set_multiz(element_ptr e, multiz m) {
eptr p = e->data;
if (multiz_is_z(m)) {
element_set_multiz(p->x, m);
element_set0(p->y);
return;
}
element_set_multiz(p->x, multiz_at(m, 0));
if (2 > multiz_count(m)) element_set0(p->y);
else element_set_multiz(p->y, multiz_at(m, 1));
}
void
pbgp_ibe_signature_init(setup_params_t *setup, ibe_signature_t **sign)
{
assert(setup);
*sign = xmalloc(sizeof (ibe_signature_t));
element_init_G1((*sign)->u, setup->pairing);
element_init_G1((*sign)->v, setup->pairing);
element_init_G1((*sign)->w, setup->pairing);
element_set0((*sign)->u);
element_set0((*sign)->v);
element_set0((*sign)->w);
}
static void do_vert(element_ptr z, element_ptr V, element_ptr Q)
{
element_ptr Vx = curve_x_coord(V);
element_ptr Qx = curve_x_coord(Q);
element_ptr Qy = curve_y_coord(Q);
element_t a, b, c;
element_init_same_as(a, Vx);
element_init_same_as(b, Vx);
element_init_same_as(c, Vx);
//a = 1
//b = 0;
//c = -Vx
element_set1(a);
element_set0(b);
element_neg(c, Vx);
element_printf("vert at %B: %B %B %B\n", Vx, a, b, c);
element_mul(a, a, Qx);
element_mul(b, b, Qy);
element_add(c, c, a);
element_add(z, c, b);
element_printf("vert eval = %B\n", z);
element_clear(a);
element_clear(b);
element_clear(c);
}
void CipherText::langrange(element_t* ys, int index, int k, int num){
element_t delta;
element_t numerator;
element_t denominator;
element_t temp;
element_init_Zr(delta, *(this->p));
element_init_Zr(numerator, *(this->p));
element_init_Zr(denominator, *(this->p));
element_init_Zr(temp, *(this->p));
element_init_Zr(ys[index], *(this->p));
element_set0(ys[index]);
int i, j;
for(i = 0; i < k; i++){
//compute the langrange coefficent l
element_set1(delta);
for(j = 0; j < k; j++){
if( j != i){
element_set_si(numerator, index - j);
element_set_si(denominator, i - j);
element_div(numerator, numerator, denominator);
element_mul(delta, delta, numerator);
}
}
element_mul(temp, ys[i], delta);
element_add(ys[index], ys[index], temp);
}
}
static val_ptr v_field_cast(val_ptr v, tree_ptr t) {
// TODO: Check args, x is an element.
val_ptr x = tree_eval((tree_ptr)darray_at(t->child, 0));
element_ptr e = x->elem;
if (e->field == M) {
if (v->field == M) return x;
element_ptr e2 = element_new(v->field);
if (element_is0(e)) // if 'set0' is not 'set1' in base field of GT, but we hope 'GT(0)' calls 'set1', we may directly call 'element_set0' here
element_set0(e2);
else if (element_is1(e)) // reason is same as above
element_set1(e2);
else
element_set_multiz(e2, (multiz)e->data);
x->elem = e2;
return x;
}
if (v->field == M) {
// Map to/from integer. TODO: Map to/from multiz instead.
mpz_t z;
mpz_init(z);
element_to_mpz(z, e);
element_clear(e);
element_init(e, v->field);
element_set_mpz(e, z);
mpz_clear(z);
}
return x;
}
/* Computes Shares
*
* @param1: msp
* @param2: input vector[s, r1, r2, ...]
* @param3: output vector
*/
void computeShares(MSP* msp, element_t* input_array, element_t* output_array){
int i = 0;
int j = 0;
element_t tmp_sum, tmp_product;
element_init_same_as(tmp_sum, input_array[0] );
element_init_same_as(tmp_product,tmp_sum);
element_set0(tmp_sum);
for(i=0; i < (msp->rows); i++){
for(j=0; j < msp->cols; j++){
element_mul_si(tmp_product, (input_array)[j],(msp->matrix)[i][j]);
element_add(tmp_sum, tmp_sum, tmp_product);
}
element_set(output_array[i], tmp_sum);
element_set0(tmp_sum);
}
element_clear(tmp_sum);
element_clear(tmp_product);
}
static int fq_set_str(element_ptr e, const char *s, int base) {
const char *cp = s;
element_set0(e);
while (*cp && isspace(*cp)) cp++;
if (*cp++ != '[') return 0;
eptr p = e->data;
cp += element_set_str(p->x, cp, base);
while (*cp && isspace(*cp)) cp++;
if (*cp++ != ',') return 0;
cp += element_set_str(p->y, cp, base);
if (*cp++ != ']') return 0;
return (int)(cp - s);
}
static int curve_from_bytes(element_t e, unsigned char *data) {
point_ptr P = (point_ptr)e->data;
int len;
P->inf_flag = 0;
len = element_from_bytes(P->x, data);
len += element_from_bytes(P->y, data + len);
//if point does not lie on curve, set it to O
if (!curve_is_valid_point(e)) {
element_set0(e);
}
return len;
}
static int curve_set_str(element_ptr e, const char *s, int base) {
point_ptr p = (point_ptr)e->data;
const char *cp = s;
element_set0(e);
while (*cp && isspace(*cp)) cp++;
if (*cp == 'O') {
return cp - s + 1;
}
p->inf_flag = 0;
if (*cp != '[') return 0;
cp++;
cp += element_set_str(p->x, cp, base);
while (*cp && isspace(*cp)) cp++;
if (*cp != ',') return 0;
cp++;
cp += element_set_str(p->y, cp, base);
if (*cp != ']') return 0;
if (!curve_is_valid_point(e)) {
element_set0(e);
return 0;
}
return cp - s + 1;
}
static void curve_set_multiz(element_ptr a, multiz m) {
if (multiz_is_z(m)) {
if (multiz_is0(m)) {
element_set0(a);
return;
}
pbc_warn("bad multiz");
return;
} else {
if (multiz_count(m) < 2) {
pbc_warn("multiz has too few coefficients");
return;
}
point_ptr p = (point_ptr)a->data;
p->inf_flag = 0;
element_set_multiz(p->x, multiz_at(m, 0));
element_set_multiz(p->y, multiz_at(m, 1));
}
}
void window(element_t ap,element_t p,int a,pairing_t pairing)
{
static const int W = 1;
static const int D = 1<<W;
element_t dp[D];
for(int i=0;i<D;i++)
element_init_G1(dp[i],pairing);
pre_process(dp,p,D);
element_set0(ap);
for(int i = 32/W-1;i>=0;i--)
{
int tmp = (a>>(i*W)) & ((1<<W)-1);
for(int j=0;j<W;j++) element_double(ap,ap);
if(tmp)
element_add(ap,ap,dp[tmp]);
}
}
// in1, in2 are from E(F_q), out from F_q^2.
// Pairing via elliptic nets (see Stange).
static void e_pairing_ellnet(element_ptr out, element_ptr in1, element_ptr in2,
pairing_t pairing) {
const element_ptr a = curve_a_coeff(in1);
const element_ptr b = curve_b_coeff(in1);
element_ptr x = curve_x_coord(in1);
element_ptr y = curve_y_coord(in1);
element_ptr x2 = curve_x_coord(in2);
element_ptr y2 = curve_y_coord(in2);
//notation: cmi means c_{k-i}, ci means c_{k+i}
element_t cm3, cm2, cm1, c0, c1, c2, c3, c4;
element_t dm1, d0, d1;
element_t A, B, C;
element_init_same_as(cm3, x);
element_init_same_as(cm2, x);
element_init_same_as(cm1, x);
element_init_same_as(c0, x);
element_init_same_as(c1, x);
element_init_same_as(c2, x);
element_init_same_as(c3, x);
element_init_same_as(c4, x);
element_init_same_as(C, x);
element_init_same_as(dm1, out);
element_init_same_as(d0, out);
element_init_same_as(d1, out);
element_init_same_as(A, x);
element_init_same_as(B, out);
// c1 = 2y
// cm3 = -2y
element_double(c1, y);
element_neg(cm3, c1);
//use c0, cm1, cm2, C, c4 as temp variables for now
//compute c3, c2
element_square(cm2, x);
element_square(C, cm2);
element_mul(cm1, b, x);
element_double(cm1, cm1);
element_square(c4, a);
element_mul(c2, cm1, cm2);
element_double(c2, c2);
element_mul(c0, a, C);
element_add(c2, c2, c0);
element_mul(c0, c4, cm2);
element_sub(c2, c2, c0);
element_double(c0, c2);
element_double(c0, c0);
element_add(c2, c2, c0);
element_mul(c0, cm1, a);
element_square(c3, b);
element_double(c3, c3);
element_double(c3, c3);
element_add(c0, c0, c3);
element_double(c0, c0);
element_mul(c3, a, c4);
element_add(c0, c0, c3);
element_sub(c2, c2, c0);
element_mul(c0, cm2, C);
element_add(c3, c0, c2);
element_mul(c3, c3, c1);
element_double(c3, c3);
element_mul(c0, a, cm2);
element_add(c0, c0, cm1);
element_double(c0, c0);
element_add(c0, c0, C);
element_double(c2, c0);
element_add(c0, c0, c2);
element_sub(c2, c0, c4);
// c0 = 1
// cm2 = -1
element_set1(c0);
element_neg(cm2, c0);
// c4 = c_5 = c_2^3 c_4 - c_3^3 = c1^3 c3 - c2^3
element_square(C, c1);
element_mul(c4, C, c1);
element_mul(c4, c4, c3);
element_square(C, c2);
element_mul(C, C, c2);
element_sub(c4, c4, C);
//compute A, B, d1 (which is d_2 since k = 1)
element_sub(A, x, x2);
element_double(C, x);
element_add(C, C, x2);
element_square(cm1, A);
element_mul(cm1, C, cm1);
element_add(d1, y, y2);
element_square(d1, d1);
element_sub(B, cm1, d1);
element_invert(B, B);
element_invert(A, A);
element_sub(d1, y, y2);
element_mul(d1, d1, A);
element_square(d1, d1);
element_sub(d1, C, d1);
// cm1 = 0
// C = (2y)^-1
element_set0(cm1);
element_invert(C, c1);
element_set1(dm1);
element_set1(d0);
element_t sm2, sm1;
element_t s0, s1, s2, s3;
element_t tm2, tm1;
element_t t0, t1, t2, t3;
element_t e0, e1;
element_t u, v;
element_init_same_as(sm2, x);
element_init_same_as(sm1, x);
element_init_same_as(s0, x);
element_init_same_as(s1, x);
element_init_same_as(s2, x);
element_init_same_as(s3, x);
element_init_same_as(tm2, x);
element_init_same_as(tm1, x);
element_init_same_as(t0, x);
element_init_same_as(t1, x);
element_init_same_as(t2, x);
element_init_same_as(t3, x);
element_init_same_as(e0, x);
element_init_same_as(e1, x);
element_init_same_as(u, d0);
element_init_same_as(v, d0);
int m = mpz_sizeinbase(pairing->r, 2) - 2;
for (;;) {
element_square(sm2, cm2);
element_square(sm1, cm1);
element_square(s0, c0);
element_square(s1, c1);
element_square(s2, c2);
element_square(s3, c3);
element_mul(tm2, cm3, cm1);
element_mul(tm1, cm2, c0);
element_mul(t0, cm1, c1);
element_mul(t1, c0, c2);
element_mul(t2, c1, c3);
element_mul(t3, c2, c4);
element_square(u, d0);
element_mul(v, dm1, d1);
if (mpz_tstbit(pairing->r, m)) {
//double-and-add
element_mul(e0, t0, sm2);
element_mul(e1, tm2, s0);
element_sub(cm3, e0, e1);
element_mul(cm3, cm3, C);
element_mul(e0, t0, sm1);
element_mul(e1, tm1, s0);
element_sub(cm2, e0, e1);
element_mul(e0, t1, sm1);
element_mul(e1, tm1, s1);
element_sub(cm1, e0, e1);
element_mul(cm1, cm1, C);
element_mul(e0, t1, s0);
element_mul(e1, t0, s1);
element_sub(c0, e0, e1);
element_mul(e0, t2, s0);
element_mul(e1, t0, s2);
element_sub(c1, e0, e1);
element_mul(c1, c1, C);
element_mul(e0, t2, s1);
element_mul(e1, t1, s2);
element_sub(c2, e0, e1);
element_mul(e0, t3, s1);
element_mul(e1, t1, s3);
element_sub(c3, e0, e1);
element_mul(c3, c3, C);
element_mul(e0, t3, s2);
element_mul(e1, t2, s3);
element_sub(c4, e0, e1);
element_mul(out, u, t0);
element_mul(dm1, v, s0);
element_sub(dm1, dm1, out);
element_mul(out, u, t1);
element_mul(d0, v, s1);
element_sub(d0, d0, out);
element_mul(d0, d0, A);
element_mul(out, u, t2);
element_mul(d1, v, s2);
element_sub(d1, d1, out);
element_mul(d1, d1, B);
} else {
//double
element_mul(e0, tm1, sm2);
element_mul(e1, tm2, sm1);
element_sub(cm3, e0, e1);
element_mul(e0, t0, sm2);
element_mul(e1, tm2, s0);
element_sub(cm2, e0, e1);
element_mul(cm2, cm2, C);
element_mul(e0, t0, sm1);
element_mul(e1, tm1, s0);
element_sub(cm1, e0, e1);
element_mul(e0, t1, sm1);
element_mul(e1, tm1, s1);
element_sub(c0, e0, e1);
element_mul(c0, c0, C);
element_mul(e0, t1, s0);
element_mul(e1, t0, s1);
element_sub(c1, e0, e1);
element_mul(e0, t2, s0);
element_mul(e1, t0, s2);
element_sub(c2, e0, e1);
element_mul(c2, c2, C);
element_mul(e0, t2, s1);
element_mul(e1, t1, s2);
element_sub(c3, e0, e1);
element_mul(e0, t3, s1);
element_mul(e1, t1, s3);
element_sub(c4, e0, e1);
element_mul(c4, c4, C);
element_mul(out, u, tm1);
element_mul(dm1, v, sm1);
element_sub(dm1, dm1, out);
element_mul(out, u, t0);
element_mul(d0, v, s0);
element_sub(d0, d0, out);
element_mul(out, u, t1);
element_mul(d1, v, s1);
element_sub(d1, d1, out);
element_mul(d1, d1, A);
}
if (!m) break;
m--;
}
element_invert(c1, c1);
element_mul(d1, d1, c1);
element_pow_mpz(out, d1, pairing->phikonr);
element_clear(dm1);
element_clear(d0);
element_clear(d1);
element_clear(cm3);
element_clear(cm2);
element_clear(cm1);
element_clear(c0);
element_clear(c1);
element_clear(c2);
element_clear(c3);
element_clear(c4);
element_clear(sm2);
element_clear(sm1);
element_clear(s0);
element_clear(s1);
element_clear(s2);
element_clear(s3);
element_clear(tm2);
element_clear(tm1);
element_clear(t0);
element_clear(t1);
element_clear(t2);
element_clear(t3);
element_clear(e0);
element_clear(e1);
element_clear(A);
element_clear(B);
element_clear(C);
element_clear(u);
element_clear(v);
}
int main(void) {
field_t c;
field_t Z19;
element_t P, Q, R;
mpz_t q, z;
element_t a, b;
int i;
field_t Z19_2;
field_t c2;
element_t P2, Q2, R2;
element_t a2;
mpz_init(q);
mpz_init(z);
mpz_set_ui(q, 19);
field_init_fp(Z19, q);
element_init(a, Z19);
element_init(b, Z19);
element_set_si(a, 1);
element_set_si(b, 6);
mpz_set_ui(q, 18);
field_init_curve_ab(c, a, b, q, NULL);
element_init(P, c);
element_init(Q, c);
element_init(R, c);
printf("Y^2 = X^3 + X + 6 over F_19\n");
//(0,+/-5) is a generator
element_set0(a);
curve_from_x(R, a);
for (i=1; i<19; i++) {
mpz_set_si(z, i);
element_mul_mpz(Q, R, z);
element_printf("%dR = %B\n", i, Q);
}
mpz_set_ui(z, 6);
element_mul_mpz(P, R, z);
//P has order 3
element_printf("P = %B\n", P);
for (i=1; i<=3; i++) {
mpz_set_si(z, i);
element_mul_mpz(Q, R, z);
tate_3(a, P, Q, R);
element_printf("e_3(P,%dR) = %B\n", i, a);
}
element_double(P, R);
//P has order 9
element_printf("P = %B\n", P);
for (i=1; i<=9; i++) {
mpz_set_si(z, i);
//we're supposed to use multiples of R
//but 2R works just as well and it allows us
//to use R as the offset every time
element_mul_mpz(Q, P, z);
tate_9(a, P, Q, R);
element_printf("e_9(P,%dP) = %B\n", i, a);
}
//to do the pairing on all of E(F_19) we need to move to F_19^2
//or compute the rational function explicitly
printf("moving to F_19^2\n");
field_init_fi(Z19_2, Z19);
//don't need to tell it the real order
field_init_curve_ab_map(c2, c, element_field_to_fi, Z19_2, q, NULL);
element_init(P2, c2);
element_init(Q2, c2);
element_init(R2, c2);
element_init(a2, Z19_2);
element_set0(a2);
curve_from_x(P2, a2);
element_random(R2);
element_printf("P = %B\n", P2);
for (i=1; i<=18; i++) {
mpz_set_si(z, i);
element_mul_mpz(Q2, P2, z);
tate_18(a2, P2, Q2, R2, P2);
element_printf("e_18(P,%dP) = %B\n", i, a2);
}
element_clear(P2);
element_clear(Q2);
element_clear(R2);
element_clear(a2);
field_clear(c2);
field_clear(Z19_2);
field_clear(c);
element_clear(a);
element_clear(b);
element_clear(P);
element_clear(Q);
element_clear(R);
field_clear(Z19);
mpz_clear(q);
mpz_clear(z);
return 0;
}
void element_field_to_quadratic(element_ptr r, element_ptr a) {
eptr p = r->data;
element_set(p->x, a);
element_set0(p->y);
}
/**
* In this scheme every signer can aggregate a signature on a different message.
*
* This __cannot__ verify multiple messages from the same AS.
*
* We have __one__ signer -> __one__ message but as the message could be the same
* for every signer, we can aggregate on it.
*
* @param store here we insert all the messages and all the signers
* (as we __must__ verify every message of every signer)
*
* @return 0 if verify = success.
*
*/
int
pbgp_ibe_verify(setup_params_t *setup, ibe_signature_t *sign, store_t *store)
{
assert(sign && setup && store);
element_t sumID, sumCi, sumTot, Pubi0,
Pubi1, Pm, t1, p1, p2, e1, e2, ci;
pairing_pp_t pp1, pp2, pp3;
element_init_G1(sumID, setup->pairing);
element_init_G1(sumCi, setup->pairing);
element_init_G1(sumTot, setup->pairing);
element_init_G1(Pubi0, setup->pairing);
element_init_G1(Pubi1, setup->pairing);
element_init_G1(Pm, setup->pairing);
element_init_G1(t1, setup->pairing);
element_init_GT(p1, setup->pairing);
element_init_GT(p2, setup->pairing);
element_init_GT(e1, setup->pairing);
element_init_GT(e2, setup->pairing);
element_init_Zr(ci, setup->pairing);
element_set0(sumID);
element_set0(sumCi);
//
// For each ASNUM in the list
//
store_iterator_t *iterator = pbgp_store_iterator_open(store);
store_key_t key = STORE_KEY_INIT;
while (1)
{
uint32_t id = 0;
size_t ksize = 0, dsize = 0;
// This mess is to avoid __any__ malloc call >:/
int ret = pbgp_store_iterator_uget_next_size(iterator, &ksize, &dsize);
if (ret != 0) {
break ;
}
// compute key data size
ksize -= STORE_KEY_METADATA_LENGTH;
if (sizeof(id) != ksize) {
continue ;
}
// key buffer
unsigned char kbuf[ksize];
memset (kbuf, 0, ksize);
key.data = kbuf;
key.dsize = sizeof(kbuf);
// data buffer
unsigned char message[dsize];
memset (message, 0, dsize);
// get asnum + message
ret = pbgp_store_iterator_uget_next(iterator, &key, message, &dsize);
if (ret != 0) {
break ;
}
char id0[BUFSIZ],
id1[BUFSIZ];
memcpy(&id, kbuf, sizeof id);
_ibe_get_id_pair(id, id0, sizeof (id0), id1, sizeof (id1));
//
// Computes public keys for this AS from its identity
//
unsigned char hash[EVP_MAX_MD_SIZE + 1];
// hash(id0)
memset(hash, 0, sizeof (hash));
_element_from_hash(Pubi0, hash, pbgp_rsa_uhash((unsigned char *) id0, strlen(id0), hash));
// hash(id1)
memset(hash, 0, sizeof (hash));
_element_from_hash(Pubi1, hash, pbgp_rsa_uhash((unsigned char *) id1, strlen(id1), hash));
// ci = hash(m)
memset(hash, 0, sizeof (hash));
element_from_hash(ci, hash, pbgp_rsa_uhash(message, dsize, hash));
// Computes sum(Pi_0) sum(ci * Pi_1)
element_mul_zn(t1, Pubi1, ci);
element_add(sumID, sumID, Pubi0);
element_add(sumCi, sumCi, t1);
}
pbgp_store_iterator_close(iterator);
element_add(sumTot, sumID, sumCi);
pairing_pp_init(pp1, sumTot, setup->pairing);
pairing_pp_init(pp2, sign->v, setup->pairing);
pairing_pp_init(pp3, sign->u, setup->pairing);
// e(Q = ibePub, sumTot)
pairing_pp_apply(p1, setup->ibePub, pp1);
// e(Tn = v, Pw)
pairing_pp_apply(p2, sign->w, pp2);
// e(Q = ibePub, sumTot) * e(Tn = v, Pw)
element_mul(e2, p1, p2);
// e(Sn = u, P)
pairing_pp_apply(e1, setup->g, pp3);
int rv = element_cmp(e1, e2);
pairing_pp_clear(pp1);
pairing_pp_clear(pp2);
pairing_pp_clear(pp3);
element_clear(sumID);
element_clear(sumCi);
element_clear(sumTot);
element_clear(t1);
element_clear(ci);
element_clear(Pubi0);
element_clear(Pubi1);
element_clear(Pm);
element_clear(p1);
element_clear(p2);
element_clear(e1);
element_clear(e2);
return rv;
}
static void gf33m_set1(element_t e) {
element_ptr e0 = GF33M(e)->_0, e1 = GF33M(e)->_1, e2 = GF33M(e)->_2;
element_set1(e0);
element_set0(e1);
element_set0(e2);
}
static void gf32m_set1(element_t e) {
element_ptr e0 = GF32M(e)->_0, e1 = GF32M(e)->_1;
element_set1(e0);
element_set0(e1);
}
/* this is the algorithm 4 in the paper of J.Beuchat et.al, "Algorithms and Arithmetic Operators for Computing
* the $eta_T$ Pairing in Characteristic Three" */
static void algorithm4(element_t c, element_ptr xp, element_ptr yp,
element_ptr xq, element_ptr yq) {
params *p = PARAM(xp);
unsigned int re = p->m % 12;
field_ptr f = FIELD(xp) /*GF(3^m)*/, f6 = FIELD(c) /*GF(3^{6*m})*/;
element_t e1, xpp, ypp, xqq, yqq, t, nt, nt2, v1, v2, a1, a2, R, u, S;
element_init(e1, f);
element_init(xpp, f);
element_init(ypp, f);
element_init(xqq, f);
element_init(yqq, f);
element_init(t, f);
element_init(nt, f);
element_init(nt2, f);
element_init(v1, f);
element_init(v2, f);
element_init(a1, f6);
element_init(a2, f6);
element_init(R, f6);
element_init(u, f);
element_init(S, f6);
element_set1(e1);
element_set(xpp, xp);
xp = xpp; // clone
element_add(xp, xp, e1); // xp == xp + b
element_set(ypp, yp);
yp = ypp; // clone
if (re == 1 || re == 11)
element_neg(yp, yp); // yp == -\mu*b*yp, \mu == 1 when re==1, or 11
element_set(xqq, xq);
xq = xqq; // clone
element_cubic(xq, xq); // xq == xq^3
element_set(yqq, yq);
yq = yqq; // clone
element_cubic(yq, yq); // yq == yq^3
element_add(t, xp, xq); // t == xp+xq
element_neg(nt, t); // nt == -t
element_mul(nt2, t, nt); // nt2 == -t^2
element_mul(v2, yp, yq); // v2 == yp*yq
element_mul(v1, yp, t); // v1 == yp*t
if (re == 7 || re == 11) { // \lambda == 1
element_t nyp, nyq;
element_init(nyp, f);
element_init(nyq, f);
element_neg(nyp, yp); // nyp == -yp
element_neg(nyq, yq); // nyq == -yq
element_set(ITEM(a1,0,0), v1);
element_set(ITEM(a1,0,1), nyq);
element_set(ITEM(a1,1,0), nyp);
element_clear(nyp);
element_clear(nyq);
} else { // \lambda == -1
element_neg(v1, v1); // v1 == -yp*t
element_set(ITEM(a1,0,0), v1);
element_set(ITEM(a1,0,1), yq);
element_set(ITEM(a1,1,0), yp);
}
// a2 == -t^2 +yp*yq*s -t*p -p^2
element_set(ITEM(a2,0,0), nt2);
element_set(ITEM(a2,0,1), v2);
element_set(ITEM(a2,1,0), nt);
element_neg(ITEM(a2,2,0), e1);
element_mul(R, a1, a2);
int i;
for (i = 0; i < (p->m - 1) / 2; i++) {
element_cubic(R, R);
element_cubic(xq, xq);
element_cubic(xq, xq);
element_sub(xq, xq, e1); // xq <= xq^9-b
element_cubic(yq, yq);
element_cubic(yq, yq);
element_neg(yq, yq); // yq <= -yq^9
element_add(t, xp, xq); // t == xp+xq
element_neg(nt, t); // nt == -t
element_mul(nt2, t, nt); // nt2 == -t^2
element_mul(u, yp, yq); // u == yp*yq
element_set0(S);
element_set(ITEM(S,0,0), nt2);
element_set(ITEM(S,0,1), u);
element_set(ITEM(S,1,0), nt);
element_neg(ITEM(S,2,0), e1);
element_mul(R, R, S);
}
element_set(c, R);
element_clear(e1);
element_clear(xpp);
element_clear(ypp);
element_clear(xqq);
element_clear(yqq);
element_clear(t);
element_clear(nt);
element_clear(nt2);
element_clear(v1);
element_clear(v2);
element_clear(a1);
element_clear(a2);
element_clear(R);
element_clear(u);
element_clear(S);
}
static void fq_set_si(element_ptr e, signed long int i) {
eptr p = e->data;
element_set_si(p->x, i);
element_set0(p->y);
}
static void fq_set_mpz(element_ptr e, mpz_t z) {
eptr p = e->data;
element_set_mpz(p->x, z);
element_set0(p->y);
}
void shipseystange(element_t z, element_t P, element_t Q)
{
mpz_t q1r;
mpz_init(q1r);
mpz_set_ui(q1r, 696);
element_ptr x = curve_x_coord(P);
element_ptr y = curve_y_coord(P);
element_ptr x2 = curve_x_coord(Q);
element_ptr y2 = curve_y_coord(Q);
element_t v0m1, v0m2, v0m3;
element_t v00, v01, v02, v03, v04;
element_t v1m1, v10, v11;
element_t t0, t1, t2;
element_t W20inv;
element_t Wm11inv;
element_t W2m1inv;
element_t sm2, sm1, s0, s1, s2, s3;
element_t pm2, pm1, p0, p1, p2, p3;
element_init_same_as(sm2, z);
element_init_same_as(sm1, z);
element_init_same_as(s0, z);
element_init_same_as(s1, z);
element_init_same_as(s2, z);
element_init_same_as(s3, z);
element_init_same_as(pm2, z);
element_init_same_as(pm1, z);
element_init_same_as(p0, z);
element_init_same_as(p1, z);
element_init_same_as(p2, z);
element_init_same_as(p3, z);
element_init_same_as(v0m3, z);
element_init_same_as(v0m2, z);
element_init_same_as(v0m1, z);
element_init_same_as(v00, z);
element_init_same_as(v01, z);
element_init_same_as(v02, z);
element_init_same_as(v03, z);
element_init_same_as(v04, z);
element_init_same_as(v1m1, z);
element_init_same_as(v10, z);
element_init_same_as(v11, z);
element_init_same_as(W20inv, z);
element_init_same_as(Wm11inv, z);
element_init_same_as(W2m1inv, z);
element_init_same_as(t0, z);
element_init_same_as(t1, z);
element_init_same_as(t2, z);
element_set0(v0m1);
element_set1(v00);
element_neg(v0m2, v00);
element_double(v01, y);
element_neg(v0m3, v01);
element_invert(W20inv, v01);
element_sub(Wm11inv, x, x2);
element_square(t1, Wm11inv);
element_invert(Wm11inv, Wm11inv);
element_double(t0, x);
element_add(t0, t0, x2);
element_mul(t1, t0, t1);
element_add(t0, y, y2);
element_square(t0, t0);
element_sub(t0, t0, t1);
element_invert(W2m1inv, t0);
/* Let P=(x,y) since A=1, B=0 we have:
* W(3,0) = 3x^4 + 6x^2 - 1
* W(4,0) = 4y(x^6 + 5x^4 - 5x^2 - 1)
*/
//t0 = x^2
element_square(t0, x);
//t1 = x^4
element_square(t1, t0);
//t2 = x^4 + 2 x^2
element_double(t2, t0);
element_add(t2, t2, t1);
//v02 = W(3,0)
element_double(v02, t2);
element_add(v02, v02, t2);
element_add(v02, v02, v0m2);
//t2 = x^4 - x^2
element_sub(t2, t1, t0);
//v03 = 5(x^4 - x^2)
element_double(v03, t2);
element_double(v03, v03);
element_add(v03, v03, t2);
//t2 = x^6
element_mul(t2, t0, t1);
//v03 = W(4,0)
element_add(v03, v03, t2);
element_add(v03, v03, v0m2);
element_double(v03, v03);
element_double(v03, v03);
element_mul(v03, v03, y);
//v04 = W(5,0) = W(2,0)^3 W(4,0) - W(3,0)^3
element_square(t0, v01);
element_mul(t0, t0, v01);
element_mul(v04, t0, v03);
element_square(t0, v02);
element_mul(t0, t0, v02);
element_sub(v04, v04, t0);
element_set1(v1m1);
element_set1(v10);
element_printf("x y: %B %B\n", x, y);
element_printf("x2 y2: %B %B\n", x2, y2);
element_sub(t0, x2, x);
element_sub(t1, y2, y);
element_div(t0, t1, t0);
element_square(t0, t0);
element_double(v11, x);
element_add(v11, v11, x2);
element_sub(v11, v11, t0);
element_printf("VEC1: %B %B %B\n", v1m1, v10, v11);
element_printf("VEC0: %B %B %B %B %B %B %B %B\n",
v0m3, v0m2, v0m1, v00, v01, v02, v03, v04);
//Double
element_square(sm2, v0m2);
element_square(sm1, v0m1);
element_square(s0, v00);
element_square(s1, v01);
element_square(s2, v02);
element_square(s3, v03);
element_mul(pm2, v0m3, v0m1);
element_mul(pm1, v0m2, v00);
element_mul(p0, v0m1, v01);
element_mul(p1, v00, v02);
element_mul(p2, v01, v03);
element_mul(p3, v02, v04);
element_mul(t0, pm1, sm2);
element_mul(t1, pm2, sm1);
element_sub(v0m3, t0, t1);
element_mul(t1, pm2, s0);
element_mul(t0, p0, sm2);
element_sub(v0m2, t0, t1);
element_mul(v0m2, v0m2, W20inv);
element_mul(t0, p0, sm1);
element_mul(t1, pm1, s0);
element_sub(v0m1, t0, t1);
element_mul(t1, pm1, s1);
element_mul(t0, p1, sm1);
element_sub(v00, t0, t1);
element_mul(v00, v00, W20inv);
element_mul(t0, p1, s0);
element_mul(t1, p0, s1);
element_sub(v01, t0, t1);
element_mul(t1, p0, s2);
element_mul(t0, p2, s0);
element_sub(v02, t0, t1);
element_mul(v02, v02, W20inv);
element_mul(t0, p2, s1);
element_mul(t1, p1, s2);
element_sub(v03, t0, t1);
element_mul(t1, p1, s3);
element_mul(t0, p3, s1);
element_sub(v04, t0, t1);
element_mul(v04, v04, W20inv);
element_square(t0, v10);
element_mul(t1, v1m1, v11);
element_mul(t2, pm1, t0);
element_mul(v1m1, t1, sm1);
element_sub(v1m1, v1m1, t2);
element_mul(t2, p0, t0);
element_mul(v10, t1, s0);
element_sub(v10, v10, t2);
element_mul(t2, p1, t0);
element_mul(v11, t1, s1);
element_sub(v11, v11, t2);
element_mul(v11, v11, Wm11inv);
element_printf("VEC1: %B %B %B\n", v1m1, v10, v11);
element_printf("VEC0: %B %B %B %B %B %B %B %B\n",
v0m3, v0m2, v0m1, v00, v01, v02, v03, v04);
//DoubleAdd
element_square(sm2, v0m2);
element_square(sm1, v0m1);
element_square(s0, v00);
element_square(s1, v01);
element_square(s2, v02);
element_square(s3, v03);
element_mul(pm2, v0m3, v0m1);
element_mul(pm1, v0m2, v00);
element_mul(p0, v0m1, v01);
element_mul(p1, v00, v02);
element_mul(p2, v01, v03);
element_mul(p3, v02, v04);
element_mul(t1, pm2, s0);
element_mul(t0, p0, sm2);
element_sub(v0m3, t0, t1);
element_mul(v0m3, v0m3, W20inv);
element_mul(t0, p0, sm1);
element_mul(t1, pm1, s0);
element_sub(v0m2, t0, t1);
element_mul(t1, pm1, s1);
element_mul(t0, p1, sm1);
element_sub(v0m1, t0, t1);
element_mul(v0m1, v0m1, W20inv);
element_mul(t0, p1, s0);
element_mul(t1, p0, s1);
element_sub(v00, t0, t1);
element_mul(t1, p0, s2);
element_mul(t0, p2, s0);
element_sub(v01, t0, t1);
element_mul(v01, v01, W20inv);
element_mul(t0, p2, s1);
element_mul(t1, p1, s2);
element_sub(v02, t0, t1);
element_mul(t1, p1, s3);
element_mul(t0, p3, s1);
element_sub(v03, t0, t1);
element_mul(v03, v03, W20inv);
element_mul(t0, p3, s2);
element_mul(t1, p2, s3);
element_sub(v04, t0, t1);
element_square(t0, v10);
element_mul(t1, v1m1, v11);
element_mul(t2, p0, t0);
element_mul(v1m1, t1, s0);
element_sub(v1m1, v1m1, t2);
element_mul(t2, p1, t0);
element_mul(v10, t1, s1);
element_sub(v10, v10, t2);
element_mul(v10, v10, Wm11inv);
element_mul(t2, t1, s2);
element_mul(v11, p2, t0);
element_sub(v11, v11, t2);
element_mul(v11, v11, W2m1inv);
element_printf("VEC1: %B %B %B\n", v1m1, v10, v11);
element_printf("VEC0: %B %B %B %B %B %B %B %B\n",
v0m3, v0m2, v0m1, v00, v01, v02, v03, v04);
element_div(z, v11, v01);
element_printf("prepow: %B\n", z);
element_pow_mpz(z, z, q1r);
mpz_clear(q1r);
}
static void fq_set1(element_ptr e) {
eptr p = e->data;
element_set1(p->x);
element_set0(p->y);
}
int main(void)
{
int i;
element_t g, h;
element_t w0, w1;
element_t a, b;
mpz_t prime, cofac;
mpz_init(prime);
mpz_init(order);
mpz_init(cofac);
mpz_set_ui(prime, 59);
field_init_fp(Fq, prime);
element_init(a, Fq);
element_init(b, Fq);
field_init_fi(Fq2, Fq);
element_set1(a);
element_set0(b);
mpz_set_ui(order, 5);
mpz_set_ui(cofac, 12);
field_init_curve_ab(E, a, b, order, cofac);
element_clear(a);
element_clear(b);
element_init(a, Fq2);
element_init(b, Fq2);
element_set1(a);
element_set0(b);
mpz_mul(cofac, cofac, cofac);
field_init_curve_ab(E2, a, b, order, NULL);
element_init(g, E2);
element_init(h, E2);
element_init(w0, Fq2);
element_init(w1, Fq2);
/*
do {
element_random(g);
} while (element_is1(g));
for (i=1; i<5; i++) {
element_mul(h, h, g);
element_printf("%d: %B\n", i, h);
element_printf("tangent = ");
do_tangent(h);
}
*/
element_set_str(g, "[[25,0],[30,0]", 0);
element_set_str(h, "[[34,0],[0,30]", 0);
weil(w0, g, h);
element_printf("weil: %B\n", w0);
element_set1(w1);
for (i=1; i<6; i++) {
element_mul(w1, w1, w0);
element_printf("%d: %B\n", i, w1);
}
fasterweil(w0, g, h);
element_printf("fasterweil: %B\n", w0);
element_set1(w1);
for (i=1; i<6; i++) {
element_mul(w1, w1, w0);
element_printf("%d: %B\n", i, w1);
}
fasterweil2(w0, g, h);
element_printf("fasterweil2: %B\n", w0);
tate(w0, g, h);
element_printf("tate: %B\n", w0);
element_set1(w1);
for (i=1; i<6; i++) {
element_mul(w1, w1, w0);
element_printf("%d: %B\n", i, w1);
}
shipseystange(w0, g, h);
element_printf("ss-tate: %B\n", w0);
element_set1(w1);
for (i=1; i<6; i++) {
element_mul(w1, w1, w0);
element_printf("%d: %B\n", i, w1);
}
return 0;
}
void KSET0(element_t out){
element_set0(out);
element_ptr re_out = element_x(out);
element_set0(element_item(re_out,0));
}
void test_secret_sharing(fenc_attribute_policy *policy, pairing_t pairing)
{
element_t secret, recovered_secret, tempZ, temp2Z;
FENC_ERROR err_code;
fenc_attribute_list attribute_list;
fenc_lsss_coefficient_list coefficient_list;
unsigned int i;
char *policy_str;
size_t str_len = 2048;
/* Print the policy. */
//fenc_attribute_policy_to_string(policy->root, NULL, &str_len, 100000);
fenc_attribute_policy_to_string(policy->root, NULL, 100000);
policy_str = (char*)SAFE_MALLOC(str_len);
fenc_attribute_policy_to_string(policy->root, policy_str, str_len);
//fenc_attribute_policy_to_string(policy->root, policy_str, &index, str_len);
printf("%s\n", policy_str);
/* Pick a random secret value. */
element_init_Zr(secret, pairing);
element_init_Zr(recovered_secret, pairing);
element_random(secret);
element_printf("Original secret: %B\n", secret);
/* Share the secret. The shares are placed within a newly-initialized attribute_list. */
memset(&attribute_list, 0, sizeof(fenc_attribute_list));
err_code = fenc_LSSS_calculate_shares_from_policy(&secret, policy, &attribute_list, pairing);
if (err_code != FENC_ERROR_NONE) {
printf("could not share secrets!\n");
return;
}
printf("\nCreated %d shares:\n", attribute_list.num_attributes);
for (i = 0; i < attribute_list.num_attributes; i++) {
element_printf("\t share %d:\t%B\n", i, attribute_list.attribute[i].share);
}
/* Take the resulting attribute_list and feed it as input to the coefficient recovery mechanism.
* Note that the coefficient recovery doesn't use the shares as input, it just looks at the
* attributes. */
err_code = LSSS_allocate_coefficient_list(&coefficient_list, attribute_list.num_attributes, pairing);
if (err_code != FENC_ERROR_NONE) {
printf("could not allocate coefficient list!\n");
return;
}
err_code = fenc_LSSS_calculate_coefficients_from_policy(policy, &attribute_list, &coefficient_list, pairing);
if (err_code != FENC_ERROR_NONE) {
printf("could not compute coefficients!\n");
return;
}
printf("\nComputed %d coefficients:\n", attribute_list.num_attributes);
for (i = 0; i < attribute_list.num_attributes; i++) {
if (coefficient_list.coefficients[i].is_set == TRUE) {
element_printf("\t coefficient %d: %B\n", i, coefficient_list.coefficients[i].coefficient);
} else {
printf("\t coefficient %d: <pruned>\n", i);
}
}
/* Now let's manually try to recover the secret. Unfortunately this requires some messy
* element arithmetic. */
printf("How many attributes in policy?: '%d'\n", attribute_list.num_attributes);
element_init_Zr(tempZ, pairing);
element_init_Zr(temp2Z, pairing);
element_set0(recovered_secret);
for (i = 0; i < attribute_list.num_attributes; i++) {
if (coefficient_list.coefficients[i].is_set == TRUE) {
element_mul(tempZ, coefficient_list.coefficients[i].coefficient, attribute_list.attribute[i].share);
element_add(temp2Z, tempZ, recovered_secret);
element_set(recovered_secret, temp2Z);
}
}
element_printf("Recovered secret: %B\n", recovered_secret);
element_clear(secret);
element_clear(recovered_secret);
element_clear(tempZ);
element_clear(temp2Z);
}
