// choose random curve
// if IsZero(Z), then X is non-trivial factor of ZZ_p::modulus()
void ECM_random_curve(EC_pCurve& curve, ZZ_p& X, ZZ_p& Z) {
ZZ sigma;
RandomBnd(sigma,ZZ_p::modulus()-6);
sigma+=6;
ZZ_p u,v;
u = sqr(to_ZZ_p(sigma))-5;
v = 4*to_ZZ_p(sigma);
ZZ_p C,Cd;
C = (v-u)*sqr(v-u)*(3*u+v);
Cd = 4*u*sqr(u)*v;
// make sure Cd is invertible
ZZ Cinv;
if (InvModStatus(Cinv,rep(Cd),ZZ_p::modulus())!=0) {
conv(X,Cinv);
clear(Z);
return;
}
C*=to_ZZ_p(Cinv);
C-=2;
// random curve
ZZ_pX f;
SetCoeff(f,3);
SetCoeff(f,2,C);
SetCoeff(f,1);
conv(curve,f);
curve.SetRepresentation(curve.MONTGOMERY);
// initial point
mul(X,u,sqr(u));
mul(Z,v,sqr(v));
}
NTL::ZZ_pX YASHE::keyGen() {
/**
* The secret key is computed as
*
* f' <- X_key
* f = (t*f' + 1) mod q
* secretKey = f
*
* Secret keys are randomly generated until
* an invertible key f^-1 is found
*/
NTL::ZZ_pX secretKey, secretKeyInv;
long inverseStatus;
do {
secretKey = pModulus * randomKeyPoly() + 1;
inverseStatus = InvModStatus(secretKeyInv, secretKey, cycloMod);
} while (inverseStatus == 1);
/**
* The public key is computed by
*
* g <- X_key
* h = (t*g*f^-1) mod q
* publicKey = h
*/
publicKey = MulMod(randomKeyPoly(), secretKeyInv, cycloMod);
publicKey *= pModulus;
/**
* The evaluation key is computed by
*
* e, s <- X_err
* gamma = (powersOfRadix(f) + e + h*s) mod q
* evaluationKey = gamma
*/
std::vector<NTL::ZZ_pX> evalKey;
powersOfRadix(evalKey, secretKey);
evalKeyMult.resize(decompSize);
for (long i = 0; i < decompSize; i++) {
evalKey[i] += randomErrPoly();
evalKey[i] += MulMod(publicKey, randomErrPoly(), cycloMod);
NTL::build(evalKeyMult[i], evalKey[i], cycloMod);
}
return secretKey;
}
// Процедура проверки подписи
void verifysign (ZZ &R, ZZ &r, ZZ &s, ZZ &e, Qxy &Q, Qxy &P, ZZ &q )
{
ZZ v, z1, z2;
Qxy C;
ZZ e1;
if (InvModStatus( v, e, q ))
{
cout << "\nError in signature\n";
goto end;
}
v = InvMod(e,q);
z1 = (s*v)%q;
z2 = (-r*v)%q;
C = P*z1 + Q*z2;
R = (conv<ZZ>(C.putx()))%q;
cout << "\nv (dec) = \n" << v << endl;
cout << "\nv (hex) = \n";
show_dec_in_hex (v, L);
cout << endl;
cout << "\nz1 (dec) = \n" << z1 << endl;
cout << "\nz1 (hex) = \n";
show_dec_in_hex (z1, L);
cout << endl;
cout << "\nz2 (dec) = \n" << z2 << endl;
cout << "\nz2 (hex) = \n";
show_dec_in_hex (z2, L);
cout << endl;
cout << "\nPoint C:\n";
C.putQxy();
cout << "\nR (dec) = \n" << R << endl;
cout << "\nR (hex) = \n";
show_dec_in_hex (R, L);
cout << endl;
end:
if ( r == R )
cout << "\nr = R\nSignature is OK";
else
cout << "\nSignature is FAILD";
cout << endl;
}
// Note: poly is passed by value, not by reference, so the calling routine
// keeps its original polynomial
long evalPolyTopLevel(ZZX poly, long x, long p, long k=0)
{
if (verbose)
cerr << "\n* evalPolyTopLevel: p="<<p<<", x="<<x<<", poly="<<poly;
if (deg(poly)<=2) { // nothing to optimize here
if (deg(poly)<1) return to_long(coeff(poly, 0));
DynamicPtxtPowers babyStep(x, p, deg(poly));
long ret = simplePolyEval(poly, babyStep, p);
totalDepth = babyStep.getDepth(deg(poly));
return ret;
}
// How many baby steps: set k~sqrt(n/2), rounded up/down to a power of two
// FIXME: There may be some room for optimization here: it may be possible
// to choose k as something other than a power of two and still maintain
// optimal depth, in principle we can try all possible values of k between
// the two powers of two and choose the one that goves the least number
// of multiplies, conditioned on minimum depth.
if (k<=0) {
long kk = (long) sqrt(deg(poly)/2.0);
k = 1L << NextPowerOfTwo(kk);
// heuristic: if k>>kk then use a smaler power of two
if ((k==16 && deg(poly)>167) || (k>16 && k>(1.44*kk)))
k /= 2;
}
cerr << ", k="<<k;
long n = divc(deg(poly),k); // deg(p) = k*n +delta
if (verbose) cerr << ", n="<<n<<endl;
DynamicPtxtPowers babyStep(x, p, k);
long x2k = babyStep.getPower(k);
// Special case when deg(p)>k*(2^e -1)
if (n==(1L << NextPowerOfTwo(n))) { // n is a power of two
DynamicPtxtPowers giantStep(x2k, p, n/2, babyStep.getDepth(k));
if (verbose)
cerr << "babyStep="<<babyStep<<", giantStep="<<giantStep<<endl;
long ret = degPowerOfTwo(poly, k, babyStep, giantStep, p, totalDepth);
if (verbose) {
cerr << " degPowerOfTwo("<<poly<<") returns "<<ret<<", depth="<<totalDepth<<endl;
if (ret != polyEvalMod(poly,babyStep[0], p)) {
cerr << " ## recursive call failed, ret="<<ret<<"!="
<< polyEvalMod(poly,babyStep[0], p)<<endl;
exit(0);
}
// cerr << " babyStep depth=[";
// for (long i=0; i<babyStep.size(); i++)
// cerr << babyStep.getDepth(i+1)<<" ";
// cerr << "]\n";
// cerr << " giantStep depth=[";
// for (long i=0; i<giantStep.size(); i++)
// cerr<<giantStep.getDepth(i+1)<<" ";
// cerr << "]\n";
}
return ret;
}
// If n is not a power of two, ensure that poly is monic and that
// its degree is divisible by k, then call the recursive procedure
ZZ topInv; // the inverse mod p of the top coefficient of poly (if any)
bool divisible = (n*k == deg(poly)); // is the degree divisible by k?
long nonInvertibe = InvModStatus(topInv, LeadCoeff(poly), to_ZZ(p));
// 0 if invertible, 1 if not
// FIXME: There may be some room for optimization below: instead of
// adding a term X^{n*k} we can add X^{n'*k} for some n'>n, so long
// as n' is smaller than the next power of two. We could save a few
// multiplications since giantStep[n'] may be easier to compute than
// giantStep[n] when n' has fewer 1's than n in its binary expansion.
long extra = 0; // extra!=0 denotes an added term extra*X^{n*k}
if (!divisible || nonInvertibe) { // need to add a term
// set extra = 1 - current-coeff-of-X^{n*k}
extra = SubMod(1, to_long(coeff(poly,n*k)), p);
SetCoeff(poly, n*k); // set the top coefficient of X^{n*k} to one
topInv = to_ZZ(1); // inverse of new top coefficient is one
}
long t = (extra==0)? divc(n,2) : n;
DynamicPtxtPowers giantStep(x2k, p, t, babyStep.getDepth(k));
if (verbose)
cerr << "babyStep="<<babyStep<<", giantStep="<<giantStep<<endl;
long y; // the value to return
long subDepth1 =0;
if (!IsOne(topInv)) {
long top = to_long(poly[n*k]); // record the current top coefficient
// cerr << ", top-coeff="<<top;
// Multiply by topInv modulo p to make into a monic polynomial
poly *= topInv;
for (long i=0; i<=n*k; i++) rem(poly[i], poly[i], to_ZZ(p));
poly.normalize();
y = recursivePolyEval(poly, k, babyStep, giantStep, p, subDepth1);
if (verbose) {
cerr << " recursivePolyEval("<<poly<<") returns "<<y<<", depth="<<subDepth1<<endl;
if (y != polyEvalMod(poly,babyStep[0], p)) {
cerr << "## recursive call failed, ret="<<y<<"!="
<< polyEvalMod(poly,babyStep[0], p)<<endl;
exit(0);
}
}
y = MulMod(y, top, p); // multiply by the original top coefficient
}
else {
y = recursivePolyEval(poly, k, babyStep, giantStep, p, subDepth1);
if (verbose) {
cerr << " recursivePolyEval("<<poly<<") returns "<<y<<", depth="<<subDepth1<<endl;
if (y != polyEvalMod(poly,babyStep[0], p)) {
cerr << "## recursive call failed, ret="<<y<<"!="
<< polyEvalMod(poly,babyStep[0], p)<<endl;
exit(0);
}
}
}
if (extra != 0) { // if we added a term, now is the time to subtract back
if (verbose) cerr << ", subtracting "<<extra<<"*X^"<<k*n;
extra = MulMod(extra, giantStep.getPower(n), p);
totalDepth = max(subDepth1, giantStep.getDepth(n));
y = SubMod(y, extra, p);
}
else totalDepth = subDepth1;
if (verbose) cerr << endl;
return y;
}
// Main entry point: Evaluate a cleartext polynomial on an encrypted input
void polyEval(Ctxt& ret, ZZX poly, const Ctxt& x, long k)
// Note: poly is passed by value, so caller keeps the original
{
if (deg(poly)<=2) { // nothing to optimize here
if (deg(poly)<1) { // A constant
ret.clear();
ret.addConstant(coeff(poly, 0));
} else { // A linear or quadratic polynomial
DynamicCtxtPowers babyStep(x, deg(poly));
simplePolyEval(ret, poly, babyStep);
}
return;
}
// How many baby steps: set k~sqrt(n/2), rounded up/down to a power of two
// FIXME: There may be some room for optimization here: it may be possible
// to choose k as something other than a power of two and still maintain
// optimal depth, in principle we can try all possible values of k between
// two consecutive powers of two and choose the one that gives the least
// number of multiplies, conditioned on minimum depth.
if (k<=0) {
long kk = (long) sqrt(deg(poly)/2.0);
k = 1L << NextPowerOfTwo(kk);
// heuristic: if k>>kk then use a smaler power of two
if ((k==16 && deg(poly)>167) || (k>16 && k>(1.44*kk)))
k /= 2;
}
#ifdef DEBUG_PRINTOUT
cerr << " k="<<k;
#endif
long n = divc(deg(poly),k); // n = ceil(deg(p)/k), deg(p) >= k*n
DynamicCtxtPowers babyStep(x, k);
const Ctxt& x2k = babyStep.getPower(k);
// Special case when deg(p)>k*(2^e -1)
if (n==(1L << NextPowerOfTwo(n))) { // n is a power of two
DynamicCtxtPowers giantStep(x2k, n/2);
degPowerOfTwo(ret, poly, k, babyStep, giantStep);
return;
}
// If n is not a power of two, ensure that poly is monic and that
// its degree is divisible by k, then call the recursive procedure
const ZZ p = to_ZZ(x.getPtxtSpace());
ZZ top = LeadCoeff(poly);
ZZ topInv; // the inverse mod p of the top coefficient of poly (if any)
bool divisible = (n*k == deg(poly)); // is the degree divisible by k?
long nonInvertibe = InvModStatus(topInv, top, p);
// 0 if invertible, 1 if not
// FIXME: There may be some room for optimization below: instead of
// adding a term X^{n*k} we can add X^{n'*k} for some n'>n, so long
// as n' is smaller than the next power of two. We could save a few
// multiplications since giantStep[n'] may be easier to compute than
// giantStep[n] when n' has fewer 1's than n in its binary expansion.
ZZ extra = ZZ::zero(); // extra!=0 denotes an added term extra*X^{n*k}
if (!divisible || nonInvertibe) { // need to add a term
top = to_ZZ(1); // new top coefficient is one
topInv = top; // also the new inverse is one
// set extra = 1 - current-coeff-of-X^{n*k}
extra = SubMod(top, coeff(poly,n*k), p);
SetCoeff(poly, n*k); // set the top coefficient of X^{n*k} to one
}
long t = IsZero(extra)? divc(n,2) : n;
DynamicCtxtPowers giantStep(x2k, t);
if (!IsOne(top)) {
poly *= topInv; // Multiply by topInv to make into a monic polynomial
for (long i=0; i<=n*k; i++) rem(poly[i], poly[i], p);
poly.normalize();
}
recursivePolyEval(ret, poly, k, babyStep, giantStep);
if (!IsOne(top)) {
ret.multByConstant(top);
}
if (!IsZero(extra)) { // if we added a term, now is the time to subtract back
Ctxt topTerm = giantStep.getPower(n);
topTerm.multByConstant(extra);
ret -= topTerm;
}
}
