static void e_pairing_clear(pairing_t pairing) {
field_clear(pairing->GT);
e_pairing_data_ptr p = pairing->data;
field_clear(p->Fq);
field_clear(p->Eq);
element_clear(p->R);
pbc_free(p);
mpz_clear(pairing->phikonr);
mpz_clear(pairing->r);
field_clear(pairing->Zr);
}
void tear_down(void) {
pbc_free(data);
element_clear(e0);
element_clear(e1);
element_clear(e2);
element_clear(a);
element_clear(b);
element_clear(a2);
element_clear(b2);
element_clear(a3);
element_clear(b3);
element_clear(a6);
element_clear(b6);
field_clear(f97_6);
field_clear(f97_3);
field_clear(f97_2);
field_clear(f97);
}
void pbc_param_init_d_gen(pbc_param_ptr p, pbc_cm_ptr cm) {
d_param_init(p);
d_param_ptr param = p->data;
field_t Fq, Fqx, Fqd;
element_t irred, nqr;
int d = cm->k / 2;
int i;
compute_cm_curve(param, cm);
field_init_fp(Fq, param->q);
field_init_poly(Fqx, Fq);
element_init(irred, Fqx);
do {
poly_random_monic(irred, d);
} while (!poly_is_irred(irred));
field_init_polymod(Fqd, irred);
// Find a quadratic nonresidue of Fqd lying in Fq.
element_init(nqr, Fqd);
do {
element_random(((element_t *) nqr->data)[0]);
} while (element_is_sqr(nqr));
param->coeff = pbc_realloc(param->coeff, sizeof(mpz_t) * d);
for (i=0; i<d; i++) {
mpz_init(param->coeff[i]);
element_to_mpz(param->coeff[i], element_item(irred, i));
}
element_to_mpz(param->nqr, ((element_t *) nqr->data)[0]);
element_clear(nqr);
element_clear(irred);
field_clear(Fqx);
field_clear(Fqd);
field_clear(Fq);
}
/* computation of $c <- U ^ {3^{3m} - 1}$
* This is the algorithm 6 in the paper above. */
static void algorithm6(element_t c, element_t u) {
element_ptr u0 = ITEM(u,0,0), u1 = ITEM(u,0,1), u2 = ITEM(u,1,0), u3 =
ITEM(u,1,1), u4 = ITEM(u,2,0), u5 = ITEM(u,2,1);
field_ptr f = FIELD(u0); /*GF(3^m)*/
field_t f3; /*GF(3^{3*m})*/
field_init_gf33m(f3, f);
element_t v0, v1, m0, m1, m2, a0, a1, i;
element_init(v0, f3);
element_init(v1, f3);
element_init(m0, f3);
element_init(m1, f3);
element_init(m2, f3);
element_init(a0, f3);
element_init(a1, f3);
element_init(i, f3);
element_set(element_item(v0, 0), u0);
element_set(element_item(v0, 1), u2);
element_set(element_item(v0, 2), u4);
element_set(element_item(v1, 0), u1);
element_set(element_item(v1, 1), u3);
element_set(element_item(v1, 2), u5);
element_mul(m0, v0, v0);
element_mul(m1, v1, v1);
element_mul(m2, v0, v1);
element_sub(a0, m0, m1);
element_add(a1, m0, m1);
element_invert(i, a1);
element_mul(v0, a0, i);
element_mul(v1, m2, i);
element_set(ITEM(c,0,0), element_item(v0, 0));
element_set(ITEM(c,1,0), element_item(v0, 1));
element_set(ITEM(c,2,0), element_item(v0, 2));
element_set(ITEM(c,0,1), element_item(v1, 0));
element_set(ITEM(c,1,1), element_item(v1, 1));
element_set(ITEM(c,2,1), element_item(v1, 2));
element_clear(v0);
element_clear(v1);
element_clear(m0);
element_clear(m1);
element_clear(m2);
element_clear(a0);
element_clear(a1);
element_clear(i);
field_clear(f3);
}
static void eta_T_3_pairing_clear(pairing_t pairing) {
mpz_clear(pairing->r);
field_clear(pairing->Zr);
field_clear(pairing->GT);
field_clear(pairing->G1);
pbc_free(pairing->G1);
pairing_data_ptr dp = pairing->data;
field_clear(dp->gf3m);
field_clear(dp->gf32m);
field_clear(dp->gf36m);
mpz_clear(dp->n2);
pbc_free(dp);
}
static void f_pairing_clear(pairing_t pairing) {
field_clear(pairing->GT);
f_pairing_data_ptr p = pairing->data;
element_clear(p->negalpha);
element_clear(p->negalphainv);
mpz_clear(p->tateexp);
element_clear(p->xpowq2);
element_clear(p->xpowq6);
element_clear(p->xpowq8);
field_clear(p->Etwist);
field_clear(p->Eq);
field_clear(p->Fq12);
field_clear(p->Fq2x);
field_clear(p->Fq2);
field_clear(p->Fq);
pbc_free(p);
mpz_clear(pairing->r);
field_clear(pairing->Zr);
}
//============================================
//
//============================================
int main(void)
{
Field f;
field_init(f, "bn254_fp6");
test_feature(f);
test_arithmetic_operation(f);
test_sqrt(f);
//test_frob(f);
test_io(f);
field_clear(f);
fprintf(stderr, "ok\n");
return 0;
}
static void d_pairing_clear(pairing_t pairing) {
field_clear(pairing->GT);
pptr p = pairing->data;
if (p->k == 6) {
element_clear(p->xpowq);
element_clear(p->xpowq2);
mpz_clear(pairing->phikonr);
} else {
mpz_clear(p->tateexp);
}
field_clear(p->Etwist);
field_clear(p->Eq);
element_clear(p->nqrinv);
element_clear(p->nqrinv2);
field_clear(p->Fqk);
field_clear(p->Fqd);
field_clear(p->Fqx);
field_clear(p->Fq);
field_clear(pairing->Zr);
mpz_clear(pairing->r);
pbc_free(p);
}
int main(void) {
field_t c;
field_t Z19;
element_t P, Q, R;
mpz_t q, z;
element_t a, b;
int i;
field_t Z19_2;
field_t c2;
element_t P2, Q2, R2;
element_t a2;
mpz_init(q);
mpz_init(z);
mpz_set_ui(q, 19);
field_init_fp(Z19, q);
element_init(a, Z19);
element_init(b, Z19);
element_set_si(a, 1);
element_set_si(b, 6);
mpz_set_ui(q, 18);
field_init_curve_ab(c, a, b, q, NULL);
element_init(P, c);
element_init(Q, c);
element_init(R, c);
printf("Y^2 = X^3 + X + 6 over F_19\n");
//(0,+/-5) is a generator
element_set0(a);
curve_from_x(R, a);
for (i=1; i<19; i++) {
mpz_set_si(z, i);
element_mul_mpz(Q, R, z);
element_printf("%dR = %B\n", i, Q);
}
mpz_set_ui(z, 6);
element_mul_mpz(P, R, z);
//P has order 3
element_printf("P = %B\n", P);
for (i=1; i<=3; i++) {
mpz_set_si(z, i);
element_mul_mpz(Q, R, z);
tate_3(a, P, Q, R);
element_printf("e_3(P,%dR) = %B\n", i, a);
}
element_double(P, R);
//P has order 9
element_printf("P = %B\n", P);
for (i=1; i<=9; i++) {
mpz_set_si(z, i);
//we're supposed to use multiples of R
//but 2R works just as well and it allows us
//to use R as the offset every time
element_mul_mpz(Q, P, z);
tate_9(a, P, Q, R);
element_printf("e_9(P,%dP) = %B\n", i, a);
}
//to do the pairing on all of E(F_19) we need to move to F_19^2
//or compute the rational function explicitly
printf("moving to F_19^2\n");
field_init_fi(Z19_2, Z19);
//don't need to tell it the real order
field_init_curve_ab_map(c2, c, element_field_to_fi, Z19_2, q, NULL);
element_init(P2, c2);
element_init(Q2, c2);
element_init(R2, c2);
element_init(a2, Z19_2);
element_set0(a2);
curve_from_x(P2, a2);
element_random(R2);
element_printf("P = %B\n", P2);
for (i=1; i<=18; i++) {
mpz_set_si(z, i);
element_mul_mpz(Q2, P2, z);
tate_18(a2, P2, Q2, R2, P2);
element_printf("e_18(P,%dP) = %B\n", i, a2);
}
element_clear(P2);
element_clear(Q2);
element_clear(R2);
element_clear(a2);
field_clear(c2);
field_clear(Z19_2);
field_clear(c);
element_clear(a);
element_clear(b);
element_clear(P);
element_clear(Q);
element_clear(R);
field_clear(Z19);
mpz_clear(q);
mpz_clear(z);
return 0;
}
int main(int argc, char **argv) {
for (;;) {
int c = getopt(argc, argv, "y");
if (c == -1) break;
switch (c) {
case 'y':
option_easy = 1;
option_prompt = "> ";
break;
default:
fprintf(stderr, "unrecognized option: %c\n", c);
break;
}
}
field_init_z(Z);
field_init_multiz(M);
symtab_init(tab);
builtin(fun_rnd);
builtin(fun_random);
builtin(fun_ord);
builtin(fun_order);
builtin(fun_nextprime);
builtin(fun_sqrt);
builtin(fun_inv);
builtin(fun_type);
builtin(fun_pairing);
builtin(fun_zmod);
builtin(fun_poly);
builtin(fun_polymod);
builtin(fun_extend);
builtin(fun_exit);
builtin(fun_CHECK);
builtin(fun_init_pairing_a);
builtin(fun_init_pairing_d);
builtin(fun_init_pairing_e);
builtin(fun_init_pairing_f);
builtin(fun_init_pairing_g);
builtin(fun_init_pairing_i);
run_init_pairing_a(NULL);
symtab_put(reserved, val_new_field(M), "M");
symtab_put(reserved, val_new_field(Z), "Z");
if (argc > optind) {
FILE *fp = fopen(argv[optind], "r");
if (!fp) pbc_die("fopen failed on %s", argv[optind]);
YY_BUFFER_STATE st = yy_create_buffer(fp, YY_BUF_SIZE);
yy_switch_to_buffer(st);
yywrapfun = yywrap_return1;
yyparse();
yy_delete_buffer(st);
}
else {
yywrapfun = yywrap_readline;
yywrap();
while (!end_of_input) {
if (2 == yyparse()) pbc_die("parser out of memory");
}
putchar('\n');
}
symtab_clear(tab);
field_clear(M);
return 0;
}
void pbc_param_init_f_gen(pbc_param_t p, int bits) {
f_init(p);
f_param_ptr fp = p->data;
//36 is a 6-bit number
int xbit = (bits - 6) / 4;
//TODO: use binary search to find smallest appropriate x
mpz_t x, t;
mpz_ptr q = fp->q;
mpz_ptr r = fp->r;
mpz_ptr b = fp->b;
field_t Fq, Fq2, Fq2x;
element_t e1;
element_t f;
field_t c;
element_t P;
mpz_init(x);
mpz_init(t);
mpz_setbit(x, xbit);
for (;;) {
mpz_mul(t, x, x);
mpz_mul_ui(t, t, 6);
mpz_add_ui(t, t, 1);
tryminusx(q, x);
mpz_sub(r, q, t);
mpz_add_ui(r, r, 1);
if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break;
tryplusx(q, x);
mpz_sub(r, q, t);
mpz_add_ui(r, r, 1);
if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break;
mpz_add_ui(x, x, 1);
}
field_init_fp(Fq, q);
element_init(e1, Fq);
for (;;) {
element_random(e1);
field_init_curve_b(c, e1, r, NULL);
element_init(P, c);
element_random(P);
element_mul_mpz(P, P, r);
if (element_is0(P)) break;
element_clear(P);
field_clear(c);
}
element_to_mpz(b, e1);
element_clear(e1);
field_init_quadratic(Fq2, Fq);
element_to_mpz(fp->beta, field_get_nqr(Fq));
field_init_poly(Fq2x, Fq2);
element_init(f, Fq2x);
// Find an irreducible polynomial of the form f = x^6 + alpha.
// Call poly_set_coeff1() first so we can use element_item() for the other
// coefficients.
poly_set_coeff1(f, 6);
for (;;) {
element_random(element_item(f, 0));
if (poly_is_irred(f)) break;
}
//extend F_q^2 using f = x^6 + alpha
//see if sextic twist contains a subgroup of order r
//if not, it's the wrong twist: replace alpha with alpha^5
{
field_t ctest;
element_t Ptest;
mpz_t z0, z1;
mpz_init(z0);
mpz_init(z1);
element_init(e1, Fq2);
element_set_mpz(e1, fp->b);
element_mul(e1, e1, element_item(f, 0));
element_neg(e1, e1);
field_init_curve_b(ctest, e1, r, NULL);
element_init(Ptest, ctest);
element_random(Ptest);
//I'm not sure what the #E'(F_q^2) is, but
//it definitely divides n_12 = #E(F_q^12). It contains a
//subgroup of order r if and only if
//(n_12 / r^2)P != O for some (in fact most) P in E'(F_q^6)
mpz_pow_ui(z0, q, 12);
mpz_add_ui(z0, z0, 1);
pbc_mpz_trace_n(z1, q, t, 12);
mpz_sub(z1, z0, z1);
mpz_mul(z0, r, r);
mpz_divexact(z1, z1, z0);
element_mul_mpz(Ptest, Ptest, z1);
if (element_is0(Ptest)) {
mpz_set_ui(z0, 5);
element_pow_mpz(element_item(f, 0), element_item(f, 0), z0);
}
element_clear(e1);
element_clear(Ptest);
field_clear(ctest);
mpz_clear(z0);
mpz_clear(z1);
}
element_to_mpz(fp->alpha0, element_x(element_item(f, 0)));
element_to_mpz(fp->alpha1, element_y(element_item(f, 0)));
element_clear(f);
field_clear(Fq2x);
field_clear(Fq2);
field_clear(Fq);
mpz_clear(t);
mpz_clear(x);
}
// Computes a curve and sets fp to the field it is defined over using the
// complex multiplication method, where cm holds the appropriate information
// (e.g. discriminant, field order).
static void compute_cm_curve(d_param_ptr param, pbc_cm_ptr cm) {
element_t hp, root;
field_t fp, fpx;
field_t cc;
field_init_fp(fp, cm->q);
field_init_poly(fpx, fp);
element_init(hp, fpx);
mpz_t *coefflist;
int n = (int)pbc_hilbert(&coefflist, cm->D);
// Temporarily set the coefficient of x^{n-1} to 1 so hp has degree n - 1,
// allowing us to use poly_coeff().
poly_set_coeff1(hp, n - 1);
int i;
for (i = 0; i < n; i++) {
element_set_mpz(element_item(hp, i), coefflist[i]);
}
pbc_hilbert_free(coefflist, n);
// TODO: Remove x = 0, 1728 roots.
// TODO: What if there are no roots?
//printf("hp ");
//element_out_str(stdout, 0, hp);
//printf("\n");
element_init(root, fp);
poly_findroot(root, hp);
//printf("root = ");
//element_out_str(stdout, 0, root);
//printf("\n");
element_clear(hp);
field_clear(fpx);
// The root is the j-invariant of the desired curve.
field_init_curve_j(cc, root, cm->n, NULL);
element_clear(root);
// We may need to twist it.
{
// Pick a random point P and twist the curve if it has the wrong order.
element_t P;
element_init(P, cc);
element_random(P);
element_mul_mpz(P, P, cm->n);
if (!element_is0(P)) field_reinit_curve_twist(cc);
element_clear(P);
}
mpz_set(param->q, cm->q);
mpz_set(param->n, cm->n);
mpz_set(param->h, cm->h);
mpz_set(param->r, cm->r);
element_to_mpz(param->a, curve_field_a_coeff(cc));
element_to_mpz(param->b, curve_field_b_coeff(cc));
param->k = cm->k;
{
mpz_t z;
mpz_init(z);
// Compute order of curve in F_q^k.
// n = q - t + 1 hence t = q - n + 1
mpz_sub(z, param->q, param->n);
mpz_add_ui(z, z, 1);
pbc_mpz_trace_n(z, param->q, z, param->k);
mpz_pow_ui(param->nk, param->q, param->k);
mpz_sub_ui(z, z, 1);
mpz_sub(param->nk, param->nk, z);
mpz_mul(z, param->r, param->r);
mpz_divexact(param->hk, param->nk, z);
mpz_clear(z);
}
field_clear(cc);
field_clear(fp);
}
