void cc_pairings_affine(element_ptr out, element_t in1[], element_t in2[],
int n_prod, pairing_t pairing) {
element_ptr Qbase;
element_t* Qx = pbc_malloc(sizeof(element_t)*n_prod);
element_t* Qy = pbc_malloc(sizeof(element_t)*n_prod);
pptr p = pairing->data;
int i;
for(i=0; i<n_prod; i++){
element_init(Qx[i], p->Fqd);
element_init(Qy[i], p->Fqd);
Qbase = in2[i];
// Twist: (x, y) --> (v^-1 x, v^-(3/2) y)
// where v is the quadratic nonresidue used to construct the twist.
element_mul(Qx[i], curve_x_coord(Qbase), p->nqrinv);
// v^-3/2 = v^-2 * v^1/2
element_mul(Qy[i], curve_y_coord(Qbase), p->nqrinv2);
}
cc_millers_no_denom_affine(out, pairing->r, in1, Qx, Qy, n_prod);
cc_tatepower(out, out, pairing);
for(i=0; i<n_prod; i++){
element_clear(Qx[i]);
element_clear(Qy[i]);
}
pbc_free(Qx);
pbc_free(Qy);
}
static void fp_init(element_ptr e) {
fptr p = (fptr)e->field->data;
eptr ep;
e->data = pbc_malloc(sizeof(*ep));
ep = (eptr)e->data;
ep->flag = 0;
ep->d = (mp_limb_t*)pbc_malloc(p->bytes);
}
static val_ptr run_extend(val_ptr v[]) {
// TODO: Check v[1] is multiz poly.
field_ptr fx = (field_ptr)pbc_malloc(sizeof(*fx));
field_init_poly(fx, v[0]->field);
element_ptr poly = element_new(fx);
element_set_multiz(poly, (multiz)(v[1]->elem->data));
field_ptr f = (field_ptr)pbc_malloc(sizeof(*f));
field_init_polymod(f, poly);
element_free(poly);
return val_new_field(f);
}
void darray_remove_all(darray_ptr a)
{
a->max = max_init;
a->count = 0;
pbc_free(a->item);
a->item = pbc_malloc(sizeof(void *) * a->max);
}
static void gf32m_init(element_t e) {
e->data = pbc_malloc(sizeof(gf32m_s));
gf32m_ptr p = (gf32m_ptr) e->data;
field_ptr base = BASE(e);
element_init(p->_0, base);
element_init(p->_1, base);
}
static val_ptr eval_elem(tree_ptr t) {
// TODO: Write element_clone(), or at least element_new().
element_ptr e = (element_ptr)pbc_malloc(sizeof(*e));
element_init_same_as(e, t->elem);
element_set(e, t->elem);
return val_new_element(e);
}
static val_ptr run_order(val_ptr v[]) {
field_ptr f = v[0]->field;
element_ptr e = (element_ptr)pbc_malloc(sizeof(*e));
element_init(e, M);
element_set_mpz(e, f->order);
return val_new_element(e);
}
static val_ptr eval_define(tree_ptr t) {
val_ptr v = (val_ptr)pbc_malloc(sizeof(*v));
v->type = v_def;
v->def = t;
symtab_put(tab, v, ((tree_ptr)darray_at(t->child, 0))->id);
return v;
}
static inline void in(element_t elem, FILE *myfile) {
int sz;
fread(&sz, 4, 1, myfile);
unsigned char* data = pbc_malloc(sz);
fread(data, sz, 1, myfile);
element_from_bytes(elem, data);
pbc_free(data);
}
void setup_global_broadcast_params(global_broadcast_params_t *sys, int num_users)
{
global_broadcast_params_t gbs;
gbs = pbc_malloc(sizeof(struct global_broadcast_params_s));
// Setup curve in gbp
size_t count = strlen(PBC_PAIRING_PARAMS);
if (!count) pbc_die("input error");
if (pairing_init_set_buf(gbs->pairing, PBC_PAIRING_PARAMS, count))
pbc_die("pairing init failed");
gbs->num_users = num_users;
element_t *lgs;
int i;
lgs = pbc_malloc(2 * num_users * sizeof(element_t));
if(!(lgs)) {
printf("\nMalloc Failed\n");
printf("Didn't finish system setup\n\n");
}
//Set g as a chosen public value
element_init(gbs->g, gbs->pairing->G1);
i=element_set_str(gbs->g, PUBLIC_G, PBC_CONVERT_BASE);
//Get alpha from Zp as mentioned in the paper
element_init_Zr(gbs->alpha, gbs->pairing);
element_random(gbs->alpha); //pick random alpha value and later delete from memory
//i=element_set_str(gbs->alpha, PRIVATE_ALPHA, PBC_CONVERT_BASE); //alpha is initialised as secret and later removed from memory
//Make the 0th element equal to g^alpha
element_init(lgs[0], gbs->pairing->G1);
element_pow_zn(lgs[0],gbs->g, gbs->alpha);
//Fill in the gs and the hs arrays
for(i = 1; i < 2*num_users; i++) {
//raise alpha to one more power
element_init(lgs[i], gbs->pairing->G1);
element_pow_zn(lgs[i], lgs[i-1], gbs->alpha);
}
element_clear(lgs[num_users]); //remove g^(alpha^(n+1)) as it can leak info about parameters
//For simplicity & so code was easy to read
gbs->gs = lgs;
*sys = gbs;
}
static void sn_init(element_ptr e) {
field_ptr f = e->field->data;
e->data = pbc_malloc(sizeof(point_t));
point_ptr p = e->data;
element_init(p->x, f);
element_init(p->y, f);
p->inf_flag = 1;
}
tree_ptr tree_new_z(const char* s) {
element_ptr e = (element_ptr)pbc_malloc(sizeof(*e));
element_init(e, M);
element_set_str(e, s, 0);
tree_ptr t = tree_new(eval_elem);
t->elem = e;
return t;
}
static val_ptr fun_cmp(val_ptr v[], int(*fun)(int)) {
int i = element_cmp(v[0]->elem, v[1]->elem);
element_ptr e = (element_ptr)pbc_malloc(sizeof(*e));
element_init(e, M);
element_set_si(e, fun(i));
v[0]->elem = e;
return v[0];
}
static void point_init(element_t e) {
field_ptr f = BASE(e);
e->data = pbc_malloc(sizeof(struct point_s));
point_ptr p = DATA(e);
element_init(p->x, f);
element_init(p->y, f);
p->isinf = 1;
}
static void curve_init(element_ptr e) {
curve_data_ptr cdp = (curve_data_ptr)e->field->data;
point_ptr p;
e->data = pbc_malloc(sizeof(*p));
p = (point_ptr)e->data;
element_init(p->x, cdp->field);
element_init(p->y, cdp->field);
p->inf_flag = 1;
}
void field_init_fast_fp(field_ptr f, mpz_t prime) {
PBC_ASSERT(!mpz_fits_ulong_p(prime), "modulus too small");
fp_field_data_ptr p;
field_init(f);
f->init = fp_init;
f->clear = fp_clear;
f->set_si = fp_set_si;
f->set_mpz = fp_set_mpz;
f->out_str = fp_out_str;
f->add = fp_add;
f->sub = fp_sub;
f->set = fp_set;
f->mul = fp_mul;
f->mul_si = fp_mul_si;
f->square = fp_square;
f->doub = fp_double;
f->halve = fp_halve;
f->pow_mpz = fp_pow_mpz;
f->neg = fp_neg;
f->cmp = fp_cmp;
f->sign = mpz_odd_p(prime) ? fp_sgn_odd : fp_sgn_even;
f->invert = fp_invert;
f->random = fp_random;
f->from_hash = fp_from_hash;
f->is1 = fp_is1;
f->is0 = fp_is0;
f->set0 = fp_set0;
f->set1 = fp_set1;
f->is_sqr = fp_is_sqr;
f->sqrt = element_tonelli;
f->field_clear = fp_field_clear;
f->to_bytes = fp_to_bytes;
f->from_bytes = fp_from_bytes;
f->to_mpz = fp_to_mpz;
p = f->data = pbc_malloc(sizeof(fp_field_data_t));
p->limbs = mpz_size(prime);
p->bytes = p->limbs * sizeof(mp_limb_t);
p->primelimbs = pbc_malloc(p->bytes);
mpz_export(p->primelimbs, &p->limbs, -1, sizeof(mp_limb_t), 0, 0, prime);
mpz_set(f->order, prime);
f->fixed_length_in_bytes = (mpz_sizeinbase(prime, 2) + 7) / 8;
}
static val_ptr run_zmod(val_ptr v[]) {
element_ptr e = v[0]->elem;
mpz_t z;
mpz_init(z);
element_to_mpz(z, e);
field_ptr f = (field_ptr)pbc_malloc(sizeof(*f));
field_init_fp(f, z);
mpz_clear(z);
return val_new_field(f);
}
/* initialize the finite field as $GF(3^m)$, whose irreducible polynomial is with the degree of $m$ */
void field_init_gf3m(field_t f, unsigned m, unsigned t) {
params *p = (params *)pbc_malloc(sizeof(*p));
p->len = (m + (W - 1) + 1) / W; /* extra one bit for $_p$ */
p->m = m;
p->t = t;
p->p = (element_ptr)pbc_malloc(sizeof(*(p->p)));
p->p->field = f;
p->p->data = pbc_malloc(2 * sizeof(unsigned long) * p->len);
memset(p->p->data, 0, 2 * sizeof(unsigned long) * p->len);
unsigned long *p1 = (unsigned long *)p->p->data, *p2 = p1 + p->len;
p2[0] = 1; /* _p == x^m+x^t+2 */
unsigned int p_t = p->t;
p1[p_t / W] |= 1ul << (p_t % W);
p1[m / W] |= 1ul << (m % W);
field_init(f);
f->field_clear = field_clear_gf3m;
f->init = gf3m_init;
f->clear = gf3m_clear;
f->set = gf3m_assign;
f->set0 = gf3m_zero;
f->set1 = gf3m_one;
f->is0 = gf3m_is0;
f->is1 = gf3m_is1;
f->add = gf3m_add;
f->sub = gf3m_sub;
f->mul = gf3m_mult;
f->cubic = gf3m_cubic;
f->invert = gf3m_invert;
f->neg = gf3m_neg;
f->random = gf3m_random;
f->cmp = gf3m_cmp;
f->sqrt = gf3m_sqrt;
f->from_bytes = gf3m_from_bytes;
f->to_bytes = gf3m_to_bytes;
f->out_str = gf3m_out_str;
f->fixed_length_in_bytes = 2 * sizeof(unsigned long) * p->len;
f->data = p;
f->name = "GF(3^m)";
mpz_set_ui(f->order, 3);
mpz_pow_ui(f->order, f->order, p->m);
}
static inline void out(element_t elem, FILE *myfile)
{
int sz = element_length_in_bytes(elem);
fwrite(&sz, 4, 1, myfile);
unsigned char* data = pbc_malloc(sz);
if(!data) printf("DATA IS NULL\n");
element_to_bytes(data, elem);
fwrite(data, sz, 1, myfile);
pbc_free(data);
}
static inline int in(element_t elem, unsigned char *my_feed) {
int sz;
// fprintf(stderr, "Prepare reading sz\n");
memcpy(&sz, my_feed, 4);
// fprintf(stderr, "Size of pbc element: %d\n", sz);
unsigned char* data = pbc_malloc(sz);
memcpy(data, my_feed+4, sz);
element_from_bytes_compressed(elem, data);
pbc_free(data);
return sz+4;
}
//This function sets the global broadcast parameters downloaded as a file from the server
//Sets up the gamma value, dont forget to randomize gamma and store locally later please
void setup_global_broadcast_params(global_broadcast_params_t *sys,
unsigned char* gbs_header)
{
global_broadcast_params_t gbs;
gbs = pbc_malloc(sizeof(struct global_broadcast_params_s));
// Setup curve in gbp
size_t count = strlen(PBC_PAIRING_PARAMS);
if (pairing_init_set_buf(gbs->pairing, PBC_PAIRING_PARAMS, count))
pbc_die("pairing init failed");
int num_users;
memcpy(&num_users, gbs_header, 4);
gbs->num_users = num_users;
gbs_header= gbs_header+4;
element_t *lgs;
int i;
lgs = pbc_malloc(2 * num_users * sizeof(element_t));
//generate g from the file contents
element_init(gbs->g, gbs->pairing->G1);
gbs_header += in(gbs->g, gbs_header);
//Fill in the gi values in lgs[]
for(i = 0; i < 2*num_users; i++) {
element_init(lgs[i], gbs->pairing->G1);
if(i == num_users)
continue;
gbs_header += in(lgs[i], gbs_header);
}
element_init_Zr(gbs->gamma, gbs->pairing); //initialise gamma
element_random(gbs->gamma); //pick random value of gamma
//For simplicity & so code was easy to read
gbs->gs = lgs;
*sys = gbs;
return;
}
static val_ptr run_item(val_ptr v[]) {
mpz_t z;
mpz_init(z);
element_to_mpz(z, v[1]->elem);
int i = mpz_get_si(z);
mpz_clear(z);
element_ptr a = element_item(v[0]->elem, i);
element_ptr e = (element_ptr)pbc_malloc(sizeof(*e));
element_init_same_as(e, a);
element_set(e, a);
return val_new_element(e);
}
static void param_init(pbc_param_ptr p) {
static pbc_param_interface_t interface = {{
(void (*)(void *))eta_T_3_clear,
(void (*)(pairing_t, void *))eta_T_3_init_pairing,
(void (*)(FILE *, void *))eta_T_3_out_str,
}
};
p->api = interface;
params *param = p->data = pbc_malloc(sizeof(*param));
mpz_init(param->n);
mpz_init(param->n2);
}
static void record(element_t asum, element_t bsum, element_t snark,
darray_t hole, mpz_t counter) {
snapshot_ptr ss = pbc_malloc(sizeof(struct snapshot_s));
element_init_same_as(ss->a, asum);
element_init_same_as(ss->b, bsum);
element_init_same_as(ss->snark, snark);
element_set(ss->a, asum);
element_set(ss->b, bsum);
element_set(ss->snark, snark);
darray_append(hole, ss);
element_printf("snark %Zd: %B\n", counter, snark);
}
void symtab_put(symtab_t t, void *data, const char *key) {
int i, n = t->list->count;
entry_ptr e;
for (i=0; i<n; i++) {
e = t->list->item[i];
if (!strcmp(e->key, key)) goto doit;
}
e = pbc_malloc(sizeof(entry_t));
e->key = pbc_strdup(key);
darray_append(t->list, e);
doit:
e->data = data;
}
static val_ptr val_new_error(const char *msg, ...) {
va_list params;
char buf[80];
va_start(params, msg);
vsnprintf(buf, 80, msg, params);
va_end(params);
val_ptr v = (val_ptr)pbc_malloc(sizeof(*v));
v->type = v_error;
v->msg = pbc_strdup(buf);
return v;
}
static void eta_T_3_init_pairing(pairing_t pairing, params *p) {
mpz_init(pairing->r);
mpz_set(pairing->r, p->n);
field_init_fp(pairing->Zr, pairing->r);
pairing_data_ptr dp = pbc_malloc(sizeof(*dp));
mpz_init(dp->n2);
mpz_set(dp->n2, p->n2);
field_init_gf3m(dp->gf3m, p->m, p->t);
field_init_gf32m(dp->gf32m, dp->gf3m);
field_init_gf33m(dp->gf36m, dp->gf32m);
pairing_GT_init(pairing, dp->gf36m);
pairing->GT->name = "eta_T_3 group of roots of 1";
pairing->GT->random = GT_random;
pairing->G2 = pairing->G1 = pbc_malloc(sizeof(field_t));
field_init_eta_T_3(pairing->G1, dp->gf3m);
pairing->G1->pairing = pairing;
mpz_set(pairing->G1->order, p->n);
mpz_set(pairing->GT->order, p->n);
pairing->map = eta_T_pairing;
pairing->data = dp;
pairing->clear_func = eta_T_3_pairing_clear;
}
static void e_init(pbc_param_ptr p) {
static pbc_param_interface_t interface = {{
e_clear,
e_init_pairing,
e_out_str,
}};
p->api = interface;
e_param_ptr ep = p->data = pbc_malloc(sizeof(*ep));
mpz_init(ep->q);
mpz_init(ep->r);
mpz_init(ep->h);
mpz_init(ep->a);
mpz_init(ep->b);
}
int BCEEncrypt(byte *sys_params_path, byte *CT_C0_out, byte *CT_C1_out, byte *symmetric_key_out)
{
global_broadcast_params_t gbs;
broadcast_system_t sys;
ct_t shared_CT;
element_t symmetric_key;
int retlen;
if (sys_params_path == NULL)
return 1;
if (CT_C0_out == NULL)
return 2;
if (CT_C1_out == NULL)
return 3;
if (symmetric_key_out == NULL)
return 4;
LoadParams((char *) sys_params_path, &gbs, &sys);
shared_CT = (ct_t) pbc_malloc(sizeof(struct ciphertext_s));
BroadcastKEM_using_product(gbs, sys, shared_CT, symmetric_key);
retlen = element_to_bytes(CT_C0_out, shared_CT->C0);
if (retlen != CT_C0_LENGTH)
return 5;
retlen = element_to_bytes(CT_C1_out, shared_CT->C1);
if (retlen != CT_C1_LENGTH)
return 6;
retlen = element_to_bytes(symmetric_key_out, symmetric_key);
if (retlen != SYMMETRIC_KEY_LENGTH)
return 7;
element_random(symmetric_key);
element_clear(symmetric_key);
FreeCT(shared_CT);
pbc_free(shared_CT);
FreeBCS(sys);
pbc_free(sys);
FreeGBP(gbs);
pbc_free(gbs);
return 0;
}
void field_init_tiny_fp(field_ptr f, mpz_t prime) {
pbc_mpui *p;
PBC_ASSERT(mpz_fits_ulong_p(prime), "modulus too big");
field_init(f);
f->init = fp_init;
f->clear = fp_clear;
f->set_si = fp_set_si;
f->set_mpz = fp_set_mpz;
f->out_str = fp_out_str;
f->add = fp_add;
f->sub = fp_sub;
f->set = fp_set;
f->mul = fp_mul;
f->mul_si = fp_mul_si;
f->square = fp_square;
f->doub = fp_double;
f->pow_mpz = fp_pow_mpz;
f->neg = fp_neg;
f->cmp = fp_cmp;
f->sign = fp_sgn_odd;
f->invert = fp_invert;
f->random = fp_random;
f->from_hash = fp_from_hash;
f->is1 = fp_is1;
f->is0 = fp_is0;
f->set0 = fp_set0;
f->set1 = fp_set1;
f->is_sqr = fp_is_sqr;
f->sqrt = element_tonelli;
f->field_clear = fp_field_clear;
f->to_bytes = fp_to_bytes;
f->from_bytes = fp_from_bytes;
f->to_mpz = fp_to_mpz;
p = f->data = pbc_malloc(sizeof(pbc_mpui));
*p = mpz_get_ui(prime);
{
pbc_mpui l = 255;
f->fixed_length_in_bytes = 1;
while (l < *p) {
f->fixed_length_in_bytes++;
l <<= 8;
l += 255;
}
}
mpz_set(f->order, prime);
}
