PFC::PFC(int s)
{
int mod_bits,words;
if (s!=80)
{
cout << "No suitable curve available" << endl;
exit(0);
}
mod_bits=2*s;
if (mod_bits%MIRACL==0)
words=(mod_bits/MIRACL);
else
words=(mod_bits/MIRACL)+1;
#ifdef MR_SIMPLE_BASE
miracl *mip=mirsys((MIRACL/4)*words,16);
#else
miracl *mip=mirsys(words,0);
mip->IOBASE=16;
#endif
B=new Big;
x=new Big;
mod=new Big;
ord=new Big;
cof=new Big;
npoints=new Big;
trace=new Big;
frob=new ZZn2;
*B=curveB;
S=s;
*x=param;
Big X=*x;
*mod=X*X+1;
*npoints=X*X-X+1;
*trace=X+1;
*cof=X*X+X+1;
*ord=*npoints;
ecurve(-3,*B,*mod,MR_PROJECTIVE);
set_frobenius_constant(*frob);
Big sru=pow((ZZn)-2,(*mod-1)/6); // x^6+2 is irreducible
set_zzn3(-2,sru);
mip->TWIST=MR_QUADRATIC; // twisted curve E'(ZZn3)
}
int main()
{
miracl* mip=&precision;
ECn Alice,Bob,sA,sB;
ECn3 B6,Server,sS;
ZZn6 sp,ap,bp;
ZZn6 res,XX,YY;
ZZn2 X;
ZZn3 Qx,Qy;
Big a,b,s,ss,p,q,x,y,B,cf,t,sru,T;
int i,A;
time_t seed;
int qnr;
mip->IOBASE=16;
x="-D285DA0CFEF02F06F812"; // MNT elliptic curve parameters (Thanks to Drew Sutherland)
p=x*x+1;
q=x*x-x+1;
t=x+1;
cf=x*x+x+1;
T=t-1;
// cout << "t-1= " << T << endl;
// cout << "p%24= " << p%24 << endl;
time(&seed);
irand((long)seed);
A=-3;
B="77479D33943B5B1F590B54258B72F316B3261D45";
ecurve(A,B,p,MR_PROJECTIVE);
set_frobenius_constant(X);
sru=pow((ZZn)-2,(p-1)/6); // x^6+2 is irreducible
set_zzn3(-2,sru);
mip->IOBASE=16;
mip->TWIST=MR_QUADRATIC; // map Server to point on twisted curve E(Fp3)
//See ftp://ftp.computing.dcu.ie/pub/resources/crypto/twists.pdf
ss=rand(q); // TA's super-secret
cout << "Mapping Server ID to point" << endl;
Server=hash_and_map3((char *)"Server");
// Multiply by the cofactor - thank you NTL!
// Server*=(p-1);
// Server*=(p+1+t);
cofactor(Server,x,X);
cout << "Mapping Alice & Bob ID's to points" << endl;
Alice=hash_and_map((char *)"Alice");
Bob= hash_and_map((char *)"Robert");
cout << "Alice, Bob and the Server visit Trusted Authority" << endl;
sS=ss*Server;
sA=ss*Alice;
sB=ss*Bob;
cout << "Alice and Server Key Exchange" << endl;
a=rand(q); // Alice's random number
s=rand(q); // Server's random number
if (!ate(Server,sA,x,X,res)) cout << "Trouble" << endl;
if (!member(res,x,X))
{
cout << "Wrong group order - aborting" << endl;
exit(0);
}
ap=powu(res,a);
if (!ate(sS,Alice,x,X,res)) cout << "Trouble" << endl;
if (!member(res,x,X))
{
cout << "Wrong group order - aborting" << endl;
exit(0);
}
sp=powu(res,s);
cout << "Alice Key= " << H2(powu(sp,a)) << endl;
cout << "Server Key= " << H2(powu(ap,s)) << endl;
cout << "Bob and Server Key Exchange" << endl;
b=rand(q); // Bob's random number
s=rand(q); // Server's random number
if (!ate(Server,sB,x,X,res)) cout << "Trouble" << endl;
if (!member(res,x,X))
{
cout << "Wrong group order - aborting" << endl;
exit(0);
}
bp=powu(res,b);
if (!ate(sS,Bob,x,X,res)) cout << "Trouble" << endl;
if (!member(res,x,X))
{
cout << "Wrong group order - aborting" << endl;
exit(0);
}
sp=powu(res,s);
cout << "Bob's Key= " << H2(powu(sp,b)) << endl;
cout << "Server Key= " << H2(powu(bp,s)) << endl;
return 0;
}
PFC::PFC(int s, csprng *rng)
{
int i,j,mod_bits,words;
if (s!=128 && s!=192)
{
cout << "No suitable curve available" << endl;
exit(0);
}
if (s==128) mod_bits=256;
if (s==192) mod_bits=768;
if (mod_bits%MIRACL==0)
words=(mod_bits/MIRACL);
else
words=(mod_bits/MIRACL)+1;
#ifdef MR_SIMPLE_BASE
miracl *mip=mirsys((MIRACL/4)*words,16);
#else
miracl *mip=mirsys(words,0);
mip->IOBASE=16;
#endif
B=new Big;
x=new Big;
mod=new Big;
ord=new Big;
cof=new Big;
npoints=new Big;
trace=new Big;
for (i=0;i<4;i++)
{
WB[i]=new Big;
for (j=0;j<4;j++)
{
BB[i][j]=new Big;
}
}
for (i=0;i<2;i++)
{
W[i]=new Big;
for (j=0;j<2;j++)
{
SB[i][j]=new Big;
}
}
Beta=new ZZn;
frob=new ZZn2;
Big A=0;
*B=curveB;
if (s==128) *x=param_128;
if (s==192) *x=param_192;
S=s;
Big X=*x;
*mod=36*pow(X,4)+36*pow(X,3)+24*X*X+6*X+1;
*trace=6*X*X+1;
*npoints=*mod+1-*trace;
*cof=*mod-1+*trace;
*ord=*npoints;
ecurve(A,*B,*mod,MR_PROJECTIVE);
// Big Lambda=-(36*pow(x,3)+18*x*x+6*x+2); // cube root of unity mod q
*Beta=-(18*pow(X,3)+18*X*X+9*X+2); // cube root of unity mod p
set_frobenius_constant(*frob);
// Use standard Gallant-Lambert-Vanstone endomorphism method for G1
*W[0]=6*X*X+4*X+1; // This is first column of inverse of SB (without division by determinant)
*W[1]=-(2*X+1);
*SB[0][0]=6*X*X+2*X;
*SB[0][1]=-(2*X+1);
*SB[1][0]=-(2*X+1);
*SB[1][1]=-(6*X*X+4*X+1);
// Use Galbraith & Scott Homomorphism idea for G2 & GT ... (http://eprint.iacr.org/2008/117.pdf EXample 5)
*WB[0]=2*X*X+3*X+1; // This is first column of inverse of BB (without division by determinant)
*WB[1]=12*X*X*X+8*X*X+X;
*WB[2]=6*X*X*X+4*X*X+X;
*WB[3]=-2*X*X-X;
*BB[0][0]=X+1; *BB[0][1]=X; *BB[0][2]=X; *BB[0][3]=-2*X;
*BB[1][0]=2*X+1; *BB[1][1]=-X; *BB[1][2]=-(X+1); *BB[1][3]=-X;
*BB[2][0]=2*X; *BB[2][1]=2*X+1; *BB[2][2]=2*X+1; *BB[2][3]=2*X+1;
*BB[3][0]=X-1; *BB[3][1]=4*X+2; *BB[3][2]=-(2*X-1); *BB[3][3]=X-1;
mip->TWIST=MR_SEXTIC_D; // map Server to point on twisted curve E(Fp2)
RNG = rng;
}
PFC::PFC(int s, csprng *rng)
{
int i,j,mod_bits,words;
if (s!=192)
{
cout << "No suitable curve available" << endl;
exit(0);
}
mod_bits=(8*s)/3;
if (mod_bits%MIRACL==0)
words=(mod_bits/MIRACL);
else
words=(mod_bits/MIRACL)+1;
#ifdef MR_SIMPLE_BASE
miracl *mip=mirsys((MIRACL/4)*words,16);
#else
miracl *mip=mirsys(words,0);
mip->IOBASE=16;
#endif
B=new Big;
x=new Big;
mod=new Big;
ord=new Big;
cof=new Big;
npoints=new Big;
trace=new Big;
for (i=0;i<6;i++)
{
WB[i]=new Big;
for (j=0;j<6;j++)
{
BB[i][j]=new Big;
}
}
for (i=0;i<2;i++)
{
W[i]=new Big;
for (j=0;j<2;j++)
{
SB[i][j]=new Big;
}
}
S=s;
Beta=new ZZn;
frob=new ZZn;
*B=curveB;
*x=param;
Big X=*x;
*trace=(pow(X,4) + 16*X + 7)/7;
*ord=(pow(X,6) + 37*pow(X,3) + 343)/343;
*cof=(49*X*X+245*X+343)/3;
*npoints=*cof*(*ord);
*mod=*cof*(*ord)+*trace-1;
ecurve(0,*B,*mod,MR_PROJECTIVE);
Big BBeta=(3*pow(X,7)-7*pow(X,6)+46*pow(X,5)+68*pow(X,4)-308*pow(X,3)+189*X*X+145*X-3192)/56;
BBeta+=X*(pow(X,7)/28);
BBeta/=3;
Big sru=*mod-BBeta; // sixth root of unity = -Beta
set_zzn3(NR,sru);
*Beta=BBeta;
set_frobenius_constant(*frob);
// Use standard Gallant-Lambert-Vanstone endomorphism method for G1
*W[0]=(X*X*X)/343; // This is first column of inverse of SB (without division by determinant)
*W[1]=(18*X*X*X+343)/343;
*SB[0][0]=(X*X*X)/343;
*SB[0][1]=-(18*X*X*X+343)/343;
*SB[1][0]=(19*X*X*X+343)/343;
*SB[1][1]=(X*X*X)/343;
// Use Galbraith & Scott Homomorphism idea for G2 & GT ... (http://eprint.iacr.org/2008/117.pdf)
*WB[0]=5*pow(X,3)/49+2; // This is first column of inverse of BB (without division by determinant)
*WB[1]=-(X*X)/49;
*WB[2]=pow(X,4)/49+3*X/7;
*WB[3]=-(17*pow(X,3)/343+1);
*WB[4]=-(pow(X,5)/343+2*(X*X)/49);
*WB[5]=5*pow(X,4)/343+2*X/7;
*BB[0][0]=1; *BB[0][1]=0; *BB[0][2]=5*X/7; *BB[0][3]=1; *BB[0][4]=0; *BB[0][5]=-X/7;
*BB[1][0]=-5*X/7; *BB[1][1]=-2; *BB[1][2]=0; *BB[1][3]=X/7; *BB[1][4]=1; *BB[1][5]=0;
*BB[2][0]=0; *BB[2][1]=2*X/7; *BB[2][2]=1; *BB[2][3]=0; *BB[2][4]=X/7; *BB[2][5]=0;
*BB[3][0]=1; *BB[3][1]=0; *BB[3][2]=X; *BB[3][3]=2; *BB[3][4]=0; *BB[3][5]=0;
*BB[4][0]=-X; *BB[4][1]=-3; *BB[4][2]=0; *BB[4][3]=0; *BB[4][4]=1; *BB[4][5]=0;
*BB[5][0]=0; *BB[5][1]=-X; *BB[5][2]=-3; *BB[5][3]=0; *BB[5][4]=0; *BB[5][5]=1;
mip->TWIST=MR_SEXTIC_D; // map Server to point on twisted curve E(Fp3)
RNG=rng;
}
int main()
{
miracl* mip=&precision;
ECn Alice,Bob,sA,sB;
ECn3 B6,Server,sS;
ZZn6 sp,ap,bp;
ZZn6 res;
ZZn2 X;
Big a,b,s,ss,p,q,x,y,B,cf,t,sru,T;
int i,A;
time_t seed;
mip->IOBASE=16;
x="-D285DA0CFEF02F06F812"; // MNT elliptic curve parameters (Thanks to Drew Sutherland)
p=x*x+1;
q=x*x-x+1;
t=x+1;
cf=x*x+x+1;
T=t-1;
// cout << "t-1= " << T << endl;
// cout << "p%24= " << p%24 << endl;
time(&seed);
irand((long)seed);
A=-3;
B="77479D33943B5B1F590B54258B72F316B3261D45";
#ifdef AFFINE
ecurve(A,B,p,MR_AFFINE);
#endif
#ifdef PROJECTIVE
ecurve(A,B,p,MR_PROJECTIVE);
#endif
set_frobenius_constant(X);
sru=pow((ZZn)-2,(p-1)/6); // x^6+2 is irreducible
set_zzn3(-2,sru);
mip->IOBASE=16;
mip->TWIST=MR_QUADRATIC; // map Server to point on twisted curve E(Fp3)
ss=rand(q); // TA's super-secret
cout << "Mapping Server ID to point" << endl;
Server=hash_and_map3((char *)"Server");
cofactor(Server,x,X);
cout << "Mapping Alice & Bob ID's to points" << endl;
Alice=hash_and_map((char *)"Alice");
Bob= hash_and_map((char *)"Robert");
cout << "Alice, Bob and the Server visit Trusted Authority" << endl;
sS=G2_mul(Server,ss,x,X);
sA=ss*Alice;
sB=ss*Bob;
cout << "Alice and Server Key Exchange" << endl;
a=rand(q); // Alice's random number
s=rand(q); // Server's random number
if (!ecap(sA,Server,x,X,res)) cout << "Trouble" << endl;
if (!member(res,x,X))
{
cout << "Wrong group order - aborting" << endl;
exit(0);
}
ap=GT_pow(res,a,x,X);//powu(res,a);
if (!ecap(Alice,sS,x,X,res)) cout << "Trouble" << endl;
if (!member(res,x,X))
{
cout << "Wrong group order - aborting" << endl;
exit(0);
}
sp=GT_pow(res,s,x,X);
cout << "Alice Key= " << H2(powu(sp,a)) << endl;
cout << "Server Key= " << H2(powu(ap,s)) << endl;
cout << "Bob and Server Key Exchange" << endl;
b=rand(q); // Bob's random number
s=rand(q); // Server's random number
if (!ecap(sB,Server,x,X,res)) cout << "Trouble" << endl;
if (!member(res,x,X))
{
cout << "Wrong group order - aborting" << endl;
exit(0);
}
bp=GT_pow(res,b,x,X);
if (!ecap(Bob,sS,x,X,res)) cout << "Trouble" << endl;
if (!member(res,x,X))
{
cout << "Wrong group order - aborting" << endl;
exit(0);
}
sp=GT_pow(res,s,x,X);
cout << "Bob's Key= " << H2(powu(sp,b)) << endl;
cout << "Server Key= " << H2(powu(bp,s)) << endl;
return 0;
}
