void tate(element_t z, element_t P, element_t Q)
{
mpz_t q1r;
mpz_init(q1r);
mpz_set_ui(q1r, 696);
/*
millertate(z, P, Q);
element_printf("prepow: z = %B\n", z);
element_pow_mpz(z, z, q1r);
*/
{
element_t R, QR;
element_t z0;
element_init_same_as(R, P);
element_init_same_as(QR, P);
element_init_same_as(z0, z);
element_random(R);
element_add(QR, Q, R);
millertate(z, P, QR);
millertate(z0, P, R);
element_div(z, z, z0);
element_pow_mpz(z, z, q1r);
element_clear(R);
element_clear(QR);
}
mpz_clear(q1r);
}
// The final powering, where we standardize the coset representative.
static void cc_tatepower(element_ptr out, element_ptr in, pairing_t pairing) {
pptr p = pairing->data;
#define qpower(sign) { \
polymod_const_mul(e2, inre[1], p->xpowq); \
element_set(e0re, e2); \
polymod_const_mul(e2, inre[2], p->xpowq2); \
element_add(e0re, e0re, e2); \
element_add(e0re0, e0re0, inre[0]); \
\
if (sign > 0) { \
polymod_const_mul(e2, inim[1], p->xpowq); \
element_set(e0im, e2); \
polymod_const_mul(e2, inim[2], p->xpowq2); \
element_add(e0im, e0im, e2); \
element_add(e0im0, e0im0, inim[0]); \
} else { \
polymod_const_mul(e2, inim[1], p->xpowq); \
element_neg(e0im, e2); \
polymod_const_mul(e2, inim[2], p->xpowq2); \
element_sub(e0im, e0im, e2); \
element_sub(e0im0, e0im0, inim[0]); \
} \
}
if (p->k == 6) {
// See thesis, section 6.9, "The Final Powering", which gives a formula
// for the first step of the final powering when Fq6 has been implemented
// as a quadratic extension on top of a cubic extension.
element_t e0, e2, e3;
element_init(e0, p->Fqk);
element_init(e2, p->Fqd);
element_init(e3, p->Fqk);
element_ptr e0re = element_x(e0);
element_ptr e0im = element_y(e0);
element_ptr e0re0 = ((element_t *) e0re->data)[0];
element_ptr e0im0 = ((element_t *) e0im->data)[0];
element_t *inre = element_x(in)->data;
element_t *inim = element_y(in)->data;
// Expressions in the formula are similar, hence the following function.
qpower(1);
element_set(e3, e0);
element_set(e0re, element_x(in));
element_neg(e0im, element_y(in));
element_mul(e3, e3, e0);
qpower(-1);
element_mul(e0, e0, in);
element_invert(e0, e0);
element_mul(in, e3, e0);
element_set(e0, in);
// We use Lucas sequences to complete the final powering.
lucas_even(out, e0, pairing->phikonr);
element_clear(e0);
element_clear(e2);
element_clear(e3);
} else {
element_pow_mpz(out, in, p->tateexp);
}
#undef qpower
}
static void f_tateexp(element_t out) {
element_t x, y, epow;
f_pairing_data_ptr p = out->field->pairing->data;
element_init(x, p->Fq12);
element_init(y, p->Fq12);
element_init(epow, p->Fq2);
#define qpower(e1, e) { \
element_set(element_item(e1, 0), element_item(out, 0)); \
element_mul(element_item(e1, 1), element_item(out, 1), e); \
element_square(epow, e); \
element_mul(element_item(e1, 2), element_item(out, 2), epow); \
element_mul(epow, epow, e); \
element_mul(element_item(e1, 3), element_item(out, 3), epow); \
element_mul(epow, epow, e); \
element_mul(element_item(e1, 4), element_item(out, 4), epow); \
element_mul(epow, epow, e); \
element_mul(element_item(e1, 5), element_item(out, 5), epow); \
}
qpower(y, p->xpowq8);
qpower(x, p->xpowq6);
element_mul(y, y, x);
qpower(x, p->xpowq2);
element_mul(x, x, out);
element_invert(x, x);
element_mul(out, y, x);
element_clear(epow);
element_clear(x);
element_clear(y);
element_pow_mpz(out, out, p->tateexp);
#undef qpower
}
static void point_random(element_t a) {
point_ptr p = DATA(a);
element_ptr x = p->x, y = p->y;
field_ptr f = x->field;
p->isinf = 0;
element_t t, t2, e1;
element_init(t, f);
element_init(e1, f);
element_set1(e1);
element_init(t2, f);
do {
element_random(x);
if (element_is0(x))
continue;
element_cubic(t, x); // t == x^3
element_sub(t, t, x); // t == x^3 - x
element_add(t, t, e1); // t == x^3 - x + 1
element_sqrt(y, t); // y == sqrt(x^3 - x + 1)
element_mul(t2, y, y); // t2 == x^3 - x + 1
} while (element_cmp(t2, t)); // t2 != t
// make sure order of $a$ is order of $G_1$
pairing_ptr pairing = FIELD(a)->pairing;
pairing_data_ptr dp = pairing->data;
element_pow_mpz(a, a, dp->n2);
element_clear(t);
element_clear(t2);
element_clear(e1);
}
static void gf3m_sqrt(element_t e, element_t a) {
field_ptr f = e->field;
mpz_t t;
mpz_init(t); // t == (field_order + 1) / 4
mpz_set(t, f->order);
mpz_add_ui(t, t, 1);
mpz_tdiv_q_2exp(t, t, 2);
element_pow_mpz(e, a, t);
mpz_clear(t);
}
static void e_pairing(element_ptr out, element_ptr in1, element_ptr in2,
pairing_t pairing) {
e_pairing_data_ptr p = pairing->data;
element_ptr Q = in2;
element_t QR;
element_init(QR, p->Eq);
element_add(QR, Q, p->R);
e_miller_fn(out, in1, QR, p->R, p);
element_pow_mpz(out, out, pairing->phikonr);
element_clear(QR);
}
//TODO: untested
static int even_curve_is_sqr(element_ptr e) {
mpz_t z;
element_t e1;
int result;
mpz_init(z);
element_init(e1, e->field);
mpz_sub_ui(z, e->field->order, 1);
mpz_fdiv_q_2exp(z, z, 1);
element_pow_mpz(e1, e, z);
result = element_is1(e1);
mpz_clear(z);
element_clear(e1);
return result;
}
static void test_gf3m_sqrt(void) {
mpz_t t;
mpz_init(t);
mpz_sub_ui(t, a->field->order, 1); // t == field_order - 1
element_random(a);
element_pow_mpz(a, a, t);
EXPECT(!element_cmp(a, e1));
while(1){
element_random(a);
element_mul(b, a, a);
element_sqrt(b, b);
if(element_cmp(a, b)) {// a != b
element_neg(b, b);
if(!element_cmp(a, b)) break;
}
}
mpz_clear(t);
}
static int curve_cmp(element_ptr a, element_ptr b) {
if (a == b) {
return 0;
} else {
// If we're working with a quotient group we must account for different
// representatives of the same coset.
curve_data_ptr cdp = (curve_data_ptr)a->field->data;
if (cdp->quotient_cmp) {
element_t e;
element_init_same_as(e, a);
element_div(e, a, b);
element_pow_mpz(e, e, cdp->quotient_cmp);
int result = !element_is1(e);
element_clear(e);
return result;
}
return point_cmp((point_ptr)a->data, (point_ptr)b->data);
}
}
static void tate_18(element_ptr out, element_ptr P, element_ptr Q, element_ptr R, element_ptr S) {
mpz_t pow;
element_t PR;
element_t QS;
element_init(PR, P->field);
element_init(QS, P->field);
element_t outd;
element_init(outd, out->field);
mpz_init(pow);
mpz_set_ui(pow, (19*19-1)/18);
element_add(PR, P, R);
element_add(QS, Q, S);
if (element_is0(QS)) {
element_t S2;
element_init(S2, P->field);
element_double(S2, S);
miller(out, PR, S, S2, 18);
miller(outd, R, S, S2, 18);
element_clear(S2);
} else {
miller(out, PR, QS, S, 18);
miller(outd, R, QS, S, 18);
}
element_clear(PR);
element_clear(QS);
element_invert(outd, outd);
element_mul(out, out, outd);
element_pow_mpz(out, out, pow);
element_clear(outd);
mpz_clear(pow);
}
static void tate_3(element_ptr out, element_ptr P, element_ptr Q, element_ptr R) {
mpz_t six;
mpz_init(six);
mpz_set_ui(six, 6);
element_t QR;
element_t e0;
element_init(QR, P->field);
element_init(e0, out->field);
element_add(QR, Q, R);
//for subgroup size 3, -2P = P, hence
//the tangent line at P has divisor 3(P) - 3(O)
miller(out, P, QR, R, 3);
element_pow_mpz(out, out, six);
element_clear(QR);
element_clear(e0);
mpz_clear(six);
}
static void d_init_pairing(pairing_ptr pairing, void *data) {
d_param_ptr param = data;
pptr p;
element_t a, b;
element_t irred;
int d = param->k / 2;
int i;
if (param->k % 2) pbc_die("k must be even");
mpz_init(pairing->r);
mpz_set(pairing->r, param->r);
field_init_fp(pairing->Zr, pairing->r);
pairing->map = cc_pairing;
pairing->prod_pairings = cc_pairings_affine;
pairing->is_almost_coddh = cc_is_almost_coddh;
p = pairing->data = pbc_malloc(sizeof(*p));
field_init_fp(p->Fq, param->q);
element_init(a, p->Fq);
element_init(b, p->Fq);
element_set_mpz(a, param->a);
element_set_mpz(b, param->b);
field_init_curve_ab(p->Eq, a, b, pairing->r, param->h);
field_init_poly(p->Fqx, p->Fq);
element_init(irred, p->Fqx);
poly_set_coeff1(irred, d);
for (i = 0; i < d; i++) {
element_set_mpz(element_item(irred, i), param->coeff[i]);
}
field_init_polymod(p->Fqd, irred);
element_clear(irred);
p->Fqd->nqr = pbc_malloc(sizeof(element_t));
element_init(p->Fqd->nqr, p->Fqd);
element_set_mpz(((element_t *) p->Fqd->nqr->data)[0], param->nqr);
field_init_quadratic(p->Fqk, p->Fqd);
// Compute constants involved in the final powering.
if (param->k == 6) {
mpz_ptr q = param->q;
mpz_ptr z = pairing->phikonr;
mpz_init(z);
mpz_mul(z, q, q);
mpz_sub(z, z, q);
mpz_add_ui(z, z, 1);
mpz_divexact(z, z, pairing->r);
element_ptr e = p->xpowq;
element_init(e, p->Fqd);
element_set1(((element_t *) e->data)[1]);
element_pow_mpz(e, e, q);
element_init(p->xpowq2, p->Fqd);
element_square(p->xpowq2, e);
} else {
mpz_init(p->tateexp);
mpz_sub_ui(p->tateexp, p->Fqk->order, 1);
mpz_divexact(p->tateexp, p->tateexp, pairing->r);
}
field_init_curve_ab_map(p->Etwist, p->Eq, element_field_to_polymod, p->Fqd, pairing->r, NULL);
field_reinit_curve_twist(p->Etwist);
mpz_t ndonr;
mpz_init(ndonr);
// ndonr temporarily holds the trace.
mpz_sub(ndonr, param->q, param->n);
mpz_add_ui(ndonr, ndonr, 1);
// Negate it because we want the trace of the twist.
mpz_neg(ndonr, ndonr);
pbc_mpz_curve_order_extn(ndonr, param->q, ndonr, d);
mpz_divexact(ndonr, ndonr, param->r);
field_curve_set_quotient_cmp(p->Etwist, ndonr);
mpz_clear(ndonr);
element_init(p->nqrinv, p->Fqd);
element_invert(p->nqrinv, field_get_nqr(p->Fqd));
element_init(p->nqrinv2, p->Fqd);
element_square(p->nqrinv2, p->nqrinv);
pairing->G1 = p->Eq;
pairing->G2 = p->Etwist;
p->k = param->k;
pairing_GT_init(pairing, p->Fqk);
pairing->finalpow = cc_finalpow;
// By default use affine coordinates.
cc_miller_no_denom_fn = cc_miller_no_denom_affine;
pairing->option_set = d_pairing_option_set;
pairing->pp_init = d_pairing_pp_init;
pairing->pp_clear = d_pairing_pp_clear;
pairing->pp_apply = d_pairing_pp_apply;
pairing->clear_func = d_pairing_clear;
element_clear(a);
element_clear(b);
}
int main(void) {
mpz_t p, q, N, d;
mpz_t dmp1, dmq1;
mpz_t ipmq, iqmp;
mpz_t adq, adp;
field_t f;
element_t a, b;
double t0, t1, tnaive = 0, tcrt=0;
int i, n;
mpz_init(p);
mpz_init(q);
mpz_init(N);
mpz_init(d);
mpz_init(dmp1);
mpz_init(dmq1);
mpz_init(ipmq);
mpz_init(iqmp);
mpz_init(adp);
mpz_init(adq);
pbc_mpz_randomb(p, 512);
pbc_mpz_randomb(q, 512);
mpz_nextprime(p, p);
mpz_nextprime(q, q);
mpz_mul(N, p, q);
mpz_invert(ipmq, p, q);
mpz_invert(iqmp, q, p);
field_init_fp(f, N);
element_init(a, f);
element_init(b, f);
n = 10;
for (i=0; i<n; i++) {
pbc_mpz_random(d, N);
element_random(a);
t0 = pbc_get_time();
element_pow_mpz(b, a, d);
t1 = pbc_get_time();
tnaive += t1 - t0;
mpz_sub_ui(p, p, 1);
mpz_sub_ui(q, q, 1);
mpz_mod(dmp1, d, p);
mpz_mod(dmq1, d, q);
mpz_add_ui(p, p, 1);
mpz_add_ui(q, q, 1);
element_to_mpz(adq, a);
element_to_mpz(adp, a);
t0 = pbc_get_time();
mpz_powm(adp, adp, d, p);
mpz_powm(adq, adq, d, q);
/* textbook CRT
mpz_mul(adp, adp, q);
mpz_mul(adp, adp, iqmp);
mpz_mul(adq, adq, p);
mpz_mul(adq, adq, ipmq);
mpz_add(adp, adp, adq);
*/
// Garner's algorithm
mpz_sub(adq, adq, adp);
mpz_mul(adq, adq, ipmq);
mpz_mod(adq, adq, q);
mpz_mul(adq, adq, p);
mpz_add(adp, adp, adq);
t1 = pbc_get_time();
tcrt += t1 - t0;
element_set_mpz(b, adp);
}
printf("average RSA exp time = %lf\n", tnaive / n);
printf("average RSA exp time (CRT) = %lf\n", tcrt / n);
return 0;
}
static void mulg_pow_mpz(element_t x, element_t a, mpz_t n) {
element_pow_mpz(x->data, a->data, n);
}
// in1, in2 are from E(F_q), out from F_q^2.
// Pairing via elliptic nets (see Stange).
static void e_pairing_ellnet(element_ptr out, element_ptr in1, element_ptr in2,
pairing_t pairing) {
const element_ptr a = curve_a_coeff(in1);
const element_ptr b = curve_b_coeff(in1);
element_ptr x = curve_x_coord(in1);
element_ptr y = curve_y_coord(in1);
element_ptr x2 = curve_x_coord(in2);
element_ptr y2 = curve_y_coord(in2);
//notation: cmi means c_{k-i}, ci means c_{k+i}
element_t cm3, cm2, cm1, c0, c1, c2, c3, c4;
element_t dm1, d0, d1;
element_t A, B, C;
element_init_same_as(cm3, x);
element_init_same_as(cm2, x);
element_init_same_as(cm1, x);
element_init_same_as(c0, x);
element_init_same_as(c1, x);
element_init_same_as(c2, x);
element_init_same_as(c3, x);
element_init_same_as(c4, x);
element_init_same_as(C, x);
element_init_same_as(dm1, out);
element_init_same_as(d0, out);
element_init_same_as(d1, out);
element_init_same_as(A, x);
element_init_same_as(B, out);
// c1 = 2y
// cm3 = -2y
element_double(c1, y);
element_neg(cm3, c1);
//use c0, cm1, cm2, C, c4 as temp variables for now
//compute c3, c2
element_square(cm2, x);
element_square(C, cm2);
element_mul(cm1, b, x);
element_double(cm1, cm1);
element_square(c4, a);
element_mul(c2, cm1, cm2);
element_double(c2, c2);
element_mul(c0, a, C);
element_add(c2, c2, c0);
element_mul(c0, c4, cm2);
element_sub(c2, c2, c0);
element_double(c0, c2);
element_double(c0, c0);
element_add(c2, c2, c0);
element_mul(c0, cm1, a);
element_square(c3, b);
element_double(c3, c3);
element_double(c3, c3);
element_add(c0, c0, c3);
element_double(c0, c0);
element_mul(c3, a, c4);
element_add(c0, c0, c3);
element_sub(c2, c2, c0);
element_mul(c0, cm2, C);
element_add(c3, c0, c2);
element_mul(c3, c3, c1);
element_double(c3, c3);
element_mul(c0, a, cm2);
element_add(c0, c0, cm1);
element_double(c0, c0);
element_add(c0, c0, C);
element_double(c2, c0);
element_add(c0, c0, c2);
element_sub(c2, c0, c4);
// c0 = 1
// cm2 = -1
element_set1(c0);
element_neg(cm2, c0);
// c4 = c_5 = c_2^3 c_4 - c_3^3 = c1^3 c3 - c2^3
element_square(C, c1);
element_mul(c4, C, c1);
element_mul(c4, c4, c3);
element_square(C, c2);
element_mul(C, C, c2);
element_sub(c4, c4, C);
//compute A, B, d1 (which is d_2 since k = 1)
element_sub(A, x, x2);
element_double(C, x);
element_add(C, C, x2);
element_square(cm1, A);
element_mul(cm1, C, cm1);
element_add(d1, y, y2);
element_square(d1, d1);
element_sub(B, cm1, d1);
element_invert(B, B);
element_invert(A, A);
element_sub(d1, y, y2);
element_mul(d1, d1, A);
element_square(d1, d1);
element_sub(d1, C, d1);
// cm1 = 0
// C = (2y)^-1
element_set0(cm1);
element_invert(C, c1);
element_set1(dm1);
element_set1(d0);
element_t sm2, sm1;
element_t s0, s1, s2, s3;
element_t tm2, tm1;
element_t t0, t1, t2, t3;
element_t e0, e1;
element_t u, v;
element_init_same_as(sm2, x);
element_init_same_as(sm1, x);
element_init_same_as(s0, x);
element_init_same_as(s1, x);
element_init_same_as(s2, x);
element_init_same_as(s3, x);
element_init_same_as(tm2, x);
element_init_same_as(tm1, x);
element_init_same_as(t0, x);
element_init_same_as(t1, x);
element_init_same_as(t2, x);
element_init_same_as(t3, x);
element_init_same_as(e0, x);
element_init_same_as(e1, x);
element_init_same_as(u, d0);
element_init_same_as(v, d0);
int m = mpz_sizeinbase(pairing->r, 2) - 2;
for (;;) {
element_square(sm2, cm2);
element_square(sm1, cm1);
element_square(s0, c0);
element_square(s1, c1);
element_square(s2, c2);
element_square(s3, c3);
element_mul(tm2, cm3, cm1);
element_mul(tm1, cm2, c0);
element_mul(t0, cm1, c1);
element_mul(t1, c0, c2);
element_mul(t2, c1, c3);
element_mul(t3, c2, c4);
element_square(u, d0);
element_mul(v, dm1, d1);
if (mpz_tstbit(pairing->r, m)) {
//double-and-add
element_mul(e0, t0, sm2);
element_mul(e1, tm2, s0);
element_sub(cm3, e0, e1);
element_mul(cm3, cm3, C);
element_mul(e0, t0, sm1);
element_mul(e1, tm1, s0);
element_sub(cm2, e0, e1);
element_mul(e0, t1, sm1);
element_mul(e1, tm1, s1);
element_sub(cm1, e0, e1);
element_mul(cm1, cm1, C);
element_mul(e0, t1, s0);
element_mul(e1, t0, s1);
element_sub(c0, e0, e1);
element_mul(e0, t2, s0);
element_mul(e1, t0, s2);
element_sub(c1, e0, e1);
element_mul(c1, c1, C);
element_mul(e0, t2, s1);
element_mul(e1, t1, s2);
element_sub(c2, e0, e1);
element_mul(e0, t3, s1);
element_mul(e1, t1, s3);
element_sub(c3, e0, e1);
element_mul(c3, c3, C);
element_mul(e0, t3, s2);
element_mul(e1, t2, s3);
element_sub(c4, e0, e1);
element_mul(out, u, t0);
element_mul(dm1, v, s0);
element_sub(dm1, dm1, out);
element_mul(out, u, t1);
element_mul(d0, v, s1);
element_sub(d0, d0, out);
element_mul(d0, d0, A);
element_mul(out, u, t2);
element_mul(d1, v, s2);
element_sub(d1, d1, out);
element_mul(d1, d1, B);
} else {
//double
element_mul(e0, tm1, sm2);
element_mul(e1, tm2, sm1);
element_sub(cm3, e0, e1);
element_mul(e0, t0, sm2);
element_mul(e1, tm2, s0);
element_sub(cm2, e0, e1);
element_mul(cm2, cm2, C);
element_mul(e0, t0, sm1);
element_mul(e1, tm1, s0);
element_sub(cm1, e0, e1);
element_mul(e0, t1, sm1);
element_mul(e1, tm1, s1);
element_sub(c0, e0, e1);
element_mul(c0, c0, C);
element_mul(e0, t1, s0);
element_mul(e1, t0, s1);
element_sub(c1, e0, e1);
element_mul(e0, t2, s0);
element_mul(e1, t0, s2);
element_sub(c2, e0, e1);
element_mul(c2, c2, C);
element_mul(e0, t2, s1);
element_mul(e1, t1, s2);
element_sub(c3, e0, e1);
element_mul(e0, t3, s1);
element_mul(e1, t1, s3);
element_sub(c4, e0, e1);
element_mul(c4, c4, C);
element_mul(out, u, tm1);
element_mul(dm1, v, sm1);
element_sub(dm1, dm1, out);
element_mul(out, u, t0);
element_mul(d0, v, s0);
element_sub(d0, d0, out);
element_mul(out, u, t1);
element_mul(d1, v, s1);
element_sub(d1, d1, out);
element_mul(d1, d1, A);
}
if (!m) break;
m--;
}
element_invert(c1, c1);
element_mul(d1, d1, c1);
element_pow_mpz(out, d1, pairing->phikonr);
element_clear(dm1);
element_clear(d0);
element_clear(d1);
element_clear(cm3);
element_clear(cm2);
element_clear(cm1);
element_clear(c0);
element_clear(c1);
element_clear(c2);
element_clear(c3);
element_clear(c4);
element_clear(sm2);
element_clear(sm1);
element_clear(s0);
element_clear(s1);
element_clear(s2);
element_clear(s3);
element_clear(tm2);
element_clear(tm1);
element_clear(t0);
element_clear(t1);
element_clear(t2);
element_clear(t3);
element_clear(e0);
element_clear(e1);
element_clear(A);
element_clear(B);
element_clear(C);
element_clear(u);
element_clear(v);
}
static void e_finalpow(element_ptr e) {
element_pow_mpz(e->data, e->data, e->field->pairing->phikonr);
}
int main(int argc, char **argv) {
pairing_t pairing;
element_t g1, u1, up1, g2, u2, up2, r;
mpz_t r_mpz;
element_pp_t g1_pp, g2_pp;
double t0, t1;
int i, n;
printf("reading pairing from stdin...\n");
pbc_demo_pairing_init(pairing, argc, argv);
element_init(r, pairing->Zr);
element_init(g1, pairing->G1);
element_init(u1, pairing->G1);
element_init(up1, pairing->G1);
element_init(g2, pairing->G2);
element_init(u2, pairing->G2);
element_init(up2, pairing->G2);
element_random(r);
element_random(g1);
element_random(g2);
mpz_init(r_mpz);
element_to_mpz(r_mpz, r);
element_pp_init(g1_pp, g1);
element_pp_init(g2_pp, g2);
n = 100;
t0 = pbc_get_time();
for (i=0; i<n; i++) {
element_pow_mpz(u1, g1, r_mpz);
}
t1 = pbc_get_time();
printf("G1 exp:\t\t%fs\n", t1 - t0);
n = 100;
t0 = pbc_get_time();
for (i=0; i<n; i++) {
element_pow_mpz(u2, g2, r_mpz);
}
t1 = pbc_get_time();
printf("G2 exp:\t\t%fs\n", t1 - t0);
n = 100;
t0 = pbc_get_time();
for (i=0; i<n; i++) {
element_pp_pow(up1, r_mpz, g1_pp);
}
t1 = pbc_get_time();
printf("G1 pp exp:\t%fs\n", t1 - t0);
n = 100;
t0 = pbc_get_time();
for (i=0; i<n; i++) {
element_pp_pow(up2, r_mpz, g2_pp);
}
t1 = pbc_get_time();
printf("G2 pp exp:\t%fs\n", t1 - t0);
if (element_cmp(u1, up1)) {
printf("Oops 1!\n");
}
if (element_cmp(u2, up2)) {
printf("Oops 2!\n");
}
mpz_clear(r_mpz);
element_clear(g1);
element_clear(u1);
element_clear(up1);
element_clear(g2);
element_clear(u2);
element_clear(up2);
element_clear(r);
element_pp_clear(g1_pp);
element_pp_clear(g2_pp);
pairing_clear(pairing);
return 0;
}
int main(int argc, char *argv[])
{
///list all the files in the directory///
DIR *d;
FILE *fpub, *fpriv, *fciph, *fplain, *ftag, *fpairing, *ftemp, *frand;//, *fp6, *fp7;
paillier_pubkey_t *pub;
paillier_prvkey_t *priv;
paillier_get_rand_t get_rand;
paillier_plaintext_t *plain;
paillier_ciphertext_t *cipher, *cipher_copy;
paillier_tag* tag;
mpz_t tag_sig, *rand_prf;
gmp_randstate_t rand;
char *len;
struct stat st= {0};
unsigned char *data;
int count=0, count1=0, gbytes, n, no_copies=10;
struct dirent *dir;
///pairing parameters
pairing_t pairing;
//pairing_t p;
//printf("setting pairing parameters\n");
//pairing_init_set_str(pairing, param_str);
// printf("after pairing setup\n");
element_t g, h, u, temp_pow, test1, test2;
element_t public_key, sig;
element_t secret_key;
///end of pairing parameters
//initialize pairing parametrs
pbc_demo_pairing_init(pairing, argc, argv);
element_init_G2(g, pairing);
element_init_G1(u, pairing);
element_init_G1(test1, pairing);
element_init_G2(test2, pairing);
element_init_G1(temp_pow, pairing);
element_init_G2(public_key, pairing);
// element_from_hash(h, "hashofmessage", 13);
element_init_G1(h, pairing);
element_init_G1(sig, pairing);
element_init_Zr(secret_key, pairing);
//end of pairing parameters initialization
//set up pairing parameters
//generate system parameters
element_random(g);
// n = pairing_length_in_bytes_x_only_G1(pairing);
// data = pbc_malloc(n);
// gbytes = pairing_length_in_bytes_G2(pairing);
// printf(" \n g in bytes %d \n", gbytes);
// element_printf("system parameter g = %B\n", g);
//generate private key
element_random(secret_key);
//generate u
element_random(u);
//calculating hash of a file name and mapping it to element in group G1
// element_from_hash(h, "FileName", 8);
element_random(h);
//element_printf("private key = %B\n", secret_key);
//compute corresponding public key
element_pow_zn(public_key, g, secret_key);
//element_printf("public key = %B\n", public_key);
//end of setup
tag = (paillier_tag*) malloc(sizeof(paillier_tag));
plain = (paillier_plaintext_t*) malloc(sizeof(paillier_plaintext_t));
cipher = (paillier_ciphertext_t*) malloc(sizeof(paillier_ciphertext_t));
mpz_init(plain->m);
mpz_init(tag->t);
mpz_init(cipher->c);
mpz_init(tag_sig);
rand_prf = (mpz_t*) malloc(n*sizeof(mpz_t));
len = (char *)malloc(2048*sizeof(char));
//****paillier key generation****
if(!(fpub = fopen("pub.txt", "r")))
{
//fputs("Not able to read public key file!\n", stderr);
paillier_keygen(&pub, &priv, get_rand,450);
//fclose(fpub);
fpub = fopen("pub.txt", "w");
gmp_fprintf(fpub, "%Zd\n", pub->p);
gmp_fprintf(fpub, "%Zd\n", pub->q);
gmp_fprintf(fpub, "%Zd\n", pub->n_plusone);
//***Writing private keys into a file***
fpriv = fopen("priv.txt", "w");
gmp_fprintf(fpriv, "%Zd\n", priv->lambda);
gmp_fprintf(fpriv, "%Zd\n", priv->x);
fclose(fpriv);
//****End of writing private key in a file***
}
else
{
printf("\n in else");
pub = (paillier_pubkey_t*) malloc(sizeof(paillier_pubkey_t));
priv = (paillier_prvkey_t*) malloc(sizeof(paillier_prvkey_t));
mpz_init(pub->n_squared);
mpz_init(pub->n);
fgets(len, 1000, fpub);
mpz_init_set_str(pub->p, len, 10);
fgets(len, 1000, fpub);
mpz_init_set_str(pub->q, len, 10);
fgets(len, 1000, fpub);
mpz_init_set_str(pub->n_plusone, len, 10);
//printf("value of nplusone : \n");
//mpz_out_str(stdout, 10, pub->n_plusone);
paillier_keygen(&pub, &priv, get_rand, 0);
pub->bits = mpz_sizeinbase(pub->n, 2);
}
fclose(fpub);
//****end of paillier key generation****
//printf("writing pairing parameters to a file\n");
//writing pairing keys to file
fpairing = fopen("pairing.txt", "w");
/* n = pairing_length_in_bytes_compressed_G2(pairing);
data = pbc_malloc(n);
element_to_bytes_compressed(data, g);
element_printf(" decomp g %B\n", g);
element_from_bytes_compressed(test2, data);
element_printf(" decomp g %B\n", test2); */
//writing compressed g to file
element_fprintf(fpairing, "%B\n", g);
// element_printf(" g = %B\n", g);
/*n = pairing_length_in_bytes_compressed_G1(pairing);
data = pbc_malloc(n);
element_to_bytes_compressed(data, u);
element_printf(" decomp g %B\n", u);
element_from_bytes_compressed(test1, data);
element_printf(" decomp g %B\n", test1);
//writing compressed u to file */
element_fprintf(fpairing, "%B\n", u);
//element_printf(" u = %B\n", u);
//writing secret key to file
element_fprintf(fpairing, "%B\n", secret_key);
//element_printf(" sk = %B\n", secret_key);
// printf("secret key = %s\n",secret_key);
/* n = pairing_length_in_bytes_compressed_G2(pairing);
data = pbc_malloc(n);
element_to_bytes_compressed(data, public_key);
//writing compressed public key to file */
element_fprintf(fpairing, "%B\n", public_key);
//element_printf("pk = %B\n", public_key);
/* n = pairing_length_in_bytes_compressed_G1(pairing);
data = pbc_malloc(n);
element_to_bytes_compressed(data, h);
element_printf(" decomp g %B\n", h);
element_from_bytes_compressed(test1, data);
element_printf(" decomp g %B\n", test1);
//writing compressed h to file */
element_fprintf(fpairing, "%B\n", h);
//element_printf("h = %B\n", h);
//writing n to file
gmp_fprintf(fpairing, "%Zd\n", pub->n);
fclose(fpairing);
//end of writing pairing keys to file
cipher_copy = (paillier_ciphertext_t*)malloc(no_copies*sizeof(paillier_ciphertext_t));
frand = fopen("rand.txt","w");
int i;
init_rand(rand, get_rand, pub->bits / 8 + 1);
for(i = 0; i< no_copies; i++)
{
mpz_init(rand_prf[i]);
do
mpz_urandomb(rand_prf[i], rand, pub->bits);
while( mpz_cmp(rand_prf[i], pub->n) >= 0 );
gmp_fprintf(frand, "%Zd\n", rand_prf[i]);
//printf("\nrandom : \n");
//mpz_out_str(stdout, 10, rand_prf[i]);
}
fclose(frand);
//****Opening files to read files and encrypt*****
d = opendir("./split");
if (d)
{
while ((dir = readdir(d)) != NULL)
{
//printf("%s\n", dir->d_name);
char fileName[1000], copy[1000];
strcpy(fileName, "./split/");
strcat(fileName,dir->d_name);
//printf("\nfile name %s", fileName);
if(!(fplain = fopen(fileName, "r")))
{
printf("\n not able to read %s", fileName);
// fputs("not possible to read file!\n", stderr);
count1++;
}
else
{
//printf("\n able to read %s", fileName);
fgets(len, 2048, fplain);
mpz_init_set_str(plain->m, len, 10);
// mpz_out_str(stdout, 10, plain->m);
fclose(fplain);
//Writing cipher text to files
strcpy(fileName, "./cipher/");
//strcat(fileName,dir->d_name);
//printf("\nfilename %s",fileName);
paillier_enc(tag, cipher_copy, pub,plain, get_rand, no_copies, rand_prf);
// mpz_out_str(stdout, 10, tag->t);
int j;
for(j=0;j < no_copies; j++)
{
char num[20];
strcpy(copy, fileName);
sprintf(num, "copy%d/", (j+1));
// strcat(copy, );
strcat(copy, num);
if(stat(copy, &st) == -1)
mkdir(copy,0777);
strcat(copy,dir->d_name);
if(!(fciph = fopen(copy, "w")))
{
printf("\nnot able to open file for writing cipher text %s", copy);
}
else
{
// printf("\nbefore enc");
gmp_fprintf(fciph, "%Zd\n", cipher_copy[j].c);
fclose(fciph);
}
}
//writing tags to files
strcpy(fileName, "./tag/");
strcat(fileName,dir->d_name);
//printf("\nfilename %s",fileName);
if(!(ftag = fopen(fileName, "w")))
{
printf("not able to open file for writing tag %s", fileName);
}
else
{
element_pow_mpz(temp_pow,u, tag->t);
element_mul(temp_pow, temp_pow, h);
element_pow_zn(sig, temp_pow, secret_key);
element_fprintf(ftag, "%B", sig);
fclose(ftag);
}
}
count++;
}
closedir(d);
}
printf("\nTotal number of files : %d, unreadable files %d", count, count1);
return 0;
}
static void f_init_pairing(pairing_t pairing, void *data) {
f_param_ptr param = data;
f_pairing_data_ptr p;
element_t irred;
element_t e0, e1, e2;
p = pairing->data = pbc_malloc(sizeof(f_pairing_data_t));
mpz_init(pairing->r);
mpz_set(pairing->r, param->r);
field_init_fp(pairing->Zr, pairing->r);
field_init_fp(p->Fq, param->q);
p->Fq->nqr = pbc_malloc(sizeof(element_t));
element_init(p->Fq->nqr, p->Fq);
element_set_mpz(p->Fq->nqr, param->beta);
field_init_quadratic(p->Fq2, p->Fq);
field_init_poly(p->Fq2x, p->Fq2);
element_init(irred, p->Fq2x);
// Call poly_set_coeff1() first so we can use element_item() for the other
// coefficients.
poly_set_coeff1(irred, 6);
element_init(p->negalpha, p->Fq2);
element_init(p->negalphainv, p->Fq2);
element_set_mpz(element_x(p->negalpha), param->alpha0);
element_set_mpz(element_y(p->negalpha), param->alpha1);
element_set(element_item(irred, 0), p->negalpha);
field_init_polymod(p->Fq12, irred);
element_neg(p->negalpha, p->negalpha);
element_invert(p->negalphainv, p->negalpha);
element_clear(irred);
element_init(e0, p->Fq);
element_init(e1, p->Fq);
element_init(e2, p->Fq2);
// Initialize the curve Y^2 = X^3 + b.
element_set_mpz(e1, param->b);
field_init_curve_ab(p->Eq, e0, e1, pairing->r, NULL);
// Initialize the curve Y^2 = X^3 - alpha0 b - alpha1 sqrt(beta) b.
element_set_mpz(e0, param->alpha0);
element_neg(e0, e0);
element_mul(element_x(e2), e0, e1);
element_set_mpz(e0, param->alpha1);
element_neg(e0, e0);
element_mul(element_y(e2), e0, e1);
element_clear(e0);
element_init(e0, p->Fq2);
field_init_curve_ab(p->Etwist, e0, e2, pairing->r, NULL);
element_clear(e0);
element_clear(e1);
element_clear(e2);
mpz_t ndonr;
mpz_init(ndonr);
// ndonr temporarily holds the trace.
mpz_sub(ndonr, param->q, param->r);
mpz_add_ui(ndonr, ndonr, 1);
// TODO: We can use a smaller quotient_cmp, but I have to figure out
// BN curves again.
pbc_mpz_curve_order_extn(ndonr, param->q, ndonr, 12);
mpz_divexact(ndonr, ndonr, param->r);
mpz_divexact(ndonr, ndonr, param->r);
field_curve_set_quotient_cmp(p->Etwist, ndonr);
mpz_clear(ndonr);
pairing->G1 = p->Eq;
pairing->G2 = p->Etwist;
pairing_GT_init(pairing, p->Fq12);
pairing->finalpow = f_finalpow;
pairing->map = f_pairing;
pairing->clear_func = f_pairing_clear;
mpz_init(p->tateexp);
/* unoptimized tate exponent
mpz_pow_ui(p->tateexp, param->q, 12);
mpz_sub_ui(p->tateexp, p->tateexp, 1);
mpz_divexact(p->tateexp, p->tateexp, param->r);
*/
mpz_ptr z = p->tateexp;
mpz_mul(z, param->q, param->q);
mpz_sub_ui(z, z, 1);
mpz_mul(z, z, param->q);
mpz_mul(z, z, param->q);
mpz_add_ui(z, z, 1);
mpz_divexact(z, z, param->r);
element_init(p->xpowq2, p->Fq2);
element_init(p->xpowq6, p->Fq2);
element_init(p->xpowq8, p->Fq2);
element_t xpowq;
element_init(xpowq, p->Fq12);
//there are smarter ways since we know q = 1 mod 6
//and that x^6 = -alpha
//but this is fast enough
element_set1(element_item(xpowq, 1));
element_pow_mpz(xpowq, xpowq, param->q);
element_pow_mpz(xpowq, xpowq, param->q);
element_set(p->xpowq2, element_item(xpowq, 1));
element_pow_mpz(xpowq, xpowq, param->q);
element_pow_mpz(xpowq, xpowq, param->q);
element_pow_mpz(xpowq, xpowq, param->q);
element_pow_mpz(xpowq, xpowq, param->q);
element_set(p->xpowq6, element_item(xpowq, 1));
element_pow_mpz(xpowq, xpowq, param->q);
element_pow_mpz(xpowq, xpowq, param->q);
element_set(p->xpowq8, element_item(xpowq, 1));
element_clear(xpowq);
}
// x in Z_r, g, h in some group of order r
// finds x such that g^x = h
void element_dlog_pollard_rho(element_t x, element_t g, element_t h) {
// see Blake, Seroussi and Smart
// only one snark for this implementation
int i, s = 20;
field_ptr Zr = x->field, G = g->field;
element_t asum;
element_t bsum;
element_t a[s];
element_t b[s];
element_t m[s];
element_t g0, snark;
darray_t hole;
int interval = 5;
mpz_t counter;
int found = 0;
mpz_init(counter);
element_init(g0, G);
element_init(snark, G);
element_init(asum, Zr);
element_init(bsum, Zr);
darray_init(hole);
//set up multipliers
for (i = 0; i < s; i++) {
element_init(a[i], Zr);
element_init(b[i], Zr);
element_init(m[i], G);
element_random(a[i]);
element_random(b[i]);
element_pow_zn(g0, g, a[i]);
element_pow_zn(m[i], h, b[i]);
element_mul(m[i], m[i], g0);
}
element_random(asum);
element_random(bsum);
element_pow_zn(g0, g, asum);
element_pow_zn(snark, h, bsum);
element_mul(snark, snark, g0);
record(asum, bsum, snark, hole, counter);
for (;;) {
int len = element_length_in_bytes(snark);
unsigned char *buf = pbc_malloc(len);
unsigned char hash = 0;
element_to_bytes(buf, snark);
for (i = 0; i < len; i++) {
hash += buf[i];
}
i = hash % s;
pbc_free(buf);
element_mul(snark, snark, m[i]);
element_add(asum, asum, a[i]);
element_add(bsum, bsum, b[i]);
for (i = 0; i < hole->count; i++) {
snapshot_ptr ss = hole->item[i];
if (!element_cmp(snark, ss->snark)) {
element_sub(bsum, bsum, ss->b);
element_sub(asum, ss->a, asum);
//answer is x such that x * bsum = asum
//complications arise if gcd(bsum, r) > 1
//which can happen if r is not prime
if (!mpz_probab_prime_p(Zr->order, 10)) {
mpz_t za, zb, zd, zm;
mpz_init(za);
mpz_init(zb);
mpz_init(zd);
mpz_init(zm);
element_to_mpz(za, asum);
element_to_mpz(zb, bsum);
mpz_gcd(zd, zb, Zr->order);
mpz_divexact(zm, Zr->order, zd);
mpz_divexact(zb, zb, zd);
//if zd does not divide za there is no solution
mpz_divexact(za, za, zd);
mpz_invert(zb, zb, zm);
mpz_mul(zb, za, zb);
mpz_mod(zb, zb, zm);
do {
element_pow_mpz(g0, g, zb);
if (!element_cmp(g0, h)) {
element_set_mpz(x, zb);
break;
}
mpz_add(zb, zb, zm);
mpz_sub_ui(zd, zd, 1);
} while (mpz_sgn(zd));
mpz_clear(zm);
mpz_clear(za);
mpz_clear(zb);
mpz_clear(zd);
} else {
element_div(x, asum, bsum);
}
found = 1;
break;
}
}
if (found) break;
mpz_add_ui(counter, counter, 1);
if (mpz_tstbit(counter, interval)) {
record(asum, bsum, snark, hole, counter);
interval++;
}
}
for (i = 0; i < s; i++) {
element_clear(a[i]);
element_clear(b[i]);
element_clear(m[i]);
}
element_clear(g0);
element_clear(snark);
for (i = 0; i < hole->count; i++) {
snapshot_ptr ss = hole->item[i];
element_clear(ss->a);
element_clear(ss->b);
element_clear(ss->snark);
pbc_free(ss);
}
darray_clear(hole);
element_clear(asum);
element_clear(bsum);
mpz_clear(counter);
}
void pbc_param_init_f_gen(pbc_param_t p, int bits) {
f_init(p);
f_param_ptr fp = p->data;
//36 is a 6-bit number
int xbit = (bits - 6) / 4;
//TODO: use binary search to find smallest appropriate x
mpz_t x, t;
mpz_ptr q = fp->q;
mpz_ptr r = fp->r;
mpz_ptr b = fp->b;
field_t Fq, Fq2, Fq2x;
element_t e1;
element_t f;
field_t c;
element_t P;
mpz_init(x);
mpz_init(t);
mpz_setbit(x, xbit);
for (;;) {
mpz_mul(t, x, x);
mpz_mul_ui(t, t, 6);
mpz_add_ui(t, t, 1);
tryminusx(q, x);
mpz_sub(r, q, t);
mpz_add_ui(r, r, 1);
if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break;
tryplusx(q, x);
mpz_sub(r, q, t);
mpz_add_ui(r, r, 1);
if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break;
mpz_add_ui(x, x, 1);
}
field_init_fp(Fq, q);
element_init(e1, Fq);
for (;;) {
element_random(e1);
field_init_curve_b(c, e1, r, NULL);
element_init(P, c);
element_random(P);
element_mul_mpz(P, P, r);
if (element_is0(P)) break;
element_clear(P);
field_clear(c);
}
element_to_mpz(b, e1);
element_clear(e1);
field_init_quadratic(Fq2, Fq);
element_to_mpz(fp->beta, field_get_nqr(Fq));
field_init_poly(Fq2x, Fq2);
element_init(f, Fq2x);
// Find an irreducible polynomial of the form f = x^6 + alpha.
// Call poly_set_coeff1() first so we can use element_item() for the other
// coefficients.
poly_set_coeff1(f, 6);
for (;;) {
element_random(element_item(f, 0));
if (poly_is_irred(f)) break;
}
//extend F_q^2 using f = x^6 + alpha
//see if sextic twist contains a subgroup of order r
//if not, it's the wrong twist: replace alpha with alpha^5
{
field_t ctest;
element_t Ptest;
mpz_t z0, z1;
mpz_init(z0);
mpz_init(z1);
element_init(e1, Fq2);
element_set_mpz(e1, fp->b);
element_mul(e1, e1, element_item(f, 0));
element_neg(e1, e1);
field_init_curve_b(ctest, e1, r, NULL);
element_init(Ptest, ctest);
element_random(Ptest);
//I'm not sure what the #E'(F_q^2) is, but
//it definitely divides n_12 = #E(F_q^12). It contains a
//subgroup of order r if and only if
//(n_12 / r^2)P != O for some (in fact most) P in E'(F_q^6)
mpz_pow_ui(z0, q, 12);
mpz_add_ui(z0, z0, 1);
pbc_mpz_trace_n(z1, q, t, 12);
mpz_sub(z1, z0, z1);
mpz_mul(z0, r, r);
mpz_divexact(z1, z1, z0);
element_mul_mpz(Ptest, Ptest, z1);
if (element_is0(Ptest)) {
mpz_set_ui(z0, 5);
element_pow_mpz(element_item(f, 0), element_item(f, 0), z0);
}
element_clear(e1);
element_clear(Ptest);
field_clear(ctest);
mpz_clear(z0);
mpz_clear(z1);
}
element_to_mpz(fp->alpha0, element_x(element_item(f, 0)));
element_to_mpz(fp->alpha1, element_y(element_item(f, 0)));
element_clear(f);
field_clear(Fq2x);
field_clear(Fq2);
field_clear(Fq);
mpz_clear(t);
mpz_clear(x);
}
int main(int argc, char **argv) {
FILE *fpairing, *ftag, *fdata, *fresult, *fplain, *fkey, *fcipher, *fpub;
pairing_t pairing;
paillier_pubkey_t *pub;
paillier_prvkey_t *priv;
element_t g, h, u, sig1, sig2, sig3, temp_pow, m, g1, g2;
element_t public_key, tag, tag_prod;
element_t secret_key;
paillier_get_rand_t get_rand;
paillier_ciphertext_t *cipher1, *cipher2;
paillier_plaintext_t *plain1, *plain2;
mpz_t pub_n, a, b, data2, nsquare;
int count = 0, val=5;
pairing_init_set_str(pairing, param_str);
//mpz_init_set_str(data_sum, "0", 10);
plain1 = (paillier_plaintext_t*) malloc(sizeof(paillier_plaintext_t));
plain2 = (paillier_plaintext_t*) malloc(sizeof(paillier_plaintext_t));
cipher1 = (paillier_ciphertext_t*) malloc(sizeof(paillier_ciphertext_t));
cipher2 = (paillier_ciphertext_t*) malloc(sizeof(paillier_ciphertext_t));
//pbc_demo_pairing_init(pairing, argc, argv);
element_init_G1(g1, pairing);
element_init_G1(g2, pairing);
element_init_G2(g, pairing);
element_init_G2(public_key, pairing);
element_init_G1(u, pairing);
element_init_G1(temp_pow, pairing);
element_init_G2(public_key, pairing);
element_init_G1(h, pairing);
element_init_G1(m, pairing);
element_init_G1(sig1, pairing);
element_init_G1(sig2, pairing);
element_init_G1(sig3, pairing);
element_init_G1(tag, pairing);
element_init_G1(tag_prod, pairing);
element_init_Zr(secret_key, pairing);
// mpz_init(pub_n);
char *len;
mpz_init(a);
mpz_init(b);
mpz_init(data2);
printf("Short signature test\n");
len = (char *)malloc(2048*sizeof(char));
if((fpub = fopen("pub.txt", "r")))
{
pub = (paillier_pubkey_t*) malloc(sizeof(paillier_pubkey_t));
priv = (paillier_prvkey_t*) malloc(sizeof(paillier_prvkey_t));
mpz_init(pub->n_squared);
mpz_init(pub->n);
fgets(len, 1000, fpub);
mpz_init_set_str(pub->p, len, 10);
fgets(len, 1000, fpub);
mpz_init_set_str(pub->q, len, 10);
fgets(len, 1000, fpub);
mpz_init_set_str(pub->n_plusone, len, 10);
//printf("value of nplusone : \n");
//mpz_out_str(stdout, 10, pub->n_plusone);
paillier_keygen(&pub, &priv, get_rand, 0);
pub->bits = mpz_sizeinbase(pub->n, 2);
fclose(fpub);
}
//setting already known pairing parameters
if((fpairing = fopen("pairing.txt", "r")))
{
fgets(len, 1000, fpairing);
//printf("\n %s\n", len);
element_set_str(g, len, 10);
//element_printf(" g = %B\n", g);
fgets(len, 1000, fpairing);
//printf("\n %s\n", len);
element_set_str(u, len, 10);
//element_printf("\n u= %B\n", u);
fgets(len, 1000, fpairing);
element_set_str(secret_key, len, 10);
//element_printf(" secretkey %B\n",secret_key);
fgets(len, 1000, fpairing);
element_set_str(public_key, len, 10);
//element_printf(" publickey %B\n", public_key);
fgets(len, 1000, fpairing);
element_set_str(h, len, 10);
//element_printf(" \nh = %B\n", h);
fgets(len, 1000, fpairing);
mpz_init_set_str(pub_n, len, 10);
//printf("\n n = ");
//mpz_out_str(stdout, 10, pub_n);
fclose(fpairing);
}
element_set1(tag_prod);
ftag = fopen("./tag/output5.txt", "r");
fgets(len, 1000, ftag);
element_set_str(g1, len, 10);
element_printf("\ng1 = %B\n", g1);
fclose(ftag);
ftag = fopen("./tag/output6.txt", "r");
fgets(len, 1000, ftag);
element_set_str(g2, len, 10);
element_printf("\ng2 = %B\n", g2);
fclose(ftag);
fplain = fopen("./split/output5.txt", "r");
fgets(len, 1000, fplain);
// printf("\nlen %s", len);
mpz_set_str(a, len, 10);
//element_printf("\na = %Zd\n", a);
fclose(fplain);
fplain = fopen("./split/output6.txt", "r");
fgets(len, 1000, fplain);
mpz_set_str(b, len, 10);
fcipher = fopen("./cipher/copy1/output5.txt", "r");
fgets(len, 1000, fcipher);
mpz_init_set_str(cipher1->c, len, 10);
fclose(fcipher);
fcipher = fopen("./cipher/copy1/output6.txt", "r");
fgets(len, 1000, fcipher);
mpz_init_set_str(cipher2->c, len, 10);
fclose(fcipher);
paillier_mul(pub, cipher2, cipher2, cipher1);
plain1 = paillier_dec(plain1, pub, priv, cipher2);
//tag
mpz_t an;
mpz_init(an);
mpz_init(nsquare);
// mpz_mul(an, a, pub_n);
mpz_mul(nsquare, pub_n, pub_n);
element_pow_mpz(temp_pow,u, plain1->m);
element_mul(temp_pow, temp_pow, h);
element_pow_zn(sig1, temp_pow, secret_key);
element_printf("\n signature of plain = %B\n", sig1);
//mpz_mul(an, b, pub_n);
// mpz_mul(nsquare, pub_n, pub_n);
element_pow_mpz(temp_pow,u, b);
element_mul(temp_pow, temp_pow, h);
element_pow_zn(sig2, temp_pow, secret_key);
element_printf("\n signature of b = %B\n", sig2);
//element_printf("\nb = %Zd\n", b);
fclose(fplain);
mpz_add(a, a, b);
// mpz_mod(a, a, pub_n);
// mpz_mul(a, a, pub_n);
// mpz_mod(a, a, nsquare);
count = 2;
element_pow_mpz(temp_pow,u, a);
mpz_set_ui(data2, count);
// itoa(count, len, 10);+
//element_printf(" \nh = %B\n", h);
element_pow_mpz(h, h, data2);
element_mul(temp_pow, temp_pow, h);
//element_printf("\n h. u^bN = %B\n", temp_pow);
element_pow_zn(sig3, temp_pow, secret_key);
element_printf("\n sig 3 %B\n", sig3);
element_mul(g2, g2, g1);
element_printf("\n Direct Product %B\n", g2);
element_mul(sig2, sig1, sig2);
element_printf("\n Direct Product %B\n", sig2);
return 0;
}
void shipseystange(element_t z, element_t P, element_t Q)
{
mpz_t q1r;
mpz_init(q1r);
mpz_set_ui(q1r, 696);
element_ptr x = curve_x_coord(P);
element_ptr y = curve_y_coord(P);
element_ptr x2 = curve_x_coord(Q);
element_ptr y2 = curve_y_coord(Q);
element_t v0m1, v0m2, v0m3;
element_t v00, v01, v02, v03, v04;
element_t v1m1, v10, v11;
element_t t0, t1, t2;
element_t W20inv;
element_t Wm11inv;
element_t W2m1inv;
element_t sm2, sm1, s0, s1, s2, s3;
element_t pm2, pm1, p0, p1, p2, p3;
element_init_same_as(sm2, z);
element_init_same_as(sm1, z);
element_init_same_as(s0, z);
element_init_same_as(s1, z);
element_init_same_as(s2, z);
element_init_same_as(s3, z);
element_init_same_as(pm2, z);
element_init_same_as(pm1, z);
element_init_same_as(p0, z);
element_init_same_as(p1, z);
element_init_same_as(p2, z);
element_init_same_as(p3, z);
element_init_same_as(v0m3, z);
element_init_same_as(v0m2, z);
element_init_same_as(v0m1, z);
element_init_same_as(v00, z);
element_init_same_as(v01, z);
element_init_same_as(v02, z);
element_init_same_as(v03, z);
element_init_same_as(v04, z);
element_init_same_as(v1m1, z);
element_init_same_as(v10, z);
element_init_same_as(v11, z);
element_init_same_as(W20inv, z);
element_init_same_as(Wm11inv, z);
element_init_same_as(W2m1inv, z);
element_init_same_as(t0, z);
element_init_same_as(t1, z);
element_init_same_as(t2, z);
element_set0(v0m1);
element_set1(v00);
element_neg(v0m2, v00);
element_double(v01, y);
element_neg(v0m3, v01);
element_invert(W20inv, v01);
element_sub(Wm11inv, x, x2);
element_square(t1, Wm11inv);
element_invert(Wm11inv, Wm11inv);
element_double(t0, x);
element_add(t0, t0, x2);
element_mul(t1, t0, t1);
element_add(t0, y, y2);
element_square(t0, t0);
element_sub(t0, t0, t1);
element_invert(W2m1inv, t0);
/* Let P=(x,y) since A=1, B=0 we have:
* W(3,0) = 3x^4 + 6x^2 - 1
* W(4,0) = 4y(x^6 + 5x^4 - 5x^2 - 1)
*/
//t0 = x^2
element_square(t0, x);
//t1 = x^4
element_square(t1, t0);
//t2 = x^4 + 2 x^2
element_double(t2, t0);
element_add(t2, t2, t1);
//v02 = W(3,0)
element_double(v02, t2);
element_add(v02, v02, t2);
element_add(v02, v02, v0m2);
//t2 = x^4 - x^2
element_sub(t2, t1, t0);
//v03 = 5(x^4 - x^2)
element_double(v03, t2);
element_double(v03, v03);
element_add(v03, v03, t2);
//t2 = x^6
element_mul(t2, t0, t1);
//v03 = W(4,0)
element_add(v03, v03, t2);
element_add(v03, v03, v0m2);
element_double(v03, v03);
element_double(v03, v03);
element_mul(v03, v03, y);
//v04 = W(5,0) = W(2,0)^3 W(4,0) - W(3,0)^3
element_square(t0, v01);
element_mul(t0, t0, v01);
element_mul(v04, t0, v03);
element_square(t0, v02);
element_mul(t0, t0, v02);
element_sub(v04, v04, t0);
element_set1(v1m1);
element_set1(v10);
element_printf("x y: %B %B\n", x, y);
element_printf("x2 y2: %B %B\n", x2, y2);
element_sub(t0, x2, x);
element_sub(t1, y2, y);
element_div(t0, t1, t0);
element_square(t0, t0);
element_double(v11, x);
element_add(v11, v11, x2);
element_sub(v11, v11, t0);
element_printf("VEC1: %B %B %B\n", v1m1, v10, v11);
element_printf("VEC0: %B %B %B %B %B %B %B %B\n",
v0m3, v0m2, v0m1, v00, v01, v02, v03, v04);
//Double
element_square(sm2, v0m2);
element_square(sm1, v0m1);
element_square(s0, v00);
element_square(s1, v01);
element_square(s2, v02);
element_square(s3, v03);
element_mul(pm2, v0m3, v0m1);
element_mul(pm1, v0m2, v00);
element_mul(p0, v0m1, v01);
element_mul(p1, v00, v02);
element_mul(p2, v01, v03);
element_mul(p3, v02, v04);
element_mul(t0, pm1, sm2);
element_mul(t1, pm2, sm1);
element_sub(v0m3, t0, t1);
element_mul(t1, pm2, s0);
element_mul(t0, p0, sm2);
element_sub(v0m2, t0, t1);
element_mul(v0m2, v0m2, W20inv);
element_mul(t0, p0, sm1);
element_mul(t1, pm1, s0);
element_sub(v0m1, t0, t1);
element_mul(t1, pm1, s1);
element_mul(t0, p1, sm1);
element_sub(v00, t0, t1);
element_mul(v00, v00, W20inv);
element_mul(t0, p1, s0);
element_mul(t1, p0, s1);
element_sub(v01, t0, t1);
element_mul(t1, p0, s2);
element_mul(t0, p2, s0);
element_sub(v02, t0, t1);
element_mul(v02, v02, W20inv);
element_mul(t0, p2, s1);
element_mul(t1, p1, s2);
element_sub(v03, t0, t1);
element_mul(t1, p1, s3);
element_mul(t0, p3, s1);
element_sub(v04, t0, t1);
element_mul(v04, v04, W20inv);
element_square(t0, v10);
element_mul(t1, v1m1, v11);
element_mul(t2, pm1, t0);
element_mul(v1m1, t1, sm1);
element_sub(v1m1, v1m1, t2);
element_mul(t2, p0, t0);
element_mul(v10, t1, s0);
element_sub(v10, v10, t2);
element_mul(t2, p1, t0);
element_mul(v11, t1, s1);
element_sub(v11, v11, t2);
element_mul(v11, v11, Wm11inv);
element_printf("VEC1: %B %B %B\n", v1m1, v10, v11);
element_printf("VEC0: %B %B %B %B %B %B %B %B\n",
v0m3, v0m2, v0m1, v00, v01, v02, v03, v04);
//DoubleAdd
element_square(sm2, v0m2);
element_square(sm1, v0m1);
element_square(s0, v00);
element_square(s1, v01);
element_square(s2, v02);
element_square(s3, v03);
element_mul(pm2, v0m3, v0m1);
element_mul(pm1, v0m2, v00);
element_mul(p0, v0m1, v01);
element_mul(p1, v00, v02);
element_mul(p2, v01, v03);
element_mul(p3, v02, v04);
element_mul(t1, pm2, s0);
element_mul(t0, p0, sm2);
element_sub(v0m3, t0, t1);
element_mul(v0m3, v0m3, W20inv);
element_mul(t0, p0, sm1);
element_mul(t1, pm1, s0);
element_sub(v0m2, t0, t1);
element_mul(t1, pm1, s1);
element_mul(t0, p1, sm1);
element_sub(v0m1, t0, t1);
element_mul(v0m1, v0m1, W20inv);
element_mul(t0, p1, s0);
element_mul(t1, p0, s1);
element_sub(v00, t0, t1);
element_mul(t1, p0, s2);
element_mul(t0, p2, s0);
element_sub(v01, t0, t1);
element_mul(v01, v01, W20inv);
element_mul(t0, p2, s1);
element_mul(t1, p1, s2);
element_sub(v02, t0, t1);
element_mul(t1, p1, s3);
element_mul(t0, p3, s1);
element_sub(v03, t0, t1);
element_mul(v03, v03, W20inv);
element_mul(t0, p3, s2);
element_mul(t1, p2, s3);
element_sub(v04, t0, t1);
element_square(t0, v10);
element_mul(t1, v1m1, v11);
element_mul(t2, p0, t0);
element_mul(v1m1, t1, s0);
element_sub(v1m1, v1m1, t2);
element_mul(t2, p1, t0);
element_mul(v10, t1, s1);
element_sub(v10, v10, t2);
element_mul(v10, v10, Wm11inv);
element_mul(t2, t1, s2);
element_mul(v11, p2, t0);
element_sub(v11, v11, t2);
element_mul(v11, v11, W2m1inv);
element_printf("VEC1: %B %B %B\n", v1m1, v10, v11);
element_printf("VEC0: %B %B %B %B %B %B %B %B\n",
v0m3, v0m2, v0m1, v00, v01, v02, v03, v04);
element_div(z, v11, v01);
element_printf("prepow: %B\n", z);
element_pow_mpz(z, z, q1r);
mpz_clear(q1r);
}