init attribute-based encryption

Change-Id: Iba1a3d722110abf747a0fba366f3ebc911d25b25

8 files changed, 826 insertions, 0 deletions

diff --git a/moon-abe/pbc-0.5.14/example/Makefile.am b/moon-abe/pbc-0.5.14/example/Makefile.am
new file mode 100644
index 00000000..a1b60dbc
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/example/Makefile.am
@@ -0,0 +1,16 @@
+CLEANFILES = *~
+maintainer-clean-local:
+	-rm -rf Makefile.in
+
+AM_CPPFLAGS = -I../include
+LDADD = ../libpbc.la -lgmp
+
+noinst_PROGRAMS = bls hess joux paterson yuanli zhangkim zss
+
+bls_SOURCES = bls.c
+hess_SOURCES = hess.c
+joux_SOURCES = joux.c
+paterson_SOURCES = paterson.c
+yuanli_SOURCES = yuanli.c
+zhangkim_SOURCES = zhangkim.c
+zss_SOURCES = zss.c
diff --git a/moon-abe/pbc-0.5.14/example/bls.c b/moon-abe/pbc-0.5.14/example/bls.c
new file mode 100644
index 00000000..8b62a097
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/example/bls.c
@@ -0,0 +1,133 @@
+// Boneh-Lynn-Shacham short signatures demo.
+//
+// See the PBC_sig library for a practical implementation.
+//
+// Ben Lynn
+#include <pbc.h>
+#include <pbc_test.h>
+
+int main(int argc, char **argv) {
+  pairing_t pairing;
+  element_t g, h;
+  element_t public_key, sig;
+  element_t secret_key;
+  element_t temp1, temp2;
+
+  pbc_demo_pairing_init(pairing, argc, argv);
+
+  element_init_G2(g, pairing);
+  element_init_G2(public_key, pairing);
+  element_init_G1(h, pairing);
+  element_init_G1(sig, pairing);
+  element_init_GT(temp1, pairing);
+  element_init_GT(temp2, pairing);
+  element_init_Zr(secret_key, pairing);
+
+  printf("Short signature test\n");
+
+  //generate system parameters
+  element_random(g);
+  element_printf("system parameter g = %B\n", g);
+
+  //generate private key
+  element_random(secret_key);
+  element_printf("private key = %B\n", secret_key);
+
+  //compute corresponding public key
+  element_pow_zn(public_key, g, secret_key);
+  element_printf("public key = %B\n", public_key);
+
+  //generate element from a hash
+  //for toy pairings, should check that pairing(g, h) != 1
+  element_from_hash(h, "hashofmessage", 13);
+  element_printf("message hash = %B\n", h);
+
+  //h^secret_key is the signature
+  //in real life: only output the first coordinate
+  element_pow_zn(sig, h, secret_key);
+  element_printf("signature = %B\n", sig);
+
+  {
+    int n = pairing_length_in_bytes_compressed_G1(pairing);
+    //int n = element_length_in_bytes_compressed(sig);
+    int i;
+    unsigned char *data = pbc_malloc(n);
+
+    element_to_bytes_compressed(data, sig);
+    printf("compressed = ");
+    for (i = 0; i < n; i++) {
+      printf("%02X", data[i]);
+    }
+    printf("\n");
+
+    element_from_bytes_compressed(sig, data);
+    element_printf("decompressed = %B\n", sig);
+
+    pbc_free(data);
+  }
+
+  //verification part 1
+  element_pairing(temp1, sig, g);
+  element_printf("f(sig, g) = %B\n", temp1);
+
+  //verification part 2
+  //should match above
+  element_pairing(temp2, h, public_key);
+  element_printf("f(message hash, public_key) = %B\n", temp2);
+
+  if (!element_cmp(temp1, temp2)) {
+    printf("signature verifies\n");
+  } else {
+    printf("*BUG* signature does not verify *BUG*\n");
+  }
+
+  {
+    int n = pairing_length_in_bytes_x_only_G1(pairing);
+    //int n = element_length_in_bytes_x_only(sig);
+    int i;
+    unsigned char *data = pbc_malloc(n);
+
+    element_to_bytes_x_only(data, sig);
+    printf("x-coord = ");
+    for (i = 0; i < n; i++) {
+      printf("%02X", data[i]);
+    }
+    printf("\n");
+
+    element_from_bytes_x_only(sig, data);
+    element_printf("de-x-ed = %B\n", sig);
+
+    element_pairing(temp1, sig, g);
+    if (!element_cmp(temp1, temp2)) {
+      printf("signature verifies on first guess\n");
+    } else {
+      element_invert(temp1, temp1);
+      if (!element_cmp(temp1, temp2)) {
+        printf("signature verifies on second guess\n");
+      } else {
+        printf("*BUG* signature does not verify *BUG*\n");
+      }
+    }
+
+    pbc_free(data);
+  }
+
+  //a random signature shouldn't verify
+  element_random(sig);
+  element_pairing(temp1, sig, g);
+  if (element_cmp(temp1, temp2)) {
+    printf("random signature doesn't verify\n");
+  } else {
+    printf("*BUG* random signature verifies *BUG*\n");
+  }
+
+  element_clear(sig);
+  element_clear(public_key);
+  element_clear(secret_key);
+  element_clear(g);
+  element_clear(h);
+  element_clear(temp1);
+  element_clear(temp2);
+  pairing_clear(pairing);
+  return 0;
+}
diff --git a/moon-abe/pbc-0.5.14/example/hess.c b/moon-abe/pbc-0.5.14/example/hess.c
new file mode 100644
index 00000000..8d5a437e
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/example/hess.c
@@ -0,0 +1,109 @@
+/*
+  Hess ID-based signature.
+  Based on papers "F. Hess. Efficient Identity Based Signature Schemes Based on Pairings. SAC 2002, LNCS 2595, Springer-Verlag, 2000"
+  Contributed by Dmitry Kosolapov.
+*/
+
+#include <pbc.h>
+#include <pbc_test.h>
+
+int main(int argc, char **argv) {
+  pairing_t pairing;
+  double time1, time2;
+  pbc_demo_pairing_init(pairing, argc, argv);
+
+  element_t Qid, P, P1, Ppub, s, k, Did, r, v, u, t1, t3, t4, t5, t6, t7, t8;
+  mpz_t t2;
+
+  if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric");
+
+  mpz_init(t2);
+  element_init_G1(P, pairing);
+  element_init_G1(P1, pairing);
+  element_init_G1(Qid, pairing);
+  element_init_G1(Did, pairing);
+  element_init_G1(Ppub, pairing);
+  element_init_G1(t4, pairing);
+  element_init_G1(t5, pairing);
+  element_init_G1(u, pairing);
+
+  element_init_Zr(s, pairing);
+  element_init_Zr(k, pairing);
+  element_init_Zr(v, pairing);
+  element_init_Zr(t3, pairing);
+  element_init_Zr(t8, pairing);
+
+  element_init_GT(r, pairing);
+  element_init_GT(t1, pairing);
+  element_init_GT(t6, pairing);
+  element_init_GT(t7, pairing);
+
+  time1 = pbc_get_time();
+  printf("Hess ID-based signature protocol\n");
+  printf("KEYGEN\n");
+  element_random(P);
+  element_random(s);
+  element_random(Qid);
+  element_mul_zn(Ppub, P, s);
+  element_mul_zn(Did, Qid, s);
+  element_printf("Qid = %B\n", Qid);
+  element_printf("P = %B\n", P);
+  element_printf("Ppub = %B\n", Ppub);
+
+  printf("SIGN\n");
+  element_random(P1);
+  element_random(k);
+  element_pairing(t1, P1, P);
+  element_pow_zn(r, t1, k);
+  element_to_mpz(t2, r);
+
+  //h3=h(m)*mpz(r);
+  element_from_hash(t3, "Message", 7);
+  element_mul_mpz(v, t3, t2);
+  element_mul_zn(t4, Did, v);
+  element_mul_zn(t5, P1, k);
+  element_add(u, t4, t5);
+  printf("Signature of message \"Message\" is:\n");
+  element_printf("u = %B\n", u);
+  element_printf("v = %B\n", v);
+
+  printf("VERIFY\n");
+  element_pairing(t6, u, P);
+  element_neg(Ppub, Ppub);
+  element_pairing(t7, Qid, Ppub);
+  element_pow_zn(t7, t7, v);
+  element_mul(r, t6, t7);
+  element_to_mpz(t2, r);
+  element_from_hash(t3, "Message", 7);
+  element_mul_mpz(t8, t3, t2);
+  element_printf("h3(m,r) = %B\n", t8);
+  element_printf("v = %B\n", v);
+  if (!element_cmp(t8, v)) {
+    printf("Signature is valid!\n");
+  } else {
+    printf("Signature is invalid!\n");
+  }
+  time2 = pbc_get_time();
+  printf("All time = %fs\n", time2 - time1);
+
+  element_clear(P);
+  element_clear(P1);
+  element_clear(Qid);
+  element_clear(Did);
+  element_clear(Ppub);
+  element_clear(t4);
+  element_clear(t5);
+  element_clear(u);
+  element_clear(s);
+  element_clear(k);
+  element_clear(v);
+  element_clear(t3);
+  element_clear(t8);
+  element_clear(r);
+  element_clear(t1);
+  element_clear(t6);
+  element_clear(t7);
+  pairing_clear(pairing);
+
+  return 0;
+}
diff --git a/moon-abe/pbc-0.5.14/example/joux.c b/moon-abe/pbc-0.5.14/example/joux.c
new file mode 100644
index 00000000..4c7a46b9
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/example/joux.c
@@ -0,0 +1,80 @@
+/*
+  Joux one round protocol for tripartite Diffie-Hellman
+  Based on papers "A. Joux. A One Round Protocol for Tripartie Diffie-Hellman. Proceedings of ANTS 4. LNCS 1838, pp. 385-394, 2000."
+  Contributed by Dmitry Kosolapov.
+*/
+
+#include <pbc.h>
+#include <pbc_test.h>
+
+int main(int argc, char **argv) {
+  pairing_t pairing;
+  double time1, time2;
+  element_t P, a, b, c, Ka, Kb, Kc, t1, t2, t3, t4, t5, t6;
+  pbc_demo_pairing_init(pairing, argc, argv);
+  if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric");
+
+  element_init_G1(P, pairing);
+  element_init_G1(t1, pairing);
+  element_init_G1(t2, pairing);
+  element_init_G1(t3, pairing);
+
+  element_init_Zr(a, pairing);
+  element_init_Zr(b, pairing);
+  element_init_Zr(c, pairing);
+
+  element_init_GT(t4, pairing);
+  element_init_GT(t5, pairing);
+  element_init_GT(t6, pairing);
+  element_init_GT(Ka, pairing);
+  element_init_GT(Kb, pairing);
+  element_init_GT(Kc, pairing);
+
+  time1 = pbc_get_time();
+  printf("Joux key agreement between A, B and C.\n");
+  element_random(P);
+  element_random(a);
+  element_random(b);
+  element_random(c);
+  element_mul_zn(t1, P, a);
+  printf("A sends B and C: aP\n");
+  element_printf("aP = %B\n", t1);
+  element_mul_zn(t2, P, b);
+  printf("B sends A and C: bP\n");
+  element_printf("bP = %B\n", t2);
+  element_mul_zn(t3, P, c);
+  printf("C sends A and B: cP\n");
+  element_printf("cP = %B\n", t3);
+
+  element_pairing(t4, t2, t3);
+  element_pow_zn(Ka, t4, a);
+  element_printf("Ka = %B\n", Ka);
+  element_pairing(t5, t1, t3);
+  element_pow_zn(Kb, t5, b);
+  element_printf("Kb = %B\n", Kb);
+  element_pairing(t6, t1, t2);
+  element_pow_zn(Kc, t6, c);
+  element_printf("Kc = %B\n", Kc);
+
+  printf("Shared key K = Ka = Kb = Kc\n");
+  time2 = pbc_get_time();
+  printf("All time = %fs\n", time2 - time1);
+
+
+  element_clear(P);
+  element_clear(a);
+  element_clear(b);
+  element_clear(c);
+  element_clear(Ka);
+  element_clear(Kb);
+  element_clear(Kc);
+  element_clear(t1);
+  element_clear(t2);
+  element_clear(t3);
+  element_clear(t4);
+  element_clear(t5);
+  element_clear(t6);
+  pairing_clear(pairing);
+
+  return 0;
+}
diff --git a/moon-abe/pbc-0.5.14/example/paterson.c b/moon-abe/pbc-0.5.14/example/paterson.c
new file mode 100644
index 00000000..4e21fc9f
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/example/paterson.c
@@ -0,0 +1,114 @@
+/*
+  Paterson ID-based signature.
+  Based on papers "K. G. Paterson. ID-Based Signatures from Pairings on Elliptic Curvers. Electron. Lett., Vol. 38". Available at http://eprint.iacr.org/2002/004."
+  Contributed by Dmitry Kosolapov.
+*/
+
+#include <pbc.h>
+#include <pbc_test.h>
+
+int main(int argc, char **argv) {
+  pairing_t pairing;
+  double time1, time2;
+  element_t Ppub, s, P, R, k, S, Did, Qid, t1, t2, t4, t5, t6, t7, t8,
+    t9, t10, t11;
+  mpz_t t3;
+  mpz_init(t3);
+  pbc_demo_pairing_init(pairing, argc, argv);
+  if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric");
+
+  element_init_G1(P, pairing);
+  element_init_G1(Ppub, pairing);
+  element_init_G1(Qid, pairing);
+  element_init_G1(Did, pairing);
+  element_init_G1(R, pairing);
+  element_init_G1(S, pairing);
+  element_init_G1(t2, pairing);
+  element_init_G1(t4, pairing);
+  element_init_G1(t5, pairing);
+  element_init_G1(t7, pairing);
+
+  element_init_Zr(s, pairing);
+  element_init_Zr(k, pairing);
+  element_init_Zr(t1, pairing);
+
+  element_init_GT(t6, pairing);
+  element_init_GT(t8, pairing);
+  element_init_GT(t9, pairing);
+  element_init_GT(t10, pairing);
+  element_init_GT(t11, pairing);
+
+  time1 = pbc_get_time();
+  printf("Paterson ID-based signature.\n");
+  printf("KEYGEN\n");
+  element_random(P);
+  element_random(s);
+  element_mul_zn(Ppub, P, s);
+  element_printf("P = %B\n", P);
+  element_printf("Ppub = %B\n", Ppub);
+  element_from_hash(Qid, "ID", 2);
+  element_printf("Qid = %B\n", Qid);
+  element_mul_zn(Did, Qid, s);
+
+  printf("SIGN\n");
+  element_random(k);
+  element_mul_zn(R, P, k);
+  element_from_hash(t1, "Message", 7);
+  element_mul_zn(t2, P, t1);
+  //H3(R)=mpz(R);
+//  int n = element_length_in_bytes(R);
+//  unsigned char *data=malloc(n);
+//  element_to_bytes(data, R);
+//  printf("data = %s\n", data);
+  element_to_mpz(t3, R);
+  element_mul_mpz(t4, Did, t3);
+  element_add(t5, t4, t2);
+  element_invert(k, k);
+  element_mul_zn(S, t5, k);
+  printf("Signature of message \"Message\" is:\n");
+  element_printf("R = %B\n", R);
+  element_printf("S = %B\n", S);
+
+  printf("VERIFY\n");
+  element_from_hash(t1, "Message", 7);
+  element_mul_zn(t7, P, t1);
+  element_pairing(t6, P, t7);
+  element_pairing(t8, Ppub, Qid);
+  element_to_mpz(t3, R);
+  element_pow_mpz(t9, t8, t3);
+  element_printf("t8 = %B\n", t8);
+  element_printf("t9 = %B\n", t9);
+  element_mul(t10, t6, t9);
+  element_printf("t10 = %B\n", t10);
+  element_pairing(t11, R, S);
+  element_printf("[e(P, P)^H2(M)][e(Ppub, Qid)^H3(R)] = %B\n", t10);
+  element_printf("e(R, S) = %B\n", t11);
+  if (!element_cmp(t10, t11)) {
+    printf("Signature is valid!\n");
+  } else {
+    printf("Signature is invalid!\n");
+  }
+  time2 = pbc_get_time();
+  printf("All time = %fs\n", time2 - time1);
+
+  element_clear(P);
+  element_clear(Ppub);
+  element_clear(Qid);
+  element_clear(Did);
+  element_clear(R);
+  element_clear(t2);
+  element_clear(t4);
+  element_clear(t5);
+  element_clear(s);
+  element_clear(k);
+  element_clear(t1);
+  element_clear(t6);
+  element_clear(t7);
+  element_clear(t8);
+  element_clear(t9);
+  element_clear(t10);
+  element_clear(t11);
+  pairing_clear(pairing);
+
+  return 0;
+}
diff --git a/moon-abe/pbc-0.5.14/example/yuanli.c b/moon-abe/pbc-0.5.14/example/yuanli.c
new file mode 100644
index 00000000..a3606377
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/example/yuanli.c
@@ -0,0 +1,165 @@
+/* Contributed by Dmitry Kosolapov
+ *
+ * I haven't tested this much, and I'm personally not familiar with
+ * this particular cryptosystem. -Ben Lynn
+ */
+/* Here we represent the original Yuan-Li ID-Based Authenticated Key Agreement Protocol, 2005.
+ * This protocol has 2 stages: Setup and Extract. We represent them inside one code block with demo and time outputs.
+ */
+
+/*Yuan-Li protocol description according to:
+Quan Yuan and Songping Li, A New Efficient ID-Based Authenticated Key Agreement Protocol, Cryptology ePrint Archive, Report 2005/309
+
+SETUP:
+KGS chooses G1, G2, e: G1*G1 -> G2, P, H: {0, 1}* -> G1, s, H - some function for key calculation.
+KGS calculates Ppub = s*P, publishes {G1, G2, e, P, Ppub, H1, H} and saves s as master key.
+
+EXTRACT:
+
+For the user with ID public key can be calculated with Qid = H1(ID). KGS generates bound public key Sid = s*Qid.
+1. A chooses random a from Z_p*, calculates Ta = a*P.
+   A -> B: Ta
+2. B chooses random b from Z_p*, calculates Tb = b*P.
+   B -> A: Tb
+3. A calculates h = a*Tb = a*b*P and shared secret key Kab = e(a*Ppub + Sa, Tb + Qb)
+4. B calculates h = b*Ta = a*b*P and shared secret key Kba = e(Ta + Qa, b*Ppub + Sb)
+Session key is K = H(A, B, h, Kab).
+H was not defined in the original article.
+I've defined it as H(A, B, h, Kab)=e(h,H1(A)+H1(B))+Kab.
+*/
+
+#include <pbc.h>
+#include <pbc_test.h>
+
+int main(int argc, char **argv) {
+  pairing_t pairing;
+  double t0, t1;
+  element_t s, a, b, P, Ppub, Qa, Qb, Sa, Sb, Ta, Tb, Kab, Kba, K, temp1,
+    temp2, temp3, temp4, temp5, h;
+
+  pbc_demo_pairing_init(pairing, argc, argv);
+  if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric");
+
+  element_init_Zr(s, pairing);
+  element_init_Zr(a, pairing);
+  element_init_Zr(b, pairing);
+
+  element_init_G1(P, pairing);
+  element_init_G1(Ppub, pairing);
+  element_init_G1(Qa, pairing);
+  element_init_G1(Qb, pairing);
+  element_init_G1(Sa, pairing);
+  element_init_G1(Sb, pairing);
+  element_init_G1(Ta, pairing);
+  element_init_G1(Tb, pairing);
+  element_init_G1(temp1, pairing);
+  element_init_G1(temp2, pairing);
+  element_init_G1(temp3, pairing);
+  element_init_G1(h, pairing);
+
+  element_init_GT(Kab, pairing);
+  element_init_GT(Kba, pairing);
+  element_init_GT(K, pairing);
+  element_init_GT(temp4, pairing);
+  element_init_GT(temp5, pairing);
+
+  printf("Yuan-Li key agreement protocol\n");
+
+  t0 = pbc_get_time();
+
+//Setup, system parameters generation
+  printf("SETUP STAGE\n");
+  element_random(P);
+  element_printf("P = %B\n", P);
+  element_random(s);
+  element_mul_zn(Ppub, P, s);
+  element_printf("Ppub = %B\n", Ppub);
+
+//Extract, key calculation
+  printf("EXTRACT STAGE\n");
+  element_from_hash(Qa, "A", 1);
+  element_from_hash(Qb, "B", 1);
+  element_mul_zn(Sa, Qa, s);
+  element_mul_zn(Sb, Qb, s);
+  element_printf("Sa = %B\n", Sa);
+  element_printf("Sb = %B\n", Sb);
+
+  printf("-----1-----\n");
+
+  element_random(a);
+  element_mul_zn(Ta, P, a);
+  element_printf("A sends B Ta = %B\n", Ta);
+
+  printf("-----2-----\n");
+
+  element_random(b);
+  element_mul_zn(Tb, P, b);
+  element_printf("B sends A Tb = %B\n", Tb);
+
+  printf("-----3-----\n");
+
+  printf("A calculates h and Kab\n");
+  element_mul_zn(h, Tb, a);
+  element_printf("h = %B\n", h);
+  element_mul_zn(temp1, Ppub, a);
+  element_add(temp1, temp1, Sa);
+  element_add(temp2, Tb, Qb);
+  element_pairing(Kab, temp1, temp2);
+  element_printf("Kab = %B\n", Kab);
+
+  printf("-----4-----\n");
+
+  printf("B calculates h and Kba\n");
+  element_mul_zn(h, Ta, b);
+  element_printf("h = %B\n", h);
+  element_add(temp1, Ta, Qa);
+  element_mul_zn(temp2, Ppub, b);
+  element_add(temp2, temp2, Sb);
+  element_pairing(Kba, temp1, temp2);
+  element_printf("Kba = %B\n", Kba);
+
+  printf("-----FINAL-----\n");
+
+  element_add(temp3, Qa, Qb);
+  element_pairing(temp4, h, temp3);
+
+  element_add(K, temp4, Kab);
+  element_printf("A has the key K = %B\n", K);
+  element_set(temp5, K);
+
+  element_add(K, temp4, Kba);
+  element_printf("B has the key K = %B\n", K);
+
+  if (!element_cmp(temp5, K))
+    printf("The keys are the same. Start session...\n");
+  else
+    printf("The keys aren't the same. Try again, please.\n");
+
+  element_clear(K);
+  element_clear(Kab);
+  element_clear(Kba);
+  element_clear(h);
+  element_clear(temp1);
+  element_clear(temp2);
+  element_clear(temp3);
+  element_clear(temp4);
+  element_clear(temp5);
+  element_clear(s);
+  element_clear(a);
+  element_clear(b);
+  element_clear(P);
+  element_clear(Ppub);
+  element_clear(Qa);
+  element_clear(Qb);
+  element_clear(Sa);
+  element_clear(Sb);
+  element_clear(Ta);
+  element_clear(Tb);
+
+  t1 = pbc_get_time();
+
+  printf("All time = %fs\n", t1 - t0);
+  printf("Have a good day!\n");
+
+  return 0;
+}
diff --git a/moon-abe/pbc-0.5.14/example/zhangkim.c b/moon-abe/pbc-0.5.14/example/zhangkim.c
new file mode 100644
index 00000000..caaa0b9f
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/example/zhangkim.c
@@ -0,0 +1,139 @@
+/*
+  Zhang and Kim ID-based Blind Signature scheme.
+  Based on papers "F. Zang, K. Kim. ID-based Blind Signature and Ring Signature from Pairings. Advances in Cryptology - Asiacrypt 2002, LNCS Vol. 2510, Springer-Verlag, 2002".
+  Contributed by Dmitry Kosolapov.
+*/
+
+#include <pbc.h>
+#include <pbc_test.h>
+
+int main(int argc, char **argv) {
+  pairing_t pairing;
+  double time1, time2;
+  element_t P, Ppub, s, R, Qid, Sid, a, b, r, c, S, negc, t1, t2, t3, t5,
+    t6, t7, t8, t9, t10, t11, t12, t14;
+  mpz_t t4, t13;
+  mpz_init(t4);
+  mpz_init(t13);
+  pbc_demo_pairing_init(pairing, argc, argv);
+  if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric");
+  element_init_G1(P, pairing);
+  element_init_G1(Ppub, pairing);
+  element_init_G1(Qid, pairing);
+  element_init_G1(Sid, pairing);
+  element_init_G1(R, pairing);
+  element_init_G1(S, pairing);
+  element_init_G1(t1, pairing);
+  element_init_G1(t2, pairing);
+  element_init_G1(t7, pairing);
+  element_init_G1(t8, pairing);
+  element_init_G1(t9, pairing);
+
+  element_init_Zr(r, pairing);
+  element_init_Zr(s, pairing);
+  element_init_Zr(c, pairing);
+  element_init_Zr(a, pairing);
+  element_init_Zr(b, pairing);
+  element_init_Zr(negc, pairing);
+  element_init_Zr(t5, pairing);
+  element_init_Zr(t6, pairing);
+  element_init_Zr(t14, pairing);
+
+  element_init_GT(t3, pairing);
+  element_init_GT(t10, pairing);
+  element_init_GT(t11, pairing);
+  element_init_GT(t12, pairing);
+
+  time1 = pbc_get_time();
+  printf("Zhang and Kim ID-based Blind Signature scheme\n");
+  printf("SETUP\n");
+  element_random(P);
+  element_random(s);
+  element_mul_zn(Ppub, P, s);
+  element_printf("P = %B\n", P);
+  element_printf("Ppub = %B\n", Ppub);
+
+  printf("EXTRACT\n");
+  element_from_hash(Qid, "ID", 2);
+  element_mul_zn(Sid, Qid, s);
+  element_printf("Public key Qid = %B\n", Qid);
+  element_printf("Private key Sid = %B\n", Sid);
+
+  printf("BLIND SIGNATURE ISSUING PROTOCOL\n");
+  element_random(r);
+  element_mul_zn(R, P, r);
+  printf("Signer sends R = rP to user\n");
+  element_printf("R = %B\n", R);
+  printf("Blinding\n");
+  element_random(a);
+  element_random(b);
+  element_mul_zn(t1, P, a);
+  element_add(t1, R, t1);
+  element_mul_zn(t2, Qid, b);
+  element_add(t2, t2, t1);
+  element_pairing(t3, t2, Ppub);
+  element_to_mpz(t4, t3);
+  element_from_hash(t5, "Message", 7);
+  element_mul_mpz(t6, t5, t4);
+  element_add(c, t6, b);
+  printf("User sends c to signer\n");
+  element_printf("c = %B\n", c);
+  printf("Signing\n");
+  element_mul_zn(t7, Ppub, r);
+  element_mul_zn(t8, Sid, c);
+  element_add(S, t8, t7);
+  printf("Signer sends S\n");
+  element_printf("S = %B\n", S);
+  printf("Unblinding\n");
+  element_mul_zn(t9, Ppub, a);
+  element_add(S, S, t9);
+  element_sub(c, c, b);
+  printf("Blind Signature of message \"Message\" is:\n");
+  element_printf("S1 = %B\n", S);
+  element_printf("c1 = %B\n", c);
+
+  printf("VERIFICATION\n");
+  element_pairing(t10, Qid, Ppub);
+  element_neg(negc, c);
+  element_pow_zn(t10, t10, negc);
+  element_pairing(t11, S, P);
+  element_mul(t12, t11, t10);
+  element_to_mpz(t13, t12);
+  element_from_hash(t5, "Message", 7);
+  element_mul_mpz(t14, t5, t13);
+  element_printf("c1 = %B\n", c);
+  element_printf("H(m, [e(S1, P)][e(Qid, Ppub)^(-c1)]) = %B\n", t14);
+
+  if (!element_cmp(t14, c)) printf("Signature is valid\n");
+  else printf("Signature is invalid\n");
+  time2 = pbc_get_time();
+  printf("All time = %fs\n", time2 - time1);
+
+  element_clear(P);
+  element_clear(Ppub);
+  element_clear(Qid);
+  element_clear(Sid);
+  element_clear(R);
+  element_clear(S);
+  element_clear(r);
+  element_clear(s);
+  element_clear(c);
+  element_clear(a);
+  element_clear(b);
+  element_clear(negc);
+  element_clear(t1);
+  element_clear(t2);
+  element_clear(t3);
+  element_clear(t5);
+  element_clear(t6);
+  element_clear(t14);
+  element_clear(t7);
+  element_clear(t8);
+  element_clear(t9);
+  element_clear(t10);
+  element_clear(t11);
+  element_clear(t12);
+  pairing_clear(pairing);
+
+  return 0;
+}
diff --git a/moon-abe/pbc-0.5.14/example/zss.c b/moon-abe/pbc-0.5.14/example/zss.c
new file mode 100644
index 00000000..5020a3a6
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/example/zss.c
@@ -0,0 +1,70 @@
+/*
+  ZSS Short Signature Scheme from Bilinear Pairing.
+  Based on papers "F. Zhang, R. Safavi-Naini and W. Susilo. An Efficient Signature Scheme from Bilinear Pairings and it's Applications. PKC 2004".
+  Contributed by Dmitry Kosolapov.
+*/
+
+#include <pbc.h>
+#include <pbc_test.h>
+
+int main(int argc, char **argv) {
+  pairing_t pairing;
+  pbc_demo_pairing_init(pairing, argc, argv);
+  if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric");
+  double time1, time2;
+  element_t P, Ppub, x, S, H, t1, t2, t3, t4;
+  element_init_Zr(x, pairing);
+  element_init_Zr(H, pairing);
+  element_init_Zr(t1, pairing);
+
+  element_init_G1(S, pairing);
+  element_init_G1(P, pairing);
+  element_init_G1(Ppub, pairing);
+  element_init_G1(t2, pairing);
+
+  element_init_GT(t3, pairing);
+  element_init_GT(t4, pairing);
+
+  printf("ZSS short signature schema\n");
+  printf("KEYGEN\n");
+  time1 = pbc_get_time();
+  element_random(x);
+  element_random(P);
+  element_mul_zn(Ppub, P, x);
+  element_printf("P = %B\n", P);
+  element_printf("x = %B\n", x);
+  element_printf("Ppub = %B\n", Ppub);
+
+  printf("SIGN\n");
+  element_from_hash(H, "Message", 7);
+  element_add(t1, H, x);
+  element_invert(t1, t1);
+  element_mul_zn(S, P, t1);
+  printf("Signature of message \"Message\" is:\n");
+  element_printf("S = %B\n", S);
+
+  printf("VERIFY\n");
+  element_from_hash(H, "Message", 7);
+  element_mul_zn(t2, P, H);
+  element_add(t2, t2, Ppub);
+  element_pairing(t3, t2, S);
+  element_pairing(t4, P, P);
+  element_printf("e(H(m)P + Ppub, S) = %B\n", t3);
+  element_printf("e(P, P) = %B\n", t4);
+  if (!element_cmp(t3, t4)) printf("Signature is valid\n");
+  else printf("Signature is invalid\n");
+  time2 = pbc_get_time();
+  printf("All time = %fs\n", time2 - time1);
+  element_clear(P);
+  element_clear(Ppub);
+  element_clear(x);
+  element_clear(S);
+  element_clear(H);
+  element_clear(t1);
+  element_clear(t2);
+  element_clear(t3);
+  element_clear(t4);
+  pairing_clear(pairing);
+
+  return 0;
+}