summaryrefslogtreecommitdiffstats
path: root/moon-abe/pbc-0.5.14/ecc
diff options
context:
space:
mode:
Diffstat (limited to 'moon-abe/pbc-0.5.14/ecc')
-rw-r--r--moon-abe/pbc-0.5.14/ecc/a_param.c2315
-rw-r--r--moon-abe/pbc-0.5.14/ecc/curve.c987
-rw-r--r--moon-abe/pbc-0.5.14/ecc/d_param.c1258
-rw-r--r--moon-abe/pbc-0.5.14/ecc/e_param.c1006
-rw-r--r--moon-abe/pbc-0.5.14/ecc/eta_T_3.c835
-rw-r--r--moon-abe/pbc-0.5.14/ecc/f_param.c599
-rw-r--r--moon-abe/pbc-0.5.14/ecc/g_param.c1435
-rw-r--r--moon-abe/pbc-0.5.14/ecc/hilbert.c539
-rw-r--r--moon-abe/pbc-0.5.14/ecc/mnt.c496
-rw-r--r--moon-abe/pbc-0.5.14/ecc/mpc.c122
-rw-r--r--moon-abe/pbc-0.5.14/ecc/mpc.h93
-rw-r--r--moon-abe/pbc-0.5.14/ecc/pairing.c283
-rw-r--r--moon-abe/pbc-0.5.14/ecc/param.c220
-rw-r--r--moon-abe/pbc-0.5.14/ecc/param.h23
-rw-r--r--moon-abe/pbc-0.5.14/ecc/singular.c447
15 files changed, 10658 insertions, 0 deletions
diff --git a/moon-abe/pbc-0.5.14/ecc/a_param.c b/moon-abe/pbc-0.5.14/ecc/a_param.c
new file mode 100644
index 00000000..6cf8dd96
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/a_param.c
@@ -0,0 +1,2315 @@
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h> //for rand, pbc_malloc, pbc_free
+#include <string.h> //for strcmp
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_fp.h"
+#include "pbc_fieldquadratic.h"
+#include "pbc_param.h"
+#include "pbc_pairing.h"
+#include "pbc_curve.h"
+#include "pbc_random.h"
+#include "pbc_memory.h"
+#include "ecc/param.h"
+#include "pbc_a_param.h"
+#include "pbc_a1_param.h"
+
+typedef struct {
+ int exp2;
+ int exp1;
+ int sign1;
+ int sign0;
+ mpz_t r; // r = 2^exp2 + sign1 * 2^exp1 + sign0 * 1
+ mpz_t q; // we work in E(F_q) (and E(F_q^2))
+ mpz_t h; // r * h = q + 1
+} *a_param_ptr;
+
+typedef struct {
+ field_t Fq, Fq2, Eq;
+ int exp2, exp1;
+ int sign1;
+} *a_pairing_data_ptr;
+
+static void a_out_str(FILE *stream, void *data) {
+ a_param_ptr p = data;
+ param_out_type(stream, "a");
+ param_out_mpz(stream, "q", p->q);
+ param_out_mpz(stream, "h", p->h);
+ param_out_mpz(stream, "r", p->r);
+ param_out_int(stream, "exp2", p->exp2);
+ param_out_int(stream, "exp1", p->exp1);
+ param_out_int(stream, "sign1", p->sign1);
+ param_out_int(stream, "sign0", p->sign0);
+}
+
+static void a_clear(void *data) {
+ a_param_ptr sp = data;
+ mpz_clear(sp->r);
+ mpz_clear(sp->q);
+ mpz_clear(sp->h);
+ pbc_free(data);
+}
+
+static void phi_identity(element_ptr out, element_ptr in, pairing_ptr pairing) {
+ UNUSED_VAR(pairing);
+ element_set(out, in);
+}
+
+static void compute_abc_tangent(element_ptr a, element_ptr b, element_ptr c,
+ element_ptr Vx, element_ptr Vy, element_ptr e0) {
+ //a = -slope_tangent(V.x, V.y);
+ //b = 1;
+ //c = -(V.y + aV.x);
+ //but we multiply by -2*V.y to avoid division so:
+ //a = -(3 Vx^2 + cc->a)
+ //b = 2 * Vy
+ //c = -(2 Vy^2 + a Vx);
+ element_square(a, Vx);
+ //element_mul_si(a, a, 3);
+ element_add(e0, a, a);
+ element_add(a, e0, a);
+ element_set1(b);
+ element_add(a, a, b);
+ element_neg(a, a);
+
+ element_double(b, Vy);
+
+ element_mul(e0, b, Vy);
+ element_mul(c, a, Vx);
+ element_add(c, c, e0);
+ element_neg(c, c);
+}
+
+static void compute_abc_tangent_proj(element_ptr a, element_ptr b, element_ptr c,
+ element_ptr Vx, element_ptr Vy,
+ element_ptr z, element_ptr z2, element_ptr e0) {
+ //a = -(3x^2 + cca z^4)
+ //for this case cca = 1
+ //b = 2 y z^3
+ //c = -(2 y^2 + x a)
+ //a = z^2 a
+ element_square(a, z2);
+ element_square(b, Vx);
+ ////element_mul_si(b, b, 3);
+ element_double(e0, b);
+ element_add(b, e0, b);
+ element_add(a, a, b);
+ element_neg(a, a);
+
+ ////element_mul_si(e0, Vy, 2);
+ element_double(e0, Vy);
+ element_mul(b, e0, z2);
+ element_mul(b, b, z);
+
+ element_mul(c, Vx, a);
+ element_mul(a, a, z2);
+ element_mul(e0, e0, Vy);
+ element_add(c, c, e0);
+ element_neg(c, c);
+}
+
+static void compute_abc_line(element_ptr a, element_ptr b, element_ptr c,
+ element_ptr Vx, element_ptr Vy,
+ element_ptr V1x, element_ptr V1y,
+ element_ptr e0) {
+ //a = -(B.y - A.y) / (B.x - A.x);
+ //b = 1;
+ //c = -(A.y + a * A.x);
+ //but we'll multiply by B.x - A.x to avoid division, so
+ //a = -(By - Ay)
+ //b = Bx - Ax
+ //c = -(Ay b + a Ax);
+ element_sub(a, Vy, V1y);
+ element_sub(b, V1x, Vx);
+ element_mul(c, Vx, V1y);
+ element_mul(e0, Vy, V1x);
+ element_sub(c, c, e0);
+}
+
+struct pp_coeff_s {
+ element_t a;
+ element_t b;
+ element_t c;
+};
+typedef struct pp_coeff_s pp_coeff_t[1];
+typedef struct pp_coeff_s *pp_coeff_ptr;
+
+static void pp_coeff_set(pp_coeff_ptr p, element_t a, element_t b, element_t c) {
+ element_init(p->a, a->field);
+ element_init(p->b, b->field);
+ element_init(p->c, c->field);
+ element_set(p->a, a);
+ element_set(p->b, b);
+ element_set(p->c, c);
+}
+
+static void a_pairing_pp_init(pairing_pp_t p, element_ptr in1, pairing_t pairing) {
+ int i, n;
+ a_pairing_data_ptr ainfo = pairing->data;
+ p->data = pbc_malloc(sizeof(pp_coeff_t) * (ainfo->exp2 + 1));
+ pp_coeff_t *coeff = (pp_coeff_t *) p->data;
+ element_t V, V1;
+ element_t a, b, c;
+ element_t e0;
+ element_ptr Vx, Vy;
+ element_ptr V1x, V1y;
+
+ #define do_tangent() \
+ compute_abc_tangent(a, b, c, Vx, Vy, e0); \
+ pp_coeff_set(coeff[i], a, b, c);
+
+ #define do_line() \
+ compute_abc_line(a, b, c, Vx, Vy, V1x, V1y, e0); \
+ pp_coeff_set(coeff[i], a, b, c);
+
+ element_init(V, ainfo->Eq);
+ element_init(V1, ainfo->Eq);
+ element_set(V, in1);
+ Vx = curve_x_coord(V);
+ Vy = curve_y_coord(V);
+ V1x = curve_x_coord(V1);
+ V1y = curve_y_coord(V1);
+ element_init(e0, ainfo->Fq);
+ element_init(a, ainfo->Fq);
+ element_init(b, ainfo->Fq);
+ element_init(c, ainfo->Fq);
+
+ n = ainfo->exp1;
+ for (i=0; i<n; i++) {
+ do_tangent();
+ element_double(V, V);
+ }
+
+ if (ainfo->sign1 < 0) {
+ element_neg(V1, V);
+ } else {
+ element_set(V1, V);
+ }
+ n = ainfo->exp2;
+ for (; i<n; i++) {
+ do_tangent();
+ element_double(V, V);
+ }
+
+ do_line();
+
+ element_clear(e0);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(V);
+ element_clear(V1);
+ #undef do_tangent
+ #undef do_line
+}
+
+static void a_pairing_pp_clear(pairing_pp_t p) {
+ a_pairing_data_ptr ainfo = p->pairing->data;
+ pp_coeff_t *coeff = (pp_coeff_t *) p->data;
+ int i, n = ainfo->exp2 + 1;
+ for (i=0; i<n; i++) {
+ pp_coeff_ptr pp = coeff[i];
+ element_clear(pp->a);
+ element_clear(pp->b);
+ element_clear(pp->c);
+ }
+ pbc_free(p->data);
+}
+
+// Requires cofactor to be odd.
+// Overwrites in and temp, out != in.
+// Luckily this touchy routine is only used internally.
+// TODO: rewrite to allow (out == in)? would simplify a_finalpow()
+static void lucas_odd(element_ptr out, element_ptr in, element_ptr temp, mpz_t cofactor) {
+ element_ptr in0 = element_x(in);
+ element_ptr in1 = element_y(in);
+ element_ptr v0 = element_x(out);
+ element_ptr v1 = element_y(out);
+ element_ptr t0 = element_x(temp);
+ element_ptr t1 = element_y(temp);
+ int j;
+
+ element_set_si(t0, 2);
+ element_double(t1, in0);
+
+ element_set(v0, t0);
+ element_set(v1, t1);
+
+ j = mpz_sizeinbase(cofactor, 2) - 1;
+ for (;;) {
+ if (!j) {
+ element_mul(v1, v0, v1);
+ element_sub(v1, v1, t1);
+ element_square(v0, v0);
+ element_sub(v0, v0, t0);
+ break;
+ }
+ if (mpz_tstbit(cofactor, j)) {
+ element_mul(v0, v0, v1);
+ element_sub(v0, v0, t1);
+ element_square(v1, v1);
+ element_sub(v1, v1, t0);
+ } else {
+ element_mul(v1, v0, v1);
+ element_sub(v1, v1, t1);
+ element_square(v0, v0);
+ element_sub(v0, v0, t0);
+ }
+ j--;
+ }
+
+ //assume cofactor = (q + 1) / r is even
+ //(r should be odd and q + 1 is always even)
+ //thus v0 = V_k, v1 = V_{k+1}
+ //and V_{k-1} = P v0 - v1
+
+ //so U_k = (P V_k - 2 V_{k-1}) / (P^2 - 4)
+ // = (2 v1 - P v0) / (P^2 - 4)
+
+ element_mul(in0, v0, t1);
+ element_double(v1, v1);
+ element_sub(v1, v1, in0);
+
+ element_square(t1, t1);
+ element_sub(t1, t1, t0);
+ element_sub(t1, t1, t0);
+ element_div(v1, v1, t1);
+
+ element_halve(v0, v0);
+ element_mul(v1, v1, in1);
+}
+
+static inline void a_tateexp(element_ptr out, element_ptr in, element_ptr temp, mpz_t cofactor) {
+ element_ptr in1 = element_y(in);
+ //simpler but slower:
+ //element_pow_mpz(out, f, tateexp);
+
+ //1. Exponentiate by q-1
+ //which is equivalent to the following
+
+ element_invert(temp, in);
+ element_neg(in1, in1);
+ element_mul(in, in, temp);
+
+ //2. Exponentiate by (q+1)/r
+
+ //Instead of:
+ // element_pow_mpz(out, in, cofactor);
+ //we use Lucas sequences (see "Compressed Pairings", Scott and Barreto)
+ lucas_odd(out, in, temp, cofactor);
+}
+
+//computes a Qx + b Qy + c for type A pairing
+static inline void a_miller_evalfn(element_ptr out,
+ element_ptr a, element_ptr b, element_ptr c,
+ element_ptr Qx, element_ptr Qy) {
+ //we'll map Q via (x,y) --> (-x, iy)
+ //hence Re(a Qx + b Qy + c) = -a Q'x + c and
+ //Im(a Qx + b Qy + c) = b Q'y
+ element_mul(element_y(out), a, Qx);
+ element_sub(element_x(out), c, element_y(out));
+ element_mul(element_y(out), b, Qy);
+}
+
+static void a_pairing_pp_apply(element_ptr out, element_ptr in2, pairing_pp_t p) {
+ //TODO: use proj coords here too to shave off a little time
+ element_ptr Qx = curve_x_coord(in2);
+ element_ptr Qy = curve_y_coord(in2);
+ element_t f, f0;
+ int i, n;
+ a_pairing_data_ptr ainfo = p->pairing->data;
+ pp_coeff_t *coeff = p->data;
+ element_init(f, ainfo->Fq2);
+ element_init(f0, ainfo->Fq2);
+
+ element_set1(f);
+ n = ainfo->exp1;
+ for (i=0; i<n; i++) {
+ pp_coeff_ptr pp = coeff[i];
+ element_square(f, f);
+ a_miller_evalfn(f0, pp->a, pp->b, pp->c, Qx, Qy);
+ element_mul(f, f, f0);
+ }
+ if (ainfo->sign1 < 0) {
+ element_invert(out, f);
+ } else {
+ element_set(out, f);
+ }
+ n = ainfo->exp2;
+ for (; i<n; i++) {
+ element_square(f, f);
+ pp_coeff_ptr pp = coeff[i];
+ a_miller_evalfn(f0, pp->a, pp->b, pp->c, Qx, Qy);
+ element_mul(f, f, f0);
+ }
+
+ element_mul(f, f, out);
+ {
+ pp_coeff_ptr pp = coeff[i];
+ a_miller_evalfn(f0, pp->a, pp->b, pp->c, Qx, Qy);
+ element_mul(f, f, f0);
+ }
+
+ a_tateexp(out, f, f0, p->pairing->phikonr);
+
+ element_clear(f);
+ element_clear(f0);
+}
+
+// in1, in2 are from E(F_q), out from F_q^2.
+// Pairing via elliptic nets (see Stange).
+static void a_pairing_ellnet(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ element_ptr x = curve_x_coord(in1);
+ element_ptr y = curve_y_coord(in1);
+
+ element_ptr x2 = curve_x_coord(in2);
+ element_ptr y2 = curve_y_coord(in2);
+
+ //we map (x2,y2) to (-x2, i y2) before pairing
+ //notation: cmi means c_{k-i}, ci means c_{k+i}
+ element_t cm3, cm2, cm1, c0, c1, c2, c3, c4;
+ element_t dm1, d0, d1;
+ element_t A, B, C;
+
+ element_init_same_as(cm3, x);
+ element_init_same_as(cm2, x);
+ element_init_same_as(cm1, x);
+ element_init_same_as(c0, x);
+ element_init_same_as(c1, x);
+ element_init_same_as(c2, x);
+ element_init_same_as(c3, x);
+ element_init_same_as(c4, x);
+ element_init_same_as(C, x);
+
+ element_init_same_as(dm1, out);
+ element_init_same_as(d0, out);
+ element_init_same_as(d1, out);
+ element_init_same_as(A, x);
+ element_init_same_as(B, out);
+
+ // c1 = 2y
+ // c0 = 1
+ // cm2 = -1
+ // cm3 = -2y
+ element_double(c1, y);
+ element_set1(c0);
+ element_neg(cm3, c1);
+ element_neg(cm2, c0);
+
+ // a = 1, b = 0 for Y^2 = X^3 + X
+ //hence c3 = c_{k+3} = c_4 = 4y(x^6 + 5(x^4 - x^2) - 1)
+ //use cm1, C, c2 as temp variables for now
+ element_square(cm1, x);
+ element_square(C, cm1);
+ element_sub(c2, C, cm1);
+ element_double(c3, c2);
+ element_double(c3, c3);
+ element_add(c3, c3, c2);
+ element_mul(c2, C, cm1);
+ element_add(c3, c3, c2);
+ element_add(c3, c3, cm2);
+ element_mul(c3, c3, c1);
+ element_double(c3, c3);
+
+ // c2 = c_3 = 3x^4 + 6x^2 - 1
+ element_double(cm1, cm1);
+ element_add(cm1, cm1, C);
+ element_double(C, cm1);
+ element_add(C, C, cm1);
+ element_add(c2, C, cm2);
+
+ // c4 = c_5 = c_2^3 c_4 - c_3^3 = c1^3 c3 - c2^3
+ element_square(C, c1);
+ element_mul(c4, C, c1);
+ element_mul(c4, c4, c3);
+ element_square(C, c2);
+ element_mul(C, C, c2);
+ element_sub(c4, c4, C);
+
+ //compute A, B, d1 (which is d_2 since k = 1)
+ //(recall phi takes x2 to -x2, y2 to i y2)
+ element_add(A, x, x2);
+ element_double(C, x);
+ element_sub(C, C, x2);
+ element_square(cm1, A);
+ element_mul(cm1, C, cm1);
+ element_set(element_x(d1), y);
+ element_set(element_y(d1), y2);
+ element_square(d1, d1);
+ element_sub(element_x(d1), element_x(d1), cm1);
+ element_neg(B, d1);
+ element_invert(B, B);
+ element_invert(A, A);
+ element_mul(element_x(d1), y, A);
+ element_neg(element_x(d1), element_x(d1));
+ element_mul(element_y(d1), y2, A);
+ element_square(d1, d1);
+ element_sub(element_x(d1), C, element_x(d1));
+ element_neg(element_y(d1), element_y(d1));
+
+ // cm1 = 0
+ // C = (2y)^-1
+ element_set0(cm1);
+ element_invert(C, c1);
+
+ element_set1(dm1);
+ element_set1(d0);
+
+ element_t sm2, sm1;
+ element_t s0, s1, s2, s3;
+ element_t tm2, tm1;
+ element_t t0, t1, t2, t3;
+ element_t e0, e1;
+ element_t u, v;
+
+ element_init_same_as(sm2, x);
+ element_init_same_as(sm1, x);
+ element_init_same_as(s0, x);
+ element_init_same_as(s1, x);
+ element_init_same_as(s2, x);
+ element_init_same_as(s3, x);
+
+ element_init_same_as(tm2, x);
+ element_init_same_as(tm1, x);
+ element_init_same_as(t0, x);
+ element_init_same_as(t1, x);
+ element_init_same_as(t2, x);
+ element_init_same_as(t3, x);
+
+ element_init_same_as(e0, x);
+ element_init_same_as(e1, x);
+
+ element_init_same_as(u, d0);
+ element_init_same_as(v, d0);
+
+ int m = mpz_sizeinbase(pairing->r, 2) - 2;
+ for (;;) {
+ element_square(sm2, cm2);
+ element_square(sm1, cm1);
+ element_square(s0, c0);
+ element_square(s1, c1);
+ element_square(s2, c2);
+ element_square(s3, c3);
+
+ element_mul(tm2, cm3, cm1);
+ element_mul(tm1, cm2, c0);
+ element_mul(t0, cm1, c1);
+ element_mul(t1, c0, c2);
+ element_mul(t2, c1, c3);
+ element_mul(t3, c2, c4);
+
+ element_square(u, d0);
+ element_mul(v, dm1, d1);
+
+ if (mpz_tstbit(pairing->r, m)) {
+ //double-and-add
+ element_mul(e0, t0, sm2);
+ element_mul(e1, tm2, s0);
+ element_sub(cm3, e0, e1);
+ element_mul(cm3, cm3, C);
+
+ element_mul(e0, t0, sm1);
+ element_mul(e1, tm1, s0);
+ element_sub(cm2, e0, e1);
+
+ element_mul(e0, t1, sm1);
+ element_mul(e1, tm1, s1);
+ element_sub(cm1, e0, e1);
+ element_mul(cm1, cm1, C);
+
+ element_mul(e0, t1, s0);
+ element_mul(e1, t0, s1);
+ element_sub(c0, e0, e1);
+
+ element_mul(e0, t2, s0);
+ element_mul(e1, t0, s2);
+ element_sub(c1, e0, e1);
+ element_mul(c1, c1, C);
+
+ element_mul(e0, t2, s1);
+ element_mul(e1, t1, s2);
+ element_sub(c2, e0, e1);
+
+ element_mul(e0, t3, s1);
+ element_mul(e1, t1, s3);
+ element_sub(c3, e0, e1);
+ element_mul(c3, c3, C);
+
+ element_mul(e0, t3, s2);
+ element_mul(e1, t2, s3);
+ element_sub(c4, e0, e1);
+
+ element_mul(element_x(out), element_x(u), t0);
+ element_mul(element_y(out), element_y(u), t0);
+ element_mul(element_x(dm1), element_x(v), s0);
+ element_mul(element_y(dm1), element_y(v), s0);
+ element_sub(dm1, dm1, out);
+
+ element_mul(element_x(out), element_x(u), t1);
+ element_mul(element_y(out), element_y(u), t1);
+ element_mul(element_x(d0), element_x(v), s1);
+ element_mul(element_y(d0), element_y(v), s1);
+ element_sub(d0, d0, out);
+ element_mul(element_x(d0), element_x(d0), A);
+ element_mul(element_y(d0), element_y(d0), A);
+
+ element_mul(element_x(out), element_x(u), t2);
+ element_mul(element_y(out), element_y(u), t2);
+ element_mul(element_x(d1), element_x(v), s2);
+ element_mul(element_y(d1), element_y(v), s2);
+ element_sub(d1, d1, out);
+ element_mul(d1, d1, B);
+ } else {
+ //double
+ element_mul(e0, tm1, sm2);
+ element_mul(e1, tm2, sm1);
+ element_sub(cm3, e0, e1);
+
+ element_mul(e0, t0, sm2);
+ element_mul(e1, tm2, s0);
+ element_sub(cm2, e0, e1);
+ element_mul(cm2, cm2, C);
+
+ element_mul(e0, t0, sm1);
+ element_mul(e1, tm1, s0);
+ element_sub(cm1, e0, e1);
+
+ element_mul(e0, t1, sm1);
+ element_mul(e1, tm1, s1);
+ element_sub(c0, e0, e1);
+ element_mul(c0, c0, C);
+
+ element_mul(e0, t1, s0);
+ element_mul(e1, t0, s1);
+ element_sub(c1, e0, e1);
+
+ element_mul(e0, t2, s0);
+ element_mul(e1, t0, s2);
+ element_sub(c2, e0, e1);
+ element_mul(c2, c2, C);
+
+ element_mul(e0, t2, s1);
+ element_mul(e1, t1, s2);
+ element_sub(c3, e0, e1);
+
+ element_mul(e0, t3, s1);
+ element_mul(e1, t1, s3);
+ element_sub(c4, e0, e1);
+ element_mul(c4, c4, C);
+
+ element_mul(element_x(out), element_x(u), tm1);
+ element_mul(element_y(out), element_y(u), tm1);
+ element_mul(element_x(dm1), element_x(v), sm1);
+ element_mul(element_y(dm1), element_y(v), sm1);
+ element_sub(dm1, dm1, out);
+
+ element_mul(element_x(out), element_x(u), t0);
+ element_mul(element_y(out), element_y(u), t0);
+ element_mul(element_x(d0), element_x(v), s0);
+ element_mul(element_y(d0), element_y(v), s0);
+ element_sub(d0, d0, out);
+
+ element_mul(element_x(out), element_x(u), t1);
+ element_mul(element_y(out), element_y(u), t1);
+ element_mul(element_x(d1), element_x(v), s1);
+ element_mul(element_y(d1), element_y(v), s1);
+ element_sub(d1, d1, out);
+ element_mul(element_x(d1), element_x(d1), A);
+ element_mul(element_y(d1), element_y(d1), A);
+ }
+ if (!m) break;
+ m--;
+ }
+ // since c_k lies base field
+ // it gets killed by the final powering
+ //element_invert(c1, c1);
+ //element_mul(element_x(d1), element_x(d1), c1);
+ //element_mul(element_y(d1), element_y(d1), c1);
+
+ a_tateexp(out, d1, d0, pairing->phikonr);
+
+ element_clear(dm1);
+ element_clear(d0);
+ element_clear(d1);
+
+ element_clear(cm3);
+ element_clear(cm2);
+ element_clear(cm1);
+ element_clear(c0);
+ element_clear(c1);
+ element_clear(c2);
+ element_clear(c3);
+ element_clear(c4);
+
+ element_clear(sm2);
+ element_clear(sm1);
+ element_clear(s0);
+ element_clear(s1);
+ element_clear(s2);
+ element_clear(s3);
+
+ element_clear(tm2);
+ element_clear(tm1);
+ element_clear(t0);
+ element_clear(t1);
+ element_clear(t2);
+ element_clear(t3);
+
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(A);
+ element_clear(B);
+ element_clear(C);
+ element_clear(u);
+ element_clear(v);
+}
+
+struct ellnet_pp_st_s {
+ element_t sm1, s0, s1, s2;
+ element_t tm1, t0, t1, t2;
+};
+typedef struct ellnet_pp_st_s ellnet_pp_st_t[1];
+typedef struct ellnet_pp_st_s *ellnet_pp_st_ptr;
+
+struct ellnet_pp_s {
+ element_t x;
+ element_t y;
+ ellnet_pp_st_t *seq;
+};
+typedef struct ellnet_pp_s ellnet_pp_t[1];
+typedef struct ellnet_pp_s *ellnet_pp_ptr;
+
+static void a_pairing_ellnet_pp_init(pairing_pp_t p, element_ptr in1, pairing_t pairing) {
+ element_ptr x = curve_x_coord(in1);
+ element_ptr y = curve_y_coord(in1);
+ int i, rbits = mpz_sizeinbase(pairing->r, 2);
+ ellnet_pp_ptr pp = p->data = pbc_malloc(sizeof(ellnet_pp_t));
+ pp->seq = pbc_malloc(sizeof(ellnet_pp_st_t) * rbits);
+ element_init_same_as(pp->x, x);
+ element_init_same_as(pp->y, y);
+ element_set(pp->x, x);
+ element_set(pp->y, y);
+ for (i=0; i<rbits; i++) {
+ ellnet_pp_st_ptr seq = pp->seq[i];
+ element_init_same_as(seq->sm1, x);
+ element_init_same_as(seq->s0, x);
+ element_init_same_as(seq->s1, x);
+ element_init_same_as(seq->s2, x);
+ element_init_same_as(seq->tm1, x);
+ element_init_same_as(seq->t0, x);
+ element_init_same_as(seq->t1, x);
+ element_init_same_as(seq->t2, x);
+ }
+
+ //we map (x2,y2) to (-x2, i y2) before pairing
+ //notation: cmi means c_{k-i}, ci means c_{k+i}
+ element_t cm3, cm2, cm1, c0, c1, c2, c3, c4;
+ element_t C;
+
+ element_init_same_as(cm3, x);
+ element_init_same_as(cm2, x);
+ element_init_same_as(cm1, x);
+ element_init_same_as(c0, x);
+ element_init_same_as(c1, x);
+ element_init_same_as(c2, x);
+ element_init_same_as(c3, x);
+ element_init_same_as(c4, x);
+ element_init_same_as(C, x);
+
+ // c1 = 2y
+ // c0 = 1
+ // cm2 = -1
+ // cm3 = -2y
+ element_double(c1, y);
+ element_set1(c0);
+ element_neg(cm3, c1);
+ element_neg(cm2, c0);
+
+ // a = 1, b = 0 for Y^2 = X^3 + X
+ //hence c3 = c_{k+3} = c_4 = 4y(x^6 + 5(x^4 - x^2) - 1)
+ //use cm1, C, c2 as temp variables for now
+ element_square(cm1, x);
+ element_square(C, cm1);
+ element_sub(c2, C, cm1);
+ element_double(c3, c2);
+ element_double(c3, c3);
+ element_add(c3, c3, c2);
+ element_mul(c2, C, cm1);
+ element_add(c3, c3, c2);
+ element_add(c3, c3, cm2);
+ element_mul(c3, c3, c1);
+ element_double(c3, c3);
+
+ // c2 = c_3 = 3x^4 + 6x^2 - 1
+ element_double(cm1, cm1);
+ element_add(cm1, cm1, C);
+ element_double(C, cm1);
+ element_add(C, C, cm1);
+ element_add(c2, C, cm2);
+
+ // c4 = c_5 = c_2^3 c_4 - c_3^3 = c1^3 c3 - c2^3
+ element_square(C, c1);
+ element_mul(c4, C, c1);
+ element_mul(c4, c4, c3);
+ element_square(C, c2);
+ element_mul(C, C, c2);
+ element_sub(c4, c4, C);
+
+ // cm1 = 0
+ // C = (2y)^-1
+ element_set0(cm1);
+ element_invert(C, c1);
+
+ int k = 0;
+ element_t sm2, s3;
+ element_t tm2, t3;
+ element_ptr sm1, s0, s1, s2;
+ element_ptr tm1, t0, t1, t2;
+ element_t e0, e1;
+
+ element_init_same_as(sm2, x);
+ element_init_same_as(s3, x);
+
+ element_init_same_as(tm2, x);
+ element_init_same_as(t3, x);
+
+ element_init_same_as(e0, x);
+ element_init_same_as(e1, x);
+
+ int m = rbits - 2;
+ for (;;) {
+ ellnet_pp_st_ptr seq = pp->seq[k];
+ sm1 = seq->sm1;
+ s0 = seq->s0;
+ s1 = seq->s1;
+ s2 = seq->s2;
+ tm1 = seq->tm1;
+ t0 = seq->t0;
+ t1 = seq->t1;
+ t2 = seq->t2;
+
+ element_square(sm2, cm2);
+ element_square(sm1, cm1);
+ element_square(s0, c0);
+ element_square(s1, c1);
+ element_square(s2, c2);
+ element_square(s3, c3);
+
+ element_mul(tm2, cm3, cm1);
+ element_mul(tm1, cm2, c0);
+ element_mul(t0, cm1, c1);
+ element_mul(t1, c0, c2);
+ element_mul(t2, c1, c3);
+ element_mul(t3, c2, c4);
+
+ if (!m) break;
+ k++;
+
+ if (mpz_tstbit(pairing->r, m)) {
+ //double-and-add
+ element_mul(e0, t0, sm2);
+ element_mul(e1, tm2, s0);
+ element_sub(cm3, e0, e1);
+ element_mul(cm3, cm3, C);
+
+ element_mul(e0, t0, sm1);
+ element_mul(e1, tm1, s0);
+ element_sub(cm2, e0, e1);
+
+ element_mul(e0, t1, sm1);
+ element_mul(e1, tm1, s1);
+ element_sub(cm1, e0, e1);
+ element_mul(cm1, cm1, C);
+
+ element_mul(e0, t1, s0);
+ element_mul(e1, t0, s1);
+ element_sub(c0, e0, e1);
+
+ element_mul(e0, t2, s0);
+ element_mul(e1, t0, s2);
+ element_sub(c1, e0, e1);
+ element_mul(c1, c1, C);
+
+ element_mul(e0, t2, s1);
+ element_mul(e1, t1, s2);
+ element_sub(c2, e0, e1);
+
+ element_mul(e0, t3, s1);
+ element_mul(e1, t1, s3);
+ element_sub(c3, e0, e1);
+ element_mul(c3, c3, C);
+
+ element_mul(e0, t3, s2);
+ element_mul(e1, t2, s3);
+ element_sub(c4, e0, e1);
+
+ } else {
+ //double
+ element_mul(e0, tm1, sm2);
+ element_mul(e1, tm2, sm1);
+ element_sub(cm3, e0, e1);
+
+ element_mul(e0, t0, sm2);
+ element_mul(e1, tm2, s0);
+ element_sub(cm2, e0, e1);
+ element_mul(cm2, cm2, C);
+
+ element_mul(e0, t0, sm1);
+ element_mul(e1, tm1, s0);
+ element_sub(cm1, e0, e1);
+
+ element_mul(e0, t1, sm1);
+ element_mul(e1, tm1, s1);
+ element_sub(c0, e0, e1);
+ element_mul(c0, c0, C);
+
+ element_mul(e0, t1, s0);
+ element_mul(e1, t0, s1);
+ element_sub(c1, e0, e1);
+
+ element_mul(e0, t2, s0);
+ element_mul(e1, t0, s2);
+ element_sub(c2, e0, e1);
+ element_mul(c2, c2, C);
+
+ element_mul(e0, t2, s1);
+ element_mul(e1, t1, s2);
+ element_sub(c3, e0, e1);
+
+ element_mul(e0, t3, s1);
+ element_mul(e1, t1, s3);
+ element_sub(c4, e0, e1);
+ element_mul(c4, c4, C);
+ }
+ m--;
+ }
+
+ element_clear(cm3);
+ element_clear(cm2);
+ element_clear(cm1);
+ element_clear(c0);
+ element_clear(c1);
+ element_clear(c2);
+ element_clear(c3);
+ element_clear(c4);
+
+ element_clear(sm2);
+ element_clear(s3);
+
+ element_clear(tm2);
+ element_clear(t3);
+
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(C);
+}
+
+static void a_pairing_ellnet_pp_clear(pairing_pp_t p) {
+ ellnet_pp_ptr pp = p->data;
+ int i, rbits = mpz_sizeinbase(p->pairing->r, 2);
+ for (i=0; i<rbits; i++) {
+ ellnet_pp_st_ptr seq = pp->seq[i];
+ element_clear(seq->sm1);
+ element_clear(seq->s0);
+ element_clear(seq->s1);
+ element_clear(seq->s2);
+ element_clear(seq->tm1);
+ element_clear(seq->t0);
+ element_clear(seq->t1);
+ element_clear(seq->t2);
+ }
+ element_clear(pp->x);
+ element_clear(pp->y);
+ pbc_free(pp->seq);
+ pbc_free(p->data);
+}
+
+static void a_pairing_ellnet_pp_apply(element_ptr out, element_ptr in2, pairing_pp_t p) {
+ element_ptr x2 = curve_x_coord(in2);
+ element_ptr y2 = curve_y_coord(in2);
+ ellnet_pp_ptr pp = p->data;
+ int rbits = mpz_sizeinbase(p->pairing->r, 2);
+ int k = 0;
+ int m = rbits - 2;
+ element_t A, B;
+ element_t e0, e1;
+ element_t dm1, d0, d1;
+ element_t u, v;
+
+ element_init_same_as(A, x2);
+ element_init_same_as(B, out);
+ element_init_same_as(e0, x2);
+ element_init_same_as(e1, x2);
+ element_init_same_as(dm1, out);
+ element_init_same_as(d0, out);
+ element_init_same_as(d1, out);
+ element_init_same_as(u, out);
+ element_init_same_as(v, out);
+
+ element_add(A, pp->x, x2);
+ element_double(e0, pp->x);
+ element_sub(e0, e0, x2);
+ element_square(e1, A);
+ element_mul(e1, e0, e1);
+ element_set(element_x(d1), pp->y);
+ element_set(element_y(d1), y2);
+ element_square(d1, d1);
+ element_sub(element_x(d1), element_x(d1), e1);
+ element_neg(B, d1);
+ element_invert(B, B);
+ element_invert(A, A);
+ element_mul(element_x(d1), pp->y, A);
+ element_neg(element_x(d1), element_x(d1));
+ element_mul(element_y(d1), y2, A);
+ element_square(d1, d1);
+ element_sub(element_x(d1), e0, element_x(d1));
+ element_neg(element_y(d1), element_y(d1));
+
+ element_set1(dm1);
+ element_set1(d0);
+ for (;;) {
+ element_ptr sm1, s0, s1, s2;
+ element_ptr tm1, t0, t1, t2;
+ ellnet_pp_st_ptr seq = pp->seq[k];
+ sm1 = seq->sm1;
+ s0 = seq->s0;
+ s1 = seq->s1;
+ s2 = seq->s2;
+ tm1 = seq->tm1;
+ t0 = seq->t0;
+ t1 = seq->t1;
+ t2 = seq->t2;
+ k++;
+
+ element_square(u, d0);
+ element_mul(v, dm1, d1);
+
+ if (mpz_tstbit(p->pairing->r, m)) {
+ //double-and-add
+ element_mul(element_x(out), element_x(u), t0);
+ element_mul(element_y(out), element_y(u), t0);
+ element_mul(element_x(dm1), element_x(v), s0);
+ element_mul(element_y(dm1), element_y(v), s0);
+ element_sub(dm1, dm1, out);
+
+ element_mul(element_x(out), element_x(u), t1);
+ element_mul(element_y(out), element_y(u), t1);
+ element_mul(element_x(d0), element_x(v), s1);
+ element_mul(element_y(d0), element_y(v), s1);
+ element_sub(d0, d0, out);
+ element_mul(element_x(d0), element_x(d0), A);
+ element_mul(element_y(d0), element_y(d0), A);
+
+ element_mul(element_x(out), element_x(u), t2);
+ element_mul(element_y(out), element_y(u), t2);
+ element_mul(element_x(d1), element_x(v), s2);
+ element_mul(element_y(d1), element_y(v), s2);
+ element_sub(d1, d1, out);
+ element_mul(d1, d1, B);
+ } else {
+ //double
+ element_mul(element_x(out), element_x(u), tm1);
+ element_mul(element_y(out), element_y(u), tm1);
+ element_mul(element_x(dm1), element_x(v), sm1);
+ element_mul(element_y(dm1), element_y(v), sm1);
+ element_sub(dm1, dm1, out);
+
+ element_mul(element_x(out), element_x(u), t0);
+ element_mul(element_y(out), element_y(u), t0);
+ element_mul(element_x(d0), element_x(v), s0);
+ element_mul(element_y(d0), element_y(v), s0);
+ element_sub(d0, d0, out);
+
+ element_mul(element_x(out), element_x(u), t1);
+ element_mul(element_y(out), element_y(u), t1);
+ element_mul(element_x(d1), element_x(v), s1);
+ element_mul(element_y(d1), element_y(v), s1);
+ element_sub(d1, d1, out);
+ element_mul(element_x(d1), element_x(d1), A);
+ element_mul(element_y(d1), element_y(d1), A);
+ }
+ if (!m) break;
+ m--;
+ }
+ a_tateexp(out, d1, d0, p->pairing->phikonr);
+
+ element_clear(A);
+ element_clear(B);
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(dm1);
+ element_clear(d0);
+ element_clear(d1);
+ element_clear(u);
+ element_clear(v);
+}
+
+//in1, in2 are from E(F_q), out from F_q^2
+static void a_pairing_proj(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ a_pairing_data_ptr p = pairing->data;
+ element_t V, V1;
+ element_t z, z2;
+ element_t f, f0, f1;
+ element_t a, b, c;
+ element_t e0;
+ const element_ptr e1 = a, e2 = b, e3 = c;
+ int i, n;
+ element_ptr Vx, Vy;
+ element_ptr V1x, V1y;
+ element_ptr Qx = curve_x_coord(in2);
+ element_ptr Qy = curve_y_coord(in2);
+
+ //could save a couple of inversions by avoiding
+ //this function and rewriting do_line() to handle projective coords
+ //convert V from weighted projective (Jacobian) to affine
+ //i.e. (X, Y, Z) --> (X/Z^2, Y/Z^3)
+ //also sets z to 1
+ #define point_to_affine() \
+ element_invert(z, z); \
+ element_square(e0, z); \
+ element_mul(Vx, Vx, e0); \
+ element_mul(e0, e0, z); \
+ element_mul(Vy, Vy, e0); \
+ element_set1(z); \
+ element_set1(z2);
+
+ #define proj_double() { \
+ /* e0 = 3x^2 + (cc->a) z^4 */ \
+ /* for this case a = 1 */ \
+ element_square(e0, Vx); \
+ /*element_mul_si(e0, e0, 3);*/ \
+ element_double(e1, e0); \
+ element_add(e0, e1, e0); \
+ element_square(e1, z2); \
+ element_add(e0, e0, e1); \
+ \
+ /* z_out = 2 y z */ \
+ element_mul(z, Vy, z); \
+ /*element_mul_si(z, z, 2);*/ \
+ element_double(z, z); \
+ element_square(z2, z); \
+ \
+ /* e1 = 4 x y^2 */ \
+ element_square(e2, Vy); \
+ element_mul(e1, Vx, e2); \
+ /*element_mul_si(e1, e1, 4);*/ \
+ element_double(e1, e1); \
+ element_double(e1, e1); \
+ \
+ /* x_out = e0^2 - 2 e1 */ \
+ element_double(e3, e1); \
+ element_square(Vx, e0); \
+ element_sub(Vx, Vx, e3); \
+ \
+ /* e2 = 8y^4 */ \
+ element_square(e2, e2); \
+ /*element_mul_si(e2, e2, 8);*/ \
+ element_double(e2, e2); \
+ element_double(e2, e2); \
+ element_double(e2, e2); \
+ \
+ /*y_out = e0(e1 - x_out) - e2*/\
+ element_sub(e1, e1, Vx); \
+ element_mul(e0, e0, e1); \
+ element_sub(Vy, e0, e2); \
+ }
+
+ #define do_tangent() \
+ compute_abc_tangent_proj(a, b, c, Vx, Vy, z, z2, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0);
+
+ #define do_line() \
+ compute_abc_line(a, b, c, Vx, Vy, V1x, V1y, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0);
+
+ element_init(V, p->Eq);
+ element_init(V1, p->Eq);
+ element_set(V, in1);
+
+ Vx = curve_x_coord(V);
+ Vy = curve_y_coord(V);
+ V1x = curve_x_coord(V1);
+ V1y = curve_y_coord(V1);
+
+ element_init(f, p->Fq2);
+ element_init(f0, p->Fq2);
+ element_init(f1, p->Fq2);
+ element_set1(f);
+ element_init(a, p->Fq);
+ element_init(b, p->Fq);
+ element_init(c, p->Fq);
+ element_init(e0, p->Fq);
+ element_init(z, p->Fq);
+ element_init(z2, p->Fq);
+ element_set1(z);
+ element_set1(z2);
+ n = p->exp1;
+ for (i=0; i<n; i++) {
+ //f = f^2 g_V,V(Q)
+ //where g_V,V = tangent at V
+ element_square(f, f);
+ do_tangent();
+ proj_double();
+ }
+ point_to_affine();
+ if (p->sign1 < 0) {
+ element_neg(V1, V);
+ element_invert(f1, f);
+ } else {
+ element_set(V1, V);
+ element_set(f1, f);
+ }
+ n = p->exp2;
+ for (; i<n; i++) {
+ element_square(f, f);
+ do_tangent();
+ proj_double();
+ }
+
+ element_mul(f, f, f1);
+ point_to_affine();
+ do_line();
+
+ a_tateexp(out, f, f0, pairing->phikonr);
+
+ element_clear(f);
+ element_clear(f0);
+ element_clear(f1);
+ element_clear(z);
+ element_clear(z2);
+ element_clear(V);
+ element_clear(V1);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ #undef point_to_affine
+ #undef proj_double
+ #undef do_tangent
+ #undef do_line
+}
+
+//in1, in2 are from E(F_q), out from F_q^2
+static void a_pairing_affine(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ a_pairing_data_ptr p = pairing->data;
+ element_t V, V1;
+ element_t f, f0, f1;
+ element_t a, b, c;
+ element_t e0;
+ int i, n;
+ element_ptr Qx = curve_x_coord(in2);
+ element_ptr Qy = curve_y_coord(in2);
+ element_ptr Vx, Vy;
+ element_ptr V1x, V1y;
+
+ #define do_tangent() \
+ compute_abc_tangent(a, b, c, Vx, Vy, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0);
+
+ #define do_line() \
+ compute_abc_line(a, b, c, Vx, Vy, V1x, V1y, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0);
+
+ element_init(V, p->Eq);
+ element_init(V1, p->Eq);
+ Vx = curve_x_coord(V);
+ Vy = curve_y_coord(V);
+
+ V1x = curve_x_coord(V1);
+ V1y = curve_y_coord(V1);
+
+ element_set(V, in1);
+ element_init(f, p->Fq2);
+ element_init(f0, p->Fq2);
+ element_init(f1, p->Fq2);
+ element_set1(f);
+ element_init(a, p->Fq);
+ element_init(b, p->Fq);
+ element_init(c, p->Fq);
+ element_init(e0, p->Fq);
+ n = p->exp1;
+ for (i=0; i<n; i++) {
+ //f = f^2 g_V,V(Q)
+ //where g_V,V = tangent at V
+ element_square(f, f);
+ do_tangent();
+ element_double(V, V);
+ }
+ if (p->sign1 < 0) {
+ element_neg(V1, V);
+ element_invert(f1, f);
+ } else {
+ element_set(V1, V);
+ element_set(f1, f);
+ }
+ n = p->exp2;
+ for (; i<n; i++) {
+ element_square(f, f);
+ do_tangent();
+ element_double(V, V);
+ }
+
+ element_mul(f, f, f1);
+ do_line();
+
+ a_tateexp(out, f, f0, pairing->phikonr);
+
+ element_clear(f);
+ element_clear(f0);
+ element_clear(f1);
+ element_clear(V);
+ element_clear(V1);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ #undef do_tangent
+ #undef do_line
+}
+
+// On Computing Products of Pairing
+//in1, in2 are from E(F_q), out from F_q^2
+void a_pairings_affine(element_ptr out, element_t in1[], element_t in2[],
+ int n_prod, pairing_t pairing) {
+ a_pairing_data_ptr p = pairing->data;
+ element_t* V = pbc_malloc(sizeof(element_t)*n_prod);
+ element_t* V1 = pbc_malloc(sizeof(element_t)*n_prod);
+ element_t f, f0, f1;
+ element_t a, b, c;
+ element_t e0;
+ int i, j, n;
+ element_ptr Qx, Qy;
+ element_ptr Vx, Vy;
+ element_ptr V1x, V1y;
+
+ #define do_tangents() \
+ for(j=0; j<n_prod; j++){ \
+ Vx = curve_x_coord(V[j]); \
+ Vy = curve_y_coord(V[j]); \
+ Qx = curve_x_coord(in2[j]); \
+ Qy = curve_y_coord(in2[j]); \
+ \
+ compute_abc_tangent(a, b, c, Vx, Vy, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0); \
+ }
+
+ #define do_lines() \
+ for(j=0;j<n_prod;j++){ \
+ Vx = curve_x_coord(V[j]); \
+ Vy = curve_y_coord(V[j]); \
+ V1x = curve_x_coord(V1[j]); \
+ V1y = curve_y_coord(V1[j]); \
+ Qx = curve_x_coord(in2[j]); \
+ Qy = curve_y_coord(in2[j]); \
+ \
+ compute_abc_line(a, b, c, Vx, Vy, V1x, V1y, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0); \
+ }
+
+ for(i=0; i<n_prod; i++){
+ element_init(V[i],p->Eq);
+ element_init(V1[i],p->Eq);
+ element_set(V[i],in1[i]);
+ }
+
+
+ element_init(f, p->Fq2);
+ element_init(f0, p->Fq2);
+ element_init(f1, p->Fq2);
+ element_set1(f);
+ element_init(a, p->Fq);
+ element_init(b, p->Fq);
+ element_init(c, p->Fq);
+ element_init(e0, p->Fq);
+ n = p->exp1;
+ for (i=0; i<n; i++) {
+ //f = f^2 g_V,V(Q)
+ //where g_V,V = tangent at V
+ element_square(f, f);
+ do_tangents();
+ element_multi_double(V, V, n_prod); //V_i = V_i + V_i for all i at one time.
+ }
+ if (p->sign1 < 0) {
+ for(j=0; j<n_prod; j++){
+ element_neg(V1[j], V[j]);
+ }
+ element_invert(f1, f);
+ } else {
+ for(j=0; j<n_prod; j++){
+ element_set(V1[j], V[j]);
+ }
+ element_set(f1, f);
+ }
+ n = p->exp2;
+ for (; i<n; i++) {
+ element_square(f, f);
+ do_tangents();
+ element_multi_double(V, V, n_prod);
+ }
+
+ element_mul(f, f, f1);
+ do_lines();
+
+ a_tateexp(out, f, f0, pairing->phikonr);
+
+ element_clear(f);
+ element_clear(f0);
+ element_clear(f1);
+ for(j=0;j<n_prod;j++){
+ element_clear(V[j]);
+ element_clear(V1[j]);
+ }
+ pbc_free(V);
+ pbc_free(V1);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ #undef do_tangents
+ #undef do_lines
+}
+
+static void a_pairing_clear(pairing_t pairing) {
+ field_clear(pairing->GT);
+
+ a_pairing_data_ptr p = pairing->data;
+ field_clear(p->Eq);
+ field_clear(p->Fq);
+ field_clear(p->Fq2);
+ pbc_free(p);
+
+ mpz_clear(pairing->r);
+ mpz_clear(pairing->phikonr);
+ field_clear(pairing->Zr);
+}
+
+static void a_pairing_option_set(pairing_t pairing, char *key, char *value) {
+ if (!strcmp(key, "method")) {
+ if (!strcmp(value, "miller")) {
+ pairing->map = a_pairing_proj;
+ pairing->pp_init = a_pairing_pp_init;
+ pairing->pp_clear = a_pairing_pp_clear;
+ pairing->pp_apply = a_pairing_pp_apply;
+ } else if (!strcmp(value, "miller-affine")) {
+ pairing->map = a_pairing_affine;
+ pairing->pp_init = a_pairing_pp_init;
+ pairing->pp_clear = a_pairing_pp_clear;
+ pairing->pp_apply = a_pairing_pp_apply;
+ } else if (!strcmp(value, "shipsey-stange")) {
+ pairing->map = a_pairing_ellnet;
+ pairing->pp_init = a_pairing_ellnet_pp_init;
+ pairing->pp_clear = a_pairing_ellnet_pp_clear;
+ pairing->pp_apply = a_pairing_ellnet_pp_apply;
+ }
+ }
+}
+
+static void a_finalpow(element_t e) {
+ pairing_ptr pairing = e->field->pairing;
+ element_t t0, t1;
+ element_init_same_as(t0, e->data);
+ element_init_same_as(t1, e->data);
+ a_tateexp(t0, e->data, t1, pairing->phikonr);
+ element_set(e->data, t0);
+ element_clear(t0);
+ element_clear(t1);
+}
+
+static void a_init_pairing(pairing_ptr pairing, void *data) {
+ a_param_ptr param = data;
+ element_t a, b;
+ a_pairing_data_ptr p;
+
+ p = pairing->data = pbc_malloc(sizeof(*p));
+ p->exp2 = param->exp2;
+ p->exp1 = param->exp1;
+ p->sign1 = param->sign1;
+ mpz_init(pairing->r);
+ mpz_set(pairing->r, param->r);
+ field_init_fp(pairing->Zr, pairing->r);
+ pairing->map = a_pairing_proj;
+ pairing->prod_pairings = a_pairings_affine;
+
+ field_init_fp(p->Fq, param->q);
+ element_init(a, p->Fq);
+ element_init(b, p->Fq);
+ element_set1(a);
+ element_set0(b);
+ field_init_curve_ab(p->Eq, a, b, pairing->r, param->h);
+ element_clear(a);
+ element_clear(b);
+
+ field_init_fi(p->Fq2, p->Fq);
+
+ //k=2, hence phi_k(q) = q + 1, phikonr = (q+1)/r
+ mpz_init(pairing->phikonr);
+ mpz_set(pairing->phikonr, param->h);
+
+ pairing->G1 = p->Eq;
+ pairing->G2 = pairing->G1;
+ pairing->phi = phi_identity;
+ pairing_GT_init(pairing, p->Fq2);
+ pairing->finalpow = a_finalpow;
+
+ pairing->clear_func = a_pairing_clear;
+ pairing->option_set = a_pairing_option_set;
+ pairing->pp_init = a_pairing_pp_init;
+ pairing->pp_clear = a_pairing_pp_clear;
+ pairing->pp_apply = a_pairing_pp_apply;
+}
+
+static void a_param_init(pbc_param_ptr par) {
+ static pbc_param_interface_t interface = {{
+ a_clear,
+ a_init_pairing,
+ a_out_str,
+ }};
+ par->api = interface;
+ a_param_ptr p = par->data = pbc_malloc(sizeof(*p));
+ mpz_init(p->r);
+ mpz_init(p->q);
+ mpz_init(p->h);
+}
+
+// Public interface for type A pairings:
+
+int pbc_param_init_a(pbc_param_ptr par, struct symtab_s *tab) {
+ a_param_init(par);
+ a_param_ptr p = par->data;
+
+ int err = 0;
+ err += lookup_mpz(p->q, tab, "q");
+ err += lookup_mpz(p->r, tab, "r");
+ err += lookup_mpz(p->h, tab, "h");
+ err += lookup_int(&p->exp2, tab, "exp2");
+ err += lookup_int(&p->exp1, tab, "exp1");
+ err += lookup_int(&p->sign1, tab, "sign1");
+ err += lookup_int(&p->sign0, tab, "sign0");
+ return err;
+}
+
+void pbc_param_init_a_gen(pbc_param_ptr par, int rbits, int qbits) {
+ a_param_init(par);
+ a_param_ptr sp = par->data;
+ int found = 0;
+
+ mpz_ptr q = sp->q;
+ mpz_ptr r = sp->r;
+ mpz_ptr h = sp->h;
+
+ do {
+ int i;
+ mpz_set_ui(r, 0);
+
+ if (rand() % 2) {
+ sp->exp2 = rbits - 1;
+ sp->sign1 = 1;
+ } else {
+ sp->exp2 = rbits;
+ sp->sign1 = -1;
+ }
+ mpz_setbit(r, sp->exp2);
+
+ //use q as a temp variable
+ mpz_set_ui(q, 0);
+ sp->exp1 = (rand() % (sp->exp2 - 1)) + 1;
+ mpz_setbit(q, sp->exp1);
+ if (sp->sign1 > 0) {
+ mpz_add(r, r, q);
+ } else {
+ mpz_sub(r, r, q);
+ }
+
+ if (rand() % 2) {
+ sp->sign0 = 1;
+ mpz_add_ui(r, r, 1);
+ } else {
+ sp->sign0 = -1;
+ mpz_sub_ui(r, r, 1);
+ }
+ if (!mpz_probab_prime_p(r, 10)) continue;
+ for (i=0; i<10; i++) {
+ int bit;
+ //use q as a temp variable
+ mpz_set_ui(q, 0);
+ bit = qbits - rbits - 4 + 1;
+ if (bit < 3) bit = 3;
+ mpz_setbit(q, bit);
+ pbc_mpz_random(h, q);
+ mpz_mul_ui(h, h, 12);
+ //finally q takes the value it should
+ mpz_mul(q, h, r);
+ mpz_sub_ui(q, q, 1);
+ if (mpz_probab_prime_p(q, 10)) {
+ found = 1;
+ break;
+ }
+ }
+ } while (!found);
+}
+
+// Type A1 pairings:
+
+struct a1_param_s {
+ mpz_t p;
+ mpz_t n;
+ int l;
+};
+typedef struct a1_param_s a1_param_t[1];
+typedef struct a1_param_s *a1_param_ptr;
+
+struct a1_pairing_data_s {
+ field_t Fp, Fp2, Ep;
+};
+typedef struct a1_pairing_data_s a1_pairing_data_t[1];
+typedef struct a1_pairing_data_s *a1_pairing_data_ptr;
+
+static void a1_clear(void *data) {
+ a1_param_ptr param = data;
+ mpz_clear(param->p);
+ mpz_clear(param->n);
+ pbc_free(data);
+}
+
+static void a1_out_str(FILE *stream, void *data) {
+ a1_param_ptr p = data;
+ param_out_type(stream, "a1");
+ param_out_mpz(stream, "p", p->p);
+ param_out_mpz(stream, "n", p->n);
+ param_out_int(stream, "l", p->l);
+}
+
+struct pp2_coeff_s {
+ element_t cx2;
+ element_t cy2;
+ element_t cxy;
+ element_t cx;
+ element_t cy;
+ element_t c;
+};
+typedef struct pp2_coeff_s pp2_coeff_t[1];
+typedef struct pp2_coeff_s *pp2_coeff_ptr;
+
+static void pp2_coeff_set(pp2_coeff_ptr p,
+ element_t cx2, element_t cy2, element_t cxy,
+ element_t cx, element_t cy, element_t c) {
+ element_init(p->cx2, cx2->field);
+ element_init(p->cy2, cy2->field);
+ element_init(p->cxy, cxy->field);
+ element_init(p->cx, cx->field);
+ element_init(p->cy, cy->field);
+ element_init(p->c, c->field);
+ element_set(p->cx2, cx2);
+ element_set(p->cy2, cy2);
+ element_set(p->cxy, cxy);
+ element_set(p->cx, cx);
+ element_set(p->cy, cy);
+ element_set(p->c, c);
+}
+
+static void a1_pairing_pp_clear(pairing_pp_t p) {
+ void **pp = p->data;
+ while (*pp) {
+ pbc_free(*pp);
+ pp++;
+ }
+ pbc_free(p->data);
+}
+
+static void a1_pairing_pp_init(pairing_pp_t p, element_ptr in1, pairing_t pairing) {
+ int m;
+ element_ptr Px = curve_x_coord(in1);
+ element_ptr Py = curve_y_coord(in1);
+ a1_pairing_data_ptr a1info = pairing->data;
+ p->data = pbc_malloc(sizeof(void *) * mpz_sizeinbase(pairing->r, 2));
+ void **pp = p->data;
+ element_t V;
+ element_t a, b, c;
+ element_t a2, b2, c2;
+ element_t e0, e1, e2;
+ element_ptr Vx, Vy;
+
+ #define do_tangent() compute_abc_tangent(a, b, c, Vx, Vy, e0);
+
+ #define do_line() compute_abc_line(a2, b2, c2, Vx, Vy, Px, Py, e0);
+
+ element_init(V, a1info->Ep);
+ element_set(V, in1);
+ Vx = curve_x_coord(V);
+ Vy = curve_y_coord(V);
+
+ element_init(a, a1info->Fp);
+ element_init(b, a1info->Fp);
+ element_init(c, a1info->Fp);
+ element_init(e0, a1info->Fp);
+ element_init(e1, a1info->Fp);
+ element_init(e2, a1info->Fp);
+ element_init(a2, a1info->Fp);
+ element_init(b2, a1info->Fp);
+ element_init(c2, a1info->Fp);
+
+ m = mpz_sizeinbase(pairing->r, 2) - 2;
+
+ for(;;) {
+ do_tangent();
+ if (!m) break;
+ element_double(V, V);
+
+ if (mpz_tstbit(pairing->r, m)) {
+ do_line();
+ element_add(V, V, in1);
+ //preprocess two at once
+ //e0 = coeff of x
+ element_mul(e0, a, c2);
+ element_mul(e1, a2, c);
+ element_add(e0, e0, e1);
+
+ //e1 = coeff of y
+ element_mul(e1, b2, c);
+ element_mul(e2, b, c2);
+ element_add(e1, e1, e2);
+
+ //c = constant term
+ element_mul(c, c, c2);
+
+ //c2 = coeff of xy
+ element_mul(c2, a, b2);
+ element_mul(e2, a2, b);
+ element_add(c2, c2, e2);
+
+ //a = coeff of x^2
+ element_mul(a, a, a2);
+
+ //b = coeff of y^2
+ element_mul(b, b, b2);
+
+ *pp = pbc_malloc(sizeof(pp2_coeff_t));
+ pp2_coeff_set(*pp, a, b, c2, e0, e1, c);
+ } else {
+ *pp = pbc_malloc(sizeof(pp_coeff_t));
+ pp_coeff_set(*pp, a, b, c);
+ }
+ pp++;
+ m--;
+ }
+ *pp = pbc_malloc(sizeof(pp_coeff_t));
+ pp_coeff_set(*pp, a, b, c);
+ pp++;
+ *pp = NULL;
+
+ element_clear(a2);
+ element_clear(b2);
+ element_clear(c2);
+ element_clear(e2);
+ element_clear(e1);
+ element_clear(e0);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(V);
+ #undef do_tangent
+ #undef do_line
+}
+
+static void a1_pairing_pp_apply(element_ptr out, element_ptr in2, pairing_pp_t p) {
+ void **pp = p->data;
+ a1_pairing_data_ptr a1info = p->pairing->data;
+ element_t f, f0;
+ element_t e0, e1;
+ int m;
+ element_ptr Qx = curve_x_coord(in2);
+ element_ptr Qy = curve_y_coord(in2);
+ element_t Qx2, Qy2, Qxy;
+
+ #define do_tangent() \
+ pp_coeff_ptr ppp = *pp; \
+ a_miller_evalfn(f0, ppp->a, ppp->b, ppp->c, Qx, Qy);
+
+ #define do_line() { \
+ pp2_coeff_ptr ppp = *pp; \
+ /*we'll map Q via (x,y) --> (-x, iy) */ \
+ /*hence Qx^2 = x^2, Qy^2 = -y^2, Qx Qy = -ixy */\
+ /*where x = Q'x, y = Q'y */ \
+ \
+ /* Re = cx2 x^2 - cy2 y^2 - cx x + c */ \
+ /* Im = -cxy xy + cy y */ \
+ element_mul(e0, ppp->cx2, Qx2); \
+ element_mul(e1, ppp->cy2, Qy2); \
+ element_sub(e0, e0, e1); \
+ element_mul(e1, ppp->cx, Qx); \
+ element_sub(e0, e0, e1); \
+ element_add(element_x(f0), e0, ppp->c); \
+ \
+ element_mul(e0, ppp->cy, Qy); \
+ element_mul(e1, ppp->cxy, Qxy); \
+ element_sub(element_y(f0), e0, e1); \
+ }
+
+ element_init(f, out->field);
+ element_init(f0, out->field);
+
+ element_set1(f);
+
+ element_init(e0, a1info->Fp);
+ element_init(e1, a1info->Fp);
+ element_init(Qx2, a1info->Fp);
+ element_init(Qy2, a1info->Fp);
+ element_init(Qxy, a1info->Fp);
+
+ element_square(Qx2, Qx);
+ element_square(Qy2, Qy);
+ element_mul(Qxy, Qx, Qy);
+
+ m = mpz_sizeinbase(p->pairing->r, 2) - 2;
+
+ while (m > 0) {
+ if (mpz_tstbit(p->pairing->r, m)) {
+ do_line();
+ } else {
+ do_tangent();
+ }
+ element_mul(f, f, f0);
+ pp++;
+ m--;
+ element_square(f, f);
+ }
+ do_tangent();
+ element_mul(f, f, f0);
+
+ //Tate exponentiation
+ //simpler but slower:
+ //element_pow_mpz(out, f, p->tateexp);
+ //use this trick instead:
+ element_invert(f0, f);
+ element_neg(element_y(f), element_y(f));
+ element_mul(f, f, f0);
+ element_pow_mpz(out, f, p->pairing->phikonr);
+
+ /* We could use this instead but p->h is small so this does not help much
+ a_tateexp(out, f, f0, p->h);
+ */
+
+ element_clear(Qx2);
+ element_clear(Qy2);
+ element_clear(Qxy);
+ element_clear(f);
+ element_clear(f0);
+ element_clear(e1);
+ element_clear(e0);
+ #undef do_tangent
+ #undef do_line
+}
+
+// e0 is a temp var.
+// Mixed coordinates.
+static void compute_abc_line_proj(element_ptr a, element_ptr b, element_ptr c,
+ element_ptr Vx, element_ptr Vy, element_ptr z, element_ptr z2,
+ element_ptr V1x, element_ptr V1y, element_ptr e0) {
+ //temporally used to store Z1^3
+ element_mul(c,z,z2);
+ //a = Y1-Y2*Z1^3
+ element_mul(e0,V1y,c);
+ element_sub(a,Vy,e0);
+ //b = -(X1*Z1-X2*Z1^3)
+ element_mul(b,c,V1x);
+ element_mul(e0,Vx,z);
+ element_sub(b,b,e0);
+ //c = -(Y2*b+X2*a)
+ element_mul(c,b,V1y);
+ element_mul(e0,a,V1x);
+ element_add(c,c,e0);
+ element_neg(c,c);
+}
+
+// in1, in2 are from E(F_q), out from F_q^2
+static void a1_pairing_proj(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ a1_pairing_data_ptr p = pairing->data;
+ element_t V;
+ element_t z, z2;
+ element_t f, f0;
+ element_t a, b, c;
+ element_t e0;
+ const element_ptr e1 = a, e2 = b, e3 = c; // used in point_to_affine() etc.
+ int m;
+ element_ptr Px = curve_x_coord(in1);
+ element_ptr Py = curve_y_coord(in1);
+ element_ptr Qx = curve_x_coord(in2);
+ element_ptr Qy = curve_y_coord(in2);
+ element_ptr Vx;
+ element_ptr Vy;
+
+ #define point_to_affine() \
+ element_invert(z, z); \
+ element_square(e0, z); \
+ element_mul(Vx, Vx, e0); \
+ element_mul(e0, e0, z); \
+ element_mul(Vy, Vy, e0); \
+ element_set1(z); \
+ element_set1(z2);
+
+ //TODO: do I need to check if V=-in1?
+ //Where V=(Vx,Vy,z) and in1=(Px,Py,1), a mixed coordinates.
+ #define proj_add() { \
+ /* H=X2*Z1^2-X1 */ \
+ element_mul(e0,Px,z2); \
+ element_sub(e0,e0,Vx); \
+ /* H^2 */ \
+ element_square(e1,e0); \
+ /* r=Y2*Z1^3-Y1 */ \
+ element_mul(e2,z,z2); \
+ element_mul(e2,e2,Py); \
+ element_sub(e2,e2,Vy); \
+ \
+ /* X3=r^2-H^3-2X1*H^2 */ \
+ element_set(z2,Vx); /* use z2 to store X1 and update Vx=X3 */ \
+ element_square(Vx,e2); \
+ element_mul(e3,e0,e1); /* e3=H^3 */ \
+ element_sub(Vx,Vx,e3); \
+ element_double(e3,z2); \
+ element_mul(e3,e3,e1); /* 2X1*H^2 */ \
+ element_sub(Vx,Vx,e3); \
+ /* Y3=r(X1*H^2-X3)-Y1*H^3 */ \
+ element_mul(e3,z2,e1); \
+ element_sub(e3,e3,Vx); \
+ element_mul(e3,e3,e2); \
+ element_mul(e2,e0,e1); /* e2 no longer used. */ \
+ element_mul(e2,e2,Vy); \
+ element_sub(Vy,e3,e2); \
+ /* Z3=Z1*H */ \
+ element_mul(z,z,e0); \
+ element_square(z2,z); \
+ }
+
+ #define proj_double() { \
+ /* e0 = 3x^2 + (cc->a) z^4 */ \
+ /* for this case a = 1 */ \
+ element_square(e0, Vx); \
+ /* element_mul_si(e0, e0, 3); */ \
+ element_double(e1, e0); \
+ element_add(e0, e1, e0); \
+ element_square(e1, z2); \
+ element_add(e0, e0, e1); \
+ \
+ /* z_out = 2 y z */ \
+ element_mul(z, Vy, z); \
+ /* element_mul_si(z, z, 2); */ \
+ element_double(z, z); \
+ element_square(z2, z); \
+ \
+ /* e1 = 4 x y^2 */ \
+ element_square(e2, Vy); \
+ element_mul(e1, Vx, e2); \
+ /* element_mul_si(e1, e1, 4); */ \
+ element_double(e1, e1); \
+ element_double(e1, e1); \
+ \
+ /* x_out = e0^2 - 2 e1 */ \
+ element_double(e3, e1); \
+ element_square(Vx, e0); \
+ element_sub(Vx, Vx, e3); \
+ \
+ /* e2 = 8y^4 */ \
+ element_square(e2, e2); \
+ /* element_mul_si(e2, e2, 8); */ \
+ element_double(e2, e2); \
+ element_double(e2, e2); \
+ element_double(e2, e2); \
+ \
+ /* y_out = e0(e1 - x_out) - e2 */ \
+ element_sub(e1, e1, Vx); \
+ element_mul(e0, e0, e1); \
+ element_sub(Vy, e0, e2); \
+ }
+
+ #define do_tangent() { \
+ compute_abc_tangent_proj(a, b, c, Vx, Vy, z, z2, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0); \
+ }
+
+ #define do_line() { \
+ compute_abc_line_proj(a, b, c, Vx, Vy, z, z2, Px, Py, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0); \
+ }
+
+ element_init(V, p->Ep);
+ element_set(V, in1);
+ Vx = curve_x_coord(V);
+ Vy = curve_y_coord(V);
+
+ element_init(f, p->Fp2);
+ element_init(f0, p->Fp2);
+ element_set1(f);
+ element_init(a, p->Fp);
+ element_init(b, p->Fp);
+ element_init(c, p->Fp);
+ element_init(e0, p->Fp);
+ element_init(z, p->Fp);
+ element_init(z2, p->Fp);
+ element_set1(z);
+ element_set1(z2);
+
+ m = mpz_sizeinbase(pairing->r, 2) - 2;
+ //TODO: sliding NAF
+ for(;;) {
+ do_tangent();
+ if (!m) break;
+
+ proj_double(); //V=2V
+ if (mpz_tstbit(pairing->r, m)) {
+ // point_to_affine();
+ do_line();
+ proj_add(); //V=V+in1
+ }
+
+ m--;
+ element_square(f, f);
+ }
+
+ // Tate exponentiation.
+ // Simpler but slower:
+ // element_pow_mpz(out, f, p->tateexp);
+ // Use this trick instead:
+ element_invert(f0, f);
+ element_neg(element_y(f), element_y(f));
+ element_mul(f, f, f0);
+ element_pow_mpz(out, f, pairing->phikonr);
+
+ /* We could use this instead but p->h is small so this does not help much
+ a_tateexp(out, f, f0, p->h);
+ */
+
+ element_clear(f);
+ element_clear(f0);
+ element_clear(z);
+ element_clear(z2);
+ element_clear(V);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ #undef point_to_affine
+ #undef proj_add
+ #undef proj_double
+ #undef do_tangent
+ #undef do_line
+}
+
+//in1, in2 are from E(F_q), out from F_q^2
+static void a1_pairing(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ a1_pairing_data_ptr p = pairing->data;
+ element_t V;
+ element_t f, f0;
+ element_t a, b, c;
+ element_t e0;
+ int m;
+ element_ptr Px = curve_x_coord(in1);
+ element_ptr Py = curve_y_coord(in1);
+ element_ptr Qx = curve_x_coord(in2);
+ element_ptr Qy = curve_y_coord(in2);
+ element_ptr Vx;
+ element_ptr Vy;
+
+ #define do_tangent() { \
+ compute_abc_tangent(a, b, c, Vx, Vy, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0); \
+ }
+
+ #define do_line() { \
+ compute_abc_line(a, b, c, Vx, Vy, Px, Py, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0); \
+ }
+
+ element_init(V, p->Ep);
+ element_set(V, in1);
+ Vx = curve_x_coord(V);
+ Vy = curve_y_coord(V);
+
+ element_init(f, p->Fp2);
+ element_init(f0, p->Fp2);
+ element_set1(f);
+ element_init(a, p->Fp);
+ element_init(b, p->Fp);
+ element_init(c, p->Fp);
+ element_init(e0, p->Fp);
+
+ m = mpz_sizeinbase(pairing->r, 2) - 2;
+
+ //TODO: sliding NAF
+ for(;;) {
+ do_tangent();
+ if (!m) break;
+
+ element_double(V, V);
+ if (mpz_tstbit(pairing->r, m)) {
+ do_line();
+ element_add(V, V, in1);
+ }
+
+ m--;
+ element_square(f, f);
+ }
+
+ // Tate exponentiation.
+ // Simpler but slower:
+ // element_pow_mpz(out, f, p->tateexp);
+ // Use this trick instead:
+ element_invert(f0, f);
+ element_neg(element_y(f), element_y(f));
+ element_mul(f, f, f0);
+ element_pow_mpz(out, f, pairing->phikonr);
+
+ /* We could use this instead but p->h is small so this does not help much
+ a_tateexp(out, f, f0, p->h);
+ */
+
+ element_clear(f);
+ element_clear(f0);
+ element_clear(V);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ #undef do_tangent
+ #undef do_line
+}
+
+//in1, in2 are from E(F_q), out from F_q^2
+void a1_pairings_affine(element_ptr out, element_t in1[], element_t in2[],
+ int n_prod, pairing_t pairing) {
+ a1_pairing_data_ptr p = pairing->data;
+ element_t* V = pbc_malloc(sizeof(element_t)*n_prod);
+ element_t f, f0;
+ element_t a, b, c;
+ element_t e0;
+ int m, i;
+ element_ptr Px, Py;
+ element_ptr Qx, Qy;
+ element_ptr Vx, Vy;
+
+ #define do_tangents() { \
+ for(i=0; i<n_prod; i++){ \
+ Vx = curve_x_coord(V[i]); \
+ Vy = curve_y_coord(V[i]); \
+ Qx = curve_x_coord(in2[i]); \
+ Qy = curve_y_coord(in2[i]); \
+ compute_abc_tangent(a, b, c, Vx, Vy, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0); \
+ } \
+ }
+
+ #define do_lines() { \
+ for(i=0; i<n_prod; i++){ \
+ Vx = curve_x_coord(V[i]); \
+ Vy = curve_y_coord(V[i]); \
+ Px = curve_x_coord(in1[i]); \
+ Py = curve_y_coord(in1[i]); \
+ Qx = curve_x_coord(in2[i]); \
+ Qy = curve_y_coord(in2[i]); \
+ compute_abc_line(a, b, c, Vx, Vy, Px, Py, e0); \
+ a_miller_evalfn(f0, a, b, c, Qx, Qy); \
+ element_mul(f, f, f0); \
+ } \
+ }
+
+ for(i=0; i<n_prod; i++){
+ element_init(V[i], p->Ep);
+ element_set(V[i], in1[i]);
+ }
+ element_init(f, p->Fp2);
+ element_init(f0, p->Fp2);
+ element_set1(f);
+ element_init(a, p->Fp);
+ element_init(b, p->Fp);
+ element_init(c, p->Fp);
+ element_init(e0, p->Fp);
+
+ m = mpz_sizeinbase(pairing->r, 2) - 2;
+
+ //TODO: sliding NAF
+ for(;;) {
+ do_tangents();
+ if (!m) break;
+ element_multi_double(V, V, n_prod);
+ if (mpz_tstbit(pairing->r, m)) {
+ do_lines();
+ element_multi_add(V, V, in1, n_prod);
+ }
+
+ m--;
+ element_square(f, f);
+ }
+
+ // Tate exponentiation.
+ // Simpler but slower:
+ // element_pow_mpz(out, f, p->tateexp);
+ // Use this trick instead:
+ element_invert(f0, f);
+ element_neg(element_y(f), element_y(f));
+ element_mul(f, f, f0);
+ element_pow_mpz(out, f, pairing->phikonr);
+
+ /* We could use this instead but p->h is small so this does not help much
+ a_tateexp(out, f, f0, p->h);
+ */
+
+ element_clear(f);
+ element_clear(f0);
+ for(i=0; i<n_prod; i++){
+ element_clear(V[i]);
+ }
+ pbc_free(V);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ #undef do_tangents
+ #undef do_lines
+}
+
+static void a1_pairing_clear(pairing_t pairing) {
+ field_clear(pairing->GT);
+
+ a1_pairing_data_ptr p = pairing->data;
+ field_clear(p->Ep);
+ field_clear(p->Fp2);
+ field_clear(p->Fp);
+ pbc_free(p);
+
+ mpz_clear(pairing->phikonr);
+ mpz_clear(pairing->r);
+ field_clear(pairing->Zr);
+}
+
+static void a1_pairing_option_set(pairing_t pairing, char *key, char *value) {
+ if (!strcmp(key, "method")) {
+ if (!strcmp(value, "miller")) {
+ pairing->map = a1_pairing_proj;
+ pairing->pp_init = a1_pairing_pp_init;
+ pairing->pp_clear = a1_pairing_pp_clear;
+ pairing->pp_apply = a1_pairing_pp_apply;
+ } else if (!strcmp(value, "miller-affine")){
+ pairing->map = a1_pairing;
+ pairing->pp_init = a1_pairing_pp_init;
+ pairing->pp_clear = a1_pairing_pp_clear;
+ pairing->pp_apply = a1_pairing_pp_apply;
+ } else if (!strcmp(value, "shipsey-stange")) {
+ pairing->map = a_pairing_ellnet;
+ pairing->pp_init = a_pairing_ellnet_pp_init;
+ pairing->pp_clear = a_pairing_ellnet_pp_clear;
+ pairing->pp_apply = a_pairing_ellnet_pp_apply;
+ }
+ }
+}
+
+static void a1_init_pairing(pairing_t pairing, void *data) {
+ a1_param_ptr param = data;
+ element_t a, b;
+ mpz_init(pairing->r);
+ mpz_set(pairing->r, param->n);
+ field_init_fp(pairing->Zr, pairing->r);
+
+ a1_pairing_data_ptr p;
+
+ p = pairing->data = pbc_malloc(sizeof(a1_pairing_data_t));
+
+ //k=2, hence phi_k(q) = q + 1, phikonr = (q+1)/r
+ mpz_init(pairing->phikonr);
+ mpz_set_ui(pairing->phikonr, param->l);
+
+ field_init_fp(p->Fp, param->p);
+ element_init(a, p->Fp);
+ element_init(b, p->Fp);
+ element_set1(a);
+ element_set0(b);
+ field_init_curve_ab(p->Ep, a, b, pairing->r, pairing->phikonr);
+
+ // Turns out to be faster.
+ field_curve_use_random_solvefory(p->Ep);
+
+ element_clear(a);
+ element_clear(b);
+ field_init_fi(p->Fp2, p->Fp);
+
+ pairing->finalpow = a_finalpow;
+ pairing->G1 = pbc_malloc(sizeof(field_t));
+ pairing->G2 = pairing->G1 = p->Ep;
+ pairing_GT_init(pairing, p->Fp2);
+
+ pairing->map = a1_pairing_proj; //default uses projective coordinates.
+ pairing->phi = phi_identity;
+ pairing->prod_pairings = a1_pairings_affine;
+
+ pairing->clear_func = a1_pairing_clear;
+
+ pairing->pp_init = a1_pairing_pp_init;
+ pairing->pp_clear = a1_pairing_pp_clear;
+ pairing->pp_apply = a1_pairing_pp_apply;
+ pairing->option_set = a1_pairing_option_set;
+}
+
+static void a1_init(pbc_param_t p) {
+ static pbc_param_interface_t interface = {{
+ a1_clear,
+ a1_init_pairing,
+ a1_out_str,
+ }};
+ p->api = interface;
+ a1_param_ptr param = p->data = pbc_malloc(sizeof(*param));
+ mpz_init(param->p);
+ mpz_init(param->n);
+}
+
+// Public interface:
+
+int pbc_param_init_a1(pbc_param_ptr par, struct symtab_s *tab) {
+ a1_init(par);
+ a1_param_ptr p = par->data;
+
+ int err = 0;
+ err += lookup_mpz(p->p, tab, "p");
+ err += lookup_mpz(p->n, tab, "n");
+ err += lookup_int(&p->l, tab, "l");
+ return err;
+}
+
+void pbc_param_init_a1_gen(pbc_param_ptr par, mpz_t order) {
+ a1_init(par);
+ a1_param_ptr param = par->data;
+ // If order is even, ideally check all even l, not just multiples of 4
+ // but I don't see a good reason for having an even order.
+ unsigned int l = 4;
+ mpz_t n;
+ mpz_ptr p = param->p;
+ mpz_init(n);
+ mpz_mul_ui(n, order, 4);
+ mpz_sub_ui(p, n, 1);
+ for (;;) {
+ if (mpz_probab_prime_p(p, 20)) {
+ break;
+ }
+ mpz_add(p, p, n);
+ l += 4;
+ }
+ param->l = l;
+ mpz_set(param->n, order);
+ mpz_clear(n);
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/curve.c b/moon-abe/pbc-0.5.14/ecc/curve.c
new file mode 100644
index 00000000..3bc1f020
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/curve.c
@@ -0,0 +1,987 @@
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h>
+#include <string.h>
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_multiz.h"
+#include "pbc_poly.h"
+#include "pbc_curve.h"
+#include "pbc_memory.h"
+#include "pbc_random.h"
+#include "misc/darray.h"
+
+// Per-field data.
+typedef struct {
+ field_ptr field; // The field where the curve is defined.
+ element_t a, b; // The curve is E: Y^2 = X^3 + a X + b.
+ // cofac == NULL means we're using the whole group of points.
+ // otherwise we're working in the subgroup of order #E / cofac,
+ // where #E is the number of points in E.
+ mpz_ptr cofac;
+ // A generator of E.
+ element_t gen_no_cofac;
+ // A generator of the subgroup.
+ element_t gen;
+ // A non-NULL quotient_cmp means we are working with the quotient group of
+ // order #E / quotient_cmp, and the points are actually coset
+ // representatives. Thus for a comparison, we must multiply by quotient_cmp
+ // before comparing.
+ mpz_ptr quotient_cmp;
+} *curve_data_ptr;
+
+// Per-element data. Elements of this group are points on the elliptic curve.
+typedef struct {
+ int inf_flag; // inf_flag == 1 means O, the point at infinity.
+ element_t x, y; // Otherwise we have the finite point (x, y).
+} *point_ptr;
+
+static void curve_init(element_ptr e) {
+ curve_data_ptr cdp = e->field->data;
+ point_ptr p = e->data = pbc_malloc(sizeof(*p));
+ element_init(p->x, cdp->field);
+ element_init(p->y, cdp->field);
+ p->inf_flag = 1;
+}
+
+static void curve_clear(element_ptr e) {
+ point_ptr p = e->data;
+ element_clear(p->x);
+ element_clear(p->y);
+ pbc_free(e->data);
+}
+
+static int curve_is_valid_point(element_ptr e) {
+ element_t t0, t1;
+ int result;
+ curve_data_ptr cdp = e->field->data;
+ point_ptr p = e->data;
+
+ if (p->inf_flag) return 1;
+
+ element_init(t0, cdp->field);
+ element_init(t1, cdp->field);
+ element_square(t0, p->x);
+ element_add(t0, t0, cdp->a);
+ element_mul(t0, t0, p->x);
+ element_add(t0, t0, cdp->b);
+ element_square(t1, p->y);
+ result = !element_cmp(t0, t1);
+
+ element_clear(t0);
+ element_clear(t1);
+ return result;
+}
+
+static void curve_invert(element_ptr c, element_ptr a) {
+ point_ptr r = c->data, p = a->data;
+
+ if (p->inf_flag) {
+ r->inf_flag = 1;
+ return;
+ }
+ r->inf_flag = 0;
+ element_set(r->x, p->x);
+ element_neg(r->y, p->y);
+}
+
+static void curve_set(element_ptr c, element_ptr a) {
+ point_ptr r = c->data, p = a->data;
+ if (p->inf_flag) {
+ r->inf_flag = 1;
+ return;
+ }
+ r->inf_flag = 0;
+ element_set(r->x, p->x);
+ element_set(r->y, p->y);
+}
+
+static inline void double_no_check(point_ptr r, point_ptr p, element_ptr a) {
+ element_t lambda, e0, e1;
+ field_ptr f = r->x->field;
+
+ element_init(lambda, f);
+ element_init(e0, f);
+ element_init(e1, f);
+
+ //lambda = (3x^2 + a) / 2y
+ element_square(lambda, p->x);
+ element_mul_si(lambda, lambda, 3);
+ element_add(lambda, lambda, a);
+
+ element_double(e0, p->y);
+
+ element_invert(e0, e0);
+ element_mul(lambda, lambda, e0);
+ //x1 = lambda^2 - 2x
+ //element_add(e1, p->x, p->x);
+ element_double(e1, p->x);
+ element_square(e0, lambda);
+ element_sub(e0, e0, e1);
+ //y1 = (x - x1)lambda - y
+ element_sub(e1, p->x, e0);
+ element_mul(e1, e1, lambda);
+ element_sub(e1, e1, p->y);
+
+ element_set(r->x, e0);
+ element_set(r->y, e1);
+ r->inf_flag = 0;
+
+ element_clear(lambda);
+ element_clear(e0);
+ element_clear(e1);
+ return;
+}
+
+static void curve_double(element_ptr c, element_ptr a) {
+ curve_data_ptr cdp = a->field->data;
+ point_ptr r = c->data, p = a->data;
+ if (p->inf_flag) {
+ r->inf_flag = 1;
+ return;
+ }
+ if (element_is0(p->y)) {
+ r->inf_flag = 1;
+ return;
+ }
+ double_no_check(r, p, cdp->a);
+}
+
+static void curve_mul(element_ptr c, element_ptr a, element_ptr b) {
+ curve_data_ptr cdp = a->field->data;
+ point_ptr r = c->data, p = a->data, q = b->data;
+
+ if (p->inf_flag) {
+ curve_set(c, b);
+ return;
+ }
+ if (q->inf_flag) {
+ curve_set(c, a);
+ return;
+ }
+ if (!element_cmp(p->x, q->x)) {
+ if (!element_cmp(p->y, q->y)) {
+ if (element_is0(p->y)) {
+ r->inf_flag = 1;
+ return;
+ } else {
+ double_no_check(r, p, cdp->a);
+ return;
+ }
+ }
+ //points are inverses of each other
+ r->inf_flag = 1;
+ return;
+ } else {
+ element_t lambda, e0, e1;
+
+ element_init(lambda, cdp->field);
+ element_init(e0, cdp->field);
+ element_init(e1, cdp->field);
+
+ //lambda = (y2-y1)/(x2-x1)
+ element_sub(e0, q->x, p->x);
+ element_invert(e0, e0);
+ element_sub(lambda, q->y, p->y);
+ element_mul(lambda, lambda, e0);
+ //x3 = lambda^2 - x1 - x2
+ element_square(e0, lambda);
+ element_sub(e0, e0, p->x);
+ element_sub(e0, e0, q->x);
+ //y3 = (x1-x3)lambda - y1
+ element_sub(e1, p->x, e0);
+ element_mul(e1, e1, lambda);
+ element_sub(e1, e1, p->y);
+
+ element_set(r->x, e0);
+ element_set(r->y, e1);
+ r->inf_flag = 0;
+
+ element_clear(lambda);
+ element_clear(e0);
+ element_clear(e1);
+ }
+}
+
+//compute c_i=a_i+a_i at one time.
+static void multi_double(element_ptr c[], element_ptr a[], int n) {
+ int i;
+ element_t* table = pbc_malloc(sizeof(element_t)*n); //a big problem?
+ element_t e0, e1, e2;
+ point_ptr q, r;
+ curve_data_ptr cdp = a[0]->field->data;
+
+ q=a[0]->data;
+ element_init(e0,q->y->field);
+ element_init(e1,q->y->field);
+ element_init(e2,q->y->field);
+
+ for(i=0; i<n; i++){
+ q=a[i]->data; r=c[i]->data;
+ element_init(table[i],q->y->field);
+
+ if (q->inf_flag) {
+ r->inf_flag = 1;
+ continue;
+ }
+ if (element_is0(q->y)) {
+ r->inf_flag = 1;
+ continue;
+ }
+ }
+ //to compute 1/2y multi. see Cohen's GTM139 Algorithm 10.3.4
+ for(i=0; i<n; i++){
+ q=a[i]->data;
+ element_double(table[i],q->y);
+ if(i>0) element_mul(table[i],table[i],table[i-1]);
+ }
+ element_invert(e2,table[n-1]); //ONLY ONE inv is required now.
+ for(i=n-1; i>0; i--){
+ q=a[i]->data;
+ element_mul(table[i],table[i-1],e2);
+ element_mul(e2,e2,q->y);
+ element_double(e2,e2); //e2=e2*2y_j
+ }
+ element_set(table[0],e2); //e2 no longer used.
+
+ for(i=0; i<n; i++){
+ q=a[i]->data;
+ r=c[i]->data;
+ if(r->inf_flag) continue;
+
+ //e2=lambda = (3x^2 + a) / 2y
+ element_square(e2, q->x);
+ element_mul_si(e2, e2, 3);
+ element_add(e2, e2, cdp->a);
+
+ element_mul(e2, e2, table[i]); //Recall that table[i]=1/2y_i
+ //x1 = lambda^2 - 2x
+ element_double(e1, q->x);
+ element_square(e0, e2);
+ element_sub(e0, e0, e1);
+ //y1 = (x - x1)lambda - y
+ element_sub(e1, q->x, e0);
+ element_mul(e1, e1, e2);
+ element_sub(e1, e1, q->y);
+ element_set(r->x, e0);
+ element_set(r->y, e1);
+ r->inf_flag = 0;
+ }
+
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(e2);
+ for(i=0; i<n; i++){
+ element_clear(table[i]);
+ }
+ pbc_free(table);
+}
+
+//compute c_i=a_i+b_i at one time.
+static void multi_add(element_ptr c[], element_ptr a[], element_ptr b[], int n){
+ int i;
+ element_t* table = pbc_malloc(sizeof(element_t)*n); //a big problem?
+ point_ptr p, q, r;
+ element_t e0, e1, e2;
+ curve_data_ptr cdp = a[0]->field->data;
+
+ p = a[0]->data;
+ q = b[0]->data;
+ element_init(e0, p->x->field);
+ element_init(e1, p->x->field);
+ element_init(e2, p->x->field);
+
+ element_init(table[0], p->x->field);
+ element_sub(table[0], q->x, p->x);
+ for(i=1; i<n; i++){
+ p = a[i]->data;
+ q = b[i]->data;
+ element_init(table[i], p->x->field);
+ element_sub(table[i], q->x, p->x);
+ element_mul(table[i], table[i], table[i-1]);
+ }
+ element_invert(e2, table[n-1]);
+ for(i=n-1; i>0; i--){
+ p = a[i]->data;
+ q = b[i]->data;
+ element_mul(table[i], table[i-1], e2);
+ element_sub(e1, q->x, p->x);
+ element_mul(e2,e2,e1); //e2=e2*(x2_j-x1_j)
+ }
+ element_set(table[0],e2); //e2 no longer used.
+
+ for(i=0; i<n; i++){
+ p = a[i]->data;
+ q = b[i]->data;
+ r = c[i]->data;
+ if (p->inf_flag) {
+ curve_set(c[i], b[i]);
+ continue;
+ }
+ if (q->inf_flag) {
+ curve_set(c[i], a[i]);
+ continue;
+ }
+ if (!element_cmp(p->x, q->x)) { //a[i]=b[i]
+ if (!element_cmp(p->y, q->y)) {
+ if (element_is0(p->y)) {
+ r->inf_flag = 1;
+ continue;
+ } else {
+ double_no_check(r, p, cdp->a);
+ continue;
+ }
+ }
+ //points are inverses of each other
+ r->inf_flag = 1;
+ continue;
+ } else {
+ //lambda = (y2-y1)/(x2-x1)
+ element_sub(e2, q->y, p->y);
+ element_mul(e2, e2, table[i]);
+ //x3 = lambda^2 - x1 - x2
+ element_square(e0, e2);
+ element_sub(e0, e0, p->x);
+ element_sub(e0, e0, q->x);
+ //y3 = (x1-x3)lambda - y1
+ element_sub(e1, p->x, e0);
+ element_mul(e1, e1, e2);
+ element_sub(e1, e1, p->y);
+ element_set(r->x, e0);
+ element_set(r->y, e1);
+ r->inf_flag = 0;
+ }
+ }
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(e2);
+ for(i=0; i<n; i++){
+ element_clear(table[i]);
+ }
+ pbc_free(table);
+}
+
+
+static inline int point_cmp(point_ptr p, point_ptr q) {
+ if (p->inf_flag || q->inf_flag) {
+ return !(p->inf_flag && q->inf_flag);
+ }
+ return element_cmp(p->x, q->x) || element_cmp(p->y, q->y);
+}
+
+static int curve_cmp(element_ptr a, element_ptr b) {
+ if (a == b) {
+ return 0;
+ } else {
+ // If we're working with a quotient group we must account for different
+ // representatives of the same coset.
+ curve_data_ptr cdp = a->field->data;
+ if (cdp->quotient_cmp) {
+ element_t e;
+ element_init_same_as(e, a);
+ element_div(e, a, b);
+ element_pow_mpz(e, e, cdp->quotient_cmp);
+ int result = !element_is1(e);
+ element_clear(e);
+ return result;
+ }
+ return point_cmp(a->data, b->data);
+ }
+}
+
+static void curve_set1(element_ptr x) {
+ point_ptr p = x->data;
+ p->inf_flag = 1;
+}
+
+static int curve_is1(element_ptr x) {
+ point_ptr p = x->data;
+ return p->inf_flag;
+}
+
+static void curve_random_no_cofac_solvefory(element_ptr a) {
+ //TODO: with 0.5 probability negate y-coord
+ curve_data_ptr cdp = a->field->data;
+ point_ptr p = a->data;
+ element_t t;
+
+ element_init(t, cdp->field);
+ p->inf_flag = 0;
+ do {
+ element_random(p->x);
+ element_square(t, p->x);
+ element_add(t, t, cdp->a);
+ element_mul(t, t, p->x);
+ element_add(t, t, cdp->b);
+ } while (!element_is_sqr(t));
+ element_sqrt(p->y, t);
+ element_clear(t);
+}
+
+static void curve_random_solvefory(element_ptr a) {
+ curve_data_ptr cdp = a->field->data;
+ curve_random_no_cofac_solvefory(a);
+ if (cdp->cofac) element_mul_mpz(a, a, cdp->cofac);
+}
+
+static void curve_random_pointmul(element_ptr a) {
+ curve_data_ptr cdp = a->field->data;
+ mpz_t x;
+ mpz_init(x);
+
+ pbc_mpz_random(x, a->field->order);
+ element_mul_mpz(a, cdp->gen, x);
+ mpz_clear(x);
+}
+
+void field_curve_use_random_solvefory(field_ptr f) {
+ f->random = curve_random_solvefory;
+}
+
+void curve_set_gen_no_cofac(element_ptr a) {
+ curve_data_ptr cdp = a->field->data;
+ element_set(a, cdp->gen_no_cofac);
+}
+
+static int curve_sign(element_ptr e) {
+ point_ptr p = e->data;
+ if (p->inf_flag) return 0;
+ return element_sign(p->y);
+}
+
+static void curve_from_hash(element_t a, void *data, int len) {
+ element_t t, t1;
+ point_ptr p = a->data;
+ curve_data_ptr cdp = a->field->data;
+
+ element_init(t, cdp->field);
+ element_init(t1, cdp->field);
+ p->inf_flag = 0;
+ element_from_hash(p->x, data, len);
+ for(;;) {
+ element_square(t, p->x);
+ element_add(t, t, cdp->a);
+ element_mul(t, t, p->x);
+ element_add(t, t, cdp->b);
+ if (element_is_sqr(t)) break;
+ // Compute x <- x^2 + 1 and try again.
+ element_square(p->x, p->x);
+ element_set1(t);
+ element_add(p->x, p->x, t);
+ }
+ element_sqrt(p->y, t);
+ if (element_sgn(p->y) < 0) element_neg(p->y, p->y);
+
+ if (cdp->cofac) element_mul_mpz(a, a, cdp->cofac);
+
+ element_clear(t);
+ element_clear(t1);
+}
+
+static size_t curve_out_str(FILE *stream, int base, element_ptr a) {
+ point_ptr p = a->data;
+ size_t result, status;
+ if (p->inf_flag) {
+ if (EOF == fputc('O', stream)) return 0;
+ return 1;
+ }
+ if (EOF == fputc('[', stream)) return 0;
+ result = element_out_str(stream, base, p->x);
+ if (!result) return 0;
+ if (EOF == fputs(", ", stream)) return 0;
+ status = element_out_str(stream, base, p->y);
+ if (!status) return 0;
+ if (EOF == fputc(']', stream)) return 0;
+ return result + status + 4;
+}
+
+static int curve_snprint(char *s, size_t n, element_ptr a) {
+ point_ptr p = a->data;
+ size_t result = 0, left;
+ int status;
+
+ #define clip_sub() { \
+ result += status; \
+ left = result >= n ? 0 : n - result; \
+ }
+
+ if (p->inf_flag) {
+ status = snprintf(s, n, "O");
+ if (status < 0) return status;
+ return 1;
+ }
+
+ status = snprintf(s, n, "[");
+ if (status < 0) return status;
+ clip_sub();
+ status = element_snprint(s + result, left, p->x);
+ if (status < 0) return status;
+ clip_sub();
+ status = snprintf(s + result, left, ", ");
+ if (status < 0) return status;
+ clip_sub();
+ status = element_snprint(s + result, left, p->y);
+ if (status < 0) return status;
+ clip_sub();
+ status = snprintf(s + result, left, "]");
+ if (status < 0) return status;
+ return result + status;
+ #undef clip_sub
+}
+
+static void curve_set_multiz(element_ptr a, multiz m) {
+ if (multiz_is_z(m)) {
+ if (multiz_is0(m)) {
+ element_set0(a);
+ return;
+ }
+ pbc_warn("bad multiz");
+ return;
+ } else {
+ if (multiz_count(m) < 2) {
+ pbc_warn("multiz has too few coefficients");
+ return;
+ }
+ point_ptr p = a->data;
+ p->inf_flag = 0;
+ element_set_multiz(p->x, multiz_at(m, 0));
+ element_set_multiz(p->y, multiz_at(m, 1));
+ }
+}
+
+static int curve_set_str(element_ptr e, const char *s, int base) {
+ point_ptr p = e->data;
+ const char *cp = s;
+ element_set0(e);
+ while (*cp && isspace(*cp)) cp++;
+ if (*cp == 'O') {
+ return cp - s + 1;
+ }
+ p->inf_flag = 0;
+ if (*cp != '[') return 0;
+ cp++;
+ cp += element_set_str(p->x, cp, base);
+ while (*cp && isspace(*cp)) cp++;
+ if (*cp != ',') return 0;
+ cp++;
+ cp += element_set_str(p->y, cp, base);
+ if (*cp != ']') return 0;
+
+ if (!curve_is_valid_point(e)) {
+ element_set0(e);
+ return 0;
+ }
+ return cp - s + 1;
+}
+
+static void field_clear_curve(field_t f) {
+ curve_data_ptr cdp;
+ cdp = f->data;
+ element_clear(cdp->gen);
+ element_clear(cdp->gen_no_cofac);
+ if (cdp->cofac) {
+ mpz_clear(cdp->cofac);
+ pbc_free(cdp->cofac);
+ }
+ if (cdp->quotient_cmp) {
+ mpz_clear(cdp->quotient_cmp);
+ pbc_free(cdp->quotient_cmp);
+ }
+ element_clear(cdp->a);
+ element_clear(cdp->b);
+ pbc_free(cdp);
+}
+
+static int curve_length_in_bytes(element_ptr x) {
+ point_ptr p = x->data;
+ return element_length_in_bytes(p->x) + element_length_in_bytes(p->y);
+}
+
+static int curve_to_bytes(unsigned char *data, element_t e) {
+ point_ptr P = e->data;
+ int len;
+ len = element_to_bytes(data, P->x);
+ len += element_to_bytes(data + len, P->y);
+ return len;
+}
+
+static int curve_from_bytes(element_t e, unsigned char *data) {
+ point_ptr P = e->data;
+ int len;
+
+ P->inf_flag = 0;
+ len = element_from_bytes(P->x, data);
+ len += element_from_bytes(P->y, data + len);
+ //if point does not lie on curve, set it to O
+ if (!curve_is_valid_point(e)) {
+ element_set0(e);
+ }
+ return len;
+}
+
+static void curve_out_info(FILE *out, field_t f) {
+ int len;
+ fprintf(out, "elliptic curve");
+ if ((len = f->fixed_length_in_bytes)) {
+ fprintf(out, ", bits per coord = %d", len * 8 / 2);
+ } else {
+ fprintf(out, "variable-length");
+ }
+}
+
+static int odd_curve_is_sqr(element_ptr e) {
+ UNUSED_VAR(e);
+ return 1;
+}
+
+//TODO: untested
+static int even_curve_is_sqr(element_ptr e) {
+ mpz_t z;
+ element_t e1;
+ int result;
+
+ mpz_init(z);
+ element_init(e1, e->field);
+ mpz_sub_ui(z, e->field->order, 1);
+ mpz_fdiv_q_2exp(z, z, 1);
+ element_pow_mpz(e1, e, z);
+ result = element_is1(e1);
+
+ mpz_clear(z);
+ element_clear(e1);
+ return result;
+}
+
+static int curve_item_count(element_ptr e) {
+ if (element_is0(e)) {
+ return 0;
+ }
+ return 2;
+}
+
+static element_ptr curve_item(element_ptr e, int i) {
+ if (element_is0(e)) return NULL;
+ point_ptr P = e->data;
+ switch(i) {
+ case 0:
+ return P->x;
+ case 1:
+ return P->y;
+ default:
+ return NULL;
+ }
+}
+
+static element_ptr curve_get_x(element_ptr e) {
+ point_ptr P = e->data;
+ return P->x;
+}
+
+static element_ptr curve_get_y(element_ptr e) {
+ point_ptr P = e->data;
+ return P->y;
+}
+
+void field_init_curve_ab(field_ptr f, element_ptr a, element_ptr b, mpz_t order, mpz_t cofac) {
+ /*
+ if (element_is0(a)) {
+ c->double_nocheck = cc_double_no_check_ais0;
+ } else {
+ c->double_nocheck = cc_double_no_check;
+ }
+ */
+ curve_data_ptr cdp;
+ field_init(f);
+ mpz_set(f->order, order);
+ cdp = f->data = pbc_malloc(sizeof(*cdp));
+ cdp->field = a->field;
+ element_init(cdp->a, cdp->field);
+ element_init(cdp->b, cdp->field);
+ element_set(cdp->a, a);
+ element_set(cdp->b, b);
+
+ f->init = curve_init;
+ f->clear = curve_clear;
+ f->neg = f->invert = curve_invert;
+ f->square = f->doub = curve_double;
+ f->multi_doub = multi_double;
+ f->add = f->mul = curve_mul;
+ f->multi_add = multi_add;
+ f->mul_mpz = element_pow_mpz;
+ f->cmp = curve_cmp;
+ f->set0 = f->set1 = curve_set1;
+ f->is0 = f->is1 = curve_is1;
+ f->sign = curve_sign;
+ f->set = curve_set;
+ f->random = curve_random_pointmul;
+ //f->random = curve_random_solvefory;
+ f->from_hash = curve_from_hash;
+ f->out_str = curve_out_str;
+ f->snprint = curve_snprint;
+ f->set_multiz = curve_set_multiz;
+ f->set_str = curve_set_str;
+ f->field_clear = field_clear_curve;
+ if (cdp->field->fixed_length_in_bytes < 0) {
+ f->length_in_bytes = curve_length_in_bytes;
+ } else {
+ f->fixed_length_in_bytes = 2 * cdp->field->fixed_length_in_bytes;
+ }
+ f->to_bytes = curve_to_bytes;
+ f->from_bytes = curve_from_bytes;
+ f->out_info = curve_out_info;
+ f->item_count = curve_item_count;
+ f->item = curve_item;
+ f->get_x = curve_get_x;
+ f->get_y = curve_get_y;
+
+ if (mpz_odd_p(order)) {
+ f->is_sqr = odd_curve_is_sqr;
+ } else {
+ f->is_sqr = even_curve_is_sqr;
+ }
+
+ element_init(cdp->gen_no_cofac, f);
+ element_init(cdp->gen, f);
+ curve_random_no_cofac_solvefory(cdp->gen_no_cofac);
+ if (cofac) {
+ cdp->cofac = pbc_malloc(sizeof(mpz_t));
+ mpz_init(cdp->cofac);
+ mpz_set(cdp->cofac, cofac);
+ element_mul_mpz(cdp->gen, cdp->gen_no_cofac, cofac);
+ } else{
+ cdp->cofac = NULL;
+ element_set(cdp->gen, cdp->gen_no_cofac);
+ }
+ cdp->quotient_cmp = NULL;
+}
+
+// Requires e to be a point on an elliptic curve.
+int element_to_bytes_compressed(unsigned char *data, element_ptr e) {
+ point_ptr P = e->data;
+ int len;
+ len = element_to_bytes(data, P->x);
+ if (element_sign(P->y) > 0) {
+ data[len] = 1;
+ } else {
+ data[len] = 0;
+ }
+ len++;
+ return len;
+}
+
+// Computes a point on the elliptic curve Y^2 = X^3 + a X + b given its
+// x-coordinate.
+// Requires a solution to exist.
+static void point_from_x(point_ptr p, element_t x, element_t a, element_t b) {
+ element_t t;
+
+ element_init(t, x->field);
+ p->inf_flag = 0;
+ element_square(t, x);
+ element_add(t, t, a);
+ element_mul(t, t, x);
+ element_add(t, t, b);
+ element_sqrt(p->y, t);
+ element_set(p->x, x);
+
+ element_clear(t);
+}
+
+void curve_from_x(element_ptr e, element_t x) {
+ curve_data_ptr cdp = e->field->data;
+ point_from_x(e->data, x, cdp->a, cdp->b);
+}
+
+// Requires e to be a point on an elliptic curve.
+int element_from_bytes_compressed(element_ptr e, unsigned char *data) {
+ curve_data_ptr cdp = e->field->data;
+ point_ptr P = e->data;
+ int len;
+ len = element_from_bytes(P->x, data);
+ point_from_x(P, P->x, cdp->a, cdp->b);
+
+ if (data[len]) {
+ if (element_sign(P->y) < 0) element_neg(P->y, P->y);
+ } else if (element_sign(P->y) > 0) {
+ element_neg(P->y, P->y);
+ }
+ len++;
+ return len;
+}
+
+int element_length_in_bytes_compressed(element_ptr e) {
+ point_ptr P = e->data;
+ return element_length_in_bytes(P->x) + 1;
+}
+
+// Requires e to be a point on an elliptic curve.
+int element_to_bytes_x_only(unsigned char *data, element_ptr e) {
+ point_ptr P = e->data;
+ int len;
+ len = element_to_bytes(data, P->x);
+ return len;
+}
+
+// Requires e to be a point on an elliptic curve.
+int element_from_bytes_x_only(element_ptr e, unsigned char *data) {
+ curve_data_ptr cdp = e->field->data;
+ point_ptr P = e->data;
+ int len;
+ len = element_from_bytes(P->x, data);
+ point_from_x(P, P->x, cdp->a, cdp->b);
+ return len;
+}
+
+int element_length_in_bytes_x_only(element_ptr e) {
+ point_ptr P = e->data;
+ return element_length_in_bytes(P->x);
+}
+
+inline element_ptr curve_x_coord(element_t e) {
+ return ((point_ptr) e->data)->x;
+}
+
+inline element_ptr curve_y_coord(element_t e) {
+ return ((point_ptr) e->data)->y;
+}
+
+inline element_ptr curve_a_coeff(element_t e) {
+ return ((curve_data_ptr) e->field->data)->a;
+}
+
+inline element_ptr curve_b_coeff(element_t e) {
+ return ((curve_data_ptr) e->field->data)->b;
+}
+
+inline element_ptr curve_field_a_coeff(field_t f) {
+ return ((curve_data_ptr) f->data)->a;
+}
+
+inline element_ptr curve_field_b_coeff(field_t f) {
+ return ((curve_data_ptr) f->data)->b;
+}
+
+void field_init_curve_ab_map(field_t cnew, field_t c,
+ fieldmap map, field_ptr mapdest,
+ mpz_t ordernew, mpz_t cofacnew) {
+ element_t a, b;
+ curve_data_ptr cdp = c->data;
+
+ element_init(a, mapdest);
+ element_init(b, mapdest);
+
+ map(a, cdp->a);
+ map(b, cdp->b);
+
+ field_init_curve_ab(cnew, a, b, ordernew, cofacnew);
+ element_clear(a);
+ element_clear(b);
+}
+
+// Existing points are invalidated as this mangles c.
+void field_reinit_curve_twist(field_ptr c) {
+ curve_data_ptr cdp = c->data;
+ element_ptr nqr = field_get_nqr(cdp->field);
+ element_mul(cdp->a, cdp->a, nqr);
+ element_mul(cdp->a, cdp->a, nqr);
+ element_mul(cdp->b, cdp->b, nqr);
+ element_mul(cdp->b, cdp->b, nqr);
+ element_mul(cdp->b, cdp->b, nqr);
+
+ // Recompute generators.
+ curve_random_no_cofac_solvefory(cdp->gen_no_cofac);
+ if (cdp->cofac) {
+ element_mul_mpz(cdp->gen, cdp->gen_no_cofac, cdp->cofac);
+ } else{
+ element_set(cdp->gen, cdp->gen_no_cofac);
+ }
+}
+
+// I could generalize this for all fields, but is there any point?
+void field_curve_set_quotient_cmp(field_ptr c, mpz_t quotient_cmp) {
+ curve_data_ptr cdp = c->data;
+ cdp->quotient_cmp = pbc_malloc(sizeof(mpz_t));
+ mpz_init(cdp->quotient_cmp);
+ mpz_set(cdp->quotient_cmp, quotient_cmp);
+}
+
+// Requires j != 0, 1728.
+void field_init_curve_j(field_ptr f, element_ptr j, mpz_t order, mpz_t cofac) {
+ element_t a, b;
+ element_init(a, j->field);
+ element_init(b, j->field);
+
+ element_set_si(a, 1728);
+ element_sub(a, a, j);
+ element_invert(a, a);
+ element_mul(a, a, j);
+
+ //b = 2 j / (1728 - j)
+ element_add(b, a, a);
+ //a = 3 j / (1728 - j)
+ element_add(a, a, b);
+ field_init_curve_ab(f, a, b, order, cofac);
+
+ element_clear(a);
+ element_clear(b);
+}
+
+void field_init_curve_b(field_ptr f, element_ptr b, mpz_t order, mpz_t cofac) {
+ element_t a;
+ element_init(a, b->field);
+ field_init_curve_ab(f, a, b, order, cofac);
+
+ element_clear(a);
+}
+
+// Compute trace of Frobenius at q^n given trace at q.
+// See p.105 of Blake, Seroussi and Smart.
+void pbc_mpz_trace_n(mpz_t res, mpz_t q, mpz_t trace, int n) {
+ int i;
+ mpz_t c0, c1, c2;
+ mpz_t t0;
+
+ mpz_init(c0);
+ mpz_init(c1);
+ mpz_init(c2);
+ mpz_init(t0);
+ mpz_set_ui(c2, 2);
+ mpz_set(c1, trace);
+ for (i=2; i<=n; i++) {
+ mpz_mul(c0, trace, c1);
+ mpz_mul(t0, q, c2);
+ mpz_sub(c0, c0, t0);
+ mpz_set(c2, c1);
+ mpz_set(c1, c0);
+ }
+ mpz_set(res, c1);
+ mpz_clear(t0);
+ mpz_clear(c2);
+ mpz_clear(c1);
+ mpz_clear(c0);
+}
+
+// Given q, t such that #E(F_q) = q - t + 1, compute #E(F_q^k).
+void pbc_mpz_curve_order_extn(mpz_t res, mpz_t q, mpz_t t, int k) {
+ mpz_t z;
+ mpz_t tk;
+ mpz_init(z);
+ mpz_init(tk);
+ mpz_pow_ui(z, q, k);
+ mpz_add_ui(z, z, 1);
+ pbc_mpz_trace_n(tk, q, t, k);
+ mpz_sub(z, z, tk);
+ mpz_set(res, z);
+ mpz_clear(z);
+ mpz_clear(tk);
+}
+
+void curve_set_si(element_t R, long int x, long int y) {
+ point_ptr p = R->data;
+ element_set_si(p->x, x);
+ element_set_si(p->y, y);
+ p->inf_flag = 0;
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/d_param.c b/moon-abe/pbc-0.5.14/ecc/d_param.c
new file mode 100644
index 00000000..8b7d6ac5
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/d_param.c
@@ -0,0 +1,1258 @@
+// Type D pairings, aka MNT curves.
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h>
+#include <string.h>
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_poly.h"
+#include "pbc_hilbert.h"
+#include "pbc_fp.h"
+#include "pbc_fieldquadratic.h"
+#include "pbc_mnt.h"
+#include "pbc_curve.h"
+#include "pbc_param.h"
+#include "pbc_pairing.h"
+#include "pbc_memory.h"
+#include "pbc_d_param.h"
+#include "ecc/param.h"
+
+struct d_param_s {
+ mpz_t q; // curve defined over F_q
+ mpz_t n; // has order n (= q - t + 1) in F_q
+ mpz_t h; // h * r = n, r is prime
+ mpz_t r;
+ mpz_t a, b; // curve equation is y^2 = x^3 + ax + b
+ int k; // embedding degree
+ mpz_t nk; // order of curve over F_q^k
+ mpz_t hk; // hk * r^2 = nk
+ mpz_t *coeff; // coefficients of polynomial used to extend F_q by k/2
+ mpz_t nqr; // a quadratic nonresidue in F_q^d that lies in F_q
+};
+
+typedef struct d_param_s d_param_t[1];
+typedef struct d_param_s *d_param_ptr;
+
+// Per-pairing data.
+typedef struct {
+ field_t Fq, Fqx, Fqd, Fqk; // The fields F_q, F_q[x], F_q^d, F_q^k.
+ field_t Eq, Etwist; // The curves E(F_q) and E'(F_q^d).
+ // Let v be the quadratic nonresidue used to construct F_q^k from F_q^d,
+ // namely Fqk = Fqd[sqrt(v)].
+ element_t nqrinv, nqrinv2; // The constants v^-1 and v^-2.
+ mpz_t tateexp; // The Tate exponent,
+ // to standardize coset representatives.
+ int k; // The embedding degree, usually 6.
+ // Let x be the element used to build Fqd from Fq, i.e. Fqd = Fq[x].
+ element_t xpowq, xpowq2; // x^q and x^{2q} in F_q^d.
+} *pptr;
+
+static void d_clear(void *data) {
+ d_param_ptr param = data;
+ int d = param->k / 2;
+ int i;
+ mpz_clear(param->q);
+ mpz_clear(param->n);
+ mpz_clear(param->h);
+ mpz_clear(param->r);
+ mpz_clear(param->a);
+ mpz_clear(param->b);
+ mpz_clear(param->nk);
+ mpz_clear(param->hk);
+ mpz_clear(param->nqr);
+ for (i=0; i<d; i++) {
+ mpz_clear(param->coeff[i]);
+ }
+ pbc_free(param->coeff);
+ pbc_free(data);
+}
+
+static void d_out_str(FILE *stream, void *data) {
+ d_param_ptr p = data;
+ int d = p->k / 2;
+ int i;
+ char s[8];
+ param_out_type(stream, "d");
+ param_out_mpz(stream, "q", p->q);
+ param_out_mpz(stream, "n", p->n);
+ param_out_mpz(stream, "h", p->h);
+ param_out_mpz(stream, "r", p->r);
+ param_out_mpz(stream, "a", p->a);
+ param_out_mpz(stream, "b", p->b);
+ param_out_int(stream, "k", p->k);
+ param_out_mpz(stream, "nk", p->nk);
+ param_out_mpz(stream, "hk", p->hk);
+ for (i=0; i<d; i++) {
+ sprintf(s, "coeff%d", i);
+ param_out_mpz(stream, s, p->coeff[i]);
+ }
+ param_out_mpz(stream, "nqr", p->nqr);
+}
+
+// Define l = aX + bY + c where a, b, c are in Fq.
+// Compute e0 = l(Q) specialized for the case when Q has the form
+// (Qx, Qy * sqrt(v)) where Qx, Qy are in Fqd and v is the quadratic nonresidue
+// used to construct the quadratic field extension Fqk of Fqd.
+static inline void d_miller_evalfn(element_t e0,
+ element_t a, element_t b, element_t c, element_t Qx, element_t Qy) {
+ element_ptr re_out = element_x(e0);
+ element_ptr im_out = element_y(e0);
+
+ int i;
+ int d = polymod_field_degree(re_out->field);
+ for (i = 0; i < d; i++) {
+ element_mul(element_item(re_out, i), element_item(Qx, i), a);
+ element_mul(element_item(im_out, i), element_item(Qy, i), b);
+ }
+ element_add(element_item(re_out, 0), element_item(re_out, 0), c);
+}
+
+// Miller's algorithm, assuming we can ignore the denominator. We can do this
+// with careful group selection when the embedding degree is even. See thesis.
+// This version uses projective coordinates, which don't seem much faster.
+static void cc_miller_no_denom_proj(element_t res, mpz_t q, element_t P,
+ element_ptr Qx, element_ptr Qy) {
+ int m;
+ element_t v;
+ element_t Z;
+ element_t a, b, c;
+ element_t t0, t1;
+ element_ptr t2 = a, t3 = b, t4 = c;
+ element_t e0;
+ element_t z, z2;
+ element_ptr Zx, Zy;
+ const element_ptr curve_a = curve_a_coeff(P);
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr Py = curve_y_coord(P);
+
+ #define proj_double() { \
+ /* t0 = 3x^2 + (curve_a) z^4 */ \
+ element_square(t0, Zx); \
+ /* element_mul_si(t0, t0, 3); */ \
+ element_double(t1, t0); \
+ element_add(t0, t0, t1); \
+ element_square(t1, z2); \
+ element_mul(t1, t1, curve_a); \
+ element_add(t0, t0, t1); \
+ \
+ /* z_out = 2 y z */ \
+ element_mul(z, Zy, z); \
+ /* element_mul_si(z, z, 2); */ \
+ element_double(z, z); \
+ element_square(z2, z); \
+ \
+ /* t1 = 4 x y^2 */ \
+ element_square(t2, Zy); \
+ element_mul(t1, Zx, t2); \
+ /* element_mul_si(t1, t1, 4); */ \
+ element_double(t1, t1); \
+ element_double(t1, t1); \
+ \
+ /* x_out = t0^2 - 2 t1 */ \
+ /* element_mul_si(t3, t1, 2); */ \
+ element_double(t3, t1); \
+ element_square(Zx, t0); \
+ element_sub(Zx, Zx, t3); \
+ \
+ /* t2 = 8y^4 */ \
+ element_square(t2, t2); \
+ /* element_mul_si(t2, t2, 8); */ \
+ element_double(t2, t2); \
+ element_double(t2, t2); \
+ element_double(t2, t2); \
+ \
+ /* y_out = t0(t1 - x_out) - t2 */ \
+ element_sub(t1, t1, Zx); \
+ element_mul(t0, t0, t1); \
+ element_sub(Zy, t0, t2); \
+ }
+
+ #define proj_mixin() { \
+ /* t2 = Px z^2 */ \
+ element_mul(t2, z2, Px); \
+ \
+ /* t3 = Zx - t2 */ \
+ element_sub(t3, Zx, t2); \
+ \
+ /* t0 = Py z^3 */ \
+ element_mul(t0, z2, Py); \
+ element_mul(t0, t0, z); \
+ \
+ /* t1 = Zy - t0 */ \
+ element_sub(t1, Zy, t0); \
+ \
+ /* e7 = Zx + t2, use t2 to double for e7 */ \
+ element_add(t2, Zx, t2); \
+ \
+ /* e8 = Zy + t0, use t0 to double for e8 */ \
+ element_add(t0, Zy, t0); \
+ \
+ /* z = z t3 */ \
+ element_mul(z, z, t3); \
+ element_square(z2, z); \
+ \
+ /* Zx = t1^2 - e7 t3^2 */ \
+ /* t3 now holds t3^3, */ \
+ /* t4 holds e7 t3^2. */ \
+ element_square(t4, t3); \
+ element_mul(t3, t4, t3); \
+ element_square(Zx, t1); \
+ element_mul(t4, t2, t4); \
+ element_sub(Zx, Zx, t4); \
+ \
+ /* t4 = e7 t3^2 - 2 Zx */ \
+ element_sub(t4, t4, Zx); \
+ element_sub(t4, t4, Zx); \
+ \
+ /* Zy = (t4 t1 - e8 t3^3)/2 */ \
+ element_mul(t4, t4, t1); \
+ element_mul(t0, t0, t3); \
+ element_sub(t4, t4, t0); \
+ element_halve(Zy, t4); \
+ }
+
+ #define do_tangent() { \
+ /* a = -(3x^2 + cca z^4) */ \
+ /* b = 2 y z^3 */ \
+ /* c = -(2 y^2 + x a) */ \
+ /* a = z^2 a */ \
+ element_square(a, z2); \
+ element_mul(a, a, curve_a); \
+ element_square(b, Zx); \
+ /* element_mul_si(b, b, 3); */ \
+ element_double(t0, b); \
+ element_add(b, b, t0); \
+ element_add(a, a, b); \
+ element_neg(a, a); \
+ \
+ element_mul(b, z, z2); \
+ element_mul(b, b, Zy); \
+ element_mul_si(b, b, 2); \
+ \
+ element_mul(c, Zx, a); \
+ element_mul(a, a, z2); \
+ element_square(t0, Zy); \
+ element_mul_si(t0, t0, 2); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx, Qy); \
+ element_mul(v, v, e0); \
+ }
+
+ #define do_line() { \
+ /* a = -(Py z^3 - Zy) */ \
+ /* b = Px z^3 - Zx z */ \
+ /* c = Zx z Py - Zy Px; */ \
+ \
+ element_mul(t0, Zx, z); \
+ element_mul(t1, z2, z); \
+ \
+ element_mul(a, Py, t1); \
+ element_sub(a, Zy, a); \
+ \
+ element_mul(b, Px, t1); \
+ element_sub(b, b, t0); \
+ \
+ element_mul(t0, t0, Py); \
+ element_mul(c, Zy, Px); \
+ element_sub(c, t0, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx, Qy); \
+ element_mul(v, v, e0); \
+ }
+
+ element_init(a, Px->field);
+ element_init(b, a->field);
+ element_init(c, a->field);
+ element_init(t0, a->field);
+ element_init(t1, a->field);
+ element_init(e0, res->field);
+ element_init(z, a->field);
+ element_init(z2, a->field);
+ element_set1(z);
+ element_set1(z2);
+
+ element_init(v, res->field);
+ element_init(Z, P->field);
+
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_x_coord(Z);
+
+ element_set1(v);
+ m = mpz_sizeinbase(q, 2) - 2;
+
+ for(;;) {
+ do_tangent();
+ if (!m) break;
+ proj_double();
+ if (mpz_tstbit(q, m)) {
+ do_line();
+ proj_mixin();
+ }
+ m--;
+ element_square(v, v);
+ }
+
+ element_set(res, v);
+
+ element_clear(v);
+ element_clear(Z);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(t0);
+ element_clear(t1);
+ element_clear(e0);
+ element_clear(z);
+ element_clear(z2);
+ #undef proj_double
+ #undef proj_mixin
+ #undef do_tangent
+ #undef do_line
+}
+
+// Same as above, but with affine coordinates.
+static void cc_miller_no_denom_affine(element_t res, mpz_t q, element_t P,
+ element_ptr Qx, element_ptr Qy) {
+ int m;
+ element_t v;
+ element_t Z;
+ element_t a, b, c;
+ element_t t0;
+ element_t e0;
+ const element_ptr cca = curve_a_coeff(P);
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr Py = curve_y_coord(P);
+ element_ptr Zx, Zy;
+
+ /* TODO: when exactly is this not needed?
+ void do_vertical() {
+ mapbase(e0, Z->x);
+ element_sub(e0, Qx, e0);
+ element_mul(v, v, e0);
+ }
+ */
+
+ #define do_tangent() { \
+ /* a = -(3 Zx^2 + cc->a) */ \
+ /* b = 2 * Zy */ \
+ /* c = -(2 Zy^2 + a Zx); */ \
+ \
+ element_square(a, Zx); \
+ element_mul_si(a, a, 3); \
+ element_add(a, a, cca); \
+ element_neg(a, a); \
+ \
+ element_add(b, Zy, Zy); \
+ \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx, Qy); \
+ element_mul(v, v, e0); \
+ }
+
+ #define do_line() { \
+ /* a = -(B.y - A.y) / (B.x - A.x); */ \
+ /* b = 1; */ \
+ /* c = -(A.y + a * A.x); */ \
+ /* but we multiply by B.x - A.x to avoid division. */ \
+ \
+ element_sub(b, Px, Zx); \
+ element_sub(a, Zy, Py); \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx, Qy); \
+ element_mul(v, v, e0); \
+ }
+
+ element_init(a, Px->field);
+ element_init(b, a->field);
+ element_init(c, a->field);
+ element_init(t0, a->field);
+ element_init(e0, res->field);
+
+ element_init(v, res->field);
+ element_init(Z, P->field);
+
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_y_coord(Z);
+
+ element_set1(v);
+ m = mpz_sizeinbase(q, 2) - 2;
+
+ for(;;) {
+ do_tangent();
+
+ if (!m) break;
+
+ element_double(Z, Z);
+ if (mpz_tstbit(q, m)) {
+ do_line();
+ element_add(Z, Z, P);
+ }
+ m--;
+ element_square(v, v);
+ }
+
+ element_set(res, v);
+
+ element_clear(v);
+ element_clear(Z);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(t0);
+ element_clear(e0);
+ #undef do_tangent
+ #undef do_line
+}
+
+static void (*cc_miller_no_denom_fn)(element_t res, mpz_t q, element_t P,
+ element_ptr Qx, element_ptr Qy);
+
+static void d_pairing_option_set(pairing_t pairing, char *key, char *value) {
+ UNUSED_VAR(pairing);
+ if (!strcmp(key, "method")) {
+ if (!strcmp(value, "miller")) {
+ cc_miller_no_denom_fn = cc_miller_no_denom_proj;
+ } else if (!strcmp(value, "miller-affine")) {
+ cc_miller_no_denom_fn = cc_miller_no_denom_affine;
+ }
+ }
+}
+
+// Requires cofactor is even. TODO: This seems to contradict a comment below.
+// Requires in != out.
+// Mangles in.
+static void lucas_even(element_ptr out, element_ptr in, mpz_t cofactor) {
+ if (element_is1(in)) {
+ element_set(out, in);
+ return;
+ }
+ element_t temp;
+ element_init_same_as(temp, out);
+ element_ptr in0 = element_x(in);
+ element_ptr in1 = element_y(in);
+ element_ptr v0 = element_x(out);
+ element_ptr v1 = element_y(out);
+ element_ptr t0 = element_x(temp);
+ element_ptr t1 = element_y(temp);
+ int j;
+
+ element_set_si(t0, 2);
+ element_double(t1, in0);
+
+ element_set(v0, t0);
+ element_set(v1, t1);
+
+ j = mpz_sizeinbase(cofactor, 2) - 1;
+ for (;;) {
+ if (!j) {
+ element_mul(v1, v0, v1);
+ element_sub(v1, v1, t1);
+ element_square(v0, v0);
+ element_sub(v0, v0, t0);
+ break;
+ }
+ if (mpz_tstbit(cofactor, j)) {
+ element_mul(v0, v0, v1);
+ element_sub(v0, v0, t1);
+ element_square(v1, v1);
+ element_sub(v1, v1, t0);
+ } else {
+ element_mul(v1, v0, v1);
+ element_sub(v1, v1, t1);
+ element_square(v0, v0);
+ element_sub(v0, v0, t0);
+ }
+ j--;
+ }
+
+ // Assume cofactor = (q^2 - q + 1) / r is odd
+ // thus v1 = V_k, v0 = V_{k-1}
+ // U = (P v1 - 2 v0) / (P^2 - 4)
+
+ element_double(v0, v0);
+ element_mul(in0, t1, v1);
+ element_sub(in0, in0, v0);
+
+ element_square(t1, t1);
+ element_sub(t1, t1, t0);
+ element_sub(t1, t1, t0);
+
+ element_halve(v0, v1);
+ element_div(v1, in0, t1);
+ element_mul(v1, v1, in1);
+
+ element_clear(temp);
+}
+
+// The final powering, where we standardize the coset representative.
+static void cc_tatepower(element_ptr out, element_ptr in, pairing_t pairing) {
+ pptr p = pairing->data;
+ #define qpower(sign) { \
+ polymod_const_mul(e2, inre[1], p->xpowq); \
+ element_set(e0re, e2); \
+ polymod_const_mul(e2, inre[2], p->xpowq2); \
+ element_add(e0re, e0re, e2); \
+ element_add(e0re0, e0re0, inre[0]); \
+ \
+ if (sign > 0) { \
+ polymod_const_mul(e2, inim[1], p->xpowq); \
+ element_set(e0im, e2); \
+ polymod_const_mul(e2, inim[2], p->xpowq2); \
+ element_add(e0im, e0im, e2); \
+ element_add(e0im0, e0im0, inim[0]); \
+ } else { \
+ polymod_const_mul(e2, inim[1], p->xpowq); \
+ element_neg(e0im, e2); \
+ polymod_const_mul(e2, inim[2], p->xpowq2); \
+ element_sub(e0im, e0im, e2); \
+ element_sub(e0im0, e0im0, inim[0]); \
+ } \
+ }
+ if (p->k == 6) {
+ // See thesis, section 6.9, "The Final Powering", which gives a formula
+ // for the first step of the final powering when Fq6 has been implemented
+ // as a quadratic extension on top of a cubic extension.
+ element_t e0, e2, e3;
+ element_init(e0, p->Fqk);
+ element_init(e2, p->Fqd);
+ element_init(e3, p->Fqk);
+ element_ptr e0re = element_x(e0);
+ element_ptr e0im = element_y(e0);
+ element_ptr e0re0 = ((element_t *) e0re->data)[0];
+ element_ptr e0im0 = ((element_t *) e0im->data)[0];
+ element_t *inre = element_x(in)->data;
+ element_t *inim = element_y(in)->data;
+ // Expressions in the formula are similar, hence the following function.
+ qpower(1);
+ element_set(e3, e0);
+ element_set(e0re, element_x(in));
+ element_neg(e0im, element_y(in));
+ element_mul(e3, e3, e0);
+ qpower(-1);
+ element_mul(e0, e0, in);
+ element_invert(e0, e0);
+ element_mul(in, e3, e0);
+
+ element_set(e0, in);
+ // We use Lucas sequences to complete the final powering.
+ lucas_even(out, e0, pairing->phikonr);
+
+ element_clear(e0);
+ element_clear(e2);
+ element_clear(e3);
+ } else {
+ element_pow_mpz(out, in, p->tateexp);
+ }
+ #undef qpower
+}
+
+static void cc_finalpow(element_t e) {
+ cc_tatepower(e->data, e->data, e->field->pairing);
+}
+
+static void cc_pairing(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ element_ptr Qbase = in2;
+ element_t Qx, Qy;
+ pptr p = pairing->data;
+
+ element_init(Qx, p->Fqd);
+ element_init(Qy, p->Fqd);
+ // Twist: (x, y) --> (v^-1 x, v^-(3/2) y)
+ // where v is the quadratic nonresidue used to construct the twist.
+ element_mul(Qx, curve_x_coord(Qbase), p->nqrinv);
+ // v^-3/2 = v^-2 * v^1/2
+ element_mul(Qy, curve_y_coord(Qbase), p->nqrinv2);
+ cc_miller_no_denom_fn(out, pairing->r, in1, Qx, Qy);
+ cc_tatepower(out, out, pairing);
+ element_clear(Qx);
+ element_clear(Qy);
+}
+
+
+//do many millers at one time with affine coordinates.
+static void cc_millers_no_denom_affine(element_t res, mpz_t q, element_t P[],
+ element_t Qx[], element_t Qy[], int n_prod) {
+ int m, i;
+ element_t v;
+ element_t a, b, c;
+ element_t t0;
+ element_t e0;
+ const element_ptr cca = curve_a_coeff(P[0]);
+ element_ptr Px, Py;
+ element_t* Z = pbc_malloc(sizeof(element_t)*n_prod);
+ element_ptr Zx, Zy;
+
+ /* TODO: when exactly is this not needed?
+ void do_vertical() {
+ mapbase(e0, Z->x);
+ element_sub(e0, Qx, e0);
+ element_mul(v, v, e0);
+ }
+ */
+
+ #define do_tangents() { \
+ /* a = -(3 Zx^2 + cc->a) */ \
+ /* b = 2 * Zy */ \
+ /* c = -(2 Zy^2 + a Zx); */ \
+ for(i=0; i<n_prod; i++){ \
+ Px = curve_x_coord(P[i]); \
+ Py = curve_y_coord(P[i]); \
+ Zx = curve_x_coord(Z[i]); \
+ Zy = curve_y_coord(Z[i]); \
+ \
+ element_square(a, Zx); \
+ element_mul_si(a, a, 3); \
+ element_add(a, a, cca); \
+ element_neg(a, a); \
+ \
+ element_add(b, Zy, Zy); \
+ \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx[i], Qy[i]); \
+ element_mul(v, v, e0); \
+ } \
+ }
+
+ #define do_lines() { \
+ /* a = -(B.y - A.y) / (B.x - A.x); */ \
+ /* b = 1; */ \
+ /* c = -(A.y + a * A.x); */ \
+ /* but we multiply by B.x - A.x to avoid division. */ \
+ for(i=0; i<n_prod; i++){ \
+ Px = curve_x_coord(P[i]); \
+ Py = curve_y_coord(P[i]); \
+ Zx = curve_x_coord(Z[i]); \
+ Zy = curve_y_coord(Z[i]); \
+ \
+ element_sub(b, Px, Zx); \
+ element_sub(a, Zy, Py); \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx[i], Qy[i]); \
+ element_mul(v, v, e0); \
+ } \
+ }
+
+ Px= curve_x_coord(P[0]); //temporally used to initial a,b, c and etc.
+ element_init(a, Px->field);
+ element_init(b, a->field);
+ element_init(c, a->field);
+ element_init(t0, a->field);
+ element_init(e0, res->field);
+
+ element_init(v, res->field);
+ for(i=0; i<n_prod; i++){
+ element_init(Z[i], P[i]->field);
+ element_set(Z[i], P[i]);
+ }
+
+ element_set1(v);
+ m = mpz_sizeinbase(q, 2) - 2;
+
+ for(;;) {
+ do_tangents();
+
+ if (!m) break;
+ element_multi_double(Z, Z, n_prod); //Z_i=Z_i+Z_i for all i.
+
+ if (mpz_tstbit(q, m)) {
+ do_lines();
+ element_multi_add(Z, Z, P, n_prod); //Z_i=Z_i+P_i for all i.
+ }
+ m--;
+ element_square(v, v);
+ }
+
+ element_set(res, v);
+
+ element_clear(v);
+ for(i=0; i<n_prod; i++){
+ element_clear(Z[i]);
+ }
+ pbc_free(Z);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(t0);
+ element_clear(e0);
+ #undef do_tangents
+ #undef do_lines
+}
+
+
+void cc_pairings_affine(element_ptr out, element_t in1[], element_t in2[],
+ int n_prod, pairing_t pairing) {
+ element_ptr Qbase;
+ element_t* Qx = pbc_malloc(sizeof(element_t)*n_prod);
+ element_t* Qy = pbc_malloc(sizeof(element_t)*n_prod);
+ pptr p = pairing->data;
+ int i;
+ for(i=0; i<n_prod; i++){
+ element_init(Qx[i], p->Fqd);
+ element_init(Qy[i], p->Fqd);
+ Qbase = in2[i];
+ // Twist: (x, y) --> (v^-1 x, v^-(3/2) y)
+ // where v is the quadratic nonresidue used to construct the twist.
+ element_mul(Qx[i], curve_x_coord(Qbase), p->nqrinv);
+ // v^-3/2 = v^-2 * v^1/2
+ element_mul(Qy[i], curve_y_coord(Qbase), p->nqrinv2);
+ }
+ cc_millers_no_denom_affine(out, pairing->r, in1, Qx, Qy, n_prod);
+ cc_tatepower(out, out, pairing);
+
+ for(i=0; i<n_prod; i++){
+ element_clear(Qx[i]);
+ element_clear(Qy[i]);
+ }
+ pbc_free(Qx);
+ pbc_free(Qy);
+}
+
+
+static int cc_is_almost_coddh(element_ptr a, element_ptr b,
+ element_ptr c, element_ptr d,
+ pairing_t pairing) {
+ int res = 0;
+ element_t t0, t1, t2;
+ element_t cx, cy;
+ element_t dx, dy;
+ pptr p = pairing->data;
+
+ element_init(cx, p->Fqd);
+ element_init(cy, p->Fqd);
+ element_init(dx, p->Fqd);
+ element_init(dy, p->Fqd);
+
+ element_init(t0, p->Fqk);
+ element_init(t1, p->Fqk);
+ element_init(t2, p->Fqk);
+ // Twist: (x, y) --> (v^-1 x, v^-(3/2) y)
+ // where v is the quadratic nonresidue used to construct the twist.
+ element_mul(cx, curve_x_coord(c), p->nqrinv);
+ element_mul(dx, curve_x_coord(d), p->nqrinv);
+ // v^-3/2 = v^-2 * v^1/2
+ element_mul(cy, curve_y_coord(c), p->nqrinv2);
+ element_mul(dy, curve_y_coord(d), p->nqrinv2);
+
+ cc_miller_no_denom_fn(t0, pairing->r, a, dx, dy);
+ cc_miller_no_denom_fn(t1, pairing->r, b, cx, cy);
+ cc_tatepower(t0, t0, pairing);
+ cc_tatepower(t1, t1, pairing);
+ element_mul(t2, t0, t1);
+ if (element_is1(t2)) res = 1; // We were given g, g^x, h, h^-x.
+ else {
+ // Cheaply check the other case.
+ element_invert(t1, t1);
+ element_mul(t2, t0, t1);
+ if (element_is1(t2)) res = 1; // We were given g, g^x, h, h^x.
+ }
+ element_clear(cx);
+ element_clear(cy);
+ element_clear(dx);
+ element_clear(dy);
+ element_clear(t0);
+ element_clear(t1);
+ element_clear(t2);
+ return res;
+}
+
+struct pp_coeff_s {
+ element_t a;
+ element_t b;
+ element_t c;
+};
+typedef struct pp_coeff_s pp_coeff_t[1];
+typedef struct pp_coeff_s *pp_coeff_ptr;
+
+static void d_pairing_pp_init(pairing_pp_t p, element_ptr in1, pairing_t pairing) {
+ element_ptr P = in1;
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr Py = curve_y_coord(P);
+ element_t Z;
+ int m;
+ pptr info = pairing->data;
+ element_t t0;
+ element_t a, b, c;
+ field_ptr Fq = info->Fq;
+ pp_coeff_t *coeff;
+ mpz_ptr q = pairing->r;
+ pp_coeff_ptr pp;
+ const element_ptr cca = curve_a_coeff(P);
+ element_ptr Zx;
+ element_ptr Zy;
+
+ #define store_abc() { \
+ element_init(pp->a, Fq); \
+ element_init(pp->b, Fq); \
+ element_init(pp->c, Fq); \
+ element_set(pp->a, a); \
+ element_set(pp->b, b); \
+ element_set(pp->c, c); \
+ pp++; \
+ }
+
+ #define do_tangent() { \
+ /* a = -slope_tangent(Z.x, Z.y); */ \
+ /* b = 1; */ \
+ /* c = -(Z.y + a * Z.x); */ \
+ /* but we multiply by 2*Z.y to avoid division. */ \
+ \
+ /* a = -Zx * (3 Zx + twicea_2) - a_4; */ \
+ /* Common curves: a2 = 0 (and cc->a is a_4), so */ \
+ /* a = -(3 Zx^2 + cc->a) */ \
+ /* b = 2 * Zy */ \
+ /* c = -(2 Zy^2 + a Zx); */ \
+ \
+ element_square(a, Zx); \
+ element_double(t0, a); \
+ element_add(a, a, t0); \
+ element_add(a, a, cca); \
+ element_neg(a, a); \
+ \
+ element_add(b, Zy, Zy); \
+ \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ store_abc(); \
+ }
+
+ #define do_line() { \
+ /* a = -(B.y - A.y) / (B.x - A.x); */ \
+ /* b = 1; */ \
+ /* c = -(A.y + a * A.x); */ \
+ /* but we'll multiply by B.x - A.x to avoid division */ \
+ \
+ element_sub(b, Px, Zx); \
+ element_sub(a, Zy, Py); \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ store_abc(); \
+ }
+
+ element_init(Z, P->field);
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_y_coord(Z);
+
+ element_init(t0, Fq);
+ element_init(a, Fq);
+ element_init(b, Fq);
+ element_init(c, Fq);
+
+ m = mpz_sizeinbase(q, 2) - 2;
+ p->data = pbc_malloc(sizeof(pp_coeff_t) * 2 * m);
+ coeff = (pp_coeff_t *) p->data;
+ pp = coeff[0];
+
+ for(;;) {
+ do_tangent();
+
+ if (!m) break;
+
+ element_double(Z, Z);
+ if (mpz_tstbit(q, m)) {
+ do_line();
+ element_add(Z, Z, P);
+ }
+ m--;
+ }
+
+ element_clear(t0);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(Z);
+ #undef store_abc
+ #undef do_tangent
+ #undef do_line
+}
+
+static void d_pairing_pp_clear(pairing_pp_t p) {
+ // TODO: Better to store a sentinel value in p->data?
+ mpz_ptr q = p->pairing->r;
+ int m = mpz_sizeinbase(q, 2) + mpz_popcount(q) - 3;
+ int i;
+ pp_coeff_t *coeff = (pp_coeff_t *) p->data;
+ pp_coeff_ptr pp;
+ for (i=0; i<m; i++) {
+ pp = coeff[i];
+ element_clear(pp->a);
+ element_clear(pp->b);
+ element_clear(pp->c);
+ }
+ pbc_free(p->data);
+}
+
+static void d_pairing_pp_apply(element_ptr out, element_ptr in2,
+ pairing_pp_t p) {
+ mpz_ptr q = p->pairing->r;
+ pptr info = p->pairing->data;
+ int m = mpz_sizeinbase(q, 2) - 2;
+ pp_coeff_t *coeff = (pp_coeff_t *) p->data;
+ pp_coeff_ptr pp = coeff[0];
+ element_ptr Qbase = in2;
+ element_t e0;
+ element_t Qx, Qy;
+ element_t v;
+ element_init_same_as(e0, out);
+ element_init_same_as(v, out);
+ element_init(Qx, info->Fqd);
+ element_init(Qy, info->Fqd);
+
+ // Twist: (x, y) --> (v^-1 x, v^-(3/2) y)
+ // where v is the quadratic nonresidue used to construct the twist
+ element_mul(Qx, curve_x_coord(Qbase), info->nqrinv);
+ // v^-3/2 = v^-2 * v^1/2
+ element_mul(Qy, curve_y_coord(Qbase), info->nqrinv2);
+
+ element_set1(out);
+ for(;;) {
+ d_miller_evalfn(e0, pp->a, pp->b, pp->c, Qx, Qy);
+ element_mul(out, out, e0);
+ pp++;
+
+ if (!m) break;
+
+ if (mpz_tstbit(q, m)) {
+ d_miller_evalfn(e0, pp->a, pp->b, pp->c, Qx, Qy);
+ element_mul(out, out, e0);
+ pp++;
+ }
+ m--;
+ element_square(out, out);
+ }
+ cc_tatepower(out, out, p->pairing);
+
+ element_clear(e0);
+ element_clear(Qx);
+ element_clear(Qy);
+ element_clear(v);
+}
+
+static void d_pairing_clear(pairing_t pairing) {
+ field_clear(pairing->GT);
+ pptr p = pairing->data;
+
+ if (p->k == 6) {
+ element_clear(p->xpowq);
+ element_clear(p->xpowq2);
+ mpz_clear(pairing->phikonr);
+ } else {
+ mpz_clear(p->tateexp);
+ }
+
+ field_clear(p->Etwist);
+ field_clear(p->Eq);
+ element_clear(p->nqrinv);
+ element_clear(p->nqrinv2);
+ field_clear(p->Fqk);
+ field_clear(p->Fqd);
+ field_clear(p->Fqx);
+ field_clear(p->Fq);
+ field_clear(pairing->Zr);
+ mpz_clear(pairing->r);
+ pbc_free(p);
+}
+
+static void d_init_pairing(pairing_ptr pairing, void *data) {
+ d_param_ptr param = data;
+ pptr p;
+ element_t a, b;
+ element_t irred;
+ int d = param->k / 2;
+ int i;
+
+ if (param->k % 2) pbc_die("k must be even");
+
+ mpz_init(pairing->r);
+ mpz_set(pairing->r, param->r);
+ field_init_fp(pairing->Zr, pairing->r);
+ pairing->map = cc_pairing;
+ pairing->prod_pairings = cc_pairings_affine;
+ pairing->is_almost_coddh = cc_is_almost_coddh;
+
+ p = pairing->data = pbc_malloc(sizeof(*p));
+ field_init_fp(p->Fq, param->q);
+ element_init(a, p->Fq);
+ element_init(b, p->Fq);
+ element_set_mpz(a, param->a);
+ element_set_mpz(b, param->b);
+ field_init_curve_ab(p->Eq, a, b, pairing->r, param->h);
+
+ field_init_poly(p->Fqx, p->Fq);
+ element_init(irred, p->Fqx);
+ poly_set_coeff1(irred, d);
+ for (i = 0; i < d; i++) {
+ element_set_mpz(element_item(irred, i), param->coeff[i]);
+ }
+
+ field_init_polymod(p->Fqd, irred);
+ element_clear(irred);
+
+ p->Fqd->nqr = pbc_malloc(sizeof(element_t));
+ element_init(p->Fqd->nqr, p->Fqd);
+ element_set_mpz(((element_t *) p->Fqd->nqr->data)[0], param->nqr);
+
+ field_init_quadratic(p->Fqk, p->Fqd);
+
+ // Compute constants involved in the final powering.
+ if (param->k == 6) {
+ mpz_ptr q = param->q;
+ mpz_ptr z = pairing->phikonr;
+ mpz_init(z);
+ mpz_mul(z, q, q);
+ mpz_sub(z, z, q);
+ mpz_add_ui(z, z, 1);
+ mpz_divexact(z, z, pairing->r);
+
+ element_ptr e = p->xpowq;
+ element_init(e, p->Fqd);
+ element_set1(((element_t *) e->data)[1]);
+ element_pow_mpz(e, e, q);
+
+ element_init(p->xpowq2, p->Fqd);
+ element_square(p->xpowq2, e);
+ } else {
+ mpz_init(p->tateexp);
+ mpz_sub_ui(p->tateexp, p->Fqk->order, 1);
+ mpz_divexact(p->tateexp, p->tateexp, pairing->r);
+ }
+
+ field_init_curve_ab_map(p->Etwist, p->Eq, element_field_to_polymod, p->Fqd, pairing->r, NULL);
+ field_reinit_curve_twist(p->Etwist);
+
+ mpz_t ndonr;
+ mpz_init(ndonr);
+ // ndonr temporarily holds the trace.
+ mpz_sub(ndonr, param->q, param->n);
+ mpz_add_ui(ndonr, ndonr, 1);
+ // Negate it because we want the trace of the twist.
+ mpz_neg(ndonr, ndonr);
+ pbc_mpz_curve_order_extn(ndonr, param->q, ndonr, d);
+ mpz_divexact(ndonr, ndonr, param->r);
+ field_curve_set_quotient_cmp(p->Etwist, ndonr);
+ mpz_clear(ndonr);
+
+ element_init(p->nqrinv, p->Fqd);
+ element_invert(p->nqrinv, field_get_nqr(p->Fqd));
+ element_init(p->nqrinv2, p->Fqd);
+ element_square(p->nqrinv2, p->nqrinv);
+
+ pairing->G1 = p->Eq;
+ pairing->G2 = p->Etwist;
+
+ p->k = param->k;
+ pairing_GT_init(pairing, p->Fqk);
+ pairing->finalpow = cc_finalpow;
+
+ // By default use affine coordinates.
+ cc_miller_no_denom_fn = cc_miller_no_denom_affine;
+ pairing->option_set = d_pairing_option_set;
+ pairing->pp_init = d_pairing_pp_init;
+ pairing->pp_clear = d_pairing_pp_clear;
+ pairing->pp_apply = d_pairing_pp_apply;
+
+ pairing->clear_func = d_pairing_clear;
+
+ element_clear(a);
+ element_clear(b);
+}
+
+// Computes a curve and sets fp to the field it is defined over using the
+// complex multiplication method, where cm holds the appropriate information
+// (e.g. discriminant, field order).
+static void compute_cm_curve(d_param_ptr param, pbc_cm_ptr cm) {
+ element_t hp, root;
+ field_t fp, fpx;
+ field_t cc;
+
+ field_init_fp(fp, cm->q);
+ field_init_poly(fpx, fp);
+ element_init(hp, fpx);
+
+ mpz_t *coefflist;
+ int n = pbc_hilbert(&coefflist, cm->D);
+
+ // Temporarily set the coefficient of x^{n-1} to 1 so hp has degree n - 1,
+ // allowing us to use poly_coeff().
+ poly_set_coeff1(hp, n - 1);
+ int i;
+ for (i = 0; i < n; i++) {
+ element_set_mpz(element_item(hp, i), coefflist[i]);
+ }
+ pbc_hilbert_free(coefflist, n);
+
+ // TODO: Remove x = 0, 1728 roots.
+ // TODO: What if there are no roots?
+ //printf("hp ");
+ //element_out_str(stdout, 0, hp);
+ //printf("\n");
+
+ element_init(root, fp);
+ poly_findroot(root, hp);
+ //printf("root = ");
+ //element_out_str(stdout, 0, root);
+ //printf("\n");
+ element_clear(hp);
+ field_clear(fpx);
+
+ // The root is the j-invariant of the desired curve.
+ field_init_curve_j(cc, root, cm->n, NULL);
+ element_clear(root);
+
+ // We may need to twist it.
+ {
+ // Pick a random point P and twist the curve if it has the wrong order.
+ element_t P;
+ element_init(P, cc);
+ element_random(P);
+ element_mul_mpz(P, P, cm->n);
+ if (!element_is0(P)) field_reinit_curve_twist(cc);
+ element_clear(P);
+ }
+
+ mpz_set(param->q, cm->q);
+ mpz_set(param->n, cm->n);
+ mpz_set(param->h, cm->h);
+ mpz_set(param->r, cm->r);
+ element_to_mpz(param->a, curve_field_a_coeff(cc));
+ element_to_mpz(param->b, curve_field_b_coeff(cc));
+ param->k = cm->k;
+ {
+ mpz_t z;
+ mpz_init(z);
+ // Compute order of curve in F_q^k.
+ // n = q - t + 1 hence t = q - n + 1
+ mpz_sub(z, param->q, param->n);
+ mpz_add_ui(z, z, 1);
+ pbc_mpz_trace_n(z, param->q, z, param->k);
+ mpz_pow_ui(param->nk, param->q, param->k);
+ mpz_sub_ui(z, z, 1);
+ mpz_sub(param->nk, param->nk, z);
+ mpz_mul(z, param->r, param->r);
+ mpz_divexact(param->hk, param->nk, z);
+ mpz_clear(z);
+ }
+ field_clear(cc);
+ field_clear(fp);
+}
+
+static void d_param_init(pbc_param_ptr p) {
+ static pbc_param_interface_t interface = {{
+ d_clear,
+ d_init_pairing,
+ d_out_str,
+ }};
+ p->api = interface;
+ d_param_ptr param = p->data = pbc_malloc(sizeof(*param));
+ mpz_init(param->q);
+ mpz_init(param->n);
+ mpz_init(param->h);
+ mpz_init(param->r);
+ mpz_init(param->a);
+ mpz_init(param->b);
+ mpz_init(param->nk);
+ mpz_init(param->hk);
+ param->k = 0;
+ param->coeff = NULL;
+ mpz_init(param->nqr);
+}
+
+// Public interface:
+
+int pbc_param_init_d(pbc_param_ptr par, struct symtab_s *tab) {
+ d_param_init(par);
+ d_param_ptr p = par->data;
+ char s[80];
+ int i, d;
+
+ int err = 0;
+ err += lookup_mpz(p->q, tab, "q");
+ err += lookup_mpz(p->n, tab, "n");
+ err += lookup_mpz(p->h, tab, "h");
+ err += lookup_mpz(p->r, tab, "r");
+ err += lookup_mpz(p->a, tab, "a");
+ err += lookup_mpz(p->b, tab, "b");
+ err += lookup_int(&p->k, tab, "k");
+ err += lookup_mpz(p->nk, tab, "nk");
+ err += lookup_mpz(p->hk, tab, "hk");
+ err += lookup_mpz(p->nqr, tab, "nqr");
+
+ d = p->k / 2;
+ p->coeff = pbc_realloc(p->coeff, sizeof(mpz_t) * d);
+ for (i=0; i<d; i++) {
+ sprintf(s, "coeff%d", i);
+ mpz_init(p->coeff[i]);
+ err += lookup_mpz(p->coeff[i], tab, s);
+ }
+ return err;
+}
+
+void pbc_param_init_d_gen(pbc_param_ptr p, pbc_cm_ptr cm) {
+ d_param_init(p);
+ d_param_ptr param = p->data;
+ field_t Fq, Fqx, Fqd;
+ element_t irred, nqr;
+ int d = cm->k / 2;
+ int i;
+
+ compute_cm_curve(param, cm);
+
+ field_init_fp(Fq, param->q);
+ field_init_poly(Fqx, Fq);
+ element_init(irred, Fqx);
+ do {
+ poly_random_monic(irred, d);
+ } while (!poly_is_irred(irred));
+ field_init_polymod(Fqd, irred);
+
+ // Find a quadratic nonresidue of Fqd lying in Fq.
+ element_init(nqr, Fqd);
+ do {
+ element_random(((element_t *) nqr->data)[0]);
+ } while (element_is_sqr(nqr));
+
+ param->coeff = pbc_realloc(param->coeff, sizeof(mpz_t) * d);
+
+ for (i=0; i<d; i++) {
+ mpz_init(param->coeff[i]);
+ element_to_mpz(param->coeff[i], element_item(irred, i));
+ }
+ element_to_mpz(param->nqr, ((element_t *) nqr->data)[0]);
+
+ element_clear(nqr);
+ element_clear(irred);
+
+ field_clear(Fqx);
+ field_clear(Fqd);
+ field_clear(Fq);
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/e_param.c b/moon-abe/pbc-0.5.14/ecc/e_param.c
new file mode 100644
index 00000000..53f7217c
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/e_param.c
@@ -0,0 +1,1006 @@
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h> //for rand, pbc_malloc, pbc_free
+#include <string.h> //for strcmp
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_fp.h"
+#include "pbc_param.h"
+#include "pbc_pairing.h"
+#include "pbc_curve.h"
+#include "pbc_random.h"
+#include "pbc_memory.h"
+#include "pbc_e_param.h"
+#include "ecc/param.h"
+
+struct e_param_s {
+ mpz_t q; // Curve is defined over F_q.
+ mpz_t r; // q = h r^2 + 1, r is prime.
+ mpz_t h; // h is 28 times some square.
+ mpz_t a, b; // Curve equation is Y^2 = X^3 + aX + b.
+ int exp2;
+ int exp1;
+ int sign1;
+ int sign0;
+};
+typedef struct e_param_s e_param_t[1];
+typedef struct e_param_s *e_param_ptr;
+
+struct e_pairing_data_s {
+ field_t Fq, Eq;
+ int exp2, exp1;
+ int sign1, sign0;
+ element_t R;
+};
+typedef struct e_pairing_data_s e_pairing_data_t[1];
+typedef struct e_pairing_data_s *e_pairing_data_ptr;
+
+static void e_clear(void *data) {
+ e_param_ptr ep = data;
+ mpz_clear(ep->q);
+ mpz_clear(ep->r);
+ mpz_clear(ep->h);
+ mpz_clear(ep->a);
+ mpz_clear(ep->b);
+ pbc_free(data);
+}
+
+static void e_out_str(FILE *stream, void *data) {
+ e_param_ptr p = data;
+ param_out_type(stream, "e");
+ param_out_mpz(stream, "q", p->q);
+ param_out_mpz(stream, "r", p->r);
+ param_out_mpz(stream, "h", p->h);
+ param_out_mpz(stream, "a", p->a);
+ param_out_mpz(stream, "b", p->b);
+ param_out_int(stream, "exp2", p->exp2);
+ param_out_int(stream, "exp1", p->exp1);
+ param_out_int(stream, "sign1", p->sign1);
+ param_out_int(stream, "sign0", p->sign0);
+}
+
+static void e_miller_proj(element_t res, element_t P,
+ element_ptr QR, element_ptr R,
+ e_pairing_data_ptr p) {
+ //collate divisions
+ int n;
+ element_t v, vd;
+ element_t v1, vd1;
+ element_t Z, Z1;
+ element_t a, b, c;
+ const element_ptr cca = curve_a_coeff(P);
+ element_t e0, e1;
+ const element_ptr e2 = a, e3 = b;
+ element_t z, z2;
+ int i;
+ element_ptr Zx, Zy;
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr numx = curve_x_coord(QR);
+ const element_ptr numy = curve_y_coord(QR);
+ const element_ptr denomx = curve_x_coord(R);
+ const element_ptr denomy = curve_y_coord(R);
+
+ //convert Z from weighted projective (Jacobian) to affine
+ //i.e. (X, Y, Z) --> (X/Z^2, Y/Z^3)
+ //also sets z to 1
+ #define to_affine() { \
+ element_invert(z, z); \
+ element_square(e0, z); \
+ element_mul(Zx, Zx, e0); \
+ element_mul(e0, e0, z); \
+ element_mul(Zy, Zy, e0); \
+ element_set1(z); \
+ element_set1(z2); \
+ }
+
+ #define proj_double() { \
+ const element_ptr x = Zx; \
+ const element_ptr y = Zy; \
+ /* e0 = 3x^2 + (cc->a) z^4 */ \
+ element_square(e0, x); \
+ /* element_mul_si(e0, e0, 3); */ \
+ element_double(e1, e0); \
+ element_add(e0, e0, e1); \
+ element_square(e1, z2); \
+ element_mul(e1, e1, cca); \
+ element_add(e0, e0, e1); \
+ \
+ /* z_out = 2 y z */ \
+ element_mul(z, y, z); \
+ /* element_mul_si(z, z, 2); */ \
+ element_double(z, z); \
+ element_square(z2, z); \
+ \
+ /* e1 = 4 x y^2 */ \
+ element_square(e2, y); \
+ element_mul(e1, x, e2); \
+ /* element_mul_si(e1, e1, 4); */ \
+ element_double(e1, e1); \
+ element_double(e1, e1); \
+ \
+ /* x_out = e0^2 - 2 e1 */ \
+ /* element_mul_si(e3, e1, 2); */ \
+ element_double(e3, e1); \
+ element_square(x, e0); \
+ element_sub(x, x, e3); \
+ \
+ /* e2 = 8y^4 */ \
+ element_square(e2, e2); \
+ /* element_mul_si(e2, e2, 8); */ \
+ element_double(e2, e2); \
+ element_double(e2, e2); \
+ element_double(e2, e2); \
+ \
+ /* y_out = e0(e1 - x_out) - e2 */ \
+ element_sub(e1, e1, x); \
+ element_mul(e0, e0, e1); \
+ element_sub(y, e0, e2); \
+ }
+
+ #define do_tangent(e, edenom) { \
+ /* a = -(3x^2 + cca z^4) */ \
+ /* b = 2 y z^3 */ \
+ /* c = -(2 y^2 + x a) */ \
+ /* a = z^2 a */ \
+ element_square(a, z2); \
+ element_mul(a, a, cca); \
+ element_square(b, Zx); \
+ /* element_mul_si(b, b, 3); */ \
+ element_double(e0, b); \
+ element_add(b, b, e0); \
+ element_add(a, a, b); \
+ element_neg(a, a); \
+ \
+ /* element_mul_si(e0, Zy, 2); */ \
+ element_double(e0, Zy); \
+ element_mul(b, e0, z2); \
+ element_mul(b, b, z); \
+ \
+ element_mul(c, Zx, a); \
+ element_mul(a, a, z2); \
+ element_mul(e0, e0, Zy); \
+ element_add(c, c, e0); \
+ element_neg(c, c); \
+ \
+ element_mul(e0, a, numx); \
+ element_mul(e1, b, numy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(e, e, e0); \
+ \
+ element_mul(e0, a, denomx); \
+ element_mul(e1, b, denomy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(edenom, edenom, e0); \
+ }
+
+ #define do_vertical(e, edenom, Ax) { \
+ element_mul(e0, numx, z2); \
+ element_sub(e0, e0, Ax); \
+ element_mul(e, e, e0); \
+ \
+ element_mul(e0, denomx, z2); \
+ element_sub(e0, e0, Ax); \
+ element_mul(edenom, edenom, e0); \
+ }
+
+ #define do_line(e, edenom, A, B) { \
+ element_ptr Ax = curve_x_coord(A); \
+ element_ptr Ay = curve_y_coord(A); \
+ element_ptr Bx = curve_x_coord(B); \
+ element_ptr By = curve_y_coord(B); \
+ \
+ element_sub(b, Bx, Ax); \
+ element_sub(a, Ay, By); \
+ element_mul(c, Ax, By); \
+ element_mul(e0, Ay, Bx); \
+ element_sub(c, c, e0); \
+ \
+ element_mul(e0, a, numx); \
+ element_mul(e1, b, numy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(e, e, e0); \
+ \
+ element_mul(e0, a, denomx); \
+ element_mul(e1, b, denomy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(edenom, edenom, e0); \
+ }
+
+ element_init(a, res->field);
+ element_init(b, res->field);
+ element_init(c, res->field);
+ element_init(e0, res->field);
+ element_init(e1, res->field);
+ element_init(z, res->field);
+ element_init(z2, res->field);
+ element_set1(z);
+ element_set1(z2);
+
+ element_init(v, res->field);
+ element_init(vd, res->field);
+ element_init(v1, res->field);
+ element_init(vd1, res->field);
+ element_init(Z, P->field);
+ element_init(Z1, P->field);
+
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_y_coord(Z);
+
+ element_set1(v);
+ element_set1(vd);
+ element_set1(v1);
+ element_set1(vd1);
+
+ n = p->exp1;
+ for (i=0; i<n; i++) {
+ element_square(v, v);
+ element_square(vd, vd);
+ do_tangent(v, vd);
+ proj_double();
+ do_vertical(vd, v, Zx);
+ }
+ to_affine();
+ if (p->sign1 < 0) {
+ element_set(v1, vd);
+ element_set(vd1, v);
+ do_vertical(vd1, v1, Zx);
+ element_neg(Z1, Z);
+ } else {
+ element_set(v1, v);
+ element_set(vd1, vd);
+ element_set(Z1, Z);
+ }
+ n = p->exp2;
+ for (; i<n; i++) {
+ element_square(v, v);
+ element_square(vd, vd);
+ do_tangent(v, vd);
+ proj_double();
+ do_vertical(vd, v, Zx);
+ }
+ to_affine();
+ element_mul(v, v, v1);
+ element_mul(vd, vd, vd1);
+ do_line(v, vd, Z, Z1);
+ element_add(Z, Z, Z1);
+ do_vertical(vd, v, Zx);
+
+ if (p->sign0 > 0) {
+ do_vertical(v, vd, Px);
+ }
+
+ element_invert(vd, vd);
+ element_mul(res, v, vd);
+
+ element_clear(v);
+ element_clear(vd);
+ element_clear(v1);
+ element_clear(vd1);
+ element_clear(z);
+ element_clear(z2);
+ element_clear(Z);
+ element_clear(Z1);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ element_clear(e1);
+ #undef to_affine
+ #undef proj_double
+ #undef do_tangent
+ #undef do_vertical
+ #undef do_line
+}
+
+static void e_miller_affine(element_t res, element_t P,
+ element_ptr QR, element_ptr R,
+ e_pairing_data_ptr p) {
+ //collate divisions
+ int n;
+ element_t v, vd;
+ element_t v1, vd1;
+ element_t Z, Z1;
+ element_t a, b, c;
+ element_t e0, e1;
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr cca = curve_a_coeff(P);
+ element_ptr Zx, Zy;
+ int i;
+ const element_ptr numx = curve_x_coord(QR);
+ const element_ptr numy = curve_y_coord(QR);
+ const element_ptr denomx = curve_x_coord(R);
+ const element_ptr denomy = curve_y_coord(R);
+
+ #define do_vertical(e, edenom, Ax) { \
+ element_sub(e0, numx, Ax); \
+ element_mul(e, e, e0); \
+ \
+ element_sub(e0, denomx, Ax); \
+ element_mul(edenom, edenom, e0); \
+ }
+
+ #define do_tangent(e, edenom) { \
+ /* a = -slope_tangent(A.x, A.y); */ \
+ /* b = 1; */ \
+ /* c = -(A.y + a * A.x); */ \
+ /* but we multiply by 2*A.y to avoid division */ \
+ \
+ /* a = -Ax * (Ax + Ax + Ax + twicea_2) - a_4; */ \
+ /* Common curves: a2 = 0 (and cc->a is a_4), so */ \
+ /* a = -(3 Ax^2 + cc->a) */ \
+ /* b = 2 * Ay */ \
+ /* c = -(2 Ay^2 + a Ax); */ \
+ \
+ element_square(a, Zx); \
+ element_mul_si(a, a, 3); \
+ element_add(a, a, cca); \
+ element_neg(a, a); \
+ \
+ element_add(b, Zy, Zy); \
+ \
+ element_mul(e0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, e0); \
+ element_neg(c, c); \
+ \
+ element_mul(e0, a, numx); \
+ element_mul(e1, b, numy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(e, e, e0); \
+ \
+ element_mul(e0, a, denomx); \
+ element_mul(e1, b, denomy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(edenom, edenom, e0); \
+ }
+
+ #define do_line(e, edenom, A, B) { \
+ element_ptr Ax = curve_x_coord(A); \
+ element_ptr Ay = curve_y_coord(A); \
+ element_ptr Bx = curve_x_coord(B); \
+ element_ptr By = curve_y_coord(B); \
+ \
+ element_sub(b, Bx, Ax); \
+ element_sub(a, Ay, By); \
+ element_mul(c, Ax, By); \
+ element_mul(e0, Ay, Bx); \
+ element_sub(c, c, e0); \
+ \
+ element_mul(e0, a, numx); \
+ element_mul(e1, b, numy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(e, e, e0); \
+ \
+ element_mul(e0, a, denomx); \
+ element_mul(e1, b, denomy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(edenom, edenom, e0); \
+ }
+
+ element_init(a, res->field);
+ element_init(b, res->field);
+ element_init(c, res->field);
+ element_init(e0, res->field);
+ element_init(e1, res->field);
+
+ element_init(v, res->field);
+ element_init(vd, res->field);
+ element_init(v1, res->field);
+ element_init(vd1, res->field);
+ element_init(Z, P->field);
+ element_init(Z1, P->field);
+
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_y_coord(Z);
+
+ element_set1(v);
+ element_set1(vd);
+ element_set1(v1);
+ element_set1(vd1);
+
+ n = p->exp1;
+ for (i=0; i<n; i++) {
+ element_square(v, v);
+ element_square(vd, vd);
+ do_tangent(v, vd);
+ element_double(Z, Z);
+ do_vertical(vd, v, Zx);
+ }
+ if (p->sign1 < 0) {
+ element_set(v1, vd);
+ element_set(vd1, v);
+ do_vertical(vd1, v1, Zx);
+ element_neg(Z1, Z);
+ } else {
+ element_set(v1, v);
+ element_set(vd1, vd);
+ element_set(Z1, Z);
+ }
+ n = p->exp2;
+ for (; i<n; i++) {
+ element_square(v, v);
+ element_square(vd, vd);
+ do_tangent(v, vd);
+ element_double(Z, Z);
+ do_vertical(vd, v, Zx);
+ }
+ element_mul(v, v, v1);
+ element_mul(vd, vd, vd1);
+ do_line(v, vd, Z, Z1);
+ element_add(Z, Z, Z1);
+ do_vertical(vd, v, Zx);
+
+ if (p->sign0 > 0) {
+ do_vertical(v, vd, Px);
+ }
+
+ element_invert(vd, vd);
+ element_mul(res, v, vd);
+
+ element_clear(v);
+ element_clear(vd);
+ element_clear(v1);
+ element_clear(vd1);
+ element_clear(Z);
+ element_clear(Z1);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ element_clear(e1);
+ #undef do_vertical
+ #undef do_tangent
+ #undef do_line
+}
+
+static void (*e_miller_fn)(element_t res, element_t P,
+ element_ptr QR, element_ptr R,
+ e_pairing_data_ptr p);
+
+static void e_pairing(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ e_pairing_data_ptr p = pairing->data;
+ element_ptr Q = in2;
+ element_t QR;
+ element_init(QR, p->Eq);
+ element_add(QR, Q, p->R);
+ e_miller_fn(out, in1, QR, p->R, p);
+ element_pow_mpz(out, out, pairing->phikonr);
+ element_clear(QR);
+}
+
+// in1, in2 are from E(F_q), out from F_q^2.
+// Pairing via elliptic nets (see Stange).
+static void e_pairing_ellnet(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ const element_ptr a = curve_a_coeff(in1);
+ const element_ptr b = curve_b_coeff(in1);
+
+ element_ptr x = curve_x_coord(in1);
+ element_ptr y = curve_y_coord(in1);
+
+ element_ptr x2 = curve_x_coord(in2);
+ element_ptr y2 = curve_y_coord(in2);
+
+ //notation: cmi means c_{k-i}, ci means c_{k+i}
+ element_t cm3, cm2, cm1, c0, c1, c2, c3, c4;
+ element_t dm1, d0, d1;
+ element_t A, B, C;
+
+ element_init_same_as(cm3, x);
+ element_init_same_as(cm2, x);
+ element_init_same_as(cm1, x);
+ element_init_same_as(c0, x);
+ element_init_same_as(c1, x);
+ element_init_same_as(c2, x);
+ element_init_same_as(c3, x);
+ element_init_same_as(c4, x);
+ element_init_same_as(C, x);
+
+ element_init_same_as(dm1, out);
+ element_init_same_as(d0, out);
+ element_init_same_as(d1, out);
+ element_init_same_as(A, x);
+ element_init_same_as(B, out);
+
+ // c1 = 2y
+ // cm3 = -2y
+ element_double(c1, y);
+ element_neg(cm3, c1);
+
+ //use c0, cm1, cm2, C, c4 as temp variables for now
+ //compute c3, c2
+ element_square(cm2, x);
+ element_square(C, cm2);
+ element_mul(cm1, b, x);
+ element_double(cm1, cm1);
+ element_square(c4, a);
+
+ element_mul(c2, cm1, cm2);
+ element_double(c2, c2);
+ element_mul(c0, a, C);
+ element_add(c2, c2, c0);
+ element_mul(c0, c4, cm2);
+ element_sub(c2, c2, c0);
+ element_double(c0, c2);
+ element_double(c0, c0);
+ element_add(c2, c2, c0);
+
+ element_mul(c0, cm1, a);
+ element_square(c3, b);
+ element_double(c3, c3);
+ element_double(c3, c3);
+ element_add(c0, c0, c3);
+ element_double(c0, c0);
+ element_mul(c3, a, c4);
+ element_add(c0, c0, c3);
+ element_sub(c2, c2, c0);
+ element_mul(c0, cm2, C);
+ element_add(c3, c0, c2);
+ element_mul(c3, c3, c1);
+ element_double(c3, c3);
+
+ element_mul(c0, a, cm2);
+ element_add(c0, c0, cm1);
+ element_double(c0, c0);
+ element_add(c0, c0, C);
+ element_double(c2, c0);
+ element_add(c0, c0, c2);
+ element_sub(c2, c0, c4);
+
+ // c0 = 1
+ // cm2 = -1
+ element_set1(c0);
+ element_neg(cm2, c0);
+
+ // c4 = c_5 = c_2^3 c_4 - c_3^3 = c1^3 c3 - c2^3
+ element_square(C, c1);
+ element_mul(c4, C, c1);
+ element_mul(c4, c4, c3);
+ element_square(C, c2);
+ element_mul(C, C, c2);
+ element_sub(c4, c4, C);
+
+ //compute A, B, d1 (which is d_2 since k = 1)
+ element_sub(A, x, x2);
+ element_double(C, x);
+ element_add(C, C, x2);
+ element_square(cm1, A);
+ element_mul(cm1, C, cm1);
+ element_add(d1, y, y2);
+ element_square(d1, d1);
+ element_sub(B, cm1, d1);
+ element_invert(B, B);
+ element_invert(A, A);
+
+ element_sub(d1, y, y2);
+ element_mul(d1, d1, A);
+ element_square(d1, d1);
+ element_sub(d1, C, d1);
+
+ // cm1 = 0
+ // C = (2y)^-1
+ element_set0(cm1);
+ element_invert(C, c1);
+
+ element_set1(dm1);
+ element_set1(d0);
+
+ element_t sm2, sm1;
+ element_t s0, s1, s2, s3;
+ element_t tm2, tm1;
+ element_t t0, t1, t2, t3;
+ element_t e0, e1;
+ element_t u, v;
+
+ element_init_same_as(sm2, x);
+ element_init_same_as(sm1, x);
+ element_init_same_as(s0, x);
+ element_init_same_as(s1, x);
+ element_init_same_as(s2, x);
+ element_init_same_as(s3, x);
+
+ element_init_same_as(tm2, x);
+ element_init_same_as(tm1, x);
+ element_init_same_as(t0, x);
+ element_init_same_as(t1, x);
+ element_init_same_as(t2, x);
+ element_init_same_as(t3, x);
+
+ element_init_same_as(e0, x);
+ element_init_same_as(e1, x);
+
+ element_init_same_as(u, d0);
+ element_init_same_as(v, d0);
+
+ int m = mpz_sizeinbase(pairing->r, 2) - 2;
+ for (;;) {
+ element_square(sm2, cm2);
+ element_square(sm1, cm1);
+ element_square(s0, c0);
+ element_square(s1, c1);
+ element_square(s2, c2);
+ element_square(s3, c3);
+
+ element_mul(tm2, cm3, cm1);
+ element_mul(tm1, cm2, c0);
+ element_mul(t0, cm1, c1);
+ element_mul(t1, c0, c2);
+ element_mul(t2, c1, c3);
+ element_mul(t3, c2, c4);
+
+ element_square(u, d0);
+ element_mul(v, dm1, d1);
+
+ if (mpz_tstbit(pairing->r, m)) {
+ //double-and-add
+ element_mul(e0, t0, sm2);
+ element_mul(e1, tm2, s0);
+ element_sub(cm3, e0, e1);
+ element_mul(cm3, cm3, C);
+
+ element_mul(e0, t0, sm1);
+ element_mul(e1, tm1, s0);
+ element_sub(cm2, e0, e1);
+
+ element_mul(e0, t1, sm1);
+ element_mul(e1, tm1, s1);
+ element_sub(cm1, e0, e1);
+ element_mul(cm1, cm1, C);
+
+ element_mul(e0, t1, s0);
+ element_mul(e1, t0, s1);
+ element_sub(c0, e0, e1);
+
+ element_mul(e0, t2, s0);
+ element_mul(e1, t0, s2);
+ element_sub(c1, e0, e1);
+ element_mul(c1, c1, C);
+
+ element_mul(e0, t2, s1);
+ element_mul(e1, t1, s2);
+ element_sub(c2, e0, e1);
+
+ element_mul(e0, t3, s1);
+ element_mul(e1, t1, s3);
+ element_sub(c3, e0, e1);
+ element_mul(c3, c3, C);
+
+ element_mul(e0, t3, s2);
+ element_mul(e1, t2, s3);
+ element_sub(c4, e0, e1);
+
+ element_mul(out, u, t0);
+ element_mul(dm1, v, s0);
+ element_sub(dm1, dm1, out);
+
+ element_mul(out, u, t1);
+ element_mul(d0, v, s1);
+ element_sub(d0, d0, out);
+ element_mul(d0, d0, A);
+
+ element_mul(out, u, t2);
+ element_mul(d1, v, s2);
+ element_sub(d1, d1, out);
+ element_mul(d1, d1, B);
+ } else {
+ //double
+ element_mul(e0, tm1, sm2);
+ element_mul(e1, tm2, sm1);
+ element_sub(cm3, e0, e1);
+
+ element_mul(e0, t0, sm2);
+ element_mul(e1, tm2, s0);
+ element_sub(cm2, e0, e1);
+ element_mul(cm2, cm2, C);
+
+ element_mul(e0, t0, sm1);
+ element_mul(e1, tm1, s0);
+ element_sub(cm1, e0, e1);
+
+ element_mul(e0, t1, sm1);
+ element_mul(e1, tm1, s1);
+ element_sub(c0, e0, e1);
+ element_mul(c0, c0, C);
+
+ element_mul(e0, t1, s0);
+ element_mul(e1, t0, s1);
+ element_sub(c1, e0, e1);
+
+ element_mul(e0, t2, s0);
+ element_mul(e1, t0, s2);
+ element_sub(c2, e0, e1);
+ element_mul(c2, c2, C);
+
+ element_mul(e0, t2, s1);
+ element_mul(e1, t1, s2);
+ element_sub(c3, e0, e1);
+
+ element_mul(e0, t3, s1);
+ element_mul(e1, t1, s3);
+ element_sub(c4, e0, e1);
+ element_mul(c4, c4, C);
+
+ element_mul(out, u, tm1);
+ element_mul(dm1, v, sm1);
+ element_sub(dm1, dm1, out);
+
+ element_mul(out, u, t0);
+ element_mul(d0, v, s0);
+ element_sub(d0, d0, out);
+
+ element_mul(out, u, t1);
+ element_mul(d1, v, s1);
+ element_sub(d1, d1, out);
+ element_mul(d1, d1, A);
+ }
+ if (!m) break;
+ m--;
+ }
+ element_invert(c1, c1);
+ element_mul(d1, d1, c1);
+
+ element_pow_mpz(out, d1, pairing->phikonr);
+
+ element_clear(dm1);
+ element_clear(d0);
+ element_clear(d1);
+
+ element_clear(cm3);
+ element_clear(cm2);
+ element_clear(cm1);
+ element_clear(c0);
+ element_clear(c1);
+ element_clear(c2);
+ element_clear(c3);
+ element_clear(c4);
+
+ element_clear(sm2);
+ element_clear(sm1);
+ element_clear(s0);
+ element_clear(s1);
+ element_clear(s2);
+ element_clear(s3);
+
+ element_clear(tm2);
+ element_clear(tm1);
+ element_clear(t0);
+ element_clear(t1);
+ element_clear(t2);
+ element_clear(t3);
+
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(A);
+ element_clear(B);
+ element_clear(C);
+ element_clear(u);
+ element_clear(v);
+}
+
+static void phi_identity(element_ptr out, element_ptr in, pairing_ptr pairing) {
+ (void) pairing;
+ element_set(out, in);
+}
+
+static void e_pairing_option_set(pairing_t pairing, char *key, char *value) {
+ //TODO: this affects every type E pairing!
+ UNUSED_VAR(pairing);
+ if (!strcmp(key, "method")) {
+ if (!strcmp(value, "miller")) {
+ pairing->map = e_pairing;
+ e_miller_fn = e_miller_proj;
+ } else if (!strcmp(value, "miller-affine")) {
+ pairing->map = e_pairing;
+ e_miller_fn = e_miller_affine;
+ } else if (!strcmp(value, "shipsey-stange")) {
+ pairing->map = e_pairing_ellnet;
+ }
+ }
+}
+
+static void e_pairing_clear(pairing_t pairing) {
+ field_clear(pairing->GT);
+ e_pairing_data_ptr p = pairing->data;
+ field_clear(p->Fq);
+ field_clear(p->Eq);
+ element_clear(p->R);
+ pbc_free(p);
+
+ mpz_clear(pairing->phikonr);
+ mpz_clear(pairing->r);
+ field_clear(pairing->Zr);
+}
+
+static void e_finalpow(element_ptr e) {
+ element_pow_mpz(e->data, e->data, e->field->pairing->phikonr);
+}
+
+static void e_init_pairing(pairing_t pairing, void *data) {
+ e_param_ptr param = data;
+ e_pairing_data_ptr p;
+ element_t a, b;
+
+ mpz_init(pairing->r);
+ mpz_set(pairing->r, param->r);
+ field_init_fp(pairing->Zr, pairing->r);
+ pairing->map = e_pairing;
+ e_miller_fn = e_miller_proj;
+
+ p = pairing->data = pbc_malloc(sizeof(e_pairing_data_t));
+ p->exp2 = param->exp2;
+ p->exp1 = param->exp1;
+ p->sign1 = param->sign1;
+ p->sign0 = param->sign0;
+ field_init_fp(p->Fq, param->q);
+ element_init(a, p->Fq);
+ element_init(b, p->Fq);
+ element_set_mpz(a, param->a);
+ element_set_mpz(b, param->b);
+ field_init_curve_ab(p->Eq, a, b, pairing->r, param->h);
+
+ //k=1, hence phikonr = (p-1)/r
+ mpz_init(pairing->phikonr);
+ mpz_sub_ui(pairing->phikonr, p->Fq->order, 1);
+ mpz_divexact(pairing->phikonr, pairing->phikonr, pairing->r);
+
+ pairing->G2 = pairing->G1 = p->Eq;
+ pairing_GT_init(pairing, p->Fq);
+ pairing->finalpow = e_finalpow;
+ pairing->phi = phi_identity;
+ pairing->option_set = e_pairing_option_set;
+ pairing->clear_func = e_pairing_clear;
+
+ element_init(p->R, p->Eq);
+ curve_set_gen_no_cofac(p->R);
+
+ element_clear(a);
+ element_clear(b);
+}
+
+static void e_init(pbc_param_ptr p) {
+ static pbc_param_interface_t interface = {{
+ e_clear,
+ e_init_pairing,
+ e_out_str,
+ }};
+ p->api = interface;
+ e_param_ptr ep = p->data = pbc_malloc(sizeof(*ep));
+ mpz_init(ep->q);
+ mpz_init(ep->r);
+ mpz_init(ep->h);
+ mpz_init(ep->a);
+ mpz_init(ep->b);
+}
+
+// Public interface:
+
+int pbc_param_init_e(pbc_param_ptr par, struct symtab_s *tab) {
+ e_init(par);
+ e_param_ptr p = par->data;
+
+ int err = 0;
+ err += lookup_mpz(p->q, tab, "q");
+ err += lookup_mpz(p->r, tab, "r");
+ err += lookup_mpz(p->h, tab, "h");
+ err += lookup_mpz(p->a, tab, "a");
+ err += lookup_mpz(p->b, tab, "b");
+ err += lookup_int(&p->exp2, tab, "exp2");
+ err += lookup_int(&p->exp1, tab, "exp1");
+ err += lookup_int(&p->sign1, tab, "sign1");
+ err += lookup_int(&p->sign0, tab, "sign0");
+ return err;
+}
+
+void pbc_param_init_e_gen(pbc_param_t par, int rbits, int qbits) {
+ e_init(par);
+ e_param_ptr p = par->data;
+ //3 takes 2 bits to represent
+ int hbits = (qbits - 2) / 2 - rbits;
+ mpz_ptr q = p->q;
+ mpz_ptr r = p->r;
+ mpz_ptr h = p->h;
+ mpz_t n;
+ field_t Fq;
+ field_t cc;
+ element_t j;
+ int found = 0;
+
+ //won't find any curves is hbits is too low
+ if (hbits < 3) hbits = 3;
+
+ mpz_init(n);
+
+ do {
+ int i;
+ mpz_set_ui(r, 0);
+
+ if (rand() % 2) {
+ p->exp2 = rbits - 1;
+ p->sign1 = 1;
+ } else {
+ p->exp2 = rbits;
+ p->sign1 = -1;
+ }
+ mpz_setbit(r, p->exp2);
+
+ p->exp1 = (rand() % (p->exp2 - 1)) + 1;
+ //use q as a temp variable
+ mpz_set_ui(q, 0);
+ mpz_setbit(q, p->exp1);
+
+ if (p->sign1 > 0) {
+ mpz_add(r, r, q);
+ } else {
+ mpz_sub(r, r, q);
+ }
+
+ if (rand() % 2) {
+ p->sign0 = 1;
+ mpz_add_ui(r, r, 1);
+ } else {
+ p->sign0 = -1;
+ mpz_sub_ui(r, r, 1);
+ }
+ if (!mpz_probab_prime_p(r, 10)) continue;
+ for (i=0; i<10; i++) {
+ //use q as a temp variable
+ mpz_set_ui(q, 0);
+ mpz_setbit(q, hbits + 1);
+ pbc_mpz_random(h, q);
+ mpz_mul(h, h, h);
+ mpz_mul_ui(h, h, 3);
+ //finally q takes the value it should
+ mpz_mul(n, r, r);
+ mpz_mul(n, n, h);
+ mpz_add_ui(q, n, 1);
+ if (mpz_probab_prime_p(q, 10)) {
+ found = 1;
+ break;
+ }
+ }
+ } while (!found);
+ /*
+ do {
+ mpz_set_ui(r, 0);
+ mpz_setbit(r, rbits);
+ pbc_mpz_random(r, r);
+ mpz_nextprime(r, r);
+ mpz_mul(n, r, r);
+ mpz_mul_ui(n, n, 3);
+ mpz_add_ui(q, n, 1);
+ } while (!mpz_probab_prime_p(q, 10));
+ */
+
+ field_init_fp(Fq, q);
+ element_init(j, Fq);
+ element_set_si(j, 1);
+ field_init_curve_b(cc, j, n, NULL);
+ element_clear(j);
+ // We may need to twist it.
+ {
+ // Pick a random point P and twist the curve if P has the wrong order.
+ element_t P;
+ element_init(P, cc);
+ element_random(P);
+ element_mul_mpz(P, P, n);
+ if (!element_is0(P)) field_reinit_curve_twist(cc);
+ element_clear(P);
+ }
+ element_to_mpz(p->a, curve_field_a_coeff(cc));
+ element_to_mpz(p->b, curve_field_b_coeff(cc));
+
+ mpz_clear(n);
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/eta_T_3.c b/moon-abe/pbc-0.5.14/ecc/eta_T_3.c
new file mode 100644
index 00000000..44396b76
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/eta_T_3.c
@@ -0,0 +1,835 @@
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_fp.h"
+#include "pbc_memory.h"
+#include "pbc_param.h"
+#include "pbc_pairing.h"
+#include "pbc_ternary_extension_field.h"
+#include "param.h"
+
+typedef struct { /* private data of $GF(3^m)$ */
+ unsigned int len; /* the number of native machine integers required to represent one GF(3^m) element */
+ int m; /* the irreducible polynomial is $x^m + x^t + 2$ */
+ int t; /* the irreducible polynomial is $x^m + x^t + 2$ */
+ element_ptr p; /* $p$ is the irreducible polynomial. */
+ mpz_t n; /* group order of $G_1$, $G_2$, $G_T$ */
+ mpz_t n2; /* order(elliptic curve points) / order(G_1) */
+} params;
+
+struct pairing_data {
+ field_t gf3m, gf32m, gf36m;
+ mpz_t n2; // cofactor
+};
+typedef struct pairing_data *pairing_data_ptr;
+
+#define PARAM(e) ((params *)e->field->data)
+#define ITEM(e,x,y) (element_item(element_item(e,x),y))
+#define print(e) {printf(#e": "); element_out_str(stdout, 10, e); printf("\n");}
+
+struct point_s { // points on the elliptic curve $y^2=x^3-x+1$
+ int isinf;
+ element_t x, y;
+};
+typedef struct point_s *point_ptr;
+typedef struct point_s point_t[1];
+
+#define FIELD(e) ((field_ptr) e->field)
+#define BASE(e) ((field_ptr) FIELD(e)->data)
+#define DATA(e) ((point_ptr) e->data)
+
+static void point_set(element_t e, element_t a) {
+ point_ptr r = DATA(e), p = DATA(a);
+ r->isinf = p->isinf;
+ if (!p->isinf) {
+ element_set(r->x, p->x);
+ element_set(r->y, p->y);
+ }
+}
+
+static void point_init(element_t e) {
+ field_ptr f = BASE(e);
+ e->data = pbc_malloc(sizeof(struct point_s));
+ point_ptr p = DATA(e);
+ element_init(p->x, f);
+ element_init(p->y, f);
+ p->isinf = 1;
+}
+
+static void point_clear(element_t e) {
+ point_ptr p = DATA(e);
+ element_clear(p->x);
+ element_clear(p->y);
+ pbc_free(p);
+}
+
+/* return 1 if $a!=b$, 0 otherwise. */
+static int point_cmp(element_t a, element_t b) {
+ point_ptr pa = DATA(a), pb = DATA(b);
+ if (pa->isinf == pb->isinf) {
+ if (pa->isinf)
+ return 0;
+ else
+ return element_cmp(pa->x, pb->x) || element_cmp(pa->y, pb->y);
+ } else
+ return 1;
+}
+
+static void point_set0(element_ptr e) {
+ DATA(e)->isinf = 1;
+}
+
+static int point_is0(element_ptr e) {
+ return DATA(e)->isinf;
+}
+
+static void point_random(element_t a) {
+ point_ptr p = DATA(a);
+ element_ptr x = p->x, y = p->y;
+ field_ptr f = x->field;
+ p->isinf = 0;
+ element_t t, t2, e1;
+ element_init(t, f);
+ element_init(e1, f);
+ element_set1(e1);
+ element_init(t2, f);
+ do {
+ element_random(x);
+ if (element_is0(x))
+ continue;
+ element_cubic(t, x); // t == x^3
+ element_sub(t, t, x); // t == x^3 - x
+ element_add(t, t, e1); // t == x^3 - x + 1
+ element_sqrt(y, t); // y == sqrt(x^3 - x + 1)
+ element_mul(t2, y, y); // t2 == x^3 - x + 1
+ } while (element_cmp(t2, t)); // t2 != t
+
+ // make sure order of $a$ is order of $G_1$
+ pairing_ptr pairing = FIELD(a)->pairing;
+ pairing_data_ptr dp = pairing->data;
+ element_pow_mpz(a, a, dp->n2);
+
+ element_clear(t);
+ element_clear(t2);
+ element_clear(e1);
+}
+
+static void point_add(element_t c, element_t a, element_t b) {
+ point_ptr p1 = DATA(a), p2 = DATA(b), p3 = DATA(c);
+ int inf1 = p1->isinf, inf2 = p2->isinf;
+ element_ptr x1 = p1->x, y1 = p1->y, x2 = p2->x, y2 = p2->y;
+ field_ptr f = FIELD(x1);
+ if (inf1) {
+ point_set(c, b);
+ return;
+ }
+ if (inf2) {
+ point_set(c, a);
+ return;
+ }
+ element_t v0, v1, v2, v3, v4, ny2;
+ element_init(v0, f);
+ element_init(v1, f);
+ element_init(v2, f);
+ element_init(v3, f);
+ element_init(v4, f);
+ element_init(ny2, f);
+ if (!element_cmp(x1, x2)) { // x1 == x2
+ element_neg(ny2, y2); // ny2 == -y2
+ if (!element_cmp(y1, ny2)) {
+ p3->isinf = 1;
+ goto end;
+ }
+ if (!element_cmp(y1, y2)) { // y1 == y2
+ element_invert(v0, y1); // v0 == y1^{-1}
+ element_mul(v1, v0, v0); // v1 == [y1^{-1}]^2
+ element_add(p3->x, v1, x1); // v1 == [y1^{-1}]^2 + x1
+ element_cubic(v2, v0); // v2 == [y1^{-1}]^3
+ element_add(v2, v2, y1); // v2 == [y1^{-1}]^3 + y1
+ element_neg(p3->y, v2); // p3 == -([y1^{-1}]^3 + y1)
+ p3->isinf = 0;
+ goto end;
+ }
+ }
+ // $P1 \ne \pm P2$
+ element_sub(v0, x2, x1); // v0 == x2-x1
+ element_invert(v1, v0); // v1 == (x2-x1)^{-1}
+ element_sub(v0, y2, y1); // v0 == y2-y1
+ element_mul(v2, v0, v1); // v2 == (y2-y1)/(x2-x1)
+ element_mul(v3, v2, v2); // v3 == [(y2-y1)/(x2-x1)]^2
+ element_cubic(v4, v2); // v4 == [(y2-y1)/(x2-x1)]^3
+ element_add(v0, x1, x2); // v0 == x1+x2
+ element_sub(v3, v3, v0); // v3 == [(y2-y1)/(x2-x1)]^2 - (x1+x2)
+ element_add(v0, y1, y2); // v0 == y1+y2
+ element_sub(v4, v0, v4); // v4 == (y1+y2) - [(y2-y1)/(x2-x1)]^3
+ p3->isinf = 0;
+ element_set(p3->x, v3);
+ element_set(p3->y, v4);
+ end: element_clear(v0);
+ element_clear(v1);
+ element_clear(v2);
+ element_clear(v3);
+ element_clear(v4);
+ element_clear(ny2);
+}
+
+static void point_invert(element_ptr e, element_ptr a) {
+ point_ptr r = DATA(e), p = DATA(a);
+ r->isinf = p->isinf;
+ if (!p->isinf) {
+ element_set(r->x, p->x);
+ element_neg(r->y, p->y);
+ }
+}
+
+static size_t point_out_str(FILE *stream, int base, element_ptr a) {
+ point_ptr p = DATA(a);
+ size_t size = 0;
+ if (p->isinf)
+ return fprintf(stream, "O");
+ else {
+ size += element_out_str(stream, base, p->x);
+ size += element_out_str(stream, base, p->y);
+ return size;
+ }
+}
+
+static void point_field_clear(field_ptr f) {
+ UNUSED_VAR(f);
+}
+
+void field_init_eta_T_3(field_t f, field_t base) {
+ field_init(f);
+ f->data = (void *) base;
+ f->init = point_init;
+ f->clear = point_clear;
+ f->random = point_random;
+ f->set = point_set;
+ f->cmp = point_cmp;
+ f->invert = f->neg = point_invert;
+ f->mul = f->add = point_add;
+ f->set1 = f->set0 = point_set0;
+ f->is1 = f->is0 = point_is0;
+ f->mul_mpz = f->pow_mpz;
+ f->out_str = point_out_str;
+ f->field_clear = point_field_clear;
+ f->name = "eta_T_3 point group";
+}
+
+/* computing of $(-t^2 +u*s -t*p -p^2)^3$
+ * The algorithm is by J.Beuchat et.al, in the paper of "Algorithms and Arithmetic Operators for Computing
+ * the $eta_T$ Pairing in Characteristic Three", algorithm 4 in the appendix */
+static void algorithm4a(element_t S, element_t t, element_t u) {
+ field_ptr f = FIELD(t);
+ element_t e1, c0, c1, m0, v0, v2;
+ element_init(e1, f);
+ element_init(c0, f);
+ element_init(c1, f);
+ element_init(m0, f);
+ element_init(v0, f);
+ element_init(v2, f);
+ element_set1(e1);
+ element_cubic(c0, t); // c0 == t^3
+ element_cubic(c1, u);
+ element_neg(c1, c1); // c1 == -u^3
+ element_mul(m0, c0, c0); // m0 == c0^2
+ element_neg(v0, m0); // v0 == -c0^2
+ element_sub(v0, v0, c0); // v0 == -c0^2 -c0
+ element_sub(v0, v0, e1); // v0 == -c0^2 -c0 -1
+ element_set1(v2);
+ element_sub(v2, v2, c0); // v2 == 1 -c0
+ // v1 == c1
+ // S == [[v0, v1], [v2, f3m.zero()], [f3m.two(), f3m.zero()]]
+ element_set(ITEM(S,0,0), v0);
+ element_set(ITEM(S,0,1), c1);
+ element_set(ITEM(S,1,0), v2);
+ element_set0(ITEM(S,1,1));
+ element_neg(ITEM(S,2,0), e1);
+ element_set0(ITEM(S,2,1));
+ element_clear(e1);
+ element_clear(c0);
+ element_clear(c1);
+ element_clear(m0);
+ element_clear(v0);
+ element_clear(v2);
+}
+
+static void algorithm5(element_t c, element_ptr xp, element_ptr yp,
+ element_ptr xq, element_ptr yq) {
+ params *p = PARAM(xp);
+ unsigned int re = p->m % 12;
+ field_ptr f = FIELD(xp) /*GF(3^m)*/, f6 = FIELD(c) /*GF(3^{6*m})*/;
+ element_t e1, xpp, ypp, xqq, yqq, t, nt, nt2, v1, v2, a1, a2, R, u, nu, S, S2;
+ element_init(e1, f);
+ element_init(xpp, f);
+ element_init(ypp, f);
+ element_init(xqq, f);
+ element_init(yqq, f);
+ element_init(t, f);
+ element_init(nt, f);
+ element_init(nt2, f);
+ element_init(v1, f);
+ element_init(v2, f);
+ element_init(a1, f6);
+ element_init(a2, f6);
+ element_init(R, f6);
+ element_init(u, f);
+ element_init(nu, f);
+ element_init(S, f6);
+ element_init(S2, f6);
+ element_set1(e1);
+ element_set(xpp, xp);
+ xp = xpp; // clone
+ element_add(xp, xp, e1); // xp == xp + b
+ element_set(ypp, yp);
+ yp = ypp; // clone
+ if (re == 1 || re == 11)
+ element_neg(yp, yp); // yp == -\mu*b*yp, \mu == 1 when re==1, or 11
+ element_set(xqq, xq);
+ xq = xqq; // clone
+ element_cubic(xq, xq); // xq == xq^3
+ element_set(yqq, yq);
+ yq = yqq; // clone
+ element_cubic(yq, yq); // yq == yq^3
+ element_add(t, xp, xq); // t == xp+xq
+ element_neg(nt, t); // nt == -t
+ element_mul(nt2, t, nt); // nt2 == -t^2
+ element_mul(v2, yp, yq); // v2 == yp*yq
+ element_mul(v1, yp, t); // v1 == yp*t
+ if (re == 7 || re == 11) { // \lambda == 1
+ element_t nyp, nyq;
+ element_init(nyp, f);
+ element_init(nyq, f);
+ element_neg(nyp, yp); // nyp == -yp
+ element_neg(nyq, yq); // nyq == -yq
+ element_set(ITEM(a1,0,0), v1);
+ element_set(ITEM(a1,0,1), nyq);
+ element_set(ITEM(a1,1,0), nyp);
+ element_clear(nyp);
+ element_clear(nyq);
+ } else { // \lambda == -1
+ element_neg(v1, v1); // v1 == -yp*t
+ element_set(ITEM(a1,0,0), v1);
+ element_set(ITEM(a1,0,1), yq);
+ element_set(ITEM(a1,1,0), yp);
+ }
+ // a2 == -t^2 +yp*yq*s -t*p -p^2
+ element_set(ITEM(a2,0,0), nt2);
+ element_set(ITEM(a2,0,1), v2);
+ element_set(ITEM(a2,1,0), nt);
+ element_neg(ITEM(a2,2,0), e1);
+ element_mul(R, a1, a2);
+ int i;
+ for (i = 0; i < (p->m - 1) / 4; i++) {
+ element_cubic(R, R);
+ element_cubic(R, R); // R <= R^9
+ element_cubic(xq, xq);
+ element_cubic(xq, xq);
+ element_sub(xq, xq, e1); // xq <= xq^9-b
+ element_cubic(yq, yq);
+ element_cubic(yq, yq); // yq <= yq^9
+ element_add(t, xp, xq); // t == xp+xq
+ element_mul(u, yp, yq); // u == yp*yq
+ element_neg(nu, u); // nu == -yp*yq
+ algorithm4a(S, t, nu); // S == (-t^2 -u*s -t*p -p^2)^3
+ element_cubic(xq, xq);
+ element_cubic(xq, xq);
+ element_sub(xq, xq, e1); // xq <= xq^9-b
+ element_cubic(yq, yq);
+ element_cubic(yq, yq); // yq <= yq^9
+ element_add(t, xp, xq); // t == xp+xq
+ element_mul(u, yp, yq); // u == yp*yq
+ element_neg(nt, t); // nt == -t
+ element_mul(nt2, t, nt); // nt2 == -t^2
+ // S2 = [[nt2, u], [nt, f3m.zero()], [f3m.two(), f3m.zero()]]
+ // S2 == -t^2 +u*s -t*p -p^2
+ element_set(ITEM(S2,0,0), nt2);
+ element_set(ITEM(S2,0,1), u);
+ element_set(ITEM(S2,1,0), nt);
+ element_set0(ITEM(S2,1,1));
+ element_neg(ITEM(S2,2,0), e1);
+ element_set0(ITEM(S2,2,1));
+ element_mul(S, S, S2);
+ element_mul(R, R, S);
+ }
+ element_set(c, R);
+ element_clear(e1);
+ element_clear(xpp);
+ element_clear(ypp);
+ element_clear(xqq);
+ element_clear(yqq);
+ element_clear(t);
+ element_clear(nt);
+ element_clear(nt2);
+ element_clear(v1);
+ element_clear(v2);
+ element_clear(a1);
+ element_clear(a2);
+ element_clear(R);
+ element_clear(u);
+ element_clear(nu);
+ element_clear(S);
+ element_clear(S2);
+}
+
+/* this is the algorithm 4 in the paper of J.Beuchat et.al, "Algorithms and Arithmetic Operators for Computing
+ * the $eta_T$ Pairing in Characteristic Three" */
+static void algorithm4(element_t c, element_ptr xp, element_ptr yp,
+ element_ptr xq, element_ptr yq) {
+ params *p = PARAM(xp);
+ unsigned int re = p->m % 12;
+ field_ptr f = FIELD(xp) /*GF(3^m)*/, f6 = FIELD(c) /*GF(3^{6*m})*/;
+ element_t e1, xpp, ypp, xqq, yqq, t, nt, nt2, v1, v2, a1, a2, R, u, S;
+ element_init(e1, f);
+ element_init(xpp, f);
+ element_init(ypp, f);
+ element_init(xqq, f);
+ element_init(yqq, f);
+ element_init(t, f);
+ element_init(nt, f);
+ element_init(nt2, f);
+ element_init(v1, f);
+ element_init(v2, f);
+ element_init(a1, f6);
+ element_init(a2, f6);
+ element_init(R, f6);
+ element_init(u, f);
+ element_init(S, f6);
+ element_set1(e1);
+ element_set(xpp, xp);
+ xp = xpp; // clone
+ element_add(xp, xp, e1); // xp == xp + b
+ element_set(ypp, yp);
+ yp = ypp; // clone
+ if (re == 1 || re == 11)
+ element_neg(yp, yp); // yp == -\mu*b*yp, \mu == 1 when re==1, or 11
+ element_set(xqq, xq);
+ xq = xqq; // clone
+ element_cubic(xq, xq); // xq == xq^3
+ element_set(yqq, yq);
+ yq = yqq; // clone
+ element_cubic(yq, yq); // yq == yq^3
+ element_add(t, xp, xq); // t == xp+xq
+ element_neg(nt, t); // nt == -t
+ element_mul(nt2, t, nt); // nt2 == -t^2
+ element_mul(v2, yp, yq); // v2 == yp*yq
+ element_mul(v1, yp, t); // v1 == yp*t
+ if (re == 7 || re == 11) { // \lambda == 1
+ element_t nyp, nyq;
+ element_init(nyp, f);
+ element_init(nyq, f);
+ element_neg(nyp, yp); // nyp == -yp
+ element_neg(nyq, yq); // nyq == -yq
+ element_set(ITEM(a1,0,0), v1);
+ element_set(ITEM(a1,0,1), nyq);
+ element_set(ITEM(a1,1,0), nyp);
+ element_clear(nyp);
+ element_clear(nyq);
+ } else { // \lambda == -1
+ element_neg(v1, v1); // v1 == -yp*t
+ element_set(ITEM(a1,0,0), v1);
+ element_set(ITEM(a1,0,1), yq);
+ element_set(ITEM(a1,1,0), yp);
+ }
+ // a2 == -t^2 +yp*yq*s -t*p -p^2
+ element_set(ITEM(a2,0,0), nt2);
+ element_set(ITEM(a2,0,1), v2);
+ element_set(ITEM(a2,1,0), nt);
+ element_neg(ITEM(a2,2,0), e1);
+ element_mul(R, a1, a2);
+ int i;
+ for (i = 0; i < (p->m - 1) / 2; i++) {
+ element_cubic(R, R);
+ element_cubic(xq, xq);
+ element_cubic(xq, xq);
+ element_sub(xq, xq, e1); // xq <= xq^9-b
+ element_cubic(yq, yq);
+ element_cubic(yq, yq);
+ element_neg(yq, yq); // yq <= -yq^9
+ element_add(t, xp, xq); // t == xp+xq
+ element_neg(nt, t); // nt == -t
+ element_mul(nt2, t, nt); // nt2 == -t^2
+ element_mul(u, yp, yq); // u == yp*yq
+ element_set0(S);
+ element_set(ITEM(S,0,0), nt2);
+ element_set(ITEM(S,0,1), u);
+ element_set(ITEM(S,1,0), nt);
+ element_neg(ITEM(S,2,0), e1);
+ element_mul(R, R, S);
+ }
+ element_set(c, R);
+ element_clear(e1);
+ element_clear(xpp);
+ element_clear(ypp);
+ element_clear(xqq);
+ element_clear(yqq);
+ element_clear(t);
+ element_clear(nt);
+ element_clear(nt2);
+ element_clear(v1);
+ element_clear(v2);
+ element_clear(a1);
+ element_clear(a2);
+ element_clear(R);
+ element_clear(u);
+ element_clear(S);
+}
+
+/* computation of $c <- U ^ {3^{3m} - 1}$
+ * This is the algorithm 6 in the paper above. */
+static void algorithm6(element_t c, element_t u) {
+ element_ptr u0 = ITEM(u,0,0), u1 = ITEM(u,0,1), u2 = ITEM(u,1,0), u3 =
+ ITEM(u,1,1), u4 = ITEM(u,2,0), u5 = ITEM(u,2,1);
+ field_ptr f = FIELD(u0); /*GF(3^m)*/
+ field_t f3; /*GF(3^{3*m})*/
+ field_init_gf33m(f3, f);
+ element_t v0, v1, m0, m1, m2, a0, a1, i;
+ element_init(v0, f3);
+ element_init(v1, f3);
+ element_init(m0, f3);
+ element_init(m1, f3);
+ element_init(m2, f3);
+ element_init(a0, f3);
+ element_init(a1, f3);
+ element_init(i, f3);
+ element_set(element_item(v0, 0), u0);
+ element_set(element_item(v0, 1), u2);
+ element_set(element_item(v0, 2), u4);
+ element_set(element_item(v1, 0), u1);
+ element_set(element_item(v1, 1), u3);
+ element_set(element_item(v1, 2), u5);
+ element_mul(m0, v0, v0);
+ element_mul(m1, v1, v1);
+ element_mul(m2, v0, v1);
+ element_sub(a0, m0, m1);
+ element_add(a1, m0, m1);
+ element_invert(i, a1);
+ element_mul(v0, a0, i);
+ element_mul(v1, m2, i);
+ element_set(ITEM(c,0,0), element_item(v0, 0));
+ element_set(ITEM(c,1,0), element_item(v0, 1));
+ element_set(ITEM(c,2,0), element_item(v0, 2));
+ element_set(ITEM(c,0,1), element_item(v1, 0));
+ element_set(ITEM(c,1,1), element_item(v1, 1));
+ element_set(ITEM(c,2,1), element_item(v1, 2));
+ element_clear(v0);
+ element_clear(v1);
+ element_clear(m0);
+ element_clear(m1);
+ element_clear(m2);
+ element_clear(a0);
+ element_clear(a1);
+ element_clear(i);
+ field_clear(f3);
+}
+
+/* computation of $c <- U ^ {3^m+1}$, $U \in T_2(F_{3^3M})$
+ * This is the algorithm 7 in the paper above. */
+static void algorithm7(element_t c, element_t u) {
+ element_ptr u0 = ITEM(u,0,0), u1 = ITEM(u,0,1), u2 = ITEM(u,1,0), u3 =
+ ITEM(u,1,1), u4 = ITEM(u,2,0), u5 = ITEM(u,2,1);
+ field_ptr f = FIELD(u0); /*GF(3^m)*/
+ params *p = PARAM(u0);
+ element_t a0, a1, a2, a3, a4, a5, a6, m0, m1, m2, m3, m4, m5, m6, m7, m8,
+ v0, v1, v2, v3, v4, v5, e1;
+ element_init(a0, f);
+ element_init(a1, f);
+ element_init(a2, f);
+ element_init(a3, f);
+ element_init(a4, f);
+ element_init(a5, f);
+ element_init(a6, f);
+ element_init(m0, f);
+ element_init(m1, f);
+ element_init(m2, f);
+ element_init(m3, f);
+ element_init(m4, f);
+ element_init(m5, f);
+ element_init(m6, f);
+ element_init(m7, f);
+ element_init(m8, f);
+ element_init(v0, f);
+ element_init(v1, f);
+ element_init(v2, f);
+ element_init(v3, f);
+ element_init(v4, f);
+ element_init(v5, f);
+ element_init(e1, f);
+ element_set1(e1);
+ element_add(a0, u0, u1);
+ element_add(a1, u2, u3);
+ element_sub(a2, u4, u5);
+ element_mul(m0, u0, u4);
+ element_mul(m1, u1, u5);
+ element_mul(m2, u2, u4);
+ element_mul(m3, u3, u5);
+ element_mul(m4, a0, a2);
+ element_mul(m5, u1, u2);
+ element_mul(m6, u0, u3);
+ element_mul(m7, a0, a1);
+ element_mul(m8, a1, a2);
+ element_add(a3, m5, m6);
+ element_sub(a3, a3, m7);
+ element_neg(a4, m2);
+ element_sub(a4, a4, m3);
+ element_sub(a5, m3, m2);
+ element_sub(a6, m1, m0);
+ element_add(a6, a6, m4);
+ if (p->m % 6 == 1) {
+ element_add(v0, m0, m1);
+ element_add(v0, v0, a4);
+ element_add(v0, e1, v0);
+ element_sub(v1, m5, m6);
+ element_add(v1, v1, a6);
+ element_sub(v2, a4, a3);
+ element_add(v3, m8, a5);
+ element_sub(v3, v3, a6);
+ element_add(v4, a3, a4);
+ element_neg(v4, v4);
+ element_add(v5, m8, a5);
+ } else { // p->m % 6 == 5
+ element_add(v0, m0, m1);
+ element_sub(v0, v0, a4);
+ element_add(v0, e1, v0);
+ element_sub(v1, m6, m5);
+ element_add(v1, v1, a6);
+ element_set(v2, a3);
+ element_add(v3, m8, a5);
+ element_add(v3, v3, a6);
+ element_add(v4, a3, a4);
+ element_neg(v4, v4);
+ element_add(v5, m8, a5);
+ element_neg(v5, v5);
+ }
+ element_set(ITEM(c,0,0), v0);
+ element_set(ITEM(c,0,1), v1);
+ element_set(ITEM(c,1,0), v2);
+ element_set(ITEM(c,1,1), v3);
+ element_set(ITEM(c,2,0), v4);
+ element_set(ITEM(c,2,1), v5);
+ element_clear(a0);
+ element_clear(a1);
+ element_clear(a2);
+ element_clear(a3);
+ element_clear(a4);
+ element_clear(a5);
+ element_clear(a6);
+ element_clear(m0);
+ element_clear(m1);
+ element_clear(m2);
+ element_clear(m3);
+ element_clear(m4);
+ element_clear(m5);
+ element_clear(m6);
+ element_clear(m7);
+ element_clear(m8);
+ element_clear(v0);
+ element_clear(v1);
+ element_clear(v2);
+ element_clear(v3);
+ element_clear(v4);
+ element_clear(v5);
+ element_clear(e1);
+}
+
+/* computing $c <- U^M, M=(3^{3m}-1)*(3^m+1)*(3^m+1-\mu*b*3^{(m+1)//2})$
+ * This is the algorithm 8 in the paper above. */
+static void algorithm8(element_t c, element_t u) {
+ field_ptr f6 = FIELD(u), f = FIELD(ITEM(u,0,0));
+ params *p = (params *) f->data;
+ element_t v, w;
+ element_init(v, f6);
+ element_init(w, f6);
+ algorithm6(v, u);
+ algorithm7(v, v);
+ element_set(w, v);
+ int i;
+ for (i = 0; i < (p->m + 1) / 2; i++)
+ element_cubic(w, w);
+ algorithm7(v, v);
+ if (p->m % 12 == 1 || p->m % 12 == 11) { // w <= w^{-\mu*b}
+ element_ptr e;
+ e = ITEM(w,0,1);
+ element_neg(e, e);
+ e = ITEM(w,1,1);
+ element_neg(e, e);
+ e = ITEM(w,2,1);
+ element_neg(e, e);
+ }
+ element_mul(c, v, w);
+ element_clear(v);
+ element_clear(w);
+}
+
+/* computing the Eta_T bilinear pairing $c <- Eta_T pairing(P,R)$ */
+static void eta_T_pairing(element_ptr c, element_ptr P, element_ptr R, struct pairing_s *p) {
+ UNUSED_VAR(p);
+ if (DATA(P)->isinf || DATA(R)->isinf)
+ element_set1(c);
+ else {
+ element_ptr x1 = DATA(P)->x, y1 = DATA(P)->y, x2 = DATA(R)->x, y2 =
+ DATA(R)->y;
+ if((PARAM(x1)->m - 1) / 2 % 2 == 0)
+ algorithm5(c, x1, y1, x2, y2);
+ else
+ algorithm4(c, x1, y1, x2, y2);
+ algorithm8(c, c);
+ }
+}
+
+static void eta_T_3_clear(params *p) {
+ mpz_clear(p->n);
+ mpz_clear(p->n2);
+ pbc_free(p);
+}
+
+static void GT_random(element_ptr e) {
+ element_t a, b;
+ element_init(a, e->field->pairing->G1);
+ element_init(b, e->field->pairing->G1);
+ element_random(a);
+ element_random(b);
+ element_pairing(e, a, b);
+ element_clear(a);
+ element_clear(b);
+}
+
+static void eta_T_3_pairing_clear(pairing_t pairing) {
+ mpz_clear(pairing->r);
+ field_clear(pairing->Zr);
+ field_clear(pairing->GT);
+ field_clear(pairing->G1);
+ pbc_free(pairing->G1);
+ pairing_data_ptr dp = pairing->data;
+ field_clear(dp->gf3m);
+ field_clear(dp->gf32m);
+ field_clear(dp->gf36m);
+ mpz_clear(dp->n2);
+ pbc_free(dp);
+}
+
+static void eta_T_3_init_pairing(pairing_t pairing, params *p) {
+ mpz_init(pairing->r);
+ mpz_set(pairing->r, p->n);
+ field_init_fp(pairing->Zr, pairing->r);
+
+ pairing_data_ptr dp = pbc_malloc(sizeof(*dp));
+ mpz_init(dp->n2);
+ mpz_set(dp->n2, p->n2);
+ field_init_gf3m(dp->gf3m, p->m, p->t);
+ field_init_gf32m(dp->gf32m, dp->gf3m);
+ field_init_gf33m(dp->gf36m, dp->gf32m);
+ pairing_GT_init(pairing, dp->gf36m);
+ pairing->GT->name = "eta_T_3 group of roots of 1";
+ pairing->GT->random = GT_random;
+ pairing->G2 = pairing->G1 = pbc_malloc(sizeof(field_t));
+ field_init_eta_T_3(pairing->G1, dp->gf3m);
+ pairing->G1->pairing = pairing;
+ mpz_set(pairing->G1->order, p->n);
+ mpz_set(pairing->GT->order, p->n);
+ pairing->map = eta_T_pairing;
+ pairing->data = dp;
+ pairing->clear_func = eta_T_3_pairing_clear;
+}
+
+static void eta_T_3_out_str(FILE *stream, params *p) {
+ param_out_type(stream, "i");
+ param_out_int(stream, "m", p->m);
+ param_out_int(stream, "t", p->t);
+ param_out_mpz(stream, "n", p->n);
+ param_out_mpz(stream, "n2", p->n2);
+}
+
+static void param_init(pbc_param_ptr p) {
+ static pbc_param_interface_t interface = {{
+ (void (*)(void *))eta_T_3_clear,
+ (void (*)(pairing_t, void *))eta_T_3_init_pairing,
+ (void (*)(FILE *, void *))eta_T_3_out_str,
+ }};
+ p->api = interface;
+ params *param = p->data = pbc_malloc(sizeof(*param));
+ mpz_init(param->n);
+ mpz_init(param->n2);
+}
+
+int pbc_param_init_i(pbc_param_ptr p, struct symtab_s *tab) {
+ param_init(p);
+ params *param = p->data;
+ int err = 0;
+ err += lookup_int(&param->m, tab, "m");
+ err += lookup_int(&param->t, tab, "t");
+ err += lookup_mpz(param->n, tab, "n");
+ err += lookup_mpz(param->n2, tab, "n2");
+ return err;
+}
+
+void pbc_param_init_i_gen(pbc_param_ptr par, int group_size) {
+ param_init(par);
+ params *p = par->data;
+ if (group_size <= 150) {
+ p->m = 97;
+ p->t = 12;
+ mpz_set_str(p->n, "2726865189058261010774960798134976187171462721", 10);
+ mpz_set_str(p->n2, "7", 10);
+ } else if (group_size <= 206) {
+ p->m = 199;
+ p->t = 164;
+ mpz_set_str(p->n, "167725321489096000055336949742738378351010268990525380470313869", 10);
+ mpz_set_str(p->n2, "527874953560391326545598291952743", 10);
+ } else if (group_size <= 259) {
+ p->m = 235;
+ p->t = 26;
+ mpz_set_str(p->n, "1124316700897695330265827797088699345032488681307846555184025129863722718180241", 10);
+ mpz_set_str(p->n2, "11819693021332914275777073321995059", 10);
+ } else if (group_size <= 316) {
+ p->m = 385;
+ p->t = 22;
+ mpz_set_str(p->n, "140884762419712839999909157778648717913595360839856026704744558309545986970238264714753014287541", 10);
+ mpz_set_str(p->n2, "34899486997246711147841377458771182755186809219564106252058066150110543296498189654810187", 10);
+ } else if (group_size <= 376) {
+ p->m = 337;
+ p->t = 30;
+ mpz_set_str(p->n, "250796519030408069744426774377542635685621984993105288007781750196791322190409525696108840742205849171229571431053", 10);
+ mpz_set_str(p->n2, "245777055088325363697128811262733732423405120899", 10);
+ } else if (group_size <= 430) {
+ p->m = 373;
+ p->t = 198;
+ mpz_set_str(p->n, "2840685307599487500956683789051368080919805957805957356540760731597378326586402072132959867084691357708217739285576524329854284197", 10);
+ mpz_set_str(p->n2, "3256903458766749542151641063558247849550904613763", 10);
+ } else if (group_size <= 484) {
+ p->m = 395;
+ p->t = 338;
+ mpz_set_str(p->n, "80172097064154181257340545445945701478615643539554910656655431171167598268341527430200810544156625333601812351266052856520678455274751591367269291", 10);
+ mpz_set_str(p->n2, "3621365590261279902324876775553649595261567", 10);
+ } else if (group_size <= 552) {
+ p->m = 433;
+ p->t = 120;
+ mpz_set_str(p->n, "15699907553631673835088720676147779193076555382157913339177784853763686462870506492752576492212322736133645158157557950634628006965882177348385366381692092784577773463", 10);
+ mpz_set_str(p->n2, "24980791723059119877470531054938874784049", 10);
+ } else if (group_size <= 644) {
+ p->m = 467;
+ p->t = 48;
+ mpz_set_str(p->n, "108220469499363631995525712756135494735252733492048868417164002000654321383482753640072319529019505742300964525569770933946381504691909098938045089999753901375631613294579329433690943459352138231", 10);
+ mpz_set_str(p->n2, "60438898450096967424971813347", 10);
+ } else if (group_size <= 696) {
+ p->m = 503;
+ p->t = 104;
+ mpz_set_str(p->n, "545523657676112447260904563578912738373307867219686215849632469801471112426878939776725222290437653718473962733760874627315930933126581248465899651120481066111839081575164964589811985885719017214938514563804313", 10);
+ mpz_set_str(p->n2, "1799606423432800810122901025413", 10);
+ } else if (group_size <= 803) {
+ p->m = 509;
+ p->t = 358;
+ mpz_set_str(p->n, "102239946202586852409809887418093021457150612495255706614733003327526279081563687830782748305746187060264985869283524441819589592750998086186315250781067131293823177124077445718802216415539934838376431091001197641295264650596195201747790167311", 10);
+ mpz_set_str(p->n2, "7", 10);
+ } else if (group_size <= 892) {
+ p->m = 617;
+ p->t = 88;
+ mpz_set_str(p->n, "57591959284219511220590893724691916802833742568034971006633345422620650391172287893878655658086794200963521584019889327992536532560877385225451713282279597074750857647455565899702728629166541223955196002755787520206774906606158388947359746178875040401304783332742806641", 10);
+ mpz_set_str(p->n2, "42019638181715250622338241", 10);
+ } else
+ pbc_die("unsupported group size");
+}
+
diff --git a/moon-abe/pbc-0.5.14/ecc/f_param.c b/moon-abe/pbc-0.5.14/ecc/f_param.c
new file mode 100644
index 00000000..2477ace1
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/f_param.c
@@ -0,0 +1,599 @@
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h>
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_fp.h"
+#include "pbc_fieldquadratic.h"
+#include "pbc_param.h"
+#include "pbc_pairing.h"
+#include "pbc_poly.h"
+#include "pbc_curve.h"
+#include "pbc_memory.h"
+#include "pbc_f_param.h"
+#include "ecc/param.h"
+
+struct f_param_s {
+ mpz_t q; // Curve defined over F_q.
+ mpz_t r; // The order of the curve.
+ mpz_t b; // E: y^2 = x^3 + b
+ mpz_t beta; //beta is a quadratic nonresidue in Fq
+ //we use F_q^2 = F_q[sqrt(beta)]
+ mpz_t alpha0, alpha1;
+ //the polynomial x^6 + alpha0 + alpha1 sqrt(beta)
+ //is irreducible over F_q^2[x], so
+ //we can extend F_q^2 to F_q^12 using the
+ //sixth root of -(alpha0 + alpha1 sqrt(beta))
+};
+typedef struct f_param_s f_param_t[1];
+typedef struct f_param_s *f_param_ptr;
+
+// TODO: we never use phikonr so don't bother computing it,
+// but one day other routines might need it
+struct f_pairing_data_s {
+ field_t Fq, Fq2, Fq2x, Fq12;
+ field_t Eq, Etwist;
+ element_t negalpha;
+ element_t negalphainv;
+ mpz_t tateexp;
+
+ //for tate exponentiation speedup:
+ //x^{q^k} for various k
+ element_t xpowq2, xpowq6, xpowq8;
+};
+typedef struct f_pairing_data_s f_pairing_data_t[1];
+typedef struct f_pairing_data_s *f_pairing_data_ptr;
+
+static void f_clear(void *data) {
+ f_param_ptr fp = data;
+ mpz_clear(fp->q);
+ mpz_clear(fp->r);
+ mpz_clear(fp->b);
+ mpz_clear(fp->beta);
+ mpz_clear(fp->alpha0);
+ mpz_clear(fp->alpha1);
+ pbc_free(data);
+}
+
+static void f_out_str(FILE *stream, void *data) {
+ f_param_ptr p = data;
+ param_out_type(stream, "f");
+ param_out_mpz(stream, "q", p->q);
+ param_out_mpz(stream, "r", p->r);
+ param_out_mpz(stream, "b", p->b);
+ param_out_mpz(stream, "beta", p->beta);
+ param_out_mpz(stream, "alpha0", p->alpha0);
+ param_out_mpz(stream, "alpha1", p->alpha1);
+}
+
+static void tryminusx(mpz_ptr q, mpz_ptr x) {
+ //36x4 - 36x3 + 24x2 - 6x + 1
+ //= ((36(x - 1)x + 24)x - 6)x + 1
+ mpz_sub_ui(q, x, 1);
+ mpz_mul(q, q, x);
+ mpz_mul_ui(q, q, 36);
+ mpz_add_ui(q, q, 24);
+ mpz_mul(q, q, x);
+ mpz_sub_ui(q, q, 6);
+ mpz_mul(q, q, x);
+ mpz_add_ui(q, q, 1);
+}
+
+static void tryplusx(mpz_ptr q, mpz_ptr x) {
+ //36x4 + 36x3 + 24x2 + 6x + 1
+ //= ((36(x + 1)x + 24)x + 6)x + 1
+ mpz_add_ui(q, x, 1);
+ mpz_mul(q, q, x);
+ mpz_mul_ui(q, q, 36);
+ mpz_add_ui(q, q, 24);
+ mpz_mul(q, q, x);
+ mpz_add_ui(q, q, 6);
+ mpz_mul(q, q, x);
+ mpz_add_ui(q, q, 1);
+}
+
+static void cc_miller_no_denom(element_t res, mpz_t q, element_t P,
+ element_ptr Qx, element_ptr Qy, element_t negalpha) {
+ int m;
+ element_t v;
+ element_t Z;
+ element_t a, b, c;
+ element_t t0;
+ element_t e0, e1;
+ element_ptr Zx, Zy;
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr Py = curve_y_coord(P);
+
+ #define do_term(i, j, k, flag) { \
+ element_ptr e2; \
+ e2 = element_item(e0, i); \
+ element_mul(e1, element_item(v, j), Qx); \
+ if (flag == 1) element_mul(e1, e1, negalpha); \
+ element_mul(element_x(e1), element_x(e1), a); \
+ element_mul(element_y(e1), element_y(e1), a); \
+ element_mul(e2, element_item(v, k), Qy); \
+ element_mul(element_x(e2), element_x(e2), b); \
+ element_mul(element_y(e2), element_y(e2), b); \
+ element_add(e2, e2, e1); \
+ if (flag == 2) element_mul(e2, e2, negalpha); \
+ element_mul(element_x(e1), element_x(element_item(v, i)), c); \
+ element_mul(element_y(e1), element_y(element_item(v, i)), c); \
+ element_add(e2, e2, e1); \
+ }
+
+ // a, b, c lie in Fq
+ // Qx, Qy lie in Fq^2
+ // Qx is coefficient of x^4
+ // Qy is coefficient of x^3
+ //
+ // computes v *= (a Qx x^4 + b Qy x^3 + c)
+ //
+ // recall x^6 = -alpha thus
+ // x^4 (u0 + u1 x^1 + ... + u5 x^5) =
+ // u0 x^4 + u1 x^5
+ // - alpha u2 - alpha u3 x - alpha u4 x^2 - alpha u5 x^3
+ // and
+ // x^4 (u0 + u1 x^1 + ... + u5 x^5) =
+ // u0 x^3 + u1 x^4 + u2 x^5
+ // - alpha u3 - alpha u4 x - alpha u5 x^2
+ #define f_miller_evalfn() { \
+ do_term(0, 2, 3, 2); \
+ do_term(1, 3, 4, 2); \
+ do_term(2, 4, 5, 2); \
+ do_term(3, 5, 0, 1); \
+ do_term(4, 0, 1, 0); \
+ do_term(5, 1, 2, 0); \
+ element_set(v, e0); \
+ }
+ /*
+ element_ptr e1;
+
+ e1 = element_item(e0, 4);
+
+ element_mul(element_x(e1), element_x(Qx), a);
+ element_mul(element_y(e1), element_y(Qx), a);
+
+ e1 = element_item(e0, 3);
+
+ element_mul(element_x(e1), element_x(Qy), b);
+ element_mul(element_y(e1), element_y(Qy), b);
+
+ element_set(element_x(element_item(e0, 0)), c);
+
+ element_mul(v, v, e0);
+ */
+
+ //a = -3 Zx^2 since cc->a is 0 for D = 3
+ //b = 2 * Zy
+ //c = -(2 Zy^2 + a Zx);
+ #define do_tangent() { \
+ element_square(a, Zx); \
+ element_mul_si(a, a, 3); \
+ element_neg(a, a); \
+ \
+ element_add(b, Zy, Zy); \
+ \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ f_miller_evalfn(); \
+ }
+
+ //a = -(B.y - A.y) / (B.x - A.x);
+ //b = 1;
+ //c = -(A.y + a * A.x);
+ //but we'll multiply by B.x - A.x to avoid division
+ #define do_line() { \
+ element_sub(b, Px, Zx); \
+ element_sub(a, Zy, Py); \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ f_miller_evalfn(); \
+ }
+
+ element_init(a, Px->field);
+ element_init(b, a->field);
+ element_init(c, a->field);
+ element_init(t0, a->field);
+ element_init(e0, res->field);
+ element_init(e1, Qx->field);
+
+ element_init(v, res->field);
+ element_init(Z, P->field);
+
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_y_coord(Z);
+
+ element_set1(v);
+ m = mpz_sizeinbase(q, 2) - 2;
+
+ //TODO: sliding NAF
+ for(;;) {
+ do_tangent();
+
+ if (!m) break;
+
+ element_double(Z, Z);
+ if (mpz_tstbit(q, m)) {
+ do_line();
+ element_add(Z, Z, P);
+ }
+ m--;
+ element_square(v, v);
+ }
+
+ element_set(res, v);
+
+ element_clear(v);
+ element_clear(Z);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(t0);
+ element_clear(e0);
+ element_clear(e1);
+ #undef do_term
+ #undef f_miller_evalfn
+ #undef do_tangent
+ #undef do_line
+}
+
+static void f_tateexp(element_t out) {
+ element_t x, y, epow;
+ f_pairing_data_ptr p = out->field->pairing->data;
+ element_init(x, p->Fq12);
+ element_init(y, p->Fq12);
+ element_init(epow, p->Fq2);
+
+ #define qpower(e1, e) { \
+ element_set(element_item(e1, 0), element_item(out, 0)); \
+ element_mul(element_item(e1, 1), element_item(out, 1), e); \
+ element_square(epow, e); \
+ element_mul(element_item(e1, 2), element_item(out, 2), epow); \
+ element_mul(epow, epow, e); \
+ element_mul(element_item(e1, 3), element_item(out, 3), epow); \
+ element_mul(epow, epow, e); \
+ element_mul(element_item(e1, 4), element_item(out, 4), epow); \
+ element_mul(epow, epow, e); \
+ element_mul(element_item(e1, 5), element_item(out, 5), epow); \
+ }
+
+ qpower(y, p->xpowq8);
+ qpower(x, p->xpowq6);
+ element_mul(y, y, x);
+ qpower(x, p->xpowq2);
+ element_mul(x, x, out);
+ element_invert(x, x);
+ element_mul(out, y, x);
+
+ element_clear(epow);
+ element_clear(x);
+ element_clear(y);
+ element_pow_mpz(out, out, p->tateexp);
+ #undef qpower
+}
+
+static void f_finalpow(element_t out) {
+ f_tateexp(out->data);
+}
+
+static void f_pairing(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ element_ptr Qbase = in2;
+ element_t x, y;
+ f_pairing_data_ptr p = pairing->data;
+
+ element_init(x, p->Fq2);
+ element_init(y, p->Fq2);
+ //map from twist: (x, y) --> (v^-2 x, v^-3 y)
+ //where v is the sixth root used to construct the twist
+ //i.e. v^6 = -alpha
+ //thus v^-2 = -alpha^-1 v^4
+ //and v^-3 = -alpha^-1 v^3
+ element_mul(x, curve_x_coord(Qbase), p->negalphainv);
+ element_mul(y, curve_y_coord(Qbase), p->negalphainv);
+
+ cc_miller_no_denom(out, pairing->r, in1, x, y, p->negalpha);
+
+ element_clear(x);
+ element_clear(y);
+
+ f_tateexp(out);
+}
+
+static void f_pairing_clear(pairing_t pairing) {
+ field_clear(pairing->GT);
+ f_pairing_data_ptr p = pairing->data;
+ element_clear(p->negalpha);
+ element_clear(p->negalphainv);
+ mpz_clear(p->tateexp);
+ element_clear(p->xpowq2);
+ element_clear(p->xpowq6);
+ element_clear(p->xpowq8);
+ field_clear(p->Etwist);
+ field_clear(p->Eq);
+
+ field_clear(p->Fq12);
+ field_clear(p->Fq2x);
+ field_clear(p->Fq2);
+ field_clear(p->Fq);
+ pbc_free(p);
+
+ mpz_clear(pairing->r);
+ field_clear(pairing->Zr);
+}
+
+static void f_init_pairing(pairing_t pairing, void *data) {
+ f_param_ptr param = data;
+ f_pairing_data_ptr p;
+ element_t irred;
+ element_t e0, e1, e2;
+ p = pairing->data = pbc_malloc(sizeof(f_pairing_data_t));
+ mpz_init(pairing->r);
+ mpz_set(pairing->r, param->r);
+ field_init_fp(pairing->Zr, pairing->r);
+ field_init_fp(p->Fq, param->q);
+ p->Fq->nqr = pbc_malloc(sizeof(element_t));
+ element_init(p->Fq->nqr, p->Fq);
+ element_set_mpz(p->Fq->nqr, param->beta);
+ field_init_quadratic(p->Fq2, p->Fq);
+ field_init_poly(p->Fq2x, p->Fq2);
+ element_init(irred, p->Fq2x);
+ // Call poly_set_coeff1() first so we can use element_item() for the other
+ // coefficients.
+ poly_set_coeff1(irred, 6);
+
+ element_init(p->negalpha, p->Fq2);
+ element_init(p->negalphainv, p->Fq2);
+ element_set_mpz(element_x(p->negalpha), param->alpha0);
+ element_set_mpz(element_y(p->negalpha), param->alpha1);
+
+ element_set(element_item(irred, 0), p->negalpha);
+ field_init_polymod(p->Fq12, irred);
+ element_neg(p->negalpha, p->negalpha);
+ element_invert(p->negalphainv, p->negalpha);
+ element_clear(irred);
+
+ element_init(e0, p->Fq);
+ element_init(e1, p->Fq);
+ element_init(e2, p->Fq2);
+
+ // Initialize the curve Y^2 = X^3 + b.
+ element_set_mpz(e1, param->b);
+ field_init_curve_ab(p->Eq, e0, e1, pairing->r, NULL);
+
+ // Initialize the curve Y^2 = X^3 - alpha0 b - alpha1 sqrt(beta) b.
+ element_set_mpz(e0, param->alpha0);
+ element_neg(e0, e0);
+ element_mul(element_x(e2), e0, e1);
+ element_set_mpz(e0, param->alpha1);
+ element_neg(e0, e0);
+ element_mul(element_y(e2), e0, e1);
+ element_clear(e0);
+ element_init(e0, p->Fq2);
+ field_init_curve_ab(p->Etwist, e0, e2, pairing->r, NULL);
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(e2);
+
+ mpz_t ndonr;
+ mpz_init(ndonr);
+ // ndonr temporarily holds the trace.
+ mpz_sub(ndonr, param->q, param->r);
+ mpz_add_ui(ndonr, ndonr, 1);
+ // TODO: We can use a smaller quotient_cmp, but I have to figure out
+ // BN curves again.
+ pbc_mpz_curve_order_extn(ndonr, param->q, ndonr, 12);
+ mpz_divexact(ndonr, ndonr, param->r);
+ mpz_divexact(ndonr, ndonr, param->r);
+ field_curve_set_quotient_cmp(p->Etwist, ndonr);
+ mpz_clear(ndonr);
+
+ pairing->G1 = p->Eq;
+ pairing->G2 = p->Etwist;
+ pairing_GT_init(pairing, p->Fq12);
+ pairing->finalpow = f_finalpow;
+ pairing->map = f_pairing;
+ pairing->clear_func = f_pairing_clear;
+
+ mpz_init(p->tateexp);
+ /* unoptimized tate exponent
+ mpz_pow_ui(p->tateexp, param->q, 12);
+ mpz_sub_ui(p->tateexp, p->tateexp, 1);
+ mpz_divexact(p->tateexp, p->tateexp, param->r);
+ */
+ mpz_ptr z = p->tateexp;
+ mpz_mul(z, param->q, param->q);
+ mpz_sub_ui(z, z, 1);
+ mpz_mul(z, z, param->q);
+ mpz_mul(z, z, param->q);
+ mpz_add_ui(z, z, 1);
+ mpz_divexact(z, z, param->r);
+
+ element_init(p->xpowq2, p->Fq2);
+ element_init(p->xpowq6, p->Fq2);
+ element_init(p->xpowq8, p->Fq2);
+ element_t xpowq;
+ element_init(xpowq, p->Fq12);
+
+ //there are smarter ways since we know q = 1 mod 6
+ //and that x^6 = -alpha
+ //but this is fast enough
+ element_set1(element_item(xpowq, 1));
+ element_pow_mpz(xpowq, xpowq, param->q);
+ element_pow_mpz(xpowq, xpowq, param->q);
+ element_set(p->xpowq2, element_item(xpowq, 1));
+
+ element_pow_mpz(xpowq, xpowq, param->q);
+ element_pow_mpz(xpowq, xpowq, param->q);
+ element_pow_mpz(xpowq, xpowq, param->q);
+ element_pow_mpz(xpowq, xpowq, param->q);
+ element_set(p->xpowq6, element_item(xpowq, 1));
+
+ element_pow_mpz(xpowq, xpowq, param->q);
+ element_pow_mpz(xpowq, xpowq, param->q);
+ element_set(p->xpowq8, element_item(xpowq, 1));
+
+ element_clear(xpowq);
+}
+
+static void f_init(pbc_param_ptr p) {
+ static pbc_param_interface_t interface = {{
+ f_clear,
+ f_init_pairing,
+ f_out_str,
+ }};
+ p->api = interface;
+ f_param_ptr fp = p->data = pbc_malloc(sizeof(*fp));
+ mpz_init(fp->q);
+ mpz_init(fp->r);
+ mpz_init(fp->b);
+ mpz_init(fp->beta);
+ mpz_init(fp->alpha0);
+ mpz_init(fp->alpha1);
+}
+
+// Public interface:
+
+int pbc_param_init_f(pbc_param_ptr par, struct symtab_s *tab) {
+ f_init(par);
+ f_param_ptr p = par->data;
+
+ int err = 0;
+ err += lookup_mpz(p->q, tab, "q");
+ err += lookup_mpz(p->r, tab, "r");
+ err += lookup_mpz(p->b, tab, "b");
+ err += lookup_mpz(p->beta, tab, "beta");
+ err += lookup_mpz(p->alpha0, tab, "alpha0");
+ err += lookup_mpz(p->alpha1, tab, "alpha1");
+ return err;
+}
+
+void pbc_param_init_f_gen(pbc_param_t p, int bits) {
+ f_init(p);
+ f_param_ptr fp = p->data;
+ //36 is a 6-bit number
+ int xbit = (bits - 6) / 4;
+ //TODO: use binary search to find smallest appropriate x
+ mpz_t x, t;
+ mpz_ptr q = fp->q;
+ mpz_ptr r = fp->r;
+ mpz_ptr b = fp->b;
+ field_t Fq, Fq2, Fq2x;
+ element_t e1;
+ element_t f;
+ field_t c;
+ element_t P;
+
+ mpz_init(x);
+ mpz_init(t);
+ mpz_setbit(x, xbit);
+ for (;;) {
+ mpz_mul(t, x, x);
+ mpz_mul_ui(t, t, 6);
+ mpz_add_ui(t, t, 1);
+ tryminusx(q, x);
+ mpz_sub(r, q, t);
+ mpz_add_ui(r, r, 1);
+ if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break;
+
+ tryplusx(q, x);
+ mpz_sub(r, q, t);
+ mpz_add_ui(r, r, 1);
+ if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break;
+
+ mpz_add_ui(x, x, 1);
+ }
+
+ field_init_fp(Fq, q);
+ element_init(e1, Fq);
+
+ for (;;) {
+ element_random(e1);
+ field_init_curve_b(c, e1, r, NULL);
+ element_init(P, c);
+
+ element_random(P);
+
+ element_mul_mpz(P, P, r);
+ if (element_is0(P)) break;
+ element_clear(P);
+ field_clear(c);
+ }
+ element_to_mpz(b, e1);
+ element_clear(e1);
+ field_init_quadratic(Fq2, Fq);
+ element_to_mpz(fp->beta, field_get_nqr(Fq));
+ field_init_poly(Fq2x, Fq2);
+ element_init(f, Fq2x);
+
+ // Find an irreducible polynomial of the form f = x^6 + alpha.
+ // Call poly_set_coeff1() first so we can use element_item() for the other
+ // coefficients.
+ poly_set_coeff1(f, 6);
+ for (;;) {
+ element_random(element_item(f, 0));
+ if (poly_is_irred(f)) break;
+ }
+
+ //extend F_q^2 using f = x^6 + alpha
+ //see if sextic twist contains a subgroup of order r
+ //if not, it's the wrong twist: replace alpha with alpha^5
+ {
+ field_t ctest;
+ element_t Ptest;
+ mpz_t z0, z1;
+ mpz_init(z0);
+ mpz_init(z1);
+ element_init(e1, Fq2);
+ element_set_mpz(e1, fp->b);
+ element_mul(e1, e1, element_item(f, 0));
+ element_neg(e1, e1);
+
+ field_init_curve_b(ctest, e1, r, NULL);
+ element_init(Ptest, ctest);
+ element_random(Ptest);
+
+ //I'm not sure what the #E'(F_q^2) is, but
+ //it definitely divides n_12 = #E(F_q^12). It contains a
+ //subgroup of order r if and only if
+ //(n_12 / r^2)P != O for some (in fact most) P in E'(F_q^6)
+ mpz_pow_ui(z0, q, 12);
+ mpz_add_ui(z0, z0, 1);
+ pbc_mpz_trace_n(z1, q, t, 12);
+ mpz_sub(z1, z0, z1);
+ mpz_mul(z0, r, r);
+ mpz_divexact(z1, z1, z0);
+
+ element_mul_mpz(Ptest, Ptest, z1);
+ if (element_is0(Ptest)) {
+ mpz_set_ui(z0, 5);
+ element_pow_mpz(element_item(f, 0), element_item(f, 0), z0);
+ }
+ element_clear(e1);
+ element_clear(Ptest);
+ field_clear(ctest);
+ mpz_clear(z0);
+ mpz_clear(z1);
+ }
+
+ element_to_mpz(fp->alpha0, element_x(element_item(f, 0)));
+ element_to_mpz(fp->alpha1, element_y(element_item(f, 0)));
+
+ element_clear(f);
+
+ field_clear(Fq2x);
+ field_clear(Fq2);
+ field_clear(Fq);
+
+ mpz_clear(t);
+ mpz_clear(x);
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/g_param.c b/moon-abe/pbc-0.5.14/ecc/g_param.c
new file mode 100644
index 00000000..75a08c57
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/g_param.c
@@ -0,0 +1,1435 @@
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h>
+#include <string.h>
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_poly.h"
+#include "pbc_hilbert.h"
+#include "pbc_fp.h"
+#include "pbc_fieldquadratic.h"
+#include "pbc_mnt.h"
+#include "pbc_curve.h"
+#include "pbc_param.h"
+#include "pbc_pairing.h"
+#include "pbc_memory.h"
+#include "pbc_g_param.h"
+#include "ecc/param.h"
+
+struct g_param_s {
+ mpz_t q; // Curve defined over F_q.
+ mpz_t n; // n = #E(F_q) (= q - t + 1)
+ mpz_t h; // h * r = n, r is prime
+ mpz_t r;
+ mpz_t a, b; // E: y^2 = x^3 + ax + b
+
+ // k = 10 for these curves.
+ mpz_t nk; // #E(F_q^k)
+ mpz_t hk; // hk * r^2 = nk
+ mpz_t *coeff; //Coefficients of polynomial used to extend F_q by k/2
+ mpz_t nqr; // Quadratic nonresidue in F_q^d that lies in F_q.
+};
+
+typedef struct g_param_s g_param_t[1];
+typedef struct g_param_s *g_param_ptr;
+
+struct mnt_pairing_data_s {
+ field_t Fq, Fqx, Fqd, Fqk;
+ field_t Eq, Etwist;
+ element_t nqrinv, nqrinv2;
+ element_t xpowq, xpowq2, xpowq3, xpowq4;
+};
+typedef struct mnt_pairing_data_s mnt_pairing_data_t[1];
+typedef struct mnt_pairing_data_s *mnt_pairing_data_ptr;
+
+static void g_clear(void *data) {
+ g_param_ptr param = data;
+ int i;
+ mpz_clear(param->q);
+ mpz_clear(param->n);
+ mpz_clear(param->h);
+ mpz_clear(param->r);
+ mpz_clear(param->a);
+ mpz_clear(param->b);
+ mpz_clear(param->nk);
+ mpz_clear(param->hk);
+ mpz_clear(param->nqr);
+ for (i = 0; i < 5; i++) {
+ mpz_clear(param->coeff[i]);
+ }
+ pbc_free(param->coeff);
+ pbc_free(data);
+}
+
+static void g_out_str(FILE *stream, void *data) {
+ g_param_ptr p = data;
+ int i;
+ char s[8];
+ param_out_type(stream, "g");
+ param_out_mpz(stream, "q", p->q);
+ param_out_mpz(stream, "n", p->n);
+ param_out_mpz(stream, "h", p->h);
+ param_out_mpz(stream, "r", p->r);
+ param_out_mpz(stream, "a", p->a);
+ param_out_mpz(stream, "b", p->b);
+ param_out_mpz(stream, "nk", p->nk);
+ param_out_mpz(stream, "hk", p->hk);
+ for (i=0; i<5; i++) {
+ sprintf(s, "coeff%d", i);
+ param_out_mpz(stream, s, p->coeff[i]);
+ }
+ param_out_mpz(stream, "nqr", p->nqr);
+}
+
+static inline void d_miller_evalfn(element_t e0,
+ element_t a, element_t b, element_t c,
+ element_t Qx, element_t Qy) {
+ //a, b, c are in Fq
+ //point Q is (Qx, Qy * sqrt(nqr)) where nqr is used to construct
+ //the quadratic field extension Fqk of Fqd
+ element_ptr re_out = element_x(e0);
+ element_ptr im_out = element_y(e0);
+
+ int i;
+ int d = polymod_field_degree(re_out->field);
+ for (i=0; i<d; i++) {
+ element_mul(element_item(re_out, i), element_item(Qx, i), a);
+ element_mul(element_item(im_out, i), element_item(Qy, i), b);
+ }
+ element_add(element_item(re_out, 0), element_item(re_out, 0), c);
+}
+
+static void cc_miller_no_denom_proj(element_t res, mpz_t q, element_t P,
+ element_ptr Qx, element_ptr Qy) {
+ int m;
+ element_t v;
+ element_t Z;
+ element_t a, b, c;
+ element_t t0, t1;
+ element_ptr t2 = a, t3 = b, t4 = c;
+ element_t e0;
+ element_t z, z2;
+ element_ptr Zx, Zy;
+ const element_ptr curve_a = curve_a_coeff(P);
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr Py = curve_y_coord(P);
+
+ #define proj_double() { \
+ /* t0 = 3x^2 + (curve_a) z^4 */ \
+ element_square(t0, Zx); \
+ /* element_mul_si(t0, t0, 3); */ \
+ element_double(t1, t0); \
+ element_add(t0, t0, t1); \
+ element_square(t1, z2); \
+ element_mul(t1, t1, curve_a); \
+ element_add(t0, t0, t1); \
+ \
+ /* z_out = 2 y z */ \
+ element_mul(z, Zy, z); \
+ /* element_mul_si(z, z, 2); */ \
+ element_double(z, z); \
+ element_square(z2, z); \
+ \
+ /* t1 = 4 x y^2 */ \
+ element_square(t2, Zy); \
+ element_mul(t1, Zx, t2); \
+ /* element_mul_si(t1, t1, 4); */ \
+ element_double(t1, t1); \
+ element_double(t1, t1); \
+ \
+ /* x_out = t0^2 - 2 t1 */ \
+ /* element_mul_si(t3, t1, 2); */ \
+ element_double(t3, t1); \
+ element_square(Zx, t0); \
+ element_sub(Zx, Zx, t3); \
+ \
+ /* t2 = 8y^4 */ \
+ element_square(t2, t2); \
+ /* element_mul_si(t2, t2, 8); */ \
+ element_double(t2, t2); \
+ element_double(t2, t2); \
+ element_double(t2, t2); \
+ \
+ /* y_out = t0(t1 - x_out) - t2 */ \
+ element_sub(t1, t1, Zx); \
+ element_mul(t0, t0, t1); \
+ element_sub(Zy, t0, t2); \
+ }
+
+ #define proj_mixin() { \
+ /* t2 = Px z^2 */ \
+ element_mul(t2, z2, Px); \
+ \
+ /* t3 = Zx - t2 */ \
+ element_sub(t3, Zx, t2); \
+ \
+ /* t0 = Py z^3 */ \
+ element_mul(t0, z2, Py); \
+ element_mul(t0, t0, z); \
+ \
+ /* t1 = Zy - t0 */ \
+ element_sub(t1, Zy, t0); \
+ \
+ /* e7 = Zx + t2, use t2 to double for e7 */ \
+ element_add(t2, Zx, t2); \
+ \
+ /* e8 = Zy + t0, use t0 to double for e8 */ \
+ element_add(t0, Zy, t0); \
+ \
+ /* z = z t3 */ \
+ element_mul(z, z, t3); \
+ element_square(z2, z); \
+ \
+ /* Zx = t1^2 - e7 t3^2 */ \
+ /* t3 now holds t3^3, */ \
+ /* t4 holds e7 t3^2 */ \
+ element_square(t4, t3); \
+ element_mul(t3, t4, t3); \
+ element_square(Zx, t1); \
+ element_mul(t4, t2, t4); \
+ element_sub(Zx, Zx, t4); \
+ \
+ /* t4 = e7 t3^2 - 2 Zx */ \
+ element_sub(t4, t4, Zx); \
+ element_sub(t4, t4, Zx); \
+ \
+ /* Zy = (t4 t1 - e8 t3^3)/2 */ \
+ element_mul(t4, t4, t1); \
+ element_mul(t0, t0, t3); \
+ element_sub(t4, t4, t0); \
+ element_halve(Zy, t4); \
+ }
+
+ #define do_tangent() { \
+ /* a = -(3x^2 + cca z^4) */ \
+ /* b = 2 y z^3 */ \
+ /* c = -(2 y^2 + x a) */ \
+ /* a = z^2 a */ \
+ element_square(a, z2); \
+ element_mul(a, a, curve_a); \
+ element_square(b, Zx); \
+ /* element_mul_si(b, b, 3); */ \
+ element_double(t0, b); \
+ element_add(b, b, t0); \
+ element_add(a, a, b); \
+ element_neg(a, a); \
+ \
+ element_mul(b, z, z2); \
+ element_mul(b, b, Zy); \
+ element_mul_si(b, b, 2); \
+ \
+ element_mul(c, Zx, a); \
+ element_mul(a, a, z2); \
+ element_square(t0, Zy); \
+ element_mul_si(t0, t0, 2); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx, Qy); \
+ element_mul(v, v, e0); \
+ }
+
+ #define do_line() { \
+ /* a = -(Py z^3 - Zy) */ \
+ /* b = Px z^3 - Zx z */ \
+ /* c = Zx z Py - Zy Px; */ \
+ \
+ element_mul(t0, Zx, z); \
+ element_mul(t1, z2, z); \
+ \
+ element_mul(a, Py, t1); \
+ element_sub(a, Zy, a); \
+ \
+ element_mul(b, Px, t1); \
+ element_sub(b, b, t0); \
+ \
+ element_mul(t0, t0, Py); \
+ element_mul(c, Zy, Px); \
+ element_sub(c, t0, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx, Qy); \
+ element_mul(v, v, e0); \
+ }
+
+ element_init(a, Px->field);
+ element_init(b, a->field);
+ element_init(c, a->field);
+ element_init(t0, a->field);
+ element_init(t1, a->field);
+ element_init(e0, res->field);
+ element_init(z, a->field);
+ element_init(z2, a->field);
+ element_set1(z);
+ element_set1(z2);
+
+ element_init(v, res->field);
+ element_init(Z, P->field);
+
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_x_coord(Z);
+
+ element_set1(v);
+ m = mpz_sizeinbase(q, 2) - 2;
+
+ for(;;) {
+ do_tangent();
+ if (!m) break;
+ proj_double();
+ if (mpz_tstbit(q, m)) {
+ do_line();
+ proj_mixin();
+ }
+ m--;
+ element_square(v, v);
+ }
+
+ element_set(res, v);
+
+ element_clear(v);
+ element_clear(Z);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(t0);
+ element_clear(t1);
+ element_clear(e0);
+ element_clear(z);
+ element_clear(z2);
+ #undef proj_double
+ #undef proj_mixin
+ #undef do_tangent
+ #undef do_line
+}
+
+static void cc_miller_no_denom_affine(element_t res, mpz_t q, element_t P,
+ element_ptr Qx, element_ptr Qy) {
+ int m;
+ element_t v;
+ element_t Z;
+ element_t a, b, c;
+ element_t t0;
+ element_t e0;
+ const element_ptr cca = curve_a_coeff(P);
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr Py = curve_y_coord(P);
+ element_ptr Zx, Zy;
+
+ /* TODO: when exactly is this not needed?
+ void do_vertical(void)
+ {
+ mapbase(e0, Z->x);
+ element_sub(e0, Qx, e0);
+ element_mul(v, v, e0);
+ }
+ */
+
+ #define do_tangent() { \
+ /* a = -(3 Zx^2 + cc->a) */ \
+ /* b = 2 * Zy */ \
+ /* c = -(2 Zy^2 + a Zx); */ \
+ element_square(a, Zx); \
+ element_mul_si(a, a, 3); \
+ element_add(a, a, cca); \
+ element_neg(a, a); \
+ \
+ element_add(b, Zy, Zy); \
+ \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx, Qy); \
+ element_mul(v, v, e0); \
+ }
+
+ #define do_line() { \
+ /* a = -(B.y - A.y) / (B.x - A.x); */ \
+ /* b = 1; */ \
+ /* c = -(A.y + a * A.x); */ \
+ /* but we'll multiply by B.x - A.x */ \
+ /* to avoid division */ \
+ \
+ element_sub(b, Px, Zx); \
+ element_sub(a, Zy, Py); \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ d_miller_evalfn(e0, a, b, c, Qx, Qy); \
+ element_mul(v, v, e0); \
+ }
+
+ element_init(a, Px->field);
+ element_init(b, a->field);
+ element_init(c, a->field);
+ element_init(t0, a->field);
+ element_init(e0, res->field);
+
+ element_init(v, res->field);
+ element_init(Z, P->field);
+
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_y_coord(Z);
+
+ element_set1(v);
+ m = mpz_sizeinbase(q, 2) - 2;
+
+ for(;;) {
+ do_tangent();
+ if (!m) break;
+ element_double(Z, Z);
+ if (mpz_tstbit(q, m)) {
+ do_line();
+ element_add(Z, Z, P);
+ }
+ m--;
+ element_square(v, v);
+ }
+
+ element_set(res, v);
+
+ element_clear(v);
+ element_clear(Z);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(t0);
+ element_clear(e0);
+ #undef do_tangent
+ #undef do_line
+}
+
+// Requires cofactor is even.
+// Requires in != out.
+// Mangles in.
+static void lucas_even(element_ptr out, element_ptr in, mpz_t cofactor) {
+ element_t temp;
+ element_init_same_as(temp, out);
+ element_ptr in0 = element_x(in);
+ element_ptr in1 = element_y(in);
+ element_ptr v0 = element_x(out);
+ element_ptr v1 = element_y(out);
+ element_ptr t0 = element_x(temp);
+ element_ptr t1 = element_y(temp);
+ int j;
+
+ element_set_si(t0, 2);
+ element_double(t1, in0);
+
+ element_set(v0, t0);
+ element_set(v1, t1);
+
+ j = mpz_sizeinbase(cofactor, 2) - 1;
+ for (;;) {
+ if (!j) {
+ element_mul(v1, v0, v1);
+ element_sub(v1, v1, t1);
+ element_square(v0, v0);
+ element_sub(v0, v0, t0);
+ break;
+ }
+ if (mpz_tstbit(cofactor, j)) {
+ element_mul(v0, v0, v1);
+ element_sub(v0, v0, t1);
+ element_square(v1, v1);
+ element_sub(v1, v1, t0);
+ } else {
+ element_mul(v1, v0, v1);
+ element_sub(v1, v1, t1);
+ element_square(v0, v0);
+ element_sub(v0, v0, t0);
+ }
+ j--;
+ }
+
+ //assume cofactor = (q^2 - q + 1) / r is odd
+ //thus v1 = V_k, v0 = V_{k-1}
+ // U = (P v1 - 2 v0) / (P^2 - 4)
+
+ element_double(v0, v0);
+ element_mul(in0, t1, v1);
+ element_sub(in0, in0, v0);
+
+ element_square(t1, t1);
+ element_sub(t1, t1, t0);
+ element_sub(t1, t1, t0);
+
+ element_halve(v0, v1);
+ element_div(v1, in0, t1);
+ element_mul(v1, v1, in1);
+ element_clear(temp);
+}
+
+static void tatepower10(element_ptr out, element_ptr in, pairing_t pairing) {
+ mnt_pairing_data_ptr p = pairing->data;
+ element_t e0, e1, e2, e3;
+ element_init(e0, p->Fqk);
+ element_init(e1, p->Fqd);
+ element_init(e2, p->Fqd);
+ element_init(e3, p->Fqk);
+ element_ptr e0re = element_x(e0);
+ element_ptr e0im = element_y(e0);
+ element_ptr e0re0 = ((element_t *) e0re->data)[0];
+ element_ptr e0im0 = ((element_t *) e0im->data)[0];
+ element_t *inre = element_x(in)->data;
+ element_t *inim = element_y(in)->data;
+ //see thesis
+ #define qpower(sign) { \
+ polymod_const_mul(e2, inre[1], p->xpowq); \
+ element_set(e0re, e2); \
+ polymod_const_mul(e2, inre[2], p->xpowq2); \
+ element_add(e0re, e0re, e2); \
+ polymod_const_mul(e2, inre[3], p->xpowq3); \
+ element_add(e0re, e0re, e2); \
+ polymod_const_mul(e2, inre[4], p->xpowq4); \
+ element_add(e0re, e0re, e2); \
+ element_add(e0re0, e0re0, inre[0]); \
+ \
+ if (sign > 0) { \
+ polymod_const_mul(e2, inim[1], p->xpowq); \
+ element_set(e0im, e2); \
+ polymod_const_mul(e2, inim[2], p->xpowq2); \
+ element_add(e0im, e0im, e2); \
+ polymod_const_mul(e2, inim[3], p->xpowq3); \
+ element_add(e0im, e0im, e2); \
+ polymod_const_mul(e2, inim[4], p->xpowq4); \
+ element_add(e0im, e0im, e2); \
+ element_add(e0im0, e0im0, inim[0]); \
+ } else { \
+ polymod_const_mul(e2, inim[1], p->xpowq); \
+ element_neg(e0im, e2); \
+ polymod_const_mul(e2, inim[2], p->xpowq2); \
+ element_sub(e0im, e0im, e2); \
+ polymod_const_mul(e2, inim[3], p->xpowq3); \
+ element_sub(e0im, e0im, e2); \
+ polymod_const_mul(e2, inim[4], p->xpowq4); \
+ element_sub(e0im, e0im, e2); \
+ element_sub(e0im0, e0im0, inim[0]); \
+ } \
+ }
+ qpower(1);
+ element_set(e3, e0);
+ element_set(e0re, element_x(in));
+ element_neg(e0im, element_y(in));
+ element_mul(e3, e3, e0);
+ qpower(-1);
+ element_mul(e0, e0, in);
+ element_invert(e0, e0);
+ element_mul(in, e3, e0);
+
+ element_set(e0, in);
+ lucas_even(out, e0, pairing->phikonr);
+
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(e2);
+ element_clear(e3);
+ #undef qpower
+}
+
+static void (*cc_miller_no_denom_fn)(element_t res, mpz_t q, element_t P,
+ element_ptr Qx, element_ptr Qy);
+
+static void cc_pairing(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ element_ptr Qbase = in2;
+ element_t Qx, Qy;
+ mnt_pairing_data_ptr p = pairing->data;
+
+ element_init(Qx, p->Fqd);
+ element_init(Qy, p->Fqd);
+ //map from twist: (x, y) --> (v^-1 x, v^-(3/2) y)
+ //where v is the quadratic nonresidue used to construct the twist
+ element_mul(Qx, curve_x_coord(Qbase), p->nqrinv);
+ //v^-3/2 = v^-2 * v^1/2
+ element_mul(Qy, curve_y_coord(Qbase), p->nqrinv2);
+ cc_miller_no_denom_fn(out, pairing->r, in1, Qx, Qy);
+ tatepower10(out, out, pairing);
+ element_clear(Qx);
+ element_clear(Qy);
+}
+
+static int cc_is_almost_coddh(element_ptr a, element_ptr b,
+ element_ptr c, element_ptr d,
+ pairing_t pairing) {
+ int res = 0;
+ element_t t0, t1, t2;
+ element_t cx, cy;
+ element_t dx, dy;
+ mnt_pairing_data_ptr p = pairing->data;
+
+ element_init(cx, p->Fqd);
+ element_init(cy, p->Fqd);
+ element_init(dx, p->Fqd);
+ element_init(dy, p->Fqd);
+
+ element_init(t0, p->Fqk);
+ element_init(t1, p->Fqk);
+ element_init(t2, p->Fqk);
+ //map from twist: (x, y) --> (v^-1 x, v^-(3/2) y)
+ //where v is the quadratic nonresidue used to construct the twist
+ element_mul(cx, curve_x_coord(c), p->nqrinv);
+ element_mul(dx, curve_x_coord(d), p->nqrinv);
+ //v^-3/2 = v^-2 * v^1/2
+ element_mul(cy, curve_y_coord(c), p->nqrinv2);
+ element_mul(dy, curve_y_coord(d), p->nqrinv2);
+
+ cc_miller_no_denom_fn(t0, pairing->r, a, dx, dy);
+ cc_miller_no_denom_fn(t1, pairing->r, b, cx, cy);
+ tatepower10(t0, t0, pairing);
+ tatepower10(t1, t1, pairing);
+ element_mul(t2, t0, t1);
+ if (element_is1(t2)) {
+ //g, g^x, h, h^-x case
+ res = 1;
+ } else {
+ element_invert(t1, t1);
+ element_mul(t2, t0, t1);
+ if (element_is1(t2)) {
+ //g, g^x, h, h^x case
+ res = 1;
+ }
+ }
+ element_clear(cx);
+ element_clear(cy);
+ element_clear(dx);
+ element_clear(dy);
+ element_clear(t0);
+ element_clear(t1);
+ element_clear(t2);
+ return res;
+}
+
+struct pp_coeff_s {
+ element_t a;
+ element_t b;
+ element_t c;
+};
+typedef struct pp_coeff_s pp_coeff_t[1];
+typedef struct pp_coeff_s *pp_coeff_ptr;
+
+static void g_pairing_pp_init(pairing_pp_t p, element_ptr in1, pairing_t pairing) {
+ element_ptr P = in1;
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr Py = curve_y_coord(P);
+ element_t Z;
+ int m;
+ mnt_pairing_data_ptr info = pairing->data;
+ element_t t0;
+ element_t a, b, c;
+ field_ptr Fq = info->Fq;
+ pp_coeff_t *coeff;
+ mpz_ptr q = pairing->r;
+ pp_coeff_ptr pp;
+ const element_ptr cca = curve_a_coeff(P);
+ element_ptr Zx;
+ element_ptr Zy;
+
+ #define store_abc() { \
+ element_init(pp->a, Fq); \
+ element_init(pp->b, Fq); \
+ element_init(pp->c, Fq); \
+ element_set(pp->a, a); \
+ element_set(pp->b, b); \
+ element_set(pp->c, c); \
+ pp++; \
+ }
+
+ //a = -slope_tangent(Z.x, Z.y);
+ //b = 1;
+ //c = -(Z.y + a * Z.x);
+ //but we multiply by 2*Z.y to avoid division
+
+ //a = -Zx * (3 Zx + twicea_2) - a_4;
+ //Common curves: a2 = 0 (and cc->a is a_4), so
+ //a = -(3 Zx^2 + cc->a)
+ //b = 2 * Zy
+ //c = -(2 Zy^2 + a Zx);
+ #define do_tangent() { \
+ element_square(a, Zx); \
+ element_double(t0, a); \
+ element_add(a, a, t0); \
+ element_add(a, a, cca); \
+ element_neg(a, a); \
+ \
+ element_add(b, Zy, Zy); \
+ \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ \
+ store_abc(); \
+ }
+
+ //a = -(B.y - A.y) / (B.x - A.x);
+ //b = 1;
+ //c = -(A.y + a * A.x);
+ //but we'll multiply by B.x - A.x to avoid division
+ #define do_line() { \
+ element_sub(b, Px, Zx); \
+ element_sub(a, Zy, Py); \
+ element_mul(t0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, t0); \
+ element_neg(c, c); \
+ store_abc(); \
+ }
+
+ element_init(Z, P->field);
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_y_coord(Z);
+
+ element_init(t0, Fq);
+ element_init(a, Fq);
+ element_init(b, Fq);
+ element_init(c, Fq);
+
+ m = mpz_sizeinbase(q, 2) - 2;
+ p->data = pbc_malloc(sizeof(pp_coeff_t) * 2 * m);
+ coeff = (pp_coeff_t *) p->data;
+ pp = coeff[0];
+
+ for(;;) {
+ do_tangent();
+ if (!m) break;
+ element_double(Z, Z);
+ if (mpz_tstbit(q, m)) {
+ do_line();
+ element_add(Z, Z, P);
+ }
+ m--;
+ }
+
+ element_clear(t0);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(Z);
+ #undef store_abc
+ #undef do_tangent
+ #undef do_line
+}
+
+static void g_pairing_pp_clear(pairing_pp_t p) {
+ //TODO: better to store a sentinel value in p->data?
+ mpz_ptr q = p->pairing->r;
+ int m = mpz_sizeinbase(q, 2) + mpz_popcount(q) - 3;
+ int i;
+ pp_coeff_t *coeff = (pp_coeff_t *) p->data;
+ pp_coeff_ptr pp;
+ for (i=0; i<m; i++) {
+ pp = coeff[i];
+ element_clear(pp->a);
+ element_clear(pp->b);
+ element_clear(pp->c);
+ }
+ pbc_free(p->data);
+}
+
+static void g_pairing_pp_apply(element_ptr out, element_ptr in2, pairing_pp_t p) {
+ mpz_ptr q = p->pairing->r;
+ mnt_pairing_data_ptr info = p->pairing->data;
+ int m = mpz_sizeinbase(q, 2) - 2;
+ pp_coeff_t *coeff = (pp_coeff_t *) p->data;
+ pp_coeff_ptr pp = coeff[0];
+ element_ptr Qbase = in2;
+ element_t e0;
+ element_t Qx, Qy;
+ element_t v;
+ element_init_same_as(e0, out);
+ element_init_same_as(v, out);
+ element_init(Qx, info->Fqd);
+ element_init(Qy, info->Fqd);
+
+ //map from twist: (x, y) --> (v^-1 x, v^-(3/2) y)
+ //where v is the quadratic nonresidue used to construct the twist
+ element_mul(Qx, curve_x_coord(Qbase), info->nqrinv);
+ //v^-3/2 = v^-2 * v^1/2
+ element_mul(Qy, curve_y_coord(Qbase), info->nqrinv2);
+
+ element_set1(out);
+ for(;;) {
+ d_miller_evalfn(e0, pp->a, pp->b, pp->c, Qx, Qy);
+ element_mul(out, out, e0);
+ pp++;
+
+ if (!m) break;
+
+ if (mpz_tstbit(q, m)) {
+ d_miller_evalfn(e0, pp->a, pp->b, pp->c, Qx, Qy);
+ element_mul(out, out, e0);
+ pp++;
+ }
+ m--;
+ element_square(out, out);
+ }
+ tatepower10(out, out, p->pairing);
+
+ element_clear(e0);
+ element_clear(Qx);
+ element_clear(Qy);
+ element_clear(v);
+}
+
+// in1, in2 are from E(F_q), out from F_q^2
+// Compute pairing via elliptic nets (see Stange).
+static void g_pairing_ellnet(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ mnt_pairing_data_ptr p = pairing->data;
+
+ const element_ptr a = curve_a_coeff(in1);
+ const element_ptr b = curve_b_coeff(in1);
+
+ element_ptr x = curve_x_coord(in1);
+ element_ptr y = curve_y_coord(in1);
+
+ element_ptr x2 = curve_x_coord(in2);
+ element_ptr y2 = curve_y_coord(in2);
+
+ //we map (x2,y2) to (-x2, i y2) before pairing
+ //notation: cmi means c_{k-i}, ci means c_{k+i}
+ element_t cm3, cm2, cm1, c0, c1, c2, c3, c4;
+ element_t dm1, d0, d1;
+ element_t A, B, C;
+
+ element_init_same_as(cm3, x);
+ element_init_same_as(cm2, x);
+ element_init_same_as(cm1, x);
+ element_init_same_as(c0, x);
+ element_init_same_as(c1, x);
+ element_init_same_as(c2, x);
+ element_init_same_as(c3, x);
+ element_init_same_as(c4, x);
+ element_init_same_as(C, x);
+
+ element_init_same_as(dm1, out);
+ element_init_same_as(d0, out);
+ element_init_same_as(d1, out);
+ element_init_same_as(A, out);
+ element_init_same_as(B, out);
+
+ // c1 = 2y
+ // cm3 = -2y
+ element_double(c1, y);
+ element_neg(cm3, c1);
+
+ //use c0, cm1, cm2, C, c4 as temp variables for now
+ //compute c3, c2
+ element_square(cm2, x);
+ element_square(C, cm2);
+ element_mul(cm1, b, x);
+ element_double(cm1, cm1);
+ element_square(c4, a);
+
+ element_mul(c2, cm1, cm2);
+ element_double(c2, c2);
+ element_mul(c0, a, C);
+ element_add(c2, c2, c0);
+ element_mul(c0, c4, cm2);
+ element_sub(c2, c2, c0);
+ element_double(c0, c2);
+ element_double(c0, c0);
+ element_add(c2, c2, c0);
+
+ element_mul(c0, cm1, a);
+ element_square(c3, b);
+ element_double(c3, c3);
+ element_double(c3, c3);
+ element_add(c0, c0, c3);
+ element_double(c0, c0);
+ element_mul(c3, a, c4);
+ element_add(c0, c0, c3);
+ element_sub(c2, c2, c0);
+ element_mul(c0, cm2, C);
+ element_add(c3, c0, c2);
+ element_mul(c3, c3, c1);
+ element_double(c3, c3);
+
+ element_mul(c0, a, cm2);
+ element_add(c0, c0, cm1);
+ element_double(c0, c0);
+ element_add(c0, c0, C);
+ element_double(c2, c0);
+ element_add(c0, c0, c2);
+ element_sub(c2, c0, c4);
+
+ // c0 = 1
+ // cm2 = -1
+ element_set1(c0);
+ element_neg(cm2, c0);
+
+ // c4 = c_5 = c_2^3 c_4 - c_3^3 = c1^3 c3 - c2^3
+ element_square(C, c1);
+ element_mul(c4, C, c1);
+ element_mul(c4, c4, c3);
+ element_square(C, c2);
+ element_mul(C, C, c2);
+ element_sub(c4, c4, C);
+
+ //compute A, B, d1
+
+ element_mul(element_x(d0), x2, p->nqrinv);
+ element_neg(A, d0);
+ element_add(element_item(element_x(A), 0), element_item(element_x(A), 0), x);
+
+ element_double(C, x);
+ element_add(element_item(element_x(d0), 0), element_item(element_x(d0), 0), C);
+
+ element_square(dm1, A);
+ element_mul(dm1, d0, dm1);
+
+ element_mul(element_y(d1), y2, p->nqrinv2);
+ element_set(element_item(element_x(d1), 0), y);
+
+ element_square(d1, d1);
+ element_sub(d1, dm1, d1);
+ element_invert(B, d1);
+
+ element_invert(A, A);
+
+ element_mul(element_y(d1), y2, p->nqrinv2);
+ element_set0(element_x(d1));
+ element_neg(element_item(element_x(d1), 0), y);
+ element_mul(d1, d1, A);
+ element_square(d1, d1);
+ element_sub(d1, d0, d1);
+
+ // cm1 = 0
+ // C = (2y)^-1
+ element_set0(cm1);
+ element_invert(C, c1);
+
+ element_set1(dm1);
+ element_set1(d0);
+
+ element_t sm2, sm1;
+ element_t s0, s1, s2, s3;
+ element_t tm2, tm1;
+ element_t t0, t1, t2, t3;
+ element_t e0, e1;
+ element_t u, v;
+
+ element_init_same_as(sm2, x);
+ element_init_same_as(sm1, x);
+ element_init_same_as(s0, x);
+ element_init_same_as(s1, x);
+ element_init_same_as(s2, x);
+ element_init_same_as(s3, x);
+
+ element_init_same_as(tm2, x);
+ element_init_same_as(tm1, x);
+ element_init_same_as(t0, x);
+ element_init_same_as(t1, x);
+ element_init_same_as(t2, x);
+ element_init_same_as(t3, x);
+
+ element_init_same_as(e0, x);
+ element_init_same_as(e1, x);
+
+ element_init_same_as(u, d0);
+ element_init_same_as(v, d0);
+
+ int m = mpz_sizeinbase(pairing->r, 2) - 2;
+ for (;;) {
+ element_square(sm2, cm2);
+ element_square(sm1, cm1);
+ element_square(s0, c0);
+ element_square(s1, c1);
+ element_square(s2, c2);
+ element_square(s3, c3);
+
+ element_mul(tm2, cm3, cm1);
+ element_mul(tm1, cm2, c0);
+ element_mul(t0, cm1, c1);
+ element_mul(t1, c0, c2);
+ element_mul(t2, c1, c3);
+ element_mul(t3, c2, c4);
+
+ element_square(u, d0);
+ element_mul(v, dm1, d1);
+
+ if (mpz_tstbit(pairing->r, m)) {
+ //double-and-add
+ element_mul(e0, t0, sm2);
+ element_mul(e1, tm2, s0);
+ element_sub(cm3, e0, e1);
+ element_mul(cm3, cm3, C);
+
+ element_mul(e0, t0, sm1);
+ element_mul(e1, tm1, s0);
+ element_sub(cm2, e0, e1);
+
+ element_mul(e0, t1, sm1);
+ element_mul(e1, tm1, s1);
+ element_sub(cm1, e0, e1);
+ element_mul(cm1, cm1, C);
+
+ element_mul(e0, t1, s0);
+ element_mul(e1, t0, s1);
+ element_sub(c0, e0, e1);
+
+ element_mul(e0, t2, s0);
+ element_mul(e1, t0, s2);
+ element_sub(c1, e0, e1);
+ element_mul(c1, c1, C);
+
+ element_mul(e0, t2, s1);
+ element_mul(e1, t1, s2);
+ element_sub(c2, e0, e1);
+
+ element_mul(e0, t3, s1);
+ element_mul(e1, t1, s3);
+ element_sub(c3, e0, e1);
+ element_mul(c3, c3, C);
+
+ element_mul(e0, t3, s2);
+ element_mul(e1, t2, s3);
+ element_sub(c4, e0, e1);
+
+ polymod_const_mul(element_x(out), t0, element_x(u));
+ polymod_const_mul(element_y(out), t0, element_y(u));
+ polymod_const_mul(element_x(dm1), s0, element_x(v));
+ polymod_const_mul(element_y(dm1), s0, element_y(v));
+ element_sub(dm1, dm1, out);
+
+ polymod_const_mul(element_x(out), t1, element_x(u));
+ polymod_const_mul(element_y(out), t1, element_y(u));
+ polymod_const_mul(element_x(d0), s1, element_x(v));
+ polymod_const_mul(element_y(d0), s1, element_y(v));
+ element_sub(d0, d0, out);
+ element_mul(d0, d0, A);
+
+ polymod_const_mul(element_x(out), t2, element_x(u));
+ polymod_const_mul(element_y(out), t2, element_y(u));
+ polymod_const_mul(element_x(d1), s2, element_x(v));
+ polymod_const_mul(element_y(d1), s2, element_y(v));
+ element_sub(d1, d1, out);
+ element_mul(d1, d1, B);
+ } else {
+ //double
+ element_mul(e0, tm1, sm2);
+ element_mul(e1, tm2, sm1);
+ element_sub(cm3, e0, e1);
+
+ element_mul(e0, t0, sm2);
+ element_mul(e1, tm2, s0);
+ element_sub(cm2, e0, e1);
+ element_mul(cm2, cm2, C);
+
+ element_mul(e0, t0, sm1);
+ element_mul(e1, tm1, s0);
+ element_sub(cm1, e0, e1);
+
+ element_mul(e0, t1, sm1);
+ element_mul(e1, tm1, s1);
+ element_sub(c0, e0, e1);
+ element_mul(c0, c0, C);
+
+ element_mul(e0, t1, s0);
+ element_mul(e1, t0, s1);
+ element_sub(c1, e0, e1);
+
+ element_mul(e0, t2, s0);
+ element_mul(e1, t0, s2);
+ element_sub(c2, e0, e1);
+ element_mul(c2, c2, C);
+
+ element_mul(e0, t2, s1);
+ element_mul(e1, t1, s2);
+ element_sub(c3, e0, e1);
+
+ element_mul(e0, t3, s1);
+ element_mul(e1, t1, s3);
+ element_sub(c4, e0, e1);
+ element_mul(c4, c4, C);
+
+ polymod_const_mul(element_x(out), tm1, element_x(u));
+ polymod_const_mul(element_y(out), tm1, element_y(u));
+ polymod_const_mul(element_x(dm1), sm1, element_x(v));
+ polymod_const_mul(element_y(dm1), sm1, element_y(v));
+ element_sub(dm1, dm1, out);
+
+ polymod_const_mul(element_x(out), t0, element_x(u));
+ polymod_const_mul(element_y(out), t0, element_y(u));
+ polymod_const_mul(element_x(d0), s0, element_x(v));
+ polymod_const_mul(element_y(d0), s0, element_y(v));
+ element_sub(d0, d0, out);
+
+ polymod_const_mul(element_x(out), t1, element_x(u));
+ polymod_const_mul(element_y(out), t1, element_y(u));
+ polymod_const_mul(element_x(d1), s1, element_x(v));
+ polymod_const_mul(element_y(d1), s1, element_y(v));
+ element_sub(d1, d1, out);
+ element_mul(d1, d1, A);
+ }
+ if (!m) break;
+ m--;
+ }
+ // since c_k lies base field
+ // it gets killed by the final powering
+ //element_invert(c1, c1);
+ //element_mul(element_x(d1), element_x(d1), c1);
+ //element_mul(element_y(d1), element_y(d1), c1);
+
+ tatepower10(out, d1, pairing);
+
+ element_clear(dm1);
+ element_clear(d0);
+ element_clear(d1);
+
+ element_clear(cm3);
+ element_clear(cm2);
+ element_clear(cm1);
+ element_clear(c0);
+ element_clear(c1);
+ element_clear(c2);
+ element_clear(c3);
+ element_clear(c4);
+
+ element_clear(sm2);
+ element_clear(sm1);
+ element_clear(s0);
+ element_clear(s1);
+ element_clear(s2);
+ element_clear(s3);
+
+ element_clear(tm2);
+ element_clear(tm1);
+ element_clear(t0);
+ element_clear(t1);
+ element_clear(t2);
+ element_clear(t3);
+
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(A);
+ element_clear(B);
+ element_clear(C);
+ element_clear(u);
+ element_clear(v);
+}
+
+static void g_pairing_clear(pairing_t pairing) {
+ field_clear(pairing->GT);
+ mnt_pairing_data_ptr p = pairing->data;
+
+ element_clear(p->xpowq);
+ element_clear(p->xpowq2);
+ element_clear(p->xpowq3);
+ element_clear(p->xpowq4);
+ mpz_clear(pairing->phikonr);
+
+ field_clear(p->Etwist);
+ field_clear(p->Eq);
+ element_clear(p->nqrinv);
+ element_clear(p->nqrinv2);
+ field_clear(p->Fqk);
+ field_clear(p->Fqd);
+ field_clear(p->Fqx);
+ field_clear(p->Fq);
+ field_clear(pairing->Zr);
+ mpz_clear(pairing->r);
+ pbc_free(p);
+}
+
+static void g_pairing_option_set(pairing_t pairing, char *key, char *value) {
+ UNUSED_VAR(pairing);
+ if (!strcmp(key, "method")) {
+ if (!strcmp(value, "miller")) {
+ cc_miller_no_denom_fn = cc_miller_no_denom_proj;
+ } else if (!strcmp(value, "miller-affine")) {
+ cc_miller_no_denom_fn = cc_miller_no_denom_affine;
+ } else if (!strcmp(value, "shipsey-stange")) {
+ pairing->map = g_pairing_ellnet;
+ }
+ }
+}
+
+static void g_finalpow(element_ptr e) {
+ element_t t0;
+ element_init_same_as(t0, e->data);
+ tatepower10(t0, e->data, e->field->pairing);
+ element_set(e->data, t0);
+ element_clear(t0);
+}
+
+// Computes a curve and sets fp to the field it is defined over using the
+// complex multiplication method, where cm holds appropriate data
+// (e.g. discriminant, field order).
+static void compute_cm_curve(g_param_ptr param, pbc_cm_ptr cm) {
+ element_t hp, root;
+ field_t fp, fpx;
+ field_t cc;
+
+ field_init_fp(fp, cm->q);
+ field_init_poly(fpx, fp);
+ element_init(hp, fpx);
+
+ mpz_t *coefflist;
+ int n = pbc_hilbert(&coefflist, cm->D);
+
+ // Temporarily set the coefficient of x^{n-1} to 1 so hp has degree n - 1,
+ // allowing us to use element_item().
+ poly_set_coeff1(hp, n - 1);
+ int i;
+ for (i = 0; i < n; i++) {
+ element_set_mpz(element_item(hp, i), coefflist[i]);
+ }
+ pbc_hilbert_free(coefflist, n);
+
+ //TODO: remove x = 0, 1728 roots
+ //TODO: what if there's no roots?
+ //printf("hp ");
+ //element_out_str(stdout, 0, hp);
+ //printf("\n");
+
+ element_init(root, fp);
+ poly_findroot(root, hp);
+ //printf("root = ");
+ //element_out_str(stdout, 0, root);
+ //printf("\n");
+ element_clear(hp);
+ field_clear(fpx);
+
+ //the root is the j-invariant of our desired curve
+ field_init_curve_j(cc, root, cm->n, NULL);
+ element_clear(root);
+
+ //we may need to twist it however
+ {
+ // Pick a random point P and twist the curve if it has the wrong order.
+ element_t P;
+ element_init(P, cc);
+ element_random(P);
+ element_mul_mpz(P, P, cm->n);
+ if (!element_is0(P)) field_reinit_curve_twist(cc);
+ element_clear(P);
+ }
+
+ mpz_set(param->q, cm->q);
+ mpz_set(param->n, cm->n);
+ mpz_set(param->h, cm->h);
+ mpz_set(param->r, cm->r);
+ element_to_mpz(param->a, curve_field_a_coeff(cc));
+ element_to_mpz(param->b, curve_field_b_coeff(cc));
+ {
+ mpz_t z;
+ mpz_init(z);
+ //compute order of curve in F_q^k
+ //n = q - t + 1 hence t = q - n + 1
+ mpz_sub(z, param->q, param->n);
+ mpz_add_ui(z, z, 1);
+ pbc_mpz_trace_n(z, param->q, z, 10);
+ mpz_pow_ui(param->nk, param->q, 10);
+ mpz_sub_ui(z, z, 1);
+ mpz_sub(param->nk, param->nk, z);
+ mpz_mul(z, param->r, param->r);
+ mpz_divexact(param->hk, param->nk, z);
+ mpz_clear(z);
+ }
+ field_clear(cc);
+ field_clear(fp);
+}
+
+static void g_init_pairing(pairing_t pairing, void *data) {
+ g_param_ptr param = data;
+ mnt_pairing_data_ptr p;
+ element_t a, b;
+ element_t irred;
+ int i;
+
+ mpz_init(pairing->r);
+ mpz_set(pairing->r, param->r);
+ field_init_fp(pairing->Zr, pairing->r);
+ pairing->map = cc_pairing;
+ pairing->is_almost_coddh = cc_is_almost_coddh;
+
+ p = pairing->data = pbc_malloc(sizeof(mnt_pairing_data_t));
+ field_init_fp(p->Fq, param->q);
+ element_init(a, p->Fq);
+ element_init(b, p->Fq);
+ element_set_mpz(a, param->a);
+ element_set_mpz(b, param->b);
+ field_init_curve_ab(p->Eq, a, b, pairing->r, param->h);
+
+ field_init_poly(p->Fqx, p->Fq);
+ element_init(irred, p->Fqx);
+
+ // First set the coefficient of x^5 to 1 so we can call element_item()
+ // for the other coefficients.
+ poly_set_coeff1(irred, 5);
+ for (i=0; i<5; i++) {
+ element_set_mpz(element_item(irred, i), param->coeff[i]);
+ }
+
+ field_init_polymod(p->Fqd, irred);
+ element_clear(irred);
+
+ p->Fqd->nqr = pbc_malloc(sizeof(element_t));
+ element_init(p->Fqd->nqr, p->Fqd);
+ element_set_mpz(((element_t *) p->Fqd->nqr->data)[0], param->nqr);
+
+ field_init_quadratic(p->Fqk, p->Fqd);
+
+ // Compute phi(k)/r = (q^4 - q^3 + ... + 1)/r.
+ {
+ element_ptr e = p->xpowq;
+ mpz_t z0;
+ mpz_ptr q = param->q;
+ mpz_ptr z = pairing->phikonr;
+ mpz_init(z);
+ mpz_init(z0);
+ mpz_set_ui(z, 1);
+ mpz_sub(z, z, q);
+ mpz_mul(z0, q, q);
+ mpz_add(z, z, z0);
+ mpz_mul(z0, z0, q);
+ mpz_sub(z, z, z0);
+ mpz_mul(z0, z0, q);
+ mpz_add(z, z, z0);
+ mpz_clear(z0);
+ mpz_divexact(z, z, pairing->r);
+
+ element_init(e, p->Fqd);
+ element_init(p->xpowq2, p->Fqd);
+ element_init(p->xpowq3, p->Fqd);
+ element_init(p->xpowq4, p->Fqd);
+ element_set1(((element_t *) e->data)[1]);
+ element_pow_mpz(e, e, q);
+
+ element_square(p->xpowq2, p->xpowq);
+ element_square(p->xpowq4, p->xpowq2);
+ element_mul(p->xpowq3, p->xpowq2, p->xpowq);
+ }
+
+ field_init_curve_ab_map(p->Etwist, p->Eq, element_field_to_polymod, p->Fqd, pairing->r, NULL);
+ field_reinit_curve_twist(p->Etwist);
+
+ element_init(p->nqrinv, p->Fqd);
+ element_invert(p->nqrinv, field_get_nqr(p->Fqd));
+ element_init(p->nqrinv2, p->Fqd);
+ element_square(p->nqrinv2, p->nqrinv);
+
+ mpz_t ndonr;
+ mpz_init(ndonr);
+ // ndonr temporarily holds the trace.
+ mpz_sub(ndonr, param->q, param->n);
+ mpz_add_ui(ndonr, ndonr, 1);
+ // Negate because we want the order of the twist.
+ mpz_neg(ndonr, ndonr);
+ pbc_mpz_curve_order_extn(ndonr, param->q, ndonr, 5);
+ mpz_divexact(ndonr, ndonr, param->r);
+ field_curve_set_quotient_cmp(p->Etwist, ndonr);
+ mpz_clear(ndonr);
+
+ pairing->G1 = p->Eq;
+ pairing->G2 = p->Etwist;
+ pairing_GT_init(pairing, p->Fqk);
+ pairing->finalpow = g_finalpow;
+
+ cc_miller_no_denom_fn = cc_miller_no_denom_affine;
+ pairing->option_set = g_pairing_option_set;
+ pairing->pp_init = g_pairing_pp_init;
+ pairing->pp_clear = g_pairing_pp_clear;
+ pairing->pp_apply = g_pairing_pp_apply;
+
+ pairing->clear_func = g_pairing_clear;
+
+ element_clear(a);
+ element_clear(b);
+}
+
+static void g_init(pbc_param_ptr p) {
+ static pbc_param_interface_t interface = {{
+ g_clear,
+ g_init_pairing,
+ g_out_str,
+ }};
+ p->api = interface;
+ g_param_ptr param = p->data = pbc_malloc(sizeof(*param));
+ mpz_init(param->q);
+ mpz_init(param->n);
+ mpz_init(param->h);
+ mpz_init(param->r);
+ mpz_init(param->a);
+ mpz_init(param->b);
+ mpz_init(param->nk);
+ mpz_init(param->hk);
+ param->coeff = NULL;
+ mpz_init(param->nqr);
+}
+
+// Public interface:
+
+int pbc_param_init_g(pbc_param_ptr par, struct symtab_s *tab) {
+ g_init(par);
+ g_param_ptr p = par->data;
+ char s[80];
+
+ int err = 0;
+ err += lookup_mpz(p->q, tab, "q");
+ err += lookup_mpz(p->n, tab, "n");
+ err += lookup_mpz(p->h, tab, "h");
+ err += lookup_mpz(p->r, tab, "r");
+ err += lookup_mpz(p->a, tab, "a");
+ err += lookup_mpz(p->b, tab, "b");
+ err += lookup_mpz(p->nk, tab, "nk");
+ err += lookup_mpz(p->hk, tab, "hk");
+ err += lookup_mpz(p->nqr, tab, "nqr");
+
+ p->coeff = pbc_realloc(p->coeff, sizeof(mpz_t) * 5);
+ int i;
+ for (i = 0; i < 5; i++) {
+ sprintf(s, "coeff%d", i);
+ mpz_init(p->coeff[i]);
+ err += lookup_mpz(p->coeff[i], tab, s);
+ }
+ return err;
+}
+
+void pbc_param_init_g_gen(pbc_param_t p, pbc_cm_ptr cm) {
+ g_init(p);
+ g_param_ptr param = p->data;
+ field_t Fq, Fqx, Fqd;
+ element_t irred, nqr;
+ int i;
+
+ compute_cm_curve(param, cm);
+
+ field_init_fp(Fq, param->q);
+ field_init_poly(Fqx, Fq);
+ element_init(irred, Fqx);
+ do {
+ poly_random_monic(irred, 5);
+ } while (!poly_is_irred(irred));
+ field_init_polymod(Fqd, irred);
+
+ // Find a quadratic nonresidue of Fqd lying in Fq.
+ element_init(nqr, Fqd);
+ do {
+ element_random(((element_t *) nqr->data)[0]);
+ } while (element_is_sqr(nqr));
+
+ param->coeff = pbc_realloc(param->coeff, sizeof(mpz_t) * 5);
+
+ for (i=0; i<5; i++) {
+ mpz_init(param->coeff[i]);
+ element_to_mpz(param->coeff[i], element_item(irred, i));
+ }
+ element_to_mpz(param->nqr, ((element_t *) nqr->data)[0]);
+
+ element_clear(nqr);
+ element_clear(irred);
+
+ field_clear(Fqx);
+ field_clear(Fqd);
+ field_clear(Fq);
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/hilbert.c b/moon-abe/pbc-0.5.14/ecc/hilbert.c
new file mode 100644
index 00000000..753e70e0
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/hilbert.c
@@ -0,0 +1,539 @@
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h> //for pbc_malloc, pbc_free
+#include <gmp.h>
+#include <math.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_poly.h"
+#include "pbc_hilbert.h"
+#include "pbc_memory.h"
+
+#include "misc/darray.h"
+#include "mpc.h"
+
+static mpf_t pi, eulere, recipeulere, epsilon, negepsilon;
+
+static void mpf_exp(mpf_t res, mpf_t pwr) {
+ mpf_t a;
+ mpf_t f0;
+ int i;
+
+ mpf_init(a); mpf_set(a, pwr);
+
+ mpf_init(f0);
+
+ mpf_set(f0, a);
+ mpf_add_ui(res, a, 1);
+
+ for (i=2;;i++) {
+ mpf_mul(f0, f0, a);
+ mpf_div_ui(f0, f0, i);
+ if (mpf_sgn(f0) > 0) {
+ if (mpf_cmp(f0, epsilon) < 0) break;
+ } else {
+ if (mpf_cmp(f0, negepsilon) > 0) break;
+ }
+ mpf_add(res, res, f0);
+ }
+
+ mpf_clear(f0);
+ mpf_clear(a);
+}
+
+static void mpc_cis(mpc_t res, mpf_t theta) {
+ mpf_t a;
+
+ mpf_init(a); mpf_set(a, theta);
+ //res = exp(i a)
+ // = cos a + i sin a
+ //converges quickly near the origin
+ mpf_t f0;
+ mpf_ptr rx = mpc_re(res), ry = mpc_im(res);
+ int i;
+ int toggle = 1;
+
+ mpf_init(f0);
+
+ mpf_set(f0, a);
+ mpf_set_ui(rx, 1);
+ mpf_set(ry, f0);
+ i = 1;
+ for(;;) {
+ toggle = !toggle;
+ i++;
+ mpf_div_ui(f0, f0, i);
+ mpf_mul(f0, f0, a);
+ if (toggle) {
+ mpf_add(rx, rx, f0);
+ } else {
+ mpf_sub(rx, rx, f0);
+ }
+
+ i++;
+ mpf_div_ui(f0, f0, i);
+ mpf_mul(f0, f0, a);
+
+ if (toggle) {
+ mpf_add(ry, ry, f0);
+ } else {
+ mpf_sub(ry, ry, f0);
+ }
+
+ if (mpf_sgn(f0) > 0) {
+ if (mpf_cmp(f0, epsilon) < 0) break;
+ } else {
+ if (mpf_cmp(f0, negepsilon) > 0) break;
+ }
+ }
+
+ mpf_clear(f0);
+ mpf_clear(a);
+}
+
+// Computes q = exp(2 pi i tau).
+static void compute_q(mpc_t q, mpc_t tau) {
+ mpc_t z0;
+ mpf_t f0, f1;
+ mpf_ptr fp0;
+ unsigned long pwr;
+
+ mpc_init(z0);
+ mpf_init(f0);
+ mpf_init(f1);
+
+ //compute z0 = 2 pi i tau
+ mpc_set(z0, tau);
+ //first remove integral part of Re(tau)
+ //since exp(2 pi i) = 1
+ //it seems |Re(tau)| < 1 anyway?
+ fp0 = mpc_re(z0);
+ mpf_trunc(f1, fp0);
+ mpf_sub(fp0, fp0, f1);
+
+ mpc_mul_mpf(z0, z0, pi);
+ mpc_mul_ui(z0, z0, 2);
+ mpc_muli(z0, z0);
+
+ //compute q = exp(z0);
+ //first write z0 = A + a + b i
+ //where A is a (negative) integer
+ //and a, b are in [-1, 1]
+ //compute e^A separately
+ fp0 = mpc_re(z0);
+ pwr = mpf_get_ui(fp0);
+ mpf_pow_ui(f0, recipeulere, pwr);
+ mpf_add_ui(fp0, fp0, pwr);
+
+ mpf_exp(f1, mpc_re(z0));
+ mpf_mul(f0, f1, f0);
+ mpc_cis(q, mpc_im(z0));
+
+ /*
+ old_mpc_exp(q, z0);
+ */
+ mpc_mul_mpf(q, q, f0);
+
+ mpc_clear(z0);
+ mpf_clear(f0);
+ mpf_clear(f1);
+}
+
+// Computes z = Delta(q) (see Cohen).
+static void compute_Delta(mpc_t z, mpc_t q) {
+ int d;
+ int n;
+ int power;
+ mpc_t z0, z1, z2;
+
+ mpc_init(z0);
+ mpc_init(z1);
+ mpc_init(z2);
+
+ mpc_set_ui(z0, 1);
+ d = -1;
+ for(n=1; n<100; n++) {
+ power = n *(3 * n - 1) / 2;
+ mpc_pow_ui(z1, q, power);
+ mpc_pow_ui(z2, q, n);
+ mpc_mul(z2, z2, z1);
+ mpc_add(z1, z1, z2);
+ if (d) {
+ mpc_sub(z0, z0, z1);
+ d = 0;
+ } else {
+ mpc_add(z0, z0, z1);
+ d = 1;
+ }
+ }
+
+ mpc_pow_ui(z0, z0, 24);
+ mpc_mul(z, z0, q);
+
+ mpc_clear(z0);
+ mpc_clear(z1);
+ mpc_clear(z2);
+}
+
+// Computes z = h(tau)
+// (called h() by Blake et al, f() by Cohen.)
+static void compute_h(mpc_t z, mpc_t tau) {
+ mpc_t z0, z1, q;
+ mpc_init(q);
+ mpc_init(z0);
+ mpc_init(z1);
+ compute_q(q, tau);
+ mpc_mul(z0, q, q);
+ compute_Delta(z0, z0);
+ compute_Delta(z1, q);
+ mpc_div(z, z0, z1);
+ mpc_clear(q);
+ mpc_clear(z0);
+ mpc_clear(z1);
+}
+
+// Computes j = j(tau).
+static void compute_j(mpc_t j, mpc_t tau) {
+ mpc_t h;
+ mpc_t z0;
+ mpc_init(h);
+ mpc_init(z0);
+ compute_h(h, tau);
+ //mpc_mul_ui(z0, h, 256);
+ mpc_mul_2exp(z0, h, 8);
+ mpc_add_ui(z0, z0, 1);
+ mpc_pow_ui(z0, z0, 3);
+ mpc_div(j, z0, h);
+ mpc_clear(z0);
+ mpc_clear(h);
+}
+
+static void compute_pi(int prec) {
+ //Chudnovsky brothers' Ramanujan formula
+ //http://www.cs.uwaterloo.ca/~alopez-o/math-faq/mathtext/node12.html
+ mpz_t k1, k2, k4, k5, d;
+ unsigned int k3 = 640320;
+ unsigned int k6 = 53360;
+ mpz_t z0, z1, z2;
+ mpq_t p, q;
+ mpf_t f1;
+ int toggle = 1;
+ int n;
+ //converges fast: each term gives over 47 bits
+ int nlimit = prec / 47 + 1;
+
+ mpz_init(k1);
+ mpz_init(k2);
+ mpz_init(k4);
+ mpz_init(k5);
+ mpz_init(d);
+ mpz_init(z0);
+ mpz_init(z1);
+ mpz_init(z2);
+ mpq_init(q);
+ mpq_init(p);
+ mpf_init(f1);
+
+ mpz_set_str(k1, "545140134", 10);
+ mpz_set_str(k2, "13591409", 10);
+ mpz_set_str(k4, "100100025", 10);
+ mpz_set_str(k5, "327843840", 10);
+
+ mpz_mul(d, k4, k5);
+ mpz_mul_2exp(d, d, 3);
+ mpq_set_ui(p, 0, 1);
+
+ for (n=0; n<nlimit; n++) {
+ mpz_fac_ui(z0, 6*n);
+ mpz_mul_ui(z1, k1, n);
+ mpz_add(z1, z1, k2);
+ mpz_mul(z0, z0, z1);
+
+ mpz_fac_ui(z1, 3*n);
+ mpz_fac_ui(z2, n);
+ mpz_pow_ui(z2, z2, 3);
+ mpz_mul(z1, z1, z2);
+ mpz_pow_ui(z2, d, n);
+ mpz_mul(z1, z1, z2);
+
+ mpz_set(mpq_numref(q), z0);
+ mpz_set(mpq_denref(q), z1);
+ mpq_canonicalize(q);
+ if (toggle) {
+ mpq_add(p, p, q);
+ } else {
+ mpq_sub(p, p, q);
+ }
+ toggle = !toggle;
+ }
+ mpq_inv(q, p);
+ mpz_mul_ui(mpq_numref(q), mpq_numref(q), k6);
+ mpq_canonicalize(q);
+ mpf_set_q(pi, q);
+ mpf_sqrt_ui(f1, k3);
+ mpf_mul(pi, pi, f1);
+ //mpf_out_str(stdout, 0, 14 * nlimit, pi);
+ //printf("\n");
+
+ mpz_clear(k1);
+ mpz_clear(k2);
+ mpz_clear(k4);
+ mpz_clear(k5);
+ mpz_clear(d);
+ mpz_clear(z0);
+ mpz_clear(z1);
+ mpz_clear(z2);
+ mpq_clear(q);
+ mpq_clear(p);
+ mpf_clear(f1);
+}
+
+static void precision_init(int prec) {
+ int i;
+ mpf_t f0;
+
+ mpf_set_default_prec(prec);
+ mpf_init2(epsilon, 2);
+ mpf_init2(negepsilon, 2);
+ mpf_init(recipeulere);
+ mpf_init(pi);
+ mpf_init(eulere);
+
+ mpf_set_ui(epsilon, 1);
+ mpf_div_2exp(epsilon, epsilon, prec);
+ mpf_neg(negepsilon, epsilon);
+
+ mpf_init(f0);
+ mpf_set_ui(eulere, 1);
+ mpf_set_ui(f0, 1);
+ for (i=1;; i++) {
+ mpf_div_ui(f0, f0, i);
+ if (mpf_cmp(f0, epsilon) < 0) {
+ break;
+ }
+ mpf_add(eulere, eulere, f0);
+ }
+ mpf_clear(f0);
+
+ mpf_ui_div(recipeulere, 1, eulere);
+
+ compute_pi(prec);
+}
+
+static void precision_clear(void) {
+ mpf_clear(eulere);
+ mpf_clear(recipeulere);
+ mpf_clear(pi);
+ mpf_clear(epsilon);
+ mpf_clear(negepsilon);
+}
+
+// See Cohen; my D is -D in his notation.
+size_t pbc_hilbert(mpz_t **arr, int D) {
+ int a, b;
+ int t;
+ int B = floor(sqrt((double) D / 3.0));
+ mpc_t alpha;
+ mpc_t j;
+ mpf_t sqrtD;
+ mpf_t f0;
+ darray_t Pz;
+ mpc_t z0, z1, z2;
+ double d = 1.0;
+ int h = 1;
+ int jcount = 1;
+
+ // Compute required precision.
+ b = D % 2;
+ for (;;) {
+ t = (b*b + D) / 4;
+ a = b;
+ if (a <= 1) {
+ a = 1;
+ goto step535_4;
+ }
+step535_3:
+ if (!(t % a)) {
+ jcount++;
+ if ((a == b) || (a*a == t) || !b) {
+ d += 1.0 / ((double) a);
+ h++;
+ } else {
+ d += 2.0 / ((double) a);
+ h+=2;
+ }
+ }
+step535_4:
+ a++;
+ if (a * a <= t) {
+ goto step535_3;
+ } else {
+ b += 2;
+ if (b > B) break;
+ }
+ }
+
+ //printf("modulus: %f\n", exp(3.14159265358979 * sqrt(D)) * d * 0.5);
+ d *= sqrt(D) * 3.14159265358979 / log(2);
+ precision_init(d + 34);
+ pbc_info("class number %d, %d bit precision", h, (int) d + 34);
+
+ darray_init(Pz);
+ mpc_init(alpha);
+ mpc_init(j);
+ mpc_init(z0);
+ mpc_init(z1);
+ mpc_init(z2);
+ mpf_init(sqrtD);
+ mpf_init(f0);
+
+ mpf_sqrt_ui(sqrtD, D);
+ b = D % 2;
+ h = 0;
+ for (;;) {
+ t = (b*b + D) / 4;
+ if (b > 1) {
+ a = b;
+ } else {
+ a = 1;
+ }
+step3:
+ if (t % a) {
+step4:
+ a++;
+ if (a * a <= t) goto step3;
+ } else {
+ // a, b, t/a are coeffs of an appropriate primitive reduced positive
+ // definite form.
+ // Compute j((-b + sqrt{-D})/(2a)).
+ h++;
+ pbc_info("[%d/%d] a b c = %d %d %d", h, jcount, a, b, t/a);
+ mpf_set_ui(f0, 1);
+ mpf_div_ui(f0, f0, 2 * a);
+ mpf_mul(mpc_im(alpha), sqrtD, f0);
+ mpf_mul_ui(f0, f0, b);
+ mpf_neg(mpc_re(alpha), f0);
+
+ compute_j(j, alpha);
+if (0) {
+ int i;
+ for (i=Pz->count - 1; i>=0; i--) {
+ printf("P %d = ", i);
+ mpc_out_str(stdout, 10, 4, Pz->item[i]);
+ printf("\n");
+ }
+}
+ if (a == b || a * a == t || !b) {
+ // P *= X - j
+ int i, n;
+ mpc_ptr p0;
+ p0 = (mpc_ptr) pbc_malloc(sizeof(mpc_t));
+ mpc_init(p0);
+ mpc_neg(p0, j);
+ n = Pz->count;
+ if (n) {
+ mpc_set(z1, Pz->item[0]);
+ mpc_add(Pz->item[0], z1, p0);
+ for (i=1; i<n; i++) {
+ mpc_mul(z0, z1, p0);
+ mpc_set(z1, Pz->item[i]);
+ mpc_add(Pz->item[i], z1, z0);
+ }
+ mpc_mul(p0, p0, z1);
+ }
+ darray_append(Pz, p0);
+ } else {
+ // P *= X^2 - 2 Re(j) X + |j|^2
+ int i, n;
+ mpc_ptr p0, p1;
+ p0 = (mpc_ptr) pbc_malloc(sizeof(mpc_t));
+ p1 = (mpc_ptr) pbc_malloc(sizeof(mpc_t));
+ mpc_init(p0);
+ mpc_init(p1);
+ // p1 = - 2 Re(j)
+ mpf_mul_ui(f0, mpc_re(j), 2);
+ mpf_neg(f0, f0);
+ mpf_set(mpc_re(p1), f0);
+ // p0 = |j|^2
+ mpf_mul(f0, mpc_re(j), mpc_re(j));
+ mpf_mul(mpc_re(p0), mpc_im(j), mpc_im(j));
+ mpf_add(mpc_re(p0), mpc_re(p0), f0);
+ n = Pz->count;
+ if (!n) {
+ } else if (n == 1) {
+ mpc_set(z1, Pz->item[0]);
+ mpc_add(Pz->item[0], z1, p1);
+ mpc_mul(p1, z1, p1);
+ mpc_add(p1, p1, p0);
+ mpc_mul(p0, p0, z1);
+ } else {
+ mpc_set(z2, Pz->item[0]);
+ mpc_set(z1, Pz->item[1]);
+ mpc_add(Pz->item[0], z2, p1);
+ mpc_mul(z0, z2, p1);
+ mpc_add(Pz->item[1], z1, z0);
+ mpc_add(Pz->item[1], Pz->item[1], p0);
+ for (i=2; i<n; i++) {
+ mpc_mul(z0, z1, p1);
+ mpc_mul(alpha, z2, p0);
+ mpc_set(z2, z1);
+ mpc_set(z1, Pz->item[i]);
+ mpc_add(alpha, alpha, z0);
+ mpc_add(Pz->item[i], z1, alpha);
+ }
+ mpc_mul(z0, z2, p0);
+ mpc_mul(p1, p1, z1);
+ mpc_add(p1, p1, z0);
+ mpc_mul(p0, p0, z1);
+ }
+ darray_append(Pz, p1);
+ darray_append(Pz, p0);
+ }
+ goto step4;
+ }
+ b+=2;
+ if (b > B) break;
+ }
+
+ // Round polynomial and assign.
+ int k = 0;
+ {
+ *arr = pbc_malloc(sizeof(mpz_t) * (Pz->count + 1));
+ int i;
+ for (i=Pz->count - 1; i>=0; i--) {
+ if (mpf_sgn(mpc_re(Pz->item[i])) < 0) {
+ mpf_set_d(f0, -0.5);
+ } else {
+ mpf_set_d(f0, 0.5);
+ }
+ mpf_add(f0, f0, mpc_re(Pz->item[i]));
+ mpz_init((*arr)[k]);
+ mpz_set_f((*arr)[k], f0);
+ k++;
+ mpc_clear(Pz->item[i]);
+ pbc_free(Pz->item[i]);
+ }
+ mpz_init((*arr)[k]);
+ mpz_set_ui((*arr)[k], 1);
+ k++;
+ }
+ darray_clear(Pz);
+ mpc_clear(z0);
+ mpc_clear(z1);
+ mpc_clear(z2);
+ mpf_clear(f0);
+ mpf_clear(sqrtD);
+ mpc_clear(alpha);
+ mpc_clear(j);
+
+ precision_clear();
+ return k;
+}
+
+void pbc_hilbert_free(mpz_t *arr, size_t n) {
+ size_t i;
+
+ for (i = 0; i < n; i++) mpz_clear(arr[i]);
+ pbc_free(arr);
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/mnt.c b/moon-abe/pbc-0.5.14/ecc/mnt.c
new file mode 100644
index 00000000..230442fc
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/mnt.c
@@ -0,0 +1,496 @@
+// Routines for finding:
+// * MNT curves with embedding degree 6
+// * Freeman curves (which have embedding degree 10)
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h> // for intptr_t
+#include <gmp.h>
+#include "pbc_mnt.h"
+#include "pbc_memory.h"
+#include "pbc_utils.h"
+#include "misc/darray.h"
+
+struct pell_solution_s {
+ int count;
+ mpz_t minx; //minimal solution of x^2 - Dy^2 = 1
+ mpz_t miny;
+ mpz_t *x;
+ mpz_t *y;
+};
+typedef struct pell_solution_s pell_solution_t[1];
+typedef struct pell_solution_s *pell_solution_ptr;
+
+static void freempz(void *data) {
+ mpz_clear(data);
+ pbc_free(data);
+}
+
+// Solves x^2 - Dy^2 = N where D not a square.
+// For square D, we have (x+Dy)(x-Dy) = N so we look at the factors of N.
+static void general_pell(pell_solution_t ps, mpz_t D, int N) {
+ // TODO: Use brute force for small D.
+ int i, sgnN = N > 0 ? 1 : -1;
+ intptr_t f, n;
+
+ // Find square factors of N.
+ darray_t listf;
+ darray_init(listf);
+
+ f = 1;
+ for (;;) {
+ n = f * f;
+ if (n > abs(N)) break;
+ if (!(abs(N) % n)) {
+ darray_append(listf, int_to_voidp(f));
+ }
+ f++;
+ }
+
+ //a0, twice_a0 don't change once initialized
+ //a1 is a_i every iteration
+ //P0, P1 become P_{i-1}, P_i every iteration
+ //similarly for Q0, Q1
+ mpz_t a0, twice_a0, a1;
+ mpz_t P0, P1;
+ mpz_t Q0, Q1;
+ //variables to compute the convergents
+ mpz_t p0, p1, pnext;
+ mpz_t q0, q1, qnext;
+
+ int d;
+
+ darray_t listp, listq;
+ mpz_ptr zptr;
+
+ mpz_init(a0);
+ mpz_init(twice_a0);
+ mpz_init(a1);
+ mpz_init(P0); mpz_init(P1);
+ mpz_init(Q0); mpz_init(Q1);
+ mpz_init(p0); mpz_init(p1); mpz_init(pnext);
+ mpz_init(q0); mpz_init(q1); mpz_init(qnext);
+
+ darray_init(listp);
+ darray_init(listq);
+
+ mpz_sqrt(a0, D);
+ mpz_set_ui(P0, 0);
+ mpz_set_ui(Q0, 1);
+
+ mpz_set(P1, a0);
+ mpz_mul(Q1, a0, a0);
+ mpz_sub(Q1, D, Q1);
+ mpz_add(a1, a0, P1);
+ mpz_tdiv_q(a1, a1, Q1);
+
+ mpz_add(twice_a0, a0, a0);
+
+ mpz_set(p0, a0);
+ mpz_set_ui(q0, 1);
+ mpz_mul(p1, a0, a1);
+ mpz_add_ui(p1, p1, 1);
+ mpz_set(q1, a1);
+
+ d = -1;
+ for(;;) {
+ if (d == sgnN) {
+ for (i=0; i<listf->count; i++) {
+ f = (intptr_t) listf->item[i];
+ if (!mpz_cmp_ui(Q1, abs(N) / (f * f))) {
+//element_printf("found %Zd, %Zd, %d\n", p0, q0, f);
+ zptr = (mpz_ptr) pbc_malloc(sizeof(mpz_t));
+ mpz_init(zptr);
+ mpz_set(zptr, p0);
+ mpz_mul_ui(zptr, p0, f);
+ darray_append(listp, zptr);
+ zptr = (mpz_ptr) pbc_malloc(sizeof(mpz_t));
+ mpz_init(zptr);
+ mpz_set(zptr, q0);
+ mpz_mul_ui(zptr, q0, f);
+ darray_append(listq, zptr);
+ }
+ }
+ }
+
+ if (!mpz_cmp(twice_a0, a1) && d == 1) break;
+ //compute more of the continued fraction expansion
+ mpz_set(P0, P1);
+ mpz_mul(P1, a1, Q1);
+ mpz_sub(P1, P1, P0);
+ mpz_set(Q0, Q1);
+ mpz_mul(Q1, P1, P1);
+ mpz_sub(Q1, D, Q1);
+ mpz_divexact(Q1, Q1, Q0);
+ mpz_add(a1, a0, P1);
+ mpz_tdiv_q(a1, a1, Q1);
+
+ //compute next convergent
+ mpz_mul(pnext, a1, p1);
+ mpz_add(pnext, pnext, p0);
+ mpz_set(p0, p1);
+ mpz_set(p1, pnext);
+
+ mpz_mul(qnext, a1, q1);
+ mpz_add(qnext, qnext, q0);
+ mpz_set(q0, q1);
+ mpz_set(q1, qnext);
+ d = -d;
+ }
+ darray_clear(listf);
+
+ mpz_init(ps->minx);
+ mpz_init(ps->miny);
+ mpz_set(ps->minx, p0);
+ mpz_set(ps->miny, q0);
+ n = listp->count;
+ ps->count = n;
+ if (n) {
+ ps->x = (mpz_t *) pbc_malloc(sizeof(mpz_t) * n);
+ ps->y = (mpz_t *) pbc_malloc(sizeof(mpz_t) * n);
+ for (i = 0; i < n; i++) {
+ mpz_init(ps->x[i]);
+ mpz_init(ps->y[i]);
+ mpz_set(ps->x[i], (mpz_ptr) listp->item[i]);
+ mpz_set(ps->y[i], (mpz_ptr) listq->item[i]);
+ }
+ }
+
+ mpz_clear(a0);
+ mpz_clear(twice_a0);
+ mpz_clear(a1);
+ mpz_clear(P0); mpz_clear(P1);
+ mpz_clear(Q0); mpz_clear(Q1);
+ mpz_clear(p0); mpz_clear(p1); mpz_clear(pnext);
+ mpz_clear(q0); mpz_clear(q1); mpz_clear(qnext);
+
+ darray_forall(listp, freempz);
+ darray_forall(listq, freempz);
+ darray_clear(listp);
+ darray_clear(listq);
+}
+
+static void pell_solution_clear(pell_solution_t ps) {
+ int i, n = ps->count;
+
+ if (n) {
+ for (i=0; i<n; i++) {
+ mpz_clear(ps->x[i]);
+ mpz_clear(ps->y[i]);
+ }
+ pbc_free(ps->x);
+ pbc_free(ps->y);
+ }
+ mpz_clear(ps->minx);
+ mpz_clear(ps->miny);
+}
+
+void pbc_cm_init(pbc_cm_t cm) {
+ mpz_init(cm->q);
+ mpz_init(cm->r);
+ mpz_init(cm->h);
+ mpz_init(cm->n);
+}
+
+void pbc_cm_clear(pbc_cm_t cm) {
+ mpz_clear(cm->q);
+ mpz_clear(cm->r);
+ mpz_clear(cm->h);
+ mpz_clear(cm->n);
+}
+
+static int mnt_step2(int (*callback)(pbc_cm_t, void *), void *data,
+ unsigned int D, mpz_t U) {
+ int d;
+ mpz_t n, l, q;
+ mpz_t p;
+ mpz_t r, cofac;
+
+ mpz_init(l);
+ mpz_mod_ui(l, U, 6);
+ if (!mpz_cmp_ui(l, 1)) {
+ mpz_sub_ui(l, U, 1);
+ d = 1;
+ } else if (!mpz_cmp_ui(l, 5)) {
+ mpz_add_ui(l, U, 1);
+ d = -1;
+ } else {
+ mpz_clear(l);
+ return 0;
+ }
+
+ mpz_divexact_ui(l, l, 3);
+ mpz_init(q);
+
+ mpz_mul(q, l, l);
+ mpz_add_ui(q, q, 1);
+ if (!mpz_probab_prime_p(q, 10)) {
+ mpz_clear(q);
+ mpz_clear(l);
+ return 0;
+ }
+
+ mpz_init(n);
+ if (d < 0) {
+ mpz_sub(n, q, l);
+ } else {
+ mpz_add(n, q, l);
+ }
+
+ mpz_init(p);
+ mpz_init(r);
+ mpz_init(cofac);
+ {
+ mpz_set_ui(cofac, 1);
+ mpz_set(r, n);
+ mpz_set_ui(p, 2);
+ if (!mpz_probab_prime_p(r, 10)) for(;;) {
+ if (mpz_divisible_p(r, p)) do {
+ mpz_mul(cofac, cofac, p);
+ mpz_divexact(r, r, p);
+ } while (mpz_divisible_p(r, p));
+ if (mpz_probab_prime_p(r, 10)) break;
+ //TODO: use a table of primes instead?
+ mpz_nextprime(p, p);
+ if (mpz_sizeinbase(p, 2) > 16) {
+ //printf("has 16+ bit factor\n");
+ mpz_clear(r);
+ mpz_clear(p);
+ mpz_clear(cofac);
+ mpz_clear(q);
+ mpz_clear(l);
+ mpz_clear(n);
+ return 0;
+ }
+ }
+ }
+
+ pbc_cm_t cm;
+ pbc_cm_init(cm);
+ cm->k = 6;
+ cm->D = D;
+ mpz_set(cm->q, q);
+ mpz_set(cm->r, r);
+ mpz_set(cm->h, cofac);
+ mpz_set(cm->n, n);
+ int res = callback(cm, data);
+ pbc_cm_clear(cm);
+
+ mpz_clear(cofac);
+ mpz_clear(r);
+ mpz_clear(p);
+ mpz_clear(q);
+ mpz_clear(l);
+ mpz_clear(n);
+ return res;
+}
+
+int pbc_cm_search_d(int (*callback)(pbc_cm_t, void *), void *data,
+ unsigned int D, unsigned int bitlimit) {
+ mpz_t D3;
+ mpz_t t0, t1, t2;
+
+ mpz_init(D3);
+ mpz_set_ui(D3, D * 3);
+
+ if (mpz_perfect_square_p(D3)) {
+ // The only squares that differ by 8 are 1 and 9,
+ // which we get if U=V=1, D=3, but then l is not an integer.
+ mpz_clear(D3);
+ return 0;
+ }
+
+ mpz_init(t0);
+ mpz_init(t1);
+ mpz_init(t2);
+
+ pell_solution_t ps;
+ general_pell(ps, D3, -8);
+
+ int i, n;
+ int res = 0;
+ n = ps->count;
+ if (n) for (;;) {
+ for (i=0; i<n; i++) {
+ //element_printf("%Zd, %Zd\n", ps->x[i], ps->y[i]);
+ res = mnt_step2(callback, data, D, ps->x[i]);
+ if (res) goto toobig;
+ //compute next solution as follows
+ //if p, q is current solution
+ //compute new solution p', q' via
+ //(p + q sqrt{3D})(t + u sqrt{3D}) = p' + q' sqrt(3D)
+ //where t, u is min. solution to Pell equation
+ mpz_mul(t0, ps->minx, ps->x[i]);
+ mpz_mul(t1, ps->miny, ps->y[i]);
+ mpz_mul(t1, t1, D3);
+ mpz_add(t0, t0, t1);
+ if (2 * mpz_sizeinbase(t0, 2) > bitlimit + 10) goto toobig;
+ mpz_mul(t2, ps->minx, ps->y[i]);
+ mpz_mul(t1, ps->miny, ps->x[i]);
+ mpz_add(t2, t2, t1);
+ mpz_set(ps->x[i], t0);
+ mpz_set(ps->y[i], t2);
+ }
+ }
+toobig:
+
+ pell_solution_clear(ps);
+ mpz_clear(t0);
+ mpz_clear(t1);
+ mpz_clear(t2);
+ mpz_clear(D3);
+ return res;
+}
+
+static int freeman_step2(int (*callback)(pbc_cm_t, void *), void *data,
+ unsigned int D, mpz_t U) {
+ mpz_t n, x, q;
+ mpz_t p;
+ mpz_t r, cofac;
+ pbc_cm_t cm;
+
+ mpz_init(x);
+ mpz_mod_ui(x, U, 15);
+ if (!mpz_cmp_ui(x, 5)) {
+ mpz_sub_ui(x, U, 5);
+ } else if (!mpz_cmp_ui(x, 10)) {
+ mpz_add_ui(x, U, 5);
+ } else {
+ pbc_die("should never reach here");
+ mpz_clear(x);
+ return 0;
+ }
+
+ mpz_divexact_ui(x, x, 15);
+ mpz_init(q);
+ mpz_init(r);
+
+ //q = 25x^4 + 25x^3 + 25x^2 + 10x + 3
+ mpz_mul(r, x, x);
+ mpz_add(q, x, x);
+ mpz_mul_ui(r, r, 5);
+ mpz_add(q, q, r);
+ mpz_mul(r, r, x);
+ mpz_add(q, q, r);
+ mpz_mul(r, r, x);
+ mpz_add(q, q, r);
+ mpz_mul_ui(q, q, 5);
+ mpz_add_ui(q, q, 3);
+
+ if (!mpz_probab_prime_p(q, 10)) {
+ mpz_clear(q);
+ mpz_clear(r);
+ mpz_clear(x);
+ return 0;
+ }
+
+ //t = 10x^2 + 5x + 3
+ //n = q - t + 1
+ mpz_init(n);
+
+ mpz_mul_ui(n, x, 5);
+ mpz_mul(r, n, x);
+ mpz_add(r, r, r);
+ mpz_add(n, n, r);
+ mpz_sub(n, q, n);
+ mpz_sub_ui(n, n, 2);
+
+ mpz_init(p);
+ mpz_init(cofac);
+ {
+ mpz_set_ui(cofac, 1);
+ mpz_set(r, n);
+ mpz_set_ui(p, 2);
+ if (!mpz_probab_prime_p(r, 10)) for(;;) {
+ if (mpz_divisible_p(r, p)) do {
+ mpz_mul(cofac, cofac, p);
+ mpz_divexact(r, r, p);
+ } while (mpz_divisible_p(r, p));
+ if (mpz_probab_prime_p(r, 10)) break;
+ //TODO: use a table of primes instead?
+ mpz_nextprime(p, p);
+ if (mpz_sizeinbase(p, 2) > 16) {
+ //printf("has 16+ bit factor\n");
+ mpz_clear(r);
+ mpz_clear(p);
+ mpz_clear(cofac);
+ mpz_clear(q);
+ mpz_clear(x);
+ mpz_clear(n);
+ return 0;
+ }
+ }
+ }
+
+ pbc_cm_init(cm);
+ cm->k = 10;
+ cm->D = D;
+ mpz_set(cm->q, q);
+ mpz_set(cm->r, r);
+ mpz_set(cm->h, cofac);
+ mpz_set(cm->n, n);
+ int res = callback(cm, data);
+ pbc_cm_clear(cm);
+
+ mpz_clear(cofac);
+ mpz_clear(r);
+ mpz_clear(p);
+ mpz_clear(q);
+ mpz_clear(x);
+ mpz_clear(n);
+ return res;
+}
+
+int pbc_cm_search_g(int (*callback)(pbc_cm_t, void *), void *data,
+ unsigned int D, unsigned int bitlimit) {
+ int res = 0;
+ mpz_t D15;
+ mpz_t t0, t1, t2;
+
+ mpz_init(D15);
+ mpz_set_ui(D15, D);
+ mpz_mul_ui(D15, D15, 15);
+ if (mpz_perfect_square_p(D15)) {
+ mpz_clear(D15);
+ return 0;
+ }
+
+ mpz_init(t0);
+ mpz_init(t1);
+ mpz_init(t2);
+
+ pell_solution_t ps;
+ general_pell(ps, D15, -20);
+
+ int i, n;
+ n = ps->count;
+ if (n) for (;;) {
+ for (i=0; i<n; i++) {
+ res = freeman_step2(callback, data, D, ps->x[i]);
+ if (res) goto toobig;
+ // Compute next solution as follows:
+ // If p, q is current solution
+ // then compute new solution p', q' via
+ // (p + q sqrt{15D})(t + u sqrt{15D}) = p' + q' sqrt(15D)
+ // where t, u is min. solution to Pell equation
+ mpz_mul(t0, ps->minx, ps->x[i]);
+ mpz_mul(t1, ps->miny, ps->y[i]);
+ mpz_mul(t1, t1, D15);
+ mpz_add(t0, t0, t1);
+ if (2 * mpz_sizeinbase(t0, 2) > bitlimit + 10) goto toobig;
+ mpz_mul(t2, ps->minx, ps->y[i]);
+ mpz_mul(t1, ps->miny, ps->x[i]);
+ mpz_add(t2, t2, t1);
+ mpz_set(ps->x[i], t0);
+ mpz_set(ps->y[i], t2);
+ }
+ }
+toobig:
+
+ pell_solution_clear(ps);
+ mpz_clear(t0);
+ mpz_clear(t1);
+ mpz_clear(t2);
+ mpz_clear(D15);
+ return res;
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/mpc.c b/moon-abe/pbc-0.5.14/ecc/mpc.c
new file mode 100644
index 00000000..e5341f99
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/mpc.c
@@ -0,0 +1,122 @@
+//GMP based complex floats
+#include <stdio.h>
+#include <gmp.h>
+#include "mpc.h"
+
+//(a+bi)(c+di) = ac - bd + ((a+b)(c+d) - ac - bd)i
+void mpc_mul(mpc_t res, mpc_t z0, mpc_t z1)
+{
+ mpf_t ac, bd, f0;
+ mpf_init(ac);
+ mpf_init(bd);
+ mpf_init(f0);
+ mpf_mul(ac, z0->a, z1->a);
+ mpf_mul(bd, z0->b, z1->b);
+ mpf_add(f0, z0->a, z0->b);
+ mpf_add(res->b, z1->a, z1->b);
+ mpf_mul(res->b, res->b, f0);
+ mpf_sub(res->b, res->b, ac);
+ mpf_sub(res->b, res->b, bd);
+ mpf_sub(res->a, ac, bd);
+ mpf_clear(f0);
+ mpf_clear(ac);
+ mpf_clear(bd);
+}
+
+void mpc_mul_2exp(mpc_t res, mpc_t z, unsigned long int e)
+{
+ mpf_mul_2exp(res->a, z->a, e);
+ mpf_mul_2exp(res->b, z->b, e);
+}
+
+//(a+bi)^2 = (a-b)(a+b) + 2abi
+void mpc_sqr(mpc_t res, mpc_t z)
+{
+ mpf_t f0, f1;
+ mpf_init(f0);
+ mpf_init(f1);
+ mpf_add(f0, z->a, z->b);
+ mpf_sub(f1, z->a, z->b);
+ mpf_mul(f0, f0, f1);
+ mpf_mul(f1, z->a, z->b);
+ mpf_set(res->a, f0);
+ mpf_add(res->b, f1, f1);
+ mpf_clear(f0);
+ mpf_clear(f1);
+}
+
+//1/(a+bi) = (1/(a^2 + b^2))(a-bi)
+//naive. TODO: use one that is less prone to (over/under)flows/precision loss
+void mpc_inv(mpc_t res, mpc_t z)
+{
+ mpf_t f0, f1;
+ mpf_init(f0);
+ mpf_init(f1);
+ mpf_mul(f0, z->a, z->a);
+ mpf_mul(f1, z->b, z->b);
+ mpf_add(f0, f0, f1);
+ mpf_ui_div(f0, 1, f0);
+ mpf_mul(res->a, z->a, f0);
+ mpf_neg(f0, f0);
+ mpf_mul(res->b, z->b, f0);
+ mpf_clear(f0);
+ mpf_clear(f1);
+}
+
+void mpc_div(mpc_t res, mpc_t z0, mpc_t z1)
+{
+ mpc_t c0;
+ mpc_init(c0);
+ mpc_inv(c0, z1);
+ mpc_mul(res, z0, c0);
+ mpc_clear(c0);
+}
+
+size_t mpc_out_str(FILE *stream, int base, size_t n_digits, mpc_t op)
+{
+ size_t result, status;
+ result = mpf_out_str(stream, base, n_digits, op->a);
+ if (!result) return 0;
+ if (mpf_sgn(op->b) >= 0) {
+ if (EOF == fputc('+', stream)) return 0;
+ result++;
+ }
+ status = mpf_out_str(stream, base, n_digits, op->b);
+ if (!status) return 0;
+ if (EOF == fputc('i', stream)) return 0;
+ return result + status + 1;
+}
+
+void mpc_pow_ui(mpc_t res, mpc_t z, unsigned int n)
+{
+ unsigned int m;
+ mpc_t z0;
+ mpc_init(z0);
+
+ //set m to biggest power of 2 less than n
+ for (m = 1; m <= n; m <<= 1);
+ m >>= 1;
+
+ mpf_set_ui(z0->a, 1);
+ mpf_set_ui(z0->b, 0);
+ while (m) {
+ mpc_mul(z0, z0, z0);
+ if (m & n) {
+ mpc_mul(z0, z0, z);
+ }
+ m >>= 1;
+ }
+ mpc_set(res, z0);
+ mpc_clear(z0);
+}
+
+void mpc_muli(mpc_t res, mpc_t z)
+{
+ //i(a+bi) = -b + ai
+ mpf_t f0;
+ mpf_init(f0);
+ mpf_neg(f0, z->b);
+ mpf_set(res->b, z->a);
+ mpf_set(res->a, f0);
+ mpf_clear(f0);
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/mpc.h b/moon-abe/pbc-0.5.14/ecc/mpc.h
new file mode 100644
index 00000000..3588586b
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/mpc.h
@@ -0,0 +1,93 @@
+// Complex floats.
+// Called mpc_t, these complex numbers are built on GMP's mpf_t type.
+
+// Requires:
+// * stdio.h
+// * gmp.h
+
+#ifndef __PBC_MPC_H__
+#define __PBC_MPC_H__
+
+#pragma GCC visibility push(hidden)
+
+struct mpc_s {
+ mpf_t a;
+ mpf_t b;
+};
+typedef struct mpc_s mpc_t[1];
+typedef struct mpc_s *mpc_ptr;
+
+static inline void mpc_init(mpc_ptr c) {
+ mpf_init(c->a);
+ mpf_init(c->b);
+}
+
+static inline void mpc_clear(mpc_ptr c) {
+ mpf_clear(c->a);
+ mpf_clear(c->b);
+}
+
+static inline mpf_ptr mpc_re(mpc_ptr c) {
+ return c->a;
+}
+
+static inline mpf_ptr mpc_im(mpc_ptr c) {
+ return c->b;
+}
+
+static inline void mpc_add(mpc_ptr res, mpc_ptr z0, mpc_ptr z1) {
+ mpf_add(res->a, z0->a, z1->a);
+ mpf_add(res->b, z0->b, z1->b);
+}
+
+static inline void mpc_sub(mpc_ptr res, mpc_ptr z0, mpc_ptr z1) {
+ mpf_sub(res->a, z0->a, z1->a);
+ mpf_sub(res->b, z0->b, z1->b);
+}
+
+static inline void mpc_neg(mpc_ptr res, mpc_ptr z) {
+ mpf_neg(res->a, z->a);
+ mpf_neg(res->b, z->b);
+}
+
+static inline void mpc_conj(mpc_ptr res, mpc_ptr z) {
+ mpf_set(res->a, z->a);
+ mpf_neg(res->b, z->b);
+}
+
+static inline void mpc_set(mpc_t res, mpc_t z) {
+ mpf_set(res->a, z->a);
+ mpf_set(res->b, z->b);
+}
+
+static inline void mpc_set_ui(mpc_t res, unsigned long int n) {
+ mpf_set_ui(res->a, n);
+ mpf_set_ui(res->b, 0);
+}
+
+static inline void mpc_add_ui(mpc_t res, mpc_t z, unsigned long int n) {
+ mpf_add_ui(res->a, z->a, n);
+}
+
+static inline void mpc_mul_ui(mpc_t res, mpc_t z, unsigned long int n) {
+ mpf_mul_ui(res->a, z->a, n);
+ mpf_mul_ui(res->b, z->b, n);
+}
+
+static inline void mpc_mul_mpf(mpc_t res, mpc_t z, mpf_t f) {
+ mpf_mul(res->a, z->a, f);
+ mpf_mul(res->b, z->b, f);
+}
+
+void mpc_mul(mpc_t res, mpc_t z0, mpc_t z1);
+void mpc_mul_2exp(mpc_t res, mpc_t z, unsigned long int);
+void mpc_div(mpc_t res, mpc_t z0, mpc_t z1);
+void mpc_muli(mpc_t res, mpc_t z);
+void mpc_sqr(mpc_t res, mpc_t z);
+void mpc_inv(mpc_t res, mpc_t z);
+size_t mpc_out_str(FILE *stream, int base, size_t n_digits, mpc_t op);
+void mpc_pow_ui(mpc_t res, mpc_t z, unsigned int n);
+
+#pragma GCC visibility pop
+
+#endif //__PBC_MPC_H__
diff --git a/moon-abe/pbc-0.5.14/ecc/pairing.c b/moon-abe/pbc-0.5.14/ecc/pairing.c
new file mode 100644
index 00000000..48a9c8c6
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/pairing.c
@@ -0,0 +1,283 @@
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h>
+#include <string.h>
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_poly.h"
+#include "pbc_curve.h"
+#include "pbc_param.h"
+#include "pbc_pairing.h"
+#include "pbc_memory.h"
+
+static int generic_is_almost_coddh(element_ptr a, element_ptr b,
+ element_ptr c, element_ptr d, pairing_t pairing) {
+ int res = 0;
+ element_t t0, t1;
+
+ element_init(t0, pairing->GT);
+ element_init(t1, pairing->GT);
+ element_pairing(t0, a, d);
+ element_pairing(t1, b, c);
+ if (!element_cmp(t0, t1)) {
+ res = 1;
+ } else {
+ element_mul(t0, t0, t1);
+ if (element_is1(t0)) res = 1;
+ }
+ element_clear(t0);
+ element_clear(t1);
+ return res;
+}
+
+static void generic_prod_pairings(element_ptr out, element_t in1[],
+ element_t in2[], int n, pairing_t pairing) {
+ pairing->map(out, in1[0], in2[0], pairing);
+ element_t tmp;
+ element_init_same_as(tmp, out);
+ int i;
+ for(i = 1; i < n; i++) {
+ pairing->map(tmp, in1[i], in2[i], pairing);
+ element_mul(out, out, tmp);
+ }
+ element_clear(tmp);
+}
+
+static void phi_warning(element_ptr out, element_ptr in, pairing_ptr pairing) {
+ UNUSED_VAR(out);
+ UNUSED_VAR(in);
+ UNUSED_VAR(pairing);
+ printf("Phi() not implemented for this pairing type yet!\n");
+}
+
+static void default_option_set(struct pairing_s *pairing, char *key, char *value) {
+ UNUSED_VAR(pairing);
+ UNUSED_VAR(key);
+ UNUSED_VAR(value);
+}
+
+static void default_pp_init(pairing_pp_t p, element_ptr in1, pairing_t pairing) {
+ UNUSED_VAR(pairing);
+ p->data = (void *) in1;
+}
+
+static void default_pp_apply(element_ptr out, element_ptr in2, pairing_pp_t p) {
+ p->pairing->map(out, p->data, in2, p->pairing);
+}
+
+static void default_pp_clear(pairing_pp_t p) {
+ UNUSED_VAR(p);
+}
+
+void pairing_init_pbc_param(pairing_t pairing, pbc_param_ptr p) {
+ pairing->option_set = default_option_set;
+ pairing->pp_init = default_pp_init;
+ pairing->pp_clear = default_pp_clear;
+ pairing->pp_apply = default_pp_apply;
+ pairing->is_almost_coddh = generic_is_almost_coddh;
+ pairing->phi = phi_warning;
+ pairing->prod_pairings = generic_prod_pairings;
+ p->api->init_pairing(pairing, p->data);
+ pairing->G1->pairing = pairing;
+ pairing->G2->pairing = pairing;
+ pairing->GT->pairing = pairing;
+}
+
+int pairing_init_set_buf(pairing_t pairing, const char *input, size_t len) {
+ pbc_param_t par;
+ int res = pbc_param_init_set_buf(par, input, len);
+ if (res) {
+ pbc_error("error initializing pairing");
+ return 1;
+ }
+ pairing_init_pbc_param(pairing, par);
+ pbc_param_clear(par);
+ return 0;
+}
+
+int pairing_init_set_str(pairing_t pairing, const char *s) {
+ return pairing_init_set_buf(pairing, s, 0);
+}
+
+void pairing_clear(pairing_t pairing) {
+ pairing->clear_func(pairing);
+}
+
+// TODO: it's most likely better to add extra stuff to field_t
+// so no new data structures are needed to create mulitplicative subgroups.
+// Additionally the same code could be used with curve_t
+// Will consider it later, especially if timings turn out bad
+
+static void gt_out_info(FILE *out, field_ptr f) {
+ gmp_fprintf(out, "roots of unity, order %Zd, ", f->order);
+ field_out_info(out, f->data);
+}
+
+static void gt_from_hash(element_ptr e, void *data, int len) {
+ pairing_ptr pairing = e->field->pairing;
+ element_from_hash(e->data, data, len);
+ pairing->finalpow(e);
+}
+
+static void gt_random(element_ptr e) {
+ pairing_ptr pairing = e->field->pairing;
+ element_random(e->data);
+ pairing->finalpow(e);
+}
+
+// multiplicative subgroup of a field
+static void mulg_field_clear(field_t f) {
+ UNUSED_VAR(f);
+}
+
+static void mulg_init(element_ptr e) {
+ e->data = pbc_malloc(sizeof(element_t));
+ field_ptr f = e->field->data;
+ element_init(e->data, f);
+ element_set1(e->data);
+}
+
+static void mulg_clear(element_ptr e) {
+ element_clear(e->data);
+ pbc_free(e->data);
+}
+
+static void mulg_set(element_ptr x, element_t a) {
+ element_set(x->data, a->data);
+}
+
+static int mulg_cmp(element_ptr x, element_t a) {
+ return element_cmp(x->data, a->data);
+}
+
+static size_t mulg_out_str(FILE *stream, int base, element_ptr e) {
+ return element_out_str(stream, base, e->data);
+}
+
+static void mulg_set_multiz(element_ptr e, multiz m) {
+ return element_set_multiz(e->data, m);
+}
+
+static int mulg_set_str(element_ptr e, const char *s, int base) {
+ return element_set_str(e->data, s, base);
+}
+
+static int mulg_item_count(element_ptr e) {
+ return element_item_count(e->data);
+}
+
+static element_ptr mulg_item(element_ptr e, int i) {
+ return element_item(e->data, i);
+}
+
+static int mulg_to_bytes(unsigned char *data, element_ptr e) {
+ return element_to_bytes(data, e->data);
+}
+
+static int mulg_from_bytes(element_ptr e, unsigned char *data) {
+ return element_from_bytes(e->data, data);
+}
+
+static int mulg_length_in_bytes(element_ptr e) {
+ return element_length_in_bytes(e->data);
+}
+
+static int mulg_snprint(char *s, size_t n, element_ptr e) {
+ return element_snprint(s, n, e->data);
+}
+
+static void mulg_to_mpz(mpz_ptr z, element_ptr e) {
+ element_to_mpz(z, e->data);
+}
+
+static void mulg_set1(element_t e) {
+ element_set1(e->data);
+}
+
+static void mulg_mul(element_ptr x, element_t a, element_t b) {
+ element_mul(x->data, a->data, b->data);
+}
+
+static void mulg_div(element_ptr x, element_t a, element_t b) {
+ element_div(x->data, a->data, b->data);
+}
+
+static void mulg_invert(element_ptr x, element_t a) {
+ element_invert(x->data, a->data);
+}
+
+static int mulg_is1(element_ptr x) {
+ return element_is1(x->data);
+}
+
+static void mulg_pow_mpz(element_t x, element_t a, mpz_t n) {
+ element_pow_mpz(x->data, a->data, n);
+}
+
+static void mulg_pp_init(element_pp_t p, element_t in) {
+ p->data = pbc_malloc(sizeof(element_pp_t));
+ element_pp_init(p->data, in->data);
+}
+
+static void mulg_pp_clear(element_pp_t p) {
+ element_pp_clear(p->data);
+ pbc_free(p->data);
+}
+
+static void mulg_pp_pow(element_t out, mpz_ptr power, element_pp_t p) {
+ element_pp_pow(out->data, power, p->data);
+}
+
+void pairing_GT_init(pairing_ptr pairing, field_t f) {
+ field_ptr gt = pairing->GT;
+ field_init(gt);
+ gt->data = f;
+ f->pairing = pairing;
+ mpz_set(gt->order, pairing->r);
+ gt->field_clear = mulg_field_clear;
+ gt->out_info = gt_out_info;
+
+ gt->init = mulg_init;
+ gt->clear = mulg_clear;
+ gt->set = mulg_set;
+ gt->cmp = mulg_cmp;
+
+ gt->out_str = mulg_out_str;
+ gt->set_multiz = mulg_set_multiz;
+ gt->set_str = mulg_set_str;
+ gt->to_bytes = mulg_to_bytes;
+ gt->from_bytes = mulg_from_bytes;
+ gt->length_in_bytes = mulg_length_in_bytes;
+ gt->fixed_length_in_bytes = f->fixed_length_in_bytes;
+ gt->to_mpz = mulg_to_mpz;
+ gt->snprint = mulg_snprint;
+ gt->item = mulg_item;
+ gt->item_count = mulg_item_count;
+
+ // TODO: set gt->nqr to something?
+ // set is_sqr, sqrt to something?
+
+ // additive notation
+ gt->set0 = mulg_set1;
+ gt->add = mulg_mul;
+ gt->sub = mulg_div;
+ gt->mul_mpz = mulg_pow_mpz;
+ gt->neg = mulg_invert;
+ gt->is0 = mulg_is1;
+
+ // multiplicative notation
+ gt->set1 = mulg_set1;
+ gt->mul = mulg_mul;
+ gt->div = mulg_div;
+ gt->pow_mpz = mulg_pow_mpz;
+ gt->invert = mulg_invert;
+ gt->is1 = mulg_is1;
+ gt->pp_init = mulg_pp_init;
+ gt->pp_clear = mulg_pp_clear;
+ gt->pp_pow = mulg_pp_pow;
+
+ gt->random = gt_random;
+ gt->from_hash = gt_from_hash;
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/param.c b/moon-abe/pbc-0.5.14/ecc/param.c
new file mode 100644
index 00000000..4fa25eef
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/param.c
@@ -0,0 +1,220 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h> // for intptr_t
+#include <string.h>
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_memory.h"
+#include "pbc_param.h"
+#include "pbc_a_param.h"
+#include "pbc_mnt.h"
+#include "pbc_d_param.h"
+#include "pbc_e_param.h"
+#include "pbc_f_param.h"
+#include "pbc_a1_param.h"
+#include "pbc_g_param.h"
+#include "pbc_i_param.h"
+
+#include "misc/symtab.h"
+#include "ecc/param.h"
+
+// Parser that reads a bunch of strings and places them in a symbol table.
+// TODO: Replace with Flex/Bison?
+
+enum {
+ token_none = 0,
+ token_langle,
+ token_langleslash,
+ token_rangle,
+ token_word,
+ token_eof,
+};
+
+struct token_s {
+ int type;
+ char *s;
+};
+typedef struct token_s token_t[1];
+typedef struct token_s *token_ptr;
+
+// Reads next token from `input`.
+// Returns 1 on reaching `end` (if not NULL) or '\0' is read, 0 otherwise.
+static const char *token_get(token_t tok, const char *input, const char *end) {
+ char *buf;
+ int n = 32;
+ int i;
+ char c;
+ #define get() (((!end || input < end) && *input) ? (c = *input++, 0) : 1)
+ // Skip whitespace and comments.
+ for(;;) {
+ do {
+ if (get()) {
+ tok->type = token_eof;
+ return input;
+ }
+ } while (strchr(" \t\r\n", c));
+ if (c == '#') {
+ do {
+ if (get()) {
+ tok->type = token_eof;
+ return input;
+ }
+ } while (c != '\n');
+ } else break;
+ }
+
+ tok->type = token_word;
+ pbc_free(tok->s);
+ buf = (char *) pbc_malloc(n);
+ i = 0;
+ for (;;) {
+ buf[i] = c;
+ i++;
+ if (i == n) {
+ n += 32;
+ buf = (char *) pbc_realloc(buf, n);
+ }
+ if (get() || strchr(" \t\r\n</>", c)) break;
+ }
+ buf[i] = 0;
+ tok->s = buf;
+ return input;
+ #undef get
+}
+
+static void token_init(token_t tok) {
+ tok->type = token_none;
+ tok->s = NULL;
+}
+
+static void token_clear(token_t tok) {
+ pbc_free(tok->s);
+}
+
+static void read_symtab(symtab_t tab, const char *input, size_t limit) {
+ token_t tok;
+ const char *inputend = limit ? input + limit : NULL;
+ token_init(tok);
+ for (;;) {
+ input = token_get(tok, input, inputend);
+ if (tok->type != token_word) break;
+ char *key = pbc_strdup(tok->s);
+ input = token_get(tok, input, inputend);
+ if (tok->type != token_word) {
+ pbc_free(key);
+ break;
+ }
+ symtab_put(tab, pbc_strdup(tok->s), key);
+ pbc_free(key);
+ }
+ token_clear(tok);
+}
+
+// These functions have hidden visibility (see header).
+
+void param_out_type(FILE *stream, char *s) {
+ fprintf(stream, "type %s\n", s);
+}
+
+void param_out_mpz(FILE *stream, char *s, mpz_t z) {
+ fprintf(stream, "%s ", s);
+ mpz_out_str(stream, 0, z);
+ fprintf(stream, "\n");
+}
+
+void param_out_int(FILE *stream, char *s, int i) {
+ mpz_t z;
+ mpz_init(z);
+
+ mpz_set_si(z, i);
+ param_out_mpz(stream, s, z);
+ mpz_clear(z);
+}
+
+static const char *lookup(symtab_t tab, const char *key) {
+ if (!symtab_has(tab, key)) {
+ pbc_error("missing param: `%s'", key);
+ return NULL;
+ }
+ return symtab_at(tab, key);
+}
+
+int lookup_mpz(mpz_t z, symtab_t tab, const char *key) {
+ const char *data = lookup(tab, key);
+ if (!data) {
+ pbc_error("missing param: `%s'", key);
+ return 1;
+ }
+ mpz_set_str(z, data, 0);
+ return 0;
+}
+
+int lookup_int(int *n, symtab_t tab, const char *key) {
+ mpz_t z;
+ const char *data = lookup(tab, key);
+ if (!data) {
+ pbc_error("missing param: `%s'", key);
+ return 1;
+ }
+ mpz_init(z);
+
+ mpz_set_str(z, data, 0);
+ *n = mpz_get_si(z);
+ mpz_clear(z);
+
+ return 0;
+}
+
+static int param_set_tab(pbc_param_t par, symtab_t tab) {
+ const char *s = lookup(tab, "type");
+
+ static struct {
+ char *s;
+ int (*fun)(pbc_param_ptr, symtab_t tab);
+ } funtab[] = {
+ { "a", pbc_param_init_a },
+ { "d", pbc_param_init_d },
+ { "e", pbc_param_init_e },
+ { "f", pbc_param_init_f },
+ { "g", pbc_param_init_g },
+ { "a1", pbc_param_init_a1 },
+ { "i", pbc_param_init_i },
+ };
+
+ int res = 1;
+ if (s) {
+ unsigned int i;
+ for(i = 0; i < sizeof(funtab)/sizeof(*funtab); i++) {
+ if (!strcmp(s, funtab[i].s)) {
+ res = funtab[i].fun(par, tab);
+ if (res) pbc_error("bad pairing parameters");
+ return res;
+ }
+ }
+ }
+
+ pbc_error("unknown pairing type");
+ return res;
+}
+
+// Public functions:
+
+int pbc_param_init_set_str(pbc_param_t par, const char *input) {
+ symtab_t tab;
+ symtab_init(tab);
+ read_symtab(tab, input, 0);
+ int res = param_set_tab(par, tab);
+ symtab_forall_data(tab, pbc_free);
+ symtab_clear(tab);
+ return res;
+}
+
+int pbc_param_init_set_buf(pbc_param_t par, const char *input, size_t len) {
+ symtab_t tab;
+ symtab_init(tab);
+ read_symtab(tab, input, len);
+ int res = param_set_tab(par, tab);
+ symtab_forall_data(tab, pbc_free);
+ symtab_clear(tab);
+ return res;
+}
diff --git a/moon-abe/pbc-0.5.14/ecc/param.h b/moon-abe/pbc-0.5.14/ecc/param.h
new file mode 100644
index 00000000..36cbdd36
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/param.h
@@ -0,0 +1,23 @@
+// Input/output routines common to all pairing parameters.
+
+// Requires:
+// * param.h
+// * stdio.h
+// * gmp.h
+#ifndef __PARAM_UTILS_H__
+#define __PARAM_UTILS_H__
+
+#pragma GCC visibility push(hidden)
+
+void param_out_type(FILE *stream, char *s);
+void param_out_mpz(FILE *stream, char *s, mpz_t z);
+void param_out_int(FILE *stream, char *s, int i);
+// TODO: Replace with a stdarg function, e.g.
+// err = lookup("ZZi", "p", "n", "l", p->p, p->n, &p->l);
+struct symtab_s; // let "include/pbc.h" not include "misc/symtab.h"
+int lookup_int(int *n, struct symtab_s *tab, const char *key);
+int lookup_mpz(mpz_t z, struct symtab_s *tab, const char *key);
+
+#pragma GCC visibility pop
+
+#endif //__PARAM_UTILS_H__
diff --git a/moon-abe/pbc-0.5.14/ecc/singular.c b/moon-abe/pbc-0.5.14/ecc/singular.c
new file mode 100644
index 00000000..95f00410
--- /dev/null
+++ b/moon-abe/pbc-0.5.14/ecc/singular.c
@@ -0,0 +1,447 @@
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h> // for intptr_t
+#include <stdlib.h>
+#include <gmp.h>
+#include "pbc_utils.h"
+#include "pbc_field.h"
+#include "pbc_curve.h"
+#include "pbc_param.h"
+#include "pbc_pairing.h"
+#include "pbc_fp.h"
+#include "pbc_memory.h"
+
+//TODO: Store as integer mod ring instead and convert at last minute?
+struct point_s {
+ int inf_flag;
+ element_t x;
+ element_t y;
+};
+typedef struct point_s *point_ptr;
+typedef struct point_s point_t[1];
+
+static void sn_init(element_ptr e) {
+ field_ptr f = e->field->data;
+ e->data = pbc_malloc(sizeof(point_t));
+ point_ptr p = e->data;
+ element_init(p->x, f);
+ element_init(p->y, f);
+ p->inf_flag = 1;
+}
+
+static void sn_clear(element_ptr e) {
+ point_ptr p = e->data;
+ element_clear(p->x);
+ element_clear(p->y);
+ pbc_free(e->data);
+}
+
+static void sn_set0(element_ptr x) {
+ point_ptr p = x->data;
+ p->inf_flag = 1;
+}
+
+static int sn_is0(element_ptr x) {
+ point_ptr p = x->data;
+ return p->inf_flag;
+}
+
+//singular with node: y^2 = x^3 + x^2
+static void sn_random(element_t a) {
+ point_ptr p = a->data;
+ element_t t;
+
+ element_init(t, p->x->field);
+ p->inf_flag = 0;
+ do {
+ element_random(p->x);
+ if (element_is0(p->x)) continue;
+ element_square(t, p->x);
+ element_add(t, t, p->x);
+ element_mul(t, t, p->x);
+ } while (!element_is_sqr(t));
+ element_sqrt(p->y, t);
+
+ element_clear(t);
+}
+
+static inline void sn_double_no_check(point_ptr r, point_ptr p) {
+ element_t lambda, e0, e1;
+
+ element_init(lambda, p->x->field);
+ element_init(e0, p->x->field);
+ element_init(e1, p->x->field);
+ //same point: double them
+
+ //lambda = (3x^2 + 2x) / 2y
+ element_mul_si(lambda, p->x, 3);
+ element_set_si(e0, 2);
+ element_add(lambda, lambda, e0);
+ element_mul(lambda, lambda, p->x);
+ element_add(e0, p->y, p->y);
+ element_invert(e0, e0);
+ element_mul(lambda, lambda, e0);
+ //x1 = lambda^2 - 2x - 1
+ element_add(e1, p->x, p->x);
+ element_square(e0, lambda);
+ element_sub(e0, e0, e1);
+ element_set_si(e1, 1);
+ element_sub(e0, e0, e1);
+ //y1 = (x - x1)lambda - y
+ element_sub(e1, p->x, e0);
+ element_mul(e1, e1, lambda);
+ element_sub(e1, e1, p->y);
+
+ element_set(r->x, e0);
+ element_set(r->y, e1);
+ r->inf_flag = 0;
+
+ element_clear(lambda);
+ element_clear(e0);
+ element_clear(e1);
+ return;
+}
+
+static void sn_double(element_t c, element_t a) {
+ point_ptr r = c->data;
+ point_ptr p = a->data;
+ if (p->inf_flag) {
+ r->inf_flag = 1;
+ return;
+ }
+ if (element_is0(p->y)) {
+ r->inf_flag = 1;
+ return;
+ }
+ sn_double_no_check(r, p);
+}
+
+static void sn_set(element_ptr c, element_ptr a) {
+ point_ptr r = c->data, p = a->data;
+ if (p->inf_flag) {
+ r->inf_flag = 1;
+ return;
+ }
+ r->inf_flag = 0;
+ element_set(r->x, p->x);
+ element_set(r->y, p->y);
+}
+
+static void sn_add(element_t c, element_t a, element_t b) {
+ point_ptr r = c->data;
+ point_ptr p = a->data;
+ point_ptr q = b->data;
+ if (p->inf_flag) {
+ sn_set(c, b);
+ return;
+ }
+ if (q->inf_flag) {
+ sn_set(c, a);
+ return;
+ }
+ if (!element_cmp(p->x, q->x)) {
+ if (!element_cmp(p->y, q->y)) {
+ if (element_is0(p->y)) {
+ r->inf_flag = 1;
+ return;
+ } else {
+ sn_double_no_check(r, p);
+ return;
+ }
+ }
+ //points are inverses of each other
+ r->inf_flag = 1;
+ return;
+ } else {
+ element_t lambda, e0, e1;
+
+ element_init(lambda, p->x->field);
+ element_init(e0, p->x->field);
+ element_init(e1, p->x->field);
+
+ //lambda = (y2-y1)/(x2-x1)
+ element_sub(e0, q->x, p->x);
+ element_invert(e0, e0);
+ element_sub(lambda, q->y, p->y);
+ element_mul(lambda, lambda, e0);
+ //x3 = lambda^2 - x1 - x2 - 1
+ element_square(e0, lambda);
+ element_sub(e0, e0, p->x);
+ element_sub(e0, e0, q->x);
+ element_set1(e1);
+ element_sub(e0, e0, e1);
+ //y3 = (x1-x3)lambda - y1
+ element_sub(e1, p->x, e0);
+ element_mul(e1, e1, lambda);
+ element_sub(e1, e1, p->y);
+
+ element_set(r->x, e0);
+ element_set(r->y, e1);
+ r->inf_flag = 0;
+
+ element_clear(lambda);
+ element_clear(e0);
+ element_clear(e1);
+ }
+}
+
+static void sn_invert(element_ptr c, element_ptr a) {
+ point_ptr r = c->data, p = a->data;
+
+ if (p->inf_flag) {
+ r->inf_flag = 1;
+ return;
+ }
+ r->inf_flag = 0;
+ element_set(r->x, p->x);
+ element_neg(r->y, p->y);
+}
+
+static void sn_field_clear(field_ptr c) {
+ UNUSED_VAR(c);
+}
+
+/* TODO: Write a test program that uses these functions.
+
+// Nonsingular points on sn curves map to finite field elements via
+// (x, y) --> (y + x)/(y - x)
+// The reverse map is
+// a --> (4a/(a-1)^2, 4a(a+1)/(a-1)^3)
+
+void sn_point_to_field(element_t out, point_ptr P) {
+ element_t e0, e1;
+ if (P->inf_flag) {
+ element_set1(out);
+ return;
+ }
+ element_init(e0, out->field);
+ element_init(e1, out->field);
+ element_add(e0, P->y, P->x);
+ element_sub(e1, P->y, P->x);
+ element_invert(e1, e1);
+ element_mul(out, e0, e1);
+ element_clear(e0);
+ element_clear(e1);
+}
+
+static void sn_field_to_point(point_ptr P, element_t in) {
+ element_t e0, e1, e2;
+
+ if (element_is1(in)) {
+ P->inf_flag = 1;
+ return;
+ }
+ element_init(e0, in->field);
+ element_init(e1, in->field);
+ element_init(e2, in->field);
+
+ element_set1(e1);
+ element_sub(e0, in, e1);
+ element_invert(e0, e0);
+
+ element_mul_si(e2, in, 4);
+
+ element_add(P->y, in, e1);
+
+ element_mul(e1, e0, e0);
+ element_mul(P->x, e1, e2);
+ element_mul(P->y, P->y, e2);
+ element_mul(P->y, P->y, e0);
+ element_mul(P->y, P->y, e1);
+ P->inf_flag = 0;
+
+ element_clear(e0);
+ element_clear(e1);
+ element_clear(e2);
+}
+*/
+
+static size_t sn_out_str(FILE *stream, int base, element_ptr a) {
+ point_ptr p = a->data;
+ size_t result, status;
+ if (p->inf_flag) {
+ if (EOF == fputc('O', stream)) return 0;
+ return 1;
+ }
+ result = element_out_str(stream, base, p->x);
+ if (!result) return 0;
+ if (EOF == fputc(' ', stream)) return 0;
+ status = element_out_str(stream, base, p->y);
+ if (!status) return 0;
+ return result + status + 1;
+}
+
+void naive_generic_pow_mpz(element_ptr x, element_ptr a, mpz_ptr n);
+void field_init_curve_singular_with_node(field_t c, field_t field) {
+ mpz_set(c->order, field->order);
+ c->data = (void *) field;
+ c->init = sn_init;
+ c->clear = sn_clear;
+ c->random = sn_random;
+ //c->from_x = cc_from_x;
+ //c->from_hash = cc_from_hash;
+ c->set = sn_set;
+ c->invert = c->neg = sn_invert;
+ c->square = c->doub = sn_double;
+ c->mul = c->add = sn_add;
+ c->set1 = c->set0 = sn_set0;
+ c->is1 = c->is0 = sn_is0;
+ c->mul_mpz = element_pow_mpz;
+ c->out_str = sn_out_str;
+ c->field_clear = sn_field_clear;
+}
+
+//TODO: the following code is useless as the Tate pairing is degenerate on singular curves
+static void sn_miller(element_t res, mpz_t q, element_t P,
+ element_ptr Qx, element_ptr Qy) {
+ //collate divisions
+ int m;
+ element_t v, vd;
+ element_t Z;
+ element_t a, b, c;
+ element_t e0, e1;
+ element_ptr Zx;
+ element_ptr Zy;
+ const element_ptr Px = curve_x_coord(P);
+ const element_ptr Py = curve_y_coord(P);
+
+ #define do_vertical(e) \
+ element_sub(e0, Qx, Zx); \
+ element_mul(e, e, e0);
+
+ //a = -slope_tangent(Z.x, Z.y);
+ //b = 1;
+ //c = -(Z.y + a * Z.x);
+ //but we multiply by 2*Z.y to avoid division
+ //a = -Zx * (Zx + Zx + Zx + 2)
+ //b = 2 * Zy
+ //c = -(2 Zy^2 + a Zx);
+ #define do_tangent(e) \
+ element_double(e0, Zx); \
+ element_add(a, Zx, e0); \
+ element_set_si(e0, 2); \
+ element_add(a, a, e0); \
+ element_mul(a, a, Zx); \
+ element_neg(a, a); \
+ element_add(b, Zy, Zy); \
+ element_mul(e0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, e0); \
+ element_neg(c, c); \
+ element_mul(e0, a, Qx); \
+ element_mul(e1, b, Qy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(e, e, e0);
+
+ //a = -(B.y - A.y) / (B.x - A.x);
+ //b = 1;
+ //c = -(A.y + a * A.x);
+ //but we'll multiply by B.x - A.x to avoid division
+ #define do_line(e) \
+ element_sub(b, Px, Zx); \
+ element_sub(a, Zy, Py); \
+ element_mul(e0, b, Zy); \
+ element_mul(c, a, Zx); \
+ element_add(c, c, e0); \
+ element_neg(c, c); \
+ element_mul(e0, a, Qx); \
+ element_mul(e1, b, Qy); \
+ element_add(e0, e0, e1); \
+ element_add(e0, e0, c); \
+ element_mul(e, e, e0);
+
+ element_init(a, Px->field);
+ element_init(b, Px->field);
+ element_init(c, Px->field);
+ element_init(e0, res->field);
+ element_init(e1, res->field);
+
+ element_init(v, res->field);
+ element_init(vd, res->field);
+ element_init(Z, P->field);
+
+ element_set(Z, P);
+ Zx = curve_x_coord(Z);
+ Zy = curve_y_coord(Z);
+
+ element_set1(v);
+ element_set1(vd);
+ m = mpz_sizeinbase(q, 2) - 2;
+
+ while(m >= 0) {
+ element_mul(v, v, v);
+ element_mul(vd, vd, vd);
+ do_tangent(v);
+ element_double(Z, Z);
+ do_vertical(vd);
+ if (mpz_tstbit(q, m)) {
+ do_line(v);
+ element_add(Z, Z, P);
+ do_vertical(vd);
+ }
+ m--;
+ }
+ #undef do_tangent
+ #undef do_vertical
+ #undef do_line
+
+ element_invert(vd, vd);
+ element_mul(res, v, vd);
+
+ element_clear(v);
+ element_clear(vd);
+ element_clear(Z);
+ element_clear(a);
+ element_clear(b);
+ element_clear(c);
+ element_clear(e0);
+ element_clear(e1);
+}
+
+struct sn_pairing_data_s {
+ field_t Fq, Eq;
+};
+typedef struct sn_pairing_data_s sn_pairing_data_t[1];
+typedef struct sn_pairing_data_s *sn_pairing_data_ptr;
+
+static void sn_pairing(element_ptr out, element_ptr in1, element_ptr in2,
+ pairing_t pairing) {
+ sn_pairing_data_ptr p = pairing->data;
+ element_ptr Q = in2;
+ element_t e0;
+ element_t R, QR;
+ element_init(R, p->Eq);
+ element_init(QR, p->Eq);
+ element_random(R);
+ element_init(e0, out->field);
+ element_add(QR, Q, R);
+ sn_miller(out, pairing->r, in1, curve_x_coord(QR), curve_y_coord(QR));
+ sn_miller(e0, pairing->r, in1, curve_x_coord(R), curve_y_coord(R));
+ element_invert(e0, e0);
+ element_mul(out, out, e0);
+ //element_pow_mpz(out, out, p->tateexp);
+ element_clear(R);
+ element_clear(QR);
+}
+
+void pairing_init_singular_with_node(pairing_t pairing, mpz_t q) {
+ sn_pairing_data_ptr p;
+
+ mpz_init(pairing->r);
+ mpz_sub_ui(pairing->r, q, 1);
+ field_init_fp(pairing->Zr, pairing->r);
+ pairing->map = sn_pairing;
+
+ p = pairing->data = pbc_malloc(sizeof(sn_pairing_data_t));
+ field_init_fp(p->Fq, q);
+ field_init_curve_singular_with_node(p->Eq, p->Fq);
+
+ //mpz_init(p->tateexp);
+ //mpz_sub_ui(p->tateexp, p->Fq->order, 1);
+ //mpz_divexact(p->tateexp, p->tateexp, pairing->r);
+
+ pairing->G2 = pairing->G1 = p->Eq;
+
+ pairing_GT_init(pairing, p->Fq);
+}