1 
2 /***************************************************************************
3                                                                            *
4 Copyright 2012 CertiVox IOM Ltd.                                           *
5                                                                            *
6 This file is part of CertiVox MIRACL Crypto SDK.                           *
7                                                                            *
8 The CertiVox MIRACL Crypto SDK provides developers with an                 *
9 extensive and efficient set of cryptographic functions.                    *
10 For further information about its features and functionalities please      *
11 refer to http://www.certivox.com                                           *
12                                                                            *
13 * The CertiVox MIRACL Crypto SDK is free software: you can                 *
14   redistribute it and/or modify it under the terms of the                  *
15   GNU Affero General Public License as published by the                    *
16   Free Software Foundation, either version 3 of the License,               *
17   or (at your option) any later version.                                   *
18                                                                            *
19 * The CertiVox MIRACL Crypto SDK is distributed in the hope                *
20   that it will be useful, but WITHOUT ANY WARRANTY; without even the       *
21   implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
22   See the GNU Affero General Public License for more details.              *
23                                                                            *
24 * You should have received a copy of the GNU Affero General Public         *
25   License along with CertiVox MIRACL Crypto SDK.                           *
26   If not, see <http://www.gnu.org/licenses/>.                              *
27                                                                            *
28 You can be released from the requirements of the license by purchasing     *
29 a commercial license. Buying such a license is mandatory as soon as you    *
30 develop commercial activities involving the CertiVox MIRACL Crypto SDK     *
31 without disclosing the source code of your own applications, or shipping   *
32 the CertiVox MIRACL Crypto SDK with a closed source product.               *
33                                                                            *
34 ***************************************************************************/
35 /*
36  * pairing_1.h
37  *
38  * High level interface to pairing functions - Type 1 pairings
39  *
40  * GT=pairing(G1,G1)
41  *
42  * This is calculated on a Pairing Friendly Curve (PFC), which must first be defined.
43  *
44  * G1 is a point over the base field
45  * GT is a finite field point over the k-th extension, where k is the embedding degree.
46  */
47 
48 #ifndef PAIRING_1_H
49 #define PAIRING_1_H
50 
51 // k=2 Super-Singular curve over GF(P)
52 #ifdef MR_PAIRING_SSP
53 #include "zzn2.h"	// GT
54 #include "ecn.h"	// G1
55 #define G1_TYPE ECn
56 #define G1_SUBTYPE ZZn
57 #define GT_TYPE ZZn2
58 #define WINDOW_SIZE 8 // window size for precomputation
59 extern void read_only_error(void);
60 #endif
61 
62 // k=4 Super-Singular curve over GF(2^M)
63 #ifdef MR_PAIRING_SS2
64 #include "gf2m4x.h"	// GT
65 #include "ec2.h"	// G1
66 #define G1_TYPE EC2
67 #define GT_TYPE GF2m4x
68 #endif
69 
70 class PFC;
71 
72 class G1
73 {
74 public:
75 	G1_TYPE g;
76 
77 #ifdef MR_PAIRING_SSP
78 	G1_SUBTYPE *ptable;
79 	G1_TYPE *mtable;
80 	int mtbits;
81 
G1()82 	G1()   {mtable=NULL; mtbits=0; ptable=NULL;}
G1(const G1 & w)83 	G1(const G1& w) {mtable=NULL; mtbits=0; ptable=NULL; g=w.g;}
84 
85 	G1& operator=(const G1& w)
86 	{
87 		if (mtable==NULL && ptable==NULL) g=w.g;
88 		else read_only_error();
89 		return *this;
90 	}
91 
92 #else
G1()93     G1()   {}
G1(const G1 & w)94 	G1(const G1& w) {g=w.g;}
95 
96 	G1& operator=(const G1& w)
97 	{
98 		g=w.g;
99 		return *this;
100 	}
101 #endif
102 	int spill(char *&);   // spill precomputation to byte array, and return length
103 	void restore(char *); // restore precomputation from byte array
104 
105 	friend G1 operator-(const G1&);
106 	friend G1 operator+(const G1&,const G1&);
107 	friend BOOL operator==(const G1& x,const G1& y)
108       {if (x.g==y.g) return TRUE; else return FALSE;}
109 	friend BOOL operator!=(const G1& x,const G1& y)
110       {if (x.g!=y.g) return TRUE; else return FALSE;}
111 
112 #ifdef MR_PAIRING_SSP
~G1()113 	~G1()  {if (ptable!=NULL) {delete [] ptable; ptable=NULL;}
114 			if (mtable!=NULL) {delete [] mtable; mtable=NULL;}}
115 #else
~G1()116 	~G1()  {}
117 #endif
118 };
119 
120 class GT
121 {
122 public:
123 	GT_TYPE g;
124 
125 #ifdef MR_PAIRING_SSP
126 	GT_TYPE *etable;
127 	int etbits;
GT()128 	GT() {etable=NULL; etbits=0;}
GT(const GT & w)129 	GT(const GT& w) {etable=NULL; etbits=0; g=w.g;}
GT(int d)130 	GT(int d) {etable=NULL; g=d;}
131 
132 	GT& operator=(const GT& w)
133 	{
134 		if (etable==NULL) g=w.g;
135 		else read_only_error();
136 		return *this;
137 	}
138 #else
GT()139 	GT() {}
GT(const GT & w)140 	GT(const GT& w) {g=w.g;}
GT(int d)141 	GT(int d) {g=d;}
142 
143 	GT& operator=(const GT& w)
144 	{
145 		g=w.g;
146 		return *this;
147 	}
148 #endif
149 	int spill(char *&);   // spill precomputation to byte array, and return length
150 	void restore(char *); // restore precomputation from byte array
151 	friend GT operator*(const GT&,const GT&);
152 	friend GT operator/(const GT&,const GT&);
153 	friend BOOL operator==(const GT& x,const GT& y)
154       {if (x.g==y.g) return TRUE; else return FALSE;}
155 	friend BOOL operator!=(const GT& x,const GT& y)
156       {if (x.g!=y.g) return TRUE; else return FALSE;}
157 #ifdef MR_PAIRING_SSP
~GT()158 	~GT() {if (etable!=NULL) {delete [] etable; etable=NULL;}}
159 #else
~GT()160 	~GT() {}
161 #endif
162 };
163 
164 // pairing friendly curve class
165 
166 class PFC
167 {
168 #ifdef MR_PAIRING_SSP
169 public:
170 	Big *mod;
171 	Big *cof;
172 #else
173 	int B;
174 public:
175     int M;
176 	int CF;
177 #endif
178 	int S;
179 	Big *ord;
180 	sha256 SH;
181 #ifndef MR_NO_RAND
182 	csprng *RNG;
183 #endif
184 
185 	PFC(int, csprng *rng=NULL);
order(void)186 	Big order(void) {return *ord;}
187 
188 	GT power(const GT&,const Big&);
189 	G1 mult(const G1&,const Big&);
190 	void hash_and_map(G1&,char *);
191 	void random(Big&);
192 	void rankey(Big&);
193 	void random(G1&);
194 	BOOL member(const GT&);		   // test if element is member of pairing friendly group
195 
196 	int precomp_for_pairing(G1&);  // precompute multiples of G1 that occur in Miller loop
197 	int precomp_for_mult(G1&,BOOL small=FALSE);     // (precomputation may not be implemented!)
198 	int precomp_for_power(GT&,BOOL small=FALSE);    // returns number of precomputed values
199 // small=TRUE if exponent is always less than full group size and equal to 2*Security level
200 // creates a smaller table
201 
202 	int spill(G1&,char *&);
203 	void restore(char *,G1&);
204 
205 	Big hash_to_aes_key(const GT&);
206 	Big hash_to_group(char *);
207 	GT miller_loop(const G1&,const G1&);
208 	GT final_exp(const GT&);
209 	GT pairing(const G1&,const G1&);
210 // parameters: number of pairings n, pointers to pair of G1 elements
211 	GT multi_pairing(int n,G1 **,G1 **); //product of pairings
212 	GT multi_miller(int n,G1 **,G1 **);
213 	void start_hash(void);
214 	void add_to_hash(const G1&);
215 	void add_to_hash(const GT&);
216 	void add_to_hash(const Big&);
217 	Big finish_hash_to_group(void);
~PFC()218 	~PFC() {
219 #ifdef MR_PAIRING_SSP
220 		delete mod; delete cof;
221 #endif
222 		delete ord; mirexit(); }
223 };
224 
225 #ifdef MR_PAIRING_SSP
226 
227 #ifndef MR_AFFINE_ONLY
228 
229 extern void force(ZZn&,ZZn&,ZZn&,ECn&);
230 extern void extract(ECn&,ZZn&,ZZn&,ZZn&);
231 
232 #endif
233 
234 extern void force(ZZn&,ZZn&,ECn&);
235 extern void extract(ECn&,ZZn&,ZZn&);
236 #endif
237 
238 #endif
239