From 38ecab86bd8f7ad1d2da7515cebca6773bfe91c8 Mon Sep 17 00:00:00 2001
From: "Diego F. Aranha"
Date: Sat, 18 Jan 2025 03:15:50 +0100
Subject: [PATCH] Another refactor for speed.
---
 bench/bench_cp.c | 98 ++++++++----------
 include/relic_cp.h | 97 ++++++++----------
 src/cp/relic_cp_pcdel.c | 221 ++++++++++++++--------------------
 test/test_cp.c | 90 ++++++++--------
 4 files changed, 210 insertions(+), 296 deletions(-)
diff --git a/bench/bench_cp.c b/bench/bench_cp.c
index f72a4f601..ffd5c8a55 100644
--- a/bench/bench_cp.c
+++ b/bench/bench_cp.c
@@ -877,83 +877,69 @@ static void pdpub(void) { static void pdprv(void) { bn_t r1, r2[3], ls[AGGS * AGGS], cs[AGGS], ks[AGGS]; - g1_t fs[AGGS], p[AGGS * AGGS], u1[2], v1[3]; - g2_t q[AGGS * AGGS], u2[2], v2[4], w2[4], ds[AGGS * AGGS], bs[AGGS], rs[AGGS * AGGS]; - gt_t e[2], r, ts[AGGS + 1], g[3 * AGGS + 1]; + g1_t fs[AGGS], p[AGGS * AGGS], u1[2], v1[3], rs[AGGS * AGGS], ds[AGGS * AGGS]; + g2_t q[AGGS * AGGS], u2[2], v2[4], w2[4], bs[AGGS * AGGS]; + gt_t e[2], r, ts[2 * AGGS + 1], g[AGGS * AGGS + 1]; bn_null(r1); gt_null(r); - for (int i = 0; i < 2; i++) { - g1_null(u1[i]); - g2_null(u2[i]); - gt_null(e[i]); - } - for (int i = 0; i < 3; i++) { - g1_null(v1[i]); - bn_null(r2[i]); - } - for (int i = 0; i < 4; i++) { - g2_null(v2[i]); - g2_null(w2[i]); - } - for (int i = 0; i < RLC_MAX(4, AGGS + 1); i++) { - gt_null(g[i]); - } - for (int i = 0; i < AGGS; i++) { - g1_null(p[i]); - g2_null(q[i]); - bn_null(ls[i]); - g2_null(ds[i]) - g2_null(rs[i]) - } - gt_null(ts[AGGS]); bn_new(r1); gt_new(r); for (int i = 0; i < 2; i++) { + g1_null(u1[i]); + g2_null(u2[i]); + gt_null(e[i]); g1_new(u1[i]); g2_new(u2[i]); gt_new(e[i]); } for (int i = 0; i < 3; i++) { + g1_null(v1[i]); + bn_null(r2[i]); g1_new(v1[i]); bn_new(r2[i]); } for (int i = 0; i < 4; i++) { + g2_null(v2[i]); + g2_null(w2[i]); g2_new(v2[i]); g2_new(w2[i]); } - for (size_t i = 0; i < 3 * AGGS + 1; i++) { - gt_null(g[i]); - gt_new(g[i]); - } for (size_t i = 0; i < AGGS; i++) { for (size_t j = 0; j < AGGS; j++) { bn_null(ls[i * AGGS + j]); g1_null(p[i * AGGS + j]); g2_null(q[i * AGGS + j]); - g2_null(rs[i * AGGS + j]); - g2_null(ds[i * AGGS + j]); + g1_null(rs[i * AGGS + j]); + g1_null(ds[i * AGGS + j]); + g2_null(bs[i * AGGS + j]); + gt_null(g[i * AGGS + j]); bn_new(ls[i * AGGS + j]); g1_new(p[i * AGGS + j]); g2_new(q[i * AGGS + j]); - g2_new(rs[i * AGGS + j]); - g2_new(ds[i * AGGS + j]); + g1_new(rs[i * AGGS + j]); + g1_new(ds[i * AGGS + j]); + g2_new(bs[i * AGGS + j]); + gt_new(g[i * AGGS + j]); g1_rand(p[i * AGGS + 
j]); g2_rand(q[i * AGGS + j]); } bn_null(ks[i]); bn_null(cs[i]); g1_null(fs[i]); - g2_null(bs[i]); gt_null(ts[i]); + gt_null(ts[i + AGGS]); bn_new(ks[i]); bn_new(cs[i]) g1_new(fs[i]); - g2_new(bs[i]); gt_new(ts[i]); + gt_new(ts[i + AGGS]); } - gt_new(ts[AGGS]); + gt_null(ts[2 * AGGS]); + gt_new(ts[2 * AGGS]); + gt_null(g[AGGS * AGGS]); + gt_new(g[AGGS * AGGS]); BENCH_RUN("cp_pdprv_gen") { BENCH_ADD(cp_pdprv_gen(r1, r2, u1, u2, v2, e)); @@ -1020,11 +1006,11 @@ static void pdprv(void) { } BENCH_END; BENCH_RUN("cp_ambat_ask (AGGS)") { - BENCH_ADD(cp_ambat_ask(ls, rs, u1[1], u2[1], r1, p, q[0], u1[0], u2[0], e[0], 0, AGGS)); + BENCH_ADD(cp_ambat_ask(ls, rs, u1[1], u2[1], w2[0], r1, p[0], q, u1[0], u2[0], e[0], AGGS)); } BENCH_END; BENCH_RUN("cp_ambat_ans (AGGS)") { - BENCH_ADD(cp_ambat_ans(g, rs, u1[1], u2[1], p, AGGS)); + BENCH_ADD(cp_ambat_ans(g, rs, u1[1], u2[1], w2[0], q, AGGS)); } BENCH_END; BENCH_RUN("cp_ambat_ver (AGGS)") { 
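Review bot: `cs[AGGS]` is still declared and allocated in pdprv (`bn_null(cs[i]);` / `bn_new(cs[i])`) although, after the call changes in the -1032 hunk, no benchmark in this function passes it to cp_amprd_ask or cp_amprd_ver any more; unless it is used in the lines between the hunks, drop it from the declaration, from this allocation loop and from the free loop in the -1078 hunk. The context line `bn_new(cs[i])` also lacks a terminating semicolon and presumably only compiles because the macro expansion supplies one, so if `cs` survives it should read `bn_new(cs[i]);`. pdprv's body continues past the end of this hunk.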
@@ -1032,37 +1018,38 @@ static void pdprv(void) { } BENCH_END; BENCH_RUN("cp_amprd_gen (AGGS)") { - BENCH_ADD(cp_amprd_gen(ls, rs, w2[0], r1, u1[0], u2[0], e[0], 1, AGGS)); + BENCH_ADD(cp_amprd_gen(fs[0], r1, u1[0], u2[0], e[0])); } BENCH_END; BENCH_RUN("cp_amprd_ask (AGGS)") { - BENCH_ADD(cp_amprd_ask(ks, ds, cs, fs, bs, v1[0], v2[0], ls, rs, w2[0], r1, p, q, u1[0], u2[0], e[0], 1, AGGS)); + BENCH_ADD(cp_amprd_ask(ks, ds, ls, rs, v1[0], v2[0], w2[0], bs, fs[0], r1, u1[0], u2[0], e[0], p, q, 1, AGGS)); } BENCH_END; BENCH_RUN("cp_amprd_ans (AGGS)") { - BENCH_ADD(cp_amprd_ans(g, ds, fs, bs, v1[0], v2[0], p, q, 1, AGGS)); + BENCH_ADD(cp_amprd_ans(g, ts, ds, rs, v1[0], v2[0], w2[0], bs, p, q, 1, AGGS)); } BENCH_END; BENCH_RUN("cp_amprd_ver (AGGS)") { - BENCH_ADD(cp_amprd_ver(ts, g, ks, cs, e[0], 1)); + BENCH_ADD(cp_amprd_ver(g, ts, ks, ls, e[0], 1, AGGS)); } BENCH_END; BENCH_RUN("cp_amprd_gen (AGGS²)") { - BENCH_ADD(cp_amprd_gen(ls, rs, w2[0], r1, u1[0], u2[0], e[0], AGGS, AGGS)); + BENCH_ADD(cp_amprd_gen(fs[0], r1, u1[0], u2[0], e[0])); } BENCH_END; BENCH_RUN("cp_amprd_ask (AGGS²)") { - BENCH_ADD(cp_amprd_ask(ks, ds, cs, fs, bs, v1[0], v2[0], ls, rs, w2[0], r1, p, q, u1[0], u2[0], e[0], AGGS, AGGS)); + BENCH_ADD(cp_amprd_ask(ks, ds, ls, rs, v1[0], v2[0], w2[0], bs, fs[0], r1, u1[0], u2[0], e[0], p, q, AGGS, AGGS)); } BENCH_END; BENCH_RUN("cp_amprd_ans (AGGS²)") { - BENCH_ADD(cp_amprd_ans(g, ds, fs, bs, v1[0], v2[0], p, q, AGGS, AGGS)); + BENCH_ADD(cp_amprd_ans(g, ts, ds, rs, v1[0], v2[0], w2[0], bs, p, q, AGGS, AGGS)); } BENCH_END; BENCH_RUN("cp_amprd_ver (AGGS²)") { - BENCH_ADD(cp_amprd_ver(ts, g, ks, cs, e[0], AGGS)); + BENCH_ADD(cp_amprd_ver(g, ts, ks, ls, e[0], AGGS, AGGS)); } BENCH_END; + bn_free(r1); gt_free(r); for (int i = 0; i < 2; i++) { 
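Review bot: The two `cp_amprd_gen` benchmarks labelled "(AGGS)" and "(AGGS²)" now time the identical call `cp_amprd_gen(fs[0], r1, u1[0], u2[0], e[0])`, since the new signature no longer takes `l` and `m`; keep one of them, or relabel it without the size suffix, so the report does not suggest two different workloads were measured. The added blank line before `bn_free(r1);` at the end of the hunk is a harmless layout change. pdprv's body continues outside this hunk.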
@@ -1078,26 +1065,25 @@ static void pdprv(void) { g2_free(v2[i]); g2_free(w2[i]); } - for (size_t i = 0; i < 3 * AGGS + 1; i++) { - gt_free(g[i]); - } for (size_t i = 0; i < AGGS; i++) { for (size_t j = 0; j < AGGS; j++) { bn_free(ls[i * AGGS + j]); g1_free(p[i * AGGS + j]); g2_free(q[i * AGGS + j]); - g2_free(rs[i * AGGS + j]); - g2_free(ds[i * AGGS + j]); + g1_free(rs[i * AGGS + j]); + g1_free(ds[i * AGGS + j]); + g2_free(bs[i * AGGS + j]); + gt_free(g[i * AGGS + j]); } bn_free(ls[i]); bn_free(cs[i]); bn_free(ks[i]); g1_free(fs[i]); - g2_free(rs[i]); - g2_free(bs[i]); gt_free(ts[i]); + gt_free(ts[i + AGGS]); } - gt_free(ts[AGGS]); + gt_free(ts[2 * AGGS]); + gt_free(g[AGGS * AGGS]); } static void sokaka(void) { diff --git a/include/relic_cp.h b/include/relic_cp.h index 8dafebb68..847ef3b69 100644 --- a/include/relic_cp.h +++ b/include/relic_cp.h 
@@ -1498,19 +1498,19 @@ int cp_ambat_gen(bn_t r, g1_t u, g2_t v, gt_t e);
  * @param[out] rs - the group elements computed by the client.
  * @param[out] a - the element in G_1 computed by the client.
  * @param[out] b - the element in G_2 computed by the client.
+ * @param[out] c - the element in G_2 computed by the client.
  * @param[in] r - the randomness.
- * @param[in] p - the first arguments of the pairing.
- * @param[in] q - the second argument of the pairing.
+ * @param[in] p - the first argument of the pairing.
+ * @param[in] q - the second arguments of the pairing.
  * @param[in] u - the U1 precomputed value in G_1.
  * @param[in] v - the U2 precomputed value in G_2.
  * @param[in] e - the precomputed value e(U1, U2).
- * @param[in] longc - the flag to indicate if challenge is long.
  * @param[in] m - the number of pairings delegated in the batch.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_ambat_ask(bn_t *ls, g2_t *rs, g1_t a, g2_t b, const bn_t r,
- const g1_t *p, const g2_t q, const g1_t u, const g2_t v, const gt_t e,
- uint_t longc, size_t m);
+int cp_ambat_ask(bn_t *ls, g1_t *rs, g1_t a, g2_t b, g2_t c, const bn_t r,
+ const g1_t p, const g2_t *q, const g1_t u, const g2_t v, const gt_t e,
+ size_t m);
 
 /**
  * Executes the server-side response for the AMORE batch pairing delegation
@@ -1520,12 +1520,13 @@ int cp_ambat_ask(bn_t *ls, g2_t *rs, g1_t a, g2_t b, const bn_t r,
  * @param[out] rs - the group elements sent by the client.
  * @param[in] a - the element in G_1 computed by the client.
  * @param[in] b - the element in G_2 computed by the client.
- * @param[in] p - the first arguments of the delegated pairings.
+ * @param[in] c - the element in G_2 computed by the client.
+ * @param[in] q - the second arguments of the delegated pairings.
  * @param[in] m - the number of pairings delegated in the batch.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_ambat_ans(gt_t *gs, const g2_t *rs, const g1_t a, const g2_t b,
- const g1_t *p, size_t m);
+int cp_ambat_ans(gt_t *gs, const g1_t *rs, const g1_t a, const g2_t b,
+ const g2_t c, const g2_t *q, size_t m);
 
 /**
  * Verifies the result of the AMORE batch pairing delegation protocol.
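Review bot: In the cp_ambat_ans block, `rs` is documented as `@param[out]` although the prototype takes it as `const g1_t *rs`, an input the client already produced in cp_ambat_ask; change the line to `@param[in] rs - the group elements sent by the client.` so the direction matches the added `[in]` entries for `c` and `q`. The same `[out]` marking for `rs` in the cp_ambat_ask block above is correct there, since that function writes it.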
@@ -1544,80 +1545,72 @@ int cp_ambat_ver(gt_t *es, const gt_t *gs, const bn_t *ls, const gt_t e,
  * Generates parameters for the AMORE delegation protocol to compute the
  * product of m pairings using a pairing delegation protocol.
  *
- * @param[out] ls - the (m) scalars for the protocol.
- * @param[out] rs - the (m) points for the protocol.
- * @param[out] r - the additional random point for the protocol.
- * @param[out] c - the challenge for the pairing delegation.
- * @param[out] u - the mask in G_1 for the pairing delegation.
- * @param[out] v - the mask in G_2 for the pairing delegation.
- * @param[in,out] x - the secret key.
- * @param[in,out] e - the precomputed value e(U1, U2).
- * @param[in] l - the number of pairing products to compute.
- * @param[in] m - the number of pairings per product to compute.
- * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
+ * @param[out] r - the random point in G_1.
+ * @param[out] c - the randomness for the batch AMORE protocol.
+ * @param[out] u - the mask in G_1 for batch AMORE.
+ * @param[out] v - the mask in G_2 for batch AMORE.
+ * @param[out] e - the precomputed value e(U1, U2).
  */
-int cp_amprd_gen(bn_t *ls, g2_t *rs, g2_t r, bn_t c, g1_t u, g2_t v, gt_t e,
- size_t l, size_t m);
+int cp_amprd_gen(g1_t r, bn_t c, g1_t u, g2_t v, gt_t e);
 
-/**
+/*
  * Executes the client-side request for the AMORE pairing product delegation
  * protocol.
  *
- * @param[out] ks - the (l) keys for the protocol.
- * @param[out] ds - the (l) points for the protocol.
- * @param[out] cs - the (l) challenges for the batch protocol.
- * @param[out] bs - the (l) points for the batch protocol.
- * @param[out] a - the element in G_1.
- * @param[out] b - the element in G_2.
- * @param[in] ls - the (m) scalars for the protocol.
- * @param[in] rs - the (m) points for the protocol.
- * @param[in] r - the additional random point for the protocol.
- * @param[in] p - the inputs to the batch protocol.
- * @param[in] p - the first argument inputs for the pairings.
- * @param[in] q - the second argument inputs for the pairings.
- * @param[in] u - the U1 precomputed value in G_1.
- * @param[in] v - the U2 precomputed value in G_2.
+ * @param[out] ks - the (l) keys for the batch AMORE protocol.
+ * @param[out] ds - the (l) points for the batch AMORE protocol.
+ * @param[out] ls - the (l * m) scalars for the protocol.
+ * @param[out] rs - the (l * m) points for the protocol.
+ * @param[out] a - the setup for the batch AMORE protocol.
+ * @param[out] b - the setup for the batch AMORE protocol.
+ * @param[out] d - the setup for the batch AMORE protocol.
+ * @param[out] bs - the row-wise addition of the second arguments.
+ * @param[out] r - the additional random point for the protocol.
+ * @param[out] c - the challenge for the pairing delegation.
+ * @param[out] u - the mask in G_1 for the pairing delegation.
+ * @param[out] v - the mask in G_2 for the pairing delegation.
  * @param[in] l - the number of pairing products to compute.
  * @param[in] m - the number of pairings per product to compute.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_amprd_ask(bn_t *ks, g2_t *ds, bn_t *cs, g1_t *fs, g2_t *bs, g1_t a,
- g2_t b, const bn_t *ls, const g2_t *rs, const g2_t r, const bn_t c,
- const g1_t *p, const g2_t *q, const g1_t u, const g2_t v, const gt_t e,
- size_t l, size_t m);
-
+int cp_amprd_ask(bn_t *ks, g1_t *ds, bn_t *ls, g1_t *rs, g1_t a, g2_t b, g2_t d,
+ g2_t *bs, const g1_t c, const bn_t r, const g1_t u, const g2_t v,
+ gt_t e, const g1_t *p, const g2_t *q, size_t l, size_t m);
 /**
  * Executes the server-side response for the AMORE pairing product delegation
  * protocol.
  *
- * @param[out] g - the group elements computed by the server.
- * @param[in] ds - the m points for the protocol.
- * @param[out] bs - the (l) points for the batch protocol.
+ * @param[out] gs - the results computed by the server.
+ * @param[out] ts - the group elements computed by the server.
+ * @param[in] ds - the (l) points for the batch AMORE protocol.
+ * @param[in] rs - the (l * m) points for the protocol.
  * @param[in] a - the first element in G_1.
  * @param[in] b - the first element in G_2.
+ * @param[in] b - the second element in G_2.
  * @param[in] p - the first argument inputs for the pairings.
  * @param[in] q - the second argument inputs for the pairings.
  * @param[in] l - the number of pairing products to compute.
  * @param[in] m - the number of pairings per product to compute.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_amprd_ans(gt_t *gs, const g2_t *ds, const g1_t *fs, const g2_t *bs,
- const g1_t a, const g2_t b, const g1_t *p, const g2_t *q,
- size_t l, size_t m);
+int cp_amprd_ans(gt_t *gs, gt_t *ts, const g1_t *ds, const g1_t *rs,
+ const g1_t a, const g2_t b, const g2_t d, const g2_t *bs, const g1_t *p,
+ const g2_t *q, size_t l, size_t m);
 
 /**
  * Verifies the result of the AMORE pairing delegation protocol.
  *
- * @param[out] ts - the results of the computation.
- * @param[in] gs - the group elements returned by the server.
+ * @param[out] gs - the results of the computation.
+ * @param[in,out] ts - the group elements returned by the server.
  * @param[in] ks - the pairing product keys.
  * @param[in] cs - the challenges for the batch protocol.
  * @param[in] e - the precomputed value e(U1, U2).
  * @param[in] l - the number of pairing products to compute.
+ * @param[in] m - the number of pairings per product to compute.
  * @return a boolean value indicating if the computation is correct.
  */
-int cp_amprd_ver(gt_t *ts, const gt_t *gs, const bn_t *ks, const bn_t *cs,
- const gt_t e, size_t l);
+int cp_amprd_ver(gt_t *gs, gt_t *ts, const bn_t *ks, const bn_t *ls,
+ const gt_t e, size_t l, size_t m);
 
 /**
  * Generates a master key for the SOKAKA identity-based non-interactive
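Review bot: The comment block for cp_amprd_ask was changed from `/**` to `/*`, which takes the function out of the generated Doxygen documentation; restore `/**`. Inside that block `r`, `c`, `u` and `v` are tagged `@param[out]` although the new prototype takes them as `const` inputs, `e`, `p` and `q` have no entry at all, and `gt_t e` is the only non-`const` input without a word on why it may be written. In the cp_amprd_gen block the prototype names the G_1 point `r` and the scalar `c` (`int cp_amprd_gen(g1_t r, bn_t c, g1_t u, g2_t v, gt_t e);`), the reverse of the definition in relic_cp_pcdel.c (`g1_t c, bn_t r`), and the `@return` line was dropped although the function still returns an int. The cp_amprd_ans block documents `b` twice (the second entry, 'the second element in G_2', belongs to `d`) and has no entry for `bs`, and the cp_amprd_ver block still describes `cs` while the parameter is now `ls`. The blank line separating the cp_amprd_ask prototype from the following `/**` was also removed.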
diff --git a/src/cp/relic_cp_pcdel.c b/src/cp/relic_cp_pcdel.c index 291c1ac09..0f6b32fd5 100644 --- a/src/cp/relic_cp_pcdel.c +++ b/src/cp/relic_cp_pcdel.c @@ -504,6 +504,7 @@ int cp_amore_gen(bn_t x, gt_t e) { bn_null(n); RLC_TRY { + bn_new(n); pc_get_ord(n); bn_rand_mod(x, n); @@ -517,7 +518,6 @@ int cp_amore_gen(bn_t x, gt_t e) { result = RLC_ERR; } RLC_FINALLY { bn_free(n); - bn_free(t); } return result; } @@ -537,6 +537,8 @@ int cp_amore_ask(bn_t d, g1_t a1, g2_t b1, g1_t a2, g2_t b2, bn_t c, bn_t r, RLC_TRY { bn_new(n); bn_new(t); + g1_new(u); + g2_new(v); pc_get_ord(n); bn_rand_mod(t, n); @@ -843,10 +845,10 @@ int cp_ambat_gen(bn_t r, g1_t u, g2_t v, gt_t e) { pc_get_ord(n); bn_rand_mod(r, n); - g2_mul_gen(v, r); - bn_rand_mod(t, n); - g1_mul_gen(u, t); + + g1_mul_gen(u, r); + g2_mul_gen(v, t); bn_mul(t, t, r); bn_mod(t, t, n); @@ -862,11 +864,10 @@ int cp_ambat_gen(bn_t r, g1_t u, g2_t v, gt_t e) { return result; } -int cp_ambat_ask(bn_t *ls, g2_t *rs, g1_t a, g2_t b, const bn_t r, - const g1_t *p, const g2_t q, const g1_t u, const g2_t v, const gt_t e, - uint_t longc, size_t m) { +int cp_ambat_ask(bn_t *ls, g1_t *rs, g1_t a, g2_t b, g2_t c, const bn_t r, + const g1_t p, const g2_t *q, const g1_t u, const g2_t v, const gt_t e, + size_t m) { bn_t n, *t = RLC_ALLOCA(bn_t, m); - size_t eps, len; int result = RLC_OK; bn_null(n); 
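Review bot: In the cp_ambat_gen hunk (-843) the scalar `t` is no longer drawn at random before `g2_mul_gen(v, t);` — the old `bn_rand_mod(t, n);` was removed along with the reordered lines and nothing in the hunk assigns `t` before that use — so unless `t` is set earlier in the function, outside the hunk, the G_2 mask `v` and whatever `t` feeds after `bn_mul(t, t, r); bn_mod(t, t, n);` are derived from an unset scalar rather than fresh randomness, which the correctness test would not necessarily notice; restore `bn_rand_mod(t, n);` immediately before `g2_mul_gen(v, t);`. The earlier hunks in this file (the added `bn_new(n);` in cp_amore_gen, the removed `bn_free(t);` there, and `g1_new(u); g2_new(v);` in cp_amore_ask) look like genuine allocation fixes. cp_ambat_gen's body starts and ends outside the hunk.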
@@ -875,36 +876,29 @@ int cp_ambat_ask(bn_t *ls, g2_t *rs, g1_t a, g2_t b, const bn_t r, bn_new(n); pc_get_ord(n); - eps = gt_size_bin(e, 1) / g2_size_bin(q, 1); - if (longc) { - len = 2 * (pc_param_level() - eps); - } else { - len = RAND_DIST/2 + BND_STORE + eps; - } - for (size_t i = 0; i < m; i++) { bn_null(t[i]); bn_new(t[i]); if (ep_curve_is_pairf() == EP_BN) { - bn_rand(ls[i], RLC_POS, len); + bn_rand(ls[i], RLC_POS, RAND_DIST + BND_STORE); } else { - bn_rand_frb(ls[i], &(core_get()->par), n, len); + bn_rand_frb(ls[i], &(core_get()->par), n, RAND_DIST + BND_STORE); } } - g1_set_infty(a); + g2_set_infty(c); bn_mod_inv_sim(t, ls, n, m); for (size_t i = 0; i < m; i++) { - g1_add(a, a, p[i]); - g2_mul(rs[i], q, t[i]); + g1_mul(rs[i], p, t[i]); + g2_add(c, c, q[i]); } - g1_sub(a, u, a); + g1_sub(a, u, p); g1_norm(a, a); - g1_mul(a, a, r); - g2_sub(b, v, q); + g2_sub(b, v, c); g2_norm(b, b); + g2_mul(b, b, r); } RLC_CATCH_ANY { result = RLC_ERR; } RLC_FINALLY { @@ -918,8 +912,8 @@ int cp_ambat_ask(bn_t *ls, g2_t *rs, g1_t a, g2_t b, const bn_t r, return result; } -int cp_ambat_ans(gt_t *gs, const g2_t *rs, const g1_t a, const g2_t b, - const g1_t *p, size_t m) { +int cp_ambat_ans(gt_t *gs, const g1_t *rs, const g1_t a, const g2_t b, + const g2_t c, const g2_t *q, size_t m) { g1_t ps[2]; g2_t qs[2]; int result = RLC_OK; @@ -935,15 +929,13 @@ int cp_ambat_ans(gt_t *gs, const g2_t *rs, const g1_t a, const g2_t b, g2_new(qs[0]); g2_new(qs[1]); - g1_set_infty(ps[0]); for (size_t i = 0; i < m; i++) { - g1_add(ps[0], ps[0], p[i]); - pc_map(gs[i], p[i], rs[i]); + pc_map(gs[i], rs[i], q[i]); } - g1_norm(ps[0], ps[0]); - g2_copy(qs[0], b); - g1_copy(ps[1], a); - g2_get_gen(qs[1]); + g1_copy(ps[0], a); + g2_copy(qs[0], c); + g1_get_gen(ps[1]); + g2_copy(qs[1], b); pc_map_sim(gs[m], ps, qs, 2); } RLC_CATCH_ANY { 
@@ -989,156 +981,100 @@ int cp_ambat_ver(gt_t *es, const gt_t *gs, const bn_t *ls, const gt_t e, return result; } -int cp_amprd_gen(bn_t *ls, g2_t *rs, g2_t r, bn_t c, g1_t u, g2_t v, gt_t e, - size_t l, size_t m) { - bn_t n, xi; +int cp_amprd_gen(g1_t c, bn_t r, g1_t u, g2_t v, gt_t e) { + g1_rand(c); + return cp_ambat_gen(r, u, v, e); +} + +int cp_amprd_ask(bn_t *ks, g1_t *ds, bn_t *ls, g1_t *rs, g1_t a, g2_t b, g2_t d, + g2_t *bs, const g1_t c, const bn_t r, const g1_t u, const g2_t v, + gt_t e, const g1_t *p, const g2_t *q, size_t l, size_t m) { + bn_t n; int result = RLC_OK; - size_t i, j, eps, bound = RLC_MIN(l * m, pc_param_level() - RAND_DIST); - int8_t naf[RLC_FP_BITS + 1]; bn_null(n); - bn_null(xi); RLC_TRY { bn_new(n); - bn_new(xi); pc_get_ord(n); - g2_rand(r); - - cp_ambat_gen(c, u, v, e); - eps = gt_size_bin(e, 1) / g2_size_bin(rs[0], 1); + for (size_t i = 0; i < l; i++) { + g2_set_infty(bs[i]); + for (size_t j = 0; j < m; j++) { + g2_add(bs[i], bs[i], q[i * m + j]); + } + } + g2_norm_sim(bs, bs, l); - for (i = 0; i < bound; i++) { + for (size_t i = 0; i < l * m; i++) { if (ep_curve_is_pairf() == EP_BN) { - bn_rand(ls[i], RLC_POS, eps + BND_STORE - RAND_DIST/2); + bn_rand(ls[i], RLC_POS, RAND_DIST + BND_STORE); } else { - bn_rand_frb(ls[i], &(core_get()->par), n, eps + BND_STORE - RAND_DIST/2); - } - g2_mul(rs[i], r, ls[i]); - } - for (; i < 0; i++) { - /* Case 2 is too slow in practice, so move directly to case 3. 
*/ - bn_rand(xi, RLC_POS, pc_param_level() - RAND_DIST); - l = RLC_FP_BITS + 1; - bn_rec_naf(naf, &l, xi, 2); - bn_zero(ls[i + 1]); - g2_set_infty(rs[i + 1]); - for (j = 0; j < l; j++) { - if (naf[j] > 0) { - bn_add(ls[i], ls[i], ls[j]); - g2_add(rs[i], rs[i], rs[j]); - } - if (naf[j] < 0) { - bn_sub(ls[i], ls[i], ls[j]); - g2_sub(rs[i], rs[i], rs[j]); - } - } - bn_mod(ls[i], ls[i], n); - } - for (; i < l * m; i++) { - bn_zero(ls[i]); - g2_set_infty(rs[i]); - for (j = 0; j < bound/3; j++) { - size_t index; - rand_bytes((unsigned char *)&index, sizeof(size_t)); - index = index % i; - bn_add(ls[i], ls[i], ls[index]); - g2_add(rs[i], rs[i], rs[index]); + bn_rand_frb(ls[i], &(core_get()->par), n, RAND_DIST + BND_STORE); } - bn_mod(ls[i], ls[i], n); - } - if (l * m != bound) { - g2_norm_sim(rs + bound + 1, rs + bound + 1, l * m - bound - 1); + g1_mul(rs[i], p[i], ls[i]); + g1_add(rs[i], rs[i], c); } + g1_norm_sim(rs, rs, l * m); + cp_ambat_ask(ks, ds, a, b, d, r, c, bs, u, v, e, l); } RLC_CATCH_ANY { result = RLC_ERR; } RLC_FINALLY { bn_free(n); - bn_free(xi); - } - return result; -} - -int cp_amprd_ask(bn_t *ks, g2_t *ds, bn_t *cs, g1_t *fs, g2_t *bs, g1_t a, - g2_t b, const bn_t *ls, const g2_t *rs, const g2_t r, const bn_t c, - const g1_t *p, const g2_t *q, const g1_t u, const g2_t v, const gt_t e, - size_t l, size_t m) { - bn_t n; - g1_t t; - int result = RLC_OK; - - bn_null(n); - g1_null(t); - - RLC_TRY { - bn_new(n); - g1_new(t); - - pc_get_ord(n); - for (size_t j = 0; j < l; j++) { - if (ep_curve_is_pairf() == EP_BN) { - bn_rand(ks[j], RLC_POS, RAND_DIST); - } else { - bn_rand_frb(ks[j], &(core_get()->par), n, RAND_DIST); - } - g1_set_infty(fs[j]); - for (size_t i = 0; i < m; i++) { - g1_mul(t, p[j * m + i], ls[j * m + i]); - g1_add(fs[j], fs[j], t); - g2_mul(ds[j * m + i], q[j * m + i], ks[j]); - g2_add(ds[j * m + i], ds[j * m + i], rs[j * m + i]); - } - } - g2_norm_sim(ds, ds, l * m); - g1_norm_sim(fs, fs, l); - cp_ambat_ask(cs, bs, a, b, c, fs, r, u, v, e, 1, 
l); - } RLC_CATCH_ANY { - result = RLC_ERR; - } RLC_FINALLY { - bn_free(n); - g1_free(t); } - return result; } -int cp_amprd_ans(gt_t *gs, const g2_t *ds, const g1_t *fs, const g2_t *bs, - const g1_t a, const g2_t b, const g1_t *p, const g2_t *q, - size_t l, size_t m) { - cp_ambat_ans(gs, bs, a, b, fs, l); +int cp_amprd_ans(gt_t *gs, gt_t *ts, const g1_t *ds, const g1_t *rs, const g1_t a, + const g2_t b, const g2_t d, const g2_t *bs, const g1_t *p, + const g2_t *q, size_t l, size_t m) { for (size_t i = 0; i < l; i++) { - pc_map_sim(gs[l+i*2+1], p + i * m, ds + i * m, m); - pc_map_sim(gs[l+i*2+2], p + i * m, q + i * m, m); + pc_map_sim(ts[i], rs + i * m, q + i * m, m); + } + cp_ambat_ans(ts + l, ds, a, b, d, bs, l); + for (size_t i = 0; i < l * m; i++) { + pc_map(gs[i], p[i], q[i]); } return RLC_OK; } -int cp_amprd_ver(gt_t *ts, const gt_t *gs, const bn_t *ks, const bn_t *cs, - const gt_t e, size_t l) { +int cp_amprd_ver(gt_t *gs, gt_t *ts, const bn_t *ks, const bn_t *ls, + const gt_t e, size_t l, size_t m) { int result = 1; - gt_t t; + gt_t t, u; gt_null(t); + gt_null(u); RLC_TRY { gt_new(t); + gt_new(u); - result = cp_ambat_ver(ts, gs, cs, e, l); + result = cp_ambat_ver((gt_t *)ts + l, ts + l, ks, e, l); for (size_t i = 0; i < l; i++) { result &= !gt_is_unity(ts[i]); - result &= gt_is_valid(gs[l+i+2]); - gt_exp(t, gs[l+i*2+2], ks[i]); - gt_mul(t, t, ts[i]); - gt_copy(ts[i], gs[l+i*2+2]); - result &= (gt_cmp(gs[l+i*2+1], t) == RLC_EQ); + result &= gt_is_valid(ts[i]); + } + for (size_t i = 0; i < l; i++) { + gt_set_unity(t); + for (size_t j = 0; j < m; j++) { + gt_exp(u, gs[i * m + j], ls[i * m + j]); + gt_mul(t, t, u); + } + gt_mul(t, t, ts[l + i]); + result &= (gt_cmp(t, ts[i]) == RLC_EQ); } - if (!result) { + for (size_t i = 0; i < l * m; i++) { + gt_set_unity(gs[i]); + } + } else { for (size_t i = 0; i < l; i++) { - gt_set_unity(ts[i]); + for (size_t j = 1; j < m; j++) { + gt_mul(gs[i * m], gs[i * m], gs[i * m + j]); + } } } } RLC_CATCH_ANY { 
@@ -1146,6 +1082,7 @@ int cp_amprd_ver(gt_t *ts, const gt_t *gs, const bn_t *ks, const bn_t *cs, } RLC_FINALLY { gt_free(t); + gt_free(u); } return result; } diff --git a/test/test_cp.c b/test/test_cp.c index aec025f71..3ebf275ac 100644 --- a/test/test_cp.c +++ b/test/test_cp.c @@ -1309,9 +1309,9 @@ static int pdprv(void) { static int pdprd(void) { int code = RLC_ERR; bn_t x, t, r, ls[AGGS * AGGS], cs[AGGS], ks[AGGS]; - g1_t fs[AGGS], p[AGGS * AGGS], u1, v1; - g2_t q[AGGS * AGGS], u2, v2, w2, rs[AGGS * AGGS], ds[AGGS * AGGS], bs[AGGS]; - gt_t e, ts[AGGS + 1], g[3 * AGGS + 1]; + g1_t fs[AGGS], p[AGGS * AGGS], u1, v1, rs[AGGS * AGGS], ds[AGGS * AGGS]; + g2_t q[AGGS * AGGS], u2, v2, w2, bs[AGGS * AGGS]; + gt_t e, ts[2 * AGGS + 1], g[AGGS * AGGS + 1]; bn_null(t); bn_null(x); 
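Review bot: In the test_cp.c declaration hunk (-1309), `bn_t x` and `cs[AGGS]` remain declared in pdprd although, after the call changes in the -1379 hunk, neither is passed to cp_amprd_gen, cp_amprd_ask or cp_amprd_ver any more (`x` was the old secret-key argument of cp_amprd_gen); unless they are used in the lines between the hunks, drop them here and from the allocation and free loops in the -1333 and -1434 hunks, which also retires the semicolon-less context line `bn_new(cs[i])`. pdprd's body continues outside this hunk.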
@@ -1333,38 +1333,40 @@ static int pdprd(void) { g2_new(v2); g2_new(w2); gt_new(e); - for (size_t i = 0; i < 3 * AGGS + 1; i++) { - gt_null(g[i]); - gt_new(g[i]); - } for (size_t i = 0; i < AGGS; i++) { for (size_t j = 0; j < AGGS; j++) { bn_null(ls[i * AGGS + j]); g1_null(p[i * AGGS + j]); g2_null(q[i * AGGS + j]); - g2_null(rs[i * AGGS + j]); - g2_null(ds[i * AGGS + j]); + g1_null(rs[i * AGGS + j]); + g1_null(ds[i * AGGS + j]); + g2_null(bs[i * AGGS + j]); + gt_null(g[i * AGGS + j]); bn_new(ls[i * AGGS + j]); g1_new(p[i * AGGS + j]); g2_new(q[i * AGGS + j]); - g2_new(rs[i * AGGS + j]); - g2_new(ds[i * AGGS + j]); + g1_new(rs[i * AGGS + j]); + g1_new(ds[i * AGGS + j]); + g2_new(bs[i * AGGS + j]); + gt_new(g[i * AGGS + j]); } bn_null(ks[i]); bn_null(cs[i]); g1_null(fs[i]); - g2_null(bs[i]); gt_null(ts[i]); + gt_null(ts[i + AGGS]); bn_new(ks[i]); bn_new(cs[i]) g1_new(fs[i]); - g2_new(bs[i]); gt_new(ts[i]); + gt_new(ts[i + AGGS]); } - gt_null(ts[AGGS]); - gt_new(ts[AGGS]); + gt_null(ts[2 * AGGS]); + gt_new(ts[2 * AGGS]); + gt_null(g[AGGS * AGGS]); + gt_new(g[AGGS * AGGS]); - TEST_CASE("delegated batch delegated pairing is correct") { + TEST_CASE("delegated batch pairing is correct") { TEST_ASSERT(cp_mvbat_gen(r, fs, AGGS) == RLC_OK, end); for (size_t i = 0; i < AGGS; i++) { g1_rand(p[i]); 
@@ -1379,46 +1381,42 @@ static int pdprd(void) { } } TEST_END; - TEST_CASE("amortized batch delegated pairing is correct") { + TEST_CASE("amortized delegated batch pairing is correct") { TEST_ASSERT(cp_ambat_gen(r, u1, u2, e) == RLC_OK, end); + g1_rand(p[0]); for (size_t i = 0; i < AGGS; i++) { - g1_rand(p[i]); + g2_rand(q[i]); } - g2_rand(q[0]); - TEST_ASSERT(cp_ambat_ask(ls, rs, v1, v2, r, p, q[0], u1, u2, e, 0, AGGS) == RLC_OK, end); - TEST_ASSERT(cp_ambat_ans(g, rs, v1, v2, p, AGGS) == RLC_OK, end); + TEST_ASSERT(cp_ambat_ask(ls, rs, v1, v2, w2, r, p[0], q, u1, u2, e, AGGS) == RLC_OK, end); + TEST_ASSERT(cp_ambat_ans(g, rs, v1, v2, w2, q, AGGS) == RLC_OK, end); TEST_ASSERT(cp_ambat_ver(g, g, ls, e, AGGS) == 1, end); for (size_t i = 0; i < AGGS; i++) { - pc_map(e, p[i], q[0]); + pc_map(e, p[0], q[i]); TEST_ASSERT(gt_cmp(e, g[i]) == RLC_EQ, end); } } TEST_END; TEST_CASE("amortized delegated pairing product is correct") { - TEST_ASSERT(cp_amprd_gen(ls, rs, w2, x, u1, u2, e, 1, AGGS) == RLC_OK, end); + TEST_ASSERT(cp_amprd_gen(fs[0], r, u1, u2, e) == RLC_OK, end); for (size_t i = 0; i < AGGS * AGGS; i++) { g1_rand(p[i]); g2_rand(q[i]); } - TEST_ASSERT(cp_amprd_ask(ks, ds, cs, fs, bs, v1, v2, ls, rs, w2, x, p, q, u1, u2, e, 1, AGGS) == RLC_OK, end); - TEST_ASSERT(cp_amprd_ans(g, ds, fs, bs, v1, v2, p, q, 1, AGGS) == RLC_OK, end); - TEST_ASSERT(cp_amprd_ver(ts, g, ks, cs, e, 1) == 1, end); - pc_map_sim(g[0], p, q, AGGS); - TEST_ASSERT(gt_cmp(ts[0], g[0]) == RLC_EQ, end); - TEST_ASSERT(cp_amprd_gen(ls, rs, w2, x, u1, u2, e, AGGS, AGGS) == RLC_OK, end); - for (size_t i = 0; i < AGGS * AGGS; i++) { - g1_rand(p[i]); - g2_rand(q[i]); - } - TEST_ASSERT(cp_amprd_ask(ks, ds, cs, fs, bs, v1, v2, ls, rs, w2, x, p, q, u1, u2, e, AGGS, AGGS) == RLC_OK, end); - TEST_ASSERT(cp_amprd_ans(g, ds, fs, bs, v1, v2, p, q, AGGS, AGGS) == RLC_OK, end); - TEST_ASSERT(cp_amprd_ver(ts, g, ks, cs, e, AGGS) == 1, end); + TEST_ASSERT(cp_amprd_ask(ks, ds, ls, rs, v1, v2, w2, bs, fs[0], r, u1, u2, 
e, p, q, 1, AGGS) == RLC_OK, end); + TEST_ASSERT(cp_amprd_ans(g, ts, ds, rs, v1, v2, w2, bs, p, q, 1, AGGS) == RLC_OK, end); + TEST_ASSERT(cp_amprd_ver(g, ts, ks, ls, e, 1, AGGS) == 1, end); + pc_map_sim(e, p, q, AGGS); + TEST_ASSERT(gt_cmp(g[0], e) == RLC_EQ, end); + + TEST_ASSERT(cp_amprd_gen(fs[0], r, u1, u2, e) == RLC_OK, end); + TEST_ASSERT(cp_amprd_ask(ks, ds, ls, rs, v1, v2, w2, bs, fs[0], r, u1, u2, e, p, q, AGGS, AGGS) == RLC_OK, end); + TEST_ASSERT(cp_amprd_ans(g, ts, ds, rs, v1, v2, w2, bs, p, q, AGGS, AGGS) == RLC_OK, end); + TEST_ASSERT(cp_amprd_ver(g, ts, ks, ls, e, AGGS, AGGS) == 1, end); for (size_t i = 0; i < AGGS; i++) { - pc_map_sim(g[0], p + i * AGGS, q + i * AGGS, AGGS); - TEST_ASSERT(gt_cmp(ts[i], g[0]) == RLC_EQ, end); + pc_map_sim(e, p + i * AGGS, q + i * AGGS, AGGS); + TEST_ASSERT(gt_cmp(g[i * AGGS], e) == RLC_EQ, end); } } TEST_END; - } RLC_CATCH_ANY { RLC_ERROR(end); } @@ -1434,25 +1432,25 @@ static int pdprd(void) { g2_free(v2); g2_free(w2); gt_free(e); - for (size_t i = 0; i < 3 * AGGS + 1; i++) { - gt_free(g[i]); - } for (size_t i = 0; i < AGGS; i++) { for (size_t j = 0; j < AGGS; j++) { bn_free(ls[i * AGGS + j]); g1_free(p[i * AGGS + j]); g2_free(q[i * AGGS + j]); - g2_free(rs[i * AGGS + j]); - g2_free(ds[i * AGGS + j]); + g1_free(rs[i * AGGS + j]); + g1_free(ds[i * AGGS + j]); + g2_free(bs[i * AGGS + j]); + gt_free(g[i * AGGS + j]); } bn_free(ls[i]); bn_free(cs[i]); bn_free(ks[i]); g1_free(fs[i]); - g2_free(bs[i]); gt_free(ts[i]); + gt_free(ts[i + AGGS]); } - gt_free(ts[AGGS]); + gt_free(ts[2 * AGGS]); + gt_free(g[AGGS * AGGS]); return code; }
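Review bot: Both product test cases in the -1379 hunk exercise only an honest server: after `cp_amprd_ver(g, ts, ks, ls, e, 1, AGGS) == 1` nothing checks that a tampered answer is rejected, which is the property the verifier exists for. Since cp_ambat_ver rewrites `ts + l` in place, a negative case needs a fresh answer first, e.g. `TEST_ASSERT(cp_amprd_ans(g, ts, ds, rs, v1, v2, w2, bs, p, q, 1, AGGS) == RLC_OK, end);` then `gt_set_unity(g[0]);` then `TEST_ASSERT(cp_amprd_ver(g, ts, ks, ls, e, 1, AGGS) == 0, end);`, and the same for a corrupted `ts[0]`. The renamed test-case labels and the moved `g1_rand(p[0]);` look fine. pdprd continues into the next hunk.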