Finish AMORE implementation.

relic-toolkit · Feb 10, 2024 · ad13196 · ad13196
1 parent 577b3ad
commit ad13196
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 48 deletions.
diff --git a/bench/bench_cp.c b/bench/bench_cp.c
@@ -782,27 +782,36 @@ static void pdpub(void) {
 		BENCH_ADD(cp_lvpub_ver(r, g, r1, e));
 	} BENCH_END;
 
-	BENCH_RUN("cp_ampub_gen") {
-		BENCH_ADD(cp_ampub_gen(r2, u1, u2, t, e));
+	BENCH_RUN("cp_ampub_gen (first)") {
+		BENCH_ADD(cp_ampub_gen(r2, u1, u2, t, e, NULL, NULL, NULL));
 	} BENCH_END;
 
-	BENCH_RUN("cp_ampub_ask") {
+	BENCH_RUN("cp_ampub_ask (first)") {
 		g1_rand(p);
 		g2_rand(q);
 		BENCH_ADD(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t));
 	} BENCH_END;
 
-	BENCH_RUN("cp_ampub_ans") {
+	BENCH_RUN("cp_ampub_ans (first)") {
 		g1_rand(p);
 		g2_rand(q);
-		BENCH_ADD(cp_ampub_ans(g, p, q, v1, t, w2));
+		BENCH_ADD(cp_ampub_ans(g, p, q, v1, t, w2, NULL));
+	} BENCH_END;
+
+	BENCH_RUN("cp_ampub_gen") {
+		BENCH_ADD(cp_ampub_gen(r2, u1, u2, t, e, r1, p, q));
+	} BENCH_END;
+
+	BENCH_RUN("cp_ampub_ans") {
+		BENCH_ADD(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t));
+		BENCH_ADD(cp_ampub_ans(g, p, q, v1, t, w2, q));
 	} BENCH_END;
 
 	BENCH_RUN("cp_ampub_ver") {
 		g1_rand(p);
 		g2_rand(q);
 		pc_map(e, p, q);
-		BENCH_ADD(cp_ampub_ver(r, g, r1, e));
+		BENCH_ADD(cp_ampub_ver(r, e, g, r1));
 	} BENCH_END;
 
 	bn_free(t);
@@ -889,13 +898,13 @@ static void pdprv(void) {
 	} BENCH_END;
 
 	BENCH_RUN("cp_lvprv_gen") {
-		BENCH_ADD(cp_lvprv_gen(r1, r2, u1, u2, v2, e));
+		BENCH_ADD(cp_lvprv_gen(r2, u1, u2, v2, e));
 	} BENCH_END;
 
 	BENCH_RUN("cp_lvprv_ask") {
 		g1_rand(p);
 		g2_rand(q);
-		BENCH_ADD(cp_lvprv_ask(v1, w2, p, q, r1, r2, u1, u2, v2));
+		BENCH_ADD(cp_lvprv_ask(r1, v1, w2, p, q, r2, u1, u2, v2));
 	} BENCH_END;
 
 	BENCH_RUN("cp_lvprv_ans") {

diff --git a/include/relic_cp.h b/include/relic_cp.h
@@ -1319,8 +1319,7 @@ int cp_lvpub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e);
  * @param[out] e			- the precomputed values e(U1, U2).
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
-		gt_t e[2]);
+int cp_lvprv_gen(bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4], gt_t e[2]);
 
 /**
  * Execute the client-side request for the LOVE pairing delegation protocol.
@@ -1336,9 +1335,8 @@ int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
  * @param[in] v2			- the image of the randomness in G_2.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_lvprv_ask(g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q,
-		const bn_t c, const bn_t r[3], const g1_t u1[2], const g2_t u2[2],
-		const g2_t v2[4]);
+int cp_lvprv_ask(bn_t c, g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q,
+		const bn_t r[3], const g1_t u1[2], const g2_t u2[2], const g2_t v2[4]);
 
 /**
  * Execute the server-side response for the LOVE pairing delegation protocol.
@@ -1366,16 +1364,20 @@ int cp_lvprv_ver(gt_t r, const gt_t g[4], const bn_t c, const gt_t e[2]);
 
 /**
  * Generate parameters for the AMORE pairing delegation protocol with public
- * inputs.
+ * inputs, using the result of a previous execution.
  *
  * @param[out] r			- the randomness.
  * @param[out] u1			- the U1 precomputed value in G_1.
  * @param[out] u2			- the U2 precomputed value in G_2.
  * @param[out] v2			- the randomness for G_2.
  * @param[out] e			- the precomputed values e(U1, U2).
+ * @param[in] c				- the previous challenge, NULL if first.
+ * @param[in] p				- the previous first argument, NULL if first.
+ * @param[in] q				- the previous second argument, NULL if first.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e);
+int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e, const bn_t c,
+		const g1_t p, const g2_t q);
 
 /**
  * Execute the client-side request for the AMORE pairing delegation protocol.
@@ -1404,21 +1406,22 @@ int cp_ampub_ask(bn_t c, g1_t v1, g2_t w2, const g1_t p, const g2_t q,
  * @param[in] v1			- the blinded element in G_1.
  * @param[in] v2			- the randomness for G_2.
  * @param[in] w2			- the blinded element in G_2.
+ * @param[in] s				- the input to a previous execution, NULL if first.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
 int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1,
-		const bn_t v2, const g2_t w2);
+		const bn_t v2, const g2_t w2, const g2_t s);
 
 /**
  * Verifies the result of the AMORE pairing delegation protocol.
  *
  * @param[out] r			- the result of the computation.
+ * @param[in, out] e		- the precomputed values e(U1, U2).
  * @param[in] g				- the group elements returned by the server.
  * @param[in] c				- the challenge.
- * @param[in] e				- the precomputed values e(U1, U2).
  * @return a boolean value indicating if the computation is correct.
  */
-int cp_ampub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e);
+int cp_ampub_ver(gt_t r, gt_t e, const gt_t g[2], const bn_t c);
 
 /**
  * Generates a master key for the SOKAKA identity-based non-interactive

diff --git a/src/cp/relic_cp_pcdel.c b/src/cp/relic_cp_pcdel.c
@@ -44,7 +44,7 @@ int cp_pdpub_gen(bn_t c, bn_t r, g1_t u1, g2_t u2, g2_t v2, gt_t e) {
 	RLC_TRY {
 		bn_new(n);
 
-		/* Generate random c, U1, r, U2. */
+		/* Generate random c, U1, U2, r. */
 		pc_get_ord(n);
 		bn_rand(c, RLC_POS, 50);
 		g1_rand(u1);
@@ -336,7 +336,7 @@ int cp_lvpub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e) {
 	return result;
 }
 
-int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
+int cp_lvprv_gen(bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
 		gt_t e[2]) {
 	bn_t n;
 	int result = RLC_OK;
@@ -348,7 +348,6 @@ int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
 
 		pc_get_ord(n);
 		bn_rand_mod(r[2], n);
-		bn_rand(c, RLC_POS, 50);
 		for (int i = 0; i < 2; i++) {
 			/* Generate random c, r, Ui. */
 			g1_rand(u1[i]);
@@ -373,9 +372,8 @@ int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
 	return result;
 }
 
-int cp_lvprv_ask(g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q,
-		const bn_t c, const bn_t r[3], const g1_t u1[2], const g2_t u2[2],
-		const g2_t v2[4]) {
+int cp_lvprv_ask(bn_t c, g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q,
+		const bn_t r[3], const g1_t u1[2], const g2_t u2[2], const g2_t v2[4]) {
 	int result = RLC_OK;
 	bn_t n;
 
@@ -385,6 +383,7 @@ int cp_lvprv_ask(g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q,
 		bn_new(n);
 
 		pc_get_ord(n);
+		bn_rand(c, RLC_POS, 50);
 		bn_mod_inv(n, r[2], n);
 		g1_mul(v1[2], p, n);
 		for (int i = 0; i < 2; i++) {
@@ -470,7 +469,8 @@ int cp_lvprv_ver(gt_t r, const gt_t g[4], const bn_t c, const gt_t e[2]) {
 	return result;
 }
 
-int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e) {
+int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e, const bn_t c,
+		const g1_t p, const g2_t q) {
 	bn_t n, t1, t2;
 	int result = RLC_OK;
 
@@ -481,20 +481,30 @@ int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e) {
 		bn_new(t1);
 		bn_new(t2);
 
-		/* Generate random c, U1, r, U2. */
 		pc_get_ord(n);
-		bn_rand_mod(t1, n);
-		bn_rand_mod(t2, n);
-		g1_mul_gen(u1, t1);
-		g2_mul_gen(u2, t2);
+		if (c == NULL || p == NULL || q == NULL) {
+			/* Generate random U1, U2, r. */
+			bn_rand_mod(t1, n);
+			bn_rand_mod(t2, n);
+			g1_mul_gen(u1, t1);
+			g2_mul_gen(u2, t2);
+			/* Compute gamma = e(U1, U2). */
+			gt_get_gen(e);
+			bn_mul(t1, t1, t2);
+			bn_mod(t1, t1, n);
+			gt_exp(e, e, t1);
+		} else {
+			bn_rand_mod(t1, n);
+			bn_mod_inv(t2, t1, n);
+			bn_mul(t2, t2, c);
+			g1_mul(u1, p, t1);
+			g2_mul(u2, q, t2);
+		}
+ 		/* Compute v2 = [1/r]u2 mod q. */
 		bn_rand_mod(r, n);
-		/* Compute gamma = e(U1, U2) and V2 = [1/r2]U2. */
 		bn_mod_inv(v2, r, n);
 		bn_mul(v2, v2, t2);
-		gt_get_gen(e);
-		bn_mul(t1, t1, t2);
-		bn_mod(t1, t1, n);
-		gt_exp(e, e, t1);
+		bn_mod(v2, v2, n);
 	}
 	RLC_CATCH_ANY {
 		result = RLC_ERR;
@@ -524,7 +534,7 @@ int cp_ampub_ask(bn_t c, g1_t v1, g2_t w2, const g1_t p, const g2_t q,
 }
 
 int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1,
-		const bn_t v2, const g2_t w2) {
+		const bn_t v2, const g2_t w2, const g2_t s) {
 	int result = RLC_OK;
 	g1_t _p[2];
 	g2_t _q[2];
@@ -543,7 +553,11 @@ int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1,
 		g1_copy(_p[0], p);
 		g1_neg(_p[1], v1);
 		g2_copy(_q[0], w2);
-		g2_mul_gen(_q[1], v2);
+		if (s == NULL) {
+			g2_mul_gen(_q[1], v2);
+		} else {
+			g2_mul(_q[1], s, v2);
+		}
 		pc_map_sim(g[1], _p, _q, 2);
 		pc_map(g[0], p, q);
 	} RLC_CATCH_ANY {
@@ -558,7 +572,7 @@ int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1,
 	return result;
 }
 
-int cp_ampub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e) {
+int cp_ampub_ver(gt_t r, gt_t e, const gt_t g[2], const bn_t c) {
 	int result = 1;
 	gt_t t;
 
@@ -570,13 +584,14 @@ int cp_ampub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e) {
 		result &= gt_is_valid(g[0]);
 
 		gt_exp(t, g[0], c);
-		gt_inv(t, t);
-		gt_mul(t, t, g[1]);
+		gt_mul(e, e, t);
 
-		if (!result || gt_cmp(t, e) != RLC_EQ) {
+		if (!result || gt_cmp(g[1], e) != RLC_EQ) {
 			gt_set_unity(r);
+			gt_set_unity(e);
 		} else {
 			gt_copy(r, g[0]);
+			gt_copy(e, t);
 		}
 	} RLC_CATCH_ANY {
 		result = RLC_ERR;

diff --git a/test/test_cp.c b/test/test_cp.c
@@ -1094,7 +1094,7 @@ static int pdpub(void) {
 	int code = RLC_ERR;
 	bn_t t, r1, r2;
 	g1_t p, u1, v1;
-	g2_t q, u2, v2, w2;
+	g2_t q, u2, v2, w2, s;
 	gt_t e, r, g[3];
 
 	bn_null(t);
@@ -1152,13 +1152,23 @@ static int pdpub(void) {
 			TEST_ASSERT(gt_cmp(r, e) == RLC_EQ, end);
 		} TEST_END;
 
-		TEST_CASE("fastest delegated pairing with public inputs is correct") {
-			TEST_ASSERT(cp_ampub_gen(r2, u1, u2, t, e) == RLC_OK, end);
+		TEST_CASE("amortized delegated pairing with public inputs is correct") {
+			void *z = NULL;
+			TEST_ASSERT(cp_ampub_gen(r2, u1, u2, t, e, z, z, z) == RLC_OK, end);
 			g1_rand(p);
 			g2_rand(q);
 			TEST_ASSERT(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t) == RLC_OK, end);
-			TEST_ASSERT(cp_ampub_ans(g, p, q, v1, t, w2) == RLC_OK, end);
-			TEST_ASSERT(cp_ampub_ver(r, g, r1, e) == 1, end);
+			TEST_ASSERT(cp_ampub_ans(g, p, q, v1, t, w2, NULL) == RLC_OK, end);
+			TEST_ASSERT(cp_ampub_ver(r, e, g, r1) == 1, end);
+			pc_map(g[0], p, q);
+			TEST_ASSERT(gt_cmp(r, g[0]) == RLC_EQ, end);
+			g2_copy(s, q);
+			TEST_ASSERT(cp_ampub_gen(r2, u1, u2, t, e, r1, p, q) == RLC_OK, end);
+			g1_rand(p);
+			g2_rand(q);
+			TEST_ASSERT(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t) == RLC_OK, end);
+			TEST_ASSERT(cp_ampub_ans(g, p, q, v1, t, w2, s) == RLC_OK, end);
+			TEST_ASSERT(cp_ampub_ver(r, e, g, r1) == 1, end);
 			pc_map(e, p, q);
 			TEST_ASSERT(gt_cmp(r, e) == RLC_EQ, end);
 		} TEST_END;
@@ -1244,10 +1254,10 @@ static int pdprv(void) {
 		} TEST_END;
 
 		TEST_CASE("faster delegated pairing with private inputs is correct") {
-			TEST_ASSERT(cp_pdprv_gen(r1, r2, u1, u2, v2, e) == RLC_OK, end);
+			TEST_ASSERT(cp_lvprv_gen(r2, u1, u2, v2, e) == RLC_OK, end);
 			g1_rand(p);
 			g2_rand(q);
-			TEST_ASSERT(cp_lvprv_ask(v1, w2, p, q, r1, r2, u1, u2, v2) == RLC_OK, end);
+			TEST_ASSERT(cp_lvprv_ask(r1, v1, w2, p, q, r2, u1, u2, v2) == RLC_OK, end);
 			TEST_ASSERT(cp_lvprv_ans(g, v1, w2) == RLC_OK, end);
 			TEST_ASSERT(cp_lvprv_ver(r, g, r1, e) == 1, end);
 			pc_map(e[0], p, q);