From ad13196ee0222740c1dda2b3084fa8f0fc1f2949 Mon Sep 17 00:00:00 2001
From: "Diego F. Aranha"
Date: Sat, 10 Feb 2024 19:45:01 +0100
Subject: [PATCH] Finish AMORE implementation.

---
 bench/bench_cp.c | 25 +++++++++++------
 include/relic_cp.h | 23 +++++++++-------
 src/cp/relic_cp_pcdel.c | 61 +++++++++++++++++++++++++----------------
 test/test_cp.c | 24 +++++++++++-----
 4 files changed, 85 insertions(+), 48 deletions(-)

diff --git a/bench/bench_cp.c b/bench/bench_cp.c
index ee4b3c2e6..39a2016c3 100644
--- a/bench/bench_cp.c
+++ b/bench/bench_cp.c
@@ -782,27 +782,36 @@ static void pdpub(void) {
 BENCH_ADD(cp_lvpub_ver(r, g, r1, e)); } BENCH_END; - BENCH_RUN("cp_ampub_gen") { - BENCH_ADD(cp_ampub_gen(r2, u1, u2, t, e)); + BENCH_RUN("cp_ampub_gen (first)") { + BENCH_ADD(cp_ampub_gen(r2, u1, u2, t, e, NULL, NULL, NULL)); } BENCH_END; - BENCH_RUN("cp_ampub_ask") { + BENCH_RUN("cp_ampub_ask (first)") { g1_rand(p); g2_rand(q); BENCH_ADD(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t)); } BENCH_END; - BENCH_RUN("cp_ampub_ans") { + BENCH_RUN("cp_ampub_ans (first)") { g1_rand(p); g2_rand(q); - BENCH_ADD(cp_ampub_ans(g, p, q, v1, t, w2)); + BENCH_ADD(cp_ampub_ans(g, p, q, v1, t, w2, NULL)); + } BENCH_END; + + BENCH_RUN("cp_ampub_gen") { + BENCH_ADD(cp_ampub_gen(r2, u1, u2, t, e, r1, p, q)); + } BENCH_END; + + BENCH_RUN("cp_ampub_ans") { + BENCH_ADD(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t)); + BENCH_ADD(cp_ampub_ans(g, p, q, v1, t, w2, q)); } BENCH_END; BENCH_RUN("cp_ampub_ver") { g1_rand(p); g2_rand(q); pc_map(e, p, q); - BENCH_ADD(cp_ampub_ver(r, g, r1, e)); + BENCH_ADD(cp_ampub_ver(r, e, g, r1)); } BENCH_END; bn_free(t);
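Review bot: In the new amortized "cp_ampub_ans" run the `cp_ampub_ask` call is itself wrapped in BENCH_ADD, so if BENCH_ADD folds every timed call into the same counter (the other blocks leave setup such as g1_rand unwrapped, which suggests it does) the reported ans figure includes one ask per iteration. Leave the ask as untimed setup: `cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t);` followed by `BENCH_ADD(cp_ampub_ans(g, p, q, v1, t, w2, q));`. The amortized "cp_ampub_gen" run also silently depends on r1, p and q still holding the values left by the three "(first)" blocks above it; a one-line comment stating that ordering dependency would keep a later reorder from timing a meaningless state. pdpub's body continues outside the hunk.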
@@ -889,13 +898,13 @@ static void pdprv(void) {
 	} BENCH_END;
 
 	BENCH_RUN("cp_lvprv_gen") {
-		BENCH_ADD(cp_lvprv_gen(r1, r2, u1, u2, v2, e));
+		BENCH_ADD(cp_lvprv_gen(r2, u1, u2, v2, e));
 	} BENCH_END;
 
 	BENCH_RUN("cp_lvprv_ask") {
 		g1_rand(p);
 		g2_rand(q);
-		BENCH_ADD(cp_lvprv_ask(v1, w2, p, q, r1, r2, u1, u2, v2));
+		BENCH_ADD(cp_lvprv_ask(r1, v1, w2, p, q, r2, u1, u2, v2));
 	} BENCH_END;
 
 	BENCH_RUN("cp_lvprv_ans") {
diff --git a/include/relic_cp.h b/include/relic_cp.h
index 578e524b2..0051044d0 100644
--- a/include/relic_cp.h
+++ b/include/relic_cp.h
@@ -1319,8 +1318,7 @@ int cp_lvpub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e);
  * @param[out] e - the precomputed values e(U1, U2).
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
-		gt_t e[2]);
+int cp_lvprv_gen(bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4], gt_t e[2]);
 
 /**
  * Execute the client-side request for the LOVE pairing delegation protocol.
@@ -1336,9 +1335,8 @@ int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
  * @param[in] v2 - the image of the randomness in G_2.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_lvprv_ask(g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q,
-		const bn_t c, const bn_t r[3], const g1_t u1[2], const g2_t u2[2],
-		const g2_t v2[4]);
+int cp_lvprv_ask(bn_t c, g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q,
+		const bn_t r[3], const g1_t u1[2], const g2_t u2[2], const g2_t v2[4]);
 
 /**
  * Execute the server-side response for the LOVE pairing delegation protocol.
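Review bot: The `c` parameter of cp_lvprv_ask changes from a `const bn_t` input to a `bn_t` output that the function now fills (the matching source hunk adds `bn_rand(c, RLC_POS, 50)` there), but the Doxygen block above it begins outside the hunk and the visible tail only documents `v2` and the return value. Its entry for c should now read `@param[out] c - the challenge.`, and the corresponding `@param[out] c` line of cp_lvprv_gen, which no longer takes c, should be dropped; I cannot tell from the hunk whether either was updated. It is also worth a sentence in the cp_lvprv_ask description that c is fresh per request rather than part of the reusable parameters, which is presumably the point of moving it.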
@@ -1366,16 +1364,20 @@ int cp_lvprv_ver(gt_t r, const gt_t g[4], const bn_t c, const gt_t e[2]);
 
 /**
  * Generate parameters for the AMORE pairing delegation protocol with public
- * inputs.
+ * inputs, using the result of a previous execution.
  *
  * @param[out] r - the randomness.
  * @param[out] u1 - the U1 precomputed value in G_1.
  * @param[out] u2 - the U2 precomputed value in G_2.
  * @param[out] v2 - the randomness for G_2.
  * @param[out] e - the precomputed values e(U1, U2).
+ * @param[in] c - the previous challenge, NULL if first.
+ * @param[in] p - the previous first argument, NULL if first.
+ * @param[in] q - the previous second argument, NULL if first.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
-int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e);
+int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e, const bn_t c,
+		const g1_t p, const g2_t q);
 
 /**
  * Execute the client-side request for the AMORE pairing delegation protocol.
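Review bot: `e` is still documented as `[out]`, but in the amortized path (c, p and q all non-NULL) the implementation does not write e at all; it relies on e already holding e(P, Q)^c as left by a successful cp_ampub_ver, which is what makes the fresh e(U1, U2) = e([t1]P, [c/t1]Q) consistent with it. Document that contract: `@param[in, out] e - the precomputed value e(U1, U2); on an amortized run it must hold the value left by the preceding successful cp_ampub_ver and is left unchanged.` The entries for c, p and q should also say they are taken together, since any one of them being NULL selects a fresh (non-amortized) run and a partially supplied set silently discards the previous result.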
@@ -1404,21 +1406,22 @@ int cp_ampub_ask(bn_t c, g1_t v1, g2_t w2, const g1_t p, const g2_t q,
  * @param[in] v1 - the blinded element in G_1.
  * @param[in] v2 - the randomness for G_2.
  * @param[in] w2 - the blinded element in G_2.
+ * @param[in] s - the input to a previous execution, NULL if first.
  * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
  */
 int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1,
-		const bn_t v2, const g2_t w2);
+		const bn_t v2, const g2_t w2, const g2_t s);
 
 /**
  * Verifies the result of the AMORE pairing delegation protocol.
  *
  * @param[out] r - the result of the computation.
+ * @param[in, out] e - the precomputed values e(U1, U2).
  * @param[in] g - the group elements returned by the server.
  * @param[in] c - the challenge.
- * @param[in] e - the precomputed values e(U1, U2).
  * @return a boolean value indicating if the computation is correct.
  */
-int cp_ampub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e);
+int cp_ampub_ver(gt_t r, gt_t e, const gt_t g[2], const bn_t c);
 
 /**
  * Generates a master key for the SOKAKA identity-based non-interactive
diff --git a/src/cp/relic_cp_pcdel.c b/src/cp/relic_cp_pcdel.c
index fa137bfcf..5964feda5 100644
--- a/src/cp/relic_cp_pcdel.c
+++ b/src/cp/relic_cp_pcdel.c
@@ -44,7 +44,7 @@ int cp_pdpub_gen(bn_t c, bn_t r, g1_t u1, g2_t u2, g2_t v2, gt_t e) {
 	RLC_TRY {
 		bn_new(n);
 
-		/* Generate random c, U1, r, U2. */
+		/* Generate random c, U1, U2, r. */
 		pc_get_ord(n);
 		bn_rand(c, RLC_POS, 50);
 		g1_rand(u1);
@@ -336,7 +336,7 @@ int cp_lvpub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e) {
 	return result;
 }
 
-int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
+int cp_lvprv_gen(bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4],
 		gt_t e[2]) {
 	bn_t n;
 	int result = RLC_OK;
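Review bot: The description of `s` for cp_ampub_ans, "the input to a previous execution", does not say which input, and the choice matters: the implementation computes `[v2]s`, and v2 was derived by cp_ampub_gen from U2 = [t2]Q of the previous run, so s must be exactly the previous second argument Q (the same q handed to cp_ampub_gen). Suggest `@param[in] s - the second argument (Q) of the previous execution, NULL if first.` Likewise the new `[in, out]` entry for e in cp_ampub_ver should state what comes back: on success e is replaced by g[0]^c = e(P, Q)^c, the value the next amortized cp_ampub_gen expects to find, and on failure it is reset to unity.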
@@ -348,7 +348,6 @@ int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4], pc_get_ord(n); bn_rand_mod(r[2], n); - bn_rand(c, RLC_POS, 50); for (int i = 0; i < 2; i++) { /* Generate random c, r, Ui. */ g1_rand(u1[i]); @@ -373,9 +372,8 @@ int cp_lvprv_gen(bn_t c, bn_t r[3], g1_t u1[2], g2_t u2[2], g2_t v2[4], return result; } -int cp_lvprv_ask(g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q, - const bn_t c, const bn_t r[3], const g1_t u1[2], const g2_t u2[2], - const g2_t v2[4]) { +int cp_lvprv_ask(bn_t c, g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q, + const bn_t r[3], const g1_t u1[2], const g2_t u2[2], const g2_t v2[4]) { int result = RLC_OK; bn_t n; @@ -385,6 +383,7 @@ int cp_lvprv_ask(g1_t v1[3], g2_t w2[4], const g1_t p, const g2_t q, bn_new(n); pc_get_ord(n); + bn_rand(c, RLC_POS, 50); bn_mod_inv(n, r[2], n); g1_mul(v1[2], p, n); for (int i = 0; i < 2; i++) { @@ -470,7 +469,8 @@ int cp_lvprv_ver(gt_t r, const gt_t g[4], const bn_t c, const gt_t e[2]) { return result; } -int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e) { +int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e, const bn_t c, + const g1_t p, const g2_t q) { bn_t n, t1, t2; int result = RLC_OK; 
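Review bot: With `bn_rand(c, RLC_POS, 50)` removed from cp_lvprv_gen, the comment left inside the loop two lines below, `/* Generate random c, r, Ui. */`, is now stale: c is no longer produced here but in cp_lvprv_ask. Change it to `/* Generate random r, Ui. */` so the next reader does not go looking for the missing challenge. cp_lvprv_gen's body continues outside the hunk.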
@@ -481,20 +481,30 @@ int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e) { bn_new(t1); bn_new(t2); - /* Generate random c, U1, r, U2. */ pc_get_ord(n); - bn_rand_mod(t1, n); - bn_rand_mod(t2, n); - g1_mul_gen(u1, t1); - g2_mul_gen(u2, t2); + if (c == NULL || p == NULL || q == NULL) { + /* Generate random U1, U2, r. */ + bn_rand_mod(t1, n); + bn_rand_mod(t2, n); + g1_mul_gen(u1, t1); + g2_mul_gen(u2, t2); + /* Compute gamma = e(U1, U2). */ + gt_get_gen(e); + bn_mul(t1, t1, t2); + bn_mod(t1, t1, n); + gt_exp(e, e, t1); + } else { + bn_rand_mod(t1, n); + bn_mod_inv(t2, t1, n); + bn_mul(t2, t2, c); + g1_mul(u1, p, t1); + g2_mul(u2, q, t2); + } + /* Compute v2 = [1/r]u2 mod q. */ bn_rand_mod(r, n); - /* Compute gamma = e(U1, U2) and V2 = [1/r2]U2. */ bn_mod_inv(v2, r, n); bn_mul(v2, v2, t2); - gt_get_gen(e); - bn_mul(t1, t1, t2); - bn_mod(t1, t1, n); - gt_exp(e, e, t1); + bn_mod(v2, v2, n); } RLC_CATCH_ANY { result = RLC_ERR; @@ -524,7 +534,7 @@ int cp_ampub_ask(bn_t c, g1_t v1, g2_t w2, const g1_t p, const g2_t q, } int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1, - const bn_t v2, const g2_t w2) { + const bn_t v2, const g2_t w2, const g2_t s) { int result = RLC_OK; g1_t _p[2]; g2_t _q[2]; @@ -543,7 +553,11 @@ int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1, g1_copy(_p[0], p); g1_neg(_p[1], v1); g2_copy(_q[0], w2); - g2_mul_gen(_q[1], v2); + if (s == NULL) { + g2_mul_gen(_q[1], v2); + } else { + g2_mul(_q[1], s, v2); + } pc_map_sim(g[1], _p, _q, 2); pc_map(g[0], p, q); } RLC_CATCH_ANY { @@ -558,7 +572,7 @@ int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1, return result; } -int cp_ampub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e) { +int cp_ampub_ver(gt_t r, gt_t e, const gt_t g[2], const bn_t c) { int result = 1; gt_t t; 
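Review bot: In the amortized branch `bn_mul(t2, t2, c)` leaves t2 unreduced (roughly |n| + 50 bits, c being a 50-bit challenge), and that value is then used both as the scalar in `g2_mul(u2, q, t2)` and in `bn_mul(v2, v2, t2)`. The first branch and the trailing `bn_mod(v2, v2, n)` show scalars being reduced everywhere else; unless g2_mul is guaranteed to reduce its scalar modulo the group order, add `bn_mod(t2, t2, n);` right after the multiplication so U2 = [c/t1]Q is computed from a canonical scalar. This branch also never touches e, so the next verification is only correct if the caller passes in the e that cp_ampub_ver left behind; a one-line comment, `/* e already holds e(P, Q)^c from the previous verification. */`, would make that dependency visible. cp_ampub_gen's body continues outside the hunk.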
@@ -570,13 +584,14 @@ int cp_ampub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e) {
 
 		result &= gt_is_valid(g[0]);
 		gt_exp(t, g[0], c);
-		gt_inv(t, t);
-		gt_mul(t, t, g[1]);
+		gt_mul(e, e, t);
 
-		if (!result || gt_cmp(t, e) != RLC_EQ) {
+		if (!result || gt_cmp(g[1], e) != RLC_EQ) {
 			gt_set_unity(r);
+			gt_set_unity(e);
 		} else {
 			gt_copy(r, g[0]);
+			gt_copy(e, t);
 		}
 	} RLC_CATCH_ANY {
 		result = RLC_ERR;
diff --git a/test/test_cp.c b/test/test_cp.c
index 098a5b6de..a916ec42e 100644
--- a/test/test_cp.c
+++ b/test/test_cp.c
@@ -1094,7 +1094,7 @@ static int pdpub(void) {
 	int code = RLC_ERR;
 	bn_t t, r1, r2;
 	g1_t p, u1, v1;
-	g2_t q, u2, v2, w2;
+	g2_t q, u2, v2, w2, s;
 	gt_t e, r, g[3];
 
 	bn_null(t);
@@ -1152,13 +1152,23 @@ static int pdpub(void) {
 		TEST_ASSERT(gt_cmp(r, e) == RLC_EQ, end);
 	} TEST_END;
 
-	TEST_CASE("fastest delegated pairing with public inputs is correct") {
-		TEST_ASSERT(cp_ampub_gen(r2, u1, u2, t, e) == RLC_OK, end);
+	TEST_CASE("amortized delegated pairing with public inputs is correct") {
+		void *z = NULL;
+		TEST_ASSERT(cp_ampub_gen(r2, u1, u2, t, e, z, z, z) == RLC_OK, end);
 		g1_rand(p);
 		g2_rand(q);
 		TEST_ASSERT(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t) == RLC_OK, end);
-		TEST_ASSERT(cp_ampub_ans(g, p, q, v1, t, w2) == RLC_OK, end);
-		TEST_ASSERT(cp_ampub_ver(r, g, r1, e) == 1, end);
+		TEST_ASSERT(cp_ampub_ans(g, p, q, v1, t, w2, NULL) == RLC_OK, end);
+		TEST_ASSERT(cp_ampub_ver(r, e, g, r1) == 1, end);
+		pc_map(g[0], p, q);
+		TEST_ASSERT(gt_cmp(r, g[0]) == RLC_EQ, end);
+		g2_copy(s, q);
+		TEST_ASSERT(cp_ampub_gen(r2, u1, u2, t, e, r1, p, q) == RLC_OK, end);
+		g1_rand(p);
+		g2_rand(q);
+		TEST_ASSERT(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t) == RLC_OK, end);
+		TEST_ASSERT(cp_ampub_ans(g, p, q, v1, t, w2, s) == RLC_OK, end);
+		TEST_ASSERT(cp_ampub_ver(r, e, g, r1) == 1, end);
 		pc_map(e, p, q);
 		TEST_ASSERT(gt_cmp(r, e) == RLC_EQ, end);
 	} TEST_END;
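Review bot: On failure this now resets `e` to unity together with r, which silently breaks the amortization chain: a following cp_ampub_gen(..., c, p, q) leaves e untouched while producing U1, U2 with e(U1, U2) = e(P, Q)^c, so an honest server's later answers fail verification until the caller restarts with cp_ampub_gen(..., NULL, NULL, NULL). Failing closed is the right choice, but the contract is stated nowhere; add a comment at the reset, `/* Invalidate e so an amortized follow-up cannot verify; the caller must restart with a fresh cp_ampub_gen. */`, and mirror it in the header. Note also that `gt_mul(e, e, t)` overwrites the caller's e before `result` is consulted, so the pre-call value is unrecoverable after a rejected answer. cp_ampub_ver's body continues outside the hunk.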
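Review bot: The new amortized test only exercises the accepting path; nothing checks that cp_ampub_ver rejects a tampered answer in the chained run, which is the property the whole e bookkeeping exists to protect. After the second `cp_ampub_ver(r, e, g, r1) == 1`, run one more chained step (g2_copy(s, q), cp_ampub_gen with r1, p, q, fresh p and q, ask, ans) but corrupt the answer before verifying, e.g. `gt_set_unity(g[1]); TEST_ASSERT(cp_ampub_ver(r, e, g, r1) == 0, end);`, and assert that r came back as unity. A second check that a subsequent honest step is then rejected until cp_ampub_gen is called with NULLs would pin the restart behaviour as well. pdpub's body continues outside the hunk.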
@@ -1244,10 +1254,10 @@ static int pdprv(void) {
 	} TEST_END;
 
 	TEST_CASE("faster delegated pairing with private inputs is correct") {
-		TEST_ASSERT(cp_pdprv_gen(r1, r2, u1, u2, v2, e) == RLC_OK, end);
+		TEST_ASSERT(cp_lvprv_gen(r2, u1, u2, v2, e) == RLC_OK, end);
 		g1_rand(p);
 		g2_rand(q);
-		TEST_ASSERT(cp_lvprv_ask(v1, w2, p, q, r1, r2, u1, u2, v2) == RLC_OK, end);
+		TEST_ASSERT(cp_lvprv_ask(r1, v1, w2, p, q, r2, u1, u2, v2) == RLC_OK, end);
 		TEST_ASSERT(cp_lvprv_ans(g, v1, w2) == RLC_OK, end);
 		TEST_ASSERT(cp_lvprv_ver(r, g, r1, e) == 1, end);
 		pc_map(e[0], p, q);