/* test group membership */ /* with GT-Strong curve, now only check that m!=1, conj(m)*m==1, and m.m^{p^4}=m^{p^2} */ public static bool GTmember(FP12 m) { if (m.isunity()) { return(false); } FP12 r = new FP12(m); r.conj(); r.mul(m); if (!r.isunity()) { return(false); } FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb)); r.copy(m); r.frob(f); r.frob(f); FP12 w = new FP12(r); w.frob(f); w.frob(f); w.mul(m); if (!ROM.GT_STRONG) { if (!w.Equals(r)) { return(false); } BIG x = new BIG(ROM.CURVE_Bnx); r.copy(m); w = r.pow(x); w = w.pow(x); r.copy(w); r.sqr(); r.mul(w); r.sqr(); w.copy(m); w.frob(f); } return(w.Equals(r)); }
/* calculate common key on client side */ /* wCID = w.(A+AT) */ public static int CLIENT_KEY(sbyte[] G1, sbyte[] G2, int pin, sbyte[] R, sbyte[] X, sbyte[] wCID, sbyte[] CK) { HASH H = new HASH(); sbyte[] t = new sbyte[EFS]; FP12 g1 = FP12.fromBytes(G1); FP12 g2 = FP12.fromBytes(G2); BIG z = BIG.fromBytes(R); BIG x = BIG.fromBytes(X); ECP W = ECP.fromBytes(wCID); if (W.is_infinity()) { return(INVALID_POINT); } W = PAIR.G1mul(W, x); FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb)); BIG r = new BIG(ROM.CURVE_Order); BIG q = new BIG(ROM.Modulus); BIG m = new BIG(q); m.mod(r); BIG a = new BIG(z); a.mod(m); BIG b = new BIG(z); b.div(m); g2.pinpow(pin, PBLEN); g1.mul(g2); FP4 c = g1.trace(); g2.copy(g1); g2.frob(f); FP4 cp = g2.trace(); g1.conj(); g2.mul(g1); FP4 cpm1 = g2.trace(); g2.mul(g1); FP4 cpm2 = g2.trace(); c = c.xtr_pow2(cp, cpm1, cpm2, a, b); c.geta().A.toBytes(t); H.process_array(t); c.geta().B.toBytes(t); H.process_array(t); c.getb().A.toBytes(t); H.process_array(t); c.getb().B.toBytes(t); H.process_array(t); W.X.toBytes(t); H.process_array(t); W.Y.toBytes(t); H.process_array(t); t = H.hash(); for (int i = 0; i < PAS; i++) { CK[i] = t[i]; } return(0); }
/* final exponentiation - keep separate for multi-pairings and to avoid thrashing stack */ public static FP12 fexp(FP12 m) { FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb)); BIG x = new BIG(ROM.CURVE_Bnx); FP12 r = new FP12(m); FP12 x0, x1, x2, x3, x4, x5; /* Easy part of final exp */ FP12 lv = new FP12(r); lv.inverse(); r.conj(); r.mul(lv); lv.copy(r); r.frob(f); r.frob(f); r.mul(lv); /* Hard part of final exp */ lv.copy(r); lv.frob(f); x0 = new FP12(lv); x0.frob(f); lv.mul(r); x0.mul(lv); x0.frob(f); x1 = new FP12(r); x1.conj(); x4 = r.pow(x); x3 = new FP12(x4); x3.frob(f); x2 = x4.pow(x); x5 = new FP12(x2); x5.conj(); lv = x2.pow(x); x2.frob(f); r.copy(x2); r.conj(); x4.mul(r); x2.frob(f); r.copy(lv); r.frob(f); lv.mul(r); lv.usqr(); lv.mul(x4); lv.mul(x5); r.copy(x3); r.mul(x5); r.mul(lv); lv.mul(x2); r.usqr(); r.mul(lv); r.usqr(); lv.copy(r); lv.mul(x1); r.mul(x0); lv.usqr(); r.mul(lv); r.reduce(); return(r); }