/* test group membership */
/* with GT-Strong curve, now only check that m!=1, conj(m)*m==1, and m.m^{p^4}=m^{p^2} */
public static bool GTmember(FP12 m)
{
if (m.isunity())
{
return(false);
}
FP12 r = new FP12(m);
r.conj();
r.mul(m);
if (!r.isunity())
{
return(false);
}
FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb));
r.copy(m);
r.frob(f);
r.frob(f);
FP12 w = new FP12(r);
w.frob(f);
w.frob(f);
w.mul(m);
if (!ROM.GT_STRONG)
{
if (!w.Equals(r))
{
return(false);
}
BIG x = new BIG(ROM.CURVE_Bnx);
r.copy(m);
w = r.pow(x);
w = w.pow(x);
r.copy(w);
r.sqr();
r.mul(w);
r.sqr();
w.copy(m);
w.frob(f);
}
return(w.Equals(r));
}
/* calculate common key on client side */
/* wCID = w.(A+AT) */
public static int CLIENT_KEY(sbyte[] G1, sbyte[] G2, int pin, sbyte[] R, sbyte[] X, sbyte[] wCID, sbyte[] CK)
{
HASH H = new HASH();
sbyte[] t = new sbyte[EFS];
FP12 g1 = FP12.fromBytes(G1);
FP12 g2 = FP12.fromBytes(G2);
BIG z = BIG.fromBytes(R);
BIG x = BIG.fromBytes(X);
ECP W = ECP.fromBytes(wCID);
if (W.is_infinity())
{
return(INVALID_POINT);
}
W = PAIR.G1mul(W, x);
FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb));
BIG r = new BIG(ROM.CURVE_Order);
BIG q = new BIG(ROM.Modulus);
BIG m = new BIG(q);
m.mod(r);
BIG a = new BIG(z);
a.mod(m);
BIG b = new BIG(z);
b.div(m);
g2.pinpow(pin, PBLEN);
g1.mul(g2);
FP4 c = g1.trace();
g2.copy(g1);
g2.frob(f);
FP4 cp = g2.trace();
g1.conj();
g2.mul(g1);
FP4 cpm1 = g2.trace();
g2.mul(g1);
FP4 cpm2 = g2.trace();
c = c.xtr_pow2(cp, cpm1, cpm2, a, b);
c.geta().A.toBytes(t);
H.process_array(t);
c.geta().B.toBytes(t);
H.process_array(t);
c.getb().A.toBytes(t);
H.process_array(t);
c.getb().B.toBytes(t);
H.process_array(t);
W.X.toBytes(t);
H.process_array(t);
W.Y.toBytes(t);
H.process_array(t);
t = H.hash();
for (int i = 0; i < PAS; i++)
{
CK[i] = t[i];
}
return(0);
}
/* final exponentiation - keep separate for multi-pairings and to avoid thrashing stack */
public static FP12 fexp(FP12 m)
{
FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb));
BIG x = new BIG(ROM.CURVE_Bnx);
FP12 r = new FP12(m);
FP12 x0, x1, x2, x3, x4, x5;
/* Easy part of final exp */
FP12 lv = new FP12(r);
lv.inverse();
r.conj();
r.mul(lv);
lv.copy(r);
r.frob(f);
r.frob(f);
r.mul(lv);
/* Hard part of final exp */
lv.copy(r);
lv.frob(f);
x0 = new FP12(lv);
x0.frob(f);
lv.mul(r);
x0.mul(lv);
x0.frob(f);
x1 = new FP12(r);
x1.conj();
x4 = r.pow(x);
x3 = new FP12(x4);
x3.frob(f);
x2 = x4.pow(x);
x5 = new FP12(x2);
x5.conj();
lv = x2.pow(x);
x2.frob(f);
r.copy(x2);
r.conj();
x4.mul(r);
x2.frob(f);
r.copy(lv);
r.frob(f);
lv.mul(r);
lv.usqr();
lv.mul(x4);
lv.mul(x5);
r.copy(x3);
r.mul(x5);
r.mul(lv);
lv.mul(x2);
r.usqr();
r.mul(lv);
r.usqr();
lv.copy(r);
lv.mul(x1);
r.mul(x0);
lv.usqr();
r.mul(lv);
r.reduce();
return(r);
}