/* this=this^e */
public FP12 pow(BIG e)
{
norm();
e.norm();
FP12 w = new FP12(this);
BIG z = new BIG(e);
FP12 r = new FP12(1);
while (true)
{
int bt = z.parity();
z.fshr(1);
if (bt == 1)
{
r.mul(w);
}
if (z.iszilch())
{
break;
}
w.usqr();
}
r.reduce();
return(r);
}
/* this=this^e */
/* Note this is simple square and multiply, so not side-channel safe */
public FP12 Pow(BIG e)
{
Norm();
e.Norm();
BIG e3 = new BIG(e);
e3.PMul(3);
e3.Norm();
FP12 w = new FP12(this);
int nb = e3.NBits();
for (int i = nb - 2; i >= 1; i--)
{
w.USqr();
int bt = e3.Bit(i) - e.Bit(i);
if (bt == 1)
{
w.mul(this);
}
if (bt == -1)
{
Conj();
w.mul(this);
Conj();
}
}
w.Reduce();
return(w);
/*
* BIG z=new BIG(e);
* FP12 r=new FP12(1);
*
* while (true)
* {
* int bt=z.parity();
* z.fshr(1);
* if (bt==1) r.mul(w);
* if (z.iszilch()) break;
* w.usqr();
* }
* r.reduce();
* return r; */
}
/* Pollards kangaroos used to return PIN error */
public static int KANGAROO(sbyte[] E, sbyte[] F)
{
FP12 ge = FP12.fromBytes(E);
FP12 gf = FP12.fromBytes(F);
int[] distance = new int[TS];
FP12 t = new FP12(gf);
FP12[] table = new FP12[TS];
int i, j, m, s, dn, dm, res, steps;
s = 1;
for (m = 0; m < TS; m++)
{
distance[m] = s;
table[m] = new FP12(t);
s *= 2;
t.usqr();
}
t.one();
dn = 0;
for (j = 0; j < TRAP; j++)
{
i = t.geta().geta().A.lastbits(8) % TS;
t.mul(table[i]);
dn += distance[i];
}
gf.copy(t);
gf.conj();
steps = 0;
dm = 0;
res = 0;
while (dm - dn < MAXPIN)
{
steps++;
if (steps > 4 * TRAP)
{
break;
}
i = ge.geta().geta().A.lastbits(8) % TS;
ge.mul(table[i]);
dm += distance[i];
if (ge.Equals(t))
{
res = dm - dn;
break;
}
if (ge.Equals(gf))
{
res = dn - dm;
break;
}
}
if (steps > 4 * TRAP || dm - dn >= MAXPIN)
{
res = 0;
} // Trap Failed - probable invalid token
return(res);
}
public FP4 ComPow(BIG e, BIG r)
{
FP12 g1 = new FP12(0);
FP12 g2 = new FP12(0);
FP2 f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb));
BIG q = new BIG(ROM.Modulus);
BIG m = new BIG(q);
m.Mod(r);
BIG a = new BIG(e);
a.Mod(m);
BIG b = new BIG(e);
b.Div(m);
g1.Copy(this);
g2.Copy(this);
FP4 c = g1.Trace();
if (b.IsZilch())
{
c = c.Xtr_Pow(e);
return(c);
}
g2.Frob(f);
FP4 cp = g2.Trace();
g1.Conj();
g2.mul(g1);
FP4 cpm1 = g2.Trace();
g2.mul(g1);
FP4 cpm2 = g2.Trace();
c = c.Xtr_Pow2(cp, cpm1, cpm2, a, b);
return(c);
}
/* test group membership */
/* with GT-Strong curve, now only check that m!=1, conj(m)*m==1, and m.m^{p^4}=m^{p^2} */
public static bool GTmember(FP12 m)
{
if (m.isunity())
{
return(false);
}
FP12 r = new FP12(m);
r.conj();
r.mul(m);
if (!r.isunity())
{
return(false);
}
FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb));
r.copy(m);
r.frob(f);
r.frob(f);
FP12 w = new FP12(r);
w.frob(f);
w.frob(f);
w.mul(m);
if (!ROM.GT_STRONG)
{
if (!w.Equals(r))
{
return(false);
}
BIG x = new BIG(ROM.CURVE_Bnx);
r.copy(m);
w = r.pow(x);
w = w.pow(x);
r.copy(w);
r.sqr();
r.mul(w);
r.sqr();
w.copy(m);
w.frob(f);
}
return(w.Equals(r));
}
/**
* Verify this signature
*
* @param disclosure an array indicating which attributes it expects to be disclosed
* @param ipk the issuer public key
* @param msg the message that should be signed in this signature
* @param attributeValues BIG array where attributeValues[i] contains the desired attribute value for the i-th attribute if its disclosed
* @param rhIndex index of the attribute that represents the revocation-handle
* @param revPk the long term public key used to authenticate CRIs
* @param epoch monotonically increasing counter representing a time window
* @return true iff valid
*/
// ReSharper disable once ParameterHidesMember
public bool Verify(bool[] disclosure, IdemixIssuerPublicKey ipk, byte[] msg, BIG[] attributeValues, int rhIndex, KeyPair revPk, int epoch)
{
if (disclosure == null || ipk == null || msg == null || attributeValues == null || attributeValues.Length != ipk.AttributeNames.Length || disclosure.Length != ipk.AttributeNames.Length)
{
return(false);
}
for (int i = 0; i < ipk.AttributeNames.Length; i++)
{
if (disclosure[i] && attributeValues[i] == null)
{
return(false);
}
}
int[] hiddenIndices = HiddenIndices(disclosure);
if (proofSAttrs.Length != hiddenIndices.Length)
{
return(false);
}
if (aPrime.IsInfinity())
{
return(false);
}
if (nonRevocationProof.RevocationAlg >= Enum.GetValues(typeof(RevocationAlgorithm)).Length)
{
throw new ArgumentException("CRI specifies unknown revocation algorithm");
}
RevocationAlgorithm revocationAlgorithm = (RevocationAlgorithm)nonRevocationProof.RevocationAlg;
if (disclosure[rhIndex])
{
throw new ArgumentException("Attribute " + rhIndex + " is disclosed but also used a revocation handle attribute, which should remain hidden");
}
// Verify EpochPK
if (!RevocationAuthority.VerifyEpochPK(revPk, revocationPk, revocationPKSig, epoch, revocationAlgorithm))
{
// Signature is based on an invalid revocation epoch public key
return(false);
}
FP12 temp1 = PAIR.Ate(ipk.W, aPrime);
FP12 temp2 = PAIR.Ate(IdemixUtils.GenG2, aBar);
temp2.Inverse();
temp1.mul(temp2);
if (!PAIR.FExp(temp1).IsUnity())
{
return(false);
}
ECP t1 = aPrime.Mul2(proofSE, ipk.HRand, proofSR2);
ECP temp = new ECP();
temp.Copy(aBar);
temp.Sub(bPrime);
t1.Sub(PAIR.G1Mul(temp, proofC));
ECP t2 = PAIR.G1Mul(ipk.HRand, proofSSPrime);
t2.Add(bPrime.Mul2(proofSR3, ipk.Hsk, proofSSk));
for (int i = 0; i < hiddenIndices.Length / 2; i++)
{
t2.Add(ipk.HAttrs[hiddenIndices[2 * i]].Mul2(proofSAttrs[2 * i], ipk.HAttrs[hiddenIndices[2 * i + 1]], proofSAttrs[2 * i + 1]));
}
if (hiddenIndices.Length % 2 != 0)
{
t2.Add(PAIR.G1Mul(ipk.HAttrs[hiddenIndices[hiddenIndices.Length - 1]], proofSAttrs[hiddenIndices.Length - 1]));
}
temp = new ECP();
temp.Copy(IdemixUtils.GenG1);
for (int i = 0; i < disclosure.Length; i++)
{
if (disclosure[i])
{
temp.Add(PAIR.G1Mul(ipk.HAttrs[i], attributeValues[i]));
}
}
t2.Add(PAIR.G1Mul(temp, proofC));
ECP t3 = ipk.Hsk.Mul2(proofSSk, ipk.HRand, proofSRNym);
t3.Sub(nym.Mul(proofC));
// Check with non-revoked-verifier
INonRevocationVerifier nonRevokedVerifier = NonRevocationVerifier.GetNonRevocationVerifier(revocationAlgorithm);
int hiddenRHIndex = Array.IndexOf(hiddenIndices, rhIndex);
if (hiddenRHIndex < 0)
{
// rhIndex is not present, set to last index position
hiddenRHIndex = hiddenIndices.Length;
}
BIG proofSRh = proofSAttrs[hiddenRHIndex];
byte[] nonRevokedProofBytes = nonRevokedVerifier.RecomputeFSContribution(nonRevocationProof, proofC, revocationPk.ToECP2(), proofSRh);
if (nonRevokedProofBytes == null)
{
return(false);
}
// create proofData such that it can contain the sign label, 7 elements in G1 (each of size 2*FIELD_BYTES+1),
// the ipk hash, the disclosure array, and the message
byte[] proofData = new byte[0];
proofData = proofData.Append(SIGN_LABEL.ToBytes());
proofData = proofData.Append(t1.ToBytes());
proofData = proofData.Append(t2.ToBytes());
proofData = proofData.Append(t3.ToBytes());
proofData = proofData.Append(aPrime.ToBytes());
proofData = proofData.Append(aBar.ToBytes());
proofData = proofData.Append(bPrime.ToBytes());
proofData = proofData.Append(nym.ToBytes());
proofData = proofData.Append(ipk.Hash);
proofData = proofData.Append(disclosure);
proofData = proofData.Append(msg);
BIG cvalue = proofData.HashModOrder();
byte[] finalProofData = new byte[0];
finalProofData = finalProofData.Append(cvalue.ToBytes());
finalProofData = finalProofData.Append(nonce.ToBytes());
byte[] hashedProofData = finalProofData.HashModOrder().ToBytes();
return(Enumerable.SequenceEqual(proofC.ToBytes(), hashedProofData));
}
/* p=q0^u0.q1^u1.q2^u2.q3^u3 */
/* Timing attack secure, but not cache attack secure */
public static FP12 pow4(FP12[] q, BIG[] u)
{
int i, j, nb, m;
int[] a = new int[4];
FP12[] g = new FP12[8];
FP12[] s = new FP12[2];
FP12 c = new FP12(1);
FP12 p = new FP12(0);
BIG[] t = new BIG[4];
BIG mt = new BIG(0);
sbyte[] w = new sbyte[ROM.NLEN * ROM.BASEBITS + 1];
for (i = 0; i < 4; i++)
{
t[i] = new BIG(u[i]);
}
s[0] = new FP12(0);
s[1] = new FP12(0);
g[0] = new FP12(q[0]);
s[0].copy(q[1]);
s[0].conj();
g[0].mul(s[0]);
g[1] = new FP12(g[0]);
g[2] = new FP12(g[0]);
g[3] = new FP12(g[0]);
g[4] = new FP12(q[0]);
g[4].mul(q[1]);
g[5] = new FP12(g[4]);
g[6] = new FP12(g[4]);
g[7] = new FP12(g[4]);
s[1].copy(q[2]);
s[0].copy(q[3]);
s[0].conj();
s[1].mul(s[0]);
s[0].copy(s[1]);
s[0].conj();
g[1].mul(s[0]);
g[2].mul(s[1]);
g[5].mul(s[0]);
g[6].mul(s[1]);
s[1].copy(q[2]);
s[1].mul(q[3]);
s[0].copy(s[1]);
s[0].conj();
g[0].mul(s[0]);
g[3].mul(s[1]);
g[4].mul(s[0]);
g[7].mul(s[1]);
/* if power is even add 1 to power, and add q to correction */
for (i = 0; i < 4; i++)
{
if (t[i].parity() == 0)
{
t[i].inc(1);
t[i].norm();
c.mul(q[i]);
}
mt.add(t[i]);
mt.norm();
}
c.conj();
nb = 1 + mt.nbits();
/* convert exponent to signed 1-bit window */
for (j = 0; j < nb; j++)
{
for (i = 0; i < 4; i++)
{
a[i] = (t[i].lastbits(2) - 2);
t[i].dec(a[i]);
t[i].norm();
t[i].fshr(1);
}
w[j] = (sbyte)(8 * a[0] + 4 * a[1] + 2 * a[2] + a[3]);
}
w[nb] = (sbyte)(8 * t[0].lastbits(2) + 4 * t[1].lastbits(2) + 2 * t[2].lastbits(2) + t[3].lastbits(2));
p.copy(g[(w[nb] - 1) / 2]);
for (i = nb - 1; i >= 0; i--)
{
m = w[i] >> 7;
j = (w[i] ^ m) - m; // j=abs(w[i])
j = (j - 1) / 2;
s[0].copy(g[j]);
s[1].copy(g[j]);
s[1].conj();
p.usqr();
p.mul(s[m & 1]);
}
p.mul(c); // apply correction
p.reduce();
return(p);
}
/* final exponentiation - keep separate for multi-pairings and to avoid thrashing stack */
public static FP12 FExp(FP12 m)
{
FP2 f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb));
BIG x = new BIG(ROM.CURVE_Bnx);
FP12 r = new FP12(m);
/* Easy part of final exp */
FP12 lv = new FP12(r);
lv.Inverse();
r.Conj();
r.mul(lv);
lv.Copy(r);
r.Frob(f);
r.Frob(f);
r.mul(lv);
/* Hard part of final exp */
if (ECP.CURVE_PAIRING_TYPE == ECP.BN)
{
FP12 x0, x1, x2, x3, x4, x5;
lv.Copy(r);
lv.Frob(f);
x0 = new FP12(lv);
x0.Frob(f);
lv.mul(r);
x0.mul(lv);
x0.Frob(f);
x1 = new FP12(r);
x1.Conj();
x4 = r.Pow(x);
if (ECP.SIGN_OF_X == ECP.POSITIVEX)
{
x4.Conj();
}
x3 = new FP12(x4);
x3.Frob(f);
x2 = x4.Pow(x);
if (ECP.SIGN_OF_X == ECP.POSITIVEX)
{
x2.Conj();
}
x5 = new FP12(x2);
x5.Conj();
lv = x2.Pow(x);
if (ECP.SIGN_OF_X == ECP.POSITIVEX)
{
lv.Conj();
}
x2.Frob(f);
r.Copy(x2);
r.Conj();
x4.mul(r);
x2.Frob(f);
r.Copy(lv);
r.Frob(f);
lv.mul(r);
lv.USqr();
lv.mul(x4);
lv.mul(x5);
r.Copy(x3);
r.mul(x5);
r.mul(lv);
lv.mul(x2);
r.USqr();
r.mul(lv);
r.USqr();
lv.Copy(r);
lv.mul(x1);
r.mul(x0);
lv.USqr();
r.mul(lv);
r.Reduce();
}
else
{
FP12 y0, y1, y2, y3;
// Ghamman & Fouotsa Method
y0 = new FP12(r);
y0.USqr();
y1 = y0.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y1.Conj();
}
x.FShr(1);
y2 = y1.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y2.Conj();
}
x.FShl(1);
y3 = new FP12(r);
y3.Conj();
y1.mul(y3);
y1.Conj();
y1.mul(y2);
y2 = y1.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y2.Conj();
}
y3 = y2.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y3.Conj();
}
y1.Conj();
y3.mul(y1);
y1.Conj();
y1.Frob(f);
y1.Frob(f);
y1.Frob(f);
y2.Frob(f);
y2.Frob(f);
y1.mul(y2);
y2 = y3.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y2.Conj();
}
y2.mul(y0);
y2.mul(r);
y1.mul(y2);
y2.Copy(y3);
y2.Frob(f);
y1.mul(y2);
r.Copy(y1);
r.Reduce();
}
return(r);
}
/* p=q0^u0.q1^u1.q2^u2.q3^u3 */
// Bos & Costello https://eprint.iacr.org/2013/458.pdf
// Faz-Hernandez & Longa & Sanchez https://eprint.iacr.org/2013/158.pdf
// Side channel attack secure
public static FP12 Pow4(FP12[] q, BIG[] u)
{
int i, j, nb, pb;
FP12[] g = new FP12[8];
FP12 r = new FP12(1);
FP12 p = new FP12(0);
BIG[] t = new BIG[4];
BIG mt = new BIG(0);
sbyte[] w = new sbyte[BIG.NLEN * BIG.BASEBITS + 1];
sbyte[] s = new sbyte[BIG.NLEN * BIG.BASEBITS + 1];
for (i = 0; i < 4; i++)
{
t[i] = new BIG(u[i]);
t[i].Norm();
}
g[0] = new FP12(q[0]); // q[0]
g[1] = new FP12(g[0]);
g[1].mul(q[1]); // q[0].q[1]
g[2] = new FP12(g[0]);
g[2].mul(q[2]); // q[0].q[2]
g[3] = new FP12(g[1]);
g[3].mul(q[2]); // q[0].q[1].q[2]
g[4] = new FP12(q[0]);
g[4].mul(q[3]); // q[0].q[3]
g[5] = new FP12(g[1]);
g[5].mul(q[3]); // q[0].q[1].q[3]
g[6] = new FP12(g[2]);
g[6].mul(q[3]); // q[0].q[2].q[3]
g[7] = new FP12(g[3]);
g[7].mul(q[3]); // q[0].q[1].q[2].q[3]
// Make it odd
pb = 1 - t[0].Parity();
t[0].Inc(pb);
t[0].Norm();
// Number of bits
mt.Zero();
for (i = 0; i < 4; i++)
{
mt.Or(t[i]);
}
nb = 1 + mt.NBits();
// Sign pivot
s[nb - 1] = 1;
for (i = 0; i < nb - 1; i++)
{
t[0].FShr(1);
s[i] = (sbyte)(2 * t[0].Parity() - 1);
}
// Recoded exponent
for (i = 0; i < nb; i++)
{
w[i] = 0;
int k = 1;
for (j = 1; j < 4; j++)
{
sbyte bt = (sbyte)(s[i] * t[j].Parity());
t[j].FShr(1);
t[j].Dec((int)(bt) >> 1);
t[j].Norm();
w[i] += (sbyte)(bt * (sbyte)k);
k *= 2;
}
}
// Main loop
p.Select(g, (int)(2 * w[nb - 1] + 1));
for (i = nb - 2; i >= 0; i--)
{
p.USqr();
r.Select(g, (int)(2 * w[i] + s[i]));
p.mul(r);
}
// apply correction
r.Copy(q[0]);
r.Conj();
r.mul(p);
p.CMove(r, pb);
p.Reduce();
return(p);
}
/* calculate common key on client side */
/* wCID = w.(A+AT) */
public static int CLIENT_KEY(sbyte[] G1, sbyte[] G2, int pin, sbyte[] R, sbyte[] X, sbyte[] wCID, sbyte[] CK)
{
HASH H = new HASH();
sbyte[] t = new sbyte[EFS];
FP12 g1 = FP12.fromBytes(G1);
FP12 g2 = FP12.fromBytes(G2);
BIG z = BIG.fromBytes(R);
BIG x = BIG.fromBytes(X);
ECP W = ECP.fromBytes(wCID);
if (W.is_infinity())
{
return(INVALID_POINT);
}
W = PAIR.G1mul(W, x);
FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb));
BIG r = new BIG(ROM.CURVE_Order);
BIG q = new BIG(ROM.Modulus);
BIG m = new BIG(q);
m.mod(r);
BIG a = new BIG(z);
a.mod(m);
BIG b = new BIG(z);
b.div(m);
g2.pinpow(pin, PBLEN);
g1.mul(g2);
FP4 c = g1.trace();
g2.copy(g1);
g2.frob(f);
FP4 cp = g2.trace();
g1.conj();
g2.mul(g1);
FP4 cpm1 = g2.trace();
g2.mul(g1);
FP4 cpm2 = g2.trace();
c = c.xtr_pow2(cp, cpm1, cpm2, a, b);
c.geta().A.toBytes(t);
H.process_array(t);
c.geta().B.toBytes(t);
H.process_array(t);
c.getb().A.toBytes(t);
H.process_array(t);
c.getb().B.toBytes(t);
H.process_array(t);
W.X.toBytes(t);
H.process_array(t);
W.Y.toBytes(t);
H.process_array(t);
t = H.hash();
for (int i = 0; i < PAS; i++)
{
CK[i] = t[i];
}
return(0);
}
/* final exponentiation - keep separate for multi-pairings and to avoid thrashing stack */
public static FP12 fexp(FP12 m)
{
FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb));
BIG x = new BIG(ROM.CURVE_Bnx);
FP12 r = new FP12(m);
FP12 x0, x1, x2, x3, x4, x5;
/* Easy part of final exp */
FP12 lv = new FP12(r);
lv.inverse();
r.conj();
r.mul(lv);
lv.copy(r);
r.frob(f);
r.frob(f);
r.mul(lv);
/* Hard part of final exp */
lv.copy(r);
lv.frob(f);
x0 = new FP12(lv);
x0.frob(f);
lv.mul(r);
x0.mul(lv);
x0.frob(f);
x1 = new FP12(r);
x1.conj();
x4 = r.pow(x);
x3 = new FP12(x4);
x3.frob(f);
x2 = x4.pow(x);
x5 = new FP12(x2);
x5.conj();
lv = x2.pow(x);
x2.frob(f);
r.copy(x2);
r.conj();
x4.mul(r);
x2.frob(f);
r.copy(lv);
r.frob(f);
lv.mul(r);
lv.usqr();
lv.mul(x4);
lv.mul(x5);
r.copy(x3);
r.mul(x5);
r.mul(lv);
lv.mul(x2);
r.usqr();
r.mul(lv);
r.usqr();
lv.copy(r);
lv.mul(x1);
r.mul(x0);
lv.usqr();
r.mul(lv);
r.reduce();
return(r);
}