Implement first part of AMORE protocol.

bench/bench_cp.c

@@ -699,11 +699,12 @@ static void etrs(void) {
 #if defined(WITH_PC)
 
 static void pdpub(void) {
-	bn_t r1, r2;
+	bn_t t, r1, r2;
 	g1_t p, u1, v1;
 	g2_t q, u2, v2, w2;
 	gt_t e, r, g[3];
 
+	bn_null(t);
 	bn_null(r1);
 	bn_null(r2);
 	g1_null(p);
@@ -719,6 +720,7 @@ static void pdpub(void) {
 	gt_null(g[1]);
 	gt_null(g[2]);
 
+	bn_new(t);
 	bn_new(r1);
 	bn_new(r2);
 	g1_new(p);
@@ -780,6 +782,30 @@ static void pdpub(void) {
 		BENCH_ADD(cp_lvpub_ver(r, g, r1, e));
 	} BENCH_END;
 
+	BENCH_RUN("cp_ampub_gen") {
+		BENCH_ADD(cp_ampub_gen(r2, u1, u2, t, e));
+	} BENCH_END;
+
+	BENCH_RUN("cp_ampub_ask") {
+		g1_rand(p);
+		g2_rand(q);
+		BENCH_ADD(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t));
+	} BENCH_END;
+
+	BENCH_RUN("cp_ampub_ans") {
+		g1_rand(p);
+		g2_rand(q);
+		BENCH_ADD(cp_ampub_ans(g, p, q, v1, t, w2));
+	} BENCH_END;
+
+	BENCH_RUN("cp_ampub_ver") {
+		g1_rand(p);
+		g2_rand(q);
+		pc_map(e, p, q);
+		BENCH_ADD(cp_ampub_ver(r, g, r1, e));
+	} BENCH_END;
+
+	bn_free(t);
 	bn_free(r1);
 	bn_free(r2);
 	g1_free(p);

include/relic_cp.h

@@ -1364,6 +1364,62 @@ int cp_lvprv_ans(gt_t g[4], const g1_t v1[3], const g2_t w2[4]);
  */
 int cp_lvprv_ver(gt_t r, const gt_t g[4], const bn_t c, const gt_t e[2]);
 
+/**
+ * Generate parameters for the AMORE pairing delegation protocol with public
+ * inputs.
+ *
+ * @param[out] r			- the randomness.
+ * @param[out] u1			- the U1 precomputed value in G_1.
+ * @param[out] u2			- the U2 precomputed value in G_2.
+ * @param[out] v2			- the randomness for G_2.
+ * @param[out] e			- the precomputed values e(U1, U2).
+ * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
+ */
+int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e);
+
+/**
+ * Execute the client-side request for the AMORE pairing delegation protocol.
+ *
+ * @param[out] c			- the challenge.
+ * @param[out] v1			- the blinded element in G_1.
+ * @param[out] w2			- the blinded element in G_2.
+ * @param[in] p				- the first argument of the pairing.
+ * @param[in] q				- the second argument of the pairing.
+ * @param[in] c				- the challenge.
+ * @param[in] r				- the randomness.
+ * @param[in] u1			- the U1 precomputed value in G_1.
+ * @param[in] u2			- the U2 precomputed value in G_2.
+ * @param[in] v2			- the randomness for G_2.
+ * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
+ */
+int cp_ampub_ask(bn_t c, g1_t v1, g2_t w2, const g1_t p, const g2_t q,
+		const bn_t r, const g1_t u1, const g2_t u2, const bn_t v2);
+
+/**
+ * Execute the server-side response for the AMORE pairing delegation protocol.
+ *
+ * @param[out] g			- the group elements computed by the server.
+ * @param[in] p				- the first argument of the pairing.
+ * @param[in] q				- the second argument of the pairing.
+ * @param[in] v1			- the blinded element in G_1.
+ * @param[in] v2			- the randomness for G_2.
+ * @param[in] w2			- the blinded element in G_2.
+ * @return RLC_OK if no errors occurred, RLC_ERR otherwise.
+ */
+int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1,
+		const bn_t v2, const g2_t w2);
+
+/**
+ * Verifies the result of the AMORE pairing delegation protocol.
+ *
+ * @param[out] r			- the result of the computation.
+ * @param[in] g				- the group elements returned by the server.
+ * @param[in] c				- the challenge.
+ * @param[in] e				- the precomputed values e(U1, U2).
+ * @return a boolean value indicating if the computation is correct.
+ */
+int cp_ampub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e);
+
 /**
  * Generates a master key for the SOKAKA identity-based non-interactive
  * authenticated key agreement protocol.

include/relic_label.h

@@ -3260,6 +3260,10 @@
 #undef cp_lvprv_ask
 #undef cp_lvprv_ans
 #undef cp_lvprv_ver
+#undef cp_ampub_gen
+#undef cp_ampub_ask
+#undef cp_ampub_ans
+#undef cp_ampub_ver
 #undef cp_sokaka_gen
 #undef cp_sokaka_gen_prv
 #undef cp_sokaka_key
@@ -3410,6 +3414,10 @@
 #define cp_lvprv_ask 	RLC_PREFIX(cp_lvprv_ask)
 #define cp_lvprv_ans 	RLC_PREFIX(cp_lvprv_ans)
 #define cp_lvprv_ver 	RLC_PREFIX(cp_lvprv_ver)
+#define cp_ampub_gen 	RLC_PREFIX(cp_ampub_gen)
+#define cp_ampub_ask 	RLC_PREFIX(cp_ampub_ask)
+#define cp_ampub_ans 	RLC_PREFIX(cp_ampub_ans)
+#define cp_ampub_ver 	RLC_PREFIX(cp_ampub_ver)
 #define cp_sokaka_gen 	RLC_PREFIX(cp_sokaka_gen)
 #define cp_sokaka_gen_prv 	RLC_PREFIX(cp_sokaka_gen_prv)
 #define cp_sokaka_key 	RLC_PREFIX(cp_sokaka_key)

src/cp/relic_cp_pcdel.c

@@ -469,3 +469,120 @@ int cp_lvprv_ver(gt_t r, const gt_t g[4], const bn_t c, const gt_t e[2]) {
 	}
 	return result;
 }
+
+int cp_ampub_gen(bn_t r, g1_t u1, g2_t u2, bn_t v2, gt_t e) {
+	bn_t n, t1, t2;
+	int result = RLC_OK;
+
+	bn_null(n);
+
+	RLC_TRY {
+		bn_new(n);
+		bn_new(t1);
+		bn_new(t2);
+
+		/* Generate random c, U1, r, U2. */
+		pc_get_ord(n);
+		bn_rand_mod(t1, n);
+		bn_rand_mod(t2, n);
+		g1_mul_gen(u1, t1);
+		g2_mul_gen(u2, t2);
+		bn_rand_mod(r, n);
+		/* Compute gamma = e(U1, U2) and V2 = [1/r2]U2. */
+		bn_mod_inv(v2, r, n);
+		bn_mul(v2, v2, t2);
+		gt_get_gen(e);
+		bn_mul(t1, t1, t2);
+		bn_mod(t1, t1, n);
+		gt_exp(e, e, t1);
+	}
+	RLC_CATCH_ANY {
+		result = RLC_ERR;
+	}
+	RLC_FINALLY {
+		bn_free(n);
+		bn_free(t1);
+		bn_free(t2);
+	}
+	return result;
+}
+
+int cp_ampub_ask(bn_t c, g1_t v1, g2_t w2, const g1_t p, const g2_t q,
+		const bn_t r, const g1_t u1, const g2_t u2, const bn_t v2) {
+	int result = RLC_OK;
+
+	/* Sample random c. */
+	bn_rand(c, RLC_POS, 50);
+	/* Compute V1 = [r](P - U1). */
+	g1_sub(v1, p, u1);
+	g1_mul(v1, v1, r);
+	/* Compute W2 = [c]Q + U_2. */
+	g2_mul(w2, q, c);
+	g2_add(w2, w2, u2);
+
+	return result;
+}
+
+int cp_ampub_ans(gt_t g[2], const g1_t p, const g2_t q, const g1_t v1,
+		const bn_t v2, const g2_t w2) {
+	int result = RLC_OK;
+	g1_t _p[2];
+	g2_t _q[2];
+
+	g1_null(_p[0]);
+	g1_null(_p[1]);
+	g2_null(_q[0]);
+	g2_null(_q[1]);
+
+	RLC_TRY {
+		g1_new(_p[0]);
+		g1_new(_p[1]);
+		g2_new(_q[0]);
+		g2_new(_q[1]);
+
+		g1_copy(_p[0], p);
+		g1_neg(_p[1], v1);
+		g2_copy(_q[0], w2);
+		g2_mul_gen(_q[1], v2);
+		pc_map_sim(g[1], _p, _q, 2);
+		pc_map(g[0], p, q);
+	} RLC_CATCH_ANY {
+		RLC_THROW(ERR_CAUGHT);
+	} RLC_FINALLY {
+		g1_free(_p[0]);
+		g1_free(_p[1]);
+		g2_free(_q[0]);
+		g2_free(_q[1]);
+	}
+
+	return result;
+}
+
+int cp_ampub_ver(gt_t r, const gt_t g[2], const bn_t c, const gt_t e) {
+	int result = 1;
+	gt_t t;
+
+	gt_null(t);
+
+	RLC_TRY {
+		gt_new(t);
+
+		result &= gt_is_valid(g[0]);
+
+		gt_exp(t, g[0], c);
+		gt_inv(t, t);
+		gt_mul(t, t, g[1]);
+
+		if (!result || gt_cmp(t, e) != RLC_EQ) {
+			gt_set_unity(r);
+		} else {
+			gt_copy(r, g[0]);
+		}
+	} RLC_CATCH_ANY {
+		result = RLC_ERR;
+	}
+	RLC_FINALLY {
+		gt_free(t);
+	}
+	return result;
+}

test/test_cp.c

@@ -1092,11 +1092,12 @@ static int etrs(void) {
 
 static int pdpub(void) {
 	int code = RLC_ERR;
-	bn_t r1, r2;
+	bn_t t, r1, r2;
 	g1_t p, u1, v1;
 	g2_t q, u2, v2, w2;
 	gt_t e, r, g[3];
 
+	bn_null(t);
 	bn_null(r1);
 	bn_null(r2);
 	g1_null(p);
@@ -1113,6 +1114,7 @@ static int pdpub(void) {
 	gt_null(g[2]);
 
 	RLC_TRY {
+		bn_new(t);
 		bn_new(r1);
 		bn_new(r2);
 		g1_new(p);
@@ -1149,12 +1151,24 @@ static int pdpub(void) {
 			pc_map(e, p, q);
 			TEST_ASSERT(gt_cmp(r, e) == RLC_EQ, end);
 		} TEST_END;
+
+		TEST_CASE("fastest delegated pairing with public inputs is correct") {
+			TEST_ASSERT(cp_ampub_gen(r2, u1, u2, t, e) == RLC_OK, end);
+			g1_rand(p);
+			g2_rand(q);
+			TEST_ASSERT(cp_ampub_ask(r1, v1, w2, p, q, r2, u1, u2, t) == RLC_OK, end);
+			TEST_ASSERT(cp_ampub_ans(g, p, q, v1, t, w2) == RLC_OK, end);
+			TEST_ASSERT(cp_ampub_ver(r, g, r1, e) == 1, end);
+			pc_map(e, p, q);
+			TEST_ASSERT(gt_cmp(r, e) == RLC_EQ, end);
+		} TEST_END;
 	} RLC_CATCH_ANY {
 		RLC_ERROR(end);
 	}
 	code = RLC_OK;
 
   end:
+	bn_free(t);
 	bn_free(r1);
 	bn_free(r2);
 	g1_free(p);