in src/cg21/cg21_rp_pi_affg.c [367:475]
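/*
 * Piaffg_Prove - compute the prover's responses for the CG21 Pi^aff-g proof.
 *
 * Given the witness (x, y, rho, rho_y), the secrets chosen in the first
 * round (secrets: alpha, beta, gamma, delta, m, mu, r, ry) and the
 * challenge E, this fills in proofs with
 *
 *   w  = r  * rho^e   mod verifier_paillier_pub->n
 *   wy = ry * rho_y^e mod prover_paillier_pub->n
 *   z1 = alpha + e*x
 *   z2 = beta  + e*y
 *   z3 = gamma + e*m
 *   z4 = delta + e*mu
 *
 * and then serialises the result into proofsOct via Piaffg_proof_toOctets.
 *
 * Parameters:
 *   prover_paillier_pub   prover's Paillier public key; its n is the modulus for wy
 *   verifier_paillier_pub verifier's Paillier public key; its n is the modulus for w
 *   secrets               round-one secrets; only read here
 *   x, y                  witness values; padded to HFS_2048 / HFS_4096 before use
 *   rho, rho_y            Paillier randomness; converted as raw 2*FFLEN_2048-limb values
 *   E                     challenge; converted once at HFLEN_2048 limbs (e) and once
 *                         at FFLEN_2048 limbs (e_) so operand widths match
 *   proofs                output; every field is overwritten
 *   proofsOct             output; octet encoding of proofs
 *
 * Returns nothing and has no error path. The input octets are used only as
 * copy sources and are not modified.
 *
 * NOTE(review): rho and rho_y are copied into OCT and converted WITHOUT an
 * OCT_pad, unlike E, x and y. If FF_2048_fromOctet reads a fixed number of
 * bytes from the buffer (as the AMCL FF_fromOctet does) rather than honouring
 * OCT.len, a shorter rho/rho_y would pick up stale bytes left in OCT by the
 * previous copy. Confirm callers always pass full-length octets.
 *
 * NOTE(review): secret-bearing scratch (OCT, dws, ws, hws) is wiped with
 * OCT_clear / FF_2048_zero before return. Whether those wipes survive
 * dead-store elimination depends on their implementation; verify when
 * hardening. e, e_ and n are left as-is: they hold the challenge and the
 * public moduli.
 */
void Piaffg_Prove(PAILLIER_public_key *prover_paillier_pub, PAILLIER_public_key *verifier_paillier_pub, Piaffg_SECRETS *secrets,
                  octet *x, octet *y, octet *rho, octet *rho_y,
                  octet *E, Piaffg_PROOFS *proofs, Piaffg_PROOFS_OCT *proofsOct)
{
    // ------------ VARIABLE DEFINITION ----------
    BIG_1024_58 hws[HFLEN_2048];      // half-width scratch (holds x)
    BIG_1024_58 ws[FFLEN_2048];       // full-width scratch
    BIG_1024_58 dws[2*FFLEN_2048];    // double-width scratch for products
    BIG_1024_58 n[FFLEN_2048];        // current Paillier modulus
    BIG_1024_58 e[HFLEN_2048];        // challenge, half width
    BIG_1024_58 e_[FFLEN_2048];       // challenge, full width (for the z2 product)

    // OCT is the only conversion buffer; it is reused for every input, so
    // the order of the OCT_copy calls below matters.
    char oct[2*FS_2048];
    octet OCT = {0, sizeof(oct), oct};
    char oct3[FS_2048];
    octet OCT3 = {0, sizeof(oct3), oct3};

    // ------------ READ INPUTS ----------
    // e <- E, left-padded to HFS_2048 so it lands in the low limbs
    OCT_copy(&OCT, E);
    OCT_pad(&OCT, HFS_2048);
    FF_2048_fromOctet(e, &OCT, HFLEN_2048);

    // Compute w = r * rho^e mod N0 (N0 = verifier's modulus)
    OCT_copy(&OCT, rho);
    FF_2048_zero(dws, 2*FFLEN_2048);
    FF_2048_fromOctet(dws, &OCT, 2*FFLEN_2048); // dws <- rho (no OCT_pad, see header note)

    // n <- verifier_paillier_pub->n, moved from the 4096-bit key type to a
    // 2048-bit FF through an octet round trip (only HFLEN_4096 limbs exported)
    FF_4096_toOctet(&OCT, verifier_paillier_pub->n, HFLEN_4096);
    FF_2048_fromOctet(n, &OCT, FFLEN_2048);

    // ------------ GENERATE Piaffg_PROOFS ----------
    FF_2048_copy(ws, dws, FFLEN_2048);                        // low half of rho only
    FF_2048_ct_pow(ws, ws, e, n, FFLEN_2048, HFLEN_2048);     // ws <- rho^e (constant-time)
    FF_2048_mul(dws, secrets->r, ws, FFLEN_2048);             // dws <- r * rho^e
    FF_2048_dmod(proofs->w, dws, n, FFLEN_2048);

    // Compute wy = ry * rho_y^e mod N1 (the modulus loaded here is prover_paillier_pub->n)
    OCT_copy(&OCT, rho_y);
    FF_2048_zero(dws, 2*FFLEN_2048);
    FF_2048_fromOctet(dws, &OCT, 2*FFLEN_2048); // dws <- rho_y (no OCT_pad, see header note)
    FF_4096_toOctet(&OCT, prover_paillier_pub->n, HFLEN_4096);
    FF_2048_fromOctet(n, &OCT, FFLEN_2048);
    FF_2048_copy(ws, dws, FFLEN_2048);
    // rho_y is reduced before the exponentiation; the rho path above does
    // not do this, so one of the two is presumably either redundant or a
    // latent mismatch - confirm against the sampling range of rho.
    FF_2048_dmod(ws, ws, n, FFLEN_2048);
    FF_2048_ct_pow(ws, ws, e, n, FFLEN_2048, HFLEN_2048); // ws <- rho_y^e
    FF_2048_mul(dws, secrets->ry, ws, FFLEN_2048);
    FF_2048_dmod(proofs->wy, dws, n, FFLEN_2048);

    // Compute z1 = alpha + ex
    OCT_copy(&OCT, x);
    OCT_pad(&OCT, HFS_2048);
    FF_2048_fromOctet(hws, &OCT, HFLEN_2048); // hws <- x
    FF_2048_zero(proofs->z1, FFLEN_2048);
    FF_2048_mul(ws, e, hws, HFLEN_2048);      // ws <- e * x (full product, FFLEN_2048 wide)
    // Only the low HFLEN_2048 limbs of the product are added; the high limbs
    // of z1 stay zero from the FF_2048_zero above. Assumes alpha + e*x fits
    // in HFLEN_2048 limbs (true for the CG21 parameter sizes) - confirm.
    FF_2048_add(proofs->z1, secrets->alpha, ws, HFLEN_2048);
    FF_2048_norm(proofs->z1, HFLEN_2048);

    // Compute z2 = beta + ey
    OCT_copy(&OCT, y);
    OCT_pad(&OCT, HFS_4096);
    FF_2048_fromOctet(ws, &OCT, FFLEN_2048); // ws <- y
    // Second conversion of E, this time at FFLEN_2048 limbs so that the
    // multiplication with y uses operands of equal width.
    OCT_copy(&OCT3, E);
    OCT_pad(&OCT3, HFS_4096);
    FF_2048_fromOctet(e_, &OCT3, FFLEN_2048);
    FF_2048_zero(dws, 2*FFLEN_2048);
    FF_2048_mul(dws, ws, e_, FFLEN_2048); // dws <- e * y
    FF_2048_zero(proofs->z2, FFLEN_2048);
    FF_2048_add(proofs->z2, secrets->beta, dws, FFLEN_2048);
    FF_2048_norm(proofs->z2, FFLEN_2048);

    // Compute z3 = gamma + e*m  (FFLEN_2048 + HFLEN_2048 limbs wide)
    FF_2048_zero(dws, 2*FFLEN_2048);
    CG21_FF_2048_amul(dws, e, HFLEN_2048, secrets->m, FFLEN_2048 + HFLEN_2048); // dws <- e * m
    FF_2048_copy(proofs->z3, secrets->gamma, FFLEN_2048 + HFLEN_2048);
    FF_2048_add(proofs->z3, proofs->z3, dws, FFLEN_2048 + HFLEN_2048);
    FF_2048_norm(proofs->z3, FFLEN_2048 + HFLEN_2048);

    // Compute z4 = delta + e*mu  (same width as z3)
    FF_2048_zero(dws, 2*FFLEN_2048);
    CG21_FF_2048_amul(dws, e, HFLEN_2048, secrets->mu, FFLEN_2048 + HFLEN_2048); // dws <- e * mu
    FF_2048_copy(proofs->z4, secrets->delta, FFLEN_2048 + HFLEN_2048);
    FF_2048_add(proofs->z4, proofs->z4, dws, FFLEN_2048 + HFLEN_2048);
    FF_2048_norm(proofs->z4, FFLEN_2048 + HFLEN_2048);

    Piaffg_proof_toOctets(proofsOct, proofs);

    // ------------ CLEAN MEMORY ----------
    // Scratch that held witness material: x (hws), y (ws), rho/rho_y and the
    // intermediate products (dws), and the raw copies of every input (OCT).
    // The previously declared OCT2 buffer was never written and has been
    // dropped.
    OCT_clear(&OCT);
    OCT_clear(&OCT3);
    FF_2048_zero(dws, 2*FFLEN_2048);
    FF_2048_zero(ws, FFLEN_2048);
    FF_2048_zero(hws, HFLEN_2048);
}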