in src/cg21/cg21_presign.c [498:600]
int CG21_PRESIGN_ROUND3_2_2(const CG21_PRESIGN_ROUND2_OUTPUT *r2hisOutput,
CG21_PRESIGN_ROUND3_OUTPUT *r3Output,
const CG21_PRESIGN_ROUND3_STORE_1 *r3Store1,
CG21_PRESIGN_ROUND3_STORE_2 *r3Store2,
const CG21_PRESIGN_ROUND1_STORE *r1Store,
PAILLIER_private_key *myKeys,
const CG21_PRESIGN_ROUND2_STORE *r2Store,
int status){
/*
* status = 0 first call
* status = 1 neither first call, nor last call
* status = 2 last call
* status = 3 first and last call (t=2)
*/
/*
* ---------STEP 3: compute alpha and alpha_hat -----------
* alpha: Decryption(D), D is received from party j in round2
* alpha_hat: Decryption(D_hat)
*/
char pt1[FS_2048];
char pt2[FS_2048];
char tt1[EGS_SECP256K1];
char tt2[EGS_SECP256K1];
char beta[EGS_SECP256K1];
char beta_hat[EGS_SECP256K1];
octet PT1 = {0, sizeof(pt1), pt1};
octet PT2 = {0, sizeof(pt2), pt2};
octet Alpha = {0, sizeof(tt1), tt1};
octet Alpha_hat = {0, sizeof(tt2), tt2};
octet Beta = {0, sizeof(beta), beta};
octet Beta_hat = {0, sizeof(beta_hat), beta_hat};
OCT_clear(&Alpha);
OCT_clear(&Alpha_hat);
OCT_clear(&Beta);
OCT_clear(&Beta_hat);
r3Store2->i = r2Store->i;
r3Output->i = r2Store->i;
OCT_copy(r3Output->Delta, r3Store1->Delta);
PAILLIER_DECRYPT(myKeys, r2hisOutput->D, &PT1);
PAILLIER_DECRYPT(myKeys, r2hisOutput->D_hat, &PT2);
CG21_MTA_decrypt_reduce_q(&PT1, &Alpha);
CG21_MTA_decrypt_reduce_q(&PT2, &Alpha_hat);
CG21_MTA_decrypt_reduce_q(r2Store->neg_beta, &Beta);
CG21_MTA_decrypt_reduce_q(r2Store->neg_beta_hat, &Beta_hat);
/*
* ---------STEP 4: compute delta and chi -----------
* delta: gamma*k + \sum alpha + (-beta)
* chi: a*k + \sum alpha_hat + (-beta_hat)
*/
BIG_256_56 sum1;
BIG_256_56 sum2;
if (status==0 || status==3) {
// sum1 = gamma.k mod q & sum1 = a.k mod q
CG21_MTA_ACCUMULATOR_SET(sum1, r1Store->gamma, r1Store->k);
CG21_MTA_ACCUMULATOR_SET(sum2, r1Store->a, r1Store->k);
}
else{
BIG_256_56_fromBytesLen(sum1, r3Store2->delta->val, r3Store2->delta->len);
BIG_256_56_fromBytesLen(sum2, r3Store2->chi->val, r3Store2->chi->len);
}
// sum1 = sum1 + alpha + beta
CG21_MTA_ACCUMULATOR_ADD(sum1, &Alpha);
CG21_MTA_ACCUMULATOR_ADD(sum1, &Beta);
// sum2 = sum2 + alpha_hat + beta_hat
CG21_MTA_ACCUMULATOR_ADD(sum2, &Alpha_hat);
CG21_MTA_ACCUMULATOR_ADD(sum2, &Beta_hat);
// Output result
BIG_256_56_toBytes(r3Store2->delta->val, sum1);
BIG_256_56_toBytes(r3Output->delta->val, sum1);
BIG_256_56_toBytes(r3Store2->chi->val, sum2);
r3Store2->delta->len = EGS_SECP256K1;
r3Output->delta->len = EGS_SECP256K1;
r3Store2->chi->len = EGS_SECP256K1;
// Clean memory
BIG_256_56_zero(sum1);
BIG_256_56_zero(sum2);
OCT_clear(&Alpha);
OCT_clear(&Alpha_hat);
OCT_clear(&Beta);
OCT_clear(&Beta_hat);
OCT_clear(&PT1);
OCT_clear(&PT2);
return CG21_OK;
}