in src/cg21/cg21_rp_pi_logstar.c [294:372]
/*
 * Compute the prover responses z1, z2, z3 of the Pi-log* proof and serialise them.
 *
 *   z1 = e*k + alpha           (written to proofs->z1)
 *   z2 = r * rho^e mod N       (written to proofs->z2, N = p*q, computed via CRT)
 *   z3 = e*mu + gamma          (written to proofs->z3)
 *
 * priv_key   Paillier private key; p, q and invpq are read.
 * k_oct      value k ("x" in the paper, per the comment below); padded to HFS_2048.
 * rho_oct    value rho; read as 2*FFLEN_2048 limbs with no padding step.
 * secrets    commitment secrets; r, alpha, mu and gamma are read.
 * e_oct      exponent/multiplier e (presumably the proof challenge - confirm); padded to HFS_2048.
 * proofs     output, receives z1, z2, z3.
 * proofsOct  output, filled from proofs by PiLogstar_proof_toOctets.
 *
 * No input is validated and nothing is returned, so a NULL or mis-sized argument
 * cannot be reported to the caller from here.
 * All secret-bearing temporaries are zeroed before returning; see the
 * CLEAR MEMORY section for what is and is not wiped.
 */
void PiLogstar_Prove(PAILLIER_private_key *priv_key, octet *k_oct, octet *rho_oct,
PiLogstar_SECRETS *secrets, octet *e_oct, PiLogstar_PROOFS *proofs,
PiLogstar_PROOFS_OCT *proofsOct)
{
// ------------ VARIABLE DEFINITION ----------
// Work buffers; ws1, hws and t are reused for several intermediate values below,
// so the statement order in this function matters.
BIG_1024_58 ws1[FFLEN_2048];
BIG_1024_58 ws2[FFLEN_2048];
BIG_1024_58 hws[HFLEN_2048];
BIG_1024_58 t[2 * FFLEN_2048];
BIG_1024_58 e[HFLEN_2048];
BIG_1024_58 k[HFLEN_2048];
BIG_1024_58 sp[HFLEN_2048];
BIG_1024_58 sq[HFLEN_2048];
// Scratch octet shared by every octet <-> FF conversion in this function.
char oct[2*FS_2048];
octet OCT = {0, sizeof(oct), oct};
// ------------ READ INPUTS ----------
// k: pad to HFS_2048 bytes, then load as a HFLEN_2048-limb value.
OCT_copy(&OCT, k_oct);
OCT_pad(&OCT, HFS_2048);
FF_2048_fromOctet(k, &OCT, HFLEN_2048);
// Wipe the scratch octet, which held k, before reusing it.
OCT_clear(&OCT);
// rho: loaded into t as a 2*FFLEN_2048-limb value.
// NOTE(review): unlike k_oct and e_oct there is no OCT_pad here, so this
// presumably relies on rho_oct always being exactly 2*FS_2048 bytes - confirm
// against callers, or pad/check the length before converting.
OCT_copy(&OCT, rho_oct);
FF_2048_fromOctet(t, &OCT, 2 * FFLEN_2048);
// e: pad to HFS_2048 bytes, then load as a HFLEN_2048-limb value.
OCT_copy(&OCT, e_oct);
OCT_pad(&OCT, HFS_2048);
FF_2048_fromOctet(e, &OCT, HFLEN_2048);
// ------------ GENERATE PiLogstar_PROOFS ----------
// Compute z2 = r * rho^e mod N using CRT
// Branch mod p: sp = (r mod p) * (rho mod p)^e mod p
// NOTE(review): FF_2048_nt_pow looks like the library's non-constant-time
// exponentiation. That is only acceptable if e is public; the base and the
// modulus (p, q) are secret here - confirm its timing does not depend on them.
CG21_FF_2048_amod(hws, t, 2 * FFLEN_2048, priv_key->p, HFLEN_2048);
FF_2048_dmod(sp, secrets->r, priv_key->p, HFLEN_2048);
FF_2048_nt_pow(hws, hws, e, priv_key->p, HFLEN_2048, HFLEN_2048);
FF_2048_mul(ws1, sp, hws, HFLEN_2048);
FF_2048_dmod(sp, ws1, priv_key->p, HFLEN_2048);
// Branch mod q: sq = (r mod q) * (rho mod q)^e mod q
CG21_FF_2048_amod(hws, t, 2 * FFLEN_2048, priv_key->q, HFLEN_2048);
FF_2048_dmod(sq, secrets->r, priv_key->q, HFLEN_2048);
FF_2048_nt_pow(hws, hws, e, priv_key->q, HFLEN_2048, HFLEN_2048);
FF_2048_mul(ws1, sq, hws, HFLEN_2048);
FF_2048_dmod(sq, ws1, priv_key->q, HFLEN_2048);
// ws2 = p*q, passed to the CRT step that combines sp and sq into ws1.
FF_2048_mul(ws2, priv_key->p, priv_key->q, HFLEN_2048);
FF_2048_crt(ws1, sp, sq, priv_key->p, priv_key->invpq, ws2, HFLEN_2048);
// Convert z2 to FF_4096 since it is only used as such
// assumes FS_4096 fits in the scratch buffer (sizeof(oct) == 2*FS_2048) - TODO confirm
FF_2048_toOctet(&OCT, ws1, FFLEN_2048);
OCT_pad(&OCT, FS_4096);
FF_4096_fromOctet(proofs->z2, &OCT, FFLEN_4096);
// Compute z1 = e*k + alpha
FF_2048_mul(ws1, e, k, HFLEN_2048); // k at this point is x from the paper
// z1 is cleared over FFLEN_2048 limbs, alpha is copied into the low HFLEN_2048
// limbs, and the product e*k is then added over the full FFLEN_2048 width.
FF_2048_zero(proofs->z1, FFLEN_2048);
FF_2048_copy(proofs->z1, secrets->alpha, HFLEN_2048);
FF_2048_add(proofs->z1, proofs->z1, ws1, FFLEN_2048);
FF_2048_norm(proofs->z1, FFLEN_2048);
// Compute z3 = e*mu + gamma
// t (which held rho) is wiped and reused for the product e*mu; e is passed with
// HFLEN_2048 limbs and mu with FFLEN_2048 + HFLEN_2048 limbs.
FF_2048_zero(t, 2*FFLEN_2048);
CG21_FF_2048_amul(t, e, HFLEN_2048, secrets->mu, FFLEN_2048 + HFLEN_2048);
FF_2048_copy(proofs->z3, secrets->gamma, FFLEN_2048 + HFLEN_2048);
FF_2048_add(proofs->z3, proofs->z3, t, FFLEN_2048 + HFLEN_2048);
FF_2048_norm(proofs->z3, FFLEN_2048 + HFLEN_2048);
// proof to octets for transmission
PiLogstar_proof_toOctets(proofsOct, proofs);
// ------------ CLEAR MEMORY ----------
// Zero the scratch octet and every work buffer that held secret-derived data.
// The local e is not wiped - presumably because it is a public value; confirm.
// NOTE(review): these are plain calls on locals that are about to go out of
// scope; confirm the build (inlining/LTO) cannot elide them as dead stores.
OCT_clear(&OCT);
FF_2048_zero(t, 2 * FFLEN_2048);
FF_2048_zero(ws1, FFLEN_2048);
FF_2048_zero(ws2, FFLEN_2048);
FF_2048_zero(hws, HFLEN_2048);
FF_2048_zero(sp, HFLEN_2048);
FF_2048_zero(sq, HFLEN_2048);
FF_2048_zero(k, HFLEN_2048);
}