in src/cg21/cg21_pi_factor.c [134:319]
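/*
 * Wipe a byte buffer that held secret material.
 *
 * The stores go through a volatile pointer so the compiler cannot drop them
 * as dead writes at the end of the enclosing function, which is the usual
 * fate of a plain memset() right before return. The library's FF_2048_zero
 * is an out-of-line call and does not have that problem, so the limb
 * buffers below are wiped with it as the rest of the file does.
 */
static void cg21_wipe_bytes(volatile char *buf, int len)
{
    for (int i = 0; i < len; i++) {
        buf[i] = 0;
    }
}

/*
 * Round-1 (commitment) step of the CG21 Pi^fac ("no small factor") proof.
 *
 * The prover holds p, q with N = p*q and commits to them under the Pedersen
 * parameters (N^, b0, b1) in pub_com, together with the masking randomness
 * the response round needs.
 *
 * Inputs
 *   RNG        randomness source for every mask drawn below
 *   p1, q1     the Paillier factors as octets (secret); assumed to be at most
 *              FS_2048 bytes each -- OCT_copy/OCT_pad would silently truncate
 *              anything longer and the void return gives no way to report it
 *   pub_com    Pedersen public parameters N^ (pub_com->N), b0, b1
 *   ssid       session identifier forwarded to CG21_PI_FACTOR_CHALLENGE
 *   pack_size  forwarded to CG21_PI_FACTOR_CHALLENGE
 * Outputs
 *   r1priv     secret masks alpha, beta, mu, nu, r, x, y (kept for the response)
 *   r1pub      public commitments P, Q, A, B, T and sigma
 *   e          challenge, as produced by CG21_PI_FACTOR_CHALLENGE
 *
 * Bounds for randomness generation were derived from CG21 as follows:
 *   \ell is q-bit long
 *   \epsilon is 2q-bit long
 * Every mask is drawn as a full-width random value and reduced modulo its
 * bound (modular reduction, not rejection sampling). With a 256-bit q and
 * 2048-bit moduli each random value is at least 256 bits wider than the bound
 * it is reduced by, so the reduction bias is negligible -- confirm those
 * parameter sizes if they change. Note the ranges are [0, bound), not the
 * signed +-bound of the paper; the verifier's range checks must agree.
 */
void CG21_PI_FACTOR_COMMIT(csprng *RNG, CG21_PiFACTOR_SECRETS *r1priv, CG21_PiFACTOR_COMMIT *r1pub,
PEDERSEN_PUB *pub_com, octet *p1, octet *q1, octet *e, const CG21_SSID *ssid,
int pack_size){
    // ------------ VARIABLE DEFINITION ----------
    BIG_1024_58 n[FFLEN_2048];              // Paillier N = p*q (low FFLEN_2048 limbs of n_)
    BIG_1024_58 n_[2*FFLEN_2048];           // full-width product p*q
    BIG_1024_58 n2[2 * FFLEN_2048];         // N * N^
    BIG_1024_58 q[HFLEN_2048];              // curve order
    BIG_1024_58 q2[FFLEN_2048];             // q^2
    BIG_1024_58 q3[FFLEN_2048];             // q^3
    BIG_1024_58 alpha[FFLEN_2048];
    BIG_1024_58 beta[FFLEN_2048];
    BIG_1024_58 mu[FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 nu[FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 sigma[2*FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 r[2*FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 x[FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 y[FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 pF[FFLEN_2048];             // secret factor p as limbs
    BIG_1024_58 qF[FFLEN_2048];             // secret factor q as limbs
    BIG_1024_58 t[FFLEN_2048];
    BIG_1024_58 Q[FFLEN_2048];
    BIG_1024_58 t1[FFLEN_2048];             // alpha/beta bound q^3 * (2^{4\kappa}-1), FFLEN_2048 limbs
    BIG_1024_58 bound_prod[2*FFLEN_2048];   // full-width product feeding t1 (FF_2048_mul writes 2n limbs)
    BIG_1024_58 t2[2*FFLEN_2048];
    BIG_1024_58 t3[FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 t4[3*FFLEN_2048];
    BIG_1024_58 t5[2*FFLEN_2048 + HFLEN_2048];
    char p[FS_2048];
    octet p_ = {0,sizeof(p),p};
    char qq[FS_2048];
    octet q_ = {0,sizeof(qq),qq};

    // Fixed-width copies of the secret factors; p and qq hold them as bytes
    // until the wipe at the end of the function.
    OCT_copy(&p_, p1);
    OCT_copy(&q_, q1);
    OCT_pad(&p_, FS_2048);
    OCT_pad(&q_, FS_2048);
    FF_2048_fromOctet(pF, &p_, FFLEN_2048);
    FF_2048_fromOctet(qF, &q_, FFLEN_2048);

    // N = p*q; the product is 2n limbs wide, only the low half is N.
    FF_2048_mul(n_, pF, qF, FFLEN_2048);
    FF_2048_copy(n, n_, FFLEN_2048);

    // Curve order and its powers
    CG21_GET_CURVE_ORDER(q);
    FF_2048_sqr(q2, q, HFLEN_2048);
    FF_2048_mul(q3, q, q2, HFLEN_2048);

    // Paillier_N * Pedersen_N
    FF_2048_mul(n2, n, pub_com->N, FFLEN_2048);
    FF_2048_norm(n2, 2 * FFLEN_2048);

    /* ------------ RANDOM GENERATION ---------- */
    // t1 = 2^{4\kappa}; the loop shifts CG21_PI_FACTOR_MAX_N_LENGTH/2 times,
    // so 4*kappa == CG21_PI_FACTOR_MAX_N_LENGTH/2 is assumed here.
    FF_2048_init(t1,1,FFLEN_2048);
    FF_2048_norm(t1,FFLEN_2048);
    for (int i=0; i<CG21_PI_FACTOR_MAX_N_LENGTH/2;i++) {
        FF_2048_shl(t1, FFLEN_2048);
    }
    // t1 = 2^{4\kappa}-1
    FF_2048_dec(t1,1,FFLEN_2048);
    FF_2048_norm(t1,FFLEN_2048);
    // t1 = q^3 * (2^{4\kappa}-1)
    // Every other FF_2048_mul in this function writes 2n limbs into its
    // destination (n_, n2, q2, q3), so the product goes to a 2*FFLEN_2048
    // buffer and the low half is copied back -- multiplying into t1 itself
    // would overrun it. The bound is assumed to fit in FFLEN_2048 limbs
    // (4\kappa + 3|q| bits <= 2048), as the original alpha/beta reduction
    // already required.
    FF_2048_mul(bound_prod, t1, q3, FFLEN_2048);
    FF_2048_copy(t1, bound_prod, FFLEN_2048);
    // Note: we replace sqrt(N) with 2^{4\kappa}-1 as upper bound

    // Generate alpha in [0, q^3*(2^{4\kappa}-1))
    FF_2048_random(alpha, RNG, FFLEN_2048);     // full FFLEN_2048-limb random value
    FF_2048_mod(alpha, t1, FFLEN_2048);         // reduced modulo the bound
    FF_2048_toOctet(r1priv->alpha,alpha,FFLEN_2048);

    // Generate beta in [0, q^3*(2^{4\kappa}-1))
    FF_2048_random(beta, RNG, FFLEN_2048);
    FF_2048_mod(beta, t1, FFLEN_2048);
    FF_2048_toOctet(r1priv->beta,beta,FFLEN_2048);

    // Generate mu in [0, Pedersen_N * q)
    CG21_FF_2048_amul(t2, q, HFLEN_2048, pub_com->N, FFLEN_2048);
    FF_2048_random(mu, RNG, FFLEN_2048 + HFLEN_2048);
    FF_2048_mod(mu, t2, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1priv->mu,mu,FFLEN_2048 + HFLEN_2048);

    // Generate nu in [0, Pedersen_N * q)
    FF_2048_random(nu, RNG, FFLEN_2048 + HFLEN_2048);
    FF_2048_mod(nu, t2, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1priv->nu,nu,FFLEN_2048 + HFLEN_2048);

    // Generate sigma in [0, Paillier_N * Pedersen_N * q); sigma is part of the
    // public round-1 message.
    CG21_FF_2048_amul(t4, q, HFLEN_2048, n2, 2*FFLEN_2048);
    FF_2048_random(sigma, RNG, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_mod(sigma, t4, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1pub->sigma,sigma,2*FFLEN_2048 + HFLEN_2048);

    // Generate r in [0, Paillier_N * Pedersen_N * q^3)
    CG21_FF_2048_amul(t4, q3, HFLEN_2048, n2, 2*FFLEN_2048);
    FF_2048_random(r, RNG, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_mod(r, t4, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1priv->r,r,2*FFLEN_2048 + HFLEN_2048);

    // Generate x in [0, Pedersen_N * q^3)
    CG21_FF_2048_amul(t2, q3, HFLEN_2048, pub_com->N, FFLEN_2048);
    FF_2048_random(x, RNG, FFLEN_2048 + HFLEN_2048);
    FF_2048_mod(x, t2, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1priv->x,x,FFLEN_2048 + HFLEN_2048);

    // Generate y in [0, Pedersen_N * q^3)
    FF_2048_random(y, RNG, FFLEN_2048 + HFLEN_2048);
    FF_2048_mod(y, t2, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1priv->y,y,FFLEN_2048 + HFLEN_2048);

    /* ------------ COMMITMENT ---------- */
    // All exponentiations use the constant-time two-base routine; the first
    // exponent is zero-extended into a scratch buffer of the second's width.

    // Compute P: b0^p * b1^mu mod hat{N}
    FF_2048_zero(t, FFLEN_2048);
    FF_2048_zero(t3, FFLEN_2048 + HFLEN_2048);
    FF_2048_copy(t3, pF, FFLEN_2048);
    FF_2048_ct_pow_2(t, pub_com->b0, t3, pub_com->b1, mu,pub_com->N,
    FFLEN_2048, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1pub->P,t,FFLEN_2048);

    // Compute Q: b0^q * b1^nu mod hat{N} (kept in Q, it is a base for T below)
    FF_2048_zero(Q, FFLEN_2048);
    FF_2048_zero(t3, FFLEN_2048 + HFLEN_2048);
    FF_2048_copy(t3, qF, FFLEN_2048);
    FF_2048_ct_pow_2(Q, pub_com->b0, t3, pub_com->b1, nu,pub_com->N,
    FFLEN_2048, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1pub->Q,Q,FFLEN_2048);

    // Compute A: b0^alpha * b1^x mod hat{N}
    FF_2048_zero(t, FFLEN_2048);
    FF_2048_zero(t3, FFLEN_2048 + HFLEN_2048);
    FF_2048_copy(t3, alpha, FFLEN_2048);
    FF_2048_ct_pow_2(t, pub_com->b0, t3, pub_com->b1, x,pub_com->N,
    FFLEN_2048, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1pub->A,t,FFLEN_2048);

    // Compute B: b0^beta * b1^y mod hat{N}
    FF_2048_zero(t, FFLEN_2048);
    FF_2048_zero(t3, FFLEN_2048 + HFLEN_2048);
    FF_2048_copy(t3, beta, FFLEN_2048);
    FF_2048_ct_pow_2(t, pub_com->b0, t3, pub_com->b1, y,pub_com->N,
    FFLEN_2048, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1pub->B,t,FFLEN_2048);

    // Compute T: Q^alpha * b1^r mod hat{N}
    FF_2048_zero(t, FFLEN_2048);
    FF_2048_zero(t5, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_copy(t5, alpha, FFLEN_2048);
    FF_2048_ct_pow_2(t, Q, t5, pub_com->b1, r,pub_com->N,
    FFLEN_2048, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(r1pub->T,t,FFLEN_2048);

    // ------------ CLEAN UP ----------
    // Wipe every local that held secret material: the masks, the scratch
    // exponent buffers, and the copies of the factors p and q (as limbs and
    // as the padded byte buffers behind p_/q_).
    FF_2048_zero(alpha,FFLEN_2048);
    FF_2048_zero(beta,FFLEN_2048);
    FF_2048_zero(mu,FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(nu,FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(sigma,2*FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(r,2*FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(x,FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(y,FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(t,FFLEN_2048);
    FF_2048_zero(Q,FFLEN_2048);
    FF_2048_zero(t2,2*FFLEN_2048);
    FF_2048_zero(t3,FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(t4,3*FFLEN_2048);
    FF_2048_zero(t5,2*FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(pF,FFLEN_2048);
    FF_2048_zero(qF,FFLEN_2048);
    cg21_wipe_bytes(p, FS_2048);
    cg21_wipe_bytes(qq, FS_2048);

    // NOTE(review): the challenge is derived from ssid, N^ and N only; none of
    // the commitment values computed above (P, Q, A, B, T, sigma) are passed
    // in. If this is meant as a Fiat-Shamir challenge it must also bind those
    // values; if e is instead fixed by the session and checked by an
    // interactive verifier this is fine -- confirm against
    // CG21_PI_FACTOR_CHALLENGE.
    CG21_PI_FACTOR_CHALLENGE(ssid, pub_com->N, n, e, pack_size);
}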