void ring_Pedersen_setup()

in src/cg21/cg21_utilities.c [305:379]


/*
 * Fill `prime` with a safe prime of HFLEN_2048 limbs and `half` with (prime-1)/2.
 *
 * If `O` is NULL the pair is generated with the RNG via safe_prime_gen (which is
 * assumed to write both outputs, mirroring the decode branch -- confirm against
 * its definition). Otherwise `O` is decoded as the prime: the octet is padded
 * IN PLACE to HFS_2048 bytes, so the caller's buffer is modified, and no
 * primality, safe-prime or range check is applied -- a supplied value is
 * trusted as-is.
 */
static void rp_load_or_gen_safe_prime(csprng *RNG, BIG_1024_58 *half, BIG_1024_58 *prime, octet *O)
{
    if (O != NULL)
    {
        OCT_pad(O, HFS_2048);
        FF_2048_fromOctet(prime, O, HFLEN_2048);
        FF_2048_copy(half, prime, HFLEN_2048);

        /* prime is odd, so prime >> 1 == (prime - 1) / 2 */
        FF_2048_shr(half, HFLEN_2048);
        return;
    }

    safe_prime_gen(RNG, half, prime, HFLEN_2048);
}

/*
 * Generate the private side of a ring-Pedersen commitment setup.
 *
 * On return `m` holds:
 *   mod.p, mod.q   safe primes P, Q (generated, or decoded from P/Q when non-NULL)
 *   mod.n          N = P*Q
 *   mod.invpq      P^-1 mod Q, used for CRT recombination
 *   pq             (P-1)/2 * (Q-1)/2, the modulus the secret exponent lives in
 *   b0             a generator of G_pq in Z/NZ
 *   alpha, ialpha  secret exponent below pq and its inverse mod pq
 *   b1             b0^alpha mod N
 *
 * RNG     randomness source (also consumed when P/Q are supplied, for the
 *         generators and alpha); RNG calls are made in the order P, Q, gp, gq, alpha.
 * P, Q    optional caller-supplied safe primes; when non-NULL they are padded in
 *         place and are NOT validated here.
 *
 * Stack temporaries derived from the factorisation or from alpha are zeroed
 * before return.
 */
void ring_Pedersen_setup(csprng *RNG, PEDERSEN_PRIV *m, octet *P, octet *Q)
{
    BIG_1024_58 half_p[HFLEN_2048];   /* (P-1)/2 */
    BIG_1024_58 half_q[HFLEN_2048];   /* (Q-1)/2 */
    BIG_1024_58 gen_p[HFLEN_2048];    /* generator of G_p in Z/PZ, later raised to alpha */
    BIG_1024_58 gen_q[HFLEN_2048];    /* generator of G_q in Z/QZ, later raised to alpha */
    BIG_1024_58 exp_p[HFLEN_2048];    /* alpha mod (P-1)/2 */
    BIG_1024_58 exp_q[HFLEN_2048];    /* alpha mod (Q-1)/2 */

    /* Safe primes, P before Q (RNG consumption order matters for reproducibility). */
    rp_load_or_gen_safe_prime(RNG, half_p, m->mod.p, P);
    rp_load_or_gen_safe_prime(RNG, half_q, m->mod.q, Q);

    /* N = P*Q, the subgroup order pq, and P^-1 mod Q for the CRT steps below. */
    FF_2048_mul(m->mod.n, m->mod.p, m->mod.q, HFLEN_2048);
    FF_2048_mul(m->pq, half_p, half_q, HFLEN_2048);
    FF_2048_invmodp(m->mod.invpq, m->mod.p, m->mod.q, HFLEN_2048);

    /* b0: combine a generator of G_p and one of G_q with the CRT into a generator of G_pq. */
    BC_find_generator(RNG, gen_p, m->mod.p, HFLEN_2048);
    BC_find_generator(RNG, gen_q, m->mod.q, HFLEN_2048);
    FF_2048_crt(m->b0, gen_p, gen_q, m->mod.p, m->mod.invpq, m->mod.n, HFLEN_2048);

    /* Secret exponent alpha drawn below pq, nudged upward by one until it is
     * invertible mod pq; ialpha caches the inverse. A zero result from
     * FF_2048_invmodp is taken to mean "no inverse" (hence the iszilch test). */
    FF_2048_randomnum(m->alpha, m->pq, RNG, FFLEN_2048);
    FF_2048_invmodp(m->ialpha, m->alpha, m->pq, FFLEN_2048);
    while (FF_2048_iszilch(m->ialpha, FFLEN_2048))
    {
        FF_2048_inc(m->alpha, 1, FFLEN_2048);
        FF_2048_invmodp(m->ialpha, m->alpha, m->pq, FFLEN_2048);
    }

    /* b1 = b0^alpha mod N, done per prime with the exponent reduced mod the
     * half-prime (the order of gen_p / gen_q), then recombined with the CRT.
     * The ct_pow variant is used because the exponent is secret. */
    FF_2048_dmod(exp_p, m->alpha, half_p, HFLEN_2048);
    FF_2048_dmod(exp_q, m->alpha, half_q, HFLEN_2048);

    FF_2048_ct_pow(gen_p, gen_p, exp_p, m->mod.p, HFLEN_2048, HFLEN_2048);
    FF_2048_ct_pow(gen_q, gen_q, exp_q, m->mod.q, HFLEN_2048, HFLEN_2048);

    FF_2048_crt(m->b1, gen_p, gen_q, m->mod.p, m->mod.invpq, m->mod.n, HFLEN_2048);

    /* Wipe every temporary that depends on the factorisation or on alpha.
     * NOTE(review): whether this wipe survives the optimiser depends on how
     * FF_2048_zero is implemented -- confirm it is not elided. */
    BIG_1024_58 *scratch[] = { half_p, half_q, gen_p, gen_q, exp_p, exp_q };
    for (size_t i = 0; i < sizeof scratch / sizeof scratch[0]; i++)
    {
        FF_2048_zero(scratch[i], HFLEN_2048);
    }
}