ホーム エクスプローラ ヘルプ
サインイン
avadapal
/
duoram
1
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ツリー: b3edb4445e
ブランチ タグ
duoram
/
2p-preprocessing
/
ENCRYPTO_utils
/
crypto
/
dgk.cpp

dgk.cpp 20 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809 
  1. /**
    2. 

  2.  \file 		dgk.cpp
    3. 

  3.  \author 	Daniel Demmler
    4. 

  4.  \copyright Copyright (C) 2019 ENCRYPTO Group, TU Darmstadt
    5. 

  5.   This program is free software: you can redistribute it and/or modify
    6. 

  6.   it under the terms of the GNU Lesser General Public License as published
    7. 

  7.   by the Free Software Foundation, either version 3 of the License, or
    8. 

  8.   (at your option) any later version.
    9. 

  9.   ABY is distributed in the hope that it will be useful,
    10. 

  10.   but WITHOUT ANY WARRANTY; without even the implied warranty of
    11. 

  11.   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    12. 

  12.   GNU Lesser General Public License for more details.
    13. 

  13.   You should have received a copy of the GNU Lesser General Public License
    14. 

  14.   along with this program. If not, see <http://www.gnu.org/licenses/>.
    15. 

  15. 

  16.  \brief		 libdgk - v0.9
    17. 

  17.  A library implementing the DGK crypto system with full decryption
    18. 

  18.  Thanks to Marina Blanton for sharing her Miracl DGK implementation from
    19. 

  19.  M. Blanton and P. Gasti, "Secure and efficient protocols for iris and fingerprint identification" (ESORICS’11)
    20. 

  20.  with us. We used it as a template for this GMP version.
    21. 

  21. 

  22.  The implementation structure was inspired by
    23. 

  23.  libpailler - A library implementing the Paillier crypto system. (http://hms.isi.jhu.edu/acsc/libpaillier/)
    24. 

  24.  */
    25. 

  25. 

  26. #include "dgk.h"
    27. 

  27. #include "../powmod.h"
    28. 

  28. #include "../utils.h"
    29. 

  29. #include <cstdlib>
    30. 

  30. #include <cstring>
    31. 

  31. 

  32. #define DGK_CHECKSIZE 0
    33. 

  33. 

  34. // number of test encryptions and decryptions that are performed to verify a generated key. This will take time, but more are better.
    35. 

  35. #define KEYTEST_ITERATIONS 1000
    36. 

  36. 

  37. //array holding the powers of two
    38. 

  38. mpz_t* powtwo;
    39. 

  39. 

  40. //array for holding temporary values
    41. 

  41. mpz_t* gvpvqp;
    42. 

  42. 

  43. void dgk_complete_pubkey(unsigned int modulusbits, unsigned int lbits, dgk_pubkey_t** pub, mpz_t n, mpz_t g, mpz_t h) {
    44. 

  44. 	*pub = (dgk_pubkey_t*) malloc(sizeof(dgk_pubkey_t));
    45. 

  45. 

  46. 	mpz_init((*pub)->n);
    47. 

  47. 	mpz_init((*pub)->u);
    48. 

  48. 	mpz_init((*pub)->h);
    49. 

  49. 	mpz_init((*pub)->g);
    50. 

  50. 

  51. 	mpz_set((*pub)->n, n);
    52. 

  52. 	mpz_setbit((*pub)->u, 2 * lbits + 2);
    53. 

  53. 	mpz_set((*pub)->g, g);
    54. 

  54. 	mpz_set((*pub)->h, h);
    55. 

  55. 

  56. 	(*pub)->bits = modulusbits;
    57. 

  57. 	(*pub)->lbits = 2 * lbits + 2;
    58. 

  58. }
    59. 

  59. 

  60. void dgk_keygen(unsigned int modulusbits, unsigned int lbits, dgk_pubkey_t** pub, dgk_prvkey_t** prv) {
    61. 

  61. 	mpz_t tmp, tmp2, f1, f2, exp1, exp2, exp3, xp, xq;
    62. 

  62. 

  63. 	unsigned int found = 0, i;
    64. 

  64. 

  65. 	//printf("Keygen %u %u\n", modulusbits, lbits);
    66. 

  66. 

  67. 	/* allocate the new key structures */
    68. 

  68. 	*pub = (dgk_pubkey_t*) malloc(sizeof(dgk_pubkey_t));
    69. 

  69. 	*prv = (dgk_prvkey_t*) malloc(sizeof(dgk_prvkey_t));
    70. 

  70. 

  71. 	/* initialize our integers */
    72. 

  72. 	mpz_init((*pub)->n);
    73. 

  73. 	mpz_init((*pub)->u);
    74. 

  74. 	mpz_init((*pub)->h);
    75. 

  75. 	mpz_init((*pub)->g);
    76. 

  76. 

  77. 	mpz_init((*prv)->vp);
    78. 

  78. 	mpz_init((*prv)->vq);
    79. 

  79. 	mpz_init((*prv)->p);
    80. 

  80. 	mpz_init((*prv)->q);
    81. 

  81. 	mpz_init((*prv)->p_minusone);
    82. 

  82. 	mpz_init((*prv)->q_minusone);
    83. 

  83. 	mpz_init((*prv)->pinv);
    84. 

  84. 	mpz_init((*prv)->qinv);
    85. 

  85. 

  86. 	mpz_inits(tmp, tmp2, f1, f2, exp1, exp2, exp3, xp, xq, NULL);
    87. 

  87. 

  88. 	lbits = lbits * 2 + 2; // plaintext space needs to 2l+2 in our use case. probably not needed for general use, but four our MT generation.
    89. 

  89. 

  90. 	(*pub)->bits = modulusbits;
    91. 

  91. 	(*pub)->lbits = lbits;
    92. 

  92. 

  93. 	// vp and vq are primes
    94. 

  94. 	aby_prng((*prv)->vp, 160);
    95. 

  95. 	mpz_nextprime((*prv)->vp, (*prv)->vp);
    96. 

  96. 

  97. 	aby_prng((*prv)->vq, 160);
    98. 

  98. 	do {
    99. 

  99. 		mpz_nextprime((*prv)->vq, (*prv)->vq);
    100. 

  100. 	} while (mpz_cmp((*prv)->vp, (*prv)->vq) == 0);
    101. 

  101. 

  102. 	// u = 2^lbits. u is NOT a prime (different from original DGK to allow full and easy decryption. See Blanton/Gasti Paper for details).
    103. 

  103. 	mpz_setbit((*pub)->u, lbits);
    104. 

  104. 

  105. 	// p
    106. 

  106. 	while (!found) {
    107. 

  107. 		aby_prng(f1, modulusbits / 2 - 160 - lbits);
    108. 

  108. 		mpz_nextprime(f1, f1);
    109. 

  109. 

  110. 		mpz_mul((*prv)->p, (*pub)->u, (*prv)->vp);
    111. 

  111. 		mpz_mul((*prv)->p, f1, (*prv)->p);
    112. 

  112. 		mpz_add_ui((*prv)->p, (*prv)->p, 1);
    113. 

  113. 		found = mpz_probab_prime_p((*prv)->p, 50);
    114. 

  114. 	}
    115. 

  115. 	found = 0;
    116. 

  116. 

  117. 	// q
    118. 

  118. 	while (!found) {
    119. 

  119. 		aby_prng(f2, modulusbits / 2 - 159 - lbits);
    120. 

  120. 		mpz_nextprime(f2, f2);
    121. 

  121. 

  122. 		mpz_mul((*prv)->q, (*pub)->u, (*prv)->vq);
    123. 

  123. 		mpz_mul((*prv)->q, f2, (*prv)->q);
    124. 

  124. 		mpz_add_ui((*prv)->q, (*prv)->q, 1);
    125. 

  125. 		found = mpz_probab_prime_p((*prv)->q, 50);
    126. 

  126. 	}
    127. 

  127. 	found = 0;
    128. 

  128. 

  129. 	// p-1, q-1 - this is currently not used
    130. 

  130. 	mpz_sub_ui((*prv)->p_minusone, (*prv)->p, 1);
    131. 

  131. 	mpz_sub_ui((*prv)->q_minusone, (*prv)->q, 1);
    132. 

  132. 

  133. 	// n = pq
    134. 

  134. 	mpz_mul((*pub)->n, (*prv)->p, (*prv)->q);
    135. 

  135. 

  136. 	mpz_setbit(exp1, lbits - 1);
    137. 

  137. 

  138. 	mpz_mul(exp1, (*prv)->vp, exp1);
    139. 

  139. 	mpz_mul(exp1, f1, exp1);
    140. 

  140. 	mpz_mul(exp2, (*prv)->vp, (*pub)->u);
    141. 

  141. 	mpz_mul(exp3, f1, (*pub)->u);
    142. 

  142. 

  143. 	// xp
    144. 

  144. 	while (!found) {
    145. 

  145. 		aby_prng(xp, mpz_sizeinbase((*prv)->p, 2) + 128);
    146. 

  146. 		mpz_mod(xp, xp, (*prv)->p);
    147. 

  147. 

  148. 		mpz_powm(tmp, xp, exp1, (*prv)->p);
    149. 

  149. 		if (mpz_cmp_ui(tmp, 1) != 0) {
    150. 

  150. 			mpz_powm(tmp, xp, exp2, (*prv)->p);
    151. 

  151. 			if (mpz_cmp_ui(tmp, 1) != 0) {
    152. 

  152. 				mpz_powm(tmp, xp, exp3, (*prv)->p);
    153. 

  153. 				if (mpz_cmp_ui(tmp, 1) != 0) {
    154. 

  154. 					found = 1;
    155. 

  155. 				}
    156. 

  156. 			}
    157. 

  157. 		}
    158. 

  158. 	}
    159. 

  159. 	found = 0;
    160. 

  160. 

  161. 	mpz_setbit(exp1, lbits - 1);
    162. 

  162. 

  163. 	mpz_mul(exp1, (*prv)->vq, exp1);
    164. 

  164. 	mpz_mul(exp1, f2, exp1);
    165. 

  165. 	mpz_mul(exp2, (*prv)->vq, (*pub)->u);
    166. 

  166. 	mpz_mul(exp3, f2, (*pub)->u);
    167. 

  167. 

  168. 	// xq
    169. 

  169. 	while (!found) {
    170. 

  170. 		aby_prng(xq, mpz_sizeinbase((*prv)->q, 2) + 128);
    171. 

  171. 		mpz_mod(xq, xq, (*prv)->q);
    172. 

  172. 

  173. 		mpz_powm(tmp, xq, exp1, (*prv)->q);
    174. 

  174. 		if (mpz_cmp_ui(tmp, 1) != 0) {
    175. 

  175. 			mpz_powm(tmp, xq, exp2, (*prv)->q);
    176. 

  176. 			if (mpz_cmp_ui(tmp, 1) != 0) {
    177. 

  177. 				mpz_powm(tmp, xq, exp3, (*prv)->q);
    178. 

  178. 				if (mpz_cmp_ui(tmp, 1) != 0) {
    179. 

  179. 					found = 1;
    180. 

  180. 				}
    181. 

  181. 			}
    182. 

  182. 		}
    183. 

  183. 	}
    184. 

  184. 

  185. 	// compute CRT: g = xp*q*(q^{-1} mod p) + xq*p*(p^{-1} mod q) mod n
    186. 

  186. 	mpz_invert(tmp, (*prv)->q, (*prv)->p); // tmp = 1/q % p
    187. 

  187. 	mpz_set((*prv)->qinv, tmp);
    188. 

  188. 	mpz_mul(tmp, tmp, (*prv)->q); // tmp = tmp * q
    189. 

  189. 

  190. 	// tmp = xp*tmp % n
    191. 

  191. 	mpz_mul(tmp, xp, tmp);
    192. 

  192. 	mpz_mod(tmp, tmp, (*pub)->n);
    193. 

  193. 

  194. 	mpz_invert(tmp2, (*prv)->p, (*prv)->q); // tmp1 = 1/p % q
    195. 

  195. 	mpz_set((*prv)->pinv, tmp2);
    196. 

  196. 	mpz_mul(tmp2, tmp2, (*prv)->p); // tmp1 = tmp1*p
    197. 

  197. 

  198. 	// tmp1 = xq*tmp1 % n
    199. 

  199. 	mpz_mul(tmp2, xq, tmp2);
    200. 

  200. 	mpz_mod(tmp2, tmp2, (*pub)->n);
    201. 

  201. 

  202. 	// g = xp + xq % n
    203. 

  203. 	mpz_add((*pub)->g, xq, xp);
    204. 

  204. 	mpz_mod((*pub)->g, (*pub)->g, (*pub)->n);
    205. 

  205. 

  206. 	mpz_mul(tmp, f1, f2); // tmp = f1*f2
    207. 

  207. 	mpz_powm((*pub)->g, (*pub)->g, tmp, (*pub)->n); // g = g^tmp % n
    208. 

  208. 

  209. 	aby_prng((*pub)->h, mpz_sizeinbase((*pub)->n, 2) + 128);
    210. 

  210. 	mpz_mod((*pub)->h, (*pub)->h, (*pub)->n);
    211. 

  211. 

  212. 	mpz_mul(tmp, tmp, (*pub)->u);
    213. 

  213. 	mpz_powm((*pub)->h, (*pub)->h, tmp, (*pub)->n); // h = h^tmp % n
    214. 

  214. 

  215. 	powtwo = (mpz_t*) malloc(sizeof(mpz_t) * lbits);
    216. 

  216. 	gvpvqp = (mpz_t*) malloc(sizeof(mpz_t) * lbits);
    217. 

  217. 

  218. 	// array holding powers of two
    219. 

  219. 	for (i = 0; i < lbits; i++) {
    220. 

  220. 		mpz_init(powtwo[i]);
    221. 

  221. 		mpz_setbit(powtwo[i], i);
    222. 

  222. 	}
    223. 

  223. 

  224. 	mpz_powm(f1, (*pub)->g, (*prv)->vp, (*prv)->p); // gvpvq
    225. 

  225. 

  226. 	mpz_sub_ui(tmp2, (*pub)->u, 1); // tmp1 = u - 1
    227. 

  227. 

  228. 	for (i = 0; i < lbits; i++) {
    229. 

  229. 		mpz_init(gvpvqp[i]);
    230. 

  230. 		mpz_powm(gvpvqp[i], f1, powtwo[i], (*prv)->p);
    231. 

  231. 		mpz_powm(gvpvqp[i], gvpvqp[i], tmp2, (*prv)->p);
    232. 

  232. 	}
    233. 

  233. 

  234. 	/* clear temporary integers */
    235. 

  235. 	mpz_clears(tmp, tmp2, f1, f2, exp1, exp2, exp3, xp, xq, NULL);
    236. 

  236. }
    237. 

  237. 

  238. void dgk_encrypt_db(mpz_t res, dgk_pubkey_t* pub, mpz_t plaintext) {
    239. 

  239. 	mpz_t r;
    240. 

  240. 	mpz_init(r);
    241. 

  241. 

  242. #if DGK_CHECKSIZE
    243. 

  243. 	mpz_setbit(r, (pub->lbits-2)/2);
    244. 

  244. 	if (mpz_cmp(plaintext, r) >= 0) {
    245. 

  245. 		gmp_printf("m: %Zd\nmax:%Zd\n", plaintext, r);
    246. 

  246. 		printf("DGK WARNING: m too big!\n");
    247. 

  247. 	}
    248. 

  248. #endif
    249. 

  249. 

  250. 	/* pick random blinding factor r */
    251. 

  251. 	aby_prng(r, 400); // 2.5 * 160 = 400 bit
    252. 

  252. 

  253. 	dbpowmod(res, pub->h, r, pub->g, plaintext, pub->n);
    254. 

  254. 

  255. 	mpz_clear(r);
    256. 

  256. }
    257. 

  257. 

  258. void dgk_encrypt_fb(mpz_t res, dgk_pubkey_t* pub, mpz_t plaintext) {
    259. 

  259. 	mpz_t r;
    260. 

  260. 	mpz_init(r);
    261. 

  261. 

  262. #if DGK_CHECKSIZE
    263. 

  263. 	mpz_setbit(r, (pub->lbits-2)/2);
    264. 

  264. 	if (mpz_cmp(plaintext, r) >= 0) {
    265. 

  265. 		gmp_printf("m: %Zd\nmax:%Zd\n", plaintext, r);
    266. 

  266. 		printf("DGK WARNING: m too big!\n");
    267. 

  267. 	}
    268. 

  268. #endif
    269. 

  269. 

  270. 	/* pick random blinding factor r */
    271. 

  271. 	aby_prng(r, 400); // 2.5 * 160 = 400 bit
    272. 

  272. 	fbpowmod_h(r, r); //r = h^r
    273. 

  273. 	fbpowmod_g(res, plaintext); //res = g^plaintext
    274. 

  274. 

  275. 	mpz_mul(res, res, r);
    276. 

  276. 	mpz_mod(res, res, pub->n);
    277. 

  277. 

  278. 	mpz_clear(r);
    279. 

  279. }
    280. 

  280. 

  281. void dgk_encrypt_plain(mpz_t res, dgk_pubkey_t* pub, mpz_t plaintext) {
    282. 

  282. 	mpz_t r;
    283. 

  283. 	mpz_init(r);
    284. 

  284. 

  285. #if DGK_CHECKSIZE
    286. 

  286. 	mpz_setbit(r, (pub->lbits-2)/2);
    287. 

  287. 	if (mpz_cmp(plaintext, r) >= 0) {
    288. 

  288. 		gmp_printf("m: %Zd\nmax:%Zd\n", plaintext, r);
    289. 

  289. 		printf("DGK WARNING: m too big!\n");
    290. 

  290. 	}
    291. 

  291. #endif
    292. 

  292. 

  293. 	/* pick random blinding factor r */
    294. 

  294. 	aby_prng(r, 400); // 2.5 * 160 = 400 bit
    295. 

  295. 	mpz_powm(r, pub->h, r, pub->n);
    296. 

  296. 	mpz_powm(res, pub->g, plaintext, pub->n);
    297. 

  297. 

  298. 	mpz_mul(res, res, r);
    299. 

  299. 	mpz_mod(res, res, pub->n);
    300. 

  300. 

  301. 	mpz_clear(r);
    302. 

  302. }
    303. 

  303. 

  304. void dgk_encrypt_crt_db(mpz_t res, dgk_pubkey_t * pub, dgk_prvkey_t * prv, mpz_t plaintext) {
    305. 

  305. 	mpz_t r, ep;
    306. 

  306. 	mpz_inits(r, ep, NULL);
    307. 

  307. 

  308. #if DGK_CHECKSIZE
    309. 

  309. 	mpz_setbit(r, (pub->lbits-2)/2);
    310. 

  310. 	if (mpz_cmp(plaintext, r) >= 0) {
    311. 

  311. 		gmp_printf("m: %Zd\nmax:%Zd\n", plaintext, r);
    312. 

  312. 		printf("DGK WARNING: m too big!\n");
    313. 

  313. 	}
    314. 

  314. #endif
    315. 

  315. 

  316. 	/* pick random blinding factor r */
    317. 

  317. 	//mpz_urandomb(r, rnd, 400); // 2.5 * 160 = 400 bit
    318. 

  318. 	aby_prng(r, 400);
    319. 

  319. 	dbpowmod(ep, pub->h, r, pub->g, plaintext, prv->p);
    320. 

  320. 

  321. 	mpz_mul(res, ep, prv->q);
    322. 

  322. 	mpz_mul(res, res, prv->qinv);
    323. 

  323. 	mpz_mod(res, res, pub->n);
    324. 

  324. 

  325. 	dbpowmod(ep, pub->h, r, pub->g, plaintext, prv->q);
    326. 

  326. 

  327. 	mpz_mul(ep, ep, prv->p);
    328. 

  328. 	mpz_mul(ep, ep, prv->pinv);
    329. 

  329. 	mpz_mod(ep, ep, pub->n);
    330. 

  330. 

  331. 	mpz_add(res, res, ep);
    332. 

  332. 	mpz_mod(res, res, pub->n);
    333. 

  333. 

  334. 	mpz_clears(r, ep, NULL);
    335. 

  335. }
    336. 

  336. 

  337. void dgk_encrypt_crt(mpz_t res, dgk_pubkey_t * pub, dgk_prvkey_t * prv, mpz_t plaintext) {
    338. 

  338. 	mpz_t r, ep, eq;
    339. 

  339. 	mpz_inits(r, ep, eq, NULL);
    340. 

  340. 

  341. #if DGK_CHECKSIZE
    342. 

  342. 	mpz_setbit(r, (pub->lbits-2)/2);
    343. 

  343. 	if (mpz_cmp(plaintext, r) >= 0) {
    344. 

  344. 		gmp_printf("m: %Zd\nmax:%Zd\n", plaintext, r);
    345. 

  345. 		printf("DGK WARNING: m too big!\n");
    346. 

  346. 	}
    347. 

  347. #endif
    348. 

  348. 

  349. 	/* pick random blinding factor r */
    350. 

  350. 	aby_prng(r, 400); // 2.5 * 160 = 400 bit
    351. 

  351. 	// ep = h^r * g^plaintext % p
    352. 

  352. 	mpz_powm(ep, pub->h, r, prv->p);
    353. 

  353. 	mpz_powm(res, pub->g, plaintext, prv->p);
    354. 

  354. 	mpz_mul(ep, ep, res);
    355. 

  355. 	mpz_mod(ep, ep, prv->p);
    356. 

  356. 

  357. 	mpz_mul(res, ep, prv->q);
    358. 

  358. 	mpz_mul(res, res, prv->qinv);
    359. 

  359. 	mpz_mod(res, res, pub->n);
    360. 

  360. 

  361. 	// ep = h^r*g^plaintext % q
    362. 

  362. 	mpz_powm(ep, pub->h, r, prv->q);
    363. 

  363. 	mpz_powm(eq, pub->g, plaintext, prv->q);
    364. 

  364. 	mpz_mul(ep, ep, eq);
    365. 

  365. 	mpz_mod(ep, ep, prv->q);
    366. 

  366. 

  367. 	mpz_mul(ep, ep, prv->p);
    368. 

  368. 	mpz_mul(ep, ep, prv->pinv);
    369. 

  369. 	mpz_mod(ep, ep, pub->n);
    370. 

  370. 

  371. 	mpz_add(res, res, ep);
    372. 

  372. 	mpz_mod(res, res, pub->n);
    373. 

  373. 

  374. 	mpz_clears(r, ep, eq, NULL);
    375. 

  375. }
    376. 

  376. 

  377. void dgk_decrypt(mpz_t res, dgk_pubkey_t* pub, dgk_prvkey_t* prv, mpz_t ciphertext) {
    378. 

  378. 	mpz_t y, yi;
    379. 

  379. 	mpz_inits(y, yi, NULL);
    380. 

  380. 

  381. 	unsigned int i, xi[pub->lbits];
    382. 

  382. 

  383. 	mpz_powm(y, ciphertext, prv->vp, prv->p);
    384. 

  384. 

  385. 	mpz_set_ui(res, 0);
    386. 

  386. 

  387. 	for (i = 0; i < pub->lbits; i++) {
    388. 

  388. 

  389. 		mpz_powm(yi, y, powtwo[pub->lbits - 1 - i], prv->p);
    390. 

  390. 

  391. 		if (mpz_cmp_ui(yi, 1) == 0) {
    392. 

  392. 			xi[i] = 0;
    393. 

  393. 		} else {
    394. 

  394. 			xi[i] = 1;
    395. 

  395. 

  396. 			mpz_mul(y, y, gvpvqp[i]);
    397. 

  397. 			mpz_mod(y, y, prv->p);
    398. 

  398. 		}
    399. 

  399. 	}
    400. 

  400. 

  401. 	for (i = 0; i < pub->lbits; i++) {
    402. 

  402. 		if (xi[i] == 1) {
    403. 

  403. 			mpz_add(res, powtwo[i], res);
    404. 

  404. 		}
    405. 

  405. 	}
    406. 

  406. 

  407. 	mpz_clears(y, yi, NULL);
    408. 

  408. }
    409. 

  409. 

  410. void dgk_freepubkey(dgk_pubkey_t* pub) {
    411. 

  411. 	mpz_clears(pub->n, pub->u, pub->g, pub->h, NULL);
    412. 

  412. 	free(pub);
    413. 

  413. }
    414. 

  414. 

  415. void dgk_freeprvkey(dgk_prvkey_t* prv) {
    416. 

  416. 	mpz_clears(prv->p, prv->q, prv->vp, prv->vq, prv->qinv, prv->pinv, prv->p_minusone, prv->q_minusone, NULL);
    417. 

  417. 	free(prv);
    418. 

  418. }
    419. 

  419. 

  420. void dgk_storekey(unsigned int modulusbits, unsigned int lbits, dgk_pubkey_t* pub, dgk_prvkey_t* prv) {
    421. 

  421. 	FILE *fp;
    422. 

  422. 

  423. 	char smod[5];
    424. 

  424. 	char slbit[4];
    425. 

  425. 	char name[40] = "dgk_key_";
    426. 

  426. 	const char* div = "_";
    427. 

  427. 	const char* ext = ".bin";
    428. 

  428. 

  429. 	sprintf(smod, "%d", modulusbits);
    430. 

  430. 	sprintf(slbit, "%d", lbits);
    431. 

  431. 

  432. 	strcat(name, smod);
    433. 

  433. 	strcat(name, div);
    434. 

  434. 	strcat(name, slbit);
    435. 

  435. 	strcat(name, ext);
    436. 

  436. 

  437. 	printf("writing dgk key to %s\n", name);
    438. 

  438. 

  439. 	fp = fopen(name, "w");
    440. 

  440. 

  441. 	mpz_out_raw(fp, prv->p);
    442. 

  442. 	mpz_out_raw(fp, prv->q);
    443. 

  443. 	mpz_out_raw(fp, prv->vp);
    444. 

  444. 	mpz_out_raw(fp, prv->vq);
    445. 

  445. 

  446. 	mpz_out_raw(fp, prv->pinv);
    447. 

  447. 	mpz_out_raw(fp, prv->qinv);
    448. 

  448. 

  449. 	mpz_out_raw(fp, pub->n);
    450. 

  450. 	mpz_out_raw(fp, pub->u);
    451. 

  451. 	mpz_out_raw(fp, pub->g);
    452. 

  452. 	mpz_out_raw(fp, pub->h);
    453. 

  453. 

  454. 	fclose(fp);
    455. 

  455. }
    456. 

  456. 

  457. void dgk_readkey(unsigned int modulusbits, unsigned int lbits, dgk_pubkey_t** pub, dgk_prvkey_t** prv) {
    458. 

  458. 	unsigned int i;
    459. 

  459. 

  460. 	mpz_t f1, tmp;
    461. 

  461. 

  462. 	mpz_inits(f1, tmp, NULL);
    463. 

  463. 

  464. 	char smod[5];
    465. 

  465. 	char slbit[4];
    466. 

  466. 	char name[40] = "dgk_key_";
    467. 

  467. 	const char* div = "_";
    468. 

  468. 	const char* ext = ".bin";
    469. 

  469. 

  470. 	sprintf(smod, "%d", modulusbits);
    471. 

  471. 	sprintf(slbit, "%d", lbits);
    472. 

  472. 

  473. 	strcat(name, smod);
    474. 

  474. 	strcat(name, div);
    475. 

  475. 	strcat(name, slbit);
    476. 

  476. 	strcat(name, ext);
    477. 

  477. 

  478. //	printf("reading dgk key from %s\n", name);
    479. 

  479. 

  480. 	/* allocate the new key structures */
    481. 

  481. 	*pub = (dgk_pubkey_t*) malloc(sizeof(dgk_pubkey_t));
    482. 

  482. 	*prv = (dgk_prvkey_t*) malloc(sizeof(dgk_prvkey_t));
    483. 

  483. 

  484. 	FILE *fp;
    485. 

  485. 	fp = fopen(name, "r");
    486. 

  486. 

  487. 	/* initialize our integers */
    488. 

  488. 	mpz_init((*pub)->n);
    489. 

  489. 	mpz_init((*pub)->u);
    490. 

  490. 	mpz_init((*pub)->h);
    491. 

  491. 	mpz_init((*pub)->g);
    492. 

  492. 

  493. 	mpz_init((*prv)->vp);
    494. 

  494. 	mpz_init((*prv)->vq);
    495. 

  495. 	mpz_init((*prv)->p);
    496. 

  496. 	mpz_init((*prv)->q);
    497. 

  497. 

  498. 	mpz_init((*prv)->pinv);
    499. 

  499. 	mpz_init((*prv)->qinv);
    500. 

  500. 

  501. 	mpz_init((*prv)->p_minusone);
    502. 

  502. 	mpz_init((*prv)->q_minusone);
    503. 

  503. 

  504. 	mpz_inp_raw((*prv)->p, fp);
    505. 

  505. 	mpz_inp_raw((*prv)->q, fp);
    506. 

  506. 	mpz_inp_raw((*prv)->vp, fp);
    507. 

  507. 	mpz_inp_raw((*prv)->vq, fp);
    508. 

  508. 	mpz_inp_raw((*prv)->pinv, fp);
    509. 

  509. 	mpz_inp_raw((*prv)->qinv, fp);
    510. 

  510. 

  511. 	mpz_inp_raw((*pub)->n, fp);
    512. 

  512. 	mpz_inp_raw((*pub)->u, fp);
    513. 

  513. 	mpz_inp_raw((*pub)->g, fp);
    514. 

  514. 	mpz_inp_raw((*pub)->h, fp);
    515. 

  515. 

  516. 	fclose(fp);
    517. 

  517. 

  518. 	mpz_sub_ui((*prv)->p_minusone, (*prv)->p, 1);
    519. 

  519. 	mpz_sub_ui((*prv)->q_minusone, (*prv)->q, 1);
    520. 

  520. 

  521. 	lbits = lbits * 2 + 2;
    522. 

  522. 

  523. 	(*pub)->bits = modulusbits;
    524. 

  524. 	(*pub)->lbits = lbits;
    525. 

  525. 

  526. 	powtwo = (mpz_t*) malloc(sizeof(mpz_t) * lbits);
    527. 

  527. 	gvpvqp = (mpz_t*) malloc(sizeof(mpz_t) * lbits);
    528. 

  528. 

  529. 	// array holding powers of two
    530. 

  530. 	for (i = 0; i < lbits; i++) {
    531. 

  531. 		mpz_init(powtwo[i]);
    532. 

  532. 		mpz_setbit(powtwo[i], i);
    533. 

  533. 	}
    534. 

  534. 

  535. 	mpz_powm(f1, (*pub)->g, (*prv)->vp, (*prv)->p); //gvpvq
    536. 

  536. 	mpz_sub_ui(tmp, (*pub)->u, 1); // tmp1 = u - 1
    537. 

  537. 

  538. 	for (i = 0; i < lbits; i++) {
    539. 

  539. 		mpz_init(gvpvqp[i]);
    540. 

  540. 		mpz_powm(gvpvqp[i], f1, powtwo[i], (*prv)->p);
    541. 

  541. 		mpz_powm(gvpvqp[i], gvpvqp[i], tmp, (*prv)->p);
    542. 

  542. 	}
    543. 

  543. 

  544. 	/*
    545. 

  545. 	 // debug output
    546. 

  546. 	 gmp_printf("n  %Zd\n", (*pub)->n);
    547. 

  547. 	 gmp_printf("u  %Zd\n", (*pub)->u);
    548. 

  548. 	 gmp_printf("g  %Zd\n", (*pub)->g);
    549. 

  549. 	 gmp_printf("h  %Zd\n", (*pub)->h);
    550. 

  550. 	 gmp_printf("p  %Zd\n", (*prv)->p);
    551. 

  551. 	 gmp_printf("q  %Zd\n", (*prv)->q);
    552. 

  552. 	 gmp_printf("vp %Zd\n", (*prv)->vp);
    553. 

  553. 	 gmp_printf("vq %Zd\n", (*prv)->vq);
    554. 

  554. 	 gmp_printf("vpinv %Zd\n", (*prv)->pinv);
    555. 

  555. 	 gmp_printf("vqinv %Zd\n", (*prv)->qinv);
    556. 

  556. 	 */
    557. 

  557. }
    558. 

  558. 

  559. void createKeys() {
    560. 

  560. 	dgk_pubkey_t * pub;
    561. 

  561. 	dgk_prvkey_t * prv;
    562. 

  562. 

  563. 	mpz_t msg, ct, msg2;
    564. 

  564. 

  565. 	mpz_inits(msg, ct, msg2, NULL);
    566. 

  566. 

  567. 	for (unsigned int n = 1024; n <= 3072; n += 1024) {
    568. 

  568. 		for (unsigned int l = 8; l <= 64; l *= 2) {
    569. 

  569. 

  570. 			// choose either keygen or readkey
    571. 

  571. 			// dgk_keygen(n, l, &pub, &prv); //uncomment to acutally create keys
    572. 

  572. 			dgk_readkey(n, l, &pub, &prv); //only read from file
    573. 

  573. 

  574. 			int no_error = 1;
    575. 

  575. 

  576. 			if (l < 16) {
    577. 

  577. 				int maxit = 1 << l;
    578. 

  578. 				for (int i = 0; i < maxit; i++) {
    579. 

  579. 					mpz_set_ui(msg, i);
    580. 

  580. 					dgk_encrypt_plain(ct, pub, msg);
    581. 

  581. 					dgk_decrypt(msg2, pub, prv, ct);
    582. 

  582. 

  583. 					if (mpz_cmp(msg, msg2)) {
    584. 

  584. 						//					printf("ERROR: \n");
    585. 

  585. 						//
    586. 

  586. 						//					gmp_printf("msg  %Zd\n", msg);
    587. 

  587. 						//					gmp_printf("ct   %Zd\n", ct);
    588. 

  588. 						//					gmp_printf("msg2 %Zd\n", msg2);
    589. 

  589. 						//
    590. 

  590. 						//					gmp_printf("n  %Zd\n", pub->n);
    591. 

  591. 						//					gmp_printf("u  %Zd\n", pub->u);
    592. 

  592. 						//					gmp_printf("g  %Zd\n", pub->g);
    593. 

  593. 						//					gmp_printf("h  %Zd\n", pub->h);
    594. 

  594. 						//					gmp_printf("p  %Zd\n", prv->p);
    595. 

  595. 						//					gmp_printf("q  %Zd\n", prv->q);
    596. 

  596. 						//					gmp_printf("vp %Zd\n", prv->vp);
    597. 

  597. 						//					gmp_printf("vq %Zd\n", prv->vq);
    598. 

  598. 						printf(".");
    599. 

  599. 						i = maxit;
    600. 

  600. 						no_error = 0;
    601. 

  601. 					}
    602. 

  602. 				}
    603. 

  603. 			} else {
    604. 

  604. 				for (int i = 0; i < KEYTEST_ITERATIONS; i++) {
    605. 

  605. 

  606. 					if (i > 3) {
    607. 

  607. 						aby_prng(msg, l);
    608. 

  608. 					}
    609. 

  609. 					// test some corner cases first: 0, 1, 2^l-1, 2^l-2. After that random numbers.
    610. 

  610. 					else if (i == 0)
    611. 

  611. 						mpz_set_ui(msg, 0);
    612. 

  612. 					else if (i == 1)
    613. 

  613. 						mpz_set_ui(msg, 1);
    614. 

  614. 					else if (i == 2) {
    615. 

  615. 						mpz_set_ui(msg, 0);
    616. 

  616. 						mpz_setbit(msg, l);
    617. 

  617. 						mpz_sub_ui(msg, msg, 1);
    618. 

  618. 					} else if (i == 3) {
    619. 

  619. 						mpz_sub_ui(msg, msg, 1);
    620. 

  620. 					}
    621. 

  621. 

  622. 					dgk_encrypt_plain(ct, pub, msg);
    623. 

  623. 					dgk_decrypt(msg2, pub, prv, ct);
    624. 

  624. 

  625. 					if (mpz_cmp(msg, msg2)) {
    626. 

  626. 						// Error: decrypted message is different from encrypted message. We have to start again.
    627. 

  627. 						//					printf("ERROR: \n");
    628. 

  628. 						//
    629. 

  629. 						//					gmp_printf("msg  %Zd\n", msg);
    630. 

  630. 						//					gmp_printf("ct   %Zd\n", ct);
    631. 

  631. 						//					gmp_printf("msg2 %Zd\n", msg2);
    632. 

  632. 						//
    633. 

  633. 						//					gmp_printf("n  %Zd\n", pub->n);
    634. 

  634. 						//					gmp_printf("u  %Zd\n", pub->u);
    635. 

  635. 						//					gmp_printf("g  %Zd\n", pub->g);
    636. 

  636. 						//					gmp_printf("h  %Zd\n", pub->h);
    637. 

  637. 						//					gmp_printf("p  %Zd\n", prv->p);
    638. 

  638. 						//					gmp_printf("q  %Zd\n", prv->q);
    639. 

  639. 						//					gmp_printf("vp %Zd\n", prv->vp);
    640. 

  640. 						//					gmp_printf("vq %Zd\n", prv->vq);
    641. 

  641. 						printf(".");
    642. 

  642. 						no_error = 0;
    643. 

  643. 						break;
    644. 

  644. 					}
    645. 

  645. 				}
    646. 

  646. 			}
    647. 

  647. 			if (no_error) {
    648. 

  648. 				// dgk_storekey(n, l, pub, prv);
    649. 

  649. 			} else {
    650. 

  650. 				if (l > 4) { // re-do last iteration
    651. 

  651. 					l /= 2;
    652. 

  652. 				}
    653. 

  653. 			}
    654. 

  654. 		}
    655. 

  655. 	}
    656. 

  656. }
    657. 

  657. 

  658. void test_encdec() {
    659. 

  659. 	dgk_pubkey_t * pub;
    660. 

  660. 	dgk_prvkey_t * prv;
    661. 

  661. 

  662. 	mpz_t a0, a1, b0, b1, c0, c1, r, d, a0c, b0c, rc, tmp0, tmp1;
    663. 

  663. 

  664. 	mpz_inits(a0, a1, b0, b1, c0, c1, r, d, a0c, b0c, rc, tmp0, tmp1, NULL);
    665. 

  665. 

  666. 	unsigned int l = 32;
    667. 

  667. 	unsigned int nbit = 3072;
    668. 

  668. 

  669. 	//choose either keygen or readkey
    670. 

  670. 	//dgk_keygen(nbit, l, &pub, &prv);
    671. 

  671. 	dgk_readkey(nbit, l, &pub, &prv);
    672. 

  672. 

  673. 	aby_prng(a0, l);
    674. 

  674. 	dgk_encrypt_crt(a0c, pub, prv, a0); //encrypt a0
    675. 

  675. 

  676. 	dgk_decrypt(b0, pub, prv, a0c);
    677. 

  677. 

  678. 	if (mpz_cmp(a0, b0) == 0) {
    679. 

  679. 		printf("fine\n");
    680. 

  680. 	} else {
    681. 

  681. 		printf("ERR :(\n");
    682. 

  682. 		gmp_printf("%Zd, %Zd", a0, b0);
    683. 

  683. 	}
    684. 

  684. 

  685. 	dgk_encrypt_plain(a0c, pub, a0);
    686. 

  686. 	dgk_decrypt(b0, pub, prv, a0c);
    687. 

  687. 

  688. 	if (mpz_cmp(a0, b0) == 0) {
    689. 

  689. 		printf("fine\n");
    690. 

  690. 	} else {
    691. 

  691. 		printf("ERR :(\n");
    692. 

  692. 		gmp_printf("%Zd, %Zd", a0, b0);
    693. 

  693. 	}
    694. 

  694. }
    695. 

  695. 

  696. void test_sharing() {
    697. 

  697. 	dgk_pubkey_t * pub;
    698. 

  698. 	dgk_prvkey_t * prv;
    699. 

  699. 

  700. 	mpz_t a0, a1, b0, b1, c0, c1, r, d, a0c, b0c, rc, tmp0, tmp1;
    701. 

  701. 

  702. 	mpz_inits(a0, a1, b0, b1, c0, c1, r, d, a0c, b0c, rc, tmp0, tmp1, NULL);
    703. 

  703. 

  704. 	unsigned int l = 32;
    705. 

  705. 	unsigned int nbit = 3072;
    706. 

  706. 

  707. 	//choose either keygen or readkey
    708. 

  708. 	// dgk_keygen(nbit, l, &pub, &prv);
    709. 

  709. 	dgk_readkey(nbit, l, &pub, &prv);
    710. 

  710. 

  711. 	// choose random a and b shares, l bits long
    712. 

  712. 	aby_prng(a0, l);
    713. 

  713. 	aby_prng(b0, l);
    714. 

  714. 	aby_prng(a1, l);
    715. 

  715. 	aby_prng(b1, l);
    716. 

  716. 

  717. 	gmp_printf("a0,b0: %Zd %Zd \n", a0, b0);
    718. 

  718. 	gmp_printf("a1,b1: %Zd %Zd \n", a1, b1);
    719. 

  719. 

  720. 	// choose random r for masking
    721. 

  721. 	aby_prng(r, 2 * l + 2);
    722. 

  722. 

  723. 	dgk_encrypt_plain(a0c, pub, a0); //encrypt a0
    724. 

  724. 	dgk_encrypt_plain(b0c, pub, b0); //encrypt b0
    725. 

  725. 	dgk_encrypt_plain(rc, pub, r); //encrypt r
    726. 

  726. 

  727. 	mpz_mul(c1, a1, b1);
    728. 

  728. 	mpz_mod_2exp(c1, c1, l);
    729. 

  729. 	mpz_sub(c1, c1, r); // c1 = a1*b1 - r
    730. 

  730. 	mpz_mod_2exp(c1, c1, l); // % l (stay within plaintext space)
    731. 

  731. 

  732. 	// homomorphic multiplication
    733. 

  733. 	mpz_powm(a0c, a0c, b1, pub->n);
    734. 

  734. 	mpz_powm(b0c, b0c, a1, pub->n);
    735. 

  735. 

  736. 	// test from here
    737. 

  737. 	dgk_decrypt(d, pub, prv, a0c);
    738. 

  738. 	gmp_printf("---test shares---\ndec a0*b1= %Zd\n", d);
    739. 

  739. 

  740. 	mpz_mul(tmp0, b1, a0);
    741. 

  741. 	gmp_printf("a0*b1=     %Zd\n", tmp0);
    742. 

  742. 

  743. 	dgk_decrypt(d, pub, prv, b0c);
    744. 

  744. 	gmp_printf("dec a1*b0= %Zd\n", d);
    745. 

  745. 

  746. 	mpz_mul(tmp1, b0, a1);
    747. 

  747. 	gmp_printf("a1*b0=     %Zd\n---test shares---\n", tmp1);
    748. 

  748. 	// test till here
    749. 

  749. 

  750. 	mpz_mul(a0c, a0c, b0c); // multiply [a0]^b1 and [b0]^a1 (homomorphic addition)
    751. 

  751. 	mpz_mod(a0c, a0c, pub->n); // product % n (stay within ciphertext space)
    752. 

  752. 

  753. 	// test from here
    754. 

  754. 	dgk_decrypt(d, pub, prv, a0c); // decrypt ciphertext (sum of products a0c, yet no r)
    755. 

  755. 	gmp_printf("dec 4x= %Zd\n", d);
    756. 

  756. 

  757. 	mpz_add(tmp0, tmp0, tmp1); // add plaintext products, should be equal to d
    758. 

  758. 	gmp_printf("4x=     %Zd\n", tmp0);
    759. 

  759. 

  760. 	mpz_add(tmp0, tmp0, r); // plaintext add r
    761. 

  761. 	mpz_mod_2exp(tmp1, tmp0, l); // mod l
    762. 

  762. 	gmp_printf("4x + r= %Zd = %Zd (mod l)\n", tmp0, tmp1);
    763. 

  763. 	// test till here
    764. 

  764. 

  765. 	mpz_mul(a0c, a0c, rc); // homomorphic addition of r
    766. 

  766. 	mpz_mod(a0c, a0c, pub->n); // product % n
    767. 

  767. 

  768. 	dgk_decrypt(d, pub, prv, a0c); // decrypt masked sum+r
    769. 

  769. 

  770. 	mpz_mul(c0, a0, b0); // c0 = a0 * b0
    771. 

  771. 	mpz_mod_2exp(c0, c0, l); // c0 = c0 % 2^l
    772. 

  772. 	mpz_add(c0, c0, d); // c0 = c0 + d
    773. 

  773. 	mpz_mod_2exp(c0, c0, l); // c0 = c0 % 2^l
    774. 

  774. 

  775. 	gmp_printf("%Zd %Zd %Zd\n", a0, b0, c0);
    776. 

  776. 	gmp_printf("%Zd %Zd %Zd\n", a1, b1, c1);
    777. 

  777. 	gmp_printf("%Zd %Zd\n", r, d);
    778. 

  778. 

  779. 	// test if MT is valid: (a0+a1) * (b0+b1) = c0+c1  [mod l]
    780. 

  780. 	mpz_add(a0, a0, a1);
    781. 

  781. 	mpz_add(b0, b0, b1);
    782. 

  782. 	mpz_mul(a0, a0, b0);
    783. 

  783. 	mpz_add(c0, c0, c1);
    784. 

  784. 

  785. 	mpz_mod_2exp(c0, c0, l);
    786. 

  786. 	mpz_mod_2exp(a0, a0, l);
    787. 

  787. 

  788. 	if (mpz_cmp(a0, c0) == 0) {
    789. 

  789. 		printf("fine\n");
    790. 

  790. 	} else {
    791. 

  791. 		printf("ERR :(\n");
    792. 

  792. 	}
    793. 

  793. }
    794. 

  794. 

  795. /**
    796. 

  796.  * uncomment the following main for direct testing
    797. 

  797.  * g++ dgk.cpp ../utils.cpp ../powmod.cpp -lgmp -O3 -g0 -o dgk
    798. 

  798.  */
    799. 

  799. // #include <time.h>
    800. 

  800. // int main(){
    801. 

  801. // 	srand (time(NULL)^clock());
    802. 

  802. 

  803. // 	// createKeys();
    804. 

  804. // 	test_encdec();
    805. 

  805. // 	test_sharing();
    806. 

  806. // 	printf("DGK END.\n");
    807. 

  807. 

  808. // 	return 0;
    809. 

  809. // }
    810.