linux-sgx-trts-modified/external/epid-sdk/epid/verifier/src/context.c

/*############################################################################
  # Copyright 2016-2017 Intel Corporation
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  ############################################################################*/

/*!
 * \file
 * \brief Verifier context implementation.
 */
#include "epid/verifier/src/context.h"
#include <string.h>
#include "epid/common/math/pairing.h"
#include "epid/common/src/endian_convert.h"
#include "epid/common/src/epid2params.h"
#include "epid/common/src/memory.h"
#include "epid/common/src/sigrlvalid.h"
#include "epid/verifier/api.h"

/// Handle SDK Error with Break
#define BREAK_ON_EPID_ERROR(ret) \
  if (kEpidNoErr != (ret)) {     \
    break;                       \
  }
/// create Verifier precomp of the VerifierCtx
static EpidStatus DoPrecomputation(VerifierCtx* ctx);

/// Read Verifier precomp
static EpidStatus ReadPrecomputation(VerifierPrecomp const* precomp_str,
                                     VerifierCtx* ctx);

/// Internal function to prove if group based revocation list is valid
static bool IsGroupRlValid(GroupRl const* group_rl, size_t grp_rl_size) {
  const size_t kMinGroupRlSize = sizeof(GroupRl) - sizeof(GroupId);
  size_t input_grp_rl_size = 0;

  if (!group_rl || grp_rl_size < kMinGroupRlSize) {
    return false;
  }
  if (ntohl(group_rl->n3) > (SIZE_MAX - kMinGroupRlSize) / sizeof(GroupId)) {
    return false;
  }
  input_grp_rl_size = kMinGroupRlSize + (ntohl(group_rl->n3) * sizeof(GroupId));
  if (input_grp_rl_size != grp_rl_size) {
    return false;
  }
  return true;
}

/// Internal function to verify if private key based revocation list is valid
static bool IsPrivRlValid(GroupId const* gid, PrivRl const* priv_rl,
                          size_t priv_rl_size) {
  const size_t kMinPrivRlSize = sizeof(PrivRl) - sizeof(FpElemStr);
  size_t input_priv_rl_size = 0;

  if (!gid || !priv_rl || kMinPrivRlSize > priv_rl_size) {
    return false;
  }
  if (ntohl(priv_rl->n1) >
      (SIZE_MAX - kMinPrivRlSize) / sizeof(priv_rl->f[0])) {
    return false;
  }
  // sanity check of input PrivRl size
  input_priv_rl_size =
      kMinPrivRlSize + ntohl(priv_rl->n1) * sizeof(priv_rl->f[0]);
  if (input_priv_rl_size != priv_rl_size) {
    return false;
  }
  // verify that gid given and gid in PrivRl match
  if (0 != memcmp(gid, &priv_rl->gid, sizeof(*gid))) {
    return false;
  }
  return true;
}

/// Internal function to verify if verifier revocation list is valid
static bool IsVerifierRlValid(GroupId const* gid, VerifierRl const* ver_rl,
                              size_t ver_rl_size) {
  const size_t kMinVerifierRlSize = sizeof(VerifierRl) - sizeof(G1ElemStr);
  size_t expected_verifier_rl_size = 0;

  if (!gid || !ver_rl || kMinVerifierRlSize > ver_rl_size) {
    return false;
  }
  if (ntohl(ver_rl->n4) >
      (SIZE_MAX - kMinVerifierRlSize) / sizeof(ver_rl->K[0])) {
    return false;
  }
  // sanity check of input VerifierRl size
  expected_verifier_rl_size =
      kMinVerifierRlSize + ntohl(ver_rl->n4) * sizeof(ver_rl->K[0]);
  if (expected_verifier_rl_size != ver_rl_size) {
    return false;
  }

  // verify that gid in public key and gid in SigRl match
  if (0 != memcmp(gid, &ver_rl->gid, sizeof(*gid))) {
    return false;
  }

  return true;
}

EpidStatus EpidVerifierCreate(GroupPubKey const* pubkey,
                              VerifierPrecomp const* precomp,
                              VerifierCtx** ctx) {
  EpidStatus result = kEpidErr;
  VerifierCtx* verifier_ctx = NULL;
  if (!pubkey || !ctx) {
    return kEpidBadArgErr;
  }
  do {
    // Allocate memory for VerifierCtx
    verifier_ctx = SAFE_ALLOC(sizeof(VerifierCtx));
    if (!verifier_ctx) {
      result = kEpidMemAllocErr;
      break;
    }

    // set the default hash algorithm
    verifier_ctx->hash_alg = kSha512;
#ifdef TPM_TSS  // if build for TSS, make Sha256 default
    verifier_ctx->hash_alg = kSha256;
#endif

    // Internal representation of Epid2Params
    result = CreateEpid2Params(&verifier_ctx->epid2_params);
    if (kEpidNoErr != result) {
      break;
    }
    // Internal representation of Group Pub Key
    result = CreateGroupPubKey(pubkey, verifier_ctx->epid2_params->G1,
                               verifier_ctx->epid2_params->G2,
                               &verifier_ctx->pub_key);
    if (kEpidNoErr != result) {
      break;
    }
    // Store group public key strings for later use
    result = SetKeySpecificCommitValues(pubkey, &verifier_ctx->commit_values);
    if (kEpidNoErr != result) {
      break;
    }
    // Allocate verifier_ctx->e12
    result = NewFfElement(verifier_ctx->epid2_params->GT, &verifier_ctx->e12);
    if (kEpidNoErr != result) {
      break;
    }
    // Allocate verifier_ctx->e22
    result = NewFfElement(verifier_ctx->epid2_params->GT, &verifier_ctx->e22);
    if (kEpidNoErr != result) {
      break;
    }
    // Allocate verifier_ctx->e2w
    result = NewFfElement(verifier_ctx->epid2_params->GT, &verifier_ctx->e2w);
    if (kEpidNoErr != result) {
      break;
    }
    // Allocate verifier_ctx->eg12
    result = NewFfElement(verifier_ctx->epid2_params->GT, &verifier_ctx->eg12);
    if (kEpidNoErr != result) {
      break;
    }
    // precomputation
    if (precomp != NULL) {
      result = ReadPrecomputation(precomp, verifier_ctx);
    } else {
      result = DoPrecomputation(verifier_ctx);
    }
    if (kEpidNoErr != result) {
      break;
    }
    verifier_ctx->sig_rl = NULL;
    verifier_ctx->group_rl = NULL;
    verifier_ctx->priv_rl = NULL;
    verifier_ctx->verifier_rl = NULL;
    verifier_ctx->was_verifier_rl_updated = false;
    verifier_ctx->basename_hash = NULL;
    verifier_ctx->basename = NULL;
    verifier_ctx->basename_len = 0;
    *ctx = verifier_ctx;
    result = kEpidNoErr;
  } while (0);

  if (kEpidNoErr != result && verifier_ctx) {
    DeleteFfElement(&verifier_ctx->eg12);
    DeleteFfElement(&verifier_ctx->e2w);
    DeleteFfElement(&verifier_ctx->e22);
    DeleteFfElement(&verifier_ctx->e12);
    DeleteEpid2Params(&verifier_ctx->epid2_params);
    DeleteGroupPubKey(&verifier_ctx->pub_key);
    SAFE_FREE(verifier_ctx);
  }
  return result;
}

void EpidVerifierDelete(VerifierCtx** ctx) {
  if (ctx && *ctx) {
    DeleteFfElement(&(*ctx)->eg12);
    DeleteFfElement(&(*ctx)->e2w);
    DeleteFfElement(&(*ctx)->e22);
    DeleteFfElement(&(*ctx)->e12);
    DeleteGroupPubKey(&(*ctx)->pub_key);
    DeleteEpid2Params(&(*ctx)->epid2_params);
    (*ctx)->priv_rl = NULL;
    (*ctx)->sig_rl = NULL;
    (*ctx)->group_rl = NULL;
    SAFE_FREE((*ctx)->verifier_rl);
    DeleteEcPoint(&(*ctx)->basename_hash);
    SAFE_FREE((*ctx)->basename);
    (*ctx)->basename_len = 0;
    SAFE_FREE(*ctx);
  }
}

EpidStatus EpidVerifierWritePrecomp(VerifierCtx const* ctx,
                                    VerifierPrecomp* precomp) {
  EpidStatus result = kEpidErr;
  FfElement* e12 = NULL;   // an element in GT
  FfElement* e22 = NULL;   // an element in GT
  FfElement* e2w = NULL;   // an element in GT
  FfElement* eg12 = NULL;  // an element in GT
  FiniteField* GT = NULL;  // Finite field GT(Fq12 )
  if (!ctx) {
    return kEpidBadArgErr;
  }
  if (!precomp) {
    return kEpidBadArgErr;
  }
  if (!ctx->e12 || !ctx->e22 || !ctx->e2w || !ctx->eg12 || !ctx->epid2_params ||
      !ctx->epid2_params->GT || !ctx->pub_key) {
    return kEpidBadArgErr;
  }
  e12 = ctx->e12;
  e22 = ctx->e22;
  e2w = ctx->e2w;
  eg12 = ctx->eg12;
  GT = ctx->epid2_params->GT;
  precomp->gid = ctx->pub_key->gid;
  result = WriteFfElement(GT, e12, &(precomp->e12), sizeof(precomp->e12));
  if (kEpidNoErr != result) {
    return result;
  }
  result = WriteFfElement(GT, e22, &(precomp->e22), sizeof(precomp->e22));
  if (kEpidNoErr != result) {
    return result;
  }
  result = WriteFfElement(GT, e2w, &(precomp->e2w), sizeof(precomp->e2w));
  if (kEpidNoErr != result) {
    return result;
  }
  result = WriteFfElement(GT, eg12, &(precomp->eg12), sizeof(precomp->eg12));
  if (kEpidNoErr != result) {
    return result;
  }
  return result;
}

EpidStatus EpidVerifierSetPrivRl(VerifierCtx* ctx, PrivRl const* priv_rl,
                                 size_t priv_rl_size) {
  if (!ctx || !priv_rl || !ctx->pub_key) {
    return kEpidBadArgErr;
  }
  if (!IsPrivRlValid(&ctx->pub_key->gid, priv_rl, priv_rl_size)) {
    return kEpidBadArgErr;
  }
  // Do not set an older version of priv rl
  if (ctx->priv_rl) {
    unsigned int current_ver = 0;
    unsigned int incoming_ver = 0;
    current_ver = ntohl(ctx->priv_rl->version);
    incoming_ver = ntohl(priv_rl->version);
    if (current_ver >= incoming_ver) {
      return kEpidBadArgErr;
    }
  }
  ctx->priv_rl = priv_rl;
  return kEpidNoErr;
}

EpidStatus EpidVerifierSetSigRl(VerifierCtx* ctx, SigRl const* sig_rl,
                                size_t sig_rl_size) {
  if (!ctx || !sig_rl || !ctx->pub_key) {
    return kEpidBadArgErr;
  }
  if (!IsSigRlValid(&ctx->pub_key->gid, sig_rl, sig_rl_size)) {
    return kEpidBadArgErr;
  }
  // Do not set an older version of sig rl
  if (ctx->sig_rl) {
    unsigned int current_ver = 0;
    unsigned int incoming_ver = 0;
    current_ver = ntohl(ctx->sig_rl->version);
    incoming_ver = ntohl(sig_rl->version);
    if (current_ver >= incoming_ver) {
      return kEpidBadArgErr;
    }
  }
  ctx->sig_rl = sig_rl;

  return kEpidNoErr;
}

EpidStatus EpidVerifierSetGroupRl(VerifierCtx* ctx, GroupRl const* grp_rl,
                                  size_t grp_rl_size) {
  if (!ctx || !grp_rl || !ctx->pub_key) {
    return kEpidBadArgErr;
  }
  if (!IsGroupRlValid(grp_rl, grp_rl_size)) {
    return kEpidBadArgErr;
  }
  // Do not set an older version of group rl
  if (ctx->group_rl) {
    unsigned int current_ver = 0;
    unsigned int incoming_ver = 0;
    current_ver = ntohl(ctx->group_rl->version);
    incoming_ver = ntohl(grp_rl->version);
    if (current_ver >= incoming_ver) {
      return kEpidBadArgErr;
    }
  }
  ctx->group_rl = grp_rl;

  return kEpidNoErr;
}

EpidStatus EpidVerifierSetVerifierRl(VerifierCtx* ctx, VerifierRl const* ver_rl,
                                     size_t ver_rl_size) {
  VerifierRl* verifier_rl = NULL;
  EpidStatus res = kEpidErr;
  EcPoint* B = NULL;
  bool cmp_result = false;
  EcGroup* G1 = NULL;
  if (!ctx || !ver_rl || !ctx->pub_key || !ctx->epid2_params ||
      !ctx->epid2_params->G1) {
    return kEpidBadArgErr;
  }
  if (!IsVerifierRlValid(&ctx->pub_key->gid, ver_rl, ver_rl_size)) {
    return kEpidBadArgErr;
  }
  // if random basename
  if (!ctx->basename_hash) {
    return kEpidInconsistentBasenameSetErr;
  }
  // Do not set an older version of verifier rl
  if (ctx->verifier_rl) {
    unsigned int current_ver = 0;
    unsigned int incoming_ver = 0;
    current_ver = ntohl(ctx->verifier_rl->version);
    incoming_ver = ntohl(ver_rl->version);
    if (current_ver >= incoming_ver) {
      return kEpidBadArgErr;
    }
  }
  do {
    G1 = ctx->epid2_params->G1;
    res = NewEcPoint(G1, &B);
    BREAK_ON_EPID_ERROR(res);
    res = ReadEcPoint(G1, &(ver_rl->B), sizeof(ver_rl->B), B);
    BREAK_ON_EPID_ERROR(res);
    // verify B = G1.hash(bsn)
    res = EcIsEqual(G1, ctx->basename_hash, B, &cmp_result);
    BREAK_ON_EPID_ERROR(res);
    if (true != cmp_result) {
      res = kEpidBadArgErr;
      break;
    }
    verifier_rl = SAFE_ALLOC(ver_rl_size);
    if (!verifier_rl) {
      res = kEpidMemAllocErr;
      break;
    }
    if (0 != memcpy_S(verifier_rl, ver_rl_size, ver_rl, ver_rl_size)) {
      res = kEpidBadArgErr;
      break;
    }
    res = kEpidNoErr;
  } while (0);
  DeleteEcPoint(&B);
  SAFE_FREE(ctx->verifier_rl);
  if (kEpidNoErr == res) {
    ctx->verifier_rl = verifier_rl;
    ctx->was_verifier_rl_updated = false;
  }
  return res;
}

size_t EpidGetVerifierRlSize(VerifierCtx const* ctx) {
  size_t empty_size = 0;
  if (!ctx || !ctx->basename_hash) return 0;
  empty_size = sizeof(VerifierRl) - sizeof(((VerifierRl*)0)->K[0]);
  if (!ctx->verifier_rl) return empty_size;
  return empty_size +
         ntohl(ctx->verifier_rl->n4) * sizeof(ctx->verifier_rl->K[0]);
}

EpidStatus EpidWriteVerifierRl(VerifierCtx const* ctx, VerifierRl* ver_rl,
                               size_t ver_rl_size) {
  EpidStatus res = kEpidErr;
  size_t real_ver_rl_size = 0;
  if (!ctx || !ver_rl || !ctx->pub_key || !ctx->epid2_params ||
      !ctx->epid2_params->G1) {
    return kEpidBadArgErr;
  }
  real_ver_rl_size = EpidGetVerifierRlSize(ctx);
  if (real_ver_rl_size == 0) {
    return kEpidErr;
  }
  if (real_ver_rl_size != ver_rl_size) {
    return kEpidBadArgErr;
  }
  if (ctx->verifier_rl) {
    // serialize
    if (0 !=
        memcpy_S(ver_rl, ver_rl_size, ctx->verifier_rl, real_ver_rl_size)) {
      return kEpidBadArgErr;
    }
    // update rl version if it has changed
    if (ctx->was_verifier_rl_updated) {
      uint32_t prior_rl_version = ntohl(ver_rl->version);
      *((uint32_t*)(&ver_rl->version)) = htonl(prior_rl_version + 1);
      ((VerifierCtx*)ctx)->was_verifier_rl_updated = false;
    }
  } else {
    // write empty rl
    res = WriteEcPoint(ctx->epid2_params->G1, ctx->basename_hash, &(ver_rl->B),
                       sizeof(ver_rl->B));
    if (kEpidNoErr != res) {
      return res;
    }
    ver_rl->gid = ctx->pub_key->gid;
    memset(&ver_rl->version, 0, sizeof(ver_rl->version));
    memset(&ver_rl->n4, 0, sizeof(ver_rl->n4));
  }
  return kEpidNoErr;
}

EpidStatus EpidBlacklistSig(VerifierCtx* ctx, EpidSignature const* sig,
                            size_t sig_len, void const* msg, size_t msg_len) {
  EpidStatus result = kEpidErr;
  VerifierRl* ver_rl = NULL;
  if (!ctx || !sig || (!msg && msg_len > 0) || !ctx->epid2_params ||
      !ctx->epid2_params->G1) {
    return kEpidBadArgErr;
  }
  if (sig_len < sizeof(EpidSignature) - sizeof(((EpidSignature*)0)->sigma[0])) {
    return kEpidBadArgErr;
  }
  if (!ctx->basename_hash) {
    return kEpidInconsistentBasenameSetErr;
  }

  do {
    EcGroup* G1 = ctx->epid2_params->G1;
    uint32_t n4 = 0;
    result = EpidVerify(ctx, sig, sig_len, msg, msg_len);
    BREAK_ON_EPID_ERROR(result);

    if (!ctx->verifier_rl) {
      ver_rl = SAFE_ALLOC(sizeof(VerifierRl));
      if (!ver_rl) {
        result = kEpidMemAllocErr;
        break;
      }
      // write empty rl
      ver_rl->gid = ctx->pub_key->gid;
      result =
          WriteEcPoint(G1, ctx->basename_hash, &(ver_rl->B), sizeof(ver_rl->B));
      BREAK_ON_EPID_ERROR(result);
    } else {
      uint32_t prior_rl_version = ntohl(ctx->verifier_rl->version);
      n4 = ntohl(ctx->verifier_rl->n4);

      if (prior_rl_version == UINT32_MAX || n4 == UINT32_MAX) {
        result = kEpidBadArgErr;
        break;
      }
      ver_rl = SAFE_REALLOC(
          ctx->verifier_rl,
          EpidGetVerifierRlSize(ctx) + sizeof(((VerifierRl*)0)->K[0]));
      if (!ver_rl) {
        result = kEpidMemAllocErr;
        break;
      }
    }

    ctx->was_verifier_rl_updated = true;
    ++n4;
    ver_rl->K[n4 - 1] = sig->sigma0.K;

    *((uint32_t*)(&ver_rl->n4)) = htonl(n4);
    ctx->verifier_rl = ver_rl;
    result = kEpidNoErr;
  } while (0);
  if (kEpidNoErr != result) SAFE_FREE(ver_rl);
  return result;
}

EpidStatus EpidVerifierSetHashAlg(VerifierCtx* ctx, HashAlg hash_alg) {
  EpidStatus result = kEpidErr;
  if (!ctx) {
    return kEpidBadArgErr;
  }
  if (kSha256 != hash_alg && kSha384 != hash_alg && kSha512 != hash_alg &&
      kSha512_256 != hash_alg)
    return kEpidBadArgErr;

  if (ctx->hash_alg != hash_alg) {
    HashAlg previous_hash_alg = ctx->hash_alg;
    ctx->hash_alg = hash_alg;

    result = EpidVerifierSetBasename(ctx, ctx->basename, ctx->basename_len);
    if (kEpidNoErr != result) {
      ctx->hash_alg = previous_hash_alg;
      return result;
    }
  }
  result = kEpidNoErr;
  return result;
}

EpidStatus EpidVerifierSetBasename(VerifierCtx* ctx, void const* basename,
                                   size_t basename_len) {
  EpidStatus result = kEpidErr;
  EcPoint* basename_hash = NULL;
  uint8_t* basename_buffer = NULL;

  if (!ctx || !ctx->epid2_params || !ctx->epid2_params->G1) {
    return kEpidBadArgErr;
  }
  if (!basename && basename_len > 0) {
    return kEpidBadArgErr;
  }

  if (!basename) {
    DeleteEcPoint(&ctx->basename_hash);
    ctx->basename_hash = NULL;
    ctx->was_verifier_rl_updated = false;
    SAFE_FREE(ctx->basename);
    ctx->basename_len = 0;
    return kEpidNoErr;
  }

  do {
    size_t i = 0;
    EcGroup* G1 = ctx->epid2_params->G1;
    result = NewEcPoint(G1, &basename_hash);
    if (kEpidNoErr != result) {
      break;
    }

    result =
        EcHash(G1, basename, basename_len, ctx->hash_alg, basename_hash, NULL);
    if (kEpidNoErr != result) {
      break;
    }

    if (basename_len > 0) {
      basename_buffer = SAFE_ALLOC(basename_len);
      if (!basename_buffer) {
        result = kEpidMemAllocErr;
        break;
      }
    }

    SAFE_FREE(ctx->verifier_rl);

    DeleteEcPoint(&ctx->basename_hash);
    ctx->basename_hash = basename_hash;
    SAFE_FREE(ctx->basename);
    ctx->basename = basename_buffer;
    ctx->basename_len = basename_len;
    for (i = 0; i < basename_len; i++) {
      ctx->basename[i] = ((uint8_t*)basename)[i];
    }
    result = kEpidNoErr;
  } while (0);

  if (kEpidNoErr != result) {
    DeleteEcPoint(&basename_hash);
    SAFE_FREE(basename_buffer);
  }
  return result;
}

static EpidStatus DoPrecomputation(VerifierCtx* ctx) {
  EpidStatus result = kEpidErr;
  FfElement* e12 = NULL;
  FfElement* e22 = NULL;
  FfElement* e2w = NULL;
  FfElement* eg12 = NULL;
  Epid2Params_* params = NULL;
  GroupPubKey_* pub_key = NULL;
  PairingState* ps_ctx = NULL;
  if (!ctx) {
    return kEpidBadArgErr;
  }
  if (!ctx->epid2_params || !ctx->epid2_params->GT ||
      !ctx->epid2_params->pairing_state || !ctx->pub_key || !ctx->e12 ||
      !ctx->e22 || !ctx->e2w || !ctx->eg12) {
    return kEpidBadArgErr;
  }
  pub_key = ctx->pub_key;
  params = ctx->epid2_params;
  e12 = ctx->e12;
  e22 = ctx->e22;
  e2w = ctx->e2w;
  eg12 = ctx->eg12;
  ps_ctx = params->pairing_state;
  // do precomputation
  // 1. The verifier computes e12 = pairing(h1, g2).
  result = Pairing(ps_ctx, pub_key->h1, params->g2, e12);
  if (kEpidNoErr != result) {
    return result;
  }
  // 2. The verifier computes e22 = pairing(h2, g2).
  result = Pairing(ps_ctx, pub_key->h2, params->g2, e22);
  if (kEpidNoErr != result) {
    return result;
  }
  // 3. The verifier computes e2w = pairing(h2, w).
  result = Pairing(ps_ctx, pub_key->h2, pub_key->w, e2w);
  if (kEpidNoErr != result) {
    return result;
  }
  // 4. The verifier computes eg12 = pairing(g1, g2).
  result = Pairing(ps_ctx, params->g1, params->g2, eg12);
  if (kEpidNoErr != result) {
    return result;
  }
  return kEpidNoErr;
}
static EpidStatus ReadPrecomputation(VerifierPrecomp const* precomp_str,
                                     VerifierCtx* ctx) {
  EpidStatus result = kEpidErr;
  FfElement* e12 = NULL;
  FfElement* e22 = NULL;
  FfElement* e2w = NULL;
  FfElement* eg12 = NULL;
  FiniteField* GT = NULL;
  Epid2Params_* params = NULL;
  if (!ctx) {
    return kEpidBadArgErr;
  }
  if (!ctx->epid2_params || !ctx->epid2_params->GT || !ctx->e12 || !ctx->e22 ||
      !ctx->e2w || !ctx->eg12 || !ctx->pub_key) {
    return kEpidBadArgErr;
  }
  if (0 !=
      memcmp(&precomp_str->gid, &ctx->pub_key->gid, sizeof(precomp_str->gid))) {
    return kEpidBadArgErr;
  }
  params = ctx->epid2_params;
  GT = params->GT;
  e12 = ctx->e12;
  e22 = ctx->e22;
  e2w = ctx->e2w;
  eg12 = ctx->eg12;

  result = ReadFfElement(GT, &precomp_str->e12, sizeof(precomp_str->e12), e12);
  if (kEpidNoErr != result) {
    return result;
  }
  result = ReadFfElement(GT, &precomp_str->e22, sizeof(precomp_str->e22), e22);
  if (kEpidNoErr != result) {
    return result;
  }
  result = ReadFfElement(GT, &precomp_str->e2w, sizeof(precomp_str->e2w), e2w);
  if (kEpidNoErr != result) {
    return result;
  }
  result =
      ReadFfElement(GT, &precomp_str->eg12, sizeof(precomp_str->eg12), eg12);
  if (kEpidNoErr != result) {
    return result;
  }
  return kEpidNoErr;
}