From ef2fd069db5690ca026a66909eb4921f53fa92cf Mon Sep 17 00:00:00 2001
From: MITSUNARI Shigeo <herumi@nifty.com>
Date: Wed, 27 Sep 2017 09:54:39 +0900
Subject: [PATCH] [she] modify pairing instead of miller loop

---
 include/mcl/she.hpp | 51 ++++++++++++++++++---------------------------
 1 file changed, 20 insertions(+), 31 deletions(-)

diff --git a/include/mcl/she.hpp b/include/mcl/she.hpp
index a7f2550..5cc31a8 100644
--- a/include/mcl/she.hpp
+++ b/include/mcl/she.hpp
@@ -336,12 +336,10 @@ struct SHET {
 	static G1 P_;
 	static G2 Q_;
 	static GT ePQ_; // e(P, Q)
-	static GT mPQ_; // millerLoop(P, Q)
 	static std::vector<bn_current::Fp6> Qcoeff_;
 	static local::HashTable<G1> PhashTbl_;
 	static mcl::fp::WindowMethod<G2> Qwm_;
 	typedef local::InterfaceForHashTable<GT, false> GTasEC;
-	static mcl::fp::WindowMethod<GTasEC> mPQwm_;
 	static local::HashTable<GT, false> ePQhashTbl_;
 private:
 	template<class G>
@@ -427,16 +425,18 @@ private:
 		g1 = millerLoop(P1, Q)
 		g2 = millerLoop(P2, Q)
 	*/
-	static void doubleMillerLoop(GT& g1, GT& g2, const G1& P1, const G1& P2, const G2& Q)
+	static void doublePairing(GT& g1, GT& g2, const G1& P1, const G1& P2, const G2& Q)
 	{
 #if 1
 		std::vector<bn_current::Fp6> Qcoeff;
 		BN::precomputeG2(Qcoeff, Q);
 		BN::precomputedMillerLoop(g1, P1, Qcoeff);
+		BN::finalExp(g1, g1);
 		BN::precomputedMillerLoop(g2, P2, Qcoeff);
+		BN::finalExp(g2, g2);
 #else
-		BN::millerLoop(g1, P1, Q);
-		BN::millerLoop(g2, P2, Q);
+		BN::pairing(g1, P1, Q);
+		BN::pairing(g2, P2, Q);
 #endif
 	}
 	static void tensorProduct(GT g[4], const G1& S1, const G1& T1, const G2& S2, const G2& T2)
@@ -444,8 +444,8 @@ private:
 		/*
 			(S1, T1) x (S2, T2) = (e(S1, S2), e(S1, T2), e(T1, S2), e(T1, T2))
 		*/
-		doubleMillerLoop(g[0], g[2], S1, T1, S2);
-		doubleMillerLoop(g[1], g[3], S1, T1, T2);
+		doublePairing(g[0], g[2], S1, T1, S2);
+		doublePairing(g[1], g[3], S1, T1, T2);
 	}
 public:
 
@@ -457,12 +457,10 @@ public:
 		bn_current::initPairing(cp);
 		BN::hashAndMapToG1(P_, "0");
 		BN::hashAndMapToG2(Q_, "0");
-		BN::millerLoop(mPQ_, P_, Q_);
-		BN::finalExp(ePQ_, mPQ_);
+		BN::pairing(ePQ_, P_, Q_);
 		BN::precomputeG2(Qcoeff_, Q_);
 		const size_t bitSize = Fr::getBitSize();
 		Qwm_.init(Q_, bitSize, local::winSize);
-		mPQwm_.init(static_cast<const GTasEC&>(mPQ_), bitSize, local::winSize);
 	}
 	/*
 		set range for G1-DLP
@@ -562,7 +560,6 @@ public:
 			GT::pow(u, u, x_);
 			v *= u;
 			v *= c.g_[0];
-			BN::finalExp(v, v);
 			return ePQhashTbl_.log(v);
 //			return log(g, v);
 		}
@@ -668,7 +665,7 @@ public:
 			rb.setRand(rg);
 			rc.setRand(rg);
 			GT e;
-#if 1
+
 			G1 P1, P2;
 			G1::mul(P1, xP_, ra);
 			if (m) {
@@ -684,23 +681,15 @@ public:
 			P1 -= P2;
 			BN::millerLoop(e, P1, yQ_);
 			c.g_[0] *= e;
-#else
-			GT::pow(c.g_[0], mxPQ, ra);
-			GT::pow(e, myPQ, rb);
-			c.g_[0] *= e;
-			GT::pow(e, mxyPQ, -rc);
-			c.g_[0] *= e;
-			GT::pow(e, mPQ_, m);
-			c.g_[0] *= e;
-#endif
+			BN::finalExp(c.g_[0], c.g_[0]);
 #if 1
-			mPQwm_.mul(static_cast<GTasEC&>(c.g_[1]), rb);
-			mPQwm_.mul(static_cast<GTasEC&>(c.g_[2]), ra);
-			mPQwm_.mul(static_cast<GTasEC&>(c.g_[3]), rc);
+			ePQhashTbl_.mulByWindowMethod(c.g_[1], rb);
+			ePQhashTbl_.mulByWindowMethod(c.g_[2], ra);
+			ePQhashTbl_.mulByWindowMethod(c.g_[3], rc);
 #else
-			GT::pow(c.g_[1], mPQ_, rb);
-			GT::pow(c.g_[2], mPQ_, ra);
-			GT::pow(c.g_[3], mPQ_, rc);
+			GT::pow(c.g_[1], ePQ_, rb);
+			GT::pow(c.g_[2], ePQ_, ra);
+			GT::pow(c.g_[3], ePQ_, rc);
 #endif
 		}
 		template<class RG>
@@ -727,9 +716,12 @@ public:
 				Enc(1) = (S, T) = (Q + r yQ, rQ) = (Q, 0) if r = 0
 				cm = c1 * (Q, 0) = (S, T) * (Q, 0) = (e(S, Q), 1, e(T, Q), 1)
 			*/
-//			doubleMillerLoop(cm.g_[0], cm.g_[2], c1.S, c1.T, Q);
+//			doublePairing(cm.g_[0], cm.g_[2], c1.S, c1.T, Q);
 			BN::precomputedMillerLoop(cm.g_[0], c1.S_, Qcoeff_);
+			BN::finalExp(cm.g_[0], cm.g_[0]);
 			BN::precomputedMillerLoop(cm.g_[2], c1.T_, Qcoeff_);
+			BN::finalExp(cm.g_[2], cm.g_[2]);
+
 			cm.g_[1] = 1;
 			cm.g_[3] = 1;
 		}
@@ -968,7 +960,6 @@ public:
 		{
 			/*
 				(S1, T1) * (S2, T2) = (e(S1, S2), e(S1, T2), e(T1, S2), e(T1, T2))
-				call finalExp at once in decrypting c
 			*/
 			tensorProduct(z.g_, x.S_, x.T_, y.S_, y.T_);
 		}
@@ -1150,11 +1141,9 @@ public:
 template<class BN, class Fr> typename BN::G1 SHET<BN, Fr>::P_;
 template<class BN, class Fr> typename BN::G2 SHET<BN, Fr>::Q_;
 template<class BN, class Fr> typename BN::Fp12 SHET<BN, Fr>::ePQ_;
-template<class BN, class Fr> typename BN::Fp12 SHET<BN, Fr>::mPQ_;
 template<class BN, class Fr> std::vector<bn_current::Fp6> SHET<BN, Fr>::Qcoeff_;
 template<class BN, class Fr> local::HashTable<typename BN::G1> SHET<BN, Fr>::PhashTbl_;
 template<class BN, class Fr> mcl::fp::WindowMethod<typename BN::G2> SHET<BN, Fr>::Qwm_;
-template<class BN, class Fr> mcl::fp::WindowMethod<mcl::she::local::InterfaceForHashTable<typename BN::Fp12, false> > SHET<BN, Fr>::mPQwm_;
 template<class BN, class Fr> local::HashTable<typename BN::Fp12, false> SHET<BN, Fr>::ePQhashTbl_;
 typedef mcl::she::SHET<bn_current::BN, bn_current::Fr> SHE;
 typedef SHE::SecretKey SecretKey;