You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@milagro.apache.org by br...@apache.org on 2018/11/08 00:13:02 UTC
[42/51] [partial] incubator-milagro-crypto-c git commit: update code
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/fp24.h.in
----------------------------------------------------------------------
diff --git a/include/fp24.h.in b/include/fp24.h.in
new file mode 100644
index 0000000..122aad5
--- /dev/null
+++ b/include/fp24.h.in
@@ -0,0 +1,222 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/
+
+/**
+ * @file fp24_YYY.h
+ * @author Mike Scott
+ * @brief FP24 Header File
+ *
+ */
+
+#ifndef FP24_YYY_H
+#define FP24_YYY_H
+
+#include "fp8_YYY.h"
+
+/**
+ @brief FP24 Structure - towered over three FP8
+*/
+
+typedef struct
+{
+ FP8_YYY a; /**< first part of FP12 */
+ FP8_YYY b; /**< second part of FP12 */
+ FP8_YYY c; /**< third part of FP12 */
+} FP24_YYY;
+
+extern const BIG_XXX Fra_YYY; /**< real part of BN curve Frobenius Constant */
+extern const BIG_XXX Frb_YYY; /**< imaginary part of BN curve Frobenius Constant */
+
+/* FP24 prototypes */
+/** @brief Tests for FP24 equal to zero
+ *
+ @param x FP24 number to be tested
+ @return 1 if zero, else returns 0
+ */
+extern int FP24_YYY_iszilch(FP24_YYY *x);
+/** @brief Tests for FP24 equal to unity
+ *
+ @param x FP24 number to be tested
+ @return 1 if unity, else returns 0
+ */
+extern int FP24_YYY_isunity(FP24_YYY *x);
+/** @brief Copy FP24 to another FP24
+ *
+ @param x FP24 instance, on exit = y
+ @param y FP24 instance to be copied
+ */
+extern void FP24_YYY_copy(FP24_YYY *x,FP24_YYY *y);
+/** @brief Set FP24 to unity
+ *
+ @param x FP24 instance to be set to one
+ */
+extern void FP24_YYY_one(FP24_YYY *x);
+/** @brief Tests for equality of two FP24s
+ *
+ @param x FP24 instance to be compared
+ @param y FP24 instance to be compared
+ @return 1 if x=y, else returns 0
+ */
+extern int FP24_YYY_equals(FP24_YYY *x,FP24_YYY *y);
+/** @brief Conjugation of FP24
+ *
+ If y=(a,b,c) (where a,b,c are its three FP8 components) on exit x=(conj(a),-conj(b),conj(c))
+ @param x FP24 instance, on exit = conj(y)
+ @param y FP24 instance
+ */
+extern void FP24_YYY_conj(FP24_YYY *x,FP24_YYY *y);
+/** @brief Initialise FP24 from single FP8
+ *
+ Sets first FP8 component of an FP24, other components set to zero
+ @param x FP24 instance to be initialised
+ @param a FP8 to form first part of FP8
+ */
+extern void FP24_YYY_from_FP8(FP24_YYY *x,FP8_YYY *a);
+/** @brief Initialise FP24 from three FP8s
+ *
+ @param x FP24 instance to be initialised
+ @param a FP8 to form first part of FP24
+ @param b FP8 to form second part of FP24
+ @param c FP8 to form third part of FP24
+ */
+extern void FP24_YYY_from_FP8s(FP24_YYY *x,FP8_YYY *a,FP8_YYY* b,FP8_YYY *c);
+/** @brief Fast Squaring of an FP24 in "unitary" form
+ *
+ @param x FP24 instance, on exit = y^2
+ @param y FP8 instance, must be unitary
+ */
+extern void FP24_YYY_usqr(FP24_YYY *x,FP24_YYY *y);
+/** @brief Squaring an FP24
+ *
+ @param x FP24 instance, on exit = y^2
+ @param y FP24 instance
+ */
+extern void FP24_YYY_sqr(FP24_YYY *x,FP24_YYY *y);
+/** @brief Fast multiplication of an FP24 by an FP24 that arises from an ATE pairing line function
+ *
+ Here the multiplier has a special form that can be exploited
+ @param x FP24 instance, on exit = x*y
+ @param y FP24 instance, of special form
+ @param t D_TYPE or M_TYPE twist
+ */
+extern void FP24_YYY_smul(FP24_YYY *x,FP24_YYY *y,int t);
+/** @brief Multiplication of two FP24s
+ *
+ @param x FP24 instance, on exit = x*y
+ @param y FP24 instance, the multiplier
+ */
+extern void FP24_YYY_mul(FP24_YYY *x,FP24_YYY *y);
+/** @brief Inverting an FP24
+ *
+ @param x FP24 instance, on exit = 1/y
+ @param y FP24 instance
+ */
+extern void FP24_YYY_inv(FP24_YYY *x,FP24_YYY *y);
+/** @brief Raises an FP24 to the power of a BIG
+ *
+ @param r FP24 instance, on exit = y^b
+ @param x FP24 instance
+ @param b BIG number
+ */
+extern void FP24_YYY_pow(FP24_YYY *r,FP24_YYY *x,BIG_XXX b);
+
+//extern void FP24_ppow(FP24 *r,FP24 *x,BIG b);
+
+/** @brief Raises an FP24 instance x to a small integer power, side-channel resistant
+ *
+ @param x FP24 instance, on exit = x^i
+ @param i small integer exponent
+ @param b maximum number of bits in exponent
+ */
+extern void FP24_YYY_pinpow(FP24_YYY *x,int i,int b);
+
+/** @brief Raises an FP24 instance x to a BIG power, compressed to FP8
+ *
+ @param c FP8 instance, on exit = x^(e mod r) as FP8
+ @param x FP24 input
+ @param e BIG exponent
+ @param r BIG group order
+ */
+extern void FP24_YYY_compow(FP8_YYY *c,FP24_YYY *x,BIG_XXX e,BIG_XXX r);
+
+/** @brief Calculate Pi x[i]^b[i] for i=0 to 7, side-channel resistant
+ *
+ @param r FP24 instance, on exit = Pi x[i]^b[i] for i=0 to 7
+ @param x FP24 array with 8 FP24s
+ @param b BIG array of 4 exponents
+ */
+extern void FP24_YYY_pow8(FP24_YYY *r,FP24_YYY *x,BIG_XXX *b);
+
+
+/** @brief Raises an FP24 to the power of the internal modulus p, using the Frobenius
+ *
+ @param x FP24 instance, on exit = x^p^n
+ @param f FP2 precalculated Frobenius constant
+ @param n power of p
+ */
+extern void FP24_YYY_frob(FP24_YYY *x,FP2_YYY *f,int n);
+
+/** @brief Reduces all components of possibly unreduced FP24 mod Modulus
+ *
+ @param x FP24 instance, on exit reduced mod Modulus
+ */
+extern void FP24_YYY_reduce(FP24_YYY *x);
+/** @brief Normalises the components of an FP24
+ *
+ @param x FP24 instance to be normalised
+ */
+extern void FP24_YYY_norm(FP24_YYY *x);
+/** @brief Formats and outputs an FP24 to the console
+ *
+ @param x FP24 instance to be printed
+ */
+extern void FP24_YYY_output(FP24_YYY *x);
+/** @brief Formats and outputs an FP24 instance to an octet string
+ *
+ Serializes the components of an FP24 to big-endian base 256 form.
+ @param S output octet string
+ @param x FP24 instance to be converted to an octet string
+ */
+extern void FP24_YYY_toOctet(octet *S,FP24_YYY *x);
+/** @brief Creates an FP24 instance from an octet string
+ *
+ De-serializes the components of an FP24 to create an FP24 from big-endian base 256 components.
+ @param x FP24 instance to be created from an octet string
+ @param S input octet string
+
+ */
+extern void FP24_YYY_fromOctet(FP24_YYY *x,octet *S);
+/** @brief Calculate the trace of an FP24
+ *
+ @param t FP8 trace of x, on exit = tr(x)
+ @param x FP24 instance
+
+ */
+extern void FP24_YYY_trace(FP8_YYY *t,FP24_YYY *x);
+
+/** @brief Conditional copy of FP24_YYY number
+ *
+ Conditionally copies second parameter to the first (without branching)
+ @param x FP24_YYY instance, set to y if s!=0
+ @param y another FP24_YYY instance
+ @param s copy only takes place if not equal to 0
+ */
+extern void FP24_YYY_cmove(FP24_YYY *x,FP24_YYY *y,int s);
+
+#endif
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/fp4.h.in
----------------------------------------------------------------------
diff --git a/include/fp4.h.in b/include/fp4.h.in
new file mode 100644
index 0000000..731afd0
--- /dev/null
+++ b/include/fp4.h.in
@@ -0,0 +1,304 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/
+
+/**
+ * @file fp4_YYY.h
+ * @author Mike Scott
+ * @brief FP4 Header File
+ *
+ */
+
+#ifndef FP4_YYY_H
+#define FP4_YYY_H
+
+#include "fp2_YYY.h"
+#include "config_curve_ZZZ.h"
+
+/**
+ @brief FP4 Structure - towered over two FP2
+*/
+
+typedef struct
+{
+ FP2_YYY a; /**< real part of FP4 */
+ FP2_YYY b; /**< imaginary part of FP4 */
+} FP4_YYY;
+
+
+/* FP4 prototypes */
+/** @brief Tests for FP4 equal to zero
+ *
+ @param x FP4 number to be tested
+ @return 1 if zero, else returns 0
+ */
+extern int FP4_YYY_iszilch(FP4_YYY *x);
+/** @brief Tests for FP4 equal to unity
+ *
+ @param x FP4 number to be tested
+ @return 1 if unity, else returns 0
+ */
+extern int FP4_YYY_isunity(FP4_YYY *x);
+/** @brief Tests for equality of two FP4s
+ *
+ @param x FP4 instance to be compared
+ @param y FP4 instance to be compared
+ @return 1 if x=y, else returns 0
+ */
+extern int FP4_YYY_equals(FP4_YYY *x,FP4_YYY *y);
+/** @brief Tests for FP4 having only a real part and no imaginary part
+ *
+ @param x FP4 number to be tested
+ @return 1 if real, else returns 0
+ */
+extern int FP4_YYY_isreal(FP4_YYY *x);
+/** @brief Initialise FP4 from two FP2s
+ *
+ @param x FP4 instance to be initialised
+ @param a FP2 to form real part of FP4
+ @param b FP2 to form imaginary part of FP4
+ */
+extern void FP4_YYY_from_FP2s(FP4_YYY *x,FP2_YYY *a,FP2_YYY *b);
+/** @brief Initialise FP4 from single FP2
+ *
+ Imaginary part is set to zero
+ @param x FP4 instance to be initialised
+ @param a FP2 to form real part of FP4
+ */
+extern void FP4_YYY_from_FP2(FP4_YYY *x,FP2_YYY *a);
+
+/** @brief Initialise FP4 from single FP2
+ *
+ real part is set to zero
+ @param x FP4 instance to be initialised
+ @param a FP2 to form imaginary part of FP4
+ */
+extern void FP4_YYY_from_FP2H(FP4_YYY *x,FP2_YYY *a);
+
+
+/** @brief Copy FP4 to another FP4
+ *
+ @param x FP4 instance, on exit = y
+ @param y FP4 instance to be copied
+ */
+extern void FP4_YYY_copy(FP4_YYY *x,FP4_YYY *y);
+/** @brief Set FP4 to zero
+ *
+ @param x FP4 instance to be set to zero
+ */
+extern void FP4_YYY_zero(FP4_YYY *x);
+/** @brief Set FP4 to unity
+ *
+ @param x FP4 instance to be set to one
+ */
+extern void FP4_YYY_one(FP4_YYY *x);
+/** @brief Negation of FP4
+ *
+ @param x FP4 instance, on exit = -y
+ @param y FP4 instance
+ */
+extern void FP4_YYY_neg(FP4_YYY *x,FP4_YYY *y);
+/** @brief Conjugation of FP4
+ *
+ If y=(a,b) on exit x=(a,-b)
+ @param x FP4 instance, on exit = conj(y)
+ @param y FP4 instance
+ */
+extern void FP4_YYY_conj(FP4_YYY *x,FP4_YYY *y);
+/** @brief Negative conjugation of FP4
+ *
+ If y=(a,b) on exit x=(-a,b)
+ @param x FP4 instance, on exit = -conj(y)
+ @param y FP4 instance
+ */
+extern void FP4_YYY_nconj(FP4_YYY *x,FP4_YYY *y);
+/** @brief addition of two FP4s
+ *
+ @param x FP4 instance, on exit = y+z
+ @param y FP4 instance
+ @param z FP4 instance
+ */
+extern void FP4_YYY_add(FP4_YYY *x,FP4_YYY *y,FP4_YYY *z);
+/** @brief subtraction of two FP4s
+ *
+ @param x FP4 instance, on exit = y-z
+ @param y FP4 instance
+ @param z FP4 instance
+ */
+extern void FP4_YYY_sub(FP4_YYY *x,FP4_YYY *y,FP4_YYY *z);
+/** @brief Multiplication of an FP4 by an FP2
+ *
+ @param x FP4 instance, on exit = y*a
+ @param y FP4 instance
+ @param a FP2 multiplier
+ */
+extern void FP4_YYY_pmul(FP4_YYY *x,FP4_YYY *y,FP2_YYY *a);
+
+/** @brief Multiplication of an FP4 by an FP
+ *
+ @param x FP4 instance, on exit = y*a
+ @param y FP4 instance
+ @param a FP multiplier
+ */
+extern void FP4_YYY_qmul(FP4_YYY *x,FP4_YYY *y,FP_YYY *a);
+
+/** @brief Multiplication of an FP4 by a small integer
+ *
+ @param x FP4 instance, on exit = y*i
+ @param y FP4 instance
+ @param i an integer
+ */
+extern void FP4_YYY_imul(FP4_YYY *x,FP4_YYY *y,int i);
+/** @brief Squaring an FP4
+ *
+ @param x FP4 instance, on exit = y^2
+ @param y FP4 instance
+ */
+extern void FP4_YYY_sqr(FP4_YYY *x,FP4_YYY *y);
+/** @brief Multiplication of two FP4s
+ *
+ @param x FP4 instance, on exit = y*z
+ @param y FP4 instance
+ @param z FP4 instance
+ */
+extern void FP4_YYY_mul(FP4_YYY *x,FP4_YYY *y,FP4_YYY *z);
+/** @brief Inverting an FP4
+ *
+ @param x FP4 instance, on exit = 1/y
+ @param y FP4 instance
+ */
+extern void FP4_YYY_inv(FP4_YYY *x,FP4_YYY *y);
+/** @brief Formats and outputs an FP4 to the console
+ *
+ @param x FP4 instance to be printed
+ */
+extern void FP4_YYY_output(FP4_YYY *x);
+/** @brief Formats and outputs an FP4 to the console in raw form (for debugging)
+ *
+ @param x FP4 instance to be printed
+ */
+extern void FP4_YYY_rawoutput(FP4_YYY *x);
+/** @brief multiplies an FP4 instance by irreducible polynomial sqrt(1+sqrt(-1))
+ *
+ @param x FP4 instance, on exit = sqrt(1+sqrt(-1)*x
+ */
+extern void FP4_YYY_times_i(FP4_YYY *x);
+/** @brief Normalises the components of an FP4
+ *
+ @param x FP4 instance to be normalised
+ */
+extern void FP4_YYY_norm(FP4_YYY *x);
+/** @brief Reduces all components of possibly unreduced FP4 mod Modulus
+ *
+ @param x FP4 instance, on exit reduced mod Modulus
+ */
+extern void FP4_YYY_reduce(FP4_YYY *x);
+/** @brief Raises an FP4 to the power of a BIG
+ *
+ @param x FP4 instance, on exit = y^b
+ @param y FP4 instance
+ @param b BIG number
+ */
+extern void FP4_YYY_pow(FP4_YYY *x,FP4_YYY *y,BIG_XXX b);
+/** @brief Raises an FP4 to the power of the internal modulus p, using the Frobenius
+ *
+ @param x FP4 instance, on exit = x^p
+ @param f FP2 precalculated Frobenius constant
+ */
+extern void FP4_YYY_frob(FP4_YYY *x,FP2_YYY *f);
+/** @brief Calculates the XTR addition function r=w*x-conj(x)*y+z
+ *
+ @param r FP4 instance, on exit = w*x-conj(x)*y+z
+ @param w FP4 instance
+ @param x FP4 instance
+ @param y FP4 instance
+ @param z FP4 instance
+ */
+extern void FP4_YYY_xtr_A(FP4_YYY *r,FP4_YYY *w,FP4_YYY *x,FP4_YYY *y,FP4_YYY *z);
+/** @brief Calculates the XTR doubling function r=x^2-2*conj(x)
+ *
+ @param r FP4 instance, on exit = x^2-2*conj(x)
+ @param x FP4 instance
+ */
+extern void FP4_YYY_xtr_D(FP4_YYY *r,FP4_YYY *x);
+/** @brief Calculates FP4 trace of an FP12 raised to the power of a BIG number
+ *
+ XTR single exponentiation
+ @param r FP4 instance, on exit = trace(w^b)
+ @param x FP4 instance, trace of an FP12 w
+ @param b BIG number
+ */
+extern void FP4_YYY_xtr_pow(FP4_YYY *r,FP4_YYY *x,BIG_XXX b);
+/** @brief Calculates FP4 trace of c^a.d^b, where c and d are derived from FP4 traces of FP12s
+ *
+ XTR double exponentiation
+ Assumes c=tr(x^m), d=tr(x^n), e=tr(x^(m-n)), f=tr(x^(m-2n))
+ @param r FP4 instance, on exit = trace(c^a.d^b)
+ @param c FP4 instance, trace of an FP12
+ @param d FP4 instance, trace of an FP12
+ @param e FP4 instance, trace of an FP12
+ @param f FP4 instance, trace of an FP12
+ @param a BIG number
+ @param b BIG number
+ */
+extern void FP4_YYY_xtr_pow2(FP4_YYY *r,FP4_YYY *c,FP4_YYY *d,FP4_YYY *e,FP4_YYY *f,BIG_XXX a,BIG_XXX b);
+
+/** @brief Conditional copy of FP4 number
+ *
+ Conditionally copies second parameter to the first (without branching)
+ @param x FP4 instance, set to y if s!=0
+ @param y another FP4 instance
+ @param s copy only takes place if not equal to 0
+ */
+extern void FP4_YYY_cmove(FP4_YYY *x,FP4_YYY *y,int s);
+
+
+/** @brief Calculate square root of an FP4
+ *
+ Square root
+ @param r FP4 instance, on exit = sqrt(x)
+ @param x FP4 instance
+ @return 1 x is a QR, otherwise 0
+ */
+extern int FP4_YYY_sqrt(FP4_YYY *r,FP4_YYY *x);
+
+
+/** @brief Divide FP4 number by QNR
+ *
+ Divide FP4 by the QNR
+ @param x FP4 instance
+ */
+extern void FP4_YYY_div_i(FP4_YYY *x);
+
+/** @brief Divide an FP4 by QNR/2
+ *
+ Divide FP4 by the QNR/2
+ @param x FP4 instance
+ */
+extern void FP4_YYY_div_2i(FP4_YYY *x);
+
+
+
+/** @brief Divide an FP4 by 2
+ *
+ @param x FP4 instance, on exit = y/2
+ @param y FP4 instance
+ */
+extern void FP4_YYY_div2(FP4_YYY *x,FP4_YYY *y);
+
+#endif
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/fp48.h.in
----------------------------------------------------------------------
diff --git a/include/fp48.h.in b/include/fp48.h.in
new file mode 100644
index 0000000..8bd05ad
--- /dev/null
+++ b/include/fp48.h.in
@@ -0,0 +1,222 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/
+
+/**
+ * @file fp48_YYY.h
+ * @author Mike Scott
+ * @brief FP48 Header File
+ *
+ */
+
+#ifndef FP48_YYY_H
+#define FP48_YYY_H
+
+#include "fp16_YYY.h"
+
+/**
+ @brief FP48 Structure - towered over three FP12
+*/
+
+typedef struct
+{
+ FP16_YYY a; /**< first part of FP12 */
+ FP16_YYY b; /**< second part of FP12 */
+ FP16_YYY c; /**< third part of FP12 */
+} FP48_YYY;
+
+extern const BIG_XXX Fra_YYY; /**< real part of BN curve Frobenius Constant */
+extern const BIG_XXX Frb_YYY; /**< imaginary part of BN curve Frobenius Constant */
+
+/* FP48 prototypes */
+/** @brief Tests for FP48 equal to zero
+ *
+ @param x FP48 number to be tested
+ @return 1 if zero, else returns 0
+ */
+extern int FP48_YYY_iszilch(FP48_YYY *x);
+/** @brief Tests for FP48 equal to unity
+ *
+ @param x FP48 number to be tested
+ @return 1 if unity, else returns 0
+ */
+extern int FP48_YYY_isunity(FP48_YYY *x);
+/** @brief Copy FP48 to another FP48
+ *
+ @param x FP48 instance, on exit = y
+ @param y FP48 instance to be copied
+ */
+extern void FP48_YYY_copy(FP48_YYY *x,FP48_YYY *y);
+/** @brief Set FP48 to unity
+ *
+ @param x FP48 instance to be set to one
+ */
+extern void FP48_YYY_one(FP48_YYY *x);
+/** @brief Tests for equality of two FP48s
+ *
+ @param x FP48 instance to be compared
+ @param y FP48 instance to be compared
+ @return 1 if x=y, else returns 0
+ */
+extern int FP48_YYY_equals(FP48_YYY *x,FP48_YYY *y);
+/** @brief Conjugation of FP48
+ *
+ If y=(a,b,c) (where a,b,c are its three FP16 components) on exit x=(conj(a),-conj(b),conj(c))
+ @param x FP48 instance, on exit = conj(y)
+ @param y FP48 instance
+ */
+extern void FP48_YYY_conj(FP48_YYY *x,FP48_YYY *y);
+/** @brief Initialise FP48 from single FP16
+ *
+ Sets first FP16 component of an FP48, other components set to zero
+ @param x FP48 instance to be initialised
+ @param a FP16 to form first part of FP48
+ */
+extern void FP48_YYY_from_FP16(FP48_YYY *x,FP16_YYY *a);
+/** @brief Initialise FP48 from three FP16s
+ *
+ @param x FP48 instance to be initialised
+ @param a FP16 to form first part of FP48
+ @param b FP16 to form second part of FP48
+ @param c FP16 to form third part of FP48
+ */
+extern void FP48_YYY_from_FP16s(FP48_YYY *x,FP16_YYY *a,FP16_YYY* b,FP16_YYY *c);
+/** @brief Fast Squaring of an FP48 in "unitary" form
+ *
+ @param x FP48 instance, on exit = y^2
+ @param y FP16 instance, must be unitary
+ */
+extern void FP48_YYY_usqr(FP48_YYY *x,FP48_YYY *y);
+/** @brief Squaring an FP48
+ *
+ @param x FP48 instance, on exit = y^2
+ @param y FP48 instance
+ */
+extern void FP48_YYY_sqr(FP48_YYY *x,FP48_YYY *y);
+/** @brief Fast multiplication of an FP48 by an FP48 that arises from an ATE pairing line function
+ *
+ Here the multiplier has a special form that can be exploited
+ @param x FP48 instance, on exit = x*y
+ @param y FP48 instance, of special form
+ @param t D_TYPE or M_TYPE twist
+ */
+extern void FP48_YYY_smul(FP48_YYY *x,FP48_YYY *y,int t);
+/** @brief Multiplication of two FP48s
+ *
+ @param x FP48 instance, on exit = x*y
+ @param y FP48 instance, the multiplier
+ */
+extern void FP48_YYY_mul(FP48_YYY *x,FP48_YYY *y);
+/** @brief Inverting an FP48
+ *
+ @param x FP48 instance, on exit = 1/y
+ @param y FP48 instance
+ */
+extern void FP48_YYY_inv(FP48_YYY *x,FP48_YYY *y);
+/** @brief Raises an FP48 to the power of a BIG
+ *
+ @param r FP48 instance, on exit = y^b
+ @param x FP48 instance
+ @param b BIG number
+ */
+extern void FP48_YYY_pow(FP48_YYY *r,FP48_YYY *x,BIG_XXX b);
+
+//extern void FP48_ppow(FP48 *r,FP48 *x,BIG b);
+
+/** @brief Raises an FP48 instance x to a small integer power, side-channel resistant
+ *
+ @param x FP48 instance, on exit = x^i
+ @param i small integer exponent
+ @param b maximum number of bits in exponent
+ */
+extern void FP48_YYY_pinpow(FP48_YYY *x,int i,int b);
+
+/** @brief Raises an FP48 instance x to a BIG_XXX power, compressed to FP16
+ *
+ @param c FP16 instance, on exit = x^(e mod r) as FP16
+ @param x FP48 input
+ @param e BIG exponent
+ @param r BIG group order
+ */
+extern void FP48_YYY_compow(FP16_YYY *c,FP48_YYY *x,BIG_XXX e,BIG_XXX r);
+
+/** @brief Calculate Pi x[i]^b[i] for i=0 to 15, side-channel resistant
+ *
+ @param r FP48 instance, on exit = Pi x[i]^b[i] for i=0 to 15
+ @param x FP48 array with 16 FP48s
+ @param b BIG array of 16 exponents
+ */
+extern void FP48_YYY_pow16(FP48_YYY *r,FP48_YYY *x,BIG_XXX *b);
+
+
+/** @brief Raises an FP48 to the power of the internal modulus p, using the Frobenius
+ *
+ @param x FP48 instance, on exit = x^p^n
+ @param f FP2 precalculated Frobenius constant
+ @param n power of p
+ */
+extern void FP48_YYY_frob(FP48_YYY *x,FP2_YYY *f,int n);
+
+/** @brief Reduces all components of possibly unreduced FP48 mod Modulus
+ *
+ @param x FP48 instance, on exit reduced mod Modulus
+ */
+extern void FP48_YYY_reduce(FP48_YYY *x);
+/** @brief Normalises the components of an FP48
+ *
+ @param x FP48 instance to be normalised
+ */
+extern void FP48_YYY_norm(FP48_YYY *x);
+/** @brief Formats and outputs an FP48 to the console
+ *
+ @param x FP48 instance to be printed
+ */
+extern void FP48_YYY_output(FP48_YYY *x);
+/** @brief Formats and outputs an FP48 instance to an octet string
+ *
+ Serializes the components of an FP48 to big-endian base 256 form.
+ @param S output octet string
+ @param x FP48 instance to be converted to an octet string
+ */
+extern void FP48_YYY_toOctet(octet *S,FP48_YYY *x);
+/** @brief Creates an FP48 instance from an octet string
+ *
+ De-serializes the components of an FP48 to create an FP48 from big-endian base 256 components.
+ @param x FP48 instance to be created from an octet string
+ @param S input octet string
+
+ */
+extern void FP48_YYY_fromOctet(FP48_YYY *x,octet *S);
+/** @brief Calculate the trace of an FP48
+ *
+ @param t FP16 trace of x, on exit = tr(x)
+ @param x FP48 instance
+
+ */
+extern void FP48_YYY_trace(FP16_YYY *t,FP48_YYY *x);
+
+/** @brief Conditional copy of FP48 number
+ *
+ Conditionally copies second parameter to the first (without branching)
+ @param x FP48 instance, set to y if s!=0
+ @param y another FP48 instance
+ @param s copy only takes place if not equal to 0
+ */
+extern void FP48_YYY_cmove(FP48_YYY *x,FP48_YYY *y,int s);
+
+#endif
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/fp8.h.in
----------------------------------------------------------------------
diff --git a/include/fp8.h.in b/include/fp8.h.in
new file mode 100644
index 0000000..012208f
--- /dev/null
+++ b/include/fp8.h.in
@@ -0,0 +1,320 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/
+
+/**
+ * @file fp8_YYY.h
+ * @author Mike Scott
+ * @brief FP8 Header File
+ *
+ */
+
+#ifndef FP8_YYY_H
+#define FP8_YYY_H
+
+#include "fp4_YYY.h"
+#include "config_curve_ZZZ.h"
+
+
+/**
+ @brief FP8 Structure - towered over two FP4
+*/
+
+typedef struct
+{
+ FP4_YYY a; /**< real part of FP8 */
+ FP4_YYY b; /**< imaginary part of FP8 */
+} FP8_YYY;
+
+
+/* FP8 prototypes */
+/** @brief Tests for FP8 equal to zero
+ *
+ @param x FP8 number to be tested
+ @return 1 if zero, else returns 0
+ */
+extern int FP8_YYY_iszilch(FP8_YYY *x);
+/** @brief Tests for FP8 equal to unity
+ *
+ @param x FP8 number to be tested
+ @return 1 if unity, else returns 0
+ */
+extern int FP8_YYY_isunity(FP8_YYY *x);
+/** @brief Tests for equality of two FP8s
+ *
+ @param x FP8 instance to be compared
+ @param y FP8 instance to be compared
+ @return 1 if x=y, else returns 0
+ */
+extern int FP8_YYY_equals(FP8_YYY *x,FP8_YYY *y);
+/** @brief Tests for FP8 having only a real part and no imaginary part
+ *
+ @param x FP8 number to be tested
+ @return 1 if real, else returns 0
+ */
+extern int FP8_YYY_isreal(FP8_YYY *x);
+/** @brief Initialise FP8 from two FP4s
+ *
+ @param x FP8 instance to be initialised
+ @param a FP4 to form real part of FP8
+ @param b FP4 to form imaginary part of FP8
+ */
+extern void FP8_YYY_from_FP4s(FP8_YYY *x,FP4_YYY *a,FP4_YYY *b);
+/** @brief Initialise FP8 from single FP4
+ *
+ Imaginary part is set to zero
+ @param x FP8 instance to be initialised
+ @param a FP4 to form real part of FP8
+ */
+extern void FP8_YYY_from_FP4(FP8_YYY *x,FP4_YYY *a);
+
+/** @brief Initialise FP8 from single FP4
+ *
+ real part is set to zero
+ @param x FP8 instance to be initialised
+ @param a FP4 to form imaginary part of FP8
+ */
+extern void FP8_YYY_from_FP4H(FP8_YYY *x,FP4_YYY *a);
+
+
+/** @brief Copy FP8 to another FP8
+ *
+ @param x FP8 instance, on exit = y
+ @param y FP8 instance to be copied
+ */
+extern void FP8_YYY_copy(FP8_YYY *x,FP8_YYY *y);
+/** @brief Set FP8 to zero
+ *
+ @param x FP8 instance to be set to zero
+ */
+extern void FP8_YYY_zero(FP8_YYY *x);
+/** @brief Set FP8 to unity
+ *
+ @param x FP8 instance to be set to one
+ */
+extern void FP8_YYY_one(FP8_YYY *x);
+/** @brief Negation of FP8
+ *
+ @param x FP8 instance, on exit = -y
+ @param y FP8 instance
+ */
+extern void FP8_YYY_neg(FP8_YYY *x,FP8_YYY *y);
+/** @brief Conjugation of FP8
+ *
+ If y=(a,b) on exit x=(a,-b)
+ @param x FP8 instance, on exit = conj(y)
+ @param y FP8 instance
+ */
+extern void FP8_YYY_conj(FP8_YYY *x,FP8_YYY *y);
+/** @brief Negative conjugation of FP8
+ *
+ If y=(a,b) on exit x=(-a,b)
+ @param x FP8 instance, on exit = -conj(y)
+ @param y FP8 instance
+ */
+extern void FP8_YYY_nconj(FP8_YYY *x,FP8_YYY *y);
+/** @brief addition of two FP8s
+ *
+ @param x FP8 instance, on exit = y+z
+ @param y FP8 instance
+ @param z FP8 instance
+ */
+extern void FP8_YYY_add(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z);
+/** @brief subtraction of two FP8s
+ *
+ @param x FP8 instance, on exit = y-z
+ @param y FP8 instance
+ @param z FP8 instance
+ */
+extern void FP8_YYY_sub(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z);
+/** @brief Multiplication of an FP8 by an FP4
+ *
+ @param x FP8 instance, on exit = y*a
+ @param y FP8 instance
+ @param a FP4 multiplier
+ */
+extern void FP8_YYY_pmul(FP8_YYY *x,FP8_YYY *y,FP4_YYY *a);
+
+/** @brief Multiplication of an FP8 by an FP2
+ *
+ @param x FP8 instance, on exit = y*a
+ @param y FP8 instance
+ @param a FP2 multiplier
+ */
+extern void FP8_YYY_qmul(FP8_YYY *x,FP8_YYY *y,FP2_YYY *a);
+
+/** @brief Multiplication of an FP8 by an FP
+ *
+ @param x FP8 instance, on exit = y*a
+ @param y FP8 instance
+ @param a FP multiplier
+ */
+extern void FP8_YYY_tmul(FP8_YYY *x,FP8_YYY *y,FP_YYY *a);
+
+/** @brief Multiplication of an FP8 by a small integer
+ *
+ @param x FP8 instance, on exit = y*i
+ @param y FP8 instance
+ @param i an integer
+ */
+extern void FP8_YYY_imul(FP8_YYY *x,FP8_YYY *y,int i);
+/** @brief Squaring an FP8
+ *
+ @param x FP8 instance, on exit = y^2
+ @param y FP8 instance
+ */
+extern void FP8_YYY_sqr(FP8_YYY *x,FP8_YYY *y);
+/** @brief Multiplication of two FP8s
+ *
+ @param x FP8 instance, on exit = y*z
+ @param y FP8 instance
+ @param z FP8 instance
+ */
+extern void FP8_YYY_mul(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z);
+/** @brief Inverting an FP8
+ *
+ @param x FP8 instance, on exit = 1/y
+ @param y FP8 instance
+ */
+extern void FP8_YYY_inv(FP8_YYY *x,FP8_YYY *y);
+/** @brief Formats and outputs an FP8 to the console
+ *
+ @param x FP8 instance to be printed
+ */
+extern void FP8_YYY_output(FP8_YYY *x);
+/** @brief Formats and outputs an FP8 to the console in raw form (for debugging)
+ *
+ @param x FP8 instance to be printed
+ */
+extern void FP8_YYY_rawoutput(FP8_YYY *x);
+/** @brief multiplies an FP8 instance by irreducible polynomial sqrt(1+sqrt(-1))
+ *
+ @param x FP8 instance, on exit = sqrt(1+sqrt(-1)*x
+ */
+extern void FP8_YYY_times_i(FP8_YYY *x);
+/** @brief multiplies an FP8 instance by irreducible polynomial (1+sqrt(-1))
+ *
+ @param x FP8 instance, on exit = (1+sqrt(-1)*x
+ */
+extern void FP8_YYY_times_i2(FP8_YYY *x);
+
+/** @brief Normalises the components of an FP8
+ *
+ @param x FP8 instance to be normalised
+ */
+extern void FP8_YYY_norm(FP8_YYY *x);
+/** @brief Reduces all components of possibly unreduced FP8 mod Modulus
+ *
+ @param x FP8 instance, on exit reduced mod Modulus
+ */
+extern void FP8_YYY_reduce(FP8_YYY *x);
+/** @brief Raises an FP8 to the power of a BIG
+ *
+ @param x FP8 instance, on exit = y^b
+ @param y FP8 instance
+ @param b BIG number
+ */
+extern void FP8_YYY_pow(FP8_YYY *x,FP8_YYY *y,BIG_XXX b);
+/** @brief Raises an FP8 to the power of the internal modulus p, using the Frobenius
+ *
+ @param x FP8 instance, on exit = x^p
+ @param f FP2 precalculated Frobenius constant
+ */
+extern void FP8_YYY_frob(FP8_YYY *x,FP2_YYY *f);
+/** @brief Calculates the XTR addition function r=w*x-conj(x)*y+z
+ *
+ @param r FP8 instance, on exit = w*x-conj(x)*y+z
+ @param w FP8 instance
+ @param x FP8 instance
+ @param y FP8 instance
+ @param z FP8 instance
+ */
+extern void FP8_YYY_xtr_A(FP8_YYY *r,FP8_YYY *w,FP8_YYY *x,FP8_YYY *y,FP8_YYY *z);
+/** @brief Calculates the XTR doubling function r=x^2-2*conj(x)
+ *
+ @param r FP8 instance, on exit = x^2-2*conj(x)
+ @param x FP8 instance
+ */
+extern void FP8_YYY_xtr_D(FP8_YYY *r,FP8_YYY *x);
+/** @brief Calculates FP8 trace of an FP12 raised to the power of a BIG number
+ *
+ XTR single exponentiation
+ @param r FP8 instance, on exit = trace(w^b)
+ @param x FP8 instance, trace of an FP12 w
+ @param b BIG number
+ */
+extern void FP8_YYY_xtr_pow(FP8_YYY *r,FP8_YYY *x,BIG_XXX b);
+/** @brief Calculates FP8 trace of c^a.d^b, where c and d are derived from FP8 traces of FP12s
+ *
+ XTR double exponentiation
+ Assumes c=tr(x^m), d=tr(x^n), e=tr(x^(m-n)), f=tr(x^(m-2n))
+ @param r FP8 instance, on exit = trace(c^a.d^b)
+ @param c FP8 instance, trace of an FP12
+ @param d FP8 instance, trace of an FP12
+ @param e FP8 instance, trace of an FP12
+ @param f FP8 instance, trace of an FP12
+ @param a BIG number
+ @param b BIG number
+ */
+extern void FP8_YYY_xtr_pow2(FP8_YYY *r,FP8_YYY *c,FP8_YYY *d,FP8_YYY *e,FP8_YYY *f,BIG_XXX a,BIG_XXX b);
+
+
+/** @brief Calculate square root of an FP8
+ *
+ Square root
+ @param r FP8 instance, on exit = sqrt(x)
+ @param x FP8 instance
+ @return 1 x is a QR, otherwise 0
+ */
+extern int FP8_YYY_sqrt(FP8_YYY *r,FP8_YYY *x);
+
+
+/** @brief Conditional copy of FP8 number
+ *
+ Conditionally copies second parameter to the first (without branching)
+ @param x FP8 instance, set to y if s!=0
+ @param y another FP8 instance
+ @param s copy only takes place if not equal to 0
+ */
+extern void FP8_YYY_cmove(FP8_YYY *x,FP8_YYY *y,int s);
+
+
+/** @brief Divide FP8 number by QNR
+ *
+ Divide FP8 by the QNR
+ @param x FP8 instance
+ */
+extern void FP8_YYY_div_i(FP8_YYY *x);
+
+/** @brief Divide FP8 number by QNR twice
+ *
+ Divide FP8 by the QNR twice
+ @param x FP8 instance
+ */
+extern void FP8_YYY_div_i2(FP8_YYY *x);
+
+/** @brief Divide FP8 number by QNR/2
+ *
+ Divide FP8 by the QNR/2
+ @param x FP8 instance
+ */
+extern void FP8_YYY_div_2i(FP8_YYY *x);
+
+
+#endif
+
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/mpin.h.in
----------------------------------------------------------------------
diff --git a/include/mpin.h.in b/include/mpin.h.in
new file mode 100644
index 0000000..98ef7e6
--- /dev/null
+++ b/include/mpin.h.in
@@ -0,0 +1,357 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/**
+ * @file mpin_ZZZ.h
+ * @author Mike Scott
+ * @brief M-Pin Header file
+ *
+ *
+ */
+
+#ifndef MPIN_ZZZ_H
+#define MPIN_ZZZ_H
+
+#include "pair_ZZZ.h"
+#include "pbc_support.h"
+
+/* Field size is assumed to be greater than or equal to group size */
+
+#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */
+#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */
+
+#define MPIN_OK 0 /**< Function completed without error */
+#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */
+#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */
+
+#define MPIN_PAS 16 /**< MPIN Symmetric Key Size */
+#define MAXPIN @AMCL_MAXPIN@ /**< max PIN */
+#define PBLEN @AMCL_PBLEN@ /**< max length of PIN in bits */
+
+#define MESSAGE_SIZE 256 /**< Signature message size */
+#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */
+
+/* MPIN support functions */
+
+/* MPIN primitives */
+
+
+/** @brief Generate Y=H(s,O), where s is epoch time, O is an octet, and H(.) is a hash function
+ *
+ @param h is the hash type
+ @param t is epoch time in seconds
+ @param O is an input octet
+ @param Y is the output octet
+*/
+void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y);
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param factor is an input factor
+ @param facbits is the number of bits in the factor
+ @param CS is the client secret from which the factor is to be extracted
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS);
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param factor is an input factor
+ @param facbits is the number of bits in the factor
+ @param CS is the client secret to which the factor is to be added
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS);
+
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param pin is an input PIN number
+ @param CS is the client secret from which the PIN is to be extracted
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS);
+
+
+
+/** @brief Perform client side of the one-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input client identity
+ @param R is a pointer to a cryptographically secure random number generator
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param pin is the input PIN number
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit
+ @param U is output = x.H(ID)
+ @param UT is output = x.(H(ID)+H(d|H(ID)))
+ @param TP is the input time permit
+ @param MESSAGE is the message to be signed
+ @param t is input epoch time in seconds - a timestamp
+ @param y is output H(t|U) or H(t|UT) if Time Permits enabled
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y);
+
+/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input client identity
+ @param R is a pointer to a cryptographically secure random number generator
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param pin is the input PIN number
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit
+ @param U is output = x.H(ID)
+ @param UT is output = x.(H(ID)+H(d|H(ID)))
+ @param TP is the input time permit
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP);
+
+/** @brief Generate a random group element
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param S is the output random octet
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S);
+
+/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol
+ *
+ @param x an input, a locally generated random number
+ @param y an input random challenge from the server
+ @param V on output = -(x+y).V
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V);
+
+/** @brief Perform server side of the one-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param HID is output H(ID), a hash of the client ID
+ @param HTID is output H(ID)+H(d|H(ID))
+ @param y is output H(t|U) or H(t|UT) if Time Permits enabled
+ @param SS is the input server secret
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param V is an input from the client
+ @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param ID is the input claimed client identity
+ @param MESSAGE is the message to be signed
+ @param t is input epoch time in seconds - a timestamp
+ @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa);
+
+/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol
+ *
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input claimed client identity
+ @param HID is output H(ID), a hash of the client ID
+ @param HTID is output H(ID)+H(d|H(ID))
+ @return 0 or an error code
+ */
+void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID);
+
+/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required.
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param HID is input H(ID), a hash of the client ID
+ @param HTID is input H(ID)+H(d|H(ID))
+ @param y is the input server's randomly generated challenge
+ @param SS is the input server secret
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param V is an input from the client
+ @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa);
+
+/** @brief Add two members from the group G1
+ *
+ @param Q1 an input member of G1
+ @param Q2 an input member of G1
+ @param Q an output member of G1 = Q1+Q2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q);
+
+/** @brief Add two members from the group G2
+ *
+ @param P1 an input member of G2
+ @param P2 an input member of G2
+ @param P an output member of G2 = P1+P2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P);
+
+/** @brief Use Kangaroos to find PIN error
+ *
+ @param E a member of the group GT
+ @param F a member of the group GT = E^e
+ @return 0 if Kangaroos failed, or the PIN error e
+ */
+int MPIN_ZZZ_KANGAROO(octet *E,octet *F);
+
+/** @brief Encoding of a Time Permit to make it indistinguishable from a random string
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param TP is the input time permit, obfuscated on output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_ENCODING(csprng *R,octet *TP);
+
+/** @brief Encoding of an obfuscated Time Permit
+ *
+ @param TP is the input obfuscated time permit, restored on output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_DECODING(octet *TP);
+
+/** @brief Find a random multiple of a point in G1
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param type determines type of action to be taken
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param G if type=0 a point in G1, else an octet to be mapped to G1
+ @param W the output =x.G or x.M(G), where M(.) is a mapping
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W);
+
+/** @brief Find a random multiple of a point in G1
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param type determines type of action to betaken
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param G a point in G2
+ @param W the output =x.G or (1/x).G
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W);
+
+/** @brief Create a client secret in G1 from a master secret and the client ID
+ *
+ @param S is an input master secret
+ @param ID is the input client identity
+ @param CS is the full client secret = s.H(ID)
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS);
+
+/** @brief Create a Time Permit in G1 from a master secret and the client ID
+ *
+ @param h is the hash type
+ @param d is input date, in days since the epoch.
+ @param S is an input master secret
+ @param ID is the input client identity
+ @param TP is a Time Permit for the given date = s.H(d|H(ID))
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP);
+
+/** @brief Create a server secret in G2 from a master secret
+ *
+ @param S is an input master secret
+ @param SS is the server secret = s.Q where Q is a fixed generator of G2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS);
+
+/* For M-Pin Full */
+/** @brief Precompute values for use by the client side of M-Pin Full
+ *
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param ID is the input client identity
+ @param CP is Public Key (or NULL)
+ @param g1 precomputed output
+ @param g2 precomputed output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2);
+
+/** @brief Calculate Key on Server side for M-Pin Full
+ *
+ Uses UT internally for the key calculation, unless not available in which case U is used
+ @param h is the hash type
+ @param Z is the input Client-side Diffie-Hellman component
+ @param SS is the input server secret
+ @param w is an input random number generated by the server
+ @param p is an input, hash of the protocol transcript
+ @param I is the hashed input client ID = H(ID)
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param K is the output calculated shared key
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K);
+
+/** @brief Calculate Key on Client side for M-Pin Full
+ *
+ @param h is the hash type
+ @param g1 precomputed input
+ @param g2 precomputed input
+ @param pin is the input PIN number
+ @param r is an input, a locally generated random number
+ @param x is an input, a locally generated random number
+ @param p is an input, hash of the protocol transcript
+ @param T is the input Server-side Diffie-Hellman component
+ @param K is the output calculated shared key
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K);
+
+/** @brief Generates a random public key for the client z.Q
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input
+ @param Pa the output public key for the client
+ */
+int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa);
+
+#endif
+
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/mpin192.h.in
----------------------------------------------------------------------
diff --git a/include/mpin192.h.in b/include/mpin192.h.in
new file mode 100644
index 0000000..dbb980a
--- /dev/null
+++ b/include/mpin192.h.in
@@ -0,0 +1,358 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/**
+ * @file mpin192_ZZZ.h
+ * @author Mike Scott and Kealan McCusker
+ * @date 2nd June 2015
+ * @brief M-Pin 192 Header file
+ *
+ * Allows some user configuration
+ * defines structures
+ * declares functions
+ *
+ */
+
+#ifndef MPIN_ZZZ_H
+#define MPIN_ZZZ_H
+
+#include "pair192_ZZZ.h"
+#include "pbc_support.h"
+
+/* Field size is assumed to be greater than or equal to group size */
+
+#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */
+#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */
+
+#define MPIN_OK 0 /**< Function completed without error */
+#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */
+#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */
+
+#define MAXPIN @AMCL_MAXPIN@ /**< max PIN */
+#define PBLEN @AMCL_PBLEN@ /**< max length of PIN in bits */
+
+#define MESSAGE_SIZE 256 /**< Signature message size */
+#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */
+
+
+/* MPIN support functions */
+
+/* MPIN primitives */
+
+/** @brief Generate Y=H(t,O), where t is epoch time, O is an octet, and H(.) is a hash function
+ *
+ @param h is the hash type
+ @param t is epoch time in seconds
+ @param O is an input octet
+ @param Y is the output octet
+*/
+void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y);
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param factor is an input factor
+ @param facbits is the number of bits in the factor
+ @param CS is the client secret from which the factor is to be extracted
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS);
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param factor is an input factor
+ @param facbits is the number of bits in the factor
+ @param CS is the client secret to which the factor is to be added
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS);
+
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param pin is an input PIN number
+ @param CS is the client secret from which the PIN is to be extracted
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS);
+
+/** @brief Perform client side of the one-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input client identity
+ @param R is a pointer to a cryptographically secure random number generator
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param pin is the input PIN number
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit
+ @param U is output = x.H(ID)
+ @param UT is output = x.(H(ID)+H(d|H(ID)))
+ @param TP is the input time permit
+ @param MESSAGE is the message to be signed
+ @param t is input epoch time in seconds - a timestamp
+ @param y is output H(t|U) or H(t|UT) if Time Permits enabled
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y);
+
+/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input client identity
+ @param R is a pointer to a cryptographically secure random number generator
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param pin is the input PIN number
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit
+ @param U is output = x.H(ID)
+ @param UT is output = x.(H(ID)+H(d|H(ID)))
+ @param TP is the input time permit
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP);
+
+/** @brief Generate a random group element
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param S is the output random octet
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S);
+
+/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol
+ *
+ @param x an input, a locally generated random number
+ @param y an input random challenge from the server
+ @param V on output = -(x+y).V
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V);
+
+/** @brief Perform server side of the one-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param HID is output H(ID), a hash of the client ID
+ @param HTID is output H(ID)+H(d|H(ID))
+ @param y is output H(t|U) or H(t|UT) if Time Permits enabled
+ @param SS is the input server secret
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param V is an input from the client
+ @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param ID is the input claimed client identity
+ @param MESSAGE is the message to be signed
+ @param t is input epoch time in seconds - a timestamp
+ @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa);
+
+/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol
+ *
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input claimed client identity
+ @param HID is output H(ID), a hash of the client ID
+ @param HTID is output H(ID)+H(d|H(ID))
+ @return 0 or an error code
+ */
+void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID);
+
+/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required.
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param HID is input H(ID), a hash of the client ID
+ @param HTID is input H(ID)+H(d|H(ID))
+ @param y is the input server's randomly generated challenge
+ @param SS is the input server secret
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param V is an input from the client
+ @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa);
+
+/** @brief Add two members from the group G1
+ *
+ @param Q1 an input member of G1
+ @param Q2 an input member of G1
+ @param Q an output member of G1 = Q1+Q2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q);
+
+/** @brief Add two members from the group G2
+ *
+ @param P1 an input member of G2
+ @param P2 an input member of G2
+ @param P an output member of G2 = P1+P2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P);
+
+/** @brief Use Kangaroos to find PIN error
+ *
+ @param E a member of the group GT
+ @param F a member of the group GT = E^e
+ @return 0 if Kangaroos failed, or the PIN error e
+ */
+int MPIN_ZZZ_KANGAROO(octet *E,octet *F);
+
+/** @brief Encoding of a Time Permit to make it indistinguishable from a random string
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param TP is the input time permit, obfuscated on output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_ENCODING(csprng *R,octet *TP);
+
+/** @brief Encoding of an obfuscated Time Permit
+ *
+ @param TP is the input obfuscated time permit, restored on output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_DECODING(octet *TP);
+
+/** @brief Find a random multiple of a point in G1
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param type determines type of action to be taken
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param G if type=0 a point in G1, else an octet to be mapped to G1
+ @param W the output =x.G or x.M(G), where M(.) is a mapping
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W);
+
+/** @brief Find a random multiple of a point in G1
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param type determines type of action to betaken
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param G a point in G2
+ @param W the output =x.G or (1/x).G
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W);
+
+/** @brief Create a client secret in G1 from a master secret and the client ID
+ *
+ @param S is an input master secret
+ @param ID is the input client identity
+ @param CS is the full client secret = s.H(ID)
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS);
+
+/** @brief Create a Time Permit in G1 from a master secret and the client ID
+ *
+ @param h is the hash type
+ @param d is input date, in days since the epoch.
+ @param S is an input master secret
+ @param ID is the input client identity
+ @param TP is a Time Permit for the given date = s.H(d|H(ID))
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP);
+
+/** @brief Create a server secret in G2 from a master secret
+ *
+ @param S is an input master secret
+ @param SS is the server secret = s.Q where Q is a fixed generator of G2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS);
+
+/* For M-Pin Full */
+/** @brief Precompute values for use by the client side of M-Pin Full
+ *
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param ID is the input client identity
+ @param CP is Public Key (or NULL)
+ @param g1 precomputed output
+ @param g2 precomputed output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2);
+
+/** @brief Calculate Key on Server side for M-Pin Full
+ *
+ Uses UT internally for the key calculation, unless not available in which case U is used
+ @param h is the hash type
+ @param Z is the input Client-side Diffie-Hellman component
+ @param SS is the input server secret
+ @param w is an input random number generated by the server
+ @param p is an input, hash of the protocol transcript
+ @param I is the hashed input client ID = H(ID)
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param K is the output calculated shared key
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K);
+
+/** @brief Calculate Key on Client side for M-Pin Full
+ *
+ @param h is the hash type
+ @param g1 precomputed input
+ @param g2 precomputed input
+ @param pin is the input PIN number
+ @param r is an input, a locally generated random number
+ @param x is an input, a locally generated random number
+ @param p is an input, hash of the protocol transcript
+ @param T is the input Server-side Diffie-Hellman component
+ @param K is the output calculated shared key
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K);
+
+/** @brief Generates a random public key for the client z.Q
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input
+ @param Pa the output public key for the client
+ */
+int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa);
+
+#endif
+
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/mpin256.h.in
----------------------------------------------------------------------
diff --git a/include/mpin256.h.in b/include/mpin256.h.in
new file mode 100644
index 0000000..d66149a
--- /dev/null
+++ b/include/mpin256.h.in
@@ -0,0 +1,358 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/**
+ * @file mpin256_ZZZ.h
+ * @author Mike Scott and Kealan McCusker
+ * @date 2nd June 2015
+ * @brief M-Pin 256 Header file
+ *
+ * Allows some user configuration
+ * defines structures
+ * declares functions
+ *
+ */
+
+#ifndef MPIN_ZZZ_H
+#define MPIN_ZZZ_H
+
+#include "pair256_ZZZ.h"
+#include "pbc_support.h"
+
+
+/* Field size is assumed to be greater than or equal to group size */
+
+#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */
+#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */
+
+#define MPIN_OK 0 /**< Function completed without error */
+#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */
+#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */
+
+#define MAXPIN @AMCL_MAXPIN@ /**< max PIN */
+#define PBLEN @AMCL_PBLEN@ /**< max length of PIN in bits */
+
+#define MESSAGE_SIZE 256 /**< Signature message size */
+#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */
+
+/* MPIN support functions */
+
+/* MPIN primitives */
+
+/** @brief Generate Y=H(t,O), where t is epoch time, O is an octet, and H(.) is a hash function
+ *
+ @param h is the hash type
+ @param t is epoch time in seconds
+ @param O is an input octet
+ @param Y is the output octet
+*/
+void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y);
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param factor is an input factor
+ @param facbits is the number of bits in the factor
+ @param CS is the client secret from which the factor is to be extracted
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS);
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param factor is an input factor
+ @param facbits is the number of bits in the factor
+ @param CS is the client secret to which the factor is to be added
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS);
+
+
+/** @brief Extract a PIN number from a client secret
+ *
+ @param h is the hash type
+ @param ID is the input client identity
+ @param pin is an input PIN number
+ @param CS is the client secret from which the PIN is to be extracted
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS);
+
+/** @brief Perform client side of the one-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input client identity
+ @param R is a pointer to a cryptographically secure random number generator
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param pin is the input PIN number
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit
+ @param U is output = x.H(ID)
+ @param UT is output = x.(H(ID)+H(d|H(ID)))
+ @param TP is the input time permit
+ @param MESSAGE is the message to be signed
+ @param t is input epoch time in seconds - a timestamp
+ @param y is output H(t|U) or H(t|UT) if Time Permits enabled
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y);
+
+/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input client identity
+ @param R is a pointer to a cryptographically secure random number generator
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param pin is the input PIN number
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit
+ @param U is output = x.H(ID)
+ @param UT is output = x.(H(ID)+H(d|H(ID)))
+ @param TP is the input time permit
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP);
+
+/** @brief Generate a random group element
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param S is the output random octet
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S);
+
+/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol
+ *
+ @param x an input, a locally generated random number
+ @param y an input random challenge from the server
+ @param V on output = -(x+y).V
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V);
+
+/** @brief Perform server side of the one-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required.
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param HID is output H(ID), a hash of the client ID
+ @param HTID is output H(ID)+H(d|H(ID))
+ @param y is output H(t|U) or H(t|UT) if Time Permits enabled
+ @param SS is the input server secret
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param V is an input from the client
+ @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param ID is the input claimed client identity
+ @param MESSAGE is the message to be signed
+ @param t is input epoch time in seconds - a timestamp
+ @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa);
+
+/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol
+ *
+ @param h is the hash type
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param ID is the input claimed client identity
+ @param HID is output H(ID), a hash of the client ID
+ @param HTID is output H(ID)+H(d|H(ID))
+ @return 0 or an error code
+ */
+void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID);
+
+/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol
+ *
+ If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL.
+ If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required.
+ @param d is input date, in days since the epoch. Set to 0 if Time permits disabled
+ @param HID is input H(ID), a hash of the client ID
+ @param HTID is input H(ID)+H(d|H(ID))
+ @param y is the input server's randomly generated challenge
+ @param SS is the input server secret
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param V is an input from the client
+ @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required
+ @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa);
+
+/** @brief Add two members from the group G1
+ *
+ @param Q1 an input member of G1
+ @param Q2 an input member of G1
+ @param Q an output member of G1 = Q1+Q2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q);
+
+/** @brief Add two members from the group G2
+ *
+ @param P1 an input member of G2
+ @param P2 an input member of G2
+ @param P an output member of G2 = P1+P2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P);
+
+/** @brief Use Kangaroos to find PIN error
+ *
+ @param E a member of the group GT
+ @param F a member of the group GT = E^e
+ @return 0 if Kangaroos failed, or the PIN error e
+ */
+int MPIN_ZZZ_KANGAROO(octet *E,octet *F);
+
+/** @brief Encoding of a Time Permit to make it indistinguishable from a random string
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param TP is the input time permit, obfuscated on output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_ENCODING(csprng *R,octet *TP);
+
+/** @brief Encoding of an obfuscated Time Permit
+ *
+ @param TP is the input obfuscated time permit, restored on output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_DECODING(octet *TP);
+
+/** @brief Find a random multiple of a point in G1
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param type determines type of action to be taken
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param G if type=0 a point in G1, else an octet to be mapped to G1
+ @param W the output =x.G or x.M(G), where M(.) is a mapping
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W);
+
+/** @brief Find a random multiple of a point in G1
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param type determines type of action to betaken
+ @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
+ @param G a point in G2
+ @param W the output =x.G or (1/x).G
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W);
+
+/** @brief Create a client secret in G1 from a master secret and the client ID
+ *
+ @param S is an input master secret
+ @param ID is the input client identity
+ @param CS is the full client secret = s.H(ID)
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS);
+
+/** @brief Create a Time Permit in G1 from a master secret and the client ID
+ *
+ @param h is the hash type
+ @param d is input date, in days since the epoch.
+ @param S is an input master secret
+ @param ID is the input client identity
+ @param TP is a Time Permit for the given date = s.H(d|H(ID))
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP);
+
+/** @brief Create a server secret in G2 from a master secret
+ *
+ @param S is an input master secret
+ @param SS is the server secret = s.Q where Q is a fixed generator of G2
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS);
+
+/* For M-Pin Full */
+/** @brief Precompute values for use by the client side of M-Pin Full
+ *
+ @param T is the input M-Pin token (the client secret with PIN portion removed)
+ @param ID is the input client identity
+ @param CP is Public Key (or NULL)
+ @param g1 precomputed output
+ @param g2 precomputed output
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2);
+
+/** @brief Calculate Key on Server side for M-Pin Full
+ *
+ Uses UT internally for the key calculation, unless not available in which case U is used
+ @param h is the hash type
+ @param Z is the input Client-side Diffie-Hellman component
+ @param SS is the input server secret
+ @param w is an input random number generated by the server
+ @param p is an input, hash of the protocol transcript
+ @param I is the hashed input client ID = H(ID)
+ @param U is input from the client = x.H(ID)
+ @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
+ @param K is the output calculated shared key
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K);
+
+/** @brief Calculate Key on Client side for M-Pin Full
+ *
+ @param h is the hash type
+ @param g1 precomputed input
+ @param g2 precomputed input
+ @param pin is the input PIN number
+ @param r is an input, a locally generated random number
+ @param x is an input, a locally generated random number
+ @param p is an input, hash of the protocol transcript
+ @param T is the input Server-side Diffie-Hellman component
+ @param K is the output calculated shared key
+ @return 0 or an error code
+ */
+int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K);
+
+/** @brief Generates a random public key for the client z.Q
+ *
+ @param R is a pointer to a cryptographically secure random number generator
+ @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input
+ @param Pa the output public key for the client
+ */
+int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa);
+
+#endif
+
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/pair.h.in
----------------------------------------------------------------------
diff --git a/include/pair.h.in b/include/pair.h.in
new file mode 100644
index 0000000..ef065e5
--- /dev/null
+++ b/include/pair.h.in
@@ -0,0 +1,103 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/
+
+/**
+ * @file pair_ZZZ.h
+ * @author Mike Scott
+ * @brief PAIR Header File
+ *
+ */
+
+#ifndef PAIR_ZZZ_H
+#define PAIR_ZZZ_H
+
+#include "fp12_YYY.h"
+#include "ecp2_ZZZ.h"
+#include "ecp_ZZZ.h"
+
+/* Pairing constants */
+
+extern const BIG_XXX CURVE_Bnx_ZZZ; /**< BN curve x parameter */
+extern const BIG_XXX CURVE_Cru_ZZZ; /**< BN curve Cube Root of Unity */
+
+extern const BIG_XXX CURVE_W_ZZZ[2]; /**< BN curve constant for GLV decomposition */
+extern const BIG_XXX CURVE_SB_ZZZ[2][2]; /**< BN curve constant for GLV decomposition */
+extern const BIG_XXX CURVE_WB_ZZZ[4]; /**< BN curve constant for GS decomposition */
+extern const BIG_XXX CURVE_BB_ZZZ[4][4]; /**< BN curve constant for GS decomposition */
+
+/* Pairing function prototypes */
+/** @brief Calculate Miller loop for Optimal ATE pairing e(P,Q)
+ *
+ @param r FP12 result of the pairing calculation e(P,Q)
+ @param P ECP2 instance, an element of G2
+ @param Q ECP instance, an element of G1
+
+ */
+extern void PAIR_ZZZ_ate(FP12_YYY *r,ECP2_ZZZ *P,ECP_ZZZ *Q);
+/** @brief Calculate Miller loop for Optimal ATE double-pairing e(P,Q).e(R,S)
+ *
+ Faster than calculating two separate pairings
+ @param r FP12 result of the pairing calculation e(P,Q).e(R,S), an element of GT
+ @param P ECP2 instance, an element of G2
+ @param Q ECP instance, an element of G1
+ @param R ECP2 instance, an element of G2
+ @param S ECP instance, an element of G1
+ */
+extern void PAIR_ZZZ_double_ate(FP12_YYY *r,ECP2_ZZZ *P,ECP_ZZZ *Q,ECP2_ZZZ *R,ECP_ZZZ *S);
+/** @brief Final exponentiation of pairing, converts output of Miller loop to element in GT
+ *
+ Here p is the internal modulus, and r is the group order
+ @param x FP12, on exit = x^((p^12-1)/r)
+ */
+extern void PAIR_ZZZ_fexp(FP12_YYY *x);
+/** @brief Fast point multiplication of a member of the group G1 by a BIG number
+ *
+ May exploit endomorphism for speed.
+ @param Q ECP member of G1.
+ @param b BIG multiplier
+
+ */
+extern void PAIR_ZZZ_G1mul(ECP_ZZZ *Q,BIG_XXX b);
+/** @brief Fast point multiplication of a member of the group G2 by a BIG number
+ *
+ May exploit endomorphism for speed.
+ @param P ECP2 member of G1.
+ @param b BIG multiplier
+
+ */
+extern void PAIR_ZZZ_G2mul(ECP2_ZZZ *P,BIG_XXX b);
+/** @brief Fast raising of a member of GT to a BIG power
+ *
+ May exploit endomorphism for speed.
+ @param x FP12 member of GT.
+ @param b BIG exponent
+
+ */
+extern void PAIR_ZZZ_GTpow(FP12_YYY *x,BIG_XXX b);
+/** @brief Tests FP12 for membership of GT
+ *
+ @param x FP12 instance
+ @return 1 if x is in GT, else return 0
+
+ */
+extern int PAIR_ZZZ_GTmember(FP12_YYY *x);
+
+
+
+#endif
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/pair192.h.in
----------------------------------------------------------------------
diff --git a/include/pair192.h.in b/include/pair192.h.in
new file mode 100644
index 0000000..2e50d51
--- /dev/null
+++ b/include/pair192.h.in
@@ -0,0 +1,77 @@
+#ifndef PAIR192_ZZZ_H
+#define PAIR192_ZZZ_H
+
+#include "fp24_YYY.h"
+#include "ecp4_ZZZ.h"
+#include "ecp_ZZZ.h"
+
+
+/* Pairing constants */
+
+extern const BIG_XXX CURVE_Bnx_ZZZ; /**< BN curve x parameter */
+extern const BIG_XXX CURVE_Cru_ZZZ; /**< BN curve Cube Root of Unity */
+
+extern const BIG_XXX CURVE_W_ZZZ[2]; /**< BN curve constant for GLV decomposition */
+extern const BIG_XXX CURVE_SB_ZZZ[2][2]; /**< BN curve constant for GLV decomposition */
+extern const BIG_XXX CURVE_WB_ZZZ[4]; /**< BN curve constant for GS decomposition */
+extern const BIG_XXX CURVE_BB_ZZZ[4][4]; /**< BN curve constant for GS decomposition */
+
+/* Pairing function prototypes */
+/** @brief Calculate Miller loop for Optimal ATE pairing e(P,Q)
+ *
+ @param r FP24 result of the pairing calculation e(P,Q)
+ @param P ECP4 instance, an element of G2
+ @param Q ECP instance, an element of G1
+
+ */
+extern void PAIR_ZZZ_ate(FP24_YYY *r,ECP4_ZZZ *P,ECP_ZZZ *Q);
+/** @brief Calculate Miller loop for Optimal ATE double-pairing e(P,Q).e(R,S)
+ *
+ Faster than calculating two separate pairings
+ @param r FP24 result of the pairing calculation e(P,Q).e(R,S), an element of GT
+ @param P ECP4 instance, an element of G2
+ @param Q ECP instance, an element of G1
+ @param R ECP4 instance, an element of G2
+ @param S ECP instance, an element of G1
+ */
+extern void PAIR_ZZZ_double_ate(FP24_YYY *r,ECP4_ZZZ *P,ECP_ZZZ *Q,ECP4_ZZZ *R,ECP_ZZZ *S);
+/** @brief Final exponentiation of pairing, converts output of Miller loop to element in GT
+ *
+ Here p is the internal modulus, and r is the group order
+ @param x FP24, on exit = x^((p^12-1)/r)
+ */
+extern void PAIR_ZZZ_fexp(FP24_YYY *x);
+/** @brief Fast point multiplication of a member of the group G1 by a BIG number
+ *
+ May exploit endomorphism for speed.
+ @param Q ECP member of G1.
+ @param b BIG multiplier
+
+ */
+extern void PAIR_ZZZ_G1mul(ECP_ZZZ *Q,BIG_XXX b);
+/** @brief Fast point multiplication of a member of the group G2 by a BIG number
+ *
+ May exploit endomorphism for speed.
+ @param P ECP4 member of G1.
+ @param b BIG multiplier
+
+ */
+extern void PAIR_ZZZ_G2mul(ECP4_ZZZ *P,BIG_XXX b);
+/** @brief Fast raising of a member of GT to a BIG power
+ *
+ May exploit endomorphism for speed.
+ @param x FP24 member of GT.
+ @param b BIG exponent
+
+ */
+extern void PAIR_ZZZ_GTpow(FP24_YYY *x,BIG_XXX b);
+/** @brief Tests FP24 for membership of GT
+ *
+ @param x FP24 instance
+ @return 1 if x is in GT, else return 0
+
+ */
+extern int PAIR_ZZZ_GTmember(FP24_YYY *x);
+
+
+#endif
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/pair256.h.in
----------------------------------------------------------------------
diff --git a/include/pair256.h.in b/include/pair256.h.in
new file mode 100644
index 0000000..d270f76
--- /dev/null
+++ b/include/pair256.h.in
@@ -0,0 +1,77 @@
+#ifndef PAIR256_ZZZ_H
+#define PAIR256_ZZZ_H
+
+#include "fp48_YYY.h"
+#include "ecp8_ZZZ.h"
+#include "ecp_ZZZ.h"
+
+
+/* Pairing constants */
+
+extern const BIG_XXX CURVE_Bnx_ZZZ; /**< BN curve x parameter */
+extern const BIG_XXX CURVE_Cru_ZZZ; /**< BN curve Cube Root of Unity */
+
+extern const BIG_XXX CURVE_W_ZZZ[2]; /**< BN curve constant for GLV decomposition */
+extern const BIG_XXX CURVE_SB_ZZZ[2][2]; /**< BN curve constant for GLV decomposition */
+extern const BIG_XXX CURVE_WB_ZZZ[4]; /**< BN curve constant for GS decomposition */
+extern const BIG_XXX CURVE_BB_ZZZ[4][4]; /**< BN curve constant for GS decomposition */
+
+/* Pairing function prototypes */
+/** @brief Calculate Miller loop for Optimal ATE pairing e(P,Q)
+ *
+ @param r FP48 result of the pairing calculation e(P,Q)
+ @param P ECP8 instance, an element of G2
+ @param Q ECP instance, an element of G1
+
+ */
+extern void PAIR_ZZZ_ate(FP48_YYY *r,ECP8_ZZZ *P,ECP_ZZZ *Q);
+/** @brief Calculate Miller loop for Optimal ATE double-pairing e(P,Q).e(R,S)
+ *
+ Faster than calculating two separate pairings
+ @param r FP48 result of the pairing calculation e(P,Q).e(R,S), an element of GT
+ @param P ECP8 instance, an element of G2
+ @param Q ECP instance, an element of G1
+ @param R ECP8 instance, an element of G2
+ @param S ECP instance, an element of G1
+ */
+extern void PAIR_ZZZ_double_ate(FP48_YYY *r,ECP8_ZZZ *P,ECP_ZZZ *Q,ECP8_ZZZ *R,ECP_ZZZ *S);
+/** @brief Final exponentiation of pairing, converts output of Miller loop to element in GT
+ *
+ Here p is the internal modulus, and r is the group order
+ @param x FP48, on exit = x^((p^12-1)/r)
+ */
+extern void PAIR_ZZZ_fexp(FP48_YYY *x);
+/** @brief Fast point multiplication of a member of the group G1 by a BIG number
+ *
+ May exploit endomorphism for speed.
+ @param Q ECP member of G1.
+ @param b BIG multiplier
+
+ */
+extern void PAIR_ZZZ_G1mul(ECP_ZZZ *Q,BIG_XXX b);
+/** @brief Fast point multiplication of a member of the group G2 by a BIG number
+ *
+ May exploit endomorphism for speed.
+ @param P ECP8 member of G1.
+ @param b BIG multiplier
+
+ */
+extern void PAIR_ZZZ_G2mul(ECP8_ZZZ *P,BIG_XXX b);
+/** @brief Fast raising of a member of GT to a BIG power
+ *
+ May exploit endomorphism for speed.
+ @param x FP48 member of GT.
+ @param b BIG exponent
+
+ */
+extern void PAIR_ZZZ_GTpow(FP48_YYY *x,BIG_XXX b);
+/** @brief Tests FP48 for membership of GT
+ *
+ @param x FP48 instance
+ @return 1 if x is in GT, else return 0
+
+ */
+extern int PAIR_ZZZ_GTmember(FP48_YYY *x);
+
+
+#endif