[09/12] incubator-milagro-crypto git commit: MILAGRO-14.Updating package name with apache git

[sa...@apache.org]

http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/FP12.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/FP12.go b/go/amcl-go/FP12.go
new file mode 100644
index 0000000..8e9cb4c
--- /dev/null
+++ b/go/amcl-go/FP12.go
@@ -0,0 +1,654 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/* AMCL Fp^12 functions */
+/* FP12 elements are of the form a+i.b+i^2.c */
+
+package amcl
+
+//import "fmt"
+
+type FP12 struct {
+	a *FP4
+	b *FP4
+	c *FP4
+}
+
+/* Constructors */
+func NewFP12fp4(d *FP4) *FP12 {
+	F := new(FP12)
+	F.a = NewFP4copy(d)
+	F.b = NewFP4int(0)
+	F.c = NewFP4int(0)
+	return F
+}
+
+func NewFP12int(d int) *FP12 {
+	F := new(FP12)
+	F.a = NewFP4int(d)
+	F.b = NewFP4int(0)
+	F.c = NewFP4int(0)
+	return F
+}
+
+func NewFP12fp4s(d *FP4, e *FP4, f *FP4) *FP12 {
+	F := new(FP12)
+	F.a = NewFP4copy(d)
+	F.b = NewFP4copy(e)
+	F.c = NewFP4copy(f)
+	return F
+}
+
+func NewFP12copy(x *FP12) *FP12 {
+	F := new(FP12)
+	F.a = NewFP4copy(x.a)
+	F.b = NewFP4copy(x.b)
+	F.c = NewFP4copy(x.c)
+	return F
+}
+
+/* reduce all components of this mod Modulus */
+func (F *FP12) reduce() {
+	F.a.reduce()
+	F.b.reduce()
+	F.c.reduce()
+}
+
+/* normalise all components of this */
+func (F *FP12) norm() {
+	F.a.norm()
+	F.b.norm()
+	F.c.norm()
+}
+
+/* test x==0 ? */
+func (F *FP12) iszilch() bool {
+	F.reduce()
+	return (F.a.iszilch() && F.b.iszilch() && F.c.iszilch())
+}
+
+/* test x==1 ? */
+func (F *FP12) isunity() bool {
+	one := NewFP4int(1)
+	return (F.a.equals(one) && F.b.iszilch() && F.c.iszilch())
+}
+
+/* return 1 if x==y, else 0 */
+func (F *FP12) equals(x *FP12) bool {
+	return (F.a.equals(x.a) && F.b.equals(x.b) && F.c.equals(x.c))
+}
+
+/* extract a from this */
+func (F *FP12) geta() *FP4 {
+	return F.a
+}
+
+/* extract b */
+func (F *FP12) getb() *FP4 {
+	return F.b
+}
+
+/* extract c */
+func (F *FP12) getc() *FP4 {
+	return F.c
+}
+
+/* copy this=x */
+func (F *FP12) copy(x *FP12) {
+	F.a.copy(x.a)
+	F.b.copy(x.b)
+	F.c.copy(x.c)
+}
+
+/* set this=1 */
+func (F *FP12) one() {
+	F.a.one()
+	F.b.zero()
+	F.c.zero()
+}
+
+/* this=conj(this) */
+func (F *FP12) conj() {
+	F.a.conj()
+	F.b.nconj()
+	F.c.conj()
+}
+
+/* Granger-Scott Unitary Squaring */
+func (F *FP12) usqr() {
+	A := NewFP4copy(F.a)
+	B := NewFP4copy(F.c)
+	C := NewFP4copy(F.b)
+	D := NewFP4int(0)
+
+	F.a.sqr()
+	D.copy(F.a)
+	D.add(F.a)
+	F.a.add(D)
+
+	//		a.norm();
+	A.nconj()
+
+	A.add(A)
+	F.a.add(A)
+	B.sqr()
+	B.times_i()
+
+	D.copy(B)
+	D.add(B)
+	B.add(D)
+	//		B.norm();
+
+	C.sqr()
+	D.copy(C)
+	D.add(C)
+	C.add(D)
+	//		C.norm();
+
+	F.b.conj()
+	F.b.add(F.b)
+	F.c.nconj()
+
+	F.c.add(F.c)
+	F.b.add(B)
+	F.c.add(C)
+	F.reduce()
+
+}
+
+/* Chung-Hasan SQR2 method from http://cacr.uwaterloo.ca/techreports/2006/cacr2006-24.pdf */
+func (F *FP12) sqr() {
+	A := NewFP4copy(F.a)
+	B := NewFP4copy(F.b)
+	C := NewFP4copy(F.c)
+	D := NewFP4copy(F.a)
+
+	A.sqr()
+	B.mul(F.c)
+	B.add(B)
+	C.sqr()
+	D.mul(F.b)
+	D.add(D)
+
+	F.c.add(F.a)
+	F.c.add(F.b)
+	F.c.sqr()
+
+	F.a.copy(A)
+
+	A.add(B)
+	//		A.norm();
+	A.add(C)
+	A.add(D)
+	//		A.norm();
+
+	A.neg()
+	B.times_i()
+	C.times_i()
+
+	F.a.add(B)
+
+	F.b.copy(C)
+	F.b.add(D)
+	F.c.add(A)
+	F.norm()
+}
+
+/* FP12 full multiplication this=this*y */
+func (F *FP12) mul(y *FP12) {
+	z0 := NewFP4copy(F.a)
+	z1 := NewFP4int(0)
+	z2 := NewFP4copy(F.b)
+	z3 := NewFP4int(0)
+	t0 := NewFP4copy(F.a)
+	t1 := NewFP4copy(y.a)
+
+	z0.mul(y.a)
+	z2.mul(y.b)
+
+	t0.add(F.b)
+	t1.add(y.b)
+
+	z1.copy(t0)
+	z1.mul(t1)
+	t0.copy(F.b)
+	t0.add(F.c)
+
+	t1.copy(y.b)
+	t1.add(y.c)
+	z3.copy(t0)
+	z3.mul(t1)
+
+	t0.copy(z0)
+	t0.neg()
+	t1.copy(z2)
+	t1.neg()
+
+	z1.add(t0)
+	//		z1.norm();
+	F.b.copy(z1)
+	F.b.add(t1)
+
+	z3.add(t1)
+	z2.add(t0)
+
+	t0.copy(F.a)
+	t0.add(F.c)
+	t1.copy(y.a)
+	t1.add(y.c)
+	t0.mul(t1)
+	z2.add(t0)
+
+	t0.copy(F.c)
+	t0.mul(y.c)
+	t1.copy(t0)
+	t1.neg()
+
+	//		z2.norm();
+	//		z3.norm();
+	//		b.norm();
+
+	F.c.copy(z2)
+	F.c.add(t1)
+	z3.add(t1)
+	t0.times_i()
+	F.b.add(t0)
+
+	z3.times_i()
+	F.a.copy(z0)
+	F.a.add(z3)
+	F.norm()
+}
+
+/* Special case of multiplication arises from special form of ATE pairing line function */
+func (F *FP12) smul(y *FP12) {
+	z0 := NewFP4copy(F.a)
+	z2 := NewFP4copy(F.b)
+	z3 := NewFP4copy(F.b)
+	t0 := NewFP4int(0)
+	t1 := NewFP4copy(y.a)
+
+	z0.mul(y.a)
+	z2.pmul(y.b.real())
+	F.b.add(F.a)
+	t1.real().add(y.b.real())
+
+	F.b.mul(t1)
+	z3.add(F.c)
+	z3.pmul(y.b.real())
+
+	t0.copy(z0)
+	t0.neg()
+	t1.copy(z2)
+	t1.neg()
+
+	F.b.add(t0)
+	//		b.norm();
+
+	F.b.add(t1)
+	z3.add(t1)
+	z2.add(t0)
+
+	t0.copy(F.a)
+	t0.add(F.c)
+	t0.mul(y.a)
+	F.c.copy(z2)
+	F.c.add(t0)
+
+	z3.times_i()
+	F.a.copy(z0)
+	F.a.add(z3)
+
+	F.norm()
+}
+
+/* this=1/this */
+func (F *FP12) inverse() {
+	f0 := NewFP4copy(F.a)
+	f1 := NewFP4copy(F.b)
+	f2 := NewFP4copy(F.a)
+	f3 := NewFP4int(0)
+
+	F.norm()
+	f0.sqr()
+	f1.mul(F.c)
+	f1.times_i()
+	f0.sub(f1)
+
+	f1.copy(F.c)
+	f1.sqr()
+	f1.times_i()
+	f2.mul(F.b)
+	f1.sub(f2)
+
+	f2.copy(F.b)
+	f2.sqr()
+	f3.copy(F.a)
+	f3.mul(F.c)
+	f2.sub(f3)
+
+	f3.copy(F.b)
+	f3.mul(f2)
+	f3.times_i()
+	F.a.mul(f0)
+	f3.add(F.a)
+	F.c.mul(f1)
+	F.c.times_i()
+
+	f3.add(F.c)
+	f3.inverse()
+	F.a.copy(f0)
+	F.a.mul(f3)
+	F.b.copy(f1)
+	F.b.mul(f3)
+	F.c.copy(f2)
+	F.c.mul(f3)
+}
+
+/* this=this^p using Frobenius */
+func (F *FP12) frob(f *FP2) {
+	f2 := NewFP2copy(f)
+	f3 := NewFP2copy(f)
+
+	f2.sqr()
+	f3.mul(f2)
+
+	F.a.frob(f3)
+	F.b.frob(f3)
+	F.c.frob(f3)
+
+	F.b.pmul(f)
+	F.c.pmul(f2)
+}
+
+/* trace function */
+func (F *FP12) trace() *FP4 {
+	t := NewFP4int(0)
+	t.copy(F.a)
+	t.imul(3)
+	t.reduce()
+	return t
+}
+
+/* convert from byte array to FP12 */
+func FP12_fromBytes(w []byte) *FP12 {
+	var t [int(MODBYTES)]byte
+	MB := int(MODBYTES)
+
+	for i := 0; i < MB; i++ {
+		t[i] = w[i]
+	}
+	a := fromBytes(t[:])
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+MB]
+	}
+	b := fromBytes(t[:])
+	c := NewFP2bigs(a, b)
+
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+2*MB]
+	}
+	a = fromBytes(t[:])
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+3*MB]
+	}
+	b = fromBytes(t[:])
+	d := NewFP2bigs(a, b)
+
+	e := NewFP4fp2s(c, d)
+
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+4*MB]
+	}
+	a = fromBytes(t[:])
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+5*MB]
+	}
+	b = fromBytes(t[:])
+	c = NewFP2bigs(a, b)
+
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+6*MB]
+	}
+	a = fromBytes(t[:])
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+7*MB]
+	}
+	b = fromBytes(t[:])
+	d = NewFP2bigs(a, b)
+
+	f := NewFP4fp2s(c, d)
+
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+8*MB]
+	}
+	a = fromBytes(t[:])
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+9*MB]
+	}
+	b = fromBytes(t[:])
+
+	c = NewFP2bigs(a, b)
+
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+10*MB]
+	}
+	a = fromBytes(t[:])
+	for i := 0; i < MB; i++ {
+		t[i] = w[i+11*MB]
+	}
+	b = fromBytes(t[:])
+	d = NewFP2bigs(a, b)
+
+	g := NewFP4fp2s(c, d)
+
+	return NewFP12fp4s(e, f, g)
+}
+
+/* convert this to byte array */
+func (F *FP12) toBytes(w []byte) {
+	var t [int(MODBYTES)]byte
+	MB := int(MODBYTES)
+	F.a.geta().getA().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i] = t[i]
+	}
+	F.a.geta().getB().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+MB] = t[i]
+	}
+	F.a.getb().getA().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+2*MB] = t[i]
+	}
+	F.a.getb().getB().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+3*MB] = t[i]
+	}
+
+	F.b.geta().getA().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+4*MB] = t[i]
+	}
+	F.b.geta().getB().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+5*MB] = t[i]
+	}
+	F.b.getb().getA().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+6*MB] = t[i]
+	}
+	F.b.getb().getB().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+7*MB] = t[i]
+	}
+
+	F.c.geta().getA().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+8*MB] = t[i]
+	}
+	F.c.geta().getB().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+9*MB] = t[i]
+	}
+	F.c.getb().getA().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+10*MB] = t[i]
+	}
+	F.c.getb().getB().toBytes(t[:])
+	for i := 0; i < MB; i++ {
+		w[i+11*MB] = t[i]
+	}
+}
+
+/* convert to hex string */
+func (F *FP12) toString() string {
+	return ("[" + F.a.toString() + "," + F.b.toString() + "," + F.c.toString() + "]")
+}
+
+/* this=this^e */
+func (F *FP12) pow(e *BIG) *FP12 {
+	F.norm()
+	e.norm()
+	w := NewFP12copy(F)
+	z := NewBIGcopy(e)
+	r := NewFP12int(1)
+
+	for true {
+		bt := z.parity()
+		z.fshr(1)
+		if bt == 1 {
+			r.mul(w)
+		}
+		if z.iszilch() {
+			break
+		}
+		w.usqr()
+	}
+	r.reduce()
+	return r
+}
+
+/* constant time powering by small integer of max length bts */
+func (F *FP12) pinpow(e int, bts int) {
+	var R []*FP12
+	R = append(R, NewFP12int(1))
+	R = append(R, NewFP12copy(F))
+
+	for i := bts - 1; i >= 0; i-- {
+		b := (e >> uint(i)) & 1
+		R[1-b].mul(R[b])
+		R[b].usqr()
+	}
+	F.copy(R[0])
+}
+
+/* p=q0^u0.q1^u1.q2^u2.q3^u3 */
+/* Timing attack secure, but not cache attack secure */
+
+func pow4(q []*FP12, u []*BIG) *FP12 {
+	var a [4]int8
+	var g []*FP12
+	var s []*FP12
+	c := NewFP12int(1)
+	p := NewFP12int(0)
+	var w [NLEN*int(BASEBITS) + 1]int8
+	var t []*BIG
+	mt := NewBIGint(0)
+
+	for i := 0; i < 4; i++ {
+		t = append(t, NewBIGcopy(u[i]))
+	}
+
+	s = append(s, NewFP12int(0))
+	s = append(s, NewFP12int(0))
+
+	g = append(g, NewFP12copy(q[0]))
+	s[0].copy(q[1])
+	s[0].conj()
+	g[0].mul(s[0])
+	g = append(g, NewFP12copy(g[0]))
+	g = append(g, NewFP12copy(g[0]))
+	g = append(g, NewFP12copy(g[0]))
+	g = append(g, NewFP12copy(q[0]))
+	g[4].mul(q[1])
+	g = append(g, NewFP12copy(g[4]))
+	g = append(g, NewFP12copy(g[4]))
+	g = append(g, NewFP12copy(g[4]))
+
+	s[1].copy(q[2])
+	s[0].copy(q[3])
+	s[0].conj()
+	s[1].mul(s[0])
+	s[0].copy(s[1])
+	s[0].conj()
+	g[1].mul(s[0])
+	g[2].mul(s[1])
+	g[5].mul(s[0])
+	g[6].mul(s[1])
+	s[1].copy(q[2])
+	s[1].mul(q[3])
+	s[0].copy(s[1])
+	s[0].conj()
+	g[0].mul(s[0])
+	g[3].mul(s[1])
+	g[4].mul(s[0])
+	g[7].mul(s[1])
+
+	/* if power is even add 1 to power, and add q to correction */
+
+	for i := 0; i < 4; i++ {
+		if t[i].parity() == 0 {
+			t[i].inc(1)
+			t[i].norm()
+			c.mul(q[i])
+		}
+		mt.add(t[i])
+		mt.norm()
+	}
+	c.conj()
+	nb := 1 + mt.nbits()
+
+	/* convert exponent to signed 1-bit window */
+	for j := 0; j < nb; j++ {
+		for i := 0; i < 4; i++ {
+			a[i] = int8(t[i].lastbits(2) - 2)
+			t[i].dec(int(a[i]))
+			t[i].norm()
+			t[i].fshr(1)
+		}
+		w[j] = (8*a[0] + 4*a[1] + 2*a[2] + a[3])
+	}
+	w[nb] = int8(8*t[0].lastbits(2) + 4*t[1].lastbits(2) + 2*t[2].lastbits(2) + t[3].lastbits(2))
+	p.copy(g[(w[nb]-1)/2])
+
+	for i := nb - 1; i >= 0; i-- {
+		m := w[i] >> 7
+		j := (w[i] ^ m) - m /* j=abs(w[i]) */
+		j = (j - 1) / 2
+		s[0].copy(g[j])
+		s[1].copy(g[j])
+		s[1].conj()
+		p.usqr()
+		p.mul(s[m&1])
+	}
+	p.mul(c) /* apply correction */
+	p.reduce()
+	return p
+}

http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/FP2.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/FP2.go b/go/amcl-go/FP2.go
new file mode 100644
index 0000000..599fbcc
--- /dev/null
+++ b/go/amcl-go/FP2.go
@@ -0,0 +1,324 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/* Finite Field arithmetic  Fp^2 functions */
+
+/* FP2 elements are of the form a+ib, where i is sqrt(-1) */
+
+package amcl
+
+//import "fmt"
+
+type FP2 struct {
+	a *FP
+	b *FP
+}
+
+/* Constructors */
+func NewFP2int(a int) *FP2 {
+	F := new(FP2)
+	F.a = NewFPint(a)
+	F.b = NewFPint(0)
+	return F
+}
+
+func NewFP2copy(x *FP2) *FP2 {
+	F := new(FP2)
+	F.a = NewFPcopy(x.a)
+	F.b = NewFPcopy(x.b)
+	return F
+}
+
+func NewFP2fps(c *FP, d *FP) *FP2 {
+	F := new(FP2)
+	F.a = NewFPcopy(c)
+	F.b = NewFPcopy(d)
+	return F
+}
+
+func NewFP2bigs(c *BIG, d *BIG) *FP2 {
+	F := new(FP2)
+	F.a = NewFPbig(c)
+	F.b = NewFPbig(d)
+	return F
+}
+
+func NewFP2fp(c *FP) *FP2 {
+	F := new(FP2)
+	F.a = NewFPcopy(c)
+	F.b = NewFPint(0)
+	return F
+}
+
+func NewFP2big(c *BIG) *FP2 {
+	F := new(FP2)
+	F.a = NewFPbig(c)
+	F.b = NewFPint(0)
+	return F
+}
+
+/* reduce components mod Modulus */
+func (F *FP2) reduce() {
+	F.a.reduce()
+	F.b.reduce()
+}
+
+/* normalise components of w */
+func (F *FP2) norm() {
+	F.a.norm()
+	F.b.norm()
+}
+
+/* test this=0 ? */
+func (F *FP2) iszilch() bool {
+	F.reduce()
+	return (F.a.iszilch() && F.b.iszilch())
+}
+
+func (F *FP2) cmove(g *FP2, d int32) {
+	F.a.cmove(g.a, d)
+	F.b.cmove(g.b, d)
+}
+
+/* test this=1 ? */
+func (F *FP2) isunity() bool {
+	one := NewFPint(1)
+	return (F.a.equals(one) && F.b.iszilch())
+}
+
+/* test this=x */
+func (F *FP2) equals(x *FP2) bool {
+	return (F.a.equals(x.a) && F.b.equals(x.b))
+}
+
+/* extract a */
+func (F *FP2) getA() *BIG {
+	return F.a.redc()
+}
+
+/* extract b */
+func (F *FP2) getB() *BIG {
+	return F.b.redc()
+}
+
+/* copy this=x */
+func (F *FP2) copy(x *FP2) {
+	F.a.copy(x.a)
+	F.b.copy(x.b)
+}
+
+/* set this=0 */
+func (F *FP2) zero() {
+	F.a.zero()
+	F.b.zero()
+}
+
+/* set this=1 */
+func (F *FP2) one() {
+	F.a.one()
+	F.b.zero()
+}
+
+/* negate this mod Modulus */
+func (F *FP2) neg() {
+	F.norm()
+	m := NewFPcopy(F.a)
+	t := NewFPint(0)
+
+	m.add(F.b)
+	m.neg()
+	m.norm()
+	t.copy(m)
+	t.add(F.b)
+	F.b.copy(m)
+	F.b.add(F.a)
+	F.a.copy(t)
+}
+
+/* set to a-ib */
+func (F *FP2) conj() {
+	F.b.neg()
+}
+
+/* this+=a */
+func (F *FP2) add(x *FP2) {
+	F.a.add(x.a)
+	F.b.add(x.b)
+}
+
+/* this-=a */
+func (F *FP2) sub(x *FP2) {
+	m := NewFP2copy(x)
+	m.neg()
+	F.add(m)
+}
+
+/* this*=s, where s is an FP */
+func (F *FP2) pmul(s *FP) {
+	F.a.mul(s)
+	F.b.mul(s)
+}
+
+/* this*=i, where i is an int */
+func (F *FP2) imul(c int) {
+	F.a.imul(c)
+	F.b.imul(c)
+}
+
+/* this*=this */
+func (F *FP2) sqr() {
+	F.norm()
+	w1 := NewFPcopy(F.a)
+	w3 := NewFPcopy(F.a)
+	mb := NewFPcopy(F.b)
+
+	w3.mul(F.b)
+	w1.add(F.b)
+	mb.neg()
+	F.a.add(mb)
+	F.a.mul(w1)
+	F.b.copy(w3)
+	F.b.add(w3)
+
+	F.norm()
+}
+
+/* this*=y */
+func (F *FP2) mul(y *FP2) {
+	F.norm() /* This is needed here as {a,b} is not normed before additions */
+
+	w1 := NewFPcopy(F.a)
+	w2 := NewFPcopy(F.b)
+	w5 := NewFPcopy(F.a)
+	mw := NewFPint(0)
+
+	w1.mul(y.a) // w1=a*y.a  - this norms w1 and y.a, NOT a
+	w2.mul(y.b) // w2=b*y.b  - this norms w2 and y.b, NOT b
+	w5.add(F.b) // w5=a+b
+	F.b.copy(y.a)
+	F.b.add(y.b) // b=y.a+y.b
+
+	F.b.mul(w5)
+	mw.copy(w1)
+	mw.add(w2)
+	mw.neg()
+
+	F.b.add(mw)
+	mw.add(w1)
+	F.a.copy(w1)
+	F.a.add(mw)
+
+	F.norm()
+}
+
+/* sqrt(a+ib) = sqrt(a+sqrt(a*a-n*b*b)/2)+ib/(2*sqrt(a+sqrt(a*a-n*b*b)/2)) */
+/* returns true if this is QR */
+func (F *FP2) sqrt() bool {
+	if F.iszilch() {
+		return true
+	}
+	w1 := NewFPcopy(F.b)
+	w2 := NewFPcopy(F.a)
+	w1.sqr()
+	w2.sqr()
+	w1.add(w2)
+	if w1.jacobi() != 1 {
+		F.zero()
+		return false
+	}
+	w1 = w1.sqrt()
+	w2.copy(F.a)
+	w2.add(w1)
+	w2.div2()
+	if w2.jacobi() != 1 {
+		w2.copy(F.a)
+		w2.sub(w1)
+		w2.div2()
+		if w2.jacobi() != 1 {
+			F.zero()
+			return false
+		}
+	}
+	w2 = w2.sqrt()
+	F.a.copy(w2)
+	w2.add(w2)
+	w2.inverse()
+	F.b.mul(w2)
+	return true
+}
+
+/* output to hex string */
+func (F *FP2) toString() string {
+	return ("[" + F.a.toString() + "," + F.b.toString() + "]")
+}
+
+/* this=1/this */
+func (F *FP2) inverse() {
+	F.norm()
+	w1 := NewFPcopy(F.a)
+	w2 := NewFPcopy(F.b)
+
+	w1.sqr()
+	w2.sqr()
+	w1.add(w2)
+	w1.inverse()
+	F.a.mul(w1)
+	w1.neg()
+	F.b.mul(w1)
+}
+
+/* this/=2 */
+func (F *FP2) div2() {
+	F.a.div2()
+	F.b.div2()
+}
+
+/* this*=sqrt(-1) */
+func (F *FP2) times_i() {
+	//	a.norm();
+	z := NewFPcopy(F.a)
+	F.a.copy(F.b)
+	F.a.neg()
+	F.b.copy(z)
+}
+
+/* w*=(1+sqrt(-1)) */
+/* where X*2-(1+sqrt(-1)) is irreducible for FP4, assumes p=3 mod 8 */
+func (F *FP2) mul_ip() {
+	F.norm()
+	t := NewFP2copy(F)
+	z := NewFPcopy(F.a)
+	F.a.copy(F.b)
+	F.a.neg()
+	F.b.copy(z)
+	F.add(t)
+	F.norm()
+}
+
+/* w/=(1+sqrt(-1)) */
+func (F *FP2) div_ip() {
+	t := NewFP2int(0)
+	F.norm()
+	t.a.copy(F.a)
+	t.a.add(F.b)
+	t.b.copy(F.b)
+	t.b.sub(F.a)
+	F.copy(t)
+	F.div2()
+}

http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/FP4.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/FP4.go b/go/amcl-go/FP4.go
new file mode 100644
index 0000000..76e9d1e
--- /dev/null
+++ b/go/amcl-go/FP4.go
@@ -0,0 +1,522 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/* Finite Field arithmetic  Fp^4 functions */
+
+/* FP4 elements are of the form a+ib, where i is sqrt(-1+sqrt(-1)) */
+
+package amcl
+
+//import "fmt"
+
+type FP4 struct {
+	a *FP2
+	b *FP2
+}
+
+/* Constructors */
+func NewFP4int(a int) *FP4 {
+	F := new(FP4)
+	F.a = NewFP2int(a)
+	F.b = NewFP2int(0)
+	return F
+}
+
+func NewFP4copy(x *FP4) *FP4 {
+	F := new(FP4)
+	F.a = NewFP2copy(x.a)
+	F.b = NewFP2copy(x.b)
+	return F
+}
+
+func NewFP4fp2s(c *FP2, d *FP2) *FP4 {
+	F := new(FP4)
+	F.a = NewFP2copy(c)
+	F.b = NewFP2copy(d)
+	return F
+}
+
+func NewFP4fp2(c *FP2) *FP4 {
+	F := new(FP4)
+	F.a = NewFP2copy(c)
+	F.b = NewFP2int(0)
+	return F
+}
+
+/* reduce all components of this mod Modulus */
+func (F *FP4) reduce() {
+	F.a.reduce()
+	F.b.reduce()
+}
+
+/* normalise all components of this mod Modulus */
+func (F *FP4) norm() {
+	F.a.norm()
+	F.b.norm()
+}
+
+/* test this==0 ? */
+func (F *FP4) iszilch() bool {
+	F.reduce()
+	return F.a.iszilch() && F.b.iszilch()
+}
+
+/* test this==1 ? */
+func (F *FP4) isunity() bool {
+	one := NewFP2int(1)
+	return F.a.equals(one) && F.b.iszilch()
+}
+
+/* test is w real? That is in a+ib test b is zero */
+func (F *FP4) isreal() bool {
+	return F.b.iszilch()
+}
+
+/* extract real part a */
+func (F *FP4) real() *FP2 {
+	return F.a
+}
+
+func (F *FP4) geta() *FP2 {
+	return F.a
+}
+
+/* extract imaginary part b */
+func (F *FP4) getb() *FP2 {
+	return F.b
+}
+
+/* test this=x? */
+func (F *FP4) equals(x *FP4) bool {
+	return (F.a.equals(x.a) && F.b.equals(x.b))
+}
+
+/* copy this=x */
+func (F *FP4) copy(x *FP4) {
+	F.a.copy(x.a)
+	F.b.copy(x.b)
+}
+
+/* set this=0 */
+func (F *FP4) zero() {
+	F.a.zero()
+	F.b.zero()
+}
+
+/* set this=1 */
+func (F *FP4) one() {
+	F.a.one()
+	F.b.zero()
+}
+
+/* set this=-this */
+func (F *FP4) neg() {
+	m := NewFP2copy(F.a)
+	t := NewFP2int(0)
+	m.add(F.b)
+	m.neg()
+	m.norm()
+	t.copy(m)
+	t.add(F.b)
+	F.b.copy(m)
+	F.b.add(F.a)
+	F.a.copy(t)
+}
+
+/* this=conjugate(this) */
+func (F *FP4) conj() {
+	F.b.neg()
+	F.b.norm()
+}
+
+/* this=-conjugate(this) */
+func (F *FP4) nconj() {
+	F.a.neg()
+	F.a.norm()
+}
+
+/* this+=x */
+func (F *FP4) add(x *FP4) {
+	F.a.add(x.a)
+	F.b.add(x.b)
+}
+
+/* this-=x */
+func (F *FP4) sub(x *FP4) {
+	m := NewFP4copy(x)
+	m.neg()
+	F.add(m)
+}
+
+/* this*=s where s is FP2 */
+func (F *FP4) pmul(s *FP2) {
+	F.a.mul(s)
+	F.b.mul(s)
+}
+
+/* this*=c where c is int */
+func (F *FP4) imul(c int) {
+	F.a.imul(c)
+	F.b.imul(c)
+}
+
+/* this*=this */
+func (F *FP4) sqr() {
+	F.norm()
+
+	t1 := NewFP2copy(F.a)
+	t2 := NewFP2copy(F.b)
+	t3 := NewFP2copy(F.a)
+
+	t3.mul(F.b)
+	t1.add(F.b)
+	t2.mul_ip()
+
+	t2.add(F.a)
+	F.a.copy(t1)
+
+	F.a.mul(t2)
+
+	t2.copy(t3)
+	t2.mul_ip()
+	t2.add(t3)
+	t2.neg()
+	F.a.add(t2)
+
+	F.b.copy(t3)
+	F.b.add(t3)
+
+	F.norm()
+}
+
+/* this*=y */
+func (F *FP4) mul(y *FP4) {
+	F.norm()
+
+	t1 := NewFP2copy(F.a)
+	t2 := NewFP2copy(F.b)
+	t3 := NewFP2int(0)
+	t4 := NewFP2copy(F.b)
+
+	t1.mul(y.a)
+	t2.mul(y.b)
+	t3.copy(y.b)
+	t3.add(y.a)
+	t4.add(F.a)
+
+	t4.mul(t3)
+	t4.sub(t1)
+	//		t4.norm();
+
+	F.b.copy(t4)
+	F.b.sub(t2)
+	t2.mul_ip()
+	F.a.copy(t2)
+	F.a.add(t1)
+
+	F.norm()
+}
+
+/* convert this to hex string */
+func (F *FP4) toString() string {
+	return ("[" + F.a.toString() + "," + F.b.toString() + "]")
+}
+
+/* this=1/this */
+func (F *FP4) inverse() {
+	F.norm()
+
+	t1 := NewFP2copy(F.a)
+	t2 := NewFP2copy(F.b)
+
+	t1.sqr()
+	t2.sqr()
+	t2.mul_ip()
+	t1.sub(t2)
+	t1.inverse()
+	F.a.mul(t1)
+	t1.neg()
+	F.b.mul(t1)
+}
+
+/* this*=i where i = sqrt(-1+sqrt(-1)) */
+func (F *FP4) times_i() {
+	F.norm()
+	s := NewFP2copy(F.b)
+	t := NewFP2copy(F.b)
+	s.times_i()
+	t.add(s)
+	//		t.norm();
+	F.b.copy(F.a)
+	F.a.copy(t)
+}
+
+/* this=this^p using Frobenius */
+func (F *FP4) frob(f *FP2) {
+	F.a.conj()
+	F.b.conj()
+	F.b.mul(f)
+}
+
+/* this=this^e */
+func (F *FP4) pow(e *BIG) *FP4 {
+	F.norm()
+	e.norm()
+	w := NewFP4copy(F)
+	z := NewBIGcopy(e)
+	r := NewFP4int(1)
+	for true {
+		bt := z.parity()
+		z.fshr(1)
+		if bt == 1 {
+			r.mul(w)
+		}
+		if z.iszilch() {
+			break
+		}
+		w.sqr()
+	}
+	r.reduce()
+	return r
+}
+
+/* XTR xtr_a function */
+func (F *FP4) xtr_A(w *FP4, y *FP4, z *FP4) {
+	r := NewFP4copy(w)
+	t := NewFP4copy(w)
+	r.sub(y)
+	r.pmul(F.a)
+	t.add(y)
+	t.pmul(F.b)
+	t.times_i()
+
+	F.copy(r)
+	F.add(t)
+	F.add(z)
+
+	F.norm()
+}
+
+/* XTR xtr_d function */
+func (F *FP4) xtr_D() {
+	w := NewFP4copy(F)
+	F.sqr()
+	w.conj()
+	w.add(w)
+	F.sub(w)
+	F.reduce()
+}
+
+/* r=x^n using XTR method on traces of FP12s */
+func (F *FP4) xtr_pow(n *BIG) *FP4 {
+	a := NewFP4int(3)
+	b := NewFP4copy(F)
+	c := NewFP4copy(b)
+	c.xtr_D()
+	t := NewFP4int(0)
+	r := NewFP4int(0)
+
+	n.norm()
+	par := n.parity()
+	v := NewBIGcopy(n)
+	v.fshr(1)
+	if par == 0 {
+		v.dec(1)
+		v.norm()
+	}
+
+	nb := v.nbits()
+	for i := nb - 1; i >= 0; i-- {
+		if v.bit(i) != 1 {
+			t.copy(b)
+			F.conj()
+			c.conj()
+			b.xtr_A(a, F, c)
+			F.conj()
+			c.copy(t)
+			c.xtr_D()
+			a.xtr_D()
+		} else {
+			t.copy(a)
+			t.conj()
+			a.copy(b)
+			a.xtr_D()
+			b.xtr_A(c, F, t)
+			c.xtr_D()
+		}
+	}
+	if par == 0 {
+		r.copy(c)
+	} else {
+		r.copy(b)
+	}
+	r.reduce()
+	return r
+}
+
+/* r=ck^a.cl^n using XTR double exponentiation method on traces of FP12s. See Stam thesis. */
+func (F *FP4) xtr_pow2(ck *FP4, ckml *FP4, ckm2l *FP4, a *BIG, b *BIG) *FP4 {
+	a.norm()
+	b.norm()
+	e := NewBIGcopy(a)
+	d := NewBIGcopy(b)
+	w := NewBIGint(0)
+
+	cu := NewFP4copy(ck) // can probably be passed in w/o copying
+	cv := NewFP4copy(F)
+	cumv := NewFP4copy(ckml)
+	cum2v := NewFP4copy(ckm2l)
+	r := NewFP4int(0)
+	t := NewFP4int(0)
+
+	f2 := 0
+	for d.parity() == 0 && e.parity() == 0 {
+		d.fshr(1)
+		e.fshr(1)
+		f2++
+	}
+
+	for comp(d, e) != 0 {
+		if comp(d, e) > 0 {
+			w.copy(e)
+			w.imul(4)
+			w.norm()
+			if comp(d, w) <= 0 {
+				w.copy(d)
+				d.copy(e)
+				e.rsub(w)
+				e.norm()
+
+				t.copy(cv)
+				t.xtr_A(cu, cumv, cum2v)
+				cum2v.copy(cumv)
+				cum2v.conj()
+				cumv.copy(cv)
+				cv.copy(cu)
+				cu.copy(t)
+			} else {
+				if d.parity() == 0 {
+					d.fshr(1)
+					r.copy(cum2v)
+					r.conj()
+					t.copy(cumv)
+					t.xtr_A(cu, cv, r)
+					cum2v.copy(cumv)
+					cum2v.xtr_D()
+					cumv.copy(t)
+					cu.xtr_D()
+				} else {
+					if e.parity() == 1 {
+						d.sub(e)
+						d.norm()
+						d.fshr(1)
+						t.copy(cv)
+						t.xtr_A(cu, cumv, cum2v)
+						cu.xtr_D()
+						cum2v.copy(cv)
+						cum2v.xtr_D()
+						cum2v.conj()
+						cv.copy(t)
+					} else {
+						w.copy(d)
+						d.copy(e)
+						d.fshr(1)
+						e.copy(w)
+						t.copy(cumv)
+						t.xtr_D()
+						cumv.copy(cum2v)
+						cumv.conj()
+						cum2v.copy(t)
+						cum2v.conj()
+						t.copy(cv)
+						t.xtr_D()
+						cv.copy(cu)
+						cu.copy(t)
+					}
+				}
+			}
+		}
+		if comp(d, e) < 0 {
+			w.copy(d)
+			w.imul(4)
+			w.norm()
+			if comp(e, w) <= 0 {
+				e.sub(d)
+				e.norm()
+				t.copy(cv)
+				t.xtr_A(cu, cumv, cum2v)
+				cum2v.copy(cumv)
+				cumv.copy(cu)
+				cu.copy(t)
+			} else {
+				if e.parity() == 0 {
+					w.copy(d)
+					d.copy(e)
+					d.fshr(1)
+					e.copy(w)
+					t.copy(cumv)
+					t.xtr_D()
+					cumv.copy(cum2v)
+					cumv.conj()
+					cum2v.copy(t)
+					cum2v.conj()
+					t.copy(cv)
+					t.xtr_D()
+					cv.copy(cu)
+					cu.copy(t)
+				} else {
+					if d.parity() == 1 {
+						w.copy(e)
+						e.copy(d)
+						w.sub(d)
+						w.norm()
+						d.copy(w)
+						d.fshr(1)
+						t.copy(cv)
+						t.xtr_A(cu, cumv, cum2v)
+						cumv.conj()
+						cum2v.copy(cu)
+						cum2v.xtr_D()
+						cum2v.conj()
+						cu.copy(cv)
+						cu.xtr_D()
+						cv.copy(t)
+					} else {
+						d.fshr(1)
+						r.copy(cum2v)
+						r.conj()
+						t.copy(cumv)
+						t.xtr_A(cu, cv, r)
+						cum2v.copy(cumv)
+						cum2v.xtr_D()
+						cumv.copy(t)
+						cu.xtr_D()
+					}
+				}
+			}
+		}
+	}
+	r.copy(cv)
+	r.xtr_A(cu, cumv, cum2v)
+	for i := 0; i < f2; i++ {
+		r.xtr_D()
+	}
+	r = r.xtr_pow(d)
+	return r
+}

http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/GCM.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/GCM.go b/go/amcl-go/GCM.go
new file mode 100644
index 0000000..2fc4da3
--- /dev/null
+++ b/go/amcl-go/GCM.go
@@ -0,0 +1,472 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/*
+* Implementation of the AES-GCM Encryption/Authentication
+*
+* Some restrictions..
+* 1. Only for use with AES
+* 2. Returned tag is always 128-bits. Truncate at your own risk.
+* 3. The order of function calls must follow some rules
+*
+* Typical sequence of calls..
+* 1. call GCM_init
+* 2. call GCM_add_header any number of times, as long as length of header is multiple of 16 bytes (block size)
+* 3. call GCM_add_header one last time with any length of header
+* 4. call GCM_add_cipher any number of times, as long as length of cipher/plaintext is multiple of 16 bytes
+* 5. call GCM_add_cipher one last time with any length of cipher/plaintext
+* 6. call GCM_finish to extract the tag.
+*
+* See http://www.mindspring.com/~dmcgrew/gcm-nist-6.pdf
+ */
+
+package amcl
+
+/*
+import
+(
+	"fmt"
+	"strconv"
+)
+*/
+const gcm_NB int = 4
+const GCM_ACCEPTING_HEADER int = 0
+const GCM_ACCEPTING_CIPHER int = 1
+const GCM_NOT_ACCEPTING_MORE int = 2
+const GCM_FINISHED int = 3
+const GCM_ENCRYPTING int = 0
+const GCM_DECRYPTING int = 1
+
+type GCM struct {
+	table   [128][4]uint32 /* 2k bytes */
+	stateX  [16]byte
+	Y_0     [16]byte
+	counter int
+	lenA    [2]uint32
+	lenC    [2]uint32
+	status  int
+	a       *AES
+}
+
+func gcm_pack(b [4]byte) uint32 { /* pack bytes into a 32-bit Word */
+	return ((uint32(b[0]) & 0xff) << 24) | ((uint32(b[1]) & 0xff) << 16) | ((uint32(b[2]) & 0xff) << 8) | (uint32(b[3]) & 0xff)
+}
+
+func gcm_unpack(a uint32) [4]byte { /* unpack bytes from a word */
+	var b = [4]byte{byte((a >> 24) & 0xff), byte((a >> 16) & 0xff), byte((a >> 8) & 0xff), byte(a & 0xff)}
+	return b
+}
+
+func (G *GCM) precompute(H []byte) {
+	var b [4]byte
+	j := 0
+	for i := 0; i < gcm_NB; i++ {
+		b[0] = H[j]
+		b[1] = H[j+1]
+		b[2] = H[j+2]
+		b[3] = H[j+3]
+		G.table[0][i] = gcm_pack(b)
+		j += 4
+	}
+	for i := 1; i < 128; i++ {
+		c := uint32(0)
+		for j := 0; j < gcm_NB; j++ {
+			G.table[i][j] = c | (G.table[i-1][j])>>1
+			c = G.table[i-1][j] << 31
+		}
+		if c != 0 {
+			G.table[i][0] ^= 0xE1000000
+		} /* irreducible polynomial */
+	}
+}
+
+func (G *GCM) gf2mul() { /* gf2m mul - Z=H*X mod 2^128 */
+	var P [4]uint32
+
+	for i := 0; i < 4; i++ {
+		P[i] = 0
+	}
+	j := uint(8)
+	m := 0
+	for i := 0; i < 128; i++ {
+		j--
+		c := (G.stateX[m] >> j) & 1
+		if c != 0 {
+			for k := 0; k < gcm_NB; k++ {
+				P[k] ^= G.table[i][k]
+			}
+		}
+		if j == 0 {
+			j = 8
+			m++
+			if m == 16 {
+				break
+			}
+		}
+	}
+	j = 0
+	for i := 0; i < gcm_NB; i++ {
+		b := gcm_unpack(P[i])
+		G.stateX[j] = b[0]
+		G.stateX[j+1] = b[1]
+		G.stateX[j+2] = b[2]
+		G.stateX[j+3] = b[3]
+		j += 4
+	}
+}
+
+func (G *GCM) wrap() { /* Finish off GHASH */
+	var F [4]uint32
+	var L [16]byte
+
+	/* convert lengths from bytes to bits */
+	F[0] = (G.lenA[0] << 3) | (G.lenA[1]&0xE0000000)>>29
+	F[1] = G.lenA[1] << 3
+	F[2] = (G.lenC[0] << 3) | (G.lenC[1]&0xE0000000)>>29
+	F[3] = G.lenC[1] << 3
+	j := 0
+	for i := 0; i < gcm_NB; i++ {
+		b := gcm_unpack(F[i])
+		L[j] = b[0]
+		L[j+1] = b[1]
+		L[j+2] = b[2]
+		L[j+3] = b[3]
+		j += 4
+	}
+	for i := 0; i < 16; i++ {
+		G.stateX[i] ^= L[i]
+	}
+	G.gf2mul()
+}
+
+func (G *GCM) ghash(plain []byte, len int) bool {
+	if G.status == GCM_ACCEPTING_HEADER {
+		G.status = GCM_ACCEPTING_CIPHER
+	}
+	if G.status != GCM_ACCEPTING_CIPHER {
+		return false
+	}
+
+	j := 0
+	for j < len {
+		for i := 0; i < 16 && j < len; i++ {
+			G.stateX[i] ^= plain[j]
+			j++
+			G.lenC[1]++
+			if G.lenC[1] == 0 {
+				G.lenC[0]++
+			}
+		}
+		G.gf2mul()
+	}
+	if len%16 != 0 {
+		G.status = GCM_NOT_ACCEPTING_MORE
+	}
+	return true
+}
+
+/* Initialize GCM mode */
+func (G *GCM) Init(key []byte, niv int, iv []byte) { /* iv size niv is usually 12 bytes (96 bits). AES key size nk can be 16,24 or 32 bytes */
+	var H [16]byte
+
+	for i := 0; i < 16; i++ {
+		H[i] = 0
+		G.stateX[i] = 0
+	}
+
+	G.a = new(AES)
+
+	G.a.Init(aes_ECB, key, iv)
+	G.a.ecb_encrypt(H[:]) /* E(K,0) */
+	G.precompute(H[:])
+
+	G.lenA[0] = 0
+	G.lenC[0] = 0
+	G.lenA[1] = 0
+	G.lenC[1] = 0
+	if niv == 12 {
+		for i := 0; i < 12; i++ {
+			G.a.f[i] = iv[i]
+		}
+		b := gcm_unpack(uint32(1))
+		G.a.f[12] = b[0]
+		G.a.f[13] = b[1]
+		G.a.f[14] = b[2]
+		G.a.f[15] = b[3] /* initialise IV */
+		for i := 0; i < 16; i++ {
+			G.Y_0[i] = G.a.f[i]
+		}
+	} else {
+		G.status = GCM_ACCEPTING_CIPHER
+		G.ghash(iv, niv) /* GHASH(H,0,IV) */
+		G.wrap()
+		for i := 0; i < 16; i++ {
+			G.a.f[i] = G.stateX[i]
+			G.Y_0[i] = G.a.f[i]
+			G.stateX[i] = 0
+		}
+		G.lenA[0] = 0
+		G.lenC[0] = 0
+		G.lenA[1] = 0
+		G.lenC[1] = 0
+	}
+	G.status = GCM_ACCEPTING_HEADER
+}
+
+/* Add Header data - included but not encrypted */
+func (G *GCM) Add_header(header []byte, len int) bool { /* Add some header. Won't be encrypted, but will be authenticated. len is length of header */
+	if G.status != GCM_ACCEPTING_HEADER {
+		return false
+	}
+
+	j := 0
+	for j < len {
+		for i := 0; i < 16 && j < len; i++ {
+			G.stateX[i] ^= header[j]
+			j++
+			G.lenA[1]++
+			if G.lenA[1] == 0 {
+				G.lenA[0]++
+			}
+		}
+		G.gf2mul()
+	}
+	if len%16 != 0 {
+		G.status = GCM_ACCEPTING_CIPHER
+	}
+	return true
+}
+
+/* Add Plaintext - included and encrypted */
+func (G *GCM) Add_plain(plain []byte, len int) []byte {
+	var B [16]byte
+	var b [4]byte
+
+	cipher := make([]byte, len)
+	var counter uint32 = 0
+	if G.status == GCM_ACCEPTING_HEADER {
+		G.status = GCM_ACCEPTING_CIPHER
+	}
+	if G.status != GCM_ACCEPTING_CIPHER {
+		return nil
+	}
+
+	j := 0
+	for j < len {
+
+		b[0] = G.a.f[12]
+		b[1] = G.a.f[13]
+		b[2] = G.a.f[14]
+		b[3] = G.a.f[15]
+		counter = gcm_pack(b)
+		counter++
+		b = gcm_unpack(counter)
+		G.a.f[12] = b[0]
+		G.a.f[13] = b[1]
+		G.a.f[14] = b[2]
+		G.a.f[15] = b[3] /* increment counter */
+		for i := 0; i < 16; i++ {
+			B[i] = G.a.f[i]
+		}
+		G.a.ecb_encrypt(B[:]) /* encrypt it  */
+
+		for i := 0; i < 16 && j < len; i++ {
+			cipher[j] = (plain[j] ^ B[i])
+			G.stateX[i] ^= cipher[j]
+			j++
+			G.lenC[1]++
+			if G.lenC[1] == 0 {
+				G.lenC[0]++
+			}
+		}
+		G.gf2mul()
+	}
+	if len%16 != 0 {
+		G.status = GCM_NOT_ACCEPTING_MORE
+	}
+	return cipher
+}
+
+/* Add Ciphertext - decrypts to plaintext */
+func (G *GCM) Add_cipher(cipher []byte, len int) []byte {
+	var B [16]byte
+	var b [4]byte
+
+	plain := make([]byte, len)
+	var counter uint32 = 0
+
+	if G.status == GCM_ACCEPTING_HEADER {
+		G.status = GCM_ACCEPTING_CIPHER
+	}
+	if G.status != GCM_ACCEPTING_CIPHER {
+		return nil
+	}
+
+	j := 0
+	for j < len {
+		b[0] = G.a.f[12]
+		b[1] = G.a.f[13]
+		b[2] = G.a.f[14]
+		b[3] = G.a.f[15]
+		counter = gcm_pack(b)
+		counter++
+		b = gcm_unpack(counter)
+		G.a.f[12] = b[0]
+		G.a.f[13] = b[1]
+		G.a.f[14] = b[2]
+		G.a.f[15] = b[3] /* increment counter */
+		for i := 0; i < 16; i++ {
+			B[i] = G.a.f[i]
+		}
+		G.a.ecb_encrypt(B[:]) /* encrypt it  */
+		for i := 0; i < 16 && j < len; i++ {
+			plain[j] = (cipher[j] ^ B[i])
+			G.stateX[i] ^= cipher[j]
+			j++
+			G.lenC[1]++
+			if G.lenC[1] == 0 {
+				G.lenC[0]++
+			}
+		}
+		G.gf2mul()
+	}
+	if len%16 != 0 {
+		G.status = GCM_NOT_ACCEPTING_MORE
+	}
+	return plain
+}
+
+/* Finish and extract Tag */
+func (G *GCM) Finish(extract bool) [16]byte { /* Finish off GHASH and extract tag (MAC) */
+	var tag [16]byte
+
+	G.wrap()
+	/* extract tag */
+	if extract {
+		G.a.ecb_encrypt(G.Y_0[:]) /* E(K,Y0) */
+		for i := 0; i < 16; i++ {
+			G.Y_0[i] ^= G.stateX[i]
+		}
+		for i := 0; i < 16; i++ {
+			tag[i] = G.Y_0[i]
+			G.Y_0[i] = 0
+			G.stateX[i] = 0
+		}
+	}
+	G.status = GCM_FINISHED
+	G.a.End()
+	return tag
+}
+
+/* AES-GCM Encryption:
+   K is key, H is header, IV is initialization vector and P is plaintext.
+   Returns cipthertext and tag (MAC) */
+func AES_GCM_ENCRYPT(K, IV, H, P []byte) ([]byte, []byte) {
+	g := new(GCM)
+	lenIV := len(IV)
+	lenH := len(H)
+	lenP := len(P)
+
+	g.Init(K, lenIV, IV)
+	g.Add_header(H, lenH)
+	C := g.Add_plain(P, lenP)
+	T := g.Finish(true)
+	return C, T[:]
+}
+
+/* AES-GCM Deryption:
+   K is key, H is header, IV is initialization vector and P is plaintext.
+   Returns cipthertext and tag (MAC) */
+func AES_GCM_DECRYPT(K, IV, H, C []byte) ([]byte, []byte) {
+	g := new(GCM)
+	lenIV := len(IV)
+	lenH := len(H)
+	lenC := len(C)
+
+	g.Init(K, lenIV, IV)
+	g.Add_header(H, lenH)
+	P := g.Add_cipher(C, lenC)
+	T := g.Finish(true)
+	return P, T[:]
+}
+
+/*
+func hex2bytes(s string) []byte {
+	lgh:=len(s)
+	data:=make([]byte,lgh/2)
+
+        for i:=0;i<lgh;i+=2 {
+            a,_ := strconv.ParseInt(s[i:i+2],16,32)
+	    data[i/2]=byte(a)
+        }
+        return data
+}
+
+func main() {
+
+	KT:="feffe9928665731c6d6a8f9467308308"
+	MT:="d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"
+	HT:="feedfacedeadbeeffeedfacedeadbeefabaddad2"
+
+	NT:="9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b";
+// Tag should be 619cc5aefffe0bfa462af43c1699d050
+
+	g:=new(GCM)
+
+	M:=hex2bytes(MT)
+	H:=hex2bytes(HT)
+	N:=hex2bytes(NT)
+	K:=hex2bytes(KT)
+
+	lenM:=len(M)
+	lenH:=len(H)
+	//lenK:=len(K)
+	lenIV:=len(N)
+
+ 	fmt.Printf("Plaintext=\n");
+	for i:=0;i<lenM;i++ {fmt.Printf("%02x",M[i])}
+	fmt.Printf("\n")
+
+	g.Init(K,lenIV,N)
+	g.Add_header(H,lenH)
+	C:=g.Add_plain(M,lenM)
+	T:=g.Finish(true)
+
+	fmt.Printf("Ciphertext=\n")
+	for i:=0;i<lenM;i++ {fmt.Printf("%02x",C[i])}
+	fmt.Printf("\n")
+
+	fmt.Printf("Tag=\n")
+	for i:=0;i<16;i++ {fmt.Printf("%02x",T[i])}
+	fmt.Printf("\n")
+
+	g.Init(K,lenIV,N)
+	g.Add_header(H,lenH)
+	P:=g.Add_cipher(C,lenM)
+	T=g.Finish(true)
+
+ 	fmt.Printf("Plaintext=\n");
+	for i:=0;i<lenM;i++ {fmt.Printf("%02x",P[i])}
+	fmt.Printf("\n")
+
+	fmt.Printf("Tag=\n");
+	for i:=0;i<16;i++ {fmt.Printf("%02x",T[i])}
+	fmt.Printf("\n")
+}
+*/

http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/HASH.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/HASH.go b/go/amcl-go/HASH.go
new file mode 100644
index 0000000..c31f51a
--- /dev/null
+++ b/go/amcl-go/HASH.go
@@ -0,0 +1,215 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/*
+ * Implementation of the Secure Hashing Algorithm (SHA-256)
+ *
+ * Generates a 256 bit message digest. It should be impossible to come
+ * come up with two messages that hash to the same value ("collision free").
+ *
+ * For use with byte-oriented messages only.
+ */
+
+package amcl
+
+//import "fmt"
+
+const hash_H0 uint32 = 0x6A09E667
+const hash_H1 uint32 = 0xBB67AE85
+const hash_H2 uint32 = 0x3C6EF372
+const hash_H3 uint32 = 0xA54FF53A
+const hash_H4 uint32 = 0x510E527F
+const hash_H5 uint32 = 0x9B05688C
+const hash_H6 uint32 = 0x1F83D9AB
+const hash_H7 uint32 = 0x5BE0CD19
+
+var hash_K = [...]uint32{
+	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2}
+
+type HASH struct {
+	length [2]uint32
+	h      [8]uint32
+	w      [64]uint32
+}
+
+/* functions */
+func hash_S(n uint32, x uint32) uint32 {
+	return (((x) >> n) | ((x) << (32 - n)))
+}
+
+func hash_R(n uint32, x uint32) uint32 {
+	return ((x) >> n)
+}
+
+func hash_Ch(x, y, z uint32) uint32 {
+	return ((x & y) ^ (^(x) & z))
+}
+
+func hash_Maj(x, y, z uint32) uint32 {
+	return ((x & y) ^ (x & z) ^ (y & z))
+}
+
+func hash_Sig0(x uint32) uint32 {
+	return (hash_S(2, x) ^ hash_S(13, x) ^ hash_S(22, x))
+}
+
+func hash_Sig1(x uint32) uint32 {
+	return (hash_S(6, x) ^ hash_S(11, x) ^ hash_S(25, x))
+}
+
+func hash_theta0(x uint32) uint32 {
+	return (hash_S(7, x) ^ hash_S(18, x) ^ hash_R(3, x))
+}
+
+func hash_theta1(x uint32) uint32 {
+	return (hash_S(17, x) ^ hash_S(19, x) ^ hash_R(10, x))
+}
+
+func (H *HASH) transform() { /* basic transformation step */
+	for j := 16; j < 64; j++ {
+		H.w[j] = hash_theta1(H.w[j-2]) + H.w[j-7] + hash_theta0(H.w[j-15]) + H.w[j-16]
+	}
+	a := H.h[0]
+	b := H.h[1]
+	c := H.h[2]
+	d := H.h[3]
+	e := H.h[4]
+	f := H.h[5]
+	g := H.h[6]
+	hh := H.h[7]
+	for j := 0; j < 64; j++ { /* 64 times - mush it up */
+		t1 := hh + hash_Sig1(e) + hash_Ch(e, f, g) + hash_K[j] + H.w[j]
+		t2 := hash_Sig0(a) + hash_Maj(a, b, c)
+		hh = g
+		g = f
+		f = e
+		e = d + t1
+		d = c
+		c = b
+		b = a
+		a = t1 + t2
+	}
+	H.h[0] += a
+	H.h[1] += b
+	H.h[2] += c
+	H.h[3] += d
+	H.h[4] += e
+	H.h[5] += f
+	H.h[6] += g
+	H.h[7] += hh
+}
+
+/* Initialise Hash function */
+func (H *HASH) Init() { /* initialise */
+	for i := 0; i < 64; i++ {
+		H.w[i] = 0
+	}
+	H.length[0] = 0
+	H.length[1] = 0
+	H.h[0] = hash_H0
+	H.h[1] = hash_H1
+	H.h[2] = hash_H2
+	H.h[3] = hash_H3
+	H.h[4] = hash_H4
+	H.h[5] = hash_H5
+	H.h[6] = hash_H6
+	H.h[7] = hash_H7
+}
+
+func NewHASH() *HASH {
+	H := new(HASH)
+	H.Init()
+	return H
+}
+
+/* process a single byte */
+func (H *HASH) Process(byt byte) { /* process the next message byte */
+	cnt := (H.length[0] / 32) % 16
+
+	H.w[cnt] <<= 8
+	H.w[cnt] |= uint32(byt & 0xFF)
+	H.length[0] += 8
+	if H.length[0] == 0 {
+		H.length[1]++
+		H.length[0] = 0
+	}
+	if (H.length[0] % 512) == 0 {
+		H.transform()
+	}
+}
+
+/* process an array of bytes */
+func (H *HASH) Process_array(b []byte) {
+	for i := 0; i < len(b); i++ {
+		H.Process((b[i]))
+	}
+}
+
+/* process a 32-bit integer */
+func (H *HASH) Process_num(n int32) {
+	H.Process(byte((n >> 24) & 0xff))
+	H.Process(byte((n >> 16) & 0xff))
+	H.Process(byte((n >> 8) & 0xff))
+	H.Process(byte(n & 0xff))
+}
+
+/* Generate 32-byte Hash */
+func (H *HASH) Hash() [32]byte { /* pad message and finish - supply digest */
+	var digest [32]byte
+	len0 := H.length[0]
+	len1 := H.length[1]
+	H.Process(0x80)
+	for (H.length[0] % 512) != 448 {
+		H.Process(0)
+	}
+	H.w[14] = len1
+	H.w[15] = len0
+	H.transform()
+	for i := 0; i < 32; i++ { /* convert to bytes */
+		digest[i] = byte((H.h[i/4] >> uint(8*(3-i%4))) & 0xff)
+	}
+	H.Init()
+	return digest
+}
+
+/* test program: should produce digest */
+
+//248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1
+/*
+func main() {
+
+	test := []byte("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq")
+	sh:=NewHASH()
+
+	for i:=0;i<len(test);i++ {
+		sh.Process(test[i])
+	}
+
+	digest:=sh.Hash()
+	for i:=0;i<32;i++ {fmt.Printf("%02x",digest[i])}
+
+}
+*/

http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/MPIN.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/MPIN.go b/go/amcl-go/MPIN.go
new file mode 100644
index 0000000..42a2443
--- /dev/null
+++ b/go/amcl-go/MPIN.go
@@ -0,0 +1,807 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/* MPIN API Functions */
+
+package amcl
+
+import "time"
+
+import "fmt"
+
+/* Configure mode of operation */
+
+const PERMITS bool = true
+const PINERROR bool = true
+const FULL bool = true
+const SINGLE_PASS bool = false
+
+const MPIN_EFS int = int(MODBYTES)
+const MPIN_EGS int = int(MODBYTES)
+const MPIN_PAS int = 16
+const MPIN_BAD_PARAMS int = -11
+const MPIN_INVALID_POINT int = -14
+const MPIN_WRONG_ORDER int = -18
+const MPIN_BAD_PIN int = -19
+
+/* Configure your PIN here */
+
+const MPIN_MAXPIN int32 = 10000 /* PIN less than this */
+const MPIN_PBLEN int32 = 14     /* Number of bits in PIN */
+const MPIN_TS int = 10          /* 10 for 4 digit PIN, 14 for 6-digit PIN - 2^TS/TS approx = sqrt(MAXPIN) */
+const MPIN_TRAP int = 200       /* 200 for 4 digit PIN, 2000 for 6-digit PIN  - approx 2*sqrt(MAXPIN) */
+
+/* Hash number (optional) and string to point on curve */
+
+func Hashit(n int32, ID []byte) []byte {
+	H := NewHASH()
+	if n != 0 {
+		H.Process_num(n)
+	}
+	H.Process_array(ID)
+	h := H.Hash()
+	return h[:]
+}
+
+func mapit(h []byte) *ECP {
+	q := NewBIGints(Modulus)
+	x := fromBytes(h[:])
+	x.mod(q)
+	var P *ECP
+	for true {
+		P = NewECPbigint(x, 0)
+		if !P.is_infinity() {
+			break
+		}
+		x.inc(1)
+		x.norm()
+	}
+	return P
+}
+
+/* needed for SOK */
+func mapit2(h []byte) *ECP2 {
+	q := NewBIGints(Modulus)
+	x := fromBytes(h[:])
+	one := NewBIGint(1)
+	var X *FP2
+	var Q, T, K *ECP2
+	x.mod(q)
+	for true {
+		X = NewFP2bigs(one, x)
+		Q = NewECP2fp2(X)
+		if !Q.is_infinity() {
+			break
+		}
+		x.inc(1)
+		x.norm()
+	}
+	/* Fast Hashing to G2 - Fuentes-Castaneda, Knapp and Rodriguez-Henriquez */
+	Fra := NewBIGints(CURVE_Fra)
+	Frb := NewBIGints(CURVE_Frb)
+	X = NewFP2bigs(Fra, Frb)
+	x = NewBIGints(CURVE_Bnx)
+
+	T = NewECP2()
+	T.copy(Q)
+	T.mul(x)
+	T.neg()
+	K = NewECP2()
+	K.copy(T)
+	K.dbl()
+	K.add(T)
+	K.affine()
+
+	K.frob(X)
+	Q.frob(X)
+	Q.frob(X)
+	Q.frob(X)
+	Q.add(T)
+	Q.add(K)
+	T.frob(X)
+	T.frob(X)
+	Q.add(T)
+	Q.affine()
+	return Q
+}
+
+/* return time in slots since epoch */
+func MPIN_today() int {
+	now := time.Now()
+	return int(now.Unix()) / (60 * 1440)
+}
+
+/* these next two functions help to implement elligator squared - http://eprint.iacr.org/2014/043 */
+/* maps a random u to a point on the curve */
+func emap(u *BIG, cb int) *ECP {
+	var P *ECP
+	x := NewBIGcopy(u)
+	p := NewBIGints(Modulus)
+	x.mod(p)
+	for true {
+		P = NewECPbigint(x, cb)
+		if !P.is_infinity() {
+			break
+		}
+		x.inc(1)
+		x.norm()
+	}
+	return P
+}
+
+/* returns u derived from P. Random value in range 1 to return value should then be added to u */
+func unmap(u *BIG, P *ECP) int {
+	s := P.getS()
+	var R *ECP
+	r := 0
+	x := P.getX()
+	u.copy(x)
+	for true {
+		u.dec(1)
+		u.norm()
+		r++
+		R = NewECPbigint(u, s)
+		if !R.is_infinity() {
+			break
+		}
+	}
+	return r
+}
+
+func MPIN_HASH_ID(ID []byte) []byte {
+	return Hashit(0, ID)
+}
+
+/* these next two functions implement elligator squared - http://eprint.iacr.org/2014/043 */
+/* Elliptic curve point E in format (0x04,x,y} is converted to form {0x0-,u,v} */
+/* Note that u and v are indistinguisible from random strings */
+func MPIN_ENCODING(rng *RAND, E []byte) int {
+	var T [MPIN_EFS]byte
+
+	for i := 0; i < MPIN_EFS; i++ {
+		T[i] = E[i+1]
+	}
+	u := fromBytes(T[:])
+	for i := 0; i < MPIN_EFS; i++ {
+		T[i] = E[i+MPIN_EFS+1]
+	}
+	v := fromBytes(T[:])
+
+	P := NewECPbigs(u, v)
+	if P.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	p := NewBIGints(Modulus)
+	u = randomnum(p, rng)
+
+	su := int(rng.GetByte())
+	su %= 2
+
+	W := emap(u, su)
+	P.sub(W)
+	sv := P.getS()
+	rn := unmap(v, P)
+	m := int(rng.GetByte())
+	m %= rn
+	v.inc(m + 1)
+	E[0] = byte(su + 2*sv)
+	u.toBytes(T[:])
+	for i := 0; i < MPIN_EFS; i++ {
+		E[i+1] = T[i]
+	}
+	v.toBytes(T[:])
+	for i := 0; i < MPIN_EFS; i++ {
+		E[i+MPIN_EFS+1] = T[i]
+	}
+
+	return 0
+}
+
+func MPIN_DECODING(D []byte) int {
+	var T [MPIN_EFS]byte
+
+	if (D[0] & 0x04) != 0 {
+		return MPIN_INVALID_POINT
+	}
+
+	for i := 0; i < MPIN_EFS; i++ {
+		T[i] = D[i+1]
+	}
+	u := fromBytes(T[:])
+	for i := 0; i < MPIN_EFS; i++ {
+		T[i] = D[i+MPIN_EFS+1]
+	}
+	v := fromBytes(T[:])
+
+	su := int(D[0] & 1)
+	sv := int((D[0] >> 1) & 1)
+	W := emap(u, su)
+	P := emap(v, sv)
+	P.add(W)
+	u = P.getX()
+	v = P.getY()
+	D[0] = 0x04
+	u.toBytes(T[:])
+	for i := 0; i < MPIN_EFS; i++ {
+		D[i+1] = T[i]
+	}
+	v.toBytes(T[:])
+	for i := 0; i < MPIN_EFS; i++ {
+		D[i+MPIN_EFS+1] = T[i]
+	}
+
+	return 0
+}
+
+/* R=R1+R2 in group G1 */
+func MPIN_RECOMBINE_G1(R1 []byte, R2 []byte, R []byte) int {
+	P := ECP_fromBytes(R1)
+	Q := ECP_fromBytes(R2)
+
+	if P.is_infinity() || Q.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	P.add(Q)
+
+	P.toBytes(R[:])
+	return 0
+}
+
+/* W=W1+W2 in group G2 */
+func MPIN_RECOMBINE_G2(W1 []byte, W2 []byte, W []byte) int {
+	P := ECP2_fromBytes(W1)
+	Q := ECP2_fromBytes(W2)
+
+	if P.is_infinity() || Q.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	P.add(Q)
+
+	P.toBytes(W)
+	return 0
+}
+
+/* create random secret S */
+func MPIN_RANDOM_GENERATE(rng *RAND, S []byte) int {
+	r := NewBIGints(CURVE_Order)
+	s := randomnum(r, rng)
+
+	s.toBytes(S)
+	return 0
+}
+
+/* Extract PIN from TOKEN for identity CID */
+func MPIN_EXTRACT_PIN(CID []byte, pin int, TOKEN []byte) int {
+	P := ECP_fromBytes(TOKEN)
+	if P.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+	h := Hashit(0, CID)
+	R := mapit(h)
+
+	R = R.pinmul(int32(pin)%MPIN_MAXPIN, MPIN_PBLEN)
+	P.sub(R)
+
+	P.toBytes(TOKEN)
+
+	return 0
+}
+
+/* Implement step 2 on client side of MPin protocol */
+func MPIN_CLIENT_2(X []byte, Y []byte, SEC []byte) int {
+	r := NewBIGints(CURVE_Order)
+	P := ECP_fromBytes(SEC)
+	if P.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	px := fromBytes(X)
+	py := fromBytes(Y)
+	px.add(py)
+	px.mod(r)
+	px.rsub(r)
+
+	G1mul(P, px).toBytes(SEC)
+	return 0
+}
+
+/* Implement step 1 on client side of MPin protocol */
+func MPIN_CLIENT_1(date int, CLIENT_ID []byte, rng *RAND, X []byte, pin int, TOKEN []byte, SEC []byte, xID []byte, xCID []byte, PERMIT []byte) int {
+	r := NewBIGints(CURVE_Order)
+
+	var x *BIG
+	if rng != nil {
+		x = randomnum(r, rng)
+		x.toBytes(X)
+	} else {
+		x = fromBytes(X)
+	}
+
+	h := Hashit(0, CLIENT_ID)
+	P := mapit(h)
+
+	T := ECP_fromBytes(TOKEN)
+	if T.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	W := P.pinmul(int32(pin)%MPIN_MAXPIN, MPIN_PBLEN)
+	T.add(W)
+	if date != 0 {
+		W = ECP_fromBytes(PERMIT)
+		if W.is_infinity() {
+			return MPIN_INVALID_POINT
+		}
+		T.add(W)
+		h = Hashit(int32(date), h)
+		W = mapit(h)
+		if xID != nil {
+			P = G1mul(P, x)
+			P.toBytes(xID)
+			W = G1mul(W, x)
+			P.add(W)
+		} else {
+			P.add(W)
+			P = G1mul(P, x)
+		}
+		if xCID != nil {
+			P.toBytes(xCID)
+		}
+	} else {
+		if xID != nil {
+			P = G1mul(P, x)
+			P.toBytes(xID)
+		}
+	}
+
+	T.toBytes(SEC)
+	return 0
+}
+
+/* Extract Server Secret SST=S*Q where Q is fixed generator in G2 and S is master secret */
+func MPIN_GET_SERVER_SECRET(S []byte, SST []byte) int {
+	Q := NewECP2fp2s(NewFP2bigs(NewBIGints(CURVE_Pxa), NewBIGints(CURVE_Pxb)), NewFP2bigs(NewBIGints(CURVE_Pya), NewBIGints(CURVE_Pyb)))
+
+	s := fromBytes(S)
+	Q = G2mul(Q, s)
+	Q.toBytes(SST)
+	return 0
+}
+
+/*
+ W=x*H(G);
+ if RNG == NULL then X is passed in
+ if RNG != NULL the X is passed out
+ if type=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve
+*/
+func MPIN_GET_G1_MULTIPLE(rng *RAND, typ int, X []byte, G []byte, W []byte) int {
+	var x *BIG
+	r := NewBIGints(CURVE_Order)
+	if rng != nil {
+		x = randomnum(r, rng)
+		x.toBytes(X)
+	} else {
+		x = fromBytes(X)
+	}
+	var P *ECP
+	if typ == 0 {
+		P = ECP_fromBytes(G)
+		if P.is_infinity() {
+			return MPIN_INVALID_POINT
+		}
+	} else {
+		P = mapit(G)
+	}
+
+	G1mul(P, x).toBytes(W)
+	return 0
+}
+
+/* Client secret CST=S*H(CID) where CID is client ID and S is master secret */
+/* CID is hashed externally */
+func MPIN_GET_CLIENT_SECRET(S []byte, CID []byte, CST []byte) int {
+	return MPIN_GET_G1_MULTIPLE(nil, 1, S, CID, CST)
+}
+
+/* Time Permit CTT=S*(date|H(CID)) where S is master secret */
+func MPIN_GET_CLIENT_PERMIT(date int, S []byte, CID []byte, CTT []byte) int {
+	h := Hashit(int32(date), CID)
+	P := mapit(h)
+
+	s := fromBytes(S)
+	G1mul(P, s).toBytes(CTT)
+	return 0
+}
+
+/* Outputs H(CID) and H(T|H(CID)) for time permits. If no time permits set HID=HTID */
+func MPIN_SERVER_1(date int, CID []byte, HID []byte, HTID []byte) {
+	h := Hashit(0, CID)
+	P := mapit(h)
+
+	if date != 0 {
+		if HID != nil {
+			P.toBytes(HID)
+		}
+		h = Hashit(int32(date), h)
+		R := mapit(h)
+		P.add(R)
+		P.toBytes(HTID)
+	} else {
+		P.toBytes(HID)
+	}
+}
+
+/* Implement step 2 of MPin protocol on server side */
+func MPIN_SERVER_2(date int, HID []byte, HTID []byte, Y []byte, SST []byte, xID []byte, xCID []byte, mSEC []byte, E []byte, F []byte) int {
+	//	q:=NewBIGints(Modulus)
+	Q := NewECP2fp2s(NewFP2bigs(NewBIGints(CURVE_Pxa), NewBIGints(CURVE_Pxb)), NewFP2bigs(NewBIGints(CURVE_Pya), NewBIGints(CURVE_Pyb)))
+
+	sQ := ECP2_fromBytes(SST)
+	if sQ.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	var R *ECP
+	if date != 0 {
+		R = ECP_fromBytes(xCID)
+	} else {
+		if xID == nil {
+			return MPIN_BAD_PARAMS
+		}
+		R = ECP_fromBytes(xID)
+	}
+	if R.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	y := fromBytes(Y)
+	var P *ECP
+	if date != 0 {
+		P = ECP_fromBytes(HTID)
+	} else {
+		if HID == nil {
+			return MPIN_BAD_PARAMS
+		}
+		P = ECP_fromBytes(HID)
+	}
+
+	if P.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	P = G1mul(P, y)
+	P.add(R)
+	R = ECP_fromBytes(mSEC)
+	if R.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	var g *FP12
+	//		FP12 g1=new FP12(0);
+
+	g = ate2(Q, R, sQ, P)
+	g = fexp(g)
+
+	if !g.isunity() {
+		if HID != nil && xID != nil && E != nil && F != nil {
+			g.toBytes(E)
+			if date != 0 {
+				P = ECP_fromBytes(HID)
+				if P.is_infinity() {
+					return MPIN_INVALID_POINT
+				}
+				R = ECP_fromBytes(xID)
+				if R.is_infinity() {
+					return MPIN_INVALID_POINT
+				}
+
+				P = G1mul(P, y)
+				P.add(R)
+			}
+			g = ate(Q, P)
+			g = fexp(g)
+			g.toBytes(F)
+		}
+		return MPIN_BAD_PIN
+	}
+
+	return 0
+}
+
+/* Pollards kangaroos used to return PIN error */
+func MPIN_KANGAROO(E []byte, F []byte) int {
+	ge := FP12_fromBytes(E)
+	gf := FP12_fromBytes(F)
+	var distance [MPIN_TS]int
+	t := NewFP12copy(gf)
+
+	var table []*FP12
+	var i int
+	s := 1
+	for m := 0; m < MPIN_TS; m++ {
+		distance[m] = s
+		table = append(table, NewFP12copy(t))
+		s *= 2
+		t.usqr()
+	}
+	t.one()
+	dn := 0
+	for j := 0; j < MPIN_TRAP; j++ {
+		i = t.geta().geta().getA().lastbits(8) % MPIN_TS
+		t.mul(table[i])
+		dn += distance[i]
+	}
+	gf.copy(t)
+	gf.conj()
+	steps := 0
+	dm := 0
+	res := 0
+	for dm-dn < int(MPIN_MAXPIN) {
+		steps++
+		if steps > 4*MPIN_TRAP {
+			break
+		}
+		i = ge.geta().geta().getA().lastbits(8) % MPIN_TS
+		ge.mul(table[i])
+		dm += distance[i]
+		if ge.equals(t) {
+			res = dm - dn
+			break
+		}
+		if ge.equals(gf) {
+			res = dn - dm
+			break
+		}
+
+	}
+	if steps > 4*MPIN_TRAP || dm-dn >= int(MPIN_MAXPIN) {
+		res = 0
+	} // Trap Failed  - probable invalid token
+	return int(res)
+}
+
+/* Functions to support M-Pin Full */
+
+func MPIN_PRECOMPUTE(TOKEN []byte, CID []byte, G1 []byte, G2 []byte) int {
+	var P, T *ECP
+	var g *FP12
+
+	T = ECP_fromBytes(TOKEN)
+	if T.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	P = mapit(CID)
+
+	Q := NewECP2fp2s(NewFP2bigs(NewBIGints(CURVE_Pxa), NewBIGints(CURVE_Pxb)), NewFP2bigs(NewBIGints(CURVE_Pya), NewBIGints(CURVE_Pyb)))
+
+	g = ate(Q, T)
+	g = fexp(g)
+	g.toBytes(G1)
+
+	g = ate(Q, P)
+	g = fexp(g)
+	g.toBytes(G2)
+
+	return 0
+}
+
+/* calculate common key on client side */
+/* wCID = w.(A+AT) */
+func MPIN_CLIENT_KEY(G1 []byte, G2 []byte, pin int, R []byte, X []byte, wCID []byte, CK []byte) int {
+	H := NewHASH()
+	var t [MPIN_EFS]byte
+
+	g1 := FP12_fromBytes(G1)
+	g2 := FP12_fromBytes(G2)
+	z := fromBytes(R)
+	x := fromBytes(X)
+
+	W := ECP_fromBytes(wCID)
+	if W.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	W = G1mul(W, x)
+
+	f := NewFP2bigs(NewBIGints(CURVE_Fra), NewBIGints(CURVE_Frb))
+	r := NewBIGints(CURVE_Order)
+	q := NewBIGints(Modulus)
+
+	m := NewBIGcopy(q)
+	m.mod(r)
+
+	a := NewBIGcopy(z)
+	a.mod(m)
+
+	b := NewBIGcopy(z)
+	b.div(m)
+
+	g2.pinpow(pin, int(MPIN_PBLEN))
+	g1.mul(g2)
+
+	c := g1.trace()
+	g2.copy(g1)
+	g2.frob(f)
+	cp := g2.trace()
+	g1.conj()
+	g2.mul(g1)
+	cpm1 := g2.trace()
+	g2.mul(g1)
+	cpm2 := g2.trace()
+
+	c = c.xtr_pow2(cp, cpm1, cpm2, a, b)
+
+	c.geta().getA().toBytes(t[:])
+	H.Process_array(t[:])
+	c.geta().getB().toBytes(t[:])
+	H.Process_array(t[:])
+	c.getb().getA().toBytes(t[:])
+	H.Process_array(t[:])
+	c.getb().getB().toBytes(t[:])
+	H.Process_array(t[:])
+
+	W.getX().toBytes(t[:])
+	H.Process_array(t[:])
+	W.getY().toBytes(t[:])
+	H.Process_array(t[:])
+
+	t = H.Hash()
+	for i := 0; i < MPIN_PAS; i++ {
+		CK[i] = t[i]
+	}
+
+	return 0
+}
+
+/* calculate common key on server side */
+/* Z=r.A - no time permits involved */
+
+func MPIN_SERVER_KEY(Z []byte, SST []byte, W []byte, xID []byte, xCID []byte, SK []byte) int {
+	H := NewHASH()
+	var t [MPIN_EFS]byte
+
+	sQ := ECP2_fromBytes(SST)
+	if sQ.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+	R := ECP_fromBytes(Z)
+	if R.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	var U *ECP
+	if xCID != nil {
+		U = ECP_fromBytes(xCID)
+	} else {
+		U = ECP_fromBytes(xID)
+	}
+	if U.is_infinity() {
+		return MPIN_INVALID_POINT
+	}
+
+	w := fromBytes(W)
+	U = G1mul(U, w)
+	g := ate(sQ, R)
+	g = fexp(g)
+
+	c := g.trace()
+	c.geta().getA().toBytes(t[:])
+	H.Process_array(t[:])
+	c.geta().getB().toBytes(t[:])
+	H.Process_array(t[:])
+	c.getb().getA().toBytes(t[:])
+	H.Process_array(t[:])
+	c.getb().getB().toBytes(t[:])
+	H.Process_array(t[:])
+
+	U.getX().toBytes(t[:])
+	H.Process_array(t[:])
+	U.getY().toBytes(t[:])
+	H.Process_array(t[:])
+
+	t = H.Hash()
+	for i := 0; i < MPIN_PAS; i++ {
+		SK[i] = t[i]
+	}
+
+	return 0
+}
+
+/* return time since epoch */
+func MPIN_GET_TIME() int {
+	now := time.Now()
+	return int(now.Unix())
+}
+
+/* Generate Y = H(epoch, xCID/xID) */
+func MPIN_GET_Y(TimeValue int, xCID []byte, Y []byte) {
+	h := Hashit(int32(TimeValue), xCID)
+	y := fromBytes(h)
+	q := NewBIGints(CURVE_Order)
+	y.mod(q)
+	y.toBytes(Y)
+}
+
+/* One pass MPIN Client */
+func MPIN_CLIENT(date int, CLIENT_ID []byte, RNG *RAND, X []byte, pin int, TOKEN []byte, SEC []byte, xID []byte, xCID []byte, PERMIT []byte, MESSAGE []byte, TimeValue int, Y []byte) int {
+	rtn := 0
+
+	var M []byte
+	if date == 0 {
+		M = xID
+	} else {
+		M = xCID
+	}
+
+	rtn = MPIN_CLIENT_1(date, CLIENT_ID, RNG, X, pin, TOKEN, SEC, xID, xCID, PERMIT)
+	if rtn != 0 {
+		return rtn
+	}
+
+	if MESSAGE != nil {
+		M = append(M, MESSAGE...)
+	}
+
+	MPIN_GET_Y(TimeValue, M, Y)
+
+	rtn = MPIN_CLIENT_2(X, Y, SEC)
+	if rtn != 0 {
+		return rtn
+	}
+
+	return 0
+}
+
+/* One pass MPIN Server */
+func MPIN_SERVER(date int, HID []byte, HTID []byte, Y []byte, SST []byte, xID []byte, xCID []byte, SEC []byte, E []byte, F []byte, CID []byte, MESSAGE []byte, TimeValue int) int {
+	rtn := 0
+
+	var M []byte
+	if date == 0 {
+		M = xID
+	} else {
+		M = xCID
+	}
+
+	MPIN_SERVER_1(date, CID, HID, HTID)
+
+	if MESSAGE != nil {
+		M = append(M, MESSAGE...)
+	}
+
+	MPIN_GET_Y(TimeValue, M, Y)
+
+	rtn = MPIN_SERVER_2(date, HID, HTID, Y, SST, xID, xCID, SEC, E, F)
+	if rtn != 0 {
+		return rtn
+	}
+
+	return 0
+}
+
+func MPIN_printBinary(array []byte) {
+	for i := 0; i < len(array); i++ {
+		fmt.Printf("%02x", array[i])
+	}
+	fmt.Printf("\n")
+}

http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/MPIN_test.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/MPIN_test.go b/go/amcl-go/MPIN_test.go
new file mode 100644
index 0000000..f489bea
--- /dev/null
+++ b/go/amcl-go/MPIN_test.go
@@ -0,0 +1,898 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+package amcl
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"testing"
+)
+
+func TestGoodPIN(t *testing.T) {
+	want := 0
+	// Assign the End-User an ID
+	IDstr := "testUser@miracl.com"
+	ID := []byte(IDstr)
+
+	// Epoch time in days
+	date := 16660
+
+	// Epoch time in seconds
+	timeValue := 1439465203
+
+	// PIN variable to create token
+	PIN1 := 1234
+	// PIN variable to authenticate
+	PIN2 := 1234
+
+	// Seed value for Random Number Generator (RNG)
+	seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+	seed, err := hex.DecodeString(seedHex)
+	if err != nil {
+		fmt.Println("Error decoding seed value")
+		return
+	}
+	rng := NewRAND()
+	rng.Seed(len(seed), seed)
+
+	// Message to sign
+	var MESSAGE []byte
+	// MESSAGE := []byte("test sign message")
+
+	const EGS = MPIN_EGS
+	const EFS = MPIN_EFS
+	const G1S = 2*EFS + 1 /* Group 1 Size */
+	const G2S = 4 * EFS   /* Group 2 Size */
+	const EAS = MPIN_PAS
+
+	var MS1 [EGS]byte
+	var SS1 [G2S]byte
+	var CS1 [G1S]byte
+	var TP1 [G1S]byte
+	var MS2 [EGS]byte
+	var SS2 [G2S]byte
+	var CS2 [G1S]byte
+	var TP2 [G1S]byte
+	var SS [G2S]byte
+	var TP [G1S]byte
+	var TOKEN [G1S]byte
+	var SEC [G1S]byte
+	var U [G1S]byte
+	var UT [G1S]byte
+	var X [EGS]byte
+	var Y [EGS]byte
+	var E [12 * EFS]byte
+	var F [12 * EFS]byte
+	var HID [G1S]byte
+	var HTID [G1S]byte
+
+	// Generate Master Secret Share 1
+	MPIN_RANDOM_GENERATE(rng, MS1[:])
+
+	// Generate Master Secret Share 2
+	MPIN_RANDOM_GENERATE(rng, MS2[:])
+
+	// Either Client or TA calculates Hash(ID)
+	HCID := MPIN_HASH_ID(ID)
+
+	// Generate server secret share 1
+	MPIN_GET_SERVER_SECRET(MS1[:], SS1[:])
+
+	// Generate server secret share 2
+	MPIN_GET_SERVER_SECRET(MS2[:], SS2[:])
+
+	// Combine server secret shares
+	MPIN_RECOMBINE_G2(SS1[:], SS2[:], SS[:])
+
+	// Generate client secret share 1
+	MPIN_GET_CLIENT_SECRET(MS1[:], HCID, CS1[:])
+
+	// Generate client secret share 2
+	MPIN_GET_CLIENT_SECRET(MS2[:], HCID, CS2[:])
+
+	// Combine client secret shares : TOKEN is the full client secret
+	MPIN_RECOMBINE_G1(CS1[:], CS2[:], TOKEN[:])
+
+	// Generate time permit share 1
+	MPIN_GET_CLIENT_PERMIT(date, MS1[:], HCID, TP1[:])
+
+	// Generate time permit share 2
+	MPIN_GET_CLIENT_PERMIT(date, MS2[:], HCID, TP2[:])
+
+	// Combine time permit shares
+	MPIN_RECOMBINE_G1(TP1[:], TP2[:], TP[:])
+
+	// Create token
+	MPIN_EXTRACT_PIN(ID, PIN1, TOKEN[:])
+
+	// Authenticate
+	MPIN_CLIENT(date, ID, rng, X[:], PIN2, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, timeValue, Y[:])
+
+	got := MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], SEC[:], E[:], F[:], ID, MESSAGE, timeValue)
+	if got != want {
+		t.Errorf("MPIN GOOD PIN %d != %d", want, got)
+	}
+}
+
+func TestBadPIN(t *testing.T) {
+	want := -19
+	// Assign the End-User an ID
+	IDstr := "testUser@miracl.com"
+	ID := []byte(IDstr)
+
+	// Epoch time in days
+	date := 16660
+
+	// Epoch time in seconds
+	timeValue := 1439465203
+
+	// PIN variable to create token
+	PIN1 := 1234
+	// PIN variable to authenticate
+	PIN2 := 1235
+
+	// Seed value for Random Number Generator (RNG)
+	seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+	seed, err := hex.DecodeString(seedHex)
+	if err != nil {
+		fmt.Println("Error decoding seed value")
+		return
+	}
+	rng := NewRAND()
+	rng.Seed(len(seed), seed)
+
+	// Message to sign
+	var MESSAGE []byte
+	// MESSAGE := []byte("test sign message")
+
+	const EGS = MPIN_EGS
+	const EFS = MPIN_EFS
+	const G1S = 2*EFS + 1 /* Group 1 Size */
+	const G2S = 4 * EFS   /* Group 2 Size */
+	const EAS = MPIN_PAS
+
+	var MS1 [EGS]byte
+	var SS1 [G2S]byte
+	var CS1 [G1S]byte
+	var TP1 [G1S]byte
+	var MS2 [EGS]byte
+	var SS2 [G2S]byte
+	var CS2 [G1S]byte
+	var TP2 [G1S]byte
+	var SS [G2S]byte
+	var TP [G1S]byte
+	var TOKEN [G1S]byte
+	var SEC [G1S]byte
+	var U [G1S]byte
+	var UT [G1S]byte
+	var X [EGS]byte
+	var Y [EGS]byte
+	var E [12 * EFS]byte
+	var F [12 * EFS]byte
+	var HID [G1S]byte
+	var HTID [G1S]byte
+
+	// Generate Master Secret Share 1
+	MPIN_RANDOM_GENERATE(rng, MS1[:])
+
+	// Generate Master Secret Share 2
+	MPIN_RANDOM_GENERATE(rng, MS2[:])
+
+	// Either Client or TA calculates Hash(ID)
+	HCID := MPIN_HASH_ID(ID)
+
+	// Generate server secret share 1
+	MPIN_GET_SERVER_SECRET(MS1[:], SS1[:])
+
+	// Generate server secret share 2
+	MPIN_GET_SERVER_SECRET(MS2[:], SS2[:])
+
+	// Combine server secret shares
+	MPIN_RECOMBINE_G2(SS1[:], SS2[:], SS[:])
+
+	// Generate client secret share 1
+	MPIN_GET_CLIENT_SECRET(MS1[:], HCID, CS1[:])
+
+	// Generate client secret share 2
+	MPIN_GET_CLIENT_SECRET(MS2[:], HCID, CS2[:])
+
+	// Combine client secret shares : TOKEN is the full client secret
+	MPIN_RECOMBINE_G1(CS1[:], CS2[:], TOKEN[:])
+
+	// Generate time permit share 1
+	MPIN_GET_CLIENT_PERMIT(date, MS1[:], HCID, TP1[:])
+
+	// Generate time permit share 2
+	MPIN_GET_CLIENT_PERMIT(date, MS2[:], HCID, TP2[:])
+
+	// Combine time permit shares
+	MPIN_RECOMBINE_G1(TP1[:], TP2[:], TP[:])
+
+	// Create token
+	MPIN_EXTRACT_PIN(ID, PIN1, TOKEN[:])
+
+	// Authenticate
+	MPIN_CLIENT(date, ID, rng, X[:], PIN2, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, timeValue, Y[:])
+
+	got := MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], SEC[:], E[:], F[:], ID, MESSAGE, timeValue)
+	if got != want {
+		t.Errorf("TestBadPIN %d != %d", want, got)
+	}
+}
+
+func TestBadToken(t *testing.T) {
+	want := -19
+	// Assign the End-User an ID
+	IDstr := "testUser@miracl.com"
+	ID := []byte(IDstr)
+
+	// Epoch time in days
+	date := 16660
+
+	// Epoch time in seconds
+	timeValue := 1439465203
+
+	// PIN variable to create token
+	PIN1 := 1234
+	// PIN variable to authenticate
+	PIN2 := 1234
+
+	// Seed value for Random Number Generator (RNG)
+	seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+	seed, err := hex.DecodeString(seedHex)
+	if err != nil {
+		fmt.Println("Error decoding seed value")
+		return
+	}
+	rng := NewRAND()
+	rng.Seed(len(seed), seed)
+
+	// Message to sign
+	var MESSAGE []byte
+	// MESSAGE := []byte("test sign message")
+
+	const EGS = MPIN_EGS
+	const EFS = MPIN_EFS
+	const G1S = 2*EFS + 1 /* Group 1 Size */
+	const G2S = 4 * EFS   /* Group 2 Size */
+	const EAS = MPIN_PAS
+
+	var MS1 [EGS]byte
+	var SS1 [G2S]byte
+	var CS1 [G1S]byte
+	var TP1 [G1S]byte
+	var MS2 [EGS]byte
+	var SS2 [G2S]byte
+	var CS2 [G1S]byte
+	var TP2 [G1S]byte
+	var SS [G2S]byte
+	var TP [G1S]byte
+	var TOKEN [G1S]byte
+	var SEC [G1S]byte
+	var U [G1S]byte
+	var UT [G1S]byte
+	var X [EGS]byte
+	var Y [EGS]byte
+	var E [12 * EFS]byte
+	var F [12 * EFS]byte
+	var HID [G1S]byte
+	var HTID [G1S]byte
+
+	// Generate Master Secret Share 1
+	MPIN_RANDOM_GENERATE(rng, MS1[:])
+
+	// Generate Master Secret Share 2
+	MPIN_RANDOM_GENERATE(rng, MS2[:])
+
+	// Either Client or TA calculates Hash(ID)
+	HCID := MPIN_HASH_ID(ID)
+
+	// Generate server secret share 1
+	MPIN_GET_SERVER_SECRET(MS1[:], SS1[:])
+
+	// Generate server secret share 2
+	MPIN_GET_SERVER_SECRET(MS2[:], SS2[:])
+
+	// Combine server secret shares
+	MPIN_RECOMBINE_G2(SS1[:], SS2[:], SS[:])
+
+	// Generate client secret share 1
+	MPIN_GET_CLIENT_SECRET(MS1[:], HCID, CS1[:])
+
+	// Generate client secret share 2
+	MPIN_GET_CLIENT_SECRET(MS2[:], HCID, CS2[:])
+
+	// Combine client secret shares : TOKEN is the full client secret
+	MPIN_RECOMBINE_G1(CS1[:], CS2[:], TOKEN[:])
+
+	// Generate time permit share 1
+	MPIN_GET_CLIENT_PERMIT(date, MS1[:], HCID, TP1[:])
+
+	// Generate time permit share 2
+	MPIN_GET_CLIENT_PERMIT(date, MS2[:], HCID, TP2[:])
+
+	// Combine time permit shares
+	MPIN_RECOMBINE_G1(TP1[:], TP2[:], TP[:])
+
+	// Create token
+	MPIN_EXTRACT_PIN(ID, PIN1, TOKEN[:])
+
+	// Authenticate
+	MPIN_CLIENT(date, ID, rng, X[:], PIN2, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, timeValue, Y[:])
+
+	// Send UT as V to model bad token
+	got := MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], UT[:], E[:], F[:], ID, MESSAGE, timeValue)
+	if got != want {
+		t.Errorf("TestBadToken %d != %d", want, got)
+	}
+}
+
+func TestRandom(t *testing.T) {
+	want := 0
+	// Assign the End-User an ID
+	IDstr := "testUser@miracl.com"
+	ID := []byte(IDstr)
+
+	// Epoch time in days
+	date := 16660
+
+	// Epoch time in seconds
+	timeValue := 1439465203
+
+	// PIN variable to create token
+	PIN1 := 1234
+	// PIN variable to authenticate
+	PIN2 := 1234
+
+	// Seed value for Random Number Generator (RNG)
+	seed := make([]byte, 16)
+	rand.Read(seed)
+	rng := NewRAND()
+	rng.Seed(len(seed), seed)
+
+	// Message to sign
+	var MESSAGE []byte
+	// MESSAGE := []byte("test sign message")
+
+	const EGS = MPIN_EGS
+	const EFS = MPIN_EFS
+	const G1S = 2*EFS + 1 /* Group 1 Size */
+	const G2S = 4 * EFS   /* Group 2 Size */
+	const EAS = MPIN_PAS
+
+	var MS1 [EGS]byte
+	var SS1 [G2S]byte
+	var CS1 [G1S]byte
+	var TP1 [G1S]byte
+	var MS2 [EGS]byte
+	var SS2 [G2S]byte
+	var CS2 [G1S]byte
+	var TP2 [G1S]byte
+	var SS [G2S]byte
+	var TP [G1S]byte
+	var TOKEN [G1S]byte
+	var SEC [G1S]byte
+	var U [G1S]byte
+	var UT [G1S]byte
+	var X [EGS]byte
+	var Y [EGS]byte
+	var E [12 * EFS]byte
+	var F [12 * EFS]byte
+	var HID [G1S]byte
+	var HTID [G1S]byte
+
+	// Generate Master Secret Share 1
+	MPIN_RANDOM_GENERATE(rng, MS1[:])
+
+	// Generate Master Secret Share 2
+	MPIN_RANDOM_GENERATE(rng, MS2[:])
+
+	// Either Client or TA calculates Hash(ID)
+	HCID := MPIN_HASH_ID(ID)
+
+	// Generate server secret share 1
+	MPIN_GET_SERVER_SECRET(MS1[:], SS1[:])
+
+	// Generate server secret share 2
+	MPIN_GET_SERVER_SECRET(MS2[:], SS2[:])
+
+	// Combine server secret shares
+	MPIN_RECOMBINE_G2(SS1[:], SS2[:], SS[:])
+
+	// Generate client secret share 1
+	MPIN_GET_CLIENT_SECRET(MS1[:], HCID, CS1[:])
+
+	// Generate client secret share 2
+	MPIN_GET_CLIENT_SECRET(MS2[:], HCID, CS2[:])
+
+	// Combine client secret shares : TOKEN is the full client secret
+	MPIN_RECOMBINE_G1(CS1[:], CS2[:], TOKEN[:])
+
+	// Generate time permit share 1
+	MPIN_GET_CLIENT_PERMIT(date, MS1[:], HCID, TP1[:])
+
+	// Generate time permit share 2
+	MPIN_GET_CLIENT_PERMIT(date, MS2[:], HCID, TP2[:])
+
+	// Combine time permit shares
+	MPIN_RECOMBINE_G1(TP1[:], TP2[:], TP[:])
+
+	// Create token
+	MPIN_EXTRACT_PIN(ID, PIN1, TOKEN[:])
+
+	// Authenticate
+	MPIN_CLIENT(date, ID, rng, X[:], PIN2, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, timeValue, Y[:])
+
+	got := MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], SEC[:], E[:], F[:], ID, MESSAGE, timeValue)
+	if got != want {
+		t.Errorf("TestRandom %d != %d", want, got)
+	}
+}
+
+func TestGoodSignature(t *testing.T) {
+	want := 0
+	// Assign the End-User an ID
+	IDstr := "testUser@miracl.com"
+	ID := []byte(IDstr)
+
+	// Message to sign
+	MESSAGE := []byte("test message to sign")
+
+	// Epoch time in days
+	date := 16660
+
+	// Epoch time in seconds
+	timeValue := 1439465203
+
+	// PIN variable to create token
+	PIN1 := 1234
+	// PIN variable to authenticate
+	PIN2 := 1234
+
+	// Seed value for Random Number Generator (RNG)
+	seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+	seed, err := hex.DecodeString(seedHex)
+	if err != nil {
+		fmt.Println("Error decoding seed value")
+		return
+	}
+	rng := NewRAND()
+	rng.Seed(len(seed), seed)
+
+	const EGS = MPIN_EGS
+	const EFS = MPIN_EFS
+	const G1S = 2*EFS + 1 /* Group 1 Size */
+	const G2S = 4 * EFS   /* Group 2 Size */
+	const EAS = MPIN_PAS
+
+	var MS1 [EGS]byte
+	var SS1 [G2S]byte
+	var CS1 [G1S]byte
+	var TP1 [G1S]byte
+	var MS2 [EGS]byte
+	var SS2 [G2S]byte
+	var CS2 [G1S]byte
+	var TP2 [G1S]byte
+	var SS [G2S]byte
+	var TP [G1S]byte
+	var TOKEN [G1S]byte
+	var SEC [G1S]byte
+	var U [G1S]byte
+	var UT [G1S]byte
+	var X [EGS]byte
+	var Y [EGS]byte
+	var E [12 * EFS]byte
+	var F [12 * EFS]byte
+	var HID [G1S]byte
+	var HTID [G1S]byte
+
+	// Generate Master Secret Share 1
+	MPIN_RANDOM_GENERATE(rng, MS1[:])
+
+	// Generate Master Secret Share 2
+	MPIN_RANDOM_GENERATE(rng, MS2[:])
+
+	// Either Client or TA calculates Hash(ID)
+	HCID := MPIN_HASH_ID(ID)
+
+	// Generate server secret share 1
+	MPIN_GET_SERVER_SECRET(MS1[:], SS1[:])
+
+	// Generate server secret share 2
+	MPIN_GET_SERVER_SECRET(MS2[:], SS2[:])
+
+	// Combine server secret shares
+	MPIN_RECOMBINE_G2(SS1[:], SS2[:], SS[:])
+
+	// Generate client secret share 1
+	MPIN_GET_CLIENT_SECRET(MS1[:], HCID, CS1[:])
+
+	// Generate client secret share 2
+	MPIN_GET_CLIENT_SECRET(MS2[:], HCID, CS2[:])
+
+	// Combine client secret shares : TOKEN is the full client secret
+	MPIN_RECOMBINE_G1(CS1[:], CS2[:], TOKEN[:])
+
+	// Generate time permit share 1
+	MPIN_GET_CLIENT_PERMIT(date, MS1[:], HCID, TP1[:])
+
+	// Generate time permit share 2
+	MPIN_GET_CLIENT_PERMIT(date, MS2[:], HCID, TP2[:])
+
+	// Combine time permit shares
+	MPIN_RECOMBINE_G1(TP1[:], TP2[:], TP[:])
+
+	// Create token
+	MPIN_EXTRACT_PIN(ID, PIN1, TOKEN[:])
+
+	// Authenticate
+	MPIN_CLIENT(date, ID, rng, X[:], PIN2, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, timeValue, Y[:])
+
+	got := MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], SEC[:], E[:], F[:], ID, MESSAGE, timeValue)
+	if got != want {
+		t.Errorf("TestGoodSignature %d != %d", want, got)
+	}
+}
+
+func TestSignatureExpired(t *testing.T) {
+	want := -19
+	// Assign the End-User an ID
+	IDstr := "testUser@miracl.com"
+	ID := []byte(IDstr)
+
+	// Epoch time in days
+	date := 16660
+
+	// Epoch time in seconds
+	timeValue := 1439465203
+
+	// PIN variable to create token
+	PIN1 := 1234
+	// PIN variable to authenticate
+	PIN2 := 1234
+
+	// Seed value for Random Number Generator (RNG)
+	seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+	seed, err := hex.DecodeString(seedHex)
+	if err != nil {
+		fmt.Println("Error decoding seed value")
+		return
+	}
+	rng := NewRAND()
+	rng.Seed(len(seed), seed)
+
+	// Message to sign
+	MESSAGE := []byte("test message to sign")
+
+	const EGS = MPIN_EGS
+	const EFS = MPIN_EFS
+	const G1S = 2*EFS + 1 /* Group 1 Size */
+	const G2S = 4 * EFS   /* Group 2 Size */
+	const EAS = MPIN_PAS
+
+	var MS1 [EGS]byte
+	var SS1 [G2S]byte
+	var CS1 [G1S]byte
+	var TP1 [G1S]byte
+	var MS2 [EGS]byte
+	var SS2 [G2S]byte
+	var CS2 [G1S]byte
+	var TP2 [G1S]byte
+	var SS [G2S]byte
+	var TP [G1S]byte
+	var TOKEN [G1S]byte
+	var SEC [G1S]byte
+	var U [G1S]byte
+	var UT [G1S]byte
+	var X [EGS]byte
+	var Y [EGS]byte
+	var E [12 * EFS]byte
+	var F [12 * EFS]byte
+	var HID [G1S]byte
+	var HTID [G1S]byte
+
+	// Generate Master Secret Share 1
+	MPIN_RANDOM_GENERATE(rng, MS1[:])
+
+	// Generate Master Secret Share 2
+	MPIN_RANDOM_GENERATE(rng, MS2[:])
+
+	// Either Client or TA calculates Hash(ID)
+	HCID := MPIN_HASH_ID(ID)
+
+	// Generate server secret share 1
+	MPIN_GET_SERVER_SECRET(MS1[:], SS1[:])
+
+	// Generate server secret share 2
+	MPIN_GET_SERVER_SECRET(MS2[:], SS2[:])
+
+	// Combine server secret shares
+	MPIN_RECOMBINE_G2(SS1[:], SS2[:], SS[:])
+
+	// Generate client secret share 1
+	MPIN_GET_CLIENT_SECRET(MS1[:], HCID, CS1[:])
+
+	// Generate client secret share 2
+	MPIN_GET_CLIENT_SECRET(MS2[:], HCID, CS2[:])
+
+	// Combine client secret shares : TOKEN is the full client secret
+	MPIN_RECOMBINE_G1(CS1[:], CS2[:], TOKEN[:])
+
+	// Generate time permit share 1
+	MPIN_GET_CLIENT_PERMIT(date, MS1[:], HCID, TP1[:])
+
+	// Generate time permit share 2
+	MPIN_GET_CLIENT_PERMIT(date, MS2[:], HCID, TP2[:])
+
+	// Combine time permit shares
+	MPIN_RECOMBINE_G1(TP1[:], TP2[:], TP[:])
+
+	// Create token
+	MPIN_EXTRACT_PIN(ID, PIN1, TOKEN[:])
+
+	// Authenticate
+	MPIN_CLIENT(date, ID, rng, X[:], PIN2, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, timeValue, Y[:])
+
+	timeValue += 10
+	got := MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], SEC[:], E[:], F[:], ID, MESSAGE, timeValue)
+	if got != want {
+		t.Errorf("TestSignatureExpired %d != %d", want, got)
+	}
+}
+
+func TestBadSignature(t *testing.T) {
+	want := -19
+	// Assign the End-User an ID
+	IDstr := "testUser@miracl.com"
+	ID := []byte(IDstr)
+
+	// Epoch time in days
+	date := 16660
+
+	// Epoch time in seconds
+	timeValue := 1439465203
+
+	// PIN variable to create token
+	PIN1 := 1234
+	// PIN variable to authenticate
+	PIN2 := 1234
+
+	// Seed value for Random Number Generator (RNG)
+	seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+	seed, err := hex.DecodeString(seedHex)
+	if err != nil {
+		fmt.Println("Error decoding seed value")
+		return
+	}
+	rng := NewRAND()
+	rng.Seed(len(seed), seed)
+
+	// Message to sign
+	MESSAGE := []byte("test message to sign")
+
+	const EGS = MPIN_EGS
+	const EFS = MPIN_EFS
+	const G1S = 2*EFS + 1 /* Group 1 Size */
+	const G2S = 4 * EFS   /* Group 2 Size */
+	const EAS = MPIN_PAS
+
+	var MS1 [EGS]byte
+	var SS1 [G2S]byte
+	var CS1 [G1S]byte
+	var TP1 [G1S]byte
+	var MS2 [EGS]byte
+	var SS2 [G2S]byte
+	var CS2 [G1S]byte
+	var TP2 [G1S]byte
+	var SS [G2S]byte
+	var TP [G1S]byte
+	var TOKEN [G1S]byte
+	var SEC [G1S]byte
+	var U [G1S]byte
+	var UT [G1S]byte
+	var X [EGS]byte
+	var Y [EGS]byte
+	var E [12 * EFS]byte
+	var F [12 * EFS]byte
+	var HID [G1S]byte
+	var HTID [G1S]byte
+
+	// Generate Master Secret Share 1
+	MPIN_RANDOM_GENERATE(rng, MS1[:])
+
+	// Generate Master Secret Share 2
+	MPIN_RANDOM_GENERATE(rng, MS2[:])
+
+	// Either Client or TA calculates Hash(ID)
+	HCID := MPIN_HASH_ID(ID)
+
+	// Generate server secret share 1
+	MPIN_GET_SERVER_SECRET(MS1[:], SS1[:])
+
+	// Generate server secret share 2
+	MPIN_GET_SERVER_SECRET(MS2[:], SS2[:])
+
+	// Combine server secret shares
+	MPIN_RECOMBINE_G2(SS1[:], SS2[:], SS[:])
+
+	// Generate client secret share 1
+	MPIN_GET_CLIENT_SECRET(MS1[:], HCID, CS1[:])
+
+	// Generate client secret share 2
+	MPIN_GET_CLIENT_SECRET(MS2[:], HCID, CS2[:])
+
+	// Combine client secret shares : TOKEN is the full client secret
+	MPIN_RECOMBINE_G1(CS1[:], CS2[:], TOKEN[:])
+
+	// Generate time permit share 1
+	MPIN_GET_CLIENT_PERMIT(date, MS1[:], HCID, TP1[:])
+
+	// Generate time permit share 2
+	MPIN_GET_CLIENT_PERMIT(date, MS2[:], HCID, TP2[:])
+
+	// Combine time permit shares
+	MPIN_RECOMBINE_G1(TP1[:], TP2[:], TP[:])
+
+	// Create token
+	MPIN_EXTRACT_PIN(ID, PIN1, TOKEN[:])
+
+	// Authenticate
+	MPIN_CLIENT(date, ID, rng, X[:], PIN2, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, timeValue, Y[:])
+
+	MESSAGE[0] = 00
+	got := MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], SEC[:], E[:], F[:], ID, MESSAGE, timeValue)
+	if got != want {
+		t.Errorf("TestBadSignature %d != %d", want, got)
+	}
+}
+
+func TestMPINFull(t *testing.T) {
+	want := "0afc948b03b2733a0663571f86411a07"
+	// Assign the End-User an ID
+	IDstr := "testUser@miracl.com"
+	ID := []byte(IDstr)
+
+	// Epoch time in days
+	date := 16660
+
+	// Epoch time in seconds
+	timeValue := 1439465203
+
+	// PIN variable to create token
+	PIN1 := 1234
+	// PIN variable to authenticate
+	PIN2 := 1234
+
+	// Seed value for Random Number Generator (RNG)
+	seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+	seed, err := hex.DecodeString(seedHex)
+	if err != nil {
+		fmt.Println("Error decoding seed value")
+		return
+	}
+	rng := NewRAND()
+	rng.Seed(len(seed), seed)
+
+	// Message to sign
+	var MESSAGE []byte
+	// MESSAGE := []byte("test sign message")
+
+	const EGS = MPIN_EGS
+	const EFS = MPIN_EFS
+	const G1S = 2*EFS + 1 /* Group 1 Size */
+	const G2S = 4 * EFS   /* Group 2 Size */
+	const EAS = MPIN_PAS
+
+	var MS1 [EGS]byte
+	var SS1 [G2S]byte
+	var CS1 [G1S]byte
+	var TP1 [G1S]byte
+	var MS2 [EGS]byte
+	var SS2 [G2S]byte
+	var CS2 [G1S]byte
+	var TP2 [G1S]byte
+	var SS [G2S]byte
+	var TP [G1S]byte
+	var TOKEN [G1S]byte
+	var SEC [G1S]byte
+	var U [G1S]byte
+	var UT [G1S]byte
+	var X [EGS]byte
+	var Y [EGS]byte
+	var E [12 * EFS]byte
+	var F [12 * EFS]byte
+	var HID [G1S]byte
+	var HTID [G1S]byte
+
+	var G1 [12 * EFS]byte
+	var G2 [12 * EFS]byte
+	var R [EGS]byte
+	var Z [G1S]byte
+	var W [EGS]byte
+	var T [G1S]byte
+	var AES_KEY_CLIENT [EAS]byte
+	var AES_KEY_SERVER [EAS]byte
+
+	// Generate Master Secret Share 1
+	MPIN_RANDOM_GENERATE(rng, MS1[:])
+
+	// Generate Master Secret Share 2
+	MPIN_RANDOM_GENERATE(rng, MS2[:])
+
+	// Either Client or TA calculates Hash(ID)
+	HCID := MPIN_HASH_ID(ID)
+
+	// Generate server secret share 1
+	MPIN_GET_SERVER_SECRET(MS1[:], SS1[:])
+
+	// Generate server secret share 2
+	MPIN_GET_SERVER_SECRET(MS2[:], SS2[:])
+
+	// Combine server secret shares
+	MPIN_RECOMBINE_G2(SS1[:], SS2[:], SS[:])
+
+	// Generate client secret share 1
+	MPIN_GET_CLIENT_SECRET(MS1[:], HCID, CS1[:])
+
+	// Generate client secret share 2
+	MPIN_GET_CLIENT_SECRET(MS2[:], HCID, CS2[:])
+
+	// Combine client secret shares : TOKEN is the full client secret
+	MPIN_RECOMBINE_G1(CS1[:], CS2[:], TOKEN[:])
+
+	// Generate time permit share 1
+	MPIN_GET_CLIENT_PERMIT(date, MS1[:], HCID, TP1[:])
+
+	// Generate time permit share 2
+	MPIN_GET_CLIENT_PERMIT(date, MS2[:], HCID, TP2[:])
+
+	// Combine time permit shares
+	MPIN_RECOMBINE_G1(TP1[:], TP2[:], TP[:])
+
+	// Create token
+	MPIN_EXTRACT_PIN(ID, PIN1, TOKEN[:])
+
+	// precomputation
+	MPIN_PRECOMPUTE(TOKEN[:], HCID, G1[:], G2[:])
+
+	// Authenticate
+	MPIN_CLIENT(date, ID, rng, X[:], PIN2, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, timeValue, Y[:])
+
+	// Send Z=r.ID to Server
+	MPIN_GET_G1_MULTIPLE(rng, 1, R[:], HCID, Z[:])
+
+	MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], SEC[:], E[:], F[:], ID, MESSAGE, timeValue)
+
+	// send T=w.ID to client
+	MPIN_GET_G1_MULTIPLE(rng, 0, W[:], HTID[:], T[:])
+
+	MPIN_SERVER_KEY(Z[:], SS[:], W[:], U[:], UT[:], AES_KEY_SERVER[:])
+	got := hex.EncodeToString(AES_KEY_SERVER[:])
+	if got != want {
+		t.Errorf("TestMPINFull %s != %s", want, got)
+	}
+
+	MPIN_CLIENT_KEY(G1[:], G2[:], PIN2, R[:], X[:], T[:], AES_KEY_CLIENT[:])
+	got = hex.EncodeToString(AES_KEY_CLIENT[:])
+	if got != want {
+		t.Errorf("TestMPINFull %s != %s", want, got)
+	}
+}