Possibly working fixed-base multiplication.

src/hss.c

@@ -1,7 +1,9 @@
 #include "config.h"
 
 #include <assert.h>
+#include <stdlib.h>
 
+#include "entropy.h"
 #include "hss.h"
 
 /**
@@ -34,6 +36,18 @@ void hss_del()
   mpz_clear(p);
 }
 
+
+void fbprecompute(fbptable_t T, const mpz_t base)
+{
+  for (size_t j = 0; j < 4; j++) {
+    for (size_t i = 0; i <= 0xFF; i++) {
+      uint64_t e = (0x01 << 8*j) * i;
+      mpz_init(T[j][i]);
+      mpz_powm_ui(T[j][i], base, e, p);
+    }
+  }
+}
+
 void ssl1_init(ssl1_t s)
 {
   elgamal_cipher_init(s->w);
@@ -58,6 +72,10 @@ void ssl1_share(ssl1_t r1, ssl1_t r2, const mpz_t v, const elgamal_key_t key)
   mpz_init_set_ui(zero, 0);
 
   elgamal_encrypt_shares(r1->w, r2->w, key, v);
+  //  s->T = (fbptable_t) calloc(sizeof(fbptable_entry_t), 256 * 4);
+  fbprecompute(r1->T, r1->w->c2);
+  fbprecompute(r2->T, r2->w->c2);
+
   for (size_t t = 0; t < 160; t++) {
     if (mpz_tstbit(key->sk, 159-t)) {
       elgamal_encrypt_shares(r1->cw[t], r2->cw[t], key, v);
@@ -86,20 +104,27 @@ void ssl1_open(mpz_t rop, const ssl1_t r1, const ssl1_t r2, const elgamal_key_t
 
 void ssl2_init(ssl2_t s)
 {
-  mpz_inits(s->x, s->cx, NULL);
+  s->x = 0;
+  mpz_inits(s->cx, NULL);
 }
 
 void ssl2_clear(ssl2_t s)
 {
-  mpz_clear(s->x);
   mpz_clear(s->cx);
 }
 
 
 void ssl2_share(ssl2_t s1, ssl2_t s2, const mpz_t v, const mpz_t sk)
 {
-  mpz_urandomb(s1->x, _rstate, 192);
-  mpz_add(s2->x, v, s1->x);
+  /* sampling one byte here is already sufficient.
+   * However, the purpose of this function is testing,
+   * so here we go sampling over the whole space */
+  getrandom(&s1->x, 3, GRND_NONBLOCK);
+  //mpz_urandomb(s1->x, _rstate, 192);
+  //mpz_add(s2->x, v, s1->x);
+
+  const uint32_t _v = (uint32_t) mpz_get_ui(v);
+  s2->x = s1->x + _v;
 
   mpz_urandomb(s1->cx, _rstate, 192);
   mpz_mul(s2->cx, sk, v);
@@ -109,6 +134,8 @@ void ssl2_share(ssl2_t s1, ssl2_t s2, const mpz_t v, const mpz_t sk)
 
 void ssl2_open(mpz_t rop, const ssl2_t s1, const ssl2_t s2)
 {
-  mpz_sub(rop, s2->x, s1->x);
-  mpz_abs(rop, rop);
+  if (s1->x > s2->x) mpz_set_ui(rop, s1->x - s2->x);
+  else               mpz_set_ui(rop, s2->x - s1->x);
+  //mpz_sub(rop, s2->x, s1->x);
+  //mpz_abs(rop, rop);
 }

src/hss.h

@@ -20,9 +20,16 @@ void hss_del();
 /** A level-1 share is the El-Gamal encryption of a secretly-shared value,
  *  plus the encryption of the product of each bit.
  */
+
+//typedef __mpz_struct* fbptable_entry_t;
+//typedef fbptable_entry_t (* fbptable_t)[256];
+typedef const mpz_t (* const_fbptable_t)[256];
+typedef mpz_t (* fbptable_t)[256];
+
 typedef struct ssl1 {
   elgamal_cipher_t w;
   elgamal_cipher_t cw[160];
+  mpz_t T[4][256];
 } ssl1_t[1];
 
 
@@ -35,7 +42,7 @@ void ssl1_open(mpz_t rop, const ssl1_t r1, const ssl1_t r2, const elgamal_key_t
     This shares have at most 192 bits.
  */
 typedef struct ssl2 {
-  mpz_t x;
+  uint32_t x;
   mpz_t cx;
 } ssl2_t[1];
 

src/rms.c

@@ -7,46 +7,52 @@
 
 #include <gmp.h>
 
+#include "ddlog.h"
 #include "elgamal.h"
 #include "entropy.h"
 #include "rms.h"
 #include "hss.h"
 #include "timeit.h"
 
-#define strip_size 16
-uint32_t naif_convert(mpz_t n)
-{
-  uint32_t i;
-  mpz_t t;
-  mpz_init_set_ui(t, 1);
-  mpz_mul_2exp(t, t, 1536-strip_size);
-
 
-  for (i = 0; mpz_cmp(n, t) > -1; i++) {
-    mpz_mul_ui(n, n, 2);
-    mpz_mod(n, n, p);
-  }
-
-  mpz_clear(t);
-  return i;
+static inline
+void fbpowm(mpz_t rop, const_fbptable_t T, const uint32_t exp)
+{
+  const uint8_t *e = (uint8_t *) &exp;
+
+  mpz_mul(rop, T[0][e[0]], T[1][e[1]]);
+  mpz_mod(rop, rop, p);
+  mpz_mul(rop, rop, T[2][e[2]]);
+  mpz_mod(rop, rop, p);
+  mpz_mul(rop, rop, T[3][e[3]]);
+  mpz_mod(rop, rop, p);
 }
 
+
 static inline
 uint32_t __mul_single(mpz_t op1,
                       mpz_t op2,
                       const mpz_t c1,
                       const mpz_t c2,
-                      const mpz_t x,
+                      const_fbptable_t T,
+                      const uint32_t x,
                       const mpz_t cx)
 {
 
   mpz_powm(op1, c1, cx, p);
   mpz_invert(op1, op1, p);
 
-  mpz_powm(op2, c2, x, p);
+  //mpz_t test; mpz_init(test);
+  //mpz_powm_ui(test, c2, x, p);
+  fbpowm(op2, T, x);
+  //if (mpz_cmp(test, op2)) gmp_printf("base: %Zx\nexp: %x\npcomp: %Zx\nreal: %Zd\n", c2, x, op2, test);
+  //mpz_clear(test);
+
+  mpz_powm_ui(op2, c2, x, p);
   mpz_mul(op2, op2, op1);
   mpz_mod(op2, op2, p);
-  return naif_convert(op2);
+  const uint32_t converted = convert(op2->_mp_d);
+  return converted;
 }
 
 void hss_mul(ssl2_t rop, const ssl1_t sl1, const ssl2_t sl2)
@@ -56,13 +62,21 @@ void hss_mul(ssl2_t rop, const ssl1_t sl1, const ssl2_t sl2)
   mpz_inits(op1, op2, NULL);
 
   converted = __mul_single(op1, op2,
-                           sl1->w->c1, sl1->w->c2, sl2->x, sl2->cx);
-  mpz_set_ui(rop->x, converted);
+                           sl1->w->c1,
+                           sl1->w->c2,
+                           sl1->T,
+                           sl2->x,
+                           sl2->cx);
+  rop->x = converted;
 
   mpz_set_ui(rop->cx, 0);
   for (size_t t = 0; t < 160; t++) {
     converted = __mul_single(op1, op2,
-                             sl1->cw[t]->c1, sl1->cw[t]->c2, sl2->x, sl2->cx);
+                             sl1->cw[t]->c1,
+                             sl1->cw[t]->c2,
+                             sl1->T,
+                             sl2->x,
+                             sl2->cx);
     mpz_add_ui(rop->cx, rop->cx, converted);
     mpz_mul_2exp(rop->cx, rop->cx, 1);
   }
@@ -75,6 +89,7 @@ int main()
 {
   mpz_entropy_init();
   hss_init();
+  dlog_precompute();
 
   mpz_t test;
   mpz_init(test);
@@ -96,7 +111,6 @@ int main()
   ssl2_init(t1);
   ssl2_init(t2);
 
-
   INIT_TIMEIT();
   for (int i = 0; i <  (int) 1e1; i++) {
 
@@ -119,7 +133,7 @@ int main()
      hss_mul(t2, r2, s2);
 #ifndef NDEBUG
     gmp_printf("%Zx %Zx\n", x, y);
-    gmp_printf("%Zx %Zx\n", s1->x, s2->x);
+    gmp_printf("%d %d\n", s1->x, s2->x);
 #endif
 
     mpz_mul(xy, x, y);