以下内容源自PBC Library 的 英文manual(Chapter 3/4)。
一,Pairing functions
二,Element functions
An application should first initialize a pairing object. This causes PBC to setup curves, groups and other mathematical miscellany. After that, elements can be initialized and manipulated for cryptographic operations.
Parameters for various pairings are included with the PBC library distribution in the param subdirectory, and some are suitable for cryptographic use. Some programs in the gen subdirectory may be used to generate parameters (see Chapter 7). Also, see the PBC website for many more pairing parameters.
Pairings involve three groups of prime order. The PBC library calls them G1, G2, and GT, and calls the order r. The pairing is a bilinear map that takes two elements as input, one from G1 and one from G2, and outputs an element of GT.
The elements of G2 are at least as long as G1; G1 is guaranteed to be the shorter of the two. Sometimes G1 and G2 are the same group (i.e. the pairing is symmetric) so their elements can be mixed freely. In this case the pairing_is_symmetric function returns 1.
Bilinear pairings are stored in the data type pairing_t. Functions that operate on them start with pairing_.
应用程序应首先初始化一个配对对象。这导致PBC设置曲线,组和其他数学杂项。之后,可以对元素进行初始化和操作以进行加密操作。
param子目录中的PBC库分布中包含用于各种配对的参数,其中一些参数适合加密使用。== gen子目录中的某些程序可用于生成参数(请参见第7章)。另外,请参阅PBC网站以获取更多配对参数。==
配对涉及三个主要素数阶的群。 PBC库将它们称为G1,G2和GT,并称阶为r 。配对是一个双线性映射,它以两个元素作为输入,一个来自G1,一个来自G2,并输出GT元素。
G2的元素至少与G1一样长; G1保证是两者中较短的一个。有时G1和G2是同一组(即配对是对称的),因此它们的元素可以自由组合。在这种情况下,pairing_is_symmetric函数返回1。
双线性对存储在数据类型pairing_t中。对它们进行操作的功能以pairing_开头。
To initialize a pairing from an ASCIIZ string:
pairing_t pairing;
pairing_init_set_str(pairing, s); // Where s is a char *.
The string s holds pairing parameters in a text format. The param subdirectory contains several examples.
Alternatively, call:
pairing_t pairing;
pairing_init_pbc_param(pairing, param);
where param is an initialized pbc_param_t (see Chapter 5).
Initialize pairing from parameters in a ASCIIZ string str Returns 0 on success, 1 on failure.
从一个ASCIIZ串的参数初始化配对,初始化成功则返回0,否则返回1。
Same, but read at most len bytes. If len is 0, it behaves as the previous function. Returns 0 on success, 1 on failure.
同样,但是最多读取len个字节,如果len是0,它就和上一个函数一样。
Initialize a pairing with pairing parameters p.
用配对参数p来初始化一个配对。
Free the space occupied by pairing. Call whenever a pairing_t variable is no longer needed. Only call this after all elements associated with pairing have been cleared, as they need information stored in the pairing structure.
释放配对所占的空间。当一个pairing_t类型的变量没用的时候,就可以调用这个函数来释放该变量所占空间。因为需要存储在配对结构中的信息,所以只有所有与配对有关的元素都声明之后,才能调用这个函数。
The function pairing_apply can be called to apply a bilinear map. The order of the inputs is important. The first, which holds the output, must be from the group GT. The second must be from G1, the third from G2, and the fourth must be the pairing_t variable that relates them.
In some applications, the programmer may know that many pairings with the same G1 input will be computed. If so, preprocessing should be used to avoid repeating many calculations saving time in the long run. A variable of type pairing_pp_t should be declared, initialized with the fixed G1 element, and then used to compute pairings:
可以调用pairing_apply函数来应用双线性映射。 输入的顺序很重要。 保存输出的第一个必须来自组GT。 第二个必须来自G1,第三个必须来自G2,第四个必须是与它们相关的pairing_t变量。
在某些应用中,程序员可能知道会计算出具有相同G1输入的许多配对。 如果是这样,从长远来看,应该使用预处理以避免重复许多计算,从而节省了时间。 应该声明类型为pairing_pp_t的变量,并使用固定的G1元素进行初始化,然后将其用于计算配对:
pairing_pp_t pp;
pairing_pp_init(pp, x, pairing); // x is some element of G1
pairing_pp_apply(r1, y1, pp); // r1 = e(x, y1)
pairing_pp_apply(r2, y2, pp); // r2 = e(x, y2)
pairing_pp_clear(pp); // don’t need pp anymore
Never mix and match G1, G2, and GT groups from different pairings.
不要混合搭配来自不同配对的G1,G2和GT群。
Get ready to perform a pairing whose first input is in1,and store the results of time-saving precomputation in p.
准备执行第一个输入为in1的配对,存储这个节约时间的预计算结果到p.
Clear p. This should be called after p is no longer needed.
清除p。当不再用pairing_pp_t类型的变量p的时候,调用这个函数来回收。
Compute a pairing using in2 and the preprocessed information stored in p and store the output in out. The inputs to the pairing are the element previously used to initialize p and the element in2.
使用in2和存储在p中的预处理信息计算一个配对,将输出存储在out中。
Computes a pairing: out = e(in1, in2), where in1, in2, out must be in the groups G1, G2, GT.
计算一个配对:out=e(in1,in2),in1属于G1,in2属于G2,out属于GT。
Computes the product of pairings, that is out = e(in1[0], in2[0]) … e(in1[n-1], in2[n-1]). The arrays in1, in2 must have at least n elements belonging to the groups G1, G2 respectively, and out must belong to the group GT.
计算配对的乘积,即out = e(in1 [0],in2 [0])…e(in1 [n-1],in2 [n-1])。 数组in1,in2必须至少具有分别属于组G1,G2的n个元素,而数组out必须属于组GT。
Returns true if G1 and G2 are the same group.
判断是否对称。
Returns the length in bytes needed to represent an element of G1.
返回G1元素所需的字节长度。
Returns the length in bytes needed to represent the x-coordinate of an element of G1.
返回G1元素的x坐标所需要的字节长度。
Returns the length in bytes needed to represent a compressed form of an element of G1. There is some overhead in decompressing.
返回G1元素压缩格式所需的字节长度 ,解压缩会有一些开销。
Returns the length in bytes needed to represent an element of G2.
返回G2元素所需的字节长度。
Returns the length in bytes needed to represent a compressed form of an element of G2. There is some overhead in decompressing.
返回G2元素压缩格式所需的字节长度 ,解压缩会有一些开销。
Returns the length in bytes needed to represent the x-coordinate of an element of G2.
返回G2元素的x坐标所需要的字节长度。
Returns the length in bytes needed to represent an element of GT.
返回GT元素所需的字节长度。
Returns the length in bytes needed to represent an element of Zr.
返回Zr元素所需的字节长度。
Elements of groups, rings and fields are stored in the element_t data type. Variables of this type must be initialized before use, and should be cleared after they are no longer needed.
The element_ functions must be used with caution. Just as division by zero does not make sense for integers, some operations may not make sense for particular elements. For example, in a ring, one cannot in general invert elements.
Another caveat is that many of these functions assume their arguments come from the same ring, group or field. No implicit type casting is performed.
For debug builds, turn on run-time checks by defining PBC_DEBUG before including pbc.h:
#define PBC_DEBUG
#include
Also, when PBC_DEBUG is defined, the following macros are active. Normally they are replaced with empty statements.
PBC_ASSERT(expr,msg)
Macro: if expr evaluates to 0, print msg and exit.
PBC_ASSERT_MATCH2(a,b)
Macro: if elements a and b are from different fields then exit.
PBC_ASSERT_MATCH3(a,b,c)
Macro: if elements a, b and c are from different fields then exit.
群,环和域的元素存储在element_t数据类型中。此类型的变量必须在使用前进行初始化,并在不再需要它们后清除。
必须谨慎使用element_函数。正如零除对整数没有意义,某些操作对特定元素可能没有意义。例如,在一环中,通常不能反转元素。另一个警告是,这些函数中的许多函数都假定它们的参数来自同一环,组或字段。不执行隐式类型转换。
对于调试版本,通过在包含pbc.h
之前定义PBC_DEBUG
来打开运行时检查:
#define PBC_DEBUG
#include
另外,定义PBC_DEBUG
时,以下宏处于活动状态。通常,它们用空语句替换。
PBC_ASSERT(expr,msg)
Macro:如果expr计算为0,则打印msg并退出。
PBC_ASSERT_MATCH2(a,b)
Macro:如果元素a和b来自不同的字段,则退出。
PBC_ASSERT_MATCH3(a,b,c)
Macro:如果元素a,b和c来自不同的字段,则退出。
When an element is initialized it is associated with an algebraic structure, such as a particular finite field or elliptic curve group.
We use G1 and G2 to denote the input groups to the pairing, and GT for the output group. All have order r, and Zr means the ring of integers modulo r. G1 is the smaller group (the group of points over the base field). With symmetric pairings, G1 = G2.
当元素被初始化时,它与代数结构相关联,例如特定的有限域或椭圆曲线组。
我们使用G1和G2表示配对的输入组,并使用GT表示输出组。都具有r阶,Zr表示以r为模的整数环。 G1是较小的组(基域上的点组)。对于对称配对,G1 = G2。
初始化e为G1群上的元素。
初始化e为G2群上的元素。
Initialize e to be an element of the group G1, G2 or GT of pairing.
初始化e为GT群上的元素。
Initialize e to be an element of the ring Z_r of pairing. r is the order of the groups G1, G2 and GT that are involved in the pairing.
初始化e为配对上的环Zr上的一个元素。r是配对中的群G1,G2,GT的阶。
Initialize e to be an element of the algebraic structure that e2 lies in.
初始化e为e2所在代数结构的一个元素。
Free the space occupied by e. Call this when the variable e is no longer needed.
当变量e不再使用的时候调用这个函数来释放e占用的空间。
These functions assign values to elements. When integers are assigned, they are mapped to algebraic structures canonically if it makes sense (e.g. rings and fields).
Set e to zero.
设定e的值为0。
Set e to one.
设定e的值为1。
Set e to i.
设定e的值为i。
Set e to z.
设置e的值为z的值。
Set e to a.
设置e的值为元素a的值。
Converts e to a GMP integer z if such an operation makes sense.
在有意义的前提下,将z转化为一个GMP整数。
Generate an element e deterministically from the len bytes stored in the buffer data.
根据存储在缓冲区的len字节长度的数据,确定性地生成一个元素e。
Unless otherwise stated, all element_t arguments to these functions must have been initialized to be from the same algebraic structure. When one of these functions expects its arguments to be from particular algebraic structures, this is reflected in the name of the function.
The addition and multiplication functions perform addition and multiplication operations in rings and fields. For groups of points on an ellitpic curve, such as the G1 and G2 groups associated with pairings, both addition and multiplication represent the group operation (and similarly both 0 and 1 represent the identity element). It is recommended that programs choose and one convention and stick with it to avoid confusion.
In contrast, the GT group is currently implemented as a subgroup of a finite field, so only multiplicative operations should be used for GT.
除非另有说明,否则这些函数的所有element_t参数都必须已初始化为来自相同的代数结构。 当某个函数的参数是特定的代数结构时,将以函数的名称反映出来。
加法和乘法功能在环和域中执行加法和乘法运算。 对于椭圆曲线上的点组,例如与配对关联的群G1和G2,加法和乘法均表示群操作(类似地,0和1均表示标识元素)。 建议程序选择一个约定,并遵守约定以避免混淆。
相比之下,群GT当前被实现为有限域的子群,因此GT仅使用乘法运算。
Set n to a + b.
Set n to a - b.
Set n = a*b.
Set n = a z, that is a + a + … + a where there are z a’s.
设置n = a*z,即a + a + … + a,其中有z 个a。
z must be an element of a integer mod ring (i.e.Zn for some n). Set c = a*z, that is a + a + … + a where there are z a’s.
z必须是一个整数模环的元素(即对于某个n的环Zn)。设置 c = a*z,即a + a + … + a,z个a相加。
Set n = a / b.
Set n = a + a.
Set n = a/2.
Set n = a2.
设置n为a的平方。
Set n = -a.
Set n to the inverse of a.
设置n为a的倒数。
Exponentiation and multiexponentiation functions. If it is known in advance that a particular element will be exponentiated several times in the future, time can be saved in the long run by first calling the preprocessing function:
求幂和乘幂函数。 如果事先知道某个特定元素将来会被取幂,那么从长远来看,可以通过首先调用预处理函数来节省时间:
element_pp_t g_pp;
element_pp_init(g_pp, g);
element_pp_pow(h, pow1, g_pp); // h = g^pow1
element_pp_pow(h, pow2, g_pp); // h = g^pow2
element_pp_pow(h, pow3, g_pp); // h = g^pow3
element_pp_clear(g_pp);
Set x = an, that is a times a times … times a where there are n a’s.
设置x = an。
Set x=an,where n is an element of a ring ZN for some N (typically the order of the algebraic structure x lies in).
令x=an,n是某个整数N的环ZN上的元素(N通常是x所在代数结构的阶)。
Sets x = a1n1 a2 n2, and is generally faster than performing two separate exponentiations.
令x=a1n1 a2n2,通常比分别执行求幂运算要快。
Also sets x = a1n1 a2n2, but n1, n2 must be elements of a ring Zn for some integer n.
同上,但是要求n1,n2必须是对于某个整数n的环Zn上的元素;
Sets x = a1n1 a2n2 a3n3, generally faster than performing three separate exponentiations.
x = a1n1 a2n2 a3n3,通常比执行三个单独的求幂运算要快;
Also sets x = a1n1 a2n2 a3n3, but n1, n2, n3 must be elements of a ring Zn for some integer n.
x = a1n1 a2n2 a3n3,但是,n1,n2,n3必须是对于某个整数n上的环Zn的元素;
Prepare to exponentiate an element in, and store preprocessing information in p.
准备在p中对元素求幂,并且将预处理信息保存到p中;
Clear p. Should be called after p is no longer needed.
当p不再使用的时候,清除p;
Raise in to power and store the result in out, where in is a previously
preprocessed element, that is, the second argument passed to a previouselement_pp_initcall.
将in提高到power以将结果存储到out中,其中in是先前预处理的元素,即,传递给先前element_pp_init调用的第二个参数。
Same except power is an element ofZn for some integer n.
power是基于整数n的环Zn的一个元素,除此之外都
Computes x such that gx= h by brute force, where x lies in a field where element_set_mpz() makes sense.
以暴力的方式计算x,使得gx=h,其中x位于使element_set_mpz()有意义的域中;
Computes x such that gx = h using Pollard rho method, where x lies in a field where element_set_mpz() makes sense.
使用Pollard rho方法计算x,使得gx=h,其中x位于使得element_set_mpz()有意义的域中;
These functions compare elements from the same algebraic structure.
Returns true if n is 1.
Returns true if n is 0.
Returns 0 if a and b are the same, nonzero otherwise.
如果a,b相等,返回0;否则返回非0值;
Returns nonzero if a is a perfect square (quadratic residue), zero otherwise.
如果a是一个完全平方数(二次剩余),返回非0值;否则,返回0;
If a is zero, returns 0. For nozero a the behaviour depends on the algebraic structure, but has the property that element_sgn(a) = -element_sgn(-a) and element_sgn(a) = 0 implies a = 0 with overwhelming probability.
如果a为零,则返回0。对于非零a,其行为取决于代数结构,但具有element_sgn(a)= -element_sgn(-a)和element_sgn(a)= 0的性质表示a = 0的可能性很大。
Functions for producing human-readable outputs for elements. Converting elements to and from bytes are discussed later.
这些函数用于生成可读的元素输出。稍后讨论元素与字节之间的转换。
Output e on stream in base base. The base must be between 2 and 36.
以基数为基础在流上输出e。底数必须在2到36之间。
Same as printf family except also has the B conversion specifier for types ofelement_t, and Y, Z conversion specifiers for mpz_t.
For example if e is of type element_t then
element_printf("%B\n", e);
will print the value of e in a human-readable form on standard output.
与printf家族相同,除了对element_t类型具有B转换说明符,对于mpz_t具有Y,Z转换说明符。
例如,如果e是一个element_t类型的元素,那么,element_printf(“%B\n”,e);将会以一种可读的方式将e的值输出到标准输出中;
Convert an element to a human-friendly string. Behaves as snprintfbut only on one element at a time.
将元素转换为人类友好的字符串。表现为snprintf,但一次仅作用于一个元素。
Set the element e from s, a null-terminated C string in base base. Whitespace is ignored. Points have the form “[x,y]” or “O”, while polynomials have the form “[a0,…,an]”. Returns number of characters read (unlike GMP’s mpz_set_str). A return code of zero means PBC could not find a well-formed string describing an element.
从s设置元素e,s是基数为null终止的C字符串。空格被忽略。点的形式为“ [x,y]”或“ O”,而多项式的形式为“ [a0,…,an]”。返回读取的字符数(与GMP的mpz_set_str不同)。返回码为零表示PBC无法找到描述元素的格式正确的字符串。
Only works for finite algebraic structures. Effect on polynomial rings, fields of characteristic zero, etc. undefined.
See Section 6.1 for how PBC gets random bits.
仅适用于有限的代数结构。 未定义对多项式环,特征零域等的影响。
有关PBC如何获取随机位的信息,请参见第6.1节。
If the e lies in a finite algebraic structure, assigns a uniformly random element to e.
如果e位于有限的代数结构中,则将均匀随机元素分配给e。
Functions for serializing and deserializing elements.
进行元素序列化和元素反序列化的函数。
Returns the length in bytes the element e will take to represent
返回元素e的字节长度;
Converts e to byte, writing the result in the buffer data. The number of bytes it will write can be determined from callingelement_length_in_bytes(). Returns number of bytes written.
把元素e转化为字节,并把结果写到缓存区数据。通过调用函数element_length_in_bytes()来确定写入的字节数。并返回写入的字节数。
Reads e from the buffer data, and returns the number of bytes read.
从缓冲区数据读取e,并且返回读取的字节数。
Assumes e is a point on an elliptic curve. Writes the x-coordinate of e to the buffer data
假设e是椭圆曲线上的一个点。把e的x坐标写到缓冲区数据。
Assumes e is a point on an elliptic curve. Sets e to a point with x-coordinate represented by the buffer data. This is not unique.For each x-coordinate, there exist two different points,at least for the elliptic curves in PBC. (They are inverses of each other.)
假设e是一个椭圆曲线上的点。根据缓冲区数据所存储的x坐标来设置e的值。这个值并不是唯一的。对于每个x坐标,在PBC的椭圆曲线上都至少有两个不同的点与之对应。(它们是互为倒数)
Assumes e is a point on an elliptic curve. Returns the length in bytes needed to hold the x-coordinate of e.
假设e是一个椭圆曲线上的点。返回存储e的x坐标所需要的字节长度。
If possible, outputs a compressed form of the element e to the buffer of bytes data.Currently only implemented for points on an elliptic curve.
如果可能,将元素e的压缩形式输出到字节数据缓冲区。当前仅对椭圆曲线上的点实施。
Sets element e to the element in compressed form in the buffer of bytes data. Currently only implemented for points on an elliptic curve.
在字节数据缓冲区中将元素e设置为压缩形式的元素。当前仅对椭圆曲线上的点实施。
Returns the number of bytes needed to hold e in compressed form. Currently only implemented for points on an elliptic curve.
返回以压缩形式保存e所需的字节数。当前仅对椭圆曲线上的点实施。
For points, returns the number of coordinates. For polynomials, returns the number of coefficients. Otherwise returns zero.
对于点,返回坐标数。对于多项式,返回系数数。否则返回零。
For points, returns nth coordinate. For polynomials, returns coefficient of xn. Otherwise returns NULL. The element the return value points to may be modified.
对于点,返回第n个坐标。对于多项式,返回系数xn。否则返回NULL。返回值指向的元素可以修改。
Equivalent to element_item(a, 0).
等价于element_item(a,0);
Equivalent to element_item(a, 1).
等价于element_telement_y(element_t a)