From eb273023ea16d139ba227662d8c29adf20bb23af Mon Sep 17 00:00:00 2001 From: MITSUNARI Shigeo Date: Tue, 13 Jun 2017 05:37:10 +0900 Subject: end of refactoring --- go/bls/bls.go | 2 +- include/bls/bls.h | 13 +- src/bls_c.cpp | 677 ++++++++---------------------------------------------- 3 files changed, 109 insertions(+), 583 deletions(-) diff --git a/go/bls/bls.go b/go/bls/bls.go index 91da636..deeeeb5 100644 --- a/go/bls/bls.go +++ b/go/bls/bls.go @@ -444,7 +444,7 @@ func (sign *Sign) Recover(signVec []Sign, idVec []ID) error { func (sign *Sign) Verify(pub *PublicKey, m string) bool { buf := []byte(m) // #nosec - return C.blsVerify(sign.getPointer(), pub.getPointer(), (*C.char)(unsafe.Pointer(&buf[0])), C.size_t(len(buf))) == 1 + return C.blsVerify(sign.getPointer(), pub.getPointer(), unsafe.Pointer(&buf[0]), C.size_t(len(buf))) == 1 } // VerifyPop -- diff --git a/include/bls/bls.h b/include/bls/bls.h index ef5f24f..e15a82b 100644 --- a/include/bls/bls.h +++ b/include/bls/bls.h 
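Review bot: `&buf[0]` in `Verify` panics with an index-out-of-range error when `m` is the empty string, because `[]byte("")` has length zero; the cast cleanup on this line leaves that unchanged. The message on a verification path is usually supplied by the peer, so an empty input should produce a failed verification rather than crash the process. Add a guard before the cgo call, `if len(buf) == 0 { return false }`, or pass a nil pointer with size 0 if empty messages are meant to be verifiable.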
@@ -118,17 +118,28 @@ BLS_DLL_API int blsSignatureRecover(blsSignature *sig, const blsSignature *sigVe BLS_DLL_API void blsSign(blsSignature *sig, const blsSecretKey *sec, const char *m, size_t size); // return 1 if valid -BLS_DLL_API int blsVerify(const blsSignature *sig, const blsPublicKey *pub, const char *m, size_t size); +BLS_DLL_API int blsVerify(const blsSignature *sig, const blsPublicKey *pub, const void *m, size_t size); BLS_DLL_API int blsVerifyPop(const blsSignature *sig, const blsPublicKey *pub); /* + Lagrange interpolation recover out = y(0) by { (xVec[i], yVec[i]) } return 0 if success else -1 + @note k >= 2, xVec[i] != 0, xVec[i] != xVec[j] for i != j */ BLS_DLL_API int mclBn_FrLagrangeInterpolation(mclBnFr *out, const mclBnFr *yVec, const mclBnFr *xVec, size_t k); BLS_DLL_API int mclBn_G1LagrangeInterpolation(mclBnG1 *out, const mclBnG1 *yVec, const mclBnFr *xVec, size_t k); BLS_DLL_API int mclBn_G2LagrangeInterpolation(mclBnG2 *out, const mclBnG2 *yVec, const mclBnFr *xVec, size_t k); +/* + evaluate polynomial + out = f(x) = c[0] + c[1] * x + c[2] * x^2 + ... + c[cSize - 1] * x^(cSize - 1) + @note cSize >= 2 +*/ +BLS_DLL_API int mclBn_FrEvaluatePolynomial(mclBnFr *out, const mclBnFr *cVec, size_t cSize, const mclBnFr *x); +BLS_DLL_API int mclBn_G1EvaluatePolynomial(mclBnG1 *out, const mclBnG1 *cVec, size_t cSize, const mclBnFr *x); +BLS_DLL_API int mclBn_G2EvaluatePolynomial(mclBnG2 *out, const mclBnG2 *cVec, size_t cSize, const mclBnFr *x); + ////////////////////////////////////////////////////////////////////////// // the following apis will be removed diff --git a/src/bls_c.cpp b/src/bls_c.cpp index 622e732..c9e2408 100644 --- a/src/bls_c.cpp +++ b/src/bls_c.cpp 
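Review bot: The new comment for `mclBn_*EvaluatePolynomial` omits the return convention, although the Lagrange comment just above it states `return 0 if success else -1`. A caller reading only the header cannot tell that violating `@note cSize >= 2` is reported as -1 (as `evalPoly` in src/bls_c.cpp does) rather than being undefined behaviour. I would add `return 0 if success else -1` to the comment and say whether `out` may alias `cVec`. Separately, `blsVerify` now takes `const void *m` while `blsSign` in the same hunk still takes `const char *m`, so the sign/verify pair is asymmetric for binary messages.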
@@ -9,6 +9,39 @@ #define BLS_DLL_EXPORT #include +/* + BLS signature + e : G2 x G1 -> Fp12 + Q in G2 ; fixed global parameter + H : {str} -> G1 + s : secret key + sQ ; public key + s H(m) ; signature of m + verify ; e(sQ, H(m)) = e(Q, s H(m)) +*/ + +static G2 g_Q; +static std::vector g_Qcoeff; // precomputed Q +static const G2& getQ() { return g_Q; } +static const std::vector& getQcoeff() { return g_Qcoeff; } + +int blsInit(int curve, int maxUnitSize) + try +{ + if (mclBn_init(curve, maxUnitSize) != 0) return -1; + if (curve == mclBn_CurveFp254BNb) { + g_Q.set( + Fp2("12723517038133731887338407189719511622662176727675373276651903807414909099441", "4168783608814932154536427934509895782246573715297911553964171371032945126671"), + Fp2("13891744915211034074451795021214165905772212241412891944830863846330766296736", "7937318970632701341203597196594272556916396164729705624521405069090520231616") + ); + } else { + BN::mapToG2(g_Q, 1); + } + BN::precomputeG2(g_Qcoeff, getQ()); + return 0; +} catch (std::exception&) { + return -1; +} static inline Fr *cast(blsId* x) { return (Fr *)x; } static inline Fr *cast(blsSecretKey* x) { return (Fr *)x; } @@ -19,11 +52,13 @@ static inline const Fr *cast(const blsSecretKey* x) { return (const Fr *)x; } static inline const G1 *cast(const blsSignature* x) { return (const G1 *)x; } static inline const G2 *cast(const blsPublicKey* x) { return (const G2 *)x; } +static inline const mclBnG1 *cast(const G1* x) { return (const mclBnG1*)x; } +static inline const mclBnG2 *cast(const G2* x) { return (const mclBnG2*)x; } /* - recover f(0) by { (x, y) | x = S[i], y = f(x) = vec[i] } + recover out = f(0) by { (x, y) | x = S[i], y = f(x) = vec[i] } */ template -int LagrangeInterpolation(G& r, const G *vec, const F *S, size_t k) +int LagrangeInterpolation(G& out, const G *vec, const F *S, size_t k) { /* delta_{i,S}(0) = prod_{j != i} S[j] / (S[j] - S[i]) = a / b 
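Review bot: `g_Q` and `g_Qcoeff` stay default-constructed or empty when `blsInit` was never called or returned -1 before `BN::precomputeG2`, and nothing visible records that state; `blsVerify` later passes `getQcoeff().data()` straight into the Miller loop. The previous pointer globals were null in that situation. With value globals the result is likely either a read past an empty coefficient table or a verification against an unset Q, depending on how mcl handles it. Consider an initialized flag that is set as the last statement of `blsInit` and checked in the entry points. Also document that `blsInit` must not run concurrently with any other call, since it rewrites both globals in place.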
@@ -51,577 +86,74 @@ int LagrangeInterpolation(G& r, const G *vec, const F *S, size_t k) /* f(0) = sum_i f(S[i]) delta_{i,S}(0) */ + G r, t; r.clear(); - G t; for (size_t i = 0; i < delta.size(); i++) { G::mul(t, vec[i], delta[i]); r += t; } + out = r; return 0; } -int mclBn_FrLagrangeInterpolation(mclBnFr *out, const mclBnFr *yVec, const mclBnFr *xVec, size_t k) -{ - return LagrangeInterpolation(*cast(out), cast(yVec), cast(xVec), k); -} -int mclBn_G1LagrangeInterpolation(mclBnG1 *out, const mclBnG1 *yVec, const mclBnFr *xVec, size_t k) -{ - return LagrangeInterpolation(*cast(out), cast(yVec), cast(xVec), k); -} -int mclBn_G2LagrangeInterpolation(mclBnG2 *out, const mclBnG2 *yVec, const mclBnFr *xVec, size_t k) -{ - return LagrangeInterpolation(*cast(out), cast(yVec), cast(xVec), k); -} -///////////////////////////////////////////////////////////// -namespace bls2 { - -// same value with IoMode of mcl/op.hpp -enum { - IoBin = 2, // binary number - IoDec = 10, // decimal number - IoHex = 16, // hexadecimal number - IoFixedByteSeq = 512 // fixed byte representation -}; - -namespace impl { - -struct SecretKey; -struct PublicKey; -struct Signature; -struct Id; - -} // bls2::impl - -/* - BLS signature - e : G2 x G1 -> Fp12 - Q in G2 ; fixed global parameter - H : {str} -> G1 - s : secret key - sQ ; public key - s H(m) ; signature of m - verify ; e(sQ, H(m)) = e(Q, s H(m)) -*/ - -class SecretKey; -class PublicKey; -class Signature; -class Id; /* - the value of secretKey and Id must be less than - r = 0x2523648240000001ba344d8000000007ff9f800000000010a10000000000000d - sizeof(uint64_t) * keySize byte + out = f(x) = c[0] + c[1] * x + c[2] * x^2 + ... 
+ c[cSize - 1] * x^(cSize - 1) */ -const size_t keySize = MCLBN_FP_UNIT_SIZE; - -typedef std::vector SecretKeyVec; -typedef std::vector PublicKeyVec; -typedef std::vector SignatureVec; -typedef std::vector IdVec; - -class Id { - blsId self_; - friend class PublicKey; - friend class SecretKey; - template friend struct WrapArray; - impl::Id& getInner() { return *reinterpret_cast(this); } - const impl::Id& getInner() const { return *reinterpret_cast(this); } -public: - Id(unsigned int id = 0); - bool operator==(const Id& rhs) const; - bool operator!=(const Id& rhs) const { return !(*this == rhs); } - friend std::ostream& operator<<(std::ostream& os, const Id& id); - friend std::istream& operator>>(std::istream& is, Id& id); - void getStr(std::string& str, int ioMode = 0) const; - void setStr(const std::string& str, int ioMode = 0); - bool isZero() const; - /* - set p[0, .., keySize) - @note the value must be less than r - */ - void set(const uint64_t *p); - // bufSize is truncted/zero extended to keySize - void setLittleEndian(const void *buf, size_t bufSize); -}; - -/* - s ; secret key -*/ -class SecretKey { - blsSecretKey self_; - template friend struct WrapArray; - impl::SecretKey& getInner() { return *reinterpret_cast(this); } - const impl::SecretKey& getInner() const { return *reinterpret_cast(this); } -public: - SecretKey() : self_() {} - bool operator==(const SecretKey& rhs) const; - bool operator!=(const SecretKey& rhs) const { return !(*this == rhs); } - friend std::ostream& operator<<(std::ostream& os, const SecretKey& sec); - friend std::istream& operator>>(std::istream& is, SecretKey& sec); - void getStr(std::string& str, int ioMode = 0) const; - void setStr(const std::string& str, int ioMode = 0); - /* - initialize secretKey with random number and set id = 0 - */ - void init(); - /* - set secretKey with p[0, .., keySize) and set id = 0 - @note the value must be less than r - */ - void set(const uint64_t *p); - // bufSize is truncted/zero extended to 
keySize - void setLittleEndian(const void *buf, size_t bufSize); - // set hash of buf - void setHashOf(const void *buf, size_t bufSize); - void getPublicKey(PublicKey& pub) const; - // constant time sign - void sign(Signature& sig, const std::string& m) const; - /* - make Pop(Proof of Possesion) - pop = prv.sign(pub) - */ - void getPop(Signature& pop) const; - /* - make [s_0, ..., s_{k-1}] to prepare k-out-of-n secret sharing - */ - void getMasterSecretKey(SecretKeyVec& msk, size_t k) const; - /* - set a secret key for id > 0 from msk - */ - void set(const SecretKeyVec& msk, const Id& id) - { - set(msk.data(), msk.size(), id); - } - /* - add secret key - */ - void add(const SecretKey& rhs); - - // the following methods are for C api - /* - the size of msk must be k - */ - void set(const SecretKey *msk, size_t k, const Id& id); -}; - -/* - sQ ; public key -*/ -class PublicKey { - blsPublicKey self_; - friend class SecretKey; - friend class Signature; - template friend struct WrapArray; - impl::PublicKey& getInner() { return *reinterpret_cast(this); } - const impl::PublicKey& getInner() const { return *reinterpret_cast(this); } -public: - PublicKey() : self_() {} - bool operator==(const PublicKey& rhs) const; - bool operator!=(const PublicKey& rhs) const { return !(*this == rhs); } - friend std::ostream& operator<<(std::ostream& os, const PublicKey& pub); - friend std::istream& operator>>(std::istream& is, PublicKey& pub); - void getStr(std::string& str, int ioMode = 0) const; - void setStr(const std::string& str, int ioMode = 0); - /* - set public for id from mpk - */ - void set(const PublicKeyVec& mpk, const Id& id) - { - set(mpk.data(), mpk.size(), id); - } - /* - add public key - */ - void add(const PublicKey& rhs); - - // the following methods are for C api - void set(const PublicKey *mpk, size_t k, const Id& id); -}; - -/* - s H(m) ; signature -*/ -class Signature { - blsSignature self_; - friend class SecretKey; - template friend struct WrapArray; - 
impl::Signature& getInner() { return *reinterpret_cast(this); } - const impl::Signature& getInner() const { return *reinterpret_cast(this); } -public: - Signature() : self_() {} - bool operator==(const Signature& rhs) const; - bool operator!=(const Signature& rhs) const { return !(*this == rhs); } - friend std::ostream& operator<<(std::ostream& os, const Signature& s); - friend std::istream& operator>>(std::istream& is, Signature& s); - void getStr(std::string& str, int ioMode = 0) const; - void setStr(const std::string& str, int ioMode = 0); - bool verify(const PublicKey& pub, const std::string& m) const; - /* - verify self(pop) with pub - */ - bool verify(const PublicKey& pub) const; - /* - add signature - */ - void add(const Signature& rhs); -}; - -/* - make master public key [s_0 Q, ..., s_{k-1} Q] from msk -*/ -inline void getMasterPublicKey(PublicKeyVec& mpk, const SecretKeyVec& msk) +template +int evalPoly(G& out, const G *c, size_t cSize, const T& x) { - const size_t n = msk.size(); - mpk.resize(n); - for (size_t i = 0; i < n; i++) { - msk[i].getPublicKey(mpk[i]); - } -} - -/* - make pop from msk and mpk -*/ -inline void getPopVec(SignatureVec& popVec, const SecretKeyVec& msk) -{ - const size_t n = msk.size(); - popVec.resize(n); - for (size_t i = 0; i < n; i++) { - msk[i].getPop(popVec[i]); - } -} - -inline Signature operator+(const Signature& a, const Signature& b) { Signature r(a); r.add(b); return r; } -inline PublicKey operator+(const PublicKey& a, const PublicKey& b) { PublicKey r(a); r.add(b); return r; } -inline SecretKey operator+(const SecretKey& a, const SecretKey& b) { SecretKey r(a); r.add(b); return r; } - -} //bls2 -//////////////////////////////////////////////////////////////// -typedef std::vector FrVec; - -static cybozu::RandomGenerator& getRG() -{ - static cybozu::RandomGenerator rg; - return rg; -} - -static const std::vector *g_pQcoeff; -static const G2 *g_pQ; - -namespace bls2 { - -static const G2& getQ() { return *g_pQ; } -static 
const std::vector& getQcoeff() { return *g_pQcoeff; } - -static void HashAndMapToG1(G1& P, const std::string& m) -{ - Fp t; - t.setHashOf(m); - BN::mapToG1(P, t); -} - -template -void evalPoly(G& y, const T& x, const Vec& c) -{ - if (c.size() < 2) throw cybozu::Exception("bls:evalPoly:bad size") << c.size(); - y = c[c.size() - 1]; - for (int i = (int)c.size() - 2; i >= 0; i--) { + if (cSize < 2) return -1; + G y = c[cSize - 1]; + for (int i = (int)cSize - 2; i >= 0; i--) { G::mul(y, y, x); G::add(y, y, c[i]); } + out = y; + return 0; } -template -struct WrapArray { - const T *v; - size_t k; - WrapArray(const T *v, size_t k) : v(v), k(k) {} - const G& operator[](size_t i) const - { - return v[i].getInner().get(); - } - size_t size() const { return k; } -}; - -struct Polynomial { - FrVec c; // f[x] = sum_{i=0}^{k-1} c[i] x^i - void init(const Fr& s, int k) - { - if (k < 2) throw cybozu::Exception("bls:Polynomial:init:bad k") << k; - c.resize(k); - c[0] = s; - for (size_t i = 1; i < c.size(); i++) { - c[i].setRand(getRG()); - } - } - // y = f(id) - void eval(Fr& y, const Fr& id) const - { - if (id.isZero()) throw cybozu::Exception("bls:Polynomial:eval:id is zero"); - evalPoly(y, id, c); - } -}; - -namespace impl { - -struct Id { - Fr v; - const Fr& get() const { return v; } -}; - -struct SecretKey { - Fr s; - const Fr& get() const { return s; } -}; - -struct Signature { - G1 sHm; // s Hash(m) - const G1& get() const { return sHm; } -}; - -struct PublicKey { - G2 sQ; - const G2& get() const { return sQ; } - void getStr(std::string& str) const - { - sQ.getStr(str, mcl::IoArrayRaw); - } -}; - -} // mcl::bls::impl - -template -std::ostream& writeAsHex(std::ostream& os, const T& t) -{ - std::string str; - t.getStr(str, mcl::IoHexPrefix); - return os << str; -} - -Id::Id(unsigned int id) -{ - getInner().v = id; -} - -bool Id::operator==(const Id& rhs) const -{ - return getInner().v == rhs.getInner().v; -} - -std::ostream& operator<<(std::ostream& os, const Id& id) -{ - 
return writeAsHex(os, id.getInner().v); -} - -std::istream& operator>>(std::istream& is, Id& id) -{ - return is >> id.getInner().v; -} -void Id::getStr(std::string& str, int ioMode) const -{ - getInner().v.getStr(str, ioMode); -} -void Id::setStr(const std::string& str, int ioMode) -{ - getInner().v.setStr(str, ioMode); -} - -bool Id::isZero() const -{ - return getInner().v.isZero(); -} - -void Id::set(const uint64_t *p) -{ - getInner().v.setArrayMask(p, keySize); -} - -void Id::setLittleEndian(const void *buf, size_t bufSize) -{ - getInner().v.setArrayMask((const char *)buf, bufSize); -} - -bool Signature::operator==(const Signature& rhs) const -{ - return getInner().sHm == rhs.getInner().sHm; -} - -std::ostream& operator<<(std::ostream& os, const Signature& s) -{ - return writeAsHex(os, s.getInner().sHm); -} - -std::istream& operator>>(std::istream& os, Signature& s) -{ - return os >> s.getInner().sHm; -} -void Signature::getStr(std::string& str, int ioMode) const -{ - getInner().sHm.getStr(str, ioMode); -} -void Signature::setStr(const std::string& str, int ioMode) -{ - getInner().sHm.setStr(str, ioMode); -} - -bool Signature::verify(const PublicKey& pub, const std::string& m) const +/* + e(P1, Q1) == e(P2, Q2) + <=> finalExp(ML(P1, Q1)) == finalExp(ML(P2, Q2)) + <=> finalExp(ML(P1, Q1) / ML(P2, Q2)) == 1 + <=> finalExp(ML(P1, Q1) * ML(-P2, Q2)) == 1 + Q1 is precomputed +*/ +bool isEqualTwoPairings(const G1& P1, const Fp6* Q1coeff, const G1& P2, const G2& Q2) { - G1 Hm; - HashAndMapToG1(Hm, m); // Hm = Hash(m) -#if 1 - /* - e(P1, Q1) == e(P2, Q2) - <=> finalExp(ML(P1, Q1)) == finalExp(ML(P2, Q2)) - <=> finalExp(ML(P1, Q1) / ML(P2, Q2)) == 1 - <=> finalExp(ML(P1, Q1) * ML(-P2, Q2)) == 1 - 2.1Mclk => 1.5Mclk - */ - Fp12 e; std::vector Q2coeff; - BN::precomputeG2(Q2coeff, pub.getInner().sQ); - BN::precomputedMillerLoop2(e, getInner().sHm, getQcoeff(), -Hm, Q2coeff); + BN::precomputeG2(Q2coeff, Q2); + Fp12 e; + BN::precomputedMillerLoop2(e, P1, Q1coeff, -P2, 
Q2coeff.data()); BN::finalExp(e, e); return e.isOne(); -#else - Fp12 e1, e2; - BN::pairing(e1, getInner().sHm, getQ()); // e(s Hm, Q) - BN::pairing(e2, Hm, pub.getInner().sQ); // e(Hm, sQ) - return e1 == e2; -#endif -} - -bool Signature::verify(const PublicKey& pub) const -{ - std::string str; - pub.getInner().sQ.getStr(str); - return verify(pub, str); -} - -void Signature::add(const Signature& rhs) -{ - getInner().sHm += rhs.getInner().sHm; -} - -bool PublicKey::operator==(const PublicKey& rhs) const -{ - return getInner().sQ == rhs.getInner().sQ; -} - -std::ostream& operator<<(std::ostream& os, const PublicKey& pub) -{ - return writeAsHex(os, pub.getInner().sQ); -} - -std::istream& operator>>(std::istream& is, PublicKey& pub) -{ - return is >> pub.getInner().sQ; -} - -void PublicKey::getStr(std::string& str, int ioMode) const -{ - getInner().sQ.getStr(str, ioMode); -} -void PublicKey::setStr(const std::string& str, int ioMode) -{ - getInner().sQ.setStr(str, ioMode); -} -void PublicKey::set(const PublicKey *mpk, size_t k, const Id& id) -{ - WrapArray w(mpk, k); - evalPoly(getInner().sQ, id.getInner().v, w); } -void PublicKey::add(const PublicKey& rhs) -{ - getInner().sQ += rhs.getInner().sQ; -} - -bool SecretKey::operator==(const SecretKey& rhs) const -{ - return getInner().s == rhs.getInner().s; -} - -std::ostream& operator<<(std::ostream& os, const SecretKey& sec) -{ - return writeAsHex(os, sec.getInner().s); -} - -std::istream& operator>>(std::istream& is, SecretKey& sec) -{ - return is >> sec.getInner().s; -} -void SecretKey::getStr(std::string& str, int ioMode) const -{ - getInner().s.getStr(str, ioMode); -} -void SecretKey::setStr(const std::string& str, int ioMode) -{ - getInner().s.setStr(str, ioMode); -} - -void SecretKey::init() -{ - getInner().s.setRand(getRG()); -} - -void SecretKey::set(const uint64_t *p) -{ - getInner().s.setArrayMask(p, keySize); -} -void SecretKey::setLittleEndian(const void *buf, size_t bufSize) -{ - 
getInner().s.setArrayMask((const char *)buf, bufSize); -} -void SecretKey::setHashOf(const void *buf, size_t bufSize) -{ - getInner().s.setHashOf(buf, bufSize); -} - -void SecretKey::getPublicKey(PublicKey& pub) const +int mclBn_FrLagrangeInterpolation(mclBnFr *out, const mclBnFr *yVec, const mclBnFr *xVec, size_t k) { - G2::mul(pub.getInner().sQ, getQ(), getInner().s); + return LagrangeInterpolation(*cast(out), cast(yVec), cast(xVec), k); } - -void SecretKey::sign(Signature& sig, const std::string& m) const +int mclBn_G1LagrangeInterpolation(mclBnG1 *out, const mclBnG1 *yVec, const mclBnFr *xVec, size_t k) { - G1 Hm; - HashAndMapToG1(Hm, m); -// G1::mul(sig.getInner().sHm, Hm, getInner().s); - G1::mulCT(sig.getInner().sHm, Hm, getInner().s); + return LagrangeInterpolation(*cast(out), cast(yVec), cast(xVec), k); } - -void SecretKey::getPop(Signature& pop) const +int mclBn_G2LagrangeInterpolation(mclBnG2 *out, const mclBnG2 *yVec, const mclBnFr *xVec, size_t k) { - PublicKey pub; - getPublicKey(pub); - std::string m; - pub.getInner().sQ.getStr(m); - sign(pop, m); + return LagrangeInterpolation(*cast(out), cast(yVec), cast(xVec), k); } - -void SecretKey::getMasterSecretKey(SecretKeyVec& msk, size_t k) const +int mclBn_FrEvaluatePolynomial(mclBnFr *out, const mclBnFr *cVec, size_t cSize, const mclBnFr *x) { - if (k <= 1) throw cybozu::Exception("bls:SecretKey:getMasterSecretKey:bad k") << k; - msk.resize(k); - msk[0] = *this; - for (size_t i = 1; i < k; i++) { - msk[i].init(); - } + return evalPoly(*cast(out), cast(cVec), cSize, *cast(x)); } - -void SecretKey::set(const SecretKey *msk, size_t k, const Id& id) +int mclBn_G1EvaluatePolynomial(mclBnG1 *out, const mclBnG1 *cVec, size_t cSize, const mclBnFr *x) { - WrapArray w(msk, k); - evalPoly(getInner().s, id.getInner().v, w); + return evalPoly(*cast(out), cast(cVec), cSize, *cast(x)); } - -void SecretKey::add(const SecretKey& rhs) +int mclBn_G2EvaluatePolynomial(mclBnG2 *out, const mclBnG2 *cVec, size_t cSize, const 
mclBnFr *x) { - getInner().s += rhs.getInner().s; + return evalPoly(*cast(out), cast(cVec), cSize, *cast(x)); } -} // bls2 -//////////////////////////////////////////////////////////////// - size_t checkAndCopy(char *buf, size_t maxBufSize, const std::string& s) { if (s.size() > maxBufSize + 1) { @@ -632,29 +164,7 @@ size_t checkAndCopy(char *buf, size_t maxBufSize, const std::string& s) return s.size(); } -int blsInit(int curve, int maxUnitSize) - try -{ - if (mclBn_init(curve, maxUnitSize) != 0) return -1; - static G2 Q; - if (curve == mclBn_CurveFp254BNb) { - Q.set( - Fp2("12723517038133731887338407189719511622662176727675373276651903807414909099441", "4168783608814932154536427934509895782246573715297911553964171371032945126671"), - Fp2("13891744915211034074451795021214165905772212241412891944830863846330766296736", "7937318970632701341203597196594272556916396164729705624521405069090520231616") - ); - } else { - BN::mapToG2(Q, 1); - } - static std::vector Qcoeff; - - BN::precomputeG2(Qcoeff, Q); - g_pQ = &Q; - g_pQcoeff = &Qcoeff; - return 0; -} catch (std::exception&) { - return -1; -} -size_t blsGetOpUnitSize() +size_t blsGetOpUnitSize() // FpUint64Size { return Fp::getUnitSize() * sizeof(mcl::fp::Unit) / sizeof(uint64_t); } 
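Review bot: `for (int i = (int)cSize - 2; i >= 0; i--)` in `evalPoly` narrows a caller-supplied `size_t` to `int`. For `cSize` above `INT_MAX` the converted value can be negative, in which case the loop is skipped and the function returns 0 with `out = c[cSize - 1]` instead of the polynomial value. An unsigned countdown avoids the cast: `for (size_t i = cSize - 1; i-- > 0; ) { G::mul(y, y, x); G::add(y, y, c[i]); }`. In the same hunk, `isEqualTwoPairings` is a file-local helper but is not declared `static`, unlike `getQ`/`getQcoeff`, so it has external linkage.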
@@ -681,25 +191,22 @@ int blsGetFieldOrder(char *buf, size_t maxBufSize) void blsGetGeneratorOfG2(blsPublicKey *pub) { - *(G2*)pub = bls2::getQ(); + *(G2*)pub = getQ(); } void blsGetPublicKey(blsPublicKey *pub, const blsSecretKey *sec) { - ((const bls2::SecretKey*)sec)->getPublicKey(*(bls2::PublicKey*)pub); + mclBnG2_mul(&pub->v, cast(&getQ()), &sec->v); } void blsSign(blsSignature *sig, const blsSecretKey *sec, const char *m, size_t size) { - ((const bls2::SecretKey*)sec)->sign(*(bls2::Signature*)sig, std::string(m, size)); + G1 Hm; + BN::hashAndMapToG1(Hm, m, size); + mclBnG1_mulCT(&sig->v, cast(&Hm), &sec->v); } int blsSecretKeyShare(blsSecretKey *sec, const blsSecretKey* msk, size_t k, const blsId *id) - try { - ((bls2::SecretKey*)sec)->set((const bls2::SecretKey *)msk, k, *(const bls2::Id*)id); - return 0; -} catch (std::exception& e) { - fprintf(stderr, "err blsSecretKeyShare %s\n", e.what()); - return -1; + return mclBn_FrEvaluatePolynomial(&sec->v, &msk->v, k, &id->v); } int blsSecretKeyRecover(blsSecretKey *sec, const blsSecretKey *secVec, const blsId *idVec, size_t n) @@ -709,16 +216,16 @@ int blsSecretKeyRecover(blsSecretKey *sec, const blsSecretKey *secVec, const bls void blsGetPop(blsSignature *sig, const blsSecretKey *sec) { - ((const bls2::SecretKey*)sec)->getPop(*(bls2::Signature*)sig); + blsPublicKey pub; + blsGetPublicKey(&pub, sec); + char buf[1024]; + size_t n = mclBnG2_serialize(buf, sizeof(buf), &pub.v); + assert(n); + blsSign(sig, sec, buf, n); } int blsPublicKeyShare(blsPublicKey *pub, const blsPublicKey *mpk, size_t k, const blsId *id) - try { - ((bls2::PublicKey*)pub)->set((const bls2::PublicKey*)mpk, k, *(const bls2::Id*)id); - return 0; -} catch (std::exception& e) { - fprintf(stderr, "err blsPublicKeyShare %s\n", e.what()); - return -1; + return mclBn_G2EvaluatePolynomial(&pub->v, &mpk->v, k, &id->v); } int blsPublicKeyRecover(blsPublicKey *pub, const blsPublicKey *pubVec, const blsId *idVec, size_t n) { 
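Review bot: `blsSecretKeyShare` forwards `id` to `mclBn_FrEvaluatePolynomial` without rejecting zero, and `evalPoly` only checks `cSize < 2`. Evaluating at x = 0 yields `c[0]`, so the share handed out for a zero id would equal `msk[0]`, the master secret. The removed `Polynomial::eval` had an explicit `id.isZero()` guard, though from the visible lines the old share path did not go through it either. I would add `if (cast(id)->isZero()) return -1;` at the top of `blsSecretKeyShare` and document the `id != 0` requirement next to the declaration in bls.h.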
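Review bot: `assert(n)` in `blsGetPop` is the only check on the result of `mclBnG2_serialize`, and it is compiled out under `NDEBUG`. The assert implies that 0 signals failure, so a release build would fall through to `blsSign(sig, sec, buf, 0)` and produce a proof-of-possession over the empty message rather than over the public key bytes. `blsVerifyPop` in the last file hunk has the same pattern and would then call `blsVerify(sig, pub, buf, 0)`, so presumably both sides would accept a PoP that is not bound to the key. In `blsVerifyPop`, replace the assert with `if (n == 0) return 0;`. `blsGetPop` returns `void`, so it needs an explicit failure path (or an `int` return) instead of signing a zero-length buffer.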
@@ -729,14 +236,23 @@ int blsSignatureRecover(blsSignature *sig, const blsSignature *sigVec, const bls return mclBn_G1LagrangeInterpolation(&sig->v, &sigVec->v, &idVec->v, n); } -int blsVerify(const blsSignature *sig, const blsPublicKey *pub, const char *m, size_t size) +int blsVerify(const blsSignature *sig, const blsPublicKey *pub, const void *m, size_t size) { - return ((const bls2::Signature*)sig)->verify(*(const bls2::PublicKey*)pub, std::string(m, size)); + G1 Hm; + BN::hashAndMapToG1(Hm, m, size); + /* + e(sHm, Q) = e(Hm, sQ) + e(sig, Q) = e(Hm, pub) + */ + return isEqualTwoPairings(*cast(&sig->v), getQcoeff().data(), Hm, *cast(&pub->v)); } int blsVerifyPop(const blsSignature *sig, const blsPublicKey *pub) { - return ((const bls2::Signature*)sig)->verify(*(const bls2::PublicKey*)pub); + char buf[1024]; + size_t n = mclBnG2_serialize(buf, sizeof(buf), &pub->v); + assert(n); + return blsVerify(sig, pub, buf, n); } void blsIdSetInt(blsId *id, int x) @@ -875,4 +391,3 @@ size_t blsSignatureGetHexStr(char *buf, size_t maxBufSize, const blsSignature *s { return mclBnG1_getStr(buf, maxBufSize, &sig->v, 16); } - -- cgit v1.2.3
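Review bot: `blsVerify` has no exception barrier, although it is a C API entry point that go/bls/bls.go calls through cgo. `isEqualTwoPairings` fills a `std::vector` via `BN::precomputeG2` on every call and `BN::hashAndMapToG1` runs on caller-supplied bytes, so an allocation failure or any mcl exception would unwind across the C boundary. `blsInit` in this commit already uses a function-try-block that returns -1. I would give `blsVerify` the same shape, with the failure mapped to "not valid": `try { ... } catch (std::exception&) { return 0; }`.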