/*
  Author:  Pate Williams (c) 1997

  Exercise 9.3
  "Suppose that Alice uses the Schnorr Scheme with
  p, q, t, and alpha as in Exercise 9.2. Now suppose
  that v = 51131, and Olga has learned that
  alpha ^ 3 v ^ 148 = alpha ^ 151 v ^ 1077 mod p.
  Show how Olga can compute Alice's secret exponent
  a." -Douglas R. Stinson-
  See "Cryptography: Theory and Practice" by
  Douglas R. Stinson page 304.
*/

#include <stdio.h>
#include "lip.h"

int main(void)
{
  long alpha = 11538, p = 122503, q = 1201;
  long r1 = 148, r2 = 1077, y1 = 3, y2 = 151;
  long v = 51131;
  verylong za = 0, zb = 0, zc = 0, zd = 0, zp = 0;
  verylong zq = 0, zv = 0;
  verylong zalpha = 0, zr1 = 0, zr2 = 0;
  verylong zy1 = 0, zy2 = 0;

  zintoz(alpha, &zalpha);
  zintoz(p, &zp);
  zintoz(q, &zq);
  zintoz(v, &zv);
  zintoz(r1, &zr1);
  zintoz(r2, &zr2);
  zintoz(y1, &zy1);
  zintoz(y2, &zy2);
  zexpmod(zalpha, zq, zp, &zb);
  printf("alpha = %ld\n", alpha);
  printf("p = %ld\n", p);
  printf("q = %ld\n", q);
  printf("v = %ld\n", v);
  printf("r_1 = %ld\n", r1);
  printf("r_2 = %ld\n", r2);
  printf("y_1 = %ld\n", y1);
  printf("y_2 = %ld\n", y2);
  zsubmod(zy1, zy2, zq, &zb);
  zsubmod(zr1, zr2, zq, &zc);
  zinvmod(zc, zq, &zd);
  zmulmod(zb, zd, zq, &za);
  printf("a = ");
  zwriteln(za);
  zsub(zq, za, &zb);
  zexpmod(zalpha, zb, zp, &zc);
  if (zcompare(zc, zv) == 0)
    printf("private exponent verified\n");
  else
    printf("private exponent not verified\n");
  zfree(&za);
  zfree(&zb);
  zfree(&zc);
  zfree(&zd);
  zfree(&zp);
  zfree(&zq);
  zfree(&zv);
  zfree(&zalpha);
  zfree(&zr1);
  zfree(&zr2);
  zfree(&zy1);
  zfree(&zy2);
  return 0;
}