reviewed rsa250/README.md

b1920e09 · ZIMMERMANN Paul · 067f82a4 · b1920e09 · b1920e09
Commit b1920e09 authored May 25, 2020 by ZIMMERMANN Paul
--- a/rsa250/README.md
+++ b/rsa250/README.md
@@ -8,7 +8,18 @@ This is exactly similar to RSA-240.

 ## Searching for a polynomial pair

-TODO: complete here...
+The polynomial selection size-optimization
+step was performed with cado-nfs in client/server mode, using a myslq database:
+```
+./cado-nfs.py params.rsa250 database=db:mysql://USERNAME:PASSWORD@localhost:3306/rsa250
+```
+with the file [`params.rsa250`](params.rsa250).
+
+The root-optimization step was performed on the best 100 size-optimized
+polynomials (those with the smallest exp_E value) with the following command:
+```
+polyselect_ropt -inputpolys candidates -Bf 2.1e9 -Bg 1.8e9 -area 2.4e19 -ropteffort 10 -t 100
+```

 And the winner is:

@@ -72,9 +83,9 @@ of degree-1 prime ideals below a bound. In Sagemath, this gives:
 ave_rel_per_sq = 12.7   ## pick value ouput by las
 number_of_sq = log_integral(12e9) - log_integral(1e9)
 tot_rels = ave_rel_per_sq * number_of_sq
-print tot_rels
+print (tot_rels)
 ```
-This estimate can be made more precise by increasing the number of
+This estimate of 6.2e9 can be made more precise by increasing the number of
 special-q that are sampled for sieving. It is also possible to have
 different nodes sampling different sub-ranges of the global range to get
 the result faster. We consider that sampling 1024 special-qs is enough
@@ -125,7 +136,7 @@ subrange. We get (in Sagemath):
 cost_in_core_sec=(log_integral(4e9)-log_integral(1e9))*(128*60+8.1)*32/1024
 cost_in_core_hours=cost_in_core_sec/3600
 cost_in_core_years=cost_in_core_hours/24/365
-print cost_in_core_hours, cost_in_core_years
+print (cost_in_core_hours, cost_in_core_years)
 ```

 With this experiment, we get therefore about 1060 core.years for this sub-range.
@@ -143,13 +154,13 @@ side 1.)
 $CADO_BUILD/sieve/ecm/precompbatch -poly rsa250.poly -lim0 0 -lim1 2147483647 -batch0 rsa250.batch0 -batch1 rsa250.batch1 -batchlpb0 31 -batchlpb1 30
 ```

-Then, we can use the sieve-batch.sh shell-script given in this
+Then, we can use the [`sieve-batch.sh`](sieve-batch.sh) shell-script given in this
 repository. This launches:
 - one instance of las, that does the sieving on side 1 and print the
  survivors to files;
- 6 instances of finishbatch that process these files as they are
-  produced, does the batch smoothness detection, and produces relations.
-It takes as input on the command-line two arguments -q0 xxx -q1 xxx
+- 6 instances of the `finishbatch` program. Those instances process the files as they are
+  produced, do the batch smoothness detection, and produce relations.
+They take as input on the command-line two arguments -q0 xxx -q1 xxx
 describing the range of special-q to process.

 In order to run it on your own machine, there are some variables to
@@ -192,7 +203,7 @@ Cost in core.sec per special-q: 116.51841746248294679392
 cost_in_core_sec=(log_integral(12e9)-log_integral(4e9))*116.5
 cost_in_core_hours=cost_in_core_sec/3600
 cost_in_core_years=cost_in_core_hours/24/365
-print cost_in_core_hours, cost_in_core_years
+print (cost_in_core_hours, cost_in_core_years)
 ```

 With this experiment, we get 116.5 core.sec per special-q, and therefore
@@ -207,7 +218,7 @@ This feature is still experimental and we do not claim full
 reproducibility for this part of our work which was useful only to help
 us choosing the parameters, but not for the proper computation.

-## estimating linear algebra time (coarsely)
+## Estimating linear algebra time (coarsely)

 ## Validating the claimed sieving results

@@ -218,10 +229,11 @@ work units that in the end cover exactly the global q-range.

 Since we do not expect anyone to spend again as much computing resources
 to perform again exactly the same computation, we provide in the
-`rel_count` file the count of how many (non-unique) relations were
+[`rel_count`](rel_count) file the count of how many (non-unique) relations were
 produced for each 100M special-q sub-range.

-We can then have a visual plot of this data, as shown in `plot_count_rel.pdf`
+We can then have a visual plot of this data, as shown in
+[`plot_count_rel.pdf`](plot_count_rel.pdf)
 where we see the drop in the number of relations produced per special-q
 when changing the strategy. The plot is very regular on the two
 sub-ranges.
@@ -232,11 +244,37 @@ we report. This still requires significant resources. If only a single
 node is available for the validation, it is better to rely on sampling as
 for the estimates in previous sections, and extrapolate.

-## reproducing the filtering results
+## Reproducing the filtering results
+
+## Estimating linear algebra time more precisely, and choosing parameters

-## estimating linear algebra time more precisely, and choosing parameters
-## reproducing the linear algebra results
+## Reproducing the linear algebra results

+## Reproducing the characters step

+Let `W` be the kernel vector computed by the linear algebra step.
+The characters step transforms this kernel vector into dependencies.
+We used the following command on the machine `wurst`:
+```
+characters -poly rsa250.poly -purged purged3.gz -index rsa250.index.gz -heavyblock rsa250.matrix.250.dense.bin -out rsa250.kernel -ker K.sols0-64.0 -lpb0 36 -lpb1 37 -nchar 50 -t 56
+```
+This gave after about 2 hours 23 dependencies.

+## Reproducing the square root step

+The following command line can be used to produce the actual dependencies
+(rsa250.dep.000.gz to rsa250.dep.022.gz) from the `rsa250.kernel` file:
+```
+sqrt -poly rsa250.poly -prefix rsa250.dep.gz -purged purged3.gz -index rsa250.index.gz -ker rsa250.kernel -t 56 -ab```
+```
+Then the following command line can be used to compute the square root on the
+rational side of dependency `nnn`:
+```
+sqrt -poly rsa250.poly -prefix rsa250.dep -dep nnn -side0
+```
+and similarly on the algebraic side:
+```
+sqrt -poly rsa250.poly -prefix rsa250.dep -dep nnn -side1
+```
+Then we can simply compute `gcd(x-y,N)` where `x` and `y` are the square
+roots on the rational and algebraic sides respectively, and `N` is RSA-250.
--- a/rsa250/params.rsa250
+++ b/rsa250/params.rsa250
+server.ssl=false
+server.whitelist=172.16.0.0/16,172.20.0.0/16,localhost      # ADJUST
+server.address=wurst                                        # ADJUST
+
+N = 2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937
+name = rsa250
+
+tasks.workdir = /grcinq/zimmerma/rsa250
+tasks.wutimeout = 7200 # = 2 hours
+tasks.maxtimedout = 100000000
+tasks.maxfailed = 100000
+tasks.maxwuerror = 5
+
+###########################################################################
+# Polynomial selection
+###########################################################################
+
+tasks.polyselect.degree = 6
+tasks.polyselect.P = 50000000
+tasks.polyselect.admax = 2.26e+13
+tasks.polyselect.adrange = 18018000
+tasks.polyselect.incr = 1801800
+tasks.polyselect.nq = 1296
+tasks.polyselect.sopteffort = 20
+tasks.polyselect.ropteffort = 10
+tasks.polyselect.nrkeep = 100
+tasks.polyselect.threads = 1
+
+###########################################################################
+# Sieve
+###########################################################################
+
+tasks.sieve.run = false # don't run the sieving yet
+
+lim0 = 1800000000
+lim1 = 2100000000
+lpb0 = 36
+lpb1 = 37
+
+tasks.sieve.mfb0 = 72
+tasks.sieve.mfb1 = 111
+tasks.sieve.lambda0 = 2.0
+tasks.sieve.lambda1 = 3.0
+tasks.sieve.ncurves0 = 100
+tasks.sieve.ncurves1 = 35
+
+tasks.sieve.sqside = 1
+tasks.qmin = 1000000000
+# qmax = 5.6e9 should give enough relations
+
+tasks.sieve.bkmult = 1,1l:1.15,1s:1.4,2s:1.1
+tasks.sieve.bkthresh1 = 50000000
+# tasks.sieve.adjust-strategy = 2
+
+tasks.A = 32
+# we must provide I otherwise we get
+# KeyError: 'Required parameter I not found under path tasks.sieve'
+# (this should be fixed if A is given instead of I)
+tasks.I = 16
+
+# qrange is also required
+# KeyError: 'Required parameter qrange not found under path tasks.sieve'
+tasks.sieve.qrange = 10000
+
+###########################################################################
+# Filter
+###########################################################################
+
+# use default
+
+###########################################################################
+# Linalg
+###########################################################################
+
+# use default