Commit 9f109ba1 authored by GUILLEVIC Aurore's avatar GUILLEVIC Aurore

Merge branch 'master' of gitlab.inria.fr:smasson/cocks-pinch-variant

parents 26df684f 11aa843e
...@@ -405,11 +405,11 @@ def chain_alternate_iterators(gp, gm, with_zero=False): ...@@ -405,11 +405,11 @@ def chain_alternate_iterators(gp, gm, with_zero=False):
# promises. # promises.
class CocksPinchVariantResult(object): class CocksPinchVariantResult(object):
""" """
sage: C=CocksPinchVariantResult(6,3,34359607296,5,ht=0x101,hy=2,max_B1=1000) sage: C=CocksPinchVariantResult(6,3,34359607296,5,ht=0x101,hy=-2,max_B1=1000)
sage: C.E2(factor=True)["text_factorization"] sage: C.E2(factor=True)["text_factorization"]
'2^2 * 3 * 19 * 73 * 163 * 33637 * p48 * r' '2^2 * 3 * 19 * 73 * 163 * 33637 * p48 * r'
sage: C=CocksPinchVariantResult(6,3,0x600100002,5,ht=0x428,hy=0x639,allowed_cofactor=420,max_B1=600) sage: C=CocksPinchVariantResult(6,3,0x600100002,5,ht=0x428,hy=-0x639,allowed_cofactor=420,max_B1=600)
sage: C.is_small_subgroup_secure() sage: C.is_small_subgroup_secure()
True True
sage: C.is_twist_small_subgroup_secure() sage: C.is_twist_small_subgroup_secure()
...@@ -458,17 +458,17 @@ class CocksPinchVariantResult(object): ...@@ -458,17 +458,17 @@ class CocksPinchVariantResult(object):
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure()) sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True) (True, True, True, True)
sage: C=CocksPinchVariantResult(6,3,0x600081000,1,ht=-0x191,hy=-0x7e2) sage: C=CocksPinchVariantResult(6,3,0x600081000,1,ht=-0x191,hy=0x7e2)
sage: C.set_test_info(allowed_size_cofactor=10) sage: C.set_test_info(allowed_size_cofactor=10)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure()) sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True) (True, True, True, True)
sage: C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600) sage: C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
sage: C.set_test_info(allowed_size_cofactor=10) sage: C.set_test_info(allowed_size_cofactor=10)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure()) sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True) (True, True, True, True)
sage: C=CocksPinchVariantResult(6,3,0xfffffffffffffff00000000000000000,1,ht=0x43fff,hy=-0xffffffffff800007fffe,allowed_size_cofactor=10,max_B1=600) sage: C=CocksPinchVariantResult(6,3,0xfffffffffffffff00000000000000000,1,ht=0x43fff,hy=0xffffffffff800007fffe,allowed_size_cofactor=10,max_B1=600)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure()) sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True) (True, True, True, True)
...@@ -488,11 +488,11 @@ class CocksPinchVariantResult(object): ...@@ -488,11 +488,11 @@ class CocksPinchVariantResult(object):
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure()) sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True) (True, True, True, True)
sage: C=CocksPinchVariantResult(7,20,0x5ec7fc01ff8,4,ht=-3,hy=-1,allowed_size_cofactor=10,max_B1=600) sage: C=CocksPinchVariantResult(7,20,0x5ec7fc01ff8,4,ht=-3,hy=1,allowed_size_cofactor=10,max_B1=600)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure()) sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, False, False) (True, True, False, False)
sage: C=CocksPinchVariantResult(8,4,0xffffffffffffffc0,1,ht=-0x1821f,hy=0x1fdc,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600) sage: C=CocksPinchVariantResult(8,4,0xffffffffffffffc0,1,ht=-0x1821f,hy=-0x1fdc,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure()) sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True) (True, True, True, True)
...@@ -506,7 +506,10 @@ class CocksPinchVariantResult(object): ...@@ -506,7 +506,10 @@ class CocksPinchVariantResult(object):
""" """
def __init__(self,k,D,T,i,ht=Integer(0),hy=Integer(0),max_poly_coeff=None,pre=False,l=1, allowed_cofactor = 1, allowed_size_cofactor = 5, max_trialdiv=10**6, max_B1=10**4, new_semantics=False):
=======
def __init__(self,k,D,T,i,ht=Integer(0),hy=Integer(0),max_poly_coeff=0,pre=False,l=1, allowed_cofactor = 1, allowed_size_cofactor = 5, max_trialdiv=10**6, max_B1=10**4, new_semantics=False): def __init__(self,k,D,T,i,ht=Integer(0),hy=Integer(0),max_poly_coeff=0,pre=False,l=1, allowed_cofactor = 1, allowed_size_cofactor = 5, max_trialdiv=10**6, max_B1=10**4, new_semantics=False):
>>>>>>> 107d412592d84ec5619ec671ff8231cbcde4d52c
kl = k * l kl = k * l
fD = -fundamental_discriminant(-D) fD = -fundamental_discriminant(-D)
...@@ -536,6 +539,7 @@ class CocksPinchVariantResult(object): ...@@ -536,6 +539,7 @@ class CocksPinchVariantResult(object):
self.t0 -= r self.t0 -= r
if abs(r-self.y0) < abs(self.y0): if abs(r-self.y0) < abs(self.y0):
self.y0 -= r self.y0 -= r
self.y0 = abs(self.y0)
# Determination of the lifted (t,y) from the solution mod r # Determination of the lifted (t,y) from the solution mod r
...@@ -978,7 +982,10 @@ class CocksPinchVariantResult(object): ...@@ -978,7 +982,10 @@ class CocksPinchVariantResult(object):
saved_max_B1 = self.max_B1 saved_max_B1 = self.max_B1
self.max_B1 = 600 self.max_B1 = 600
dt0 = t0 - ((T**i+1) % r) dt0 = t0 - ((T**i+1) % r)
dy0 = y0 - ZZ((t0-2)/sqrt(Integers(r)(-fD))) y0base = ZZ((t0-2)/sqrt(Integers(r)(-fD)))
if r - y0base < y0base:
y0base = r - y0base
dy0 = y0 - y0base
assert dt0 in [0,-r] assert dt0 in [0,-r]
assert dy0 in [0,-r] assert dy0 in [0,-r]
...@@ -1341,12 +1348,22 @@ class CocksPinchVariantSearch(object): ...@@ -1341,12 +1348,22 @@ class CocksPinchVariantSearch(object):
y0 = K(t0-2)/sqrt(K(-fD)) y0 = K(t0-2)/sqrt(K(-fD))
# Lift arbitrarily. Anyway we'll iterate over multiple # Lift arbitrarily. Anyway we'll iterate over multiple
# possible representatives. # possible representatives.
# The normalisation choice that we do in final_expo_k68
# (at least) is that we use the least positive integer
# representative of y0=\pm(t0-2)*inv_sqrt_D
#
# (as for t0, we have no sign indetermination, so we
# simply choose the representative of smallest absolute
# value, and that may mean a negative integer)
t0 = ZZ(t0) t0 = ZZ(t0)
y0 = ZZ(y0) y0 = ZZ(y0)
if abs(r-t0) < abs(t0): if abs(r-t0) < abs(t0):
t0 -= r t0 -= r
if abs(r-y0) < abs(y0): if abs(r-y0) < abs(y0):
y0 -= r y0 -= r
y0 = abs(y0)
# We want to constrain the bit length of t^2+fD*y^2{{{ # We want to constrain the bit length of t^2+fD*y^2{{{
# with t = t0 + ht * r and y = y0 + hy * r # with t = t0 + ht * r and y = y0 + hy * r
...@@ -1821,7 +1838,7 @@ class CocksPinchVariantSearch(object): ...@@ -1821,7 +1838,7 @@ class CocksPinchVariantSearch(object):
# (sqrt((PP/2 - t^2)/D) + y1) / ry <= -pre_hy < (sqrt(PP - t^2)/D) + y1) / ry # (sqrt((PP/2 - t^2)/D) + y1) / ry <= -pre_hy < (sqrt(PP - t^2)/D) + y1) / ry
if PP < t**2: if PP < t**2:
continue continue
pre_hymax = 1+floor(((sqrt((PP - t**2)/fD) - y1)/ry)) pre_hymax = 1+floor(((sqrt((PP - t**2)/fD) - y1)/ry))
mpre_hymax = 1+floor(((sqrt((PP - t**2)/fD) + y1)/ry)) mpre_hymax = 1+floor(((sqrt((PP - t**2)/fD) + y1)/ry))
if PP/2 < t**2: if PP/2 < t**2:
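Review bot: The hunk at `@@ -506,7 +506,10 @@` appears to leave unresolved merge-conflict residue in the file: a second `def __init__(...,max_poly_coeff=None,...)` header, then `=======`, the kept `def __init__(...,max_poly_coeff=0,...)` line, and `>>>>>>> 107d412592d84ec5619ec671ff8231cbcde4d52c`. The rendering has lost the +/- markers, but the hunk's +3 line count matches exactly these three one-sided lines, so they look like additions rather than removals; if so the module no longer parses and none of the doctests in the class docstring can run. The resolution should keep only the `max_poly_coeff=0` signature (the variant that both sides of the context agree on) and drop the two marker lines and the duplicate `def`, then re-run the doctests before merging. Separately, the new `y0 = abs(y0)` normalisation flips the sign convention of `hy` (every doctest example changed sign), so any `C=CocksPinchVariantResult(...)` line saved to `curves-data` by an older build now describes a different curve when re-loaded; a one-line note in the `__init__` docstring, e.g. `# hy sign convention changed: y0 is now the non-negative representative`, would warn anyone replaying old output files.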
...@@ -75,24 +75,23 @@ Example: search for baby examples ...@@ -75,24 +75,23 @@ Example: search for baby examples
This does a search for baby examples. This does a search for baby examples.
sage search.sage -k 8 -D 1 --T_choice "2-naf<=7" --hty_choice "2-naf<=7" --lambdap 160 --lambdar 70 --save --check_small_subgroup_secure 15 --spawn 4 0 4 sage search.sage -k 8 -D 1 --T_choice "2-naf<=7" --hty_choice "2-naf<=7" --lambdap 160 --lambdar 70 --save --check_small_subgroup_secure 15 --allowed_cofactor 30 --spawn 4 0 4
This should provide, as output, the file This should provide, as output, the file
`curves-data/curves-k8-p160-T:2-naf<=7-hty:2-naf<=7-2-4.sage`, with in `curves-data/curves-k8-p160-T:2-naf<=7-hty:2-naf<=7-2-4.sage`, with in
particular the following contents: particular the following contents:
C=CocksPinchVariantResult(8,4,0x27d80,7,ht=-0x451,hy=-0x481) C=CocksPinchVariantResult(8,4,0x27d80,7,ht=-0x451,hy=-0x481,allowed_cofactor=30)
(it takes about 15 minutes on a Intel Core i5-6500 CPU at 3.20GHz without any (it takes about 15 minutes on a Intel Core i5-6500 CPU at 3.20GHz without any
other running process). other running process).
One day later, these other curves were found: One day later, these other curves were found:
C=CocksPinchVariantResult(8,4,0x29072,7,ht=0x9bf,hy=-0x10e) C=CocksPinchVariantResult(8,4,0x29072,7,ht=0x9bf,hy=-0x10e,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x29f24,7,ht=-0x289,hy=0x53f) C=CocksPinchVariantResult(8,4,0x29f24,7,ht=-0x289,hy=0x53f,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x2a1c8,3,ht=0x53f,hy=-0x437) C=CocksPinchVariantResult(8,4,0x2a1c8,3,ht=0x53f,hy=-0x437,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x27d80,7,ht=-0x451,hy=-0x481) C=CocksPinchVariantResult(8,4,0x2617e,5,ht=-0xd93,hy=0x305,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x2617e,5,ht=-0xd93,hy=0x305) C=CocksPinchVariantResult(8,4,0x28f86,3,ht=0x8cf,hy=0x2e0,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x28f86,3,ht=0x8cf,hy=0x2e0)
The different parameters above are explained as follows. The different parameters above are explained as follows.
...@@ -120,24 +119,27 @@ The different parameters above are explained as follows. ...@@ -120,24 +119,27 @@ The different parameters above are explained as follows.
GF(p^k)). GF(p^k)).
* 8 is twist-G2-small-subgroup-security: same for the quadratic twist * 8 is twist-G2-small-subgroup-security: same for the quadratic twist
of E2. of E2.
* `--spawn 4` and `0 4`: these two are related. The last `4` indicates * `--spawn 4` and `0 4`: these two are related. The last `4` indicates
that the search space (on T) is to be divided in 4 roughly equal-size that the search space (on T) is to be divided in 4 roughly equal-size
parts. The `0` indicates that the first one that we intend to handle is the parts. The `0` indicates that the first one that we intend to handle is the
one with number 0, while `--spawn 4` indicates that we wish to perform one with number 0, while `--spawn 4` indicates that we wish to perform
4 searches in parallel, so that we'll actually do parts number 0, 1, 2, 4 searches in parallel, so that we'll actually do parts number 0, 1, 2,
and 3 in parallel. and 3 in parallel.
* `--allowed_cofactor 30` : group orders are considered secure whenever
they are of the form X times a prime, where here divides the cofactor
30.
Here is another example that cheats a bit, because we've arranged for the Here is another example that cheats a bit, because we've arranged for the
search to complete quickly, knowing that a previous search was search to complete quickly, knowing that a previous search was
successful. It still takes some minutes, though successful. It still takes some minutes, though
sage search.sage -k 6 -D 3 --T_choice 'hamming<=4' --hty_choice '2-naf<=4' --lambdap 160 --lambdar 70 --save --check_small_subgroup_secure 15 --spawn 1 --restrict_i '[1]' 57468 65536 sage search.sage -k 6 -D 3 --T_choice 'hamming<=4' --hty_choice '2-naf<=4' --lambdap 160 --lambdar 70 --save --check_small_subgroup_secure 15 --spawn 1 --restrict_i '[1]' --allowed_cofactor 420 57468 65536
For reference, the command above should write the following data to the For reference, the command above should write the following data to the
file `curves-data/curves-k6-p160-T\:hamming\<\=4-hty\:2-naf\<\=4-57468-65536.sage`: file `curves-data/curves-k6-p160-T\:hamming\<\=4-hty\:2-naf\<\=4-57468-65536.sage`:
C=CocksPinchVariantResult(6,3,0x600081000,1,ht=-0x191,hy=-0x7e2) C=CocksPinchVariantResult(6,3,0x600081000,1,ht=-0x191,hy=0x7e2,allowed_cofactor=420)
Using the search within `sage` so as to examine things more closely Using the search within `sage` so as to examine things more closely
=================================================================== ===================================================================
...@@ -202,7 +204,7 @@ Results are stored in a Python object called `CocksPinchVariantResult`. ...@@ -202,7 +204,7 @@ Results are stored in a Python object called `CocksPinchVariantResult`.
Whenever you look into an output file in the `curves-data` directory, it Whenever you look into an output file in the `curves-data` directory, it
starts with a line such as: starts with a line such as:
C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600) C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
This contains exactly the data that is necessary to identify the curve This contains exactly the data that is necessary to identify the curve
parameters uniquely. Provided the utility software has been attached into parameters uniquely. Provided the utility software has been attached into
...@@ -210,10 +212,10 @@ parameters uniquely. Provided the utility software has been attached into ...@@ -210,10 +212,10 @@ parameters uniquely. Provided the utility software has been attached into
then type the command above, and obtain data on the curve by `print`-ing then type the command above, and obtain data on the curve by `print`-ing
the object, as follows the object, as follows
sage: C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600) sage: C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
sage: print C sage: print C
# Cocks-Pinch pairing-friendly curve of embedding degree 5: # Cocks-Pinch pairing-friendly curve of embedding degree 5:
C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600) C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
fD = 10000000147 fD = 10000000147
k = 5 k = 5
p = 0x40000138cd26ab94b86e1b2f7482785fa18f877591d2a4476b4760217f860bfe8674e2a4610d669328bda13044c030e8cc836a5b363f2d4c8abcab71b12091356bb4695c5626bc319d38bf65768c5695f9ad97 # 663 bits p = 0x40000138cd26ab94b86e1b2f7482785fa18f877591d2a4476b4760217f860bfe8674e2a4610d669328bda13044c030e8cc836a5b363f2d4c8abcab71b12091356bb4695c5626bc319d38bf65768c5695f9ad97 # 663 bits
...@@ -361,13 +363,13 @@ mileage may vary. See the [jobpick ...@@ -361,13 +363,13 @@ mileage may vary. See the [jobpick
documentation](https://gitlab.inria.fr/thome/jobpick/blob/master/README.md) documentation](https://gitlab.inria.fr/thome/jobpick/blob/master/README.md)
for information on the different parameters. for information on the different parameters.
my_machine ~ $ rsync -a pairings/code/ nancy.g5k:pairings-code/ my_machine ~ $ rsync -a cocks-pinch-variant/ nancy.g5k:cocks-pinch-variant/
fnancy ~ $ rm -rf ~/jobpick fnancy ~ $ rm -rf ~/jobpick
fnancy ~ $ (cd ~ ; git clone https://gitlab.inria.fr/thome/jobpick) fnancy ~ $ (cd ~ ; git clone https://gitlab.inria.fr/thome/jobpick)
fnancy ~ $ mkdir -p ~/pairings-code/k5/{todo,done,doing,failed} fnancy ~ $ mkdir -p ~/cocks-pinch-variant/k5/{todo,done,doing,failed}
fnancy ~ $ mkdir -p ~/pairings-code/k5/curves-data/ fnancy ~ $ mkdir -p ~/cocks-pinch-variant/k5/curves-data/
fnancy ~ $ for i in {0..1599} ; do touch ~/pairings-code/k5/todo/$((16*i)) ; done fnancy ~ $ for i in {0..1599} ; do touch ~/cocks-pinch-variant/k5/todo/$((16*i)) ; done
fnancy ~ $ cd ~/pairings-code/k5 ; for i in {1..10} ; do oarsub -n k5 -q production -l "{cluster='grcinq'}/nodes=8,walltime=1" -l "{cluster='grvingt'}/nodes=8,walltime=1" "/home/ethome/jobpick/pick.sh --job-queue-path /home/ethome/pairings-code/k5 --job-weight 16 /grvingt/software/SageMath/sage ../search.sage -k 5 -D 10000000147 --hty_choice ht:max=4 --restrict_i '[1]' --save --T_choice hamming=4 --lambdap 663 --lambdar 256 --check_small_subgroup_secure 7 --required_cofactor 4 --spawn 16 --parallel-mode hy --ntasks 68719476736 --task" ; done fnancy ~ $ cd ~/cocks-pinch-variant/k5 ; for i in {1..10} ; do oarsub -n k5 -q production -l "{cluster='grcinq'}/nodes=8,walltime=1" -l "{cluster='grvingt'}/nodes=8,walltime=1" "/home/ethome/jobpick/pick.sh --job-queue-path /home/ethome/cocks-pinch-variant/k5 --job-weight 16 /grvingt/software/SageMath/sage ../search.sage -k 5 -D 10000000147 --hty_choice ht:max=4 --restrict_i '[1]' --save --T_choice hamming=4 --lambdap 663 --lambdar 256 --check_small_subgroup_secure 7 --required_cofactor 4 --spawn 16 --parallel-mode hy --ntasks 68719476736 --task" ; done
Note that the job duration above, set to one hour (`walltime=1`), was Note that the job duration above, set to one hour (`walltime=1`), was
verified beforehand to be a comfortable upper bound on the running time verified beforehand to be a comfortable upper bound on the running time
...@@ -431,7 +433,9 @@ or by the `search.sage` script, prefixed by one or two dashes. ...@@ -431,7 +433,9 @@ or by the `search.sage` script, prefixed by one or two dashes.
* `hty_choice`: strategy for picking cofactors `ht` and `hy`. Same syntax * `hty_choice`: strategy for picking cofactors `ht` and `hy`. Same syntax
as above, plus some additional modifiers of the form `ht:foo` or as above, plus some additional modifiers of the form `ht:foo` or
`hy:foo` that make the strategy modifier (e.g., something like `max=4`) `hy:foo` that make the strategy modifier (e.g., something like `max=4`)
only applicable to `ht` (resp. `hy`(. only applicable to `ht` (resp. `hy`). Note that setting a hamming
weight or 2-naf weight here applies to the cumulative weight of the
pair (h_t, h_y).
* `lambdap`: search for `p` of exactly this bit length. * `lambdap`: search for `p` of exactly this bit length.
* `lambdar`: search for `r` of exactly this bit length. * `lambdar`: search for `r` of exactly this bit length.
* `--spawn` (only for the command-line of `search.sage`): start this * `--spawn` (only for the command-line of `search.sage`): start this
...@@ -496,17 +500,17 @@ exploration of this setting only, we use the following arguments: ...@@ -496,17 +500,17 @@ exploration of this setting only, we use the following arguments:
To do a fraction `2^-32 of the search space`: To do a fraction `2^-32 of the search space`:
sage search.sage -k 5 -D 10000000147 --hty_choice ht:max=4 --restrict_i '[1]' --save --T_choice hamming=4 --lambdap 663 --lambdar 256 --check_small_subgroup_secure 3 --required_cofactor 4 --spawn 4 --parallel-mode hy 0 4294967296 sage search.sage -k 5 -D 10000000147 --hty_choice ht:max=4 --restrict_i '[1]' --save --T_choice hamming=4 --lambdap 663 --lambdar 256 --check_small_subgroup_secure 15 --required_cofactor 4 --spawn 4 --parallel-mode hy 0 4294967296
On houblon.loria.fr, a fraction 4/2^39 of the search space is processed On houblon.loria.fr, a fraction 4/2^39 of the search space is processed
in 128 seconds WCT. in 128 seconds WCT.
On grvingt we do a fraction 64/2^39 in time 266 seconds WCT (2.1 GHz On grvingt-1.nancy.grid5000.fr we do a fraction 64/2^39 in time 266
per core, 64 hyperthreads). seconds WCT (2.1 GHz per core, 64 hyperthreads).
The following curve was found by job `24165/2^36`. The following curve was found by job `24165/2^36`
# C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600) # C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
# card_E = 2^2 * p405 * r # card_E = 2^2 * p405 * r
# card_Et = 2^2 * p661 # card_Et = 2^2 * p661
# card_E2 = p2393 * (2^2 * p405 * r) * r # card_E2 = p2393 * (2^2 * p405 * r) * r
...@@ -532,7 +536,7 @@ computers: ...@@ -532,7 +536,7 @@ computers:
The following curve was found: The following curve was found:
# C=CocksPinchVariantResult(6,3,0xfffffffffffffff00000000000000000,1,ht=0x43fff,hy=-0xffffffffff800007fffe,allowed_size_cofactor=10,max_B1=600) # C=CocksPinchVariantResult(6,3,0xfffffffffffffff00000000000000000,1,ht=0x43fff,hy=0xffffffffff800007fffe,allowed_size_cofactor=10,max_B1=600)
# card_E = 2^2 * 3 * p412 * r # card_E = 2^2 * 3 * p412 * r
# card_Et = 2^2 * 13 * p666 # card_Et = 2^2 * 13 * p666
# card_E2 = p416 * r # card_E2 = p416 * r
...@@ -550,16 +554,12 @@ to `|ht|<=4`. ...@@ -550,16 +554,12 @@ to `|ht|<=4`.
and we obtain four curves for which G2 is also twist-secure : and we obtain four curves for which G2 is also twist-secure :
C=CocksPinchVariantResult(6,3,0xff800000000000200000000000000000,1,ht=-1,hy=0xffffff823ffffe008000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C=CocksPinchVariantResult(6,3,0xff800000000000200000000000000000,1,ht=-1,hy=0xffffff823ffffe008000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C print C
C=CocksPinchVariantResult(6,3,0xffe00008000000000000000000000000,1,ht=-1,hy=0xffbfffe3f80200000000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C=CocksPinchVariantResult(6,3,0xffe00008000000000000000000000000,1,ht=-1,hy=0xffbfffe3f80200000000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C print C
C=CocksPinchVariantResult(6,3,0xffe00008000000000000000000000000,1,ht=-1,hy=0xfffffd0010001ffc0000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C=CocksPinchVariantResult(6,3,0xffe00008000000000000000000000000,1,ht=-1,hy=0xfffffd0010001ffc0000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C print C
C=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xffbbffffffffffffc020,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xffbbffffffffffffc020,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C print C
Search for curves of embedding degree 7 Search for curves of embedding degree 7
...@@ -567,11 +567,11 @@ Search for curves of embedding degree 7 ...@@ -567,11 +567,11 @@ Search for curves of embedding degree 7
For k=7, we need to restrict to small discriminant D: as 4*p = t**2 + D*y**2, For k=7, we need to restrict to small discriminant D: as 4*p = t**2 + D*y**2,
log_2(p) = 512 and t and y are defined mod r, we need to take D as small as log_2(p) = 512 and t and y are defined mod r, we need to take D as small as
possible, and D!= 3, 4 that are known discriminant, even if no attack using possible. We also avoid D != 3, 4 , even though no known attack takes
this property exist. advantage of this.
We looked for curves of security parameter 7 (i.e G1-subgroup- G1-twist-secure). We looked for curves of security parameter 7 (i.e G1-subgroup- G1-twist-secure).
For D = 5, HW_{NAF}(T) <= 7 and log_2(h_y) = 7, no curve was found. For D = 5, HW_{NAF}(T) <= 7 and log_2(h_y) = 7; no curve was found.
We obtain the only G1-subgroup- G1-twist-secure with HW_NAF(T) = 8 with: We obtain the only G1-subgroup- G1-twist-secure with HW_NAF(T) = 8 with:
C=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600) C=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
...@@ -588,7 +588,7 @@ We decide to force `4 | #E` so that Edwards form can be used. ...@@ -588,7 +588,7 @@ We decide to force `4 | #E` so that Edwards form can be used.
The following curve was found: The following curve was found:
# C=CocksPinchVariantResult(8,4,0xffffffffffffffc0,1,ht=-0x1821f,hy=0x1fdc,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600) # C=CocksPinchVariantResult(8,4,0xffffffffffffffc0,1,ht=-0x1821f,hy=-0x1fdc,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
# card_E = 2^4 * p284 * r # card_E = 2^4 * p284 * r
# card_Et = 2^2 * p542 # card_Et = 2^2 * p542
# card_E2 = 2 * p830 * r # card_E2 = 2 * p830 * r
...@@ -620,12 +620,8 @@ This produces the following two curves (subjobs 47/4096 and 2483/4096, ...@@ -620,12 +620,8 @@ This produces the following two curves (subjobs 47/4096 and 2483/4096,
respectively): respectively):
C=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C
C=CocksPinchVariantResult(8,4,0xffdffffc7ffffc00,3,ht=5,hy=0xc5f4,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C=CocksPinchVariantResult(8,4,0xffdffffc7ffffc00,3,ht=5,hy=0xc5f4,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C
Note that the former is naturally preferred because hy has 2-naf weight Note that the former is naturally preferred because hy has 2-naf weight
only 4. only 4.
...@@ -167,11 +167,11 @@ def Hw(x) : ...@@ -167,11 +167,11 @@ def Hw(x) :
return len(bit_positions_2naf(x)) return len(bit_positions_2naf(x))
proof.arithmetic(False) proof.arithmetic(False)
C5=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600) C5=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
C6=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xffbbffffffffffffc020,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C6=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xffbbffffffffffffc020,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C7=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600) C7=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
#C8=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) #C8=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C8=CocksPinchVariantResult(8,4,0xffc00020fffffffc,1,ht=1,hy=-0xdc04,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C8=CocksPinchVariantResult(8,4,0xffc00020fffffffc,1,ht=1,hy=0xdc04,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
CMNT6=MNT6(u=873723667900031396506414143162332159382674816702805606206979732381600254701804231398281169537138620,a=209307816050232262803672282154940341360062431838092388077917610639183322072827259682607127795420474686833003315766797546568469776750651773087882545447646552119008299040167030969895802846139484415144,b=2319663192174958547181026340141410918530227127674793888869119262391240421488942353013995765010333162065568990954578077256489549792305772041454141172011940607053889955897003759289947924385489341215143,D=8317003,c=1) CMNT6=MNT6(u=873723667900031396506414143162332159382674816702805606206979732381600254701804231398281169537138620,a=209307816050232262803672282154940341360062431838092388077917610639183322072827259682607127795420474686833003315766797546568469776750651773087882545447646552119008299040167030969895802846139484415144,b=2319663192174958547181026340141410918530227127674793888869119262391240421488942353013995765010333162065568990954578077256489549792305772041454141172011940607053889955897003759289947924385489341215143,D=8317003,c=1)
...@@ -186,21 +186,21 @@ def finite_field_cost(logp): ...@@ -186,21 +186,21 @@ def finite_field_cost(logp):
#time_m #time_m
words = ceil(RR(logp)/64) words = ceil(RR(logp)/64)
if words == 5 : if words == 5 :
time_m = 35 #relic benchmark time_m = 35 # relic benchmark
if words == 6 : if words == 6 :
time_m = 69 #relic benchmark time_m = 65 # relic benchmark
if words == 7 : if words == 7 :
time_m = 94 #relic benchmark commit 307bc1f17410c36f6bd93d2a1f5c419270cf9ebd time_m = 85 # relic benchmark
if words == 8 : if words == 8 :
time_m = 120 #relic benchmark, more close to 123 time_m = 106 # relic benchmark
elif words == 9 : elif words == 9 :
time_m = 1.9*9**2 time_m = 129 # relic benchmark
elif words == 10 : elif words == 10 :
time_m = 188 #relic benchmark time_m = 154 # relic benchmark
elif words == 11 : elif words == 11 :
time_m = 1.9*11**2 time_m = 1.5*11**2
elif words == 48 : elif words == 48 :
time_m = 4882 #gmp benchmark time_m = 4882 # gmp benchmark
return time_m return time_m
def is_one_of_our_known_pairing_friendly_curves(C): def is_one_of_our_known_pairing_friendly_curves(C):
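Review bot: `finite_field_cost` still has no fallback branch after the retuned table: for a word count outside 5–11 and 48 (a 12-word field, say) `time_m` is never assigned and the trailing `return time_m` raises UnboundLocalError, unless it is initialised before the hunk (the `#time_m` line at the top is commented out, so that seems unlikely). The old side at least cited `relic benchmark commit 307bc1f17410c36f6bd93d2a1f5c419270cf9ebd` for one entry; the new numbers carry only `# relic benchmark`, so they cannot be reproduced or re-measured. Suggest recording the relic commit and machine once above the table and adding `else: raise ValueError("no multiplication timing for %d 64-bit words" % words)`; while there, the first four tests are independent `if`s rather than `elif`, which works only because the cases are disjoint.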
...@@ -59,20 +59,24 @@ def count_formula_k8(i, c): ...@@ -59,20 +59,24 @@ def count_formula_k8(i, c):
c1 = c1 + y c1 = c1 + y
d1 = 0 d1 = 0
elif i==5: elif i==5:
c1 = c1 - y c1 = c1 + y
d1 = 0 d1 = 0
d1 = d1 + d0*V d1 = d1 + d0*V
assert c1 + d1/2 == (c0 + d0/4) * T + e1 assert c1 + d1/2 == (c0 + d0/4) * T + e1
c12 = c1*2 c12 = c1*2
c2 = (c12 + d1) * 2*U + (c12 + d1) * V - y c2 = (c12 + d1) * 2*U + (c12 + d1) * V
if i == 1:
c2 -= y
else:
c2 += y
d2 = 1 d2 = 1
assert c2 + d2/4 == (c1 + d1/2) * T + e2 assert c2 + d2/4 == (c1 + d1/2) * T + e2
c22 = c2*2 c22 = c2*2
c3 = (c22*2 + d2) * U + c22*V c3 = (c22*2 + d2) * U + c22*V
if i == 7: if i == 7:
c3 = c3 + y
elif i == 3:
c3 = c3 - y c3 = c3 - y
elif i == 3:
c3 = c3 + y
elif i == 1: elif i == 1:
c3 = c3 + u - 1 c3 = c3 + u - 1
elif i == 5: elif i == 5:
...@@ -111,7 +115,7 @@ def count_formula_k8(i, c): ...@@ -111,7 +115,7 @@ def count_formula_k8(i, c):
r = r * ay r = r * ay
s = s ** V s = s ** V
elif i == 5: elif i == 5:
r = r * ayi r = r * ay
s = s ** V s = s ** V
assert r.val == c1 assert r.val == c1
assert s.val == d1 assert s.val == d1
...@@ -120,7 +124,10 @@ def count_formula_k8(i, c): ...@@ -120,7 +124,10 @@ def count_formula_k8(i, c):
r = r ** 2 r = r ** 2
r = r * s r = r * s
r = (r ** 2) ** U * r ** V r = (r ** 2) ** U * r ** V
r = r * ayi if i == 1:
r = r * ayi
else:
r = r * ay
s = a s = a
assert r.val == c2 assert r.val == c2
assert s.val == d2 assert s.val == d2
...@@ -129,9 +136,9 @@ def count_formula_k8(i, c): ...@@ -129,9 +136,9 @@ def count_formula_k8(i, c):
r = r ** 2 r = r ** 2
r = (r ** 2 * s) ** U * r ** V r = (r ** 2 * s) ** U * r ** V
if i == 7: if i == 7:
r = r * ay
elif i == 3:
r = r * ayi r = r * ayi
elif i == 3:
r = r * ay
elif i == 1: elif i == 1:
r = r * au r = r * au
r = r * ai r = r * ai
...@@ -172,17 +179,20 @@ def count_formula_k6(i, tr, c): ...@@ -172,17 +179,20 @@ def count_formula_k6(i, tr, c):
# For k=6, the expressions of t and y are: # For k=6, the expressions of t and y are:
# t = T + 1 +h_t*r # t = T + 1 +h_t*r
# y = 1/3*T^2 - 2/3*T +h_y*r # y = 1/3*T^2 - 2/3*T +h_y*r
#
# t = T + 1 +h_t*r # t = T + 1 +h_t*r
# y = -1/3*T^2 - 2/3 +h_y*r # y = 1/3*T^2 + 2/3 +h_y*r
#
# t = -T + 2 +h_t*r # t = -T + 2 +h_t*r
# y = 1/3*T^2 - 2/3*T + 1 +h_y*r # y = 1/3*T^2 - 2/3*T + 1 +h_y*r
#
# t = -T + 2 +h_t*r # t = -T + 2 +h_t*r
# y = -1/3*T^2 + 1/3 +h_y*r # y = 1/3*T^2 - 1/3 +h_y*r
# but if we reduce to the parity bit of t+y only: # but if we reduce to the parity bit of t+y only:
# parity = T + 1 +h_t + T^2 +h_y = 1 + h_t + h_y # parity = T + 1 + h_t + T^2 + h_y = 1 + h_t + h_y
# parity = T + 1 +h_t - T^2 +h_y = 1 + h_t + h_y # parity = T + 1 + h_t + T^2 + h_y = 1 + h_t + h_y
# parity = -T +h_t + T^2 + 1 +h_y = 1 + h_t + h_y # parity = T + h_t + T^2 + 1 + h_y = 1 + h_t + h_y
# parity = -T +h_t - T^2 + 1 +h_y = 1 + h_t + h_y # parity = T + h_t + T^2 + 1 + h_y = 1 + h_t + h_y
# so that in all cases, we have either h_t odd and h_y # so that in all cases, we have either h_t odd and h_y
# even, or the converse. # even, or the converse.
...@@ -191,7 +201,7 @@ def count_formula_k6(i, tr, c): ...@@ -191,7 +201,7 @@ def count_formula_k6(i, tr, c):
# This one expresses the result as a function of: # This one expresses the result as a function of:
# u = h_t/2 # u = h_t/2
# w = (h_y-z)/2 # w = (h_y-z)/2
z = -1 if tr == 0 else 1 z = -1
# so we're assuming that h_t is even and h_y is odd. # so we're assuming that h_t is even and h_y is odd.
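Review bot: `z = -1` replaces `z = -1 if tr == 0 else 1`, so `tr` is no longer read in the visible part of `count_formula_k6` (the function continues past the hunk). The rewritten comment block above now gives all four `y` expressions a positive leading coefficient, which appears to be the same `y0 = abs(y0)` normalisation introduced in the search code, but nothing in the code says so; a reader will assume the dependency on `tr` was dropped by mistake. Suggest `z = -1  # y is normalised to its non-negative representative, so the parity offset no longer depends on the trace choice (tr)`, and if `tr` is unused in the remainder of the function, remove the parameter from the signature. The sign flips in `count_formula_k8` (`c1 = c1 + y` for `i==5`, the swapped `ay`/`ayi` for `i==3`/`i==7`) are covered by the `assert r.val == c1` style checks and look consistent.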