Commit a9092423 authored by MASSON Simon's avatar MASSON Simon

Merge branch 'master' of gitlab.inria.fr:smasson/cocks-pinch-variant

parents 8bb205a9 d4915ed2
......@@ -404,11 +404,11 @@ def chain_alternate_iterators(gp, gm, with_zero=False):
# promises.
class CocksPinchVariantResult(object):
"""
sage: C=CocksPinchVariantResult(6,3,34359607296,5,ht=0x101,hy=2,max_B1=1000)
sage: C=CocksPinchVariantResult(6,3,34359607296,5,ht=0x101,hy=-2,max_B1=1000)
sage: C.E2(factor=True)["text_factorization"]
'2^2 * 3 * 19 * 73 * 163 * 33637 * p48 * r'
sage: C=CocksPinchVariantResult(6,3,0x600100002,5,ht=0x428,hy=0x639,allowed_cofactor=420,max_B1=600)
sage: C=CocksPinchVariantResult(6,3,0x600100002,5,ht=0x428,hy=-0x639,allowed_cofactor=420,max_B1=600)
sage: C.is_small_subgroup_secure()
True
sage: C.is_twist_small_subgroup_secure()
......@@ -457,17 +457,17 @@ class CocksPinchVariantResult(object):
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True)
sage: C=CocksPinchVariantResult(6,3,0x600081000,1,ht=-0x191,hy=-0x7e2)
sage: C=CocksPinchVariantResult(6,3,0x600081000,1,ht=-0x191,hy=0x7e2)
sage: C.set_test_info(allowed_size_cofactor=10)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True)
sage: C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600)
sage: C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
sage: C.set_test_info(allowed_size_cofactor=10)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True)
sage: C=CocksPinchVariantResult(6,3,0xfffffffffffffff00000000000000000,1,ht=0x43fff,hy=-0xffffffffff800007fffe,allowed_size_cofactor=10,max_B1=600)
sage: C=CocksPinchVariantResult(6,3,0xfffffffffffffff00000000000000000,1,ht=0x43fff,hy=0xffffffffff800007fffe,allowed_size_cofactor=10,max_B1=600)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True)
......@@ -487,11 +487,11 @@ class CocksPinchVariantResult(object):
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True)
sage: C=CocksPinchVariantResult(7,20,0x5ec7fc01ff8,4,ht=-3,hy=-1,allowed_size_cofactor=10,max_B1=600)
sage: C=CocksPinchVariantResult(7,20,0x5ec7fc01ff8,4,ht=-3,hy=1,allowed_size_cofactor=10,max_B1=600)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, False, False)
sage: C=CocksPinchVariantResult(8,4,0xffffffffffffffc0,1,ht=-0x1821f,hy=0x1fdc,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
sage: C=CocksPinchVariantResult(8,4,0xffffffffffffffc0,1,ht=-0x1821f,hy=-0x1fdc,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
sage: (C.is_small_subgroup_secure(), C.is_twist_small_subgroup_secure(), C.is_G2_small_subgroup_secure(), C.is_twist_G2_small_subgroup_secure())
(True, True, True, True)
......@@ -1837,7 +1837,7 @@ class CocksPinchVariantSearch(object):
# (sqrt((PP/2 - t^2)/D) + y1) / ry <= -pre_hy < (sqrt(PP - t^2)/D) + y1) / ry
if PP < t**2:
continue
pre_hymax = 1+floor(((sqrt((PP - t**2)/fD) - y1)/ry))
pre_hymax = 1+floor(((sqrt((PP - t**2)/fD) - y1)/ry))
mpre_hymax = 1+floor(((sqrt((PP - t**2)/fD) + y1)/ry))
if PP/2 < t**2:
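Review bot: Every doctest in the CocksPinchVariantResult docstring (the hunks at lines 404, 457 and 487) negates `hy` while the expected results on the following lines — the factorization `'2^2 * 3 * 19 * 73 * 163 * 33637 * p48 * r'` and the `(True, True, True, True)` security tuples — are kept as they were, which only holds if the sign convention for `hy` changed elsewhere in the commit so that the same curves are still described, and that convention is stated nowhere in the docstring. If that inference is right, a line such as `Sign convention: hy is taken relative to the y1 used by CocksPinchVariantSearch; parameter lines saved by earlier revisions must have hy negated before being re-loaded.` at the top of the docstring would stop old `curves-data` files from being silently read as different curves. Because the expected outputs did not move, these doctests should be re-run (`sage -t`) to confirm the flipped inputs actually reproduce them, since they are the only check that the security claims still refer to the intended curves. In the `@@ -1837` hunk the old and new `pre_hymax` lines print identically, so that change is presumably whitespace-only; both the class docstring and the enclosing loop in CocksPinchVariantSearch extend outside the visible hunks.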
......
......@@ -75,24 +75,23 @@ Example: search for baby examples
This does a search for baby examples.
sage search.sage -k 8 -D 1 --T_choice "2-naf<=7" --hty_choice "2-naf<=7" --lambdap 160 --lambdar 70 --save --check_small_subgroup_secure 15 --spawn 4 0 4
sage search.sage -k 8 -D 1 --T_choice "2-naf<=7" --hty_choice "2-naf<=7" --lambdap 160 --lambdar 70 --save --check_small_subgroup_secure 15 --allowed_cofactor 30 --spawn 4 0 4
This should provide, as output, the file
`curves-data/curves-k8-p160-T:2-naf<=7-hty:2-naf<=7-2-4.sage`, with in
particular the following contents:
C=CocksPinchVariantResult(8,4,0x27d80,7,ht=-0x451,hy=-0x481)
C=CocksPinchVariantResult(8,4,0x27d80,7,ht=-0x451,hy=-0x481,allowed_cofactor=30)
(it takes about 15 minutes on a Intel Core i5-6500 CPU at 3.20GHz without any
other running process).
One day later, these other curves were found:
C=CocksPinchVariantResult(8,4,0x29072,7,ht=0x9bf,hy=-0x10e)
C=CocksPinchVariantResult(8,4,0x29f24,7,ht=-0x289,hy=0x53f)
C=CocksPinchVariantResult(8,4,0x2a1c8,3,ht=0x53f,hy=-0x437)
C=CocksPinchVariantResult(8,4,0x27d80,7,ht=-0x451,hy=-0x481)
C=CocksPinchVariantResult(8,4,0x2617e,5,ht=-0xd93,hy=0x305)
C=CocksPinchVariantResult(8,4,0x28f86,3,ht=0x8cf,hy=0x2e0)
C=CocksPinchVariantResult(8,4,0x29072,7,ht=0x9bf,hy=-0x10e,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x29f24,7,ht=-0x289,hy=0x53f,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x2a1c8,3,ht=0x53f,hy=-0x437,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x2617e,5,ht=-0xd93,hy=0x305,allowed_cofactor=30)
C=CocksPinchVariantResult(8,4,0x28f86,3,ht=0x8cf,hy=0x2e0,allowed_cofactor=30)
The different parameters above are explained as follows.
......@@ -120,24 +119,27 @@ The different parameters above are explained as follows.
GF(p^k)).
* 8 is twist-G2-small-subgroup-security: same for the quadratic twist
of E2.
* `--spawn 4` and `0 4`: these two are related. The last `4` indicates
* `--spawn 4` and `0 4`: these two are related. The last `4` indicates
that the search space (on T) is to be divided in 4 roughly equal-size
parts. The `0` indicates that the first one that we intend to handle is the
one with number 0, while `--spawn 4` indicates that we wish to perform
4 searches in parallel, so that we'll actually do parts number 0, 1, 2,
and 3 in parallel.
* `--allowed_cofactor 30` : group orders are considered secure whenever
they are of the form X times a prime, where here divides the cofactor
30.
Here is another example that cheats a bit, because we've arranged for the
search to complete quickly, knowing that a previous search was
successful. It still takes some minutes, though
sage search.sage -k 6 -D 3 --T_choice 'hamming<=4' --hty_choice '2-naf<=4' --lambdap 160 --lambdar 70 --save --check_small_subgroup_secure 15 --spawn 1 --restrict_i '[1]' 57468 65536
sage search.sage -k 6 -D 3 --T_choice 'hamming<=4' --hty_choice '2-naf<=4' --lambdap 160 --lambdar 70 --save --check_small_subgroup_secure 15 --spawn 1 --restrict_i '[1]' --allowed_cofactor 420 57468 65536
For reference, the command above should write the following data to the
file `curves-data/curves-k6-p160-T\:hamming\<\=4-hty\:2-naf\<\=4-57468-65536.sage`:
C=CocksPinchVariantResult(6,3,0x600081000,1,ht=-0x191,hy=-0x7e2)
C=CocksPinchVariantResult(6,3,0x600081000,1,ht=-0x191,hy=0x7e2,allowed_cofactor=420)
Using the search within `sage` so as to examine things more closely
===================================================================
......@@ -202,7 +204,7 @@ Results are stored in a Python object called `CocksPinchVariantResult`.
Whenever you look into an output file in the `curves-data` directory, it
starts with a line such as:
C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600)
C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
This contains exactly the data that is necessary to identify the curve
parameters uniquely. Provided the utility software has been attached into
......@@ -210,10 +212,10 @@ parameters uniquely. Provided the utility software has been attached into
then type the command above, and obtain data on the curve by `print`-ing
the object, as follows
sage: C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600)
sage: C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
sage: print C
# Cocks-Pinch pairing-friendly curve of embedding degree 5:
C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600)
C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
fD = 10000000147
k = 5
p = 0x40000138cd26ab94b86e1b2f7482785fa18f877591d2a4476b4760217f860bfe8674e2a4610d669328bda13044c030e8cc836a5b363f2d4c8abcab71b12091356bb4695c5626bc319d38bf65768c5695f9ad97 # 663 bits
......@@ -361,13 +363,13 @@ mileage may vary. See the [jobpick
documentation](https://gitlab.inria.fr/thome/jobpick/blob/master/README.md)
for information on the different parameters.
my_machine ~ $ rsync -a pairings/code/ nancy.g5k:pairings-code/
my_machine ~ $ rsync -a cocks-pinch-variant/ nancy.g5k:cocks-pinch-variant/
fnancy ~ $ rm -rf ~/jobpick
fnancy ~ $ (cd ~ ; git clone https://gitlab.inria.fr/thome/jobpick)
fnancy ~ $ mkdir -p ~/pairings-code/k5/{todo,done,doing,failed}
fnancy ~ $ mkdir -p ~/pairings-code/k5/curves-data/
fnancy ~ $ for i in {0..1599} ; do touch ~/pairings-code/k5/todo/$((16*i)) ; done
fnancy ~ $ cd ~/pairings-code/k5 ; for i in {1..10} ; do oarsub -n k5 -q production -l "{cluster='grcinq'}/nodes=8,walltime=1" -l "{cluster='grvingt'}/nodes=8,walltime=1" "/home/ethome/jobpick/pick.sh --job-queue-path /home/ethome/pairings-code/k5 --job-weight 16 /grvingt/software/SageMath/sage ../search.sage -k 5 -D 10000000147 --hty_choice ht:max=4 --restrict_i '[1]' --save --T_choice hamming=4 --lambdap 663 --lambdar 256 --check_small_subgroup_secure 7 --required_cofactor 4 --spawn 16 --parallel-mode hy --ntasks 68719476736 --task" ; done
fnancy ~ $ mkdir -p ~/cocks-pinch-variant/k5/{todo,done,doing,failed}
fnancy ~ $ mkdir -p ~/cocks-pinch-variant/k5/curves-data/
fnancy ~ $ for i in {0..1599} ; do touch ~/cocks-pinch-variant/k5/todo/$((16*i)) ; done
fnancy ~ $ cd ~/cocks-pinch-variant/k5 ; for i in {1..10} ; do oarsub -n k5 -q production -l "{cluster='grcinq'}/nodes=8,walltime=1" -l "{cluster='grvingt'}/nodes=8,walltime=1" "/home/ethome/jobpick/pick.sh --job-queue-path /home/ethome/cocks-pinch-variant/k5 --job-weight 16 /grvingt/software/SageMath/sage ../search.sage -k 5 -D 10000000147 --hty_choice ht:max=4 --restrict_i '[1]' --save --T_choice hamming=4 --lambdap 663 --lambdar 256 --check_small_subgroup_secure 7 --required_cofactor 4 --spawn 16 --parallel-mode hy --ntasks 68719476736 --task" ; done
Note that the job duration above, set to one hour (`walltime=1`), was
verified beforehand to be a comfortable upper bound on the running time
......@@ -431,7 +433,9 @@ or by the `search.sage` script, prefixed by one or two dashes.
* `hty_choice`: strategy for picking cofactors `ht` and `hy`. Same syntax
as above, plus some additional modifiers of the form `ht:foo` or
`hy:foo` that make the strategy modifier (e.g., something like `max=4`)
only applicable to `ht` (resp. `hy`(.
only applicable to `ht` (resp. `hy`). Note that setting a hamming
weight or 2-naf weight here applies to the cumulative weight of the
pair (h_t, h_y).
* `lambdap`: search for `p` of exactly this bit length.
* `lambdar`: search for `r` of exactly this bit length.
* `--spawn` (only for the command-line of `search.sage`): start this
......@@ -496,17 +500,18 @@ exploration of this setting only, we use the following arguments:
To do a fraction `2^-32 of the search space`:
sage search.sage -k 5 -D 10000000147 --hty_choice ht:max=4 --restrict_i '[1]' --save --T_choice hamming=4 --lambdap 663 --lambdar 256 --check_small_subgroup_secure 3 --required_cofactor 4 --spawn 4 --parallel-mode hy 0 4294967296
sage search.sage -k 5 -D 10000000147 --hty_choice ht:max=4 --restrict_i '[1]' --save --T_choice hamming=4 --lambdap 663 --lambdar 256 --check_small_subgroup_secure 15 --required_cofactor 4 --spawn 4 --parallel-mode hy 0 4294967296
On houblon.loria.fr, a fraction 4/2^39 of the search space is processed
in 128 seconds WCT.
On grvingt we do a fraction 64/2^39 in time 266 seconds WCT (2.1 GHz
per core, 64 hyperthreads).
On grvingt-1.nancy.grid5000.fr we do a fraction 64/2^39 in time 266
seconds WCT (2.1 GHz per core, 64 hyperthreads).
The following curve was found by job `24165/2^36`.
The following curve was found by job `24165/2^36` (TODO: fix this, it is
(no longer) the right number).
# C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600)
# C=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
# card_E = 2^2 * p405 * r
# card_Et = 2^2 * p661
# card_E2 = p2393 * (2^2 * p405 * r) * r
......@@ -532,7 +537,7 @@ computers:
The following curve was found:
# C=CocksPinchVariantResult(6,3,0xfffffffffffffff00000000000000000,1,ht=0x43fff,hy=-0xffffffffff800007fffe,allowed_size_cofactor=10,max_B1=600)
# C=CocksPinchVariantResult(6,3,0xfffffffffffffff00000000000000000,1,ht=0x43fff,hy=0xffffffffff800007fffe,allowed_size_cofactor=10,max_B1=600)
# card_E = 2^2 * 3 * p412 * r
# card_Et = 2^2 * 13 * p666
# card_E2 = p416 * r
......@@ -550,16 +555,12 @@ to `|ht|<=4`.
and we obtain four curves for which G2 is also twist-secure :
C=CocksPinchVariantResult(6,3,0xff800000000000200000000000000000,1,ht=-1,hy=0xffffff823ffffe008000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C
C=CocksPinchVariantResult(6,3,0xffe00008000000000000000000000000,1,ht=-1,hy=0xffbfffe3f80200000000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C
C=CocksPinchVariantResult(6,3,0xffe00008000000000000000000000000,1,ht=-1,hy=0xfffffd0010001ffc0000,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C
C=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xffbbffffffffffffc020,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C
Search for curves of embedding degree 7
......@@ -567,11 +568,11 @@ Search for curves of embedding degree 7
For k=7, we need to restrict to small discriminant D: as 4*p = t**2 + D*y**2,
log_2(p) = 512 and t and y are defined mod r, we need to take D as small as
possible, and D!= 3, 4 that are known discriminant, even if no attack using
this property exist.
possible. We also avoid D != 3, 4 , even though no known attack takes
advantage of this.
We looked for curves of security parameter 7 (i.e G1-subgroup- G1-twist-secure).
For D = 5, HW_{NAF}(T) <= 7 and log_2(h_y) = 7, no curve was found.
For D = 5, HW_{NAF}(T) <= 7 and log_2(h_y) = 7; no curve was found.
We obtain the only G1-subgroup- G1-twist-secure with HW_NAF(T) = 8 with:
C=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
......@@ -588,7 +589,7 @@ We decide to force `4 | #E` so that Edwards form can be used.
The following curve was found:
# C=CocksPinchVariantResult(8,4,0xffffffffffffffc0,1,ht=-0x1821f,hy=0x1fdc,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
# C=CocksPinchVariantResult(8,4,0xffffffffffffffc0,1,ht=-0x1821f,hy=-0x1fdc,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
# card_E = 2^4 * p284 * r
# card_Et = 2^2 * p542
# card_E2 = 2 * p830 * r
......@@ -620,12 +621,8 @@ This produces the following two curves (subjobs 47/4096 and 2483/4096,
respectively):
C=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C
C=CocksPinchVariantResult(8,4,0xffdffffc7ffffc00,3,ht=5,hy=0xc5f4,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C.set_test_info(allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
print C
Note that the former is naturally preferred because hy has 2-naf weight
only 4.
......