
Commit f23ab0d8 authored by MASSON Simon's avatar MASSON Simon

OLD_COUNT supprimé

parent f8cd90da
...@@ -9,23 +9,11 @@ from BN import * ...@@ -9,23 +9,11 @@ from BN import *
from MNT6 import * from MNT6 import *
from final_expo_k57 import * from final_expo_k57 import *
# Set this flag to make sure that the changes we've done to the
# computation code do *NOT* affect the costs that we had computed thus
# far.
#
# Once we check that, we are confident that the change in machinery did
# not introduce new bugs. Then we can set OLDCOUNTS to False (and delete
# the associated code when relevant).
OLDCOUNTS=False
# if OLDCOUNTS is True, these two are ignored (or are forced to False,
# so to say).
mystery_201903151748_simon_a_raison=False
# TODO: take into account h_t not always being 0 in the k=6 or k=8 # TODO: take into account h_t not always being 0 in the k=6 or k=8
# cases... [WIP for k=8 -- want to automate a bit] # cases... [WIP for k=8 -- want to automate a bit]
mystery_201903151748_simon_a_raison=False
Qmsi = QQ['m,s,inv'] Qmsi = QQ['m,s,inv']
m,s,inv = Qmsi.gens() m,s,inv = Qmsi.gens()
...@@ -110,8 +98,6 @@ def cost_i(k) : ...@@ -110,8 +98,6 @@ def cost_i(k) :
# # ni = inv(n) # # ni = inv(n)
# # ai = ni * a # # ai = ni * a
# return 6*cost_f(k) + 3*cost_m(k) + inv + 2*k*m # return 6*cost_f(k) + 3*cost_m(k) + inv + 2*k*m
elif OLDCOUNTS and (k==5 or k==7):
return (k-1)*cost_f(k) + (k-1)*cost_m(k) + inv
elif k%2 == 1: elif k%2 == 1:
# generalization of the above. # generalization of the above.
# Note that we can go further. If (k-1)/2 >= 4, then we may apply # Note that we can go further. If (k-1)/2 >= 4, then we may apply
...@@ -125,7 +111,7 @@ def cost_i(k) : ...@@ -125,7 +111,7 @@ def cost_i(k) :
def cost_f(k, d=1) : def cost_f(k, d=1) :
# return the cost of a d-Frobenius over F_{p^k} # return the cost of a d-Frobenius over F_{p^k}
assert k % d == 0 assert k % d == 0
if (k//d) % 2 == 0 and not OLDCOUNTS: if (k//d) % 2 == 0 :
# for F_{p^{k/d}} a tower defined by binomials, the multipliers in # for F_{p^{k/d}} a tower defined by binomials, the multipliers in
# the Frobenius (p^d-th power) expressions are all powers of a # the Frobenius (p^d-th power) expressions are all powers of a
# k/d-th root of unity. If k/d is even, one of them is -1. At any # k/d-th root of unity. If k/d is even, one of them is -1. At any
...@@ -136,7 +122,7 @@ def cost_f(k, d=1) : ...@@ -136,7 +122,7 @@ def cost_f(k, d=1) :
return (k//d-1) * d * cost_m(1) return (k//d-1) * d * cost_m(1)
def cost_i_and_f(k) : def cost_i_and_f(k) :
if OLDCOUNTS or k % 2 == 0 or k % 3 == 0: if k % 2 == 0 or k % 3 == 0:
return cost_i(k) + cost_f(k) return cost_i(k) + cost_f(k)
elif k == 5 or k == 7: elif k == 5 or k == 7:
# Then we know that the inversion computes the Frobenius anyway. # Then we know that the inversion computes the Frobenius anyway.
...@@ -185,20 +171,6 @@ C6=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xf ...@@ -185,20 +171,6 @@ C6=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xf
C7=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600) C7=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
C8=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C8=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C8old=CocksPinchVariantResult(8,4,0xe000000000001010,5,ht=1,hy=0x177dc)
C6old=CocksPinchVariantResult(6,3,0xc0000000000000000040000000000000,5,hy=0x20000000000000000000f)
C5old=CocksPinchVariantResult(5,1001035,0xe000000000000036,4,ht=1,hy=0xb5f94915f3db71cae)
C7old=CocksPinchVariantResult(7,312916,0x60000000002,5,ht=-1)
if OLDCOUNTS:
# Curves as they were at least on the printout I have here. But I'm
# not sure these are the curves we used to base our counts on anyway.
C5 = C5old
C6 = C6old
C7 = C7old
C8 = C8old
CBN12=BN(eval(preparse("2^114+2^101-2^14-1"))) CBN12=BN(eval(preparse("2^114+2^101-2^14-1")))
CBLS12=BLS12(eval(preparse("-2^77+2^50+2^33"))) CBLS12=BLS12(eval(preparse("-2^77+2^50+2^33")))
CKSS16=KSS16(eval(preparse("2^35-2^32-2^18+2^8+1"))) CKSS16=KSS16(eval(preparse("2^35-2^32-2^18+2^8+1")))
...@@ -212,10 +184,7 @@ def finite_field_cost(logp): ...@@ -212,10 +184,7 @@ def finite_field_cost(logp):
if words == 6 : if words == 6 :
time_m = 69 #relic benchmark time_m = 69 #relic benchmark
if words == 8 : if words == 8 :
if OLDCOUNTS: time_m = 120 #relic benchmark
time_m = 130 #relic benchmark
else:
time_m = 120 #relic benchmark
elif words == 9 : elif words == 9 :
time_m = 1.9*9**2 time_m = 1.9*9**2
elif words == 10 : elif words == 10 :
...@@ -343,7 +312,7 @@ def millerLoopCost(C): ...@@ -343,7 +312,7 @@ def millerLoopCost(C):
cost_update1 = cost_s(k)+densexsparse_m8(k) cost_update1 = cost_s(k)+densexsparse_m8(k)
cost_update2 = densexsparse_m8(k) cost_update2 = densexsparse_m8(k)
if name == 'KSS16' : # extra partial add and partial double + 3 frob and 2 multiplications if name == 'KSS16' : # extra partial add and partial double + 3 frob and 2 multiplications
if not OLDCOUNTS and mystery_201903151748_simon_a_raison: if mystery_201903151748_simon_a_raison:
miller_fixup = (cost_m(k//4) + 5 *cost_s(k//4) + k//2 * cost_m(1)) + \ miller_fixup = (cost_m(k//4) + 5 *cost_s(k//4) + k//2 * cost_m(1)) + \
+ (5*cost_m(k//4) + 2*cost_s(k//4) + k//2 * cost_m(1)) + (5*cost_m(k//4) + 2*cost_s(k//4) + k//2 * cost_m(1))
else: else:
...@@ -378,10 +347,6 @@ def millerLoopCost(C): ...@@ -378,10 +347,6 @@ def millerLoopCost(C):
logT = T.nbits() logT = T.nbits()
HwT = Hw(T) HwT = Hw(T)
if OLDCOUNTS:
if k==8:
HwT=3
tot_miller = (logT-1) * (cost_doubleline + cost_verticalline) \ tot_miller = (logT-1) * (cost_doubleline + cost_verticalline) \
+ (logT-2) * cost_update1 \ + (logT-2) * cost_update1 \
+ (HwT-1) * (cost_addline + cost_verticalline + cost_update2) \ + (HwT-1) * (cost_addline + cost_verticalline + cost_update2) \
...@@ -394,8 +359,6 @@ def cost_firstexp(k): ...@@ -394,8 +359,6 @@ def cost_firstexp(k):
assert k in [5,6,7,8] assert k in [5,6,7,8]
if Integer(k).is_prime(): if Integer(k).is_prime():
return cost_i_and_f(k)+cost_m(k) return cost_i_and_f(k)+cost_m(k)
if OLDCOUNTS and k==6 :
return 4*cost_f(k) + cost_i(k) + 3*cost_m(k)
if k == 6 : if k == 6 :
# a <- a^(1+p) # a <- a^(1+p)
c0 = cost_f(k) + cost_m(k) c0 = cost_f(k) + cost_m(k)
...@@ -449,19 +412,6 @@ def finalExpoCost(C): ...@@ -449,19 +412,6 @@ def finalExpoCost(C):
loghy=hy.nbits(); Hwhy=Hw(hy) loghy=hy.nbits(); Hwhy=Hw(hy)
loght=ht.nbits(); Hwht=Hw(ht) loght=ht.nbits(); Hwht=Hw(ht)
if OLDCOUNTS:
if k==5:
logp=665
HwCofr=206
elif k==7:
HwCofr=133
# This had us trip over word size limits.
logp=513
elif k==8:
HwT=3
loghy=18
c1 = cost_firstexp(k) c1 = cost_firstexp(k)
# Now compute c2 (second part of FE) # Now compute c2 (second part of FE)
...@@ -470,64 +420,27 @@ def finalExpoCost(C): ...@@ -470,64 +420,27 @@ def finalExpoCost(C):
cost_T = (logT-1)*cost_s(k) + (HwT-1)*cost_m(k) cost_T = (logT-1)*cost_s(k) + (HwT-1)*cost_m(k)
if OLDCOUNTS: # see final-expo-k57.sage
# number of frobenius exponentiations in the second part c2 = (k-2)*(cost_f(k) + cost_T + 2*cost_m(k)) + cost_m(k)
c_frobenius = (k - 2) * cost_f(k) logc = logp - logr
c2 = c_frobenius c2 += (logc -1)*cost_s(k) + (HwCofr-1)*cost_m(k)
# one inversion costs (k-1) Frobenius since norm == 1
# k-2 exponentations to T: cost_inv_torus = (k-1) * cost_f(k)
c2 += (k - 2) * cost_T if i > 1:
# exponentation to cofactor c: c2 += cost_inv_torus
logc = logp - logr if i < k-1 and 2*i > k:
c2 += (logc -1)*cost_s(k) + (HwCofr-1)*cost_m(k) # this just happens to match the formulas that we have.
c2 += cost_inv_torus
# FIXME: the formulas below are not generic. They're specific # cost for k=5 i=1: 1c + 3T + 7M + 3p
# to one chosen value of i. And among the different # cost for k=5 i=2: 1I + 1c + 3T + 7M + 3p
# possibilities, i=1 is arguably nicest, so that we're # cost for k=5 i=3: 2I + 1c + 3T + 7M + 3p
# tempted to use that as a default. Maybe it's unwanted # cost for k=5 i=4: 1I + 1c + 3T + 7M + 3p
# pressure for the k=7 case, though. # cost for k=7 i=1: 1c + 5T + 11M + 5p
# cost for k=7 i=2: 1I + 1c + 5T + 11M + 5p
# multiplying together the (k - 2) terms costs (k - 3) M: # cost for k=7 i=3: 1I + 1c + 5T + 11M + 5p
c2 += (k - 3)*cost_m(k) # cost for k=7 i=4: 2I + 1c + 5T + 11M + 5p
### XXX ? really ? I count (k-1) terms, not (k-2) # cost for k=7 i=5: 2I + 1c + 5T + 11M + 5p
# cost for k=7 i=6: 1I + 1c + 5T + 11M + 5p
# assume one inversion costs (k-1) Frobenius since the norm is 1 at this point
if OLDCOUNTS:
cost_inv_torus = (k-1) * c_frobenius
else:
# 99% sure that the formula above is a bug.
cost_inv_torus = (k-1) * cost_f(k)
# This adds (k-1)*cost_m(k) (don't know where this comes
# from, but anyway this seems to match our 2(k-2)) and
# cost_inv_torus, which I think is potentially unneeded
if k == 5:
c2 += 4*cost_m(k) + cost_inv_torus
elif k == 7:
c2 += 6*cost_m(k) + 3*cost_inv_torus
# checked in sage, see params-k7-512.sage and params-k5-664.sage
else:
# see final-expo-k57.sage
c2 = (k-2)*(cost_f(k) + cost_T + 2*cost_m(k)) + cost_m(k)
logc = logp - logr
c2 += (logc -1)*cost_s(k) + (HwCofr-1)*cost_m(k)
# one inversion costs (k-1) Frobenius since norm == 1
cost_inv_torus = (k-1) * cost_f(k)
if i > 1:
c2 += cost_inv_torus
if i < k-1 and 2*i > k:
# this just happens to match the formulas that we have.
c2 += cost_inv_torus
# cost for k=5 i=1: 1c + 3T + 7M + 3p
# cost for k=5 i=2: 1I + 1c + 3T + 7M + 3p
# cost for k=5 i=3: 2I + 1c + 3T + 7M + 3p
# cost for k=5 i=4: 1I + 1c + 3T + 7M + 3p
# cost for k=7 i=1: 1c + 5T + 11M + 5p
# cost for k=7 i=2: 1I + 1c + 5T + 11M + 5p
# cost for k=7 i=3: 1I + 1c + 5T + 11M + 5p
# cost for k=7 i=4: 2I + 1c + 5T + 11M + 5p
# cost for k=7 i=5: 2I + 1c + 5T + 11M + 5p
# cost for k=7 i=6: 1I + 1c + 5T + 11M + 5p
elif k == 6 : elif k == 6 :
# See: # See:
...@@ -536,50 +449,35 @@ def finalExpoCost(C): ...@@ -536,50 +449,35 @@ def finalExpoCost(C):
assert D==3 assert D==3
if OLDCOUNTS: # start with this:
c_exp_T = (logT-1)*cyclo_s6 + (HwT-1)*cost_m(k)
c_exp_hy = (loghy-1)*cyclo_s6 + (Hwhy-1)*cost_m(k) c_exp_T = (logT-1)*cyclo_s6 + (HwT-1)*cost_m(k)
c2 = c_exp_T + cost_f(k) + cyclo_s6 + 4*cost_m(k)
c21 = 2*c_exp_T + 2*c_exp_hy + cyclo_s6 + 5*cost_m(k) if i == 5:
c22 = 0 # extra cost for raising to the power p+t0 = p+2-T: we
c23 = c_exp_T + cost_f(k) + cyclo_s6 + 4*cost_m(k) # need a square...
c2 += cyclo_s6
#
# c21 = 2*c_exp_T + 2*c_exp_hy + 5*cyclo_s6 + 8*cost_m(k) # + cost_i(k) NO inversions are free at this point # Then, see code/formules-familles-CocksPinch.sage
# c22 = c_exp_T + cost_m(k) # + cost_i(k) NO inversion # it's a slight mess, to be honest.
# c23 = 2*cost_m(k) + cost_f(k)
assert (1 + ht + hy) % 2 == 0
c2 = c21 + c22+c23 if ht % 2 == 0:
else: hu = ht//2
# start with this: hz = -1 if T%3 == 0 else 1
hw = (hy-hz)//2
c_exp_T = (logT-1)*cyclo_s6 + (HwT-1)*cost_m(k) else:
c2 = c_exp_T + cost_f(k) + cyclo_s6 + 4*cost_m(k) hu = (ht+1)//2
if i == 5:
# extra cost for raising to the power p+t0 = p+2-T: we
# need a square...
c2 += cyclo_s6
# Then, see code/formules-familles-CocksPinch.sage
# it's a slight mess, to be honest.
assert (1 + ht + hy) % 2 == 0
if ht % 2 == 0:
hu = ht//2
hz = -1 if T%3 == 0 else 1
hw = (hy-hz)//2
else:
hu = (ht+1)//2
hw = hy//2 hw = hy//2
U = T - (T % 3) U = T - (T % 3)
logU=U.nbits(); HwU=Hw(U) logU=U.nbits(); HwU=Hw(U)
loghu=hu.nbits(); Hwhu=Hw(hu) loghu=hu.nbits(); Hwhu=Hw(hu)
loghw=hw.nbits(); Hwhw=Hw(hw) loghw=hw.nbits(); Hwhw=Hw(hw)
c_exp_U = (logU-1)*cyclo_s6 + (HwU-1)*cost_m(k) c_exp_U = (logU-1)*cyclo_s6 + (HwU-1)*cost_m(k)
c_exp_hu = (loghu-1)*cyclo_s6 + (Hwhu-1)*cost_m(k) c_exp_hu = (loghu-1)*cyclo_s6 + (Hwhu-1)*cost_m(k)
c_exp_hw = (loghw-1)*cyclo_s6 + (Hwhw-1)*cost_m(k) c_exp_hw = (loghw-1)*cyclo_s6 + (Hwhw-1)*cost_m(k)
c2 += 12*cost_m(k) + 2*cost_s(k) + 2*(c_exp_U + c_exp_hu + c_exp_hw) c2 += 12*cost_m(k) + 2*cost_s(k) + 2*(c_exp_U + c_exp_hu + c_exp_hw)
elif k == 8 : elif k == 8 :
# See: # See:
# sage: attach("formules-familles-CocksPinch.sage") # sage: attach("formules-familles-CocksPinch.sage")
...@@ -594,37 +492,27 @@ def finalExpoCost(C): ...@@ -594,37 +492,27 @@ def finalExpoCost(C):
# and maybe one multiplication less. Note also that ht+1 is # and maybe one multiplication less. Note also that ht+1 is
# necessarily even. # necessarily even.
if OLDCOUNTS: c_exp_T = (logT-1)*cyclo_s8 + (HwT-1)*cost_m(k)
c21 = 0 # c21 = 2*cost_s(k)
c_exp_hy = (loghy-1)*cyclo_s8 + (Hwhy-1)*cost_m(k) # first, this: (because phi_8(p)/r = 1 + c(T^2+p^2)(p-T))
c_exp_T = (logT-1)*cyclo_s8 + (HwT-1)*cost_m(k) c2 = 3*c_exp_T + 2*cost_f(8) + 3*cost_m(k)
c22 = 2*c_exp_hy + 4*c_exp_T + 6*cost_m(k) #+ 3*cyclo_s8 not needed if we compute C/4 instead of C
c23 = 3*c_exp_T + 3*cost_f(8) + 3*cost_m(k) #+ 2*cost_i(k) inversions are free at this point ! # Then, see code/formules-familles-CocksPinch.sage
c24 = 0 # c24 = cost_m(k)
# for raising to the power c, we get:
c2 = c21+c22+c23+c24 # 11M + 2u + 4T + 2y
else: # with one of the multiplies that (for i=3 and i=7) can be
c_exp_T = (logT-1)*cyclo_s8 + (HwT-1)*cost_m(k) # elided if T=0 mod 4. This is with u = multiplication by
# (h_t+1)//2.
# first, this: (because phi_8(p)/r = 1 + c(T^2+p^2)(p-T)) hu = (ht+1)//2;
c2 = 3*c_exp_T + 2*cost_f(8) + 3*cost_m(k) loghu=hu.nbits(); Hwhu=Hw(hu)
c_exp_hy = (loghy-1)*cyclo_s8 + (Hwhy-1)*cost_m(k)
# Then, see code/formules-familles-CocksPinch.sage c_exp_hu = (loghu-1)*cyclo_s8 + (Hwhu-1)*cost_m(k)
# for raising to the power c, we get: c2 += 4 * c_exp_T + 2 * c_exp_hu + 2 * c_exp_hy + 10 * cost_m(k)
# 11M + 2u + 4T + 2y if (T%4 == 2 or i == 1 or i == 5):
# with one of the multiplies that (for i=3 and i=7) can be c2 += cost_m(k)
# elided if T=0 mod 4. This is with u = multiplication by
# (h_t+1)//2.
hu = (ht+1)//2;
loghu=hu.nbits(); Hwhu=Hw(hu)
c_exp_hy = (loghy-1)*cyclo_s8 + (Hwhy-1)*cost_m(k)
c_exp_hu = (loghu-1)*cyclo_s8 + (Hwhu-1)*cost_m(k)
c2 += 4 * c_exp_T + 2 * c_exp_hu + 2 * c_exp_hy + 10 * cost_m(k)
if (T%4 == 2 or i == 1 or i == 5):
c2 += cost_m(k)
tot_expo = c1 + c2 tot_expo = c1 + c2
return tot_expo(m=1,s=1,inv=25) return tot_expo(m=1,s=1,inv=25)
...@@ -634,13 +522,7 @@ def pairingCost(C): ...@@ -634,13 +522,7 @@ def pairingCost(C):
costFinalExp = finalExpoCost(C) costFinalExp = finalExpoCost(C)
logp = polymorphic_get_logp(C) logp = polymorphic_get_logp(C)
if OLDCOUNTS:
k = polymorphic_get_embedding_degree(C)
if k==5:
logp=665
elif k==7:
logp=513
time_m = finite_field_cost(logp) time_m = finite_field_cost(logp)
tot_miller = costMiller[-1] tot_miller = costMiller[-1]
...@@ -667,13 +549,6 @@ def table_cost_pairing() : ...@@ -667,13 +549,6 @@ def table_cost_pairing() :
for C in [C5,C6,C7,C8,CBN12,CBLS12,CKSS16,C1]: for C in [C5,C6,C7,C8,CBN12,CBLS12,CKSS16,C1]:
L=pairingCost(C) L=pairingCost(C)
if OLDCOUNTS:
if L['k'] == 7:
scale = 130/L['time_m']
for kk in L.keys():
if re.match("^time_.*", kk):
L[kk] = round(L[kk] * scale, 1)
timing_recap.append(L) timing_recap.append(L)
#timing recap is generated #timing recap is generated
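Review bot: In `finite_field_cost`, the `words == 8` test that this commit simplifies is written as a fresh `if` rather than `elif`, directly after `if words == 6 :`, so the `elif words == 9 :` / `elif words == 10 :` chain hangs off the 8-word test only. If that chain ends in a catch-all `else` (its end is outside the hunk, so this is unconfirmed), a 6-word prime would first get `time_m = 69` and then have it overwritten by the fallback, skewing the timing estimate for that field size. Since the branch is being touched anyway, `elif words == 8 :` would make the word-count cases mutually exclusive. The function starts and ends outside the hunk and the rendered page has lost indentation, so the nesting should be checked against the file before applying this.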
......