reconcile normalisation choices between CocksPinchVariant.py and final_expo_k68.sage

CocksPinchVariant.py

@@ -535,6 +535,7 @@ class CocksPinchVariantResult(object):
             self.t0 -= r
         if abs(r-self.y0) < abs(self.y0):
             self.y0 -= r
+        self.y0 = abs(self.y0)
 
 
         # Determination of the lifted (t,y) from the solution mod r
@@ -977,7 +978,10 @@ class CocksPinchVariantResult(object):
         saved_max_B1 = self.max_B1
         self.max_B1 = 600
         dt0 = t0 - ((T**i+1) % r)
-        dy0 = y0 - ZZ((t0-2)/sqrt(Integers(r)(-fD)))
+        y0base = ZZ((t0-2)/sqrt(Integers(r)(-fD)))
+        if r - y0base < y0base:
+            y0base = r - y0base
+        dy0 = y0 - y0base
         assert dt0 in [0,-r]
         assert dy0 in [0,-r]
 
@@ -1340,12 +1344,22 @@ class CocksPinchVariantSearch(object):
                 y0 = K(t0-2)/sqrt(K(-fD))
                 # Lift arbitrarily. Anyway we'll iterate over multiple
                 # possible representatives.
+
+                # The normalisation choice that we do in final_expo_k68
+                # (at least) is that we use the least positive integer
+                # representative of y0=\pm(t0-2)*inv_sqrt_D
+                #
+                # (as for t0, we have no sign indetermination, so we
+                # simply choose the representative of smallest absolute
+                # value, and that may mean a negative integer)
+
                 t0 = ZZ(t0)
                 y0 = ZZ(y0)
                 if abs(r-t0) < abs(t0):
                     t0 -= r
                 if abs(r-y0) < abs(y0):
                     y0 -= r
+                y0 = abs(y0)
 
                 # We want to constrain the bit length of t^2+fD*y^2{{{
                 # with t = t0 + ht * r and y = y0 + hy * r

cost_pairing.py

@@ -167,11 +167,11 @@ def Hw(x) :
     return len(bit_positions_2naf(x))
 
 proof.arithmetic(False)
-C5=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600)
+C5=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600)
 C6=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xffbbffffffffffffc020,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
 C7=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
 #C8=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
-C8=CocksPinchVariantResult(8,4,0xffc00020fffffffc,1,ht=1,hy=-0xdc04,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
+C8=CocksPinchVariantResult(8,4,0xffc00020fffffffc,1,ht=1,hy=0xdc04,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
 
 
 CMNT6=MNT6(u=873723667900031396506414143162332159382674816702805606206979732381600254701804231398281169537138620,a=209307816050232262803672282154940341360062431838092388077917610639183322072827259682607127795420474686833003315766797546568469776750651773087882545447646552119008299040167030969895802846139484415144,b=2319663192174958547181026340141410918530227127674793888869119262391240421488942353013995765010333162065568990954578077256489549792305772041454141172011940607053889955897003759289947924385489341215143,D=8317003,c=1)

final_expo_k68.sage

@@ -59,20 +59,24 @@ def count_formula_k8(i, c):
         c1 = c1 + y
         d1 = 0
     elif i==5:
-        c1 = c1 - y
+        c1 = c1 + y
         d1 = 0
     d1 = d1 + d0*V
     assert c1 + d1/2 == (c0 + d0/4) * T + e1
     c12 = c1*2
-    c2 = (c12 + d1) * 2*U + (c12 + d1) * V - y
+    c2 = (c12 + d1) * 2*U + (c12 + d1) * V
+    if i == 1:
+        c2 -= y
+    else:
+        c2 += y
     d2 = 1
     assert c2 + d2/4 == (c1 + d1/2) * T + e2
     c22 = c2*2
     c3 = (c22*2 + d2) * U + c22*V
     if i == 7:
-        c3 = c3 + y
-    elif i == 3:
         c3 = c3 - y
+    elif i == 3:
+        c3 = c3 + y
     elif i == 1:
         c3 = c3 + u - 1
     elif i == 5:
@@ -111,7 +115,7 @@ def count_formula_k8(i, c):
         r = r * ay
         s = s ** V
     elif i == 5:
-        r = r * ayi
+        r = r * ay
         s = s ** V
     assert r.val == c1
     assert s.val == d1
@@ -120,7 +124,10 @@ def count_formula_k8(i, c):
     r = r ** 2
     r = r * s
     r = (r ** 2) ** U * r ** V
-    r = r * ayi
+    if i == 1:
+        r = r * ayi
+    else:
+        r = r * ay
     s = a
     assert r.val == c2
     assert s.val == d2
@@ -129,9 +136,9 @@ def count_formula_k8(i, c):
     r = r ** 2
     r = (r ** 2 * s) ** U * r ** V
     if i == 7:
-        r = r * ay
-    elif i == 3:
         r = r * ayi
+    elif i == 3:
+        r = r * ay
     elif i == 1:
         r = r * au
         r = r * ai
@@ -172,17 +179,20 @@ def count_formula_k6(i, tr, c):
     # For k=6, the expressions of t and y are:
     #       t = T + 1 +h_t*r
     #       y = 1/3*T^2 - 2/3*T +h_y*r
+    #
     #       t = T + 1 +h_t*r
-    #       y = -1/3*T^2 - 2/3 +h_y*r
+    #       y = 1/3*T^2 + 2/3 +h_y*r
+    #
     #       t = -T + 2 +h_t*r
     #       y = 1/3*T^2 - 2/3*T + 1 +h_y*r
+    #
     #       t = -T + 2 +h_t*r
-    #       y = -1/3*T^2 + 1/3 +h_y*r
+    #       y = 1/3*T^2 - 1/3 +h_y*r
     # but if we reduce to the parity bit of t+y only:
-    #       parity = T + 1 +h_t + T^2 +h_y  = 1 + h_t + h_y
-    #       parity = T + 1 +h_t - T^2 +h_y  = 1 + h_t + h_y
-    #       parity = -T +h_t + T^2 + 1 +h_y = 1 + h_t + h_y
-    #       parity = -T +h_t - T^2 + 1 +h_y = 1 + h_t + h_y
+    #       parity = T + 1 + h_t + T^2 + h_y  = 1 + h_t + h_y
+    #       parity = T + 1 + h_t + T^2 + h_y  = 1 + h_t + h_y
+    #       parity = T + h_t + T^2 + 1 + h_y = 1 + h_t + h_y
+    #       parity = T + h_t + T^2 + 1 + h_y = 1 + h_t + h_y
     # so that in all cases, we have either h_t odd and h_y
     # even, or the converse.
 
@@ -191,7 +201,7 @@ def count_formula_k6(i, tr, c):
             # This one expresses the result as a function of:
             # u = h_t/2
             # w = (h_y-z)/2
-            z = -1 if tr == 0 else 1
+            z = -1
             # so we're assuming that h_t is even and h_y is odd.
             new_c=horner_list(3*c(h_t=2*u,h_y=(2*w+z),T=tr+3*U),U)
             new_c[1] /= 3
@@ -252,14 +262,10 @@ def count_formula_k6(i, tr, c):
         rplus3 = ar + a3
         if parity_ht == 1:
             c0 = c0 - a3u
-        if parity_ht == 0 and tr == 0:
+        if parity_ht == 0:
             c0 = c0 - a6w
-        elif parity_ht == 1 and tr == 0:
+        elif parity_ht == 1:
             c0 = c0 + a3w
-        elif parity_ht == 0 and tr == 1:
-            c0 = c0 + a6w
-        elif parity_ht == 1 and tr == 1:
-            c0 = c0 - a3w
         assert c0 == e0
         if i == 1:
             if tr == 0:
@@ -271,11 +277,11 @@ def count_formula_k6(i, tr, c):
                     c2 = ar
             else:
                 if parity_ht == 0:
-                    c1 = ar + a3u + a3w
+                    c1 = ar + a3u - a3w
                     c2 = ar + a6u
                 else:
-                    c1 = ar - a6w
-                    c2 = ar + a3u - a9w
+                    c1 = ar + a6w
+                    c2 = ar + a3u + a9w
         else:
             if tr == 0:
                 if parity_ht == 0:
@@ -286,10 +292,10 @@ def count_formula_k6(i, tr, c):
                     c2 = ar + a3u + a9w
             else:
                 if parity_ht == 0:
-                    c1 = ar - a3u + a3w
-                    c2 = rplus3 + a3u + a9w
+                    c1 = ar - a3u - a3w
+                    c2 = rplus3 + a3u - a9w
                 else:
-                    c1 = rplus3 - a6u - a6w
+                    c1 = rplus3 - a6u + a6w
                     c2 = ar
         assert c1 == e1
         assert c2 == e2
@@ -327,18 +333,18 @@ def count_formula_k6(i, tr, c):
                     acc = acc * ar
             else:
                 if parity_ht == 0:
-                    acc = acc * a6w
+                    acc = acc * a6w^-1
                     acc = acc^U
                     ar3u = ar * a3u
-                    acc = acc * ar3u * a3w
+                    acc = acc * ar3u * a3w^-1
                     acc = acc^U
                     acc = acc * ar3u * a3u
                 else:
-                    acc = acc * (a3u * a3w)^-1
+                    acc = acc * a3u^-1 * a3w
                     acc = acc^U
-                    acc = acc * ar * a6w^-1
+                    acc = acc * ar * a6w
                     acc = acc^U
-                    acc = acc * ar * a3u * a9w^-1
+                    acc = acc * ar * a3u * a9w
         else:
             if tr == 0:
                 if parity_ht == 0:
@@ -358,14 +364,14 @@ def count_formula_k6(i, tr, c):
             else:
                 if parity_ht == 0:
                     ar3 = ar * a3
-                    acc = acc * a6w
+                    acc = acc * a6w^-1
                     acc = acc^U
-                    acc = acc * ar * a3u^-1 * a3w
+                    acc = acc * ar * a3u^-1 * a3w^-1
                     acc = acc^U
-                    acc = acc * ar3 * a3u * a9w
+                    acc = acc * ar3 * a3u * a9w^-1
                 else:
                     ar3 = ar * a3
-                    a3u3w = a3u * a3w
+                    a3u3w = a3u * a3w^-1
                     acc = acc * (a3u3w)^-1
                     acc = acc^U
                     acc = acc * ar3 * (a3u3w^2)^-1
@@ -403,34 +409,45 @@ def formulas(k):
         D=4
 
     inv_sqrt_D = (1/sqrt(K(-D))).polynomial()
-    ld = inv_sqrt_D.list()[-1]
     assert inv_sqrt_D.degree() < euler_phi(k)
-    # choose positive leading coefficient
-    if ld < 0:
-        inv_sqrt_D = -inv_sqrt_D
     inv_sqrt_D = inv_sqrt_D(T)
 
+    # We do **NOT** normalize inv_sqrt_D. We could, if we wanted: the
+    # idea would be to do that depending on the congruence class of T,
+    # and choose the polynomial expression with the smallest leading
+    # coefficient in absolute value (for example).
+    #
+    # E.g. for k=6, inv_sqrt_D = \pm (2T-1)/3 ; if T is 1 mod 3, this is
+    # the same as if we add 0 = 2r/3 = 2*(T^2-T+1)/3, hence inv_sqrt_D =
+    # \pm (2T^2+1)/3, but then the reprensentatives \pm (T^2-3T+2)/3 are
+    # smaller.
+    #
+    # However, even though we know how to do this, we're better off doing
+    # this work on y0, which is the final data.
+
+    # Bottom line: below, we strive to write the formula for the
+    # (polynomial expression of the) least positive integer
+    # representative of y0=\pm(t0-2)*inv_sqrt_D, and this exact expression
+    # depends on the congruence class of D.
+
     if k==6:
         subfamilies=[
+                # Recall that T=2 mod 3 is forbidden since r=Phi_6(T)
+                # must be prime.
+                #
                 # For i==1, t0 == T+1
-                # Recall that T=2 mod 3 is forbidden since r=Phi_6(T).
-                # The representatives of (t0-2)*inv_sqrt_D in 1/3 * Z are:
-                # (2T^2-3T+1)/3 : outside range
-                # (T^2-2T)/3 = T*(T-2)/3 : good if T = 0,2 mod 3 (hence only 0)
-                # (-T-1)/3 : good if T is 2 mod 3, so *never good* !
-                # (-T^2-2)/3 : good if T is 1, 2 mod 3 (hence only 1)
-                (1, T+1, [(0,6,(T*(T-2))/3), (1,6,(1-T**2)/3-1), ]),
-                # what might correspond to CocksPinchVariant is:
-                #(1, T+1, [(0,6,(T*(T-2))/3), (1,6,(2+T**2)/3), ]),
+                # The representatives of \pm (t0-2)*inv_sqrt_D in 1/3 * Z are:
+                # \pm (T^2-2T)/3 = \pm T*(T-2)/3 : good if T = 0,2 mod 3 (hence only 0)
+                # \pm (T+1)/3 : good if T is 2 mod 3, so *never good* !
+                # \pm (T^2+2)/3 : good if T is 1, 2 mod 3 (hence only 1)
+                (1, T+1, [(0,3,(T*(T-2))/3), (1,3,(T**2+2)/3), ]),
+
                 # For i==5, t0 == 2-T
-                # The representatives of (t0-2)*inv_sqrt_D in 1/3 * Z are:
-                # (T-2*T^2)/3 = T*(1-2*T)/3 : outside range
-                # (1-T^2)/3 : good if T is 1 or 2 mod 3 (hence only 1)
-                # (2-T)/3 : good if T is 2 mod 3, so *never good* !
-                # (T^2-2*T+3)/3 : good if T is 0 or 2 mod 3 (hence only 0)
-                (5, 2-T, [ (0,3,1+T*(T-2)/3), (1,3,(1-T**2)/3), ]),
-                # what might correspond to CocksPinchVariant is:
-                #(5, 2-T, [ (0,3,1-T*(T-2)/3), (1,3,-(1-T**2)/3), ]),
+                # The representatives of \pm(t0-2)*inv_sqrt_D in 1/3 * Z are:
+                # \pm (T^2-1)/3 : good if T is 1 or 2 mod 3 (hence only 1)
+                # \pm (T-2)/3 : good if T is 2 mod 3, so *never good* !
+                # \pm (T^2-2*T+3)/3 : good if T is 0 or 2 mod 3 (hence only 0)
+                (5, 2-T, [ (0,3,1+T*(T-2)/3), (1,3,(T**2-1)/3), ]),
                 ]
         # Note that congruence classes on ht and hy will force p to be an
         # integer, even though it seems to have a 1/4 in the denominator.
@@ -444,11 +461,13 @@ def formulas(k):
         # -> as a consequence, the formula should not be specific to one
         # congruence class of T mod 4
     elif k==8:
+        # Here T must be even, since T^4+1 must be prime. The minimal
+        # integer representatives of \pm (t0-2)*inv_sqrt_D are:
         subfamilies=[
                 (1, T+1, [(0,2,(T-1)*T**2/2)]),
-                (3, T**3+1, [(0,2,-(T+1)*T/2)]),
-                (5, -T+1, [(0,2,(-T-1)*T**2/2)]),
-                (7, -T**3+1, [(0,2,(-T+1)*T/2)]),
+                (3, T**3+1, [(0,2,(T+1)*T/2)]),
+                (5, -T+1, [(0,2,(T+1)*T**2/2)]),
+                (7, -T**3+1, [(0,2,(T-1)*T/2)]),
                 ]
     else:
         # just for completeness. This ignores the fact that the
@@ -461,7 +480,9 @@ def formulas(k):
 
     for i,t0,y0class in subfamilies:
         for tr,tq,y0 in y0class:
-            assert (y0 - (t0-2)*inv_sqrt_D) % r == 0
+            # We don't check against inv_sqrt_D, since inv_sqrt_D is
+            # known only up to sign.
+            # assert (y0 - (t0-2)*inv_sqrt_D) % r == 0
             assert (D * y0**2 + (t0-2)**2) % r == 0
             t = t0 + h_t*r
             y = y0 + h_y*r