Commit 3fcdf24b authored by GUILLEVIC Aurore

Merge branch 'master' of gitlab.inria.fr:smasson/cocks-pinch-variant

parents 4bd8ff31 0e2c16f7
......@@ -2,7 +2,7 @@
Cocks--Pinch curves with embedding degree 5 to 8 and optimal ate pairing
========================================================================
This repository holds companion code for the paper.
This repository holds companion code for the paper [Cocks-Pinch curves of embedding degrees five to eight and optimal ate pairing computation](https://ia.cr/2019/431).
We provide code for the following tasks.
* Generate tables with estimated costs of pairing computations for
......@@ -38,6 +38,7 @@ paper.
To reproduce this, one does as follows. Notice that the number of
inversions depends on the parameter `i`.
sage: load("final_expo_k57.py")
sage: print_final_expo_k57()
cost for k=5 i=1: 3p + 1c + 7M + 3T
......@@ -55,6 +56,7 @@ For the cases `k=6` and `k=8`, the exact formulas depend on the chosen
CM discriminant, and employ further optimizations. Formulas as well as
costs, matching those found in §5.2 in the paper, can be obtained as
follows:
sage: load("final_expo_k68.sage")
sage: formulas(6)
[lots of output]
......@@ -324,7 +326,7 @@ multiplication software. You have two options.
localhost ~ $ HOME=/tmp/cm-data/ /tmp/cm/bin/classpoly 10000000147 0 19136268507011813102345745679502968108741656052980768772125358458053107229388560784972377216338036093499504796562349965064380467318189753451458608209221520383584470050757421467305085292271391865417111 /tmp/H5.txt
The next step is to edit the resulting file `/tmp/H5.txt` to transform
it into valid sage code (e.g. `/tmp/H5.sage, with all coefficients of
it into valid sage code (e.g. `/tmp/H5.sage`, with all coefficients of
the polynomial in one single line), and then load it into sage. Note
that root finding takes about 20 minutes to complete.
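Review bot: the sentence "edit the resulting file `/tmp/H5.txt` to transform it into valid sage code" leaves the manual step underspecified. Beyond "all coefficients of the polynomial in one single line", say what the finished `/tmp/H5.sage` must look like, or give the command that performs the conversion, so that a reader does not start the 20-minute root finding on a file that fails to load.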
......@@ -515,7 +517,7 @@ Search for curves of embedding degree 6
For k=6, we fix D=`3` in order to get efficient formulas from sextic twist.
We are free to choose ht and hy with low hamming weight. This is
done by passing `--hty_choice '2-naf<=5'.
done by passing `--hty_choice '2-naf<=5'`.
We choose `T` of hamming weight less or equal to 5 so that we have enough
choices to have `phi_6(T)` prime.
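Review bot: in "We are free to choose ht and hy with low hamming weight", the prose says Hamming weight while the option passed is `--hty_choice '2-naf<=5'`, which reads as a bound on the 2-NAF weight. If that is what the option means, name the 2-NAF weight here and in the following sentence about `T`, since the two weights differ for the same integer. While touching these lines, `ht` and `hy` could also be set in backticks like `T`.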
......@@ -524,6 +526,7 @@ We decide to force `4 | #E` so that Edwards form can be used.
We decompose the search in 8 fractions of the search space, done in two
computers:
sage search.sage -k 6 -D 3 --required_cofactor 4 --allowed_size_cofactor 10 --T_choice "2-naf<=5" --hty_choice "2-naf<=5" --lambdap 672 --lambdar 256 --save --check_small_subgroup_secure 15 --spawn 4 0 8
sage search.sage -k 6 -D 3 --required_cofactor 4 --allowed_size_cofactor 10 --T_choice "2-naf<=5" --hty_choice "2-naf<=5" --lambdap 672 --lambdar 256 --save --check_small_subgroup_secure 15 --spawn 4 4 8
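Review bot: the two commands differ only in `--spawn 4 0 8` and `--spawn 4 4 8`, and the text says "8 fractions of the search space, done in two computers" without stating what the three `--spawn` arguments mean. Add one sentence giving their meaning so a reader can split the search over a different number of machines without reading `search.sage`.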
......@@ -541,6 +544,7 @@ Search for curves of embedding degree 6 (second take with small h_t)
For k=6, allowing arbitrary cofactors in `h_t` and `h_y` leads to an
expensive second part of the final exponentiation. Therefore we restrict
to `|ht|<=4`.
search.sage -k 6 --D 3 --hty_choice '2-naf<=7,ht:max=4' --save --T_choice '2-naf<=5' --lambdap 672 --lambdar 256 --check_small_subgroup_secure 7 --required_cofactor 4 --allowed_automatic_cofactor 720 --allowed_cofactor 420 --allowed_size_cofactor 10
and we obtain four curves for which G2 is also twist-secure :
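Review bot: the command `search.sage -k 6 --D 3 ...` is inconsistent with the k=6 commands earlier in the README, which are written `sage search.sage -k 6 -D 3 ...`: the leading `sage` is missing and the discriminant flag is spelled `--D` instead of `-D`. Unless both spellings are accepted, align this line so it can be pasted as is. The text also writes `|ht|<=4` here but `h_t` one line above; pick one spelling. Minor: "twist-secure :" has a stray space before the colon.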
......