Commit 8bb205a9 by MASSON Simon

### solve conflicts

parents cfc507a7 107d4125
 ... ... @@ -506,6 +506,9 @@ class CocksPinchVariantResult(object): """ def __init__(self,k,D,T,i,ht=Integer(0),hy=Integer(0),max_poly_coeff=None,pre=False,l=1, allowed_cofactor = 1, allowed_size_cofactor = 5, max_trialdiv=10**6, max_B1=10**4, new_semantics=False): ======= def __init__(self,k,D,T,i,ht=Integer(0),hy=Integer(0),max_poly_coeff=0,pre=False,l=1, allowed_cofactor = 1, allowed_size_cofactor = 5, max_trialdiv=10**6, max_B1=10**4, new_semantics=False): >>>>>>> 107d412592d84ec5619ec671ff8231cbcde4d52c kl = k * l fD = -fundamental_discriminant(-D) ... ... @@ -535,6 +538,7 @@ class CocksPinchVariantResult(object): self.t0 -= r if abs(r-self.y0) < abs(self.y0): self.y0 -= r self.y0 = abs(self.y0) # Determination of the lifted (t,y) from the solution mod r ... ... @@ -977,7 +981,10 @@ class CocksPinchVariantResult(object): saved_max_B1 = self.max_B1 self.max_B1 = 600 dt0 = t0 - ((T**i+1) % r) dy0 = y0 - ZZ((t0-2)/sqrt(Integers(r)(-fD))) y0base = ZZ((t0-2)/sqrt(Integers(r)(-fD))) if r - y0base < y0base: y0base = r - y0base dy0 = y0 - y0base assert dt0 in [0,-r] assert dy0 in [0,-r] ... ... @@ -1035,7 +1042,7 @@ class CocksPinchVariantSearch(object): output_file="", T_choice="", hty_choice="", max_poly_coeff=None, max_poly_coeff=0, l=1, required_cofactor=1, allowed_cofactor = 1, ... ... @@ -1084,7 +1091,7 @@ class CocksPinchVariantSearch(object): self.T_choice = T_choice self.hty_choice = hty_choice self.l = l self.max_poly_coeff = max_poly_coeff self.max_poly_coeff = Integer(max_poly_coeff) self.required_cofactor = Integer(required_cofactor) self.allowed_cofactor = Integer(allowed_cofactor) self.allowed_size_cofactor = Integer(allowed_size_cofactor) ... ... 
@@ -1340,12 +1347,22 @@ class CocksPinchVariantSearch(object): y0 = K(t0-2)/sqrt(K(-fD)) # Lift arbitrarily. Anyway we'll iterate over multiple # possible representatives. # The normalisation choice that we do in final_expo_k68 # (at least) is that we use the least positive integer # representative of y0=\pm(t0-2)*inv_sqrt_D # # (as for t0, we have no sign indetermination, so we # simply choose the representative of smallest absolute # value, and that may mean a negative integer) t0 = ZZ(t0) y0 = ZZ(y0) if abs(r-t0) < abs(t0): t0 -= r if abs(r-y0) < abs(y0): y0 -= r y0 = abs(y0) # We want to constrain the bit length of t^2+fD*y^2{{{ # with t = t0 + ht * r and y = y0 + hy * r ... ... @@ -1931,9 +1948,9 @@ class CocksPinchVariantSearch(object): fail['p milrab'] += 1 continue if max_poly_coeff != None : if self.max_poly_coeff > 0 : boo = False for alpha in range(1, max_poly_coeff): for alpha in range(1, self.max_poly_coeff): if (x**k - alpha).is_irreducible() : boo = True break ... ...
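Review bot: The first hunk of this file (the `CocksPinchVariantResult.__init__` signature, -506/+506) appears to leave merge-conflict markers in the new code. Going by the hunk counts (6 lines before, 9 after), the three additions are the `=======` line, the second `def __init__(... max_poly_coeff=0 ...)` and the `>>>>>>> 107d412592d84ec5619ec671ff8231cbcde4d52c` line, which would stop the module from parsing. Keep a single signature and delete the marker lines; `max_poly_coeff=0` is the variant consistent with `CocksPinchVariantSearch`, which in the later hunks defaults to `0`, stores `Integer(max_poly_coeff)` and tests `self.max_poly_coeff > 0`. The rendered page has lost its `+`/`-` column, so the side of each line is inferred here and should be confirmed against the file. The class body continues outside the hunk.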
 ... ... @@ -167,10 +167,11 @@ def Hw(x) : return len(bit_positions_2naf(x)) proof.arithmetic(False) C5=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=-0x11e36418c7c8b454,max_B1=600) C5=CocksPinchVariantResult(5,10000000147,0xe000000000008000,1,ht=3,hy=0x11e36418c7c8b454,max_B1=600) C6=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xffbbffffffffffffc020,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C7=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600) C8=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) #C8=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) C8=CocksPinchVariantResult(8,4,0xffc00020fffffffc,1,ht=1,hy=0xdc04,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600) CMNT6=MNT6(u=873723667900031396506414143162332159382674816702805606206979732381600254701804231398281169537138620,a=209307816050232262803672282154940341360062431838092388077917610639183322072827259682607127795420474686833003315766797546568469776750651773087882545447646552119008299040167030969895802846139484415144,b=2319663192174958547181026340141410918530227127674793888869119262391240421488942353013995765010333162065568990954578077256489549792305772041454141172011940607053889955897003759289947924385489341215143,D=8317003,c=1) ... ... @@ -509,6 +510,9 @@ def finalExpoCost(C): c_exp_T = (logT-1)*cyclo_s8 + (HwT-1)*cost_m(k) # first, this: (because phi_8(p)/r = 1 + c(T^2+p^2)(p-T)) # recall that a p^2-power cost is the same as a p-power # for the reason explained in remark \ref{frob}. # What happen if i != 1 when the expo is to the power T^i ? c2 = 3*c_exp_T + 2*cost_f(8) + 3*cost_m(k) # Then, see code/formules-familles-CocksPinch.sage ... ... 
@@ -524,6 +528,7 @@ def finalExpoCost(C): c_exp_hu = (loghu-1)*cyclo_s8 + (Hwhu-1)*cost_m(k) c2 += 4 * c_exp_T + 2 * c_exp_hu + 2 * c_exp_hy + 10 * cost_m(k) # Do we miss some inversions ? if (T%4 == 2 or i == 1 or i == 5): c2 += cost_m(k) ... ...
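Review bot: The previous `C8` definition is kept as a commented-out line directly above its replacement, and every parameter differs (`T`, `i`, `ht`, `hy`), with nothing saying why the reference curve was swapped. Replace the dead line with a one-line comment giving the reason; the sign flip of `hy` on `C5` in the same hunk suggests the new y0 normalisation, but the hunk does not say so. The two questions added in `finalExpoCost` (`# What happen if i != 1 when the expo is to the power T^i ?` and `# Do we miss some inversions ?`) read as open doubts about the cost model, so mark them `# TODO:` to keep the resulting counts from being read as final. `finalExpoCost` starts and ends outside both hunks.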
 ... ... @@ -59,20 +59,24 @@ def count_formula_k8(i, c): c1 = c1 + y d1 = 0 elif i==5: c1 = c1 - y c1 = c1 + y d1 = 0 d1 = d1 + d0*V assert c1 + d1/2 == (c0 + d0/4) * T + e1 c12 = c1*2 c2 = (c12 + d1) * 2*U + (c12 + d1) * V - y c2 = (c12 + d1) * 2*U + (c12 + d1) * V if i == 1: c2 -= y else: c2 += y d2 = 1 assert c2 + d2/4 == (c1 + d1/2) * T + e2 c22 = c2*2 c3 = (c22*2 + d2) * U + c22*V if i == 7: c3 = c3 + y elif i == 3: c3 = c3 - y elif i == 3: c3 = c3 + y elif i == 1: c3 = c3 + u - 1 elif i == 5: ... ... @@ -111,7 +115,7 @@ def count_formula_k8(i, c): r = r * ay s = s ** V elif i == 5: r = r * ayi r = r * ay s = s ** V assert r.val == c1 assert s.val == d1 ... ... @@ -120,7 +124,10 @@ def count_formula_k8(i, c): r = r ** 2 r = r * s r = (r ** 2) ** U * r ** V r = r * ayi if i == 1: r = r * ayi else: r = r * ay s = a assert r.val == c2 assert s.val == d2 ... ... @@ -129,9 +136,9 @@ def count_formula_k8(i, c): r = r ** 2 r = (r ** 2 * s) ** U * r ** V if i == 7: r = r * ay elif i == 3: r = r * ayi elif i == 3: r = r * ay elif i == 1: r = r * au r = r * ai ... ... @@ -172,17 +179,20 @@ def count_formula_k6(i, tr, c): # For k=6, the expressions of t and y are: # t = T + 1 +h_t*r # y = 1/3*T^2 - 2/3*T +h_y*r # # t = T + 1 +h_t*r # y = -1/3*T^2 - 2/3 +h_y*r # y = 1/3*T^2 + 2/3 +h_y*r # # t = -T + 2 +h_t*r # y = 1/3*T^2 - 2/3*T + 1 +h_y*r # # t = -T + 2 +h_t*r # y = -1/3*T^2 + 1/3 +h_y*r # y = 1/3*T^2 - 1/3 +h_y*r # but if we reduce to the parity bit of t+y only: # parity = T + 1 +h_t + T^2 +h_y = 1 + h_t + h_y # parity = T + 1 +h_t - T^2 +h_y = 1 + h_t + h_y # parity = -T +h_t + T^2 + 1 +h_y = 1 + h_t + h_y # parity = -T +h_t - T^2 + 1 +h_y = 1 + h_t + h_y # parity = T + 1 + h_t + T^2 + h_y = 1 + h_t + h_y # parity = T + 1 + h_t + T^2 + h_y = 1 + h_t + h_y # parity = T + h_t + T^2 + 1 + h_y = 1 + h_t + h_y # parity = T + h_t + T^2 + 1 + h_y = 1 + h_t + h_y # so that in all cases, we have either h_t odd and h_y # even, or the converse. ... ... 
@@ -191,7 +201,7 @@ def count_formula_k6(i, tr, c): # This one expresses the result as a function of: # u = h_t/2 # w = (h_y-z)/2 z = -1 if tr == 0 else 1 z = -1 # so we're assuming that h_t is even and h_y is odd. new_c=horner_list(3*c(h_t=2*u,h_y=(2*w+z),T=tr+3*U),U) new_c[1] /= 3 ... ... @@ -252,14 +262,10 @@ def count_formula_k6(i, tr, c): rplus3 = ar + a3 if parity_ht == 1: c0 = c0 - a3u if parity_ht == 0 and tr == 0: if parity_ht == 0: c0 = c0 - a6w elif parity_ht == 1 and tr == 0: elif parity_ht == 1: c0 = c0 + a3w elif parity_ht == 0 and tr == 1: c0 = c0 + a6w elif parity_ht == 1 and tr == 1: c0 = c0 - a3w assert c0 == e0 if i == 1: if tr == 0: ... ... @@ -271,11 +277,11 @@ def count_formula_k6(i, tr, c): c2 = ar else: if parity_ht == 0: c1 = ar + a3u + a3w c1 = ar + a3u - a3w c2 = ar + a6u else: c1 = ar - a6w c2 = ar + a3u - a9w c1 = ar + a6w c2 = ar + a3u + a9w else: if tr == 0: if parity_ht == 0: ... ... @@ -286,10 +292,10 @@ def count_formula_k6(i, tr, c): c2 = ar + a3u + a9w else: if parity_ht == 0: c1 = ar - a3u + a3w c2 = rplus3 + a3u + a9w c1 = ar - a3u - a3w c2 = rplus3 + a3u - a9w else: c1 = rplus3 - a6u - a6w c1 = rplus3 - a6u + a6w c2 = ar assert c1 == e1 assert c2 == e2 ... ... @@ -327,18 +333,18 @@ def count_formula_k6(i, tr, c): acc = acc * ar else: if parity_ht == 0: acc = acc * a6w acc = acc * a6w^-1 acc = acc^U ar3u = ar * a3u acc = acc * ar3u * a3w acc = acc * ar3u * a3w^-1 acc = acc^U acc = acc * ar3u * a3u else: acc = acc * (a3u * a3w)^-1 acc = acc * a3u^-1 * a3w acc = acc^U acc = acc * ar * a6w^-1 acc = acc * ar * a6w acc = acc^U acc = acc * ar * a3u * a9w^-1 acc = acc * ar * a3u * a9w else: if tr == 0: if parity_ht == 0: ... ... 
@@ -358,14 +364,14 @@ def count_formula_k6(i, tr, c): else: if parity_ht == 0: ar3 = ar * a3 acc = acc * a6w acc = acc * a6w^-1 acc = acc^U acc = acc * ar * a3u^-1 * a3w acc = acc * ar * a3u^-1 * a3w^-1 acc = acc^U acc = acc * ar3 * a3u * a9w acc = acc * ar3 * a3u * a9w^-1 else: ar3 = ar * a3 a3u3w = a3u * a3w a3u3w = a3u * a3w^-1 acc = acc * (a3u3w)^-1 acc = acc^U acc = acc * ar3 * (a3u3w^2)^-1 ... ... 
@@ -403,34 +409,45 @@ def formulas(k): D=4 inv_sqrt_D = (1/sqrt(K(-D))).polynomial() ld = inv_sqrt_D.list()[-1] assert inv_sqrt_D.degree() < euler_phi(k) # choose positive leading coefficient if ld < 0: inv_sqrt_D = -inv_sqrt_D inv_sqrt_D = inv_sqrt_D(T) # We do **NOT** normalize inv_sqrt_D. We could, if we wanted: the # idea would be to do that depending on the congruence class of T, # and choose the polynomial expression with the smallest leading # coefficient in absolute value (for example). # # E.g. for k=6, inv_sqrt_D = \pm (2T-1)/3 ; if T is 1 mod 3, this is # the same as if we add 0 = 2r/3 = 2*(T^2-T+1)/3, hence inv_sqrt_D = # \pm (2T^2+1)/3, but then the reprensentatives \pm (T^2-3T+2)/3 are # smaller. # # However, even though we know how to do this, we're better off doing # this work on y0, which is the final data. # Bottom line: below, we strive to write the formula for the # (polynomial expression of the) least positive integer # representative of y0=\pm(t0-2)*inv_sqrt_D, and this exact expression # depends on the congruence class of D. if k==6: subfamilies=[ # Recall that T=2 mod 3 is forbidden since r=Phi_6(T) # must be prime. # # For i==1, t0 == T+1 # Recall that T=2 mod 3 is forbidden since r=Phi_6(T). # The representatives of (t0-2)*inv_sqrt_D in 1/3 * Z are: # (2T^2-3T+1)/3 : outside range # (T^2-2T)/3 = T*(T-2)/3 : good if T = 0,2 mod 3 (hence only 0) # (-T-1)/3 : good if T is 2 mod 3, so *never good* ! # (-T^2-2)/3 : good if T is 1, 2 mod 3 (hence only 1) (1, T+1, [(0,6,(T*(T-2))/3), (1,6,(1-T**2)/3-1), ]), # what might correspond to CocksPinchVariant is: #(1, T+1, [(0,6,(T*(T-2))/3), (1,6,(2+T**2)/3), ]), # The representatives of \pm (t0-2)*inv_sqrt_D in 1/3 * Z are: # \pm (T^2-2T)/3 = \pm T*(T-2)/3 : good if T = 0,2 mod 3 (hence only 0) # \pm (T+1)/3 : good if T is 2 mod 3, so *never good* ! 
# \pm (T^2+2)/3 : good if T is 1, 2 mod 3 (hence only 1) (1, T+1, [(0,3,(T*(T-2))/3), (1,3,(T**2+2)/3), ]), # For i==5, t0 == 2-T # The representatives of (t0-2)*inv_sqrt_D in 1/3 * Z are: # (T-2*T^2)/3 = T*(1-2*T)/3 : outside range # (1-T^2)/3 : good if T is 1 or 2 mod 3 (hence only 1) # (2-T)/3 : good if T is 2 mod 3, so *never good* ! # (T^2-2*T+3)/3 : good if T is 0 or 2 mod 3 (hence only 0) (5, 2-T, [ (0,3,1+T*(T-2)/3), (1,3,(1-T**2)/3), ]), # what might correspond to CocksPinchVariant is: #(5, 2-T, [ (0,3,1-T*(T-2)/3), (1,3,-(1-T**2)/3), ]), # The representatives of \pm(t0-2)*inv_sqrt_D in 1/3 * Z are: # \pm (T^2-1)/3 : good if T is 1 or 2 mod 3 (hence only 1) # \pm (T-2)/3 : good if T is 2 mod 3, so *never good* ! # \pm (T^2-2*T+3)/3 : good if T is 0 or 2 mod 3 (hence only 0) (5, 2-T, [ (0,3,1+T*(T-2)/3), (1,3,(T**2-1)/3), ]), ] # Note that congruence classes on ht and hy will force p to be an # integer, even though it seems to have a 1/4 in the denominator. ... ... @@ -444,11 +461,13 @@ def formulas(k): # -> as a consequence, the formula should not be specific to one # congruence class of T mod 4 elif k==8: # Here T must be even, since T^4+1 must be prime. The minimal # integer representatives of \pm (t0-2)*inv_sqrt_D are: subfamilies=[ (1, T+1, [(0,2,(T-1)*T**2/2)]), (3, T**3+1, [(0,2,-(T+1)*T/2)]), (5, -T+1, [(0,2,(-T-1)*T**2/2)]), (7, -T**3+1, [(0,2,(-T+1)*T/2)]), (3, T**3+1, [(0,2,(T+1)*T/2)]), (5, -T+1, [(0,2,(T+1)*T**2/2)]), (7, -T**3+1, [(0,2,(T-1)*T/2)]), ] else: # just for completeness. This ignores the fact that the ... ... @@ -461,7 +480,9 @@ def formulas(k): for i,t0,y0class in subfamilies: for tr,tq,y0 in y0class: assert (y0 - (t0-2)*inv_sqrt_D) % r == 0 # We don't check against inv_sqrt_D, since inv_sqrt_D is # known only up to sign. # assert (y0 - (t0-2)*inv_sqrt_D) % r == 0 assert (D * y0**2 + (t0-2)**2) % r == 0 t = t0 + h_t*r y = y0 + h_y*r ... ...
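Review bot: In the last hunk of `formulas`, the replacement check `assert (D * y0**2 + (t0-2)**2) % r == 0` accepts either sign of `y0` and any representative modulo `r`, so it no longer verifies what the new comments promise, namely that each `subfamilies` entry is the least positive representative of `\pm(t0-2)*inv_sqrt_D`. Several entries change sign in this commit (the `k==8` rows for i=3, 5, 7 and both `k==6` rows), and a wrong sign would still pass this assert. Consider a comment beside it such as `# checks y0 only up to sign; the choice of representative is not verified here`, or a check that evaluates each entry at a sample `T` of its congruence class and compares it with the y0 normalisation done in `CocksPinchVariantSearch`. The added comment that ends "depends on the congruence class of D" probably means `T`. The body of `formulas` extends past the hunk.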
 ... ... @@ -53,7 +53,7 @@ while args: parsed_one = True search_args[passthrough] = False args=args[1:] for passthrough in [ "k", "lambdap", "lambdar", "allowed_automatic_cofactor", "allowed_cofactor", "allowed_size_cofactor", "check_small_subgroup_secure", "required_cofactor", "restrict_i", "Drange", "l", "seed" ]: for passthrough in [ "k", "lambdap", "lambdar", "allowed_automatic_cofactor", "allowed_cofactor", "allowed_size_cofactor", "check_small_subgroup_secure", "max_poly_coeff", "required_cofactor", "restrict_i", "Drange", "l", "seed" ]: if not args: break if args[0] == "-D" or args[0] == "--D": ... ...