Commit f23ab0d8 authored by MASSON Simon's avatar MASSON Simon

OLD_COUNT supprimé

parent f8cd90da
......@@ -9,23 +9,11 @@ from BN import *
from MNT6 import *
from final_expo_k57 import *
# Set this flag to make sure that the changes we've done to the
# computation code do *NOT* affect the costs that we had computed thus
# far.
#
# Once we check that, we are confident that the change in machinery did
# not introduce new bugs. Then we can set OLDCOUNTS to False (and delete
# the associated code when relevant).
OLDCOUNTS=False
# if OLDCOUNTS is True, these two are ignored (or are forced to False,
# so to say).
mystery_201903151748_simon_a_raison=False
# TODO: take into account h_t not always being 0 in the k=6 or k=8
# cases... [WIP for k=8 -- want to automate a bit]
mystery_201903151748_simon_a_raison=False
Qmsi = QQ['m,s,inv']
m,s,inv = Qmsi.gens()
......@@ -110,8 +98,6 @@ def cost_i(k) :
# # ni = inv(n)
# # ai = ni * a
# return 6*cost_f(k) + 3*cost_m(k) + inv + 2*k*m
elif OLDCOUNTS and (k==5 or k==7):
return (k-1)*cost_f(k) + (k-1)*cost_m(k) + inv
elif k%2 == 1:
# generalization of the above.
# Note that we can go further. If (k-1)/2 >= 4, then we may apply
......@@ -125,7 +111,7 @@ def cost_i(k) :
def cost_f(k, d=1) :
# return the cost of a d-Frobenius over F_{p^k}
assert k % d == 0
if (k//d) % 2 == 0 and not OLDCOUNTS:
if (k//d) % 2 == 0 :
# for F_{p^{k/d}} a tower defined by binomials, the multipliers in
# the Frobenius (p^d-th power) expressions are all powers of a
# k/d-th root of unity. If k/d is even, one of them is -1. At any
......@@ -136,7 +122,7 @@ def cost_f(k, d=1) :
return (k//d-1) * d * cost_m(1)
def cost_i_and_f(k) :
if OLDCOUNTS or k % 2 == 0 or k % 3 == 0:
if k % 2 == 0 or k % 3 == 0:
return cost_i(k) + cost_f(k)
elif k == 5 or k == 7:
# Then we know that the inversion computes the Frobenius anyway.
......@@ -185,20 +171,6 @@ C6=CocksPinchVariantResult(6,3,0xefffffffffffffe00000000000000000,1,ht=-1,hy=0xf
C7=CocksPinchVariantResult(7,20,0x5fffb820248,6,ht=-2,allowed_cofactor=1232,allowed_size_cofactor=10,max_B1=600)
C8=CocksPinchVariantResult(8,4,0xffffffffeff7c200,5,ht=5,hy=-0xd700,allowed_cofactor=420,allowed_size_cofactor=10,max_B1=600)
C8old=CocksPinchVariantResult(8,4,0xe000000000001010,5,ht=1,hy=0x177dc)
C6old=CocksPinchVariantResult(6,3,0xc0000000000000000040000000000000,5,hy=0x20000000000000000000f)
C5old=CocksPinchVariantResult(5,1001035,0xe000000000000036,4,ht=1,hy=0xb5f94915f3db71cae)
C7old=CocksPinchVariantResult(7,312916,0x60000000002,5,ht=-1)
if OLDCOUNTS:
# Curves as they were at least on the printout I have here. But I'm
# not sure these are the curves we used to base our counts on anyway.
C5 = C5old
C6 = C6old
C7 = C7old
C8 = C8old
CBN12=BN(eval(preparse("2^114+2^101-2^14-1")))
CBLS12=BLS12(eval(preparse("-2^77+2^50+2^33")))
CKSS16=KSS16(eval(preparse("2^35-2^32-2^18+2^8+1")))
......@@ -212,10 +184,7 @@ def finite_field_cost(logp):
if words == 6 :
time_m = 69 #relic benchmark
if words == 8 :
if OLDCOUNTS:
time_m = 130 #relic benchmark
else:
time_m = 120 #relic benchmark
time_m = 120 #relic benchmark
elif words == 9 :
time_m = 1.9*9**2
elif words == 10 :
......@@ -343,7 +312,7 @@ def millerLoopCost(C):
cost_update1 = cost_s(k)+densexsparse_m8(k)
cost_update2 = densexsparse_m8(k)
if name == 'KSS16' : # extra partial add and partial double + 3 frob and 2 multiplications
if not OLDCOUNTS and mystery_201903151748_simon_a_raison:
if mystery_201903151748_simon_a_raison:
miller_fixup = (cost_m(k//4) + 5 *cost_s(k//4) + k//2 * cost_m(1)) + \
+ (5*cost_m(k//4) + 2*cost_s(k//4) + k//2 * cost_m(1))
else:
......@@ -378,10 +347,6 @@ def millerLoopCost(C):
logT = T.nbits()
HwT = Hw(T)
if OLDCOUNTS:
if k==8:
HwT=3
tot_miller = (logT-1) * (cost_doubleline + cost_verticalline) \
+ (logT-2) * cost_update1 \
+ (HwT-1) * (cost_addline + cost_verticalline + cost_update2) \
......@@ -394,8 +359,6 @@ def cost_firstexp(k):
assert k in [5,6,7,8]
if Integer(k).is_prime():
return cost_i_and_f(k)+cost_m(k)
if OLDCOUNTS and k==6 :
return 4*cost_f(k) + cost_i(k) + 3*cost_m(k)
if k == 6 :
# a <- a^(1+p)
c0 = cost_f(k) + cost_m(k)
......@@ -449,19 +412,6 @@ def finalExpoCost(C):
loghy=hy.nbits(); Hwhy=Hw(hy)
loght=ht.nbits(); Hwht=Hw(ht)
if OLDCOUNTS:
if k==5:
logp=665
HwCofr=206
elif k==7:
HwCofr=133
# This had us trip over word size limits.
logp=513
elif k==8:
HwT=3
loghy=18
c1 = cost_firstexp(k)
# Now compute c2 (second part of FE)
......@@ -470,64 +420,27 @@ def finalExpoCost(C):
cost_T = (logT-1)*cost_s(k) + (HwT-1)*cost_m(k)
if OLDCOUNTS:
# number of frobenius exponentiations in the second part
c_frobenius = (k - 2) * cost_f(k)
c2 = c_frobenius
# k-2 exponentations to T:
c2 += (k - 2) * cost_T
# exponentation to cofactor c:
logc = logp - logr
c2 += (logc -1)*cost_s(k) + (HwCofr-1)*cost_m(k)
# FIXME: the formulas below are not generic. They're specific
# to one chosen value of i. And among the different
# possibilities, i=1 is arguably nicest, so that we're
# tempted to use that as a default. Maybe it's unwanted
# pressure for the k=7 case, though.
# multiplying together the (k - 2) terms costs (k - 3) M:
c2 += (k - 3)*cost_m(k)
### XXX ? really ? I count (k-1) terms, not (k-2)
# assume one inversion costs (k-1) Frobenius since the norm is 1 at this point
if OLDCOUNTS:
cost_inv_torus = (k-1) * c_frobenius
else:
# 99% sure that the formula above is a bug.
cost_inv_torus = (k-1) * cost_f(k)
# This adds (k-1)*cost_m(k) (don't know where this comes
# from, but anyway this seems to match our 2(k-2)) and
# cost_inv_torus, which I think is potentially unneeded
if k == 5:
c2 += 4*cost_m(k) + cost_inv_torus
elif k == 7:
c2 += 6*cost_m(k) + 3*cost_inv_torus
# checked in sage, see params-k7-512.sage and params-k5-664.sage
else:
# see final-expo-k57.sage
c2 = (k-2)*(cost_f(k) + cost_T + 2*cost_m(k)) + cost_m(k)
logc = logp - logr
c2 += (logc -1)*cost_s(k) + (HwCofr-1)*cost_m(k)
# one inversion costs (k-1) Frobenius since norm == 1
cost_inv_torus = (k-1) * cost_f(k)
if i > 1:
c2 += cost_inv_torus
if i < k-1 and 2*i > k:
# this just happens to match the formulas that we have.
c2 += cost_inv_torus
# cost for k=5 i=1: 1c + 3T + 7M + 3p
# cost for k=5 i=2: 1I + 1c + 3T + 7M + 3p
# cost for k=5 i=3: 2I + 1c + 3T + 7M + 3p
# cost for k=5 i=4: 1I + 1c + 3T + 7M + 3p
# cost for k=7 i=1: 1c + 5T + 11M + 5p
# cost for k=7 i=2: 1I + 1c + 5T + 11M + 5p
# cost for k=7 i=3: 1I + 1c + 5T + 11M + 5p
# cost for k=7 i=4: 2I + 1c + 5T + 11M + 5p
# cost for k=7 i=5: 2I + 1c + 5T + 11M + 5p
# cost for k=7 i=6: 1I + 1c + 5T + 11M + 5p
# see final-expo-k57.sage
c2 = (k-2)*(cost_f(k) + cost_T + 2*cost_m(k)) + cost_m(k)
logc = logp - logr
c2 += (logc -1)*cost_s(k) + (HwCofr-1)*cost_m(k)
# one inversion costs (k-1) Frobenius since norm == 1
cost_inv_torus = (k-1) * cost_f(k)
if i > 1:
c2 += cost_inv_torus
if i < k-1 and 2*i > k:
# this just happens to match the formulas that we have.
c2 += cost_inv_torus
# cost for k=5 i=1: 1c + 3T + 7M + 3p
# cost for k=5 i=2: 1I + 1c + 3T + 7M + 3p
# cost for k=5 i=3: 2I + 1c + 3T + 7M + 3p
# cost for k=5 i=4: 1I + 1c + 3T + 7M + 3p
# cost for k=7 i=1: 1c + 5T + 11M + 5p
# cost for k=7 i=2: 1I + 1c + 5T + 11M + 5p
# cost for k=7 i=3: 1I + 1c + 5T + 11M + 5p
# cost for k=7 i=4: 2I + 1c + 5T + 11M + 5p
# cost for k=7 i=5: 2I + 1c + 5T + 11M + 5p
# cost for k=7 i=6: 1I + 1c + 5T + 11M + 5p
elif k == 6 :
# See:
......@@ -536,50 +449,35 @@ def finalExpoCost(C):
assert D==3
if OLDCOUNTS:
c_exp_T = (logT-1)*cyclo_s6 + (HwT-1)*cost_m(k)
c_exp_hy = (loghy-1)*cyclo_s6 + (Hwhy-1)*cost_m(k)
c21 = 2*c_exp_T + 2*c_exp_hy + cyclo_s6 + 5*cost_m(k)
c22 = 0
c23 = c_exp_T + cost_f(k) + cyclo_s6 + 4*cost_m(k)
#
# c21 = 2*c_exp_T + 2*c_exp_hy + 5*cyclo_s6 + 8*cost_m(k) # + cost_i(k) NO inversions are free at this point
# c22 = c_exp_T + cost_m(k) # + cost_i(k) NO inversion
# c23 = 2*cost_m(k) + cost_f(k)
c2 = c21 + c22+c23
else:
# start with this:
c_exp_T = (logT-1)*cyclo_s6 + (HwT-1)*cost_m(k)
c2 = c_exp_T + cost_f(k) + cyclo_s6 + 4*cost_m(k)
if i == 5:
# extra cost for raising to the power p+t0 = p+2-T: we
# need a square...
c2 += cyclo_s6
# Then, see code/formules-familles-CocksPinch.sage
# it's a slight mess, to be honest.
assert (1 + ht + hy) % 2 == 0
if ht % 2 == 0:
hu = ht//2
hz = -1 if T%3 == 0 else 1
hw = (hy-hz)//2
else:
hu = (ht+1)//2
# start with this:
c_exp_T = (logT-1)*cyclo_s6 + (HwT-1)*cost_m(k)
c2 = c_exp_T + cost_f(k) + cyclo_s6 + 4*cost_m(k)
if i == 5:
# extra cost for raising to the power p+t0 = p+2-T: we
# need a square...
c2 += cyclo_s6
# Then, see code/formules-familles-CocksPinch.sage
# it's a slight mess, to be honest.
assert (1 + ht + hy) % 2 == 0
if ht % 2 == 0:
hu = ht//2
hz = -1 if T%3 == 0 else 1
hw = (hy-hz)//2
else:
hu = (ht+1)//2
hw = hy//2
U = T - (T % 3)
logU=U.nbits(); HwU=Hw(U)
loghu=hu.nbits(); Hwhu=Hw(hu)
loghw=hw.nbits(); Hwhw=Hw(hw)
c_exp_U = (logU-1)*cyclo_s6 + (HwU-1)*cost_m(k)
c_exp_hu = (loghu-1)*cyclo_s6 + (Hwhu-1)*cost_m(k)
c_exp_hw = (loghw-1)*cyclo_s6 + (Hwhw-1)*cost_m(k)
c2 += 12*cost_m(k) + 2*cost_s(k) + 2*(c_exp_U + c_exp_hu + c_exp_hw)
U = T - (T % 3)
logU=U.nbits(); HwU=Hw(U)
loghu=hu.nbits(); Hwhu=Hw(hu)
loghw=hw.nbits(); Hwhw=Hw(hw)
c_exp_U = (logU-1)*cyclo_s6 + (HwU-1)*cost_m(k)
c_exp_hu = (loghu-1)*cyclo_s6 + (Hwhu-1)*cost_m(k)
c_exp_hw = (loghw-1)*cyclo_s6 + (Hwhw-1)*cost_m(k)
c2 += 12*cost_m(k) + 2*cost_s(k) + 2*(c_exp_U + c_exp_hu + c_exp_hw)
elif k == 8 :
# See:
# sage: attach("formules-familles-CocksPinch.sage")
......@@ -594,37 +492,27 @@ def finalExpoCost(C):
# and maybe one multiplication less. Note also that ht+1 is
# necessarily even.
if OLDCOUNTS:
c21 = 0 # c21 = 2*cost_s(k)
c_exp_hy = (loghy-1)*cyclo_s8 + (Hwhy-1)*cost_m(k)
c_exp_T = (logT-1)*cyclo_s8 + (HwT-1)*cost_m(k)
c22 = 2*c_exp_hy + 4*c_exp_T + 6*cost_m(k) #+ 3*cyclo_s8 not needed if we compute C/4 instead of C
c23 = 3*c_exp_T + 3*cost_f(8) + 3*cost_m(k) #+ 2*cost_i(k) inversions are free at this point !
c24 = 0 # c24 = cost_m(k)
c2 = c21+c22+c23+c24
else:
c_exp_T = (logT-1)*cyclo_s8 + (HwT-1)*cost_m(k)
# first, this: (because phi_8(p)/r = 1 + c(T^2+p^2)(p-T))
c2 = 3*c_exp_T + 2*cost_f(8) + 3*cost_m(k)
# Then, see code/formules-familles-CocksPinch.sage
# for raising to the power c, we get:
# 11M + 2u + 4T + 2y
# with one of the multiplies that (for i=3 and i=7) can be
# elided if T=0 mod 4. This is with u = multiplication by
# (h_t+1)//2.
hu = (ht+1)//2;
loghu=hu.nbits(); Hwhu=Hw(hu)
c_exp_hy = (loghy-1)*cyclo_s8 + (Hwhy-1)*cost_m(k)
c_exp_hu = (loghu-1)*cyclo_s8 + (Hwhu-1)*cost_m(k)
c2 += 4 * c_exp_T + 2 * c_exp_hu + 2 * c_exp_hy + 10 * cost_m(k)
if (T%4 == 2 or i == 1 or i == 5):
c2 += cost_m(k)
c_exp_T = (logT-1)*cyclo_s8 + (HwT-1)*cost_m(k)
# first, this: (because phi_8(p)/r = 1 + c(T^2+p^2)(p-T))
c2 = 3*c_exp_T + 2*cost_f(8) + 3*cost_m(k)
# Then, see code/formules-familles-CocksPinch.sage
# for raising to the power c, we get:
# 11M + 2u + 4T + 2y
# with one of the multiplies that (for i=3 and i=7) can be
# elided if T=0 mod 4. This is with u = multiplication by
# (h_t+1)//2.
hu = (ht+1)//2;
loghu=hu.nbits(); Hwhu=Hw(hu)
c_exp_hy = (loghy-1)*cyclo_s8 + (Hwhy-1)*cost_m(k)
c_exp_hu = (loghu-1)*cyclo_s8 + (Hwhu-1)*cost_m(k)
c2 += 4 * c_exp_T + 2 * c_exp_hu + 2 * c_exp_hy + 10 * cost_m(k)
if (T%4 == 2 or i == 1 or i == 5):
c2 += cost_m(k)
tot_expo = c1 + c2
return tot_expo(m=1,s=1,inv=25)
......@@ -634,13 +522,7 @@ def pairingCost(C):
costFinalExp = finalExpoCost(C)
logp = polymorphic_get_logp(C)
if OLDCOUNTS:
k = polymorphic_get_embedding_degree(C)
if k==5:
logp=665
elif k==7:
logp=513
time_m = finite_field_cost(logp)
tot_miller = costMiller[-1]
......@@ -667,13 +549,6 @@ def table_cost_pairing() :
for C in [C5,C6,C7,C8,CBN12,CBLS12,CKSS16,C1]:
L=pairingCost(C)
if OLDCOUNTS:
if L['k'] == 7:
scale = 130/L['time_m']
for kk in L.keys():
if re.match("^time_.*", kk):
L[kk] = round(L[kk] * scale, 1)
timing_recap.append(L)
#timing recap is generated
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment