yydcaib
/
KGC_TEST
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
KGC_TEST/KGCAPP/3rdparty/miracl/source/curve/pairing/bestpair.cpp

623 lines
11 KiB
C++
Raw Blame History

//
// Program to generate "best" BN, BLS12, BLS24 and BLS48 curves (with modulus p=3 mod 8)
//
// g++ -O2 bestpair.cpp zzn8.cpp zzn4.cpp zzn2.cpp zzn.cpp ecn8.cpp ecn4.cpp ecn2.cpp ecn.cpp big.cpp miracl.a -o bestpair.exe
//
// Further tests may be needed to ensure full satisfaction (e.g. twist security, even x, etc.)
//
// Note that finding curves that are both GT and G2 Strong, can take a while
//
// SUggestions:-
// For AES-128 security: bestpair BLS12 64 3
// For AES-192 security: bestpair BLS24 48 4
// FOr AES-256 security: bestpair BLS48 32 4
// Some possible rational points on y^2=x^3+b (x^3+b is a perfect square)
// b=1, x=0, -1 or 2
// b=2, x=-1
// b=3, x=1
// b=4, x=0
// b=5, x=-1
// b=8, x=-2, 1, 2
// b=9, x=0, 3, 6, 40
// b=10, x=-1
// b=12, x=-2, 13
// b=-1, x=1
// b=-2, x=3;
// b=-4, x=2, 5
// b=-7, x=2, 32
// b=-8, x=2
// b=-11, x=3, 15
// of course these points need to be checked for correct order...
#include <iostream>
#include "big.h"
#include "ecn.h"
#include "ecn2.h"
#include "ecn4.h"
#include "ecn8.h"
#define BN 0
#define BLS12 1
#define BLS24 2
#define BLS48 3
using namespace std;
Miracl precision=500;
// Number of ways of selecting k items from n
Big combo(int n,int k)
{ // calculate n C k
int i;
Big c,d;
d=1;
for (i=2;i<=k;i++)
d*=i;
c=1;
for (i=n;i>n-k;i--)
c*=i;
c/=d;
return c;
}
// Number of candidates to be searched.
Big count(int b,int h)
{
Big c=combo(b-h+1,h-1)+combo(b-h+1,h-2);
c*=pow((Big)2,h);
return c;
}
// Move to next NAF pattern
int iterate(int *x,int n)
{
int i,j,k,gotone=0;
for (i=0;i<n-1;i++)
{
if (x[i]==1 && x[i+2]==0)
{
gotone=1;
x[i+1]=1;
x[i]=0;
if (x[0]==1) break;
for (k=1;;k++)
if (x[k]!=0) break;
for (j=0;j<i-k;j+=2)
{
x[j]=x[j+k];
x[j+k]=0;
}
break;
}
}
return gotone;
}
int main(int argc, char *argv[])
{
int HW,BITS,S,type,xm8,xm3,xm24,percent,pc;
Big cnt,odds,total;
int i,j,k,m,jj,bt,hw,twist,pb,nb,b,cb[40],ip;
int xb[256];
BOOL G2,GT,gotH,gotB,gotT,progress;
Big msb,c,r,m1,n,p,q,t,x,y,w,X,Y,cof,cof2,coft,tau[9];
Big PP,TT,FF;
Big xp[10];
int pw[10];
miracl *mip=&precision;
ECn P;
argc--; argv++;
if (argc<1)
{
cout << "Missing arguments" << endl;
cout << "Program to find best pairing-friendly curves" << endl;
cout << "bestpair type bits Hamming-weight" << endl;
cout << "where type is the curve (BN, BLS12, BLS24, BLS48)" << endl;
cout << "where bits is number of bits in curve x parameter (>30 and <200)" << endl;
cout << "and hamming-weight is the number of non-zero bits (>1 and <10)" << endl;
cout << "e.g. bestpair BLS12 77 3" << endl;
cout << "Use flag /GT for GT-Strong curves" << endl;
cout << "Use flag /G2 for G2-Strong curves" << endl;
cout << "Use flag /P to show progress" << endl;
exit(0);
}
ip=0; HW=0; BITS=0;
G2=GT=gotB=gotH=gotT=progress=FALSE;
while (ip<argc)
{
if (!gotT && strcmp(argv[ip],"BN")==0)
{
ip++;
gotT=TRUE;
type=BN;
}
if (!gotT && strcmp(argv[ip],"BLS12")==0)
{
ip++;
gotT=TRUE;
type=BLS12;
}
if (!gotT && strcmp(argv[ip],"BLS24")==0)
{
ip++;
gotT=TRUE;
type=BLS24;
}
if (!gotT && strcmp(argv[ip],"BLS48")==0)
{
ip++;
gotT=TRUE;
type=BLS48;
}
if (!G2 && strcmp(argv[ip],"/G2")==0)
{
ip++;
G2=TRUE;
continue;
}
if (!GT && strcmp(argv[ip],"/GT")==0)
{
ip++;
GT=TRUE;
continue;
}
if (!progress && strcmp(argv[ip],"/P")==0)
{
ip++;
progress=TRUE;
continue;
}
if (!gotB)
{
BITS=atoi(argv[ip++]);
gotB=TRUE;
continue;
}
if (!gotH)
{
HW=atoi(argv[ip++]);
gotH=TRUE;
continue;
}
cout << "Error in command line" << endl;
return 0;
}
if (!gotH || !gotB || !gotT || HW>9 || HW<2 || BITS>=200 || BITS<30)
{
cout << "Error in command line" << endl;
return 0;
}
hw=HW-1;
msb=pow((Big)2,BITS);
for (i=0;i<=BITS;i++)
xb[i]=0;
for (i=0;i<hw;i++)
xb[2*i]=1;
S=0;
total=count(BITS,HW);
cout << "search " << total << " candidates" << endl;
// very approximate estimate of odds of success. Assumes primes are not correlated (but they are!)
if (type==BN)
{
odds = (7*(4*BITS+5)/10)*(7*(4*BITS+5)/10);
if (G2)
odds*=(7*(4*BITS+5)/10);
if (GT)
odds*=(7*(12*BITS+16)/10);
}
if (type==BLS12)
{
odds = ((7*4*BITS)/10)*((7*6*BITS)/10);
if (G2)
odds*=(7*(8*BITS)/10);
if (GT)
odds*=(7*(20*BITS)/10);
}
if (type==BLS24)
{
odds = ((7*8*BITS)/10)*((7*10*BITS)/10);
if (G2)
odds*=(7*(32*BITS)/10);
if (GT)
odds*=(7*(72*BITS)/10);
}
if (type==BLS48)
{
odds = ((7*16*BITS)/10)*((7*18*BITS)/10);
if (G2)
odds*=(7*(128*BITS)/10);
if (GT)
odds*=(7*(272*BITS)/10);
}
odds/=8; // frig factor
cout << "one in " << odds << " expected to be OK" << endl;
// gprime(1000);
percent=-1;
cnt=0;
for (;;)
{
if (cnt>0 && !iterate(xb,BITS)) break;
for (i=j=0;i<BITS;i++)
{ // assign values to set bits
if (xb[i]==1)
{
xp[j]=pow((Big)2,i);
pw[j]=i;
j++;
}
}
xp[j]=msb;
pw[j]=BITS;
j++;
// iterate through all combinations of + and - terms
for (i=0;i<(1<<j);i++)
{
cnt+=1;
if (progress)
{
pc=toint((100*cnt)/total);
if (percent<pc)
{
percent=pc;
cout << pc << "\%" << endl;
}
}
x=0;
bt=1;
//cout << "x= ";
for (k=0;k<j;k++)
{
if ((bt&i)!=0) {x+=xp[k]; /*cout << "+2^" << pw[k];*/}
else {x-=xp[k]; /*cout << "-2^" << pw[k];*/}
bt<<=1;
}
if (type==BLS12)
{
xm24=x%24;
if (x<0) xm24+=24;
xm24%=24;
xm3=xm24%3;
if (xm3!=1) continue; // quick exit for p%3=0
xm8=xm24%8;
if (xm8!=0 && xm8!=7) continue; // quick exit for p=3 mod 8 condition
q=pow(x,4)-x*x+1;
p=q*(((x-1)*(x-1))/3)+x;
t=x+1;
n=p+1-t;
}
if (type==BLS24)
{
xm24=x%24;
if (x<0) xm24+=24;
xm24%=24;
xm3=xm24%3;
if (xm3!=1) continue; // quick exit for p%3=0
xm8=xm24%8;
if (xm8!=0 && xm8!=7) continue; // quick exit for p=3 mod 8 condition
q=pow(x,8)-pow(x,4)+1;
p=q*(((x-1)*(x-1))/3)+x;
t=x+1;
n=p+1-t;
}
if (type==BLS48)
{
xm24=x%24;
if (x<0) xm24+=24;
xm24%=24;
xm3=xm24%3;
if (xm3!=1) continue; // quick exit for p%3=0
xm8=xm24%8;
if (xm8!=0 && xm8!=7) continue; // quick exit for p=3 mod 8 condition
q=pow(x,16)-pow(x,8)+1;
p=q*(((x-1)*(x-1))/3)+x;
t=x+1;
n=p+1-t;
}
if (type==BN)
{
xm8=x%8;
if (x<0) xm8+=8;
xm8%=8;
if (xm8!=3 && xm8!=7) continue; // quick exit for p=3 mod 8 condition
p=36*pow(x,4)+36*pow(x,3)+24*x*x+6*x+1;
t=6*x*x+1;
n=p+1-t;
q=n;
}
if (p%8!=3) continue; // restriction here could be eased
if (small_factors(q)) continue;
if (small_factors(p)) continue;
cof=n/q;
if (type==BLS24)
{
coft=(pow(p,8)-pow(p,4)+1)/q;
}
if (type==BLS48)
{
coft=(pow(p,16)-pow(p,8)+1)/q;
}
if (type==BLS12 || type==BN)
{
coft=(pow(p,4)-p*p+1)/q;
}
if (GT)
{
if (small_factors(coft)) continue;
}
if (type==BLS12)
{
TT=t*t-2*p;
PP=p*p;
FF=t*(2*x*x*x-2*x*x-x+1)/3;
m1=PP+1-(-3*FF+TT)/2;
}
if (type==BLS24)
{
TT=t*t*t*t-4*p*t*t+2*p*p;
PP=pow(p,4);
FF=sqrt((4*PP-TT*TT)/3);
m1=PP+1-(3*FF+TT)/2;
}
if (type==BLS48)
{
tau[0]=2; // count points on twist over extension p^8
tau[1]=t;
for (jj=1;jj<8;jj++ ) tau[jj+1]=t*tau[jj]-p*tau[jj-1];
TT=tau[8];
PP=pow(p,8);
FF=sqrt((4*PP-TT*TT)/3);
m1=PP+1-(3*FF+TT)/2; //?
}
if (type==BN)
{
TT=t*t-2*p;
PP=p*p;
FF=sqrt((4*PP-TT*TT)/3);
m1=PP+1-(3*FF+TT)/2;
}
cof2=m1/q;
if (G2)
{
if (small_factors(cof2)) continue;
}
if (!prime(q)) continue;
if (!prime(p)) continue;
modulo(p);
ZZn2 xi;
xi.set(1,1); // for p=3 mod 8
// make sure its irreducible
if (pow(xi,(p*p-1)/2)==1)
continue;
if (pow(xi,(p*p-1)/3)==1)
continue; // make sure that x^6-c is irreducible
if (G2)
{
if (!prime(cof2)) continue;
}
if (GT)
{
if (!prime(coft)) continue;
}
// we have a solution
// Find curve b parameter - uses first positive one found (but collect some other possibilities)
pb=0;
b=0;
m=0;
while (pb<=20 || b==0)
{
pb+=1;
ecurve(0,pb,p,MR_AFFINE);
while (!P.set(rand(p))) ;
P*=cof;
if ((q*P).iszero())
{
if (b==0) b=pb;
else cb[m++]=pb;
}
}
nb=0;
while (nb>=-20)
{
nb-=1;
ecurve(0,nb,p,MR_AFFINE);
while (!P.set(rand(p))) ;
P*=cof;
if ((q*P).iszero())
cb[m++]=nb;
}
ecurve(0,b,p,MR_AFFINE);
// find number of points on sextic twist..
twist=MR_SEXTIC_D;
mip->TWIST=MR_SEXTIC_D;
if (type==BLS12 || type==BN)
{
ECn2 Q;
ZZn2 rr;
do
{
rr=randn2();
} while (!Q.set(rr));
Q*=cof2;
if (!(n*Q).iszero())
{
twist=MR_SEXTIC_M;
mip->TWIST=MR_SEXTIC_M;
do
{
rr=randn2();
} while (!Q.set(rr));
Q*=cof2;
if (!(n*Q).iszero())
{
cout << "Never Happens" << endl;
continue;
}
}
}
if (type==BLS24)
{
ECn4 Q;
ZZn4 rr;
do
{
rr=randn4();
} while (!Q.set(rr));
Q*=cof2;
if (!(n*Q).iszero())
{
twist=MR_SEXTIC_M;
mip->TWIST=MR_SEXTIC_M;
do
{
rr=randn4();
} while (!Q.set(rr));
Q*=cof2;
if (!(n*Q).iszero())
{
cout << "Never Happens" << endl;
continue;
}
}
}
if (type==BLS48)
{
ECn8 Q;
ZZn8 rr;
do
{
rr=randn8();
} while (!Q.set(rr));
Q*=cof2;
if (!(n*Q).iszero())
{
twist=MR_SEXTIC_M;
mip->TWIST=MR_SEXTIC_M;
do
{
rr=randn8();
} while (!Q.set(rr));
Q*=cof2;
if (!(n*Q).iszero())
{
cout << "Never Happens" << endl;
continue;
}
}
}
S++;
cout << endl;
cout << "Solution " << S << endl;
x=0;
bt=1;
mip->IOBASE=16;
cout << "x= ";
for (k=0;k<j;k++)
{
if ((bt&i)!=0) {x+=xp[k]; cout << "+2^" << pw[k];}
else {x-=xp[k]; cout << "-2^" << pw[k];}
bt<<=1;
}
cout << " = " << x << endl;
cout << "Curve is y^2=x^3+" << b << endl;
if (m>0)
{
cout << "(or) ";
for (jj=0;jj<m;jj++)
cout << cb[jj] << " ";
}
cout << "\np= " << p << " (" << bits(p) << " bits)";
if (twist==MR_SEXTIC_D) cout << " D-Type" << endl;
if (twist==MR_SEXTIC_M) cout << " M-Type" << endl;
if (progress) cout << endl;
mip->IOBASE=10;
// cout << "twist= " << p+1+t << endl;
}
}
cout << endl;
cout << cnt << " solutions searched" << endl;
if (S==0)
{
cout << "No solutions found" << endl;
return 0;
}
if (S==1)
{
cout << "One solution found" << endl;
return 0;
}
cout << S << " solutions found" << endl;
return 0;
}
Reference in New Issue View Git Blame Copy Permalink