Correct an error in computing the twist embedding degree.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2019-09-17 17:33:53 +01:00
parent fc4c16613d
commit a26bab8bfb
1 changed files with 17 additions and 20 deletions


@ -118,13 +118,13 @@ def find_nice_curves(strategy, L, twoadicity, stretch, wid, processes):
primq = (Mod(bq, q).multiplicative_order() == q-1) primq = (Mod(bq, q).multiplicative_order() == q-1)
if REQUIRE_PRIMITIVE and not primq: continue if REQUIRE_PRIMITIVE and not primq: continue
twsecp = twist_security(p, q) (twsecp, twembedp) = twist_security(p, q)
if twsecp < TWIST_SECURITY: continue if twsecp < TWIST_SECURITY: continue
twsecq = twist_security(q, p) (twsecq, twembedq) = twist_security(q, p)
if twsecq < TWIST_SECURITY: continue if twsecq < TWIST_SECURITY: continue
secp = curve_security(order=q) (secp, embedp) = curve_security(p, q)
secq = curve_security(order=p) (secq, embedq) = curve_security(q, p)
zetap = GF(p).zeta(3) zetap = GF(p).zeta(3)
zetap = min(zetap, zetap^2) zetap = min(zetap, zetap^2)
@ -141,10 +141,10 @@ def find_nice_curves(strategy, L, twoadicity, stretch, wid, processes):
Q = Eq.gens()[0] Q = Eq.gens()[0]
assert(endo(Eq, zetaq, Q) == int(zetap)*Q) assert(endo(Eq, zetaq, Q) == int(zetap)*Q)
embeddivp = embedding_divisor(p, q) embeddivp = (q-1)/embedp
embeddivq = embedding_divisor(q, p) embeddivq = (p-1)/embedq
twembeddivp = twist_embedding_divisor(p, q) twembeddivp = (2*p + 1 - q)/twembedp
twembeddivq = twist_embedding_divisor(q, p) twembeddivq = (2*q + 1 - p)/twembedq
yield (p, q, bp, bq, zetap, zetaq, qdesc, primp, primq, secp, secq, twsecp, twsecq, yield (p, q, bp, bq, zetap, zetaq, qdesc, primp, primq, secp, secq, twsecp, twsecq,
embeddivp, embeddivq, twembeddivp, twembeddivq) embeddivp, embeddivq, twembeddivp, twembeddivq)
@ -167,32 +167,29 @@ def find_lowest_prime(p):
pi_12 = (pi/12).numerical_approx() pi_12 = (pi/12).numerical_approx()
def curve_security(order): def curve_security(p, q):
sys.stdout.write('!') sys.stdout.write('!')
sys.stdout.flush() sys.stdout.flush()
r = factor(order)[-1][0] r = factor(q)[-1][0]
return log(pi_12 * r, 4) return (log(pi_12 * r, 4), embedding_degree(p, r))
def twist_security(p, q): def twist_security(p, q):
return curve_security(2*(p+1) - q) return curve_security(p, 2*(p+1) - q)
def embedding_divisor(p, q): def embedding_degree(p, r):
sys.stdout.write('#') sys.stdout.write('#')
sys.stdout.flush() sys.stdout.flush()
assert(gcd(p, q) == 1) assert(gcd(p, r) == 1)
Z_q = Integers(q) Z_q = Integers(r)
u = Z_q(p) u = Z_q(p)
d = q-1 d = r-1
V = factor(d) V = factor(d)
for (v, k) in V: for (v, k) in V:
while d % v == 0: while d % v == 0:
if u^(d/v) != 1: break if u^(d/v) != 1: break
d /= v d /= v
return (q-1)/d return d
def twist_embedding_divisor(p, q):
return embedding_divisor(p, 2*(p+1) - q)
def format_weight(x, detail=True): def format_weight(x, detail=True):
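Review bot: The new twist divisors in find_nice_curves, `twembeddivp = (2*p + 1 - q)/twembedp` and `twembeddivq = (2*q + 1 - p)/twembedq`, divide the twist order minus one by a degree that `embedding_degree(p, r)` now computes modulo `r`, the largest prime factor of that order. The degree divides `r-1`, so the quotient is a meaningful integer only when the twist order is itself prime. The visible lines only threshold `twsecp`/`twsecq` against `TWIST_SECURITY` and do not appear to require a prime twist order. If composite orders are accepted, consider returning `r` from `curve_security`, e.g. `return (log(pi_12 * r, 4), embedding_degree(p, r), r)`, and computing the divisor as `(r_tw - 1)/twembedp`, with `r_tw` a placeholder for the returned value. Otherwise, add a comment where these divisors are computed stating that the reported twist divisor assumes a prime twist order; find_nice_curves starts outside the hunks shown, so any such check earlier in the function is not visible here.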