import os import sys import traceback from errno import ENOENT, EEXIST from sortedcontainers import SortedSet def readfile(fn): fd = open(fn,'r') r = fd.read() fd.close() return r def writefile(fn,s): fd = open(fn,'w') fd.write(s) fd.close() def expand2(n): s = "" while n != 0: j = 16 while 2**j < abs(n): j += 1 if 2**j - abs(n) > abs(n) - 2**(j-1): j -= 1 if abs(abs(n) - 2**j) > 2**(j - 10): if n > 0: if s != "": s += " + " s += str(n) else: s += " - " + str(-n) n = 0 elif n > 0: if s != "": s += " + " s += "2^" + str(j) n -= 2**j else: s += " - 2^" + str(j) n += 2**j return s def requirement(fn,istrue): writefile(fn,str(istrue) + '\n') return istrue def verify(): try: os.mkdir('proof') except OSError as e: if e.errno != EEXIST: raise try: s = set(map(Integer, readfile('primes').split())) except IOError, e: if e.errno != ENOENT: raise s = set() needtofactor = SortedSet() V = SortedSet() # distinct verified primes verify_primes(V, s, needtofactor) verify_pass(V, needtofactor) old = V needtofactor.update(V) while len(needtofactor) > len(old): k = len(needtofactor) - len(old) sys.stdout.write('Factoring %d integer%s' % (k, '' if k == 1 else 's')) sys.stdout.flush() for x in needtofactor: if x not in old: for (y, z) in factor(x): s.add(y) sys.stdout.write('.') sys.stdout.flush() print('') old = needtofactor.copy() verify_primes(V, s, needtofactor) writefile('primes', '\n'.join(map(str, s)) + '\n') writefile('verify-primes', '
\n' + ''.join(('2\n' if v == 2 else '%s\n' % (v,v)) for v in V) + '\n') verify_pass(V, needtofactor) def verify_primes(V, s, needtofactor): for n in sorted(s): if not n.is_prime() or n in V: continue needtofactor.add(n-1) if n == 2: V.add(n) continue for trybase in primes(2,10000): base = Integers(n)(trybase) if base^(n-1) != 1: continue proof = 'Primality proof for n = %s:\n' % n proof += 'Take b = %s.\n' % base proof += '
b^(n-1) mod n = 1.\n' f = factor(1) for v in reversed(V): if f.prod()^2 <= n: if n % v == 1: u = base^((n-1)/v)-1 if u.is_unit(): if v == 2: proof += '
2 is prime.\n' else: proof += '
%s is prime.\n' % (v,v)
proof += '
b^((n-1)/%s)-1 mod n = %s, which is a unit, inverse %s.\n' % (v,u,1/u)
f *= factor(v)^(n-1).valuation(v)
if f.prod()^2 <= n: continue
if n % f.prod() != 1: continue
proof += '
(%s) divides n-1.\n' % f proof += '
(%s)^2 > n.\n' % f proof += "
n is prime by Pocklington's theorem.\n"
proof += '\n'
writefile('proof/%s.html' % n,proof)
V.add(n)
break
def verify_pass(V, needtofactor):
p = Integer(readfile('p'))
k = GF(p)
kz.
= %s\n' % expand2(l))
writefile('hex-p',p.hex() + '\n')
writefile('hex-l',l.hex() + '\n')
writefile('hex-x0',x0.hex() + '\n')
writefile('hex-x1',x1.hex() + '\n')
writefile('hex-y0',y0.hex() + '\n')
writefile('hex-y1',y1.hex() + '\n')
gcdlpis1 = gcd(l,p) == 1
safetransfer &= requirement('verify-gcdlp1',gcdlpis1)
writefile('verify-movsafe','Unverified\n')
writefile('verify-embeddingdegree','Unverified\n')
if gcdlpis1 and l.is_prime():
u = Integers(l)(p)
d = l-1
needtofactor.add(d)
for v in V:
while d % v == 0: d /= v
if d == 1:
d = l-1
for v in V:
while d % v == 0:
if u^(d/v) != 1: break
d /= v
safetransfer &= requirement('verify-movsafe',(l-1)/d <= 100)
writefile('verify-embeddingdegree','%s
= (l-1)/%s\n' % (d,(l-1)/d))
t = p+1-l*round((p+1)/l)
if l^2 > 16*p:
writefile('verify-trace','%s\n' % t)
f = factor(1)
d = (p+1-t)/l
needtofactor.add(d)
for v in V:
while d % v == 0:
d //= v
f *= factor(v)
writefile('verify-cofactor','%s\n' % f)
else:
writefile('verify-trace','Unverified\n')
writefile('verify-cofactor','Unverified\n')
D = t^2-4*p
needtofactor.add(D)
for v in V:
while D % v^2 == 0: D /= v^2
if prod([v for v in V if D % v == 0]) != -D:
writefile('verify-disc','Unverified\n')
writefile('verify-discisbig','Unverified\n')
safedisc = False
else:
f = -prod([factor(v) for v in V if D % v == 0])
if D % 4 != 1:
D *= 4
f = factor(4) * f
Dbits = (log(-D)/log(2)).numerical_approx()
writefile('verify-disc','%s
= %s
≈ -2^%.1f\n' % (D,f,Dbits))
safedisc &= requirement('verify-discisbig',D < -2^100)
pin = 0.78539816339744830961566084581987572105
if D == -3:
pin /= 3.0
rho = log(pin*l)/log(4)
writefile('verify-rho','%.1f\n' % rho)
saferho &= requirement('verify-rhoabove100',rho.numerical_approx() >= 100)
twistl = 'Unverified'
d = p+1+t
needtofactor.add(d)
for v in V:
while d % v == 0: d /= v
if d == 1:
d = p+1+t
for v in V:
if d % v == 0:
if twistl == 'Unverified' or v > twistl: twistl = v
writefile('verify-twistl','%s\n' % twistl)
writefile('verify-twistembeddingdegree','Unverified\n')
writefile('verify-twistmovsafe','Unverified\n')
if twistl == 'Unverified':
writefile('hex-twistl','Unverified\n')
writefile('expand2-twistl','Unverified\n')
writefile('verify-twistcofactor','Unverified\n')
writefile('verify-gcdtwistlp1','Unverified\n')
writefile('verify-twistrho','Unverified\n')
safetwist = False
else:
writefile('hex-twistl',twistl.hex() + '\n')
writefile('expand2-twistl','
= %s\n' % expand2(twistl))
f = factor(1)
d = (p+1+t)/twistl
needtofactor.add(d)
for v in V:
while d % v == 0:
d //= v
f *= factor(v)
writefile('verify-twistcofactor','%s\n' % f)
gcdtwistlpis1 = gcd(twistl,p) == 1
safetwist &= requirement('verify-gcdtwistlp1',gcdtwistlpis1)
movsafe = 'Unverified'
embeddingdegree = 'Unverified'
if gcdtwistlpis1 and twistl.is_prime():
u = Integers(twistl)(p)
d = twistl-1
needtofactor.add(d)
for v in V:
while d % v == 0: d /= v
if d == 1:
d = twistl-1
for v in V:
while d % v == 0:
if u^(d/v) != 1: break
d /= v
safetwist &= requirement('verify-twistmovsafe',(twistl-1)/d <= 100)
writefile('verify-twistembeddingdegree',"%s
= (l'-1)/%s\n" % (d,(twistl-1)/d))
rho = log(pin*twistl)/log(4)
writefile('verify-twistrho','%.1f\n' % rho)
safetwist &= requirement('verify-twistrhoabove100',rho.numerical_approx() >= 100)
precomp = 0
joint = l
needtofactor.add(p+1-t)
needtofactor.add(p+1+t)
for v in V:
d1 = p+1-t
d2 = p+1+t
while d1 % v == 0 or d2 % v == 0:
if d1 % v == 0: d1 //= v
if d2 % v == 0: d2 //= v
# best case for attack: cyclic; each power is usable
# also assume that kangaroo is as efficient as rho
if v + sqrt(pin*joint/v) < sqrt(pin*joint):
precomp += v
joint /= v
rho = log(precomp + sqrt(pin * joint))/log(2)
writefile('verify-jointrho','%.1f\n' % rho)
safetwist &= requirement('verify-jointrhoabove100',rho.numerical_approx() >= 100)
x0 = k(x0)
y0 = k(y0)
x1 = k(x1)
y1 = k(y1)
if shape in ('edwards', 'tedwards'):
d = Integer(readfile('d'))
a = 1
if shape == 'tedwards':
a = Integer(readfile('a'))
writefile('verify-shape','Twisted Edwards\n')
writefile('verify-equation','%sx^2+y^2 = 1%+dx^2y^2\n' % (a, d))
if a == 1:
writefile('verify-shape','Edwards\n')
writefile('verify-equation','x^2+y^2 = 1%+dx^2y^2\n' % d)
a = k(a)
d = k(d)
elliptic = a*d*(a-d)
level0 = a*x0^2+y0^2-1-d*x0^2*y0^2
level1 = a*x1^2+y1^2-1-d*x1^2*y1^2
if shape == 'montgomery':
writefile('verify-shape','Montgomery\n')
A = Integer(readfile('A'))
B = Integer(readfile('B'))
equation = '%sy^2 = x^3